[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   14.326407][ T1660] random: sshd: uninitialized urandom read (32 bytes read)
[   14.544791][    C1] random: crng init done

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.53' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   29.262554][   T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   29.262561][   T12] usb 6-1: new high-speed USB device number 2 using dummy_hcd
[   29.277695][  T102] usb 2-1: new high-speed USB device number 2 using dummy_hcd
[   29.283029][   T17] usb 4-1: new high-speed USB device number 2 using dummy_hcd
[   29.285217][ T1725] usb 3-1: new high-speed USB device number 2 using dummy_hcd
[   29.300118][    T5] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[   29.502502][   T83] usb 1-1: Using ep0 maxpacket: 16
[   29.532504][   T17] usb 4-1: Using ep0 maxpacket: 16
[   29.552515][  T102] usb 2-1: Using ep0 maxpacket: 16
[   29.557754][    T5] usb 5-1: Using ep0 maxpacket: 16
[   29.562927][   T12] usb 6-1: Using ep0 maxpacket: 16
[   29.568334][ T1725] usb 3-1: Using ep0 maxpacket: 16
[   29.622584][   T83] usb 1-1: config 0 has an invalid interface number: 133 but max is 0
[   29.631048][   T83] usb 1-1: config 0 has no interface number 0
[   29.637324][   T83] usb 1-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[   29.646390][   T83] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   29.654573][   T17] usb 4-1: config 0 has an invalid interface number: 133 but max is 0
[   29.662771][   T17] usb 4-1: config 0 has no interface number 0
[   29.668845][   T17] usb 4-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[   29.678006][   T17] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   29.687216][   T83] usb 1-1: config 0 descriptor??
[   29.693809][   T17] usb 4-1: config 0 descriptor??
[   29.712689][   T12] usb 6-1: config 0 has an invalid interface number: 133 but max is 0
[   29.720885][   T12] usb 6-1: config 0 has no interface number 0
[   29.724117][   T83] rio500 1-1:0.133: USB Rio found at address 2
[   29.727138][    T5] usb 5-1: config 0 has an invalid interface number: 133 but max is 0
[   29.734898][   T17] rio500 4-1:0.133: USB Rio found at address 2
[   29.741532][    T5] usb 5-1: config 0 has no interface number 0
[   29.741586][  T102] usb 2-1: config 0 has an invalid interface number: 133 but max is 0
[   29.761945][  T102] usb 2-1: config 0 has no interface number 0
[   29.768269][ T1725] usb 3-1: config 0 has an invalid interface number: 133 but max is 0
[   29.776464][ T1725] usb 3-1: config 0 has no interface number 0
[   29.782615][   T12] usb 6-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[   29.791631][   T12] usb 6-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   29.799699][    T5] usb 5-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[   29.808730][    T5] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   29.816761][ T1725] usb 3-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[   29.825822][ T1725] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   29.833869][  T102] usb 2-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[   29.842915][  T102] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   29.851878][    T5] usb 5-1: config 0 descriptor??
[   29.857147][   T12] usb 6-1: config 0 descriptor??
[   29.862963][ T1725] usb 3-1: config 0 descriptor??
[   29.868626][  T102] usb 2-1: config 0 descriptor??
[   29.893779][   T12] rio500 6-1:0.133: Second USB Rio at address 2 refused
[   29.900869][   T12] rio500: probe of 6-1:0.133 failed with error -16
[   29.908679][    T5] rio500 5-1:0.133: Second USB Rio at address 2 refused
[   29.916925][ T1725] rio500 3-1:0.133: Second USB Rio at address 2 refused
[   29.925725][  T102] rio500 2-1:0.133: Second USB Rio at address 2 refused
[   29.926434][   T17] usb 1-1: USB disconnect, device number 2
executing program
executing program
[   29.932851][    T5] rio500: probe of 5-1:0.133 failed with error -16
[   29.945789][ T1725] rio500: probe of 3-1:0.133 failed with error -16
[   29.953762][  T102] rio500: probe of 2-1:0.133 failed with error -16
[   29.972162][   T83] usb 4-1: USB disconnect, device number 2
[   29.978687][   T17] rio500 1-1:0.133: USB Rio disconnected.
