[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
syzkaller login:
[ 16.798645][ C1] random: crng init done
[ 16.803178][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.1.45' (ECDSA) to the list of known hosts.
2020/05/19 06:57:25 parsed 1 programs
2020/05/19 06:57:26 executed programs: 0
[ 23.786155][ T372] cgroup: Unknown subsys name 'perf_event'
[ 23.792904][ T372] cgroup: Unknown subsys name 'net_cls'
[ 25.766011][ T95] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 26.045359][ T95] usb 1-1: too many configurations: 28, using maximum allowed: 8
[ 26.844614][ T95] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 26.853654][ T95] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 26.861813][ T95] usb 1-1: Product: syz
[ 26.866038][ T95] usb 1-1: Manufacturer: syz
[ 26.870641][ T95] usb 1-1: SerialNumber: syz
[ 26.915513][ T95] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 27.514116][ T95] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 27.914586][ T822] udc-core: couldn't find an available UDC or it's busy
[ 27.921615][ T822] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 28.543262][ T95] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[ 28.550303][ T95] ath9k_htc: Failed to initialize the device
[ 28.734834][ T167] usb 1-1: USB disconnect, device number 2
[ 28.764798][ T167] usb 1-1: ath9k_htc: USB layer deinitialized
2020/05/19 06:57:31 executed programs: 1
[ 29.512621][ T95] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 29.793151][ T95] usb 1-1: too many configurations: 28, using maximum allowed: 8
[ 30.592051][ T95] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 30.601092][ T95] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 30.609139][ T95] usb 1-1: Product: syz
[ 30.613368][ T95] usb 1-1: Manufacturer: syz
[ 30.617949][ T95] usb 1-1: SerialNumber: syz
[ 30.662594][ T95] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 31.231659][ T95] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 31.632238][ T830] udc-core: couldn't find an available UDC or it's busy
[ 31.639201][ T830] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 32.301001][ T95] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[ 32.307970][ T95] ath9k_htc: Failed to initialize the device
[ 32.451948][ T167] usb 1-1: USB disconnect, device number 3
[ 32.472342][ T167] usb 1-1: ath9k_htc: USB layer deinitialized
[ 33.220496][ T167] usb 1-1: new high-speed USB device number 4 using dummy_hcd
[ 33.510503][ T167] usb 1-1: too many configurations: 28, using maximum allowed: 8
[ 34.310062][ T167] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 34.319244][ T167] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 34.327387][ T167] usb 1-1: Product: syz
[ 34.331611][ T167] usb 1-1: Manufacturer: syz
[ 34.336183][ T167] usb 1-1: SerialNumber: syz
[ 34.381193][ T167] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 34.959770][ T167] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 35.360399][ T839] udc-core: couldn't find an available UDC or it's busy
[ 35.367409][ T839] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 35.979216][ T167] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[ 35.986298][ T167] ath9k_htc: Failed to initialize the device
[ 35.992576][ C1] ==================================================================
[ 35.992633][ C1] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0xad3/0xf90
[ 35.992644][ C1] Read of size 4 at addr ffff8881c76440dc by task kworker/1:3/167
[ 35.992648][ C1]
[ 35.992661][ C1] CPU: 1 PID: 167 Comm: kworker/1:3 Not tainted 5.7.0-rc5-syzkaller #0
