Warning: Permanently added '10.128.0.103' (ECDSA) to the list of known hosts.
executing program
[ 24.675274][ T17] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 25.194855][ T17] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 25.204028][ T17] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 25.212181][ T17] usb 1-1: Product: syz
[ 25.216508][ T17] usb 1-1: Manufacturer: syz
[ 25.221096][ T17] usb 1-1: SerialNumber: syz
[ 25.265749][ T17] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 25.894227][ T17] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 26.296092][ T83] usb 1-1: USB disconnect, device number 2
[ 27.133122][ T17] usb 1-1: Service connection timeout for: 256
[ 27.139415][ T17] ==================================================================
[ 27.147546][ T17] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 27.154214][ T17] Read of size 4 at addr ffff8881c2b9f5d4 by task kworker/1:0/17
[ 27.162075][ T17]
[ 27.164399][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.7.0-rc6-syzkaller #0
[ 27.173411][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.183465][ T17] Workqueue: events request_firmware_work_func
[ 27.189608][ T17] Call Trace:
[ 27.192881][ T17] dump_stack+0xef/0x16e
[ 27.197101][ T17] print_address_description.constprop.0.cold+0xd3/0x415
[ 27.204113][ T17] ? vprintk_func+0x7d/0x113
[ 27.208707][ T17] ? kfree_skb+0x32/0x3d0
[ 27.213035][ T17] __kasan_report.cold+0x37/0x7d
[ 27.219170][ T17] ? kfree_skb+0x32/0x3d0
[ 27.223474][ T17] ? kfree_skb+0x32/0x3d0
[ 27.227795][ T17] kasan_report+0x33/0x50
[ 27.232140][ T17] check_memory_region+0x173/0x1d0
[ 27.237336][ T17] kfree_skb+0x32/0x3d0
[ 27.241529][ T17] htc_connect_service.cold+0xa9/0x109
[ 27.247096][ T17] ath9k_wmi_connect+0xd2/0x1a0
[ 27.251933][ T17] ? ath9k_fatal_work+0x20/0x20
[ 27.257130][ T17] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 27.263186][ T17] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 27.268970][ T17] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 27.275534][ T17] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 27.280796][ T17] ? lockdep_init_map_waits+0x26a/0x7c0
[ 27.286342][ T17] ? __raw_spin_lock_init+0x34/0x100
[ 27.291608][ T17] ? tasklet_init+0x69/0x110
[ 27.296185][ T17] ath9k_htc_probe_device+0x25a/0x1da0
[ 27.301618][ T17] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 27.308266][ T17] ? usb_submit_urb+0x6ed/0x1460
[ 27.313178][ T17] ? usb_free_urb.part.0+0x52/0x110
[ 27.318439][ T17] ? usb_free_urb+0x1b/0x30
[ 27.322918][ T17] ath9k_htc_hw_init+0x31/0x60
[ 27.327657][ T17] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 27.333271][ T17] ? ath9k_hif_usb_resume+0x320/0x320
[ 27.338618][ T17] request_firmware_work_func+0x126/0x242
[ 27.345702][ T17] ? request_firmware_into_buf+0x90/0x90
[ 27.352021][ T17] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 27.357638][ T17] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 27.362909][ T17] ? _raw_spin_unlock_irq+0x1f/0x30
[ 27.368081][ T17] process_one_work+0x965/0x1630
[ 27.372992][ T17] ? lock_release+0x720/0x720
[ 27.377664][ T17] ? pwq_dec_nr_in_flight+0x310/0x310
[ 27.383018][ T17] ? rwlock_bug.part.0+0x90/0x90
[ 27.387942][ T17] worker_thread+0x96/0xe20
[ 27.392445][ T17] ? process_one_work+0x1630/0x1630
[ 27.397706][ T17] kthread+0x326/0x430
[ 27.401761][ T17] ? kthread_create_on_node+0xf0/0xf0
[ 27.407108][ T17] ret_from_fork+0x24/0x30
[ 27.411510][ T17]
[ 27.413815][ T17] Allocated by task 17:
[ 27.418221][ T17] save_stack+0x1b/0x40
[ 27.422353][ T17] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 27.428402][ T17] kmem_cache_alloc_node+0xdc/0x330
[ 27.433604][ T17] __alloc_skb+0xba/0x5a0
[ 27.437911][ T17] htc_connect_service+0x2cc/0x840
[ 27.443011][ T17] ath9k_wmi_connect+0xd2/0x1a0
[ 27.447855][ T17] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 27.454249][ T17] ath9k_htc_probe_device+0x25a/0x1da0
[ 27.459773][ T17] ath9k_htc_hw_init+0x31/0x60
[ 27.464514][ T17] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 27.470121][ T17] request_firmware_work_func+0x126/0x242
[ 27.475812][ T17] process_one_work+0x965/0x1630
[ 27.480734][ T17] worker_thread+0x96/0xe20
[ 27.485244][ T17] kthread+0x326/0x430
[ 27.489310][ T17] ret_from_fork+0x24/0x30
[ 27.493695][ T17]
[ 27.496010][ T17] Freed by task 0:
[ 27.499731][ T17] save_stack+0x1b/0x40
[ 27.503885][ T17] __kasan_slab_free+0x117/0x160
[ 27.508810][ T17] kmem_cache_free+0x9b/0x360
[ 27.513564][ T17] kfree_skbmem+0xef/0x1b0
[ 27.517975][ T17] kfree_skb+0x102/0x3d0
