DUID 00:04:11:31:ea:d8:bb:db:47:a8:80:cb:7d:0b:3c:d8:ea:74
forked to background, child pid 3174
[   29.256158][ T3175] 8021q: adding VLAN 0 to HW filter on device bond0
[   29.268743][ T3175] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK

syzkaller
Warning: Permanently added '10.128.1.80' (ECDSA) to the list of known hosts.
syzkaller login: [   49.599783][ T3589] cgroup: Unknown subsys name 'net'
[   49.733135][ T3589] cgroup: Unknown subsys name 'rlimit'
[   49.901784][    T8] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   49.910085][    T8] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   49.920993][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[   49.938928][   T55] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
executing program
[   49.947624][   T55] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   49.956086][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[   50.266723][   T20] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   50.796806][   T20] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[   50.806061][   T20] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   50.814165][   T20] usb 1-1: Product: syz
[   50.818440][   T20] usb 1-1: Manufacturer: syz
[   50.823079][   T20] usb 1-1: SerialNumber: syz
[   50.879129][   T20] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[   51.486823][ T2979] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[   51.707355][    C1] usb 1-1: ath: unknown panic pattern!
[   51.716091][   T20] usb 1-1: USB disconnect, device number 2
executing program
[   52.516653][ T2979] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[   52.523943][ T2979] ath9k_htc: Failed to initialize the device
[   52.531423][   T20] usb 1-1: ath9k_htc: USB layer deinitialized
[   52.886677][   T20] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[   53.406718][   T20] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[   53.415863][   T20] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   53.424014][   T20] usb 1-1: Product: syz
[   53.428336][   T20] usb 1-1: Manufacturer: syz
[   53.432991][   T20] usb 1-1: SerialNumber: syz
[   53.477493][   T20] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[   54.046751][ T3595] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[   54.266796][    C1] usb 1-1: ath: unknown panic pattern!
[   54.273683][   T20] usb 1-1: USB disconnect, device number 3
executing program
[   55.076699][ T3595] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[   55.083661][ T3595] ath9k_htc: Failed to initialize the device
[   55.090956][   T20] usb 1-1: ath9k_htc: USB layer deinitialized
[   55.466682][   T20] usb 1-1: new high-speed USB device number 4 using dummy_hcd
[   55.996795][   T20] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[   56.005842][   T20] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   56.014646][   T20] usb 1-1: Product: syz
[   56.019102][   T20] usb 1-1: Manufacturer: syz
[   56.023686][   T20] usb 1-1: SerialNumber: syz
[   56.067289][   T20] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[   56.656786][   T20] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[   56.876821][    C1] usb 1-1: ath: unknown panic pattern!
[   56.880558][    T7] usb 1-1: USB disconnect, device number 4
[   56.882541][    C1] ==================================================================
[   56.896293][    C1] BUG: KASAN: use-after-free in kfree_skb_reason+0x33/0x400
[   56.903608][    C1] Read of size 4 at addr ffff888073d115dc by task swapper/1/0
[   56.911052][    C1] 
[   56.913366][    C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.17.0-rc4-syzkaller-00002-gd567f5db412e #0
[   56.923069][    C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   56.933114][    C1] Call Trace:
[   56.936390][    C1]  <IRQ>
[   56.939223][    C1]  dump_stack_lvl+0xcd/0x134
[   56.943806][    C1]  print_address_description.constprop.0.cold+0x8d/0x336
[   56.950823][    C1]  ? kfree_skb_reason+0x33/0x400
