Warning: Permanently added '10.128.0.114' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 44.156714][ T94] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 44.246988][ T94] usb 1-1: Using ep0 maxpacket: 32
[ 44.366775][ T94] usb 1-1: config 0 has an invalid interface number: 254 but max is 0
[ 44.375052][ T94] usb 1-1: config 0 has no interface number 0
[ 44.381210][ T94] usb 1-1: config 0 interface 254 altsetting 0 endpoint 0x82 has an invalid bInterval 0, changing to 7
[ 44.546782][ T94] usb 1-1: New USB device found, idVendor=eb1a, idProduct=e303, bcdDevice=29.3d
[ 44.555848][ T94] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 44.563906][ T94] usb 1-1: Product: syz
[ 44.568095][ T94] usb 1-1: Manufacturer: syz
[ 44.572682][ T94] usb 1-1: SerialNumber: syz
[ 44.579205][ T94] usb 1-1: config 0 descriptor??
executing program
[ 44.858750][ T94] em28xx 1-1:0.254: New device syz syz @ 480 Mbps (eb1a:e303, interface 254, class 254)
[ 44.868620][ T94] em28xx 1-1:0.254: Video interface 254 found:
[ 44.996735][ T94] em28xx 1-1:0.254: unknown em28xx chip ID (0)
[ 45.316749][ T94] em28xx 1-1:0.254: reading from i2c device at 0xa0 failed (error=-5)
[ 45.325062][ T94] em28xx 1-1:0.254: board has no eeprom
[ 45.436654][ T94] em28xx 1-1:0.254: Identified as Kaiomy TVnPC U2 (card=63)
[ 45.444019][ T94] em28xx 1-1:0.254: analog set to bulk mode.
[ 45.452607][ T94] usb 1-1: USB disconnect, device number 2
[ 45.460305][ T94] em28xx 1-1:0.254: Disconnecting em28xx
[ 45.466451][ T12] em28xx 1-1:0.254: Registering V4L2 extension
[ 45.482649][ T12] i2c i2c-0: Invalid 7-bit I2C address 0x00
[ 45.493974][ T12] tuner: 0-0061: Tuner -1 found with type(s) Radio TV.
[ 45.501904][ T12] xc2028 0-0061: creating new instance
[ 45.507521][ T12] xc2028 0-0061: type set to XCeive xc2028/xc3028 tuner
[ 45.514822][ T12] em28xx 1-1:0.254: Config register raw data: 0xffffffed
[ 45.521943][ T12] em28xx 1-1:0.254: AC97 chip type couldn't be determined
[ 45.529215][ T12] em28xx 1-1:0.254: No AC97 audio processor
[ 45.537059][ T12] em28xx 1-1:0.254: Registered radio device as radio0
[ 45.543917][ T12] usb 1-1: Decoder not found
[ 45.548620][ T12] em28xx 1-1:0.254: failed to create media graph
[ 45.554996][ T12] em28xx 1-1:0.254: V4L2 device radio0 deregistered
[ 45.562705][ T12] em28xx 1-1:0.254: V4L2 device video0 deregistered
[ 45.570417][ T12] xc2028 0-0061: destroying instance
[ 45.576491][ T12] em28xx 1-1:0.254: Registering input extension
[ 45.583362][ T94] em28xx 1-1:0.254: Closing input extension
[ 45.591658][ T94] em28xx 1-1:0.254: Freeing device
[ 45.613599][ T12] usb 1-1:0.254: Direct firmware load for xc3028-v27.fw failed with error -2
[ 45.622786][ T12] ==================================================================
[ 45.631019][ T12] BUG: KASAN: use-after-free in load_firmware_cb+0x173/0x18c
[ 45.638403][ T12] Read of size 8 at addr ffff8881cd828308 by task kworker/0:1/12
[ 45.646124][ T12]
[ 45.648472][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.6.0-rc3-syzkaller #0
[ 45.656628][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.666704][ T12] Workqueue: events request_firmware_work_func
[ 45.672850][ T12] Call Trace:
[ 45.676140][ T12]  dump_stack+0xef/0x16e
[ 45.680422][ T12]  ? load_firmware_cb+0x173/0x18c
[ 45.685452][ T12]  ? load_firmware_cb+0x173/0x18c
[ 45.690521][ T12]  print_address_description.constprop.0.cold+0xd3/0x314
[ 45.697546][ T12]  ? load_firmware_cb+0x173/0x18c
