[ OK ] Started Regular background program processing daemon.
Starting getty on tty2-tty6 if dbus and logind are not available...
[ OK ] Started System Logging Service.
[ OK ] Started Permit User Sessions.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.194' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 55.399915][ T6782] IPVS: ftp: loaded support on port[0] = 21
[ 55.738563][ T17] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 55.978993][ T17] usb 1-1: Using ep0 maxpacket: 8
[ 56.098632][ T17] usb 1-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=78.22
[ 56.107897][ T17] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 56.119838][ T17] usb 1-1: config 0 descriptor??
[ 56.379052][ T17] asix 1-1:0.0 (unnamed net_device) (uninitialized): Failed to read MAC address: 0
[ 56.397055][ T17] asix 1-1:0.0 eth1: register 'asix' at usb-dummy_hcd.0-1, ASIX AX88172A USB 2.0 Ethernet, c6:0a:e9:e6:07:9a
[ 56.583367][ T17] usb 1-1: USB disconnect, device number 2
[ 56.590754][ T17] asix 1-1:0.0 eth1: unregister 'asix' usb-dummy_hcd.0-1, ASIX AX88172A USB 2.0 Ethernet
[ 56.649321][ T17] ==================================================================
[ 56.657561][ T17] BUG: KASAN: use-after-free in ax88172a_unbind+0x76/0xe7
[ 56.664676][ T17] Read of size 8 at addr ffff8880a6be3700 by task kworker/1:0/17
[ 56.672559][ T17]
[ 56.675151][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.7.0-syzkaller #0
[ 56.682931][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.694490][ T17] Workqueue: usb_hub_wq hub_event
[ 56.699505][ T17] Call Trace:
[ 56.702810][ T17] dump_stack+0x188/0x20d
[ 56.707908][ T17] ? ax88172a_unbind+0x76/0xe7
[ 56.712746][ T17] ? ax88172a_unbind+0x76/0xe7
[ 56.717757][ T17] print_address_description.constprop.0.cold+0xd3/0x413
[ 56.724781][ T17] ? usbnet_disconnect+0xf0/0x270
[ 56.729893][ T17] ? vprintk_func+0x97/0x1a6
[ 56.734588][ T17] ? ax88172a_unbind+0x76/0xe7
[ 56.739438][ T17] kasan_report.cold+0x1f/0x37
[ 56.749762][ T17] ? ax88172a_unbind+0x76/0xe7
[ 56.754612][ T17] ? ax88172a_reset.cold+0x131/0x131
[ 56.759879][ T17] ax88172a_unbind+0x76/0xe7
[ 56.764508][ T17] usbnet_disconnect+0x145/0x270
[ 56.769449][ T17] usb_unbind_interface+0x1bd/0x8a0
[ 56.774635][ T17] ? __pm_runtime_idle+0xd1/0x320
[ 56.779658][ T17] ? usb_autoresume_device+0x60/0x60
[ 56.784960][ T17] device_release_driver_internal+0x432/0x500
[ 56.791014][ T17] bus_remove_device+0x2dc/0x4a0
[ 56.795939][ T17] device_del+0x481/0xd30
[ 56.800257][ T17] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 56.806237][ T17] ? device_link_remove+0x110/0x110
[ 56.811436][ T17] ? remove_intf_ep_devs+0x13f/0x1d0
[ 56.816798][ T17] usb_disable_device+0x211/0x690
[ 56.821844][ T17] usb_disconnect+0x284/0x8d0
[ 56.826682][ T17] hub_event+0x17ca/0x38f0
[ 56.831100][ T17] ? hub_port_debounce+0x260/0x260
[ 56.836196][ T17] ? __queue_work+0x730/0x1280
[ 56.840948][ T17] ? debug_smp_processor_id+0x2f/0x185
[ 56.846396][ T17] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 56.851928][ T17] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 56.857894][ T17] process_one_work+0x965/0x16a0
[ 56.862835][ T17] ? lock_release+0x800/0x800
[ 56.867512][ T17] ? pwq_dec_nr_in_flight+0x310/0x310
[ 56.872871][ T17] ? rwlock_bug.part.0+0x90/0x90
[ 56.877899][ T17] worker_thread+0x96/0xe20
[ 56.882393][ T17] ? process_one_work+0x16a0/0x16a0
[ 56.887582][ T17] kthread+0x388/0x470
[ 56.891748][ T17] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 56.897462][ T17] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 56.903164][ T17] ret_from_fork+0x24/0x30
[ 56.907569][ T17]
[ 56.909878][ T17] Allocated by task 17:
[ 56.914017][ T17] save_stack+0x1b/0x40
[ 56.918156][ T17] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 56.923769][ T17] kmem_cache_alloc_trace+0x153/0x7d0
[ 56.929140][ T17] ax88172a_bind+0xa3/0x751
[ 56.933640][ T17] usbnet_probe+0xb36/0x2600
[ 56.938228][ T17] usb_probe_interface+0x305/0x7a0
[ 56.943321][ T17] really_probe+0x281/0x6d0
