Warning: Permanently added '10.128.1.37' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 24.628762][ T95] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 24.719055][ T95] usb 1-1: Using ep0 maxpacket: 8
[ 24.838918][ T95] usb 1-1: config 0 has an invalid descriptor of length 36, skipping remainder of the config
[ 24.849344][ T95] usb 1-1: New USB device found, idVendor=0bd3, idProduct=0555, bcdDevice=69.6a
[ 24.858375][ T95] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 24.868210][ T95] usb 1-1: config 0 descriptor??
[ 25.338853][ T95] uvcvideo: Found UVC 0.00 device (0bd3:0555)
[ 25.346162][ T95] uvcvideo 1-1:0.0: Entity type for entity Й was not initialized!
[ 25.354584][ T95] uvcvideo 1-1:0.0: Entity type for entity Processing 1 was not initialized!
[ 25.363442][ T95] uvcvideo 1-1:0.0: Entity type for entity Input 255 was not initialized!
[ 25.541178][ T17] usb 1-1: USB disconnect, device number 2
[ 25.547907][ T17] ==================================================================
[ 25.556052][ T17] BUG: KASAN: use-after-free in __media_entity_remove_links+0x134/0x160
[ 25.564369][ T17] Read of size 8 at addr ffff8881ce1c2320 by task kworker/1:0/17
[ 25.572088][ T17]
[ 25.574429][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.6.0-rc1-syzkaller #0
[ 25.582556][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.592606][ T17] Workqueue: usb_hub_wq hub_event
[ 25.597609][ T17] Call Trace:
[ 25.600882][ T17] dump_stack+0xef/0x16e
[ 25.605132][ T17] ? __media_entity_remove_links+0x134/0x160
[ 25.611099][ T17] ? __media_entity_remove_links+0x134/0x160
[ 25.617079][ T17] print_address_description.constprop.0.cold+0xd3/0x314
[ 25.624119][ T17] ? __media_entity_remove_links+0x134/0x160
[ 25.630243][ T17] ? __media_entity_remove_links+0x134/0x160
[ 25.636228][ T17] __kasan_report.cold+0x37/0x77
[ 25.641166][ T17] ? __media_entity_remove_links+0x134/0x160
[ 25.647138][ T17] kasan_report+0xe/0x20
[ 25.651365][ T17] __media_entity_remove_links+0x134/0x160
[ 25.657169][ T17] __media_device_unregister_entity+0x187/0x300
[ 25.663489][ T17] media_device_unregister_entity+0x49/0x70
[ 25.669426][ T17] v4l2_device_unregister_subdev+0x257/0x380
[ 25.675401][ T17] v4l2_device_unregister+0x139/0x220
[ 25.680770][ T17] uvc_unregister_video+0x11a/0x210
[ 25.686071][ T17] uvc_disconnect+0xbc/0x160
[ 25.690660][ T17] usb_unbind_interface+0x1bd/0x8a0
[ 25.695991][ T17] ? __pm_runtime_idle+0xd1/0x310
[ 25.701023][ T17] ? usb_autoresume_device+0x60/0x60
[ 25.706299][ T17] device_release_driver_internal+0x42f/0x500
[ 25.712389][ T17] bus_remove_device+0x2eb/0x5a0
[ 25.717333][ T17] device_del+0x481/0xd30
[ 25.721662][ T17] ? mark_held_locks+0x9f/0xe0
[ 25.726508][ T17] ? device_create_with_groups+0x120/0x120
[ 25.732299][ T17] ? lockdep_hardirqs_on+0x382/0x580
[ 25.737582][ T17] ? remove_intf_ep_devs+0x13f/0x1d0
[ 25.742974][ T17] usb_disable_device+0x23d/0x790
[ 25.748041][ T17] usb_disconnect+0x293/0x900
[ 25.752716][ T17] hub_event+0x1a1d/0x4300
[ 25.757134][ T17] ? hub_port_debounce+0x350/0x350
[ 25.762246][ T17] ? find_held_lock+0x2d/0x110
[ 25.767059][ T17] ? mark_held_locks+0xe0/0xe0
[ 25.771817][ T17] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.777354][ T17] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.782659][ T17] process_one_work+0x94b/0x1620
[ 25.787596][ T17] ? pwq_dec_nr_in_flight+0x310/0x310
[ 25.793138][ T17] ? do_raw_spin_lock+0x129/0x290
[ 25.798189][ T17] worker_thread+0x96/0xe20
[ 25.802693][ T17] ? process_one_work+0x1620/0x1620
[ 25.807888][ T17] kthread+0x318/0x420
[ 25.811951][ T17] ? kthread_create_on_node+0xf0/0xf0
[ 25.817315][ T17] ret_from_fork+0x24/0x30
[ 25.821713][ T17]
[ 25.824037][ T17] Allocated by task 95:
[ 25.828198][ T17] save_stack+0x1b/0x80
[ 25.832365][ T17] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 25.838000][ T17] media_add_link+0x47/0x180
[ 25.842591][ T17] media_create_pad_link+0x1fb/0x530
