INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.208' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 57.001987][ T12] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 57.241971][ T12] usb 1-1: Using ep0 maxpacket: 16
[ 57.362025][ T12] usb 1-1: config 254 has an invalid interface number: 6 but max is 0
[ 57.370276][ T12] usb 1-1: config 254 has an invalid descriptor of length 0, skipping remainder of the config
[ 57.380561][ T12] usb 1-1: config 254 has no interface number 0
[ 57.386950][ T12] usb 1-1: config 254 interface 6 has no altsetting 0
[ 57.393764][ T12] usb 1-1: New USB device found, idVendor=9022, idProduct=d421, bcdDevice=6b.a5
[ 57.402802][ T12] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
executing program
[ 57.682093][ T12] usb 1-1: string descriptor 0 read error: -71
[ 57.690115][ T12] dw2102: su3000_identify_state
[ 57.695233][ T12] dvb-usb: found a 'TeVii S421 PCI' in warm state.
[ 57.701968][ T12] dw2102: su3000_power_ctrl: 1, initialized 0
[ 57.708511][ T12] dvb-usb: bulk message failed: -22 (2/0)
[ 57.715919][ T12] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[ 57.742399][ T12] dvbdev: DVB: registering new adapter (TeVii S421 PCI)
[ 57.749666][ T12] usb 1-1: media controller created
[ 57.755259][ T12] dvb-usb: bulk message failed: -22 (6/-2035706760)
[ 57.761913][ T12] dw2102: i2c transfer failed.
[ 57.766790][ T12] dvb-usb: bulk message failed: -22 (6/-2035706760)
[ 57.773419][ T12] dw2102: i2c transfer failed.
[ 57.778493][ T12] dvb-usb: bulk message failed: -22 (6/-2035706760)
[ 57.785308][ T12] dw2102: i2c transfer failed.
[ 57.790220][ T12] dvb-usb: bulk message failed: -22 (6/-2035706760)
[ 57.796853][ T12] dw2102: i2c transfer failed.
[ 57.801627][ T12] dvb-usb: bulk message failed: -22 (6/-2035706760)
[ 57.808445][ T12] dw2102: i2c transfer failed.
[ 57.813254][ T12] dvb-usb: bulk message failed: -22 (6/-2035706760)
[ 57.819929][ T12] dw2102: i2c transfer failed.
[ 57.824771][ T12] dvb-usb: MAC address: 02:02:02:02:02:02
[ 57.834700][ T12] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
[ 57.849960][ T12] dvb-usb: bulk message failed: -22 (1/0)
[ 57.855796][ T12] dw2102: command 0x51 transfer failed.
[ 57.862904][ T12] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 57.869720][ T12] dw2102: i2c transfer failed.
[ 57.874617][ T12] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 57.881237][ T12] dw2102: i2c transfer failed.
[ 57.886092][ T12] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 57.892803][ T12] dw2102: i2c transfer failed.
[ 57.897582][ T12] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 57.906662][ T12] dw2102: i2c transfer failed.
[ 57.911551][ T12] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 57.918174][ T12] dw2102: i2c transfer failed.
[ 57.922992][ T12] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 57.929561][ T12] dw2102: i2c transfer failed.
[ 57.962062][ T12] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 57.968674][ T12] dw2102: i2c transfer failed.
[ 57.973503][ T12] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 57.980180][ T12] dw2102: i2c transfer failed.
[ 57.985015][ T12] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 57.992280][ T12] dw2102: i2c transfer failed.
[ 57.997573][ T12] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 58.004254][ T12] dw2102: i2c transfer failed.
[ 58.009042][ T12] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 58.015731][ T12] dw2102: i2c transfer failed.
[ 58.020507][ T12] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 58.027288][ T12] dw2102: i2c transfer failed.
[ 58.032159][ T12] ts2020 0-0060: Montage Technology TS2020 successfully identified
[ 58.040650][ T12] dw2102: Attached RS2000/TS2020!
[ 58.045985][ T12] usb 1-1: DVB: registering adapter 0 frontend 0 (M88RS2000 DVB-S)...
