[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 25.706218][ T1716] can: request_module (can-proto-0) failed.
[ 26.098917][ T1716] can: request_module (can-proto-0) failed.
[ 26.108827][ T1716] can: request_module (can-proto-7) failed.
[ 26.118440][ T1716] can: request_module (can-proto-0) failed.
Warning: Permanently added '10.128.0.212' (ECDSA) to the list of known hosts.
2019/12/14 06:52:58 parsed 1 programs
2019/12/14 06:52:58 executed programs: 0
[ 32.854861][ T1856] cgroup1: Unknown subsys name 'perf_event'
[ 32.856388][ T1857] cgroup1: Unknown subsys name 'perf_event'
[ 32.865171][ T1859] cgroup1: Unknown subsys name 'perf_event'
[ 32.867948][ T1857] cgroup1: Unknown subsys name 'net_cls'
[ 32.876009][ T1856] cgroup1: Unknown subsys name 'net_cls'
[ 32.886235][ T1861] cgroup1: Unknown subsys name 'perf_event'
[ 32.895246][ T1864] cgroup1: Unknown subsys name 'perf_event'
[ 32.902612][ T1859] cgroup1: Unknown subsys name 'net_cls'
[ 32.903335][ T1868] cgroup1: Unknown subsys name 'perf_event'
[ 32.908697][ T1861] cgroup1: Unknown subsys name 'net_cls'
[ 32.921459][ T1868] cgroup1: Unknown subsys name 'net_cls'
[ 32.922224][ T1864] cgroup1: Unknown subsys name 'net_cls'
[ 37.437093][ T83] usb 3-1: new high-speed USB device number 2 using dummy_hcd
[ 37.557079][ T12] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 37.647039][ T17] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 37.687101][ T22] usb 6-1: new high-speed USB device number 2 using dummy_hcd
[ 37.737059][ T3380] usb 2-1: new high-speed USB device number 2 using dummy_hcd
[ 37.757061][ T102] usb 4-1: new high-speed USB device number 2 using dummy_hcd
[ 37.807182][ T83] usb 3-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=9b.e9
[ 37.816403][ T83] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 37.826361][ T83] usb 3-1: config 0 descriptor??
[ 37.947169][ T12] usb 5-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=9b.e9
[ 37.956292][ T12] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 37.965234][ T12] usb 5-1: config 0 descriptor??
[ 38.007219][ T17] usb 1-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=9b.e9
[ 38.016283][ T17] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 38.025983][ T17] usb 1-1: config 0 descriptor??
[ 38.057158][ T22] usb 6-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=9b.e9
[ 38.066302][ T22] usb 6-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 38.079072][ T22] usb 6-1: config 0 descriptor??
[ 38.087409][ T83] asix 3-1:0.0 (unnamed net_device) (uninitialized): Failed to read MAC address: 0
[ 38.100410][ T83] asix 3-1:0.0 eth1: register 'asix' at usb-dummy_hcd.2-1, ASIX AX88172A USB 2.0 Ethernet, 4e:df:b0:3a:51:2d
[ 38.112248][ T3380] usb 2-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=9b.e9
[ 38.121435][ T3380] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 38.134535][ T3380] usb 2-1: config 0 descriptor??
[ 38.147179][ T102] usb 4-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=9b.e9
[ 38.156291][ T102] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 38.191768][ T102] usb 4-1: config 0 descriptor??
