Warning: Permanently added '10.128.0.23' (ECDSA) to the list of known hosts.
executing program
[ 29.667141][ T106] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 30.026983][ T106] usb 1-1: config 1 has an invalid descriptor of length 9, skipping remainder of the config
[ 30.037159][ T106] usb 1-1: config 1 interface 0 altsetting 0 has 3 endpoint descriptors, different from the interface descriptor's value: 6
[ 30.206910][ T106] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 30.216071][ T106] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 30.224143][ T106] usb 1-1: Product: syz
[ 30.228444][ T106] usb 1-1: Manufacturer: syz
[ 30.233030][ T106] usb 1-1: SerialNumber: syz
[ 30.287831][ T106] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 30.986388][ T106] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 31.426151][ C0] ==================================================================
[ 31.434314][ C0] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 31.441918][ C0] Read of size 40655 at addr ffff8881cd3a8000 by task swapper/0/0
[ 31.449689][ C0]
[ 31.452007][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.9.0-rc8-syzkaller #0
[ 31.459879][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.469916][ C0] Call Trace:
[ 31.473192][ C0]
[ 31.476033][ C0] dump_stack+0x107/0x16e
[ 31.480338][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 31.485612][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 31.490886][ C0] print_address_description.constprop.0+0x1c/0x210
[ 31.497457][ C0] ? ath9k_hif_usb_rx_cb+0x23e/0xf80
[ 31.502716][ C0] ? vprintk_func+0x93/0x133
[ 31.507291][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 31.512554][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 31.517817][ C0] kasan_report.cold+0x37/0x7c
[ 31.522566][ C0] ? spin_bug+0xf0/0x100
[ 31.526782][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 31.532039][ C0] check_memory_region+0xf4/0x1c0
[ 31.537076][ C0] memcpy+0x20/0x60
[ 31.540868][ C0] ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 31.545956][ C0] ? kcov_remote_start+0xce/0x400
[ 31.550962][ C0] ? hif_usb_start+0xa0/0xa0
[ 31.555539][ C0] ? lock_downgrade+0x740/0x740
[ 31.560378][ C0] __usb_hcd_giveback_urb+0x32d/0x560
[ 31.565732][ C0] usb_hcd_giveback_urb+0x367/0x410
[ 31.570908][ C0] dummy_timer+0x11f2/0x3240
[ 31.575474][ C0] ? lock_downgrade+0x740/0x740
[ 31.580296][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 31.585032][ C0] call_timer_fn+0x1ac/0x6e0
[ 31.589593][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 31.594327][ C0] ? timer_fixup_init+0x60/0x60
[ 31.599151][ C0] ? lock_downgrade+0x740/0x740
[ 31.603988][ C0] ? _raw_spin_unlock_irq+0x1f/0x30
[ 31.609171][ C0] ? lockdep_hardirqs_on_prepare+0x19c/0x4f0
[ 31.615135][ C0] ? trace_hardirqs_on+0x5f/0x200
[ 31.620144][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 31.624886][ C0] __run_timers.part.0+0x67c/0xa60
[ 31.629971][ C0] ? call_timer_fn+0x6e0/0x6e0
