[info] Using makefile-style concurrent boot in runlevel 2.
[   15.230998][    C1] random: crng init done
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.107' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   26.725936][   T12] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   26.965926][   T12] usb 1-1: Using ep0 maxpacket: 8
[   27.086013][   T12] usb 1-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config
[   27.096275][   T12] usb 1-1: New USB device found, idVendor=0bd3, idProduct=0555, bcdDevice=69.6a
[   27.105339][   T12] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   27.114912][   T12] usb 1-1: config 0 descriptor??
[   27.596001][   T12] uvcvideo: Found UVC 0.00 device (0bd3:0555)
[   27.603074][   T12] uvcvideo 1-1:0.0: Entity type for entity 㰉잭崮㑿ࠦ蓣쏦趬똛 was not initialized!
[   27.815967][   T22] usb 1-1: USB disconnect, device number 2
[   27.822598][   T22] ==================================================================
[   27.830731][   T22] BUG: KASAN: use-after-free in __media_entity_remove_links+0x134/0x160
[   27.839048][   T22] Read of size 8 at addr ffff8881cfebe3a0 by task kworker/1:1/22
[   27.846739][   T22]
[   27.849054][   T22] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.5.0-rc2-syzkaller #0
[   27.857178][   T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.867216][   T22] Workqueue: usb_hub_wq hub_event
[   27.872223][   T22] Call Trace:
[   27.875505][   T22]  dump_stack+0xef/0x16e
[   27.879729][   T22]  ? __media_entity_remove_links+0x134/0x160
[   27.885684][   T22]  ? __media_entity_remove_links+0x134/0x160
[   27.891643][   T22]  print_address_description.constprop.0+0x16/0x200
[   27.898233][   T22]  ? __media_entity_remove_links+0x134/0x160
[   27.904224][   T22]  ? __media_entity_remove_links+0x134/0x160
[   27.910251][   T22]  __kasan_report.cold+0x37/0x7f
[   27.915177][   T22]  ? __media_entity_remove_links+0x134/0x160
[   27.921139][   T22]  kasan_report+0xe/0x20
[   27.925360][   T22]  __media_entity_remove_links+0x134/0x160
[   27.931142][   T22]  __media_device_unregister_entity+0x187/0x300
[   27.937361][   T22]  media_device_unregister_entity+0x49/0x70
[   27.943231][   T22]  v4l2_device_unregister_subdev+0x257/0x380
[   27.949188][   T22]  v4l2_device_unregister+0x139/0x220
[   27.954537][   T22]  uvc_unregister_video+0x11a/0x210
[   27.959768][   T22]  uvc_disconnect+0xbc/0x160
[   27.964364][   T22]  usb_unbind_interface+0x1bd/0x8a0
[   27.969617][   T22]  ? usb_autoresume_device+0x60/0x60
[   27.975848][   T22]  device_release_driver_internal+0x42f/0x500
[   27.981955][   T22]  bus_remove_device+0x2dc/0x4a0
[   27.986873][   T22]  device_del+0x481/0xd30
[   27.991222][   T22]  ? device_create_with_groups+0x120/0x120
[   27.997010][   T22]  ? lockdep_hardirqs_on+0x382/0x580
[   28.002271][   T22]  ? remove_intf_ep_devs+0x13f/0x1d0
[   28.007568][   T22]  usb_disable_device+0x211/0x690
[   28.012704][   T22]  usb_disconnect+0x284/0x8d0
[   28.017357][   T22]  hub_event+0x1753/0x3860
[   28.021755][   T22]  ? hub_port_debounce+0x260/0x260
[   28.026857][   T22]  ? find_held_lock+0x2d/0x110
[   28.031599][   T22]  ? mark_held_locks+0xe0/0xe0
[   28.036339][   T22]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   28.041864][   T22]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   28.047138][   T22]  process_one_work+0x92b/0x1530
[   28.052056][   T22]  ? pwq_dec_nr_in_flight+0x310/0x310
[   28.057409][   T22]  ? do_raw_spin_lock+0x11a/0x280
[   28.062417][   T22]  worker_thread+0x96/0xe20
[   28.067232][   T22]  ? process_one_work+0x1530/0x1530
[   28.072412][   T22]  kthread+0x318/0x420
[   28.076470][   T22]  ? kthread_create_on_node+0xf0/0xf0
[   28.081816][   T22]  ret_from_fork+0x24/0x30
[   28.086299][   T22]
[   28.088610][   T22] Allocated by task 12:
[   28.092759][   T22]  save_stack+0x1b/0x80
[   28.096893][   T22]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   28.102508][   T22]  media_add_link+0x47/0x180
[   28.107075][   T22]  media_create_pad_link+0x1fb/0x530
[   28.112338][   T22]  uvc_mc_register_entities+0x468/0x77a