[ 38.227150][ T12] asix 5-1:0.0 (unnamed net_device) (uninitialized): Failed to read MAC address: 0
[ 38.256152][ T12] asix 5-1:0.0 eth2: register 'asix' at usb-dummy_hcd.4-1, ASIX AX88172A USB 2.0 Ethernet, 4e:df:b0:3a:51:2d
[ 38.277436][ T17] asix 1-1:0.0 (unnamed net_device) (uninitialized): Failed to read MAC address: 0
[ 38.288509][ T12] usb 3-1: USB disconnect, device number 2
[ 38.292024][ T17] asix 1-1:0.0 eth3: register 'asix' at usb-dummy_hcd.0-1, ASIX AX88172A USB 2.0 Ethernet, 4e:df:b0:3a:51:2d
[ 38.295229][ T12] asix 3-1:0.0 eth1: unregister 'asix' usb-dummy_hcd.2-1, ASIX AX88172A USB 2.0 Ethernet
[ 38.327136][ T22] asix 6-1:0.0 (unnamed net_device) (uninitialized): Failed to read MAC address: 0
[ 38.352923][ T22] asix 6-1:0.0 eth1: register 'asix' at usb-dummy_hcd.5-1, ASIX AX88172A USB 2.0 Ethernet, 4e:df:b0:3a:51:2d
[ 38.357632][ T12] ==================================================================
[ 38.372638][ T12] BUG: KASAN: use-after-free in ax88172a_unbind.cold+0x4b/0xc4
[ 38.380178][ T12] Read of size 8 at addr ffff8881ccef7680 by task kworker/0:1/12
[ 38.387882][ T12]
[ 38.390226][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.4.0-syzkaller #0
[ 38.398017][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.408080][ T12] Workqueue: usb_hub_wq hub_event
[ 38.413096][ T12] Call Trace:
[ 38.416367][ T12] dump_stack+0xef/0x16e
[ 38.420591][ T12] ? ax88172a_unbind.cold+0x4b/0xc4
[ 38.425765][ T12] ? ax88172a_unbind.cold+0x4b/0xc4
[ 38.430947][ T12] print_address_description.constprop.0+0x36/0x50
[ 38.437427][ T12] ? ax88172a_unbind.cold+0x4b/0xc4
[ 38.442605][ T12] ? ax88172a_unbind.cold+0x4b/0xc4
[ 38.447782][ T12] __kasan_report.cold+0x1a/0x33
[ 38.452701][ T12] ? mark_held_locks+0x10/0xe0
[ 38.457441][ T12] ? ax88172a_unbind.cold+0x4b/0xc4
[ 38.462617][ T12] ? ax88172a_bind+0x7b0/0x7b0
[ 38.467358][ T12] kasan_report+0xe/0x20
[ 38.471579][ T12] ax88172a_unbind.cold+0x4b/0xc4
[ 38.476583][ T12] usbnet_disconnect+0x145/0x270
[ 38.481589][ T12] usb_unbind_interface+0x1bd/0x8a0
[ 38.486764][ T12] ? usb_autoresume_device+0x60/0x60
[ 38.492029][ T12] device_release_driver_internal+0x42f/0x500
[ 38.498074][ T12] bus_remove_device+0x2dc/0x4a0
[ 38.502992][ T12] device_del+0x481/0xd30
[ 38.507300][ T12] ? device_create_with_groups+0x120/0x120
[ 38.513098][ T12] ? lockdep_hardirqs_on+0x382/0x580
[ 38.518363][ T12] ? remove_intf_ep_devs+0x13f/0x1d0
[ 38.523626][ T12] usb_disable_device+0x211/0x690
[ 38.528628][ T12] usb_disconnect+0x284/0x8d0
[ 38.533284][ T12] hub_event+0x1753/0x3860
[ 38.537680][ T12] ? hub_port_debounce+0x260/0x260
[ 38.542769][ T12] ? find_held_lock+0x2d/0x110
[ 38.547513][ T12] ? mark_held_locks+0xe0/0xe0
[ 38.552270][ T12] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 38.557794][ T12] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 38.563057][ T12] process_one_work+0x92b/0x1530
[ 38.567975][ T12] ? pwq_dec_nr_in_flight+0x310/0x310
[ 38.573325][ T12] ? do_raw_spin_lock+0x11a/0x280
[ 38.578331][ T12] worker_thread+0x96/0xe20
[ 38.582816][ T12] ? process_one_work+0x1530/0x1530
[ 38.587995][ T12] kthread+0x318/0x420
[ 38.592044][ T12] ? kthread_create_on_node+0xf0/0xf0
[ 38.597394][ T12] ret_from_fork+0x24/0x30
[ 38.601788][ T12]
[ 38.604094][ T12] Allocated by task 83:
[ 38.608228][ T12] save_stack+0x1b/0x80
[ 38.612362][ T12] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 38.617971][ T12] ax88172a_bind+0x9f/0x7b0
[ 38.622457][ T12] usbnet_probe+0xb43/0x2470
[ 38.627025][ T12] usb_probe_interface+0x305/0x7a0
[ 38.632112][ T12] really_probe+0x281/0x6d0
[ 38.636598][ T12] driver_probe_device+0x104/0x210
[ 38.641685][ T12] __device_attach_driver+0x1c2/0x220
[ 38.647034][ T12] bus_for_each_drv+0x162/0x1e0
