[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 15.557443][ C1] random: crng init done
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.173' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login:
[ 43.779392][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 43.789366][ T5] usb 2-1: new high-speed USB device number 2 using dummy_hcd
[ 43.789998][ T17] usb 4-1: new high-speed USB device number 2 using dummy_hcd
[ 43.796961][ T12] usb 6-1: new high-speed USB device number 2 using dummy_hcd
[ 43.805523][ T78] usb 3-1: new high-speed USB device number 2 using dummy_hcd
[ 43.811989][ T1739] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 44.019342][ T83] usb 1-1: Using ep0 maxpacket: 8
[ 44.059353][ T5] usb 2-1: Using ep0 maxpacket: 8
[ 44.064620][ T12] usb 6-1: Using ep0 maxpacket: 8
[ 44.069349][ T78] usb 3-1: Using ep0 maxpacket: 8
[ 44.070134][ T1739] usb 5-1: Using ep0 maxpacket: 8
[ 44.075454][ T17] usb 4-1: Using ep0 maxpacket: 8
[ 44.139630][ T83] usb 1-1: config 0 has an invalid interface number: 67 but max is 0
[ 44.147946][ T83] usb 1-1: config 0 has no interface number 0
[ 44.154154][ T83] usb 1-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=6e.90
[ 44.163460][ T83] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 44.172989][ T83] usb 1-1: config 0 descriptor??
[ 44.179651][ T5] usb 2-1: config 0 has an invalid interface number: 67 but max is 0
[ 44.188025][ T5] usb 2-1: config 0 has no interface number 0
[ 44.194598][ T5] usb 2-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=6e.90
[ 44.203861][ T5] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 44.209775][ T78] usb 3-1: config 0 has an invalid interface number: 67 but max is 0
[ 44.212131][ T12] usb 6-1: config 0 has an invalid interface number: 67 but max is 0
[ 44.220006][ T78] usb 3-1: config 0 has no interface number 0
[ 44.228071][ T12] usb 6-1: config 0 has no interface number 0
[ 44.234227][ T17] usb 4-1: config 0 has an invalid interface number: 67 but max is 0
[ 44.240314][ T1739] usb 5-1: config 0 has an invalid interface number: 67 but max is 0
[ 44.248282][ T17] usb 4-1: config 0 has no interface number 0
[ 44.250664][ T83] rio500 1-1:0.67: USB Rio found at address 2
[ 44.256704][ T1739] usb 5-1: config 0 has no interface number 0
[ 44.261755][ T1739] usb 5-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=6e.90
[ 44.264139][ T17] usb 4-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=6e.90
[ 44.268947][ T1739] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 44.273258][ T5] usb 2-1: config 0 descriptor??
[ 44.275114][ T17] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 44.285330][ T12] usb 6-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=6e.90
[ 44.305374][ T78] usb 3-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=6e.90
[ 44.306195][ T12] usb 6-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 44.306576][ T1739] usb 5-1: config 0 descriptor??
[ 44.314343][ T78] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 44.324601][ T78] usb 3-1: config 0 descriptor??
[ 44.335914][ T12] usb 6-1: config 0 descriptor??
[ 44.365405][ T5] rio500 2-1:0.67: Second USB Rio at address 2 refused
[ 44.375202][ T17] usb 4-1: config 0 descriptor??
[ 44.376877][ T1739] rio500 5-1:0.67: Second USB Rio at address 2 refused
[ 44.381682][ T78] rio500 3-1:0.67: Second USB Rio at address 2 refused
[ 44.388507][ T5] rio500: probe of 2-1:0.67 failed with error -16
[ 44.395767][ T78] rio500: probe of 3-1:0.67 failed with error -16
[ 44.409033][ T1739] rio500: probe of 5-1:0.67 failed with error -16
[ 44.430842][ T17] rio500 4-1:0.67: Second USB Rio at address 2 refused
executing program
[ 44.437904][ T17] rio500: probe of 4-1:0.67 failed with error -16
[ 44.457248][ T17] usb 1-1: USB disconnect, device number 2
[ 44.466180][ T17] rio500 1-1:0.67: USB Rio disconnected.
