Warning: Permanently added '10.128.0.219' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 80.722495][ T21] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 80.972428][ T21] usb 1-1: Using ep0 maxpacket: 8 [ 81.102583][ T21] usb 1-1: config 0 has an invalid interface number: 218 but max is 0 [ 81.113686][ T21] usb 1-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 81.130739][ T21] usb 1-1: config 0 has no interface number 0 [ 81.142372][ T21] usb 1-1: config 0 interface 218 altsetting 0 has an invalid endpoint with address 0x7E, skipping [ 81.158183][ T21] usb 1-1: New USB device found, idVendor=9022, idProduct=d421, bcdDevice=54.a5 [ 81.172620][ T21] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 81.187203][ T21] usb 1-1: config 0 descriptor?? [ 81.235208][ T21] dw2102: su3000_identify_state [ 81.242416][ T21] dvb-usb: found a 'TeVii S421 PCI' in warm state. [ 81.250990][ T21] dw2102: su3000_power_ctrl: 1, initialized 0 [ 81.260146][ T21] dvb-usb: bulk message failed: -22 (2/0) [ 81.269258][ T21] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer. [ 81.302885][ T21] dvbdev: DVB: registering new adapter (TeVii S421 PCI) [ 81.315643][ T21] usb 1-1: media controller created [ 81.323945][ T21] dvb-usb: bulk message failed: -22 (6/-2035711240) [ 81.333411][ T21] dw2102: i2c transfer failed. [ 81.340191][ T21] dvb-usb: bulk message failed: -22 (6/-2035711240) [ 81.350498][ T21] dw2102: i2c transfer failed. [ 81.356527][ T21] dvb-usb: bulk message failed: -22 (6/-2035711240) [ 81.366616][ T21] dw2102: i2c transfer failed. [ 81.373084][ T21] dvb-usb: bulk message failed: -22 (6/-2035711240) [ 81.385568][ T21] dw2102: i2c transfer failed. [ 81.391306][ T21] dvb-usb: bulk message failed: -22 (6/-2035711240) executing program [ 81.399597][ T21] dw2102: i2c transfer failed. [ 81.406098][ T21] dvb-usb: bulk message failed: -22 (6/-2035711240) [ 81.414171][ T21] dw2102: i2c transfer failed. [ 81.419789][ T21] dvb-usb: MAC address: 02:02:02:02:02:02 [ 81.434102][ T21] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered. [ 81.459292][ T21] dvb-usb: bulk message failed: -22 (1/0) [ 81.465476][ T21] dw2102: command 0x51 transfer failed. [ 81.475307][ T21] dvb-usb: bulk message failed: -22 (5/-2035711240) [ 81.483199][ T21] dw2102: i2c transfer failed. [ 81.488978][ T21] dvb-usb: bulk message failed: -22 (5/-2035711240) [ 81.500797][ T21] dw2102: i2c transfer failed. [ 81.506899][ T21] dvb-usb: bulk message failed: -22 (5/-2035711240) [ 81.515936][ T21] dw2102: i2c transfer failed. [ 81.523682][ T21] dvb-usb: bulk message failed: -22 (5/-2035711240) [ 81.536577][ T21] dw2102: i2c transfer failed. [ 81.542066][ T21] dvb-usb: bulk message failed: -22 (5/-2035711240) [ 81.550499][ T21] dw2102: i2c transfer failed. [ 81.556172][ T21] dvb-usb: bulk message failed: -22 (5/-2035711240) [ 81.563522][ T21] dw2102: i2c transfer failed. [ 81.593079][ T21] dvb-usb: bulk message failed: -22 (5/-2035711240) [ 81.601656][ T21] dw2102: i2c transfer failed. [ 81.606828][ T21] dvb-usb: bulk message failed: -22 (5/-2035711240) [ 81.615384][ T21] dw2102: i2c transfer failed. [ 81.620494][ T21] dvb-usb: bulk message failed: -22 (5/-2035711240) [ 81.629072][ T21] dw2102: i2c transfer failed. [ 81.634783][ T21] dvb-usb: bulk message failed: -22 (5/-2035711240) [ 81.642979][ T21] dw2102: i2c transfer failed. [ 81.648257][ T21] dvb-usb: bulk message failed: -22 (5/-2035711240) [ 81.655665][ T21] dw2102: i2c transfer failed. [ 81.661600][ T21] dvb-usb: bulk message failed: -22 (5/-2035711240) [ 81.669109][ T21] dw2102: i2c transfer failed. [ 81.674886][ T21] ts2020 0-0060: Montage Technology TS2020 successfully identified [ 81.685738][ T21] dw2102: Attached RS2000/TS2020! [ 81.691781][ T21] usb 1-1: DVB: registering adapter 0 frontend 0 (M88RS2000 DVB-S)... [ 81.701307][ T21] dvbdev: dvb_create_media_entity: media entity 'M88RS2000 DVB-S' registered. [ 81.762939][ T21] Registered IR keymap rc-su3000 [ 81.769977][ T21] rc rc0: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0 [ 81.780377][ T21] input: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input5 [ 81.792709][ T21] dvb-usb: schedule remote query interval to 150 msecs. [ 81.800195][ T21] dw2102: su3000_power_ctrl: 0, initialized 1 [ 81.806796][ T21] dvb-usb: TeVii S421 PCI successfully initialized and connected. [ 81.817635][ T21] usb 1-1: USB disconnect, device number 2 [ 81.824942][ T21] ================================================================== [ 81.833944][ T21] BUG: KASAN: use-after-free in dvb_usb_device_exit+0xb6/0xc0 [ 81.843491][ T21] Read of size 8 at addr ffff8881cf4c68d8 by task kworker/1:1/21 [ 81.852328][ T21] [ 81.854794][ T21] CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 5.2.0-rc1+ #10 [ 81.862998][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 81.874030][ T21] Workqueue: usb_hub_wq hub_event [ 81.879469][ T21] Call Trace: [ 81.882999][ T21] dump_stack+0xca/0x13e [ 81.888771][ T21] ? dvb_usb_device_exit+0xb6/0xc0 [ 81.894261][ T21] ? dvb_usb_device_exit+0xb6/0xc0 [ 81.900010][ T21] print_address_description+0x67/0x231 [ 81.906531][ T21] ? dvb_usb_device_exit+0xb6/0xc0 [ 81.911777][ T21] ? dvb_usb_device_exit+0xb6/0xc0 [ 81.917932][ T21] __kasan_report.cold+0x1a/0x32 [ 81.923631][ T21] ? dvb_usb_device_exit+0xb6/0xc0 [ 81.928875][ T21] kasan_report+0xe/0x20 [ 81.933859][ T21] dvb_usb_device_exit+0xb6/0xc0 [ 81.939553][ T21] usb_unbind_interface+0x1bd/0x8a0 [ 81.945956][ T21] ? usb_autoresume_device+0x60/0x60 [ 81.952610][ T21] device_release_driver_internal+0x404/0x4c0 [ 81.960024][ T21] bus_remove_device+0x2dc/0x4a0 [ 81.965978][ T21] device_del+0x460/0xb80 [ 81.970566][ T21] ? __device_links_no_driver+0x240/0x240 [ 81.978321][ T21] ? lockdep_hardirqs_on+0x379/0x580 [ 81.985002][ T21] ? remove_intf_ep_devs+0x13f/0x1d0 [ 81.991154][ T21] usb_disable_device+0x211/0x690 [ 81.997182][ T21] usb_disconnect+0x284/0x830 [ 82.002554][ T21] hub_event+0x1409/0x3590 [ 82.008399][ T21] ? hub_port_debounce+0x260/0x260 [ 82.014121][ T21] process_one_work+0x905/0x1570 [ 82.020401][ T21] ? pwq_dec_nr_in_flight+0x310/0x310 [ 82.027043][ T21] ? do_raw_spin_lock+0x11a/0x280 [ 82.032954][ T21] worker_thread+0x7ab/0xe20 [ 82.038283][ T21] ? process_one_work+0x1570/0x1570 [ 82.044824][ T21] kthread+0x30b/0x410 [ 82.050130][ T21] ? kthread_park+0x1a0/0x1a0 [ 82.055184][ T21] ret_from_fork+0x24/0x30 [ 82.060410][ T21] [ 82.063325][ T21] Allocated by task 21: [ 82.069513][ T21] save_stack+0x1b/0x80 [ 82.075453][ T21] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 82.082024][ T21] __kmalloc_track_caller+0xe2/0x2b0 [ 82.087894][ T21] kmemdup+0x23/0x50 [ 82.093172][ T21] dw2102_probe+0x627/0xc40 [ 82.098983][ T21] usb_probe_interface+0x305/0x7a0 [ 82.105136][ T21] really_probe+0x281/0x660 [ 82.110241][ T21] driver_probe_device+0x104/0x210 [ 82.116766][ T21] __device_attach_driver+0x1c2/0x220 [ 82.123472][ T21] bus_for_each_drv+0x15c/0x1e0 [ 82.129031][ T21] __device_attach+0x217/0x360 [ 82.135419][ T21] bus_probe_device+0x1e4/0x290 [ 82.140954][ T21] device_add+0xae6/0x16f0 [ 82.146983][ T21] usb_set_configuration+0xdf6/0x1670 [ 82.153296][ T21] generic_probe+0x9d/0xd5 [ 82.175008][ T21] usb_probe_device+0x99/0x100 [ 82.182018][ T21] really_probe+0x281/0x660 [ 82.188633][ T21] driver_probe_device+0x104/0x210 [ 82.195717][ T21] __device_attach_driver+0x1c2/0x220 [ 82.202690][ T21] bus_for_each_drv+0x15c/0x1e0 [ 82.208398][ T21] __device_attach+0x217/0x360 [ 82.213469][ T21] bus_probe_device+0x1e4/0x290 [ 82.220110][ T21] device_add+0xae6/0x16f0 [ 82.226014][ T21] usb_new_device.cold+0x8c1/0x1016 [ 82.232192][ T21] hub_event+0x1ada/0x3590 [ 82.238372][ T21] process_one_work+0x905/0x1570 [ 82.244318][ T21] worker_thread+0x96/0xe20 [ 82.250396][ T21] kthread+0x30b/0x410 [ 82.254977][ T21] ret_from_fork+0x24/0x30 [ 82.259631][ T21] [ 82.262267][ T21] Freed by task 21: [ 82.266104][ T21] save_stack+0x1b/0x80 [ 82.270688][ T21] __kasan_slab_free+0x130/0x180 [ 82.276448][ T21] kfree+0xd7/0x280 [ 82.281055][ T21] dw2102_probe+0x871/0xc40 [ 82.286926][ T21] usb_probe_interface+0x305/0x7a0 [ 82.292996][ T21] really_probe+0x281/0x660 [ 82.298277][ T21] driver_probe_device+0x104/0x210 [ 82.303854][ T21] __device_attach_driver+0x1c2/0x220 [ 82.309575][ T21] bus_for_each_drv+0x15c/0x1e0 [ 82.315092][ T21] __device_attach+0x217/0x360 [ 82.320442][ T21] bus_probe_device+0x1e4/0x290 [ 82.325583][ T21] device_add+0xae6/0x16f0 [ 82.330201][ T21] usb_set_configuration+0xdf6/0x1670 [ 82.336923][ T21] generic_probe+0x9d/0xd5 [ 82.342790][ T21] usb_probe_device+0x99/0x100 [ 82.348769][ T21] really_probe+0x281/0x660 [ 82.355886][ T21] driver_probe_device+0x104/0x210 [ 82.361936][ T21] __device_attach_driver+0x1c2/0x220 [ 82.367733][ T21] bus_for_each_drv+0x15c/0x1e0 [ 82.374879][ T21] __device_attach+0x217/0x360 [ 82.380094][ T21] bus_probe_device+0x1e4/0x290 [ 82.385777][ T21] device_add+0xae6/0x16f0 [ 82.391071][ T21] usb_new_device.cold+0x8c1/0x1016 [ 82.396771][ T21] hub_event+0x1ada/0x3590 [ 82.401796][ T21] process_one_work+0x905/0x1570 [ 82.408004][ T21] worker_thread+0x96/0xe20 [ 82.413057][ T21] kthread+0x30b/0x410 [ 82.418162][ T21] ret_from_fork+0x24/0x30 [ 82.423295][ T21] [ 82.425878][ T21] The buggy address belongs to the object at ffff8881cf4c6600 [ 82.425878][ T21] which belongs to the cache kmalloc-4k of size 4096 [ 82.443043][ T21] The buggy address is located 728 bytes inside of [ 