INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.95' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 39.937159][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 40.176716][ T83] usb 1-1: Using ep0 maxpacket: 16
[ 40.296796][ T83] usb 1-1: config 0 has an invalid interface number: 128 but max is 0
[ 40.305297][ T83] usb 1-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config
[ 40.315539][ T83] usb 1-1: config 0 has no interface number 0
[ 40.321684][ T83] usb 1-1: config 0 interface 128 altsetting 0 endpoint 0x84 has an invalid bInterval 0, changing to 7
[ 40.332747][ T83] usb 1-1: New USB device found, idVendor=12cf, idProduct=7111, bcdDevice=48.08
[ 40.341793][ T83] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 40.351045][ T83] usb 1-1: config 0 descriptor??
[ 40.596808][ T83] radio-si470x 1-1:0.128: DeviceID=0xd163 ChipID=0xd381
[ 40.816748][ T83] radio-si470x 1-1:0.128: software version 209, hardware version 99
executing program
[ 41.036731][ T83] radio-si470x 1-1:0.128: si470x_set_report: usb_control_msg returned -71
[ 41.056713][ C1] radio-si470x 1-1:0.128: non-zero urb status (-71)
[ 41.064442][ T83] radio-si470x 1-1:0.128: si470x_set_report: usb_control_msg returned -71
[ 41.078078][ C1] radio-si470x 1-1:0.128: non-zero urb status (-71)
[ 41.085026][ T83] radio-si470x: probe of 1-1:0.128 failed with error -22
[ 41.094086][ T83] usb 1-1: USB disconnect, device number 2
[ 41.100092][ C1] ==================================================================
[ 41.100130][ C1] BUG: KASAN: use-after-free in si470x_int_in_callback.cold+0x27/0xbe
[ 41.100137][ C1] Read of size 8 at addr ffff8881d58fdfb0 by task kworker/1:2/83
[ 41.100139][ C1]
[ 41.100147][ C1] CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.3.0+ #0
[ 41.100152][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.100162][ C1] Workqueue: usb_hub_wq hub_event
[ 41.100166][ C1] Call Trace:
[ 41.100170][ C1]  <IRQ>
[ 41.100181][ C1]  dump_stack+0xca/0x13e
[ 41.100193][ C1]  ? si470x_int_in_callback.cold+0x27/0xbe
[ 41.100205][ C1]  ? si470x_int_in_callback.cold+0x27/0xbe
[ 41.100220][ C1]  print_address_description.constprop.0+0x36/0x50
[ 41.100233][ C1]  ? si470x_int_in_callback.cold+0x27/0xbe
[ 41.100244][ C1]  ? si470x_int_in_callback.cold+0x27/0xbe
[ 41.100252][ C1]  __kasan_report.cold+0x1a/0x33
[ 41.100260][ C1]  ? si470x_int_in_callback.cold+0x27/0xbe
[ 41.100266][ C1]  kasan_report+0xe/0x12
[ 41.100273][ C1]  si470x_int_in_callback.cold+0x27/0xbe
[ 41.100281][ C1]  ? usb_hcd_unmap_urb_for_dma+0x105/0x9b0
[ 41.100288][ C1]  __usb_hcd_giveback_urb+0x1f2/0x470
[ 41.100295][ C1]  usb_hcd_giveback_urb+0x368/0x420
[ 41.100304][ C1]  dummy_timer+0x120f/0x2fa2
[ 41.100313][ C1]  ? __lock_acquire+0x145e/0x3eb0
[ 41.100319][ C1]  ? find_held_lock+0x2d/0x110
[ 41.100331][ C1]  ? debug_object_deactivate+0x1d9/0x320
[ 41.100340][ C1]  ? mark_held_locks+0xe0/0xe0
[ 41.100347][ C1]  ? dummy_udc_probe+0x930/0x930
[ 41.100376][ C1]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 41.100384][ C1]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 41.100392][ C1]  call_timer_fn+0x179/0x650
[ 41.100398][ C1]  ? dummy_udc_probe+0x930/0x930
