Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.237' (ECDSA) to the list of known hosts.
2019/05/13 10:15:48 parsed 1 programs
2019/05/13 10:15:50 executed programs: 0
syzkaller login:
[ 60.591485][ T5501] e cgroup1: Unknown subsys name 'hugetlb'
[ 60.606785][ T5501] IPVS: ftp: loaded support on port[0] = 21
[ 60.682745][ T5501] bridge0: port 1(bridge_slave_0) entered blocking state
[ 60.690221][ T5501] bridge0: port 1(bridge_slave_0) entered disabled state
[ 60.698606][ T5501] device bridge_slave_0 entered promiscuous mode
[ 60.706923][ T5501] bridge0: port 2(bridge_slave_1) entered blocking state
[ 60.714157][ T5501] bridge0: port 2(bridge_slave_1) entered disabled state
[ 60.722269][ T5501] device bridge_slave_1 entered promiscuous mode
[ 60.737566][ T5501] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 60.747262][ T5501] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 60.764454][ T5501] team0: Port device team_slave_0 added
[ 60.771181][ T5501] team0: Port device team_slave_1 added
[ 60.795810][ T5501] bridge0: port 2(bridge_slave_1) entered blocking state
[ 60.803035][ T5501] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 60.810777][ T5501] bridge0: port 1(bridge_slave_0) entered blocking state
[ 60.817836][ T5501] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 60.848120][ T5501] 8021q: adding VLAN 0 to HW filter on device bond0
[ 60.859129][ T532] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 60.870069][ T532] bridge0: port 1(bridge_slave_0) entered disabled state
[ 60.878817][ T532] bridge0: port 2(bridge_slave_1) entered disabled state
[ 60.887049][ T532] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 60.898252][ T5501] 8021q: adding VLAN 0 to HW filter on device team0
[ 60.909235][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 60.917754][ T12] bridge0: port 1(bridge_slave_0) entered blocking state
[ 60.925443][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 60.938874][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 60.947780][ T17] bridge0: port 2(bridge_slave_1) entered blocking state
[ 60.955072][ T17] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 60.967309][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 60.976064][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 60.991936][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 61.000737][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 61.009400][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 61.053658][ T5501] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 61.386898][ T17] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 61.626452][ T17] usb 1-1: Using ep0 maxpacket: 8
[ 61.746555][ T17] usb 1-1: config 0 has an invalid interface number: 143 but max is 0
[ 61.754864][ T17] usb 1-1: config 0 has no interface number 0
[ 61.761233][ T17] usb 1-1: config 0 interface 143 has no altsetting 0
[ 61.768173][ T17] usb 1-1: New USB device found, idVendor=15a9, idProduct=0002, bcdDevice=82.2c
[ 61.777444][ T17] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 61.787600][ T17] usb 1-1: config 0 descriptor??
[ 61.976470][ T17] usb 1-1: reset high-speed USB device number 2 using dummy_hcd
[ 62.976528][ T17] usb 1-1: device descriptor read/64, error -71
[ 63.366462][ T17] usb 1-1: Using ep0 maxpacket: 8
[ 63.686592][ T17] usb 1-1: Loading firmware file isl3887usb
[ 63.707654][ T17] usb 1-1: Direct firmware load for isl3887usb failed with error -2
[ 63.714793][ T12] usb 1-1: USB disconnect, device number 2
[ 63.732585][ T17] usb 1-1: Firmware not found.
[ 63.737737][ T17] ==================================================================
[ 63.746068][ T17] BUG: KASAN: use-after-free in p54u_load_firmware_cb.cold+0x97/0x13a
[ 63.754228][ T17] Read of size 8 at addr ffff88809803f588 by task kworker/1:0/17
[ 63.761937][ T17]
[ 63.764249][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.1.0-rc3-319004-g43151d6 #6
[ 63.772903][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 63.782966][ T17] Workqueue: events request_firmware_work_func
[ 63.789103][ T17] Call Trace:
[ 63.792378][ T17]  dump_stack+0xe8/0x16e
[ 63.796608][ T17]  ? p54u_load_firmware_cb.cold+0x97/0x13a
[ 63.802510][ T17]  ? p54u_load_firmware_cb.cold+0x97/0x13a
