[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.110' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 69.382369][ T3456] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 69.662325][ T3456] usb 1-1: Using ep0 maxpacket: 8
[ 69.842524][ T3456] usb 1-1: unable to get BOS descriptor or descriptor too short
[ 69.942564][ T3456] usb 1-1: config 64 has an invalid interface number: 138 but max is 1
[ 69.951079][ T3456] usb 1-1: config 64 contains an unexpected descriptor of type 0x1, skipping
[ 69.960481][ T3456] usb 1-1: config 64 has an invalid interface association descriptor of length 2, skipping
[ 69.971048][ T3456] usb 1-1: config 64 has an invalid interface number: 149 but max is 1
[ 69.980706][ T3456] usb 1-1: config 64 contains an unexpected descriptor of type 0x1, skipping
[ 69.990147][ T3456] usb 1-1: config 64 has no interface number 0
[ 69.996993][ T3456] usb 1-1: config 64 has no interface number 1
[ 70.003798][ T3456] usb 1-1: config 64 interface 138 altsetting 1 endpoint 0x8 has invalid maxpacket 1935, setting to 1024
[ 70.016289][ T3456] usb 1-1: config 64 interface 138 altsetting 1 bulk endpoint 0x82 has invalid maxpacket 1024
[ 70.027573][ T3456] usb 1-1: config 64 interface 138 altsetting 1 has an invalid endpoint with address 0x80, skipping
[ 70.039251][ T3456] usb 1-1: config 64 interface 138 altsetting 1 has an invalid endpoint with address 0x80, skipping
[ 70.050720][ T3456] usb 1-1: config 64 interface 138 altsetting 1 endpoint 0x7 has an invalid bInterval 63, changing to 7
[ 70.062470][ T3456] usb 1-1: config 64 interface 138 altsetting 1 endpoint 0x1 has invalid maxpacket 1024, setting to 64
[ 70.074058][ T3456] usb 1-1: config 64 interface 138 altsetting 1 has a duplicate endpoint with address 0x8, skipping
[ 70.085361][ T3456] usb 1-1: config 64 interface 149 altsetting 5 has an invalid endpoint with address 0x80, skipping
[ 70.096651][ T3456] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0x6, skipping
[ 70.108095][ T3456] usb 1-1: config 64 interface 149 altsetting 5 endpoint 0xC has invalid maxpacket 512, setting to 64
[ 70.120190][ T3456] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0xD, skipping
[ 70.131662][ T3456] usb 1-1: config 64 interface 149 altsetting 5 has an invalid endpoint with address 0xFC, skipping
[ 70.143478][ T3456] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0x8, skipping
[ 70.155283][ T3456] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0xE, skipping
[ 70.166661][ T3456] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0x8, skipping
[ 70.177996][ T3456] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0xC, skipping
[ 70.189129][ T3456] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0x2, skipping
[ 70.200181][ T3456] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0x7, skipping
[ 70.211666][ T3456] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0x2, skipping
[ 70.222682][ T3456] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0x1, skipping
[ 70.233708][ T3456] usb 1-1: config 64 interface 149 altsetting 5 has a duplicate endpoint with address 0x6, skipping
[ 70.245168][ T3456] usb 1-1: config 64 interface 138 has no altsetting 0
[ 70.252041][ T3456] usb 1-1: config 64 interface 149 has no altsetting 0
[ 70.492466][ T3456] usb 1-1: string descriptor 0 read error: -22
[ 70.498968][ T3456] usb 1-1: New USB device found, idVendor=2040, idProduct=1605, bcdDevice=61.fb
[ 70.509718][ T3456] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 70.565889][ T3456] hub 1-1:64.138: bad descriptor, ignoring hub
[ 70.574744][ T3456] hub: probe of 1-1:64.138 failed with error -5
[ 70.583697][ T3456] em28xx 1-1:64.138: New device @ 480 Mbps (2040:1605, interface 138, class 138)
[ 70.593236][ T3456] em28xx 1-1:64.138: Video interface 138 found: bulk
executing program
[ 70.822635][ T3456] em28xx 1-1:64.138: unknown em28xx chip ID (0)
[ 70.962683][ T3456] em28xx 1-1:64.138: reading from i2c device at 0xa0 failed (error=-5)
[ 70.971665][ T3456] em28xx 1-1:64.138: board has no eeprom
[ 71.092452][ T3456] em28xx 1-1:64.138: Identified as Hauppauge WinTV HVR 930C (card=81)
[ 71.100995][ T3456] em28xx 1-1:64.138: Currently, V4L2 is not supported on this model
[ 71.112064][ T20] em28xx 1-1:64.138: Binding DVB extension
[ 71.118988][ T20] em28xx 1-1:64.138: no endpoint for DVB mode and transfer type 0
[ 71.134844][ T3456] cdc_ether 1-1:64.149: invalid descriptor buffer length
[ 71.142997][ T20] em28xx 1-1:64.138: failed to pre-allocate USB transfer buffers for DVB.
