./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1308163111 <...> Warning: Permanently added '10.128.0.246' (ECDSA) to the list of known hosts. execve("./syz-executor1308163111", ["./syz-executor1308163111"], 0x7ffd9ad2e060 /* 10 vars */) = 0 brk(NULL) = 0x5555568ec000 brk(0x5555568ecc40) = 0x5555568ecc40 arch_prctl(ARCH_SET_FS, 0x5555568ec300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor1308163111", 4096) = 28 brk(0x55555690dc40) = 0x55555690dc40 brk(0x55555690e000) = 0x55555690e000 mprotect(0x7f1a2a1e9000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3602 attached , child_tidptr=0x5555568ec5d0) = 3602 [pid 3602] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3602] setpgid(0, 0) = 0 [pid 3602] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3602] write(3, "1000", 4) = 4 [pid 3602] close(3) = 0 [pid 3602] openat(AT_FDCWD, "/dev/raw-gadget", O_RDWR) = 3 [pid 3602] ioctl(3, USB_RAW_IOCTL_INIT, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 18 syzkaller login: [ 50.408724][ T14] usb 1-1: new high-speed USB device number 2 using dummy_hcd [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 18 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 9 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [ 50.688988][ T14] usb 1-1: too many configurations: 130, using maximum allowed: 8 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 72 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 9 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [ 50.768729][ T14] usb 1-1: config index 0 descriptor too short (expected 65163, got 72) [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 72 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 9 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [ 50.848741][ T14] usb 1-1: config index 1 descriptor too short (expected 65163, got 72) [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 72 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 9 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [ 50.928813][ T14] usb 1-1: config index 2 descriptor too short (expected 65163, got 72) [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 72 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 9 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [ 51.008753][ T14] usb 1-1: config index 3 descriptor too short (expected 65163, got 72) [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 72 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 9 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [ 51.088783][ T14] usb 1-1: config index 4 descriptor too short (expected 65163, got 72) [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 72 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 9 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [ 51.168823][ T14] usb 1-1: config index 5 descriptor too short (expected 65163, got 72) [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 72 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 9 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [ 51.248762][ T14] usb 1-1: config index 6 descriptor too short (expected 65163, got 72) [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 72 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 4 [ 51.328779][ T14] usb 1-1: config index 7 descriptor too short (expected 65163, got 72) [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 8 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 8 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 8 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_VBUS_DRAW, 0xfa) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_CONFIGURE, 0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f1a2a1ef46c) = 9 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f1a2a1ef47c) = 10 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f1a2a1ef48c) = 12 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f1a2a1ef49c) = 11 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f1a2a1ef4ac) = 13 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f1a2a1ef4bc) = 14 [ 51.488886][ T14] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08 [ 51.498774][ T14] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 51.507089][ T14] usb 1-1: Product: syz [ 51.511430][ T14] usb 1-1: Manufacturer: syz [ 51.516037][ T14] usb 1-1: SerialNumber: syz [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [ 