[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 42.094756] kauditd_printk_skb: 8 callbacks suppressed
[ 42.094766] audit: type=1800 audit(1555454509.423:29): pid=5014 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 42.119915] audit: type=1800 audit(1555454509.433:30): pid=5014 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.147' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 72.197100] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 72.437036] usb 1-1: Using ep0 maxpacket: 8
[ 72.557161] usb 1-1: config 0 has an invalid interface number: 28 but max is 0
[ 72.564659] usb 1-1: config 0 has no interface number 0
[ 72.570158] usb 1-1: New USB device found, idVendor=04fa, idProduct=2490, bcdDevice=74.f9
[ 72.578522] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 72.588263] usb 1-1: config 0 descriptor??
[ 72.827318] ==================================================================
[ 72.834887] BUG: KASAN: slab-out-of-bounds in ds_probe+0x604/0x760
[ 72.841199] Read of size 1 at addr ffff8880a7c45fe2 by task kworker/0:1/12
[ 72.848194]
[ 72.849808] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
[ 72.857839] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.867194] Workqueue: usb_hub_wq hub_event
[ 72.871504] Call Trace:
[ 72.874089] dump_stack+0xe8/0x16e
[ 72.877616] ? ds_probe+0x604/0x760
[ 72.881241] ? ds_probe+0x604/0x760
[ 72.884864] print_address_description+0x6c/0x236
[ 72.889832] ? ds_probe+0x604/0x760
[ 72.893450] ? ds_probe+0x604/0x760
[ 72.897067] kasan_report.cold+0x1a/0x3c
[ 72.901108] ? ds_probe+0x604/0x760
[ 72.904714] ds_probe+0x604/0x760
[ 72.908156] usb_probe_interface+0x31d/0x820
[ 72.912617] ? usb_probe_device+0x150/0x150
[ 72.916929] really_probe+0x2da/0xb10
[ 72.920728] driver_probe_device+0x21d/0x350
[ 72.925123] __device_attach_driver+0x1d8/0x290
[ 72.929782] ? driver_allows_async_probing+0x160/0x160
[ 72.935048] bus_for_each_drv+0x163/0x1e0
[ 72.939194] ? bus_rescan_devices+0x30/0x30
[ 72.943510] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 72.948609] ? lockdep_hardirqs_on+0x37e/0x580
[ 72.953266] __device_attach+0x223/0x3a0
[ 72.957317] ? device_bind_driver+0xe0/0xe0
[ 72.961721] ? kobject_uevent_env+0x295/0x13d0
[ 72.966378] bus_probe_device+0x1f1/0x2a0
[ 72.970518] ? blocking_notifier_call_chain+0x59/0xb0
[ 72.975707] device_add+0xad2/0x16e0
[ 72.979545] ? get_device_parent.isra.0+0x560/0x560
[ 72.984618] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 72.989717] usb_set_configuration+0xdf7/0x1740
[ 72.994379] generic_probe+0xa2/0xda
[ 72.998088] usb_probe_device+0xc0/0x150
[ 73.002144] ? usb_suspend+0x5f0/0x5f0
[ 73.006063] really_probe+0x2da/0xb10
[ 73.009860] driver_probe_device+0x21d/0x350
[ 73.014654] __device_attach_driver+0x1d8/0x290
[ 73.019305] ? driver_allows_async_probing+0x160/0x160
[ 73.024566] bus_for_each_drv+0x163/0x1e0
[ 73.028714] ? bus_rescan_devices+0x30/0x30
[ 73.033030] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 73.038122] ? lockdep_hardirqs_on+0x37e/0x580
