Warning: Permanently added '10.128.0.67' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 46.490914][ T71] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 46.770712][ T71] usb 1-1: Using ep0 maxpacket: 8
[ 46.910779][ T71] usb 1-1: config 0 has an invalid interface number: 86 but max is 0
[ 46.919715][ T71] usb 1-1: config 0 has no interface number 0
[ 46.937766][ T71] usb 1-1: config 0 interface 86 altsetting 0 endpoint 0xE has invalid wMaxPacketSize 0
[ 46.947856][ T71] usb 1-1: config 0 interface 86 altsetting 0 bulk endpoint 0xE has invalid maxpacket 0
[ 46.957708][ T71] usb 1-1: config 0 interface 86 altsetting 0 endpoint 0x82 has invalid wMaxPacketSize 0
[ 46.967604][ T71] usb 1-1: New USB device found, idVendor=0ccd, idProduct=10af, bcdDevice=77.fc
[ 46.977767][ T71] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 46.988637][ T71] usb 1-1: config 0 descriptor??
[ 47.033513][ T71] em28xx 1-1:0.86: New device @ 480 Mbps (0ccd:10af, interface 86, class 86)
[ 47.042835][ T71] em28xx 1-1:0.86: Video interface 86 found: executing program
[ 47.280640][ T71] em28xx 1-1:0.86: unknown em28xx chip ID (0)
[ 47.440629][ T71] em28xx 1-1:0.86: reading from i2c device at 0xa0 failed (error=-5)
[ 47.449151][ T71] em28xx 1-1:0.86: board has no eeprom
[ 47.570561][ T71] em28xx 1-1:0.86: Identified as Terratec Grabby (card=67)
[ 47.577991][ T71] em28xx 1-1:0.86: analog set to bulk mode.
[ 47.592136][ T71] usb 1-1: USB disconnect, device number 2
[ 47.601930][ T71] em28xx 1-1:0.86: Disconnecting em28xx
[ 47.610437][ T5] em28xx 1-1:0.86: Registering V4L2 extension
[ 47.652694][ T5] em28xx 1-1:0.86: Config register raw data: 0xffffffed
[ 47.659726][ T5] em28xx 1-1:0.86: AC97 chip type couldn't be determined
[ 47.666831][ T5] em28xx 1-1:0.86: No AC97 audio processor
[ 47.674047][ T5] usb 1-1: Decoder not found
[ 47.678675][ T5] em28xx 1-1:0.86: failed to create media graph
[ 47.685149][ T5] em28xx 1-1:0.86: V4L2 device video0 deregistered
[ 47.693066][ T5] em28xx 1-1:0.86: Registering snapshot button...
[ 47.702569][ T5] input: em28xx snapshot button as /devices/platform/dummy_hcd.0/usb1/1-1/1-1:0.86/input/input5
[ 47.714164][ T5] em28xx 1-1:0.86: Remote control support is not available for this card.
[ 47.723795][ T71] em28xx 1-1:0.86: Closing input extension
[ 47.730671][ T71] em28xx 1-1:0.86: Deregistering snapshot button
[ 47.745424][ T71] em28xx 1-1:0.86: Freeing device
[ 48.120333][ T71] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 48.360249][ T71] usb 1-1: Using ep0 maxpacket: 8
[ 48.480275][ T71] usb 1-1: config 0 has an invalid interface number: 86 but max is 0
[ 48.488978][ T71] usb 1-1: config 0 has no interface number 0
[ 48.496448][ T71] usb 1-1: config 0 interface 86 altsetting 0 endpoint 0xE has invalid wMaxPacketSize 0
[ 48.506335][ T71] usb 1-1: config 0 interface 86 altsetting 0 bulk endpoint 0xE has invalid maxpacket 0
[ 48.517175][ T71] usb 1-1: config 0 interface 86 altsetting 0 endpoint 0x82 has invalid wMaxPacketSize 0
[ 48.528794][ T71] usb 1-1: New USB device found, idVendor=0ccd, idProduct=10af, bcdDevice=77.fc
[ 48.538470][ T71] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 48.548095][ T71] usb 1-1: config 0 descriptor??