[ 31.634720][ C0] ? clockevents_program_event+0x12b/0x350
[ 31.640510][ C0] ? tick_program_event+0xa8/0x130
[ 31.645594][ C0] run_timer_softirq+0x80/0x120
[ 31.650430][ C0] __do_softirq+0x1af/0x92c
[ 31.654915][ C0] asm_call_irq_on_stack+0xf/0x20
[ 31.659913][ C0]
[ 31.662845][ C0] do_softirq_own_stack+0x71/0x90
[ 31.667875][ C0] irq_exit_rcu+0x110/0x1a0
[ 31.672353][ C0] sysvec_apic_timer_interrupt+0x43/0x90
[ 31.677960][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 31.683917][ C0] RIP: 0010:acpi_idle_do_entry+0x1c9/0x250
[ 31.689703][ C0] Code: 4d 6c 88 fb 84 db 75 ac e8 d4 73 88 fb e8 7f 11 8e fb e9 0c 00 00 00 e8 c5 73 88 fb 0f 00 2d 5e 2c 6d 00 e8 b9 73 88 fb fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 74 6c 88 fb 48 85 db
[ 31.709290][ C0] RSP: 0018:ffffffff87207d68 EFLAGS: 00000293
[ 31.715338][ C0] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffffffff1016b89
[ 31.723295][ C0] RDX: ffffffff8722f240 RSI: ffffffff85b79e07 RDI: ffffffff85b79df1
[ 31.731356][ C0] RBP: ffff8881d8cd3064 R08: 0000000000000001 R09: 0000000000000001
[ 31.739308][ C0] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
[ 31.747255][ C0] R13: ffff8881d8cd3000 R14: ffff8881d8cd3064 R15: ffff8881d6f30004
[ 31.755228][ C0] ? acpi_idle_do_entry+0x1c7/0x250
[ 31.760404][ C0] ? acpi_idle_do_entry+0x1b1/0x250
[ 31.765588][ C0] ? acpi_idle_do_entry+0x1c7/0x250
[ 31.770806][ C0] acpi_idle_enter+0x337/0x490
[ 31.775555][ C0] cpuidle_enter_state+0x19e/0xa10
[ 31.780667][ C0] cpuidle_enter+0x4a/0xa0
[ 31.785080][ C0] do_idle+0x3d5/0x580
[ 31.789126][ C0] ? arch_cpu_idle_exit+0x40/0x40
[ 31.794124][ C0] cpu_startup_entry+0x14/0x20
[ 31.798863][ C0] start_kernel+0x495/0x4b6
[ 31.803350][ C0] secondary_startup_64+0xb6/0xc0
[ 31.808343][ C0]
[ 31.810654][ C0] The buggy address belongs to the page:
[ 31.816262][ C0] page:00000000d9342a1d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1cd3a8
[ 31.826467][ C0] head:00000000d9342a1d order:3 compound_mapcount:0 compound_pincount:0
[ 31.834776][ C0] flags: 0x200000000010000(head)
[ 31.839699][ C0] raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
[ 31.848275][ C0] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 31.856827][ C0] page dumped because: kasan: bad access detected
[ 31.863237][ C0]
[ 31.865535][ C0] Memory state around the buggy address:
[ 31.871139][ C0] ffff8881cd3aff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.879185][ C0] ffff8881cd3aff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.887234][ C0] >ffff8881cd3b0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.895274][ C0] ^
[ 31.899315][ C0] ffff8881cd3b0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.907359][ C0] ffff8881cd3b0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.915398][ C0] ==================================================================
[ 31.923430][ C0] Disabling lock debugging due to kernel taint
[ 31.929561][ C0] Kernel panic - not syncing: panic_on_warn set ...
