./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2802726252 <...> [ 25.890361][ T3182] 8021q: adding VLAN 0 to HW filter on device bond0 [ 25.899478][ T3182] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller syzkaller login: [ 36.845319][ T26] kauditd_printk_skb: 37 callbacks suppressed [ 36.845335][ T26] audit: type=1400 audit(1666530588.214:73): avc: denied { transition } for pid=3393 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 36.878115][ T26] audit: type=1400 audit(1666530588.244:74): avc: denied { write } for pid=3393 comm="sh" path="pipe:[28205]" dev="pipefs" ino=28205 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1 Warning: Permanently added '10.128.1.123' (ECDSA) to the list of known hosts. execve("./syz-executor2802726252", ["./syz-executor2802726252"], 0x7ffd14bfa2a0 /* 10 vars */) = 0 brk(NULL) = 0x5555558d4000 brk(0x5555558d4c40) = 0x5555558d4c40 arch_prctl(ARCH_SET_FS, 0x5555558d4300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor2802726252", 4096) = 28 brk(0x5555558f5c40) = 0x5555558f5c40 brk(0x5555558f6000) = 0x5555558f6000 mprotect(0x7f9ce06de000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/dev/raw-gadget", O_RDWR) = 3 ioctl(3, USB_RAW_IOCTL_INIT, 0x7ffc6a8519a0) = 0 ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc6a8519a0) = 0 [ 48.337935][ T26] audit: type=1400 audit(1666530599.714:75): avc: denied { execmem } for pid=3603 comm="syz-executor280" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 48.361908][ T26] audit: type=1400 audit(1666530599.714:76): avc: denied { read write } for pid=3603 comm="syz-executor280" name="raw-gadget" dev="devtmpfs" ino=731 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 48.386277][ T26] audit: type=1400 audit(1666530599.714:77): avc: denied { open } for pid=3603 comm="syz-executor280" path="/dev/raw-gadget" dev="devtmpfs" ino=731 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 48.410243][ T26] audit: type=1400 audit(1666530599.714:78): avc: denied { ioctl } for pid=3603 comm="syz-executor280" path="/dev/raw-gadget" dev="devtmpfs" ino=731 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc6a8519a0) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc6a850990) = 18 [ 48.607835][ T143] usb 1-1: new full-speed USB device number 2 using dummy_hcd ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc6a8519a0) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc6a850990) = 18 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc6a8519a0) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc6a850990) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc6a8519a0) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc6a850990) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc6a8519a0) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc6a850990) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc6a8519a0) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc6a850990) = 10 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc6a8519a0) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc6a850990) = 9 [ 49.008225][ T143] usb 1-1: unable to get BOS descriptor or descriptor too short [ 49.047856][ T143] usb 1-1: not running at top speed; connect to a high speed hub ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc6a8519a0) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc6a850990) = 812 [ 49.128256][ T143] usb 1-1: config 6 has an invalid interface number: 155 but max is 3 [ 49.136526][ T143] usb 1-1: config 6 has an invalid interface association descriptor of length 2, skipping [ 49.146629][ T143] usb 1-1: config 6 has an invalid interface number: 73 but max is 3 [ 49.154769][ T143] usb 1-1: config 6 contains an unexpected descriptor of type 0x1, skipping [ 49.163481][ T143] usb 1-1: config 6 has an invalid interface