[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

syzkaller login: [ 14.113074][ C1] random: crng init done
[ 14.117402][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.10.17' (ECDSA) to the list of known hosts.
executing program
[ 28.366344][ T123] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 28.885528][ T123] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 28.894655][ T123] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 28.902720][ T123] usb 1-1: Product: syz
[ 28.906955][ T123] usb 1-1: Manufacturer: syz
[ 28.911549][ T123] usb 1-1: SerialNumber: syz
[ 28.956251][ T123] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 29.615019][ T123] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 30.704265][ T123] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[ 30.711507][ T123] ath9k_htc: Failed to initialize the device
[ 30.854249][ C1] ==================================================================
[ 30.862487][ C1] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0xdb4/0x1050
[ 30.870315][ C1] Read of size 4 at addr ffff8881cd0f4090 by task swapper/1/0
[ 30.877755][ C1]
[ 30.880062][ C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.8.0-rc1-syzkaller #0
[ 30.887922][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.897951][ C1] Call Trace:
[ 30.901211][ C1]
[ 30.904058][ C1] dump_stack+0xf6/0x16e
[ 30.908299][ C1] ? ath9k_hif_usb_rx_cb+0xdb4/0x1050
[ 30.913674][ C1] ? ath9k_hif_usb_rx_cb+0xdb4/0x1050
[ 30.919033][ C1] print_address_description.constprop.0.cold+0xd3/0x415
[ 30.926056][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 30.931338][ C1] ? __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 30.937119][ C1] ? vprintk_func+0x93/0x133
[ 30.941702][ C1] ? ath9k_hif_usb_rx_cb+0xdb4/0x1050
[ 30.947077][ C1] kasan_report.cold+0x37/0x7c
[ 30.951999][ C1] ? ath9k_hif_usb_rx_cb+0xdb4/0x1050
[ 30.957569][ C1] ath9k_hif_usb_rx_cb+0xdb4/0x1050
[ 30.962757][ C1] ? hif_usb_mgmt_cb+0x310/0x310
[ 30.967677][ C1] ? do_raw_spin_lock+0x120/0x290
[ 30.972679][ C1] ? lock_downgrade+0x720/0x720
[ 30.977520][ C1] ? trace_hardirqs_off+0x27/0x1f0
[ 30.982625][ C1] __usb_hcd_giveback_urb+0x29a/0x550
[ 30.988036][ C1] usb_hcd_giveback_urb+0x368/0x420
[ 30.993219][ C1] dummy_timer+0x125e/0x32b4
[ 30.997806][ C1] ? dummy_udc_probe+0x980/0x980
[ 31.002735][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 31.008253][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 31.013527][ C1] call_timer_fn+0x1ac/0x6e0
[ 31.018093][ C1] ? dummy_udc_probe+0x980/0x980
[ 31.023009][ C1] ? msleep_interruptible+0x130/0x130
[ 31.028423][ C1] ? lock_downgrade+0x720/0x720
[ 31.033263][ C1] ? _raw_spin_unlock_irq+0x1f/0x30
[ 31.038467][ C1] ? lockdep_hardirqs_on_prepare+0x1bc/0x550
[ 31.044443][ C1] ? dummy_udc_probe+0x980/0x980
[ 31.049445][ C1] run_timer_softirq+0x5e5/0x14c0
[ 31.054454][ C1] ? add_timer+0x7b0/0x7b0