[   29.986876][   T83] ==================================================================
[   29.995028][   T83] BUG: KASAN: double-free or invalid-free in disconnect_rio+0x12b/0x1b0
[   30.003321][   T83] 
[   30.005669][   T83] CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.4.0-rc1+ #0
[   30.013007][   T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.023046][   T83] Workqueue: usb_hub_wq hub_event
[   30.028048][   T83] Call Trace:
[   30.031316][   T83]  dump_stack+0xca/0x13e
[   30.035547][   T83]  print_address_description.constprop.0+0x36/0x50
[   30.042033][   T83]  ? disconnect_rio+0x12b/0x1b0
[   30.046860][   T83]  kasan_report_invalid_free+0x61/0xa0
[   30.052302][   T83]  ? disconnect_rio+0x12b/0x1b0
[   30.057145][   T83]  __kasan_slab_free+0x162/0x180
[   30.062066][   T83]  ? disconnect_rio+0x12b/0x1b0
[   30.066889][   T83]  kfree+0xe4/0x2f0
[   30.070697][   T83]  disconnect_rio+0x12b/0x1b0
[   30.075359][   T83]  usb_unbind_interface+0x1bd/0x8a0
[   30.080532][   T83]  ? usb_autoresume_device+0x60/0x60
[   30.085805][   T83]  device_release_driver_internal+0x42f/0x500
executing program
[   30.091852][   T83]  bus_remove_device+0x2dc/0x4a0
[   30.096784][   T83]  device_del+0x420/0xb20
[   30.101096][   T83]  ? __device_link_del+0x2f0/0x2f0
[   30.106198][   T83]  ? lockdep_hardirqs_on+0x382/0x580
[   30.111472][   T83]  ? remove_intf_ep_devs+0x13f/0x1d0
[   30.116760][   T83]  usb_disable_device+0x211/0x690
[   30.121761][   T83]  usb_disconnect+0x284/0x8d0
[   30.126426][   T83]  hub_event+0x1454/0x3640
[   30.130841][   T83]  ? find_held_lock+0x2d/0x110
[   30.131267][  T102] usb 6-1: USB disconnect, device number 2
executing program
[   30.135618][   T83]  ? mark_held_locks+0xe0/0xe0
[   30.135638][   T83]  ? hub_port_debounce+0x260/0x260
[   30.135649][   T83]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   30.135660][   T83]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   30.135671][   T83]  process_one_work+0x92b/0x1530
[   30.135682][   T83]  ? pwq_dec_nr_in_flight+0x310/0x310
[   30.135693][   T83]  ? do_raw_spin_lock+0x11a/0x280
[   30.135702][   T83]  worker_thread+0x96/0xe20
[   30.135717][   T83]  ? process_one_work+0x1530/0x1530
[   30.154480][    T5] usb 3-1: USB disconnect, device number 2
[   30.156863][   T83]  kthread+0x318/0x420
[   30.156875][   T83]  ? kthread_create_on_node+0xf0/0xf0
[   30.156886][   T83]  ret_from_fork+0x24/0x30
[   30.156892][   T83] 
[   30.156898][   T83] Allocated by task 17:
[   30.156911][   T83]  save_stack+0x1b/0x80
[   30.156926][   T83]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   30.222794][   T83]  probe_rio+0x135/0x248
[   30.227024][   T83]  usb_probe_interface+0x305/0x7a0
[   30.232115][   T83]  really_probe+0x281/0x6d0
[   30.236601][   T83]  driver_probe_device+0x104/0x210
[   30.241690][   T83]  __device_attach_driver+0x1c2/0x220
[   30.247046][   T83]  bus_for_each_drv+0x162/0x1e0
[   30.251878][   T83]  __device_attach+0x217/0x360
[   30.256620][   T83]  bus_probe_device+0x1e4/0x290
[   30.261444][   T83]  device_add+0xae6/0x16f0
[   30.265854][   T83]  usb_set_configuration+0xdf6/0x1670
[   30.271197][   T83]  generic_probe+0x9d/0xd5
[   30.275591][   T83]  usb_probe_device+0x99/0x100
[   30.280327][   T83]  really_probe+0x281/0x6d0
[   30.284808][   T83]  driver_probe_device+0x104/0x210
[   30.289904][   T83]  __device_attach_driver+0x1c2/0x220
[   30.295246][   T83]  bus_for_each_drv+0x162/0x1e0
[   30.300070][   T83]  __device_attach+0x217/0x360
[   30.304814][   T83]  bus_probe_device+0x1e4/0x290
[   30.309647][   T83]  device_add+0xae6/0x16f0
[   30.314036][   T83]  usb_new_device.cold+0x6a4/0xe79
[   30.319119][   T83]  hub_event+0x1b5c/0x3640
[   30.323511][   T83]  process_one_work+0x92b/0x1530
[   30.328419][   T83]  worker_thread+0x96/0xe20
[   30.332894][   T83]  kthread+0x318/0x420
[   30.336941][   T83]  ret_from_fork+0x24/0x30
[   30.341338][   T83] 
[   30.343653][   T83] Freed by task 17:
[   30.347462][   T83]  save_stack+0x1b/0x80
[   30.351601][   T83]  __kasan_slab_free+0x130/0x180
[   30.356513][   T83]  kfree+0xe4/0x2f0
[   30.360306][   T83]  disconnect_rio+0x12b/0x1b0
[   30.364957][   T83]  usb_unbind_interface+0x1bd/0x8a0
[   30.370133][   T83]  device_release_driver_internal+0x42f/0x500
[   30.376171][   T83]  bus_remove_device+0x2dc/0x4a0
[   30.381089][   T83]  device_del+0x420/0xb20
[   30.385402][   T83]  usb_disable_device+0x211/0x690
[   30.390407][   T83]  usb_disconnect+0x284/0x8d0
