Warning: Permanently added '10.128.1.38' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 43.744445][ T22] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 43.984363][ T22] usb 1-1: Using ep0 maxpacket: 32
[ 44.104500][ T22] usb 1-1: config 0 has an invalid interface number: 31 but max is 0
[ 44.112756][ T22] usb 1-1: config 0 has no interface number 0
[ 44.119044][ T22] usb 1-1: New USB device found, idVendor=9022, idProduct=d421, bcdDevice=c1.e6
[ 44.128371][ T22] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 44.137836][ T22] usb 1-1: config 0 descriptor??
executing program
[ 44.414629][ T22] usb 1-1: string descriptor 0 read error: -71
[ 44.422663][ T22] dw2102: su3000_identify_state
[ 44.427653][ T22] dvb-usb: found a 'TeVii S421 PCI' in warm state.
[ 44.434428][ T22] dw2102: su3000_power_ctrl: 1, initialized 0
[ 44.440649][ T22] dvb-usb: bulk message failed: -22 (2/-634642368)
[ 44.448834][ T22] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[ 44.474821][ T22] dvbdev: DVB: registering new adapter (TeVii S421 PCI)
[ 44.481852][ T22] usb 1-1: media controller created
[ 44.487280][ T22] dvb-usb: bulk message failed: -22 (6/-2035979840)
[ 44.493910][ T22] dw2102: i2c transfer failed.
[ 44.498820][ T22] dvb-usb: bulk message failed: -22 (6/-2035979840)
[ 44.505435][ T22] dw2102: i2c transfer failed.
[ 44.510194][ T22] dvb-usb: bulk message failed: -22 (6/-2035979840)
[ 44.516828][ T22] dw2102: i2c transfer failed.
[ 44.521699][ T22] dvb-usb: bulk message failed: -22 (6/-2035979840)
[ 44.528329][ T22] dw2102: i2c transfer failed.
[ 44.533101][ T22] dvb-usb: bulk message failed: -22 (6/-2035979840)
[ 44.539728][ T22] dw2102: i2c transfer failed.
[ 44.544538][ T22] dvb-usb: bulk message failed: -22 (6/-2035979840)
[ 44.551105][ T22] dw2102: i2c transfer failed.
[ 44.555917][ T22] dvb-usb: MAC address: 02:02:02:02:02:02
[ 44.565850][ T22] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
[ 44.581602][ T22] dvb-usb: bulk message failed: -22 (1/0)
[ 44.587465][ T22] dw2102: command 0x51 transfer failed.
[ 44.594817][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 44.601463][ T22] dw2102: i2c transfer failed.
[ 44.606404][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 44.612993][ T22] dw2102: i2c transfer failed.
[ 44.617825][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 44.624438][ T22] dw2102: i2c transfer failed.
[ 44.629203][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 44.636062][ T22] dw2102: i2c transfer failed.
[ 44.640848][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 44.647537][ T22] dw2102: i2c transfer failed.
[ 44.652314][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 44.658929][ T22] dw2102: i2c transfer failed.
[ 44.705084][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 44.711752][ T22] dw2102: i2c transfer failed.
[ 44.716704][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 44.723316][ T22] dw2102: i2c transfer failed.
[ 44.728230][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 44.734847][ T22] dw2102: i2c transfer failed.
[ 44.739752][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 44.746397][ T22] dw2102: i2c transfer failed.
[ 44.751196][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 44.757835][ T22] dw2102: i2c transfer failed.
[ 44.762624][ T22] dvb-usb: bulk message failed: -22 (5/-2035979840)
[ 44.769318][ T22] dw2102: i2c transfer failed.
[ 44.774140][ T22] ts2020 0-0060: Montage Technology TS2020 successfully identified
[ 44.782725][ T22] dw2102: Attached RS2000/TS2020!
[ 44.788054][ T22] usb 1-1: DVB: registering adapter 0 frontend 0 (M88RS2000 DVB-S)...
[ 44.796691][ T22] dvbdev: dvb_create_media_entity: media entity 'M88RS2000 DVB-S' registered.
