[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.11' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 69.386101][ T5] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 69.746115][ T5] usb 1-1: config 1 has an invalid descriptor of length 9, skipping remainder of the config
[ 69.756429][ T5] usb 1-1: config 1 interface 0 altsetting 0 has 3 endpoint descriptors, different from the interface descriptor's value: 6
[ 69.926092][ T5] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 69.935245][ T5] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 69.944164][ T5] usb 1-1: Product: syz
[ 69.948860][ T5] usb 1-1: Manufacturer: syz
[ 69.953479][ T5] usb 1-1: SerialNumber: syz
[ 69.998248][ T5] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 70.605888][ T5] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 71.045811][ C0] ==================================================================
[ 71.054044][ C0] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 71.061767][ C0] Read of size 40655 at addr ffff888018980000 by task swapper/0/0
[ 71.069573][ C0]
[ 71.071886][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.0-rc4-syzkaller #0
[ 71.079835][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.089883][ C0] Call Trace:
[ 71.093143][ C0]
[ 71.095978][ C0] dump_stack+0x107/0x163
[ 71.100287][ C0] ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 71.105643][ C0] ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 71.111003][ C0] print_address_description.constprop.0.cold+0xae/0x4c8
[ 71.118008][ C0] ? vprintk_func+0x95/0x1e0
[ 71.122578][ C0] ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 71.127925][ C0] ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 71.133304][ C0] kasan_report.cold+0x1f/0x37
[ 71.138071][ C0] ? spin_bug+0xd0/0x100
[ 71.142289][ C0] ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 71.147641][ C0] check_memory_region+0x13d/0x180
[ 71.152730][ C0] memcpy+0x20/0x60
[ 71.156517][ C0] ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 71.161702][ C0] ? hif_usb_start+0xa0/0xa0
[ 71.166269][ C0] ? __usb_hcd_giveback_urb+0x302/0x560
[ 71.171789][ C0] ? lock_downgrade+0x6d0/0x6d0
[ 71.176626][ C0] ? kcov_remote_start+0xce/0x450
[ 71.181646][ C0] __usb_hcd_giveback_urb+0x32d/0x560
[ 71.187000][ C0] usb_hcd_giveback_urb+0x367/0x410
[ 71.192179][ C0] dummy_timer+0x11f4/0x3280
[ 71.196769][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 71.201531][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 71.206274][ C0] call_timer_fn+0x1a5/0x6b0
[ 71.210845][ C0] ? add_timer_on+0x4a0/0x4a0
[ 71.215523][ C0] ? lock_downgrade+0x6d0/0x6d0
[ 71.220358][ C0] ? _raw_spin_unlock_irq+0x1f/0x40
[ 71.225532][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 71.230281][ C0] __run_timers.part.0+0x67c/0xa50
[ 71.235375][ C0] ? call_timer_fn+0x6b0/0x6b0
[ 71.240117][ C0] ? lapic_next_event+0x4d/0x80
[ 71.244949][ C0] ? kvm_sched_clock_read+0x14/0x40
