[[0;32m  OK  [0m] Started Getty on tty2.
[[0;32m  OK  [0m] Started Serial Getty on ttyS0.
[[0;32m  OK  [0m] Started Getty on tty1.
[[0;32m  OK  [0m] Reached target Login Prompts.
[[0;32m  OK  [0m] Reached target Multi-User System.
[[0;32m  OK  [0m] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[[0;32m  OK  [0m] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[[0;32m  OK  [0m] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.37' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   66.093909][   T23] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   66.453932][   T23] usb 1-1: config 1 has an invalid descriptor of length 9, skipping remainder of the config
[   66.464318][   T23] usb 1-1: config 1 interface 0 altsetting 0 has 3 endpoint descriptors, different from the interface descriptor's value: 6
[   66.633894][   T23] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[   66.642947][   T23] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   66.652002][   T23] usb 1-1: Product: syz
[   66.656777][   T23] usb 1-1: Manufacturer: syz
[   66.661365][   T23] usb 1-1: SerialNumber: syz
[   66.705890][   T23] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[   67.353759][   T23] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[   67.793695][    C1] ==================================================================
[   67.801921][    C1] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0x3ab/0x1020
[   67.809624][    C1] Read of size 40655 at addr ffff888016b20000 by task swapper/1/0
[   67.817415][    C1] 
[   67.819750][    C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.10.0-rc3-syzkaller #0
[   67.827708][    C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.837767][    C1] Call Trace:
[   67.841052][    C1]  <IRQ>
[   67.843912][    C1]  dump_stack+0x107/0x163
[   67.848246][    C1]  ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[   67.853634][    C1]  ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[   67.859018][    C1]  print_address_description.constprop.0.cold+0xae/0x4c8
[   67.866056][    C1]  ? vprintk_func+0x95/0x1e0
[   67.870656][    C1]  ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[   67.876036][    C1]  ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[   67.881404][    C1]  kasan_report.cold+0x1f/0x37
[   67.886260][    C1]  ? spin_bug+0xd0/0x100
[   67.890506][    C1]  ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[   67.895871][    C1]  check_memory_region+0x13d/0x180
[   67.900988][    C1]  memcpy+0x20/0x60
[   67.904790][    C1]  ath9k_hif_usb_rx_cb+0x3ab/0x1020
[   67.909984][    C1]  ? hif_usb_start+0xa0/0xa0
[   67.914564][    C1]  ? __usb_hcd_giveback_urb+0x302/0x560
[   67.920094][    C1]  ? lock_downgrade+0x6d0/0x6d0
[   67.924933][    C1]  ? kcov_remote_start+0xce/0x450
[   67.929953][    C1]  __usb_hcd_giveback_urb+0x32d/0x560
[   67.935317][    C1]  usb_hcd_giveback_urb+0x367/0x410
[   67.940520][    C1]  dummy_timer+0x11f4/0x3280
[   67.945134][    C1]  ? dummy_dequeue+0x4c0/0x4c0
[   67.949896][    C1]  ? dummy_dequeue+0x4c0/0x4c0
[   67.954644][    C1]  call_timer_fn+0x1a5/0x6b0
[   67.959232][    C1]  ? add_timer_on+0x4a0/0x4a0
[   67.963894][    C1]  ? lock_downgrade+0x6d0/0x6d0
[   67.968737][    C1]  ? _raw_spin_unlock_irq+0x1f/0x40
[   67.973929][    C1]  ? dummy_dequeue+0x4c0/0x4c0
[   67.978678][    C1]  __run_timers.part.0+0x67c/0xa50
[   67.983780][    C1]  ? call_timer_fn+0x6b0/0x6b0
[   67.988545][    C1]  ? lapic_next_event+0x4d/0x80
