INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.212' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 26.843227][ T83] usb 1-1: new low-speed USB device number 2 using dummy_hcd
[ 27.222818][ T83] usb 1-1: config 0 has an invalid interface number: 111 but max is 0
[ 27.231207][ T83] usb 1-1: config 0 has no interface number 0
[ 27.237486][ T83] usb 1-1: New USB device found, idVendor=9022, idProduct=d421, bcdDevice=bd.e4
[ 27.246537][ T83] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 27.255818][ T83] usb 1-1: config 0 descriptor??
[ 27.295158][ T83] dw2102: su3000_identify_state
[ 27.300145][ T83] dvb-usb: found a 'TeVii S421 PCI' in warm state.
[ 27.306879][ T83] dw2102: su3000_power_ctrl: 1, initialized 0
[ 27.313162][ T83] dvb-usb: bulk message failed: -22 (2/256)
[ 27.320402][ T83] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[ 27.343054][ T83] dvbdev: DVB: registering new adapter (TeVii S421 PCI)
[ 27.350157][ T83] usb 1-1: media controller created
[ 27.355699][ T83] dvb-usb: bulk message failed: -22 (6/-2036301600)
[ 27.362349][ T83] dw2102: i2c transfer failed.
[ 27.367240][ T83] dvb-usb: bulk message failed: -22 (6/-2036301600)
[ 27.373860][ T83] dw2102: i2c transfer failed.
[ 27.378614][ T83] dvb-usb: bulk message failed: -22 (6/-2036301600)
[ 27.385254][ T83] dw2102: i2c transfer failed.
[ 27.390207][ T83] dvb-usb: bulk message failed: -22 (6/-2036301600)
[ 27.396835][ T83] dw2102: i2c transfer failed.
[ 27.401602][ T83] dvb-usb: bulk message failed: -22 (6/-2036301600)
[ 27.408218][ T83] dw2102: i2c transfer failed.
[ 27.413015][ T83] dvb-usb: bulk message failed: -22 (6/-2036301600)
[ 27.419583][ T83] dw2102: i2c transfer failed.
[ 27.424383][ T83] dvb-usb: MAC address: 02:02:02:02:02:02
[ 27.433991][ T83] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
[ 27.449262][ T83] dvb-usb: bulk message failed: -22 (1/0)
[ 27.455113][ T83] dw2102: command 0x51 transfer failed.
[ 27.462105][ T83] dvb-usb: bulk message failed: -22 (5/-2036301600)
[ 27.468868][ T83] dw2102: i2c transfer failed.
[ 27.473805][ T83] dvb-usb: bulk message failed: -22 (5/-2036301600)
[ 27.480394][ T83] dw2102: i2c transfer failed.
[ 27.485228][ T83] dvb-usb: bulk message failed: -22 (5/-2036301600)
[ 27.491804][ T83] dw2102: i2c transfer failed.
executing program
[ 27.497642][ T83] dvb-usb: bulk message failed: -22 (5/-2036301600)
[ 27.504468][ T83] dw2102: i2c transfer failed.
[ 27.509252][ T83] dvb-usb: bulk message failed: -22 (5/-2036301600)
[ 27.515883][ T83] dw2102: i2c transfer failed.
[ 27.520655][ T83] dvb-usb: bulk message failed: -22 (5/-2036301600)
[ 27.527269][ T83] dw2102: i2c transfer failed.
[ 27.573226][ T83] dvb-usb: bulk message failed: -22 (5/-2036301600)
[ 27.579920][ T83] dw2102: i2c transfer failed.
[ 27.584753][ T83] dvb-usb: bulk message failed: -22 (5/-2036301600)
[ 27.591477][ T83] dw2102: i2c transfer failed.
[ 27.596449][ T83] dvb-usb: bulk message failed: -22 (5/-2036301600)
[ 27.603154][ T83] dw2102: i2c transfer failed.
[ 27.607925][ T83] dvb-usb: bulk message failed: -22 (5/-2036301600)
[ 27.614604][ T83] dw2102: i2c transfer failed.
[ 27.619383][ T83] dvb-usb: bulk message failed: -22 (5/-2036301600)
[ 27.625991][ T83] dw2102: i2c transfer failed.
[ 27.630758][ T83] dvb-usb: bulk message failed: -22 (5/-2036301600)
[ 27.637372][ T83] dw2102: i2c transfer failed.
[ 27.642182][ T83] ts2020 0-0060: Montage Technology TS2020 successfully identified
[ 27.650740][ T83] dw2102: Attached RS2000/TS2020!
