./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor4079507471
<...>
DUID 00:04:c5:78:79:07:21:f0:b3:e0:09:b6:1a:d6:4d:97:86:4f
forked to background, child pid 3186
[ 26.254768][ T3187] 8021q: adding VLAN 0 to HW filter on device bond0
[ 26.264820][ T3187] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.0.230' (ECDSA) to the list of known hosts.
execve("./syz-executor4079507471", ["./syz-executor4079507471"], 0x7fff99f93b30 /* 10 vars */) = 0
brk(NULL) = 0x555556aae000
brk(0x555556aaec40) = 0x555556aaec40
arch_prctl(ARCH_SET_FS, 0x555556aae300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor4079507471", 4096) = 28
brk(0x555556acfc40) = 0x555556acfc40
brk(0x555556ad0000) = 0x555556ad0000
mprotect(0x7febd31fa000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3609 attached
, child_tidptr=0x555556aae5d0) = 3609
[pid 3609] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 3609] setpgid(0, 0) = 0
[pid 3609] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 3609] write(3, "1000", 4) = 4
[pid 3609] close(3) = 0
[pid 3609] openat(AT_FDCWD, "/dev/raw-gadget", O_RDWR) = 3
[pid 3609] ioctl(3, USB_RAW_IOCTL_INIT, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 18
syzkaller login: [ 48.828505][ T141] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 18
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 9
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 72
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 4
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 8
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 8
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 8
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_VBUS_DRAW, 0xfa) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_CONFIGURE, 0) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7febd320046c) = 9
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7febd320047c) = 10
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7febd320048c) = 12
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7febd320049c) = 11
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7febd32004ac) = 13
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7febd32004bc) = 14
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 0
[ 49.438709][ T141] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 49.448276][ T141] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 49.456784][ T141] usb 1-1: Product: syz
[ 49.461228][ T141] usb 1-1: Manufacturer: syz
[ 49.465821][ T141] usb 1-1: SerialNumber: syz
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[ 49.511548][ T141] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 1856
[pid 3609] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 0
[ 50.238546][ T141] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffe7e0465b0) = 0
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffe7e0465b0) = 316
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffe7e0465b0) = 0
[pid 3609] close(-1) = -1 EBADF (Bad file descriptor)
[pid 3609] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffe7e0465b0) = 16
[ 51.278736][ T141] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[ 51.285887][ T141] ath9k_htc: Failed to initialize the device
[pid 3609] exit_group(0) = ?
[pid 3609] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3609, si_uid=0, si_status=0, si_utime=0, si_stime=2} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556aae5d0) = 3613
./strace-static-x86_64: Process 3613 attached
[pid 3613] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 3613] setpgid(0, 0) = 0
[pid 3613] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 3613] write(3, "1000", 4) = 4
[pid 3613] close(3) = 0
[pid 3613] openat(AT_FDCWD, "/dev/raw-gadget", O_RDWR) = 3
[pid 3613] ioctl(3, USB_RAW_IOCTL_INIT, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[ 51.473177][ T14] usb 1-1: USB disconnect, device number 2
[ 51.501672][ T14] usb 1-1: ath9k_htc: USB layer deinitialized
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[ 51.878491][ T14] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 18
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 18
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 9
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 72
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 4
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 8
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 8
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 8
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_VBUS_DRAW, 0xfa) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_CONFIGURE, 0) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7febd320046c) = 9
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7febd320047c) = 10
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7febd320048c) = 12
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7febd320049c) = 11
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7febd32004ac) = 13
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7febd32004bc) = 14
[ 52.498584][ T14] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 52.507842][ T14] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 52.515892][ T14] usb 1-1: Product: syz
[ 52.520084][ T14] usb 1-1: Manufacturer: syz
[ 52.524668][ T14] usb 1-1: SerialNumber: syz
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[ 52.569376][ T14] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 1856
[pid 3613] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 0
[ 53.328554][ T3614] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffe7e0465b0) = 0
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffe7e0465b0) = 316
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffe7e0465b0) = 0
[pid 3613] close(-1) = -1 EBADF (Bad file descriptor)
[pid 3613] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffe7e0465b0) = 16
[ 54.398448][ T3614] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[ 54.405423][ T3614] ath9k_htc: Failed to initialize the device
[pid 3613] exit_group(0) = ?
