Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.52' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 23.329506][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 23.698782][ T83] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 23.707944][ T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 23.716010][ T83] usb 1-1: Product: syz
[ 23.720239][ T83] usb 1-1: Manufacturer: syz
[ 23.724815][ T83] usb 1-1: SerialNumber: syz
[ 23.769608][ T83] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 24.388092][ T83] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 24.607964][ C1] ==================================================================
[ 24.616151][ C1] BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0
[ 24.623508][ C1] Write of size 2 at addr ffff8881cee11460 by task swapper/1/0
[ 24.631019][ C1]
[ 24.633329][ C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc5-syzkaller #0
[ 24.641194][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.651237][ C1] Call Trace:
[ 24.654505][ C1]
[ 24.657339][ C1] dump_stack+0xef/0x16e
[ 24.661585][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 24.666587][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 24.671596][ C1] print_address_description.constprop.0.cold+0xd3/0x314
[ 24.678599][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 24.683607][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 24.688620][ C1] __kasan_report.cold+0x37/0x77
[ 24.693556][ C1] ? do_raw_spin_lock+0x61/0x290
[ 24.698480][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 24.703490][ C1] kasan_report+0xe/0x20
[ 24.707733][ C1] ath9k_htc_rx_msg+0xa25/0xaf0
[ 24.712563][ C1] ath9k_hif_usb_reg_in_cb+0x1ba/0x630
[ 24.718026][ C1] ? trace_hardirqs_off+0x50/0x200
[ 24.723133][ C1] __usb_hcd_giveback_urb+0x29a/0x550
[ 24.728498][ C1] usb_hcd_giveback_urb+0x368/0x420
[ 24.737848][ C1] dummy_timer+0x1258/0x32ae
[ 24.742429][ C1] ? dummy_udc_probe+0x930/0x930
[ 24.747347][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 24.752881][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 24.758152][ C1] call_timer_fn+0x195/0x6f0
[ 24.762780][ C1] ? dummy_udc_probe+0x930/0x930
[ 24.767709][ C1] ? msleep_interruptible+0x130/0x130
[ 24.773073][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 24.778601][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 24.783937][ C1] ? _raw_spin_unlock_irq+0x1f/0x30
[ 24.789141][ C1] ? dummy_udc_probe+0x930/0x930
[ 24.794061][ C1] run_timer_softirq+0x5f9/0x1500
[ 24.799081][ C1] ? add_timer+0x7a0/0x7a0
[ 24.803477][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 24.809004][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 24.814266][ C1] __do_softirq+0x21e/0x950
[ 24.818761][ C1] irq_exit+0x178/0x1a0
[ 24.822912][ C1] smp_apic_timer_interrupt+0x141/0x540
[ 24.828435][ C1] apic_timer_interrupt+0xf/0x20
[ 24.833360][ C1]
[ 24.836279][ C1] RIP: 0010:default_idle+0x28/0x300
[ 24.841474][ C1] Code: cc cc 41 56 41 55 65 44 8b 2d 44 77 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 62 b5 fb e9 07 00 00 00 0f 00 2d ea 0c 53 00 fb f4 <65> 44 8b 2d 20 77 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
[ 24.861064][ C1] RSP: 0018:ffff8881da22fda8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 24.869461][ C1] RAX: 0000000000000007 RBX: ffff8881da213100 RCX: 0000000000000000
[ 24.877411][ C1] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da21394c
[ 24.885378][ C1] RBP: ffffed103b442620 R08: ffff8881da213100 R09: 0000000000000000
[ 24.893341][ C1] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[ 24.901291][ C1] R13: 0000000000000001 R14: ffffffff87e607c0 R15: 0000000000000000
[ 24.909254][ C1] ? default_idle+0x1a/0x300
[ 24.913834][ C1] do_idle+0x3e0/0x500
[ 24.917935][ C1] ? __wake_up_common+0x147/0x650
[ 24.922946][ C1] ? arch_cpu_idle_exit+0x40/0x40
[ 24.927953][ C1] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 24.933764][ C1] ? lockdep_hardirqs_on+0x382/0x580
[ 24.939047][ C1] cpu_startup_entry+0x14/0x20
[ 24.943892][ C1] start_secondary+0x2a4/0x390
[ 24.948646][ C1] ? set_cpu_sibling_map+0x1e90/0x1e90
[ 24.954109][ C1] secondary_startup_64+0xb6/0xc0
[ 24.959110][ C1]
[ 24.961437][ C1] Allocated by task 361:
[ 24.965660][ C1] save_stack+0x1b/0x80
[ 24.969793][ C1] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 24.975499][ C1] raw_alloc_io_data+0x150/0x1c0
[ 24.980427][ C1] raw_ioctl+0x686/0x1a70
[ 24.984740][ C1] ksys_ioctl+0x11a/0x180
[ 24.989047][ C1] __x64_sys_ioctl+0x6f/0xb0
[ 24.993620][ C1] do_syscall_64+0xb6/0x5a0
[ 24.998127][ C1] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 25.004004][ C1]
[ 25.006316][ C1] Freed by task 361:
[ 25.010204][ C1] save_stack+0x1b/0x80
[ 25.014338][ C1] __kasan_slab_free+0x117/0x160
[ 25.019255][ C1] kfree+0xd5/0x300
[ 25.023060][ C1] raw_ioctl+0x189/0x1a70
[ 25.027381][ C1] ksys_ioctl+0x11a/0x180
[ 25.031689][ C1] __x64_sys_ioctl+0x6f/0xb0
[ 25.036280][ C1] do_syscall_64+0xb6/0x5a0
[ 25.040785][ C1] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 25.046650][ C1]
[ 25.048957][ C1] The buggy address belongs to the object at ffff8881cee11000
[ 25.048957][ C1] which belongs to the cache kmalloc-2k of size 2048
[ 25.062991][ C1] The buggy address is located 1120 bytes inside of
[ 25.062991][ C1] 2048-byte region [ffff8881cee11000, ffff8881cee11800)
[ 25.077537][ C1] The buggy address belongs to the page:
[ 25.083185][ C1] page:ffffea00073b8400 refcount:1 mapcount:0 mapping:ffff8881da00c000 index:0x0 compound_mapcount: 0
[ 25.094712][ C1] flags: 0x200000000010200(slab|head)
[ 25.100076][ C1] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
[ 25.108643][ C1] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 25.117234][ C1] page dumped because: kasan: bad access detected
[ 25.123643][ C1]
[ 25.125953][ C1] Memory state around the buggy address:
[ 25.131918][ C1] ffff8881cee11300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.139975][ C1] ffff8881cee11380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.148037][ C1] >ffff8881cee11400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.156118][ C1]                                                        ^
[ 25.163518][ C1] ffff8881cee11480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.171697][ C1] ffff8881cee11500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.179843][ C1] ==================================================================
[ 25.188194][ C1] Disabling lock debugging due to kernel taint
[ 25.194731][ C1] Kernel panic - not syncing: panic_on_warn set ...