[ 63.808326][ T17]  print_address_description+0x6c/0x236
[ 63.813870][ T17]  ? p54u_load_firmware_cb.cold+0x97/0x13a
[ 63.819687][ T17]  ? p54u_load_firmware_cb.cold+0x97/0x13a
[ 63.825531][ T17]  kasan_report.cold+0x1a/0x3c
[ 63.830285][ T17]  ? p54u_load_firmware_cb.cold+0x97/0x13a
[ 63.836076][ T17]  p54u_load_firmware_cb.cold+0x97/0x13a
[ 63.841802][ T17]  ? p54u_rx_cb+0x760/0x760
[ 63.846288][ T17]  request_firmware_work_func+0x12d/0x249
[ 63.851991][ T17]  ? request_firmware_into_buf+0x90/0x90
[ 63.857608][ T17]  ? _raw_spin_unlock_irq+0x29/0x40
[ 63.862794][ T17]  process_one_work+0x90f/0x1580
[ 63.867727][ T17]  ? wq_pool_ids_show+0x300/0x300
[ 63.872737][ T17]  ? do_raw_spin_lock+0x11f/0x290
[ 63.877750][ T17]  worker_thread+0x9b/0xe20
[ 63.882246][ T17]  ? process_one_work+0x1580/0x1580
[ 63.887436][ T17]  kthread+0x313/0x420
[ 63.891509][ T17]  ? kthread_park+0x1a0/0x1a0
[ 63.896169][ T17]  ret_from_fork+0x3a/0x50
[ 63.900611][ T17]
[ 63.902926][ T17] Allocated by task 0:
[ 63.906970][ T17] (stack is not available)
[ 63.911379][ T17]
[ 63.913687][ T17] Freed by task 0:
[ 63.917475][ T17] (stack is not available)
[ 63.921871][ T17]
[ 63.924220][ T17] The buggy address belongs to the object at ffff88809803f180
[ 63.924220][ T17]  which belongs to the cache kmalloc-1k of size 1024
[ 63.938260][ T17] The buggy address is located 8 bytes to the right of
[ 63.938260][ T17]  1024-byte region [ffff88809803f180, ffff88809803f580)
[ 63.952045][ T17] The buggy address belongs to the page:
[ 63.957675][ T17] page:ffffea0002600f00 count:1 mapcount:0 mapping:ffff88812c3f4a00 index:0x0 compound_mapcount: 0
[ 63.968592][ T17] flags: 0xfff00000010200(slab|head)
[ 63.973912][ T17] raw: 00fff00000010200 dead000000000100 dead000000000200 ffff88812c3f4a00
[ 63.982505][ T17] raw: 0000000000000000 00000000800e000e 00000001ffffffff 0000000000000000
[ 63.991082][ T17] page dumped because: kasan: bad access detected
[ 63.997477][ T17]
[ 63.999789][ T17] Memory state around the buggy address:
[ 64.005506][ T17]  ffff88809803f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.013678][ T17]  ffff88809803f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.021773][ T17] >ffff88809803f580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.029823][ T17]                             ^
[ 64.034143][ T17]  ffff88809803f600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.043094][ T17]  ffff88809803f680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.051141][ T17] ==================================================================
[ 64.059229][ T17] Disabling lock debugging due to kernel taint
[ 64.065706][ T17] Kernel panic - not syncing: panic_on_warn set ...
[ 64.072369][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Tainted: G    B    5.1.0-rc3-319004-g43151d6 #6
[ 64.082949][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.093111][ T17] Workqueue: events request_firmware_work_func
[ 64.099251][ T17] Call Trace:
[ 64.102544][ T17]  dump_stack+0xe8/0x16e
[ 64.106801][ T17]  panic+0x29d/0x5f2
[ 64.110704][ T17]  ? __warn_printk+0xf8/0xf8
[ 64.115278][ T17]  ? p54u_load_firmware_cb.cold+0x97/0x13a
[ 64.121082][ T17]  ? trace_hardirqs_on+0x55/0x1c0
[ 64.126095][ T17]  ? p54u_load_firmware_cb.cold+0x97/0x13a
[ 64.131876][ T17]  end_report+0x48/0x4e
[ 64.136013][ T17]  ? p54u_load_firmware_cb.cold+0x97/0x13a
[ 64.141806][ T17]  kasan_report.cold+0xd/0x3c
[ 64.146451][ T12] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 64.153899][ T17]  ? p54u_load_firmware_cb.cold+0x97/0x13a
[ 64.159698][ T17]  p54u_load_firmware_cb.cold+0x97/0x13a
[ 64.165314][ T17]  ? p54u_rx_cb+0x760/0x760
[ 64.169800][ T17]  request_firmware_work_func+0x12d/0x249
[ 64.175499][ T17]  ? request_firmware_into_buf+0x90/0x90
[ 64.181116][ T17]  ? _raw_spin_unlock_irq+0x29/0x40
[ 64.186299][ T17]  process_one_work+0x90f/0x1580
[ 64.191225][ T17]  ? wq_pool_ids_show+0x300/0x300
[ 64.196231][ T17]  ? do_raw_spin_lock+0x11f/0x290
[ 64.201250][ T17]  worker_thread+0x9b/0xe20
[ 64.205856][ T17]  ? process_one_work+0x1580/0x1580
[ 64.211036][ T17]  kthread+0x313/0x420
[ 64.215086][ T17]  ? kthread_park+0x1a0/0x1a0
[ 64.219747][ T17]  ret_from_fork+0x3a/0x50
[ 64.225148][ T17] Kernel Offset: disabled
[ 64.229473][ T17] Rebooting in 86400 seconds..