INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.219' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 23.928856][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 24.168774][ T83] usb 1-1: Using ep0 maxpacket: 32
[ 24.288865][ T83] usb 1-1: config 1 interface 1 altsetting 1 endpoint 0x1 has an invalid bInterval 0, changing to 7
[ 24.299852][ T83] usb 1-1: config 1 interface 2 altsetting 1 endpoint 0x82 has an invalid bInterval 0, changing to 7
[ 24.468850][ T83] usb 1-1: New USB device found, idVendor=1d6b, idProduct=0101, bcdDevice= 0.40
[ 24.477943][ T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 24.485972][ T83] usb 1-1: Product: syz
[ 24.490178][ T83] usb 1-1: Manufacturer: syz
[ 24.494756][ T83] usb 1-1: SerialNumber: syz
executing program
[ 24.839024][ T83] ==================================================================
[ 24.847269][ T83] BUG: KASAN: use-after-free in build_audio_procunit+0xeab/0x13f0
[ 24.855188][ T83] Read of size 1 at addr ffff8881d545362b by task kworker/1:2/83
[ 24.862880][ T83]
[ 24.865232][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.4.0-rc3+ #0
[ 24.872578][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.882633][ T83] Workqueue: usb_hub_wq hub_event
[ 24.887822][ T83] Call Trace:
[ 24.891104][ T83] dump_stack+0xca/0x13e
[ 24.895329][ T83] ? build_audio_procunit+0xeab/0x13f0
[ 24.900773][ T83] ? build_audio_procunit+0xeab/0x13f0
[ 24.906226][ T83] print_address_description.constprop.0+0x36/0x50
[ 24.912724][ T83] ? build_audio_procunit+0xeab/0x13f0
[ 24.918174][ T83] ? build_audio_procunit+0xeab/0x13f0
[ 24.923761][ T83] __kasan_report.cold+0x1a/0x33
[ 24.928712][ T83] ? build_audio_procunit+0xeab/0x13f0
[ 24.934461][ T83] kasan_report+0xe/0x20
[ 24.938700][ T83] build_audio_procunit+0xeab/0x13f0
[ 24.944186][ T83] parse_audio_unit+0x1812/0x36f0
[ 24.949195][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 24.954983][ T83] ? lockdep_hardirqs_on+0x382/0x580
[ 24.960275][ T83] ? stack_depot_save+0x252/0x440
[ 24.965431][ T83] ? build_audio_procunit+0x13f0/0x13f0
[ 24.970979][ T83] ? save_stack+0x4c/0x80
[ 24.975309][ T83] ? save_stack+0x1b/0x80
[ 24.979825][ T83] ? __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 24.985626][ T83] ? snd_usb_create_mixer+0x180/0x1890
[ 24.991093][ T83] ? usb_audio_probe+0xc76/0x2010
[ 24.996103][ T83] ? usb_probe_interface+0x305/0x7a0
[ 25.001380][ T83] ? really_probe+0x281/0x6d0
[ 25.006041][ T83] ? driver_probe_device+0x104/0x210
[ 25.011335][ T83] ? __device_attach_driver+0x1c2/0x220
[ 25.016949][ T83] ? bus_for_each_drv+0x162/0x1e0
[ 25.021971][ T83] ? __device_attach+0x217/0x360
[ 25.026916][ T83] ? bus_probe_device+0x1e4/0x290
[ 25.031924][ T83] ? device_add+0xae6/0x16f0
[ 25.036498][ T83] ? usb_set_configuration+0xdf6/0x1670
[ 25.042039][ T83] ? validate_desc.part.0+0x17f/0x240
[ 25.047480][ T83] snd_usb_mixer_controls+0x715/0xb90
[ 25.052837][ T83] ? parse_audio_unit+0x36f0/0x36f0
[ 25.058028][ T83] ? fs_reclaim_acquire.part.0+0x30/0x30
[ 25.063667][ T83] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.068957][ T83] ? __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 25.074890][ T83] ? kasan_unpoison_shadow+0x30/0x40