[ 56.947890][ T17] driver_probe_device+0x104/0x210
[ 56.952983][ T17] __device_attach_driver+0x1c2/0x220
[ 56.958350][ T17] bus_for_each_drv+0x162/0x1e0
[ 56.963182][ T17] __device_attach+0x21a/0x360
[ 56.967958][ T17] bus_probe_device+0x1e4/0x290
[ 56.972804][ T17] device_add+0x132d/0x1c10
[ 56.977303][ T17] usb_set_configuration+0xec5/0x1740
[ 56.982673][ T17] usb_generic_driver_probe+0x9d/0xe0
[ 56.988029][ T17] usb_probe_device+0xc6/0x1f0
[ 56.992950][ T17] really_probe+0x281/0x6d0
[ 56.997449][ T17] driver_probe_device+0x104/0x210
[ 57.003584][ T17] __device_attach_driver+0x1c2/0x220
[ 57.009143][ T17] bus_for_each_drv+0x162/0x1e0
[ 57.020835][ T17] __device_attach+0x21a/0x360
[ 57.025767][ T17] bus_probe_device+0x1e4/0x290
[ 57.030600][ T17] device_add+0x132d/0x1c10
[ 57.035100][ T17] usb_new_device.cold+0x753/0x103d
[ 57.040295][ T17] hub_event+0x1eca/0x38f0
[ 57.044866][ T17] process_one_work+0x965/0x16a0
[ 57.049871][ T17] worker_thread+0x96/0xe20
[ 57.054366][ T17] kthread+0x388/0x470
[ 57.058503][ T17] ret_from_fork+0x24/0x30
[ 57.062978][ T17]
[ 57.065294][ T17] Freed by task 17:
[ 57.069080][ T17] save_stack+0x1b/0x40
[ 57.073211][ T17] __kasan_slab_free+0xf7/0x140
[ 57.078036][ T17] kfree+0x109/0x2b0
[ 57.081914][ T17] ax88172a_bind.cold+0xad/0x1df
[ 57.086827][ T17] usbnet_probe+0xb36/0x2600
[ 57.091406][ T17] usb_probe_interface+0x305/0x7a0
[ 57.096505][ T17] really_probe+0x281/0x6d0
[ 57.100996][ T17] driver_probe_device+0x104/0x210
[ 57.106094][ T17] __device_attach_driver+0x1c2/0x220
[ 57.111442][ T17] bus_for_each_drv+0x162/0x1e0
[ 57.116272][ T17] __device_attach+0x21a/0x360
[ 57.121023][ T17] bus_probe_device+0x1e4/0x290
[ 57.125851][ T17] device_add+0x132d/0x1c10
[ 57.130349][ T17] usb_set_configuration+0xec5/0x1740
[ 57.135703][ T17] usb_generic_driver_probe+0x9d/0xe0
[ 57.141052][ T17] usb_probe_device+0xc6/0x1f0
[ 57.145800][ T17] really_probe+0x281/0x6d0
[ 57.150280][ T17] driver_probe_device+0x104/0x210
[ 57.155368][ T17] __device_attach_driver+0x1c2/0x220
[ 57.160714][ T17] bus_for_each_drv+0x162/0x1e0
[ 57.165994][ T17] __device_attach+0x21a/0x360
[ 57.170735][ T17] bus_probe_device+0x1e4/0x290
[ 57.175559][ T17] device_add+0x132d/0x1c10
[ 57.180038][ T17] usb_new_device.cold+0x753/0x103d
[ 57.185222][ T17] hub_event+0x1eca/0x38f0
[ 57.189618][ T17] process_one_work+0x965/0x16a0
[ 57.194533][ T17] worker_thread+0x96/0xe20
[ 57.199012][ T17] kthread+0x388/0x470
[ 57.203055][ T17] ret_from_fork+0x24/0x30
[ 57.207442][ T17]
[ 57.209765][ T17] The buggy address belongs to the object at ffff8880a6be3700
[ 57.209765][ T17] which belongs to the cache kmalloc-64 of size 64
[ 57.223632][ T17] The buggy address is located 0 bytes inside of
[ 57.223632][ T17] 64-byte region [ffff8880a6be3700, ffff8880a6be3740)
[ 57.236637][ T17] The buggy address belongs to the page:
[ 57.242262][ T17] page:ffffea00029af8c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 57.251347][ T17] flags: 0xfffe0000000200(slab)
[ 57.256180][ T17] raw: 00fffe0000000200 ffffea000258df48 ffffea00028e3588 ffff8880aa000380
[ 57.264745][ T17] raw: 0000000000000000 ffff8880a6be3000 0000000100000020 0000000000000000
[ 57.273309][ T17] page dumped because: kasan: bad access detected
[ 57.279714][ T17]
[ 57.282018][ T17] Memory state around the buggy address:
[ 57.287623][ T17] ffff8880a6be3600: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 57.295660][ T17] ffff8880a6be3680: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 57.303708][ T17] >ffff8880a6be3700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 57.311835][ T17] ^
[ 57.315894][ T17] ffff8880a6be3780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 57.323935][ T17] ffff8880a6be3800: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 57.331982][ T17] ==================================================================
[ 57.340019][ T17] Disabling lock debugging due to kernel taint
[ 57.348405][ T17] Kernel panic - not syncing: panic_on_warn set ...
