Debian GNU/Linux 9 syzkaller ttyS0
syzkaller login: [ 15.166507][ C0] random: crng init done
[ 15.167783][ C0] random: 7 urandom warning(s) missed due to ratelimiting
[ 23.258772][ T345] can: request_module (can-proto-0) failed.
[ 23.678003][ T345] can: request_module (can-proto-0) failed.
[ 23.687869][ T345] can: request_module (can-proto-7) failed.
[ 23.697422][ T345] can: request_module (can-proto-0) failed.
Warning: Permanently added '10.128.1.48' (ECDSA) to the list of known hosts.
2020/04/01 04:00:17 parsed 1 programs
2020/04/01 04:00:17 executed programs: 0
[ 30.780192][ T513] cgroup: Unknown subsys name 'perf_event'
[ 30.781032][ T512] cgroup: Unknown subsys name 'perf_event'
[ 30.787465][ T515] cgroup: Unknown subsys name 'perf_event'
[ 30.799356][ T513] cgroup: Unknown subsys name 'net_cls'
[ 30.805407][ T515] cgroup: Unknown subsys name 'net_cls'
[ 30.805715][ T517] cgroup: Unknown subsys name 'perf_event'
[ 30.822001][ T519] cgroup: Unknown subsys name 'perf_event'
[ 30.824082][ T512] cgroup: Unknown subsys name 'net_cls'
[ 30.828806][ T522] cgroup: Unknown subsys name 'perf_event'
[ 30.843574][ T519] cgroup: Unknown subsys name 'net_cls'
[ 30.850886][ T522] cgroup: Unknown subsys name 'net_cls'
[ 30.861293][ T517] cgroup: Unknown subsys name 'net_cls'
[ 38.877554][ T376] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 38.927486][ T17] usb 2-1: new high-speed USB device number 2 using dummy_hcd
[ 39.027424][ T164] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 39.027471][ T83] usb 6-1: new high-speed USB device number 2 using dummy_hcd
[ 39.047703][ T5] usb 4-1: new high-speed USB device number 2 using dummy_hcd
[ 39.047721][ T3220] usb 3-1: new high-speed USB device number 2 using dummy_hcd
[ 39.247709][ T376] usb 5-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 39.256846][ T376] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 39.264914][ T376] usb 5-1: Product: syz
[ 39.269211][ T376] usb 5-1: Manufacturer: syz
[ 39.273790][ T376] usb 5-1: SerialNumber: syz
[ 39.317516][ T17] usb 2-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 39.326599][ T17] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 39.334689][ T17] usb 2-1: Product: syz
[ 39.338897][ T17] usb 2-1: Manufacturer: syz
[ 39.343471][ T17] usb 2-1: SerialNumber: syz
[ 39.349488][ T376] usb 5-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 39.398049][ T17] usb 2-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 39.409420][ T164] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 39.418631][ T164] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 39.426597][ T164] usb 1-1: Product: syz
[ 39.427754][ T83] usb 6-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 39.430829][ T164] usb 1-1: Manufacturer: syz
[ 39.439863][ T83] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 39.444403][ T164] usb 1-1: SerialNumber: syz
[ 39.452388][ T83] usb 6-1: Product: syz
[ 39.459902][ T5] usb 4-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 39.461150][ T83] usb 6-1: Manufacturer: syz
[ 39.470220][ T5] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 39.474773][ T83] usb 6-1: SerialNumber: syz
[ 39.482777][ T5] usb 4-1: Product: syz
[ 39.491506][ T5] usb 4-1: Manufacturer: syz
[ 39.496098][ T5] usb 4-1: SerialNumber: syz
[ 39.507407][ T3220] usb 3-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 39.516483][ T3220] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 39.524730][ T3220] usb 3-1: Product: syz
