[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ 13.653582][ C1] random: crng init done
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.243' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 36.807337][ T94] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 37.017398][ T94] usb 1-1: config 0 has an invalid interface number: 227 but max is 0
[ 37.025642][ T94] usb 1-1: config 0 has no interface number 0
[ 37.031826][ T94] usb 1-1: New USB device found, idVendor=9022, idProduct=d632, bcdDevice=bb.88
[ 37.041008][ T94] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 37.050741][ T94] usb 1-1: config 0 descriptor??
executing program
[ 37.327607][ T94] usb 1-1: string descriptor 0 read error: -71
[ 37.335713][ T94] dw2102: su3000_identify_state
[ 37.340707][ T94] dvb-usb: found a 'TeVii S632 USB' in warm state.
[ 37.347338][ T94] dw2102: su3000_power_ctrl: 1, initialized 0
[ 37.353527][ T94] dvb-usb: bulk message failed: -22 (2/0)
[ 37.360939][ T94] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[ 37.387673][ T94] dvbdev: DVB: registering new adapter (TeVii S632 USB)
[ 37.394726][ T94] usb 1-1: media controller created
[ 37.400304][ T94] dvb-usb: bulk message failed: -22 (6/0)
[ 37.406066][ T94] dw2102: i2c transfer failed.
[ 37.411040][ T94] dvb-usb: bulk message failed: -22 (6/0)
[ 37.416750][ T94] dw2102: i2c transfer failed.
[ 37.421827][ T94] dvb-usb: bulk message failed: -22 (6/0)
[ 37.427623][ T94] dw2102: i2c transfer failed.
[ 37.432381][ T94] dvb-usb: bulk message failed: -22 (6/0)
[ 37.438128][ T94] dw2102: i2c transfer failed.
[ 37.442900][ T94] dvb-usb: bulk message failed: -22 (6/0)
[ 37.448736][ T94] dw2102: i2c transfer failed.
[ 37.453512][ T94] dvb-usb: bulk message failed: -22 (6/0)
[ 37.459264][ T94] dw2102: i2c transfer failed.
[ 37.464107][ T94] dvb-usb: MAC address: 02:02:02:02:02:02
[ 37.474644][ T94] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
[ 37.489479][ T94] dvb-usb: bulk message failed: -22 (1/0)
[ 37.495216][ T94] dw2102: command 0x51 transfer failed.
[ 37.502150][ T94] dvb-usb: bulk message failed: -22 (5/0)
[ 37.507988][ T94] dw2102: i2c transfer failed.
[ 37.512883][ T94] dvb-usb: bulk message failed: -22 (5/0)
[ 37.518676][ T94] dw2102: i2c transfer failed.
[ 37.523487][ T94] dvb-usb: bulk message failed: -22 (5/0)
[ 37.529239][ T94] dw2102: i2c transfer failed.
[ 37.534030][ T94] dvb-usb: bulk message failed: -22 (5/0)
[ 37.539803][ T94] dw2102: i2c transfer failed.
[ 37.544592][ T94] dvb-usb: bulk message failed: -22 (5/0)
[ 37.550342][ T94] dw2102: i2c transfer failed.
[ 37.555135][ T94] dvb-usb: bulk message failed: -22 (5/0)
[ 37.560878][ T94] dw2102: i2c transfer failed.
[ 37.615744][ T94] dvb-usb: bulk message failed: -22 (5/0)
[ 37.621501][ T94] dw2102: i2c transfer failed.
[ 37.626263][ T94] dvb-usb: bulk message failed: -22 (5/0)
[ 37.632026][ T94] dw2102: i2c transfer failed.
[ 37.636793][ T94] dvb-usb: bulk message failed: -22 (5/0)
[ 37.642604][ T94] dw2102: i2c transfer failed.
[ 37.647411][ T94] dvb-usb: bulk message failed: -22 (5/0)
[ 37.653107][ T94] dw2102: i2c transfer failed.
[ 37.657944][ T94] dvb-usb: bulk message failed: -22 (5/0)
[ 37.663660][ T94] dw2102: i2c transfer failed.
[ 37.668486][ T94] dvb-usb: bulk message failed: -22 (5/0)
[ 37.674198][ T94] dw2102: i2c transfer failed.
[ 37.679007][ T94] ts2020 0-0060: Montage Technology TS2020 successfully identified
[ 37.687359][ T94] dw2102: Attached RS2000/TS2020!
[ 37.692503][ T94] usb 1-1: DVB: registering adapter 0 frontend 0 (M88RS2000 DVB-S)...
[ 37.700949][ T94] dvbdev: dvb_create_media_entity: media entity 'M88RS2000 DVB-S' registered.
