[ 12.886565][ C1] random: crng init done
[ 12.888055][ C1] random: 7 urandom warning(s) missed due to ratelimiting

Debian GNU/Linux 9 syzkaller ttyS0

syzkaller login: [ 23.735434][ T345] can: request_module (can-proto-0) failed.
[ 24.058956][ T345] can: request_module (can-proto-0) failed.
[ 24.068877][ T345] can: request_module (can-proto-7) failed.
[ 24.078712][ T345] can: request_module (can-proto-0) failed.
Warning: Permanently added '10.128.0.210' (ECDSA) to the list of known hosts.
2020/04/01 10:13:25 parsed 1 programs
2020/04/01 10:13:25 executed programs: 0
[ 31.324614][ T517] cgroup: Unknown subsys name 'perf_event'
[ 31.325535][ T516] cgroup: Unknown subsys name 'perf_event'
[ 31.331769][ T519] cgroup: Unknown subsys name 'perf_event'
[ 31.344550][ T517] cgroup: Unknown subsys name 'net_cls'
[ 31.351637][ T521] cgroup: Unknown subsys name 'perf_event'
[ 31.353714][ T523] cgroup: Unknown subsys name 'perf_event'
[ 31.357639][ T521] cgroup: Unknown subsys name 'net_cls'
[ 31.364893][ T524] cgroup: Unknown subsys name 'perf_event'
[ 31.372657][ T516] cgroup: Unknown subsys name 'net_cls'
[ 31.380001][ T523] cgroup: Unknown subsys name 'net_cls'
[ 31.381708][ T519] cgroup: Unknown subsys name 'net_cls'
[ 31.388596][ T524] cgroup: Unknown subsys name 'net_cls'
[ 39.495980][ T17] usb 4-1: new high-speed USB device number 2 using dummy_hcd
[ 39.565337][ T166] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 39.695090][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 39.702672][ T3208] usb 3-1: new high-speed USB device number 2 using dummy_hcd
[ 39.755049][ T95] usb 2-1: new high-speed USB device number 2 using dummy_hcd
[ 39.785045][ T12] usb 6-1: new high-speed USB device number 2 using dummy_hcd
[ 39.885134][ T17] usb 4-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 39.894346][ T17] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 39.902550][ T17] usb 4-1: Product: syz
[ 39.907130][ T17] usb 4-1: Manufacturer: syz
[ 39.911857][ T17] usb 4-1: SerialNumber: syz
[ 39.955231][ T166] usb 5-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 39.964592][ T166] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 39.972667][ T166] usb 5-1: Product: syz
[ 39.976960][ T166] usb 5-1: Manufacturer: syz
[ 39.981540][ T166] usb 5-1: SerialNumber: syz
[ 39.987575][ T17] usb 4-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 39.995898][ T17] ath9k_debug ath9k_hif_usb_probe, 1307
[ 40.045470][ T166] usb 5-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 40.053910][ T166] ath9k_debug ath9k_hif_usb_probe, 1307
[ 40.102701][ T17] ath9k_debug ath9k_hif_usb_firmware_cb, 1162
[ 40.109022][ T17] ath9k_debug ath9k_hif_usb_firmware_cb, 1174
[ 40.115211][ T83] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 40.124242][ T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 40.132357][ T83] usb 1-1: Product: syz
[ 40.136718][ T83] usb 1-1: Manufacturer: syz
[ 40.141313][ T83] usb 1-1: SerialNumber: syz
[ 40.146233][ T3208] usb 3-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 40.155515][ T3208] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 40.163494][ T3208] usb 3-1: Product: syz
[ 40.167710][ T3208] usb 3-1: Manufacturer: syz
[ 40.172306][ T3208] usb 3-1: SerialNumber: syz
[ 40.175014][ T95] usb 2-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 40.177470][ T166] ath9k_debug ath9k_hif_usb_firmware_cb, 1162
[ 40.186216][ T95] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 40.192261][ T166] ath9k_debug ath9k_hif_usb_firmware_cb, 1174
[ 40.200296][ T95] usb 2-1: Product: syz
[ 40.210646][ T95] usb 2-1: Manufacturer: syz
[ 40.215307][ T95] usb 2-1: SerialNumber: syz
[ 40.245884][ T83] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 40.254066][ T83] ath9k_debug ath9k_hif_usb_probe, 1307
