Warning: Permanently added '10.128.0.63' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   57.961954][ T4818] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   58.481947][ T4818] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[   58.491233][ T4818] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   58.499278][ T4818] usb 1-1: Product: syz
[   58.503498][ T4818] usb 1-1: Manufacturer: syz
[   58.508074][ T4818] usb 1-1: SerialNumber: syz
[   58.553568][ T4818] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[   59.171908][ T4818] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[   60.261623][ T4818] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[   60.269151][ T4818] ath9k_htc: Failed to initialize the device
[   60.275643][    C0] ==================================================================
[   60.275711][    C0] BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_cb+0xdd8/0x1050
[   60.275755][    C0] Read of size 4 at addr ffff88802b08c178 by task kworker/0:3/4818
[   60.275773][    C0] 
[   60.275778][    C0] CPU: 0 PID: 4818 Comm: kworker/0:3 Not tainted 5.13.0-rc6-syzkaller #0
[   60.275798][    C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   60.275812][    C0] Workqueue: events request_firmware_work_func
[   60.275841][    C0] Call Trace:
[   60.275847][    C0] 
[   60.275855][    C0]  dump_stack+0x141/0x1d7
[   60.275883][    C0]  ? ath9k_hif_usb_rx_cb+0xdd8/0x1050
[   60.275904][    C0]  print_address_description.constprop.0.cold+0x5b/0x2f8
[   60.275932][    C0]  ? ath9k_hif_usb_rx_cb+0xdd8/0x1050
[   60.275951][    C0]  ? ath9k_hif_usb_rx_cb+0xdd8/0x1050
[   60.275971][    C0]  kasan_report.cold+0x7c/0xd8
[   60.275996][    C0]  ? ath9k_hif_usb_rx_cb+0xdd8/0x1050
[   60.276020][    C0]  ath9k_hif_usb_rx_cb+0xdd8/0x1050
[   60.276053][    C0]  ? hif_usb_start+0xa0/0xa0
[   60.276072][    C0]  ? __usb_hcd_giveback_urb+0x413/0x5c0
[   60.276107][    C0]  ? lock_downgrade+0x6e0/0x6e0
[   60.276147][    C0]  __usb_hcd_giveback_urb+0x2b0/0x5c0
[   60.276177][    C0]  usb_hcd_giveback_urb+0x367/0x410
[   60.276204][    C0]  dummy_timer+0x11f4/0x32a0
[   60.276261][    C0]  ? lock_chain_count+0x20/0x20
[   60.276289][    C0]  ? dummy_dequeue+0x500/0x500
[   60.276324][    C0]  ? dummy_dequeue+0x500/0x500
[   60.276350][    C0]  call_timer_fn+0x1a5/0x6b0
[   60.276372][    C0]  ? add_timer_on+0x4a0/0x4a0
[   60.276401][    C0]  ? _raw_spin_unlock_irq+0x1f/0x40
[   60.276425][    C0]  ? dummy_dequeue+0x500/0x500
[   60.276454][    C0]  __run_timers.part.0+0x67c/0xa50
[   60.276487][    C0]  ? call_timer_fn+0x6b0/0x6b0
[   60.276511][    C0]  ? lapic_next_event+0x4d/0x80
[   60.276546][    C0]  run_timer_softirq+0xb3/0x1d0
[   60.276571][    C0]  __do_softirq+0x29b/0x9f6
[   60.276601][    C0]  __irq_exit_rcu+0x136/0x200
[   60.276625][    C0]  irq_exit_rcu+0x5/0x20
[   60.276647][    C0]  sysvec_apic_timer_interrupt+0x93/0xc0
[   60.276675][    C0] 
[   60.276683][    C0]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[   60.276708][    C0] RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x60
[   60.276738][    C0] Code: f0 4d 89 03 e9 f2 fc ff ff b9 ff ff ff ff ba 08 00 00 00 4d 8b 03 48 0f bd ca 49 8b 45 00 48 63 c9 e9 64 ff ff ff 0f 1f 40 00 <65> 8b 05 c9 13 8d 7e 89 c1 48 8b 34 24 81 e1 00 01 00 00 65 48 8b
[   60.276759][    C0] RSP: 0018:ffffc9000ad87948 EFLAGS: 00000293
[   60.276778][    C0] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   60.276793][    C0] RDX: ffff888028ef3880 RSI: ffffffff815cb063 RDI: 0000000000000003
[   60.276808][    C0] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff902278a7
[   60.276822][    C0] R10: ffffffff815cb059 R11: 0000000000000000 R12: ffffffff84bbe4a0