[ 27.656333][ T83] usb 1-1: DVB: registering adapter 0 frontend 0 (M88RS2000 DVB-S)...
[ 27.664741][ T83] dvbdev: dvb_create_media_entity: media entity 'M88RS2000 DVB-S' registered.
[ 27.722981][ T83] Registered IR keymap rc-su3000
[ 27.728696][ T83] rc rc0: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0
[ 27.738066][ T83] input: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input5
[ 27.748497][ T83] dvb-usb: schedule remote query interval to 150 msecs.
[ 27.755531][ T83] dw2102: su3000_power_ctrl: 0, initialized 1
[ 27.761600][ T83] dvb-usb: TeVii S421 PCI successfully initialized and connected.
[ 27.770731][ T83] usb 1-1: USB disconnect, device number 2
[ 27.777185][ T83] ==================================================================
[ 27.785483][ T83] BUG: KASAN: use-after-free in dvb_usb_device_exit+0x19a/0x1a0
[ 27.793325][ T83] Read of size 8 at addr ffff8881d368e2e8 by task kworker/1:2/83
[ 27.801044][ T83]
[ 27.803361][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.4.0-rc6+ #0
[ 27.810711][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.820772][ T83] Workqueue: usb_hub_wq hub_event
[ 27.825770][ T83] Call Trace:
[ 27.829047][ T83] dump_stack+0xca/0x13e
[ 27.833270][ T83] ? dvb_usb_device_exit+0x19a/0x1a0
[ 27.838530][ T83] ? dvb_usb_device_exit+0x19a/0x1a0
[ 27.843874][ T83] print_address_description.constprop.0+0x36/0x50
[ 27.850441][ T83] ? dvb_usb_device_exit+0x19a/0x1a0
[ 27.855720][ T83] ? dvb_usb_device_exit+0x19a/0x1a0
[ 27.861029][ T83] __kasan_report.cold+0x1a/0x33
[ 27.865957][ T83] ? dvb_usb_device_exit+0x19a/0x1a0
[ 27.871312][ T83] kasan_report+0xe/0x20
[ 27.875535][ T83] dvb_usb_device_exit+0x19a/0x1a0
[ 27.880624][ T83] ? dvb_usb_exit+0x290/0x290
[ 27.885285][ T83] ? mark_held_locks+0x9f/0xe0
[ 27.890026][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 27.895807][ T83] ? lockdep_hardirqs_on+0x382/0x580
[ 27.901071][ T83] ? usb_disable_interface+0x7b/0x1a0
[ 27.906432][ T83] ? __pm_runtime_resume+0x111/0x180
[ 27.911715][ T83] usb_unbind_interface+0x1bd/0x8a0
[ 27.916896][ T83] ? usb_autoresume_device+0x60/0x60
[ 27.922250][ T83] device_release_driver_internal+0x42f/0x500
[ 27.928308][ T83] bus_remove_device+0x2dc/0x4a0
[ 27.933224][ T83] device_del+0x420/0xb20
[ 27.937547][ T83] ? __device_link_del+0x2f0/0x2f0
[ 27.942641][ T83] ? lockdep_hardirqs_on+0x382/0x580
[ 27.947904][ T83] ? remove_intf_ep_devs+0x13f/0x1d0
[ 27.953178][ T83] usb_disable_device+0x211/0x690
[ 27.958204][ T83] usb_disconnect+0x284/0x8d0
[ 27.962866][ T83] hub_event+0x16f2/0x3800
[ 27.967271][ T83] ? hub_port_debounce+0x260/0x260
[ 27.972371][ T83] ? find_held_lock+0x2d/0x110
[ 27.977119][ T83] ? mark_held_locks+0xe0/0xe0
[ 27.981862][ T83] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 27.987389][ T83] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 27.992665][ T83] process_one_work+0x92b/0x1530
[ 27.997589][ T83] ? pwq_dec_nr_in_flight+0x310/0x310
[ 28.002936][ T83] ? do_raw_spin_lock+0x11a/0x280
[ 28.007937][ T83] worker_thread+0x7ab/0xe20
[ 28.012504][ T83] ? process_one_work+0x1530/0x1530
[ 28.017683][ T83] kthread+0x318/0x420
[ 28.021731][ T83] ? kthread_create_on_node+0xf0/0xf0
[ 28.027079][ T83] ret_from_fork+0x24/0x30
[ 28.031480][ T83]
[ 28.033789][ T83] Allocated by task 83:
[ 28.037928][ T83] save_stack+0x1b/0x80
[ 28.042059][ T83] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 28.047667][ T83] __kmalloc_track_caller+0xf0/0x310
[ 28.052933][ T83] kmemdup+0x23/0x50
[ 28.056807][ T83] dw2102_probe+0x627/0xc40
[ 28.061290][ T83] usb_probe_interface+0x305/0x7a0
[ 28.066381][ T83] really_probe+0x281/0x6d0
[ 28.070873][ T83] driver_probe_device+0x104/0x210
[ 28.075961][ T83] __device_attach_driver+0x1c2/0x220
[ 28.081326][ T83] bus_for_each_drv+0x162/0x1e0
