Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.
[ 14.789799][ C1] random: crng init done
[ 14.794099][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.14' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 25.302689][ T17] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 25.831075][ T17] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 25.840228][ T17] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 25.848294][ T17] usb 1-1: Product: syz
[ 25.852529][ T17] usb 1-1: Manufacturer: syz
[ 25.857112][ T17] usb 1-1: SerialNumber: syz
[ 25.901880][ T17] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 26.569718][ T17] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 26.971771][ T93] usb 1-1: USB disconnect, device number 2
[ 27.818797][ T17] usb 1-1: Service connection timeout for: 256
[ 27.825097][ T17] ==================================================================
[ 27.833259][ T17] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 27.839977][ T17] Read of size 4 at addr ffff8881ce113d54 by task kworker/1:0/17
[ 27.848282][ T17]
[ 27.850619][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.7.0-rc6-syzkaller #0
[ 27.858746][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.868801][ T17] Workqueue: events request_firmware_work_func
[ 27.874938][ T17] Call Trace:
[ 27.878232][ T17] dump_stack+0xef/0x16e
[ 27.882458][ T17] print_address_description.constprop.0.cold+0xd3/0x415
[ 27.889592][ T17] ? vprintk_func+0x7d/0x113
[ 27.894528][ T17] ? kfree_skb+0x32/0x3d0
[ 27.898992][ T17] __kasan_report.cold+0x37/0x7d
[ 27.904979][ T17] ? kfree_skb+0x32/0x3d0
[ 27.909299][ T17] ? kfree_skb+0x32/0x3d0
[ 27.913611][ T17] kasan_report+0x33/0x50
[ 27.918007][ T17] check_memory_region+0x173/0x1d0
[ 27.923121][ T17] kfree_skb+0x32/0x3d0
[ 27.927958][ T17] htc_connect_service.cold+0xa9/0x109
[ 27.933424][ T17] ath9k_wmi_connect+0xd2/0x1a0
[ 27.938277][ T17] ? ath9k_fatal_work+0x20/0x20
[ 27.943137][ T17] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 27.949205][ T17] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 27.954842][ T17] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 27.961238][ T17] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 27.966522][ T17] ? lockdep_init_map_waits+0x26a/0x7c0
[ 27.972058][ T17] ? __raw_spin_lock_init+0x34/0x100
[ 27.977357][ T17] ? tasklet_init+0x69/0x110
[ 27.981970][ T17] ath9k_htc_probe_device+0x25a/0x1da0
[ 27.987629][ T17] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 27.995309][ T17] ? usb_submit_urb+0x6ed/0x1460
[ 28.000628][ T17] ? usb_free_urb.part.0+0x52/0x110
[ 28.005838][ T17] ? usb_free_urb+0x1b/0x30
[ 28.010407][ T17] ath9k_htc_hw_init+0x31/0x60
[ 28.015173][ T17] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 28.020795][ T17] ? ath9k_hif_usb_resume+0x320/0x320
[ 28.026254][ T17] request_firmware_work_func+0x126/0x242
[ 28.031984][ T17] ? request_firmware_into_buf+0x90/0x90
[ 28.037605][ T17] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 28.043469][ T17] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 28.048743][ T17] ? _raw_spin_unlock_irq+0x1f/0x30
[ 28.053923][ T17] process_one_work+0x965/0x1630
[ 28.058867][ T17] ? lock_release+0x720/0x720
[ 28.063540][ T17] ? pwq_dec_nr_in_flight+0x310/0x310
[ 28.068918][ T17] ? rwlock_bug.part.0+0x90/0x90
[ 28.073941][ T17] worker_thread+0x96/0xe20
[ 28.078440][ T17] ? process_one_work+0x1630/0x1630
[ 28.083651][ T17] kthread+0x326/0x430
[ 28.087704][ T17] ? kthread_create_on_node+0xf0/0xf0
[ 28.093069][ T17] ret_from_fork+0x24/0x30
[ 28.097463][ T17]
[ 28.099778][ T17] Allocated by task 17:
[ 28.104163][ T17] save_stack+0x1b/0x40
[ 28.108755][ T17] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 28.114378][ T17] kmem_cache_alloc_node+0xdc/0x330
[ 28.119572][ T17] __alloc_skb+0xba/0x5a0
[ 28.123904][ T17] htc_connect_service+0x2cc/0x840
[ 28.129131][ T17] ath9k_wmi_connect+0xd2/0x1a0
[ 28.133964][ T17] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 28.140415][ T17] ath9k_htc_probe_device+0x25a/0x1da0
[ 28.145890][ T17] ath9k_htc_hw_init+0x31/0x60
[ 28.150663][ T17] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 28.156291][ T17] request_firmware_work_func+0x126/0x242
[ 28.161987][ T17] process_one_work+0x965/0x1630
[ 28.166912][ T17] worker_thread+0x96/0xe20
[ 28.171393][ T17] kthread+0x326/0x430
[ 28.175442][ T17] ret_from_fork+0x24/0x30
[ 28.179831][ T17]
[ 28.182139][ T17] Freed by task 0:
[ 28.185847][ T17] save_stack+0x1b/0x40
[ 28.189979][ T17] __kasan_slab_free+0x117/0x160
[ 28.194896][ T17] kmem_cache_free+0x9b/0x360
[ 28.199550][ T17] kfree_skbmem+0xef/0x1b0