[ 31.058849][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 31.064434][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 31.069695][ C1] ? lockdep_hardirqs_on_prepare+0x1bc/0x550
[ 31.075652][ C1] __do_softirq+0x21e/0x996
[ 31.080199][ C1] asm_call_on_stack+0xf/0x20
[ 31.084852][ C1]
[ 31.087775][ C1] do_softirq_own_stack+0x109/0x140
[ 31.092970][ C1] irq_exit_rcu+0x16f/0x1a0
[ 31.097471][ C1] sysvec_apic_timer_interrupt+0xd3/0x1b0
[ 31.103199][ C1] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 31.109160][ C1] RIP: 0010:acpi_safe_halt+0x72/0x90
[ 31.114421][ C1] Code: 74 06 5b e9 d0 05 a6 fb e8 cb 05 a6 fb e8 d6 69 ab fb e9 0c 00 00 00 e8 bc 05 a6 fb 0f 00 2d 75 58 6b 00 e8 b0 05 a6 fb fb f4 e8 c8 67 ab fb 5b e9 a2 05 a6 fb 48 89 df e8 8a b4 cf fb eb ab
[ 31.134003][ C1] RSP: 0018:ffff8881da22fc60 EFLAGS: 00000293
[ 31.141971][ C1] RAX: ffff8881da213200 RBX: 0000000000000000 RCX: 1ffffffff0fd4d32
[ 31.149942][ C1] RDX: 0000000000000000 RSI: ffffffff85996970 RDI: ffff8881da213a38
[ 31.159061][ C1] RBP: ffff8881d8c92864 R08: 0000000000000000 R09: 0000000000000001
[ 31.167051][ C1] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881d8c92864
[ 31.175009][ C1] R13: 1ffff1103b445f96 R14: ffff8881d8c92865 R15: 0000000000000001
[ 31.182975][ C1] ? acpi_safe_halt+0x70/0x90
[ 31.187635][ C1] acpi_idle_do_entry+0xa9/0xe0
[ 31.192554][ C1] acpi_idle_enter+0x42b/0xac0
[ 31.197336][ C1] ? nr_iowait_cpu+0x47/0x90
[ 31.201908][ C1] ? acpi_idle_enter_s2idle+0x190/0x190
[ 31.210747][ C1] ? kvm_sched_clock_read+0x14/0x30
[ 31.215924][ C1] ? sched_clock+0x5/0x10
[ 31.220239][ C1] ? sched_clock_cpu+0x18/0x170
[ 31.225066][ C1] cpuidle_enter_state+0xdb/0xc20
[ 31.230082][ C1] ? lockdep_hardirqs_on_prepare+0x370/0x550
[ 31.236052][ C1] cpuidle_enter+0x4a/0xa0
[ 31.240444][ C1] do_idle+0x3c2/0x500
[ 31.244531][ C1] ? arch_cpu_idle_exit+0x40/0x40
[ 31.249617][ C1] ? lockdep_hardirqs_on_prepare+0x370/0x550
[ 31.255572][ C1] cpu_startup_entry+0x14/0x20
[ 31.260325][ C1] start_secondary+0x294/0x370
[ 31.265063][ C1] ? set_cpu_sibling_map+0x1e90/0x1e90
[ 31.270496][ C1] secondary_startup_64+0xb6/0xc0
[ 31.275504][ C1]
[ 31.277807][ C1] Allocated by task 116:
[ 31.282025][ C1] save_stack+0x1b/0x40
[ 31.286165][ C1] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 31.291794][ C1] uevent_show+0x15c/0x360
[ 31.296187][ C1] dev_attr_show+0x4b/0x90
[ 31.300595][ C1] sysfs_kf_seq_show+0x1f8/0x410
[ 31.305508][ C1] seq_read+0x432/0xfd0
[ 31.309636][ C1] kernfs_fop_read+0xe9/0x590
[ 31.314296][ C1] __vfs_read+0x76/0x100
[ 31.318514][ C1] vfs_read+0x1f0/0x420
[ 31.322653][ C1] ksys_read+0x12d/0x250
[ 31.326877][ C1] do_syscall_64+0x50/0x90
[ 31.331347][ C1] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 31.337358][ C1]
[ 31.339668][ C1] Freed by task 116:
[ 31.343558][ C1] save_stack+0x1b/0x40
[ 31.347951][ C1] __kasan_slab_free+0x117/0x160
[ 31.352860][ C1] kfree+0xd5/0x300
[ 31.356642][ C1] uevent_show+0x2b9/0x360
