Warning: Permanently added '10.128.0.48' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   21.052660][   T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   21.582167][   T83] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[   21.591288][   T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   21.599357][   T83] usb 1-1: Product: syz
[   21.603607][   T83] usb 1-1: Manufacturer: syz
[   21.608187][   T83] usb 1-1: SerialNumber: syz
[   21.653189][   T83] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[   22.271411][   T83] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[   22.674197][  T300] usb 1-1: USB disconnect, device number 2
[   23.510612][   T83] usb 1-1: Service connection timeout for: 256
[   23.516865][   T83] ==================================================================
[   23.525120][   T83] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[   23.531835][   T83] Read of size 4 at addr ffff8881d32800d4 by task kworker/1:2/83
[   23.539522][   T83]
[   23.541832][   T83] CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.7.0-rc6-syzkaller #0
[   23.549955][   T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   23.560111][   T83] Workqueue: events request_firmware_work_func
[   23.566239][   T83] Call Trace:
[   23.569512][   T83]  dump_stack+0xef/0x16e
[   23.573735][   T83]  print_address_description.constprop.0.cold+0xd3/0x415
[   23.580740][   T83]  ? vprintk_func+0x7d/0x113
[   23.585307][   T83]  ? kfree_skb+0x32/0x3d0
[   23.589615][   T83]  __kasan_report.cold+0x37/0x7d
[   23.594529][   T83]  ? kfree_skb+0x32/0x3d0
[   23.598839][   T83]  ? kfree_skb+0x32/0x3d0
[   23.603153][   T83]  kasan_report+0x33/0x50
[   23.607538][   T83]  check_memory_region+0x173/0x1d0
[   23.612631][   T83]  kfree_skb+0x32/0x3d0
[   23.616770][   T83]  htc_connect_service.cold+0xa9/0x109
[   23.622207][   T83]  ath9k_wmi_connect+0xd2/0x1a0
[   23.627033][   T83]  ? ath9k_fatal_work+0x20/0x20
[   23.631861][   T83]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[   23.637903][   T83]  ? ath9k_wmi_event_tasklet+0x440/0x440
[   23.643512][   T83]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   23.649911][   T83]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[   23.655174][   T83]  ? lockdep_init_map_waits+0x26a/0x7c0
[   23.660695][   T83]  ? __raw_spin_lock_init+0x34/0x100
[   23.665955][   T83]  ? tasklet_init+0x69/0x110
[   23.670532][   T83]  ath9k_htc_probe_device+0x25a/0x1da0
[   23.675978][   T83]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[   23.682631][   T83]  ? usb_submit_urb+0x6ed/0x1460
[   23.687542][   T83]  ? usb_free_urb.part.0+0x52/0x110
[   23.692714][   T83]  ? usb_free_urb+0x1b/0x30
[   23.697203][   T83]  ath9k_htc_hw_init+0x31/0x60
[   23.701948][   T83]  ath9k_hif_usb_firmware_cb+0x274/0x510
[   23.707559][   T83]  ? ath9k_hif_usb_resume+0x320/0x320
[   23.712907][   T83]  request_firmware_work_func+0x126/0x242
[   23.718605][   T83]  ? request_firmware_into_buf+0x90/0x90
[   23.724212][   T83]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   23.729732][   T83]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   23.734996][   T83]  ? _raw_spin_unlock_irq+0x1f/0x30
[   23.740169][   T83]  process_one_work+0x965/0x1630
[   23.745083][   T83]  ? lock_release+0x720/0x720
[   23.749734][   T83]  ? pwq_dec_nr_in_flight+0x310/0x310
[   23.755084][   T83]  ? rwlock_bug.part.0+0x90/0x90
[   23.759998][   T83]  worker_thread+0x96/0xe20
[   23.764475][   T83]  ? process_one_work+0x1630/0x1630
[   23.769647][   T83]  kthread+0x326/0x430
[   23.773692][   T83]  ? kthread_create_on_node+0xf0/0xf0
[   23.779040][   T83]  ret_from_fork+0x24/0x30
[   23.783473][   T83]
[   23.785779][   T83] Allocated by task 83:
[   23.789913][   T83]  save_stack+0x1b/0x40
[   23.794043][   T83]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   23.799652][   T83]  kmem_cache_alloc_node+0xdc/0x330
[   23.804826][   T83]  __alloc_skb+0xba/0x5a0
[   23.809131][   T83]  htc_connect_service+0x2cc/0x840
[   23.814214][   T83]  ath9k_wmi_connect+0xd2/0x1a0
[   23.819041][   T83]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   23.825450][   T83]  ath9k_htc_probe_device+0x25a/0x1da0
[   23.830884][   T83]  ath9k_htc_hw_init+0x31/0x60
[   23.835623][   T83]  ath9k_hif_usb_firmware_cb+0x274/0x510
[   23.841251][   T83]  request_firmware_work_func+0x126/0x242
[   23.846963][   T83]  process_one_work+0x965/0x1630
[   23.851889][   T83]  worker_thread+0x96/0xe20
[   23.856502][   T83]  kthread+0x326/0x430
[   23.860546][   T83]  ret_from_fork+0x24/0x30
[   23.864929][   T83]
[   23.867231][   T83] Freed by task 150:
[   23.871101][   T83]  save_stack+0x1b/0x40
[   23.875231][   T83]  __kasan_slab_free+0x117/0x160
[   23.880143][   T83]  kmem_cache_free+0x9b/0x360
[   23.884797][   T83]  kfree_skbmem+0xef/0x1b0
[   23.889189][   T83]  kfree_skb+0x102/0x3d0
