[info] Using makefile-style concurrent boot in runlevel 2.
[ 15.049105][ C1] random: crng init done
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.23' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 22.876280][ T22] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 23.116267][ T22] usb 1-1: Using ep0 maxpacket: 8
[ 23.236335][ T22] usb 1-1: config 0 has an invalid descriptor of length 58, skipping remainder of the config
[ 23.246701][ T22] usb 1-1: New USB device found, idVendor=0b00, idProduct=0555, bcdDevice=69.6a
[ 23.255703][ T22] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 23.265498][ T22] usb 1-1: config 0 descriptor??
[ 23.308296][ T22] uvcvideo: Found UVC 0.00 device (0b00:0555)
[ 23.315369][ T22] uvcvideo 1-1:0.0: Entity type for entity Output 0 was not initialized!
[ 23.508358][ T1719] usb 1-1: USB disconnect, device number 2
[ 23.514925][ T1719] ==================================================================
[ 23.523072][ T1719] BUG: KASAN: use-after-free in __media_entity_remove_links+0x134/0x160
[ 23.531373][ T1719] Read of size 8 at addr ffff8881d199f120 by task kworker/1:2/1719
[ 23.539234][ T1719]
[ 23.541545][ T1719] CPU: 1 PID: 1719 Comm: kworker/1:2 Not tainted 5.5.0-rc1-syzkaller #0
[ 23.549843][ T1719] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.559883][ T1719] Workqueue: usb_hub_wq hub_event
[ 23.564879][ T1719] Call Trace:
[ 23.568150][ T1719] dump_stack+0xef/0x16e
[ 23.572369][ T1719] ? __media_entity_remove_links+0x134/0x160
[ 23.578337][ T1719] ? __media_entity_remove_links+0x134/0x160
[ 23.584332][ T1719] print_address_description.constprop.0+0x16/0x200
[ 23.590914][ T1719] ? __media_entity_remove_links+0x134/0x160
[ 23.596924][ T1719] ? __media_entity_remove_links+0x134/0x160
[ 23.602884][ T1719] __kasan_report.cold+0x37/0x7f
[ 23.607842][ T1719] ? __media_entity_remove_links+0x134/0x160
[ 23.613803][ T1719] kasan_report+0xe/0x20
[ 23.618026][ T1719] __media_entity_remove_links+0x134/0x160
[ 23.623817][ T1719] __media_device_unregister_entity+0x187/0x300
[ 23.630109][ T1719] media_device_unregister_entity+0x49/0x70
[ 23.635998][ T1719] v4l2_device_unregister_subdev+0x257/0x380
[ 23.641958][ T1719] v4l2_device_unregister+0x139/0x220
[ 23.647680][ T1719] uvc_unregister_video+0x11a/0x210
[ 23.652870][ T1719] uvc_disconnect+0xbc/0x160
[ 23.657443][ T1719] usb_unbind_interface+0x1bd/0x8a0
[ 23.662621][ T1719] ? usb_autoresume_device+0x60/0x60
[ 23.667886][ T1719] device_release_driver_internal+0x42f/0x500
[ 23.673930][ T1719] bus_remove_device+0x2dc/0x4a0
[ 23.678863][ T1719] device_del+0x481/0xd30
[ 23.683182][ T1719] ? device_create_with_groups+0x120/0x120
[ 23.688977][ T1719] ? lockdep_hardirqs_on+0x382/0x580
[ 23.694239][ T1719] ? remove_intf_ep_devs+0x13f/0x1d0
[ 23.699511][ T1719] usb_disable_device+0x211/0x690
[ 23.704529][ T1719] usb_disconnect+0x284/0x8d0
[ 23.709184][ T1719] hub_event+0x1753/0x3860
[ 23.713580][ T1719] ? hub_port_debounce+0x260/0x260
[ 23.718671][ T1719] ? find_held_lock+0x2d/0x110
[ 23.723414][ T1719] ? mark_held_locks+0xe0/0xe0
[ 23.728159][ T1719] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 23.733694][ T1719] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 23.738977][ T1719] process_one_work+0x92b/0x1530
[ 23.743917][ T1719] ? pwq_dec_nr_in_flight+0x310/0x310
[ 23.749276][ T1719] ? do_raw_spin_lock+0x11a/0x280
[ 23.754301][ T1719] worker_thread+0x96/0xe20
[ 23.758792][ T1719] ? process_one_work+0x1530/0x1530
[ 23.763969][ T1719] kthread+0x318/0x420
[ 23.768031][ T1719] ? kthread_create_on_node+0xf0/0xf0
[ 23.773384][ T1719] ret_from_fork+0x24/0x30
[ 23.777791][ T1719]
[ 23.780100][ T1719] Allocated by task 22:
[ 23.784236][ T1719] save_stack+0x1b/0x80
[ 23.788379][ T1719] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 23.793984][ T1719] media_add_link+0x47/0x180
[ 23.798550][ T1719] media_create_pad_link+0x1fb/0x530
[ 23.803813][ T1719] uvc_mc_register_entities+0x468/0x77a