[ 39.528958][ T3220] usb 3-1: Manufacturer: syz
[ 39.533543][ T3220] usb 3-1: SerialNumber: syz
[ 39.548069][ T164] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 39.556655][ T5] usb 4-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 39.578228][ T3220] usb 3-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 39.588711][ T83] usb 6-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 40.017293][ T17] usb 2-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 40.026353][ T376] usb 5-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 40.167187][ T3220] usb 6-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 40.176396][ T83] usb 3-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 40.187415][ T5] usb 4-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 40.196410][ T164] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 40.237216][ C1] ==================================================================
[ 40.245414][ C1] BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0
[ 40.252866][ C1] Write of size 2 at addr ffff8881c6ac11b0 by task swapper/1/0
[ 40.260815][ C1]
[ 40.263149][ C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc7-syzkaller #0
[ 40.271015][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.281067][ C1] Call Trace:
[ 40.284346][ C1]
[ 40.287192][ C1] dump_stack+0xef/0x16e
[ 40.291465][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 40.296498][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 40.301503][ C1] print_address_description.constprop.0.cold+0xd3/0x314
[ 40.308516][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 40.313517][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 40.318520][ C1] __kasan_report.cold+0x37/0x77
[ 40.323447][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 40.328520][ C1] kasan_report+0xe/0x20
[ 40.332762][ C1] ath9k_htc_rx_msg+0xa25/0xaf0
[ 40.337679][ C1] ath9k_hif_usb_reg_in_cb+0x1ba/0x630
[ 40.343129][ C1] ? _raw_read_unlock+0x1a/0x30
[ 40.347960][ C1] ? led_trigger_blink_oneshot+0xb4/0xe0
[ 40.353577][ C1] __usb_hcd_giveback_urb+0x1f2/0x470
[ 40.358929][ C1] usb_hcd_giveback_urb+0x368/0x420
[ 40.364108][ C1] dummy_timer+0x1258/0x32ae
[ 40.368691][ C1] ? dummy_udc_probe+0x930/0x930
[ 40.373620][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 40.379169][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 40.385506][ C1] call_timer_fn+0x195/0x6f0
[ 40.390076][ C1] ? dummy_udc_probe+0x930/0x930
[ 40.394994][ C1] ? msleep_interruptible+0x130/0x130
[ 40.400367][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 40.405925][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 40.411205][ C1] ? _raw_spin_unlock_irq+0x1f/0x30
[ 40.416382][ C1] ? dummy_udc_probe+0x930/0x930
[ 40.421318][ C1] run_timer_softirq+0x5f9/0x1500
[ 40.426688][ C1] ? add_timer+0x7a0/0x7a0
[ 40.431093][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 40.436621][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 40.441911][ C1] __do_softirq+0x21e/0x950
[ 40.446400][ C1] irq_exit+0x178/0x1a0
[ 40.450539][ C1] smp_apic_timer_interrupt+0x141/0x540
[ 40.456073][ C1] apic_timer_interrupt+0xf/0x20
[ 40.460990][ C1]
[ 40.463912][ C1] RIP: 0010:default_idle+0x28/0x300
[ 40.469089][ C1] Code: cc cc 41 56 41 55 65 44 8b 2d 04 3b 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 27 b5 fb e9 07 00 00 00 0f 00 2d aa d0 52 00 fb f4 <65> 44 8b 2d e0 3a 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
