dhcpcd-9.4.0 starting
dev: loaded udev
DUID 00:04:da:02:67:e5:e5:53:d2:9f:6e:c8:e3:c7:0e:cc:92:0b
forked to background, child pid 1218
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.0.223' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 39.898065][ T581] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 40.418149][ T581] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 40.427251][ T581] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 40.435271][ T581] usb 1-1: Product: syz
[ 40.439456][ T581] usb 1-1: Manufacturer: syz
[ 40.444036][ T581] usb 1-1: SerialNumber: syz
[ 40.491162][ T581] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 41.068135][ T581] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 42.148107][ T581] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[ 42.155211][ T581] ath9k_htc: Failed to initialize the device
executing program
[ 42.297258][ T72] usb 1-1: USB disconnect, device number 2
[ 42.311007][ T72] usb 1-1: ath9k_htc: USB layer deinitialized
[ 42.668061][ T72] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 43.188242][ T72] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 43.197286][ T72] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 43.205317][ T72] usb 1-1: Product: syz
[ 43.209499][ T72] usb 1-1: Manufacturer: syz
[ 43.214084][ T72] usb 1-1: SerialNumber: syz
[ 43.268700][ T72] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 43.838121][ T72] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 44.868045][ T72] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[ 44.874988][ T72] ath9k_htc: Failed to initialize the device
[ 44.881013][ C1] ==================================================================
[ 44.881019][ C1] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0xea7/0x10d0
[ 44.881056][ C1] Read of size 4 at addr ffff888108dd42e8 by task kworker/1:2/72
[ 44.881068][ C1]
[ 44.881072][ C1] CPU: 1 PID: 72 Comm: kworker/1:2 Not tainted 5.19.0-rc4-syzkaller-00140-gc76d09da77d6 #0
[ 44.881086][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
[ 44.881095][ C1] Workqueue: events request_firmware_work_func
[ 44.881120][ C1] Call Trace:
[ 44.881127][ C1]
[ 44.881135][ C1] dump_stack_lvl+0xcd/0x134
[ 44.881160][ C1] print_address_description.constprop.0.cold+0xeb/0x495
[ 44.881192][ C1] ? ath9k_hif_usb_rx_cb+0xea7/0x10d0
[ 44.881217][ C1] kasan_report.cold+0xf4/0x1c6
[ 44.881245][ C1] ? ath9k_hif_usb_rx_cb+0xea7/0x10d0
[ 44.881274][ C1] ath9k_hif_usb_rx_cb+0xea7/0x10d0
[ 44.881303][ C1] ? partition_sched_domains_locked+0x440/0x880
[ 44.881340][ C1] ? hif_usb_start+0xa0/0xa0
[ 44.881366][ C1] ? rwlock_bug.part.0+0x90/0x90
[ 44.881397][ C1] __usb_hcd_giveback_urb+0x2b0/0x5c0
[ 44.881427][ C1] usb_hcd_giveback_urb+0x367/0x410
[ 44.881451][ C1] dummy_timer+0x11f9/0x32b0
[ 44.881483][ C1] ? dummy_dequeue+0x500/0x500
[ 44.881511][ C1] ? dummy_dequeue+0x500/0x500
[ 44.881537][ C1] call_timer_fn+0x1a5/0x6b0
[ 44.881563][ C1] ? timer_fixup_activate+0x350/0x350
[ 44.881592][ C1] ? _raw_spin_unlock_irq+0x1f/0x40
[ 44.881623][ C1] ? _raw_spin_unlock_irq+0x1f/0x40
[ 44.881652][ C1] ? dummy_dequeue+0x500/0x500
[ 44.881680][ C1] __run_timers.part.0+0x679/0xa80
[ 44.881708][ C1] ? call_timer_fn+0x6b0/0x6b0
[ 44.881734][ C1] ? lapic_next_event+0x4d/0x80
[ 44.881764][ C1] run_timer_softirq+0xb3/0x1d0
[ 44.881788][ C1] __do_softirq+0x288/0x9a5
[ 44.881812][ C1] __irq_exit_rcu+0x113/0x170
[ 44.881833][ C1] irq_exit_rcu+0x5/0x20
[ 44.881854][ C1] sysvec_apic_timer_interrupt+0x8e/0xc0
[ 44.881878][ C1]
[ 44.881885][ C1]
[ 44.881892][ C1] asm_sysvec_apic_timer_interrupt+0x1b/0x20
[ 44.881916][ C1] RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x60
[ 44.881944][ C1] Code: 48 89 ef 5d e9 b1 52 34 00 5d be 03 00 00 00 e9 c6 42 d0 00 66 0f 1f 44 00 00 48 8b be a8 01 00 00 e8 b4 ff ff ff 31 c0 c3 90 <65> 8b 05 49 5b bd 7e 89 c1 48 8b 34 24 81 e1 00 01 00 00 65 48 8b
[ 44.881967][ C1] RSP: 0018:ffffc900010278a0 EFLAGS: 00000293
[ 44.881987][ C1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 44.882001][ C1] RDX: ffff88810c899c80 RSI: ffffffff812bcdc5 RDI: 0000000000000007
[ 44.882017][ C1] RBP: ffffc90001027a48 R08: 0000000000000007 R09: 0000000000000000
[ 44.882032][ C1] R10: 0000000000000200 R11: 0000000000000001 R12: 0000000000000001
[ 44.882044][ C1] R13: ffffffff8b8d4ae0 R14: 0000000000000200 R15: ffffffff87ec7098
[ 44.882070][ C1] ? console_emit_next_record.constprop.0+0x4f5/0x840
[ 44.882102][ C1] console_emit_next_record.constprop.0+0x4fb/0x840
[ 44.882131][ C1] ? devkmsg_read+0x730/0x730
[ 44.882157][ C1] ? lock_release+0x780/0x780
[ 44.882183][ C1] console_unlock+0x37a/0x5a0
[ 44.882209][ C1] ? console_emit_next_record.constprop.0+0x840/0x840
[ 44.882239][ C1] ? __down_trylock_console_sem+0x108/0x120
[ 44.882267][ C1] ? kmsg_dump+0x200/0x260
[ 44.882293][ C1] ? vprintk+0x80/0x90
[ 44.882320][ C1] vprintk_emit+0x1b9/0x5f0
[ 44.882347][ C1] vprintk+0x80/0x90
[ 44.882373][ C1] _printk+0xba/0xed
[ 44.882397][ C1] ? record_print_text.cold+0x16/0x16
[ 44.882425][ C1] ? usb_free_urb+0x5c/0x110
[ 44.882448][ C1] ? ath9k_htc_hw_init.cold+0x5/0x1c
[ 44.882475][ C1] ath9k_htc_hw_init.cold+0x17/0x1c
[ 44.882500][ C1] ath9k_hif_usb_firmware_cb+0x274/0x530
[ 44.882530][ C1] ? ath9k_hif_usb_alloc_urbs+0x1050/0x1050
[ 44.882556][ C1] request_firmware_work_func+0x12c/0x230
[ 44.882589][ C1] ? request_partial_firmware_into_buf+0xa0/0xa0
[ 44.882622][ C1] process_one_work+0x996/0x1610
[ 44.882648][ C1] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 44.882676][ C1] ? rwlock_bug.part.0+0x90/0x90
[ 44.882702][ C1] ? _raw_spin_lock_irq+0x41/0x50
[ 44.882733][ C1] worker_thread+0x665/0x1080
[ 44.882761][ C1] ? __kthread_parkme+0x15f/0x220
[ 44.882786][ C1] ? process_one_work+0x1610/0x1610
[ 44.882814][ C1] kthread+0x2ef/0x3a0
[ 44.882837][ C1] ? kthread_complete_and_exit+0x40/0x40
[ 44.882864][ C1] ret_from_fork+0x1f/0x30
[ 44.882893][ C1]
[ 44.882901][ C1]
[ 44.882905][ C1] The buggy address belongs to the physical page:
[ 44.882913][ C1] page:ffffea0004237500 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x108dd4
[ 44.882940][ C1] flags: 0x200000000000000(node=0|zone=2)
[ 44.882969][ C1] raw: 0200000000000000 0000000000000000 ffffea0004237508 0000000000000000
[ 44.882991][ C1] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 44.883004][ C1] page dumped because: kasan: bad access detected
[ 44.883014][ C1] page_owner tracks the page as freed
[ 44.883020][ C1] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 72, tgid 72 (kworker/1:2), ts 43848735537, free_ts 44874966092
[ 44.883066][ C1] get_page_from_freelist+0x138c/0x27a0
[ 44.883095][ C1] __alloc_pages+0x1c7/0x510
[ 44.883119][ C1] alloc_pages+0x1aa/0x310
[ 44.883146][ C1] kmalloc_order+0x34/0xf0
[ 44.883166][ C1] kmalloc_order_trace+0x14/0x120
[ 44.883187][ C1] wiphy_new_nm+0x6f0/0x2080
[ 44.883213][ C1] ieee80211_alloc_hw_nm+0x373/0x2270
[ 44.883236][ C1] ath9k_htc_probe_device+0x97/0x1f00
[ 44.883265][ C1] ath9k_htc_hw_init+0x31/0x60
[ 44.883288][ C1] ath9k_hif_usb_firmware_cb+0x274/0x530
[ 44.883314][ C1] request_firmware_work_func+0x12c/0x230
[ 44.883344][ C1] process_one_work+0x996/0x1610
[ 44.883368][ C1] worker_thread+0x665/0x1080
[ 44.883391][ C1] kthread+0x2ef/0x3a0
[ 44.883412][ C1] ret_from_fork+0x1f/0x30
[ 44.883434][ C1] page last free stack trace:
[ 44.883440][ C1] free_pcp_prepare+0x537/0xb80
[ 44.883463][ C1] free_unref_page+0x19/0x5a0
[ 44.883484][ C1] device_release+0x9f/0x240
[ 44.883506][ C1] kobject_put+0x1c8/0x540
[ 44.883526][ C1] put_device+0x1b/0x30
[ 44.883549][ C1] ath9k_htc_probe_device+0x1c7/0x1f00
[ 44.883577][ C1] ath9k_htc_hw_init+0x31/0x60
[ 44.883600][ C1] ath9k_hif_usb_firmware_cb+0x274/0x530
[ 44.883625][ C1] request_firmware_work_func+0x12c/0x230
[ 44.883655][ C1] process_one_work+0x996/0x1610
[ 44.883679][ C1] worker_thread+0x665/0x1080
[ 44.883702][ C1] kthread+0x2ef/0x3a0
[ 44.883721][ C1] ret_from_fork+0x1f/0x30
[ 44.883743][ C1]
[ 44.883747][ C1] Memory state around the buggy address:
[ 44.883758][ C1] ffff888108dd4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 44.883775][ C1] ffff888108dd4200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 44.883791][ C1] >ffff888108dd4280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 44.883803][ C1] ^
[ 44.883816][ C1] ffff888108dd4300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 44.883833][ C1] ffff888108dd4380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 44.883845][ C1] ==================================================================
[ 44.883854][ C1] Kernel panic - not syncing: panic_on_warn set ...
[ 44.883864][ C1] CPU: 1 PID: 72 Comm: kworker/1:2 Not tainted 5.19.0-rc4-syzkaller-00140-gc76d09da77d6 #0
[ 44.883890][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
[ 44.883904][ C1] Workqueue: events request_firmware_work_func
[ 44.883935][ C1] Call Trace:
[ 44.883941][ C1]
[ 44.883948][ C1] dump_stack_lvl+0xcd/0x134
[ 44.883973][ C1] panic+0x2d7/0x636
[ 44.883998][ C1] ? panic_print_sys_info.part.0+0x10b/0x10b
[ 44.884030][ C1] ? ath9k_hif_usb_rx_cb+0xea7/0x10d0
[ 44.884063][ C1] end_report.part.0+0x3f/0x7c
[ 44.884089][ C1] kasan_report.cold+0x93/0x1c6
[ 44.884114][ C1] ? ath9k_hif_usb_rx_cb+0xea7/0x10d0
[ 44.884140][ C1] ath9k_hif_usb_rx_cb+0xea7/0x10d0
[ 44.884166][ C1] ? partition_sched_domains_locked+0x440/0x880
[ 44.884200][ C1] ? hif_usb_start+0xa0/0xa0
[ 44.884223][ C1] ? rwlock_bug.part.0+0x90/0x90
[ 44.884252][ C1] __usb_hcd_giveback_urb+0x2b0/0x5c0
[ 44.884284][ C1] usb_hcd_giveback_urb+0x367/0x410
[ 44.884316][ C1] dummy_timer+0x11f9/0x32b0
[ 44.884349][ C1] ? dummy_dequeue+0x500/0x500
[ 44.884377][ C1] ? dummy_dequeue+0x500/0x500
[ 44.884402][ C1] call_timer_fn+0x1a5/0x6b0
[ 44.884428][ C1] ? timer_fixup_activate+0x350/0x350
[ 44.884456][ C1] ? _raw_spin_unlock_irq+0x1f/0x40
[ 44.884486][ C1] ? _raw_spin_unlock_irq+0x1f/0x40
[ 44.884515][ C1] ? dummy_dequeue+0x500/0x500
[ 44.884542][ C1] __run_timers.part.0+0x679/0xa80
[ 44.884570][ C1] ? call_timer_fn+0x6b0/0x6b0
[ 44.884595][ C1] ? lapic_next_event+0x4d/0x80
[ 44.884624][ C1] run_timer_softirq+0xb3/0x1d0
[ 44.884651][ C1] __do_softirq+0x288/0x9a5
[ 44.884676][ C1] __irq_exit_rcu+0x113/0x170
[ 44.884699][ C1] irq_exit_rcu+0x5/0x20
[ 44.884722][ C1] sysvec_apic_timer_interrupt+0x8e/0xc0
[ 44.884747][ C1]
[ 44.884754][ C1]
[ 44.884761][ C1] asm_sysvec_apic_timer_interrupt+0x1b/0x20
[ 44.884787][ C1] RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x60
[ 44.884818][ C1] Code: 48 89 ef 5d e9 b1 52 34 00 5d be 03 00 00 00 e9 c6 42 d0 00 66 0f 1f 44 00 00 48 8b be a8 01 00 00 e8 b4 ff ff ff 31 c0 c3 90 <65> 8b 05 49 5b bd 7e 89 c1 48 8b 34 24 81 e1 00 01 00 00 65 48 8b
[ 44.884842][ C1] RSP: 0018:ffffc900010278a0 EFLAGS: 00000293
[ 44.884859][ C1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 44.884875][ C1] RDX: ffff88810c899c80 RSI: ffffffff812bcdc5 RDI: 0000000000000007
[ 44.884891][ C1] RBP: ffffc90001027a48 R08: 0000000000000007 R09: 0000000000000000
[ 44.884906][ C1] R10: 0000000000000200 R11: 0000000000000001 R12: 0000000000000001
[ 44.884921][ C1] R13: ffffffff8b8d4ae0 R14: 0000000000000200 R15: ffffffff87ec7098
[ 44.884939][ C1] ? console_emit_next_record.constprop.0+0x4f5/0x840
[ 44.884970][ C1] console_emit_next_record.constprop.0+0x4fb/0x840
[ 44.885001][ C1] ? devkmsg_read+0x730/0x730
[ 44.885029][ C1] ? lock_release+0x780/0x780
[ 44.885060][ C1] console_unlock+0x37a/0x5a0
[ 44.885086][ C1] ? console_emit_next_record.constprop.0+0x840/0x840
[ 44.885116][ C1] ? __down_trylock_console_sem+0x108/0x120
[ 44.885144][ C1] ? kmsg_dump+0x200/0x260
[ 44.885169][ C1] ? vprintk+0x80/0x90
[ 44.885195][ C1] vprintk_emit+0x1b9/0x5f0
[ 44.885222][ C1] vprintk+0x80/0x90
[ 44.885247][ C1] _printk+0xba/0xed
[ 44.885269][ C1] ? record_print_text.cold+0x16/0x16
[ 44.885296][ C1] ? usb_free_urb+0x5c/0x110
[ 44.885318][ C1] ? ath9k_htc_hw_init.cold+0x5/0x1c
[ 44.885342][ C1] ath9k_htc_hw_init.cold+0x17/0x1c
[ 44.885367][ C1] ath9k_hif_usb_firmware_cb+0x274/0x530
[ 44.885396][ C1] ? ath9k_hif_usb_alloc_urbs+0x1050/0x1050
[ 44.885422][ C1] request_firmware_work_func+0x12c/0x230
[ 44.885453][ C1] ? request_partial_firmware_into_buf+0xa0/0xa0
[ 44.885487][ C1] process_one_work+0x996/0x1610
[ 44.885515][ C1] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 44.885543][ C1] ? rwlock_bug.part.0+0x90/0x90
[ 44.885569][ C1] ? _raw_spin_lock_irq+0x41/0x50
[ 44.885600][ C1] worker_thread+0x665/0x1080
[ 44.885627][ C1] ? __kthread_parkme+0x15f/0x220
[ 44.885649][ C1] ? process_one_work+0x1610/0x1610
[ 44.885675][ C1] kthread+0x2ef/0x3a0
[ 44.885697][ C1] ? kthread_complete_and_exit+0x40/0x40
[ 44.885722][ C1] ret_from_fork+0x1f/0x30
[ 44.885748][ C1]
[ 44.885943][ C1] Kernel Offset: disabled
[ 46.019616][ C1] Rebooting in 86400 seconds..
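The report above carries everything needed for first-pass triage, but reading it by eye is slow: the KASAN header gives the bug class and faulting frame (use-after-free in ath9k_hif_usb_rx_cb), the page_owner section gives the allocation stack (wiphy_new_nm from ath9k_htc_probe_device) and the free stack (put_device from the same ath9k_htc_probe_device, while the worker was printing "Failed to initialize the device"), and the printk caller id shows the access was logged from interrupt/softirq context (C1, a USB URB completion off dummy_hcd's timer) rather than from the firmware worker (T72). The helper below is an added example, not part of the syzbot report or of the kernel: it parses a KASAN report into those fields and names the frames that own the object's lifetime. It splits on the printk prefix rather than on newlines, so it also handles a log that extraction collapsed onto one line, as this page's was. The sample input is a constructed excerpt of the report above; the "plumbing" frame list, the prefix-based driver matching and the two hints in summarize() are heuristics of this example, not kernel semantics.

```python
"""Triage a KASAN report from a syzkaller console log. Added example, not part of
the syzbot report on this page: it pulls out the bug class, faulting frame, access
and alloc/free stacks, then names the frames that own the object's lifetime."""
import re
from dataclasses import dataclass, field

# printk prefix "[   44.881019][    C1] ": timestamp, then caller id, where
# T<pid> means task context and C<cpu> means interrupt/softirq context.
_PREFIX = re.compile(r"\[\s*(\d+\.\d+)\]\[\s*([TC]\d+)\]\s?")
_BUG = re.compile(r"BUG: KASAN: ([\w-]+) in (\S+)")
_ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
_KERNEL = re.compile(r"(?:Not tainted|Tainted:[^0-9]*) (\d+\.\d+\.\d+\S*) #")
_FRAME = re.compile(r"^(?:\?\s*)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Allocator and driver-core plumbing (heuristic list): never the code that owns the object.
_PLUMBING = {"get_page_from_freelist", "__alloc_pages", "kmalloc_order_trace", "__kmalloc",
             "kmem_cache_alloc", "free_pcp_prepare", "free_unref_page", "kfree",
             "device_release", "kobject_put", "put_device"}

@dataclass
class KasanReport:
    bug: str
    frame: str
    in_irq: bool                    # report printed from interrupt/softirq context
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    kernel: str = ""
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)

def split_records(log):
    """(ts, caller, message) records; splitting on the prefix rather than on newlines
    also recovers a log that extraction collapsed onto one line, like the one above."""
    parts = _PREFIX.split(log)      # [pre, ts, caller, msg, ts, caller, msg, ...]
    return [(parts[i], parts[i + 1], parts[i + 2].strip()) for i in range(1, len(parts), 3)]

def parse_kasan(records):
    """Return the first KASAN report in the records, or None."""
    rep, section = None, None
    for _ts, caller, msg in records:
        if rep is None:
            if m := _BUG.match(msg):
                rep = KasanReport(m.group(1), m.group(2), caller.startswith("C"))
            continue
        if msg.startswith("====="):                       # closing rule of the report
            break
        if m := _ACCESS.match(msg):
            rep.access, rep.size = m.group(1), int(m.group(2))
            rep.addr, rep.task = int(m.group(3), 16), m.group(4)
        elif (m := _KERNEL.search(msg)) and not rep.kernel:
            rep.kernel = m.group(1)
        elif msg.startswith(("page last allocated", "Allocated by task")):
            section = rep.alloc_stack                     # page_owner or slab form
        elif msg.startswith(("page last free", "Freed by task")):
            section = rep.free_stack
        elif section is not None:
            if fm := _FRAME.match(msg):
                section.append(fm.group(1))
            else:
                section = None                            # blank line ends the stack
    return rep

def owner_frame(stack):                 # first frame that is not plumbing
    return next((f for f in stack if f not in _PLUMBING), None)

def driver_frame(stack, prefix):        # first frame from the faulting driver
    return next((f for f in stack if f.startswith(prefix + "_")), None)

def summarize(rep):
    prefix = rep.frame.split("+")[0].split("_")[0]
    alloc_in = driver_frame(rep.alloc_stack, prefix)
    free_in = driver_frame(rep.free_stack, prefix)
    out = [f"{rep.bug} in {rep.frame}: {rep.access.lower()} of {rep.size} bytes at "
           f"{rep.addr:#x} by {rep.task} (kernel {rep.kernel})",
           f"allocated by {alloc_in} via {owner_frame(rep.alloc_stack)}",
           f"freed by {free_in} via {owner_frame(rep.free_stack)}"]
    if rep.in_irq:
        out.append("access logged from interrupt/softirq context: look for a completion "
                   "callback that can still run after the owner releases the object")
    if alloc_in and alloc_in == free_in:
        out.append(f"{alloc_in} both allocates and frees it: check its error path for "
                   "cleanup that runs while callbacks are still armed")
    return "\n".join(out)

# Constructed excerpt of the report above, in the collapsed one-line form this page has.
SAMPLE_LOG = (
    "[   44.881013][    C1] ================================================================== "
    "[   44.881019][    C1] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0xea7/0x10d0 "
    "[   44.881056][    C1] Read of size 4 at addr ffff888108dd42e8 by task kworker/1:2/72 "
    "[   44.881072][    C1] CPU: 1 PID: 72 Comm: kworker/1:2 Not tainted 5.19.0-rc4-syzkaller-00140-gc76d09da77d6 #0 "
    "[   44.883020][    C1] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 72, tgid 72 (kworker/1:2), ts 43848735537, free_ts 44874966092 "
    "[   44.883066][    C1]  get_page_from_freelist+0x138c/0x27a0 "
    "[   44.883187][    C1]  wiphy_new_nm+0x6f0/0x2080 "
    "[   44.883236][    C1]  ath9k_htc_probe_device+0x97/0x1f00 "
    "[   44.883434][    C1] page last free stack trace: "
    "[   44.883526][    C1]  put_device+0x1b/0x30 "
    "[   44.883549][    C1]  ath9k_htc_probe_device+0x1c7/0x1f00 "
    "[   44.883743][    C1] "
    "[   44.883845][    C1] ================================================================== "
)

if __name__ == "__main__":
    print(summarize(parse_kasan(split_records(SAMPLE_LOG))))
```

On the excerpt this prints that the object was allocated in ath9k_htc_probe_device via wiphy_new_nm and freed in the same function via put_device, with the access logged from softirq context, which is exactly the shape of bug a reviewer should look for first: a probe error path releasing a device object while a completion callback for an in-flight URB can still dereference it. The slab-style "Allocated by task N:" / "Freed by task N:" sections are handled by the same code path, so the helper is not tied to the page_owner output seen in this report.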