[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

syzkaller login: [ 16.378738][ C1] random: crng init done
[ 16.383271][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.0.76' (ECDSA) to the list of known hosts.
executing program
[ 23.262002][ T17] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 23.780970][ T17] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 23.790595][ T17] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 23.799085][ T17] usb 1-1: Product: syz
[ 23.803322][ T17] usb 1-1: Manufacturer: syz
[ 23.808219][ T17] usb 1-1: SerialNumber: syz
[ 23.852640][ T17] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 24.440366][ T17] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 24.842128][ T83] usb 1-1: USB disconnect, device number 2
[ 25.679336][ T17] usb 1-1: Service connection timeout for: 256
[ 25.685928][ T17] ==================================================================
[ 25.694080][ T17] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 25.700752][ T17] Read of size 4 at addr ffff8881c6acfd54 by task kworker/1:0/17
[ 25.708441][ T17]
[ 25.710774][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.7.0-rc6-syzkaller #0
[ 25.719090][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.729147][ T17] Workqueue: events request_firmware_work_func
[ 25.735482][ T17] Call Trace:
[ 25.738768][ T17]  dump_stack+0xef/0x16e
[ 25.743215][ T17]  print_address_description.constprop.0.cold+0xd3/0x415
[ 25.750231][ T17]  ? vprintk_func+0x7d/0x113
[ 25.754894][ T17]  ? kfree_skb+0x32/0x3d0
[ 25.759225][ T17]  __kasan_report.cold+0x37/0x7d
[ 25.764150][ T17]  ? kfree_skb+0x32/0x3d0
[ 25.768730][ T17]  ? kfree_skb+0x32/0x3d0
[ 25.773051][ T17]  kasan_report+0x33/0x50
[ 25.777476][ T17]  check_memory_region+0x173/0x1d0
[ 25.782586][ T17]  kfree_skb+0x32/0x3d0
[ 25.787179][ T17]  htc_connect_service.cold+0xa9/0x109
[ 25.792740][ T17]  ath9k_wmi_connect+0xd2/0x1a0
[ 25.797724][ T17]  ? ath9k_fatal_work+0x20/0x20
[ 25.802582][ T17]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 25.808637][ T17]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 25.814278][ T17]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 25.820736][ T17]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 25.826118][ T17]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 25.831678][ T17]  ? __raw_spin_lock_init+0x34/0x100
[ 25.836955][ T17]  ? tasklet_init+0x69/0x110
[ 25.841811][ T17]  ath9k_htc_probe_device+0x25a/0x1da0
[ 25.847694][ T17]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 25.854455][ T17]  ? usb_submit_urb+0x6ed/0x1460
[ 25.859517][ T17]  ? usb_free_urb.part.0+0x52/0x110
[ 25.864761][ T17]  ? usb_free_urb+0x1b/0x30
[ 25.869345][ T17]  ath9k_htc_hw_init+0x31/0x60
[ 25.874116][ T17]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 25.879741][ T17]  ? ath9k_hif_usb_resume+0x320/0x320
[ 25.885183][ T17]  request_firmware_work_func+0x126/0x242
[ 25.890887][ T17]  ? request_firmware_into_buf+0x90/0x90
[ 25.896675][ T17]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.902514][ T17]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.907780][ T17]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 25.912967][ T17]  process_one_work+0x965/0x1630
[ 25.917919][ T17]  ? lock_release+0x720/0x720
[ 25.922581][ T17]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 25.927937][ T17]  ? rwlock_bug.part.0+0x90/0x90
[ 25.932855][ T17]  worker_thread+0x96/0xe20
[ 25.937386][ T17]  ? process_one_work+0x1630/0x1630
[ 25.942580][ T17]  kthread+0x326/0x430
[ 25.946657][ T17]  ? kthread_create_on_node+0xf0/0xf0
[ 25.952022][ T17]  ret_from_fork+0x24/0x30
[ 25.956426][ T17]
[ 25.958741][ T17] Allocated by task 17:
[ 25.962886][ T17]  save_stack+0x1b/0x40
[ 25.967154][ T17]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 25.972948][ T17]  kmem_cache_alloc_node+0xdc/0x330
[ 25.978225][ T17]  __alloc_skb+0xba/0x5a0
[ 25.982541][ T17]  htc_connect_service+0x2cc/0x840
[ 25.988779][ T17]  ath9k_wmi_connect+0xd2/0x1a0
[ 25.993726][ T17]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 26.000142][ T17]  ath9k_htc_probe_device+0x25a/0x1da0
[ 26.005610][ T17]  ath9k_htc_hw_init+0x31/0x60
[ 26.010357][ T17]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 26.015980][ T17]  request_firmware_work_func+0x126/0x242
[ 26.021679][ T17]  process_one_work+0x965/0x1630
[ 26.026592][ T17]  worker_thread+0x96/0xe20
[ 26.031080][ T17]  kthread+0x326/0x430
[ 26.036892][ T17]  ret_from_fork+0x24/0x30
[ 26.041293][ T17]
[ 26.043603][ T17] Freed by task 0:
[ 26.047304][ T17]  save_stack+0x1b/0x40
[ 26.051441][ T17]  __kasan_slab_free+0x117/0x160
[ 26.056461][ T17]  kmem_cache_free+0x9b/0x360
[ 26.061137][ T17]  kfree_skbmem+0xef/0x1b0
[ 26.065576][ T17]  kfree_skb+0x102/0x3d0
