./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1445462085 <...> Warning: Permanently added '10.128.1.88' (ECDSA) to the list of known hosts. execve("./syz-executor1445462085", ["./syz-executor1445462085"], 0x7ffc1b4b64c0 /* 10 vars */) = 0 brk(NULL) = 0x555555e39000 brk(0x555555e39d00) = 0x555555e39d00 arch_prctl(ARCH_SET_FS, 0x555555e393c0) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor1445462085", 4096) = 28 brk(0x555555e5ad00) = 0x555555e5ad00 brk(0x555555e5b000) = 0x555555e5b000 mprotect(0x7f622d0cd000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGSEGV, {sa_handler=0x7f622d019f80, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f622d01ddc0}, NULL, 8) = 0 rt_sigaction(SIGBUS, {sa_handler=0x7f622d019f80, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f622d01ddc0}, NULL, 8) = 0 getpid() = 3487 mkdir("./syzkaller.nBif4R", 0700) = 0 chmod("./syzkaller.nBif4R", 0777) = 0 chdir("./syzkaller.nBif4R") = 0 mkdir("./0", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3488 attached [pid 3488] chdir("./0") = 0 [pid 3488] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3488] setpgid(0, 0) = 0 [pid 3488] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3488] write(3, "1000", 4) = 4 [pid 3488] close(3) = 0 [pid 3488] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3488] openat(AT_FDCWD, "/dev/raw-gadget", O_RDWR [pid 3487] <... clone resumed>, child_tidptr=0x555555e39690) = 3488 [pid 3488] <... openat resumed>) = 3 [pid 3488] ioctl(3, USB_RAW_IOCTL_INIT, 0x7ffcd9e6e4c0) = 0 [pid 3488] ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0 [pid 3488] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffcd9e6e4c0) = 0 [pid 3488] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffcd9e6e4c0) = 0 [ 115.792020][ T25] usb 1-1: new high-speed USB device number 2 using dummy_hcd [pid 3488] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffcd9e6d4b0) = 18 [pid 3488] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffcd9e6e4c0) = 0 [pid 3488] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffcd9e6d4b0) = 18 [pid 3488] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffcd9e6e4c0) = 0 [pid 3488] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffcd9e6d4b0) = 9 [pid 3488] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffcd9e6e4c0) = 0 [pid 3488] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffcd9e6d4b0) = 224 [ 116.202237][ T25] usb 1-1: config 0 has an invalid interface number: 72 but max is 0 [ 116.210554][ T25] usb 1-1: config 0 contains an unexpected descriptor of type 0x2, skipping [ 116.219468][ T25] usb 1-1: config 0 has an invalid interface association descriptor of length 2, skipping [ 116.229692][ T25] usb 1-1: config 0 has an invalid interface association descriptor of length 2, skipping [ 116.240075][ T25] usb 1-1: config 0 contains an unexpected descriptor of type 0x1, skipping [ 116.248977][ T25] usb 1-1: config 0 has no interface number 0 [ 116.255280][ T25] usb 1-1: config 0 interface 72 altsetting 0 has an invalid endpoint with address 0x80, skipping [ 116.266352][ T25] usb 1-1: config 0 interface 72 altsetting 0 endpoint 0xA has invalid maxpacket 1023, setting to 64 [ 116.277489][ T25] usb 1-1: config 0 interface 72 altsetting 0 endpoint 0x4 has invalid maxpacket 512, setting to 64 [ 116.288555][ T25] usb 1-1: config 0 interface 72 altsetting 0 has a