[   13.252976][    C1] random: 7 urandom warning(s) missed due to ratelimiting
[[0;32m  OK  [0m] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
         Starting Load/Save RF Kill Switch Status...
[[0;32m  OK  [0m] Started Update UTMP about System Runlevel Changes.
[[0;32m  OK  [0m] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.37' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   24.356497][   T72] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   24.876398][   T72] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[   24.885546][   T72] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   24.893623][   T72] usb 1-1: Product: syz
[   24.897867][   T72] usb 1-1: Manufacturer: syz
[   24.902449][   T72] usb 1-1: SerialNumber: syz
[   24.947567][   T72] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[   25.566043][   T72] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[   26.005827][    C1] ==================================================================
[   26.014001][    C1] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0x3a8/0xf80
[   26.021625][    C1] Read of size 48856 at addr ffff8881cd938000 by task swapper/1/0
[   26.029398][    C1] 
[   26.031706][    C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.9.0-syzkaller #0
[   26.039219][    C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.049255][    C1] Call Trace:
[   26.052522][    C1]  <IRQ>
[   26.057789][    C1]  dump_stack+0x107/0x163
[   26.062103][    C1]  ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[   26.067365][    C1]  ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[   26.072628][    C1]  print_address_description.constprop.0+0x1c/0x210
[   26.079193][    C1]  ? lock_acquire+0x1a7/0x830
[   26.083856][    C1]  ? ath9k_hif_usb_rx_cb+0x23e/0xf80
[   26.089119][    C1]  ? vprintk_func+0x93/0x140
[   26.093697][    C1]  ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[   26.098970][    C1]  ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[   26.104253][    C1]  kasan_report.cold+0x37/0x7c
[   26.109013][    C1]  ? rwlock_bug.part.0+0x40/0x90
[   26.113933][    C1]  ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[   26.119199][    C1]  check_memory_region+0xf4/0x1c0
[   26.124205][    C1]  memcpy+0x20/0x60
[   26.128013][    C1]  ath9k_hif_usb_rx_cb+0x3a8/0xf80
[   26.133106][    C1]  ? lock_acquire+0x1a7/0x830
[   26.137761][    C1]  ? kcov_remote_start+0xce/0x400
[   26.142774][    C1]  ? hif_usb_start+0xa0/0xa0
[   26.147354][    C1]  ? __usb_hcd_giveback_urb+0x302/0x560
[   26.152900][    C1]  ? lock_downgrade+0x6d0/0x6d0
[   26.157733][    C1]  __usb_hcd_giveback_urb+0x32d/0x560
[   26.163098][    C1]  usb_hcd_giveback_urb+0x367/0x410
[   26.168279][    C1]  dummy_timer+0x11f2/0x3240
[   26.172848][    C1]  ? __lock_acquire+0x16ae/0x5a60
[   26.177853][    C1]  ? dummy_dequeue+0x4c0/0x4c0
[   26.182606][    C1]  ? dummy_dequeue+0x4c0/0x4c0
[   26.187357][    C1]  call_timer_fn+0x1a5/0x630
[   26.192186][    C1]  ? timer_fixup_init+0x60/0x60
[   26.197022][    C1]  ? lock_downgrade+0x6d0/0x6d0
[   26.201877][    C1]  ? lockdep_hardirqs_on_prepare+0x129/0x3e0
[   26.207840][    C1]  ? dummy_dequeue+0x4c0/0x4c0
[   26.212604][    C1]  __run_timers.part.0+0x67c/0xa10
[   26.217704][    C1]  ? call_timer_fn+0x630/0x630
[   26.222467][    C1]  ? lapic_next_event+0x4d/0x80
[   26.227299][    C1]  ? clockevents_program_event+0x12b/0x350
[   26.233094][    C1]  ? tick_program_event+0xa8/0x130
[   26.238190][    C1]  ? hrtimer_interrupt+0x6c0/0x8f0
[   26.243293][    C1]  run_timer_softirq+0x80/0x120
[   26.248132][    C1]  __do_softirq+0x1b1/0x8d1
[   26.252621][    C1]  asm_call_irq_on_stack+0xf/0x20
[   26.257627][    C1]  </IRQ>
[   26.260581][    C1]  do_softirq_own_stack+0x80/0xa0
[   26.265603][    C1]  irq_exit_rcu+0x110/0x1a0
