[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
syzkaller login: [ 17.789276][ C1] random: crng init done
[ 17.794030][ C1] random: 7 urandom warning(s) missed due to ratelimiting
[ 25.556266][ T357] can: request_module (can-proto-0) failed.
[ 25.567395][ T357] can: request_module (can-proto-0) failed.
Warning: Permanently added '10.128.1.61' (ECDSA) to the list of known hosts.
2020/05/06 10:20:43 parsed 1 programs
2020/05/06 10:20:43 executed programs: 0
[ 32.495441][ T482] cgroup1: Unknown subsys name 'perf_event'
[ 32.502270][ T482] cgroup1: Unknown subsys name 'net_cls'
[ 32.505457][ T485] cgroup1: Unknown subsys name 'perf_event'
[ 32.521053][ T485] cgroup1: Unknown subsys name 'net_cls'
[ 32.524061][ T488] cgroup1: Unknown subsys name 'perf_event'
[ 32.535027][ T492] cgroup1: Unknown subsys name 'perf_event'
[ 32.537739][ T490] cgroup1: Unknown subsys name 'perf_event'
[ 32.542824][ T495] cgroup1: Unknown subsys name 'perf_event'
[ 32.554055][ T488] cgroup1: Unknown subsys name 'net_cls'
[ 32.554661][ T492] cgroup1: Unknown subsys name 'net_cls'
[ 32.564599][ T490] cgroup1: Unknown subsys name 'net_cls'
[ 32.572614][ T495] cgroup1: Unknown subsys name 'net_cls'
[ 35.308848][ T22] usb 4-1: new high-speed USB device number 2 using dummy_hcd
[ 35.318823][ T101] usb 6-1: new high-speed USB device number 2 using dummy_hcd
[ 35.398773][ T161] usb 2-1: new high-speed USB device number 2 using dummy_hcd
[ 35.428733][ T17] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 35.428869][ T12] usb 3-1: new high-speed USB device number 2 using dummy_hcd
[ 35.508717][ T1484] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 35.558638][ T101] usb 6-1: Using ep0 maxpacket: 16
[ 35.558655][ T22] usb 4-1: Using ep0 maxpacket: 16
[ 35.638604][ T161] usb 2-1: Using ep0 maxpacket: 16
[ 35.678671][ T101] usb 6-1: config index 0 descriptor too short (expected 8475, got 27)
[ 35.687146][ T101] usb 6-1: config 12 has too many interfaces: 208, using maximum allowed: 32
[ 35.688636][ T17] usb 1-1: Using ep0 maxpacket: 16
[ 35.696062][ T101] usb 6-1: config 12 has 1 interface, different from the descriptor's value: 208
[ 35.701548][ T22] usb 4-1: config index 0 descriptor too short (expected 8475, got 27)
[ 35.712791][ T12] usb 3-1: Using ep0 maxpacket: 16
[ 35.718845][ T22] usb 4-1: config 12 has too many interfaces: 208, using maximum allowed: 32
[ 35.725324][ T101] usb 6-1: config 12 interface 0 altsetting 0 bulk endpoint 0x8F has invalid maxpacket 73
[ 35.732874][ T22] usb 4-1: config 12 has 1 interface, different from the descriptor's value: 208
[ 35.742860][ T101] usb 6-1: New USB device found, idVendor=1d50, idProduct=60c6, bcdDevice=1a.d7
[ 35.752680][ T22] usb 4-1: config 12 interface 0 altsetting 0 bulk endpoint 0x8F has invalid maxpacket 73
[ 35.761016][ T101] usb 6-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 35.779217][ T22] usb 4-1: New USB device found, idVendor=1d50, idProduct=60c6, bcdDevice=1a.d7
[ 35.788619][ T22] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 35.789801][ T1484] usb 5-1: Using ep0 maxpacket: 16
[ 35.797067][ T161] usb 2-1: config index 0 descriptor too short (expected 8475, got 27)
[ 35.810455][ T161] usb 2-1: config 12 has too many interfaces: 208, using maximum allowed: 32
[ 35.819626][ T161] usb 2-1: config 12 has 1 interface, different from the descriptor's value: 208
[ 35.829364][ T161] usb 2-1: config 12 interface 0 altsetting 0 bulk endpoint 0x8F has invalid maxpacket 73
[ 35.839611][ T161] usb 2-1: New USB device found, idVendor=1d50, idProduct=60c6, bcdDevice=1a.d7
[ 35.848843][ T161] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 35.863296][ T12] usb 3-1: config index 0 descriptor too short (expected 8475, got 27)
