[ 43.314127] audit: type=1800 audit(1555464913.036:27): pid=5058 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[ 43.339781] audit: type=1800 audit(1555464913.036:28): pid=5058 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 44.247724] audit: type=1800 audit(1555464913.966:29): pid=5058 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 44.267687] audit: type=1800 audit(1555464913.966:30): pid=5058 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.148' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 55.501813] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 55.741750] usb 1-1: Using ep0 maxpacket: 8
[ 55.861815] usb 1-1: config 0 has an invalid interface number: 28 but max is 0
[ 55.869380] usb 1-1: config 0 has no interface number 0
[ 55.875209] usb 1-1: New USB device found, idVendor=04fa, idProduct=2490, bcdDevice=74.f9
[ 55.883867] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 55.892969] usb 1-1: config 0 descriptor??
[ 56.121840] usb 1-1: Failed to set alternative setting 3 for 178 interface: err=-22.
[ 56.130123] DS9490R: probe of 1-1:0.28 failed with error -22
executing program
[ 56.314525] usb 1-1: USB disconnect, device number 2
[ 56.671751] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 56.911718] usb 1-1: Using ep0 maxpacket: 8
[ 57.031796] usb 1-1: config 0 has an invalid interface number: 28 but max is 0
[ 57.039343] usb 1-1: config 0 has no interface number 0
[ 57.044805] usb 1-1: New USB device found, idVendor=04fa, idProduct=2490, bcdDevice=74.f9
[ 57.053262] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 57.061541] usb 1-1: config 0 descriptor??
[ 57.302006] ==================================================================
[ 57.309574] BUG: KASAN: use-after-free in ds_probe+0x604/0x760
[ 57.315542] Read of size 1 at addr ffff88809e4199e2 by task kworker/1:2/936
[ 57.322625]
[ 57.324244] CPU: 1 PID: 936 Comm: kworker/1:2 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
[ 57.332347] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.341799] Workqueue: usb_hub_wq hub_event
[ 57.346111] Call Trace:
[ 57.348701]  dump_stack+0xe8/0x16e
[ 57.352236]  ? ds_probe+0x604/0x760
[ 57.355857]  ? ds_probe+0x604/0x760
[ 57.359470]  print_address_description+0x6c/0x236
[ 57.364297]  ? ds_probe+0x604/0x760
[ 57.367921]  ? ds_probe+0x604/0x760
[ 57.371533]  kasan_report.cold+0x1a/0x3c
[ 57.375589]  ? ds_probe+0x604/0x760
[ 57.379203]  ds_probe+0x604/0x760
[ 57.382708]  usb_probe_interface+0x31d/0x820
[ 57.387119]  ? usb_probe_device+0x150/0x150
[ 57.391518]  really_probe+0x2da/0xb10
[ 57.395305]  driver_probe_device+0x21d/0x350
[ 57.399699]  __device_attach_driver+0x1d8/0x290
[ 57.404414]  ? driver_allows_async_probing+0x160/0x160
[ 57.409997]  bus_for_each_drv+0x163/0x1e0
[ 57.414132]  ? bus_rescan_devices+0x30/0x30
[ 57.418560]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 57.423646]  ? lockdep_hardirqs_on+0x37e/0x580
[ 57.428210]  __device_attach+0x223/0x3a0
[ 57.432253]  ? device_bind_driver+0xe0/0xe0
[ 57.436580]  ? kobject_uevent_env+0x295/0x13d0
[ 57.441245]  bus_probe_device+0x1f1/0x2a0
[ 57.445417]  ? blocking_notifier_call_chain+0x59/0xb0
[ 57.450658]  device_add+0xad2/0x16e0
[ 57.454374]  ? get_device_parent.isra.0+0x560/0x560
[ 57.459496]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 57.464601]  usb_set_configuration+0xdf7/0x1740
[ 57.469273]  generic_probe+0xa2/0xda
[ 57.472970]  usb_probe_device+0xc0/0x150
