[info] Using makefile-style concurrent boot in runlevel 2. [ 15.528532][ C1] random: crng init done [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.49' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 27.918220][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 28.158161][ T83] usb 1-1: Using ep0 maxpacket: 32 [ 28.278341][ T83] usb 1-1: config 1 interface 1 altsetting 1 endpoint 0x1 has an invalid bInterval 0, changing to 7 [ 28.290740][ T83] usb 1-1: config 1 interface 2 altsetting 1 endpoint 0x82 has an invalid bInterval 0, changing to 7 [ 28.458617][ T83] usb 1-1: New USB device found, idVendor=1d6b, idProduct=0101, bcdDevice= 0.40 [ 28.468802][ T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 28.477057][ T83] usb 1-1: Product: syz [ 28.481262][ T83] usb 1-1: Manufacturer: syz [ 28.485998][ T83] usb 1-1: SerialNumber: syz executing program [ 28.848406][ T83] ================================================================== [ 28.856919][ T83] BUG: KASAN: use-after-free in parse_term_proc_unit+0x57a/0x5e0 [ 28.864626][ T83] Read of size 1 at addr ffff8881d5118d4b by task kworker/1:2/83 [ 28.872562][ T83] [ 28.874881][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.4.0-rc3+ #0 [ 28.883281][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.893416][ T83] Workqueue: usb_hub_wq hub_event [ 28.898513][ T83] Call Trace: [ 28.901798][ T83] dump_stack+0xca/0x13e [ 28.906138][ T83] ? parse_term_proc_unit+0x57a/0x5e0 [ 28.911938][ T83] ? parse_term_proc_unit+0x57a/0x5e0 [ 28.917395][ T83] print_address_description.constprop.0+0x36/0x50 [ 28.923889][ T83] ? parse_term_proc_unit+0x57a/0x5e0 [ 28.929256][ T83] ? parse_term_proc_unit+0x57a/0x5e0 [ 28.934612][ T83] __kasan_report.cold+0x1a/0x33 [ 28.939529][ T83] ? parse_term_proc_unit+0x57a/0x5e0 [ 28.944881][ T83] kasan_report+0xe/0x20 [ 28.949185][ T83] parse_term_proc_unit+0x57a/0x5e0 [ 28.954358][ T83] __check_input_term+0xc32/0x13f0 [ 28.959451][ T83] parse_audio_unit+0x101d/0x36f0 [ 28.964551][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50 [ 28.970493][ T83] ? lockdep_hardirqs_on+0x382/0x580 [ 28.975770][ T83] ? stack_depot_save+0x252/0x440 [ 28.980780][ T83] ? build_audio_procunit+0x13f0/0x13f0 [ 28.986922][ T83] ? save_stack+0x1b/0x80 [ 28.991231][ T83] ? __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 28.997072][ T83] ? snd_usb_create_mixer+0x180/0x1890 [ 29.002518][ T83] ? usb_audio_probe+0xc76/0x2010 [ 29.007535][ T83] ? usb_probe_interface+0x305/0x7a0 [ 29.012809][ T83] ? really_probe+0x281/0x6d0 [ 29.017464][ T83] ? driver_probe_device+0x104/0x210 [ 29.022997][ T83] ? __device_attach_driver+0x1c2/0x220 [ 29.028542][ T83] ? bus_for_each_drv+0x162/0x1e0 [ 29.034000][ T83] ? __device_attach+0x217/0x360 [ 29.039306][ T83] ? bus_probe_device+0x1e4/0x290 [ 29.044340][ T83] ? device_add+0xae6/0x16f0 [ 29.048949][ T83] ? usb_set_configuration+0xdf6/0x1670 [ 29.054580][ T83] ? validate_desc.part.0+0x17f/0x240 [ 29.060294][ T83] snd_usb_mixer_controls+0x715/0xb90 [ 29.066635][ T83] ? parse_audio_unit+0x36f0/0x36f0 [ 29.072080][ T83] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 29.077355][ T83] ? __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 29.083331][ T83] ? kasan_unpoison_shadow+0x30/0x40 [ 29.088594][ T83] ? usb_ifnum_to_if+0x12b/0x180 [ 29.093614][ T83] snd_usb_create_mixer+0x2b5/0x1890 [ 29.099143][ T83] ? mark_lock+0xbc/0x1160 [ 29.103636][ T83] ? mark_held_locks+0x9f/0xe0 [ 29.108372][ T83] ? snd_usb_mixer_interrupt+0x800/0x800 [ 29.114072][ T83] ? lockdep_hardirqs_on+0x382/0x580 [ 29.119346][ T83] ? usb_driver_claim_interface+0x210/0x420 [ 29.125232][ T83] ? snd_usb_create_stream+0x16a/0x4c0 [ 29.130776][ T83] usb_audio_probe+0xc76/0x2010 [ 29.135835][ T83] ? usb_audio_resume+0x20/0x20 [ 29.140787][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50 [ 29.146576][ T83] usb_probe_interface+0x305/0x7a0 [ 29.151909][ T83] ? usb_probe_device+0x100/0x100 [ 29.156946][ T83] really_probe+0x281/0x6d0 [ 29.161646][ T83] driver_probe_device+0x104/0x210 [ 29.167129][ T83] __device_attach_driver+0x1c2/0x220 [ 29.172486][ T83] ? driver_allows_async_probing+0x160/0x160 [ 29.179046][ T83] bus_for_each_drv+0x162/0x1e0 [ 29.183977][ T83] ? bus_rescan_devices+0x20/0x20 [ 29.189158][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50 [ 29.195150][ T83] ? lockdep_hardirqs_on+0x382/0x580 [ 29.200591][ T83] __device_attach+0x217/0x360 [ 29.205340][ T83] ? device_bind_driver+0xd0/0xd0 [ 29.210345][ T83] ? kobject_uevent_env+0x29e/0x1150 [ 29.215620][ T83] ? kobject_uevent_env+0x2a8/0x1150 [ 29.220974][ T83] bus_probe_device+0x1e4/0x290 [ 29.225806][ T83] ? blocking_notifier_call_chain+0x54/0xa0 [ 29.231675][ T83] device_add+0xae6/0x16f0 [ 29.236071][ T83] ? uevent_store+0x50/0x50 [ 29.240571][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50 [ 29.246355][ T83] usb_set_configuration+0xdf6/0x1670 [ 29.251796][ T83] generic_probe+0x9d/0xd5 [ 29.256195][ T83] usb_probe_device+0x99/0x100 [ 29.261038][ T83] ? usb_suspend+0x620/0x620 [ 29.265622][ T83] really_probe+0x281/0x6d0 [ 29.270216][ T83] driver_probe_device+0x104/0x210 [ 29.275400][ T83] __device_attach_driver+0x1c2/0x220 [ 29.280767][ T83] ? driver_allows_async_probing+0x160/0x160 [ 29.286746][ T83] bus_for_each_drv+0x162/0x1e0 [ 29.291588][ T83] ? bus_rescan_devices+0x20/0x20 [ 29.296641][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50 [ 29.302438][ T83] ? lockdep_hardirqs_on+0x382/0x580 [ 29.307702][ T83] __device_attach+0x217/0x360 [ 29.312444][ T83] ? device_bind_driver+0xd0/0xd0 [ 29.317457][ T83] ? kobject_uevent_env+0x29e/0x1150 [ 29.322739][ T83] ? kobject_uevent_env+0x2a8/0x1150 [ 29.328009][ T83] bus_probe_device+0x1e4/0x290 [ 29.333051][ T83] ? blocking_notifier_call_chain+0x54/0xa0 [ 29.339097][ T83] device_add+0xae6/0x16f0 [ 29.343759][ T83] ? uevent_store+0x50/0x50 [ 29.348250][ T83] usb_new_device.cold+0x6a4/0xe79 [ 29.353344][ T83] hub_event+0x1dd0/0x37e0 [ 29.357755][ T83] ? hub_port_debounce+0x260/0x260 [ 29.362858][ T83] ? find_held_lock+0x2d/0x110 [ 29.367613][ T83] ? mark_held_locks+0xe0/0xe0 [ 29.372531][ T83] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 29.378056][ T83] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 29.383498][ T83] process_one_work+0x92b/0x1530 [ 29.388415][ T83] ? pwq_dec_nr_in_flight+0x310/0x310 [ 29.393780][ T83] ? do_raw_spin_lock+0x11a/0x280 [ 29.398795][ T83] worker_thread+0x96/0xe20 [ 29.403303][ T83] ? process_one_work+0x1530/0x1530 [ 29.408619][ T83] kthread+0x318/0x420 [ 29.412710][ T83] ? kthread_create_on_node+0xf0/0xf0 [ 29.418080][ T83] ret_from_fork+0x24/0x30 [ 29.422484][ T83] [ 29.424794][ T83] Allocated by task 83: [ 29.428964][ T83] save_stack+0x1b/0x80 [ 29.433099][ T83] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 29.438725][ T83] usb_alloc_urb+0x65/0xb0 [ 29.443120][ T83] usb_control_msg+0x1c9/0x4a0 [ 29.447887][ T83] usb_get_descriptor+0xc1/0x1b0 [ 29.452804][ T83] usb_get_configuration+0x28e/0x3050 [ 29.458158][ T83] usb_new_device+0xd3/0x160 [ 29.462811][ T83] hub_event+0x1dd0/0x37e0 [ 29.467229][ T83] process_one_work+0x92b/0x1530 [ 29.472188][ T83] worker_thread+0x96/0xe20 [ 29.476675][ T83] kthread+0x318/0x420 [ 29.480754][ T83] ret_from_fork+0x24/0x30 [ 29.485140][ T83] [ 29.487488][ T83] Freed by task 83: [ 29.491285][ T83] save_stack+0x1b/0x80 [ 29.495421][ T83] __kasan_slab_free+0x130/0x180 [ 29.500337][ T83] kfree+0xe4/0x320 [ 29.504138][ T83] usb_free_urb.part.0+0x7a/0xc0 [ 29.509053][ T83] usb_free_urb+0x1b/0x30 [ 29.513361][ T83] usb_start_wait_urb+0x1e5/0x2b0 [ 29.518371][ T83] usb_control_msg+0x31c/0x4a0 [ 29.523113][ T83] usb_get_descriptor+0xc1/0x1b0 [ 29.528063][ T83] usb_get_configuration+0x28e/0x3050 [ 29.533421][ T83] usb_new_device+0xd3/0x160 [ 29.538002][ T83] hub_event+0x1dd0/0x37e0 [ 29.542420][ T83] process_one_work+0x92b/0x1530 [ 29.547414][ T83] worker_thread+0x96/0xe20 [ 29.551927][ T83] kthread+0x318/0x420 [ 29.555980][ T83] ret_from_fork+0x24/0x30 [ 29.560378][ T83] [ 29.562690][ T83] The buggy address belongs to the object at ffff8881d5118d00 [ 29.562690][ T83] which belongs to the cache kmalloc-192 of size 192 [ 29.576743][ T83] The buggy address is located 75 bytes inside of [ 29.576743][ T83] 192-byte region [ffff8881d5118d00, ffff8881d5118dc0) [ 29.589915][ T83] The buggy address belongs to the page: [ 29.595668][ T83] page:ffffea0007544600 refcount:1 mapcount:0 mapping:ffff8881da002a00 index:0x0 [ 29.604892][ T83] flags: 0x200000000000200(slab) [ 29.609816][ T83] raw: 0200000000000200 ffffea0007544300 0000000700000007 ffff8881da002a00 [ 29.618379][ T83] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 29.626935][ T83] page dumped because: kasan: bad access detected [ 29.633326][ T83] [ 29.635629][ T83] Memory state around the buggy address: [ 29.641258][ T83] ffff8881d5118c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.649310][ T83] ffff8881d5118c80: 00 00 00 00 05 fc fc fc fc fc fc fc fc fc fc fc [ 29.657353][ T83] >ffff8881d5118d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.665393][ T83] ^ [ 29.671803][ T83] ffff8881d5118d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 29.679854][ T83] ffff8881d5118e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.687903][ T83] ================================================================== [ 29.695942][ T83] Disabling lock debugging due to kernel taint [ 29.702455][ T83] Kernel panic - not syncing: panic_on_warn set ... [ 29.709049][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Tainted: G B 5.4.0-rc3+ #0 [ 29.717905][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.728103][ T83] Workqueue: usb_hub_wq hub_event [ 29.733114][ T83] Call Trace: [ 29.736394][ T83] dump_stack+0xca/0x13e [ 29.740618][ T83] panic+0x2aa/0x6e1 [ 29.744507][ T83] ? add_taint.cold+0x16/0x16 [ 29.749386][ T83] ? retint_kernel+0x10/0x10 [ 29.754403][ T83] ? trace_hardirqs_on+0x55/0x1e0 [ 29.759430][ T83] ? parse_term_proc_unit+0x57a/0x5e0 [ 29.764796][ T83] end_report+0x43/0x49 [ 29.768939][ T83] ? parse_term_proc_unit+0x57a/0x5e0 [ 29.774295][ T83] __kasan_report.cold+0xd/0x33 [ 29.779143][ T83] ? parse_term_proc_unit+0x57a/0x5e0 [ 29.784621][ T83] kasan_report+0xe/0x20 [ 29.788902][ T83] parse_term_proc_unit+0x57a/0x5e0 [ 29.794112][ T83] __check_input_term+0xc32/0x13f0 [ 29.799225][ T83] parse_audio_unit+0x101d/0x36f0 [ 29.804237][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50 [ 29.810035][ T83] ? lockdep_hardirqs_on+0x382/0x580 [ 29.815311][ T83] ? stack_depot_save+0x252/0x440 [ 29.820320][ T83] ? build_audio_procunit+0x13f0/0x13f0 [ 29.825844][ T83] ? save_stack+0x1b/0x80 [ 29.830174][ T83] ? __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 29.836120][ T83] ? snd_usb_create_mixer+0x180/0x1890 [ 29.841655][ T83] ? usb_audio_probe+0xc76/0x2010 [ 29.846799][ T83] ? usb_probe_interface+0x305/0x7a0 [ 29.852261][ T83] ? really_probe+0x281/0x6d0 [ 29.856927][ T83] ? driver_probe_device+0x104/0x210 [ 29.862377][ T83] ? __device_attach_driver+0x1c2/0x220 [ 29.867930][ T83] ? bus_for_each_drv+0x162/0x1e0 [ 29.873134][ T83] ? __device_attach+0x217/0x360 [ 29.878152][ T83] ? bus_probe_device+0x1e4/0x290 [ 29.883177][ T83] ? device_add+0xae6/0x16f0 [ 29.887762][ T83] ? usb_set_configuration+0xdf6/0x1670 [ 29.893292][ T83] ? validate_desc.part.0+0x17f/0x240 [ 29.898650][ T83] snd_usb_mixer_controls+0x715/0xb90 [ 29.904108][ T83] ? parse_audio_unit+0x36f0/0x36f0 [ 29.909309][ T83] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 29.914582][ T83] ? __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 29.920364][ T83] ? kasan_unpoison_shadow+0x30/0x40 [ 29.925666][ T83] ? usb_ifnum_to_if+0x12b/0x180 [ 29.930592][ T83] snd_usb_create_mixer+0x2b5/0x1890 [ 29.935859][ T83] ? mark_lock+0xbc/0x1160 [ 29.940269][ T83] ? mark_held_locks+0x9f/0xe0 [ 29.945025][ T83] ? snd_usb_mixer_interrupt+0x800/0x800 [ 29.950640][ T83] ? lockdep_hardirqs_on+0x382/0x580 [ 29.955919][ T83] ? usb_driver_claim_interface+0x210/0x420 [ 29.961892][ T83] ? snd_usb_create_stream+0x16a/0x4c0 [ 29.967375][ T83] usb_audio_probe+0xc76/0x2010 [ 29.972210][ T83] ? usb_audio_resume+0x20/0x20 [ 29.977040][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50 [ 29.982824][ T83] usb_probe_interface+0x305/0x7a0 [ 29.987924][ T83] ? usb_probe_device+0x100/0x100 [ 29.992933][ T83] really_probe+0x281/0x6d0 [ 29.997427][ T83] driver_probe_device+0x104/0x210 [ 30.002622][ T83] __device_attach_driver+0x1c2/0x220 [ 30.007990][ T83] ? driver_allows_async_probing+0x160/0x160 [ 30.013956][ T83] bus_for_each_drv+0x162/0x1e0 [ 30.018789][ T83] ? bus_rescan_devices+0x20/0x20 [ 30.023809][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50 [ 30.030014][ T83] ? lockdep_hardirqs_on+0x382/0x580 [ 30.035303][ T83] __device_attach+0x217/0x360 [ 30.040057][ T83] ? device_bind_driver+0xd0/0xd0 [ 30.045155][ T83] ? kobject_uevent_env+0x29e/0x1150 [ 30.050434][ T83] ? kobject_uevent_env+0x2a8/0x1150 [ 30.055696][ T83] bus_probe_device+0x1e4/0x290 [ 30.060531][ T83] ? blocking_notifier_call_chain+0x54/0xa0 [ 30.066411][ T83] device_add+0xae6/0x16f0 [ 30.070818][ T83] ? uevent_store+0x50/0x50 [ 30.075320][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50 [ 30.081121][ T83] usb_set_configuration+0xdf6/0x1670 [ 30.086496][ T83] generic_probe+0x9d/0xd5 [ 30.090977][ T83] usb_probe_device+0x99/0x100 [ 30.095726][ T83] ? usb_suspend+0x620/0x620 [ 30.100304][ T83] really_probe+0x281/0x6d0 [ 30.104781][ T83] driver_probe_device+0x104/0x210 [ 30.109881][ T83] __device_attach_driver+0x1c2/0x220 [ 30.115343][ T83] ? driver_allows_async_probing+0x160/0x160 [ 30.121322][ T83] bus_for_each_drv+0x162/0x1e0 [ 30.126160][ T83] ? bus_rescan_devices+0x20/0x20 [ 30.131168][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50 [ 30.136956][ T83] ? lockdep_hardirqs_on+0x382/0x580 [ 30.142233][ T83] __device_attach+0x217/0x360 [ 30.146971][ T83] ? device_bind_driver+0xd0/0xd0 [ 30.151984][ T83] ? kobject_uevent_env+0x29e/0x1150 [ 30.157247][ T83] ? kobject_uevent_env+0x2a8/0x1150 [ 30.162508][ T83] bus_probe_device+0x1e4/0x290 [ 30.168146][ T83] ? blocking_notifier_call_chain+0x54/0xa0 [ 30.174013][ T83] device_add+0xae6/0x16f0 [ 30.178417][ T83] ? uevent_store+0x50/0x50 [ 30.183069][ T83] usb_new_device.cold+0x6a4/0xe79 [ 30.188251][ T83] hub_event+0x1dd0/0x37e0 [ 30.192657][ T83] ? hub_port_debounce+0x260/0x260 [ 30.197762][ T83] ? find_held_lock+0x2d/0x110 [ 30.202515][ T83] ? mark_held_locks+0xe0/0xe0 [ 30.207487][ T83] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 30.213897][ T83] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 30.219430][ T83] process_one_work+0x92b/0x1530 [ 30.224350][ T83] ? pwq_dec_nr_in_flight+0x310/0x310 [ 30.229698][ T83] ? do_raw_spin_lock+0x11a/0x280 [ 30.234699][ T83] worker_thread+0x96/0xe20 [ 30.239178][ T83] ? process_one_work+0x1530/0x1530 [ 30.244348][ T83] kthread+0x318/0x420 [ 30.248393][ T83] ? kthread_create_on_node+0xf0/0xf0 [ 30.253743][ T83] ret_from_fork+0x24/0x30 [ 30.258927][ T83] Kernel Offset: disabled [ 30.263249][ T83] Rebooting in 86400 seconds..