[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 40.288368] kauditd_printk_skb: 8 callbacks suppressed
[ 40.288378] audit: type=1800 audit(1555749487.447:29): pid=4835 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 40.313724] audit: type=1800 audit(1555749487.447:30): pid=4835 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.27' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 49.982017] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 50.221963] usb 1-1: Using ep0 maxpacket: 8
[ 50.341997] usb 1-1: config 252 has an invalid interface number: 115 but max is 0
[ 50.349915] usb 1-1: config 252 contains an unexpected descriptor of type 0x1, skipping
[ 50.358104] usb 1-1: config 252 has an invalid descriptor of length 47, skipping remainder of the config
[ 50.367750] usb 1-1: config 252 has no interface number 0
[ 50.373504] usb 1-1: config 252 interface 115 altsetting 0 bulk endpoint 0x3 has invalid maxpacket 4
[ 50.382838] usb 1-1: config 252 interface 115 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 4
[ 50.395311] usb 1-1: New USB device found, idVendor=1618, idProduct=9113, bcdDevice=32.21
[ 50.403748] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 50.454155] rsi_91x: rsi_probe: Failed to init usb interface
[ 50.461265] ==================================================================
[ 50.468768] BUG: KASAN: double-free or invalid-free in kfree+0xce/0x280
[ 50.475502]
[ 50.477114] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc5-319617-gd34f951 #4
[ 50.485172] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.494519] Workqueue: usb_hub_wq hub_event
[ 50.498829] Call Trace:
[ 50.501409] dump_stack+0xe8/0x16e
[ 50.504938] print_address_description+0x6c/0x236
[ 50.509764] ? kfree+0xce/0x280
[ 50.513024] kasan_report_invalid_free+0x66/0xa0
[ 50.517759] ? kfree+0xce/0x280
[ 50.521019] __kasan_slab_free+0x162/0x180
[ 50.525369] slab_free_freelist_hook+0x5e/0x140
[ 50.530028] ? rsi_91x_deinit+0x27b/0x300
[ 50.534165] ? rsi_91x_deinit+0x27b/0x300
[ 50.538293] kfree+0xce/0x280
[ 50.541390] rsi_91x_deinit+0x27b/0x300
[ 50.545355] rsi_probe+0xdf3/0x140d
[ 50.549051] ? rsi_disconnect+0x450/0x450
[ 50.553298] ? lockdep_hardirqs_on+0x37e/0x580
[ 50.557882] ? __pm_runtime_resume+0x116/0x180
[ 50.562462] usb_probe_interface+0x31d/0x820
[ 50.566852] ? usb_probe_device+0x150/0x150
[ 50.571153] really_probe+0x2da/0xb10
[ 50.574943] driver_probe_device+0x21d/0x350
[ 50.579361] __device_attach_driver+0x1d8/0x290
[ 50.584064] ? driver_allows_async_probing+0x160/0x160
[ 50.589337] bus_for_each_drv+0x163/0x1e0
[ 50.593481] ? bus_rescan_devices+0x30/0x30
[ 50.597799] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 50.602888] ? lockdep_hardirqs_on+0x37e/0x580
[ 50.607468] __device_attach+0x223/0x3a0
[ 50.611516] ? device_bind_driver+0xe0/0xe0
[ 50.615825] ? kobject_uevent_env+0x295/0x13d0
[ 50.620471] bus_probe_device+0x1f1/0x2a0
[ 50.624612] ? blocking_notifier_call_chain+0x59/0xb0
[ 50.629793] device_add+0xad2/0x16e0
[ 50.633499] ? get_device_parent.isra.0+0x560/0x560
[ 50.638579] usb_set_configuration+0xdf7/0x1740
[ 50.643256] generic_probe+0xa2/0xda
[ 50.646956] usb_probe_device+0xc0/0x150
[ 50.651000] ? usb_suspend+0x5f0/0x5f0
[ 50.654868] really_probe+0x2da/0xb10
[ 50.658649] driver_probe_device+0x21d/0x350
[ 50.663039] __device_attach_driver+0x1d8/0x290
[ 50.667691] ? driver_allows_async_probing+0x160/0x160
[ 50.672954] bus_for_each_drv+0x163/0x1e0
[ 50.677085] ? bus_rescan_devices+0x30/0x30
[ 50.681403] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 50.686514] ? lockdep_hardirqs_on+0x37e/0x580
[ 50.691092] __device_attach+0x223/0x3a0
[ 50.695337] ? device_bind_driver+0xe0/0xe0
[ 50.699664] ? kobject_uevent_env+0x295/0x13d0
[ 50.704325] bus_probe_device+0x1f1/0x2a0
[ 50.708471] ? blocking_notifier_call_chain+0x59/0xb0
[ 50.713716] device_add+0xad2/0x16e0
[ 50.717433] ? get_device_parent.isra.0+0x560/0x560
