Warning: Permanently added '10.128.0.28' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 40.248991][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 40.338573][ T83] usb 1-1: Using ep0 maxpacket: 32
[ 40.458428][ T83] usb 1-1: config 0 has an invalid interface number: 254 but max is 0
[ 40.467580][ T83] usb 1-1: config 0 has no interface number 0
[ 40.474817][ T83] usb 1-1: config 0 interface 254 altsetting 0 endpoint 0x82 has an invalid bInterval 0, changing to 7
[ 40.638933][ T83] usb 1-1: New USB device found, idVendor=eb1a, idProduct=e303, bcdDevice=29.3d
[ 40.648399][ T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 40.656374][ T83] usb 1-1: Product: syz
[ 40.669205][ T83] usb 1-1: Manufacturer: syz
[ 40.673789][ T83] usb 1-1: SerialNumber: syz
[ 40.680524][ T83] usb 1-1: config 0 descriptor??
executing program
[ 40.918951][ T386] udc-core: couldn't find an available UDC or it's busy
[ 40.926058][ T386] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 40.960183][ T83] em28xx 1-1:0.254: New device syz syz @ 480 Mbps (eb1a:e303, interface 254, class 254)
[ 40.970115][ T83] em28xx 1-1:0.254: Video interface 254 found:
[ 41.098220][ T83] em28xx 1-1:0.254: unknown em28xx chip ID (0)
[ 41.418236][ T83] em28xx 1-1:0.254: reading from i2c device at 0xa0 failed (error=-5)
[ 41.426761][ T83] em28xx 1-1:0.254: board has no eeprom
[ 41.538655][ T83] em28xx 1-1:0.254: Identified as Kaiomy TVnPC U2 (card=63)
[ 41.545957][ T83] em28xx 1-1:0.254: analog set to bulk mode.
[ 41.555006][ T17] em28xx 1-1:0.254: Registering V4L2 extension
[ 41.565067][ T83] usb 1-1: USB disconnect, device number 2
[ 41.573050][ T83] em28xx 1-1:0.254: Disconnecting em28xx
[ 41.615904][ T17] i2c i2c-0: Invalid 7-bit I2C address 0x00
[ 41.626394][ T17] tuner: 0-0061: Tuner -1 found with type(s) Radio TV.
[ 41.636871][ T17] xc2028 0-0061: creating new instance
[ 41.642760][ T17] xc2028 0-0061: type set to XCeive xc2028/xc3028 tuner
[ 41.650195][ T17] em28xx 1-1:0.254: Config register raw data: 0xffffffed
[ 41.657524][ T17] em28xx 1-1:0.254: AC97 chip type couldn't be determined
[ 41.664725][ T17] em28xx 1-1:0.254: No AC97 audio processor
[ 41.674275][ T17] em28xx 1-1:0.254: Registered radio device as radio0
[ 41.681249][ T17] usb 1-1: Decoder not found
[ 41.686198][ T17] em28xx 1-1:0.254: failed to create media graph
[ 41.693372][ T17] em28xx 1-1:0.254: V4L2 device radio0 deregistered
[ 41.701133][ T393] em28xx 1-1:0.254: Direct firmware load for xc3028-v27.fw failed with error -2
[ 41.711681][ T393] xc2028 0-0061: Could not load firmware xc3028-v27.fw.
