[info] Using makefile-style concurrent boot in runlevel 2.
[ 13.770998][ C1] random: crng init done
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.249' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 64.768400][ T21] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 65.128504][ T21] usb 1-1: config 0 has an invalid interface number: 240 but max is 0
[ 65.136739][ T21] usb 1-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config
[ 65.146939][ T21] usb 1-1: config 0 has no interface number 0
[ 65.153040][ T21] usb 1-1: config 0 interface 240 altsetting 0 endpoint 0x83 has an invalid bInterval 0, changing to 7
[ 65.164081][ T21] usb 1-1: New USB device found, idVendor=2040, idProduct=8265, bcdDevice=3c.b9
[ 65.173107][ T21] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 65.182270][ T21] usb 1-1: config 0 descriptor??
[ 65.230405][ T21] em28xx 1-1:0.240: New device @ 480 Mbps (2040:8265, interface 240, class 240)
[ 65.239690][ T21] em28xx 1-1:0.240: Audio interface 240 found (Vendor Class)
executing program
[ 65.468504][ T21] em28xx 1-1:0.240: unknown em28xx chip ID (0)
[ 65.488433][ T21] em28xx 1-1:0.240: Config register raw data: 0xfffffffb
[ 65.518389][ T21] em28xx 1-1:0.240: AC97 chip type couldn't be determined
[ 65.525513][ T21] em28xx 1-1:0.240: No AC97 audio processor
[ 65.531461][ T21] em28xx 1-1:0.240: We currently don't support analog TV or stream capture on dual tuners.
[ 65.668414][ T21] em28xx 1-1:0.240: unknown em28xx chip ID (0)
[ 65.688414][ T21] em28xx 1-1:0.240: Config register raw data: 0xfffffffb
[ 65.708388][ T21] em28xx 1-1:0.240: AC97 chip type couldn't be determined
[ 65.715484][ T21] em28xx 1-1:0.240: No AC97 audio processor
[ 65.961187][ T21] usb 1-1: USB disconnect, device number 2
[ 65.968005][ T21] em28xx 1-1:0.240: Disconnecting em28xx #1
[ 65.973928][ T21] em28xx 1-1:0.240: Disconnecting em28xx
[ 65.980829][ T21] em28xx 1-1:0.240: Freeing device
[ 65.985946][ T21] em28xx 1-1:0.240: Freeing device
[ 66.338392][ T21] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 66.698430][ T21] usb 1-1: config 0 has an invalid interface number: 240 but max is 0
[ 66.706595][ T21] usb 1-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config
[ 66.716685][ T21] usb 1-1: config 0 has no interface number 0
[ 66.722782][ T21] usb 1-1: config 0 interface 240 altsetting 0 endpoint 0x83 has an invalid bInterval 0, changing to 7
[ 66.733835][ T21] usb 1-1: New USB device found, idVendor=2040, idProduct=8265, bcdDevice=3c.b9
[ 66.742859][ T21] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 66.751776][ T21] usb 1-1: config 0 descriptor??
[ 66.800107][ T21] em28xx 1-1:0.240: New device @ 480 Mbps (2040:8265, interface 240, class 240)
[ 66.809364][ T21] em28xx 1-1:0.240: Audio interface 240 found (Vendor Class)
executing program
[ 67.038524][ T21] em28xx 1-1:0.240: unknown em28xx chip ID (0)
[ 67.058398][ T21] em28xx 1-1:0.240: Config register raw data: 0xfffffffb
[ 67.078390][ T21] em28xx 1-1:0.240: AC97 chip type couldn't be determined
[ 67.085484][ T21] em28xx 1-1:0.240: No AC97 audio processor
[ 67.091568][ T21] ==================================================================
[ 67.099722][ T21] BUG: KASAN: use-after-free in __list_add_valid+0xd8/0xf0
