[ 44.317184] audit: type=1800 audit(1555475665.744:27): pid=5297 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[ 44.317208] audit: type=1800 audit(1555475665.744:28): pid=5297 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 45.029749] audit: type=1800 audit(1555475666.474:29): pid=5297 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 45.050494] audit: type=1800 audit(1555475666.474:30): pid=5297 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.1.57' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 68.686526] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 68.926477] usb 1-1: Using ep0 maxpacket: 8
[ 69.046563] usb 1-1: config 0 has an invalid interface number: 28 but max is 0
[ 69.054097] usb 1-1: config 0 has no interface number 0
[ 69.060067] usb 1-1: New USB device found, idVendor=04fa, idProduct=2490, bcdDevice=74.f9
[ 69.068471] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 69.080126] usb 1-1: config 0 descriptor??
[ 69.316670] ==================================================================
[ 69.324204] BUG: KASAN: use-after-free in ds_probe+0x604/0x760
[ 69.330239] Read of size 1 at addr ffff8880a5032202 by task kworker/1:3/576
[ 69.337497]
[ 69.339128] CPU: 1 PID: 576 Comm: kworker/1:3 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
[ 69.347172] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.356536] Workqueue: usb_hub_wq hub_event
[ 69.360850] Call Trace:
[ 69.363435] dump_stack+0xe8/0x16e
[ 69.366967] ? ds_probe+0x604/0x760
[ 69.370659] ? ds_probe+0x604/0x760
[ 69.374477] print_address_description+0x6c/0x236
[ 69.379742] ? ds_probe+0x604/0x760
[ 69.383543] ? ds_probe+0x604/0x760
[ 69.387159] kasan_report.cold+0x1a/0x3c
[ 69.391234] ? ds_probe+0x604/0x760
[ 69.394894] ds_probe+0x604/0x760
[ 69.398356] usb_probe_interface+0x31d/0x820
[ 69.402776] ? usb_probe_device+0x150/0x150
[ 69.407200] really_probe+0x2da/0xb10
[ 69.411451] driver_probe_device+0x21d/0x350
[ 69.415873] __device_attach_driver+0x1d8/0x290
[ 69.420647] ? driver_allows_async_probing+0x160/0x160
[ 69.426121] bus_for_each_drv+0x163/0x1e0
[ 69.430285] ? bus_rescan_devices+0x30/0x30
[ 69.434607] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 69.439761] ? lockdep_hardirqs_on+0x37e/0x580
[ 69.444390] __device_attach+0x223/0x3a0
[ 69.448448] ? device_bind_driver+0xe0/0xe0
[ 69.452761] ? kobject_uevent_env+0x295/0x13d0
[ 69.457390] bus_probe_device+0x1f1/0x2a0
[ 69.461587] ? blocking_notifier_call_chain+0x59/0xb0
[ 69.466786] device_add+0xad2/0x16e0
[ 69.470499] ? get_device_parent.isra.0+0x560/0x560
[ 69.475520] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 69.480628] usb_set_configuration+0xdf7/0x1740
[ 69.485292] generic_probe+0xa2/0xda
[ 69.489005] usb_probe_device+0xc0/0x150
[ 69.493067] ? usb_suspend+0x5f0/0x5f0
[ 69.497035] really_probe+0x2da/0xb10
[ 69.500849] driver_probe_device+0x21d/0x350
[ 69.505266] __device_attach_driver+0x1d8/0x290
[ 69.510076] ? driver_allows_async_probing+0x160/0x160
[ 69.515354] bus_for_each_drv+0x163/0x1e0
[ 69.519504] ? bus_rescan_devices+0x30/0x30
