[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 14.733348][ T1666] random: sshd: uninitialized urandom read (32 bytes read)
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 18.788802][ T1700] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.804717][ C1] random: crng init done
[ 27.399841][ T1738] can: request_module (can-proto-0) failed.
[ 27.481239][ T1738] can: request_module (can-proto-0) failed.
Warning: Permanently added '10.128.15.196' (ECDSA) to the list of known hosts.
2019/11/16 05:51:46 parsed 1 programs
2019/11/16 05:51:46 executed programs: 0
[ 34.288285][ T1860] cgroup1: Unknown subsys name 'perf_event'
[ 34.288288][ T1856] cgroup1: Unknown subsys name 'perf_event'
[ 34.289092][ T1856] cgroup1: Unknown subsys name 'net_cls'
[ 34.294513][ T1860] cgroup1: Unknown subsys name 'net_cls'
[ 34.301718][ T1858] cgroup1: Unknown subsys name 'perf_event'
[ 34.314615][ T1864] cgroup1: Unknown subsys name 'perf_event'
[ 34.319174][ T1862] cgroup1: Unknown subsys name 'perf_event'
[ 34.324767][ T1865] cgroup1: Unknown subsys name 'perf_event'
[ 34.332090][ T1858] cgroup1: Unknown subsys name 'net_cls'
[ 34.341798][ T1862] cgroup1: Unknown subsys name 'net_cls'
[ 34.343079][ T1864] cgroup1: Unknown subsys name 'net_cls'
[ 34.353681][ T1865] cgroup1: Unknown subsys name 'net_cls'
[ 37.547493][ T17] usb 2-1: new high-speed USB device number 2 using dummy_hcd
[ 37.567978][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 37.597450][ T1739] usb 6-1: new high-speed USB device number 2 using dummy_hcd
[ 37.617566][ T78] usb 4-1: new high-speed USB device number 2 using dummy_hcd
[ 37.677441][ T102] usb 3-1: new high-speed USB device number 2 using dummy_hcd
[ 37.687547][ T12] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 37.787960][ T17] usb 2-1: Using ep0 maxpacket: 16
[ 37.807524][ T83] usb 1-1: Using ep0 maxpacket: 16
[ 37.837429][ T1739] usb 6-1: Using ep0 maxpacket: 16
[ 37.857467][ T78] usb 4-1: Using ep0 maxpacket: 16
[ 37.908080][ T17] usb 2-1: config index 0 descriptor too short (expected 8475, got 27)
[ 37.916527][ T17] usb 2-1: config 12 has too many interfaces: 208, using maximum allowed: 32
[ 37.925464][ T17] usb 2-1: config 12 has 1 interface, different from the descriptor's value: 208
[ 37.927403][ T102] usb 3-1: Using ep0 maxpacket: 16
[ 37.934846][ T83] usb 1-1: config index 0 descriptor too short (expected 8475, got 27)
[ 37.940054][ T12] usb 5-1: Using ep0 maxpacket: 16
[ 37.948062][ T83] usb 1-1: config 12 has too many interfaces: 208, using maximum allowed: 32
[ 37.948079][ T83] usb 1-1: config 12 has 1 interface, different from the descriptor's value: 208
[ 37.948401][ T83] usb 1-1: config 12 interface 0 altsetting 0 bulk endpoint 0x8F has invalid maxpacket 73
[ 37.981144][ T83] usb 1-1: New USB device found, idVendor=1d50, idProduct=60c6, bcdDevice=1a.d7
[ 37.990276][ T83] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 37.998345][ T1739] usb 6-1: config index 0 descriptor too short (expected 8475, got 27)
[ 38.006597][ T1739] usb 6-1: config 12 has too many interfaces: 208, using maximum allowed: 32
[ 38.015436][ T1739] usb 6-1: config 12 has 1 interface, different from the descriptor's value: 208
[ 38.024647][ T78] usb 4-1: config index 0 descriptor too short (expected 8475, got 27)
[ 38.032949][ T78] usb 4-1: config 12 has too many interfaces: 208, using maximum allowed: 32
[ 38.041794][ T78] usb 4-1: config 12 has 1 interface, different from the descriptor's value: 208
[ 38.051430][ T17] usb 2-1: config 12 interface 0 altsetting 0 bulk endpoint 0x8F has invalid maxpacket 73
[ 38.061372][ T17] usb 2-1: New USB device found, idVendor=1d50, idProduct=60c6, bcdDevice=1a.d7
[ 38.070451][ T17] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 38.077577][ T12] usb 5-1: config index 0 descriptor too short (expected 8475, got 27)
