[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 28.613610][ T1819] can: request_module (can-proto-0) failed.
[ 29.113966][ T1819] can: request_module (can-proto-0) failed.
[ 29.123880][ T1819] can: request_module (can-proto-7) failed.
[ 29.134221][ T1819] can: request_module (can-proto-0) failed.
Warning: Permanently added '10.128.1.30' (ECDSA) to the list of known hosts.
2020/02/10 15:50:35 parsed 1 programs
2020/02/10 15:50:35 executed programs: 0
[ 36.230329][ T1946] cgroup1: Unknown subsys name 'perf_event'
[ 36.233031][ T1948] cgroup1: Unknown subsys name 'perf_event'
[ 36.236814][ T1946] cgroup1: Unknown subsys name 'net_cls'
[ 36.243630][ T1949] cgroup1: Unknown subsys name 'perf_event'
[ 36.255659][ T1953] cgroup1: Unknown subsys name 'perf_event'
[ 36.256113][ T1951] cgroup1: Unknown subsys name 'perf_event'
[ 36.264593][ T1954] cgroup1: Unknown subsys name 'perf_event'
[ 36.269493][ T1948] cgroup1: Unknown subsys name 'net_cls'
[ 36.275179][ T1953] cgroup1: Unknown subsys name 'net_cls'
[ 36.281340][ T1949] cgroup1: Unknown subsys name 'net_cls'
[ 36.292702][ T1951] cgroup1: Unknown subsys name 'net_cls'
[ 36.296509][ T1954] cgroup1: Unknown subsys name 'net_cls'
[ 45.128903][ T95] usb 2-1: new high-speed USB device number 2 using dummy_hcd
[ 45.329046][ T12] usb 3-1: new high-speed USB device number 2 using dummy_hcd
[ 45.369048][ T95] usb 2-1: Using ep0 maxpacket: 8
[ 45.488868][ T62] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 45.488947][ T4449] usb 4-1: new high-speed USB device number 2 using dummy_hcd
[ 45.503991][ T95] usb 2-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config
[ 45.514366][ T95] usb 2-1: New USB device found, idVendor=0bd3, idProduct=0555, bcdDevice=69.6a
[ 45.523420][ T95] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 45.532971][ T95] usb 2-1: config 0 descriptor??
[ 45.578866][ T12] usb 3-1: Using ep0 maxpacket: 8
[ 45.618930][ T4499] usb 6-1: new high-speed USB device number 2 using dummy_hcd
[ 45.628882][ T5] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 45.699019][ T12] usb 3-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config
[ 45.709274][ T12] usb 3-1: New USB device found, idVendor=0bd3, idProduct=0555, bcdDevice=69.6a
[ 45.718326][ T12] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 45.729566][ T12] usb 3-1: config 0 descriptor??
[ 45.739152][ T62] usb 5-1: Using ep0 maxpacket: 8
[ 45.748983][ T4449] usb 4-1: Using ep0 maxpacket: 8
[ 45.809048][ T95] usb 2-1: string descriptor 0 read error: -71
[ 45.815376][ T95] uvcvideo: Found UVC 0.00 device (0bd3:0555)
[ 45.823044][ T95] ==================================================================
[ 45.831211][ T95] BUG: KASAN: use-after-free in uvc_probe.cold+0x2193/0x29fe
[ 45.838569][ T95] Read of size 2 at addr ffff8881d933182e by task kworker/0:2/95
[ 45.846273][ T95]
[ 45.848607][ T95] CPU: 0 PID: 95 Comm: kworker/0:2 Not tainted 5.5.0-rc3-syzkaller #0
[ 45.856738][ T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.866780][ T95] Workqueue: usb_hub_wq hub_event
[ 45.871780][ T95] Call Trace:
[ 45.875064][ T95] dump_stack+0xef/0x16e
[ 45.879305][ T95] ? uvc_probe.cold+0x2193/0x29fe
[ 45.884307][ T95] ? uvc_probe.cold+0x2193/0x29fe
[ 45.889309][ T95] print_address_description.constprop.0.cold+0xd3/0x314
[ 45.896308][ T95] ? uvc_probe.cold+0x2193/0x29fe
[ 45.901307][ T95] ? uvc_probe.cold+0x2193/0x29fe
[ 45.906309][ T95] __kasan_report.cold+0x37/0x85
[ 45.911224][ T95] ? uvc_probe.cold+0x2193/0x29fe
