Warning: Permanently added '10.128.0.91' (ECDSA) to the list of known hosts. executing program [ 22.083341][ T17] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 22.293713][ T17] usb 1-1: config 1 has an invalid interface number: 33 but max is 0 [ 22.301876][ T17] usb 1-1: config 1 has no interface number 0 [ 22.309182][ T17] usb 1-1: config 1 interface 33 altsetting 253 endpoint 0x9 has an invalid bInterval 224, changing to 11 [ 22.320561][ T17] usb 1-1: config 1 interface 33 altsetting 253 has an invalid endpoint with address 0x0, skipping [ 22.331333][ T17] usb 1-1: config 1 interface 33 altsetting 253 bulk endpoint 0xE has invalid maxpacket 16 [ 22.341366][ T17] usb 1-1: config 1 interface 33 altsetting 253 endpoint 0x8 has invalid maxpacket 1024, setting to 64 [ 22.352490][ T17] usb 1-1: config 1 interface 33 has no altsetting 0 [ 22.359268][ T17] usb 1-1: New USB device found, idVendor=9022, idProduct=d632, bcdDevice=17.fc [ 22.368454][ T17] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 executing program [ 22.652906][ T17] usb 1-1: string descriptor 0 read error: -71 [ 22.663973][ T17] dw2102: su3000_identify_state [ 22.668958][ T17] dvb-usb: found a 'TeVii S632 USB' in warm state. [ 22.676010][ T17] dw2102: su3000_power_ctrl: 1, initialized 0 [ 22.682308][ T17] dvb-usb: bulk message failed: -22 (2/0) [ 22.690478][ T17] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer. [ 22.713054][ T17] dvbdev: DVB: registering new adapter (TeVii S632 USB) [ 22.721390][ T17] usb 1-1: media controller created [ 22.727560][ T17] dvb-usb: bulk message failed: -22 (6/0) [ 22.733929][ T17] dw2102: i2c transfer failed. [ 22.738843][ T17] dvb-usb: bulk message failed: -22 (6/0) [ 22.744680][ T17] dw2102: i2c transfer failed. [ 22.749752][ T17] dvb-usb: bulk message failed: -22 (6/0) [ 22.755539][ T17] dw2102: i2c transfer failed. [ 22.760347][ T17] dvb-usb: bulk message failed: -22 (6/0) [ 22.766182][ T17] dw2102: i2c transfer failed. [ 22.771705][ T17] dvb-usb: bulk message failed: -22 (6/0) [ 22.778320][ T17] dw2102: i2c transfer failed. [ 22.783305][ T17] dvb-usb: bulk message failed: -22 (6/0) [ 22.789222][ T17] dw2102: i2c transfer failed. [ 22.794139][ T17] dvb-usb: MAC address: 02:02:02:02:02:02 [ 22.804047][ T17] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered. [ 22.826665][ T17] dvb-usb: bulk message failed: -22 (1/0) [ 22.832872][ T17] dw2102: command 0x51 transfer failed. [ 22.840786][ T17] dvb-usb: bulk message failed: -22 (5/0) [ 22.846849][ T17] dw2102: i2c transfer failed. [ 22.851825][ T17] dvb-usb: bulk message failed: -22 (5/0) [ 22.857615][ T17] dw2102: i2c transfer failed. [ 22.862517][ T17] dvb-usb: bulk message failed: -22 (5/0) [ 22.868228][ T17] dw2102: i2c transfer failed. [ 22.873097][ T17] dvb-usb: bulk message failed: -22 (5/0) [ 22.878894][ T17] dw2102: i2c transfer failed. [ 22.883764][ T17] dvb-usb: bulk message failed: -22 (5/0) [ 22.889481][ T17] dw2102: i2c transfer failed. [ 22.894332][ T17] dvb-usb: bulk message failed: -22 (5/0) [ 22.900036][ T17] dw2102: i2c transfer failed. [ 22.954932][ T17] dvb-usb: bulk message failed: -22 (5/0) [ 22.960680][ T17] dw2102: i2c transfer failed. [ 22.966271][ T17] dvb-usb: bulk message failed: -22 (5/0) [ 22.971988][ T17] dw2102: i2c transfer failed. [ 22.977418][ T17] dvb-usb: bulk message failed: -22 (5/0) [ 22.983217][ T17] dw2102: i2c transfer failed. [ 22.987999][ T17] dvb-usb: bulk message failed: -22 (5/0) [ 22.993813][ T17] dw2102: i2c transfer failed. [ 22.998601][ T17] dvb-usb: bulk message failed: -22 (5/0) [ 23.004608][ T17] dw2102: i2c transfer failed. [ 23.009382][ T17] dvb-usb: bulk message failed: -22 (5/0) [ 23.015150][ T17] dw2102: i2c transfer failed. [ 23.019933][ T17] ts2020 0-0060: Montage Technology TS2020 successfully identified [ 23.028516][ T17] dw2102: Attached RS2000/TS2020! [ 23.033821][ T17] usb 1-1: DVB: registering adapter 0 frontend 0 (M88RS2000 DVB-S)... [ 23.042549][ T17] dvbdev: dvb_create_media_entity: media entity 'M88RS2000 DVB-S' registered. [ 23.112523][ T17] Registered IR keymap rc-su3000 [ 23.118612][ T17] rc rc0: TeVii S632 USB as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0 [ 23.128212][ T17] input: TeVii S632 USB as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input5 [ 23.138718][ T17] dvb-usb: schedule remote query interval to 150 msecs. [ 23.145780][ T17] dw2102: su3000_power_ctrl: 0, initialized 1 [ 23.151992][ T17] dvb-usb: TeVii S632 USB successfully initialized and connected. [ 23.161954][ T17] usb 1-1: USB disconnect, device number 2 [ 23.170430][ T17] ================================================================== [ 23.178611][ T17] BUG: KASAN: use-after-free in dvb_usb_device_exit+0x19a/0x1a0 [ 23.186229][ T17] Read of size 8 at addr ffff8881ccdf83e0 by task kworker/1:0/17 [ 23.194090][ T17] [ 23.196422][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.7.0-rc1-syzkaller #0 [ 23.204547][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 23.214717][ T17] Workqueue: usb_hub_wq hub_event [ 23.219733][ T17] Call Trace: [ 23.223137][ T17] dump_stack+0xef/0x16e [ 23.227407][ T17] print_address_description.constprop.0.cold+0xd3/0x314 [ 23.235042][ T17] ? dvb_usb_device_exit+0x19a/0x1a0 [ 23.240332][ T17] __kasan_report.cold+0x37/0x92 [ 23.245264][ T17] ? dvb_usb_device_exit+0x19a/0x1a0 [ 23.250593][ T17] ? dvb_usb_device_exit+0x19a/0x1a0 [ 23.255887][ T17] kasan_report+0x33/0x50 [ 23.260203][ T17] dvb_usb_device_exit+0x19a/0x1a0 [ 23.265309][ T17] ? dvb_usb_exit+0x290/0x290 [ 23.269975][ T17] ? usb_disable_endpoint+0x1ba/0x1f0 [ 23.275327][ T17] ? usb_disable_interface+0x140/0x1a0 [ 23.280786][ T17] usb_unbind_interface+0x1bd/0x8a0 [ 23.285967][ T17] ? __pm_runtime_idle+0xd1/0x310 [ 23.290971][ T17] ? usb_autoresume_device+0x60/0x60 [ 23.296329][ T17] device_release_driver_internal+0x432/0x500 [ 23.302394][ T17] bus_remove_device+0x2eb/0x5a0 [ 23.307335][ T17] device_del+0x481/0xd30 [ 23.311656][ T17] ? device_create_with_groups+0x120/0x120 [ 23.317448][ T17] ? usb_remove_ep_devs+0x3e/0x80 [ 23.322472][ T17] ? remove_intf_ep_devs+0x13f/0x1d0 [ 23.327841][ T17] usb_disable_device+0x23d/0x790 [ 23.332982][ T17] usb_disconnect+0x293/0x900 [ 23.337643][ T17] hub_event+0x1abf/0x43c0 [ 23.342045][ T17] ? hub_port_debounce+0x350/0x350 [ 23.347142][ T17] ? umh_clean_and_save_pid+0x1/0xd0 [ 23.352413][ T17] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 23.357938][ T17] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 23.363218][ T17] ? _raw_spin_unlock_irq+0x1f/0x30 [ 23.368419][ T17] process_one_work+0x965/0x1630 [ 23.373356][ T17] ? lock_release+0x720/0x720 [ 23.378047][ T17] ? pwq_dec_nr_in_flight+0x310/0x310 [ 23.383405][ T17] ? rwlock_bug.part.0+0x90/0x90 [ 23.388321][ T17] worker_thread+0x7ab/0xe20 [ 23.392911][ T17] ? process_one_work+0x1630/0x1630 [ 23.398103][ T17] kthread+0x326/0x430 [ 23.402180][ T17] ? kthread_create_on_node+0xf0/0xf0 [ 23.407532][ T17] ret_from_fork+0x24/0x30 [ 23.412011][ T17] [ 23.414318][ T17] Allocated by task 17: [ 23.418468][ T17] save_stack+0x1b/0x40 [ 23.422617][ T17] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 23.428232][ T17] __kmalloc_track_caller+0xf0/0x330 [ 23.433494][ T17] kmemdup+0x23/0x50 [ 23.437387][ T17] dw2102_probe+0x627/0xc40 [ 23.441877][ T17] usb_probe_interface+0x310/0x800 [ 23.446975][ T17] really_probe+0x290/0xac0 [ 23.451457][ T17] driver_probe_device+0x223/0x350 [ 23.456576][ T17] __device_attach_driver+0x1d1/0x290 [ 23.461958][ T17] bus_for_each_drv+0x162/0x1e0 [ 23.466807][ T17] __device_attach+0x21a/0x390 [ 23.471549][ T17] bus_probe_device+0x1e4/0x290 [ 23.476378][ T17] device_add+0x1367/0x1c20 [ 23.480883][ T17] usb_set_configuration+0xed4/0x1850 [ 23.486243][ T17] usb_generic_driver_probe+0x9d/0xe0 [ 23.491714][ T17] usb_probe_device+0xd9/0x230 [ 23.496464][ T17] really_probe+0x290/0xac0 [ 23.500965][ T17] driver_probe_device+0x223/0x350 [ 23.506071][ T17] __device_attach_driver+0x1d1/0x290 [ 23.511432][ T17] bus_for_each_drv+0x162/0x1e0 [ 23.516316][ T17] __device_attach+0x21a/0x390 [ 23.521070][ T17] bus_probe_device+0x1e4/0x290 [ 23.525931][ T17] device_add+0x1367/0x1c20 [ 23.530414][ T17] usb_new_device.cold+0x552/0xf6e [ 23.535503][ T17] hub_event+0x226d/0x43c0 [ 23.539921][ T17] process_one_work+0x965/0x1630 [ 23.544863][ T17] worker_thread+0x96/0xe20 [ 23.549343][ T17] kthread+0x326/0x430 [ 23.553391][ T17] ret_from_fork+0x24/0x30 [ 23.557847][ T17] [ 23.560227][ T17] Freed by task 17: [ 23.564071][ T17] save_stack+0x1b/0x40 [ 23.568359][ T17] __kasan_slab_free+0x117/0x160 [ 23.573282][ T17] kfree+0xd5/0x300 [ 23.577074][ T17] dw2102_probe+0x871/0xc40 [ 23.581558][ T17] usb_probe_interface+0x310/0x800 [ 23.586651][ T17] really_probe+0x290/0xac0 [ 23.591136][ T17] driver_probe_device+0x223/0x350 [ 23.596227][ T17] __device_attach_driver+0x1d1/0x290 [ 23.601578][ T17] bus_for_each_drv+0x162/0x1e0 [ 23.606406][ T17] __device_attach+0x21a/0x390 [ 23.611148][ T17] bus_probe_device+0x1e4/0x290 [ 23.615975][ T17] device_add+0x1367/0x1c20 [ 23.620488][ T17] usb_set_configuration+0xed4/0x1850 [ 23.625840][ T17] usb_generic_driver_probe+0x9d/0xe0 [ 23.631198][ T17] usb_probe_device+0xd9/0x230 [ 23.636079][ T17] really_probe+0x290/0xac0 [ 23.640588][ T17] driver_probe_device+0x223/0x350 [ 23.645700][ T17] __device_attach_driver+0x1d1/0x290 [ 23.651149][ T17] bus_for_each_drv+0x162/0x1e0 [ 23.656057][ T17] __device_attach+0x21a/0x390 [ 23.660806][ T17] bus_probe_device+0x1e4/0x290 [ 23.665786][ T17] device_add+0x1367/0x1c20 [ 23.670383][ T17] usb_new_device.cold+0x552/0xf6e [ 23.675503][ T17] hub_event+0x226d/0x43c0 [ 23.680025][ T17] process_one_work+0x965/0x1630 [ 23.684943][ T17] worker_thread+0x96/0xe20 [ 23.689531][ T17] kthread+0x326/0x430 [ 23.693614][ T17] ret_from_fork+0x24/0x30 [ 23.698031][ T17] [ 23.700342][ T17] The buggy address belongs to the object at ffff8881ccdf8000 [ 23.700342][ T17] which belongs to the cache kmalloc-4k of size 4096 [ 23.714390][ T17] The buggy address is located 992 bytes inside of [ 23.714390][ T17] 4096-byte region [ffff8881ccdf8000, ffff8881ccdf9000) [ 23.727731][ T17] The buggy address belongs to the page: [ 23.733445][ T17] page:ffffea0007337e00 refcount:1 mapcount:0 mapping:00000000d6db6df0 index:0x0 head:ffffea0007337e00 order:3 compound_mapcount:0 compound_pincount:0 [ 23.748627][ T17] flags: 0x200000000010200(slab|head) [ 23.753982][ T17] raw: 0200000000010200 0000000000000000 0000000100000001 ffff8881da00c280 [ 23.762564][ T17] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 [ 23.771121][ T17] page dumped because: kasan: bad access detected [ 23.777506][ T17] [ 23.779811][ T17] Memory state around the buggy address: [ 23.785437][ T17] ffff8881ccdf8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.793487][ T17] ffff8881ccdf8300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.801534][ T17] >ffff8881ccdf8380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.809755][ T17] ^ [ 23.816927][ T17] ffff8881ccdf8400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.824970][ T17] ffff8881ccdf8480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.833108][ T17] ================================================================== [ 23.841165][ T17] Disabling lock debugging due to kernel taint [ 23.847424][ T17] Kernel panic - not syncing: panic_on_warn set ... [ 23.854015][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Tainted: G B 5.7.0-rc1-syzkaller #0 [ 23.863546][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 23.873636][ T17] Workqueue: usb_hub_wq hub_event [ 23.878647][ T17] Call Trace: [ 23.881932][ T17] dump_stack+0xef/0x16e [ 23.886151][ T17] panic+0x2aa/0x6e1 [ 23.890034][ T17] ? add_taint.cold+0x16/0x16 [ 23.894699][ T17] ? retint_kernel+0x10/0x10 [ 23.899262][ T17] ? dvb_usb_device_exit+0x19a/0x1a0 [ 23.904537][ T17] ? trace_hardirqs_on+0x55/0x200 [ 23.909535][ T17] ? dvb_usb_device_exit+0x19a/0x1a0 [ 23.914812][ T17] end_report+0x4d/0x53 [ 23.918943][ T17] __kasan_report.cold+0x72/0x92 [ 23.923855][ T17] ? dvb_usb_device_exit+0x19a/0x1a0 [ 23.929120][ T17] ? dvb_usb_device_exit+0x19a/0x1a0 [ 23.934379][ T17] kasan_report+0x33/0x50 [ 23.938701][ T17] dvb_usb_device_exit+0x19a/0x1a0 [ 23.943885][ T17] ? dvb_usb_exit+0x290/0x290 [ 23.948541][ T17] ? usb_disable_endpoint+0x1ba/0x1f0 [ 23.953924][ T17] ? usb_disable_interface+0x140/0x1a0 [ 23.959374][ T17] usb_unbind_interface+0x1bd/0x8a0 [ 23.964685][ T17] ? __pm_runtime_idle+0xd1/0x310 [ 23.969701][ T17] ? usb_autoresume_device+0x60/0x60 [ 23.974973][ T17] device_release_driver_internal+0x432/0x500 [ 23.981031][ T17] bus_remove_device+0x2eb/0x5a0 [ 23.985945][ T17] device_del+0x481/0xd30 [ 23.990251][ T17] ? device_create_with_groups+0x120/0x120 [ 23.996034][ T17] ? usb_remove_ep_devs+0x3e/0x80 [ 24.001052][ T17] ? remove_intf_ep_devs+0x13f/0x1d0 [ 24.006315][ T17] usb_disable_device+0x23d/0x790 [ 24.011315][ T17] usb_disconnect+0x293/0x900 [ 24.015972][ T17] hub_event+0x1abf/0x43c0 [ 24.020364][ T17] ? hub_port_debounce+0x350/0x350 [ 24.025473][ T17] ? umh_clean_and_save_pid+0x1/0xd0 [ 24.030752][ T17] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 24.036283][ T17] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 24.041560][ T17] ? _raw_spin_unlock_irq+0x1f/0x30 [ 24.046745][ T17] process_one_work+0x965/0x1630 [ 24.051688][ T17] ? lock_release+0x720/0x720 [ 24.056350][ T17] ? pwq_dec_nr_in_flight+0x310/0x310 [ 24.061698][ T17] ? rwlock_bug.part.0+0x90/0x90 [ 24.066610][ T17] worker_thread+0x7ab/0xe20 [ 24.071210][ T17] ? process_one_work+0x1630/0x1630 [ 24.076405][ T17] kthread+0x326/0x430 [ 24.080454][ T17] ? kthread_create_on_node+0xf0/0xf0 [ 24.085840][ T17] ret_from_fork+0x24/0x30 [ 24.090961][ T17] Kernel Offset: disabled [ 24.095277][ T17] Rebooting in 86400 seconds..