[ 48.004994] audit: type=1800 audit(1555433507.998:27): pid=5474 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[ 48.024657] audit: type=1800 audit(1555433507.998:28): pid=5474 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 48.958023] audit: type=1800 audit(1555433508.998:29): pid=5474 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 48.977391] audit: type=1800 audit(1555433508.998:30): pid=5474 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.12' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 59.417700] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 59.657626] usb 1-1: Using ep0 maxpacket: 8
[ 59.777686] usb 1-1: config 0 has an invalid interface number: 28 but max is 0
[ 59.785275] usb 1-1: config 0 has no interface number 0
[ 59.790964] usb 1-1: New USB device found, idVendor=04fa, idProduct=2490, bcdDevice=74.f9
[ 59.799316] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 59.808480] usb 1-1: config 0 descriptor??
[ 60.047894] ==================================================================
[ 60.055414] BUG: KASAN: use-after-free in ds_probe+0x604/0x760
[ 60.061478] Read of size 1 at addr ffff88809c7fef82 by task kworker/1:1/21
[ 60.068492]
[ 60.070118] CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
[ 60.078072] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.087426] Workqueue: usb_hub_wq hub_event
[ 60.091730] Call Trace:
[ 60.094388]  dump_stack+0xe8/0x16e
[ 60.097924]  ? ds_probe+0x604/0x760
[ 60.101543]  ? ds_probe+0x604/0x760
[ 60.105157]  print_address_description+0x6c/0x236
[ 60.109994]  ? ds_probe+0x604/0x760
[ 60.113604]  ? ds_probe+0x604/0x760
[ 60.117227]  kasan_report.cold+0x1a/0x3c
[ 60.121423]  ? ds_probe+0x604/0x760
[ 60.125061]  ds_probe+0x604/0x760
[ 60.128606]  usb_probe_interface+0x31d/0x820
[ 60.133007]  ? usb_probe_device+0x150/0x150
[ 60.137314]  really_probe+0x2da/0xb10
[ 60.141104]  driver_probe_device+0x21d/0x350
[ 60.145505]  __device_attach_driver+0x1d8/0x290
[ 60.150161]  ? driver_allows_async_probing+0x160/0x160
[ 60.155427]  bus_for_each_drv+0x163/0x1e0
[ 60.159579]  ? bus_rescan_devices+0x30/0x30
[ 60.164089]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 60.169187]  ? lockdep_hardirqs_on+0x37e/0x580
[ 60.173758]  __device_attach+0x223/0x3a0
[ 60.177822]  ? device_bind_driver+0xe0/0xe0
[ 60.182242]  ? kobject_uevent_env+0x295/0x13d0
[ 60.186813]  bus_probe_device+0x1f1/0x2a0
[ 60.190946]  ? blocking_notifier_call_chain+0x59/0xb0
[ 60.196244]  device_add+0xad2/0x16e0
[ 60.199955]  ? get_device_parent.isra.0+0x560/0x560
[ 60.205005]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 60.210099]  usb_set_configuration+0xdf7/0x1740
[ 60.214825]  generic_probe+0xa2/0xda
[ 60.218532]  usb_probe_device+0xc0/0x150
[ 60.222585]  ? usb_suspend+0x5f0/0x5f0
[ 60.226459]  really_probe+0x2da/0xb10
[ 60.230349]  driver_probe_device+0x21d/0x350
[ 60.234808]  __device_attach_driver+0x1d8/0x290
[ 60.239466]  ? driver_allows_async_probing+0x160/0x160
[ 60.244770]  bus_for_each_drv+0x163/0x1e0
[ 60.248908]  ? bus_rescan_devices+0x30/0x30
[ 60.253219]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 60.258318]  ? lockdep_hardirqs_on+0x37e/0x580
