Warning: Permanently added '10.128.0.166' (ECDSA) to the list of known hosts.
executing program
[   21.211577][   T95] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   21.341560][   T95] usb 1-1: too many configurations: 217, using maximum allowed: 8
[   22.140702][   T95] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[   22.149750][   T95] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   22.157846][   T95] usb 1-1: Product: syz
[   22.162074][   T95] usb 1-1: Manufacturer: syz
[   22.166649][   T95] usb 1-1: SerialNumber: syz
[   22.211556][   T95] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[   22.819978][   T95] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[   23.221641][   T83] usb 1-1: USB disconnect, device number 2
[   24.098811][   T95] usb 1-1: Service connection timeout for: 256
[   24.105082][   T95] ==================================================================
[   24.113245][   T95] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[   24.119898][   T95] Read of size 4 at addr ffff8881d0e3c5d4 by task kworker/0:2/95
[   24.127584][   T95]
[   24.129893][   T95] CPU: 0 PID: 95 Comm: kworker/0:2 Not tainted 5.6.0-rc5-syzkaller #0
[   24.138028][   T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.148079][   T95] Workqueue: events request_firmware_work_func
[   24.154218][   T95] Call Trace:
[   24.157491][   T95]  dump_stack+0xef/0x16e
[   24.161715][   T95]  ? kfree_skb+0x32/0x3d0
[   24.166039][   T95]  ? kfree_skb+0x32/0x3d0
[   24.170412][   T95]  print_address_description.constprop.0.cold+0xd3/0x314
[   24.177445][   T95]  ? kfree_skb+0x32/0x3d0
[   24.181757][   T95]  ? kfree_skb+0x32/0x3d0
[   24.186075][   T95]  __kasan_report.cold+0x37/0x77
[   24.191046][   T95]  ? kfree_skb+0x32/0x3d0
[   24.195398][   T95]  kasan_report+0xe/0x20
[   24.199627][   T95]  check_memory_region+0x152/0x1c0
[   24.204761][   T95]  kfree_skb+0x32/0x3d0
[   24.208907][   T95]  htc_connect_service.cold+0xa9/0x109
[   24.214347][   T95]  ath9k_wmi_connect+0xd2/0x1a0
[   24.219176][   T95]  ? ath9k_fatal_work+0x20/0x20
[   24.224001][   T95]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[   24.230043][   T95]  ? ath9k_wmi_event_tasklet+0x440/0x440
[   24.235654][   T95]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   24.242048][   T95]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[   24.247310][   T95]  ? lockdep_init_map+0x1b0/0x5e0
[   24.252310][   T95]  ? lockdep_init_map+0x1b0/0x5e0
[   24.257313][   T95]  ? tasklet_init+0x69/0x110
[   24.261880][   T95]  ath9k_htc_probe_device+0x25a/0x1d80
[   24.267338][   T95]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[   24.273992][   T95]  ? usb_submit_urb+0x6ed/0x1460
[   24.278927][   T95]  ? usb_free_urb.part.0+0x52/0x110
[   24.284111][   T95]  ? usb_free_urb+0x1b/0x30
[   24.288598][   T95]  ath9k_htc_hw_init+0x31/0x60
[   24.293483][   T95]  ath9k_hif_usb_firmware_cb+0x26b/0x500
[   24.299141][   T95]  ? ath9k_hif_usb_resume+0x320/0x320
[   24.304512][   T95]  request_firmware_work_func+0x126/0x242
[   24.310213][   T95]  ? request_firmware_into_buf+0x90/0x90
[   24.315866][   T95]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   24.321391][   T95]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   24.326655][   T95]  process_one_work+0x94b/0x1620
[   24.331570][   T95]  ? pwq_dec_nr_in_flight+0x310/0x310
[   24.336968][   T95]  ? do_raw_spin_lock+0x129/0x290
[   24.341983][   T95]  worker_thread+0x96/0xe20
[   24.346480][   T95]  ? process_one_work+0x1620/0x1620
[   24.351703][   T95]  kthread+0x318/0x420
[   24.355751][   T95]  ? kthread_create_on_node+0xf0/0xf0
[   24.361161][   T95]  ret_from_fork+0x24/0x30
[   24.365563][   T95]
[   24.367879][   T95] Allocated by task 95:
[   24.372016][   T95]  save_stack+0x1b/0x80
[   24.376185][   T95]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   24.381796][   T95]  kmem_cache_alloc_node+0xdc/0x330
[   24.386970][   T95]  __alloc_skb+0xba/0x5a0
[   24.391277][   T95]  htc_connect_service+0x2cc/0x840
[   24.396365][   T95]  ath9k_wmi_connect+0xd2/0x1a0
[   24.401258][   T95]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   24.407659][   T95]  ath9k_htc_probe_device+0x25a/0x1d80
[   24.413142][   T95]  ath9k_htc_hw_init+0x31/0x60
[   24.417919][   T95]  ath9k_hif_usb_firmware_cb+0x26b/0x500
[   24.423528][   T95]  request_firmware_work_func+0x126/0x242
[   24.429234][   T95]  process_one_work+0x94b/0x1620
[   24.434166][   T95]  worker_thread+0x96/0xe20
[   24.438670][   T95]  kthread+0x318/0x420
[   24.442726][   T95]  ret_from_fork+0x24/0x30
[   24.447113][   T95]
[   24.449430][   T95] Freed by task 0:
[   24.453141][   T95]  save_stack+0x1b/0x80
[   24.457279][   T95]  __kasan_slab_free+0x117/0x160
[   24.462203][   T95]  kmem_cache_free+0x9b/0x360
[   24.467033][   T95]  kfree_skbmem+0xef/0x1b0
