[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.

Debian GNU/Linux 9 syzkaller ttyS0

syzkaller login: [ 16.591718][ C1] random: crng init done
[ 16.596759][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.0.228' (ECDSA) to the list of known hosts.
executing program
[ 28.305927][ T167] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 28.835026][ T167] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 28.844190][ T167] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 28.852275][ T167] usb 1-1: Product: syz
[ 28.856521][ T167] usb 1-1: Manufacturer: syz
[ 28.861116][ T167] usb 1-1: SerialNumber: syz
[ 28.905838][ T167] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 29.484453][ T167] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 29.886098][ T12] usb 1-1: USB disconnect, device number 2
[ 30.743576][ T167] usb 1-1: Service connection timeout for: 256
[ 30.750954][ T167] ==================================================================
[ 30.759638][ T167] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 30.769022][ T167] Read of size 4 at addr ffff8881cd81e0d4 by task kworker/0:3/167
[ 30.782723][ T167]
[ 30.793731][ T167] CPU: 0 PID: 167 Comm: kworker/0:3 Not tainted 5.7.0-rc6-syzkaller #0
[ 30.801998][ T167] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.812065][ T167] Workqueue: events request_firmware_work_func
[ 30.818199][ T167] Call Trace:
[ 30.821492][ T167]  dump_stack+0xef/0x16e
[ 30.825726][ T167]  print_address_description.constprop.0.cold+0xd3/0x415
[ 30.832729][ T167]  ? vprintk_func+0x7d/0x113
[ 30.837296][ T167]  ? kfree_skb+0x32/0x3d0
[ 30.841603][ T167]  __kasan_report.cold+0x37/0x7d
[ 30.846516][ T167]  ? kfree_skb+0x32/0x3d0
[ 30.850821][ T167]  ? kfree_skb+0x32/0x3d0
[ 30.855124][ T167]  kasan_report+0x33/0x50
[ 30.859430][ T167]  check_memory_region+0x173/0x1d0
[ 30.864515][ T167]  kfree_skb+0x32/0x3d0
[ 30.868665][ T167]  htc_connect_service.cold+0xa9/0x109
[ 30.874097][ T167]  ath9k_wmi_connect+0xd2/0x1a0
[ 30.878922][ T167]  ? ath9k_fatal_work+0x20/0x20
[ 30.883762][ T167]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 30.889811][ T167]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 30.895425][ T167]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 30.901827][ T167]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 30.907097][ T167]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 30.912619][ T167]  ? __raw_spin_lock_init+0x34/0x100
[ 30.917882][ T167]  ? tasklet_init+0x69/0x110
[ 30.922448][ T167]  ath9k_htc_probe_device+0x25a/0x1da0
[ 30.927887][ T167]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 30.934539][ T167]  ? usb_submit_urb+0x6ed/0x1460
[ 30.939452][ T167]  ? usb_free_urb.part.0+0x52/0x110
[ 30.944625][ T167]  ? usb_free_urb+0x1b/0x30
[ 30.949103][ T167]  ath9k_htc_hw_init+0x31/0x60
[ 30.953864][ T167]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 30.959509][ T167]  ? ath9k_hif_usb_resume+0x320/0x320
[ 30.964869][ T167]  request_firmware_work_func+0x126/0x242
[ 30.970565][ T167]  ? request_firmware_into_buf+0x90/0x90
[ 30.976200][ T167]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 30.981732][ T167]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 30.987020][ T167]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 30.992211][ T167]  process_one_work+0x965/0x1630
[ 30.997133][ T167]  ? lock_release+0x720/0x720
[ 31.001792][ T167]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 31.007140][ T167]  ? rwlock_bug.part.0+0x90/0x90
[ 31.012074][ T167]  worker_thread+0x96/0xe20
[ 31.016553][ T167]  ? process_one_work+0x1630/0x1630
[ 31.021755][ T167]  kthread+0x326/0x430
[ 31.025818][ T167]  ? kthread_create_on_node+0xf0/0xf0
[ 31.031168][ T167]  ret_from_fork+0x24/0x30
[ 31.035557][ T167]
[ 31.037869][ T167] Allocated by task 167:
[ 31.042116][ T167]  save_stack+0x1b/0x40
[ 31.046250][ T167]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 31.051858][ T167]  kmem_cache_alloc_node+0xdc/0x330
[ 31.057048][ T167]  __alloc_skb+0xba/0x5a0
[ 31.061369][ T167]  htc_connect_service+0x2cc/0x840
[ 31.066461][ T167]  ath9k_wmi_connect+0xd2/0x1a0
[ 31.071299][ T167]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 31.077689][ T167]  ath9k_htc_probe_device+0x25a/0x1da0
[ 31.083137][ T167]  ath9k_htc_hw_init+0x31/0x60
[ 31.087887][ T167]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 31.093554][ T167]  request_firmware_work_func+0x126/0x242
[ 31.099253][ T167]  process_one_work+0x965/0x1630
[ 31.104515][ T167]  worker_thread+0x96/0xe20
[ 31.109001][ T167]  kthread+0x326/0x430
[ 31.113048][ T167]  ret_from_fork+0x24/0x30
[ 31.117481][ T167]
[ 31.119788][ T167] Freed by task 0:
[ 31.123534][ T167]  save_stack+0x1b/0x40
[ 31.127663][ T167]  __kasan_slab_free+0x117/0x160
[ 31.132589][ T167]  kmem_cache_free+0x9b/0x360
[ 31.137254][ T167]  kfree_skbmem+0xef/0x1b0
