INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.139' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 30.594814][ T95] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 30.685025][ T95] usb 1-1: Using ep0 maxpacket: 8
[ 30.804894][ T95] usb 1-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=dc.dc
[ 30.814285][ T95] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 30.823744][ T95] usb 1-1: config 0 descriptor??
[ 31.084884][ T95] asix 1-1:0.0 (unnamed net_device) (uninitialized): Failed to read MAC address: 0
[ 31.097653][ T95] asix 1-1:0.0 eth1: register 'asix' at usb-dummy_hcd.0-1, ASIX AX88172A USB 2.0 Ethernet, 56:67:b9:7d:03:d8
executing program
[ 31.289995][ T94] usb 1-1: USB disconnect, device number 2
[ 31.296523][ T94] asix 1-1:0.0 eth1: unregister 'asix' usb-dummy_hcd.0-1, ASIX AX88172A USB 2.0 Ethernet
[ 31.365459][ T94] ==================================================================
[ 31.373648][ T94] BUG: KASAN: use-after-free in ax88172a_unbind+0x76/0xef
[ 31.380744][ T94] Read of size 8 at addr ffff8881d0706c00 by task kworker/1:2/94
[ 31.388465][ T94]
[ 31.390787][ T94] CPU: 1 PID: 94 Comm: kworker/1:2 Not tainted 5.5.0-rc6-syzkaller #0
[ 31.399257][ T94] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.409306][ T94] Workqueue: usb_hub_wq hub_event
[ 31.414336][ T94] Call Trace:
[ 31.417618][ T94] dump_stack+0xef/0x16e
[ 31.421840][ T94] ? ax88172a_unbind+0x76/0xef
[ 31.426582][ T94] ? ax88172a_unbind+0x76/0xef
[ 31.431351][ T94] print_address_description.constprop.0.cold+0xd3/0x314
[ 31.438529][ T94] ? ax88172a_unbind+0x76/0xef
[ 31.443283][ T94] ? ax88172a_unbind+0x76/0xef
[ 31.448168][ T94] __kasan_report.cold+0x37/0x85
[ 31.453095][ T94] ? mark_held_locks+0x10/0xe0
[ 31.458066][ T94] ? ax88172a_unbind+0x76/0xef
[ 31.464065][ T94] ? ax88172a_bind.cold+0x1d2/0x1d2
[ 31.469417][ T94] kasan_report+0xe/0x20
[ 31.473653][ T94] ax88172a_unbind+0x76/0xef
[ 31.478361][ T94] usbnet_disconnect+0x145/0x270
[ 31.483285][ T94] usb_unbind_interface+0x1bd/0x8a0
[ 31.488473][ T94] ? usb_autoresume_device+0x60/0x60
[ 31.493743][ T94] device_release_driver_internal+0x42f/0x500
[ 31.499797][ T94] bus_remove_device+0x2eb/0x5a0
[ 31.504732][ T94] device_del+0x481/0xd30
[ 31.509193][ T94] ? mark_held_locks+0x9f/0xe0
[ 31.513948][ T94] ? device_create_with_groups+0x120/0x120
[ 31.519737][ T94] ? lockdep_hardirqs_on+0x382/0x580
[ 31.525061][ T94] ? remove_intf_ep_devs+0x13f/0x1d0
[ 31.530425][ T94] usb_disable_device+0x23d/0x790
[ 31.535436][ T94] usb_disconnect+0x293/0x900
[ 31.540112][ T94] hub_event+0x1a1d/0x4300
[ 31.544528][ T94] ? hub_port_debounce+0x350/0x350
[ 31.549628][ T94] ? find_held_lock+0x2d/0x110
[ 31.554408][ T94] ? mark_held_locks+0xe0/0xe0
[ 31.559261][ T94] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 31.564794][ T94] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 31.570119][ T94] process_one_work+0x945/0x15c0
[ 31.575050][ T94] ? pwq_dec_nr_in_flight+0x310/0x310
[ 31.580412][ T94] ? do_raw_spin_lock+0x129/0x290
[ 31.585429][ T94] worker_thread+0x96/0xe20
[ 31.589921][ T94] ? process_one_work+0x15c0/0x15c0
[ 31.595284][ T94] kthread+0x318/0x420
[ 31.599345][ T94] ? kthread_create_on_node+0xf0/0xf0
[ 31.604785][ T94] ret_from_fork+0x24/0x30
[ 31.609299][ T94]
[ 31.611716][ T94] Allocated by task 95:
[ 31.615887][ T94] save_stack+0x1b/0x80
[ 31.620252][ T94] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 31.625876][ T94] ax88172a_bind+0xa4/0x8ba
[ 31.630361][ T94] usbnet_probe+0xb54/0x2570
[ 31.634952][ T94] usb_probe_interface+0x310/0x800
[ 31.640063][ T94] really_probe+0x290/0xad0
[ 31.644546][ T94] driver_probe_device+0x223/0x350
[ 31.649834][ T94] __device_attach_driver+0x1d1/0x290
[ 31.655199][ T94] bus_for_each_drv+0x162/0x1e0
