[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 15.399071][ T1665] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 16.844862][ T1697] random: sshd: uninitialized urandom read (32 bytes read)
[ 16.986018][ T1700] random: sshd: uninitialized urandom read (32 bytes read)
[ 17.084518][ C1] random: crng init done
Warning: Permanently added '10.128.0.207' (ECDSA) to the list of known hosts.
executing program
[ 23.423114][ T12] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 23.663062][ T12] usb 1-1: Using ep0 maxpacket: 32
[ 23.783160][ T12] usb 1-1: config 0 has an invalid interface number: 138 but max is 0
[ 23.791436][ T12] usb 1-1: config 0 has no interface number 0
[ 23.797569][ T12] usb 1-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=2d.ac
[ 23.806640][ T12] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 23.818179][ T12] usb 1-1: config 0 descriptor??
[ 23.863805][ T12] hub 1-1:0.138: bad descriptor, ignoring hub
[ 23.870072][ T12] hub: probe of 1-1:0.138 failed with error -5
[ 24.073130][ T12] asix 1-1:0.138 (unnamed net_device) (uninitialized): Failed to read MAC address: 0
[ 24.085690][ T12] asix 1-1:0.138 eth1: register 'asix' at usb-dummy_hcd.0-1, ASIX AX88172A USB 2.0 Ethernet, 76:16:76:e7:25:cd
[ 24.098831][ T12] ==================================================================
[ 24.107003][ T12] BUG: KASAN: use-after-free in asix_suspend+0xb9/0xc0
[ 24.113848][ T12] Read of size 8 at addr ffff8881d1984288 by task kworker/0:1/12
[ 24.121555][ T12]
[ 24.123893][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.5.0-rc2-syzkaller #0
[ 24.132037][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.142096][ T12] Workqueue: usb_hub_wq hub_event
[ 24.147110][ T12] Call Trace:
[ 24.150401][ T12] dump_stack+0xef/0x16e
[ 24.154643][ T12] ? asix_suspend+0xb9/0xc0
[ 24.159144][ T12] ? asix_suspend+0xb9/0xc0
[ 24.163654][ T12] print_address_description.constprop.0+0x16/0x200
[ 24.170240][ T12] ? asix_suspend+0xb9/0xc0
[ 24.174746][ T12] ? asix_suspend+0xb9/0xc0
[ 24.179248][ T12] __kasan_report.cold+0x37/0x7f
[ 24.184212][ T12] ? asix_suspend+0xb9/0xc0
[ 24.188705][ T12] kasan_report+0xe/0x20
[ 24.192929][ T12] asix_suspend+0xb9/0xc0
[ 24.197237][ T12] usb_suspend_both+0x260/0x7b0
[ 24.203756][ T12] ? usb_resume_interface.isra.0+0x390/0x390
[ 24.209821][ T12] ? mark_lock+0xbc/0x1160
[ 24.214227][ T12] ? autosuspend_check+0x453/0x540
[ 24.219316][ T12] usb_runtime_suspend+0x46/0x120
[ 24.224337][ T12] ? usb_probe_interface+0x7a0/0x7a0
[ 24.229864][ T12] ? usb_probe_interface+0x7a0/0x7a0
[ 24.235125][ T12] __rpm_callback+0x27e/0x3c0
[ 24.239881][ T12] ? usb_probe_interface+0x7a0/0x7a0
[ 24.245154][ T12] rpm_callback+0x105/0x230
[ 24.249647][ T12] ? usb_probe_interface+0x7a0/0x7a0
[ 24.254925][ T12] rpm_suspend+0x37a/0x1300
[ 24.259403][ T12] ? pm_runtime_irq_safe+0xa0/0xa0
[ 24.264491][ T12] ? do_raw_spin_lock+0x11a/0x280
[ 24.269490][ T12] ? rwlock_bug.part.0+0x90/0x90
[ 24.274401][ T12] ? lock_acquire+0x127/0x320
[ 24.279073][ T12] ? __pm_runtime_suspend+0xad/0x150
[ 24.284345][ T12] __pm_runtime_suspend+0xbb/0x150
[ 24.289439][ T12] usb_new_device.cold+0xaee/0xe79
[ 24.294537][ T12] hub_event+0x1e59/0x3860
[ 24.298933][ T12] ? hub_port_debounce+0x260/0x260
[ 24.304023][ T12] ? find_held_lock+0x2d/0x110
[ 24.308762][ T12] ? mark_held_locks+0xe0/0xe0
[ 24.313507][ T12] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 24.319031][ T12] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 24.324346][ T12] process_one_work+0x92b/0x1530
[ 24.329353][ T12] ? pwq_dec_nr_in_flight+0x310/0x310
[ 24.334701][ T12] ? do_raw_spin_lock+0x11a/0x280
[ 24.339703][ T12] worker_thread+0x96/0xe20
[ 24.344186][ T12] ? process_one_work+0x1530/0x1530
[ 24.349370][ T12] kthread+0x318/0x420
[ 24.353420][ T12] ? kthread_create_on_node+0xf0/0xf0
[ 24.358767][ T12] ret_from_fork+0x24/0x30
[ 24.363156][ T12]
[ 24.365464][ T12] Allocated by task 12:
