[  OK  ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[  OK  ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[  OK  ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
syzkaller login: [ 22.956999][ C1] random: crng init done
[ 22.961261][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.0.76' (ECDSA) to the list of known hosts.
executing program
[ 29.006927][ T115] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 29.526704][ T115] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 29.535905][ T115] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 29.543932][ T115] usb 1-1: Product: syz
[ 29.548142][ T115] usb 1-1: Manufacturer: syz
[ 29.552718][ T115] usb 1-1: SerialNumber: syz
[ 29.597866][ T115] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 30.236236][ T115] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 30.665984][ C0] ==================================================================
[ 30.674153][ C0] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 30.681786][ C0] Read of size 49085 at addr ffff88810cd90000 by task swapper/0/0
[ 30.689572][ C0]
[ 30.691895][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.9.0-syzkaller #0
[ 30.699425][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.709454][ C0] Call Trace:
[ 30.712723][ C0]
[ 30.715552][ C0] dump_stack+0x107/0x163
[ 30.719857][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 30.725131][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 30.730391][ C0] print_address_description.constprop.0+0x1c/0x210
[ 30.737748][ C0] ? lock_acquire+0x1a7/0x830
[ 30.742409][ C0] ? ath9k_hif_usb_rx_cb+0x23e/0xf80
[ 30.747668][ C0] ? vprintk_func+0x93/0x140
[ 30.752233][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 30.757492][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 30.762749][ C0] kasan_report.cold+0x37/0x7c
[ 30.767486][ C0] ? rwlock_bug.part.0+0x40/0x90
[ 30.772481][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 30.777751][ C0] check_memory_region+0xf4/0x1c0
[ 30.782749][ C0] memcpy+0x20/0x60
[ 30.786544][ C0] ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 30.791639][ C0] ? lock_acquire+0x1a7/0x830
[ 30.796288][ C0] ? kcov_remote_start+0xce/0x400
[ 30.801285][ C0] ? hif_usb_start+0xa0/0xa0
[ 30.805850][ C0] ? __usb_hcd_giveback_urb+0x302/0x560
[ 30.811370][ C0] ? lock_downgrade+0x6d0/0x6d0
[ 30.816195][ C0] __usb_hcd_giveback_urb+0x32d/0x560
[ 30.821562][ C0] usb_hcd_giveback_urb+0x367/0x410
[ 30.826865][ C0] dummy_timer+0x11f2/0x3240
[ 30.831446][ C0] ? __lock_acquire+0x16ae/0x5a60
[ 30.836450][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 30.841210][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 30.846112][ C0] call_timer_fn+0x1a5/0x630
[ 30.850695][ C0] ? timer_fixup_init+0x60/0x60
[ 30.855528][ C0] ? lock_downgrade+0x6d0/0x6d0
[ 30.860373][ C0] ? lockdep_hardirqs_on_prepare+0x129/0x3e0
[ 30.866330][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 30.871069][ C0] __run_timers.part.0+0x67c/0xa10
[ 30.876157][ C0] ? call_timer_fn+0x630/0x630
[ 30.880901][ C0] ? lapic_next_event+0x4d/0x80
[ 30.885731][ C0] ? clockevents_program_event+0x12b/0x350
[ 30.891535][ C0] ? tick_program_event+0xa8/0x130
[ 30.896629][ C0] ? hrtimer_interrupt+0x6c0/0x8f0
[ 30.901736][ C0] run_timer_softirq+0x80/0x120
