[ 14.246213][ C1] random: 7 urandom warning(s) missed due to ratelimiting
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.15.212' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 25.384097][ T94] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 25.484271][ T94] usb 1-1: Using ep0 maxpacket: 32
[ 25.604160][ T94] usb 1-1: config 0 interface 0 altsetting 0 has 0 endpoint descriptors, different from the interface descriptor's value: 1
[ 25.773912][ T94] usb 1-1: New USB device found, idVendor=17e9, idProduct=3f57, bcdDevice= 6.02
[ 25.783953][ T94] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 25.792035][ T94] usb 1-1: Product: syz
[ 25.796346][ T94] usb 1-1: Manufacturer: syz
[ 25.801045][ T94] usb 1-1: SerialNumber: syz
[ 25.807789][ T94] usb 1-1: config 0 descriptor??
executing program
[ 26.105711][ T94] ==================================================================
[ 26.105716][ T94] BUG: KASAN: slab-out-of-bounds in hex_string+0x439/0x4c0
[ 26.105719][ T94] Read of size 1 at addr ffff8881d11554db by task kworker/0:2/94
[ 26.105720][ T94]
[ 26.105724][ T94] CPU: 0 PID: 94 Comm: kworker/0:2 Not tainted 5.7.0-rc1-syzkaller #0
[ 26.105728][ T94] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.105730][ T94] Workqueue: usb_hub_wq hub_event
[ 26.105733][ T94] Call Trace:
[ 26.105735][ T94] dump_stack+0xef/0x16e
[ 26.105738][ T94] print_address_description.constprop.0.cold+0xd3/0x314
[ 26.105739][ T94] ? hex_string+0x439/0x4c0
[ 26.105741][ T94] __kasan_report.cold+0x37/0x92
[ 26.105743][ T94] ? hex_string+0x439/0x4c0
[ 26.105745][ T94] ? hex_string+0x439/0x4c0
[ 26.105747][ T94] kasan_report+0x33/0x50
[ 26.105749][ T94] hex_string+0x439/0x4c0
[ 26.105751][ T94] ? check_pointer+0x210/0x210
[ 26.105753][ T94] ? __lock_acquire+0x2248/0x6650
[ 26.105755][ T94] ? number+0x82a/0xb00
[ 26.105757][ T94] ? lock_pin_lock+0x62/0x300
[ 26.105758][ T94] pointer+0x45b/0x680
[ 26.105760][ T94] ? file_dentry_name+0x120/0x120
[ 26.105762][ T94] ? __bfs+0x76/0x520
[ 26.105764][ T94] vsnprintf+0x5ac/0x14f0
[ 26.105766][ T94] ? pointer+0x680/0x680
[ 26.105767][ T94] ? mark_lock+0x12b/0x1510
[ 26.105769][ T94] ? set_precision+0x170/0x170
[ 26.105771][ T94] va_format.isra.0+0x129/0x1b0
[ 26.105773][ T94] ? vsnprintf+0x14f0/0x14f0
[ 26.105775][ T94] ? string_nocheck+0x1a9/0x220
[ 26.105777][ T94] ? widen_string+0x2a0/0x2a0
[ 26.105779][ T94] pointer+0x4bf/0x680
[ 26.105781][ T94] ? file_dentry_name+0x120/0x120
[ 26.105783][ T94] ? hex_string+0x4c0/0x4c0
[ 26.105785][ T94] ? ret_from_fork+0x24/0x30
[ 26.105787][ T94] vsnprintf+0x5ac/0x14f0
[ 26.105788][ T94] ? pointer+0x680/0x680
[ 26.105790][ T94] ? lock_release+0x720/0x720
[ 26.105792][ T94] vscnprintf+0x29/0x80
[ 26.105794][ T94] vprintk_store+0x40/0x4b0
[ 26.105796][ T94] vprintk_emit+0xc8/0x3e0
[ 26.105798][ T94] dev_vprintk_emit+0x4fc/0x541
[ 26.105800][ T94] ? dev_attr_show.cold+0x3a/0x3a
[ 26.105802][ T94] ? usb_set_configuration+0xed4/0x1850
[ 26.105804][ T94] ? mark_lock+0x12b/0x1510
[ 26.105806][ T94] ? usb_new_device.cold+0x552/0xf6e
[ 26.105808][ T94] ? hub_event+0x226d/0x43c0
[ 26.105810][ T94] ? process_one_work+0x965/0x1630
[ 26.105812][ T94] ? worker_thread+0x96/0xe20
[ 26.105814][ T94] ? kthread+0x326/0x430
[ 26.105816][ T94] ? print_usage_bug+0x200/0x200
[ 26.105818][ T94] dev_printk_emit+0xba/0xf1
[ 26.105820][ T94] ? dev_vprintk_emit+0x541/0x541