[ 60.262884]  __device_attach+0x223/0x3a0
[ 60.266939]  ? device_bind_driver+0xe0/0xe0
[ 60.271340]  ? kobject_uevent_env+0x295/0x13d0
[ 60.276014]  bus_probe_device+0x1f1/0x2a0
[ 60.280151]  ? blocking_notifier_call_chain+0x59/0xb0
[ 60.285322]  device_add+0xad2/0x16e0
[ 60.289028]  ? get_device_parent.isra.0+0x560/0x560
[ 60.294049]  usb_new_device.cold+0x537/0xccf
[ 60.298462]  hub_event+0x138e/0x3b00
[ 60.302182]  ? hub_port_debounce+0x350/0x350
[ 60.306631]  ? _raw_spin_unlock_irq+0x29/0x40
[ 60.311290]  process_one_work+0x90f/0x1580
[ 60.315963]  ? wq_pool_ids_show+0x300/0x300
[ 60.320279]  ? do_raw_spin_lock+0x11f/0x290
[ 60.324589]  worker_thread+0x9b/0xe20
[ 60.328389]  ? process_one_work+0x1580/0x1580
[ 60.332874]  kthread+0x313/0x420
[ 60.336229]  ? kthread_park+0x1a0/0x1a0
[ 60.340190]  ret_from_fork+0x3a/0x50
[ 60.344029]
[ 60.345636] Allocated by task 4121:
[ 60.349248]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 60.354165]  __seq_open_private+0x25/0xd0
[ 60.358567]  seq_open_private+0x26/0x40
[ 60.362533]  mounts_open_common+0x216/0x500
[ 60.366834]  do_dentry_open+0x49c/0x1130
[ 60.370887]  path_openat+0x147d/0x40b0
[ 60.374764]  do_filp_open+0x1a6/0x280
[ 60.378672]  do_sys_open+0x3c5/0x590
[ 60.382372]  do_syscall_64+0xcf/0x4f0
[ 60.386163]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.391329]
[ 60.392933] Freed by task 4121:
[ 60.396199]  __kasan_slab_free+0x130/0x180
[ 60.400423]  slab_free_freelist_hook+0x5e/0x140
[ 60.405078]  kfree+0xce/0x290
[ 60.408163]  seq_release_private+0x6a/0x130
[ 60.412465]  __fput+0x2df/0x8c0
[ 60.415737]  task_work_run+0x149/0x1c0
[ 60.419617]  exit_to_usermode_loop+0x243/0x270
[ 60.424189]  do_syscall_64+0x40c/0x4f0
[ 60.428062]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.433330]
[ 60.434939] The buggy address belongs to the object at ffff88809c7fef60
[ 60.434939]  which belongs to the cache kmalloc-64 of size 64
[ 60.447407] The buggy address is located 34 bytes inside of
[ 60.447407]  64-byte region [ffff88809c7fef60, ffff88809c7fefa0)
[ 60.459087] The buggy address belongs to the page:
[ 60.464057] page:ffffea000271ff80 count:1 mapcount:0 mapping:ffff88812c3f5600 index:0x0
[ 60.472187] flags: 0xfff00000000200(slab)
[ 60.476321] raw: 00fff00000000200 ffffea0002829900 0000000200000002 ffff88812c3f5600
[ 60.484255] raw: 0000000000000000 00000000002a002a 00000001ffffffff 0000000000000000
[ 60.492273] page dumped because: kasan: bad access detected
[ 60.497967]
[ 60.499646] Memory state around the buggy address:
[ 60.504566]  ffff88809c7fee80: fc fc fc fc 00 00 00 00 00 fc fc fc fc fc fc fc
[ 60.511956]  ffff88809c7fef00: 00 00 00 00 00 00 fc fc fc fc fc fc fb fb fb fb
[ 60.519471] >ffff88809c7fef80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 60.526823]                    ^
[ 60.530180]  ffff88809c7ff000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 60.537527]  ffff88809c7ff080: 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00 00
[ 60.544925] ==================================================================
[ 60.552301] Disabling lock debugging due to kernel taint
[ 60.557898] Kernel panic - not syncing: panic_on_warn set ...
