INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.3' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 27.435827][ T94] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 27.645826][ T94] usb 1-1: config 0 has an invalid interface number: 130 but max is 0
[ 27.654152][ T94] usb 1-1: config 0 has no interface number 0
[ 27.660315][ T94] usb 1-1: config 0 interface 130 altsetting 0 endpoint 0x83 has an invalid bInterval 0, changing to 7
[ 27.671389][ T94] usb 1-1: New USB device found, idVendor=2040, idProduct=8265, bcdDevice=f3.4a
[ 27.680488][ T94] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 27.689553][ T94] usb 1-1: config 0 descriptor??
[ 27.728264][ T94] em28xx 1-1:0.130: New device @ 480 Mbps (2040:8265, interface 130, class 130)
[ 27.737653][ T94] em28xx 1-1:0.130: Audio interface 130 found (Vendor Class)
executing program
[ 27.965933][ T94] em28xx 1-1:0.130: unknown em28xx chip ID (0)
[ 27.985818][ T94] em28xx 1-1:0.130: Config register raw data: 0xfffffffb
[ 28.005832][ T94] em28xx 1-1:0.130: AC97 chip type couldn't be determined
[ 28.012972][ T94] em28xx 1-1:0.130: No AC97 audio processor
[ 28.018964][ T94] em28xx 1-1:0.130: We currently don't support analog TV or stream capture on dual tuners.
[ 28.155826][ T94] em28xx 1-1:0.130: unknown em28xx chip ID (0)
[ 28.175800][ T94] em28xx 1-1:0.130: Config register raw data: 0xfffffffb
[ 28.195811][ T94] em28xx 1-1:0.130: AC97 chip type couldn't be determined
[ 28.202960][ T94] em28xx 1-1:0.130: No AC97 audio processor
[ 28.448590][ T94] usb 1-1: USB disconnect, device number 2
[ 28.455640][ T94] em28xx 1-1:0.130: Disconnecting em28xx #1
[ 28.461604][ T94] em28xx 1-1:0.130: Disconnecting em28xx
[ 28.469108][ T94] em28xx 1-1:0.130: Freeing device
[ 28.474464][ T94] em28xx 1-1:0.130: Freeing device
[ 28.825762][ T94] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 29.035815][ T94] usb 1-1: config 0 has an invalid interface number: 130 but max is 0
[ 29.044071][ T94] usb 1-1: config 0 has no interface number 0
[ 29.050232][ T94] usb 1-1: config 0 interface 130 altsetting 0 endpoint 0x83 has an invalid bInterval 0, changing to 7
[ 29.061343][ T94] usb 1-1: New USB device found, idVendor=2040, idProduct=8265, bcdDevice=f3.4a
[ 29.070406][ T94] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 29.079307][ T94] usb 1-1: config 0 descriptor??
[ 29.117532][ T94] em28xx 1-1:0.130: New device @ 480 Mbps (2040:8265, interface 130, class 130)
[ 29.126857][ T94] em28xx 1-1:0.130: Audio interface 130 found (Vendor Class)
executing program
[ 29.355913][ T94] em28xx 1-1:0.130: unknown em28xx chip ID (0)
[ 29.375819][ T94] em28xx 1-1:0.130: Config register raw data: 0xfffffffb
[ 29.395799][ T94] em28xx 1-1:0.130: AC97 chip type couldn't be determined
[ 29.402927][ T94] em28xx 1-1:0.130: No AC97 audio processor
[ 29.409052][ T94] ==================================================================
[ 29.417374][ T94] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 29.424563][ T94] Read of size 8 at addr ffff8881cd9ac240 by task kworker/1:2/94
[ 29.432848][ T94]
