[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.

Debian GNU/Linux 9 syzkaller ttyS0

syzkaller login: [ 17.019600][ C1] random: crng init done
[ 17.024105][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.10.16' (ECDSA) to the list of known hosts.
executing program
[ 36.598857][ T94] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 37.128631][ T94] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 37.138713][ T94] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 37.147272][ T94] usb 1-1: Product: syz
[ 37.152175][ T94] usb 1-1: Manufacturer: syz
[ 37.157052][ T94] usb 1-1: SerialNumber: syz
[ 37.199762][ T94] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 37.798513][ T94] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 38.200905][ T12] usb 1-1: USB disconnect, device number 2
[ 39.067605][ T94] usb 1-1: Service connection timeout for: 256
[ 39.074366][ T94] ==================================================================
[ 39.082591][ T94] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 39.089381][ T94] Read of size 4 at addr ffff8881cd2ae994 by task kworker/0:2/94
[ 39.107291][ T94]
[ 39.109831][ T94] CPU: 0 PID: 94 Comm: kworker/0:2 Not tainted 5.7.0-rc6-syzkaller #0
[ 39.119987][ T94] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.130391][ T94] Workqueue: events request_firmware_work_func
[ 39.136571][ T94] Call Trace:
[ 39.139938][ T94]  dump_stack+0xef/0x16e
[ 39.144325][ T94]  print_address_description.constprop.0.cold+0xd3/0x415
[ 39.151348][ T94]  ? vprintk_func+0x7d/0x113
[ 39.155967][ T94]  ? kfree_skb+0x32/0x3d0
[ 39.160297][ T94]  __kasan_report.cold+0x37/0x7d
[ 39.165305][ T94]  ? kfree_skb+0x32/0x3d0
[ 39.169879][ T94]  ? kfree_skb+0x32/0x3d0
[ 39.175694][ T94]  kasan_report+0x33/0x50
[ 39.180058][ T94]  check_memory_region+0x173/0x1d0
[ 39.185245][ T94]  kfree_skb+0x32/0x3d0
[ 39.189471][ T94]  htc_connect_service.cold+0xa9/0x109
[ 39.194938][ T94]  ath9k_wmi_connect+0xd2/0x1a0
[ 39.199798][ T94]  ? ath9k_fatal_work+0x20/0x20
[ 39.204663][ T94]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 39.211044][ T94]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 39.217545][ T94]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 39.223976][ T94]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 39.230034][ T94]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 39.235882][ T94]  ? __raw_spin_lock_init+0x34/0x100
[ 39.241175][ T94]  ? tasklet_init+0x69/0x110
[ 39.246205][ T94]  ath9k_htc_probe_device+0x25a/0x1da0
[ 39.259466][ T94]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 39.266334][ T94]  ? usb_submit_urb+0x6ed/0x1460
[ 39.271626][ T94]  ? usb_free_urb.part.0+0x52/0x110
[ 39.276879][ T94]  ? usb_free_urb+0x1b/0x30
[ 39.281392][ T94]  ath9k_htc_hw_init+0x31/0x60
[ 39.286172][ T94]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 39.292251][ T94]  ? ath9k_hif_usb_resume+0x320/0x320
[ 39.297812][ T94]  request_firmware_work_func+0x126/0x242
[ 39.303913][ T94]  ? request_firmware_into_buf+0x90/0x90
[ 39.310200][ T94]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 39.315946][ T94]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 39.321270][ T94]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 39.326769][ T94]  process_one_work+0x965/0x1630
[ 39.331802][ T94]  ? lock_release+0x720/0x720
[ 39.336677][ T94]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 39.342051][ T94]  ? rwlock_bug.part.0+0x90/0x90
[ 39.347531][ T94]  worker_thread+0x96/0xe20
[ 39.352270][ T94]  ? process_one_work+0x1630/0x1630
[ 39.357474][ T94]  kthread+0x326/0x430
[ 39.361557][ T94]  ? kthread_create_on_node+0xf0/0xf0
[ 39.367124][ T94]  ret_from_fork+0x24/0x30
[ 39.371730][ T94]
[ 39.374072][ T94] Allocated by task 94:
[ 39.379182][ T94]  save_stack+0x1b/0x40
[ 39.383342][ T94]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 39.388962][ T94]  kmem_cache_alloc_node+0xdc/0x330
[ 39.394349][ T94]  __alloc_skb+0xba/0x5a0
[ 39.398690][ T94]  htc_connect_service+0x2cc/0x840
[ 39.403801][ T94]  ath9k_wmi_connect+0xd2/0x1a0
[ 39.409967][ T94]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 39.416614][ T94]  ath9k_htc_probe_device+0x25a/0x1da0
[ 39.422092][ T94]  ath9k_htc_hw_init+0x31/0x60
[ 39.426920][ T94]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 39.432568][ T94]  request_firmware_work_func+0x126/0x242
[ 39.438501][ T94]  process_one_work+0x965/0x1630
[ 39.443914][ T94]  worker_thread+0x96/0xe20
[ 39.448497][ T94]  kthread+0x326/0x430
[ 39.452568][ T94]  ret_from_fork+0x24/0x30
[ 39.457360][ T94]
[ 39.459691][ T94] Freed by task 0:
[ 39.463433][ T94]  save_stack+0x1b/0x40
[ 39.467770][ T94]  __kasan_slab_free+0x117/0x160
[ 39.473757][ T94]  kmem_cache_free+0x9b/0x360
[ 39.478443][ T94]  kfree_skbmem+0xef/0x1b0