[ 28.086156][ T83] __device_attach+0x217/0x360
[ 28.090893][ T83] bus_probe_device+0x1e4/0x290
[ 28.095733][ T83] device_add+0xae6/0x16f0
[ 28.100129][ T83] usb_set_configuration+0xdf6/0x1670
[ 28.105476][ T83] generic_probe+0x9d/0xd5
[ 28.109866][ T83] usb_probe_device+0x99/0x100
[ 28.114629][ T83] really_probe+0x281/0x6d0
[ 28.119122][ T83] driver_probe_device+0x104/0x210
[ 28.124213][ T83] __device_attach_driver+0x1c2/0x220
[ 28.129560][ T83] bus_for_each_drv+0x162/0x1e0
[ 28.134388][ T83] __device_attach+0x217/0x360
[ 28.139144][ T83] bus_probe_device+0x1e4/0x290
[ 28.143971][ T83] device_add+0xae6/0x16f0
[ 28.148364][ T83] usb_new_device.cold+0x6a4/0xe79
[ 28.153450][ T83] hub_event+0x1df8/0x3800
[ 28.157845][ T83] process_one_work+0x92b/0x1530
[ 28.162760][ T83] worker_thread+0x96/0xe20
[ 28.167238][ T83] kthread+0x318/0x420
[ 28.171297][ T83] ret_from_fork+0x24/0x30
[ 28.176551][ T83]
[ 28.178874][ T83] Freed by task 83:
[ 28.182671][ T83] save_stack+0x1b/0x80
[ 28.186822][ T83] __kasan_slab_free+0x130/0x180
[ 28.191782][ T83] kfree+0xe4/0x320
[ 28.195580][ T83] dw2102_probe+0x871/0xc40
[ 28.200081][ T83] usb_probe_interface+0x305/0x7a0
[ 28.205172][ T83] really_probe+0x281/0x6d0
[ 28.209697][ T83] driver_probe_device+0x104/0x210
[ 28.214787][ T83] __device_attach_driver+0x1c2/0x220
[ 28.220136][ T83] bus_for_each_drv+0x162/0x1e0
[ 28.224980][ T83] __device_attach+0x217/0x360
[ 28.229722][ T83] bus_probe_device+0x1e4/0x290
[ 28.234548][ T83] device_add+0xae6/0x16f0
[ 28.238943][ T83] usb_set_configuration+0xdf6/0x1670
[ 28.244292][ T83] generic_probe+0x9d/0xd5
[ 28.248687][ T83] usb_probe_device+0x99/0x100
[ 28.253439][ T83] really_probe+0x281/0x6d0
[ 28.257924][ T83] driver_probe_device+0x104/0x210
[ 28.263017][ T83] __device_attach_driver+0x1c2/0x220
[ 28.268364][ T83] bus_for_each_drv+0x162/0x1e0
[ 28.273205][ T83] __device_attach+0x217/0x360
[ 28.277977][ T83] bus_probe_device+0x1e4/0x290
[ 28.282817][ T83] device_add+0xae6/0x16f0
[ 28.287264][ T83] usb_new_device.cold+0x6a4/0xe79
[ 28.292359][ T83] hub_event+0x1df8/0x3800
[ 28.296755][ T83] process_one_work+0x92b/0x1530
[ 28.301668][ T83] worker_thread+0x96/0xe20
[ 28.306148][ T83] kthread+0x318/0x420
[ 28.310195][ T83] ret_from_fork+0x24/0x30
[ 28.314580][ T83]
[ 28.316892][ T83] The buggy address belongs to the object at ffff8881d368e000
[ 28.316892][ T83] which belongs to the cache kmalloc-4k of size 4096
[ 28.330926][ T83] The buggy address is located 744 bytes inside of
[ 28.330926][ T83] 4096-byte region [ffff8881d368e000, ffff8881d368f000)
[ 28.344256][ T83] The buggy address belongs to the page:
[ 28.349879][ T83] page:ffffea00074da200 refcount:1 mapcount:0 mapping:ffff8881da00c280 index:0x0 compound_mapcount: 0
[ 28.360787][ T83] flags: 0x200000000010200(slab|head)
[ 28.366138][ T83] raw: 0200000000010200 0000000000000000 0000000200000001 ffff8881da00c280
[ 28.375006][ T83] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 28.383587][ T83] page dumped because: kasan: bad access detected
[ 28.389980][ T83]
[ 28.392293][ T83] Memory state around the buggy address:
[ 28.397903][ T83] ffff8881d368e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.405959][ T83] ffff8881d368e200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.414007][ T83] >ffff8881d368e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.422057][ T83] ^
[ 28.429495][ T83] ffff8881d368e300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.437545][ T83] ffff8881d368e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.445581][ T83] ==================================================================
[ 28.453625][ T83] Disabling lock debugging due to kernel taint
[ 28.459818][ T83] Kernel panic - not syncing: panic_on_warn set ...
