[info] Using makefile-style concurrent boot in runlevel 2.
[   14.527858][    C1] random: crng init done
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.165' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   48.296372][  T101] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   48.536359][  T101] usb 1-1: Using ep0 maxpacket: 16
[   48.656502][  T101] usb 1-1: config 0 has an invalid interface number: 154 but max is 0
[   48.664784][  T101] usb 1-1: config 0 has no interface number 0
[   48.671083][  T101] usb 1-1: config 0 interface 154 altsetting 0 endpoint 0x8D has an invalid bInterval 0, changing to 7
[   48.682136][  T101] usb 1-1: config 0 interface 154 altsetting 0 bulk endpoint 0x5 has invalid maxpacket 0
[   48.691978][  T101] usb 1-1: config 0 interface 154 altsetting 0 bulk endpoint 0x8F has invalid maxpacket 0
[   48.701919][  T101] usb 1-1: New USB device found, idVendor=9022, idProduct=d421, bcdDevice= 3.28
[   48.711133][  T101] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   48.720289][  T101] usb 1-1: config 0 descriptor??
executing program
[   48.996524][  T101] usb 1-1: string descriptor 0 read error: -71
[   49.004647][  T101] dw2102: su3000_identify_state
[   49.009673][  T101] dvb-usb: found a 'TeVii S421 PCI' in warm state.
[   49.016253][  T101] dw2102: su3000_power_ctrl: 1, initialized 0
[   49.022597][  T101] dvb-usb: bulk message failed: -22 (2/-731388224)
[   49.030669][  T101] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[   49.056663][  T101] dvbdev: DVB: registering new adapter (TeVii S421 PCI)
[   49.063735][  T101] usb 1-1: media controller created
[   49.069289][  T101] dvb-usb: bulk message failed: -22 (6/-2035908400)
[   49.076101][  T101] dw2102: i2c transfer failed.
[   49.080995][  T101] dvb-usb: bulk message failed: -22 (6/-2035908400)
[   49.087591][  T101] dw2102: i2c transfer failed.
[   49.092357][  T101] dvb-usb: bulk message failed: -22 (6/-2035908400)
[   49.099077][  T101] dw2102: i2c transfer failed.
[   49.103867][  T101] dvb-usb: bulk message failed: -22 (6/-2035908400)
[   49.110471][  T101] dw2102: i2c transfer failed.
[   49.115230][  T101] dvb-usb: bulk message failed: -22 (6/-2035908400)
[   49.121829][  T101] dw2102: i2c transfer failed.
[   49.126628][  T101] dvb-usb: bulk message failed: -22 (6/-2035908400)
[   49.133191][  T101] dw2102: i2c transfer failed.
[   49.137966][  T101] dvb-usb: MAC address: 02:02:02:02:02:02
[   49.147585][  T101] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
[   49.162542][  T101] dvb-usb: bulk message failed: -22 (1/0)
[   49.168352][  T101] dw2102: command 0x51 transfer failed.
[   49.175290][  T101] dvb-usb: bulk message failed: -22 (5/-2035908400)
[   49.182015][  T101] dw2102: i2c transfer failed.
[   49.187077][  T101] dvb-usb: bulk message failed: -22 (5/-2035908400)
[   49.193657][  T101] dw2102: i2c transfer failed.
[   49.198484][  T101] dvb-usb: bulk message failed: -22 (5/-2035908400)
[   49.205052][  T101] dw2102: i2c transfer failed.
[   49.209873][  T101] dvb-usb: bulk message failed: -22 (5/-2035908400)
[   49.216464][  T101] dw2102: i2c transfer failed.
[   49.221226][  T101] dvb-usb: bulk message failed: -22 (5/-2035908400)
[   49.227829][  T101] dw2102: i2c transfer failed.
[   49.232590][  T101] dvb-usb: bulk message failed: -22 (5/-2035908400)
[   49.239196][  T101] dw2102: i2c transfer failed.
[   49.286385][  T101] dvb-usb: bulk message failed: -22 (5/-2035908400)
[   49.293030][  T101] dw2102: i2c transfer failed.
[   49.297854][  T101] dvb-usb: bulk message failed: -22 (5/-2035908400)
[   49.304429][  T101] dw2102: i2c transfer failed.
[   49.309236][  T101] dvb-usb: bulk message failed: -22 (5/-2035908400)
[   49.315812][  T101] dw2102: i2c transfer failed.
[   49.320623][  T101] dvb-usb: bulk message failed: -22 (5/-2035908400)
[   49.327221][  T101] dw2102: i2c transfer failed.
[   49.331984][  T101] dvb-usb: bulk message failed: -22 (5/-2035908400)
[   49.338595][  T101] dw2102: i2c transfer failed.