[ 25.080203][ T83] ? usb_ifnum_to_if+0x12b/0x180
[ 25.085144][ T83] snd_usb_create_mixer+0x2b5/0x1890
[ 25.090421][ T83] ? mark_lock+0xbc/0x1160
[ 25.094819][ T83] ? mark_held_locks+0x9f/0xe0
[ 25.099565][ T83] ? snd_usb_mixer_interrupt+0x800/0x800
[ 25.105182][ T83] ? lockdep_hardirqs_on+0x382/0x580
[ 25.110581][ T83] ? usb_driver_claim_interface+0x210/0x420
[ 25.116575][ T83] ? snd_usb_create_stream+0x16a/0x4c0
[ 25.122026][ T83] usb_audio_probe+0xc76/0x2010
[ 25.126883][ T83] ? usb_audio_resume+0x20/0x20
[ 25.131748][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 25.137628][ T83] usb_probe_interface+0x305/0x7a0
[ 25.142752][ T83] ? usb_probe_device+0x100/0x100
[ 25.147773][ T83] really_probe+0x281/0x6d0
[ 25.152271][ T83] driver_probe_device+0x104/0x210
[ 25.157373][ T83] __device_attach_driver+0x1c2/0x220
[ 25.162728][ T83] ? driver_allows_async_probing+0x160/0x160
[ 25.169026][ T83] bus_for_each_drv+0x162/0x1e0
[ 25.173878][ T83] ? bus_rescan_devices+0x20/0x20
[ 25.178892][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 25.184682][ T83] ? lockdep_hardirqs_on+0x382/0x580
[ 25.189950][ T83] __device_attach+0x217/0x360
[ 25.194696][ T83] ? device_bind_driver+0xd0/0xd0
[ 25.199704][ T83] ? kobject_uevent_env+0x29e/0x1150
[ 25.204970][ T83] ? kobject_uevent_env+0x2a8/0x1150
[ 25.211199][ T83] bus_probe_device+0x1e4/0x290
[ 25.216038][ T83] ? blocking_notifier_call_chain+0x54/0xa0
[ 25.221926][ T83] device_add+0xae6/0x16f0
[ 25.226338][ T83] ? uevent_store+0x50/0x50
[ 25.230826][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 25.236616][ T83] usb_set_configuration+0xdf6/0x1670
[ 25.242124][ T83] generic_probe+0x9d/0xd5
[ 25.246660][ T83] usb_probe_device+0x99/0x100
[ 25.251547][ T83] ? usb_suspend+0x620/0x620
[ 25.256147][ T83] really_probe+0x281/0x6d0
[ 25.260724][ T83] driver_probe_device+0x104/0x210
[ 25.265853][ T83] __device_attach_driver+0x1c2/0x220
[ 25.271238][ T83] ? driver_allows_async_probing+0x160/0x160
[ 25.277198][ T83] bus_for_each_drv+0x162/0x1e0
[ 25.282030][ T83] ? bus_rescan_devices+0x20/0x20
[ 25.287049][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 25.292842][ T83] ? lockdep_hardirqs_on+0x382/0x580
[ 25.298110][ T83] __device_attach+0x217/0x360
[ 25.302856][ T83] ? device_bind_driver+0xd0/0xd0
[ 25.308124][ T83] ? kobject_uevent_env+0x29e/0x1150
[ 25.313403][ T83] ? kobject_uevent_env+0x2a8/0x1150
[ 25.318696][ T83] bus_probe_device+0x1e4/0x290
[ 25.323546][ T83] ? blocking_notifier_call_chain+0x54/0xa0
[ 25.330206][ T83] device_add+0xae6/0x16f0
[ 25.334608][ T83] ? uevent_store+0x50/0x50
[ 25.339110][ T83] usb_new_device.cold+0x6a4/0xe79
[ 25.344226][ T83] hub_event+0x1dd0/0x37e0
[ 25.348627][ T83] ? hub_port_debounce+0x260/0x260
[ 25.353722][ T83] ? find_held_lock+0x2d/0x110
[ 25.358556][ T83] ? mark_held_locks+0xe0/0xe0
[ 25.363329][ T83] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.368897][ T83] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.374170][ T83] process_one_work+0x92b/0x1530
[ 25.379104][ T83] ? pwq_dec_nr_in_flight+0x310/0x310
