INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.32' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 24.909532][ T12] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 25.149512][ T12] usb 1-1: Using ep0 maxpacket: 8
[ 25.269621][ T12] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7
[ 25.280944][ T12] usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 9
[ 25.294009][ T12] usb 1-1: New USB device found, idVendor=1a34, idProduct=f705, bcdDevice= 0.40
[ 25.303531][ T12] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 25.312732][ T12] usb 1-1: config 0 descriptor??
[ 25.785018][ T12] acrux 0003:1A34:F705.0001: hidraw0: USB HID v0.00 Device [HID 1a34:f705] on usb-dummy_hcd.0-1/input0
[ 25.796359][ T12] ==================================================================
[ 25.804522][ T12] BUG: KASAN: slab-out-of-bounds in ax_probe+0x369/0x540
[ 25.811578][ T12] Write of size 8 at addr ffff8881d5749bc0 by task kworker/0:1/12
[ 25.819795][ T12]
[ 25.822113][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.3.0-rc2+ #25
[ 25.829653][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.839697][ T12] Workqueue: usb_hub_wq hub_event
[ 25.845343][ T12] Call Trace:
[ 25.848621][ T12]  dump_stack+0xca/0x13e
[ 25.852868][ T12]  ? ax_probe+0x369/0x540
[ 25.857269][ T12]  ? ax_probe+0x369/0x540
[ 25.861588][ T12]  print_address_description+0x6a/0x32c
[ 25.867150][ T12]  ? ax_probe+0x369/0x540
[ 25.871460][ T12]  ? ax_probe+0x369/0x540
[ 25.876898][ T12]  __kasan_report.cold+0x1a/0x33
[ 25.881818][ T12]  ? ax_probe+0x369/0x540
[ 25.886125][ T12]  kasan_report+0xe/0x12
[ 25.890940][ T12]  check_memory_region+0x128/0x190
[ 25.896041][ T12]  ax_probe+0x369/0x540
[ 25.900174][ T12]  ? ax_remove+0x20/0x20
[ 25.904400][ T12]  hid_device_probe+0x2be/0x3f0
[ 25.909231][ T12]  ? hid_match_device+0x1f0/0x1f0
[ 25.914274][ T12]  really_probe+0x281/0x650
[ 25.918766][ T12]  driver_probe_device+0x101/0x1b0
[ 25.923972][ T12]  __device_attach_driver+0x1c2/0x220
[ 25.929442][ T12]  ? driver_allows_async_probing+0x160/0x160
[ 25.935408][ T12]  bus_for_each_drv+0x15c/0x1e0
[ 25.940240][ T12]  ? bus_rescan_devices+0x20/0x20
[ 25.945247][ T12]  ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 25.951033][ T12]  ? lockdep_hardirqs_on+0x379/0x580
[ 25.956293][ T12]  __device_attach+0x217/0x360
[ 25.961137][ T12]  ? device_bind_driver+0xd0/0xd0
[ 25.966308][ T12]  ? kobject_uevent_env+0x29e/0x1160
[ 25.971637][ T12]  ? kobject_uevent_env+0x2a8/0x1160
[ 25.976907][ T12]  bus_probe_device+0x1e4/0x290
[ 25.981774][ T12]  ? blocking_notifier_call_chain+0x54/0xa0
[ 25.987757][ T12]  device_add+0xae6/0x16f0
[ 25.992155][ T12]  ? up_write+0x97/0x270
[ 25.996449][ T12]  ? uevent_store+0x50/0x50
[ 26.000939][ T12]  ? __debugfs_create_file+0x2da/0x3c0
