Warning: Permanently added '10.128.0.157' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 24.826424][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 25.345900][ T83] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 25.355243][ T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 25.363310][ T83] usb 1-1: Product: syz
[ 25.367543][ T83] usb 1-1: Manufacturer: syz
[ 25.372250][ T83] usb 1-1: SerialNumber: syz
[ 25.416758][ T83] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 26.025233][ T83] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 26.427054][ T17] usb 1-1: USB disconnect, device number 2
[ 27.273981][ T83] usb 1-1: Service connection timeout for: 256
[ 27.280435][ T83] ==================================================================
[ 27.288558][ T83] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 27.295253][ T83] Read of size 4 at addr ffff8881c8c2d994 by task kworker/1:2/83
[ 27.302945][ T83]
[ 27.305255][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.7.0-rc6-syzkaller #0
[ 27.313375][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.323436][ T83] Workqueue: events request_firmware_work_func
[ 27.329635][ T83] Call Trace:
[ 27.332944][ T83]  dump_stack+0xef/0x16e
[ 27.337180][ T83]  print_address_description.constprop.0.cold+0xd3/0x415
[ 27.344189][ T83]  ? vprintk_func+0x7d/0x113
[ 27.348760][ T83]  ? kfree_skb+0x32/0x3d0
[ 27.353072][ T83]  __kasan_report.cold+0x37/0x7d
[ 27.357984][ T83]  ? kfree_skb+0x32/0x3d0
[ 27.362632][ T83]  ? kfree_skb+0x32/0x3d0
[ 27.366958][ T83]  kasan_report+0x33/0x50
[ 27.371273][ T83]  check_memory_region+0x173/0x1d0
[ 27.376368][ T83]  kfree_skb+0x32/0x3d0
[ 27.380509][ T83]  htc_connect_service.cold+0xa9/0x109
[ 27.385948][ T83]  ath9k_wmi_connect+0xd2/0x1a0
[ 27.390773][ T83]  ? ath9k_fatal_work+0x20/0x20
[ 27.395601][ T83]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 27.401731][ T83]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 27.407345][ T83]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 27.413750][ T83]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 27.419050][ T83]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 27.424570][ T83]  ? __raw_spin_lock_init+0x34/0x100
[ 27.429832][ T83]  ? tasklet_init+0x69/0x110
[ 27.434419][ T83]  ath9k_htc_probe_device+0x25a/0x1da0
[ 27.439880][ T83]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 27.446644][ T83]  ? usb_submit_urb+0x6ed/0x1460
[ 27.451563][ T83]  ? usb_free_urb.part.0+0x52/0x110
[ 27.456765][ T83]  ? usb_free_urb+0x1b/0x30
[ 27.461246][ T83]  ath9k_htc_hw_init+0x31/0x60
[ 27.465986][ T83]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 27.471604][ T83]  ? ath9k_hif_usb_resume+0x320/0x320
[ 27.476952][ T83]  request_firmware_work_func+0x126/0x242
[ 27.482646][ T83]  ? request_firmware_into_buf+0x90/0x90
[ 27.488257][ T83]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 27.493794][ T83]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 27.499068][ T83]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 27.504243][ T83]  process_one_work+0x965/0x1630
[ 27.509166][ T83]  ? lock_release+0x720/0x720
[ 27.513837][ T83]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 27.519208][ T83]  ? rwlock_bug.part.0+0x90/0x90
[ 27.524145][ T83]  worker_thread+0x96/0xe20
[ 27.528631][ T83]  ? process_one_work+0x1630/0x1630
[ 27.533826][ T83]  kthread+0x326/0x430
[ 27.537885][ T83]  ? kthread_create_on_node+0xf0/0xf0
[ 27.543431][ T83]  ret_from_fork+0x24/0x30
[ 27.547827][ T83]
[ 27.550306][ T83] Allocated by task 83:
[ 27.554438][ T83]  save_stack+0x1b/0x40
[ 27.558583][ T83]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 27.564191][ T83]  kmem_cache_alloc_node+0xdc/0x330
[ 27.569800][ T83]  __alloc_skb+0xba/0x5a0
[ 27.574122][ T83]  htc_connect_service+0x2cc/0x840
[ 27.579208][ T83]  ath9k_wmi_connect+0xd2/0x1a0
[ 27.584036][ T83]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 27.590428][ T83]  ath9k_htc_probe_device+0x25a/0x1da0
[ 27.595864][ T83]  ath9k_htc_hw_init+0x31/0x60
[ 27.600625][ T83]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 27.606322][ T83]  request_firmware_work_func+0x126/0x242
[ 27.612033][ T83]  process_one_work+0x965/0x1630
[ 27.616947][ T83]  worker_thread+0x96/0xe20
[ 27.621427][ T83]  kthread+0x326/0x430
[ 27.625499][ T83]  ret_from_fork+0x24/0x30
[ 27.629905][ T83]
[ 27.632210][ T83] Freed by task 0:
[ 27.635938][ T83]  save_stack+0x1b/0x40
[ 27.640385][ T83]  __kasan_slab_free+0x117/0x160
[ 27.645316][ T83]  kmem_cache_free+0x9b/0x360
[ 27.649973][ T83]  kfree_skbmem+0xef/0x1b0
[ 27.654386][ T83]  kfree_skb+0x102/0x3d0
