[ 16.757428][ C1] random: crng init done
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 35.517952][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 35.757474][ T83] usb 1-1: Using ep0 maxpacket: 32
[ 35.877565][ T83] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7
[ 35.888772][ T83] usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 9
[ 35.901837][ T83] usb 1-1: New USB device found, idVendor=046d, idProduct=c71c, bcdDevice= 0.40
[ 35.910885][ T83] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 35.920413][ T83] usb 1-1: config 0 descriptor??
[ 36.389350][ T83] logitech-djreceiver 0003:046D:C71C.0001: unknown main item tag 0x0
[ 36.397682][ T83] logitech-djreceiver 0003:046D:C71C.0001: unknown main item tag 0x0
[ 36.405951][ T83] logitech-djreceiver 0003:046D:C71C.0001: unknown main item tag 0x0
[ 36.414160][ T83] logitech-djreceiver 0003:046D:C71C.0001: unknown main item tag 0x0
[ 36.422359][ T83] logitech-djreceiver 0003:046D:C71C.0001: unknown main item tag 0x0
[ 36.430656][ T83] logitech-djreceiver 0003:046D:C71C.0001: unknown main item tag 0x0
[ 36.438874][ T83] logitech-djreceiver 0003:046D:C71C.0001: unknown main item tag 0x0
[ 36.446943][ T83] logitech-djreceiver 0003:046D:C71C.0001: unknown main item tag 0x0
[ 36.455199][ T83] logitech-djreceiver 0003:046D:C71C.0001: unknown main item tag 0x0
[ 36.463499][ T83] logitech-djreceiver 0003:046D:C71C.0001: unknown main item tag 0x0
[ 36.473427][ T83] logitech-djreceiver 0003:046D:C71C.0001: hidraw0: USB HID v0.00 Device [HID 046d:c71c] on usb-dummy_hcd.0-1/input0
[ 36.588783][ T83] usb 1-1: USB disconnect, device number 2
[ 36.788859][ T1725] ==================================================================
[ 36.797262][ T1725] BUG: KASAN: use-after-free in hidraw_ioctl+0x5e1/0xae0
[ 36.804384][ T1725] Read of size 4 at addr ffff8881d5cb4018 by task syz-executor128/1725
[ 36.812834][ T1725]
[ 36.815199][ T1725] CPU: 1 PID: 1725 Comm: syz-executor128 Not tainted 5.3.0-rc2+ #25
[ 36.823285][ T1725] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.833355][ T1725] Call Trace:
[ 36.836653][ T1725]  dump_stack+0xca/0x13e
[ 36.840950][ T1725]  ? hidraw_ioctl+0x5e1/0xae0
[ 36.845659][ T1725]  ? hidraw_ioctl+0x5e1/0xae0
[ 36.850324][ T1725]  print_address_description+0x6a/0x32c
[ 36.855865][ T1725]  ? hidraw_ioctl+0x5e1/0xae0
[ 36.860662][ T1725]  ? hidraw_ioctl+0x5e1/0xae0
[ 36.865368][ T1725]  __kasan_report.cold+0x1a/0x33
[ 36.870296][ T1725]  ? hidraw_ioctl+0x5e1/0xae0
[ 36.875057][ T1725]  kasan_report+0xe/0x12
[ 36.879293][ T1725]  hidraw_ioctl+0x5e1/0xae0
[ 36.883899][ T1725]  ? hidraw_disconnect+0x2c0/0x2c0
[ 36.889088][ T1725]  ? lock_acquire+0x127/0x320
[ 36.893887][ T1725]  ? debug_object_free+0x52/0x340
[ 36.898902][ T1725]  ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 36.904700][ T1725]  ? hidraw_disconnect+0x2c0/0x2c0
[ 36.909969][ T1725]  do_vfs_ioctl+0xd2d/0x1330
[ 36.914628][ T1725]  ? ioctl_preallocate+0x200/0x200
[ 36.919731][ T1725]  ? hrtimer_nanosleep+0x28a/0x510
[ 36.925034][ T1725]  ? nanosleep_copyout+0x100/0x100
[ 36.930273][ T1725]  ? _copy_from_user+0x123/0x190
[ 36.935202][ T1725]  ? clock_was_set_work+0x20/0x20
[ 36.940214][ T1725]  ? put_old_itimerspec32+0x1d0/0x1d0
[ 36.945610][ T1725]  ? rwlock_bug.part.0+0x90/0x90
[ 36.950537][ T1725]  ksys_ioctl+0x9b/0xc0
[ 36.954681][ T1725]  __x64_sys_ioctl+0x6f/0xb0
[ 36.959371][ T1725]  ? lockdep_hardirqs_on+0x379/0x580
[ 36.964765][ T1725]  do_syscall_64+0xb7/0x580
[ 36.969361][ T1725]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.975489][ T1725] RIP: 0033:0x444749