[ 26.006581][ T12]  hid_add_device+0x33c/0x990
[ 26.011522][ T12]  ? hid_allocate_device+0x440/0x440
[ 26.016799][ T12]  ? lockdep_init_map+0x1b0/0x5e0
[ 26.021805][ T12]  usbhid_probe+0xa81/0xfa0
[ 26.026414][ T12]  usb_probe_interface+0x305/0x7a0
[ 26.031511][ T12]  ? usb_probe_device+0x100/0x100
[ 26.036662][ T12]  really_probe+0x281/0x650
[ 26.041256][ T12]  driver_probe_device+0x101/0x1b0
[ 26.046354][ T12]  __device_attach_driver+0x1c2/0x220
[ 26.051711][ T12]  ? driver_allows_async_probing+0x160/0x160
[ 26.057778][ T12]  bus_for_each_drv+0x15c/0x1e0
[ 26.062615][ T12]  ? bus_rescan_devices+0x20/0x20
[ 26.067624][ T12]  ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 26.073534][ T12]  ? lockdep_hardirqs_on+0x379/0x580
[ 26.078903][ T12]  __device_attach+0x217/0x360
[ 26.083654][ T12]  ? device_bind_driver+0xd0/0xd0
[ 26.088657][ T12]  ? kobject_uevent_env+0x29e/0x1160
[ 26.094159][ T12]  ? kobject_uevent_env+0x2a8/0x1160
[ 26.099506][ T12]  bus_probe_device+0x1e4/0x290
[ 26.104346][ T12]  ? blocking_notifier_call_chain+0x54/0xa0
[ 26.110217][ T12]  device_add+0xae6/0x16f0
[ 26.114612][ T12]  ? uevent_store+0x50/0x50
[ 26.119098][ T12]  ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 26.124883][ T12]  usb_set_configuration+0xdf6/0x1670
[ 26.130235][ T12]  generic_probe+0x9d/0xd5
[ 26.134638][ T12]  usb_probe_device+0x99/0x100
[ 26.139387][ T12]  ? usb_suspend+0x620/0x620
[ 26.144792][ T12]  really_probe+0x281/0x650
[ 26.149273][ T12]  driver_probe_device+0x101/0x1b0
[ 26.154367][ T12]  __device_attach_driver+0x1c2/0x220
[ 26.159817][ T12]  ? driver_allows_async_probing+0x160/0x160
[ 26.165778][ T12]  bus_for_each_drv+0x15c/0x1e0
[ 26.170708][ T12]  ? bus_rescan_devices+0x20/0x20
[ 26.175714][ T12]  ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 26.181543][ T12]  ? lockdep_hardirqs_on+0x379/0x580
[ 26.186820][ T12]  __device_attach+0x217/0x360
[ 26.191564][ T12]  ? device_bind_driver+0xd0/0xd0
[ 26.196835][ T12]  ? kobject_uevent_env+0x29e/0x1160
[ 26.202256][ T12]  ? kobject_uevent_env+0x2a8/0x1160
[ 26.207660][ T12]  bus_probe_device+0x1e4/0x290
[ 26.213051][ T12]  ? blocking_notifier_call_chain+0x54/0xa0
[ 26.218926][ T12]  device_add+0xae6/0x16f0
[ 26.224480][ T12]  ? uevent_store+0x50/0x50
[ 26.228967][ T12]  usb_new_device.cold+0x6a4/0xe79
[ 26.234053][ T12]  hub_event+0x1b5c/0x3640
[ 26.238556][ T12]  ? hub_port_debounce+0x260/0x260
[ 26.243742][ T12]  process_one_work+0x92b/0x1530
[ 26.248810][ T12]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 26.254327][ T12]  ? do_raw_spin_lock+0x11a/0x280
[ 26.259342][ T12]  worker_thread+0x96/0xe20
[ 26.263831][ T12]  ? process_one_work+0x1530/0x1530
[ 26.269012][ T12]  kthread+0x318/0x420
[ 26.273060][ T12]  ? kthread_create_on_node+0xf0/0xf0
[ 26.278412][ T12]  ret_from_fork+0x24/0x30
