Warning: Permanently added '10.128.0.219' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 94.042500][ T22] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 94.402144][ T22] usb 1-1: config 0 has an invalid interface number: 99 but max is 0 [ 94.410324][ T22] usb 1-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 94.420839][ T22] usb 1-1: config 0 has no interface number 0 [ 94.427050][ T22] usb 1-1: New USB device found, idVendor=9022, idProduct=d421, bcdDevice=98.2c [ 94.436594][ T22] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 94.446150][ T22] usb 1-1: config 0 descriptor?? [ 94.489976][ T22] dw2102: su3000_identify_state [ 94.495552][ T22] dvb-usb: found a 'TeVii S421 PCI' in warm state. [ 94.502327][ T22] dw2102: su3000_power_ctrl: 1, initialized 0 [ 94.509023][ T22] dvb-usb: bulk message failed: -22 (2/0) [ 94.516578][ T22] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer. [ 94.542430][ T22] dvbdev: DVB: registering new adapter (TeVii S421 PCI) [ 94.549495][ T22] usb 1-1: media controller created [ 94.555227][ T22] dvb-usb: bulk message failed: -22 (6/-2035708080) [ 94.562742][ T22] dw2102: i2c transfer failed. [ 94.567547][ T22] dvb-usb: bulk message failed: -22 (6/-2035708080) [ 94.574302][ T22] dw2102: i2c transfer failed. [ 94.579260][ T22] dvb-usb: bulk message failed: -22 (6/-2035708080) [ 94.586560][ T22] dw2102: i2c transfer failed. [ 94.591454][ T22] dvb-usb: bulk message failed: -22 (6/-2035708080) [ 94.598370][ T22] dw2102: i2c transfer failed. [ 94.603537][ T22] dvb-usb: bulk message failed: -22 (6/-2035708080) [ 94.610325][ T22] dw2102: i2c transfer failed. [ 94.615186][ T22] dvb-usb: bulk message failed: -22 (6/-2035708080) [ 94.621784][ T22] dw2102: i2c transfer failed. [ 94.626730][ T22] dvb-usb: MAC address: 02:02:02:02:02:02 executing program [ 94.636294][ T22] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered. [ 94.649444][ T22] dvb-usb: bulk message failed: -22 (1/0) [ 94.655342][ T22] dw2102: command 0x51 transfer failed. [ 94.663946][ T22] dvb-usb: bulk message failed: -22 (5/-2035708080) [ 94.670852][ T22] dw2102: i2c transfer failed. [ 94.675920][ T22] dvb-usb: bulk message failed: -22 (5/-2035708080) [ 94.682919][ T22] dw2102: i2c transfer failed. [ 94.688023][ T22] dvb-usb: bulk message failed: -22 (5/-2035708080) [ 94.694926][ T22] dw2102: i2c transfer failed. [ 94.699842][ T22] dvb-usb: bulk message failed: -22 (5/-2035708080) [ 94.707184][ T22] dw2102: i2c transfer failed. [ 94.712064][ T22] dvb-usb: bulk message failed: -22 (5/-2035708080) [ 94.718641][ T22] dw2102: i2c transfer failed. [ 94.723615][ T22] dvb-usb: bulk message failed: -22 (5/-2035708080) [ 94.730990][ T22] dw2102: i2c transfer failed. [ 94.772451][ T22] dvb-usb: bulk message failed: -22 (5/-2035708080) [ 94.779589][ T22] dw2102: i2c transfer failed. [ 94.784441][ T22] dvb-usb: bulk message failed: -22 (5/-2035708080) [ 94.791093][ T22] dw2102: i2c transfer failed. [ 94.796050][ T22] dvb-usb: bulk message failed: -22 (5/-2035708080) [ 94.802667][ T22] dw2102: i2c transfer failed. [ 94.807458][ T22] dvb-usb: bulk message failed: -22 (5/-2035708080) [ 94.814249][ T22] dw2102: i2c transfer failed. [ 94.819359][ T22] dvb-usb: bulk message failed: -22 (5/-2035708080) [ 94.826525][ T22] dw2102: i2c transfer failed. [ 94.831311][ T22] dvb-usb: bulk message failed: -22 (5/-2035708080) [ 94.837993][ T22] dw2102: i2c transfer failed. [ 94.843352][ T22] ts2020 0-0060: Montage Technology TS2020 successfully identified [ 94.851736][ T22] dw2102: Attached RS2000/TS2020! [ 94.857027][ T22] usb 1-1: DVB: registering adapter 0 frontend 0 (M88RS2000 DVB-S)... [ 94.865452][ T22] dvbdev: dvb_create_media_entity: media entity 'M88RS2000 DVB-S' registered. [ 94.932400][ T22] Registered IR keymap rc-su3000 [ 94.937861][ T22] rc rc0: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0 [ 94.947332][ T22] input: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input5 [ 94.957579][ T22] dvb-usb: schedule remote query interval to 150 msecs. [ 94.964741][ T22] dw2102: su3000_power_ctrl: 0, initialized 1 [ 94.970917][ T22] dvb-usb: TeVii S421 PCI successfully initialized and connected. [ 94.980154][ T22] usb 1-1: USB disconnect, device number 2 [ 94.987350][ T22] ================================================================== [ 94.995935][ T22] BUG: KASAN: use-after-free in dvb_usb_device_exit+0xb6/0xc0 [ 95.004462][ T22] Read of size 8 at addr ffff8881cf7a46d8 by task kworker/1:1/22 [ 95.012669][ T22] [ 95.015215][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.2.0-rc5+ #11 [ 95.022656][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 95.033099][ T22] Workqueue: usb_hub_wq hub_event [ 95.038357][ T22] Call Trace: [ 95.041647][ T22] dump_stack+0xca/0x13e [ 95.045994][ T22] ? dvb_usb_device_exit+0xb6/0xc0 [ 95.051798][ T22] ? dvb_usb_device_exit+0xb6/0xc0 [ 95.056990][ T22] print_address_description+0x67/0x231 [ 95.062542][ T22] ? dvb_usb_device_exit+0xb6/0xc0 [ 95.067998][ T22] ? dvb_usb_device_exit+0xb6/0xc0 [ 95.073500][ T22] __kasan_report.cold+0x1a/0x32 [ 95.078904][ T22] ? dvb_usb_device_exit+0xb6/0xc0 [ 95.084105][ T22] kasan_report+0xe/0x20 [ 95.088353][ T22] dvb_usb_device_exit+0xb6/0xc0 [ 95.093289][ T22] usb_unbind_interface+0x1bd/0x8a0 [ 95.098602][ T22] ? usb_autoresume_device+0x60/0x60 [ 95.103961][ T22] device_release_driver_internal+0x404/0x4c0 [ 95.110029][ T22] bus_remove_device+0x2dc/0x4a0 [ 95.114957][ T22] device_del+0x460/0xb80 [ 95.119276][ T22] ? __device_links_no_driver+0x240/0x240 [ 95.125517][ T22] ? usb_remove_ep_devs+0x3e/0x80 [ 95.130938][ T22] ? remove_intf_ep_devs+0x13f/0x1d0 [ 95.136534][ T22] usb_disable_device+0x211/0x690 [ 95.141558][ T22] usb_disconnect+0x284/0x830 [ 95.146277][ T22] hub_event+0x1409/0x3590 [ 95.150691][ T22] ? hub_port_debounce+0x260/0x260 [ 95.155815][ T22] process_one_work+0x905/0x1570 [ 95.160870][ T22] ? pwq_dec_nr_in_flight+0x310/0x310 [ 95.166615][ T22] ? do_raw_spin_lock+0x11a/0x280 [ 95.171645][ T22] worker_thread+0x7ab/0xe20 [ 95.176232][ T22] ? process_one_work+0x1570/0x1570 [ 95.181899][ T22] kthread+0x30b/0x410 [ 95.185963][ T22] ? kthread_park+0x1a0/0x1a0 [ 95.190638][ T22] ret_from_fork+0x24/0x30 [ 95.195040][ T22] [ 95.197484][ T22] Allocated by task 22: [ 95.201641][ T22] save_stack+0x1b/0x80 [ 95.205832][ T22] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 95.211464][ T22] __kmalloc_track_caller+0xe2/0x2b0 [ 95.217040][ T22] kmemdup+0x23/0x50 [ 95.220936][ T22] dw2102_probe+0x627/0xc40 [ 95.225433][ T22] usb_probe_interface+0x305/0x7a0 [ 95.230772][ T22] really_probe+0x281/0x660 [ 95.235432][ T22] driver_probe_device+0x104/0x210 [ 95.240601][ T22] __device_attach_driver+0x1c2/0x220 [ 95.245972][ T22] bus_for_each_drv+0x15c/0x1e0 [ 95.250817][ T22] __device_attach+0x217/0x360 [ 95.255802][ T22] bus_probe_device+0x1e4/0x290 [ 95.260720][ T22] device_add+0xae6/0x16f0 [ 95.265142][ T22] usb_set_configuration+0xdf6/0x1670 [ 95.270514][ T22] generic_probe+0x9d/0xd5 [ 95.275074][ T22] usb_probe_device+0x99/0x100 [ 95.280743][ T22] really_probe+0x281/0x660 [ 95.285366][ T22] driver_probe_device+0x104/0x210 [ 95.290478][ T22] __device_attach_driver+0x1c2/0x220 [ 95.296151][ T22] bus_for_each_drv+0x15c/0x1e0 [ 95.301096][ T22] __device_attach+0x217/0x360 [ 95.306129][ T22] bus_probe_device+0x1e4/0x290 [ 95.311077][ T22] device_add+0xae6/0x16f0 [ 95.315549][ T22] usb_new_device.cold+0x8c1/0x1016 [ 95.320859][ T22] hub_event+0x1ada/0x3590 [ 95.325391][ T22] process_one_work+0x905/0x1570 [ 95.330747][ T22] worker_thread+0x96/0xe20 [ 95.335301][ T22] kthread+0x30b/0x410 [ 95.339371][ T22] ret_from_fork+0x24/0x30 [ 95.343770][ T22] [ 95.346088][ T22] Freed by task 22: [ 95.349896][ T22] save_stack+0x1b/0x80 [ 95.354037][ T22] __kasan_slab_free+0x130/0x180 [ 95.358971][ T22] kfree+0xd7/0x280 [ 95.362781][ T22] dw2102_probe+0x871/0xc40 [ 95.367391][ T22] usb_probe_interface+0x305/0x7a0 [ 95.372552][ T22] really_probe+0x281/0x660 [ 95.377052][ T22] driver_probe_device+0x104/0x210 [ 95.382886][ T22] __device_attach_driver+0x1c2/0x220 [ 95.388428][ T22] bus_for_each_drv+0x15c/0x1e0 [ 95.393482][ T22] __device_attach+0x217/0x360 [ 95.398240][ T22] bus_probe_device+0x1e4/0x290 [ 95.403080][ T22] device_add+0xae6/0x16f0 [ 95.407660][ T22] usb_set_configuration+0xdf6/0x1670 [ 95.413459][ T22] generic_probe+0x9d/0xd5 [ 95.417865][ T22] usb_probe_device+0x99/0x100 [ 95.422715][ T22] really_probe+0x281/0x660 [ 95.427208][ T22] driver_probe_device+0x104/0x210 [ 95.432852][ T22] __device_attach_driver+0x1c2/0x220 [ 95.438226][ T22] bus_for_each_drv+0x15c/0x1e0 [ 95.443080][ T22] __device_attach+0x217/0x360 [ 95.448084][ T22] bus_probe_device+0x1e4/0x290 [ 95.452937][ T22] device_add+0xae6/0x16f0 [ 95.457357][ T22] usb_new_device.cold+0x8c1/0x1016 [ 95.462615][ T22] hub_event+0x1ada/0x3590 [ 95.467086][ T22] process_one_work+0x905/0x1570 [ 95.472276][ T22] worker_thread+0x96/0xe20 [ 95.476938][ T22] kthread+0x30b/0x410 [ 95.481099][ T22] ret_from_fork+0x24/0x30 [ 95.485699][ T22] [ 95.488022][ T22] The buggy address belongs to the object at ffff8881cf7a4400 [ 95.488022][ T22] which belongs to the cache kmalloc-4k of size 4096 [ 95.502310][ T22] The buggy address is located 728 bytes inside of [ 95.502310][ T22] 4096-byte region [ffff8881cf7a4400, ffff8881cf7a5400) [ 