[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ 14.532035][ C1] random: crng init done
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.225' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 43.023904][ T12] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 43.263975][ T12] usb 1-1: Using ep0 maxpacket: 8
[ 43.384030][ T12] usb 1-1: config 0 has an invalid interface number: 21 but max is 0
[ 43.392311][ T12] usb 1-1: config 0 has no interface number 0
[ 43.398886][ T12] usb 1-1: New USB device found, idVendor=0553, idProduct=0151, bcdDevice= 3.c4
[ 43.407960][ T12] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 43.417374][ T12] usb 1-1: config 0 descriptor??
[ 43.455455][ T12] cpia2: CPiA2 USB camera found
[ 43.574143][ T12] cpia2: Unexpected error: -110
[ 43.773972][ T12] cpia2: Unexpected error: -110
[ 43.893991][ T12] cpia2: Unexpected error: -110
[ 44.054128][ T12] cpia2: Unexpected error: -110
executing program
[ 44.134015][ T12] cpia2: Unexpected error: -71
[ 44.154107][ T12] cpia2: Control message failed, err val = -71
[ 44.160278][ T12] cpia2: Message: request = 0x1, start = 0x90
[ 44.166432][ T12] cpia2: Message: count = 1, register[0] = 0x0
[ 44.172566][ T12] cpia2: Unexpected error: -71
[ 44.194040][ T12] cpia2: Control message failed, err val = -71
[ 44.200313][ T12] cpia2: Message: request = 0x1, start = 0x91
[ 44.206529][ T12] cpia2: Message: count = 1, register[0] = 0x0
[ 44.212661][ T12] cpia2: Unexpected error: -71
[ 44.234037][ T12] cpia2: Control message failed, err val = -71
[ 44.240262][ T12] cpia2: Message: request = 0x0, start = 0x2
[ 44.246551][ T12] cpia2: Message: count = 1, register[0] = 0x0
[ 44.252887][ T12] cpia2: Unexpected error: -71
[ 44.257698][ T12] cpia2: CPiA Version: 0.00 (103.233)
[ 44.263325][ T12] cpia2: CPiA PnP-ID: 0000:0000:0000
[ 44.268905][ T12] cpia2: SensorID: 0.(version 0)
[ 44.276010][ T12] usb 1-1: USB disconnect, device number 2
[ 44.282282][ T12] cpia2: Control message failed, err val = -19
[ 44.288513][ T12] cpia2: Message: request = 0x1, start = 0xB0
[ 44.294618][ T12] cpia2: Message: count = 4, register[0] = 0x0
[ 44.296738][ T1751] cpia2: Couldn't configure sensor, error=-22
[ 44.300765][ T12] cpia2: Unexpected error: -19
[ 44.300853][ T12] cpia2: Unexpected error: -19
[ 44.317207][ T12] cpia2: Control message failed, err val = -19
[ 44.323350][ T12] cpia2: Message: request = 0x1, start = 0xA9
[ 44.329485][ T12] cpia2: Message: count = 1, register[0] = 0x0
[ 44.335864][ T12] cpia2: Unexpected error: -19
[ 44.342415][ T12] ==================================================================
[ 44.350649][ T12] BUG: KASAN: use-after-free in cpia2_usb_disconnect+0x1a4/0x1c0
[ 44.358389][ T12] Read of size 8 at addr ffff8881d0202c50 by task kworker/0:1/12
[ 44.366223][ T12]
[ 44.368537][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.0-rc6+ #13
[ 44.376004][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.386239][ T12] Workqueue: usb_hub_wq hub_event
[ 44.391256][ T12] Call Trace:
[ 44.394539][ T12]  dump_stack+0xca/0x13e
[ 44.398778][ T12]  ? cpia2_usb_disconnect+0x1a4/0x1c0
[ 44.404139][ T12]  ? cpia2_usb_disconnect+0x1a4/0x1c0
[ 44.409499][ T12]  print_address_description+0x67/0x231
[ 44.415035][ T12]  ? cpia2_usb_disconnect+0x1a4/0x1c0
[ 44.420387][ T12]  ? cpia2_usb_disconnect+0x1a4/0x1c0
[ 44.425814][ T12]  __kasan_report.cold+0x1a/0x32
[ 44.430876][ T12]  ? cpia2_streamoff+0x1f0/0x270