[ 44.480638][ T12] rio500 6-1:0.67: USB Rio found at address 2
executing program
executing program
executing program
[ 44.561532][ T78] usb 2-1: USB disconnect, device number 2
[ 44.576700][ T83] usb 5-1: USB disconnect, device number 2
[ 44.583988][ T12] usb 3-1: USB disconnect, device number 2
executing program
[ 44.630807][ T5] usb 4-1: USB disconnect, device number 2
executing program
[ 44.681158][ T1739] usb 6-1: USB disconnect, device number 2
[ 44.691119][ T1739] rio500 6-1:0.67: USB Rio disconnected.
[ 44.819357][ T17] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 44.919345][ T78] usb 2-1: new high-speed USB device number 3 using dummy_hcd
[ 44.939429][ T83] usb 5-1: new high-speed USB device number 3 using dummy_hcd
[ 44.949363][ T12] usb 3-1: new high-speed USB device number 3 using dummy_hcd
[ 45.039376][ T5] usb 4-1: new high-speed USB device number 3 using dummy_hcd
[ 45.059345][ T17] usb 1-1: Using ep0 maxpacket: 8
[ 45.059432][ T1739] usb 6-1: new high-speed USB device number 3 using dummy_hcd
[ 45.169384][ T78] usb 2-1: Using ep0 maxpacket: 8
[ 45.179537][ T83] usb 5-1: Using ep0 maxpacket: 8
[ 45.184859][ T17] usb 1-1: config 0 has an invalid interface number: 67 but max is 0
[ 45.193847][ T17] usb 1-1: config 0 has no interface number 0
[ 45.199387][ T12] usb 3-1: Using ep0 maxpacket: 8
[ 45.200186][ T17] usb 1-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=6e.90
[ 45.214493][ T17] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 45.223926][ T17] usb 1-1: config 0 descriptor??
[ 45.271251][ T17] rio500 1-1:0.67: USB Rio found at address 3
[ 45.279483][ T5] usb 4-1: Using ep0 maxpacket: 8
[ 45.299549][ T78] usb 2-1: config 0 has an invalid interface number: 67 but max is 0
[ 45.307728][ T78] usb 2-1: config 0 has no interface number 0
[ 45.314205][ T78] usb 2-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=6e.90
[ 45.323578][ T78] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 45.332006][ T83] usb 5-1: config 0 has an invalid interface number: 67 but max is 0
[ 45.339327][ T1739] usb 6-1: Using ep0 maxpacket: 8
[ 45.340115][ T83] usb 5-1: config 0 has no interface number 0
[ 45.340303][ T83] usb 5-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=6e.90
[ 45.349518][ T12] usb 3-1: config 0 has an invalid interface number: 67 but max is 0
[ 45.351269][ T83] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 45.360706][ T78] usb 2-1: config 0 descriptor??
[ 45.368962][ T12] usb 3-1: config 0 has no interface number 0
[ 45.372865][ T12] usb 3-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=6e.90
[ 45.379450][ T83] usb 5-1: config 0 descriptor??
[ 45.383512][ T12] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 45.412577][ T5] usb 4-1: config 0 has an invalid interface number: 67 but max is 0
[ 45.420736][ T5] usb 4-1: config 0 has no interface number 0
[ 45.426972][ T5] usb 4-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=6e.90
[ 45.432764][ T83] rio500 5-1:0.67: Second USB Rio at address 3 refused
[ 45.436275][ T5] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 45.451760][ T78] rio500 2-1:0.67: Second USB Rio at address 3 refused
[ 45.451816][ T78] rio500: probe of 2-1:0.67 failed with error -16
executing program
[ 45.468478][ T12] usb 3-1: config 0 descriptor??
[ 45.474692][ T83] rio500: probe of 5-1:0.67 failed with error -16
[ 45.477880][ T5] usb 4-1: config 0 descriptor??