[   60.276837][    C0] R13: 0000000000000200 R14: dffffc0000000000 R15: ffffc9000ad879a8
[   60.276854][    C0]  ? loopback_xmit+0x630/0x630
[   60.276880][    C0]  ? console_unlock+0x7b9/0xc40
[   60.276910][    C0]  ? console_unlock+0x7c3/0xc40
[   60.276940][    C0]  ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[   60.276968][    C0]  console_unlock+0x7c9/0xc40
[   60.276993][    C0]  ? devkmsg_read+0x7d0/0x7d0
[   60.277016][    C0]  ? lock_release+0x720/0x720
[   60.277045][    C0]  ? vprintk+0x8d/0x260
[   60.277062][    C0]  ? vprintk+0x8d/0x260
[   60.277087][    C0]  vprintk_emit+0x1ca/0x560
[   60.277115][    C0]  vprintk+0x8d/0x260
[   60.277136][    C0]  printk+0xba/0xed
[   60.277157][    C0]  ? record_print_text.cold+0x16/0x16
[   60.277179][    C0]  ? usb_submit_urb+0x6ec/0x1540
[   60.277210][    C0]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   60.277238][    C0]  ? usb_free_urb+0x5c/0x110
[   60.277263][    C0]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   60.277292][    C0]  ? ath9k_htc_hw_init.cold+0x5/0x1c
[   60.277324][    C0]  ath9k_htc_hw_init.cold+0x17/0x1c
[   60.277354][    C0]  ath9k_hif_usb_firmware_cb+0x274/0x530
[   60.277382][    C0]  ? ath9k_hif_usb_alloc_urbs+0x1010/0x1010
[   60.277405][    C0]  request_firmware_work_func+0x12c/0x230
[   60.277434][    C0]  ? request_partial_firmware_into_buf+0xa0/0xa0
[   60.277472][    C0]  process_one_work+0x98d/0x1600
[   60.277506][    C0]  ? pwq_dec_nr_in_flight+0x320/0x320
[   60.277537][    C0]  ? rwlock_bug.part.0+0x90/0x90
[   60.277556][    C0]  ? _raw_spin_lock_irq+0x41/0x50
[   60.277583][    C0]  worker_thread+0x64c/0x1120
[   60.277617][    C0]  ? __kthread_parkme+0x13f/0x1e0
[   60.277640][    C0]  ? process_one_work+0x1600/0x1600
[   60.277667][    C0]  kthread+0x3b1/0x4a0
[   60.277687][    C0]  ? __kthread_bind_mask+0xc0/0xc0
[   60.277712][    C0]  ret_from_fork+0x1f/0x30
[   60.277751][    C0] 
[   60.277756][    C0] Allocated by task 4850:
[   60.277766][    C0]  kasan_save_stack+0x1b/0x40
[   60.277791][    C0]  __kasan_kmalloc+0x9b/0xd0
[   60.277815][    C0]  kernfs_iop_get_link+0x61/0x6e0
[   60.277841][    C0]  vfs_readlink+0x1d7/0x390
[   60.277865][    C0]  do_readlinkat+0x27e/0x2f0
[   60.277887][    C0]  __x64_sys_readlinkat+0x93/0xf0
[   60.277905][    C0]  do_syscall_64+0x3a/0xb0
[   60.277927][    C0]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   60.277949][    C0] 
[   60.277953][    C0] Freed by task 4850:
[   60.277962][    C0]  kasan_save_stack+0x1b/0x40
[   60.277986][    C0]  kasan_set_track+0x1c/0x30
[   60.278010][    C0]  kasan_set_free_info+0x20/0x30
[   60.278030][    C0]  __kasan_slab_free+0xfb/0x130
[   60.278048][    C0]  slab_free_freelist_hook+0xdf/0x240
[   60.278072][    C0]  kfree+0xe5/0x7f0
[   60.278100][    C0]  vfs_readlink+0x142/0x390
[   60.278123][    C0]  do_readlinkat+0x27e/0x2f0
[   60.278147][    C0]  __x64_sys_readlinkat+0x93/0xf0
[   60.278166][    C0]  do_syscall_64+0x3a/0xb0
[   60.278187][    C0]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   60.278209][    C0] 
[   60.278213][    C0] The buggy address belongs to the object at ffff88802b08c000
[   60.278213][    C0]  which belongs to the cache kmalloc-4k of size 4096
[   60.278230][    C0] The buggy address is located 376 bytes inside of
[   60.278230][    C0]  4096-byte region [ffff88802b08c000, ffff88802b08d000)
[   60.278251][    C0] The buggy address belongs to the page:
[   60.278259][    C0] page:ffffea0000ac2200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b088
[   60.278282][    C0] head:ffffea0000ac2200 order:3 compound_mapcount:0 compound_pincount:0
