[�[0;32m OK �[0m] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
Starting Load/Save RF Kill Switch Status...
[�[0;32m OK �[0m] Started Update UTMP about System Runlevel Changes.
[�[0;32m OK �[0m] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
syzkaller login: [ 42.382137][ C1] random: crng init done
[ 42.386740][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.0.242' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
[ 49.869544][ T95] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 49.879570][ T83] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 49.887249][ T17] usb 2-1: new high-speed USB device number 2 using dummy_hcd
[ 49.890093][ T12] usb 4-1: new high-speed USB device number 2 using dummy_hcd
[ 49.909893][ T388] usb 6-1: new high-speed USB device number 2 using dummy_hcd
[ 49.917608][ T21] usb 3-1: new high-speed USB device number 2 using dummy_hcd
[ 50.389611][ T95] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 50.400108][ T95] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 50.408106][ T95] usb 1-1: Product: syz
[ 50.412394][ T95] usb 1-1: Manufacturer: syz
[ 50.417303][ T95] usb 1-1: SerialNumber: syz
[ 50.422281][ T12] usb 4-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 50.431841][ T12] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 50.439766][ T17] usb 2-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 50.439990][ T12] usb 4-1: Product: syz
[ 50.449452][ T17] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 50.453541][ T12] usb 4-1: Manufacturer: syz
[ 50.461676][ T17] usb 2-1: Product: syz
[ 50.466280][ T12] usb 4-1: SerialNumber: syz
[ 50.470527][ T17] usb 2-1: Manufacturer: syz
[ 50.470540][ T17] usb 2-1: SerialNumber: syz
[ 50.484625][ T83] usb 5-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 50.493733][ T83] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 50.501810][ T83] usb 5-1: Product: syz
[ 50.505985][ T83] usb 5-1: Manufacturer: syz
[ 50.510636][ T83] usb 5-1: SerialNumber: syz
[ 50.515596][ T388] usb 6-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 50.520737][ T95] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 50.524812][ T388] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 50.533679][ T12] usb 4-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 50.541165][ T388] usb 6-1: Product: syz
[ 50.541177][ T388] usb 6-1: Manufacturer: syz
[ 50.541189][ T388] usb 6-1: SerialNumber: syz
[ 50.541476][ T21] usb 3-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 50.572243][ T21] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 50.580651][ T21] usb 3-1: Product: syz
[ 50.584897][ T21] usb 3-1: Manufacturer: syz
[ 50.589626][ T21] usb 3-1: SerialNumber: syz
[ 50.640304][ T83] usb 5-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 50.650066][ T388] usb 6-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 50.659988][ T17] usb 2-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 50.670008][ T21] usb 3-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 51.169468][ T95] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 51.178561][ T12] usb 4-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 51.269494][ T83] usb 6-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 51.279056][ T21] usb 3-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 51.288470][ T388] usb 2-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 51.297797][ T17] usb 5-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 51.369648][ T376] udc-core: couldn't find an available UDC or it's busy
[ 51.369650][ T383] udc-core: couldn't find an available UDC or it's busy
[ 51.369688][ T383] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 51.376800][ T376] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 51.469703][ T384] udc-core: couldn't find an available UDC or it's busy
[ 51.469734][ T382] udc-core: couldn't find an available UDC or it's busy
[ 51.477010][ T384] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 51.484019][ T382] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 51.495959][ T389] udc-core: couldn't find an available UDC or it's busy
[ 51.500229][ T386] udc-core: couldn't find an available UDC or it's busy
