[ 46.723695] audit: type=1800 audit(1555272945.633:27): pid=5509 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[ 46.723721] audit: type=1800 audit(1555272945.633:28): pid=5509 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 47.548032] audit: type=1800 audit(1555272946.483:29): pid=5509 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 47.567463] audit: type=1800 audit(1555272946.493:30): pid=5509 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.1.9' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 58.209333] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 58.449261] usb 1-1: Using ep0 maxpacket: 8
[ 58.569321] usb 1-1: config 0 has an invalid interface number: 119 but max is 0
[ 58.576857] usb 1-1: config 0 descriptor has 1 excess byte, ignoring
[ 58.583398] usb 1-1: config 0 has no interface number 0
[ 58.588788] usb 1-1: config 0 interface 119 altsetting 0 bulk endpoint 0x1 has invalid maxpacket 11
[ 58.598043] usb 1-1: New USB device found, idVendor=0586, idProduct=0102, bcdDevice=cd.59
[ 58.606408] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 58.615535] usb 1-1: config 0 descriptor??
[ 58.671778] ==================================================================
[ 58.679311] BUG: KASAN: stack-out-of-bounds in hfcsusb_probe.cold+0x1a43/0x267f
[ 58.686769] Read of size 4 at addr ffff8880a84b72f0 by task kworker/0:1/12
[ 58.693756]
[ 58.695382] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
[ 58.703326] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.712730] Workqueue: usb_hub_wq hub_event
[ 58.717031] Call Trace:
[ 58.719606] dump_stack+0xe8/0x16e
[ 58.723128] ? hfcsusb_probe.cold+0x1a43/0x267f
[ 58.727778] ? hfcsusb_probe.cold+0x1a43/0x267f
[ 58.732428] print_address_description+0x6c/0x236
[ 58.737253] ? hfcsusb_probe.cold+0x1a43/0x267f
[ 58.741934] ? hfcsusb_probe.cold+0x1a43/0x267f
[ 58.746581] kasan_report.cold+0x1a/0x3c
[ 58.750638] ? hfcsusb_probe.cold+0x1a43/0x267f
[ 58.755288] hfcsusb_probe.cold+0x1a43/0x267f
[ 58.759774] ? handle_led+0x780/0x780
[ 58.763559] ? __pm_runtime_set_status+0x5d6/0xa10
[ 58.768484] usb_probe_interface+0x31d/0x820
[ 58.772889] ? usb_probe_device+0x150/0x150
[ 58.777197] really_probe+0x2da/0xb10
[ 58.780984] driver_probe_device+0x21d/0x350
[ 58.785375] __device_attach_driver+0x1d8/0x290
[ 58.790030] ? driver_allows_async_probing+0x160/0x160
[ 58.795304] bus_for_each_drv+0x163/0x1e0
[ 58.799444] ? bus_rescan_devices+0x30/0x30
[ 58.803748] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 58.808829] ? lockdep_hardirqs_on+0x37e/0x580
[ 58.813393] __device_attach+0x223/0x3a0
[ 58.817433] ? device_bind_driver+0xe0/0xe0
[ 58.821737] ? kobject_uevent_env+0x295/0x13d0
[ 58.826308] bus_probe_device+0x1f1/0x2a0
[ 58.830442] ? blocking_notifier_call_chain+0x59/0xb0
[ 58.835615] device_add+0xad2/0x16e0
[ 58.839315] ? get_device_parent.isra.0+0x560/0x560
[ 58.844314] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 58.849418] usb_set_configuration+0xdf7/0x1740
[ 58.854097] generic_probe+0xa2/0xda
[ 58.857810] usb_probe_device+0xc0/0x150
[ 58.861871] ? usb_suspend+0x5f0/0x5f0
[ 58.865767] really_probe+0x2da/0xb10
[ 58.869565] driver_probe_device+0x21d/0x350
[ 58.873977] __device_attach_driver+0x1d8/0x290
[ 58.879262] ? driver_allows_async_probing+0x160/0x160
[ 58.884536] bus_for_each_drv+0x163/0x1e0
[ 58.888683] ? bus_rescan_devices+0x30/0x30
[ 58.893003] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 58.898101] ? lockdep_hardirqs_on+0x37e/0x580
[ 58.902687] __device_attach+0x223/0x3a0
[ 58.906742] ? device_bind_driver+0xe0/0xe0
[ 58.911077] ? kobject_uevent_env+0x295/0x13d0
[ 58.915667] bus_probe_device+0x1f1/0x2a0
[ 58.919812] ? blocking_notifier_call_chain+0x59/0xb0
[ 58.925001] device_add+0xad2/0x16e0
[ 58.928717] ? get_device_parent.isra.0+0x560/0x560
[ 58.933746] usb_new_device.cold+0x537/0xccf
[ 58.938156] hub_event+0x138e/0x3b00
[ 58.941894] ? hub_port_debounce+0x350/0x350
[ 58.946317] ? _raw_spin_unlock_irq+0x29/0x40
[ 58.950815] process_one_work+0x90f/0x1580
[ 58.955058] ? wq_pool_ids_show+0x300/0x300
[ 58.959375] ? do_raw_spin_lock+0x11f/0x290
[ 58.963700] worker_thread+0x9b/0xe20
[ 58.967507] ? process_one_work+0x1580/0x1580
[ 58.972001] kthread+0x313/0x420
[ 58.975363] ? kthread_park+0x1a0/0x1a0
[ 58.979336] ret_from_fork+0x3a/0x50
[ 58.983054]
[ 58.984668] The buggy address belongs to the page:
[ 58.989615] page:ffffea0002a12dc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 58.997752] flags: 0xfff00000000000()
[ 59.001548] raw: 00fff00000000000 ffffea0002a12dc8 ffffea0002a12dc8 0000000000000000
[ 59.009423] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 59.017289] page dumped because: kasan: bad access detected
[ 59.022985]
[ 59.024598] Memory state around the buggy address:
[ 59.029522]  ffff8880a84b7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 59.036870]  ffff8880a84b7200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
[ 59.044221] >ffff8880a84b7280: f1 f1 f1 f1 01 f2 00 00 00 00 00 00 00 00 f3 f3
[ 59.051569]                                                              ^
[ 59.058570]  ffff8880a84b7300: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 59.065921]  ffff8880a84b7380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[