[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.10.21' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 35.321730][ T2662] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 35.561547][ T2662] usb 1-1: Using ep0 maxpacket: 8
[ 35.681640][ T2662] usb 1-1: config 0 has an invalid interface number: 46 but max is 0
[ 35.689814][ T2662] usb 1-1: config 0 contains an unexpected descriptor of type 0x2, skipping
[ 35.698778][ T2662] usb 1-1: config 0 has no interface number 0
[ 35.704948][ T2662] usb 1-1: config 0 interface 46 altsetting 0 endpoint 0xF has invalid maxpacket 1024, setting to 64
[ 35.716024][ T2662] usb 1-1: config 0 interface 46 altsetting 0 has a duplicate endpoint with address 0x2, skipping
[ 35.726690][ T2662] usb 1-1: config 0 interface 46 altsetting 0 has an invalid endpoint with address 0x80, skipping
[ 35.737326][ T2662] usb 1-1: config 0 interface 46 altsetting 0 has a duplicate endpoint with address 0xF, skipping
[ 35.748038][ T2662] usb 1-1: config 0 interface 46 altsetting 0 endpoint 0x1 has invalid maxpacket 1024, setting to 64
[ 35.758959][ T2662] usb 1-1: config 0 interface 46 altsetting 0 has an invalid endpoint with address 0x80, skipping
[ 35.769627][ T2662] usb 1-1: config 0 interface 46 altsetting 0 has a duplicate endpoint with address 0x2, skipping
[ 35.780635][ T2662] usb 1-1: config 0 interface 46 altsetting 0 endpoint 0xB has an invalid bInterval 0, changing to 7
[ 35.791562][ T2662] usb 1-1: config 0 interface 46 altsetting 0 endpoint 0xB has invalid maxpacket 1072, setting to 1024
[ 35.802689][ T2662] usb 1-1: New USB device found, idVendor=9022, idProduct=d421, bcdDevice=4c.b2
[ 35.811787][ T2662] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 35.825251][ T2662] usb 1-1: config 0 descriptor??
[ 35.864072][ T2662] dw2102: su3000_identify_state
[ 35.869049][ T2662] dvb-usb: found a 'TeVii S421 PCI' in warm state.
[ 35.876050][ T2662] dw2102: su3000_power_ctrl: 1, initialized 0
[ 35.882861][ T2662] dvb-usb: bulk message failed: -8 (2/0)
[ 35.890054][ T2662] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[ 35.911924][ T2662] dvbdev: DVB: registering new adapter (TeVii S421 PCI)
[ 35.919036][ T2662] usb 1-1: media controller created
[ 35.924830][ T2662] dvb-usb: bulk message failed: -8 (6/0)
[ 35.930607][ T2662] dw2102: i2c transfer failed.
[ 35.935582][ T2662] dvb-usb: bulk message failed: -8 (6/0)
[ 35.941220][ T2662] dw2102: i2c transfer failed.
[ 35.946295][ T2662] dvb-usb: bulk message failed: -8 (6/0)
[ 35.952009][ T2662] dw2102: i2c transfer failed.
[ 35.956815][ T2662] dvb-usb: bulk message failed: -8 (6/0)
[ 35.962497][ T2662] dw2102: i2c transfer failed.
[ 35.967297][ T2662] dvb-usb: bulk message failed: -8 (6/0)
[ 35.972994][ T2662] dw2102: i2c transfer failed.
[ 35.977792][ T2662] dvb-usb: bulk message failed: -8 (6/0)
[ 35.983480][ T2662] dw2102: i2c transfer failed.
[ 35.988246][ T2662] dvb-usb: MAC address: 02:02:02:02:02:02
[ 35.998500][ T2662] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
executing program
[ 36.018900][ T2662] dvb-usb: bulk message failed: -8 (1/0)
[ 36.024647][ T2662] dw2102: command 0x51 transfer failed.
