[ 15.253150][ C1] random: crng init done
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.167' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 25.559684][ T22] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 25.799693][ T22] usb 1-1: Using ep0 maxpacket: 8
[ 25.919720][ T22] usb 1-1: config 32 has an invalid interface number: 174 but max is 0
[ 25.928059][ T22] usb 1-1: config 32 has an invalid interface association descriptor of length 2, skipping
[ 25.938206][ T22] usb 1-1: config 32 has no interface number 0
[ 25.944412][ T22] usb 1-1: config 32 interface 174 altsetting 4 has an invalid endpoint with address 0x0, skipping
[ 25.955127][ T22] usb 1-1: config 32 interface 174 altsetting 4 endpoint 0x8F has invalid maxpacket 88, setting to 64
[ 25.966083][ T22] usb 1-1: config 32 interface 174 altsetting 4 has a duplicate endpoint with address 0x3, skipping
[ 25.976866][ T22] usb 1-1: config 32 interface 174 has no altsetting 0
[ 26.219717][ T22] usb 1-1: string descriptor 0 read error: -22
[ 26.225966][ T22] usb 1-1: New USB device found, idVendor=9022, idProduct=d421, bcdDevice=2f.e3
[ 26.235037][ T22] usb 1-1: New USB device strings: Mfr=247, Product=4, SerialNumber=2
[ 26.281691][ T22] dw2102: su3000_identify_state
[ 26.286635][ T22] dvb-usb: found a 'TeVii S421 PCI' in warm state.
[ 26.293249][ T22] dw2102: su3000_power_ctrl: 1, initialized 0
[ 26.299507][ T22] dvb-usb: bulk message failed: -22 (2/-634124224)
[ 26.307476][ T22] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[ 26.329951][ T22] dvbdev: DVB: registering new adapter (TeVii S421 PCI)
[ 26.337549][ T22] usb 1-1: media controller created
[ 26.343070][ T22] dvb-usb: bulk message failed: -22 (6/-2035979840)
[ 26.349761][ T22] dw2102: i2c transfer failed.
[ 26.361129][ T22] dvb-usb: bulk message failed: -22 (6/-2035979840)
[ 26.367712][ T22] dw2102: i2c transfer failed.
[ 26.372546][ T22] dvb-usb: bulk message failed: -22 (6/-2035979840)
[ 26.379144][ T22] dw2102: i2c transfer failed.
[ 26.383968][ T22] dvb-usb: bulk message failed: -22 (6/-2035979840)
[ 26.390720][ T22] dw2102: i2c transfer failed.
[ 26.395491][ T22] dvb-usb: bulk message failed: -22 (6/-2035979840)
[ 26.402295][ T22] dw2102: i2c transfer failed.
[ 26.407067][ T22] dvb-usb: bulk message failed: -22 (6/-2035979840)
[ 26.413743][ T22] dw2102: i2c transfer failed.
[ 26.418502][ T22] dvb-usb: MAC address: 02:02:02:02:02:02
[ 26.428981][ T22] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
[ 26.445568][ T22] dvb-usb: bulk message failed: -22 (1/0)
[ 26.451391][ T22] dw2102: command 0x51 transfer failed.
[ 26.458507][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 26.465283][ T22] dw2102: i2c transfer failed.
[ 26.470342][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 26.476925][ T22] dw2102: i2c transfer failed.
executing program
[ 26.482043][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 26.488671][ T22] dw2102: i2c transfer failed.
[ 26.493544][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 26.500195][ T22] dw2102: i2c transfer failed.
[ 26.504975][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 26.511590][ T22] dw2102: i2c transfer failed.
[ 26.516368][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 26.522991][ T22] dw2102: i2c transfer failed.
[ 26.577924][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 26.584582][ T22] dw2102: i2c transfer failed.
[ 26.589388][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 26.596053][ T22] dw2102: i2c transfer failed.
[ 26.600876][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 26.607436][ T22] dw2102: i2c transfer failed.
[ 26.612247][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 26.618829][ T22] dw2102: i2c transfer failed.
[ 26.623690][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 26.630287][ T22] dw2102: i2c transfer failed.
[ 26.635033][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 26.641634][ T22] dw2102: i2c transfer failed.
