[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ 15.491319][ C1] random: crng init done
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.161' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 49.666155][ T22] usb 6-1: new high-speed USB device number 2 using dummy_hcd
[ 49.666162][ T101] usb 4-1: new high-speed USB device number 2 using dummy_hcd
[ 49.681773][ T12] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 49.696495][ T17] usb 2-1: new high-speed USB device number 2 using dummy_hcd
[ 49.704338][ T1733] usb 3-1: new high-speed USB device number 2 using dummy_hcd
[ 49.712090][ T1734] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 49.916081][ T22] usb 6-1: Using ep0 maxpacket: 8
[ 49.926158][ T12] usb 1-1: Using ep0 maxpacket: 8
[ 49.931354][ T101] usb 4-1: Using ep0 maxpacket: 8
[ 49.936175][ T17] usb 2-1: Using ep0 maxpacket: 8
[ 49.956340][ T1734] usb 5-1: Using ep0 maxpacket: 8
[ 49.961493][ T1733] usb 3-1: Using ep0 maxpacket: 8
[ 50.046323][ T22] usb 6-1: config 0 has an invalid interface number: 67 but max is 0
[ 50.046335][ T12] usb 1-1: config 0 has an invalid interface number: 67 but max is 0
[ 50.046371][ T22] usb 6-1: config 0 has no interface number 0
[ 50.054590][ T12] usb 1-1: config 0 has no interface number 0
[ 50.063036][ T22] usb 6-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=6e.90
[ 50.070019][ T101] usb 4-1: config 0 has an invalid interface number: 67 but max is 0
[ 50.075940][ T22] usb 6-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 50.076113][ T17] usb 2-1: config 0 has an invalid interface number: 67 but max is 0
[ 50.085211][ T101] usb 4-1: config 0 has no interface number 0
[ 50.093372][ T17] usb 2-1: config 0 has no interface number 0
[ 50.101930][ T12] usb 1-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=6e.90
[ 50.110516][ T17] usb 2-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=6e.90
[ 50.115631][ T12] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 50.121006][ T12] usb 1-1: config 0 descriptor??
[ 50.121952][ T17] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 50.131499][ T101] usb 4-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=6e.90
[ 50.140508][ T22] usb 6-1: config 0 descriptor??
[ 50.148276][ T101] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 50.150085][ T101] usb 4-1: config 0 descriptor??
[ 50.153334][ T1734] usb 5-1: config 0 has an invalid interface number: 67 but max is 0
[ 50.187822][ T12] rio500 1-1:0.67: USB Rio found at address 2
[ 50.188608][ T1734] usb 5-1: config 0 has no interface number 0
[ 50.205310][ T101] rio500 4-1:0.67: USB Rio found at address 2
[ 50.209237][ T1733] usb 3-1: config 0 has an invalid interface number: 67 but max is 0
[ 50.209249][ T1733] usb 3-1: config 0 has no interface number 0
[ 50.209289][ T1733] usb 3-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=6e.90
[ 50.238741][ T1733] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 50.248284][ T17] usb 2-1: config 0 descriptor??
[ 50.256005][ T1733] usb 3-1: config 0 descriptor??
[ 50.261649][ T1734] usb 5-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=6e.90
[ 50.270856][ T1734] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 50.280256][ T1734] usb 5-1: config 0 descriptor??
[ 50.297881][ T22] rio500 6-1:0.67: Second USB Rio at address 2 refused
[ 50.304959][ T22] rio500: probe of 6-1:0.67 failed with error -16
[ 50.312871][ T17] rio500 2-1:0.67: Second USB Rio at address 2 refused
[ 50.321789][ T1733] rio500 3-1:0.67: Second USB Rio at address 2 refused
[ 50.330162][ T1734] rio500 5-1:0.67: Second USB Rio at address 2 refused
[ 50.337178][ T1733] rio500: probe of 3-1:0.67 failed with error -16
[ 50.345265][ T17] rio500: probe of 2-1:0.67 failed with error -16
[ 50.351890][ T1734] rio500: probe of 5-1:0.67 failed with error -16
executing program
executing program
[ 50.399697][ T101] usb 4-1: USB disconnect, device number 2
[ 50.404755][ T1734] usb 1-1: USB disconnect, device number 2
[ 50.409142][ T101] rio500 4-1:0.67: USB Rio disconnected.
