[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.236' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 30.387101][ T95] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 30.607038][ T95] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7
[ 30.618193][ T95] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0
[ 30.627992][ T95] usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 9
[ 30.640842][ T95] usb 1-1: New USB device found, idVendor=20bc, idProduct=5500, bcdDevice= 0.00
[ 30.649930][ T95] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 30.659668][ T95] usb 1-1: config 0 descriptor??
[ 31.140678][ T95] betop 0003:20BC:5500.0001: unknown main item tag 0x0
[ 31.150135][ T95] betop 0003:20BC:5500.0001: hidraw0: USB HID v0.00 Device [HID 20bc:5500] on usb-dummy_hcd.0-1/input0
[ 31.165252][ T95] ==================================================================
[ 31.173547][ T95] BUG: KASAN: slab-out-of-bounds in betop_probe+0x396/0x570
[ 31.180845][ T95] Write of size 8 at addr ffff8881d57c7ec0 by task kworker/0:2/95
[ 31.188625][ T95]
[ 31.190952][ T95] CPU: 0 PID: 95 Comm: kworker/0:2 Not tainted 5.7.0-rc1-syzkaller #0
[ 31.199074][ T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.209129][ T95] Workqueue: usb_hub_wq hub_event
[ 31.214126][ T95] Call Trace:
[ 31.217409][ T95]  dump_stack+0xef/0x16e
[ 31.221630][ T95]  print_address_description.constprop.0.cold+0xd3/0x314
[ 31.228633][ T95]  ? betop_probe+0x396/0x570
[ 31.233208][ T95]  __kasan_report.cold+0x37/0x92
[ 31.238122][ T95]  ? betop_probe+0x396/0x570
[ 31.242690][ T95]  ? betop_probe+0x396/0x570
[ 31.247270][ T95]  kasan_report+0x33/0x50
[ 31.251578][ T95]  check_memory_region+0x173/0x1d0
[ 31.256760][ T95]  betop_probe+0x396/0x570
[ 31.261178][ T95]  ? belkin_probe.cold+0x3c/0x3c
[ 31.266104][ T95]  hid_device_probe+0x2be/0x3f0
[ 31.270933][ T95]  ? hid_match_device+0x1f0/0x1f0
[ 31.275961][ T95]  really_probe+0x290/0xac0
[ 31.280456][ T95]  driver_probe_device+0x223/0x350
[ 31.285542][ T95]  __device_attach_driver+0x1d1/0x290
[ 31.290893][ T95]  ? driver_allows_async_probing+0x160/0x160
[ 31.296862][ T95]  bus_for_each_drv+0x162/0x1e0
[ 31.301694][ T95]  ? bus_rescan_devices+0x20/0x20
[ 31.306699][ T95]  ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 31.312494][ T95]  ? lockdep_hardirqs_on+0x3c7/0x5d0
[ 31.317758][ T95]  __device_attach+0x21a/0x390
[ 31.322526][ T95]  ? device_bind_driver+0xd0/0xd0
[ 31.327536][ T95]  bus_probe_device+0x1e4/0x290
[ 31.332385][ T95]  device_add+0x1367/0x1c20
[ 31.336873][ T95]  ? device_link_remove+0x110/0x110
[ 31.342059][ T95]  ? __debugfs_create_file+0x31f/0x400
[ 31.347499][ T95]  hid_add_device+0x33c/0x9a0
[ 31.352171][ T95]  ? debug_object_fixup+0x30/0x30
[ 31.357173][ T95]  ? __hid_bus_reprobe_drivers+0x130/0x130
[ 31.362968][ T95]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 31.368491][ T95]  usbhid_probe+0xa8c/0xfa0
[ 31.372984][ T95]  usb_probe_interface+0x310/0x800
[ 31.378069][ T95]  ? usb_probe_device+0x230/0x230
[ 31.383071][ T95]  really_probe+0x290/0xac0
[ 31.387563][ T95]  driver_probe_device+0x223/0x350
[ 31.392652][ T95]  __device_attach_driver+0x1d1/0x290
[ 31.398003][ T95]  ? driver_allows_async_probing+0x160/0x160
[ 31.403960][ T95]  bus_for_each_drv+0x162/0x1e0
[ 31.408791][ T95]  ? bus_rescan_devices+0x20/0x20
[ 31.413795][ T95]  ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 31.419596][ T95]  ? lockdep_hardirqs_on+0x3c7/0x5d0
[ 31.424867][ T95]  __device_attach+0x21a/0x390
[ 31.429622][ T95]  ? device_bind_driver+0xd0/0xd0
[ 31.434646][ T95]  bus_probe_device+0x1e4/0x290
[ 31.439492][ T95]  device_add+0x1367/0x1c20
[ 31.443988][ T95]  ? wait_for_completion+0x280/0x280
[ 31.449256][ T95]  ? device_link_remove+0x110/0x110
[ 31.454434][ T95]  ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 31.460244][ T95]  usb_set_configuration+0xed4/0x1850
[ 31.465619][ T95]  usb_generic_driver_probe+0x9d/0xe0
[ 31.471120][ T95]  usb_probe_device+0xd9/0x230
[ 31.475870][ T95]  ? usb_suspend+0x600/0x600
[ 31.480446][ T95]  really_probe+0x290/0xac0
[ 31.484934][ T95]  driver_probe_device+0x223/0x350
[ 31.490039][ T95]  __device_attach_driver+0x1d1/0x290
[ 31.495399][ T95]  ? driver_allows_async_probing+0x160/0x160
[ 31.501462][ T95]  bus_for_each_drv+0x162/0x1e0
[ 31.506306][ T95]  ? bus_rescan_devices+0x20/0x20
[ 31.511320][ T95]  ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 31.517118][ T95]  ? lockdep_hardirqs_on+0x3c7/0x5d0
[ 31.522392][ T95]  __device_attach+0x21a/0x390
[ 31.527139][ T95]  ? device_bind_driver+0xd0/0xd0
[ 31.532148][ T95]  bus_probe_device+0x1e4/0x290
[ 31.536986][ T95]  device_add+0x1367/0x1c20
[ 31.541482][ T95]  ? device_link_remove+0x110/0x110
[ 31.546846][ T95]  usb_new_device.cold+0x552/0xf6e
[ 31.551984][ T95]  ? hub_disconnect+0x4a0/0x4a0
[ 31.556816][ T95]  ? mark_held_locks+0x9f/0xe0
[ 31.561597][ T95]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 31.566777][ T95]  hub_event+0x226d/0x43c0
[ 31.571175][ T95]  ? hub_port_debounce+0x350/0x350
[ 31.576281][ T95]  ? umh_clean_and_save_pid+0x1/0xd0
[ 31.581555][ T95]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 31.587074][ T95]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 31.592351][ T95]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 31.597526][ T95]  process_one_work+0x965/0x1630
[ 31.602463][ T95]  ? lock_release+0x720/0x720
[ 31.607115][ T95]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 31.612480][ T95]  ? rwlock_bug.part.0+0x90/0x90
[ 31.617416][ T95]  worker_thread+0x96/0xe20
[ 31.621905][ T95]  ? process_one_work+0x1630/0x1630
[ 31.627093][ T95]  kthread+0x326/0x430
[ 31.631144][ T95]  ? kthread_create_on_node+0xf0/0xf0
[ 31.636506][ T95]  ret_from_fork+0x24/0x30
[ 31.640997][ T95]
[ 31.643325][ T95] Allocated by task 95:
[ 31.647474][ T95]  save_stack+0x1b/0x40
[ 31.651607][ T95]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 31.657277][ T95]  hidraw_connect+0x4b/0x3f0
[ 31.661858][ T95]  hid_connect+0x5cd/0xbc0
[ 31.666266][ T95]  hid_hw_start+0xa2/0x130
[ 31.670672][ T95]  betop_probe+0xbc/0x570
[ 31.674978][ T95]  hid_device_probe+0x2be/0x3f0
[ 31.679807][ T95]  really_probe+0x290/0xac0
[ 31.684303][ T95]  driver_probe_device+0x223/0x350
[ 31.689391][ T95]  __device_attach_driver+0x1d1/0x290
[ 31.694770][ T95]  bus_for_each_drv+0x162/0x1e0
[ 31.699732][ T95]  __device_attach+0x21a/0x390
[ 31.704501][ T95]  bus_probe_device+0x1e4/0x290
[ 31.709349][ T95]  device_add+0x1367/0x1c20
[ 31.713845][ T95]  hid_add_device+0x33c/0x9a0
[ 31.718500][ T95]  usbhid_probe+0xa8c/0xfa0
[ 31.722982][ T95]  usb_probe_interface+0x310/0x800
[ 31.728081][ T95]  really_probe+0x290/0xac0
[ 31.732560][ T95]  driver_probe_device+0x223/0x350
[ 31.737646][ T95]  __device_attach_driver+0x1d1/0x290
[ 31.743212][ T95]  bus_for_each_drv+0x162/0x1e0
[ 31.748049][ T95]  __device_attach+0x21a/0x390
[ 31.752818][ T95]  bus_probe_device+0x1e4/0x290
[ 31.757777][ T95]  device_add+0x1367/0x1c20
[ 31.762266][ T95]  usb_set_configuration+0xed4/0x1850
[ 31.767626][ T95]  usb_generic_driver_probe+0x9d/0xe0
[ 31.772982][ T95]  usb_probe_device+0xd9/0x230
[ 31.777752][ T95]  really_probe+0x290/0xac0
[ 31.782237][ T95]  driver_probe_device+0x223/0x350
[ 31.787330][ T95]  __device_attach_driver+0x1d1/0x290
[ 31.792680][ T95]  bus_for_each_drv+0x162/0x1e0
[ 31.797523][ T95]  __device_attach+0x21a/0x390
[ 31.802282][ T95]  bus_probe_device+0x1e4/0x290
[ 31.807299][ T95]  device_add+0x1367/0x1c20
[ 31.811806][ T95]  usb_new_device.cold+0x552/0xf6e
[ 31.816911][ T95]  hub_event+0x226d/0x43c0
[ 31.821308][ T95]  process_one_work+0x965/0x1630
[ 31.826227][ T95]  worker_thread+0x96/0xe20
[ 31.830734][ T95]  kthread+0x326/0x430
[ 31.834787][ T95]  ret_from_fork+0x24/0x30
[ 31.839191][ T95]
[ 31.841499][ T95] Freed by task 1:
[ 31.845203][ T95]  save_stack+0x1b/0x40
[ 31.849337][ T95]  __kasan_slab_free+0x117/0x160
[ 31.854254][ T95]  kfree+0xd5/0x300
[ 31.858040][ T95]  usb_free_urb.part.0+0xaf/0x110
[ 31.863038][ T95]  usb_free_urb+0x1b/0x30
[ 31.867343][ T95]  usb_start_wait_urb+0x1e1/0x4c0
[ 31.872366][ T95]  usb_control_msg+0x31c/0x4a0
[ 31.877106][ T95]  set_port_feature+0x69/0x90
[ 31.881762][ T95]  hub_power_on+0x186/0x400
[ 31.886242][ T95]  hub_activate+0x1102/0x16e0
[ 31.890895][ T95]  hub_probe.cold+0x2a3d/0x2a4a
[ 31.895739][ T95]  usb_probe_interface+0x310/0x800
[ 31.900829][ T95]  really_probe+0x290/0xac0
[ 31.905308][ T95]  driver_probe_device+0x223/0x350
[ 31.910399][ T95]  __device_attach_driver+0x1d1/0x290
[ 31.915751][ T95]  bus_for_each_drv+0x162/0x1e0
[ 31.920590][ T95]  __device_attach+0x21a/0x390
[ 31.925354][ T95]  bus_probe_device+0x1e4/0x290
[ 31.930180][ T95]  device_add+0x1367/0x1c20
[ 31.934676][ T95]  usb_set_configuration+0xed4/0x1850
[ 31.940026][ T95]  usb_generic_driver_probe+0x9d/0xe0
[ 31.945374][ T95]  usb_probe_device+0xd9/0x230
[ 31.950116][ T95]  really_probe+0x290/0xac0
[ 31.954617][ T95]  driver_probe_device+0x223/0x350
[ 31.959707][ T95]  __device_attach_driver+0x1d1/0x290
[ 31.965081][ T95]  bus_for_each_drv+0x162/0x1e0
[ 31.969906][ T95]  __device_attach+0x21a/0x390
[ 31.974664][ T95]  bus_probe_device+0x1e4/0x290
[ 31.979508][ T95]  device_add+0x1367/0x1c20
[ 31.983991][ T95]  usb_new_device.cold+0x552/0xf6e
[ 31.989096][ T95]  usb_add_hcd.cold+0x1386/0x1787
[ 31.994532][ T95]  vhci_hcd_probe+0x1c9/0x3a0
[ 31.999186][ T95]  platform_drv_probe+0x87/0x140
[ 32.004101][ T95]  really_probe+0x290/0xac0
[ 32.008627][ T95]  driver_probe_device+0x223/0x350
[ 32.013713][ T95]  __device_attach_driver+0x1d1/0x290
[ 32.019078][ T95]  bus_for_each_drv+0x162/0x1e0
[ 32.023907][ T95]  __device_attach+0x21a/0x390
[ 32.028647][ T95]  bus_probe_device+0x1e4/0x290
[ 32.033490][ T95]  device_add+0x1367/0x1c20
[ 32.037985][ T95]  platform_device_add+0x35c/0x820
[ 32.043091][ T95]  vhci_hcd_init+0x344/0x488
[ 32.047678][ T95]  do_one_initcall+0x10a/0x6b0
[ 32.052419][ T95]  kernel_init_freeable+0x4e6/0x593
[ 32.057697][ T95]  kernel_init+0xd/0x1b9
[ 32.061935][ T95]  ret_from_fork+0x24/0x30
[ 32.066324][ T95]
[ 32.068631][ T95] The buggy address belongs to the object at ffff8881d57c7e00
[ 32.068631][ T95]  which belongs to the cache kmalloc-192 of size 192
[ 32.082671][ T95] The buggy address is located 0 bytes to the right of
[ 32.082671][ T95]  192-byte region [ffff8881d57c7e00, ffff8881d57c7ec0)
[ 32.096259][ T95] The buggy address belongs to the page:
[ 32.101871][ T95] page:ffffea000755f1c0 refcount:1 mapcount:0 mapping:000000003daeafdc index:0x0
[ 32.110978][ T95] flags: 0x200000000000200(slab)
[ 32.115897][ T95] raw: 0200000000000200 ffffea000755eec0 0000000500000005 ffff8881da002a00
[ 32.124479][ T95] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 32.133037][ T95] page dumped because: kasan: bad access detected
[ 32.139421][ T95]
[ 32.141725][ T95] Memory state around the buggy address:
[ 32.147337][ T95]  ffff8881d57c7d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 32.155566][ T95]  ffff8881d57c7e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.163607][ T95] >ffff8881d57c7e80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 32.171641][ T95]                                            ^
[ 32.177781][ T95]  ffff8881d57c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.185839][ T95]  ffff8881d57c7f80: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 32.193890][ T
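Added triage example (not part of the syzbot report, and not kernel or syzkaller code): a small Python helper that re-parses the KASAN report above and recomputes, from the raw numbers, what the report asserts in prose. It shows that the faulting 8-byte write starts at offset 192 of a 192-byte kmalloc-192 object, i.e. at the first byte past the allocation, that the shadow byte there is 0xfc (a kmalloc redzone, so all 8 written bytes are out of bounds), and that every shadow byte of the object itself is 0x00, so the object is live and the "Freed by task 1" trace is the stale record of this slab slot's previous occupant (a hub control URB freed at boot), not evidence of a use-after-free. The shadow-byte encodings are those of generic KASAN (mm/kasan/kasan.h); the prefix-stripping regex assumes the `[ ts][ Tnn]` console format seen above. Nothing here identifies the root cause inside betop_probe; that needs the source at the reported offset.

```python
"""Cross-check a generic-KASAN slab report: where does the access land, and what is there?"""
import re

# Console prefix as printed above, e.g. "[ 31.173547][ T95] " (whitespace may be collapsed).
PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")

# Generic-mode shadow values (mm/kasan/kasan.h); 0x01..0x07 mean "only N leading bytes addressable".
SHADOW_MEANING = {
    0x00: "addressable (all 8 bytes)",
    0xfb: "freed kmalloc object (KASAN_KMALLOC_FREE)",
    0xfc: "kmalloc redzone (KASAN_KMALLOC_REDZONE)",
    0xfe: "page redzone (KASAN_PAGE_REDZONE)",
    0xff: "free page (KASAN_FREE_PAGE)",
}

# The KASAN report from the console log above, trimmed to the lines this parser needs.
REPORT = """\
[ 31.173547][ T95] BUG: KASAN: slab-out-of-bounds in betop_probe+0x396/0x570
[ 31.180845][ T95] Write of size 8 at addr ffff8881d57c7ec0 by task kworker/0:2/95
[ 32.068631][ T95] The buggy address belongs to the object at ffff8881d57c7e00
[ 32.068631][ T95]  which belongs to the cache kmalloc-192 of size 192
[ 32.082671][ T95] The buggy address is located 0 bytes to the right of
[ 32.082671][ T95]  192-byte region [ffff8881d57c7e00, ffff8881d57c7ec0)
[ 32.141725][ T95] Memory state around the buggy address:
[ 32.147337][ T95]  ffff8881d57c7d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 32.155566][ T95]  ffff8881d57c7e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.163607][ T95] >ffff8881d57c7e80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 32.177781][ T95]  ffff8881d57c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.185839][ T95]  ffff8881d57c7f80: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
"""


def parse_kasan_report(text):
    """Extract the header, the object/cache facts and the shadow rows from a KASAN report."""
    rep = {"shadow": {}}
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            rep["bug"], rep["site"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (.+)", line):
            rep["access"], rep["size"] = m.group(1), int(m.group(2))
            rep["addr"], rep["task"] = int(m.group(3), 16), m.group(4)
        elif m := re.search(r"belongs to the object at ([0-9a-f]+)", line):
            rep["object"] = int(m.group(1), 16)
        elif m := re.search(r"belongs to the cache (\S+) of size (\d+)", line):
            rep["cache"], rep["cache_size"] = m.group(1), int(m.group(2))
        elif m := re.search(r"located (\d+) bytes to the (right|left) of", line):
            rep["claimed"] = (m.group(2), int(m.group(1)))
        elif m := re.search(r"(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            rep["region"] = (int(m.group(2), 16), int(m.group(3), 16))
        elif m := re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", line):
            # One dumped row = 16 shadow bytes = 128 bytes of kernel memory.
            rep["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rep


def shadow_byte(rep, addr):
    """Shadow byte covering `addr` (one byte per 8-byte granule), or None if that row was not dumped."""
    row = rep["shadow"].get(addr & ~0x7F)
    return None if row is None else row[(addr & 0x7F) >> 3]


def object_live(rep):
    """True when every granule of the object is addressable, i.e. it is allocated, not freed."""
    lo, hi = rep["region"]
    return all(shadow_byte(rep, a) == 0 for a in range(lo, hi, 8))


def triage(rep):
    """Recompute the access position relative to the object and decode the shadow at the fault."""
    lo, hi = rep["region"]
    addr, size = rep["addr"], rep["size"]
    side, dist = ("right", addr - hi) if addr >= hi else ("left", lo - addr) if addr < lo else ("inside", 0)
    inside = max(0, min(addr + size, hi) - max(addr, lo))  # bytes of the access that hit the object
    sb = shadow_byte(rep, addr)
    if sb is None:
        meaning = "not in dump"
    elif 1 <= sb <= 7:
        meaning = f"partial: only {sb} leading bytes addressable"
    else:
        meaning = SHADOW_MEANING.get(sb, "other poison")
    return {
        "side": side,
        "distance": dist,                         # 0 to the right == first byte after the object
        "offset_in_object": addr - lo,            # == cache_size when the write starts just past the end
        "outside_bytes": size - inside,
        "shadow_byte": sb,
        "shadow_meaning": meaning,
        "object_fills_slot": (hi - lo) == rep["cache_size"],
        "object_live": object_live(rep),
        "matches_report": (side, dist) == rep.get("claimed"),
    }


if __name__ == "__main__":
    for key, val in triage(parse_kasan_report(REPORT)).items():
        print(f"{key:>18}: {val:#x}" if key == "shadow_byte" else f"{key:>18}: {val}")
```

Run it on the report as-is, or paste a different KASAN report into `REPORT`; for a use-after-free the object's shadow reads 0xfb and `object_live` turns false, which is the quickest way to tell an off-the-end write like this one from a stale-pointer access that the allocation and free stacks alone can leave ambiguous.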