[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 14.326407][ T1660] random: sshd: uninitialized urandom read (32 bytes read)
[ 14.544791][ C1] random: crng init done

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.53' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login:
[ 29.262554][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 29.262561][ T12] usb 6-1: new high-speed USB device number 2 using dummy_hcd
[ 29.277695][ T102] usb 2-1: new high-speed USB device number 2 using dummy_hcd
[ 29.283029][ T17] usb 4-1: new high-speed USB device number 2 using dummy_hcd
[ 29.285217][ T1725] usb 3-1: new high-speed USB device number 2 using dummy_hcd
[ 29.300118][ T5] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 29.502502][ T83] usb 1-1: Using ep0 maxpacket: 16
[ 29.532504][ T17] usb 4-1: Using ep0 maxpacket: 16
[ 29.552515][ T102] usb 2-1: Using ep0 maxpacket: 16
[ 29.557754][ T5] usb 5-1: Using ep0 maxpacket: 16
[ 29.562927][ T12] usb 6-1: Using ep0 maxpacket: 16
[ 29.568334][ T1725] usb 3-1: Using ep0 maxpacket: 16
[ 29.622584][ T83] usb 1-1: config 0 has an invalid interface number: 133 but max is 0
[ 29.631048][ T83] usb 1-1: config 0 has no interface number 0
[ 29.637324][ T83] usb 1-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 29.646390][ T83] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 29.654573][ T17] usb 4-1: config 0 has an invalid interface number: 133 but max is 0
[ 29.662771][ T17] usb 4-1: config 0 has no interface number 0
[ 29.668845][ T17] usb 4-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 29.678006][ T17] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 29.687216][ T83] usb 1-1: config 0 descriptor??
[ 29.693809][ T17] usb 4-1: config 0 descriptor??
[ 29.712689][ T12] usb 6-1: config 0 has an invalid interface number: 133 but max is 0
[ 29.720885][ T12] usb 6-1: config 0 has no interface number 0
[ 29.724117][ T83] rio500 1-1:0.133: USB Rio found at address 2
[ 29.727138][ T5] usb 5-1: config 0 has an invalid interface number: 133 but max is 0
[ 29.734898][ T17] rio500 4-1:0.133: USB Rio found at address 2
[ 29.741532][ T5] usb 5-1: config 0 has no interface number 0
[ 29.741586][ T102] usb 2-1: config 0 has an invalid interface number: 133 but max is 0
[ 29.761945][ T102] usb 2-1: config 0 has no interface number 0
[ 29.768269][ T1725] usb 3-1: config 0 has an invalid interface number: 133 but max is 0
[ 29.776464][ T1725] usb 3-1: config 0 has no interface number 0
[ 29.782615][ T12] usb 6-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 29.791631][ T12] usb 6-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 29.799699][ T5] usb 5-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 29.808730][ T5] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 29.816761][ T1725] usb 3-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 29.825822][ T1725] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 29.833869][ T102] usb 2-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 29.842915][ T102] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 29.851878][ T5] usb 5-1: config 0 descriptor??
[ 29.857147][ T12] usb 6-1: config 0 descriptor??
[ 29.862963][ T1725] usb 3-1: config 0 descriptor??
[ 29.868626][ T102] usb 2-1: config 0 descriptor??
[ 29.893779][ T12] rio500 6-1:0.133: Second USB Rio at address 2 refused
[ 29.900869][ T12] rio500: probe of 6-1:0.133 failed with error -16
[ 29.908679][ T5] rio500 5-1:0.133: Second USB Rio at address 2 refused
[ 29.916925][ T1725] rio500 3-1:0.133: Second USB Rio at address 2 refused
[ 29.925725][ T102] rio500 2-1:0.133: Second USB Rio at address 2 refused
[ 29.926434][ T17] usb 1-1: USB disconnect, device number 2
executing program
executing program
[ 29.932851][ T5] rio500: probe of 5-1:0.133 failed with error -16
[ 29.945789][ T1725] rio500: probe of 3-1:0.133 failed with error -16
[ 29.953762][ T102] rio500: probe of 2-1:0.133 failed with error -16
[ 29.972162][ T83] usb 4-1: USB disconnect, device number 2
[ 29.978687][ T17] rio500 1-1:0.133: USB Rio disconnected.