[ 38.651861][ T12] __device_attach+0x217/0x360
[ 38.656599][ T12] bus_probe_device+0x1e4/0x290
[ 38.661425][ T12] device_add+0x1480/0x1c20
[ 38.665991][ T12] usb_set_configuration+0xe67/0x1740
[ 38.671340][ T12] generic_probe+0x9d/0xd5
[ 38.675741][ T12] usb_probe_device+0x99/0x100
[ 38.680476][ T12] really_probe+0x281/0x6d0
[ 38.684955][ T12] driver_probe_device+0x104/0x210
[ 38.690042][ T12] __device_attach_driver+0x1c2/0x220
[ 38.695391][ T12] bus_for_each_drv+0x162/0x1e0
[ 38.700219][ T12] __device_attach+0x217/0x360
[ 38.704971][ T12] bus_probe_device+0x1e4/0x290
[ 38.709799][ T12] device_add+0x1480/0x1c20
[ 38.714277][ T12] usb_new_device.cold+0x6a4/0xe79
[ 38.719362][ T12] hub_event+0x1e59/0x3860
[ 38.723755][ T12] process_one_work+0x92b/0x1530
[ 38.728669][ T12] worker_thread+0x96/0xe20
[ 38.733147][ T12] kthread+0x318/0x420
[ 38.737194][ T12] ret_from_fork+0x24/0x30
[ 38.741579][ T12]
[ 38.743886][ T12] Freed by task 83:
[ 38.747670][ T12] save_stack+0x1b/0x80
[ 38.751803][ T12] __kasan_slab_free+0x130/0x180
[ 38.756714][ T12] kfree+0xdc/0x310
[ 38.760498][ T12] ax88172a_bind.cold+0x4d/0x1e8
[ 38.765409][ T12] usbnet_probe+0xb43/0x2470
[ 38.769991][ T12] usb_probe_interface+0x305/0x7a0
[ 38.775075][ T12] really_probe+0x281/0x6d0
[ 38.779552][ T12] driver_probe_device+0x104/0x210
[ 38.784637][ T12] __device_attach_driver+0x1c2/0x220
[ 38.789985][ T12] bus_for_each_drv+0x162/0x1e0
[ 38.794823][ T12] __device_attach+0x217/0x360
[ 38.799564][ T12] bus_probe_device+0x1e4/0x290
[ 38.804399][ T12] device_add+0x1480/0x1c20
[ 38.808891][ T12] usb_set_configuration+0xe67/0x1740
[ 38.814240][ T12] generic_probe+0x9d/0xd5
[ 38.818630][ T12] usb_probe_device+0x99/0x100
[ 38.823370][ T12] really_probe+0x281/0x6d0
[ 38.827875][ T12] driver_probe_device+0x104/0x210
[ 38.832966][ T12] __device_attach_driver+0x1c2/0x220
[ 38.838315][ T12] bus_for_each_drv+0x162/0x1e0
[ 38.843145][ T12] __device_attach+0x217/0x360
[ 38.847887][ T12] bus_probe_device+0x1e4/0x290
[ 38.852714][ T12] device_add+0x1480/0x1c20
[ 38.857196][ T12] usb_new_device.cold+0x6a4/0xe79
[ 38.862282][ T12] hub_event+0x1e59/0x3860
[ 38.866675][ T12] process_one_work+0x92b/0x1530
[ 38.871597][ T12] worker_thread+0x96/0xe20
[ 38.876075][ T12] kthread+0x318/0x420
[ 38.880119][ T12] ret_from_fork+0x24/0x30
[ 38.884506][ T12]
[ 38.886812][ T12] The buggy address belongs to the object at ffff8881ccef7680
[ 38.886812][ T12] which belongs to the cache kmalloc-64 of size 64
[ 38.900673][ T12] The buggy address is located 0 bytes inside of
[ 38.900673][ T12] 64-byte region [ffff8881ccef7680, ffff8881ccef76c0)
[ 38.913655][ T12] The buggy address belongs to the page:
[ 38.919265][ T12] page:ffffea000733bdc0 refcount:1 mapcount:0 mapping:ffff8881da003180 index:0x0
[ 38.928353][ T12] raw: 0200000000000200 ffffea000733c780 0000000500000005 ffff8881da003180
[ 38.936916][ T12] raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
[ 38.945472][ T12] page dumped because: kasan: bad access detected
[ 38.951854][ T12]
[ 38.954159][ T12] Memory state around the buggy address:
[ 38.959766][ T12]  ffff8881ccef7580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 38.967804][ T12]  ffff8881ccef7600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 38.975841][ T12] >ffff8881ccef7680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 38.983878][ T12]                    ^
[ 38.987931][ T12]  ffff8881ccef7700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 38.995991][ T12]  ffff8881ccef7780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 39.004033][ T12] ==================================================================
[ 39.012082][ T12] Disabling lock debugging due to kernel taint
[ 39.018580][ T12] Kernel panic - not syncing: panic_on_warn set ...
