[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.6' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 40.321975][ T30] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 40.841934][ T30] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 40.851110][ T30] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 40.859146][ T30] usb 1-1: Product: syz
[ 40.863410][ T30] usb 1-1: Manufacturer: syz
[ 40.868136][ T30] usb 1-1: SerialNumber: syz
[ 40.916361][ T30] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 41.531506][ T30] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 41.971346][ C1] ==================================================================
[ 41.979521][ C1] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 41.987217][ C1] Read of size 49387 at addr ffff88810a578000 by task swapper/1/0
[ 41.994991][ C1]
[ 41.997304][ C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.9.0-syzkaller #0
[ 42.004821][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.014868][ C1] Call Trace:
[ 42.018132][ C1]
[ 42.021006][ C1] dump_stack+0x107/0x163
[ 42.025315][ C1] ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 42.030663][ C1] ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 42.036028][ C1] print_address_description.constprop.0.cold+0xae/0x4c8
[ 42.043025][ C1] ? lock_acquire+0x1a7/0x870
[ 42.047679][ C1] ? ath9k_hif_usb_rx_cb+0x244/0x1020
[ 42.053028][ C1] ? vprintk_func+0x93/0x140
[ 42.057606][ C1] ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 42.062953][ C1] ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 42.068560][ C1] kasan_report.cold+0x1f/0x37
[ 42.073299][ C1] ? rwlock_bug.part.0+0x80/0x90
[ 42.078214][ C1] ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 42.083579][ C1] check_memory_region+0x13d/0x180
[ 42.088666][ C1] memcpy+0x20/0x60
[ 42.092465][ C1] ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 42.097652][ C1] ? lock_acquire+0x1a7/0x870
[ 42.102306][ C1] ? hif_usb_start+0xa0/0xa0
[ 42.106888][ C1] ? __usb_hcd_giveback_urb+0x302/0x560
[ 42.112410][ C1] ? lock_downgrade+0x6d0/0x6d0
[ 42.117275][ C1] __usb_hcd_giveback_urb+0x32d/0x560
[ 42.122621][ C1] usb_hcd_giveback_urb+0x367/0x410
[ 42.127795][ C1] dummy_timer+0x11f4/0x3280
[ 42.132359][ C1] ? dummy_dequeue+0x4c0/0x4c0
[ 42.137123][ C1] ? dummy_dequeue+0x4c0/0x4c0
[ 42.141862][ C1] call_timer_fn+0x1a5/0x630
[ 42.146427][ C1] ? timer_fixup_init+0x60/0x60
[ 42.151250][ C1] ? lock_downgrade+0x6d0/0x6d0
[ 42.156093][ C1] ? lockdep_hardirqs_on_prepare+0x129/0x3e0
[ 42.162054][ C1] ? dummy_dequeue+0x4c0/0x4c0
[ 42.166792][ C1] __run_timers.part.0+0x67c/0xa10
[ 42.171894][ C1] ? call_timer_fn+0x630/0x630
[ 42.176648][ C1] ? clockevents_program_event+0x12b/0x350
[ 42.182452][ C1] ? tick_program_event+0xa8/0x130
[ 42.187540][ C1] run_timer_softirq+0x80/0x120
[ 42.192365][ C1] __do_softirq+0x1b2/0x945
[ 42.196846][ C1] asm_call_irq_on_stack+0xf/0x20
[ 42.201870][ C1]
[ 42.204787][ C1] do_softirq_own_stack+0x80/0xa0
[ 42.209876][ C1] irq_exit_rcu+0x110/0x1a0
[ 42.214358][ C1] sysvec_apic_timer_interrupt+0x43/0xa0
