[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.214' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 34.475808][ T2173] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 34.714978][ T2173] usb 1-1: Using ep0 maxpacket: 8
[ 34.855063][ T2173] usb 1-1: config 0 has an invalid interface number: 57 but max is 0
[ 34.863416][ T2173] usb 1-1: config 0 has no interface number 0
[ 35.024921][ T2173] usb 1-1: New USB device found, idVendor=9022, idProduct=d421, bcdDevice=d3.e1
[ 35.034867][ T2173] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 35.043093][ T2173] usb 1-1: Product: syz
[ 35.047421][ T2173] usb 1-1: Manufacturer: syz
[ 35.052206][ T2173] usb 1-1: SerialNumber: syz
[ 35.060816][ T2173] usb 1-1: config 0 descriptor??
[ 35.117667][ T2173] dw2102: su3000_identify_state
[ 35.122712][ T2173] dvb-usb: found a 'TeVii S421 PCI' in warm state.
[ 35.130210][ T2173] dw2102: su3000_power_ctrl: 1, initialized 0
[ 35.136741][ T2173] dvb-usb: bulk message failed: -22 (2/0)
[ 35.145223][ T2173] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[ 35.175229][ T2173] dvbdev: DVB: registering new adapter (TeVii S421 PCI)
[ 35.183347][ T2173] usb 1-1: media controller created
[ 35.189518][ T2173] dvb-usb: bulk message failed: -22 (6/0)
[ 35.195687][ T2173] dw2102: i2c transfer failed.
[ 35.200991][ T2173] dvb-usb: bulk message failed: -22 (6/0)
[ 35.206856][ T2173] dw2102: i2c transfer failed.
[ 35.211955][ T2173] dvb-usb: bulk message failed: -22 (6/0)
[ 35.218259][ T2173] dw2102: i2c transfer failed.
[ 35.223075][ T2173] dvb-usb: bulk message failed: -22 (6/0)
[ 35.229270][ T2173] dw2102: i2c transfer failed.
[ 35.234086][ T2173] dvb-usb: bulk message failed: -22 (6/0)
[ 35.240353][ T2173] dw2102: i2c transfer failed.
[ 35.245280][ T2173] dvb-usb: bulk message failed: -22 (6/0)
[ 35.251022][ T2173] dw2102: i2c transfer failed.
[ 35.255955][ T2173] dvb-usb: MAC address: 02:02:02:02:02:02
[ 35.266553][ T2173] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
executing program
[ 35.288013][ T2173] dvb-usb: bulk message failed: -22 (1/0)
[ 35.294274][ T2173] dw2102: command 0x51 transfer failed.
[ 35.343328][ T2173] DVB: Unable to find symbol m88rs2000_attach()
[ 35.349986][ T2173] dvb-usb: no frontend was attached by 'TeVii S421 PCI'
[ 35.464678][ T2173] rc_core: IR keymap rc-su3000 not found
[ 35.470964][ T2173] Registered IR keymap rc-empty
[ 35.476837][ T2173] rc rc0: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0
[ 35.486633][ T2173] input: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input5
[ 35.498049][ T2173] dvb-usb: schedule remote query interval to 150 msecs.
[ 35.505169][ T2173] dw2102: su3000_power_ctrl: 0, initialized 1
[ 35.511503][ T2173] dvb-usb: TeVii S421 PCI successfully initialized and connected.