[ 57.477010]  ? usb_suspend+0x5f0/0x5f0
[ 57.480877]  really_probe+0x2da/0xb10
[ 57.484677]  driver_probe_device+0x21d/0x350
[ 57.489076]  __device_attach_driver+0x1d8/0x290
[ 57.493740]  ? driver_allows_async_probing+0x160/0x160
[ 57.499007]  bus_for_each_drv+0x163/0x1e0
[ 57.503138]  ? bus_rescan_devices+0x30/0x30
[ 57.507528]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 57.512625]  ? lockdep_hardirqs_on+0x37e/0x580
[ 57.517197]  __device_attach+0x223/0x3a0
[ 57.521243]  ? device_bind_driver+0xe0/0xe0
[ 57.525555]  ? kobject_uevent_env+0x295/0x13d0
[ 57.530128]  bus_probe_device+0x1f1/0x2a0
[ 57.534369]  ? blocking_notifier_call_chain+0x59/0xb0
[ 57.539548]  device_add+0xad2/0x16e0
[ 57.543249]  ? get_device_parent.isra.0+0x560/0x560
[ 57.548257]  usb_new_device.cold+0x537/0xccf
[ 57.552664]  hub_event+0x138e/0x3b00
[ 57.556382]  ? hub_port_debounce+0x350/0x350
[ 57.560781]  ? _raw_spin_unlock_irq+0x29/0x40
[ 57.565262]  process_one_work+0x90f/0x1580
[ 57.569482]  ? wq_pool_ids_show+0x300/0x300
[ 57.573800]  ? do_raw_spin_lock+0x11f/0x290
[ 57.578118]  worker_thread+0x9b/0xe20
[ 57.581906]  ? process_one_work+0x1580/0x1580
[ 57.586391]  kthread+0x313/0x420
[ 57.589740]  ? kthread_park+0x1a0/0x1a0
[ 57.593698]  ret_from_fork+0x3a/0x50
[ 57.597396]
[ 57.599004] Allocated by task 936:
[ 57.602525]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 57.607719]  hub_port_init+0x79b/0x2d30
[ 57.611685]  hub_event+0x11b8/0x3b00
[ 57.615399]  process_one_work+0x90f/0x1580
[ 57.619612]  worker_thread+0x9b/0xe20
[ 57.623393]  kthread+0x313/0x420
[ 57.626948]  ret_from_fork+0x3a/0x50
[ 57.630680]
[ 57.632292] Freed by task 936:
[ 57.635470]  __kasan_slab_free+0x130/0x180
[ 57.639695]  slab_free_freelist_hook+0x5e/0x140
[ 57.644351]  kfree+0xce/0x290
[ 57.647438]  hub_port_init+0x91f/0x2d30
[ 57.651390]  hub_event+0x11b8/0x3b00
[ 57.655081]  process_one_work+0x90f/0x1580
[ 57.659297]  worker_thread+0x9b/0xe20
[ 57.663093]  kthread+0x313/0x420
[ 57.666511]  ret_from_fork+0x3a/0x50
[ 57.670255]
[ 57.671885] The buggy address belongs to the object at ffff88809e4199c0
[ 57.671885]  which belongs to the cache kmalloc-64 of size 64
[ 57.684359] The buggy address is located 34 bytes inside of
[ 57.684359]  64-byte region [ffff88809e4199c0, ffff88809e419a00)
[ 57.696048] The buggy address belongs to the page:
[ 57.700973] page:ffffea0002790640 count:1 mapcount:0 mapping:ffff88812c3f5600 index:0x0
[ 57.709199] flags: 0xfff00000000200(slab)
[ 57.713338] raw: 00fff00000000200 ffffea000252c100 0000001900000019 ffff88812c3f5600
[ 57.721256] raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000
[ 57.729133] page dumped because: kasan: bad access detected
[ 57.734831]
[ 57.736439] Memory state around the buggy address:
[ 57.741414]  ffff88809e419880: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc
executing program
[ 57.748760]  ffff88809e419900: fb fb fb fb fb fb fb fb fc fc fc fc 00 00 00 00
[ 57.756112] >ffff88809e419980: 00 00 fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 57.763457]                                                        ^
[ 57.769946]  ffff88809e419a00: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc
[ 57.777379]  ffff88809e419a80: 00 00 00 00 00 00 00 fc fc fc fc fc 00 00 00 00
[ 57.784777] ==================================================================
[ 57.792482] Disabling lock debugging due to kernel taint
[ 57.798031] Kernel panic - not syncing: panic_on_warn set ...
