Warning: Permanently added '10.128.10.49' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 46.531525][ T12] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 46.771484][ T12] usb 1-1: Using ep0 maxpacket: 16
[ 46.891578][ T12] usb 1-1: config 0 has an invalid interface number: 127 but max is 0
[ 46.899946][ T12] usb 1-1: config 0 has no interface number 0
[ 46.906393][ T12] usb 1-1: config 0 interface 127 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7
[ 46.917473][ T12] usb 1-1: New USB device found, idVendor=9022, idProduct=d421, bcdDevice=3e.4a
[ 46.926523][ T12] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 46.935652][ T12] usb 1-1: config 0 descriptor??
[ 46.973475][ T12] dw2102: su3000_identify_state
[ 46.978428][ T12] dvb-usb: found a 'TeVii S421 PCI' in warm state.
[ 46.985041][ T12] dw2102: su3000_power_ctrl: 1, initialized 0
[ 46.991370][ T12] dvb-usb: bulk message failed: -22 (2/-675587840)
[ 46.999459][ T12] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[ 47.021899][ T12] dvbdev: DVB: registering new adapter (TeVii S421 PCI)
[ 47.028968][ T12] usb 1-1: media controller created
[ 47.034526][ T12] dvb-usb: bulk message failed: -22 (6/-2036042528)
[ 47.041175][ T12] dw2102: i2c transfer failed.
[ 47.046083][ T12] dvb-usb: bulk message failed: -22 (6/-2036042528)
[ 47.052768][ T12] dw2102: i2c transfer failed.
[ 47.057521][ T12] dvb-usb: bulk message failed: -22 (6/-2036042528)
[ 47.064138][ T12] dw2102: i2c transfer failed.
[ 47.068937][ T12] dvb-usb: bulk message failed: -22 (6/-2036042528)
[ 47.075550][ T12] dw2102: i2c transfer failed.
[ 47.080325][ T12] dvb-usb: bulk message failed: -22 (6/-2036042528)
[ 47.086954][ T12] dw2102: i2c transfer failed.
[ 47.091751][ T12] dvb-usb: bulk message failed: -22 (6/-2036042528)
[ 47.098317][ T12] dw2102: i2c transfer failed.
[ 47.103143][ T12] dvb-usb: MAC address: 02:02:02:02:02:02
[ 47.112830][ T12] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
[ 47.127914][ T12] dvb-usb: bulk message failed: -22 (1/0)
[ 47.133905][ T12] dw2102: command 0x51 transfer failed.
[ 47.140929][ T12] dvb-usb: bulk message failed: -22 (5/-2036042528)
[ 47.147662][ T12] dw2102: i2c transfer failed.
[ 47.153035][ T12] dvb-usb: bulk message failed: -22 (5/-2036042528)
[ 47.159603][ T12] dw2102: i2c transfer failed.
[ 47.164432][ T12] dvb-usb: bulk message failed: -22 (5/-2036042528)
[ 47.171027][ T12] dw2102: i2c transfer failed.
executing program
[ 47.176852][ T12] dvb-usb: bulk message failed: -22 (5/-2036042528)
[ 47.183511][ T12] dw2102: i2c transfer failed.
[ 47.188307][ T12] dvb-usb: bulk message failed: -22 (5/-2036042528)
[ 47.194933][ T12] dw2102: i2c transfer failed.
[ 47.199707][ T12] dvb-usb: bulk message failed: -22 (5/-2036042528)
[ 47.207194][ T12] dw2102: i2c transfer failed.
[ 47.261513][ T12] dvb-usb: bulk message failed: -22 (5/-2036042528)
[ 47.268119][ T12] dw2102: i2c transfer failed.
[ 47.272956][ T12] dvb-usb: bulk message failed: -22 (5/-2036042528)
[ 47.279536][ T12] dw2102: i2c transfer failed.
[ 47.284340][ T12] dvb-usb: bulk message failed: -22 (5/-2036042528)
[ 47.290916][ T12] dw2102: i2c transfer failed.
[ 47.295765][ T12] dvb-usb: bulk message failed: -22 (5/-2036042528)
[ 47.302385][ T12] dw2102: i2c transfer failed.
[ 47.307151][ T12] dvb-usb: bulk message failed: -22 (5/-2036042528)
[ 47.313864][ T12] dw2102: i2c transfer failed.
[ 47.318628][ T12] dvb-usb: bulk message failed: -22 (5/-2036042528)
[ 47.325233][ T12] dw2102: i2c transfer failed.