[   28.117888][   T22]  uvc_probe.cold+0x2137/0x29de
[   28.122713][   T22]  usb_probe_interface+0x305/0x7a0
[   28.127800][   T22]  really_probe+0x281/0x6d0
[   28.132277][   T22]  driver_probe_device+0x104/0x210
[   28.137381][   T22]  __device_attach_driver+0x1c2/0x220
[   28.142725][   T22]  bus_for_each_drv+0x162/0x1e0
[   28.147554][   T22]  __device_attach+0x217/0x360
[   28.152292][   T22]  bus_probe_device+0x1e4/0x290
[   28.157128][   T22]  device_add+0x1480/0x1c20
[   28.161610][   T22]  usb_set_configuration+0xe67/0x1740
[   28.166967][   T22]  generic_probe+0x9d/0xd5
[   28.171378][   T22]  usb_probe_device+0x99/0x100
[   28.176174][   T22]  really_probe+0x281/0x6d0
[   28.180709][   T22]  driver_probe_device+0x104/0x210
[   28.185808][   T22]  __device_attach_driver+0x1c2/0x220
[   28.191222][   T22]  bus_for_each_drv+0x162/0x1e0
[   28.196058][   T22]  __device_attach+0x217/0x360
[   28.200800][   T22]  bus_probe_device+0x1e4/0x290
[   28.205648][   T22]  device_add+0x1480/0x1c20
[   28.210131][   T22]  usb_new_device.cold+0x6a4/0xe79
[   28.215219][   T22]  hub_event+0x1e59/0x3860
[   28.219624][   T22]  process_one_work+0x92b/0x1530
[   28.224535][   T22]  worker_thread+0x96/0xe20
[   28.229024][   T22]  kthread+0x318/0x420
[   28.233070][   T22]  ret_from_fork+0x24/0x30
[   28.237468][   T22]
[   28.239779][   T22] Freed by task 22:
[   28.243614][   T22]  save_stack+0x1b/0x80
[   28.247752][   T22]  __kasan_slab_free+0x129/0x170
[   28.252665][   T22]  kfree+0xda/0x310
[   28.256454][   T22]  __media_entity_remove_link+0x25c/0x5d0
[   28.262160][   T22]  __media_entity_remove_links+0x86/0x160
[   28.267867][   T22]  __media_device_unregister_entity+0x187/0x300
[   28.274096][   T22]  media_device_unregister_entity+0x49/0x70
[   28.279963][   T22]  v4l2_device_unregister_subdev+0x257/0x380
[   28.285922][   T22]  v4l2_device_unregister+0x139/0x220
[   28.291278][   T22]  uvc_unregister_video+0x11a/0x210
[   28.296461][   T22]  uvc_disconnect+0xbc/0x160
[   28.301026][   T22]  usb_unbind_interface+0x1bd/0x8a0
[   28.306385][   T22]  device_release_driver_internal+0x42f/0x500
[   28.312431][   T22]  bus_remove_device+0x2dc/0x4a0
[   28.317346][   T22]  device_del+0x481/0xd30
[   28.321665][   T22]  usb_disable_device+0x211/0x690
[   28.326669][   T22]  usb_disconnect+0x284/0x8d0
[   28.331316][   T22]  hub_event+0x1753/0x3860
[   28.335716][   T22]  process_one_work+0x92b/0x1530
[   28.340629][   T22]  worker_thread+0x96/0xe20
[   28.345107][   T22]  kthread+0x318/0x420
[   28.349152][   T22]  ret_from_fork+0x24/0x30
[   28.353540][   T22]
[   28.355852][   T22] The buggy address belongs to the object at ffff8881cfebe380
[   28.355852][   T22]  which belongs to the cache kmalloc-96 of size 96
[   28.369717][   T22] The buggy address is located 32 bytes inside of
[   28.369717][   T22]  96-byte region [ffff8881cfebe380, ffff8881cfebe3e0)
[   28.382796][   T22] The buggy address belongs to the page:
[   28.388408][   T22] page:ffffea00073faf80 refcount:1 mapcount:0 mapping:ffff8881da002f00 index:0x0
[   28.397502][   T22] raw: 0200000000000200 ffffea000745b900 0000001a0000001a ffff8881da002f00
[   28.406064][   T22] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[   28.414758][   T22] page dumped because: kasan: bad access detected
[   28.421167][   T22]
[   28.423474][   T22] Memory state around the buggy address:
[   28.429098][   T22]  ffff8881cfebe280: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   28.437140][   T22]  ffff8881cfebe300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   28.445189][   T22] >ffff8881cfebe380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   28.453323][   T22]                                ^
[   28.458413][   T22]  ffff8881cfebe400: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   28.467337][   T22]  ffff8881cfebe480: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   28.475369][   T22] ==================================================================
[   28.483408][   T22] Disabling lock debugging due to kernel taint
[   28.489791][   T22] Kernel panic - not syncing: panic_on_warn set ...