[   24.471469][   T95]  kfree_skb+0x102/0x3d0
[   24.475700][   T95]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[   24.481325][   T95]  hif_usb_regout_cb+0x10b/0x1b0
[   24.486244][   T95]  __usb_hcd_giveback_urb+0x29a/0x550
[   24.491600][   T95]  usb_hcd_giveback_urb+0x368/0x420
[   24.496787][   T95]  dummy_timer+0x1258/0x32ae
[   24.501356][   T95]  call_timer_fn+0x195/0x6f0
[   24.505924][   T95]  run_timer_softirq+0x5f9/0x1500
[   24.510926][   T95]  __do_softirq+0x21e/0x950
[   24.515400][   T95]
[   24.517708][   T95] The buggy address belongs to the object at ffff8881d0e3c500
[   24.517708][   T95]  which belongs to the cache skbuff_head_cache of size 224
[   24.532308][   T95] The buggy address is located 212 bytes inside of
[   24.532308][   T95]  224-byte region [ffff8881d0e3c500, ffff8881d0e3c5e0)
[   24.545563][   T95] The buggy address belongs to the page:
[   24.551177][   T95] page:ffffea0007438f00 refcount:1 mapcount:0 mapping:ffff8881da16b400 index:0x0
[   24.560299][   T95] flags: 0x200000000000200(slab)
[   24.565334][   T95] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da16b400
[   24.573910][   T95] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[   24.582465][   T95] page dumped because: kasan: bad access detected
[   24.588847][   T95]
[   24.591151][   T95] Memory state around the buggy address:
[   24.596759][   T95]  ffff8881d0e3c480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   24.604798][   T95]  ffff8881d0e3c500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.612841][   T95] >ffff8881d0e3c580: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   24.620886][   T95]                                                  ^
[   24.627534][   T95]  ffff8881d0e3c600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   24.635615][   T95]  ffff8881d0e3c680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.643655][   T95] ==================================================================
[   24.651798][   T95] Disabling lock debugging due to kernel taint
[   24.658005][   T95] Kernel panic - not syncing: panic_on_warn set ...
[   24.664596][   T95] CPU: 0 PID: 95 Comm: kworker/0:2 Tainted: G    B             5.6.0-rc5-syzkaller #0
[   24.674129][   T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.684189][   T95] Workqueue: events request_firmware_work_func
[   24.690324][   T95] Call Trace:
[   24.693594][   T95]  dump_stack+0xef/0x16e
[   24.697817][   T95]  panic+0x2aa/0x6e1
[   24.701691][   T95]  ? add_taint.cold+0x16/0x16
[   24.706346][   T95]  ? kfree_skb+0x32/0x3d0
[   24.710654][   T95]  ? trace_hardirqs_on+0x55/0x200
[   24.715659][   T95]  ? kfree_skb+0x32/0x3d0
[   24.719966][   T95]  end_report+0x43/0x49
[   24.724141][   T95]  ? kfree_skb+0x32/0x3d0
[   24.728451][   T95]  __kasan_report.cold+0x55/0x77
[   24.733401][   T95]  ? kfree_skb+0x32/0x3d0
[   24.737729][   T95]  kasan_report+0xe/0x20
[   24.741996][   T95]  check_memory_region+0x152/0x1c0
[   24.747095][   T95]  kfree_skb+0x32/0x3d0
[   24.751244][   T95]  htc_connect_service.cold+0xa9/0x109
[   24.756729][   T95]  ath9k_wmi_connect+0xd2/0x1a0
[   24.761593][   T95]  ? ath9k_fatal_work+0x20/0x20
[   24.766428][   T95]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[   24.772477][   T95]  ? ath9k_wmi_event_tasklet+0x440/0x440
[   24.778146][   T95]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   24.784585][   T95]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[   24.789850][   T95]  ? lockdep_init_map+0x1b0/0x5e0
[   24.794852][   T95]  ? lockdep_init_map+0x1b0/0x5e0
[   24.799896][   T95]  ? tasklet_init+0x69/0x110
[   24.804480][   T95]  ath9k_htc_probe_device+0x25a/0x1d80
[   24.809919][   T95]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[   24.816609][   T95]  ? usb_submit_urb+0x6ed/0x1460
[   24.821520][   T95]  ? usb_free_urb.part.0+0x52/0x110
[   24.826692][   T95]  ? usb_free_urb+0x1b/0x30
[   24.831213][   T95]  ath9k_htc_hw_init+0x31/0x60
[   24.835954][   T95]  ath9k_hif_usb_firmware_cb+0x26b/0x500
[   24.841562][   T95]  ? ath9k_hif_usb_resume+0x320/0x320
[   24.846958][   T95]  request_firmware_work_func+0x126/0x242
[   24.852665][   T95]  ? request_firmware_into_buf+0x90/0x90
[   24.858280][   T95]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   24.863814][   T95]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   24.869106][   T95]  process_one_work+0x94b/0x1620
[   24.874049][   T95]  ? pwq_dec_nr_in_flight+0x310/0x310
[   24.879403][   T95]  ? do_raw_spin_lock+0x129/0x290
[   24.884406][   T95]  worker_thread+0x96/0xe20
[   24.888899][   T95]  ? process_one_work+0x1620/0x1620
[   24.894090][   T95]  kthread+0x318/0x420
[   24.898143][   T95]  ? kthread_create_on_node+0xf0/0xf0
[   24.903502][   T95]  ret_from_fork+0x24/0x30
[   24.908591][   T95] Kernel Offset: disabled
[   24.912918][   T95] Rebooting in 86400 seconds..