[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ 15.393202][ C1] random: crng init done
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.15.214' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 26.930335][ T22] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 27.290472][ T22] usb 1-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=9b.e9
[ 27.299634][ T22] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 27.308923][ T22] usb 1-1: config 0 descriptor??
[ 27.560447][ T22] asix 1-1:0.0 (unnamed net_device) (uninitialized): Failed to read MAC address: 0
[ 27.573051][ T22] asix 1-1:0.0 eth1: register 'asix' at usb-dummy_hcd.0-1, ASIX AX88172A USB 2.0 Ethernet, 22:59:54:de:78:74
executing program
[ 27.762169][ T22] usb 1-1: USB disconnect, device number 2
[ 27.768796][ T22] asix 1-1:0.0 eth1: unregister 'asix' usb-dummy_hcd.0-1, ASIX AX88172A USB 2.0 Ethernet
[ 27.850719][ T22] ==================================================================
[ 27.858870][ T22] BUG: KASAN: use-after-free in ax88172a_unbind+0x76/0xed
[ 27.865997][ T22] Read of size 8 at addr ffff8881d00c5b80 by task kworker/1:1/22
[ 27.873686][ T22]
[ 27.876078][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.4.0-syzkaller #0
[ 27.883956][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.894007][ T22] Workqueue: usb_hub_wq hub_event
[ 27.899016][ T22] Call Trace:
[ 27.902300][ T22] dump_stack+0xef/0x16e
[ 27.906526][ T22] ? ax88172a_unbind+0x76/0xed
[ 27.911282][ T22] ? ax88172a_unbind+0x76/0xed
[ 27.916028][ T22] print_address_description.constprop.0+0x36/0x50
[ 27.922598][ T22] ? ax88172a_unbind+0x76/0xed
[ 27.927346][ T22] ? ax88172a_unbind+0x76/0xed
[ 27.932091][ T22] __kasan_report.cold+0x1a/0x33
[ 27.937007][ T22] ? mark_held_locks+0x50/0xe0
[ 27.941748][ T22] ? ax88172a_unbind+0x76/0xed
[ 27.946494][ T22] ? ax88172a_bind.cold+0x1e8/0x1e8
[ 27.951674][ T22] kasan_report+0xe/0x20
[ 27.955898][ T22] ax88172a_unbind+0x76/0xed
[ 27.960464][ T22] usbnet_disconnect+0x145/0x270
[ 27.965386][ T22] usb_unbind_interface+0x1bd/0x8a0
[ 27.970575][ T22] ? usb_autoresume_device+0x60/0x60
[ 27.975836][ T22] device_release_driver_internal+0x42f/0x500
[ 27.982062][ T22] bus_remove_device+0x2dc/0x4a0
[ 27.986979][ T22] device_del+0x481/0xd30
[ 27.991322][ T22] ? device_create_with_groups+0x120/0x120
[ 27.997219][ T22] ? lockdep_hardirqs_on+0x382/0x580
[ 28.002490][ T22] ? remove_intf_ep_devs+0x13f/0x1d0
[ 28.007760][ T22] usb_disable_device+0x211/0x690
[ 28.014764][ T22] usb_disconnect+0x284/0x8d0
[ 28.019424][ T22] hub_event+0x1753/0x3860
[ 28.023826][ T22] ? hub_port_debounce+0x260/0x260
[ 28.028927][ T22] ? find_held_lock+0x2d/0x110
[ 28.033677][ T22] ? mark_held_locks+0xe0/0xe0
[ 28.038432][ T22] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 28.044090][ T22] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 28.049393][ T22] process_one_work+0x92b/0x1530
[ 28.054402][ T22] ? pwq_dec_nr_in_flight+0x310/0x310
[ 28.059753][ T22] ? do_raw_spin_lock+0x11a/0x280
[ 28.064759][ T22] worker_thread+0x96/0xe20
[ 28.069263][ T22] ? process_one_work+0x1530/0x1530
[ 28.076350][ T22] kthread+0x318/0x420
[ 28.080437][ T22] ? kthread_create_on_node+0xf0/0xf0
[ 28.085786][ T22] ret_from_fork+0x24/0x30
[ 28.090183][ T22]
[ 28.092492][ T22] Allocated by task 22:
[ 28.096626][ T22] save_stack+0x1b/0x80
[ 28.100757][ T22] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 28.106384][ T22] ax88172a_bind+0x9f/0x7a2
[ 28.110906][ T22] usbnet_probe+0xb43/0x2470
[ 28.115485][ T22] usb_probe_interface+0x305/0x7a0
[ 28.120574][ T22] really_probe+0x281/0x6d0
[ 28.125173][ T22] driver_probe_device+0x104/0x210
[ 28.130279][ T22] __device_attach_driver+0x1c2/0x220
[ 28.135639][ T22] bus_for_each_drv+0x162/0x1e0