[   56.955766][    C1]  ? kfree_skb_reason+0x33/0x400
[   56.960694][    C1]  kasan_report.cold+0x83/0xdf
[   56.965453][    C1]  ? kfree_skb_reason+0x33/0x400
[   56.970390][    C1]  kasan_check_range+0x13d/0x180
[   56.975324][    C1]  kfree_skb_reason+0x33/0x400
[   56.980090][    C1]  ath9k_hif_usb_reg_in_cb+0x4c2/0x630
[   56.985545][    C1]  __usb_hcd_giveback_urb+0x2b0/0x5c0
[   56.990915][    C1]  usb_hcd_giveback_urb+0x367/0x410
[   56.996110][    C1]  dummy_timer+0x11f9/0x32b0
[   57.000718][    C1]  ? dummy_dequeue+0x500/0x500
[   57.005480][    C1]  ? dummy_dequeue+0x500/0x500
[   57.010239][    C1]  call_timer_fn+0x1a5/0x6b0
[   57.014822][    C1]  ? timer_fixup_activate+0x350/0x350
[   57.020199][    C1]  ? lock_downgrade+0x6e0/0x6e0
[   57.025048][    C1]  ? _raw_spin_unlock_irq+0x1f/0x40
[   57.030246][    C1]  ? dummy_dequeue+0x500/0x500
[   57.035076][    C1]  __run_timers.part.0+0x67c/0xa30
[   57.040188][    C1]  ? call_timer_fn+0x6b0/0x6b0
[   57.044949][    C1]  ? kvm_sched_clock_read+0x14/0x40
[   57.050135][    C1]  ? sched_clock_cpu+0x15/0x1f0
[   57.054987][    C1]  run_timer_softirq+0xb3/0x1d0
[   57.059829][    C1]  __do_softirq+0x29b/0x9c2
[   57.064419][    C1]  __irq_exit_rcu+0x123/0x180
[   57.069092][    C1]  irq_exit_rcu+0x5/0x20
[   57.073331][    C1]  sysvec_apic_timer_interrupt+0x93/0xc0
[   57.078959][    C1]  </IRQ>
[   57.081878][    C1]  <TASK>
[   57.084796][    C1]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[   57.090768][    C1] RIP: 0010:acpi_idle_do_entry+0x1c6/0x250
[   57.096572][    C1] Code: 89 de e8 8d 3b 28 f8 84 db 75 ac e8 04 39 28 f8 e8 af 78 2e f8 eb 0c e8 f8 38 28 f8 0f 00 2d b1 ef c0 00 e8 ec 38 28 f8 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 c7 3c 28 f8 48 85 db
[   57.116181][    C1] RSP: 0018:ffffc90000d57d18 EFLAGS: 00000293
[   57.122235][    C1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   57.130196][    C1] RDX: ffff88801192d700 RSI: ffffffff89509534 RDI: 0000000000000000
[   57.138159][    C1] RBP: ffff888011a4b864 R08: 0000000000000001 R09: 0000000000000001
[   57.146133][    C1] R10: ffffffff817f0e08 R11: 0000000000000000 R12: 0000000000000001
[   57.154089][    C1] R13: ffff888011a4b800 R14: ffff888011a4b864 R15: ffff888017973804
[   57.162052][    C1]  ? trace_hardirqs_on+0x38/0x1c0
[   57.167073][    C1]  ? acpi_idle_do_entry+0x1c4/0x250
[   57.172270][    C1]  ? acpi_idle_do_entry+0x1c4/0x250
[   57.177475][    C1]  acpi_idle_enter+0x361/0x500
[   57.182233][    C1]  cpuidle_enter_state+0x1b1/0xc80
[   57.187335][    C1]  cpuidle_enter+0x4a/0xa0
[   57.191738][    C1]  do_idle+0x3e8/0x590
[   57.195799][    C1]  ? arch_cpu_idle_exit+0x30/0x30
[   57.200812][    C1]  ? _raw_spin_unlock_irqrestore+0x40/0x70
[   57.206608][    C1]  ? lockdep_hardirqs_on+0x79/0x100
[   57.211798][    C1]  cpu_startup_entry+0x14/0x20
[   57.216554][    C1]  start_secondary+0x265/0x340
[   57.221320][    C1]  ? set_cpu_sibling_map+0x1ee0/0x1ee0
[   57.226864][    C1]  secondary_startup_64_no_verify+0xc3/0xcb
[   57.232757][    C1]  </TASK>
[   57.235764][    C1] 
[   57.238079][    C1] Allocated by task 20:
[   57.242223][    C1]  kasan_save_stack+0x1e/0x40
[   57.246894][    C1]  __kasan_slab_alloc+0x90/0xc0
[   57.251749][    C1]  kmem_cache_alloc_node+0x2c3/0x4f0
[   57.257019][    C1]  __alloc_skb+0x215/0x340
[   57.261422][    C1]  ath9k_hif_usb_alloc_urbs+0x91d/0x1040
[   57.267043][    C1]  ath9k_hif_usb_firmware_cb+0x148/0x530
[   57.272661][    C1]  request_firmware_work_func+0x12c/0x230
[   57.278385][    C1]  process_one_work+0x9ac/0x1650
[   57.283314][    C1]  worker_thread+0x657/0x1110
[   57.287977][    C1]  kthread+0x2e9/0x3a0
[   57.292030][    C1]  ret_from_fork+0x1f/0x30
[   57.296432][    C1] 
[   57.298741][    C1] Freed by task 0:
[   57.302438][    C1]  kasan_save_stack+0x1e/0x40
[   57.307103][    C1]  kasan_set_track+0x21/0x30
[   57.311681][    C1]  kasan_set_free_info+0x20/0x30
[   57.316604][    C1]  ____kasan_slab_free+0x126/0x160
