Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

syzkaller login: [ 15.312554][ C0] random: crng init done
[ 15.316900][ C0] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.1.37' (ECDSA) to the list of known hosts.
executing program
[ 26.302846][ T95] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 26.662669][ T95] usb 1-1: config index 0 descriptor too short (expected 57946, got 72)
[ 26.822573][ T95] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 26.831684][ T95] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 26.840883][ T95] usb 1-1: Product: syz
[ 26.845109][ T95] usb 1-1: Manufacturer: syz
[ 26.849709][ T95] usb 1-1: SerialNumber: syz
[ 26.893304][ T95] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 27.472227][ T95] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 27.911989][ C0] ==================================================================
[ 27.920182][ C0] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0x3be/0xf90
[ 27.927788][ C0] Read of size 48707 at addr ffff8881c8510000 by task swapper/0/0
[ 27.935779][ C0]
[ 27.938110][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-rc6-syzkaller #0
[ 27.945983][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.956020][ C0] Call Trace:
[ 27.959366][ C0]
[ 27.962213][ C0] dump_stack+0xef/0x16e
[ 27.966453][ C0] print_address_description.constprop.0.cold+0xd3/0x415
[ 27.973488][ C0] ? lock_acquire+0x18b/0x7c0
[ 27.978267][ C0] ? vprintk_func+0x7d/0x113
[ 27.983548][ C0] ? ath9k_hif_usb_rx_cb+0x3be/0xf90
[ 27.988949][ C0] __kasan_report.cold+0x37/0x7d
[ 27.993887][ C0] ? ath9k_hif_usb_rx_cb+0x3be/0xf90
[ 27.999289][ C0] ? ath9k_hif_usb_rx_cb+0x3be/0xf90
[ 28.004560][ C0] kasan_report+0x33/0x50
[ 28.008867][ C0] check_memory_region+0x173/0x1d0
[ 28.013969][ C0] memcpy+0x20/0x60
[ 28.017760][ C0] ath9k_hif_usb_rx_cb+0x3be/0xf90
[ 28.022845][ C0] ? find_held_lock+0x2d/0x110
[ 28.027581][ C0] ? hif_usb_mgmt_cb+0x310/0x310
[ 28.032510][ C0] ? do_raw_spin_lock+0x129/0x290
[ 28.037519][ C0] ? lock_downgrade+0x720/0x720
[ 28.042378][ C0] ? trace_hardirqs_off+0x50/0x200
[ 28.047489][ C0] __usb_hcd_giveback_urb+0x29a/0x550
[ 28.052871][ C0] usb_hcd_giveback_urb+0x368/0x420
[ 28.058170][ C0] dummy_timer+0x125e/0x32b4
[ 28.062937][ C0] ? dummy_udc_probe+0x980/0x980
[ 28.067873][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 28.073515][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 28.078884][ C0] call_timer_fn+0x1ac/0x700
[ 28.083539][ C0] ? dummy_udc_probe+0x980/0x980
[ 28.088535][ C0] ? timer_fixup_init+0x60/0x60
[ 28.093358][ C0] ? lock_downgrade+0x720/0x720
[ 28.098185][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 28.103799][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 28.109183][ C0] ? _raw_spin_unlock_irq+0x1f/0x30
[ 28.114460][ C0] ? dummy_udc_probe+0x980/0x980
[ 28.119378][ C0] run_timer_softirq+0x5f9/0x1500
[ 28.124412][ C0] ? add_timer+0x7a0/0x7a0
[ 28.128806][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 28.134336][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 28.139603][ C0] __do_softirq+0x21e/0x9aa
[ 28.144082][ C0] irq_exit+0x178/0x1a0
[ 28.148213][ C0] smp_apic_timer_interrupt+0x141/0x540
[ 28.153743][ C0] apic_timer_interrupt+0xf/0x20
[ 28.158651][ C0]
[ 28.161567][ C0] RIP: 0010:default_idle+0x28/0x300
[ 28.167278][ C0] Code: cc cc 41 56 41 55 65 44 8b 2d 94 3f 6b 7a 41 54 55 53 0f 1f 44 00 00 e8 16 28 af fb e9 07 00 00 00 0f 00 2d 7a e1 4b 00 fb f4 <65> 44 8b 2d 70 3f 6b 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
[ 28.186960][ C0] RSP: 0018:ffffffff87007da0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 28.195880][ C0] RAX: 0000000000000007 RBX: ffffffff8702f800 RCX: 0000000000000000
[ 28.203844][ C0] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8703007c
[ 28.211790][ C0] RBP: fffffbfff0e05f00 R08: ffffffff8702f800 R09: 0000000000000000
[ 28.219833][ C0] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 28.227875][ C0] R13: 0000000000000000 R14: ffffffff87e88c40 R15: 0000000000000000
[ 28.235844][ C0] do_idle+0x3e0/0x500
[ 28.239897][ C0] ? rcu_read_lock_held+0x9c/0xb0
[ 28.244910][ C0] ? arch_cpu_idle_exit+0x40/0x40
[ 28.249922][ C0] ? schedule+0xe1/0x2b0
[ 28.254264][ C0] cpu_startup_entry+0x14/0x20
[ 28.259015][ C0] start_kernel+0x9bb/0x9f8
[ 28.263532][ C0] ? mem_encrypt_init+0x5/0x5
[ 28.268208][ C0] ? x86_family+0x3d/0x50
[ 28.272528][ C0] ? load_ucode_bsp+0x23d/0x27d
[ 28.277362][ C0] secondary_startup_64+0xb6/0xc0
[ 28.282363][ C0]
[ 28.284678][ C0] The buggy address belongs to the page:
[ 28.290287][ C0] page:ffffea0007214400 refcount:1 mapcount:0 mapping:0000000031e60f75 index:0x0 head:ffffea0007214400 order:3 compound_mapcount:0 compound_pincount:0
[ 28.305448][ C0] flags: 0x200000000010000(head)
[ 28.310420][ C0] raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
[ 28.319006][ C0] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 28.327573][ C0] page dumped because: kasan: bad access detected
[ 28.333954][ C0]
[ 28.336265][ C0] Memory state around the buggy address:
[ 28.341878][ C0] ffff8881c8517f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 28.349932][ C0] ffff8881c8517f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 28.358107][ C0] >ffff8881c8518000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.366940][ C0] ^
[ 28.370989][ C0] ffff8881c8518080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.379101][ C0] ffff8881c8518100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.387622][ C0] ==================================================================
[ 28.395684][ C0] Disabling lock debugging due to kernel taint
[ 28.401817][ C0] Kernel panic - not syncing: panic_on_warn set ...
