[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 14.602840][ T1666] random: sshd: uninitialized urandom read (32 bytes read)
[ 14.706322][ C1] random: crng init done
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.10.21' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login:
[ 48.399976][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 48.399984][ T12] usb 6-1: new high-speed USB device number 2 using dummy_hcd
[ 48.419964][ T102] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 48.420828][ T17] usb 3-1: new high-speed USB device number 2 using dummy_hcd
[ 48.427545][ T103] usb 2-1: new high-speed USB device number 2 using dummy_hcd
[ 48.442737][ T5] usb 4-1: new high-speed USB device number 2 using dummy_hcd
[ 48.649959][ T83] usb 1-1: Using ep0 maxpacket: 16
[ 48.650073][ T12] usb 6-1: Using ep0 maxpacket: 16
[ 48.670182][ T17] usb 3-1: Using ep0 maxpacket: 16
[ 48.709963][ T103] usb 2-1: Using ep0 maxpacket: 16
[ 48.715264][ T5] usb 4-1: Using ep0 maxpacket: 16
[ 48.720538][ T102] usb 5-1: Using ep0 maxpacket: 16
[ 48.770119][ T83] usb 1-1: config 0 has an invalid interface number: 133 but max is 0
[ 48.778442][ T83] usb 1-1: config 0 has no interface number 0
[ 48.780098][ T12] usb 6-1: config 0 has an invalid interface number: 133 but max is 0
[ 48.784944][ T83] usb 1-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 48.792811][ T12] usb 6-1: config 0 has no interface number 0
[ 48.801833][ T83] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 48.801925][ T17] usb 3-1: config 0 has an invalid interface number: 133 but max is 0
[ 48.808378][ T12] usb 6-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 48.815982][ T17] usb 3-1: config 0 has no interface number 0
[ 48.816420][ T17] usb 3-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 48.824352][ T12] usb 6-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 48.833278][ T17] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 48.838438][ T83] usb 1-1: config 0 descriptor??
[ 48.840168][ T102] usb 5-1: config 0 has an invalid interface number: 133 but max is 0
[ 48.853523][ T17] usb 3-1: config 0 descriptor??
[ 48.856620][ T102] usb 5-1: config 0 has no interface number 0
[ 48.888709][ T5] usb 4-1: config 0 has an invalid interface number: 133 but max is 0
[ 48.891825][ T83] rio500 1-1:0.133: USB Rio found at address 2
[ 48.896938][ T5] usb 4-1: config 0 has no interface number 0
[ 48.908027][ T17] rio500 3-1:0.133: USB Rio found at address 2
executing program
executing program
[ 48.909151][ T103] usb 2-1: config 0 has an invalid interface number: 133 but max is 0
[ 48.909164][ T103] usb 2-1: config 0 has no interface number 0
[ 48.909191][ T103] usb 2-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 48.938925][ T103] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 48.947322][ T5] usb 4-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 48.956429][ T5] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 48.964758][ T12] usb 6-1: config 0 descriptor??
[ 48.971034][ T5] usb 4-1: config 0 descriptor??
[ 48.976370][ T102] usb 5-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 48.985555][ T102] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 48.993975][ T103] usb 2-1: config 0 descriptor??
[ 49.001240][ T12] rio500 6-1:0.133: Second USB Rio at address 2 refused
[ 49.008345][ T12] rio500: probe of 6-1:0.133 failed with error -16
[ 49.016244][ T5] rio500 4-1:0.133: Second USB Rio at address 2 refused
[ 49.023566][ T102] usb 5-1: config 0 descriptor??
[ 49.028735][ T5] rio500: probe of 4-1:0.133 failed with error -16
[ 49.036561][ T103] rio500 2-1:0.133: Second USB Rio at address 2 refused
[ 49.046218][ T103] rio500: probe of 2-1:0.133 failed with error -16
[ 49.061399][ T102] rio500 5-1:0.133: Second USB Rio at address 2 refused
[ 49.068436][ T102] rio500: probe of 5-1:0.133 failed with error -16
[ 49.092233][ T83] usb 1-1: USB disconnect, device number 2
[ 49.100957][ T83] rio500 1-1:0.133: USB Rio disconnected.
