Warning: Permanently added '10.128.0.241' (ECDSA) to the list of known hosts.
executing program
[ 27.300087][ T95] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 27.390269][ T95] usb 1-1: Using ep0 maxpacket: 8
[ 27.510104][ T95] usb 1-1: config 0 has an invalid interface number: 250 but max is 0
[ 27.518445][ T95] usb 1-1: config 0 has no interface number 0
[ 27.524816][ T95] usb 1-1: config 0 interface 250 has no altsetting 0
[ 27.531668][ T95] usb 1-1: New USB device found, idVendor=9022, idProduct=d421, bcdDevice=e3.96
[ 27.540903][ T95] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 27.550697][ T95] usb 1-1: config 0 descriptor??
[ 27.592171][ T95] dw2102: su3000_identify_state
[ 27.597260][ T95] dvb-usb: found a 'TeVii S421 PCI' in warm state.
[ 27.604148][ T95] dw2102: su3000_power_ctrl: 1, initialized 0
[ 27.610596][ T95] dvb-usb: bulk message failed: -22 (2/0)
[ 27.617986][ T95] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[ 27.640333][ T95] dvbdev: DVB: registering new adapter (TeVii S421 PCI)
[ 27.648315][ T95] usb 1-1: media controller created
[ 27.654070][ T95] dvb-usb: bulk message failed: -22 (6/0)
[ 27.660201][ T95] dw2102: i2c transfer failed.
[ 27.665183][ T95] dvb-usb: bulk message failed: -22 (6/0)
[ 27.671032][ T95] dw2102: i2c transfer failed.
[ 27.675825][ T95] dvb-usb: bulk message failed: -22 (6/0)
[ 27.681631][ T95] dw2102: i2c transfer failed.
[ 27.686450][ T95] dvb-usb: bulk message failed: -22 (6/0)
[ 27.692245][ T95] dw2102: i2c transfer failed.
[ 27.697320][ T95] dvb-usb: bulk message failed: -22 (6/0)
[ 27.703084][ T95] dw2102: i2c transfer failed.
[ 27.707867][ T95] dvb-usb: bulk message failed: -22 (6/0)
[ 27.713630][ T95] dw2102: i2c transfer failed.
[ 27.718876][ T95] dvb-usb: MAC address: 02:02:02:02:02:02
[ 27.729268][ T95] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
executing program
[ 27.749238][ T95] dvb-usb: bulk message failed: -22 (1/0)
[ 27.755071][ T95] dw2102: command 0x51 transfer failed.
[ 27.762481][ T95] dvb-usb: bulk message failed: -22 (5/0)
[ 27.768425][ T95] dw2102: i2c transfer failed.
[ 27.773667][ T95] dvb-usb: bulk message failed: -22 (5/0)
[ 27.779702][ T95] dw2102: i2c transfer failed.
[ 27.784698][ T95] dvb-usb: bulk message failed: -22 (5/0)
[ 27.790480][ T95] dw2102: i2c transfer failed.
[ 27.795300][ T95] dvb-usb: bulk message failed: -22 (5/0)
[ 27.801389][ T95] dw2102: i2c transfer failed.
[ 27.806320][ T95] dvb-usb: bulk message failed: -22 (5/0)
[ 27.812618][ T95] dw2102: i2c transfer failed.
[ 27.817496][ T95] dvb-usb: bulk message failed: -22 (5/0)
[ 27.823263][ T95] dw2102: i2c transfer failed.
[ 27.878196][ T95] dvb-usb: bulk message failed: -22 (5/0)
[ 27.884251][ T95] dw2102: i2c transfer failed.
[ 27.889033][ T95] dvb-usb: bulk message failed: -22 (5/0)
[ 27.894798][ T95] dw2102: i2c transfer failed.
[ 27.899591][ T95] dvb-usb: bulk message failed: -22 (5/0)
[ 27.905551][ T95] dw2102: i2c transfer failed.
[ 27.910445][ T95] dvb-usb: bulk message failed: -22 (5/0)
[ 27.916307][ T95] dw2102: i2c transfer failed.
[ 27.921190][ T95] dvb-usb: bulk message failed: -22 (5/0)
[ 27.926935][ T95] dw2102: i2c transfer failed.
[ 27.931789][ T95] dvb-usb: bulk message failed: -22 (5/0)
[ 27.937531][ T95] dw2102: i2c transfer failed.
[ 27.942439][ T95] ts2020 0-0060: Montage Technology TS2020 successfully identified
[ 27.951367][ T95] dw2102: Attached RS2000/TS2020!
[ 27.956622][ T95] usb 1-1: DVB: registering adapter 0 frontend 0 (M88RS2000 DVB-S)...
