[ OK ] Reached target Graphical Interface. Starting Update UTMP about System Runlevel Changes... Starting Load/Save RF Kill Switch Status... [ OK ] Started Update UTMP about System Runlevel Changes. [ OK ] Started Load/Save RF Kill Switch Status. Debian GNU/Linux 9 syzkaller ttyS0 Warning: Permanently added '10.128.1.56' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 66.488174][ T29] audit: type=1400 audit(1590187057.486:8): avc: denied { execmem } for pid=7166 comm="syz-executor020" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1 [ 66.518181][ T7167] IPVS: ftp: loaded support on port[0] = 21 [ 66.833837][ T5] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 67.073729][ T5] usb 1-1: Using ep0 maxpacket: 32 [ 67.194008][ T5] usb 1-1: config 0 interface 0 altsetting 0 has 0 endpoint descriptors, different from the interface descriptor's value: 1 [ 67.363882][ T5] usb 1-1: New USB device found, idVendor=17e9, idProduct=3f57, bcdDevice= 6.02 [ 67.372932][ T5] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 67.381858][ T5] usb 1-1: Product: syz [ 67.386748][ T5] usb 1-1: Manufacturer: syz [ 67.391325][ T5] usb 1-1: SerialNumber: syz [ 67.403963][ T5] usb 1-1: config 0 descriptor?? [ 67.706314][ T5] ================================================================== [ 67.706318][ T5] BUG: KASAN: slab-out-of-bounds in hex_string+0x439/0x4c0 [ 67.706321][ T5] Read of size 1 at addr ffff8880a202da1b by task kworker/0:0/5 [ 67.706323][ T5] [ 67.706326][ T5] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.7.0-rc6-syzkaller #0 [ 67.706330][ T5] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 67.706332][ T5] Workqueue: usb_hub_wq hub_event [ 67.706337][ T5] Call Trace: [ 67.706339][ T5] dump_stack+0x188/0x20d [ 67.706342][ T5] print_address_description.constprop.0.cold+0xd3/0x413 [ 67.706344][ T5] ? update_sd_lb_stats.constprop.0+0x2680/0x2680 [ 67.706346][ T5] ? vprintk_func+0x81/0x17e [ 67.706348][ T5] ? hex_string+0x439/0x4c0 [ 67.706350][ T5] __kasan_report.cold+0x20/0x38 [ 67.706352][ T5] ? hex_string+0x439/0x4c0 [ 67.706354][ T5] ? hex_string+0x439/0x4c0 [ 67.706356][ T5] kasan_report+0x33/0x50 [ 67.706358][ T5] hex_string+0x439/0x4c0 [ 67.706360][ T5] ? check_pointer+0x210/0x210 [ 67.706361][ T5] ? number+0x82a/0xb00 [ 67.706363][ T5] ? check_irq_usage+0x165/0xbe0 [ 67.706365][ T5] pointer+0x346/0x7c0 [ 67.706367][ T5] ? file_dentry_name+0x120/0x120 [ 67.706370][ T5] ? check_usage_forwards+0x4e0/0x4e0 [ 67.706371][ T5] ? __bfs+0x76/0x520 [ 67.706373][ T5] vsnprintf+0x5ac/0x14f0 [ 67.706375][ T5] ? pointer+0x7c0/0x7c0 [ 67.706377][ T5] ? set_precision+0x170/0x170 [ 67.706379][ T5] va_format.isra.0+0x129/0x1b0 [ 67.706381][ T5] ? vsnprintf+0x14f0/0x14f0 [ 67.706388][ T5] ? string_nocheck+0x1a9/0x220 [ 67.706390][ T5] ? widen_string+0x2a0/0x2a0 [ 67.706392][ T5] pointer+0x534/0x7c0 [ 67.706394][ T5] ? file_dentry_name+0x120/0x120 [ 67.706396][ T5] ? hex_string+0x4c0/0x4c0 [ 67.706398][ T5] vsnprintf+0x5ac/0x14f0 [ 67.706399][ T5] ? pointer+0x7c0/0x7c0 [ 67.706401][ T5] ? lock_release+0x800/0x800 [ 67.706403][ T5] vscnprintf+0x29/0x80 [ 67.706405][ T5] vprintk_store+0x40/0x4b0 [ 67.706407][ T5] vprintk_emit+0x139/0x730 [ 67.706409][ T5] dev_vprintk_emit+0x4fc/0x541 [ 67.706411][ T5] ? dev_attr_show.cold+0x3a/0x3a [ 67.706413][ T5] ? device_add+0x132d/0x1c10 [ 67.706415][ T5] ? dev_vprintk_emit+0x329/0x541 [ 67.706417][ T5] ? __device_attach_driver+0x1c2/0x220 [ 67.706419][ T5] ? bus_for_each_drv+0x162/0x1e0 [ 67.706421][ T5] ? __device_attach+0x21a/0x360 [ 67.706424][ T5] ? bus_probe_device+0x1e4/0x290 [ 67.706425][ T5] ? device_add+0x132d/0x1c10 [ 67.706428][ T5] ? usb_new_device.cold+0x701/0xfcf [ 67.706430][ T5] ? hub_event+0x1eca/0x38f0 [ 67.706432][ T5] ? process_one_work+0x965/0x16a0 [ 67.706434][ T5] ? worker_thread+0x96/0xe20 [ 67.706435][ T5] ? kthread+0x388/0x470 [ 67.706437][ T5] ? ret_from_fork+0x24/0x30 [ 67.706439][ T5] ? lock_downgrade+0x840/0x840 [ 67.706441][ T5] ? mark_lock+0x12b/0xf10 [ 67.706443][ T5] dev_printk_emit+0xba/0xf1 [ 67.706446][ T5] ? dev_vprintk_emit+0x541/0x541 [ 67.706447][ T5] ? kfree+0x1eb/0x2b0 [ 67.706449][ T5] __dev_printk+0x1db/0x203 [ 67.706451][ T5] _dev_info+0xd7/0x109 [ 67.706453][ T5] ? _dev_notice+0x109/0x109 [ 67.706456][ T5] ? __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 67.706458][ T5] ? usb_get_descriptor+0xcd/0x1b0 [ 67.706460][ T5] ? usb_get_descriptor+0x13d/0x1b0 [ 67.706462][ T5] ? __usb_get_extra_descriptor+0x15d/0x1a0 [ 67.706464][ T5] dlfb_usb_probe.cold+0x103c/0x1cae [ 67.706466][ T5] ? mark_held_locks+0x9f/0xe0 [ 67.706469][ T5] ? _raw_spin_unlock_irqrestore+0x62/0xe0 [ 67.706471][ T5] ? lockdep_hardirqs_on+0x463/0x620 [ 67.706474][ T5] ? _raw_spin_unlock_irqrestore+0x9b/0xe0 [ 67.706476][ T5] ? __pm_runtime_set_status+0x5d5/0xa10 [ 67.706478][ T5] ? dlfb_ops_open+0x280/0x280 [ 67.706480][ T5] ? _raw_spin_unlock_irqrestore+0x9b/0xe0 [ 67.706485][ T5] ? __pm_runtime_resume+0x111/0x170 [ 67.706488][ T5] usb_probe_interface+0x305/0x7a0 [ 67.706490][ T5] ? usb_probe_device+0x1f0/0x1f0 [ 67.706492][ T5] really_probe+0x281/0x6d0 [ 67.706494][ T5] driver_probe_device+0x104/0x210 [ 67.706496][ T5] __device_attach_driver+0x1c2/0x220 [ 67.706499][ T5] ? driver_allows_async_probing+0x170/0x170 [ 67.706501][ T5] bus_for_each_drv+0x162/0x1e0 [ 67.706503][ T5] ? bus_rescan_devices+0x20/0x20 [ 67.706505][ T5] ? _raw_spin_unlock_irqrestore+0x62/0xe0 [ 67.706507][ T5] ? lockdep_hardirqs_on+0x463/0x620 [ 67.706510][ T5] ? _raw_spin_unlock_irqrestore+0x9b/0xe0 [ 67.706512][ T5] __device_attach+0x21a/0x360 [ 67.706514][ T5] ? device_bind_driver+0xd0/0xd0 [ 67.706516][ T5] bus_probe_device+0x1e4/0x290 [ 67.706518][ T5] device_add+0x132d/0x1c10 [ 67.706520][ T5] ? wait_for_completion+0x270/0x270 [ 67.706522][ T5] ? uevent_show+0x360/0x360 [ 67.706524][ T5] ? _raw_spin_unlock_irqrestore+0x62/0xe0 [ 67.706526][ T5] usb_set_configuration+0xec5/0x1740 [ 67.706529][ T5] usb_generic_driver_probe+0x9d/0xe0 [ 67.706532][ T5] usb_probe_device+0xc6/0x1f0 [ 67.706534][ T5] ? usb_suspend+0x630/0x630 [ 67.706536][ T5] really_probe+0x281/0x6d0 [ 67.706538][ T5] driver_probe_device+0x104/0x210 [ 67.706541][ T5] __device_attach_driver+0x1c2/0x220 [ 67.706543][ T5] ? driver_allows_async_probing+0x170/0x170 [ 67.706545][ T5] bus_for_each_drv+0x162/0x1e0 [ 67.706547][ T5] ? bus_rescan_devices+0x20/0x20 [ 67.706549][ T5] ? _raw_spin_unlock_irqrestore+0x62/0xe0 [ 67.706552][ T5] ? lockdep_hardirqs_on+0x463/0x620 [ 67.706556][ T5] ? _raw_spin_unlock_irqrestore+0x9b/0xe0 [ 67.706558][ T5] __device_attach+0x21a/0x360 [ 67.706560][ T5] ? device_bind_driver+0xd0/0xd0 [ 67.706562][ T5] bus_probe_device+0x1e4/0x290 [ 67.706564][ T5] device_add+0x132d/0x1c10 [ 67.706566][ T5] ? uevent_show+0x360/0x360 [ 67.706568][ T5] ? usb_cache_string+0xcd/0x110 [ 67.706570][ T5] ? lockdep_hardirqs_on+0x463/0x620 [ 67.706572][ T5] usb_new_device.cold+0x701/0xfcf [ 67.706574][ T5] ? hub_disconnect+0x4a0/0x4a0 [ 67.706576][ T5] ? mark_held_locks+0x9f/0xe0 [ 67.706578][ T5] ? _raw_spin_unlock_irq+0x1f/0x80 [ 67.706580][ T5] hub_event+0x1eca/0x38f0 [ 67.706582][ T5] ? hub_port_debounce+0x260/0x260 [ 67.706585][ T5] ? perf_trace_workqueue_execute_end+0x201/0x420 [ 67.706587][ T5] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 67.706590][ T5] ? rcu_read_lock_any_held.part.0+0x50/0x50 [ 67.706592][ T5] ? _raw_spin_unlock_irq+0x1f/0x80 [ 67.706594][ T5] process_one_work+0x965/0x16a0 [ 67.706596][ T5] ? lock_release+0x800/0x800 [ 67.706598][ T5] ? pwq_dec_nr_in_flight+0x310/0x310 [ 67.706600][ T5] ? rwlock_bug.part.0+0x90/0x90 [ 67.706602][ T5] worker_thread+0x96/0xe20 [ 67.706604][ T5] ? process_one_work+0x16a0/0x16a0 [ 67.706606][ T5] kthread+0x388/0x470 [ 67.706608][ T5] ? kthread_mod_delayed_work+0x1a0/0x1a0 [ 67.706610][ T5] ret_from_fork+0x24/0x30 [ 67.706612][ T5] [ 67.706613][ T5] Allocated by task 5: [ 67.706615][ T5] save_stack+0x1b/0x40 [ 67.706618][ T5] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 67.706619][ T5] __kmalloc+0x161/0x7a0 [ 67.706622][ T5] usb_get_configuration+0x311/0x3890 [ 67.706624][ T5] usb_new_device+0x387/0x670 [ 