[info] Using makefile-style concurrent boot in runlevel 2.
[ 15.406918][ C0] random: crng init done
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.132' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 41.911238][ T21] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 42.151206][ T21] usb 1-1: Using ep0 maxpacket: 8
[ 42.271279][ T21] usb 1-1: config 0 has an invalid interface number: 225 but max is 0
[ 42.279583][ T21] usb 1-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config
[ 42.289778][ T21] usb 1-1: config 0 has no interface number 0
[ 42.296000][ T21] usb 1-1: config 0 interface 225 altsetting 0 bulk endpoint 0x81 has invalid maxpacket 29
[ 42.307027][ T21] usb 1-1: New USB device found, idVendor=04d8, idProduct=0a30, bcdDevice=33.30
[ 42.316100][ T21] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 42.325216][ T21] usb 1-1: config 0 descriptor??
[ 42.364549][ T21] mcba_usb 1-1:0.225 can0: failed tx_urb -2
[ 42.370659][ T21] mcba_usb 1-1:0.225 can0: Failed to send cmd (169)
[ 42.377540][ T21] mcba_usb 1-1:0.225 can0: failed tx_urb -2
[ 42.384008][ T21] mcba_usb 1-1:0.225 can0: Failed to send cmd (169)
[ 42.390605][ T21] mcba_usb 1-1:0.225: Microchip CAN BUS Analyzer connected
executing program
[ 42.542736][ T21] usb 1-1: USB disconnect, device number 2
[ 42.549974][ T21] mcba_usb 1-1:0.225 can0: device disconnected
[ 42.631628][ T21] ==================================================================
[ 42.651446][ T21] BUG: KASAN: use-after-free in __lock_acquire+0x3a5d/0x5340
[ 42.658976][ T21] Read of size 8 at addr ffff8881cf4d0ec8 by task kworker/1:1/21
[ 42.666795][ T21]
[ 42.669114][ T21] CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 5.2.0-rc6+ #13
[ 42.676554][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.686790][ T21] Workqueue: usb_hub_wq hub_event
[ 42.691801][ T21] Call Trace:
[ 42.695225][ T21] dump_stack+0xca/0x13e
[ 42.699758][ T21] ? __lock_acquire+0x3a5d/0x5340
[ 42.704977][ T21] ? __lock_acquire+0x3a5d/0x5340
[ 42.710052][ T21] print_address_description+0x67/0x231
[ 42.715631][ T21] ? __lock_acquire+0x3a5d/0x5340
[ 42.720651][ T21] ? __lock_acquire+0x3a5d/0x5340
[ 42.725838][ T21] __kasan_report.cold+0x1a/0x32
[ 42.730874][ T21] ? free_netdev+0x2e0/0x420
[ 42.735562][ T21] ? __lock_acquire+0x3a5d/0x5340
[ 42.740579][ T21] kasan_report+0xe/0x20
[ 42.745211][ T21] __lock_acquire+0x3a5d/0x5340
[ 42.750154][ T21] ? worker_thread+0x96/0xe20
[ 42.754807][ T21] ? kthread+0x30b/0x410
[ 42.759075][ T21] ? ret_from_fork+0x24/0x30
[ 42.763661][ T21] ? find_held_lock+0x2d/0x110
[ 42.768413][ T21] ? debug_check_no_obj_freed+0x20a/0x42e
[ 42.774119][ T21] ? mark_held_locks+0xe0/0xe0
[ 42.778911][ T21] ? mark_held_locks+0x9f/0xe0
