[ 45.259378] audit: type=1800 audit(1555483920.448:27): pid=5191 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[ 45.279896] audit: type=1800 audit(1555483920.448:28): pid=5191 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 46.091254] audit: type=1800 audit(1555483921.308:29): pid=5191 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 46.111067] audit: type=1800 audit(1555483921.308:30): pid=5191 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.47' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 56.623673] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 56.863635] usb 1-1: Using ep0 maxpacket: 8
[ 56.983712] usb 1-1: config 0 has an invalid interface number: 28 but max is 0
[ 56.991265] usb 1-1: config 0 has no interface number 0
[ 56.996738] usb 1-1: New USB device found, idVendor=04fa, idProduct=2490, bcdDevice=74.f9
[ 57.005089] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 57.016452] usb 1-1: config 0 descriptor??
[ 57.253874] ==================================================================
[ 57.261369] BUG: KASAN: use-after-free in ds_probe+0x604/0x760
[ 57.267325] Read of size 1 at addr ffff88809cbe73e2 by task kworker/0:1/12
[ 57.274315]
[ 57.275935] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
[ 57.283895] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.293247] Workqueue: usb_hub_wq hub_event
[ 57.297552] Call Trace:
[ 57.300135] dump_stack+0xe8/0x16e
[ 57.303668] ? ds_probe+0x604/0x760
[ 57.307405] ? ds_probe+0x604/0x760
[ 57.311067] print_address_description+0x6c/0x236
[ 57.315944] ? ds_probe+0x604/0x760
[ 57.319563] ? ds_probe+0x604/0x760
[ 57.323175] kasan_report.cold+0x1a/0x3c
[ 57.327226] ? ds_probe+0x604/0x760
[ 57.330837] ds_probe+0x604/0x760
[ 57.334283] usb_probe_interface+0x31d/0x820
[ 57.338705] ? usb_probe_device+0x150/0x150
[ 57.343674] really_probe+0x2da/0xb10
[ 57.347467] driver_probe_device+0x21d/0x350
[ 57.351862] __device_attach_driver+0x1d8/0x290
[ 57.356554] ? driver_allows_async_probing+0x160/0x160
[ 57.361831] bus_for_each_drv+0x163/0x1e0
[ 57.365979] ? bus_rescan_devices+0x30/0x30
[ 57.370309] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 57.375404] ? lockdep_hardirqs_on+0x37e/0x580
[ 57.379978] __device_attach+0x223/0x3a0
[ 57.384124] ? device_bind_driver+0xe0/0xe0
[ 57.388444] ? kobject_uevent_env+0x295/0x13d0
[ 57.393022] bus_probe_device+0x1f1/0x2a0
[ 57.397161] ? blocking_notifier_call_chain+0x59/0xb0
executing program
[ 57.402339] device_add+0xad2/0x16e0
[ 57.406049] ? get_device_parent.isra.0+0x560/0x560
[ 57.411053] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 57.416167] usb_set_configuration+0xdf7/0x1740
[ 57.420848] generic_probe+0xa2/0xda
[ 57.424577] usb_probe_device+0xc0/0x150
[ 57.428647] ? usb_suspend+0x5f0/0x5f0
[ 57.432535] really_probe+0x2da/0xb10
[ 57.436335] driver_probe_device+0x21d/0x350
[ 57.440765] __device_attach_driver+0x1d8/0x290
[ 57.445456] ? driver_allows_async_probing+0x160/0x160
[ 57.450722] bus_for_each_drv+0x163/0x1e0
[ 57.454863] ? bus_rescan_devices+0x30/0x30
[ 57.459175] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 57.464282] ? lockdep_hardirqs_on+0x37e/0x580
[ 57.468870] __device_attach+0x223/0x3a0
[ 57.472920] ? device_bind_driver+0xe0/0xe0
[ 57.477229] ? kobject_uevent_env+0x295/0x13d0
[ 57.481799] bus_probe_device+0x1f1/0x2a0
[ 57.485944] ? blocking_notifier_call_chain+0x59/0xb0
[ 57.491163] device_add+0xad2/0x16e0
[ 57.494867] ? get_device_parent.isra.0+0x560/0x560
[ 57.499874] usb_new_device.cold+0x537/0xccf
