[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ 15.611105][ C1] random: crng init done
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.43' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 31.283110][ T107] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 31.523433][ T107] usb 1-1: Using ep0 maxpacket: 8
[ 31.643135][ T107] usb 1-1: config 0 has an invalid interface number: 110 but max is 0
[ 31.651470][ T107] usb 1-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config
[ 31.661765][ T107] usb 1-1: config 0 has no interface number 0
[ 31.667923][ T107] usb 1-1: config 0 interface 110 altsetting 0 bulk endpoint 0xF has invalid maxpacket 0
[ 31.677796][ T107] usb 1-1: New USB device found, idVendor=1618, idProduct=9116, bcdDevice= 1.43
[ 31.686846][ T107] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 31.696626][ T107] usb 1-1: config 0 descriptor??
[ 31.736592][ T107] rsi_91x: rsi_probe: Failed to init usb interface
[ 31.744166][ T107] ==================================================================
[ 31.752435][ T107] BUG: KASAN: double-free or invalid-free in rsi_91x_deinit+0x270/0x2f0
[ 31.760757][ T107]
[ 31.763125][ T107] CPU: 0 PID: 107 Comm: kworker/0:2 Not tainted 5.2.0-rc6+ #15
[ 31.770690][ T107] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.780826][ T107] Workqueue: usb_hub_wq hub_event
[ 31.785868][ T107] Call Trace:
[ 31.789212][ T107] dump_stack+0xca/0x13e
[ 31.793562][ T107] print_address_description+0x67/0x231
[ 31.799154][ T107] ? rsi_91x_deinit+0x270/0x2f0
[ 31.804019][ T107] kasan_report_invalid_free+0x61/0xa0
[ 31.809498][ T107] ? rsi_91x_deinit+0x270/0x2f0
[ 31.814377][ T107] __kasan_slab_free+0x162/0x180
[ 31.819596][ T107] ? rsi_91x_deinit+0x270/0x2f0
[ 31.824461][ T107] kfree+0xd7/0x280
[ 31.828284][ T107] rsi_91x_deinit+0x270/0x2f0
[ 31.833000][ T107] rsi_probe+0xcec/0x15a0
[ 31.837347][ T107] ? rsi_disconnect+0x630/0x630
[ 31.842227][ T107] ? lockdep_hardirqs_on+0x379/0x580
[ 31.847533][ T107] ? __pm_runtime_resume+0x111/0x180
[ 31.853040][ T107] usb_probe_interface+0x305/0x7a0
[ 31.858185][ T107] ? usb_probe_device+0x100/0x100
[ 31.863212][ T107] really_probe+0x281/0x660
[ 31.867741][ T107] driver_probe_device+0x104/0x210
[ 31.872878][ T107] __device_attach_driver+0x1c2/0x220
[ 31.878266][ T107] ? driver_allows_async_probing+0x160/0x160
[ 31.884257][ T107] bus_for_each_drv+0x15c/0x1e0
[ 31.889171][ T107] ? bus_rescan_devices+0x20/0x20
[ 31.894215][ T107] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 31.900042][ T107] ? lockdep_hardirqs_on+0x379/0x580
[ 31.905340][ T107] __device_attach+0x217/0x360
[ 31.910091][ T107] ? device_bind_driver+0xd0/0xd0
[ 31.915105][ T107] ? kobject_uevent_env+0x29e/0x1150
[ 31.920378][ T107] ? kobject_uevent_env+0x2a8/0x1150
[ 31.925665][ T107] bus_probe_device+0x1e4/0x290
[ 31.930560][ T107] ? blocking_notifier_call_chain+0x54/0xa0
[ 31.936512][ T107] device_add+0xae6/0x16f0
[ 31.940970][ T107] ? uevent_store+0x50/0x50