[pid 3613] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3613, si_uid=0, si_status=0, si_utime=0, si_stime=2} ---
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556aae5d0) = 3615
./strace-static-x86_64: Process 3615 attached
[pid 3615] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 3615] setpgid(0, 0) = 0
[pid 3615] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 3615] write(3, "1000", 4) = 4
[pid 3615] close(3) = 0
[pid 3615] openat(AT_FDCWD, "/dev/raw-gadget", O_RDWR) = 3
[pid 3615] ioctl(3, USB_RAW_IOCTL_INIT, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[ 54.556865][ T22] usb 1-1: USB disconnect, device number 3
[ 54.573956][ T22] usb 1-1: ath9k_htc: USB layer deinitialized
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 18
[ 54.928490][ T22] usb 1-1: new high-speed USB device number 4 using dummy_hcd
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 18
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 9
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 72
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 4
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 8
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 8
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe7e045570) = 8
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_VBUS_DRAW, 0xfa) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_CONFIGURE, 0) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7febd320046c) = 9
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7febd320047c) = 10
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7febd320048c) = 12
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7febd320049c) = 11
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7febd32004ac) = 13
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7febd32004bc) = 14
[ 55.448576][ T22] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 55.457640][ T22] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 55.466413][ T22] usb 1-1: Product: syz
[ 55.470937][ T22] usb 1-1: Manufacturer: syz
[ 55.476388][ T22] usb 1-1: SerialNumber: syz
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[ 55.519243][ T22] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 4096
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 1856
[pid 3615] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe7e046580) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe7e045570) = 0
[ 56.088540][ T26] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffe7e0465b0) = 0
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffe7e0465b0) = 316
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffe7e0465b0) = 0
[pid 3615] close(-1) = -1 EBADF (Bad file descriptor)
[pid 3615] ioctl(3, USB_RAW_IOCTL_EP_WRITE, 0x7ffe7e0465b0) = 16
[ 57.118489][ T26] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[ 57.125522][ T26] ath9k_htc: Failed to initialize the device
[ 57.131595][ C1] ==================================================================
[ 57.131603][ C1] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0xea7/0x10d0
[ 57.131637][ C1] Read of size 4 at addr ffff888073f742e8 by task kworker/1:1/26
[ 57.131648][ C1]
[ 57.131652][ C1] CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 5.19.0-rc7-syzkaller #0
[ 57.131665][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
[ 57.131673][ C1] Workqueue: events request_firmware_work_func
[ 57.131691][ C1] Call Trace:
[ 57.131697][ C1]
[ 57.131706][ C1] dump_stack_lvl+0xcd/0x134