[ 35.871668][ T12] usb 3-1: config 12 has too many interfaces: 208, using maximum allowed: 32
[ 35.880595][ T12] usb 3-1: config 12 has 1 interface, different from the descriptor's value: 208
[ 35.890002][ T12] usb 3-1: config 12 interface 0 altsetting 0 bulk endpoint 0x8F has invalid maxpacket 73
[ 35.900146][ T12] usb 3-1: New USB device found, idVendor=1d50, idProduct=60c6, bcdDevice=1a.d7
[ 35.908857][ T17] usb 1-1: config index 0 descriptor too short (expected 8475, got 27)
[ 35.909940][ T12] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 35.918170][ T17] usb 1-1: config 12 has too many interfaces: 208, using maximum allowed: 32
[ 35.935184][ T17] usb 1-1: config 12 has 1 interface, different from the descriptor's value: 208
[ 35.938575][ T1484] usb 5-1: config index 0 descriptor too short (expected 8475, got 27)
[ 35.944797][ T17] usb 1-1: config 12 interface 0 altsetting 0 bulk endpoint 0x8F has invalid maxpacket 73
[ 35.952958][ T1484] usb 5-1: config 12 has too many interfaces: 208, using maximum allowed: 32
[ 35.962814][ T17] usb 1-1: New USB device found, idVendor=1d50, idProduct=60c6, bcdDevice=1a.d7
[ 35.971544][ T1484] usb 5-1: config 12 has 1 interface, different from the descriptor's value: 208
[ 35.979088][ T1484] usb 5-1: config 12 interface 0 altsetting 0 bulk endpoint 0x8F has invalid maxpacket 73
[ 35.980920][ T17] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 36.008339][ T1484] usb 5-1: New USB device found, idVendor=1d50, idProduct=60c6, bcdDevice=1a.d7
[ 36.018459][ T1484] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 36.038445][ T101] usb 6-1: string descriptor 0 read error: -71
[ 36.081247][ T101] usb 6-1: USB disconnect, device number 2
[ 36.098638][ T1505] hwrng: no data available
[ 36.128545][ T22] usb 4-1: string descriptor 0 read error: -71
[ 36.138395][ T161] usb 2-1: string descriptor 0 read error: -71
[ 36.159601][ T161] chaoskey 2-1:12.0: Unable to register with hwrng
[ 36.166698][ T22] usb 4-1: USB disconnect, device number 2
[ 36.174047][ T161] usb 2-1: USB disconnect, device number 2
[ 36.238369][ T12] usb 3-1: string descriptor 0 read error: -71
[ 36.258240][ T17] usb 1-1: string descriptor 0 read error: -71
[ 36.259503][ T12] usb 3-1: USB disconnect, device number 2
[ 36.270762][ T17] chaoskey 1-1:12.0: Unable to register with hwrng
[ 36.284992][ T17] usb 1-1: USB disconnect, device number 2
[ 36.318239][ T1484] usb 5-1: string descriptor 0 read error: -71
[ 36.339527][ T1484] usb 5-1: USB disconnect, device number 2
[ 36.877890][ T17] usb 2-1: new high-speed USB device number 3 using dummy_hcd
[ 36.997792][ T161] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 37.117708][ T17] usb 2-1: Using ep0 maxpacket: 16
[ 37.237688][ T161] usb 1-1: Using ep0 maxpacket: 16
[ 37.243529][ T17] usb 2-1: config index 0 descriptor too short (expected 8475, got 27)
[ 37.251878][ T17] usb 2-1: config 12 has too many interfaces: 208, using maximum allowed: 32
[ 37.261897][ T17] usb 2-1: config 12 has 1 interface, different from the descriptor's value: 208
[ 37.271220][ T17] usb 2-1: config 12 interface 0 altsetting 0 bulk endpoint 0x8F has invalid maxpacket 73
[ 37.281250][ T17] usb 2-1: New USB device found, idVendor=1d50, idProduct=60c6, bcdDevice=1a.d7
[ 37.290524][ T17] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 37.377610][ T161] usb 1-1: config index 0 descriptor too short (expected 8475, got 27)
[ 37.385968][ T161] usb 1-1: config 12 has too many interfaces: 208, using maximum allowed: 32
[ 37.395351][ T161] usb 1-1: config 12 has 1 interface, different from the descriptor's value: 208
