[info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [ 15.338426][ C1] random: crng init done [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.47' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 41.475531][ T94] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 41.715545][ T94] usb 1-1: Using ep0 maxpacket: 8 [ 41.835588][ T94] usb 1-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 41.846004][ T94] usb 1-1: New USB device found, idVendor=0bd3, idProduct=0555, bcdDevice=69.6a [ 41.855012][ T94] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 41.865103][ T94] usb 1-1: config 0 descriptor?? executing program [ 42.165543][ T94] usb 1-1: string descriptor 0 read error: -71 [ 42.172743][ T94] uvcvideo: Found UVC 0.00 device (0bd3:0555) [ 42.179936][ T94] ================================================================== [ 42.188107][ T94] BUG: KASAN: use-after-free in uvc_probe.cold+0x2193/0x29de [ 42.195481][ T94] Read of size 2 at addr ffff8881d4f1bc2e by task kworker/1:2/94 [ 42.203172][ T94] [ 42.205497][ T94] CPU: 1 PID: 94 Comm: kworker/1:2 Not tainted 5.5.0-rc3-syzkaller #0 [ 42.213630][ T94] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 42.223670][ T94] Workqueue: usb_hub_wq hub_event [ 42.228667][ T94] Call Trace: [ 42.231940][ T94] dump_stack+0xef/0x16e [ 42.236158][ T94] ? uvc_probe.cold+0x2193/0x29de [ 42.241245][ T94] ? uvc_probe.cold+0x2193/0x29de [ 42.246622][ T94] print_address_description.constprop.0.cold+0xd3/0x314 [ 42.253628][ T94] ? uvc_probe.cold+0x2193/0x29de [ 42.258627][ T94] ? uvc_probe.cold+0x2193/0x29de [ 42.263627][ T94] __kasan_report.cold+0x37/0x85 [ 42.268552][ T94] ? uvc_probe.cold+0x2193/0x29de [ 42.273553][ T94] kasan_report+0xe/0x20 [ 42.277964][ T94] uvc_probe.cold+0x2193/0x29de [ 42.282854][ T94] ? mark_lock+0xbc/0x1160 [ 42.287252][ T94] ? mark_lock+0xbc/0x1160 [ 42.291654][ T94] ? mark_held_locks+0x9f/0xe0 [ 42.296416][ T94] ? usb_probe_interface+0x310/0x800 [ 42.301706][ T94] usb_probe_interface+0x310/0x800 [ 42.306813][ T94] ? usb_probe_device+0x140/0x140 [ 42.311815][ T94] really_probe+0x290/0xad0 [ 42.316576][ T94] driver_probe_device+0x223/0x350 [ 42.321778][ T94] __device_attach_driver+0x1d1/0x290 [ 42.328279][ T94] ? driver_allows_async_probing+0x160/0x160 [ 42.334520][ T94] bus_for_each_drv+0x162/0x1e0 [ 42.339354][ T94] ? bus_rescan_devices+0x20/0x20 [ 42.344379][ T94] ? _raw_spin_unlock_irqrestore+0x39/0x40 [ 42.350173][ T94] ? lockdep_hardirqs_on+0x382/0x580 [ 42.355435][ T94] __device_attach+0x217/0x390 [ 42.360266][ T94] ? device_bind_driver+0xd0/0xd0 [ 42.365280][ T94] bus_probe_device+0x1e4/0x290 [ 42.370117][ T94] device_add+0x1459/0x1bf0 [ 42.374604][ T94] ? wait_for_completion+0x3c0/0x3c0 [ 42.379870][ T94] ? device_link_remove+0x110/0x110 [ 42.385059][ T94] ? _raw_spin_unlock_irqrestore+0x39/0x40 [ 42.390857][ T94] usb_set_configuration+0xe47/0x17d0 [ 42.396216][ T94] generic_probe+0x9d/0xd5 [ 42.400611][ T94] usb_probe_device+0xaf/0x140 [ 42.405363][ T94] ? usb_suspend+0x5f0/0x5f0 [ 42.409929][ T94] really_probe+0x290/0xad0 [ 42.414408][ T94] driver_probe_device+0x223/0x350 [ 42.419497][ T94] __device_attach_driver+0x1d1/0x290 [ 42.424846][ T94] ? driver_allows_async_probing+0x160/0x160 [ 42.430995][ T94] bus_for_each_drv+0x162/0x1e0 [ 42.435906][ T94] ? bus_rescan_devices+0x20/0x20 [ 42.440907][ T94] ? _raw_spin_unlock_irqrestore+0x39/0x40 [ 42.446697][ T94] ? lockdep_hardirqs_on+0x382/0x580 [ 42.451967][ T94] __device_attach+0x217/0x390 [ 42.456721][ T94] ? device_bind_driver+0xd0/0xd0 [ 42.461819][ T94] bus_probe_device+0x1e4/0x290 [ 42.466645][ T94] device_add+0x1459/0x1bf0 [ 42.471142][ T94] ? device_link_remove+0x110/0x110 [ 42.476328][ T94] usb_new_device.cold+0x540/0xcd0 [ 42.481427][ T94] hub_event+0x21cb/0x4300 [ 42.485830][ T94] ? hub_port_debounce+0x350/0x350 [ 42.491013][ T94] ? find_held_lock+0x2d/0x110 [ 42.495765][ T94] ? mark_held_locks+0xe0/0xe0 [ 42.500518][ T94] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 42.506065][ T94] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 42.511344][ T94] process_one_work+0x945/0x15c0 [ 42.516272][ T94] ? pwq_dec_nr_in_flight+0x310/0x310 [ 42.521637][ T94] ? do_raw_spin_lock+0x129/0x290 [ 42.526837][ T94] worker_thread+0x96/0xe20 [ 42.531343][ T94] ? process_one_work+0x15c0/0x15c0 [ 42.536531][ T94] kthread+0x318/0x420 [ 42.540578][ T94] ? kthread_create_on_node+0xf0/0xf0 [ 42.545944][ T94] ret_from_fork+0x24/0x30 [ 42.550488][ T94] [ 42.552847][ T94] Allocated by task 94: [ 42.557048][ T94] save_stack+0x1b/0x80 [ 42.561309][ T94] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 42.567008][ T94] uvc_alloc_chain+0x48/0xfa [ 42.571714][ T94] uvc_probe.cold+0x15f0/0x29de [ 42.576561][ T94] usb_probe_interface+0x310/0x800 [ 42.582093][ T94] really_probe+0x290/0xad0 [ 42.586577][ T94] driver_probe_device+0x223/0x350 [ 42.591682][ T94] __device_attach_driver+0x1d1/0x290 [ 42.597032][ T94] bus_for_each_drv+0x162/0x1e0 [ 42.601875][ T94] __device_attach+0x217/0x390 [ 42.606624][ T94] bus_probe_device+0x1e4/0x290 [ 42.611580][ T94] device_add+0x1459/0x1bf0 [ 42.616075][ T94] usb_set_configuration+0xe47/0x17d0 [ 42.621885][ T94] generic_probe+0x9d/0xd5 [ 42.626290][ T94] usb_probe_device+0xaf/0x140 [ 42.631049][ T94] really_probe+0x290/0xad0 [ 42.636075][ T94] driver_probe_device+0x223/0x350 [ 42.641247][ T94] __device_attach_driver+0x1d1/0x290 [ 42.646611][ T94] bus_for_each_drv+0x162/0x1e0 [ 42.651628][ T94] __device_attach+0x217/0x390 [ 42.656987][ T94] bus_probe_device+0x1e4/0x290 [ 42.661834][ T94] device_add+0x1459/0x1bf0 [ 42.666323][ T94] usb_new_device.cold+0x540/0xcd0 [ 42.671783][ T94] hub_event+0x21cb/0x4300 [ 42.676255][ T94] process_one_work+0x945/0x15c0 [ 42.681178][ T94] worker_thread+0x96/0xe20 [ 42.685660][ T94] kthread+0x318/0x420 [ 42.689707][ T94] ret_from_fork+0x24/0x30 [ 42.694105][ T94] [ 42.696411][ T94] Freed by task 94: [ 42.700203][ T94] save_stack+0x1b/0x80 [ 42.704358][ T94] __kasan_slab_free+0x117/0x160 [ 42.709276][ T94] kfree+0xd5/0x300 [ 42.713088][ T94] uvc_probe.cold+0x16fd/0x29de [ 42.717928][ T94] usb_probe_interface+0x310/0x800 [ 42.723033][ T94] really_probe+0x290/0xad0 [ 42.727511][ T94] driver_probe_device+0x223/0x350 [ 42.732610][ T94] __device_attach_driver+0x1d1/0x290 [ 42.738093][ T94] bus_for_each_drv+0x162/0x1e0 [ 42.743376][ T94] __device_attach+0x217/0x390 [ 42.748132][ T94] bus_probe_device+0x1e4/0x290 [ 42.752970][ T94] device_add+0x1459/0x1bf0 [ 42.757560][ T94] usb_set_configuration+0xe47/0x17d0 [ 42.762913][ T94] generic_probe+0x9d/0xd5 [ 42.767355][ T94] usb_probe_device+0xaf/0x140 [ 42.772094][ T94] really_probe+0x290/0xad0 [ 42.776575][ T94] driver_probe_device+0x223/0x350 [ 42.781668][ T94] __device_attach_driver+0x1d1/0x290 [ 42.787020][ T94] bus_for_each_drv+0x162/0x1e0 [ 42.791861][ T94] __device_attach+0x217/0x390 [ 42.796603][ T94] bus_probe_device+0x1e4/0x290 [ 42.801435][ T94] device_add+0x1459/0x1bf0 [ 42.805916][ T94] usb_new_device.cold+0x540/0xcd0 [ 42.811002][ T94] hub_event+0x21cb/0x4300 [ 42.815402][ T94] process_one_work+0x945/0x15c0 [ 42.820317][ T94] worker_thread+0x96/0xe20 [ 42.824806][ T94] kthread+0x318/0x420 [ 42.828850][ T94] ret_from_fork+0x24/0x30 [ 42.833235][ T94] [ 42.835542][ T94] The buggy address belongs to the object at ffff8881d4f1bc00 [ 42.835542][ T94] which belongs to the cache kmalloc-256 of size 256 [ 42.849582][ T94] The buggy address is located 46 bytes inside of [ 42.849582][ T94] 256-byte region [ffff8881d4f1bc00, ffff8881d4f1bd00) [ 42.862749][ T94] The buggy address belongs to the page: [ 42.868383][ T94] page:ffffea000753c680 refcount:1 mapcount:0 mapping:ffff8881da002780 index:0x0 compound_mapcount: 0 [ 42.879312][ T94] raw: 0200000000010200 ffffea000753c600 0000000300000003 ffff8881da002780 [ 42.887892][ T94] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 42.896494][ T94] page dumped because: kasan: bad access detected [ 42.902932][ T94] [ 42.905256][ T94] Memory state around the buggy address: [ 42.910877][ T94] ffff8881d4f1bb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 42.919096][ T94] ffff8881d4f1bb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 42.927139][ T94] >ffff8881d4f1bc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 42.935181][ T94] ^ [ 42.940534][ T94] ffff8881d4f1bc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 42.948784][ T94] ffff8881d4f1bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 42.956828][ T94] ================================================================== [ 42.964868][ T94] Disabling lock debugging due to kernel taint [ 42.971123][ T94] Kernel panic - not syncing: panic_on_warn set ... [ 42.977725][ T94] CPU: 1 PID: 94 Comm: kworker/1:2 Tainted: G B 5.5.0-rc3-syzkaller #0 [ 42.987243][ T94] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 42.997299][ T94] Workqueue: usb_hub_wq hub_event [ 43.002298][ T94] Call Trace: [ 43.005572][ T94] dump_stack+0xef/0x16e [ 43.009850][ T94] panic+0x2aa/0x6e1 [ 43.013727][ T94] ? add_taint.cold+0x16/0x16 [ 43.018536][ T94] ? retint_kernel+0x10/0x10 [ 43.023131][ T94] ? trace_hardirqs_on+0x55/0x200 [ 43.028141][ T94] ? uvc_probe.cold+0x2193/0x29de [ 43.033160][ T94] end_report+0x43/0x49 [ 43.037297][ T94] ? uvc_probe.cold+0x2193/0x29de [ 43.042307][ T94] __kasan_report.cold+0x55/0x85 [ 43.047242][ T94] ? uvc_probe.cold+0x2193/0x29de [ 43.052331][ T94] kasan_report+0xe/0x20 [ 43.056549][ T94] uvc_probe.cold+0x2193/0x29de [ 43.061376][ T94] ? mark_lock+0xbc/0x1160 [ 43.065774][ T94] ? mark_lock+0xbc/0x1160 [ 43.070166][ T94] ? mark_held_locks+0x9f/0xe0 [ 43.074911][ T94] ? usb_probe_interface+0x310/0x800 [ 43.080171][ T94] usb_probe_interface+0x310/0x800 [ 43.085256][ T94] ? usb_probe_device+0x140/0x140 [ 43.090254][ T94] really_probe+0x290/0xad0 [ 43.095179][ T94] driver_probe_device+0x223/0x350 [ 43.100279][ T94] __device_attach_driver+0x1d1/0x290 [ 43.105628][ T94] ? driver_allows_async_probing+0x160/0x160 [ 43.111584][ T94] bus_for_each_drv+0x162/0x1e0 [ 43.116418][ T94] ? bus_rescan_devices+0x20/0x20 [ 43.121427][ T94] ? _raw_spin_unlock_irqrestore+0x39/0x40 [ 43.127214][ T94] ? lockdep_hardirqs_on+0x382/0x580 [ 43.132474][ T94] __device_attach+0x217/0x390 [ 43.137226][ T94] ? device_bind_driver+0xd0/0xd0 [ 43.142919][ T94] bus_probe_device+0x1e4/0x290 [ 43.147758][ T94] device_add+0x1459/0x1bf0 [ 43.153456][ T94] ? wait_for_completion+0x3c0/0x3c0 [ 43.158725][ T94] ? device_link_remove+0x110/0x110 [ 43.163905][ T94] ? _raw_spin_unlock_irqrestore+0x39/0x40 [ 43.169695][ T94] usb_set_configuration+0xe47/0x17d0 [ 43.175042][ T94] generic_probe+0x9d/0xd5 [ 43.179432][ T94] usb_probe_device+0xaf/0x140 [ 43.184225][ T94] ? usb_suspend+0x5f0/0x5f0 [ 43.188801][ T94] really_probe+0x290/0xad0 [ 43.193287][ T94] driver_probe_device+0x223/0x350 [ 43.198376][ T94] __device_attach_driver+0x1d1/0x290 [ 43.203726][ T94] ? driver_allows_async_probing+0x160/0x160 [ 43.209690][ T94] bus_for_each_drv+0x162/0x1e0 [ 43.214781][ T94] ? bus_rescan_devices+0x20/0x20 [ 43.219780][ T94] ? _raw_spin_unlock_irqrestore+0x39/0x40 [ 43.225567][ T94] ? lockdep_hardirqs_on+0x382/0x580 [ 43.231370][ T94] __device_attach+0x217/0x390 [ 43.236111][ T94] ? device_bind_driver+0xd0/0xd0 [ 43.241109][ T94] bus_probe_device+0x1e4/0x290 [ 43.245938][ T94] device_add+0x1459/0x1bf0 [ 43.250427][ T94] ? device_link_remove+0x110/0x110 [ 43.255600][ T94] usb_new_device.cold+0x540/0xcd0 [ 43.260699][ T94] hub_event+0x21cb/0x4300 [ 43.265094][ T94] ? hub_port_debounce+0x350/0x350 [ 43.270178][ T94] ? find_held_lock+0x2d/0x110 [ 43.274913][ T94] ? mark_held_locks+0xe0/0xe0 [ 43.279650][ T94] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 43.285180][ T94] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 43.290446][ T94] process_one_work+0x945/0x15c0 [ 43.295366][ T94] ? pwq_dec_nr_in_flight+0x310/0x310 [ 43.300724][ T94] ? do_raw_spin_lock+0x129/0x290 [ 43.305743][ T94] worker_thread+0x96/0xe20 [ 43.310230][ T94] ? process_one_work+0x15c0/0x15c0 [ 43.315420][ T94] kthread+0x318/0x420 [ 43.319474][ T94] ? kthread_create_on_node+0xf0/0xf0 [ 43.325775][ T94] ret_from_fork+0x24/0x30 [ 43.330830][ T94] Kernel Offset: disabled [ 43.335145][ T94] Rebooting in 86400 seconds..