Warning: Permanently added '10.128.15.195' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 38.702238][ T107] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 38.942176][ T107] usb 1-1: Using ep0 maxpacket: 8
[ 39.062325][ T107] usb 1-1: config 0 has an invalid interface number: 222 but max is 0
[ 39.070937][ T107] usb 1-1: config 0 has no interface number 0
[ 39.077125][ T107] usb 1-1: New USB device found, idVendor=9022, idProduct=d632, bcdDevice=eb.69
[ 39.086241][ T107] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 39.096264][ T107] usb 1-1: config 0 descriptor??
[ 39.134407][ T107] dw2102: su3000_identify_state
[ 39.139416][ T107] dvb-usb: found a 'TeVii S632 USB' in warm state.
[ 39.146090][ T107] dw2102: su3000_power_ctrl: 1, initialized 0
[ 39.152463][ T107] dvb-usb: bulk message failed: -22 (2/0)
[ 39.159906][ T107] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[ 39.182570][ T107] dvbdev: DVB: registering new adapter (TeVii S632 USB)
[ 39.189733][ T107] usb 1-1: media controller created
[ 39.195250][ T107] dvb-usb: bulk message failed: -22 (6/-2035708080)
[ 39.201900][ T107] dw2102: i2c transfer failed.
[ 39.206815][ T107] dvb-usb: bulk message failed: -22 (6/-2035708080)
[ 39.213452][ T107] dw2102: i2c transfer failed.
[ 39.218389][ T107] dvb-usb: bulk message failed: -22 (6/-2035708080)
[ 39.225050][ T107] dw2102: i2c transfer failed.
[ 39.229886][ T107] dvb-usb: bulk message failed: -22 (6/-2035708080)
[ 39.236545][ T107] dw2102: i2c transfer failed.
[ 39.241348][ T107] dvb-usb: bulk message failed: -22 (6/-2035708080)
[ 39.248080][ T107] dw2102: i2c transfer failed.
[ 39.252917][ T107] dvb-usb: bulk message failed: -22 (6/-2035708080)
[ 39.259649][ T107] dw2102: i2c transfer failed.
[ 39.264626][ T107] dvb-usb: MAC address: 02:02:02:02:02:02
[ 39.274753][ T107] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
executing program
[ 39.290993][ T107] dvb-usb: bulk message failed: -22 (1/0)
[ 39.296921][ T107] dw2102: command 0x51 transfer failed.
[ 39.304432][ T107] dvb-usb: bulk message failed: -22 (5/-2035708080)
[ 39.311172][ T107] dw2102: i2c transfer failed.
[ 39.317546][ T107] dvb-usb: bulk message failed: -22 (5/-2035708080)
[ 39.324210][ T107] dw2102: i2c transfer failed.
[ 39.330441][ T107] dvb-usb: bulk message failed: -22 (5/-2035708080)
[ 39.337132][ T107] dw2102: i2c transfer failed.
[ 39.341970][ T107] dvb-usb: bulk message failed: -22 (5/-2035708080)
[ 39.348850][ T107] dw2102: i2c transfer failed.
[ 39.353692][ T107] dvb-usb: bulk message failed: -22 (5/-2035708080)
[ 39.360269][ T107] dw2102: i2c transfer failed.
[ 39.365561][ T107] dvb-usb: bulk message failed: -22 (5/-2035708080)
[ 39.372216][ T107] dw2102: i2c transfer failed.
[ 39.422702][ T107] dvb-usb: bulk message failed: -22 (5/-2035708080)
[ 39.429469][ T107] dw2102: i2c transfer failed.
[ 39.434416][ T107] dvb-usb: bulk message failed: -22 (5/-2035708080)
[ 39.441167][ T107] dw2102: i2c transfer failed.
[ 39.446129][ T107] dvb-usb: bulk message failed: -22 (5/-2035708080)
[ 39.452865][ T107] dw2102: i2c transfer failed.
[ 39.457674][ T107] dvb-usb: bulk message failed: -22 (5/-2035708080)
[ 39.464361][ T107] dw2102: i2c transfer failed.
[ 39.469189][ T107] dvb-usb: bulk message failed: -22 (5/-2035708080)
[ 39.475841][ T107] dw2102: i2c transfer failed.