[ 36.074628][ T2662] DVB: Unable to find symbol m88rs2000_attach()
[ 36.080900][ T2662] dvb-usb: no frontend was attached by 'TeVii S421 PCI'
[ 36.161570][ T2662] rc_core: IR keymap rc-su3000 not found
[ 36.167236][ T2662] Registered IR keymap rc-empty
[ 36.172960][ T2662] rc rc0: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0
[ 36.184333][ T2662] input: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input5
[ 36.195562][ T2662] dvb-usb: schedule remote query interval to 150 msecs.
[ 36.202668][ T2662] dw2102: su3000_power_ctrl: 0, initialized 1
[ 36.208739][ T2662] dvb-usb: TeVii S421 PCI successfully initialized and connected.
[ 36.221526][ T2662] usb 1-1: USB disconnect, device number 2
[ 36.232720][ T2662] ==================================================================
[ 36.241113][ T2662] BUG: KASAN: use-after-free in dvb_usb_device_exit+0x19a/0x1a0
[ 36.248755][ T2662] Read of size 8 at addr ffff8881022562e8 by task kworker/1:3/2662
[ 36.256646][ T2662]
[ 36.260208][ T2662] CPU: 1 PID: 2662 Comm: kworker/1:3 Not tainted 5.10.0-rc7-syzkaller #0
[ 36.268782][ T2662] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.278886][ T2662] Workqueue: usb_hub_wq hub_event
[ 36.283896][ T2662] Call Trace:
[ 36.287172][ T2662] dump_stack+0x107/0x163
[ 36.291571][ T2662] ? dvb_usb_device_exit+0x19a/0x1a0
[ 36.296837][ T2662] ? dvb_usb_device_exit+0x19a/0x1a0
[ 36.302106][ T2662] print_address_description.constprop.0.cold+0xae/0x4c8
[ 36.309112][ T2662] ? usb_hcd_flush_endpoint+0x140/0x410
[ 36.314638][ T2662] ? vprintk_func+0x93/0x140
[ 36.319209][ T2662] ? dvb_usb_device_exit+0x19a/0x1a0
[ 36.324473][ T2662] ? dvb_usb_device_exit+0x19a/0x1a0
[ 36.329737][ T2662] kasan_report.cold+0x1f/0x37
[ 36.334484][ T2662] ? _raw_spin_unlock_bh+0x30/0x30
[ 36.339593][ T2662] ? dvb_usb_device_exit+0x19a/0x1a0
[ 36.344857][ T2662] dvb_usb_device_exit+0x19a/0x1a0
[ 36.349968][ T2662] ? dvb_usb_exit.isra.0+0x310/0x310
[ 36.355234][ T2662] ? usb_disable_interface+0x177/0x3c0
[ 36.360674][ T2662] usb_unbind_interface+0x1d8/0x8d0
[ 36.365855][ T2662] ? kernfs_remove_by_name_ns+0x62/0xb0
[ 36.371379][ T2662] ? usb_unbind_device+0x1a0/0x1a0
[ 36.376489][ T2662] __device_release_driver+0x3bd/0x6f0
[ 36.381940][ T2662] device_release_driver+0x26/0x40
[ 36.387031][ T2662] bus_remove_device+0x2eb/0x5a0
[ 36.391948][ T2662] device_del+0x502/0xec0
[ 36.396266][ T2662] ? device_link_add_missing_supplier_links+0x370/0x370
[ 36.403183][ T2662] ? kobject_put+0x1f3/0x540
[ 36.407752][ T2662] usb_disable_device+0x35b/0x7b0
[ 36.412846][ T2662] usb_disconnect.cold+0x27d/0x780
[ 36.417946][ T2662] hub_event+0x1c8a/0x42d0
[ 36.422344][ T2662] ? hub_port_debounce+0x3b0/0x3b0
[ 36.427443][ T2662] ? __lock_acquire+0x821/0x54f0