[ 45.702569][ T12]  ? load_firmware_cb+0x173/0x18c
[ 45.707596][ T12]  __kasan_report.cold+0x37/0x77
[ 45.712539][ T12]  ? load_firmware_cb+0x173/0x18c
[ 45.717562][ T12]  kasan_report+0xe/0x20
[ 45.721908][ T12]  load_firmware_cb+0x173/0x18c
[ 45.726753][ T12]  ? _request_firmware+0x935/0x1210
[ 45.731959][ T12]  ? kfree+0xd5/0x300
[ 45.736073][ T12]  ? _request_firmware+0x10b/0x1210
[ 45.741287][ T12]  ? xc2028_attach+0x2f0/0x2f0
[ 45.746055][ T12]  ? assign_fw+0x480/0x480
[ 45.750455][ T12]  ? find_held_lock+0x2d/0x110
[ 45.755219][ T12]  ? mark_held_locks+0xe0/0xe0
[ 45.759970][ T12]  ? xc2028_attach+0x2f0/0x2f0
[ 45.764828][ T12]  request_firmware_work_func+0x126/0x242
[ 45.770545][ T12]  ? request_firmware_into_buf+0x90/0x90
[ 45.776167][ T12]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 45.781720][ T12]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 45.787068][ T12]  process_one_work+0x94b/0x1620
[ 45.792048][ T12]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 45.797463][ T12]  ? do_raw_spin_lock+0x129/0x290
[ 45.802484][ T12]  worker_thread+0x96/0xe20
[ 45.806997][ T12]  ? process_one_work+0x1620/0x1620
[ 45.812204][ T12]  kthread+0x318/0x420
[ 45.816261][ T12]  ? kthread_create_on_node+0xf0/0xf0
[ 45.821627][ T12]  ret_from_fork+0x24/0x30
[ 45.826034][ T12]
[ 45.828360][ T12] Allocated by task 12:
[ 45.832522][ T12]  save_stack+0x1b/0x80
[ 45.836663][ T12]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 45.843254][ T12]  tuner_probe+0xa4/0x1182
[ 45.847671][ T12]  i2c_device_probe+0x51a/0x800
[ 45.852565][ T12]  really_probe+0x290/0xac0
[ 45.857110][ T12]  driver_probe_device+0x223/0x350
[ 45.862219][ T12]  __device_attach_driver+0x1d1/0x290
[ 45.867582][ T12]  bus_for_each_drv+0x162/0x1e0
[ 45.872794][ T12]  __device_attach+0x217/0x390
[ 45.877541][ T12]  bus_probe_device+0x1e4/0x290
[ 45.882386][ T12]  device_add+0x1459/0x1bf0
[ 45.886893][ T12]  i2c_new_client_device+0x589/0xa70
[ 45.892209][ T12]  i2c_new_device+0x19/0x50
[ 45.896699][ T12]  v4l2_i2c_new_subdev_board+0xaf/0x2a0
[ 45.902293][ T12]  v4l2_i2c_new_subdev+0xb8/0xf0
[ 45.907253][ T12]  em28xx_v4l2_init.cold+0x9cc/0x33eb
[ 45.912622][ T12]  em28xx_init_extension+0x12f/0x1f0
[ 45.917891][ T12]  request_module_async+0x5d/0x70
[ 45.922898][ T12]  process_one_work+0x94b/0x1620
[ 45.927826][ T12]  worker_thread+0x73e/0xe20
[ 45.932414][ T12]  kthread+0x318/0x420
[ 45.936473][ T12]  ret_from_fork+0x24/0x30
[ 45.940872][ T12]
[ 45.943263][ T12] Freed by task 12:
[ 45.947070][ T12]  save_stack+0x1b/0x80
[ 45.951223][ T12]  __kasan_slab_free+0x117/0x160
[ 45.956188][ T12]  kfree+0xd5/0x300
[ 45.959980][ T12]  tuner_remove+0x198/0x200
[ 45.964475][ T12]  i2c_device_remove+0xcf/0x250
[ 45.969316][ T12]  device_release_driver_internal+0x231/0x500
[ 45.975429][ T12]  bus_remove_device+0x2eb/0x5a0
[ 45.980410][ T12]  device_del+0x481/0xd30
[ 45.984735][ T12]  device_unregister+0x22/0xc0
[ 45.989495][ T12]  i2c_unregister_device+0x38/0x40
[ 45.994590][ T12]  v4l2_i2c_subdev_unregister+0xa2/0xc0
[ 46.000130][ T12]  v4l2_device_unregister+0x18a/0x220
[ 46.005499][ T12]  em28xx_v4l2_init.cold+0xd26/0x33eb
[ 46.010855][ T12]  em28xx_init_extension+0x12f/0x1f0
[ 46.016123][ T12]  request_module_async+0x5d/0x70
[ 46.021161][ T12]  process_one_work+0x94b/0x1620
[ 46.026083][ T12]  worker_thread+0x73e/0xe20
[ 46.030718][ T12]  kthread+0x318/0x420
[ 46.034774][ T12]  ret_from_fork+0x24/0x30
[ 46.039169][ T12]