95.515718][ T22] The buggy address belongs to the page: [ 95.521351][ T22] page:ffffea00073de800 refcount:1 mapcount:0 mapping:ffff8881dac02600 index:0x0 compound_mapcount: 0 [ 95.532333][ T22] flags: 0x200000000010200(slab|head) [ 95.537904][ T22] raw: 0200000000010200 dead000000000100 dead000000000200 ffff8881dac02600 [ 95.546601][ T22] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000 [ 95.555548][ T22] page dumped because: kasan: bad access detected [ 95.562390][ T22] [ 95.564936][ T22] Memory state around the buggy address: [ 95.570672][ T22] ffff8881cf7a4580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 95.578870][ T22] ffff8881cf7a4600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 95.587270][ T22] >ffff8881cf7a4680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 95.595372][ T22] ^ [ 95.602305][ T22] ffff8881cf7a4700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 95.610613][ T22] ffff8881cf7a4780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 95.619377][ T22] ================================================================== [ 95.627965][ T22] Disabling lock debugging due to kernel taint [ 95.634207][ T22] Kernel panic - not syncing: panic_on_warn set ... [ 95.640804][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G B 5.2.0-rc5+ #11 [ 95.649849][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 95.660092][ T22] Workqueue: usb_hub_wq hub_event [ 95.665102][ T22] Call Trace: [ 95.668383][ T22] dump_stack+0xca/0x13e [ 95.672701][ T22] panic+0x292/0x6c9 [ 95.676667][ T22] ? __warn_printk+0xf3/0xf3 [ 95.681256][ T22] ? dvb_usb_device_exit+0xb6/0xc0 [ 95.686398][ T22] ? trace_hardirqs_on+0x55/0x1c0 [ 95.691504][ T22] ? dvb_usb_device_exit+0xb6/0xc0 [ 95.696618][ T22] end_report+0x43/0x49 [ 95.700879][ T22] ? dvb_usb_device_exit+0xb6/0xc0 [ 95.705980][ T22] __kasan_report.cold+0xd/0x32 [ 95.710919][ T22] ? dvb_usb_device_exit+0xb6/0xc0 [ 95.716169][ T22] kasan_report+0xe/0x20 [ 95.720419][ T22] dvb_usb_device_exit+0xb6/0xc0 [ 95.725359][ T22] usb_unbind_interface+0x1bd/0x8a0 [ 95.730564][ T22] ? usb_autoresume_device+0x60/0x60 [ 95.735883][ T22] device_release_driver_internal+0x404/0x4c0 [ 95.741960][ T22] bus_remove_device+0x2dc/0x4a0 [ 95.746914][ T22] device_del+0x460/0xb80 [ 95.751226][ T22] ? __device_links_no_driver+0x240/0x240 [ 95.756933][ T22] ? usb_remove_ep_devs+0x3e/0x80 [ 95.761951][ T22] ? remove_intf_ep_devs+0x13f/0x1d0 [ 95.767492][ T22] usb_disable_device+0x211/0x690 [ 95.772959][ T22] usb_disconnect+0x284/0x830 [ 95.777627][ T22] hub_event+0x1409/0x3590 [ 95.782044][ T22] ? hub_port_debounce+0x260/0x260 [ 95.787342][ T22] process_one_work+0x905/0x1570 [ 95.792727][ T22] ? pwq_dec_nr_in_flight+0x310/0x310 [ 95.798508][ T22] ? do_raw_spin_lock+0x11a/0x280 [ 95.803534][ T22] worker_thread+0x7ab/0xe20 [ 95.808222][ T22] ? process_one_work+0x1570/0x1570 [ 95.813404][ T22] kthread+0x30b/0x410 [ 95.817461][ T22] ? kthread_park+0x1a0/0x1a0 [ 95.822738][ T22] ret_from_fork+0x24/0x30 [ 95.828127][ T22] Kernel Offset: disabled [ 95.832460][ T22] Rebooting in 86400 seconds..