51.559999][ T14] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 1856 [pid 3602] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 0 [ 52.138721][ T142] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffc3c0382f0) = 4 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffc3c0382f0) = 4 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffc3c0382f0) = 4 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffc3c0382f0) = 4 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffc3c0382f0) = 4 [ 53.178713][ T142] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive [ 53.186186][ T142] ath9k_htc: Failed to initialize the device [pid 3602] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffc3c0382f0) = 4 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffc3c0382f0) = 4 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffc3c0382f0) = 4 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffc3c0382f0) = 4 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffc3c0382f0) = 4 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffc3c0382f0) = 4 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffc3c0382f0) = 4 [ 54.621754][ T142] usb 1-1: ath9k_htc: USB layer deinitialized [pid 3602] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffc3c0382f0) = 4 [pid 3602] ioctl(3, USB_RAW_IOCTL_EP_WRITE [pid 3601] kill(-3602, SIGKILL [pid 3602] <... ioctl resumed> ) = ? [pid 3601] <... kill resumed>) = 0 [pid 3602] +++ killed by SIGKILL +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=3602, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=2} --- kill(3602, SIGKILL) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3610 attached , child_tidptr=0x5555568ec5d0) = 3610 [pid 3610] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3610] setpgid(0, 0) = 0 [pid 3610] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3610] write(3, "1000", 4) = 4 [pid 3610] close(3) = 0 [pid 3610] openat(AT_FDCWD, "/dev/raw-gadget", O_RDWR) = 3 [pid 3610] ioctl(3, USB_RAW_IOCTL_INIT, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [ 55.141346][ T3606] usb 1-1: USB disconnect, device number 2 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 18 [ 55.558642][ T3606] usb 1-1: new high-speed USB device number 3 using dummy_hcd [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 18 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 9 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [ 55.838753][ T3606] usb 1-1: too many configurations: 130, using maximum allowed: 8 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 72 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 9 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [ 55.918732][ T3606] usb 1-1: config index 0 descriptor too short (expected 65163, got 72) [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 72 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 9 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [ 55.998734][ T3606] usb 1-1: config index 1 descriptor too short (expected 65163, got 72) [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 72 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 9 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [ 56.078815][ T3606] usb 1-1: config index 2 descriptor too short (expected 65163, got 72) [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 72 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 9 [ 56.158731][ T3606] usb 1-1: config index 3 descriptor too short (expected 65163, got 72) [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 72 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 9 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [ 56.248736][ T3606] usb 1-1: config index 4 descriptor too short (expected 65163, got 72) [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 72 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 9 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [ 56.328723][ T3606] usb 1-1: config index 5 descriptor too short (expected 65163, got 72) [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 72 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 9 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [ 56.408752][ T3606] usb 1-1: config index 6 descriptor too short (expected 65163, got 72) [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 72 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 4 