[ 40.488681][ C1] RSP: 0018:ffff8881da22fda8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 40.497132][ C1] RAX: 0000000000000007 RBX: ffff8881da213100 RCX: 0000000000000000
[ 40.505104][ C1] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da21394c
[ 40.513072][ C1] RBP: ffffed103b442620 R08: ffff8881da213100 R09: 0000000000000000
[ 40.521046][ C1] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[ 40.529000][ C1] R13: 0000000000000001 R14: ffffffff87e612c0 R15: 0000000000000000
[ 40.537035][ C1] ? default_idle+0x1a/0x300
[ 40.541627][ C1] do_idle+0x3e0/0x500
[ 40.545678][ C1] ? __wake_up_common+0x147/0x650
[ 40.550683][ C1] ? arch_cpu_idle_exit+0x40/0x40
[ 40.555689][ C1] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 40.561479][ C1] ? lockdep_hardirqs_on+0x382/0x580
[ 40.566846][ C1] cpu_startup_entry+0x14/0x20
[ 40.571592][ C1] start_secondary+0x2a4/0x390
[ 40.575521][ T12] usb 6-1: USB disconnect, device number 2
[ 40.576345][ C1] ? set_cpu_sibling_map+0x1e90/0x1e90
[ 40.576362][ C1] secondary_startup_64+0xb6/0xc0
[ 40.576371][ C1]
[ 40.594958][ C1] Allocated by task 2959:
[ 40.597607][ T3234] usb 4-1: USB disconnect, device number 2
[ 40.599283][ C1] save_stack+0x1b/0x80
[ 40.599296][ C1] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 40.599307][ C1] kmem_cache_alloc+0xd8/0x300
[ 40.599320][ C1] getname_flags+0xd2/0x5b0
[ 40.599329][ C1] do_sys_openat2+0x3cf/0x740
[ 40.599338][ C1] do_sys_open+0xc3/0x140
[ 40.599354][ C1] do_syscall_64+0xb6/0x5a0
[ 40.639662][ C1] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.645527][ C1]
[ 40.647832][ C1] Freed by task 2959:
[ 40.651886][ C1] save_stack+0x1b/0x80
[ 40.656022][ C1] __kasan_slab_free+0x117/0x160
[ 40.660950][ C1] kmem_cache_free+0x9b/0x360
[ 40.665622][ C1] putname+0xe1/0x120
[ 40.669641][ C1] do_sys_openat2+0x43a/0x740
[ 40.674315][ C1] do_sys_open+0xc3/0x140
[ 40.678634][ C1] do_syscall_64+0xb6/0x5a0
[ 40.683127][ C1] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.689000][ C1]
[ 40.691327][ C1] The buggy address belongs to the object at ffff8881c6ac1100
[ 40.691327][ C1] which belongs to the cache names_cache of size 4096
[ 40.705466][ C1] The buggy address is located 176 bytes inside of
[ 40.705466][ C1] 4096-byte region [ffff8881c6ac1100, ffff8881c6ac2100)
[ 40.718813][ C1] The buggy address belongs to the page:
[ 40.724432][ C1] page:ffffea00071ab000 refcount:1 mapcount:0 mapping:ffff8881da11c000 index:0x0 compound_mapcount: 0
[ 40.735343][ C1] flags: 0x200000000010200(slab|head)
[ 40.740706][ C1] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da11c000
[ 40.749498][ C1] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 40.758069][ C1] page dumped because: kasan: bad access detected
[ 40.764483][ C1]
[ 40.766791][ C1] Memory state around the buggy address:
[ 40.772424][ C1] ffff8881c6ac1080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.780471][ C1] ffff8881c6ac1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.788782][ C1] >ffff8881c6ac1180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.796824][ C1] ^
[ 40.802446][ C1] ffff8881c6ac1200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.810492][ C1] ffff8881c6ac1280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.818567][ C1] ==================================================================
[ 40.826655][ C1] Disabling lock debugging due to kernel taint
[ 40.832788][ C1] Kernel panic - not syncing: panic_on_warn set ...
