[ 15.051230][ T1693] random: sshd: uninitialized urandom read (32 bytes read) [ 15.262754][ T1696] random: sshd: uninitialized urandom read (32 bytes read) [ 15.363707][ C1] random: crng init done Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 24.222621][ T1706] can: request_module (can-proto-0) failed. [ 24.608482][ T1706] can: request_module (can-proto-0) failed. [ 24.618808][ T1706] can: request_module (can-proto-7) failed. [ 24.628619][ T1706] can: request_module (can-proto-0) failed. Warning: Permanently added '10.128.0.135' (ECDSA) to the list of known hosts. 2019/12/02 18:54:56 parsed 1 programs 2019/12/02 18:54:56 executed programs: 0 [ 31.388067][ T1850] cgroup1: Unknown subsys name 'perf_event' [ 31.388070][ T1851] cgroup1: Unknown subsys name 'perf_event' [ 31.388572][ T1851] cgroup1: Unknown subsys name 'net_cls' [ 31.394378][ T1850] cgroup1: Unknown subsys name 'net_cls' [ 31.408760][ T1853] cgroup1: Unknown subsys name 'perf_event' [ 31.418185][ T1855] cgroup1: Unknown subsys name 'perf_event' [ 31.424452][ T1855] cgroup1: Unknown subsys name 'net_cls' [ 31.431552][ T1859] cgroup1: Unknown subsys name 'perf_event' [ 31.435867][ T1860] cgroup1: Unknown subsys name 'perf_event' [ 31.439968][ T1853] cgroup1: Unknown subsys name 'net_cls' [ 31.444156][ T1860] cgroup1: Unknown subsys name 'net_cls' [ 31.449870][ T1859] cgroup1: Unknown subsys name 'net_cls' [ 36.197250][ T101] usb 3-1: new high-speed USB device number 2 using dummy_hcd [ 36.217232][ T12] usb 4-1: new high-speed USB device number 2 using dummy_hcd [ 36.246816][ T5] usb 2-1: new high-speed USB device number 2 using dummy_hcd [ 36.276858][ T17] usb 6-1: new high-speed USB device number 2 using dummy_hcd [ 36.306812][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 36.326909][ T3382] usb 5-1: new high-speed USB device number 2 using dummy_hcd [ 36.436898][ T101] usb 3-1: Using ep0 maxpacket: 8 [ 36.456876][ T12] usb 4-1: Using ep0 maxpacket: 8 [ 36.486861][ T5] usb 2-1: Using ep0 maxpacket: 8 [ 36.526853][ T17] usb 6-1: Using ep0 maxpacket: 8 [ 36.556928][ T83] usb 1-1: Using ep0 maxpacket: 8 [ 36.557083][ T101] usb 3-1: config 0 has an invalid interface number: 147 but max is 0 [ 36.570488][ T101] usb 3-1: config 0 has no interface number 0 [ 36.576898][ T12] usb 4-1: config 0 has an invalid interface number: 147 but max is 0 [ 36.585056][ T12] usb 4-1: config 0 has no interface number 0 [ 36.591323][ T101] usb 3-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=dc.dc [ 36.596797][ T3382] usb 5-1: Using ep0 maxpacket: 8 [ 36.600423][ T101] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 36.613698][ T12] usb 4-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=dc.dc [ 36.622790][ T12] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 36.632095][ T101] usb 3-1: config 0 descriptor?? [ 36.638497][ T12] usb 4-1: config 0 descriptor?? [ 36.646894][ T5] usb 2-1: config 0 has an invalid interface number: 147 but max is 0 [ 36.655268][ T5] usb 2-1: config 0 has no interface number 0 [ 36.661627][ T5] usb 2-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=dc.dc [ 36.670736][ T5] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 