[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[   14.071783][   C1] random: crng init done
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.211' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[   33.645296][   T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   33.885285][   T83] usb 1-1: Using ep0 maxpacket: 8
[   34.005328][   T83] usb 1-1: config 0 has an invalid interface number: 117 but max is 0
[   34.013565][   T83] usb 1-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config
[   34.023652][   T83] usb 1-1: config 0 has no interface number 0
[   34.029765][   T83] usb 1-1: config 0 interface 117 altsetting 0 bulk endpoint 0x81 has invalid maxpacket 29
[   34.039800][   T83] usb 1-1: New USB device found, idVendor=04d8, idProduct=0a30, bcdDevice=18.34
[   34.048839][   T83] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   34.058091][   T83] usb 1-1: config 0 descriptor??
[   34.110162][   T83] mcba_usb 1-1:0.117 can0: failed tx_urb -2
[   34.116182][   T83] mcba_usb 1-1:0.117 can0: Failed to send cmd (169)
[   34.122824][   T83] mcba_usb 1-1:0.117 can0: failed tx_urb -2
[   34.129255][   T83] mcba_usb 1-1:0.117 can0: Failed to send cmd (169)
[   34.135859][   T83] mcba_usb 1-1:0.117: Microchip CAN BUS Analyzer connected
executing program
[   34.308025][   T12] usb 1-1: USB disconnect, device number 2
[   34.315032][   T12] mcba_usb 1-1:0.117 can0: device disconnected
[   34.385591][   T12] ==================================================================
[   34.393696][   T12] BUG: KASAN: use-after-free in __lock_acquire+0x3377/0x3eb0
[   34.401034][   T12] Read of size 8 at addr ffff8881d2d98f48 by task kworker/0:1/12
[   34.408715][   T12]
[   34.411018][   T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.3.0+ #0
[   34.418086][   T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.428116][   T12] Workqueue: usb_hub_wq hub_event
[   34.433105][   T12] Call Trace:
[   34.436365][   T12]  dump_stack+0xca/0x13e
[   34.440581][   T12]  ? __lock_acquire+0x3377/0x3eb0
[   34.445572][   T12]  ? __lock_acquire+0x3377/0x3eb0
[   34.450570][   T12]  print_address_description+0x6a/0x32c
[   34.456091][   T12]  ? __lock_acquire+0x3377/0x3eb0
[   34.461086][   T12]  ? __lock_acquire+0x3377/0x3eb0
[   34.466082][   T12]  __kasan_report.cold+0x1a/0x33
[   34.470989][   T12]  ? __lock_acquire+0x3377/0x3eb0
[   34.475987][   T12]  kasan_report+0xe/0x12
[   34.480202][   T12]  __lock_acquire+0x3377/0x3eb0
[   34.485022][   T12]  ? mark_held_locks+0x9f/0xe0
[   34.489758][   T12]  ? lockdep_hardirqs_on+0x379/0x580
[   34.495052][   T12]  ? quarantine_put+0xb2/0x150
[   34.499785][   T12]  ? mark_held_locks+0xe0/0xe0
[   34.504518][   T12]  lock_acquire+0x127/0x320
[   34.508997][   T12]  ? usb_kill_anchored_urbs+0x1e/0x110
[   34.514424][   T12]  ? kobject_put+0x18c/0x280
[   34.518982][   T12]  _raw_spin_lock_irq+0x2d/0x40
[   34.523803][   T12]  ? usb_kill_anchored_urbs+0x1e/0x110
[   34.529230][   T12]  usb_kill_anchored_urbs+0x1e/0x110
[   34.534484][   T12]  mcba_usb_disconnect+0xd6/0xe4
[   34.539398][   T12]  usb_unbind_interface+0x1bd/0x8a0
[   34.544566][   T12]  ? usb_autoresume_device+0x60/0x60
[   34.549829][   T12]  device_release_driver_internal+0x42f/0x500
[   34.555869][   T12]  bus_remove_device+0x2dc/0x4a0
[   34.560778][   T12]  device_del+0x420/0xb10
[   34.565092][   T12]  ? __device_links_no_driver+0x240/0x240
[   34.570782][   T12]  ? usb_remove_ep_devs+0x3e/0x80
[   34.575776][   T12]  ? remove_intf_ep_devs+0x13f/0x1d0
[   34.581032][   T12]  usb_disable_device+0x211/0x690
[   34.586025][   T12]  usb_disconnect+0x284/0x8d0
[   34.590671][   T12]  hub_event+0x1454/0x3640
[   34.595058][   T12]  ? find_held_lock+0x2d/0x110
[   34.599790][   T12]  ? mark_held_locks+0xe0/0xe0
[   34.604523][   T12]  ? hub_port_debounce+0x260/0x260
[   34.609607][   T12]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   34.615122][   T12]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   34.620376][   T12]  process_one_work+0x92b/0x1530
[   34.625284][   T12]  ? pwq_dec_nr_in_flight+0x310/0x310
[   34.630643][   T12]  ? do_raw_spin_lock+0x11a/0x280
[   34.635648][   T12]  worker_thread+0x96/0xe20
[   34.640130][   T12]  ? process_one_work+0x1530/0x1530
[   34.645326][   T12]  kthread+0x318/0x420
[   34.649367][   T12]  ? kthread_create_on_node+0xf0/0xf0
[   34.654711][   T12]  ret_from_fork+0x24/0x30
[   34.659094][   T12]
[   34.661393][   T12] The buggy address belongs to the page:
[   34.667002][   T12] page:ffffea00074b6600 refcount:1 mapcount:0 mapping:ffff8881da114000 index:0x0 compound_mapcount: 0
[   34.677912][   T12] flags: 0x200000000010200(slab|head)
[   34.683256][   T12] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da114000
[   34.691811][   T12] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[   34.700359][   T12] page dumped because: kasan: bad access detected
[   34.706737][   T12]
[   34.709036][   T12] Memory state around the buggy address:
[   34.714636][   T12]  ffff8881d2d98e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.722666][   T12]  ffff8881d2d98e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.730697][   T12] >ffff8881d2d98f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.738724][   T12]                                               ^
[   34.745103][   T12]  ffff8881d2d98f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.753131][   T12]  ffff8881d2d99000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.761159][   T12] ==================================================================
[   34.769187][   T12] Disabling lock debugging due to kernel taint
[   34.775320][   T12] Kernel panic - not syncing: panic_on_warn set ...
