Debian GNU/Linux 9 syzkaller ttyS0
syzkaller login: [ 35.260418][ T4411] cgroup: Unknown subsys name 'perf_event'
[ 35.268240][ T4411] cgroup: Unknown subsys name 'net_cls'
[ 39.483169][ T4398] can: request_module (can-proto-0) failed.
[ 39.495538][ T4398] can: request_module (can-proto-2) failed.
[ 39.507788][ T4398] can: request_module (can-proto-0) failed.
[ 39.519445][ T4398] can: request_module (can-proto-7) failed.
[ 39.530768][ T4398] can: request_module (can-proto-0) failed.
[ 39.543751][ T4398] can: request_module (can-proto-1) failed.
Warning: Permanently added '10.128.0.27' (ECDSA) to the list of known hosts.
2021/01/04 16:42:33 parsed 1 programs
2021/01/04 16:42:35 executed programs: 0
[ 49.295609][ T5017] cgroup: Unknown subsys name 'perf_event'
[ 49.321275][ T5017] cgroup: Unknown subsys name 'net_cls'
[ 49.385218][ T5021] cgroup: Unknown subsys name 'perf_event'
[ 49.391855][ T5021] cgroup: Unknown subsys name 'net_cls'
[ 49.415133][ T5025] cgroup: Unknown subsys name 'perf_event'
[ 49.422023][ T5025] cgroup: Unknown subsys name 'net_cls'
[ 49.426664][ T5027] cgroup: Unknown subsys name 'perf_event'
[ 49.458053][ T5031] cgroup: Unknown subsys name 'perf_event'
[ 49.464917][ T5027] cgroup: Unknown subsys name 'net_cls'
[ 49.488021][ T5031] cgroup: Unknown subsys name 'net_cls'
[ 49.505719][ T5038] cgroup: Unknown subsys name 'perf_event'
[ 49.531503][ T5038] cgroup: Unknown subsys name 'net_cls'
[ 61.871721][ T17] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 61.982265][ T2239] usb 3-1: new high-speed USB device number 2 using dummy_hcd
[ 62.131613][ T5] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 62.212086][ T7698] usb 6-1: new high-speed USB device number 2 using dummy_hcd
[ 62.252299][ T17] usb 1-1: config 1 has too many interfaces: 66, using maximum allowed: 32
[ 62.261698][ T17] usb 1-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config
[ 62.273130][ T17] usb 1-1: config 1 has 1 interface, different from the descriptor's value: 66
[ 62.286465][ T17] usb 1-1: config 1 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7
[ 62.375467][ T7739] usb 2-1: new high-speed USB device number 2 using dummy_hcd
[ 62.402158][ T2239] usb 3-1: config 1 has too many interfaces: 66, using maximum allowed: 32
[ 62.411143][ T2239] usb 3-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config
[ 62.421368][ T2239] usb 3-1: config 1 has 1 interface, different from the descriptor's value: 66
[ 62.437989][ T2239] usb 3-1: config 1 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7
[ 62.462363][ T17] usb 1-1: New USB device found, idVendor=7d25, idProduct=a415, bcdDevice= 0.40
[ 62.471467][ T17] usb 1-1: New USB device strings: Mfr=1, Product=4, SerialNumber=0
[ 62.479475][ T17] usb 1-1: Product: syz
[ 62.483700][ T17] usb 1-1: Manufacturer: syz
[ 62.511679][ T5] usb 5-1: config 1 has too many interfaces: 66, using maximum allowed: 32
[ 62.520671][ T5] usb 5-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config
[ 62.531047][ T5] usb 5-1: config 1 has 1 interface, different from the descriptor's value: 66
[ 62.541052][ T5] usb 5-1: config 1 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7
[ 62.544129][ T17] cdc_wdm 1-1:1.0: skipping garbage
