[ 12.665590][ C1] random: 7 urandom warning(s) missed due to ratelimiting
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.218' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 67.899093][ T17] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 68.419155][ T17] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 68.428271][ T17] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 68.436297][ T17] usb 1-1: Product: syz
[ 68.440546][ T17] usb 1-1: Manufacturer: syz
[ 68.445167][ T17] usb 1-1: SerialNumber: syz
[ 68.490188][ T17] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 69.109090][ T17] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 69.511247][ T83] usb 1-1: USB disconnect, device number 2
[ 70.388939][ T17] usb 1-1: Service connection timeout for: 256
[ 70.395248][ T17] ==================================================================
[ 70.403367][ T17] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 70.410015][ T17] Read of size 4 at addr ffff8881cfa210d4 by task kworker/1:0/17
[ 70.417958][ T17]
[ 70.420456][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.7.0-rc6-syzkaller #0
[ 70.428587][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.439590][ T17] Workqueue: events request_firmware_work_func
[ 70.445726][ T17] Call Trace:
[ 70.448992][ T17]  dump_stack+0xef/0x16e
[ 70.453227][ T17]  print_address_description.constprop.0.cold+0xd3/0x415
[ 70.460221][ T17]  ? vprintk_func+0x7d/0x113
[ 70.464869][ T17]  ? kfree_skb+0x32/0x3d0
[ 70.469171][ T17]  __kasan_report.cold+0x37/0x7d
[ 70.474081][ T17]  ? kfree_skb+0x32/0x3d0
[ 70.478383][ T17]  ? kfree_skb+0x32/0x3d0
[ 70.482686][ T17]  kasan_report+0x33/0x50
[ 70.487001][ T17]  check_memory_region+0x173/0x1d0
[ 70.492091][ T17]  kfree_skb+0x32/0x3d0
[ 70.496222][ T17]  htc_connect_service.cold+0xa9/0x109
[ 70.501652][ T17]  ath9k_wmi_connect+0xd2/0x1a0
[ 70.506477][ T17]  ? ath9k_fatal_work+0x20/0x20
[ 70.511323][ T17]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 70.517363][ T17]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 70.522975][ T17]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 70.529384][ T17]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 70.534686][ T17]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 70.540240][ T17]  ? __raw_spin_lock_init+0x34/0x100
[ 70.545500][ T17]  ? tasklet_init+0x69/0x110
[ 70.550098][ T17]  ath9k_htc_probe_device+0x25a/0x1da0
[ 70.555549][ T17]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 70.562211][ T17]  ? usb_submit_urb+0x6ed/0x1460
[ 70.567135][ T17]  ? usb_free_urb.part.0+0x52/0x110
[ 70.572322][ T17]  ? usb_free_urb+0x1b/0x30
[ 70.576815][ T17]  ath9k_htc_hw_init+0x31/0x60
[ 70.581561][ T17]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 70.587187][ T17]  ? ath9k_hif_usb_resume+0x320/0x320
[ 70.592547][ T17]  request_firmware_work_func+0x126/0x242
[ 70.598247][ T17]  ? request_firmware_into_buf+0x90/0x90
[ 70.604556][ T17]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 70.610238][ T17]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 70.615509][ T17]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 70.620691][ T17]  process_one_work+0x965/0x1630
[ 70.625621][ T17]  ? lock_release+0x720/0x720
[ 70.630296][ T17]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 70.635647][ T17]  ? rwlock_bug.part.0+0x90/0x90
[ 70.640566][ T17]  worker_thread+0x96/0xe20
[ 70.645049][ T17]  ? process_one_work+0x1630/0x1630
[ 70.650240][ T17]  kthread+0x326/0x430
[ 70.654293][ T17]  ? kthread_create_on_node+0xf0/0xf0
[ 70.659647][ T17]  ret_from_fork+0x24/0x30
[ 70.664126][ T17]
[ 70.666436][ T17] Allocated by task 17:
[ 70.670575][ T17]  save_stack+0x1b/0x40
[ 70.674711][ T17]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 70.680324][ T17]  kmem_cache_alloc_node+0xdc/0x330
[ 70.685524][ T17]  __alloc_skb+0xba/0x5a0
[ 70.689836][ T17]  htc_connect_service+0x2cc/0x840
[ 70.694936][ T17]  ath9k_wmi_connect+0xd2/0x1a0
[ 70.699784][ T17]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 70.706178][ T17]  ath9k_htc_probe_device+0x25a/0x1da0
[ 70.711705][ T17]  ath9k_htc_hw_init+0x31/0x60
[ 70.716475][ T17]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 70.722100][ T17]  request_firmware_work_func+0x126/0x242
[ 70.727865][ T17]  process_one_work+0x965/0x1630
[ 70.732786][ T17]  worker_thread+0x96/0xe20
[ 70.737280][ T17]  kthread+0x326/0x430
[ 70.741330][ T17]  ret_from_fork+0x24/0x30
[ 70.745717][ T17]
[ 70.748028][ T17] Freed by task 0:
[ 70.751754][ T17]  save_stack+0x1b/0x40
[ 70.755928][ T17]  __kasan_slab_free+0x117/0x160
[ 70.760856][ T17]  kmem_cache_free+0x9b/0x360
[ 70.765628][ T17]  kfree_skbmem+0xef/0x1b0
[ 70.770022][ T17]  kfree_skb+0x102/0x3d0
[ 70.774264][ T17]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 70.779881][ T17]  hif_usb_regout_cb+0x115/0x1c0
[ 70.784813][ T17]  __usb_hcd_giveback_urb+0x29a/0x550
[ 70.790162][ T17]  usb_hcd_giveback_urb+0x368/0x420
[ 70.795340][ T17]  dummy_timer+0x125e/0x32b4
[ 70.799910][ T17]  call_timer_fn+0x1ac/0x700
[ 70.804492][ T17]  run_timer_softirq+0x5f9/0x1500
[ 70.809496][ T17]  __do_softirq+0x21e/0x9aa
[ 70.813972][ T17]
[ 70.816328][ T17] The buggy address belongs to the object at ffff8881cfa21000
[ 70.816328][ T17]  which belongs to the cache skbuff_head_cache of size 224
[ 70.830884][ T17] The buggy address is located 212 bytes inside of
[ 70.830884][ T17]  224-byte region [ffff8881cfa21000, ffff8881cfa210e0)
[ 70.844652][ T17] The buggy address belongs to the page:
[ 70.850261][ T17] page:ffffea00073e8840 refcount:1 mapcount:0 mapping:000000005fb03043 index:0x0
[ 70.859338][ T17] flags: 0x200000000000200(slab)
[ 70.864267][ T17] raw: 0200000000000200 0000000000000000 0000000400000001 ffff8881da175400
[ 70.872854][ T17] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 70.881408][ T17] page dumped because: kasan: bad access detected
[ 70.887791][ T17]
[ 70.890093][ T17] Memory state around the buggy address:
[ 70.895786][ T17]  ffff8881cfa20f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 70.903829][ T17]  ffff8881cfa21000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.911877][ T17] >ffff8881cfa21080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 70.919924][ T17]                                                  ^
[ 70.926841][ T17]  ffff8881cfa21100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 70.934900][ T17]  ffff8881cfa21180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.942930][ T17] ==================================================================
[ 70.950971][ T17] Disabling lock debugging due to kernel taint
[ 70.957439][ T17] Kernel panic - not syncing: panic_on_warn set ...
[ 70.964036][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Tainted: G    B             5.7.0-rc6-syzkaller #0
[ 70.973564][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.983626][ T17] Workqueue: events request_firmware_work_func
[ 70.989821][ T17] Call Trace:
[ 70.993094][ T17]  dump_stack+0xef/0x16e
[ 70.997313][ T17]  panic+0x2aa/0x6e1
[ 71.001185][ T17]  ? add_taint.cold+0x16/0x16
[ 71.005848][ T17]  ? retint_kernel+0x10/0x10
[ 71.010413][ T17]  ? kfree_skb+0x32/0x3d0
[ 71.014729][ T17]  ? trace_hardirqs_on+0x55/0x200
[ 71.020593][ T17]  ? kfree_skb+0x32/0x3d0
[ 71.024898][ T17]  end_report+0x4d/0x53
[ 71.029039][ T17]  __kasan_report.cold+0x72/0x7d
[ 71.033945][ T17]  ? kfree_skb+0x32/0x3d0
[ 71.038255][ T17]  ? kfree_skb+0x32/0x3d0
[ 71.042553][ T17]  kasan_report+0x33/0x50
[ 71.046864][ T17]  check_memory_region+0x173/0x1d0
[ 71.051946][ T17]  kfree_skb+0x32/0x3d0
[ 71.056075][ T17]  htc_connect_service.cold+0xa9/0x109
[ 71.061511][ T17]  ath9k_wmi_connect+0xd2/0x1a0
[ 71.066332][ T17]  ? ath9k_fatal_work+0x20/0x20
[ 71.071177][ T17]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 71.077228][ T17]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 71.082848][ T17]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 71.089234][ T17]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 71.094578][ T17]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 71.100094][ T17]  ? __raw_spin_lock_init+0x34/0x100
[ 71.105351][ T17]  ? tasklet_init+0x69/0x110
[ 71.109912][ T17]  ath9k_htc_probe_device+0x25a/0x1da0
[ 71.115345][ T17]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 71.121996][ T17]  ? usb_submit_urb+0x6ed/0x1460
[ 71.127089][ T17]  ? usb_free_urb.part.0+0x52/0x110
[ 71.132256][ T17]  ? usb_free_urb+0x1b/0x30
[ 71.136732][ T17]  ath9k_htc_hw_init+0x31/0x60
[ 71.141482][ T17]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 71.147089][ T17]  ? ath9k_hif_usb_resume+0x320/0x320
[ 71.152435][ T17]  request_firmware_work_func+0x126/0x242
[ 71.158130][ T17]  ? request_firmware_into_buf+0x90/0x90
[ 71.163748][ T17]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 71.169294][ T17]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 71.174552][ T17]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 71.179735][ T17]  process_one_work+0x965/0x1630
[ 71.184645][ T17]  ? lock_release+0x720/0x720
[ 71.189293][ T17]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 71.194648][ T17]  ? rwlock_bug.part.0+0x90/0x90
[ 71.199556][ T17]  worker_thread+0x96/0xe20
[ 71.204077][ T17]  ? process_one_work+0x1630/0x1630
[ 71.209273][ T17]  kthread+0x326/0x430
[ 71.213322][ T17]  ? kthread_create_on_node+0xf0/0xf0
[ 71.218670][ T17]  ret_from_fork+0x24/0x30
[ 71.223664][ T17] Kernel Offset: disabled
[ 71.227984][ T17] Rebooting in 86400 seconds..
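What the report above records, read from its three traces: the sk_buff was allocated in htc_connect_service (Allocated by task 17), freed from the USB transmit-completion path (Freed by task 0: ath9k_htc_txcompletion_cb via hif_usb_regout_cb, driven by dummy_hcd's timer in softirq context, after the emulated device had already disconnected), and then handed to kfree_skb a second time from htc_connect_service once the "Service connection timeout" fired. The following is an added example, not code from ath9k, the kernel or syzkaller: a user-space model, with hypothetical names (msg, endpoint, issue_send, connect_service_buggy and connect_service_fixed), of that ownership hand-off. It places the error path that frees a buffer the transport already owns next to the shape that leaves it alone. The disconnect and the timeout are modelled by a device that never answers; by assumption the model's transport always completes a submitted request and frees its buffer, and leaves the buffer with the caller only when submission itself fails.

```c
/* Added example, not ath9k or kernel code: a user-space model of the bug the
 * report shows, where an async transport's completion callback frees a buffer
 * that the caller's timeout path then frees again. Names are hypothetical. */
#include <stdio.h>
#include <string.h>

enum status { ST_OK = 0, ST_TIMEDOUT = 1, ST_SEND_FAILED = 2 };
/* Stand-in for struct sk_buff, from a fixed pool so a stale pointer still
 * addresses valid storage whose 'freed' flag can be checked. */
struct msg { int freed; unsigned char data[32]; };
static struct msg pool[8];
static int next_free;
static int double_free_count;   /* bumped when a freed msg is freed again */

static struct msg *alloc_msg(void)
{
    if (next_free >= (int)(sizeof pool / sizeof pool[0]))
        return NULL;
    struct msg *m = &pool[next_free++];
    memset(m, 0, sizeof *m);
    return m;
}

/* Frees are recorded rather than performed, so the second free is observable
 * instead of undefined behaviour (the job KASAN did in the log above). */
static void free_msg(struct msg *m)
{
    if (m->freed) {   /* what kfree_skb hit above: the skb was already gone */
        double_free_count++;
        return;
    }
    m->freed = 1;
}

/* Endpoint model: the host controller always gives the URB back, so TX
 * completion fires and frees the buffer, but a disconnected device never
 * answers (the "Service connection timeout" in the log). */
struct endpoint {
    int device_answers;   /* 0 models the USB disconnect seen before the report */
    int submit_fails;     /* 1 models URB submission itself failing */
};

/* TX completion owns and frees the buffer, as ath9k_htc_txcompletion_cb ->
 * kfree_skb does in the "Freed by task 0" trace. */
static void tx_complete(struct msg *m) { free_msg(m); }
/* 0 on success, after which the buffer belongs to the transport; on failure
 * the buffer was never taken and the caller still owns it. */
static int issue_send(struct endpoint *ep, struct msg *m)
{
    if (ep->submit_fails) return -1;
    tx_complete(m);   /* asynchronous in reality; the ordering is the same */
    return 0;
}
static int wait_for_reply(struct endpoint *ep) { return ep->device_answers; }

/* Buggy shape: every error, including the timeout, falls through to a free. */
static enum status connect_service_buggy(struct endpoint *ep)
{
    enum status ret;
    struct msg *m = alloc_msg();
    if (!m) return ST_SEND_FAILED;
    if (issue_send(ep, m)) { ret = ST_SEND_FAILED; goto err; }
    if (!wait_for_reply(ep)) { ret = ST_TIMEDOUT; goto err; }   /* m already freed */
    return ST_OK;
err:
    free_msg(m);   /* right after a failed submit, a double free after a timeout */
    return ret;
}

/* Fixed shape: free only when the transport never took ownership. */
static enum status connect_service_fixed(struct endpoint *ep)
{
    struct msg *m = alloc_msg();
    if (!m) return ST_SEND_FAILED;
    if (issue_send(ep, m)) {
        free_msg(m);          /* still ours: submission failed */
        return ST_SEND_FAILED;
    }
    if (!wait_for_reply(ep))
        return ST_TIMEDOUT;   /* the transport owns m; never touch it again */
    return ST_OK;
}

/* One scenario from a clean pool. Low byte: status; next byte: double frees. */
static int run_scenario(enum status (*fn)(struct endpoint *), int device_answers, int submit_fails)
{
    struct endpoint ep = { device_answers, submit_fails };
    next_free = 0;
    double_free_count = 0;
    enum status st = fn(&ep);
    return (double_free_count << 8) | (int)st;
}

int main(void)
{
    printf("buggy, device gone: %#x\n", run_scenario(connect_service_buggy, 0, 0));
    printf("fixed, device gone: %#x\n", run_scenario(connect_service_fixed, 0, 0));
    return 0;
}
```

Compiled stand-alone it prints the two encoded results: the buggy path on a silent device yields 0x101 (status 1, one double free), the fixed path 0x1. Whether a given driver's send path frees on submission failure is a per-driver question this model does not settle; the check, before adding a free on any error path that runs after submission, is to read the transport's completion handler and establish who owns the buffer from that point on.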