Warning: Permanently added '10.128.0.33' (ECDSA) to the list of known hosts.
executing program
[ 23.495350][ T12] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 24.024329][ T12] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 24.033459][ T12] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 24.041538][ T12] usb 1-1: Product: syz
[ 24.045771][ T12] usb 1-1: Manufacturer: syz
[ 24.050348][ T12] usb 1-1: SerialNumber: syz
[ 24.095167][ T12] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 24.753487][ T12] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 25.155314][ T83] usb 1-1: USB disconnect, device number 2
[ 26.002504][ T12] usb 1-1: Service connection timeout for: 256
[ 26.008864][ T12] ==================================================================
[ 26.017132][ T12] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 26.023801][ T12] Read of size 4 at addr ffff8881c9023c14 by task kworker/0:1/12
[ 26.031631][ T12]
[ 26.033973][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.7.0-rc6-syzkaller #0
[ 26.042109][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.055743][ T12] Workqueue: events request_firmware_work_func
[ 26.061895][ T12] Call Trace:
[ 26.065181][ T12]  dump_stack+0xef/0x16e
[ 26.069412][ T12]  print_address_description.constprop.0.cold+0xd3/0x415
[ 26.076610][ T12]  ? vprintk_func+0x7d/0x113
[ 26.081218][ T12]  ? kfree_skb+0x32/0x3d0
[ 26.085547][ T12]  __kasan_report.cold+0x37/0x7d
[ 26.090519][ T12]  ? kfree_skb+0x32/0x3d0
[ 26.095286][ T12]  ? kfree_skb+0x32/0x3d0
[ 26.099605][ T12]  kasan_report+0x33/0x50
[ 26.103935][ T12]  check_memory_region+0x173/0x1d0
[ 26.109301][ T12]  kfree_skb+0x32/0x3d0
[ 26.113445][ T12]  htc_connect_service.cold+0xa9/0x109
[ 26.118981][ T12]  ath9k_wmi_connect+0xd2/0x1a0
[ 26.123833][ T12]  ? ath9k_fatal_work+0x20/0x20
[ 26.128765][ T12]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 26.134892][ T12]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 26.140529][ T12]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 26.147125][ T12]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 26.152404][ T12]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 26.157953][ T12]  ? __raw_spin_lock_init+0x34/0x100
[ 26.163266][ T12]  ? tasklet_init+0x69/0x110
[ 26.167841][ T12]  ath9k_htc_probe_device+0x25a/0x1da0
[ 26.173351][ T12]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 26.180127][ T12]  ? usb_submit_urb+0x6ed/0x1460
[ 26.185061][ T12]  ? usb_free_urb.part.0+0x52/0x110
[ 26.190358][ T12]  ? usb_free_urb+0x1b/0x30
[ 26.195736][ T12]  ath9k_htc_hw_init+0x31/0x60
[ 26.200540][ T12]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 26.206308][ T12]  ? ath9k_hif_usb_resume+0x320/0x320
[ 26.211695][ T12]  request_firmware_work_func+0x126/0x242
[ 26.217415][ T12]  ? request_firmware_into_buf+0x90/0x90
[ 26.223310][ T12]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.228842][ T12]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 26.234119][ T12]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 26.239321][ T12]  process_one_work+0x965/0x1630
[ 26.244363][ T12]  ? lock_release+0x720/0x720
[ 26.249026][ T12]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 26.254382][ T12]  ? rwlock_bug.part.0+0x90/0x90
[ 26.259303][ T12]  worker_thread+0x96/0xe20
[ 26.264059][ T12]  ? process_one_work+0x1630/0x1630
[ 26.269268][ T12]  kthread+0x326/0x430
[ 26.273419][ T12]  ? kthread_create_on_node+0xf0/0xf0
[ 26.278787][ T12]  ret_from_fork+0x24/0x30
[ 26.283205][ T12]
[ 26.285641][ T12] Allocated by task 12:
[ 26.289837][ T12]  save_stack+0x1b/0x40
[ 26.294062][ T12]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 26.300113][ T12]  kmem_cache_alloc_node+0xdc/0x330
[ 26.305379][ T12]  __alloc_skb+0xba/0x5a0
[ 26.309904][ T12]  htc_connect_service+0x2cc/0x840
[ 26.315112][ T12]  ath9k_wmi_connect+0xd2/0x1a0
[ 26.319964][ T12]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 26.326364][ T12]  ath9k_htc_probe_device+0x25a/0x1da0
[ 26.331903][ T12]  ath9k_htc_hw_init+0x31/0x60
[ 26.336656][ T12]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 26.342296][ T12]  request_firmware_work_func+0x126/0x242
[ 26.348083][ T12]  process_one_work+0x965/0x1630
[ 26.353034][ T12]  worker_thread+0x96/0xe20
[ 26.357608][ T12]  kthread+0x326/0x430
[ 26.361769][ T12]  ret_from_fork+0x24/0x30
[ 26.367563][ T12]
[ 26.369871][ T12] Freed by task 378:
[ 26.373780][ T12]  save_stack+0x1b/0x40
[ 26.378176][ T12]  __kasan_slab_free+0x117/0x160
[ 26.383093][ T12]  kmem_cache_free+0x9b/0x360
[ 26.387849][ T12]  kfree_skbmem+0xef/0x1b0
[ 26.392262][ T12]  kfree_skb+0x102/0x3d0