[ 31.945492][ T107] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 31.951410][ T107] usb_set_configuration+0xdf6/0x1670
[ 31.956801][ T107] generic_probe+0x9d/0xd5
[ 31.961225][ T107] usb_probe_device+0x99/0x100
[ 31.965993][ T107] ? usb_suspend+0x620/0x620
[ 31.970583][ T107] really_probe+0x281/0x660
[ 31.975090][ T107] driver_probe_device+0x104/0x210
[ 31.980212][ T107] __device_attach_driver+0x1c2/0x220
[ 31.985772][ T107] ? driver_allows_async_probing+0x160/0x160
[ 31.991758][ T107] bus_for_each_drv+0x15c/0x1e0
[ 31.996618][ T107] ? bus_rescan_devices+0x20/0x20
[ 32.001654][ T107] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 32.007466][ T107] ? lockdep_hardirqs_on+0x379/0x580
[ 32.012766][ T107] __device_attach+0x217/0x360
[ 32.017534][ T107] ? device_bind_driver+0xd0/0xd0
[ 32.022635][ T107] ? kobject_uevent_env+0x29e/0x1150
[ 32.027940][ T107] ? kobject_uevent_env+0x2a8/0x1150
[ 32.033236][ T107] bus_probe_device+0x1e4/0x290
[ 32.038099][ T107] ? blocking_notifier_call_chain+0x54/0xa0
[ 32.044001][ T107] device_add+0xae6/0x16f0
[ 32.048420][ T107] ? uevent_store+0x50/0x50
[ 32.052926][ T107] usb_new_device.cold+0x6a4/0xe61
[ 32.058043][ T107] hub_event+0x1abd/0x3550
[ 32.062461][ T107] ? hub_port_debounce+0x260/0x260
[ 32.067583][ T107] process_one_work+0x905/0x1570
[ 32.072525][ T107] ? pwq_dec_nr_in_flight+0x310/0x310
[ 32.077923][ T107] ? do_raw_spin_lock+0x11a/0x280
[ 32.082951][ T107] worker_thread+0x96/0xe20
[ 32.087456][ T107] ? process_one_work+0x1570/0x1570
[ 32.092654][ T107] kthread+0x30b/0x410
[ 32.096731][ T107] ? kthread_park+0x1a0/0x1a0
[ 32.101411][ T107] ret_from_fork+0x24/0x30
[ 32.105819][ T107]
[ 32.108138][ T107] Allocated by task 107:
[ 32.112379][ T107] save_stack+0x1b/0x80
[ 32.116567][ T107] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 32.122286][ T107] rsi_probe+0x11a/0x15a0
[ 32.126707][ T107] usb_probe_interface+0x305/0x7a0
[ 32.131817][ T107] really_probe+0x281/0x660
[ 32.136318][ T107] driver_probe_device+0x104/0x210
[ 32.141576][ T107] __device_attach_driver+0x1c2/0x220
[ 32.146967][ T107] bus_for_each_drv+0x15c/0x1e0
[ 32.151821][ T107] __device_attach+0x217/0x360
[ 32.156580][ T107] bus_probe_device+0x1e4/0x290
[ 32.161428][ T107] device_add+0xae6/0x16f0
[ 32.165843][ T107] usb_set_configuration+0xdf6/0x1670
[ 32.171214][ T107] generic_probe+0x9d/0xd5
[ 32.175645][ T107] usb_probe_device+0x99/0x100
[ 32.180415][ T107] really_probe+0x281/0x660
[ 32.184915][ T107] driver_probe_device+0x104/0x210
[ 32.190022][ T107] __device_attach_driver+0x1c2/0x220
[ 32.195410][ T107] bus_for_each_drv+0x15c/0x1e0
[ 32.200340][ T107] __device_attach+0x217/0x360
[ 32.205241][ T107] bus_probe_device+0x1e4/0x290
[ 32.210246][ T107] device_add+0xae6/0x16f0
[ 32.214740][ T107] usb_new_device.cold+0x6a4/0xe61
[ 32.219984][ T107] hub_event+0x1abd/0x3550
[ 32.224483][ T107] process_one_work+0x905/0x1570
[ 32.229542][ T107] worker_thread+0x96/0xe20
[ 32.234127][ T107] kthread+0x30b/0x410
[ 32.238272][ T107] ret_from_fork+0x24/0x30
