Warning: Permanently added '10.128.1.51' (ECDSA) to the list of known hosts.
executing program
[ 25.082155][ T95] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 25.451843][ T95] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 25.461323][ T95] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 25.469481][ T95] usb 1-1: Product: syz
[ 25.473704][ T95] usb 1-1: Manufacturer: syz
[ 25.478716][ T95] usb 1-1: SerialNumber: syz
[ 25.522541][ T95] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 26.121696][ T95] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 26.331077][ C0] ==================================================================
[ 26.339386][ C0] BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0
[ 26.346916][ C0] Write of size 2 at addr ffff8881d8dc5460 by task swapper/0/0
[ 26.354611][ C0]
[ 26.356929][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc7-syzkaller #0
[ 26.364800][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.374865][ C0] Call Trace:
[ 26.378138][ C0]
[ 26.381065][ C0] dump_stack+0xef/0x16e
[ 26.385309][ C0] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 26.390441][ C0] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 26.395498][ C0] print_address_description.constprop.0.cold+0xd3/0x314
[ 26.403066][ C0] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 26.408485][ C0] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 26.413621][ C0] __kasan_report.cold+0x37/0x77
[ 26.418667][ C0] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 26.423859][ C0] kasan_report+0xe/0x20
[ 26.428101][ C0] ath9k_htc_rx_msg+0xa25/0xaf0
[ 26.433183][ C0] ath9k_hif_usb_reg_in_cb+0x1ba/0x630
[ 26.438804][ C0] ? _raw_read_unlock+0x1a/0x30
[ 26.443859][ C0] ? led_trigger_blink_oneshot+0xb4/0xe0
[ 26.449487][ C0] __usb_hcd_giveback_urb+0x1f2/0x470
[ 26.455213][ C0] usb_hcd_giveback_urb+0x368/0x420
[ 26.460408][ C0] dummy_timer+0x1258/0x32ae
[ 26.465417][ C0] ? dummy_udc_probe+0x930/0x930
[ 26.470429][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.476171][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 26.481440][ C0] call_timer_fn+0x195/0x6f0
[ 26.486046][ C0] ? dummy_udc_probe+0x930/0x930
[ 26.491092][ C0] ? msleep_interruptible+0x130/0x130
[ 26.496928][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.502856][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 26.508548][ C0] ? _raw_spin_unlock_irq+0x1f/0x30
[ 26.513775][ C0] ? dummy_udc_probe+0x930/0x930
[ 26.518883][ C0] run_timer_softirq+0x5f9/0x1500
[ 26.523898][ C0] ? add_timer+0x7a0/0x7a0
[ 26.528307][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.533883][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 26.539243][ C0] __do_softirq+0x21e/0x950
[ 26.543735][ C0] irq_exit+0x178/0x1a0
[ 26.547882][ C0] smp_apic_timer_interrupt+0x141/0x540
[ 26.553462][ C0] apic_timer_interrupt+0xf/0x20
[ 26.558417][ C0]
[ 26.561410][ C0] RIP: 0010:default_idle+0x28/0x300
[ 26.566647][ C0] Code: cc cc 41 56 41 55 65 44 8b 2d 44 eb 71 7a 41 54 55 53 0f 1f 44 00 00 e8 f6 d7 b4 fb e9 07 00 00 00 0f 00 2d aa 7c 52 00 fb f4 <65> 44 8b 2d 20 eb 71 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
[ 26.586373][ C0] RSP: 0018:ffffffff87007da0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 26.594979][ C0] RAX: 0000000000000007 RBX: ffffffff8702c740 RCX: 0000000000000000
[ 26.603082][ C0] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8702cf8c
[ 26.611047][ C0] RBP: fffffbfff0e058e8 R08: ffffffff8702c740 R09: 0000000000000000
[ 26.619128][ C0] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 26.627329][ C0] R13: 0000000000000000 R14: ffffffff87e629c0 R15: 0000000000000000
[ 26.635401][ C0] do_idle+0x3e0/0x500
[ 26.639457][ C0] ? arch_cpu_idle_exit+0x40/0x40
[ 26.644467][ C0] ? schedule+0xe1/0x2b0
[ 26.648851][ C0] cpu_startup_entry+0x14/0x20
[ 26.653698][ C0] start_kernel+0x8a5/0x8df
[ 26.658328][ C0] ? mem_encrypt_init+0x5/0x5
[ 26.663011][ C0] ? x86_family+0x3d/0x50