[ 42.783666][ T21] ? lockdep_hardirqs_on+0x379/0x580
[ 42.788939][ T21] ? quarantine_put+0xb2/0x150
[ 42.793691][ T21] ? lockdep_hardirqs_on+0x379/0x580
[ 42.798966][ T21] lock_acquire+0x100/0x2b0
[ 42.803455][ T21] ? usb_kill_anchored_urbs+0x1e/0x110
[ 42.809037][ T21] ? kobject_put+0x18c/0x280
[ 42.813616][ T21] _raw_spin_lock_irq+0x2d/0x40
[ 42.818448][ T21] ? usb_kill_anchored_urbs+0x1e/0x110
[ 42.823890][ T21] usb_kill_anchored_urbs+0x1e/0x110
[ 42.829506][ T21] mcba_usb_disconnect+0xd6/0xe4
[ 42.834563][ T21] usb_unbind_interface+0x1bd/0x8a0
[ 42.839808][ T21] ? usb_autoresume_device+0x60/0x60
[ 42.845130][ T21] device_release_driver_internal+0x404/0x4c0
[ 42.851190][ T21] bus_remove_device+0x2dc/0x4a0
[ 42.856119][ T21] device_del+0x460/0xb80
[ 42.860436][ T21] ? __device_links_no_driver+0x240/0x240
[ 42.866148][ T21] ? usb_remove_ep_devs+0x3e/0x80
[ 42.871161][ T21] ? remove_intf_ep_devs+0x13f/0x1d0
[ 42.876487][ T21] usb_disable_device+0x211/0x690
[ 42.881508][ T21] usb_disconnect+0x284/0x830
[ 42.886225][ T21] hub_event+0x1409/0x3590
[ 42.891094][ T21] ? hub_port_debounce+0x260/0x260
[ 42.896196][ T21] process_one_work+0x905/0x1570
[ 42.901244][ T21] ? pwq_dec_nr_in_flight+0x310/0x310
[ 42.906606][ T21] ? do_raw_spin_lock+0x11a/0x280
[ 42.911631][ T21] worker_thread+0x96/0xe20
[ 42.916167][ T21] ? process_one_work+0x1570/0x1570
[ 42.921555][ T21] kthread+0x30b/0x410
[ 42.925935][ T21] ? kthread_park+0x1a0/0x1a0
[ 42.931373][ T21] ret_from_fork+0x24/0x30
[ 42.935763][ T21]
[ 42.938098][ T21] Allocated by task 21:
[ 42.942245][ T21] save_stack+0x1b/0x80
[ 42.946392][ T21] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 42.952053][ T21] kvmalloc_node+0x61/0xf0
[ 42.956469][ T21] alloc_netdev_mqs+0x97/0xce0
[ 42.961226][ T21] alloc_candev_mqs+0x58/0x320
[ 42.965978][ T21] mcba_usb_probe+0xaf/0xbca
[ 42.970565][ T21] usb_probe_interface+0x305/0x7a0
[ 42.975665][ T21] really_probe+0x281/0x660
[ 42.980150][ T21] driver_probe_device+0x104/0x210
[ 42.985246][ T21] __device_attach_driver+0x1c2/0x220
[ 42.990602][ T21] bus_for_each_drv+0x15c/0x1e0
[ 42.995440][ T21] __device_attach+0x217/0x360
[ 43.000184][ T21] bus_probe_device+0x1e4/0x290
[ 43.005123][ T21] device_add+0xae6/0x16f0
[ 43.009529][ T21] usb_set_configuration+0xdf6/0x1670
[ 43.014898][ T21] generic_probe+0x9d/0xd5
[ 43.019426][ T21] usb_probe_device+0x99/0x100
[ 43.024169][ T21] really_probe+0x281/0x660
[ 43.028655][ T21] driver_probe_device+0x104/0x210
[ 43.033754][ T21] __device_attach_driver+0x1c2/0x220
[ 43.039115][ T21] bus_for_each_drv+0x15c/0x1e0
[ 43.044146][ T21] __device_attach+0x217/0x360
[ 43.048906][ T21] bus_probe_device+0x1e4/0x290
[ 43.053969][ T21] device_add+0xae6/0x16f0