[ 49.112875][ T102] usb 3-1: USB disconnect, device number 2
[ 49.119818][ T102] ==================================================================
[ 49.128059][ T102] BUG: KASAN: double-free or invalid-free in disconnect_rio+0x12b/0x1b0
[ 49.136403][ T102]
[ 49.138717][ T102] CPU: 0 PID: 102 Comm: kworker/0:2 Not tainted 5.3.0+ #0
[ 49.145850][ T102] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.155925][ T102] Workqueue: usb_hub_wq hub_event
[ 49.160943][ T102] Call Trace:
[ 49.164213][ T102] dump_stack+0xca/0x13e
[ 49.168441][ T102] print_address_description+0x6a/0x32c
[ 49.173961][ T102] ? disconnect_rio+0x12b/0x1b0
[ 49.178787][ T102] kasan_report_invalid_free+0x61/0xa0
[ 49.184286][ T102] ? disconnect_rio+0x12b/0x1b0
[ 49.189188][ T102] __kasan_slab_free+0x162/0x180
[ 49.194113][ T102] ? disconnect_rio+0x12b/0x1b0
[ 49.198944][ T102] kfree+0xe4/0x2f0
[ 49.201656][ T17] usb 6-1: USB disconnect, device number 2
[ 49.202743][ T102] disconnect_rio+0x12b/0x1b0
[ 49.213193][ T102] usb_unbind_interface+0x1bd/0x8a0
[ 49.218396][ T102] ? usb_autoresume_device+0x60/0x60
[ 49.218934][ T1736] usb 4-1: USB disconnect, device number 2
[ 49.223676][ T102] device_release_driver_internal+0x42f/0x500
[ 49.223687][ T102] bus_remove_device+0x2dc/0x4a0
[ 49.223698][ T102] device_del+0x420/0xb10
[ 49.223714][ T102] ? __device_links_no_driver+0x240/0x240
[ 49.238446][ T1746] usb 2-1: USB disconnect, device number 2
[ 49.240487][ T102] ? lockdep_hardirqs_on+0x379/0x580
[ 49.240500][ T102] ? remove_intf_ep_devs+0x13f/0x1d0
[ 49.240516][ T102] usb_disable_device+0x211/0x690
[ 49.271971][ T102] usb_disconnect+0x284/0x8d0
[ 49.276626][ T102] hub_event+0x1454/0x3640
[ 49.281044][ T102] ? find_held_lock+0x2d/0x110
[ 49.285792][ T102] ? mark_held_locks+0xe0/0xe0
[ 49.290542][ T102] ? hub_port_debounce+0x260/0x260
[ 49.295627][ T102] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 49.301151][ T102] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 49.306414][ T102] process_one_work+0x92b/0x1530
[ 49.311339][ T102] ? pwq_dec_nr_in_flight+0x310/0x310
[ 49.316683][ T102] ? do_raw_spin_lock+0x11a/0x280
[ 49.321693][ T102] worker_thread+0x96/0xe20
[ 49.326170][ T102] ? process_one_work+0x1530/0x1530
[ 49.331349][ T102] kthread+0x318/0x420
[ 49.335393][ T102] ? kthread_create_on_node+0xf0/0xf0
[ 49.340741][ T102] ret_from_fork+0x24/0x30
[ 49.345135][ T102]
[ 49.347451][ T102] Allocated by task 17:
[ 49.351597][ T102] save_stack+0x1b/0x80
[ 49.355736][ T102] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 49.361343][ T102] probe_rio+0x135/0x248
[ 49.365561][ T102] usb_probe_interface+0x305/0x7a0
[ 49.370646][ T102] really_probe+0x281/0x6d0
[ 49.375128][ T102] driver_probe_device+0x101/0x1b0
[ 49.380211][ T102] __device_attach_driver+0x1c2/0x220
[ 49.385553][ T102] bus_for_each_drv+0x162/0x1e0
[ 49.390376][ T102] __device_attach+0x217/0x360
[ 49.395111][ T102] bus_probe_device+0x1e4/0x290
[ 49.399944][ T102] device_add+0xae6/0x16f0
[ 49.404338][ T102] usb_set_configuration+0xdf6/0x1670
[ 49.409681][ T102] generic_probe+0x9d/0xd5
[ 49.414072][ T102] usb_probe_device+0x99/0x100
[ 49.418822][ T102] really_probe+0x281/0x6d0
[ 49.423305][ T102] driver_probe_device+0x101/0x1b0
[ 49.428400][ T102] __device_attach_driver+0x1c2/0x220
[ 49.433743][ T102] bus_for_each_drv+0x162/0x1e0
[ 49.438573][ T102] __device_attach+0x217/0x360
[ 49.443316][ T102] bus_probe_device+0x1e4/0x290
[ 49.448143][ T102] device_add+0xae6/0x16f0
[ 49.452535][ T102] usb_new_device.cold+0x6a4/0xe79
[ 49.457627][ T102] hub_event+0x1b5c/0x3640
[ 49.462018][ T102] process_one_work+0x92b/0x1530
[ 49.466946][ T102] worker_thread+0x96/0xe20
[ 49.471424][ T102] kthread+0x318/0x420
[ 49.475471][ T102] ret_from_fork+0x24/0x30
[ 49.479857][ T102]
[ 49.482340][ T102] Freed by task 83:
[ 49.486125][ T102] save_stack+0x1b/0x80
[ 49.490264][ T102] __kasan_slab_free+0x130/0x180
[ 49.495173][ T102] kfree+0xe4/0x2f0
[ 49.498954][ T102] disconnect_rio+0x12b/0x1b0
[ 49.503606][ T102] usb_unbind_interface+0x1bd/0x8a0
[ 49.508778][ T102] device_release_driver_internal+0x42f/0x500