[ 36.432368][ T2662] ? put_pwq+0xb1/0x1b0
[ 36.436503][ T2662] ? lock_release+0x6d0/0x6d0
[ 36.441159][ T2662] ? lock_downgrade+0x6d0/0x6d0
[ 36.445987][ T2662] ? do_raw_spin_lock+0x120/0x2b0
[ 36.450996][ T2662] process_one_work+0x933/0x1520
[ 36.455914][ T2662] ? lock_release+0x6d0/0x6d0
[ 36.460570][ T2662] ? pwq_dec_nr_in_flight+0x320/0x320
[ 36.465940][ T2662] ? rwlock_bug.part.0+0x90/0x90
[ 36.470859][ T2662] worker_thread+0x82b/0x1120
[ 36.475536][ T2662] ? __kthread_parkme+0x118/0x1d0
[ 36.480549][ T2662] ? process_one_work+0x1520/0x1520
[ 36.485735][ T2662] kthread+0x38c/0x460
[ 36.489787][ T2662] ? _raw_spin_unlock_irq+0x1f/0x30
[ 36.494965][ T2662] ? kthread_create_worker_on_cpu+0xf0/0xf0
[ 36.500836][ T2662] ret_from_fork+0x1f/0x30
[ 36.505227][ T2662]
[ 36.507535][ T2662] Allocated by task 2662:
[ 36.511846][ T2662] kasan_save_stack+0x1b/0x40
[ 36.516503][ T2662] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 36.522114][ T2662] __kmalloc_track_caller+0x14c/0x2e0
[ 36.527472][ T2662] kmemdup+0x23/0x50
[ 36.531348][ T2662] dw2102_probe+0x57c/0xb10
[ 36.535851][ T2662] usb_probe_interface+0x315/0x7f0
[ 36.540942][ T2662] really_probe+0x291/0xde0
[ 36.545435][ T2662] driver_probe_device+0x26b/0x3d0
[ 36.550531][ T2662] __device_attach_driver+0x1d1/0x290
[ 36.555882][ T2662] bus_for_each_drv+0x15f/0x1e0
[ 36.560710][ T2662] __device_attach+0x228/0x4a0
[ 36.565469][ T2662] bus_probe_device+0x1e4/0x290
[ 36.570297][ T2662] device_add+0xbb2/0x1ce0
[ 36.574695][ T2662] usb_set_configuration+0x113c/0x1910
[ 36.580137][ T2662] usb_generic_driver_probe+0xba/0x100
[ 36.585574][ T2662] usb_probe_device+0xd9/0x2c0
[ 36.590316][ T2662] really_probe+0x291/0xde0
[ 36.594801][ T2662] driver_probe_device+0x26b/0x3d0
[ 36.599891][ T2662] __device_attach_driver+0x1d1/0x290
[ 36.605245][ T2662] bus_for_each_drv+0x15f/0x1e0
[ 36.610075][ T2662] __device_attach+0x228/0x4a0
[ 36.614820][ T2662] bus_probe_device+0x1e4/0x290
[ 36.619648][ T2662] device_add+0xbb2/0x1ce0
[ 36.624099][ T2662] usb_new_device.cold+0x71d/0xfe9
[ 36.629190][ T2662] hub_event+0x2348/0x42d0
[ 36.633589][ T2662] process_one_work+0x933/0x1520
[ 36.638504][ T2662] worker_thread+0x64c/0x1120
[ 36.643160][ T2662] kthread+0x38c/0x460
[ 36.647207][ T2662] ret_from_fork+0x1f/0x30
[ 36.651596][ T2662]
[ 36.653913][ T2662] Freed by task 2662:
[ 36.657888][ T2662] kasan_save_stack+0x1b/0x40
[ 36.662548][ T2662] kasan_set_track+0x1c/0x30
[ 36.667122][ T2662] kasan_set_free_info+0x1b/0x30
[ 36.672040][ T2662] __kasan_slab_free+0x102/0x140
[ 36.676965][ T2662] slab_free_freelist_hook+0x5d/0x150
[ 36.682322][ T2662] kfree+0xe5/0x5e0
[ 36.686110][ T2662] dw2102_probe+0x782/0xb10
[ 36.690592][ T2662] usb_probe_interface+0x315/0x7f0