[ 48.592216][ T71] em28xx 1-1:0.86: New device @ 480 Mbps (0ccd:10af, interface 86, class 86)
[ 48.602080][ T71] em28xx 1-1:0.86: Video interface 86 found: executing program
[ 48.840189][ T71] em28xx 1-1:0.86: unknown em28xx chip ID (0)
[ 48.990083][ T71] em28xx 1-1:0.86: reading from i2c device at 0xa0 failed (error=-5)
[ 48.998215][ T71] em28xx 1-1:0.86: board has no eeprom
[ 49.110017][ T71] em28xx 1-1:0.86: Identified as Terratec Grabby (card=67)
[ 49.118078][ T71] em28xx 1-1:0.86: analog set to bulk mode.
[ 49.130166][ T71] usb 1-1: USB disconnect, device number 3
[ 49.137233][ T71] em28xx 1-1:0.86: Disconnecting em28xx
[ 49.146569][ T5] em28xx 1-1:0.86: Registering V4L2 extension
[ 49.156965][ T5] em28xx 1-1:0.86: Config register raw data: 0xffffffed
[ 49.163998][ T5] em28xx 1-1:0.86: AC97 chip type couldn't be determined
[ 49.171079][ T5] em28xx 1-1:0.86: No AC97 audio processor
[ 49.177463][ T5] usb 1-1: Decoder not found
[ 49.182147][ T5] em28xx 1-1:0.86: failed to create media graph
[ 49.189979][ T5] em28xx 1-1:0.86: V4L2 device video0 deregistered
[ 49.198587][ T5] em28xx 1-1:0.86: Registering snapshot button...
[ 49.198754][ T361] ==================================================================
[ 49.210664][ T5] input: em28xx snapshot button as /devices/platform/dummy_hcd.0/usb1/1-1/1-1:0.86/input/input6
[ 49.216342][ T361] BUG: KASAN: use-after-free in v4l2_fh_init+0x279/0x2c0
[ 49.228651][ T5] em28xx 1-1:0.86: Remote control support is not available for this card.
[ 49.234188][ T361] Read of size 8 at addr ffff8881ccce48c0 by task v4l_id/361
[ 49.234192][ T361]
[ 49.234207][ T361] CPU: 1 PID: 361 Comm: v4l_id Not tainted 5.9.0-rc8-syzkaller #0
[ 49.234214][ T361] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.234219][ T361] Call Trace:
[ 49.234237][ T361] dump_stack+0x107/0x16e
[ 49.234251][ T361] ? v4l2_fh_init+0x279/0x2c0
[ 49.234261][ T361] ? v4l2_fh_init+0x279/0x2c0
[ 49.234278][ T361] print_address_description.constprop.0+0x1c/0x210
[ 49.234296][ T361] ? vprintk_func+0x93/0x133
[ 49.270662][ T71] em28xx 1-1:0.86: Closing input extension
[ 49.277767][ T361] ? v4l2_fh_init+0x279/0x2c0
[ 49.281159][ T71] em28xx 1-1:0.86: Deregistering snapshot button
[ 49.289110][ T361] ? v4l2_fh_init+0x279/0x2c0
[ 49.289133][ T361] kasan_report.cold+0x37/0x7c
[ 49.336883][ T361] ? kasan_unpoison_shadow+0x20/0x40
[ 49.342154][ T361] ? v4l2_fh_init+0x279/0x2c0
[ 49.346937][ T361] v4l2_fh_init+0x279/0x2c0
[ 49.351696][ T361] v4l2_fh_open+0x88/0xc0
[ 49.356176][ T361] em28xx_v4l2_open+0x11c/0x570
[ 49.361194][ T361] v4l2_open+0x20f/0x3d0
[ 49.365480][ T361] ? v4l2_release+0x390/0x390
[ 49.370148][ T361] chrdev_open+0x266/0x770
[ 49.374632][ T361] ? cdev_device_add+0x210/0x210
[ 49.379570][ T361] ? security_file_open+0x205/0x4f0
[ 49.385334][ T361] do_dentry_open+0x4b4/0x1090
[ 49.390102][ T361] ? cdev_device_add+0x210/0x210
