[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 14.659376][ T1659] random: sshd: uninitialized urandom read (32 bytes read)
[ 14.784671][ C1] random: crng init done

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.235' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 54.068849][ T102] usb 4-1: new high-speed USB device number 2 using dummy_hcd
[ 54.068856][ T12] usb 6-1: new high-speed USB device number 2 using dummy_hcd
[ 54.069156][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 54.076503][ T5] usb 2-1: new high-speed USB device number 2 using dummy_hcd
[ 54.098970][ T1727] usb 3-1: new high-speed USB device number 2 using dummy_hcd
[ 54.106596][ T1726] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 54.318841][ T102] usb 4-1: Using ep0 maxpacket: 16
[ 54.324641][ T83] usb 1-1: Using ep0 maxpacket: 16
[ 54.348821][ T1727] usb 3-1: Using ep0 maxpacket: 16
[ 54.354095][ T12] usb 6-1: Using ep0 maxpacket: 16
[ 54.359312][ T1726] usb 5-1: Using ep0 maxpacket: 16
[ 54.364630][ T5] usb 2-1: Using ep0 maxpacket: 16
[ 54.438898][ T102] usb 4-1: config 0 has an invalid interface number: 133 but max is 0
[ 54.447247][ T102] usb 4-1: config 0 has no interface number 0
[ 54.453530][ T83] usb 1-1: config 0 has an invalid interface number: 133 but max is 0
[ 54.461727][ T83] usb 1-1: config 0 has no interface number 0
[ 54.467818][ T102] usb 4-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 54.476968][ T102] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 54.487024][ T83] usb 1-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 54.496095][ T83] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 54.499116][ T12] usb 6-1: config 0 has an invalid interface number: 133 but max is 0
[ 54.512319][ T12] usb 6-1: config 0 has no interface number 0
[ 54.519077][ T1726] usb 5-1: config 0 has an invalid interface number: 133 but max is 0
[ 54.519431][ T102] usb 4-1: config 0 descriptor??
[ 54.527278][ T1726] usb 5-1: config 0 has no interface number 0
[ 54.538782][ T1727] usb 3-1: config 0 has an invalid interface number: 133 but max is 0
[ 54.539442][ T83] usb 1-1: config 0 descriptor??
[ 54.546977][ T1727] usb 3-1: config 0 has no interface number 0
[ 54.558006][ T5] usb 2-1: config 0 has an invalid interface number: 133 but max is 0
[ 54.566196][ T5] usb 2-1: config 0 has no interface number 0
[ 54.572333][ T1726] usb 5-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 54.581403][ T1726] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 54.589453][ T12] usb 6-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 54.598479][ T12] usb 6-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 54.600652][ T102] rio500 4-1:0.133: USB Rio found at address 2
[ 54.606556][ T5] usb 2-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 54.614111][ T83] rio500 1-1:0.133: USB Rio found at address 2
[ 54.621724][ T5] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 54.635887][ T1727] usb 3-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 54.644966][ T1727] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 54.656532][ T1726] usb 5-1: config 0 descriptor??
[ 54.664943][ T12] usb 6-1: config 0 descriptor??
[ 54.671156][ T1727] usb 3-1: config 0 descriptor??
[ 54.681460][ T5] usb 2-1: config 0 descriptor??
[ 54.710415][ T12] rio500 6-1:0.133: Second USB Rio at address 2 refused
[ 54.717586][ T12] rio500: probe of 6-1:0.133 failed with error -16
[ 54.725419][ T1726] rio500 5-1:0.133: Second USB Rio at address 2 refused
[ 54.733742][ T1727] rio500 3-1:0.133: Second USB Rio at address 2 refused
[ 54.742218][ T5] rio500 2-1:0.133: Second USB Rio at address 2 refused
[ 54.749466][ T1726] rio500: probe of 5-1:0.133 failed with error -16
[ 54.757672][ T1727] rio500: probe of 3-1:0.133 failed with error -16
[ 54.764554][ T5] rio500: probe of 2-1:0.133 failed with error -16
executing program
executing program
[ 54.800950][ T83] usb 4-1: USB disconnect, device number 2
[ 54.809422][ T83] rio500 4-1:0.133: USB Rio disconnected.