[ 26.282803][ T12]
[ 26.285110][ T12] Allocated by task 12:
[ 26.289246][ T12]  save_stack+0x1b/0x80
[ 26.293458][ T12]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 26.299132][ T12]  hidraw_connect+0x4b/0x3e0
[ 26.303773][ T12]  hid_connect+0x5c7/0xbb0
[ 26.308176][ T12]  hid_hw_start+0xa2/0x130
[ 26.312779][ T12]  ax_probe+0x52/0x540
[ 26.316891][ T12]  hid_device_probe+0x2be/0x3f0
[ 26.321724][ T12]  really_probe+0x281/0x650
[ 26.326201][ T12]  driver_probe_device+0x101/0x1b0
[ 26.331288][ T12]  __device_attach_driver+0x1c2/0x220
[ 26.336634][ T12]  bus_for_each_drv+0x15c/0x1e0
[ 26.341458][ T12]  __device_attach+0x217/0x360
[ 26.346238][ T12]  bus_probe_device+0x1e4/0x290
[ 26.351069][ T12]  device_add+0xae6/0x16f0
[ 26.355462][ T12]  hid_add_device+0x33c/0x990
[ 26.360119][ T12]  usbhid_probe+0xa81/0xfa0
[ 26.364597][ T12]  usb_probe_interface+0x305/0x7a0
[ 26.370151][ T12]  really_probe+0x281/0x650
[ 26.374634][ T12]  driver_probe_device+0x101/0x1b0
[ 26.379722][ T12]  __device_attach_driver+0x1c2/0x220
[ 26.385066][ T12]  bus_for_each_drv+0x15c/0x1e0
[ 26.389890][ T12]  __device_attach+0x217/0x360
[ 26.394802][ T12]  bus_probe_device+0x1e4/0x290
[ 26.399671][ T12]  device_add+0xae6/0x16f0
[ 26.404257][ T12]  usb_set_configuration+0xdf6/0x1670
[ 26.409765][ T12]  generic_probe+0x9d/0xd5
[ 26.414157][ T12]  usb_probe_device+0x99/0x100
[ 26.418901][ T12]  really_probe+0x281/0x650
[ 26.423383][ T12]  driver_probe_device+0x101/0x1b0
[ 26.428482][ T12]  __device_attach_driver+0x1c2/0x220
[ 26.433834][ T12]  bus_for_each_drv+0x15c/0x1e0
[ 26.438656][ T12]  __device_attach+0x217/0x360
[ 26.443400][ T12]  bus_probe_device+0x1e4/0x290
[ 26.448342][ T12]  device_add+0xae6/0x16f0
[ 26.453039][ T12]  usb_new_device.cold+0x6a4/0xe79
[ 26.458129][ T12]  hub_event+0x1b5c/0x3640
[ 26.462675][ T12]  process_one_work+0x92b/0x1530
[ 26.467789][ T12]  worker_thread+0x96/0xe20
[ 26.472540][ T12]  kthread+0x318/0x420
[ 26.476595][ T12]  ret_from_fork+0x24/0x30
[ 26.480987][ T12]
[ 26.483479][ T12] Freed by task 1:
[ 26.487340][ T12]  save_stack+0x1b/0x80
[ 26.492040][ T12]  __kasan_slab_free+0x130/0x180
[ 26.496956][ T12]  kfree+0xe4/0x2f0
[ 26.500754][ T12]  usb_free_urb.part.0+0x7a/0xc0
[ 26.505671][ T12]  usb_free_urb+0x1b/0x30
[ 26.509981][ T12]  usb_start_wait_urb+0x1e5/0x2b0
[ 26.514988][ T12]  usb_control_msg+0x31c/0x4a0
[ 26.519730][ T12]  set_port_feature+0x69/0x90
[ 26.524387][ T12]  hub_power_on+0xca/0x280
[ 26.528783][ T12]  hub_activate+0xfb7/0x1570
[ 26.533352][ T12]  hub_probe.cold+0x21f8/0x2201
[ 26.538184][ T12]  usb_probe_interface+0x305/0x7a0
[ 26.543275][ T12]  really_probe+0x281/0x650
[ 26.547849][ T12]  driver_probe_device+0x101/0x1b0
[ 26.552940][ T12]  __device_attach_driver+0x1c2/0x220
[ 26.558299][ T12]  bus_for_each_drv+0x15c/0x1e0
