[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[   14.256532][    C1] random: crng init done
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.187' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   42.182276][   T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   42.422255][   T83] usb 1-1: Using ep0 maxpacket: 16
[   42.542340][   T83] usb 1-1: config 0 has an invalid interface number: 16 but max is 0
[   42.550499][   T83] usb 1-1: config 0 has no interface number 0
[   42.556653][   T83] usb 1-1: config 0 interface 16 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7
[   42.567699][   T83] usb 1-1: config 0 interface 16 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 9
[   42.581029][   T83] usb 1-1: New USB device found, idVendor=0d8c, idProduct=0022, bcdDevice= 0.00
[   42.590108][   T83] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   42.599953][   T83] usb 1-1: config 0 descriptor??
[   43.083803][   T83] cm6533_jd 0003:0D8C:0022.0001: unknown main item tag 0x0
[   43.091256][   T83] cm6533_jd 0003:0D8C:0022.0001: unknown main item tag 0x0
[   43.098851][   T83] cm6533_jd 0003:0D8C:0022.0001: unknown main item tag 0x0
[   43.106104][   T83] cm6533_jd 0003:0D8C:0022.0001: unknown main item tag 0x0
[   43.113350][   T83] cm6533_jd 0003:0D8C:0022.0001: unknown main item tag 0x0
[   43.121807][   T83] input: HID 0d8c:0022 as /devices/platform/dummy_hcd.0/usb1/1-1/1-1:0.16/0003:0D8C:0022.0001/input/input5
[   43.143125][   T83] cm6533_jd 0003:0D8C:0022.0001: input,hiddev0,hidraw0: USB HID v0.00 Device [HID 0d8c:0022] on usb-dummy_hcd.0-1/input16
[   43.352482][ T1731] ==================================================================
[   43.360646][ T1731] BUG: KASAN: slab-out-of-bounds in hiddev_ioctl_usage.isra.0+0x1251/0x13b0
[   43.369430][ T1731] Write of size 4 at addr ffff8881d59384b4 by task syz-executor819/1731
[   43.377922][ T1731] 
[   43.380300][ T1731] CPU: 1 PID: 1731 Comm: syz-executor819 Not tainted 5.3.0+ #0
[   43.387933][ T1731] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.399088][ T1731] Call Trace:
[   43.402377][ T1731]  dump_stack+0xca/0x13e
[   43.406698][ T1731]  ? hiddev_ioctl_usage.isra.0+0x1251/0x13b0
[   43.412790][ T1731]  ? hiddev_ioctl_usage.isra.0+0x1251/0x13b0
[   43.418754][ T1731]  print_address_description+0x6a/0x32c
[   43.424387][ T1731]  ? hiddev_ioctl_usage.isra.0+0x1251/0x13b0
[   43.430355][ T1731]  ? hiddev_ioctl_usage.isra.0+0x1251/0x13b0
[   43.436315][ T1731]  __kasan_report.cold+0x1a/0x33
[   43.441234][ T1731]  ? hiddev_ioctl_usage.isra.0+0x1251/0x13b0
[   43.447197][ T1731]  kasan_report+0xe/0x12
[   43.451424][ T1731]  hiddev_ioctl_usage.isra.0+0x1251/0x13b0
[   43.457282][ T1731]  ? hiddev_hid_event+0x2c0/0x2c0
[   43.462346][ T1731]  ? usbhid_init_reports+0x124/0x320
[   43.467682][ T1731]  hiddev_ioctl+0x7a1/0x1550
[   43.472259][ T1731]  ? hiddev_ioctl_string.isra.0+0x1d0/0x1d0
[   43.478161][ T1731]  ? mark_lock+0xbc/0x1160
[   43.482563][ T1731]  ? find_held_lock+0x2d/0x110
[   43.487350][ T1731]  ? debug_check_no_obj_freed+0x20f/0x443
[   43.493053][ T1731]  ? lock_downgrade+0x6e0/0x6e0
[   43.497896][ T1731]  ? lock_acquire+0x127/0x320
[   43.502556][ T1731]  ? debug_check_no_obj_freed+0xc4/0x443
[   43.508172][ T1731]  ? hiddev_ioctl_string.isra.0+0x1d0/0x1d0
[   43.514074][ T1731]  do_vfs_ioctl+0xd2d/0x1330
[   43.518687][ T1731]  ? putname+0xe1/0x120
[   43.522826][ T1731]  ? putname+0xe1/0x120
[   43.526961][ T1731]  ? ioctl_preallocate+0x200/0x200
[   43.532053][ T1731]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   43.537324][ T1731]  ? __kasan_slab_free+0x145/0x180
[   43.542654][ T1731]  ? kmem_cache_free+0x2cd/0x380
[   43.547575][ T1731]  ? putname+0xe1/0x120
[   43.551755][ T1731]  ? do_sys_open+0x2e7/0x580
[   43.556328][ T1731]  ksys_ioctl+0x9b/0xc0
[   43.560466][ T1731]  __x64_sys_ioctl+0x6f/0xb0
[   43.565037][ T1731]  ? lockdep_hardirqs_on+0x379/0x580
[   43.570305][ T1731]  do_syscall_64+0xb7/0x580
[   43.574794][ T1731]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.580669][ T1731] RIP: 0033:0x444809
[   43.584548][ T1731] Code: e8 bc af 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   43.604428][ T1731] RSP: 002b:00007ffd4d98f5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   43.612839][ T1731] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444809
[   43.620922][ T1731] RDX: 00000000200008c0 RSI: 000000004018480c RDI: 0000000000000004
[   43.628882][ T1731] RBP: 00000000006cf018 R08: 18c1180b508ac6d9 R09: 00000000004002e0
[   43.636839][ T1731] R10: 000000000000000f R11: 0000000000000246 R12: 00000000004024b0
[   43.644828][ T1731] R13: 0000000000402540 R14: 0000000000000000 R15: 0000000000000000
[   43.652790][ T1731] 
[   43.655109][ T1731] Allocated by task 83:
[   43.659252][ T1731]  save_stack+0x1b/0x80
[   43.663440][ T1731]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   43.669152][ T1731]  hid_add_field+0x444/0x11c0
[   43.673811][ T1731]  hid_parser_main+0x6ab/0xbf0
[   43.678558][ T1731]  hid_open_report+0x372/0x620
[   43.683341][ T1731]  cmhid_probe+0xdd/0x160
[   43.687700][ T1731]  hid_device_probe+0x2be/0x3f0
[   43.692533][ T1731]  really_probe+0x281/0x6d0
[   43.697021][ T1731]  driver_probe_device+0x101/0x1b0
[   43.702115][ T1731]  __device_attach_driver+0x1c2/0x220
[   43.707486][ T1731]  bus_for_each_drv+0x162/0x1e0
[   43.712323][ T1731]  __device_attach+0x217/0x360
[   43.717068][ T1731]  bus_probe_device+0x1e4/0x290
[   43.721951][ T1731]  device_add+0xae6/0x16f0
[   43.726350][ T1731]  hid_add_device+0x33c/0x990
[   43.731043][ T1731]  usbhid_probe+0xa81/0xfa0
[   43.735559][ T1731]  usb_probe_interface+0x305/0x7a0
[   43.740683][ T1731]  really_probe+0x281/0x6d0
[   43.745692][ T1731]  driver_probe_device+0x101/0x1b0
[   43.750872][ T1731]  __device_attach_driver+0x1c2/0x220
[   43.756422][ T1731]  bus_for_each_drv+0x162/0x1e0
[   43.761305][ T1731]  __device_attach+0x217/0x360
[   43.766254][ T1731]  bus_probe_device+0x1e4/0x290
[   43.771227][ T1731]  device_add+0xae6/0x16f0
[   43.775635][ T1731]  usb_set_configuration+0xdf6/0x1670
[   43.780992][ T1731]  generic_probe+0x9d/0xd5
[   43.785503][ T1731]  usb_probe_device+0x99/0x100
[   43.790248][ T1731]  really_probe+0x281/0x6d0
[   43.794763][ T1731]  driver_probe_device+0x101/0x1b0
[   43.799859][ T1731]  __device_attach_driver+0x1c2/0x220
[   43.805214][ T1731]  bus_for_each_drv+0x162/0x1e0
[   43.810047][ T1731]  __device_attach+0x217/0x360
[   43.814792][ T1731]  bus_probe_device+0x1e4/0x290
[   43.819623][ T1731]  device_add+0xae6/0x16f0
[   43.824132][ T1731]  usb_new_device.cold+0x6a4/0xe79
[   43.829345][ T1731]  hub_event+0x1b5c/0x3640
[   43.833844][ T1731]  process_one_work+0x92b/0x1530
[   43.838765][ T1731]  worker_thread+0x96/0xe20
[   43.843415][ T1731]  kthread+0x318/0x420
[   43.847598][ T1731]  ret_from_fork+0x24/0x30
[   43.852005][ T1731] 
[   43.854325][ T1731] Freed by task 1:
[   43.858035][ T1731]  save_stack+0x1b/0x80
[   43.862268][ T1731]  __kasan_slab_free+0x130/0x180
[   43.867791][ T1731]  kfree+0xe4/0x2f0
[   43.871589][ T1731]  do_mount+0x69f/0x1af0
[   43.875837][ T1731]  ksys_mount+0xd7/0x150
[   43.880133][ T1731]  do_mount_root+0x32/0x1ce
[   43.884621][ T1731]  mount_block_root+0x317/0x5d3
[   43.889452][ T1731]  mount_root+0x1cd/0x213
[   43.893770][ T1731]  prepare_namespace+0x1ff/0x23b
[   43.898694][ T1731]  kernel_init_freeable+0x57e/0x596
[   43.903941][ T1731]  kernel_init+0xd/0x1bf
[   43.908468][ T1731]  ret_from_fork+0x24/0x30
[   43.913277][ T1731] 
[   43.918524][ T1731] The buggy address belongs to the object at ffff8881d59383c0
[   43.918524][ T1731]  which belongs to the cache kmalloc-256 of size 256
[   43.932943][ T1731] The buggy address is located 244 bytes inside of
[   43.932943][ T1731]  256-byte region [ffff8881d59383c0, ffff8881d59384c0)
[   43.946221][ T1731] The buggy address belongs to the page:
[   43.951843][ T1731] page:ffffea0007564e00 refcount:1 mapcount:0 mapping:ffff8881da002780 index:0x0
[   43.960971][ T1731] flags: 0x200000000000200(slab)
[   43.966016][ T1731] raw: 0200000000000200 ffffea0007607e40 0000000b0000000b ffff8881da002780
[   43.974606][ T1731] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[   43.983171][ T1731] page dumped because: kasan: bad access detected
[   43.989594][ T1731] 
[   43.991938][ T1731] Memory state around the buggy address:
[   43.997556][ T1731]  ffff8881d5938380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   44.005601][ T1731]  ffff8881d5938400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   44.013660][ T1731] >ffff8881d5938480: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   44.021806][ T1731]                                     ^
[   44.028624][ T1731]  ffff8881d5938500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   44.036739][ T1731]  ffff8881d5938580: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
[   44.044893][ T1731] ==================================================================
[   44.052935][ T1731] Disabling lock debugging due to kernel taint
[   44.059185][ T1731] Kernel panic - not syncing: panic_on_warn set ...
[   44.065865][ T1731] CPU: 1 PID: 1731 Comm: syz-executor819 Tainted: G    B             5.3.0+ #0
[   44.074852][ T1731] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   44.084903][ T1731] Call Trace:
[   44.088190][ T1731]  dump_stack+0xca/0x13e
[   44.092468][ T1731]  panic+0x2a3/0x6da
[   44.096350][ T1731]  ? add_taint.cold+0x16/0x16
[   44.101025][ T1731]  ? retint_kernel+0x10/0x10
[   44.105721][ T1731]  ? trace_hardirqs_on+0x55/0x1e0
[   44.110829][ T1731]  ? hiddev_ioctl_usage.isra.0+0x1251/0x13b0
[   44.116883][ T1731]  end_report+0x43/0x49
[   44.121208][ T1731]  ? hiddev_ioctl_usage.isra.0+0x1251/0x13b0
[   44.127238][ T1731]  __kasan_report.cold+0xd/0x33
[   44.132076][ T1731]  ? hiddev_ioctl_usage.isra.0+0x1251/0x13b0
[   44.138077][ T1731]  kasan_report+0xe/0x12
[   44.142361][ T1731]  hiddev_ioctl_usage.isra.0+0x1251/0x13b0
[   44.148270][ T1731]  ? hiddev_hid_event+0x2c0/0x2c0
[   44.153282][ T1731]  ? usbhid_init_reports+0x124/0x320
[   44.158548][ T1731]  hiddev_ioctl+0x7a1/0x1550
[   44.163253][ T1731]  ? hiddev_ioctl_string.isra.0+0x1d0/0x1d0
[   44.169175][ T1731]  ? mark_lock+0xbc/0x1160
[   44.173837][ T1731]  ? find_held_lock+0x2d/0x110
[   44.178585][ T1731]  ? debug_check_no_obj_freed+0x20f/0x443
[   44.184365][ T1731]  ? lock_downgrade+0x6e0/0x6e0
[   44.189196][ T1731]  ? lock_acquire+0x127/0x320
[   44.193854][ T1731]  ? debug_check_no_obj_freed+0xc4/0x443
[   44.199465][ T1731]  ? hiddev_ioctl_string.isra.0+0x1d0/0x1d0
[   44.205351][ T1731]  do_vfs_ioctl+0xd2d/0x1330
[   44.209923][ T1731]  ? putname+0xe1/0x120
[   44.214064][ T1731]  ? putname+0xe1/0x120
[   44.218200][ T1731]  ? ioctl_preallocate+0x200/0x200
[   44.223299][ T1731]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   44.228566][ T1731]  ? __kasan_slab_free+0x145/0x180
[   44.233718][ T1731]  ? kmem_cache_free+0x2cd/0x380
[   44.238636][ T1731]  ? putname+0xe1/0x120
[   44.242795][ T1731]  ? do_sys_open+0x2e7/0x580
[   44.247372][ T1731]  ksys_ioctl+0x9b/0xc0
[   44.251511][ T1731]  __x64_sys_ioctl+0x6f/0xb0
[   44.256083][ T1731]  ? lockdep_hardirqs_on+0x379/0x580
[   44.261403][ T1731]  do_syscall_64+0xb7/0x580
[   44.265898][ T1731]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   44.271790][ T1731] RIP: 0033:0x444809
[   44.276020][ T1731] Code: e8 bc af 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   44.295627][ T1731] RSP: 002b:00007ffd4d98f5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   44.304108][ T1731] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444809
[   44.312065][ T1731] RDX: 00000000200008c0 RSI: 000000004018480c RDI: 0000000000000004
[   44.320075][ T1731] RBP: 00000000006cf018 R08: 18c1180b508ac6d9 R09: 00000000004002e0
[   44.328032][ T1731] R10: 000000000000000f R11: 0000000000000246 R12: 00000000004024b0
[   44.335986][ T1731] R13: 0000000000402540 R14: 0000000000000000 R15: 0000000000000000
[   44.344898][ T1731] Kernel Offset: disabled
[   44.349283][ T1731] Rebooting in 86400 seconds..
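Two facts a triager wants from a report like this are buried in the dump rather than stated: which ioctl the crashing thread was executing, and how far the write strayed from the allocation. On x86-64 the second argument to ioctl(2) is in RSI, so the request number is 0x4018480c; the "Memory state" rows show where the bytes kmalloc() actually handed out end, which is smaller than the 256-byte slab slot, and that gap is what KASAN poisons as 0xfc redzone. The script below is an added triage example, not part of the syzkaller report or of the kernel tree. It takes the `_IOC` bit layout from `asm-generic/ioctl.h` and a few hiddev request numbers from the uapi `<linux/hiddev.h>` (struct hiddev_usage_ref is six __u32 fields, 24 bytes); the sample input is the relevant report lines above, copied verbatim. Function and variable names are my own.

```python
"""Decode the ioctl and the KASAN shadow bytes from the report above.

Added example (not from the report or the kernel). Assumptions: x86-64
_IOC layout, generic (non-tag-based) KASAN shadow encoding with 8-byte
granules, and the console prefix format '[   43.997556][ T1731] '.
"""
import re

# ---- ioctl request-number layout, x86-64 (asm-generic/ioctl.h) -----------
_IOC_NRBITS, _IOC_TYPEBITS, _IOC_SIZEBITS = 8, 8, 14
_IOC_TYPESHIFT = _IOC_NRBITS                       # 8
_IOC_SIZESHIFT = _IOC_TYPESHIFT + _IOC_TYPEBITS     # 16
_IOC_DIRSHIFT = _IOC_SIZESHIFT + _IOC_SIZEBITS      # 30
_IOC_DIR_NAMES = {0: "_IO", 1: "_IOW", 2: "_IOR", 3: "_IOWR"}

# Subset of <linux/hiddev.h>: (dir, type, nr, size) -> name.
HIDDEV_IOCTLS = {
    ("_IOR", "H", 0x01, 4): "HIDIOCGVERSION",
    ("_IOWR", "H", 0x0B, 24): "HIDIOCGUSAGE",
    ("_IOW", "H", 0x0C, 24): "HIDIOCSUSAGE",
    ("_IOW", "H", 0x10, 24): "HIDIOCGCOLLECTIONINDEX",
}


def decode_ioctl(cmd):
    """Split a request number into its _IOC fields and name it if known."""
    key = (_IOC_DIR_NAMES[(cmd >> _IOC_DIRSHIFT) & 0x3],
           chr((cmd >> _IOC_TYPESHIFT) & 0xFF),
           cmd & 0xFF,
           (cmd >> _IOC_SIZESHIFT) & ((1 << _IOC_SIZEBITS) - 1))
    return {"dir": key[0], "type": key[1], "nr": key[2], "size": key[3],
            "name": HIDDEV_IOCTLS.get(key, "unknown")}


# ---- KASAN shadow dump -----------------------------------------------------
GRANULE = 8  # bytes of memory covered by one generic-KASAN shadow byte
_PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*\w+\]\s?")
_SHADOW_ROW = re.compile(r"^\s*>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")


def parse_shadow(report):
    """Map each granule address to its shadow byte from the 'Memory state' rows."""
    shadow = {}
    for line in report.splitlines():
        m = _SHADOW_ROW.match(_PREFIX.sub("", line))
        if m:
            base = int(m.group(1), 16)
            for i, b in enumerate(m.group(2).split()):
                shadow[base + i * GRANULE] = int(b, 16)
    return shadow


def addressable(shadow, addr):
    """0x00 = whole granule valid, 0x01..0x07 = only the first N bytes valid,
    anything else (0xfc kmalloc redzone, 0xfb freed, ...) = poisoned."""
    g = addr & ~(GRANULE - 1)
    s = shadow[g]  # KeyError if the address is outside the dumped window
    return s == 0 or (1 <= s < GRANULE and (addr - g) < s)


def usable_end(shadow, obj_start):
    """First non-addressable address at/after obj_start: the end of what
    kmalloc() handed out, as opposed to the slab slot size."""
    addr = obj_start
    while addressable(shadow, addr):
        addr += 1
    return addr


def triage(report):
    """Pull the numbers a triager wants out of a KASAN report plus register dump."""
    kind, size, addr = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", report).groups()
    obj_start = int(re.search(r"object at ([0-9a-f]+)", report).group(1), 16)
    slot = int(re.search(r"cache kmalloc-\d+ of size (\d+)", report).group(1))
    rsi = int(re.search(r"RSI: ([0-9a-f]{16})", report).group(1), 16)
    addr, size = int(addr, 16), int(size)
    shadow = parse_shadow(report)
    end = usable_end(shadow, obj_start)
    bad = next(a for a in range(addr, addr + size) if not addressable(shadow, a))
    return {
        "ioctl": decode_ioctl(rsi),
        "access": f"{kind} of {size} bytes",
        "offset_in_object": addr - obj_start,
        "usable_size": end - obj_start,
        "bytes_past_usable_end": addr - end,
        "inside_slab_slot": addr + size <= obj_start + slot,
        "poison": shadow[bad & ~(GRANULE - 1)],
    }


# Lines copied verbatim from the report above.
REPORT = """\
[   43.360646][ T1731] BUG: KASAN: slab-out-of-bounds in hiddev_ioctl_usage.isra.0+0x1251/0x13b0
[   43.369430][ T1731] Write of size 4 at addr ffff8881d59384b4 by task syz-executor819/1731
[   43.620922][ T1731] RDX: 00000000200008c0 RSI: 000000004018480c RDI: 0000000000000004
[   43.918524][ T1731] The buggy address belongs to the object at ffff8881d59383c0
[   43.918524][ T1731]  which belongs to the cache kmalloc-256 of size 256
[   43.991938][ T1731] Memory state around the buggy address:
[   43.997556][ T1731]  ffff8881d5938380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   44.005601][ T1731]  ffff8881d5938400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   44.013660][ T1731] >ffff8881d5938480: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   44.028624][ T1731]  ffff8881d5938500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   44.036739][ T1731]  ffff8881d5938580: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
"""

if __name__ == "__main__":
    for k, v in triage(REPORT).items():
        print(f"{k}: {v}")
```

Run on the lines above it reports the request as HIDIOCSUSAGE (`_IOW('H', 0x0C, struct hiddev_usage_ref)`), a usable object of 232 bytes inside the 256-byte kmalloc-256 slot, and a 4-byte write that starts 12 bytes past the end of what hid_add_field() requested, in 0xfc redzone. That is why KASAN calls this slab-out-of-bounds even though offset 244 is inside the 256-byte region: the slack between the requested size and the slot size is poisoned. The next step is to map offset 0x1251 in hiddev_ioctl_usage back to a source line with faddr2line against this exact build; the report alone does not say which index or bound was missed.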