[   34.781875][   T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G    B             5.3.0+ #0
[   34.790249][   T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.800284][   T12] Workqueue: usb_hub_wq hub_event
[   34.805276][   T12] Call Trace:
[   34.808542][   T12]  dump_stack+0xca/0x13e
[   34.812764][   T12]  panic+0x2a3/0x6da
[   34.816638][   T12]  ? add_taint.cold+0x16/0x16
[   34.821284][   T12]  ? print_shadow_for_address+0xb8/0x114
[   34.826901][   T12]  ? trace_hardirqs_off+0x50/0x1d0
[   34.831994][   T12]  ? __lock_acquire+0x3377/0x3eb0
[   34.836996][   T12]  end_report+0x43/0x49
[   34.841120][   T12]  ? __lock_acquire+0x3377/0x3eb0
[   34.846113][   T12]  __kasan_report.cold+0xd/0x33
[   34.850940][   T12]  ? __lock_acquire+0x3377/0x3eb0
[   34.855931][   T12]  kasan_report+0xe/0x12
[   34.860142][   T12]  __lock_acquire+0x3377/0x3eb0
[   34.864960][   T12]  ? mark_held_locks+0x9f/0xe0
[   34.869691][   T12]  ? lockdep_hardirqs_on+0x379/0x580
[   34.874944][   T12]  ? quarantine_put+0xb2/0x150
[   34.879679][   T12]  ? mark_held_locks+0xe0/0xe0
[   34.884411][   T12]  lock_acquire+0x127/0x320
[   34.888884][   T12]  ? usb_kill_anchored_urbs+0x1e/0x110
[   34.894316][   T12]  ? kobject_put+0x18c/0x280
[   34.898880][   T12]  _raw_spin_lock_irq+0x2d/0x40
[   34.903702][   T12]  ? usb_kill_anchored_urbs+0x1e/0x110
[   34.909131][   T12]  usb_kill_anchored_urbs+0x1e/0x110
[   34.914388][   T12]  mcba_usb_disconnect+0xd6/0xe4
[   34.919298][   T12]  usb_unbind_interface+0x1bd/0x8a0
[   34.924466][   T12]  ? usb_autoresume_device+0x60/0x60
[   34.929720][   T12]  device_release_driver_internal+0x42f/0x500
[   34.935767][   T12]  bus_remove_device+0x2dc/0x4a0
[   34.940687][   T12]  device_del+0x420/0xb10
[   34.944991][   T12]  ? __device_links_no_driver+0x240/0x240
[   34.950680][   T12]  ? usb_remove_ep_devs+0x3e/0x80
[   34.955674][   T12]  ? remove_intf_ep_devs+0x13f/0x1d0
[   34.960930][   T12]  usb_disable_device+0x211/0x690
[   34.965924][   T12]  usb_disconnect+0x284/0x8d0
[   34.970572][   T12]  hub_event+0x1454/0x3640
[   34.974960][   T12]  ? find_held_lock+0x2d/0x110
[   34.979694][   T12]  ? mark_held_locks+0xe0/0xe0
[   34.984429][   T12]  ? hub_port_debounce+0x260/0x260
[   34.989554][   T12]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   34.995072][   T12]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   35.000331][   T12]  process_one_work+0x92b/0x1530
[   35.005249][   T12]  ? pwq_dec_nr_in_flight+0x310/0x310
[   35.010599][   T12]  ? do_raw_spin_lock+0x11a/0x280
[   35.015594][   T12]  worker_thread+0x96/0xe20
[   35.020071][   T12]  ? process_one_work+0x1530/0x1530
[   35.025239][   T12]  kthread+0x318/0x420
[   35.029278][   T12]  ? kthread_create_on_node+0xf0/0xf0
[   35.034620][   T12]  ret_from_fork+0x24/0x30
[   35.039752][   T12] Kernel Offset: disabled
[   35.044076][   T12] Rebooting in 86400 seconds..