[   60.278299][    C0] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[   60.278332][    C0] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888011042140
[   60.278351][    C0] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[   60.278363][    C0] page dumped because: kasan: bad access detected
[   60.278373][    C0] page_owner tracks the page as allocated
[   60.278379][    C0] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 8418, ts 60273903950, free_ts 60269133508
[   60.278412][    C0]  get_page_from_freelist+0x1033/0x2b60
[   60.278436][    C0]  __alloc_pages+0x1b2/0x500
[   60.278456][    C0]  alloc_pages+0x18c/0x2a0
[   60.278474][    C0]  allocate_slab+0x2c5/0x4c0
[   60.278497][    C0]  ___slab_alloc+0x4a1/0x810
[   60.278519][    C0]  __slab_alloc.constprop.0+0xa7/0xf0
[   60.278542][    C0]  kmem_cache_alloc_trace+0x2a3/0x2c0
[   60.278565][    C0]  tomoyo_init_log+0x18a/0x1ee0
[   60.278587][    C0]  tomoyo_supervisor+0x34d/0xf00
[   60.278611][    C0]  tomoyo_path_number_perm+0x419/0x590
[   60.278631][    C0]  security_file_ioctl+0x50/0xb0
[   60.278656][    C0]  __x64_sys_ioctl+0xb3/0x200
[   60.278674][    C0]  do_syscall_64+0x3a/0xb0
[   60.278695][    C0]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   60.278717][    C0] page last free stack trace:
[   60.278723][    C0]  __free_pages_ok+0x476/0xce0
[   60.278743][    C0]  device_release+0x9f/0x240
[   60.278766][    C0]  kobject_put+0x1c8/0x540
[   60.278791][    C0]  put_device+0x1b/0x30
[   60.278812][    C0]  ath9k_htc_probe_device+0x1c7/0x1e50
[   60.278835][    C0]  ath9k_htc_hw_init+0x31/0x60
[   60.278853][    C0]  ath9k_hif_usb_firmware_cb+0x274/0x530
[   60.278874][    C0]  request_firmware_work_func+0x12c/0x230
[   60.278899][    C0]  process_one_work+0x98d/0x1600
[   60.278922][    C0]  worker_thread+0x64c/0x1120
[   60.278944][    C0]  kthread+0x3b1/0x4a0
[   60.278962][    C0]  ret_from_fork+0x1f/0x30
[   60.278983][    C0] 
[   60.278987][    C0] Memory state around the buggy address:
[   60.278997][    C0]  ffff88802b08c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.279012][    C0]  ffff88802b08c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.279027][    C0] >ffff88802b08c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.279039][    C0]                                                                 ^
[   60.279051][    C0]  ffff88802b08c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.279066][    C0]  ffff88802b08c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.279083][    C0] ==================================================================
[   60.279091][    C0] Disabling lock debugging due to kernel taint
[   60.279099][    C0] Kernel panic - not syncing: panic_on_warn set ...
[   60.279108][    C0] CPU: 0 PID: 4818 Comm: kworker/0:3 Tainted: G    B             5.13.0-rc6-syzkaller #0
[   60.279129][    C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   60.279141][    C0] Workqueue: events request_firmware_work_func
[   60.279165][    C0] Call Trace:
[   60.279170][    C0] 
[   60.279176][    C0]  dump_stack+0x141/0x1d7
[   60.279197][    C0]  panic+0x306/0x73d
[   60.279217][    C0]  ? __warn_printk+0xf3/0xf3
[   60.279241][    C0]  ? ath9k_hif_usb_rx_cb+0xdd8/0x1050
[   60.279260][    C0]  ? ath9k_hif_usb_rx_cb+0xdd8/0x1050
[   60.279278][    C0]  end_report.cold+0x5a/0x5a
[   60.279298][    C0]  kasan_report.cold+0x6a/0xd8
[   60.279319][    C0]  ? ath9k_hif_usb_rx_cb+0xdd8/0x1050
[   60.279338][    C0]  ath9k_hif_usb_rx_cb+0xdd8/0x1050
[   60.279360][    C0]  ? hif_usb_start+0xa0/0xa0
[   60.279377][    C0]  ? __usb_hcd_giveback_urb+0x413/0x5c0
[   60.279399][    C0]  ? lock_downgrade+0x6e0/0x6e0
[   60.279426][    C0]  __usb_hcd_giveback_urb+0x2b0/0x5c0
