Warning: Permanently added '10.128.0.75' (ECDSA) to the list of known hosts.
executing program
[ 43.626197][ T168] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 43.716388][ T168] usb 1-1: Using ep0 maxpacket: 32
[ 43.836171][ T168] usb 1-1: config 0 has an invalid interface number: 254 but max is 0
[ 43.844411][ T168] usb 1-1: config 0 has no interface number 0
[ 43.851542][ T168] usb 1-1: config 0 interface 254 altsetting 0 endpoint 0x82 has an invalid bInterval 0, changing to 7
[ 44.016153][ T168] usb 1-1: New USB device found, idVendor=eb1a, idProduct=e303, bcdDevice=29.3d
[ 44.025591][ T168] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 44.033665][ T168] usb 1-1: Product: syz
[ 44.037895][ T168] usb 1-1: Manufacturer: syz
[ 44.042485][ T168] usb 1-1: SerialNumber: syz
[ 44.049740][ T168] usb 1-1: config 0 descriptor??
executing program
[ 44.328159][ T168] em28xx 1-1:0.254: New device syz syz @ 480 Mbps (eb1a:e303, interface 254, class 254)
[ 44.338319][ T168] em28xx 1-1:0.254: Video interface 254 found:
[ 44.466008][ T168] em28xx 1-1:0.254: unknown em28xx chip ID (0)
[ 44.786023][ T168] em28xx 1-1:0.254: reading from i2c device at 0xa0 failed (error=-5)
[ 44.794378][ T168] em28xx 1-1:0.254: board has no eeprom
[ 44.905934][ T168] em28xx 1-1:0.254: Identified as Kaiomy TVnPC U2 (card=63)
[ 44.913405][ T168] em28xx 1-1:0.254: analog set to bulk mode.
[ 44.924445][ T168] usb 1-1: USB disconnect, device number 2
[ 44.933304][ T168] em28xx 1-1:0.254: Disconnecting em28xx
[ 44.940240][ T12] em28xx 1-1:0.254: Registering V4L2 extension
[ 44.981503][ T12] i2c i2c-0: Invalid 7-bit I2C address 0x00
[ 44.992743][ T12] tuner: 0-0061: Tuner -1 found with type(s) Radio TV.
[ 45.004422][ T12] xc2028 0-0061: creating new instance
[ 45.010128][ T12] xc2028 0-0061: type set to XCeive xc2028/xc3028 tuner
[ 45.017561][ T12] em28xx 1-1:0.254: Config register raw data: 0xffffffed
[ 45.024669][ T12] em28xx 1-1:0.254: AC97 chip type couldn't be determined
[ 45.031914][ T12] em28xx 1-1:0.254: No AC97 audio processor
[ 45.039643][ T12] em28xx 1-1:0.254: Registered radio device as radio0
[ 45.046592][ T12] usb 1-1: Decoder not found
[ 45.051227][ T12] em28xx 1-1:0.254: failed to create media graph
[ 45.061643][ T12] em28xx 1-1:0.254: V4L2 device radio0 deregistered
[ 45.069827][ T12] em28xx 1-1:0.254: V4L2 device video0 deregistered
[ 45.078415][ T12] xc2028 0-0061: destroying instance
[ 45.084454][ T12] em28xx 1-1:0.254: Registering input extension
[ 45.093461][ T168] em28xx 1-1:0.254: Closing input extension
[ 45.102757][ T168] em28xx 1-1:0.254: Freeing device
[ 45.129130][ T12] usb 1-1:0.254: Direct firmware load for xc3028-v27.fw failed with error -2
[ 45.138446][ T12] ==================================================================
[ 45.146685][ T12] BUG: KASAN: use-after-free in load_firmware_cb+0x173/0x18c
[ 45.154035][ T12] Read of size 8 at addr ffff8881cd067308 by task kworker/0:1/12
[ 45.161848][ T12]
[ 45.164172][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.7.0-rc1-syzkaller #0
[ 45.172339][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.182419][ T12] Workqueue: events request_firmware_work_func