[ 47.330537][ T12] ts2020 0-0060: Montage Technology TS2020 successfully identified
[ 47.339131][ T12] dw2102: Attached RS2000/TS2020!
[ 47.344420][ T12] usb 1-1: DVB: registering adapter 0 frontend 0 (M88RS2000 DVB-S)...
[ 47.352769][ T12] dvbdev: dvb_create_media_entity: media entity 'M88RS2000 DVB-S' registered.
[ 47.411740][ T12] Registered IR keymap rc-su3000
[ 47.417294][ T12] rc rc0: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0
[ 47.426614][ T12] input: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input5
[ 47.437182][ T12] dvb-usb: schedule remote query interval to 150 msecs.
[ 47.444202][ T12] dw2102: su3000_power_ctrl: 0, initialized 1
[ 47.450264][ T12] dvb-usb: TeVii S421 PCI successfully initialized and connected.
[ 47.459799][ T12] usb 1-1: USB disconnect, device number 2
[ 47.466666][ T12] ==================================================================
[ 47.474909][ T12] BUG: KASAN: use-after-free in dvb_usb_device_exit+0x19a/0x1a0
[ 47.482671][ T12] Read of size 8 at addr ffff8881cfe5c2e8 by task kworker/0:1/12
[ 47.490376][ T12]
[ 47.492694][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.4.0-rc3+ #0
[ 47.500122][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.510166][ T12] Workqueue: usb_hub_wq hub_event
[ 47.515170][ T12] Call Trace:
[ 47.518453][ T12] dump_stack+0xca/0x13e
[ 47.522690][ T12] ? dvb_usb_device_exit+0x19a/0x1a0
[ 47.528013][ T12] ? dvb_usb_device_exit+0x19a/0x1a0
[ 47.533282][ T12] print_address_description.constprop.0+0x36/0x50
[ 47.539765][ T12] ? dvb_usb_device_exit+0x19a/0x1a0
[ 47.545030][ T12] ? dvb_usb_device_exit+0x19a/0x1a0
[ 47.550304][ T12] __kasan_report.cold+0x1a/0x33
[ 47.555224][ T12] ? _raw_spin_trylock_bh+0x10/0x70
[ 47.560398][ T12] ? dvb_usb_device_exit+0x19a/0x1a0
[ 47.565678][ T12] kasan_report+0xe/0x20
[ 47.569953][ T12] dvb_usb_device_exit+0x19a/0x1a0
[ 47.575059][ T12] ? dvb_usb_exit+0x290/0x290
[ 47.580014][ T12] ? usb_disable_endpoint+0x1ba/0x1f0
[ 47.585366][ T12] ? usb_disable_interface+0x140/0x1a0
[ 47.590804][ T12] usb_unbind_interface+0x1bd/0x8a0
[ 47.595997][ T12] ? usb_autoresume_device+0x60/0x60
[ 47.601277][ T12] device_release_driver_internal+0x42f/0x500
[ 47.607322][ T12] bus_remove_device+0x2dc/0x4a0
[ 47.612243][ T12] device_del+0x420/0xb20
[ 47.616554][ T12] ? __device_link_del+0x2f0/0x2f0
[ 47.621648][ T12] ? usb_remove_ep_devs+0x3e/0x80
[ 47.626653][ T12] ? remove_intf_ep_devs+0x13f/0x1d0
[ 47.632000][ T12] usb_disable_device+0x211/0x690
[ 47.637001][ T12] usb_disconnect+0x284/0x8d0
[ 47.641762][ T12] hub_event+0x16ca/0x37e0
[ 47.646161][ T12] ? hub_port_debounce+0x260/0x260
[ 47.651335][ T12] ? find_held_lock+0x2d/0x110
[ 47.656098][ T12] ? mark_held_locks+0xe0/0xe0
[ 47.660845][ T12] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 47.666380][ T12] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 47.671714][ T12] process_one_work+0x92b/0x1530
[ 47.676645][ T12] ? pwq_dec_nr_in_flight+0x310/0x310
[ 47.682009][ T12] ? do_raw_spin_lock+0x11a/0x280
[ 47.687122][ T12] worker_thread+0x7ab/0xe20
[ 47.691752][ T12] ? process_one_work+0x1530/0x1530
[ 47.696933][ T12] kthread+0x318/0x420
[ 47.701000][ T12] ? kthread_create_on_node+0xf0/0xf0
[ 47.706361][ T12] ret_from_fork+0x24/0x30
[ 47.710755][ T12]
[ 47.713130][ T12] Allocated by task 12:
[ 47.717284][ T12] save_stack+0x1b/0x80
[ 47.721426][ T12] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 47.727049][ T12] __kmalloc_track_caller+0xfd/0x330
[ 47.732323][ T12] kmemdup+0x23/0x50
[ 47.736368][ T12] dw2102_probe+0x627/0xc40
[ 47.741016][ T12] usb_probe_interface+0x305/0x7a0
[ 47.746116][ T12] really_probe+0x281/0x6d0
[ 47.750607][ T12] driver_probe_device+0x104/0x210
[ 47.755703][ T12] __device_attach_driver+0x1c2/0x220
[ 47.761055][ T12] bus_for_each_drv+0x162/0x1e0