[   60.279451][    C0]  usb_hcd_giveback_urb+0x367/0x410
[   60.279475][    C0]  dummy_timer+0x11f4/0x32a0
[   60.279502][    C0]  ? lock_chain_count+0x20/0x20
[   60.279523][    C0]  ? dummy_dequeue+0x500/0x500
[   60.279545][    C0]  ? dummy_dequeue+0x500/0x500
[   60.279566][    C0]  call_timer_fn+0x1a5/0x6b0
[   60.279584][    C0]  ? add_timer_on+0x4a0/0x4a0
[   60.279604][    C0]  ? _raw_spin_unlock_irq+0x1f/0x40
[   60.279620][    C0]  ? dummy_dequeue+0x500/0x500
[   60.279644][    C0]  __run_timers.part.0+0x67c/0xa50
[   60.279664][    C0]  ? call_timer_fn+0x6b0/0x6b0
[   60.279682][    C0]  ? lapic_next_event+0x4d/0x80
[   60.279704][    C0]  run_timer_softirq+0xb3/0x1d0
[   60.279725][    C0]  __do_softirq+0x29b/0x9f6
[   60.279748][    C0]  __irq_exit_rcu+0x136/0x200
[   60.279769][    C0]  irq_exit_rcu+0x5/0x20
[   60.279789][    C0]  sysvec_apic_timer_interrupt+0x93/0xc0
[   60.279815][    C0] 
[   60.279821][    C0]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[   60.279844][    C0] RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x60
[   60.279871][    C0] Code: f0 4d 89 03 e9 f2 fc ff ff b9 ff ff ff ff ba 08 00 00 00 4d 8b 03 48 0f bd ca 49 8b 45 00 48 63 c9 e9 64 ff ff ff 0f 1f 40 00 <65> 8b 05 c9 13 8d 7e 89 c1 48 8b 34 24 81 e1 00 01 00 00 65 48 8b
[   60.279890][    C0] RSP: 0018:ffffc9000ad87948 EFLAGS: 00000293
[   60.279907][    C0] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   60.279919][    C0] RDX: ffff888028ef3880 RSI: ffffffff815cb063 RDI: 0000000000000003
[   60.279933][    C0] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff902278a7
[   60.279945][    C0] R10: ffffffff815cb059 R11: 0000000000000000 R12: ffffffff84bbe4a0
[   60.279959][    C0] R13: 0000000000000200 R14: dffffc0000000000 R15: ffffc9000ad879a8
[   60.279973][    C0]  ? loopback_xmit+0x630/0x630
[   60.279995][    C0]  ? console_unlock+0x7b9/0xc40
[   60.280020][    C0]  ? console_unlock+0x7c3/0xc40
[   60.280044][    C0]  ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[   60.280070][    C0]  console_unlock+0x7c9/0xc40
[   60.280101][    C0]  ? devkmsg_read+0x7d0/0x7d0
[   60.280125][    C0]  ? lock_release+0x720/0x720
[   60.280151][    C0]  ? vprintk+0x8d/0x260
[   60.280168][    C0]  ? vprintk+0x8d/0x260
[   60.280186][    C0]  vprintk_emit+0x1ca/0x560
[   60.280211][    C0]  vprintk+0x8d/0x260
[   60.280228][    C0]  printk+0xba/0xed
[   60.280245][    C0]  ? record_print_text.cold+0x16/0x16
[   60.280265][    C0]  ? usb_submit_urb+0x6ec/0x1540
[   60.280291][    C0]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   60.280318][    C0]  ? usb_free_urb+0x5c/0x110
[   60.280341][    C0]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   60.280367][    C0]  ? ath9k_htc_hw_init.cold+0x5/0x1c
[   60.280393][    C0]  ath9k_htc_hw_init.cold+0x17/0x1c
[   60.280419][    C0]  ath9k_hif_usb_firmware_cb+0x274/0x530
[   60.280441][    C0]  ? ath9k_hif_usb_alloc_urbs+0x1010/0x1010
[   60.280462][    C0]  request_firmware_work_func+0x12c/0x230
[   60.280488][    C0]  ? request_partial_firmware_into_buf+0xa0/0xa0
[   60.280517][    C0]  process_one_work+0x98d/0x1600
[   60.280542][    C0]  ? pwq_dec_nr_in_flight+0x320/0x320
[   60.280566][    C0]  ? rwlock_bug.part.0+0x90/0x90
[   60.280583][    C0]  ? _raw_spin_lock_irq+0x41/0x50
[   60.280604][    C0]  worker_thread+0x64c/0x1120
[   60.280629][    C0]  ? __kthread_parkme+0x13f/0x1e0
[   60.280649][    C0]  ? process_one_work+0x1600/0x1600
[   60.280672][    C0]  kthread+0x3b1/0x4a0
[   60.280691][    C0]  ? __kthread_bind_mask+0xc0/0xc0
[   60.280712][    C0]  ret_from_fork+0x1f/0x30
[   60.286409][    C0] Kernel Offset: disabled
[   61.582413][    C0] Rebooting in 86400 seconds..