[ 50.425803][ T1734] ==================================================================
[ 50.434203][ T1734] BUG: KASAN: double-free or invalid-free in disconnect_rio+0x12b/0x1b0
[ 50.442723][ T1734]
[ 50.445047][ T1734] CPU: 1 PID: 1734 Comm: kworker/1:3 Not tainted 5.3.0+ #0
[ 50.452313][ T1734] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.462412][ T1734] Workqueue: usb_hub_wq hub_event
[ 50.467441][ T1734] Call Trace:
[ 50.470745][ T1734] dump_stack+0xca/0x13e
[ 50.474981][ T1734] print_address_description+0x6a/0x32c
[ 50.480522][ T1734] ? disconnect_rio+0x12b/0x1b0
[ 50.485382][ T1734] kasan_report_invalid_free+0x61/0xa0
[ 50.492325][ T1734] ? disconnect_rio+0x12b/0x1b0
[ 50.497180][ T1734] __kasan_slab_free+0x162/0x180
[ 50.499990][ T1736] usb 2-1: USB disconnect, device number 2
[ 50.503866][ T1734] ? disconnect_rio+0x12b/0x1b0
[ 50.509924][ T12] usb 6-1: USB disconnect, device number 2
[ 50.514508][ T1734] kfree+0xe4/0x2f0
[ 50.524096][ T1734] disconnect_rio+0x12b/0x1b0
[ 50.528799][ T1734] usb_unbind_interface+0x1bd/0x8a0
[ 50.534194][ T1734] ? usb_autoresume_device+0x60/0x60
[ 50.539504][ T1734] device_release_driver_internal+0x42f/0x500
[ 50.544202][ T1748] usb 3-1: USB disconnect, device number 2
executing program
executing program
[ 50.545583][ T1734] bus_remove_device+0x2dc/0x4a0
[ 50.545597][ T1734] device_del+0x420/0xb10
[ 50.545614][ T1734] ? __device_links_no_driver+0x240/0x240
[ 50.558629][ T1751] usb 5-1: USB disconnect, device number 2
[ 50.560944][ T1734] ? lockdep_hardirqs_on+0x379/0x580
[ 50.560960][ T1734] ? remove_intf_ep_devs+0x13f/0x1d0
[ 50.560976][ T1734] usb_disable_device+0x211/0x690
[ 50.588250][ T1734] usb_disconnect+0x284/0x8d0
[ 50.592944][ T1734] hub_event+0x1454/0x3640
[ 50.597354][ T1734] ? find_held_lock+0x2d/0x110
[ 50.602110][ T1734] ? mark_held_locks+0xe0/0xe0
[ 50.606879][ T1734] ? hub_port_debounce+0x260/0x260
[ 50.612003][ T1734] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 50.617570][ T1734] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 50.623102][ T1734] process_one_work+0x92b/0x1530
[ 50.628041][ T1734] ? pwq_dec_nr_in_flight+0x310/0x310
[ 50.633526][ T1734] ? do_raw_spin_lock+0x11a/0x280
[ 50.638562][ T1734] worker_thread+0x96/0xe20
[ 50.643068][ T1734] ? process_one_work+0x1530/0x1530
[ 50.648262][ T1734] kthread+0x318/0x420
[ 50.652325][ T1734] ? kthread_create_on_node+0xf0/0xf0
[ 50.657787][ T1734] ret_from_fork+0x24/0x30
[ 50.662360][ T1734]
[ 50.664779][ T1734] Allocated by task 101:
[ 50.669049][ T1734] save_stack+0x1b/0x80
[ 50.673214][ T1734] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 50.678842][ T1734] probe_rio+0x135/0x248
[ 50.683165][ T1734] usb_probe_interface+0x305/0x7a0
[ 50.688286][ T1734] really_probe+0x281/0x6d0
[ 50.692874][ T1734] driver_probe_device+0x101/0x1b0
[ 50.698012][ T1734] __device_attach_driver+0x1c2/0x220
[ 50.703368][ T1734] bus_for_each_drv+0x162/0x1e0
[ 50.708345][ T1734] __device_attach+0x217/0x360
[ 50.713108][ T1734] bus_probe_device+0x1e4/0x290
[ 50.717959][ T1734] device_add+0xae6/0x16f0
[ 50.722365][ T1734] usb_set_configuration+0xdf6/0x1670
[ 50.727740][ T1734] generic_probe+0x9d/0xd5
[ 50.732154][ T1734] usb_probe_device+0x99/0x100