[ 28.408412][ C0] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 28.417669][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.428582][ C0] Call Trace:
[ 28.431845][ C0]
[ 28.434762][ C0] dump_stack+0xef/0x16e
[ 28.439050][ C0] panic+0x2aa/0x6e1
[ 28.442938][ C0] ? add_taint.cold+0x16/0x16
[ 28.447603][ C0] ? trace_hardirqs_off+0x50/0x200
[ 28.452706][ C0] ? ath9k_hif_usb_rx_cb+0x3be/0xf90
[ 28.457961][ C0] end_report+0x4d/0x53
[ 28.462090][ C0] __kasan_report.cold+0x72/0x7d
[ 28.467006][ C0] ? ath9k_hif_usb_rx_cb+0x3be/0xf90
[ 28.472265][ C0] ? ath9k_hif_usb_rx_cb+0x3be/0xf90
[ 28.477525][ C0] kasan_report+0x33/0x50
[ 28.481911][ C0] check_memory_region+0x173/0x1d0
[ 28.486999][ C0] memcpy+0x20/0x60
[ 28.490788][ C0] ath9k_hif_usb_rx_cb+0x3be/0xf90
[ 28.495874][ C0] ? find_held_lock+0x2d/0x110
[ 28.500617][ C0] ? hif_usb_mgmt_cb+0x310/0x310
[ 28.505527][ C0] ? do_raw_spin_lock+0x129/0x290
[ 28.510521][ C0] ? lock_downgrade+0x720/0x720
[ 28.515338][ C0] ? trace_hardirqs_off+0x50/0x200
[ 28.520416][ C0] __usb_hcd_giveback_urb+0x29a/0x550
[ 28.525755][ C0] usb_hcd_giveback_urb+0x368/0x420
[ 28.531117][ C0] dummy_timer+0x125e/0x32b4
[ 28.535744][ C0] ? dummy_udc_probe+0x980/0x980
[ 28.540662][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 28.546193][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 28.551547][ C0] call_timer_fn+0x1ac/0x700
[ 28.556326][ C0] ? dummy_udc_probe+0x980/0x980
[ 28.561513][ C0] ? timer_fixup_init+0x60/0x60
[ 28.566371][ C0] ? lock_downgrade+0x720/0x720
[ 28.571203][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 28.576778][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 28.582051][ C0] ? _raw_spin_unlock_irq+0x1f/0x30
[ 28.587219][ C0] ? dummy_udc_probe+0x980/0x980
[ 28.592183][ C0] run_timer_softirq+0x5f9/0x1500
[ 28.597207][ C0] ? add_timer+0x7a0/0x7a0
[ 28.601619][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 28.607148][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 28.612421][ C0] __do_softirq+0x21e/0x9aa
[ 28.616913][ C0] irq_exit+0x178/0x1a0
[ 28.621083][ C0] smp_apic_timer_interrupt+0x141/0x540
[ 28.626603][ C0] apic_timer_interrupt+0xf/0x20
[ 28.631505][ C0]
[ 28.634430][ C0] RIP: 0010:default_idle+0x28/0x300
[ 28.639609][ C0] Code: cc cc 41 56 41 55 65 44 8b 2d 94 3f 6b 7a 41 54 55 53 0f 1f 44 00 00 e8 16 28 af fb e9 07 00 00 00 0f 00 2d 7a e1 4b 00 fb f4 <65> 44 8b 2d 70 3f 6b 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
[ 28.659183][ C0] RSP: 0018:ffffffff87007da0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 28.667665][ C0] RAX: 0000000000000007 RBX: ffffffff8702f800 RCX: 0000000000000000
[ 28.675619][ C0] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8703007c
[ 28.683560][ C0] RBP: fffffbfff0e05f00 R08: ffffffff8702f800 R09: 0000000000000000
[ 28.691513][ C0] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 28.699554][ C0] R13: 0000000000000000 R14: ffffffff87e88c40 R15: 0000000000000000
[ 28.707520][ C0] do_idle+0x3e0/0x500
[ 28.711559][ C0] ? rcu_read_lock_held+0x9c/0xb0
[ 28.716552][ C0] ? arch_cpu_idle_exit+0x40/0x40
[ 28.721578][ C0] ? schedule+0xe1/0x2b0
[ 28.725800][ C0] cpu_startup_entry+0x14/0x20
[ 28.730560][ C0] start_kernel+0x9bb/0x9f8
[ 28.735072][ C0] ? mem_encrypt_init+0x5/0x5
[ 28.739835][ C0] ? x86_family+0x3d/0x50
[ 28.744543][ C0] ? load_ucode_bsp+0x23d/0x27d
[ 28.750630][ C0] secondary_startup_64+0xb6/0xc0
[ 28.755743][ C0] Kernel Offset: disabled
[ 28.760155][ C0] Rebooting in 86400 seconds..