[ 45.489920][ T1744] usb 1-1: USB disconnect, device number 3
[ 45.501712][ T1744] rio500 1-1:0.67: USB Rio disconnected.
[ 45.509685][ T1739] usb 6-1: config 0 has an invalid interface number: 67 but max is 0
[ 45.518212][ T1739] usb 6-1: config 0 has no interface number 0
[ 45.526309][ T5] rio500 4-1:0.67: USB Rio found at address 3
[ 45.534056][ T12] rio500 3-1:0.67: USB Rio found at address 3
[ 45.546954][ T1739] usb 6-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=6e.90
[ 45.556269][ T1739] usb 6-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 45.565880][ T1739] usb 6-1: config 0 descriptor??
executing program
[ 45.620876][ T1739] rio500 6-1:0.67: Second USB Rio at address 3 refused
[ 45.628057][ T1739] rio500: probe of 6-1:0.67 failed with error -16
[ 45.631863][ T83] usb 2-1: USB disconnect, device number 3
executing program
[ 45.661200][ T1739] usb 5-1: USB disconnect, device number 3
executing program
executing program
[ 45.726151][ T5] usb 4-1: USB disconnect, device number 3
[ 45.733700][ T5] rio500 4-1:0.67: USB Rio disconnected.
[ 45.734032][ T78] usb 3-1: USB disconnect, device number 3
[ 45.748537][ T78] ==================================================================
[ 45.756791][ T78] BUG: KASAN: double-free or invalid-free in disconnect_rio+0x12b/0x1b0
[ 45.765491][ T78]
[ 45.767894][ T78] CPU: 1 PID: 78 Comm: kworker/1:1 Not tainted 5.3.0+ #0
[ 45.775091][ T78] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.785184][ T78] Workqueue: usb_hub_wq hub_event
[ 45.790404][ T78] Call Trace:
[ 45.793697][ T78] dump_stack+0xca/0x13e
[ 45.797935][ T78] print_address_description+0x6a/0x32c
[ 45.803510][ T78] ? disconnect_rio+0x12b/0x1b0
[ 45.808377][ T78] kasan_report_invalid_free+0x61/0xa0
[ 45.814112][ T78] ? disconnect_rio+0x12b/0x1b0
[ 45.818958][ T78] __kasan_slab_free+0x162/0x180
executing program
[ 45.820939][ T12] usb 6-1: USB disconnect, device number 3
[ 45.824507][ T78] ? disconnect_rio+0x12b/0x1b0
[ 45.835139][ T78] kfree+0xe4/0x2f0
[ 45.838961][ T78] disconnect_rio+0x12b/0x1b0
[ 45.843724][ T78] usb_unbind_interface+0x1bd/0x8a0
[ 45.848934][ T78] ? usb_autoresume_device+0x60/0x60
[ 45.854225][ T78] device_release_driver_internal+0x42f/0x500
[ 45.860323][ T78] bus_remove_device+0x2dc/0x4a0
[ 45.865266][ T78] device_del+0x420/0xb10
[ 45.869590][ T78] ? __device_links_no_driver+0x240/0x240
[ 45.875306][ T78] ? lockdep_hardirqs_on+0x379/0x580
[ 45.880587][ T78] ? remove_intf_ep_devs+0x13f/0x1d0
[ 45.885882][ T78] usb_disable_device+0x211/0x690
[ 45.890902][ T78] usb_disconnect+0x284/0x8d0
[ 45.895577][ T78] hub_event+0x1454/0x3640
[ 45.900000][ T78] ? find_held_lock+0x2d/0x110
[ 45.906258][ T78] ? mark_held_locks+0xe0/0xe0
[ 45.911142][ T78] ? hub_port_debounce+0x260/0x260
[ 45.916255][ T78] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 45.921807][ T78] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 45.927089][ T78] process_one_work+0x92b/0x1530
[ 45.932024][ T78] ? pwq_dec_nr_in_flight+0x310/0x310
[ 45.937414][ T78] ? do_raw_spin_lock+0x11a/0x280
[ 45.942468][ T78] worker_thread+0x96/0xe20
[ 45.946972][ T78] ? process_one_work+0x1530/0x1530
[ 45.952169][ T78] kthread+0x318/0x420
[ 45.956260][ T78] ? kthread_create_on_node+0xf0/0xf0
[ 45.961637][ T78] ret_from_fork+0x24/0x30
[ 45.966033][ T78]
[ 45.968350][ T78] Allocated by task 12:
[ 45.972502][ T78] save_stack+0x1b/0x80
[ 45.976647][ T78] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 45.982373][ T78] probe_rio+0x135/0x248