[ 39.480691][ T107] dvb-usb: bulk message failed: -22 (5/-2035708080)
[ 39.487364][ T107] dw2102: i2c transfer failed.
[ 39.492259][ T107] ts2020 0-0060: Montage Technology TS2020 successfully identified
[ 39.500913][ T107] dw2102: Attached RS2000/TS2020!
[ 39.506307][ T107] usb 1-1: DVB: registering adapter 0 frontend 0 (M88RS2000 DVB-S)...
[ 39.514788][ T107] dvbdev: dvb_create_media_entity: media entity 'M88RS2000 DVB-S' registered.
[ 39.592514][ T107] Registered IR keymap rc-su3000
[ 39.598827][ T107] rc rc0: TeVii S632 USB as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0
[ 39.608506][ T107] input: TeVii S632 USB as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input5
[ 39.619475][ T107] dvb-usb: schedule remote query interval to 150 msecs.
[ 39.626572][ T107] dw2102: su3000_power_ctrl: 0, initialized 1
[ 39.632739][ T107] dvb-usb: TeVii S632 USB successfully initialized and connected.
[ 39.642492][ T107] usb 1-1: USB disconnect, device number 2
[ 39.649066][ T107] ==================================================================
[ 39.657219][ T107] BUG: KASAN: use-after-free in dvb_usb_device_exit+0xb6/0xc0
[ 39.664725][ T107] Read of size 8 at addr ffff8881d38a14d0 by task kworker/0:2/107
[ 39.672663][ T107]
[ 39.674991][ T107] CPU: 0 PID: 107 Comm: kworker/0:2 Not tainted 5.2.0-rc5+ #11
[ 39.682519][ T107] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.692583][ T107] Workqueue: usb_hub_wq hub_event
[ 39.697749][ T107] Call Trace:
[ 39.701054][ T107] dump_stack+0xca/0x13e
[ 39.705341][ T107] ? dvb_usb_device_exit+0xb6/0xc0
[ 39.710452][ T107] ? dvb_usb_device_exit+0xb6/0xc0
[ 39.715561][ T107] print_address_description+0x67/0x231
[ 39.721100][ T107] ? dvb_usb_device_exit+0xb6/0xc0
[ 39.726216][ T107] ? dvb_usb_device_exit+0xb6/0xc0
[ 39.731401][ T107] __kasan_report.cold+0x1a/0x32
[ 39.736346][ T107] ? dvb_usb_device_exit+0xb6/0xc0
[ 39.741452][ T107] kasan_report+0xe/0x20
[ 39.745696][ T107] dvb_usb_device_exit+0xb6/0xc0
[ 39.750702][ T107] usb_unbind_interface+0x1bd/0x8a0
[ 39.755938][ T107] ? usb_autoresume_device+0x60/0x60
[ 39.761227][ T107] device_release_driver_internal+0x404/0x4c0
[ 39.767398][ T107] bus_remove_device+0x2dc/0x4a0
[ 39.772340][ T107] device_del+0x460/0xb80
[ 39.776756][ T107] ? __device_links_no_driver+0x240/0x240
[ 39.783043][ T107] ? lockdep_hardirqs_on+0x379/0x580
[ 39.788332][ T107] ? remove_intf_ep_devs+0x13f/0x1d0
[ 39.793619][ T107] usb_disable_device+0x211/0x690
[ 39.798739][ T107] usb_disconnect+0x284/0x830
[ 39.803428][ T107] hub_event+0x1409/0x3590
[ 39.807898][ T107] ? hub_port_debounce+0x260/0x260
[ 39.813182][ T107] process_one_work+0x905/0x1570
[ 39.818571][ T107] ? pwq_dec_nr_in_flight+0x310/0x310
[ 39.823988][ T107] ? do_raw_spin_lock+0x11a/0x280
[ 39.829022][ T107] worker_thread+0x7ab/0xe20
[ 39.833768][ T107] ? process_one_work+0x1570/0x1570
[ 39.838997][ T107] kthread+0x30b/0x410
[ 39.843186][ T107] ? kthread_park+0x1a0/0x1a0
[ 39.847974][ T107] ret_from_fork+0x24/0x30
[ 39.853079][ T107]
[ 39.855469][ T107] Allocated by task 107:
[ 39.859709][ T107] save_stack+0x1b/0x80