[   26.270085][    C1]  sysvec_apic_timer_interrupt+0x43/0xa0
[   26.275703][    C1]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[   26.281660][    C1] RIP: 0010:acpi_idle_do_entry+0x1c9/0x250
[   26.287441][    C1] Code: 4d ce 83 fb 84 db 75 ac e8 d4 d5 83 fb e8 ff 69 89 fb e9 0c 00 00 00 e8 c5 d5 83 fb 0f 00 2d 9e ac 69 00 e8 b9 d5 83 fb fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 74 ce 83 fb 48 85 db
[   26.307034][    C1] RSP: 0018:ffff8881da257d18 EFLAGS: 00000293
[   26.313105][    C1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffffffff103af21
[   26.321055][    C1] RDX: ffff8881da23b280 RSI: ffffffff85bb48e7 RDI: ffffffff85bb48d1
[   26.329017][    C1] RBP: ffff8881d8d4a064 R08: 0000000000000001 R09: 0000000000000001
[   26.337023][    C1] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
[   26.345014][    C1] R13: ffff8881d8d4a000 R14: ffff8881d8d4a064 R15: ffff8881d6f18804
[   26.352987][    C1]  ? acpi_idle_do_entry+0x1c7/0x250
[   26.358182][    C1]  ? acpi_idle_do_entry+0x1b1/0x250
[   26.363359][    C1]  ? acpi_idle_do_entry+0x1c7/0x250
[   26.368543][    C1]  acpi_idle_enter+0x337/0x490
[   26.373284][    C1]  cpuidle_enter_state+0x1a2/0xa80
[   26.378385][    C1]  ? tick_nohz_idle_stop_tick+0x526/0xa90
[   26.384086][    C1]  cpuidle_enter+0x4a/0xa0
[   26.388482][    C1]  do_idle+0x3d5/0x580
[   26.392537][    C1]  ? arch_cpu_idle_exit+0x40/0x40
[   26.397548][    C1]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[   26.403515][    C1]  ? _raw_spin_unlock_irqrestore+0x34/0x40
[   26.409298][    C1]  ? trace_hardirqs_on+0x5b/0x1a0
[   26.414302][    C1]  cpu_startup_entry+0x14/0x20
[   26.419049][    C1]  start_secondary+0x25b/0x320
[   26.423801][    C1]  ? set_cpu_sibling_map+0x1ff0/0x1ff0
[   26.429240][    C1]  secondary_startup_64_no_verify+0xb8/0xbb
[   26.435541][    C1] 
[   26.437855][    C1] The buggy address belongs to the page:
[   26.443477][    C1] page:00000000fcd1433e refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1cd938
[   26.453734][    C1] head:00000000fcd1433e order:3 compound_mapcount:0 compound_pincount:0
[   26.462038][    C1] flags: 0x200000000010000(head)
[   26.466963][    C1] raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
[   26.475536][    C1] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   26.484099][    C1] page dumped because: kasan: bad access detected
[   26.490484][    C1] 
[   26.492786][    C1] Memory state around the buggy address:
[   26.498392][    C1]  ffff8881cd93ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   26.506444][    C1]  ffff8881cd93ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   26.514497][    C1] >ffff8881cd940000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.522540][    C1]                    ^
[   26.526594][    C1]  ffff8881cd940080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.534644][    C1]  ffff8881cd940100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.542682][    C1] ==================================================================
[   26.550723][    C1] Disabling lock debugging due to kernel taint
[   26.557814][    C1] Kernel panic - not syncing: panic_on_warn set ...
[   26.564375][    C1] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G    B             5.9.0-syzkaller #0
[   26.573280][    C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.583310][    C1] Call Trace:
[   26.586582][    C1]  <IRQ>
[   26.589454][    C1]  dump_stack+0x107/0x163
[   26.593774][    C1]  ? ath9k_hif_usb_rx_cb+0x2c0/0xf80
[   26.599031][    C1]  panic+0x2cb/0x702
[   26.602955][    C1]  ? __warn_printk+0xf3/0xf3
[   26.607532][    C1]  ? do_raw_spin_unlock+0x50/0x1f0
[   26.612631][    C1]  ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[   26.617887][    C1]  ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[   26.623148][    C1]  end_report+0x58/0x5e
