[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.244' (ECDSA) to the list of known hosts.
syzkaller login: [ 48.396572][ T8373] IPVS: ftp: loaded support on port[0] = 21
[ 48.495714][ T8373] chnl_net:caif_netlink_parms(): no params data found
[ 48.542551][ T8373] bridge0: port 1(bridge_slave_0) entered blocking state
[ 48.550560][ T8373] bridge0: port 1(bridge_slave_0) entered disabled state
[ 48.559860][ T8373] device bridge_slave_0 entered promiscuous mode
[ 48.571596][ T8373] bridge0: port 2(bridge_slave_1) entered blocking state
[ 48.582618][ T8373] bridge0: port 2(bridge_slave_1) entered disabled state
[ 48.592460][ T8373] device bridge_slave_1 entered promiscuous mode
[ 48.613382][ T8373] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 48.624965][ T8373] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 48.649106][ T8373] team0: Port device team_slave_0 added
[ 48.656319][ T8373] team0: Port device team_slave_1 added
[ 48.674788][ T8373] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 48.681909][ T8373] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 48.709943][ T8373] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 48.724115][ T8373] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 48.732706][ T8373] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 48.760814][ T8373] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 48.787961][ T8373] device hsr_slave_0 entered promiscuous mode
[ 48.795538][ T8373] device hsr_slave_1 entered promiscuous mode
[ 48.889889][ T8373] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 48.903611][ T8373] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 48.912497][ T8373] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 48.925760][ T8373] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 48.949702][ T8373] bridge0: port 2(bridge_slave_1) entered blocking state
[ 48.956889][ T8373] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 48.964863][ T8373] bridge0: port 1(bridge_slave_0) entered blocking state
[ 48.972020][ T8373] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 49.015189][ T8373] 8021q: adding VLAN 0 to HW filter on device bond0
[ 49.030861][ T3151] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 49.041436][ T3151] bridge0: port 1(bridge_slave_0) entered disabled state
[ 49.050997][ T3151] bridge0: port 2(bridge_slave_1) entered disabled state
[ 49.060604][ T3151] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 49.074320][ T8373] 8021q: adding VLAN 0 to HW filter on device team0
[ 49.085773][ T3151] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 49.095203][ T3151] bridge0: port 1(bridge_slave_0) entered blocking state
[ 49.102346][ T3151] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 49.119481][ T4874] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 49.129012][ T4874] bridge0: port 2(bridge_slave_1) entered blocking state
[ 49.136410][ T4874] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 49.153692][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 49.163456][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 49.178459][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 49.193601][ T8373] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 49.205544][ T8373] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 49.221059][ T3151] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 49.230968][ T3151] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 49.240399][ T3151] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 49.258526][ T4874] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 49.266182][ T4874] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 49.280254][ T8373] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 49.299382][ T4874] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 49.325398][ T3151] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 49.335096][ T3151] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 49.344357][ T3151] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 49.355322][ T8373] device veth0_vlan entered promiscuous mode
[ 49.367657][ T8373] device veth1_vlan entered promiscuous mode
[ 49.387128][ T4874] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 49.395755][ T4874] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 49.404053][ T4874] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 49.415006][ T8373] device veth0_macvtap entered promiscuous mode
[ 49.425827][ T8373] device veth1_macvtap entered promiscuous mode
[ 49.444577][ T8373] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 49.453212][ T3151] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 49.466021][ T3151] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 49.478140][ T8373] batman_adv: batadv0: Interface activated: batadv_slave_1
executing program
[ 49.488361][ T8373] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 49.497169][ T8373] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 49.509152][ T8373] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 49.518014][ T8373] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 49.528537][ T3151] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 49.537060][ T3151] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 49.847628][ T3151] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 50.087504][ T3151] usb 1-1: Using ep0 maxpacket: 8
[ 50.207609][ T3151] usb 1-1: config 0 has an invalid interface number: 57 but max is 0
[ 50.215874][ T3151] usb 1-1: config 0 has no interface number 0
[ 50.377994][ T3151] usb 1-1: New USB device found, idVendor=9022, idProduct=d421, bcdDevice=d3.e1
[ 50.387063][ T3151] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 50.396476][ T3151] usb 1-1: Product: syz
[ 50.400816][ T3151] usb 1-1: Manufacturer: syz
[ 50.405423][ T3151] usb 1-1: SerialNumber: syz
[ 50.414901][ T3151] usb 1-1: config 0 descriptor??
[ 50.460512][ T3151] dw2102: su3000_identify_state
[ 50.465569][ T3151] dvb-usb: found a 'TeVii S421 PCI' in warm state.
