[ 43.489704] audit: type=1800 audit(1555406279.133:27): pid=5149 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[ 43.509436] audit: type=1800 audit(1555406279.133:28): pid=5149 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 44.321398] audit: type=1800 audit(1555406280.003:29): pid=5149 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 44.341014] audit: type=1800 audit(1555406280.003:30): pid=5149 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.112' (ECDSA) to the list of known hosts.
syzkaller login: [ 54.426659] IPVS: ftp: loaded support on port[0] = 21
[ 54.498471] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.505486] bridge0: port 1(bridge_slave_0) entered disabled state
[ 54.513010] device bridge_slave_0 entered promiscuous mode
[ 54.521006] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.527495] bridge0: port 2(bridge_slave_1) entered disabled state
[ 54.534994] device bridge_slave_1 entered promiscuous mode
[ 54.549749] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 54.559423] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 54.576167] team0: Port device team_slave_0 added
[ 54.582799] team0: Port device team_slave_1 added
[ 54.606710] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.613176] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.620336] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.626798] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.656574] 8021q: adding VLAN 0 to HW filter on device bond0
[ 54.669121] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.680700] bridge0: port 1(bridge_slave_0) entered disabled state
[ 54.688051] bridge0: port 2(bridge_slave_1) entered disabled state
[ 54.696181] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 54.707062] 8021q: adding VLAN 0 to HW filter on device team0
[ 54.716270] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 54.724654] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.731134] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.741574] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 54.749190] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.755575] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.770958] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 54.779318] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 54.789488] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 54.797107] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 54.807733] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
executing program
[ 54.857055] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 55.160358] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 55.400305] usb 1-1: Using ep0 maxpacket: 8
[ 55.530395] usb 1-1: config 0 has an invalid interface number: 157 but max is 0
[ 55.538087] usb 1-1: config 0 has no interface number 0
[ 55.543799] usb 1-1: New USB device found, idVendor=04fa, idProduct=2490, bcdDevice=f5.2f
[ 55.552181] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 55.561905] usb 1-1: config 0 descriptor??
[ 55.800541] ==================================================================
[ 55.808349] BUG: KASAN: use-after-free in ds_probe+0x604/0x760
[ 55.814469] Read of size 1 at addr ffff88809cce7f82 by task kworker/1:1/21
[ 55.821568]
[ 55.823187] CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
[ 55.831838] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.841872] Workqueue: usb_hub_wq hub_event
[ 55.846690] Call Trace:
[ 55.849283]  dump_stack+0xe8/0x16e
[ 55.852975]  ? ds_probe+0x604/0x760
[ 55.856605]  ? ds_probe+0x604/0x760
[ 55.860478]  print_address_description+0x6c/0x236
[ 55.865323]  ? ds_probe+0x604/0x760
[ 55.869256]  ? ds_probe+0x604/0x760
[ 55.873767]  kasan_report.cold+0x1a/0x3c
[ 55.877883]  ? ds_probe+0x604/0x760
[ 55.881625]  ds_probe+0x604/0x760
[ 55.885081]  usb_probe_interface+0x31d/0x820
[ 55.889722]  ? usb_probe_device+0x150/0x150
[ 55.894112]  really_probe+0x2da/0xb10
[ 55.897921]  driver_probe_device+0x21d/0x350
[ 55.902884]  __device_attach_driver+0x1d8/0x290
[ 55.907655]  ? driver_allows_async_probing+0x160/0x160
