dhcpcd-9.4.0 starting
dev: loaded udev
DUID 00:04:28:fc:25:ea:d7:72:11:85:ec:f5:a4:60:37:c9:76:43
forked to background, child pid 1202
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.1.233' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 34.197201][ T55] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 34.557269][ T55] usb 1-1: config 0 has an invalid interface number: 200 but max is 1
[ 34.565583][ T55] usb 1-1: config 0 has no interface number 1
[ 34.737356][ T55] usb 1-1: New USB device found, idVendor=25d4, idProduct=4cab, bcdDevice=78.60
[ 34.746636][ T55] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 34.754656][ T55] usb 1-1: Product: syz
[ 34.758842][ T55] usb 1-1: Manufacturer: syz
[ 34.763509][ T55] usb 1-1: SerialNumber: syz
[ 34.770350][ T55] usb 1-1: config 0 descriptor??
[ 34.809558][ T55] r8712u: register rtl8712_netdev_ops to netdev_ops
[ 34.816216][ T55] usb 1-1: r8712u: USB_SPEED_HIGH with 0 endpoints
[ 34.917273][ T55] usb 1-1: r8712u: Boot from EFUSE: Autoload Failed
[ 34.923945][ T55] usb 1-1: r8712u: MAC Address from efuse = 00:e0:4c:87:00:00
[ 34.931566][ T55] usb 1-1: r8712u: Loading firmware from "rtlwifi/rtl8712u.bin"
[ 34.941591][ T55] r8712u: register rtl8712_netdev_ops to netdev_ops
[ 34.948266][ T55] usb 1-1: r8712u: USB_SPEED_HIGH with 0 endpoints
[ 34.987209][ T55] usb 1-1: r8712u: Boot from EFUSE: Autoload Failed
[ 34.993821][ T55] usb 1-1: r8712u: MAC Address from efuse = 00:e0:4c:87:00:00
[ 35.001624][ T55] usb 1-1: r8712u: Loading firmware from "rtlwifi/rtl8712u.bin"
executing program
[ 35.360023][ T7] usb 1-1: USB disconnect, device number 2
[ 35.470570][ T1203] ==================================================================
[ 35.480080][ T1203] BUG: KASAN: use-after-free in rtl8712_dl_fw+0xd95/0xe10
[ 35.487307][ T1203] Read of size 8 at addr ffff88810a2a6d00 by task dhcpcd/1203
[ 35.494852][ T1203]
[ 35.497160][ T1203] CPU: 1 PID: 1203 Comm: dhcpcd Not tainted 5.15.0-rc6-syzkaller #0
[ 35.505126][ T1203] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.515252][ T1203] Call Trace:
[ 35.518530][ T1203] dump_stack_lvl+0xcd/0x134
[ 35.523129][ T1203] print_address_description.constprop.0.cold+0x6c/0x309
[ 35.530135][ T1203] ? rtl8712_dl_fw+0xd95/0xe10
[ 35.534887][ T1203] ? rtl8712_dl_fw+0xd95/0xe10
[ 35.539635][ T1203] kasan_report.cold+0x83/0xdf
[ 35.544395][ T1203] ? rtl8712_dl_fw+0xd95/0xe10
[ 35.549145][ T1203] rtl8712_dl_fw+0xd95/0xe10
[ 35.553727][ T1203] ? r8712_usbctrl_vendorreq+0x14b/0x1f0
[ 35.559343][ T1203] ? rtl8712_hal_init.part.0+0x260/0x260
[ 35.565843][ T1203] ? usb_write8+0xa1/0xe0
[ 35.570160][ T1203] ? usb_write16+0xe0/0xe0
[ 35.574648][ T1203] ? usb_read16+0xd0/0xd0
[ 35.578961][ T1203] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 35.585187][ T1203] ? msleep+0xbf/0xf0
[ 35.589155][ T1203] ? ip6_route_dev_notify+0xda/0x3c0
[ 35.594436][ T1203] rtl871x_hal_init+0xae/0x180
[ 35.599786][ T1203] netdev_open+0xe6/0x6c0
[ 35.604124][ T1203] ? r871x_net_get_stats+0x2e0/0x2e0
[ 35.609533][ T1203] __dev_open+0x2bc/0x4d0
[ 35.613859][ T1203] ? dev_set_rx_mode+0x80/0x80
[ 35.618621][ T1203] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 35.624699][ T1203] ? __local_bh_enable_ip+0x9d/0xf0