[ 44.874666][ T22] Registered IR keymap rc-su3000
[ 44.880179][ T22] rc rc0: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0
[ 44.889498][ T22] input: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input5
[ 44.899996][ T22] dvb-usb: schedule remote query interval to 150 msecs.
[ 44.907026][ T22] dw2102: su3000_power_ctrl: 0, initialized 1
[ 44.913108][ T22] dvb-usb: TeVii S421 PCI successfully initialized and connected.
[ 44.923681][ T22] usb 1-1: USB disconnect, device number 2
[ 44.930191][ T22] ==================================================================
[ 44.938302][ T22] BUG: KASAN: use-after-free in dvb_usb_device_exit+0x19a/0x1a0
[ 44.945920][ T22] Read of size 8 at addr ffff8881d5ac82e8 by task kworker/1:1/22
[ 44.953613][ T22]
[ 44.955933][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.3.0-rc2+ #25
[ 44.963368][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.973561][ T22] Workqueue: usb_hub_wq hub_event
[ 44.978566][ T22] Call Trace:
[ 44.981838][ T22] dump_stack+0xca/0x13e
[ 44.986155][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 44.991422][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 44.996706][ T22] print_address_description+0x6a/0x32c
[ 45.002242][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 45.008032][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 45.013303][ T22] __kasan_report.cold+0x1a/0x33
[ 45.018240][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 45.023520][ T22] kasan_report+0xe/0x12
[ 45.027770][ T22] dvb_usb_device_exit+0x19a/0x1a0
[ 45.032880][ T22] ? dvb_usb_exit+0x290/0x290
[ 45.037542][ T22] ? mark_held_locks+0x9f/0xe0
[ 45.042310][ T22] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 45.048196][ T22] ? lockdep_hardirqs_on+0x379/0x580
[ 45.053466][ T22] ? usb_disable_interface+0x7b/0x1a0
[ 45.058825][ T22] ? __pm_runtime_resume+0x111/0x180
[ 45.064099][ T22] usb_unbind_interface+0x1bd/0x8a0
[ 45.069282][ T22] ? usb_autoresume_device+0x60/0x60
[ 45.074600][ T22] device_release_driver_internal+0x404/0x4c0
[ 45.080663][ T22] bus_remove_device+0x2dc/0x4a0
[ 45.085583][ T22] device_del+0x420/0xb10
[ 45.090003][ T22] ? __device_links_no_driver+0x240/0x240
[ 45.095751][ T22] ? lockdep_hardirqs_on+0x379/0x580
[ 45.101023][ T22] ? remove_intf_ep_devs+0x13f/0x1d0
[ 45.106325][ T22] usb_disable_device+0x211/0x690
[ 45.111340][ T22] usb_disconnect+0x284/0x8d0
[ 45.116000][ T22] hub_event+0x1454/0x3640
[ 45.120412][ T22] ? find_held_lock+0x2d/0x110
[ 45.125217][ T22] ? mark_held_locks+0xe0/0xe0
[ 45.130023][ T22] ? hub_port_debounce+0x260/0x260
[ 45.135127][ T22] process_one_work+0x92b/0x1530
[ 45.140057][ T22] ? pwq_dec_nr_in_flight+0x310/0x310
[ 45.145464][ T22] ? do_raw_spin_lock+0x11a/0x280
[ 45.150478][ T22] worker_thread+0x7ab/0xe20
[ 45.155050][ T22] ? process_one_work+0x1530/0x1530
[ 45.160239][ T22] kthread+0x318/0x420
[ 45.164410][ T22] ? kthread_create_on_node+0xf0/0xf0
[ 45.169784][ T22] ret_from_fork+0x24/0x30
[ 45.174226][ T22]
[ 45.176542][ T22] Allocated by task 22:
[ 45.180678][ T22] save_stack+0x1b/0x80
[ 45.184819][ T22] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 45.190438][ T22] __kmalloc_track_caller+0xc8/0x2a0
[ 45.195706][ T22] kmemdup+0x23/0x50
[ 45.199684][ T22] dw2102_probe+0x627/0xc40
[ 45.204185][ T22] usb_probe_interface+0x305/0x7a0
[ 45.209285][ T22] really_probe+0x281/0x650
[ 45.213811][ T22] driver_probe_device+0x101/0x1b0
[ 45.218916][ T22] __device_attach_driver+0x1c2/0x220
[ 45.224332][ T22] bus_for_each_drv+0x15c/0x1e0
[ 45.229183][ T22] __device_attach+0x217/0x360
[ 45.234064][ T22] bus_probe_device+0x1e4/0x290
