[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 43.103178] kauditd_printk_skb: 8 callbacks suppressed [ 43.103187] audit: type=1800 audit(1555312556.081:29): pid=4821 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0 [ 43.128518] audit: type=1800 audit(1555312556.081:30): pid=4821 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.178' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 52.747451] IPVS: ftp: loaded support on port[0] = 21 [ 53.049020] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 53.289031] usb 1-1: Using ep0 maxpacket: 8 [ 53.409018] usb 1-1: config 0 has an invalid interface number: 157 but max is 0 [ 53.416742] usb 1-1: config 0 has no interface number 0 [ 53.422601] usb 1-1: New USB device found, idVendor=04fa, idProduct=2490, bcdDevice=f5.2f [ 53.431123] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 53.440350] usb 1-1: config 0 descriptor?? [ 53.679448] ================================================================== [ 53.687085] BUG: KASAN: use-after-free in ds_probe+0x604/0x760 [ 53.693061] Read of size 1 at addr ffff88821b3f48c2 by task kworker/0:1/12 [ 53.700065] [ 53.701695] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3 [ 53.709662] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 53.719270] Workqueue: usb_hub_wq hub_event [ 53.723691] Call Trace: [ 53.726279] dump_stack+0xe8/0x16e [ 53.729812] ? ds_probe+0x604/0x760 [ 53.733422] ? ds_probe+0x604/0x760 [ 53.737197] print_address_description+0x6c/0x236 [ 53.742048] ? ds_probe+0x604/0x760 [ 53.745762] ? ds_probe+0x604/0x760 [ 53.749373] kasan_report.cold+0x1a/0x3c [ 53.753455] ? ds_probe+0x604/0x760 [ 53.757158] ds_probe+0x604/0x760 [ 53.760674] usb_probe_interface+0x31d/0x820 [ 53.765086] ? usb_probe_device+0x150/0x150 [ 53.769396] really_probe+0x2da/0xb10 [ 53.773184] driver_probe_device+0x21d/0x350 [ 53.777676] __device_attach_driver+0x1d8/0x290 [ 53.782474] ? driver_allows_async_probing+0x160/0x160 [ 53.787861] bus_for_each_drv+0x163/0x1e0 [ 53.792009] ? bus_rescan_devices+0x30/0x30 [ 53.796324] ? _raw_spin_unlock_irqrestore+0x4b/0x60 [ 53.801420] ? lockdep_hardirqs_on+0x37e/0x580 [ 53.806109] __device_attach+0x223/0x3a0 [ 53.810170] ? device_bind_driver+0xe0/0xe0 [ 53.814482] ? kobject_uevent_env+0x295/0x13d0 [ 53.819054] bus_probe_device+0x1f1/0x2a0 [ 53.823191] ? blocking_notifier_call_chain+0x59/0xb0 [ 53.828386] device_add+0xad2/0x16e0 [ 53.832164] ? get_device_parent.isra.0+0x560/0x560 [ 53.837182] ? _raw_spin_unlock_irqrestore+0x4b/0x60 [ 53.842291] usb_set_configuration+0xdf7/0x1740 [ 53.846975] generic_probe+0xa2/0xda [ 53.850677] usb_probe_device+0xc0/0x150 [ 53.854795] ? usb_suspend+0x5f0/0x5f0 [ 53.858678] really_probe+0x2da/0xb10 [ 53.862500] driver_probe_device+0x21d/0x350 [ 53.866894] __device_attach_driver+0x1d8/0x290 [ 53.871546] ? driver_allows_async_probing+0x160/0x160 [ 53.876820] bus_for_each_drv+0x163/0x1e0 [ 53.880965] ? bus_rescan_devices+0x30/0x30 [ 53.885291] ? _raw_spin_unlock_irqrestore+0x4b/0x60 [ 53.890400] ? lockdep_hardirqs_on+0x37e/0x580 [ 53.895136] __device_attach+0x223/0x3a0 [ 53.899190] ? device_bind_driver+0xe0/0xe0 [ 53.903505] ? kobject_uevent_env+0x295/0x13d0 [ 53.908071] bus_probe_device+0x1f1/0x2a0 [ 53.912210] ? blocking_notifier_call_chain+0x59/0xb0 [ 53.917528] device_add+0xad2/0x16e0 [ 53.921249] ? get_device_parent.isra.0+0x560/0x560 [ 53.926332] usb_new_device.cold+0x537/0xccf [ 53.930749] hub_event+0x138e/0x3b00 [ 53.934475] ? hub_port_debounce+0x350/0x350 [ 53.938897] ? _raw_spin_unlock_irq+0x29/0x40 [ 53.943398] process_one_work+0x90f/0x1580 [ 53.947737] ? wq_pool_ids_show+0x300/0x300 [ 53.952044] ? do_raw_spin_lock+0x11f/0x290 [ 53.956361] worker_thread+0x9b/0xe20 [ 53.960171] ? process_one_work+0x1580/0x1580 [ 53.964676] kthread+0x313/0x420 [ 53.968027] ? kthread_park+0x1a0/0x1a0 [ 53.971994] ret_from_fork+0x3a/0x50 [ 53.975708] [ 53.977325] Allocated by task 4976: [ 53.980949] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 53.985925] kobject_get_path+0xb7/0x200 [ 53.989980] kobject_uevent_env+0x23f/0x13d0 [ 53.994395] netdev_queue_update_kobjects+0x306/0x3e0 [ 53.999589] netdev_register_kobject+0x2b1/0x440 [ 54.004338] register_netdevice+0x803/0xf20 [ 54.008645] register_netdev+0x32/0x50 [ 54.012518] vti6_init_net+0x50a/0x810 [ 54.016387] ops_init+0xb7/0x410 [ 54.019732] setup_net+0x2c7/0x700 [ 54.023250] copy_net_ns+0x1de/0x340 [ 54.027070] create_new_namespaces+0x400/0x7b0 [ 54.031641] unshare_nsproxy_namespaces+0xc2/0x200 [ 54.036568] ksys_unshare+0x43e/0x8a0 [ 54.040372] __x64_sys_unshare+0x32/0x40 [ 54.044438] do_syscall_64+0xcf/0x4f0 [ 54.048248] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 54.053428] [ 54.055052] Freed by task 4976: [ 54.058397] __kasan_slab_free+0x130/0x180 [ 54.062712] slab_free_freelist_hook+0x5e/0x140 [ 54.067473] kfree+0xce/0x290 [ 54.070574] kobject_uevent_env+0x287/0x13d0 [ 54.074985] netdev_queue_update_kobjects+0x306/0x3e0 [ 54.080163] netdev_register_kobject+0x2b1/0x440 [ 54.085027] register_netdevice+0x803/0xf20 [ 54.089356] register_netdev+0x32/0x50 [ 54.093337] vti6_init_net+0x50a/0x810 [ 54.097221] ops_init+0xb7/0x410 [ 54.100574] setup_net+0x2c7/0x700 [ 54.104096] copy_net_ns+0x1de/0x340 [ 54.107803] create_new_namespaces+0x400/0x7b0 [ 54.112385] unshare_nsproxy_namespaces+0xc2/0x200 [ 54.117305] ksys_unshare+0x43e/0x8a0 [ 54.121180] __x64_sys_unshare+0x32/0x40 [ 54.125239] do_syscall_64+0xcf/0x4f0 [ 54.129034] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 54.134204] [ 54.135874] The buggy address belongs to the object at ffff88821b3f48a0 [ 54.135874] which belongs to the cache kmalloc-64 of size 64 [ 54.148361] The buggy address is located 34 bytes inside of [ 54.148361] 64-byte region [ffff88821b3f48a0, ffff88821b3f48e0) [ 54.160168] The buggy address belongs to the page: [ 54.165097] page:ffffea00086cfd00 count:1 mapcount:0 mapping:ffff88812c3f5600 index:0x0 [ 54.173238] flags: 0x57ff00000000200(slab) [ 54.177459] raw: 057ff00000000200 dead000000000100 dead000000000200 ffff88812c3f5600 [ 54.185341] raw: 0000000000000000 00000000002a002a 00000001ffffffff 0000000000000000 [ 54.193221] page dumped because: kasan: bad access detected [ 54.199014] [ 54.200621] Memory state around the buggy address: [ 54.205542] ffff88821b3f4780: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb [ 54.212998] ffff88821b3f4800: fb fb fb fb fc fc fc fc 00 00 00 00 00 00 fc fc [ 54.220363] >ffff88821b3f4880: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc [ 54.227714] ^ [ 54.233250] ffff88821b3f4900: 00 00 00 00 00 00 fc fc fc fc fc fc 00 00 00 00 [ 54.240623] ffff88821b3f4980: 00 00 00 fc fc fc fc fc 00 00 00 00 00 00 fc fc [ 54.247977] ================================================================== [ 54.255398] Disabling lock debugging due to kernel taint [ 54.261473] Kernel panic - not syncing: panic_on_warn set ... [ 54.267378] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.1.0-rc4-319354-g9a33b36 #3 [ 54.278585] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 54.287938] Workqueue: usb_hub_wq hub_event [ 54.292373] Call Trace: [ 54.294966] dump_stack+0xe8/0x16e [ 54.298501] panic+0x29d/0x5f2 [ 54.301681] ? __warn_printk+0xf8/0xf8 [ 54.305553] ? retint_kernel+0x10/0x10 [ 54.309513] ? trace_hardirqs_on+0x55/0x1c0 [ 54.313820] ? ds_probe+0x604/0x760 [ 54.317429] end_report+0x48/0x4e [ 54.320878] ? ds_probe+0x604/0x760 [ 54.324489] kasan_report.cold+0xd/0x3c [ 54.328449] ? ds_probe+0x604/0x760 [ 54.332062] ds_probe+0x604/0x760 [ 54.335527] usb_probe_interface+0x31d/0x820 [ 54.340781] ? usb_probe_device+0x150/0x150 [ 54.345296] really_probe+0x2da/0xb10 [ 54.349091] driver_probe_device+0x21d/0x350 [ 54.353490] __device_attach_driver+0x1d8/0x290 [ 54.358146] ? driver_allows_async_probing+0x160/0x160 [ 54.363495] bus_for_each_drv+0x163/0x1e0 [ 54.367643] ? bus_rescan_devices+0x30/0x30 [ 54.372222] ? _raw_spin_unlock_irqrestore+0x4b/0x60 [ 54.377314] ? lockdep_hardirqs_on+0x37e/0x580 [ 54.381890] __device_attach+0x223/0x3a0 [ 54.385951] ? device_bind_driver+0xe0/0xe0 [ 54.390271] ? kobject_uevent_env+0x295/0x13d0 [ 54.394843] bus_probe_device+0x1f1/0x2a0 [ 54.398990] ? blocking_notifier_call_chain+0x59/0xb0 [ 54.404161] device_add+0xad2/0x16e0 [ 54.407861] ? get_device_parent.isra.0+0x560/0x560 [ 54.412876] ? _raw_spin_unlock_irqrestore+0x4b/0x60 [ 54.417966] usb_set_configuration+0xdf7/0x1740 [ 54.422622] generic_probe+0xa2/0xda [ 54.426320] usb_probe_device+0xc0/0x150 [ 54.430360] ? usb_suspend+0x5f0/0x5f0 [ 54.434226] really_probe+0x2da/0xb10 [ 54.438011] driver_probe_device+0x21d/0x350 [ 54.442403] __device_attach_driver+0x1d8/0x290 [ 54.447054] ? driver_allows_async_probing+0x160/0x160 [ 54.452433] bus_for_each_drv+0x163/0x1e0 [ 54.456587] ? bus_rescan_devices+0x30/0x30 [ 54.460893] ? _raw_spin_unlock_irqrestore+0x4b/0x60 [ 54.465977] ? lockdep_hardirqs_on+0x37e/0x580 [ 54.470538] __device_attach+0x223/0x3a0 [ 54.474594] ? device_bind_driver+0xe0/0xe0 [ 54.478905] ? kobject_uevent_env+0x295/0x13d0 [ 54.483471] bus_probe_device+0x1f1/0x2a0 [ 54.487605] ? blocking_notifier_call_chain+0x59/0xb0 [ 54.492789] device_add+0xad2/0x16e0 [ 54.496488] ? get_device_parent.isra.0+0x560/0x560 [ 54.501490] usb_new_device.cold+0x537/0xccf [ 54.505893] hub_event+0x138e/0x3b00 [ 54.509603] ? hub_port_debounce+0x350/0x350 [ 54.514001] ? _raw_spin_unlock_irq+0x29/0x40 [ 54.518499] process_one_work+0x90f/0x1580 [ 54.522720] ? wq_pool_ids_show+0x300/0x300 [ 54.527031] ? do_raw_spin_lock+0x11f/0x290 [ 54.531342] worker_thread+0x9b/0xe20 [ 54.535128] ? process_one_work+0x1580/0x1580 [ 54.539602] kthread+0x313/0x420 [ 54.543046] ? kthread_park+0x1a0/0x1a0 [ 54.547019] ret_from_fork+0x3a/0x50 [ 54.551888] Kernel Offset: disabled [ 54.555508] Rebooting in 86400 seconds..