[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[   15.064019][    C1] random: crng init done
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.199' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   28.637102][   T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   28.727265][   T83] usb 1-1: Using ep0 maxpacket: 32
[   28.847661][   T83] usb 1-1: config 0 has an invalid interface number: 254 but max is 0
[   28.855892][   T83] usb 1-1: config 0 has no interface number 0
[   28.862056][   T83] usb 1-1: config 0 interface 254 altsetting 0 endpoint 0x82 has an invalid bInterval 0, changing to 7
[   29.027160][   T83] usb 1-1: New USB device found, idVendor=eb1a, idProduct=e303, bcdDevice=29.3d
[   29.036204][   T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   29.044212][   T83] usb 1-1: Product: syz
[   29.048404][   T83] usb 1-1: Manufacturer: syz
[   29.052979][   T83] usb 1-1: SerialNumber: syz
[   29.059239][   T83] usb 1-1: config 0 descriptor??
executing program
[   29.338878][   T83] em28xx 1-1:0.254: New device syz syz @ 480 Mbps (eb1a:e303, interface 254, class 254)
[   29.348721][   T83] em28xx 1-1:0.254: Video interface 254 found:
[   29.477132][   T83] em28xx 1-1:0.254: unknown em28xx chip ID (0)
[   29.797141][   T83] em28xx 1-1:0.254: reading from i2c device at 0xa0 failed (error=-5)
[   29.805398][   T83] em28xx 1-1:0.254: board has no eeprom
[   29.917523][   T83] em28xx 1-1:0.254: Identified as Kaiomy TVnPC U2 (card=63)
[   29.924890][   T83] em28xx 1-1:0.254: analog set to bulk mode.
[   29.933162][   T83] usb 1-1: USB disconnect, device number 2
[   29.942401][   T83] em28xx 1-1:0.254: Disconnecting em28xx
[   29.948403][  T103] em28xx 1-1:0.254: Registering V4L2 extension
[   29.962950][  T103] i2c i2c-0: Invalid 7-bit I2C address 0x00
[   29.973548][  T103] tuner: 0-0061: Tuner -1 found with type(s) Radio TV.
[   29.981230][  T103] xc2028 0-0061: creating new instance
[   29.986797][  T103] xc2028 0-0061: type set to XCeive xc2028/xc3028 tuner
[   29.993986][  T103] em28xx 1-1:0.254: Config register raw data: 0xffffffed
[   30.001071][  T103] em28xx 1-1:0.254: AC97 chip type couldn't be determined
[   30.008200][  T103] em28xx 1-1:0.254: No AC97 audio processor
[   30.015330][  T103] em28xx 1-1:0.254: Registered radio device as radio0
[   30.022170][  T103] usb 1-1: Decoder not found
[   30.026749][  T103] em28xx 1-1:0.254: failed to create media graph
[   30.033141][  T103] em28xx 1-1:0.254: V4L2 device radio0 deregistered
[   30.040522][  T103] em28xx 1-1:0.254: V4L2 device video0 deregistered
[   30.048345][  T103] xc2028 0-0061: destroying instance
[   30.054019][  T103] em28xx 1-1:0.254: Registering input extension
[   30.060625][   T83] em28xx 1-1:0.254: Closing input extension
[   30.069393][   T83] em28xx 1-1:0.254: Freeing device
[   30.099867][  T103] usb 1-1:0.254: Direct firmware load for xc3028-v27.fw failed with error -2
[   30.113432][  T103] ==================================================================
[   30.121592][  T103] BUG: KASAN: use-after-free in load_firmware_cb+0x173/0x18c
[   30.128958][  T103] Read of size 8 at addr ffff8881cdd5c308 by task kworker/1:3/103
[   30.136755][  T103]
[   30.139092][  T103] CPU: 1 PID: 103 Comm: kworker/1:3 Not tainted 5.6.0-rc5-syzkaller #0
[   30.147314][  T103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.157356][  T103] Workqueue: events request_firmware_work_func
[   30.163488][  T103] Call Trace:
[   30.166763][  T103]  dump_stack+0xef/0x16e
[   30.170998][  T103]  ? load_firmware_cb+0x173/0x18c
[   30.176004][  T103]  ? load_firmware_cb+0x173/0x18c
[   30.181017][  T103]  print_address_description.constprop.0.cold+0xd3/0x314
[   30.188032][  T103]  ? load_firmware_cb+0x173/0x18c