[ 73.042687] __device_attach+0x223/0x3a0
[ 73.046726] ? device_bind_driver+0xe0/0xe0
[ 73.051143] ? kobject_uevent_env+0x295/0x13d0
[ 73.055728] bus_probe_device+0x1f1/0x2a0
[ 73.059950] ? blocking_notifier_call_chain+0x59/0xb0
[ 73.065270] device_add+0xad2/0x16e0
[ 73.068978] ? get_device_parent.isra.0+0x560/0x560
[ 73.073994] usb_new_device.cold+0x537/0xccf
[ 73.078386] hub_event+0x138e/0x3b00
[ 73.082100] ? hub_port_debounce+0x350/0x350
[ 73.086509] ? _raw_spin_unlock_irq+0x29/0x40
[ 73.091037] process_one_work+0x90f/0x1580
[ 73.095260] ? wq_pool_ids_show+0x300/0x300
[ 73.099675] ? do_raw_spin_lock+0x11f/0x290
[ 73.104073] worker_thread+0x9b/0xe20
[ 73.108122] ? process_one_work+0x1580/0x1580
[ 73.112598] kthread+0x313/0x420
[ 73.115949] ? kthread_park+0x1a0/0x1a0
[ 73.119924] ret_from_fork+0x3a/0x50
[ 73.124755]
[ 73.126370] Allocated by task 12:
[ 73.129821] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 73.134742] usb_get_configuration+0xc4c/0x32b0
[ 73.139634] usb_new_device+0x2fe/0x450
[ 73.143590] hub_event+0x138e/0x3b00
[ 73.147285] process_one_work+0x90f/0x1580
[ 73.151500] worker_thread+0x9b/0xe20
[ 73.155278] kthread+0x313/0x420
[ 73.158645] ret_from_fork+0x3a/0x50
[ 73.162334]
[ 73.163941] Freed by task 1258:
[ 73.167205] __kasan_slab_free+0x130/0x180
[ 73.171439] slab_free_freelist_hook+0x5e/0x140
[ 73.176091] kfree+0xce/0x290
[ 73.179181] security_task_free+0x9a/0xf0
[ 73.183503] __put_task_struct+0xec/0x4d0
[ 73.187637] delayed_put_task_struct+0x189/0x290
[ 73.192471] rcu_core+0x83b/0x1a80
[ 73.196133] __do_softirq+0x22a/0x8cd
[ 73.199922]
[ 73.201537] The buggy address belongs to the object at ffff8880a7c45f60
[ 73.201537] which belongs to the cache kmalloc-64 of size 64
[ 73.214004] The buggy address is located 66 bytes to the right of
[ 73.214004] 64-byte region [ffff8880a7c45f60, ffff8880a7c45fa0)
[ 73.226210] The buggy address belongs to the page:
[ 73.231134] page:ffffea00029f1140 count:1 mapcount:0 mapping:ffff88812c3f5600 index:0x0
[ 73.239263] flags: 0xfff00000000200(slab)
[ 73.243399] raw: 00fff00000000200 ffffea00025f69c0 0000000500000005 ffff88812c3f5600
[ 73.251365] raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000
[ 73.259227] page dumped because: kasan: bad access detected
[ 73.265028]
[ 73.266644] Memory state around the buggy address:
[ 73.271562]  ffff8880a7c45e80: fc fc fc fc 00 00 00 00 00 00 00 fc fc fc fc fc
[ 73.278919]  ffff8880a7c45f00: fb fb fb fb fb fb fb fb fc fc fc fc 00 00 00 00
[ 73.286268] >ffff8880a7c45f80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 73.293611]                                                        ^
[ 73.300092]  ffff8880a7c46000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 73.307446]  ffff8880a7c46080: 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00 00
[ 73.314910] ==================================================================
[ 73.322250] Disabling lock debugging due to kernel taint
[ 73.327840] Kernel panic - not syncing: panic_on_warn set ...