[ 44.435869][ T12]  ? cpia2_usb_disconnect+0x1a4/0x1c0
[ 44.441320][ T12]  kasan_report+0xe/0x20
[ 44.445629][ T12]  cpia2_usb_disconnect+0x1a4/0x1c0
[ 44.450863][ T12]  usb_unbind_interface+0x1bd/0x8a0
[ 44.456053][ T12]  ? usb_autoresume_device+0x60/0x60
[ 44.461330][ T12]  device_release_driver_internal+0x404/0x4c0
[ 44.467385][ T12]  bus_remove_device+0x2dc/0x4a0
[ 44.472314][ T12]  device_del+0x460/0xb80
[ 44.476669][ T12]  ? __device_links_no_driver+0x240/0x240
[ 44.482379][ T12]  ? lockdep_hardirqs_on+0x379/0x580
[ 44.487649][ T12]  ? remove_intf_ep_devs+0x13f/0x1d0
[ 44.492916][ T12]  usb_disable_device+0x211/0x690
[ 44.498036][ T12]  usb_disconnect+0x284/0x830
[ 44.502698][ T12]  hub_event+0x1409/0x3590
[ 44.507097][ T12]  ? hub_port_debounce+0x260/0x260
[ 44.512415][ T12]  process_one_work+0x905/0x1570
[ 44.517350][ T12]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 44.523091][ T12]  ? do_raw_spin_lock+0x11a/0x280
[ 44.528271][ T12]  worker_thread+0x7ab/0xe20
[ 44.532950][ T12]  ? process_one_work+0x1570/0x1570
[ 44.538127][ T12]  kthread+0x30b/0x410
[ 44.542382][ T12]  ? kthread_park+0x1a0/0x1a0
[ 44.547043][ T12]  ret_from_fork+0x24/0x30
[ 44.551460][ T12]
[ 44.553776][ T12] Allocated by task 12:
[ 44.557916][ T12]  save_stack+0x1b/0x80
[ 44.562169][ T12]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 44.567895][ T12]  cpia2_init_camera_struct+0x40/0x110
[ 44.573425][ T12]  cpia2_usb_probe.cold+0x37/0x45a
[ 44.578515][ T12]  usb_probe_interface+0x305/0x7a0
[ 44.583712][ T12]  really_probe+0x281/0x660
[ 44.588329][ T12]  driver_probe_device+0x104/0x210
[ 44.593519][ T12]  __device_attach_driver+0x1c2/0x220
[ 44.598876][ T12]  bus_for_each_drv+0x15c/0x1e0
[ 44.604062][ T12]  __device_attach+0x217/0x360
[ 44.608959][ T12]  bus_probe_device+0x1e4/0x290
[ 44.614077][ T12]  device_add+0xae6/0x16f0
[ 44.618478][ T12]  usb_set_configuration+0xdf6/0x1670
[ 44.624053][ T12]  generic_probe+0x9d/0xd5
[ 44.628554][ T12]  usb_probe_device+0x99/0x100
[ 44.633491][ T12]  really_probe+0x281/0x660
[ 44.637981][ T12]  driver_probe_device+0x104/0x210
[ 44.643314][ T12]  __device_attach_driver+0x1c2/0x220
[ 44.649000][ T12]  bus_for_each_drv+0x15c/0x1e0
[ 44.653917][ T12]  __device_attach+0x217/0x360
[ 44.658656][ T12]  bus_probe_device+0x1e4/0x290
[ 44.663731][ T12]  device_add+0xae6/0x16f0
[ 44.668394][ T12]  usb_new_device.cold+0x8c1/0x1016
[ 44.673585][ T12]  hub_event+0x1ada/0x3590
[ 44.678250][ T12]  process_one_work+0x905/0x1570
[ 44.683194][ T12]  worker_thread+0x96/0xe20
[ 44.687806][ T12]  kthread+0x30b/0x410
[ 44.691865][ T12]  ret_from_fork+0x24/0x30
[ 44.696328][ T12]
[ 44.698640][ T12] Freed by task 12:
[ 44.702438][ T12]  save_stack+0x1b/0x80
[ 44.706573][ T12]  __kasan_slab_free+0x130/0x180
[ 44.711899][ T12]  kfree+0xd7/0x280
[ 44.715699][ T12]  v4l2_device_put+0x76/0x90
[ 44.720277][ T12]  cpia2_usb_disconnect+0x79/0x1c0
[ 44.725463][ T12]  usb_unbind_interface+0x1bd/0x8a0
[ 44.730641][ T12]  device_release_driver_internal+0x404/0x4c0
[ 44.736689][ T12]  bus_remove_device+0x2dc/0x4a0
[ 44.741613][ T12]  device_del+0x460/0xb80
[ 44.745937][ T12]  usb_disable_device+0x211/0x690
[ 44.750947][ T12]  usb_disconnect+0x284/0x830
[ 44.755619][ T12]  hub_event+0x1409/0x3590
[ 44.760028][ T12]  process_one_work+0x905/0x1570
[ 44.765121][ T12]  worker_thread+0x7ab/0xe20
[ 44.769700][ T12]  kthread+0x30b/0x410
[ 44.773759][ T12]  ret_from_fork+0x24/0x30
[ 44.778343][ T12]
[ 44.780771][ T12] The buggy address belongs to the object at ffff8881d0202200