[ 35.522725][ T2173] usb 1-1: USB disconnect, device number 2
[ 35.530341][ T2173] ==================================================================
[ 35.538763][ T2173] BUG: KASAN: use-after-free in dvb_usb_device_exit+0x19a/0x1a0
[ 35.546721][ T2173] Read of size 8 at addr ffff888116f042e8 by task kworker/0:2/2173
[ 35.554623][ T2173]
[ 35.556991][ T2173] CPU: 0 PID: 2173 Comm: kworker/0:2 Not tainted 5.10.0-rc2-syzkaller #0
[ 35.565413][ T2173] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.575789][ T2173] Workqueue: usb_hub_wq hub_event
[ 35.581007][ T2173] Call Trace:
[ 35.584401][ T2173] dump_stack+0x107/0x163
[ 35.588887][ T2173] ? dvb_usb_device_exit+0x19a/0x1a0
[ 35.594335][ T2173] ? dvb_usb_device_exit+0x19a/0x1a0
[ 35.599839][ T2173] print_address_description.constprop.0.cold+0xae/0x4c8
[ 35.606876][ T2173] ? vprintk_func+0x93/0x140
[ 35.611481][ T2173] ? dvb_usb_device_exit+0x19a/0x1a0
[ 35.616883][ T2173] ? dvb_usb_device_exit+0x19a/0x1a0
[ 35.622397][ T2173] kasan_report.cold+0x1f/0x37
[ 35.627271][ T2173] ? dvb_usb_device_exit+0x19a/0x1a0
[ 35.632819][ T2173] dvb_usb_device_exit+0x19a/0x1a0
[ 35.637933][ T2173] ? dvb_usb_exit.isra.0+0x310/0x310
[ 35.643300][ T2173] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 35.649592][ T2173] ? usb_disable_interface+0x82/0x3c0
[ 35.654984][ T2173] ? usb_unbind_device+0x1a0/0x1a0
[ 35.660129][ T2173] usb_unbind_interface+0x1d8/0x8d0
[ 35.665345][ T2173] ? kernfs_remove_by_name_ns+0x62/0xb0
[ 35.670979][ T2173] ? usb_unbind_device+0x1a0/0x1a0
[ 35.676107][ T2173] __device_release_driver+0x3c6/0x6f0
[ 35.681579][ T2173] device_release_driver+0x26/0x40
[ 35.686843][ T2173] bus_remove_device+0x2eb/0x5a0
[ 35.691925][ T2173] device_del+0x502/0xec0
[ 35.696260][ T2173] ? device_link_add_missing_supplier_links+0x370/0x370
[ 35.704166][ T2173] ? pm_runtime_barrier+0xdc/0x1a0
[ 35.709461][ T2173] usb_disable_device+0x35b/0x7b0
[ 35.714693][ T2173] ? trace_hardirqs_off_caller+0x130/0x1a0
[ 35.720505][ T2173] usb_disconnect.cold+0x27d/0x780
[ 35.725639][ T2173] hub_event+0x1c8a/0x42d0
[ 35.730075][ T2173] ? hub_port_debounce+0x3b0/0x3b0
[ 35.735359][ T2173] ? __lock_acquire+0x10f1/0x5c20
[ 35.740378][ T2173] ? __do_compat_sys_getrusage+0x81/0x120
[ 35.746125][ T2173] ? lock_release+0x6d0/0x6d0
[ 35.751756][ T2173] ? lock_downgrade+0x6d0/0x6d0
[ 35.756812][ T2173] ? do_raw_spin_lock+0x120/0x2b0
[ 35.761852][ T2173] process_one_work+0x933/0x1520
[ 35.766933][ T2173] ? lock_release+0x6d0/0x6d0
[ 35.771755][ T2173] ? pwq_dec_nr_in_flight+0x320/0x320
[ 35.777140][ T2173] ? rwlock_bug.part.0+0x90/0x90
[ 35.782070][ T2173] worker_thread+0x82b/0x1120
[ 35.786841][ T2173] ? __kthread_parkme+0x118/0x1d0
[ 35.791960][ T2173] ? process_one_work+0x1520/0x1520
[ 35.797153][ T2173] kthread+0x38c/0x460
[ 35.801633][ T2173] ? _raw_spin_unlock_irq+0x1f/0x30
[ 35.807235][ T2173] ? kthread_create_worker_on_cpu+0xf0/0xf0
[ 35.813423][ T2173] ret_from_fork+0x1f/0x30
[ 35.817833][ T2173]
[ 35.820280][ T2173] Allocated by task 2173:
[ 35.824760][ T2173] kasan_save_stack+0x1b/0x40
[ 35.829453][ T2173] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 35.835232][ T2173] __kmalloc_track_caller+0x147/0x2f0
[ 35.840884][ T2173] kmemdup+0x23/0x50
[ 35.845181][ T2173] dw2102_probe+0x57c/0xb10
[ 35.850165][ T2173] usb_probe_interface+0x315/0x7f0
[ 35.855274][ T2173] really_probe+0x291/0xde0
[ 35.859763][ T2173] driver_probe_device+0x26b/0x3d0
[ 35.864901][ T2173] __device_attach_driver+0x1d1/0x290
[ 35.870516][ T2173] bus_for_each_drv+0x15f/0x1e0
[ 35.875472][ T2173] __device_attach+0x228/0x4a0
[ 35.880246][ T2173] bus_probe_device+0x1e4/0x290
[ 35.885081][ T2173] device_add+0xbb2/0x1ce0
[ 35.889495][ T2173] usb_set_configuration+0x113c/0x1910
[ 35.894999][ T2173] usb_generic_driver_probe+0xba/0x100
[ 35.900448][ T2173] usb_probe_device+0xd9/0x2c0