[ 69.523828] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 69.528925] ? lockdep_hardirqs_on+0x37e/0x580
[ 69.533710] __device_attach+0x223/0x3a0
[ 69.537789] ? device_bind_driver+0xe0/0xe0
[ 69.542126] ? kobject_uevent_env+0x295/0x13d0
[ 69.546705] bus_probe_device+0x1f1/0x2a0
[ 69.550868] ? blocking_notifier_call_chain+0x59/0xb0
[ 69.556075] device_add+0xad2/0x16e0
[ 69.559812] ? get_device_parent.isra.0+0x560/0x560
[ 69.564843] usb_new_device.cold+0x537/0xccf
[ 69.569254] hub_event+0x138e/0x3b00
[ 69.573111] ? hub_port_debounce+0x350/0x350
[ 69.577520] ? _raw_spin_unlock_irq+0x29/0x40
[ 69.582174] process_one_work+0x90f/0x1580
[ 69.586465] ? wq_pool_ids_show+0x300/0x300
[ 69.590783] ? do_raw_spin_lock+0x11f/0x290
[ 69.595098] worker_thread+0x9b/0xe20
[ 69.599022] ? process_one_work+0x1580/0x1580
[ 69.603509] kthread+0x313/0x420
[ 69.606877] ? kthread_park+0x1a0/0x1a0
[ 69.611069] ret_from_fork+0x3a/0x50
[ 69.614917]
[ 69.616583] Allocated by task 576:
[ 69.620129] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 69.625080] hub_port_init+0x79b/0x2d30
[ 69.629093] hub_event+0x11b8/0x3b00
[ 69.632806] process_one_work+0x90f/0x1580
[ 69.637128] worker_thread+0x9b/0xe20
[ 69.640964] kthread+0x313/0x420
[ 69.644325] ret_from_fork+0x3a/0x50
[ 69.648024]
[ 69.649681] Freed by task 576:
[ 69.652872] __kasan_slab_free+0x130/0x180
[ 69.657152] slab_free_freelist_hook+0x5e/0x140
[ 69.661947] kfree+0xce/0x290
[ 69.665055] hub_port_init+0x91f/0x2d30
[ 69.669160] hub_event+0x11b8/0x3b00
[ 69.672870] process_one_work+0x90f/0x1580
[ 69.677184] worker_thread+0x9b/0xe20
[ 69.680986] kthread+0x313/0x420
[ 69.684489] ret_from_fork+0x3a/0x50
[ 69.688194]
[ 69.689818] The buggy address belongs to the object at ffff8880a50321e0
[ 69.689818] which belongs to the cache kmalloc-64 of size 64
[ 69.702365] The buggy address is located 34 bytes inside of
[ 69.702365] 64-byte region [ffff8880a50321e0, ffff8880a5032220)
[ 69.714070] The buggy address belongs to the page:
[ 69.719095] page:ffffea0002940c80 count:1 mapcount:0 mapping:ffff88812c3f5600 index:0x0
[ 69.727232] flags: 0xfff00000000200(slab)
[ 69.731486] raw: 00fff00000000200 ffffea00025fad00 0000000900000009 ffff88812c3f5600
[ 69.739434] raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000
[ 69.747317] page dumped because: kasan: bad access detected
[ 69.753018]
[ 69.754636] Memory state around the buggy address:
[ 69.759557]  ffff8880a5032100: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[ 69.766917]  ffff8880a5032180: 00 00 00 00 00 00 fc fc fc fc fc fc fb fb fb fb
[ 69.774367] >ffff8880a5032200: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
[ 69.781732]                    ^
[ 69.785095]  ffff8880a5032280: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[ 69.792462]  ffff8880a5032300: 00 00 00 00 00 00 00 00 fc fc fc fc 00 00 00 00
[ 69.800069] ==================================================================
[ 69.807430] Disabling lock debugging due to kernel taint
[ 69.813178] Kernel panic - not syncing: panic_on_warn set ...