[ 54.835423][ T102] usb 1-1: USB disconnect, device number 2
[ 54.842715][ T102] ==================================================================
[ 54.851024][ T102] BUG: KASAN: double-free or invalid-free in disconnect_rio+0x12b/0x1b0
[ 54.859338][ T102]
[ 54.861695][ T102] CPU: 1 PID: 102 Comm: kworker/1:3 Not tainted 5.3.0+ #0
[ 54.868786][ T102] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.878857][ T102] Workqueue: usb_hub_wq hub_event
[ 54.883869][ T102] Call Trace:
[ 54.887149][ T102] dump_stack+0xca/0x13e
[ 54.891383][ T102] print_address_description+0x6a/0x32c
[ 54.896916][ T102] ? disconnect_rio+0x12b/0x1b0
[ 54.901762][ T102] kasan_report_invalid_free+0x61/0xa0
[ 54.907205][ T102] ? disconnect_rio+0x12b/0x1b0
[ 54.912036][ T102] __kasan_slab_free+0x162/0x180
[ 54.916995][ T102] ? disconnect_rio+0x12b/0x1b0
[ 54.921827][ T102] kfree+0xe4/0x2f0
[ 54.925626][ T102] disconnect_rio+0x12b/0x1b0
[ 54.930308][ T102] usb_unbind_interface+0x1bd/0x8a0
[ 54.935487][ T102] ? usb_autoresume_device+0x60/0x60
[ 54.940761][ T102] device_release_driver_internal+0x42f/0x500
executing program
[ 54.942683][ T5] usb 2-1: USB disconnect, device number 2
[ 54.946815][ T102] bus_remove_device+0x2dc/0x4a0
[ 54.957544][ T102] device_del+0x420/0xb10
[ 54.961876][ T102] ? __device_links_no_driver+0x240/0x240
[ 54.967593][ T102] ? lockdep_hardirqs_on+0x379/0x580
[ 54.972867][ T102] ? remove_intf_ep_devs+0x13f/0x1d0
[ 54.978140][ T102] usb_disable_device+0x211/0x690
[ 54.983175][ T102] usb_disconnect+0x284/0x8d0
[ 54.987845][ T102] hub_event+0x1454/0x3640
[ 54.992244][ T102] ? find_held_lock+0x2d/0x110
[ 54.997002][ T102] ? mark_held_locks+0xe0/0xe0
[ 55.001751][ T102] ? hub_port_debounce+0x260/0x260
[ 55.006844][ T102] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 55.012377][ T102] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 55.017641][ T102] process_one_work+0x92b/0x1530
[ 55.022562][ T102] ? pwq_dec_nr_in_flight+0x310/0x310
[ 55.027911][ T102] ? do_raw_spin_lock+0x11a/0x280
[ 55.032913][ T102] worker_thread+0x96/0xe20
[ 55.037410][ T102] ? process_one_work+0x1530/0x1530
[ 55.042589][ T102] kthread+0x318/0x420
[ 55.046638][ T102] ? kthread_create_on_node+0xf0/0xf0
[ 55.051988][ T102] ret_from_fork+0x24/0x30
[ 55.056389][ T102]
[ 55.058697][ T102] Allocated by task 83:
[ 55.062837][ T102] save_stack+0x1b/0x80
[ 55.066978][ T102] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 55.072587][ T102] probe_rio+0x135/0x248
[ 55.076817][ T102] usb_probe_interface+0x305/0x7a0
[ 55.082020][ T102] really_probe+0x281/0x6d0
[ 55.086498][ T102] driver_probe_device+0x101/0x1b0
[ 55.091584][ T102] __device_attach_driver+0x1c2/0x220
[ 55.096934][ T102] bus_for_each_drv+0x162/0x1e0
[ 55.101765][ T102] __device_attach+0x217/0x360
[ 55.106521][ T102] bus_probe_device+0x1e4/0x290
[ 55.111377][ T102] device_add+0xae6/0x16f0
[ 55.115789][ T102] usb_set_configuration+0xdf6/0x1670
[ 55.121147][ T102] generic_probe+0x9d/0xd5
[ 55.125558][ T102] usb_probe_device+0x99/0x100