[ 71.156703][ T3456] usb 1-1: bad CDC descriptors
[ 71.169083][ T20] em28xx 1-1:64.138: Registering input extension
[ 71.185632][ T3456] usb 1-1: USB disconnect, device number 2
[ 71.199393][ T3456] em28xx 1-1:64.138: Disconnecting em28xx
[ 71.205889][ T3456] em28xx 1-1:64.138: Closing input extension
[ 71.213001][ T3456] em28xx 1-1:64.138: Freeing device
[ 71.218891][ T3456] ==================================================================
[ 71.228674][ T3456] BUG: KASAN: use-after-free in __list_del_entry_valid+0xcc/0xf0
[ 71.236613][ T3456] Read of size 8 at addr ffff888021aa8258 by task kworker/1:2/3456
[ 71.244700][ T3456]
[ 71.247134][ T3456] CPU: 1 PID: 3456 Comm: kworker/1:2 Not tainted 5.13.0-syzkaller #0
[ 71.255334][ T3456] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.265408][ T3456] Workqueue: usb_hub_wq hub_event
[ 71.270459][ T3456] Call Trace:
[ 71.273741][ T3456] dump_stack_lvl+0xcd/0x134
[ 71.278357][ T3456] print_address_description.constprop.0.cold+0x6c/0x309
[ 71.285582][ T3456] ? __list_del_entry_valid+0xcc/0xf0
[ 71.290974][ T3456] ? __list_del_entry_valid+0xcc/0xf0
[ 71.296976][ T3456] kasan_report.cold+0x83/0xdf
[ 71.301753][ T3456] ? __list_del_entry_valid+0xcc/0xf0
[ 71.307131][ T3456] __list_del_entry_valid+0xcc/0xf0
[ 71.312581][ T3456] em28xx_close_extension+0x10b/0x2a0
[ 71.318494][ T3456] em28xx_usb_disconnect.cold+0x14b/0x237
[ 71.324851][ T3456] usb_unbind_interface+0x1d8/0x8d0
[ 71.330220][ T3456] ? __sanitizer_cov_trace_cmp4+0x1c/0x70
[ 71.336065][ T3456] ? kernfs_remove_by_name_ns+0x62/0xb0
[ 71.341821][ T3456] ? usb_unbind_device+0x1a0/0x1a0
[ 71.347031][ T3456] __device_release_driver+0x3bd/0x6f0
[ 71.352589][ T3456] device_release_driver+0x26/0x40
[ 71.357700][ T3456] bus_remove_device+0x2eb/0x5a0
[ 71.362649][ T3456] device_del+0x502/0xd40
[ 71.367073][ T3456] ? __device_links_queue_sync_state+0x3f0/0x3f0
[ 71.373421][ T3456] ? kobject_put+0x1f3/0x540
[ 71.378108][ T3456] usb_disable_device+0x35b/0x7b0
[ 71.383230][ T3456] usb_disconnect.cold+0x27a/0x78e
[ 71.388353][ T3456] hub_event+0x1c9c/0x4330
[ 71.392879][ T3456] ? hub_port_debounce+0x3c0/0x3c0
[ 71.398142][ T3456] ? lock_release+0x720/0x720
[ 71.402956][ T3456] ? lock_downgrade+0x6e0/0x6e0
[ 71.407875][ T3456] ? do_raw_spin_lock+0x120/0x2b0
[ 71.413531][ T3456] process_one_work+0x98d/0x1630
[ 71.418659][ T3456] ? pwq_dec_nr_in_flight+0x320/0x320
[ 71.425127][ T3456] ? rwlock_bug.part.0+0x90/0x90
[ 71.430264][ T3456] ? _raw_spin_lock_irq+0x41/0x50
[ 71.435616][ T3456] worker_thread+0x85c/0x11f0
[ 71.440902][ T3456] ? process_one_work+0x1630/0x1630
[ 71.446219][ T3456] kthread+0x3e5/0x4d0
[ 71.450639][ T3456] ? set_kthread_struct+0x130/0x130
[ 71.456011][ T3456] ret_from_fork+0x1f/0x30
[ 71.461022][ T3456]
[ 71.463510][ T3456] The buggy address belongs to the page:
[ 71.469509][ T3456] page:ffffea000086aa00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21aa8
