[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 44.863552] kauditd_printk_skb: 8 callbacks suppressed [ 44.863561] audit: type=1800 audit(1555550859.527:29): pid=4986 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0 [ 44.888606] audit: type=1800 audit(1555550859.537:30): pid=4986 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.47' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 56.014359] IPVS: ftp: loaded support on port[0] = 21 [ 56.306976] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 56.546969] usb 1-1: Using ep0 maxpacket: 8 [ 56.667045] usb 1-1: config 0 has an invalid interface number: 28 but max is 0 [ 56.674807] usb 1-1: config 0 has no interface number 0 [ 56.680480] usb 1-1: New USB device found, idVendor=04fa, idProduct=2490, bcdDevice=74.f9 [ 56.689166] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 56.700303] usb 1-1: config 0 descriptor?? [ 56.937177] ================================================================== [ 56.944782] BUG: KASAN: use-after-free in ds_probe+0x604/0x760 [ 56.950964] Read of size 1 at addr ffff88821b043802 by task kworker/0:2/532 [ 56.958263] [ 56.959882] CPU: 0 PID: 532 Comm: kworker/0:2 Not tainted 5.1.0-rc5-319617-gd34f951 #4 [ 56.968053] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 56.977422] Workqueue: usb_hub_wq hub_event [ 56.981740] Call Trace: [ 56.984334] dump_stack+0xe8/0x16e [ 56.987863] ? ds_probe+0x604/0x760 [ 56.991482] ? ds_probe+0x604/0x760 [ 56.995216] print_address_description+0x6c/0x236 [ 57.000061] ? ds_probe+0x604/0x760 [ 57.003681] ? ds_probe+0x604/0x760 [ 57.007395] kasan_report.cold+0x1a/0x3c [ 57.011575] ? ds_probe+0x604/0x760 [ 57.015313] ds_probe+0x604/0x760 [ 57.018769] usb_probe_interface+0x31d/0x820 [ 57.023169] ? usb_probe_device+0x150/0x150 [ 57.027648] really_probe+0x2da/0xb10 [ 57.031642] driver_probe_device+0x21d/0x350 [ 57.036147] __device_attach_driver+0x1d8/0x290 [ 57.040905] ? driver_allows_async_probing+0x160/0x160 [ 57.046271] bus_for_each_drv+0x163/0x1e0 [ 57.050559] ? bus_rescan_devices+0x30/0x30 [ 57.054882] ? _raw_spin_unlock_irqrestore+0x4b/0x60 [ 57.059990] ? lockdep_hardirqs_on+0x37e/0x580 [ 57.064569] __device_attach+0x223/0x3a0 [ 57.068624] ? device_bind_driver+0xe0/0xe0 [ 57.072952] ? kobject_uevent_env+0x295/0x13d0 [ 57.077532] bus_probe_device+0x1f1/0x2a0 [ 57.081674] ? blocking_notifier_call_chain+0x59/0xb0 [ 57.086969] device_add+0xad2/0x16e0 [ 57.090854] ? get_device_parent.isra.0+0x560/0x560 [ 57.096193] ? _raw_spin_unlock_irqrestore+0x4b/0x60 [ 57.101312] usb_set_configuration+0xdf7/0x1740 [ 57.106248] generic_probe+0xa2/0xda [ 57.109952] usb_probe_device+0xc0/0x150 [ 57.114002] ? usb_suspend+0x5f0/0x5f0 [ 57.118242] really_probe+0x2da/0xb10 [ 57.122153] driver_probe_device+0x21d/0x350 [ 57.126652] __device_attach_driver+0x1d8/0x290 [ 57.131427] ? driver_allows_async_probing+0x160/0x160 [ 57.136707] bus_for_each_drv+0x163/0x1e0 [ 57.140863] ? bus_rescan_devices+0x30/0x30 [ 57.145179] ? _raw_spin_unlock_irqrestore+0x4b/0x60 [ 57.150278] ? lockdep_hardirqs_on+0x37e/0x580 [ 57.154930] __device_attach+0x223/0x3a0 [ 57.159085] ? device_bind_driver+0xe0/0xe0 [ 57.163422] ? kobject_uevent_env+0x295/0x13d0 [ 57.168467] bus_probe_device+0x1f1/0x2a0 [ 57.173160] ? blocking_notifier_call_chain+0x59/0xb0 [ 57.178368] device_add+0xad2/0x16e0 [ 57.182076] ? get_device_parent.isra.0+0x560/0x560 [ 57.187556] usb_new_device.cold+0x537/0xccf [ 57.192065] hub_event+0x1398/0x3b00 [ 57.195788] ? hub_port_debounce+0x350/0x350 [ 57.200276] ? _raw_spin_unlock_irq+0x29/0x40 [ 57.204791] process_one_work+0x90f/0x1580 [ 57.209170] ? wq_pool_ids_show+0x300/0x300 [ 57.213511] ? do_raw_spin_lock+0x11f/0x290 [ 57.217833] worker_thread+0x9b/0xe20 [ 57.221644] ? process_one_work+0x1580/0x1580 [ 57.226277] kthread+0x313/0x420 [ 57.229643] ? kthread_park+0x1a0/0x1a0 [ 57.233614] ret_from_fork+0x3a/0x50 [ 57.237852] [ 57.239541] Allocated by task 532: [ 57.243085] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 57.248213] __kmalloc_node_track_caller+0xf3/0x320 [ 57.253523] __devres_alloc_node+0x65/0x150 [ 57.257918] devm_pinctrl_get+0x34/0xc0 [ 57.262116] pinctrl_bind_pins+0xcb/0x950 [ 57.266444] really_probe+0x126/0xb10 [ 57.270336] driver_probe_device+0x21d/0x350 [ 57.274745] __device_attach_driver+0x1d8/0x290 [ 57.279661] bus_for_each_drv+0x163/0x1e0 [ 57.283920] __device_attach+0x223/0x3a0 [ 57.288339] bus_probe_device+0x1f1/0x2a0 [ 57.292501] device_add+0xad2/0x16e0 [ 57.296217] usb_set_configuration+0xdf7/0x1740 [ 57.300879] generic_probe+0xa2/0xda [ 57.304739] usb_probe_device+0xc0/0x150 [ 57.308797] really_probe+0x2da/0xb10 [ 57.312630] driver_probe_device+0x21d/0x350 [ 57.317126] __device_attach_driver+0x1d8/0x290 [ 57.321824] bus_for_each_drv+0x163/0x1e0 [ 57.325962] __device_attach+0x223/0x3a0 [ 57.330181] bus_probe_device+0x1f1/0x2a0 [ 57.334328] device_add+0xad2/0x16e0 [ 57.338644] usb_new_device.cold+0x537/0xccf [ 57.343059] hub_event+0x1398/0x3b00 [ 57.346780] process_one_work+0x90f/0x1580 [ 57.351107] worker_thread+0x9b/0xe20 [ 57.354907] kthread+0x313/0x420 [ 57.358269] ret_from_fork+0x3a/0x50 [ 57.361977] [ 57.363720] Freed by task 532: [ 57.366915] __kasan_slab_free+0x130/0x180 [ 57.371152] slab_free_freelist_hook+0x5e/0x140 [ 57.376131] kfree+0xce/0x280 [ 57.379233] devres_free+0x4a/0x70 [ 57.382774] devres_release+0x52/0x70 [ 57.386565] devm_pinctrl_put+0x46/0x80 [ 57.390623] pinctrl_bind_pins+0x333/0x950 [ 57.394861] really_probe+0x126/0xb10 [ 57.398975] driver_probe_device+0x21d/0x350 [ 57.403641] __device_attach_driver+0x1d8/0x290 [ 57.408503] bus_for_each_drv+0x163/0x1e0 [ 57.412892] __device_attach+0x223/0x3a0 [ 57.416948] bus_probe_device+0x1f1/0x2a0 [ 57.421271] device_add+0xad2/0x16e0 [ 57.425192] usb_set_configuration+0xdf7/0x1740 [ 57.430116] generic_probe+0xa2/0xda [ 57.433974] usb_probe_device+0xc0/0x150 [ 57.438103] really_probe+0x2da/0xb10 [ 57.442395] driver_probe_device+0x21d/0x350 [ 57.446818] __device_attach_driver+0x1d8/0x290 [ 57.451493] bus_for_each_drv+0x163/0x1e0 [ 57.455637] __device_attach+0x223/0x3a0 [ 57.459714] bus_probe_device+0x1f1/0x2a0 [ 57.463856] device_add+0xad2/0x16e0 [ 57.467848] usb_new_device.cold+0x537/0xccf [ 57.472528] hub_event+0x1398/0x3b00 [ 57.476313] process_one_work+0x90f/0x1580 [ 57.480644] worker_thread+0x9b/0xe20 [ 57.484706] kthread+0x313/0x420 [ 57.488061] ret_from_fork+0x3a/0x50 [ 57.491870] [ 57.493491] The buggy address belongs to the object at ffff88821b0437e0 [ 57.493491] which belongs to the cache kmalloc-64 of size 64 [ 57.506036] The buggy address is located 34 bytes inside of [ 57.506036] 64-byte region [ffff88821b0437e0, ffff88821b043820) [ 57.518505] The buggy address belongs to the page: [ 57.523567] page:ffffea00086c10c0 count:1 mapcount:0 mapping:ffff88812c3f5600 index:0x0 [ 57.531700] flags: 0x57ff00000000200(slab) [ 57.535927] raw: 057ff00000000200 dead000000000100 dead000000000200 ffff88812c3f5600 [ 57.544102] raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000 [ 57.552103] page dumped because: kasan: bad access detected [ 57.558060] [ 57.559764] Memory