[info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 14.589644][ C1] random: crng init done [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.1.32' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 24.177108][ T94] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 24.267344][ T94] usb 1-1: Using ep0 maxpacket: 8 [ 24.397203][ T94] usb 1-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=78.22 [ 24.406379][ T94] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 24.416111][ T94] usb 1-1: config 0 descriptor?? [ 24.687220][ T94] asix 1-1:0.0 (unnamed net_device) (uninitialized): Failed to read MAC address: 0 [ 24.699651][ T94] asix 1-1:0.0 eth1: register 'asix' at usb-dummy_hcd.0-1, ASIX AX88172A USB 2.0 Ethernet, f6:02:88:57:5c:21 executing program [ 24.891257][ T95] usb 1-1: USB disconnect, device number 2 [ 24.897806][ T95] asix 1-1:0.0 eth1: unregister 'asix' usb-dummy_hcd.0-1, ASIX AX88172A USB 2.0 Ethernet [ 24.967763][ T95] ================================================================== [ 24.976020][ T95] BUG: KASAN: use-after-free in ax88172a_unbind+0x76/0xef [ 24.983273][ T95] Read of size 8 at addr ffff8881d0756d80 by task kworker/1:2/95 [ 24.990975][ T95] [ 24.993301][ T95] CPU: 1 PID: 95 Comm: kworker/1:2 Not tainted 5.5.0-syzkaller #0 [ 25.001408][ T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 25.011470][ T95] Workqueue: usb_hub_wq hub_event [ 25.016487][ T95] Call Trace: [ 25.019781][ T95] dump_stack+0xef/0x16e [ 25.024023][ T95] ? ax88172a_unbind+0x76/0xef [ 25.028850][ T95] ? ax88172a_unbind+0x76/0xef [ 25.033638][ T95] print_address_description.constprop.0.cold+0xd3/0x314 [ 25.040802][ T95] ? ax88172a_unbind+0x76/0xef [ 25.045648][ T95] ? ax88172a_unbind+0x76/0xef [ 25.050411][ T95] __kasan_report.cold+0x37/0x77 [ 25.055346][ T95] ? mark_held_locks+0x20/0xe0 [ 25.060102][ T95] ? ax88172a_unbind+0x76/0xef [ 25.065859][ T95] ? ax88172a_bind.cold+0x1d2/0x1d2 [ 25.071071][ T95] kasan_report+0xe/0x20 [ 25.075358][ T95] ax88172a_unbind+0x76/0xef [ 25.079986][ T95] usbnet_disconnect+0x145/0x270 [ 25.085019][ T95] usb_unbind_interface+0x1bd/0x8a0 [ 25.090463][ T95] ? __pm_runtime_idle+0xd1/0x310 [ 25.095480][ T95] ? usb_autoresume_device+0x60/0x60 [ 25.100761][ T95] device_release_driver_internal+0x42f/0x500 [ 25.106836][ T95] bus_remove_device+0x2eb/0x5a0 [ 25.111786][ T95] device_del+0x481/0xd30 [ 25.116116][ T95] ? mark_held_locks+0x9f/0xe0 [ 25.120865][ T95] ? device_create_with_groups+0x120/0x120 [ 25.127080][ T95] ? lockdep_hardirqs_on+0x382/0x580 [ 25.132753][ T95] ? remove_intf_ep_devs+0x13f/0x1d0 [ 25.138158][ T95] usb_disable_device+0x23d/0x790 [ 25.143324][ T95] usb_disconnect+0x293/0x900 [ 25.148124][ T95] hub_event+0x1a1d/0x4300 [ 25.152644][ T95] ? hub_port_debounce+0x350/0x350 [ 25.157744][ T95] ? find_held_lock+0x2d/0x110 [ 25.162541][ T95] ? mark_held_locks+0xe0/0xe0 [ 25.167341][ T95] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 25.172903][ T95] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 25.178970][ T95] process_one_work+0x94b/0x1620 [ 25.184061][ T95] ? pwq_dec_nr_in_flight+0x310/0x310 [ 25.189428][ T95] ? do_raw_spin_lock+0x129/0x290 [ 25.194566][ T95] worker_thread+0x96/0xe20 [ 25.199078][ T95] ? process_one_work+0x1620/0x1620 [ 25.204272][ T95] kthread+0x318/0x420 [ 25.208325][ T95] ? kthread_create_on_node+0xf0/0xf0 [ 25.213824][ T95] ret_from_fork+0x24/0x30 [ 25.218360][ T95] [ 25.220671][ T95] Allocated by task 94: [ 25.224825][ T95] save_stack+0x1b/0x80 [ 25.229043][ T95] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 25.234736][ T95] ax88172a_bind+0xa4/0x8ba [ 25.239230][ T95] usbnet_probe+0xb54/0x2570 [ 25.243897][ T95] usb_probe_interface+0x310/0x800 [ 25.249125][ T95] really_probe+0x290/0xac0 [ 25.253795][ T95] driver_probe_device+0x223/0x350 [ 25.259048][ T95] __device_attach_driver+0x1d1/0x290 [ 25.264416][ T95] bus_for_each_drv+0x162/0x1e0 [ 25.269565][ T95] __device_attach+0x217/0x390 [ 25.274405][ T95] bus_probe_device+0x1e4/0x290 [ 25.279261][ T95] device_add+0x1459/0x1bf0 [ 25.283854][ T95] usb_set_configuration+0xe47/0x17d0 [ 25.289207][ T95] generic_probe+0x9d/0xd5 [ 25.293676][ T95] usb_probe_device+0xaf/0x140 [ 25.298553][ T95] really_probe+0x290/0xac0 [ 25.303050][ T95] driver_probe_device+0x223/0x350 [ 25.308336][ T95] __device_attach_driver+0x1d1/0x290 [ 25.313740][ T95] bus_for_each_drv+0x162/0x1e0 [ 25.318841][ T95] __device_attach+0x217/0x390 [ 25.323875][ T95] bus_probe_device+0x1e4/0x290 [ 25.328777][ T95] device_add+0x1459/0x1bf0 [ 25.333275][ T95] usb_new_device.cold+0x540/0xcd0 [ 25.338377][ T95] hub_event+0x21cb/0x4300 [ 25.342793][ T95] process_one_work+0x94b/0x1620 [ 25.347804][ T95] worker_thread+0x96/0xe20 [ 25.352407][ T95] kthread+0x318/0x420 [ 25.356471][ T95] ret_from_fork+0x24/0x30 [ 25.361112][ T95] [ 25.363433][ T95] Freed by task 94: [ 25.367227][ T95] save_stack+0x1b/0x80 [ 25.371557][ T95] __kasan_slab_free+0x117/0x160 [ 25.376521][ T95] kfree+0xd5/0x300 [ 25.380320][ T95] ax88172a_bind.cold+0x49/0x1d2 [ 25.385280][ T95] usbnet_probe+0xb54/0x2570 [ 25.389901][ T95] usb_probe_interface+0x310/0x800 [ 25.395039][ T95] really_probe+0x290/0xac0 [ 25.399540][ T95] driver_probe_device+0x223/0x350 [ 25.404832][ T95] __device_attach_driver+0x1d1/0x290 [ 25.410301][ T95] bus_for_each_drv+0x162/0x1e0 [ 25.415149][ T95] __device_attach+0x217/0x390 [ 25.419932][ T95] bus_probe_device+0x1e4/0x290 [ 25.424779][ T95] device_add+0x1459/0x1bf0 [ 25.429273][ T95] usb_set_configuration+0xe47/0x17d0 [ 25.434713][ T95] generic_probe+0x9d/0xd5 [ 25.439516][ T95] usb_probe_device+0xaf/0x140 [ 25.444312][ T95] really_probe+0x290/0xac0 [ 25.448839][ T95] driver_probe_device+0x223/0x350 [ 25.453944][ T95] __device_attach_driver+0x1d1/0x290 [ 25.459468][ T95] bus_for_each_drv+0x162/0x1e0 [ 25.464309][ T95] __device_attach+0x217/0x390 [ 25.469070][ T95] bus_probe_device+0x1e4/0x290 [ 25.474074][ T95] device_add+0x1459/0x1bf0 [ 25.478580][ T95] usb_new_device.cold+0x540/0xcd0 [ 25.483813][ T95] hub_event+0x21cb/0x4300 [ 25.488224][ T95] process_one_work+0x94b/0x1620 [ 25.493408][ T95] worker_thread+0x96/0xe20 [ 25.497946][ T95] kthread+0x318/0x420 [ 25.502161][ T95] ret_from_fork+0x24/0x30 [ 25.506577][ T95] [ 25.508907][ T95] The buggy address belongs to the object at ffff8881d0756d80 [ 25.508907][ T95] which belongs to the cache kmalloc-64 of size 64 [ 25.523255][ T95] The buggy address is located 0 bytes inside of [ 25.523255][ T95] 64-byte region [ffff8881d0756d80, ffff8881d0756dc0) [ 25.536469][ T95] The buggy address belongs to the page: [ 25.542100][ T95] page:ffffea000741d580 refcount:1 mapcount:0 mapping:ffff8881da003180 index:0x0 [ 25.551259][ T95] flags: 