36.677224][ T17] usb 6-1: config 0 has an invalid interface number: 147 but max is 0 [ 36.687024][ T17] usb 6-1: config 0 has no interface number 0 [ 36.690495][ T5] usb 2-1: config 0 descriptor?? [ 36.693370][ T83] usb 1-1: config 0 has an invalid interface number: 147 but max is 0 [ 36.706272][ T83] usb 1-1: config 0 has no interface number 0 [ 36.712606][ T17] usb 6-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=dc.dc [ 36.721705][ T17] usb 6-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 36.729879][ T3382] usb 5-1: config 0 has an invalid interface number: 147 but max is 0 [ 36.738105][ T3382] usb 5-1: config 0 has no interface number 0 [ 36.744211][ T83] usb 1-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=dc.dc [ 36.753298][ T83] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 36.761794][ T3382] usb 5-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=dc.dc [ 36.770885][ T3382] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 36.779193][ T17] usb 6-1: config 0 descriptor?? [ 36.784877][ T83] usb 1-1: config 0 descriptor?? [ 36.790741][ T3382] usb 5-1: config 0 descriptor?? [ 36.897047][ T12] asix 4-1:0.147 (unnamed net_device) (uninitialized): Failed to read MAC address: 0 [ 36.906906][ T101] asix 3-1:0.147 (unnamed net_device) (uninitialized): Failed to read MAC address: 0 [ 36.920024][ T101] asix 3-1:0.147 eth1: register 'asix' at usb-dummy_hcd.2-1, ASIX AX88172A USB 2.0 Ethernet, 32:9d:a9:c6:ca:fe [ 36.938907][ T12] asix 4-1:0.147 eth2: register 'asix' at usb-dummy_hcd.3-1, ASIX AX88172A USB 2.0 Ethernet, 32:9d:a9:c6:ca:fe [ 36.956997][ T5] asix 2-1:0.147 (unnamed net_device) (uninitialized): Failed to read MAC address: 0 [ 36.977700][ T5] asix 2-1:0.147 eth3: register 'asix' at usb-dummy_hcd.1-1, ASIX AX88172A USB 2.0 Ethernet, 32:9d:a9:c6:ca:fe [ 37.027060][ T17] asix 6-1:0.147 (unnamed net_device) (uninitialized): Failed to read MAC address: 0 [ 37.047088][ T3382] asix 5-1:0.147 (unnamed net_device) (uninitialized): Failed to read MAC address: 0 [ 37.057042][ T83] asix 1-1:0.147 (unnamed net_device) (uninitialized): Failed to read MAC address: 0 [ 37.087685][ T3382] asix 5-1:0.147 eth4: register 'asix' at usb-dummy_hcd.4-1, ASIX AX88172A USB 2.0 Ethernet, 32:9d:a9:c6:ca:fe [ 37.111604][ T83] asix 1-1:0.147 eth5: register 'asix' at usb-dummy_hcd.0-1, ASIX AX88172A USB 2.0 Ethernet, 32:9d:a9:c6:ca:fe [ 37.128255][ T17] asix 6-1:0.147 eth6: register 'asix' at usb-dummy_hcd.5-1, ASIX AX88172A USB 2.0 Ethernet, 32:9d:a9:c6:ca:fe [ 37.160093][ T5] usb 2-1: USB disconnect, device number 2 [ 37.173297][ T3382] usb 4-1: USB disconnect, device number 2 [ 37.187624][ T5] asix 2-1:0.147 eth3: unregister 'asix' usb-dummy_hcd.1-1, ASIX AX88172A USB 2.0 Ethernet [ 37.193401][ T3382] asix 4-1:0.147 eth2: unregister 'asix' usb-dummy_hcd.3-1, ASIX AX88172A USB 2.0 Ethernet [ 37.233533][ T83] usb 3-1: USB disconnect, device number 2 [ 37.239681][ T17] usb 6-1: USB disconnect, device number 2 [ 37.247641][ T83] asix 3-1:0.147 eth1: unregister 'asix' usb-dummy_hcd.2-1, ASIX AX88172A USB 2.0 Ethernet [ 37.258440][ T17] asix 6-1:0.147 eth6: unregister 'asix' usb-dummy_hcd.5-1, ASIX