[ 37.404831][ T161] usb 1-1: config 12 interface 0 altsetting 0 bulk endpoint 0x8F has invalid maxpacket 73
[ 37.414826][ T161] usb 1-1: New USB device found, idVendor=1d50, idProduct=60c6, bcdDevice=1a.d7
[ 37.423965][ T161] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 37.577557][ T17] usb 2-1: string descriptor 0 read error: -71
[ 37.598845][ T17] usb 2-1: USB disconnect, device number 3
[ 37.707515][ T161] usb 1-1: string descriptor 0 read error: -71
[ 37.728598][ T161] usb 1-1: USB disconnect, device number 3
2020/05/06 10:20:49 executed programs: 6
2020/05/06 10:20:55 executed programs: 18
[ 46.503741][ T101] usb 6-1: new high-speed USB device number 3 using dummy_hcd
[ 46.743597][ T101] usb 6-1: Using ep0 maxpacket: 16
[ 46.863757][ T101] usb 6-1: config index 0 descriptor too short (expected 8475, got 27)
[ 46.872378][ T101] usb 6-1: config 12 has too many interfaces: 208, using maximum allowed: 32
[ 46.881293][ T101] usb 6-1: config 12 has 1 interface, different from the descriptor's value: 208
[ 46.891746][ T101] usb 6-1: config 12 interface 0 altsetting 0 bulk endpoint 0x8F has invalid maxpacket 73
[ 46.903777][ T101] usb 6-1: New USB device found, idVendor=1d50, idProduct=60c6, bcdDevice=1a.d7
[ 46.912801][ T101] usb 6-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 47.103604][ T101] usb 6-1: string descriptor 0 read error: -71
[ 47.126564][ T101] usb 6-1: USB disconnect, device number 3
[ 47.483387][ T101] usb 6-1: new high-speed USB device number 4 using dummy_hcd
[ 47.723298][ T101] usb 6-1: Using ep0 maxpacket: 16
[ 47.843398][ T101] usb 6-1: config index 0 descriptor too short (expected 8475, got 27)
[ 47.851674][ T101] usb 6-1: config 12 has too many interfaces: 208, using maximum allowed: 32
[ 47.860516][ T101] usb 6-1: config 12 has 1 interface, different from the descriptor's value: 208
[ 47.870835][ T101] usb 6-1: config 12 interface 0 altsetting 0 bulk endpoint 0x8F has invalid maxpacket 73
[ 47.881029][ T101] usb 6-1: New USB device found, idVendor=1d50, idProduct=60c6, bcdDevice=1a.d7
[ 47.890133][ T101] usb 6-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 48.183246][ T101] usb 6-1: string descriptor 0 read error: -71
[ 48.214392][ T101] usb 6-1: USB disconnect, device number 4
[ 48.220711][ T101] ==================================================================
[ 48.228857][ T101] BUG: KASAN: use-after-free in refcount_inc_not_zero_checked+0x72/0x1e0
[ 48.237985][ T101] Read of size 4 at addr ffff8881ce51c820 by task kworker/0:2/101
[ 48.246654][ T101]
[ 48.248986][ T101] CPU: 0 PID: 101 Comm: kworker/0:2 Not tainted 5.4.0-rc5-syzkaller #0
[ 48.257394][ T101] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.267548][ T101] Workqueue: usb_hub_wq hub_event
[ 48.272556][ T101] Call Trace:
[ 48.275830][ T101] dump_stack+0xca/0x13e
[ 48.280052][ T101] ? refcount_inc_not_zero_checked+0x72/0x1e0
[ 48.286120][ T101] ? refcount_inc_not_zero_checked+0x72/0x1e0
[ 48.292763][ T101] print_address_description.constprop.0+0x36/0x50
[ 48.299353][ T101] ? refcount_inc_not_zero_checked+0x72/0x1e0
[ 48.305436][ T101] ? refcount_inc_not_zero_checked+0x72/0x1e0
[ 48.311493][ T101] __kasan_report.cold+0x1a/0x33
[ 48.316418][ T101] ? refcount_inc_not_zero_checked+0x72/0x1e0
[ 48.322459][ T101] kasan_report+0xe/0x20
[ 48.327305][ T101] check_memory_region+0x128/0x190
[ 48.332578][ T101] refcount_inc_not_zero_checked+0x72/0x1e0
[ 48.341077][ T101] ? refcount_dec_and_mutex_lock+0x80/0x80
[ 48.346874][ T101] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 48.352431][ T101] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 48.357704][ T101] refcount_inc_checked+0x12/0x60
[ 48.362734][ T101] kthread_stop+0x6c/0x610
