[  OK  ] Started Load/Save RF Kill Switch Status.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.211' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   94.608798][   T37] audit: type=1400 audit(1622528155.603:8): avc:  denied  { execmem } for  pid=8411 comm="syz-executor060" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   94.886842][    T7] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   95.407010][    T7] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[   95.416834][    T7] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   95.424972][    T7] usb 1-1: Product: syz
[   95.431779][    T7] usb 1-1: Manufacturer: syz
[   95.436416][    T7] usb 1-1: SerialNumber: syz
[   95.495120][    T7] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[   96.117008][    T7] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[   96.526823][    C0] ==================================================================
[   96.535061][    C0] BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_cb+0x3d3/0x1050
[   96.543285][    C0] Read of size 49146 at addr ffff88803c2f0000 by task swapper/0/0
[   96.551113][    C0] 
[   96.553435][    C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.13.0-rc4-syzkaller #0
[   96.561423][    C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   96.571490][    C0] Call Trace:
[   96.575121][    C0]  <IRQ>
[   96.577963][    C0]  dump_stack+0x141/0x1d7
[   96.582310][    C0]  ? ath9k_hif_usb_rx_cb+0x3d3/0x1050
[   96.587806][    C0]  print_address_description.constprop.0.cold+0x5b/0x2c6
[   96.594829][    C0]  ? ath9k_hif_usb_rx_cb+0x3d3/0x1050
[   96.600250][    C0]  ? ath9k_hif_usb_rx_cb+0x3d3/0x1050
[   96.605640][    C0]  kasan_report.cold+0x7c/0xd8
[   96.610402][    C0]  ? rwlock_bug.part.0+0x60/0x90
[   96.615353][    C0]  ? ath9k_hif_usb_rx_cb+0x3d3/0x1050
[   96.620736][    C0]  kasan_check_range+0x13d/0x180
[   96.625675][    C0]  memcpy+0x20/0x60
[   96.629475][    C0]  ath9k_hif_usb_rx_cb+0x3d3/0x1050
[   96.634669][    C0]  ? hif_usb_start+0xa0/0xa0
[   96.639252][    C0]  ? __usb_hcd_giveback_urb+0x413/0x5c0
[   96.644796][    C0]  ? lock_downgrade+0x6e0/0x6e0
[   96.649650][    C0]  __usb_hcd_giveback_urb+0x2b0/0x5c0
[   96.655037][    C0]  usb_hcd_giveback_urb+0x367/0x410
[   96.660239][    C0]  dummy_timer+0x11f4/0x32a0
[   96.664872][    C0]  ? dummy_dequeue+0x500/0x500
[   96.669629][    C0]  ? dummy_dequeue+0x500/0x500
[   96.674389][    C0]  call_timer_fn+0x1a5/0x6b0
[   96.678988][    C0]  ? add_timer_on+0x4a0/0x4a0
[   96.683675][    C0]  ? lock_downgrade+0x6e0/0x6e0
[   96.688867][    C0]  ? _find_next_bit+0x1e3/0x260
[   96.693712][    C0]  ? _raw_spin_unlock_irq+0x1f/0x40
[   96.698907][    C0]  ? dummy_dequeue+0x500/0x500
[   96.703720][    C0]  __run_timers.part.0+0x67c/0xa50
[   96.708834][    C0]  ? call_timer_fn+0x6b0/0x6b0
[   96.713612][    C0]  ? lapic_next_event+0x4d/0x80
[   96.718463][    C0]  ? kvm_sched_clock_read+0x14/0x40
[   96.723664][    C0]  ? sched_clock_cpu+0x18/0x1f0
[   96.728523][    C0]  run_timer_softirq+0xb3/0x1d0
[   96.733369][    C0]  __do_softirq+0x29b/0x9f6
[   96.737887][    C0]  __irq_exit_rcu+0x136/0x200