[ 31.361049][ C1] dev_attr_show+0x4b/0x90
[ 31.365666][ C1] sysfs_kf_seq_show+0x1f8/0x410
[ 31.374261][ C1] seq_read+0x432/0xfd0
[ 31.378392][ C1] kernfs_fop_read+0xe9/0x590
[ 31.383828][ C1] __vfs_read+0x76/0x100
[ 31.388684][ C1] vfs_read+0x1f0/0x420
[ 31.392926][ C1] ksys_read+0x12d/0x250
[ 31.397150][ C1] do_syscall_64+0x50/0x90
[ 31.401557][ C1] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 31.409123][ C1]
[ 31.411513][ C1] The buggy address belongs to the object at ffff8881cd0f4000
[ 31.411513][ C1] which belongs to the cache kmalloc-4k of size 4096
[ 31.428266][ C1] The buggy address is located 144 bytes inside of
[ 31.428266][ C1] 4096-byte region [ffff8881cd0f4000, ffff8881cd0f5000)
[ 31.446710][ C1] The buggy address belongs to the page:
[ 31.452330][ C1] page:ffffea0007343c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea0007343c00 order:3 compound_mapcount:0 compound_pincount:0
[ 31.467491][ C1] flags: 0x200000000010200(slab|head)
[ 31.472840][ C1] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c280
[ 31.482962][ C1] raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
[ 31.492479][ C1] page dumped because: kasan: bad access detected
[ 31.500183][ C1]
[ 31.502489][ C1] Memory state around the buggy address:
[ 31.508103][ C1] ffff8881cd0f3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.516154][ C1] ffff8881cd0f4000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.524189][ C1] >ffff8881cd0f4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.532225][ C1]                          ^
[ 31.536789][ C1] ffff8881cd0f4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.544843][ C1] ffff8881cd0f4180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.552874][ C1] ==================================================================
[ 31.560921][ C1] Disabling lock debugging due to kernel taint
[ 31.594971][ C1] Kernel panic - not syncing: panic_on_warn set ...
[ 31.601696][ C1] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G B 5.8.0-rc1-syzkaller #0
[ 31.610968][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.621019][ C1] Call Trace:
[ 31.624295][ C1]
[ 31.627142][ C1] dump_stack+0xf6/0x16e
[ 31.631380][ C1] ? ath9k_hif_usb_rx_cb+0xcd0/0x1050
[ 31.637012][ C1] panic+0x2aa/0x6e1
[ 31.640879][ C1] ? __warn_printk+0xf3/0xf3
[ 31.645443][ C1] ? _raw_spin_unlock_irqrestore+0x2a/0x40
[ 31.651235][ C1] ? trace_hardirqs_off+0x27/0x1f0
[ 31.668843][ C1] ? ath9k_hif_usb_rx_cb+0xdb4/0x1050
[ 31.674209][ C1] ? ath9k_hif_usb_rx_cb+0xdb4/0x1050
[ 31.679557][ C1] end_report+0x4d/0x53
[ 31.683684][ C1] kasan_report.cold+0x72/0x7c
[ 31.688423][ C1] ? ath9k_hif_usb_rx_cb+0xdb4/0x1050
[ 31.693783][ C1] ath9k_hif_usb_rx_cb+0xdb4/0x1050
[ 31.699121][ C1] ? hif_usb_mgmt_cb+0x310/0x310
[ 31.704048][ C1] ? do_raw_spin_lock+0x120/0x290
[ 31.709152][ C1] ? lock_downgrade+0x720/0x720
[ 31.713996][ C1] ? trace_hardirqs_off+0x27/0x1f0
[ 31.719078][ C1] __usb_hcd_giveback_urb+0x29a/0x550
