[   44.967104] audit: type=1800 audit(1555461265.686:27): pid=5196 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[   44.986621] audit: type=1800 audit(1555461265.696:28): pid=5196 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   45.590039] audit: type=1800 audit(1555461266.346:29): pid=5196 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[   45.609474] audit: type=1800 audit(1555461266.346:30): pid=5196 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.15' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   84.753161] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   84.993121] usb 1-1: Using ep0 maxpacket: 8
[   85.123177] usb 1-1: config 0 has an invalid interface number: 28 but max is 0
[   85.130765] usb 1-1: config 0 has no interface number 0
[   85.136229] usb 1-1: New USB device found, idVendor=04fa, idProduct=2490, bcdDevice=74.f9
[   85.144604] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   85.153768] usb 1-1: config 0 descriptor??
[   85.393379] ==================================================================
[   85.401130] BUG: KASAN: use-after-free in ds_probe+0x604/0x760
[   85.407295] Read of size 1 at addr ffff88809f4c0802 by task kworker/0:2/532
[   85.414482] 
[   85.416116] CPU: 0 PID: 532 Comm: kworker/0:2 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
[   85.424339] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   85.433688] Workqueue: usb_hub_wq hub_event
[   85.437990] Call Trace:
[   85.440573]  dump_stack+0xe8/0x16e
[   85.444105]  ? ds_probe+0x604/0x760
[   85.447809]  ? ds_probe+0x604/0x760
[   85.451526]  print_address_description+0x6c/0x236
[   85.456469]  ? ds_probe+0x604/0x760
[   85.460084]  ? ds_probe+0x604/0x760
[   85.463703]  kasan_report.cold+0x1a/0x3c
[   85.467843]  ? ds_probe+0x604/0x760
[   85.471712]  ds_probe+0x604/0x760
[   85.475168]  usb_probe_interface+0x31d/0x820
[   85.479749]  ? usb_probe_device+0x150/0x150
[   85.484060]  really_probe+0x2da/0xb10
[   85.487984]  driver_probe_device+0x21d/0x350
[   85.492755]  __device_attach_driver+0x1d8/0x290
[   85.497759]  ? driver_allows_async_probing+0x160/0x160
[   85.503036]  bus_for_each_drv+0x163/0x1e0
[   85.507186]  ? bus_rescan_devices+0x30/0x30
[   85.511503]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[   85.516594]  ? lockdep_hardirqs_on+0x37e/0x580
[   85.521166]  __device_attach+0x223/0x3a0
[   85.525421]  ? device_bind_driver+0xe0/0xe0
[   85.529749]  ? kobject_uevent_env+0x295/0x13d0
[   85.534348]  bus_probe_device+0x1f1/0x2a0
[   85.538500]  ? blocking_notifier_call_chain+0x59/0xb0
[   85.543804]  device_add+0xad2/0x16e0
[   85.547512]  ? get_device_parent.isra.0+0x560/0x560
[   85.552520]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[   85.557616]  usb_set_configuration+0xdf7/0x1740
[   85.562297]  generic_probe+0xa2/0xda
[   85.566063]  usb_probe_device+0xc0/0x150
[   85.570245]  ? usb_suspend+0x5f0/0x5f0
[   85.574321]  really_probe+0x2da/0xb10
[   85.578150]  driver_probe_device+0x21d/0x350
[   85.582649]  __device_attach_driver+0x1d8/0x290
[   85.588008]  ? driver_allows_async_probing+0x160/0x160
[   85.593763]  bus_for_each_drv+0x163/0x1e0
[   85.598012]  ? bus_rescan_devices+0x30/0x30
[   85.602409]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[   85.607889]  ? lockdep_hardirqs_on+0x37e/0x580
[   85.612579]  __device_attach+0x223/0x3a0
[   85.616627]  ? device_bind_driver+0xe0/0xe0
[   85.621143]  ? kobject_uevent_env+0x295/0x13d0
[   85.625743]  bus_probe_device+0x1f1/0x2a0
[   85.629883]  ? blocking_notifier_call_chain+0x59/0xb0
[   85.636284]  device_add+0xad2/0x16e0
[   85.639991]  ? get_device_parent.isra.0+0x560/0x560
[   85.645018]  usb_new_device.cold+0x537/0xccf
[   85.649425]  hub_event+0x138e/0x3b00
[   85.653199]  ? hub_port_debounce+0x350/0x350
[   85.657610]  ? _raw_spin_unlock_irq+0x29/0x40
[   85.662102]  process_one_work+0x90f/0x1580
[   85.666451]  ? wq_pool_ids_show+0x300/0x300
[   85.670770]  ? do_raw_spin_lock+0x11f/0x290
[   85.675089]  worker_thread+0x9b/0xe20
[   85.679008]  ? process_one_work+0x1580/0x1580
[   85.683494]  kthread+0x313/0x420
[   85.686977]  ? kthread_park+0x1a0/0x1a0
[   85.691079]  ret_from_fork+0x3a/0x50
[   85.694784] 
[   85.696398] Allocated by task 3691:
[   85.700016]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   85.704930]  security_task_alloc+0x113/0x180
[   85.709324]  copy_process.part.0+0x1c62/0x76b0
[   85.713893]  _do_fork+0x234/0xed0
[   85.717350]  do_syscall_64+0xcf/0x4f0
[   85.721151]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   85.726322] 
[   85.727936] Freed by task 16:
[   85.731288]  __kasan_slab_free+0x130/0x180
[   85.735517]  slab_free_freelist_hook+0x5e/0x140
[   85.741565]  kfree+0xce/0x290
[   85.744663]  security_task_free+0x9a/0xf0
[   85.748797]  __put_task_struct+0xec/0x4d0
[   85.752983]  delayed_put_task_struct+0x189/0x290
[   85.757738]  rcu_core+0x83b/0x1a80
[   85.761277]  __do_softirq+0x22a/0x8cd
[   85.765145] 
[   85.766755] The buggy address belongs to the object at ffff88809f4c07e0
[   85.766755]  which belongs to the cache kmalloc-64 of size 64
[   85.779543] The buggy address is located 34 bytes inside of
[   85.779543]  64-byte region [ffff88809f4c07e0, ffff88809f4c0820)
[   85.791371] The buggy address belongs to the page:
[   85.796292] page:ffffea00027d3000 count:1 mapcount:0 mapping:ffff88812c3f5600 index:0x0
[   85.804429] flags: 0xfff00000000200(slab)
[   85.808559] raw: 00fff00000000200 ffffea00025e0f40 0000000800000008 ffff88812c3f5600
[   85.816425] raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000
[   85.824285] page dumped because: kasan: bad access detected
[   85.830079] 
[   85.831690] Memory state around the buggy address:
[   85.836603]  ffff88809f4c0700: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[   85.844151]  ffff88809f4c0780: 00 00 00 00 00 00 fc fc fc fc fc fc fb fb fb fb
[   85.851502] >ffff88809f4c0800: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
[   85.858843]                    ^
[   85.862191]  ffff88809f4c0880: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[   85.869730]  ffff88809f4c0900: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[   85.877082] ==================================================================
[   85.884459] Disabling lock debugging due to kernel taint
[   85.890031] Kernel panic - not syncing: panic_on_warn set ...
