[info] Using makefile-style concurrent boot in runlevel 2.
[ 15.242194][ C1] random: crng init done
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.15.212' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 60.277355][ T21] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 60.517338][ T21] usb 1-1: Using ep0 maxpacket: 32
[ 60.637428][ T21] usb 1-1: config 4 has an invalid interface number: 126 but max is 0
[ 60.646659][ T21] usb 1-1: config 4 contains an unexpected descriptor of type 0x1, skipping
[ 60.655652][ T21] usb 1-1: config 4 has no interface number 0
[ 60.662059][ T21] usb 1-1: config 4 interface 126 altsetting 6 endpoint 0xF has an invalid bInterval 121, changing to 7
[ 60.673321][ T21] usb 1-1: config 4 interface 126 altsetting 6 has an invalid endpoint with address 0x0, skipping
[ 60.686213][ T21] usb 1-1: config 4 interface 126 altsetting 6 endpoint 0x8 has invalid maxpacket 257, setting to 64
[ 60.698337][ T21] usb 1-1: config 4 interface 126 altsetting 6 has a duplicate endpoint with address 0xF, skipping
[ 60.709268][ T21] usb 1-1: config 4 interface 126 altsetting 6 has a duplicate endpoint with address 0xF, skipping
[ 60.720136][ T21] usb 1-1: config 4 interface 126 has no altsetting 0
[ 60.957429][ T21] usb 1-1: string descriptor 0 read error: -22
[ 60.964069][ T21] usb 1-1: New USB device found, idVendor=9022, idProduct=d632, bcdDevice=62.e0
[ 60.973436][ T21] usb 1-1: New USB device strings: Mfr=255, Product=9, SerialNumber=255
[ 61.019337][ T21] dw2102: su3000_identify_state
[ 61.024609][ T21] dvb-usb: found a 'TeVii S632 USB' in warm state.
[ 61.032342][ T21] dw2102: su3000_power_ctrl: 1, initialized 0
[ 61.039109][ T21] dvb-usb: bulk message failed: -22 (2/0)
[ 61.046914][ T21] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[ 61.077795][ T21] dvbdev: DVB: registering new adapter (TeVii S632 USB)
[ 61.085280][ T21] usb 1-1: media controller created
[ 61.090925][ T21] dvb-usb: bulk message failed: -22 (6/-2035706760)
[ 61.098059][ T21] dw2102: i2c transfer failed.
[ 61.103189][ T21] dvb-usb: bulk message failed: -22 (6/-2035706760)
[ 61.110360][ T21] dw2102: i2c transfer failed.
[ 61.115320][ T21] dvb-usb: bulk message failed: -22 (6/-2035706760)
[ 61.122286][ T21] dw2102: i2c transfer failed.
[ 61.127184][ T21] dvb-usb: bulk message failed: -22 (6/-2035706760)
[ 61.134007][ T21] dw2102: i2c transfer failed.
[ 61.138926][ T21] dvb-usb: bulk message failed: -22 (6/-2035706760)
[ 61.145738][ T21] dw2102: i2c transfer failed.
[ 61.150625][ T21] dvb-usb: bulk message failed: -22 (6/-2035706760)
[ 61.158502][ T21] dw2102: i2c transfer failed.
[ 61.163744][ T21] dvb-usb: MAC address: 02:02:02:02:02:02
executing program
[ 61.173450][ T21] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
[ 61.187466][ T21] dvb-usb: bulk message failed: -22 (1/0)
[ 61.193287][ T21] dw2102: command 0x51 transfer failed.
[ 61.201297][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 61.208094][ T21] dw2102: i2c transfer failed.
[ 61.213347][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 61.220072][ T21] dw2102: i2c transfer failed.
[ 61.224916][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 61.233288][ T21] dw2102: i2c transfer failed.
[ 61.238250][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 61.244839][ T21] dw2102: i2c transfer failed.
[ 61.249710][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 61.256342][ T21] dw2102: i2c transfer failed.
[ 61.261276][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 61.267994][ T21] dw2102: i2c transfer failed.
[ 61.317824][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 61.325242][ T21] dw2102: i2c transfer failed.
[ 61.330117][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 61.337120][ T21] dw2102: i2c transfer failed.
[ 61.342850][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 61.349595][ T21] dw2102: i2c transfer failed.
