[ 45.526752] audit: type=1800 audit(1555480659.272:27): pid=5229 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[ 45.546258] audit: type=1800 audit(1555480659.272:28): pid=5229 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 46.026777] audit: type=1800 audit(1555480659.802:29): pid=5229 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 46.046330] audit: type=1800 audit(1555480659.802:30): pid=5229 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.1.44' (ECDSA) to the list of known hosts.
syzkaller login: [ 75.910569] IPVS: ftp: loaded support on port[0] = 21
[ 75.987702] bridge0: port 1(bridge_slave_0) entered blocking state
[ 75.995130] bridge0: port 1(bridge_slave_0) entered disabled state
[ 76.003774] device bridge_slave_0 entered promiscuous mode
[ 76.012966] bridge0: port 2(bridge_slave_1) entered blocking state
[ 76.021736] bridge0: port 2(bridge_slave_1) entered disabled state
[ 76.029735] device bridge_slave_1 entered promiscuous mode
[ 76.048290] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 76.060356] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 76.080455] team0: Port device team_slave_0 added
[ 76.089955] team0: Port device team_slave_1 added
[ 76.118008] bridge0: port 2(bridge_slave_1) entered blocking state
[ 76.128329] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 76.136921] bridge0: port 1(bridge_slave_0) entered blocking state
[ 76.145051] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 76.186998] 8021q: adding VLAN 0 to HW filter on device bond0
[ 76.201899] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 76.215206] bridge0: port 1(bridge_slave_0) entered disabled state
[ 76.225314] bridge0: port 2(bridge_slave_1) entered disabled state
[ 76.234230] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 76.246514] 8021q: adding VLAN 0 to HW filter on device team0
[ 76.256266] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 76.267246] bridge0: port 1(bridge_slave_0) entered blocking state
[ 76.274396] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 76.290885] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 76.303378] bridge0: port 2(bridge_slave_1) entered blocking state
[ 76.309882] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 76.326087] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 76.334400] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 76.342725] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 76.351265] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 76.359772] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
executing program
[ 76.402701] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 76.699453] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 76.939382] usb 1-1: Using ep0 maxpacket: 8
[ 77.059528] usb 1-1: config 0 has an invalid interface number: 28 but max is 0
[ 77.059558] usb 1-1: config 0 has no interface number 0
[ 77.059597] usb 1-1: New USB device found, idVendor=04fa, idProduct=2490, bcdDevice=74.f9
[ 77.080931] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 77.090552] usb 1-1: config 0 descriptor??
[ 77.329889] ==================================================================
[ 77.337418] BUG: KASAN: use-after-free in ds_probe+0x604/0x760
[ 77.343416] Read of size 1 at addr ffff888219299c22 by task kworker/1:1/21
[ 77.350533]
[ 77.352145] CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
[ 77.360097] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 77.369706] Workqueue: usb_hub_wq hub_event
[ 77.374013] Call Trace:
[ 77.376590] dump_stack+0xe8/0x16e
[ 77.380129] ? ds_probe+0x604/0x760
[ 77.383940] ? ds_probe+0x604/0x760
[ 77.387595] print_address_description+0x6c/0x236
[ 77.392502] ? ds_probe+0x604/0x760
[ 77.396118] ? ds_probe+0x604/0x760
[ 77.399767] kasan_report.cold+0x1a/0x3c
[ 77.403825] ? ds_probe+0x604/0x760
[ 77.407448] ds_probe+0x604/0x760
[ 77.410934] usb_probe_interface+0x31d/0x820
[ 77.415455] ? usb_probe_device+0x150/0x150
[ 77.419804] really_probe+0x2da/0xb10
[ 77.423596] driver_probe_device+0x21d/0x350
[ 77.427989] __device_attach_driver+0x1d8/0x290
[ 77.432651] ? driver_allows_async_probing+0x160/0x160
[ 77.437973] bus_for_each_drv+0x163/0x1e0
[ 77.442150] ? bus_rescan_devices+0x30/0x30
[ 77.446475] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 77.451573] ? lockdep_hardirqs_on+0x37e/0x580
[ 77.456153] __device_attach+0x223/0x3a0
[ 77.460250] ? device_bind_driver+0xe0/0xe0
[ 77.464613] ? kobject_uevent_env+0x295/0x13d0
[ 77.469643] bus_probe_device+0x1f1/0x2a0