[ 27.965453][ T95] dvbdev: dvb_create_media_entity: media entity 'M88RS2000 DVB-S' registered.
[ 28.030422][ T95] Registered IR keymap rc-su3000
[ 28.036341][ T95] rc rc0: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0
[ 28.045969][ T95] input: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input5
[ 28.056599][ T95] dvb-usb: schedule remote query interval to 150 msecs.
[ 28.063668][ T95] dw2102: su3000_power_ctrl: 0, initialized 1
[ 28.069752][ T95] dvb-usb: TeVii S421 PCI successfully initialized and connected.
[ 28.079003][ T95] usb 1-1: USB disconnect, device number 2
[ 28.085826][ T95] ==================================================================
[ 28.094588][ T95] BUG: KASAN: use-after-free in dvb_usb_device_exit+0x19a/0x1a0
[ 28.102215][ T95] Read of size 8 at addr ffff8881cde222e8 by task kworker/1:2/95
[ 28.110159][ T95]
[ 28.112482][ T95] CPU: 1 PID: 95 Comm: kworker/1:2 Not tainted 5.6.0-rc3-syzkaller #0
[ 28.120629][ T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.130816][ T95] Workqueue: usb_hub_wq hub_event
[ 28.135826][ T95] Call Trace:
[ 28.139220][ T95] dump_stack+0xef/0x16e
[ 28.143580][ T95] ? dvb_usb_device_exit+0x19a/0x1a0
[ 28.149133][ T95] ? dvb_usb_device_exit+0x19a/0x1a0
[ 28.154590][ T95] print_address_description.constprop.0.cold+0xd3/0x314
[ 28.161764][ T95] ? dvb_usb_device_exit+0x19a/0x1a0
[ 28.167088][ T95] ? dvb_usb_device_exit+0x19a/0x1a0
[ 28.172364][ T95] __kasan_report.cold+0x37/0x77
[ 28.177314][ T95] ? dvb_usb_device_exit+0x19a/0x1a0
[ 28.182726][ T95] kasan_report+0xe/0x20
[ 28.186993][ T95] dvb_usb_device_exit+0x19a/0x1a0
[ 28.192232][ T95] ? dvb_usb_exit+0x290/0x290
[ 28.196922][ T95] ? mark_held_locks+0x9f/0xe0
[ 28.201693][ T95] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 28.207616][ T95] ? lockdep_hardirqs_on+0x382/0x580
[ 28.213038][ T95] ? usb_disable_interface+0x7b/0x1a0
[ 28.218571][ T95] ? __pm_runtime_resume+0x111/0x180
[ 28.223988][ T95] usb_unbind_interface+0x1bd/0x8a0
[ 28.229332][ T95] ? __pm_runtime_idle+0xd1/0x310
[ 28.234359][ T95] ? usb_autoresume_device+0x60/0x60
[ 28.239644][ T95] device_release_driver_internal+0x42f/0x500
[ 28.245869][ T95] bus_remove_device+0x2eb/0x5a0
[ 28.250858][ T95] device_del+0x481/0xd30
[ 28.255183][ T95] ? mark_held_locks+0x9f/0xe0
[ 28.260056][ T95] ? device_create_with_groups+0x120/0x120
[ 28.265877][ T95] ? lockdep_hardirqs_on+0x382/0x580
[ 28.271168][ T95] ? remove_intf_ep_devs+0x13f/0x1d0
[ 28.276457][ T95] usb_disable_device+0x23d/0x790
[ 28.281498][ T95] usb_disconnect+0x293/0x900
[ 28.286177][ T95] hub_event+0x1a1d/0x4300
[ 28.290627][ T95] ? hub_port_debounce+0x350/0x350
[ 28.295838][ T95] ? find_held_lock+0x2d/0x110
[ 28.300598][ T95] ? mark_held_locks+0xe0/0xe0
[ 28.305364][ T95] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 28.310925][ T95] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 28.316335][ T95] process_one_work+0x94b/0x1620
[ 28.321263][ T95] ? pwq_dec_nr_in_flight+0x310/0x310
[ 28.326628][ T95] ? do_raw_spin_lock+0x129/0x290
[ 28.331695][ T95] worker_thread+0x7ab/0xe20
[ 28.336307][ T95] ? process_one_work+0x1620/0x1620
[ 28.341502][ T95] kthread+0x318/0x420
[ 28.345785][ T95] ? kthread_create_on_node+0xf0/0xf0
[ 28.351168][ T95] ret_from_fork+0x24/0x30
[ 28.355671][ T95]
[ 28.358003][ T95] Allocated by task 95:
[ 28.362154][ T95] save_stack+0x1b/0x80
[ 28.366458][ T95] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 28.372250][ T95] __kmalloc_track_caller+0xf0/0x330
[ 28.377536][ T95] kmemdup+0x23/0x50
[ 28.381417][ T95] dw2102_probe+0x627/0xc40
[ 28.386093][ T95] usb_probe_interface+0x310/0x800
[ 28.391304][ T95] really_probe+0x290/0xac0
[ 28.396063][ T95] driver_probe_device+0x223/0x350
[ 28.401169][ T95] __device_attach_driver+0x1d1/0x290
