INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.10.1' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 23.993118][ T12] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 24.233114][ T12] usb 1-1: Using ep0 maxpacket: 8
[ 24.353208][ T12] usb 1-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=dc.dc
[ 24.362320][ T12] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 24.371679][ T12] usb 1-1: config 0 descriptor??
[ 24.623195][ T12] asix 1-1:0.0 (unnamed net_device) (uninitialized): Failed to read MAC address: 0
[ 24.635837][ T12] asix 1-1:0.0 eth1: register 'asix' at usb-dummy_hcd.0-1, ASIX AX88172A USB 2.0 Ethernet, aa:77:f9:ef:c1:f8
executing program
[ 24.824831][ T12] usb 1-1: USB disconnect, device number 2
[ 24.831379][ T12] asix 1-1:0.0 eth1: unregister 'asix' usb-dummy_hcd.0-1, ASIX AX88172A USB 2.0 Ethernet
[ 24.893848][ T12] ==================================================================
[ 24.902010][ T12] BUG: KASAN: use-after-free in ax88172a_unbind+0x76/0xed
[ 24.909111][ T12] Read of size 8 at addr ffff8881d0aa1380 by task kworker/0:1/12
[ 24.916805][ T12]
[ 24.919116][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.5.0-rc2-syzkaller #0
[ 24.927238][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.937273][ T12] Workqueue: usb_hub_wq hub_event
[ 24.942270][ T12] Call Trace:
[ 24.945539][ T12] dump_stack+0xef/0x16e
[ 24.949775][ T12] ? ax88172a_unbind+0x76/0xed
[ 24.954520][ T12] ? ax88172a_unbind+0x76/0xed
[ 24.959263][ T12] print_address_description.constprop.0+0x16/0x200
[ 24.965829][ T12] ? ax88172a_unbind+0x76/0xed
[ 24.970578][ T12] ? ax88172a_unbind+0x76/0xed
[ 24.975321][ T12] __kasan_report.cold+0x37/0x7f
[ 24.980236][ T12] ? mark_lock+0x1160/0x1160
[ 24.984802][ T12] ? ax88172a_unbind+0x76/0xed
[ 24.989554][ T12] ? ax88172a_bind.cold+0x1e8/0x1e8
[ 24.994735][ T12] kasan_report+0xe/0x20
[ 24.998989][ T12] ax88172a_unbind+0x76/0xed
[ 25.003567][ T12] usbnet_disconnect+0x145/0x270
[ 25.008489][ T12] usb_unbind_interface+0x1bd/0x8a0
[ 25.013666][ T12] ? usb_autoresume_device+0x60/0x60
[ 25.018932][ T12] device_release_driver_internal+0x42f/0x500
[ 25.025081][ T12] bus_remove_device+0x2dc/0x4a0
[ 25.030000][ T12] device_del+0x481/0xd30
[ 25.034306][ T12] ? device_create_with_groups+0x120/0x120
[ 25.040087][ T12] ? lockdep_hardirqs_on+0x382/0x580
[ 25.045364][ T12] ? remove_intf_ep_devs+0x13f/0x1d0
[ 25.050681][ T12] usb_disable_device+0x211/0x690
[ 25.055728][ T12] usb_disconnect+0x284/0x8d0
[ 25.060432][ T12] hub_event+0x1753/0x3860
[ 25.064831][ T12] ? hub_port_debounce+0x260/0x260
[ 25.069921][ T12] ? find_held_lock+0x2d/0x110
[ 25.074666][ T12] ? mark_held_locks+0xe0/0xe0
[ 25.079408][ T12] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.084931][ T12] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.090313][ T12] process_one_work+0x92b/0x1530
[ 25.095232][ T12] ? pwq_dec_nr_in_flight+0x310/0x310
[ 25.100578][ T12] ? do_raw_spin_lock+0x11a/0x280
[ 25.105580][ T12] worker_thread+0x96/0xe20
[ 25.110060][ T12] ? process_one_work+0x1530/0x1530
[ 25.115235][ T12] kthread+0x318/0x420
[ 25.119279][ T12] ? kthread_create_on_node+0xf0/0xf0
[ 25.124642][ T12] ret_from_fork+0x24/0x30
[ 25.129037][ T12]
[ 25.131350][ T12] Allocated by task 12:
[ 25.135488][ T12] save_stack+0x1b/0x80
[ 25.139632][ T12] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 25.145277][ T12] ax88172a_bind+0x9f/0x7a2
[ 25.149760][ T12] usbnet_probe+0xb43/0x2470
[ 25.154331][ T12] usb_probe_interface+0x305/0x7a0
[ 25.159419][ T12] really_probe+0x281/0x6d0
[ 25.163900][ T12] driver_probe_device+0x104/0x210
[ 25.168984][ T12] __device_attach_driver+0x1c2/0x220
[ 25.174329][ T12] bus_for_each_drv+0x162/0x1e0
[ 25.179161][ T12] __device_attach+0x217/0x360
