Warning: Permanently added '10.128.0.191' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 35.932102][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 36.022201][ T83] usb 1-1: Using ep0 maxpacket: 32
[ 36.142113][ T83] usb 1-1: config 0 has an invalid interface number: 254 but max is 0
[ 36.150318][ T83] usb 1-1: config 0 has no interface number 0
[ 36.156436][ T83] usb 1-1: config 0 interface 254 altsetting 0 endpoint 0x82 has an invalid bInterval 0, changing to 7
[ 36.322125][ T83] usb 1-1: New USB device found, idVendor=eb1a, idProduct=e303, bcdDevice=29.3d
[ 36.331162][ T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 36.339172][ T83] usb 1-1: Product: syz
[ 36.343335][ T83] usb 1-1: Manufacturer: syz
[ 36.347903][ T83] usb 1-1: SerialNumber: syz
[ 36.354325][ T83] usb 1-1: config 0 descriptor??
executing program
[ 36.643792][ T83] em28xx 1-1:0.254: New device syz syz @ 480 Mbps (eb1a:e303, interface 254, class 254)
[ 36.657382][ T83] em28xx 1-1:0.254: Video interface 254 found:
[ 36.792123][ T83] em28xx 1-1:0.254: unknown em28xx chip ID (0)
[ 37.112133][ T83] em28xx 1-1:0.254: reading from i2c device at 0xa0 failed (error=-5)
[ 37.120381][ T83] em28xx 1-1:0.254: board has no eeprom
[ 37.232069][ T83] em28xx 1-1:0.254: Identified as Kaiomy TVnPC U2 (card=63)
[ 37.239479][ T83] em28xx 1-1:0.254: analog set to bulk mode.
[ 37.246398][ T17] em28xx 1-1:0.254: Registering V4L2 extension
[ 37.254715][ T83] usb 1-1: USB disconnect, device number 2
[ 37.267977][ T17] em28xx 1-1:0.254: reading from i2c device at 0xb8 failed (error=-19)
[ 37.276379][ T83] em28xx 1-1:0.254: Disconnecting em28xx
[ 37.285897][ T17] i2c i2c-0: Invalid 7-bit I2C address 0x00
[ 37.296240][ T17] tuner: 0-0061: Tuner -1 found with type(s) Radio TV.
[ 37.303783][ T17] xc2028 0-0061: creating new instance
[ 37.309310][ T17] xc2028 0-0061: type set to XCeive xc2028/xc3028 tuner
[ 37.316685][ T17] em28xx 1-1:0.254: Config register raw data: 0xffffffed
[ 37.323843][ T17] em28xx 1-1:0.254: AC97 chip type couldn't be determined
[ 37.330932][ T17] em28xx 1-1:0.254: No AC97 audio processor
[ 37.339115][ T17] em28xx 1-1:0.254: Registered radio device as radio0
[ 37.346224][ T1789] em28xx 1-1:0.254: Direct firmware load for xc3028-v27.fw failed with error -2
[ 37.355333][ T17] usb 1-1: Decoder not found
[ 37.359916][ T17] em28xx 1-1:0.254: failed to create media graph
[ 37.366327][ T1789] xc2028 0-0061: Could not load firmware xc3028-v27.fw.
[ 37.373364][ T17] em28xx 1-1:0.254: V4L2 device radio0 deregistered
[ 37.380806][ T17] em28xx 1-1:0.254: V4L2 device video0 deregistered
[ 37.388511][ T17] xc2028 0-0061: destroying instance
[ 37.394272][ T17] em28xx 1-1:0.254: Registering input extension
[ 37.400750][ T83] em28xx 1-1:0.254: Closing input extension
[ 37.408498][ T83] em28xx 1-1:0.254: Freeing device
[ 37.762083][ T83] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 37.852120][ T83] usb 1-1: Using ep0 maxpacket: 32
[ 37.972112][ T83] usb 1-1: config 0 has an invalid interface number: 254 but max is 0
[ 37.980284][ T83] usb 1-1: config 0 has no interface number 0
[ 37.986437][ T83] usb 1-1: config 0 interface 254 altsetting 0 endpoint 0x82 has an invalid bInterval 0, changing to 7
[ 38.152114][ T83] usb 1-1: New USB device found, idVendor=eb1a, idProduct=e303, bcdDevice=29.3d
[ 38.161158][ T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 38.169160][ T83] usb 1-1: Product: syz
[ 38.173322][ T83] usb 1-1: Manufacturer: syz
[ 38.177895][ T83] usb 1-1: SerialNumber: syz
[ 38.183620][ T83] usb 1-1: config 0 descriptor??