[ 77.473825] ? blocking_notifier_call_chain+0x59/0xb0
[ 77.479022] device_add+0xad2/0x16e0
[ 77.482773] ? get_device_parent.isra.0+0x560/0x560
[ 77.487799] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 77.492903] usb_set_configuration+0xdf7/0x1740
[ 77.497572] generic_probe+0xa2/0xda
[ 77.501320] usb_probe_device+0xc0/0x150
[ 77.506528] ? usb_suspend+0x5f0/0x5f0
[ 77.510472] really_probe+0x2da/0xb10
[ 77.514271] driver_probe_device+0x21d/0x350
[ 77.518672] __device_attach_driver+0x1d8/0x290
[ 77.523398] ? driver_allows_async_probing+0x160/0x160
[ 77.528781] bus_for_each_drv+0x163/0x1e0
[ 77.532972] ? bus_rescan_devices+0x30/0x30
[ 77.537293] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 77.542392] ? lockdep_hardirqs_on+0x37e/0x580
[ 77.546971] __device_attach+0x223/0x3a0
[ 77.551028] ? device_bind_driver+0xe0/0xe0
[ 77.555342] ? kobject_uevent_env+0x295/0x13d0
[ 77.560003] bus_probe_device+0x1f1/0x2a0
[ 77.564232] ? blocking_notifier_call_chain+0x59/0xb0
[ 77.569984] device_add+0xad2/0x16e0
[ 77.573775] ? get_device_parent.isra.0+0x560/0x560
[ 77.578801] usb_new_device.cold+0x537/0xccf
[ 77.583295] hub_event+0x138e/0x3b00
[ 77.587045] ? hub_port_debounce+0x350/0x350
[ 77.591463] ? _raw_spin_unlock_irq+0x29/0x40
[ 77.595944] process_one_work+0x90f/0x1580
[ 77.600279] ? wq_pool_ids_show+0x300/0x300
[ 77.604618] ? do_raw_spin_lock+0x11f/0x290
[ 77.608950] worker_thread+0x9b/0xe20
[ 77.612751] ? process_one_work+0x1580/0x1580
[ 77.617243] kthread+0x313/0x420
[ 77.620709] ? kthread_park+0x1a0/0x1a0
[ 77.624675] ret_from_fork+0x3a/0x50
[ 77.628417]
[ 77.630085] Allocated by task 5383:
[ 77.633704] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 77.638625] __kmalloc_track_caller+0xf0/0x2c0
[ 77.643197] kmemdup+0x23/0x50
[ 77.646427] sctp_addr_wq_mgmt+0x3f7/0x790
[ 77.650667] sctp_inet6addr_event+0x63a/0x800
[ 77.655173] notifier_call_chain+0xca/0x240
[ 77.659515] atomic_notifier_call_chain+0x94/0x180
[ 77.664441] ipv6_add_addr+0x15db/0x1c60
[ 77.668499] addrconf_add_linklocal+0x1db/0x390
[ 77.673161] addrconf_addr_gen+0x352/0x3a0
[ 77.677376] addrconf_dev_config+0x1e0/0x2b0
[ 77.681772] addrconf_notify+0x4be/0x2340
[ 77.685906] notifier_call_chain+0xca/0x240
[ 77.690214] __dev_notify_flags+0x126/0x2d0
[ 77.694526] dev_change_flags+0x105/0x160
[ 77.698845] do_setlink+0x15c5/0x33c0
[ 77.702643] __rtnl_newlink+0xab3/0x14b0
[ 77.706696] rtnl_newlink+0x69/0xa0
[ 77.710313] rtnetlink_rcv_msg+0x45e/0xb00
[ 77.714540] netlink_rcv_skb+0x162/0x410
[ 77.718726] netlink_unicast+0x4da/0x690
[ 77.722775] netlink_sendmsg+0x810/0xcd0
[ 77.726868] sock_sendmsg+0xda/0x130
[ 77.730575] __sys_sendto+0x21f/0x330
[ 77.734364] __x64_sys_sendto+0xe2/0x1b0
[ 77.738518] do_syscall_64+0xcf/0x4f0
[ 77.742354] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 77.747538]
[ 77.749155] Freed by task 0:
[ 77.752166] __kasan_slab_free+0x130/0x180
[ 77.756384] slab_free_freelist_hook+0x5e/0x140
[ 77.761074] kfree+0xce/0x290
[ 77.764179] sctp_addr_wq_timeout_handler+0x2ad/0x540
[ 77.769360] call_timer_fn+0x161/0x5f0
[ 77.773239] run_timer_softirq+0x58b/0x1400
[ 77.777556] __do_softirq+0x22a/0x8cd
[ 77.781336]
[ 77.783137] The buggy address belongs to the object at ffff888219299c00
[ 77.783137] which belongs to the cache kmalloc-64 of size 64
[ 77.795650] The buggy address is located 34 bytes inside of
[ 77.795650] 64-byte region [ffff888219299c00, ffff888219299c40)
[ 77.807344] The buggy address belongs to the page:
[ 77.812265] page:ffffea000864a640 count:1 mapcount:0 mapping:ffff88812c3f5600 index:0x0
[ 77.820439] flags: 0x57ff00000000200(slab)
[ 77.824701] raw: 057ff00000000200 dead000000000100 dead000000000200 ffff88812c3f5600
[ 77.832679] raw: 0000000000000000 00000000002a002a 00000001ffffffff 0000000000000000
[ 77.840577] page dumped because: kasan: bad access detected
[ 77.846732]
[ 77.848348] Memory state around the buggy address:
[ 77.853269] ffff888219299b00: 00 00 00 00 fc fc fc fc 00 00 00 00 00 00 00 00
[ 77.860618] ffff888219299b80: fc fc fc fc 00 00 00 00 00 00 fc fc fc fc fc fc
[ 77.867982] >ffff888219299c00: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[ 77.875372] ^
[ 77.879862] ffff888219299c80: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
[ 77.887356] ffff888219299d00: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[ 77.894704] ==================================================================
[ 77.902044] Disabling lock debugging due to kernel taint
[ 77.907653] Kernel panic - not syncing: panic_on_warn set ...