[ 35.992668][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.992682][ C1] Workqueue: events request_firmware_work_func
[ 35.992688][ C1] Call Trace:
[ 35.992693][ C1]
[ 35.992706][ C1] dump_stack+0xef/0x16e
[ 35.992719][ C1] print_address_description.constprop.0.cold+0xd3/0x314
[ 35.992729][ C1] ? ath9k_hif_usb_rx_cb+0xad3/0xf90
[ 35.992738][ C1] __kasan_report.cold+0x37/0x92
[ 35.992748][ C1] ? ath9k_hif_usb_rx_cb+0xad3/0xf90
[ 35.992758][ C1] ? ath9k_hif_usb_rx_cb+0xad3/0xf90
[ 35.992766][ C1] kasan_report+0x33/0x50
[ 35.992778][ C1] ath9k_hif_usb_rx_cb+0xad3/0xf90
[ 35.992798][ C1] ? find_held_lock+0x2d/0x110
[ 35.992808][ C1] ? hif_usb_mgmt_cb+0x310/0x310
[ 35.992820][ C1] ? usb_hcd_unmap_urb_setup_for_dma+0x8a/0x470
[ 35.992830][ C1] ? do_raw_read_unlock+0x3b/0x70
[ 35.992841][ C1] ? _raw_read_unlock+0x1a/0x30
[ 35.992851][ C1] __usb_hcd_giveback_urb+0x1f2/0x470
[ 35.992861][ C1] usb_hcd_giveback_urb+0x368/0x420
[ 35.992874][ C1] dummy_timer+0x125e/0x32b4
[ 35.992887][ C1] ? dummy_udc_probe+0x980/0x980
[ 35.992900][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 35.992911][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 35.992923][ C1] call_timer_fn+0x1ac/0x700
[ 35.992935][ C1] ? dummy_udc_probe+0x980/0x980
[ 35.992946][ C1] ? timer_fixup_init+0x60/0x60
[ 35.992957][ C1] ? lock_downgrade+0x720/0x720
[ 35.992968][ C1] ? mark_held_locks+0x9f/0xe0
[ 35.992979][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 35.992989][ C1] ? _raw_spin_unlock_irq+0x1f/0x30
[ 35.993000][ C1] ? dummy_udc_probe+0x980/0x980
[ 35.993012][ C1] run_timer_softirq+0x5f9/0x1500
[ 35.993023][ C1] ? add_timer+0x7a0/0x7a0
[ 35.993034][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 35.993046][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 35.993057][ C1] ? mark_held_locks+0x9f/0xe0
[ 35.993068][ C1] __do_softirq+0x21e/0x9aa
[ 35.993081][ C1] irq_exit+0x178/0x1a0
[ 35.993094][ C1] smp_apic_timer_interrupt+0x141/0x540
[ 35.993105][ C1] apic_timer_interrupt+0xf/0x20
[ 35.993111][ C1]
[ 35.993125][ C1] RIP: 0010:console_unlock+0xa6b/0xca0
[ 35.993138][ C1] Code: 00 89 ee 48 c7 c7 20 d2 14 87 e8 50 cf 03 00 65 ff 0d f1 30 d8 7e e9 b5 f9 ff ff e8 4f 5f 16 00 e8 2a bb 1b 00 ff 74 24 30 9d 17 fe ff ff e8 3b 5f 16 00 48 8d 7d 08 48 89 f8 48 c1 e8 03 42
[ 35.993145][ C1] RSP: 0018:ffff8881cdbdfa30 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
[ 35.993157][ C1] RAX: 0000000000000007 RBX: 0000000000000200 RCX: 1ffffffff126c9bd
[ 35.993164][ C1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881cdb3b9fc
[ 35.993196][ C1] RBP: 0000000000000000 R08: 0000000000000001 R09: fffffbfff126c8bd
[ 35.993203][ C1] R10: ffffffff893645e7 R11: fffffbfff126c8bc R12: ffffffff82aba0b0
[ 35.993210][ C1] R13: ffffffff874ee290 R14: 0000000000000042 R15: dffffc0000000000
[ 35.993223][ C1] ? netconsole_netdev_event+0x2a0/0x2a0
[ 35.993236][ C1] vprintk_emit+0x16d/0x3e0
[ 35.993247][ C1] vprintk_func+0x75/0x113
[ 35.993257][ C1] printk+0xba/0xed
[ 35.993268][ C1] ? kmsg_dump_rewind_nolock+0xd9/0xd9
[ 35.993279][ C1] ? usb_free_urb.part.0+0x52/0x110
[ 35.993292][ C1] ? ath9k_htc_hw_init.cold+0x5/0x2a
[ 35.993303][ C1] ? ath9k_htc_hw_init+0x3d/0x60
[ 35.993316][ C1] ath9k_htc_hw_init.cold+0x17/0x2a
[ 35.993330][ C1] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 35.993343][ C1] ? ath9k_hif_usb_resume+0x320/0x320
[ 35.993356][ C1] request_firmware_work_func+0x126/0x242
[ 35.993369][ C1] ? request_firmware_into_buf+0x90/0x90
[ 35.993382][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 35.993394][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 35.993406][ C1] ? _raw_spin_unlock_irq+0x1f/0x30
