[ 49.362819] audit: type=1800 audit(1555582084.020:30): pid=5295 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.1.12' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 57.124291] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 57.364242] usb 1-1: Using ep0 maxpacket: 8
[ 57.484307] usb 1-1: config 0 has an invalid interface number: 28 but max is 0
[ 57.491979] usb 1-1: config 0 has no interface number 0
[ 57.498410] usb 1-1: New USB device found, idVendor=04fa, idProduct=2490, bcdDevice=74.f9
[ 57.507135] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 57.517851] usb 1-1: config 0 descriptor??
[ 57.754481] ==================================================================
[ 57.762733] BUG: KASAN: use-after-free in ds_probe+0x604/0x760
[ 57.768838] Read of size 1 at addr ffff88809fc00b02 by task kworker/0:2/533
[ 57.776745]
[ 57.778373] CPU: 0 PID: 533 Comm: kworker/0:2 Not tainted 5.1.0-rc5-319617-gd34f951 #4
[ 57.786410] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.795762] Workqueue: usb_hub_wq hub_event
[ 57.800184] Call Trace:
[ 57.802810]  dump_stack+0xe8/0x16e
[ 57.806428]  ? ds_probe+0x604/0x760
[ 57.810220]  ? ds_probe+0x604/0x760
[ 57.813839]  print_address_description+0x6c/0x236
[ 57.818690]  ? ds_probe+0x604/0x760
[ 57.822321]  ? ds_probe+0x604/0x760
[ 57.826511]  kasan_report.cold+0x1a/0x3c
[ 57.832326]  ? ds_probe+0x604/0x760
[ 57.835942]  ds_probe+0x604/0x760
[ 57.839409]  usb_probe_interface+0x31d/0x820
[ 57.843831]  ? usb_probe_device+0x150/0x150
[ 57.848594]  really_probe+0x2da/0xb10
[ 57.852421]  driver_probe_device+0x21d/0x350
[ 57.856842]  __device_attach_driver+0x1d8/0x290
[ 57.861622]  ? driver_allows_async_probing+0x160/0x160
[ 57.866891]  bus_for_each_drv+0x163/0x1e0
[ 57.871056]  ? bus_rescan_devices+0x30/0x30
[ 57.875384]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 57.880503]  ? lockdep_hardirqs_on+0x37e/0x580
[ 57.885105]  __device_attach+0x223/0x3a0
[ 57.889617]  ? device_bind_driver+0xe0/0xe0
[ 57.894152]  ? kobject_uevent_env+0x295/0x13d0
[ 57.898923]  bus_probe_device+0x1f1/0x2a0
executing program
[ 57.904377]  ? blocking_notifier_call_chain+0x59/0xb0
[ 57.910077]  device_add+0xad2/0x16e0
[ 57.913962]  ? get_device_parent.isra.0+0x560/0x560
[ 57.919088]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 57.931153]  usb_set_configuration+0xdf7/0x1740
[ 57.936325]  generic_probe+0xa2/0xda
[ 57.940604]  usb_probe_device+0xc0/0x150
[ 57.944722]  ? usb_suspend+0x5f0/0x5f0
[ 57.948675]  really_probe+0x2da/0xb10
[ 57.952477]  driver_probe_device+0x21d/0x350
[ 57.957206]  __device_attach_driver+0x1d8/0x290
[ 57.963037]  ? driver_allows_async_probing+0x160/0x160
[ 57.972952]  bus_for_each_drv+0x163/0x1e0
[ 57.977308]  ? bus_rescan_devices+0x30/0x30
[ 57.982289]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 57.987392]  ? lockdep_hardirqs_on+0x37e/0x580
[ 57.992787]  __device_attach+0x223/0x3a0