[ 25.384468][ T83] ? do_raw_spin_lock+0x11a/0x280
[ 25.389477][ T83] worker_thread+0x96/0xe20
[ 25.396147][ T83] ? process_one_work+0x1530/0x1530
[ 25.401339][ T83] kthread+0x318/0x420
[ 25.405389][ T83] ? kthread_create_on_node+0xf0/0xf0
[ 25.410749][ T83] ret_from_fork+0x24/0x30
[ 25.415240][ T83]
[ 25.417547][ T83] Allocated by task 83:
[ 25.421800][ T83] save_stack+0x1b/0x80
[ 25.425974][ T83] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 25.431692][ T83] usb_alloc_urb+0x65/0xb0
[ 25.436090][ T83] usb_control_msg+0x1c9/0x4a0
[ 25.440849][ T83] usb_get_descriptor+0xc1/0x1b0
[ 25.445770][ T83] usb_get_configuration+0x28e/0x3050
[ 25.451126][ T83] usb_new_device+0xd3/0x160
[ 25.455773][ T83] hub_event+0x1dd0/0x37e0
[ 25.460186][ T83] process_one_work+0x92b/0x1530
[ 25.465372][ T83] worker_thread+0x96/0xe20
[ 25.469871][ T83] kthread+0x318/0x420
[ 25.473925][ T83] ret_from_fork+0x24/0x30
[ 25.478329][ T83]
[ 25.480641][ T83] Freed by task 83:
[ 25.484434][ T83] save_stack+0x1b/0x80
[ 25.488589][ T83] __kasan_slab_free+0x130/0x180
[ 25.493515][ T83] kfree+0xe4/0x320
[ 25.497325][ T83] usb_free_urb.part.0+0x7a/0xc0
[ 25.502238][ T83] usb_free_urb+0x1b/0x30
[ 25.506548][ T83] usb_start_wait_urb+0x1e5/0x2b0
[ 25.511551][ T83] usb_control_msg+0x31c/0x4a0
[ 25.516304][ T83] usb_get_descriptor+0xc1/0x1b0
[ 25.521238][ T83] usb_get_configuration+0x28e/0x3050
[ 25.526592][ T83] usb_new_device+0xd3/0x160
[ 25.531178][ T83] hub_event+0x1dd0/0x37e0
[ 25.535579][ T83] process_one_work+0x92b/0x1530
[ 25.540496][ T83] worker_thread+0x96/0xe20
[ 25.544977][ T83] kthread+0x318/0x420
[ 25.549199][ T83] ret_from_fork+0x24/0x30
[ 25.553587][ T83]
[ 25.555905][ T83] The buggy address belongs to the object at ffff8881d5453600
[ 25.555905][ T83] which belongs to the cache kmalloc-192 of size 192
[ 25.569938][ T83] The buggy address is located 43 bytes inside of
[ 25.569938][ T83] 192-byte region [ffff8881d5453600, ffff8881d54536c0)
[ 25.583384][ T83] The buggy address belongs to the page:
[ 25.589014][ T83] page:ffffea00075514c0 refcount:1 mapcount:0 mapping:ffff8881da002a00 index:0x0
[ 25.598102][ T83] flags: 0x200000000000200(slab)
[ 25.603040][ T83] raw: 0200000000000200 ffffea00075512c0 0000000b0000000b ffff8881da002a00
[ 25.611628][ T83] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 25.620195][ T83] page dumped because: kasan: bad access detected
[ 25.626581][ T83]
[ 25.628889][ T83] Memory state around the buggy address:
[ 25.634499][ T83] ffff8881d5453500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 25.642552][ T83] ffff8881d5453580: 00 00 00 07 fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.650610][ T83] >ffff8881d5453600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.658650][ T83] ^
[ 25.664002][ T83] ffff8881d5453680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.672061][ T83] ffff8881d5453700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.680201][ T83] ==================================================================
[ 25.688239][ T83] Disabling lock debugging due to kernel taint
[ 25.694451][ T83] Kernel panic - not syncing: panic_on_warn set ...
