Warning: Permanently added '10.128.0.159' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 25.427348][ T22] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 25.667284][ T22] usb 1-1: Using ep0 maxpacket: 8
[ 25.787373][ T22] usb 1-1: config 0 has an invalid interface number: 161 but max is 0
[ 25.795640][ T22] usb 1-1: config 0 has no interface number 0
[ 25.801784][ T22] usb 1-1: New USB device found, idVendor=9022, idProduct=d632, bcdDevice=e3.ee
[ 25.810864][ T22] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 25.820159][ T22] usb 1-1: config 0 descriptor??
[ 25.869389][ T22] dw2102: su3000_identify_state
[ 25.874335][ T22] dvb-usb: found a 'TeVii S632 USB' in warm state.
[ 25.881041][ T22] dw2102: su3000_power_ctrl: 1, initialized 0
[ 25.887335][ T22] dvb-usb: bulk message failed: -22 (2/256)
[ 25.894612][ T22] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[ 25.917636][ T22] dvbdev: DVB: registering new adapter (TeVii S632 USB)
[ 25.924719][ T22] usb 1-1: media controller created
[ 25.930249][ T22] dvb-usb: bulk message failed: -22 (6/-2035937584)
[ 25.936925][ T22] dw2102: i2c transfer failed.
[ 25.941822][ T22] dvb-usb: bulk message failed: -22 (6/-2035937584)
[ 25.948482][ T22] dw2102: i2c transfer failed.
[ 25.953251][ T22] dvb-usb: bulk message failed: -22 (6/-2035937584)
[ 25.964806][ T22] dw2102: i2c transfer failed.
[ 25.969652][ T22] dvb-usb: bulk message failed: -22 (6/-2035937584)
[ 25.976303][ T22] dw2102: i2c transfer failed.
[ 25.981114][ T22] dvb-usb: bulk message failed: -22 (6/-2035937584)
[ 25.987734][ T22] dw2102: i2c transfer failed.
[ 25.992492][ T22] dvb-usb: bulk message failed: -22 (6/-2035937584)
[ 25.999104][ T22] dw2102: i2c transfer failed.
[ 26.003868][ T22] dvb-usb: MAC address: 02:02:02:02:02:02
[ 26.013624][ T22] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
executing program
[ 26.041519][ T22] dvb-usb: bulk message failed: -22 (1/0)
[ 26.047567][ T22] dw2102: command 0x51 transfer failed.
[ 26.056914][ T22] dvb-usb: bulk message failed: -22 (5/-2035937584)
[ 26.063783][ T22] dw2102: i2c transfer failed.
[ 26.070590][ T22] dvb-usb: bulk message failed: -22 (5/-2035937584)
[ 26.077307][ T22] dw2102: i2c transfer failed.
[ 26.091657][ T22] dvb-usb: bulk message failed: -22 (5/-2035937584)
[ 26.098534][ T22] dw2102: i2c transfer failed.
[ 26.107526][ T22] dvb-usb: bulk message failed: -22 (5/-2035937584)
[ 26.116244][ T22] dw2102: i2c transfer failed.
[ 26.121956][ T22] dvb-usb: bulk message failed: -22 (5/-2035937584)
[ 26.128578][ T22] dw2102: i2c transfer failed.
[ 26.133343][ T22] dvb-usb: bulk message failed: -22 (5/-2035937584)
[ 26.139953][ T22] dw2102: i2c transfer failed.
[ 26.177959][ T22] dvb-usb: bulk message failed: -22 (5/-2035937584)
[ 26.184594][ T22] dw2102: i2c transfer failed.
[ 26.189716][ T22] dvb-usb: bulk message failed: -22 (5/-2035937584)
[ 26.196368][ T22] dw2102: i2c transfer failed.
[ 26.201206][ T22] dvb-usb: bulk message failed: -22 (5/-2035937584)
[ 26.207808][ T22] dw2102: i2c transfer failed.
[ 26.212578][ T22] dvb-usb: bulk message failed: -22 (5/-2035937584)
[ 26.219233][ T22] dw2102: i2c transfer failed.
[ 26.224065][ T22] dvb-usb: bulk message failed: -22 (5/-2035937584)
[ 26.230672][ T22] dw2102: i2c transfer failed.
[ 26.235444][ T22] dvb-usb: bulk message failed: -22 (5/-2035937584)
[ 26.242141][ T22] dw2102: i2c transfer failed.
