[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ 15.044980][ C1] random: crng init done
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.10.33' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 55.187967][ T21] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 55.548057][ T21] usb 1-1: config 20 has an invalid interface number: 83 but max is 0
[ 55.556375][ T21] usb 1-1: config 20 has no interface number 0
[ 55.563180][ T21] usb 1-1: config 20 interface 83 has no altsetting 0
[ 55.808014][ T21] usb 1-1: string descriptor 0 read error: -22
[ 55.814292][ T21] usb 1-1: New USB device found, idVendor=9022, idProduct=d421, bcdDevice=69.8c
[ 55.823553][ T21] usb 1-1: New USB device strings: Mfr=1, Product=8, SerialNumber=2
[ 55.870190][ T21] dw2102: su3000_identify_state
[ 55.875204][ T21] dvb-usb: found a 'TeVii S421 PCI' in warm state.
[ 55.881970][ T21] dw2102: su3000_power_ctrl: 1, initialized 0
[ 55.888493][ T21] dvb-usb: bulk message failed: -22 (2/0)
[ 55.896166][ T21] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[ 55.928387][ T21] dvbdev: DVB: registering new adapter (TeVii S421 PCI)
[ 55.935657][ T21] usb 1-1: media controller created
[ 55.941307][ T21] dvb-usb: bulk message failed: -22 (6/-2035706760)
[ 55.948156][ T21] dw2102: i2c transfer failed.
[ 55.952998][ T21] dvb-usb: bulk message failed: -22 (6/-2035706760)
[ 55.959877][ T21] dw2102: i2c transfer failed.
[ 55.964668][ T21] dvb-usb: bulk message failed: -22 (6/-2035706760)
[ 55.971338][ T21] dw2102: i2c transfer failed.
[ 55.976442][ T21] dvb-usb: bulk message failed: -22 (6/-2035706760)
[ 55.983212][ T21] dw2102: i2c transfer failed.
[ 55.988167][ T21] dvb-usb: bulk message failed: -22 (6/-2035706760)
[ 55.994866][ T21] dw2102: i2c transfer failed.
[ 55.999875][ T21] dvb-usb: bulk message failed: -22 (6/-2035706760)
[ 56.006471][ T21] dw2102: i2c transfer failed.
[ 56.011585][ T21] dvb-usb: MAC address: 02:02:02:02:02:02
executing program
[ 56.021475][ T21] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
[ 56.036959][ T21] dvb-usb: bulk message failed: -22 (1/0)
[ 56.042950][ T21] dw2102: command 0x51 transfer failed.
[ 56.050764][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 56.057488][ T21] dw2102: i2c transfer failed.
[ 56.065058][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 56.071997][ T21] dw2102: i2c transfer failed.
[ 56.077125][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 56.083872][ T21] dw2102: i2c transfer failed.
[ 56.088880][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 56.095703][ T21] dw2102: i2c transfer failed.
[ 56.100658][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 56.107269][ T21] dw2102: i2c transfer failed.
[ 56.112246][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 56.118969][ T21] dw2102: i2c transfer failed.
[ 56.168394][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 56.175057][ T21] dw2102: i2c transfer failed.
[ 56.179928][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 56.187435][ T21] dw2102: i2c transfer failed.
[ 56.192339][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 56.199291][ T21] dw2102: i2c transfer failed.
[ 56.204203][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 56.211240][ T21] dw2102: i2c transfer failed.
[ 56.216106][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 56.223015][ T21] dw2102: i2c transfer failed.
[ 56.227822][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 56.234590][ T21] dw2102: i2c transfer failed.
[ 56.239653][ T21] ts2020 0-0060: Montage Technology TS2020 successfully identified
[ 56.248333][ T21] dw2102: Attached RS2000/TS2020!
[ 56.253926][ T21] usb 1-1: DVB: registering adapter 0 frontend 0 (M88RS2000 DVB-S)...
[ 56.262559][ T21] dvbdev: dvb_create_media_entity: media entity 'M88RS2000 DVB-S' registered.