[ 26.105822][ T94] ? lockdep_hardirqs_on+0x3c7/0x5d0
[ 26.105824][ T94] __dev_printk+0x1db/0x203
[ 26.105825][ T94] _dev_info+0xd7/0x109
[ 26.105827][ T94] ? _dev_notice+0x109/0x109
[ 26.105829][ T94] ? dlfb_usb_probe+0x21a/0x450
[ 26.105832][ T94] ? usb_get_descriptor+0xcd/0x1b0
[ 26.105834][ T94] ? usb_get_descriptor+0x13d/0x1b0
[ 26.105836][ T94] ? __usb_get_extra_descriptor+0x15d/0x1a0
[ 26.105838][ T94] dlfb_usb_probe.cold+0x102d/0x1c03
[ 26.105840][ T94] ? mark_held_locks+0x9f/0xe0
[ 26.105842][ T94] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 26.105845][ T94] ? lockdep_hardirqs_on+0x3c7/0x5d0
[ 26.105847][ T94] ? __pm_runtime_set_status+0x5d5/0xa10
[ 26.105849][ T94] ? edid_store+0x180/0x180
[ 26.105851][ T94] ? __pm_runtime_resume+0x111/0x180
[ 26.105853][ T94] usb_probe_interface+0x310/0x800
[ 26.105855][ T94] ? usb_probe_device+0x230/0x230
[ 26.105857][ T94] really_probe+0x290/0xac0
[ 26.105859][ T94] driver_probe_device+0x223/0x350
[ 26.105861][ T94] __device_attach_driver+0x1d1/0x290
[ 26.105864][ T94] ? driver_allows_async_probing+0x160/0x160
[ 26.105866][ T94] bus_for_each_drv+0x162/0x1e0
[ 26.105868][ T94] ? bus_rescan_devices+0x20/0x20
[ 26.105870][ T94] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 26.105872][ T94] ? lockdep_hardirqs_on+0x3c7/0x5d0
[ 26.105874][ T94] __device_attach+0x21a/0x390
[ 26.105876][ T94] ? device_bind_driver+0xd0/0xd0
[ 26.105878][ T94] bus_probe_device+0x1e4/0x290
[ 26.105880][ T94] device_add+0x1367/0x1c20
[ 26.105882][ T94] ? wait_for_completion+0x280/0x280
[ 26.105884][ T94] ? device_link_remove+0x110/0x110
[ 26.105887][ T94] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 26.105889][ T94] usb_set_configuration+0xed4/0x1850
[ 26.105891][ T94] usb_generic_driver_probe+0x9d/0xe0
[ 26.105893][ T94] usb_probe_device+0xd9/0x230
[ 26.105895][ T94] ? usb_suspend+0x600/0x600
[ 26.105897][ T94] really_probe+0x290/0xac0
[ 26.105899][ T94] driver_probe_device+0x223/0x350
[ 26.105901][ T94] __device_attach_driver+0x1d1/0x290
[ 26.105903][ T94] ? driver_allows_async_probing+0x160/0x160
[ 26.105905][ T94] bus_for_each_drv+0x162/0x1e0
[ 26.105907][ T94] ? bus_rescan_devices+0x20/0x20
[ 26.105910][ T94] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 26.105912][ T94] ? lockdep_hardirqs_on+0x3c7/0x5d0
[ 26.105914][ T94] __device_attach+0x21a/0x390
[ 26.105916][ T94] ? device_bind_driver+0xd0/0xd0
[ 26.105918][ T94] bus_probe_device+0x1e4/0x290
[ 26.105920][ T94] device_add+0x1367/0x1c20
[ 26.105922][ T94] ? device_link_remove+0x110/0x110
[ 26.105924][ T94] usb_new_device.cold+0x552/0xf6e
[ 26.105926][ T94] ? hub_disconnect+0x4a0/0x4a0
[ 26.105928][ T94] ? mark_held_locks+0x9f/0xe0
[ 26.105930][ T94] ? _raw_spin_unlock_irq+0x1f/0x30
[ 26.105932][ T94] hub_event+0x226d/0x43c0
[ 26.105934][ T94] ? hub_port_debounce+0x350/0x350
[ 26.105936][ T94] ? umh_clean_and_save_pid+0x1/0xd0
[ 26.105939][ T94] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.105941][ T94] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 26.105943][ T94] ? _raw_spin_unlock_irq+0x1f/0x30
[ 26.105945][ T94] process_one_work+0x965/0x1630
[ 26.105947][ T94] ? lock_release+0x720/0x720
[ 26.105949][ T94] ? pwq_dec_nr_in_flight+0x310/0x310
[ 26.105951][ T94] ? rwlock_bug.part.0+0x90/0x90
[ 26.105953][ T94] worker_thread+0x96/0xe20
