Starting Update UTMP about System Runlevel Changes...
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.73' (ECDSA) to the list of known hosts.

syzkaller login: [ 18.603511][ C0] random: crng init done
[ 18.607779][ C0] random: 7 urandom warning(s) missed due to ratelimiting
executing program
[ 19.034365][ T138] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 19.393822][ T138] usb 1-1: config 0 has an invalid interface number: 40 but max is 0
[ 19.401994][ T138] usb 1-1: config 0 has no interface number 0
[ 19.409026][ T138] usb 1-1: config 0 interface 40 altsetting 253 bulk endpoint 0x5 has invalid maxpacket 64
[ 19.419084][ T138] usb 1-1: config 0 interface 40 altsetting 253 bulk endpoint 0x8B has invalid maxpacket 1023
[ 19.429384][ T138] usb 1-1: config 0 interface 40 has no altsetting 0
[ 19.436129][ T138] usb 1-1: New USB device found, idVendor=50c2, idProduct=4013, bcdDevice= 7.d0
[ 19.445197][ T138] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 19.455781][ T138] usb 1-1: config 0 descriptor??
[ 19.473852][ T344] raw-gadget gadget: fail, usb_ep_enable returned -22
[ 19.480670][ T344] raw-gadget gadget: fail, usb_ep_enable returned -22
[ 19.495923][ T138] ==================================================================
[ 19.504084][ T138] BUG: KASAN: slab-out-of-bounds in prism2sta_probe_usb+0x26c/0x810
[ 19.512036][ T138] Read of size 1 at addr ffff8881cc0c85a3 by task kworker/0:3/138
[ 19.519934][ T138]
[ 19.522250][ T138] CPU: 0 PID: 138 Comm: kworker/0:3 Not tainted 5.8.0-rc7-syzkaller #0
[ 19.530489][ T138] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 19.540529][ T138] Workqueue: usb_hub_wq hub_event
[ 19.545573][ T138] Call Trace:
[ 19.548841][ T138] dump_stack+0xf6/0x16e
[ 19.553073][ T138] ? prism2sta_probe_usb+0x26c/0x810
[ 19.558345][ T138] ? prism2sta_probe_usb+0x26c/0x810
[ 19.563609][ T138] print_address_description.constprop.0+0x1a/0x210
[ 19.570178][ T138] ? vprintk_func+0x93/0x133
[ 19.574746][ T138] ? prism2sta_probe_usb+0x26c/0x810
[ 19.580004][ T138] kasan_report.cold+0x37/0x7c
[ 19.584744][ T138] ? prism2sta_probe_usb+0x26c/0x810
[ 19.590028][ T138] prism2sta_probe_usb+0x26c/0x810
[ 19.595114][ T138] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 19.600912][ T138] ? lockdep_hardirqs_on_prepare+0x370/0x550
[ 19.606867][ T138] ? trace_hardirqs_on+0x5f/0x200
[ 19.611876][ T138] ? prism2sta_mlmerequest+0xce0/0xce0
[ 19.617317][ T138] ? __pm_runtime_set_status+0x48a/0xc30
[ 19.622932][ T138] usb_probe_interface+0x315/0x7f0
[ 19.628018][ T138] ? usb_device_match+0x300/0x300
[ 19.634145][ T138] really_probe+0x291/0xc90
[ 19.638620][ T138] driver_probe_device+0x26b/0x3d0
[ 19.643717][ T138] __device_attach_driver+0x1d1/0x290
[ 19.649060][ T138] ? driver_allows_async_probing+0x150/0x150
[ 19.655022][ T138] bus_for_each_drv+0x15f/0x1e0
[ 19.659854][ T138] ? bus_for_each_dev+0x1d0/0x1d0
[ 19.664852][ T138] __device_attach+0x28d/0x430
[ 19.669589][ T138] ? really_probe+0xc90/0xc90
[ 19.674253][ T138] ? kobject_uevent_env+0x2b4/0x1540
[ 19.679509][ T138] bus_probe_device+0x1e4/0x290
[ 19.684333][ T138] device_add+0xb09/0x1c10
[ 19.688732][ T138] ? device_check_offline+0x280/0x280
[ 19.694088][ T138] ? trace_hardirqs_on+0x5f/0x200
[ 19.699102][ T138] usb_set_configuration+0xf05/0x18a0
[ 19.704463][ T138] usb_generic_driver_probe+0xba/0xf2
[ 19.709822][ T138] usb_probe_device+0xd9/0x250
[ 19.714584][ T138] ? usb_driver_release_interface+0x180/0x180
[ 19.720645][ T138] really_probe+0x291/0xc90
[ 19.725135][ T138] driver_probe_device+0x26b/0x3d0
[ 19.730232][ T138] __device_attach_driver+0x1d1/0x290
[ 19.735590][ T138] ? driver_allows_async_probing+0x150/0x150
