[info] Using makefile-style concurrent boot in runlevel 2.
[ 15.578170][ C1] random: crng init done
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.43' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 51.357399][ T22] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 51.597378][ T22] usb 1-1: Using ep0 maxpacket: 8
[ 51.717485][ T22] usb 1-1: config 171 has an invalid interface number: 21 but max is 0
[ 51.725966][ T22] usb 1-1: config 171 has no interface number 0
[ 51.732777][ T22] usb 1-1: New USB device found, idVendor=0553, idProduct=0151, bcdDevice= 3.c4
[ 51.742036][ T22] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 51.789857][ T22] cpia2: CPiA2 USB camera found
[ 51.917574][ T22] cpia2: Unexpected error: -110
[ 52.097452][ T22] cpia2: Unexpected error: -110
[ 52.217419][ T22] cpia2: Unexpected error: -110
[ 52.377433][ T22] cpia2: Unexpected error: -110
executing program
[ 52.457469][ T22] cpia2: Unexpected error: -71
[ 52.477670][ T22] cpia2: Control message failed, err val = -71
[ 52.484244][ T22] cpia2: Message: request = 0x1, start = 0x90
[ 52.490459][ T22] cpia2: Message: count = 1, register[0] = 0x0
[ 52.496757][ T22] cpia2: Unexpected error: -71
[ 52.517500][ T22] cpia2: Control message failed, err val = -71
[ 52.523849][ T22] cpia2: Message: request = 0x1, start = 0x91
[ 52.530287][ T22] cpia2: Message: count = 1, register[0] = 0x0
[ 52.536533][ T22] cpia2: Unexpected error: -71
[ 52.557527][ T22] cpia2: Control message failed, err val = -71
[ 52.563707][ T22] cpia2: Message: request = 0x0, start = 0x2
[ 52.569963][ T22] cpia2: Message: count = 1, register[0] = 0x0
[ 52.576342][ T22] cpia2: Unexpected error: -71
[ 52.581398][ T22] cpia2: CPiA Version: 0.00 (103.9)
[ 52.586766][ T22] cpia2: CPiA PnP-ID: 0000:0000:0000
[ 52.592259][ T22] cpia2: SensorID: 0.(version 0)
[ 52.600341][ T22] usb 1-1: USB disconnect, device number 2
[ 52.607020][ T22] cpia2: Control message failed, err val = -19
[ 52.613546][ T22] cpia2: Message: request = 0x1, start = 0xB0
[ 52.619950][ T22] cpia2: Message: count = 4, register[0] = 0x0
[ 52.626101][ T22] cpia2: Unexpected error: -19
[ 52.631154][ T22] cpia2: Unexpected error: -19
[ 52.635954][ T22] cpia2: Control message failed, err val = -19
[ 52.642244][ T22] cpia2: Message: request = 0x1, start = 0xA9
[ 52.647502][ T1757] cpia2: Couldn't configure sensor, error=-22
[ 52.648436][ T22] cpia2: Message: count = 1, register[0] = 0x0
[ 52.661036][ T22] cpia2: Unexpected error: -19
[ 52.667886][ T22] ==================================================================
[ 52.676044][ T22] BUG: KASAN: use-after-free in cpia2_usb_disconnect+0x1a4/0x1c0
[ 52.683845][ T22] Read of size 8 at addr ffff8881cf6c4e50 by task kworker/1:1/22
[ 52.692114][ T22]
[ 52.694445][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.2.0-rc6+ #13
[ 52.702141][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.712449][ T22] Workqueue: usb_hub_wq hub_event
[ 52.717762][ T22] Call Trace:
[ 52.721080][ T22]  dump_stack+0xca/0x13e
[ 52.725506][ T22]  ? cpia2_usb_disconnect+0x1a4/0x1c0
[ 52.731039][ T22]  ? cpia2_usb_disconnect+0x1a4/0x1c0
[ 52.736813][ T22]  print_address_description+0x67/0x231
[ 52.742596][ T22]  ? cpia2_usb_disconnect+0x1a4/0x1c0
[ 52.748070][ T22]  ? cpia2_usb_disconnect+0x1a4/0x1c0
[ 52.753452][ T22]  __kasan_report.cold+0x1a/0x32
[ 52.758573][ T22]  ? cpia2_streamoff+0x1f0/0x270
[ 52.763642][ T22]  ? cpia2_usb_disconnect+0x1a4/0x1c0