[   49.343380][  T101] dvb-usb: bulk message failed: -22 (5/-2035908400)
[   49.349982][  T101] dw2102: i2c transfer failed.
[   49.354757][  T101] ts2020 0-0060: Montage Technology TS2020 successfully identified
[   49.363210][  T101] dw2102: Attached RS2000/TS2020!
[   49.368415][  T101] usb 1-1: DVB: registering adapter 0 frontend 0 (M88RS2000 DVB-S)...
[   49.376803][  T101] dvbdev: dvb_create_media_entity: media entity 'M88RS2000 DVB-S' registered.
[   49.436600][  T101] Registered IR keymap rc-su3000
[   49.442120][  T101] rc rc0: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0
[   49.451486][  T101] input: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input5
[   49.462002][  T101] dvb-usb: schedule remote query interval to 150 msecs.
[   49.469022][  T101] dw2102: su3000_power_ctrl: 0, initialized 1
[   49.475090][  T101] dvb-usb: TeVii S421 PCI successfully initialized and connected.
[   49.485092][  T101] usb 1-1: USB disconnect, device number 2
[   49.492143][  T101] ==================================================================
[   49.500258][  T101] BUG: KASAN: use-after-free in dvb_usb_device_exit+0x19a/0x1a0
[   49.507865][  T101] Read of size 8 at addr ffff8881d5a3c6e8 by task kworker/0:2/101
[   49.515661][  T101] 
[   49.517979][  T101] CPU: 0 PID: 101 Comm: kworker/0:2 Not tainted 5.3.0+ #0
[   49.525061][  T101] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.535099][  T101] Workqueue: usb_hub_wq hub_event
[   49.540098][  T101] Call Trace:
[   49.543395][  T101]  dump_stack+0xca/0x13e
[   49.547616][  T101]  ? dvb_usb_device_exit+0x19a/0x1a0
[   49.552896][  T101]  ? dvb_usb_device_exit+0x19a/0x1a0
[   49.558173][  T101]  print_address_description.constprop.0+0x36/0x50
[   49.564845][  T101]  ? dvb_usb_device_exit+0x19a/0x1a0
[   49.570136][  T101]  ? dvb_usb_device_exit+0x19a/0x1a0
[   49.575398][  T101]  __kasan_report.cold+0x1a/0x33
[   49.580313][  T101]  ? _raw_spin_trylock_bh+0x40/0x70
[   49.585488][  T101]  ? dvb_usb_device_exit+0x19a/0x1a0
[   49.590750][  T101]  kasan_report+0xe/0x12
[   49.594968][  T101]  dvb_usb_device_exit+0x19a/0x1a0
[   49.600060][  T101]  ? dvb_usb_exit+0x290/0x290
[   49.604712][  T101]  ? usb_disable_endpoint+0x1ba/0x1f0
[   49.610068][  T101]  ? usb_disable_interface+0x140/0x1a0
[   49.615501][  T101]  usb_unbind_interface+0x1bd/0x8a0
[   49.620678][  T101]  ? usb_autoresume_device+0x60/0x60
[   49.625959][  T101]  device_release_driver_internal+0x42f/0x500
[   49.632020][  T101]  bus_remove_device+0x2dc/0x4a0
[   49.636932][  T101]  device_del+0x420/0xb10
[   49.641245][  T101]  ? __device_links_no_driver+0x240/0x240
[   49.646955][  T101]  ? usb_remove_ep_devs+0x3e/0x80
[   49.651953][  T101]  ? remove_intf_ep_devs+0x13f/0x1d0
[   49.657213][  T101]  usb_disable_device+0x211/0x690
[   49.662211][  T101]  usb_disconnect+0x284/0x8d0
[   49.666877][  T101]  hub_event+0x1454/0x3640
[   49.671272][  T101]  ? find_held_lock+0x2d/0x110
[   49.676106][  T101]  ? mark_held_locks+0xe0/0xe0
[   49.680946][  T101]  ? hub_port_debounce+0x260/0x260
[   49.686034][  T101]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   49.691566][  T101]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   49.696839][  T101]  process_one_work+0x92b/0x1530
[   49.701768][  T101]  ? pwq_dec_nr_in_flight+0x310/0x310
[   49.707116][  T101]  ? do_raw_spin_lock+0x11a/0x280
[   49.712127][  T101]  worker_thread+0x7ab/0xe20
[   49.717044][  T101]  ? process_one_work+0x1530/0x1530
[   49.723100][  T101]  kthread+0x318/0x420
[   49.727150][  T101]  ? kthread_create_on_node+0xf0/0xf0
[   49.732522][  T101]  ret_from_fork+0x24/0x30
[   49.736911][  T101] 
[   49.739213][  T101] Allocated by task 101:
[   49.743436][  T101]  save_stack+0x1b/0x80
[   49.747569][  T101]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   49.753180][  T101]  __kmalloc_track_caller+0xfd/0x330
[   49.758440][  T101]  kmemdup+0x23/0x50
[   49.762315][  T101]  dw2102_probe+0x627/0xc40
[   49.766881][  T101]  usb_probe_interface+0x305/0x7a0
[   49.771971][  T101]  really_probe+0x281/0x6d0
[   49.776459][  T101]  driver_probe_device+0x104/0x210
[   49.781557][  T101]  __device_attach_driver+0x1c2/0x220