[ 38.078508][ T1739] usb 6-1: config 12 interface 0 altsetting 0 bulk endpoint 0x8F has invalid maxpacket 73
[ 38.086732][ T12] usb 5-1: config 12 has too many interfaces: 208, using maximum allowed: 32
[ 38.096730][ T1739] usb 6-1: New USB device found, idVendor=1d50, idProduct=60c6, bcdDevice=1a.d7
[ 38.105479][ T12] usb 5-1: config 12 has 1 interface, different from the descriptor's value: 208
[ 38.106070][ T102] usb 3-1: config index 0 descriptor too short (expected 8475, got 27)
[ 38.114542][ T1739] usb 6-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 38.114588][ T78] usb 4-1: config 12 interface 0 altsetting 0 bulk endpoint 0x8F has invalid maxpacket 73
[ 38.123689][ T102] usb 3-1: config 12 has too many interfaces: 208, using maximum allowed: 32
[ 38.123702][ T102] usb 3-1: config 12 has 1 interface, different from the descriptor's value: 208
[ 38.123866][ T102] usb 3-1: config 12 interface 0 altsetting 0 bulk endpoint 0x8F has invalid maxpacket 73
[ 38.132032][ T78] usb 4-1: New USB device found, idVendor=1d50, idProduct=60c6, bcdDevice=1a.d7
[ 38.132046][ T78] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 38.194906][ T102] usb 3-1: New USB device found, idVendor=1d50, idProduct=60c6, bcdDevice=1a.d7
[ 38.203995][ T102] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 38.212077][ T12] usb 5-1: config 12 interface 0 altsetting 0 bulk endpoint 0x8F has invalid maxpacket 73
[ 38.222041][ T12] usb 5-1: New USB device found, idVendor=1d50, idProduct=60c6, bcdDevice=1a.d7
[ 38.231087][ T12] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 38.467606][ T78] usb 4-1: string descriptor 0 read error: -71
[ 38.475268][ T17] usb 2-1: string descriptor 0 read error: -71
[ 38.482326][ T83] usb 1-1: string descriptor 0 read error: -71
[ 38.488745][ T1739] usb 6-1: string descriptor 0 read error: -71
[ 38.517597][ T12] usb 5-1: string descriptor 0 read error: -71
[ 38.521202][ T17] chaoskey 2-1:12.0: Unable to register with hwrng
[ 38.523987][ T102] usb 3-1: string descriptor 0 read error: -71
[ 38.530712][ T78] chaoskey 4-1:12.0: Unable to register with hwrng
[ 38.543140][ T1739] chaoskey 6-1:12.0: Unable to register with hwrng
[ 38.550511][ T83] usb 1-1: USB disconnect, device number 2
[ 38.564009][ T1739] usb 6-1: USB disconnect, device number 2
[ 38.578618][ T17] usb 2-1: USB disconnect, device number 2
[ 38.578759][ T102] chaoskey 3-1:12.0: Unable to register with hwrng
[ 38.591369][ T78] usb 4-1: USB disconnect, device number 2
[ 38.592010][ T12] usb 5-1: USB disconnect, device number 2
[ 38.608440][ T12] ==================================================================
[ 38.616779][ T12] BUG: KASAN: use-after-free in refcount_inc_not_zero_checked+0x72/0x1e0
[ 38.625201][ T12] Read of size 4 at addr ffff8881d3106020 by task kworker/0:1/12
[ 38.632914][ T12]
[ 38.635253][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.4.0-rc5+ #0
[ 38.642645][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.652733][ T12] Workqueue: usb_hub_wq hub_event
[ 38.657746][ T12] Call Trace:
[ 38.661015][ T12] dump_stack+0xca/0x13e
[ 38.665293][ T12] ? refcount_inc_not_zero_checked+0x72/0x1e0
[ 38.671700][ T12] ? refcount_inc_not_zero_checked+0x72/0x1e0
[ 38.677763][ T12] print_address_description.constprop.0+0x36/0x50
[ 38.684305][ T12] ? refcount_inc_not_zero_checked+0x72/0x1e0
[ 38.690493][ T12] ? refcount_inc_not_zero_checked+0x72/0x1e0
[ 38.696561][ T12] __kasan_report.cold+0x1a/0x33
[ 38.701505][ T12] ? refcount_inc_not_zero_checked+0x72/0x1e0
[ 38.707657][ T12] kasan_report+0xe/0x20
[ 38.711906][ T12] check_memory_region+0x128/0x190
[ 38.717171][ T12] refcount_inc_not_zero_checked+0x72/0x1e0
[ 38.723050][ T12] ? refcount_dec_and_mutex_lock+0x80/0x80