[ 62.557370][ T17] cdc_wdm 1-1:1.0: skipping garbage
[ 62.575998][ T17] cdc_wdm 1-1:1.0: cdc-wdm0: USB WDM device
[ 62.601854][ T2183] usb 4-1: new high-speed USB device number 2 using dummy_hcd
[ 62.601966][ T2239] usb 3-1: New USB device found, idVendor=7d25, idProduct=a415, bcdDevice= 0.40
[ 62.618881][ T2239] usb 3-1: New USB device strings: Mfr=1, Product=4, SerialNumber=0
[ 62.627144][ T2239] usb 3-1: Product: syz
[ 62.631619][ T2239] usb 3-1: Manufacturer: syz
[ 62.637241][ T7698] usb 6-1: config 1 has too many interfaces: 66, using maximum allowed: 32
[ 62.647502][ T7698] usb 6-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config
[ 62.660166][ T7698] usb 6-1: config 1 has 1 interface, different from the descriptor's value: 66
[ 62.669607][ T7698] usb 6-1: config 1 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7
[ 62.691583][ T5] usb 5-1: New USB device found, idVendor=7d25, idProduct=a415, bcdDevice= 0.40
[ 62.701761][ T5] usb 5-1: New USB device strings: Mfr=1, Product=4, SerialNumber=0
[ 62.709948][ T5] usb 5-1: Product: syz
[ 62.714296][ T5] usb 5-1: Manufacturer: syz
[ 62.722885][ T2239] cdc_wdm 3-1:1.0: skipping garbage
[ 62.728136][ T2239] cdc_wdm 3-1:1.0: skipping garbage
[ 62.742805][ T2239] cdc_wdm 3-1:1.0: cdc-wdm1: USB WDM device
[ 62.773344][ T5] cdc_wdm 5-1:1.0: skipping garbage
[ 62.779723][ T5] cdc_wdm 5-1:1.0: skipping garbage
[ 62.803351][ T5] cdc_wdm 5-1:1.0: cdc-wdm2: USB WDM device
[ 62.811998][ T7698] usb 6-1: New USB device found, idVendor=7d25, idProduct=a415, bcdDevice= 0.40
[ 62.821059][ T7698] usb 6-1: New USB device strings: Mfr=1, Product=4, SerialNumber=0
[ 62.829309][ T7698] usb 6-1: Product: syz
[ 62.833539][ T7698] usb 6-1: Manufacturer: syz
[ 62.881639][ T7739] usb 2-1: config 1 has too many interfaces: 66, using maximum allowed: 32
[ 62.890287][ T7739] usb 2-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config
[ 62.901751][ T7739] usb 2-1: config 1 has 1 interface, different from the descriptor's value: 66
[ 62.912279][ T7698] cdc_wdm 6-1:1.0: skipping garbage
[ 62.917616][ T7698] cdc_wdm 6-1:1.0: skipping garbage
[ 62.933059][ T7698] cdc_wdm 6-1:1.0: cdc-wdm3: USB WDM device
[ 62.961762][ T7739] usb 2-1: config 1 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7
[ 62.961856][ T2183] usb 4-1: config 1 has too many interfaces: 66, using maximum allowed: 32
[ 62.981859][ T2183] usb 4-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config
[ 62.993971][ T2183] usb 4-1: config 1 has 1 interface, different from the descriptor's value: 66
[ 63.007119][ T2183] usb 4-1: config 1 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7
[ 63.131529][ C1] cdc_wdm 1-1:1.0: unknown notification 61 received: index 46970 len 38478
[ 63.131721][ T2183] usb 4-1: New USB device found, idVendor=7d25, idProduct=a415, bcdDevice= 0.40
[ 63.141144][ T7739] usb 2-1: New USB device found, idVendor=7d25, idProduct=a415, bcdDevice= 0.40
[ 63.150043][ T2183] usb 4-1: New USB device strings: Mfr=1, Product=4, SerialNumber=0
[ 63.150061][ T2183] usb 4-1: Product: syz
[ 63.160183][ C1] cdc_wdm 1-1:1.0: unknown notification 140 received: index 42101 len 41787
[ 63.168439][ T2183] usb 4-1: Manufacturer: syz