[ 67.106888][ T21] Read of size 8 at addr ffff8881d31d0240 by task kworker/1:1/21
[ 67.114568][ T21]
[ 67.116875][ T21] CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 5.3.0+ #0
[ 67.123869][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.133913][ T21] Workqueue: usb_hub_wq hub_event
[ 67.138908][ T21] Call Trace:
[ 67.142175][ T21] dump_stack+0xca/0x13e
[ 67.146391][ T21] ? __list_add_valid+0xd8/0xf0
[ 67.151217][ T21] ? __list_add_valid+0xd8/0xf0
[ 67.156039][ T21] print_address_description+0x6a/0x32c
[ 67.161556][ T21] ? __list_add_valid+0xd8/0xf0
[ 67.166379][ T21] ? __list_add_valid+0xd8/0xf0
[ 67.171201][ T21] __kasan_report.cold+0x1a/0x33
[ 67.176110][ T21] ? __list_add_valid+0xd8/0xf0
[ 67.180931][ T21] kasan_report+0xe/0x12
[ 67.185149][ T21] __list_add_valid+0xd8/0xf0
[ 67.189800][ T21] em28xx_init_extension+0x44/0x1f0
[ 67.194974][ T21] em28xx_init_dev.isra.0+0xa7b/0x15d8
[ 67.200405][ T21] ? _dev_info+0xd7/0x109
[ 67.204707][ T21] ? em28xx_usb_disconnect.cold+0x27a/0x27a
[ 67.210573][ T21] ? lockdep_init_map+0x1b0/0x5e0
[ 67.215570][ T21] ? lockdep_init_map+0x1b0/0x5e0
[ 67.220572][ T21] em28xx_usb_probe.cold+0xcac/0x2516
[ 67.225919][ T21] usb_probe_interface+0x305/0x7a0
[ 67.231017][ T21] ? usb_probe_device+0x100/0x100
[ 67.236013][ T21] really_probe+0x281/0x6d0
[ 67.240488][ T21] driver_probe_device+0x101/0x1b0
[ 67.245573][ T21] __device_attach_driver+0x1c2/0x220
[ 67.250937][ T21] ? driver_allows_async_probing+0x160/0x160
[ 67.256887][ T21] bus_for_each_drv+0x162/0x1e0
[ 67.261744][ T21] ? bus_rescan_devices+0x20/0x20
[ 67.266743][ T21] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 67.272528][ T21] ? lockdep_hardirqs_on+0x379/0x580
[ 67.277794][ T21] __device_attach+0x217/0x360
[ 67.282530][ T21] ? device_bind_driver+0xd0/0xd0
[ 67.287525][ T21] ? kobject_uevent_env+0x29e/0x1150
[ 67.292781][ T21] ? kobject_uevent_env+0x2a8/0x1150
[ 67.298040][ T21] bus_probe_device+0x1e4/0x290
[ 67.302863][ T21] ? blocking_notifier_call_chain+0x54/0xa0
[ 67.308730][ T21] device_add+0xae6/0x16f0
[ 67.313118][ T21] ? uevent_store+0x50/0x50
[ 67.317598][ T21] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 67.323387][ T21] usb_set_configuration+0xdf6/0x1670
[ 67.328735][ T21] generic_probe+0x9d/0xd5
[ 67.333157][ T21] usb_probe_device+0x99/0x100
[ 67.337896][ T21] ? usb_suspend+0x620/0x620
[ 67.342456][ T21] really_probe+0x281/0x6d0
[ 67.346935][ T21] driver_probe_device+0x101/0x1b0
[ 67.352020][ T21] __device_attach_driver+0x1c2/0x220
[ 67.357379][ T21] ? driver_allows_async_probing+0x160/0x160
[ 67.363342][ T21] bus_for_each_drv+0x162/0x1e0
[ 67.368168][ T21] ? bus_rescan_devices+0x20/0x20
[ 67.373169][ T21] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 67.378953][ T21] ? lockdep_hardirqs_on+0x379/0x580
[ 67.384209][ T21] __device_attach+0x217/0x360
[ 67.388951][ T21] ? device_bind_driver+0xd0/0xd0
[ 67.393949][ T21] ? kobject_uevent_env+0x29e/0x1150
[ 67.399213][ T21] ? kobject_uevent_env+0x2a8/0x1150
[ 67.404473][ T21] bus_probe_device+0x1e4/0x290
[ 67.409299][ T21] ? blocking_notifier_call_chain+0x54/0xa0
[ 67.415164][ T21] device_add+0xae6/0x16f0
[ 67.419598][ T21] ? uevent_store+0x50/0x50