[ 28.140472][ T22] __device_attach+0x217/0x360
[ 28.145221][ T22] bus_probe_device+0x1e4/0x290
[ 28.150057][ T22] device_add+0x1480/0x1c20
[ 28.154646][ T22] usb_set_configuration+0xe67/0x1740
[ 28.160012][ T22] generic_probe+0x9d/0xd5
[ 28.164508][ T22] usb_probe_device+0x99/0x100
[ 28.169261][ T22] really_probe+0x281/0x6d0
[ 28.173886][ T22] driver_probe_device+0x104/0x210
[ 28.178982][ T22] __device_attach_driver+0x1c2/0x220
[ 28.184334][ T22] bus_for_each_drv+0x162/0x1e0
[ 28.189162][ T22] __device_attach+0x217/0x360
[ 28.193916][ T22] bus_probe_device+0x1e4/0x290
[ 28.198749][ T22] device_add+0x1480/0x1c20
[ 28.203232][ T22] usb_new_device.cold+0x6a4/0xe79
[ 28.208365][ T22] hub_event+0x1e59/0x3860
[ 28.212762][ T22] process_one_work+0x92b/0x1530
[ 28.217686][ T22] worker_thread+0x96/0xe20
[ 28.222190][ T22] kthread+0x318/0x420
[ 28.226252][ T22] ret_from_fork+0x24/0x30
[ 28.230639][ T22]
[ 28.232961][ T22] Freed by task 22:
[ 28.236756][ T22] save_stack+0x1b/0x80
[ 28.240895][ T22] __kasan_slab_free+0x130/0x180
[ 28.245815][ T22] kfree+0xdc/0x310
[ 28.249604][ T22] ax88172a_bind.cold+0x4d/0x1e8
[ 28.255403][ T22] usbnet_probe+0xb43/0x2470
[ 28.260059][ T22] usb_probe_interface+0x305/0x7a0
[ 28.265331][ T22] really_probe+0x281/0x6d0
[ 28.269866][ T22] driver_probe_device+0x104/0x210
[ 28.274957][ T22] __device_attach_driver+0x1c2/0x220
[ 28.280311][ T22] bus_for_each_drv+0x162/0x1e0
[ 28.285286][ T22] __device_attach+0x217/0x360
[ 28.290039][ T22] bus_probe_device+0x1e4/0x290
[ 28.294874][ T22] device_add+0x1480/0x1c20
[ 28.299356][ T22] usb_set_configuration+0xe67/0x1740
[ 28.304705][ T22] generic_probe+0x9d/0xd5
[ 28.309095][ T22] usb_probe_device+0x99/0x100
[ 28.313839][ T22] really_probe+0x281/0x6d0
[ 28.318326][ T22] driver_probe_device+0x104/0x210
[ 28.323423][ T22] __device_attach_driver+0x1c2/0x220
[ 28.328779][ T22] bus_for_each_drv+0x162/0x1e0
[ 28.333665][ T22] __device_attach+0x217/0x360
[ 28.338409][ T22] bus_probe_device+0x1e4/0x290
[ 28.343238][ T22] device_add+0x1480/0x1c20
[ 28.347723][ T22] usb_new_device.cold+0x6a4/0xe79
[ 28.352904][ T22] hub_event+0x1e59/0x3860
[ 28.357305][ T22] process_one_work+0x92b/0x1530
[ 28.362228][ T22] worker_thread+0x96/0xe20
[ 28.366852][ T22] kthread+0x318/0x420
[ 28.370905][ T22] ret_from_fork+0x24/0x30
[ 28.375351][ T22]
[ 28.377666][ T22] The buggy address belongs to the object at ffff8881d00c5b80
[ 28.377666][ T22] which belongs to the cache kmalloc-64 of size 64
[ 28.391524][ T22] The buggy address is located 0 bytes inside of
[ 28.391524][ T22] 64-byte region [ffff8881d00c5b80, ffff8881d00c5bc0)
[ 28.404522][ T22] The buggy address belongs to the page:
[ 28.410147][ T22] page:ffffea0007403140 refcount:1 mapcount:0 mapping:ffff8881da403180 index:0x0
[ 28.419241][ T22] raw: 0200000000000200 ffffea000742b980 0000001800000018 ffff8881da403180
[ 28.427841][ T22] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[ 28.436495][ T22] page dumped because: kasan: bad access detected
[ 28.442890][ T22]
[ 28.445194][ T22] Memory state around the buggy address:
[ 28.450807][ T22] ffff8881d00c5a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 28.458859][ T22] ffff8881d00c5b00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 28.466899][ T22] >ffff8881d00c5b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 28.474932][ T22] ^
[ 28.478974][ T22] ffff8881d00c5c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 28.487032][ T22] ffff8881d00c5c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 28.495118][ T22] ==================================================================
[ 28.503161][ T22] Disabling lock debugging due to kernel taint
[ 28.509338][ T22] Kernel panic - not syncing: panic_on_warn set ...