[ 55.130306][ T102] really_probe+0x281/0x6d0
[ 55.134783][ T102] driver_probe_device+0x101/0x1b0
[ 55.139870][ T102] __device_attach_driver+0x1c2/0x220
[ 55.145223][ T102] bus_for_each_drv+0x162/0x1e0
[ 55.150049][ T102] __device_attach+0x217/0x360
[ 55.154787][ T102] bus_probe_device+0x1e4/0x290
[ 55.159615][ T102] device_add+0xae6/0x16f0
[ 55.164011][ T102] usb_new_device.cold+0x6a4/0xe79
[ 55.169102][ T102] hub_event+0x1b5c/0x3640
[ 55.173512][ T102] process_one_work+0x92b/0x1530
[ 55.178425][ T102] worker_thread+0x96/0xe20
[ 55.182904][ T102] kthread+0x318/0x420
[ 55.186952][ T102] ret_from_fork+0x24/0x30
[ 55.191339][ T102]
[ 55.193645][ T102] Freed by task 83:
[ 55.197434][ T102] save_stack+0x1b/0x80
[ 55.201564][ T102] __kasan_slab_free+0x130/0x180
[ 55.206482][ T102] kfree+0xe4/0x2f0
[ 55.210285][ T102] disconnect_rio+0x12b/0x1b0
[ 55.214940][ T102] usb_unbind_interface+0x1bd/0x8a0
[ 55.220120][ T102] device_release_driver_internal+0x42f/0x500
[ 55.226182][ T102] bus_remove_device+0x2dc/0x4a0
[ 55.231096][ T102] device_del+0x420/0xb10
[ 55.235403][ T102] usb_disable_device+0x211/0x690
[ 55.240404][ T102] usb_disconnect+0x284/0x8d0
[ 55.245062][ T102] hub_event+0x1454/0x3640
[ 55.249475][ T102] process_one_work+0x92b/0x1530
[ 55.254392][ T102] worker_thread+0x96/0xe20
[ 55.258888][ T102] kthread+0x318/0x420
[ 55.262935][ T102] ret_from_fork+0x24/0x30
[ 55.267322][ T102]
[ 55.269644][ T102] The buggy address belongs to the object at ffff8881c7d85500
[ 55.269644][ T102] which belongs to the cache kmalloc-4k of size 4096
[ 55.283672][ T102] The buggy address is located 0 bytes inside of
[ 55.283672][ T102] 4096-byte region [ffff8881c7d85500, ffff8881c7d86500)
[ 55.296828][ T102] The buggy address belongs to the page:
[ 55.302443][ T102] page:ffffea00071f6000 refcount:1 mapcount:0 mapping:ffff8881da00c280 index:0x0 compound_mapcount: 0
[ 55.313349][ T102] flags: 0x200000000010200(slab|head)
[ 55.318710][ T102] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c280
[ 55.327305][ T102] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 55.335871][ T102] page dumped because: kasan: bad access detected
[ 55.342258][ T102]
[ 55.344567][ T102] Memory state around the buggy address:
[ 55.350182][ T102]  ffff8881c7d85400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.358226][ T102]  ffff8881c7d85480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.358830][ T5] usb 2-1: new high-speed USB device number 3 using dummy_hcd
[ 55.366295][ T102] >ffff8881c7d85500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.366301][ T102]                    ^
[ 55.366309][ T102]  ffff8881c7d85580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.366317][ T102]  ffff8881c7d85600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
executing program
executing program
[ 55.366322][ T102] ==================================================================
[ 55.366326][ T102] Disabling lock debugging due to kernel taint
[ 55.366479][ T102] Kernel panic - not syncing: panic_on_warn set ...
