[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
syzkaller login: [ 16.456634][ C0] random: crng init done
[ 16.460904][ C0] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.0.183' (ECDSA) to the list of known hosts.
executing program
[ 25.096117][ T12] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 25.615883][ T12] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 25.625166][ T12] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 25.633203][ T12] usb 1-1: Product: syz
[ 25.637472][ T12] usb 1-1: Manufacturer: syz
[ 25.642045][ T12] usb 1-1: SerialNumber: syz
[ 25.686732][ T12] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 26.265407][ T12] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 26.667293][ T95] usb 1-1: USB disconnect, device number 2
[ 27.514592][ T12] usb 1-1: Service connection timeout for: 256
[ 27.520852][ T12] ==================================================================
[ 27.529020][ T12] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 27.535716][ T12] Read of size 4 at addr ffff8881cd4e7ad4 by task kworker/0:1/12
[ 27.543400][ T12]
[ 27.545763][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.7.0-rc6-syzkaller #0
[ 27.553888][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.563925][ T12] Workqueue: events request_firmware_work_func
[ 27.570090][ T12] Call Trace:
[ 27.573361][ T12] dump_stack+0xef/0x16e
[ 27.577583][ T12] print_address_description.constprop.0.cold+0xd3/0x415
[ 27.584579][ T12] ? vprintk_func+0x7d/0x113
[ 27.589144][ T12] ? kfree_skb+0x32/0x3d0
[ 27.593455][ T12] __kasan_report.cold+0x37/0x7d
[ 27.598367][ T12] ? kfree_skb+0x32/0x3d0
[ 27.602671][ T12] ? kfree_skb+0x32/0x3d0
[ 27.606981][ T12] kasan_report+0x33/0x50
[ 27.611290][ T12] check_memory_region+0x173/0x1d0
[ 27.616377][ T12] kfree_skb+0x32/0x3d0
[ 27.620512][ T12] htc_connect_service.cold+0xa9/0x109
[ 27.625945][ T12] ath9k_wmi_connect+0xd2/0x1a0
[ 27.630774][ T12] ? ath9k_fatal_work+0x20/0x20
[ 27.635600][ T12] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 27.641644][ T12] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 27.647256][ T12] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 27.653646][ T12] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 27.658915][ T12] ? lockdep_init_map_waits+0x26a/0x7c0
[ 27.664444][ T12] ? __raw_spin_lock_init+0x34/0x100
[ 27.669718][ T12] ? tasklet_init+0x69/0x110
[ 27.674290][ T12] ath9k_htc_probe_device+0x25a/0x1da0
[ 27.679737][ T12] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 27.686435][ T12] ? usb_submit_urb+0x6ed/0x1460
[ 27.691350][ T12] ? usb_free_urb.part.0+0x52/0x110
[ 27.696566][ T12] ? usb_free_urb+0x1b/0x30
[ 27.701056][ T12] ath9k_htc_hw_init+0x31/0x60
[ 27.705862][ T12] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 27.711491][ T12] ? ath9k_hif_usb_resume+0x320/0x320
[ 27.716842][ T12] request_firmware_work_func+0x126/0x242
[ 27.722584][ T12] ? request_firmware_into_buf+0x90/0x90
[ 27.728228][ T12] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 27.733786][ T12] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 27.739046][ T12] ? _raw_spin_unlock_irq+0x1f/0x30
[ 27.744256][ T12] process_one_work+0x965/0x1630
[ 27.749171][ T12] ? lock_release+0x720/0x720
[ 27.753824][ T12] ? pwq_dec_nr_in_flight+0x310/0x310
[ 27.759171][ T12] ? rwlock_bug.part.0+0x90/0x90
[ 27.764092][ T12] worker_thread+0x96/0xe20
[ 27.768568][ T12] ? process_one_work+0x1630/0x1630
[ 27.773743][ T12] kthread+0x326/0x430
[ 27.777802][ T12] ? kthread_create_on_node+0xf0/0xf0
[ 27.783149][ T12] ret_from_fork+0x24/0x30
[ 27.787534][ T12]
[ 27.789837][ T12] Allocated by task 12:
[ 27.793990][ T12] save_stack+0x1b/0x40
[ 27.798132][ T12] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 27.803739][ T12] kmem_cache_alloc_node+0xdc/0x330
[ 27.808920][ T12] __alloc_skb+0xba/0x5a0
[ 27.813245][ T12] htc_connect_service+0x2cc/0x840
[ 27.818331][ T12] ath9k_wmi_connect+0xd2/0x1a0
[ 27.823158][ T12] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 27.829557][ T12] ath9k_htc_probe_device+0x25a/0x1da0
[ 27.834992][ T12] ath9k_htc_hw_init+0x31/0x60
[ 27.839734][ T12] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 27.845350][ T12] request_firmware_work_func+0x126/0x242
[ 27.851221][ T12] process_one_work+0x965/0x1630
[ 27.856153][ T12] worker_thread+0x96/0xe20
[ 27.860628][ T12] kthread+0x326/0x430
[ 27.864689][ T12] ret_from_fork+0x24/0x30
[ 27.869071][ T12]
[ 27.871392][ T12] Freed by task 0:
[ 27.875089][ T12] save_stack+0x1b/0x40
[ 27.879219][ T12] __kasan_slab_free+0x117/0x160
[ 27.884130][ T12] kmem_cache_free+0x9b/0x360