[ 51.505995][ T389] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 51.513237][ T386] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 52.219378][ T95] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[ 52.226528][ T95] ath9k_htc: Failed to initialize the device
[ 52.234352][ T12] ath9k_htc 4-1:1.0: ath9k_htc: Target is unresponsive
[ 52.243072][ T12] ath9k_htc: Failed to initialize the device
[ 52.369363][ T83] ath9k_htc 6-1:1.0: ath9k_htc: Target is unresponsive
[ 52.376450][ T83] ath9k_htc: Failed to initialize the device
[ 52.382872][ T21] ath9k_htc 3-1:1.0: ath9k_htc: Target is unresponsive
[ 52.389936][ T388] ath9k_htc 2-1:1.0: ath9k_htc: Target is unresponsive
[ 52.396892][ T388] ath9k_htc: Failed to initialize the device
[ 52.403020][ T17] ath9k_htc 5-1:1.0: ath9k_htc: Target is unresponsive
[ 52.408316][ T383] udc-core: couldn't find an available UDC or it's busy
[ 52.410302][ T17] ath9k_htc: Failed to initialize the device
[ 52.417189][ T383] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 52.423827][ T376] udc-core: couldn't find an available UDC or it's busy
[ 52.433463][ T398] udc-core: couldn't find an available UDC or it's busy
[ 52.437978][ T376] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 52.438213][ T21] ath9k_htc: Failed to initialize the device
[ 52.445921][ T398] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 52.456036][ T399] udc-core: couldn't find an available UDC or it's busy
[ 52.475178][ T399] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 52.509689][ T384] udc-core: couldn't find an available UDC or it's busy
[ 52.510065][ T400] udc-core: couldn't find an available UDC or it's busy
[ 52.516753][ T384] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 52.524230][ T400] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 52.532569][ T389] udc-core: couldn't find an available UDC or it's busy
[ 52.543274][ T386] udc-core: couldn't find an available UDC or it's busy
[ 52.546289][ T389] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 52.554206][ T386] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 52.562065][ T382] udc-core: couldn't find an available UDC or it's busy
[ 52.573174][ T403] udc-core: couldn't find an available UDC or it's busy
[ 52.576325][ T382] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 52.576663][ T402] udc-core: couldn't find an available UDC or it's busy
[ 52.583520][ T403] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 52.599741][ T401] udc-core: couldn't find an available UDC or it's busy
[ 52.606732][ T402] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 52.622246][ T401] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 52.859368][ C0] ==================================================================
[ 52.867891][ C0] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0xad3/0xf90
[ 52.875770][ C0] Read of size 4 at addr ffff8881ccbfc0dc by task swapper/0/0
[ 52.883390][ C0]
[ 52.885737][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-rc5-syzkaller #0
[ 52.893635][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.903690][ C0] Call Trace:
[ 52.906967][ C0]
[ 52.909819][ C0] dump_stack+0xef/0x16e
[ 52.914101][ C0] print_address_description.constprop.0.cold+0xd3/0x314
[ 52.921146][ C0] ? ath9k_hif_usb_rx_cb+0xad3/0xf90
[ 52.926437][ C0] __kasan_report.cold+0x37/0x92
[ 52.931450][ C0] ? ath9k_hif_usb_rx_cb+0xad3/0xf90
[ 52.936745][ C0] ? ath9k_hif_usb_rx_cb+0xad3/0xf90
[ 52.942023][ C0] kasan_report+0x33/0x50
[ 52.946703][ C0] ath9k_hif_usb_rx_cb+0xad3/0xf90
[ 52.951976][ C0] ? find_held_lock+0x2d/0x110
[ 52.957013][ C0] ? hif_usb_mgmt_cb+0x310/0x310
[ 52.962048][ C0] ? usb_hcd_unmap_urb_setup_for_dma+0x8a/0x470
[ 52.968300][ C0] ? do_raw_read_unlock+0x3b/0x70
[ 52.973591][ C0] ? _raw_read_unlock+0x1a/0x30
[ 52.978633][ C0] __usb_hcd_giveback_urb+0x1f2/0x470
[ 52.984351][ C0] usb_hcd_giveback_urb+0x368/0x420
[ 52.989562][ C0] dummy_timer+0x125e/0x32b4
[ 52.994169][ C0] ? dummy_udc_probe+0x980/0x980
[ 53.000564][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 53.006266][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 53.011656][ C0] call_timer_fn+0x1ac/0x700
[ 53.016254][ C0] ? dummy_udc_probe+0x980/0x980
[ 53.021196][ C0] ? timer_fixup_init+0x60/0x60
[ 53.026821][ C0] ? lock_downgrade+0x720/0x720
[ 53.031701][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 53.037249][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 53.042542][ C0] ? _raw_spin_unlock_irq+0x1f/0x30
