[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty2.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.218' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 86.038612][ T37] audit: type=1400 audit(1626716459.458:8): avc: denied { execmem } for pid=8448 comm="syz-executor167" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 86.300157][ T3160] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 86.540012][ T3160] usb 1-1: Using ep0 maxpacket: 8
[ 86.660474][ T3160] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7
[ 86.672446][ T3160] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0
[ 86.684144][ T3160] usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 9
[ 86.698722][ T3160] usb 1-1: New USB device found, idVendor=11c0, idProduct=5506, bcdDevice= 0.00
[ 86.708899][ T3160] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 86.721939][ T3160] usb 1-1: config 0 descriptor??
[ 87.209316][ T3160] betop 0003:11C0:5506.0001: hidraw0: USB HID v0.00 Device [HID 11c0:5506] on usb-dummy_hcd.0-1/input0
[ 87.220934][ T3160] ==================================================================
[ 87.229567][ T3160] BUG: KASAN: slab-out-of-bounds in betop_probe+0x3bb/0x5e0
[ 87.237156][ T3160] Write of size 8 at addr ffff8880166964c0 by task kworker/0:3/3160
[ 87.245409][ T3160]
[ 87.247845][ T3160] CPU: 0 PID: 3160 Comm: kworker/0:3 Not tainted 5.14.0-rc2-syzkaller #0
[ 87.256386][ T3160] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 87.266605][ T3160] Workqueue: usb_hub_wq hub_event
[ 87.271751][ T3160] Call Trace:
[ 87.275132][ T3160] dump_stack_lvl+0xcd/0x134
[ 87.280653][ T3160] print_address_description.constprop.0.cold+0x6c/0x2d6
[ 87.287836][ T3160] ? betop_probe+0x3bb/0x5e0
[ 87.292563][ T3160] ? betop_probe+0x3bb/0x5e0
[ 87.297164][ T3160] kasan_report.cold+0x83/0xdf
[ 87.302218][ T3160] ? kmem_cache_alloc_trace+0x111/0x480
[ 87.307785][ T3160] ? betop_probe+0x3bb/0x5e0
[ 87.312922][ T3160] kasan_check_range+0x13d/0x180
[ 87.317895][ T3160] betop_probe+0x3bb/0x5e0
[ 87.322489][ T3160] ? belkin_input_mapping+0x560/0x560
[ 87.328130][ T3160] hid_device_probe+0x2bd/0x3f0
[ 87.332973][ T3160] ? hid_match_device+0x390/0x390
[ 87.338002][ T3160] really_probe+0x23c/0xcd0
[ 87.342615][ T3160] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 87.348857][ T3160] __driver_probe_device+0x338/0x4d0
[ 87.354160][ T3160] driver_probe_device+0x4c/0x1a0
[ 87.359418][ T3160] __device_attach_driver+0x20b/0x2f0
[ 87.365017][ T3160] ? driver_allows_async_probing+0x150/0x150
[ 87.371122][ T3160] bus_for_each_drv+0x15f/0x1e0
[ 87.376052][ T3160] ? bus_for_each_dev+0x1d0/0x1d0
[ 87.382315][ T3160] ? _raw_spin_unlock_irqrestore+0x50/0x70
[ 87.388653][ T3160] ? lockdep_hardirqs_on+0x79/0x100
[ 87.394201][ T3160] ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 87.400223][ T3160] __device_attach+0x228/0x4a0
[ 87.405232][ T3160] ? device_driver_attach+0x210/0x210
[ 87.410916][ T3160] ? kfree+0x1ac/0x2c0
[ 87.415051][ T3160] ? kobject_uevent_env+0x2bb/0x1650
[ 87.420865][ T3160] bus_probe_device+0x1e4/0x290
[ 87.425909][ T3160] device_add+0xc2f/0x2180
[ 87.430326][ T3160] ? do_raw_spin_unlock+0x171/0x230
[ 87.435812][ T3160] ? __fw_devlink_link_to_suppliers+0x5e0/0x5e0
[ 87.442142][ T3160] ? __debugfs_create_file+0x362/0x4e0
[ 87.447891][ T3160] hid_add_device+0x344/0x9d0
[ 87.452670][ T3160] ? lockdep_init_map_type+0x2c3/0x7b0
[ 87.458141][ T3160] ? modalias_show+0x150/0x150
[ 87.462926][ T3160] ? lockdep_init_map_type+0x2c3/0x7b0
[ 87.468382][ T3160] ? __raw_spin_lock_init+0x36/0x110
[ 87.473955][ T3160] usbhid_probe+0xba9/0x10b0
[ 87.478559][ T3160] usb_probe_interface+0x315/0x7f0
[ 87.483760][ T3160] ? usb_match_dynamic_id+0x1a0/0x1a0
[ 87.489391][ T3160] really_probe+0x23c/0xcd0
[ 87.494091][ T3160] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 87.500442][ T3160] __driver_probe_device+0x338/0x4d0
[ 87.505855][ T3160] driver_probe_device+0x4c/0x1a0
[ 87.510914][ T3160] __device_attach_driver+0x20b/0x2f0
[ 87.516343][ T3160] ? driver_allows_async_probing+0x150/0x150
[ 87.522408][ T3160] bus_for_each_drv+0x15f/0x1e0
[ 87.527272][ T3160] ? bus_for_each_dev+0x1d0/0x1d0
[ 87.532285][ T3160] ? _raw_spin_unlock_irqrestore+0x50/0x70
[ 87.538257][ T3160] ? lockdep_hardirqs_on+0x79/0x100
[ 87.543469][ T3160] ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 87.549294][ T3160] __device_attach+0x228/0x4a0
[ 87.554085][ T3160] ? device_driver_attach+0x210/0x210
[ 87.559473][ T3160] ? kfree+0x1ac/0x2c0
[ 87.563638][ T3160] ? kobject_uevent_env+0x2bb/0x1650
[ 87.569699][ T3160] bus_probe_device+0x1e4/0x290
[ 87.574983][ T3160] device_add+0xc2f/0x2180
[ 87.579608][ T3160] ? wait_for_completion_io+0x280/0x280
[ 87.585175][ T3160] ? __fw_devlink_link_to_suppliers+0x5e0/0x5e0
[ 87.591432][ T3160] ? _raw_spin_unlock_irqrestore+0x50/0x70
[ 87.597380][ T3160] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 87.603649][ T3160] usb_set_configuration+0x113a/0x1910
[ 87.609239][ T3160] usb_generic_driver_probe+0xba/0x100
[ 87.614984][ T3160] usb_probe_device+0xd9/0x2c0
[ 87.619752][ T3160] ? usb_driver_release_interface+0x180/0x180
[ 87.625998][ T3160] really_probe+0x23c/0xcd0
[ 87.631337][ T3160] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 87.637580][ T3160] __driver_probe_device+0x338/0x4d0
[ 87.643043][ T3160] driver_probe_device+0x4c/0x1a0
[ 87.648553][ T3160] __device_attach_driver+0x20b/0x2f0
[ 87.654181][ T3160] ? driver_allows_async_probing+0x150/0x150
[ 87.660455][ T3160] bus_for_each_drv+0x15f/0x1e0
[ 87.665312][ T3160] ? bus_for_each_dev+0x1d0/0x1d0
[ 87.670340][ T3160] ? _raw_spin_unlock_irqrestore+0x50/0x70
[ 87.676151][ T3160] ? lockdep_hardirqs_on+0x79/0x100
[ 87.681338][ T3160] ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 87.687165][ T3160] __device_attach+0x228/0x4a0
[ 87.692141][ T3160] ? device_driver_attach+0x210/0x210
[ 87.697641][ T3160] ? kfree+0x1ac/0x2c0
[ 87.702144][ T3160] ? kobject_uevent_env+0x2bb/0x1650
[ 87.707826][ T3160] bus_probe_device+0x1e4/0x290
[ 87.713199][ T3160] device_add+0xc2f/0x2180
[ 87.717613][ T3160] ? __fw_devlink_link_to_suppliers+0x5e0/0x5e0
[ 87.724138][ T3160] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 87.730691][ T3160] usb_new_device.cold+0x63f/0x108e
[ 87.736163][ T3160] ? hub_disconnect+0x510/0x510
[ 87.741361][ T3160] ? rwlock_bug.part.0+0x90/0x90
[ 87.746288][ T3160] ? _raw_spin_unlock_irq+0x1f/0x40
[ 87.751855][ T3160] hub_event+0x2357/0x4330
[ 87.756506][ T3160] ? hub_port_debounce+0x3c0/0x3c0
[ 87.761624][ T3160] ? lock_release+0x720/0x720
[ 87.766305][ T3160] ? lock_downgrade+0x6e0/0x6e0
[ 87.771448][ T3160] ? do_raw_spin_lock+0x120/0x2b0
[ 87.776772][ T3160] process_one_work+0x98d/0x1630
[ 87.782280][ T3160] ? pwq_dec_nr_in_flight+0x320/0x320
[ 87.787768][ T3160] ? rwlock_bug.part.0+0x90/0x90
[ 87.792838][ T3160] ? _raw_spin_lock_irq+0x41/0x50
[ 87.798272][ T3160] worker_thread+0x658/0x11f0
[ 87.803088][ T3160] ? process_one_work+0x1630/0x1630
[ 87.808546][ T3160] kthread+0x3e5/0x4d0
[ 87.812757][ T3160] ? set_kthread_struct+0x130/0x130
[ 87.818069][ T3160] ret_from_fork+0x1f/0x30
[ 87.822498][ T3160]
[ 87.824840][ T3160] Allocated by task 3160:
[ 87.829284][ T3160] kasan_save_stack+0x1b/0x40
[ 87.833959][ T3160] __kasan_kmalloc+0x98/0xc0
[ 87.838792][ T3160] kmem_cache_alloc_trace+0x1e4/0x480
[ 87.844376][ T3160] hidraw_connect+0x4b/0x440
[ 87.848984][ T3160] hid_connect+0x5be/0xbc0
[ 87.853503][ T3160] hid_hw_start+0xa2/0x130
[ 87.857922][ T3160] betop_probe+0xce/0x5e0
[ 87.862245][ T3160] hid_device_probe+0x2bd/0x3f0
[ 87.867098][ T3160] really_probe+0x23c/0xcd0
[ 87.871738][ T3160] __driver_probe_device+0x338/0x4d0
[ 87.877037][ T3160] driver_probe_device+0x4c/0x1a0
[ 87.882063][ T3160] __device_attach_driver+0x20b/0x2f0
[ 87.887439][ T3160] bus_for_each_drv+0x15f/0x1e0
[ 87.892314][ T3160] __device_attach+0x228/0x4a0
[ 87.897407][ T3160] bus_probe_device+0x1e4/0x290
[ 87.902434][ T3160] device_add+0xc2f/0x2180
[ 87.907377][ T3160] hid_add_device+0x344/0x9d0
[ 87.912094][ T3160] usbhid_probe+0xba9/0x10b0
[ 87.917040][ T3160] usb_probe_interface+0x315/0x7f0
[ 87.922185][ T3160] really_probe+0x23c/0xcd0
[ 87.926863][ T3160] __driver_probe_device+0x338/0x4d0
[ 87.932573][ T3160] driver_probe_device+0x4c/0x1a0
[ 87.937611][ T3160] __device_attach_driver+0x20b/0x2f0
[ 87.943223][ T3160] bus_for_each_drv+0x15f/0x1e0
[ 87.948180][ T3160] __device_attach+0x228/0x4a0
[ 87.953032][ T3160] bus_probe_device+0x1e4/0x290
[ 87.957888][ T3160] device_add+0xc2f/0x2180
[ 87.962397][ T3160] usb_set_configuration+0x113a/0x1910
[ 87.967877][ T3160] usb_generic_driver_probe+0xba/0x100
[ 87.973923][ T3160] usb_probe_device+0xd9/0x2c0
[ 87.979178][ T3160] really_probe+0x23c/0xcd0
[ 87.983814][ T3160] __driver_probe_device+0x338/0x4d0
[ 87.989110][ T3160] driver_probe_device+0x4c/0x1a0
[ 87.994324][ T3160] __device_attach_driver+0x20b/0x2f0
[ 88.000641][ T3160] bus_for_each_drv+0x15f/0x1e0
[ 88.006076][ T3160] __device_attach+0x228/0x4a0
[ 88.011442][ T3160] bus_probe_device+0x1e4/0x290
[ 88.016467][ T3160] device_add+0xc2f/0x2180
[ 88.020971][ T3160] usb_new_device.cold+0x63f/0x108e
[ 88.026176][ T3160] hub_event+0x2357/0x4330
[ 88.030621][ T3160] process_one_work+0x98d/0x1630
[ 88.035579][ T3160] worker_thread+0x658/0x11f0
[ 88.040619][ T3160] kthread+0x3e5/0x4d0
[ 88.045097][ T3160] ret_from_fork+0x1f/0x30
[ 88.049531][ T3160]
[ 88.052200][ T3160] Last potentially related work creation:
[ 88.058174][ T3160] kasan_save_stack+0x1b/0x40
[ 88.062944][ T3160] kasan_record_aux_stack+0xa4/0xd0
[ 88.068325][ T3160] insert_work+0x48/0x370
[ 88.072866][ T3160] __queue_work+0x5c1/0xed0
[ 88.077986][ T3160] queue_work_on+0xee/0x110
[ 88.082481][ T3160] call_usermodehelper_exec+0x1f0/0x4c0
[ 88.088359][ T3160] kobject_uevent_env+0xf8f/0x1650
[ 88.093706][ T3160] kobject_synth_uevent+0x701/0x850
[ 88.098931][ T3160] uevent_store+0x20/0x50
[ 88.103254][ T3160] dev_attr_store+0x50/0x80
[ 88.107759][ T3160] sysfs_kf_write+0x110/0x160
[ 88.112705][ T3160] kernfs_fop_write_iter+0x342/0x500
[ 88.118794][ T3160] new_sync_write+0x426/0x650
[ 88.123480][ T3160] vfs_write+0x75a/0xa40
[ 88.128007][ T3160] ksys_write+0x12d/0x250
[ 88.132350][ T3160] do_syscall_64+0x35/0xb0
[ 88.137046][ T3160] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 88.143798][ T3160]
[ 88.146593][ T3160] Second to last potentially related work creation:
[ 88.153405][ T3160] kasan_save_stack+0x1b/0x40
[ 88.158102][ T3160] kasan_record_aux_stack+0xa4/0xd0
[ 88.163325][ T3160] insert_work+0x48/0x370
[ 88.167774][ T3160] __queue_work+0x5c1/0xed0
[ 88.172281][ T3160] queue_work_on+0xee/0x110
[ 88.176782][ T3160] call_usermodehelper_exec+0x1f0/0x4c0
[ 88.182408][ T3160] kobject_uevent_env+0xf8f/0x1650
[ 88.187704][ T3160] kobject_synth_uevent+0x701/0x850
[ 88.192924][ T3160] uevent_store+0x20/0x50
[ 88.197368][ T3160] dev_attr_store+0x50/0x80
[ 88.201880][ T3160] sysfs_kf_write+0x110/0x160
[ 88.206553][ T3160] kernfs_fop_write_iter+0x342/0x500
[ 88.211917][ T3160] new_sync_write+0x426/0x650
[ 88.216605][ T3160] vfs_write+0x75a/0xa40
[ 88.220857][ T3160] ksys_write+0x12d/0x250
[ 88.225491][ T3160] do_syscall_64+0x35/0xb0
[ 88.230128][ T3160] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 88.236462][ T3160]
[ 88.238791][ T3160] The buggy address belongs to the object at ffff888016696400
[ 88.238791][ T3160]  which belongs to the cache kmalloc-192 of size 192
[ 88.253124][ T3160] The buggy address is located 0 bytes to the right of
[ 88.253124][ T3160]  192-byte region [ffff888016696400, ffff8880166964c0)
[ 88.267511][ T3160] The buggy address belongs to the page:
[ 88.273238][ T3160] page:ffffea000059a580 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888016696600 pfn:0x16696
[ 88.284689][ T3160] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 88.292932][ T3160] raw: 00fff00000000200 ffffea00005c31c8 ffffea000066e4c8 ffff888010840000
[ 88.302115][ T3160] raw: ffff888016696600 ffff888016696000 0000000100000007 0000000000000000
[ 88.311536][ T3160] page dumped because: kasan: bad access detected
[ 88.317952][ T3160] page_owner tracks the page as allocated
[ 88.323679][ T3160] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 1, ts 2611248540, free_ts 0
[ 88.341432][ T3160] get_page_from_freelist+0xa72/0x2f80
[ 88.347109][ T3160] __alloc_pages+0x1b2/0x500
[ 88.351978][ T3160] cache_grow_begin+0x75/0x460
[ 88.356768][ T3160] cache_alloc_refill+0x27f/0x380
[ 88.361974][ T3160] kmem_cache_alloc_trace+0x38c/0x480
[ 88.367521][ T3160] call_usermodehelper_setup+0x9d/0x340
[ 88.373334][ T3160] kobject_uevent_env+0xf73/0x1650
[ 88.378460][ T3160] param_sysfs_init+0x3bf/0x498
[ 88.383303][ T3160] do_one_initcall+0x103/0x650
[ 88.388066][ T3160] kernel_init_freeable+0x6b8/0x741
[ 88.393565][ T3160] kernel_init+0x1a/0x1d0
[ 88.397897][ T3160] ret_from_fork+0x1f/0x30
[ 88.403030][ T3160] page_owner free stack trace missing
[ 88.409000][ T3160]
[ 88.411337][ T3160] Memory state around the buggy address:
[ 88.417320][ T3160]  ffff888016696380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 88.425579][ T3160]  ffff888016696400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 88.434466][ T3160] >ffff888016696480: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 88.443024][ T3160]                                            ^
[ 88.449397][ T3160]  ffff888016696500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 88.457558][ T3160]  ffff888016696580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc f
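The report above says three things that together make it a heap overflow reachable from a hostile USB device: the faulting write is 8 bytes at ffff8880166964c0 in betop_probe, the object it misses is the 192-byte kmalloc-192 allocation made by hidraw_connect during hid_hw_start of the same probe, and the "Memory state" rows show that address sitting on the first fc (kmalloc redzone) shadow byte right after a run of 00 bytes. A practitioner triaging such reports wants to check those facts mechanically rather than by eye, especially to tell an off-the-end overflow (fc at the access) from a use-after-free (fb/fa at the access). The following is an added example, not part of the syzkaller report or of any kernel tool: a small Python parser for the KASAN lines (copied from the report above) that cross-checks the access address against the object bounds and decodes the shadow bytes. The shadow-byte meanings are taken from mm/kasan/kasan.h for the 5.14 generic-KASAN x86-64 build this report came from; the function and field names are this example's own.

```python
import re
from dataclasses import dataclass, field

KASAN_SHADOW_SCALE = 8            # generic KASAN: one shadow byte per 8 bytes of memory
ROW_BYTES = 16 * KASAN_SHADOW_SCALE   # one "Memory state" row shows 16 shadow bytes = 128 bytes

# Poison values from mm/kasan/kasan.h (5.14, generic mode). 00 = fully addressable,
# 01..07 = that many leading bytes of the 8-byte granule addressable.
POISON = {
    0xfc: "kmalloc redzone (out-of-bounds)",
    0xfb: "freed slab object (use-after-free)",
    0xfa: "freed slab object with free track (use-after-free)",
}

# Console framing "[ 87.229567][ T3160] " that the parser must strip first.
_FRAMING = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s*")

# Lines copied verbatim from the report above; everything the triage needs.
REPORT = """\
[ 87.229567][ T3160] BUG: KASAN: slab-out-of-bounds in betop_probe+0x3bb/0x5e0
[ 87.237156][ T3160] Write of size 8 at addr ffff8880166964c0 by task kworker/0:3/3160
[ 88.238791][ T3160] The buggy address belongs to the object at ffff888016696400
[ 88.238791][ T3160]  which belongs to the cache kmalloc-192 of size 192
[ 88.253124][ T3160] The buggy address is located 0 bytes to the right of
[ 88.253124][ T3160]  192-byte region [ffff888016696400, ffff8880166964c0)
[ 88.411337][ T3160] Memory state around the buggy address:
[ 88.417320][ T3160]  ffff888016696380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 88.425579][ T3160]  ffff888016696400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 88.434466][ T3160] >ffff888016696480: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 88.449397][ T3160]  ffff888016696500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""


@dataclass
class KasanReport:
    bug_type: str      # e.g. "slab-out-of-bounds"
    func: str          # symbol+offset where the access happened
    access: str        # "Read" or "Write"
    size: int
    addr: int
    obj_start: int
    obj_end: int       # exclusive, as printed in "[start, end)"
    cache: str
    shadow: dict = field(default_factory=dict)   # row base address -> 16 shadow bytes


def parse_report(text):
    """Extract the access, the victim object and the shadow dump from a KASAN report."""
    fields, shadow = {}, {}
    for raw in text.splitlines():
        line = _FRAMING.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            fields["bug_type"], fields["func"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line):
            fields["access"], fields["size"] = m.group(1), int(m.group(2))
            fields["addr"] = int(m.group(3), 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size", line):
            fields["cache"] = m.group(1)
        elif m := re.match(r"\d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            fields["obj_start"], fields["obj_end"] = int(m.group(1), 16), int(m.group(2), 16)
        elif m := re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", line):
            shadow[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return KasanReport(shadow=shadow, **fields)


def shadow_byte(report, addr):
    """Shadow byte covering addr, or None if the dump does not include that row."""
    row = report.shadow.get(addr - addr % ROW_BYTES)
    if row is None:
        return None
    return row[(addr % ROW_BYTES) // KASAN_SHADOW_SCALE]


def triage(report):
    """Cross-check the faulting access against the object bounds and the shadow dump."""
    first, last = report.addr, report.addr + report.size - 1
    if first >= report.obj_end:
        where = f"{first - report.obj_end} bytes past the end of the object"
    elif last < report.obj_start:
        where = f"{report.obj_start - last} bytes before the start of the object"
    elif first >= report.obj_start and last < report.obj_end:
        where = "inside the object"
    else:
        where = "straddles the object boundary"
    sb = shadow_byte(report, first)
    if sb is None:
        poison = "shadow not in dump"
    elif sb < KASAN_SHADOW_SCALE:
        poison = "addressable" if sb == 0 else f"partially addressable ({sb} of 8 bytes)"
    else:
        poison = POISON.get(sb, f"poison 0x{sb:02x}")
    return {
        "kind": f"{report.bug_type} {report.access.lower()} of {report.size} bytes",
        "func": report.func,
        "cache": report.cache,
        "where": where,
        "shadow": poison,
        # An OOB report whose access lands on an fc byte is internally consistent;
        # fb/fa there would mean the headline should have been use-after-free.
        "consistent": sb == 0xfc and "out-of-bounds" in report.bug_type,
    }


if __name__ == "__main__":
    for k, v in triage(parse_report(REPORT)).items():
        print(f"{k:>10}: {v}")
```

On this report the helper confirms that the write starts exactly at the end of the 192-byte region and that its shadow byte is fc, i.e. the driver wrote one 8-byte slot past an object hidraw_connect had just allocated for it; the same function can be pointed at the page's "Allocated by" stack only by eye, since that part of the report carries no addresses.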