[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
Debian GNU/Linux 9 syzkaller ttyS0
syzkaller login: [ 17.650028][ C0] random: crng init done
[ 17.651738][ C0] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.0.60' (ECDSA) to the list of known hosts.
executing program
[ 18.079475][ T21] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 18.289343][ T21] usb 1-1: config 1 has an invalid descriptor of length 9, skipping remainder of the config
[ 18.299881][ T21] usb 1-1: config 1 interface 0 altsetting 0 has 3 endpoint descriptors, different from the interface descriptor's value: 6
[ 18.469191][ T21] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 18.478416][ T21] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 18.486857][ T21] usb 1-1: Product: syz
[ 18.491099][ T21] usb 1-1: Manufacturer: syz
[ 18.495962][ T21] usb 1-1: SerialNumber: syz
[ 18.540110][ T21] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 19.108646][ T21] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 19.318455][ C1] ==================================================================
[ 19.326771][ C1] BUG: KASAN: slab-out-of-bounds in ath9k_htc_rx_msg+0xa25/0xaf0
[ 19.334489][ C1] Write of size 2 at addr ffff8881cecbb510 by task swapper/1/0
[ 19.342033][ C1]
[ 19.344364][ C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc7-syzkaller #0
[ 19.352281][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 19.362329][ C1] Call Trace:
[ 19.365594][ C1]
[ 19.368427][ C1] dump_stack+0xef/0x16e
[ 19.372651][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 19.377729][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 19.382758][ C1] print_address_description.constprop.0.cold+0xd3/0x314
[ 19.389766][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 19.394778][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 19.399779][ C1] __kasan_report.cold+0x37/0x77
[ 19.404702][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 19.409702][ C1] kasan_report+0xe/0x20
[ 19.413936][ C1] ath9k_htc_rx_msg+0xa25/0xaf0
[ 19.418771][ C1] ath9k_hif_usb_reg_in_cb+0x1ba/0x630
[ 19.424210][ C1] ? _raw_read_unlock+0x1a/0x30
[ 19.429042][ C1] ? led_trigger_blink_oneshot+0xb4/0xe0
[ 19.434652][ C1] __usb_hcd_giveback_urb+0x1f2/0x470
[ 19.439999][ C1] usb_hcd_giveback_urb+0x368/0x420
[ 19.445174][ C1] dummy_timer+0x1258/0x32ae
[ 19.449741][ C1] ? dummy_udc_probe+0x930/0x930
[ 19.454654][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 19.460174][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 19.465431][ C1] call_timer_fn+0x195/0x6f0
[ 19.470008][ C1] ? dummy_udc_probe+0x930/0x930
[ 19.474921][ C1] ? msleep_interruptible+0x130/0x130
[ 19.480265][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 19.485798][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 19.491125][ C1] ? _raw_spin_unlock_irq+0x1f/0x30
[ 19.496305][ C1] ? dummy_udc_probe+0x930/0x930
[ 19.501222][ C1] run_timer_softirq+0x5f9/0x1500
[ 19.506252][ C1] ? add_timer+0x7a0/0x7a0
[ 19.510561][ T94] usb 1-1: USB disconnect, device number 2
[ 19.510669][ C1] ?