[ 50.474965][ T3151] dw2102: su3000_power_ctrl: 1, initialized 0
[ 50.481468][ T3151] dvb-usb: bulk message failed: -22 (2/0)
[ 50.493017][ T3151] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[ 50.517662][ T3151] dvbdev: DVB: registering new adapter (TeVii S421 PCI)
[ 50.524753][ T3151] usb 1-1: media controller created
[ 50.533298][ T3151] dvb-usb: bulk message failed: -22 (6/0)
[ 50.539312][ T3151] dw2102: i2c transfer failed.
[ 50.544350][ T3151] dvb-usb: bulk message failed: -22 (6/0)
[ 50.552048][ T3151] dw2102: i2c transfer failed.
[ 50.557036][ T3151] dvb-usb: bulk message failed: -22 (6/0)
[ 50.563100][ T3151] dw2102: i2c transfer failed.
[ 50.568032][ T3151] dvb-usb: bulk message failed: -22 (6/0)
[ 50.573759][ T3151] dw2102: i2c transfer failed.
[ 50.578632][ T3151] dvb-usb: bulk message failed: -22 (6/0)
[ 50.584353][ T3151] dw2102: i2c transfer failed.
[ 50.589588][ T3151] dvb-usb: bulk message failed: -22 (6/0)
[ 50.595322][ T3151] dw2102: i2c transfer failed.
[ 50.600513][ T3151] dvb-usb: MAC address: 02:02:02:02:02:02
[ 50.610120][ T3151] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
[ 50.639340][ T3151] dvb-usb: bulk message failed: -22 (1/0)
[ 50.645109][ T3151] dw2102: command 0x51 transfer failed.
[ 50.688657][ T3151] DVB: Unable to find symbol m88rs2000_attach()
[ 50.694940][ T3151] dvb-usb: no frontend was attached by 'TeVii S421 PCI'
[ 50.788645][ T3151] rc_core: IR keymap rc-su3000 not found
[ 50.794318][ T3151] Registered IR keymap rc-empty
[ 50.810021][ T3151] rc rc0: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0
[ 50.832709][ T3151] input: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input5
[ 50.860432][ T3151] dvb-usb: schedule remote query interval to 150 msecs.
[ 50.877231][ T3151] dw2102: su3000_power_ctrl: 0, initialized 1
[ 50.883378][ T3151] dvb-usb: TeVii S421 PCI successfully initialized and connected.
[ 50.912445][ T3151] usb 1-1: USB disconnect, device number 2
[ 50.930138][ T3151] ==================================================================
[ 50.938593][ T3151] BUG: KASAN: use-after-free in dvb_usb_device_exit+0xd2/0x120
[ 50.946145][ T3151] Read of size 8 at addr ffff8881413622e8 by task kworker/0:3/3151
[ 50.954019][ T3151]
[ 50.956330][ T3151] CPU: 0 PID: 3151 Comm: kworker/0:3 Not tainted 5.12.0-rc6-syzkaller #0
[ 50.964820][ T3151] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.974960][ T3151] Workqueue: usb_hub_wq hub_event
[ 50.980156][ T3151] Call Trace:
[ 50.983438][ T3151] dump_stack+0x176/0x24e
[ 50.987762][ T3151] print_address_description+0x5f/0x3a0
[ 50.993423][ T3151] kasan_report+0x15c/0x200
[ 50.997943][ T3151] ? dvb_usb_device_exit+0xd2/0x120
[ 51.003131][ T3151] ? _raw_spin_unlock_irqrestore+0x3f/0xc0
[ 51.008921][ T3151] dvb_usb_device_exit+0xd2/0x120
[ 51.013927][ T3151] ? _raw_spin_unlock_irqrestore+0x7f/0xc0
[ 51.019902][ T3151] usb_unbind_interface+0x1f2/0x860
[ 51.025112][ T3151] ? usb_driver_release_interface+0x1c0/0x1c0
[ 51.031185][ T3151] device_release_driver_internal+0x51e/0x7b0
[ 51.037252][ T3151] bus_remove_device+0x300/0x420
[ 51.042267][ T3151] device_del+0x5e1/0xa90
[ 51.046596][ T3151] usb_disable_device+0x407/0x800
[ 51.051610][ T3151] usb_disconnect+0x33a/0x8a0
[ 51.056274][ T3151] hub_port_connect+0x214/0x25b0
[ 51.061207][ T3151] ? hub_port_connect_change+0x5b4/0xab0
[ 51.066825][ T3151] ? hub_port_connect_change+0x5b4/0xab0
[ 51.072458][ T3151] ? __mutex_unlock_slowpath+0x12d/0x520
[ 51.078078][ T3151] hub_port_connect_change+0x5c6/0xab0
[ 51.083559][ T3151] ? hub_handle_remote_wakeup+0x18d/0x3f0
[ 51.089261][ T3151] port_event+0xa6f/0x10b0
[ 51.093675][ T3151] ? hub_event+0x40b/0xcb0
[ 51.098070][ T3151] ? _raw_spin_unlock_irq+0x1f/0x40
[ 51.103744][ T3151] hub_event+0x417/0xcb0
[ 51.107978][ T3151] ? rcu_read_lock_sched_held+0x41/0xb0
[ 51.113522][ T3151] process_one_work+0x789/0xfd0
[ 51.118382][ T3151] worker_thread+0xe28/0x1300
[ 51.123072][ T3151] ? __kthread_parkme+0x148/0x190