executing program
[ 38.463391][ T83] em28xx 1-1:0.254: New device syz syz @ 480 Mbps (eb1a:e303, interface 254, class 254)
[ 38.473233][ T83] em28xx 1-1:0.254: Video interface 254 found:
[ 38.602105][ T83] em28xx 1-1:0.254: unknown em28xx chip ID (0)
[ 38.922116][ T83] em28xx 1-1:0.254: reading from i2c device at 0xa0 failed (error=-5)
[ 38.930288][ T83] em28xx 1-1:0.254: board has no eeprom
[ 39.042074][ T83] em28xx 1-1:0.254: Identified as Kaiomy TVnPC U2 (card=63)
[ 39.049392][ T83] em28xx 1-1:0.254: analog set to bulk mode.
[ 39.057098][ T83] usb 1-1: USB disconnect, device number 3
[ 39.065289][ T83] em28xx 1-1:0.254: Disconnecting em28xx
[ 39.071030][ T17] em28xx 1-1:0.254: Registering V4L2 extension
[ 39.084986][ T17] i2c i2c-0: Invalid 7-bit I2C address 0x00
[ 39.094943][ T17] tuner: 0-0061: Tuner -1 found with type(s) Radio TV.
[ 39.101991][ T17] xc2028 0-0061: creating new instance
[ 39.107594][ T17] xc2028 0-0061: type set to XCeive xc2028/xc3028 tuner
[ 39.114564][ T17] em28xx 1-1:0.254: Config register raw data: 0xffffffed
[ 39.121555][ T17] em28xx 1-1:0.254: AC97 chip type couldn't be determined
[ 39.128691][ T17] em28xx 1-1:0.254: No AC97 audio processor
[ 39.135736][ T17] em28xx 1-1:0.254: Registered radio device as radio0
[ 39.142572][ T17] usb 1-1: Decoder not found
[ 39.147153][ T17] em28xx 1-1:0.254: failed to create media graph
[ 39.153547][ T17] em28xx 1-1:0.254: V4L2 device radio0 deregistered
[ 39.160523][ T17] em28xx 1-1:0.254: V4L2 device video0 deregistered
[ 39.167872][ T17] xc2028 0-0061: destroying instance
[ 39.173529][ T17] em28xx 1-1:0.254: Registering input extension
[ 39.179859][ T83] em28xx 1-1:0.254: Closing input extension
[ 39.186529][ T83] em28xx 1-1:0.254: Freeing device
[ 39.193755][ T17] usb 1-1:0.254: Direct firmware load for xc3028-v27.fw failed with error -2
[ 39.204633][ T17] ==================================================================
[ 39.212797][ T17] BUG: KASAN: use-after-free in load_firmware_cb+0x173/0x18c
[ 39.220159][ T17] Read of size 8 at addr ffff8881cd9a4308 by task kworker/1:0/17
[ 39.227861][ T17]
[ 39.230187][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.6.0-rc3-syzkaller #0
[ 39.238330][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.248387][ T17] Workqueue: events request_firmware_work_func
[ 39.254522][ T17] Call Trace:
[ 39.257786][ T17] dump_stack+0xef/0x16e
[ 39.262004][ T17] ? load_firmware_cb+0x173/0x18c
[ 39.267009][ T17] ? load_firmware_cb+0x173/0x18c
[ 39.272041][ T17] print_address_description.constprop.0.cold+0xd3/0x314
[ 39.279039][ T17] ? load_firmware_cb+0x173/0x18c
[ 39.284037][ T17] ? load_firmware_cb+0x173/0x18c
[ 39.289091][ T17] __kasan_report.cold+0x37/0x77
[ 39.294007][ T17] ? load_firmware_cb+0x173/0x18c
[ 39.299123][ T17] kasan_report+0xe/0x20
[ 39.303359][ T17] load_firmware_cb+0x173/0x18c
[ 39.308184][ T17] ? _request_firmware+0x935/0x1210
[ 39.313351][ T17] ? kfree+0xd5/0x300
[ 39.317308][ T17] ? _request_firmware+0x10b/0x1210
[ 39.322479][ T17] ? xc2028_attach+0x2f0/0x2f0
[ 39.327215][ T17] ? assign_fw+0x480/0x480
[ 39.331608][ T17] ? find_held_lock+0x2d/0x110