[ 29.435291][ T94] CPU: 1 PID: 94 Comm: kworker/1:2 Not tainted 5.5.0-syzkaller #0
[ 29.443482][ T94] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.454001][ T94] Workqueue: usb_hub_wq hub_event
[ 29.459138][ T94] Call Trace:
[ 29.462434][ T94] dump_stack+0xef/0x16e
[ 29.467586][ T94] ? __list_add_valid+0x93/0xa0
[ 29.472621][ T94] ? __list_add_valid+0x93/0xa0
[ 29.477860][ T94] print_address_description.constprop.0.cold+0xd3/0x314
[ 29.485233][ T94] ? __list_add_valid+0x93/0xa0
[ 29.490452][ T94] ? __list_add_valid+0x93/0xa0
[ 29.495378][ T94] __kasan_report.cold+0x37/0x77
[ 29.500363][ T94] ? __list_add_valid+0x93/0xa0
[ 29.505301][ T94] kasan_report+0xe/0x20
[ 29.509743][ T94] __list_add_valid+0x93/0xa0
[ 29.514451][ T94] em28xx_init_extension+0x44/0x1f0
[ 29.519648][ T94] em28xx_init_dev.isra.0+0xa7b/0x15d8
[ 29.525110][ T94] ? _dev_info+0xd7/0x109
[ 29.529434][ T94] ? em28xx_usb_disconnect.cold+0x284/0x284
[ 29.535461][ T94] ? lockdep_init_map+0x1b0/0x5e0
[ 29.540479][ T94] ? lockdep_init_map+0x1b0/0x5e0
[ 29.545502][ T94] em28xx_usb_probe.cold+0xcac/0x2515
[ 29.550970][ T94] usb_probe_interface+0x310/0x800
[ 29.556210][ T94] ? usb_probe_device+0x140/0x140
[ 29.561231][ T94] really_probe+0x290/0xac0
[ 29.565754][ T94] driver_probe_device+0x223/0x350
[ 29.570863][ T94] __device_attach_driver+0x1d1/0x290
[ 29.576231][ T94] ? driver_allows_async_probing+0x160/0x160
[ 29.582609][ T94] bus_for_each_drv+0x162/0x1e0
[ 29.587576][ T94] ? bus_rescan_devices+0x20/0x20
[ 29.592606][ T94] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 29.598709][ T94] ? lockdep_hardirqs_on+0x382/0x580
[ 29.604120][ T94] __device_attach+0x217/0x390
[ 29.609030][ T94] ? device_bind_driver+0xd0/0xd0
[ 29.614261][ T94] bus_probe_device+0x1e4/0x290
[ 29.619108][ T94] device_add+0x1459/0x1bf0
[ 29.623873][ T94] ? wait_for_completion+0x3c0/0x3c0
[ 29.629235][ T94] ? device_link_remove+0x110/0x110
[ 29.634486][ T94] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 29.640281][ T94] usb_set_configuration+0xe47/0x17d0
[ 29.645680][ T94] generic_probe+0x9d/0xd5
[ 29.650135][ T94] usb_probe_device+0xaf/0x140
[ 29.654900][ T94] ? usb_suspend+0x5f0/0x5f0
[ 29.659512][ T94] really_probe+0x290/0xac0
[ 29.664020][ T94] driver_probe_device+0x223/0x350
[ 29.669796][ T94] __device_attach_driver+0x1d1/0x290
[ 29.675179][ T94] ? driver_allows_async_probing+0x160/0x160
[ 29.681165][ T94] bus_for_each_drv+0x162/0x1e0
[ 29.686374][ T94] ? bus_rescan_devices+0x20/0x20
[ 29.691403][ T94] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 29.697223][ T94] ? lockdep_hardirqs_on+0x382/0x580
[ 29.702512][ T94] __device_attach+0x217/0x390
[ 29.707309][ T94] ? device_bind_driver+0xd0/0xd0
[ 29.712698][ T94] bus_probe_device+0x1e4/0x290
[ 29.717543][ T94] device_add+0x1459/0x1bf0
[ 29.722049][ T94] ? device_link_remove+0x110/0x110
[ 29.727359][ T94] usb_new_device.cold+0x540/0xcd0
[ 29.732686][ T94] hub_event+0x21cb/0x4300
[ 29.737121][ T94] ? hub_port_debounce+0x350/0x350
[ 29.742950][ T94] ? find_held_lock+0x2d/0x110
[ 29.747731][ T94] ? mark_held_locks+0xe0/0xe0
