Warning: Permanently added '10.128.0.186' (ECDSA) to the list of known hosts.
executing program
[ 23.394856][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 23.914208][ T83] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 23.923336][ T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 23.931451][ T83] usb 1-1: Product: syz
[ 23.935785][ T83] usb 1-1: Manufacturer: syz
[ 23.940359][ T83] usb 1-1: SerialNumber: syz
[ 23.985095][ T83] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 24.573366][ T83] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 24.975090][ T17] usb 1-1: USB disconnect, device number 2
[ 25.822110][ T83] usb 1-1: Service connection timeout for: 256
[ 25.828419][ T83] ==================================================================
[ 25.836673][ T83] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 25.843370][ T83] Read of size 4 at addr ffff8881c31f85d4 by task kworker/1:2/83
[ 25.851058][ T83]
[ 25.853371][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.7.0-rc6-syzkaller #0
[ 25.861494][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.871550][ T83] Workqueue: events request_firmware_work_func
[ 25.877721][ T83] Call Trace:
[ 25.880992][ T83]  dump_stack+0xef/0x16e
[ 25.885215][ T83]  print_address_description.constprop.0.cold+0xd3/0x415
[ 25.892271][ T83]  ? vprintk_func+0x7d/0x113
[ 25.896847][ T83]  ? kfree_skb+0x32/0x3d0
[ 25.901174][ T83]  __kasan_report.cold+0x37/0x7d
[ 25.906092][ T83]  ? kfree_skb+0x32/0x3d0
[ 25.910406][ T83]  ? kfree_skb+0x32/0x3d0
[ 25.914729][ T83]  kasan_report+0x33/0x50
[ 25.919037][ T83]  check_memory_region+0x173/0x1d0
[ 25.924123][ T83]  kfree_skb+0x32/0x3d0
[ 25.928267][ T83]  htc_connect_service.cold+0xa9/0x109
[ 25.933702][ T83]  ath9k_wmi_connect+0xd2/0x1a0
[ 25.938528][ T83]  ? ath9k_fatal_work+0x20/0x20
[ 25.943370][ T83]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 25.949424][ T83]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 25.955033][ T83]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 25.961423][ T83]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 25.966685][ T83]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 25.972207][ T83]  ? __raw_spin_lock_init+0x34/0x100
[ 25.977479][ T83]  ? tasklet_init+0x69/0x110
[ 25.982044][ T83]  ath9k_htc_probe_device+0x25a/0x1da0
[ 25.987479][ T83]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 25.994140][ T83]  ? usb_submit_urb+0x6ed/0x1460
[ 25.999058][ T83]  ? usb_free_urb.part.0+0x52/0x110
[ 26.004238][ T83]  ? usb_free_urb+0x1b/0x30
[ 26.008776][ T83]  ath9k_htc_hw_init+0x31/0x60
[ 26.013539][ T83]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 26.019157][ T83]  ? ath9k_hif_usb_resume+0x320/0x320
[ 26.024510][ T83]  request_firmware_work_func+0x126/0x242
[ 26.030235][ T83]  ? request_firmware_into_buf+0x90/0x90
[ 26.035865][ T83]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.041546][ T83]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 26.046830][ T83]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 26.052037][ T83]  process_one_work+0x965/0x1630
[ 26.056952][ T83]  ? lock_release+0x720/0x720
[ 26.061607][ T83]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 26.066953][ T83]  ? rwlock_bug.part.0+0x90/0x90
[ 26.071867][ T83]  worker_thread+0x96/0xe20
[ 26.076346][ T83]  ? process_one_work+0x1630/0x1630
[ 26.081535][ T83]  kthread+0x326/0x430
[ 26.085593][ T83]  ? kthread_create_on_node+0xf0/0xf0
[ 26.090958][ T83]  ret_from_fork+0x24/0x30
[ 26.095359][ T83]
[ 26.097671][ T83] Allocated by task 83:
[ 26.101806][ T83]  save_stack+0x1b/0x40
[ 26.105938][ T83]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 26.111546][ T83]  kmem_cache_alloc_node+0xdc/0x330
[ 26.116740][ T83]  __alloc_skb+0xba/0x5a0
[ 26.121045][ T83]  htc_connect_service+0x2cc/0x840
[ 26.126131][ T83]  ath9k_wmi_connect+0xd2/0x1a0
[ 26.130956][ T83]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 26.137346][ T83]  ath9k_htc_probe_device+0x25a/0x1da0
[ 26.142781][ T83]  ath9k_htc_hw_init+0x31/0x60
[ 26.147521][ T83]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 26.153130][ T83]  request_firmware_work_func+0x126/0x242
[ 26.159433][ T83]  process_one_work+0x965/0x1630
[ 26.164361][ T83]  worker_thread+0x96/0xe20
[ 26.168847][ T83]  kthread+0x326/0x430
[ 26.172892][ T83]  ret_from_fork+0x24/0x30
[ 26.177278][ T83]
[ 26.179583][ T83] Freed by task 0:
[ 26.183282][ T83]  save_stack+0x1b/0x40
[ 26.187425][ T83]  __kasan_slab_free+0x117/0x160
[ 26.192351][ T83]  kmem_cache_free+0x9b/0x360
[ 26.197052][ T83]  kfree_skbmem+0xef/0x1b0
[ 26.201448][ T83]  kfree_skb+0x102/0x3d0
[ 26.205672][ T83]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 26.211279][ T83]  hif_usb_regout_cb+0x115/0x1c0
[ 26.216202][ T83]  __usb_hcd_giveback_urb+0x29a/0x550
[ 26.221563][ T83]  usb_hcd_giveback_urb+0x368/0x420
[ 26.226736][ T83]  dummy_timer+0x125e/0x32b4
[ 26.231310][ T83]  call_timer_fn+0x1ac/0x700
[ 26.235905][ T83]  run_timer_softirq+0x5f9/0x1500
[ 26.240906][ T83]  __do_softirq+0x21e/0x9aa
[ 26.245391][ T83]
[ 26.247701][ T83] The buggy address belongs to the object at ffff8881c31f8500
[ 26.247701][ T83]  which belongs to the cache skbuff_head_cache of size 224
[ 26.262251][ T83] The buggy address is located 212 bytes inside of
[ 26.262251][ T83]  224-byte region [ffff8881c31f8500, ffff8881c31f85e0)
[ 26.275502][ T83] The buggy address belongs to the page:
[ 26.281113][ T83] page:ffffea00070c7e00 refcount:1 mapcount:0 mapping:0000000071e10a08 index:0x0
[ 26.290192][ T83] flags: 0x200000000000200(slab)
[ 26.295119][ T83] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 26.303694][ T83] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 26.312250][ T83] page dumped because: kasan: bad access detected
[ 26.318639][ T83]
[ 26.320953][ T83] Memory state around the buggy address:
[ 26.326569][ T83]  ffff8881c31f8480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.334616][ T83]  ffff8881c31f8500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.342667][ T83] >ffff8881c31f8580: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 26.350706][ T83]                                                  ^
[ 26.357381][ T83]  ffff8881c31f8600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 26.365432][ T83]  ffff8881c31f8680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.373492][ T83] ==================================================================
[ 26.381535][ T83] Disabling lock debugging due to kernel taint
[ 26.387724][ T83] Kernel panic - not syncing: panic_on_warn set ...
[ 26.394314][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 26.403843][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.414003][ T83] Workqueue: events request_firmware_work_func
[ 26.420145][ T83] Call Trace:
[ 26.423417][ T83]  dump_stack+0xef/0x16e
[ 26.427645][ T83]  panic+0x2aa/0x6e1
[ 26.431524][ T83]  ? add_taint.cold+0x16/0x16
[ 26.436176][ T83]  ? retint_kernel+0x10/0x10
[ 26.440740][ T83]  ? kfree_skb+0x32/0x3d0
[ 26.445051][ T83]  ? trace_hardirqs_on+0x55/0x200
[ 26.450094][ T83]  ? kfree_skb+0x32/0x3d0
[ 26.454398][ T83]  end_report+0x4d/0x53
[ 26.458527][ T83]  __kasan_report.cold+0x72/0x7d
[ 26.463480][ T83]  ? kfree_skb+0x32/0x3d0
[ 26.467808][ T83]  ? kfree_skb+0x32/0x3d0
[ 26.472117][ T83]  kasan_report+0x33/0x50
[ 26.476427][ T83]  check_memory_region+0x173/0x1d0
[ 26.481511][ T83]  kfree_skb+0x32/0x3d0
[ 26.485686][ T83]  htc_connect_service.cold+0xa9/0x109
[ 26.491121][ T83]  ath9k_wmi_connect+0xd2/0x1a0
[ 26.495949][ T83]  ? ath9k_fatal_work+0x20/0x20
[ 26.500902][ T83]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 26.506954][ T83]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 26.512580][ T83]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 26.518971][ T83]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 26.524231][ T83]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 26.529778][ T83]  ? __raw_spin_lock_init+0x34/0x100
[ 26.535052][ T83]  ? tasklet_init+0x69/0x110
[ 26.539629][ T83]  ath9k_htc_probe_device+0x25a/0x1da0
[ 26.545065][ T83]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 26.551712][ T83]  ? usb_submit_urb+0x6ed/0x1460
[ 26.556648][ T83]  ? usb_free_urb.part.0+0x52/0x110
[ 26.561821][ T83]  ? usb_free_urb+0x1b/0x30
[ 26.566303][ T83]  ath9k_htc_hw_init+0x31/0x60
[ 26.571066][ T83]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 26.576678][ T83]  ? ath9k_hif_usb_resume+0x320/0x320
[ 26.582031][ T83]  request_firmware_work_func+0x126/0x242
[ 26.587724][ T83]  ? request_firmware_into_buf+0x90/0x90
[ 26.593328][ T83]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.598847][ T83]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 26.604105][ T83]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 26.609275][ T83]  process_one_work+0x965/0x1630
[ 26.614187][ T83]  ? lock_release+0x720/0x720
[ 26.618841][ T83]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 26.624194][ T83]  ? rwlock_bug.part.0+0x90/0x90
[ 26.629103][ T83]  worker_thread+0x96/0xe20
[ 26.633580][ T83]  ? process_one_work+0x1630/0x1630
[ 26.638752][ T83]  kthread+0x326/0x430
[ 26.642797][ T83]  ? kthread_create_on_node+0xf0/0xf0
[ 26.648141][ T83]  ret_from_fork+0x24/0x30
[ 26.653078][ T83] Kernel Offset: disabled
[ 26.657402][ T83] Rebooting in 86400 seconds..
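Reading the three stacks together tells the whole story. "Allocated by task 83" shows the skb coming from __alloc_skb inside htc_connect_service, on the firmware-callback workqueue that probes the device. "Freed by task 0" shows that same skb released in softirq context by kfree_skb from ath9k_htc_txcompletion_cb, i.e. the USB transport's completion path (hif_usb_regout_cb, run when dummy_hcd gives the URB back). The bug report itself is a third kfree_skb, again in htc_connect_service, issued right after the "Service connection timeout for: 256" message: the emulated device was disconnected at 24.975 s, no response to the service-connect request ever arrived, the wait timed out, and the caller freed a buffer that the transport had already consumed. The shadow bytes confirm it: the whole 224-byte skbuff_head_cache object is marked fb (freed), with fc redzones on either side, and the 4-byte read at offset 212 lands inside that freed header. So this is a double release of a request buffer whose ownership was handed off to an asynchronous completion callback, surfacing as a use-after-free because kfree_skb reads the header before it frees.

The model below is an added example, not code from the syzbot report or from the ath9k driver, that reduces the sequence to its ownership rule. The names hif_submit(), tx_completion(), connect_service() and buf_put() are stand-ins for the driver's request path and for kfree_skb(); buf_put() only counts releases instead of freeing, so the buggy variant can be run in user space without crashing. The fixed variant frees the request only when the submit itself failed and the buffer was never handed to the transport.

```c
#include <errno.h>
#include <stdio.h>

/*
 * Constructed model (not ath9k code) of the ownership mistake in the KASAN
 * report above: a command buffer is handed to an asynchronous send path whose
 * completion callback frees it, and the caller's timeout path frees it again.
 * hif_submit(), tx_completion() and connect_service() are stand-ins for the
 * driver's request path; buf_put() stands in for kfree_skb().
 */

struct cmd_buf {
    int put_count;          /* instrumentation: how often buf_put() ran */
};

struct outcome {
    int ret;                /* what connect_service() returned */
    int frees;              /* total buf_put() calls on the command buffer */
    int double_frees;       /* buf_put() calls on an already-released buffer */
};

/* Device behaviour for one simulated connect attempt. */
enum dev_behaviour {
    DEV_ACKS,               /* firmware answers: the happy path */
    DEV_SILENT,             /* firmware never answers: the host times out */
    DEV_SUBMIT_FAILS        /* the URB cannot be queued at all */
};

/* Instrumented release. A real kfree_skb() reads and then frees the header,
 * and KASAN flags the second call; here we only count, so the buggy variant
 * can be exercised from a test without crashing the process. */
static void buf_put(struct cmd_buf *b, struct outcome *o)
{
    o->frees++;
    if (b->put_count++ > 0)
        o->double_frees++;
}

/* Transport side. On success the transport owns b and will release it from
 * tx_completion(); on failure b is untouched and remains the caller's. */
static int hif_submit(enum dev_behaviour dev, struct cmd_buf *b,
                      struct cmd_buf **pending)
{
    if (dev == DEV_SUBMIT_FAILS)
        return -EIO;
    *pending = b;
    return 0;
}

/* Runs when the URB is given back. It fires whether or not the firmware ever
 * sends the response the caller is waiting for. */
static void tx_completion(struct cmd_buf *b, struct outcome *o)
{
    buf_put(b, o);
}

/*
 * The connect routine. With fixed == 0 it releases the request on timeout,
 * the pattern behind the report; with fixed == 1 it releases the request only
 * when it was never handed to the transport.
 */
static struct outcome connect_service(enum dev_behaviour dev, int fixed)
{
    struct outcome o = {0, 0, 0};
    struct cmd_buf buf = {0};
    struct cmd_buf *pending = NULL;
    int ret;

    ret = hif_submit(dev, &buf, &pending);
    if (ret) {
        buf_put(&buf, &o);          /* not handed off: still ours to release */
        o.ret = ret;
        return o;
    }

    /* The URB completes asynchronously; the transport releases the buffer. */
    tx_completion(pending, &o);

    if (dev == DEV_SILENT) {
        /* wait_for_completion_timeout() expired without a response. */
        if (!fixed)
            buf_put(&buf, &o);      /* BUG: the completion already released it */
        o.ret = -ETIMEDOUT;
        return o;
    }

    o.ret = 0;
    return o;
}

int main(void)
{
    static const char *names[] = { "acks", "silent", "submit-fails" };

    for (int dev = DEV_ACKS; dev <= DEV_SUBMIT_FAILS; dev++) {
        for (int fixed = 0; fixed <= 1; fixed++) {
            struct outcome o = connect_service((enum dev_behaviour)dev, fixed);
            printf("%-12s %s: ret=%d frees=%d double_frees=%d\n",
                   names[dev], fixed ? "fixed" : "buggy",
                   o.ret, o.frees, o.double_frees);
        }
    }
    return 0;
}
```

The check a reviewer applies to any path like this is whether each exit of the caller agrees with the transport about who releases the buffer: a submit that succeeds transfers ownership unconditionally, so neither the timeout branch nor any later error branch may touch the buffer again, while a submit that fails before queueing leaves the buffer with the caller, who must release it exactly once.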