[ 55.913048]  bus_for_each_drv+0x163/0x1e0
[ 55.917256]  ? bus_rescan_devices+0x30/0x30
[ 55.921592]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 55.926952]  ? lockdep_hardirqs_on+0x37e/0x580
[ 55.931531]  __device_attach+0x223/0x3a0
[ 55.936022]  ? device_bind_driver+0xe0/0xe0
[ 55.940345]  ? kobject_uevent_env+0x295/0x13d0
[ 55.945033]  bus_probe_device+0x1f1/0x2a0
[ 55.949218]  ? blocking_notifier_call_chain+0x59/0xb0
[ 55.954413]  device_add+0xad2/0x16e0
[ 55.958137]  ? get_device_parent.isra.0+0x560/0x560
[ 55.963326]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 55.968549]  usb_set_configuration+0xdf7/0x1740
[ 55.973351]  generic_probe+0xa2/0xda
[ 55.977077]  usb_probe_device+0xc0/0x150
[ 55.981574]  ? usb_suspend+0x5f0/0x5f0
[ 55.985459]  really_probe+0x2da/0xb10
[ 55.989260]  driver_probe_device+0x21d/0x350
[ 55.993666]  __device_attach_driver+0x1d8/0x290
[ 55.998357]  ? driver_allows_async_probing+0x160/0x160
[ 56.003629]  bus_for_each_drv+0x163/0x1e0
[ 56.007794]  ? bus_rescan_devices+0x30/0x30
[ 56.012108]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 56.017332]  ? lockdep_hardirqs_on+0x37e/0x580
[ 56.021912]  __device_attach+0x223/0x3a0
[ 56.026295]  ? device_bind_driver+0xe0/0xe0
[ 56.030605]  ? kobject_uevent_env+0x295/0x13d0
[ 56.035173]  bus_probe_device+0x1f1/0x2a0
[ 56.039435]  ? blocking_notifier_call_chain+0x59/0xb0
[ 56.044629]  device_add+0xad2/0x16e0
[ 56.048471]  ? get_device_parent.isra.0+0x560/0x560
[ 56.053676]  usb_new_device.cold+0x537/0xccf
[ 56.058087]  hub_event+0x138e/0x3b00
[ 56.061800]  ? hub_port_debounce+0x350/0x350
[ 56.066335]  ? _raw_spin_unlock_irq+0x29/0x40
[ 56.070825]  process_one_work+0x90f/0x1580
[ 56.075201]  ? wq_pool_ids_show+0x300/0x300
[ 56.079635]  ? do_raw_spin_lock+0x11f/0x290
[ 56.083963]  worker_thread+0x9b/0xe20
[ 56.087920]  ? process_one_work+0x1580/0x1580
[ 56.092407]  kthread+0x313/0x420
[ 56.095781]  ? kthread_park+0x1a0/0x1a0
[ 56.099749]  ret_from_fork+0x3a/0x50
[ 56.103587]
[ 56.105199] Allocated by task 21:
[ 56.108643]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 56.113743]  hub_port_init+0x79b/0x2d30
[ 56.117834]  hub_event+0x11b8/0x3b00
[ 56.121541]  process_one_work+0x90f/0x1580
[ 56.125856]  worker_thread+0x9b/0xe20
[ 56.129665]  kthread+0x313/0x420
[ 56.133047]  ret_from_fork+0x3a/0x50
[ 56.137130]
[ 56.138969] Freed by task 21:
[ 56.142166]  __kasan_slab_free+0x130/0x180
[ 56.146607]  slab_free_freelist_hook+0x5e/0x140
[ 56.151270]  kfree+0xce/0x290
[ 56.154500]  hub_port_init+0x91f/0x2d30
[ 56.158459]  hub_event+0x11b8/0x3b00
[ 56.162393]  process_one_work+0x90f/0x1580
[ 56.166614]  worker_thread+0x9b/0xe20
[ 56.170751]  kthread+0x313/0x420
[ 56.174110]  ret_from_fork+0x3a/0x50
[ 56.177848]
[ 56.179465] The buggy address belongs to the object at ffff88809cce7f60
[ 56.179465]  which belongs to the cache kmalloc-64 of size 64
[ 56.192102] The buggy address is located 34 bytes inside of
[ 56.192102]  64-byte region [ffff88809cce7f60, ffff88809cce7fa0)
[ 56.203798] The buggy address belongs to the page:
[ 56.208728] page:ffffea00027339c0 count:1 mapcount:0 mapping:ffff88812c3f5600 index:0x0
[ 56.216866] flags: 0xfff00000000200(slab)
[ 56.221168] raw: 00fff00000000200 ffffea00029d7040 0000000300000003 ffff88812c3f5600
[ 56.229043] raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000
[ 56.236908] page dumped because: kasan: bad access detected
[ 56.242720]
[ 56.244331] Memory state around the buggy address:
[ 56.249347]  ffff88809cce7e80: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[ 56.256696]  ffff88809cce7f00: 00 00 00 00 00 00 fc fc fc fc fc fc fb fb fb fb
[ 56.264249] >ffff88809cce7f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 56.271680]                    ^
[ 56.275235]  ffff88809cce8000: fb fb fb fb fc fc 00 00 00 00 fc fc fb fb fb fb
[ 56.282793]  ffff88809cce8080: fc fc fb fb fb fb fc fc fb fb fb fb fc fc 00 00
[ 56.290138] ==================================================================
[ 56.297912] Disabling lock debugging due to kernel taint
[ 56.304689] Kernel panic - not syncing: panic_on_warn set ...