[   28.496380][   T22] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G    B             5.5.0-rc2-syzkaller #0
[   28.505906][   T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.515946][   T22] Workqueue: usb_hub_wq hub_event
[   28.520942][   T22] Call Trace:
[   28.524209][   T22]  dump_stack+0xef/0x16e
[   28.528438][   T22]  panic+0x2aa/0x6e1
[   28.532309][   T22]  ? add_taint.cold+0x16/0x16
[   28.536963][   T22]  ? retint_kernel+0x10/0x10
[   28.541542][   T22]  ? trace_hardirqs_on+0x55/0x1e0
[   28.546651][   T22]  ? __media_entity_remove_links+0x134/0x160
[   28.552605][   T22]  end_report+0x43/0x49
[   28.556739][   T22]  ? __media_entity_remove_links+0x134/0x160
[   28.562691][   T22]  __kasan_report.cold+0x55/0x7f
[   28.567604][   T22]  ? __media_entity_remove_links+0x134/0x160
[   28.573554][   T22]  kasan_report+0xe/0x20
[   28.577771][   T22]  __media_entity_remove_links+0x134/0x160
[   28.583553][   T22]  __media_device_unregister_entity+0x187/0x300
[   28.589779][   T22]  media_device_unregister_entity+0x49/0x70
[   28.595649][   T22]  v4l2_device_unregister_subdev+0x257/0x380
[   28.601617][   T22]  v4l2_device_unregister+0x139/0x220
[   28.606965][   T22]  uvc_unregister_video+0x11a/0x210
[   28.612148][   T22]  uvc_disconnect+0xbc/0x160
[   28.616714][   T22]  usb_unbind_interface+0x1bd/0x8a0
[   28.621895][   T22]  ? usb_autoresume_device+0x60/0x60
[   28.627157][   T22]  device_release_driver_internal+0x42f/0x500
[   28.633209][   T22]  bus_remove_device+0x2dc/0x4a0
[   28.638118][   T22]  device_del+0x481/0xd30
[   28.642420][   T22]  ? device_create_with_groups+0x120/0x120
[   28.648222][   T22]  ? lockdep_hardirqs_on+0x382/0x580
[   28.653509][   T22]  ? remove_intf_ep_devs+0x13f/0x1d0
[   28.658835][   T22]  usb_disable_device+0x211/0x690
[   28.663847][   T22]  usb_disconnect+0x284/0x8d0
[   28.668514][   T22]  hub_event+0x1753/0x3860
[   28.672905][   T22]  ? hub_port_debounce+0x260/0x260
[   28.678033][   T22]  ? find_held_lock+0x2d/0x110
[   28.682775][   T22]  ? mark_held_locks+0xe0/0xe0
[   28.687554][   T22]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   28.693074][   T22]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   28.698372][   T22]  process_one_work+0x92b/0x1530
[   28.703290][   T22]  ? pwq_dec_nr_in_flight+0x310/0x310
[   28.708769][   T22]  ? do_raw_spin_lock+0x11a/0x280
[   28.713766][   T22]  worker_thread+0x96/0xe20
[   28.718245][   T22]  ? process_one_work+0x1530/0x1530
[   28.723414][   T22]  kthread+0x318/0x420
[   28.727458][   T22]  ? kthread_create_on_node+0xf0/0xf0
[   28.732803][   T22]  ret_from_fork+0x24/0x30
[   28.737684][   T22] Kernel Offset: disabled
[   28.742044][   T22] Rebooting in 86400 seconds..