[ 61.354507][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 61.361278][ T21] dw2102: i2c transfer failed.
[ 61.366142][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 61.373331][ T21] dw2102: i2c transfer failed.
[ 61.378908][ T21] dvb-usb: bulk message failed: -22 (5/-2035706760)
[ 61.386233][ T21] dw2102: i2c transfer failed.
[ 61.391337][ T21] ts2020 0-0060: Montage Technology TS2020 successfully identified
[ 61.402221][ T21] dw2102: Attached RS2000/TS2020!
[ 61.407720][ T21] usb 1-1: DVB: registering adapter 0 frontend 0 (M88RS2000 DVB-S)...
[ 61.416958][ T21] dvbdev: dvb_create_media_entity: media entity 'M88RS2000 DVB-S' registered.
[ 61.487697][ T21] Registered IR keymap rc-su3000
[ 61.493501][ T21] rc rc0: TeVii S632 USB as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0
[ 61.502778][ T21] input: TeVii S632 USB as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input5
[ 61.513257][ T21] dvb-usb: schedule remote query interval to 150 msecs.
[ 61.520587][ T21] dw2102: su3000_power_ctrl: 0, initialized 1
[ 61.526928][ T21] dvb-usb: TeVii S632 USB successfully initialized and connected.
[ 61.536639][ T21] usb 1-1: USB disconnect, device number 2
[ 61.543819][ T21] ==================================================================
[ 61.552014][ T21] BUG: KASAN: use-after-free in dvb_usb_device_exit+0xb6/0xc0
[ 61.559626][ T21] Read of size 8 at addr ffff8881cf4f69d0 by task kworker/1:1/21
[ 61.568755][ T21]
[ 61.571082][ T21] CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 5.2.0-rc6+ #13
[ 61.578620][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.589037][ T21] Workqueue: usb_hub_wq hub_event
[ 61.594913][ T21] Call Trace:
[ 61.598305][ T21] dump_stack+0xca/0x13e
[ 61.602915][ T21] ? dvb_usb_device_exit+0xb6/0xc0
[ 61.608684][ T21] ? dvb_usb_device_exit+0xb6/0xc0
[ 61.613949][ T21] print_address_description+0x67/0x231
[ 61.619815][ T21] ? dvb_usb_device_exit+0xb6/0xc0
[ 61.625169][ T21] ? dvb_usb_device_exit+0xb6/0xc0
[ 61.630375][ T21] __kasan_report.cold+0x1a/0x32
[ 61.636000][ T21] ? dvb_usb_device_exit+0xb6/0xc0
[ 61.641839][ T21] kasan_report+0xe/0x20
[ 61.646574][ T21] dvb_usb_device_exit+0xb6/0xc0
[ 61.651882][ T21] usb_unbind_interface+0x1bd/0x8a0
[ 61.657533][ T21] ? usb_autoresume_device+0x60/0x60
[ 61.662924][ T21] device_release_driver_internal+0x404/0x4c0
[ 61.669336][ T21] bus_remove_device+0x2dc/0x4a0
[ 61.674402][ T21] device_del+0x460/0xb80
[ 61.678935][ T21] ? __device_links_no_driver+0x240/0x240
[ 61.684818][ T21] ? usb_remove_ep_devs+0x3e/0x80
[ 61.690216][ T21] ? remove_intf_ep_devs+0x13f/0x1d0
[ 61.695520][ T21] usb_disable_device+0x211/0x690
[ 61.700552][ T21] usb_disconnect+0x284/0x830
[ 61.705221][ T21] hub_event+0x1409/0x3590
[ 61.709634][ T21] ? hub_port_debounce+0x260/0x260
[ 61.714915][ T21] process_one_work+0x905/0x1570
[ 61.720029][ T21] ? pwq_dec_nr_in_flight+0x310/0x310
[ 61.725580][ T21] ? do_raw_spin_lock+0x11a/0x280
[ 61.730746][ T21] worker_thread+0x7ab/0xe20
[ 61.735405][ T21] ? process_one_work+0x1570/0x1570
[ 61.740861][ T21] kthread+0x30b/0x410
[ 61.745252][ T21] ? kthread_park+0x1a0/0x1a0