[ 47.765893][ T12] __device_attach+0x217/0x360
[ 47.770639][ T12] bus_probe_device+0x1e4/0x290
[ 47.775470][ T12] device_add+0xae6/0x16f0
[ 47.779997][ T12] usb_set_configuration+0xdf6/0x1670
[ 47.785349][ T12] generic_probe+0x9d/0xd5
[ 47.789747][ T12] usb_probe_device+0x99/0x100
[ 47.794490][ T12] really_probe+0x281/0x6d0
[ 47.798971][ T12] driver_probe_device+0x104/0x210
[ 47.804079][ T12] __device_attach_driver+0x1c2/0x220
[ 47.809462][ T12] bus_for_each_drv+0x162/0x1e0
[ 47.814294][ T12] __device_attach+0x217/0x360
[ 47.819033][ T12] bus_probe_device+0x1e4/0x290
[ 47.823860][ T12] device_add+0xae6/0x16f0
[ 47.828254][ T12] usb_new_device.cold+0x6a4/0xe79
[ 47.833429][ T12] hub_event+0x1dd0/0x37e0
[ 47.837824][ T12] process_one_work+0x92b/0x1530
[ 47.842739][ T12] worker_thread+0x96/0xe20
[ 47.847245][ T12] kthread+0x318/0x420
[ 47.851292][ T12] ret_from_fork+0x24/0x30
[ 47.855676][ T12]
[ 47.857995][ T12] Freed by task 12:
[ 47.861784][ T12] save_stack+0x1b/0x80
[ 47.865920][ T12] __kasan_slab_free+0x130/0x180
[ 47.870835][ T12] kfree+0xe4/0x320
[ 47.874621][ T12] dw2102_probe+0x871/0xc40
[ 47.879122][ T12] usb_probe_interface+0x305/0x7a0
[ 47.884210][ T12] really_probe+0x281/0x6d0
[ 47.888691][ T12] driver_probe_device+0x104/0x210
[ 47.893786][ T12] __device_attach_driver+0x1c2/0x220
[ 47.899133][ T12] bus_for_each_drv+0x162/0x1e0
[ 47.903960][ T12] __device_attach+0x217/0x360
[ 47.908700][ T12] bus_probe_device+0x1e4/0x290
[ 47.913544][ T12] device_add+0xae6/0x16f0
[ 47.917938][ T12] usb_set_configuration+0xdf6/0x1670
[ 47.923300][ T12] generic_probe+0x9d/0xd5
[ 47.927695][ T12] usb_probe_device+0x99/0x100
[ 47.932453][ T12] really_probe+0x281/0x6d0
[ 47.936947][ T12] driver_probe_device+0x104/0x210
[ 47.942053][ T12] __device_attach_driver+0x1c2/0x220
[ 47.947400][ T12] bus_for_each_drv+0x162/0x1e0
[ 47.952226][ T12] __device_attach+0x217/0x360
[ 47.956967][ T12] bus_probe_device+0x1e4/0x290
[ 47.961796][ T12] device_add+0xae6/0x16f0
[ 47.966191][ T12] usb_new_device.cold+0x6a4/0xe79
[ 47.971557][ T12] hub_event+0x1dd0/0x37e0
[ 47.975961][ T12] process_one_work+0x92b/0x1530
[ 47.980872][ T12] worker_thread+0x96/0xe20
[ 47.985356][ T12] kthread+0x318/0x420
[ 47.989399][ T12] ret_from_fork+0x24/0x30
[ 47.993787][ T12]
[ 47.996114][ T12] The buggy address belongs to the object at ffff8881cfe5c000
[ 47.996114][ T12] which belongs to the cache kmalloc-4k of size 4096
[ 48.010150][ T12] The buggy address is located 744 bytes inside of
[ 48.010150][ T12] 4096-byte region [ffff8881cfe5c000, ffff8881cfe5d000)
[ 48.023771][ T12] The buggy address belongs to the page:
[ 48.029413][ T12] page:ffffea00073f9600 refcount:1 mapcount:0 mapping:ffff8881da00c280 index:0x0 compound_mapcount: 0
[ 48.040327][ T12] flags: 0x200000000010200(slab|head)
[ 48.045701][ T12] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c280
[ 48.054268][ T12] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 48.062825][ T12] page dumped because: kasan: bad access detected
[ 48.069217][ T12]
[ 48.071520][ T12] Memory state around the buggy address:
[ 48.077129][ T12]  ffff8881cfe5c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.085175][ T12]  ffff8881cfe5c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.093212][ T12] >ffff8881cfe5c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.101247][ T12]                                                           ^
[ 48.108689][ T12]  ffff8881cfe5c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.116732][ T12]  ffff8881cfe5c380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.125118][ T12] ==================================================================
[ 48.133171][ T12] Disabling lock debugging due to kernel taint
[ 48.139457][ T12] Kernel panic - not syncing: panic_on_warn set ...