[ 35.629886][ T1203] __dev_change_flags+0x583/0x750
[ 35.634902][ T1203] ? dev_set_allmulti+0x30/0x30
[ 35.639756][ T1203] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 35.645983][ T1203] ? apparmor_capable+0x1d8/0x460
[ 35.650994][ T1203] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 35.657221][ T1203] ? full_name_hash+0xb5/0xf0
[ 35.661885][ T1203] dev_change_flags+0x93/0x170
[ 35.666650][ T1203] devinet_ioctl+0x15d1/0x1ca0
[ 35.671401][ T1203] ? inet_ifa_byprefix+0x2a0/0x2a0
[ 35.676543][ T1203] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 35.682783][ T1203] ? _copy_from_user+0x5d/0x180
[ 35.687621][ T1203] inet_ioctl+0x1e6/0x320
[ 35.691942][ T1203] ? inet_dgram_connect+0x210/0x210
[ 35.697128][ T1203] ? lock_downgrade+0x6e0/0x6e0
[ 35.701964][ T1203] ? kfree+0xd9/0x460
[ 35.705933][ T1203] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 35.712178][ T1203] ? tomoyo_path_number_perm+0x24e/0x590
[ 35.717814][ T1203] ? tomoyo_execute_permission+0x4a0/0x4a0
[ 35.723606][ T1203] ? __lock_acquire+0x162f/0x54a0
[ 35.728624][ T1203] sock_do_ioctl+0xcc/0x230
[ 35.733155][ T1203] ? put_user_ifreq+0x140/0x140
[ 35.738000][ T1203] ? vfs_fileattr_set+0xb70/0xb70
[ 35.743067][ T1203] sock_ioctl+0x2f1/0x640
[ 35.747391][ T1203] ? br_ioctl_call+0xa0/0xa0
[ 35.752014][ T1203] ? lock_downgrade+0x6e0/0x6e0
[ 35.756873][ T1203] ? lock_downgrade+0x6e0/0x6e0
[ 35.761716][ T1203] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 35.767946][ T1203] ? br_ioctl_call+0xa0/0xa0
[ 35.772609][ T1203] __x64_sys_ioctl+0x193/0x200
[ 35.777360][ T1203] do_syscall_64+0x35/0xb0
[ 35.781790][ T1203] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 35.787692][ T1203] RIP: 0033:0x7f06c6d7c0e7
[ 35.792107][ T1203] Code: 3c 1c e8 1c ff ff ff 85 c0 79 87 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 61 9d 0c 00 f7 d8 64 89 01 48
[ 35.811720][ T1203] RSP: 002b:00007fff6b4c61c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 35.820205][ T1203] RAX: ffffffffffffffda RBX: 00007f06c6c8e6c8 RCX: 00007f06c6d7c0e7
[ 35.828162][ T1203] RDX: 00007fff6b4d63b8 RSI: 0000000000008914 RDI: 0000000000000005
[ 35.836124][ T1203] RBP: 00007fff6b4e6568 R08: 00007fff6b4d6378 R09: 00007fff6b4d6328
[ 35.845121][ T1203] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 35.853077][ T1203] R13: 00007fff6b4d63b8 R14: 0000000000000028 R15: 0000000000008914
[ 35.861032][ T1203]
[ 35.863344][ T1203] Allocated by task 55:
[ 35.867483][ T1203] kasan_save_stack+0x1b/0x40
[ 35.872166][ T1203] __kasan_kmalloc+0x7c/0x90
[ 35.876749][ T1203] _request_firmware+0x192/0x1440
[ 35.881771][ T1203] request_firmware_work_func+0xdd/0x230
[ 35.887417][ T1203] process_one_work+0x9bf/0x1620
[ 35.892343][ T1203] worker_thread+0x658/0x11f0
[ 35.897450][ T1203] kthread+0x3c2/0x4a0
[ 35.901515][ T1203] ret_from_fork+0x1f/0x30
[ 35.905923][ T1203]
[ 35.908228][ T1203] Freed by task 7:
[ 35.911925][ T1203] kasan_save_stack+0x1b/0x40
[ 35.916588][ T1203] kasan_set_track+0x1c/0x30
[ 35.921162][ T1203] kasan_set_free_info+0x20/0x30
[ 35.926083][ T1203] __kasan_slab_free+0xe0/0x110
[ 35.930933][ T1203] kfree+0xd9/0x460