AX88172A USB 2.0 Ethernet [ 37.259096][ T101] usb 1-1: USB disconnect, device number 2 [ 37.286672][ T3427] usb 5-1: USB disconnect, device number 2 [ 37.298180][ T3427] asix 5-1:0.147 eth4: unregister 'asix' usb-dummy_hcd.4-1, ASIX AX88172A USB 2.0 Ethernet [ 37.298929][ T101] asix 1-1:0.147 eth5: unregister 'asix' usb-dummy_hcd.0-1, ASIX AX88172A USB 2.0 Ethernet [ 37.431255][ T3382] ================================================================== [ 37.439477][ T3382] BUG: KASAN: use-after-free in ax88172a_unbind.cold+0x4b/0xcb [ 37.447029][ T3382] Read of size 8 at addr ffff8881ccee8700 by task kworker/1:3/3382 [ 37.454934][ T3382] [ 37.457271][ T3382] CPU: 1 PID: 3382 Comm: kworker/1:3 Not tainted 5.4.0-syzkaller #0 [ 37.465337][ T3382] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 37.475402][ T3382] Workqueue: usb_hub_wq hub_event [ 37.480447][ T3382] Call Trace: [ 37.483738][ T3382] dump_stack+0xef/0x16e [ 37.487990][ T3382] ? ax88172a_unbind.cold+0x4b/0xcb [ 37.493225][ T3382] ? ax88172a_unbind.cold+0x4b/0xcb [ 37.498450][ T3382] print_address_description.constprop.0+0x36/0x50 [ 37.504988][ T3382] ? ax88172a_unbind.cold+0x4b/0xcb [ 37.510192][ T3382] ? ax88172a_unbind.cold+0x4b/0xcb [ 37.515391][ T3382] __kasan_report.cold+0x1a/0x33 [ 37.520339][ T3382] ? ax88172a_unbind.cold+0x4b/0xcb [ 37.525992][ T3382] ? ax88172a_bind+0x7b0/0x7b0 [ 37.530782][ T3382] kasan_report+0xe/0x20 [ 37.535182][ T3382] ax88172a_unbind.cold+0x4b/0xcb [ 37.540208][ T3382] usbnet_disconnect+0x145/0x270 [ 37.545146][ T3382] usb_unbind_interface+0x1bd/0x8a0 [ 37.550360][ T3382] ? usb_autoresume_device+0x60/0x60 [ 37.555657][ T3382] device_release_driver_internal+0x42f/0x500 [ 37.561735][ T3382] bus_remove_device+0x2dc/0x4a0 [ 37.566691][ T3382] device_del+0x481/0xd30 [ 37.571033][ T3382] ? device_create_with_groups+0x120/0x120 [ 37.576840][ T3382] ? lockdep_hardirqs_on+0x382/0x580 [ 37.582147][ T3382] ? remove_intf_ep_devs+0x13f/0x1d0 [ 37.587434][ T3382] usb_disable_device+0x211/0x690 [ 37.592455][ T3382] usb_disconnect+0x284/0x8d0 [ 37.597131][ T3382] hub_event+0x1753/0x3860 [ 37.601556][ T3382] ? hub_port_debounce+0x260/0x260 [ 37.606825][ T3382] ? find_held_lock+0x2d/0x110 [ 37.611588][ T3382] ? mark_held_locks+0xe0/0xe0 [ 37.616351][ T3382] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 37.621892][ T3382] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 37.627178][ T3382] process_one_work+0x92b/0x1530 [ 37.632147][ T3382] ? pwq_dec_nr_in_flight+0x310/0x310 [ 37.637515][ T3382] ? do_raw_spin_lock+0x11a/0x280 [ 37.642538][ T3382] worker_thread+0x96/0xe20 [ 37.647042][ T3382] ? process_one_work+0x1530/0x1530 [ 37.652239][ T3382] kthread+0x318/0x420 [ 37.656305][ T3382] ? kthread_create_on_node+0xf0/0xf0 [ 37.661676][ T3382] ret_from_fork+0x24/0x30 [ 37.666087][ T3382] [ 37.668414][ T3382] Allocated by task 12: [ 37.672656][ T3382] save_stack+0x1b/0x80 [ 37.676809][ T3382] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 37.682440][ T3382] ax88172a_bind+0x9f/0x7b0 [ 37.686947][ T3382] usbnet_probe+0xb43/0x2470 [ 37.691538][ T3382] usb_probe_interface+0x305/0x7a0 [ 37.696647][ T3382] really_probe+0x281/0x6d0 [ 