[ 27.522199][ T17] ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 27.527810][ T17] hif_usb_regout_cb+0x115/0x1c0
[ 27.532764][ T17] __usb_hcd_giveback_urb+0x29a/0x550
[ 27.538112][ T17] usb_hcd_giveback_urb+0x368/0x420
[ 27.543288][ T17] dummy_timer+0x125e/0x32b4
[ 27.548030][ T17] call_timer_fn+0x1ac/0x700
[ 27.552615][ T17] run_timer_softirq+0x5f9/0x1500
[ 27.557640][ T17] __do_softirq+0x21e/0x9aa
[ 27.562125][ T17]
[ 27.564433][ T17] The buggy address belongs to the object at ffff8881c2b9f500
[ 27.564433][ T17] which belongs to the cache skbuff_head_cache of size 224
[ 27.578982][ T17] The buggy address is located 212 bytes inside of
[ 27.578982][ T17] 224-byte region [ffff8881c2b9f500, ffff8881c2b9f5e0)
[ 27.592222][ T17] The buggy address belongs to the page:
[ 27.597848][ T17] page:ffffea00070ae7c0 refcount:1 mapcount:0 mapping:0000000066a45763 index:0x0
[ 27.606939][ T17] flags: 0x200000000000200(slab)
[ 27.611870][ T17] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 27.620442][ T17] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 27.629009][ T17] page dumped because: kasan: bad access detected
[ 27.635390][ T17]
[ 27.637693][ T17] Memory state around the buggy address:
[ 27.643300][ T17] ffff8881c2b9f480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.651345][ T17] ffff8881c2b9f500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.659388][ T17] >ffff8881c2b9f580: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 27.669598][ T17] ^
[ 27.676265][ T17] ffff8881c2b9f600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 27.684483][ T17] ffff8881c2b9f680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.692668][ T17] ==================================================================
[ 27.700965][ T17] Disabling lock debugging due to kernel taint
[ 27.707207][ T17] Kernel panic - not syncing: panic_on_warn set ...
[ 27.713798][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 27.723328][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.733735][ T17] Workqueue: events request_firmware_work_func
[ 27.740303][ T17] Call Trace:
[ 27.743588][ T17] dump_stack+0xef/0x16e
[ 27.747942][ T17] panic+0x2aa/0x6e1
[ 27.752427][ T17] ? add_taint.cold+0x16/0x16
[ 27.757085][ T17] ? retint_kernel+0x10/0x10
[ 27.762011][ T17] ? kfree_skb+0x32/0x3d0
[ 27.766313][ T17] ? trace_hardirqs_on+0x55/0x200
[ 27.771309][ T17] ? kfree_skb+0x32/0x3d0
[ 27.775613][ T17] end_report+0x4d/0x53
[ 27.779742][ T17] __kasan_report.cold+0x72/0x7d
[ 27.784740][ T17] ? kfree_skb+0x32/0x3d0
[ 27.789487][ T17] ? kfree_skb+0x32/0x3d0
[ 27.793858][ T17] kasan_report+0x33/0x50
[ 27.799303][ T17] check_memory_region+0x173/0x1d0
[ 27.804389][ T17] kfree_skb+0x32/0x3d0
[ 27.808531][ T17] htc_connect_service.cold+0xa9/0x109
[ 27.813991][ T17] ath9k_wmi_connect+0xd2/0x1a0
[ 27.818832][ T17] ? ath9k_fatal_work+0x20/0x20
[ 27.823666][ T17] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 27.830231][ T17] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 27.835846][ T17] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 27.842329][ T17] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 27.847601][ T17] ? lockdep_init_map_waits+0x26a/0x7c0
[ 27.853146][ T17] ? __raw_spin_lock_init+0x34/0x100
[ 27.858429][ T17] ? tasklet_init+0x69/0x110
[ 27.863017][ T17] ath9k_htc_probe_device+0x25a/0x1da0
[ 27.868479][ T17] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 27.875138][ T17] ? usb_submit_urb+0x6ed/0x1460
[ 27.880054][ T17] ? usb_free_urb.part.0+0x52/0x110
[ 27.885227][ T17] ? usb_free_urb+0x1b/0x30
[ 27.889739][ T17] ath9k_htc_hw_init+0x31/0x60
[ 27.894581][ T17] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 27.900979][ T17] ? ath9k_hif_usb_resume+0x320/0x320
[ 27.906344][ T17] request_firmware_work_func+0x126/0x242
[ 27.912558][ T17] ? request_firmware_into_buf+0x90/0x90
[ 27.918164][ T17] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 27.923695][ T17] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 27.928956][ T17] ? _raw_spin_unlock_irq+0x1f/0x30
[ 27.934663][ T17] process_one_work+0x965/0x1630
[ 27.939666][ T17] ? lock_release+0x720/0x720
[ 27.944316][ T17] ? pwq_dec_nr_in_flight+0x310/0x310
[ 27.949661][ T17] ? rwlock_bug.part.0+0x90/0x90
[ 27.954675][ T17] worker_thread+0x96/0xe20
[ 27.959512][ T17] ? process_one_work+0x1630/0x1630
[ 27.965575][ T17] kthread+0x326/0x430
[ 27.969737][ T17] ? kthread_create_on_node+0xf0/0xf0
[ 27.975083][ T17] ret_from_fork+0x24/0x30
[ 27.980146][ T17] Kernel Offset: disabled
[ 27.984452][ T17] Rebooting in 86400 seconds..