[ 25.701058][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Tainted: G B 5.4.0-rc3+ #0
[ 25.709817][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.720455][ T83] Workqueue: usb_hub_wq hub_event
[ 25.725513][ T83] Call Trace:
[ 25.728971][ T83] dump_stack+0xca/0x13e
[ 25.733682][ T83] panic+0x2aa/0x6e1
[ 25.738036][ T83] ? add_taint.cold+0x16/0x16
[ 25.742843][ T83] ? build_audio_procunit+0xeab/0x13f0
[ 25.748295][ T83] ? trace_hardirqs_on+0x55/0x1e0
[ 25.753310][ T83] ? build_audio_procunit+0xeab/0x13f0
[ 25.758762][ T83] end_report+0x43/0x49
[ 25.762907][ T83] ? build_audio_procunit+0xeab/0x13f0
[ 25.768347][ T83] __kasan_report.cold+0xd/0x33
[ 25.773192][ T83] ? build_audio_procunit+0xeab/0x13f0
[ 25.778632][ T83] kasan_report+0xe/0x20
[ 25.782874][ T83] build_audio_procunit+0xeab/0x13f0
[ 25.788138][ T83] parse_audio_unit+0x1812/0x36f0
[ 25.793145][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 25.798967][ T83] ? lockdep_hardirqs_on+0x382/0x580
[ 25.804239][ T83] ? stack_depot_save+0x252/0x440
[ 25.809300][ T83] ? build_audio_procunit+0x13f0/0x13f0
[ 25.814846][ T83] ? save_stack+0x4c/0x80
[ 25.819156][ T83] ? save_stack+0x1b/0x80
[ 25.823515][ T83] ? __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 25.829318][ T83] ? snd_usb_create_mixer+0x180/0x1890
[ 25.834765][ T83] ? usb_audio_probe+0xc76/0x2010
[ 25.839791][ T83] ? usb_probe_interface+0x305/0x7a0
[ 25.845054][ T83] ? really_probe+0x281/0x6d0
[ 25.849708][ T83] ? driver_probe_device+0x104/0x210
[ 25.854987][ T83] ? __device_attach_driver+0x1c2/0x220
[ 25.860519][ T83] ? bus_for_each_drv+0x162/0x1e0
[ 25.865535][ T83] ? __device_attach+0x217/0x360
[ 25.870603][ T83] ? bus_probe_device+0x1e4/0x290
[ 25.875614][ T83] ? device_add+0xae6/0x16f0
[ 25.880217][ T83] ? usb_set_configuration+0xdf6/0x1670
[ 25.885765][ T83] ? validate_desc.part.0+0x17f/0x240
[ 25.891144][ T83] snd_usb_mixer_controls+0x715/0xb90
[ 25.896638][ T83] ? parse_audio_unit+0x36f0/0x36f0
[ 25.901836][ T83] ? fs_reclaim_acquire.part.0+0x30/0x30
[ 25.907446][ T83] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.912725][ T83] ? __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 25.918525][ T83] ? kasan_unpoison_shadow+0x30/0x40
[ 25.923887][ T83] ? usb_ifnum_to_if+0x12b/0x180
[ 25.928813][ T83] snd_usb_create_mixer+0x2b5/0x1890
[ 25.934095][ T83] ? mark_lock+0xbc/0x1160
[ 25.938489][ T83] ? mark_held_locks+0x9f/0xe0
[ 25.943250][ T83] ? snd_usb_mixer_interrupt+0x800/0x800
[ 25.948868][ T83] ? lockdep_hardirqs_on+0x382/0x580
[ 25.954133][ T83] ? usb_driver_claim_interface+0x210/0x420
[ 25.961861][ T83] ? snd_usb_create_stream+0x16a/0x4c0
[ 25.967328][ T83] usb_audio_probe+0xc76/0x2010
[ 25.972171][ T83] ? usb_audio_resume+0x20/0x20
[ 25.977007][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 25.982901][ T83] usb_probe_interface+0x305/0x7a0