number: 66 but max is 3 [ 49.171667][ T143] usb 1-1: config 6 has an invalid interface association descriptor of length 2, skipping [ 49.181590][ T143] usb 1-1: config 6 has an invalid interface number: 196 but max is 3 [ 49.189778][ T143] usb 1-1: config 6 has no interface number 0 [ 49.195859][ T143] usb 1-1: config 6 has no interface number 1 [ 49.202064][ T143] usb 1-1: config 6 has no interface number 2 [ 49.208172][ T143] usb 1-1: config 6 has no interface number 3 [ 49.214307][ T143] usb 1-1: config 6 interface 155 altsetting 3 endpoint 0x86 has invalid wMaxPacketSize 0 [ 49.224324][ T143] usb 1-1: config 6 interface 155 altsetting 3 endpoint 0x6 has invalid maxpacket 512, setting to 64 [ 49.235240][ T143] usb 1-1: config 6 interface 155 altsetting 3 endpoint 0xE has invalid maxpacket 512, setting to 64 [ 49.246295][ T143] usb 1-1: config 6 interface 155 altsetting 3 has a duplicate endpoint with address 0x6, skipping [ 49.257018][ T143] usb 1-1: config 6 interface 155 altsetting 3 has a duplicate endpoint with address 0x6, skipping [ 49.267738][ T143] usb 1-1: config 6 interface 155 altsetting 3 endpoint 0x9 has invalid maxpacket 23595, setting to 64 [ 49.278856][ T143] usb 1-1: config 6 interface 155 altsetting 3 has a duplicate endpoint with address 0xE, skipping [ 49.289569][ T143] usb 1-1: config 6 interface 155 altsetting 3 endpoint 0x3 has invalid maxpacket 1023, setting to 64 [ 49.300544][ T143] usb 1-1: config 6 interface 73 altsetting 1 has an invalid endpoint with address 0x80, skipping [ 49.311166][ T143] usb 1-1: config 6 interface 73 altsetting 1 endpoint 0xB has invalid maxpacket 1023, setting to 64 [ 49.322041][ T143] usb 1-1: config 6 interface 73 altsetting 1 has an invalid endpoint with address 0x0, skipping [ 49.332590][ T143] usb 1-1: config 6 interface 73 altsetting 1 endpoint 0xC has invalid wMaxPacketSize 0 [ 49.342384][ T143] usb 1-1: config 6 interface 73 altsetting 1 endpoint 0xA has invalid maxpacket 1024, setting to 64 [ 49.353291][ T143] usb 1-1: config 6 interface 73 altsetting 1 has a duplicate endpoint with address 0x6, skipping [ 49.363916][ T143] usb 1-1: config 6 interface 73 altsetting 1 has a duplicate endpoint with address 0xE, skipping [ 49.374564][ T143] usb 1-1: config 6 interface 73 altsetting 1 has an invalid endpoint with address 0x80, skipping [ 49.385184][ T143] usb 1-1: config 6 interface 73 altsetting 1 endpoint 0x4 has invalid maxpacket 1023, setting to 64 [ 49.396063][ T143] usb 1-1: config 6 interface 73 altsetting 1 has a duplicate endpoint with address 0x6, skipping [ 49.406694][ T143] usb 1-1: config 6 interface 66 altsetting 32 has a duplicate endpoint with address 0xA, skipping [ 49.417394][ T143] usb 1-1: config 6 interface 66 altsetting 32 has a duplicate endpoint with address 0xB, skipping [ 49.428202][ T143] usb 1-1: config 6 interface 66 altsetting 32 endpoint 0x7 has invalid maxpacket 1024, setting to 64 [ 49.439152][ T143] usb 1-1: config 6 interface 66 altsetting 32 has an invalid endpoint with address 0x0, skipping [ 49.449766][ T143] usb 1-1: config 6 interface 66 altsetting 32 endpoint 0x5 has invalid maxpacket 512, setting to 64 [ 49.460646][ T143] usb 1-1: config 6 interface 66 altsetting 32 endpoint 0x8 has invalid maxpacket 512, setting to 64 [ 49.471603][ T143] usb 1-1: config 6 interface 196 altsetting 4 has a duplicate endpoint with address 0x7, skipping [ 49.482319][ T143] usb 1-1: config 6 interface 196 altsetting 4 has a duplicate endpoint with address 0xE, skipping [ 49.493064][ T143] usb 1-1: config 6 interface 196 altsetting 4 has a duplicate endpoint with address 0x7, skipping [ 49.503843][ T143] usb 1-1: config 6 interface 196 altsetting 4 has a duplicate endpoint with address 0x2, skipping [ 49.514554][ T143] usb 1-1: config 6 interface 196 altsetting 