[ 50.722445] usb_new_device.cold+0x537/0xccf
[ 50.726854] hub_event+0x1398/0x3b00
[ 50.730571] ? hub_port_debounce+0x350/0x350
[ 50.734970] ? _raw_spin_unlock_irq+0x29/0x40
[ 50.739457] process_one_work+0x90f/0x1580
[ 50.743825] ? wq_pool_ids_show+0x300/0x300
[ 50.748138] ? do_raw_spin_lock+0x11f/0x290
[ 50.752467] worker_thread+0x9b/0xe20
[ 50.756275] ? process_one_work+0x1580/0x1580
[ 50.760766] kthread+0x313/0x420
[ 50.764226] ? kthread_park+0x1a0/0x1a0
[ 50.768206] ret_from_fork+0x3a/0x50
[ 50.771917]
[ 50.773531] Allocated by task 12:
[ 50.777025] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 50.781949] rsi_probe+0x11a/0x140d
[ 50.785561] usb_probe_interface+0x31d/0x820
[ 50.789951] really_probe+0x2da/0xb10
[ 50.793757] driver_probe_device+0x21d/0x350
[ 50.798162] __device_attach_driver+0x1d8/0x290
[ 50.802815] bus_for_each_drv+0x163/0x1e0
[ 50.806947] __device_attach+0x223/0x3a0
[ 50.810993] bus_probe_device+0x1f1/0x2a0
[ 50.815124] device_add+0xad2/0x16e0
[ 50.818819] usb_set_configuration+0xdf7/0x1740
[ 50.823471] generic_probe+0xa2/0xda
[ 50.827160] usb_probe_device+0xc0/0x150
[ 50.831198] really_probe+0x2da/0xb10
[ 50.834979] driver_probe_device+0x21d/0x350
[ 50.839365] __device_attach_driver+0x1d8/0x290
[ 50.844012] bus_for_each_drv+0x163/0x1e0
[ 50.848151] __device_attach+0x223/0x3a0
[ 50.852203] bus_probe_device+0x1f1/0x2a0
[ 50.856447] device_add+0xad2/0x16e0
[ 50.860149] usb_new_device.cold+0x537/0xccf
[ 50.864544] hub_event+0x1398/0x3b00
[ 50.868244] process_one_work+0x90f/0x1580
[ 50.872461] worker_thread+0x9b/0xe20
[ 50.876358] kthread+0x313/0x420
[ 50.879714] ret_from_fork+0x3a/0x50
[ 50.883411]
[ 50.885031] Freed by task 12:
[ 50.888133] __kasan_slab_free+0x130/0x180
[ 50.892354] slab_free_freelist_hook+0x5e/0x140
[ 50.897015] kfree+0xce/0x280
[ 50.900104] rsi_probe+0xf04/0x140d
[ 50.903714] usb_probe_interface+0x31d/0x820
[ 50.908101] really_probe+0x2da/0xb10
[ 50.911884] driver_probe_device+0x21d/0x350
[ 50.916273] __device_attach_driver+0x1d8/0x290
[ 50.920943] bus_for_each_drv+0x163/0x1e0
[ 50.925071] __device_attach+0x223/0x3a0
[ 50.929112] bus_probe_device+0x1f1/0x2a0
[ 50.933241] device_add+0xad2/0x16e0
[ 50.936936] usb_set_configuration+0xdf7/0x1740
[ 50.941664] generic_probe+0xa2/0xda
[ 50.945381] usb_probe_device+0xc0/0x150
[ 50.949440] really_probe+0x2da/0xb10
[ 50.953223] driver_probe_device+0x21d/0x350
[ 50.957628] __device_attach_driver+0x1d8/0x290
[ 50.962297] bus_for_each_drv+0x163/0x1e0
[ 50.966430] __device_attach+0x223/0x3a0
[ 50.970475] bus_probe_device+0x1f1/0x2a0
[ 50.974614] device_add+0xad2/0x16e0
[ 50.978669] usb_new_device.cold+0x537/0xccf
[ 50.983065] hub_event+0x1398/0x3b00
[ 50.986762] process_one_work+0x90f/0x1580
[ 50.990988] worker_thread+0x9b/0xe20
[ 50.994776] kthread+0x313/0x420
[ 50.998201] ret_from_fork+0x3a/0x50
[ 51.001903]
[ 51.003528] The buggy address belongs to the object at ffff888214af0c80
[ 51.003528] which belongs to the cache kmalloc-512 of size 512
[ 51.016231] The buggy address is located 0 bytes inside of
[ 51.016231] 512-byte region [ffff888214af0c80, ffff888214af0e80)
[ 51.027916] The buggy address belongs to the page:
[ 51.032840] page:ffffea000852bc00 count:1 mapcount:0 mapping:ffff88812c3f4c00 index:0xffff888214af1180 compound_mapcount: 0
[ 51.044096] flags: 0x57ff00000010200(slab|head)
[ 51.048760] raw: 057ff00000010200 ffffea00086b3780 0000000800000008 ffff88812c3f4c00
[ 51.056732] raw: ffff888214af1180 00000000800c000a 00000001ffffffff 0000000000000000
[ 51.064653] page dumped because: kasan: bad access detected
[ 51.070351]
[ 51.071957] Memory state around the buggy address:
[ 51.076867]  ffff888214af0b80: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[ 51.084386]  ffff888214af0c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.091728] >ffff888214af0c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.099149]                    ^
[ 51.102570]  ffff888214af0d00: fb fb fb fb fb fb f