[ 57.997630]  ? device_bind_driver+0xe0/0xe0
[ 58.001946]  ? kobject_uevent_env+0x295/0x13d0
[ 58.006691]  bus_probe_device+0x1f1/0x2a0
[ 58.010873]  ? blocking_notifier_call_chain+0x59/0xb0
[ 58.016080]  device_add+0xad2/0x16e0
[ 58.019791]  ? get_device_parent.isra.0+0x560/0x560
[ 58.024818]  usb_new_device.cold+0x537/0xccf
[ 58.029223]  hub_event+0x1398/0x3b00
[ 58.032958]  ? hub_port_debounce+0x350/0x350
[ 58.037487]  ? _raw_spin_unlock_irq+0x29/0x40
[ 58.042129]  process_one_work+0x90f/0x1580
[ 58.046530]  ? wq_pool_ids_show+0x300/0x300
[ 58.050871]  ? do_raw_spin_lock+0x11f/0x290
[ 58.055208]  worker_thread+0x9b/0xe20
[ 58.059017]  ? process_one_work+0x1580/0x1580
[ 58.063552]  kthread+0x313/0x420
[ 58.066999]  ? kthread_park+0x1a0/0x1a0
[ 58.071654]  ret_from_fork+0x3a/0x50
[ 58.077287]
[ 58.079080] Allocated by task 5299:
[ 58.091357]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 58.097763]  security_task_alloc+0x113/0x180
[ 58.102981]  copy_process.part.0+0x1c62/0x76b0
[ 58.107745]  _do_fork+0x234/0xed0
[ 58.111207]  do_syscall_64+0xcf/0x4f0
[ 58.115012]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.120563]
[ 58.122266] Freed by task 5337:
[ 58.126416]  __kasan_slab_free+0x130/0x180
[ 58.131624]  slab_free_freelist_hook+0x5e/0x140
[ 58.136301]  kfree+0xce/0x280
[ 58.139517]  security_task_free+0x9a/0xf0
[ 58.143680]  __put_task_struct+0xec/0x4d0
[ 58.147910]  delayed_put_task_struct+0x189/0x290
[ 58.153930]  rcu_core+0x843/0x1a90
[ 58.157472]  __do_softirq+0x22a/0x8cd
[ 58.161267]
[ 58.162906] The buggy address belongs to the object at ffff88809fc00ae0
[ 58.162906]  which belongs to the cache kmalloc-64 of size 64
[ 58.178565] The buggy address is located 34 bytes inside of
[ 58.178565]  64-byte region [ffff88809fc00ae0, ffff88809fc00b20)
[ 58.196867] The buggy address belongs to the page:
[ 58.205797] page:ffffea00027f0000 count:1 mapcount:0 mapping:ffff88812c3f5600 index:0x0
[ 58.214208] flags: 0xfff00000000200(slab)
[ 58.219078] raw: 00fff00000000200 ffffea0004b0fa80 0000000c0000000c ffff88812c3f5600
[ 58.227810] raw: 0000000000000000 00000000002a002a 00000001ffffffff 0000000000000000
[ 58.243430] page dumped because: kasan: bad access detected
[ 58.254806]
[ 58.256967] Memory state around the buggy address:
[ 58.261894]  ffff88809fc00a00: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc
[ 58.269251]  ffff88809fc00a80: 00 00 00 00 00 00 fc fc fc fc fc fc fb fb fb fb
[ 58.276616] >ffff88809fc00b00: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
[ 58.283959]                          ^
[ 58.287310]  ffff88809fc00b80: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc
[ 58.294678]  ffff88809fc00c00: fb fb fb fb fb fb fb fb fc fc fc fc 00 00 00 00
[ 58.302028] ==================================================================
[ 58.309385] Disabling lock debugging due to kernel taint
[ 58.315253] Kernel panic - not syncing: panic_on_warn set ...