[ 30.906567][ C0] __do_softirq+0x1b1/0x8d1
[ 30.911047][ C0] asm_call_irq_on_stack+0xf/0x20
[ 30.916056][ C0]
[ 30.918974][ C0] do_softirq_own_stack+0x80/0xa0
[ 30.923973][ C0] irq_exit_rcu+0x110/0x1a0
[ 30.928461][ C0] sysvec_apic_timer_interrupt+0x43/0xa0
[ 30.934070][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 30.940035][ C0] RIP: 0010:acpi_idle_do_entry+0x1c9/0x250
[ 30.945814][ C0] Code: bd d6 7f fb 84 db 75 ac e8 44 de 7f fb e8 1f 72 85 fb e9 0c 00 00 00 e8 35 de 7f fb 0f 00 2d de 88 65 00 e8 29 de 7f fb fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 e4 d6 7f fb 48 85 db
[ 30.965392][ C0] RSP: 0018:ffffffff87207d60 EFLAGS: 00000293
[ 30.971452][ C0] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffffffff103b869
[ 30.979406][ C0] RDX: ffffffff872304c0 RSI: ffffffff85bf7667 RDI: ffffffff85bf7651
[ 30.987361][ C0] RBP: ffff888101592064 R08: 0000000000000001 R09: 0000000000000001
[ 30.995330][ C0] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
[ 31.003287][ C0] R13: ffff888101592000 R14: ffff888101592064 R15: ffff888102eb7804
[ 31.011242][ C0] ? acpi_idle_do_entry+0x1c7/0x250
[ 31.016427][ C0] ? acpi_idle_do_entry+0x1b1/0x250
[ 31.021600][ C0] acpi_idle_enter+0x337/0x490
[ 31.026340][ C0] cpuidle_enter_state+0x1a2/0xa80
[ 31.031426][ C0] cpuidle_enter+0x4a/0xa0
[ 31.035831][ C0] do_idle+0x3d5/0x580
[ 31.039886][ C0] ? arch_cpu_idle_exit+0x40/0x40
[ 31.044882][ C0] ? schedule+0xdf/0x270
[ 31.049098][ C0] cpu_startup_entry+0x14/0x20
[ 31.053836][ C0] start_kernel+0x495/0x4b6
[ 31.058325][ C0] secondary_startup_64_no_verify+0xb8/0xbb
[ 31.064204][ C0]
[ 31.066505][ C0] The buggy address belongs to the page:
[ 31.072130][ C0] page:000000005530fd93 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10cd90
[ 31.082347][ C0] head:000000005530fd93 order:3 compound_mapcount:0 compound_pincount:0
[ 31.090990][ C0] flags: 0x200000000010000(head)
[ 31.095905][ C0] raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
[ 31.104462][ C0] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 31.113025][ C0] page dumped because: kasan: bad access detected
[ 31.119405][ C0]
[ 31.121707][ C0] Memory state around the buggy address:
[ 31.127312][ C0] ffff88810cd97f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.135355][ C0] ffff88810cd97f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.143399][ C0] >ffff88810cd98000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.151430][ C0] ^
[ 31.155471][ C0] ffff88810cd98080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.163505][ C0] ffff88810cd98100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.171535][ C0] ==================================================================
[ 31.179566][ C0] Disabling lock debugging due to kernel taint
[ 31.185685][ C0] Kernel panic - not syncing: panic_on_warn set ...
[ 31.192255][ C0] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 5.9.0-syzkaller #0
[ 31.201152][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.211176][ C0] Call Trace:
[ 31.214428][ C0]
[ 31.217254][ C0] dump_stack+0x107/0x163
[ 31.221566][ C0] ? ath9k_hif_usb_rx_cb+0x2b0/0xf80
[ 31.226819][ C0] panic+0x2cb/0x702
[ 31.230683][ C0] ? __warn_printk+0xf3/0xf3
[ 31.235245][ C0] ? do_raw_spin_unlock+0x50/0x1f0
