[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 69.659658][ T2959] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 69.899533][ T2959] usb 1-1: Using ep0 maxpacket: 8
[ 70.059630][ T2959] usb 1-1: unable to get BOS descriptor or descriptor too short
[ 70.139909][ T2959] usb 1-1: config 64 has an invalid interface number: 138 but max is 1
[ 70.148402][ T2959] usb 1-1: config 64 contains an unexpected descriptor of type 0x1, skipping
[ 70.157458][ T2959] usb 1-1: config 64 has an invalid interface association descriptor of length 2, skipping
[ 70.167617][ T2959] usb 1-1: config 64 has an invalid interface number: 149 but max is 1
[ 70.176021][ T2959] usb 1-1: config 64 contains an unexpected descriptor of type 0x1, skipping
[ 70.185397][ T2959] usb 1-1: config 64 has no interface number 0
[ 70.191710][ T2959] usb 1-1: config 64 has no interface number 1
[ 70.197927][ T2959] usb 1-1: config 64 interface 138 altsetting 1 endpoint 0x8 has invalid maxpacket 1935, setting to 1024
[ 70.209282][ T2959] usb 1-1: config 64 interface 138 altsetting 1 bulk endpoint 0x82 has invalid maxpacket 1024
[ 70.219648][ T2959] usb 1-1: config 64 interface 138 altsetting 1 has an invalid endpoint with address 0x80, skipping
[ 70.230477][ T2959] usb 1-1: config 64 interface 138 altsetting 1 has an invalid endpoint with address 0x80, skipping
[ 70.241318][ T2959] usb 1-1: config 64 interface 138 altsetting 1 endpoint 0x7 has an invalid bInterval 63, changing to 7
[ 70.252696][ T2959] usb 1-1: config 64 interface 138 altsetting 1 endpoint 0x1 has invalid maxpacket 1024, setting to 64
[ 70.263868][ T2959] usb 1-1: config 64 interface 138 altsetting 1 has a duplicate endpoint with address 0x8, skipping
[ 70.274849][ T2959] usb 1-1: config 64 interface 149 altsetting 5 has an invalid endpoint with address 0x80, skipping
[ 70.285696][ T2959] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0x6, skipping
[ 70.296536][ T2959] usb 1-1: config 64 interface 149 altsetting 5 endpoint 0xC has invalid maxpacket 512, setting to 64
[ 70.307549][ T2959] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0xD, skipping
[ 70.318370][ T2959] usb 1-1: config 64 interface 149 altsetting 5 has an invalid endpoint with address 0xFC, skipping
[ 70.329224][ T2959] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0x8, skipping
[ 70.340090][ T2959] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0xE, skipping
[ 70.350927][ T2959] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0x8, skipping
[ 70.361789][ T2959] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0xC, skipping
[ 70.372625][ T2959] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0x2, skipping
[ 70.383475][ T2959] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0x7, skipping
[ 70.394307][ T2959] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0x2, skipping
[ 70.405194][ T2959] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0x1, skipping
[ 70.416059][ T2959] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0x6, skipping
[ 70.426921][ T2959] usb 1-1: config 64 interface 138 has no altsetting 0
[ 70.433895][ T2959] usb 1-1: config 64 interface 149 has no altsetting 0
[ 70.679626][ T2959] usb 1-1: string descriptor 0 read error: -22
[ 70.685858][ T2959] usb 1-1: New USB device found, idVendor=2040, idProduct=1605, bcdDevice=61.fb
[ 70.696076][ T2959] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 70.754861][ T2959] hub 1-1:64.138: bad descriptor, ignoring hub
[ 70.761340][ T2959] hub: probe of 1-1:64.138 failed with error -5
[ 70.777892][ T2959] em28xx 1-1:64.138: New device @ 480 Mbps (2040:1605, interface 138, class 138)
[ 70.787450][ T2959] em28xx 1-1:64.138: Video interface 138 found: bulk
executing program
[ 71.019645][ T2959] em28xx 1-1:64.138: unknown em28xx chip ID (0)
[ 71.149655][ T2959] em28xx 1-1:64.138: reading from i2c device at 0xa0 failed (error=-5)
[ 71.158366][ T2959] em28xx 1-1:64.138: board has no eeprom
[ 71.279456][ T2959] em28xx 1-1:64.138: Identified as Hauppauge WinTV HVR 930C (card=81)
[ 71.287691][ T2959] em28xx 1-1:64.138: Currently, V4L2 is not supported on this model
[ 71.298344][ T30] em28xx 1-1:64.138: Binding DVB extension
[ 71.305135][ T30] em28xx 1-1:64.138: no endpoint for DVB mode and transfer type 0
[ 71.316810][ T2959] cdc_ether 1-1:64.149: invalid descriptor buffer length
[ 71.329381][ T30] em28xx 1-1:64.138: failed to pre-allocate USB transfer buffers for DVB.