[ 28.406625][ T95] bus_for_each_drv+0x162/0x1e0
[ 28.411474][ T95] __device_attach+0x217/0x390
[ 28.416242][ T95] bus_probe_device+0x1e4/0x290
[ 28.421235][ T95] device_add+0x1459/0x1bf0
[ 28.425731][ T95] usb_set_configuration+0xe47/0x17d0
[ 28.431110][ T95] usb_generic_driver_probe+0x9d/0xe0
[ 28.436687][ T95] usb_probe_device+0xd9/0x230
[ 28.441472][ T95] really_probe+0x290/0xac0
[ 28.445975][ T95] driver_probe_device+0x223/0x350
[ 28.451075][ T95] __device_attach_driver+0x1d1/0x290
[ 28.456436][ T95] bus_for_each_drv+0x162/0x1e0
[ 28.461279][ T95] __device_attach+0x217/0x390
[ 28.466040][ T95] bus_probe_device+0x1e4/0x290
[ 28.470921][ T95] device_add+0x1459/0x1bf0
[ 28.475425][ T95] usb_new_device.cold+0x540/0xcd0
[ 28.480537][ T95] hub_event+0x21cb/0x4300
[ 28.484944][ T95] process_one_work+0x94b/0x1620
[ 28.489872][ T95] worker_thread+0x96/0xe20
[ 28.494391][ T95] kthread+0x318/0x420
[ 28.498448][ T95] ret_from_fork+0x24/0x30
[ 28.502843][ T95]
[ 28.505180][ T95] Freed by task 95:
[ 28.509005][ T95] save_stack+0x1b/0x80
[ 28.513208][ T95] __kasan_slab_free+0x117/0x160
[ 28.518141][ T95] kfree+0xd5/0x300
[ 28.521946][ T95] dw2102_probe+0x871/0xc40
[ 28.526450][ T95] usb_probe_interface+0x310/0x800
[ 28.531742][ T95] really_probe+0x290/0xac0
[ 28.536272][ T95] driver_probe_device+0x223/0x350
[ 28.541370][ T95] __device_attach_driver+0x1d1/0x290
[ 28.546756][ T95] bus_for_each_drv+0x162/0x1e0
[ 28.551603][ T95] __device_attach+0x217/0x390
[ 28.556436][ T95] bus_probe_device+0x1e4/0x290
[ 28.561284][ T95] device_add+0x1459/0x1bf0
[ 28.565789][ T95] usb_set_configuration+0xe47/0x17d0
[ 28.571153][ T95] usb_generic_driver_probe+0x9d/0xe0
[ 28.576522][ T95] usb_probe_device+0xd9/0x230
[ 28.581530][ T95] really_probe+0x290/0xac0
[ 28.586021][ T95] driver_probe_device+0x223/0x350
[ 28.591122][ T95] __device_attach_driver+0x1d1/0x290
[ 28.596705][ T95] bus_for_each_drv+0x162/0x1e0
[ 28.601544][ T95] __device_attach+0x217/0x390
[ 28.606442][ T95] bus_probe_device+0x1e4/0x290
[ 28.611293][ T95] device_add+0x1459/0x1bf0
[ 28.615789][ T95] usb_new_device.cold+0x540/0xcd0
[ 28.620899][ T95] hub_event+0x21cb/0x4300
[ 28.625319][ T95] process_one_work+0x94b/0x1620
[ 28.630469][ T95] worker_thread+0x96/0xe20
[ 28.634970][ T95] kthread+0x318/0x420
[ 28.639043][ T95] ret_from_fork+0x24/0x30
[ 28.643438][ T95]
[ 28.645749][ T95] The buggy address belongs to the object at ffff8881cde22000
[ 28.645749][ T95] which belongs to the cache kmalloc-4k of size 4096
[ 28.659924][ T95] The buggy address is located 744 bytes inside of
[ 28.659924][ T95] 4096-byte region [ffff8881cde22000, ffff8881cde23000)
[ 28.673280][ T95] The buggy address belongs to the page:
[ 28.678916][ T95] page:ffffea0007378800 refcount:1 mapcount:0 mapping:ffff8881da00c280 index:0x0 compound_mapcount: 0
[ 28.689902][ T95] flags: 0x200000000010200(slab|head)
[ 28.695275][ T95] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c280
[ 28.703856][ T95] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 28.712501][ T95] page dumped because: kasan: bad access detected
[ 28.718910][ T95]
[ 28.721294][ T95] Memory state around the buggy address:
[ 28.726919][ T95] ffff8881cde22180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.734971][ T95] ffff8881cde22200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.743023][ T95] >ffff8881cde22280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.751082][ T95] ^
[ 28.758634][ T95] ffff8881cde22300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.766742][ T95] ffff8881cde22380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.774799][ T95] ==================================================================
[ 28.782851][ T95] Disabling lock debugging due to kernel taint
[ 28.789072][ T95] Kernel panic - not syncing: panic_on_warn set ...