[ 26.396499][ T12]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 26.402124][ T12]  hif_usb_regout_cb+0x115/0x1c0
[ 26.407062][ T12]  __usb_hcd_giveback_urb+0x29a/0x550
[ 26.412492][ T12]  usb_hcd_giveback_urb+0x368/0x420
[ 26.417676][ T12]  dummy_timer+0x125e/0x32b4
[ 26.422348][ T12]  call_timer_fn+0x1ac/0x700
[ 26.426917][ T12]  run_timer_softirq+0x5f9/0x1500
[ 26.431934][ T12]  __do_softirq+0x21e/0x9aa
[ 26.436426][ T12]
[ 26.438746][ T12] The buggy address belongs to the object at ffff8881c9023b40
[ 26.438746][ T12]  which belongs to the cache skbuff_head_cache of size 224
[ 26.453324][ T12] The buggy address is located 212 bytes inside of
[ 26.453324][ T12]  224-byte region [ffff8881c9023b40, ffff8881c9023c20)
[ 26.466589][ T12] The buggy address belongs to the page:
[ 26.472222][ T12] page:ffffea00072408c0 refcount:1 mapcount:0 mapping:00000000c62404eb index:0x0
[ 26.481309][ T12] flags: 0x200000000000200(slab)
[ 26.486237][ T12] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 26.494811][ T12] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 26.503735][ T12] page dumped because: kasan: bad access detected
[ 26.510143][ T12]
[ 26.512459][ T12] Memory state around the buggy address:
[ 26.518166][ T12]  ffff8881c9023b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 26.526213][ T12]  ffff8881c9023b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.534634][ T12] >ffff8881c9023c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.543281][ T12]                                ^
[ 26.547864][ T12]  ffff8881c9023c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.555932][ T12]  ffff8881c9023d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 26.563978][ T12] ==================================================================
[ 26.572033][ T12] Disabling lock debugging due to kernel taint
[ 26.578339][ T12] Kernel panic - not syncing: panic_on_warn set ...
[ 26.584938][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G    B             5.7.0-rc6-syzkaller #0
[ 26.594469][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.604531][ T12] Workqueue: events request_firmware_work_func
[ 26.610680][ T12] Call Trace:
[ 26.614087][ T12]  dump_stack+0xef/0x16e
[ 26.618329][ T12]  panic+0x2aa/0x6e1
[ 26.622216][ T12]  ? add_taint.cold+0x16/0x16
[ 26.626884][ T12]  ? retint_kernel+0x10/0x10
[ 26.631725][ T12]  ? kfree_skb+0x32/0x3d0
[ 26.636290][ T12]  ? trace_hardirqs_on+0x55/0x200
[ 26.641407][ T12]  ? kfree_skb+0x32/0x3d0
[ 26.646079][ T12]  end_report+0x4d/0x53
[ 26.650247][ T12]  __kasan_report.cold+0x72/0x7d
[ 26.655191][ T12]  ? kfree_skb+0x32/0x3d0
[ 26.659524][ T12]  ? kfree_skb+0x32/0x3d0
[ 26.663954][ T12]  kasan_report+0x33/0x50
[ 26.668289][ T12]  check_memory_region+0x173/0x1d0
[ 26.673381][ T12]  kfree_skb+0x32/0x3d0
[ 26.677525][ T12]  htc_connect_service.cold+0xa9/0x109
[ 26.683116][ T12]  ath9k_wmi_connect+0xd2/0x1a0
[ 26.688163][ T12]  ? ath9k_fatal_work+0x20/0x20
[ 26.693012][ T12]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 26.699083][ T12]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 26.705017][ T12]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 26.711639][ T12]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 26.717349][ T12]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 26.723228][ T12]  ? __raw_spin_lock_init+0x34/0x100
[ 26.728855][ T12]  ? tasklet_init+0x69/0x110
[ 26.733454][ T12]  ath9k_htc_probe_device+0x25a/0x1da0
[ 26.738935][ T12]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 26.745617][ T12]  ? usb_submit_urb+0x6ed/0x1460
[ 26.750563][ T12]  ? usb_free_urb.part.0+0x52/0x110
[ 26.755792][ T12]  ? usb_free_urb+0x1b/0x30
[ 26.760423][ T12]  ath9k_htc_hw_init+0x31/0x60
[ 26.765193][ T12]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 26.770832][ T12]  ? ath9k_hif_usb_resume+0x320/0x320
[ 26.776205][ T12]  request_firmware_work_func+0x126/0x242
[ 26.787463][ T12]  ? request_firmware_into_buf+0x90/0x90
[ 26.793429][ T12]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.798980][ T12]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 26.804268][ T12]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 26.809462][ T12]  process_one_work+0x965/0x1630
[ 26.814386][ T12]  ? lock_release+0x720/0x720
[ 26.819051][ T12]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 26.824540][ T12]  ? rwlock_bug.part.0+0x90/0x90
[ 26.829499][ T12]  worker_thread+0x96/0xe20
[ 26.833986][ T12]  ? process_one_work+0x1630/0x1630
[ 26.839374][ T12]  kthread+0x326/0x430
[ 26.843604][ T12]  ? kthread_create_on_node+0xf0/0xf0
[ 26.848971][ T12]  ret_from_fork+0x24/0x30
[ 26.854145][ T12] Kernel Offset: disabled
[ 26.860779][ T12] Rebooting in 86400 seconds..