[info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 14.414435][ T1658] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 17.038011][ T1693] random: sshd: uninitialized urandom read (32 bytes read) [ 17.110494][ C1] random: crng init done Warning: Permanently added '10.128.0.207' (ECDSA) to the list of known hosts. executing program [ 23.956999][ T101] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 24.197014][ T101] usb 1-1: Using ep0 maxpacket: 16 [ 24.317099][ T101] usb 1-1: config 128 has an invalid interface number: 97 but max is 0 [ 24.325611][ T101] usb 1-1: config 128 has no interface number 0 [ 24.331932][ T101] usb 1-1: config 128 interface 97 altsetting 0 endpoint 0x83 has an invalid bInterval 0, changing to 7 [ 24.343065][ T101] usb 1-1: config 128 interface 97 altsetting 0 endpoint 0x83 has wMaxPacketSize 0, skipping [ 24.353294][ T101] usb 1-1: New USB device found, idVendor=2040, idProduct=0265, bcdDevice=48.e9 [ 24.362623][ T101] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 24.409452][ T101] em28xx 1-1:128.97: New device @ 480 Mbps (2040:0265, interface 97, class 97) [ 24.418713][ T101] em28xx 1-1:128.97: Audio interface 97 found (Vendor Class) executing program [ 24.657088][ T101] em28xx 1-1:128.97: unknown em28xx chip ID (0) [ 24.677048][ T101] em28xx 1-1:128.97: Config register raw data: 0xfffffffb [ 24.697050][ T101] em28xx 1-1:128.97: AC97 chip type couldn't be determined [ 24.704272][ T101] em28xx 1-1:128.97: No AC97 audio processor [ 24.710361][ T101] em28xx 1-1:128.97: We currently don't support analog TV or stream capture on dual tuners. [ 24.847090][ T101] em28xx 1-1:128.97: unknown em28xx chip ID (0) [ 24.867043][ T101] em28xx 1-1:128.97: Config register raw data: 0xfffffffb [ 24.886998][ T101] em28xx 1-1:128.97: AC97 chip type couldn't be determined [ 24.894224][ T101] em28xx 1-1:128.97: No AC97 audio processor [ 25.139844][ T101] usb 1-1: USB disconnect, device number 2 [ 25.147030][ T101] em28xx 1-1:128.97: Disconnecting em28xx #1 [ 25.153136][ T101] em28xx 1-1:128.97: Disconnecting em28xx [ 25.161132][ T101] em28xx 1-1:128.97: Freeing device [ 25.166605][ T101] em28xx 1-1:128.97: Freeing device [ 25.517009][ T101] usb 1-1: new high-speed USB device number 3 using dummy_hcd [ 25.756984][ T101] usb 1-1: Using ep0 maxpacket: 16 [ 25.877301][ T101] usb 1-1: config 128 has an invalid interface number: 97 but max is 0 [ 25.885675][ T101] usb 1-1: config 128 has no interface number 0 [ 25.892015][ T101] usb 1-1: config 128 interface 97 altsetting 0 endpoint 0x83 has an invalid bInterval 0, changing to 7 [ 25.903173][ T101] usb 1-1: config 128 interface 97 altsetting 0 endpoint 0x83 has wMaxPacketSize 0, skipping [ 25.913410][ T101] usb 1-1: New USB device found, idVendor=2040, idProduct=0265, bcdDevice=48.e9 [ 25.922447][ T101] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 25.969059][ T101] em28xx 1-1:128.97: New device @ 480 Mbps (2040:0265, interface 97, class 97) [ 25.978270][ T101] em28xx 1-1:128.97: Audio interface 97 found (Vendor Class) executing program [ 26.217054][ T101] em28xx 1-1:128.97: unknown em28xx chip ID (0) [ 26.237043][ T101] em28xx 1-1:128.97: Config register raw data: 0xfffffffb [ 26.257075][ T101] em28xx 1-1:128.97: AC97 chip type couldn't be determined [ 26.264310][ T101] em28xx 1-1:128.97: No AC97 audio processor [ 26.270602][ T101] ================================================================== [ 