[ 41.100405][ C1]  ? msleep_interruptible+0x130/0x130
[ 41.100411][ C1]  ? mark_held_locks+0x9f/0xe0
[ 41.100418][ C1]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 41.100426][ C1]  ? _raw_spin_unlock_irq+0x24/0x30
[ 41.100433][ C1]  ? dummy_udc_probe+0x930/0x930
[ 41.100439][ C1]  run_timer_softirq+0x5e0/0x14d0
[ 41.100446][ C1]  ? add_timer+0x7a0/0x7a0
[ 41.100453][ C1]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 41.100460][ C1]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 41.100467][ C1]  __do_softirq+0x221/0x912
[ 41.100475][ C1]  irq_exit+0x178/0x1a0
[ 41.100482][ C1]  smp_apic_timer_interrupt+0x12f/0x500
[ 41.100489][ C1]  apic_timer_interrupt+0xf/0x20
[ 41.100492][ C1]  </IRQ>
[ 41.100499][ C1] RIP: 0010:console_unlock+0xa2a/0xc40
[ 41.100507][ C1] Code: 00 89 ee 48 c7 c7 c0 6f f3 86 e8 c1 b7 03 00 65 ff 0d 92 6e d9 7e e9 db f9 ff ff e8 60 bc 15 00 e8 7b ea 1a 00 ff 74 24 30 9d 18 fe ff ff e8 4c bc 15 00 48 8d 7d 08 48 89 f8 48 c1 e8 03 42
[ 41.100511][ C1] RSP: 0018:ffff8881d93d76c0 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
[ 41.100518][ C1] RAX: 0000000000000007 RBX: 0000000000000200 RCX: 0000000000000006
[ 41.100522][ C1] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881d92e384c
[ 41.100527][ C1] RBP: 0000000000000000 R08: ffff8881d92e3000 R09: fffffbfff11f45a5
[ 41.100531][ C1] R10: fffffbfff11f45a4 R11: ffffffff88fa2d27 R12: 0000000000000040
[ 41.100535][ C1] R13: dffffc0000000000 R14: ffffffff8293e1a0 R15: ffffffff8727c990
[ 41.100543][ C1]  ? netconsole_netdev_event+0x2a0/0x2a0
[ 41.100550][ C1]  vprintk_emit+0x171/0x3e0
[ 41.100558][ C1]  dev_vprintk_emit+0x4fc/0x541
[ 41.100565][ C1]  ? devm_device_remove_groups.cold+0x18/0x18
[ 41.100572][ C1]  ? __kasan_slab_free+0x130/0x180
[ 41.100577][ C1]  ? kfree+0xe4/0x2f0
[ 41.100583][ C1]  ? usb_control_msg+0x393/0x4a0
[ 41.100590][ C1]  ? usb_clear_port_feature+0x6a/0x90
[ 41.100595][ C1]  ? hub_event+0xcf3/0x3640
[ 41.100604][ C1]  ? process_one_work+0x92b/0x1530
[ 41.100610][ C1]  ? worker_thread+0x7ab/0xe20
[ 41.100617][ C1]  ? kthread+0x318/0x420
[ 41.100623][ C1]  ? ret_from_fork+0x24/0x30
[ 41.100630][ C1]  ? mark_held_locks+0x9f/0xe0
[ 41.100636][ C1]  ? lockdep_hardirqs_on+0x382/0x580
[ 41.100642][ C1]  ? find_held_lock+0x2d/0x110
[ 41.100649][ C1]  dev_printk_emit+0xba/0xf1
[ 41.100655][ C1]  ? dev_vprintk_emit+0x541/0x541
[ 41.100662][ C1]  __dev_printk+0x1db/0x203
[ 41.100668][ C1]  _dev_info+0xd7/0x109
[ 41.100674][ C1]  ? _dev_notice+0x109/0x109
[ 41.100680][ C1]  ? mark_held_locks+0x9f/0xe0
[ 41.100687][ C1]  ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 41.100693][ C1]  usb_disconnect+0x7f/0x8d0
[ 41.100700][ C1]  ? usb_clear_port_feature+0x6a/0x90
[ 41.100707][ C1]  hub_event+0x1454/0x3640
[ 41.100715][ C1]  ? find_held_lock+0x2d/0x110
[ 41.100721][ C1]  ? mark_held_locks+0xe0/0xe0
[ 41.100728][ C1]  ? hub_port_debounce+0x260/0x260
[ 41.100735][ C1]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 41.100742][ C1]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 41.100749][ C1]  process_one_work+0x92b/0x1530
[ 41.100756][ C1]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 41.100762][ C1]  ? do_raw_spin_lock+0x11a/0x280
