[ OK ] Reached target Login Prompts.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ 12.644407][ C1] random: crng init done
[ 12.648823][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.35' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 20.163658][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 20.533166][ T83] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 20.542445][ T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 20.550561][ T83] usb 1-1: Product: syz
[ 20.554790][ T83] usb 1-1: Manufacturer: syz
[ 20.559367][ T83] usb 1-1: SerialNumber: syz
[ 20.603946][ T83] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 21.212249][ T83] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 21.613896][ T95] usb 1-1: USB disconnect, device number 2
[ 22.510581][ T83] usb 1-1: Service connection timeout for: 256
[ 22.516870][ T83] ==================================================================
[ 22.524988][ T83] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 22.531643][ T83] Read of size 4 at addr ffff8881d0957994 by task kworker/1:2/83
[ 22.539339][ T83]
[ 22.541660][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.6.0-rc5-syzkaller #0
[ 22.550004][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 22.560055][ T83] Workqueue: events request_firmware_work_func
[ 22.566198][ T83] Call Trace:
[ 22.569497][ T83] dump_stack+0xef/0x16e
[ 22.573811][ T83] ? kfree_skb+0x32/0x3d0
[ 22.578119][ T83] ? kfree_skb+0x32/0x3d0
[ 22.582431][ T83] print_address_description.constprop.0.cold+0xd3/0x314
[ 22.589449][ T83] ? kfree_skb+0x32/0x3d0
[ 22.593760][ T83] ? kfree_skb+0x32/0x3d0
[ 22.598072][ T83] __kasan_report.cold+0x37/0x77
[ 22.603005][ T83] ? kfree_skb+0x32/0x3d0
[ 22.607327][ T83] kasan_report+0xe/0x20
[ 22.611550][ T83] check_memory_region+0x152/0x1c0
[ 22.616751][ T83] kfree_skb+0x32/0x3d0
[ 22.621135][ T83] htc_connect_service.cold+0xa9/0x109
[ 22.626606][ T83] ath9k_wmi_connect+0xd2/0x1a0
[ 22.631725][ T83] ? ath9k_fatal_work+0x20/0x20
[ 22.636572][ T83] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 22.642620][ T83] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 22.648258][ T83] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 22.654679][ T83] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 22.667930][ T83] ? lockdep_init_map+0x1b0/0x5e0
[ 22.672936][ T83] ? lockdep_init_map+0x1b0/0x5e0
[ 22.677956][ T83] ? tasklet_init+0x69/0x110
[ 22.682555][ T83] ath9k_htc_probe_device+0x25a/0x1d80
[ 22.688120][ T83] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 22.694790][ T83] ? usb_submit_urb+0x6ed/0x1460
[ 22.699713][ T83] ? usb_free_urb.part.0+0x52/0x110
[ 22.704900][ T83] ? usb_free_urb+0x1b/0x30
[ 22.709389][ T83] ath9k_htc_hw_init+0x31/0x60
[ 22.714138][ T83] ath9k_hif_usb_firmware_cb+0x26b/0x500
[ 22.719756][ T83] ? ath9k_hif_usb_resume+0x320/0x320
[ 22.725110][ T83] request_firmware_work_func+0x126/0x242
[ 22.730815][ T83] ? request_firmware_into_buf+0x90/0x90
[ 22.736431][ T83] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 22.741955][ T83] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 22.747246][ T83] process_one_work+0x94b/0x1620
[ 22.752274][ T83] ? pwq_dec_nr_in_flight+0x310/0x310
[ 22.757648][ T83] ? do_raw_spin_lock+0x129/0x290
[ 22.762658][ T83] worker_thread+0x96/0xe20
[ 22.767145][ T83] ? process_one_work+0x1620/0x1620
[ 22.772322][ T83] kthread+0x318/0x420
[ 22.776370][ T83] ? kthread_create_on_node+0xf0/0xf0
[ 22.781732][ T83] ret_from_fork+0x24/0x30
[ 22.786131][ T83]
[ 22.788466][ T83] Allocated by task 83:
[ 22.792602][ T83] save_stack+0x1b/0x80
[ 22.796754][ T83] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 22.802362][ T83] kmem_cache_alloc_node+0xdc/0x330
[ 22.807539][ T83] __alloc_skb+0xba/0x5a0
[ 22.811849][ T83] htc_connect_service+0x2cc/0x840
[ 22.817034][ T83] ath9k_wmi_connect+0xd2/0x1a0
[ 22.822397][ T83] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 22.828812][ T83] ath9k_htc_probe_device+0x25a/0x1d80
[ 22.834274][ T83] ath9k_htc_hw_init+0x31/0x60
[ 22.839109][ T83] ath9k_hif_usb_firmware_cb+0x26b/0x500
[ 22.844825][ T83] request_firmware_work_func+0x126/0x242
[ 22.850682][ T83] process_one_work+0x94b/0x1620
[ 22.855750][ T83] worker_thread+0x96/0xe20
[ 22.860248][ T83] kthread+0x318/0x420
[ 22.864423][ T83] ret_from_fork+0x24/0x30
[ 22.868818][ T83]
[ 22.871137][ T83] Freed by task 0:
[ 22.874873][ T83] save_stack+0x1b/0x80
[ 22.879638][ T83] __kasan_slab_free+0x117/0x160
[ 22.884664][ T83] kmem_cache_free+0x9b/0x360