[ 45.188569][ T12] Call Trace:
[ 45.191865][ T12]  dump_stack+0xef/0x16e
[ 45.196121][ T12]  print_address_description.constprop.0.cold+0xd3/0x314
[ 45.203404][ T12]  ? load_firmware_cb+0x173/0x18c
[ 45.208418][ T12]  __kasan_report.cold+0x37/0x92
[ 45.213363][ T12]  ? lockdep_hardirqs_on+0x360/0x5d0
[ 45.218644][ T12]  ? load_firmware_cb+0x173/0x18c
[ 45.223676][ T12]  ? load_firmware_cb+0x173/0x18c
[ 45.228843][ T12]  kasan_report+0x33/0x50
[ 45.233185][ T12]  load_firmware_cb+0x173/0x18c
[ 45.238028][ T12]  ? _request_firmware+0x941/0x1240
[ 45.243339][ T12]  ? kfree+0xd5/0x300
[ 45.247457][ T12]  ? _request_firmware+0x10b/0x1240
[ 45.252710][ T12]  ? xc2028_attach+0x2f0/0x2f0
[ 45.257469][ T12]  ? assign_fw+0x480/0x480
[ 45.261870][ T12]  ? lock_acquire+0x18b/0x7c0
[ 45.266553][ T12]  ? xc2028_attach+0x2f0/0x2f0
[ 45.271312][ T12]  request_firmware_work_func+0x126/0x242
[ 45.277013][ T12]  ? request_firmware_into_buf+0x90/0x90
[ 45.282627][ T12]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 45.288147][ T12]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 45.293410][ T12]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 45.298585][ T12]  process_one_work+0x965/0x1630
[ 45.303675][ T12]  ? lock_release+0x720/0x720
[ 45.308482][ T12]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 45.313898][ T12]  ? rwlock_bug.part.0+0x90/0x90
[ 45.318822][ T12]  worker_thread+0x96/0xe20
[ 45.323529][ T12]  ? process_one_work+0x1630/0x1630
[ 45.328726][ T12]  kthread+0x326/0x430
[ 45.333057][ T12]  ? kthread_create_on_node+0xf0/0xf0
[ 45.338419][ T12]  ret_from_fork+0x24/0x30
[ 45.342827][ T12]
[ 45.345145][ T12] Allocated by task 12:
[ 45.349284][ T12]  save_stack+0x1b/0x40
[ 45.353436][ T12]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 45.359075][ T12]  tuner_probe+0xa4/0x1182
[ 45.363480][ T12]  i2c_device_probe+0x51a/0x800
[ 45.368314][ T12]  really_probe+0x290/0xac0
[ 45.372827][ T12]  driver_probe_device+0x223/0x350
[ 45.377945][ T12]  __device_attach_driver+0x1d1/0x290
[ 45.383561][ T12]  bus_for_each_drv+0x162/0x1e0
[ 45.388395][ T12]  __device_attach+0x21a/0x390
[ 45.393537][ T12]  bus_probe_device+0x1e4/0x290
[ 45.398370][ T12]  device_add+0x1367/0x1c20
[ 45.402853][ T12]  i2c_new_client_device+0x589/0xa70
[ 45.408122][ T12]  v4l2_i2c_new_subdev_board+0xaf/0x2c0
[ 45.413819][ T12]  v4l2_i2c_new_subdev+0xb8/0xf0
[ 45.418755][ T12]  em28xx_v4l2_init.cold+0x99d/0x33bc
[ 45.424162][ T12]  em28xx_init_extension+0x12f/0x1f0
[ 45.429798][ T12]  request_module_async+0x5d/0x70
[ 45.434916][ T12]  process_one_work+0x965/0x1630
[ 45.439940][ T12]  worker_thread+0x73e/0xe20
[ 45.444521][ T12]  kthread+0x326/0x430
[ 45.448578][ T12]  ret_from_fork+0x24/0x30
[ 45.452989][ T12]
[ 45.455301][ T12] Freed by task 12:
[ 45.459149][ T12]  save_stack+0x1b/0x40
[ 45.463369][ T12]  __kasan_slab_free+0x117/0x160
[ 45.468284][ T12]  kfree+0xd5/0x300
[ 45.472070][ T12]  tuner_remove+0x198/0x200
[ 45.476550][ T12]  i2c_device_remove+0xcf/0x250
[ 45.481427][ T12]  device_release_driver_internal+0x231/0x500