[ 58.054561][ T12] dvbdev: dvb_create_media_entity: media entity 'M88RS2000 DVB-S' registered.
[ 58.122345][ T12] Registered IR keymap rc-su3000
[ 58.128044][ T12] rc rc0: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0
[ 58.137501][ T12] input: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input5
[ 58.148392][ T12] dvb-usb: schedule remote query interval to 150 msecs.
[ 58.155533][ T12] dw2102: su3000_power_ctrl: 0, initialized 1
[ 58.161638][ T12] dvb-usb: TeVii S421 PCI successfully initialized and connected.
[ 58.171396][ T12] usb 1-1: USB disconnect, device number 2
[ 58.178872][ T12] ==================================================================
[ 58.187231][ T12] BUG: KASAN: use-after-free in dvb_usb_device_exit+0xb6/0xc0
[ 58.194969][ T12] Read of size 8 at addr ffff8881d38546d8 by task kworker/0:1/12
[ 58.202666][ T12]
[ 58.205182][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.0-rc6+ #13
[ 58.212666][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.222733][ T12] Workqueue: usb_hub_wq hub_event
[ 58.227737][ T12] Call Trace:
[ 58.231014][ T12] dump_stack+0xca/0x13e
[ 58.235284][ T12] ? dvb_usb_device_exit+0xb6/0xc0
[ 58.240700][ T12] ? dvb_usb_device_exit+0xb6/0xc0
[ 58.245800][ T12] print_address_description+0x67/0x231
[ 58.251335][ T12] ? dvb_usb_device_exit+0xb6/0xc0
[ 58.256534][ T12] ? dvb_usb_device_exit+0xb6/0xc0
[ 58.261635][ T12] __kasan_report.cold+0x1a/0x32
[ 58.266561][ T12] ? dvb_usb_device_exit+0xb6/0xc0
[ 58.271659][ T12] kasan_report+0xe/0x20
[ 58.275888][ T12] dvb_usb_device_exit+0xb6/0xc0
[ 58.280882][ T12] usb_unbind_interface+0x1bd/0x8a0
[ 58.286075][ T12] ? usb_autoresume_device+0x60/0x60
[ 58.291347][ T12] device_release_driver_internal+0x404/0x4c0
[ 58.297396][ T12] bus_remove_device+0x2dc/0x4a0
[ 58.302375][ T12] device_del+0x460/0xb80
[ 58.306701][ T12] ? __device_links_no_driver+0x240/0x240
[ 58.312526][ T12] ? usb_remove_ep_devs+0x3e/0x80
[ 58.317531][ T12] ? remove_intf_ep_devs+0x13f/0x1d0
[ 58.322804][ T12] usb_disable_device+0x211/0x690
[ 58.327808][ T12] usb_disconnect+0x284/0x830
[ 58.332466][ T12] hub_event+0x1409/0x3590
[ 58.336862][ T12] ? hub_port_debounce+0x260/0x260
[ 58.341991][ T12] process_one_work+0x905/0x1570
[ 58.346958][ T12] ? pwq_dec_nr_in_flight+0x310/0x310
[ 58.352320][ T12] ? do_raw_spin_lock+0x11a/0x280
[ 58.357347][ T12] worker_thread+0x7ab/0xe20
[ 58.361955][ T12] ? process_one_work+0x1570/0x1570
[ 58.367437][ T12] kthread+0x30b/0x410
[ 58.372302][ T12] ? kthread_park+0x1a0/0x1a0
[ 58.376968][ T12] ret_from_fork+0x24/0x30
[ 58.381366][ T12]
[ 58.383944][ T12] Allocated by task 12:
[ 58.388091][ T12] save_stack+0x1b/0x80
[ 58.392341][ T12] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 58.397959][ T12] __kmalloc_track_caller+0xe2/0x2b0
[ 58.403228][ T12] kmemdup+0x23/0x50
[ 58.407106][ T12] dw2102_probe+0x627/0xc40
[ 58.411594][ T12] usb_probe_interface+0x305/0x7a0