[ 29.752579][ T94] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 29.758316][ T94] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 29.763708][ T94] process_one_work+0x94b/0x1620
[ 29.768745][ T94] ? pwq_dec_nr_in_flight+0x310/0x310
[ 29.774127][ T94] ? do_raw_spin_lock+0x129/0x290
[ 29.779332][ T94] worker_thread+0x7ab/0xe20
[ 29.784145][ T94] ? process_one_work+0x1620/0x1620
[ 29.789347][ T94] kthread+0x318/0x420
[ 29.793443][ T94] ? kthread_create_on_node+0xf0/0xf0
[ 29.798815][ T94] ret_from_fork+0x24/0x30
[ 29.803341][ T94]
[ 29.805661][ T94] Allocated by task 239:
[ 29.809904][ T94] save_stack+0x1b/0x80
[ 29.814125][ T94] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 29.819763][ T94] kmem_cache_alloc+0xd8/0x300
[ 29.824648][ T94] shmem_alloc_inode+0x18/0x40
[ 29.829803][ T94] alloc_inode+0x61/0x1e0
[ 29.834128][ T94] new_inode_pseudo+0x14/0xe0
[ 29.838788][ T94] new_inode+0x1b/0x40
[ 29.842880][ T94] shmem_get_inode+0x84/0x7e0
[ 29.847547][ T94] shmem_mknod+0x5a/0x1f0
[ 29.851874][ T94] lookup_open+0x11b1/0x1910
[ 29.856477][ T94] path_openat+0xe87/0x32a0
[ 29.860967][ T94] do_filp_open+0x192/0x260
[ 29.865926][ T94] do_sys_openat2+0x54c/0x740
[ 29.870600][ T94] do_sys_open+0xc3/0x140
[ 29.875045][ T94] do_syscall_64+0xb6/0x5a0
[ 29.879547][ T94] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 29.886014][ T94]
[ 29.888452][ T94] Freed by task 0:
[ 29.892180][ T94] save_stack+0x1b/0x80
[ 29.897019][ T94] __kasan_slab_free+0x117/0x160
[ 29.902236][ T94] kmem_cache_free+0x9b/0x360
[ 29.906966][ T94] i_callback+0x3f/0x70
[ 29.911163][ T94] rcu_core+0x5ae/0x1b00
[ 29.915420][ T94] __do_softirq+0x21e/0x950
[ 29.919994][ T94]
[ 29.922455][ T94] The buggy address belongs to the object at ffff8881cd9ac000
[ 29.922455][ T94] which belongs to the cache shmem_inode_cache of size 1184
[ 29.937507][ T94] The buggy address is located 576 bytes inside of
[ 29.937507][ T94] 1184-byte region [ffff8881cd9ac000, ffff8881cd9ac4a0)
[ 29.951020][ T94] The buggy address belongs to the page:
[ 29.956953][ T94] page:ffffea0007366b00 refcount:1 mapcount:0 mapping:ffff8881da11d180 index:0x0 compound_mapcount: 0
[ 29.967888][ T94] flags: 0x200000000010200(slab|head)
[ 29.973388][ T94] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da11d180
[ 29.982458][ T94] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 29.991456][ T94] page dumped because: kasan: bad access detected
[ 29.998093][ T94]
[ 30.000472][ T94] Memory state around the buggy address:
[ 30.006296][ T94] ffff8881cd9ac100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.014583][ T94] ffff8881cd9ac180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.022923][ T94] >ffff8881cd9ac200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.031153][ T94] ^
[ 30.037398][ T94] ffff8881cd9ac280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.045496][ T94] ffff8881cd9ac300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.053605][ T94] ==================================================================
[ 30.061669][ T94] Disabling lock debugging due to kernel taint
[ 30.067880][ T94] Kernel panic - not syncing: panic_on_warn set ...