[ 19.741556][ T138] bus_for_each_drv+0x15f/0x1e0
[ 19.746408][ T138] ? bus_for_each_dev+0x1d0/0x1d0
[ 19.751418][ T138] __device_attach+0x28d/0x430
[ 19.756170][ T138] ? really_probe+0xc90/0xc90
[ 19.760835][ T138] ? kobject_uevent_env+0x2b4/0x1540
[ 19.766107][ T138] bus_probe_device+0x1e4/0x290
[ 19.770948][ T138] device_add+0xb09/0x1c10
[ 19.775364][ T138] ? device_check_offline+0x280/0x280
[ 19.780730][ T138] ? _raw_spin_unlock_irq+0x1f/0x30
[ 19.785921][ T138] usb_new_device.cold+0x71d/0xfd4
[ 19.791028][ T138] ? hub_disconnect+0x510/0x510
[ 19.795872][ T138] ? lockdep_hardirqs_on_prepare+0x370/0x550
[ 19.801850][ T138] ? trace_hardirqs_on+0x5f/0x200
[ 19.806924][ T138] hub_event+0x2361/0x4390
[ 19.811331][ T138] ? hub_port_debounce+0x3b0/0x3b0
[ 19.816435][ T138] ? perf_trace_workqueue_execute_start+0x211/0x390
[ 19.823009][ T138] ? lock_release+0x7e0/0x7e0
[ 19.827692][ T138] ? lock_downgrade+0x730/0x730
[ 19.832530][ T138] ? do_raw_spin_lock+0x120/0x260
[ 19.837544][ T138] ? _raw_spin_unlock_irq+0x1f/0x30
[ 19.842730][ T138] ? lockdep_hardirqs_on_prepare+0x370/0x550
[ 19.848697][ T138] process_one_work+0x94c/0x15f0
[ 19.853624][ T138] ? lock_release+0x7e0/0x7e0
[ 19.858285][ T138] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 19.863645][ T138] ? rwlock_bug.part.0+0x90/0x90
[ 19.868567][ T138] worker_thread+0x64c/0x1120
[ 19.873264][ T138] ? __kthread_parkme+0x118/0x1d0
[ 19.878296][ T138] ? process_one_work+0x15f0/0x15f0
[ 19.883482][ T138] kthread+0x392/0x470
[ 19.887539][ T138] ? kthread_create_worker_on_cpu+0xf0/0xf0
[ 19.893420][ T138] ? kthread_create_worker_on_cpu+0xf0/0xf0
[ 19.899298][ T138] ret_from_fork+0x1f/0x30
[ 19.903694][ T138]
[ 19.906008][ T138] Allocated by task 138:
[ 19.910241][ T138] save_stack+0x1b/0x40
[ 19.914434][ T138] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 19.920072][ T138] usb_get_configuration+0x13d7/0x3a50
[ 19.925520][ T138] usb_new_device+0x42c/0x7a0
[ 19.930184][ T138] hub_event+0x2361/0x4390
[ 19.934587][ T138] process_one_work+0x94c/0x15f0
[ 19.939526][ T138] worker_thread+0x64c/0x1120
[ 19.944193][ T138] kthread+0x392/0x470
[ 19.948249][ T138] ret_from_fork+0x1f/0x30
[ 19.952662][ T138]
[ 19.954980][ T138] Freed by task 16:
[ 19.958779][ T138] save_stack+0x1b/0x40
[ 19.962942][ T138] __kasan_slab_free+0x116/0x160
[ 19.967880][ T138] slab_free_freelist_hook+0x53/0x140
[ 19.973242][ T138] kfree+0xbc/0x2c0
[ 19.977042][ T138] __put_seccomp_filter+0xb3/0xf0
[ 19.982051][ T138] free_task+0x76/0x110
[ 19.986192][ T138] __put_task_struct+0x21c/0x3a0
[ 19.991116][ T138] delayed_put_task_struct+0x21c/0x360
[ 19.996563][ T138] rcu_core+0x506/0x1840
[ 20.000794][ T138] __do_softirq+0x222/0x95b
[ 20.005275][ T138]
[ 20.007594][ T138] The buggy address belongs to the object at ffff8881cc0c8500
[ 20.007594][ T138] which belongs to the cache kmalloc-192 of size 192
[ 20.021635][ T138] The buggy address is located 163 bytes inside of
[ 20.021635][ T138] 192-byte region [ffff8881cc0c8500, ffff8881cc0c85c0)
[ 20.034884][ T138] The buggy address belongs to the page:
[ 20.040506][ T138] page:ffffea0007303200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 20.049597][ T138] flags: 0x200000000000200(slab)
[ 20.054528][ T138] raw: 0200000000000200 ffffea00073e28c0 0000000400000004 ffff8881da002a00
[ 20.063130][ T138] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 20.071706][ T138] page dumped because: kasan: bad access detected
[ 20.078111][ T138]
[ 20.080422][ T138] Memory state around the buggy address:
[ 20.086039][ T138] ffff8881cc0c8480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 20.094088][ T138] ffff8881cc0c8500: 00 00 00 00 00