duplicate endpoint with address 0xC, skipping [ 116.299481][ T25] usb 1-1: config 0 interface 72 altsetting 0 bulk endpoint 0x83 has invalid maxpacket 8 [ 116.309550][ T25] usb 1-1: config 0 interface 72 altsetting 0 has a duplicate endpoint with address 0x4, skipping [ 116.320431][ T25] usb 1-1: config 0 interface 72 altsetting 0 has a duplicate endpoint with address 0xC, skipping [ 116.331345][ T25] usb 1-1: config 0 interface 72 altsetting 0 has a duplicate endpoint with address 0x3, skipping [ 116.342263][ T25] usb 1-1: config 0 interface 72 altsetting 0 bulk endpoint 0x3 has invalid maxpacket 8 [pid 3488] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffcd9e6e4c0) = 0 [pid 3488] ioctl(3, USB_RAW_IOCTL_VBUS_DRAW, 0) = 0 [pid 3488] ioctl(3, USB_RAW_IOCTL_CONFIGURE, 0) = 0 [pid 3488] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f622d0d346c) = -1 EINVAL (Invalid argument) [ 116.352262][ T25] usb 1-1: config 0 interface 72 altsetting 0 endpoint 0x2 has invalid maxpacket 1023, setting to 64 [ 116.363402][ T25] usb 1-1: config 0 interface 72 altsetting 0 has a duplicate endpoint with address 0x3, skipping [ 116.374352][ T25] usb 1-1: New USB device found, idVendor=0846, idProduct=9010, bcdDevice=a0.e4 [ 116.383723][ T25] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 116.395382][ T25] usb 1-1: config 0 descriptor?? [pid 3488] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffcd9e6d4b0) = 0 [pid 3488] exit_group(0) = ? [ 116.592013][ T25] usb 1-1: reset high-speed USB device number 2 using dummy_hcd [pid 3488] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3488, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555555e3a6e0 /* 3 entries */, 32768) = 80 umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./0/binderfs") = 0 getdents64(3, 0x555555e3a6e0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555e39690) = 3491 ./strace-static-x86_64: Process 3491 attached [pid 3491] chdir("./1") = 0 [pid 3491] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3491] setpgid(0, 0) = 0 [pid 3491] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3491] write(3, "1000", 4) = 4 [pid 3491] close(3) = 0 [pid 3491] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3491] openat(AT_FDCWD, "/dev/raw-gadget", O_RDWR) = 3 [pid 3491] ioctl(3, USB_RAW_IOCTL_INIT, 0x7ffcd9e6e4c0) = 0 [pid 3491] ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0 [pid 3491] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffcd9e6e4c0) = 0 [ 117.042028][ T25] usb 1-1: device descriptor read/64, error -71 [pid 3491] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffcd9e6e4c0) = 0 [pid 3491] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffcd9e6d4b0) = 18 [ 117.322005][ T25] usb 1-1: reset high-speed USB device number 2 using dummy_hcd [pid 3491] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffcd9e6e4c0) = 0 [pid 3491] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffcd9e6d4b0) = 18 [pid 3491] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffcd9e6e4c0) = 0 [pid 3491] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffcd9e6d4b0) = 224 [pid 3491] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffcd9e6e4c0) = 0 [pid 3491] ioctl(3, USB_RAW_IOCTL_VBUS_DRAW, 0) = 0 [pid 3491] ioctl(3, USB_RAW_IOCTL_CONFIGURE, 0) = 0 [pid 3491] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f622d0d346c) = -1 EINVAL (Invalid