[ 71.250134][ C0] ? sched_clock+0x2a/0x40
[ 71.254528][ C0] ? sched_clock_cpu+0x18/0x1f0
[ 71.259362][ C0] run_timer_softirq+0xb3/0x1d0
[ 71.264191][ C0] __do_softirq+0x2a0/0x9f6
[ 71.268678][ C0] asm_call_irq_on_stack+0xf/0x20
[ 71.273689][ C0]
[ 71.276608][ C0] do_softirq_own_stack+0xaa/0xd0
[ 71.281622][ C0] irq_exit_rcu+0x132/0x200
[ 71.286108][ C0] sysvec_apic_timer_interrupt+0x4d/0x100
[ 71.291805][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 71.297765][ C0] RIP: 0010:acpi_idle_do_entry+0x1c9/0x250
[ 71.303547][ C0] Code: 7d 44 88 f8 84 db 75 ac e8 64 4c 88 f8 e8 1f 0b 8e f8 e9 0c 00 00 00 e8 55 4c 88 f8 0f 00 2d 4e 97 c0 00 e8 49 4c 88 f8 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 a4 44 88 f8 48 85 db
[ 71.323145][ C0] RSP: 0018:ffffffff8b007d60 EFLAGS: 00000293
[ 71.329191][ C0] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffffffff19d8f61
[ 71.337142][ C0] RDX: ffffffff8b09af80 RSI: ffffffff88e7e397 RDI: 0000000000000000
[ 71.345090][ C0] RBP: ffff8880149a9864 R08: 0000000000000001 R09: 0000000000000001
[ 71.353040][ C0] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
[ 71.360992][ C0] R13: ffff8880149a9800 R14: ffff8880149a9864 R15: ffff888142e94004
[ 71.368960][ C0] ? acpi_idle_do_entry+0x1c7/0x250
[ 71.374141][ C0] acpi_idle_enter+0x361/0x500
[ 71.378909][ C0] cpuidle_enter_state+0x1b1/0xc80
[ 71.384002][ C0] cpuidle_enter+0x4a/0xa0
[ 71.388414][ C0] do_idle+0x3e1/0x590
[ 71.392476][ C0] ? arch_cpu_idle_exit+0x40/0x40
[ 71.397495][ C0] ? trace_init_perf_perm_irq_work_exit+0xe/0xe
[ 71.403717][ C0] cpu_startup_entry+0x14/0x20
[ 71.408475][ C0] start_kernel+0x470/0x491
[ 71.412961][ C0] secondary_startup_64_no_verify+0xb0/0xbb
[ 71.418838][ C0]
[ 71.421141][ C0] The buggy address belongs to the page:
[ 71.426754][ C0] page:0000000094165723 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x18980
[ 71.436875][ C0] head:0000000094165723 order:3 compound_mapcount:0 compound_pincount:0
[ 71.445171][ C0] flags: 0xfff00000010000(head)
[ 71.450000][ C0] raw: 00fff00000010000 dead000000000100 dead000000000122 0000000000000000
[ 71.458561][ C0] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 71.467128][ C0] page dumped because: kasan: bad access detected
[ 71.473511][ C0]
[ 71.475827][ C0] Memory state around the buggy address:
[ 71.481434][ C0] ffff888018987f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 71.489496][ C0] ffff888018987f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 71.497533][ C0] >ffff888018988000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 71.505581][ C0] ^
[ 71.509623][ C0] ffff888018988080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 71.517661][ C0] ffff888018988100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 71.525694][ C0] ==================================================================
[ 71.533726][ C0] Disabling lock debugging due to kernel taint
[ 71.539848][ C0] Kernel panic - not syncing: panic_on_warn set ...