[ 44.780771][ T12]  which belongs to the cache kmalloc-4k of size 4096
[ 44.795217][ T12] The buggy address is located 2640 bytes inside of
[ 44.795217][ T12]  4096-byte region [ffff8881d0202200, ffff8881d0203200)
[ 44.808642][ T12] The buggy address belongs to the page:
[ 44.814306][ T12] page:ffffea0007408000 refcount:1 mapcount:0 mapping:ffff8881dac02600 index:0x0 compound_mapcount: 0
[ 44.825415][ T12] flags: 0x200000000010200(slab|head)
[ 44.830858][ T12] raw: 0200000000010200 ffffea0007405c00 0000000200000002 ffff8881dac02600
[ 44.840026][ T12] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 44.848689][ T12] page dumped because: kasan: bad access detected
[ 44.855082][ T12]
[ 44.857394][ T12] Memory state around the buggy address:
[ 44.863119][ T12]  ffff8881d0202b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.871396][ T12]  ffff8881d0202b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.879711][ T12] >ffff8881d0202c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.887774][ T12]                                                  ^
[ 44.894680][ T12]  ffff8881d0202c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.903257][ T12]  ffff8881d0202d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.911312][ T12] ==================================================================
[ 44.920151][ T12] Disabling lock debugging due to kernel taint
[ 44.926468][ T12] Kernel panic - not syncing: panic_on_warn set ...
[ 44.933060][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.2.0-rc6+ #13
[ 44.942433][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.952720][ T12] Workqueue: usb_hub_wq hub_event
[ 44.958055][ T12] Call Trace:
[ 44.961429][ T12]  dump_stack+0xca/0x13e
[ 44.965707][ T12]  panic+0x292/0x6c9
[ 44.969813][ T12]  ? __warn_printk+0xf3/0xf3
[ 44.974484][ T12]  ? cpia2_usb_disconnect+0x1a4/0x1c0
[ 44.979845][ T12]  ? trace_hardirqs_on+0x55/0x1c0
[ 44.984895][ T12]  ? cpia2_usb_disconnect+0x1a4/0x1c0
[ 44.990566][ T12]  end_report+0x43/0x49
[ 44.994769][ T12]  ? cpia2_usb_disconnect+0x1a4/0x1c0
[ 45.000459][ T12]  __kasan_report.cold+0xd/0x32
[ 45.005783][ T12]  ? cpia2_streamoff+0x1f0/0x270
[ 45.010817][ T12]  ? cpia2_usb_disconnect+0x1a4/0x1c0
[ 45.016223][ T12]  kasan_report+0xe/0x20
[ 45.020465][ T12]  cpia2_usb_disconnect+0x1a4/0x1c0
[ 45.025653][ T12]  usb_unbind_interface+0x1bd/0x8a0
[ 45.030852][ T12]  ? usb_autoresume_device+0x60/0x60
[ 45.036187][ T12]  device_release_driver_internal+0x404/0x4c0
[ 45.042610][ T12]  bus_remove_device+0x2dc/0x4a0
[ 45.047539][ T12]  device_del+0x460/0xb80
[ 45.051949][ T12]  ? __device_links_no_driver+0x240/0x240
[ 45.057659][ T12]  ? lockdep_hardirqs_on+0x379/0x580
[ 45.063019][ T12]  ? remove_intf_ep_devs+0x13f/0x1d0
[ 45.068404][ T12]  usb_disable_device+0x211/0x690
[ 45.073824][ T12]  usb_disconnect+0x284/0x830
[ 45.078501][ T12]  hub_event+0x1409/0x3590
[ 45.082901][ T12]  ? hub_port_debounce+0x260/0x260
[ 45.088147][ T12]  process_one_work+0x905/0x1570
[ 45.093090][ T12]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 45.098454][ T12]  ? do_raw_spin_lock+0x11a/0x280
[ 45.103565][ T12]  worker_thread+0x7ab/0xe20
[ 45.108227][ T12]  ? process_one_work+0x1570/0x1570
[ 45.113405][ T12]  kthread+0x30b/0x410
[ 45.117454][ T12]  ? kthread_park+0x1a0/0x1a0
[ 45.122181][ T12]  ret_from_fork+0x24/0x30
[ 45.127201][ T12] Kernel Offset: disabled
[ 45.131988][ T12] Rebooting in 86400 seconds..