[   57.321703][    C1]  slab_free_freelist_hook+0x8b/0x1c0
[   57.327059][    C1]  kmem_cache_free+0xd7/0x370
[   57.331721][    C1]  kfree_skbmem+0xef/0x1b0
[   57.336127][    C1]  kfree_skb_reason+0x145/0x400
[   57.340966][    C1]  ath9k_htc_rx_msg+0x1ed/0xb70
[   57.345807][    C1]  ath9k_hif_usb_reg_in_cb+0x1ac/0x630
[   57.351253][    C1]  __usb_hcd_giveback_urb+0x2b0/0x5c0
[   57.356614][    C1]  usb_hcd_giveback_urb+0x367/0x410
[   57.361797][    C1]  dummy_timer+0x11f9/0x32b0
[   57.366373][    C1]  call_timer_fn+0x1a5/0x6b0
[   57.370948][    C1]  __run_timers.part.0+0x67c/0xa30
[   57.376041][    C1]  run_timer_softirq+0xb3/0x1d0
[   57.380906][    C1]  __do_softirq+0x29b/0x9c2
[   57.385397][    C1] 
[   57.387710][    C1] The buggy address belongs to the object at ffff888073d11500
[   57.387710][    C1]  which belongs to the cache skbuff_head_cache of size 232
[   57.402265][    C1] The buggy address is located 220 bytes inside of
[   57.402265][    C1]  232-byte region [ffff888073d11500, ffff888073d115e8)
[   57.415524][    C1] The buggy address belongs to the page:
[   57.421136][    C1] page:ffffea0001cf4440 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x73d11
[   57.431276][    C1] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[   57.438815][    C1] raw: 00fff00000000200 0000000000000000 dead000000000122 ffff8881447b8140
[   57.447387][    C1] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[   57.455957][    C1] page dumped because: kasan: bad access detected
[   57.462349][    C1] page_owner tracks the page as allocated
[   57.468043][    C1] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 20, ts 56666229404, free_ts 56517048686
[   57.483850][    C1]  get_page_from_freelist+0xa72/0x2f50
[   57.489321][    C1]  __alloc_pages+0x1b2/0x500
[   57.493916][    C1]  alloc_pages+0x1aa/0x310
[   57.498344][    C1]  allocate_slab+0x27f/0x3c0
[   57.502945][    C1]  ___slab_alloc+0xbe1/0x12b0
[   57.507730][    C1]  __slab_alloc.constprop.0+0x4d/0xa0
[   57.513204][    C1]  kmem_cache_alloc_node+0x190/0x4f0
[   57.518491][    C1]  __alloc_skb+0x215/0x340
[   57.522911][    C1]  ath9k_hif_usb_alloc_urbs+0x91d/0x1040
[   57.528571][    C1]  ath9k_hif_usb_firmware_cb+0x148/0x530
[   57.534197][    C1]  request_firmware_work_func+0x12c/0x230
[   57.539905][    C1]  process_one_work+0x9ac/0x1650
[   57.544830][    C1]  worker_thread+0x657/0x1110
[   57.549497][    C1]  kthread+0x2e9/0x3a0
[   57.553553][    C1]  ret_from_fork+0x1f/0x30
[   57.557955][    C1] page last free stack trace:
[   57.562607][    C1]  free_pcp_prepare+0x374/0x870
[   57.567452][    C1]  free_unref_page+0x19/0x690
[   57.572118][    C1]  __unfreeze_partials+0x320/0x340
[   57.577216][    C1]  qlist_free_all+0x6d/0x160
[   57.581801][    C1]  kasan_quarantine_reduce+0x180/0x200
[   57.587245][    C1]  __kasan_slab_alloc+0xa2/0xc0
[   57.592098][    C1]  __kmalloc+0x256/0x450
[   57.596325][    C1]  raw_alloc_io_data+0x157/0x1c0
[   57.601251][    C1]  raw_ioctl+0x1105/0x2690
[   57.605657][    C1]  __x64_sys_ioctl+0x193/0x200
[   57.610430][    C1]  do_syscall_64+0x35/0xb0
[   57.614862][    C1]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   57.620770][    C1] 
[   57.623081][    C1] Memory state around the buggy address:
[   57.628692][    C1]  ffff888073d11480: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   57.636734][    C1]  ffff888073d11500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   57.644793][    C1] >ffff888073d11580: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[   57.652973][    C1]                                                     ^
[   57.659895][    C1]  ffff888073d11600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   57.667941][    C1]  ffff888073d11680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   57.676071][    C1] ==================================================================
[   57.684124][    C1] Disabling lock debugging due to kernel taint
[   57.690253][    C1] Kernel panic - not syncing: panic_on_warn set ...
