Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
[ 13.185899][ C1] random: crng init done
[ 13.185928][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.232' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 24.580866][ T12] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 24.820578][ T12] usb 1-1: Using ep0 maxpacket: 32
[ 24.960551][ T12] usb 1-1: config 0 has an invalid interface number: 254 but max is 0
[ 24.969588][ T12] usb 1-1: config 0 has no interface number 0
[ 24.976228][ T12] usb 1-1: config 0 interface 254 altsetting 0 endpoint 0x82 has an invalid bInterval 0, changing to 7
[ 25.150247][ T12] usb 1-1: New USB device found, idVendor=eb1a, idProduct=e303, bcdDevice=29.3d
[ 25.159480][ T12] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 25.167746][ T12] usb 1-1: Product: syz
[ 25.172246][ T12] usb 1-1: Manufacturer: syz
[ 25.177083][ T12] usb 1-1: SerialNumber: syz
[ 25.183759][ T12] usb 1-1: config 0 descriptor??
executing program
[ 25.462447][ T12] em28xx 1-1:0.254: New device syz syz @ 480 Mbps (eb1a:e303, interface 254, class 254)
[ 25.472538][ T12] em28xx 1-1:0.254: Video interface 254 found:
[ 25.599751][ T12] em28xx 1-1:0.254: unknown em28xx chip ID (0)
[ 25.929397][ T12] em28xx 1-1:0.254: reading from i2c device at 0xa0 failed (error=-5)
[ 25.937810][ T12] em28xx 1-1:0.254: board has no eeprom
[ 26.049225][ T12] em28xx 1-1:0.254: Identified as Kaiomy TVnPC U2 (card=63)
[ 26.056653][ T12] em28xx 1-1:0.254: analog set to bulk mode.
[ 26.065499][ T12] usb 1-1: USB disconnect, device number 2
[ 26.073191][ T12] em28xx 1-1:0.254: Disconnecting em28xx
[ 26.079235][ T5] em28xx 1-1:0.254: Registering V4L2 extension
[ 26.095590][ T5] i2c i2c-0: Invalid 7-bit I2C address 0x00
[ 26.105976][ T5] tuner: 0-0061: Tuner -1 found with type(s) Radio TV.
[ 26.116211][ T5] xc2028 0-0061: creating new instance
[ 26.121891][ T5] xc2028 0-0061: type set to XCeive xc2028/xc3028 tuner
[ 26.128970][ T5] em28xx 1-1:0.254: Config register raw data: 0xffffffed
[ 26.136834][ T5] em28xx 1-1:0.254: AC97 chip type couldn't be determined
[ 26.143998][ T5] em28xx 1-1:0.254: No AC97 audio processor
[ 26.151513][ T5] em28xx 1-1:0.254: Registered radio device as radio0
[ 26.158305][ T5] usb 1-1: Decoder not found
[ 26.162984][ T5] em28xx 1-1:0.254: failed to create media graph
[ 26.169446][ T5] em28xx 1-1:0.254: V4L2 device radio0 deregistered
[ 26.177566][ T5] em28xx 1-1:0.254: V4L2 device video0 deregistered
[ 26.184714][ T69] em28xx 1-1:0.254: Direct firmware load for xc3028-v27.fw failed with error -2
[ 26.193995][ T69] xc2028 0-0061: Could not load firmware xc3028-v27.fw.