[ 61.750110][ T21] ret_from_fork+0x24/0x30
[ 61.754685][ T21]
[ 61.757113][ T21] Allocated by task 21:
[ 61.761496][ T21] save_stack+0x1b/0x80
[ 61.766077][ T21] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 61.772155][ T21] __kmalloc_track_caller+0xe2/0x2b0
[ 61.777588][ T21] kmemdup+0x23/0x50
[ 61.781537][ T21] dw2102_probe+0x627/0xc40
[ 61.787056][ T21] usb_probe_interface+0x305/0x7a0
[ 61.792157][ T21] really_probe+0x281/0x660
[ 61.796707][ T21] driver_probe_device+0x104/0x210
[ 61.801880][ T21] __device_attach_driver+0x1c2/0x220
[ 61.807319][ T21] bus_for_each_drv+0x15c/0x1e0
[ 61.812269][ T21] __device_attach+0x217/0x360
[ 61.817025][ T21] bus_probe_device+0x1e4/0x290
[ 61.822092][ T21] device_add+0xae6/0x16f0
[ 61.826500][ T21] usb_set_configuration+0xdf6/0x1670
[ 61.831870][ T21] generic_probe+0x9d/0xd5
[ 61.836403][ T21] usb_probe_device+0x99/0x100
[ 61.841152][ T21] really_probe+0x281/0x660
[ 61.845832][ T21] driver_probe_device+0x104/0x210
[ 61.850942][ T21] __device_attach_driver+0x1c2/0x220
[ 61.856996][ T21] bus_for_each_drv+0x15c/0x1e0
[ 61.862698][ T21] __device_attach+0x217/0x360
[ 61.867657][ T21] bus_probe_device+0x1e4/0x290
[ 61.872587][ T21] device_add+0xae6/0x16f0
[ 61.877190][ T21] usb_new_device.cold+0x8c1/0x1016
[ 61.883785][ T21] hub_event+0x1ada/0x3590
[ 61.888293][ T21] process_one_work+0x905/0x1570
[ 61.893574][ T21] worker_thread+0x96/0xe20
[ 61.898163][ T21] kthread+0x30b/0x410
[ 61.902496][ T21] ret_from_fork+0x24/0x30
[ 61.907029][ T21]
[ 61.909350][ T21] Freed by task 21:
[ 61.913154][ T21] save_stack+0x1b/0x80
[ 61.918200][ T21] __kasan_slab_free+0x130/0x180
[ 61.923245][ T21] kfree+0xd7/0x280
[ 61.927100][ T21] dw2102_probe+0x871/0xc40
[ 61.932056][ T21] usb_probe_interface+0x305/0x7a0
[ 61.937215][ T21] really_probe+0x281/0x660
[ 61.941817][ T21] driver_probe_device+0x104/0x210
[ 61.946941][ T21] __device_attach_driver+0x1c2/0x220
[ 61.952354][ T21] bus_for_each_drv+0x15c/0x1e0
[ 61.957326][ T21] __device_attach+0x217/0x360
[ 61.962076][ T21] bus_probe_device+0x1e4/0x290
[ 61.966907][ T21] device_add+0xae6/0x16f0
[ 61.971322][ T21] usb_set_configuration+0xdf6/0x1670
[ 61.976790][ T21] generic_probe+0x9d/0xd5
[ 61.981210][ T21] usb_probe_device+0x99/0x100
[ 61.985971][ T21] really_probe+0x281/0x660
[ 61.990648][ T21] driver_probe_device+0x104/0x210
[ 62.001410][ T21] __device_attach_driver+0x1c2/0x220
[ 62.009672][ T21] bus_for_each_drv+0x15c/0x1e0
[ 62.014817][ T21] __device_attach+0x217/0x360
[ 62.020686][ T21] bus_probe_device+0x1e4/0x290
[ 62.025552][ T21] device_add+0xae6/0x16f0
[ 62.030000][ T21] usb_new_device.cold+0x8c1/0x1016
[ 62.036311][ T21] hub_event+0x1ada/0x3590
[ 62.040743][ T21] process_one_work+0x905/0x1570
[ 62.045838][ T21] worker_thread+0x96/0xe20
[ 62.051110][ T21] kthread+0x30b/0x410
[ 62.055275][ T21] ret_from_fork+0x24/0x30
[ 62.060309][ T21]
[ 62.062662][ T21] The buggy address belongs to the object at ffff8881cf4f6600
[ 62.062662][ T21] which belongs to the cache kmalloc-4k of size 4096
[ 62.076886][ T21] The buggy address is located 976 bytes inside of
[ 62.076886][ T21] 4096-byte region [ffff8881cf4f6600, ffff8881cf4f7600)