[ 26.246922][ T22] ts2020 0-0060: Montage Technology TS2020 successfully identified
[ 26.255396][ T22] dw2102: Attached RS2000/TS2020!
[ 26.260591][ T22] usb 1-1: DVB: registering adapter 0 frontend 0 (M88RS2000 DVB-S)...
[ 26.269007][ T22] dvbdev: dvb_create_media_entity: media entity 'M88RS2000 DVB-S' registered.
[ 26.337555][ T22] Registered IR keymap rc-su3000
[ 26.343063][ T22] rc rc0: TeVii S632 USB as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0
[ 26.352373][ T22] input: TeVii S632 USB as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input5
[ 26.362885][ T22] dvb-usb: schedule remote query interval to 150 msecs.
[ 26.369917][ T22] dw2102: su3000_power_ctrl: 0, initialized 1
[ 26.375983][ T22] dvb-usb: TeVii S632 USB successfully initialized and connected.
[ 26.385153][ T22] usb 1-1: USB disconnect, device number 2
[ 26.391681][ T22] ==================================================================
[ 26.399830][ T22] BUG: KASAN: use-after-free in dvb_usb_device_exit+0x19a/0x1a0
[ 26.407491][ T22] Read of size 8 at addr ffff8881cfaa03e0 by task kworker/1:1/22
[ 26.415192][ T22]
[ 26.417566][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.5.0-rc2-syzkaller #0
[ 26.425696][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.435742][ T22] Workqueue: usb_hub_wq hub_event
[ 26.440744][ T22] Call Trace:
[ 26.444016][ T22] dump_stack+0xef/0x16e
[ 26.448235][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 26.453501][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 26.458764][ T22] print_address_description.constprop.0+0x16/0x200
[ 26.465330][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 26.470609][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 26.475876][ T22] __kasan_report.cold+0x37/0x7f
[ 26.480794][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 26.486058][ T22] kasan_report+0xe/0x20
[ 26.490295][ T22] dvb_usb_device_exit+0x19a/0x1a0
[ 26.495388][ T22] ? dvb_usb_exit+0x290/0x290
[ 26.500650][ T22] ? mark_held_locks+0x9f/0xe0
[ 26.505413][ T22] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 26.511197][ T22] ? lockdep_hardirqs_on+0x382/0x580
[ 26.516462][ T22] ? usb_disable_interface+0x7b/0x1a0
[ 26.521810][ T22] ? __pm_runtime_resume+0x111/0x180
[ 26.527103][ T22] usb_unbind_interface+0x1bd/0x8a0
[ 26.532289][ T22] ? usb_autoresume_device+0x60/0x60
[ 26.537555][ T22] device_release_driver_internal+0x42f/0x500
[ 26.543615][ T22] bus_remove_device+0x2dc/0x4a0
[ 26.548554][ T22] device_del+0x481/0xd30
[ 26.552864][ T22] ? device_create_with_groups+0x120/0x120
[ 26.558651][ T22] ? lockdep_hardirqs_on+0x382/0x580
[ 26.563915][ T22] ? remove_intf_ep_devs+0x13f/0x1d0
[ 26.569195][ T22] usb_disable_device+0x211/0x690
[ 26.574200][ T22] usb_disconnect+0x284/0x8d0
[ 26.578871][ T22] hub_event+0x1753/0x3860
[ 26.583277][ T22] ? hub_port_debounce+0x260/0x260
[ 26.588393][ T22] ? find_held_lock+0x2d/0x110
[ 26.593153][ T22] ? mark_held_locks+0xe0/0xe0
[ 26.597907][ T22] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.603468][ T22] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 26.608766][ T22] process_one_work+0x92b/0x1530
[ 26.613705][ T22] ? pwq_dec_nr_in_flight+0x310/0x310
[ 26.619074][ T22] ? do_raw_spin_lock+0x11a/0x280
[ 26.624087][ T22] worker_thread+0x7ab/0xe20
[ 26.628659][ T22] ? process_one_work+0x1530/0x1530
[ 26.633835][ T22] kthread+0x318/0x420
[ 26.637884][ T22] ? kthread_create_on_node+0xf0/0xf0
[ 26.643241][ T22] ret_from_fork+0x24/0x30
[ 26.647648][ T22]
[ 26.649958][ T22] Allocated by task 22:
[ 26.654094][ T22] save_stack+0x1b/0x80
[ 26.658228][ T22] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 26.663840][ T22] __kmalloc_track_caller+0xf0/0x310
[ 26.669130][ T22] kmemdup+0x23/0x50
[ 26.673020][ T22] dw2102_probe+0x627/0xc40
[ 26.677503][ T22] usb_probe_interface+0x305/0x7a0
[ 26.682595][ T22] really_probe+0x281/0x6d0