[ 57.803904] CPU: 1 PID: 936 Comm: kworker/1:2 Tainted: G B 5.1.0-rc4-319354-g9a33b36 #3
[ 57.813443] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.822794] Workqueue: usb_hub_wq hub_event
[ 57.827098] Call Trace:
[ 57.829746]  dump_stack+0xe8/0x16e
[ 57.833276]  panic+0x29d/0x5f2
[ 57.836452]  ? __warn_printk+0xf8/0xf8
[ 57.840331]  ? retint_kernel+0x10/0x10
[ 57.844218]  ? trace_hardirqs_on+0x55/0x1c0
[ 57.848542]  ? ds_probe+0x604/0x760
[ 57.852229]  end_report+0x48/0x4e
[ 57.855677]  ? ds_probe+0x604/0x760
[ 57.859362]  kasan_report.cold+0xd/0x3c
[ 57.871181]  ? ds_probe+0x604/0x760
[ 57.874793]  ds_probe+0x604/0x760
[ 57.878231]  usb_probe_interface+0x31d/0x820
[ 57.882732]  ? usb_probe_device+0x150/0x150
[ 57.887153]  really_probe+0x2da/0xb10
[ 57.891157]  driver_probe_device+0x21d/0x350
[ 57.895553]  __device_attach_driver+0x1d8/0x290
[ 57.900275]  ? driver_allows_async_probing+0x160/0x160
[ 57.905550]  bus_for_each_drv+0x163/0x1e0
[ 57.909686]  ? bus_rescan_devices+0x30/0x30
[ 57.913991]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 57.919083]  ? lockdep_hardirqs_on+0x37e/0x580
[ 57.923653]  __device_attach+0x223/0x3a0
[ 57.927706]  ? device_bind_driver+0xe0/0xe0
[ 57.932017]  ? kobject_uevent_env+0x295/0x13d0
[ 57.936582]  bus_probe_device+0x1f1/0x2a0
[ 57.940715]  ? blocking_notifier_call_chain+0x59/0xb0
[ 57.945890]  device_add+0xad2/0x16e0
[ 57.949594]  ? get_device_parent.isra.0+0x560/0x560
[ 57.954649]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 57.959758]  usb_set_configuration+0xdf7/0x1740
[ 57.964423]  generic_probe+0xa2/0xda
[ 57.968140]  usb_probe_device+0xc0/0x150
[ 57.972187]  ? usb_suspend+0x5f0/0x5f0
[ 57.976076]  really_probe+0x2da/0xb10
[ 57.979876]  driver_probe_device+0x21d/0x350
[ 57.984272]  __device_attach_driver+0x1d8/0x290
[ 57.988921]  ? driver_allows_async_probing+0x160/0x160
[ 57.994176]  bus_for_each_drv+0x163/0x1e0
[ 57.998314]  ? bus_rescan_devices+0x30/0x30
[ 58.002726]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 58.007914]  ? lockdep_hardirqs_on+0x37e/0x580
[ 58.012574]  __device_attach+0x223/0x3a0
[ 58.016621]  ? device_bind_driver+0xe0/0xe0
[ 58.020925]  ? kobject_uevent_env+0x295/0x13d0
[ 58.025526]  bus_probe_device+0x1f1/0x2a0
[ 58.029663]  ? blocking_notifier_call_chain+0x59/0xb0
[ 58.034837]  device_add+0xad2/0x16e0
[ 58.038552]  ? get_device_parent.isra.0+0x560/0x560
[ 58.043561]  usb_new_device.cold+0x537/0xccf
[ 58.047960]  hub_event+0x138e/0x3b00
[ 58.051677]  ? hub_port_debounce+0x350/0x350
[ 58.056076]  ? _raw_spin_unlock_irq+0x29/0x40
[ 58.060560]  process_one_work+0x90f/0x1580
[ 58.064810]  ? wq_pool_ids_show+0x300/0x300
[ 58.069145]  ? do_raw_spin_lock+0x11f/0x290
[ 58.073470]  worker_thread+0x9b/0xe20
[ 58.077275]  ? process_one_work+0x1580/0x1580
[ 58.081771]  kthread+0x313/0x420
[ 58.085148]  ? kthread_park+0x1a0/0x1a0
[ 58.089132]  ret_from_fork+0x3a/0x50
[ 58.093763] Kernel Offset: disabled
[ 58.097380] Rebooting in 86400 seconds..