[ 31.240326][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 31.245579][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 31.250832][ C0] end_report+0x58/0x5e
[ 31.254978][ C0] kasan_report.cold+0x72/0x7c
[ 31.259712][ C0] ? rwlock_bug.part.0+0x40/0x90
[ 31.264618][ C0] ? ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 31.269888][ C0] check_memory_region+0xf4/0x1c0
[ 31.274885][ C0] memcpy+0x20/0x60
[ 31.278662][ C0] ath9k_hif_usb_rx_cb+0x3a8/0xf80
[ 31.283743][ C0] ? lock_acquire+0x1a7/0x830
[ 31.288390][ C0] ? kcov_remote_start+0xce/0x400
[ 31.293402][ C0] ? hif_usb_start+0xa0/0xa0
[ 31.297963][ C0] ? __usb_hcd_giveback_urb+0x302/0x560
[ 31.303476][ C0] ? lock_downgrade+0x6d0/0x6d0
[ 31.308295][ C0] __usb_hcd_giveback_urb+0x32d/0x560
[ 31.313637][ C0] usb_hcd_giveback_urb+0x367/0x410
[ 31.318902][ C0] dummy_timer+0x11f2/0x3240
[ 31.323468][ C0] ? __lock_acquire+0x16ae/0x5a60
[ 31.328461][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 31.333192][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 31.337926][ C0] call_timer_fn+0x1a5/0x630
[ 31.342495][ C0] ? timer_fixup_init+0x60/0x60
[ 31.347316][ C0] ? lock_downgrade+0x6d0/0x6d0
[ 31.352146][ C0] ? lockdep_hardirqs_on_prepare+0x129/0x3e0
[ 31.358093][ C0] ? dummy_dequeue+0x4c0/0x4c0
[ 31.362841][ C0] __run_timers.part.0+0x67c/0xa10
[ 31.367923][ C0] ? call_timer_fn+0x630/0x630
[ 31.372655][ C0] ? lapic_next_event+0x4d/0x80
[ 31.377475][ C0] ? clockevents_program_event+0x12b/0x350
[ 31.383261][ C0] ? tick_program_event+0xa8/0x130
[ 31.388352][ C0] ? hrtimer_interrupt+0x6c0/0x8f0
[ 31.393443][ C0] run_timer_softirq+0x80/0x120
[ 31.398274][ C0] __do_softirq+0x1b1/0x8d1
[ 31.402748][ C0] asm_call_irq_on_stack+0xf/0x20
[ 31.407735][ C0]
[ 31.410645][ C0] do_softirq_own_stack+0x80/0xa0
[ 31.415640][ C0] irq_exit_rcu+0x110/0x1a0
[ 31.420563][ C0] sysvec_apic_timer_interrupt+0x43/0xa0
[ 31.426163][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 31.432114][ C0] RIP: 0010:acpi_idle_do_entry+0x1c9/0x250
[ 31.437891][ C0] Code: bd d6 7f fb 84 db 75 ac e8 44 de 7f fb e8 1f 72 85 fb e9 0c 00 00 00 e8 35 de 7f fb 0f 00 2d de 88 65 00 e8 29 de 7f fb fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 e4 d6 7f fb 48 85 db
[ 31.457464][ C0] RSP: 0018:ffffffff87207d60 EFLAGS: 00000293
[ 31.463503][ C0] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffffffff103b869
[ 31.471445][ C0] RDX: ffffffff872304c0 RSI: ffffffff85bf7667 RDI: ffffffff85bf7651
[ 31.479398][ C0] RBP: ffff888101592064 R08: 0000000000000001 R09: 0000000000000001
[ 31.487339][ C0] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
[ 31.495281][ C0] R13: ffff888101592000 R14: ffff888101592064 R15: ffff888102eb7804
[ 31.503239][ C0] ? acpi_idle_do_entry+0x1c7/0x250
[ 31.508416][ C0] ? acpi_idle_do_entry+0x1b1/0x250
[ 31.513607][ C0] acpi_idle_enter+0x337/0x490
[ 31.518340][ C0] cpuidle_enter_state+0x1a2/0xa80
[ 31.523419][ C0] cpuidle_enter+0x4a/0xa0
[ 31.527816][ C0] do_idle+0x3d5/0x580
[ 31.532119][ C0] ? arch_cpu_idle_exit+0x40/0x40
[ 31.537147][ C0] ? schedule+0xdf/0x270
[ 31.541457][ C0] cpu_startup_entry+0x14/0x20
[ 31.546191][ C0] start_kernel+0x495/0x4b6
[ 31.550687][ C0] secondary_startup_64_no_verify+0xb8/0xbb
[ 31.557259][ C0] Kernel Offset: disabled
[ 31.561592][ C0] Rebooting in 86400 seconds..