[ 26.202308][ T5] xc2028 0-0061: destroying instance
[ 26.208194][ T5] em28xx 1-1:0.254: Registering input extension
[ 26.208299][ T354] ==================================================================
[ 26.215866][ T12] em28xx 1-1:0.254: Closing input extension
[ 26.222529][ T354] BUG: KASAN: use-after-free in v4l2_fh_init+0x279/0x2c0
[ 26.222540][ T354] Read of size 8 at addr ffff8881cd21c8c8 by task v4l_id/354
[ 26.222544][ T354]
[ 26.222557][ T354] CPU: 1 PID: 354 Comm: v4l_id Not tainted 5.8.0-rc1-syzkaller #0
[ 26.222564][ T354] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.222569][ T354] Call Trace:
[ 26.222587][ T354] dump_stack+0xf6/0x16e
[ 26.270443][ T354] ? v4l2_fh_init+0x279/0x2c0
[ 26.275094][ T354] ? v4l2_fh_init+0x279/0x2c0
[ 26.279748][ T354] print_address_description.constprop.0.cold+0xd3/0x415
[ 26.286801][ T354] ? vprintk_func+0x93/0x133
[ 26.291365][ T354] ? v4l2_fh_init+0x279/0x2c0
[ 26.296015][ T354] kasan_report.cold+0x37/0x7c
[ 26.301760][ T354] ? memmove+0x50/0x60
[ 26.305802][ T354] ? v4l2_fh_init+0x279/0x2c0
[ 26.310451][ T354] v4l2_fh_init+0x279/0x2c0
[ 26.314928][ T354] v4l2_fh_open+0x88/0xc0
[ 26.319239][ T354] em28xx_v4l2_open+0x11a/0x570
[ 26.324080][ T354] v4l2_open+0x20f/0x3d0
[ 26.328297][ T354] ? v4l2_release+0x390/0x390
[ 26.332947][ T354] chrdev_open+0x219/0x5c0
[ 26.337339][ T354] ? cdev_put.part.0+0x50/0x50
[ 26.342079][ T354] ? security_file_open+0x84/0x410
[ 26.347181][ T354] do_dentry_open+0x4fd/0x1170
[ 26.351930][ T354] ? cdev_put.part.0+0x50/0x50
[ 26.356675][ T354] path_openat+0x1cc5/0x26c0
[ 26.361303][ T354] ? path_lookupat.isra.0+0x530/0x530
[ 26.366656][ T354] ? lockdep_hardirqs_on_prepare+0x550/0x550
[ 26.372624][ T354] ? lockdep_hardirqs_on_prepare+0x550/0x550
[ 26.378577][ T354] ? filemap_map_pages+0x8a2/0x1010
[ 26.383763][ T354] do_filp_open+0x192/0x260
[ 26.388248][ T354] ? may_open_dev+0xf0/0xf0
[ 26.392738][ T354] ? do_raw_spin_lock+0x120/0x290
[ 26.397743][ T354] ? _raw_spin_unlock+0x1a/0x30
[ 26.403620][ T354] ? __alloc_fd+0x463/0x600
[ 26.408105][ T354] do_sys_openat2+0x585/0x7d0
[ 26.412807][ T354] ? file_open_root+0x400/0x400
[ 26.417632][ T354] ? prepare_exit_to_usermode+0xa/0x30
[ 26.423067][ T354] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.428591][ T354] do_sys_open+0xc3/0x140
[ 26.432895][ T354] ? filp_open+0x70/0x70
[ 26.437112][ T354] ? __secure_computing+0xb4/0x280
[ 26.442199][ T354] ? syscall_trace_enter+0x108/0x320
[ 26.447456][ T354] do_syscall_64+0x50/0x90
[ 26.451849][ T354] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 26.457716][ T354] RIP: 0033:0x7f9b8fd85840
[ 26.462101][ T354] Code: Bad RIP value.
[ 26.466140][ T354] RSP: 002b:00007ffe56bbd5a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 26.474571][ T354] RAX: ffffffffffffffda RBX: 00007ffe56bbd718 RCX: 00007f9b8fd85840
[ 26.482519][ T354] RDX: 00007f9b8fd71ea0 RSI: 0000000000000000 RDI: 00007ffe56bbdf23
[ 26.490487][ T354] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 26.498449][ T354] R10: 0000000000000002 R11: 0000000000000246 R12: 0000565511e988d0
[ 26.506395][ T354] R13: 00007ffe56bbd710 R14: 0000000000000000 R15: 0000000000000000
[ 26.514342][ T354]
[ 26.516643][ T354] The buggy address belongs to the page:
[ 26.522273][ T354] page:ffffea0007348700 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0
[ 26.531614][ T354] flags: 0x200000000000000()
[ 26.536282][ T354] raw: 0200000000000000 ffff88821fffabd0 ffff88821fffabd0 0000000000000000
[ 26.544985][ T354] raw: 0000000000000000 0000000000000002 00000000ffffff7f 0000000000000000
[ 26.553584][ T354] page dumped because: kasan: bad access detected
[ 26.559968][ T354]
[ 26.562273][ T354] Memory state around the buggy address:
[ 26.567883][ T354] ffff8881cd21c780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.575918][ T354] ffff8881cd21c800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.583988][ T354] >ffff8881cd21c880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.592020][ T354] ^
[ 26.598405][ T354] ffff8881cd21c900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.606571][ T354] ffff8881cd21c980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.614603][ T354] ==================================================================
[ 26.622633][ T354] Disabling lock debugging due to kernel taint
[ 26.628880][ T354] Kernel panic - not syncing: panic_on_warn set ...