[ 48.367670][ T101] hwrng_unregister+0x190/0x210
[ 48.373285][ T101] chaoskey_disconnect+0x1bc/0x240
[ 48.378482][ T101] usb_unbind_interface+0x1bd/0x8a0
[ 48.383951][ T101] ? usb_autoresume_device+0x60/0x60
[ 48.391344][ T101] device_release_driver_internal+0x42f/0x500
[ 48.399451][ T101] bus_remove_device+0x2dc/0x4a0
[ 48.404930][ T101] device_del+0x420/0xb20
[ 48.409656][ T101] ? __device_link_del+0x2f0/0x2f0
[ 48.415530][ T101] ? usb_remove_ep_devs+0x3e/0x80
[ 48.420991][ T101] ? remove_intf_ep_devs+0x13f/0x1d0
[ 48.427160][ T101] usb_disable_device+0x211/0x690
[ 48.432316][ T101] usb_disconnect+0x284/0x8d0
[ 48.437072][ T101] hub_event+0x16f2/0x3800
[ 48.441502][ T101] ? hub_port_debounce+0x260/0x260
[ 48.447561][ T101] ? find_held_lock+0x2d/0x110
[ 48.452590][ T101] ? mark_held_locks+0xe0/0xe0
[ 48.458112][ T101] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 48.463853][ T101] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 48.469137][ T101] process_one_work+0x92b/0x1530
[ 48.474235][ T101] ? pwq_dec_nr_in_flight+0x310/0x310
[ 48.479622][ T101] ? do_raw_spin_lock+0x11a/0x280
[ 48.485714][ T101] worker_thread+0x7ab/0xe20
[ 48.490284][ T101] ? process_one_work+0x1530/0x1530
[ 48.495847][ T101] kthread+0x318/0x420
[ 48.499897][ T101] ? kthread_create_on_node+0xf0/0xf0
[ 48.505408][ T101] ret_from_fork+0x24/0x30
[ 48.509807][ T101]
[ 48.512146][ T101] Allocated by task 2:
[ 48.516237][ T101] save_stack+0x1b/0x80
[ 48.520372][ T101] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 48.525999][ T101] kmem_cache_alloc_node+0xdc/0x310
[ 48.531209][ T101] copy_process+0x4201/0x6470
[ 48.536043][ T101] _do_fork+0x129/0xec0
[ 48.540186][ T101] kernel_thread+0xaa/0xe0
[ 48.545719][ T101] kthreadd+0x4a2/0x680
[ 48.549956][ T101] ret_from_fork+0x24/0x30
[ 48.554355][ T101]
[ 48.556677][ T101] Freed by task 149:
[ 48.561595][ T101] save_stack+0x1b/0x80
[ 48.565749][ T101] __kasan_slab_free+0x130/0x180
[ 48.570764][ T101] kmem_cache_free+0xb9/0x380
[ 48.575434][ T101] __put_task_struct+0x1e2/0x4c0
[ 48.580374][ T101] delayed_put_task_struct+0x1b4/0x2c0
[ 48.585811][ T101] rcu_core+0x630/0x1ca0
[ 48.590050][ T101] __do_softirq+0x221/0x912
[ 48.594529][ T101]
[ 48.596864][ T101] The buggy address belongs to the object at ffff8881ce51c800
[ 48.596864][ T101] which belongs to the cache task_struct of size 5888
[ 48.610995][ T101] The buggy address is located 32 bytes inside of
[ 48.610995][ T101] 5888-byte region [ffff8881ce51c800, ffff8881ce51df00)
[ 48.624240][ T101] The buggy address belongs to the page:
[ 48.629940][ T101] page:ffffea0007394600 refcount:1 mapcount:0 mapping:ffff8881da116000 index:0x0 compound_mapcount: 0
[ 48.641302][ T101] flags: 0x200000000010200(slab|head)
[ 48.646654][ T101] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da116000
[ 48.655245][ T101] raw: 0000000000000000 0000000000050005 00000001ffffffff 0000000000000000
[ 48.663809][ T101] page dumped because: kasan: bad access detected
[ 48.670208][ T101]
[ 48.672521][ T101] Memory state around the buggy address:
[ 48.678150][ T101] ffff8881ce51c700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 48.686375][ T101] ffff8881ce51c780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 48.694590][ T101] >ffff8881ce51c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.702736][ T101] ^
[ 48.708890][ T101] ffff8881ce51c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.717132][ T101] ffff8881ce51c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.725976][ T101] ==================================================================
[ 48.734552][ T101] Disabling lock debugging due to kernel taint
[ 48.740781][ T101] Kernel panic - not syncing: panic_on_warn set ...
