[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
syzkaller login: [ 15.791687][ C1] random: crng init done
[ 15.796177][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.0.202' (ECDSA) to the list of known hosts.
executing program
[ 22.870858][ T95] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 23.390457][ T95] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 23.399677][ T95] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 23.407934][ T95] usb 1-1: Product: syz
[ 23.412213][ T95] usb 1-1: Manufacturer: syz
[ 23.416793][ T95] usb 1-1: SerialNumber: syz
[ 23.461363][ T95] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 24.099854][ T95] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 24.501914][ T12] usb 1-1: USB disconnect, device number 2
[ 25.328808][ T95] usb 1-1: Service connection timeout for: 256
[ 25.335125][ T95] ==================================================================
[ 25.343238][ T95] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 25.349905][ T95] Read of size 4 at addr ffff8881c6b1e994 by task kworker/0:2/95
[ 25.357602][ T95]
[ 25.359922][ T95] CPU: 0 PID: 95 Comm: kworker/0:2 Not tainted 5.7.0-rc6-syzkaller #0
[ 25.368058][ T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.378267][ T95] Workqueue: events request_firmware_work_func
[ 25.384406][ T95] Call Trace:
[ 25.387674][ T95] dump_stack+0xef/0x16e
[ 25.391894][ T95] print_address_description.constprop.0.cold+0xd3/0x415
[ 25.398908][ T95] ? vprintk_func+0x7d/0x113
[ 25.403473][ T95] ? kfree_skb+0x32/0x3d0
[ 25.407778][ T95] __kasan_report.cold+0x37/0x7d
[ 25.412692][ T95] ? kfree_skb+0x32/0x3d0
[ 25.417010][ T95] ? kfree_skb+0x32/0x3d0
[ 25.421314][ T95] kasan_report+0x33/0x50
[ 25.425621][ T95] check_memory_region+0x173/0x1d0
[ 25.430720][ T95] kfree_skb+0x32/0x3d0
[ 25.434953][ T95] htc_connect_service.cold+0xa9/0x109
[ 25.440400][ T95] ath9k_wmi_connect+0xd2/0x1a0
[ 25.445224][ T95] ? ath9k_fatal_work+0x20/0x20
[ 25.450054][ T95] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 25.456097][ T95] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 25.461705][ T95] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 25.468538][ T95] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 25.473802][ T95] ? lockdep_init_map_waits+0x26a/0x7c0
[ 25.479345][ T95] ? __raw_spin_lock_init+0x34/0x100
[ 25.484616][ T95] ? tasklet_init+0x69/0x110
[ 25.489185][ T95] ath9k_htc_probe_device+0x25a/0x1da0
[ 25.494640][ T95] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 25.501333][ T95] ? usb_submit_urb+0x6ed/0x1460
[ 25.506248][ T95] ? usb_free_urb.part.0+0x52/0x110
[ 25.511435][ T95] ? usb_free_urb+0x1b/0x30
[ 25.515921][ T95] ath9k_htc_hw_init+0x31/0x60
[ 25.520660][ T95] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 25.526299][ T95] ? ath9k_hif_usb_resume+0x320/0x320
[ 25.531755][ T95] request_firmware_work_func+0x126/0x242
[ 25.537462][ T95] ? request_firmware_into_buf+0x90/0x90
[ 25.543162][ T95] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.548908][ T95] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.554175][ T95] ? _raw_spin_unlock_irq+0x1f/0x30
[ 25.559428][ T95] process_one_work+0x965/0x1630
[ 25.564355][ T95] ? lock_release+0x720/0x720
[ 25.569139][ T95] ? pwq_dec_nr_in_flight+0x310/0x310
[ 25.574702][ T95] ? rwlock_bug.part.0+0x90/0x90
[ 25.579623][ T95] worker_thread+0x96/0xe20
[ 25.584114][ T95] ? process_one_work+0x1630/0x1630
[ 25.589309][ T95] kthread+0x326/0x430
[ 25.593410][ T95] ? kthread_create_on_node+0xf0/0xf0
[ 25.598759][ T95] ret_from_fork+0x24/0x30
[ 25.603175][ T95]
[ 25.605479][ T95] Allocated by task 95:
[ 25.609615][ T95] save_stack+0x1b/0x40
[ 25.613754][ T95] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 25.619360][ T95] kmem_cache_alloc_node+0xdc/0x330
[ 25.624532][ T95] __alloc_skb+0xba/0x5a0
[ 25.628839][ T95] htc_connect_service+0x2cc/0x840
[ 25.633926][ T95] ath9k_wmi_connect+0xd2/0x1a0
[ 25.638787][ T95] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 25.645181][ T95] ath9k_htc_probe_device+0x25a/0x1da0
[ 25.650631][ T95] ath9k_htc_hw_init+0x31/0x60
[ 25.655386][ T95] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 25.661014][ T95] request_firmware_work_func+0x126/0x242
[ 25.666730][ T95] process_one_work+0x965/0x1630
[ 25.671659][ T95] worker_thread+0x96/0xe20
[ 25.676159][ T95] kthread+0x326/0x430
[ 25.680204][ T95] ret_from_fork+0x24/0x30
[ 25.684590][ T95]
[ 25.686895][ T95] Freed by task 12:
[ 25.690691][ T95] save_stack+0x1b/0x40
[ 25.694829][ T95] __kasan_slab_free+0x117/0x160
[ 25.699756][ T95] kmem_cache_free+0x9b/0x360
[ 25.704442][ T95] kfree_skbmem+0xef/0x1b0