[   96.742555][    C0]  irq_exit_rcu+0x5/0x20
[   96.746810][    C0]  sysvec_apic_timer_interrupt+0x93/0xc0
[   96.752440][    C0]  </IRQ>
[   96.755373][    C0]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[   96.761468][    C0] RIP: 0010:acpi_idle_do_entry+0x1c9/0x250
[   96.767322][    C0] Code: 4d c4 5a f8 84 db 75 ac e8 34 bc 5a f8 e8 af cc 60 f8 e9 0c 00 00 00 e8 25 bc 5a f8 0f 00 2d 5e 9c b4 00 e8 19 bc 5a f8 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 c4 c2 5a f8 48 85 db
[   96.787035][    C0] RSP: 0018:ffffffff8bc07d60 EFLAGS: 00000293
[   96.793120][    C0] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   96.801085][    C0] RDX: ffffffff8bcbc540 RSI: ffffffff89195547 RDI: 0000000000000000
[   96.809116][    C0] RBP: ffff888019a46064 R08: 0000000000000001 R09: 0000000000000001
[   96.817129][    C0] R10: ffffffff817a2218 R11: 0000000000000000 R12: 0000000000000001
[   96.825099][    C0] R13: ffff888019a46000 R14: ffff888019a46064 R15: ffff888145a40804
[   96.833085][    C0]  ? trace_hardirqs_on+0x38/0x1c0
[   96.838133][    C0]  ? acpi_idle_do_entry+0x1c7/0x250
[   96.843330][    C0]  acpi_idle_enter+0x361/0x500
[   96.848338][    C0]  cpuidle_enter_state+0x1b1/0xc80
[   96.853754][    C0]  cpuidle_enter+0x4a/0xa0
[   96.858175][    C0]  do_idle+0x3e8/0x590
[   96.862246][    C0]  ? arch_cpu_idle_exit+0x30/0x30
[   96.867270][    C0]  ? trace_init_perf_perm_irq_work_exit+0xe/0xe
[   96.873529][    C0]  cpu_startup_entry+0x14/0x20
[   96.878327][    C0]  start_kernel+0x475/0x496
[   96.882836][    C0]  secondary_startup_64_no_verify+0xb0/0xbb
[   96.888728][    C0] 
[   96.891280][    C0] Allocated by task 7:
[   96.895357][    C0]  kasan_save_stack+0x1b/0x40
[   96.900044][    C0]  __kasan_kmalloc+0x98/0xc0
[   96.904640][    C0]  __alloc_skb+0xde/0x340
[   96.908960][    C0]  ath9k_hif_usb_alloc_urbs+0x665/0x1040
[   96.914604][    C0]  ath9k_hif_usb_firmware_cb+0x148/0x530
[   96.920235][    C0]  request_firmware_work_func+0x12c/0x230
[   96.925968][    C0]  process_one_work+0x98d/0x1600
[   96.930900][    C0]  worker_thread+0x64c/0x1120
[   96.935683][    C0]  kthread+0x3b1/0x4a0
[   96.939757][    C0]  ret_from_fork+0x1f/0x30
[   96.944295][    C0] 
[   96.946631][    C0] The buggy address belongs to the object at ffff88803c2f0000
[   96.946631][    C0]  which belongs to the cache kmalloc-32k of size 32768
[   96.961048][    C0] The buggy address is located 0 bytes inside of
[   96.961048][    C0]  32768-byte region [ffff88803c2f0000, ffff88803c2f8000)
[   96.974336][    C0] The buggy address belongs to the page:
[   96.979977][    C0] page:ffffea0000f0bc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3c2f0
[   96.990487][    C0] head:ffffea0000f0bc00 order:4 compound_mapcount:0 compound_pincount:0
[   96.998827][    C0] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[   97.006817][    C0] raw: 00fff00000010200 ffffea0000f0b808 ffffea0000e21808 ffff888011040c00
[   97.015403][    C0] raw: 0000000000000000 ffff88803c2f0000 0000000100000001 0000000000000000
[   97.024516][    C0] page dumped because: kasan: bad access detected
[   97.030915][    C0] page_owner tracks the page as allocated