[ 48.146045][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.4.0-rc3+ #0
[ 48.154791][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.165979][ T12] Workqueue: usb_hub_wq hub_event
[ 48.170981][ T12] Call Trace:
[ 48.174258][ T12] dump_stack+0xca/0x13e
[ 48.178484][ T12] panic+0x2aa/0x6e1
[ 48.182360][ T12] ? add_taint.cold+0x16/0x16
[ 48.187026][ T12] ? retint_kernel+0x10/0x10
[ 48.191640][ T12] ? trace_hardirqs_on+0x55/0x1e0
[ 48.196690][ T12] ? dvb_usb_device_exit+0x19a/0x1a0
[ 48.202097][ T12] end_report+0x43/0x49
[ 48.206248][ T12] ? dvb_usb_device_exit+0x19a/0x1a0
[ 48.211518][ T12] __kasan_report.cold+0xd/0x33
[ 48.216345][ T12] ? _raw_spin_trylock_bh+0x10/0x70
[ 48.221517][ T12] ? dvb_usb_device_exit+0x19a/0x1a0
[ 48.226776][ T12] kasan_report+0xe/0x20
[ 48.230993][ T12] dvb_usb_device_exit+0x19a/0x1a0
[ 48.236093][ T12] ? dvb_usb_exit+0x290/0x290
[ 48.240763][ T12] ? usb_disable_endpoint+0x1ba/0x1f0
[ 48.246112][ T12] ? usb_disable_interface+0x140/0x1a0
[ 48.251546][ T12] usb_unbind_interface+0x1bd/0x8a0
[ 48.256735][ T12] ? usb_autoresume_device+0x60/0x60
[ 48.262009][ T12] device_release_driver_internal+0x42f/0x500
[ 48.268059][ T12] bus_remove_device+0x2dc/0x4a0
[ 48.272991][ T12] device_del+0x420/0xb20
[ 48.277294][ T12] ? __device_link_del+0x2f0/0x2f0
[ 48.282397][ T12] ? usb_remove_ep_devs+0x3e/0x80
[ 48.287397][ T12] ? remove_intf_ep_devs+0x13f/0x1d0
[ 48.292829][ T12] usb_disable_device+0x211/0x690
[ 48.297839][ T12] usb_disconnect+0x284/0x8d0
[ 48.302489][ T12] hub_event+0x16ca/0x37e0
[ 48.307488][ T12] ? hub_port_debounce+0x260/0x260
[ 48.312603][ T12] ? find_held_lock+0x2d/0x110
[ 48.317344][ T12] ? mark_held_locks+0xe0/0xe0
[ 48.322103][ T12] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 48.327634][ T12] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 48.332956][ T12] process_one_work+0x92b/0x1530
[ 48.337898][ T12] ? pwq_dec_nr_in_flight+0x310/0x310
[ 48.343277][ T12] ? do_raw_spin_lock+0x11a/0x280
[ 48.348291][ T12] worker_thread+0x7ab/0xe20
[ 48.352951][ T12] ? process_one_work+0x1530/0x1530
[ 48.358128][ T12] kthread+0x318/0x420
[ 48.362176][ T12] ? kthread_create_on_node+0xf0/0xf0
[ 48.367527][ T12] ret_from_fork+0x24/0x30
[ 48.372868][ T12] Kernel Offset: disabled
[ 48.377180][ T12] Rebooting in 86400 seconds..