[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.37' (ECDSA) to the list of known hosts.
syzkaller login: [ 72.780422][ T8385] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 73.123853][ T5] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 73.363211][ T5] usb 1-1: Using ep0 maxpacket: 32
[ 73.483362][ T5] usb 1-1: config 8 has an invalid descriptor of length 0, skipping remainder of the config
[ 73.494431][ T5] usb 1-1: config 8 interface 0 altsetting 0 has 0 endpoint descriptors, different from the interface descriptor's value: 1
[ 73.510040][ T5] usb 1-1: New USB device found, idVendor=731e, idProduct=128c, bcdDevice=ed.06
[ 73.519879][ T5] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 73.571655][ T5] usb 1-1: MIDIStreaming interface descriptor not found
[ 73.770962][ T2966] usb 1-1: USB disconnect, device number 2
[ 73.818069][ T2966] ==================================================================
[ 73.826408][ T2966] BUG: KASAN: use-after-free in usb_audio_disconnect+0x750/0x800
[ 73.834183][ T2966] Read of size 2 at addr ffff888027a08f24 by task kworker/0:2/2966
[ 73.842106][ T2966]
[ 73.844443][ T2966] CPU: 0 PID: 2966 Comm: kworker/0:2 Not tainted 5.12.0-rc1-next-20210305-syzkaller #0
[ 73.854093][ T2966] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.864386][ T2966] Workqueue: usb_hub_wq hub_event
[ 73.869488][ T2966] Call Trace:
[ 73.872783][ T2966] dump_stack+0xfa/0x151
[ 73.877068][ T2966] ? usb_audio_disconnect+0x750/0x800
[ 73.882474][ T2966] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 73.889602][ T2966] ? usb_audio_disconnect+0x750/0x800
[ 73.894979][ T2966] ? usb_audio_disconnect+0x750/0x800
[ 73.900344][ T2966] kasan_report.cold+0x7c/0xd8
[ 73.905106][ T2966] ? usb_audio_disconnect+0x750/0x800
[ 73.910485][ T2966] usb_audio_disconnect+0x750/0x800
[ 73.915678][ T2966] ? usb_audio_suspend+0x4f0/0x4f0
[ 73.920791][ T2966] ? mark_held_locks+0x9f/0xe0
[ 73.925548][ T2966] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 73.931777][ T2966] ? usb_disable_interface+0x82/0x3c0
[ 73.937141][ T2966] ? lockdep_hardirqs_on+0x79/0x100
[ 73.942331][ T2966] ? _raw_spin_unlock_irqrestore+0x33/0x50
[ 73.948130][ T2966] usb_unbind_interface+0x1d8/0x8d0
[ 73.953316][ T2966] ? __sanitizer_cov_trace_cmp4+0x1c/0x70
[ 73.959130][ T2966] ? kernfs_remove_by_name_ns+0x62/0xb0
[ 73.964683][ T2966] ? usb_unbind_device+0x1a0/0x1a0
[ 73.969824][ T2966] __device_release_driver+0x3bd/0x6f0
[ 73.975376][ T2966] device_release_driver+0x26/0x40
[ 73.980513][ T2966] bus_remove_device+0x2eb/0x5a0
[ 73.985454][ T2966] device_del+0x502/0xd40
[ 73.989780][ T2966] ? __device_links_queue_sync_state+0x3f0/0x3f0
[ 73.996102][ T2966] ? pm_runtime_barrier+0xdc/0x1a0
[ 74.001229][ T2966] usb_disable_device+0x35b/0x7b0
[ 74.006369][ T2966] usb_disconnect.cold+0x27d/0x791
[ 74.011495][ T2966] hub_event+0x1c9c/0x4320
[ 74.015932][ T2966] ? hub_port_debounce+0x3c0/0x3c0
[ 74.021039][ T2966] ? lock_acquire+0x1bb/0x730
[ 74.025816][ T2966] ? lock_release+0x710/0x710
[ 74.030481][ T2966] ? lock_downgrade+0x6d0/0x6d0
[ 74.035324][ T2966] ? lock_is_held_type+0xd5/0x130
[ 74.040343][ T2966] process_one_work+0x98d/0x1600
[ 74.045277][ T2966] ? pwq_dec_nr_in_flight+0x320/0x320
[ 74.050729][ T2966] ? rwlock_bug.part.0+0x90/0x90
[ 74.055684][ T2966] ? _raw_spin_lock_irq+0x41/0x50
[ 74.061951][ T2966] worker_thread+0x64c/0x1120
[ 74.066701][ T2966] ? __kthread_parkme+0x13f/0x1e0
[ 74.072083][ T2966] ? process_one_work+0x1600/0x1600
[ 74.077464][ T2966] kthread+0x3b1/0x4a0
[ 74.081803][ T2966] ? __kthread_bind_mask+0xc0/0xc0
[ 74.086924][ T2966] ret_from_fork+0x1f/0x30
[ 74.091354][ T2966]
[ 74.093664][ T2966] Allocated by task 5:
[ 74.098078][ T2966] kasan_save_stack+0x1b/0x40
[ 74.102743][ T2966] __kasan_kmalloc+0x99/0xc0
[ 74.107504][ T2966] snd_card_new+0xc2/0xcb0
[ 74.111943][ T2966] usb_audio_probe+0x1547/0x2c70
[ 74.116882][ T2966] usb_probe_interface+0x315/0x7f0
