[   49.706528] audit: type=1800 audit(1555580618.261:26): pid=5355 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
[   49.726044] audit: type=1800 audit(1555580618.261:27): pid=5355 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[   49.745716] audit: type=1800 audit(1555580618.271:28): pid=5355 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   50.585500] audit: type=1800 audit(1555580619.151:29): pid=5355 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.45' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   61.526559] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   61.766535] usb 1-1: Using ep0 maxpacket: 8
[   61.886580] usb 1-1: config 0 has an invalid interface number: 28 but max is 0
[   61.894674] usb 1-1: config 0 has no interface number 0
[   61.900668] usb 1-1: New USB device found, idVendor=04fa, idProduct=2490, bcdDevice=74.f9
[   61.909249] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   61.919433] usb 1-1: config 0 descriptor??
[   62.156764] ==================================================================
[   62.165329] BUG: KASAN: use-after-free in ds_probe+0x604/0x760
[   62.171705] Read of size 1 at addr ffff88809788d9e2 by task kworker/1:3/566
[   62.179365]
[   62.181008] CPU: 1 PID: 566 Comm: kworker/1:3 Not tainted 5.1.0-rc5-319617-gd34f951 #4
[   62.189087] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   62.199363] Workqueue: usb_hub_wq hub_event
[   62.204180] Call Trace:
[   62.207160]  dump_stack+0xe8/0x16e
[   62.210962]  ? ds_probe+0x604/0x760
[   62.215103]  ? ds_probe+0x604/0x760
[   62.219195]  print_address_description+0x6c/0x236
[   62.224481]  ? ds_probe+0x604/0x760
[   62.228606]  ? ds_probe+0x604/0x760
[   62.232586]  kasan_report.cold+0x1a/0x3c
[   62.237432]  ? ds_probe+0x604/0x760
[   62.241606]  ds_probe+0x604/0x760
[   62.245583]  usb_probe_interface+0x31d/0x820
[   62.250167]  ? usb_probe_device+0x150/0x150
[   62.255325]  really_probe+0x2da/0xb10
[   62.259622]  driver_probe_device+0x21d/0x350
[   62.264515]  __device_attach_driver+0x1d8/0x290
[   62.269937]  ? driver_allows_async_probing+0x160/0x160
[   62.275823]  bus_for_each_drv+0x163/0x1e0
[   62.280562]  ? bus_rescan_devices+0x30/0x30
[   62.284903]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[   62.290759]  ? lockdep_hardirqs_on+0x37e/0x580
[   62.296137]  __device_attach+0x223/0x3a0
[   62.301220]  ? device_bind_driver+0xe0/0xe0
[   62.306388]  ? kobject_uevent_env+0x295/0x13d0
[   62.311267]  bus_probe_device+0x1f1/0x2a0
[   62.316196]  ? blocking_notifier_call_chain+0x59/0xb0
[   62.321715]  device_add+0xad2/0x16e0
[   62.325562]  ? get_device_parent.isra.0+0x560/0x560
[   62.331467]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[   62.337419]  usb_set_configuration+0xdf7/0x1740
[   62.342529]  generic_probe+0xa2/0xda
[   62.346563]  usb_probe_device+0xc0/0x150
[   62.351096]  ? usb_suspend+0x5f0/0x5f0
[   62.355162]  really_probe+0x2da/0xb10
[   62.359561]  driver_probe_device+0x21d/0x350
[   62.364113]  __device_attach_driver+0x1d8/0x290
[   62.369556]  ? driver_allows_async_probing+0x160/0x160
[   62.375308]  bus_for_each_drv+0x163/0x1e0
[   62.379671]  ? bus_rescan_devices+0x30/0x30
[   62.384865]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[   62.390760]  ? lockdep_hardirqs_on+0x37e/0x580
[   62.395344]  __device_attach+0x223/0x3a0
[   62.399570]  ? device_bind_driver+0xe0/0xe0