[ 23.809337][ T1719] uvc_probe.cold+0x2137/0x29de
[ 23.814163][ T1719] usb_probe_interface+0x305/0x7a0
[ 23.819247][ T1719] really_probe+0x281/0x6d0
[ 23.823724][ T1719] driver_probe_device+0x104/0x210
[ 23.828822][ T1719] __device_attach_driver+0x1c2/0x220
[ 23.834169][ T1719] bus_for_each_drv+0x162/0x1e0
[ 23.838997][ T1719] __device_attach+0x217/0x360
[ 23.843736][ T1719] bus_probe_device+0x1e4/0x290
[ 23.848574][ T1719] device_add+0x1480/0x1c20
[ 23.853052][ T1719] usb_set_configuration+0xe67/0x1740
[ 23.858397][ T1719] generic_probe+0x9d/0xd5
[ 23.862809][ T1719] usb_probe_device+0x99/0x100
[ 23.867554][ T1719] really_probe+0x281/0x6d0
[ 23.872042][ T1719] driver_probe_device+0x104/0x210
[ 23.877135][ T1719] __device_attach_driver+0x1c2/0x220
[ 23.882487][ T1719] bus_for_each_drv+0x162/0x1e0
[ 23.887316][ T1719] __device_attach+0x217/0x360
[ 23.892062][ T1719] bus_probe_device+0x1e4/0x290
[ 23.896891][ T1719] device_add+0x1480/0x1c20
[ 23.901383][ T1719] usb_new_device.cold+0x6a4/0xe79
[ 23.906480][ T1719] hub_event+0x1e59/0x3860
[ 23.910874][ T1719] process_one_work+0x92b/0x1530
[ 23.915809][ T1719] worker_thread+0x96/0xe20
[ 23.920339][ T1719] kthread+0x318/0x420
[ 23.924391][ T1719] ret_from_fork+0x24/0x30
[ 23.928784][ T1719]
[ 23.931095][ T1719] Freed by task 1719:
[ 23.935058][ T1719] save_stack+0x1b/0x80
[ 23.939194][ T1719] __kasan_slab_free+0x129/0x170
[ 23.944110][ T1719] kfree+0xda/0x310
[ 23.947913][ T1719] __media_entity_remove_link+0x25c/0x5d0
[ 23.953628][ T1719] __media_entity_remove_links+0x86/0x160
[ 23.959344][ T1719] __media_device_unregister_entity+0x187/0x300
[ 23.965574][ T1719] media_device_unregister_entity+0x49/0x70
[ 23.972138][ T1719] v4l2_device_unregister_subdev+0x257/0x380
[ 23.978108][ T1719] v4l2_device_unregister+0x139/0x220
[ 23.983456][ T1719] uvc_unregister_video+0x11a/0x210
[ 23.988639][ T1719] uvc_disconnect+0xbc/0x160
[ 23.993205][ T1719] usb_unbind_interface+0x1bd/0x8a0
[ 23.998381][ T1719] device_release_driver_internal+0x42f/0x500
[ 24.004421][ T1719] bus_remove_device+0x2dc/0x4a0
[ 24.009332][ T1719] device_del+0x481/0xd30
[ 24.013638][ T1719] usb_disable_device+0x211/0x690
[ 24.018656][ T1719] usb_disconnect+0x284/0x8d0
[ 24.023329][ T1719] hub_event+0x1753/0x3860
[ 24.027722][ T1719] process_one_work+0x92b/0x1530
[ 24.032634][ T1719] worker_thread+0x96/0xe20
[ 24.037114][ T1719] kthread+0x318/0x420
[ 24.041172][ T1719] ret_from_fork+0x24/0x30
[ 24.045558][ T1719]
[ 24.047873][ T1719] The buggy address belongs to the object at ffff8881d199f100
[ 24.047873][ T1719] which belongs to the cache kmalloc-96 of size 96
[ 24.061726][ T1719] The buggy address is located 32 bytes inside of
[ 24.061726][ T1719] 96-byte region [ffff8881d199f100, ffff8881d199f160)
[ 24.074798][ T1719] The buggy address belongs to the page:
[ 24.080409][ T1719] page:ffffea00074667c0 refcount:1 mapcount:0 mapping:ffff8881da002f00 index:0xffff8881d199fe80
[ 24.090795][ T1719] raw: 0200000000000200 ffffea0007474e40 0000000e0000000e ffff8881da002f00
[ 24.099357][ T1719] raw: ffff8881d199fe80 0000000080200016 00000001ffffffff 0000000000000000
[ 24.107931][ T1719] page dumped because: kasan: bad access detected
[ 24.114319][ T1719]
[ 24.116623][ T1719] Memory state around the buggy address:
[ 24.122244][ T1719]  ffff8881d199f000: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 24.130280][ T1719]  ffff8881d199f080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 24.138317][ T1719] >ffff8881d199f100: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 24.146355][ T1719]                                ^
[ 24.151442][ T1719]  ffff8881d199f180: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 24.159480][ T1719]  ffff8881d199f200: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 24.167514][ T1719] ==================================================================
[ 24.175546][ T1719] Disabling lock debugging due to kernel taint
[ 24.181763][ T1719] Kernel panic - not syncing: panic_on_warn set ...