[ 35.993417][ C1] process_one_work+0x965/0x1630
[ 35.993430][ C1] ? lock_release+0x720/0x720
[ 35.993441][ C1] ? pwq_dec_nr_in_flight+0x310/0x310
[ 35.993452][ C1] ? rwlock_bug.part.0+0x90/0x90
[ 35.993463][ C1] worker_thread+0x96/0xe20
[ 35.993475][ C1] ? process_one_work+0x1630/0x1630
[ 35.993487][ C1] kthread+0x326/0x430
[ 35.993500][ C1] ? kthread_create_on_node+0xf0/0xf0
[ 35.993511][ C1] ret_from_fork+0x24/0x30
[ 35.993517][ C1]
[ 35.993547][ C1] general protection fault, probably for non-canonical address 0xdead000000000400: 0000 [#1] SMP KASAN
[ 35.993558][ C1] CPU: 1 PID: 167 Comm: kworker/1:3 Not tainted 5.7.0-rc5-syzkaller #0
[ 35.993564][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.993576][ C1] Workqueue: events request_firmware_work_func
[ 35.993590][ C1] RIP: 0010:print_address_description.constprop.0.cold+0x124/0x314
[ 35.993602][ C1] Code: 00 f6 c4 02 0f 84 0f ff ff ff 48 89 e9 48 2b 0d 1c 00 85 05 4c 89 e0 4c 8b 6d 18 48 c1 f9 06 48 c1 e1 0c 48 03 0d 16 00 85 05 <41> 8b 7d 18 48 29 c8 48 99 48 f7 ff 4c 89 e0 48 29 d0 48 89 c2 0f
[ 35.993608][ C1] RSP: 0018:ffff8881db309858 EFLAGS: 00010086
[ 35.993616][ C1] RAX: ffff8881c76440dc RBX: 0000000000000004 RCX: ffff8881c7644000
[ 35.993622][ C1] RDX: 0000000000000000 RSI: ffffffff812a31fd RDI: ffffed103b6612fd
[ 35.993629][ C1] RBP: ffffea00071d9100 R08: 0000000000000000 R09: ffffed103b6643c9
[ 35.993636][ C1] R10: ffff8881db321e43 R11: ffffed103b6643c8 R12: ffff8881c76440dc
[ 35.993642][ C1] R13: dead000000000400 R14: ffff8881c79ab800 R15: ffff8881c96bd000
[ 35.993650][ C1] FS: 0000000000000000(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
[ 35.993661][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 35.993667][ C1] CR2: 00007f4d803e1020 CR3: 00000001c69ab000 CR4: 00000000001406e0
[ 35.993681][ C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 35.993687][ C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 35.993690][ C1] Call Trace:
[ 35.993693][ C1]
[ 35.993707][ C1] ? ath9k_hif_usb_rx_cb+0xad3/0xf90
[ 35.993716][ C1] __kasan_report.cold+0x37/0x92
[ 35.993729][ C1] ? ath9k_hif_usb_rx_cb+0xad3/0xf90
[ 35.993741][ C1] ? ath9k_hif_usb_rx_cb+0xad3/0xf90
[ 35.993749][ C1] kasan_report+0x33/0x50
[ 35.993759][ C1] ath9k_hif_usb_rx_cb+0xad3/0xf90
[ 35.993769][ C1] ? find_held_lock+0x2d/0x110
[ 35.993783][ C1] ? hif_usb_mgmt_cb+0x310/0x310
[ 35.993793][ C1] ? usb_hcd_unmap_urb_setup_for_dma+0x8a/0x470
[ 35.993806][ C1] ? do_raw_read_unlock+0x3b/0x70
[ 35.993814][ C1] ? _raw_read_unlock+0x1a/0x30
[ 35.993823][ C1] __usb_hcd_giveback_urb+0x1f2/0x470
[ 35.993833][ C1] usb_hcd_giveback_urb+0x368/0x420
[ 35.993848][ C1] dummy_timer+0x125e/0x32b4
[ 35.993862][ C1] ? dummy_udc_probe+0x980/0x980
[ 35.993879][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 35.993889][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 35.993902][ C1] call_timer_fn+0x1ac/0x700
[ 35.993911][ C1] ? dummy_udc_probe+0x980/0x980
[ 35.993925][ C1] ? timer_fixup_init+0x60/0x60
[ 35.993934][ C1] ? lock_downgrade+0x720/0x720
[ 35.993944][ C1] ? mark_held_locks+0x9f/0xe0
[ 35.993953][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 35.993965][ C1] ? _raw_spin_unlock_irq+0x1f/0x30
[ 35.993976][ C1] ? dummy_udc_probe+0x980/0x980
[ 35.993986][ C1] run_timer_softirq+0x5f9/0x1500
[ 35.993996][ C1] ? add_timer+0x7a0/0x7a0
[ 35.994011][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 35.994021][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 35.994034][ C1] ? mark_held_locks+0x9f/0xe0
[ 35.994048][ C1] __do_softirq+0x21e/0x9aa