[ 45.986620][ T78] usb_probe_interface+0x305/0x7a0
[ 45.991733][ T78] really_probe+0x281/0x6d0
[ 45.996325][ T78] driver_probe_device+0x101/0x1b0
[ 46.001748][ T78] __device_attach_driver+0x1c2/0x220
[ 46.007128][ T78] bus_for_each_drv+0x162/0x1e0
[ 46.012063][ T78] __device_attach+0x217/0x360
[ 46.016824][ T78] bus_probe_device+0x1e4/0x290
[ 46.021678][ T78] device_add+0xae6/0x16f0
[ 46.026099][ T78] usb_set_configuration+0xdf6/0x1670
[ 46.032697][ T78] generic_probe+0x9d/0xd5
[ 46.037128][ T78] usb_probe_device+0x99/0x100
[ 46.042109][ T78] really_probe+0x281/0x6d0
[ 46.046673][ T78] driver_probe_device+0x101/0x1b0
[ 46.051947][ T78] __device_attach_driver+0x1c2/0x220
[ 46.057309][ T78] bus_for_each_drv+0x162/0x1e0
[ 46.062242][ T78] __device_attach+0x217/0x360
[ 46.067116][ T78] bus_probe_device+0x1e4/0x290
[ 46.072178][ T78] device_add+0xae6/0x16f0
[ 46.076599][ T78] usb_new_device.cold+0x6a4/0xe79
[ 46.081811][ T78] hub_event+0x1b5c/0x3640
[ 46.086514][ T78] process_one_work+0x92b/0x1530
[ 46.091448][ T78] worker_thread+0x96/0xe20
[ 46.096159][ T78] kthread+0x318/0x420
[ 46.100229][ T78] ret_from_fork+0x24/0x30
[ 46.104949][ T78]
[ 46.107324][ T78] Freed by task 5:
[ 46.111177][ T78] save_stack+0x1b/0x80
[ 46.115442][ T78] __kasan_slab_free+0x130/0x180
[ 46.120363][ T78] kfree+0xe4/0x2f0
[ 46.124174][ T78] disconnect_rio+0x12b/0x1b0
[ 46.128846][ T78] usb_unbind_interface+0x1bd/0x8a0
[ 46.134047][ T78] device_release_driver_internal+0x42f/0x500
[ 46.140111][ T78] bus_remove_device+0x2dc/0x4a0
[ 46.145210][ T78] device_del+0x420/0xb10
[ 46.149562][ T78] usb_disable_device+0x211/0x690
[ 46.154591][ T78] usb_disconnect+0x284/0x8d0
[ 46.159270][ T78] hub_event+0x1454/0x3640
[ 46.163690][ T78] process_one_work+0x92b/0x1530
[ 46.168696][ T78] worker_thread+0x96/0xe20
[ 46.173235][ T78] kthread+0x318/0x420
[ 46.177300][ T78] ret_from_fork+0x24/0x30
[ 46.181698][ T78]
[ 46.184023][ T78] The buggy address belongs to the object at ffff8881d1895500
[ 46.184023][ T78] which belongs to the cache kmalloc-4k of size 4096
[ 46.198068][ T78] The buggy address is located 0 bytes inside of
[ 46.198068][ T78] 4096-byte region [ffff8881d1895500, ffff8881d1896500)
[ 46.211241][ T78] The buggy address belongs to the page:
[ 46.216888][ T78] page:ffffea0007462400 refcount:1 mapcount:0 mapping:ffff8881da00c280 index:0x0 compound_mapcount: 0
[ 46.227831][ T78] flags: 0x200000000010200(slab|head)
[ 46.233205][ T78] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c280
[ 46.241884][ T78] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 46.250473][ T78] page dumped because: kasan: bad access detected
[ 46.256873][ T78]
[ 46.259208][ T78] Memory state around the buggy address:
[ 46.264855][ T78]  ffff8881d1895400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 46.272915][ T78]  ffff8881d1895480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 46.280980][ T78] >ffff8881d1895500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.289041][ T78]                    ^
[ 46.293110][ T78]  ffff8881d1895580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.301176][ T78]  ffff8881d1895600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.309324][ T78] ==================================================================
[ 46.317475][ T78] Disabling lock debugging due to kernel taint
[ 46.324132][ T78] Kernel panic - not syncing: panic_on_warn set ...
