[ 45.462965] audit: type=1800 audit(1555234767.479:27): pid=5253 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[ 45.482584] audit: type=1800 audit(1555234767.479:28): pid=5253 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 46.210212] audit: type=1800 audit(1555234768.259:29): pid=5253 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 46.229506] audit: type=1800 audit(1555234768.259:30): pid=5253 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.50' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 57.956186] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 58.206185] usb 1-1: Using ep0 maxpacket: 8
[ 58.326236] usb 1-1: config 0 has an invalid interface number: 230 but max is 0
[ 58.334779] usb 1-1: config 0 has no interface number 0
[ 58.340271] usb 1-1: New USB device found, idVendor=9022, idProduct=d421, bcdDevice=50.db
[ 58.348983] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 58.358512] usb 1-1: config 0 descriptor??
[ 58.398332] dw2102: su3000_identify_state
[ 58.402640] dvb-usb: found a 'TeVii S421 PCI' in warm state.
[ 58.408729] dw2102: su3000_power_ctrl: 1, initialized 0
[ 58.414500] dvb-usb: bulk message failed: -22 (2/-1471307592)
[ 58.424935] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[ 58.446642] dvbdev: DVB: registering new adapter (TeVii S421 PCI)
[ 58.453727] dvb-usb: bulk message failed: -22 (6/-1861366664)
[ 58.459839] dw2102: i2c transfer failed.
[ 58.464124] dvb-usb: bulk message failed: -22 (6/-1861366664)
[ 58.470352] dw2102: i2c transfer failed.
[ 58.474602] dvb-usb: bulk message failed: -22 (6/-1861366664)
[ 58.480662] dw2102: i2c transfer failed.
[ 58.484747] dvb-usb: bulk message failed: -22 (6/-1861366664)
[ 58.491051] dw2102: i2c transfer failed.
[ 58.495324] dvb-usb: bulk message failed: -22 (6/-1861366664)
[ 58.501450] dw2102: i2c transfer failed.
[ 58.505830] dvb-usb: bulk message failed: -22 (6/-1861366664)
[ 58.511886] dw2102: i2c transfer failed.
[ 58.516058] dvb-usb: MAC address: 02:02:02:02:02:02
[ 58.528711] dvb-usb: bulk message failed: -22 (1/2)
[ 58.533958] dw2102: command 0x51 transfer failed.
[ 58.541482] dvb-usb: bulk message failed: -22 (5/-1861366664)
executing program
[ 58.547949] dw2102: i2c transfer failed.
[ 58.552198] dvb-usb: bulk message failed: -22 (5/-1861366664)
[ 58.558200] dw2102: i2c transfer failed.
[ 58.562291] dvb-usb: bulk message failed: -22 (5/-1861366664)
[ 58.568521] dw2102: i2c transfer failed.
[ 58.572831] dvb-usb: bulk message failed: -22 (5/-1861366664)
[ 58.579131] dw2102: i2c transfer failed.
[ 58.583257] dvb-usb: bulk message failed: -22 (5/-1861366664)
[ 58.589474] dw2102: i2c transfer failed.
[ 58.593610] dvb-usb: bulk message failed: -22 (5/-1861366664)
[ 58.600066] dw2102: i2c transfer failed.
[ 58.646270] dvb-usb: bulk message failed: -22 (5/-1861366664)
[ 58.652438] dw2102: i2c transfer failed.
[ 58.657224] dvb-usb: bulk message failed: -22 (5/-1861366664)
[ 58.664871] dw2102: i2c transfer failed.
[ 58.669376] dvb-usb: bulk message failed: -22 (5/-1861366664)
[ 58.675718] dw2102: i2c transfer failed.
[ 58.679959] dvb-usb: bulk message failed: -22 (5/-1861366664)
[ 58.685855] dw2102: i2c transfer failed.
[ 58.690171] dvb-usb: bulk message failed: -22 (5/-1861366664)
[ 58.696291] dw2102: i2c transfer failed.
[ 58.700586] dvb-usb: bulk message failed: -22 (5/-1861366664)
[ 58.706661] dw2102: i2c transfer failed.
[ 58.710773] ts2020 0-0060: Montage Technology TS2020 successfully identified
[ 58.719090] dw2102: Attached RS2000/TS2020!
[ 58.723622] usb 1-1: DVB: registering adapter 0 frontend 0 (M88RS2000 DVB-S)...
[ 58.776396] Registered IR keymap rc-su3000
[ 58.781700] rc rc1: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc1
[ 58.791004] input: TeVii S421 PCI as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc1/input10
[ 58.803584] rc rc1: lirc_dev: driver dw2102 registered at minor = 1, scancode receiver, no transmitter
[ 58.813850] dvb-usb: schedule remote query interval to 150 msecs.
[ 58.820290] dw2102: su3000_power_ctrl: 0, initialized 1
[ 58.826150] dvb-usb: TeVii S421 PCI successfully initialized and connected.
