[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

syzkaller login: [   16.090953][    C1] random: crng init done
[   16.095249][    C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.0.137' (ECDSA) to the list of known hosts.
executing program
[   23.000026][   T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   23.519321][   T83] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[   23.528460][   T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   23.536547][   T83] usb 1-1: Product: syz
[   23.540768][   T83] usb 1-1: Manufacturer: syz
[   23.545336][   T83] usb 1-1: SerialNumber: syz
[   23.590137][   T83] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[   24.218960][   T83] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[   25.308441][   T83] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[   25.315534][   T83] ath9k_htc: Failed to initialize the device
[   25.328543][    C1] ==================================================================
[   25.336752][    C1] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0xe64/0xf90
[   25.344354][    C1] Read of size 4 at addr ffff8881cd5140d0 by task swapper/1/0
[   25.351790][    C1] 
[   25.354103][    C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.7.0-rc6-syzkaller #0
[   25.361972][    C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.372012][    C1] Call Trace:
[   25.375273][    C1]  <IRQ>
[   25.378101][    C1]  dump_stack+0xef/0x16e
[   25.382351][    C1]  print_address_description.constprop.0.cold+0xd3/0x415
[   25.389356][    C1]  ? __build_skb+0x21/0x60
[   25.393746][    C1]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   25.399266][    C1]  ? vprintk_func+0x7d/0x113
[   25.403838][    C1]  ? ath9k_hif_usb_rx_cb+0xe64/0xf90
[   25.409092][    C1]  __kasan_report.cold+0x37/0x7d
[   25.414012][    C1]  ? ath9k_hif_usb_rx_cb+0xe64/0xf90
[   25.419273][    C1]  ? ath9k_hif_usb_rx_cb+0xe64/0xf90
[   25.424537][    C1]  kasan_report+0x33/0x50
[   25.428853][    C1]  ath9k_hif_usb_rx_cb+0xe64/0xf90
[   25.433937][    C1]  ? hif_usb_mgmt_cb+0x310/0x310
[   25.438846][    C1]  ? do_raw_spin_lock+0x129/0x290
[   25.443854][    C1]  ? lock_downgrade+0x720/0x720
[   25.448675][    C1]  ? trace_hardirqs_off+0x50/0x200
[   25.453756][    C1]  __usb_hcd_giveback_urb+0x29a/0x550
[   25.459097][    C1]  usb_hcd_giveback_urb+0x368/0x420
[   25.464267][    C1]  dummy_timer+0x125e/0x32b4
[   25.468830][    C1]  ? dummy_udc_probe+0x980/0x980
[   25.473749][    C1]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   25.479268][    C1]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   25.484529][    C1]  call_timer_fn+0x1ac/0x700
[   25.489096][    C1]  ? dummy_udc_probe+0x980/0x980
[   25.494002][    C1]  ? timer_fixup_init+0x60/0x60
[   25.498822][    C1]  ? lock_downgrade+0x720/0x720
[   25.503642][    C1]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   25.509173][    C1]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   25.514456][    C1]  ? _raw_spin_unlock_irq+0x1f/0x30
[   25.519644][    C1]  ? dummy_udc_probe+0x980/0x980
[   25.524579][    C1]  run_timer_softirq+0x5f9/0x1500
[   25.529601][    C1]  ? add_timer+0x7a0/0x7a0
[   25.534040][    C1]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   25.539560][    C1]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   25.544825][    C1]  __do_softirq+0x21e/0x9aa
[   25.549309][    C1]  irq_exit+0x178/0x1a0
[   25.553448][    C1]  smp_apic_timer_interrupt+0x141/0x540
[   25.558970][    C1]  apic_timer_interrupt+0xf/0x20
[   25.563876][    C1]  </IRQ>
[   25.566790][    C1] RIP: 0010:default_idle+0x28/0x300
[   25.571975][    C1] Code: cc cc 41 56 41 55 65 44 8b 2d 94 3f 6b 7a 41 54 55 53 0f 1f 44 00 00 e8 16 28 af fb e9 07 00 00 00 0f 00 2d 7a e1 4b 00 fb f4 <65> 44 8b 2d 70 3f 6b 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
[   25.591563][    C1] RSP: 0018:ffff8881da227da8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[   25.599970][    C1] RAX: 0000000000000007 RBX: ffff8881da20b180 RCX: 0000000000000000
[   25.607923][    C1] R
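The following triage helper is an added example and not part of the syzkaller console log above: it parses a KASAN report of the form shown (bug line, access line, CPU/task line, call trace with `<IRQ>` markers and `?`-prefixed unreliable frames) into structured fields and derives a syzkaller-style title. The SAMPLE string is a constructed subset of the report above. The culprit heuristic (skip KASAN/report plumbing frames and unwinder-guessed `?` frames, take the next reliable frame) is an assumption of this example, as is the fixed prefix list in REPORT_FRAMES.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the KASAN report from the console log above.
SAMPLE = """\
[   25.328543][    C1] ==================================================================
[   25.336752][    C1] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0xe64/0xf90
[   25.344354][    C1] Read of size 4 at addr ffff8881cd5140d0 by task swapper/1/0
[   25.351790][    C1] 
[   25.354103][    C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.7.0-rc6-syzkaller #0
[   25.372012][    C1] Call Trace:
[   25.375273][    C1]  <IRQ>
[   25.378101][    C1]  dump_stack+0xef/0x16e
[   25.382351][    C1]  print_address_description.constprop.0.cold+0xd3/0x415
[   25.403838][    C1]  ? ath9k_hif_usb_rx_cb+0xe64/0xf90
[   25.409092][    C1]  __kasan_report.cold+0x37/0x7d
[   25.424537][    C1]  kasan_report+0x33/0x50
[   25.428853][    C1]  ath9k_hif_usb_rx_cb+0xe64/0xf90
[   25.433937][    C1]  ? hif_usb_mgmt_cb+0x310/0x310
[   25.453756][    C1]  __usb_hcd_giveback_urb+0x29a/0x550
[   25.459097][    C1]  usb_hcd_giveback_urb+0x368/0x420
[   25.464267][    C1]  dummy_timer+0x125e/0x32b4
[   25.484529][    C1]  call_timer_fn+0x1ac/0x700
[   25.524579][    C1]  run_timer_softirq+0x5f9/0x1500
[   25.544825][    C1]  __do_softirq+0x21e/0x9aa
[   25.549309][    C1]  irq_exit+0x178/0x1a0
[   25.558970][    C1]  apic_timer_interrupt+0xf/0x20
[   25.563876][    C1]  </IRQ>
[   25.566790][    C1] RIP: 0010:default_idle+0x28/0x300
"""

# printk prefix "[  timestamp][  C1]" / "[  T83]" as it appears on the console
PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*[CT]\d+\]\s?")
BUG = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
ACCESS = re.compile(r"^(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
CPU = re.compile(r"^CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) Comm: (?P<comm>\S+) "
                 r"(?P<taint>Not tainted|Tainted: .+?) (?P<kver>\d+\.\d+\S*)")
# "? sym+0xoff/0xsize" frames are guesses the unwinder could not verify
FRAME = re.compile(r"^(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

# Frames that belong to the reporting machinery, not to the faulting code (assumed list).
REPORT_FRAMES = ("dump_stack", "print_address_description", "__kasan_report",
                 "kasan_report", "__asan_", "check_memory_region")


@dataclass
class KasanReport:
    kind: str = ""        # e.g. use-after-free, slab-out-of-bounds
    func: str = ""        # symbol+offset/size where KASAN fired
    access: str = ""      # Read / Write
    size: int = 0
    addr: str = ""
    task: str = ""        # comm/pid from the access line
    comm: str = ""
    kver: str = ""
    tainted: bool = False
    in_irq: bool = False  # trace carried an <IRQ> marker
    frames: list = field(default_factory=list)  # reliable frames only, innermost first

    def culprit(self):
        """First reliable frame that is not KASAN/report plumbing."""
        for f in self.frames:
            if not f.startswith(REPORT_FRAMES):
                return f
        return None

    def title(self):
        """Title in the style syzkaller's dashboard uses for KASAN bugs."""
        return f"KASAN: {self.kind} {self.access} in {self.culprit()}"


def parse_kasan(text):
    rep = KasanReport()
    in_trace = False
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:
            continue
        if (m := BUG.match(line)):
            rep.kind, rep.func = m["kind"], m["func"]
        elif (m := ACCESS.match(line)):
            rep.access, rep.size = m["rw"], int(m["size"])
            rep.addr, rep.task = m["addr"], m["task"]
        elif (m := CPU.match(line)):
            rep.comm, rep.kver = m["comm"], m["kver"]
            rep.tainted = m["taint"] != "Not tainted"
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            if line == "<IRQ>":
                rep.in_irq = True
            elif line.startswith("RIP:"):
                break  # register dump follows; the call trace is complete
            elif (m := FRAME.match(line)) and not m["unreliable"]:
                rep.frames.append(m["sym"])
    return rep


if __name__ == "__main__":
    r = parse_kasan(SAMPLE)
    print(r.title())
    print("context:", "IRQ/softirq" if r.in_irq else "process", "| kernel:", r.kver)
    print("outer frames:", " <- ".join(r.frames[r.frames.index(r.culprit()):]))
```

With the sample above the title comes out as "KASAN: use-after-free Read in ath9k_hif_usb_rx_cb" and the outer frames show the access happening from a URB completion driven by `dummy_timer`, i.e. in softirq context on the emulated host controller rather than in the probe path that just logged "Failed to initialize the device".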