[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.143' (ECDSA) to the list of known hosts.
syzkaller login: [ 54.453474][ T8375] IPVS: ftp: loaded support on port[0] = 21
[ 54.534588][ T8375] chnl_net:caif_netlink_parms(): no params data found
[ 54.575307][ T8375] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.584571][ T8375] bridge0: port 1(bridge_slave_0) entered disabled state
[ 54.598289][ T8375] device bridge_slave_0 entered promiscuous mode
[ 54.608349][ T8375] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.618698][ T8375] bridge0: port 2(bridge_slave_1) entered disabled state
[ 54.629892][ T8375] device bridge_slave_1 entered promiscuous mode
[ 54.647365][ T8375] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 54.662678][ T8375] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 54.682721][ T8375] team0: Port device team_slave_0 added
[ 54.692422][ T8375] team0: Port device team_slave_1 added
[ 54.708817][ T8375] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 54.717257][ T8375] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 54.746021][ T8375] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 54.758406][ T8375] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 54.765380][ T8375] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 54.794143][ T8375] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 54.818316][ T8375] device hsr_slave_0 entered promiscuous mode
[ 54.826481][ T8375] device hsr_slave_1 entered promiscuous mode
[ 54.905765][ T8375] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 54.916624][ T8375] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 54.928725][ T8375] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 54.938677][ T8375] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 54.964547][ T8375] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.972027][ T8375] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.980065][ T8375] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.987683][ T8375] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 55.031472][ T8375] 8021q: adding VLAN 0 to HW filter on device bond0
[ 55.048084][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 55.063440][ T8] bridge0: port 1(bridge_slave_0) entered disabled state
[ 55.074522][ T8] bridge0: port 2(bridge_slave_1) entered disabled state
[ 55.088399][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 55.100974][ T8375] 8021q: adding VLAN 0 to HW filter on device team0
[ 55.111890][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 55.120386][ T20] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.128105][ T20] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 55.139611][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 55.149664][ T8] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.160516][ T8] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 55.182374][ T3692] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 55.194220][ T3692] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 55.210636][ T3692] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 55.222697][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 55.236317][ T8375] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 55.251397][ T8375] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 55.259585][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 55.279242][ T8375] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 55.291941][ T3692] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 55.300165][ T3692] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 55.318742][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 55.337846][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 55.348475][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 55.357585][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 55.368271][ T8375] device veth0_vlan entered promiscuous mode
[ 55.378978][ T8375] device veth1_vlan entered promiscuous mode
[ 55.398295][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 55.406445][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 55.415236][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 55.426067][ T8375] device veth0_macvtap entered promiscuous mode
[ 55.435204][ T8375] device veth1_macvtap entered promiscuous mode
[ 55.449512][ T8375] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 55.457003][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 55.466767][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 55.479053][ T8375] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 55.487417][ T8583] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 55.499377][ T8375] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 55.511707][ T8375] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 55.521307][ T8375] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 55.529998][ T8375] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 55.850917][ T20] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 56.120336][ T20] usb 1-1: Using ep0 maxpacket: 8
[ 56.261423][ T20] usb 1-1: config 0 has an invalid interface number: 57 but max is 0
[ 56.271794][ T20] usb 1-1: config 0 has no interface number 0
[ 56.450661][ T20] usb 1-1: New USB device found, idVendor=9022, idProduct=d421, bcdDevice=d3.e1
[ 56.462536][ T20] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 56.471578][ T20] usb 1-1: Product: syz
[ 56.476253][ T20] usb 1-1: Manufacturer: syz
[ 56.481720][ T20] usb 1-1: SerialNumber: syz
[ 56.495314][ T20] usb 1-1: config 0 descriptor??
[ 56.555927][ T20] dw2102: su3000_identify_state
[ 56.564220][ T20] dvb-usb: found a 'TeVii S421 PCI' in warm state.
[ 56.571859][ T20] dw2102: su3000_power_ctrl: 1, initialized 0
[ 56.582785][ T20] dvb-usb: bulk message failed: -22 (2/0)
[ 56.592491][ T20] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[ 56.630608][ T20] dvbdev: DVB: registering new adapter (TeVii S421 PCI)
[ 56.642129][ T20] usb 1-1: media controller created
[ 56.647994][ T20] dvb-usb: bulk message failed: -22 (6/0)
[ 56.657683][ T20] dw2102: i2c transfer failed.
[ 56.663149][ T20] dvb-usb: bulk message failed: -22 (6/0)
[ 56.669381][ T20] dw2102: i2c transfer failed.
[ 56.674460][ T20] dvb-usb: bulk message failed: -22 (6/0)
[ 56.683835][ T20] dw2102: i2c transfer failed.
