[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ 14.484400][ C0] random: crng init done
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.209' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 49.827961][ T12] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 50.188016][ T12] usb 1-1: config 0 has an invalid interface number: 106 but max is 0
[ 50.196309][ T12] usb 1-1: config 0 has no interface number 0
[ 50.202592][ T12] usb 1-1: New USB device found, idVendor=20b7, idProduct=1540, bcdDevice=ef.8f
[ 50.211639][ T12] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 50.221413][ T12] usb 1-1: config 0 descriptor??
[ 51.358031][ T12] usb 1-1: ATUSB: AT86RF230 version 0
[ 51.577982][ T12] usb 1-1: Firmware: major: 0, minor: 0, hardware type: ATUSB (0)
[ 51.585821][ T12] usb 1-1: Firmware version (0.0) predates our first public release.
[ 51.593956][ T12] usb 1-1: Please update to version 0.2 or newer
[ 51.797999][ T12] usb 1-1: Firmware: build 
executing program
[ 52.421767][ T83] usb 1-1: USB disconnect, device number 2
[ 52.559042][ T83] ==================================================================
[ 52.567254][ T83] BUG: KASAN: use-after-free in atusb_disconnect+0x17f/0x1c0
[ 52.574614][ T83] Read of size 8 at addr ffff8881d53eee28 by task kworker/1:2/83
[ 52.582421][ T83]
[ 52.584735][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.3.0-rc5+ #28
[ 52.592170][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.602249][ T83] Workqueue: usb_hub_wq hub_event
[ 52.607302][ T83] Call Trace:
[ 52.610593][ T83]  dump_stack+0xca/0x13e
[ 52.614826][ T83]  ? atusb_disconnect+0x17f/0x1c0
[ 52.619943][ T83]  ? atusb_disconnect+0x17f/0x1c0
[ 52.624961][ T83]  print_address_description+0x6a/0x32c
[ 52.630498][ T83]  ? atusb_disconnect+0x17f/0x1c0
[ 52.635505][ T83]  ? atusb_disconnect+0x17f/0x1c0
[ 52.640634][ T83]  __kasan_report.cold+0x1a/0x33
[ 52.645563][ T83]  ? kobject_put+0x90/0x280
[ 52.650051][ T83]  ? atusb_disconnect+0x17f/0x1c0
[ 52.655055][ T83]  kasan_report+0xe/0x12
[ 52.659278][ T83]  atusb_disconnect+0x17f/0x1c0
[ 52.664350][ T83]  usb_unbind_interface+0x1bd/0x8a0
[ 52.669540][ T83]  ? usb_autoresume_device+0x60/0x60
[ 52.674937][ T83]  device_release_driver_internal+0x42f/0x500
[ 52.680989][ T83]  bus_remove_device+0x2dc/0x4a0
[ 52.686377][ T83]  device_del+0x420/0xb10
[ 52.690904][ T83]  ? __device_links_no_driver+0x240/0x240
[ 52.696607][ T83]  ? lockdep_hardirqs_on+0x379/0x580
[ 52.701876][ T83]  ? remove_intf_ep_devs+0x13f/0x1d0
[ 52.707245][ T83]  usb_disable_device+0x211/0x690
[ 52.712275][ T83]  usb_disconnect+0x284/0x8d0
[ 52.716935][ T83]  hub_event+0x1454/0x3640
[ 52.721453][ T83]  ? find_held_lock+0x2d/0x110
[ 52.726203][ T83]  ? mark_held_locks+0xe0/0xe0
[ 52.730950][ T83]  ? hub_port_debounce+0x260/0x260
[ 52.736055][ T83]  process_one_work+0x92b/0x1530
[ 52.740984][ T83]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 52.746339][ T83]  ? do_raw_spin_lock+0x11a/0x280
[ 52.751402][ T83]  worker_thread+0x96/0xe20
[ 52.755900][ T83]  ? process_one_work+0x1530/0x1530
[ 52.761173][ T83]  kthread+0x318/0x420
[ 52.765217][ T83]  ? kthread_create_on_node+0xf0/0xf0
[ 52.770567][ T83]  ret_from_fork+0x24/0x30
[ 52.774970][ T83]
[ 52.777278][ T83] Allocated by task 12:
[ 52.781423][ T83]  save_stack+0x1b/0x80
[ 52.785565][ T83]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 52.791184][ T83]  wpan_phy_new+0x22/0x290
[ 52.795588][ T83]  ieee802154_alloc_hw+0x11d/0x750
[ 52.800676][ T83]  atusb_probe+0x9b/0xfa2
[ 52.805005][ T83]  usb_probe_interface+0x305/0x7a0