[ 67.424078][ T21] usb_new_device.cold+0x6a4/0xe79
[ 67.429163][ T21] hub_event+0x1b5c/0x3640
[ 67.433676][ T21] ? hub_port_debounce+0x260/0x260
[ 67.438765][ T21] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 67.444286][ T21] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 67.449548][ T21] process_one_work+0x92b/0x1530
[ 67.454476][ T21] ? pwq_dec_nr_in_flight+0x310/0x310
[ 67.459829][ T21] ? do_raw_spin_lock+0x11a/0x280
[ 67.464829][ T21] worker_thread+0x7ab/0xe20
[ 67.469393][ T21] ? process_one_work+0x1530/0x1530
[ 67.474601][ T21] kthread+0x318/0x420
[ 67.478644][ T21] ? kthread_create_on_node+0xf0/0xf0
[ 67.484001][ T21] ret_from_fork+0x24/0x30
[ 67.488398][ T21]
[ 67.490709][ T21] Allocated by task 238:
[ 67.494930][ T21] save_stack+0x1b/0x80
[ 67.499064][ T21] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 67.504666][ T21] kmem_cache_alloc+0xd6/0x2d0
[ 67.509403][ T21] shmem_alloc_inode+0x18/0x40
[ 67.514140][ T21] alloc_inode+0x61/0x1e0
[ 67.518442][ T21] new_inode_pseudo+0x14/0xe0
[ 67.523131][ T21] new_inode+0x1b/0x40
[ 67.527183][ T21] shmem_get_inode+0x84/0x7e0
[ 67.531833][ T21] shmem_mknod+0x5a/0x1f0
[ 67.536137][ T21] lookup_open+0x119a/0x18d0
[ 67.540699][ T21] path_openat+0x1045/0x3f50
[ 67.545264][ T21] do_filp_open+0x1a1/0x280
[ 67.549739][ T21] do_sys_open+0x3c0/0x580
[ 67.554130][ T21] do_syscall_64+0xb7/0x580
[ 67.558608][ T21] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 67.564468][ T21]
[ 67.566771][ T21] Freed by task 0:
[ 67.570464][ T21] save_stack+0x1b/0x80
[ 67.574624][ T21] __kasan_slab_free+0x130/0x180
[ 67.579533][ T21] kmem_cache_free+0xb9/0x380
[ 67.584202][ T21] i_callback+0x3f/0x70
[ 67.588342][ T21] rcu_core+0x630/0x1ca0
[ 67.592560][ T21] __do_softirq+0x221/0x912
[ 67.597028][ T21]
[ 67.599333][ T21] The buggy address belongs to the object at ffff8881d31d0000
[ 67.599333][ T21] which belongs to the cache shmem_inode_cache of size 1184
[ 67.613965][ T21] The buggy address is located 576 bytes inside of
[ 67.613965][ T21] 1184-byte region [ffff8881d31d0000, ffff8881d31d04a0)
[ 67.627290][ T21] The buggy address belongs to the page:
[ 67.632899][ T21] page:ffffea00074c7400 refcount:1 mapcount:0 mapping:ffff8881da115180 index:0x0 compound_mapcount: 0
[ 67.643807][ T21] flags: 0x200000000010200(slab|head)
[ 67.649156][ T21] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da115180
[ 67.657717][ T21] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 67.666277][ T21] page dumped because: kasan: bad access detected
[ 67.672666][ T21]
[ 67.674967][ T21] Memory state around the buggy address:
[ 67.680568][ T21] ffff8881d31d0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.688604][ T21] ffff8881d31d0180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.696638][ T21] >ffff8881d31d0200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.704668][ T21] ^
[ 67.710791][ T21] ffff8881d31d0280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.718828][ T21] ffff8881d31d0300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.726865][ T21] ==================================================================
[ 67.734916][ T21] Disabling lock debugging due to kernel taint
[ 67.741124][ T21] Kernel panic - not syncing: panic_on_warn set ...