[   85.896014] CPU: 0 PID: 532 Comm: kworker/0:2 Tainted: G    B             5.1.0-rc4-319354-g9a33b36 #3
[   85.905466] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   85.914820] Workqueue: usb_hub_wq hub_event
[   85.919142] Call Trace:
[   85.921728]  dump_stack+0xe8/0x16e
[   85.925262]  panic+0x29d/0x5f2
[   85.928532]  ? __warn_printk+0xf8/0xf8
[   85.932421]  ? retint_kernel+0x10/0x10
[   85.936314]  ? trace_hardirqs_on+0x55/0x1c0
[   85.940651]  ? ds_probe+0x604/0x760
[   85.944285]  end_report+0x48/0x4e
[   85.947734]  ? ds_probe+0x604/0x760
[   85.951349]  kasan_report.cold+0xd/0x3c
[   85.955316]  ? ds_probe+0x604/0x760
[   85.958954]  ds_probe+0x604/0x760
[   85.962416]  usb_probe_interface+0x31d/0x820
[   85.966838]  ? usb_probe_device+0x150/0x150
[   85.971150]  really_probe+0x2da/0xb10
[   85.974944]  driver_probe_device+0x21d/0x350
[   85.979366]  __device_attach_driver+0x1d8/0x290
[   85.984028]  ? driver_allows_async_probing+0x160/0x160
[   85.989300]  bus_for_each_drv+0x163/0x1e0
[   85.993529]  ? bus_rescan_devices+0x30/0x30
[   85.997847]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[   86.002943]  ? lockdep_hardirqs_on+0x37e/0x580
[   86.007989]  __device_attach+0x223/0x3a0
[   86.012045]  ? device_bind_driver+0xe0/0xe0
[   86.016362]  ? kobject_uevent_env+0x295/0x13d0
[   86.020940]  bus_probe_device+0x1f1/0x2a0
[   86.025124]  ? blocking_notifier_call_chain+0x59/0xb0
[   86.030307]  device_add+0xad2/0x16e0
[   86.034017]  ? get_device_parent.isra.0+0x560/0x560
[   86.039024]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[   86.044137]  usb_set_configuration+0xdf7/0x1740
[   86.048810]  generic_probe+0xa2/0xda
[   86.052515]  usb_probe_device+0xc0/0x150
[   86.056569]  ? usb_suspend+0x5f0/0x5f0
[   86.060449]  really_probe+0x2da/0xb10
[   86.064247]  driver_probe_device+0x21d/0x350
[   86.068650]  __device_attach_driver+0x1d8/0x290
[   86.073313]  ? driver_allows_async_probing+0x160/0x160
[   86.087181]  bus_for_each_drv+0x163/0x1e0
[   86.091431]  ? bus_rescan_devices+0x30/0x30
[   86.095751]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[   86.100866]  ? lockdep_hardirqs_on+0x37e/0x580
[   86.105449]  __device_attach+0x223/0x3a0
[   86.109502]  ? device_bind_driver+0xe0/0xe0
[   86.113822]  ? kobject_uevent_env+0x295/0x13d0
[   86.118401]  bus_probe_device+0x1f1/0x2a0
[   86.122563]  ? blocking_notifier_call_chain+0x59/0xb0
[   86.127746]  device_add+0xad2/0x16e0
[   86.131455]  ? get_device_parent.isra.0+0x560/0x560
[   86.136477]  usb_new_device.cold+0x537/0xccf
[   86.140882]  hub_event+0x138e/0x3b00
[   86.144591]  ? hub_port_debounce+0x350/0x350
[   86.149232]  ? _raw_spin_unlock_irq+0x29/0x40
[   86.154147]  process_one_work+0x90f/0x1580
[   86.158446]  ? wq_pool_ids_show+0x300/0x300
[   86.162814]  ? do_raw_spin_lock+0x11f/0x290
[   86.167139]  worker_thread+0x9b/0xe20
[   86.170965]  ? process_one_work+0x1580/0x1580
[   86.175457]  kthread+0x313/0x420
[   86.178817]  ? kthread_park+0x1a0/0x1a0
[   86.182786]  ret_from_fork+0x3a/0x50
[   86.187283] Kernel Offset: disabled
[   86.190907] Rebooting in 86400 seconds..