[ 63.172639][ T7739] usb 2-1: New USB device strings: Mfr=1, Product=4, SerialNumber=0
[ 63.195015][ T7739] usb 2-1: Product: syz
[ 63.199737][ T7739] usb 2-1: Manufacturer: syz
[ 63.232957][ T2183] cdc_wdm 4-1:1.0: skipping garbage
[ 63.238205][ T2183] cdc_wdm 4-1:1.0: skipping garbage
[ 63.252710][ T7739] cdc_wdm 2-1:1.0: skipping garbage
[ 63.258126][ T7739] cdc_wdm 2-1:1.0: skipping garbage
[ 63.268796][ T2183] cdc_wdm 4-1:1.0: cdc-wdm4: USB WDM device
[ 63.283253][ T7739] cdc_wdm 2-1:1.0: cdc-wdm5: USB WDM device
[ 63.441506][ C1] cdc_wdm 1-1:1.0: unknown notification 47 received: index 30720 len 26702
[ 63.513396][ T2183] usb 1-1: USB disconnect, device number 2
[ 63.632921][ T7799] ==================================================================
[ 63.642775][ T7799] BUG: KASAN: use-after-free in usb_submit_urb+0x1210/0x1560
[ 63.651210][ T7799] Read of size 4 at addr ffff888113e9f018 by task syz-executor.0/7799
[ 63.660464][ T7799]
[ 63.663445][ T7799] CPU: 1 PID: 7799 Comm: syz-executor.0 Not tainted 5.10.0-syzkaller #0
[ 63.672779][ T7799] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 63.683330][ T7799] Call Trace:
[ 63.686629][ T7799] dump_stack+0x107/0x163
[ 63.691048][ T7799] ? usb_submit_urb+0x1210/0x1560
[ 63.696069][ T7799] ? usb_submit_urb+0x1210/0x1560
[ 63.701364][ T7799] print_address_description.constprop.0.cold+0xae/0x4c8
[ 63.708555][ T7799] ? vprintk_func+0x93/0x140
[ 63.713552][ T7799] ? usb_submit_urb+0x1210/0x1560
[ 63.718910][ T7799] ? usb_submit_urb+0x1210/0x1560
[ 63.723942][ T7799] kasan_report.cold+0x1f/0x37
[ 63.728798][ T7799] ? usb_submit_urb+0x1210/0x1560
[ 63.733836][ T7799] usb_submit_urb+0x1210/0x1560
[ 63.738950][ T7799] ? _raw_spin_unlock_irq+0x1f/0x30
[ 63.744142][ T7799] service_outstanding_interrupt.part.0+0x5f/0xa0
[ 63.750551][ T7799] wdm_read+0x9a0/0xbd0
[ 63.754773][ T7799] ? wdm_rxwork+0x200/0x200
[ 63.759379][ T7799] ? security_file_permission+0x248/0x560
[ 63.765196][ T7799] ? wdm_rxwork+0x200/0x200
[ 63.769879][ T7799] vfs_read+0x1b5/0x570
[ 63.774028][ T7799] ksys_read+0x12d/0x250
[ 63.778260][ T7799] ? vfs_write+0xa30/0xa30
[ 63.782664][ T7799] ? lockdep_hardirqs_on_prepare+0x286/0x3f0
[ 63.788729][ T7799] ? syscall_enter_from_user_mode+0x1d/0x50
[ 63.794876][ T7799] do_syscall_64+0x2d/0x40
[ 63.799291][ T7799] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 63.805191][ T7799] RIP: 0033:0x45e149
[ 63.809086][ T7799] Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 63.828985][ T7799] RSP: 002b:00007fcce8099c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 63.837508][ T7799] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e149
[ 63.845493][ T7799] RDX: 0000000000001000 RSI: 0000000020001000 RDI: 0000000000000004
[ 63.853645][ T7799] RBP: 000000000119c068 R08: 0000000000000000 R09: 0000000000000000
[ 63.861651][ T7799] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119c034
[ 63.869952][ T7799] R13: 00007fffc13967df R14: 00007fcce809a9c0 R15: 000000000119c034
[ 63.878005][ T7799]
[ 63.880336][ T7799] Allocated by task 17:
[ 63.884580][ T7799] kasan_save_stack+0x1b/0x40
[ 63.889390][ T7799] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 63.895009][ T7799] usb_alloc_dev+0x51/0xef0
[ 63.899512][ T7799] hub_event+0x1def/0x42d0