[ 38.728846][ T12] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 38.734459][ T12] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 38.739725][ T12] refcount_inc_checked+0x12/0x60
[ 38.744727][ T12] kthread_stop+0x6c/0x610
[ 38.749380][ T12] hwrng_unregister+0x190/0x210
[ 38.754208][ T12] chaoskey_disconnect+0x1b2/0x200
[ 38.759296][ T12] usb_unbind_interface+0x1bd/0x8a0
[ 38.764500][ T12] ? usb_autoresume_device+0x60/0x60
[ 38.769771][ T12] device_release_driver_internal+0x42f/0x500
[ 38.775816][ T12] bus_remove_device+0x2dc/0x4a0
[ 38.780758][ T12] device_del+0x420/0xb20
[ 38.785068][ T12] ? __device_link_del+0x2f0/0x2f0
[ 38.790160][ T12] ? usb_remove_ep_devs+0x3e/0x80
[ 38.795171][ T12] ? remove_intf_ep_devs+0x13f/0x1d0
[ 38.800436][ T12] usb_disable_device+0x211/0x690
[ 38.805444][ T12] usb_disconnect+0x284/0x8d0
[ 38.810113][ T12] hub_event+0x16f2/0x3800
[ 38.814502][ T12] ? hub_port_debounce+0x260/0x260
[ 38.819586][ T12] ? find_held_lock+0x2d/0x110
[ 38.824336][ T12] ? mark_held_locks+0xe0/0xe0
[ 38.829075][ T12] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 38.834617][ T12] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 38.839885][ T12] process_one_work+0x92b/0x1530
[ 38.844804][ T12] ? pwq_dec_nr_in_flight+0x310/0x310
[ 38.850160][ T12] ? do_raw_spin_lock+0x11a/0x280
[ 38.855161][ T12] worker_thread+0x7ab/0xe20
[ 38.859738][ T12] ? process_one_work+0x1530/0x1530
[ 38.864917][ T12] kthread+0x318/0x420
[ 38.868974][ T12] ? kthread_create_on_node+0xf0/0xf0
[ 38.874333][ T12] ret_from_fork+0x24/0x30
[ 38.878815][ T12]
[ 38.881156][ T12] Allocated by task 2:
[ 38.885217][ T12] save_stack+0x1b/0x80
[ 38.889360][ T12] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 38.894971][ T12] kmem_cache_alloc_node+0xdc/0x310
[ 38.900146][ T12] copy_process+0x4201/0x6470
[ 38.904796][ T12] _do_fork+0x129/0xec0
[ 38.908928][ T12] kernel_thread+0xaa/0xe0
[ 38.913317][ T12] kthreadd+0x4a2/0x680
[ 38.917465][ T12] ret_from_fork+0x24/0x30
[ 38.921873][ T12]
[ 38.924190][ T12] Freed by task 9:
[ 38.927898][ T12] save_stack+0x1b/0x80
[ 38.932052][ T12] __kasan_slab_free+0x130/0x180
[ 38.936988][ T12] kmem_cache_free+0xb9/0x380
[ 38.941664][ T12] __put_task_struct+0x1e2/0x4c0
[ 38.946599][ T12] delayed_put_task_struct+0x1b4/0x2c0
[ 38.952037][ T12] rcu_core+0x630/0x1ca0
[ 38.956254][ T12] __do_softirq+0x221/0x912
[ 38.960737][ T12]
[ 38.963045][ T12] The buggy address belongs to the object at ffff8881d3106000
[ 38.963045][ T12] which belongs to the cache task_struct of size 5888
[ 38.977159][ T12] The buggy address is located 32 bytes inside of
[ 38.977159][ T12] 5888-byte region [ffff8881d3106000, ffff8881d3107700)
[ 38.990700][ T12] The buggy address belongs to the page:
[ 38.996330][ T12] page:ffffea00074c4000 refcount:1 mapcount:0 mapping:ffff8881da116000 index:0xffff8881d3101800 compound_mapcount: 0
[ 39.008541][ T12] flags: 0x200000000010200(slab|head)
[ 39.013892][ T12] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da116000
[ 39.022540][ T12] raw: ffff8881d3101800 0000000080050004 00000001ffffffff 0000000000000000
[ 39.031094][ T12] page dumped because: kasan: bad access detected
[ 39.037488][ T12]
[ 39.039790][ T12] Memory state around the buggy address:
[ 39.045397][ T12] ffff8881d3105f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.053459][ T12] ffff8881d3105f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.061513][ T12] >ffff8881d3106000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.069815][ T12] ^
[ 39.074906][ T12] ffff8881d3106080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.082977][ T12] ffff8881d3106100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.091021][ T12] ==================================================================
[ 39.099320][ T12] Disabling lock debugging due to kernel taint
[ 39.105978][ T12] Kernel panic - not syncing: panic_on_warn set ...