[ 50.736923][ T1734] really_probe+0x281/0x6d0
[ 50.741434][ T1734] driver_probe_device+0x101/0x1b0
[ 50.746538][ T1734] __device_attach_driver+0x1c2/0x220
[ 50.751941][ T1734] bus_for_each_drv+0x162/0x1e0
[ 50.756871][ T1734] __device_attach+0x217/0x360
[ 50.761725][ T1734] bus_probe_device+0x1e4/0x290
[ 50.766704][ T1734] device_add+0xae6/0x16f0
[ 50.771111][ T1734] usb_new_device.cold+0x6a4/0xe79
[ 50.776113][ T101] usb 4-1: new high-speed USB device number 3 using dummy_hcd
[ 50.776297][ T1734] hub_event+0x1b5c/0x3640
[ 50.788230][ T1734] process_one_work+0x92b/0x1530
[ 50.793268][ T1734] worker_thread+0x96/0xe20
[ 50.797767][ T1734] kthread+0x318/0x420
[ 50.801820][ T1734] ret_from_fork+0x24/0x30
[ 50.806221][ T1734]
[ 50.808529][ T1734] Freed by task 101:
[ 50.812415][ T1734] save_stack+0x1b/0x80
[ 50.816562][ T1734] __kasan_slab_free+0x130/0x180
[ 50.821504][ T1734] kfree+0xe4/0x2f0
[ 50.825304][ T1734] disconnect_rio+0x12b/0x1b0
[ 50.829970][ T1734] usb_unbind_interface+0x1bd/0x8a0
[ 50.835159][ T1734] device_release_driver_internal+0x42f/0x500
[ 50.841209][ T1734] bus_remove_device+0x2dc/0x4a0
[ 50.846287][ T1734] device_del+0x420/0xb10
[ 50.850602][ T1734] usb_disable_device+0x211/0x690
[ 50.855612][ T1734] usb_disconnect+0x284/0x8d0
[ 50.860285][ T1734] hub_event+0x1454/0x3640
[ 50.864718][ T1734] process_one_work+0x92b/0x1530
[ 50.869675][ T1734] worker_thread+0x96/0xe20
[ 50.874432][ T1734] kthread+0x318/0x420
[ 50.878492][ T1734] ret_from_fork+0x24/0x30
[ 50.882896][ T1734]
[ 50.885209][ T1734] The buggy address belongs to the object at ffff8881d2e30000
[ 50.885209][ T1734] which belongs to the cache kmalloc-4k of size 4096
[ 50.899260][ T1734] The buggy address is located 0 bytes inside of
[ 50.899260][ T1734] 4096-byte region [ffff8881d2e30000, ffff8881d2e31000)
[ 50.912442][ T1734] The buggy address belongs to the page:
[ 50.918074][ T1734] page:ffffea00074b8c00 refcount:1 mapcount:0 mapping:ffff8881da00c280 index:0x0 compound_mapcount: 0
[ 50.929005][ T1734] flags: 0x200000000010200(slab|head)
[ 50.934498][ T1734] raw: 0200000000010200 0000000000000000 0000000100000001 ffff8881da00c280
[ 50.936115][ T12] usb 6-1: new high-speed USB device number 3 using dummy_hcd
[ 50.943089][ T1734] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 50.943095][ T1734] page dumped because: kasan: bad access detected
[ 50.943098][ T1734]
[ 50.943102][ T1734] Memory state around the buggy address:
[ 50.943112][ T1734]  ffff8881d2e2ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.943121][ T1734]  ffff8881d2e2ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.943128][ T1734] >ffff8881d2e30000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.943138][ T1734]                    ^
[ 50.966343][ T1751] usb 5-1: new high-speed USB device number 3 using dummy_hcd
[ 50.968048][ T1734]  ffff8881d2e30080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.968058][ T1734]  ffff8881d2e30100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.968062][ T1734] ==================================================================
[ 50.968067][ T1734] Disabling lock debugging due to kernel taint
[ 50.968296][ T1734] Kernel panic - not syncing: panic_on_warn set ...