[ 36.979434][ T1725] Code: e8 bc af 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 36.999037][ T1725] RSP: 002b:00007ffcf6666bb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 37.007430][ T1725] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444749
[ 37.015625][ T1725] RDX: 00000000200003c0 RSI: 0000000090044802 RDI: 0000000000000004
[ 37.023643][ T1725] RBP: 00000000006cf018 R08: 000000000000000b R09: 00000000004002e0
[ 37.031712][ T1725] R10: 000000000000000f R11: 0000000000000246 R12: 00000000004023f0
[ 37.039678][ T1725] R13: 0000000000402480 R14: 0000000000000000 R15: 0000000000000000
[ 37.047643][ T1725]
[ 37.050436][ T1725] Allocated by task 83:
[ 37.054586][ T1725]  save_stack+0x1b/0x80
[ 37.059012][ T1725]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 37.064638][ T1725]  __kmalloc_node_track_caller+0xd0/0x230
[ 37.070436][ T1725]  __kmalloc_reserve.isra.0+0x39/0xe0
[ 37.076007][ T1725]  __alloc_skb+0xef/0x5a0
[ 37.080327][ T1725]  alloc_uevent_skb+0x7b/0x210
[ 37.085070][ T1725]  kobject_uevent_env+0x8ee/0x1160
[ 37.090265][ T1725]  device_release_driver_internal+0x3c4/0x4c0
[ 37.096318][ T1725]  bus_remove_device+0x2dc/0x4a0
[ 37.101359][ T1725]  device_del+0x420/0xb10
[ 37.105767][ T1725]  usb_disconnect+0x4c3/0x8d0
[ 37.110452][ T1725]  hub_event+0x1454/0x3640
[ 37.114859][ T1725]  process_one_work+0x92b/0x1530
[ 37.119792][ T1725]  worker_thread+0x96/0xe20
[ 37.124276][ T1725]  kthread+0x318/0x420
[ 37.128333][ T1725]  ret_from_fork+0x24/0x30
[ 37.132720][ T1725]
[ 37.135034][ T1725] Freed by task 239:
[ 37.138919][ T1725]  save_stack+0x1b/0x80
[ 37.143058][ T1725]  __kasan_slab_free+0x130/0x180
[ 37.148027][ T1725]  kfree+0xe4/0x2f0
[ 37.151827][ T1725]  skb_free_head+0x8b/0xa0
[ 37.156408][ T1725]  skb_release_data+0x41f/0x7c0
[ 37.161248][ T1725]  skb_release_all+0x46/0x60
[ 37.165826][ T1725]  consume_skb+0xd9/0x320
[ 37.170182][ T1725]  skb_free_datagram+0x16/0xf0
[ 37.174941][ T1725]  netlink_recvmsg+0x65e/0xee0
[ 37.179691][ T1725]  sock_recvmsg+0xca/0x110
[ 37.184084][ T1725]  ___sys_recvmsg+0x271/0x5a0
[ 37.188745][ T1725]  __sys_recvmsg+0xe9/0x1b0
[ 37.193231][ T1725]  do_syscall_64+0xb7/0x580
[ 37.197714][ T1725]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.203581][ T1725]
[ 37.205964][ T1725] The buggy address belongs to the object at ffff8881d5cb4000
[ 37.205964][ T1725]  which belongs to the cache kmalloc-1k of size 1024
[ 37.220123][ T1725] The buggy address is located 24 bytes inside of
[ 37.220123][ T1725]  1024-byte region [ffff8881d5cb4000, ffff8881d5cb4400)
[ 37.233610][ T1725] The buggy address belongs to the page:
[ 37.239681][ T1725] page:ffffea0007572d00 refcount:1 mapcount:0 mapping:ffff8881da002280 index:0x0 compound_mapcount: 0
[ 37.250604][ T1725] flags: 0x200000000010200(slab|head)
[ 37.256094][ T1725] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da002280
[ 37.264712][ T1725] raw: 0000000000000000 00000000800e000e 00000001ffffffff 0000000000000000
[ 37.273280][ T1725] page dumped because: kasan: bad access detected
[ 37.279774][ T1725]
[ 37.282078][ T1725] Memory state around the buggy address:
[ 37.287701][ T1725]  ffff8881d5cb3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.295744][ T1725]  ffff8881d5cb3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.303789][ T1725] >ffff8881d5cb4000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.311876][ T1725]                             ^
[ 37.316722][ T1725]  ffff8881d5cb4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.324775][ T1725]  ffff8881d5cb4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.333029][ T1725] ==================================================================
[ 37.341206][ T1725] Disabling lock debugging due to kernel taint
[ 37.347524][ T1725] Kernel panic - not syncing: panic_on_warn set ...
