Warning: Permanently added '10.128.15.195' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 52.366458][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 52.456593][ T83] usb 1-1: Using ep0 maxpacket: 32
[ 52.576490][ T83] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x82 has invalid wMaxPacketSize 0
[ 52.736520][ T83] usb 1-1: New USB device found, idVendor=eb1a, idProduct=a316, bcdDevice=5c.26
[ 52.745559][ T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 52.753564][ T83] usb 1-1: Product: syz
[ 52.757742][ T83] usb 1-1: Manufacturer: syz
[ 52.762332][ T83] usb 1-1: SerialNumber: syz
[ 52.768685][ T83] usb 1-1: config 0 descriptor??
[ 52.808424][ T83] em28xx 1-1:0.0: New device syz syz @ 480 Mbps (eb1a:a316, interface 0, class 0)
[ 52.817775][ T83] em28xx 1-1:0.0: Video interface 0 found:
executing program
[ 53.056472][ T83] em28xx 1-1:0.0: unknown em28xx chip ID (0)
[ 53.286462][ T83] em28xx 1-1:0.0: reading from i2c device at 0xa0 failed (error=-5)
[ 53.294552][ T83] em28xx 1-1:0.0: board has no eeprom
[ 53.406402][ T83] em28xx 1-1:0.0: Identified as Kworld PlusTV HD Hybrid 330 (card=57)
[ 53.414610][ T83] em28xx 1-1:0.0: analog set to bulk mode.
[ 53.421351][ T17] em28xx 1-1:0.0: Registering V4L2 extension
[ 53.429922][ T83] usb 1-1: USB disconnect, device number 2
[ 53.437843][ T83] em28xx 1-1:0.0: Disconnecting em28xx
[ 53.455561][ T17] em28xx 1-1:0.0: Config register raw data: 0xffffffed
[ 53.462522][ T17] em28xx 1-1:0.0: AC97 chip type couldn't be determined
[ 53.469489][ T17] em28xx 1-1:0.0: No AC97 audio processor
[ 53.476475][ T17] usb 1-1: Decoder not found
[ 53.481068][ T17] em28xx 1-1:0.0: failed to create media graph
[ 53.487515][ T17] em28xx 1-1:0.0: V4L2 device video0 deregistered
[ 53.494919][ T17] em28xx 1-1:0.0: Binding DVB extension
[ 53.500598][ T17] em28xx 1-1:0.0: no endpoint for DVB mode and transfer type 0
[ 53.508186][ T17] em28xx 1-1:0.0: failed to pre-allocate USB transfer buffers for DVB.
[ 53.516502][ T17] em28xx 1-1:0.0: Remote control support is not available for this card.
[ 53.525037][ T83] em28xx 1-1:0.0: Closing input extension
[ 53.532778][ T83] em28xx 1-1:0.0: Freeing device
[ 53.886451][ T83] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 53.976491][ T83] usb 1-1: Using ep0 maxpacket: 32
[ 54.096491][ T83] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x82 has invalid wMaxPacketSize 0
[ 54.256531][ T83] usb 1-1: New USB device found, idVendor=eb1a, idProduct=a316, bcdDevice=5c.26
[ 54.265600][ T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 54.273610][ T83] usb 1-1: Product: syz
[ 54.277827][ T83] usb 1-1: Manufacturer: syz
[ 54.282431][ T83] usb 1-1: SerialNumber: syz
[ 54.288373][ T83] usb 1-1: config 0 descriptor??
[ 54.327707][ T83] em28xx 1-1:0.0: New device syz syz @ 480 Mbps (eb1a:a316, interface 0, class 0)
[ 54.336940][ T83] em28xx 1-1:0.0: Video interface 0 found:
executing program
[ 54.566623][ T83] em28xx 1-1:0.0: unknown em28xx chip ID (0)
[ 54.786447][ T83] em28xx 1-1:0.0: reading from i2c device at 0xa0 failed (error=-5)
[ 54.794460][ T83] em28xx 1-1:0.0: board has no eeprom
[ 54.906399][ T83] em28xx 1-1:0.0: Identified as Kworld PlusTV HD Hybrid 330 (card=57)
[ 54.914598][ T83] em28xx 1-1:0.0: analog set to bulk mode.
