[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 39.746542] kauditd_printk_skb: 7 callbacks suppressed
[ 39.746553] audit: type=1800 audit(1555238187.508:29): pid=4784 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 39.771685] audit: type=1800 audit(1555238187.508:30): pid=4784 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.170' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 52.218450] usb 1-1: new low-speed USB device number 2 using dummy_hcd
[ 52.578305] usb 1-1: config 0 has an invalid interface number: 205 but max is 0
[ 52.585785] usb 1-1: config 0 has no interface number 0
[ 52.591284] usb 1-1: New USB device found, idVendor=14f7, idProduct=0500, bcdDevice=de.42
[ 52.599619] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 52.608101] usb 1-1: config 0 descriptor??
[ 52.649846] technisat-usb2: could not set alternate setting to 0
[ 52.848292] technisat-usb2: firmware version: 181.247
[ 52.853490] dvb-usb: found a 'Technisat SkyStar USB HD (DVB-S/S2)' in warm state.
[ 53.901702] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[ 53.928546] dvbdev: DVB: registering new adapter (Technisat SkyStar USB HD (DVB-S/S2))
[ 53.936802] technisat-usb2: i2c-error: out failed 53 = -22
[ 53.942573] dvb-usb: MAC address reading failed.
[ 53.953477] technisat-usb2: i2c-error: out failed 68 = -22
[ 54.478281] dvb-usb: no frontend was attached by 'Technisat SkyStar USB HD (DVB-S/S2)'
[ 54.486439] Registered IR keymap rc-technisat-usb2
[ 54.491979] rc rc1: Technisat SkyStar USB HD (DVB-S/S2) as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc1
[ 54.502196] input: Technisat SkyStar USB HD (DVB-S/S2) as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc1/input10
[ 54.515126] rc rc1: lirc_dev: driver technisat-usb2 registered at minor = 1, raw IR receiver, no transmitter
[ 54.526206] dvb-usb: schedule remote query interval to 100 msecs.
[ 55.288561] ==================================================================
[ 55.296006] BUG: KASAN: slab-out-of-bounds in technisat_usb2_rc_query+0x5fa/0x660
[ 55.303599] Read of size 1 at addr ffff8880a8791ea8 by task kworker/0:1/12
[ 55.310576]
[ 55.312181] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
[ 55.320114] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.329442] Workqueue: events dvb_usb_read_remote_control
[ 55.334945] Call Trace:
[ 55.337506] dump_stack+0xe8/0x16e
[ 55.341014] ? technisat_usb2_rc_query+0x5fa/0x660
[ 55.345914] ? technisat_usb2_rc_query+0x5fa/0x660
[ 55.350824] print_address_description+0x6c/0x236
[ 55.355635] ? technisat_usb2_rc_query+0x5fa/0x660
[ 55.360532] ? technisat_usb2_rc_query+0x5fa/0x660
[ 55.365450] kasan_report.cold+0x1a/0x3c
[ 55.369496] ? technisat_usb2_rc_query+0x5fa/0x660
[ 55.374395] technisat_usb2_rc_query+0x5fa/0x660
[ 55.379123] ? technisat_usb2_power_ctrl+0xc0/0xc0
[ 55.384023] dvb_usb_read_remote_control+0xe5/0x1c0
[ 55.389013] process_one_work+0x90f/0x1580
[ 55.393232] ? wq_pool_ids_show+0x300/0x300
[ 55.397524] ? do_raw_spin_lock+0x11f/0x290
[ 55.401819] worker_thread+0x9b/0xe20
[ 55.405597] ? process_one_work+0x1580/0x1580
[ 55.410060] kthread+0x313/0x420
[ 55.413396] ? kthread_park+0x1a0/0x1a0
[ 55.417353] ret_from_fork+0x3a/0x50
[ 55.421058]
[ 55.422690] Allocated by task 615:
[ 55.426218] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 55.431117] dvb_usb_device_init.cold+0x317/0x10b3
[ 55.436013] technisat_usb2_probe+0x82/0x2d0
[ 55.440401] usb_probe_interface+0x31d/0x820
[ 55.444806] really_probe+0x2da/0xb10
[ 55.448572] driver_probe_device+0x21d/0x350
[ 55.452951] __device_attach_driver+0x1d8/0x290
[ 55.457634] bus_for_each_drv+0x163/0x1e0
[ 55.461763] __device_attach+0x223/0x3a0
[ 55.465792] bus_probe_device+0x1f1/0x2a0