[ 46.330730][ T78] CPU: 1 PID: 78 Comm: kworker/1:1 Tainted: G B 5.3.0+ #0
[ 46.339134][ T78] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.349196][ T78] Workqueue: usb_hub_wq hub_event
[ 46.354208][ T78] Call Trace:
[ 46.357514][ T78] dump_stack+0xca/0x13e
[ 46.361744][ T78] panic+0x2a3/0x6da
[ 46.365637][ T78] ? add_taint.cold+0x16/0x16
[ 46.370323][ T78] ? disconnect_rio+0x12b/0x1b0
[ 46.375166][ T78] ? trace_hardirqs_on+0x55/0x1e0
[ 46.380175][ T78] ? disconnect_rio+0x12b/0x1b0
[ 46.385736][ T78] end_report+0x43/0x49
[ 46.389966][ T78] kasan_report_invalid_free+0x7d/0xa0
[ 46.395425][ T78] ? disconnect_rio+0x12b/0x1b0
[ 46.400294][ T78] __kasan_slab_free+0x162/0x180
[ 46.405334][ T78] ? disconnect_rio+0x12b/0x1b0
[ 46.410197][ T78] kfree+0xe4/0x2f0
[ 46.414017][ T78] disconnect_rio+0x12b/0x1b0
[ 46.418692][ T78] usb_unbind_interface+0x1bd/0x8a0
[ 46.423880][ T78] ? usb_autoresume_device+0x60/0x60
[ 46.429165][ T78] device_release_driver_internal+0x42f/0x500
[ 46.435241][ T78] bus_remove_device+0x2dc/0x4a0
[ 46.440193][ T78] device_del+0x420/0xb10
[ 46.444524][ T78] ? __device_links_no_driver+0x240/0x240
[ 46.450361][ T78] ? lockdep_hardirqs_on+0x379/0x580
[ 46.455648][ T78] ? remove_intf_ep_devs+0x13f/0x1d0
[ 46.460943][ T78] usb_disable_device+0x211/0x690
[ 46.465959][ T78] usb_disconnect+0x284/0x8d0
[ 46.470623][ T78] hub_event+0x1454/0x3640
[ 46.475054][ T78] ? find_held_lock+0x2d/0x110
[ 46.479836][ T78] ? mark_held_locks+0xe0/0xe0
[ 46.484607][ T78] ? hub_port_debounce+0x260/0x260
[ 46.489707][ T78] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 46.495239][ T78] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 46.500515][ T78] process_one_work+0x92b/0x1530
[ 46.505445][ T78] ? pwq_dec_nr_in_flight+0x310/0x310
[ 46.510904][ T78] ? do_raw_spin_lock+0x11a/0x280
[ 46.515934][ T78] worker_thread+0x96/0xe20
[ 46.520548][ T78] ? process_one_work+0x1530/0x1530
[ 46.525758][ T78] kthread+0x318/0x420
[ 46.529822][ T78] ? kthread_create_on_node+0xf0/0xf0
[ 46.535208][ T78] ret_from_fork+0x24/0x30
[ 46.540456][ T78] Kernel Offset: disabled
[ 46.545146][ T78] Rebooting in 86400 seconds..