[   30.395056][   T83]  hub_event+0x1454/0x3640
[   30.399447][   T83]  process_one_work+0x92b/0x1530
[   30.404359][   T83]  worker_thread+0x96/0xe20
[   30.408832][   T83]  kthread+0x318/0x420
[   30.412875][   T83]  ret_from_fork+0x24/0x30
[   30.417262][   T83] 
[   30.419568][   T83] The buggy address belongs to the object at ffff8881d4480000
[   30.419568][   T83]  which belongs to the cache kmalloc-4k of size 4096
[   30.433591][   T83] The buggy address is located 0 bytes inside of
[   30.433591][   T83]  4096-byte region [ffff8881d4480000, ffff8881d4481000)
[   30.446745][   T83] The buggy address belongs to the page:
[   30.452353][   T83] page:ffffea0007512000 refcount:1 mapcount:0 mapping:ffff8881da00c280 index:0x0 compound_mapcount: 0
[   30.463255][   T83] flags: 0x200000000010200(slab|head)
[   30.468602][   T83] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c280
[   30.477162][   T83] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[   30.485719][   T83] page dumped because: kasan: bad access detected
[   30.492103][   T83] 
[   30.494416][   T83] Memory state around the buggy address:
[   30.500035][   T83]  ffff8881d447ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.502478][  T102] usb 6-1: new high-speed USB device number 3 using dummy_hcd
[   30.508073][   T83]  ffff8881d447ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.508082][   T83] >ffff8881d4480000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.508087][   T83]                    ^
[   30.508096][   T83]  ffff8881d4480080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.508104][   T83]  ffff8881d4480100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.508109][   T83] ==================================================================
[   30.508113][   T83] Disabling lock debugging due to kernel taint
[   30.508305][   T83] Kernel panic - not syncing: panic_on_warn set ...
[   30.522325][ T1725] usb 5-1: USB disconnect, device number 2
[   30.523615][   T83] CPU: 1 PID: 83 Comm: kworker/1:2 Tainted: G    B             5.4.0-rc1+ #0
[   30.523622][   T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.523635][   T83] Workqueue: usb_hub_wq hub_event
[   30.523640][   T83] Call Trace:
[   30.523655][   T83]  dump_stack+0xca/0x13e
[   30.523669][   T83]  panic+0x2a3/0x6da
[   30.523679][   T83]  ? add_taint.cold+0x16/0x16
[   30.523690][   T83]  ? disconnect_rio+0x12b/0x1b0
[   30.523699][   T83]  ? trace_hardirqs_on+0x55/0x1e0
[   30.523708][   T83]  ? disconnect_rio+0x12b/0x1b0
[   30.523718][   T83]  end_report+0x43/0x49
[   30.523728][   T83]  kasan_report_invalid_free+0x7d/0xa0
[   30.523738][   T83]  ? disconnect_rio+0x12b/0x1b0
[   30.523749][   T83]  __kasan_slab_free+0x162/0x180
[   30.523759][   T83]  ? disconnect_rio+0x12b/0x1b0
[   30.523768][   T83]  kfree+0xe4/0x2f0
[   30.523778][   T83]  disconnect_rio+0x12b/0x1b0
[   30.523790][   T83]  usb_unbind_interface+0x1bd/0x8a0
[   30.523802][   T83]  ? usb_autoresume_device+0x60/0x60
[   30.523814][   T83]  device_release_driver_internal+0x42f/0x500
[   30.523825][   T83]  bus_remove_device+0x2dc/0x4a0
[   30.523835][   T83]  device_del+0x420/0xb20
[   30.523845][   T83]  ? __device_link_del+0x2f0/0x2f0
[   30.523858][   T83]  ? lockdep_hardirqs_on+0x382/0x580
[   30.523868][   T83]  ? remove_intf_ep_devs+0x13f/0x1d0
[   30.523882][   T83]  usb_disable_device+0x211/0x690
[   30.533022][   T12] usb 2-1: USB disconnect, device number 2
[   30.536056][   T83]  usb_disconnect+0x284/0x8d0
[   30.536065][   T83]  hub_event+0x1454/0x3640
[   30.536081][   T83]  ? find_held_lock+0x2d/0x110
[   30.562470][    T5] usb 3-1: new high-speed USB device number 3 using dummy_hcd
[   30.566341][   T83]  ? mark_held_locks+0xe0/0xe0
[   30.744163][   T83]  ? hub_port_debounce+0x260/0x260
[   30.749250][   T83]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   30.752466][  T102] usb 6-1: Using ep0 maxpacket: 16
[   30.754785][   T83]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   30.754797][   T83]  process_one_work+0x92b/0x1530
[   30.754807][   T83]  ? pwq_dec_nr_in_flight+0x310/0x310
[   30.754822][   T83]  ? do_raw_spin_lock+0x11a/0x280
[   30.780445][   T83]  worker_thread+0x96/0xe20
[   30.784923][   T83]  ? process_one_work+0x1530/0x1530
[   30.790190][   T83]  kthread+0x318/0x420
[   30.794239][   T83]  ? kthread_create_on_node+0xf0/0xf0
[   30.799586][   T83]  ret_from_fork+0x24/0x30
[   30.804682][   T83] Kernel Offset: disabled
[   30.809005][   T83] Rebooting in 86400 seconds..