[ 39.482856][ T94]  kfree_skb+0x102/0x3d0
[ 39.487186][ T94]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 39.493923][ T94]  hif_usb_regout_cb+0x115/0x1c0
[ 39.500838][ T94]  __usb_hcd_giveback_urb+0x29a/0x550
[ 39.506266][ T94]  usb_hcd_giveback_urb+0x368/0x420
[ 39.513641][ T94]  dummy_timer+0x125e/0x32b4
[ 39.518545][ T94]  call_timer_fn+0x1ac/0x700
[ 39.523706][ T94]  run_timer_softirq+0x5f9/0x1500
[ 39.528985][ T94]  __do_softirq+0x21e/0x9aa
[ 39.533774][ T94]
[ 39.536189][ T94] The buggy address belongs to the object at ffff8881cd2ae8c0
[ 39.536189][ T94]  which belongs to the cache skbuff_head_cache of size 224
[ 39.551632][ T94] The buggy address is located 212 bytes inside of
[ 39.551632][ T94]  224-byte region [ffff8881cd2ae8c0, ffff8881cd2ae9a0)
[ 39.566089][ T94] The buggy address belongs to the page:
[ 39.571752][ T94] page:ffffea000734ab80 refcount:1 mapcount:0 mapping:000000004352f05d index:0x0
[ 39.581642][ T94] flags: 0x200000000000200(slab)
[ 39.586889][ T94] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 39.596012][ T94] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 39.606761][ T94] page dumped because: kasan: bad access detected
[ 39.613157][ T94]
[ 39.615493][ T94] Memory state around the buggy address:
[ 39.621215][ T94]  ffff8881cd2ae880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 39.629569][ T94]  ffff8881cd2ae900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.637613][ T94] >ffff8881cd2ae980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.647726][ T94]                          ^
[ 39.652462][ T94]  ffff8881cd2aea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.660618][ T94]  ffff8881cd2aea80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 39.668690][ T94] ==================================================================
[ 39.676902][ T94] Disabling lock debugging due to kernel taint
[ 39.683977][ T94] Kernel panic - not syncing: panic_on_warn set ...
[ 39.690931][ T94] CPU: 0 PID: 94 Comm: kworker/0:2 Tainted: G    B   5.7.0-rc6-syzkaller #0
[ 39.700563][ T94] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.710902][ T94] Workqueue: events request_firmware_work_func
[ 39.717702][ T94] Call Trace:
[ 39.721003][ T94]  dump_stack+0xef/0x16e
[ 39.725525][ T94]  panic+0x2aa/0x6e1
[ 39.729528][ T94]  ? add_taint.cold+0x16/0x16
[ 39.734200][ T94]  ? retint_kernel+0x10/0x10
[ 39.739407][ T94]  ? kfree_skb+0x32/0x3d0
[ 39.743821][ T94]  ? trace_hardirqs_on+0x55/0x200
[ 39.748842][ T94]  ? kfree_skb+0x32/0x3d0
[ 39.753881][ T94]  end_report+0x4d/0x53
[ 39.758272][ T94]  __kasan_report.cold+0x72/0x7d
[ 39.763203][ T94]  ? kfree_skb+0x32/0x3d0
[ 39.767515][ T94]  ? kfree_skb+0x32/0x3d0
[ 39.771825][ T94]  kasan_report+0x33/0x50
[ 39.776247][ T94]  check_memory_region+0x173/0x1d0
[ 39.781365][ T94]  kfree_skb+0x32/0x3d0
[ 39.785631][ T94]  htc_connect_service.cold+0xa9/0x109
[ 39.791484][ T94]  ath9k_wmi_connect+0xd2/0x1a0
[ 39.796345][ T94]  ? ath9k_fatal_work+0x20/0x20
[ 39.801199][ T94]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 39.807255][ T94]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 39.813060][ T94]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 39.819595][ T94]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 39.824883][ T94]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 39.830548][ T94]  ? __raw_spin_lock_init+0x34/0x100
[ 39.835939][ T94]  ? tasklet_init+0x69/0x110
[ 39.840729][ T94]  ath9k_htc_probe_device+0x25a/0x1da0
[ 39.846187][ T94]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 39.852865][ T94]  ? usb_submit_urb+0x6ed/0x1460
[ 39.858205][ T94]  ? usb_free_urb.part.0+0x52/0x110
[ 39.863802][ T94]  ? usb_free_urb+0x1b/0x30
[ 39.868975][ T94]  ath9k_htc_hw_init+0x31/0x60
[ 39.873985][ T94]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 39.879895][ T94]  ? ath9k_hif_usb_resume+0x320/0x320
[ 39.885673][ T94]  request_firmware_work_func+0x126/0x242
[ 39.891410][ T94]  ? request_firmware_into_buf+0x90/0x90
[ 39.897248][ T94]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 39.903019][ T94]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 39.908830][ T94]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 39.914321][ T94]  process_one_work+0x965/0x1630
[ 39.919254][ T94]  ? lock_release+0x720/0x720
[ 39.924666][ T94]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 39.930036][ T94]  ? rwlock_bug.part.0+0x90/0x90
[ 39.934959][ T94]  worker_thread+0x96/0xe20
[ 39.939543][ T94]  ? process_one_work+0x1630/0x1630
[ 39.945054][ T94]  kthread+0x326/0x430
[ 39.949167][ T94]  ? kthread_create_on_node+0xf0/0xf0
[ 39.954927][ T94]  ret_from_fork+0x24/0x30
[ 39.960290][ T94] Kernel Offset: disabled
[ 39.964760][ T94] Rebooting in 86400 seconds..