[ 39.336342][ T17] ? mark_held_locks+0xe0/0xe0
[ 39.341136][ T17] ? xc2028_attach+0x2f0/0x2f0
[ 39.345896][ T17] request_firmware_work_func+0x126/0x242
[ 39.351601][ T17] ? request_firmware_into_buf+0x90/0x90
[ 39.357306][ T17] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 39.362828][ T17] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 39.368121][ T17] process_one_work+0x94b/0x1620
[ 39.373046][ T17] ? pwq_dec_nr_in_flight+0x310/0x310
[ 39.378389][ T17] ? do_raw_spin_lock+0x129/0x290
[ 39.383387][ T17] worker_thread+0x96/0xe20
[ 39.387883][ T17] ? process_one_work+0x1620/0x1620
[ 39.393069][ T17] kthread+0x318/0x420
[ 39.397137][ T17] ? kthread_create_on_node+0xf0/0xf0
[ 39.402486][ T17] ret_from_fork+0x24/0x30
[ 39.406875][ T17]
[ 39.409182][ T17] Allocated by task 17:
[ 39.413325][ T17] save_stack+0x1b/0x80
[ 39.417453][ T17] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 39.423055][ T17] tuner_probe+0xa4/0x1182
[ 39.427447][ T17] i2c_device_probe+0x51a/0x800
[ 39.432270][ T17] really_probe+0x290/0xac0
[ 39.436743][ T17] driver_probe_device+0x223/0x350
[ 39.441822][ T17] __device_attach_driver+0x1d1/0x290
[ 39.447165][ T17] bus_for_each_drv+0x162/0x1e0
[ 39.451992][ T17] __device_attach+0x217/0x390
[ 39.456739][ T17] bus_probe_device+0x1e4/0x290
[ 39.461574][ T17] device_add+0x1459/0x1bf0
[ 39.466065][ T17] i2c_new_client_device+0x589/0xa70
[ 39.471327][ T17] i2c_new_device+0x19/0x50
[ 39.475806][ T17] v4l2_i2c_new_subdev_board+0xaf/0x2a0
[ 39.481323][ T17] v4l2_i2c_new_subdev+0xb8/0xf0
[ 39.486234][ T17] em28xx_v4l2_init.cold+0x9cc/0x33eb
[ 39.491582][ T17] em28xx_init_extension+0x12f/0x1f0
[ 39.496844][ T17] request_module_async+0x5d/0x70
[ 39.501845][ T17] process_one_work+0x94b/0x1620
[ 39.506753][ T17] worker_thread+0x73e/0xe20
[ 39.511321][ T17] kthread+0x318/0x420
[ 39.515362][ T17] ret_from_fork+0x24/0x30
[ 39.519752][ T17]
[ 39.522066][ T17] Freed by task 17:
[ 39.525888][ T17] save_stack+0x1b/0x80
[ 39.530017][ T17] __kasan_slab_free+0x117/0x160
[ 39.534926][ T17] kfree+0xd5/0x300
[ 39.538708][ T17] tuner_remove+0x198/0x200
[ 39.543180][ T17] i2c_device_remove+0xcf/0x250
[ 39.548005][ T17] device_release_driver_internal+0x231/0x500
[ 39.554187][ T17] bus_remove_device+0x2eb/0x5a0
[ 39.559098][ T17] device_del+0x481/0xd30
[ 39.563427][ T17] device_unregister+0x22/0xc0
[ 39.568166][ T17] i2c_unregister_device+0x38/0x40
[ 39.573247][ T17] v4l2_i2c_subdev_unregister+0xa2/0xc0
[ 39.578760][ T17] v4l2_device_unregister+0x18a/0x220
[ 39.584116][ T17] em28xx_v4l2_init.cold+0xd26/0x33eb
[ 39.589457][ T17] em28xx_init_extension+0x12f/0x1f0
[ 39.594710][ T17] request_module_async+0x5d/0x70
[ 39.599706][ T17] process_one_work+0x94b/0x1620
[ 39.604617][ T17] worker_thread+0x73e/0xe20
[ 39.609179][ T17] kthread+0x318/0x420
[ 39.613219][ T17] ret_from_fork+0x24/0x30
[ 39.617603][ T17]
[ 39.619907][ T17] The buggy address belongs to the object at ffff8881cd9a4000
[ 39.619907][ T17] which belongs to the cache kmalloc-2k of size 2048
[ 39.633942][ T17] The buggy address is located 776 bytes inside of
[ 39.633942][ T17] 2048-byte region [ffff8881cd9a4000, ffff8881cd9a4800)