[ 45.916230][ T95] kasan_report+0xe/0x20
[ 45.920466][ T95] uvc_probe.cold+0x2193/0x29fe
[ 45.925296][ T95] ? mark_lock+0xbc/0x1160
[ 45.929703][ T95] ? mark_lock+0xbc/0x1160
[ 45.934116][ T95] ? mark_held_locks+0x9f/0xe0
[ 45.938876][ T95] ? usb_probe_interface+0x310/0x800
[ 45.944148][ T95] usb_probe_interface+0x310/0x800
[ 45.949256][ T95] ? usb_probe_device+0x140/0x140
[ 45.954263][ T95] really_probe+0x290/0xad0
[ 45.958747][ T95] driver_probe_device+0x223/0x350
[ 45.963846][ T95] __device_attach_driver+0x1d1/0x290
[ 45.969203][ T95] ? driver_allows_async_probing+0x160/0x160
[ 45.975160][ T95] bus_for_each_drv+0x162/0x1e0
[ 45.979994][ T95] ? bus_rescan_devices+0x20/0x20
[ 45.984997][ T95] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 45.990811][ T95] ? lockdep_hardirqs_on+0x382/0x580
[ 45.996084][ T95] __device_attach+0x217/0x390
[ 46.000844][ T95] ? device_bind_driver+0xd0/0xd0
[ 46.005855][ T95] bus_probe_device+0x1e4/0x290
[ 46.010695][ T95] device_add+0x1459/0x1bf0
[ 46.015186][ T95] ? wait_for_completion+0x3c0/0x3c0
[ 46.020456][ T95] ? device_link_remove+0x110/0x110
[ 46.025634][ T95] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 46.031436][ T95] usb_set_configuration+0xe47/0x17d0
[ 46.036803][ T95] generic_probe+0x9d/0xd5
[ 46.041207][ T95] usb_probe_device+0xaf/0x140
[ 46.045957][ T95] ? usb_suspend+0x5f0/0x5f0
[ 46.050531][ T95] really_probe+0x290/0xad0
[ 46.055014][ T95] driver_probe_device+0x223/0x350
[ 46.060110][ T95] __device_attach_driver+0x1d1/0x290
[ 46.065468][ T95] ? driver_allows_async_probing+0x160/0x160
[ 46.071444][ T95] bus_for_each_drv+0x162/0x1e0
[ 46.076279][ T95] ? bus_rescan_devices+0x20/0x20
[ 46.081302][ T95] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 46.087805][ T95] ? lockdep_hardirqs_on+0x382/0x580
[ 46.093087][ T95] __device_attach+0x217/0x390
[ 46.097952][ T95] ? device_bind_driver+0xd0/0xd0
[ 46.103194][ T95] bus_probe_device+0x1e4/0x290
[ 46.108075][ T95] device_add+0x1459/0x1bf0
[ 46.112586][ T95] ? device_link_remove+0x110/0x110
[ 46.117789][ T95] usb_new_device.cold+0x540/0xcd0
[ 46.122916][ T95] hub_event+0x21cb/0x4300
[ 46.127328][ T95] ? hub_port_debounce+0x350/0x350
[ 46.132427][ T95] ? find_held_lock+0x2d/0x110
[ 46.137186][ T95] ? mark_held_locks+0xe0/0xe0
[ 46.141963][ T95] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 46.147515][ T95] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 46.152803][ T95] process_one_work+0x945/0x15c0
[ 46.157756][ T95] ? pwq_dec_nr_in_flight+0x310/0x310
[ 46.163119][ T95] ? do_raw_spin_lock+0x129/0x290
[ 46.168137][ T95] worker_thread+0x96/0xe20
[ 46.172627][ T95] ? process_one_work+0x15c0/0x15c0
[ 46.177829][ T95] kthread+0x318/0x420
[ 46.181906][ T95] ? kthread_create_on_node+0xf0/0xf0
[ 46.187351][ T95] ret_from_fork+0x24/0x30
[ 46.191745][ T95]
[ 46.194077][ T95] Allocated by task 95:
[ 46.198568][ T95] save_stack+0x1b/0x80
[ 46.202776][ T95] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 46.208409][ T95] uvc_alloc_chain+0x48/0xfa
[ 46.212977][ T95] uvc_probe.cold+0x15f0/0x29fe
[ 46.217816][ T95] usb_probe_interface+0x310/0x800
[ 46.222914][ T95] really_probe+0x290/0xad0
[ 46.227507][ T95] driver_probe_device+0x223/0x350
[ 46.232631][ T95] __device_attach_driver+0x1d1/0x290
[ 46.238127][ T95] bus_for_each_drv+0x162/0x1e0
[ 46.243046][ T95] __device_attach+0x217/0x390
[ 46.247850][ T95] bus_probe_device+0x1e4/0x290
[ 46.252704][ T95] device_add+0x1459/0x1bf0
[ 46.257214][ T95] usb_set_configuration+0xe47/0x17d0