[ 56.338427][ T21] Registered IR keymap rc-su3000
[ 56.344676][ T21] rc rc0: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0
[ 56.354317][ T21] input: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input5
[ 56.365182][ T21] dvb-usb: schedule remote query interval to 150 msecs.
[ 56.372459][ T21] dw2102: su3000_power_ctrl: 0, initialized 1
[ 56.378621][ T21] dvb-usb: TeVii S421 PCI successfully initialized and connected.
[ 56.388697][ T21] usb 1-1: USB disconnect, device number 2
[ 56.395649][ T21] ==================================================================
[ 56.404120][ T21] BUG: KASAN: use-after-free in dvb_usb_device_exit+0xb6/0xc0
[ 56.411589][ T21] Read of size 8 at addr ffff8881cfed02d8 by task kworker/1:1/21
[ 56.419875][ T21]
[ 56.422209][ T21] CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 5.2.0-rc6+ #13
[ 56.429778][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.440013][ T21] Workqueue: usb_hub_wq hub_event
[ 56.445038][ T21] Call Trace:
[ 56.448425][ T21] dump_stack+0xca/0x13e
[ 56.452921][ T21] ? dvb_usb_device_exit+0xb6/0xc0
[ 56.458209][ T21] ? dvb_usb_device_exit+0xb6/0xc0
[ 56.463441][ T21] print_address_description+0x67/0x231
[ 56.469269][ T21] ? dvb_usb_device_exit+0xb6/0xc0
[ 56.474630][ T21] ? dvb_usb_device_exit+0xb6/0xc0
[ 56.479945][ T21] __kasan_report.cold+0x1a/0x32
[ 56.485309][ T21] ? dvb_usb_device_exit+0xb6/0xc0
[ 56.490437][ T21] kasan_report+0xe/0x20
[ 56.496109][ T21] dvb_usb_device_exit+0xb6/0xc0
[ 56.501708][ T21] usb_unbind_interface+0x1bd/0x8a0
[ 56.507115][ T21] ? usb_autoresume_device+0x60/0x60
[ 56.512472][ T21] device_release_driver_internal+0x404/0x4c0
[ 56.518655][ T21] bus_remove_device+0x2dc/0x4a0
[ 56.524226][ T21] device_del+0x460/0xb80
[ 56.529304][ T21] ? __device_links_no_driver+0x240/0x240
[ 56.535106][ T21] ? usb_remove_ep_devs+0x3e/0x80
[ 56.540162][ T21] ? remove_intf_ep_devs+0x13f/0x1d0
[ 56.545521][ T21] usb_disable_device+0x211/0x690
[ 56.550551][ T21] usb_disconnect+0x284/0x830
[ 56.555248][ T21] hub_event+0x1409/0x3590
[ 56.559673][ T21] ? hub_port_debounce+0x260/0x260
[ 56.564798][ T21] process_one_work+0x905/0x1570
[ 56.569754][ T21] ? pwq_dec_nr_in_flight+0x310/0x310
[ 56.575292][ T21] ? do_raw_spin_lock+0x11a/0x280
[ 56.581110][ T21] worker_thread+0x7ab/0xe20
[ 56.586292][ T21] ? process_one_work+0x1570/0x1570
[ 56.591615][ T21] kthread+0x30b/0x410
[ 56.595878][ T21] ? kthread_park+0x1a0/0x1a0
[ 56.600663][ T21] ret_from_fork+0x24/0x30
[ 56.605645][ T21]
[ 56.607966][ T21] Allocated by task 21:
[ 56.612112][ T21] save_stack+0x1b/0x80
[ 56.616271][ T21] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 56.621960][ T21] __kmalloc_track_caller+0xe2/0x2b0
[ 56.627417][ T21] kmemdup+0x23/0x50
[ 56.631454][ T21] dw2102_probe+0x627/0xc40
[ 56.636224][ T21] usb_probe_interface+0x305/0x7a0
[ 56.642033][ T21] really_probe+0x281/0x660
[ 56.646580][ T21] driver_probe_device+0x104/0x210
[ 56.651690][ T21] __device_attach_driver+0x1c2/0x220
[ 56.657141][ T21] bus_for_each_drv+0x15c/0x1e0
[ 56.661975][ T21] __device_attach+0x217/0x360
[ 56.666833][ T21] bus_probe_device+0x1e4/0x290
[ 56.671787][ T21] device_add+0xae6/0x16f0
[ 56.676211][ T21] usb_set_configuration+0xdf6/0x1670
[ 56.681585][ T21] generic_probe+0x9d/0xd5
[ 56.686201][ T21] usb_probe_device+0x99/0x100
[ 56.691182][ T21] really_probe+0x281/0x660
[ 56.695695][ T21] driver_probe_device+0x104/0x210