[   49.786904][  T101]  bus_for_each_drv+0x162/0x1e0
[   49.791729][  T101]  __device_attach+0x217/0x360
[   49.796472][  T101]  bus_probe_device+0x1e4/0x290
[   49.801477][  T101]  device_add+0xae6/0x16f0
[   49.805871][  T101]  usb_set_configuration+0xdf6/0x1670
[   49.811230][  T101]  generic_probe+0x9d/0xd5
[   49.815631][  T101]  usb_probe_device+0x99/0x100
[   49.820385][  T101]  really_probe+0x281/0x6d0
[   49.824861][  T101]  driver_probe_device+0x104/0x210
[   49.829961][  T101]  __device_attach_driver+0x1c2/0x220
[   49.835326][  T101]  bus_for_each_drv+0x162/0x1e0
[   49.840209][  T101]  __device_attach+0x217/0x360
[   49.844957][  T101]  bus_probe_device+0x1e4/0x290
[   49.849879][  T101]  device_add+0xae6/0x16f0
[   49.854288][  T101]  usb_new_device.cold+0x6a4/0xe79
[   49.859378][  T101]  hub_event+0x1b5c/0x3640
[   49.863780][  T101]  process_one_work+0x92b/0x1530
[   49.868870][  T101]  worker_thread+0x96/0xe20
[   49.873361][  T101]  kthread+0x318/0x420
[   49.877408][  T101]  ret_from_fork+0x24/0x30
[   49.881792][  T101] 
[   49.884099][  T101] Freed by task 101:
[   49.887977][  T101]  save_stack+0x1b/0x80
[   49.892122][  T101]  __kasan_slab_free+0x130/0x180
[   49.897050][  T101]  kfree+0xe4/0x2f0
[   49.900843][  T101]  dw2102_probe+0x871/0xc40
[   49.905327][  T101]  usb_probe_interface+0x305/0x7a0
[   49.910419][  T101]  really_probe+0x281/0x6d0
[   49.914897][  T101]  driver_probe_device+0x104/0x210
[   49.919984][  T101]  __device_attach_driver+0x1c2/0x220
[   49.925417][  T101]  bus_for_each_drv+0x162/0x1e0
[   49.930246][  T101]  __device_attach+0x217/0x360
[   49.934989][  T101]  bus_probe_device+0x1e4/0x290
[   49.939814][  T101]  device_add+0xae6/0x16f0
[   49.944207][  T101]  usb_set_configuration+0xdf6/0x1670
[   49.949554][  T101]  generic_probe+0x9d/0xd5
[   49.953955][  T101]  usb_probe_device+0x99/0x100
[   49.958705][  T101]  really_probe+0x281/0x6d0
[   49.963199][  T101]  driver_probe_device+0x104/0x210
[   49.968328][  T101]  __device_attach_driver+0x1c2/0x220
[   49.973703][  T101]  bus_for_each_drv+0x162/0x1e0
[   49.978535][  T101]  __device_attach+0x217/0x360
[   49.983280][  T101]  bus_probe_device+0x1e4/0x290
[   49.988132][  T101]  device_add+0xae6/0x16f0
[   49.992545][  T101]  usb_new_device.cold+0x6a4/0xe79
[   49.997644][  T101]  hub_event+0x1b5c/0x3640
[   50.002045][  T101]  process_one_work+0x92b/0x1530
[   50.006970][  T101]  worker_thread+0x96/0xe20
[   50.011463][  T101]  kthread+0x318/0x420
[   50.015510][  T101]  ret_from_fork+0x24/0x30
[   50.019897][  T101] 
[   50.022204][  T101] The buggy address belongs to the object at ffff8881d5a3c400
[   50.022204][  T101]  which belongs to the cache kmalloc-4k of size 4096
[   50.036234][  T101] The buggy address is located 744 bytes inside of
[   50.036234][  T101]  4096-byte region [ffff8881d5a3c400, ffff8881d5a3d400)
[   50.049569][  T101] The buggy address belongs to the page:
[   50.055191][  T101] page:ffffea0007568e00 refcount:1 mapcount:0 mapping:ffff8881da00c280 index:0x0 compound_mapcount: 0
[   50.066108][  T101] flags: 0x200000000010200(slab|head)
[   50.071466][  T101] raw: 0200000000010200 0000000000000000 0000000600000001 ffff8881da00c280
[   50.080032][  T101] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[   50.088590][  T101] page dumped because: kasan: bad access detected
[   50.094976][  T101] 
[   50.097286][  T101] Memory state around the buggy address:
[   50.102896][  T101]  ffff8881d5a3c580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.110948][  T101]  ffff8881d5a3c600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.118997][  T101] >ffff8881d5a3c680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.127036][  T101]                                                           ^
[   50.134485][  T101]  ffff8881d5a3c700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.142525][  T101]  ffff8881d5a3c780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.150578][  T101] ==================================================================
[   50.158617][  T101] Disabling lock debugging due to kernel taint
[   50.164810][  T101] Kernel panic - not syncing: panic_on_warn set ...