[ 26.667675][ C0] ? load_ucode_bsp+0x23d/0x27d
[ 26.672632][ C0] secondary_startup_64+0xb6/0xc0
[ 26.677644][ C0]
[ 26.679963][ C0] Allocated by task 364:
[ 26.684323][ C0] save_stack+0x1b/0x80
[ 26.688512][ C0] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 26.694130][ C0] __kmalloc_node_track_caller+0xfc/0x3b0
[ 26.699931][ C0] __kmalloc_reserve.isra.0+0x39/0xe0
[ 26.705678][ C0] pskb_expand_head+0x148/0x1020
[ 26.710808][ C0] netlink_trim+0x1ea/0x240
[ 26.715590][ C0] netlink_broadcast_filtered+0x5f/0xd40
[ 26.721209][ C0] nlmsg_notify+0x90/0x250
[ 26.725616][ C0] rtmsg_ifinfo_event.part.0+0xb6/0xe0
[ 26.731333][ C0] rtmsg_ifinfo+0x7f/0xa0
[ 26.736039][ C0] __dev_notify_flags+0x235/0x2c0
[ 26.741333][ C0] dev_change_flags+0x100/0x160
[ 26.746505][ C0] do_setlink+0xa1c/0x35f0
[ 26.751068][ C0] __rtnl_newlink+0xad5/0x1590
[ 26.755826][ C0] rtnl_newlink+0x64/0xa0
[ 26.760143][ C0] rtnetlink_rcv_msg+0x42b/0xae0
[ 26.765256][ C0] netlink_rcv_skb+0x15a/0x410
[ 26.770389][ C0] netlink_unicast+0x537/0x740
[ 26.775404][ C0] netlink_sendmsg+0x882/0xe10
[ 26.780164][ C0] sock_sendmsg+0xcf/0x120
[ 26.784952][ C0] __sys_sendto+0x21a/0x330
[ 26.789638][ C0] __x64_sys_sendto+0xdd/0x1b0
[ 26.794666][ C0] do_syscall_64+0xb6/0x5a0
[ 26.799420][ C0] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 26.805594][ C0]
[ 26.808443][ C0] Freed by task 364:
[ 26.812418][ C0] save_stack+0x1b/0x80
[ 26.816557][ C0] __kasan_slab_free+0x117/0x160
[ 26.821565][ C0] kfree+0xd5/0x300
[ 26.825364][ C0] skb_free_head+0x8b/0xa0
[ 26.829769][ C0] skb_release_data+0x41f/0x7c0
[ 26.834868][ C0] skb_release_all+0x46/0x60
[ 26.839455][ C0] consume_skb+0xf3/0x3c0
[ 26.843787][ C0] netlink_broadcast_filtered+0x34f/0xd40
[ 26.849810][ C0] nlmsg_notify+0x90/0x250
[ 26.854627][ C0] rtmsg_ifinfo_event.part.0+0xb6/0xe0
[ 26.860329][ C0] rtmsg_ifinfo+0x7f/0xa0
[ 26.864720][ C0] __dev_notify_flags+0x235/0x2c0
[ 26.869878][ C0] dev_change_flags+0x100/0x160
[ 26.874912][ C0] do_setlink+0xa1c/0x35f0
[ 26.879317][ C0] __rtnl_newlink+0xad5/0x1590
[ 26.884291][ C0] rtnl_newlink+0x64/0xa0
[ 26.888628][ C0] rtnetlink_rcv_msg+0x42b/0xae0
[ 26.893928][ C0] netlink_rcv_skb+0x15a/0x410
[ 26.898689][ C0] netlink_unicast+0x537/0x740
[ 26.903551][ C0] netlink_sendmsg+0x882/0xe10
[ 26.908374][ C0] sock_sendmsg+0xcf/0x120
[ 26.913093][ C0] __sys_sendto+0x21a/0x330
[ 26.918340][ C0] __x64_sys_sendto+0xdd/0x1b0
[ 26.924179][ C0] do_syscall_64+0xb6/0x5a0
[ 26.928741][ C0] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 26.934910][ C0]
[ 26.937249][ C0] The buggy address belongs to the object at ffff8881d8dc5000
[ 26.937249][ C0] which belongs to the cache kmalloc-2k of size 2048
[ 26.951751][ C0] The buggy address is located 1120 bytes inside of
[ 26.951751][ C0] 2048-byte region [ffff8881d8dc5000, ffff8881d8dc5800)
[ 26.965359][ C0] The buggy address belongs to the page:
[ 26.971020][ C0] page:ffffea0007637000 refcount:1 mapcount:0 mapping:ffff8881da00c000 index:0x0 compound_mapcount: 0
[ 26.981976][ C0] flags: 0x200000000010200(slab|head)
[ 26.987336][ C0] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
[ 26.995907][ C0] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 27.004588][ C0] page dumped because: kasan: bad access detected
[ 27.011133][ C0]
[ 27.013649][ C0] Memory state around the buggy address:
[ 27.019348][ C0] ffff8881d8dc5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.027591][ C0] ffff8881d8dc5380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.035644][ C0] >ffff8881d8dc5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.043698][ C0] ^
[ 27.051538][ C0] ffff8881d8dc5480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.060150][ C0] ffff8881d8dc5500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.068363][ C0] ==================================================================
[ 27.076671][ C0] Disabling lock debugging due to kernel taint
[ 27.082902][ C0] Kernel panic - not syncing: panic_on_warn set ...