[ 58.835286] usb 1-1: USB disconnect, device number 2
[ 58.841749] ==================================================================
[ 58.849901] BUG: KASAN: use-after-free in dvb_usb_device_exit+0xbb/0xd0
[ 58.857002] Read of size 8 at addr ffff8880a12235d8 by task kworker/1:1/21
[ 58.864230]
[ 58.865863] CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
[ 58.873999] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.883796] Workqueue: usb_hub_wq hub_event
[ 58.888303] Call Trace:
[ 58.890931] dump_stack+0xe8/0x16e
[ 58.894574] ? dvb_usb_device_exit+0xbb/0xd0
[ 58.899269] ? dvb_usb_device_exit+0xbb/0xd0
[ 58.904132] print_address_description+0x6c/0x236
[ 58.909138] ? dvb_usb_device_exit+0xbb/0xd0
[ 58.913694] ? dvb_usb_device_exit+0xbb/0xd0
[ 58.918438] kasan_report.cold+0x1a/0x3c
[ 58.922591] ? usb_disable_endpoint+0x1e0/0x1f0
[ 58.927272] ? dvb_usb_device_exit+0xbb/0xd0
[ 58.931689] dvb_usb_device_exit+0xbb/0xd0
[ 58.935930] usb_unbind_interface+0x1c9/0x980
[ 58.940565] ? usb_autoresume_device+0x60/0x60
[ 58.945776] device_release_driver_internal+0x436/0x4f0
[ 58.951950] bus_remove_device+0x302/0x5c0
[ 58.956758] device_del+0x467/0xb90
[ 58.960425] ? mark_held_locks+0x9f/0xe0
[ 58.964851] ? __device_links_no_driver+0x240/0x240
[ 58.969956] ? lockdep_hardirqs_on+0x37e/0x580
[ 58.974537] ? remove_intf_ep_devs+0x144/0x1d0
[ 58.979310] usb_disable_device+0x242/0x790
[ 58.983785] usb_disconnect+0x298/0x870
[ 58.987852] hub_event+0xcd2/0x3b00
[ 58.991624] ? mark_held_locks+0xe0/0xe0
[ 58.995750] ? hub_port_debounce+0x350/0x350
[ 59.000441] ? _raw_spin_unlock_irq+0x29/0x40
[ 59.005116] process_one_work+0x90f/0x1580
[ 59.009614] ? wq_pool_ids_show+0x300/0x300
[ 59.014178] ? do_raw_spin_lock+0x11f/0x290
[ 59.018843] worker_thread+0x7b0/0xe20
[ 59.022846] ? process_one_work+0x1580/0x1580
[ 59.027500] kthread+0x313/0x420
[ 59.030869] ? kthread_park+0x1a0/0x1a0
[ 59.034847] ret_from_fork+0x3a/0x50
[ 59.038566]
[ 59.040249] Allocated by task 21:
[ 59.043844] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 59.048861] __kmalloc_track_caller+0xf0/0x2c0
[ 59.053442] kmemdup+0x23/0x50
[ 59.056880] dw2102_probe+0x62c/0xc50
[ 59.060772] usb_probe_interface+0x31d/0x820
[ 59.065331] really_probe+0x2da/0xb10
[ 59.069141] driver_probe_device+0x21d/0x350
[ 59.073703] __device_attach_driver+0x1d8/0x290
[ 59.078583] bus_for_each_drv+0x163/0x1e0
[ 59.083098] __device_attach+0x223/0x3a0
[ 59.087314] bus_probe_device+0x1f1/0x2a0
[ 59.091466] device_add+0xad2/0x16e0
[ 59.095323] usb_set_configuration+0xdf7/0x1740
[ 59.100720] generic_probe+0xa2/0xda
[ 59.104571] usb_probe_device+0xc0/0x150
[ 59.109043] really_probe+0x2da/0xb10
[ 59.112949] driver_probe_device+0x21d/0x350
[ 59.117788] __device_attach_driver+0x1d8/0x290
[ 59.122459] bus_for_each_drv+0x163/0x1e0
[ 59.126605] __device_attach+0x223/0x3a0
[ 59.130704] bus_probe_device+0x1f1/0x2a0
[ 59.135072] device_add+0xad2/0x16e0
[ 59.138788] usb_new_device.cold+0x537/0xccf
[ 59.143263] hub_event+0x138e/0x3b00
[ 59.147121] process_one_work+0x90f/0x1580
[ 59.151754] worker_thread+0x9b/0xe20
[ 59.155645] kthread+0x313/0x420
[ 59.159076] ret_from_fork+0x3a/0x50
[ 59.162907]
[ 59.164546] Freed by task 21:
[ 59.167653] __kasan_slab_free+0x130/0x180
[ 59.172262] slab_free_freelist_hook+0x5e/0x140
[ 59.177146] kfree+0xce/0x290
[ 59.180419] dw2102_probe+0x876/0xc50
[ 59.184222] usb_probe_interface+0x31d/0x820
[ 59.188958] really_probe+0x2da/0xb10
[ 59.192945] driver_probe_device+0x21d/0x350
[ 59.197789] __device_attach_driver+0x1d8/0x290
[ 59.202566] bus_for_each_drv+0x163/0x1e0
[ 59.207082] __device_attach+0x223/0x3a0
[ 59.211239] bus_probe_device+0x1f1/0x2a0
[ 59.215577] device_add+0xad2/0x16e0
[ 59.219451] usb_set_configuration+0xdf7/0x1740