[ 39.647268][ T17] The buggy address belongs to the page:
[ 39.652877][ T17] page:ffffea0007366800 refcount:1 mapcount:0 mapping:ffff8881da00c000 index:0x0 compound_mapcount: 0
[ 39.663778][ T17] flags: 0x200000000010200(slab|head)
[ 39.669129][ T17] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
[ 39.677687][ T17] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 39.686248][ T17] page dumped because: kasan: bad access detected
[ 39.692628][ T17]
[ 39.694931][ T17] Memory state around the buggy address:
[ 39.700537][ T17] ffff8881cd9a4200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.708573][ T17] ffff8881cd9a4280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.716610][ T17] >ffff8881cd9a4300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.724651][ T17] ^
[ 39.728955][ T17] ffff8881cd9a4380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.736990][ T17] ffff8881cd9a4400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.745020][ T17] ==================================================================
[ 39.753060][ T17] Disabling lock debugging due to kernel taint
[ 39.759277][ T17] Kernel panic - not syncing: panic_on_warn set ...
[ 39.765853][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Tainted: G B 5.6.0-rc3-syzkaller #0
[ 39.775361][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.785393][ T17] Workqueue: events request_firmware_work_func
[ 39.791527][ T17] Call Trace:
[ 39.794790][ T17] dump_stack+0xef/0x16e
[ 39.799023][ T17] panic+0x2aa/0x6e1
[ 39.802907][ T17] ? add_taint.cold+0x16/0x16
[ 39.807554][ T17] ? load_firmware_cb+0x173/0x18c
[ 39.812550][ T17] ? trace_hardirqs_on+0x55/0x200
[ 39.817558][ T17] ? load_firmware_cb+0x173/0x18c
[ 39.822556][ T17] end_report+0x43/0x49
[ 39.826693][ T17] ? load_firmware_cb+0x173/0x18c
[ 39.831687][ T17] __kasan_report.cold+0x55/0x77
[ 39.836596][ T17] ? load_firmware_cb+0x173/0x18c
[ 39.841593][ T17] kasan_report+0xe/0x20
[ 39.845811][ T17] load_firmware_cb+0x173/0x18c
[ 39.850637][ T17] ? _request_firmware+0x935/0x1210
[ 39.855808][ T17] ? kfree+0xd5/0x300
[ 39.859766][ T17] ? _request_firmware+0x10b/0x1210
[ 39.864955][ T17] ? xc2028_attach+0x2f0/0x2f0
[ 39.869692][ T17] ? assign_fw+0x480/0x480
[ 39.874083][ T17] ? find_held_lock+0x2d/0x110
[ 39.878822][ T17] ? mark_held_locks+0xe0/0xe0
[ 39.883562][ T17] ? xc2028_attach+0x2f0/0x2f0
[ 39.888302][ T17] request_firmware_work_func+0x126/0x242
[ 39.894017][ T17] ? request_firmware_into_buf+0x90/0x90
[ 39.899646][ T17] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 39.905171][ T17] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 39.910429][ T17] process_one_work+0x94b/0x1620
[ 39.915341][ T17] ? pwq_dec_nr_in_flight+0x310/0x310
[ 39.920684][ T17] ? do_raw_spin_lock+0x129/0x290
[ 39.925678][ T17] worker_thread+0x96/0xe20
[ 39.930156][ T17] ? process_one_work+0x1620/0x1620
[ 39.935325][ T17] kthread+0x318/0x420
[ 39.939376][ T17] ? kthread_create_on_node+0xf0/0xf0
[ 39.944726][ T17] ret_from_fork+0x24/0x30
[ 39.949794][ T17] Kernel Offset: disabled
[ 39.954106][ T17] Rebooting in 86400 seconds..