[ 27.888781][ T12] kfree_skbmem+0xef/0x1b0
[ 27.893169][ T12] kfree_skb+0x102/0x3d0
[ 27.897410][ T12] ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 27.903028][ T12] hif_usb_regout_cb+0x115/0x1c0
[ 27.907950][ T12] __usb_hcd_giveback_urb+0x29a/0x550
[ 27.913293][ T12] usb_hcd_giveback_urb+0x368/0x420
[ 27.918464][ T12] dummy_timer+0x125e/0x32b4
[ 27.923025][ T12] call_timer_fn+0x1ac/0x700
[ 27.927587][ T12] run_timer_softirq+0x5f9/0x1500
[ 27.932584][ T12] __do_softirq+0x21e/0x9aa
[ 27.937054][ T12]
[ 27.939360][ T12] The buggy address belongs to the object at ffff8881cd4e7a00
[ 27.939360][ T12] which belongs to the cache skbuff_head_cache of size 224
[ 27.953905][ T12] The buggy address is located 212 bytes inside of
[ 27.953905][ T12] 224-byte region [ffff8881cd4e7a00, ffff8881cd4e7ae0)
[ 27.967142][ T12] The buggy address belongs to the page:
[ 27.972764][ T12] page:ffffea00073539c0 refcount:1 mapcount:0 mapping:00000000c25ddbb7 index:0x0
[ 27.981839][ T12] flags: 0x200000000000200(slab)
[ 27.986839][ T12] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 27.995412][ T12] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 28.003963][ T12] page dumped because: kasan: bad access detected
[ 28.010342][ T12]
[ 28.012642][ T12] Memory state around the buggy address:
[ 28.018247][ T12] ffff8881cd4e7980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.026294][ T12] ffff8881cd4e7a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.034327][ T12] >ffff8881cd4e7a80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 28.042370][ T12] ^
[ 28.049027][ T12] ffff8881cd4e7b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 28.057073][ T12] ffff8881cd4e7b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.065103][ T12] ==================================================================
[ 28.073131][ T12] Disabling lock debugging due to kernel taint
[ 28.079350][ T12] Kernel panic - not syncing: panic_on_warn set ...
[ 28.085938][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 28.095462][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.105510][ T12] Workqueue: events request_firmware_work_func
[ 28.111640][ T12] Call Trace:
[ 28.114923][ T12] dump_stack+0xef/0x16e
[ 28.119141][ T12] panic+0x2aa/0x6e1
[ 28.123007][ T12] ? add_taint.cold+0x16/0x16
[ 28.127659][ T12] ? retint_kernel+0x10/0x10
[ 28.132217][ T12] ? kfree_skb+0x32/0x3d0
[ 28.136517][ T12] ? trace_hardirqs_on+0x55/0x200
[ 28.141526][ T12] ? kfree_skb+0x32/0x3d0
[ 28.145825][ T12] end_report+0x4d/0x53
[ 28.149950][ T12] __kasan_report.cold+0x72/0x7d
[ 28.154855][ T12] ? kfree_skb+0x32/0x3d0
[ 28.159152][ T12] ? kfree_skb+0x32/0x3d0
[ 28.163449][ T12] kasan_report+0x33/0x50
[ 28.167749][ T12] check_memory_region+0x173/0x1d0
[ 28.172829][ T12] kfree_skb+0x32/0x3d0
[ 28.176958][ T12] htc_connect_service.cold+0xa9/0x109
[ 28.182396][ T12] ath9k_wmi_connect+0xd2/0x1a0
[ 28.187222][ T12] ? ath9k_fatal_work+0x20/0x20
[ 28.192050][ T12] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 28.198096][ T12] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 28.203704][ T12] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 28.210091][ T12] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 28.215350][ T12] ? lockdep_init_map_waits+0x26a/0x7c0
[ 28.220869][ T12] ? __raw_spin_lock_init+0x34/0x100
[ 28.226133][ T12] ? tasklet_init+0x69/0x110
[ 28.230697][ T12] ath9k_htc_probe_device+0x25a/0x1da0
[ 28.236129][ T12] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 28.242773][ T12] ? usb_submit_urb+0x6ed/0x1460
[ 28.247681][ T12] ? usb_free_urb.part.0+0x52/0x110
[ 28.252890][ T12] ? usb_free_urb+0x1b/0x30
[ 28.257366][ T12] ath9k_htc_hw_init+0x31/0x60
[ 28.262148][ T12] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 28.267752][ T12] ? ath9k_hif_usb_resume+0x320/0x320
[ 28.273095][ T12] request_firmware_work_func+0x126/0x242
[ 28.278785][ T12] ? request_firmware_into_buf+0x90/0x90
[ 28.284390][ T12] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 28.289921][ T12] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 28.295180][ T12] ? _raw_spin_unlock_irq+0x1f/0x30
[ 28.300353][ T12] process_one_work+0x965/0x1630
[ 28.305271][ T12] ? lock_release+0x720/0x720
[ 28.309920][ T12] ? pwq_dec_nr_in_flight+0x310/0x310
[ 28.315263][ T12] ? rwlock_bug.part.0+0x90/0x90
[ 28.320180][ T12] worker_thread+0x96/0xe20
[ 28.324658][ T12] ? process_one_work+0x1630/0x1630
[ 28.329831][ T12] kthread+0x326/0x430
[ 28.333873][ T12] ? kthread_create_on_node+0xf0/0xf0
[ 28.339228][ T12] ret_from_fork+0x24/0x30
[ 28.344238][ T12] Kernel Offset: disabled
[ 28.348542][ T12] Rebooting in 86400 seconds..