[ 56.689997][ T20] dvb-usb: bulk message failed: -22 (6/0)
[ 56.697509][ T20] dw2102: i2c transfer failed.
[ 56.702514][ T20] dvb-usb: bulk message failed: -22 (6/0)
[ 56.708245][ T20] dw2102: i2c transfer failed.
[ 56.713224][ T20] dvb-usb: bulk message failed: -22 (6/0)
[ 56.719477][ T20] dw2102: i2c transfer failed.
[ 56.724412][ T20] dvb-usb: MAC address: 02:02:02:02:02:02
[ 56.734616][ T20] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
[ 56.755740][ T20] dvb-usb: bulk message failed: -22 (1/0)
[ 56.764191][ T20] dw2102: command 0x51 transfer failed.
[ 56.805470][ T20] DVB: Unable to find symbol m88rs2000_attach()
[ 56.820438][ T20] dvb-usb: no frontend was attached by 'TeVii S421 PCI'
[ 56.910402][ T20] rc_core: IR keymap rc-su3000 not found
[ 56.916265][ T20] Registered IR keymap rc-empty
[ 56.930923][ T20] rc rc0: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0
[ 56.970600][ T20] input: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input5
[ 56.997025][ T20] dvb-usb: schedule remote query interval to 150 msecs.
[ 57.020126][ T20] dw2102: su3000_power_ctrl: 0, initialized 1
[ 57.026665][ T20] dvb-usb: TeVii S421 PCI successfully initialized and connected.
[ 57.052100][ T20] usb 1-1: USB disconnect, device number 2
[ 57.059268][ T20] ==================================================================
[ 57.067510][ T20] BUG: KASAN: use-after-free in dvb_usb_device_exit+0x274/0x280
[ 57.075172][ T20] Read of size 8 at addr ffff888140d3c2e8 by task kworker/1:0/20
[ 57.082870][ T20]
[ 57.085175][ T20] CPU: 1 PID: 20 Comm: kworker/1:0 Not tainted 5.12.0-rc6-syzkaller #0
[ 57.093574][ T20] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.103979][ T20] Workqueue: usb_hub_wq hub_event
[ 57.109401][ T20] Call Trace:
[ 57.112667][ T20] dump_stack+0x141/0x1d7
[ 57.117030][ T20] ? dvb_usb_device_exit+0x274/0x280
[ 57.122308][ T20] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 57.129333][ T20] ? dvb_usb_device_exit+0x274/0x280
[ 57.134610][ T20] ? dvb_usb_device_exit+0x274/0x280
[ 57.139911][ T20] kasan_report.cold+0x7c/0xd8
[ 57.144669][ T20] ? dvb_usb_device_exit+0x274/0x280
[ 57.149948][ T20] dvb_usb_device_exit+0x274/0x280
[ 57.155050][ T20] ? dvb_usb_exit.isra.0+0x310/0x310
[ 57.160329][ T20] ? mark_held_locks+0x9f/0xe0
[ 57.165085][ T20] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 57.171321][ T20] ? usb_disable_interface+0x82/0x3c0
[ 57.176686][ T20] ? lockdep_hardirqs_on+0x79/0x100
[ 57.181876][ T20] ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 57.187676][ T20] usb_unbind_interface+0x1d8/0x8d0
[ 57.192871][ T20] ? kernfs_remove_by_name_ns+0x62/0xb0
[ 57.198443][ T20] ? usb_unbind_device+0x1a0/0x1a0
[ 57.203570][ T20] __device_release_driver+0x3bd/0x6f0
[ 57.209031][ T20] device_release_driver+0x26/0x40
[ 57.214133][ T20] bus_remove_device+0x2eb/0x5a0
[ 57.219154][ T20] device_del+0x502/0xd40
[ 57.223484][ T20] ? __device_links_queue_sync_state+0x3f0/0x3f0
[ 57.229815][ T20] ? pm_runtime_barrier+0xdc/0x1a0
[ 57.234924][ T20] usb_disable_device+0x35b/0x7b0
[ 57.240917][ T20] usb_disconnect.cold+0x27d/0x791
[ 57.246043][ T20] hub_event+0x1c9c/0x4320
[ 57.250475][ T20] ? hub_port_debounce+0x3c0/0x3c0
[ 57.256967][ T20] ? lock_release+0x720/0x720
[ 57.261634][ T20] ? lock_downgrade+0x6e0/0x6e0
[ 57.266470][ T20] ? do_raw_spin_lock+0x120/0x2b0
[ 57.271493][ T20] process_one_work+0x98d/0x1600
[ 57.276423][ T20] ? pwq_dec_nr_in_flight+0x320/0x320
[ 57.281782][ T20] ? rwlock_bug.part.0+0x90/0x90
[ 57.286706][ T20] ? _raw_spin_lock_irq+0x41/0x50
[ 57.291723][ T20] worker_thread+0x82b/0x1120
[ 57.296395][ T20] ? process_one_work+0x1600/0x1600
[ 57.301581][ T20] kthread+0x3b1/0x4a0
