Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ 12.590016][ C0] random: crng init done
[ 12.595306][ C0] random: 7 urandom warning(s) missed due to ratelimiting
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.210' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 19.491926][ T21] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 20.011553][ T21] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 20.020699][ T21] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 20.028749][ T21] usb 1-1: Product: syz
[ 20.032964][ T21] usb 1-1: Manufacturer: syz
[ 20.037551][ T21] usb 1-1: SerialNumber: syz
[ 20.082984][ T21] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 20.680967][ T21] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 21.085543][ T95] usb 1-1: USB disconnect, device number 2
[ 21.949776][ T21] usb 1-1: Service connection timeout for: 256
[ 21.956623][ T21] ==================================================================
[ 21.964749][ T21] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 21.972007][ T21] Read of size 4 at addr ffff8881ce1bed54 by task kworker/1:1/21
[ 21.979695][ T21]
[ 21.982033][ T21] CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 5.7.0-rc6-syzkaller #0
[ 21.990157][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 22.000194][ T21] Workqueue: events request_firmware_work_func
[ 22.006323][ T21] Call Trace:
[ 22.009600][ T21]  dump_stack+0xef/0x16e
[ 22.013833][ T21]  print_address_description.constprop.0.cold+0xd3/0x415
[ 22.020841][ T21]  ? vprintk_func+0x7d/0x113
[ 22.025406][ T21]  ? kfree_skb+0x32/0x3d0
[ 22.029728][ T21]  __kasan_report.cold+0x37/0x7d
[ 22.034648][ T21]  ? kfree_skb+0x32/0x3d0
[ 22.038961][ T21]  ? kfree_skb+0x32/0x3d0
[ 22.043265][ T21]  kasan_report+0x33/0x50
[ 22.047572][ T21]  check_memory_region+0x173/0x1d0
[ 22.052656][ T21]  kfree_skb+0x32/0x3d0
[ 22.056804][ T21]  htc_connect_service.cold+0xa9/0x109
[ 22.062237][ T21]  ath9k_wmi_connect+0xd2/0x1a0
[ 22.067062][ T21]  ? ath9k_fatal_work+0x20/0x20
[ 22.071890][ T21]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 22.077935][ T21]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 22.083559][ T21]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 22.089948][ T21]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 22.095237][ T21]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 22.100755][ T21]  ? __raw_spin_lock_init+0x34/0x100
[ 22.106035][ T21]  ? tasklet_init+0x69/0x110
[ 22.110599][ T21]  ath9k_htc_probe_device+0x25a/0x1da0
[ 22.116033][ T21]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 22.122693][ T21]  ? usb_submit_urb+0x6ed/0x1460
[ 22.127605][ T21]  ? usb_free_urb.part.0+0x52/0x110
[ 22.132775][ T21]  ? usb_free_urb+0x1b/0x30
[ 22.137600][ T21]  ath9k_htc_hw_init+0x31/0x60
[ 22.142341][ T21]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 22.147970][ T21]  ? ath9k_hif_usb_resume+0x320/0x320
[ 22.153332][ T21]  request_firmware_work_func+0x126/0x242
[ 22.159028][ T21]  ? request_firmware_into_buf+0x90/0x90
[ 22.164636][ T21]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 22.170163][ T21]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 22.175855][ T21]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 22.181044][ T21]  process_one_work+0x965/0x1630
[ 22.185964][ T21]  ? lock_release+0x720/0x720
[ 22.190672][ T21]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 22.196045][ T21]  ? rwlock_bug.part.0+0x90/0x90
[ 22.200960][ T21]  worker_thread+0x96/0xe20
[ 22.205439][ T21]  ? process_one_work+0x1630/0x1630
[ 22.210625][ T21]  kthread+0x326/0x430
[ 22.214688][ T21]  ? kthread_create_on_node+0xf0/0xf0
[ 22.220045][ T21]  ret_from_fork+0x24/0x30
[ 22.224447][ T21]
[ 22.226753][ T21] Allocated by task 21:
[ 22.230898][ T21]  save_stack+0x1b/0x40
[ 22.235041][ T21]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 22.240668][ T21]  kmem_cache_alloc_node+0xdc/0x330
[ 22.245853][ T21]  __alloc_skb+0xba/0x5a0
[ 22.250160][ T21]  htc_connect_service+0x2cc/0x840
[ 22.255281][ T21]  ath9k_wmi_connect+0xd2/0x1a0
[ 22.260126][ T21]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 22.266514][ T21]  ath9k_htc_probe_device+0x25a/0x1da0
[ 22.271958][ T21]  ath9k_htc_hw_init+0x31/0x60
[ 22.276696][ T21]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 22.282313][ T21]  request_firmware_work_func+0x126/0x242
[ 22.288107][ T21]  process_one_work+0x965/0x1630
[ 22.293018][ T21]  worker_thread+0x96/0xe20
[ 22.297517][ T21]  kthread+0x326/0x430
[ 22.301561][ T21]  ret_from_fork+0x24/0x30
[ 22.306465][ T21]
[ 22.309723][ T21] Freed by task 0:
[ 22.313422][ T21]  save_stack+0x1b/0x40
[ 22.317567][ T21]  __kasan_slab_free+0x117/0x160
[ 22.322478][ T21]  kmem_cache_free+0x9b/0x360
[ 22.327129][ T21]  kfree_skbmem+0xef/0x1b0