[ 39.863863][ T107] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 39.869495][ T107] __kmalloc_track_caller+0xe2/0x2b0
[ 39.874781][ T107] kmemdup+0x23/0x50
[ 39.878939][ T107] dw2102_probe+0x627/0xc40
[ 39.883535][ T107] usb_probe_interface+0x305/0x7a0
[ 39.888814][ T107] really_probe+0x281/0x660
[ 39.893314][ T107] driver_probe_device+0x104/0x210
[ 39.898424][ T107] __device_attach_driver+0x1c2/0x220
[ 39.903796][ T107] bus_for_each_drv+0x15c/0x1e0
[ 39.908635][ T107] __device_attach+0x217/0x360
[ 39.913399][ T107] bus_probe_device+0x1e4/0x290
[ 39.918724][ T107] device_add+0xae6/0x16f0
[ 39.923150][ T107] usb_set_configuration+0xdf6/0x1670
[ 39.928629][ T107] generic_probe+0x9d/0xd5
[ 39.933068][ T107] usb_probe_device+0x99/0x100
[ 39.937913][ T107] really_probe+0x281/0x660
[ 39.942411][ T107] driver_probe_device+0x104/0x210
[ 39.947521][ T107] __device_attach_driver+0x1c2/0x220
[ 39.952885][ T107] bus_for_each_drv+0x15c/0x1e0
[ 39.957722][ T107] __device_attach+0x217/0x360
[ 39.962488][ T107] bus_probe_device+0x1e4/0x290
[ 39.967394][ T107] device_add+0xae6/0x16f0
[ 39.971812][ T107] usb_new_device.cold+0x8c1/0x1016
[ 39.977004][ T107] hub_event+0x1ada/0x3590
[ 39.981468][ T107] process_one_work+0x905/0x1570
[ 39.986535][ T107] worker_thread+0x96/0xe20
[ 39.991029][ T107] kthread+0x30b/0x410
[ 39.995092][ T107] ret_from_fork+0x24/0x30
[ 39.999494][ T107]
[ 40.001808][ T107] Freed by task 107:
[ 40.005697][ T107] save_stack+0x1b/0x80
[ 40.009847][ T107] __kasan_slab_free+0x130/0x180
[ 40.014784][ T107] kfree+0xd7/0x280
[ 40.018588][ T107] dw2102_probe+0x871/0xc40
[ 40.023092][ T107] usb_probe_interface+0x305/0x7a0
[ 40.028393][ T107] really_probe+0x281/0x660
[ 40.032919][ T107] driver_probe_device+0x104/0x210
[ 40.038143][ T107] __device_attach_driver+0x1c2/0x220
[ 40.043516][ T107] bus_for_each_drv+0x15c/0x1e0
[ 40.048374][ T107] __device_attach+0x217/0x360
[ 40.053136][ T107] bus_probe_device+0x1e4/0x290
[ 40.058032][ T107] device_add+0xae6/0x16f0
[ 40.062453][ T107] usb_set_configuration+0xdf6/0x1670
[ 40.067836][ T107] generic_probe+0x9d/0xd5
[ 40.072361][ T107] usb_probe_device+0x99/0x100
[ 40.077135][ T107] really_probe+0x281/0x660
[ 40.081649][ T107] driver_probe_device+0x104/0x210
[ 40.086891][ T107] __device_attach_driver+0x1c2/0x220
[ 40.092266][ T107] bus_for_each_drv+0x15c/0x1e0
[ 40.097140][ T107] __device_attach+0x217/0x360
[ 40.101908][ T107] bus_probe_device+0x1e4/0x290
[ 40.106774][ T107] device_add+0xae6/0x16f0
[ 40.111273][ T107] usb_new_device.cold+0x8c1/0x1016
[ 40.116555][ T107] hub_event+0x1ada/0x3590
[ 40.121017][ T107] process_one_work+0x905/0x1570
[ 40.125951][ T107] worker_thread+0x96/0xe20
[ 40.130458][ T107] kthread+0x30b/0x410
[ 40.134537][ T107] ret_from_fork+0x24/0x30
[ 40.139102][ T107]
[ 40.141448][ T107] The buggy address belongs to the object at ffff8881d38a1100
[ 40.141448][ T107] which belongs to the cache kmalloc-4k of size 4096
[ 40.155895][ T107] The buggy address is located 976 bytes inside of
[ 40.155895][ T107] 4096-byte region [ffff8881d38a1100, ffff8881d38a2100)