[ 53.048027][ C0] ? dummy_udc_probe+0x980/0x980
[ 53.052974][ C0] run_timer_softirq+0x5f9/0x1500
[ 53.057991][ C0] ? add_timer+0x7a0/0x7a0
[ 53.062414][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 53.067968][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 53.073266][ C0] __do_softirq+0x21e/0x9aa
[ 53.077755][ C0] irq_exit+0x178/0x1a0
[ 53.081902][ C0] smp_apic_timer_interrupt+0x141/0x540
[ 53.087446][ C0] apic_timer_interrupt+0xf/0x20
[ 53.092378][ C0]
[ 53.095319][ C0] RIP: 0010:default_idle+0x28/0x300
[ 53.100513][ C0] Code: cc cc 41 56 41 55 65 44 8b 2d 24 83 6b 7a 41 54 55 53 0f 1f 44 00 00 e8 06 69 af fb e9 07 00 00 00 0f 00 2d 0a 25 4c 00 fb f4 <65> 44 8b 2d 00 83 6b 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
[ 53.120483][ C0] RSP: 0018:ffffffff87007da0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 53.128887][ C0] RAX: 0000000000000007 RBX: ffffffff8702f800 RCX: 0000000000000000
[ 53.136877][ C0] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8703007c
[ 53.144041][ T392] usb 1-1: USB disconnect, device number 2
[ 53.144850][ C0] RBP: fffffbfff0e05f00 R08: ffffffff8702f800 R09: 0000000000000000
[ 53.144869][ C0] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 53.167151][ C0] R13: 0000000000000000 R14: ffffffff87e88e80 R15: 0000000000000000
[ 53.175141][ C0] do_idle+0x3e0/0x500
[ 53.179279][ C0] ? rcu_read_lock_held+0x9c/0xb0
[ 53.184326][ C0] ? arch_cpu_idle_exit+0x40/0x40
[ 53.189387][ C0] ? schedule+0xe1/0x2b0
[ 53.193627][ C0] cpu_startup_entry+0x14/0x20
[ 53.198645][ C0] start_kernel+0x9bb/0x9f5
[ 53.203237][ C0] ? mem_encrypt_init+0x5/0x5
[ 53.207941][ C0] ? x86_family+0x3d/0x50
[ 53.212383][ C0] ? load_ucode_bsp+0x23d/0x27d
[ 53.217328][ C0] secondary_startup_64+0xb6/0xc0
[ 53.222365][ C0]
[ 53.224678][ C0] Allocated by task 145:
[ 53.228911][ C0] save_stack+0x1b/0x40
[ 53.233072][ C0] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 53.238702][ C0] kmem_cache_alloc+0xd8/0x300
[ 53.243450][ C0] getname_flags+0xd2/0x5b0
[ 53.247932][ C0] do_mkdirat+0x8d/0x250
[ 53.252249][ C0] do_syscall_64+0xb6/0x5a0
[ 53.256760][ C0] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 53.262643][ C0]
[ 53.264953][ C0] Freed by task 145:
[ 53.268877][ C0] save_stack+0x1b/0x40
[ 53.271855][ T406] usb 2-1: USB disconnect, device number 2
[ 53.273220][ C0] __kasan_slab_free+0x117/0x160
[ 53.273236][ C0] kmem_cache_free+0x9b/0x360
[ 53.289725][ C0] putname+0xe1/0x120
[ 53.293913][ C0] filename_parentat.isra.0+0x38c/0x400
[ 53.299637][ C0] filename_create+0x9e/0x4a0
[ 53.304310][ C0] do_mkdirat+0xa0/0x250
[ 53.308546][ C0] do_syscall_64+0xb6/0x5a0
[ 53.313028][ C0] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 53.318890][ C0]
[ 53.321207][ C0] The buggy address belongs to the object at ffff8881ccbfb300
[ 53.321207][ C0] which belongs to the cache names_cache of size 4096
[ 53.335340][ C0] The buggy address is located 3548 bytes inside of
[ 53.335340][ C0] 4096-byte region [ffff8881ccbfb300, ffff8881ccbfc300)
[ 53.348853][ C0] The buggy address belongs to the page:
[ 53.354494][ C0] page:ffffea000732fe00 refcount:1 mapcount:0 mapping:00000000de9971d4 index:0x0 head:ffffea000732fe00 order:3 compound_mapcount:0 compound_pincount:0
[ 53.369666][ C0] flags: 0x200000000010200(slab|head)
[ 53.375039][ C0] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da11e000
[ 53.383610][ C0] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 53.392177][ C0] page dumped because: kasan: bad access detected
[ 53.398666][ C0]
[ 53.401028][ C0] Memory state around the buggy address:
[ 53.406665][ C0] ffff8881ccbfbf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.414813][ C0] ffff8881ccbfc000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.423010][ C0] >ffff8881ccbfc080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.431052][ C0] ^
[ 53.437961][ C0] ffff8881ccbfc100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.446022][ C0] ffff8881ccbfc180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.454096][ C0] ==================================================================
[ 53.462565][ C0] Disabling lock debugging due to kernel taint
[ 53.468787][ C0] Kernel panic - not syncing: panic_on_warn set ...