[ 39.112609][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.4.0-rc5+ #0
[ 39.121361][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.131406][ T12] Workqueue: usb_hub_wq hub_event
[ 39.136429][ T12] Call Trace:
[ 39.139719][ T12] dump_stack+0xca/0x13e
[ 39.143961][ T12] panic+0x2aa/0x6e1
[ 39.147838][ T12] ? add_taint.cold+0x16/0x16
[ 39.152493][ T12] ? retint_kernel+0x10/0x10
[ 39.157057][ T12] ? trace_hardirqs_on+0x55/0x1e0
[ 39.162069][ T12] ? refcount_inc_not_zero_checked+0x72/0x1e0
[ 39.168204][ T12] end_report+0x43/0x49
[ 39.172346][ T12] ? refcount_inc_not_zero_checked+0x72/0x1e0
[ 39.178384][ T12] __kasan_report.cold+0xd/0x33
[ 39.183219][ T12] ? refcount_inc_not_zero_checked+0x72/0x1e0
[ 39.189267][ T12] kasan_report+0xe/0x20
[ 39.193501][ T12] check_memory_region+0x128/0x190
[ 39.199131][ T12] refcount_inc_not_zero_checked+0x72/0x1e0
[ 39.205017][ T12] ? refcount_dec_and_mutex_lock+0x80/0x80
[ 39.210811][ T12] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 39.216339][ T12] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 39.221618][ T12] refcount_inc_checked+0x12/0x60
[ 39.226632][ T12] kthread_stop+0x6c/0x610
[ 39.231028][ T12] hwrng_unregister+0x190/0x210
[ 39.235864][ T12] chaoskey_disconnect+0x1b2/0x200
[ 39.241041][ T12] usb_unbind_interface+0x1bd/0x8a0
[ 39.246221][ T12] ? usb_autoresume_device+0x60/0x60
[ 39.251496][ T12] device_release_driver_internal+0x42f/0x500
[ 39.257558][ T12] bus_remove_device+0x2dc/0x4a0
[ 39.262490][ T12] device_del+0x420/0xb20
[ 39.266802][ T12] ? __device_link_del+0x2f0/0x2f0
[ 39.271891][ T12] ? usb_remove_ep_devs+0x3e/0x80
[ 39.276905][ T12] ? remove_intf_ep_devs+0x13f/0x1d0
[ 39.282188][ T12] usb_disable_device+0x211/0x690
[ 39.287198][ T12] usb_disconnect+0x284/0x8d0
[ 39.291920][ T12] hub_event+0x16f2/0x3800
[ 39.296761][ T12] ? hub_port_debounce+0x260/0x260
[ 39.301861][ T12] ? find_held_lock+0x2d/0x110
[ 39.306606][ T12] ? mark_held_locks+0xe0/0xe0
[ 39.311360][ T12] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 39.316907][ T12] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 39.322185][ T12] process_one_work+0x92b/0x1530
[ 39.327111][ T12] ? pwq_dec_nr_in_flight+0x310/0x310
[ 39.332462][ T12] ? do_raw_spin_lock+0x11a/0x280
[ 39.337480][ T12] worker_thread+0x7ab/0xe20
[ 39.342056][ T12] ? process_one_work+0x1530/0x1530
[ 39.347257][ T12] kthread+0x318/0x420
[ 39.351303][ T12] ? kthread_create_on_node+0xf0/0xf0
[ 39.356651][ T12] ret_from_fork+0x24/0x30
[ 39.361877][ T12] Kernel Offset: disabled
[ 39.366185][ T12] Rebooting in 86400 seconds..