[   97.036630][    C0] page last allocated via order 4, migratetype Unmovable, gfp_mask 0x2c20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_THISNODE), pid 7, ts 96131291030, free_ts 94738197457
[   97.055844][    C0]  get_page_from_freelist+0x1033/0x2b60
[   97.061431][    C0]  __alloc_pages+0x1b2/0x500
[   97.066171][    C0]  cache_grow_begin+0x75/0x460
[   97.070951][    C0]  cache_alloc_refill+0x27f/0x380
[   97.075968][    C0]  kmem_cache_alloc_node_trace+0x4da/0x5b0
[   97.081894][    C0]  __kmalloc_node_track_caller+0x38/0x60
[   97.087527][    C0]  __alloc_skb+0xde/0x340
[   97.091957][    C0]  ath9k_hif_usb_alloc_urbs+0x665/0x1040
[   97.097844][    C0]  ath9k_hif_usb_firmware_cb+0x148/0x530
[   97.103475][    C0]  request_firmware_work_func+0x12c/0x230
[   97.109832][    C0]  process_one_work+0x98d/0x1600
[   97.114765][    C0]  worker_thread+0x64c/0x1120
[   97.119522][    C0]  kthread+0x3b1/0x4a0
[   97.125466][    C0]  ret_from_fork+0x1f/0x30
[   97.130060][    C0] page last free stack trace:
[   97.134717][    C0]  __free_pages_ok+0x476/0xce0
[   97.139471][    C0]  slabs_destroy+0x89/0xc0
[   97.143881][    C0]  ___cache_free+0x58b/0x7a0
[   97.148469][    C0]  qlist_free_all+0x4e/0x110
[   97.153054][    C0]  kasan_quarantine_reduce+0x180/0x200
[   97.158507][    C0]  __kasan_slab_alloc+0x8b/0xa0
[   97.163376][    C0]  kmem_cache_alloc_trace+0x26c/0x480
[   97.168841][    C0]  usb_control_msg+0xb9/0x4a0
[   97.173513][    C0]  hub_ext_port_status+0x112/0x450
[   97.178646][    C0]  hub_event+0x66a/0x4330
[   97.183058][    C0]  process_one_work+0x98d/0x1600
[   97.188003][    C0]  worker_thread+0x64c/0x1120
[   97.192685][    C0]  kthread+0x3b1/0x4a0
[   97.196742][    C0]  ret_from_fork+0x1f/0x30
[   97.201164][    C0] 
[   97.203484][    C0] Memory state around the buggy address:
[   97.209114][    C0]  ffff88803c2f7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   97.217353][    C0]  ffff88803c2f7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   97.225412][    C0] >ffff88803c2f8000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   97.233477][    C0]                    ^
[   97.237551][    C0]  ffff88803c2f8080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   97.245600][    C0]  ffff88803c2f8100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   97.253771][    C0] ==================================================================
[   97.261988][    C0] Disabling lock debugging due to kernel taint
[   97.268171][    C0] Kernel panic - not syncing: panic_on_warn set ...
[   97.274785][    C0] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B             5.13.0-rc4-syzkaller #0
[   97.284313][    C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   97.294360][    C0] Call Trace:
[   97.297642][    C0]  <IRQ>
[   97.300483][    C0]  dump_stack+0x141/0x1d7
[   97.304800][    C0]  panic+0x306/0x73d
[   97.308691][    C0]  ? __warn_printk+0xf3/0xf3
[   97.313278][    C0]  ? ath9k_hif_usb_rx_cb+0x3d3/0x1050
[   97.318649][    C0]  ? ath9k_hif_usb_rx_cb+0x3d3/0x1050
[   97.324136][    C0]  end_report.cold+0x5a/0x5a
