[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.209' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 85.294206][ T37] audit: type=1400 audit(1627458179.614:8): avc: denied { execmem } for pid=8446 comm="syz-executor778" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 85.588459][ T3160] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 85.948425][ T3160] usb 1-1: config 0 has an invalid interface number: 90 but max is 0
[ 85.956804][ T3160] usb 1-1: config 0 has an invalid interface number: 179 but max is 0
[ 85.965474][ T3160] usb 1-1: config 0 has an invalid interface descriptor of length 2, skipping
[ 85.974577][ T3160] usb 1-1: config 0 has 2 interfaces, different from the descriptor's value: 1
[ 85.983769][ T3160] usb 1-1: config 0 has no interface number 0
[ 85.990005][ T3160] usb 1-1: config 0 has no interface number 1
[ 85.996175][ T3160] usb 1-1: config 0 interface 90 altsetting 0 endpoint 0xD has invalid maxpacket 1511, setting to 64
[ 86.007454][ T3160] usb 1-1: config 0 interface 90 altsetting 0 endpoint 0x4 has invalid maxpacket 512, setting to 64
[ 86.018624][ T3160] usb 1-1: config 0 interface 90 altsetting 0 bulk endpoint 0x1 has invalid maxpacket 32
[ 86.028828][ T3160] usb 1-1: config 0 interface 90 altsetting 0 has a duplicate endpoint with address 0x1, skipping
[ 86.039503][ T3160] usb 1-1: config 0 interface 90 altsetting 0 bulk endpoint 0x6 has invalid maxpacket 8
[ 86.049462][ T3160] usb 1-1: config 0 interface 90 altsetting 0 has a duplicate endpoint with address 0xE, skipping
[ 86.060131][ T3160] usb 1-1: config 0 interface 90 altsetting 0 has 9 endpoint descriptors, different from the interface descriptor's value: 12
[ 86.073327][ T3160] usb 1-1: too many endpoints for config 0 interface 179 altsetting 93: 197, using maximum allowed: 30
[ 86.084691][ T3160] usb 1-1: config 0 interface 179 altsetting 93 has 2 endpoint descriptors, different from the interface descriptor's value: 197
[ 86.099869][ T3160] usb 1-1: config 0 interface 179 has no altsetting 0
[ 86.106780][ T3160] usb 1-1: New USB device found, idVendor=0438, idProduct=b002, bcdDevice=9a.d0
[ 86.117965][ T3160] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 86.135192][ T3160] usb 1-1: config 0 descriptor??
executing program
[ 86.418572][ T3160] usb 1-1: string descriptor 0 read error: -71
[ 86.427809][ T3160] em28xx 1-1:0.179: New device @ 480 Mbps (0438:b002, interface 179, class 179)
[ 86.438120][ T3160] em28xx 1-1:0.179: Video interface 179 found:
[ 86.568572][ T3160] em28xx 1-1:0.179: unknown em28xx chip ID (0)
[ 86.788662][ T3160] em28xx 1-1:0.179: reading from i2c device at 0xa0 failed (error=-5)
[ 86.797537][ T3160] em28xx 1-1:0.179: board has no eeprom
[ 86.908243][ T3160] em28xx 1-1:0.179: Identified as AMD ATI TV Wonder HD 600 (card=20)
[ 86.916506][ T3160] em28xx 1-1:0.179: analog set to bulk mode.
[ 86.938298][ T3160] usb 1-1: USB disconnect, device number 2
[ 86.955469][ T3160] em28xx 1-1:0.179: Disconnecting em28xx
[ 86.962908][ T5] em28xx 1-1:0.179: Registering V4L2 extension
[ 87.021288][ T5] em28xx 1-1:0.179: Config register raw data: 0xffffffed
[ 87.028725][ T5] em28xx 1-1:0.179: AC97 chip type couldn't be determined
[ 87.035950][ T5] em28xx 1-1:0.179: No AC97 audio processor
[ 87.046679][ T5] usb 1-1: Decoder not found
[ 87.055416][ T5] em28xx 1-1:0.179: failed to create media graph
[ 87.063065][ T5] em28xx 1-1:0.179: V4L2 device video71 deregistered
[ 87.073817][ T5] em28xx 1-1:0.179: Binding DVB extension
[ 87.081655][ T5] em28xx 1-1:0.179: no endpoint for DVB mode and transfer type 0
[ 87.090786][ T5] em28xx 1-1:0.179: failed to pre-allocate USB transfer buffers for DVB.