[ 45.238913][ T22] device_add+0xae6/0x16f0
[ 45.243330][ T22] usb_set_configuration+0xdf6/0x1670
[ 45.248767][ T22] generic_probe+0x9d/0xd5
[ 45.253173][ T22] usb_probe_device+0x99/0x100
[ 45.257921][ T22] really_probe+0x281/0x650
[ 45.262415][ T22] driver_probe_device+0x101/0x1b0
[ 45.267511][ T22] __device_attach_driver+0x1c2/0x220
[ 45.272983][ T22] bus_for_each_drv+0x15c/0x1e0
[ 45.277814][ T22] __device_attach+0x217/0x360
[ 45.282568][ T22] bus_probe_device+0x1e4/0x290
[ 45.287522][ T22] device_add+0xae6/0x16f0
[ 45.291935][ T22] usb_new_device.cold+0x6a4/0xe79
[ 45.297099][ T22] hub_event+0x1b5c/0x3640
[ 45.301592][ T22] process_one_work+0x92b/0x1530
[ 45.306764][ T22] worker_thread+0x96/0xe20
[ 45.311271][ T22] kthread+0x318/0x420
[ 45.315466][ T22] ret_from_fork+0x24/0x30
[ 45.319901][ T22]
[ 45.322212][ T22] Freed by task 22:
[ 45.326008][ T22] save_stack+0x1b/0x80
[ 45.330211][ T22] __kasan_slab_free+0x130/0x180
[ 45.335131][ T22] kfree+0xe4/0x2f0
[ 45.338919][ T22] dw2102_probe+0x871/0xc40
[ 45.343402][ T22] usb_probe_interface+0x305/0x7a0
[ 45.348499][ T22] really_probe+0x281/0x650
[ 45.353041][ T22] driver_probe_device+0x101/0x1b0
[ 45.358138][ T22] __device_attach_driver+0x1c2/0x220
[ 45.363493][ T22] bus_for_each_drv+0x15c/0x1e0
[ 45.368373][ T22] __device_attach+0x217/0x360
[ 45.373125][ T22] bus_probe_device+0x1e4/0x290
[ 45.377953][ T22] device_add+0xae6/0x16f0
[ 45.382347][ T22] usb_set_configuration+0xdf6/0x1670
[ 45.387695][ T22] generic_probe+0x9d/0xd5
[ 45.392157][ T22] usb_probe_device+0x99/0x100
[ 45.396911][ T22] really_probe+0x281/0x650
[ 45.401398][ T22] driver_probe_device+0x101/0x1b0
[ 45.406489][ T22] __device_attach_driver+0x1c2/0x220
[ 45.411844][ T22] bus_for_each_drv+0x15c/0x1e0
[ 45.416676][ T22] __device_attach+0x217/0x360
[ 45.421420][ T22] bus_probe_device+0x1e4/0x290
[ 45.426252][ T22] device_add+0xae6/0x16f0
[ 45.430655][ T22] usb_new_device.cold+0x6a4/0xe79
[ 45.435748][ T22] hub_event+0x1b5c/0x3640
[ 45.440148][ T22] process_one_work+0x92b/0x1530
[ 45.446108][ T22] worker_thread+0x96/0xe20
[ 45.450629][ T22] kthread+0x318/0x420
[ 45.454693][ T22] ret_from_fork+0x24/0x30
[ 45.459101][ T22]
[ 45.461410][ T22] The buggy address belongs to the object at ffff8881d5ac8000
[ 45.461410][ T22] which belongs to the cache kmalloc-4k of size 4096
[ 45.475510][ T22] The buggy address is located 744 bytes inside of
[ 45.475510][ T22] 4096-byte region [ffff8881d5ac8000, ffff8881d5ac9000)
[ 45.488878][ T22] The buggy address belongs to the page:
[ 45.494524][ T22] page:ffffea000756b200 refcount:1 mapcount:0 mapping:ffff8881da00c280 index:0x0 compound_mapcount: 0
[ 45.505582][ T22] flags: 0x200000000010200(slab|head)
[ 45.510940][ T22] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c280
[ 45.524547][ T22] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 45.533110][ T22] page dumped because: kasan: bad access detected
[ 45.539497][ T22]
[ 45.541899][ T22] Memory state around the buggy address:
[ 45.547565][ T22] ffff8881d5ac8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.555608][ T22] ffff8881d5ac8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.563654][ T22] >ffff8881d5ac8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.571894][ T22] ^
[ 45.579329][ T22] ffff8881d5ac8300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.587378][ T22] ffff8881d5ac8380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.595488][ T22] ==================================================================
[ 45.603532][ T22] Disabling lock debugging due to kernel taint
[ 45.609765][ T22] Kernel panic - not syncing: panic_on_warn set ...