[ 24.188366][ T1719] CPU: 1 PID: 1719 Comm: kworker/1:2 Tainted: G B 5.5.0-rc1-syzkaller #0
[ 24.198052][ T1719] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.208101][ T1719] Workqueue: usb_hub_wq hub_event
[ 24.213099][ T1719] Call Trace:
[ 24.216367][ T1719] dump_stack+0xef/0x16e
[ 24.220584][ T1719] panic+0x2aa/0x6e1
[ 24.224454][ T1719] ? add_taint.cold+0x16/0x16
[ 24.229130][ T1719] ? retint_kernel+0x10/0x10
[ 24.233694][ T1719] ? trace_hardirqs_on+0x55/0x1e0
[ 24.238707][ T1719] ? __media_entity_remove_links+0x134/0x160
[ 24.244661][ T1719] end_report+0x43/0x49
[ 24.248791][ T1719] ? __media_entity_remove_links+0x134/0x160
[ 24.254759][ T1719] __kasan_report.cold+0x55/0x7f
[ 24.259670][ T1719] ? __media_entity_remove_links+0x134/0x160
[ 24.265623][ T1719] kasan_report+0xe/0x20
[ 24.269844][ T1719] __media_entity_remove_links+0x134/0x160
[ 24.275625][ T1719] __media_device_unregister_entity+0x187/0x300
[ 24.281842][ T1719] media_device_unregister_entity+0x49/0x70
[ 24.287709][ T1719] v4l2_device_unregister_subdev+0x257/0x380
[ 24.293679][ T1719] v4l2_device_unregister+0x139/0x220
[ 24.299042][ T1719] uvc_unregister_video+0x11a/0x210
[ 24.304215][ T1719] uvc_disconnect+0xbc/0x160
[ 24.308788][ T1719] usb_unbind_interface+0x1bd/0x8a0
[ 24.313961][ T1719] ? usb_autoresume_device+0x60/0x60
[ 24.319222][ T1719] device_release_driver_internal+0x42f/0x500
[ 24.325262][ T1719] bus_remove_device+0x2dc/0x4a0
[ 24.330173][ T1719] device_del+0x481/0xd30
[ 24.334500][ T1719] ? device_create_with_groups+0x120/0x120
[ 24.340297][ T1719] ? lockdep_hardirqs_on+0x382/0x580
[ 24.345580][ T1719] ? remove_intf_ep_devs+0x13f/0x1d0
[ 24.350845][ T1719] usb_disable_device+0x211/0x690
[ 24.355843][ T1719] usb_disconnect+0x284/0x8d0
[ 24.360509][ T1719] hub_event+0x1753/0x3860
[ 24.364914][ T1719] ? hub_port_debounce+0x260/0x260
[ 24.370000][ T1719] ? find_held_lock+0x2d/0x110
[ 24.374737][ T1719] ? mark_held_locks+0xe0/0xe0
[ 24.379478][ T1719] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 24.386213][ T1719] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 24.391472][ T1719] process_one_work+0x92b/0x1530
[ 24.396389][ T1719] ? pwq_dec_nr_in_flight+0x310/0x310
[ 24.401780][ T1719] ? do_raw_spin_lock+0x11a/0x280
[ 24.406778][ T1719] worker_thread+0x96/0xe20
[ 24.411255][ T1719] ? process_one_work+0x1530/0x1530
[ 24.416426][ T1719] kthread+0x318/0x420
[ 24.420506][ T1719] ? kthread_create_on_node+0xf0/0xf0
[ 24.425875][ T1719] ret_from_fork+0x24/0x30
[ 24.430853][ T1719] Kernel Offset: disabled
[ 24.435166][ T1719] Rebooting in 86400 seconds..