[ 57.355005][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Tainted: G B 5.7.0-syzkaller #0
[ 57.364187][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.374250][ T17] Workqueue: usb_hub_wq hub_event
[ 57.379297][ T17] Call Trace:
[ 57.382624][ T17] dump_stack+0x188/0x20d
[ 57.386941][ T17] ? ax88172a_reset.cold+0x117/0x131
[ 57.392211][ T17] panic+0x2e3/0x75c
[ 57.396099][ T17] ? add_taint.cold+0x16/0x16
[ 57.400788][ T17] ? preempt_schedule_common+0x5e/0xc0
[ 57.406238][ T17] ? ax88172a_unbind+0x76/0xe7
[ 57.410978][ T17] ? ax88172a_unbind+0x76/0xe7
[ 57.415732][ T17] ? preempt_schedule_thunk+0x16/0x18
[ 57.421106][ T17] ? trace_hardirqs_on+0x55/0x230
[ 57.426172][ T17] ? ax88172a_unbind+0x76/0xe7
[ 57.430937][ T17] ? ax88172a_unbind+0x76/0xe7
[ 57.435766][ T17] end_report+0x4d/0x53
[ 57.439899][ T17] kasan_report.cold+0xd/0x37
[ 57.444548][ T17] ? ax88172a_unbind+0x76/0xe7
[ 57.449283][ T17] ? ax88172a_reset.cold+0x131/0x131
[ 57.454538][ T17] ax88172a_unbind+0x76/0xe7
[ 57.459194][ T17] usbnet_disconnect+0x145/0x270
[ 57.464103][ T17] usb_unbind_interface+0x1bd/0x8a0
[ 57.469276][ T17] ? __pm_runtime_idle+0xd1/0x320
[ 57.474271][ T17] ? usb_autoresume_device+0x60/0x60
[ 57.479541][ T17] device_release_driver_internal+0x432/0x500
[ 57.485587][ T17] bus_remove_device+0x2dc/0x4a0
[ 57.490515][ T17] device_del+0x481/0xd30
[ 57.494843][ T17] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 57.500792][ T17] ? device_link_remove+0x110/0x110
[ 57.505960][ T17] ? remove_intf_ep_devs+0x13f/0x1d0
[ 57.511217][ T17] usb_disable_device+0x211/0x690
[ 57.516211][ T17] usb_disconnect+0x284/0x8d0
[ 57.520877][ T17] hub_event+0x17ca/0x38f0
[ 57.525271][ T17] ? hub_port_debounce+0x260/0x260
[ 57.530369][ T17] ? __queue_work+0x730/0x1280
[ 57.535119][ T17] ? debug_smp_processor_id+0x2f/0x185
[ 57.540638][ T17] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 57.546167][ T17] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 57.552121][ T17] process_one_work+0x965/0x16a0
[ 57.557050][ T17] ? lock_release+0x800/0x800
[ 57.561700][ T17] ? pwq_dec_nr_in_flight+0x310/0x310
[ 57.567044][ T17] ? rwlock_bug.part.0+0x90/0x90
[ 57.571972][ T17] worker_thread+0x96/0xe20
[ 57.576455][ T17] ? process_one_work+0x16a0/0x16a0
[ 57.581625][ T17] kthread+0x388/0x470
[ 57.585675][ T17] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 57.591420][ T17] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 57.597219][ T17] ret_from_fork+0x24/0x30
[ 57.602755][ T17] Kernel Offset: disabled
[ 57.607186][ T17] Rebooting in 86400 seconds..