[info] Using makefile-style concurrent boot in runlevel 2.
[ 14.377004][ C1] random: crng init done
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.33' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 51.592146][ T12] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 51.832120][ T12] usb 1-1: Using ep0 maxpacket: 16
[ 51.952228][ T12] usb 1-1: config 9 has an invalid interface number: 228 but max is 0
[ 51.960468][ T12] usb 1-1: config 9 contains an unexpected descriptor of type 0x2, skipping
[ 51.969222][ T12] usb 1-1: config 9 has no interface number 0
[ 51.975334][ T12] usb 1-1: config 9 interface 228 altsetting 55 bulk endpoint 0x4 has invalid maxpacket 129
[ 51.985470][ T12] usb 1-1: config 9 interface 228 altsetting 55 bulk endpoint 0xF has invalid maxpacket 148
[ 51.995568][ T12] usb 1-1: config 9 interface 228 altsetting 55 has a duplicate endpoint with address 0xF, skipping
[ 52.006442][ T12] usb 1-1: config 9 interface 228 altsetting 55 bulk endpoint 0xC has invalid maxpacket 0
[ 52.016426][ T12] usb 1-1: config 9 interface 228 has no altsetting 0
[ 52.262184][ T12] usb 1-1: string descriptor 0 read error: -22
[ 52.268405][ T12] usb 1-1: New USB device found, idVendor=1618, idProduct=9113, bcdDevice=6a.87
[ 52.277543][ T12] usb 1-1: New USB device strings: Mfr=0, Product=2, SerialNumber=94
[ 52.325280][ T12] rsi_91x: rsi_probe: Failed to init usb interface
[ 52.332937][ T12] ==================================================================
[ 52.341044][ T12] BUG: KASAN: double-free or invalid-free in rsi_91x_deinit+0x270/0x2f0
[ 52.349348][ T12]
[ 52.351670][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.0-rc6+ #14
[ 52.359104][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.369142][ T12] Workqueue: usb_hub_wq hub_event
[ 52.374177][ T12] Call Trace:
[ 52.377455][ T12] dump_stack+0xca/0x13e
[ 52.381696][ T12] print_address_description+0x67/0x231
[ 52.387401][ T12] ? rsi_91x_deinit+0x270/0x2f0
[ 52.392337][ T12] kasan_report_invalid_free+0x61/0xa0
[ 52.397838][ T12] ? rsi_91x_deinit+0x270/0x2f0
[ 52.402692][ T12] __kasan_slab_free+0x162/0x180
[ 52.407622][ T12] ? rsi_91x_deinit+0x270/0x2f0
[ 52.412465][ T12] kfree+0xd7/0x280
[ 52.416272][ T12] rsi_91x_deinit+0x270/0x2f0
[ 52.420940][ T12] rsi_probe+0xcec/0x15a0
[ 52.425246][ T12] ? rsi_disconnect+0x630/0x630
[ 52.430078][ T12] ? lockdep_hardirqs_on+0x379/0x580
[ 52.435398][ T12] ? __pm_runtime_resume+0x111/0x180
[ 52.440683][ T12] usb_probe_interface+0x305/0x7a0
[ 52.445782][ T12] ? usb_probe_device+0x100/0x100
[ 52.450833][ T12] really_probe+0x281/0x660
[ 52.455324][ T12] driver_probe_device+0x104/0x210
[ 52.460453][ T12] __device_attach_driver+0x1c2/0x220
[ 52.465817][ T12] ? driver_allows_async_probing+0x160/0x160
[ 52.471812][ T12] bus_for_each_drv+0x15c/0x1e0
[ 52.476649][ T12] ? bus_rescan_devices+0x20/0x20
[ 52.481664][ T12] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 52.487448][ T12] ? lockdep_hardirqs_on+0x379/0x580
[ 52.492703][ T12] __device_attach+0x217/0x360
[ 52.497446][ T12] ? device_bind_driver+0xd0/0xd0
[ 52.502548][ T12] ? kobject_uevent_env+0x29e/0x1150