[ 42.219982][ C1] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 42.225957][ C1] RIP: 0010:acpi_idle_do_entry+0x1c9/0x250
[ 42.231747][ C1] Code: bd c9 a3 fb 84 db 75 ac e8 64 d1 a3 fb e8 9f 77 a9 fb e9 0c 00 00 00 e8 55 d1 a3 fb 0f 00 2d 9e 44 6c 00 e8 49 d1 a3 fb fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 e4 c9 a3 fb 48 85 db
[ 42.251472][ C1] RSP: 0018:ffffc900000dfd18 EFLAGS: 00000293
[ 42.257522][ C1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffffffff10788a1
[ 42.265526][ C1] RDX: ffff888100293280 RSI: ffffffff859afbe7 RDI: ffffffff859afbd1
[ 42.273481][ C1] RBP: ffff8881008c6864 R08: 0000000000000001 R09: 0000000000000001
[ 42.281437][ C1] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
[ 42.289398][ C1] R13: ffff8881008c6800 R14: ffff8881008c6864 R15: ffff888103f9a004
[ 42.297368][ C1] ? acpi_idle_do_entry+0x1c7/0x250
[ 42.302553][ C1] ? acpi_idle_do_entry+0x1b1/0x250
[ 42.307727][ C1] ? acpi_idle_do_entry+0x1c7/0x250
[ 42.312901][ C1] acpi_idle_enter+0x355/0x4f0
[ 42.317644][ C1] cpuidle_enter_state+0x1b1/0xc80
[ 42.322728][ C1] cpuidle_enter+0x4a/0xa0
[ 42.327132][ C1] do_idle+0x3d5/0x580
[ 42.331176][ C1] ? arch_cpu_idle_exit+0x40/0x40
[ 42.336183][ C1] cpu_startup_entry+0x14/0x20
[ 42.340919][ C1] start_secondary+0x265/0x340
[ 42.345659][ C1] ? set_cpu_sibling_map+0x2460/0x2460
[ 42.351090][ C1] secondary_startup_64_no_verify+0xa6/0xab
[ 42.356964][ C1]
[ 42.359277][ C1] The buggy address belongs to the page:
[ 42.365071][ C1] page:00000000d33ce639 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10a578
[ 42.375373][ C1] head:00000000d33ce639 order:3 compound_mapcount:0 compound_pincount:0
[ 42.383668][ C1] flags: 0x200000000010000(head)
[ 42.388582][ C1] raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
[ 42.397149][ C1] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 42.405708][ C1] page dumped because: kasan: bad access detected
[ 42.412091][ C1]
[ 42.414394][ C1] Memory state around the buggy address:
[ 42.419998][ C1] ffff88810a57ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.428033][ C1] ffff88810a57ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.436068][ C1] >ffff88810a580000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.444100][ C1] ^
[ 42.448140][ C1] ffff88810a580080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.456182][ C1] ffff88810a580100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.464216][ C1] ==================================================================
[ 42.472248][ C1] Disabling lock debugging due to kernel taint
[ 42.478372][ C1] Kernel panic - not syncing: panic_on_warn set ...
[ 42.484933][ C1] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G B 5.9.0-syzkaller #0
[ 42.493850][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.503961][ C1] Call Trace:
[ 42.507235][ C1]
[ 42.510065][ C1] dump_stack+0x107/0x163
[ 42.514807][ C1] ? ath9k_hif_usb_rx_cb+0x300/0x1020
[ 42.520148][ C1] panic+0x306/0x73d
[ 42.524023][ C1] ? __warn_printk+0xf3/0xf3
[ 42.528587][ C1] ? do_raw_spin_unlock+0x50/0x230