[ 25.847869][ T17] uvc_mc_register_entities+0x468/0x77a
[ 25.853406][ T17] uvc_probe.cold+0x205c/0x2a51
[ 25.858252][ T17] usb_probe_interface+0x310/0x800
[ 25.863350][ T17] really_probe+0x290/0xac0
[ 25.867918][ T17] driver_probe_device+0x223/0x350
[ 25.873042][ T17] __device_attach_driver+0x1d1/0x290
[ 25.878396][ T17] bus_for_each_drv+0x162/0x1e0
[ 25.883246][ T17] __device_attach+0x217/0x390
[ 25.888007][ T17] bus_probe_device+0x1e4/0x290
[ 25.892931][ T17] device_add+0x1459/0x1bf0
[ 25.897431][ T17] usb_set_configuration+0xe47/0x17d0
[ 25.902788][ T17] generic_probe+0x9d/0xd5
[ 25.907213][ T17] usb_probe_device+0xaf/0x140
[ 25.911984][ T17] really_probe+0x290/0xac0
[ 25.916501][ T17] driver_probe_device+0x223/0x350
[ 25.921604][ T17] __device_attach_driver+0x1d1/0x290
[ 25.926970][ T17] bus_for_each_drv+0x162/0x1e0
[ 25.931821][ T17] __device_attach+0x217/0x390
[ 25.936698][ T17] bus_probe_device+0x1e4/0x290
[ 25.941639][ T17] device_add+0x1459/0x1bf0
[ 25.946146][ T17] usb_new_device.cold+0x540/0xcd0
[ 25.951252][ T17] hub_event+0x21cb/0x4300
[ 25.955726][ T17] process_one_work+0x94b/0x1620
[ 25.960650][ T17] worker_thread+0x96/0xe20
[ 25.965181][ T17] kthread+0x318/0x420
[ 25.969300][ T17] ret_from_fork+0x24/0x30
[ 25.973694][ T17]
[ 25.976012][ T17] Freed by task 17:
[ 25.979810][ T17] save_stack+0x1b/0x80
[ 25.983984][ T17] __kasan_slab_free+0x117/0x160
[ 25.988915][ T17] kfree+0xd5/0x300
[ 25.992704][ T17] __media_entity_remove_link+0x28c/0x660
[ 25.998412][ T17] __media_entity_remove_links+0x86/0x160
[ 26.004124][ T17] __media_device_unregister_entity+0x187/0x300
[ 26.010351][ T17] media_device_unregister_entity+0x49/0x70
[ 26.016237][ T17] v4l2_device_unregister_subdev+0x257/0x380
[ 26.022232][ T17] v4l2_device_unregister+0x139/0x220
[ 26.027617][ T17] uvc_unregister_video+0x11a/0x210
[ 26.032818][ T17] uvc_disconnect+0xbc/0x160
[ 26.037414][ T17] usb_unbind_interface+0x1bd/0x8a0
[ 26.042610][ T17] device_release_driver_internal+0x42f/0x500
[ 26.048757][ T17] bus_remove_device+0x2eb/0x5a0
[ 26.053776][ T17] device_del+0x481/0xd30
[ 26.058096][ T17] usb_disable_device+0x23d/0x790
[ 26.063113][ T17] usb_disconnect+0x293/0x900
[ 26.067795][ T17] hub_event+0x1a1d/0x4300
[ 26.072208][ T17] process_one_work+0x94b/0x1620
[ 26.077183][ T17] worker_thread+0x96/0xe20
[ 26.081681][ T17] kthread+0x318/0x420
[ 26.085747][ T17] ret_from_fork+0x24/0x30
[ 26.090145][ T17]
[ 26.092623][ T17] The buggy address belongs to the object at ffff8881ce1c2300
[ 26.092623][ T17] which belongs to the cache kmalloc-96 of size 96
[ 26.106753][ T17] The buggy address is located 32 bytes inside of
[ 26.106753][ T17] 96-byte region [ffff8881ce1c2300, ffff8881ce1c2360)
[ 26.119835][ T17] The buggy address belongs to the page:
[ 26.125466][ T17] page:ffffea0007387080 refcount:1 mapcount:0 mapping:ffff8881da002f00 index:0x0
[ 26.134566][ T17] flags: 0x200000000000200(slab)
[ 26.139497][ T17] raw: 0200000000000200 ffffea0007397c00 0000000200000002 ffff8881da002f00
[ 26.148082][ T17] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[ 26.156661][ T17] page dumped because: kasan: bad access detected
[ 26.163069][ T17]
[ 26.165387][ T17] Memory state around the buggy address:
[ 26.171012][ T17] ffff8881ce1c2200: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[ 26.179068][ T17] ffff8881ce1c2280: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[ 26.187164][ T17] >ffff8881ce1c2300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 26.195219][ T17] ^
[ 26.200327][ T17] ffff8881ce1c2380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 26.208577][ T17] ffff8881ce1c2400: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 26.216657][ T17] ==================================================================
[ 26.224868][ T17] Disabling lock debugging due to kernel taint
[ 26.231150][ T17] Kernel panic - not syncing: panic_on_warn set ...