[ 37.757517][ T94] Registered IR keymap rc-su3000
[ 37.763291][ T94] rc rc0: TeVii S632 USB as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0
[ 37.772815][ T94] input: TeVii S632 USB as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input5
[ 37.783157][ T94] dvb-usb: schedule remote query interval to 150 msecs.
[ 37.790173][ T94] dw2102: su3000_power_ctrl: 0, initialized 1
[ 37.796236][ T94] dvb-usb: TeVii S632 USB successfully initialized and connected.
[ 37.805296][ T94] usb 1-1: USB disconnect, device number 2
[ 37.811932][ T94] ==================================================================
[ 37.820071][ T94] BUG: KASAN: use-after-free in dvb_usb_device_exit+0x19a/0x1a0
[ 37.827756][ T94] Read of size 8 at addr ffff8881cdda43e0 by task kworker/0:2/94
[ 37.835442][ T94]
[ 37.837748][ T94] CPU: 0 PID: 94 Comm: kworker/0:2 Not tainted 5.6.0-rc3-syzkaller #0
[ 37.845867][ T94] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.855901][ T94] Workqueue: usb_hub_wq hub_event
[ 37.860914][ T94] Call Trace:
[ 37.864188][ T94] dump_stack+0xef/0x16e
[ 37.868410][ T94] ? dvb_usb_device_exit+0x19a/0x1a0
[ 37.873680][ T94] ? dvb_usb_device_exit+0x19a/0x1a0
[ 37.878971][ T94] print_address_description.constprop.0.cold+0xd3/0x314
[ 37.885994][ T94] ? dvb_usb_device_exit+0x19a/0x1a0
[ 37.891267][ T94] ? dvb_usb_device_exit+0x19a/0x1a0
[ 37.896528][ T94] __kasan_report.cold+0x37/0x77
[ 37.901454][ T94] ? dvb_usb_device_exit+0x19a/0x1a0
[ 37.906712][ T94] kasan_report+0xe/0x20
[ 37.910927][ T94] dvb_usb_device_exit+0x19a/0x1a0
[ 37.916026][ T94] ? dvb_usb_exit+0x290/0x290
[ 37.920676][ T94] ? mark_held_locks+0x9f/0xe0
[ 37.925430][ T94] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 37.931226][ T94] ? lockdep_hardirqs_on+0x382/0x580
[ 37.936482][ T94] ? usb_disable_interface+0x7b/0x1a0
[ 37.941934][ T94] ? __pm_runtime_resume+0x111/0x180
[ 37.947196][ T94] usb_unbind_interface+0x1bd/0x8a0
[ 37.952690][ T94] ? __pm_runtime_idle+0xd1/0x310
[ 37.957709][ T94] ? usb_autoresume_device+0x60/0x60
[ 37.962977][ T94] device_release_driver_internal+0x42f/0x500
[ 37.969013][ T94] bus_remove_device+0x2eb/0x5a0
[ 37.973957][ T94] device_del+0x481/0xd30
[ 37.978258][ T94] ? mark_held_locks+0x9f/0xe0
[ 37.983014][ T94] ? device_create_with_groups+0x120/0x120
[ 37.988792][ T94] ? lockdep_hardirqs_on+0x382/0x580
[ 37.994048][ T94] ? remove_intf_ep_devs+0x13f/0x1d0
[ 37.999316][ T94] usb_disable_device+0x23d/0x790
[ 38.004309][ T94] usb_disconnect+0x293/0x900
[ 38.008969][ T94] hub_event+0x1a1d/0x4300
[ 38.013372][ T94] ? hub_port_debounce+0x350/0x350
[ 38.018455][ T94] ? find_held_lock+0x2d/0x110
[ 38.023188][ T94] ? mark_held_locks+0xe0/0xe0
[ 38.027938][ T94] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 38.033524][ T94] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 38.038799][ T94] process_one_work+0x94b/0x1620
[ 38.043735][ T94] ? pwq_dec_nr_in_flight+0x310/0x310
[ 38.049136][ T94] ? do_raw_spin_lock+0x129/0x290
[ 38.054133][ T94] worker_thread+0x7ab/0xe20
[ 38.058709][ T94] ? process_one_work+0x1620/0x1620
[ 38.063881][ T94] kthread+0x318/0x420
[ 38.067947][ T94] ? kthread_create_on_node+0xf0/0xf0
[ 38.073303][ T94] ret_from_fork+0x24/0x30
[ 38.077687][ T94]
[ 38.079986][ T94] Allocated by task 94:
[ 38.084109][ T94] save_stack+0x1b/0x80
[ 38.088235][ T94] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 38.093847][ T94] __kmalloc_track_caller+0xf0/0x330
[ 38.099139][ T94] kmemdup+0x23/0x50
[ 38.103053][ T94] dw2102_probe+0x627/0xc40
[ 38.107525][ T94] usb_probe_interface+0x310/0x800
[ 38.112602][ T94] really_probe+0x290/0xac0
[ 38.117073][ T94] driver_probe_device+0x223/0x350
[ 38.122151][ T94] __device_attach_driver+0x1d1/0x290
[ 38.127499][ T94] bus_for_each_drv+0x162/0x1e0