[ 52.810192][ T83]  really_probe+0x281/0x6d0
[ 52.814686][ T83]  driver_probe_device+0x101/0x1b0
[ 52.819783][ T83]  __device_attach_driver+0x1c2/0x220
[ 52.825196][ T83]  bus_for_each_drv+0x162/0x1e0
[ 52.830119][ T83]  __device_attach+0x217/0x360
[ 52.835147][ T83]  bus_probe_device+0x1e4/0x290
[ 52.840051][ T83]  device_add+0xae6/0x16f0
[ 52.844520][ T83]  usb_set_configuration+0xdf6/0x1670
[ 52.849966][ T83]  generic_probe+0x9d/0xd5
[ 52.854384][ T83]  usb_probe_device+0x99/0x100
[ 52.859140][ T83]  really_probe+0x281/0x6d0
[ 52.863629][ T83]  driver_probe_device+0x101/0x1b0
[ 52.868725][ T83]  __device_attach_driver+0x1c2/0x220
[ 52.874167][ T83]  bus_for_each_drv+0x162/0x1e0
[ 52.879015][ T83]  __device_attach+0x217/0x360
[ 52.883762][ T83]  bus_probe_device+0x1e4/0x290
[ 52.888592][ T83]  device_add+0xae6/0x16f0
[ 52.893063][ T83]  usb_new_device.cold+0x6a4/0xe79
[ 52.898171][ T83]  hub_event+0x1b5c/0x3640
[ 52.902660][ T83]  process_one_work+0x92b/0x1530
[ 52.907584][ T83]  worker_thread+0x96/0xe20
[ 52.912130][ T83]  kthread+0x318/0x420
[ 52.916261][ T83]  ret_from_fork+0x24/0x30
[ 52.920665][ T83]
[ 52.922972][ T83] Freed by task 83:
[ 52.926814][ T83]  save_stack+0x1b/0x80
[ 52.931399][ T83]  __kasan_slab_free+0x130/0x180
[ 52.936322][ T83]  kfree+0xe4/0x2f0
[ 52.940638][ T83]  device_release+0x71/0x200
[ 52.945217][ T83]  kobject_put+0x171/0x280
[ 52.949616][ T83]  put_device+0x1b/0x30
[ 52.954102][ T83]  atusb_disconnect+0x117/0x1c0
[ 52.958952][ T83]  usb_unbind_interface+0x1bd/0x8a0
[ 52.964134][ T83]  device_release_driver_internal+0x42f/0x500
[ 52.970180][ T83]  bus_remove_device+0x2dc/0x4a0
[ 52.975212][ T83]  device_del+0x420/0xb10
[ 52.979518][ T83]  usb_disable_device+0x211/0x690
[ 52.984627][ T83]  usb_disconnect+0x284/0x8d0
[ 52.989397][ T83]  hub_event+0x1454/0x3640
[ 52.993794][ T83]  process_one_work+0x92b/0x1530
[ 52.998714][ T83]  worker_thread+0x96/0xe20
[ 53.003194][ T83]  kthread+0x318/0x420
[ 53.007362][ T83]  ret_from_fork+0x24/0x30
[ 53.011753][ T83]
[ 53.014074][ T83] The buggy address belongs to the object at ffff8881d53ee600
[ 53.014074][ T83]  which belongs to the cache kmalloc-4k of size 4096
[ 53.028201][ T83] The buggy address is located 2088 bytes inside of
[ 53.028201][ T83]  4096-byte region [ffff8881d53ee600, ffff8881d53ef600)
[ 53.041632][ T83] The buggy address belongs to the page:
[ 53.047310][ T83] page:ffffea000754fa00 refcount:1 mapcount:0 mapping:ffff8881da00c280 index:0x0 compound_mapcount: 0
[ 53.058308][ T83] flags: 0x200000000010200(slab|head)
[ 53.063672][ T83] raw: 0200000000010200 0000000000000000 0000000600000001 ffff8881da00c280
[ 53.072350][ T83] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 53.080929][ T83] page dumped because: kasan: bad access detected
[ 53.087324][ T83]
[ 53.089646][ T83] Memory state around the buggy address:
[ 53.095356][ T83]  ffff8881d53eed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.103427][ T83]  ffff8881d53eed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.111472][ T83] >ffff8881d53eee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.119521][ T83]                                   ^
[ 53.125102][ T83]  ffff8881d53eee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.133156][ T83]  ffff8881d53eef00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.141198][ T83] ==================================================================
[ 53.149339][ T83] Disabling lock debugging due to kernel taint
[ 53.155526][ T83] Kernel panic - not syncing: panic_on_warn set ...
