[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

syzkaller login: [ 22.956999][ C1] random: crng init done
[ 22.961261][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.0.76' (ECDSA) to the list of known hosts.
executing program
[ 29.006927][ T115] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 29.526704][ T115] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 29.535905][ T115] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 29.543932][ T115] usb 1-1: Product: syz
[ 29.548142][ T115] usb 1-1: Manufacturer: syz
[ 29.552718][ T115] usb 1-1: SerialNumber: syz
[ 29.597866][ T115] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 30.236236][ T115] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 30.665984][ C0] ==================================================================
[ 30.674153][ C0] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 30.681786][ C0] Read of size 49085 at addr ffff88810cd90000 by task swapper/0/0
[ 30.689572][ C0]
[ 30.691895][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.9.0-syzkaller #0
[ 30.699425][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.709454][ C0] Call Trace:
[ 30.712723][ C0]
[ 30.715552][ C0] dump_stack+0x107/0x163
[ 30.719857][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 30.725131][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 30.730391][ C0] print_address_description.constprop.0+0x1c/0x210
[ 30.737748][ C0] ? lock_acquire+0x1a7/0x830
[ 30.742409][ C0] ? ath9k_hif_usb_rx_cb+0x23e/0xf80
[ 30.747668][ C0] ? vprintk_func+0x93/0x140
[ 30.752233][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 30.757492][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 30.762749][ C0] kasan_report.cold+0x37/0x7c
[ 30.767486][ C0] ? rwlock_bug.part.0+0x40/0x90
[ 30.772481][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 30.777751][ C0] check_memory_region+0xf4/0x1c0
[ 30.782749][ C0] memcpy+0x20/0x60
[ 30.786544][ C0] ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 30.791639][ C0] ? lock_acquire+0x1a7/0x830
[ 30.796288][ C0] ? kcov_remote_start+0xce/0x400
[ 30.801285][ C0] ? hif_usb_start+0xa0/0xa0
[ 30.805850][ C0] ? __usb_hcd_giveback_urb+0x302/0x560
[ 30.811370][ C0] ? lock_downgrade+0x6d0/0x6d0
[ 30.816195][ C0] __usb_hcd_giveback_urb+0x32d/0x560
[ 30.821562][ C0] usb_hcd_giveback_urb+0x367/0x410
[ 30.826865][ C0] dummy_timer+0x11f2/0x3240
[ 30.831446][ C0] ? __lock_acquire+0x16ae/0x5a60
[ 30.836450][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 30.841210][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 30.846112][ C0] call_timer_fn+0x1a5/0x630
[ 30.850695][ C0] ? timer_fixup_init+0x60/0x60
[ 30.855528][ C0] ? lock_downgrade+0x6d0/0x6d0
[ 30.860373][ C0] ? lockdep_hardirqs_on_prepare+0x129/0x3e0
[ 30.866330][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 30.871069][ C0] __run_timers.part.0+0x67c/0xa10
[ 30.876157][ C0] ? call_timer_fn+0x630/0x630
[ 30.880901][ C0] ? lapic_next_event+0x4d/0x80
[ 30.885731][ C0] ? clockevents_program_event+0x12b/0x350