[ 40.169580][ T107] The buggy address belongs to the page:
[ 40.175213][ T107] page:ffffea00074e2800 refcount:1 mapcount:0 mapping:ffff8881dac02600 index:0x0 compound_mapcount: 0
[ 40.186485][ T107] flags: 0x200000000010200(slab|head)
[ 40.191863][ T107] raw: 0200000000010200 dead000000000100 dead000000000200 ffff8881dac02600
[ 40.201215][ T107] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 40.209845][ T107] page dumped because: kasan: bad access detected
[ 40.216478][ T107]
[ 40.218981][ T107] Memory state around the buggy address:
[ 40.224602][ T107] ffff8881d38a1380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.232790][ T107] ffff8881d38a1400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.240867][ T107] >ffff8881d38a1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.248909][ T107] ^
[ 40.255576][ T107] ffff8881d38a1500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.263740][ T107] ffff8881d38a1580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.271799][ T107] ==================================================================
[ 40.279849][ T107] Disabling lock debugging due to kernel taint
[ 40.286646][ T107] Kernel panic - not syncing: panic_on_warn set ...
[ 40.293397][ T107] CPU: 0 PID: 107 Comm: kworker/0:2 Tainted: G B 5.2.0-rc5+ #11
[ 40.303243][ T107] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.313302][ T107] Workqueue: usb_hub_wq hub_event
[ 40.318303][ T107] Call Trace:
[ 40.321581][ T107] dump_stack+0xca/0x13e
[ 40.325851][ T107] panic+0x292/0x6c9
[ 40.329815][ T107] ? __warn_printk+0xf3/0xf3
[ 40.334410][ T107] ? dvb_usb_device_exit+0xb6/0xc0
[ 40.339511][ T107] ? trace_hardirqs_on+0x55/0x1c0
[ 40.344524][ T107] ? dvb_usb_device_exit+0xb6/0xc0
[ 40.350836][ T107] end_report+0x43/0x49
[ 40.355060][ T107] ? dvb_usb_device_exit+0xb6/0xc0
[ 40.360167][ T107] __kasan_report.cold+0xd/0x32
[ 40.365164][ T107] ? dvb_usb_device_exit+0xb6/0xc0
[ 40.370284][ T107] kasan_report+0xe/0x20
[ 40.374535][ T107] dvb_usb_device_exit+0xb6/0xc0
[ 40.379462][ T107] usb_unbind_interface+0x1bd/0x8a0
[ 40.384650][ T107] ? usb_autoresume_device+0x60/0x60
[ 40.389921][ T107] device_release_driver_internal+0x404/0x4c0
[ 40.395985][ T107] bus_remove_device+0x2dc/0x4a0
[ 40.401211][ T107] device_del+0x460/0xb80
[ 40.405535][ T107] ? __device_links_no_driver+0x240/0x240
[ 40.411288][ T107] ? lockdep_hardirqs_on+0x379/0x580
[ 40.416579][ T107] ? remove_intf_ep_devs+0x13f/0x1d0
[ 40.422134][ T107] usb_disable_device+0x211/0x690
[ 40.427163][ T107] usb_disconnect+0x284/0x830
[ 40.431837][ T107] hub_event+0x1409/0x3590
[ 40.436298][ T107] ? hub_port_debounce+0x260/0x260
[ 40.441581][ T107] process_one_work+0x905/0x1570
[ 40.446620][ T107] ? pwq_dec_nr_in_flight+0x310/0x310
[ 40.451989][ T107] ? do_raw_spin_lock+0x11a/0x280
[ 40.457007][ T107] worker_thread+0x7ab/0xe20
[ 40.461703][ T107] ? process_one_work+0x1570/0x1570
[ 40.466907][ T107] kthread+0x30b/0x410
[ 40.471230][ T107] ? kthread_park+0x1a0/0x1a0
[ 40.476102][ T107] ret_from_fork+0x24/0x30
[ 40.481023][ T107] Kernel Offset: disabled
[ 40.491535][ T107] Rebooting in 86400 seconds..