list_add corruption. prev->next should be next (ffffffff8fe479a0), but was ffffffff8262e761. (prev=ffff888026f70250).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:32!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 34 Comm: kworker/3:0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: usb_hub_wq hub_event
RIP: 0010:__list_add_valid_or_report+0xfb/0x130 lib/list_debug.c:32
Code: b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 3d 49 8b 55 00 4c 89 e9 48 89 de 48 c7 c7 e0 37 fa 8b e8 86 bf 32 fc 90 <0f> 0b 4c 89 e7 e8 fb c6 81 fd e9 3a ff ff ff 4c 89 ef e8 ee c6 81
RSP: 0018:ffffc900006dedb8 EFLAGS: 00010286
RAX: 0000000000000075 RBX: ffffffff8fe479a0 RCX: 0000000000000000
RDX: 0000000000000075 RSI: ffffffff81e5d6c9 RDI: fffff520000dbda8
RBP: ffff88802d9b0250 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: ffffffff8fe479a8
R13: ffff888026f70250 R14: ffff88802b84b800 R15: ffff88805d7763a0
FS: 0000000000000000(0000) GS:ffff8880d68db000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000558fe1eb3d60 CR3: 0000000037a00000 CR4: 0000000000352ef0
Call Trace:
 __list_add_valid include/linux/list.h:96 [inline]
 __list_add include/linux/list.h:158 [inline]
 list_add_tail include/linux/list.h:191 [inline]
 em28xx_init_extension+0x48/0x200 drivers/media/usb/em28xx/em28xx-core.c:1114
 em28xx_init_dev.isra.0+0xac3/0x17c4 drivers/media/usb/em28xx/em28xx-cards.c:3679
 em28xx_usb_probe.cold+0xc3b/0x24ab drivers/media/usb/em28xx/em28xx-cards.c:4034
 usb_probe_interface+0x303/0x8f0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:583 [inline]
 really_probe+0x241/0xa60 drivers/base/dd.c:661
 __driver_probe_device+0x1de/0x400 drivers/base/dd.c:803
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:833
 __device_attach_driver+0x1df/0x340 drivers/base/dd.c:961
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500
 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1033
 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1088
 bus_probe_device+0x64/0x160 drivers/base/bus.c:574
 device_add+0x11d9/0x1950 drivers/base/core.c:3689
 usb_set_configuration+0xd97/0x1c60 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xa1/0xe0 drivers/usb/core/generic.c:250
 usb_probe_device+0xef/0x400 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:583 [inline]
 really_probe+0x241/0xa60 drivers/base/dd.c:661
 __driver_probe_device+0x1de/0x400 drivers/base/dd.c:803
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:833
 __device_attach_driver+0x1df/0x340 drivers/base/dd.c:961
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500
 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1033
 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1088
 bus_probe_device+0x64/0x160 drivers/base/bus.c:574
 device_add+0x11d9/0x1950 drivers/base/core.c:3689
 usb_new_device.cold+0x685/0x115c drivers/usb/core/hub.c:2695
 hub_port_connect drivers/usb/core/hub.c:5567 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
 port_event drivers/usb/core/hub.c:5871 [inline]
 hub_event+0x314d/0x4af0 drivers/usb/core/hub.c:5953
 process_one_work+0x9c2/0x1840 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x5da/0xe40 kernel/workqueue.c:3421
 kthread+0x3b3/0x730 kernel/kthread.c:463
 ret_from_fork+0x754/0xaf0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_add_valid_or_report+0xfb/0x130 lib/list_debug.c:32
Code: b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 3d 49 8b 55 00 4c 89 e9 48 89 de 48 c7 c7 e0 37 fa 8b e8 86 bf 32 fc 90 <0f> 0b 4c 89 e7 e8 fb c6 81 fd e9 3a ff ff ff 4c 89 ef e8 ee c6 81
RSP: 0018:ffffc900006dedb8 EFLAGS: 00010286
RAX: 0000000000000075 RBX: ffffffff8fe479a0 RCX: 0000000000000000
RDX: 0000000000000075 RSI: ffffffff81e5d6c9 RDI: fffff520000dbda8
RBP: ffff88802d9b0250 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: ffffffff8fe479a8
R13: ffff888026f70250 R14: ffff88802b84b800 R15: ffff88805d7763a0
FS: 0000000000000000(0000) GS:ffff8880d68db000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000558fe1eb3d60 CR3: 0000000037a00000 CR4: 0000000000352ef0