[ 32.242672][ T107]
[ 32.244990][ T107] Freed by task 107:
[ 32.248953][ T107] save_stack+0x1b/0x80
[ 32.253159][ T107] __kasan_slab_free+0x130/0x180
[ 32.258264][ T107] kfree+0xd7/0x280
[ 32.262180][ T107] rsi_probe+0xdfd/0x15a0
[ 32.266587][ T107] usb_probe_interface+0x305/0x7a0
[ 32.271729][ T107] really_probe+0x281/0x660
[ 32.276228][ T107] driver_probe_device+0x104/0x210
[ 32.281390][ T107] __device_attach_driver+0x1c2/0x220
[ 32.286808][ T107] bus_for_each_drv+0x15c/0x1e0
[ 32.291755][ T107] __device_attach+0x217/0x360
[ 32.296628][ T107] bus_probe_device+0x1e4/0x290
[ 32.301563][ T107] device_add+0xae6/0x16f0
[ 32.306043][ T107] usb_set_configuration+0xdf6/0x1670
[ 32.311496][ T107] generic_probe+0x9d/0xd5
[ 32.316023][ T107] usb_probe_device+0x99/0x100
[ 32.320909][ T107] really_probe+0x281/0x660
[ 32.325484][ T107] driver_probe_device+0x104/0x210
[ 32.330711][ T107] __device_attach_driver+0x1c2/0x220
[ 32.336168][ T107] bus_for_each_drv+0x15c/0x1e0
[ 32.341159][ T107] __device_attach+0x217/0x360
[ 32.345988][ T107] bus_probe_device+0x1e4/0x290
[ 32.350952][ T107] device_add+0xae6/0x16f0
[ 32.355521][ T107] usb_new_device.cold+0x6a4/0xe61
[ 32.360719][ T107] hub_event+0x1abd/0x3550
[ 32.365234][ T107] process_one_work+0x905/0x1570
[ 32.370248][ T107] worker_thread+0x96/0xe20
[ 32.374855][ T107] kthread+0x30b/0x410
[ 32.379045][ T107] ret_from_fork+0x24/0x30
[ 32.383456][ T107]
[ 32.385887][ T107] The buggy address belongs to the object at ffff8881d099a500
[ 32.385887][ T107] which belongs to the cache kmalloc-512 of size 512
[ 32.400033][ T107] The buggy address is located 0 bytes inside of
[ 32.400033][ T107] 512-byte region [ffff8881d099a500, ffff8881d099a700)
[ 32.413411][ T107] The buggy address belongs to the page:
[ 32.419113][ T107] page:ffffea0007426680 refcount:1 mapcount:0 mapping:ffff8881dac02c00 index:0x0 compound_mapcount: 0
[ 32.430107][ T107] flags: 0x200000000010200(slab|head)
[ 32.435643][ T107] raw: 0200000000010200 ffffea000746dc00 0000000300000003 ffff8881dac02c00
[ 32.444273][ T107] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 32.452915][ T107] page dumped because: kasan: bad access detected
[ 32.459391][ T107]
[ 32.461797][ T107] Memory state around the buggy address:
[ 32.467481][ T107] ffff8881d099a400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.475631][ T107] ffff8881d099a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.483728][ T107] >ffff8881d099a500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.491827][ T107] ^
[ 32.495998][ T107] ffff8881d099a580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.504563][ T107] ffff8881d099a600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.512711][ T107] ==================================================================
[ 32.520756][ T107] Disabling lock debugging due to kernel taint
[ 32.527044][ T107] Kernel panic - not syncing: panic_on_warn set ...
[ 32.533637][ T107] CPU: 0 PID: 107 Comm: kworker/0:2 Tainted: G B