[   67.993410][    C1]  ? kvm_sched_clock_read+0x14/0x40
[   67.998638][    C1]  ? sched_clock+0x2a/0x40
[   68.003048][    C1]  ? sched_clock_cpu+0x18/0x1f0
[   68.007975][    C1]  run_timer_softirq+0xb3/0x1d0
[   68.012830][    C1]  __do_softirq+0x2a0/0x9f6
[   68.017344][    C1]  asm_call_irq_on_stack+0xf/0x20
[   68.022363][    C1]  </IRQ>
[   68.025307][    C1]  do_softirq_own_stack+0xaa/0xd0
[   68.030323][    C1]  irq_exit_rcu+0x132/0x200
[   68.034815][    C1]  sysvec_apic_timer_interrupt+0x4d/0x100
[   68.040564][    C1]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[   68.046543][    C1] RIP: 0010:acpi_idle_do_entry+0x1c9/0x250
[   68.052438][    C1] Code: 2d 10 89 f8 84 db 75 ac e8 14 18 89 f8 e8 cf d6 8e f8 e9 0c 00 00 00 e8 05 18 89 f8 0f 00 2d 1e 56 c1 00 e8 f9 17 89 f8 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 54 10 89 f8 48 85 db
[   68.072038][    C1] RSP: 0018:ffffc90000d27d18 EFLAGS: 00000293
[   68.078098][    C1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffffffff19d8a69
[   68.086059][    C1] RDX: ffff888010da8000 RSI: ffffffff88e701c7 RDI: 0000000000000000
[   68.094021][    C1] RBP: ffff888013fff864 R08: 0000000000000001 R09: 0000000000000001
[   68.101996][    C1] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
[   68.109957][    C1] R13: ffff888013fff800 R14: ffff888013fff864 R15: ffff8880174e8804
[   68.117938][    C1]  ? acpi_idle_do_entry+0x1c7/0x250
[   68.123127][    C1]  ? acpi_idle_do_entry+0x1c7/0x250
[   68.128314][    C1]  acpi_idle_enter+0x361/0x500
[   68.133084][    C1]  cpuidle_enter_state+0x1b1/0xc80
[   68.138205][    C1]  cpuidle_enter+0x4a/0xa0
[   68.142610][    C1]  do_idle+0x3e1/0x590
[   68.146674][    C1]  ? arch_cpu_idle_exit+0x40/0x40
[   68.151692][    C1]  ? _raw_spin_unlock_bh+0x20/0x30
[   68.156813][    C1]  ? lockdep_hardirqs_on+0x79/0x100
[   68.162017][    C1]  cpu_startup_entry+0x14/0x20
[   68.166772][    C1]  start_secondary+0x266/0x340
[   68.171543][    C1]  ? set_cpu_sibling_map+0x2460/0x2460
[   68.177012][    C1]  secondary_startup_64_no_verify+0xb0/0xbb
[   68.182898][    C1] 
[   68.185210][    C1] The buggy address belongs to the page:
[   68.190844][    C1] page:00000000f905a324 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x16b20
[   68.200983][    C1] head:00000000f905a324 order:3 compound_mapcount:0 compound_pincount:0
[   68.209315][    C1] flags: 0xfff00000010000(head)
[   68.214155][    C1] raw: 00fff00000010000 dead000000000100 dead000000000122 0000000000000000
[   68.222728][    C1] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   68.231298][    C1] page dumped because: kasan: bad access detected
[   68.237704][    C1] 
[   68.240011][    C1] Memory state around the buggy address:
[   68.245632][    C1]  ffff888016b27f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   68.253699][    C1]  ffff888016b27f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   68.261753][    C1] >ffff888016b28000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.269801][    C1]                    ^
[   68.273976][    C1]  ffff888016b28080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.282024][    C1]  ffff888016b28100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.290073][    C1] ==================================================================
[   68.298122][    C1] Disabling lock debugging due to kernel taint
[   68.304263][    C1] Kernel panic - not syncing: panic_on_warn set ...