[ 57.504286] hub_event+0x138e/0x3b00
[ 57.508090] ? hub_port_debounce+0x350/0x350
[ 57.512497] ? _raw_spin_unlock_irq+0x29/0x40
[ 57.516983] process_one_work+0x90f/0x1580
[ 57.521210] ? wq_pool_ids_show+0x300/0x300
[ 57.525530] ? do_raw_spin_lock+0x11f/0x290
[ 57.529867] worker_thread+0x9b/0xe20
[ 57.533658] ? process_one_work+0x1580/0x1580
[ 57.538157] kthread+0x313/0x420
[ 57.541515] ? kthread_park+0x1a0/0x1a0
[ 57.545481] ret_from_fork+0x3a/0x50
[ 57.549187]
[ 57.550813] Allocated by task 12:
[ 57.554251] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 57.559179] __kmalloc_node_track_caller+0xf3/0x320
[ 57.564206] __devres_alloc_node+0x65/0x150
[ 57.568512] devm_pinctrl_get+0x34/0xc0
[ 57.572470] pinctrl_bind_pins+0xcb/0x950
[ 57.576602] really_probe+0x126/0xb10
[ 57.580385] driver_probe_device+0x21d/0x350
[ 57.584799] __device_attach_driver+0x1d8/0x290
[ 57.589458] bus_for_each_drv+0x163/0x1e0
[ 57.593609] __device_attach+0x223/0x3a0
[ 57.597654] bus_probe_device+0x1f1/0x2a0
[ 57.601799] device_add+0xad2/0x16e0
[ 57.605498] usb_new_device.cold+0x537/0xccf
[ 57.609895] hub_event+0x138e/0x3b00
[ 57.613594] process_one_work+0x90f/0x1580
[ 57.617811] worker_thread+0x9b/0xe20
[ 57.621596] kthread+0x313/0x420
[ 57.624956] ret_from_fork+0x3a/0x50
[ 57.628648]
[ 57.630270] Freed by task 12:
[ 57.633360] __kasan_slab_free+0x130/0x180
[ 57.637754] slab_free_freelist_hook+0x5e/0x140
[ 57.642410] kfree+0xce/0x290
[ 57.645502] devres_free+0x4a/0x70
[ 57.649022] devres_release+0x52/0x70
[ 57.652803] devm_pinctrl_put+0x46/0x80
[ 57.656761] pinctrl_bind_pins+0x333/0x950
[ 57.660981] really_probe+0x126/0xb10
[ 57.664765] driver_probe_device+0x21d/0x350
[ 57.669156] __device_attach_driver+0x1d8/0x290
[ 57.673999] bus_for_each_drv+0x163/0x1e0
[ 57.678136] __device_attach+0x223/0x3a0
[ 57.682184] bus_probe_device+0x1f1/0x2a0
[ 57.686320] device_add+0xad2/0x16e0
[ 57.690016] usb_new_device.cold+0x537/0xccf
[ 57.694407] hub_event+0x138e/0x3b00
[ 57.698208] process_one_work+0x90f/0x1580
[ 57.702448] worker_thread+0x9b/0xe20
[ 57.706232] kthread+0x313/0x420
[ 57.709603] ret_from_fork+0x3a/0x50
[ 57.713296]
[ 57.714909] The buggy address belongs to the object at ffff88809cbe73c0
[ 57.714909] which belongs to the cache kmalloc-64 of size 64
[ 57.727371] The buggy address is located 34 bytes inside of
[ 57.727371] 64-byte region [ffff88809cbe73c0, ffff88809cbe7400)
[ 57.739056] The buggy address belongs to the page:
[ 57.743974] page:ffffea000272f9c0 count:1 mapcount:0 mapping:ffff88812c3f5600 index:0x0
[ 57.752132] flags: 0xfff00000000200(slab)
[ 57.756280] raw: 00fff00000000200 ffffea00025d96c0 0000000900000009 ffff88812c3f5600
[ 57.764152] raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000
[ 57.772016] page dumped because: kasan: bad access detected
[ 57.777728]
[ 57.779337] Memory state around the buggy address:
[ 57.784257] ffff88809cbe7280: fc fc fc fc 00 00 00 00 00 fc fc fc fc fc fc fc
[ 57.791610] ffff88809cbe7300: 00 00 00 00 00 fc fc fc fc fc fc fc 00 00 00 00
[ 57.798974] >ffff88809cbe7380: 00 00 fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 57.806322] ^
[ 57.812798] ffff88809cbe7400: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc
[ 57.820148] ffff88809cbe7480: 00 00 00 00 00 06 fc fc fc fc fc fc 00 00 00 00
[ 57.827486] ==================================================================
[ 57.834830] Disabling lock debugging due to kernel taint
[ 57.840466] Kernel panic - not syncing: panic_on_warn set ...