[ 71.337940][ T30] em28xx 1-1:64.138: Registering input extension
[ 71.344405][ T2959] usb 1-1: bad CDC descriptors
[ 71.364986][ T2959] usb 1-1: USB disconnect, device number 2
[ 71.375836][ T2959] em28xx 1-1:64.138: Disconnecting em28xx
[ 71.381857][ T2959] em28xx 1-1:64.138: Closing input extension
[ 71.388034][ T2959] em28xx 1-1:64.138: Freeing device
[ 71.393848][ T2959] ==================================================================
[ 71.402073][ T2959] BUG: KASAN: use-after-free in __list_del_entry_valid+0xcc/0xf0
[ 71.409834][ T2959] Read of size 8 at addr ffff88802a160258 by task kworker/1:2/2959
[ 71.417725][ T2959]
[ 71.420045][ T2959] CPU: 1 PID: 2959 Comm: kworker/1:2 Not tainted 5.14.0-rc6-syzkaller #0
[ 71.428455][ T2959] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.438496][ T2959] Workqueue: usb_hub_wq hub_event
[ 71.443527][ T2959] Call Trace:
[ 71.446803][ T2959] dump_stack_lvl+0xcd/0x134
[ 71.451444][ T2959] print_address_description.constprop.0.cold+0x6c/0x309
[ 71.458484][ T2959] ? __list_del_entry_valid+0xcc/0xf0
[ 71.463843][ T2959] ? __list_del_entry_valid+0xcc/0xf0
[ 71.469205][ T2959] kasan_report.cold+0x83/0xdf
[ 71.473975][ T2959] ? __list_del_entry_valid+0xcc/0xf0
[ 71.479340][ T2959] __list_del_entry_valid+0xcc/0xf0
[ 71.484529][ T2959] em28xx_close_extension+0x10b/0x2a0
[ 71.489898][ T2959] em28xx_usb_disconnect.cold+0x14b/0x237
[ 71.495604][ T2959] usb_unbind_interface+0x1d8/0x8d0
[ 71.500874][ T2959] ? __sanitizer_cov_trace_cmp4+0x1c/0x70
[ 71.506583][ T2959] ? kernfs_remove_by_name_ns+0x62/0xb0
[ 71.512116][ T2959] ? usb_unbind_device+0x1a0/0x1a0
[ 71.517215][ T2959] __device_release_driver+0x3bd/0x6f0
[ 71.522668][ T2959] device_release_driver+0x26/0x40
[ 71.527765][ T2959] bus_remove_device+0x2eb/0x5a0
[ 71.532700][ T2959] device_del+0x502/0xd40
[ 71.537050][ T2959] ? __device_links_queue_sync_state+0x400/0x400
[ 71.543369][ T2959] ? kobject_put+0x1f3/0x540
[ 71.548219][ T2959] usb_disable_device+0x35b/0x7b0
[ 71.553250][ T2959] usb_disconnect.cold+0x27a/0x78e
[ 71.558361][ T2959] hub_event+0x1c9c/0x4330
[ 71.562790][ T2959] ? hub_port_debounce+0x3c0/0x3c0
[ 71.567894][ T2959] ? lock_release+0x720/0x720
[ 71.572567][ T2959] ? lock_downgrade+0x6e0/0x6e0
[ 71.577416][ T2959] ? do_raw_spin_lock+0x120/0x2b0
[ 71.582640][ T2959] process_one_work+0x98d/0x1630
[ 71.587613][ T2959] ? pwq_dec_nr_in_flight+0x320/0x320
[ 71.592977][ T2959] ? rwlock_bug.part.0+0x90/0x90
[ 71.597902][ T2959] ? _raw_spin_lock_irq+0x41/0x50
[ 71.602923][ T2959] worker_thread+0x85c/0x11f0
[ 71.607598][ T2959] ? process_one_work+0x1630/0x1630
[ 71.612791][ T2959] kthread+0x3e5/0x4d0
[ 71.616849][ T2959] ? set_kthread_struct+0x130/0x130
[ 71.622034][ T2959] ret_from_fork+0x1f/0x30
[ 71.626536][ T2959]
[ 71.628842][ T2959] The buggy address belongs to the page:
[ 71.634447][ T2959] page:ffffea0000a85800 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2a160