[ 77.913554] CPU: 1 PID: 21 Comm: kworker/1:1 Tainted: G B 5.1.0-rc4-319354-g9a33b36 #3
[ 77.922931] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 77.932299] Workqueue: usb_hub_wq hub_event
[ 77.936613] Call Trace:
[ 77.939323] dump_stack+0xe8/0x16e
[ 77.942865] panic+0x29d/0x5f2
[ 77.946096] ? __warn_printk+0xf8/0xf8
[ 77.949987] ? retint_kernel+0x10/0x10
[ 77.953895] ? trace_hardirqs_on+0x55/0x1c0
[ 77.958218] ? ds_probe+0x604/0x760
[ 77.961859] end_report+0x48/0x4e
[ 77.965336] ? ds_probe+0x604/0x760
[ 77.968958] kasan_report.cold+0xd/0x3c
[ 77.972932] ? ds_probe+0x604/0x760
[ 77.976554] ds_probe+0x604/0x760
[ 77.980010] usb_probe_interface+0x31d/0x820
[ 77.984412] ? usb_probe_device+0x150/0x150
[ 77.988729] really_probe+0x2da/0xb10
[ 77.992533] driver_probe_device+0x21d/0x350
[ 77.996947] __device_attach_driver+0x1d8/0x290
[ 78.001616] ? driver_allows_async_probing+0x160/0x160
[ 78.006889] bus_for_each_drv+0x163/0x1e0
[ 78.011033] ? bus_rescan_devices+0x30/0x30
[ 78.015351] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 78.020450] ? lockdep_hardirqs_on+0x37e/0x580
[ 78.025036] __device_attach+0x223/0x3a0
[ 78.029181] ? device_bind_driver+0xe0/0xe0
[ 78.033502] ? kobject_uevent_env+0x295/0x13d0
[ 78.038093] bus_probe_device+0x1f1/0x2a0
[ 78.042244] ? blocking_notifier_call_chain+0x59/0xb0
[ 78.047431] device_add+0xad2/0x16e0
[ 78.051145] ? get_device_parent.isra.0+0x560/0x560
[ 78.056160] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 78.061268] usb_set_configuration+0xdf7/0x1740
[ 78.065939] generic_probe+0xa2/0xda
[ 78.069649] usb_probe_device+0xc0/0x150
[ 78.073700] ? usb_suspend+0x5f0/0x5f0
[ 78.077579] really_probe+0x2da/0xb10
[ 78.081378] driver_probe_device+0x21d/0x350
[ 78.085780] __device_attach_driver+0x1d8/0x290
[ 78.090447] ? driver_allows_async_probing+0x160/0x160
[ 78.095716] bus_for_each_drv+0x163/0x1e0
[ 78.099866] ? bus_rescan_devices+0x30/0x30
[ 78.104187] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 78.109290] ? lockdep_hardirqs_on+0x37e/0x580
[ 78.113870] __device_attach+0x223/0x3a0
[ 78.117930] ? device_bind_driver+0xe0/0xe0
[ 78.122251] ? kobject_uevent_env+0x295/0x13d0
[ 78.126840] bus_probe_device+0x1f1/0x2a0
[ 78.130987] ? blocking_notifier_call_chain+0x59/0xb0
[ 78.136708] device_add+0xad2/0x16e0
[ 78.140425] ? get_device_parent.isra.0+0x560/0x560
[ 78.145454] usb_new_device.cold+0x537/0xccf
[ 78.149893] hub_event+0x138e/0x3b00
[ 78.153619] ? hub_port_debounce+0x350/0x350
[ 78.158037] ? _raw_spin_unlock_irq+0x29/0x40
[ 78.162532] process_one_work+0x90f/0x1580
[ 78.166765] ? wq_pool_ids_show+0x300/0x300
[ 78.171082] ? do_raw_spin_lock+0x11f/0x290
[ 78.175406] worker_thread+0x9b/0xe20
[ 78.179217] ? process_one_work+0x1580/0x1580
[ 78.183709] kthread+0x313/0x420
[ 78.187072] ? kthread_park+0x1a0/0x1a0
[ 78.191043] ret_from_fork+0x3a/0x50
[ 78.195383] Kernel Offset: disabled
[ 78.199015] Rebooting in 86400 seconds..