67.706626][ T5] hub_event+0x1eca/0x38f0 [ 67.706628][ T5] process_one_work+0x965/0x16a0 [ 67.706629][ T5] worker_thread+0x96/0xe20 [ 67.706631][ T5] kthread+0x388/0x470 [ 67.706633][ T5] ret_from_fork+0x24/0x30 [ 67.706634][ T5] [ 67.706636][ T5] Freed by task 4242: [ 67.706638][ T5] save_stack+0x1b/0x40 [ 67.706640][ T5] __kasan_slab_free+0xf7/0x140 [ 67.706642][ T5] kfree+0x109/0x2b0 [ 67.706644][ T5] kernfs_fop_write+0x300/0x490 [ 67.706646][ T5] __vfs_write+0x76/0x100 [ 67.706648][ T5] vfs_write+0x268/0x5d0 [ 67.706653][ T5] ksys_write+0x12d/0x250 [ 67.706655][ T5] do_syscall_64+0xf6/0x7d0 [ 67.706658][ T5] entry_SYSCALL_64_after_hwframe+0x49/0xb3 [ 67.706659][ T5] [ 67.706662][ T5] The buggy address belongs to the object at ffff8880a202da00 [ 67.706666][ T5] which belongs to the cache kmalloc-32 of size 32 [ 67.706669][ T5] The buggy address is located 27 bytes inside of [ 67.706672][ T5] 32-byte region [ffff8880a202da00, ffff8880a202da20) [ 67.706674][ T5] The buggy address belongs to the page: [ 67.706679][ T5] page:ffffea0002880b40 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a202dfc1 [ 67.706681][ T5] flags: 0xfffe0000000200(slab) [ 67.706684][ T5] raw: 00fffe0000000200 ffffea0002766188 ffff8880aa001240 ffff8880aa0001c0 [ 67.706688][ T5] raw: ffff8880a202dfc1 ffff8880a202d000 0000000100000027 0000000000000000 [ 67.706690][ T5] page dumped because: kasan: bad access detected [ 67.706692][ T5] [ 67.706694][ T5] Memory state around the buggy address: [ 67.706698][ T5] ffff8880a202d900: fb fb fb fb fc fc fc fc 06 fc fc fc fc fc fc fc [ 67.706701][ T5] ffff8880a202d980: 06 fc fc fc fc fc fc fc 06 fc fc fc fc fc fc fc [ 67.706704][ T5] >ffff8880a202da00: 00 00 00 03 fc fc fc fc fb fb fb fb fc fc fc fc [ 67.706706][ T5] ^ [ 67.706710][ T5] ffff8880a202da80: 05 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc [ 67.706713][ T5] ffff8880a202db00: 06 fc fc fc fc fc fc fc 06 fc fc fc fc fc fc fc [ 67.706716][ T5] ================================================================== [ 67.706719][ T5] Disabling lock debugging due to kernel taint [ 67.706722][ T5] Kernel panic - not syncing: panic_on_warn set ... [ 67.706725][ T5] CPU: 0 PID: 5 Comm: kworker/0:0 Tainted: G B 5.7.0-rc6-syzkaller #0 [ 67.706729][ T5] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 67.706731][ T5] Workqueue: usb_hub_wq hub_event [ 67.706734][ T5] Call Trace: [ 67.706736][ T5] dump_stack+0x188/0x20d [ 67.706737][ T5] panic+0x2e3/0x75c [ 67.706739][ T5] ? add_taint.cold+0x16/0x16 [ 67.706742][ T5] ? trace_hardirqs_off+0x50/0x220 [ 67.706743][ T5] ? hex_string+0x439/0x4c0 [ 67.706745][ T5] end_report+0x4d/0x53 [ 67.706747][ T5] __kasan_report.cold+0xd/0x38 [ 67.706749][ T5] ? hex_string+0x439/0x4c0 [ 67.706751][ T5] ? hex_string+0x439/0x4c0 [ 67.706753][ T5] kasan_report+0x33/0x50 [ 67.706755][ T5] hex_string+0x439/0x4c0 [ 67.706757][ T5] ? check_pointer+0x210/0x210 [ 67.706758][ T5] ? number+0x82a/0xb00 [ 67.706761][ T5] ? check_irq_usage+0x165/0xbe0 [ 67.706762][ T5] pointer+0x346/0x7c0 [ 67.706764][ T5] ? file_dentry_name+0x120/0x120 [ 67.706767][ T5] ? check_usage_forwards+0x4e0/0x4e0 [ 67.706768][ T5] ? __bfs+0x76/0x520 [ 67.706770][ T5] vsnprintf+0x5ac/0x14f0 [ 67.706772][ T5] ? pointer+0x7c0/0x7c0 [ 67.706774][ T5] ? set_precision+0x170/0x170 [ 67.706776][ T5] va_format.isra.0+0x129/0x1b0 [ 67.706778][ T5] ? vsnprintf+0x14f0/0x14f0 [ 67.706780][ T5] ? string_nocheck+0x1a9/0x220 [ 67.706782][ T5] ? widen_string+0x2a0/0x2a0 [ 67.706784][ T5] pointer+0x534/0x7c0 [ 67.706786][ T5] ? file_dentry_name+0x120/0x120 [ 67.706787][ T5] ? hex_string+0x4c0/0x4c0 [ 67.706789][ T5] vsnprintf+0x5ac/0x14f0 [ 67.706791][ T5] ? pointer+0x7c0/0x7c0 [ 67.706793][ T5] ? lock_release+0x800/0x800 [ 67.706795][ T5] vscnprintf+0x29/0x80 [ 67.706797][ T5] vprintk_store+0x40/0x4b0 [ 67.706799][ T5] vprintk_emit+0x139/0x730 [ 67.706801][ T5] dev_vprintk_emit+0x4fc/0x541 [ 67.706803][ T5] ? dev_attr_show.cold+0x3a/0x3a [ 67.706805][ T5] ? device_add+0x132d/0x1c10 [ 67.706807][ T5] ? dev_vprintk_emit+0x329/0x541 [ 67.706809][ T5] ? __device_attach_driver+0x1c2/0x220 [ 67.706811][ T5] ? bus_for_each_drv+0x162/0x1e0 [ 67.706813][ T5] ? __device_attach+0x21a/0x360 [ 67.706815][ T5] ? bus_probe_device+0x1e4/0x290 [ 67.706817][ T5] ? device_add+0x132d/0x1c10 [ 67.706820][ T5] ? usb_new_device.cold+0x701/0xfcf [ 67.706821][ T5] ? hub_event+0x1eca/0x38f0 [ 67.706824][ T5] ? process_one_work+0x965/0x16a0 [ 67.706826][ T5] ? worker_thread+0x96/0xe20 [ 67.706827][ T5] ? kthread+0x388/0x470 [ 67.706829][ T5] ? ret_from_fork+0x24/0x30 [ 67.706831][ T5] ? lock_downgrade+0x840/0x840 [ 67.706833][ T5] ? mark_lock+0x12b/0xf10 [ 67.706835][ T5] dev_printk_emit+0xba/0xf1 [ 67.706837][ T5] ? dev_vprintk_emit+0x541/0x541 [ 67.706839][ T5] ? kfree+0x1eb/0x2b0 [ 67.706841][ T5] __dev_printk+0x1db/0x203 [ 67.706843][ T5] _dev_info+0xd7/0x109 [ 67.706845][ T5] ? _dev_notice+0x109/0x109 [ 67.706847][ T5] ? __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 67.706849][ T5] ? usb_get_descriptor+0xcd/0x1b0 [ 67.706851][ T5] ? usb_get_descriptor+0x13d/0x1b0 [ 67.706854][ T5] ? __usb_get_extra_descriptor+0x15d/0x1a0 [ 67.706856][ T5] dlfb_usb_probe.cold+0x103c/0x1cae [ 67.706858][ T5] ? mark_held_locks+0x9f/0xe0 [ 67.706860][ T5] ? _raw_spin_unlock_irqrestore+0x62/0xe0 [ 67.706863][ T5] ? lockdep_hardirqs_on+0x463/0x620 [ 67.706864][ T5] ? _raw_spin_ [ 67.706868][ T5] Lost 62 message(s)!