[info] Using makefile-style concurrent boot in runlevel 2.
[ 15.050863][ C0] random: crng init done
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.36' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 43.476781][ T22] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 43.716322][ T22] usb 1-1: Using ep0 maxpacket: 8
[ 43.836445][ T22] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 255, changing to 11
[ 43.847703][ T22] usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 9
[ 43.860706][ T22] usb 1-1: New USB device found, idVendor=054c, idProduct=05c4, bcdDevice= 0.40
[ 43.870214][ T22] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 43.879605][ T22] usb 1-1: config 0 descriptor??
[ 44.368174][ T22] sony 0003:054C:05C4.0001: unknown main item tag 0x0
[ 44.375252][ T22] sony 0003:054C:05C4.0001: unknown main item tag 0x0
[ 44.382683][ T22] sony 0003:054C:05C4.0001: unknown main item tag 0x0
[ 44.391225][ T22] sony 0003:054C:05C4.0001: hidraw0: USB HID v80.00 Device [HID 054c:05c4] on usb-dummy_hcd.0-1/input0
[ 44.404367][ T22] sony 0003:054C:05C4.0001: failed to claim input
executing program
[ 44.638330][ T12] usb 1-1: USB disconnect, device number 2
[ 44.996343][ T12] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 45.236291][ T12] usb 1-1: Using ep0 maxpacket: 8
[ 45.356436][ T12] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 255, changing to 11
[ 45.367607][ T12] usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 9
[ 45.380425][ T12] usb 1-1: New USB device found, idVendor=054c, idProduct=05c4, bcdDevice= 0.40
[ 45.389598][ T12] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 45.399134][ T12] usb 1-1: config 0 descriptor??
[ 45.867626][ T12] sony 0003:054C:05C4.0002: unknown main item tag 0x0
[ 45.874745][ T12] sony 0003:054C:05C4.0002: unknown main item tag 0x0
[ 45.881730][ T12] sony 0003:054C:05C4.0002: unknown main item tag 0x0
[ 45.889491][ T12] sony 0003:054C:05C4.0002: hidraw1: USB HID v80.00 Device [HID 054c:05c4] on usb-dummy_hcd.0-1/input0
[ 45.901191][ T12] sony 0003:054C:05C4.0002: failed to claim input
[ 46.066714][ T1728] ==================================================================
[ 46.074906][ T1728] BUG: KASAN: use-after-free in usbhid_power+0xca/0xe0
[ 46.081766][ T1728] Read of size 8 at addr ffff8881c80c4008 by task syz-executor817/1728
[ 46.090017][ T1728]
[ 46.092769][ T1728] CPU: 1 PID: 1728 Comm: syz-executor817 Not tainted 5.3.0-rc7+ #0
[ 46.101009][ T1728] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.111073][ T1728] Call Trace:
[ 46.114358][ T1728]  dump_stack+0xca/0x13e
[ 46.118670][ T1728]  ? usbhid_power+0xca/0xe0
[ 46.123157][ T1728]  ? usbhid_power+0xca/0xe0
[ 46.127645][ T1728]  print_address_description+0x6a/0x32c
[ 46.133188][ T1728]  ? usbhid_power+0xca/0xe0
[ 46.137691][ T1728]  ? usbhid_power+0xca/0xe0
[ 46.142190][ T1728]  __kasan_report.cold+0x1a/0x33
[ 46.147112][ T1728]  ? usbhid_power+0xca/0xe0
[ 46.152151][ T1728]  kasan_report+0xe/0x12
[ 46.156972][ T1728]  usbhid_power+0xca/0xe0
[ 46.161342][ T1728]  hidraw_open+0x20d/0x740
[ 46.165953][ T1728]  ? usbhid_output_report+0x290/0x290
[ 46.171521][ T1728]  ? hidraw_ioctl+0xae0/0xae0
[ 46.176466][ T1728]  chrdev_open+0x219/0x5c0
[ 46.181218][ T1728]  ? rwlock_bug.part.0+0x90/0x90
[ 46.186575][ T1728]  ? cdev_put.part.0+0x50/0x50
[ 46.191440][ T1728]  do_dentry_open+0x494/0x1120
[ 46.196275][ T1728]  ? cdev_put.part.0+0x50/0x50
[ 46.201385][ T1728]  ? chmod_common+0x3c0/0x3c0
[ 46.206816][ T1728]  ? inode_permission+0xbe/0x3a0
[ 46.212078][ T1728]  path_openat+0x1430/0x3f50
[ 46.217004][ T1728]  ? save_stack+0x1b/0x80
[ 46.221333][ T1728]  ? do_sys_open+0x294/0x580
[ 46.225927][ T1728]  ? do_syscall_64+0xb7/0x580
[ 46.230588][ T1728]  ? path_lookupat.isra.0+0x8d0/0x8d0
[ 46.235943][ T1728]  ? __lock_acquire+0x145e/0x3b50
[ 46.241396][ T1728]  do_filp_open+0x1a1/0x280
[ 46.246374][ T1728]  ? may_open_dev+0xf0/0xf0
[ 46.250882][ T1728]  ? __alloc_fd+0x46d/0x600
[ 46.255367][ T1728]  ? do_raw_spin_lock+0x11a/0x280
[ 46.260371][ T1728]  ? do_raw_spin_unlock+0x50/0x220
[ 46.265551][ T1728]  ? _raw_spin_unlock+0x1f/0x30