[ 53.475371][ C0] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 5.7.0-rc5-syzkaller #0
[ 53.484722][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.494753][ C0] Call Trace:
[ 53.498016][ C0]
[ 53.500851][ C0] dump_stack+0xef/0x16e
[ 53.505071][ C0] panic+0x2aa/0x6e1
[ 53.508940][ C0] ? add_taint.cold+0x16/0x16
[ 53.513593][ C0] ? print_shadow_for_address+0xb8/0x114
[ 53.519200][ C0] ? trace_hardirqs_off+0x50/0x200
[ 53.524299][ C0] ? ath9k_hif_usb_rx_cb+0xad3/0xf90
[ 53.529558][ C0] end_report+0x4d/0x53
[ 53.533698][ C0] __kasan_report.cold+0x72/0x92
[ 53.538623][ C0] ? ath9k_hif_usb_rx_cb+0xad3/0xf90
[ 53.543887][ C0] ? ath9k_hif_usb_rx_cb+0xad3/0xf90
[ 53.549151][ C0] kasan_report+0x33/0x50
[ 53.553458][ C0] ath9k_hif_usb_rx_cb+0xad3/0xf90
[ 53.558549][ C0] ? find_held_lock+0x2d/0x110
[ 53.563287][ C0] ? hif_usb_mgmt_cb+0x310/0x310
[ 53.568211][ C0] ? usb_hcd_unmap_urb_setup_for_dma+0x8a/0x470
[ 53.574428][ C0] ? do_raw_read_unlock+0x3b/0x70
[ 53.579449][ C0] ? _raw_read_unlock+0x1a/0x30
[ 53.584283][ C0] __usb_hcd_giveback_urb+0x1f2/0x470
[ 53.589668][ C0] usb_hcd_giveback_urb+0x368/0x420
[ 53.594885][ C0] dummy_timer+0x125e/0x32b4
[ 53.599816][ C0] ? dummy_udc_probe+0x980/0x980
[ 53.604749][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 53.610275][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 53.615556][ C0] call_timer_fn+0x1ac/0x700
[ 53.620146][ C0] ? dummy_udc_probe+0x980/0x980
[ 53.625059][ C0] ? timer_fixup_init+0x60/0x60
[ 53.629900][ C0] ? lock_downgrade+0x720/0x720
[ 53.634731][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 53.640255][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 53.645540][ C0] ? _raw_spin_unlock_irq+0x1f/0x30
[ 53.651007][ C0] ? dummy_udc_probe+0x980/0x980
[ 53.656128][ C0] run_timer_softirq+0x5f9/0x1500
[ 53.661851][ C0] ? add_timer+0x7a0/0x7a0
[ 53.666251][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 53.671793][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 53.677058][ C0] __do_softirq+0x21e/0x9aa
[ 53.681554][ C0] irq_exit+0x178/0x1a0
[ 53.685688][ C0] smp_apic_timer_interrupt+0x141/0x540
[ 53.691210][ C0] apic_timer_interrupt+0xf/0x20
[ 53.696140][ C0]
[ 53.699059][ C0] RIP: 0010:default_idle+0x28/0x300
[ 53.704510][ C0] Code: cc cc 41 56 41 55 65 44 8b 2d 24 83 6b 7a 41 54 55 53 0f 1f 44 00 00 e8 06 69 af fb e9 07 00 00 00 0f 00 2d 0a 25 4c 00 fb f4 <65> 44 8b 2d 00 83 6b 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
[ 53.724240][ C0] RSP: 0018:ffffffff87007da0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 53.732628][ C0] RAX: 0000000000000007 RBX: ffffffff8702f800 RCX: 0000000000000000
[ 53.740591][ C0] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8703007c
[ 53.748982][ C0] RBP: fffffbfff0e05f00 R08: ffffffff8702f800 R09: 0000000000000000
[ 53.756949][ C0] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 53.764917][ C0] R13: 0000000000000000 R14: ffffffff87e88e80 R15: 0000000000000000
[ 53.772880][ C0] do_idle+0x3e0/0x500
[ 53.776930][ C0] ? rcu_read_lock_held+0x9c/0xb0
[ 53.781974][ C0] ? arch_cpu_idle_exit+0x40/0x40
[ 53.787001][ C0] ? schedule+0xe1/0x2b0
[ 53.791239][ C0] cpu_startup_entry+0x14/0x20
[ 53.796114][ C0] start_kernel+0x9bb/0x9f5
[ 53.800830][ C0] ? mem_encrypt_init+0x5/0x5
[ 53.805491][ C0] ? x86_family+0x3d/0x50
[ 53.809851][ C0] ? load_ucode_bsp+0x23d/0x27d
[ 53.814679][ C0] secondary_startup_64+0xb6/0xc0
[ 53.820518][ C0] Kernel Offset: disabled
[ 53.824830][ C0] Rebooting in 86400 seconds..