[   50.171393][  T101] CPU: 0 PID: 101 Comm: kworker/0:2 Tainted: G    B             5.3.0+ #0
[   50.179869][  T101] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   50.189914][  T101] Workqueue: usb_hub_wq hub_event
[   50.194913][  T101] Call Trace:
[   50.198208][  T101]  dump_stack+0xca/0x13e
[   50.202435][  T101]  panic+0x2a3/0x6da
[   50.206314][  T101]  ? add_taint.cold+0x16/0x16
[   50.210969][  T101]  ? retint_kernel+0x10/0x10
[   50.215537][  T101]  ? trace_hardirqs_on+0x55/0x1e0
[   50.220539][  T101]  ? dvb_usb_device_exit+0x19a/0x1a0
[   50.225803][  T101]  end_report+0x43/0x49
[   50.229937][  T101]  ? dvb_usb_device_exit+0x19a/0x1a0
[   50.235196][  T101]  __kasan_report.cold+0xd/0x33
[   50.240025][  T101]  ? _raw_spin_trylock_bh+0x40/0x70
[   50.245203][  T101]  ? dvb_usb_device_exit+0x19a/0x1a0
[   50.250463][  T101]  kasan_report+0xe/0x12
[   50.254686][  T101]  dvb_usb_device_exit+0x19a/0x1a0
[   50.259783][  T101]  ? dvb_usb_exit+0x290/0x290
[   50.264439][  T101]  ? usb_disable_endpoint+0x1ba/0x1f0
[   50.269788][  T101]  ? usb_disable_interface+0x140/0x1a0
[   50.275236][  T101]  usb_unbind_interface+0x1bd/0x8a0
[   50.280417][  T101]  ? usb_autoresume_device+0x60/0x60
[   50.285688][  T101]  device_release_driver_internal+0x42f/0x500
[   50.291729][  T101]  bus_remove_device+0x2dc/0x4a0
[   50.296641][  T101]  device_del+0x420/0xb10
[   50.300948][  T101]  ? __device_links_no_driver+0x240/0x240
[   50.306646][  T101]  ? usb_remove_ep_devs+0x3e/0x80
[   50.311645][  T101]  ? remove_intf_ep_devs+0x13f/0x1d0
[   50.316913][  T101]  usb_disable_device+0x211/0x690
[   50.321917][  T101]  usb_disconnect+0x284/0x8d0
[   50.326657][  T101]  hub_event+0x1454/0x3640
[   50.331048][  T101]  ? find_held_lock+0x2d/0x110
[   50.335788][  T101]  ? mark_held_locks+0xe0/0xe0
[   50.340531][  T101]  ? hub_port_debounce+0x260/0x260
[   50.345631][  T101]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   50.351166][  T101]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   50.356438][  T101]  process_one_work+0x92b/0x1530
[   50.361351][  T101]  ? pwq_dec_nr_in_flight+0x310/0x310
[   50.366700][  T101]  ? do_raw_spin_lock+0x11a/0x280
[   50.371710][  T101]  worker_thread+0x7ab/0xe20
[   50.376286][  T101]  ? process_one_work+0x1530/0x1530
[   50.381459][  T101]  kthread+0x318/0x420
[   50.385500][  T101]  ? kthread_create_on_node+0xf0/0xf0
[   50.390848][  T101]  ret_from_fork+0x24/0x30
[   50.395856][  T101] Kernel Offset: disabled
[   50.400180][  T101] Rebooting in 86400 seconds..