[ 27.089760][ C0] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 5.6.0-rc7-syzkaller #0
[ 27.099120][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.109549][ C0] Call Trace:
[ 27.113104][ C0]
[ 27.115955][ C0] dump_stack+0xef/0x16e
[ 27.120271][ C0] panic+0x2aa/0x6e1
[ 27.124154][ C0] ? add_taint.cold+0x16/0x16
[ 27.128818][ C0] ? print_shadow_for_address+0xb8/0x114
[ 27.134616][ C0] ? trace_hardirqs_off+0x50/0x200
[ 27.139831][ C0] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 27.145314][ C0] end_report+0x43/0x49
[ 27.149545][ C0] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 27.154654][ C0] __kasan_report.cold+0x55/0x77
[ 27.160179][ C0] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 27.165490][ C0] kasan_report+0xe/0x20
[ 27.169769][ C0] ath9k_htc_rx_msg+0xa25/0xaf0
[ 27.174609][ C0] ath9k_hif_usb_reg_in_cb+0x1ba/0x630
[ 27.180081][ C0] ? _raw_read_unlock+0x1a/0x30
[ 27.185013][ C0] ? led_trigger_blink_oneshot+0xb4/0xe0
[ 27.190629][ C0] __usb_hcd_giveback_urb+0x1f2/0x470
[ 27.196041][ C0] usb_hcd_giveback_urb+0x368/0x420
[ 27.201267][ C0] dummy_timer+0x1258/0x32ae
[ 27.205843][ C0] ? dummy_udc_probe+0x930/0x930
[ 27.210884][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 27.216498][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 27.221771][ C0] call_timer_fn+0x195/0x6f0
[ 27.226493][ C0] ? dummy_udc_probe+0x930/0x930
[ 27.231410][ C0] ? msleep_interruptible+0x130/0x130
[ 27.236776][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 27.242397][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 27.247668][ C0] ? _raw_spin_unlock_irq+0x1f/0x30
[ 27.252854][ C0] ? dummy_udc_probe+0x930/0x930
[ 27.257771][ C0] run_timer_softirq+0x5f9/0x1500
[ 27.262774][ C0] ? add_timer+0x7a0/0x7a0
[ 27.267169][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 27.273091][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 27.278402][ C0] __do_softirq+0x21e/0x950
[ 27.283060][ C0] irq_exit+0x178/0x1a0
[ 27.287296][ C0] smp_apic_timer_interrupt+0x141/0x540
[ 27.293604][ C0] apic_timer_interrupt+0xf/0x20
[ 27.298656][ C0]
[ 27.301676][ C0] RIP: 0010:default_idle+0x28/0x300
[ 27.307726][ C0] Code: cc cc 41 56 41 55 65 44 8b 2d 44 eb 71 7a 41 54 55 53 0f 1f 44 00 00 e8 f6 d7 b4 fb e9 07 00 00 00 0f 00 2d aa 7c 52 00 fb f4 <65> 44 8b 2d 20 eb 71 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
[ 27.327754][ C0] RSP: 0018:ffffffff87007da0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 27.336378][ C0] RAX: 0000000000000007 RBX: ffffffff8702c740 RCX: 0000000000000000
[ 27.344583][ C0] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8702cf8c
[ 27.352539][ C0] RBP: fffffbfff0e058e8 R08: ffffffff8702c740 R09: 0000000000000000
[ 27.360517][ C0] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 27.368756][ C0] R13: 0000000000000000 R14: ffffffff87e629c0 R15: 0000000000000000
[ 27.376989][ C0] do_idle+0x3e0/0x500
[ 27.381056][ C0] ? arch_cpu_idle_exit+0x40/0x40
[ 27.386332][ C0] ? schedule+0xe1/0x2b0
[ 27.390660][ C0] cpu_startup_entry+0x14/0x20
[ 27.395504][ C0] start_kernel+0x8a5/0x8df
[ 27.400083][ C0] ? mem_encrypt_init+0x5/0x5
[ 27.404748][ C0] ? x86_family+0x3d/0x50
[ 27.409217][ C0] ? load_ucode_bsp+0x23d/0x27d
[ 27.414066][ C0] secondary_startup_64+0xb6/0xc0
[ 27.420464][ C0] Kernel Offset: disabled
[ 27.424837][ C0] Rebooting in 86400 seconds..