[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

syzkaller login: [ 13.439059][ C0] random: crng init done
[ 13.439838][ C0] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.15.231' (ECDSA) to the list of known hosts.
executing program
[ 46.081278][ T22] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 46.621228][ T22] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 46.630450][ T22] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 46.638482][ T22] usb 1-1: Product: syz
[ 46.642687][ T22] usb 1-1: Manufacturer: syz
[ 46.647261][ T22] usb 1-1: SerialNumber: syz
[ 46.692144][ T22] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 47.371055][ T22] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 47.571177][ T333] udc-core: couldn't find an available UDC or it's busy
[ 47.578185][ T333] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 48.420822][ T22] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[ 48.427872][ T22] ath9k_htc: Failed to initialize the device
executing program
[ 48.589324][ T73] usb 1-1: USB disconnect, device number 2
[ 48.603575][ T73] usb 1-1: ath9k_htc: USB layer deinitialized
[ 48.970699][ T73] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 49.500658][ T73] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 49.509858][ T73] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 49.518015][ T73] usb 1-1: Product: syz
[ 49.522218][ T73] usb 1-1: Manufacturer: syz
[ 49.526793][ T73] usb 1-1: SerialNumber: syz
[ 49.573092][ T73] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 50.140580][ T73] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 50.340717][ T339] udc-core: couldn't find an available UDC or it's busy
[ 50.347676][ T339] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 51.220384][ T73] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[ 51.227329][ T73] ath9k_htc: Failed to initialize the device
executing program
[ 51.358063][ T22] usb 1-1: USB disconnect, device number 3
[ 51.369052][ T22] usb 1-1: ath9k_htc: USB layer deinitialized
[ 51.720273][ T22] usb 1-1: new high-speed USB device number 4 using dummy_hcd
[ 52.250277][ T22] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 52.259318][ T22] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 52.267348][ T22] usb 1-1: Product: syz
[ 52.271573][ T22] usb 1-1: Manufacturer: syz
[ 52.276147][ T22] usb 1-1: SerialNumber: syz
[ 52.332434][ T22] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 52.920165][ T22] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 53.120320][ T344] udc-core: couldn't find an available UDC or it's busy
[ 53.127278][ T344] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 53.939943][ T22] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[ 53.946929][ T22] ath9k_htc: Failed to initialize the device
[ 53.953133][ C1] ==================================================================
[ 53.953204][ C1] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0xd7d/0xf80
[ 53.953215][ C1] Read of size 4 at addr ffff8881cd1c4098 by task kworker/1:1/22
[ 53.953219][ C1]
[ 53.953232][ C1] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.8.0-syzkaller #0
[ 53.953239][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.953256][ C1] Workqueue: events request_firmware_work_func
[ 53.953263][ C1] Call Trace:
[ 53.953269][ C1]
[ 53.953283][ C1] dump_stack+0xf6/0x16e
[ 53.953295][ C1] ? ath9k_hif_usb_rx_cb+0xd7d/0xf80
[ 53.953307][ C1] ? ath9k_hif_usb_rx_cb+0xd7d/0xf80
[ 53.953324][ C1] print_address_description.constprop.0+0x1c/0x210
[ 53.953347][ C1] ? vprintk_func+0x93/0x133
[ 53.953359][ C1] ? ath9k_hif_usb_rx_cb+0xd7d/0xf80
[ 53.953371][ C1] ? ath9k_hif_usb_rx_cb+0xd7d/0xf80
[ 53.953383][ C1] kasan_report.cold+0x37/0x7c
[ 53.953397][ C1] ? ath9k_hif_usb_rx_cb+0xd7d/0xf80
[ 53.953419][ C1] ath9k_hif_usb_rx_cb+0xd7d/0xf80
[ 53.953436][ C1] ? __usb_hcd_giveback_urb+0x302/0x560
[ 53.953449][ C1] ? hif_usb_start+0xa0/0xa0
[ 53.953464][ C1] ? lock_downgrade+0x740/0x740
[ 53.953478][ C1] ? trace_hardirqs_off+0x27/0x1f0
[ 53.953492][ C1] __usb_hcd_giveback_urb+0x32d/0x560
[ 53.953506][ C1] usb_hcd_giveback_urb+0x367/0x410
[ 53.953519][ C1] dummy_timer+0x11f2/0x3240
[ 53.953534][ C1] ? lock_downgrade+0x740/0x740
[ 53.953547][ C1] ? dummy_dequeue+0x490/0x490
[ 53.953561][ C1] call_timer_fn+0x1ac/0x6e0
[ 53.953574][ C1] ? dummy_dequeue+0x490/0x490
[ 53.953586][ C1] ? timer_fixup_init+0x60/0x60
[ 53.953601][ C1] ? _raw_spin_unlock_irq+0x1f/0x30
[ 53.953613][ C1] ? lockdep_hardirqs_on_prepare+0x19c/0x4f0
[ 53.953625][ C1] ? trace_hardirqs_on+0x5f/0x200
[ 53.953638][ C1] ? dummy_dequeue+0x490/0x490
[ 53.953652][ C1] __run_timers.part.0+0x67c/0xa60
[ 53.953665][ C1] ? call_timer_fn+0x6e0/0x6e0
[ 53.953678][ C1] ? mark_lock+0xbc/0x1590
[ 53.953695][ C1] ? clockevents_program_event+0x12b/0x350
[ 53.953708][ C1] ? mark_held_locks+0x9f/0xe0
[ 53.953721][ C1] run_timer_softirq+0x80/0x120
[ 53.953737][ C1] __do_softirq+0x1af/0x91c
[ 53.953752][ C1] asm_call_on_stack+0xf/0x20
[ 53.953757][ C1]
[ 53.953773][ C1] do_softirq_own_stack+0x73/0x90
[ 53.953786][ C1] irq_exit_rcu+0x107/0x1a0
[ 53.953802][ C1] sysvec_apic_timer_interrupt+0x43/0x90
[ 53.953818][ C1] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 53.953833][ C1] RIP: 0010:console_unlock+0xa99/0xcd0
[ 53.953849][ C1] Code: 00 89 ee 48 c7 c7 60 07 35 87 e8 12 b9 03 00 65 ff 0d 1b 42 d8 7e e9 87 f9 ff ff e8 f1 53 16 00 e8 4c f1 1b 00 ff 74 24 30 9d 20 fe ff ff e8 dd 53 16 00 48 8d 7d 08 48 89 f8 48 c1 e8 03 42
[ 53.953858][ C1] RSP: 0018:ffff8881d982fa18 EFLAGS: 00000293
[ 53.953871][ C1] RAX: 0000000000005f15 RBX: 0000000000000200 RCX: 0000000000000006
[ 53.953881][ C1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8129acf4
[ 53.953890][ C1] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffff895c3627
[ 53.953900][ C1] R10: fffffbfff12b86c4 R11: 0000000000003254 R12: ffffffff82b36200
[ 53.953908][ C1] R13: ffffffff876f9890 R14: 0000000000000042 R15: dffffc0000000000
[ 53.953920][ C1] ? netconsole_netdev_event+0x2b0/0x2b0
[ 53.953929][ C1] ? console_unlock+0xa94/0xcd0
[ 53.953942][ C1] vprintk_emit+0x1b2/0x460
[ 53.953956][ C1] vprintk_func+0x8b/0x133
[ 53.953968][ C1] printk+0xba/0xed
[ 53.953981][ C1] ? log_store.cold+0x16/0x16
[ 53.953996][ C1] ? usb_submit_urb+0xb56/0x13e0
[ 53.954009][ C1] ? usb_free_urb+0x5c/0x110
[ 53.954024][ C1] ? ath9k_htc_hw_init.cold+0x5/0x2a
[ 53.954039][ C1] ? ath9k_htc_hw_init+0x3d/0x60
[ 53.954053][ C1] ath9k_htc_hw_init.cold+0x17/0x2a
[ 53.954070][ C1] ath9k_hif_usb_firmware_cb+0x274/0x530
[ 53.954086][ C1] ? ath9k_hif_usb_alloc_urbs+0x1010/0x1010
[ 53.954103][ C1] request_firmware_work_func+0x126/0x250
[ 53.954116][ C1] ? do_raw_spin_lock+0x120/0x260
[ 53.954132][ C1] ? request_firmware_into_buf+0x90/0x90
[ 53.954147][ C1] ? lockdep_hardirqs_on_prepare+0x322/0x4f0
[ 53.954162][ C1] process_one_work+0x94c/0x15f0
[ 53.954177][ C1] ? lock_release+0x7f0/0x7f0
[ 53.954190][ C1] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 53.954203][ C1] ? rwlock_bug.part.0+0x90/0x90
[ 53.954215][ C1] worker_thread+0x64c/0x1120
[ 53.954231][ C1] ? __kthread_parkme+0x118/0x1d0
[ 53.954244][ C1] ? process_one_work+0x15f0/0x15f0
[ 53.954257][ C1] kthread+0x392/0x470
[ 53.954273][ C1] ? kthread_create_worker_on_cpu+0xf0/0xf0
[ 53.954285][ C1] ? kthread_create_worker_on_cpu+0xf0/0xf0
[ 53.954297][ C1] ret_from_fork+0x1f/0x30
[ 53.954302][ C1]
[ 53.954331][ C1] general protection fault, probably for non-canonical address 0xdead000000000400: 0000 [#1] SMP KASAN
[ 53.954344][ C1] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.8.0-syzkaller #0
[ 53.954352][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.954364][ C1] Workqueue: events request_firmware_work_func
[ 53.954383][ C1] RIP: 0010:print_address_description.constprop.0+0x192/0x210
[ 53.954395][ C1] Code: 5b 5d 41 5c 41 5d 41 5e c3 4c 89 e6 48 2b 35 85 dc a3 05 48 89 e8 49 8b 5c 24 18 48 c1 fe 06 48 c1 e6 0c 48 03 35 7e dc a3 05 <8b> 4b 18 48 29 f0 48 99 48 89 cf 48 f7 f9 41 0f b7 44 24 2a 48 89
[ 53.954408][ C1] RSP: 0018:ffff8881db309820 EFLAGS: 00010086
[ 53.954418][ C1] RAX: ffff8881cd1c4098 RBX: dead000000000400 RCX: 0000000000000000
[ 53.954425][ C1] RDX: 0000000000000001 RSI: ffff8881cd1c4000 RDI: ffffed103b6612f6
[ 53.954433][ C1] RBP: ffff8881cd1c4098 R08: 0000000000000000 R09: ffff8881db31fe8b
[ 53.954441][ C1] R10: 0000000000000000 R11: 0000000000000001 R12: ffffea0007347100
[ 53.954449][ C1] R13: ffffffff82e4cc9d R14: ffffffff82e4cc9d R15: ffff8881cd1c3100
[ 53.954461][ C1] FS: 0000000000000000(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
[ 53.954472][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 53.954480][ C1] CR2: 00000000006d0090 CR3: 00000001c4565000 CR4: 00000000001506e0
[ 53.954487][ C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 53.954494][ C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 53.954497][ C1] Call Trace:
[ 53.954501][ C1]
[ 53.954514][ C1] ? vprintk_func+0x93/0x133
[ 53.954526][ C1] ? ath9k_hif_usb_rx_cb+0xd7d/0xf80
[ 53.954538][ C1] ? ath9k_hif_usb_rx_cb+0xd7d/0xf80
[ 53.954550][ C1] kasan_report.cold+0x37/0x7c
[ 53.954564][ C1] ? ath9k_hif_usb_rx_cb+0xd7d/0xf80
[ 53.954578][ C1] ath9k_hif_usb_rx_cb+0xd7d/0xf80
[ 53.954593][ C1] ? __usb_hcd_giveback_urb+0x302/0x560
[ 53.954605][ C1] ? hif_usb_start+0xa0/0xa0
[ 53.954618][ C1] ? lock_downgrade+0x740/0x740
[ 53.954629][ C1] ? trace_hardirqs_off+0x27/0x1f0
[ 53.954643][ C1] __usb_hcd_giveback_urb+0x32d/0x560
[ 53.954656][ C1] usb_hcd_giveback_urb+0x367/0x410
[ 53.954669][ C1] dummy_timer+0x11f2/0x3240
[ 53.954683][ C1] ? lock_downgrade+0x740/0x740
[ 53.954694][ C1] ? dummy_dequeue+0x490/0x490
[ 53.954707][ C1] call_timer_fn+0x1ac/0x6e0
[ 53.954719][ C1] ? dummy_dequeue+0x490/0x490
[ 53.954730][ C1] ? timer_fixup_init+0x60/0x60
[ 53.954741][ C1] ? _raw_spin_unlock_irq+0x1f/0x30
[ 53.954756][ C1] ? lockdep_hardirqs_on_prepare+0x19c/0x4f0
[ 53.954766][ C1] ? trace_hardirqs_on+0x5f/0x200
[ 53.954777][ C1] ? dummy_dequeue+0x490/0x490
[ 53.954789][ C1] __run_timers.part.0+0x67c/0xa60
[ 53.954802][ C1] ? call_timer_fn+0x6e0/0x6e0
[ 53.954813][ C1] ? mark_lock+0xbc/0x1590
[ 53.954827][ C1] ? clockevents_program_event+0x12b/0x350
[ 53.954839][ C1] ? mark_held_locks+0x9f/0xe0
[ 53.954852][ C1] run_timer_softirq+0x80/0x120
[ 53.954866][ C1] __do_softirq+0x1af/0x91c
[ 53.954880][ C1] asm_call_on_stack+0xf/0x20
[ 53.954885][ C1]
[ 53.954899][ C1] do_softirq_own_stack+0x73/0x90
[ 53.954908][ C1] irq_exit_rcu+0x107/0x1a0
[ 53.954921][ C1] sysvec_apic_timer_interrupt+0x43/0x90
[ 53.954932][ C1] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 53.954942][ C1] RIP: 0010:console_unlock+0xa99/0xcd0
[ 53.954955][ C1] Code: 00 89 ee 48 c7 c7 60 07 35 87 e8 12 b9 03 00 65 ff 0d 1b 42 d8 7e e9 87 f9 ff ff e8 f1 53 16 00 e8 4c f1 1b 00 ff 74 24 30 9d 20 fe ff ff e8 dd 53 16 00 48 8d 7d 08 48 89 f8 48 c1 e8 03 42
[ 53.954963][ C1] RSP: 0018:ffff8881d982fa18 EFLAGS: 00000293
[ 53.954972][ C1] RAX: 0000000000005f15 RBX: 0000000000000200 RCX: 0000000000000006
[ 53.954981][ C1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8129acf4
[ 53.954989][ C1] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffff895c3627
[ 53.954996][ C1] R10: fffffbfff12b86c4 R11: 0000000000003254 R12: ffffffff82b36200
[ 53.955004][ C1] R13: ffffffff876f9890 R14: 0000000000000042 R15: dffffc0000000000
[ 53.955015][ C1] ? netconsole_netdev_event+0x2b0/0x2b0
[ 53.955026][ C1] ? console_unlock+0xa94/0xcd0
[ 53.955036][ C1] vprintk_emit+0x1b2/0x460
[ 53.955054][ C1] vprintk_func+0x8b/0x133
[ 53.955065][ C1] printk+0xba/0xed
[ 53.955076][ C1] ? log_store.cold+0x16/0x16
[ 53.955090][ C1] ? usb_submit_urb+0xb56/0x13e0
[ 53.955101][ C1] ? usb_free_urb+0x5c/0x110
[ 53.955115][ C1] ? ath9k_htc_hw_init.cold+0x5/0x2a
[ 53.955128][ C1] ? ath9k_htc_hw_init+0x3d/0x60
[ 53.955142][ C1] ath9k_htc_hw_init.cold+0x17/0x2a
[ 53.955156][ C1] ath9k_hif_usb_firmware_cb+0x274/0x530
[ 53.955172][ C1] ? ath9k_hif_usb_alloc_urbs+0x1010/0x1010
[ 53.955186][ C1] request_firmware_work_func+0x126/0x250
[ 53.955198][ C1] ? do_raw_spin_lock+0x120/0x260
[ 53.955212][ C1] ? request_firmware_into_buf+0x90/0x90
[ 53.955226][ C1] ? lockdep_hardirqs_on_prepare+0x322/0x4f0
[ 53.955239][ C1] process_one_work+0x94c/0x15f0
[ 53.955251][ C1] ? lock_release+0x7f0/0x7f0
[ 53.955263][ C1] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 53.955281][ C1] ? rwlock_bug.part.0+0x90/0x90
[ 53.955293][ C1] worker_thread+0x64c/0x1120
[ 53.955307][ C1] ? __kthread_parkme+0x118/0x1d0
[ 53.955319][ C1] ? process_one_work+0x15f0/0x15f0
[ 53.955332][ C1] kthread+0x392/0x470
[ 53.955347][ C1] ? kthread_create_worker_on_cpu+0xf0/0xf0
[ 53.955362][ C1] ? kthread_create_worker_on_cpu+0xf0/0xf0
[ 53.955373][ C1] ret_from_fork+0x1f/0x30
[ 53.955377][ C1] Modules linked in:
[ 53.955394][ C1] ---[ end trace 5a5438cf382ba37c ]---
[ 53.955419][ C1] RIP: 0010:print_address_description.constprop.0+0x192/0x210
[ 53.955432][ C1] Code: 5b 5d 41 5c 41 5d 41 5e c3 4c 89 e6 48 2b 35 85 dc a3 05 48 89 e8 49 8b 5c 24 18 48 c1 fe 06 48 c1 e6 0c 48 03 35 7e dc a3 05 <8b> 4b 18 48 29 f0 48 99 48 89 cf 48 f7 f9 41 0f b7 44 24 2a 48 89
[ 53.955439][ C1] RSP: 0018:ffff8881db309820 EFLAGS: 00010086
[ 53.955449][ C1] RAX: ffff8881cd1c4098 RBX: dead000000000400 RCX: 0000000000000000
[ 53.955458][ C1] RDX: 0000000000000001 RSI: ffff8881cd1c4000 RDI: ffffed103b6612f6
[ 53.955467][ C1] RBP: ffff8881cd1c4098 R08: 0000000000000000 R09: ffff8881db31fe8b
[ 53.955474][ C1] R10: 0000000000000000 R11: 0000000000000001 R12: ffffea0007347100
[ 53.955483][ C1] R13: ffffffff82e4cc9d R14: ffffffff82e4cc9d R15: ffff8881cd1c3100
[ 53.955491][ C1] FS: 0000000000000000(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
[ 53.955508][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 53.955516][ C1] CR2: 00000000006d0090 CR3: 00000001c4565000 CR4: 00000000001506e0
[ 53.955524][ C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 53.955531][ C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 53.955538][ C1] Kernel panic - not syncing: Fatal exception in interrupt
[ 53.956169][ C1] Kernel Offset: disabled
[ 55.089428][ C1] Rebooting in 86400 seconds..
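Triage note and added example, not part of the syzkaller console log above. The report that matters is the first one: KASAN flags a 4-byte read of freed memory in ath9k_hif_usb_rx_cb, reached from the dummy_hcd timer through usb_hcd_giveback_urb in softirq context, while the interrupted task (kworker/1:1 running request_firmware_work_func -> ath9k_hif_usb_firmware_cb -> ath9k_htc_hw_init) was in printk reporting the third failed "Target is unresponsive" initialisation after three plug/replug cycles of the same idVendor=0cf3/idProduct=9271 device. Everything after that first call trace is collateral: print_address_description itself took a general protection fault on the non-canonical address 0xdead000000000400 (a kernel pointer-poison pattern), so the "Allocated by task" / "Freed by task" stacks that would normally identify the freed object were never printed, and the box panicked with "Fatal exception in interrupt". The Python below is a small parser written for this page (it is not syzkaller or syzbot code) that extracts the syzbot-style title, the access, the reliable frames and exactly those caveats from such a log. SAMPLE_LOG is a constructed excerpt of lines copied from the log above; the list of symbols treated as KASAN reporting machinery and the triage wording are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Console prefix "[ 53.953204][ C1] msg" (timestamp, then CPU "Cn" or task "Tn").
PREFIX_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\[\s*(?P<ctx>[CT]\d+)\]\s?(?P<msg>.*)$")
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
WORKQUEUE_RE = re.compile(r"Workqueue: (?P<wq>\S+) (?P<fn>\S+)")
FRAME_RE = re.compile(r"^(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SECONDARY_RE = re.compile(r"^(general protection fault|BUG: unable to handle|kernel BUG at|Oops)")
# Frames that belong to the sanitizer's own reporting path, not to the bug (example's own list).
REPORTING_FRAMES = ("dump_stack", "print_address_description", "kasan_report", "__kasan_report")


@dataclass
class KasanReport:
    kind: str                                   # e.g. "use-after-free"
    func: str                                   # "sym+0xoff/0xlen" from the BUG: line
    access: Optional[str] = None                # "Read" or "Write"
    size: Optional[int] = None
    addr: Optional[int] = None
    task: Optional[str] = None
    workqueue: Optional[str] = None
    frames: List[str] = field(default_factory=list)   # reliable frames, reporting machinery removed
    has_alloc_free_stacks: bool = False         # did "Allocated by"/"Freed by" ever get printed?
    secondary_fault: Optional[str] = None       # a second oops raised while printing the report
    panicked: bool = False


def strip_prefix(line: str) -> Optional[str]:
    """Return the message after the console prefix, or None for non-kernel lines."""
    m = PREFIX_RE.match(line.rstrip("\n"))
    return m.group("msg").strip() if m else None


def parse_kasan_report(text: str) -> Optional[KasanReport]:
    msgs = [m for m in (strip_prefix(l) for l in text.splitlines()) if m is not None]
    report, in_trace = None, False
    for msg in msgs:
        if report is None:                      # skip everything before the BUG: line
            m = BUG_RE.search(msg)
            if m:
                report = KasanReport(kind=m.group("kind"), func=m.group("func"))
            continue
        m = ACCESS_RE.search(msg)
        if m:
            report.access, report.size = m.group("rw"), int(m.group("size"))
            report.addr, report.task = int(m.group("addr"), 16), m.group("task")
            continue
        m = WORKQUEUE_RE.search(msg)
        if m:
            report.workqueue = f"{m.group('wq')} {m.group('fn')}"
            continue
        if msg == "Call Trace:":
            in_trace = report.secondary_fault is None   # ignore the trace of a later oops
            continue
        if msg.startswith(("Allocated by task", "Freed by task")):
            report.has_alloc_free_stacks, in_trace = True, False
            continue
        if SECONDARY_RE.match(msg):
            report.secondary_fault, in_trace = msg, False
            continue
        if msg.startswith("Kernel panic"):
            report.panicked, in_trace = True, False
            continue
        if in_trace:
            fm = FRAME_RE.match(msg)
            # Blank lines, RIP/Code/register dumps and "? sym" (stale stack slots) are not frames.
            if fm and not fm.group("unreliable") and not fm.group("sym").startswith(REPORTING_FRAMES):
                report.frames.append(fm.group("sym"))
    return report


def crash_title(report: KasanReport) -> str:
    """syzbot-style one-line title: 'KASAN: use-after-free Read in ath9k_hif_usb_rx_cb'."""
    access = f" {report.access}" if report.access else ""
    return f"KASAN: {report.kind}{access} in {report.func.split('+', 1)[0]}"


def triage_notes(report: KasanReport) -> List[str]:
    """Caveats a triager should record before trusting the report as complete."""
    notes = []
    if not report.has_alloc_free_stacks:
        notes.append("no 'Allocated by'/'Freed by' stacks: KASAN did not finish printing the report")
    if report.secondary_fault:
        notes.append("secondary fault while printing the report: " + report.secondary_fault)
    if report.panicked:
        notes.append("kernel panicked after the report")
    return notes


# Constructed excerpt: lines copied from the console log above, trimmed to what the parser reads.
SAMPLE_LOG = """\
[ 53.953133][ C1] ==================================================================
[ 53.953204][ C1] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0xd7d/0xf80
[ 53.953215][ C1] Read of size 4 at addr ffff8881cd1c4098 by task kworker/1:1/22
[ 53.953219][ C1]
[ 53.953256][ C1] Workqueue: events request_firmware_work_func
[ 53.953263][ C1] Call Trace:
[ 53.953283][ C1] dump_stack+0xf6/0x16e
[ 53.953324][ C1] print_address_description.constprop.0+0x1c/0x210
[ 53.953383][ C1] kasan_report.cold+0x37/0x7c
[ 53.953397][ C1] ? ath9k_hif_usb_rx_cb+0xd7d/0xf80
[ 53.953419][ C1] ath9k_hif_usb_rx_cb+0xd7d/0xf80
[ 53.953492][ C1] __usb_hcd_giveback_urb+0x32d/0x560
[ 53.953506][ C1] usb_hcd_giveback_urb+0x367/0x410
[ 53.953519][ C1] dummy_timer+0x11f2/0x3240
[ 53.954331][ C1] general protection fault, probably for non-canonical address 0xdead000000000400: 0000 [#1] SMP KASAN
[ 53.955538][ C1] Kernel panic - not syncing: Fatal exception in interrupt
"""

if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE_LOG)
    print(crash_title(rep))
    print("access :", rep.access, rep.size, "bytes at", hex(rep.addr), "by", rep.task)
    print("context:", rep.workqueue)
    print("path   :", " <- ".join(rep.frames))
    for note in triage_notes(rep):
        print("note   :", note)
```

Run it against the full console log rather than SAMPLE_LOG and the frames list grows to include the interrupted worker's path (vprintk_emit ... ath9k_htc_hw_init.cold, ath9k_hif_usb_firmware_cb, request_firmware_work_func), because the register dump in the middle of the trace is skipped but the frames after it are not; the second "Call Trace:" belonging to the general protection fault is deliberately ignored so its frames do not pollute the KASAN report's path.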