[ 26.687087][ T22] driver_probe_device+0x104/0x210
[ 26.692174][ T22] __device_attach_driver+0x1c2/0x220
[ 26.697529][ T22] bus_for_each_drv+0x162/0x1e0
[ 26.702408][ T22] __device_attach+0x217/0x360
[ 26.707159][ T22] bus_probe_device+0x1e4/0x290
[ 26.711992][ T22] device_add+0x1480/0x1c20
[ 26.716475][ T22] usb_set_configuration+0xe67/0x1740
[ 26.721827][ T22] generic_probe+0x9d/0xd5
[ 26.726235][ T22] usb_probe_device+0x99/0x100
[ 26.730977][ T22] really_probe+0x281/0x6d0
[ 26.735458][ T22] driver_probe_device+0x104/0x210
[ 26.740557][ T22] __device_attach_driver+0x1c2/0x220
[ 26.745929][ T22] bus_for_each_drv+0x162/0x1e0
[ 26.750762][ T22] __device_attach+0x217/0x360
[ 26.755566][ T22] bus_probe_device+0x1e4/0x290
[ 26.760413][ T22] device_add+0x1480/0x1c20
[ 26.764893][ T22] usb_new_device.cold+0x6a4/0xe79
[ 26.769985][ T22] hub_event+0x1e59/0x3860
[ 26.774456][ T22] process_one_work+0x92b/0x1530
[ 26.779404][ T22] worker_thread+0x96/0xe20
[ 26.783894][ T22] kthread+0x318/0x420
[ 26.788306][ T22] ret_from_fork+0x24/0x30
[ 26.792695][ T22]
[ 26.795002][ T22] Freed by task 22:
[ 26.798788][ T22] save_stack+0x1b/0x80
[ 26.803628][ T22] __kasan_slab_free+0x129/0x170
[ 26.808557][ T22] kfree+0xda/0x310
[ 26.812371][ T22] dw2102_probe+0x871/0xc40
[ 26.816871][ T22] usb_probe_interface+0x305/0x7a0
[ 26.821961][ T22] really_probe+0x281/0x6d0
[ 26.826441][ T22] driver_probe_device+0x104/0x210
[ 26.831530][ T22] __device_attach_driver+0x1c2/0x220
[ 26.836876][ T22] bus_for_each_drv+0x162/0x1e0
[ 26.841711][ T22] __device_attach+0x217/0x360
[ 26.846458][ T22] bus_probe_device+0x1e4/0x290
[ 26.851287][ T22] device_add+0x1480/0x1c20
[ 26.855774][ T22] usb_set_configuration+0xe67/0x1740
[ 26.861124][ T22] generic_probe+0x9d/0xd5
[ 26.865517][ T22] usb_probe_device+0x99/0x100
[ 26.870281][ T22] really_probe+0x281/0x6d0
[ 26.874766][ T22] driver_probe_device+0x104/0x210
[ 26.879867][ T22] __device_attach_driver+0x1c2/0x220
[ 26.885226][ T22] bus_for_each_drv+0x162/0x1e0
[ 26.890056][ T22] __device_attach+0x217/0x360
[ 26.894796][ T22] bus_probe_device+0x1e4/0x290
[ 26.899648][ T22] device_add+0x1480/0x1c20
[ 26.904140][ T22] usb_new_device.cold+0x6a4/0xe79
[ 26.909231][ T22] hub_event+0x1e59/0x3860
[ 26.913630][ T22] process_one_work+0x92b/0x1530
[ 26.918544][ T22] worker_thread+0x96/0xe20
[ 26.923030][ T22] kthread+0x318/0x420
[ 26.927085][ T22] ret_from_fork+0x24/0x30
[ 26.931471][ T22]
[ 26.933820][ T22] The buggy address belongs to the object at ffff8881cfaa0000
[ 26.933820][ T22] which belongs to the cache kmalloc-4k of size 4096
[ 26.947849][ T22] The buggy address is located 992 bytes inside of
[ 26.947849][ T22] 4096-byte region [ffff8881cfaa0000, ffff8881cfaa1000)
[ 26.961220][ T22] The buggy address belongs to the page:
[ 26.966843][ T22] page:ffffea00073ea800 refcount:1 mapcount:0 mapping:ffff8881da00c280 index:0x0 compound_mapcount: 0
[ 26.977766][ T22] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c280
[ 26.986356][ T22] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 26.994931][ T22] page dumped because: kasan: bad access detected
[ 27.001318][ T22]
[ 27.003738][ T22] Memory state around the buggy address:
[ 27.009361][ T22] ffff8881cfaa0280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.017403][ T22] ffff8881cfaa0300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.025440][ T22] >ffff8881cfaa0380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.033564][ T22] ^
[ 27.040738][ T22] ffff8881cfaa0400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.048809][ T22] ffff8881cfaa0480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.056872][ T22] ==================================================================
[ 27.064948][ T22] Disabling lock debugging due to kernel taint
[ 27.071167][ T22] Kernel panic - not syncing: panic_on_warn set ...