[ 27.658610][ T83]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 27.664220][ T83]  hif_usb_regout_cb+0x115/0x1c0
[ 27.669146][ T83]  __usb_hcd_giveback_urb+0x29a/0x550
[ 27.674509][ T83]  usb_hcd_giveback_urb+0x368/0x420
[ 27.679783][ T83]  dummy_timer+0x125e/0x32b4
[ 27.684358][ T83]  call_timer_fn+0x1ac/0x700
[ 27.688939][ T83]  run_timer_softirq+0x5f9/0x1500
[ 27.693969][ T83]  __do_softirq+0x21e/0x9aa
[ 27.698724][ T83]
[ 27.701033][ T83] The buggy address belongs to the object at ffff8881c8c2d8c0
[ 27.701033][ T83]  which belongs to the cache skbuff_head_cache of size 224
[ 27.715805][ T83] The buggy address is located 212 bytes inside of
[ 27.715805][ T83]  224-byte region [ffff8881c8c2d8c0, ffff8881c8c2d9a0)
[ 27.729140][ T83] The buggy address belongs to the page:
[ 27.734773][ T83] page:ffffea0007230b40 refcount:1 mapcount:0 mapping:00000000542beabc index:0x0
[ 27.743877][ T83] flags: 0x200000000000200(slab)
[ 27.748827][ T83] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 27.757394][ T83] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 27.765972][ T83] page dumped because: kasan: bad access detected
[ 27.772385][ T83]
[ 27.774707][ T83] Memory state around the buggy address:
[ 27.780335][ T83]  ffff8881c8c2d880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 27.788378][ T83]  ffff8881c8c2d900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.796418][ T83] >ffff8881c8c2d980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.804474][ T83]                                ^
[ 27.809042][ T83]  ffff8881c8c2da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.817085][ T83]  ffff8881c8c2da80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 27.825123][ T83] ==================================================================
[ 27.833160][ T83] Disabling lock debugging due to kernel taint
[ 27.839377][ T83] Kernel panic - not syncing: panic_on_warn set ...
[ 27.845963][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Tainted: G    B   5.7.0-rc6-syzkaller #0
[ 27.855497][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.865560][ T83] Workqueue: events request_firmware_work_func
[ 27.871708][ T83] Call Trace:
[ 27.874983][ T83]  dump_stack+0xef/0x16e
[ 27.879222][ T83]  panic+0x2aa/0x6e1
[ 27.883121][ T83]  ? add_taint.cold+0x16/0x16
[ 27.887777][ T83]  ? retint_kernel+0x10/0x10
[ 27.892447][ T83]  ? kfree_skb+0x32/0x3d0
[ 27.896927][ T83]  ? trace_hardirqs_on+0x55/0x200
[ 27.902010][ T83]  ? kfree_skb+0x32/0x3d0
[ 27.906312][ T83]  end_report+0x4d/0x53
[ 27.910450][ T83]  __kasan_report.cold+0x72/0x7d
[ 27.915374][ T83]  ? kfree_skb+0x32/0x3d0
[ 27.919689][ T83]  ? kfree_skb+0x32/0x3d0
[ 27.924013][ T83]  kasan_report+0x33/0x50
[ 27.928328][ T83]  check_memory_region+0x173/0x1d0
[ 27.933429][ T83]  kfree_skb+0x32/0x3d0
[ 27.937570][ T83]  htc_connect_service.cold+0xa9/0x109
[ 27.943023][ T83]  ath9k_wmi_connect+0xd2/0x1a0
[ 27.947857][ T83]  ? ath9k_fatal_work+0x20/0x20
[ 27.952683][ T83]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 27.958813][ T83]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 27.964432][ T83]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 27.971187][ T83]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 27.976456][ T83]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 27.982008][ T83]  ? __raw_spin_lock_init+0x34/0x100
[ 27.987294][ T83]  ? tasklet_init+0x69/0x110
[ 27.991872][ T83]  ath9k_htc_probe_device+0x25a/0x1da0
[ 27.997307][ T83]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 28.003951][ T83]  ? usb_submit_urb+0x6ed/0x1460
[ 28.008859][ T83]  ? usb_free_urb.part.0+0x52/0x110
[ 28.014029][ T83]  ? usb_free_urb+0x1b/0x30
[ 28.018528][ T83]  ath9k_htc_hw_init+0x31/0x60
[ 28.023285][ T83]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 28.028913][ T83]  ? ath9k_hif_usb_resume+0x320/0x320
[ 28.034270][ T83]  request_firmware_work_func+0x126/0x242
[ 28.040003][ T83]  ? request_firmware_into_buf+0x90/0x90
[ 28.045620][ T83]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 28.052114][ T83]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 28.057380][ T83]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 28.062555][ T83]  process_one_work+0x965/0x1630
[ 28.067482][ T83]  ? lock_release+0x720/0x720
[ 28.072138][ T83]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 28.077504][ T83]  ? rwlock_bug.part.0+0x90/0x90
[ 28.082423][ T83]  worker_thread+0x96/0xe20
[ 28.086905][ T83]  ? process_one_work+0x1630/0x1630
[ 28.092086][ T83]  kthread+0x326/0x430
[ 28.096131][ T83]  ? kthread_create_on_node+0xf0/0xf0
[ 28.101483][ T83]  ret_from_fork+0x24/0x30
[ 28.106796][ T83] Kernel Offset: disabled
[ 28.111112][ T83] Rebooting in 86400 seconds..