[ 48.747378][ T101] CPU: 0 PID: 101 Comm: kworker/0:2 Tainted: G B 5.4.0-rc5-syzkaller #0
[ 48.757354][ T101] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.767758][ T101] Workqueue: usb_hub_wq hub_event
[ 48.773033][ T101] Call Trace:
[ 48.776322][ T101] dump_stack+0xca/0x13e
[ 48.780559][ T101] panic+0x2aa/0x6e1
[ 48.785341][ T101] ? add_taint.cold+0x16/0x16
[ 48.790380][ T101] ? refcount_inc_not_zero_checked+0x72/0x1e0
[ 48.796708][ T101] ? trace_hardirqs_on+0x55/0x1e0
[ 48.801745][ T101] ? refcount_inc_not_zero_checked+0x72/0x1e0
[ 48.808492][ T101] end_report+0x43/0x49
[ 48.812642][ T101] ? refcount_inc_not_zero_checked+0x72/0x1e0
[ 48.818684][ T101] __kasan_report.cold+0xd/0x33
[ 48.823516][ T101] ? refcount_inc_not_zero_checked+0x72/0x1e0
[ 48.829558][ T101] kasan_report+0xe/0x20
[ 48.833796][ T101] check_memory_region+0x128/0x190
[ 48.838895][ T101] refcount_inc_not_zero_checked+0x72/0x1e0
[ 48.844867][ T101] ? refcount_dec_and_mutex_lock+0x80/0x80
[ 48.850877][ T101] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 48.856408][ T101] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 48.861685][ T101] refcount_inc_checked+0x12/0x60
[ 48.866701][ T101] kthread_stop+0x6c/0x610
[ 48.871114][ T101] hwrng_unregister+0x190/0x210
[ 48.876551][ T101] chaoskey_disconnect+0x1bc/0x240
[ 48.881638][ T101] usb_unbind_interface+0x1bd/0x8a0
[ 48.886809][ T101] ? usb_autoresume_device+0x60/0x60
[ 48.892613][ T101] device_release_driver_internal+0x42f/0x500
[ 48.898944][ T101] bus_remove_device+0x2dc/0x4a0
[ 48.904658][ T101] device_del+0x420/0xb20
[ 48.908977][ T101] ? __device_link_del+0x2f0/0x2f0
[ 48.914063][ T101] ? usb_remove_ep_devs+0x3e/0x80
[ 48.919060][ T101] ? remove_intf_ep_devs+0x13f/0x1d0
[ 48.924320][ T101] usb_disable_device+0x211/0x690
[ 48.929336][ T101] usb_disconnect+0x284/0x8d0
[ 48.934727][ T101] hub_event+0x16f2/0x3800
[ 48.939263][ T101] ? hub_port_debounce+0x260/0x260
[ 48.944350][ T101] ? find_held_lock+0x2d/0x110
[ 48.949105][ T101] ? mark_held_locks+0xe0/0xe0
[ 48.953858][ T101] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 48.959404][ T101] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 48.965012][ T101] process_one_work+0x92b/0x1530
[ 48.970084][ T101] ? pwq_dec_nr_in_flight+0x310/0x310
[ 48.975700][ T101] ? do_raw_spin_lock+0x11a/0x280
[ 48.981165][ T101] worker_thread+0x7ab/0xe20
[ 48.986112][ T101] ? process_one_work+0x1530/0x1530
[ 48.991389][ T101] kthread+0x318/0x420
[ 48.996279][ T101] ? kthread_create_on_node+0xf0/0xf0
[ 49.004957][ T101] ret_from_fork+0x24/0x30
[ 49.010288][ T101] Kernel Offset: disabled
[ 49.014597][ T101] Rebooting in 86400 seconds..