[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.

Debian GNU/Linux 9 syzkaller ttyS0

syzkaller login: [   15.863529][    C1] random: crng init done
[   15.868091][    C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.1.4' (ECDSA) to the list of known hosts.
executing program
[   36.139097][   T12] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   36.658890][   T12] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[   36.668000][   T12] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   36.676180][   T12] usb 1-1: Product: syz
[   36.680414][   T12] usb 1-1: Manufacturer: syz
[   36.684991][   T12] usb 1-1: SerialNumber: syz
[   36.729884][   T12] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[   37.368553][   T12] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[   37.770461][  T158] usb 1-1: USB disconnect, device number 2
[   38.638250][   T12] usb 1-1: Service connection timeout for: 256
[   38.644603][   T12] ==================================================================
[   38.653075][   T12] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[   38.659732][   T12] Read of size 4 at addr ffff8881d1a1a5d4 by task kworker/0:1/12
[   38.667800][   T12]
[   38.670138][   T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.7.0-rc6-syzkaller #0
[   38.678405][   T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.688734][   T12] Workqueue: events request_firmware_work_func
[   38.694887][   T12] Call Trace:
[   38.698186][   T12]  dump_stack+0xef/0x16e
[   38.702447][   T12]  print_address_description.constprop.0.cold+0xd3/0x415
[   38.709545][   T12]  ? vprintk_func+0x7d/0x113
[   38.714204][   T12]  ? kfree_skb+0x32/0x3d0
[   38.718714][   T12]  __kasan_report.cold+0x37/0x7d
[   38.723649][   T12]  ? kfree_skb+0x32/0x3d0
[   38.727964][   T12]  ? kfree_skb+0x32/0x3d0
[   38.732274][   T12]  kasan_report+0x33/0x50
[   38.736599][   T12]  check_memory_region+0x173/0x1d0
[   38.741900][   T12]  kfree_skb+0x32/0x3d0
[   38.746039][   T12]  htc_connect_service.cold+0xa9/0x109
[   38.751676][   T12]  ath9k_wmi_connect+0xd2/0x1a0
[   38.756509][   T12]  ? ath9k_fatal_work+0x20/0x20
[   38.761350][   T12]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[   38.767523][   T12]  ? ath9k_wmi_event_tasklet+0x440/0x440
[   38.773457][   T12]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   38.779879][   T12]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[   38.785269][   T12]  ? lockdep_init_map_waits+0x26a/0x7c0
[   38.790824][   T12]  ? __raw_spin_lock_init+0x34/0x100
[   38.796177][   T12]  ? tasklet_init+0x69/0x110
[   38.800763][   T12]  ath9k_htc_probe_device+0x25a/0x1da0
[   38.806419][   T12]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[   38.813888][   T12]  ? usb_submit_urb+0x6ed/0x1460
[   38.818811][   T12]  ? usb_free_urb.part.0+0x52/0x110
[   38.824009][   T12]  ? usb_free_urb+0x1b/0x30
[   38.828565][   T12]  ath9k_htc_hw_init+0x31/0x60
[   38.833328][   T12]  ath9k_hif_usb_firmware_cb+0x274/0x510
[   38.839006][   T12]  ? ath9k_hif_usb_resume+0x320/0x320
[   38.844904][   T12]  request_firmware_work_func+0x126/0x242
[   38.850783][   T12]  ? request_firmware_into_buf+0x90/0x90
[   38.856488][   T12]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   38.862012][   T12]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   38.867612][   T12]  ? _raw_spin_unlock_irq+0x1f/0x30
[   38.872795][   T12]  process_one_work+0x965/0x1630
[   38.877749][   T12]  ? lock_release+0x720/0x720
[   38.882432][   T12]  ? pwq_dec_nr_in_flight+0x310/0x310
[   38.887792][   T12]  ? rwlock_bug.part.0+0x90/0x90
[   38.892714][   T12]  worker_thread+0x96/0xe20
[   38.897208][   T12]  ? process_one_work+0x1630/0x1630
[   38.902402][   T12]  kthread+0x326/0x430
[   38.906451][   T12]  ? kthread_create_on_node+0xf0/0xf0
[   38.911802][   T12]  ret_from_fork+0x24/0x30
[   38.916209][   T12]
[   38.918539][   T12] Allocated by task 12:
[   38.922779][   T12]  save_stack+0x1b/0x40
[   38.926937][   T12]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   38.932548][   T12]  kmem_cache_alloc_node+0xdc/0x330
[   38.937984][   T12]  __alloc_skb+0xba/0x5a0
[   38.942294][   T12]  htc_connect_service+0x2cc/0x840
[   38.947379][   T12]  ath9k_wmi_connect+0xd2/0x1a0
[   38.952224][   T12]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   38.958749][   T12]  ath9k_htc_probe_device+0x25a/0x1da0
[   38.965171][   T12]  ath9k_htc_hw_init+0x31/0x60
[   38.970454][   T12]  ath9k_hif_usb_firmware_cb+0x274/0x510
[   38.976256][   T12]  request_firmware_work_func+0x126/0x242
[   38.981957][   T12]  process_one_work+0x965/0x1630
[   38.987375][   T12]  worker_thread+0x96/0xe20
[   38.991867][   T12]  kthread+0x326/0x430
[   38.996364][   T12]  ret_from_fork+0x24/0x30
[   39.000758][   T12]
[   39.003064][   T12] Freed by task 158:
[   39.006951][   T12]  save_stack+0x1b/0x40
[   39.011103][   T12]  __kasan_slab_free+0x117/0x160
[   39.016051][   T12]  kmem_cache_free+0x9b/0x360
[   39.020710][   T12]  kfree_skbmem+0xef/0x1b0
[   39.025236][   T12]  kfree_skb+0x102/0x3d0
[   39.030166][   T12]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[   39.035930][   T12]  hif_usb_regout_cb+0x115/0x1c0
[   39.040863][   T12]  __usb_hcd_giveback_urb+0x29a/0x550
[   39.046244][   T12]  usb_hcd_giveback_urb+0x368/0x420
[   39.051446][   T12]  dummy_timer+0x125e/0x32b4
[   39.056021][   T12]  call_timer_fn+0x1ac/0x700
[   39.060587][   T12]  run_timer_softirq+0x5f9/0x1500
[   39.065596][   T12]  __do_softirq+0x21e/0x9aa
[   39.070076][   T12]
[   39.072402][   T12] The buggy address belongs to the object at ffff8881d1a1a500
[   39.072402][   T12]  which belongs to the cache skbuff_head_cache of size 224
[   39.088163][   T12] The buggy address is located 212 bytes inside of
[   39.088163][   T12]  224-byte region [ffff8881d1a1a500, ffff8881d1a1a5e0)
[   39.102230][   T12] The buggy address belongs to the page:
[   39.107849][   T12] page:ffffea0007468680 refcount:1 mapcount:0 mapping:00000000d14f2758 index:0x0
[   39.117631][   T12] flags: 0x200000000000200(slab)
[   39.122567][   T12] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[   39.134776][   T12] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[   39.143343][   T12] page dumped because: kasan: bad access detected
[   39.149918][   T12]
[   39.152693][   T12] Memory state around the buggy address:
[   39.158585][   T12]  ffff8881d1a1a480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   39.166641][   T12]  ffff8881d1a1a500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.174721][   T12] >ffff8881d1a1a580: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   39.182772][   T12]                                                  ^
[   39.189425][   T12]  ffff8881d1a1a600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   39.197461][   T12]  ffff8881d1a1a680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.205684][   T12] ==================================================================
[   39.213770][   T12] Disabling lock debugging due to kernel taint
[   39.220339][   T12] Kernel panic - not syncing: panic_on_warn set ...
[   39.227471][   T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G    B             5.7.0-rc6-syzkaller #0
[   39.237187][   T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.247257][   T12] Workqueue: events request_firmware_work_func
[   39.254014][   T12] Call Trace:
[   39.257315][   T12]  dump_stack+0xef/0x16e
[   39.261552][   T12]  panic+0x2aa/0x6e1
[   39.265430][   T12]  ? add_taint.cold+0x16/0x16
[   39.270094][   T12]  ? retint_kernel+0x10/0x10
[   39.274676][   T12]  ? kfree_skb+0x32/0x3d0
[   39.278998][   T12]  ? trace_hardirqs_on+0x55/0x200
[   39.284001][   T12]  ? kfree_skb+0x32/0x3d0
[   39.288309][   T12]  end_report+0x4d/0x53
[   39.292462][   T12]  __kasan_report.cold+0x72/0x7d
[   39.297379][   T12]  ? kfree_skb+0x32/0x3d0
[   39.301683][   T12]  ? kfree_skb+0x32/0x3d0
[   39.306076][   T12]  kasan_report+0x33/0x50
[   39.310400][   T12]  check_memory_region+0x173/0x1d0
[   39.315499][   T12]  kfree_skb+0x32/0x3d0
[   39.319643][   T12]  htc_connect_service.cold+0xa9/0x109
[   39.325085][   T12]  ath9k_wmi_connect+0xd2/0x1a0
[   39.330737][   T12]  ? ath9k_fatal_work+0x20/0x20
[   39.335578][   T12]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[   39.341634][   T12]  ? ath9k_wmi_event_tasklet+0x440/0x440
[   39.347334][   T12]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   39.353732][   T12]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[   39.359094][   T12]  ? lockdep_init_map_waits+0x26a/0x7c0
[   39.364632][   T12]  ? __raw_spin_lock_init+0x34/0x100
[   39.370100][   T12]  ? tasklet_init+0x69/0x110
[   39.374695][   T12]  ath9k_htc_probe_device+0x25a/0x1da0
[   39.380145][   T12]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[   39.386811][   T12]  ? usb_submit_urb+0x6ed/0x1460
[   39.391763][   T12]  ? usb_free_urb.part.0+0x52/0x110
[   39.396950][   T12]  ? usb_free_urb+0x1b/0x30
[   39.401435][   T12]  ath9k_htc_hw_init+0x31/0x60
[   39.406176][   T12]  ath9k_hif_usb_firmware_cb+0x274/0x510
[   39.411905][   T12]  ? ath9k_hif_usb_resume+0x320/0x320
[   39.417263][   T12]  request_firmware_work_func+0x126/0x242
[   39.423063][   T12]  ? request_firmware_into_buf+0x90/0x90
[   39.428709][   T12]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   39.434325][   T12]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   39.439593][   T12]  ? _raw_spin_unlock_irq+0x1f/0x30
[   39.445129][   T12]  process_one_work+0x965/0x1630
[   39.450479][   T12]  ? lock_release+0x720/0x720
[   39.455267][   T12]  ? pwq_dec_nr_in_flight+0x310/0x310
[   39.460637][   T12]  ? rwlock_bug.part.0+0x90/0x90
[   39.465570][   T12]  worker_thread+0x96/0xe20
[   39.470348][   T12]  ? process_one_work+0x1630/0x1630
[   39.475545][   T12]  kthread+0x326/0x430
[   39.479709][   T12]  ? kthread_create_on_node+0xf0/0xf0
[   39.485074][   T12]  ret_from_fork+0x24/0x30
[   39.490358][   T12] Kernel Offset: disabled
[   39.494689][   T12] Rebooting in 86400 seconds..
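The report above reads as an ownership bug rather than a wild pointer: the skb is allocated in htc_connect_service (task 12, the firmware-load worker), freed by task 158 in ath9k_htc_txcompletion_cb when the URB is given back after the USB disconnect, and then freed a second time by htc_connect_service.cold right after "Service connection timeout for: 256". The user-space C program below is an added illustration of that shape and is not the kernel's code or the upstream fix: every *_model function is a constructed stand-in, the "buggy" variant reproduces the two-owner free, and the "fixed" variant applies the generic ownership-transfer rule (the caller frees only when submission fails; after a successful send only the completion path frees). Whether the upstream patch took exactly that form is not shown by the log and is an assumption here.

```c
/* Constructed user-space model of the ownership race in the KASAN report above.
 * Added illustration, not kernel code: every *_model name is a stand-in, and the
 * "fixed" variant shows the generic ownership-transfer pattern, not the upstream patch. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct skb_model {
    bool allocated;   /* handed out by alloc_skb_model() */
    bool freed;       /* released; any later touch is a use-after-free */
};

static struct skb_model pool[4];
static struct skb_model *in_flight;   /* buffer the transport owns until its URB completes */
static int uaf_events;                /* touches of a freed skb, what KASAN would flag */

static struct skb_model *alloc_skb_model(void)
{
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++)
        if (!pool[i].allocated) {
            pool[i].allocated = true;
            return &pool[i];
        }
    return NULL;
}

/* Stand-in for kfree_skb(): records a free of a freed object instead of crashing. */
static void kfree_skb_model(struct skb_model *skb)
{
    if (skb->freed) { uaf_events++; return; }
    skb->freed = true;
}

/* Models htc_send(): on success the transport owns skb until the completion fires. */
static int htc_send_model(struct skb_model *skb, bool submit_ok)
{
    if (!submit_ok)
        return -1;   /* never submitted, so the caller still owns skb */
    in_flight = skb;
    return 0;
}

/* Models the USB disconnect giving the URB back before any service response arrives;
 * the completion (ath9k_htc_txcompletion_cb in the report) frees the buffer. */
static void usb_disconnect_model(void)
{
    struct skb_model *skb = in_flight;
    in_flight = NULL;
    if (skb)
        kfree_skb_model(skb);
}

/* Buggy shape: the timeout branch frees a buffer the completion callback already released. */
static int connect_service_buggy(bool submit_ok, bool response_arrives)
{
    struct skb_model *skb = alloc_skb_model();
    if (!skb) return -3;
    if (htc_send_model(skb, submit_ok) != 0) {
        kfree_skb_model(skb);   /* correct: submit failed, we still own it */
        return -1;
    }
    usb_disconnect_model();     /* device goes away while we wait */
    if (!response_arrives) {
        kfree_skb_model(skb);   /* "Service connection timeout": second free */
        return -2;
    }
    return 0;
}

/* Fixed shape (assumed): after a successful send only the completion frees skb. */
static int connect_service_fixed(bool submit_ok, bool response_arrives)
{
    struct skb_model *skb = alloc_skb_model();
    if (!skb) return -3;
    if (htc_send_model(skb, submit_ok) != 0) {
        kfree_skb_model(skb);   /* the only case where we still own it */
        return -1;
    }
    skb = NULL;                 /* ownership transferred; nothing below may touch it */
    usb_disconnect_model();
    return response_arrives ? 0 : -2;   /* report the timeout, free nothing */
}

/* Run one scenario from a clean pool; returns how many UAF touches the model saw. */
int uaf_count(bool fixed, bool submit_ok, bool response_arrives)
{
    memset(pool, 0, sizeof pool);
    in_flight = NULL; uaf_events = 0;
    if (fixed)
        connect_service_fixed(submit_ok, response_arrives);
    else
        connect_service_buggy(submit_ok, response_arrives);
    return uaf_events;
}

int main(void)
{
    printf("buggy, timeout after disconnect: %d UAF\n", uaf_count(false, true, false));
    printf("fixed, timeout after disconnect: %d UAF\n", uaf_count(true, true, false));
    return 0;
}
```

The model replaces the real timing (a timer softirq on another task giving the URB back while the worker sleeps in the connect path) with a deterministic usb_disconnect_model() call, which is enough to show the invariant that matters: once a buffer has been handed to an asynchronous transport, exactly one party may free it, and the submitting path's error branches must distinguish "submission failed, still mine" from "submitted, then timed out, no longer mine". The submit-failure case is kept in both variants because dropping the free there would turn the double free into a leak.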