[ 39.018951][ T22] usb 1-1: USB disconnect, device number 2
[ 39.025162][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.4.0-syzkaller #0
[ 39.025168][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.025182][ T12] Workqueue: usb_hub_wq hub_event
[ 39.031287][ T22] asix 1-1:0.0 eth3: unregister 'asix' usb-dummy_hcd.0-1, ASIX AX88172A USB 2.0 Ethernet
[ 39.040147][ T12] Call Trace:
[ 39.040163][ T12] dump_stack+0xef/0x16e
[ 39.040177][ T12] panic+0x2aa/0x6e1
[ 39.040188][ T12] ? add_taint.cold+0x16/0x16
[ 39.040200][ T12] ? ax88172a_unbind.cold+0x4b/0xc4
[ 39.040215][ T12] ? trace_hardirqs_on+0x55/0x1e0
[ 39.082375][ T83] usb 5-1: USB disconnect, device number 2
[ 39.086225][ T12] ? ax88172a_unbind.cold+0x4b/0xc4
[ 39.086237][ T12] end_report+0x43/0x49
[ 39.086255][ T12] ? ax88172a_unbind.cold+0x4b/0xc4
[ 39.091417][ T3386] usb 6-1: USB disconnect, device number 2
[ 39.097044][ T12] __kasan_report.cold+0xd/0x33
[ 39.097055][ T12] ? mark_held_locks+0x10/0xe0
[ 39.097066][ T12] ? ax88172a_unbind.cold+0x4b/0xc4
[ 39.097076][ T12] ? ax88172a_bind+0x7b0/0x7b0
[ 39.097084][ T12] kasan_report+0xe/0x20
[ 39.097094][ T12] ax88172a_unbind.cold+0x4b/0xc4
[ 39.097106][ T12] usbnet_disconnect+0x145/0x270
[ 39.097117][ T12] usb_unbind_interface+0x1bd/0x8a0
[ 39.097130][ T12] ? usb_autoresume_device+0x60/0x60
[ 39.102374][ T3380] asix 2-1:0.0 (unnamed net_device) (uninitialized): Failed to read MAC address: 0
[ 39.106430][ T12] device_release_driver_internal+0x42f/0x500
[ 39.106447][ T12] bus_remove_device+0x2dc/0x4a0
[ 39.125830][ T3386] asix 6-1:0.0 eth1: unregister 'asix' usb-dummy_hcd.5-1, ASIX AX88172A USB 2.0 Ethernet
[ 39.126978][ T12] device_del+0x481/0xd30
[ 39.126991][ T12] ? device_create_with_groups+0x120/0x120
[ 39.127000][ T12] ? lockdep_hardirqs_on+0x382/0x580
[ 39.127013][ T12] ? remove_intf_ep_devs+0x13f/0x1d0
[ 39.127022][ T12] usb_disable_device+0x211/0x690
[ 39.127036][ T12] usb_disconnect+0x284/0x8d0
[ 39.161070][ T83] asix 5-1:0.0 eth2: unregister 'asix' usb-dummy_hcd.4-1, ASIX AX88172A USB 2.0 Ethernet
[ 39.161547][ T12] hub_event+0x1753/0x3860
[ 39.236007][ T12] ? hub_port_debounce+0x260/0x260
[ 39.241115][ T12] ? find_held_lock+0x2d/0x110
[ 39.245873][ T12] ? mark_held_locks+0xe0/0xe0
[ 39.250635][ T12] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 39.256205][ T12] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 39.261490][ T12] process_one_work+0x92b/0x1530
[ 39.266423][ T12] ? pwq_dec_nr_in_flight+0x310/0x310
[ 39.271798][ T12] ? do_raw_spin_lock+0x11a/0x280
[ 39.276815][ T12] worker_thread+0x96/0xe20
[ 39.281315][ T12] ? process_one_work+0x1530/0x1530
[ 39.286516][ T12] kthread+0x318/0x420
[ 39.290673][ T12] ? kthread_create_on_node+0xf0/0xf0
[ 39.296041][ T12] ret_from_fork+0x24/0x30
[ 39.301159][ T12] Kernel Offset: disabled
[ 39.305475][ T12] Rebooting in 86400 seconds..