[ 30.074584][ T94] CPU: 1 PID: 94 Comm: kworker/1:2 Tainted: G B 5.5.0-syzkaller #0
[ 30.083762][ T94] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.093817][ T94] Workqueue: usb_hub_wq hub_event
[ 30.098858][ T94] Call Trace:
[ 30.102143][ T94] dump_stack+0xef/0x16e
[ 30.106376][ T94] panic+0x2aa/0x6e1
[ 30.110260][ T94] ? add_taint.cold+0x16/0x16
[ 30.114926][ T94] ? __list_add_valid+0x93/0xa0
[ 30.119766][ T94] ? trace_hardirqs_on+0x55/0x200
[ 30.124786][ T94] ? __list_add_valid+0x93/0xa0
[ 30.129627][ T94] end_report+0x43/0x49
[ 30.133787][ T94] ? __list_add_valid+0x93/0xa0
[ 30.138744][ T94] __kasan_report.cold+0x55/0x77
[ 30.143682][ T94] ? __list_add_valid+0x93/0xa0
[ 30.148571][ T94] kasan_report+0xe/0x20
[ 30.152818][ T94] __list_add_valid+0x93/0xa0
[ 30.157487][ T94] em28xx_init_extension+0x44/0x1f0
[ 30.162724][ T94] em28xx_init_dev.isra.0+0xa7b/0x15d8
[ 30.168330][ T94] ? _dev_info+0xd7/0x109
[ 30.172712][ T94] ? em28xx_usb_disconnect.cold+0x284/0x284
[ 30.178703][ T94] ? lockdep_init_map+0x1b0/0x5e0
[ 30.184605][ T94] ? lockdep_init_map+0x1b0/0x5e0
[ 30.189665][ T94] em28xx_usb_probe.cold+0xcac/0x2515
[ 30.195077][ T94] usb_probe_interface+0x310/0x800
[ 30.200303][ T94] ? usb_probe_device+0x140/0x140
[ 30.205321][ T94] really_probe+0x290/0xac0
[ 30.209820][ T94] driver_probe_device+0x223/0x350
[ 30.215033][ T94] __device_attach_driver+0x1d1/0x290
[ 30.220478][ T94] ? driver_allows_async_probing+0x160/0x160
[ 30.226575][ T94] bus_for_each_drv+0x162/0x1e0
[ 30.231578][ T94] ? bus_rescan_devices+0x20/0x20
[ 30.236619][ T94] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 30.242424][ T94] ? lockdep_hardirqs_on+0x382/0x580
[ 30.247715][ T94] __device_attach+0x217/0x390
[ 30.252484][ T94] ? device_bind_driver+0xd0/0xd0
[ 30.257557][ T94] bus_probe_device+0x1e4/0x290
[ 30.262409][ T94] device_add+0x1459/0x1bf0
[ 30.266898][ T94] ? wait_for_completion+0x3c0/0x3c0
[ 30.272174][ T94] ? device_link_remove+0x110/0x110
[ 30.277367][ T94] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 30.283317][ T94] usb_set_configuration+0xe47/0x17d0
[ 30.288837][ T94] generic_probe+0x9d/0xd5
[ 30.293244][ T94] usb_probe_device+0xaf/0x140
[ 30.297989][ T94] ? usb_suspend+0x5f0/0x5f0
[ 30.302624][ T94] really_probe+0x290/0xac0
[ 30.307192][ T94] driver_probe_device+0x223/0x350
[ 30.312296][ T94] __device_attach_driver+0x1d1/0x290
[ 30.318878][ T94] ? driver_allows_async_probing+0x160/0x160
[ 30.324841][ T94] bus_for_each_drv+0x162/0x1e0
[ 30.329761][ T94] ? bus_rescan_devices+0x20/0x20
[ 30.334772][ T94] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 30.340555][ T94] ? lockdep_hardirqs_on+0x382/0x580
[ 30.345968][ T94] __device_attach+0x217/0x390
[ 30.350738][ T94] ? device_bind_driver+0xd0/0xd0
[ 30.355743][ T94] bus_probe_device+0x1e4/0x290
[ 30.360574][ T94] device_add+0x1459/0x1bf0
[ 30.365118][ T94] ? device_link_remove+0x110/0x110
[ 30.370341][ T94] usb_new_device.cold+0x540/0xcd0
[ 30.375452][ T94] hub_event+0x21cb/0x4300
[ 30.379899][ T94] ? hub_port_debounce+0x350/0x350
[ 30.384995][ T94] ? find_held_lock+0x2d/0x110
[ 30.389744][ T94] ? mark_held_locks+0xe0/0xe0
[ 30.394488][ T94] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 30.400110][ T94] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 30.405379][ T94] process_one_work+0x94b/0x1620
[ 30.410398][ T94] ? pwq_dec_nr_in_flight+0x310/0x310
[ 30.415862][ T94] ? do_raw_spin_lock+0x129/0x290
[ 30.421083][ T94] worker_thread+0x7ab/0xe20
[ 30.425830][ T94] ? process_one_work+0x1620/0x1620
[ 30.431079][ T94] kthread+0x318/0x420
[ 30.435143][ T94] ? kthread_create_on_node+0xf0/0xf0
[ 30.440502][ T94] ret_from_fork+0x24/0x30
[ 30.445855][ T94] Kernel Offset: disabled
[ 30.450197][ T94] Rebooting in 86400 seconds..