[ 40.260857][ T3208] usb 3-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 40.264998][ T12] usb 6-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 40.269216][ T3208] ath9k_debug ath9k_hif_usb_probe, 1307
[ 40.278087][ T12] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 40.288458][ T3208] ath9k_debug ath9k_hif_usb_firmware_cb, 1162
[ 40.291627][ T12] usb 6-1: Product: syz
[ 40.297712][ T3208] ath9k_debug ath9k_hif_usb_firmware_cb, 1174
[ 40.301793][ T12] usb 6-1: Manufacturer: syz
[ 40.308207][ T83] ath9k_debug ath9k_hif_usb_firmware_cb, 1162
[ 40.312455][ T12] usb 6-1: SerialNumber: syz
[ 40.318616][ T83] ath9k_debug ath9k_hif_usb_firmware_cb, 1174
[ 40.325994][ T95] usb 2-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 40.337438][ T95] ath9k_debug ath9k_hif_usb_probe, 1307
[ 40.356854][ T95] ath9k_debug ath9k_hif_usb_firmware_cb, 1162
[ 40.363107][ T95] ath9k_debug ath9k_hif_usb_firmware_cb, 1174
[ 40.405463][ T12] usb 6-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 40.413663][ T12] ath9k_debug ath9k_hif_usb_probe, 1307
[ 40.425617][ T12] ath9k_debug ath9k_hif_usb_firmware_cb, 1162
[ 40.431713][ T12] ath9k_debug ath9k_hif_usb_firmware_cb, 1174
[ 40.764953][ T17] usb 4-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 40.804819][ T166] usb 5-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 40.874773][ T3208] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 40.894717][ T83] usb 3-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 40.974745][ C1] ==================================================================
[ 40.983067][ C1] BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0
[ 40.984729][ T95] usb 2-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 40.990419][ C1] Write of size 2 at addr ffff8881c95d81b0 by task swapper/1/0
[ 40.990430][ C1]
[ 41.009369][ C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc7-syzkaller #0
[ 41.017291][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.027444][ C1] Call Trace:
[ 41.030773][ C1]
[ 41.033622][ C1]  dump_stack+0xef/0x16e
[ 41.037848][ C1]  ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 41.042858][ C1]  ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 41.048035][ C1]  print_address_description.constprop.0.cold+0xd3/0x314
[ 41.055192][ C1]  ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 41.060216][ C1]  ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 41.065233][ C1]  __kasan_report.cold+0x37/0x77
[ 41.070184][ C1]  ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 41.075199][ C1]  kasan_report+0xe/0x20
[ 41.079437][ C1]  ath9k_htc_rx_msg+0xa25/0xaf0
[ 41.084267][ C1]  ath9k_hif_usb_reg_in_cb+0x1ba/0x630
[ 41.089722][ C1]  ? _raw_read_unlock+0x1a/0x30
[ 41.094577][ C1]  ? led_trigger_blink_oneshot+0xb4/0xe0
[ 41.100207][ C1]  __usb_hcd_giveback_urb+0x1f2/0x470
[ 41.105734][ C1]  usb_hcd_giveback_urb+0x368/0x420
[ 41.110909][ C1]  dummy_timer+0x1258/0x32ae
[ 41.115580][ C1]  ? dummy_udc_probe+0x930/0x930
[ 41.120517][ C1]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 41.126144][ C1]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 41.131423][ C1]  call_timer_fn+0x195/0x6f0
[ 41.135992][ C1]  ? dummy_udc_probe+0x930/0x930
[ 41.140906][ C1]  ? msleep_interruptible+0x130/0x130
[ 41.146276][ C1]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 41.151831][ C1]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 41.157125][ C1]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 41.162328][ C1]  ? dummy_udc_probe+0x930/0x930
[ 41.167256][ C1]  run_timer_softirq+0x5f9/0x1500
[ 41.168875][ T3232] usb 4-1: USB disconnect, device number 2
[ 41.174033][ C1]  ? add_timer+0x7a0/0x7a0
[ 41.184224][ C1]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 41.189777][ C1]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 41.195435][ C1]  __do_softirq+0x21e/0x950