0x200000000000200(slab) [ 25.556196][ T95] raw: 0200000000000200 ffffea0007637040 0000000c0000000c ffff8881da003180 [ 25.564976][ T95] raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 [ 25.573559][ T95] page dumped because: kasan: bad access detected [ 25.580060][ T95] [ 25.582576][ T95] Memory state around the buggy address: [ 25.588317][ T95] ffff8881d0756c80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 25.596374][ T95] ffff8881d0756d00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 25.604646][ T95] >ffff8881d0756d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 25.612705][ T95] ^ [ 25.616869][ T95] ffff8881d0756e00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 25.624925][ T95] ffff8881d0756e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 25.633231][ T95] ================================================================== [ 25.641436][ T95] Disabling lock debugging due to kernel taint [ 25.647941][ T95] Kernel panic - not syncing: panic_on_warn set ... [ 25.654670][ T95] CPU: 1 PID: 95 Comm: kworker/1:2 Tainted: G B 5.5.0-syzkaller #0 [ 25.663846][ T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 25.674353][ T95] Workqueue: usb_hub_wq hub_event [ 25.679469][ T95] Call Trace: [ 25.682768][ T95] dump_stack+0xef/0x16e [ 25.687101][ T95] panic+0x2aa/0x6e1 [ 25.691044][ T95] ? add_taint.cold+0x16/0x16 [ 25.695821][ T95] ? ax88172a_unbind+0x76/0xef [ 25.700765][ T95] ? trace_hardirqs_on+0x55/0x200 [ 25.705900][ T95] ? ax88172a_unbind+0x76/0xef [ 25.710751][ T95] end_report+0x43/0x49 [ 25.715347][ T95] ? ax88172a_unbind+0x76/0xef [ 25.720298][ T95] __kasan_report.cold+0x55/0x77 [ 25.725476][ T95] ? mark_held_locks+0x20/0xe0 [ 25.730539][ T95] ? ax88172a_unbind+0x76/0xef [ 25.735450][ T95] ? ax88172a_bind.cold+0x1d2/0x1d2 [ 25.740993][ T95] kasan_report+0xe/0x20 [ 25.746164][ T95] ax88172a_unbind+0x76/0xef [ 25.751567][ T95] usbnet_disconnect+0x145/0x270 [ 25.756596][ T95] usb_unbind_interface+0x1bd/0x8a0 [ 25.761880][ T95] ? __pm_runtime_idle+0xd1/0x310 [ 25.766961][ T95] ? usb_autoresume_device+0x60/0x60 [ 25.772249][ T95] device_release_driver_internal+0x42f/0x500 [ 25.778324][ T95] bus_remove_device+0x2eb/0x5a0 [ 25.783252][ T95] device_del+0x481/0xd30 [ 25.787567][ T95] ? mark_held_locks+0x9f/0xe0 [ 25.792817][ T95] ? device_create_with_groups+0x120/0x120 [ 25.798616][ T95] ? lockdep_hardirqs_on+0x382/0x580 [ 25.803974][ T95] ? remove_intf_ep_devs+0x13f/0x1d0 [ 25.809257][ T95] usb_disable_device+0x23d/0x790 [ 25.814395][ T95] usb_disconnect+0x293/0x900 [ 25.819082][ T95] hub_event+0x1a1d/0x4300 [ 25.823622][ T95] ? hub_port_debounce+0x350/0x350 [ 25.828750][ T95] ? find_held_lock+0x2d/0x110 [ 25.833626][ T95] ? mark_held_locks+0xe0/0xe0 [ 25.838481][ T95] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 25.844022][ T95] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 25.849361][ T95] process_one_work+0x94b/0x1620 [ 25.854471][ T95] ? pwq_dec_nr_in_flight+0x310/0x310 [ 25.859843][ T95] ? do_raw_spin_lock+0x129/0x290 [ 25.864864][ T95] worker_thread+0x96/0xe20 [ 25.869501][ T95] ? process_one_work+0x1620/0x1620 [ 25.874708][ T95] kthread+0x318/0x420 [ 25.878760][ T95] ? kthread_create_on_node+0xf0/0xf0 [ 25.884128][ T95] ret_from_fork+0x24/0x30 [ 25.889465][ T95] Kernel Offset: disabled [ 25.893823][ T95] Rebooting in 86400 seconds..