[ 59.224207] generic_probe+0xa2/0xda
[ 59.227931] usb_probe_device+0xc0/0x150
[ 59.232151] really_probe+0x2da/0xb10
[ 59.236078] driver_probe_device+0x21d/0x350
[ 59.240603] __device_attach_driver+0x1d8/0x290
[ 59.245550] bus_for_each_drv+0x163/0x1e0
[ 59.250251] __device_attach+0x223/0x3a0
[ 59.254600] bus_probe_device+0x1f1/0x2a0
[ 59.258753] device_add+0xad2/0x16e0
[ 59.262563] usb_new_device.cold+0x537/0xccf
[ 59.267930] hub_event+0x138e/0x3b00
[ 59.271719] process_one_work+0x90f/0x1580
[ 59.275961] worker_thread+0x9b/0xe20
[ 59.279773] kthread+0x313/0x420
[ 59.283145] ret_from_fork+0x3a/0x50
[ 59.287043]
[ 59.288693] The buggy address belongs to the object at ffff8880a1223300
[ 59.288693] which belongs to the cache kmalloc-4k of size 4096
[ 59.301575] The buggy address is located 728 bytes inside of
[ 59.301575] 4096-byte region [ffff8880a1223300, ffff8880a1224300)
[ 59.314581] The buggy address belongs to the page:
[ 59.319516] page:ffffea0002848800 count:1 mapcount:0 mapping:ffff88812c3f4600 index:0x0 compound_mapcount: 0
[ 59.331437] flags: 0xfff00000010200(slab|head)
[ 59.336152] raw: 00fff00000010200 0000000000000000 0000000500000001 ffff88812c3f4600
[ 59.344536] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 59.352699] page dumped because: kasan: bad access detected
[ 59.358463]
[ 59.360099] Memory state around the buggy address:
[ 59.365205] ffff8880a1223480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.372870] ffff8880a1223500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.380252] >ffff8880a1223580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.387736] ^
[ 59.394315] ffff8880a1223600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.402059] ffff8880a1223680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.409807] ==================================================================
[ 59.417568] Disabling lock debugging due to kernel taint
[ 59.423748] Kernel panic - not syncing: panic_on_warn set ...
[ 59.429818] CPU: 1 PID: 21 Comm: kworker/1:1 Tainted: G B 5.1.0-rc4-319354-g9a33b36 #3
[ 59.439577] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.449609] Workqueue: usb_hub_wq hub_event
[ 59.454009] Call Trace:
[ 59.456730] dump_stack+0xe8/0x16e
[ 59.460486] panic+0x29d/0x5f2
[ 59.463769] ? __warn_printk+0xf8/0xf8
[ 59.467890] ? dvb_usb_device_exit+0xbb/0xd0
[ 59.472474] ? trace_hardirqs_on+0x55/0x1c0
[ 59.476896] ? dvb_usb_device_exit+0xbb/0xd0
[ 59.481725] end_report+0x48/0x4e
[ 59.485248] ? dvb_usb_device_exit+0xbb/0xd0
[ 59.490068] kasan_report.cold+0xd/0x3c
[ 59.494480] ? usb_disable_endpoint+0x1e0/0x1f0
[ 59.499312] ? dvb_usb_device_exit+0xbb/0xd0
[ 59.504335] dvb_usb_device_exit+0xbb/0xd0
[ 59.508739] usb_unbind_interface+0x1c9/0x980
[ 59.514506] ? usb_autoresume_device+0x60/0x60
[ 59.519596] device_release_driver_internal+0x436/0x4f0
[ 59.525556] bus_remove_device+0x302/0x5c0
[ 59.531276] device_del+0x467/0xb90
[ 59.534972] ? mark_held_locks+0x9f/0xe0
[ 59.539193] ? __device_links_no_driver+0x240/0x240
[ 59.544887] ? lockdep_hardirqs_on+0x37e/0x580
[ 59.549796] ? remove_intf_ep_devs+0x144/0x1d0
[ 59.554468] usb_disable_device+0x242/0x790
[ 59.558791] usb_disconnect+0x298/0x870
[ 59.562772] hub_event+0xcd2/0x3b00
[ 59.568008] ? mark_held_locks+0xe0/0xe0
[ 59.572241] ? hub_port_debounce+0x350/0x350
[ 59.577406] ? _raw_spin_unlock_irq+0x29/0x40
[ 59.582437] process_one_work+0x90f/0x1580
[ 59.587101] ? wq_pool_ids_show+0x300/0x300
[ 59.591764] ? do_raw_spin_lock+0x11f/0x290
[ 59.596305] worker_thread+0x7b0/0xe20
[ 59.600537] ? process_one_work+0x1580/0x1580
[ 59.606221] kthread+0x313/0x420
[ 59.609834] ? kthread_park+0x1a0/0x1a0
[ 59.613998] ret_from_fork+0x3a/0x50
[ 59.619278] Kernel Offset: disabled
[ 59.622918] Rebooting in 86400 seconds..