[ 38.132328][ T94] __device_attach+0x217/0x390
[ 38.137057][ T94] bus_probe_device+0x1e4/0x290
[ 38.141875][ T94] device_add+0x1459/0x1bf0
[ 38.146358][ T94] usb_set_configuration+0xe47/0x17d0
[ 38.151715][ T94] usb_generic_driver_probe+0x9d/0xe0
[ 38.157057][ T94] usb_probe_device+0xd9/0x230
[ 38.161790][ T94] really_probe+0x290/0xac0
[ 38.166261][ T94] driver_probe_device+0x223/0x350
[ 38.171348][ T94] __device_attach_driver+0x1d1/0x290
[ 38.176713][ T94] bus_for_each_drv+0x162/0x1e0
[ 38.181581][ T94] __device_attach+0x217/0x390
[ 38.186311][ T94] bus_probe_device+0x1e4/0x290
[ 38.191127][ T94] device_add+0x1459/0x1bf0
[ 38.195599][ T94] usb_new_device.cold+0x540/0xcd0
[ 38.200692][ T94] hub_event+0x21cb/0x4300
[ 38.205079][ T94] process_one_work+0x94b/0x1620
[ 38.209999][ T94] worker_thread+0x96/0xe20
[ 38.214481][ T94] kthread+0x318/0x420
[ 38.218529][ T94] ret_from_fork+0x24/0x30
[ 38.222910][ T94]
[ 38.225207][ T94] Freed by task 94:
[ 38.229030][ T94] save_stack+0x1b/0x80
[ 38.233171][ T94] __kasan_slab_free+0x117/0x160
[ 38.238086][ T94] kfree+0xd5/0x300
[ 38.241878][ T94] dw2102_probe+0x871/0xc40
[ 38.246393][ T94] usb_probe_interface+0x310/0x800
[ 38.251484][ T94] really_probe+0x290/0xac0
[ 38.255963][ T94] driver_probe_device+0x223/0x350
[ 38.261047][ T94] __device_attach_driver+0x1d1/0x290
[ 38.266412][ T94] bus_for_each_drv+0x162/0x1e0
[ 38.271379][ T94] __device_attach+0x217/0x390
[ 38.276115][ T94] bus_probe_device+0x1e4/0x290
[ 38.280938][ T94] device_add+0x1459/0x1bf0
[ 38.285414][ T94] usb_set_configuration+0xe47/0x17d0
[ 38.290774][ T94] usb_generic_driver_probe+0x9d/0xe0
[ 38.296116][ T94] usb_probe_device+0xd9/0x230
[ 38.300852][ T94] really_probe+0x290/0xac0
[ 38.305333][ T94] driver_probe_device+0x223/0x350
[ 38.310422][ T94] __device_attach_driver+0x1d1/0x290
[ 38.315771][ T94] bus_for_each_drv+0x162/0x1e0
[ 38.320652][ T94] __device_attach+0x217/0x390
[ 38.325388][ T94] bus_probe_device+0x1e4/0x290
[ 38.330214][ T94] device_add+0x1459/0x1bf0
[ 38.334728][ T94] usb_new_device.cold+0x540/0xcd0
[ 38.339847][ T94] hub_event+0x21cb/0x4300
[ 38.344240][ T94] process_one_work+0x94b/0x1620
[ 38.349154][ T94] worker_thread+0x96/0xe20
[ 38.353688][ T94] kthread+0x318/0x420
[ 38.357739][ T94] ret_from_fork+0x24/0x30
[ 38.362128][ T94]
[ 38.364437][ T94] The buggy address belongs to the object at ffff8881cdda4000
[ 38.364437][ T94] which belongs to the cache kmalloc-4k of size 4096
[ 38.378472][ T94] The buggy address is located 992 bytes inside of
[ 38.378472][ T94] 4096-byte region [ffff8881cdda4000, ffff8881cdda5000)
[ 38.391801][ T94] The buggy address belongs to the page:
[ 38.397408][ T94] page:ffffea0007376800 refcount:1 mapcount:0 mapping:ffff8881da00c280 index:0x0 compound_mapcount: 0
[ 38.408307][ T94] flags: 0x200000000010200(slab|head)
[ 38.413657][ T94] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c280
[ 38.422235][ T94] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 38.430795][ T94] page dumped because: kasan: bad access detected
[ 38.437174][ T94]
[ 38.439471][ T94] Memory state around the buggy address:
[ 38.445085][ T94] ffff8881cdda4280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.453119][ T94] ffff8881cdda4300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.461159][ T94] >ffff8881cdda4380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.469193][ T94] ^
[ 38.476359][ T94] ffff8881cdda4400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.484499][ T94] ffff8881cdda4480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.492541][ T94] ==================================================================
[ 38.500570][ T94] Disabling lock debugging due to kernel taint
[ 38.506908][ T94] Kernel panic - not syncing: panic_on_warn set ...