[ 63.904179][ T7799] process_one_work+0x98d/0x15c0
[ 63.909223][ T7799] worker_thread+0x64c/0x1120
[ 63.913893][ T7799] kthread+0x38c/0x460
[ 63.917981][ T7799] ret_from_fork+0x1f/0x30
[ 63.922399][ T7799]
[ 63.924720][ T7799] Freed by task 2183:
[ 63.928691][ T7799] kasan_save_stack+0x1b/0x40
[ 63.933372][ T7799] kasan_set_track+0x1c/0x30
[ 63.937999][ T7799] kasan_set_free_info+0x1b/0x30
[ 63.942943][ T7799] __kasan_slab_free+0x102/0x140
[ 63.948679][ T7799] slab_free_freelist_hook+0x5d/0x150
[ 63.954161][ T7799] kfree+0xdb/0x3a0
[ 63.958287][ T7799] device_release+0x9f/0x240
[ 63.962880][ T7799] kobject_put+0x1c8/0x540
[ 63.967300][ T7799] put_device+0x1b/0x30
[ 63.971466][ T7799] hub_event+0x1c8a/0x42d0
[ 63.975906][ T7799] process_one_work+0x98d/0x15c0
[ 63.980972][ T7799] worker_thread+0x64c/0x1120
[ 63.985846][ T7799] kthread+0x38c/0x460
[ 63.989922][ T7799] ret_from_fork+0x1f/0x30
[ 63.994452][ T7799]
[ 63.996876][ T7799] Last potentially related work creation:
[ 64.002595][ T7799] kasan_save_stack+0x1b/0x40
[ 64.007295][ T7799] kasan_record_aux_stack+0xc0/0xf0
[ 64.012755][ T7799] insert_work+0x48/0x370
[ 64.017170][ T7799] __queue_work+0x5c3/0xf60
[ 64.021885][ T7799] queue_work_on+0xc7/0xd0
[ 64.026669][ T7799] release_tty+0x4e9/0x610
[ 64.031101][ T7799] tty_release_struct+0xb4/0xe0
[ 64.036137][ T7799] tty_release+0xc70/0x1210
[ 64.040746][ T7799] __fput+0x288/0x920
[ 64.044888][ T7799] task_work_run+0xdd/0x1a0
[ 64.049411][ T7799] exit_to_user_mode_prepare+0x186/0x190
[ 64.055171][ T7799] syscall_exit_to_user_mode+0x19/0x50
[ 64.060809][ T7799] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 64.066701][ T7799]
[ 64.069600][ T7799] The buggy address belongs to the object at ffff888113e9f000
[ 64.069600][ T7799] which belongs to the cache kmalloc-2k of size 2048
[ 64.083910][ T7799] The buggy address is located 24 bytes inside of
[ 64.083910][ T7799] 2048-byte region [ffff888113e9f000, ffff888113e9f800)
[ 64.097185][ T7799] The buggy address belongs to the page:
[ 64.103123][ T7799] page:00000000e5a7bd64 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113e98
[ 64.113444][ T7799] head:00000000e5a7bd64 order:3 compound_mapcount:0 compound_pincount:0
[ 64.121914][ T7799] flags: 0x200000000010200(slab|head)
[ 64.127874][ T7799] raw: 0200000000010200 dead000000000100 dead000000000122 ffff888100042000
[ 64.136586][ T7799] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 64.145291][ T7799] page dumped because: kasan: bad access detected
[ 64.152710][ T7799]
[ 64.155561][ T7799] Memory state around the buggy address:
[ 64.161589][ T7799] ffff888113e9ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.169827][ T7799] ffff888113e9ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.180314][ T7799] >ffff888113e9f000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.188828][ T7799] ^
[ 64.193802][ T7799] ffff888113e9f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.202176][ T7799] ffff888113e9f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.210224][ T7799] ==================================================================
[ 64.218368][ T7799] Disabling lock debugging due to kernel taint
[ 64.225843][ T7799] Kernel panic - not syncing: panic_on_warn set ...