[ 25.201317][ C1] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G B 5.6.0-rc5-syzkaller #0
[ 25.210590][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.220639][ C1] Call Trace:
[ 25.223904][ C1]
[ 25.226738][ C1] dump_stack+0xef/0x16e
[ 25.230957][ C1] panic+0x2aa/0x6e1
[ 25.234832][ C1] ? add_taint.cold+0x16/0x16
[ 25.239500][ C1] ? print_shadow_for_address+0xb8/0x114
[ 25.245115][ C1] ? trace_hardirqs_off+0x50/0x200
[ 25.250213][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 25.255212][ C1] end_report+0x43/0x49
[ 25.259348][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 25.264346][ C1] __kasan_report.cold+0x55/0x77
[ 25.269260][ C1] ? do_raw_spin_lock+0x61/0x290
[ 25.274173][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 25.279172][ C1] kasan_report+0xe/0x20
[ 25.283403][ C1] ath9k_htc_rx_msg+0xa25/0xaf0
[ 25.288242][ C1] ath9k_hif_usb_reg_in_cb+0x1ba/0x630
[ 25.293691][ C1] ? trace_hardirqs_off+0x50/0x200
[ 25.298797][ C1] __usb_hcd_giveback_urb+0x29a/0x550
[ 25.304163][ C1] usb_hcd_giveback_urb+0x368/0x420
[ 25.309382][ C1] dummy_timer+0x1258/0x32ae
[ 25.313955][ C1] ? dummy_udc_probe+0x930/0x930
[ 25.318871][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.324393][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.329665][ C1] call_timer_fn+0x195/0x6f0
[ 25.334242][ C1] ? dummy_udc_probe+0x930/0x930
[ 25.339165][ C1] ? msleep_interruptible+0x130/0x130
[ 25.344525][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.350046][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.355307][ C1] ? _raw_spin_unlock_irq+0x1f/0x30
[ 25.360501][ C1] ? dummy_udc_probe+0x930/0x930
[ 25.365412][ C1] run_timer_softirq+0x5f9/0x1500
[ 25.370414][ C1] ? add_timer+0x7a0/0x7a0
[ 25.374805][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.380334][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.385607][ C1] __do_softirq+0x21e/0x950
[ 25.390090][ C1] irq_exit+0x178/0x1a0
[ 25.394298][ C1] smp_apic_timer_interrupt+0x141/0x540
[ 25.399843][ C1] apic_timer_interrupt+0xf/0x20
[ 25.404762][ C1]
[ 25.407690][ C1] RIP: 0010:default_idle+0x28/0x300
[ 25.412863][ C1] Code: cc cc 41 56 41 55 65 44 8b 2d 44 77 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 62 b5 fb e9 07 00 00 00 0f 00 2d ea 0c 53 00 fb f4 <65> 44 8b 2d 20 77 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
[ 25.432443][ C1] RSP: 0018:ffff8881da22fda8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 25.440834][ C1] RAX: 0000000000000007 RBX: ffff8881da213100 RCX: 0000000000000000
[ 25.448791][ C1] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da21394c
[ 25.456743][ C1] RBP: ffffed103b442620 R08: ffff8881da213100 R09: 0000000000000000
[ 25.464694][ C1] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[ 25.472643][ C1] R13: 0000000000000001 R14: ffffffff87e607c0 R15: 0000000000000000
[ 25.480686][ C1] ? default_idle+0x1a/0x300
[ 25.485270][ C1] do_idle+0x3e0/0x500
[ 25.489324][ C1] ? __wake_up_common+0x147/0x650
[ 25.494338][ C1] ? arch_cpu_idle_exit+0x40/0x40
[ 25.499341][ C1] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 25.505134][ C1] ? lockdep_hardirqs_on+0x382/0x580
[ 25.510400][ C1] cpu_startup_entry+0x14/0x20
[ 25.515142][ C1] start_secondary+0x2a4/0x390
[ 25.519882][ C1] ? set_cpu_sibling_map+0x1e90/0x1e90
[ 25.525315][ C1] secondary_startup_64+0xb6/0xc0
[ 25.530891][ C1] Kernel Offset: disabled
[ 25.535201][ C1] Rebooting in 86400 seconds..