[ 87.100703][ T5] em28xx 1-1:0.179: Registering input extension
[ 87.107341][ T3160] em28xx 1-1:0.179: Closing input extension
[ 87.117066][ T3160] em28xx 1-1:0.179: Freeing device
[ 87.123954][ T3160] ==================================================================
[ 87.132593][ T3160] BUG: KASAN: use-after-free in __list_del_entry_valid+0xcc/0xf0
[ 87.140395][ T3160] Read of size 8 at addr ffff888040e68258 by task kworker/0:3/3160
[ 87.148275][ T3160]
[ 87.150627][ T3160] CPU: 0 PID: 3160 Comm: kworker/0:3 Not tainted 5.14.0-rc3-syzkaller #0
[ 87.159033][ T3160] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 87.169260][ T3160] Workqueue: usb_hub_wq hub_event
[ 87.174617][ T3160] Call Trace:
[ 87.177921][ T3160] dump_stack_lvl+0xcd/0x134
[ 87.182541][ T3160] print_address_description.constprop.0.cold+0x6c/0x2d6
[ 87.189570][ T3160] ? __list_del_entry_valid+0xcc/0xf0
[ 87.195023][ T3160] ? __list_del_entry_valid+0xcc/0xf0
[ 87.200396][ T3160] kasan_report.cold+0x83/0xdf
[ 87.205213][ T3160] ? __list_del_entry_valid+0xcc/0xf0
[ 87.210586][ T3160] __list_del_entry_valid+0xcc/0xf0
[ 87.215780][ T3160] em28xx_close_extension+0x10b/0x2a0
[ 87.221143][ T3160] em28xx_usb_disconnect.cold+0x14b/0x237
[ 87.227111][ T3160] usb_unbind_interface+0x1d8/0x8d0
[ 87.232297][ T3160] ? __sanitizer_cov_trace_cmp4+0x1c/0x70
[ 87.238005][ T3160] ? kernfs_remove_by_name_ns+0x62/0xb0
[ 87.243809][ T3160] ? usb_unbind_device+0x1a0/0x1a0
[ 87.249009][ T3160] __device_release_driver+0x3bd/0x6f0
[ 87.254460][ T3160] device_release_driver+0x26/0x40
[ 87.259560][ T3160] bus_remove_device+0x2eb/0x5a0
[ 87.264484][ T3160] device_del+0x502/0xd40
[ 87.268890][ T3160] ? __device_links_queue_sync_state+0x400/0x400
[ 87.275378][ T3160] ? kobject_put+0x1f3/0x540
[ 87.280134][ T3160] usb_disable_device+0x35b/0x7b0
[ 87.285154][ T3160] usb_disconnect.cold+0x27a/0x78e
[ 87.290252][ T3160] hub_event+0x1c9c/0x4330
[ 87.294708][ T3160] ? hub_port_debounce+0x3c0/0x3c0
[ 87.299894][ T3160] ? lock_release+0x720/0x720
[ 87.304561][ T3160] ? lock_downgrade+0x6e0/0x6e0
[ 87.309415][ T3160] ? do_raw_spin_lock+0x120/0x2b0
[ 87.314427][ T3160] process_one_work+0x98d/0x1630
[ 87.319367][ T3160] ? pwq_dec_nr_in_flight+0x320/0x320
[ 87.324831][ T3160] ? rwlock_bug.part.0+0x90/0x90
[ 87.329772][ T3160] ? _raw_spin_lock_irq+0x41/0x50
[ 87.334788][ T3160] worker_thread+0x85c/0x11f0
[ 87.339473][ T3160] ? process_one_work+0x1630/0x1630
[ 87.344758][ T3160] kthread+0x3e5/0x4d0
[ 87.348841][ T3160] ? set_kthread_struct+0x130/0x130
[ 87.354052][ T3160] ret_from_fork+0x1f/0x30
[ 87.358928][ T3160]
[ 87.361329][ T3160] Allocated by task 3160:
[ 87.365733][ T3160] kasan_save_stack+0x1b/0x40
[ 87.370449][ T3160] __kasan_kmalloc+0x98/0xc0
[ 87.375127][ T3160] kmem_cache_alloc_trace+0x1e4/0x480
[ 87.380586][ T3160] em28xx_usb_probe+0x218/0xd30
[ 87.385550][ T3160] usb_probe_interface+0x315/0x7f0
[ 87.391290][ T3160] really_probe+0x23c/0xcd0
[ 87.395794][ T3160] __driver_probe_device+0x338/0x4d0
[ 87.401650][ T3160] driver_probe_device+0x4c/0x1a0
[ 87.406687][ T3160] __device_attach_driver+0x20b/0x2f0
[ 87.412057][ T3160] bus_for_each_drv+0x15f/0x1e0
[ 87.417014][ T3160] __device_attach+0x228/0x4a0
[ 87.421876][ T3160] bus_probe_device+0x1e4/0x290