[ 29.986876][ T83] ==================================================================
[ 29.995028][ T83] BUG: KASAN: double-free or invalid-free in disconnect_rio+0x12b/0x1b0
[ 30.003321][ T83]
[ 30.005669][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.4.0-rc1+ #0
[ 30.013007][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.023046][ T83] Workqueue: usb_hub_wq hub_event
[ 30.028048][ T83] Call Trace:
[ 30.031316][ T83] dump_stack+0xca/0x13e
[ 30.035547][ T83] print_address_description.constprop.0+0x36/0x50
[ 30.042033][ T83] ? disconnect_rio+0x12b/0x1b0
[ 30.046860][ T83] kasan_report_invalid_free+0x61/0xa0
[ 30.052302][ T83] ? disconnect_rio+0x12b/0x1b0
[ 30.057145][ T83] __kasan_slab_free+0x162/0x180
[ 30.062066][ T83] ? disconnect_rio+0x12b/0x1b0
[ 30.066889][ T83] kfree+0xe4/0x2f0
[ 30.070697][ T83] disconnect_rio+0x12b/0x1b0
[ 30.075359][ T83] usb_unbind_interface+0x1bd/0x8a0
[ 30.080532][ T83] ? usb_autoresume_device+0x60/0x60
[ 30.085805][ T83] device_release_driver_internal+0x42f/0x500
executing program
[ 30.091852][ T83] bus_remove_device+0x2dc/0x4a0
[ 30.096784][ T83] device_del+0x420/0xb20
[ 30.101096][ T83] ? __device_link_del+0x2f0/0x2f0
[ 30.106198][ T83] ? lockdep_hardirqs_on+0x382/0x580
[ 30.111472][ T83] ? remove_intf_ep_devs+0x13f/0x1d0
[ 30.116760][ T83] usb_disable_device+0x211/0x690
[ 30.121761][ T83] usb_disconnect+0x284/0x8d0
[ 30.126426][ T83] hub_event+0x1454/0x3640
[ 30.130841][ T83] ? find_held_lock+0x2d/0x110
[ 30.131267][ T102] usb 6-1: USB disconnect, device number 2
executing program
[ 30.135618][ T83] ? mark_held_locks+0xe0/0xe0
[ 30.135638][ T83] ? hub_port_debounce+0x260/0x260
[ 30.135649][ T83] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 30.135660][ T83] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 30.135671][ T83] process_one_work+0x92b/0x1530
[ 30.135682][ T83] ? pwq_dec_nr_in_flight+0x310/0x310
[ 30.135693][ T83] ? do_raw_spin_lock+0x11a/0x280
[ 30.135702][ T83] worker_thread+0x96/0xe20
[ 30.135717][ T83] ? process_one_work+0x1530/0x1530
[ 30.154480][ T5] usb 3-1: USB disconnect, device number 2
[ 30.156863][ T83] kthread+0x318/0x420
[ 30.156875][ T83] ? kthread_create_on_node+0xf0/0xf0
[ 30.156886][ T83] ret_from_fork+0x24/0x30
[ 30.156892][ T83]
[ 30.156898][ T83] Allocated by task 17:
[ 30.156911][ T83] save_stack+0x1b/0x80
[ 30.156926][ T83] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 30.222794][ T83] probe_rio+0x135/0x248
[ 30.227024][ T83] usb_probe_interface+0x305/0x7a0
[ 30.232115][ T83] really_probe+0x281/0x6d0
[ 30.236601][ T83] driver_probe_device+0x104/0x210
[ 30.241690][ T83] __device_attach_driver+0x1c2/0x220
[ 30.247046][ T83] bus_for_each_drv+0x162/0x1e0
[ 30.251878][ T83] __device_attach+0x217/0x360
[ 30.256620][ T83] bus_probe_device+0x1e4/0x290
[ 30.261444][ T83] device_add+0xae6/0x16f0
[ 30.265854][ T83] usb_set_configuration+0xdf6/0x1670
[ 30.271197][ T83] generic_probe+0x9d/0xd5
[ 30.275591][ T83] usb_probe_device+0x99/0x100
[ 30.280327][ T83] really_probe+0x281/0x6d0
[ 30.284808][ T83] driver_probe_device+0x104/0x210
[ 30.289904][ T83] __device_attach_driver+0x1c2/0x220
[ 30.295246][ T83] bus_for_each_drv+0x162/0x1e0
[ 30.300070][ T83] __device_attach+0x217/0x360
[ 30.304814][ T83] bus_probe_device+0x1e4/0x290
[ 30.309647][ T83] device_add+0xae6/0x16f0
[ 30.314036][ T83] usb_new_device.cold+0x6a4/0xe79
[ 30.319119][ T83] hub_event+0x1b5c/0x3640
[ 30.323511][ T83] process_one_work+0x92b/0x1530
[ 30.328419][ T83] worker_thread+0x96/0xe20
[ 30.332894][ T83] kthread+0x318/0x420
[ 30.336941][ T83] ret_from_fork+0x24/0x30
[ 30.341338][ T83]
[ 30.343653][ T83] Freed by task 17:
[ 30.347462][ T83] save_stack+0x1b/0x80
[ 30.351601][ T83] __kasan_slab_free+0x130/0x180
[ 30.356513][ T83] kfree+0xe4/0x2f0
[ 30.360306][ T83] disconnect_rio+0x12b/0x1b0
[ 30.364957][ T83] usb_unbind_interface+0x1bd/0x8a0
[ 30.370133][ T83] device_release_driver_internal+0x42f/0x500
[ 30.376171][ T83] bus_remove_device+0x2dc/0x4a0
[ 30.381089][ T83] device_del+0x420/0xb20
[ 30.385402][ T83] usb_disable_device+0x211/0x690
[ 30.390407][ T83] usb_disconnect+0x284/0x8d0
[ 30.395056][ T83] hub_event+0x1454/0x3640