[ 45.616367][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G B 5.3.0-rc2+ #25
[ 45.625193][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.635233][ T22] Workqueue: usb_hub_wq hub_event
[ 45.640240][ T22] Call Trace:
[ 45.643510][ T22] dump_stack+0xca/0x13e
[ 45.647738][ T22] panic+0x2a3/0x6da
[ 45.651680][ T22] ? add_taint.cold+0x16/0x16
[ 45.656356][ T22] ? retint_kernel+0x10/0x10
[ 45.660926][ T22] ? trace_hardirqs_on+0x55/0x1e0
[ 45.665931][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 45.671262][ T22] end_report+0x43/0x49
[ 45.675440][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 45.680855][ T22] __kasan_report.cold+0xd/0x33
[ 45.685690][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 45.691053][ T22] kasan_report+0xe/0x12
[ 45.695277][ T22] dvb_usb_device_exit+0x19a/0x1a0
[ 45.700371][ T22] ? dvb_usb_exit+0x290/0x290
[ 45.705032][ T22] ? mark_held_locks+0x9f/0xe0
[ 45.709884][ T22] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 45.715710][ T22] ? lockdep_hardirqs_on+0x379/0x580
[ 45.720986][ T22] ? usb_disable_interface+0x7b/0x1a0
[ 45.726337][ T22] ? __pm_runtime_resume+0x111/0x180
[ 45.731600][ T22] usb_unbind_interface+0x1bd/0x8a0
[ 45.736790][ T22] ? usb_autoresume_device+0x60/0x60
[ 45.742069][ T22] device_release_driver_internal+0x404/0x4c0
[ 45.748116][ T22] bus_remove_device+0x2dc/0x4a0
[ 45.753046][ T22] device_del+0x420/0xb10
[ 45.757353][ T22] ? __device_links_no_driver+0x240/0x240
[ 45.763051][ T22] ? lockdep_hardirqs_on+0x379/0x580
[ 45.768325][ T22] ? remove_intf_ep_devs+0x13f/0x1d0
[ 45.773663][ T22] usb_disable_device+0x211/0x690
[ 45.778671][ T22] usb_disconnect+0x284/0x8d0
[ 45.783329][ T22] hub_event+0x1454/0x3640
[ 45.787725][ T22] ? find_held_lock+0x2d/0x110
[ 45.792465][ T22] ? mark_held_locks+0xe0/0xe0
[ 45.797205][ T22] ? hub_port_debounce+0x260/0x260
[ 45.802293][ T22] process_one_work+0x92b/0x1530
[ 45.807209][ T22] ? pwq_dec_nr_in_flight+0x310/0x310
[ 45.812606][ T22] ? do_raw_spin_lock+0x11a/0x280
[ 45.817619][ T22] worker_thread+0x7ab/0xe20
[ 45.822197][ T22] ? process_one_work+0x1530/0x1530
[ 45.827377][ T22] kthread+0x318/0x420
[ 45.831556][ T22] ? kthread_create_on_node+0xf0/0xf0
[ 45.836912][ T22] ret_from_fork+0x24/0x30
[ 45.841634][ T22] Kernel Offset: disabled
[ 45.845950][ T22] Rebooting in 86400 seconds..