[ 26.563135][ T12]  __device_attach+0x217/0x360
[ 26.567943][ T12]  bus_probe_device+0x1e4/0x290
[ 26.572776][ T12]  device_add+0xae6/0x16f0
[ 26.577175][ T12]  usb_set_configuration+0xdf6/0x1670
[ 26.582529][ T12]  generic_probe+0x9d/0xd5
[ 26.586928][ T12]  usb_probe_device+0x99/0x100
[ 26.591675][ T12]  really_probe+0x281/0x650
[ 26.596264][ T12]  driver_probe_device+0x101/0x1b0
[ 26.601358][ T12]  __device_attach_driver+0x1c2/0x220
[ 26.606709][ T12]  bus_for_each_drv+0x15c/0x1e0
[ 26.611647][ T12]  __device_attach+0x217/0x360
[ 26.616383][ T12]  bus_probe_device+0x1e4/0x290
[ 26.621213][ T12]  device_add+0xae6/0x16f0
[ 26.625733][ T12]  usb_new_device.cold+0x6a4/0xe79
[ 26.630822][ T12]  usb_add_hcd.cold+0x10d5/0x15c5
[ 26.635882][ T12]  vhci_hcd_probe+0xf6/0x230
[ 26.640648][ T12]  platform_drv_probe+0xce/0x1a0
[ 26.645611][ T12]  really_probe+0x281/0x650
[ 26.650102][ T12]  driver_probe_device+0x101/0x1b0
[ 26.655196][ T12]  __device_attach_driver+0x1c2/0x220
[ 26.660753][ T12]  bus_for_each_drv+0x15c/0x1e0
[ 26.666253][ T12]  __device_attach+0x217/0x360
[ 26.671582][ T12]  bus_probe_device+0x1e4/0x290
[ 26.676413][ T12]  device_add+0xae6/0x16f0
[ 26.680810][ T12]  platform_device_add+0x34d/0x6c0
[ 26.685895][ T12]  vhci_hcd_init+0x344/0x488
[ 26.690462][ T12]  do_one_initcall+0xf0/0x614
[ 26.695125][ T12]  kernel_init_freeable+0x4a9/0x596
[ 26.700306][ T12]  kernel_init+0xd/0x1bf
[ 26.704523][ T12]  ret_from_fork+0x24/0x30
[ 26.708908][ T12]
[ 26.711216][ T12] The buggy address belongs to the object at ffff8881d5749b00
[ 26.711216][ T12]  which belongs to the cache kmalloc-192 of size 192
[ 26.725365][ T12] The buggy address is located 0 bytes to the right of
[ 26.725365][ T12]  192-byte region [ffff8881d5749b00, ffff8881d5749bc0)
[ 26.738960][ T12] The buggy address belongs to the page:
[ 26.744583][ T12] page:ffffea000755d240 refcount:1 mapcount:0 mapping:ffff8881da002a00 index:0x0
[ 26.753674][ T12] flags: 0x200000000000200(slab)
[ 26.759101][ T12] raw: 0200000000000200 ffffea000755c3c0 0000000400000004 ffff8881da002a00
[ 26.767673][ T12] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 26.776234][ T12] page dumped because: kasan: bad access detected
[ 26.782623][ T12]
[ 26.784995][ T12] Memory state around the buggy address:
[ 26.790612][ T12]  ffff8881d5749a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 26.798914][ T12]  ffff8881d5749b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.806952][ T12] >ffff8881d5749b80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 26.814993][ T12]                                                        ^
[ 26.821127][ T12]  ffff8881d5749c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.829224][ T12]  ffff8881d5749c80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.837267][ T12] ====