[ 71.644577][ T2959] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 71.651674][ T2959] raw: 00fff00000000000 ffffea0000b34d08 ffff8880b9d57350 0000000000000000
[ 71.660237][ T2959] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 71.668800][ T2959] page dumped because: kasan: bad access detected
[ 71.675193][ T2959] page_owner tracks the page as freed
[ 71.680537][ T2959] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 2959, ts 70777878849, free_ts 71393667615
[ 71.696142][ T2959] get_page_from_freelist+0xa72/0x2f80
[ 71.701658][ T2959] __alloc_pages+0x1b2/0x500
[ 71.706237][ T2959] alloc_pages+0x18c/0x2a0
[ 71.710684][ T2959] kmalloc_order+0x34/0xf0
[ 71.715088][ T2959] kmalloc_order_trace+0x14/0x120
[ 71.720100][ T2959] em28xx_usb_probe+0x1f7/0xd00
[ 71.725051][ T2959] usb_probe_interface+0x315/0x7f0
[ 71.730247][ T2959] really_probe+0x23c/0xcd0
[ 71.734742][ T2959] __driver_probe_device+0x338/0x4d0
[ 71.740015][ T2959] driver_probe_device+0x4c/0x1a0
[ 71.745034][ T2959] __device_attach_driver+0x20b/0x2f0
[ 71.750443][ T2959] bus_for_each_drv+0x15f/0x1e0
[ 71.755550][ T2959] __device_attach+0x228/0x4a0
[ 71.760300][ T2959] bus_probe_device+0x1e4/0x290
[ 71.765138][ T2959] device_add+0xc2f/0x2180
[ 71.769545][ T2959] usb_set_configuration+0x113f/0x1910
[ 71.774990][ T2959] page last free stack trace:
[ 71.779649][ T2959] free_pcp_prepare+0x2c5/0x780
[ 71.784517][ T2959] free_unref_page+0x19/0x690
[ 71.789192][ T2959] kref_put.constprop.0.isra.0+0x3d/0x7e
[ 71.794822][ T2959] em28xx_ir_fini.cold+0x7c/0x120
[ 71.799832][ T2959] em28xx_close_extension+0xc9/0x2a0
[ 71.805098][ T2959] em28xx_usb_disconnect.cold+0x14b/0x237
[ 71.810801][ T2959] usb_unbind_interface+0x1d8/0x8d0
[ 71.815983][ T2959] __device_release_driver+0x3bd/0x6f0
[ 71.821425][ T2959] device_release_driver+0x26/0x40
[ 71.826521][ T2959] bus_remove_device+0x2eb/0x5a0
[ 71.831440][ T2959] device_del+0x502/0xd40
[ 71.835748][ T2959] usb_disable_device+0x35b/0x7b0
[ 71.840770][ T2959] usb_disconnect.cold+0x27a/0x78e
[ 71.845864][ T2959] hub_event+0x1c9c/0x4330
[ 71.850269][ T2959] process_one_work+0x98d/0x1630
[ 71.855193][ T2959] worker_thread+0x85c/0x11f0
[ 71.859860][ T2959]
[ 71.862168][ T2959] Memory state around the buggy address:
[ 71.867786][ T2959] ffff88802a160100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 71.876487][ T2959] ffff88802a160180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 71.884532][ T2959] >ffff88802a160200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 71.892570][ T2959] ^
[ 71.899482][ T2959] ffff88802a160280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 71.907523][ T2959] ffff88802a160300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 71.915563][ T2959] ==================================================================
[ 71.923599][ T2959] Disabling lock debugging due to kernel taint
[ 71.930024][ T2959] Kernel panic - not syncing: panic_on_warn set ...