[ 46.270390][ T1728]  ? __alloc_fd+0x46d/0x600
[ 46.274877][ T1728]  do_sys_open+0x3c0/0x580
[ 46.279282][ T1728]  ? filp_open+0x70/0x70
[ 46.283778][ T1728]  ? trace_hardirqs_off_caller+0x55/0x1e0
[ 46.289602][ T1728]  do_syscall_64+0xb7/0x580
[ 46.294461][ T1728]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.300355][ T1728] RIP: 0033:0x402770
[ 46.304385][ T1728] Code: 01 f0 ff ff 0f 83 40 0e 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 5d 5f 2d 00 00 75 14 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 14 0e 00 00 c3 48 83 ec 08 e8 7a 03 00 00
[ 46.324516][ T1728] RSP: 002b:00007ffca1455ba8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 46.333111][ T1728] RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 0000000000402770
[ 46.341323][ T1728] RDX: 0000000000000000 RSI: 000000000012d43d RDI: 00007ffca1455c50
[ 46.349301][ T1728] RBP: 000000000000a8b2 R08: 00007ffca1455bb0 R09: 000000000000a8b2
[ 46.357263][ T1728] R10: 0000000000000006 R11: 0000000000000246 R12: 0000000000403a10
[ 46.365232][ T1728] R13: 0000000000403aa0 R14: 0000000000000000 R15: 0000000000000000
[ 46.373186][ T1728]
[ 46.375524][ T1728] Allocated by task 345:
[ 46.379789][ T1728]  save_stack+0x1b/0x80
[ 46.383930][ T1728]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 46.389850][ T1728]  __kmalloc_node_track_caller+0xfc/0x380
[ 46.395553][ T1728]  __kmalloc_reserve.isra.0+0x39/0xe0
[ 46.400926][ T1728]  __alloc_skb+0xef/0x5a0
[ 46.405240][ T1728]  netlink_sendmsg+0x8cd/0xcc0
[ 46.410022][ T1728]  sock_sendmsg+0xcf/0x120
[ 46.414432][ T1728]  ___sys_sendmsg+0x803/0x920
[ 46.419155][ T1728]  __sys_sendmsg+0xec/0x1b0
[ 46.423664][ T1728]  do_syscall_64+0xb7/0x580
[ 46.428173][ T1728]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.434042][ T1728]
[ 46.436527][ T1728] Freed by task 345:
[ 46.440422][ T1728]  save_stack+0x1b/0x80
[ 46.444562][ T1728]  __kasan_slab_free+0x130/0x180
[ 46.449568][ T1728]  kfree+0xe4/0x2f0
[ 46.453469][ T1728]  skb_free_head+0x8b/0xa0
[ 46.457876][ T1728]  skb_release_data+0x41f/0x7c0
[ 46.462708][ T1728]  skb_release_all+0x46/0x60
[ 46.467276][ T1728]  consume_skb+0xd9/0x320
[ 46.471586][ T1728]  netlink_unicast+0x4d7/0x690
[ 46.476881][ T1728]  netlink_sendmsg+0x802/0xcc0
[ 46.482279][ T1728]  sock_sendmsg+0xcf/0x120
[ 46.487062][ T1728]  ___sys_sendmsg+0x803/0x920
[ 46.493380][ T1728]  __sys_sendmsg+0xec/0x1b0
[ 46.498399][ T1728]  do_syscall_64+0xb7/0x580
[ 46.503163][ T1728]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.510133][ T1728]
[ 46.513674][ T1728] The buggy address belongs to the object at ffff8881c80c4000
[ 46.513674][ T1728]  which belongs to the cache kmalloc-1k of size 1024
[ 46.528074][ T1728] The buggy address is located 8 bytes inside of
[ 46.528074][ T1728]  1024-byte region [ffff8881c80c4000, ffff8881c80c4400)
[ 46.541331][ T1728] The buggy address belongs to the page:
[ 46.547059][ T1728] page:ffffea0007203100 refcount:1 mapcount:0 mapping:ffff8881da002280 index:0x0 compound_mapcount: 0
[ 46.558067][ T1728] flags: 0x200000000010200(slab|head)
[ 46.563438][ T1728] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da002280
[ 46.572102][ T1728] raw: 0000000000000000 00000000000e000e 00000001ffffffff 0000000000000000
[ 46.580945][ T1728] page dumped because: kasan: bad access detected
[ 46.587460][ T1728]
[ 46.589883][ T1728] Memory state around the buggy address:
[ 46.595582][ T1728]  ffff8881c80c3f00: 00 00 00 00 00 00 fc fc fc fc fb fb fb fb fb fb
[ 46.603627][ T1728]  ffff8881c80c3f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 46.611684][ T1728] >ffff8881c80c4000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.619980][ T1728]                       ^
[ 46.624292][ T1728]  ffff8881c80c4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.632345][ T1728]  ffff8881c80c4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.640397][ T1728] ==================================================================
[ 46.648436][ T1728] Disabling lock debugging due to kernel taint
[ 46.654944][ T1728] Kernel panic - not syncing: panic_on_warn set ...