[ 52.507829][ T12] ? kobject_uevent_env+0x2a8/0x1150
[ 52.513095][ T12] bus_probe_device+0x1e4/0x290
[ 52.518044][ T12] ? blocking_notifier_call_chain+0x54/0xa0
[ 52.524078][ T12] device_add+0xae6/0x16f0
[ 52.528486][ T12] ? uevent_store+0x50/0x50
[ 52.532978][ T12] usb_set_configuration+0xdf6/0x1670
[ 52.538337][ T12] generic_probe+0x9d/0xd5
[ 52.542741][ T12] usb_probe_device+0x99/0x100
[ 52.547487][ T12] ? usb_suspend+0x620/0x620
[ 52.552059][ T12] really_probe+0x281/0x660
[ 52.556541][ T12] driver_probe_device+0x104/0x210
[ 52.561623][ T12] __device_attach_driver+0x1c2/0x220
[ 52.566978][ T12] ? driver_allows_async_probing+0x160/0x160
[ 52.572940][ T12] bus_for_each_drv+0x15c/0x1e0
[ 52.577778][ T12] ? bus_rescan_devices+0x20/0x20
[ 52.582871][ T12] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 52.588696][ T12] ? lockdep_hardirqs_on+0x379/0x580
[ 52.593968][ T12] __device_attach+0x217/0x360
[ 52.598722][ T12] ? device_bind_driver+0xd0/0xd0
[ 52.603767][ T12] ? kobject_uevent_env+0x29e/0x1150
[ 52.609033][ T12] ? kobject_uevent_env+0x2a8/0x1150
[ 52.614290][ T12] bus_probe_device+0x1e4/0x290
[ 52.619157][ T12] ? blocking_notifier_call_chain+0x54/0xa0
[ 52.625035][ T12] device_add+0xae6/0x16f0
[ 52.629432][ T12] ? uevent_store+0x50/0x50
[ 52.633913][ T12] usb_new_device.cold+0x8c1/0x1016
[ 52.639092][ T12] ? usb_port_suspend+0xa40/0xa40
[ 52.644151][ T12] ? mark_held_locks+0x9f/0xe0
[ 52.648985][ T12] ? _raw_spin_unlock_irq+0x24/0x30
[ 52.654157][ T12] hub_event+0x1b3d/0x35f0
[ 52.658600][ T12] ? hub_port_debounce+0x260/0x260
[ 52.663707][ T12] process_one_work+0x905/0x1570
[ 52.668711][ T12] ? pwq_dec_nr_in_flight+0x310/0x310
[ 52.674070][ T12] ? do_raw_spin_lock+0x11a/0x280
[ 52.679079][ T12] worker_thread+0x96/0xe20
[ 52.683567][ T12] ? process_one_work+0x1570/0x1570
[ 52.688919][ T12] kthread+0x30b/0x410
[ 52.693095][ T12] ? kthread_park+0x1a0/0x1a0
[ 52.697759][ T12] ret_from_fork+0x24/0x30
[ 52.702146][ T12]
[ 52.704492][ T12] Allocated by task 12:
[ 52.708679][ T12] save_stack+0x1b/0x80
[ 52.712842][ T12] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 52.718461][ T12] rsi_probe+0x11a/0x15a0
[ 52.722858][ T12] usb_probe_interface+0x305/0x7a0
[ 52.727951][ T12] really_probe+0x281/0x660
[ 52.732428][ T12] driver_probe_device+0x104/0x210
[ 52.737522][ T12] __device_attach_driver+0x1c2/0x220
[ 52.742875][ T12] bus_for_each_drv+0x15c/0x1e0
[ 52.747706][ T12] __device_attach+0x217/0x360
[ 52.752448][ T12] bus_probe_device+0x1e4/0x290
[ 52.757268][ T12] device_add+0xae6/0x16f0
[ 52.761664][ T12] usb_set_configuration+0xdf6/0x1670
[ 52.767016][ T12] generic_probe+0x9d/0xd5
[ 52.771416][ T12] usb_probe_device+0x99/0x100
[ 52.776157][ T12] really_probe+0x281/0x660
[ 52.780651][ T12] driver_probe_device+0x104/0x210
[ 52.785751][ T12] __device_attach_driver+0x1c2/0x220
[ 52.791139][ T12] bus_for_each_drv+0x15c/0x1e0
[ 52.796687][ T12] __device_attach+0x217/0x360
[ 52.801434][ T12] bus_probe_device+0x1e4/0x290
[ 52.806300][ T12] device_add+0xae6/0x16f0
[ 52.810801][ T12] usb_new_device.cold+0x8c1/0x1016
[ 52.816063][ T12] hub_event+0x1b3d/0x35f0