[ 49.395144][ T361] ? may_open+0x1e4/0x400
[ 49.399481][ T361] path_openat+0x190d/0x2690
[ 49.404061][ T361] ? path_lookupat+0x830/0x830
[ 49.408856][ T361] ? lockdep_hardirqs_on_prepare+0x4f0/0x4f0
[ 49.414844][ T361] do_filp_open+0x17e/0x3c0
[ 49.419358][ T361] ? may_open_dev+0xf0/0xf0
[ 49.424078][ T361] ? do_raw_spin_lock+0x120/0x260
[ 49.429240][ T361] ? rwlock_bug.part.0+0x90/0x90
[ 49.434195][ T361] ? _raw_spin_unlock+0x1a/0x30
[ 49.439117][ T361] ? __alloc_fd+0x28d/0x600
[ 49.447252][ T361] do_sys_openat2+0x16d/0x420
[ 49.451922][ T361] ? build_open_flags+0x650/0x650
[ 49.457363][ T361] __x64_sys_open+0x119/0x1c0
[ 49.462213][ T361] ? do_sys_open+0x140/0x140
[ 49.466987][ T361] ? __secure_computing+0xb4/0x290
[ 49.472080][ T361] do_syscall_64+0x2d/0x40
[ 49.476478][ T361] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 49.484180][ T361] RIP: 0033:0x7f6a35140840
[ 49.488619][ T361] Code: 73 01 c3 48 8b 0d 68 77 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 bb 20 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 1e f6 ff ff 48 89 04 24
[ 49.508439][ T361] RSP: 002b:00007ffe97fa89c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 49.517354][ T361] RAX: ffffffffffffffda RBX: 00007ffe97fa8b38 RCX: 00007f6a35140840
[ 49.525314][ T361] RDX: 00007f6a3512cea0 RSI: 0000000000000000 RDI: 00007ffe97fa8f24
[ 49.535146][ T361] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 49.543246][ T361] R10: 0000000000000002 R11: 0000000000000246 R12: 00005592c8dca8d0
[ 49.553837][ T361] R13: 00007ffe97fa8b30 R14: 0000000000000000 R15: 0000000000000000
[ 49.563463][ T361]
[ 49.565871][ T361] The buggy address belongs to the page:
[ 49.571507][ T361] page:00000000e811311c refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1ccce4
[ 49.581989][ T361] flags: 0x200000000000000()
[ 49.586590][ T361] raw: 0200000000000000 ffffea00073fd408 ffff88821fffabd0 0000000000000000
[ 49.595173][ T361] raw: 0000000000000000 0000000000000002 00000000ffffff7f 0000000000000000
[ 49.603863][ T361] page dumped because: kasan: bad access detected
[ 49.610750][ T361]
[ 49.613057][ T361] Memory state around the buggy address:
[ 49.618678][ T361] ffff8881ccce4780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 49.627151][ T361] ffff8881ccce4800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 49.635204][ T361] >ffff8881ccce4880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 49.644430][ T361] ^
[ 49.651397][ T361] ffff8881ccce4900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 49.659559][ T361] ffff8881ccce4980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 49.668343][ T361] ==================================================================
[ 49.679863][ T361] Disabling lock debugging due to kernel taint
[ 49.686916][ T361] Kernel panic - not syncing: panic_on_warn set ...