[ 71.936610][ T2959] CPU: 1 PID: 2959 Comm: kworker/1:2 Tainted: G B 5.14.0-rc6-syzkaller #0
[ 71.946415][ T2959] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.956463][ T2959] Workqueue: usb_hub_wq hub_event
[ 71.961490][ T2959] Call Trace:
[ 71.964756][ T2959] dump_stack_lvl+0xcd/0x134
[ 71.969348][ T2959] panic+0x306/0x73d
[ 71.973235][ T2959] ? __warn_printk+0xf3/0xf3
[ 71.977815][ T2959] ? preempt_schedule_common+0x59/0xc0
[ 71.983273][ T2959] ? __list_del_entry_valid+0xcc/0xf0
[ 71.988639][ T2959] ? preempt_schedule_thunk+0x16/0x18
[ 71.994007][ T2959] ? trace_hardirqs_on+0x38/0x1c0
[ 71.999072][ T2959] ? trace_hardirqs_on+0x51/0x1c0
[ 72.004092][ T2959] ? __list_del_entry_valid+0xcc/0xf0
[ 72.009455][ T2959] ? __list_del_entry_valid+0xcc/0xf0
[ 72.014823][ T2959] end_report.cold+0x5a/0x5a
[ 72.019415][ T2959] kasan_report.cold+0x71/0xdf
[ 72.024176][ T2959] ? __list_del_entry_valid+0xcc/0xf0
[ 72.029541][ T2959] __list_del_entry_valid+0xcc/0xf0
[ 72.034734][ T2959] em28xx_close_extension+0x10b/0x2a0
[ 72.040099][ T2959] em28xx_usb_disconnect.cold+0x14b/0x237
[ 72.045814][ T2959] usb_unbind_interface+0x1d8/0x8d0
[ 72.051005][ T2959] ? __sanitizer_cov_trace_cmp4+0x1c/0x70
[ 72.056718][ T2959] ? kernfs_remove_by_name_ns+0x62/0xb0
[ 72.062274][ T2959] ? usb_unbind_device+0x1a0/0x1a0
[ 72.067382][ T2959] __device_release_driver+0x3bd/0x6f0
[ 72.072839][ T2959] device_release_driver+0x26/0x40
[ 72.077947][ T2959] bus_remove_device+0x2eb/0x5a0
[ 72.082884][ T2959] device_del+0x502/0xd40
[ 72.087208][ T2959] ? __device_links_queue_sync_state+0x400/0x400
[ 72.093533][ T2959] ? kobject_put+0x1f3/0x540
[ 72.098121][ T2959] usb_disable_device+0x35b/0x7b0
[ 72.103141][ T2959] usb_disconnect.cold+0x27a/0x78e
[ 72.108265][ T2959] hub_event+0x1c9c/0x4330
[ 72.112687][ T2959] ? hub_port_debounce+0x3c0/0x3c0
[ 72.117796][ T2959] ? lock_release+0x720/0x720
[ 72.122471][ T2959] ? lock_downgrade+0x6e0/0x6e0
[ 72.127312][ T2959] ? do_raw_spin_lock+0x120/0x2b0
[ 72.132336][ T2959] process_one_work+0x98d/0x1630
[ 72.137277][ T2959] ? pwq_dec_nr_in_flight+0x320/0x320
[ 72.142649][ T2959] ? rwlock_bug.part.0+0x90/0x90
[ 72.147582][ T2959] ? _raw_spin_lock_irq+0x41/0x50
[ 72.152876][ T2959] worker_thread+0x85c/0x11f0
[ 72.157560][ T2959] ? process_one_work+0x1630/0x1630
[ 72.162759][ T2959] kthread+0x3e5/0x4d0
[ 72.166826][ T2959] ? set_kthread_struct+0x130/0x130
[ 72.172026][ T2959] ret_from_fork+0x1f/0x30
[ 72.177733][ T2959] Kernel Offset: disabled
[ 72.182042][ T2959] Rebooting in 86400 seconds..