[ 41.100769][ C1]  worker_thread+0x7ab/0xe20
[ 41.100776][ C1]  ? process_one_work+0x1530/0x1530
[ 41.100782][ C1]  kthread+0x318/0x420
[ 41.100788][ C1]  ? kthread_create_on_node+0xf0/0xf0
[ 41.100794][ C1]  ret_from_fork+0x24/0x30
[ 41.100797][ C1]
[ 41.100801][ C1] Allocated by task 83:
[ 41.100808][ C1]  save_stack+0x1b/0x80
[ 41.100814][ C1]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 41.100821][ C1]  si470x_usb_driver_probe+0x51/0xf50
[ 41.100827][ C1]  usb_probe_interface+0x305/0x7a0
[ 41.100833][ C1]  really_probe+0x281/0x6d0
[ 41.100839][ C1]  driver_probe_device+0x104/0x210
[ 41.100845][ C1]  __device_attach_driver+0x1c2/0x220
[ 41.100851][ C1]  bus_for_each_drv+0x162/0x1e0
[ 41.100857][ C1]  __device_attach+0x217/0x360
[ 41.100863][ C1]  bus_probe_device+0x1e4/0x290
[ 41.100868][ C1]  device_add+0xae6/0x16f0
[ 41.100874][ C1]  usb_set_configuration+0xdf6/0x1670
[ 41.100880][ C1]  generic_probe+0x9d/0xd5
[ 41.100885][ C1]  usb_probe_device+0x99/0x100
[ 41.100891][ C1]  really_probe+0x281/0x6d0
[ 41.100897][ C1]  driver_probe_device+0x104/0x210
[ 41.100904][ C1]  __device_attach_driver+0x1c2/0x220
[ 41.100909][ C1]  bus_for_each_drv+0x162/0x1e0
[ 41.100915][ C1]  __device_attach+0x217/0x360
[ 41.100921][ C1]  bus_probe_device+0x1e4/0x290
[ 41.100927][ C1]  device_add+0xae6/0x16f0
[ 41.100933][ C1]  usb_new_device.cold+0x6a4/0xe79
[ 41.100938][ C1]  hub_event+0x1b5c/0x3640
[ 41.100944][ C1]  process_one_work+0x92b/0x1530
[ 41.100950][ C1]  worker_thread+0x96/0xe20
[ 41.100955][ C1]  kthread+0x318/0x420
[ 41.100961][ C1]  ret_from_fork+0x24/0x30
[ 41.100963][ C1]
[ 41.100966][ C1] Freed by task 83:
[ 41.100972][ C1]  save_stack+0x1b/0x80
[ 41.100978][ C1]  __kasan_slab_free+0x130/0x180
[ 41.100983][ C1]  kfree+0xe4/0x2f0
[ 41.100989][ C1]  si470x_usb_driver_probe+0xb27/0xf50
[ 41.100995][ C1]  usb_probe_interface+0x305/0x7a0
[ 41.101001][ C1]  really_probe+0x281/0x6d0
[ 41.101007][ C1]  driver_probe_device+0x104/0x210
[ 41.101013][ C1]  __device_attach_driver+0x1c2/0x220
[ 41.101019][ C1]  bus_for_each_drv+0x162/0x1e0
[ 41.101025][ C1]  __device_attach+0x217/0x360
[ 41.101031][ C1]  bus_probe_device+0x1e4/0x290
[ 41.101036][ C1]  device_add+0xae6/0x16f0
[ 41.101042][ C1]  usb_set_configuration+0xdf6/0x1670
[ 41.101047][ C1]  generic_probe+0x9d/0xd5
[ 41.101053][ C1]  usb_probe_device+0x99/0x100
[ 41.101058][ C1]  really_probe+0x281/0x6d0
[ 41.101065][ C1]  driver_probe_device+0x104/0x210
[ 41.101071][ C1]  __device_attach_driver+0x1c2/0x220
[ 41.101077][ C1]  bus_for_each_drv+0x162/0x1e0
[ 41.101083][ C1]  __device_attach+0x217/0x360
[ 41.101089][ C1]  bus_probe_device+0x1e4/0x290
[ 41.101094][ C1]  device_add+0xae6/0x16f0
[ 41.101100][ C1]  usb_new_device.cold+0x6a4/0xe79
[ 41.101106][ C1]  hub_event+0x1b5c/0x3640
[ 41.101112][ C1]  process_one_work+0x92b/0x1530
[ 41.101117][ C1]  worker_thread+0x96/0xe20
[ 41.101123][ C1]  kthread+0x318/0x420
[ 41.101128][ C1]  ret_from_fork+0x24/0x30
[ 41.101130][ C1]
[ 41.101135][ C1] The buggy address belongs to the object at ffff8881d58fd500
[ 41.101135][ C1]  which belongs to the cache kmalloc-4k of size 4096
[ 41.101141][ C1] The buggy address is located 2736 bytes inside of