[ 30.399447][ T83] process_one_work+0x92b/0x1530
[ 30.404359][ T83] worker_thread+0x96/0xe20
[ 30.408832][ T83] kthread+0x318/0x420
[ 30.412875][ T83] ret_from_fork+0x24/0x30
[ 30.417262][ T83]
[ 30.419568][ T83] The buggy address belongs to the object at ffff8881d4480000
[ 30.419568][ T83] which belongs to the cache kmalloc-4k of size 4096
[ 30.433591][ T83] The buggy address is located 0 bytes inside of
[ 30.433591][ T83] 4096-byte region [ffff8881d4480000, ffff8881d4481000)
[ 30.446745][ T83] The buggy address belongs to the page:
[ 30.452353][ T83] page:ffffea0007512000 refcount:1 mapcount:0 mapping:ffff8881da00c280 index:0x0 compound_mapcount: 0
[ 30.463255][ T83] flags: 0x200000000010200(slab|head)
[ 30.468602][ T83] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c280
[ 30.477162][ T83] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 30.485719][ T83] page dumped because: kasan: bad access detected
[ 30.492103][ T83]
[ 30.494416][ T83] Memory state around the buggy address:
[ 30.500035][ T83]  ffff8881d447ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.502478][ T102] usb 6-1: new high-speed USB device number 3 using dummy_hcd
[ 30.508073][ T83]  ffff8881d447ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.508082][ T83] >ffff8881d4480000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.508087][ T83]                    ^
[ 30.508096][ T83]  ffff8881d4480080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.508104][ T83]  ffff8881d4480100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.508109][ T83] ==================================================================
[ 30.508113][ T83] Disabling lock debugging due to kernel taint
[ 30.508305][ T83] Kernel panic - not syncing: panic_on_warn set ...
[ 30.522325][ T1725] usb 5-1: USB disconnect, device number 2
[ 30.523615][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Tainted: G B 5.4.0-rc1+ #0
[ 30.523622][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.523635][ T83] Workqueue: usb_hub_wq hub_event
[ 30.523640][ T83] Call Trace:
[ 30.523655][ T83] dump_stack+0xca/0x13e
[ 30.523669][ T83] panic+0x2a3/0x6da
[ 30.523679][ T83] ? add_taint.cold+0x16/0x16
[ 30.523690][ T83] ? disconnect_rio+0x12b/0x1b0
[ 30.523699][ T83] ? trace_hardirqs_on+0x55/0x1e0
[ 30.523708][ T83] ? disconnect_rio+0x12b/0x1b0
[ 30.523718][ T83] end_report+0x43/0x49
[ 30.523728][ T83] kasan_report_invalid_free+0x7d/0xa0
[ 30.523738][ T83] ? disconnect_rio+0x12b/0x1b0
[ 30.523749][ T83] __kasan_slab_free+0x162/0x180
[ 30.523759][ T83] ? disconnect_rio+0x12b/0x1b0
[ 30.523768][ T83] kfree+0xe4/0x2f0
[ 30.523778][ T83] disconnect_rio+0x12b/0x1b0
[ 30.523790][ T83] usb_unbind_interface+0x1bd/0x8a0
[ 30.523802][ T83] ? usb_autoresume_device+0x60/0x60
[ 30.523814][ T83] device_release_driver_internal+0x42f/0x500
[ 30.523825][ T83] bus_remove_device+0x2dc/0x4a0
[ 30.523835][ T83] device_del+0x420/0xb20
[ 30.523845][ T83] ? __device_link_del+0x2f0/0x2f0
[ 30.523858][ T83] ? lockdep_hardirqs_on+0x382/0x580
[ 30.523868][ T83] ? remove_intf_ep_devs+0x13f/0x1d0
[ 30.523882][ T83] usb_disable_device+0x211/0x690
[ 30.533022][ T12] usb 2-1: USB disconnect, device number 2
[ 30.536056][ T83] usb_disconnect+0x284/0x8d0
[ 30.536065][ T83] hub_event+0x1454/0x3640
[ 30.536081][ T83] ? find_held_lock+0x2d/0x110
[ 30.562470][ T5] usb 3-1: new high-speed USB device number 3 using dummy_hcd
[ 30.566341][ T83] ? mark_held_locks+0xe0/0xe0
[ 30.744163][ T83] ? hub_port_debounce+0x260/0x260
[ 30.749250][ T83] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 30.752466][ T102] usb 6-1: Using ep0 maxpacket: 16
[ 30.754785][ T83] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 30.754797][ T83] process_one_work+0x92b/0x1530
[ 30.754807][ T83] ? pwq_dec_nr_in_flight+0x310/0x310
[ 30.754822][ T83] ? do_raw_spin_lock+0x11a/0x280
[ 30.780445][ T83] worker_thread+0x96/0xe20
[ 30.784923][ T83] ? process_one_work+0x1530/0x1530
[ 30.790190][ T83] kthread+0x318/0x420
[ 30.794239][ T83] ? kthread_create_on_node+0xf0/0xf0
[ 30.799586][ T83] ret_from_fork+0x24/0x30
[ 30.804682][ T83] Kernel Offset: disabled
[ 30.809005][ T83] Rebooting in 86400 seconds..