[ 51.046792][ T1734] CPU: 1 PID: 1734 Comm: kworker/1:3 Tainted: G B 5.3.0+ #0
[ 51.055466][ T1734] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.065626][ T1734] Workqueue: usb_hub_wq hub_event
[ 51.070636][ T1734] Call Trace:
[ 51.073993][ T1734] dump_stack+0xca/0x13e
[ 51.078233][ T1734] panic+0x2a3/0x6da
[ 51.082549][ T1734] ? add_taint.cold+0x16/0x16
[ 51.087212][ T1734] ? disconnect_rio+0x12b/0x1b0
[ 51.092047][ T1734] ? trace_hardirqs_on+0x55/0x1e0
[ 51.097055][ T1734] ? disconnect_rio+0x12b/0x1b0
[ 51.101893][ T1734] end_report+0x43/0x49
[ 51.106037][ T1734] kasan_report_invalid_free+0x7d/0xa0
[ 51.111667][ T1734] ? disconnect_rio+0x12b/0x1b0
[ 51.116504][ T1734] __kasan_slab_free+0x162/0x180
[ 51.121790][ T1734] ? disconnect_rio+0x12b/0x1b0
[ 51.126628][ T1734] kfree+0xe4/0x2f0
[ 51.130423][ T1734] disconnect_rio+0x12b/0x1b0
[ 51.135089][ T1734] usb_unbind_interface+0x1bd/0x8a0
[ 51.140361][ T1734] ? usb_autoresume_device+0x60/0x60
[ 51.146363][ T1734] device_release_driver_internal+0x42f/0x500
[ 51.152529][ T1734] bus_remove_device+0x2dc/0x4a0
[ 51.157551][ T1734] device_del+0x420/0xb10
[ 51.161867][ T1734] ? __device_links_no_driver+0x240/0x240
[ 51.167678][ T1734] ? lockdep_hardirqs_on+0x379/0x580
[ 51.172955][ T1734] ? remove_intf_ep_devs+0x13f/0x1d0
[ 51.178328][ T1734] usb_disable_device+0x211/0x690
[ 51.183370][ T1734] usb_disconnect+0x284/0x8d0
[ 51.188032][ T1734] hub_event+0x1454/0x3640
[ 51.192453][ T1734] ? find_held_lock+0x2d/0x110
[ 51.197210][ T1734] ? mark_held_locks+0xe0/0xe0
[ 51.201957][ T1734] ? hub_port_debounce+0x260/0x260
[ 51.207061][ T1734] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 51.212591][ T1734] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 51.217873][ T1734] process_one_work+0x92b/0x1530
[ 51.222814][ T1734] ? pwq_dec_nr_in_flight+0x310/0x310
[ 51.228171][ T1734] ? do_raw_spin_lock+0x11a/0x280
[ 51.233182][ T1734] worker_thread+0x96/0xe20
[ 51.237767][ T1734] ? process_one_work+0x1530/0x1530
[ 51.242950][ T1734] kthread+0x318/0x420
[ 51.247022][ T1734] ? kthread_create_on_node+0xf0/0xf0
[ 51.252388][ T1734] ret_from_fork+0x24/0x30
[ 51.257874][ T1734] Kernel Offset: disabled
[ 51.262301][ T1734] Rebooting in 86400 seconds..