[ 26.105955][ T94] ? process_one_work+0x1630/0x1630
[ 26.105957][ T94] kthread+0x326/0x430
[ 26.105959][ T94] ? kthread_create_on_node+0xf0/0xf0
[ 26.105961][ T94] ret_from_fork+0x24/0x30
[ 26.105962][ T94]
[ 26.105964][ T94] Allocated by task 94:
[ 26.105966][ T94] save_stack+0x1b/0x40
[ 26.105968][ T94] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 26.105970][ T94] usb_get_configuration+0x311/0x3a20
[ 26.105972][ T94] usb_new_device+0x42c/0x740
[ 26.105974][ T94] hub_event+0x226d/0x43c0
[ 26.105976][ T94] process_one_work+0x965/0x1630
[ 26.105978][ T94] worker_thread+0x96/0xe20
[ 26.105979][ T94] kthread+0x326/0x430
[ 26.105981][ T94] ret_from_fork+0x24/0x30
[ 26.105983][ T94]
[ 26.105984][ T94] Freed by task 234:
[ 26.105986][ T94] save_stack+0x1b/0x40
[ 26.105988][ T94] __kasan_slab_free+0x117/0x160
[ 26.105990][ T94] kfree+0xd5/0x300
[ 26.105992][ T94] single_release+0x8c/0xb0
[ 26.105993][ T94] __fput+0x33b/0x880
[ 26.105995][ T94] task_work_run+0xf4/0x1b0
[ 26.105997][ T94] exit_to_usermode_loop+0x1d2/0x200
[ 26.105999][ T94] do_syscall_64+0x4e0/0x5a0
[ 26.106002][ T94] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 26.106003][ T94]
[ 26.106006][ T94] The buggy address belongs to the object at ffff8881d11554c0
[ 26.106009][ T94] which belongs to the cache kmalloc-32 of size 32
[ 26.106011][ T94] The buggy address is located 27 bytes inside of
[ 26.106014][ T94] 32-byte region [ffff8881d11554c0, ffff8881d11554e0)
[ 26.106017][ T94] The buggy address belongs to the page:
[ 26.106020][ T94] page:ffffea0007445540 refcount:1 mapcount:0 mapping:0000000039800198 index:0x0
[ 26.106022][ T94] flags: 0x200000000000200(slab)
[ 26.106026][ T94] raw: 0200000000000200 ffffea00071c7040 0000001500000015 ffff8881da003400
[ 26.106029][ T94] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[ 26.106032][ T94] page dumped because: kasan: bad access detected
[ 26.106033][ T94]
[ 26.106036][ T94] Memory state around the buggy address:
[ 26.106039][ T94] ffff8881d1155380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 26.106042][ T94] ffff8881d1155400: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 26.106045][ T94] >ffff8881d1155480: fb fb fb fb fc fc fc fc 00 00 00 03 fc fc fc fc
[ 26.106048][ T94] ^
[ 26.106051][ T94] ffff8881d1155500: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 26.106055][ T94] ffff8881d1155580: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 26.106058][ T94] ==================================================================
[ 26.106061][ T94] Disabling lock debugging due to kernel taint
[ 26.106063][ T94] Kernel panic - not syncing: panic_on_warn set ...
[ 26.106067][ T94] CPU: 0 PID: 94 Comm: kworker/0:2 Tainted: G B 5.7.0-rc1-syzkaller #0
[ 26.106071][ T94] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.106073][ T94] Workqueue: usb_hub_wq hub_event
[ 26.106076][ T94] Call Trace:
[ 26.106077][ T94] dump_stack+0xef/0x16e
[ 26.106079][ T94] panic+0x2aa/0x6e1
[ 26.106081][ T94] ? add_taint.cold+0x16/0x16
[ 26.106083][ T94] ? print_shadow_for_address+0xb8/0x114
[ 26.106085][ T94] ? trace_hardirqs_off+0x50/0x200
[ 26.106087][ T94] ? hex_string+0x439/0x4c0
[ 26.106089][ T94] end_report+0x4d/0x53
[ 26.106091][ T94] __kasan_report.cold+0x72/0x92
[ 26.106093][ T94] ? hex_string+0x439/0x4c0
[ 26.106095][ T94] ? hex_string+0x439/0x4c0
[ 26.106097][ T94] kasan_report+0x33/0x50