[   30.193038][  T103]  ? load_firmware_cb+0x173/0x18c
[   30.198053][  T103]  __kasan_report.cold+0x37/0x77
[   30.202974][  T103]  ? load_firmware_cb+0x173/0x18c
[   30.207977][  T103]  kasan_report+0xe/0x20
[   30.212201][  T103]  load_firmware_cb+0x173/0x18c
[   30.217040][  T103]  ? _request_firmware+0x935/0x1210
[   30.222218][  T103]  ? kfree+0xd5/0x300
[   30.226185][  T103]  ? _request_firmware+0x10b/0x1210
[   30.231366][  T103]  ? xc2028_attach+0x2f0/0x2f0
[   30.236116][  T103]  ? assign_fw+0x480/0x480
[   30.240517][  T103]  ? find_held_lock+0x2d/0x110
[   30.245263][  T103]  ? mark_held_locks+0xe0/0xe0
[   30.250020][  T103]  ? xc2028_attach+0x2f0/0x2f0
[   30.254763][  T103]  request_firmware_work_func+0x126/0x242
[   30.260463][  T103]  ? request_firmware_into_buf+0x90/0x90
[   30.266075][  T103]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   30.271600][  T103]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   30.276868][  T103]  process_one_work+0x94b/0x1620
[   30.281785][  T103]  ? pwq_dec_nr_in_flight+0x310/0x310
[   30.287136][  T103]  ? do_raw_spin_lock+0x129/0x290
[   30.292144][  T103]  ? move_linked_works+0x1f6/0x2f0
[   30.297232][  T103]  worker_thread+0x96/0xe20
[   30.301715][  T103]  ? process_one_work+0x1620/0x1620
[   30.306890][  T103]  kthread+0x318/0x420
[   30.310936][  T103]  ? kthread_create_on_node+0xf0/0xf0
[   30.316300][  T103]  ret_from_fork+0x24/0x30
[   30.320694][  T103]
[   30.323003][  T103] Allocated by task 103:
[   30.327224][  T103]  save_stack+0x1b/0x80
[   30.331358][  T103]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   30.336969][  T103]  tuner_probe+0xa4/0x1182
[   30.341365][  T103]  i2c_device_probe+0x51a/0x800
[   30.346201][  T103]  really_probe+0x290/0xac0
[   30.350692][  T103]  driver_probe_device+0x223/0x350
[   30.355788][  T103]  __device_attach_driver+0x1d1/0x290
[   30.361141][  T103]  bus_for_each_drv+0x162/0x1e0
[   30.365967][  T103]  __device_attach+0x217/0x390
[   30.370714][  T103]  bus_probe_device+0x1e4/0x290
[   30.375549][  T103]  device_add+0x1459/0x1bf0
[   30.380031][  T103]  i2c_new_client_device+0x589/0xa70
[   30.385303][  T103]  i2c_new_device+0x19/0x50
[   30.389786][  T103]  v4l2_i2c_new_subdev_board+0xaf/0x2a0
[   30.395307][  T103]  v4l2_i2c_new_subdev+0xb8/0xf0
[   30.400229][  T103]  em28xx_v4l2_init.cold+0x9cc/0x33eb
[   30.405582][  T103]  em28xx_init_extension+0x12f/0x1f0
[   30.410855][  T103]  request_module_async+0x5d/0x70
[   30.415866][  T103]  process_one_work+0x94b/0x1620
[   30.420807][  T103]  worker_thread+0x73e/0xe20
[   30.425399][  T103]  kthread+0x318/0x420
[   30.429452][  T103]  ret_from_fork+0x24/0x30
[   30.433852][  T103]
[   30.436159][  T103] Freed by task 103:
[   30.440054][  T103]  save_stack+0x1b/0x80
[   30.444192][  T103]  __kasan_slab_free+0x117/0x160
[   30.449111][  T103]  kfree+0xd5/0x300
[   30.452902][  T103]  tuner_remove+0x198/0x200
[   30.457386][  T103]  i2c_device_remove+0xcf/0x250
[   30.462214][  T103]  device_release_driver_internal+0x231/0x500
[   30.468259][  T103]  bus_remove_device+0x2eb/0x5a0
[   30.473185][  T103]  device_del+0x481/0xd30
[   30.477495][  T103]  device_unregister+0x22/0xc0
[   30.482238][  T103]  i2c_unregister_device+0x38/0x40
[   30.487350][  T103]  v4l2_i2c_subdev_unregister+0xa2/0xc0
[   30.492879][  T103]  v4l2_device_unregister+0x18a/0x220
[   30.498241][  T103]  em28xx_v4l2_init.cold+0xd26/0x33eb
[   30.503592][  T103]  em28xx_init_extension+0x12f/0x1f0
[   30.508857][  T103]  request_module_async+0x5d/0x70
[   30.513872][  T103]  process_one_work+0x94b/0x1620
[   30.518810][  T103]  worker_thread+0x73e/0xe20
[   30.523380][  T103]  kthread+0x318/0x420
[   30.527438][  T103]  ret_from_fork+0x24/0x30