[ 69.819064] CPU: 1 PID: 576 Comm: kworker/1:3 Tainted: G B 5.1.0-rc4-319354-g9a33b36 #3
[ 69.828530] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.837898] Workqueue: usb_hub_wq hub_event
[ 69.842218] Call Trace:
[ 69.844816] dump_stack+0xe8/0x16e
[ 69.848377] panic+0x29d/0x5f2
[ 69.851569] ? __warn_printk+0xf8/0xf8
[ 69.855454] ? retint_kernel+0x10/0x10
[ 69.859356] ? trace_hardirqs_on+0x55/0x1c0
[ 69.863771] ? ds_probe+0x604/0x760
[ 69.867401] end_report+0x48/0x4e
[ 69.870858] ? ds_probe+0x604/0x760
[ 69.874484] kasan_report.cold+0xd/0x3c
[ 69.878463] ? ds_probe+0x604/0x760
[ 69.882087] ds_probe+0x604/0x760
[ 69.885544] usb_probe_interface+0x31d/0x820
[ 69.889977] ? usb_probe_device+0x150/0x150
[ 69.894297] really_probe+0x2da/0xb10
[ 69.898101] driver_probe_device+0x21d/0x350
[ 69.902507] __device_attach_driver+0x1d8/0x290
[ 69.907179] ? driver_allows_async_probing+0x160/0x160
[ 69.912490] bus_for_each_drv+0x163/0x1e0
[ 69.916640] ? bus_rescan_devices+0x30/0x30
[ 69.920962] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 69.926090] ? lockdep_hardirqs_on+0x37e/0x580
[ 69.930788] __device_attach+0x223/0x3a0
[ 69.934852] ? device_bind_driver+0xe0/0xe0
[ 69.939178] ? kobject_uevent_env+0x295/0x13d0
[ 69.943773] bus_probe_device+0x1f1/0x2a0
[ 69.947930] ? blocking_notifier_call_chain+0x59/0xb0
[ 69.953212] device_add+0xad2/0x16e0
[ 69.956944] ? get_device_parent.isra.0+0x560/0x560
[ 69.961976] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 69.967248] usb_set_configuration+0xdf7/0x1740
[ 69.971936] generic_probe+0xa2/0xda
[ 69.975658] usb_probe_device+0xc0/0x150
[ 69.979736] ? usb_suspend+0x5f0/0x5f0
[ 69.983632] really_probe+0x2da/0xb10
[ 69.987440] driver_probe_device+0x21d/0x350
[ 69.991848] __device_attach_driver+0x1d8/0x290
[ 69.996523] ? driver_allows_async_probing+0x160/0x160
[ 70.001807] bus_for_each_drv+0x163/0x1e0
[ 70.005959] ? bus_rescan_devices+0x30/0x30
[ 70.010306] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 70.015418] ? lockdep_hardirqs_on+0x37e/0x580
[ 70.020162] __device_attach+0x223/0x3a0
[ 70.024235] ? device_bind_driver+0xe0/0xe0
[ 70.028889] ? kobject_uevent_env+0x295/0x13d0
[ 70.033478] bus_probe_device+0x1f1/0x2a0
[ 70.037653] ? blocking_notifier_call_chain+0x59/0xb0
[ 70.042847] device_add+0xad2/0x16e0
[ 70.046563] ? get_device_parent.isra.0+0x560/0x560
[ 70.051785] usb_new_device.cold+0x537/0xccf
[ 70.056220] hub_event+0x138e/0x3b00
[ 70.059950] ? hub_port_debounce+0x350/0x350
[ 70.064367] ? _raw_spin_unlock_irq+0x29/0x40
[ 70.068880] process_one_work+0x90f/0x1580
[ 70.073291] ? wq_pool_ids_show+0x300/0x300
[ 70.077619] ? do_raw_spin_lock+0x11f/0x290
[ 70.081947] worker_thread+0x9b/0xe20
[ 70.085761] ? process_one_work+0x1580/0x1580
[ 70.090313] kthread+0x313/0x420
[ 70.093688] ? kthread_park+0x1a0/0x1a0
[ 70.097677] ret_from_fork+0x3a/0x50
[ 70.102328] Kernel Offset: disabled
[ 70.105957] Rebooting in 86400 seconds..