[ 36.695714][ T2662] really_probe+0x291/0xde0
[ 36.700197][ T2662] driver_probe_device+0x26b/0x3d0
[ 36.705289][ T2662] __device_attach_driver+0x1d1/0x290
[ 36.710640][ T2662] bus_for_each_drv+0x15f/0x1e0
[ 36.715470][ T2662] __device_attach+0x228/0x4a0
[ 36.720216][ T2662] bus_probe_device+0x1e4/0x290
[ 36.725046][ T2662] device_add+0xbb2/0x1ce0
[ 36.729443][ T2662] usb_set_configuration+0x113c/0x1910
[ 36.734880][ T2662] usb_generic_driver_probe+0xba/0x100
[ 36.740322][ T2662] usb_probe_device+0xd9/0x2c0
[ 36.745067][ T2662] really_probe+0x291/0xde0
[ 36.749565][ T2662] driver_probe_device+0x26b/0x3d0
[ 36.754677][ T2662] __device_attach_driver+0x1d1/0x290
[ 36.760035][ T2662] bus_for_each_drv+0x15f/0x1e0
[ 36.764881][ T2662] __device_attach+0x228/0x4a0
[ 36.769692][ T2662] bus_probe_device+0x1e4/0x290
[ 36.774540][ T2662] device_add+0xbb2/0x1ce0
[ 36.778948][ T2662] usb_new_device.cold+0x71d/0xfe9
[ 36.784054][ T2662] hub_event+0x2348/0x42d0
[ 36.788456][ T2662] process_one_work+0x933/0x1520
[ 36.793375][ T2662] worker_thread+0x64c/0x1120
[ 36.798033][ T2662] kthread+0x38c/0x460
[ 36.802082][ T2662] ret_from_fork+0x1f/0x30
[ 36.806473][ T2662]
[ 36.808785][ T2662] The buggy address belongs to the object at ffff888102256000
[ 36.808785][ T2662] which belongs to the cache kmalloc-4k of size 4096
[ 36.822845][ T2662] The buggy address is located 744 bytes inside of
[ 36.822845][ T2662] 4096-byte region [ffff888102256000, ffff888102257000)
[ 36.836176][ T2662] The buggy address belongs to the page:
[ 36.841794][ T2662] page:0000000077b66daf refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102250
[ 36.852028][ T2662] head:0000000077b66daf order:3 compound_mapcount:0 compound_pincount:0
[ 36.860340][ T2662] flags: 0x200000000010200(slab|head)
[ 36.865709][ T2662] raw: 0200000000010200 dead000000000100 dead000000000122 ffff888100042140
[ 36.874275][ T2662] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 36.882836][ T2662] page dumped because: kasan: bad access detected
[ 36.889236][ T2662]
[ 36.891552][ T2662] Memory state around the buggy address:
[ 36.897168][ T2662] ffff888102256180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.905212][ T2662] ffff888102256200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.913255][ T2662] >ffff888102256280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.921353][ T2662] ^
[ 36.928789][ T2662] ffff888102256300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.936976][ T2662] ffff888102256380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.945035][ T2662] ==================================================================
[ 36.953086][ T2662] Disabling lock debugging due to kernel taint
[ 36.959346][ T2662] Kernel panic - not syncing: panic_on_warn set ...