[ 26.237737][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Tainted: G B 5.6.0-rc1-syzkaller #0
[ 26.247287][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.257520][ T17] Workqueue: usb_hub_wq hub_event
[ 26.262532][ T17] Call Trace:
[ 26.265827][ T17] dump_stack+0xef/0x16e
[ 26.270054][ T17] panic+0x2aa/0x6e1
[ 26.273943][ T17] ? add_taint.cold+0x16/0x16
[ 26.278618][ T17] ? retint_kernel+0x10/0x10
[ 26.283202][ T17] ? trace_hardirqs_on+0x55/0x200
[ 26.288206][ T17] ? __media_entity_remove_links+0x134/0x160
[ 26.294186][ T17] end_report+0x43/0x49
[ 26.298339][ T17] ? __media_entity_remove_links+0x134/0x160
[ 26.304325][ T17] __kasan_report.cold+0x55/0x77
[ 26.309284][ T17] ? __media_entity_remove_links+0x134/0x160
[ 26.315270][ T17] kasan_report+0xe/0x20
[ 26.319600][ T17] __media_entity_remove_links+0x134/0x160
[ 26.325434][ T17] __media_device_unregister_entity+0x187/0x300
[ 26.331762][ T17] media_device_unregister_entity+0x49/0x70
[ 26.337669][ T17] v4l2_device_unregister_subdev+0x257/0x380
[ 26.343654][ T17] v4l2_device_unregister+0x139/0x220
[ 26.349027][ T17] uvc_unregister_video+0x11a/0x210
[ 26.354217][ T17] uvc_disconnect+0xbc/0x160
[ 26.358824][ T17] usb_unbind_interface+0x1bd/0x8a0
[ 26.364017][ T17] ? __pm_runtime_idle+0xd1/0x310
[ 26.369052][ T17] ? usb_autoresume_device+0x60/0x60
[ 26.374371][ T17] device_release_driver_internal+0x42f/0x500
[ 26.380702][ T17] bus_remove_device+0x2eb/0x5a0
[ 26.385658][ T17] device_del+0x481/0xd30
[ 26.389985][ T17] ? mark_held_locks+0x9f/0xe0
[ 26.394851][ T17] ? device_create_with_groups+0x120/0x120
[ 26.400647][ T17] ? lockdep_hardirqs_on+0x382/0x580
[ 26.405912][ T17] ? remove_intf_ep_devs+0x13f/0x1d0
[ 26.411191][ T17] usb_disable_device+0x23d/0x790
[ 26.416214][ T17] usb_disconnect+0x293/0x900
[ 26.420893][ T17] hub_event+0x1a1d/0x4300
[ 26.425295][ T17] ? hub_port_debounce+0x350/0x350
[ 26.430406][ T17] ? find_held_lock+0x2d/0x110
[ 26.435173][ T17] ? mark_held_locks+0xe0/0xe0
[ 26.440027][ T17] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.445775][ T17] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 26.451062][ T17] process_one_work+0x94b/0x1620
[ 26.456091][ T17] ? pwq_dec_nr_in_flight+0x310/0x310
[ 26.461458][ T17] ? do_raw_spin_lock+0x129/0x290
[ 26.466478][ T17] worker_thread+0x96/0xe20
[ 26.470982][ T17] ? process_one_work+0x1620/0x1620
[ 26.476173][ T17] kthread+0x318/0x420
[ 26.480238][ T17] ? kthread_create_on_node+0xf0/0xf0
[ 26.485636][ T17] ret_from_fork+0x24/0x30
[ 26.490665][ T17] Kernel Offset: disabled
[ 26.494983][ T17] Rebooting in 86400 seconds..