[ 41.199947][ C1]  irq_exit+0x178/0x1a0
[ 41.204110][ C1]  smp_apic_timer_interrupt+0x141/0x540
[ 41.209656][ C1]  apic_timer_interrupt+0xf/0x20
[ 41.214658][ C1]
[ 41.217973][ C1] RIP: 0010:default_idle+0x28/0x300
[ 41.223246][ C1] Code: cc cc 41 56 41 55 65 44 8b 2d 04 3b 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 27 b5 fb e9 07 00 00 00 0f 00 2d aa d0 52 00 fb f4 <65> 44 8b 2d e0 3a 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
[ 41.242841][ C1] RSP: 0018:ffff8881da22fda8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 41.251383][ C1] RAX: 0000000000000007 RBX: ffff8881da213100 RCX: 0000000000000000
[ 41.259398][ C1] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da21394c
[ 41.267576][ C1] RBP: ffffed103b442620 R08: ffff8881da213100 R09: 0000000000000000
[ 41.275539][ C1] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[ 41.283606][ C1] R13: 0000000000000001 R14: ffffffff87e61480 R15: 0000000000000000
[ 41.291615][ C1]  ? default_idle+0x1a/0x300
[ 41.296202][ C1]  do_idle+0x3e0/0x500
[ 41.300343][ C1]  ? arch_cpu_idle_exit+0x40/0x40
[ 41.305465][ C1]  ? do_idle+0x310/0x500
[ 41.309821][ C1]  cpu_startup_entry+0x14/0x20
[ 41.314675][ C1]  start_secondary+0x2a4/0x390
[ 41.319448][ C1]  ? set_cpu_sibling_map+0x1e90/0x1e90
[ 41.324894][ C1]  secondary_startup_64+0xb6/0xc0
[ 41.329901][ C1]
[ 41.332255][ C1] Allocated by task 155:
[ 41.336616][ C1]  save_stack+0x1b/0x80
[ 41.340762][ C1]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 41.346380][ C1]  kmem_cache_alloc_node+0xdc/0x330
[ 41.351575][ C1]  copy_process+0x4303/0x6640
[ 41.356237][ C1]  _do_fork+0x12d/0xfd0
[ 41.360384][ C1]  __x64_sys_clone+0x182/0x210
[ 41.365142][ C1]  do_syscall_64+0xb6/0x5a0
[ 41.369641][ C1]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 41.375519][ C1]
[ 41.377837][ C1] Freed by task 9:
[ 41.381549][ C1]  save_stack+0x1b/0x80
[ 41.385689][ C1]  __kasan_slab_free+0x117/0x160
[ 41.390621][ C1]  kmem_cache_free+0x9b/0x360
[ 41.395278][ C1]  __put_task_struct+0x220/0x510
[ 41.400221][ C1]  delayed_put_task_struct+0x22a/0x370
[ 41.405667][ C1]  rcu_core+0x5ae/0x1b00
[ 41.409915][ C1]  __do_softirq+0x21e/0x950
[ 41.410055][ T3240] usb 5-1: USB disconnect, device number 2
[ 41.414401][ C1]
[ 41.414410][ C1] The buggy address belongs to the object at ffff8881c95d8000
[ 41.414410][ C1]  which belongs to the cache task_struct of size 6016
[ 41.414419][ C1] The buggy address is located 432 bytes inside of
[ 41.414419][ C1]  6016-byte region [ffff8881c95d8000, ffff8881c95d9780)
[ 41.414422][ C1] The buggy address belongs to the page:
[ 41.414434][ C1] page:ffffea0007257600 refcount:1 mapcount:0 mapping:ffff8881da116000 index:0x0 compound_mapcount: 0
[ 41.414442][ C1] flags: 0x200000000010200(slab|head)
[ 41.414463][ C1] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da116000
[ 41.448911][ T3242] usb 2-1: USB disconnect, device number 2
[ 41.450259][ C1] raw: 0000000000000000 0000000000050005 00000001ffffffff 0000000000000000
[ 41.450265][ C1] page dumped because: kasan: bad access detected
[ 41.450269][ C1]
[ 41.450273][ C1] Memory state around the buggy address:
[ 41.450284][ C1]  ffff8881c95d8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.450293][ C1]  ffff8881c95d8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.450302][ C1] >ffff8881c95d8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.450308][ C1]                                      ^
[ 41.450316][ C1]  ffff8881c95d8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.450328][ C1]  ffff8881c95d8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.556077][ C1] ==================================================================
[ 41.565422][ C1] Disabling lock debugging due to kernel taint
[ 41.571555][ C1] Kernel panic - not syncing: panic_on_warn set ...