[ 56.700820][ T21] __device_attach_driver+0x1c2/0x220
[ 56.706219][ T21] bus_for_each_drv+0x15c/0x1e0
[ 56.711104][ T21] __device_attach+0x217/0x360
[ 56.715894][ T21] bus_probe_device+0x1e4/0x290
[ 56.720935][ T21] device_add+0xae6/0x16f0
[ 56.725365][ T21] usb_new_device.cold+0x8c1/0x1016
[ 56.730653][ T21] hub_event+0x1ada/0x3590
[ 56.735293][ T21] process_one_work+0x905/0x1570
[ 56.740270][ T21] worker_thread+0x96/0xe20
[ 56.744802][ T21] kthread+0x30b/0x410
[ 56.748861][ T21] ret_from_fork+0x24/0x30
[ 56.753278][ T21]
[ 56.755596][ T21] Freed by task 21:
[ 56.759828][ T21] save_stack+0x1b/0x80
[ 56.764037][ T21] __kasan_slab_free+0x130/0x180
[ 56.768991][ T21] kfree+0xd7/0x280
[ 56.772818][ T21] dw2102_probe+0x871/0xc40
[ 56.777406][ T21] usb_probe_interface+0x305/0x7a0
[ 56.782791][ T21] really_probe+0x281/0x660
[ 56.787508][ T21] driver_probe_device+0x104/0x210
[ 56.792725][ T21] __device_attach_driver+0x1c2/0x220
[ 56.798106][ T21] bus_for_each_drv+0x15c/0x1e0
[ 56.803131][ T21] __device_attach+0x217/0x360
[ 56.807916][ T21] bus_probe_device+0x1e4/0x290
[ 56.812756][ T21] device_add+0xae6/0x16f0
[ 56.817263][ T21] usb_set_configuration+0xdf6/0x1670
[ 56.822764][ T21] generic_probe+0x9d/0xd5
[ 56.827391][ T21] usb_probe_device+0x99/0x100
[ 56.832287][ T21] really_probe+0x281/0x660
[ 56.836873][ T21] driver_probe_device+0x104/0x210
[ 56.842284][ T21] __device_attach_driver+0x1c2/0x220
[ 56.847661][ T21] bus_for_each_drv+0x15c/0x1e0
[ 56.852512][ T21] __device_attach+0x217/0x360
[ 56.857472][ T21] bus_probe_device+0x1e4/0x290
[ 56.862326][ T21] device_add+0xae6/0x16f0
[ 56.866824][ T21] usb_new_device.cold+0x8c1/0x1016
[ 56.872128][ T21] hub_event+0x1ada/0x3590
[ 56.876778][ T21] process_one_work+0x905/0x1570
[ 56.881762][ T21] worker_thread+0x96/0xe20
[ 56.887539][ T21] kthread+0x30b/0x410
[ 56.892199][ T21] ret_from_fork+0x24/0x30
[ 56.896721][ T21]
[ 56.899414][ T21] The buggy address belongs to the object at ffff8881cfed0000
[ 56.899414][ T21] which belongs to the cache kmalloc-4k of size 4096
[ 56.914714][ T21] The buggy address is located 728 bytes inside of
[ 56.914714][ T21] 4096-byte region [ffff8881cfed0000, ffff8881cfed1000)
[ 56.928250][ T21] The buggy address belongs to the page:
[ 56.934063][ T21] page:ffffea00073fb400 refcount:1 mapcount:0 mapping:ffff8881dac02600 index:0x0 compound_mapcount: 0
[ 56.945449][ T21] flags: 0x200000000010200(slab|head)
[ 56.951230][ T21] raw: 0200000000010200 0000000000000000 0000000100000001 ffff8881dac02600
[ 56.959991][ T21] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 56.968672][ T21] page dumped because: kasan: bad access detected
[ 56.975076][ T21]
[ 56.977467][ T21] Memory state around the buggy address:
[ 56.983219][ T21]  ffff8881cfed0180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.991402][ T21]  ffff8881cfed0200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.999561][ T21] >ffff8881cfed0280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.007675][ T21]                                                     ^
[ 57.014804][ T21]  ffff8881cfed0300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.022896][ T21]  ffff8881cfed0380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.031108][ T21] ==================================================================
[ 57.039289][ T21] Disabling lock debugging due to kernel taint
[ 57.045671][ T21] Kernel panic - not syncing: panic_on_warn set ...
