Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.33' (ECDSA) to the list of known hosts.
syzkaller login: [   73.079484][ T8396] IPVS: ftp: loaded support on port[0] = 21
executing program
[   73.453458][ T2967] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   73.693483][ T2967] usb 1-1: Using ep0 maxpacket: 16
[   73.813618][ T2967] usb 1-1: config 0 has an invalid interface number: 19 but max is 1
[   73.821941][ T2967] usb 1-1: config 0 has no interface number 1
[   73.983565][ T2967] usb 1-1: New USB device found, idVendor=0dba, idProduct=1000, bcdDevice=a3.00
[   73.992677][ T2967] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   74.001755][ T2967] usb 1-1: Product: syz
[   74.006337][ T2967] usb 1-1: Manufacturer: syz
[   74.010978][ T2967] usb 1-1: SerialNumber: syz
[   74.023880][ T2967] usb 1-1: config 0 descriptor??
[   74.268603][    T5] usb 1-1: USB disconnect, device number 2
[   74.296753][    T5] ==================================================================
[   74.305179][    T5] BUG: KASAN: use-after-free in usb_audio_disconnect+0x750/0x800
[   74.312996][    T5] Read of size 2 at addr ffff88802c954f24 by task kworker/0:0/5
[   74.321504][    T5]
[   74.323895][    T5] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.12.0-rc1-next-20210305-syzkaller #0
[   74.333290][    T5] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   74.343421][    T5] Workqueue: usb_hub_wq hub_event
[   74.348532][    T5] Call Trace:
[   74.352109][    T5]  dump_stack+0xfa/0x151
[   74.356531][    T5]  ? usb_audio_disconnect+0x750/0x800
[   74.362056][    T5]  print_address_description.constprop.0.cold+0x5b/0x2f8
[   74.369156][    T5]  ? usb_audio_disconnect+0x750/0x800
[   74.374591][    T5]  ? usb_audio_disconnect+0x750/0x800
[   74.379988][    T5]  kasan_report.cold+0x7c/0xd8
[   74.384787][    T5]  ? usb_audio_disconnect+0x750/0x800
[   74.390323][    T5]  usb_audio_disconnect+0x750/0x800
[   74.395549][    T5]  ? usb_audio_suspend+0x4f0/0x4f0
[   74.400693][    T5]  ? mark_held_locks+0x9f/0xe0
[   74.405507][    T5]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[   74.411943][    T5]  ? usb_disable_interface+0x82/0x3c0
[   74.417358][    T5]  ? lockdep_hardirqs_on+0x79/0x100
[   74.422588][    T5]  ? _raw_spin_unlock_irqrestore+0x33/0x50
[   74.428435][    T5]  usb_unbind_interface+0x1d8/0x8d0
[   74.433722][    T5]  ? kernfs_remove_by_name_ns+0x62/0xb0
[   74.439306][    T5]  ? usb_unbind_device+0x1a0/0x1a0
[   74.444454][    T5]  __device_release_driver+0x3bd/0x6f0
[   74.450059][    T5]  device_release_driver+0x26/0x40
[   74.455192][    T5]  bus_remove_device+0x2eb/0x5a0
[   74.460170][    T5]  device_del+0x502/0xd40
[   74.464537][    T5]  ? __device_links_queue_sync_state+0x3f0/0x3f0
[   74.470893][    T5]  ? pm_runtime_barrier+0xdc/0x1a0
[   74.476063][    T5]  usb_disable_device+0x35b/0x7b0
[   74.481145][    T5]  usb_disconnect.cold+0x27d/0x791
[   74.486316][    T5]  hub_event+0x1c9c/0x4320
[   74.490979][    T5]  ? hub_port_debounce+0x3c0/0x3c0
[   74.496112][    T5]  ? lock_acquire+0x1bb/0x730
[   74.500798][    T5]  ? lock_release+0x710/0x710
[   74.505484][    T5]  ? lock_downgrade+0x6d0/0x6d0
[   74.510360][    T5]  ? lock_is_held_type+0xd5/0x130
[   74.515393][    T5]  process_one_work+0x98d/0x1600
[   74.520346][    T5]  ? pwq_dec_nr_in_flight+0x320/0x320
[   74.525738][    T5]  ? rwlock_bug.part.0+0x90/0x90
[   74.530700][    T5]  ? _raw_spin_lock_irq+0x41/0x50
[   74.536212][    T5]  worker_thread+0x64c/0x1120
[   74.540956][    T5]  ? process_one_work+0x1600/0x1600
[   74.546197][    T5]  kthread+0x3b1/0x4a0
[   74.550305][    T5]  ? __kthread_bind_mask+0xc0/0xc0
[   74.555480][    T5]  ret_from_fork+0x1f/0x30
[   74.559939][    T5]
[   74.562286][    T5] Allocated by task 2967:
[   74.566647][    T5]  kasan_save_stack+0x1b/0x40
[   74.571443][    T5]  __kasan_kmalloc+0x99/0xc0
[   74.576068][    T5]  snd_card_new+0xc2/0xcb0
[   74.580500][    T5]  usb_audio_probe+0x1547/0x2c70
[   74.585446][    T5]  usb_probe_interface+0x315/0x7f0
[   74.590574][    T5]  really_probe+0x291/0xe60
[   74.595091][    T5]  driver_probe_device+0x26b/0x3d0
[   74.600247][    T5]  __device_attach_driver+0x1d1/0x290
[   74.605659][    T5]  bus_for_each_drv+0x15f/0x1e0
[   74.610537][    T5]  __device_attach+0x228/0x4a0
[   74.615340][    T5]  bus_probe_device+0x1e4/0x290
[   74.620221][    T5]  device_add+0xbdb/0x1db0
[   74.624661][    T5]  usb_set_configuration+0x113f/0x1910
[   74.630586][    T5]  usb_generic_driver_probe+0xba/0x100
[   74.636196][    T5]  usb_probe_device+0xd9/0x2c0
[   74.640990][    T5]  really_probe+0x291/0xe60
[   74.645545][    T5]  driver_probe_device+0x26b/0x3d0
[   74.650667][    T5]  __device_attach_driver+0x1d1/0x290
[   74.656050][    T5]  bus_for_each_drv+0x15f/0x1e0
[   74.660915][    T5]  __device_attach+0x228/0x4a0
[   74.665835][    T5]  bus_probe_device+0x1e4/0x290
[   74.670736][    T5]  device_add+0xbdb/0x1db0
[   74.675167][    T5]  usb_new_device.cold+0x721/0x1058
[   74.680384][    T5]  hub_event+0x2357/0x4320
[   74.684827][    T5]  process_one_work+0x98d/0x1600
[   74.689780][    T5]  worker_thread+0x64c/0x1120
[   74.694506][    T5]  kthread+0x3b1/0x4a0
[   74.698606][    T5]  ret_from_fork+0x1f/0x30
[   74.703035][    T5]
[   74.705469][    T5] Freed by task 5:
[   74.709184][    T5]  kasan_save_stack+0x1b/0x40
[   74.714061][    T5]  kasan_set_track+0x1c/0x30
[   74.718688][    T5]  kasan_set_free_info+0x20/0x30
[   74.723633][    T5]  __kasan_slab_free+0xf5/0x130
[   74.730168][    T5]  slab_free_freelist_hook+0x72/0x1b0
[   74.735652][    T5]  kfree+0xe5/0x7b0
[   74.739487][    T5]  device_release+0x9f/0x240
[   74.744087][    T5]  kobject_put+0x1c8/0x540
[   74.748524][    T5]  put_device+0x1b/0x30
[   74.752706][    T5]  snd_card_free_when_closed+0x35/0x50
[   74.758190][    T5]  usb_audio_disconnect+0x2ba/0x800
[   74.763407][    T5]  usb_unbind_interface+0x1d8/0x8d0
[   74.768688][    T5]  __device_release_driver+0x3bd/0x6f0
[   74.774164][    T5]  device_release_driver+0x26/0x40
[   74.779297][    T5]  bus_remove_device+0x2eb/0x5a0
[   74.784260][    T5]  device_del+0x502/0xd40
[   74.788595][    T5]  usb_disable_device+0x35b/0x7b0
[   74.793629][    T5]  usb_disconnect.cold+0x27d/0x791
[   74.798760][    T5]  hub_event+0x1c9c/0x4320
[   74.803197][    T5]  process_one_work+0x98d/0x1600
[   74.808162][    T5]  worker_thread+0x64c/0x1120
[   74.812853][    T5]  kthread+0x3b1/0x4a0
[   74.816937][    T5]  ret_from_fork+0x1f/0x30
[   74.821378][    T5]
[   74.823702][    T5] The buggy address belongs to the object at ffff88802c954000
[   74.823702][    T5]  which belongs to the cache kmalloc-8k of size 8192
[   74.837890][    T5] The buggy address is located 3876 bytes inside of
[   74.837890][    T5]  8192-byte region [ffff88802c954000, ffff88802c956000)
[   74.851379][    T5] The buggy address belongs to the page:
[   74.857124][    T5] page:000000003ed6e46b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2c950
[   74.867460][    T5] head:000000003ed6e46b order:3 compound_mapcount:0 compound_pincount:0
[   74.876784][    T5] flags: 0xfff00000010200(slab|head)
[   74.882205][    T5] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010842280
[   74.891023][    T5] raw: 0000000000000000 0000000000020002 00000001ffffffff 0000000000000000
[   74.899655][    T5] page dumped because: kasan: bad access detected
[   74.906167][    T5]
[   74.908510][    T5] Memory state around the buggy address:
[   74.914159][    T5]  ffff88802c954e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.922273][    T5]  ffff88802c954e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.930363][    T5] >ffff88802c954f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.938439][    T5]                                ^
[   74.943568][    T5]  ffff88802c954f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.951646][    T5]  ffff88802c955000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.959741][    T5] ==================================================================
[   74.968069][    T5] Disabling lock debugging due to kernel taint
[   74.983308][    T5] Kernel panic - not syncing: panic_on_warn set ...
[   74.989945][    T5] CPU: 0 PID: 5 Comm: kworker/0:0 Tainted: G    B             5.12.0-rc1-next-20210305-syzkaller #0
[   75.000735][    T5] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   75.011337][    T5] Workqueue: usb_hub_wq hub_event
[   75.016398][    T5] Call Trace:
[   75.019695][    T5]  dump_stack+0xfa/0x151
[   75.023956][    T5]  panic+0x306/0x73d
[   75.027848][    T5]  ? __warn_printk+0xf3/0xf3
[   75.032602][    T5]  ? preempt_schedule_common+0x59/0xc0
[   75.038082][    T5]  ? usb_audio_disconnect+0x750/0x800
[   75.043490][    T5]  ? preempt_schedule_thunk+0x16/0x18
[   75.048882][    T5]  ? trace_hardirqs_on+0x38/0x1c0
[   75.053907][    T5]  ? trace_hardirqs_on+0x51/0x1c0
[   75.058951][    T5]  ? usb_audio_disconnect+0x750/0x800
[   75.064327][    T5]  ? usb_audio_disconnect+0x750/0x800
[   75.069706][    T5]  end_report.cold+0x5a/0x5a
[   75.074317][    T5]  kasan_report.cold+0x6a/0xd8
[   75.079087][    T5]  ? usb_audio_disconnect+0x750/0x800
[   75.084513][    T5]  usb_audio_disconnect+0x750/0x800
[   75.089750][    T5]  ? usb_audio_suspend+0x4f0/0x4f0
[   75.094883][    T5]  ? mark_held_locks+0x9f/0xe0
[   75.099674][    T5]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[   75.106066][    T5]  ? usb_disable_interface+0x82/0x3c0
[   75.111471][    T5]  ? lockdep_hardirqs_on+0x79/0x100
[   75.116676][    T5]  ? _raw_spin_unlock_irqrestore+0x33/0x50
[   75.122582][    T5]  usb_unbind_interface+0x1d8/0x8d0
[   75.127795][    T5]  ? kernfs_remove_by_name_ns+0x62/0xb0
[   75.133344][    T5]  ? usb_unbind_device+0x1a0/0x1a0
[   75.138472][    T5]  __device_release_driver+0x3bd/0x6f0
[   75.143931][    T5]  device_release_driver+0x26/0x40
[   75.149049][    T5]  bus_remove_device+0x2eb/0x5a0
[   75.153993][    T5]  device_del+0x502/0xd40
[   75.158325][    T5]  ? __device_links_queue_sync_state+0x3f0/0x3f0
[   75.164655][    T5]  ? pm_runtime_barrier+0xdc/0x1a0
[   75.169772][    T5]  usb_disable_device+0x35b/0x7b0
[   75.174806][    T5]  usb_disconnect.cold+0x27d/0x791
[   75.179922][    T5]  hub_event+0x1c9c/0x4320
[   75.184380][    T5]  ? hub_port_debounce+0x3c0/0x3c0
[   75.189493][    T5]  ? lock_acquire+0x1bb/0x730
[   75.194170][    T5]  ? lock_release+0x710/0x710
[   75.198859][    T5]  ? lock_downgrade+0x6d0/0x6d0
[   75.203812][    T5]  ? lock_is_held_type+0xd5/0x130
[   75.208840][    T5]  process_one_work+0x98d/0x1600
[   75.213780][    T5]  ? pwq_dec_nr_in_flight+0x320/0x320
[   75.219169][    T5]  ? rwlock_bug.part.0+0x90/0x90
[   75.224197][    T5]  ? _raw_spin_lock_irq+0x41/0x50
[   75.229253][    T5]  worker_thread+0x64c/0x1120
[   75.234372][    T5]  ? process_one_work+0x1600/0x1600
[   75.239588][    T5]  kthread+0x3b1/0x4a0
[   75.243678][    T5]  ? __kthread_bind_mask+0xc0/0xc0
[   75.248890][    T5]  ret_from_fork+0x1f/0x30
[   75.253794][    T5] Kernel Offset: disabled
[   75.258240][    T5] Rebooting in 86400 seconds..
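A first triage pass over the report above, as an added example that is neither syzbot tooling nor kernel code: it parses the KASAN block, checks that the stated offset (3876 bytes) equals the faulting address minus the object base, strips the KASAN and allocator frames to find where the object was really allocated (snd_card_new) and released (device_release, reached through snd_card_free_when_closed), and confirms that the same kworker freed the object and then read it from the same function (usb_audio_disconnect, release at +0x2ba, read at +0x750), which points at a use after the function's own release rather than at a race with another task. The embedded REPORT is an excerpt of the log above with the long stacks shortened; the NOISE prefixes used to skip allocator frames are this script's own assumption.

```python
"""Triage helper for the KASAN report above (added example; not syzbot or kernel code)."""
import re
from dataclasses import dataclass, field

# Constructed input: an excerpt of the report above, with the stacks shortened.
REPORT = """\
[   74.305179][    T5] BUG: KASAN: use-after-free in usb_audio_disconnect+0x750/0x800
[   74.312996][    T5] Read of size 2 at addr ffff88802c954f24 by task kworker/0:0/5
[   74.321504][    T5]
[   74.562286][    T5] Allocated by task 2967:
[   74.566647][    T5]  kasan_save_stack+0x1b/0x40
[   74.571443][    T5]  __kasan_kmalloc+0x99/0xc0
[   74.576068][    T5]  snd_card_new+0xc2/0xcb0
[   74.580500][    T5]  usb_audio_probe+0x1547/0x2c70
[   74.703035][    T5]
[   74.705469][    T5] Freed by task 5:
[   74.709184][    T5]  kasan_save_stack+0x1b/0x40
[   74.723633][    T5]  __kasan_slab_free+0xf5/0x130
[   74.735652][    T5]  kfree+0xe5/0x7b0
[   74.739487][    T5]  device_release+0x9f/0x240
[   74.748524][    T5]  put_device+0x1b/0x30
[   74.752706][    T5]  snd_card_free_when_closed+0x35/0x50
[   74.758190][    T5]  usb_audio_disconnect+0x2ba/0x800
[   74.821378][    T5]
[   74.823702][    T5] The buggy address belongs to the object at ffff88802c954000
[   74.823702][    T5]  which belongs to the cache kmalloc-8k of size 8192
[   74.837890][    T5] The buggy address is located 3876 bytes inside of
[   74.837890][    T5]  8192-byte region [ffff88802c954000, ffff88802c956000)
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")  # console prefix "[   74.305179][    T5] "
FRAME = re.compile(r"^\S+\+0x[0-9a-f]+/0x[0-9a-f]+$")  # stack frame "func+0xoff/0xsize"
# Assumed: frames that belong to the allocator or KASAN itself, not to the code owning the object.
NOISE = ("kasan_", "__kasan_", "slab_free_freelist_hook", "kfree", "kmalloc", "__kmalloc")


@dataclass
class Report:
    bug: str = ""          # "use-after-free", "slab-out-of-bounds", ...
    access: str = ""       # "Read" or "Write"
    size: int = 0
    addr: int = 0
    use_frame: str = ""    # faulting function+offset/size
    use_task: str = ""     # "comm/pid" of the faulting task
    alloc_task: str = ""
    free_task: str = ""
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)
    obj_base: int = 0
    obj_size: int = 0
    offset: int = -1       # offset of the access inside the object, as the report states it


def parse(text):
    """Parse one KASAN report (console prefixes allowed) into a Report."""
    r, stack = Report(), None  # stack: the frame list currently being filled, if any
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if stack is not None:
            if FRAME.match(line):
                stack.append(line)
                continue
            stack = None  # a blank or non-frame line ends an "Allocated by"/"Freed by" stack
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            r.bug, r.use_frame = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r.access, r.size, r.addr, r.use_task = m[1], int(m[2]), int(m[3], 16), m[4]
        elif m := re.match(r"Allocated by task (\d+):", line):
            r.alloc_task, stack = m[1], r.alloc_stack
        elif m := re.match(r"Freed by task (\d+):", line):
            r.free_task, stack = m[1], r.free_stack
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj_base = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache \S+ of size (\d+)", line):
            r.obj_size = int(m[1])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r.offset = int(m[1])
    return r


def owner_frame(stack):
    """First frame that is not allocator/KASAN plumbing: the code that really allocated or released."""
    return next((f for f in stack if not f.startswith(NOISE)), "")


def release_in_using_function(r):
    """Frame of the free stack that lies in the faulting function, if any (a lower offset than
    the faulting one means that function dropped its reference and then kept using the object)."""
    func = r.use_frame.split("+", 1)[0]
    return next((f for f in r.free_stack if f.split("+", 1)[0] == func), "")


def triage(r):
    """Consistency checks plus the sites a triager reads first."""
    use_pid = r.use_task.rsplit("/", 1)[-1]
    return {
        "offset_consistent": r.addr - r.obj_base == r.offset,  # the report's own arithmetic
        "freed_by_same_task": r.free_task == use_pid,          # free and use on one task
        "alloc_site": owner_frame(r.alloc_stack),
        "free_site": owner_frame(r.free_stack),
        "release_in_use_func": release_in_using_function(r),
    }
```

Calling triage(parse(REPORT)) on the excerpt returns offset_consistent and freed_by_same_task as True, snd_card_new+0xc2/0xcb0 as the allocation site, device_release+0x9f/0x240 as the release site, and usb_audio_disconnect+0x2ba/0x800 as the release frame inside the faulting function. The same parse() works on the full log above (the Call Trace frames and page dump are simply ignored), and on any KASAN report of this layout.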