26.278781][ T101] BUG: KASAN: use-after-free in __list_add_valid+0xd8/0xf0 [ 26.286315][ T101] Read of size 8 at addr ffff8881d0b70240 by task kworker/1:2/101 [ 26.294286][ T101] [ 26.296609][ T101] CPU: 1 PID: 101 Comm: kworker/1:2 Not tainted 5.4.0-syzkaller #0 [ 26.304473][ T101] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.314540][ T101] Workqueue: usb_hub_wq hub_event [ 26.319543][ T101] Call Trace: [ 26.322826][ T101] dump_stack+0xef/0x16e [ 26.327055][ T101] ? __list_add_valid+0xd8/0xf0 [ 26.331992][ T101] ? __list_add_valid+0xd8/0xf0 [ 26.336827][ T101] print_address_description.constprop.0+0x36/0x50 [ 26.343410][ T101] ? __list_add_valid+0xd8/0xf0 [ 26.348248][ T101] ? __list_add_valid+0xd8/0xf0 [ 26.353083][ T101] __kasan_report.cold+0x1a/0x33 [ 26.358019][ T101] ? __list_add_valid+0xd8/0xf0 [ 26.362849][ T101] kasan_report+0xe/0x20 [ 26.367068][ T101] __list_add_valid+0xd8/0xf0 [ 26.371723][ T101] em28xx_init_extension+0x44/0x1f0 [ 26.377158][ T101] em28xx_init_dev.isra.0+0xa7b/0x15d8 [ 26.382599][ T101] ? _dev_info+0xd7/0x109 [ 26.386908][ T101] ? em28xx_usb_disconnect.cold+0x284/0x284 [ 26.392789][ T101] ? lockdep_init_map+0x1b0/0x5e0 [ 26.398570][ T101] ? lockdep_init_map+0x1b0/0x5e0 [ 26.403571][ T101] em28xx_usb_probe.cold+0xcac/0x2515 [ 26.408921][ T101] usb_probe_interface+0x305/0x7a0 [ 26.414103][ T101] ? usb_probe_device+0x100/0x100 [ 26.419109][ T101] really_probe+0x281/0x6d0 [ 26.423598][ T101] driver_probe_device+0x104/0x210 [ 26.428688][ T101] __device_attach_driver+0x1c2/0x220 [ 26.434035][ T101] ? driver_allows_async_probing+0x160/0x160 [ 26.439986][ T101] bus_for_each_drv+0x162/0x1e0 [ 26.444820][ T101] ? bus_rescan_devices+0x20/0x20 [ 26.449830][ T101] ? _raw_spin_unlock_irqrestore+0x39/0x40 [ 26.455881][ T101] ? lockdep_hardirqs_on+0x382/0x580 [ 26.461166][ T101] __device_attach+0x217/0x360 [ 26.465919][ T101] ? device_bind_driver+0xd0/0xd0 [ 26.470926][ T101] bus_probe_device+0x1e4/0x290 [ 26.475785][ T101] device_add+0x1480/0x1c20 [ 26.480277][ T101] ? wait_for_completion+0x3c0/0x3c0 [ 26.485551][ T101] ? device_links_flush_sync_list+0x350/0x350 [ 26.491682][ T101] ? _raw_spin_unlock_irqrestore+0x39/0x40 [ 26.497472][ T101] usb_set_configuration+0xe67/0x1740 [ 26.502824][ T101] generic_probe+0x9d/0xd5 [ 26.507219][ T101] usb_probe_device+0x99/0x100 [ 26.511966][ T101] ? usb_suspend+0x620/0x620 [ 26.516549][ T101] really_probe+0x281/0x6d0 [ 26.521052][ T101] driver_probe_device+0x104/0x210 [ 26.526152][ T101] __device_attach_driver+0x1c2/0x220 [ 26.531653][ T101] ? driver_allows_async_probing+0x160/0x160 [ 26.537631][ T101] bus_for_each_drv+0x162/0x1e0 [ 26.542554][ T101] ? bus_rescan_devices+0x20/0x20 [ 26.547563][ T101] ? _raw_spin_unlock_irqrestore+0x39/0x40 [ 26.553615][ T101] ? lockdep_hardirqs_on+0x382/0x580 [ 26.558891][ T101] __device_attach+0x217/0x360 [ 26.563647][ T101] ? device_bind_driver+0xd0/0xd0 [ 26.568651][ T101] bus_probe_device+0x1e4/0x290 [ 26.573491][ T101] device_add+0x1480/0x1c20 [ 26.577983][ T101] ? device_links_flush_sync_list+0x350/0x350 [ 26.584025][ T101] usb_new_device.cold+0x6a4/0xe79 [ 26.589123][ T101] hub_event+0x1e59/0x3860 [ 26.593530][ T101] ? hub_port_debounce+0x260/0x260 [ 26.598654][ T101] ? find_held_lock+0x2d/0x110 [ 26.603528][ T101] ? mark_held_locks+0xe0/0xe0 [ 26.608274][ T101] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 26.613808][ T101] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 26.619083][ T101] process_one_work+0x92b/0x1530 [ 26.624029][ T101] ? pwq_dec_nr_in_flight+0x310/0x310 [ 26.629393][ T101] ? do_raw_spin_lock+0x11a/0x280 [ 26.634408][ T101] worker_thread+0x7ab/0xe20 [ 26.638994][ T101] ? process_one_work+0x1530/0x1530 [ 26.644198][ T101] kthread+0x318/0x420 [ 26.648264][ T101] ? kthread_create_on_node+0xf0/0xf0 [ 26.653622][ T101] ret_from_fork+0x24/0x30 [ 26.658011][ T101] [ 26.660318][ T101] Allocated by task 238: [ 26.664544][ T101] save_stack+0x1b/0x80 [ 26.668678][ T101] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 26.674285][ T101] kmem_cache_alloc+0xd8/0x2e0 [ 26.679112][ T101] shmem_alloc_inode+0x18/0x40 [ 26.683852][ T101] alloc_inode+0x61/0x1e0 [ 26.688170][ T101] new_inode_pseudo+0x14/0xe0 [ 26.692833][ T101] new_inode+0x1b/0x40 [ 26.696891][ T101] shmem_get_inode+0x84/0x7e0 [ 26.702648][ T101] shmem_mknod+0x5a/0x1f0 [ 26.706961][ T101] lookup_open+0x11b1/0x1910 [ 26.711529][ T101] path_openat+0x1040/0x4030 [ 26.716126][ T101] do_filp_open+0x1a1/0x280 [ 26.720611][ T101] do_sys_open+0x3c0/0x580 [ 26.725008][ T101] do_syscall_64+0xb7/0x5b0 [ 26.729501][ T101] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 26.735362][ T101] [ 26.737667][ T101] Freed by task 0: [ 26.741365][ T101] save_stack+0x1b/0x80 [ 26.745502][ T101] __kasan_slab_free+0x130/0x180 [ 26.750414][ T101] kmem_cache_free+0xb9/0x370 [ 26.755065][ T101] i_callback+0x3f/0x70 [ 26.759206][ T101] rcu_core+0x62b/0x1ce0 [ 26.763423][ T101] __do_softirq+0x221/0x912 [ 26.767908][ T101] [ 26.770213][ T101] The buggy address belongs to the object at ffff8881d0b70000 [ 26.770213][ T101] which belongs to the cache shmem_inode_cache of size 1184 [ 26.784860][ T101] The buggy address is located 576 bytes inside of [ 26.784860][ T101] 1184-byte region [ffff8881d0b70000, ffff8881d0b704a0) [ 26.798200][ T101] The buggy address belongs to the page: [ 26.803833][ T101] page:ffffea000742dc00 refcount:1 mapcount:0 mapping:ffff8881da51d180 index:0x0 compound_mapcount: 0 [ 26.814766][ T101] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da51d180 [ 26.823334][ T101] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 [ 26.832291][ T101] page dumped because: kasan: bad access detected [ 26.838732][ T101] [ 26.841058][ T101] Memory state around the buggy address: [ 26.846847][ T101] ffff8881d0b70100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.854907][ T101] ffff8881d0b70180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.862959][ T101] >ffff8881d0b70200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.871004][ T101] ^ [ 26.877152][ T101] ffff8881d0b70280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.885190][ T101] ffff8881d0b70300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.893230][ T101] ================================================================== [ 26.901284][ T101] Disabling lock debugging due to kernel taint [ 26.907490][ T101] Kernel panic - not syncing: panic_on_warn set ... [ 26.914089][ T101] CPU: 1 PID: 101 Comm: kworker/1:2 Tainted: G B 5.4.0-syzkaller #0 [ 26.923341][ T101] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.933382][ T101] Workqueue: usb_hub_wq hub_event [ 26.938383][ T101] Call Trace: [ 26.941650][ T101] dump_stack+0xef/0x16e [ 26.945868][ T101] panic+0x2aa/0x6e1 [ 26.949751][ T101] ? add_taint.cold+0x16/0x16 [ 26.954417][ T101] ? __list_add_valid+0xd8/0xf0 [ 26.959242][ T101] ? trace_hardirqs_on+0x55/0x1e0 [ 26.964241][ T101] ? __list_add_valid+0xd8/0xf0 [ 26.969065][ T101] end_report+0x43/0x49 [ 26.973195][ T101] ? __list_add_valid+0xd8/0xf0 [ 26.978018][ T101] __kasan_report.cold+0xd/0x33 [ 26.982852][ T101] ? __list_add_valid+0xd8/0xf0 [ 26.987676][ T101] kasan_report+0xe/0x20 [ 26.991893][ T101] __list_add_valid+0xd8/0xf0 [ 26.996547][ T101] em28xx_init_extension+0x44/0x1f0 [ 27.001723][ T101] em28xx_init_dev.isra.0+0xa7b/0x15d8 [ 27.007156][ T101] ? _dev_info+0xd7/0x109 [ 27.011471][ T101] ? em28xx_usb_disconnect.cold+0x284/0x284 [ 27.017345][ T101] ? lockdep_init_map+0x1b0/0x5e0 [ 27.022373][ T101] ? lockdep_init_map+0x1b0/0x5e0 [ 27.027374][ T101] em28xx_usb_probe.cold+0xcac/0x2515 [ 27.032728][ T101] usb_probe_interface+0x305/0x7a0 [ 27.037813][ T101] ? usb_probe_device+0x100/0x100 [ 27.042832][ T101] really_probe+0x281/0x6d0 [ 27.047327][ T101] driver_probe_device+0x104/0x210 [ 27.052471][ T101] __device_attach_driver+0x1c2/0x220 [ 27.057880][ T101] ? driver_allows_async_probing+0x160/0x160 [ 27.063841][ T101] bus_for_each_drv+0x162/0x1e0 [ 27.068672][ T101] ? bus_rescan_devices+0x20/0x20 [ 27.073675][ T101] ? _raw_spin_unlock_irqrestore+0x39/0x40 [ 27.079457][ T101] ? lockdep_hardirqs_on+0x382/0x580 [ 27.084728][ T101] __device_attach+0x217/0x360 [ 27.089467][ T101] ? device_bind_driver+0xd0/0xd0 [ 27.094469][ T101] bus_probe_device+0x1e4/0x290 [ 27.099298][ T101] device_add+0x1480/0x1c20 [ 27.103810][ T101] ? wait_for_completion+0x3c0/0x3c0 [ 27.109080][ T101] ? device_links_flush_sync_list+0x350/0x350 [ 27.115120][ T101] ? _raw_spin_unlock_irqrestore+0x39/0x40 [ 27.120901][ T101] usb_set_configuration+0xe67/0x1740 [ 27.126247][ T101] generic_probe+0x9d/0xd5 [ 27.130638][ T101] usb_probe_device+0x99/0x100 [ 27.135450][ T101] ? usb_suspend+0x620/0x620 [ 27.140043][ T101] really_probe+0x281/0x6d0 [ 27.144555][ T101] driver_probe_device+0x104/0x210 [ 27.149858][ T101] __device_attach_driver+0x1c2/0x220 [ 27.155215][ T101] ? driver_allows_async_probing+0x160/0x160 [ 27.161188][ T101] bus_for_each_drv+0x162/0x1e0 [ 27.166640][ T101] ? bus_rescan_devices+0x20/0x20 [ 27.171642][ T101] ? _raw_spin_unlock_irqrestore+0x39/0x40 [ 27.177439][ T101] ? lockdep_hardirqs_on+0x382/0x580 [ 27.182722][ T101] __device_attach+0x217/0x360 [ 27.187466][ T101] ? device_bind_driver+0xd0/0xd0 [ 27.192494][ T101] bus_probe_device+0x1e4/0x290 [ 27.197331][ T101] device_add+0x1480/0x1c20 [ 27.201819][ T101] ? device_links_flush_sync_list+0x350/0x350 [ 27.207894][ T101] usb_new_device.cold+0x6a4/0xe79 [ 27.212996][ T101] hub_event+0x1e59/0x3860 [ 27.217414][ T101] ? hub_port_debounce+0x260/0x260 [ 27.222526][ T101] ? find_held_lock+0x2d/0x110 [ 27.227269][ T101] ? mark_held_locks+0xe0/0xe0 [ 27.232010][ T101] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 27.237532][ T101] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 27.242793][ T101] process_one_work+0x92b/0x1530 [ 27.247707][ T101] ? pwq_dec_nr_in_flight+0x310/0x310 [ 27.253319][ T101] ? do_raw_spin_lock+0x11a/0x280 [ 27.258324][ T101] worker_thread+0x7ab/0xe20 [ 27.263325][ T101] ? process_one_work+0x1530/0x1530 [ 27.268498][ T101] kthread+0x318/0x420 [ 27.272548][ T101] ? kthread_create_on_node+0xf0/0xf0 [ 27.277906][ T101] ret_from_fork+0x24/0x30 [ 27.283011][ T101] Kernel Offset: disabled [ 27.287333][ T101] Rebooting in 86400 seconds..