[ 73.333712] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.1.0-rc4-319354-g9a33b36 #3
[ 73.343053] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.352466] Workqueue: usb_hub_wq hub_event
[ 73.356770] Call Trace:
[ 73.359351] dump_stack+0xe8/0x16e
[ 73.362887] panic+0x29d/0x5f2
[ 73.366068] ? __warn_printk+0xf8/0xf8
[ 73.369949] ? retint_kernel+0x10/0x10
[ 73.373830] ? trace_hardirqs_on+0x55/0x1c0
[ 73.378136] ? ds_probe+0x604/0x760
[ 73.381755] end_report+0x48/0x4e
[ 73.385204] ? ds_probe+0x604/0x760
[ 73.388814] kasan_report.cold+0xd/0x3c
[ 73.392771] ? ds_probe+0x604/0x760
[ 73.396393] ds_probe+0x604/0x760
[ 73.399849] usb_probe_interface+0x31d/0x820
[ 73.404246] ? usb_probe_device+0x150/0x150
[ 73.408556] really_probe+0x2da/0xb10
[ 73.412388] driver_probe_device+0x21d/0x350
[ 73.416788] __device_attach_driver+0x1d8/0x290
[ 73.421459] ? driver_allows_async_probing+0x160/0x160
[ 73.426816] bus_for_each_drv+0x163/0x1e0
[ 73.430948] ? bus_rescan_devices+0x30/0x30
[ 73.435252] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 73.440431] ? lockdep_hardirqs_on+0x37e/0x580
[ 73.444999] __device_attach+0x223/0x3a0
[ 73.449156] ? device_bind_driver+0xe0/0xe0
[ 73.453474] ? kobject_uevent_env+0x295/0x13d0
[ 73.458051] bus_probe_device+0x1f1/0x2a0
[ 73.462193] ? blocking_notifier_call_chain+0x59/0xb0
[ 73.467450] device_add+0xad2/0x16e0
[ 73.471161] ? get_device_parent.isra.0+0x560/0x560
[ 73.476158] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 73.481250] usb_set_configuration+0xdf7/0x1740
[ 73.485906] generic_probe+0xa2/0xda
[ 73.489609] usb_probe_device+0xc0/0x150
[ 73.493659] ? usb_suspend+0x5f0/0x5f0
[ 73.497538] really_probe+0x2da/0xb10
[ 73.501328] driver_probe_device+0x21d/0x350
[ 73.505740] __device_attach_driver+0x1d8/0x290
[ 73.510390] ? driver_allows_async_probing+0x160/0x160
[ 73.515664] bus_for_each_drv+0x163/0x1e0
[ 73.519844] ? bus_rescan_devices+0x30/0x30
[ 73.524164] ? _raw_spin_unlock_irqrestore+0x4b/0x60
[ 73.529258] ? lockdep_hardirqs_on+0x37e/0x580
[ 73.533830] __device_attach+0x223/0x3a0
[ 73.537953] ? device_bind_driver+0xe0/0xe0
[ 73.542262] ? kobject_uevent_env+0x295/0x13d0
[ 73.546838] bus_probe_device+0x1f1/0x2a0
[ 73.550977] ? blocking_notifier_call_chain+0x59/0xb0
[ 73.556161] device_add+0xad2/0x16e0
[ 73.559872] ? get_device_parent.isra.0+0x560/0x560
[ 73.564877] usb_new_device.cold+0x537/0xccf
[ 73.569283] hub_event+0x138e/0x3b00
[ 73.572983] ? hub_port_debounce+0x350/0x350
[ 73.577381] ? _raw_spin_unlock_irq+0x29/0x40
[ 73.581864] process_one_work+0x90f/0x1580
[ 73.586089] ? wq_pool_ids_show+0x300/0x300
[ 73.590501] ? do_raw_spin_lock+0x11f/0x290
[ 73.594821] worker_thread+0x9b/0xe20
[ 73.598612] ? process_one_work+0x1580/0x1580
[ 73.603088] kthread+0x313/0x420
[ 73.606551] ? kthread_park+0x1a0/0x1a0
[ 73.610520] ret_from_fork+0x3a/0x50
[ 73.615088] Kernel Offset: disabled
[ 73.618704] Rebooting in 86400 seconds..