[ 87.426807][ T3160] device_add+0xc2f/0x2180
[ 87.431218][ T3160] usb_set_configuration+0x113a/0x1910
[ 87.436845][ T3160] usb_generic_driver_probe+0xba/0x100
[ 87.442401][ T3160] usb_probe_device+0xd9/0x2c0
[ 87.447225][ T3160] really_probe+0x23c/0xcd0
[ 87.451807][ T3160] __driver_probe_device+0x338/0x4d0
[ 87.457259][ T3160] driver_probe_device+0x4c/0x1a0
[ 87.462663][ T3160] __device_attach_driver+0x20b/0x2f0
[ 87.468024][ T3160] bus_for_each_drv+0x15f/0x1e0
[ 87.472866][ T3160] __device_attach+0x228/0x4a0
[ 87.477620][ T3160] bus_probe_device+0x1e4/0x290
[ 87.482554][ T3160] device_add+0xc2f/0x2180
[ 87.487024][ T3160] usb_new_device.cold+0x63f/0x108e
[ 87.492406][ T3160] hub_event+0x2357/0x4330
[ 87.496916][ T3160] process_one_work+0x98d/0x1630
[ 87.501943][ T3160] worker_thread+0x658/0x11f0
[ 87.506614][ T3160] kthread+0x3e5/0x4d0
[ 87.510739][ T3160] ret_from_fork+0x1f/0x30
[ 87.515148][ T3160]
[ 87.517465][ T3160] Freed by task 3160:
[ 87.521446][ T3160] kasan_save_stack+0x1b/0x40
[ 87.526348][ T3160] kasan_set_track+0x1c/0x30
[ 87.530941][ T3160] kasan_set_free_info+0x20/0x30
[ 87.535867][ T3160] __kasan_slab_free+0xcd/0x100
[ 87.540798][ T3160] kfree+0x106/0x2c0
[ 87.544789][ T3160] kref_put.constprop.0.isra.0+0x3d/0x7e
[ 87.550434][ T3160] em28xx_ir_fini.cold+0x7c/0x120
[ 87.555459][ T3160] em28xx_close_extension+0xc9/0x2a0
[ 87.560752][ T3160] em28xx_usb_disconnect.cold+0x14b/0x237
[ 87.566612][ T3160] usb_unbind_interface+0x1d8/0x8d0
[ 87.571800][ T3160] __device_release_driver+0x3bd/0x6f0
[ 87.577433][ T3160] device_release_driver+0x26/0x40
[ 87.582533][ T3160] bus_remove_device+0x2eb/0x5a0
[ 87.587462][ T3160] device_del+0x502/0xd40
[ 87.591781][ T3160] usb_disable_device+0x35b/0x7b0
[ 87.596973][ T3160] usb_disconnect.cold+0x27a/0x78e
[ 87.602098][ T3160] hub_event+0x1c9c/0x4330
[ 87.607038][ T3160] process_one_work+0x98d/0x1630
[ 87.611977][ T3160] worker_thread+0x85c/0x11f0
[ 87.616676][ T3160] kthread+0x3e5/0x4d0
[ 87.620744][ T3160] ret_from_fork+0x1f/0x30
[ 87.625157][ T3160]
[ 87.627467][ T3160] Last potentially related work creation:
[ 87.633264][ T3160] kasan_save_stack+0x1b/0x40
[ 87.637946][ T3160] kasan_record_aux_stack+0xa4/0xd0
[ 87.643217][ T3160] insert_work+0x48/0x370
[ 87.647578][ T3160] __queue_work+0x5c1/0xed0
[ 87.652073][ T3160] queue_work_on+0xee/0x110
[ 87.656562][ T3160] em28xx_usb_probe.cold+0x15e9/0x2582
[ 87.662055][ T3160] usb_probe_interface+0x315/0x7f0
[ 87.667152][ T3160] really_probe+0x23c/0xcd0
[ 87.671663][ T3160] __driver_probe_device+0x338/0x4d0
[ 87.677017][ T3160] driver_probe_device+0x4c/0x1a0
[ 87.682025][ T3160] __device_attach_driver+0x20b/0x2f0
[ 87.687380][ T3160] bus_for_each_drv+0x15f/0x1e0
[ 87.692231][ T3160] __device_attach+0x228/0x4a0
[ 87.696983][ T3160] bus_probe_device+0x1e4/0x290
[ 87.701824][ T3160] device_add+0xc2f/0x2180
[ 87.706397][ T3160] usb_set_configuration+0x113a/0x1910
[ 87.711846][ T3160] usb_generic_driver_probe+0xba/0x100
[ 87.717294][ T3160] usb_probe_device+0xd9/0x2c0
[ 87.722042][ T3160] really_probe+0x23c/0xcd0
[ 87.726619][ T3160] __driver_probe_device+0x338/0x4d0
[ 87.731892][ T3160] driver_probe_device+0x4c/0x1a0
[ 87.736994][ T3160] __device_attach_driver+0x20b/0x2f0
