[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
syzkaller login: [ 15.925509][ C1] random: crng init done
[ 15.930036][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.1.56' (ECDSA) to the list of known hosts.
executing program
[ 23.108786][ T95] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 23.638434][ T95] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 23.647564][ T95] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 23.655605][ T95] usb 1-1: Product: syz
[ 23.659828][ T95] usb 1-1: Manufacturer: syz
[ 23.664404][ T95] usb 1-1: SerialNumber: syz
[ 23.709366][ T95] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 24.317746][ T95] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 24.719540][ T12] usb 1-1: USB disconnect, device number 2
[ 25.616580][ T95] usb 1-1: Service connection timeout for: 256
[ 25.622946][ T95] ==================================================================
[ 25.631079][ T95] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 25.637731][ T95] Read of size 4 at addr ffff8881d160fad4 by task kworker/0:2/95
[ 25.645415][ T95]
[ 25.647725][ T95] CPU: 0 PID: 95 Comm: kworker/0:2 Not tainted 5.7.0-rc6-syzkaller #0
[ 25.656199][ T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.666258][ T95] Workqueue: events request_firmware_work_func
[ 25.672383][ T95] Call Trace:
[ 25.675667][ T95] dump_stack+0xef/0x16e
[ 25.679887][ T95] print_address_description.constprop.0.cold+0xd3/0x415
[ 25.686882][ T95] ? vprintk_func+0x7d/0x113
[ 25.691461][ T95] ? kfree_skb+0x32/0x3d0
[ 25.695778][ T95] __kasan_report.cold+0x37/0x7d
[ 25.700691][ T95] ? kfree_skb+0x32/0x3d0
[ 25.705003][ T95] ? kfree_skb+0x32/0x3d0
[ 25.709317][ T95] kasan_report+0x33/0x50
[ 25.713637][ T95] check_memory_region+0x173/0x1d0
[ 25.718734][ T95] kfree_skb+0x32/0x3d0
[ 25.722873][ T95] htc_connect_service.cold+0xa9/0x109
[ 25.728316][ T95] ath9k_wmi_connect+0xd2/0x1a0
[ 25.733152][ T95] ? ath9k_fatal_work+0x20/0x20
[ 25.737978][ T95] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 25.744023][ T95] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 25.749644][ T95] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 25.756048][ T95] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 25.761320][ T95] ? lockdep_init_map_waits+0x26a/0x7c0
[ 25.766840][ T95] ? __raw_spin_lock_init+0x34/0x100
[ 25.772105][ T95] ? tasklet_init+0x69/0x110
[ 25.776683][ T95] ath9k_htc_probe_device+0x25a/0x1da0
[ 25.782142][ T95] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 25.788791][ T95] ? usb_submit_urb+0x6ed/0x1460
[ 25.793715][ T95] ? usb_free_urb.part.0+0x52/0x110
[ 25.798890][ T95] ? usb_free_urb+0x1b/0x30
[ 25.803368][ T95] ath9k_htc_hw_init+0x31/0x60
[ 25.808108][ T95] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 25.813716][ T95] ? ath9k_hif_usb_resume+0x320/0x320
[ 25.819070][ T95] request_firmware_work_func+0x126/0x242
[ 25.824780][ T95] ? request_firmware_into_buf+0x90/0x90
[ 25.830388][ T95] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.835906][ T95] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.841164][ T95] ? _raw_spin_unlock_irq+0x1f/0x30
[ 25.846343][ T95] process_one_work+0x965/0x1630
[ 25.851272][ T95] ? lock_release+0x720/0x720
[ 25.855925][ T95] ? pwq_dec_nr_in_flight+0x310/0x310
[ 25.861271][ T95] ? rwlock_bug.part.0+0x90/0x90
[ 25.866190][ T95] worker_thread+0x96/0xe20
[ 25.870678][ T95] ? process_one_work+0x1630/0x1630
[ 25.875853][ T95] kthread+0x326/0x430
[ 25.879898][ T95] ? kthread_create_on_node+0xf0/0xf0
[ 25.885243][ T95] ret_from_fork+0x24/0x30
[ 25.889647][ T95]
[ 25.891964][ T95] Allocated by task 95:
[ 25.896106][ T95] save_stack+0x1b/0x40
[ 25.900255][ T95] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 25.905876][ T95] kmem_cache_alloc_node+0xdc/0x330
[ 25.911160][ T95] __alloc_skb+0xba/0x5a0
[ 25.916244][ T95] htc_connect_service+0x2cc/0x840
[ 25.921338][ T95] ath9k_wmi_connect+0xd2/0x1a0
[ 25.926164][ T95] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 25.932552][ T95] ath9k_htc_probe_device+0x25a/0x1da0
[ 25.937990][ T95] ath9k_htc_hw_init+0x31/0x60
[ 25.942749][ T95] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 25.948358][ T95] request_firmware_work_func+0x126/0x242
[ 25.954051][ T95] process_one_work+0x965/0x1630
[ 25.958976][ T95] worker_thread+0x96/0xe20
[ 25.963453][ T95] kthread+0x326/0x430
[ 25.967511][ T95] ret_from_fork+0x24/0x30
[ 25.971896][ T95]
[ 25.974197][ T95] Freed by task 0:
[ 25.977912][ T95] save_stack+0x1b/0x40
[ 25.982043][ T95] __kasan_slab_free+0x117/0x160
[ 25.986957][ T95] kmem_cache_free+0x9b/0x360
[ 25.991624][ T95] kfree_skbmem+0xef/0x1b0
[ 25.996013][ T95] kfree_skb+0x102/0x3d0