[ 57.305637][ T20] ? __kthread_bind_mask+0xc0/0xc0
[ 57.310739][ T20] ret_from_fork+0x1f/0x30
[ 57.315154][ T20]
[ 57.317479][ T20] Allocated by task 6408:
[ 57.322465][ T20] kasan_save_stack+0x1b/0x40
[ 57.327131][ T20] __kasan_kmalloc+0x99/0xc0
[ 57.331966][ T20] tomoyo_realpath_from_path+0xc3/0x620
[ 57.337496][ T20] tomoyo_path_number_perm+0x1d5/0x590
[ 57.342944][ T20] security_path_chmod+0xe0/0x150
[ 57.347959][ T20] chmod_common+0x156/0x440
[ 57.352445][ T20] __x64_sys_fchmod+0x10e/0x190
[ 57.357713][ T20] do_syscall_64+0x2d/0x70
[ 57.362116][ T20] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 57.369210][ T20]
[ 57.371518][ T20] Freed by task 20:
[ 57.375302][ T20] kasan_save_stack+0x1b/0x40
[ 57.379962][ T20] kasan_set_track+0x1c/0x30
[ 57.384535][ T20] kasan_set_free_info+0x20/0x30
[ 57.389457][ T20] __kasan_slab_free+0xf5/0x130
[ 57.394288][ T20] slab_free_freelist_hook+0x92/0x210
[ 57.399648][ T20] kfree+0xe5/0x7f0
[ 57.403438][ T20] dw2102_probe+0x782/0xb10
[ 57.407926][ T20] usb_probe_interface+0x315/0x7f0
[ 57.413023][ T20] really_probe+0x291/0xe60
[ 57.417517][ T20] driver_probe_device+0x26b/0x3d0
[ 57.422614][ T20] __device_attach_driver+0x1d1/0x290
[ 57.427968][ T20] bus_for_each_drv+0x15f/0x1e0
[ 57.432802][ T20] __device_attach+0x228/0x4a0
[ 57.437556][ T20] bus_probe_device+0x1e4/0x290
[ 57.442390][ T20] device_add+0xbdb/0x1db0
[ 57.446789][ T20] usb_set_configuration+0x113f/0x1910
[ 57.452235][ T20] usb_generic_driver_probe+0xba/0x100
[ 57.459944][ T20] usb_probe_device+0xd9/0x2c0
[ 57.464808][ T20] really_probe+0x291/0xe60
[ 57.469602][ T20] driver_probe_device+0x26b/0x3d0
[ 57.476336][ T20] __device_attach_driver+0x1d1/0x290
[ 57.482903][ T20] bus_for_each_drv+0x15f/0x1e0
[ 57.487780][ T20] __device_attach+0x228/0x4a0
[ 57.493433][ T20] bus_probe_device+0x1e4/0x290
[ 57.498563][ T20] device_add+0xbdb/0x1db0
[ 57.503003][ T20] usb_new_device.cold+0x721/0x1058
[ 57.510443][ T20] hub_event+0x2357/0x4320
[ 57.517156][ T20] process_one_work+0x98d/0x1600
[ 57.522092][ T20] worker_thread+0x64c/0x1120
[ 57.526839][ T20] kthread+0x3b1/0x4a0
[ 57.530892][ T20] ret_from_fork+0x1f/0x30
[ 57.535312][ T20]
[ 57.537615][ T20] The buggy address belongs to the object at ffff888140d3c000
[ 57.537615][ T20] which belongs to the cache kmalloc-4k of size 4096
[ 57.551649][ T20] The buggy address is located 744 bytes inside of
[ 57.551649][ T20] 4096-byte region [ffff888140d3c000, ffff888140d3d000)
[ 57.565165][ T20] The buggy address belongs to the page:
[ 57.570769][ T20] page:ffffea0005034e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x140d38
[ 57.580989][ T20] head:ffffea0005034e00 order:3 compound_mapcount:0 compound_pincount:0
[ 57.589292][ T20] flags: 0x57ff00000010200(slab|head)
[ 57.594650][ T20] raw: 057ff00000010200 dead000000000100 dead000000000122 ffff888010442140
[ 57.603394][ T20] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 57.611953][ T20] page dumped because: kasan: bad access detected
[ 57.618431][ T20]
[ 57.620733][ T20] Memory state around the buggy address:
[ 57.626343][ T20] ffff888140d3c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.634386][ T20] ffff888140d3c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.642541][ T20] >ffff888140d3c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.650680][ T20] ^
[ 57.658120][ T20] ffff888140d3c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.666169][ T20] ffff888140d3c380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.674214][ T20] ==================================================================
[ 57.682253][ T20] Disabling lock debugging due to kernel taint
[ 57.700585][ T20] Kernel panic - not syncing: panic_on_warn set ...