[ 54.920905][ T17] em28xx 1-1:0.0: Registering V4L2 extension
[ 54.928854][ T83] usb 1-1: USB disconnect, device number 3
[ 54.942787][ T17] em28xx 1-1:0.0: reading from i2c device at 0xb8 failed (error=-19)
[ 54.951473][ T83] em28xx 1-1:0.0: Disconnecting em28xx
[ 54.961272][ T17] em28xx 1-1:0.0: Config register raw data: 0xffffffed
[ 54.968198][ T17] em28xx 1-1:0.0: AC97 chip type couldn't be determined
[ 54.975111][ T17] em28xx 1-1:0.0: No AC97 audio processor
[ 54.981595][ T17] usb 1-1: Decoder not found
[ 54.986202][ T17] em28xx 1-1:0.0: failed to create media graph
[ 54.992473][ T17] em28xx 1-1:0.0: V4L2 device video0 deregistered
[ 54.999671][ T17] em28xx 1-1:0.0: Binding DVB extension
[ 54.999820][ T1810] ==================================================================
[ 55.005232][ T17] em28xx 1-1:0.0: no endpoint for DVB mode and transfer type 0
[ 55.013325][ T1810] BUG: KASAN: use-after-free in v4l2_fh_init+0x279/0x2c0
[ 55.013335][ T1810] Read of size 8 at addr ffff8881cdbd4870 by task v4l_id/1810
[ 55.013339][ T1810]
[ 55.013351][ T1810] CPU: 0 PID: 1810 Comm: v4l_id Not tainted 5.6.0-rc3-syzkaller #0
[ 55.013358][ T1810] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.013362][ T1810] Call Trace:
[ 55.013377][ T1810] dump_stack+0xef/0x16e
[ 55.013388][ T1810] ? v4l2_fh_init+0x279/0x2c0
[ 55.013398][ T1810] ? v4l2_fh_init+0x279/0x2c0
[ 55.013414][ T1810] print_address_description.constprop.0.cold+0xd3/0x314
[ 55.013430][ T1810] ? v4l2_fh_init+0x279/0x2c0
[ 55.020991][ T17] em28xx 1-1:0.0: failed to pre-allocate USB transfer buffers for DVB.
[ 55.027953][ T1810] ? v4l2_fh_init+0x279/0x2c0
[ 55.027968][ T1810] __kasan_report.cold+0x37/0x77
[ 55.027979][ T1810] ? v4l2_fh_init+0x279/0x2c0
[ 55.027998][ T1810] kasan_report+0xe/0x20
[ 55.035446][ T17] em28xx 1-1:0.0: Remote control support is not available for this card.
[ 55.037738][ T1810] v4l2_fh_init+0x279/0x2c0
[ 55.037749][ T1810] v4l2_fh_open+0x88/0xc0
[ 55.037762][ T1810] em28xx_v4l2_open+0x11a/0x570
[ 55.037779][ T1810] v4l2_open+0x20f/0x3d0
[ 55.045721][ T83] em28xx 1-1:0.0: Closing input extension
[ 55.055690][ T1810] ? v4l2_release+0x390/0x390
[ 55.055702][ T1810] chrdev_open+0x219/0x5c0
[ 55.055714][ T1810] ? cdev_put.part.0+0x50/0x50
[ 55.055728][ T1810] do_dentry_open+0x494/0x1120
[ 55.055744][ T1810] ? cdev_put.part.0+0x50/0x50
[ 55.165951][ T1810] ? chmod_common+0x3c0/0x3c0
[ 55.170618][ T1810] ? inode_permission+0xbe/0x3a0
[ 55.175533][ T1810] path_openat+0x1222/0x32a0
[ 55.180103][ T1810] ? path_mountpoint.isra.0+0x370/0x370
[ 55.185623][ T1810] ? __lock_acquire+0x145e/0x3b60
[ 55.190621][ T1810] do_filp_open+0x192/0x260
[ 55.195110][ T1810] ? may_open_dev+0xf0/0xf0
[ 55.199587][ T1810] ? __alloc_fd+0x46d/0x600
[ 55.204067][ T1810] ? do_raw_spin_lock+0x129/0x290
[ 55.209065][ T1810] ? _raw_spin_unlock+0x1a/0x30
[ 55.213888][ T1810] ? __alloc_fd+0x46d/0x600
[ 55.218365][ T1810] do_sys_openat2+0x54c/0x740
[ 55.223016][ T1810] ? file_open_root+0x3d0/0x3d0
[ 55.227843][ T1810] ? up_read+0x1ab/0x750
[ 55.232058][ T1810] do_sys_open+0xc3/0x140
[ 55.236378][ T1810] ? filp_open+0x70/0x70
[ 55.240620][ T1810] ? trace_hardirqs_off_caller+0x55/0x200
[ 55.246316][ T1810] do_syscall_64+0xb6/0x5a0
[ 55.250811][ T1810] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.256712][ T1810] RIP: 0033:0x7ff248bcf120