argument) [pid 3491] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffcd9e6d4b0) = 0 [ 117.763954][ T120] usb 1-1: driver API: 1.9.9 2016-02-15 [1-1] [ 117.770470][ T120] usb 1-1: firmware API: 1.9.6 2012-07-07 [ 117.777799][ T120] ------------[ cut here ]------------ [ 117.783454][ T120] usb 1-1: BOGUS urb xfer, pipe 1 != type 3 [ 117.790517][ T120] WARNING: CPU: 0 PID: 120 at drivers/usb/core/urb.c:505 usb_submit_urb+0x19a2/0x2760 [ 117.800387][ T120] Modules linked in: [ 117.804511][ T120] CPU: 0 PID: 120 Comm: kworker/0:2 Not tainted 6.0.0-rc4-syzkaller-48209-gfaf04f9bcf05 #0 [ 117.814812][ T120] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 [ 117.825145][ T120] Workqueue: events request_firmware_work_func [ 117.831490][ T120] RIP: 0010:usb_submit_urb+0x19a2/0x2760 [ 117.837376][ T120] Code: ff 44 8b 28 85 db 4c 8b a5 00 ff ff ff 0f 85 cd 02 00 00 48 c7 c7 f8 9a dc 8e 48 8b 75 b8 48 8b 55 88 45 89 e8 e8 6e 2d 4e f9 <0f> 0b 44 8a ad 08 ff ff ff 48 8b 9d f0 fe ff ff 89 d8 44 89 e7 48 [ 117.857268][ T120] RSP: 0018:ffff888109ca7a10 EFLAGS: 00010246 [ 117.863666][ T120] RAX: 44fe977281a9e800 RBX: 0000000000000000 RCX: ffff888109c9a0c0 [ 117.871784][ T120] ===================================================== [ 117.878981][ T120] BUG: KMSAN: uninit-value in __show_regs+0xb20/0xc90 [ 117.886003][ T120] __show_regs+0xb20/0xc90 [ 117.890552][ T120] show_regs+0x6e/0xd0 [ 117.894778][ T120] __warn+0x242/0x580 [ 117.898889][ T120] report_bug+0x7ff/0xa10 [ 117.903360][ T120] handle_bug+0x41/0x70 [ 117.907617][ T120] exc_invalid_op+0x1b/0x50 [pid 3491] exit_group(0) = ? [ 117.912262][ T120] asm_exc_invalid_op+0x1b/0x20 [ 117.917257][ T120] usb_submit_urb+0x19a2/0x2760 [ 117.922307][ T120] carl9170_usb_init_device+0x35d/0xd30 [ 117.928014][ T120] carl9170_usb_firmware_step2+0x1d7/0x430 [ 117.934049][ T120] request_firmware_work_func+0x12c/0x240 [ 117.940176][ T120] process_one_work+0xb27/0x13e0 [ 117.945398][ T120] worker_thread+0x1076/0x1d60 [ 117.950311][ T120] kthread+0x31b/0x430 [ 117.954565][ T120] ret_from_fork+0x1f/0x30 [ 117.958059][ T2859] usb 1-1: USB disconnect, device number 2 [pid 3491] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3491, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555555e3a6e0 /* 3 entries */, 32768) = 80 umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 [ 117.959072][ T120] [ 117.959088][ T120] Local variable rf created at: [ 117.959112][ T120] __schedule+0x44/0x21d0 [ 117.976735][ T120] schedule+0x136/0x200 [ 117.981000][ T120] [ 117.983524][ T120] CPU: 0 PID: 120 Comm: kworker/0:2 Not tainted 6.0.0-rc4-syzkaller-48209-gfaf04f9bcf05 #0 [ 117.993687][ T120] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 [ 118.004121][ T120] Workqueue: events request_firmware_work_func unlink("./1/binderfs") = 0 getdents64(3, 0x555555e3a6e0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 [ 118.010440][ T120] ===================================================== [ 118.017541][ T120] Disabling lock debugging due to kernel taint [ 118.023831][ T120] Kernel panic - not syncing: kmsan.panic set ... [ 118.030329][ T120] CPU: 0 PID: 120 Comm: kworker/0:2 Tainted: G B 6.0.0-rc4-syzkaller-48209-gfaf04f9bcf05 #0 [ 118.041921][ T120] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 [ 118.052073][ T120] Workqueue: events request_firmware_work_func [ 118.058472][ T120] Call Trace: [ 