82.443043][ T21] 4096-byte region [ffff8881cf4c6600, ffff8881cf4c7600) [ 82.458061][ T21] The buggy address belongs to the page: [ 82.464686][ T21] page:ffffea00073d3000 refcount:1 mapcount:0 mapping:ffff8881dac02600 index:0x0 compound_mapcount: 0 [ 82.477180][ T21] flags: 0x200000000010200(slab|head) [ 82.483398][ T21] raw: 0200000000010200 ffffea00073d0c00 0000000200000002 ffff8881dac02600 [ 82.493154][ T21] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000 [ 82.503343][ T21] page dumped because: kasan: bad access detected [ 82.511047][ T21] [ 82.514415][ T21] Memory state around the buggy address: [ 82.521224][ T21] ffff8881cf4c6780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 82.529861][ T21] ffff8881cf4c6800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 82.539859][ T21] >ffff8881cf4c6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 82.550043][ T21] ^ [ 82.557636][ T21] ffff8881cf4c6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 82.567321][ T21] ffff8881cf4c6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 82.576929][ T21] ================================================================== [ 82.586756][ T21] Disabling lock debugging due to kernel taint [ 82.593531][ T21] Kernel panic - not syncing: panic_on_warn set ... [ 82.601562][ T21] CPU: 1 PID: 21 Comm: kworker/1:1 Tainted: G B 5.2.0-rc1+ #10 [ 82.612362][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 82.623855][ T21] Workqueue: usb_hub_wq hub_event [ 82.629755][ T21] Call Trace: [ 82.633814][ T21] dump_stack+0xca/0x13e [ 82.638741][ T21] panic+0x292/0x6c9 [ 82.643060][ T21] ? __warn_printk+0xf3/0xf3 [ 82.648081][ T21] ? dvb_usb_device_exit+0xb6/0xc0 [ 82.654038][ T21] ? trace_hardirqs_on+0x55/0x1c0 [ 82.660011][ T21] ? dvb_usb_device_exit+0xb6/0xc0 [ 82.666538][ T21] end_report+0x43/0x49 [ 82.672100][ T21] ? dvb_usb_device_exit+0xb6/0xc0 [ 82.679577][ T21] __kasan_report.cold+0xd/0x32 [ 82.686933][ T21] ? dvb_usb_device_exit+0xb6/0xc0 [ 82.692947][ T21] kasan_report+0xe/0x20 [ 82.698400][ T21] dvb_usb_device_exit+0xb6/0xc0 [ 82.704989][ T21] usb_unbind_interface+0x1bd/0x8a0 [ 82.712403][ T21] ? usb_autoresume_device+0x60/0x60 [ 82.719747][ T21] device_release_driver_internal+0x404/0x4c0 [ 82.726632][ T21] bus_remove_device+0x2dc/0x4a0 [ 82.733642][ T21] device_del+0x460/0xb80 [ 82.738845][ T21] ? __device_links_no_driver+0x240/0x240 [ 82.747320][ T21] ? lockdep_hardirqs_on+0x379/0x580 [ 82.754482][ T21] ? remove_intf_ep_devs+0x13f/0x1d0 [ 82.762460][ T21] usb_disable_device+0x211/0x690 [ 82.767862][ T21] usb_disconnect+0x284/0x830 [ 82.773160][ T21] hub_event+0x1409/0x3590 [ 82.778501][ T21] ? hub_port_debounce+0x260/0x260 [ 82.785166][ T21] process_one_work+0x905/0x1570 [ 82.790387][ T21] ? pwq_dec_nr_in_flight+0x310/0x310 [ 82.796452][ T21] ? do_raw_spin_lock+0x11a/0x280 [ 82.801682][ T21] worker_thread+0x7ab/0xe20 [ 82.807165][ T21] ? process_one_work+0x1570/0x1570 [ 82.813844][ T21] kthread+0x30b/0x410 [ 82.819536][ T21] ? kthread_park+0x1a0/0x1a0 [ 82.825264][ T21] ret_from_fork+0x24/0x30 [ 82.831862][ T21] Kernel Offset: disabled [ 82.837319][ T21] Rebooting in 86400 seconds..