[ 43.058380][ T21] usb_new_device.cold+0x8c1/0x1016
[ 43.063569][ T21] hub_event+0x1ada/0x3590
[ 43.068074][ T21] process_one_work+0x905/0x1570
[ 43.073007][ T21] worker_thread+0x96/0xe20
[ 43.077540][ T21] kthread+0x30b/0x410
[ 43.081948][ T21] ret_from_fork+0x24/0x30
[ 43.086345][ T21]
[ 43.088659][ T21] Freed by task 21:
[ 43.092468][ T21] save_stack+0x1b/0x80
[ 43.096600][ T21] __kasan_slab_free+0x130/0x180
[ 43.101525][ T21] kfree+0xd7/0x280
[ 43.105326][ T21] kvfree+0x59/0x60
[ 43.109309][ T21] device_release+0x71/0x200
[ 43.113888][ T21] kobject_put+0x171/0x280
[ 43.118301][ T21] put_device+0x1b/0x30
[ 43.122449][ T21] free_netdev+0x317/0x420
[ 43.126862][ T21] mcba_usb_disconnect+0xca/0xe4
[ 43.131959][ T21] usb_unbind_interface+0x1bd/0x8a0
[ 43.137149][ T21] device_release_driver_internal+0x404/0x4c0
[ 43.143208][ T21] bus_remove_device+0x2dc/0x4a0
[ 43.148171][ T21] device_del+0x460/0xb80
[ 43.152531][ T21] usb_disable_device+0x211/0x690
[ 43.157545][ T21] usb_disconnect+0x284/0x830
[ 43.162201][ T21] hub_event+0x1409/0x3590
[ 43.166597][ T21] process_one_work+0x905/0x1570
[ 43.171592][ T21] worker_thread+0x96/0xe20
[ 43.176085][ T21] kthread+0x30b/0x410
[ 43.180145][ T21] ret_from_fork+0x24/0x30
[ 43.184541][ T21]
[ 43.186876][ T21] The buggy address belongs to the object at ffff8881cf4d0000
[ 43.186876][ T21] which belongs to the cache kmalloc-4k of size 4096
[ 43.200918][ T21] The buggy address is located 3784 bytes inside of
[ 43.200918][ T21] 4096-byte region [ffff8881cf4d0000, ffff8881cf4d1000)
[ 43.214456][ T21] The buggy address belongs to the page:
[ 43.220080][ T21] page:ffffea00073d3400 refcount:1 mapcount:0 mapping:ffff8881dac02600 index:0x0 compound_mapcount: 0
[ 43.231036][ T21] flags: 0x200000000010200(slab|head)
[ 43.236405][ T21] raw: 0200000000010200 0000000000000000 0000000100000001 ffff8881dac02600
[ 43.245041][ T21] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 43.253616][ T21] page dumped because: kasan: bad access detected
[ 43.260009][ T21]
[ 43.262318][ T21] Memory state around the buggy address:
[ 43.268171][ T21] ffff8881cf4d0d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.276222][ T21] ffff8881cf4d0e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.284315][ T21] >ffff8881cf4d0e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.292364][ T21] ^
[ 43.298766][ T21] ffff8881cf4d0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.306864][ T21] ffff8881cf4d0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.315029][ T21] ==================================================================
[ 43.323076][ T21] Disabling lock debugging due to kernel taint
[ 43.329321][ T21] Kernel panic - not syncing: panic_on_warn set ...