[ 41.578126][ C1] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G    B   5.6.0-rc7-syzkaller #0
[ 41.587383][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.597420][ C1] Call Trace:
[ 41.600684][ C1]
[ 41.603520][ C1]  dump_stack+0xef/0x16e
[ 41.607763][ C1]  panic+0x2aa/0x6e1
[ 41.611636][ C1]  ? add_taint.cold+0x16/0x16
[ 41.616298][ C1]  ? print_shadow_for_address+0xb8/0x114
[ 41.621928][ C1]  ? trace_hardirqs_off+0x50/0x200
[ 41.627071][ C1]  ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 41.632087][ C1]  end_report+0x43/0x49
[ 41.636369][ C1]  ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 41.641385][ C1]  __kasan_report.cold+0x55/0x77
[ 41.646320][ C1]  ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 41.651325][ C1]  kasan_report+0xe/0x20
[ 41.655548][ C1]  ath9k_htc_rx_msg+0xa25/0xaf0
[ 41.660379][ C1]  ath9k_hif_usb_reg_in_cb+0x1ba/0x630
[ 41.665827][ C1]  ? _raw_read_unlock+0x1a/0x30
[ 41.670672][ C1]  ? led_trigger_blink_oneshot+0xb4/0xe0
[ 41.676295][ C1]  __usb_hcd_giveback_urb+0x1f2/0x470
[ 41.681647][ C1]  usb_hcd_giveback_urb+0x368/0x420
[ 41.686821][ C1]  dummy_timer+0x1258/0x32ae
[ 41.691395][ C1]  ? dummy_udc_probe+0x930/0x930
[ 41.696330][ C1]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 41.701862][ C1]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 41.707141][ C1]  call_timer_fn+0x195/0x6f0
[ 41.711732][ C1]  ? dummy_udc_probe+0x930/0x930
[ 41.716662][ C1]  ? msleep_interruptible+0x130/0x130
[ 41.722012][ C1]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 41.727648][ C1]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 41.732917][ C1]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 41.738170][ C1]  ? dummy_udc_probe+0x930/0x930
[ 41.743303][ C1]  run_timer_softirq+0x5f9/0x1500
[ 41.748403][ C1]  ? add_timer+0x7a0/0x7a0
[ 41.752806][ C1]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 41.758488][ C1]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 41.763752][ C1]  __do_softirq+0x21e/0x950
[ 41.768236][ C1]  irq_exit+0x178/0x1a0
[ 41.772386][ C1]  smp_apic_timer_interrupt+0x141/0x540
[ 41.777924][ C1]  apic_timer_interrupt+0xf/0x20
[ 41.783114][ C1]
[ 41.786052][ C1] RIP: 0010:default_idle+0x28/0x300
[ 41.793330][ C1] Code: cc cc 41 56 41 55 65 44 8b 2d 04 3b 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 27 b5 fb e9 07 00 00 00 0f 00 2d aa d0 52 00 fb f4 <65> 44 8b 2d e0 3a 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
[ 41.812921][ C1] RSP: 0018:ffff8881da22fda8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 41.821332][ C1] RAX: 0000000000000007 RBX: ffff8881da213100 RCX: 0000000000000000
[ 41.829283][ C1] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da21394c
[ 41.837244][ C1] RBP: ffffed103b442620 R08: ffff8881da213100 R09: 0000000000000000
[ 41.845455][ C1] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[ 41.853416][ C1] R13: 0000000000000001 R14: ffffffff87e61480 R15: 0000000000000000
[ 41.861387][ C1]  ? default_idle+0x1a/0x300
[ 41.866102][ C1]  do_idle+0x3e0/0x500
[ 41.870172][ C1]  ? arch_cpu_idle_exit+0x40/0x40
[ 41.875248][ C1]  ? do_idle+0x310/0x500
[ 41.879500][ C1]  cpu_startup_entry+0x14/0x20
[ 41.884260][ C1]  start_secondary+0x2a4/0x390
[ 41.889006][ C1]  ? set_cpu_sibling_map+0x1e90/0x1e90
[ 41.894441][ C1]  secondary_startup_64+0xb6/0xc0
[ 41.900171][ C1] Kernel Offset: disabled
[ 41.904484][ C1] Rebooting in 86400 seconds..