[ 31.141651][ T167]  kfree_skb+0x102/0x3d0
[ 31.145922][ T167]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 31.151529][ T167]  hif_usb_regout_cb+0x115/0x1c0
[ 31.156497][ T167]  __usb_hcd_giveback_urb+0x29a/0x550
[ 31.162004][ T167]  usb_hcd_giveback_urb+0x368/0x420
[ 31.167324][ T167]  dummy_timer+0x125e/0x32b4
[ 31.171893][ T167]  call_timer_fn+0x1ac/0x700
[ 31.176507][ T167]  run_timer_softirq+0x5f9/0x1500
[ 31.181509][ T167]  __do_softirq+0x21e/0x9aa
[ 31.185981][ T167]
[ 31.188286][ T167] The buggy address belongs to the object at ffff8881cd81e000
[ 31.188286][ T167]  which belongs to the cache skbuff_head_cache of size 224
[ 31.202846][ T167] The buggy address is located 212 bytes inside of
[ 31.202846][ T167]  224-byte region [ffff8881cd81e000, ffff8881cd81e0e0)
[ 31.216095][ T167] The buggy address belongs to the page:
[ 31.221735][ T167] page:ffffea0007360780 refcount:1 mapcount:0 mapping:00000000e1e335a7 index:0x0
[ 31.230839][ T167] flags: 0x200000000000200(slab)
[ 31.235769][ T167] raw: 0200000000000200 0000000000000000 0000000100000001 ffff8881da175400
[ 31.244331][ T167] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 31.252885][ T167] page dumped because: kasan: bad access detected
[ 31.259269][ T167]
[ 31.261575][ T167] Memory state around the buggy address:
[ 31.267190][ T167]  ffff8881cd81df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.275225][ T167]  ffff8881cd81e000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.283261][ T167] >ffff8881cd81e080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 31.291298][ T167]                                                  ^
[ 31.297960][ T167]  ffff8881cd81e100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 31.306003][ T167]  ffff8881cd81e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.314035][ T167] ==================================================================
[ 31.322072][ T167] Disabling lock debugging due to kernel taint
[ 31.328272][ T167] Kernel panic - not syncing: panic_on_warn set ...
[ 31.334866][ T167] CPU: 0 PID: 167 Comm: kworker/0:3 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 31.345010][ T167] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.355069][ T167] Workqueue: events request_firmware_work_func
[ 31.361380][ T167] Call Trace:
[ 31.364678][ T167]  dump_stack+0xef/0x16e
[ 31.368895][ T167]  panic+0x2aa/0x6e1
[ 31.372761][ T167]  ? add_taint.cold+0x16/0x16
[ 31.377411][ T167]  ? retint_kernel+0x10/0x10
[ 31.381973][ T167]  ? kfree_skb+0x32/0x3d0
[ 31.386298][ T167]  ? trace_hardirqs_on+0x55/0x200
[ 31.391308][ T167]  ? kfree_skb+0x32/0x3d0
[ 31.395616][ T167]  end_report+0x4d/0x53
[ 31.399751][ T167]  __kasan_report.cold+0x72/0x7d
[ 31.404693][ T167]  ? kfree_skb+0x32/0x3d0
[ 31.408997][ T167]  ? kfree_skb+0x32/0x3d0
[ 31.413329][ T167]  kasan_report+0x33/0x50
[ 31.417634][ T167]  check_memory_region+0x173/0x1d0
[ 31.422731][ T167]  kfree_skb+0x32/0x3d0
[ 31.426875][ T167]  htc_connect_service.cold+0xa9/0x109
[ 31.432375][ T167]  ath9k_wmi_connect+0xd2/0x1a0
[ 31.437259][ T167]  ? ath9k_fatal_work+0x20/0x20
[ 31.442087][ T167]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 31.448138][ T167]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 31.453745][ T167]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 31.460150][ T167]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 31.465410][ T167]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 31.470939][ T167]  ? __raw_spin_lock_init+0x34/0x100
[ 31.476203][ T167]  ? tasklet_init+0x69/0x110
[ 31.480768][ T167]  ath9k_htc_probe_device+0x25a/0x1da0
[ 31.486238][ T167]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 31.492897][ T167]  ? usb_submit_urb+0x6ed/0x1460
[ 31.497810][ T167]  ? usb_free_urb.part.0+0x52/0x110
[ 31.503007][ T167]  ? usb_free_urb+0x1b/0x30
[ 31.507482][ T167]  ath9k_htc_hw_init+0x31/0x60
[ 31.512235][ T167]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 31.517842][ T167]  ? ath9k_hif_usb_resume+0x320/0x320
[ 31.523202][ T167]  request_firmware_work_func+0x126/0x242
[ 31.528897][ T167]  ? request_firmware_into_buf+0x90/0x90
[ 31.534505][ T167]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 31.540082][ T167]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 31.545388][ T167]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 31.550558][ T167]  process_one_work+0x965/0x1630
[ 31.555590][ T167]  ? lock_release+0x720/0x720
[ 31.560296][ T167]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 31.565646][ T167]  ? rwlock_bug.part.0+0x90/0x90
[ 31.570557][ T167]  worker_thread+0x96/0xe20
[ 31.575115][ T167]  ? process_one_work+0x1630/0x1630
[ 31.580299][ T167]  kthread+0x326/0x430
[ 31.584364][ T167]  ? kthread_create_on_node+0xf0/0xf0
[ 31.589764][ T167]  ret_from_fork+0x24/0x30
[ 31.594894][ T167] Kernel Offset: disabled
[ 31.599205][ T167] Rebooting in 86400 seconds..