[ 51.128278][ T3151] ? rcu_lock_release+0x20/0x20
[ 51.133142][ T3151] kthread+0x39a/0x3c0
[ 51.137214][ T3151] ? rcu_lock_release+0x20/0x20
[ 51.142077][ T3151] ? kthread_blkcg+0xd0/0xd0
[ 51.146657][ T3151] ret_from_fork+0x1f/0x30
[ 51.151080][ T3151]
[ 51.153399][ T3151] Allocated by task 6402:
[ 51.157790][ T3151] ____kasan_kmalloc+0xc2/0xf0
[ 51.162597][ T3151] __kmalloc+0xb4/0x380
[ 51.166766][ T3151] tomoyo_realpath_from_path+0xd8/0x610
[ 51.172372][ T3151] tomoyo_path_perm+0x191/0x570
[ 51.177489][ T3151] security_inode_getattr+0xc0/0x140
[ 51.184152][ T3151] vfs_statx+0xe8/0x320
[ 51.188704][ T3151] __x64_sys_newlstat+0x81/0xd0
[ 51.194182][ T3151] do_syscall_64+0x2d/0x70
[ 51.198610][ T3151] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 51.205446][ T3151]
[ 51.207753][ T3151] Freed by task 3151:
[ 51.211710][ T3151] kasan_set_track+0x3d/0x70
[ 51.216330][ T3151] kasan_set_free_info+0x1f/0x40
[ 51.221326][ T3151] ____kasan_slab_free+0x100/0x140
[ 51.226453][ T3151] slab_free_freelist_hook+0x171/0x270
[ 51.232278][ T3151] kfree+0xcf/0x2d0
[ 51.236085][ T3151] dw2102_probe+0x5b3/0x620
[ 51.240580][ T3151] usb_probe_interface+0x632/0xb30
[ 51.245689][ T3151] really_probe+0x4ab/0x13d0
[ 51.250259][ T3151] driver_probe_device+0x15a/0x310
[ 51.255350][ T3151] bus_for_each_drv+0x108/0x170
[ 51.260195][ T3151] __device_attach+0x2cb/0x480
[ 51.264940][ T3151] bus_probe_device+0xb8/0x1f0
[ 51.269695][ T3151] device_add+0x1240/0x1670
[ 51.274200][ T3151] usb_set_configuration+0x1a86/0x2100
[ 51.279670][ T3151] usb_generic_driver_probe+0x83/0x140
[ 51.285141][ T3151] usb_probe_device+0x13a/0x260
[ 51.290078][ T3151] really_probe+0x4ab/0x13d0
[ 51.294665][ T3151] driver_probe_device+0x15a/0x310
[ 51.299781][ T3151] bus_for_each_drv+0x108/0x170
[ 51.304623][ T3151] __device_attach+0x2cb/0x480
[ 51.309371][ T3151] bus_probe_device+0xb8/0x1f0
[ 51.314128][ T3151] device_add+0x1240/0x1670
[ 51.318709][ T3151] usb_new_device+0xcda/0x1730
[ 51.323455][ T3151] hub_port_connect+0xffb/0x25b0
[ 51.328369][ T3151] hub_port_connect_change+0x5c6/0xab0
[ 51.333810][ T3151] port_event+0xa6f/0x10b0
[ 51.338217][ T3151] hub_event+0x417/0xcb0
[ 51.342435][ T3151] process_one_work+0x789/0xfd0
[ 51.347266][ T3151] worker_thread+0xac1/0x1300
[ 51.351923][ T3151] kthread+0x39a/0x3c0
[ 51.355985][ T3151] ret_from_fork+0x1f/0x30
[ 51.360383][ T3151]
[ 51.362695][ T3151] The buggy address belongs to the object at ffff888141362000
[ 51.362695][ T3151] which belongs to the cache kmalloc-4k of size 4096
[ 51.376810][ T3151] The buggy address is located 744 bytes inside of
[ 51.376810][ T3151] 4096-byte region [ffff888141362000, ffff888141363000)
[ 51.390152][ T3151] The buggy address belongs to the page:
[ 51.395768][ T3151] page:ffffea000504d800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x141360
[ 51.405983][ T3151] head:ffffea000504d800 order:3 compound_mapcount:0 compound_pincount:0
[ 51.414286][ T3151] flags: 0x57ff00000010200(slab|head)
[ 51.419643][ T3151] raw: 057ff00000010200 dead000000000100 dead000000000122 ffff888010842140
[ 51.428206][ T3151] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 51.436763][ T3151] page dumped because: kasan: bad access detected
[ 51.443201][ T3151]
[ 51.445504][ T3151] Memory state around the buggy address:
[ 51.451110][ T3151] ffff888141362180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.459247][ T3151] ffff888141362200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.467295][ T3151] >ffff888141362280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.475450][ T3151] ^
[ 51.482896][ T3151] ffff888141362300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.490950][ T3151] ffff888141362380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.498988][ T3151] ==================================================================
[ 51.507051][ T3151] Disabling lock debugging due to kernel taint
[ 51.518667][ T3151] Kernel panic - not syncing: panic_on_warn set ...