[ 41.101141][ C1]  4096-byte region [ffff8881d58fd500, ffff8881d58fe500)
[ 41.101143][ C1] The buggy address belongs to the page:
[ 41.101150][ C1] page:ffffea0007563e00 refcount:1 mapcount:0 mapping:ffff8881da00c280 index:0x0 compound_mapcount: 0
[ 41.101159][ C1] flags: 0x200000000010200(slab|head)
[ 41.101169][ C1] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c280
[ 41.101176][ C1] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 41.101180][ C1] page dumped because: kasan: bad access detected
[ 41.101181][ C1]
[ 41.101184][ C1] Memory state around the buggy address:
[ 41.101189][ C1]  ffff8881d58fde80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.101195][ C1]  ffff8881d58fdf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.101200][ C1] >ffff8881d58fdf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.101202][ C1]                                      ^
[ 41.101208][ C1]  ffff8881d58fe000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.101213][ C1]  ffff8881d58fe080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.101216][ C1] ==================================================================
[ 41.101218][ C1] Disabling lock debugging due to kernel taint
[ 41.101222][ C1] Kernel panic - not syncing: panic_on_warn set ...
[ 41.101229][ C1] CPU: 1 PID: 83 Comm: kworker/1:2 Tainted: G B 5.3.0+ #0
[ 41.101232][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.101238][ C1] Workqueue: usb_hub_wq hub_event
[ 41.101241][ C1] Call Trace:
[ 41.101243][ C1]  <IRQ>
[ 41.101248][ C1]  dump_stack+0xca/0x13e
[ 41.101253][ C1]  panic+0x2a3/0x6da
[ 41.101258][ C1]  ? add_taint.cold+0x16/0x16
[ 41.101265][ C1]  ? print_shadow_for_address+0xb8/0x114
[ 41.101272][ C1]  ? trace_hardirqs_off+0x50/0x1d0
[ 41.101282][ C1]  ? si470x_int_in_callback.cold+0x27/0xbe
[ 41.101292][ C1]  end_report+0x43/0x49
[ 41.101302][ C1]  ? si470x_int_in_callback.cold+0x27/0xbe
[ 41.101312][ C1]  __kasan_report.cold+0xd/0x33
[ 41.101323][ C1]  ? si470x_int_in_callback.cold+0x27/0xbe
[ 41.101333][ C1]  kasan_report+0xe/0x12
[ 41.101341][ C1]  si470x_int_in_callback.cold+0x27/0xbe
[ 41.101349][ C1]  ? usb_hcd_unmap_urb_for_dma+0x105/0x9b0
[ 41.101360][ C1]  __usb_hcd_giveback_urb+0x1f2/0x470
[ 41.101367][ C1]  usb_hcd_giveback_urb+0x368/0x420
[ 41.101373][ C1]  dummy_timer+0x120f/0x2fa2
[ 41.101379][ C1]  ? __lock_acquire+0x145e/0x3eb0
[ 41.101385][ C1]  ? find_held_lock+0x2d/0x110
[ 41.101392][ C1]  ? debug_object_deactivate+0x1d9/0x320
[ 41.101398][ C1]  ? mark_held_locks+0xe0/0xe0
[ 41.101404][ C1]  ? dummy_udc_probe+0x930/0x930
[ 41.101411][ C1]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 41.101417][ C1]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 41.101423][ C1]  call_timer_fn+0x179/0x650
[ 41.101429][ C1]  ? dummy_udc_probe+0x930/0x930
[ 41.101437][ C1]  ? msleep_interruptible+0x130/0x130
[ 41.101443][ C1]  ? mark_held_locks+0x9f/0xe0
[ 41.101449][ C1]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 41.101455][ C1]  ? _raw_spin_unlock_irq+0x24/0x30
[ 41.101461][ C1]  ? dummy_udc_probe+0x930/0x930
[ 41.101467][ C1]  run_timer_softirq+0x5e0/0x14d0
[ 41.101473][ C1]  ? add_timer+0x7a0/0x7a0