[ 31.660034][ T94] __device_attach+0x217/0x390
[ 31.664778][ T94] bus_probe_device+0x1e4/0x290
[ 31.669658][ T94] device_add+0x1459/0x1bf0
[ 31.674199][ T94] usb_set_configuration+0xe47/0x17d0
[ 31.679573][ T94] generic_probe+0x9d/0xd5
[ 31.683982][ T94] usb_probe_device+0xaf/0x140
[ 31.688742][ T94] really_probe+0x290/0xad0
[ 31.693227][ T94] driver_probe_device+0x223/0x350
[ 31.698316][ T94] __device_attach_driver+0x1d1/0x290
[ 31.704028][ T94] bus_for_each_drv+0x162/0x1e0
[ 31.708856][ T94] __device_attach+0x217/0x390
[ 31.713595][ T94] bus_probe_device+0x1e4/0x290
[ 31.718424][ T94] device_add+0x1459/0x1bf0
[ 31.722905][ T94] usb_new_device.cold+0x540/0xcd0
[ 31.727991][ T94] hub_event+0x21cb/0x4300
[ 31.732386][ T94] process_one_work+0x945/0x15c0
[ 31.739123][ T94] worker_thread+0x96/0xe20
[ 31.743620][ T94] kthread+0x318/0x420
[ 31.747668][ T94] ret_from_fork+0x24/0x30
[ 31.752074][ T94]
[ 31.754398][ T94] Freed by task 95:
[ 31.758190][ T94] save_stack+0x1b/0x80
[ 31.762339][ T94] __kasan_slab_free+0x117/0x160
[ 31.767267][ T94] kfree+0xd5/0x300
[ 31.771661][ T94] ax88172a_bind.cold+0x49/0x1d2
[ 31.776593][ T94] usbnet_probe+0xb54/0x2570
[ 31.781166][ T94] usb_probe_interface+0x310/0x800
[ 31.786259][ T94] really_probe+0x290/0xad0
[ 31.790754][ T94] driver_probe_device+0x223/0x350
[ 31.795932][ T94] __device_attach_driver+0x1d1/0x290
[ 31.801392][ T94] bus_for_each_drv+0x162/0x1e0
[ 31.806230][ T94] __device_attach+0x217/0x390
[ 31.811055][ T94] bus_probe_device+0x1e4/0x290
[ 31.815984][ T94] device_add+0x1459/0x1bf0
[ 31.820471][ T94] usb_set_configuration+0xe47/0x17d0
[ 31.825996][ T94] generic_probe+0x9d/0xd5
[ 31.830394][ T94] usb_probe_device+0xaf/0x140
[ 31.835141][ T94] really_probe+0x290/0xad0
[ 31.839674][ T94] driver_probe_device+0x223/0x350
[ 31.844883][ T94] __device_attach_driver+0x1d1/0x290
[ 31.850377][ T94] bus_for_each_drv+0x162/0x1e0
[ 31.855297][ T94] __device_attach+0x217/0x390
[ 31.860043][ T94] bus_probe_device+0x1e4/0x290
[ 31.864875][ T94] device_add+0x1459/0x1bf0
[ 31.869392][ T94] usb_new_device.cold+0x540/0xcd0
[ 31.874483][ T94] hub_event+0x21cb/0x4300
[ 31.878892][ T94] process_one_work+0x945/0x15c0
[ 31.883996][ T94] worker_thread+0x96/0xe20
[ 31.890149][ T94] kthread+0x318/0x420
[ 31.894199][ T94] ret_from_fork+0x24/0x30
[ 31.898606][ T94]
[ 31.900928][ T94] The buggy address belongs to the object at ffff8881d0706c00
[ 31.900928][ T94] which belongs to the cache kmalloc-64 of size 64
[ 31.914886][ T94] The buggy address is located 0 bytes inside of
[ 31.914886][ T94] 64-byte region [ffff8881d0706c00, ffff8881d0706c40)
[ 31.927873][ T94] The buggy address belongs to the page:
[ 31.933492][ T94] page:ffffea000741c180 refcount:1 mapcount:0 mapping:ffff8881da003180 index:0x0
[ 31.942955][ T94] raw: 0200000000000200 ffffea00074185c0 0000001500000015 ffff8881da003180
[ 31.952535][ T94] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[ 31.961117][ T94] page dumped because: kasan: bad access detected
[ 31.967533][ T94]
[ 31.969843][ T94] Memory state around the buggy address:
[ 31.975469][ T94] ffff8881d0706b00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 31.983508][ T94] ffff8881d0706b80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 31.992895][ T94] >ffff8881d0706c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 32.001067][ T94] ^
[ 32.005375][ T94] ffff8881d0706c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 32.013460][ T94] ffff8881d0706d00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 32.021516][ T94] ==================================================================
[ 32.029573][ T94] Disabling lock debugging due to kernel taint
[ 32.035905][ T94] Kernel panic - not syncing: panic_on_warn set ...