[ 49.695027][ T361] CPU: 1 PID: 361 Comm: v4l_id Tainted: G B 5.9.0-rc8-syzkaller #0
[ 49.706203][ T361] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.721145][ T361] Call Trace:
[ 49.724654][ T361] dump_stack+0x107/0x16e
[ 49.728979][ T361] ? v4l2_fh_init+0x250/0x2c0
[ 49.733638][ T361] panic+0x2cb/0x702
[ 49.737644][ T361] ? __warn_printk+0xf3/0xf3
[ 49.742306][ T361] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 49.748539][ T361] ? trace_hardirqs_on+0x55/0x200
[ 49.753537][ T361] ? v4l2_fh_init+0x279/0x2c0
[ 49.758289][ T361] ? v4l2_fh_init+0x279/0x2c0
[ 49.763132][ T361] end_report+0x4d/0x53
[ 49.767478][ T361] kasan_report.cold+0x72/0x7c
[ 49.772218][ T361] ? kasan_unpoison_shadow+0x20/0x40
[ 49.777693][ T361] ? v4l2_fh_init+0x279/0x2c0
[ 49.782406][ T361] v4l2_fh_init+0x279/0x2c0
[ 49.786907][ T361] v4l2_fh_open+0x88/0xc0
[ 49.798348][ T361] em28xx_v4l2_open+0x11c/0x570
[ 49.803582][ T361] v4l2_open+0x20f/0x3d0
[ 49.807819][ T361] ? v4l2_release+0x390/0x390
[ 49.812507][ T361] chrdev_open+0x266/0x770
[ 49.818117][ T361] ? cdev_device_add+0x210/0x210
[ 49.828916][ T361] ? security_file_open+0x205/0x4f0
[ 49.834303][ T361] do_dentry_open+0x4b4/0x1090
[ 49.843400][ T361] ? cdev_device_add+0x210/0x210
[ 49.848484][ T361] ? may_open+0x1e4/0x400
[ 49.852812][ T361] path_openat+0x190d/0x2690
[ 49.858529][ T361] ? path_lookupat+0x830/0x830
[ 49.863272][ T361] ? lockdep_hardirqs_on_prepare+0x4f0/0x4f0
[ 49.869237][ T361] do_filp_open+0x17e/0x3c0
[ 49.873744][ T361] ? may_open_dev+0xf0/0xf0
[ 49.878350][ T361] ? do_raw_spin_lock+0x120/0x260
[ 49.883354][ T361] ? rwlock_bug.part.0+0x90/0x90
[ 49.888272][ T361] ? _raw_spin_unlock+0x1a/0x30
[ 49.893292][ T361] ? __alloc_fd+0x28d/0x600
[ 49.897778][ T361] do_sys_openat2+0x16d/0x420
[ 49.902430][ T361] ? build_open_flags+0x650/0x650
[ 49.907426][ T361] __x64_sys_open+0x119/0x1c0
[ 49.912728][ T361] ? do_sys_open+0x140/0x140
[ 49.917352][ T361] ? __secure_computing+0xb4/0x290
[ 49.922450][ T361] do_syscall_64+0x2d/0x40
[ 49.926944][ T361] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 49.946732][ T361] RIP: 0033:0x7f6a35140840
[ 49.951128][ T361] Code: 73 01 c3 48 8b 0d 68 77 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 bb 20 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 1e f6 ff ff 48 89 04 24
[ 49.983214][ T361] RSP: 002b:00007ffe97fa89c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 49.992004][ T361] RAX: ffffffffffffffda RBX: 00007ffe97fa8b38 RCX: 00007f6a35140840
[ 49.999970][ T361] RDX: 00007f6a3512cea0 RSI: 0000000000000000 RDI: 00007ffe97fa8f24
[ 50.010994][ T361] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 50.018959][ T361] R10: 0000000000000002 R11: 0000000000000246 R12: 00005592c8dca8d0
[ 50.027515][ T361] R13: 00007ffe97fa8b30 R14: 0000000000000000 R15: 0000000000000000
[ 50.036576][ T361] Kernel Offset: disabled
[ 50.040993][ T361] Rebooting in 86400 seconds..