[ 22.331517][ T21]  kfree_skb+0x102/0x3d0
[ 22.335737][ T21]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 22.341343][ T21]  hif_usb_regout_cb+0x115/0x1c0
[ 22.346254][ T21]  __usb_hcd_giveback_urb+0x29a/0x550
[ 22.351599][ T21]  usb_hcd_giveback_urb+0x368/0x420
[ 22.356773][ T21]  dummy_timer+0x125e/0x32b4
[ 22.361342][ T21]  call_timer_fn+0x1ac/0x700
[ 22.365906][ T21]  run_timer_softirq+0x5f9/0x1500
[ 22.370905][ T21]  __do_softirq+0x21e/0x9aa
[ 22.375395][ T21]
[ 22.377706][ T21] The buggy address belongs to the object at ffff8881ce1bec80
[ 22.377706][ T21]  which belongs to the cache skbuff_head_cache of size 224
[ 22.392274][ T21] The buggy address is located 212 bytes inside of
[ 22.392274][ T21]  224-byte region [ffff8881ce1bec80, ffff8881ce1bed60)
[ 22.405520][ T21] The buggy address belongs to the page:
[ 22.411128][ T21] page:ffffea0007386f80 refcount:1 mapcount:0 mapping:000000001d893d76 index:0x0
[ 22.420217][ T21] flags: 0x200000000000200(slab)
[ 22.425140][ T21] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 22.433710][ T21] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 22.442290][ T21] page dumped because: kasan: bad access detected
[ 22.448679][ T21]
[ 22.450980][ T21] Memory state around the buggy address:
[ 22.456593][ T21]  ffff8881ce1bec00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.464632][ T21]  ffff8881ce1bec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.472754][ T21] >ffff8881ce1bed00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 22.480786][ T21]                                                  ^
[ 22.488391][ T21]  ffff8881ce1bed80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 22.496436][ T21]  ffff8881ce1bee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.504464][ T21] ==================================================================
[ 22.512507][ T21] Disabling lock debugging due to kernel taint
[ 22.518698][ T21] Kernel panic - not syncing: panic_on_warn set ...
[ 22.525292][ T21] CPU: 1 PID: 21 Comm: kworker/1:1 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 22.534819][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 22.545310][ T21] Workqueue: events request_firmware_work_func
[ 22.552415][ T21] Call Trace:
[ 22.555684][ T21]  dump_stack+0xef/0x16e
[ 22.559913][ T21]  panic+0x2aa/0x6e1
[ 22.563789][ T21]  ? add_taint.cold+0x16/0x16
[ 22.569402][ T21]  ? retint_kernel+0x10/0x10
[ 22.573969][ T21]  ? kfree_skb+0x32/0x3d0
[ 22.578279][ T21]  ? trace_hardirqs_on+0x55/0x200
[ 22.583278][ T21]  ? kfree_skb+0x32/0x3d0
[ 22.587578][ T21]  end_report+0x4d/0x53
[ 22.591705][ T21]  __kasan_report.cold+0x72/0x7d
[ 22.596614][ T21]  ? kfree_skb+0x32/0x3d0
[ 22.600913][ T21]  ? kfree_skb+0x32/0x3d0
[ 22.605218][ T21]  kasan_report+0x33/0x50
[ 22.610475][ T21]  check_memory_region+0x173/0x1d0
[ 22.615566][ T21]  kfree_skb+0x32/0x3d0
[ 22.619700][ T21]  htc_connect_service.cold+0xa9/0x109
[ 22.625180][ T21]  ath9k_wmi_connect+0xd2/0x1a0
[ 22.630053][ T21]  ? ath9k_fatal_work+0x20/0x20
[ 22.634878][ T21]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 22.640921][ T21]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 22.646762][ T21]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 22.653159][ T21]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 22.658419][ T21]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 22.663941][ T21]  ? __raw_spin_lock_init+0x34/0x100
[ 22.669203][ T21]  ? tasklet_init+0x69/0x110
[ 22.673767][ T21]  ath9k_htc_probe_device+0x25a/0x1da0
[ 22.679230][ T21]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 22.685877][ T21]  ? usb_submit_urb+0x6ed/0x1460
[ 22.690800][ T21]  ? usb_free_urb.part.0+0x52/0x110
[ 22.695985][ T21]  ? usb_free_urb+0x1b/0x30
[ 22.700477][ T21]  ath9k_htc_hw_init+0x31/0x60
[ 22.705354][ T21]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 22.711120][ T21]  ? ath9k_hif_usb_resume+0x320/0x320
[ 22.716468][ T21]  request_firmware_work_func+0x126/0x242
[ 22.722183][ T21]  ? request_firmware_into_buf+0x90/0x90
[ 22.727796][ T21]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 22.733328][ T21]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 22.738590][ T21]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 22.743769][ T21]  process_one_work+0x965/0x1630
[ 22.748697][ T21]  ? lock_release+0x720/0x720
[ 22.753348][ T21]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 22.758810][ T21]  ? rwlock_bug.part.0+0x90/0x90
[ 22.764690][ T21]  worker_thread+0x96/0xe20
[ 22.769176][ T21]  ? process_one_work+0x1630/0x1630
[ 22.774356][ T21]  kthread+0x326/0x430
[ 22.778414][ T21]  ? kthread_create_on_node+0xf0/0xf0
[ 22.783759][ T21]  ret_from_fork+0x24/0x30
[ 22.788702][ T21] Kernel Offset: disabled
[ 22.793018][ T21] Rebooting in 86400 seconds..