[   97.328721][    C0]  kasan_report.cold+0x6a/0xd8
[   97.333470][    C0]  ? rwlock_bug.part.0+0x60/0x90
[   97.338428][    C0]  ? ath9k_hif_usb_rx_cb+0x3d3/0x1050
[   97.343792][    C0]  kasan_check_range+0x13d/0x180
[   97.348744][    C0]  memcpy+0x20/0x60
[   97.352624][    C0]  ath9k_hif_usb_rx_cb+0x3d3/0x1050
[   97.357823][    C0]  ? hif_usb_start+0xa0/0xa0
[   97.362397][    C0]  ? __usb_hcd_giveback_urb+0x413/0x5c0
[   97.367949][    C0]  ? lock_downgrade+0x6e0/0x6e0
[   97.372787][    C0]  __usb_hcd_giveback_urb+0x2b0/0x5c0
[   97.378184][    C0]  usb_hcd_giveback_urb+0x367/0x410
[   97.383382][    C0]  dummy_timer+0x11f4/0x32a0
[   97.387961][    C0]  ? dummy_dequeue+0x500/0x500
[   97.392710][    C0]  ? dummy_dequeue+0x500/0x500
[   97.397459][    C0]  call_timer_fn+0x1a5/0x6b0
[   97.402043][    C0]  ? add_timer_on+0x4a0/0x4a0
[   97.406909][    C0]  ? lock_downgrade+0x6e0/0x6e0
[   97.411866][    C0]  ? _find_next_bit+0x1e3/0x260
[   97.416802][    C0]  ? _raw_spin_unlock_irq+0x1f/0x40
[   97.421991][    C0]  ? dummy_dequeue+0x500/0x500
[   97.426854][    C0]  __run_timers.part.0+0x67c/0xa50
[   97.431965][    C0]  ? call_timer_fn+0x6b0/0x6b0
[   97.436743][    C0]  ? lapic_next_event+0x4d/0x80
[   97.441581][    C0]  ? kvm_sched_clock_read+0x14/0x40
[   97.446789][    C0]  ? sched_clock_cpu+0x18/0x1f0
[   97.451648][    C0]  run_timer_softirq+0xb3/0x1d0
[   97.456490][    C0]  __do_softirq+0x29b/0x9f6
[   97.462084][    C0]  __irq_exit_rcu+0x136/0x200
[   97.466762][    C0]  irq_exit_rcu+0x5/0x20
[   97.470998][    C0]  sysvec_apic_timer_interrupt+0x93/0xc0
[   97.476789][    C0]  </IRQ>
[   97.479804][    C0]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[   97.485774][    C0] RIP: 0010:acpi_idle_do_entry+0x1c9/0x250
[   97.491581][    C0] Code: 4d c4 5a f8 84 db 75 ac e8 34 bc 5a f8 e8 af cc 60 f8 e9 0c 00 00 00 e8 25 bc 5a f8 0f 00 2d 5e 9c b4 00 e8 19 bc 5a f8 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 c4 c2 5a f8 48 85 db
[   97.511186][    C0] RSP: 0018:ffffffff8bc07d60 EFLAGS: 00000293
[   97.517257][    C0] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   97.525223][    C0] RDX: ffffffff8bcbc540 RSI: ffffffff89195547 RDI: 0000000000000000
[   97.533215][    C0] RBP: ffff888019a46064 R08: 0000000000000001 R09: 0000000000000001
[   97.541318][    C0] R10: ffffffff817a2218 R11: 0000000000000000 R12: 0000000000000001
[   97.549279][    C0] R13: ffff888019a46000 R14: ffff888019a46064 R15: ffff888145a40804
[   97.557255][    C0]  ? trace_hardirqs_on+0x38/0x1c0
[   97.562530][    C0]  ? acpi_idle_do_entry+0x1c7/0x250
[   97.567715][    C0]  acpi_idle_enter+0x361/0x500
[   97.572464][    C0]  cpuidle_enter_state+0x1b1/0xc80
[   97.577563][    C0]  cpuidle_enter+0x4a/0xa0
[   97.582040][    C0]  do_idle+0x3e8/0x590
[   97.586095][    C0]  ? arch_cpu_idle_exit+0x30/0x30
[   97.591146][    C0]  ? trace_init_perf_perm_irq_work_exit+0xe/0xe
[   97.597393][    C0]  cpu_startup_entry+0x14/0x20
[   97.602154][    C0]  start_kernel+0x475/0x496
[   97.606664][    C0]  secondary_startup_64_no_verify+0xb0/0xbb
[   97.613309][    C0] Kernel Offset: disabled
[   97.617656][    C0] Rebooting in 86400 seconds..