[ 87.742369][ T3160] bus_for_each_drv+0x15f/0x1e0
[ 87.747220][ T3160] __device_attach+0x228/0x4a0
[ 87.751984][ T3160] bus_probe_device+0x1e4/0x290
[ 87.756822][ T3160] device_add+0xc2f/0x2180
[ 87.761241][ T3160] usb_new_device.cold+0x63f/0x108e
[ 87.766434][ T3160] hub_event+0x2357/0x4330
[ 87.771006][ T3160] process_one_work+0x98d/0x1630
[ 87.776022][ T3160] worker_thread+0x658/0x11f0
[ 87.780692][ T3160] kthread+0x3e5/0x4d0
[ 87.784765][ T3160] ret_from_fork+0x1f/0x30
[ 87.789188][ T3160]
[ 87.791505][ T3160] The buggy address belongs to the object at ffff888040e68000
[ 87.791505][ T3160] which belongs to the cache kmalloc-16k of size 16384
[ 87.805717][ T3160] The buggy address is located 600 bytes inside of
[ 87.805717][ T3160] 16384-byte region [ffff888040e68000, ffff888040e6c000)
[ 87.820369][ T3160] The buggy address belongs to the page:
[ 87.826018][ T3160] page:ffffea0001039a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x40e68
[ 87.836423][ T3160] head:ffffea0001039a00 order:3 compound_mapcount:0 compound_pincount:0
[ 87.844752][ T3160] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 87.852754][ T3160] raw: 00fff00000010200 ffffea0001039808 ffffea0001039c08 ffff888010840b00
[ 87.861380][ T3160] raw: 0000000000000000 ffff888040e68000 0000000100000001 0000000000000000
[ 87.870008][ T3160] page dumped because: kasan: bad access detected
[ 87.876887][ T3160] page_owner tracks the page as allocated
[ 87.882609][ T3160] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 3160, ts 86427781608, free_ts 0
[ 87.899926][ T3160] get_page_from_freelist+0xa72/0x2f80
[ 87.905580][ T3160] __alloc_pages+0x1b2/0x500
[ 87.910160][ T3160] cache_grow_begin+0x75/0x460
[ 87.914911][ T3160] cache_alloc_refill+0x27f/0x380
[ 87.919930][ T3160] kmem_cache_alloc_trace+0x38c/0x480
[ 87.925481][ T3160] em28xx_usb_probe+0x218/0xd30
[ 87.930325][ T3160] usb_probe_interface+0x315/0x7f0
[ 87.935422][ T3160] really_probe+0x23c/0xcd0
[ 87.939924][ T3160] __driver_probe_device+0x338/0x4d0
[ 87.945204][ T3160] driver_probe_device+0x4c/0x1a0
[ 87.950321][ T3160] __device_attach_driver+0x20b/0x2f0
[ 87.955770][ T3160] bus_for_each_drv+0x15f/0x1e0
[ 87.960613][ T3160] __device_attach+0x228/0x4a0
[ 87.965362][ T3160] bus_probe_device+0x1e4/0x290
[ 87.970195][ T3160] device_add+0xc2f/0x2180
[ 87.974608][ T3160] usb_set_configuration+0x113a/0x1910
[ 87.980083][ T3160] page_owner free stack trace missing
[ 87.985453][ T3160]
[ 87.987766][ T3160] Memory state around the buggy address:
[ 87.993389][ T3160] ffff888040e68100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 88.001561][ T3160] ffff888040e68180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 88.009779][ T3160] >ffff888040e68200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 88.017835][ T3160] ^
[ 88.024865][ T3160] ffff888040e68280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 88.032922][ T3160] ffff888040e68300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 88.041051][ T3160] ==================================================================
[ 88.049527][ T3160] Disabling lock debugging due to kernel taint
[ 88.068229][ T3160] Kernel panic - not syncing: panic_on_warn set ...