[ 35.934734][ T1203] release_firmware+0x1b/0x30
[ 35.939916][ T1203] r871xu_dev_remove+0xcc/0x2c0
[ 35.944761][ T1203] usb_unbind_interface+0x1d8/0x8d0
[ 35.949948][ T1203] __device_release_driver+0x5d7/0x700
[ 35.955447][ T1203] device_release_driver+0x26/0x40
[ 35.960596][ T1203] bus_remove_device+0x2eb/0x5a0
[ 35.965551][ T1203] device_del+0x502/0xd60
[ 35.969870][ T1203] usb_disable_device+0x35b/0x7b0
[ 35.974889][ T1203] usb_disconnect.cold+0x27a/0x78e
[ 35.979989][ T1203] hub_event+0x1c9c/0x4330
[ 35.984477][ T1203] process_one_work+0x9bf/0x1620
[ 35.989466][ T1203] worker_thread+0x658/0x11f0
[ 35.994159][ T1203] kthread+0x3c2/0x4a0
[ 35.998215][ T1203] ret_from_fork+0x1f/0x30
[ 36.002618][ T1203]
[ 36.004927][ T1203] The buggy address belongs to the object at ffff88810a2a6d00
[ 36.004927][ T1203] which belongs to the cache kmalloc-32 of size 32
[ 36.018790][ T1203] The buggy address is located 0 bytes inside of
[ 36.018790][ T1203] 32-byte region [ffff88810a2a6d00, ffff88810a2a6d20)
[ 36.031875][ T1203] The buggy address belongs to the page:
[ 36.037486][ T1203] page:ffffea000428a980 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10a2a6
[ 36.047704][ T1203] flags: 0x200000000000200(slab|node=0|zone=2)
[ 36.053860][ T1203] raw: 0200000000000200 0000000000000000 0000000100000001 ffff888100041500
[ 36.062429][ T1203] raw: 0000000000000000 0000000000400040 00000001ffffffff 0000000000000000
[ 36.070997][ T1203] page dumped because: kasan: bad access detected
[ 36.077495][ T1203] page_owner tracks the page as allocated
[ 36.083195][ T1203] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 4281956844, free_ts 0
[ 36.098039][ T1203] get_page_from_freelist+0x11d2/0x28b0
[ 36.103598][ T1203] __alloc_pages+0x1b2/0x4e0
[ 36.108174][ T1203] alloc_page_interleave+0x1e/0x1b0
[ 36.113373][ T1203] alloc_pages+0x29f/0x300
[ 36.117776][ T1203] new_slab+0x319/0x490
[ 36.122032][ T1203] ___slab_alloc+0xa4b/0x1170
[ 36.126692][ T1203] __kmalloc_node+0x13a/0x370
[ 36.131350][ T1203] crypto_create_tfm_node+0x7f/0x320
[ 36.136637][ T1203] crypto_alloc_tfm_node+0x107/0x260
[ 36.141905][ T1203] digsig_init+0x1b/0x61
[ 36.146154][ T1203] do_one_initcall+0x103/0x5d0
[ 36.150908][ T1203] kernel_init_freeable+0x6a7/0x730
[ 36.156092][ T1203] kernel_init+0x1a/0x1d0
[ 36.160406][ T1203] ret_from_fork+0x1f/0x30
[ 36.164811][ T1203] page_owner free stack trace missing
[ 36.170156][ T1203]
[ 36.172463][ T1203] Memory state around the buggy address:
[ 36.178073][ T1203] ffff88810a2a6c00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 36.186116][ T1203] ffff88810a2a6c80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 36.195896][ T1203] >ffff88810a2a6d00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 36.203935][ T1203]                    ^
[ 36.208011][ T1203] ffff88810a2a6d80: 00 00 00 00 fc fc fc fc fa fb fb fb fc fc fc fc
[ 36.216055][ T1203] ffff88810a2a6e00: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 36.224123][ T1203] ==================================================================
[ 36.232161][ T1203] Disabling lock debugging due to kernel taint
[ 36.238363][ T1203] Kernel panic - not syncing: panic_on_warn set ...
