Starting Update UTMP about System Runlevel Changes...
[�[0;32m OK �[0m] Started Update UTMP about System Runlevel Changes.
[�[0;32m OK �[0m] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ 12.358523][ C1] random: crng init done
[ 12.359359][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.254' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 22.931582][ T104] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 23.451258][ T104] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 23.460385][ T104] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 23.468443][ T104] usb 1-1: Product: syz
[ 23.472661][ T104] usb 1-1: Manufacturer: syz
[ 23.477233][ T104] usb 1-1: SerialNumber: syz
[ 23.522048][ T104] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 24.130714][ T104] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 24.350541][ C0] ==================================================================
[ 24.358693][ C0] BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0
[ 24.366038][ C0] Write of size 2 at addr ffff8881ccc71070 by task swapper/0/0
[ 24.373548][ C0]
[ 24.375855][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-rc6-syzkaller #0
[ 24.383739][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.393775][ C0] Call Trace:
[ 24.397039][ C0]
[ 24.399891][ C0] dump_stack+0xef/0x16e
[ 24.404129][ C0] print_address_description.constprop.0.cold+0xd3/0x415
[ 24.411127][ C0] ? vprintk_func+0x7d/0x113
[ 24.415688][ C0] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 24.420695][ C0] __kasan_report.cold+0x37/0x7d
[ 24.425624][ C0] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 24.430641][ C0] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 24.435658][ C0] kasan_report+0x33/0x50
[ 24.439960][ C0] ath9k_htc_rx_msg+0xa25/0xaf0
[ 24.444785][ C0] ath9k_hif_usb_reg_in_cb+0x1c0/0x630
[ 24.450226][ C0] ? _raw_read_unlock+0x1a/0x30
[ 24.455050][ C0] ? led_trigger_blink_oneshot+0xb4/0xe0
[ 24.460670][ C0] __usb_hcd_giveback_urb+0x1f2/0x470
[ 24.466033][ C0] usb_hcd_giveback_urb+0x368/0x420
[ 24.471204][ C0] dummy_timer+0x125e/0x32b4
[ 24.475770][ C0] ? dummy_udc_probe+0x980/0x980
[ 24.480683][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 24.486201][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 24.491457][ C0] call_timer_fn+0x1ac/0x700
[ 24.496020][ C0] ? dummy_udc_probe+0x980/0x980
[ 24.500933][ C0] ? timer_fixup_init+0x60/0x60
[ 24.505760][ C0] ? lock_downgrade+0x720/0x720
[ 24.510582][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 24.516098][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 24.521354][ C0] ? _raw_spin_unlock_irq+0x1f/0x30
[ 24.526553][ C0] ? dummy_udc_probe+0x980/0x980
[ 24.531478][ C0] run_timer_softirq+0x5f9/0x1500
[ 24.536485][ C0] ? add_timer+0x7a0/0x7a0
[ 24.540874][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 24.546404][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 24.551673][ C0] __do_softirq+0x21e/0x9aa
[ 24.556184][ C0] irq_exit+0x178/0x1a0
[ 24.560316][ C0] smp_apic_timer_interrupt+0x141/0x540
[ 24.565851][ C0] apic_timer_interrupt+0xf/0x20
[ 24.571732][ C0]
[ 24.574660][ C0] RIP: 0010:default_idle+0x28/0x300
[ 24.579852][ C0] Code: cc cc 41 56 41 55 65 44 8b 2d 94 3f 6b 7a 41 54 55 53 0f 1f 44 00 00 e8 06 27 af fb e9 07 00 00 00 0f 00 2d 7a e1 4b 00 fb f4 <65> 44 8b 2d 70 3f 6b 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