[ 88.074842][ T3160] CPU: 0 PID: 3160 Comm: kworker/0:3 Tainted: G B 5.14.0-rc3-syzkaller #0
[ 88.084738][ T3160] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 88.094902][ T3160] Workqueue: usb_hub_wq hub_event
[ 88.099942][ T3160] Call Trace:
[ 88.103217][ T3160] dump_stack_lvl+0xcd/0x134
[ 88.107923][ T3160] panic+0x306/0x73d
[ 88.111822][ T3160] ? __warn_printk+0xf3/0xf3
[ 88.116479][ T3160] ? preempt_schedule_common+0x59/0xc0
[ 88.121922][ T3160] ? __list_del_entry_valid+0xcc/0xf0
[ 88.127289][ T3160] ? preempt_schedule_thunk+0x16/0x18
[ 88.132732][ T3160] ? trace_hardirqs_on+0x38/0x1c0
[ 88.137740][ T3160] ? trace_hardirqs_on+0x51/0x1c0
[ 88.142749][ T3160] ? __list_del_entry_valid+0xcc/0xf0
[ 88.148194][ T3160] ? __list_del_entry_valid+0xcc/0xf0
[ 88.153559][ T3160] end_report.cold+0x5a/0x5a
[ 88.158235][ T3160] kasan_report.cold+0x71/0xdf
[ 88.163287][ T3160] ? __list_del_entry_valid+0xcc/0xf0
[ 88.168672][ T3160] __list_del_entry_valid+0xcc/0xf0
[ 88.173968][ T3160] em28xx_close_extension+0x10b/0x2a0
[ 88.179415][ T3160] em28xx_usb_disconnect.cold+0x14b/0x237
[ 88.185133][ T3160] usb_unbind_interface+0x1d8/0x8d0
[ 88.190323][ T3160] ? __sanitizer_cov_trace_cmp4+0x1c/0x70
[ 88.196113][ T3160] ? kernfs_remove_by_name_ns+0x62/0xb0
[ 88.201666][ T3160] ? usb_unbind_device+0x1a0/0x1a0
[ 88.206760][ T3160] __device_release_driver+0x3bd/0x6f0
[ 88.212210][ T3160] device_release_driver+0x26/0x40
[ 88.217479][ T3160] bus_remove_device+0x2eb/0x5a0
[ 88.222413][ T3160] device_del+0x502/0xd40
[ 88.226811][ T3160] ? __device_links_queue_sync_state+0x400/0x400
[ 88.233221][ T3160] ? kobject_put+0x1f3/0x540
[ 88.237811][ T3160] usb_disable_device+0x35b/0x7b0
[ 88.243099][ T3160] usb_disconnect.cold+0x27a/0x78e
[ 88.248285][ T3160] hub_event+0x1c9c/0x4330
[ 88.253397][ T3160] ? hub_port_debounce+0x3c0/0x3c0
[ 88.258675][ T3160] ? lock_release+0x720/0x720
[ 88.263430][ T3160] ? lock_downgrade+0x6e0/0x6e0
[ 88.268351][ T3160] ? do_raw_spin_lock+0x120/0x2b0
[ 88.273645][ T3160] process_one_work+0x98d/0x1630
[ 88.279262][ T3160] ? pwq_dec_nr_in_flight+0x320/0x320
[ 88.284622][ T3160] ? rwlock_bug.part.0+0x90/0x90
[ 88.289631][ T3160] ? _raw_spin_lock_irq+0x41/0x50
[ 88.294661][ T3160] worker_thread+0x85c/0x11f0
[ 88.299334][ T3160] ? process_one_work+0x1630/0x1630
[ 88.304527][ T3160] kthread+0x3e5/0x4d0
[ 88.308621][ T3160] ? set_kthread_struct+0x130/0x130
[ 88.314260][ T3160] ret_from_fork+0x1f/0x30
[ 88.320640][ T3160] Kernel Offset: disabled
[ 88.326442][ T3160] Rebooting in 86400 seconds..