[ 51.525280][ T3151] CPU: 0 PID: 3151 Comm: kworker/0:3 Tainted: G B 5.12.0-rc6-syzkaller #0
[ 51.535086][ T3151] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.545464][ T3151] Workqueue: usb_hub_wq hub_event
[ 51.550476][ T3151] Call Trace:
[ 51.553737][ T3151] dump_stack+0x176/0x24e
[ 51.558047][ T3151] panic+0x291/0x800
[ 51.561922][ T3151] ? preempt_schedule_thunk+0x16/0x18
[ 51.567269][ T3151] ? trace_hardirqs_on+0x30/0x80
[ 51.572185][ T3151] kasan_report+0x1ff/0x200
[ 51.576662][ T3151] ? dvb_usb_device_exit+0xd2/0x120
[ 51.581833][ T3151] ? _raw_spin_unlock_irqrestore+0x3f/0xc0
[ 51.587635][ T3151] dvb_usb_device_exit+0xd2/0x120
[ 51.592633][ T3151] ? _raw_spin_unlock_irqrestore+0x7f/0xc0
[ 51.598425][ T3151] usb_unbind_interface+0x1f2/0x860
[ 51.603625][ T3151] ? usb_driver_release_interface+0x1c0/0x1c0
[ 51.609674][ T3151] device_release_driver_internal+0x51e/0x7b0
[ 51.615728][ T3151] bus_remove_device+0x300/0x420
[ 51.620641][ T3151] device_del+0x5e1/0xa90
[ 51.624946][ T3151] usb_disable_device+0x407/0x800
[ 51.629946][ T3151] usb_disconnect+0x33a/0x8a0
[ 51.634601][ T3151] hub_port_connect+0x214/0x25b0
[ 51.639514][ T3151] ? hub_port_connect_change+0x5b4/0xab0
[ 51.645206][ T3151] ? hub_port_connect_change+0x5b4/0xab0
[ 51.650825][ T3151] ? __mutex_unlock_slowpath+0x12d/0x520
[ 51.656444][ T3151] hub_port_connect_change+0x5c6/0xab0
[ 51.661880][ T3151] ? hub_handle_remote_wakeup+0x18d/0x3f0
[ 51.667575][ T3151] port_event+0xa6f/0x10b0
[ 51.671984][ T3151] ? hub_event+0x40b/0xcb0
[ 51.676372][ T3151] ? _raw_spin_unlock_irq+0x1f/0x40
[ 51.681546][ T3151] hub_event+0x417/0xcb0
[ 51.685777][ T3151] ? rcu_read_lock_sched_held+0x41/0xb0
[ 51.691321][ T3151] process_one_work+0x789/0xfd0
[ 51.696158][ T3151] worker_thread+0xe28/0x1300
[ 51.700813][ T3151] ? __kthread_parkme+0x148/0x190
[ 51.705813][ T3151] ? rcu_lock_release+0x20/0x20
[ 51.710638][ T3151] kthread+0x39a/0x3c0
[ 51.714680][ T3151] ? rcu_lock_release+0x20/0x20
[ 51.719504][ T3151] ? kthread_blkcg+0xd0/0xd0
[ 51.724079][ T3151] ret_from_fork+0x1f/0x30
[ 51.729235][ T3151] Kernel Offset: disabled
[ 51.733559][ T3151] Rebooting in 86400 seconds..