[ 35.994058][ C1] irq_exit+0x178/0x1a0
[ 35.994069][ C1] smp_apic_timer_interrupt+0x141/0x540
[ 35.994079][ C1] apic_timer_interrupt+0xf/0x20
[ 35.994083][ C1]
[ 35.994095][ C1] RIP: 0010:console_unlock+0xa6b/0xca0
[ 35.994110][ C1] Code: 00 89 ee 48 c7 c7 20 d2 14 87 e8 50 cf 03 00 65 ff 0d f1 30 d8 7e e9 b5 f9 ff ff e8 4f 5f 16 00 e8 2a bb 1b 00 ff 74 24 30 9d 17 fe ff ff e8 3b 5f 16 00 48 8d 7d 08 48 89 f8 48 c1 e8 03 42
[ 35.994115][ C1] RSP: 0018:ffff8881cdbdfa30 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
[ 35.994124][ C1] RAX: 0000000000000007 RBX: 0000000000000200 RCX: 1ffffffff126c9bd
[ 35.994130][ C1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881cdb3b9fc
[ 35.994140][ C1] RBP: 0000000000000000 R08: 0000000000000001 R09: fffffbfff126c8bd
[ 35.994146][ C1] R10: ffffffff893645e7 R11: fffffbfff126c8bc R12: ffffffff82aba0b0
[ 35.994152][ C1] R13: ffffffff874ee290 R14: 0000000000000042 R15: dffffc0000000000
[ 35.994163][ C1] ? netconsole_netdev_event+0x2a0/0x2a0
[ 35.994177][ C1] vprintk_emit+0x16d/0x3e0
[ 35.994186][ C1] vprintk_func+0x75/0x113
[ 35.994195][ C1] printk+0xba/0xed
[ 35.994204][ C1] ? kmsg_dump_rewind_nolock+0xd9/0xd9
[ 35.994214][ C1] ? usb_free_urb.part.0+0x52/0x110
[ 35.994225][ C1] ? ath9k_htc_hw_init.cold+0x5/0x2a
[ 35.994236][ C1] ? ath9k_htc_hw_init+0x3d/0x60
[ 35.994246][ C1] ath9k_htc_hw_init.cold+0x17/0x2a
[ 35.994258][ C1] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 35.994269][ C1] ? ath9k_hif_usb_resume+0x320/0x320
[ 35.994280][ C1] request_firmware_work_func+0x126/0x242
[ 35.994309][ C1] ? request_firmware_into_buf+0x90/0x90
[ 35.994320][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 35.994331][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 35.994341][ C1] ? _raw_spin_unlock_irq+0x1f/0x30
[ 35.994351][ C1] process_one_work+0x965/0x1630
[ 35.994361][ C1] ? lock_release+0x720/0x720
[ 35.994370][ C1] ? pwq_dec_nr_in_flight+0x310/0x310
[ 35.994377][ C1] ? rwlock_bug.part.0+0x90/0x90
[ 35.994385][ C1] worker_thread+0x96/0xe20
[ 35.994393][ C1] ? process_one_work+0x1630/0x1630
[ 35.994401][ C1] kthread+0x326/0x430
[ 35.994412][ C1] ? kthread_create_on_node+0xf0/0xf0
[ 35.994421][ C1] ret_from_fork+0x24/0x30
[ 35.994426][ C1] Modules linked in:
[ 35.994440][ C1] ---[ end trace d7b0f12c2e41c773 ]---
[ 35.994452][ C1] RIP: 0010:print_address_description.constprop.0.cold+0x124/0x314
[ 35.994462][ C1] Code: 00 f6 c4 02 0f 84 0f ff ff ff 48 89 e9 48 2b 0d 1c 00 85 05 4c 89 e0 4c 8b 6d 18 48 c1 f9 06 48 c1 e1 0c 48 03 0d 16 00 85 05 <41> 8b 7d 18 48 29 c8 48 99 48 f7 ff 4c 89 e0 48 29 d0 48 89 c2 0f
[ 35.994468][ C1] RSP: 0018:ffff8881db309858 EFLAGS: 00010086
[ 35.994475][ C1] RAX: ffff8881c76440dc RBX: 0000000000000004 RCX: ffff8881c7644000
[ 35.994482][ C1] RDX: 0000000000000000 RSI: ffffffff812a31fd RDI: ffffed103b6612fd
[ 35.994488][ C1] RBP: ffffea00071d9100 R08: 0000000000000000 R09: ffffed103b6643c9
[ 35.994494][ C1] R10: ffff8881db321e43 R11: ffffed103b6643c8 R12: ffff8881c76440dc
[ 35.994508][ C1] R13: dead000000000400 R14: ffff8881c79ab800 R15: ffff8881c96bd000
[ 35.994517][ C1] FS: 0000000000000000(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
[ 35.994526][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 35.994532][ C1] CR2: 00007f4d803e1020 CR3: 00000001c69ab000 CR4: 00000000001406e0
[ 35.994538][ C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 35.994544][ C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 35.994550][ C1] Kernel panic - not syncing: Fatal exception in interrupt
[ 35.995190][ C1] Kernel Offset: disabled
[ 37.107458][ C1] Rebooting in 86400 seconds..