[ 25.988083][ T83] ? usb_probe_device+0x100/0x100
[ 25.993348][ T83] really_probe+0x281/0x6d0
[ 25.997833][ T83] driver_probe_device+0x104/0x210
[ 26.002926][ T83] __device_attach_driver+0x1c2/0x220
[ 26.008274][ T83] ? driver_allows_async_probing+0x160/0x160
[ 26.014231][ T83] bus_for_each_drv+0x162/0x1e0
[ 26.019060][ T83] ? bus_rescan_devices+0x20/0x20
[ 26.024083][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 26.029870][ T83] ? lockdep_hardirqs_on+0x382/0x580
[ 26.035740][ T83] __device_attach+0x217/0x360
[ 26.040486][ T83] ? device_bind_driver+0xd0/0xd0
[ 26.045489][ T83] ? kobject_uevent_env+0x29e/0x1150
[ 26.050759][ T83] ? kobject_uevent_env+0x2a8/0x1150
[ 26.056032][ T83] bus_probe_device+0x1e4/0x290
[ 26.060869][ T83] ? blocking_notifier_call_chain+0x54/0xa0
[ 26.066740][ T83] device_add+0xae6/0x16f0
[ 26.071135][ T83] ? uevent_store+0x50/0x50
[ 26.075626][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 26.081559][ T83] usb_set_configuration+0xdf6/0x1670
[ 26.086908][ T83] generic_probe+0x9d/0xd5
[ 26.091302][ T83] usb_probe_device+0x99/0x100
[ 26.099094][ T83] ? usb_suspend+0x620/0x620
[ 26.103680][ T83] really_probe+0x281/0x6d0
[ 26.108262][ T83] driver_probe_device+0x104/0x210
[ 26.113365][ T83] __device_attach_driver+0x1c2/0x220
[ 26.118723][ T83] ? driver_allows_async_probing+0x160/0x160
[ 26.124701][ T83] bus_for_each_drv+0x162/0x1e0
[ 26.129681][ T83] ? bus_rescan_devices+0x20/0x20
[ 26.134909][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 26.140911][ T83] ? lockdep_hardirqs_on+0x382/0x580
[ 26.146345][ T83] __device_attach+0x217/0x360
[ 26.151109][ T83] ? device_bind_driver+0xd0/0xd0
[ 26.156163][ T83] ? kobject_uevent_env+0x29e/0x1150
[ 26.161587][ T83] ? kobject_uevent_env+0x2a8/0x1150
[ 26.166867][ T83] bus_probe_device+0x1e4/0x290
[ 26.171705][ T83] ? blocking_notifier_call_chain+0x54/0xa0
[ 26.177734][ T83] device_add+0xae6/0x16f0
[ 26.182134][ T83] ? uevent_store+0x50/0x50
[ 26.186928][ T83] usb_new_device.cold+0x6a4/0xe79
[ 26.192092][ T83] hub_event+0x1dd0/0x37e0
[ 26.196551][ T83] ? hub_port_debounce+0x260/0x260
[ 26.201642][ T83] ? find_held_lock+0x2d/0x110
[ 26.206523][ T83] ? mark_held_locks+0xe0/0xe0
[ 26.211277][ T83] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.216854][ T83] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 26.222152][ T83] process_one_work+0x92b/0x1530
[ 26.227085][ T83] ? pwq_dec_nr_in_flight+0x310/0x310
[ 26.232446][ T83] ? do_raw_spin_lock+0x11a/0x280
[ 26.237537][ T83] worker_thread+0x96/0xe20
[ 26.242028][ T83] ? process_one_work+0x1530/0x1530
[ 26.247381][ T83] kthread+0x318/0x420
[ 26.251444][ T83] ? kthread_create_on_node+0xf0/0xf0
[ 26.256823][ T83] ret_from_fork+0x24/0x30
[ 26.261273][ T83] Kernel Offset: disabled
[ 26.265681][ T83] Rebooting in 86400 seconds..