[ 46.661951][ T1728] CPU: 1 PID: 1728 Comm: syz-executor817 Tainted: G B 5.3.0-rc7+ #0
[ 46.671426][ T1728] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.681564][ T1728] Call Trace:
[ 46.684872][ T1728]  dump_stack+0xca/0x13e
[ 46.689105][ T1728]  panic+0x2a3/0x6da
[ 46.692994][ T1728]  ? add_taint.cold+0x16/0x16
[ 46.697670][ T1728]  ? retint_kernel+0x10/0x10
[ 46.702335][ T1728]  ? trace_hardirqs_on+0x55/0x1e0
[ 46.707345][ T1728]  ? usbhid_power+0xca/0xe0
[ 46.711826][ T1728]  end_report+0x43/0x49
[ 46.715960][ T1728]  ? usbhid_power+0xca/0xe0
[ 46.720458][ T1728]  __kasan_report.cold+0xd/0x33
[ 46.725303][ T1728]  ? usbhid_power+0xca/0xe0
[ 46.729876][ T1728]  kasan_report+0xe/0x12
[ 46.734110][ T1728]  usbhid_power+0xca/0xe0
[ 46.738452][ T1728]  hidraw_open+0x20d/0x740
[ 46.742851][ T1728]  ? usbhid_output_report+0x290/0x290
[ 46.748218][ T1728]  ? hidraw_ioctl+0xae0/0xae0
[ 46.752933][ T1728]  chrdev_open+0x219/0x5c0
[ 46.757418][ T1728]  ? rwlock_bug.part.0+0x90/0x90
[ 46.762337][ T1728]  ? cdev_put.part.0+0x50/0x50
[ 46.767252][ T1728]  do_dentry_open+0x494/0x1120
[ 46.771996][ T1728]  ? cdev_put.part.0+0x50/0x50
[ 46.777712][ T1728]  ? chmod_common+0x3c0/0x3c0
[ 46.782379][ T1728]  ? inode_permission+0xbe/0x3a0
[ 46.787302][ T1728]  path_openat+0x1430/0x3f50
[ 46.791885][ T1728]  ? save_stack+0x1b/0x80
[ 46.796202][ T1728]  ? do_sys_open+0x294/0x580
[ 46.800776][ T1728]  ? do_syscall_64+0xb7/0x580
[ 46.805438][ T1728]  ? path_lookupat.isra.0+0x8d0/0x8d0
[ 46.811095][ T1728]  ? __lock_acquire+0x145e/0x3b50
[ 46.816099][ T1728]  do_filp_open+0x1a1/0x280
[ 46.820587][ T1728]  ? may_open_dev+0xf0/0xf0
[ 46.825085][ T1728]  ? __alloc_fd+0x46d/0x600
[ 46.829584][ T1728]  ? do_raw_spin_lock+0x11a/0x280
[ 46.834613][ T1728]  ? do_raw_spin_unlock+0x50/0x220
[ 46.839707][ T1728]  ? _raw_spin_unlock+0x1f/0x30
[ 46.844657][ T1728]  ? __alloc_fd+0x46d/0x600
[ 46.849171][ T1728]  do_sys_open+0x3c0/0x580
[ 46.853691][ T1728]  ? filp_open+0x70/0x70
[ 46.857918][ T1728]  ? trace_hardirqs_off_caller+0x55/0x1e0
[ 46.863809][ T1728]  do_syscall_64+0xb7/0x580
[ 46.868306][ T1728]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.874187][ T1728] RIP: 0033:0x402770
[ 46.878081][ T1728] Code: 01 f0 ff ff 0f 83 40 0e 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 5d 5f 2d 00 00 75 14 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 14 0e 00 00 c3 48 83 ec 08 e8 7a 03 00 00
[ 46.897790][ T1728] RSP: 002b:00007ffca1455ba8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 46.906207][ T1728] RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 0000000000402770
[ 46.914168][ T1728] RDX: 0000000000000000 RSI: 000000000012d43d RDI: 00007ffca1455c50
[ 46.922131][ T1728] RBP: 000000000000a8b2 R08: 00007ffca1455bb0 R09: 000000000000a8b2
[ 46.930088][ T1728] R10: 0000000000000006 R11: 0000000000000246 R12: 0000000000403a10
[ 46.938042][ T1728] R13: 0000000000403aa0 R14: 0000000000000000 R15: 0000000000000000
[ 46.946758][ T1728] Kernel Offset: disabled
[ 46.951097][ T1728] Rebooting in 86400 seconds..