[ 26.106098][ T94] hex_string+0x439/0x4c0
[ 26.106100][ T94] ? check_pointer+0x210/0x210
[ 26.106102][ T94] ? __lock_acquire+0x2248/0x6650
[ 26.106104][ T94] ? number+0x82a/0xb00
[ 26.106106][ T94] ? lock_pin_lock+0x62/0x300
[ 26.106108][ T94] pointer+0x45b/0x680
[ 26.106127][ T94] ? file_dentry_name+0x120/0x120
[ 26.106129][ T94] ? __bfs+0x76/0x520
[ 26.106131][ T94] vsnprintf+0x5ac/0x14f0
[ 26.106133][ T94] ? pointer+0x680/0x680
[ 26.106134][ T94] ? mark_lock+0x12b/0x1510
[ 26.106137][ T94] ? set_precision+0x170/0x170
[ 26.106139][ T94] va_format.isra.0+0x129/0x1b0
[ 26.106141][ T94] ? vsnprintf+0x14f0/0x14f0
[ 26.106143][ T94] ? string_nocheck+0x1a9/0x220
[ 26.106145][ T94] ? widen_string+0x2a0/0x2a0
[ 26.106147][ T94] pointer+0x4bf/0x680
[ 26.106149][ T94] ? file_dentry_name+0x120/0x120
[ 26.106151][ T94] ? hex_string+0x4c0/0x4c0
[ 26.106153][ T94] ? ret_from_fork+0x24/0x30
[ 26.106155][ T94] vsnprintf+0x5ac/0x14f0
[ 26.106156][ T94] ? pointer+0x680/0x680
[ 26.106158][ T94] ? lock_release+0x720/0x720
[ 26.106160][ T94] vscnprintf+0x29/0x80
[ 26.106162][ T94] vprintk_store+0x40/0x4b0
[ 26.106164][ T94] vprintk_emit+0xc8/0x3e0
[ 26.106166][ T94] dev_vprintk_emit+0x4fc/0x541
[ 26.106168][ T94] ? dev_attr_show.cold+0x3a/0x3a
[ 26.106171][ T94] ? usb_set_configuration+0xed4/0x1850
[ 26.106173][ T94] ? mark_lock+0x12b/0x1510
[ 26.106175][ T94] ? usb_new_device.cold+0x552/0xf6e
[ 26.106177][ T94] ? hub_event+0x226d/0x43c0
[ 26.106179][ T94] ? process_one_work+0x965/0x1630
[ 26.106181][ T94] ? worker_thread+0x96/0xe20
[ 26.106183][ T94] ? kthread+0x326/0x430
[ 26.106185][ T94] ? print_usage_bug+0x200/0x200
[ 26.106187][ T94] dev_printk_emit+0xba/0xf1
[ 26.106189][ T94] ? dev_vprintk_emit+0x541/0x541
[ 26.106191][ T94] ? lockdep_hardirqs_on+0x3c7/0x5d0
[ 26.106193][ T94] __dev_printk+0x1db/0x203
[ 26.106195][ T94] _dev_info+0xd7/0x109
[ 26.106197][ T94] ? _dev_notice+0x109/0x109
[ 26.106199][ T94] ? dlfb_usb_probe+0x21a/0x450
[ 26.106201][ T94] ? usb_get_descriptor+0xcd/0x1b0
[ 26.106203][ T94] ? usb_get_descriptor+0x13d/0x1b0
[ 26.106206][ T94] ? __usb_get_extra_descriptor+0x15d/0x1a0
[ 26.106208][ T94] dlfb_usb_probe.cold+0x102d/0x1c03
[ 26.106210][ T94] ? mark_held_locks+0x9f/0xe0
[ 26.106212][ T94] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 26.106215][ T94] ? lockdep_hardirqs_on+0x3c7/0x5d0
[ 26.106217][ T94] ? __pm_runtime_set_status+0x5d5/0xa10
[ 26.106219][ T94] ? edid_store+0x180/0x180
[ 26.106221][ T94] ? __pm_runtime_resume+0x111/0x180
[ 26.106223][ T94] usb_probe_interface+0x310/0x800
[ 26.106225][ T94] ? usb_probe_device+0x230/0x230
[ 26.106227][ T94] really_probe+0x290/0xac0
[ 26.106229][ T94] driver_probe_device+0x223/0x350
[ 26.106232][ T94] __device_attach_driver+0x1d1/0x290
[ 26.106234][ T94] ? driver_allows_async_probing+0x160/0x160
[ 26.106236][ T94] bus_for_each_drv+0x162/0x1e0
[ 26.106238][ T94] ? bus_rescan_devices+0x20/0x20
[ 26.106241][ T94] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 26.106243][ T94] ? lockdep_hardirqs_on+0x3c7/0x5d0
[ 26.106245][ T94] __device_attach+0x21a/0x390
[ 26.106247][ T94] ? device_bind_driver+0xd0/0xd0
[ 26.106249][ T94] bus_probe_device+0x1e4/0x290
[ 26.106251][ T94] device_add+0x1367/0x1c20
[ 26.106253][ T94] ? wait_for_completion+0x280/0x280
[ 26.106255][ T94] ? device_link_remove+0x
[ 26.106260][ T94] Lost 38 message(s)!