[ 32.042498][ T94] CPU: 1 PID: 94 Comm: kworker/1:2 Tainted: G B 5.5.0-rc6-syzkaller #0
[ 32.052250][ T94] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.062297][ T94] Workqueue: usb_hub_wq hub_event
[ 32.067313][ T94] Call Trace:
[ 32.070584][ T94] dump_stack+0xef/0x16e
[ 32.074805][ T94] panic+0x2aa/0x6e1
[ 32.078676][ T94] ? add_taint.cold+0x16/0x16
[ 32.083329][ T94] ? ax88172a_unbind+0x76/0xef
[ 32.088083][ T94] ? trace_hardirqs_on+0x55/0x200
[ 32.093095][ T94] ? ax88172a_unbind+0x76/0xef
[ 32.097872][ T94] end_report+0x43/0x49
[ 32.102003][ T94] ? ax88172a_unbind+0x76/0xef
[ 32.106742][ T94] __kasan_report.cold+0x55/0x85
[ 32.111683][ T94] ? mark_held_locks+0x10/0xe0
[ 32.116454][ T94] ? ax88172a_unbind+0x76/0xef
[ 32.121308][ T94] ? ax88172a_bind.cold+0x1d2/0x1d2
[ 32.126560][ T94] kasan_report+0xe/0x20
[ 32.131317][ T94] ax88172a_unbind+0x76/0xef
[ 32.135910][ T94] usbnet_disconnect+0x145/0x270
[ 32.140834][ T94] usb_unbind_interface+0x1bd/0x8a0
[ 32.146479][ T94] ? usb_autoresume_device+0x60/0x60
[ 32.151750][ T94] device_release_driver_internal+0x42f/0x500
[ 32.157816][ T94] bus_remove_device+0x2eb/0x5a0
[ 32.162843][ T94] device_del+0x481/0xd30
[ 32.167410][ T94] ? mark_held_locks+0x9f/0xe0
[ 32.172160][ T94] ? device_create_with_groups+0x120/0x120
[ 32.178054][ T94] ? lockdep_hardirqs_on+0x382/0x580
[ 32.183470][ T94] ? remove_intf_ep_devs+0x13f/0x1d0
[ 32.188738][ T94] usb_disable_device+0x23d/0x790
[ 32.193744][ T94] usb_disconnect+0x293/0x900
[ 32.198402][ T94] hub_event+0x1a1d/0x4300
[ 32.202796][ T94] ? hub_port_debounce+0x350/0x350
[ 32.207890][ T94] ? find_held_lock+0x2d/0x110
[ 32.212637][ T94] ? mark_held_locks+0xe0/0xe0
[ 32.217384][ T94] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 32.222913][ T94] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 32.228178][ T94] process_one_work+0x945/0x15c0
[ 32.233879][ T94] ? pwq_dec_nr_in_flight+0x310/0x310
[ 32.239242][ T94] ? do_raw_spin_lock+0x129/0x290
[ 32.244244][ T94] worker_thread+0x96/0xe20
[ 32.248731][ T94] ? process_one_work+0x15c0/0x15c0
[ 32.253904][ T94] kthread+0x318/0x420
[ 32.257980][ T94] ? kthread_create_on_node+0xf0/0xf0
[ 32.263336][ T94] ret_from_fork+0x24/0x30
[ 32.268379][ T94] Kernel Offset: disabled
[ 32.272702][ T94] Rebooting in 86400 seconds..