[ 60.563783] CPU: 1 PID: 21 Comm: kworker/1:1 Tainted: G B 5.1.0-rc4-319354-g9a33b36 #3
[ 60.573485] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.582910] Workqueue: usb_hub_wq hub_event
[ 60.587223] Call Trace:
[ 60.589926]  dump_stack+0xe8/0x16e
[ 60.593559]  panic+0x29d/0x5f2
[ 60.596743]  ? __warn_printk+0xf8/0xf8
[ 60.600664]  ? retint_kernel+0x10/0x10
[ 60.604643]  ? trace_hardirqs_on+0x55/0x1c0
[ 60.609056]  ? ds_probe+0x604/0x760
[ 60.612678]  end_report+0x48/0x4e
[ 60.616130]  ? ds_probe+0x604/0x760
[ 60.619742]  kasan_report.cold+0xd/0x3c
[ 60.623708]  ? ds_probe+0x604/0x760
[ 60.627325]  ds_probe+0x604/0x760
[ 60.630869]  usb_probe_interface+0x31d/0x820
[ 60.635392]  ? usb_probe_device+0x150/0x150
[ 60.639703]  really_probe+0x2da/0xb10
[ 60.643586]  driver_probe_device+0x21d/0x350
[ 60.647977]  __device_attach_driver+0x1d8/0x290
[ 60.652731]  ? driver_allows_async_probing+0x160/0x160
[ 60.658184]  bus_for_each_drv+0x163/0x1e0
[ 60.662408]  ? bus_rescan_devices+0x30/0x30
[ 60.666781]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 60.671874]  ? lockdep_hardirqs_on+0x37e/0x580
[ 60.676439]  __device_attach+0x223/0x3a0
[ 60.680582]  ? device_bind_driver+0xe0/0xe0
[ 60.684895]  ? kobject_uevent_env+0x295/0x13d0
[ 60.689472]  bus_probe_device+0x1f1/0x2a0
[ 60.693792]  ? blocking_notifier_call_chain+0x59/0xb0
[ 60.699021]  device_add+0xad2/0x16e0
[ 60.702728]  ? get_device_parent.isra.0+0x560/0x560
[ 60.708089]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 60.713187]  usb_set_configuration+0xdf7/0x1740
[ 60.717925]  generic_probe+0xa2/0xda
[ 60.721632]  usb_probe_device+0xc0/0x150
[ 60.725725]  ? usb_suspend+0x5f0/0x5f0
[ 60.729622]  really_probe+0x2da/0xb10
[ 60.733427]  driver_probe_device+0x21d/0x350
[ 60.737820]  __device_attach_driver+0x1d8/0x290
[ 60.742476]  ? driver_allows_async_probing+0x160/0x160
[ 60.748001]  bus_for_each_drv+0x163/0x1e0
[ 60.752143]  ? bus_rescan_devices+0x30/0x30
[ 60.756541]  ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 60.761792]  ? lockdep_hardirqs_on+0x37e/0x580
[ 60.766779]  __device_attach+0x223/0x3a0
[ 60.771091]  ? device_bind_driver+0xe0/0xe0
[ 60.775407]  ? kobject_uevent_env+0x295/0x13d0
[ 60.780129]  bus_probe_device+0x1f1/0x2a0
[ 60.784271]  ? blocking_notifier_call_chain+0x59/0xb0
[ 60.789449]  device_add+0xad2/0x16e0
[ 60.793474]  ? get_device_parent.isra.0+0x560/0x560
[ 60.799909]  usb_new_device.cold+0x537/0xccf
[ 60.804762]  hub_event+0x138e/0x3b00
[ 60.808854]  ? hub_port_debounce+0x350/0x350
[ 60.813348]  ? _raw_spin_unlock_irq+0x29/0x40
[ 60.817937]  process_one_work+0x90f/0x1580
[ 60.822312]  ? wq_pool_ids_show+0x300/0x300
[ 60.826795]  ? do_raw_spin_lock+0x11f/0x290
[ 60.831164]  worker_thread+0x9b/0xe20
[ 60.834966]  ? process_one_work+0x1580/0x1580
[ 60.839492]  kthread+0x313/0x420
[ 60.842856]  ? kthread_park+0x1a0/0x1a0
[ 60.846821]  ret_from_fork+0x3a/0x50
[ 60.851291] Kernel Offset: disabled
[ 60.854917] Rebooting in 86400 seconds..