[   62.404079]  ? kobject_uevent_env+0x295/0x13d0
[   62.409003]  bus_probe_device+0x1f1/0x2a0
[   62.413184]  ? blocking_notifier_call_chain+0x59/0xb0
[   62.418629]  device_add+0xad2/0x16e0
[   62.422684]  ? get_device_parent.isra.0+0x560/0x560
[   62.427863]  usb_new_device.cold+0x537/0xccf
[   62.432577]  hub_event+0x1398/0x3b00
[   62.436307]  ? hub_port_debounce+0x350/0x350
[   62.441085]  ? _raw_spin_unlock_irq+0x29/0x40
[   62.445768]  process_one_work+0x90f/0x1580
[   62.450979]  ? wq_pool_ids_show+0x300/0x300
[   62.455802]  ? do_raw_spin_lock+0x11f/0x290
[   62.460571]  worker_thread+0x9b/0xe20
[   62.464391]  ? process_one_work+0x1580/0x1580
[   62.469313]  kthread+0x313/0x420
[   62.472911]  ? kthread_park+0x1a0/0x1a0
[   62.477228]  ret_from_fork+0x3a/0x50
[   62.481190]
[   62.482828] Allocated by task 5502:
[   62.487397]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   62.492637]  ext4_ext_remove_space+0xe1b/0x4810
[   62.497613]  ext4_ext_truncate+0x1b8/0x200
[   62.502653]  ext4_truncate+0xd39/0x12d0
[   62.506628]  ext4_setattr+0x1b36/0x23b0
[   62.510607]  notify_change+0xade/0xfa0
[   62.514648]  do_truncate+0x139/0x1f0
[   62.518661]  do_sys_ftruncate+0x49e/0x570
[   62.523137]  do_syscall_64+0xcf/0x4f0
[   62.527296]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   62.532750]
[   62.534504] Freed by task 5502:
[   62.537989]  __kasan_slab_free+0x130/0x180
[   62.542429]  slab_free_freelist_hook+0x5e/0x140
[   62.547509]  kfree+0xce/0x280
[   62.550614]  ext4_ext_remove_space+0x828/0x4810
[   62.555751]  ext4_ext_truncate+0x1b8/0x200
[   62.560104]  ext4_truncate+0xd39/0x12d0
[   62.564408]  ext4_setattr+0x1b36/0x23b0
[   62.568668]  notify_change+0xade/0xfa0
[   62.572970]  do_truncate+0x139/0x1f0
[   62.576796]  do_sys_ftruncate+0x49e/0x570
[   62.581268]  do_syscall_64+0xcf/0x4f0
[   62.585438]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   62.591199]
[   62.593144] The buggy address belongs to the object at ffff88809788d9c0
[   62.593144]  which belongs to the cache kmalloc-64 of size 64
[   62.606911] The buggy address is located 34 bytes inside of
[   62.606911]  64-byte region [ffff88809788d9c0, ffff88809788da00)
[   62.619056] The buggy address belongs to the page:
[   62.624559] page:ffffea00025e2340 count:1 mapcount:0 mapping:ffff88812c3f5600 index:0x0
[   62.633300] flags: 0xfff00000000200(slab)
[   62.637981] raw: 00fff00000000200 ffffea00025e28c0 0000001600000016 ffff88812c3f5600
[   62.646565] raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000
[   62.655494] page dumped because: kasan: bad access detected
[   62.661293]
[   62.663426] Memory state around the buggy address:
[   62.668535]  ffff88809788d880: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[   62.676329]  ffff88809788d900: fb fb fb fb fb fb fb fb fc fc fc fc 00 00 00 00
[   62.683810] >ffff88809788d980: 00 00 fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   62.691257]                                                        ^
[   62.698355]  ffff88809788da00: fc fc fc fc 00 00 00 00 00 fc fc fc fc fc fc fc
[   62.706290]  ffff88809788da80: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[   62.714503] ==================================================================
[   62.722074] Disabling lock debugging due to kernel taint
[   62.727962] Kernel panic - not syncing: panic_on_warn set ...