[ 57.052284][ T21] CPU: 1 PID: 21 Comm: kworker/1:1 Tainted: G B 5.2.0-rc6+ #13
[ 57.061347][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.071666][ T21] Workqueue: usb_hub_wq hub_event
[ 57.076837][ T21] Call Trace:
[ 57.080130][ T21] dump_stack+0xca/0x13e
[ 57.084375][ T21] panic+0x292/0x6c9
[ 57.088256][ T21] ? __warn_printk+0xf3/0xf3
[ 57.092855][ T21] ? dvb_usb_device_exit+0xb6/0xc0
[ 57.098045][ T21] ? trace_hardirqs_on+0x55/0x1c0
[ 57.103430][ T21] ? dvb_usb_device_exit+0xb6/0xc0
[ 57.108669][ T21] end_report+0x43/0x49
[ 57.112958][ T21] ? dvb_usb_device_exit+0xb6/0xc0
[ 57.118064][ T21] __kasan_report.cold+0xd/0x32
[ 57.123037][ T21] ? dvb_usb_device_exit+0xb6/0xc0
[ 57.128267][ T21] kasan_report+0xe/0x20
[ 57.132526][ T21] dvb_usb_device_exit+0xb6/0xc0
[ 57.137490][ T21] usb_unbind_interface+0x1bd/0x8a0
[ 57.142861][ T21] ? usb_autoresume_device+0x60/0x60
[ 57.148140][ T21] device_release_driver_internal+0x404/0x4c0
[ 57.154211][ T21] bus_remove_device+0x2dc/0x4a0
[ 57.159263][ T21] device_del+0x460/0xb80
[ 57.163594][ T21] ? __device_links_no_driver+0x240/0x240
[ 57.169327][ T21] ? usb_remove_ep_devs+0x3e/0x80
[ 57.174453][ T21] ? remove_intf_ep_devs+0x13f/0x1d0
[ 57.179744][ T21] usb_disable_device+0x211/0x690
[ 57.184851][ T21] usb_disconnect+0x284/0x830
[ 57.189752][ T21] hub_event+0x1409/0x3590
[ 57.194239][ T21] ? hub_port_debounce+0x260/0x260
[ 57.200009][ T21] process_one_work+0x905/0x1570
[ 57.204954][ T21] ? pwq_dec_nr_in_flight+0x310/0x310
[ 57.210456][ T21] ? do_raw_spin_lock+0x11a/0x280
[ 57.215483][ T21] worker_thread+0x7ab/0xe20
[ 57.220085][ T21] ? process_one_work+0x1570/0x1570
[ 57.225290][ T21] kthread+0x30b/0x410
[ 57.229513][ T21] ? kthread_park+0x1a0/0x1a0
[ 57.234311][ T21] ret_from_fork+0x24/0x30
[ 57.239814][ T21] Kernel Offset: disabled
[ 57.244256][ T21] Rebooting in 86400 seconds..