[ 46.041486][ T12] The buggy address belongs to the object at ffff8881cd828000
[ 46.041486][ T12]  which belongs to the cache kmalloc-2k of size 2048
[ 46.055620][ T12] The buggy address is located 776 bytes inside of
[ 46.055620][ T12]  2048-byte region [ffff8881cd828000, ffff8881cd828800)
[ 46.068970][ T12] The buggy address belongs to the page:
[ 46.074600][ T12] page:ffffea0007360a00 refcount:1 mapcount:0 mapping:ffff8881da00c000 index:0x0 compound_mapcount: 0
[ 46.085563][ T12] flags: 0x200000000010200(slab|head)
[ 46.090930][ T12] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
[ 46.099510][ T12] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 46.108074][ T12] page dumped because: kasan: bad access detected
[ 46.114636][ T12]
[ 46.116952][ T12] Memory state around the buggy address:
[ 46.122581][ T12]  ffff8881cd828200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.130656][ T12]  ffff8881cd828280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.138769][ T12] >ffff8881cd828300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.146814][ T12]                                           ^
[ 46.151165][ T12]  ffff8881cd828380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.159226][ T12]  ffff8881cd828400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.167268][ T12] ==================================================================
[ 46.175361][ T12] Disabling lock debugging due to kernel taint
[ 46.181624][ T12] Kernel panic - not syncing: panic_on_warn set ...
[ 46.188209][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.6.0-rc3-syzkaller #0
[ 46.197728][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.207782][ T12] Workqueue: events request_firmware_work_func
[ 46.213911][ T12] Call Trace:
[ 46.217195][ T12]  dump_stack+0xef/0x16e
[ 46.221473][ T12]  panic+0x2aa/0x6e1
[ 46.225391][ T12]  ? add_taint.cold+0x16/0x16
[ 46.230060][ T12]  ? load_firmware_cb+0x173/0x18c
[ 46.235065][ T12]  ? trace_hardirqs_on+0x55/0x200
[ 46.240082][ T12]  ? load_firmware_cb+0x173/0x18c
[ 46.245138][ T12]  end_report+0x43/0x49
[ 46.249295][ T12]  ? load_firmware_cb+0x173/0x18c
[ 46.254299][ T12]  __kasan_report.cold+0x55/0x77
[ 46.259220][ T12]  ? load_firmware_cb+0x173/0x18c
[ 46.264386][ T12]  kasan_report+0xe/0x20
[ 46.268614][ T12]  load_firmware_cb+0x173/0x18c
[ 46.273457][ T12]  ? _request_firmware+0x935/0x1210
[ 46.278642][ T12]  ? kfree+0xd5/0x300
[ 46.282617][ T12]  ? _request_firmware+0x10b/0x1210
[ 46.287808][ T12]  ? xc2028_attach+0x2f0/0x2f0
[ 46.292563][ T12]  ? assign_fw+0x480/0x480
[ 46.296971][ T12]  ? find_held_lock+0x2d/0x110
[ 46.301730][ T12]  ? mark_held_locks+0xe0/0xe0
[ 46.306483][ T12]  ? xc2028_attach+0x2f0/0x2f0
[ 46.311228][ T12]  request_firmware_work_func+0x126/0x242
[ 46.317724][ T12]  ? request_firmware_into_buf+0x90/0x90
[ 46.323357][ T12]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 46.328892][ T12]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 46.334170][ T12]  process_one_work+0x94b/0x1620
[ 46.339113][ T12]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 46.344534][ T12]  ? do_raw_spin_lock+0x129/0x290
[ 46.349571][ T12]  worker_thread+0x96/0xe20
[ 46.354072][ T12]  ? process_one_work+0x1620/0x1620
[ 46.359259][ T12]  kthread+0x318/0x420
[ 46.363313][ T12]  ? kthread_create_on_node+0xf0/0xf0
[ 46.368669][ T12]  ret_from_fork+0x24/0x30
[ 46.373661][ T12] Kernel Offset: disabled
[ 46.377984][ T12] Rebooting in 86400 seconds..