[ 46.262584][ T95] generic_probe+0x9d/0xd5
[ 46.266981][ T95] usb_probe_device+0xaf/0x140
[ 46.271791][ T95] really_probe+0x290/0xad0
[ 46.276307][ T95] driver_probe_device+0x223/0x350
[ 46.281417][ T95] __device_attach_driver+0x1d1/0x290
[ 46.286775][ T95] bus_for_each_drv+0x162/0x1e0
[ 46.291614][ T95] __device_attach+0x217/0x390
[ 46.296397][ T95] bus_probe_device+0x1e4/0x290
[ 46.301246][ T95] device_add+0x1459/0x1bf0
[ 46.305746][ T95] usb_new_device.cold+0x540/0xcd0
[ 46.310847][ T95] hub_event+0x21cb/0x4300
[ 46.315253][ T95] process_one_work+0x945/0x15c0
[ 46.320175][ T95] worker_thread+0x96/0xe20
[ 46.324718][ T95] kthread+0x318/0x420
[ 46.329234][ T95] ret_from_fork+0x24/0x30
[ 46.333713][ T95]
[ 46.336025][ T95] Freed by task 95:
[ 46.339835][ T95] save_stack+0x1b/0x80
[ 46.344932][ T95] __kasan_slab_free+0x117/0x160
[ 46.349850][ T95] kfree+0xd5/0x300
[ 46.353649][ T95] uvc_probe.cold+0x16fd/0x29fe
[ 46.358922][ T95] usb_probe_interface+0x310/0x800
[ 46.364081][ T95] really_probe+0x290/0xad0
[ 46.368571][ T95] driver_probe_device+0x223/0x350
[ 46.373672][ T95] __device_attach_driver+0x1d1/0x290
[ 46.379065][ T95] bus_for_each_drv+0x162/0x1e0
[ 46.383899][ T95] __device_attach+0x217/0x390
[ 46.388650][ T95] bus_probe_device+0x1e4/0x290
[ 46.393542][ T95] device_add+0x1459/0x1bf0
[ 46.398033][ T95] usb_set_configuration+0xe47/0x17d0
[ 46.403409][ T95] generic_probe+0x9d/0xd5
[ 46.407843][ T95] usb_probe_device+0xaf/0x140
[ 46.412592][ T95] really_probe+0x290/0xad0
[ 46.417100][ T95] driver_probe_device+0x223/0x350
[ 46.422209][ T95] __device_attach_driver+0x1d1/0x290
[ 46.427611][ T95] bus_for_each_drv+0x162/0x1e0
[ 46.432445][ T95] __device_attach+0x217/0x390
[ 46.437196][ T95] bus_probe_device+0x1e4/0x290
[ 46.442146][ T95] device_add+0x1459/0x1bf0
[ 46.446634][ T95] usb_new_device.cold+0x540/0xcd0
[ 46.451735][ T95] hub_event+0x21cb/0x4300
[ 46.456242][ T95] process_one_work+0x945/0x15c0
[ 46.461180][ T95] worker_thread+0x96/0xe20
[ 46.465674][ T95] kthread+0x318/0x420
[ 46.469744][ T95] ret_from_fork+0x24/0x30
[ 46.474155][ T95]
[ 46.476498][ T95] The buggy address belongs to the object at ffff8881d9331800
[ 46.476498][ T95] which belongs to the cache kmalloc-256 of size 256
[ 46.490547][ T95] The buggy address is located 46 bytes inside of
[ 46.490547][ T95] 256-byte region [ffff8881d9331800, ffff8881d9331900)
[ 46.503720][ T95] The buggy address belongs to the page:
[ 46.509407][ T95] page:ffffea000764cc00 refcount:1 mapcount:0 mapping:ffff8881da002780 index:0x0 compound_mapcount: 0
[ 46.520379][ T95] raw: 0200000000010200 ffffea0007648d80 0000000e0000000e ffff8881da002780
[ 46.528962][ T95] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 46.537639][ T95] page dumped because: kasan: bad access detected
[ 46.544033][ T95]
[ 46.546342][ T95] Memory state around the buggy address:
[ 46.551982][ T95] ffff8881d9331700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 46.560074][ T95] ffff8881d9331780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 46.568121][ T95] >ffff8881d9331800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.576220][ T95] ^
[ 46.581626][ T95] ffff8881d9331880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.589669][ T95] ffff8881d9331900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 46.597712][ T95] ==================================================================
[ 46.605767][ T95] Disabling lock debugging due to kernel taint
[ 46.612097][ T95] Kernel panic - not syncing: panic_on_warn set ...