[ 27.077754][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G B 5.5.0-rc2-syzkaller #0
[ 27.087294][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.097334][ T22] Workqueue: usb_hub_wq hub_event
[ 27.102333][ T22] Call Trace:
[ 27.105610][ T22] dump_stack+0xef/0x16e
[ 27.109846][ T22] panic+0x2aa/0x6e1
[ 27.113760][ T22] ? add_taint.cold+0x16/0x16
[ 27.118438][ T22] ? retint_kernel+0x10/0x10
[ 27.123019][ T22] ? trace_hardirqs_on+0x55/0x1e0
[ 27.128022][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 27.133311][ T22] end_report+0x43/0x49
[ 27.137456][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 27.142718][ T22] __kasan_report.cold+0x55/0x7f
[ 27.147737][ T22] ? dvb_usb_device_exit+0x19a/0x1a0
[ 27.152999][ T22] kasan_report+0xe/0x20
[ 27.157256][ T22] dvb_usb_device_exit+0x19a/0x1a0
[ 27.162345][ T22] ? dvb_usb_exit+0x290/0x290
[ 27.167009][ T22] ? mark_held_locks+0x9f/0xe0
[ 27.171752][ T22] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 27.177534][ T22] ? lockdep_hardirqs_on+0x382/0x580
[ 27.182794][ T22] ? usb_disable_interface+0x7b/0x1a0
[ 27.188142][ T22] ? __pm_runtime_resume+0x111/0x180
[ 27.193402][ T22] usb_unbind_interface+0x1bd/0x8a0
[ 27.198575][ T22] ? usb_autoresume_device+0x60/0x60
[ 27.203838][ T22] device_release_driver_internal+0x42f/0x500
[ 27.209968][ T22] bus_remove_device+0x2dc/0x4a0
[ 27.214882][ T22] device_del+0x481/0xd30
[ 27.219202][ T22] ? device_create_with_groups+0x120/0x120
[ 27.224986][ T22] ? lockdep_hardirqs_on+0x382/0x580
[ 27.230261][ T22] ? remove_intf_ep_devs+0x13f/0x1d0
[ 27.235532][ T22] usb_disable_device+0x211/0x690
[ 27.240589][ T22] usb_disconnect+0x284/0x8d0
[ 27.245315][ T22] hub_event+0x1753/0x3860
[ 27.249716][ T22] ? hub_port_debounce+0x260/0x260
[ 27.254806][ T22] ? find_held_lock+0x2d/0x110
[ 27.259546][ T22] ? mark_held_locks+0xe0/0xe0
[ 27.264289][ T22] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 27.269819][ T22] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 27.275094][ T22] process_one_work+0x92b/0x1530
[ 27.280045][ T22] ? pwq_dec_nr_in_flight+0x310/0x310
[ 27.285402][ T22] ? do_raw_spin_lock+0x11a/0x280
[ 27.290405][ T22] worker_thread+0x7ab/0xe20
[ 27.294976][ T22] ? process_one_work+0x1530/0x1530
[ 27.300159][ T22] kthread+0x318/0x420
[ 27.304204][ T22] ? kthread_create_on_node+0xf0/0xf0
[ 27.309552][ T22] ret_from_fork+0x24/0x30
[ 27.314589][ T22] Kernel Offset: disabled
[ 27.318909][ T22] Rebooting in 86400 seconds..