[ 26.646398][ T22] ts2020 0-0060: Montage Technology TS2020 successfully identified
[ 26.654845][ T22] dw2102: Attached RS2000/TS2020!
[ 26.660100][ T22] usb 1-1: DVB: registering adapter 0 frontend 0 (M88RS2000 DVB-S)...
[ 26.668396][ T22] dvbdev: dvb_create_media_entity: media entity 'M88RS2000 DVB-S' registered.
[ 26.729897][ T22] Registered IR keymap rc-su3000
[ 26.735279][ T22] rc rc0: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0
[ 26.744353][ T22] input: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input5
[ 26.754478][ T22] dvb-usb: schedule remote query interval to 150 msecs.
[ 26.761473][ T22] dw2102: su3000_power_ctrl: 0, initialized 1
[ 26.767513][ T22] dvb-usb: TeVii S421 PCI successfully initialized and connected.
[ 26.776998][ T22] usb 1-1: USB disconnect, device number 2
[ 26.784334][ T22] ==================================================================
[ 26.792456][ T22] BUG: KASAN: use-after-free in dvb_usb_device_exit+0x19a/0x1a0
[ 26.800057][ T22] Read of size 8 at addr ffff8881d50468e8 by task kworker/1:1/22
[ 26.807743][ T22]
[ 26.810053][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.3.0-rc2+ #25
[ 26.817492][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.827544][ T22] Workqueue: usb_hub_wq hub_event
[ 26.832542][ T22] Call Trace:
[ 26.835820][ T22] dump_stack+0xca/0x13e
[ 26.840091][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 26.845478][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 26.850746][ T22] print_address_description+0x6a/0x32c
[ 26.856289][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 26.861560][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 26.866825][ T22] __kasan_report.cold+0x1a/0x33
[ 26.871783][ T22] ? _raw_spin_unlock_irq+0x20/0x30
[ 26.876969][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 26.882239][ T22] kasan_report+0xe/0x12
[ 26.886506][ T22] dvb_usb_device_exit+0x19a/0x1a0
[ 26.891602][ T22] ? dvb_usb_exit+0x290/0x290
[ 26.896424][ T22] ? usb_disable_endpoint+0x1ba/0x1f0
[ 26.901778][ T22] ? usb_disable_interface+0x140/0x1a0
[ 26.907219][ T22] usb_unbind_interface+0x1bd/0x8a0
[ 26.912395][ T22] ? usb_autoresume_device+0x60/0x60
[ 26.917664][ T22] device_release_driver_internal+0x404/0x4c0
[ 26.923713][ T22] bus_remove_device+0x2dc/0x4a0
[ 26.928689][ T22] device_del+0x420/0xb10
[ 26.933004][ T22] ? __device_links_no_driver+0x240/0x240
[ 26.938725][ T22] ? usb_remove_ep_devs+0x3e/0x80
[ 26.943895][ T22] ? remove_intf_ep_devs+0x13f/0x1d0
[ 26.949162][ T22] usb_disable_device+0x211/0x690
[ 26.954212][ T22] usb_disconnect+0x284/0x8d0
[ 26.958873][ T22] hub_event+0x1454/0x3640
[ 26.963292][ T22] ? find_held_lock+0x2d/0x110
[ 26.968038][ T22] ? mark_held_locks+0xe0/0xe0
[ 26.972783][ T22] ? hub_port_debounce+0x260/0x260
[ 26.977933][ T22] process_one_work+0x92b/0x1530
[ 26.983068][ T22] ? pwq_dec_nr_in_flight+0x310/0x310
[ 26.988428][ T22] ? do_raw_spin_lock+0x11a/0x280
[ 26.993432][ T22] worker_thread+0x7ab/0xe20
[ 26.998004][ T22] ? process_one_work+0x1530/0x1530
[ 27.003179][ T22] kthread+0x318/0x420
[ 27.007235][ T22] ? kthread_create_on_node+0xf0/0xf0
[ 27.012598][ T22] ret_from_fork+0x24/0x30
[ 27.016984][ T22]
[ 27.019290][ T22] Allocated by task 22:
[ 27.023425][ T22] save_stack+0x1b/0x80
[ 27.027670][ T22] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 27.033278][ T22] __kmalloc_track_caller+0xc8/0x2a0
[ 27.038541][ T22] kmemdup+0x23/0x50
[ 27.042421][ T22] dw2102_probe+0x627/0xc40
[ 27.046942][ T22] usb_probe_interface+0x305/0x7a0
[ 27.052075][ T22] really_probe+0x281/0x650
[ 27.056564][ T22] driver_probe_device+0x101/0x1b0
[ 27.061703][ T22] __device_attach_driver+0x1c2/0x220
[ 27.067110][ T22] bus_for_each_drv+0x15c/0x1e0