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [ 56.488791][ T3606] usb 1-1: config index 7 descriptor too short (expected 65163, got 72) [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 8 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 8 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc3c0372b0) = 8 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_VBUS_DRAW, 0xfa) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_CONFIGURE, 0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f1a2a1ef46c) = 9 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f1a2a1ef47c) = 10 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f1a2a1ef48c) = 12 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f1a2a1ef49c) = 11 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f1a2a1ef4ac) = 13 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f1a2a1ef4bc) = 14 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 0 [ 56.648769][ T3606] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08 [ 56.658405][ T3606] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 56.667196][ T3606] usb 1-1: Product: syz [ 56.671679][ T3606] usb 1-1: Manufacturer: syz [ 56.676274][ T3606] usb 1-1: SerialNumber: syz [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [ 56.721318][ T3606] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 4096 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 1856 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc3c0382c0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc3c0372b0) = 0 [ 57.288778][ T3606] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffc3c0382f0) = 4 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffc3c0382f0) = 4 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffc3c0382f0) = 4 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffc3c0382f0) = 4 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffc3c0382f0) = 4 [ 58.378678][ T3606] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive [ 58.385724][ T3606] ath9k_htc: Failed to initialize the device [pid 3610] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffc3c0382f0) = 4 [ 58.518642][ C0] ================================================================== [ 58.526720][ C0] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0xd17/0x10d0 [ 58.534541][ C0] Read of size 4 at addr ffff88801e75c2f4 by task swapper/0/0 [ 58.541990][ C0] [ 58.544304][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.19.0-syzkaller-02972-g200e340f2196 #0 [ 58.553662][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 [ 58.563703][ C0] Call Trace: [ 58.566978][ C0] [ 58.569860][ C0] dump_stack_lvl+0xcd/0x134 [ 58.574454][ C0] print_address_description.constprop.0.cold+0xeb/0x495 [ 58.581489][ C0] ? ath9k_hif_usb_rx_cb+0xd17/0x10d0 [ 58.586933][ C0] kasan_report.cold+0xf4/0x1c6 [ 58.591805][ C0] ? ath9k_hif_usb_rx_cb+0xd17/0x10d0 [ 58.597197][ C0] ath9k_hif_usb_rx_cb+0xd17/0x10d0 [ 58.602406][ C0] ? psi_cgroup_free+0xf0/0x180 [ 58.607267][ C0] ? lock_downgrade+0x6e0/0x6e0 [ 58.612118][ C0] ? hif_usb_start+0xa0/0xa0 [ 58.616711][ C0] ? rwlock_bug.part.0+0x90/0x90 [ 58.621655][ C0] __usb_hcd_giveback_urb+0x2b0/0x5c0 [ 58.627040][ C0] usb_hcd_giveback_urb+0x367/0x410 [ 58.632243][ C0] dummy_timer+0x11f9/0x32b0 [ 58.636852][ C0] ? dummy_dequeue+0x500/0x500 [ 58.641641][ C0] ? dummy_dequeue+0x500/0x500 [ 58.646441][ C0] call_timer_fn+0x1a5/0x6b0 [ 58.651047][ C0] ? timer_fixup_activate+0x350/0x350 [ 58.656427][ C0] ? lock_downgrade+0x6e0/0x6e0 [ 58.661295][ C0] ? _raw_spin_unlock_irq+0x1f/0x40 [ 58.666514][ C0] ? _raw_spin_unlock_irq+0x1f/0x40 [ 58.671730][ C0] ? dummy_dequeue+0x500/0x500 [ 58.676522][ C0] __run_timers.part.0+0x679/0xa80 [ 58.681648][ C0] ? call_timer_fn+0x6b0/0x6b0 [ 58.686424][ C0] ? __wake_up_locked_sync_key+0x20/0x20 [ 58.692059][ C0] ? kvm_sched_clock_read+0x14/0x40 [ 58.697276][ C0] ? sched_clock_cpu+0x69/0x2b0 [ 58.702148][ C0] run_timer_softirq+0xb3/0x1d0 [ 58.707008][ C0] __do_softirq+0x29b/0x9c2 [ 58.711541][ C0] __irq_exit_rcu+0x123/0x180 [ 58.716274][ C0] irq_exit_rcu+0x5/0x20 [ 58.720532][ C0] sysvec_apic_timer_interrupt+0x93/0xc0 [ 58.726183][ C0] [ 58.729211][ C0] [ 58.732159][ C0] asm_sysvec_apic_timer_interrupt+0x16/0x20 [ 58.738156][ C0] RIP: 0010:acpi_idle_do_entry+0x1c9/0x240 [ 58.743985][ C0] Code: 89 de e8 9a d3 ff f7 84 db 75 98 e8 91 d7 ff f7 e8 fc 26 06 f8 66 90 e8 85 d7 ff f7 0f 