[ 57.131734][ C1] print_address_description.constprop.0.cold+0xeb/0x495
[ 57.131765][ C1] ? ath9k_hif_usb_rx_cb+0xea7/0x10d0
[ 57.131792][ C1] kasan_report.cold+0xf4/0x1c6
[ 57.131817][ C1] ? ath9k_hif_usb_rx_cb+0xea7/0x10d0
[ 57.131846][ C1] ath9k_hif_usb_rx_cb+0xea7/0x10d0
[ 57.131875][ C1] ? ww_mutex_trylock+0x560/0xcb0
[ 57.131907][ C1] ? hif_usb_start+0xa0/0xa0
[ 57.131932][ C1] ? rwlock_bug.part.0+0x90/0x90
[ 57.131964][ C1] __usb_hcd_giveback_urb+0x2b0/0x5c0
[ 57.131994][ C1] usb_hcd_giveback_urb+0x367/0x410
[ 57.132021][ C1] dummy_timer+0x11f9/0x32b0
[ 57.132065][ C1] ? dummy_dequeue+0x500/0x500
[ 57.132096][ C1] ? dummy_dequeue+0x500/0x500
[ 57.132122][ C1] call_timer_fn+0x1a5/0x6b0
[ 57.132146][ C1] ? timer_fixup_activate+0x350/0x350
[ 57.132173][ C1] ? _raw_spin_unlock_irq+0x1f/0x40
[ 57.132197][ C1] ? _raw_spin_unlock_irq+0x1f/0x40
[ 57.132221][ C1] ? dummy_dequeue+0x500/0x500
[ 57.132249][ C1] __run_timers.part.0+0x679/0xa80
[ 57.132278][ C1] ? call_timer_fn+0x6b0/0x6b0
[ 57.132304][ C1] ? __wake_up_locked_sync_key+0x20/0x20
[ 57.132335][ C1] run_timer_softirq+0xb3/0x1d0
[ 57.132360][ C1] __do_softirq+0x29b/0x9c2
[ 57.132391][ C1] __irq_exit_rcu+0x123/0x180
[ 57.132411][ C1] irq_exit_rcu+0x5/0x20
[ 57.132427][ C1] sysvec_apic_timer_interrupt+0x93/0xc0
[ 57.132449][ C1]
[ 57.132455][ C1]
[ 57.132461][ C1] asm_sysvec_apic_timer_interrupt+0x16/0x20
[ 57.132487][ C1] RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x60
[ 57.132516][ C1] Code: 48 89 ef 5d e9 e1 1a 4c 00 5d be 03 00 00 00 e9 76 26 82 02 66 0f 1f 44 00 00 48 8b be a8 01 00 00 e8 b4 ff ff ff 31 c0 c3 90 <65> 8b 05 d9 02 88 7e 89 c1 48 8b 34 24 81 e1 00 01 00 00 65 48 8b
[ 57.132539][ C1] RSP: 0018:ffffc90000a1f8a0 EFLAGS: 00000293
[ 57.132568][ C1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 57.132583][ C1] RDX: ffff8880166b9d80 RSI: ffffffff81608f85 RDI: 0000000000000007
[ 57.132599][ C1] RBP: ffffc90000a1fa48 R08: 0000000000000007 R09: 0000000000000000
[ 57.132614][ C1] R10: 0000000000000200 R11: 0000000000000001 R12: 0000000000000001
[ 57.132628][ C1] R13: ffffffff90f13d20 R14: 0000000000000200 R15: ffffffff8c81be58
[ 57.132649][ C1] ? console_emit_next_record.constprop.0+0x4f5/0x840
[ 57.132676][ C1] console_emit_next_record.constprop.0+0x4fb/0x840
[ 57.132704][ C1] ? devkmsg_read+0x730/0x730
[ 57.132730][ C1] ? lock_release+0x780/0x780
[ 57.132752][ C1] console_unlock+0x37a/0x5a0
[ 57.132778][ C1] ? console_emit_next_record.constprop.0+0x840/0x840
[ 57.132801][ C1] ? __down_trylock_console_sem+0x108/0x120
[ 57.132827][ C1] ? kmsg_dump+0x240/0x260
[ 57.132844][ C1] ? vprintk+0x80/0x90
[ 57.132864][ C1] vprintk_emit+0x1b9/0x5f0
[ 57.132885][ C1] vprintk+0x80/0x90
[ 57.132904][ C1] _printk+0xba/0xed
[ 57.132924][ C1] ? record_print_text.cold+0x16/0x16
[ 57.132946][ C1] ? usb_free_urb+0x5c/0x110
[ 57.132967][ C1] ? ath9k_htc_hw_init.cold+0x5/0x1c
[ 57.132995][ C1] ath9k_htc_hw_init.cold+0x17/0x1c
[ 57.133021][ C1] ath9k_hif_usb_firmware_cb+0x274/0x530
[ 57.133049][ C1] ? ath9k_hif_usb_alloc_urbs+0x1050/0x1050
[ 57.133076][ C1] request_firmware_work_func+0x12c/0x230
[ 57.133103][ C1] ? request_partial_firmware_into_buf+0xa0/0xa0
[ 57.133133][ C1] process_one_work+0x996/0x1610
[ 57.133159][ C1] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 57.133184][ C1] ? rwlock_bug.part.0+0x90/0x90
[ 57.133205][ C1] ? _raw_spin_lock_irq+0x41/0x50
[ 57.133232][ C1] worker_thread+0x665/0x1080
[ 57.133262][ C1] ? process_one_work+0x1610/0x1610