[ 35.905201][ T2173] really_probe+0x291/0xde0
[ 35.909705][ T2173] driver_probe_device+0x26b/0x3d0
[ 35.915208][ T2173] __device_attach_driver+0x1d1/0x290
[ 35.920570][ T2173] bus_for_each_drv+0x15f/0x1e0
[ 35.925766][ T2173] __device_attach+0x228/0x4a0
[ 35.930555][ T2173] bus_probe_device+0x1e4/0x290
[ 35.935403][ T2173] device_add+0xbb2/0x1ce0
[ 35.940525][ T2173] usb_new_device.cold+0x71d/0xfe9
[ 35.945782][ T2173] hub_event+0x2348/0x42d0
[ 35.950499][ T2173] process_one_work+0x933/0x1520
[ 35.955448][ T2173] worker_thread+0x64c/0x1120
[ 35.960146][ T2173] kthread+0x38c/0x460
[ 35.964575][ T2173] ret_from_fork+0x1f/0x30
[ 35.968991][ T2173]
[ 35.971326][ T2173] Freed by task 2173:
[ 35.975308][ T2173] kasan_save_stack+0x1b/0x40
[ 35.980072][ T2173] kasan_set_track+0x1c/0x30
[ 35.985004][ T2173] kasan_set_free_info+0x1b/0x30
[ 35.990120][ T2173] __kasan_slab_free+0x102/0x140
[ 35.995212][ T2173] slab_free_freelist_hook+0x5d/0x150
[ 36.000736][ T2173] kfree+0xe5/0x5e0
[ 36.004613][ T2173] dw2102_probe+0x782/0xb10
[ 36.009266][ T2173] usb_probe_interface+0x315/0x7f0
[ 36.014529][ T2173] really_probe+0x291/0xde0
[ 36.019230][ T2173] driver_probe_device+0x26b/0x3d0
[ 36.024331][ T2173] __device_attach_driver+0x1d1/0x290
[ 36.029807][ T2173] bus_for_each_drv+0x15f/0x1e0
[ 36.034779][ T2173] __device_attach+0x228/0x4a0
[ 36.039544][ T2173] bus_probe_device+0x1e4/0x290
[ 36.044401][ T2173] device_add+0xbb2/0x1ce0
[ 36.048819][ T2173] usb_set_configuration+0x113c/0x1910
[ 36.054654][ T2173] usb_generic_driver_probe+0xba/0x100
[ 36.060634][ T2173] usb_probe_device+0xd9/0x2c0
[ 36.065396][ T2173] really_probe+0x291/0xde0
[ 36.070054][ T2173] driver_probe_device+0x26b/0x3d0
[ 36.075193][ T2173] __device_attach_driver+0x1d1/0x290
[ 36.080696][ T2173] bus_for_each_drv+0x15f/0x1e0
[ 36.085665][ T2173] __device_attach+0x228/0x4a0
[ 36.090587][ T2173] bus_probe_device+0x1e4/0x290
[ 36.095439][ T2173] device_add+0xbb2/0x1ce0
[ 36.100159][ T2173] usb_new_device.cold+0x71d/0xfe9
[ 36.105709][ T2173] hub_event+0x2348/0x42d0
[ 36.110122][ T2173] process_one_work+0x933/0x1520
[ 36.115058][ T2173] worker_thread+0x64c/0x1120
[ 36.119939][ T2173] kthread+0x38c/0x460
[ 36.124033][ T2173] ret_from_fork+0x1f/0x30
[ 36.128669][ T2173]
[ 36.131041][ T2173] The buggy address belongs to the object at ffff888116f04000
[ 36.131041][ T2173] which belongs to the cache kmalloc-4k of size 4096
[ 36.145241][ T2173] The buggy address is located 744 bytes inside of
[ 36.145241][ T2173] 4096-byte region [ffff888116f04000, ffff888116f05000)
[ 36.158990][ T2173] The buggy address belongs to the page:
[ 36.164845][ T2173] page:00000000c4b2737c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x116f00
[ 36.178534][ T2173] head:00000000c4b2737c order:3 compound_mapcount:0 compound_pincount:0
[ 36.187020][ T2173] flags: 0x200000000010200(slab|head)
[ 36.192590][ T2173] raw: 0200000000010200 dead000000000100 dead000000000122 ffff888100042140
[ 36.201807][ T2173] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 36.210516][ T2173] page dumped because: kasan: bad access detected
[ 36.216942][ T2173]
[ 36.219270][ T2173] Memory state around the buggy address:
[ 36.224901][ T2173] ffff888116f04180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.233407][ T2173] ffff888116f04200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.241933][ T2173] >ffff888116f04280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.249991][ T2173] ^
[ 36.257561][ T2173] ffff888116f04300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.265612][ T2173] ffff888116f04380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.274025][ T2173] ==================================================================
[ 36.282189][ T2173] Disabling lock debugging due to kernel taint
[ 36.288477][ T2173] Kernel panic - not syncing: panic_on_warn set ...