[ 42.533669][ C1] ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 42.539011][ C1] ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 42.544351][ C1] end_report+0x58/0x5e
[ 42.548476][ C1] kasan_report.cold+0xd/0x37
[ 42.553123][ C1] ? rwlock_bug.part.0+0x80/0x90
[ 42.558029][ C1] ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 42.563376][ C1] check_memory_region+0x13d/0x180
[ 42.568457][ C1] memcpy+0x20/0x60
[ 42.572235][ C1] ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 42.577496][ C1] ? lock_acquire+0x1a7/0x870
[ 42.582143][ C1] ? hif_usb_start+0xa0/0xa0
[ 42.586707][ C1] ? __usb_hcd_giveback_urb+0x302/0x560
[ 42.592220][ C1] ? lock_downgrade+0x6d0/0x6d0
[ 42.597040][ C1] __usb_hcd_giveback_urb+0x32d/0x560
[ 42.602382][ C1] usb_hcd_giveback_urb+0x367/0x410
[ 42.607548][ C1] dummy_timer+0x11f4/0x3280
[ 42.612106][ C1] ? dummy_dequeue+0x4c0/0x4c0
[ 42.616839][ C1] ? dummy_dequeue+0x4c0/0x4c0
[ 42.621581][ C1] call_timer_fn+0x1a5/0x630
[ 42.626144][ C1] ? timer_fixup_init+0x60/0x60
[ 42.630965][ C1] ? lock_downgrade+0x6d0/0x6d0
[ 42.635786][ C1] ? lockdep_hardirqs_on_prepare+0x129/0x3e0
[ 42.641736][ C1] ? dummy_dequeue+0x4c0/0x4c0
[ 42.646589][ C1] __run_timers.part.0+0x67c/0xa10
[ 42.651684][ C1] ? call_timer_fn+0x630/0x630
[ 42.656432][ C1] ? clockevents_program_event+0x12b/0x350
[ 42.662231][ C1] ? tick_program_event+0xa8/0x130
[ 42.667318][ C1] run_timer_softirq+0x80/0x120
[ 42.672142][ C1] __do_softirq+0x1b2/0x945
[ 42.676620][ C1] asm_call_irq_on_stack+0xf/0x20
[ 42.681626][ C1]
[ 42.684541][ C1] do_softirq_own_stack+0x80/0xa0
[ 42.689538][ C1] irq_exit_rcu+0x110/0x1a0
[ 42.694031][ C1] sysvec_apic_timer_interrupt+0x43/0xa0
[ 42.699636][ C1] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 42.705586][ C1] RIP: 0010:acpi_idle_do_entry+0x1c9/0x250
[ 42.711363][ C1] Code: bd c9 a3 fb 84 db 75 ac e8 64 d1 a3 fb e8 9f 77 a9 fb e9 0c 00 00 00 e8 55 d1 a3 fb 0f 00 2d 9e 44 6c 00 e8 49 d1 a3 fb fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 e4 c9 a3 fb 48 85 db
[ 42.730964][ C1] RSP: 0018:ffffc900000dfd18 EFLAGS: 00000293
[ 42.737001][ C1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffffffff10788a1
[ 42.744982][ C1] RDX: ffff888100293280 RSI: ffffffff859afbe7 RDI: ffffffff859afbd1
[ 42.752945][ C1] RBP: ffff8881008c6864 R08: 0000000000000001 R09: 0000000000000001
[ 42.760887][ C1] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
[ 42.768827][ C1] R13: ffff8881008c6800 R14: ffff8881008c6864 R15: ffff888103f9a004
[ 42.776861][ C1] ? acpi_idle_do_entry+0x1c7/0x250
[ 42.782037][ C1] ? acpi_idle_do_entry+0x1b1/0x250
[ 42.787209][ C1] ? acpi_idle_do_entry+0x1c7/0x250
[ 42.792377][ C1] acpi_idle_enter+0x355/0x4f0
[ 42.797110][ C1] cpuidle_enter_state+0x1b1/0xc80
[ 42.802190][ C1] cpuidle_enter+0x4a/0xa0
[ 42.806575][ C1] do_idle+0x3d5/0x580
[ 42.810615][ C1] ? arch_cpu_idle_exit+0x40/0x40
[ 42.815608][ C1] cpu_startup_entry+0x14/0x20
[ 42.820340][ C1] start_secondary+0x265/0x340
[ 42.825075][ C1] ? set_cpu_sibling_map+0x2460/0x2460
[ 42.830505][ C1] secondary_startup_64_no_verify+0xa6/0xab
[ 42.837214][ C1] Kernel Offset: disabled
[ 42.841525][ C1] Rebooting in 86400 seconds..