[ 24.369596][ T12] save_stack+0x1b/0x80
[ 24.373728][ T12] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 24.379350][ T12] ax88172a_bind+0x9f/0x7a2
[ 24.383831][ T12] usbnet_probe+0xb43/0x2470
[ 24.388396][ T12] usb_probe_interface+0x305/0x7a0
[ 24.393522][ T12] really_probe+0x281/0x6d0
[ 24.398017][ T12] driver_probe_device+0x104/0x210
[ 24.403105][ T12] __device_attach_driver+0x1c2/0x220
[ 24.408454][ T12] bus_for_each_drv+0x162/0x1e0
[ 24.413296][ T12] __device_attach+0x217/0x360
[ 24.418045][ T12] bus_probe_device+0x1e4/0x290
[ 24.422870][ T12] device_add+0x1480/0x1c20
[ 24.427349][ T12] usb_set_configuration+0xe67/0x1740
[ 24.432695][ T12] generic_probe+0x9d/0xd5
[ 24.437105][ T12] usb_probe_device+0x99/0x100
[ 24.441843][ T12] really_probe+0x281/0x6d0
[ 24.446323][ T12] driver_probe_device+0x104/0x210
[ 24.451410][ T12] __device_attach_driver+0x1c2/0x220
[ 24.456770][ T12] bus_for_each_drv+0x162/0x1e0
[ 24.462311][ T12] __device_attach+0x217/0x360
[ 24.473400][ T12] bus_probe_device+0x1e4/0x290
[ 24.478771][ T12] device_add+0x1480/0x1c20
[ 24.483247][ T12] usb_new_device.cold+0x6a4/0xe79
[ 24.488331][ T12] hub_event+0x1e59/0x3860
[ 24.492744][ T12] process_one_work+0x92b/0x1530
[ 24.497660][ T12] worker_thread+0x96/0xe20
[ 24.502150][ T12] kthread+0x318/0x420
[ 24.506195][ T12] ret_from_fork+0x24/0x30
[ 24.510583][ T12]
[ 24.512887][ T12] Freed by task 12:
[ 24.516691][ T12] save_stack+0x1b/0x80
[ 24.520843][ T12] __kasan_slab_free+0x129/0x170
[ 24.525756][ T12] kfree+0xda/0x310
[ 24.529541][ T12] ax88172a_bind.cold+0x4d/0x1e8
[ 24.534453][ T12] usbnet_probe+0xb43/0x2470
[ 24.539021][ T12] usb_probe_interface+0x305/0x7a0
[ 24.544268][ T12] really_probe+0x281/0x6d0
[ 24.548800][ T12] driver_probe_device+0x104/0x210
[ 24.553888][ T12] __device_attach_driver+0x1c2/0x220
[ 24.559248][ T12] bus_for_each_drv+0x162/0x1e0
[ 24.564073][ T12] __device_attach+0x217/0x360
[ 24.568811][ T12] bus_probe_device+0x1e4/0x290
[ 24.573637][ T12] device_add+0x1480/0x1c20
[ 24.578167][ T12] usb_set_configuration+0xe67/0x1740
[ 24.583579][ T12] generic_probe+0x9d/0xd5
[ 24.587987][ T12] usb_probe_device+0x99/0x100
[ 24.592727][ T12] really_probe+0x281/0x6d0
[ 24.597206][ T12] driver_probe_device+0x104/0x210
[ 24.602293][ T12] __device_attach_driver+0x1c2/0x220
[ 24.613319][ T12] bus_for_each_drv+0x162/0x1e0
[ 24.618145][ T12] __device_attach+0x217/0x360
[ 24.622889][ T12] bus_probe_device+0x1e4/0x290
[ 24.627718][ T12] device_add+0x1480/0x1c20
[ 24.632200][ T12] usb_new_device.cold+0x6a4/0xe79
[ 24.637288][ T12] hub_event+0x1e59/0x3860
[ 24.641729][ T12] process_one_work+0x92b/0x1530
[ 24.646645][ T12] worker_thread+0x96/0xe20
[ 24.651124][ T12] kthread+0x318/0x420
[ 24.655169][ T12] ret_from_fork+0x24/0x30
[ 24.659556][ T12]
[ 24.661864][ T12] The buggy address belongs to the object at ffff8881d1984280
[ 24.661864][ T12] which belongs to the cache kmalloc-64 of size 64
[ 24.675834][ T12] The buggy address is located 8 bytes inside of
[ 24.675834][ T12] 64-byte region [ffff8881d1984280, ffff8881d19842c0)
[ 24.688830][ T12] The buggy address belongs to the page:
[ 24.694458][ T12] page:ffffea0007466100 refcount:1 mapcount:0 mapping:ffff8881da003180 index:0x0
[ 24.703542][ T12] raw: 0200000000000200 ffffea00074c2100 0000000a0000000a ffff8881da003180
[ 24.712102][ T12] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[ 24.721543][ T12] page dumped because: kasan: bad access detected
[ 24.727927][ T12]
[ 24.730233][ T12] Memory state around the buggy address:
[ 24.735928][ T12]  ffff8881d1984180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 24.744067][ T12]  ffff8881d1984200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 24.752467][ T12] >ffff8881d1984280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 24.761125][ T12]                       ^
[ 24.765440][ T12]  ffff8881d1984300: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 24.773479][ T12]  ffff8881d