[ 25.708850][ T95] kfree_skb+0x102/0x3d0
[ 25.714007][ T95] ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 25.719626][ T95] hif_usb_regout_cb+0x115/0x1c0
[ 25.724666][ T95] __usb_hcd_giveback_urb+0x29a/0x550
[ 25.730029][ T95] usb_hcd_giveback_urb+0x368/0x420
[ 25.735239][ T95] dummy_timer+0x125e/0x32b4
[ 25.739807][ T95] call_timer_fn+0x1ac/0x700
[ 25.744399][ T95] run_timer_softirq+0x5f9/0x1500
[ 25.749448][ T95] __do_softirq+0x21e/0x9aa
[ 25.754028][ T95]
[ 25.756349][ T95] The buggy address belongs to the object at ffff8881c6b1e8c0
[ 25.756349][ T95] which belongs to the cache skbuff_head_cache of size 224
[ 25.771343][ T95] The buggy address is located 212 bytes inside of
[ 25.771343][ T95] 224-byte region [ffff8881c6b1e8c0, ffff8881c6b1e9a0)
[ 25.784587][ T95] The buggy address belongs to the page:
[ 25.790200][ T95] page:ffffea00071ac780 refcount:1 mapcount:0 mapping:00000000baf65143 index:0x0
[ 25.799291][ T95] flags: 0x200000000000200(slab)
[ 25.804230][ T95] raw: 0200000000000200 ffffea00073bae00 0000000b0000000b ffff8881da175400
[ 25.812818][ T95] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 25.821375][ T95] page dumped because: kasan: bad access detected
[ 25.827761][ T95]
[ 25.830076][ T95] Memory state around the buggy address:
[ 25.835696][ T95] ffff8881c6b1e880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 25.843753][ T95] ffff8881c6b1e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.851805][ T95] >ffff8881c6b1e980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.859848][ T95] ^
[ 25.864437][ T95] ffff8881c6b1ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.872496][ T95] ffff8881c6b1ea80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 25.880533][ T95] ==================================================================
[ 25.888589][ T95] Disabling lock debugging due to kernel taint
[ 25.894777][ T95] Kernel panic - not syncing: panic_on_warn set ...
[ 25.901369][ T95] CPU: 0 PID: 95 Comm: kworker/0:2 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 25.911181][ T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.921241][ T95] Workqueue: events request_firmware_work_func
[ 25.927384][ T95] Call Trace:
[ 25.930672][ T95] dump_stack+0xef/0x16e
[ 25.934890][ T95] panic+0x2aa/0x6e1
[ 25.938774][ T95] ? add_taint.cold+0x16/0x16
[ 25.943541][ T95] ? retint_kernel+0x10/0x10
[ 25.948125][ T95] ? kfree_skb+0x32/0x3d0
[ 25.952457][ T95] ? trace_hardirqs_on+0x55/0x200
[ 25.957482][ T95] ? kfree_skb+0x32/0x3d0
[ 25.961790][ T95] end_report+0x4d/0x53
[ 25.965937][ T95] __kasan_report.cold+0x72/0x7d
[ 25.970850][ T95] ? kfree_skb+0x32/0x3d0
[ 25.975178][ T95] ? kfree_skb+0x32/0x3d0
[ 25.979495][ T95] kasan_report+0x33/0x50
[ 25.983814][ T95] check_memory_region+0x173/0x1d0
[ 25.988909][ T95] kfree_skb+0x32/0x3d0
[ 25.993051][ T95] htc_connect_service.cold+0xa9/0x109
[ 25.998659][ T95] ath9k_wmi_connect+0xd2/0x1a0
[ 26.003609][ T95] ? ath9k_fatal_work+0x20/0x20
[ 26.008459][ T95] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 26.014514][ T95] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 26.020131][ T95] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 26.026537][ T95] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 26.031797][ T95] ? lockdep_init_map_waits+0x26a/0x7c0
[ 26.037336][ T95] ? __raw_spin_lock_init+0x34/0x100
[ 26.042758][ T95] ? tasklet_init+0x69/0x110
[ 26.047330][ T95] ath9k_htc_probe_device+0x25a/0x1da0
[ 26.052772][ T95] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 26.059423][ T95] ? usb_submit_urb+0x6ed/0x1460
[ 26.064350][ T95] ? usb_free_urb.part.0+0x52/0x110
[ 26.069521][ T95] ? usb_free_urb+0x1b/0x30
[ 26.074120][ T95] ath9k_htc_hw_init+0x31/0x60
[ 26.078886][ T95] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 26.084514][ T95] ? ath9k_hif_usb_resume+0x320/0x320
[ 26.089947][ T95] request_firmware_work_func+0x126/0x242
[ 26.095640][ T95] ? request_firmware_into_buf+0x90/0x90
[ 26.101261][ T95] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.106780][ T95] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 26.112039][ T95] ? _raw_spin_unlock_irq+0x1f/0x30
[ 26.117232][ T95] process_one_work+0x965/0x1630
[ 26.122149][ T95] ? lock_release+0x720/0x720
[ 26.126800][ T95] ? pwq_dec_nr_in_flight+0x310/0x310
[ 26.132146][ T95] ? rwlock_bug.part.0+0x90/0x90
[ 26.137055][ T95] worker_thread+0x96/0xe20
[ 26.141545][ T95] ? process_one_work+0x1630/0x1630
[ 26.147532][ T95] kthread+0x326/0x430
[ 26.151588][ T95] ? kthread_create_on_node+0xf0/0xf0
[ 26.156936][ T95] ret_from_fork+0x24/0x30
[ 26.162037][ T95] Kernel Offset: disabled
[ 26.166348][ T95] Rebooting in 86400 seconds..