[ 57.707290][ T20] CPU: 1 PID: 20 Comm: kworker/1:0 Tainted: G B 5.12.0-rc6-syzkaller #0
[ 57.716915][ T20] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.726957][ T20] Workqueue: usb_hub_wq hub_event
[ 57.731970][ T20] Call Trace:
[ 57.735232][ T20] dump_stack+0x141/0x1d7
[ 57.739823][ T20] panic+0x306/0x73d
[ 57.743698][ T20] ? __warn_printk+0xf3/0xf3
[ 57.748268][ T20] ? preempt_schedule_common+0x59/0xc0
[ 57.753707][ T20] ? dvb_usb_device_exit+0x274/0x280
[ 57.758972][ T20] ? preempt_schedule_thunk+0x16/0x18
[ 57.764322][ T20] ? trace_hardirqs_on+0x38/0x1c0
[ 57.769326][ T20] ? trace_hardirqs_on+0x51/0x1c0
[ 57.774331][ T20] ? dvb_usb_device_exit+0x274/0x280
[ 57.779602][ T20] ? dvb_usb_device_exit+0x274/0x280
[ 57.784865][ T20] end_report.cold+0x5a/0x5a
[ 57.789438][ T20] kasan_report.cold+0x6a/0xd8
[ 57.794178][ T20] ? dvb_usb_device_exit+0x274/0x280
[ 57.799452][ T20] dvb_usb_device_exit+0x274/0x280
[ 57.804554][ T20] ? dvb_usb_exit.isra.0+0x310/0x310
[ 57.809827][ T20] ? mark_held_locks+0x9f/0xe0
[ 57.814573][ T20] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 57.820800][ T20] ? usb_disable_interface+0x82/0x3c0
[ 57.826156][ T20] ? lockdep_hardirqs_on+0x79/0x100
[ 57.831500][ T20] ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 57.837600][ T20] usb_unbind_interface+0x1d8/0x8d0
[ 57.842886][ T20] ? kernfs_remove_by_name_ns+0x62/0xb0
[ 57.848417][ T20] ? usb_unbind_device+0x1a0/0x1a0
[ 57.853514][ T20] __device_release_driver+0x3bd/0x6f0
[ 57.858963][ T20] device_release_driver+0x26/0x40
[ 57.864056][ T20] bus_remove_device+0x2eb/0x5a0
[ 57.868976][ T20] device_del+0x502/0xd40
[ 57.873292][ T20] ? __device_links_queue_sync_state+0x3f0/0x3f0
[ 57.879603][ T20] ? pm_runtime_barrier+0xdc/0x1a0
[ 57.884698][ T20] usb_disable_device+0x35b/0x7b0
[ 57.889705][ T20] usb_disconnect.cold+0x27d/0x791
[ 57.894802][ T20] hub_event+0x1c9c/0x4320
[ 57.899206][ T20] ? hub_port_debounce+0x3c0/0x3c0
[ 57.904301][ T20] ? lock_release+0x720/0x720
[ 57.908962][ T20] ? lock_downgrade+0x6e0/0x6e0
[ 57.913794][ T20] ? do_raw_spin_lock+0x120/0x2b0
[ 57.918804][ T20] process_one_work+0x98d/0x1600
[ 57.923725][ T20] ? pwq_dec_nr_in_flight+0x320/0x320
[ 57.929080][ T20] ? rwlock_bug.part.0+0x90/0x90
[ 57.933999][ T20] ? _raw_spin_lock_irq+0x41/0x50
[ 57.939015][ T20] worker_thread+0x82b/0x1120
[ 57.943674][ T20] ? process_one_work+0x1600/0x1600
[ 57.948854][ T20] kthread+0x3b1/0x4a0
[ 57.952906][ T20] ? __kthread_bind_mask+0xc0/0xc0
[ 57.957999][ T20] ret_from_fork+0x1f/0x30
[ 57.965975][ T20] Kernel Offset: disabled
[ 57.970281][ T20] Rebooting in 86400 seconds..