Extracting prog: 1m25.983772572s
Minimizing prog: 1m28.808936662s
Simplifying prog options: 3m32.19232951s
Extracting C: 58.107548851s
Simplifying C: 12m58.34820985s
extracting reproducer from 1 programs
testing a last program of every proc
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
program crashed: BUG: corrupted list in em28xx_init_extension
single: successfully extracted reproducer
found reproducer with 1 syscalls
minimizing guilty program
testing program (duration=36.374845297s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, 0x0, 0x0)
program did not crash
testing program (duration=36.374845297s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB], 0x0)
program did not crash
extracting C reproducer
testing compiled C program (duration=36.374845297s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: BUG: corrupted list in em28xx_close_extension
a never seen crash title: BUG: corrupted list in em28xx_close_extension, ignore
simplifying guilty program options
testing program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
program crashed: BUG: corrupted list in em28xx_close_extension
a never seen crash title: BUG: corrupted list in em28xx_close_extension, ignore
testing program (duration=36.374845297s, {Threaded:true Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
program did not crash
testing program (duration=36.374845297s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
program crashed: BUG: corrupted list in em28xx_init_extension
extracting C reproducer
testing compiled C program (duration=36.374845297s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: BUG: corrupted list in em28xx_init_extension
simplifying C reproducer
testing compiled C program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
testing compiled C program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: BUG: corrupted list in em28xx_init_extension
testing compiled C program (duration=36.374845297s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program did not crash
testing compiled C program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program did not crash
testing compiled C program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: BUG: corrupted list in em28xx_init_extension
testing compiled C program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: BUG: corrupted list in em28xx_init_extension
testing compiled C program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: BUG: corrupted list in em28xx_init_extension
testing compiled C program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program did not crash
testing compiled C program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program did not crash
testing compiled C program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: BUG: corrupted list in em28xx_init_extension
testing compiled C program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
testing compiled C program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: BUG: corrupted list in em28xx_init_extension
testing compiled C program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: BUG: corrupted list in em28xx_init_extension
testing compiled C program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: BUG: corrupted list in em28xx_init_extension
testing compiled C program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program did not crash
testing compiled C program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program did not crash
testing compiled C program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: BUG: corrupted list in em28xx_init_extension
testing program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
program did not crash
validation run: crashed=false
testing program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
program crashed: BUG: corrupted list in em28xx_init_extension
validation run: crashed=true
testing program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
program did not crash
validation run: crashed=false
testing program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
program crashed: BUG: corrupted list in em28xx_init_extension
validation run: crashed=true
testing program (duration=36.374845297s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
program crashed: BUG: corrupted list in em28xx_init_extension
validation run: crashed=true
reproducing took 24m41.428745831s
repro crashed as (corrupted=false):
em28xx 5-1:246.0: No AC97 audio processor
non-slab/vmalloc memory
list_add corruption. prev->next should be next (ffffffff9006eec0), but was ffffffff8276643a. (prev=ffff88802ec80250).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:32!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 5799 Comm: kworker/3:3 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: usb_hub_wq hub_event
RIP: 0010:__list_add_valid_or_report+0xfb/0x130 lib/list_debug.c:32
Code: b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 3d 49 8b 55 00 4c 89 e9 48 89 de 48 c7 c7 c0 49 1c 8c e8 26 02 20 fc 90 <0f> 0b 4c 89 e7 e8 db 48 74 fd e9 3a ff ff ff 4c 89 ef e8 ce 48 74
RSP: 0018:ffffc9000165ee20 EFLAGS: 00010282
RAX: 0000000000000075 RBX: ffffffff9006eec0 RCX: 0000000000000000
RDX: 0000000000000075 RSI: ffffffff81e74ba9 RDI: fffff520002cbdb5
RBP: ffff888035a20250 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: ffffffff9006eec8
R13: ffff88802ec80250 R14: ffff888027a74400 R15: ffff88805464f800
FS: 0000000000000000(0000) GS:ffff8880d6687000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b33163fff CR3: 000000002da6c000 CR4: 0000000000352ef0
Call Trace:
__list_add_valid include/linux/list.h:96 [inline]
__list_add include/linux/list.h:158 [inline]
list_add_tail include/linux/list.h:191 [inline]
em28xx_init_extension+0x48/0x200 drivers/media/usb/em28xx/em28xx-core.c:1245
em28xx_init_dev.isra.0+0xb49/0x1829 drivers/media/usb/em28xx/em28xx-cards.c:3887
em28xx_usb_probe.cold+0xca7/0x25f6 drivers/media/usb/em28xx/em28xx-cards.c:4258
usb_probe_interface+0x303/0x8f0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:631 [inline]
really_probe+0x241/0xa60 drivers/base/dd.c:709
__driver_probe_device+0x22e/0x480 drivers/base/dd.c:871
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:901
__device_attach_driver+0x1df/0x340 drivers/base/dd.c:1029
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500
__device_attach+0x1e4/0x4d0 drivers/base/dd.c:1101
device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x64/0x160 drivers/base/bus.c:613
device_add+0x1210/0x1950 drivers/base/core.c:3706
usb_set_configuration+0xd97/0x1c60 drivers/usb/core/message.c:2268
usb_generic_driver_probe+0xa1/0xe0 drivers/usb/core/generic.c:250
usb_probe_device+0xef/0x400 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:631 [inline]
really_probe+0x241/0xa60 drivers/base/dd.c:709
__driver_probe_device+0x22e/0x480 drivers/base/dd.c:871
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:901
__device_attach_driver+0x1df/0x340 drivers/base/dd.c:1029
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500
__device_attach+0x1e4/0x4d0 drivers/base/dd.c:1101
device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x64/0x160 drivers/base/bus.c:613
device_add+0x1210/0x1950 drivers/base/core.c:3706
usb_new_device.cold+0x685/0x115c drivers/usb/core/hub.c:2695
hub_port_connect drivers/usb/core/hub.c:5567 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x314d/0x4af0 drivers/usb/core/hub.c:5953
process_one_work+0xa0e/0x1980 kernel/workqueue.c:3314
process_scheduled_works kernel/workqueue.c:3397 [inline]
worker_thread+0x5ef/0xe50 kernel/workqueue.c:3478
kthread+0x370/0x450 kernel/kthread.c:436
ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_add_valid_or_report+0xfb/0x130 lib/list_debug.c:32
Code: b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 3d 49 8b 55 00 4c 89 e9 48 89 de 48 c7 c7 c0 49 1c 8c e8 26 02 20 fc 90 <0f> 0b 4c 89 e7 e8 db 48 74 fd e9 3a ff ff ff 4c 89 ef e8 ce 48 74
RSP: 0018:ffffc9000165ee20 EFLAGS: 00010282
RAX: 0000000000000075 RBX: ffffffff9006eec0 RCX: 0000000000000000
RDX: 0000000000000075 RSI: ffffffff81e74ba9 RDI: fffff520002cbdb5
RBP: ffff888035a20250 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: ffffffff9006eec8
R13: ffff88802ec80250 R14: ffff888027a74400 R15: ffff88805464f800
FS: 0000000000000000(0000) GS:ffff8880d6687000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b33163fff CR3: 000000003725a000 CR4: 0000000000352ef0
final repro crashed as (corrupted=false): same report as the repro crash above