[ 22.889350][ T83] kfree_skbmem+0xef/0x1b0
[ 22.893768][ T83] kfree_skb+0x102/0x3d0
[ 22.898000][ T83] ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 22.903622][ T83] hif_usb_regout_cb+0x10b/0x1b0
[ 22.911681][ T83] __usb_hcd_giveback_urb+0x29a/0x550
[ 22.917045][ T83] usb_hcd_giveback_urb+0x368/0x420
[ 22.922325][ T83] dummy_timer+0x1258/0x32ae
[ 22.926908][ T83] call_timer_fn+0x195/0x6f0
[ 22.931488][ T83] run_timer_softirq+0x5f9/0x1500
[ 22.936622][ T83] __do_softirq+0x21e/0x950
[ 22.941134][ T83]
[ 22.943464][ T83] The buggy address belongs to the object at ffff8881d09578c0
[ 22.943464][ T83] which belongs to the cache skbuff_head_cache of size 224
[ 22.958978][ T83] The buggy address is located 212 bytes inside of
[ 22.958978][ T83] 224-byte region [ffff8881d09578c0, ffff8881d09579a0)
[ 22.972226][ T83] The buggy address belongs to the page:
[ 22.977848][ T83] page:ffffea00074255c0 refcount:1 mapcount:0 mapping:ffff8881da16b400 index:0x0
[ 22.986948][ T83] flags: 0x200000000000200(slab)
[ 22.992020][ T83] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da16b400
[ 23.000587][ T83] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 23.009162][ T83] page dumped because: kasan: bad access detected
[ 23.015556][ T83]
[ 23.017869][ T83] Memory state around the buggy address:
[ 23.024448][ T83] ffff8881d0957880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 23.032501][ T83] ffff8881d0957900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.040558][ T83] >ffff8881d0957980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.048607][ T83] ^
[ 23.053185][ T83] ffff8881d0957a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.061284][ T83] ffff8881d0957a80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 23.069367][ T83] ==================================================================
[ 23.077407][ T83] Disabling lock debugging due to kernel taint
[ 23.083803][ T83] Kernel panic - not syncing: panic_on_warn set ...
[ 23.090543][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Tainted: G B 5.6.0-rc5-syzkaller #0
[ 23.100684][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.110834][ T83] Workqueue: events request_firmware_work_func
[ 23.117080][ T83] Call Trace:
[ 23.120430][ T83] dump_stack+0xef/0x16e
[ 23.124752][ T83] panic+0x2aa/0x6e1
[ 23.128643][ T83] ? add_taint.cold+0x16/0x16
[ 23.133302][ T83] ? kfree_skb+0x32/0x3d0
[ 23.137832][ T83] ? trace_hardirqs_on+0x55/0x200
[ 23.142967][ T83] ? kfree_skb+0x32/0x3d0
[ 23.147281][ T83] end_report+0x43/0x49
[ 23.151421][ T83] ? kfree_skb+0x32/0x3d0
[ 23.155747][ T83] __kasan_report.cold+0x55/0x77
[ 23.160666][ T83] ? kfree_skb+0x32/0x3d0
[ 23.165076][ T83] kasan_report+0xe/0x20
[ 23.169300][ T83] check_memory_region+0x152/0x1c0
[ 23.174388][ T83] kfree_skb+0x32/0x3d0
[ 23.178538][ T83] htc_connect_service.cold+0xa9/0x109
[ 23.184519][ T83] ath9k_wmi_connect+0xd2/0x1a0
[ 23.189344][ T83] ? ath9k_fatal_work+0x20/0x20
[ 23.194169][ T83] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 23.200216][ T83] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 23.205825][ T83] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 23.212227][ T83] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 23.217607][ T83] ? lockdep_init_map+0x1b0/0x5e0
[ 23.222634][ T83] ? lockdep_init_map+0x1b0/0x5e0
[ 23.227646][ T83] ? tasklet_init+0x69/0x110
[ 23.232219][ T83] ath9k_htc_probe_device+0x25a/0x1d80
[ 23.237656][ T83] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 23.244310][ T83] ? usb_submit_urb+0x6ed/0x1460
[ 23.249239][ T83] ? usb_free_urb.part.0+0x52/0x110
[ 23.254413][ T83] ? usb_free_urb+0x1b/0x30
[ 23.258915][ T83] ath9k_htc_hw_init+0x31/0x60
[ 23.263671][ T83] ath9k_hif_usb_firmware_cb+0x26b/0x500
[ 23.269313][ T83] ? ath9k_hif_usb_resume+0x320/0x320
[ 23.274690][ T83] request_firmware_work_func+0x126/0x242
[ 23.280480][ T83] ? request_firmware_into_buf+0x90/0x90
[ 23.286098][ T83] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 23.291632][ T83] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 23.296931][ T83] process_one_work+0x94b/0x1620
[ 23.301859][ T83] ? pwq_dec_nr_in_flight+0x310/0x310
[ 23.307210][ T83] ? do_raw_spin_lock+0x129/0x290
[ 23.312227][ T83] worker_thread+0x96/0xe20
[ 23.316708][ T83] ? process_one_work+0x1620/0x1620
[ 23.321913][ T83] kthread+0x318/0x420
[ 23.325971][ T83] ? kthread_create_on_node+0xf0/0xf0
[ 23.331328][ T83] ret_from_fork+0x24/0x30
[ 23.336423][ T83] Kernel Offset: disabled
[ 23.340775][ T83] Rebooting in 86400 seconds..