[ 45.927431] audit: type=1800 audit(1555472716.324:27): pid=5202 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[ 45.946926] audit: type=1800 audit(1555472716.324:28): pid=5202 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 46.605936] audit: type=1800 audit(1555472717.034:29): pid=5202 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 46.625477] audit: type=1800 audit(1555472717.034:30): pid=5202 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.150' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 59.922193] IPVS: ftp: loaded support on port[0] = 21
[ 60.213743] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 60.453686] usb 1-1: Using ep0 maxpacket: 8
[ 60.573752] usb 1-1: config 0 has an invalid interface number: 28 but max is 0
[ 60.581352] usb 1-1: config 0 has no interface number 0
[ 60.586849] usb 1-1: New USB device found, idVendor=04fa, idProduct=2490, bcdDevice=74.f9
[ 60.595371] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 60.606928] usb 1-1: config 0 descriptor??
[ 60.833905] ==================================================================
[ 60.841407] BUG: KASAN: use-after-free in ds_probe+0x604/0x760
[ 60.847369] Read of size 1 at addr ffff88809a1e68c2 by task kworker/0:1/12
[ 60.854404]
[ 60.856024] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
[ 60.863974] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.873326] Workqueue: usb_hub_wq hub_event
[ 60.877639] Call Trace:
[ 60.880235]  dump_stack+0xe8/0x16e
[ 60.883762]  ? ds_probe+0x604/0x760
[ 60.887375]  ? ds_probe+0x604/0x760
[ 60.891077]  print_address_description+0x6c/0x236
[ 60.896013]  ? ds_probe+0x604/0x760
[ 60.899631]  ? ds_probe+0x604/0x760
[ 60.903247]  kasan_report.cold+0x1a/0x3c
[ 60.907339]  ? ds_probe+0x604/0x760
[ 60.910964]  ds_probe+0x604/0x760
[ 60.914417]  usb_probe_interface+0x31d/0x820
[ 60.918825]  ? usb_probe_device+0x150/0x150
[ 60.923141]  really_probe+0x2da/0xb10
[ 60.926933]  driver_probe_device+0x21d/0x350
[ 60.931335]  __device_attach_driver+0x1d8/0x290
[ 60.936090]  ? driver_allows_async_probing+0x160/0x160
[ 60.941362]  bus_for_each_drv+0x163/0x1e0
[ 60.945562]  ? bus_rescan_devices+0x30/0x30
[ 60.949881]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 60.954981]  ? lockdep_hardirqs_on+0x37e/0x580
[ 60.959558]  __device_attach+0x223/0x3a0
[ 60.963626]  ? device_bind_driver+0xe0/0xe0
[ 60.967987]  ? kobject_uevent_env+0x295/0x13d0
[ 60.972564]  bus_probe_device+0x1f1/0x2a0
[ 60.976697]  ? blocking_notifier_call_chain+0x59/0xb0
[ 60.981870]  device_add+0xad2/0x16e0
[ 60.985580]  ? get_device_parent.isra.0+0x560/0x560
[ 60.990651]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 60.995770]  usb_set_configuration+0xdf7/0x1740
[ 61.000528]  generic_probe+0xa2/0xda
[ 61.004237]  usb_probe_device+0xc0/0x150
[ 61.008296]  ? usb_suspend+0x5f0/0x5f0
[ 61.012253]  really_probe+0x2da/0xb10
[ 61.016089]  driver_probe_device+0x21d/0x350
[ 61.020494]  __device_attach_driver+0x1d8/0x290
[ 61.025154]  ? driver_allows_async_probing+0x160/0x160
[ 61.030451]  bus_for_each_drv+0x163/0x1e0
[ 61.034588]  ? bus_rescan_devices+0x30/0x30
[ 61.038894]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 61.043987]  ? lockdep_hardirqs_on+0x37e/0x580
[ 61.048566]  __device_attach+0x223/0x3a0
[ 61.052621]  ? device_bind_driver+0xe0/0xe0
[ 61.056975]  ? kobject_uevent_env+0x295/0x13d0
[ 61.061558]  bus_probe_device+0x1f1/0x2a0
[ 61.065700]  ? blocking_notifier_call_chain+0x59/0xb0
[ 61.070917]  device_add+0xad2/0x16e0
[ 61.074627]  ? get_device_parent.isra.0+0x560/0x560
[ 61.079638]  usb_new_device.cold+0x537/0xccf
[ 61.084041]  hub_event+0x138e/0x3b00
[ 61.087764]  ? hub_port_debounce+0x350/0x350
[ 61.092161]  ? _raw_spin_unlock_irq+0x29/0x40
[ 61.096640]  process_one_work+0x90f/0x1580
[ 61.100878]  ? wq_pool_ids_show+0x300/0x300
[ 61.105188]  ? do_raw_spin_lock+0x11f/0x290
[ 61.109495]  worker_thread+0x9b/0xe20
[ 61.113281]  ? process_one_work+0x1580/0x1580
[ 61.117761]  kthread+0x313/0x420
[ 61.121121]  ? kthread_park+0x1a0/0x1a0
[ 61.125102]  ret_from_fork+0x3a/0x50
[ 61.128840]
[ 61.130455] Allocated by task 4599:
[ 61.134080]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 61.139001]  security_task_alloc+0x113/0x180
[ 61.143396]  copy_process.part.0+0x1c62/0x76b0
[ 61.148042]  _do_fork+0x234/0xed0
[ 61.151498]  do_syscall_64+0xcf/0x4f0
[ 61.155290]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 61.160454]
[ 61.162057] Freed by task 9:
[ 61.165074]  __kasan_slab_free+0x130/0x180
[ 61.169291]  slab_free_freelist_hook+0x5e/0x140
[ 61.173946]  kfree+0xce/0x290
[ 61.177043]  security_task_free+0x9a/0xf0
[ 61.181240]  __put_task_struct+0xec/0x4d0
[ 61.185432]  delayed_put_task_struct+0x189/0x290
[ 61.190348]  rcu_core+0x83b/0x1a80
[ 61.194001]  __do_softirq+0x22a/0x8cd
[ 61.197786]
[ 61.199406] The buggy address belongs to the object at ffff88809a1e68a0
[ 61.199406]  which belongs to the cache kmalloc-64 of size 64
[ 61.211879] The buggy address is located 34 bytes inside of
[ 61.211879]  64-byte region [ffff88809a1e68a0, ffff88809a1e68e0)
[ 61.223571] The buggy address belongs to the page:
[ 61.228503] page:ffffea0002687980 count:1 mapcount:0 mapping:ffff88812c3f5600 index:0x0
[ 61.236757] flags: 0xfff00000000200(slab)
[ 61.240900] raw: 00fff00000000200 0000000000000000 0000000100000001 ffff88812c3f5600
[ 61.248772] raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000
[ 61.256724] page dumped because: kasan: bad access detected
[ 61.262458]
[ 61.264085] Memory state around the buggy address:
[ 61.269000]  ffff88809a1e6780: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[ 61.276395]  ffff88809a1e6800: fb fb fb fb fc fc fc fc 00 00 00 00 00 00 fc fc
[ 61.283856] >ffff88809a1e6880: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[ 61.291206]                                            ^
[ 61.296649]  ffff88809a1e6900: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[ 61.303999]  ffff88809a1e6980: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
[ 61.311349] ==================================================================
[ 61.318693] Disabling lock debugging due to kernel taint
[ 61.324349] Kernel panic - not syncing: panic_on_warn set ...
[ 61.330344] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.1.0-rc4-319354-g9a33b36 #3
[ 61.339790] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.349142] Workqueue: usb_hub_wq hub_event
[ 61.353483] Call Trace:
[ 61.356072]  dump_stack+0xe8/0x16e
[ 61.359605]  panic+0x29d/0x5f2
[ 61.362835]  ? __warn_printk+0xf8/0xf8
[ 61.366720]  ? retint_kernel+0x10/0x10
[ 61.370595]  ? trace_hardirqs_on+0x55/0x1c0
[ 61.374911]  ? ds_probe+0x604/0x760
[ 61.378524]  end_report+0x48/0x4e
[ 61.381960]  ? ds_probe+0x604/0x760
[ 61.385747]  kasan_report.cold+0xd/0x3c
[ 61.389717]  ? ds_probe+0x604/0x760
[ 61.393474]  ds_probe+0x604/0x760
[ 61.396924]  usb_probe_interface+0x31d/0x820
[ 61.401324]  ? usb_probe_device+0x150/0x150
[ 61.405625]  really_probe+0x2da/0xb10
[ 61.409408]  driver_probe_device+0x21d/0x350
[ 61.413849]  __device_attach_driver+0x1d8/0x290
[ 61.418700]  ? driver_allows_async_probing+0x160/0x160
[ 61.423958]  bus_for_each_drv+0x163/0x1e0
[ 61.428108]  ? bus_rescan_devices+0x30/0x30
[ 61.432418]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 61.437590]  ? lockdep_hardirqs_on+0x37e/0x580
[ 61.442207]  __device_attach+0x223/0x3a0
[ 61.446278]  ? device_bind_driver+0xe0/0xe0
[ 61.450584]  ? kobject_uevent_env+0x295/0x13d0
[ 61.455156]  bus_probe_device+0x1f1/0x2a0
[ 61.459298]  ? blocking_notifier_call_chain+0x59/0xb0
[ 61.464549]  device_add+0xad2/0x16e0
[ 61.468493]  ? get_device_parent.isra.0+0x560/0x560
[ 61.473604]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 61.478695]  usb_set_configuration+0xdf7/0x1740
[ 61.483359]  generic_probe+0xa2/0xda
[ 61.487059]  usb_probe_device+0xc0/0x150
[ 61.491127]  ? usb_suspend+0x5f0/0x5f0
[ 61.495005]  really_probe+0x2da/0xb10
[ 61.498831]  driver_probe_device+0x21d/0x350
[ 61.503232]  __device_attach_driver+0x1d8/0x290
[ 61.507892]  ? driver_allows_async_probing+0x160/0x160
[ 61.513263]  bus_for_each_drv+0x163/0x1e0
[ 61.517447]  ? bus_rescan_devices+0x30/0x30
[ 61.521762]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 61.526854]  ? lockdep_hardirqs_on+0x37e/0x580
[ 61.531782]  __device_attach+0x223/0x3a0
[ 61.535831]  ? device_bind_driver+0xe0/0xe0
[ 61.540291]  ? kobject_uevent_env+0x295/0x13d0
[ 61.544864]  bus_probe_device+0x1f1/0x2a0
[ 61.549001]  ? blocking_notifier_call_chain+0x59/0xb0
[ 61.554278]  device_add+0xad2/0x16e0
[ 61.557983]  ? get_device_parent.isra.0+0x560/0x560
[ 61.563031]  usb_new_device.cold+0x537/0xccf
[ 61.567429]  hub_event+0x138e/0x3b00
[ 61.571135]  ? hub_port_debounce+0x350/0x350
[ 61.575536]  ? _raw_spin_unlock_irq+0x29/0x40
[ 61.580018]  process_one_work+0x90f/0x1580
[ 61.584291]  ? wq_pool_ids_show+0x300/0x300
[ 61.588607]  ? do_raw_spin_lock+0x11f/0x290
[ 61.592922]  worker_thread+0x9b/0xe20
[ 61.596927]  ? process_one_work+0x1580/0x1580
[ 61.601415]  kthread+0x313/0x420
[ 61.604816]  ? kthread_park+0x1a0/0x1a0
[ 61.608783]  ret_from_fork+0x3a/0x50
[ 61.613151] Kernel Offset: disabled
[ 61.627667] Rebooting in 86400 seconds..
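Triage helper for the KASAN report above, added here as an example; it is not part of the syzkaller log or of any kernel tooling. It pulls out the fields a triager reads first (bug kind, faulting function, access, slab object and offset, the reliable call trace with KASAN's own reporting frames stripped, and the allocation and free stacks) and applies one check this particular report needs: the object was last allocated by security_task_alloc and freed by security_task_free, neither of which has anything to do with the ds2490 USB driver that faulted in ds_probe. When the alloc/free stacks come from another subsystem, the slab object has been recycled, so those stacks describe its most recent tenant and not where ds_probe got its pointer; the root cause has to be found from the driver side. The names (KasanReport, parse_kasan, fault_path, owner, recycled_object, summarize) and the allocator-frame prefix list are this example's own; SAMPLE is a trimmed excerpt of the report printed above.

```python
"""Parse a KASAN report out of a serial-console log and summarise it for triage."""
import re
from dataclasses import dataclass, field

# Kernel log prefix "[ 60.841407] " (the syzkaller log has the padding collapsed).
_TS = r"^\[\s*\d+\.\d+\]\s?"
_BUG = re.compile(_TS + r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+")
_ACCESS = re.compile(_TS + r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                     r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
_OBJECT = re.compile(_TS + r"The buggy address belongs to the object at (?P<obj>[0-9a-f]+)")
_CACHE = re.compile(_TS + r"\s*which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
_TRACE = re.compile(_TS + r"Call Trace:")
_ALLOC = re.compile(_TS + r"Allocated by task (?P<task>\d+):")
_FREE = re.compile(_TS + r"Freed by task (?P<task>\d+):")
# One stack frame; a leading "? " marks a frame the unwinder could not verify.
_FRAME = re.compile(_TS + r"\s*(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")

# Frames that belong to the allocator or to KASAN itself, not to the object's owner
# (assumed prefix list for this example).
_ALLOCATOR = {"kasan", "slab", "kfree", "kmalloc", "kmem", "kzalloc"}
_KASAN_INTERNAL = ("dump_stack", "print_address_description", "kasan_report", "end_report")


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    obj: int = 0
    cache: str = ""
    obj_size: int = 0
    trace: list = field(default_factory=list)       # reliable frames of the faulting task
    alloc_task: str = ""
    alloc_stack: list = field(default_factory=list)
    free_task: str = ""
    free_stack: list = field(default_factory=list)

    @property
    def offset(self) -> int:
        """Byte offset of the bad access inside the slab object."""
        return self.addr - self.obj

    def inside_object(self) -> bool:
        return self.obj <= self.addr < self.obj + self.obj_size


def parse_kasan(log: str) -> KasanReport:
    """Walk the log once; stacks are collected until a line that is not a frame."""
    rep = KasanReport()
    section = None
    for line in log.splitlines():
        if m := _BUG.match(line):
            rep.kind, rep.func = m["kind"], m["func"]
        elif m := _ACCESS.match(line):
            rep.op, rep.size = m["op"], int(m["size"])
            rep.addr, rep.task = int(m["addr"], 16), m["task"]
        elif m := _OBJECT.match(line):
            rep.obj = int(m["obj"], 16)
        elif m := _CACHE.match(line):
            rep.cache, rep.obj_size = m["cache"], int(m["size"])
        elif _TRACE.match(line):
            section = rep.trace if not rep.trace else None  # ignore the panic's repeat
        elif m := _ALLOC.match(line):
            rep.alloc_task, section = m["task"], rep.alloc_stack
        elif m := _FREE.match(line):
            rep.free_task, section = m["task"], rep.free_stack
        elif m := _FRAME.match(line):
            if section is not None and not m["unreliable"]:
                section.append(m["sym"])
        else:
            section = None  # blank log line (or anything else) ends the stack
    return rep


def subsystem(sym: str) -> str:
    """Crude subsystem guess from a symbol prefix: 'security_task_alloc' -> 'security'."""
    m = re.match(r"_*([a-z0-9]+)", sym)
    return m.group(1) if m else sym


def owner(stack: list) -> str:
    """First frame below the allocator/KASAN layers, i.e. who asked for the memory."""
    return next((s for s in stack if subsystem(s) not in _ALLOCATOR), "")


def fault_path(rep: KasanReport) -> list:
    """Faulting call trace with KASAN's own reporting frames removed, innermost first."""
    return [s for s in rep.trace if not s.startswith(_KASAN_INTERNAL)]


def recycled_object(rep: KasanReport) -> bool:
    """True when neither the alloc nor the free stack is from the faulting subsystem:
    the slab object has been reused and those stacks show its last tenant only."""
    stacks = [s for s in (rep.alloc_stack, rep.free_stack) if s]
    fault = subsystem(rep.func)
    return bool(stacks) and all(subsystem(owner(s)) != fault for s in stacks)


def summarize(rep: KasanReport) -> str:
    lines = [
        f"{rep.kind} {rep.op.lower()} of {rep.size} byte(s) in {rep.func} by task {rep.task}",
        f"path: {' <- '.join(fault_path(rep))}",
        f"object {rep.obj:#x} in {rep.cache}: access at offset {rep.offset} of {rep.obj_size}",
        f"allocated by {owner(rep.alloc_stack)} (task {rep.alloc_task}), "
        f"freed by {owner(rep.free_stack)} (task {rep.free_task})",
    ]
    if recycled_object(rep):
        lines.append("note: alloc/free stacks belong to another subsystem; the slab object "
                     "was recycled, so they show its last tenant, not the origin of the bad pointer")
    return "\n".join(lines)


# Trimmed excerpt of the report printed above (constructed sample input for this example).
SAMPLE = """\
[ 60.841407] BUG: KASAN: use-after-free in ds_probe+0x604/0x760
[ 60.847369] Read of size 1 at addr ffff88809a1e68c2 by task kworker/0:1/12
[ 60.854404]
[ 60.873326] Workqueue: usb_hub_wq hub_event
[ 60.877639] Call Trace:
[ 60.880235]  dump_stack+0xe8/0x16e
[ 60.883762]  ? ds_probe+0x604/0x760
[ 60.903247]  kasan_report.cold+0x1a/0x3c
[ 60.910964]  ds_probe+0x604/0x760
[ 60.914417]  usb_probe_interface+0x31d/0x820
[ 61.084041]  hub_event+0x138e/0x3b00
[ 61.125102]  ret_from_fork+0x3a/0x50
[ 61.128840]
[ 61.130455] Allocated by task 4599:
[ 61.134080]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 61.139001]  security_task_alloc+0x113/0x180
[ 61.143396]  copy_process.part.0+0x1c62/0x76b0
[ 61.160454]
[ 61.162057] Freed by task 9:
[ 61.165074]  __kasan_slab_free+0x130/0x180
[ 61.169291]  slab_free_freelist_hook+0x5e/0x140
[ 61.173946]  kfree+0xce/0x290
[ 61.177043]  security_task_free+0x9a/0xf0
[ 61.181240]  __put_task_struct+0xec/0x4d0
[ 61.197786]
[ 61.199406] The buggy address belongs to the object at ffff88809a1e68a0
[ 61.199406]  which belongs to the cache kmalloc-64 of size 64
"""

if __name__ == "__main__":
    print(summarize(parse_kasan(SAMPLE)))
```

Run it on the full console log rather than the excerpt and the result is the same: the offset comes out as 34, matching the report's own "34 bytes inside of 64-byte region", and the recycled-object note fires because both owner frames are security_task_* while the fault is in ds_probe.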