[ 41.720274][ T17] em28xx 1-1:0.254: V4L2 device video0 deregistered
[ 41.729871][ T17] xc2028 0-0061: destroying instance
[ 41.736302][ T17] em28xx 1-1:0.254: Registering input extension
[ 41.738607][ T400] ==================================================================
[ 41.746129][ T83] em28xx 1-1:0.254: Closing input extension
[ 41.750675][ T400] BUG: KASAN: use-after-free in v4l2_fh_init+0x279/0x2c0
[ 41.750687][ T400] Read of size 8 at addr ffff8881cc9808c8 by task v4l_id/400
[ 41.750690][ T400]
[ 41.750705][ T400] CPU: 0 PID: 400 Comm: v4l_id Not tainted 5.7.0-rc1-syzkaller #0
[ 41.750712][ T400] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.750717][ T400] Call Trace:
[ 41.750733][ T400] dump_stack+0xef/0x16e
[ 41.750748][ T400] print_address_description.constprop.0.cold+0xd3/0x314
[ 41.750760][ T400] ? v4l2_fh_init+0x279/0x2c0
[ 41.750773][ T400] __kasan_report.cold+0x37/0x92
[ 41.750785][ T400] ? v4l2_fh_init+0x279/0x2c0
[ 41.750798][ T400] ? v4l2_fh_init+0x279/0x2c0
[ 41.750809][ T400] kasan_report+0x33/0x50
[ 41.750821][ T400] v4l2_fh_init+0x279/0x2c0
[ 41.750834][ T400] v4l2_fh_open+0x88/0xc0
[ 41.750847][ T400] em28xx_v4l2_open+0x11a/0x570
[ 41.750862][ T400] v4l2_open+0x20f/0x3d0
[ 41.750872][ T400] ? v4l2_release+0x390/0x390
[ 41.750890][ T400] chrdev_open+0x219/0x5c0
[ 41.857301][ T400] ? cdev_put.part.0+0x50/0x50
[ 41.862053][ T400] ? security_file_open+0x84/0x410
[ 41.867291][ T400] do_dentry_open+0x4ac/0x1160
[ 41.872062][ T400] ? cdev_put.part.0+0x50/0x50
[ 41.876939][ T400] ? chmod_common+0x3c0/0x3c0
[ 41.881622][ T400] ? inode_permission+0xbe/0x3a0
[ 41.886577][ T400] path_openat+0x1a0b/0x2740
[ 41.891154][ T400] ? do_sys_openat2+0x3fc/0x7d0
[ 41.896071][ T400] ? path_lookupat.isra.0+0x530/0x530
[ 41.901437][ T400] do_filp_open+0x192/0x260
[ 41.905937][ T400] ? may_open_dev+0xf0/0xf0
[ 41.910438][ T400] ? __alloc_fd+0x46d/0x600
[ 41.914923][ T400] ? do_raw_spin_lock+0x129/0x290
[ 41.919948][ T400] ? _raw_spin_unlock+0x1a/0x30
[ 41.925094][ T400] ? __alloc_fd+0x46d/0x600
[ 41.929860][ T400] do_sys_openat2+0x585/0x7d0
[ 41.934796][ T400] ? file_open_root+0x400/0x400
[ 41.939711][ T400] ? __secure_computing+0xb4/0x280
[ 41.952663][ T400] ? syscall_trace_enter+0x41d/0xcd0
[ 41.957936][ T400] do_sys_open+0xc3/0x140
[ 41.962255][ T400] ? filp_open+0x70/0x70
[ 41.966492][ T400] ? trace_hardirqs_off_caller+0x55/0x200
[ 41.972220][ T400] do_syscall_64+0xb6/0x5a0
[ 41.976840][ T400] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 41.982813][ T400] RIP: 0033:0x7f4561b26840
[ 41.987210][ T400] Code: 73 01 c3 48 8b 0d 68 77 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 bb 20 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 1e f6 ff ff 48 89 04 24
[ 42.006803][ T400] RSP: 002b:00007fff746fe318 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 42.015196][ T400] RAX: ffffffffffffffda RBX: 00007fff746fe488 RCX: 00007f4561b26840
[ 42.023232][ T400] RDX: 00007f4561b12ea0 RSI: 0000000000000000 RDI: 00007fff746fef23
[ 42.031197][ T400] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 42.039165][ T400] R10: 0000000000000002 R11: 0000000000000246 R12: 000055ab0a94c8d0
[ 42.047112][ T400] R13: 00007fff746fe480 R14: 0000000000000000 R15: 0000000000000000
[ 42.055096][ T400]
[ 42.057430][ T400] The buggy address belongs to the page:
[ 42.063060][ T400] page:ffffea0007326000 refcount:0 mapcount:-128 mapping:000000008a2d6f98 index:0x0
[ 42.072408][ T400] flags: 0x200000000000000()
[ 42.076978][ T400] raw: 0200000000000000 ffffea00070aad08 ffff88821fffabd0 0000000000000000
[ 42.085764][ T400] raw: 0000000000000000 0000000000000002 00000000ffffff7f 0000000000000000
[ 42.094342][ T400] page dumped because: kasan: bad access detected
[ 42.100728][ T400]
[ 42.103029][ T400] Memory state around the buggy address:
[ 42.112375][ T400]  ffff8881cc980780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 42.121390][ T400]  ffff8881cc980800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 42.129451][ T400] >ffff8881cc980880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 42.137501][ T400]                                               ^
[ 42.143910][ T400]  ffff8881cc980900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 42.152919][ T400]  ffff8881cc980980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 42.161057][ T400] ==================================================================
[ 42.169097][ T400] Disabling lock debugging due to kernel taint
[ 42.175350][ T400] Kernel panic - not syncing: panic_on_warn set ...