[ 28.203947][ T17] kfree_skb+0x102/0x3d0
[ 28.208242][ T17] ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 28.213890][ T17] hif_usb_regout_cb+0x115/0x1c0
[ 28.218818][ T17] __usb_hcd_giveback_urb+0x29a/0x550
[ 28.224195][ T17] usb_hcd_giveback_urb+0x368/0x420
[ 28.229394][ T17] dummy_timer+0x125e/0x32b4
[ 28.233987][ T17] call_timer_fn+0x1ac/0x700
[ 28.238646][ T17] run_timer_softirq+0x5f9/0x1500
[ 28.243665][ T17] __do_softirq+0x21e/0x9aa
[ 28.248148][ T17]
[ 28.250455][ T17] The buggy address belongs to the object at ffff8881ce113c80
[ 28.250455][ T17] which belongs to the cache skbuff_head_cache of size 224
[ 28.265020][ T17] The buggy address is located 212 bytes inside of
[ 28.265020][ T17] 224-byte region [ffff8881ce113c80, ffff8881ce113d60)
[ 28.278284][ T17] The buggy address belongs to the page:
[ 28.283894][ T17] page:ffffea00073844c0 refcount:1 mapcount:0 mapping:0000000012d78999 index:0x0
[ 28.293498][ T17] flags: 0x200000000000200(slab)
[ 28.298416][ T17] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 28.306979][ T17] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 28.315551][ T17] page dumped because: kasan: bad access detected
[ 28.321937][ T17]
[ 28.324253][ T17] Memory state around the buggy address:
[ 28.330643][ T17] ffff8881ce113c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.338683][ T17] ffff8881ce113c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.346724][ T17] >ffff8881ce113d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 28.354770][ T17] ^
[ 28.361420][ T17] ffff8881ce113d80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 28.369459][ T17] ffff8881ce113e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.377493][ T17] ==================================================================
[ 28.385537][ T17] Disabling lock debugging due to kernel taint
[ 28.391743][ T17] Kernel panic - not syncing: panic_on_warn set ...
[ 28.398342][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 28.407870][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.418012][ T17] Workqueue: events request_firmware_work_func
[ 28.424148][ T17] Call Trace:
[ 28.427426][ T17] dump_stack+0xef/0x16e
[ 28.431681][ T17] panic+0x2aa/0x6e1
[ 28.435573][ T17] ? add_taint.cold+0x16/0x16
[ 28.440247][ T17] ? retint_kernel+0x10/0x10
[ 28.444820][ T17] ? kfree_skb+0x32/0x3d0
[ 28.449127][ T17] ? trace_hardirqs_on+0x55/0x200
[ 28.454140][ T17] ? kfree_skb+0x32/0x3d0
[ 28.458443][ T17] end_report+0x4d/0x53
[ 28.462590][ T17] __kasan_report.cold+0x72/0x7d
[ 28.467516][ T17] ? kfree_skb+0x32/0x3d0
[ 28.471822][ T17] ? kfree_skb+0x32/0x3d0
[ 28.476129][ T17] kasan_report+0x33/0x50
[ 28.480797][ T17] check_memory_region+0x173/0x1d0
[ 28.485901][ T17] kfree_skb+0x32/0x3d0
[ 28.490051][ T17] htc_connect_service.cold+0xa9/0x109
[ 28.495485][ T17] ath9k_wmi_connect+0xd2/0x1a0
[ 28.500374][ T17] ? ath9k_fatal_work+0x20/0x20
[ 28.505309][ T17] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 28.511360][ T17] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 28.517111][ T17] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 28.523505][ T17] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 28.528912][ T17] ? lockdep_init_map_waits+0x26a/0x7c0
[ 28.534454][ T17] ? __raw_spin_lock_init+0x34/0x100
[ 28.539722][ T17] ? tasklet_init+0x69/0x110
[ 28.544340][ T17] ath9k_htc_probe_device+0x25a/0x1da0
[ 28.549778][ T17] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 28.556568][ T17] ? usb_submit_urb+0x6ed/0x1460
[ 28.561493][ T17] ? usb_free_urb.part.0+0x52/0x110
[ 28.566728][ T17] ? usb_free_urb+0x1b/0x30
[ 28.571223][ T17] ath9k_htc_hw_init+0x31/0x60
[ 28.575970][ T17] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 28.581599][ T17] ? ath9k_hif_usb_resume+0x320/0x320
[ 28.586946][ T17] request_firmware_work_func+0x126/0x242
[ 28.592653][ T17] ? request_firmware_into_buf+0x90/0x90
[ 28.598273][ T17] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 28.603793][ T17] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 28.609059][ T17] ? _raw_spin_unlock_irq+0x1f/0x30
[ 28.614240][ T17] process_one_work+0x965/0x1630
[ 28.619212][ T17] ? lock_release+0x720/0x720
[ 28.623875][ T17] ? pwq_dec_nr_in_flight+0x310/0x310
[ 28.629233][ T17] ? rwlock_bug.part.0+0x90/0x90
[ 28.634170][ T17] worker_thread+0x96/0xe20
[ 28.638649][ T17] ? process_one_work+0x1630/0x1630
[ 28.643834][ T17] kthread+0x326/0x430
[ 28.647882][ T17] ? kthread_create_on_node+0xf0/0xf0
[ 28.653246][ T17] ret_from_fork+0x24/0x30
[ 28.658317][ T17] Kernel Offset: disabled
[ 28.662638][ T17] Rebooting in 86400 seconds..