Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Update UTMP about System Runlevel Changes.
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

syzkaller login: [   18.758937][    C1] random: crng init done
[   18.763624][    C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.0.61' (ECDSA) to the list of known hosts.
executing program
[   25.734996][   T94] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   26.254532][   T94] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[   26.263710][   T94] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   26.271764][   T94] usb 1-1: Product: syz
[   26.276004][   T94] usb 1-1: Manufacturer: syz
[   26.280580][   T94] usb 1-1: SerialNumber: syz
[   26.325397][   T94] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[   26.903751][   T94] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[   27.327463][   T21] usb 1-1: USB disconnect, device number 2
[   28.132699][   T94] usb 1-1: Service connection timeout for: 256
[   28.138986][   T94] ==================================================================
[   28.147315][   T94] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[   28.154001][   T94] Read of size 4 at addr ffff8881c6fe6ad4 by task kworker/1:2/94
[   28.161689][   T94] 
[   28.164004][   T94] CPU: 1 PID: 94 Comm: kworker/1:2 Not tainted 5.7.0-rc6-syzkaller #0
[   28.172142][   T94] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.182201][   T94] Workqueue: events request_firmware_work_func
[   28.188346][   T94] Call Trace:
[   28.191618][   T94]  dump_stack+0xef/0x16e
[   28.195870][   T94]  print_address_description.constprop.0.cold+0xd3/0x415
[   28.202934][   T94]  ? vprintk_func+0x7d/0x113
[   28.207503][   T94]  ? kfree_skb+0x32/0x3d0
[   28.211810][   T94]  __kasan_report.cold+0x37/0x7d
[   28.216729][   T94]  ? kfree_skb+0x32/0x3d0
[   28.221035][   T94]  ? kfree_skb+0x32/0x3d0
[   28.225360][   T94]  kasan_report+0x33/0x50
[   28.229683][   T94]  check_memory_region+0x173/0x1d0
[   28.234772][   T94]  kfree_skb+0x32/0x3d0
[   28.238910][   T94]  htc_connect_service.cold+0xa9/0x109
[   28.244427][   T94]  ath9k_wmi_connect+0xd2/0x1a0
[   28.249346][   T94]  ? ath9k_fatal_work+0x20/0x20
[   28.254196][   T94]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[   28.260243][   T94]  ? ath9k_wmi_event_tasklet+0x440/0x440
[   28.266857][   T94]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   28.273251][   T94]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[   28.278620][   T94]  ? lockdep_init_map_waits+0x26a/0x7c0
[   28.284253][   T94]  ? __raw_spin_lock_init+0x34/0x100
[   28.289542][   T94]  ? tasklet_init+0x69/0x110
[   28.294134][   T94]  ath9k_htc_probe_device+0x25a/0x1da0
[   28.299575][   T94]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[   28.306330][   T94]  ? usb_submit_urb+0x6ed/0x1460
[   28.311261][   T94]  ? usb_free_urb.part.0+0x52/0x110
[   28.316439][   T94]  ? usb_free_urb+0x1b/0x30
[   28.320923][   T94]  ath9k_htc_hw_init+0x31/0x60
[   28.325670][   T94]  ath9k_hif_usb_firmware_cb+0x274/0x510
[   28.331282][   T94]  ? ath9k_hif_usb_resume+0x320/0x320
[   28.336652][   T94]  request_firmware_work_func+0x126/0x242
[   28.342372][   T94]  ? request_firmware_into_buf+0x90/0x90
[   28.348001][   T94]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   28.354684][   T94]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   28.359947][   T94]  ? _raw_spin_unlock_irq+0x1f/0x30
[   28.365150][   T94]  process_one_work+0x965/0x1630
[   28.371042][   T94]  ? lock_release+0x720/0x720
[   28.375697][   T94]  ? pwq_dec_nr_in_flight+0x310/0x310
[   28.381067][   T94]  ? rwlock_bug.part.0+0x90/0x90
[   28.385982][   T94]  worker_thread+0x96/0xe20
[   28.390496][   T94]  ? process_one_work+0x1630/0x1630
[   28.395785][   T94]  kthread+0x326/0x430
[   28.400053][   T94]  ? kthread_create_on_node+0xf0/0xf0
[   28.405936][   T94]  ret_from_fork+0x24/0x30
[   28.410387][   T94] 
[   28.412696][   T94] Allocated by task 94:
[   28.416901][   T94]  save_stack+0x1b/0x40
[   28.421077][   T94]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   28.426736][   T94]  kmem_cache_alloc_node+0xdc/0x330
[   28.431930][   T94]  __alloc_skb+0xba/0x5a0
[   28.436285][   T94]  htc_connect_service+0x2cc/0x840
[   28.441402][   T94]  ath9k_wmi_connect+0xd2/0x1a0
[   28.446236][   T94]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   28.452633][   T94]  ath9k_htc_probe_device+0x25a/0x1da0
[   28.458073][   T94]  ath9k_htc_hw_init+0x31/0x60
[   28.462835][   T94]  ath9k_hif_usb_firmware_cb+0x274/0x510
[   28.468462][   T94]  request_firmware_work_func+0x126/0x242
[   28.474245][   T94]  process_one_work+0x965/0x1630
[   28.479158][   T94]  worker_thread+0x96/0xe20
[   28.483651][   T94]  kthread+0x326/0x430
[   28.487715][   T94]  ret_from_fork+0x24/0x30
[   28.498208][   T94] 
[   28.500532][   T94] Freed by task 0:
[   28.504251][   T94]  save_stack+0x1b/0x40
[   28.508388][   T94]  __kasan_slab_free+0x117/0x160
[   28.513326][   T94]  kmem_cache_free+0x9b/0x360
[   28.517991][   T94]  kfree_skbmem+0xef/0x1b0
[   28.522386][   T94]  kfree_skb+0x102/0x3d0
[   28.526619][   T94]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[   28.532832][   T94]  hif_usb_regout_cb+0x115/0x1c0
[   28.537750][   T94]  __usb_hcd_giveback_urb+0x29a/0x550
[   28.543213][   T94]  usb_hcd_giveback_urb+0x368/0x420
[   28.549174][   T94]  dummy_timer+0x125e/0x32b4
[   28.553758][   T94]  call_timer_fn+0x1ac/0x700
[   28.558341][   T94]  run_timer_softirq+0x5f9/0x1500
[   28.563350][   T94]  __do_softirq+0x21e/0x9aa
[   28.567826][   T94] 
[   28.570163][   T94] The buggy address belongs to the object at ffff8881c6fe6a00
[   28.570163][   T94]  which belongs to the cache skbuff_head_cache of size 224
[   28.584742][   T94] The buggy address is located 212 bytes inside of
[   28.584742][   T94]  224-byte region [ffff8881c6fe6a00, ffff8881c6fe6ae0)
[   28.598105][   T94] The buggy address belongs to the page:
[   28.603745][   T94] page:ffffea00071bf980 refcount:1 mapcount:0 mapping:0000000087656c8a index:0x0
[   28.612833][   T94] flags: 0x200000000000200(slab)
[   28.617755][   T94] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[   28.626321][   T94] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[   28.635181][   T94] page dumped because: kasan: bad access detected
[   28.641569][   T94] 
[   28.643873][   T94] Memory state around the buggy address:
[   28.649918][   T94]  ffff8881c6fe6980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   28.658071][   T94]  ffff8881c6fe6a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.666116][   T94] >ffff8881c6fe6a80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   28.674161][   T94]                                                  ^
[   28.680828][   T94]  ffff8881c6fe6b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   28.688893][   T94]  ffff8881c6fe6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.696928][   T94] ==================================================================
[   28.705162][   T94] Disabling lock debugging due to kernel taint
[   28.711367][   T94] Kernel panic - not syncing: panic_on_warn set ...
[   28.717983][   T94] CPU: 1 PID: 94 Comm: kworker/1:2 Tainted: G    B             5.7.0-rc6-syzkaller #0
[   28.727514][   T94] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.737575][   T94] Workqueue: events request_firmware_work_func
[   28.743715][   T94] Call Trace:
[   28.746985][   T94]  dump_stack+0xef/0x16e
[   28.751215][   T94]  panic+0x2aa/0x6e1
[   28.755084][   T94]  ? add_taint.cold+0x16/0x16
[   28.759748][   T94]  ? retint_kernel+0x10/0x10
[   28.764316][   T94]  ? kfree_skb+0x32/0x3d0
[   28.768631][   T94]  ? trace_hardirqs_on+0x55/0x200
[   28.773627][   T94]  ? kfree_skb+0x32/0x3d0
[   28.777938][   T94]  end_report+0x4d/0x53
[   28.782167][   T94]  __kasan_report.cold+0x72/0x7d
[   28.787089][   T94]  ? kfree_skb+0x32/0x3d0
[   28.791485][   T94]  ? kfree_skb+0x32/0x3d0
[   28.795799][   T94]  kasan_report+0x33/0x50
[   28.800236][   T94]  check_memory_region+0x173/0x1d0
[   28.805362][   T94]  kfree_skb+0x32/0x3d0
[   28.809532][   T94]  htc_connect_service.cold+0xa9/0x109
[   28.814968][   T94]  ath9k_wmi_connect+0xd2/0x1a0
[   28.819811][   T94]  ? ath9k_fatal_work+0x20/0x20
[   28.824641][   T94]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[   28.830686][   T94]  ? ath9k_wmi_event_tasklet+0x440/0x440
[   28.836297][   T94]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   28.842690][   T94]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[   28.847955][   T94]  ? lockdep_init_map_waits+0x26a/0x7c0
[   28.853666][   T94]  ? __raw_spin_lock_init+0x34/0x100
[   28.858935][   T94]  ? tasklet_init+0x69/0x110
[   28.863512][   T94]  ath9k_htc_probe_device+0x25a/0x1da0
[   28.868973][   T94]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[   28.875633][   T94]  ? usb_submit_urb+0x6ed/0x1460
[   28.880548][   T94]  ? usb_free_urb.part.0+0x52/0x110
[   28.885720][   T94]  ? usb_free_urb+0x1b/0x30
[   28.890309][   T94]  ath9k_htc_hw_init+0x31/0x60
[   28.895066][   T94]  ath9k_hif_usb_firmware_cb+0x274/0x510
[   28.900969][   T94]  ? ath9k_hif_usb_resume+0x320/0x320
[   28.908670][   T94]  request_firmware_work_func+0x126/0x242
[   28.914378][   T94]  ? request_firmware_into_buf+0x90/0x90
[   28.920007][   T94]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   28.925532][   T94]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   28.930794][   T94]  ? _raw_spin_unlock_irq+0x1f/0x30
[   28.935965][   T94]  process_one_work+0x965/0x1630
[   28.940882][   T94]  ? lock_release+0x720/0x720
[   28.945538][   T94]  ? pwq_dec_nr_in_flight+0x310/0x310
[   28.950884][   T94]  ? rwlock_bug.part.0+0x90/0x90
[   28.955893][   T94]  worker_thread+0x96/0xe20
[   28.960377][   T94]  ? process_one_work+0x1630/0x1630
[   28.965897][   T94]  kthread+0x326/0x430
[   28.969950][   T94]  ? kthread_create_on_node+0xf0/0xf0
[   28.975296][   T94]  ret_from_fork+0x24/0x30
[   28.980483][   T94] Kernel Offset: disabled
[   28.984794][   T94] Rebooting in 86400 seconds..
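What the report shows, read from its three stacks: htc_connect_service allocates an sk_buff ("Allocated by task 94", via __alloc_skb) and submits it over USB; the transmit completion callback (hif_usb_regout_cb -> ath9k_htc_txcompletion_cb, "Freed by task 0", running from the dummy_hcd timer in softirq context) frees that skb; then, after "Service connection timeout for: 256", the out-of-line error path of htc_connect_service (the .cold section) calls kfree_skb on the same skb, and KASAN catches kfree_skb's first read of the freed header, 212 bytes into the 224-byte skbuff_head_cache object. The syzkaller device was disconnected at 27.3s while probe was still waiting on the firmware work, which is why the service connection timed out. The buffer has two owners: once the submit succeeded, only the completion callback may free it, and the submitter's timeout path must leave it alone.

The following is an added user-space model of that ownership pattern, not the driver's code: a tombstoning allocator stands in for KASAN, submit() and tx_completion() stand in for the USB submit and its completion callback, and connect_service() carries both the buggy timeout path and the corrected one (report the timeout, do not touch the buffer). The names, the request struct and the ordering (completion fires before the timeout check, as in the report's stacks) are assumptions of the model.

```c
/* Added model of the double-owner bug in the report above; not ath9k code.
 * A tombstoning allocator stands in for KASAN so a free of an
 * already-freed object is counted instead of corrupting the heap. */
#include <stdlib.h>
#include <string.h>

#define MAX_OBJS 16

static struct { void *ptr; int live; } objs[MAX_OBJS];
static int nobjs;
static int bad_frees;            /* frees of an already-freed object */

static void tracker_reset(void)
{
    for (int i = 0; i < nobjs; i++)
        if (objs[i].live)
            free(objs[i].ptr);
    nobjs = 0;
    bad_frees = 0;
}

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (!p || nobjs == MAX_OBJS)
        abort();
    objs[nobjs].ptr = p;
    objs[nobjs].live = 1;
    nobjs++;
    return p;
}

static void tracked_free(void *p)
{
    for (int i = 0; i < nobjs; i++) {
        if (objs[i].ptr != p)
            continue;
        if (!objs[i].live) {     /* KASAN's "fb" state: already freed */
            bad_frees++;
            return;
        }
        objs[i].live = 0;
        free(p);
        return;
    }
    abort();                     /* never allocated through the tracker */
}

/* Objects still live; nonzero would mean the fix traded a UAF for a leak. */
static int live_objects(void)
{
    int n = 0;
    for (int i = 0; i < nobjs; i++)
        n += objs[i].live;
    return n;
}

struct request { char payload[32]; };   /* stands in for the sk_buff */

static struct request *pending;          /* queued for the "hardware" */

/* Completion callback: after a successful submit it is the sole owner of
 * the buffer, like ath9k_htc_txcompletion_cb calling kfree_skb. */
static void tx_completion(struct request *req)
{
    tracked_free(req);
}

/* Hand the buffer to the asynchronous send path.
 * 0 = ownership transferred; -1 = rejected, caller still owns it. */
static int submit(struct request *req, int submit_ok)
{
    if (!submit_ok)
        return -1;
    pending = req;
    return 0;
}

/* Runs the completion "later"; in the driver this is a different context. */
static void run_completions(void)
{
    struct request *req = pending;
    pending = NULL;
    if (req)
        tx_completion(req);
}

/* Send a connect request and wait for the reply. 'buggy' selects the
 * timeout path that frees the buffer the callback already owns. */
static int connect_service(int buggy, int submit_ok, int timed_out)
{
    struct request *req = tracked_alloc(sizeof *req);
    memcpy(req->payload, "connect", 8);

    if (submit(req, submit_ok) < 0) {
        tracked_free(req);       /* correct: never handed off */
        return -1;
    }
    run_completions();           /* the send completed and freed req */

    if (timed_out) {
        if (buggy)
            tracked_free(req);   /* BUG: second free, the report's kfree_skb */
        return -2;               /* fixed path: report the timeout, leave req alone */
    }
    return 0;
}

/* Runs one scenario from a clean tracker; returns invalid frees detected. */
static int run_scenario(int buggy, int submit_ok, int timed_out)
{
    tracker_reset();
    pending = NULL;
    connect_service(buggy, submit_ok, timed_out);
    return bad_frees;
}
```

run_scenario(1, 1, 1) reproduces the report (one invalid free after the timeout), while run_scenario(0, 1, 1) shows the corrected path with no invalid free and nothing leaked, because the completion callback still frees the buffer. The submit-failure case is the one place the submitter must free: the callback will never run there.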