[ 58.416697][ T12] really_probe+0x281/0x660
[ 58.421334][ T12] driver_probe_device+0x104/0x210
[ 58.426438][ T12] __device_attach_driver+0x1c2/0x220
[ 58.431788][ T12] bus_for_each_drv+0x15c/0x1e0
[ 58.436769][ T12] __device_attach+0x217/0x360
[ 58.441530][ T12] bus_probe_device+0x1e4/0x290
[ 58.446369][ T12] device_add+0xae6/0x16f0
[ 58.450768][ T12] usb_set_configuration+0xdf6/0x1670
[ 58.456220][ T12] generic_probe+0x9d/0xd5
[ 58.460730][ T12] usb_probe_device+0x99/0x100
[ 58.465480][ T12] really_probe+0x281/0x660
[ 58.470080][ T12] driver_probe_device+0x104/0x210
[ 58.475258][ T12] __device_attach_driver+0x1c2/0x220
[ 58.480789][ T12] bus_for_each_drv+0x15c/0x1e0
[ 58.485708][ T12] __device_attach+0x217/0x360
[ 58.490560][ T12] bus_probe_device+0x1e4/0x290
[ 58.495410][ T12] device_add+0xae6/0x16f0
[ 58.500095][ T12] usb_new_device.cold+0x8c1/0x1016
[ 58.505370][ T12] hub_event+0x1ada/0x3590
[ 58.509776][ T12] process_one_work+0x905/0x1570
[ 58.514775][ T12] worker_thread+0x96/0xe20
[ 58.519266][ T12] kthread+0x30b/0x410
[ 58.523317][ T12] ret_from_fork+0x24/0x30
[ 58.527709][ T12]
[ 58.530129][ T12] Freed by task 12:
[ 58.533921][ T12] save_stack+0x1b/0x80
[ 58.538073][ T12] __kasan_slab_free+0x130/0x180
[ 58.542997][ T12] kfree+0xd7/0x280
[ 58.546798][ T12] dw2102_probe+0x871/0xc40
[ 58.551612][ T12] usb_probe_interface+0x305/0x7a0
[ 58.556914][ T12] really_probe+0x281/0x660
[ 58.561731][ T12] driver_probe_device+0x104/0x210
[ 58.566868][ T12] __device_attach_driver+0x1c2/0x220
[ 58.572267][ T12] bus_for_each_drv+0x15c/0x1e0
[ 58.577103][ T12] __device_attach+0x217/0x360
[ 58.581847][ T12] bus_probe_device+0x1e4/0x290
[ 58.586677][ T12] device_add+0xae6/0x16f0
[ 58.591075][ T12] usb_set_configuration+0xdf6/0x1670
[ 58.596638][ T12] generic_probe+0x9d/0xd5
[ 58.601075][ T12] usb_probe_device+0x99/0x100
[ 58.605826][ T12] really_probe+0x281/0x660
[ 58.610316][ T12] driver_probe_device+0x104/0x210
[ 58.615471][ T12] __device_attach_driver+0x1c2/0x220
[ 58.620867][ T12] bus_for_each_drv+0x15c/0x1e0
[ 58.625700][ T12] __device_attach+0x217/0x360
[ 58.630579][ T12] bus_probe_device+0x1e4/0x290
[ 58.635727][ T12] device_add+0xae6/0x16f0
[ 58.640132][ T12] usb_new_device.cold+0x8c1/0x1016
[ 58.645321][ T12] hub_event+0x1ada/0x3590
[ 58.649721][ T12] process_one_work+0x905/0x1570
[ 58.654643][ T12] worker_thread+0x96/0xe20
[ 58.659259][ T12] kthread+0x30b/0x410
[ 58.663307][ T12] ret_from_fork+0x24/0x30
[ 58.667694][ T12]
[ 58.670150][ T12] The buggy address belongs to the object at ffff8881d3854400
[ 58.670150][ T12] which belongs to the cache kmalloc-4k of size 4096
[ 58.684732][ T12] The buggy address is located 728 bytes inside of
[ 58.684732][ T12] 4096-byte region [ffff8881d3854400, ffff8881d3855400)
[ 58.698315][ T12] The buggy address belongs to the page:
[ 58.703947][ T12] page:ffffea00074e1400 refcount:1 mapcount:0 mapping:ffff8881dac02600 index:0x0 compound_mapcount: 0