state around the buggy address: [ 57.564785] ffff88821b043700: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc [ 57.572233] ffff88821b043780: 00 00 00 00 00 00 fc fc fc fc fc fc fb fb fb fb [ 57.579816] >ffff88821b043800: fb fb fb fb fc fc fc fc 00 00 00 00 00 00 00 00 [ 57.587381] ^ [ 57.590744] ffff88821b043880: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc [ 57.598546] ffff88821b043900: fb fb fb fb fb fb fb fb fc fc fc fc 00 00 00 00 [ 57.606192] ================================================================== [ 57.613672] Disabling lock debugging due to kernel taint [ 57.619486] Kernel panic - not syncing: panic_on_warn set ... [ 57.625382] CPU: 0 PID: 532 Comm: kworker/0:2 Tainted: G B 5.1.0-rc5-319617-gd34f951 #4 [ 57.634815] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 57.644168] Workqueue: usb_hub_wq hub_event [ 57.648760] Call Trace: [ 57.651466] dump_stack+0xe8/0x16e [ 57.654996] panic+0x29d/0x5f2 [ 57.658178] ? __warn_printk+0xf8/0xf8 [ 57.662144] ? retint_kernel+0x10/0x10 [ 57.666043] ? trace_hardirqs_on+0x55/0x1c0 [ 57.670359] ? ds_probe+0x604/0x760 [ 57.673977] end_report+0x48/0x4e [ 57.677533] ? ds_probe+0x604/0x760 [ 57.681154] kasan_report.cold+0xd/0x3c [ 57.685118] ? ds_probe+0x604/0x760 [ 57.688734] ds_probe+0x604/0x760 [ 57.692270] usb_probe_interface+0x31d/0x820 [ 57.696711] ? usb_probe_device+0x150/0x150 [ 57.701045] really_probe+0x2da/0xb10 [ 57.705093] driver_probe_device+0x21d/0x350 [ 57.709501] __device_attach_driver+0x1d8/0x290 [ 57.714158] ? driver_allows_async_probing+0x160/0x160 [ 57.725940] bus_for_each_drv+0x163/0x1e0 [ 57.730080] ? bus_rescan_devices+0x30/0x30 [ 57.734390] ? _raw_spin_unlock_irqrestore+0x4b/0x60 [ 57.739833] ? lockdep_hardirqs_on+0x37e/0x580 [ 57.744408] __device_attach+0x223/0x3a0 [ 57.748547] ? device_bind_driver+0xe0/0xe0 [ 57.752857] ? kobject_uevent_env+0x295/0x13d0 [ 57.758025] bus_probe_device+0x1f1/0x2a0 [ 57.762169] ? blocking_notifier_call_chain+0x59/0xb0 [ 57.767365] device_add+0xad2/0x16e0 [ 57.771076] ? get_device_parent.isra.0+0x560/0x560 [ 57.776110] ? _raw_spin_unlock_irqrestore+0x4b/0x60 [ 57.781207] usb_set_configuration+0xdf7/0x1740 [ 57.785875] generic_probe+0xa2/0xda [ 57.789613] usb_probe_device+0xc0/0x150 [ 57.793702] ? usb_suspend+0x5f0/0x5f0 [ 57.797619] really_probe+0x2da/0xb10 [ 57.801494] driver_probe_device+0x21d/0x350 [ 57.805902] __device_attach_driver+0x1d8/0x290 [ 57.810828] ? driver_allows_async_probing+0x160/0x160 [ 57.816094] bus_for_each_drv+0x163/0x1e0 [ 57.820421] ? bus_rescan_devices+0x30/0x30 [ 57.824806] ? _raw_spin_unlock_irqrestore+0x4b/0x60 [ 57.829901] ? lockdep_hardirqs_on+0x37e/0x580 [ 57.834557] __device_attach+0x223/0x3a0 [ 57.839211] ? device_bind_driver+0xe0/0xe0 [ 57.843519] ? kobject_uevent_env+0x295/0x13d0 [ 57.848183] bus_probe_device+0x1f1/0x2a0 [ 57.852509] ? blocking_notifier_call_chain+0x59/0xb0 [ 57.857696] device_add+0xad2/0x16e0 [ 57.861426] ? get_device_parent.isra.0+0x560/0x560 [ 57.866575] usb_new_device.cold+0x537/0xccf [ 57.871061] hub_event+0x1398/0x3b00 [ 57.874802] ? hub_port_debounce+0x350/0x350 [ 57.879288] ? _raw_spin_unlock_irq+0x29/0x40 [ 57.883783] process_one_work+0x90f/0x1580 [ 57.888011] ? wq_pool_ids_show+0x300/0x300 [ 57.892363] ? do_raw_spin_lock+0x11f/0x290 [ 57.896715] worker_thread+0x9b/0xe20 [ 57.900856] ? process_one_work+0x1580/0x1580 [ 57.905863] kthread+0x313/0x420 [ 57.909471] ? kthread_park+0x1a0/0x1a0 [ 57.913565] ret_from_fork+0x3a/0x50 [ 57.918536] Kernel Offset: disabled [ 57.922501] Rebooting in 86400 seconds..