[ 30.891535][ C0] ? tick_program_event+0xa8/0x130
[ 30.896629][ C0] ? hrtimer_interrupt+0x6c0/0x8f0
[ 30.901736][ C0] run_timer_softirq+0x80/0x120
[ 30.906567][ C0] __do_softirq+0x1b1/0x8d1
[ 30.911047][ C0] asm_call_irq_on_stack+0xf/0x20
[ 30.916056][ C0]
[ 30.918974][ C0] do_softirq_own_stack+0x80/0xa0
[ 30.923973][ C0] irq_exit_rcu+0x110/0x1a0
[ 30.928461][ C0] sysvec_apic_timer_interrupt+0x43/0xa0
[ 30.934070][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 30.940035][ C0] RIP: 0010:acpi_idle_do_entry+0x1c9/0x250
[ 30.945814][ C0] Code: bd d6 7f fb 84 db 75 ac e8 44 de 7f fb e8 1f 72 85 fb e9 0c 00 00 00 e8 35 de 7f fb 0f 00 2d de 88 65 00 e8 29 de 7f fb fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 e4 d6 7f fb 48 85 db
[ 30.965392][ C0] RSP: 0018:ffffffff87207d60 EFLAGS: 00000293
[ 30.971452][ C0] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffffffff103b869
[ 30.979406][ C0] RDX: ffffffff872304c0 RSI: ffffffff85bf7667 RDI: ffffffff85bf7651
[ 30.987361][ C0] RBP: ffff888101592064 R08: 0000000000000001 R09: 0000000000000001
[ 30.995330][ C0] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
[ 31.003287][ C0] R13: ffff888101592000 R14: ffff888101592064 R15: ffff888102eb7804
[ 31.011242][ C0] ? acpi_idle_do_entry+0x1c7/0x250
[ 31.016427][ C0] ? acpi_idle_do_entry+0x1b1/0x250
[ 31.021600][ C0] acpi_idle_enter+0x337/0x490
[ 31.026340][ C0] cpuidle_enter_state+0x1a2/0xa80
[ 31.031426][ C0] cpuidle_enter+0x4a/0xa0
[ 31.035831][ C0] do_idle+0x3d5/0x580
[ 31.039886][ C0] ? arch_cpu_idle_exit+0x40/0x40
[ 31.044882][ C0] ? schedule+0xdf/0x270
[ 31.049098][ C0] cpu_startup_entry+0x14/0x20
[ 31.053836][ C0] start_kernel+0x495/0x4b6
[ 31.058325][ C0] secondary_startup_64_no_verify+0xb8/0xbb
[ 31.064204][ C0]
[ 31.066505][ C0] The buggy address belongs to the page:
[ 31.072130][ C0] page:000000005530fd93 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10cd90
[ 31.082347][ C0] head:000000005530fd93 order:3 compound_mapcount:0 compound_pincount:0
[ 31.090990][ C0] flags: 0x200000000010000(head)
[ 31.095905][ C0] raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
[ 31.104462][ C0] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 31.113025][ C0] page dumped because: kasan: bad access detected
[ 31.119405][ C0]
[ 31.121707][ C0] Memory state around the buggy address:
[ 31.127312][ C0] ffff88810cd97f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.135355][ C0] ffff88810cd97f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.143399][ C0] >ffff88810cd98000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.151430][ C0]                    ^
[ 31.155471][ C0] ffff88810cd98080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.163505][ C0] ffff88810cd98100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.171535][ C0] ==================================================================
[ 31.179566][ C0] Disabling lock debugging due to kernel taint
[ 31.185685][ C0] Kernel panic - not syncing: panic_on_warn set ...