[ 55.383058][ T1727] usb 5-1: USB disconnect, device number 2
[ 55.385878][ T102] CPU: 1 PID: 102 Comm: kworker/1:3 Tainted: G B 5.3.0+ #0
[ 55.385884][ T102] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.385902][ T102] Workqueue: usb_hub_wq hub_event
[ 55.394089][ T12] usb 6-1: USB disconnect, device number 2
[ 55.401963][ T102] Call Trace:
[ 55.401982][ T102] dump_stack+0xca/0x13e
[ 55.401993][ T102] panic+0x2a3/0x6da
[ 55.402002][ T102] ? add_taint.cold+0x16/0x16
[ 55.402022][ T102] ? disconnect_rio+0x12b/0x1b0
[ 55.410516][ T1726] usb 3-1: USB disconnect, device number 2
[ 55.416199][ T102] ? trace_hardirqs_on+0x55/0x1e0
[ 55.416215][ T102] ? disconnect_rio+0x12b/0x1b0
[ 55.494412][ T102] end_report+0x43/0x49
[ 55.498590][ T102] kasan_report_invalid_free+0x7d/0xa0
[ 55.504030][ T102] ? disconnect_rio+0x12b/0x1b0
[ 55.508860][ T102] __kasan_slab_free+0x162/0x180
[ 55.513778][ T102] ? disconnect_rio+0x12b/0x1b0
[ 55.518603][ T102] kfree+0xe4/0x2f0
[ 55.522402][ T102] disconnect_rio+0x12b/0x1b0
[ 55.527511][ T102] usb_unbind_interface+0x1bd/0x8a0
[ 55.532701][ T102] ? usb_autoresume_device+0x60/0x60
[ 55.537968][ T102] device_release_driver_internal+0x42f/0x500
[ 55.544015][ T102] bus_remove_device+0x2dc/0x4a0
[ 55.548933][ T102] device_del+0x420/0xb10
[ 55.553294][ T102] ? __device_links_no_driver+0x240/0x240
[ 55.558991][ T102] ? lockdep_hardirqs_on+0x379/0x580
[ 55.564298][ T102] ? remove_intf_ep_devs+0x13f/0x1d0
[ 55.569560][ T102] usb_disable_device+0x211/0x690
[ 55.574562][ T102] usb_disconnect+0x284/0x8d0
[ 55.579221][ T102] hub_event+0x1454/0x3640
[ 55.583625][ T102] ? find_held_lock+0x2d/0x110
[ 55.588368][ T102] ? mark_held_locks+0xe0/0xe0
[ 55.593117][ T102] ? hub_port_debounce+0x260/0x260
[ 55.598219][ T102] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 55.603750][ T102] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 55.609017][ T102] process_one_work+0x92b/0x1530
[ 55.613944][ T102] ? pwq_dec_nr_in_flight+0x310/0x310
[ 55.618778][ T5] usb 2-1: Using ep0 maxpacket: 16
[ 55.619305][ T102] ? do_raw_spin_lock+0x11a/0x280
[ 55.619319][ T102] worker_thread+0x96/0xe20
[ 55.619334][ T102] ? process_one_work+0x1530/0x1530
[ 55.639225][ T102] kthread+0x318/0x420
[ 55.643270][ T102] ? kthread_create_on_node+0xf0/0xf0
[ 55.648623][ T102] ret_from_fork+0x24/0x30
[ 55.653824][ T102] Kernel Offset: disabled
[ 55.658134][ T102] Rebooting in 86400 seconds..