00 2d fe 24 b9 00 e8 79 d7 ff f7 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 c4 d3 ff f7 48 85 db [ 58.763606][ C0] RSP: 0018:ffffffff8ba07d38 EFLAGS: 00000293 [ 58.769676][ C0] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 58.777648][ C0] RDX: ffffffff8babc940 RSI: ffffffff897b0247 RDI: 0000000000000000 [ 58.785621][ C0] RBP: ffff888017199864 R08: 0000000000000001 R09: 0000000000000001 [ 58.793592][ C0] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001 [ 58.801564][ C0] R13: ffff888017199800 R14: ffff888017199864 R15: ffff8881458c2804 [ 58.809547][ C0] ? acpi_idle_do_entry+0x1c7/0x240 [ 58.814760][ C0] ? acpi_idle_do_entry+0x1c7/0x240 [ 58.819964][ C0] acpi_idle_enter+0x369/0x510 [ 58.824738][ C0] cpuidle_enter_state+0x1b1/0xc80 [ 58.829862][ C0] cpuidle_enter+0x4a/0xa0 [ 58.834286][ C0] do_idle+0x3e8/0x590 [ 58.838361][ C0] ? arch_cpu_idle_exit+0x30/0x30 [ 58.843403][ C0] cpu_startup_entry+0x14/0x20 [ 58.848171][ C0] rest_init+0x169/0x270 [ 58.852416][ C0] ? trace_init_perf_perm_irq_work_exit+0xe/0xe [ 58.858751][ C0] arch_call_rest_init+0xf/0x14 [ 58.863608][ C0] start_kernel+0x46e/0x48f [ 58.868204][ C0] secondary_startup_64_no_verify+0xce/0xdb [ 58.874111][ C0] [ 58.877127][ C0] [ 58.879452][ C0] Allocated by task 3610: [ 58.883772][ C0] kasan_save_stack+0x1e/0x40 [ 58.888450][ C0] __kasan_kmalloc+0xa9/0xd0 [ 58.893038][ C0] tomoyo_realpath_from_path+0xc3/0x620 [ 58.898591][ C0] tomoyo_path_number_perm+0x1d5/0x590 [ 58.904056][ C0] security_file_ioctl+0x50/0xb0 [ 58.908995][ C0] __x64_sys_ioctl+0xb3/0x200 [ 58.913675][ C0] do_syscall_64+0x35/0xb0 [ 58.918098][ C0] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 58.924009][ C0] [ 58.926334][ C0] Freed by task 3610: [ 58.930314][ C0] kasan_save_stack+0x1e/0x40 [ 58.935017][ C0] kasan_set_track+0x21/0x30 [ 58.939611][ C0] kasan_set_free_info+0x20/0x30 [ 58.944558][ C0] ____kasan_slab_free+0x166/0x1a0 [ 58.949676][ C0] slab_free_freelist_hook+0x8b/0x1c0 [ 58.955051][ C0] kfree+0xe2/0x4d0 [ 58.958864][ C0] tomoyo_realpath_from_path+0x191/0x620 [ 58.964510][ C0] tomoyo_path_number_perm+0x1d5/0x590 [ 58.969975][ C0] security_file_ioctl+0x50/0xb0 [ 58.974914][ C0] __x64_sys_ioctl+0xb3/0x200 [ 58.979596][ C0] do_syscall_64+0x35/0xb0 [ 58.984017][ C0] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 58.989913][ C0] [ 58.992233][ C0] The buggy address belongs to the object at ffff88801e75c000 [ 58.992233][ C0] which belongs to the cache kmalloc-4k of size 4096 [ 59.006284][ C0] The buggy address is located 756 bytes inside of [ 59.006284][ C0] 4096-byte region [ffff88801e75c000, ffff88801e75d000) [ 59.019651][ C0] [ 59.021970][ C0] The buggy address belongs to the physical page: [ 59.028375][ C0] page:ffffea000079d600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e758 [ 59.038525][ C0] head:ffffea000079d600 order:3 compound_mapcount:0 compound_pincount:0 [ 59.046855][ C0] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 59.054846][ C0] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011842140 [ 59.063433][ C0] raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000 [ 59.072010][ C0] page dumped because: kasan: bad access detected [ 59.078415][ C0] page_owner tracks the page as allocated [ 59.084118][ C0] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2952, tgid 2952 (syslogd), ts 58392133386, free_ts 58385668170 [ 59.104267][ C0] get_page_from_freelist+0x1298/0x3b80 [ 59.109818][ C0] __alloc_pages+0x1c7/0x510 [ 59.114413][ C0] alloc_pages+0x1aa/0x310 [ 59.118833][ C0] allocate_slab+0x26c/0x3c0 [ 59.123429][ C0] ___slab_alloc+0x99f/0xe10 [ 59.128026][ C0] __slab_alloc.constprop.0+0x4d/0xa0 [ 59.133404][ C0] __kmalloc+0x393/0x470 [ 59.137651][ C0] tomoyo_realpath_from_path+0xc3/0x620 [ 59.143204][ C0] tomoyo_check_open_permission+0x272/0x380 [ 59.149104][ C0] tomoyo_file_open+0x9d/0xc0 [ 59.153786][ C0] security_file_open+0x45/0xb0 [ 59.158646][ C0] do_dentry_open+0x349/0x12d0 [ 59.163412][ C0] path_openat+0x1c92/0x28f0 [ 59.168003][ C0] do_filp_open+0x1b6/0x400 [ 59.172514][ C0] do_sys_openat2+0x16d/0x4c0 [ 59.177193][ C0] __x64_sys_openat+0x13f/0x1f0 [ 59.182049][ C0] page last free stack trace: [ 59.186714][ C0] free_pcp_prepare+0x549/0xd20 [ 59.191586][ C0] free_unref_page+0x19/0x6a0 [ 59.196265][ C0] device_release+0x9f/0x240 [ 59.200862][ C0] kobject_put+0x1c8/0x540 [ 59.205284][ C0] put_device+0x1b/0x30 [ 59.209444][ C0] ath9k_htc_probe_device+0x1c7/0x1f00 [ 59.214904][ C0] ath9k_htc_hw_init+0x31/0x60 [ 59.219668][ C0] ath9k_hif_usb_firmware_cb+0x274/0x530 [ 59.225307][ C0] request_firmware_work_func+0x12c/0x230 [ 59.231028][ C0] process_one_work+0x996/0x1610 [ 59.235969][ C0] worker_thread+0x665/0x1080 [ 59.240670][ C0] kthread+0x2e9/0x3a0 [ 59.244739][ C0] ret_from_fork+0x1f/0x30 [ 59.249159][ C0] [ 59.251476][ C0] Memory state around the buggy address: [ 59.257100][ C0] ffff88801e75c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.265162][ C0] ffff88801e75c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.273219][ C0] >ffff88801e75c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.281297][ C0] ^ [ 59.289009][ C0] ffff88801e75c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.297067][ C0] ffff88801e75c380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.306311][ C0] ================================================================== [ 59.315437][ C0] Kernel panic - not syncing: panic_on_warn set ... [ 59.323699][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.19.0-syzkaller-02972-g200e340f2196 #0 [ 59.333888][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 [ 59.344527][ C0] Call Trace: [ 59.347806][ C0] [ 59.350660][ C0] dump_stack_lvl+0xcd/0x134 [ 59.355268][ C0] panic+0x2d7/0x636 [ 59.359165][ C0] ? panic_print_sys_info.part.0+0x10b/0x10b [ 59.365161][ C0] ? ath9k_hif_usb_rx_cb+0xd17/0x10d0 [ 59.370540][ C0] end_report.part.0+0x3f/0x7c [ 59.375308][ C0] kasan_report.cold+0x93/0x1c6 [ 59.380165][ C0] ? ath9k_hif_usb_rx_cb+0xd17/0x10d0 [ 59.385545][ C0] ath9k_hif_usb_rx_cb+0xd17/0x10d0 [ 59.390754][ C0] ? psi_cgroup_free+0xf0/0x180 [ 59.395613][ C0] ? lock_downgrade+0x6e0/0x6e0 [ 59.400464][ C0] ? hif_usb_start+0xa0/0xa0 [ 59.405057][ C0] ? rwlock_bug.part.0+0x90/0x90 [ 59.410004][ C0] __usb_hcd_giveback_urb+0x2b0/0x5c0 [ 59.415382][ C0] usb_hcd_giveback_urb+0x367/0x410 [ 59.420585][ C0] dummy_timer+0x11f9/0x32b0 [ 59.425194][ C0] ? dummy_dequeue+0x500/0x500 [ 59.429964][ C0] ? dummy_dequeue+0x500/0x500 [ 59.434730][ C0] call_timer_fn+0x1a5/0x6b0 [ 59.439326][ C0] ? timer_fixup_activate+0x350/0x350 [ 59.444701][ C0] ? lock_downgrade+0x6e0/0x6e0 [ 59.449553][ C0] ? _raw_spin_unlock_irq+0x1f/0x40 [ 59.454758][ C0] ? _raw_spin_unlock_irq+0x1f/0x40 [ 59.459958][ C0] ? dummy_dequeue+0x500/0x500 [ 59.464727][ C0] __run_timers.part.0+0x679/0xa80 [ 59.469848][ C0] ? call_timer_fn+0x6b0/0x6b0 [ 59.474617][ C0] ? __wake_up_locked_sync_key+0x20/0x20 [ 59.480251][ C0] ? kvm_sched_clock_read+0x14/0x40 [ 59.485452][ C0] ? sched_clock_cpu+0x69/0x2b0 [ 59.490310][ C0] run_timer_softirq+0xb3/0x1d0 [ 59.495167][ C0] __do_softirq+0x29b/0x9c2 [ 59.499770][ C0] __irq_exit_rcu+0x123/0x180 [ 59.504449][ C0] irq_exit_rcu+0x5/0x20 [ 59.508693][ C0] sysvec_apic_timer_interrupt+0x93/0xc0 [ 59.514334][ C0] [ 59.517263][ C0] [ 59.520197][ C0] asm_sysvec_apic_timer_interrupt+0x16/0x20 [ 59.526187][ C0] RIP: 0010:acpi_idle_do_entry+0x1c9/0x240 [ 59.531998][ C0] Code: 89 de e8 9a d3 ff f7 84 db 75 98 e8 91 d7 ff f7 e8 fc 26 06 f8 66 90 e8 85 d7 ff f7 0f 00 2d fe 24 b9 00 e8 79 d7 ff f7 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 c4 d3 ff f7 48 85 db [ 59.551610][ C0] RSP: 0018:ffffffff8ba07d38 EFLAGS: 00000293 [ 59.557682][ C0] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 59.565657][ C0] RDX: ffffffff8babc940 RSI: ffffffff897b0247 RDI: 0000000000000000 [ 59.573629][ C0] RBP: ffff888017199864 R08: 0000000000000001 R09: 0000000000000001 [ 59.581600][ C0] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001 [ 59.589568][ C0] R13: ffff888017199800 R14: ffff888017199864 R15: ffff8881458c2804 [ 59.597546][ C0] ? acpi_idle_do_entry+0x1c7/0x240 [ 59.602755][ C0] ? acpi_idle_do_entry+0x1c7/0x240 [ 59.607955][ C0] acpi_idle_enter+0x369/0x510 [ 59.612725][ C0] cpuidle_enter_state+0x1b1/0xc80 [ 59.617848][ C0] cpuidle_enter+0x4a/0xa0 [ 59.622271][ C0] do_idle+0x3e8/0x590 [ 59.626346][ C0] ? arch_cpu_idle_exit+0x30/0x30 [ 59.631378][ C0] cpu_startup_entry+0x14/0x20 [ 59.636144][ C0] rest_init+0x169/0x270 [ 59.640387][ C0] ? trace_init_perf_perm_irq_work_exit+0xe/0xe [ 59.646631][ C0] arch_call_rest_init+0xf/0x14 [ 59.651491][ C0] start_kernel+0x46e/0x48f [ 59.656003][ C0] secondary_startup_64_no_verify+0xce/0xdb [ 59.661916][ C0] [ 59.665168][ C0] Kernel Offset: disabled [ 59.669492][ C0] Rebooting in 86400 seconds..