[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
syzkaller login: [ 16.301719][ C1] random: crng init done
[ 16.306107][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.0.230' (ECDSA) to the list of known hosts.
executing program
[ 23.343197][ T270] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 23.862767][ T270] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 23.871913][ T270] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 23.879960][ T270] usb 1-1: Product: syz
[ 23.884196][ T270] usb 1-1: Manufacturer: syz
[ 23.889432][ T270] usb 1-1: SerialNumber: syz
[ 23.933650][ T270] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 24.572155][ T270] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 24.973817][ T5] usb 1-1: USB disconnect, device number 2
[ 25.871006][ T270] usb 1-1: Service connection timeout for: 256
[ 25.877382][ T270] ==================================================================
[ 25.885795][ T270] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 25.892648][ T270] Read of size 4 at addr ffff8881cfd6ed54 by task kworker/0:3/270
[ 25.900496][ T270]
[ 25.902826][ T270] CPU: 0 PID: 270 Comm: kworker/0:3 Not tainted 5.7.0-rc6-syzkaller #0
[ 25.911065][ T270] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.921109][ T270] Workqueue: events request_firmware_work_func
[ 25.927247][ T270] Call Trace:
[ 25.930531][ T270] dump_stack+0xef/0x16e
[ 25.934754][ T270] print_address_description.constprop.0.cold+0xd3/0x415
[ 25.941770][ T270] ? vprintk_func+0x7d/0x113
[ 25.946396][ T270] ? kfree_skb+0x32/0x3d0
[ 25.950722][ T270] __kasan_report.cold+0x37/0x7d
[ 25.955748][ T270] ? kfree_skb+0x32/0x3d0
[ 25.960094][ T270] ? kfree_skb+0x32/0x3d0
[ 25.964497][ T270] kasan_report+0x33/0x50
[ 25.968807][ T270] check_memory_region+0x173/0x1d0
[ 25.974007][ T270] kfree_skb+0x32/0x3d0
[ 25.978336][ T270] htc_connect_service.cold+0xa9/0x109
[ 25.983918][ T270] ath9k_wmi_connect+0xd2/0x1a0
[ 25.988768][ T270] ? ath9k_fatal_work+0x20/0x20
[ 25.993621][ T270] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 25.999699][ T270] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 26.005339][ T270] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 26.011767][ T270] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 26.018170][ T270] ? lockdep_init_map_waits+0x26a/0x7c0
[ 26.023712][ T270] ? __raw_spin_lock_init+0x34/0x100
[ 26.028984][ T270] ? tasklet_init+0x69/0x110
[ 26.033559][ T270] ath9k_htc_probe_device+0x25a/0x1da0
[ 26.039040][ T270] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 26.045699][ T270] ? usb_submit_urb+0x6ed/0x1460
[ 26.050631][ T270] ? usb_free_urb.part.0+0x52/0x110
[ 26.055802][ T270] ? usb_free_urb+0x1b/0x30
[ 26.060472][ T270] ath9k_htc_hw_init+0x31/0x60
[ 26.065237][ T270] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 26.071319][ T270] ? ath9k_hif_usb_resume+0x320/0x320
[ 26.076675][ T270] request_firmware_work_func+0x126/0x242
[ 26.082384][ T270] ? request_firmware_into_buf+0x90/0x90
[ 26.087996][ T270] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.093518][ T270] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 26.098779][ T270] ? _raw_spin_unlock_irq+0x1f/0x30
[ 26.104088][ T270] process_one_work+0x965/0x1630
[ 26.109055][ T270] ? lock_release+0x720/0x720
[ 26.113726][ T270] ? pwq_dec_nr_in_flight+0x310/0x310
[ 26.119112][ T270] ? rwlock_bug.part.0+0x90/0x90
[ 26.124041][ T270] worker_thread+0x96/0xe20
[ 26.128557][ T270] ? process_one_work+0x1630/0x1630
[ 26.133753][ T270] kthread+0x326/0x430
[ 26.137812][ T270] ? kthread_create_on_node+0xf0/0xf0
[ 26.143201][ T270] ret_from_fork+0x24/0x30
[ 26.147593][ T270]
[ 26.149900][ T270] Allocated by task 270:
[ 26.154215][ T270] save_stack+0x1b/0x40
[ 26.158368][ T270] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 26.163980][ T270] kmem_cache_alloc_node+0xdc/0x330
[ 26.169166][ T270] __alloc_skb+0xba/0x5a0
[ 26.173561][ T270] htc_connect_service+0x2cc/0x840
[ 26.178665][ T270] ath9k_wmi_connect+0xd2/0x1a0
[ 26.183503][ T270] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 26.189902][ T270] ath9k_htc_probe_device+0x25a/0x1da0
[ 26.195345][ T270] ath9k_htc_hw_init+0x31/0x60
[ 26.200106][ T270] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 26.205730][ T270] request_firmware_work_func+0x126/0x242
[ 26.211520][ T270] process_one_work+0x965/0x1630
[ 26.216444][ T270] worker_thread+0x96/0xe20
[ 26.220927][ T270] kthread+0x326/0x430
[ 26.225000][ T270] ret_from_fork+0x24/0x30
[ 26.229390][ T270]
[ 26.231697][ T270] Freed by task 0:
[ 26.235435][ T270] save_stack+0x1b/0x40
[ 26.239575][ T270] __kasan_slab_free+0x117/0x160
[ 26.244914][ T270] kmem_cache_free+0x9b/0x360
[ 26.249604][ T270] kfree_skbmem+0xef/0x1b0