[ 71.480189][ T3456] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 71.487563][ T3456] raw: 00fff00000000000 ffffea0000ac0d08 ffff8880b9d3b288 0000000000000000
[ 71.496153][ T3456] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 71.504915][ T3456] page dumped because: kasan: bad access detected
[ 71.511341][ T3456] page_owner tracks the page as freed
[ 71.516784][ T3456] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 3456, ts 70583523123, free_ts 71218691485
[ 71.533077][ T3456] get_page_from_freelist+0xa72/0x2f80
[ 71.538745][ T3456] __alloc_pages+0x1b2/0x500
[ 71.543599][ T3456] alloc_pages+0x18c/0x2a0
[ 71.548203][ T3456] kmalloc_order+0x34/0xf0
[ 71.552723][ T3456] kmalloc_order_trace+0x14/0x120
[ 71.557922][ T3456] em28xx_usb_probe+0x1f7/0xd00
[ 71.562796][ T3456] usb_probe_interface+0x315/0x7f0
[ 71.568014][ T3456] really_probe+0x291/0xf60
[ 71.572875][ T3456] driver_probe_device+0x298/0x410
[ 71.578189][ T3456] __device_attach_driver+0x203/0x2c0
[ 71.584019][ T3456] bus_for_each_drv+0x15f/0x1e0
[ 71.590257][ T3456] __device_attach+0x228/0x4a0
[ 71.595044][ T3456] bus_probe_device+0x1e4/0x290
[ 71.599908][ T3456] device_add+0xbe0/0x2100
[ 71.604618][ T3456] usb_set_configuration+0x113f/0x1910
[ 71.610165][ T3456] usb_generic_driver_probe+0xba/0x100
[ 71.615652][ T3456] page last free stack trace:
[ 71.620315][ T3456] free_pcp_prepare+0x2c5/0x780
[ 71.625165][ T3456] free_unref_page+0x19/0x690
[ 71.630124][ T3456] kref_put.constprop.0.isra.0+0x3d/0x7e
[ 71.635845][ T3456] em28xx_ir_fini.cold+0x7c/0x120
[ 71.641060][ T3456] em28xx_close_extension+0xc9/0x2a0
[ 71.646349][ T3456] em28xx_usb_disconnect.cold+0x14b/0x237
[ 71.652156][ T3456] usb_unbind_interface+0x1d8/0x8d0
[ 71.657533][ T3456] __device_release_driver+0x3bd/0x6f0
[ 71.663095][ T3456] device_release_driver+0x26/0x40
[ 71.668223][ T3456] bus_remove_device+0x2eb/0x5a0
[ 71.673240][ T3456] device_del+0x502/0xd40
[ 71.677597][ T3456] usb_disable_device+0x35b/0x7b0
[ 71.682616][ T3456] usb_disconnect.cold+0x27a/0x78e
[ 71.687721][ T3456] hub_event+0x1c9c/0x4330
[ 71.692392][ T3456] process_one_work+0x98d/0x1630
[ 71.697605][ T3456] worker_thread+0x85c/0x11f0
[ 71.702280][ T3456]
[ 71.704594][ T3456] Memory state around the buggy address:
[ 71.710734][ T3456] ffff888021aa8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 71.718799][ T3456] ffff888021aa8180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 71.726979][ T3456] >ffff888021aa8200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 71.735112][ T3456] ^
[ 71.742143][ T3456] ffff888021aa8280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 71.750196][ T3456] ffff888021aa8300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 71.758435][ T3456] ==================================================================
[ 71.766486][ T3456] Disabling lock debugging due to kernel taint
[ 71.773246][ T3456] Kernel panic - not syncing: panic_on_warn set ...