[ 52.769109][ T22]  kasan_report+0xe/0x20
[ 52.773497][ T22]  cpia2_usb_disconnect+0x1a4/0x1c0
[ 52.778683][ T22]  usb_unbind_interface+0x1bd/0x8a0
[ 52.784005][ T22]  ? usb_autoresume_device+0x60/0x60
[ 52.789289][ T22]  device_release_driver_internal+0x404/0x4c0
[ 52.795349][ T22]  bus_remove_device+0x2dc/0x4a0
[ 52.800273][ T22]  device_del+0x460/0xb80
[ 52.804586][ T22]  ? __device_links_no_driver+0x240/0x240
[ 52.810289][ T22]  ? lockdep_hardirqs_on+0x379/0x580
[ 52.815697][ T22]  ? remove_intf_ep_devs+0x13f/0x1d0
[ 52.821013][ T22]  usb_disable_device+0x211/0x690
[ 52.826116][ T22]  usb_disconnect+0x284/0x830
[ 52.830982][ T22]  hub_event+0x1409/0x3590
[ 52.835382][ T22]  ? hub_port_debounce+0x260/0x260
[ 52.840691][ T22]  process_one_work+0x905/0x1570
[ 52.846017][ T22]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 52.851392][ T22]  ? do_raw_spin_lock+0x11a/0x280
[ 52.857084][ T22]  worker_thread+0x7ab/0xe20
[ 52.861676][ T22]  ? process_one_work+0x1570/0x1570
[ 52.867055][ T22]  kthread+0x30b/0x410
[ 52.871120][ T22]  ? kthread_park+0x1a0/0x1a0
[ 52.875990][ T22]  ret_from_fork+0x24/0x30
[ 52.880479][ T22]
[ 52.882832][ T22] Allocated by task 22:
[ 52.886973][ T22]  save_stack+0x1b/0x80
[ 52.891325][ T22]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 52.896986][ T22]  cpia2_init_camera_struct+0x40/0x110
[ 52.902788][ T22]  cpia2_usb_probe.cold+0x37/0x45a
[ 52.907969][ T22]  usb_probe_interface+0x305/0x7a0
[ 52.913158][ T22]  really_probe+0x281/0x660
[ 52.917979][ T22]  driver_probe_device+0x104/0x210
[ 52.923315][ T22]  __device_attach_driver+0x1c2/0x220
[ 52.928769][ T22]  bus_for_each_drv+0x15c/0x1e0
[ 52.933647][ T22]  __device_attach+0x217/0x360
[ 52.938489][ T22]  bus_probe_device+0x1e4/0x290
[ 52.943411][ T22]  device_add+0xae6/0x16f0
[ 52.947938][ T22]  usb_set_configuration+0xdf6/0x1670
[ 52.953972][ T22]  generic_probe+0x9d/0xd5
[ 52.958711][ T22]  usb_probe_device+0x99/0x100
[ 52.963716][ T22]  really_probe+0x281/0x660
[ 52.968417][ T22]  driver_probe_device+0x104/0x210
[ 52.973627][ T22]  __device_attach_driver+0x1c2/0x220
[ 52.979282][ T22]  bus_for_each_drv+0x15c/0x1e0
[ 52.984440][ T22]  __device_attach+0x217/0x360
[ 52.989190][ T22]  bus_probe_device+0x1e4/0x290
[ 52.994362][ T22]  device_add+0xae6/0x16f0
[ 52.998826][ T22]  usb_new_device.cold+0x8c1/0x1016
[ 53.004233][ T22]  hub_event+0x1ada/0x3590
[ 53.008652][ T22]  process_one_work+0x905/0x1570
[ 53.013899][ T22]  worker_thread+0x96/0xe20
[ 53.018386][ T22]  kthread+0x30b/0x410
[ 53.022439][ T22]  ret_from_fork+0x24/0x30
[ 53.026956][ T22]
[ 53.029269][ T22] Freed by task 22:
[ 53.033262][ T22]  save_stack+0x1b/0x80
[ 53.037537][ T22]  __kasan_slab_free+0x130/0x180
[ 53.042886][ T22]  kfree+0xd7/0x280
[ 53.046823][ T22]  v4l2_device_put+0x76/0x90
[ 53.051445][ T22]  cpia2_usb_disconnect+0x79/0x1c0
[ 53.056534][ T22]  usb_unbind_interface+0x1bd/0x8a0
[ 53.061724][ T22]  device_release_driver_internal+0x404/0x4c0
[ 53.067774][ T22]  bus_remove_device+0x2dc/0x4a0
[ 53.072798][ T22]  device_del+0x460/0xb80
[ 53.077111][ T22]  usb_disable_device+0x211/0x690
[ 53.082293][ T22]  usb_disconnect+0x284/0x830
[ 53.087037][ T22]  hub_event+0x1409/0x3590
[ 53.091821][ T22]  process_one_work+0x905/0x1570
[ 53.096739][ T22]  worker_thread+0x7ab/0xe20
[ 53.101354][ T22]  kthread+0x30b/0x410
[ 53.105422][ T22]  ret_from_fork+0x24/0x30
[ 53.109867][ T22]
[ 53.112441][ T22] The buggy address belongs to the object at ffff8881cf6c4400