[ 56.310584] CPU: 1 PID: 21 Comm: kworker/1:1 Tainted: G B 5.1.0-rc4-319354-g9a33b36 #3
[ 56.320009] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.329373] Workqueue: usb_hub_wq hub_event
[ 56.333778] Call Trace:
[ 56.336361]  dump_stack+0xe8/0x16e
[ 56.339885]  panic+0x29d/0x5f2
[ 56.343068]  ? __warn_printk+0xf8/0xf8
[ 56.347075]  ? retint_kernel+0x10/0x10
[ 56.351400]  ? trace_hardirqs_on+0x55/0x1c0
[ 56.355716]  ? ds_probe+0x604/0x760
[ 56.359426]  end_report+0x48/0x4e
[ 56.362871]  ? ds_probe+0x604/0x760
[ 56.366590]  kasan_report.cold+0xd/0x3c
[ 56.370559]  ? ds_probe+0x604/0x760
[ 56.374197]  ds_probe+0x604/0x760
[ 56.377640]  usb_probe_interface+0x31d/0x820
[ 56.382033]  ? usb_probe_device+0x150/0x150
[ 56.386342]  really_probe+0x2da/0xb10
[ 56.390234]  driver_probe_device+0x21d/0x350
[ 56.394652]  __device_attach_driver+0x1d8/0x290
[ 56.399318]  ? driver_allows_async_probing+0x160/0x160
[ 56.404677]  bus_for_each_drv+0x163/0x1e0
[ 56.408838]  ? bus_rescan_devices+0x30/0x30
[ 56.413335]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 56.418426]  ? lockdep_hardirqs_on+0x37e/0x580
[ 56.423002]  __device_attach+0x223/0x3a0
[ 56.427046]  ? device_bind_driver+0xe0/0xe0
[ 56.431373]  ? kobject_uevent_env+0x295/0x13d0
[ 56.435940]  bus_probe_device+0x1f1/0x2a0
[ 56.440071]  ? blocking_notifier_call_chain+0x59/0xb0
[ 56.445256]  device_add+0xad2/0x16e0
[ 56.448966]  ? get_device_parent.isra.0+0x560/0x560
[ 56.453964]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 56.459063]  usb_set_configuration+0xdf7/0x1740
[ 56.463719]  generic_probe+0xa2/0xda
[ 56.467507]  usb_probe_device+0xc0/0x150
[ 56.471560]  ? usb_suspend+0x5f0/0x5f0
[ 56.475435]  really_probe+0x2da/0xb10
[ 56.479232]  driver_probe_device+0x21d/0x350
[ 56.483625]  __device_attach_driver+0x1d8/0x290
[ 56.488294]  ? driver_allows_async_probing+0x160/0x160
[ 56.493682]  bus_for_each_drv+0x163/0x1e0
[ 56.498090]  ? bus_rescan_devices+0x30/0x30
[ 56.502407]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 56.507733]  ? lockdep_hardirqs_on+0x37e/0x580
[ 56.512913]  __device_attach+0x223/0x3a0
[ 56.517090]  ? device_bind_driver+0xe0/0xe0
[ 56.521536]  ? kobject_uevent_env+0x295/0x13d0
[ 56.526125]  bus_probe_device+0x1f1/0x2a0
[ 56.530264]  ? blocking_notifier_call_chain+0x59/0xb0
[ 56.535543]  device_add+0xad2/0x16e0
[ 56.539259]  ? get_device_parent.isra.0+0x560/0x560
[ 56.544376]  usb_new_device.cold+0x537/0xccf
[ 56.548770]  hub_event+0x138e/0x3b00
[ 56.552497]  ? hub_port_debounce+0x350/0x350
[ 56.557055]  ? _raw_spin_unlock_irq+0x29/0x40
[ 56.561547]  process_one_work+0x90f/0x1580
[ 56.565772]  ? wq_pool_ids_show+0x300/0x300
[ 56.570091]  ? do_raw_spin_lock+0x11f/0x290
[ 56.574694]  worker_thread+0x9b/0xe20
[ 56.578508]  ? process_one_work+0x1580/0x1580
[ 56.583278]  kthread+0x313/0x420
[ 56.586648]  ? kthread_park+0x1a0/0x1a0
[ 56.590909]  ret_from_fork+0x3a/0x50
[ 56.596272] Kernel Offset: disabled
[ 56.600143] Rebooting in 86400 seconds..