[ 36.244941][ T1203] CPU: 1 PID: 1203 Comm: dhcpcd Tainted: G B 5.15.0-rc6-syzkaller #0
[ 36.254343][ T1203] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.264393][ T1203] Call Trace:
[ 36.267655][ T1203] dump_stack_lvl+0xcd/0x134
[ 36.272238][ T1203] panic+0x2b0/0x6dd
[ 36.276125][ T1203] ? __warn_printk+0xf3/0xf3
[ 36.280699][ T1203] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 36.286843][ T1203] ? trace_hardirqs_on+0x38/0x1a0
[ 36.291876][ T1203] ? trace_hardirqs_on+0x51/0x1a0
[ 36.296894][ T1203] ? rtl8712_dl_fw+0xd95/0xe10
[ 36.301639][ T1203] ? rtl8712_dl_fw+0xd95/0xe10
[ 36.306386][ T1203] end_report.cold+0x63/0x6f
[ 36.310968][ T1203] kasan_report.cold+0x71/0xdf
[ 36.315715][ T1203] ? rtl8712_dl_fw+0xd95/0xe10
[ 36.320474][ T1203] rtl8712_dl_fw+0xd95/0xe10
[ 36.325060][ T1203] ? r8712_usbctrl_vendorreq+0x14b/0x1f0
[ 36.330676][ T1203] ? rtl8712_hal_init.part.0+0x260/0x260
[ 36.336304][ T1203] ? usb_write8+0xa1/0xe0
[ 36.340617][ T1203] ? usb_write16+0xe0/0xe0
[ 36.345014][ T1203] ? usb_read16+0xd0/0xd0
[ 36.350036][ T1203] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 36.356274][ T1203] ? msleep+0xbf/0xf0
[ 36.360257][ T1203] ? ip6_route_dev_notify+0xda/0x3c0
[ 36.365528][ T1203] rtl871x_hal_init+0xae/0x180
[ 36.370275][ T1203] netdev_open+0xe6/0x6c0
[ 36.374640][ T1203] ? r871x_net_get_stats+0x2e0/0x2e0
[ 36.379910][ T1203] __dev_open+0x2bc/0x4d0
[ 36.384234][ T1203] ? dev_set_rx_mode+0x80/0x80
[ 36.388983][ T1203] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 36.394960][ T1203] ? __local_bh_enable_ip+0x9d/0xf0
[ 36.400141][ T1203] __dev_change_flags+0x583/0x750
[ 36.405242][ T1203] ? dev_set_allmulti+0x30/0x30
[ 36.410085][ T1203] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 36.416310][ T1203] ? apparmor_capable+0x1d8/0x460
[ 36.421316][ T1203] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 36.427537][ T1203] ? full_name_hash+0xb5/0xf0
[ 36.432213][ T1203] dev_change_flags+0x93/0x170
[ 36.436970][ T1203] devinet_ioctl+0x15d1/0x1ca0
[ 36.441729][ T1203] ? inet_ifa_byprefix+0x2a0/0x2a0
[ 36.446835][ T1203] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 36.453070][ T1203] ? _copy_from_user+0x5d/0x180
[ 36.457918][ T1203] inet_ioctl+0x1e6/0x320
[ 36.462238][ T1203] ? inet_dgram_connect+0x210/0x210
[ 36.467423][ T1203] ? lock_downgrade+0x6e0/0x6e0
[ 36.472256][ T1203] ? kfree+0xd9/0x460
[ 36.476218][ T1203] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 36.482445][ T1203] ? tomoyo_path_number_perm+0x24e/0x590
[ 36.488077][ T1203] ? tomoyo_execute_permission+0x4a0/0x4a0
[ 36.493865][ T1203] ? __lock_acquire+0x162f/0x54a0
[ 36.498869][ T1203] sock_do_ioctl+0xcc/0x230
[ 36.503355][ T1203] ? put_user_ifreq+0x140/0x140
[ 36.508187][ T1203] ? vfs_fileattr_set+0xb70/0xb70
[ 36.513302][ T1203] sock_ioctl+0x2f1/0x640
[ 36.517625][ T1203] ? br_ioctl_call+0xa0/0xa0
[ 36.522199][ T1203] ? lock_downgrade+0x6e0/0x6e0
[ 36.527048][ T1203] ? lock_downgrade+0x6e0/0x6e0
[ 36.531890][ T1203] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 36.538115][ T1203] ? br_ioctl_call+0xa0/0xa0
[ 36.542688][ T1203] __x64_sys_ioctl+0x193/0x200
[ 36.547434][ T1203] do_syscall_64+0x35/0xb0
[ 36.551842][ T1203] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 36.557720][ T1203] RIP: 0033:0x7f06c6d7c0e7
[ 36.562205][ T1203] Code: 3c 1c e8 1c ff ff ff 85 c0 79 87 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 61 9d 0c 00 f7 d8 64 89 01 48
[ 36.581804][ T1203] RSP: 002b:00007fff6b4c61c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 36.590201][ T1203] RAX: ffffffffffffffda RBX: 00007f06c6c8e6c8 RCX: 00007f06c6d7c0e7
[ 36.598153][ T1203] RDX: 00007fff6b4d63b8 RSI: 0000000000008914 RDI: 0000000000000005
[ 36.606103][ T1203] RBP: 00007fff6b4e6568 R08: 00007fff6b4d6378 R09: 00007fff6b4d6328
[ 36.614057][ T1203] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 36.622023][ T1203] R13: 00007fff6b4d63b8 R14: 0000000000000028 R15: 0000000000008914
[ 36.630275][ T1203] Kernel Offset: disabled
[ 36.634594][ T1203] Rebooting in 86400 seconds..