Warning: Permanently added '10.128.1.35' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 38.554592][ T12] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 39.074499][ T12] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 39.083623][ T12] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 39.091659][ T12] usb 1-1: Product: syz
[ 39.095912][ T12] usb 1-1: Manufacturer: syz
[ 39.100497][ T12] usb 1-1: SerialNumber: syz
[ 39.145507][ T12] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 39.804221][ T12] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 40.206716][ T94] usb 1-1: USB disconnect, device number 2
[ 41.103771][ T12] usb 1-1: Service connection timeout for: 256
[ 41.110076][ T12] ==================================================================
[ 41.118206][ T12] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 41.124892][ T12] Read of size 4 at addr ffff8881cffe80d4 by task kworker/0:1/12
[ 41.132579][ T12]
[ 41.134932][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.7.0-rc6-syzkaller #0
[ 41.143053][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.153106][ T12] Workqueue: events request_firmware_work_func
[ 41.159244][ T12] Call Trace:
[ 41.162517][ T12]  dump_stack+0xef/0x16e
[ 41.166743][ T12]  print_address_description.constprop.0.cold+0xd3/0x415
[ 41.173742][ T12]  ? vprintk_func+0x7d/0x113
[ 41.178390][ T12]  ? kfree_skb+0x32/0x3d0
[ 41.182711][ T12]  __kasan_report.cold+0x37/0x7d
[ 41.187657][ T12]  ? kfree_skb+0x32/0x3d0
[ 41.191975][ T12]  ? kfree_skb+0x32/0x3d0
[ 41.196284][ T12]  kasan_report+0x33/0x50
[ 41.200647][ T12]  check_memory_region+0x173/0x1d0
[ 41.205733][ T12]  kfree_skb+0x32/0x3d0
[ 41.209871][ T12]  htc_connect_service.cold+0xa9/0x109
[ 41.215359][ T12]  ath9k_wmi_connect+0xd2/0x1a0
[ 41.220187][ T12]  ? ath9k_fatal_work+0x20/0x20
[ 41.225016][ T12]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 41.231061][ T12]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 41.236683][ T12]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 41.243093][ T12]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 41.248371][ T12]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 41.253917][ T12]  ? __raw_spin_lock_init+0x34/0x100
[ 41.259179][ T12]  ? tasklet_init+0x69/0x110
[ 41.263774][ T12]  ath9k_htc_probe_device+0x25a/0x1da0
[ 41.269234][ T12]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 41.275898][ T12]  ? usb_submit_urb+0x6ed/0x1460
[ 41.280823][ T12]  ? usb_free_urb.part.0+0x52/0x110
[ 41.286009][ T12]  ? usb_free_urb+0x1b/0x30
[ 41.290501][ T12]  ath9k_htc_hw_init+0x31/0x60
[ 41.295255][ T12]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 41.300866][ T12]  ? ath9k_hif_usb_resume+0x320/0x320
[ 41.306219][ T12]  request_firmware_work_func+0x126/0x242
[ 41.311929][ T12]  ? request_firmware_into_buf+0x90/0x90
[ 41.317540][ T12]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 41.323074][ T12]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 41.328346][ T12]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 41.333534][ T12]  process_one_work+0x965/0x1630
[ 41.338468][ T12]  ? lock_release+0x720/0x720
[ 41.343126][ T12]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 41.348487][ T12]  ? rwlock_bug.part.0+0x90/0x90
[ 41.353493][ T12]  worker_thread+0x96/0xe20
[ 41.357974][ T12]  ? process_one_work+0x1630/0x1630
[ 41.363150][ T12]  kthread+0x326/0x430
[ 41.367201][ T12]  ? kthread_create_on_node+0xf0/0xf0
[ 41.372562][ T12]  ret_from_fork+0x24/0x30
[ 41.376951][ T12]
[ 41.379257][ T12] Allocated by task 12:
[ 41.383404][ T12]  save_stack+0x1b/0x40
[ 41.387599][ T12]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 41.393223][ T12]  kmem_cache_alloc_node+0xdc/0x330
[ 41.398402][ T12]  __alloc_skb+0xba/0x5a0
[ 41.403234][ T12]  htc_connect_service+0x2cc/0x840
[ 41.408324][ T12]  ath9k_wmi_connect+0xd2/0x1a0
[ 41.413169][ T12]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 41.419565][ T12]  ath9k_htc_probe_device+0x25a/0x1da0
[ 41.425000][ T12]  ath9k_htc_hw_init+0x31/0x60
[ 41.429757][ T12]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 41.435375][ T12]  request_firmware_work_func+0x126/0x242
[ 41.441136][ T12]  process_one_work+0x965/0x1630
[ 41.446054][ T12]  worker_thread+0x96/0xe20
[ 41.450536][ T12]  kthread+0x326/0x430
[ 41.454646][ T12]  ret_from_fork+0x24/0x30
[ 41.459068][ T12]
[ 41.461378][ T12] Freed by task 0:
[ 41.465079][ T12]  save_stack+0x1b/0x40
[ 41.469213][ T12]  __kasan_slab_free+0x117/0x160
[ 41.474153][ T12]  kmem_cache_free+0x9b/0x360
[ 41.478809][ T12]  kfree_skbmem+0xef/0x1b0
[ 41.483198][ T12]  kfree_skb+0x102/0x3d0
[ 41.487420][ T12]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 41.493050][ T12]  hif_usb_regout_cb+0x115/0x1c0
[ 41.497963][ T12]  __usb_hcd_giveback_urb+0x29a/0x550
[ 41.503524][ T12]  usb_hcd_giveback_urb+0x368/0x420
[ 41.508719][ T12]  dummy_timer+0x125e/0x32b4
[ 41.513290][ T12]  call_timer_fn+0x1ac/0x700
[ 41.517870][ T12]  run_timer_softirq+0x5f9/0x1500
[ 41.522874][ T12]  __do_softirq+0x21e/0x9aa
[ 41.527346][ T12]
[ 41.529654][ T12] The buggy address belongs to the object at ffff8881cffe8000
[ 41.529654][ T12]  which belongs to the cache skbuff_head_cache of size 224
[ 41.544206][ T12] The buggy address is located 212 bytes inside of
[ 41.544206][ T12]  224-byte region [ffff8881cffe8000, ffff8881cffe80e0)
[ 41.557570][ T12] The buggy address belongs to the page:
[ 41.563182][ T12] page:ffffea00073ffa00 refcount:1 mapcount:0 mapping:00000000f43ca92b index:0x0
[ 41.572260][ T12] flags: 0x200000000000200(slab)
[ 41.577193][ T12] raw: 0200000000000200 ffffea000716dc00 0000000500000005 ffff8881da175400
[ 41.585754][ T12] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 41.594324][ T12] page dumped because: kasan: bad access detected
[ 41.600882][ T12]
[ 41.603194][ T12] Memory state around the buggy address:
[ 41.608812][ T12]  ffff8881cffe7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.616960][ T12]  ffff8881cffe8000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.624997][ T12] >ffff8881cffe8080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 41.633096][ T12]                                                  ^
[ 41.639805][ T12]  ffff8881cffe8100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 41.647907][ T12]  ffff8881cffe8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.655999][ T12] ==================================================================
[ 41.664083][ T12] Disabling lock debugging due to kernel taint
[ 41.670316][ T12] Kernel panic - not syncing: panic_on_warn set ...
[ 41.676909][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G    B             5.7.0-rc6-syzkaller #0
[ 41.686439][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.696509][ T12] Workqueue: events request_firmware_work_func
[ 41.702722][ T12] Call Trace:
[ 41.705994][ T12]  dump_stack+0xef/0x16e
[ 41.710227][ T12]  panic+0x2aa/0x6e1
[ 41.714112][ T12]  ? add_taint.cold+0x16/0x16
[ 41.718778][ T12]  ? retint_kernel+0x10/0x10
[ 41.723427][ T12]  ? kfree_skb+0x32/0x3d0
[ 41.727728][ T12]  ? trace_hardirqs_on+0x55/0x200
[ 41.732724][ T12]  ? kfree_skb+0x32/0x3d0
[ 41.737028][ T12]  end_report+0x4d/0x53
[ 41.741174][ T12]  __kasan_report.cold+0x72/0x7d
[ 41.746096][ T12]  ? kfree_skb+0x32/0x3d0
[ 41.750397][ T12]  ? kfree_skb+0x32/0x3d0
[ 41.754699][ T12]  kasan_report+0x33/0x50
[ 41.759017][ T12]  check_memory_region+0x173/0x1d0
[ 41.764102][ T12]  kfree_skb+0x32/0x3d0
[ 41.768254][ T12]  htc_connect_service.cold+0xa9/0x109
[ 41.773685][ T12]  ath9k_wmi_connect+0xd2/0x1a0
[ 41.778565][ T12]  ? ath9k_fatal_work+0x20/0x20
[ 41.783407][ T12]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 41.789462][ T12]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 41.795129][ T12]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 41.801524][ T12]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 41.806782][ T12]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 41.812315][ T12]  ? __raw_spin_lock_init+0x34/0x100
[ 41.817587][ T12]  ? tasklet_init+0x69/0x110
[ 41.822151][ T12]  ath9k_htc_probe_device+0x25a/0x1da0
[ 41.827602][ T12]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 41.834250][ T12]  ? usb_submit_urb+0x6ed/0x1460
[ 41.839162][ T12]  ? usb_free_urb.part.0+0x52/0x110
[ 41.844344][ T12]  ? usb_free_urb+0x1b/0x30
[ 41.848834][ T12]  ath9k_htc_hw_init+0x31/0x60
[ 41.853573][ T12]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 41.859192][ T12]  ? ath9k_hif_usb_resume+0x320/0x320
[ 41.864550][ T12]  request_firmware_work_func+0x126/0x242
[ 41.870268][ T12]  ? request_firmware_into_buf+0x90/0x90
[ 41.875879][ T12]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 41.881398][ T12]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 41.886669][ T12]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 41.891854][ T12]  process_one_work+0x965/0x1630
[ 41.896783][ T12]  ? lock_release+0x720/0x720
[ 41.901447][ T12]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 41.906878][ T12]  ? rwlock_bug.part.0+0x90/0x90
[ 41.911787][ T12]  worker_thread+0x96/0xe20
[ 41.916263][ T12]  ? process_one_work+0x1630/0x1630
[ 41.921435][ T12]  kthread+0x326/0x430
[ 41.925481][ T12]  ? kthread_create_on_node+0xf0/0xf0
[ 41.930826][ T12]  ret_from_fork+0x24/0x30
[ 41.935934][ T12] Kernel Offset: disabled
[ 41.940240][ T12] Rebooting in 86400 seconds..
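Reading the three stacks together: the skb is allocated by htc_connect_service (Allocated by task 12), freed from the USB URB completion path by ath9k_htc_txcompletion_cb (Freed by task 0, in softirq context after the emulated device disconnected at 40.2s), and then touched again by kfree_skb called from htc_connect_service right after "Service connection timeout for: 256". The 4-byte read at offset 212 of the 224-byte skbuff_head_cache object is consistent with kfree_skb reading the skb refcount before freeing. The shape of the bug is double ownership: a buffer handed to an asynchronous send path, which frees it on completion, is freed a second time by the caller on its timeout path. The C below is an added, constructed model of that pattern, not ath9k or kernel code; struct and function names (ctrl_msg, transport_send, connect_service_buggy, connect_service_fixed) and the tiny shadow allocator that stands in for KASAN are assumptions introduced for illustration.

```c
/*
 * Constructed model of a send-path ownership bug (added example, not
 * ath9k code).  The caller allocates a message, hands it to an
 * asynchronous transport that frees it from its completion callback,
 * and then, on timeout, frees it again.  A shadow table records each
 * slot's state so the second free is detected instead of corrupting
 * the heap, the way KASAN caught it in the report above.
 */
#include <stdio.h>
#include <string.h>

enum shadow_state { SLOT_FREE = 0, SLOT_LIVE = 1, SLOT_FREED = 2 };

#define NSLOTS 8

struct ctrl_msg {
	int slot;                   /* index into the shadow table */
	unsigned char payload[32];
	int users;                  /* refcount, in the role of skb->users */
};

static struct ctrl_msg slots[NSLOTS];
static enum shadow_state shadow[NSLOTS];
static int uaf_reports;             /* count of accesses to freed objects */

static struct ctrl_msg *msg_alloc(void)
{
	for (int i = 0; i < NSLOTS; i++) {
		if (shadow[i] == SLOT_LIVE)
			continue;
		shadow[i] = SLOT_LIVE;
		memset(&slots[i], 0, sizeof slots[i]);
		slots[i].slot = i;
		slots[i].users = 1;
		return &slots[i];
	}
	return NULL;
}

/* kfree_skb() analogue: checks the shadow state (as KASAN does on the
 * refcount read), then drops the reference and releases the slot. */
static void msg_free(struct ctrl_msg *m)
{
	if (shadow[m->slot] != SLOT_LIVE) {
		uaf_reports++;          /* use-after-free on a freed message */
		return;
	}
	if (--m->users > 0)
		return;
	shadow[m->slot] = SLOT_FREED;
}

/* Completion callback: the transport owns the message after submit and
 * releases it here, as the TX completion callback does in the report. */
static void tx_completion_cb(struct ctrl_msg *m)
{
	msg_free(m);
}

/* Asynchronous send.  Returns nonzero only if the message was NOT
 * accepted; then the caller still owns it.  On success the completion
 * runs (immediately here, standing in for the URB completing before any
 * response arrives) and the message is gone. */
static int transport_send(struct ctrl_msg *m, int accept)
{
	if (!accept)
		return -1;
	tx_completion_cb(m);
	return 0;
}

/* Buggy: timeout shares the error label with submit failure, so it frees
 * a message the transport has already released. */
static int connect_service_buggy(int accept, int response_arrives)
{
	struct ctrl_msg *m = msg_alloc();
	int ret;

	if (!m)
		return -2;
	ret = transport_send(m, accept);
	if (ret)
		goto err;
	if (!response_arrives) {
		ret = -3;               /* timeout */
		goto err;               /* BUG: m is no longer ours */
	}
	return 0;
err:
	msg_free(m);
	return ret;
}

/* Fixed: free only when the submit itself failed.  After a successful
 * submit the message belongs to the completion path; timeout returns. */
static int connect_service_fixed(int accept, int response_arrives)
{
	struct ctrl_msg *m = msg_alloc();
	int ret;

	if (!m)
		return -2;
	ret = transport_send(m, accept);
	if (ret) {
		msg_free(m);
		return ret;
	}
	if (!response_arrives)
		return -3;              /* timeout, nothing to free */
	return 0;
}

/* Run one scenario from a clean heap; return the number of UAF reports. */
static int run(int (*fn)(int, int), int accept, int response_arrives)
{
	memset(shadow, 0, sizeof shadow);
	uaf_reports = 0;
	fn(accept, response_arrives);
	return uaf_reports;
}

int main(void)
{
	printf("buggy, timeout:   %d UAF\n", run(connect_service_buggy, 1, 0));
	printf("fixed, timeout:   %d UAF\n", run(connect_service_fixed, 1, 0));
	printf("fixed, no submit: %d UAF\n", run(connect_service_fixed, 0, 0));
	return 0;
}
```

The point of the model is the ownership rule it encodes: once the send path has accepted the buffer, every later path in the caller (success, timeout, any error discovered afterwards) must treat it as gone, and only a submit that was rejected leaves the free to the caller. When reviewing a driver for this class of bug, follow each buffer from allocation to every `goto err`-style label and confirm that no label reachable after a successful submit frees it.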