[ 36.965946][ T2662] CPU: 1 PID: 2662 Comm: kworker/1:3 Tainted: G B 5.10.0-rc7-syzkaller #0
[ 36.975743][ T2662] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.985808][ T2662] Workqueue: usb_hub_wq hub_event
[ 36.990825][ T2662] Call Trace:
[ 36.994117][ T2662] dump_stack+0x107/0x163
[ 36.998460][ T2662] ? dvb_usb_device_exit+0xb0/0x1a0
[ 37.003646][ T2662] panic+0x306/0x73d
[ 37.007528][ T2662] ? __warn_printk+0xf3/0xf3
[ 37.012100][ T2662] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 37.018226][ T2662] ? trace_hardirqs_on+0x51/0x1a0
[ 37.023248][ T2662] ? dvb_usb_device_exit+0x19a/0x1a0
[ 37.028526][ T2662] ? dvb_usb_device_exit+0x19a/0x1a0
[ 37.033784][ T2662] end_report+0x58/0x5e
[ 37.037915][ T2662] kasan_report.cold+0xd/0x37
[ 37.042567][ T2662] ? _raw_spin_unlock_bh+0x30/0x30
[ 37.047652][ T2662] ? dvb_usb_device_exit+0x19a/0x1a0
[ 37.052909][ T2662] dvb_usb_device_exit+0x19a/0x1a0
[ 37.058000][ T2662] ? dvb_usb_exit.isra.0+0x310/0x310
[ 37.063260][ T2662] ? usb_disable_interface+0x177/0x3c0
[ 37.068692][ T2662] usb_unbind_interface+0x1d8/0x8d0
[ 37.073870][ T2662] ? kernfs_remove_by_name_ns+0x62/0xb0
[ 37.079391][ T2662] ? usb_unbind_device+0x1a0/0x1a0
[ 37.084483][ T2662] __device_release_driver+0x3bd/0x6f0
[ 37.089923][ T2662] device_release_driver+0x26/0x40
[ 37.095012][ T2662] bus_remove_device+0x2eb/0x5a0
[ 37.099924][ T2662] device_del+0x502/0xec0
[ 37.104231][ T2662] ? device_link_add_missing_supplier_links+0x370/0x370
[ 37.111139][ T2662] ? kobject_put+0x1f3/0x540
[ 37.115705][ T2662] usb_disable_device+0x35b/0x7b0
[ 37.120756][ T2662] usb_disconnect.cold+0x27d/0x780
[ 37.125846][ T2662] hub_event+0x1c8a/0x42d0
[ 37.130271][ T2662] ? hub_port_debounce+0x3b0/0x3b0
[ 37.135358][ T2662] ? __lock_acquire+0x821/0x54f0
[ 37.140269][ T2662] ? put_pwq+0xb1/0x1b0
[ 37.144398][ T2662] ? lock_release+0x6d0/0x6d0
[ 37.149048][ T2662] ? lock_downgrade+0x6d0/0x6d0
[ 37.153873][ T2662] ? do_raw_spin_lock+0x120/0x2b0
[ 37.158922][ T2662] process_one_work+0x933/0x1520
[ 37.163836][ T2662] ? lock_release+0x6d0/0x6d0
[ 37.168489][ T2662] ? pwq_dec_nr_in_flight+0x320/0x320
[ 37.173834][ T2662] ? rwlock_bug.part.0+0x90/0x90
[ 37.178748][ T2662] worker_thread+0x82b/0x1120
[ 37.183402][ T2662] ? __kthread_parkme+0x118/0x1d0
[ 37.188402][ T2662] ? process_one_work+0x1520/0x1520
[ 37.193592][ T2662] kthread+0x38c/0x460
[ 37.197639][ T2662] ? _raw_spin_unlock_irq+0x1f/0x30
[ 37.202811][ T2662] ? kthread_create_worker_on_cpu+0xf0/0xf0
[ 37.208679][ T2662] ret_from_fork+0x1f/0x30
[ 37.213676][ T2662] Kernel Offset: disabled
[ 37.217988][ T2662] Rebooting in 86400 seconds..