[ 57.133288][ C1] kthread+0x2e9/0x3a0
[ 57.133310][ C1] ? kthread_complete_and_exit+0x40/0x40
[ 57.133335][ C1] ret_from_fork+0x1f/0x30
[ 57.133368][ C1]
[ 57.133376][ C1]
[ 57.133380][ C1] The buggy address belongs to the physical page:
[ 57.133388][ C1] page:ffffea0001cfdd00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x73f74
[ 57.133412][ C1] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 57.133441][ C1] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
[ 57.133463][ C1] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 57.133475][ C1] page dumped because: kasan: bad access detected
[ 57.133485][ C1] page_owner tracks the page as freed
[ 57.133490][ C1] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 26, tgid 26 (kworker/1:1), ts 56099917170, free_ts 57125471522
[ 57.133529][ C1] get_page_from_freelist+0x1290/0x3b70
[ 57.133561][ C1] __alloc_pages+0x1c7/0x510
[ 57.133582][ C1] alloc_pages+0x1aa/0x310
[ 57.133600][ C1] kmalloc_order+0x34/0xf0
[ 57.133623][ C1] kmalloc_order_trace+0x14/0x120
[ 57.133647][ C1] wiphy_new_nm+0x6f0/0x2080
[ 57.133671][ C1] ieee80211_alloc_hw_nm+0x373/0x2270
[ 57.133694][ C1] ath9k_htc_probe_device+0x97/0x1f00
[ 57.133714][ C1] ath9k_htc_hw_init+0x31/0x60
[ 57.133737][ C1] ath9k_hif_usb_firmware_cb+0x274/0x530
[ 57.133761][ C1] request_firmware_work_func+0x12c/0x230
[ 57.133784][ C1] process_one_work+0x996/0x1610
[ 57.133803][ C1] worker_thread+0x665/0x1080
[ 57.133823][ C1] kthread+0x2e9/0x3a0
[ 57.133842][ C1] ret_from_fork+0x1f/0x30
[ 57.133864][ C1] page last free stack trace:
[ 57.133870][ C1] free_pcp_prepare+0x549/0xd20
[ 57.133890][ C1] free_unref_page+0x19/0x6a0
[ 57.133910][ C1] device_release+0x9f/0x240
[ 57.133930][ C1] kobject_put+0x1c8/0x540
[ 57.133951][ C1] put_device+0x1b/0x30
[ 57.133970][ C1] ath9k_htc_probe_device+0x1c7/0x1f00
[ 57.133993][ C1] ath9k_htc_hw_init+0x31/0x60
[ 57.134017][ C1] ath9k_hif_usb_firmware_cb+0x274/0x530
[ 57.134042][ C1] request_firmware_work_func+0x12c/0x230
[ 57.134064][ C1] process_one_work+0x996/0x1610
[ 57.134085][ C1] worker_thread+0x665/0x1080
[ 57.134106][ C1] kthread+0x2e9/0x3a0
[ 57.134124][ C1] ret_from_fork+0x1f/0x30
[ 57.134147][ C1]
[ 57.134151][ C1] Memory state around the buggy address:
[ 57.134161][ C1] ffff888073f74180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 57.134177][ C1] ffff888073f74200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 57.134193][ C1] >ffff888073f74280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 57.134204][ C1] ^
[ 57.134215][ C1] ffff888073f74300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 57.134230][ C1] ffff888073f74380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 57.134242][ C1] ==================================================================
[ 57.134250][ C1] Kernel panic - not syncing: panic_on_warn set ...
[ 57.134259][ C1] CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 5.19.0-rc7-syzkaller #0
[ 57.134280][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
[ 57.134295][ C1] Workqueue: events request_firmware_work_func
[ 57.134318][ C1] Call Trace:
[ 57.134324][ C1]
[ 57.134331][ C1] dump_stack_lvl+0xcd/0x134
[ 57.134358][ C1] panic+0x2d7/0x636
[ 57.134380][ C1] ? panic_print_sys_info.part.0+0x10b/0x10b
[ 57.134413][ C1] ? ath9k_hif_usb_rx_cb+0xea7/0x10d0
[ 57.134440][ C1] end_report.part.0+0x3f/0x7c
[ 57.134464][ C1] kasan_report.cold+0x93/0x1c6
[ 57.134489][ C1] ? ath9k_hif_usb_rx_cb+0xea7/0x10d0