[ 71.779838][ T3456] CPU: 1 PID: 3456 Comm: kworker/1:2 Tainted: G B 5.13.0-syzkaller #0
[ 71.789500][ T3456] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.799684][ T3456] Workqueue: usb_hub_wq hub_event
[ 71.804705][ T3456] Call Trace:
[ 71.808088][ T3456] dump_stack_lvl+0xcd/0x134
[ 71.812800][ T3456] panic+0x306/0x73d
[ 71.816688][ T3456] ? __warn_printk+0xf3/0xf3
[ 71.821286][ T3456] ? preempt_schedule_common+0x59/0xc0
[ 71.826822][ T3456] ? __list_del_entry_valid+0xcc/0xf0
[ 71.832199][ T3456] ? preempt_schedule_thunk+0x16/0x18
[ 71.837686][ T3456] ? trace_hardirqs_on+0x38/0x1c0
[ 71.842790][ T3456] ? trace_hardirqs_on+0x51/0x1c0
[ 71.847804][ T3456] ? __list_del_entry_valid+0xcc/0xf0
[ 71.853167][ T3456] ? __list_del_entry_valid+0xcc/0xf0
[ 71.858617][ T3456] end_report.cold+0x5a/0x5a
[ 71.863289][ T3456] kasan_report.cold+0x71/0xdf
[ 71.868046][ T3456] ? __list_del_entry_valid+0xcc/0xf0
[ 71.873414][ T3456] __list_del_entry_valid+0xcc/0xf0
[ 71.879560][ T3456] em28xx_close_extension+0x10b/0x2a0
[ 71.884932][ T3456] em28xx_usb_disconnect.cold+0x14b/0x237
[ 71.890648][ T3456] usb_unbind_interface+0x1d8/0x8d0
[ 71.895840][ T3456] ? __sanitizer_cov_trace_cmp4+0x1c/0x70
[ 71.902025][ T3456] ? kernfs_remove_by_name_ns+0x62/0xb0
[ 71.907670][ T3456] ? usb_unbind_device+0x1a0/0x1a0
[ 71.912784][ T3456] __device_release_driver+0x3bd/0x6f0
[ 71.918242][ T3456] device_release_driver+0x26/0x40
[ 71.923344][ T3456] bus_remove_device+0x2eb/0x5a0
[ 71.928501][ T3456] device_del+0x502/0xd40
[ 71.933018][ T3456] ? __device_links_queue_sync_state+0x3f0/0x3f0
[ 71.939367][ T3456] ? kobject_put+0x1f3/0x540
[ 71.943951][ T3456] usb_disable_device+0x35b/0x7b0
[ 71.948968][ T3456] usb_disconnect.cold+0x27a/0x78e
[ 71.954102][ T3456] hub_event+0x1c9c/0x4330
[ 71.959257][ T3456] ? hub_port_debounce+0x3c0/0x3c0
[ 71.964470][ T3456] ? lock_release+0x720/0x720
[ 71.969338][ T3456] ? lock_downgrade+0x6e0/0x6e0
[ 71.974277][ T3456] ? do_raw_spin_lock+0x120/0x2b0
[ 71.979457][ T3456] process_one_work+0x98d/0x1630
[ 71.984503][ T3456] ? pwq_dec_nr_in_flight+0x320/0x320
[ 71.990310][ T3456] ? rwlock_bug.part.0+0x90/0x90
[ 71.995421][ T3456] ? _raw_spin_lock_irq+0x41/0x50
[ 72.000633][ T3456] worker_thread+0x85c/0x11f0
[ 72.005759][ T3456] ? process_one_work+0x1630/0x1630
[ 72.011220][ T3456] kthread+0x3e5/0x4d0
[ 72.015815][ T3456] ? set_kthread_struct+0x130/0x130
[ 72.021265][ T3456] ret_from_fork+0x1f/0x30
[ 72.027429][ T3456] Kernel Offset: disabled
[ 72.031787][ T3456] Rebooting in 86400 seconds..