[ 27.071949][ T22] __device_attach+0x217/0x360
[ 27.076718][ T22] bus_probe_device+0x1e4/0x290
[ 27.081548][ T22] device_add+0xae6/0x16f0
[ 27.086005][ T22] usb_set_configuration+0xdf6/0x1670
[ 27.091357][ T22] generic_probe+0x9d/0xd5
[ 27.095865][ T22] usb_probe_device+0x99/0x100
[ 27.100639][ T22] really_probe+0x281/0x650
[ 27.105132][ T22] driver_probe_device+0x101/0x1b0
[ 27.110220][ T22] __device_attach_driver+0x1c2/0x220
[ 27.115569][ T22] bus_for_each_drv+0x15c/0x1e0
[ 27.120395][ T22] __device_attach+0x217/0x360
[ 27.125148][ T22] bus_probe_device+0x1e4/0x290
[ 27.129979][ T22] device_add+0xae6/0x16f0
[ 27.134382][ T22] usb_new_device.cold+0x6a4/0xe79
[ 27.139476][ T22] hub_event+0x1b5c/0x3640
[ 27.143874][ T22] process_one_work+0x92b/0x1530
[ 27.148800][ T22] worker_thread+0x96/0xe20
[ 27.153307][ T22] kthread+0x318/0x420
[ 27.157398][ T22] ret_from_fork+0x24/0x30
[ 27.161959][ T22]
[ 27.164267][ T22] Freed by task 22:
[ 27.168147][ T22] save_stack+0x1b/0x80
[ 27.172285][ T22] __kasan_slab_free+0x130/0x180
[ 27.177200][ T22] kfree+0xe4/0x2f0
[ 27.180985][ T22] dw2102_probe+0x871/0xc40
[ 27.185466][ T22] usb_probe_interface+0x305/0x7a0
[ 27.190553][ T22] really_probe+0x281/0x650
[ 27.195034][ T22] driver_probe_device+0x101/0x1b0
[ 27.200147][ T22] __device_attach_driver+0x1c2/0x220
[ 27.205576][ T22] bus_for_each_drv+0x15c/0x1e0
[ 27.210410][ T22] __device_attach+0x217/0x360
[ 27.215174][ T22] bus_probe_device+0x1e4/0x290
[ 27.220269][ T22] device_add+0xae6/0x16f0
[ 27.224676][ T22] usb_set_configuration+0xdf6/0x1670
[ 27.230031][ T22] generic_probe+0x9d/0xd5
[ 27.234429][ T22] usb_probe_device+0x99/0x100
[ 27.239173][ T22] really_probe+0x281/0x650
[ 27.243687][ T22] driver_probe_device+0x101/0x1b0
[ 27.249239][ T22] __device_attach_driver+0x1c2/0x220
[ 27.254598][ T22] bus_for_each_drv+0x15c/0x1e0
[ 27.259542][ T22] __device_attach+0x217/0x360
[ 27.264288][ T22] bus_probe_device+0x1e4/0x290
[ 27.269247][ T22] device_add+0xae6/0x16f0
[ 27.273641][ T22] usb_new_device.cold+0x6a4/0xe79
[ 27.278736][ T22] hub_event+0x1b5c/0x3640
[ 27.283139][ T22] process_one_work+0x92b/0x1530
[ 27.288071][ T22] worker_thread+0x96/0xe20
[ 27.292571][ T22] kthread+0x318/0x420
[ 27.296639][ T22] ret_from_fork+0x24/0x30
[ 27.301156][ T22]
[ 27.303519][ T22] The buggy address belongs to the object at ffff8881d5046600
[ 27.303519][ T22] which belongs to the cache kmalloc-4k of size 4096
[ 27.317581][ T22] The buggy address is located 744 bytes inside of
[ 27.317581][ T22] 4096-byte region [ffff8881d5046600, ffff8881d5047600)
[ 27.331011][ T22] The buggy address belongs to the page:
[ 27.336628][ T22] page:ffffea0007541000 refcount:1 mapcount:0 mapping:ffff8881da00c280 index:0x0 compound_mapcount: 0
[ 27.347662][ T22] flags: 0x200000000010200(slab|head)
[ 27.353015][ T22] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c280
[ 27.361581][ T22] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 27.370139][ T22] page dumped because: kasan: bad access detected
[ 27.376525][ T22]
[ 27.378837][ T22] Memory state around the buggy address:
[ 27.384551][ T22] ffff8881d5046780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.392910][ T22] ffff8881d5046800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.400963][ T22] >ffff8881d5046880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.409003][ T22] ^
[ 27.416445][ T22] ffff8881d5046900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.424550][ T22] ffff8881d5046980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.432709][ T22] ==================================================================
[ 27.440988][ T22] Disabling lock debugging due to kernel taint
[ 27.447450][ T22] Kernel panic - not syncing: panic_on_warn set ...