[ 55.469909] device_add+0xad2/0x16e0
[ 55.473604] usb_set_configuration+0xdf7/0x1740
[ 55.478256] generic_probe+0xa2/0xda
[ 55.481935] usb_probe_device+0xc0/0x150
[ 55.485974] really_probe+0x2da/0xb10
[ 55.489749] driver_probe_device+0x21d/0x350
[ 55.494131] __device_attach_driver+0x1d8/0x290
[ 55.498770] bus_for_each_drv+0x163/0x1e0
[ 55.502884] __device_attach+0x223/0x3a0
[ 55.506916] bus_probe_device+0x1f1/0x2a0
[ 55.511034] device_add+0xad2/0x16e0
[ 55.514716] usb_new_device.cold+0x537/0xccf
[ 55.519091] hub_event+0x138e/0x3b00
[ 55.522775] process_one_work+0x90f/0x1580
[ 55.526979] worker_thread+0x9b/0xe20
[ 55.530745] kthread+0x313/0x420
[ 55.534077] ret_from_fork+0x3a/0x50
[ 55.537752]
[ 55.539347] Freed by task 1:
[ 55.542344] __kasan_slab_free+0x130/0x180
[ 55.546547] slab_free_freelist_hook+0x5e/0x140
[ 55.551182] kfree+0xce/0x290
[ 55.554256] krealloc+0x7d/0xc0
[ 55.557521] add_sysfs_param.isra.0+0xcd/0x930
[ 55.562127] param_sysfs_init+0x364/0x435
[ 55.566298] do_one_initcall+0xde/0x597
[ 55.570243] kernel_init_freeable+0x4da/0x5c7
[ 55.574706] kernel_init+0x12/0x1ca
[ 55.578300] ret_from_fork+0x3a/0x50
[ 55.582012]
[ 55.583624] The buggy address belongs to the object at ffff8880a8791dc0
[ 55.583624] which belongs to the cache kmalloc-256 of size 256
[ 55.596245] The buggy address is located 232 bytes inside of
[ 55.596245] 256-byte region [ffff8880a8791dc0, ffff8880a8791ec0)
[ 55.608081] The buggy address belongs to the page:
[ 55.612994] page:ffffea0002a1e440 count:1 mapcount:0 mapping:ffff88812c3f4e00 index:0x0
[ 55.621127] flags: 0xfff00000000200(slab)
[ 55.625247] raw: 00fff00000000200 dead000000000100 dead000000000200 ffff88812c3f4e00
[ 55.633098] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 55.640958] page dumped because: kasan: bad access detected
[ 55.646632]
[ 55.648229] Memory state around the buggy address:
[ 55.653142]  ffff8880a8791d80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 55.660471]  ffff8880a8791e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 55.667801] >ffff8880a8791e80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 55.675128]                                   ^
[ 55.679767]  ffff8880a8791f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.687116]  ffff8880a8791f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.694445] ==================================================================
[ 55.701774] Disabling lock debugging due to kernel taint
[ 55.707284] Kernel panic - not syncing: panic_on_warn set ...
[ 55.713165] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.1.0-rc4-319354-g9a33b36 #3
[ 55.722489] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.731814] Workqueue: events dvb_usb_read_remote_control
[ 55.737331] Call Trace:
[ 55.739888] dump_stack+0xe8/0x16e
[ 55.743398] panic+0x29d/0x5f2
[ 55.746561] ? __warn_printk+0xf8/0xf8
[ 55.750418] ? technisat_usb2_rc_query+0x5fa/0x660
[ 55.755318] ? trace_hardirqs_on+0x55/0x1c0
[ 55.759646] ? technisat_usb2_rc_query+0x5fa/0x660
[ 55.764562] end_report+0x48/0x4e
[ 55.767996] ? technisat_usb2_rc_query+0x5fa/0x660
[ 55.772930] kasan_report.cold+0xd/0x3c
[ 55.776892] ? technisat_usb2_rc_query+0x5fa/0x660
[ 55.781804] technisat_usb2_rc_query+0x5fa/0x660
[ 55.786547] ? technisat_usb2_power_ctrl+0xc0/0xc0
[ 55.791457] dvb_usb_read_remote_control+0xe5/0x1c0
[ 55.796443] process_one_work+0x90f/0x1580
[ 55.800682] ? wq_pool_ids_show+0x300/0x300
[ 55.804994] ? do_raw_spin_lock+0x11f/0x290
[ 55.809300] worker_thread+0x9b/0xe20
[ 55.813068] ? process_one_work+0x1580/0x1580
[ 55.817544] kthread+0x313/0x420
[ 55.820878] ? kthread_park+0x1a0/0x1a0
[ 55.824831] ret_from_fork+0x3a/0x50
[ 55.829225] Kernel Offset: disabled
[ 55.832840] Rebooting in 86400 seconds..