[ 58.715088][ T12] flags: 0x200000000010200(slab|head)
[ 58.720488][ T12] raw: 0200000000010200 dead000000000100 dead000000000200 ffff8881dac02600
[ 58.729059][ T12] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 58.737628][ T12] page dumped because: kasan: bad access detected
[ 58.744025][ T12]
[ 58.746347][ T12] Memory state around the buggy address:
[ 58.752092][ T12] ffff8881d3854580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.760139][ T12] ffff8881d3854600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.768328][ T12] >ffff8881d3854680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.776392][ T12] ^
[ 58.783312][ T12] ffff8881d3854700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.791367][ T12] ffff8881d3854780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.799729][ T12] ==================================================================
[ 58.807779][ T12] Disabling lock debugging due to kernel taint
[ 58.813997][ T12] Kernel panic - not syncing: panic_on_warn set ...
[ 58.820706][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.2.0-rc6+ #13
[ 58.829926][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.839994][ T12] Workqueue: usb_hub_wq hub_event
[ 58.845006][ T12] Call Trace:
[ 58.848281][ T12] dump_stack+0xca/0x13e
[ 58.852597][ T12] panic+0x292/0x6c9
[ 58.856477][ T12] ? __warn_printk+0xf3/0xf3
[ 58.861058][ T12] ? dvb_usb_device_exit+0xb6/0xc0
[ 58.866160][ T12] ? trace_hardirqs_on+0x55/0x1c0
[ 58.871235][ T12] ? dvb_usb_device_exit+0xb6/0xc0
[ 58.876336][ T12] end_report+0x43/0x49
[ 58.880669][ T12] ? dvb_usb_device_exit+0xb6/0xc0
[ 58.885781][ T12] __kasan_report.cold+0xd/0x32
[ 58.890634][ T12] ? dvb_usb_device_exit+0xb6/0xc0
[ 58.895782][ T12] kasan_report+0xe/0x20
[ 58.900020][ T12] dvb_usb_device_exit+0xb6/0xc0
[ 58.904961][ T12] usb_unbind_interface+0x1bd/0x8a0
[ 58.910547][ T12] ? usb_autoresume_device+0x60/0x60
[ 58.916131][ T12] device_release_driver_internal+0x404/0x4c0
[ 58.922339][ T12] bus_remove_device+0x2dc/0x4a0
[ 58.927264][ T12] device_del+0x460/0xb80
[ 58.932023][ T12] ? __device_links_no_driver+0x240/0x240
[ 58.937737][ T12] ? usb_remove_ep_devs+0x3e/0x80
[ 58.942988][ T12] ? remove_intf_ep_devs+0x13f/0x1d0
[ 58.948356][ T12] usb_disable_device+0x211/0x690
[ 58.953366][ T12] usb_disconnect+0x284/0x830
[ 58.958030][ T12] hub_event+0x1409/0x3590
[ 58.962452][ T12] ? hub_port_debounce+0x260/0x260
[ 58.967773][ T12] process_one_work+0x905/0x1570
[ 58.972806][ T12] ? pwq_dec_nr_in_flight+0x310/0x310
[ 58.978156][ T12] ? do_raw_spin_lock+0x11a/0x280
[ 58.983205][ T12] worker_thread+0x7ab/0xe20
[ 58.987796][ T12] ? process_one_work+0x1570/0x1570
[ 58.992986][ T12] kthread+0x30b/0x410
[ 58.997150][ T12] ? kthread_park+0x1a0/0x1a0
[ 59.001834][ T12] ret_from_fork+0x24/0x30
[ 59.007033][ T12] Kernel Offset: disabled
[ 59.019431][ T12] Rebooting in 86400 seconds..