[   30.531827][  T103]
[   30.534139][  T103] The buggy address belongs to the object at ffff8881cdd5c000
[   30.534139][  T103]  which belongs to the cache kmalloc-2k of size 2048
[   30.548168][  T103] The buggy address is located 776 bytes inside of
[   30.548168][  T103]  2048-byte region [ffff8881cdd5c000, ffff8881cdd5c800)
[   30.561500][  T103] The buggy address belongs to the page:
[   30.567113][  T103] page:ffffea0007375600 refcount:1 mapcount:0 mapping:ffff8881da00c000 index:0x0 compound_mapcount: 0
[   30.578035][  T103] flags: 0x200000000010200(slab|head)
[   30.583404][  T103] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
[   30.591978][  T103] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[   30.600549][  T103] page dumped because: kasan: bad access detected
[   30.606943][  T103]
[   30.609252][  T103] Memory state around the buggy address:
[   30.614879][  T103]  ffff8881cdd5c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.622919][  T103]  ffff8881cdd5c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.630963][  T103] >ffff8881cdd5c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.639000][  T103]                       ^
[   30.643311][  T103]  ffff8881cdd5c380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.651352][  T103]  ffff8881cdd5c400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.659388][  T103] ==================================================================
[   30.667423][  T103] Disabling lock debugging due to kernel taint
[   30.673738][  T103] Kernel panic - not syncing: panic_on_warn set ...
[   30.680322][  T103] CPU: 1 PID: 103 Comm: kworker/1:3 Tainted: G    B             5.6.0-rc5-syzkaller #0
[   30.690017][  T103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.700063][  T103] Workqueue: events request_firmware_work_func
[   30.706198][  T103] Call Trace:
[   30.709506][  T103]  dump_stack+0xef/0x16e
[   30.713758][  T103]  panic+0x2aa/0x6e1
[   30.717638][  T103]  ? add_taint.cold+0x16/0x16
[   30.722292][  T103]  ? load_firmware_cb+0x173/0x18c
[   30.727299][  T103]  ? trace_hardirqs_on+0x55/0x200
[   30.732298][  T103]  ? load_firmware_cb+0x173/0x18c
[   30.737297][  T103]  end_report+0x43/0x49
[   30.741428][  T103]  ? load_firmware_cb+0x173/0x18c
[   30.746439][  T103]  __kasan_report.cold+0x55/0x77
[   30.751354][  T103]  ? load_firmware_cb+0x173/0x18c
[   30.756353][  T103]  kasan_report+0xe/0x20
[   30.760588][  T103]  load_firmware_cb+0x173/0x18c
[   30.765452][  T103]  ? _request_firmware+0x935/0x1210
[   30.770626][  T103]  ? kfree+0xd5/0x300
[   30.774616][  T103]  ? _request_firmware+0x10b/0x1210
[   30.779789][  T103]  ? xc2028_attach+0x2f0/0x2f0
[   30.784526][  T103]  ? assign_fw+0x480/0x480
[   30.788925][  T103]  ? find_held_lock+0x2d/0x110
[   30.793707][  T103]  ? mark_held_locks+0xe0/0xe0
[   30.798446][  T103]  ? xc2028_attach+0x2f0/0x2f0
[   30.803198][  T103]  request_firmware_work_func+0x126/0x242
[   30.808946][  T103]  ? request_firmware_into_buf+0x90/0x90
[   30.814561][  T103]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   30.820128][  T103]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   30.825390][  T103]  process_one_work+0x94b/0x1620
[   30.830302][  T103]  ? pwq_dec_nr_in_flight+0x310/0x310
[   30.835648][  T103]  ? do_raw_spin_lock+0x129/0x290
[   30.840647][  T103]  ? move_linked_works+0x1f6/0x2f0
[   30.845730][  T103]  worker_thread+0x96/0xe20
[   30.850207][  T103]  ? process_one_work+0x1620/0x1620
[   30.855377][  T103]  kthread+0x318/0x420
[   30.859421][  T103]  ? kthread_create_on_node+0xf0/0xf0
[   30.864767][  T103]  ret_from_fork+0x24/0x30
[   30.869692][  T103] Kernel Offset: disabled
[   30.874045][  T103] Rebooting in 86400 seconds..