4 has a duplicate endpoint with address 0xA, skipping ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc6a8519a0) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc6a850990) = 0 [ 49.525247][ T143] usb 1-1: config 6 interface 196 altsetting 4 has a duplicate endpoint with address 0x5, skipping [ 49.536042][ T143] usb 1-1: config 6 interface 155 has no altsetting 0 [ 49.542826][ T143] usb 1-1: config 6 interface 73 has no altsetting 0 [ 49.549536][ T143] usb 1-1: config 6 interface 66 has no altsetting 0 [ 49.556219][ T143] usb 1-1: config 6 interface 196 has no altsetting 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc6a8519a0) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc6a850990) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc6a8519a0) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc6a850990) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc6a8519a0) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc6a850990) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc6a8519a0) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc6a850990) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc6a8519a0) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffc6a850990) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffc6a8519a0) = 0 ioctl(3, USB_RAW_IOCTL_VBUS_DRAW, 0xfa) = 0 ioctl(3, USB_RAW_IOCTL_CONFIGURE, 0) = 0 ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f9ce06e43ac) = 0 ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffc6a850990) = 0 [ 49.797884][ T143] usb 1-1: string descriptor 0 read error: -22 [ 49.804128][ T143] usb 1-1: New USB device found, idVendor=0cf3, idProduct=0003, bcdDevice=95.a4 [ 49.813324][ T143] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 49.859556][ T143] ------------[ cut here ]------------ [ 49.865055][ T143] usb 1-1: BOGUS urb xfer, pipe 3 != type 1 [ 49.871476][ T143] WARNING: CPU: 0 PID: 143 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed2/0x1880 [ 49.881044][ T143] Modules linked in: [ 49.884921][ T143] CPU: 0 PID: 143 Comm: kworker/0:2 Not tainted 6.1.0-rc1-syzkaller-00249-g4da34b7d175d #0 [ 49.895115][ T143] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 [ 49.905349][ T143] Workqueue: usb_hub_wq hub_event [ 49.910468][ T143] RIP: 0010:usb_submit_urb+0xed2/0x1880 [ 49.916039][ T143] Code: 7c 24 18 e8 10 7f ea fb 48 8b 7c 24 18 e8 46 22 02 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 80 ab 90 8a e8 4a f4 b7 03 <0f> 0b e9 58 f8 ff ff e8 e2 7e ea fb 48 81 c5 c0 05 00 00 e9 84 f7 [ 49.935826][ T143] RSP: 0018:ffffc90002d9ef58 EFLAGS: 00010282 [ 49.941936][ T143] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 [ 49.949957][ T143] RDX: ffff88801bfea040 RSI: ffffffff81613148 RDI: fffff520005b3ddd [ 49.957988][ T143] RBP: ffff888020c80800 R08: 0000000000000005 R09: 0000000000000000 [ 49.965959][ T143] R10: 0000000080000000 R11: 3a312d3120627375 R12: 0000000000000003 [ 49.973974][ T143] R13: ffff88801e3fe040 R14: 0000000000000003 R15: ffff888016fe3e00 [ 49.981974][ T143] FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 [ 49.990998][ T143] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 49.997592][ T143] CR2: 0000564e48583ea8 CR3: 000000007c879000 CR4: 00000000003506f0 exit_group(0) = ? [ 50.005587][ T143] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 50.013611][ T143] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 50.021606][ T143] Call Trace: [ 50.024884][ T143] [ 50.027842][ T143] ? kmem_dump_obj+0x93/0x110 [ 50.032548][ T143] ar5523_submit_rx_cmd+0x1f1/0x320 [ 50.037773][ T143] ar5523_probe+0xbff/0x1d10 [ 50.042378][ T143] ? ar5523_disconnect+0x3e0/0x3e0 [ 50.047506][ T143] ? _raw_spin_lock_irqsave+0x41/0x50 [ 50.052927][ T143] ? _raw_spin_unlock_irqrestore+0x50/0x70 +++ exited with 0 +++ [ 50.058788][ T1