[ 74.121996][ T2966] really_probe+0x291/0xe60
[ 74.126505][ T2966] driver_probe_device+0x26b/0x3d0
[ 74.131780][ T2966] __device_attach_driver+0x1d1/0x290
[ 74.137268][ T2966] bus_for_each_drv+0x15f/0x1e0
[ 74.142316][ T2966] __device_attach+0x228/0x4a0
[ 74.147574][ T2966] bus_probe_device+0x1e4/0x290
[ 74.152510][ T2966] device_add+0xbdb/0x1db0
[ 74.156915][ T2966] usb_set_configuration+0x113f/0x1910
[ 74.162366][ T2966] usb_generic_driver_probe+0xba/0x100
[ 74.167824][ T2966] usb_probe_device+0xd9/0x2c0
[ 74.172570][ T2966] really_probe+0x291/0xe60
[ 74.177064][ T2966] driver_probe_device+0x26b/0x3d0
[ 74.182159][ T2966] __device_attach_driver+0x1d1/0x290
[ 74.187513][ T2966] bus_for_each_drv+0x15f/0x1e0
[ 74.192349][ T2966] __device_attach+0x228/0x4a0
[ 74.197098][ T2966] bus_probe_device+0x1e4/0x290
[ 74.201935][ T2966] device_add+0xbdb/0x1db0
[ 74.206355][ T2966] usb_new_device.cold+0x721/0x1058
[ 74.211539][ T2966] hub_event+0x2357/0x4320
[ 74.215940][ T2966] process_one_work+0x98d/0x1600
[ 74.220861][ T2966] worker_thread+0x64c/0x1120
[ 74.225522][ T2966] kthread+0x3b1/0x4a0
[ 74.229589][ T2966] ret_from_fork+0x1f/0x30
[ 74.233990][ T2966]
[ 74.236319][ T2966] Freed by task 2966:
[ 74.240292][ T2966] kasan_save_stack+0x1b/0x40
[ 74.244964][ T2966] kasan_set_track+0x1c/0x30
[ 74.249538][ T2966] kasan_set_free_info+0x20/0x30
[ 74.254462][ T2966] __kasan_slab_free+0xf5/0x130
[ 74.259296][ T2966] slab_free_freelist_hook+0x72/0x1b0
[ 74.264657][ T2966] kfree+0xe5/0x7b0
[ 74.268449][ T2966] device_release+0x9f/0x240
[ 74.273023][ T2966] kobject_put+0x1c8/0x540
[ 74.277426][ T2966] put_device+0x1b/0x30
[ 74.281756][ T2966] snd_card_free_when_closed+0x35/0x50
[ 74.287222][ T2966] usb_audio_disconnect+0x2ba/0x800
[ 74.292418][ T2966] usb_unbind_interface+0x1d8/0x8d0
[ 74.297607][ T2966] __device_release_driver+0x3bd/0x6f0
[ 74.303067][ T2966] device_release_driver+0x26/0x40
[ 74.308316][ T2966] bus_remove_device+0x2eb/0x5a0
[ 74.313269][ T2966] device_del+0x502/0xd40
[ 74.317598][ T2966] usb_disable_device+0x35b/0x7b0
[ 74.322618][ T2966] usb_disconnect.cold+0x27d/0x791
[ 74.327733][ T2966] hub_event+0x1c9c/0x4320
[ 74.332134][ T2966] process_one_work+0x98d/0x1600
[ 74.337075][ T2966] worker_thread+0x64c/0x1120
[ 74.341746][ T2966] kthread+0x3b1/0x4a0
[ 74.345801][ T2966] ret_from_fork+0x1f/0x30
[ 74.350202][ T2966]
[ 74.352875][ T2966] The buggy address belongs to the object at ffff888027a08000
[ 74.352875][ T2966] which belongs to the cache kmalloc-8k of size 8192
[ 74.367020][ T2966] The buggy address is located 3876 bytes inside of
[ 74.367020][ T2966] 8192-byte region [ffff888027a08000, ffff888027a0a000)
[ 74.380582][ T2966] The buggy address belongs to the page:
[ 74.386214][ T2966] page:0000000024fc4526 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x27a08
[ 74.396561][ T2966] head:0000000024fc4526 order:3 compound_mapcount:0 compound_pincount:0
[ 74.404879][ T2966] flags: 0xfff00000010200(slab|head)
[ 74.410161][ T2966] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010842280
[ 74.418820][ T2966] raw: 0000000000000000 0000000000020002 00000001ffffffff 0000000000000000
[ 74.427482][ T2966] page dumped because: kasan: bad access detected
[ 74.433872][ T2966]
[ 74.436179][ T2966] Memory state around the buggy address:
[ 74.441788][ T2966] ffff888027a08e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.449832][ T2966] ffff888027a08e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.457878][ T2966] >ffff888027a08f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.465920][ T2966] ^
[ 74.471013][ T2966] ffff888027a08f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.479240][ T2966] ffff888027a09000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.487421][ T2966] ==================================================================
[ 74.495578][ T2966] Disabling lock debugging due to kernel taint
[ 74.513064][ T2966] Kernel panic - not syncing: panic_on_warn set ...