[   68.310831][    C1] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G    B             5.10.0-rc3-syzkaller #0
[   68.320171][    C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   68.330268][    C1] Call Trace:
[   68.333537][    C1]  <IRQ>
[   68.336393][    C1]  dump_stack+0x107/0x163
[   68.340708][    C1]  ? ath9k_hif_usb_rx_cb+0x3a0/0x1020
[   68.346075][    C1]  panic+0x306/0x73d
[   68.349963][    C1]  ? __warn_printk+0xf3/0xf3
[   68.354554][    C1]  ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[   68.359902][    C1]  ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[   68.365254][    C1]  end_report+0x58/0x5e
[   68.369398][    C1]  kasan_report.cold+0xd/0x37
[   68.374067][    C1]  ? spin_bug+0xd0/0x100
[   68.378286][    C1]  ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[   68.383640][    C1]  check_memory_region+0x13d/0x180
[   68.388737][    C1]  memcpy+0x20/0x60
[   68.392540][    C1]  ath9k_hif_usb_rx_cb+0x3ab/0x1020
[   68.397728][    C1]  ? hif_usb_start+0xa0/0xa0
[   68.402300][    C1]  ? __usb_hcd_giveback_urb+0x302/0x560
[   68.407840][    C1]  ? lock_downgrade+0x6d0/0x6d0
[   68.412677][    C1]  ? kcov_remote_start+0xce/0x450
[   68.417711][    C1]  __usb_hcd_giveback_urb+0x32d/0x560
[   68.423063][    C1]  usb_hcd_giveback_urb+0x367/0x410
[   68.428255][    C1]  dummy_timer+0x11f4/0x3280
[   68.432850][    C1]  ? dummy_dequeue+0x4c0/0x4c0
[   68.437611][    C1]  ? dummy_dequeue+0x4c0/0x4c0
[   68.442358][    C1]  call_timer_fn+0x1a5/0x6b0
[   68.446935][    C1]  ? add_timer_on+0x4a0/0x4a0
[   68.451618][    C1]  ? lock_downgrade+0x6d0/0x6d0
[   68.456451][    C1]  ? _raw_spin_unlock_irq+0x1f/0x40
[   68.461631][    C1]  ? dummy_dequeue+0x4c0/0x4c0
[   68.466393][    C1]  __run_timers.part.0+0x67c/0xa50
[   68.471488][    C1]  ? call_timer_fn+0x6b0/0x6b0
[   68.476241][    C1]  ? lapic_next_event+0x4d/0x80
[   68.481083][    C1]  ? kvm_sched_clock_read+0x14/0x40
[   68.486271][    C1]  ? sched_clock+0x2a/0x40
[   68.490733][    C1]  ? sched_clock_cpu+0x18/0x1f0
[   68.495570][    C1]  run_timer_softirq+0xb3/0x1d0
[   68.500436][    C1]  __do_softirq+0x2a0/0x9f6
[   68.504935][    C1]  asm_call_irq_on_stack+0xf/0x20
[   68.509951][    C1]  </IRQ>
[   68.512874][    C1]  do_softirq_own_stack+0xaa/0xd0
[   68.517897][    C1]  irq_exit_rcu+0x132/0x200
[   68.522383][    C1]  sysvec_apic_timer_interrupt+0x4d/0x100
[   68.528087][    C1]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[   68.534069][    C1] RIP: 0010:acpi_idle_do_entry+0x1c9/0x250
[   68.539887][    C1] Code: 2d 10 89 f8 84 db 75 ac e8 14 18 89 f8 e8 cf d6 8e f8 e9 0c 00 00 00 e8 05 18 89 f8 0f 00 2d 1e 56 c1 00 e8 f9 17 89 f8 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 54 10 89 f8 48 85 db
[   68.559479][    C1] RSP: 0018:ffffc90000d27d18 EFLAGS: 00000293
[   68.565532][    C1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffffffff19d8a69
[   68.573488][    C1] RDX: ffff888010da8000 RSI: ffffffff88e701c7 RDI: 0000000000000000
[   68.581452][    C1] RBP: ffff888013fff864 R08: 0000000000000001 R09: 0000000000000001
[   68.589411][    C1] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
[   68.597370][    C1] R13: ffff888013fff800 R14: ffff888013fff864 R15: ffff8880174e8804
[   68.605358][    C1]  ? acpi_idle_do_entry+0x1c7/0x250
[   68.610547][    C1]  ? acpi_idle_do_entry+0x1c7/0x250
[   68.615747][    C1]  acpi_idle_enter+0x361/0x500
[   68.620512][    C1]  cpuidle_enter_state+0x1b1/0xc80
[   68.625634][    C1]  cpuidle_enter+0x4a/0xa0
[   68.630041][    C1]  do_idle+0x3e1/0x590
[   68.634122][    C1]  ? arch_cpu_idle_exit+0x40/0x40
[   68.639137][    C1]  ? _raw_spin_unlock_bh+0x20/0x30
[   68.644242][    C1]  ? lockdep_hardirqs_on+0x79/0x100
[   68.649427][    C1]  cpu_startup_entry+0x14/0x20
[   68.654177][    C1]  start_secondary+0x266/0x340
[   68.658924][    C1]  ? set_cpu_sibling_map+0x2460/0x2460
[   68.664368][    C1]  secondary_startup_64_no_verify+0xb0/0xbb
[   68.670815][    C1] Kernel Offset: disabled
[   68.675136][    C1] Rebooting in 86400 seconds..