[   57.696812][    C1] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G    B             5.17.0-rc4-syzkaller-00002-gd567f5db412e #0
[   57.715898][    C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   57.725936][    C1] Call Trace:
[   57.729198][    C1]  <IRQ>
[   57.732025][    C1]  dump_stack_lvl+0xcd/0x134
[   57.736607][    C1]  panic+0x2b0/0x6dd
[   57.740489][    C1]  ? __warn_printk+0xf3/0xf3
[   57.745068][    C1]  ? kfree_skb_reason+0x33/0x400
[   57.749995][    C1]  ? kfree_skb_reason+0x33/0x400
[   57.754927][    C1]  end_report.cold+0x63/0x6f
[   57.759505][    C1]  kasan_report.cold+0x71/0xdf
[   57.764263][    C1]  ? kfree_skb_reason+0x33/0x400
[   57.769190][    C1]  kasan_check_range+0x13d/0x180
[   57.774460][    C1]  kfree_skb_reason+0x33/0x400
[   57.779221][    C1]  ath9k_hif_usb_reg_in_cb+0x4c2/0x630
[   57.784702][    C1]  __usb_hcd_giveback_urb+0x2b0/0x5c0
[   57.790064][    C1]  usb_hcd_giveback_urb+0x367/0x410
[   57.795252][    C1]  dummy_timer+0x11f9/0x32b0
[   57.799856][    C1]  ? dummy_dequeue+0x500/0x500
[   57.804607][    C1]  ? dummy_dequeue+0x500/0x500
[   57.809360][    C1]  call_timer_fn+0x1a5/0x6b0
[   57.813937][    C1]  ? timer_fixup_activate+0x350/0x350
[   57.819294][    C1]  ? lock_downgrade+0x6e0/0x6e0
[   57.824133][    C1]  ? _raw_spin_unlock_irq+0x1f/0x40
[   57.829326][    C1]  ? dummy_dequeue+0x500/0x500
[   57.834084][    C1]  __run_timers.part.0+0x67c/0xa30
[   57.839180][    C1]  ? call_timer_fn+0x6b0/0x6b0
[   57.843925][    C1]  ? kvm_sched_clock_read+0x14/0x40
[   57.849107][    C1]  ? sched_clock_cpu+0x15/0x1f0
[   57.854223][    C1]  run_timer_softirq+0xb3/0x1d0
[   57.859060][    C1]  __do_softirq+0x29b/0x9c2
[   57.863551][    C1]  __irq_exit_rcu+0x123/0x180
[   57.868229][    C1]  irq_exit_rcu+0x5/0x20
[   57.872463][    C1]  sysvec_apic_timer_interrupt+0x93/0xc0
[   57.878082][    C1]  </IRQ>
[   57.880991][    C1]  <TASK>
[   57.883915][    C1]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[   57.889877][    C1] RIP: 0010:acpi_idle_do_entry+0x1c6/0x250
[   57.895669][    C1] Code: 89 de e8 8d 3b 28 f8 84 db 75 ac e8 04 39 28 f8 e8 af 78 2e f8 eb 0c e8 f8 38 28 f8 0f 00 2d b1 ef c0 00 e8 ec 38 28 f8 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 c7 3c 28 f8 48 85 db
[   57.915260][    C1] RSP: 0018:ffffc90000d57d18 EFLAGS: 00000293
[   57.921314][    C1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   57.929277][    C1] RDX: ffff88801192d700 RSI: ffffffff89509534 RDI: 0000000000000000
[   57.937231][    C1] RBP: ffff888011a4b864 R08: 0000000000000001 R09: 0000000000000001
[   57.945183][    C1] R10: ffffffff817f0e08 R11: 0000000000000000 R12: 0000000000000001
[   57.953136][    C1] R13: ffff888011a4b800 R14: ffff888011a4b864 R15: ffff888017973804
[   57.961126][    C1]  ? trace_hardirqs_on+0x38/0x1c0
[   57.966151][    C1]  ? acpi_idle_do_entry+0x1c4/0x250
[   57.971337][    C1]  ? acpi_idle_do_entry+0x1c4/0x250
[   57.976526][    C1]  acpi_idle_enter+0x361/0x500
[   57.981314][    C1]  cpuidle_enter_state+0x1b1/0xc80
[   57.986415][    C1]  cpuidle_enter+0x4a/0xa0
[   57.990815][    C1]  do_idle+0x3e8/0x590
[   57.994889][    C1]  ? arch_cpu_idle_exit+0x30/0x30
[   57.999902][    C1]  ? _raw_spin_unlock_irqrestore+0x40/0x70
[   58.005698][    C1]  ? lockdep_hardirqs_on+0x79/0x100
[   58.010898][    C1]  cpu_startup_entry+0x14/0x20
[   58.015649][    C1]  start_secondary+0x265/0x340
[   58.020400][    C1]  ? set_cpu_sibling_map+0x1ee0/0x1ee0
[   58.025847][    C1]  secondary_startup_64_no_verify+0xc3/0xcb
[   58.031732][    C1]  </TASK>
[   58.034980][    C1] Kernel Offset: disabled
[   58.039293][    C1] Rebooting in 86400 seconds..