[ 53.162117][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Tainted: G B 5.3.0-rc5+ #28
[ 53.170943][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.180990][ T83] Workqueue: usb_hub_wq hub_event
[ 53.186150][ T83] Call Trace:
[ 53.189426][ T83]  dump_stack+0xca/0x13e
[ 53.193910][ T83]  panic+0x2a3/0x6da
[ 53.197887][ T83]  ? add_taint.cold+0x16/0x16
[ 53.202552][ T83]  ? retint_kernel+0x10/0x10
[ 53.207124][ T83]  ? trace_hardirqs_on+0x55/0x1e0
[ 53.212130][ T83]  ? atusb_disconnect+0x17f/0x1c0
[ 53.217132][ T83]  end_report+0x43/0x49
[ 53.221589][ T83]  ? atusb_disconnect+0x17f/0x1c0
[ 53.226619][ T83]  __kasan_report.cold+0xd/0x33
[ 53.231463][ T83]  ? kobject_put+0x90/0x280
[ 53.235949][ T83]  ? atusb_disconnect+0x17f/0x1c0
[ 53.240958][ T83]  kasan_report+0xe/0x12
[ 53.245192][ T83]  atusb_disconnect+0x17f/0x1c0
[ 53.250386][ T83]  usb_unbind_interface+0x1bd/0x8a0
[ 53.255726][ T83]  ? usb_autoresume_device+0x60/0x60
[ 53.260988][ T83]  device_release_driver_internal+0x42f/0x500
[ 53.267146][ T83]  bus_remove_device+0x2dc/0x4a0
[ 53.272078][ T83]  device_del+0x420/0xb10
[ 53.276494][ T83]  ? __device_links_no_driver+0x240/0x240
[ 53.282199][ T83]  ? lockdep_hardirqs_on+0x379/0x580
[ 53.287477][ T83]  ? remove_intf_ep_devs+0x13f/0x1d0
[ 53.292748][ T83]  usb_disable_device+0x211/0x690
[ 53.297872][ T83]  usb_disconnect+0x284/0x8d0
[ 53.302532][ T83]  hub_event+0x1454/0x3640
[ 53.306931][ T83]  ? find_held_lock+0x2d/0x110
[ 53.311691][ T83]  ? mark_held_locks+0xe0/0xe0
[ 53.316744][ T83]  ? hub_port_debounce+0x260/0x260
[ 53.321852][ T83]  process_one_work+0x92b/0x1530
[ 53.326769][ T83]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 53.332118][ T83]  ? do_raw_spin_lock+0x11a/0x280
[ 53.337289][ T83]  worker_thread+0x96/0xe20
[ 53.341909][ T83]  ? process_one_work+0x1530/0x1530
[ 53.347096][ T83]  kthread+0x318/0x420
[ 53.351146][ T83]  ? kthread_create_on_node+0xf0/0xf0
[ 53.356544][ T83]  ret_from_fork+0x24/0x30
[ 53.361599][ T83] Kernel Offset: disabled
[ 53.365964][ T83] Rebooting in 86400 seconds..