[ 64.232929][ T7799] CPU: 1 PID: 7799 Comm: syz-executor.0 Tainted: G B 5.10.0-syzkaller #0
[ 64.242908][ T7799] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.253783][ T7799] Call Trace:
[ 64.257509][ T7799] dump_stack+0x107/0x163
[ 64.263045][ T7799] panic+0x343/0x77f
[ 64.268015][ T7799] ? __warn_printk+0xf3/0xf3
[ 64.273542][ T7799] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 64.281220][ T7799] ? trace_hardirqs_on+0x38/0x1a0
[ 64.286799][ T7799] ? trace_hardirqs_on+0x51/0x1a0
[ 64.292594][ T7799] ? usb_submit_urb+0x1210/0x1560
[ 64.299968][ T7799] ? usb_submit_urb+0x1210/0x1560
[ 64.305505][ T7799] end_report+0x58/0x5e
[ 64.311288][ T7799] kasan_report.cold+0xd/0x37
[ 64.316570][ T7799] ? usb_submit_urb+0x1210/0x1560
[ 64.321888][ T7799] usb_submit_urb+0x1210/0x1560
[ 64.326973][ T7799] ? _raw_spin_unlock_irq+0x1f/0x30
[ 64.332261][ T7799] service_outstanding_interrupt.part.0+0x5f/0xa0
[ 64.338766][ T7799] wdm_read+0x9a0/0xbd0
[ 64.343595][ T7799] ? wdm_rxwork+0x200/0x200
[ 64.348220][ T7799] ? security_file_permission+0x248/0x560
[ 64.354126][ T7799] ? wdm_rxwork+0x200/0x200
[ 64.358637][ T7799] vfs_read+0x1b5/0x570
[ 64.362869][ T7799] ksys_read+0x12d/0x250
[ 64.367285][ T7799] ? vfs_write+0xa30/0xa30
[ 64.372036][ T7799] ? lockdep_hardirqs_on_prepare+0x286/0x3f0
[ 64.380719][ T7799] ? syscall_enter_from_user_mode+0x1d/0x50
[ 64.387501][ T7799] do_syscall_64+0x2d/0x40
[ 64.392146][ T7799] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 64.398112][ T7799] RIP: 0033:0x45e149
[ 64.401993][ T7799] Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 64.422184][ T7799] RSP: 002b:00007fcce8099c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 64.430687][ T7799] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e149
[ 64.439644][ T7799] RDX: 0000000000001000 RSI: 0000000020001000 RDI: 0000000000000004
[ 64.447853][ T7799] RBP: 000000000119c068 R08: 0000000000000000 R09: 0000000000000000
[ 64.456600][ T7799] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119c034
[ 64.464571][ T7799] R13: 00007fffc13967df R14: 00007fcce809a9c0 R15: 000000000119c034
[ 64.474026][ T7799] Kernel Offset: disabled
[ 64.478914][ T7799] Rebooting in 86400 seconds..