[   23.893410][   T83]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[   23.899063][   T83]  hif_usb_regout_cb+0x115/0x1c0
[   23.903979][   T83]  __usb_hcd_giveback_urb+0x29a/0x550
[   23.909326][   T83]  usb_hcd_giveback_urb+0x368/0x420
[   23.914509][   T83]  dummy_timer+0x125e/0x32b4
[   23.919086][   T83]  call_timer_fn+0x1ac/0x700
[   23.923653][   T83]  run_timer_softirq+0x5f9/0x1500
[   23.928766][   T83]  __do_softirq+0x21e/0x9aa
[   23.933248][   T83]
[   23.935555][   T83] The buggy address belongs to the object at ffff8881d3280000
[   23.935555][   T83]  which belongs to the cache skbuff_head_cache of size 224
[   23.950102][   T83] The buggy address is located 212 bytes inside of
[   23.950102][   T83]  224-byte region [ffff8881d3280000, ffff8881d32800e0)
[   23.963342][   T83] The buggy address belongs to the page:
[   23.968953][   T83] page:ffffea00074ca000 refcount:1 mapcount:0 mapping:0000000089124c2a index:0x0
[   23.978036][   T83] flags: 0x200000000000200(slab)
[   23.982951][   T83] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[   23.991538][   T83] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[   24.000102][   T83] page dumped because: kasan: bad access detected
[   24.006507][   T83]
[   24.008810][   T83] Memory state around the buggy address:
[   24.014426][   T83]  ffff8881d327ff80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   24.022481][   T83]  ffff8881d3280000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.030518][   T83] >ffff8881d3280080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   24.038567][   T83]                                                  ^
[   24.045217][   T83]  ffff8881d3280100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   24.053275][   T83]  ffff8881d3280180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.061305][   T83] ==================================================================
[   24.069354][   T83] Disabling lock debugging due to kernel taint
[   24.075555][   T83] Kernel panic - not syncing: panic_on_warn set ...
[   24.082145][   T83] CPU: 1 PID: 83 Comm: kworker/1:2 Tainted: G B 5.7.0-rc6-syzkaller #0
[   24.091758][   T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.101815][   T83] Workqueue: events request_firmware_work_func
[   24.107951][   T83] Call Trace:
[   24.111222][   T83]  dump_stack+0xef/0x16e
[   24.115438][   T83]  panic+0x2aa/0x6e1
[   24.119305][   T83]  ? add_taint.cold+0x16/0x16
[   24.123951][   T83]  ? retint_kernel+0x10/0x10
[   24.128517][   T83]  ? kfree_skb+0x32/0x3d0
[   24.132819][   T83]  ? trace_hardirqs_on+0x55/0x200
[   24.137830][   T83]  ? kfree_skb+0x32/0x3d0
[   24.142149][   T83]  end_report+0x4d/0x53
[   24.146276][   T83]  __kasan_report.cold+0x72/0x7d
[   24.151184][   T83]  ? kfree_skb+0x32/0x3d0
[   24.155484][   T83]  ? kfree_skb+0x32/0x3d0
[   24.159793][   T83]  kasan_report+0x33/0x50
[   24.164099][   T83]  check_memory_region+0x173/0x1d0
[   24.169189][   T83]  kfree_skb+0x32/0x3d0
[   24.173318][   T83]  htc_connect_service.cold+0xa9/0x109
[   24.178763][   T83]  ath9k_wmi_connect+0xd2/0x1a0
[   24.183585][   T83]  ? ath9k_fatal_work+0x20/0x20
[   24.188428][   T83]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[   24.194498][   T83]  ? ath9k_wmi_event_tasklet+0x440/0x440
[   24.200110][   T83]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   24.206513][   T83]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[   24.211771][   T83]  ? lockdep_init_map_waits+0x26a/0x7c0
[   24.217287][   T83]  ? __raw_spin_lock_init+0x34/0x100
[   24.222551][   T83]  ? tasklet_init+0x69/0x110
[   24.227119][   T83]  ath9k_htc_probe_device+0x25a/0x1da0
[   24.232557][   T83]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[   24.239204][   T83]  ? usb_submit_urb+0x6ed/0x1460
[   24.244113][   T83]  ? usb_free_urb.part.0+0x52/0x110
[   24.249282][   T83]  ? usb_free_urb+0x1b/0x30
[   24.253757][   T83]  ath9k_htc_hw_init+0x31/0x60
[   24.258495][   T83]  ath9k_hif_usb_firmware_cb+0x274/0x510
[   24.264101][   T83]  ? ath9k_hif_usb_resume+0x320/0x320
[   24.269450][   T83]  request_firmware_work_func+0x126/0x242
[   24.275154][   T83]  ? request_firmware_into_buf+0x90/0x90
[   24.280762][   T83]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   24.286286][   T83]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   24.291545][   T83]  ? _raw_spin_unlock_irq+0x1f/0x30
[   24.296725][   T83]  process_one_work+0x965/0x1630
[   24.301649][   T83]  ? lock_release+0x720/0x720
[   24.306297][   T83]  ? pwq_dec_nr_in_flight+0x310/0x310
[   24.311642][   T83]  ? rwlock_bug.part.0+0x90/0x90
[   24.316551][   T83]  worker_thread+0x96/0xe20
[   24.321028][   T83]  ? process_one_work+0x1630/0x1630
[   24.326199][   T83]  kthread+0x326/0x430
[   24.330241][   T83]  ? kthread_create_on_node+0xf0/0xf0
[   24.335586][   T83]  ret_from_fork+0x24/0x30
[   24.340575][   T83] Kernel Offset: disabled
[   24.344883][   T83] Rebooting in 86400 seconds..