[ 46.618679][ T95] CPU: 0 PID: 95 Comm: kworker/0:2 Tainted: G B 5.5.0-rc3-syzkaller #0
[ 46.628259][ T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.638304][ T95] Workqueue: usb_hub_wq hub_event
[ 46.643311][ T95] Call Trace:
[ 46.646590][ T95] dump_stack+0xef/0x16e
[ 46.651082][ T95] panic+0x2aa/0x6e1
[ 46.654963][ T95] ? add_taint.cold+0x16/0x16
[ 46.659622][ T95] ? retint_kernel+0x10/0x10
[ 46.664213][ T95] ? trace_hardirqs_on+0x55/0x200
[ 46.669229][ T95] ? uvc_probe.cold+0x2193/0x29fe
[ 46.674238][ T95] end_report+0x43/0x49
[ 46.678376][ T95] ? uvc_probe.cold+0x2193/0x29fe
[ 46.683381][ T95] __kasan_report.cold+0x55/0x85
[ 46.688297][ T95] ? uvc_probe.cold+0x2193/0x29fe
[ 46.693402][ T95] kasan_report+0xe/0x20
[ 46.697626][ T95] uvc_probe.cold+0x2193/0x29fe
[ 46.702502][ T95] ? mark_lock+0xbc/0x1160
[ 46.706900][ T95] ? mark_lock+0xbc/0x1160
[ 46.711292][ T95] ? mark_held_locks+0x9f/0xe0
[ 46.716048][ T95] ? usb_probe_interface+0x310/0x800
[ 46.721312][ T95] usb_probe_interface+0x310/0x800
[ 46.726523][ T95] ? usb_probe_device+0x140/0x140
[ 46.731574][ T95] really_probe+0x290/0xad0
[ 46.736056][ T95] driver_probe_device+0x223/0x350
[ 46.741144][ T95] __device_attach_driver+0x1d1/0x290
[ 46.746516][ T95] ? driver_allows_async_probing+0x160/0x160
[ 46.752482][ T95] bus_for_each_drv+0x162/0x1e0
[ 46.757319][ T95] ? bus_rescan_devices+0x20/0x20
[ 46.762322][ T95] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 46.768155][ T95] ? lockdep_hardirqs_on+0x382/0x580
[ 46.773462][ T95] __device_attach+0x217/0x390
[ 46.778214][ T95] ? device_bind_driver+0xd0/0xd0
[ 46.783224][ T95] bus_probe_device+0x1e4/0x290
[ 46.788055][ T95] device_add+0x1459/0x1bf0
[ 46.792644][ T95] ? wait_for_completion+0x3c0/0x3c0
[ 46.797910][ T95] ? device_link_remove+0x110/0x110
[ 46.803099][ T95] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 46.808978][ T95] usb_set_configuration+0xe47/0x17d0
[ 46.814346][ T95] generic_probe+0x9d/0xd5
[ 46.818750][ T95] usb_probe_device+0xaf/0x140
[ 46.823493][ T95] ? usb_suspend+0x5f0/0x5f0
[ 46.828064][ T95] really_probe+0x290/0xad0
[ 46.832549][ T95] driver_probe_device+0x223/0x350
[ 46.837646][ T95] __device_attach_driver+0x1d1/0x290
[ 46.843097][ T95] ? driver_allows_async_probing+0x160/0x160
[ 46.849063][ T95] bus_for_each_drv+0x162/0x1e0
[ 46.853942][ T95] ? bus_rescan_devices+0x20/0x20
[ 46.858948][ T95] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 46.864852][ T95] ? lockdep_hardirqs_on+0x382/0x580
[ 46.870147][ T95] __device_attach+0x217/0x390
[ 46.874892][ T95] ? device_bind_driver+0xd0/0xd0
[ 46.879900][ T95] bus_probe_device+0x1e4/0x290
[ 46.884731][ T95] device_add+0x1459/0x1bf0
[ 46.889246][ T95] ? device_link_remove+0x110/0x110
[ 46.894435][ T95] usb_new_device.cold+0x540/0xcd0
[ 46.899525][ T95] hub_event+0x21cb/0x4300
[ 46.903921][ T95] ? hub_port_debounce+0x350/0x350
[ 46.909015][ T95] ? find_held_lock+0x2d/0x110
[ 46.913800][ T95] ? mark_held_locks+0xe0/0xe0
[ 46.918551][ T95] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 46.924100][ T95] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 46.929415][ T95] process_one_work+0x945/0x15c0
[ 46.934336][ T95] ? pwq_dec_nr_in_flight+0x310/0x310
[ 46.939704][ T95] ? do_raw_spin_lock+0x129/0x290
[ 46.944721][ T95] worker_thread+0x96/0xe20
[ 46.949204][ T95] ? process_one_work+0x15c0/0x15c0
[ 46.954378][ T95] kthread+0x318/0x420
[ 46.958429][ T95] ? kthread_create_on_node+0xf0/0xf0
[ 46.963794][ T95] ret_from_fork+0x24/0x30
[ 46.969009][ T95] Kernel Offset: disabled
[ 46.973333][ T95] Rebooting in 86400 seconds..