[ 57.134517][ C1] ath9k_hif_usb_rx_cb+0xea7/0x10d0
[ 57.134545][ C1] ? ww_mutex_trylock+0x560/0xcb0
[ 57.134587][ C1] ? hif_usb_start+0xa0/0xa0
[ 57.134612][ C1] ? rwlock_bug.part.0+0x90/0x90
[ 57.134642][ C1] __usb_hcd_giveback_urb+0x2b0/0x5c0
[ 57.134668][ C1] usb_hcd_giveback_urb+0x367/0x410
[ 57.134696][ C1] dummy_timer+0x11f9/0x32b0
[ 57.134739][ C1] ? dummy_dequeue+0x500/0x500
[ 57.134769][ C1] ? dummy_dequeue+0x500/0x500
[ 57.134795][ C1] call_timer_fn+0x1a5/0x6b0
[ 57.134817][ C1] ? timer_fixup_activate+0x350/0x350
[ 57.134842][ C1] ? _raw_spin_unlock_irq+0x1f/0x40
[ 57.134866][ C1] ? _raw_spin_unlock_irq+0x1f/0x40
[ 57.134891][ C1] ? dummy_dequeue+0x500/0x500
[ 57.134918][ C1] __run_timers.part.0+0x679/0xa80
[ 57.134945][ C1] ? call_timer_fn+0x6b0/0x6b0
[ 57.134969][ C1] ? __wake_up_locked_sync_key+0x20/0x20
[ 57.134996][ C1] run_timer_softirq+0xb3/0x1d0
[ 57.135019][ C1] __do_softirq+0x29b/0x9c2
[ 57.135048][ C1] __irq_exit_rcu+0x123/0x180
[ 57.135112][ C1] irq_exit_rcu+0x5/0x20
[ 57.135138][ C1] sysvec_apic_timer_interrupt+0x93/0xc0
[ 57.135167][ C1]
[ 57.135174][ C1]
[ 57.135181][ C1] asm_sysvec_apic_timer_interrupt+0x16/0x20
[ 57.135211][ C1] RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x60
[ 57.135241][ C1] Code: 48 89 ef 5d e9 e1 1a 4c 00 5d be 03 00 00 00 e9 76 26 82 02 66 0f 1f 44 00 00 48 8b be a8 01 00 00 e8 b4 ff ff ff 31 c0 c3 90 <65> 8b 05 d9 02 88 7e 89 c1 48 8b 34 24 81 e1 00 01 00 00 65 48 8b
[ 57.135263][ C1] RSP: 0018:ffffc90000a1f8a0 EFLAGS: 00000293
[ 57.135283][ C1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 57.135298][ C1] RDX: ffff8880166b9d80 RSI: ffffffff81608f85 RDI: 0000000000000007
[ 57.135311][ C1] RBP: ffffc90000a1fa48 R08: 0000000000000007 R09: 0000000000000000
[ 57.135322][ C1] R10: 0000000000000200 R11: 0000000000000001 R12: 0000000000000001
[ 57.135333][ C1] R13: ffffffff90f13d20 R14: 0000000000000200 R15: ffffffff8c81be58
[ 57.135350][ C1] ? console_emit_next_record.constprop.0+0x4f5/0x840
[ 57.135377][ C1] console_emit_next_record.constprop.0+0x4fb/0x840
[ 57.135405][ C1] ? devkmsg_read+0x730/0x730
[ 57.135431][ C1] ? lock_release+0x780/0x780
[ 57.135450][ C1] console_unlock+0x37a/0x5a0
[ 57.135470][ C1] ? console_emit_next_record.constprop.0+0x840/0x840
[ 57.135497][ C1] ? __down_trylock_console_sem+0x108/0x120
[ 57.135523][ C1] ? kmsg_dump+0x240/0x260
[ 57.135545][ C1] ? vprintk+0x80/0x90
[ 57.135574][ C1] vprintk_emit+0x1b9/0x5f0
[ 57.135598][ C1] vprintk+0x80/0x90
[ 57.135618][ C1] _printk+0xba/0xed
[ 57.135639][ C1] ? record_print_text.cold+0x16/0x16
[ 57.135665][ C1] ? usb_free_urb+0x5c/0x110
[ 57.135690][ C1] ? ath9k_htc_hw_init.cold+0x5/0x1c
[ 57.135719][ C1] ath9k_htc_hw_init.cold+0x17/0x1c
[ 57.135746][ C1] ath9k_hif_usb_firmware_cb+0x274/0x530
[ 57.135778][ C1] ? ath9k_hif_usb_alloc_urbs+0x1050/0x1050
[ 57.135805][ C1] request_firmware_work_func+0x12c/0x230
[ 57.135831][ C1] ? request_partial_firmware_into_buf+0xa0/0xa0
[ 57.135862][ C1] process_one_work+0x996/0x1610
[ 57.135891][ C1] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 57.135918][ C1] ? rwlock_bug.part.0+0x90/0x90
[ 57.135948][ C1] ? _raw_spin_lock_irq+0x41/0x50
[ 57.135975][ C1] worker_thread+0x665/0x1080
[ 57.136000][ C1] ? process_one_work+0x1610/0x1610
[ 57.136022][ C1] kthread+0x2e9/0x3a0
[ 57.136040][ C1] ? kthread_complete_and_exit+0x40/0x40
[ 57.136063][ C1] ret_from_fork+0x1f/0x30
[ 57.136091][ C1]
[ 57.136248][ C1] Kernel Offset: disabled
[ 58.256150][ C1] Rebooting in 86400 seconds..