[ 36.295089][ T2173] CPU: 0 PID: 2173 Comm: kworker/0:2 Tainted: G B 5.10.0-rc2-syzkaller #0
[ 36.304905][ T2173] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.315160][ T2173] Workqueue: usb_hub_wq hub_event
[ 36.320509][ T2173] Call Trace:
[ 36.323926][ T2173] dump_stack+0x107/0x163
[ 36.328266][ T2173] ? dvb_usb_device_exit+0x190/0x1a0
[ 36.333746][ T2173] panic+0x306/0x73d
[ 36.337640][ T2173] ? __warn_printk+0xf3/0xf3
[ 36.342504][ T2173] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 36.348658][ T2173] ? trace_hardirqs_on+0x51/0x1a0
[ 36.353775][ T2173] ? dvb_usb_device_exit+0x19a/0x1a0
[ 36.359333][ T2173] ? dvb_usb_device_exit+0x19a/0x1a0
[ 36.364605][ T2173] end_report+0x58/0x5e
[ 36.369141][ T2173] kasan_report.cold+0xd/0x37
[ 36.374042][ T2173] ? dvb_usb_device_exit+0x19a/0x1a0
[ 36.379517][ T2173] dvb_usb_device_exit+0x19a/0x1a0
[ 36.385103][ T2173] ? dvb_usb_exit.isra.0+0x310/0x310
[ 36.390819][ T2173] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 36.396808][ T2173] ? usb_disable_interface+0x82/0x3c0
[ 36.402194][ T2173] ? usb_unbind_device+0x1a0/0x1a0
[ 36.407446][ T2173] usb_unbind_interface+0x1d8/0x8d0
[ 36.412793][ T2173] ? kernfs_remove_by_name_ns+0x62/0xb0
[ 36.418487][ T2173] ? usb_unbind_device+0x1a0/0x1a0
[ 36.423799][ T2173] __device_release_driver+0x3c6/0x6f0
[ 36.429286][ T2173] device_release_driver+0x26/0x40
[ 36.434516][ T2173] bus_remove_device+0x2eb/0x5a0
[ 36.439612][ T2173] device_del+0x502/0xec0
[ 36.443947][ T2173] ? device_link_add_missing_supplier_links+0x370/0x370
[ 36.450920][ T2173] ? pm_runtime_barrier+0xdc/0x1a0
[ 36.456503][ T2173] usb_disable_device+0x35b/0x7b0
[ 36.461607][ T2173] ? trace_hardirqs_off_caller+0x130/0x1a0
[ 36.467431][ T2173] usb_disconnect.cold+0x27d/0x780
[ 36.472534][ T2173] hub_event+0x1c8a/0x42d0
[ 36.477079][ T2173] ? hub_port_debounce+0x3b0/0x3b0
[ 36.482885][ T2173] ? __lock_acquire+0x10f1/0x5c20
[ 36.488156][ T2173] ? __do_compat_sys_getrusage+0x81/0x120
[ 36.494859][ T2173] ? lock_release+0x6d0/0x6d0
[ 36.499793][ T2173] ? lock_downgrade+0x6d0/0x6d0
[ 36.504661][ T2173] ? do_raw_spin_lock+0x120/0x2b0
[ 36.509928][ T2173] process_one_work+0x933/0x1520
[ 36.514867][ T2173] ? lock_release+0x6d0/0x6d0
[ 36.520686][ T2173] ? pwq_dec_nr_in_flight+0x320/0x320
[ 36.526066][ T2173] ? rwlock_bug.part.0+0x90/0x90
[ 36.531054][ T2173] worker_thread+0x82b/0x1120
[ 36.535746][ T2173] ? __kthread_parkme+0x118/0x1d0
[ 36.541519][ T2173] ? process_one_work+0x1520/0x1520
[ 36.546714][ T2173] kthread+0x38c/0x460
[ 36.550804][ T2173] ? _raw_spin_unlock_irq+0x1f/0x30
[ 36.556285][ T2173] ? kthread_create_worker_on_cpu+0xf0/0xf0
[ 36.562220][ T2173] ret_from_fork+0x1f/0x30
[ 36.567420][ T2173] Kernel Offset: disabled
[ 36.572024][ T2173] Rebooting in 86400 seconds..