[ 57.846356] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.1.0-rc4-319354-g9a33b36 #3
[ 57.855689] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.865052] Workqueue: usb_hub_wq hub_event
[ 57.869361] Call Trace:
[ 57.871947] dump_stack+0xe8/0x16e
[ 57.875476] panic+0x29d/0x5f2
[ 57.878652] ? __warn_printk+0xf8/0xf8
[ 57.882530] ? retint_kernel+0x10/0x10
[ 57.886410] ? trace_hardirqs_on+0x55/0x1c0
[ 57.890718] ? ds_probe+0x604/0x760
[ 57.894326] end_report+0x48/0x4e
[ 57.897760] ? ds_probe+0x604/0x760
[ 57.901392] kasan_report.cold+0xd/0x3c
[ 57.905351] ? ds_probe+0x604/0x760
[ 57.908965] ds_probe+0x604/0x760
[ 57.912419] usb_probe_interface+0x31d/0x820
[ 57.916812] ? usb_probe_device+0x150/0x150
[ 57.921129] really_probe+0x2da/0xb10
[ 57.924938] driver_probe_device+0x21d/0x350
[ 57.929329] __device_attach_driver+0x1d8/0x290
[ 57.933979] ? driver_allows_async_probing+0x160/0x160
[ 57.939243] bus_for_each_drv+0x163/0x1e0
[ 57.943374] ? bus_rescan_devices+0x30/0x30
[ 57.947683] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 57.952771] ? lockdep_hardirqs_on+0x37e/0x580
[ 57.957356] __device_attach+0x223/0x3a0
[ 57.961406] ? device_bind_driver+0xe0/0xe0
[ 57.965711] ? kobject_uevent_env+0x295/0x13d0
[ 57.970281] bus_probe_device+0x1f1/0x2a0
[ 57.974417] ? blocking_notifier_call_chain+0x59/0xb0
[ 57.979590] device_add+0xad2/0x16e0
[ 57.983288] ? get_device_parent.isra.0+0x560/0x560
[ 57.988289] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 57.993396] usb_set_configuration+0xdf7/0x1740
[ 57.998071] generic_probe+0xa2/0xda
[ 58.001768] usb_probe_device+0xc0/0x150
[ 58.005812] ? usb_suspend+0x5f0/0x5f0
[ 58.009682] really_probe+0x2da/0xb10
[ 58.013480] driver_probe_device+0x21d/0x350
[ 58.017874] __device_attach_driver+0x1d8/0x290
[ 58.022546] ? driver_allows_async_probing+0x160/0x160
[ 58.027822] bus_for_each_drv+0x163/0x1e0
[ 58.031962] ? bus_rescan_devices+0x30/0x30
[ 58.036264] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 58.041374] ? lockdep_hardirqs_on+0x37e/0x580
[ 58.045955] __device_attach+0x223/0x3a0
[ 58.049999] ? device_bind_driver+0xe0/0xe0
[ 58.054306] ? kobject_uevent_env+0x295/0x13d0
[ 58.058879] bus_probe_device+0x1f1/0x2a0
[ 58.063014] ? blocking_notifier_call_chain+0x59/0xb0
[ 58.068225] device_add+0xad2/0x16e0
[ 58.071940] ? get_device_parent.isra.0+0x560/0x560
[ 58.076943] usb_new_device.cold+0x537/0xccf
[ 58.081353] hub_event+0x138e/0x3b00
[ 58.085088] ? hub_port_debounce+0x350/0x350
[ 58.089512] ? _raw_spin_unlock_irq+0x29/0x40
[ 58.093993] process_one_work+0x90f/0x1580
[ 58.098232] ? wq_pool_ids_show+0x300/0x300
[ 58.102539] ? do_raw_spin_lock+0x11f/0x290
[ 58.106884] worker_thread+0x9b/0xe20
[ 58.110678] ? process_one_work+0x1580/0x1580
[ 58.115176] kthread+0x313/0x420
[ 58.118530] ? kthread_park+0x1a0/0x1a0
[ 58.122579] ret_from_fork+0x3a/0x50
[ 58.127048] Kernel Offset: disabled
[ 58.130671] Rebooting in 86400 seconds..