[ 55.261106][ T1810] Code: 48 8b 15 1b 4d 2b 00 f7 d8 64 89 02 83 c8 ff c3 90 90 90 90 90 90 90 90 90 90 83 3d d5 a4 2b 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 5e 8c 01 00 48 89 04 24
[ 55.280685][ T1810] RSP: 002b:00007fff212825a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 55.289116][ T1810] RAX: ffffffffffffffda RBX: 00007fff21282708 RCX: 00007ff248bcf120
[ 55.297069][ T1810] RDX: 00007ff248e84138 RSI: 0000000000000000 RDI: 00007fff21283f1f
[ 55.305015][ T1810] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 55.312962][ T1810] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400884
[ 55.320909][ T1810] R13: 00007fff21282700 R14: 0000000000000000 R15: 0000000000000000
[ 55.328856][ T1810]
[ 55.331162][ T1810] Allocated by task 17:
[ 55.335304][ T1810] save_stack+0x1b/0x80
[ 55.339453][ T1810] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 55.345074][ T1810] em28xx_v4l2_init.cold+0x93/0x33eb
[ 55.350334][ T1810] em28xx_init_extension+0x12f/0x1f0
[ 55.355600][ T1810] request_module_async+0x5d/0x70
[ 55.360613][ T1810] process_one_work+0x94b/0x1620
[ 55.365527][ T1810] worker_thread+0x96/0xe20
[ 55.370004][ T1810] kthread+0x318/0x420
[ 55.374052][ T1810] ret_from_fork+0x24/0x30
[ 55.378437][ T1810]
[ 55.380759][ T1810] Freed by task 17:
[ 55.384542][ T1810] save_stack+0x1b/0x80
[ 55.388672][ T1810] __kasan_slab_free+0x117/0x160
[ 55.393594][ T1810] kfree+0xd5/0x300
[ 55.397385][ T1810] em28xx_v4l2_init.cold+0x2d4/0x33eb
[ 55.402747][ T1810] em28xx_init_extension+0x12f/0x1f0
[ 55.408008][ T1810] request_module_async+0x5d/0x70
[ 55.413013][ T1810] process_one_work+0x94b/0x1620
[ 55.417924][ T1810] worker_thread+0x96/0xe20
[ 55.422398][ T1810] kthread+0x318/0x420
[ 55.426442][ T1810] ret_from_fork+0x24/0x30
[ 55.430829][ T1810]
[ 55.433142][ T1810] The buggy address belongs to the object at ffff8881cdbd4000
[ 55.433142][ T1810]  which belongs to the cache kmalloc-8k of size 8192
[ 55.447168][ T1810] The buggy address is located 2160 bytes inside of
[ 55.447168][ T1810]  8192-byte region [ffff8881cdbd4000, ffff8881cdbd6000)
[ 55.460583][ T1810] The buggy address belongs to the page:
[ 55.466192][ T1810] page:ffffea000736f400 refcount:1 mapcount:0 mapping:ffff8881da00c500 index:0x0 compound_mapcount: 0
[ 55.477092][ T1810] flags: 0x200000000010200(slab|head)
[ 55.482468][ T1810] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c500
[ 55.491030][ T1810] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 55.499587][ T1810] page dumped because: kasan: bad access detected
[ 55.505978][ T1810]
[ 55.508277][ T1810] Memory state around the buggy address:
[ 55.513895][ T1810]  ffff8881cdbd4700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.521975][ T1810]  ffff8881cdbd4780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.530032][ T1810] >ffff8881cdbd4800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.538067][ T1810]                                                              ^
[ 55.545764][ T1810]  ffff8881cdbd4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.553808][ T1810]  ffff8881cdbd4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.561841][ T1810] ==================================================================
[ 55.569873][ T1810] Disabling lock debugging due to kernel taint
[ 55.576101][ T1810] Kernel panic - not syncing: panic_on_warn set ...