[ 40.839365][ C1] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G B 5.6.0-rc7-syzkaller #0
[ 40.848625][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.858920][ C1] Call Trace:
[ 40.862198][ C1]
[ 40.865036][ C1] dump_stack+0xef/0x16e
[ 40.869301][ C1] panic+0x2aa/0x6e1
[ 40.873211][ C1] ? add_taint.cold+0x16/0x16
[ 40.877884][ C1] ? print_shadow_for_address+0xb8/0x114
[ 40.883503][ C1] ? trace_hardirqs_off+0x50/0x200
[ 40.888642][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 40.890732][ T3235] usb 3-1: USB disconnect, device number 2
[ 40.893654][ C1] end_report+0x43/0x49
[ 40.893666][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 40.893677][ C1] __kasan_report.cold+0x55/0x77
[ 40.893687][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 40.893704][ C1] kasan_report+0xe/0x20
[ 40.922850][ C1] ath9k_htc_rx_msg+0xa25/0xaf0
[ 40.927679][ C1] ath9k_hif_usb_reg_in_cb+0x1ba/0x630
[ 40.933117][ C1] ? _raw_read_unlock+0x1a/0x30
[ 40.937956][ C1] ? led_trigger_blink_oneshot+0xb4/0xe0
[ 40.943683][ C1] __usb_hcd_giveback_urb+0x1f2/0x470
[ 40.949034][ C1] usb_hcd_giveback_urb+0x368/0x420
[ 40.954209][ C1] dummy_timer+0x1258/0x32ae
[ 40.958784][ C1] ? dummy_udc_probe+0x930/0x930
[ 40.963756][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 40.969291][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 40.974556][ C1] call_timer_fn+0x195/0x6f0
[ 40.979134][ C1] ? dummy_udc_probe+0x930/0x930
[ 40.984049][ C1] ? msleep_interruptible+0x130/0x130
[ 40.989605][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 40.995132][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 41.000403][ C1] ? _raw_spin_unlock_irq+0x1f/0x30
[ 41.005582][ C1] ? dummy_udc_probe+0x930/0x930
[ 41.010522][ C1] run_timer_softirq+0x5f9/0x1500
[ 41.015537][ C1] ? add_timer+0x7a0/0x7a0
[ 41.019930][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 41.025451][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 41.030711][ C1] __do_softirq+0x21e/0x950
[ 41.035195][ C1] irq_exit+0x178/0x1a0
[ 41.039338][ C1] smp_apic_timer_interrupt+0x141/0x540
[ 41.044886][ C1] apic_timer_interrupt+0xf/0x20
[ 41.049811][ C1]
[ 41.052734][ C1] RIP: 0010:default_idle+0x28/0x300
[ 41.057910][ C1] Code: cc cc 41 56 41 55 65 44 8b 2d 04 3b 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 27 b5 fb e9 07 00 00 00 0f 00 2d aa d0 52 00 fb f4 <65> 44 8b 2d e0 3a 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
[ 41.077902][ C1] RSP: 0018:ffff8881da22fda8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 41.086307][ C1] RAX: 0000000000000007 RBX: ffff8881da213100 RCX: 0000000000000000
[ 41.094268][ C1] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da21394c
[ 41.102222][ C1] RBP: ffffed103b442620 R08: ffff8881da213100 R09: 0000000000000000
[ 41.110198][ C1] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[ 41.118147][ C1] R13: 0000000000000001 R14: ffffffff87e612c0 R15: 0000000000000000
[ 41.126105][ C1] ? default_idle+0x1a/0x300
[ 41.130689][ C1] do_idle+0x3e0/0x500
[ 41.134744][ C1] ? __wake_up_common+0x147/0x650
[ 41.139745][ C1] ? arch_cpu_idle_exit+0x40/0x40
[ 41.144745][ C1] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 41.150527][ C1] ? lockdep_hardirqs_on+0x382/0x580
[ 41.155787][ C1] cpu_startup_entry+0x14/0x20
[ 41.160545][ C1] start_secondary+0x2a4/0x390
[ 41.165315][ C1] ? set_cpu_sibling_map+0x1e90/0x1e90
[ 41.170882][ C1] secondary_startup_64+0xb6/0xc0
[ 41.176593][ C1] Kernel Offset: disabled
[ 41.180908][ C1] Rebooting in 86400 seconds..