[ 24.599427][ C0] RSP: 0018:ffffffff87007da0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 24.607938][ C0] RAX: 0000000000000007 RBX: ffffffff8702f800 RCX: 0000000000000000
[ 24.615898][ C0] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8703007c
[ 24.623874][ C0] RBP: fffffbfff0e05f00 R08: ffffffff8702f800 R09: 0000000000000000
[ 24.631838][ C0] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 24.639787][ C0] R13: 0000000000000000 R14: ffffffff87e88e00 R15: 0000000000000000
[ 24.647748][ C0] do_idle+0x3e0/0x500
[ 24.651792][ C0] ? rcu_read_lock_held+0x9c/0xb0
[ 24.656822][ C0] ? arch_cpu_idle_exit+0x40/0x40
[ 24.661827][ C0] ? schedule+0xe1/0x2b0
[ 24.666048][ C0] cpu_startup_entry+0x14/0x20
[ 24.670796][ C0] start_kernel+0x9bb/0x9f8
[ 24.675276][ C0] ? mem_encrypt_init+0x5/0x5
[ 24.679926][ C0] ? x86_family+0x3d/0x50
[ 24.684244][ C0] ? load_ucode_bsp+0x23d/0x27d
[ 24.689072][ C0] secondary_startup_64+0xb6/0xc0
[ 24.694072][ C0]
[ 24.696373][ C0] Allocated by task 353:
[ 24.700602][ C0] save_stack+0x1b/0x40
[ 24.704762][ C0] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 24.710372][ C0] raw_alloc_io_data+0x157/0x1c0
[ 24.715297][ C0] raw_ioctl+0xf13/0x2570
[ 24.719611][ C0] ksys_ioctl+0x11a/0x180
[ 24.723919][ C0] __x64_sys_ioctl+0x6f/0xb0
[ 24.728481][ C0] do_syscall_64+0xb6/0x5a0
[ 24.732955][ C0] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 24.738833][ C0]
[ 24.741177][ C0] Freed by task 353:
[ 24.745058][ C0] save_stack+0x1b/0x40
[ 24.749206][ C0] __kasan_slab_free+0x117/0x160
[ 24.754130][ C0] kfree+0xd5/0x300
[ 24.757965][ C0] raw_ioctl+0x23e/0x2570
[ 24.762269][ C0] ksys_ioctl+0x11a/0x180
[ 24.766619][ C0] __x64_sys_ioctl+0x6f/0xb0
[ 24.771180][ C0] do_syscall_64+0xb6/0x5a0
[ 24.775850][ C0] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 24.781709][ C0]
[ 24.784024][ C0] The buggy address belongs to the object at ffff8881ccc71000
[ 24.784024][ C0] which belongs to the cache kmalloc-2k of size 2048
[ 24.798081][ C0] The buggy address is located 112 bytes inside of
[ 24.798081][ C0] 2048-byte region [ffff8881ccc71000, ffff8881ccc71800)
[ 24.811416][ C0] The buggy address belongs to the page:
[ 24.817051][ C0] page:ffffea0007331c00 refcount:1 mapcount:0 mapping:0000000087f49c50 index:0x0 head:ffffea0007331c00 order:3 compound_mapcount:0 compound_pincount:0
[ 24.832209][ C0] flags: 0x200000000010200(slab|head)
[ 24.837566][ C0] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
[ 24.846124][ C0] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 24.854673][ C0] page dumped because: kasan: bad access detected
[ 24.861053][ C0]
[ 24.863353][ C0] Memory state around the buggy address:
[ 24.868962][ C0] ffff8881ccc70f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.877009][ C0] ffff8881ccc70f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.885049][ C0] >ffff8881ccc71000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.893087][ C0] ^
[ 24.900784][ C0] ffff8881ccc71080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.908816][ C0] ffff8881ccc71100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.916842][ C0] ==================================================================
[ 24.924884][ C0] Disabling lock debugging due to kernel taint
[ 24.931012][ C0] Kernel panic - not syncing: panic_on_warn set ...