[ 26.070330][ T17]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 26.075948][ T17]  hif_usb_regout_cb+0x115/0x1c0
[ 26.080866][ T17]  __usb_hcd_giveback_urb+0x29a/0x550
[ 26.086239][ T17]  usb_hcd_giveback_urb+0x368/0x420
[ 26.091426][ T17]  dummy_timer+0x125e/0x32b4
[ 26.095995][ T17]  call_timer_fn+0x1ac/0x700
[ 26.100763][ T17]  run_timer_softirq+0x5f9/0x1500
[ 26.105808][ T17]  __do_softirq+0x21e/0x9aa
[ 26.110300][ T17]
[ 26.112629][ T17] The buggy address belongs to the object at ffff8881c6acfc80
[ 26.112629][ T17]  which belongs to the cache skbuff_head_cache of size 224
[ 26.127201][ T17] The buggy address is located 212 bytes inside of
[ 26.127201][ T17]  224-byte region [ffff8881c6acfc80, ffff8881c6acfd60)
[ 26.140451][ T17] The buggy address belongs to the page:
[ 26.146094][ T17] page:ffffea00071ab3c0 refcount:1 mapcount:0 mapping:00000000a1d5c73f index:0x0
[ 26.155323][ T17] flags: 0x200000000000200(slab)
[ 26.160249][ T17] raw: 0200000000000200 ffffea000736e540 0000000e00000003 ffff8881da175400
[ 26.168818][ T17] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 26.177377][ T17] page dumped because: kasan: bad access detected
[ 26.183777][ T17]
[ 26.186094][ T17] Memory state around the buggy address:
[ 26.191788][ T17]  ffff8881c6acfc00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.199840][ T17]  ffff8881c6acfc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.208228][ T17] >ffff8881c6acfd00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 26.216276][ T17]                                                  ^
[ 26.222938][ T17]  ffff8881c6acfd80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 26.231267][ T17]  ffff8881c6acfe00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.239308][ T17] ==================================================================
[ 26.250645][ T17] Disabling lock debugging due to kernel taint
[ 26.256873][ T17] Kernel panic - not syncing: panic_on_warn set ...
[ 26.263463][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Tainted: G    B             5.7.0-rc6-syzkaller #0
[ 26.272999][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.283062][ T17] Workqueue: events request_firmware_work_func
[ 26.289202][ T17] Call Trace:
[ 26.292537][ T17]  dump_stack+0xef/0x16e
[ 26.296757][ T17]  panic+0x2aa/0x6e1
[ 26.300626][ T17]  ? add_taint.cold+0x16/0x16
[ 26.305278][ T17]  ? retint_kernel+0x10/0x10
[ 26.310277][ T17]  ? kfree_skb+0x32/0x3d0
[ 26.314594][ T17]  ? trace_hardirqs_on+0x55/0x200
[ 26.319603][ T17]  ? kfree_skb+0x32/0x3d0
[ 26.323911][ T17]  end_report+0x4d/0x53
[ 26.328139][ T17]  __kasan_report.cold+0x72/0x7d
[ 26.333146][ T17]  ? kfree_skb+0x32/0x3d0
[ 26.337465][ T17]  ? kfree_skb+0x32/0x3d0
[ 26.341806][ T17]  kasan_report+0x33/0x50
[ 26.346110][ T17]  check_memory_region+0x173/0x1d0
[ 26.351215][ T17]  kfree_skb+0x32/0x3d0
[ 26.355789][ T17]  htc_connect_service.cold+0xa9/0x109
[ 26.361223][ T17]  ath9k_wmi_connect+0xd2/0x1a0
[ 26.366047][ T17]  ? ath9k_fatal_work+0x20/0x20
[ 26.370872][ T17]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 26.376934][ T17]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 26.382549][ T17]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 26.389228][ T17]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 26.394493][ T17]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 26.400124][ T17]  ? __raw_spin_lock_init+0x34/0x100
[ 26.405481][ T17]  ? tasklet_init+0x69/0x110
[ 26.410238][ T17]  ath9k_htc_probe_device+0x25a/0x1da0
[ 26.415948][ T17]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 26.424794][ T17]  ? usb_submit_urb+0x6ed/0x1460
[ 26.429793][ T17]  ? usb_free_urb.part.0+0x52/0x110
[ 26.434981][ T17]  ? usb_free_urb+0x1b/0x30
[ 26.440259][ T17]  ath9k_htc_hw_init+0x31/0x60
[ 26.445012][ T17]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 26.450635][ T17]  ? ath9k_hif_usb_resume+0x320/0x320
[ 26.455984][ T17]  request_firmware_work_func+0x126/0x242
[ 26.461698][ T17]  ? request_firmware_into_buf+0x90/0x90
[ 26.467436][ T17]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.472964][ T17]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 26.478240][ T17]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 26.483417][ T17]  process_one_work+0x965/0x1630
[ 26.488508][ T17]  ? lock_release+0x720/0x720
[ 26.493166][ T17]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 26.498537][ T17]  ? rwlock_bug.part.0+0x90/0x90
[ 26.503470][ T17]  worker_thread+0x96/0xe20
[ 26.507958][ T17]  ? process_one_work+0x1630/0x1630
[ 26.513146][ T17]  kthread+0x326/0x430
[ 26.517255][ T17]  ? kthread_create_on_node+0xf0/0xf0
[ 26.522712][ T17]  ret_from_fork+0x24/0x30
[ 26.528235][ T17] Kernel Offset: disabled
[ 26.532676][ T17] Rebooting in 86400 seconds..