[ 38.513487][ T94] CPU: 0 PID: 94 Comm: kworker/0:2 Tainted: G B 5.6.0-rc3-syzkaller #0
[ 38.522997][ T94] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.533025][ T94] Workqueue: usb_hub_wq hub_event
[ 38.538016][ T94] Call Trace:
[ 38.541276][ T94] dump_stack+0xef/0x16e
[ 38.545538][ T94] panic+0x2aa/0x6e1
[ 38.549414][ T94] ? add_taint.cold+0x16/0x16
[ 38.554105][ T94] ? retint_kernel+0x10/0x10
[ 38.558701][ T94] ? trace_hardirqs_on+0x55/0x200
[ 38.563702][ T94] ? dvb_usb_device_exit+0x19a/0x1a0
[ 38.568997][ T94] end_report+0x43/0x49
[ 38.573124][ T94] ? dvb_usb_device_exit+0x19a/0x1a0
[ 38.578397][ T94] __kasan_report.cold+0x55/0x77
[ 38.583369][ T94] ? dvb_usb_device_exit+0x19a/0x1a0
[ 38.588709][ T94] kasan_report+0xe/0x20
[ 38.592920][ T94] dvb_usb_device_exit+0x19a/0x1a0
[ 38.598001][ T94] ? dvb_usb_exit+0x290/0x290
[ 38.602681][ T94] ? mark_held_locks+0x9f/0xe0
[ 38.607416][ T94] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 38.613190][ T94] ? lockdep_hardirqs_on+0x382/0x580
[ 38.618507][ T94] ? usb_disable_interface+0x7b/0x1a0
[ 38.623883][ T94] ? __pm_runtime_resume+0x111/0x180
[ 38.629135][ T94] usb_unbind_interface+0x1bd/0x8a0
[ 38.634300][ T94] ? __pm_runtime_idle+0xd1/0x310
[ 38.639326][ T94] ? usb_autoresume_device+0x60/0x60
[ 38.644578][ T94] device_release_driver_internal+0x42f/0x500
[ 38.650639][ T94] bus_remove_device+0x2eb/0x5a0
[ 38.655557][ T94] device_del+0x481/0xd30
[ 38.659970][ T94] ? mark_held_locks+0x9f/0xe0
[ 38.664707][ T94] ? device_create_with_groups+0x120/0x120
[ 38.670486][ T94] ? lockdep_hardirqs_on+0x382/0x580
[ 38.675760][ T94] ? remove_intf_ep_devs+0x13f/0x1d0
[ 38.681017][ T94] usb_disable_device+0x23d/0x790
[ 38.686015][ T94] usb_disconnect+0x293/0x900
[ 38.690680][ T94] hub_event+0x1a1d/0x4300
[ 38.695193][ T94] ? hub_port_debounce+0x350/0x350
[ 38.700272][ T94] ? find_held_lock+0x2d/0x110
[ 38.705077][ T94] ? mark_held_locks+0xe0/0xe0
[ 38.709845][ T94] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 38.715364][ T94] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 38.720623][ T94] process_one_work+0x94b/0x1620
[ 38.725537][ T94] ? pwq_dec_nr_in_flight+0x310/0x310
[ 38.730970][ T94] ? do_raw_spin_lock+0x129/0x290
[ 38.735981][ T94] worker_thread+0x7ab/0xe20
[ 38.740548][ T94] ? process_one_work+0x1620/0x1620
[ 38.745722][ T94] kthread+0x318/0x420
[ 38.749785][ T94] ? kthread_create_on_node+0xf0/0xf0
[ 38.755146][ T94] ret_from_fork+0x24/0x30
[ 38.760019][ T94] Kernel Offset: disabled
[ 38.764328][ T94] Rebooting in 86400 seconds..