[   62.733987] CPU: 1 PID: 566 Comm: kworker/1:3 Tainted: G    B             5.1.0-rc5-319617-gd34f951 #4
[   62.743570] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   62.753060] Workqueue: usb_hub_wq hub_event
[   62.757508] Call Trace:
[   62.760112]  dump_stack+0xe8/0x16e
[   62.763667]  panic+0x29d/0x5f2
[   62.766872]  ? __warn_printk+0xf8/0xf8
[   62.770996]  ? retint_kernel+0x10/0x10
[   62.775199]  ? trace_hardirqs_on+0x55/0x1c0
[   62.779532]  ? ds_probe+0x604/0x760
[   62.783165]  end_report+0x48/0x4e
[   62.786654]  ? ds_probe+0x604/0x760
[   62.790534]  kasan_report.cold+0xd/0x3c
[   62.794522]  ? ds_probe+0x604/0x760
[   62.798482]  ds_probe+0x604/0x760
[   62.802143]  usb_probe_interface+0x31d/0x820
[   62.806562]  ? usb_probe_device+0x150/0x150
[   62.810891]  really_probe+0x2da/0xb10
[   62.814701]  driver_probe_device+0x21d/0x350
[   62.819120]  __device_attach_driver+0x1d8/0x290
[   62.823905]  ? driver_allows_async_probing+0x160/0x160
[   62.829189]  bus_for_each_drv+0x163/0x1e0
[   62.833525]  ? bus_rescan_devices+0x30/0x30
[   62.837921]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[   62.843128]  ? lockdep_hardirqs_on+0x37e/0x580
[   62.847838]  __device_attach+0x223/0x3a0
[   62.851907]  ? device_bind_driver+0xe0/0xe0
[   62.856660]  ? kobject_uevent_env+0x295/0x13d0
[   62.861487]  bus_probe_device+0x1f1/0x2a0
[   62.865651]  ? blocking_notifier_call_chain+0x59/0xb0
[   62.870850]  device_add+0xad2/0x16e0
[   62.874662]  ? get_device_parent.isra.0+0x560/0x560
[   62.879688]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[   62.884918]  usb_set_configuration+0xdf7/0x1740
[   62.890071]  generic_probe+0xa2/0xda
[   62.893798]  usb_probe_device+0xc0/0x150
[   62.897871]  ? usb_suspend+0x5f0/0x5f0
[   62.901769]  really_probe+0x2da/0xb10
[   62.905890]  driver_probe_device+0x21d/0x350
[   62.910410]  __device_attach_driver+0x1d8/0x290
[   62.915269]  ? driver_allows_async_probing+0x160/0x160
[   62.920556]  bus_for_each_drv+0x163/0x1e0
[   62.924806]  ? bus_rescan_devices+0x30/0x30
[   62.929229]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[   62.934429]  ? lockdep_hardirqs_on+0x37e/0x580
[   62.939047]  __device_attach+0x223/0x3a0
[   62.943159]  ? device_bind_driver+0xe0/0xe0
[   62.947628]  ? kobject_uevent_env+0x295/0x13d0
[   62.952312]  bus_probe_device+0x1f1/0x2a0
[   62.956557]  ? blocking_notifier_call_chain+0x59/0xb0
[   62.961908]  device_add+0xad2/0x16e0
[   62.965634]  ? get_device_parent.isra.0+0x560/0x560
[   62.970665]  usb_new_device.cold+0x537/0xccf
[   62.975174]  hub_event+0x1398/0x3b00
[   62.978910]  ? hub_port_debounce+0x350/0x350
[   62.983338]  ? _raw_spin_unlock_irq+0x29/0x40
[   62.987945]  process_one_work+0x90f/0x1580
[   62.992283]  ? wq_pool_ids_show+0x300/0x300
[   62.996612]  ? do_raw_spin_lock+0x11f/0x290
[   63.001139]  worker_thread+0x9b/0xe20
[   63.005124]  ? process_one_work+0x1580/0x1580
[   63.009628]  kthread+0x313/0x420
[   63.013558]  ? kthread_park+0x1a0/0x1a0
[   63.017841]  ret_from_fork+0x3a/0x50
[   63.023378] Kernel Offset: disabled
[   63.027562] Rebooting in 86400 seconds..