[ 37.354247][ T1725] CPU: 1 PID: 1725 Comm: syz-executor128 Tainted: G B 5.3.0-rc2+ #25
[ 37.363895][ T1725] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.374164][ T1725] Call Trace:
[ 37.377450][ T1725]  dump_stack+0xca/0x13e
[ 37.381675][ T1725]  panic+0x2a3/0x6da
[ 37.385659][ T1725]  ? add_taint.cold+0x16/0x16
[ 37.390908][ T1725]  ? retint_kernel+0x10/0x10
[ 37.396039][ T1725]  ? trace_hardirqs_on+0x55/0x1e0
[ 37.401412][ T1725]  ? hidraw_ioctl+0x5e1/0xae0
[ 37.406074][ T1725]  end_report+0x43/0x49
[ 37.410376][ T1725]  ? hidraw_ioctl+0x5e1/0xae0
[ 37.415300][ T1725]  __kasan_report.cold+0xd/0x33
[ 37.420292][ T1725]  ? hidraw_ioctl+0x5e1/0xae0
[ 37.425041][ T1725]  kasan_report+0xe/0x12
[ 37.429260][ T1725]  hidraw_ioctl+0x5e1/0xae0
[ 37.434280][ T1725]  ? hidraw_disconnect+0x2c0/0x2c0
[ 37.439684][ T1725]  ? lock_acquire+0x127/0x320
[ 37.444395][ T1725]  ? debug_object_free+0x52/0x340
[ 37.449407][ T1725]  ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 37.455239][ T1725]  ? hidraw_disconnect+0x2c0/0x2c0
[ 37.460562][ T1725]  do_vfs_ioctl+0xd2d/0x1330
[ 37.465425][ T1725]  ? ioctl_preallocate+0x200/0x200
[ 37.470643][ T1725]  ? hrtimer_nanosleep+0x28a/0x510
[ 37.475739][ T1725]  ? nanosleep_copyout+0x100/0x100
[ 37.480985][ T1725]  ? _copy_from_user+0x123/0x190
[ 37.486019][ T1725]  ? clock_was_set_work+0x20/0x20
[ 37.491652][ T1725]  ? put_old_itimerspec32+0x1d0/0x1d0
[ 37.497007][ T1725]  ? rwlock_bug.part.0+0x90/0x90
[ 37.502055][ T1725]  ksys_ioctl+0x9b/0xc0
[ 37.506335][ T1725]  __x64_sys_ioctl+0x6f/0xb0
[ 37.511256][ T1725]  ? lockdep_hardirqs_on+0x379/0x580
[ 37.516526][ T1725]  do_syscall_64+0xb7/0x580
[ 37.521091][ T1725]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.526981][ T1725] RIP: 0033:0x444749
[ 37.530995][ T1725] Code: e8 bc af 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 37.550710][ T1725] RSP: 002b:00007ffcf6666bb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 37.559479][ T1725] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444749
[ 37.567570][ T1725] RDX: 00000000200003c0 RSI: 0000000090044802 RDI: 0000000000000004
[ 37.575672][ T1725] RBP: 00000000006cf018 R08: 000000000000000b R09: 00000000004002e0
[ 37.583794][ T1725] R10: 000000000000000f R11: 0000000000000246 R12: 00000000004023f0
[ 37.591853][ T1725] R13: 0000000000402480 R14: 0000000000000000 R15: 0000000000000000
[ 37.600872][ T1725] Kernel Offset: disabled
[ 37.605201][ T1725] Rebooting in 86400 seconds..