[ 31.936124][ C0] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 5.9.0-rc8-syzkaller #0
[ 31.945377][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.955400][ C0] Call Trace:
[ 31.958663][ C0]
[ 31.961503][ C0] dump_stack+0x107/0x16e
[ 31.965817][ C0] ? ath9k_hif_usb_rx_cb+0x310/0xf80
[ 31.971071][ C0] panic+0x2cb/0x702
[ 31.974934][ C0] ? __warn_printk+0xf3/0xf3
[ 31.979504][ C0] ? do_raw_spin_unlock+0x50/0x1f0
[ 31.984586][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 31.989839][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 31.995091][ C0] end_report+0x4d/0x53
[ 31.999227][ C0] kasan_report.cold+0x72/0x7c
[ 32.003969][ C0] ? spin_bug+0xf0/0x100
[ 32.008182][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 32.013448][ C0] check_memory_region+0xf4/0x1c0
[ 32.018455][ C0] memcpy+0x20/0x60
[ 32.022243][ C0] ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 32.027338][ C0] ? kcov_remote_start+0xce/0x400
[ 32.032331][ C0] ? hif_usb_start+0xa0/0xa0
[ 32.036897][ C0] ? lock_downgrade+0x740/0x740
[ 32.041739][ C0] __usb_hcd_giveback_urb+0x32d/0x560
[ 32.047117][ C0] usb_hcd_giveback_urb+0x367/0x410
[ 32.052311][ C0] dummy_timer+0x11f2/0x3240
[ 32.056884][ C0] ? lock_downgrade+0x740/0x740
[ 32.061702][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 32.066454][ C0] call_timer_fn+0x1ac/0x6e0
[ 32.071013][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 32.075745][ C0] ? timer_fixup_init+0x60/0x60
[ 32.080604][ C0] ? lock_downgrade+0x740/0x740
[ 32.085429][ C0] ? _raw_spin_unlock_irq+0x1f/0x30
[ 32.090599][ C0] ? lockdep_hardirqs_on_prepare+0x19c/0x4f0
[ 32.096563][ C0] ? trace_hardirqs_on+0x5f/0x200
[ 32.101570][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 32.106304][ C0] __run_timers.part.0+0x67c/0xa60
[ 32.111453][ C0] ? call_timer_fn+0x6e0/0x6e0
[ 32.116216][ C0] ? clockevents_program_event+0x12b/0x350
[ 32.121995][ C0] ? tick_program_event+0xa8/0x130
[ 32.127077][ C0] run_timer_softirq+0x80/0x120
[ 32.131926][ C0] __do_softirq+0x1af/0x92c
[ 32.136400][ C0] asm_call_irq_on_stack+0xf/0x20
[ 32.141398][ C0]
[ 32.144309][ C0] do_softirq_own_stack+0x71/0x90
[ 32.149303][ C0] irq_exit_rcu+0x110/0x1a0
[ 32.153775][ C0] sysvec_apic_timer_interrupt+0x43/0x90
[ 32.159387][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 32.165346][ C0] RIP: 0010:acpi_idle_do_entry+0x1c9/0x250
[ 32.171120][ C0] Code: 4d 6c 88 fb 84 db 75 ac e8 d4 73 88 fb e8 7f 11 8e fb e9 0c 00 00 00 e8 c5 73 88 fb 0f 00 2d 5e 2c 6d 00 e8 b9 73 88 fb fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 74 6c 88 fb 48 85 db
[ 32.190703][ C0] RSP: 0018:ffffffff87207d68 EFLAGS: 00000293
[ 32.196745][ C0] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffffffff1016b89
[ 32.204694][ C0] RDX: ffffffff8722f240 RSI: ffffffff85b79e07 RDI: ffffffff85b79df1
[ 32.212640][ C0] RBP: ffff8881d8cd3064 R08: 0000000000000001 R09: 0000000000000001
[ 32.220582][ C0] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
[ 32.228533][ C0] R13: ffff8881d8cd3000 R14: ffff8881d8cd3064 R15: ffff8881d6f30004
[ 32.236484][ C0] ? acpi_idle_do_entry+0x1c7/0x250
[ 32.241649][ C0] ? acpi_idle_do_entry+0x1b1/0x250
[ 32.246828][ C0] ? acpi_idle_do_entry+0x1c7/0x250
[ 32.252016][ C0] acpi_idle_enter+0x337/0x490
[ 32.256751][ C0] cpuidle_enter_state+0x19e/0xa10
[ 32.261844][ C0] cpuidle_enter+0x4a/0xa0
[ 32.266233][ C0] do_idle+0x3d5/0x580
[ 32.270272][ C0] ? arch_cpu_idle_exit+0x40/0x40
[ 32.275274][ C0] cpu_startup_entry+0x14/0x20
[ 32.280008][ C0] start_kernel+0x495/0x4b6
[ 32.284490][ C0] secondary_startup_64+0xb6/0xc0
[ 32.289886][ C0] Kernel Offset: disabled
[ 32.294205][ C0] Rebooting in 86400 seconds..