[ 43.335911][ T21] CPU: 1 PID: 21 Comm: kworker/1:1 Tainted: G B 5.2.0-rc6+ #13
[ 43.344843][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.354898][ T21] Workqueue: usb_hub_wq hub_event
[ 43.359907][ T21] Call Trace:
[ 43.363186][ T21] dump_stack+0xca/0x13e
[ 43.367563][ T21] panic+0x292/0x6c9
[ 43.371550][ T21] ? __warn_printk+0xf3/0xf3
[ 43.376143][ T21] ? lock_downgrade+0x630/0x630
[ 43.380987][ T21] ? print_shadow_for_address+0xb8/0x114
[ 43.386713][ T21] ? trace_hardirqs_off+0x50/0x1c0
[ 43.392768][ T21] ? __lock_acquire+0x3a5d/0x5340
[ 43.397776][ T21] end_report+0x43/0x49
[ 43.401924][ T21] ? __lock_acquire+0x3a5d/0x5340
[ 43.406942][ T21] __kasan_report.cold+0xd/0x32
[ 43.411779][ T21] ? free_netdev+0x2e0/0x420
[ 43.416509][ T21] ? __lock_acquire+0x3a5d/0x5340
[ 43.421521][ T21] kasan_report+0xe/0x20
[ 43.425751][ T21] __lock_acquire+0x3a5d/0x5340
[ 43.430592][ T21] ? worker_thread+0x96/0xe20
[ 43.435258][ T21] ? kthread+0x30b/0x410
[ 43.439528][ T21] ? ret_from_fork+0x24/0x30
[ 43.444154][ T21] ? find_held_lock+0x2d/0x110
[ 43.448905][ T21] ? debug_check_no_obj_freed+0x20a/0x42e
[ 43.454620][ T21] ? mark_held_locks+0xe0/0xe0
[ 43.459403][ T21] ? mark_held_locks+0x9f/0xe0
[ 43.464361][ T21] ? lockdep_hardirqs_on+0x379/0x580
[ 43.469697][ T21] ? quarantine_put+0xb2/0x150
[ 43.474495][ T21] ? lockdep_hardirqs_on+0x379/0x580
[ 43.479809][ T21] lock_acquire+0x100/0x2b0
[ 43.484343][ T21] ? usb_kill_anchored_urbs+0x1e/0x110
[ 43.489832][ T21] ? kobject_put+0x18c/0x280
[ 43.494450][ T21] _raw_spin_lock_irq+0x2d/0x40
[ 43.499291][ T21] ? usb_kill_anchored_urbs+0x1e/0x110
[ 43.504733][ T21] usb_kill_anchored_urbs+0x1e/0x110
[ 43.510042][ T21] mcba_usb_disconnect+0xd6/0xe4
[ 43.515112][ T21] usb_unbind_interface+0x1bd/0x8a0
[ 43.520302][ T21] ? usb_autoresume_device+0x60/0x60
[ 43.525571][ T21] device_release_driver_internal+0x404/0x4c0
[ 43.531730][ T21] bus_remove_device+0x2dc/0x4a0
[ 43.536653][ T21] device_del+0x460/0xb80
[ 43.540961][ T21] ? __device_links_no_driver+0x240/0x240
[ 43.546769][ T21] ? usb_remove_ep_devs+0x3e/0x80
[ 43.551872][ T21] ? remove_intf_ep_devs+0x13f/0x1d0
[ 43.557141][ T21] usb_disable_device+0x211/0x690
[ 43.562198][ T21] usb_disconnect+0x284/0x830
[ 43.566872][ T21] hub_event+0x1409/0x3590
[ 43.571318][ T21] ? hub_port_debounce+0x260/0x260
[ 43.576463][ T21] process_one_work+0x905/0x1570
[ 43.581602][ T21] ? pwq_dec_nr_in_flight+0x310/0x310
[ 43.587175][ T21] ? do_raw_spin_lock+0x11a/0x280
[ 43.592189][ T21] worker_thread+0x96/0xe20
[ 43.596727][ T21] ? process_one_work+0x1570/0x1570
[ 43.602133][ T21] kthread+0x30b/0x410
[ 43.606191][ T21] ? kthread_park+0x1a0/0x1a0
[ 43.610870][ T21] ret_from_fork+0x24/0x30
[ 43.615675][ T21] Kernel Offset: disabled
[ 43.620169][ T21] Rebooting in 86400 seconds..