[   26.627276][    C1]  kasan_report.cold+0x72/0x7c
[   26.632012][    C1]  ? rwlock_bug.part.0+0x40/0x90
[   26.636922][    C1]  ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[   26.642193][    C1]  check_memory_region+0xf4/0x1c0
[   26.647188][    C1]  memcpy+0x20/0x60
[   26.650985][    C1]  ath9k_hif_usb_rx_cb+0x3a8/0xf80
[   26.656080][    C1]  ? lock_acquire+0x1a7/0x830
[   26.660736][    C1]  ? kcov_remote_start+0xce/0x400
[   26.665734][    C1]  ? hif_usb_start+0xa0/0xa0
[   26.670300][    C1]  ? __usb_hcd_giveback_urb+0x302/0x560
[   26.675822][    C1]  ? lock_downgrade+0x6d0/0x6d0
[   26.680647][    C1]  __usb_hcd_giveback_urb+0x32d/0x560
[   26.686011][    C1]  usb_hcd_giveback_urb+0x367/0x410
[   26.691196][    C1]  dummy_timer+0x11f2/0x3240
[   26.695762][    C1]  ? __lock_acquire+0x16ae/0x5a60
[   26.700774][    C1]  ? dummy_dequeue+0x4c0/0x4c0
[   26.705523][    C1]  ? dummy_dequeue+0x4c0/0x4c0
[   26.710267][    C1]  call_timer_fn+0x1a5/0x630
[   26.714835][    C1]  ? timer_fixup_init+0x60/0x60
[   26.719662][    C1]  ? lock_downgrade+0x6d0/0x6d0
[   26.724529][    C1]  ? lockdep_hardirqs_on_prepare+0x129/0x3e0
[   26.730485][    C1]  ? dummy_dequeue+0x4c0/0x4c0
[   26.735221][    C1]  __run_timers.part.0+0x67c/0xa10
[   26.740309][    C1]  ? call_timer_fn+0x630/0x630
[   26.745061][    C1]  ? lapic_next_event+0x4d/0x80
[   26.750604][    C1]  ? clockevents_program_event+0x12b/0x350
[   26.756494][    C1]  ? tick_program_event+0xa8/0x130
[   26.761590][    C1]  ? hrtimer_interrupt+0x6c0/0x8f0
[   26.766685][    C1]  run_timer_softirq+0x80/0x120
[   26.771509][    C1]  __do_softirq+0x1b1/0x8d1
[   26.775994][    C1]  asm_call_irq_on_stack+0xf/0x20
[   26.780986][    C1]  </IRQ>
[   26.783904][    C1]  do_softirq_own_stack+0x80/0xa0
[   26.788909][    C1]  irq_exit_rcu+0x110/0x1a0
[   26.793406][    C1]  sysvec_apic_timer_interrupt+0x43/0xa0
[   26.799023][    C1]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[   26.804979][    C1] RIP: 0010:acpi_idle_do_entry+0x1c9/0x250
[   26.810755][    C1] Code: 4d ce 83 fb 84 db 75 ac e8 d4 d5 83 fb e8 ff 69 89 fb e9 0c 00 00 00 e8 c5 d5 83 fb 0f 00 2d 9e ac 69 00 e8 b9 d5 83 fb fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 74 ce 83 fb 48 85 db
[   26.831296][    C1] RSP: 0018:ffff8881da257d18 EFLAGS: 00000293
[   26.837345][    C1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffffffff103af21
[   26.845289][    C1] RDX: ffff8881da23b280 RSI: ffffffff85bb48e7 RDI: ffffffff85bb48d1
[   26.853242][    C1] RBP: ffff8881d8d4a064 R08: 0000000000000001 R09: 0000000000000001
[   26.861186][    C1] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
[   26.869132][    C1] R13: ffff8881d8d4a000 R14: ffff8881d8d4a064 R15: ffff8881d6f18804
[   26.877182][    C1]  ? acpi_idle_do_entry+0x1c7/0x250
[   26.882360][    C1]  ? acpi_idle_do_entry+0x1b1/0x250
[   26.887543][    C1]  ? acpi_idle_do_entry+0x1c7/0x250
[   26.892721][    C1]  acpi_idle_enter+0x337/0x490
[   26.897458][    C1]  cpuidle_enter_state+0x1a2/0xa80
[   26.902550][    C1]  ? tick_nohz_idle_stop_tick+0x526/0xa90
[   26.908238][    C1]  cpuidle_enter+0x4a/0xa0
[   26.912627][    C1]  do_idle+0x3d5/0x580
[   26.916678][    C1]  ? arch_cpu_idle_exit+0x40/0x40
[   26.921686][    C1]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[   26.927645][    C1]  ? _raw_spin_unlock_irqrestore+0x34/0x40
[   26.933431][    C1]  ? trace_hardirqs_on+0x5b/0x1a0
[   26.938429][    C1]  cpu_startup_entry+0x14/0x20
[   26.943164][    C1]  start_secondary+0x25b/0x320
[   26.947898][    C1]  ? set_cpu_sibling_map+0x1ff0/0x1ff0
[   26.953338][    C1]  secondary_startup_64_no_verify+0xb8/0xbb
[   26.959750][    C1] Kernel Offset: disabled
[   26.964077][    C1] Rebooting in 86400 seconds..