[ 52.820462][ T12] process_one_work+0x905/0x1570
[ 52.825379][ T12] worker_thread+0x96/0xe20
[ 52.829875][ T12] kthread+0x30b/0x410
[ 52.833918][ T12] ret_from_fork+0x24/0x30
[ 52.838305][ T12]
[ 52.840652][ T12] Freed by task 12:
[ 52.844449][ T12] save_stack+0x1b/0x80
[ 52.848586][ T12] __kasan_slab_free+0x130/0x180
[ 52.853499][ T12] kfree+0xd7/0x280
[ 52.857282][ T12] rsi_probe+0xdfd/0x15a0
[ 52.861602][ T12] usb_probe_interface+0x305/0x7a0
[ 52.866696][ T12] really_probe+0x281/0x660
[ 52.871180][ T12] driver_probe_device+0x104/0x210
[ 52.876282][ T12] __device_attach_driver+0x1c2/0x220
[ 52.881744][ T12] bus_for_each_drv+0x15c/0x1e0
[ 52.886588][ T12] __device_attach+0x217/0x360
[ 52.891331][ T12] bus_probe_device+0x1e4/0x290
[ 52.896285][ T12] device_add+0xae6/0x16f0
[ 52.900689][ T12] usb_set_configuration+0xdf6/0x1670
[ 52.906045][ T12] generic_probe+0x9d/0xd5
[ 52.910497][ T12] usb_probe_device+0x99/0x100
[ 52.915253][ T12] really_probe+0x281/0x660
[ 52.919742][ T12] driver_probe_device+0x104/0x210
[ 52.924849][ T12] __device_attach_driver+0x1c2/0x220
[ 52.930199][ T12] bus_for_each_drv+0x15c/0x1e0
[ 52.935028][ T12] __device_attach+0x217/0x360
[ 52.939770][ T12] bus_probe_device+0x1e4/0x290
[ 52.944596][ T12] device_add+0xae6/0x16f0
[ 52.948993][ T12] usb_new_device.cold+0x8c1/0x1016
[ 52.954177][ T12] hub_event+0x1b3d/0x35f0
[ 52.958576][ T12] process_one_work+0x905/0x1570
[ 52.963496][ T12] worker_thread+0x96/0xe20
[ 52.967973][ T12] kthread+0x30b/0x410
[ 52.972015][ T12] ret_from_fork+0x24/0x30
[ 52.976403][ T12]
[ 52.978719][ T12] The buggy address belongs to the object at ffff8881cf519b80
[ 52.978719][ T12] which belongs to the cache kmalloc-512 of size 512
[ 52.992767][ T12] The buggy address is located 0 bytes inside of
[ 52.992767][ T12] 512-byte region [ffff8881cf519b80, ffff8881cf519d80)
[ 53.005850][ T12] The buggy address belongs to the page:
[ 53.011463][ T12] page:ffffea00073d4600 refcount:1 mapcount:0 mapping:ffff8881dac02c00 index:0x0 compound_mapcount: 0
[ 53.022377][ T12] flags: 0x200000000010200(slab|head)
[ 53.027739][ T12] raw: 0200000000010200 0000000000000000 0000000100000001 ffff8881dac02c00
[ 53.036423][ T12] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 53.044992][ T12] page dumped because: kasan: bad access detected
[ 53.051384][ T12]
[ 53.053696][ T12] Memory state around the buggy address:
[ 53.059312][ T12]  ffff8881cf519a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.067356][ T12]  ffff8881cf519b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 53.075402][ T12] >ffff8881cf519b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.083446][ T12]                    ^
[ 53.087509][ T12]  ffff8881cf519c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.095562][ T12]  ffff8881cf519c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.103619][ T12] ==================================================================
[ 53.111663][ T12] Disabling lock debugging due to kernel taint
[ 53.117884][ T12] Kernel panic - not syncing: panic_on_warn set ...
[ 53.123557][ T1753] usb-fuzzer-gadget dummy_ud