[ 49.514921][ T102] bus_remove_device+0x2dc/0x4a0
[ 49.519845][ T102] device_del+0x420/0xb10
[ 49.524157][ T102] usb_disable_device+0x211/0x690
[ 49.529153][ T102] usb_disconnect+0x284/0x8d0
[ 49.533799][ T102] hub_event+0x1454/0x3640
[ 49.538192][ T102] process_one_work+0x92b/0x1530
[ 49.543102][ T102] worker_thread+0x96/0xe20
[ 49.547586][ T102] kthread+0x318/0x420
[ 49.551629][ T102] ret_from_fork+0x24/0x30
[ 49.556013][ T102]
[ 49.558320][ T102] The buggy address belongs to the object at ffff8881d5498000
[ 49.558320][ T102] which belongs to the cache kmalloc-4k of size 4096
[ 49.572354][ T102] The buggy address is located 0 bytes inside of
[ 49.572354][ T102] 4096-byte region [ffff8881d5498000, ffff8881d5499000)
[ 49.585516][ T102] The buggy address belongs to the page:
[ 49.591123][ T102] page:ffffea0007552600 refcount:1 mapcount:0 mapping:ffff8881da00c280 index:0x0 compound_mapcount: 0
[ 49.602027][ T102] flags: 0x200000000010200(slab|head)
[ 49.607374][ T102] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c280
[ 49.615954][ T102] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 49.624516][ T102] page dumped because: kasan: bad access detected
[ 49.630901][ T102]
[ 49.633199][ T102] Memory state around the buggy address:
[ 49.638814][ T102] ffff8881d5497f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 49.646847][ T102] ffff8881d5497f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 49.654893][ T102] >ffff8881d5498000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.662938][ T102] ^
[ 49.667047][ T102] ffff8881d5498080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.675091][ T102] ffff8881d5498100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.683497][ T102] ==================================================================
[ 49.691541][ T102] Disabling lock debugging due to kernel taint
[ 49.697785][ T102] Kernel panic - not syncing: panic_on_warn set ...
[ 49.704392][ T102] CPU: 0 PID: 102 Comm: kworker/0:2 Tainted: G B 5.3.0+ #0
[ 49.712874][ T102] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.722914][ T102] Workqueue: usb_hub_wq hub_event
[ 49.727912][ T102] Call Trace:
[ 49.731181][ T102] dump_stack+0xca/0x13e
[ 49.735416][ T102] panic+0x2a3/0x6da
[ 49.739290][ T102] ? add_taint.cold+0x16/0x16
[ 49.743942][ T102] ? disconnect_rio+0x12b/0x1b0
[ 49.748769][ T102] ? trace_hardirqs_on+0x55/0x1e0
[ 49.753781][ T102] ? disconnect_rio+0x12b/0x1b0
[ 49.758608][ T102] end_report+0x43/0x49
[ 49.762743][ T102] kasan_report_invalid_free+0x7d/0xa0
[ 49.768182][ T102] ? disconnect_rio+0x12b/0x1b0
[ 49.773009][ T102] __kasan_slab_free+0x162/0x180
[ 49.777931][ T102] ? disconnect_rio+0x12b/0x1b0
[ 49.782769][ T102] kfree+0xe4/0x2f0
[ 49.786567][ T102] disconnect_rio+0x12b/0x1b0
[ 49.791223][ T102] usb_unbind_interface+0x1bd/0x8a0
[ 49.796399][ T102] ? usb_autoresume_device+0x60/0x60
[ 49.801662][ T102] device_release_driver_internal+0x42f/0x500
[ 49.807705][ T102] bus_remove_device+0x2dc/0x4a0
[ 49.812645][ T102] device_del+0x420/0xb10
[ 49.816960][ T102] ? __device_links_no_driver+0x240/0x240
[ 49.822669][ T102] ? lockdep_hardirqs_on+0x379/0x580
[ 49.827947][ T102] ? remove_intf_ep_devs+0x13f/0x1d0
[ 49.833223][ T102] usb_disable_device+0x211/0x690
[ 49.838225][ T102] usb_disconnect+0x284/0x8d0
[ 49.842877][ T102] hub_event+0x1454/0x3640
[ 49.847269][ T102] ? find_held_lock+0x2d/0x110
[ 49.852009][ T102] ? mark_held_locks+0xe0/0xe0
[ 49.856755][ T102] ? hub_port_debounce+0x260/0x260
[ 49.861843][ T102] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 49.867366][ T102] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 49.872629][ T102] process_one_work+0x92b/0x1530
[ 49.877553][ T102] ? pwq_dec_nr_in_flight+0x310/0x310
[ 49.882918][ T102] ? do_raw_spin_lock+0x11a/0x280
[ 49.887918][ T102] worker_thread+0x96/0xe20
[ 49.892404][ T102] ? process_one_work+0x1530/0x1530
[ 49.897586][ T102] kthread+0x318/0x420
[ 49.901629][ T102] ? kthread_create_on_node+0xf0/0xf0
[ 49.906989][ T102] ret_from_fork+0x24/0x30
[ 49.911858][ T102] Kernel Offset: disabled
[ 49.916301][ T102] Rebooting in 86400 seconds..