[ 55.582691][ T1810] CPU: 0 PID: 1810 Comm: v4l_id Tainted: G B 5.6.0-rc3-syzkaller #0
[ 55.591940][ T1810] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.601967][ T1810] Call Trace:
[ 55.605231][ T1810] dump_stack+0xef/0x16e
[ 55.609451][ T1810] panic+0x2aa/0x6e1
[ 55.613324][ T1810] ? add_taint.cold+0x16/0x16
[ 55.617982][ T1810] ? retint_kernel+0x10/0x10
[ 55.622563][ T1810] ? trace_hardirqs_on+0x55/0x200
[ 55.627563][ T1810] ? v4l2_fh_init+0x279/0x2c0
[ 55.632215][ T1810] end_report+0x43/0x49
[ 55.636356][ T1810] ? v4l2_fh_init+0x279/0x2c0
[ 55.641027][ T1810] __kasan_report.cold+0x55/0x77
[ 55.645942][ T1810] ? v4l2_fh_init+0x279/0x2c0
[ 55.650593][ T1810] kasan_report+0xe/0x20
[ 55.654854][ T1810] v4l2_fh_init+0x279/0x2c0
[ 55.659335][ T1810] v4l2_fh_open+0x88/0xc0
[ 55.663642][ T1810] em28xx_v4l2_open+0x11a/0x570
[ 55.668477][ T1810] v4l2_open+0x20f/0x3d0
[ 55.672699][ T1810] ? v4l2_release+0x390/0x390
[ 55.677350][ T1810] chrdev_open+0x219/0x5c0
[ 55.681738][ T1810] ? cdev_put.part.0+0x50/0x50
[ 55.686482][ T1810] do_dentry_open+0x494/0x1120
[ 55.691220][ T1810] ? cdev_put.part.0+0x50/0x50
[ 55.695957][ T1810] ? chmod_common+0x3c0/0x3c0
[ 55.700607][ T1810] ? inode_permission+0xbe/0x3a0
[ 55.705519][ T1810] path_openat+0x1222/0x32a0
[ 55.710090][ T1810] ? path_mountpoint.isra.0+0x370/0x370
[ 55.715628][ T1810] ? __lock_acquire+0x145e/0x3b60
[ 55.720627][ T1810] do_filp_open+0x192/0x260
[ 55.725104][ T1810] ? may_open_dev+0xf0/0xf0
[ 55.729581][ T1810] ? __alloc_fd+0x46d/0x600
[ 55.734061][ T1810] ? do_raw_spin_lock+0x129/0x290
[ 55.739076][ T1810] ? _raw_spin_unlock+0x1a/0x30
[ 55.743947][ T1810] ? __alloc_fd+0x46d/0x600
[ 55.748446][ T1810] do_sys_openat2+0x54c/0x740
[ 55.753109][ T1810] ? file_open_root+0x3d0/0x3d0
[ 55.757936][ T1810] ? up_read+0x1ab/0x750
[ 55.762155][ T1810] do_sys_open+0xc3/0x140
[ 55.766468][ T1810] ? filp_open+0x70/0x70
[ 55.770688][ T1810] ? trace_hardirqs_off_caller+0x55/0x200
[ 55.776388][ T1810] do_syscall_64+0xb6/0x5a0
[ 55.780877][ T1810] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.786759][ T1810] RIP: 0033:0x7ff248bcf120
[ 55.791180][ T1810] Code: 48 8b 15 1b 4d 2b 00 f7 d8 64 89 02 83 c8 ff c3 90 90 90 90 90 90 90 90 90 90 83 3d d5 a4 2b 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 5e 8c 01 00 48 89 04 24
[ 55.810803][ T1810] RSP: 002b:00007fff212825a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 55.819203][ T1810] RAX: ffffffffffffffda RBX: 00007fff21282708 RCX: 00007ff248bcf120
[ 55.827546][ T1810] RDX: 00007ff248e84138 RSI: 0000000000000000 RDI: 00007fff21283f1f
[ 55.835491][ T1810] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 55.843439][ T1810] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400884
[ 55.851385][ T1810] R13: 00007fff21282700 R14: 0000000000000000 R15: 0000000000000000
[ 55.859764][ T1810] Kernel Offset: disabled
[ 55.864075][ T1810] Rebooting in 86400 seconds..