[ 62.091114][ T21] The buggy address belongs to the page:
[ 62.097290][ T21] page:ffffea00073d3c00 refcount:1 mapcount:0 mapping:ffff8881dac02600 index:0x0 compound_mapcount: 0
[ 62.108784][ T21] flags: 0x200000000010200(slab|head)
[ 62.114300][ T21] raw: 0200000000010200 ffffea00073ffc00 0000000200000002 ffff8881dac02600
[ 62.122928][ T21] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 62.131653][ T21] page dumped because: kasan: bad access detected
[ 62.139771][ T21]
[ 62.142102][ T21] Memory state around the buggy address:
[ 62.147909][ T21]  ffff8881cf4f6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.156145][ T21]  ffff8881cf4f6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.164197][ T21] >ffff8881cf4f6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.172419][ T21]                                                  ^
[ 62.180035][ T21]  ffff8881cf4f6a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.188554][ T21]  ffff8881cf4f6a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.197052][ T21] ==================================================================
[ 62.205380][ T21] Disabling lock debugging due to kernel taint
[ 62.211922][ T21] Kernel panic - not syncing: panic_on_warn set ...
[ 62.219128][ T21] CPU: 1 PID: 21 Comm: kworker/1:1 Tainted: G B 5.2.0-rc6+ #13
[ 62.228131][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.238820][ T21] Workqueue: usb_hub_wq hub_event
[ 62.243841][ T21] Call Trace:
[ 62.247122][ T21] dump_stack+0xca/0x13e
[ 62.251366][ T21] panic+0x292/0x6c9
[ 62.255352][ T21] ? __warn_printk+0xf3/0xf3
[ 62.260026][ T21] ? dvb_usb_device_exit+0xb6/0xc0
[ 62.265198][ T21] ? trace_hardirqs_on+0x55/0x1c0
[ 62.270497][ T21] ? dvb_usb_device_exit+0xb6/0xc0
[ 62.275709][ T21] end_report+0x43/0x49
[ 62.279989][ T21] ? dvb_usb_device_exit+0xb6/0xc0
[ 62.285117][ T21] __kasan_report.cold+0xd/0x32
[ 62.290313][ T21] ? dvb_usb_device_exit+0xb6/0xc0
[ 62.295438][ T21] kasan_report+0xe/0x20
[ 62.299796][ T21] dvb_usb_device_exit+0xb6/0xc0
[ 62.304869][ T21] usb_unbind_interface+0x1bd/0x8a0
[ 62.310077][ T21] ? usb_autoresume_device+0x60/0x60
[ 62.315374][ T21] device_release_driver_internal+0x404/0x4c0
[ 62.321559][ T21] bus_remove_device+0x2dc/0x4a0
[ 62.326615][ T21] device_del+0x460/0xb80
[ 62.330942][ T21] ? __device_links_no_driver+0x240/0x240
[ 62.336660][ T21] ? usb_remove_ep_devs+0x3e/0x80
[ 62.341674][ T21] ? remove_intf_ep_devs+0x13f/0x1d0
[ 62.347048][ T21] usb_disable_device+0x211/0x690
[ 62.352066][ T21] usb_disconnect+0x284/0x830
[ 62.356730][ T21] hub_event+0x1409/0x3590
[ 62.361260][ T21] ? hub_port_debounce+0x260/0x260
[ 62.366415][ T21] process_one_work+0x905/0x1570
[ 62.371604][ T21] ? pwq_dec_nr_in_flight+0x310/0x310
[ 62.377053][ T21] ? do_raw_spin_lock+0x11a/0x280
[ 62.382080][ T21] worker_thread+0x7ab/0xe20
[ 62.386679][ T21] ? process_one_work+0x1570/0x1570
[ 62.392041][ T21] kthread+0x30b/0x410
[ 62.396116][ T21] ? kthread_park+0x1a0/0x1a0
[ 62.401237][ T21] ret_from_fork+0x24/0x30
[ 62.406708][ T21] Kernel Offset: disabled
[ 62.411286][ T21] Rebooting in 86400 seconds..