[ 58.321150] CPU: 0 PID: 533 Comm: kworker/0:2 Tainted: G    B             5.1.0-rc5-319617-gd34f951 #4
[ 58.330586] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.340045] Workqueue: usb_hub_wq hub_event
[ 58.344357] Call Trace:
[ 58.346948]  dump_stack+0xe8/0x16e
[ 58.350490]  panic+0x29d/0x5f2
[ 58.353673]  ? __warn_printk+0xf8/0xf8
[ 58.357570]  ? retint_kernel+0x10/0x10
[ 58.361451]  ? trace_hardirqs_on+0x55/0x1c0
[ 58.365760]  ? ds_probe+0x604/0x760
[ 58.369534]  end_report+0x48/0x4e
[ 58.372976]  ? ds_probe+0x604/0x760
[ 58.376671]  kasan_report.cold+0xd/0x3c
[ 58.380657]  ? ds_probe+0x604/0x760
[ 58.384328]  ds_probe+0x604/0x760
[ 58.387797]  usb_probe_interface+0x31d/0x820
[ 58.392201]  ? usb_probe_device+0x150/0x150
[ 58.396518]  really_probe+0x2da/0xb10
[ 58.400316]  driver_probe_device+0x21d/0x350
[ 58.404744]  __device_attach_driver+0x1d8/0x290
[ 58.409402]  ? driver_allows_async_probing+0x160/0x160
[ 58.414671]  bus_for_each_drv+0x163/0x1e0
[ 58.418837]  ? bus_rescan_devices+0x30/0x30
[ 58.423148]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 58.428243]  ? lockdep_hardirqs_on+0x37e/0x580
[ 58.432849]  __device_attach+0x223/0x3a0
[ 58.436904]  ? device_bind_driver+0xe0/0xe0
[ 58.441234]  ? kobject_uevent_env+0x295/0x13d0
[ 58.445899]  bus_probe_device+0x1f1/0x2a0
[ 58.450119]  ? blocking_notifier_call_chain+0x59/0xb0
[ 58.455320]  device_add+0xad2/0x16e0
[ 58.459041]  ? get_device_parent.isra.0+0x560/0x560
[ 58.464049]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 58.469178]  usb_set_configuration+0xdf7/0x1740
[ 58.473838]  generic_probe+0xa2/0xda
[ 58.477575]  usb_probe_device+0xc0/0x150
[ 58.481637]  ? usb_suspend+0x5f0/0x5f0
[ 58.485513]  really_probe+0x2da/0xb10
[ 58.489321]  driver_probe_device+0x21d/0x350
[ 58.493721]  __device_attach_driver+0x1d8/0x290
[ 58.498379]  ? driver_allows_async_probing+0x160/0x160
[ 58.503648]  bus_for_each_drv+0x163/0x1e0
[ 58.507905]  ? bus_rescan_devices+0x30/0x30
[ 58.512221]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 58.517317]  ? lockdep_hardirqs_on+0x37e/0x580
[ 58.521901]  __device_attach+0x223/0x3a0
[ 58.525974]  ? device_bind_driver+0xe0/0xe0
[ 58.530292]  ? kobject_uevent_env+0x295/0x13d0
[ 58.534905]  bus_probe_device+0x1f1/0x2a0
[ 58.539049]  ? blocking_notifier_call_chain+0x59/0xb0
[ 58.544240]  device_add+0xad2/0x16e0
[ 58.547992]  ? get_device_parent.isra.0+0x560/0x560
[ 58.553012]  usb_new_device.cold+0x537/0xccf
[ 58.557563]  hub_event+0x1398/0x3b00
[ 58.561317]  ? hub_port_debounce+0x350/0x350
[ 58.565820]  ? _raw_spin_unlock_irq+0x29/0x40
[ 58.570356]  process_one_work+0x90f/0x1580
[ 58.574603]  ? wq_pool_ids_show+0x300/0x300
[ 58.578933]  ? do_raw_spin_lock+0x11f/0x290
[ 58.583255]  worker_thread+0x9b/0xe20
[ 58.587054]  ? process_one_work+0x1580/0x1580
[ 58.591583]  kthread+0x313/0x420
[ 58.594978]  ? kthread_park+0x1a0/0x1a0
[ 58.599043]  ret_from_fork+0x3a/0x50
[ 58.603786] Kernel Offset: disabled
[ 58.607434] Rebooting in 86400 seconds..