[ 71.546419][ C0] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 5.10.0-rc4-syzkaller #0
[ 71.555755][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.565779][ C0] Call Trace:
[ 71.569050][ C0]
[ 71.571894][ C0] dump_stack+0x107/0x163
[ 71.576210][ C0] ? ath9k_hif_usb_rx_cb+0x340/0x1020
[ 71.581553][ C0] panic+0x306/0x73d
[ 71.585420][ C0] ? __warn_printk+0xf3/0xf3
[ 71.590004][ C0] ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 71.595345][ C0] ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 71.600698][ C0] end_report+0x58/0x5e
[ 71.604838][ C0] kasan_report.cold+0xd/0x37
[ 71.609488][ C0] ? spin_bug+0xd0/0x100
[ 71.613701][ C0] ? ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 71.619045][ C0] check_memory_region+0x13d/0x180
[ 71.624128][ C0] memcpy+0x20/0x60
[ 71.627909][ C0] ath9k_hif_usb_rx_cb+0x3ab/0x1020
[ 71.633098][ C0] ? hif_usb_start+0xa0/0xa0
[ 71.637660][ C0] ? __usb_hcd_giveback_urb+0x302/0x560
[ 71.643177][ C0] ? lock_downgrade+0x6d0/0x6d0
[ 71.648002][ C0] ? kcov_remote_start+0xce/0x450
[ 71.652998][ C0] __usb_hcd_giveback_urb+0x32d/0x560
[ 71.658340][ C0] usb_hcd_giveback_urb+0x367/0x410
[ 71.663520][ C0] dummy_timer+0x11f4/0x3280
[ 71.668087][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 71.672820][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 71.677555][ C0] call_timer_fn+0x1a5/0x6b0
[ 71.682119][ C0] ? add_timer_on+0x4a0/0x4a0
[ 71.686766][ C0] ? lock_downgrade+0x6d0/0x6d0
[ 71.691593][ C0] ? _raw_spin_unlock_irq+0x1f/0x40
[ 71.696772][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 71.701514][ C0] __run_timers.part.0+0x67c/0xa50
[ 71.706622][ C0] ? call_timer_fn+0x6b0/0x6b0
[ 71.711358][ C0] ? lapic_next_event+0x4d/0x80
[ 71.716181][ C0] ? kvm_sched_clock_read+0x14/0x40
[ 71.721361][ C0] ? sched_clock+0x2a/0x40
[ 71.725750][ C0] ? sched_clock_cpu+0x18/0x1f0
[ 71.730574][ C0] run_timer_softirq+0xb3/0x1d0
[ 71.735396][ C0] __do_softirq+0x2a0/0x9f6
[ 71.739873][ C0] asm_call_irq_on_stack+0xf/0x20
[ 71.744862][ C0]
[ 71.747778][ C0] do_softirq_own_stack+0xaa/0xd0
[ 71.752772][ C0] irq_exit_rcu+0x132/0x200
[ 71.757249][ C0] sysvec_apic_timer_interrupt+0x4d/0x100
[ 71.762954][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 71.768907][ C0] RIP: 0010:acpi_idle_do_entry+0x1c9/0x250
[ 71.774684][ C0] Code: 7d 44 88 f8 84 db 75 ac e8 64 4c 88 f8 e8 1f 0b 8e f8 e9 0c 00 00 00 e8 55 4c 88 f8 0f 00 2d 4e 97 c0 00 e8 49 4c 88 f8 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 a4 44 88 f8 48 85 db
[ 71.794261][ C0] RSP: 0018:ffffffff8b007d60 EFLAGS: 00000293
[ 71.800304][ C0] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffffffff19d8f61
[ 71.808250][ C0] RDX: ffffffff8b09af80 RSI: ffffffff88e7e397 RDI: 0000000000000000
[ 71.816197][ C0] RBP: ffff8880149a9864 R08: 0000000000000001 R09: 0000000000000001
[ 71.824140][ C0] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
[ 71.832083][ C0] R13: ffff8880149a9800 R14: ffff8880149a9864 R15: ffff888142e94004
[ 71.840036][ C0] ? acpi_idle_do_entry+0x1c7/0x250
[ 71.845208][ C0] acpi_idle_enter+0x361/0x500
[ 71.849959][ C0] cpuidle_enter_state+0x1b1/0xc80
[ 71.855048][ C0] cpuidle_enter+0x4a/0xa0
[ 71.859497][ C0] do_idle+0x3e1/0x590
[ 71.863548][ C0] ? arch_cpu_idle_exit+0x40/0x40
[ 71.868550][ C0] ? trace_init_perf_perm_irq_work_exit+0xe/0xe
[ 71.874765][ C0] cpu_startup_entry+0x14/0x20
[ 71.879728][ C0] start_kernel+0x470/0x491
[ 71.884208][ C0] secondary_startup_64_no_verify+0xb0/0xbb
[ 71.890645][ C0] Kernel Offset: disabled
[ 71.894952][ C0] Rebooting in 86400 seconds..