[ 26.254006][ T270] kfree_skb+0x102/0x3d0
[ 26.258249][ T270] ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 26.263892][ T270] hif_usb_regout_cb+0x115/0x1c0
[ 26.268826][ T270] __usb_hcd_giveback_urb+0x29a/0x550
[ 26.274249][ T270] usb_hcd_giveback_urb+0x368/0x420
[ 26.279457][ T270] dummy_timer+0x125e/0x32b4
[ 26.284047][ T270] call_timer_fn+0x1ac/0x700
[ 26.288632][ T270] run_timer_softirq+0x5f9/0x1500
[ 26.293660][ T270] __do_softirq+0x21e/0x9aa
[ 26.298838][ T270]
[ 26.301157][ T270] The buggy address belongs to the object at ffff8881cfd6ec80
[ 26.301157][ T270] which belongs to the cache skbuff_head_cache of size 224
[ 26.315740][ T270] The buggy address is located 212 bytes inside of
[ 26.315740][ T270] 224-byte region [ffff8881cfd6ec80, ffff8881cfd6ed60)
[ 26.328994][ T270] The buggy address belongs to the page:
[ 26.334635][ T270] page:ffffea00073f5b80 refcount:1 mapcount:0 mapping:000000008d41388b index:0x0
[ 26.343732][ T270] flags: 0x200000000000200(slab)
[ 26.348680][ T270] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 26.357437][ T270] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 26.366068][ T270] page dumped because: kasan: bad access detected
[ 26.372609][ T270]
[ 26.374927][ T270] Memory state around the buggy address:
[ 26.380560][ T270] ffff8881cfd6ec00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.388604][ T270] ffff8881cfd6ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.396717][ T270] >ffff8881cfd6ed00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 26.404781][ T270] ^
[ 26.411454][ T270] ffff8881cfd6ed80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 26.419784][ T270] ffff8881cfd6ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.427981][ T270] ==================================================================
[ 26.436048][ T270] Disabling lock debugging due to kernel taint
[ 26.442377][ T270] Kernel panic - not syncing: panic_on_warn set ...
[ 26.448978][ T270] CPU: 0 PID: 270 Comm: kworker/0:3 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 26.458750][ T270] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.468832][ T270] Workqueue: events request_firmware_work_func
[ 26.475782][ T270] Call Trace:
[ 26.479097][ T270] dump_stack+0xef/0x16e
[ 26.483376][ T270] panic+0x2aa/0x6e1
[ 26.487259][ T270] ? add_taint.cold+0x16/0x16
[ 26.492212][ T270] ? retint_kernel+0x10/0x10
[ 26.497525][ T270] ? kfree_skb+0x32/0x3d0
[ 26.501851][ T270] ? trace_hardirqs_on+0x55/0x200
[ 26.506894][ T270] ? kfree_skb+0x32/0x3d0
[ 26.511219][ T270] end_report+0x4d/0x53
[ 26.515448][ T270] __kasan_report.cold+0x72/0x7d
[ 26.520378][ T270] ? kfree_skb+0x32/0x3d0
[ 26.524809][ T270] ? kfree_skb+0x32/0x3d0
[ 26.530163][ T270] kasan_report+0x33/0x50
[ 26.534591][ T270] check_memory_region+0x173/0x1d0
[ 26.539840][ T270] kfree_skb+0x32/0x3d0
[ 26.543994][ T270] htc_connect_service.cold+0xa9/0x109
[ 26.549457][ T270] ath9k_wmi_connect+0xd2/0x1a0
[ 26.554310][ T270] ? ath9k_fatal_work+0x20/0x20
[ 26.559161][ T270] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 26.565222][ T270] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 26.570837][ T270] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 26.577238][ T270] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 26.582516][ T270] ? lockdep_init_map_waits+0x26a/0x7c0
[ 26.588049][ T270] ? __raw_spin_lock_init+0x34/0x100
[ 26.593346][ T270] ? tasklet_init+0x69/0x110
[ 26.598788][ T270] ath9k_htc_probe_device+0x25a/0x1da0
[ 26.604252][ T270] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 26.611076][ T270] ? usb_submit_urb+0x6ed/0x1460
[ 26.616035][ T270] ? usb_free_urb.part.0+0x52/0x110
[ 26.621230][ T270] ? usb_free_urb+0x1b/0x30
[ 26.625738][ T270] ath9k_htc_hw_init+0x31/0x60
[ 26.630486][ T270] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 26.636117][ T270] ? ath9k_hif_usb_resume+0x320/0x320
[ 26.641645][ T270] request_firmware_work_func+0x126/0x242
[ 26.647343][ T270] ? request_firmware_into_buf+0x90/0x90
[ 26.653085][ T270] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.658619][ T270] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 26.663903][ T270] ? _raw_spin_unlock_irq+0x1f/0x30
[ 26.669080][ T270] process_one_work+0x965/0x1630
[ 26.674068][ T270] ? lock_release+0x720/0x720
[ 26.678736][ T270] ? pwq_dec_nr_in_flight+0x310/0x310
[ 26.684098][ T270] ? rwlock_bug.part.0+0x90/0x90
[ 26.689031][ T270] worker_thread+0x96/0xe20
[ 26.693509][ T270] ? process_one_work+0x1630/0x1630
[ 26.698704][ T270] kthread+0x326/0x430
[ 26.702769][ T270] ? kthread_create_on_node+0xf0/0xf0
[ 26.708134][ T270] ret_from_fork+0x24/0x30
[ 26.713256][ T270] Kernel Offset: disabled
[ 26.717662][ T270] Rebooting in 86400 seconds..