[ 42.181941][ T400] CPU: 0 PID: 400 Comm: v4l_id Tainted: G B 5.7.0-rc1-syzkaller #0
[ 42.191124][ T400] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.201259][ T400] Call Trace:
[ 42.204536][ T400] dump_stack+0xef/0x16e
[ 42.208772][ T400] panic+0x2aa/0x6e1
[ 42.212643][ T400] ? add_taint.cold+0x16/0x16
[ 42.217292][ T400] ? v4l2_fh_init+0x279/0x2c0
[ 42.221944][ T400] ? trace_hardirqs_on+0x55/0x200
[ 42.226965][ T400] ? v4l2_fh_init+0x279/0x2c0
[ 42.231616][ T400] end_report+0x4d/0x53
[ 42.235755][ T400] __kasan_report.cold+0x72/0x92
[ 42.240853][ T400] ? v4l2_fh_init+0x279/0x2c0
[ 42.245507][ T400] ? v4l2_fh_init+0x279/0x2c0
[ 42.250274][ T400] kasan_report+0x33/0x50
[ 42.254581][ T400] v4l2_fh_init+0x279/0x2c0
[ 42.259333][ T400] v4l2_fh_open+0x88/0xc0
[ 42.263637][ T400] em28xx_v4l2_open+0x11a/0x570
[ 42.268576][ T400] v4l2_open+0x20f/0x3d0
[ 42.272800][ T400] ? v4l2_release+0x390/0x390
[ 42.277453][ T400] chrdev_open+0x219/0x5c0
[ 42.281849][ T400] ? cdev_put.part.0+0x50/0x50
[ 42.286590][ T400] ? security_file_open+0x84/0x410
[ 42.291682][ T400] do_dentry_open+0x4ac/0x1160
[ 42.296517][ T400] ? cdev_put.part.0+0x50/0x50
[ 42.301263][ T400] ? chmod_common+0x3c0/0x3c0
[ 42.306030][ T400] ? inode_permission+0xbe/0x3a0
[ 42.310973][ T400] path_openat+0x1a0b/0x2740
[ 42.315561][ T400] ? do_sys_openat2+0x3fc/0x7d0
[ 42.320386][ T400] ? path_lookupat.isra.0+0x530/0x530
[ 42.325730][ T400] do_filp_open+0x192/0x260
[ 42.330221][ T400] ? may_open_dev+0xf0/0xf0
[ 42.334696][ T400] ? __alloc_fd+0x46d/0x600
[ 42.339188][ T400] ? do_raw_spin_lock+0x129/0x290
[ 42.344549][ T400] ? _raw_spin_unlock+0x1a/0x30
[ 42.349394][ T400] ? __alloc_fd+0x46d/0x600
[ 42.354152][ T400] do_sys_openat2+0x585/0x7d0
[ 42.358802][ T400] ? file_open_root+0x400/0x400
[ 42.363643][ T400] ? __secure_computing+0xb4/0x280
[ 42.368727][ T400] ? syscall_trace_enter+0x41d/0xcd0
[ 42.374011][ T400] do_sys_open+0xc3/0x140
[ 42.378337][ T400] ? filp_open+0x70/0x70
[ 42.382554][ T400] ? trace_hardirqs_off_caller+0x55/0x200
[ 42.388363][ T400] do_syscall_64+0xb6/0x5a0
[ 42.392940][ T400] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 42.398816][ T400] RIP: 0033:0x7f4561b26840
[ 42.403326][ T400] Code: 73 01 c3 48 8b 0d 68 77 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 bb 20 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 1e f6 ff ff 48 89 04 24
[ 42.422932][ T400] RSP: 002b:00007fff746fe318 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 42.431324][ T400] RAX: ffffffffffffffda RBX: 00007fff746fe488 RCX: 00007f4561b26840
[ 42.439272][ T400] RDX: 00007f4561b12ea0 RSI: 0000000000000000 RDI: 00007fff746fef23
[ 42.447243][ T400] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 42.455206][ T400] R10: 0000000000000002 R11: 0000000000000246 R12: 000055ab0a94c8d0
[ 42.463170][ T400] R13: 00007fff746fe480 R14: 0000000000000000 R15: 0000000000000000
[ 42.472163][ T400] Kernel Offset: disabled
[ 42.476471][ T400] Rebooting in 86400 seconds..