[ 25.183903][ T12] bus_probe_device+0x1e4/0x290
[ 25.188729][ T12] device_add+0x1480/0x1c20
[ 25.193208][ T12] usb_set_configuration+0xe67/0x1740
[ 25.198578][ T12] generic_probe+0x9d/0xd5
[ 25.202971][ T12] usb_probe_device+0x99/0x100
[ 25.207713][ T12] really_probe+0x281/0x6d0
[ 25.212193][ T12] driver_probe_device+0x104/0x210
[ 25.217292][ T12] __device_attach_driver+0x1c2/0x220
[ 25.222639][ T12] bus_for_each_drv+0x162/0x1e0
[ 25.227477][ T12] __device_attach+0x217/0x360
[ 25.232221][ T12] bus_probe_device+0x1e4/0x290
[ 25.237063][ T12] device_add+0x1480/0x1c20
[ 25.241554][ T12] usb_new_device.cold+0x6a4/0xe79
[ 25.246649][ T12] hub_event+0x1e59/0x3860
[ 25.251043][ T12] process_one_work+0x92b/0x1530
[ 25.255957][ T12] worker_thread+0x96/0xe20
[ 25.260463][ T12] kthread+0x318/0x420
[ 25.264577][ T12] ret_from_fork+0x24/0x30
[ 25.268965][ T12]
[ 25.271272][ T12] Freed by task 12:
[ 25.275063][ T12] save_stack+0x1b/0x80
[ 25.279206][ T12] __kasan_slab_free+0x129/0x170
[ 25.284118][ T12] kfree+0xda/0x310
[ 25.287904][ T12] ax88172a_bind.cold+0x4d/0x1e8
[ 25.292816][ T12] usbnet_probe+0xb43/0x2470
[ 25.297383][ T12] usb_probe_interface+0x305/0x7a0
[ 25.302490][ T12] really_probe+0x281/0x6d0
[ 25.307035][ T12] driver_probe_device+0x104/0x210
[ 25.312135][ T12] __device_attach_driver+0x1c2/0x220
[ 25.317483][ T12] bus_for_each_drv+0x162/0x1e0
[ 25.322309][ T12] __device_attach+0x217/0x360
[ 25.327050][ T12] bus_probe_device+0x1e4/0x290
[ 25.331881][ T12] device_add+0x1480/0x1c20
[ 25.336366][ T12] usb_set_configuration+0xe67/0x1740
[ 25.341718][ T12] generic_probe+0x9d/0xd5
[ 25.346113][ T12] usb_probe_device+0x99/0x100
[ 25.350853][ T12] really_probe+0x281/0x6d0
[ 25.355332][ T12] driver_probe_device+0x104/0x210
[ 25.360426][ T12] __device_attach_driver+0x1c2/0x220
[ 25.365816][ T12] bus_for_each_drv+0x162/0x1e0
[ 25.370645][ T12] __device_attach+0x217/0x360
[ 25.375382][ T12] bus_probe_device+0x1e4/0x290
[ 25.380219][ T12] device_add+0x1480/0x1c20
[ 25.384697][ T12] usb_new_device.cold+0x6a4/0xe79
[ 25.389781][ T12] hub_event+0x1e59/0x3860
[ 25.394171][ T12] process_one_work+0x92b/0x1530
[ 25.399125][ T12] worker_thread+0x96/0xe20
[ 25.403606][ T12] kthread+0x318/0x420
[ 25.407652][ T12] ret_from_fork+0x24/0x30
[ 25.412076][ T12]
[ 25.414385][ T12] The buggy address belongs to the object at ffff8881d0aa1380
[ 25.414385][ T12] which belongs to the cache kmalloc-64 of size 64
[ 25.428266][ T12] The buggy address is located 0 bytes inside of
[ 25.428266][ T12] 64-byte region [ffff8881d0aa1380, ffff8881d0aa13c0)
[ 25.441283][ T12] The buggy address belongs to the page:
[ 25.446894][ T12] page:ffffea000742a840 refcount:1 mapcount:0 mapping:ffff8881da003180 index:0xffff8881d0aa1900
[ 25.457299][ T12] raw: 0200000000000200 ffffea000742f040 0000000f0000000f ffff8881da003180
[ 25.465861][ T12] raw: ffff8881d0aa1900 000000008020001e 00000001ffffffff 0000000000000000
[ 25.474420][ T12] page dumped because: kasan: bad access detected
[ 25.480804][ T12]
[ 25.483111][ T12] Memory state around the buggy address:
[ 25.488721][ T12]  ffff8881d0aa1280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.496819][ T12]  ffff8881d0aa1300: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.504884][ T12] >ffff8881d0aa1380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.512921][ T12]                    ^
[ 25.516968][ T12]  ffff8881d0aa1400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.525005][ T12]  ffff8881d0aa1480: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 25.533044][ T12] ==================================================================
[ 25.541117][ T12] Disabling lock debugging due to kernel taint
[ 25.547443][ T12] Kernel panic - not syncing: panic_on_warn set ...