[ 74.519710][ T2966] CPU: 0 PID: 2966 Comm: kworker/0:2 Tainted: G B 5.12.0-rc1-next-20210305-syzkaller #0
[ 74.530723][ T2966] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.540871][ T2966] Workqueue: usb_hub_wq hub_event
[ 74.545895][ T2966] Call Trace:
[ 74.549166][ T2966] dump_stack+0xfa/0x151
[ 74.553399][ T2966] panic+0x306/0x73d
[ 74.557296][ T2966] ? __warn_printk+0xf3/0xf3
[ 74.561869][ T2966] ? preempt_schedule_common+0x59/0xc0
[ 74.567312][ T2966] ? usb_audio_disconnect+0x750/0x800
[ 74.572669][ T2966] ? preempt_schedule_thunk+0x16/0x18
[ 74.578030][ T2966] ? trace_hardirqs_on+0x38/0x1c0
[ 74.583043][ T2966] ? trace_hardirqs_on+0x51/0x1c0
[ 74.588053][ T2966] ? usb_audio_disconnect+0x750/0x800
[ 74.593415][ T2966] ? usb_audio_disconnect+0x750/0x800
[ 74.598873][ T2966] end_report.cold+0x5a/0x5a
[ 74.603455][ T2966] kasan_report.cold+0x6a/0xd8
[ 74.608213][ T2966] ? usb_audio_disconnect+0x750/0x800
[ 74.613567][ T2966] usb_audio_disconnect+0x750/0x800
[ 74.618948][ T2966] ? usb_audio_suspend+0x4f0/0x4f0
[ 74.624049][ T2966] ? mark_held_locks+0x9f/0xe0
[ 74.628799][ T2966] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 74.635057][ T2966] ? usb_disable_interface+0x82/0x3c0
[ 74.640433][ T2966] ? lockdep_hardirqs_on+0x79/0x100
[ 74.645616][ T2966] ? _raw_spin_unlock_irqrestore+0x33/0x50
[ 74.651407][ T2966] usb_unbind_interface+0x1d8/0x8d0
[ 74.656604][ T2966] ? __sanitizer_cov_trace_cmp4+0x1c/0x70
[ 74.662569][ T2966] ? kernfs_remove_by_name_ns+0x62/0xb0
[ 74.668111][ T2966] ? usb_unbind_device+0x1a0/0x1a0
[ 74.673205][ T2966] __device_release_driver+0x3bd/0x6f0
[ 74.678996][ T2966] device_release_driver+0x26/0x40
[ 74.684090][ T2966] bus_remove_device+0x2eb/0x5a0
[ 74.689042][ T2966] device_del+0x502/0xd40
[ 74.693364][ T2966] ? __device_links_queue_sync_state+0x3f0/0x3f0
[ 74.699698][ T2966] ? pm_runtime_barrier+0xdc/0x1a0
[ 74.704830][ T2966] usb_disable_device+0x35b/0x7b0
[ 74.709855][ T2966] usb_disconnect.cold+0x27d/0x791
[ 74.714959][ T2966] hub_event+0x1c9c/0x4320
[ 74.719379][ T2966] ? hub_port_debounce+0x3c0/0x3c0
[ 74.724487][ T2966] ? lock_acquire+0x1bb/0x730
[ 74.729146][ T2966] ? lock_release+0x710/0x710
[ 74.733804][ T2966] ? lock_downgrade+0x6d0/0x6d0
[ 74.738645][ T2966] ? lock_is_held_type+0xd5/0x130
[ 74.743668][ T2966] process_one_work+0x98d/0x1600
[ 74.748599][ T2966] ? pwq_dec_nr_in_flight+0x320/0x320
[ 74.753961][ T2966] ? rwlock_bug.part.0+0x90/0x90
[ 74.758922][ T2966] ? _raw_spin_lock_irq+0x41/0x50
[ 74.763941][ T2966] worker_thread+0x64c/0x1120
[ 74.768604][ T2966] ? __kthread_parkme+0x13f/0x1e0
[ 74.773610][ T2966] ? process_one_work+0x1600/0x1600
[ 74.778788][ T2966] kthread+0x3b1/0x4a0
[ 74.782856][ T2966] ? __kthread_bind_mask+0xc0/0xc0
[ 74.787982][ T2966] ret_from_fork+0x1f/0x30
[ 74.793133][ T2966] Kernel Offset: disabled
[ 74.797456][ T2966] Rebooting in 86400 seconds..