[ 24.937567][ C0] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 24.946823][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.956857][ C0] Call Trace:
[ 24.960111][ C0]
[ 24.962988][ C0] dump_stack+0xef/0x16e
[ 24.967199][ C0] panic+0x2aa/0x6e1
[ 24.971060][ C0] ? add_taint.cold+0x16/0x16
[ 24.975706][ C0] ? trace_hardirqs_off+0x50/0x200
[ 24.980785][ C0] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 24.985777][ C0] end_report+0x4d/0x53
[ 24.989900][ C0] __kasan_report.cold+0x72/0x7d
[ 24.994818][ C0] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 24.999820][ C0] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 25.004813][ C0] kasan_report+0x33/0x50
[ 25.009110][ C0] ath9k_htc_rx_msg+0xa25/0xaf0
[ 25.013928][ C0] ath9k_hif_usb_reg_in_cb+0x1c0/0x630
[ 25.019355][ C0] ? _raw_read_unlock+0x1a/0x30
[ 25.024176][ C0] ? led_trigger_blink_oneshot+0xb4/0xe0
[ 25.029774][ C0] __usb_hcd_giveback_urb+0x1f2/0x470
[ 25.035123][ C0] usb_hcd_giveback_urb+0x368/0x420
[ 25.040292][ C0] dummy_timer+0x125e/0x32b4
[ 25.044866][ C0] ? dummy_udc_probe+0x980/0x980
[ 25.049772][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.055292][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.060543][ C0] call_timer_fn+0x1ac/0x700
[ 25.065099][ C0] ? dummy_udc_probe+0x980/0x980
[ 25.070011][ C0] ? timer_fixup_init+0x60/0x60
[ 25.074836][ C0] ? lock_downgrade+0x720/0x720
[ 25.079653][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.085167][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.090432][ C0] ? _raw_spin_unlock_irq+0x1f/0x30
[ 25.095598][ C0] ? dummy_udc_probe+0x980/0x980
[ 25.100516][ C0] run_timer_softirq+0x5f9/0x1500
[ 25.105519][ C0] ? add_timer+0x7a0/0x7a0
[ 25.109904][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.115414][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.120681][ C0] __do_softirq+0x21e/0x9aa
[ 25.125163][ C0] irq_exit+0x178/0x1a0
[ 25.129288][ C0] smp_apic_timer_interrupt+0x141/0x540
[ 25.134800][ C0] apic_timer_interrupt+0xf/0x20
[ 25.139700][ C0]
[ 25.142609][ C0] RIP: 0010:default_idle+0x28/0x300
[ 25.147778][ C0] Code: cc cc 41 56 41 55 65 44 8b 2d 94 3f 6b 7a 41 54 55 53 0f 1f 44 00 00 e8 06 27 af fb e9 07 00 00 00 0f 00 2d 7a e1 4b 00 fb f4 <65> 44 8b 2d 70 3f 6b 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
[ 25.168155][ C0] RSP: 0018:ffffffff87007da0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 25.176539][ C0] RAX: 0000000000000007 RBX: ffffffff8702f800 RCX: 0000000000000000
[ 25.184497][ C0] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8703007c
[ 25.192461][ C0] RBP: fffffbfff0e05f00 R08: ffffffff8702f800 R09: 0000000000000000
[ 25.200404][ C0] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 25.208346][ C0] R13: 0000000000000000 R14: ffffffff87e88e00 R15: 0000000000000000
[ 25.216410][ C0] do_idle+0x3e0/0x500
[ 25.220464][ C0] ? rcu_read_lock_held+0x9c/0xb0
[ 25.225480][ C0] ? arch_cpu_idle_exit+0x40/0x40
[ 25.230495][ C0] ? schedule+0xe1/0x2b0
[ 25.234708][ C0] cpu_startup_entry+0x14/0x20
[ 25.239444][ C0] start_kernel+0x9bb/0x9f8
[ 25.243920][ C0] ? mem_encrypt_init+0x5/0x5
[ 25.249523][ C0] ? x86_family+0x3d/0x50
[ 25.254105][ C0] ? load_ucode_bsp+0x23d/0x27d
[ 25.258927][ C0] secondary_startup_64+0xb6/0xc0
[ 25.264430][ C0] Kernel Offset: disabled
[ 25.268748][ C0] Rebooting in 86400 seconds..