37.701148][ T3382] driver_probe_device+0x104/0x210 [ 37.706255][ T3382] __device_attach_driver+0x1c2/0x220 [ 37.711633][ T3382] bus_for_each_drv+0x162/0x1e0 [ 37.716480][ T3382] __device_attach+0x217/0x360 [ 37.721241][ T3382] bus_probe_device+0x1e4/0x290 [ 37.726091][ T3382] device_add+0x1480/0x1c20 [ 37.730600][ T3382] usb_set_configuration+0xe67/0x1740 [ 37.735973][ T3382] generic_probe+0x9d/0xd5 [ 37.740392][ T3382] usb_probe_device+0x99/0x100 [ 37.745151][ T3382] really_probe+0x281/0x6d0 [ 37.749655][ T3382] driver_probe_device+0x104/0x210 [ 37.754767][ T3382] __device_attach_driver+0x1c2/0x220 [ 37.760144][ T3382] bus_for_each_drv+0x162/0x1e0 [ 37.765000][ T3382] __device_attach+0x217/0x360 [ 37.769764][ T3382] bus_probe_device+0x1e4/0x290 [ 37.774614][ T3382] device_add+0x1480/0x1c20 [ 37.779123][ T3382] usb_new_device.cold+0x6a4/0xe79 [ 37.784232][ T3382] hub_event+0x1e59/0x3860 [ 37.788651][ T3382] process_one_work+0x92b/0x1530 [ 37.793586][ T3382] worker_thread+0x96/0xe20 [ 37.798086][ T3382] kthread+0x318/0x420 [ 37.802156][ T3382] ret_from_fork+0x24/0x30 [ 37.806560][ T3382] [ 37.808917][ T3382] Freed by task 12: [ 37.812720][ T3382] save_stack+0x1b/0x80 [ 37.816874][ T3382] __kasan_slab_free+0x130/0x180 [ 37.821811][ T3382] kfree+0xdc/0x310 [ 37.825617][ T3382] ax88172a_bind.cold+0x4d/0x1e8 [ 37.830639][ T3382] usbnet_probe+0xb43/0x2470 [ 37.835232][ T3382] usb_probe_interface+0x305/0x7a0 [ 37.840337][ T3382] really_probe+0x281/0x6d0 [ 37.844837][ T3382] driver_probe_device+0x104/0x210 [ 37.849947][ T3382] __device_attach_driver+0x1c2/0x220 [ 37.855313][ T3382] bus_for_each_drv+0x162/0x1e0 [ 37.860152][ T3382] __device_attach+0x217/0x360 [ 37.864907][ T3382] bus_probe_device+0x1e4/0x290 [ 37.869761][ T3382] device_add+0x1480/0x1c20 [ 37.874246][ T3382] usb_set_configuration+0xe67/0x1740 [ 37.879611][ T3382] generic_probe+0x9d/0xd5 [ 37.884044][ T3382] usb_probe_device+0x99/0x100 [ 37.889062][ T3382] really_probe+0x281/0x6d0 [ 37.893547][ T3382] driver_probe_device+0x104/0x210 [ 37.898818][ T3382] __device_attach_driver+0x1c2/0x220 [ 37.904236][ T3382] bus_for_each_drv+0x162/0x1e0 [ 37.909075][ T3382] __device_attach+0x217/0x360 [ 37.914699][ T3382] bus_probe_device+0x1e4/0x290 [ 37.919552][ T3382] device_add+0x1480/0x1c20 [ 37.924065][ T3382] usb_new_device.cold+0x6a4/0xe79 [ 37.929166][ T3382] hub_event+0x1e59/0x3860 [ 37.933570][ T3382] process_one_work+0x92b/0x1530 [ 37.938501][ T3382] worker_thread+0x96/0xe20 [ 37.942983][ T3382] kthread+0x318/0x420 [ 37.947055][ T3382] ret_from_fork+0x24/0x30 [ 37.951452][ T3382] [ 37.953767][ T3382] The buggy address belongs to the object at ffff8881ccee8700 [ 37.953767][ T3382] which belongs to the cache kmalloc-64 of size 64 [ 37.967628][ T3382] The buggy address is located 0 bytes inside of [ 37.967628][ T3382] 64-byte region [ffff8881ccee8700, ffff8881ccee8740) [ 37.980621][ T3382] The buggy address belongs to the page: [ 37.986371][ T3382] page:ffffea000733ba00 refcount:1 mapcount:0 mapping:ffff8881da003180 index:0x0 [ 37.995535][ T3382] raw: 0200000000000200 ffffea00073a7000 0000000700000007 ffff8881da003180 [ 38.004116][ T3382] raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 [ 38.012685][ T3382] page dumped because: kasan: bad access detected [ 38.019076][ T3382] [ 38.021381][ T3382] Memory state around the buggy address: [ 38.026994][ T3382] ffff8881ccee8600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 38.035034][ T3382] ffff8881ccee8680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 38.043082][ T3382] >ffff8881ccee8700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 38.051131][ T3382] ^ [ 38.055181][ T3382] ffff8881ccee8780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 38.063246][ T3382] ffff8881ccee8800: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 38.071449][ T3382] ================================================================== [ 38.079491][ T3382] Disabling lock debugging due to kernel taint [ 38.085890][ T3382] Kernel panic - not syncing: panic_on_warn set ... [ 38.092486][ T3382] CPU: 1 PID: 3382 Comm: kworker/1:3 Tainted: G B 5.4.0-syzkaller #0 [ 38.101860][ T3382] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 38.111907][ T3382] Workqueue: usb_hub_wq hub_event [ 38.118316][ T3382] Call Trace: [ 38.121587][ T3382] dump_stack+0xef/0x16e [ 38.125816][ T3382] panic+0x2aa/0x6e1 [ 38.129820][ T3382] ? add_taint.cold+0x16/0x16 [ 38.134490][ T3382] ? ax88172a_unbind.cold+0x4b/0xcb [ 38.139955][ T3382] ? trace_hardirqs_on+0x55/0x1e0 [ 38.144972][ T3382] ? ax88172a_unbind.cold+0x4b/0xcb [ 38.150162][ T3382] end_report+0x43/0x49 [ 38.154412][ T3382] ? ax88172a_unbind.cold+0x4b/0xcb [ 38.159712][ T3382] __kasan_report.cold+0xd/0x33 [ 38.164545][ T3382] ? ax88172a_unbind.cold+0x4b/0xcb [ 38.169726][ T3382] ? ax88172a_bind+0x7b0/0x7b0 [ 38.174471][ T3382] kasan_report+0xe/0x20 [ 38.179916][ T3382] ax88172a_unbind.cold+0x4b/0xcb [ 38.184945][ T3382] usbnet_disconnect+0x145/0x270 [ 38.189883][ T3382] usb_unbind_interface+0x1bd/0x8a0 [ 38.195122][ T3382] ? usb_autoresume_device+0x60/0x60 [ 38.200390][ T3382] device_release_driver_internal+0x42f/0x500 [ 38.206444][ T3382] bus_remove_device+0x2dc/0x4a0 [ 38.211378][ T3382] device_del+0x481/0xd30 [ 38.215703][ T3382] ? device_create_with_groups+0x120/0x120 [ 38.221507][ T3382] ? lockdep_hardirqs_on+0x382/0x580 [ 38.226774][ T3382] ? remove_intf_ep_devs+0x13f/0x1d0 [ 38.232044][ T3382] usb_disable_device+0x211/0x690 [ 38.237044][ T3382] usb_disconnect+0x284/0x8d0 [ 38.241798][ T3382] hub_event+0x1753/0x3860 [ 38.246190][ T3382] ? hub_port_debounce+0x260/0x260 [ 38.251280][ T3382] ? find_held_lock+0x2d/0x110 [ 38.256019][ T3382] ? mark_held_locks+0xe0/0xe0 [ 38.260779][ T3382] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 38.266331][ T3382] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 38.271603][ T3382] process_one_work+0x92b/0x1530 [ 38.276532][ T3382] ? pwq_dec_nr_in_flight+0x310/0x310 [ 38.282466][ T3382] ? do_raw_spin_lock+0x11a/0x280 [ 38.287478][ T3382] worker_thread+0x96/0xe20 [ 38.292234][ T3382] ? process_one_work+0x1530/0x1530 [ 38.297521][ T3382] kthread+0x318/0x420 [ 38.301580][ T3382] ? kthread_create_on_node+0xf0/0xf0 [ 38.306930][ T3382] ret_from_fork+0x24/0x30 [ 38.312011][ T3382] Kernel Offset: disabled [ 38.316619][ T3382] Rebooting in 86400 seconds..