[ 26.000230][ T95] ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 26.005850][ T95] hif_usb_regout_cb+0x115/0x1c0
[ 26.010855][ T95] __usb_hcd_giveback_urb+0x29a/0x550
[ 26.016207][ T95] usb_hcd_giveback_urb+0x368/0x420
[ 26.021389][ T95] dummy_timer+0x125e/0x32b4
[ 26.025956][ T95] call_timer_fn+0x1ac/0x700
[ 26.030524][ T95] run_timer_softirq+0x5f9/0x1500
[ 26.035540][ T95] __do_softirq+0x21e/0x9aa
[ 26.040010][ T95]
[ 26.042315][ T95] The buggy address belongs to the object at ffff8881d160fa00
[ 26.042315][ T95] which belongs to the cache skbuff_head_cache of size 224
[ 26.056872][ T95] The buggy address is located 212 bytes inside of
[ 26.056872][ T95] 224-byte region [ffff8881d160fa00, ffff8881d160fae0)
[ 26.070114][ T95] The buggy address belongs to the page:
[ 26.075721][ T95] page:ffffea00074583c0 refcount:1 mapcount:0 mapping:000000003dde93a1 index:0x0
[ 26.084798][ T95] flags: 0x200000000000200(slab)
[ 26.089714][ T95] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 26.098273][ T95] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 26.107697][ T95] page dumped because: kasan: bad access detected
[ 26.114084][ T95]
[ 26.116386][ T95] Memory state around the buggy address:
[ 26.121990][ T95] ffff8881d160f980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.130025][ T95] ffff8881d160fa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.138076][ T95] >ffff8881d160fa80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 26.146129][ T95]                                                  ^
[ 26.152779][ T95] ffff8881d160fb00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 26.160824][ T95] ffff8881d160fb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.168855][ T95] ==================================================================
[ 26.176903][ T95] Disabling lock debugging due to kernel taint
[ 26.183086][ T95] Kernel panic - not syncing: panic_on_warn set ...
[ 26.189675][ T95] CPU: 0 PID: 95 Comm: kworker/0:2 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 26.199200][ T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.209255][ T95] Workqueue: events request_firmware_work_func
[ 26.215404][ T95] Call Trace:
[ 26.218671][ T95] dump_stack+0xef/0x16e
[ 26.222885][ T95] panic+0x2aa/0x6e1
[ 26.226752][ T95] ? add_taint.cold+0x16/0x16
[ 26.231401][ T95] ? retint_kernel+0x10/0x10
[ 26.235975][ T95] ? kfree_skb+0x32/0x3d0
[ 26.240276][ T95] ? trace_hardirqs_on+0x55/0x200
[ 26.245272][ T95] ? kfree_skb+0x32/0x3d0
[ 26.249575][ T95] end_report+0x4d/0x53
[ 26.253703][ T95] __kasan_report.cold+0x72/0x7d
[ 26.258611][ T95] ? kfree_skb+0x32/0x3d0
[ 26.262925][ T95] ? kfree_skb+0x32/0x3d0
[ 26.267243][ T95] kasan_report+0x33/0x50
[ 26.271546][ T95] check_memory_region+0x173/0x1d0
[ 26.276640][ T95] kfree_skb+0x32/0x3d0
[ 26.280770][ T95] htc_connect_service.cold+0xa9/0x109
[ 26.286213][ T95] ath9k_wmi_connect+0xd2/0x1a0
[ 26.291035][ T95] ? ath9k_fatal_work+0x20/0x20
[ 26.295871][ T95] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 26.301910][ T95] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 26.307789][ T95] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 26.314183][ T95] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 26.319455][ T95] ? lockdep_init_map_waits+0x26a/0x7c0
[ 26.324972][ T95] ? __raw_spin_lock_init+0x34/0x100
[ 26.330229][ T95] ? tasklet_init+0x69/0x110
[ 26.334791][ T95] ath9k_htc_probe_device+0x25a/0x1da0
[ 26.340222][ T95] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 26.346866][ T95] ? usb_submit_urb+0x6ed/0x1460
[ 26.351773][ T95] ? usb_free_urb.part.0+0x52/0x110
[ 26.357031][ T95] ? usb_free_urb+0x1b/0x30
[ 26.361526][ T95] ath9k_htc_hw_init+0x31/0x60
[ 26.366275][ T95] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 26.371880][ T95] ? ath9k_hif_usb_resume+0x320/0x320
[ 26.377238][ T95] request_firmware_work_func+0x126/0x242
[ 26.382951][ T95] ? request_firmware_into_buf+0x90/0x90
[ 26.388573][ T95] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.394091][ T95] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 26.399347][ T95] ? _raw_spin_unlock_irq+0x1f/0x30
[ 26.404523][ T95] process_one_work+0x965/0x1630
[ 26.409437][ T95] ? lock_release+0x720/0x720
[ 26.414093][ T95] ? pwq_dec_nr_in_flight+0x310/0x310
[ 26.419488][ T95] ? rwlock_bug.part.0+0x90/0x90
[ 26.424399][ T95] worker_thread+0x96/0xe20
[ 26.428886][ T95] ? process_one_work+0x1630/0x1630
[ 26.434086][ T95] kthread+0x326/0x430
[ 26.438130][ T95] ? kthread_create_on_node+0xf0/0xf0
[ 26.443473][ T95] ret_from_fork+0x24/0x30
[ 26.447919][ T95] Kernel Offset: disabled
[ 26.452223][ T95] Rebooting in 86400 seconds..