[ 26.635468][ T354] CPU: 1 PID: 354 Comm: v4l_id Tainted: G B 5.8.0-rc1-syzkaller #0
[ 26.644666][ T354] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.654699][ T354] Call Trace:
[ 26.657966][ T354] dump_stack+0xf6/0x16e
[ 26.662183][ T354] ? v4l2_fh_init+0x240/0x2c0
[ 26.667093][ T354] panic+0x2aa/0x6e1
[ 26.670964][ T354] ? __warn_printk+0xf3/0xf3
[ 26.675528][ T354] ? v4l2_fh_init+0x279/0x2c0
[ 26.680180][ T354] ? trace_hardirqs_on+0x55/0x200
[ 26.685177][ T354] ? v4l2_fh_init+0x279/0x2c0
[ 26.689842][ T354] ? v4l2_fh_init+0x279/0x2c0
[ 26.694506][ T354] end_report+0x4d/0x53
[ 26.698635][ T354] kasan_report.cold+0x72/0x7c
[ 26.703373][ T354] ? memmove+0x50/0x60
[ 26.707414][ T354] ? v4l2_fh_init+0x279/0x2c0
[ 26.712081][ T354] v4l2_fh_init+0x279/0x2c0
[ 26.716555][ T354] v4l2_fh_open+0x88/0xc0
[ 26.720859][ T354] em28xx_v4l2_open+0x11a/0x570
[ 26.725680][ T354] v4l2_open+0x20f/0x3d0
[ 26.729915][ T354] ? v4l2_release+0x390/0x390
[ 26.734566][ T354] chrdev_open+0x219/0x5c0
[ 26.738954][ T354] ? cdev_put.part.0+0x50/0x50
[ 26.743688][ T354] ? security_file_open+0x84/0x410
[ 26.748770][ T354] do_dentry_open+0x4fd/0x1170
[ 26.753602][ T354] ? cdev_put.part.0+0x50/0x50
[ 26.758336][ T354] path_openat+0x1cc5/0x26c0
[ 26.762906][ T354] ? path_lookupat.isra.0+0x530/0x530
[ 26.768258][ T354] ? lockdep_hardirqs_on_prepare+0x550/0x550
[ 26.774209][ T354] ? lockdep_hardirqs_on_prepare+0x550/0x550
[ 26.780159][ T354] ? filemap_map_pages+0x8a2/0x1010
[ 26.785327][ T354] do_filp_open+0x192/0x260
[ 26.789801][ T354] ? may_open_dev+0xf0/0xf0
[ 26.794279][ T354] ? do_raw_spin_lock+0x120/0x290
[ 26.799293][ T354] ? _raw_spin_unlock+0x1a/0x30
[ 26.804128][ T354] ? __alloc_fd+0x463/0x600
[ 26.808632][ T354] do_sys_openat2+0x585/0x7d0
[ 26.813280][ T354] ? file_open_root+0x400/0x400
[ 26.818107][ T354] ? prepare_exit_to_usermode+0xa/0x30
[ 26.823542][ T354] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.829088][ T354] do_sys_open+0xc3/0x140
[ 26.833422][ T354] ? filp_open+0x70/0x70
[ 26.837652][ T354] ? __secure_computing+0xb4/0x280
[ 26.842734][ T354] ? syscall_trace_enter+0x108/0x320
[ 26.848009][ T354] do_syscall_64+0x50/0x90
[ 26.852403][ T354] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 26.858285][ T354] RIP: 0033:0x7f9b8fd85840
[ 26.862678][ T354] Code: Bad RIP value.
[ 26.866717][ T354] RSP: 002b:00007ffe56bbd5a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 26.875100][ T354] RAX: ffffffffffffffda RBX: 00007ffe56bbd718 RCX: 00007f9b8fd85840
[ 26.883047][ T354] RDX: 00007f9b8fd71ea0 RSI: 0000000000000000 RDI: 00007ffe56bbdf23
[ 26.890991][ T354] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 26.898955][ T354] R10: 0000000000000002 R11: 0000000000000246 R12: 0000565511e988d0
[ 26.906900][ T354] R13: 00007ffe56bbd710 R14: 0000000000000000 R15: 0000000000000000
[ 26.915422][ T354] Kernel Offset: disabled
[ 26.919753][ T354] Rebooting in 86400 seconds..