[ 67.747701][ T21] CPU: 1 PID: 21 Comm: kworker/1:1 Tainted: G B 5.3.0+ #0
[ 67.756078][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.766111][ T21] Workqueue: usb_hub_wq hub_event
[ 67.771107][ T21] Call Trace:
[ 67.774378][ T21] dump_stack+0xca/0x13e
[ 67.778608][ T21] panic+0x2a3/0x6da
[ 67.782473][ T21] ? add_taint.cold+0x16/0x16
[ 67.787130][ T21] ? retint_kernel+0x10/0x10
[ 67.791700][ T21] ? trace_hardirqs_on+0x55/0x1e0
[ 67.796696][ T21] ? __list_add_valid+0xd8/0xf0
[ 67.801519][ T21] end_report+0x43/0x49
[ 67.805744][ T21] ? __list_add_valid+0xd8/0xf0
[ 67.810578][ T21] __kasan_report.cold+0xd/0x33
[ 67.815404][ T21] ? __list_add_valid+0xd8/0xf0
[ 67.820227][ T21] kasan_report+0xe/0x12
[ 67.824443][ T21] __list_add_valid+0xd8/0xf0
[ 67.829096][ T21] em28xx_init_extension+0x44/0x1f0
[ 67.834311][ T21] em28xx_init_dev.isra.0+0xa7b/0x15d8
[ 67.839753][ T21] ? _dev_info+0xd7/0x109
[ 67.844053][ T21] ? em28xx_usb_disconnect.cold+0x27a/0x27a
[ 67.849921][ T21] ? lockdep_init_map+0x1b0/0x5e0
[ 67.854919][ T21] ? lockdep_init_map+0x1b0/0x5e0
[ 67.859949][ T21] em28xx_usb_probe.cold+0xcac/0x2516
[ 67.865294][ T21] usb_probe_interface+0x305/0x7a0
[ 67.870378][ T21] ? usb_probe_device+0x100/0x100
[ 67.875373][ T21] really_probe+0x281/0x6d0
[ 67.879849][ T21] driver_probe_device+0x101/0x1b0
[ 67.884933][ T21] __device_attach_driver+0x1c2/0x220
[ 67.890277][ T21] ? driver_allows_async_probing+0x160/0x160
[ 67.896226][ T21] bus_for_each_drv+0x162/0x1e0
[ 67.901047][ T21] ? bus_rescan_devices+0x20/0x20
[ 67.906043][ T21] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 67.911820][ T21] ? lockdep_hardirqs_on+0x379/0x580
[ 67.917076][ T21] __device_attach+0x217/0x360
[ 67.921813][ T21] ? device_bind_driver+0xd0/0xd0
[ 67.926810][ T21] ? kobject_uevent_env+0x29e/0x1150
[ 67.932066][ T21] ? kobject_uevent_env+0x2a8/0x1150
[ 67.937366][ T21] bus_probe_device+0x1e4/0x290
[ 67.942187][ T21] ? blocking_notifier_call_chain+0x54/0xa0
[ 67.948051][ T21] device_add+0xae6/0x16f0
[ 67.952440][ T21] ? uevent_store+0x50/0x50
[ 67.956953][ T21] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 67.962763][ T21] usb_set_configuration+0xdf6/0x1670
[ 67.968109][ T21] generic_probe+0x9d/0xd5
[ 67.972497][ T21] usb_probe_device+0x99/0x100
[ 67.977232][ T21] ? usb_suspend+0x620/0x620
[ 67.981793][ T21] really_probe+0x281/0x6d0
[ 67.986271][ T21] driver_probe_device+0x101/0x1b0
[ 67.991384][ T21] __device_attach_driver+0x1c2/0x220
[ 67.996728][ T21] ? driver_allows_async_probing+0x160/0x160
[ 68.002677][ T21] bus_for_each_drv+0x162/0x1e0
[ 68.007497][ T21] ? bus_rescan_devices+0x20/0x20
[ 68.012491][ T21] ? _raw_spin_unlock_irqrestore+0x3e/0x50
[ 68.018267][ T21] ? lockdep_hardirqs_on+0x379/0x580
[ 68.023528][ T21] __device_attach+0x217/0x360
[ 68.028264][ T21] ? device_bind_driver+0xd0/0xd0
[ 68.033262][ T21] ? kobject_uevent_env+0x29e/0x1150
[ 68.038515][ T21] ? kobject_uevent_env+0x2a8/0x1150
[ 68.043772][ T21] bus_probe_device+0x1e4/0x290
[ 68.048597][ T21] ? blocking_notifier_call_chain+0x54/0xa0
[ 68.054459][ T21] device_add+0xae6/0x16f0
[ 68.058846][ T21] ? uevent_store+0x50/0x50
[ 68.063326][ T21] usb_new_device.cold+0x6a4/0xe79
[ 68.068406][ T21] hub_event+0x1b5c/0x3640
[ 68.072797][ T21] ? hub_port_debounce+0x260/0x260
[ 68.077884][ T21] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 68.083406][ T21] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 68.088667][ T21] process_one_work+0x92b/0x1530
[ 68.093577][ T21] ? pwq_dec_nr_in_flight+0x310/0x310
[ 68.098921][ T21] ? do_raw_spin_lock+0x11a/0x280
[ 68.103927][ T21] worker_thread+0x7ab/0xe20
[ 68.108492][ T21] ? process_one_work+0x1530/0x1530
[ 68.113661][ T21] kthread+0x318/0x420
[ 68.117701][ T21] ? kthread_create_on_node+0xf0/0xf0
[ 68.123053][ T21] ret_from_fork+0x24/0x30
[ 68.128098][ T21] Kernel Offset: disabled
[ 68.132411][ T21] Rebooting in 86400 seconds..