[ 31.192255][ C0] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 5.9.0-syzkaller #0
[ 31.201152][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.211176][ C0] Call Trace:
[ 31.214428][ C0]
[ 31.217254][ C0] dump_stack+0x107/0x163
[ 31.221566][ C0] ? ath9k_hif_usb_rx_cb+0x2b0/0xf80
[ 31.226819][ C0] panic+0x2cb/0x702
[ 31.230683][ C0] ? __warn_printk+0xf3/0xf3
[ 31.235245][ C0] ? do_raw_spin_unlock+0x50/0x1f0
[ 31.240326][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 31.245579][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 31.250832][ C0] end_report+0x58/0x5e
[ 31.254978][ C0] kasan_report.cold+0x72/0x7c
[ 31.259712][ C0] ? rwlock_bug.part.0+0x40/0x90
[ 31.264618][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 31.269888][ C0] check_memory_region+0xf4/0x1c0
[ 31.274885][ C0] memcpy+0x20/0x60
[ 31.278662][ C0] ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 31.283743][ C0] ? lock_acquire+0x1a7/0x830
[ 31.288390][ C0] ? kcov_remote_start+0xce/0x400
[ 31.293402][ C0] ? hif_usb_start+0xa0/0xa0
[ 31.297963][ C0] ? __usb_hcd_giveback_urb+0x302/0x560
[ 31.303476][ C0] ? lock_downgrade+0x6d0/0x6d0
[ 31.308295][ C0] __usb_hcd_giveback_urb+0x32d/0x560
[ 31.313637][ C0] usb_hcd_giveback_urb+0x367/0x410
[ 31.318902][ C0] dummy_timer+0x11f2/0x3240
[ 31.323468][ C0] ? __lock_acquire+0x16ae/0x5a60
[ 31.328461][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 31.333192][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 31.337926][ C0] call_timer_fn+0x1a5/0x630
[ 31.342495][ C0] ? timer_fixup_init+0x60/0x60
[ 31.347316][ C0] ? lock_downgrade+0x6d0/0x6d0
[ 31.352146][ C0] ? lockdep_hardirqs_on_prepare+0x129/0x3e0
[ 31.358093][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 31.362841][ C0] __run_timers.part.0+0x67c/0xa10
[ 31.367923][ C0] ? call_timer_fn+0x630/0x630
[ 31.372655][ C0] ? lapic_next_event+0x4d/0x80
[ 31.377475][ C0] ? clockevents_program_event+0x12b/0x350
[ 31.383261][ C0] ? tick_program_event+0xa8/0x130
[ 31.388352][ C0] ? hrtimer_interrupt+0x6c0/0x8f0
[ 31.393443][ C0] run_timer_softirq+0x80/0x120
[ 31.398274][ C0] __do_softirq+0x1b1/0x8d1
[ 31.402748][ C0] asm_call_irq_on_stack+0xf/0x20
[ 31.407735][ C0]
[ 31.410645][ C0] do_softirq_own_stack+0x80/0xa0
[ 31.415640][ C0] irq_exit_rcu+0x110/0x1a0
[ 31.420563][ C0] sysvec_apic_timer_interrupt+0x43/0xa0
[ 31.426163][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 31.432114][ C0] RIP: 0010:acpi_idle_do_entry+0x1c9/0x250
[ 31.437891][ C0] Code: bd d6 7f fb 84 db 75 ac e8 44 de 7f fb e8 1f 72 85 fb e9 0c 00 00 00 e8 35 de 7f fb 0f 00 2d de 88 65 00 e8 29 de 7f fb fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 e4 d6 7f fb 48 85 db
[ 31.457464][ C0] RSP: 0018:ffffffff87207d60 EFLAGS: 00000293
[ 31.463503][ C0] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffffffff103b869
[ 31.471445][ C0] RDX: ffffffff872304c0 RSI: ffffffff85bf7667 RDI: ffffffff85bf7651
[ 31.479398][ C0] RBP: ffff888101592064 R08: 0000000000000001 R09: 0000000000000001
[ 31.487339][ C0] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
[ 31.495281][ C0] R13: ffff888101592000 R14: ffff888101592064 R15: ffff888102eb7804
[ 31.503239][ C0] ? acpi_idle_do_entry+0x1c7/0x250
[ 31.508416][ C0] ? acpi_idle_do_entry+0x1b1/0x250
[ 31.513607][ C0] acpi_idle_enter+0x337/0x490
[ 31.518340][ C0] cpuidle_enter_state+0x1a2/0xa80
[ 31.523419][ C0] cpuidle_enter+0x4a/0xa0
[ 31.527816][ C0] do_idle+0x3d5/0x580
[ 31.532119][ C0] ? arch_cpu_idle_exit+0x40/0x40
[ 31.537147][ C0] ? schedule+0xdf/0x270
[ 31.541457][ C0] cpu_startup_entry+0x14/0x20
[ 31.546191][ C0] start_kernel+0x495/0x4b6
[ 31.550687][ C0] secondary_startup_64_no_verify+0xb8/0xbb
[ 31.557259][ C0] Kernel Offset: disabled
[ 31.561592][ C0] Rebooting in 86400 seconds..