[ 31.724425][ C1] usb_hcd_giveback_urb+0x368/0x420
[ 31.729599][ C1] dummy_timer+0x125e/0x32b4
[ 31.734187][ C1] ? dummy_udc_probe+0x980/0x980
[ 31.739101][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 31.744639][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 31.749899][ C1] call_timer_fn+0x1ac/0x6e0
[ 31.754466][ C1] ? dummy_udc_probe+0x980/0x980
[ 31.761550][ C1] ? msleep_interruptible+0x130/0x130
[ 31.766921][ C1] ? lock_downgrade+0x720/0x720
[ 31.771840][ C1] ? _raw_spin_unlock_irq+0x1f/0x30
[ 31.777044][ C1] ? lockdep_hardirqs_on_prepare+0x1bc/0x550
[ 31.783071][ C1] ? dummy_udc_probe+0x980/0x980
[ 31.788108][ C1] run_timer_softirq+0x5e5/0x14c0
[ 31.793292][ C1] ? add_timer+0x7b0/0x7b0
[ 31.797698][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 31.803250][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 31.808547][ C1] ? lockdep_hardirqs_on_prepare+0x1bc/0x550
[ 31.814511][ C1] __do_softirq+0x21e/0x996
[ 31.818992][ C1] asm_call_on_stack+0xf/0x20
[ 31.823639][ C1]
[ 31.826572][ C1] do_softirq_own_stack+0x109/0x140
[ 31.831761][ C1] irq_exit_rcu+0x16f/0x1a0
[ 31.836240][ C1] sysvec_apic_timer_interrupt+0xd3/0x1b0
[ 31.841934][ C1] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 31.852347][ C1] RIP: 0010:acpi_safe_halt+0x72/0x90
[ 31.857609][ C1] Code: 74 06 5b e9 d0 05 a6 fb e8 cb 05 a6 fb e8 d6 69 ab fb e9 0c 00 00 00 e8 bc 05 a6 fb 0f 00 2d 75 58 6b 00 e8 b0 05 a6 fb fb f4 e8 c8 67 ab fb 5b e9 a2 05 a6 fb 48 89 df e8 8a b4 cf fb eb ab
[ 31.893944][ C1] RSP: 0018:ffff8881da22fc60 EFLAGS: 00000293
[ 31.899999][ C1] RAX: ffff8881da213200 RBX: 0000000000000000 RCX: 1ffffffff0fd4d32
[ 31.907950][ C1] RDX: 0000000000000000 RSI: ffffffff85996970 RDI: ffff8881da213a38
[ 31.915897][ C1] RBP: ffff8881d8c92864 R08: 0000000000000000 R09: 0000000000000001
[ 31.923843][ C1] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881d8c92864
[ 31.931811][ C1] R13: 1ffff1103b445f96 R14: ffff8881d8c92865 R15: 0000000000000001
[ 31.939780][ C1] ? acpi_safe_halt+0x70/0x90
[ 31.944444][ C1] acpi_idle_do_entry+0xa9/0xe0
[ 31.949266][ C1] acpi_idle_enter+0x42b/0xac0
[ 31.954003][ C1] ? nr_iowait_cpu+0x47/0x90
[ 31.959085][ C1] ? acpi_idle_enter_s2idle+0x190/0x190
[ 31.964602][ C1] ? kvm_sched_clock_read+0x14/0x30
[ 31.969788][ C1] ? sched_clock+0x5/0x10
[ 31.974110][ C1] ? sched_clock_cpu+0x18/0x170
[ 31.978958][ C1] cpuidle_enter_state+0xdb/0xc20
[ 31.983974][ C1] ? lockdep_hardirqs_on_prepare+0x370/0x550
[ 31.990389][ C1] cpuidle_enter+0x4a/0xa0
[ 31.995125][ C1] do_idle+0x3c2/0x500
[ 31.999169][ C1] ? arch_cpu_idle_exit+0x40/0x40
[ 32.004166][ C1] ? lockdep_hardirqs_on_prepare+0x370/0x550
[ 32.010121][ C1] cpu_startup_entry+0x14/0x20
[ 32.014858][ C1] start_secondary+0x294/0x370
[ 32.020291][ C1] ? set_cpu_sibling_map+0x1e90/0x1e90
[ 32.025735][ C1] secondary_startup_64+0xb6/0xc0
[ 32.031356][ C1] Kernel Offset: disabled
[ 32.035669][ C1] Rebooting in 86400 seconds..