[ 53.112441][ T22]  which belongs to the cache kmalloc-4k of size 4096
[ 53.128981][ T22] The buggy address is located 2640 bytes inside of
[ 53.128981][ T22]  4096-byte region [ffff8881cf6c4400, ffff8881cf6c5400)
[ 53.142985][ T22] The buggy address belongs to the page:
[ 53.148657][ T22] page:ffffea00073db000 refcount:1 mapcount:0 mapping:ffff8881dac02600 index:0x0 compound_mapcount: 0
[ 53.159810][ T22] flags: 0x200000000010200(slab|head)
[ 53.165258][ T22] raw: 0200000000010200 0000000000000000 0000000100000001 ffff8881dac02600
[ 53.173954][ T22] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 53.182826][ T22] page dumped because: kasan: bad access detected
[ 53.189218][ T22]
[ 53.191658][ T22] Memory state around the buggy address:
[ 53.197370][ T22]  ffff8881cf6c4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.205768][ T22]  ffff8881cf6c4d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.213821][ T22] >ffff8881cf6c4e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.221991][ T22]                                                  ^
[ 53.228669][ T22]  ffff8881cf6c4e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.236757][ T22]  ffff8881cf6c4f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.244997][ T22] ==================================================================
[ 53.253593][ T22] Disabling lock debugging due to kernel taint
[ 53.259904][ T22] Kernel panic - not syncing: panic_on_warn set ...
[ 53.276688][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G B 5.2.0-rc6+ #13
[ 53.285845][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.296094][ T22] Workqueue: usb_hub_wq hub_event
[ 53.301184][ T22] Call Trace:
[ 53.304460][ T22]  dump_stack+0xca/0x13e
[ 53.308961][ T22]  panic+0x292/0x6c9
[ 53.312982][ T22]  ? __warn_printk+0xf3/0xf3
[ 53.317558][ T22]  ? cpia2_usb_disconnect+0x1a4/0x1c0
[ 53.323087][ T22]  ? trace_hardirqs_on+0x55/0x1c0
[ 53.328096][ T22]  ? cpia2_usb_disconnect+0x1a4/0x1c0
[ 53.333495][ T22]  end_report+0x43/0x49
[ 53.337647][ T22]  ? cpia2_usb_disconnect+0x1a4/0x1c0
[ 53.343006][ T22]  __kasan_report.cold+0xd/0x32
[ 53.348184][ T22]  ? cpia2_streamoff+0x1f0/0x270
[ 53.353411][ T22]  ? cpia2_usb_disconnect+0x1a4/0x1c0
[ 53.358859][ T22]  kasan_report+0xe/0x20
[ 53.363416][ T22]  cpia2_usb_disconnect+0x1a4/0x1c0
[ 53.368854][ T22]  usb_unbind_interface+0x1bd/0x8a0
[ 53.374127][ T22]  ? usb_autoresume_device+0x60/0x60
[ 53.379519][ T22]  device_release_driver_internal+0x404/0x4c0
[ 53.385915][ T22]  bus_remove_device+0x2dc/0x4a0
[ 53.390976][ T22]  device_del+0x460/0xb80
[ 53.395697][ T22]  ? __device_links_no_driver+0x240/0x240
[ 53.401695][ T22]  ? lockdep_hardirqs_on+0x379/0x580
[ 53.407097][ T22]  ? remove_intf_ep_devs+0x13f/0x1d0
[ 53.412543][ T22]  usb_disable_device+0x211/0x690
[ 53.417736][ T22]  usb_disconnect+0x284/0x830
[ 53.422407][ T22]  hub_event+0x1409/0x3590
[ 53.426819][ T22]  ? hub_port_debounce+0x260/0x260
[ 53.432007][ T22]  process_one_work+0x905/0x1570
[ 53.437027][ T22]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 53.442471][ T22]  ? do_raw_spin_lock+0x11a/0x280
[ 53.447511][ T22]  worker_thread+0x7ab/0xe20
[ 53.452278][ T22]  ? process_one_work+0x1570/0x1570
[ 53.457850][ T22]  kthread+0x30b/0x410
[ 53.461938][ T22]  ? kthread_park+0x1a0/0x1a0
[ 53.466606][ T22]  ret_from_fork+0x24/0x30
[ 53.471925][ T22] Kernel Offset: disabled
[ 53.476466][ T22] Rebooting in 86400 seconds..