[ 28.515930][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G B 5.4.0-syzkaller #0
[ 28.525095][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.535151][ T22] Workqueue: usb_hub_wq hub_event
[ 28.540164][ T22] Call Trace:
[ 28.543476][ T22] dump_stack+0xef/0x16e
[ 28.547724][ T22] panic+0x2aa/0x6e1
[ 28.551602][ T22] ? add_taint.cold+0x16/0x16
[ 28.556259][ T22] ? ax88172a_unbind+0x76/0xed
[ 28.561013][ T22] ? trace_hardirqs_on+0x55/0x1e0
[ 28.566010][ T22] ? ax88172a_unbind+0x76/0xed
[ 28.570747][ T22] end_report+0x43/0x49
[ 28.574877][ T22] ? ax88172a_unbind+0x76/0xed
[ 28.579616][ T22] __kasan_report.cold+0xd/0x33
[ 28.584449][ T22] ? mark_held_locks+0x50/0xe0
[ 28.589212][ T22] ? ax88172a_unbind+0x76/0xed
[ 28.593958][ T22] ? ax88172a_bind.cold+0x1e8/0x1e8
[ 28.599130][ T22] kasan_report+0xe/0x20
[ 28.603351][ T22] ax88172a_unbind+0x76/0xed
[ 28.607922][ T22] usbnet_disconnect+0x145/0x270
[ 28.612835][ T22] usb_unbind_interface+0x1bd/0x8a0
[ 28.618006][ T22] ? usb_autoresume_device+0x60/0x60
[ 28.623263][ T22] device_release_driver_internal+0x42f/0x500
[ 28.629312][ T22] bus_remove_device+0x2dc/0x4a0
[ 28.634226][ T22] device_del+0x481/0xd30
[ 28.638528][ T22] ? device_create_with_groups+0x120/0x120
[ 28.644311][ T22] ? lockdep_hardirqs_on+0x382/0x580
[ 28.649573][ T22] ? remove_intf_ep_devs+0x13f/0x1d0
[ 28.654830][ T22] usb_disable_device+0x211/0x690
[ 28.659835][ T22] usb_disconnect+0x284/0x8d0
[ 28.664489][ T22] hub_event+0x1753/0x3860
[ 28.668886][ T22] ? hub_port_debounce+0x260/0x260
[ 28.674064][ T22] ? find_held_lock+0x2d/0x110
[ 28.678816][ T22] ? mark_held_locks+0xe0/0xe0
[ 28.683555][ T22] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 28.689258][ T22] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 28.694530][ T22] process_one_work+0x92b/0x1530
[ 28.699459][ T22] ? pwq_dec_nr_in_flight+0x310/0x310
[ 28.704827][ T22] ? do_raw_spin_lock+0x11a/0x280
[ 28.709832][ T22] worker_thread+0x96/0xe20
[ 28.714369][ T22] ? process_one_work+0x1530/0x1530
[ 28.719546][ T22] kthread+0x318/0x420
[ 28.723604][ T22] ? kthread_create_on_node+0xf0/0xf0
[ 28.728955][ T22] ret_from_fork+0x24/0x30
[ 28.733974][ T22] Kernel Offset: disabled
[ 28.738289][ T22] Rebooting in 86400 seconds..