[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

syzkaller login: [   20.524630][    C1] random: crng init done
[   20.529207][    C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.1.11' (ECDSA) to the list of known hosts.
executing program
[   36.657495][  T167] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   37.187343][  T167] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[   37.196446][  T167] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   37.204480][  T167] usb 1-1: Product: syz
[   37.208704][  T167] usb 1-1: Manufacturer: syz
[   37.213297][  T167] usb 1-1: SerialNumber: syz
[   37.258403][  T167] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[   37.837065][  T167] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[   38.238959][   T22] usb 1-1: USB disconnect, device number 2
[   39.136731][  T167] usb 1-1: Service connection timeout for: 256
[   39.142987][  T167] ==================================================================
[   39.151099][  T167] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[   39.157764][  T167] Read of size 4 at addr ffff8881cd203994 by task kworker/1:3/167
[   39.165536][  T167] 
[   39.167848][  T167] CPU: 1 PID: 167 Comm: kworker/1:3 Not tainted 5.7.0-rc6-syzkaller #0
[   39.176056][  T167] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.186111][  T167] Workqueue: events request_firmware_work_func
[   39.192237][  T167] Call Trace:
[   39.195506][  T167]  dump_stack+0xef/0x16e
[   39.199740][  T167]  print_address_description.constprop.0.cold+0xd3/0x415
[   39.206764][  T167]  ? vprintk_func+0x7d/0x113
[   39.211332][  T167]  ? kfree_skb+0x32/0x3d0
[   39.215637][  T167]  __kasan_report.cold+0x37/0x7d
[   39.220550][  T167]  ? kfree_skb+0x32/0x3d0
[   39.224853][  T167]  ? kfree_skb+0x32/0x3d0
[   39.229159][  T167]  kasan_report+0x33/0x50
[   39.233471][  T167]  check_memory_region+0x173/0x1d0
[   39.238557][  T167]  kfree_skb+0x32/0x3d0
[   39.242709][  T167]  htc_connect_service.cold+0xa9/0x109
[   39.248144][  T167]  ath9k_wmi_connect+0xd2/0x1a0
[   39.252984][  T167]  ? ath9k_fatal_work+0x20/0x20
[   39.257839][  T167]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[   39.263896][  T167]  ? ath9k_wmi_event_tasklet+0x440/0x440
[   39.269522][  T167]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   39.275912][  T167]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[   39.281190][  T167]  ? lockdep_init_map_waits+0x26a/0x7c0
[   39.286726][  T167]  ? __raw_spin_lock_init+0x34/0x100
[   39.291987][  T167]  ? tasklet_init+0x69/0x110
[   39.296565][  T167]  ath9k_htc_probe_device+0x25a/0x1da0
[   39.302030][  T167]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[   39.308700][  T167]  ? usb_submit_urb+0x6ed/0x1460
[   39.313612][  T167]  ? usb_free_urb.part.0+0x52/0x110
[   39.318783][  T167]  ? usb_free_urb+0x1b/0x30
[   39.323267][  T167]  ath9k_htc_hw_init+0x31/0x60
[   39.328020][  T167]  ath9k_hif_usb_firmware_cb+0x274/0x510
[   39.333650][  T167]  ? ath9k_hif_usb_resume+0x320/0x320
[   39.339000][  T167]  request_firmware_work_func+0x126/0x242
[   39.344694][  T167]  ? request_firmware_into_buf+0x90/0x90
[   39.350315][  T167]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   39.355837][  T167]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   39.361174][  T167]  ? _raw_spin_unlock_irq+0x1f/0x30
[   39.366365][  T167]  process_one_work+0x965/0x1630
[   39.371472][  T167]  ? lock_release+0x720/0x720
[   39.376131][  T167]  ? pwq_dec_nr_in_flight+0x310/0x310
[   39.381498][  T167]  ? rwlock_bug.part.0+0x90/0x90
[   39.386423][  T167]  worker_thread+0x96/0xe20
[   39.391444][  T167]  ? process_one_work+0x1630/0x1630
[   39.396618][  T167]  kthread+0x326/0x430
[   39.400669][  T167]  ? kthread_create_on_node+0xf0/0xf0
[   39.406018][  T167]  ret_from_fork+0x24/0x30
[   39.410423][  T167] 
[   39.412729][  T167] Allocated by task 167:
[   39.416952][  T167]  save_stack+0x1b/0x40
[   39.421100][  T167]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   39.426709][  T167]  kmem_cache_alloc_node+0xdc/0x330
[   39.431906][  T167]  __alloc_skb+0xba/0x5a0
[   39.436213][  T167]  htc_connect_service+0x2cc/0x840
[   39.441316][  T167]  ath9k_wmi_connect+0xd2/0x1a0
[   39.446143][  T167]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   39.452535][  T167]  ath9k_htc_probe_device+0x25a/0x1da0
[   39.458073][  T167]  ath9k_htc_hw_init+0x31/0x60
[   39.462815][  T167]  ath9k_hif_usb_firmware_cb+0x274/0x510
[   39.468432][  T167]  request_firmware_work_func+0x126/0x242
[   39.474139][  T167]  process_one_work+0x965/0x1630
[   39.479066][  T167]  worker_thread+0x96/0xe20
[   39.483544][  T167]  kthread+0x326/0x430
[   39.487588][  T167]  ret_from_fork+0x24/0x30
[   39.491975][  T167] 
[   39.494292][  T167] Freed by task 0:
[   39.498030][  T167]  save_stack+0x1b/0x40
[   39.502170][  T167]  __kasan_slab_free+0x117/0x160
[   39.507258][  T167]  kmem_cache_free+0x9b/0x360
[   39.511914][  T167]  kfree_skbmem+0xef/0x1b0
[   39.516307][  T167]  kfree_skb+0x102/0x3d0
[   39.520546][  T167]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[   39.526171][  T167]  hif_usb_regout_cb+0x115/0x1c0
[   39.531099][  T167]  __usb_hcd_giveback_urb+0x29a/0x550
[   39.536460][  T167]  usb_hcd_giveback_urb+0x368/0x420
[   39.541635][  T167]  dummy_timer+0x125e/0x32b4
[   39.546206][  T167]  call_timer_fn+0x1ac/0x700
[   39.550781][  T167]  run_timer_softirq+0x5f9/0x1500
[   39.555782][  T167]  __do_softirq+0x21e/0x9aa
[   39.560268][  T167] 
[   39.562578][  T167] The buggy address belongs to the object at ffff8881cd2038c0
[   39.562578][  T167]  which belongs to the cache skbuff_head_cache of size 224
[   39.577144][  T167] The buggy address is located 212 bytes inside of
[   39.577144][  T167]  224-byte region [ffff8881cd2038c0, ffff8881cd2039a0)
[   39.590384][  T167] The buggy address belongs to the page:
[   39.596007][  T167] page:ffffea00073480c0 refcount:1 mapcount:0 mapping:00000000d0628d69 index:0x0
[   39.605085][  T167] flags: 0x200000000000200(slab)
[   39.610001][  T167] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[   39.618563][  T167] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[   39.627133][  T167] page dumped because: kasan: bad access detected
[   39.633517][  T167] 
[   39.635835][  T167] Memory state around the buggy address:
[   39.641458][  T167]  ffff8881cd203880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   39.649507][  T167]  ffff8881cd203900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.657569][  T167] >ffff8881cd203980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   39.665606][  T167]                          ^
[   39.670180][  T167]  ffff8881cd203a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.678215][  T167]  ffff8881cd203a80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   39.686246][  T167] ==================================================================
[   39.694279][  T167] Disabling lock debugging due to kernel taint
[   39.700481][  T167] Kernel panic - not syncing: panic_on_warn set ...
[   39.707154][  T167] CPU: 1 PID: 167 Comm: kworker/1:3 Tainted: G    B             5.7.0-rc6-syzkaller #0
[   39.719382][  T167] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.729455][  T167] Workqueue: events request_firmware_work_func
[   39.735580][  T167] Call Trace:
[   39.738848][  T167]  dump_stack+0xef/0x16e
[   39.743066][  T167]  panic+0x2aa/0x6e1
[   39.746935][  T167]  ? add_taint.cold+0x16/0x16
[   39.751605][  T167]  ? retint_kernel+0x10/0x10
[   39.756182][  T167]  ? kfree_skb+0x32/0x3d0
[   39.760500][  T167]  ? trace_hardirqs_on+0x55/0x200
[   39.765495][  T167]  ? kfree_skb+0x32/0x3d0
[   39.769815][  T167]  end_report+0x4d/0x53
[   39.773951][  T167]  __kasan_report.cold+0x72/0x7d
[   39.778860][  T167]  ? kfree_skb+0x32/0x3d0
[   39.783175][  T167]  ? kfree_skb+0x32/0x3d0
[   39.787475][  T167]  kasan_report+0x33/0x50
[   39.791793][  T167]  check_memory_region+0x173/0x1d0
[   39.796898][  T167]  kfree_skb+0x32/0x3d0
[   39.801030][  T167]  htc_connect_service.cold+0xa9/0x109
[   39.806461][  T167]  ath9k_wmi_connect+0xd2/0x1a0
[   39.811284][  T167]  ? ath9k_fatal_work+0x20/0x20
[   39.816108][  T167]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[   39.822164][  T167]  ? ath9k_wmi_event_tasklet+0x440/0x440
[   39.827771][  T167]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   39.834158][  T167]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[   39.839416][  T167]  ? lockdep_init_map_waits+0x26a/0x7c0
[   39.844936][  T167]  ? __raw_spin_lock_init+0x34/0x100
[   39.850195][  T167]  ? tasklet_init+0x69/0x110
[   39.854780][  T167]  ath9k_htc_probe_device+0x25a/0x1da0
[   39.860228][  T167]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[   39.866890][  T167]  ? usb_submit_urb+0x6ed/0x1460
[   39.871803][  T167]  ? usb_free_urb.part.0+0x52/0x110
[   39.876988][  T167]  ? usb_free_urb+0x1b/0x30
[   39.881466][  T167]  ath9k_htc_hw_init+0x31/0x60
[   39.886205][  T167]  ath9k_hif_usb_firmware_cb+0x274/0x510
[   39.891834][  T167]  ? ath9k_hif_usb_resume+0x320/0x320
[   39.897180][  T167]  request_firmware_work_func+0x126/0x242
[   39.902882][  T167]  ? request_firmware_into_buf+0x90/0x90
[   39.908492][  T167]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   39.914011][  T167]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   39.919289][  T167]  ? _raw_spin_unlock_irq+0x1f/0x30
[   39.924469][  T167]  process_one_work+0x965/0x1630
[   39.929384][  T167]  ? lock_release+0x720/0x720
[   39.934050][  T167]  ? pwq_dec_nr_in_flight+0x310/0x310
[   39.939395][  T167]  ? rwlock_bug.part.0+0x90/0x90
[   39.944312][  T167]  worker_thread+0x96/0xe20
[   39.948842][  T167]  ? process_one_work+0x1630/0x1630
[   39.954017][  T167]  kthread+0x326/0x430
[   39.958063][  T167]  ? kthread_create_on_node+0xf0/0xf0
[   39.963419][  T167]  ret_from_fork+0x24/0x30
[   39.968366][  T167] Kernel Offset: disabled
[   39.972679][  T167] Rebooting in 86400 seconds..
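What the three stacks above say, read together: the sk_buff was allocated in htc_connect_service (Allocated by task 167), released on the USB side when the host controller gave the regout URB back and ath9k_htc_txcompletion_cb called kfree_skb (Freed by task 0, in softirq context), and then, after the emulated device had been unplugged and "Service connection timeout for: 256" fired, freed a second time from htc_connect_service's error path on the request_firmware workqueue. The 4-byte read at offset 212 of the 224-byte skbuff_head_cache object is consistent with kfree_skb reading the skb's reference count on an object KASAN has already poisoned (the fb shadow bytes). One buffer with two owners, where the second free is only reached on the timeout path, so the bug is invisible until the device disappears mid-probe; here syzkaller did that through dummy_hcd with an emulated device carrying the AR9271 IDs (0cf3:9271), which is the same thing a hostile USB device can do to a host that loads ath9k_htc. Without KASAN this is a silent double free in a shared slab cache; with panic_on_warn it is the reboot at the end of the log.

The following user-space C model is an added illustration of that ownership pattern, not ath9k driver code and not the upstream patch. It replaces the slab with a one-slot cache carrying a KASAN-style poison bit, counts bad accesses instead of panicking, and contrasts the buggy shape (timeout path frees an skb the completion callback already released) with the corrected shape (once the send is issued the caller never touches the skb again). All *_model names and the device_gone flag are assumptions for the demonstration; the completion callback is run synchronously to stand in for the softirq that in the real trace won the race.

```c
/* Added model of the double-ownership bug in the KASAN report above.
 * Not ath9k code: every *_model name is an assumption for illustration. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct skb_model {
	bool poisoned;       /* stands in for the KASAN "fb" shadow bytes */
	unsigned users;      /* stands in for skb->users, which kfree_skb reads */
	unsigned char data[16];
};

static struct skb_model slab_slot;   /* one-object slab cache */
static int uaf_reports;              /* bad accesses seen by the "sanitizer" */

static struct skb_model *alloc_skb_model(void)
{
	slab_slot.poisoned = false;
	slab_slot.users = 1;
	return &slab_slot;
}

/* kfree_skb: reading the refcount of a freed object is the "Read of size 4"
 * in the report; here it is caught and counted instead of crashing. */
static void kfree_skb_model(struct skb_model *skb)
{
	if (skb->poisoned) {
		uaf_reports++;
		return;
	}
	if (--skb->users == 0)
		skb->poisoned = true;    /* object returned to the slab */
}

/* USB TX completion (the "Freed by task 0" stack): once the URB has been
 * submitted this path owns the skb and releases it. It runs even after a
 * disconnect, because the host controller gives every submitted URB back. */
static void txcompletion_cb_model(struct skb_model *skb)
{
	kfree_skb_model(skb);
}

static void issue_send_model(struct skb_model *skb)
{
	txcompletion_cb_model(skb);  /* completion ordered before the wait expires */
}

/* Buggy shape: the timeout error path frees an skb the completion callback
 * already freed. device_gone models the "USB disconnect" in the log, after
 * which no connect response can arrive and the wait times out. */
static int htc_connect_service_buggy(bool device_gone)
{
	struct skb_model *skb = alloc_skb_model();

	issue_send_model(skb);
	if (device_gone) {
		kfree_skb_model(skb);    /* second free: the reported UAF */
		return -ETIMEDOUT;
	}
	return 0;
}

/* Corrected shape: after issue_send the skb belongs to the completion path,
 * so the timeout path only reports the error. */
static int htc_connect_service_fixed(bool device_gone)
{
	struct skb_model *skb = alloc_skb_model();

	issue_send_model(skb);
	return device_gone ? -ETIMEDOUT : 0;
}

/* Runs one connect attempt and returns how many sanitizer reports it caused. */
static int run_scenario(int (*attempt)(bool), bool device_gone)
{
	uaf_reports = 0;
	attempt(device_gone);
	return uaf_reports;
}

int main(void)
{
	printf("buggy, device gone:  %d report(s)\n",
	       run_scenario(htc_connect_service_buggy, true));
	printf("buggy, device alive: %d report(s)\n",
	       run_scenario(htc_connect_service_buggy, false));
	printf("fixed, device gone:  %d report(s)\n",
	       run_scenario(htc_connect_service_fixed, true));
	return 0;
}
```

The model makes the triage point checkable: the buggy shape only misbehaves when the device is gone, which is why a fuzzer that can unplug an emulated USB device mid-probe finds it and ordinary use does not. The review question it encodes for any driver with a completion callback that frees the buffer is simply "which error paths of the submitter still reference the buffer after submission?"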