[ 41.101479][ C1]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 41.101486][ C1]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 41.101492][ C1]  __do_softirq+0x221/0x912
[ 41.101498][ C1]  irq_exit+0x178/0x1a0
[ 41.101504][ C1]  smp_apic_timer_interrupt+0x12f/0x500
[ 41.101513][ C1]  apic_timer_interrupt+0xf/0x20
[ 41.101515][ C1]  </IRQ>
[ 41.101521][ C1] RIP: 0010:console_unlock+0xa2a/0xc40
[ 41.101527][ C1] Code: 00 89 ee 48 c7 c7 c0 6f f3 86 e8 c1 b7 03 00 65 ff 0d 92 6e d9 7e e9 db f9 ff ff e8 60 bc 15 00 e8 7b ea 1a 00 ff 74 24 30 9d 18 fe ff ff e8 4c bc 15 00 48 8d 7d 08 48 89 f8 48 c1 e8 03 42
[ 41.101530][ C1] RSP: 0018:ffff8881d93d76c0 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
[ 41.101536][ C1] RAX: 0000000000000007 RBX: 0000000000000200 RCX: 0000000000000006
[ 41.101541][ C1] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881d92e384c
[ 41.101544][ C1] RBP: 0000000000000000 R08: ffff8881d92e3000 R09: fffffbfff11f45a5
[ 41.101548][ C1] R10: fffffbfff11f45a4 R11: ffffffff88fa2d27 R12: 0000000000000040
[ 41.101552][ C1] R13: dffffc0000000000 R14: ffffffff8293e1a0 R15: ffffffff8727c990
[ 41.101558][ C1]  ? netconsole_netdev_event+0x2a0/0x2a0
[ 41.101564][ C1]  vprintk_emit+0x171/0x3e0
[ 41.101570][ C1]  dev_vprintk_emit+0x4fc/0x541
[ 41.101577][ C1]  ? devm_device_remove_groups.cold+0x18/0x18
[ 41.101584][ C1]  ? __kasan_slab_free+0x130/0x180
[ 41.101589][ C1]  ? kfree+0xe4/0x2f0
[ 41.101595][ C1]  ? usb_control_msg+0x393/0x4a0
[ 41.101600][ C1]  ? usb_clear_port_feature+0x6a/0x90
[ 41.101606][ C1]  ? hub_event+0xcf3/0x3640
[ 41.101612][ C1]  ? process_one_work+0x92b/0x1530
[ 41.101617][ C1]  ? worker_thread+0x7ab/0xe20
[ 41.101623][ C1]  ? kthread+0x318/0x420
[ 41.101628][ C1]  ? ret_from_fork+0x24/0x30
[ 41.101634][ C1]  ? mark_held_locks+0x9f/0xe0
[ 41.101640][ C1]  ? lockdep_hardirqs_on+0x382/0x580
[ 41.101645][ C1]  ? find_held_lock+0x2d/0x110
[ 41.101651][ C1]  dev_printk_emit+0xba/0xf1
[ 41.101657][ C1]  ? dev_vprintk_emit+0x541/0x541
[ 41.101663][ C1]  __dev_printk+0x1db/0x203
[ 41.101668][ C1]  _dev_info+0xd7/0x109
[ 41.101674][ C1]  ? _dev_notice+0x109/0x109
[ 41.101680][ C1]  ? mark_held_locks+0x9f/0xe0
[ 41.101686][ C1]  ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 41.101691][ C1]  usb_disconnect+0x7f/0x8d0
[ 41.101697][ C1]  ? usb_clear_port_feature+0x6a/0x90
[ 41.101708][ C1]  hub_event+0x1454/0x3640
[ 41.101714][ C1]  ? find_held_lock+0x2d/0x110
[ 41.101720][ C1]  ? mark_held_locks+0xe0/0xe0
[ 41.101726][ C1]  ? hub_port_debounce+0x260/0x260
[ 41.101733][ C1]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 41.101739][ C1]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 41.101745][ C1]  process_one_work+0x92b/0x1530
[ 41.101752][ C1]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 41.101763][ C1]  ? do_raw_spin_lock+0x11a/0x280
[ 41.101769][ C1]  worker_thread+0x7ab/0xe20
[ 41.101775][ C1]  ? process_one_work+0x1530/0x1530
[ 41.101781][ C1]  kthread+0x318/0x420
[ 41.101787][ C1]  ? kthread_create_on_node+0xf0/0xf0
[ 41.101792][ C1]  ret_from_fork+0x24/0x30
[ 41.102294][ C1] Kernel Offset: disabled
[ 42.524434][ C1] Rebooting in 86400 seconds..