[ 27.454187][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G B 5.3.0-rc2+ #25
[ 27.463098][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.473157][ T22] Workqueue: usb_hub_wq hub_event
[ 27.478230][ T22] Call Trace:
[ 27.481504][ T22] dump_stack+0xca/0x13e
[ 27.485770][ T22] panic+0x2a3/0x6da
[ 27.489655][ T22] ? add_taint.cold+0x16/0x16
[ 27.494316][ T22] ? retint_kernel+0x10/0x10
[ 27.498983][ T22] ? trace_hardirqs_on+0x55/0x1e0
[ 27.504106][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 27.509370][ T22] end_report+0x43/0x49
[ 27.513508][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 27.518786][ T22] __kasan_report.cold+0xd/0x33
[ 27.523618][ T22] ? _raw_spin_unlock_irq+0x20/0x30
[ 27.528796][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 27.534078][ T22] kasan_report+0xe/0x12
[ 27.538453][ T22] dvb_usb_device_exit+0x19a/0x1a0
[ 27.543554][ T22] ? dvb_usb_exit+0x290/0x290
[ 27.548329][ T22] ? usb_disable_endpoint+0x1ba/0x1f0
[ 27.553911][ T22] ? usb_disable_interface+0x140/0x1a0
[ 27.559488][ T22] usb_unbind_interface+0x1bd/0x8a0
[ 27.564699][ T22] ? usb_autoresume_device+0x60/0x60
[ 27.569971][ T22] device_release_driver_internal+0x404/0x4c0
[ 27.576250][ T22] bus_remove_device+0x2dc/0x4a0
[ 27.581171][ T22] device_del+0x420/0xb10
[ 27.585490][ T22] ? __device_links_no_driver+0x240/0x240
[ 27.591234][ T22] ? usb_remove_ep_devs+0x3e/0x80
[ 27.596282][ T22] ? remove_intf_ep_devs+0x13f/0x1d0
[ 27.601596][ T22] usb_disable_device+0x211/0x690
[ 27.606746][ T22] usb_disconnect+0x284/0x8d0
[ 27.611446][ T22] hub_event+0x1454/0x3640
[ 27.615954][ T22] ? find_held_lock+0x2d/0x110
[ 27.620698][ T22] ? mark_held_locks+0xe0/0xe0
[ 27.625472][ T22] ? hub_port_debounce+0x260/0x260
[ 27.630704][ T22] process_one_work+0x92b/0x1530
[ 27.635631][ T22] ? pwq_dec_nr_in_flight+0x310/0x310
[ 27.641038][ T22] ? do_raw_spin_lock+0x11a/0x280
[ 27.646043][ T22] worker_thread+0x7ab/0xe20
[ 27.650642][ T22] ? process_one_work+0x1530/0x1530
[ 27.655962][ T22] kthread+0x318/0x420
[ 27.660015][ T22] ? kthread_create_on_node+0xf0/0xf0
[ 27.665425][ T22] ret_from_fork+0x24/0x30
[ 27.670101][ T22] Kernel Offset: disabled
[ 27.674417][ T22] Rebooting in 86400 seconds..