[ 25.554027][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.5.0-rc2-syzkaller #0
[ 25.563538][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.573593][ T12] Workqueue: usb_hub_wq hub_event
[ 25.578591][ T12] Call Trace:
[ 25.581863][ T12] dump_stack+0xef/0x16e
[ 25.586169][ T12] panic+0x2aa/0x6e1
[ 25.590046][ T12] ? add_taint.cold+0x16/0x16
[ 25.594698][ T12] ? ax88172a_unbind+0x76/0xed
[ 25.599436][ T12] ? trace_hardirqs_on+0x55/0x1e0
[ 25.604432][ T12] ? ax88172a_unbind+0x76/0xed
[ 25.609169][ T12] end_report+0x43/0x49
[ 25.614605][ T12] ? ax88172a_unbind+0x76/0xed
[ 25.626994][ T12] __kasan_report.cold+0x55/0x7f
[ 25.631912][ T12] ? mark_lock+0x1160/0x1160
[ 25.636477][ T12] ? ax88172a_unbind+0x76/0xed
[ 25.641214][ T12] ? ax88172a_bind.cold+0x1e8/0x1e8
[ 25.646710][ T12] kasan_report+0xe/0x20
[ 25.651044][ T12] ax88172a_unbind+0x76/0xed
[ 25.655638][ T12] usbnet_disconnect+0x145/0x270
[ 25.660653][ T12] usb_unbind_interface+0x1bd/0x8a0
[ 25.665836][ T12] ? usb_autoresume_device+0x60/0x60
[ 25.671101][ T12] device_release_driver_internal+0x42f/0x500
[ 25.677146][ T12] bus_remove_device+0x2dc/0x4a0
[ 25.682410][ T12] device_del+0x481/0xd30
[ 25.686737][ T12] ? device_create_with_groups+0x120/0x120
[ 25.692519][ T12] ? lockdep_hardirqs_on+0x382/0x580
[ 25.697799][ T12] ? remove_intf_ep_devs+0x13f/0x1d0
[ 25.703091][ T12] usb_disable_device+0x211/0x690
[ 25.708093][ T12] usb_disconnect+0x284/0x8d0
[ 25.712741][ T12] hub_event+0x1753/0x3860
[ 25.717133][ T12] ? hub_port_debounce+0x260/0x260
[ 25.722232][ T12] ? find_held_lock+0x2d/0x110
[ 25.728192][ T12] ? mark_held_locks+0xe0/0xe0
[ 25.732929][ T12] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.738446][ T12] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.743708][ T12] process_one_work+0x92b/0x1530
[ 25.748624][ T12] ? pwq_dec_nr_in_flight+0x310/0x310
[ 25.753977][ T12] ? do_raw_spin_lock+0x11a/0x280
[ 25.760016][ T12] worker_thread+0x96/0xe20
[ 25.764497][ T12] ? process_one_work+0x1530/0x1530
[ 25.769667][ T12] kthread+0x318/0x420
[ 25.773709][ T12] ? kthread_create_on_node+0xf0/0xf0
[ 25.779114][ T12] ret_from_fork+0x24/0x30
[ 25.784101][ T12] Kernel Offset: disabled
[ 25.788416][ T12] Rebooting in 86400 seconds..