[ 28.466399][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Tainted: G B 5.4.0-rc6+ #0
[ 28.475129][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.485170][ T83] Workqueue: usb_hub_wq hub_event
[ 28.490181][ T83] Call Trace:
[ 28.493450][ T83] dump_stack+0xca/0x13e
[ 28.497667][ T83] panic+0x2aa/0x6e1
[ 28.501536][ T83] ? add_taint.cold+0x16/0x16
[ 28.506188][ T83] ? retint_kernel+0x10/0x10
[ 28.510767][ T83] ? trace_hardirqs_on+0x55/0x1e0
[ 28.515770][ T83] ? dvb_usb_device_exit+0x19a/0x1a0
[ 28.521034][ T83] end_report+0x43/0x49
[ 28.525167][ T83] ? dvb_usb_device_exit+0x19a/0x1a0
[ 28.530423][ T83] __kasan_report.cold+0xd/0x33
[ 28.535271][ T83] ? dvb_usb_device_exit+0x19a/0x1a0
[ 28.540537][ T83] kasan_report+0xe/0x20
[ 28.544772][ T83] dvb_usb_device_exit+0x19a/0x1a0
[ 28.549856][ T83] ? dvb_usb_exit+0x290/0x290
[ 28.554524][ T83] ? mark_held_locks+0x9f/0xe0
[ 28.559291][ T83] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 28.565095][ T83] ? lockdep_hardirqs_on+0x382/0x580
[ 28.570360][ T83] ? usb_disable_interface+0x7b/0x1a0
[ 28.575705][ T83] ? __pm_runtime_resume+0x111/0x180
[ 28.580981][ T83] usb_unbind_interface+0x1bd/0x8a0
[ 28.586170][ T83] ? usb_autoresume_device+0x60/0x60
[ 28.591436][ T83] device_release_driver_internal+0x42f/0x500
[ 28.597555][ T83] bus_remove_device+0x2dc/0x4a0
[ 28.602478][ T83] device_del+0x420/0xb20
[ 28.606785][ T83] ? __device_link_del+0x2f0/0x2f0
[ 28.611935][ T83] ? lockdep_hardirqs_on+0x382/0x580
[ 28.617196][ T83] ? remove_intf_ep_devs+0x13f/0x1d0
[ 28.622451][ T83] usb_disable_device+0x211/0x690
[ 28.627452][ T83] usb_disconnect+0x284/0x8d0
[ 28.632102][ T83] hub_event+0x16f2/0x3800
[ 28.636512][ T83] ? hub_port_debounce+0x260/0x260
[ 28.641611][ T83] ? find_held_lock+0x2d/0x110
[ 28.646354][ T83] ? mark_held_locks+0xe0/0xe0
[ 28.651093][ T83] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 28.656614][ T83] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 28.661875][ T83] process_one_work+0x92b/0x1530
[ 28.666787][ T83] ? pwq_dec_nr_in_flight+0x310/0x310
[ 28.672132][ T83] ? do_raw_spin_lock+0x11a/0x280
[ 28.677146][ T83] worker_thread+0x7ab/0xe20
[ 28.681732][ T83] ? process_one_work+0x1530/0x1530
[ 28.686911][ T83] kthread+0x318/0x420
[ 28.690956][ T83] ? kthread_create_on_node+0xf0/0xf0
[ 28.696305][ T83] ret_from_fork+0x24/0x30
[ 28.701442][ T83] Kernel Offset: disabled
[ 28.705763][ T83] Rebooting in 86400 seconds..