[ 28.796002][ T95] CPU: 1 PID: 95 Comm: kworker/1:2 Tainted: G B 5.6.0-rc3-syzkaller #0
[ 28.805643][ T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.815853][ T95] Workqueue: usb_hub_wq hub_event
[ 28.820872][ T95] Call Trace:
[ 28.824341][ T95] dump_stack+0xef/0x16e
[ 28.828683][ T95] panic+0x2aa/0x6e1
[ 28.832638][ T95] ? add_taint.cold+0x16/0x16
[ 28.837321][ T95] ? retint_kernel+0x10/0x10
[ 28.842167][ T95] ? trace_hardirqs_on+0x55/0x200
[ 28.847176][ T95] ? dvb_usb_device_exit+0x19a/0x1a0
[ 28.852456][ T95] end_report+0x43/0x49
[ 28.856606][ T95] ? dvb_usb_device_exit+0x19a/0x1a0
[ 28.862000][ T95] __kasan_report.cold+0x55/0x77
[ 28.866933][ T95] ? dvb_usb_device_exit+0x19a/0x1a0
[ 28.872235][ T95] kasan_report+0xe/0x20
[ 28.876496][ T95] dvb_usb_device_exit+0x19a/0x1a0
[ 28.881631][ T95] ? dvb_usb_exit+0x290/0x290
[ 28.886295][ T95] ? mark_held_locks+0x9f/0xe0
[ 28.891040][ T95] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 28.896840][ T95] ? lockdep_hardirqs_on+0x382/0x580
[ 28.902114][ T95] ? usb_disable_interface+0x7b/0x1a0
[ 28.907622][ T95] ? __pm_runtime_resume+0x111/0x180
[ 28.912928][ T95] usb_unbind_interface+0x1bd/0x8a0
[ 28.918150][ T95] ? __pm_runtime_idle+0xd1/0x310
[ 28.923181][ T95] ? usb_autoresume_device+0x60/0x60
[ 28.928476][ T95] device_release_driver_internal+0x42f/0x500
[ 28.934790][ T95] bus_remove_device+0x2eb/0x5a0
[ 28.939720][ T95] device_del+0x481/0xd30
[ 28.944034][ T95] ? mark_held_locks+0x9f/0xe0
[ 28.948777][ T95] ? device_create_with_groups+0x120/0x120
[ 28.954580][ T95] ? lockdep_hardirqs_on+0x382/0x580
[ 28.959861][ T95] ? remove_intf_ep_devs+0x13f/0x1d0
[ 28.965148][ T95] usb_disable_device+0x23d/0x790
[ 28.970176][ T95] usb_disconnect+0x293/0x900
[ 28.974860][ T95] hub_event+0x1a1d/0x4300
[ 28.979262][ T95] ? hub_port_debounce+0x350/0x350
[ 28.984365][ T95] ? find_held_lock+0x2d/0x110
[ 28.989218][ T95] ? mark_held_locks+0xe0/0xe0
[ 28.993977][ T95] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 28.999643][ T95] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 29.004930][ T95] process_one_work+0x94b/0x1620
[ 29.009870][ T95] ? pwq_dec_nr_in_flight+0x310/0x310
[ 29.015247][ T95] ? do_raw_spin_lock+0x129/0x290
[ 29.020282][ T95] worker_thread+0x7ab/0xe20
[ 29.024868][ T95] ? process_one_work+0x1620/0x1620
[ 29.030062][ T95] kthread+0x318/0x420
[ 29.034251][ T95] ? kthread_create_on_node+0xf0/0xf0
[ 29.039779][ T95] ret_from_fork+0x24/0x30
[ 29.044329][ T95] Kernel Offset: disabled
[ 29.048650][ T95] Rebooting in 86400 seconds..