118.061836][ T120] [ 118.064836][ T120] dump_stack_lvl+0x1c8/0x256 [ 118.069668][ T120] dump_stack+0x1a/0x1c [ 118.073958][ T120] panic+0x4d3/0xc69 [ 118.078007][ T120] kmsan_report+0x2cc/0x2d0 [ 118.082664][ T120] ? __msan_warning+0x92/0x110 [ 118.087553][ T120] ? __show_regs+0xb20/0xc90 [ 118.092281][ T120] ? show_regs+0x6e/0xd0 [ 118.096643][ T120] ? __warn+0x242/0x580 [ 118.100923][ T120] ? report_bug+0x7ff/0xa10 [ 118.105620][ T120] ? handle_bug+0x41/0x70 [ 118.110399][ T120] ? exc_invalid_op+0x1b/0x50 [ 118.115264][ T120] ? asm_exc_invalid_op+0x1b/0x20 [ 118.120442][ T120] ? usb_submit_urb+0x19a2/0x2760 [ 118.125600][ T120] ? carl9170_usb_init_device+0x35d/0xd30 [ 118.131486][ T120] ? carl9170_usb_firmware_step2+0x1d7/0x430 [ 118.137629][ T120] ? request_firmware_work_func+0x12c/0x240 [ 118.143656][ T120] ? process_one_work+0xb27/0x13e0 [ 118.148910][ T120] ? worker_thread+0x1076/0x1d60 [ 118.153973][ T120] ? kthread+0x31b/0x430 [ 118.158325][ T120] ? ret_from_fork+0x1f/0x30 [ 118.163037][ T120] ? kmsan_internal_set_shadow_origin+0x62/0xe0 [ 118.169424][ T120] ? vprintk_default+0x3a/0x50 [ 118.174328][ T120] ? vprintk+0xfa/0x110 [ 118.178609][ T120] ? _printk+0x160/0x19f [ 118.183000][ T120] ? kmsan_get_shadow_origin_ptr+0x49/0xa0 [ 118.188989][ T120] __msan_warning+0x92/0x110 [ 118.193722][ T120] __show_regs+0xb20/0xc90 [ 118.198301][ T120] show_regs+0x6e/0xd0 [ 118.202504][ T120] __warn+0x242/0x580 [ 118.206619][ T120] ? usb_submit_urb+0x19a2/0x2760 [ 118.211769][ T120] report_bug+0x7ff/0xa10 [ 118.216218][ T120] ? usb_submit_urb+0x19a2/0x2760 [ 118.221361][ T120] handle_bug+0x41/0x70 [ 118.225629][ T120] exc_invalid_op+0x1b/0x50 [ 118.230244][ T120] asm_exc_invalid_op+0x1b/0x20 [ 118.235228][ T120] RIP: 0010:usb_submit_urb+0x19a2/0x2760 [ 118.240980][ T120] Code: ff 44 8b 28 85 db 4c 8b a5 00 ff ff ff 0f 85 cd 02 00 00 48 c7 c7 f8 9a dc 8e 48 8b 75 b8 48 8b 55 88 45 89 e8 e8 6e 2d 4e f9 <0f> 0b 44 8a ad 08 ff ff ff 48 8b 9d f0 fe ff ff 89 d8 44 89 e7 48 [ 118.260715][ T120] RSP: 0018:ffff888109ca7a10 EFLAGS: 00010246 [ 118.266881][ T120] RAX: 44fe977281a9e800 RBX: 0000000000000000 RCX: ffff888109c9a0c0 [ 118.274963][ T120] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 118.283015][ T120] RBP: ffff888109ca7b30 R08: ffffffff817e4fc4 R09: ffffea000000000f [ 118.291084][ T120] R10: 0000000000000010 R11: 000000000fef1e80 R12: 0000000000000002 [ 118.299139][ T120] R13: 0000000000000003 R14: ffff888109c9ac18 R15: 0000000000000000 [ 118.307210][ T120] ? vprintk_emit+0x4c4/0x8d0 [ 118.312032][ T120] ? preempt_count_sub+0x7d/0x280 [ 118.317214][ T120] carl9170_usb_init_device+0x35d/0xd30 [ 118.322929][ T120] carl9170_usb_firmware_step2+0x1d7/0x430 [ 118.328901][ T120] request_firmware_work_func+0x12c/0x240 [ 118.334753][ T120] ? carl9170_usb_tasklet+0x360/0x360 [ 118.340268][ T120] ? request_firmware_nowait+0x6e0/0x6e0 [ 118.346022][ T120] process_one_work+0xb27/0x13e0 [ 118.351118][ T120] worker_thread+0x1076/0x1d60 [ 118.356017][ T120] ? kmsan_get_shadow_origin_ptr+0x49/0xa0 [ 118.361967][ T120] ? __kthread_parkme+0x110/0x1b0 [ 118.367110][ T120] kthread+0x31b/0x430 [ 118.371284][ T120] ? worker_clr_flags+0x2b0/0x2b0 [ 118.376451][ T120] ? kthread_blkcg+0x120/0x120 [ 118.381332][ T120] ret_from_fork+0x1f/0x30 [ 118.385895][ T120] [ 118.389127][ T120] Kernel Offset: disabled [ 118.393497][ T120] Rebooting in 86400 seconds..