[ 45.487559][ T12]  bus_remove_device+0x2eb/0x5a0
[ 45.492472][ T12]  device_del+0x481/0xd30
[ 45.496777][ T12]  device_unregister+0x22/0xc0
[ 45.501518][ T12]  i2c_unregister_device+0x38/0x40
[ 45.506604][ T12]  v4l2_i2c_subdev_unregister+0xa2/0xc0
[ 45.512140][ T12]  v4l2_device_unregister+0x18a/0x220
[ 45.517499][ T12]  em28xx_v4l2_init.cold+0xcf7/0x33bc
[ 45.522870][ T12]  em28xx_init_extension+0x12f/0x1f0
[ 45.528135][ T12]  request_module_async+0x5d/0x70
[ 45.533135][ T12]  process_one_work+0x965/0x1630
[ 45.538046][ T12]  worker_thread+0x73e/0xe20
[ 45.542626][ T12]  kthread+0x326/0x430
[ 45.546680][ T12]  ret_from_fork+0x24/0x30
[ 45.551074][ T12]
[ 45.553396][ T12] The buggy address belongs to the object at ffff8881cd067000
[ 45.553396][ T12]  which belongs to the cache kmalloc-2k of size 2048
[ 45.567427][ T12] The buggy address is located 776 bytes inside of
[ 45.567427][ T12]  2048-byte region [ffff8881cd067000, ffff8881cd067800)
[ 45.580784][ T12] The buggy address belongs to the page:
[ 45.586402][ T12] page:ffffea0007341800 refcount:1 mapcount:0 mapping:00000000f480cbd2 index:0x0 head:ffffea0007341800 order:3 compound_mapcount:0 compound_pincount:0
[ 45.601579][ T12] flags: 0x200000000010200(slab|head)
[ 45.606946][ T12] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
[ 45.615528][ T12] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 45.624096][ T12] page dumped because: kasan: bad access detected
[ 45.630505][ T12]
[ 45.632817][ T12] Memory state around the buggy address:
[ 45.638458][ T12]  ffff8881cd067200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.646506][ T12]  ffff8881cd067280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.654571][ T12] >ffff8881cd067300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.662609][ T12]                      ^
[ 45.666920][ T12]  ffff8881cd067380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.674962][ T12]  ffff8881cd067400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.682998][ T12] ==================================================================
[ 45.691034][ T12] Disabling lock debugging due to kernel taint
[ 45.697271][ T12] Kernel panic - not syncing: panic_on_warn set ...
[ 45.703867][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G    B 5.7.0-rc1-syzkaller #0
[ 45.713405][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.723471][ T12] Workqueue: events request_firmware_work_func
[ 45.729744][ T12] Call Trace:
[ 45.733057][ T12]  dump_stack+0xef/0x16e
[ 45.737301][ T12]  panic+0x2aa/0x6e1
[ 45.741175][ T12]  ? add_taint.cold+0x16/0x16
[ 45.745844][ T12]  ? load_firmware_cb+0x173/0x18c
[ 45.750864][ T12]  ? trace_hardirqs_on+0x55/0x200
[ 45.755866][ T12]  ? load_firmware_cb+0x173/0x18c
[ 45.760996][ T12]  end_report+0x4d/0x53
[ 45.765144][ T12]  __kasan_report.cold+0x72/0x92
[ 45.770072][ T12]  ? lockdep_hardirqs_on+0x360/0x5d0
[ 45.775338][ T12]  ? load_firmware_cb+0x173/0x18c
[ 45.780358][ T12]  ? load_firmware_cb+0x173/0x18c
[ 45.785370][ T12]  kasan_report+0x33/0x50
[ 45.789776][ T12]  load_firmware_cb+0x173/0x18c
[ 45.794608][ T12]  ? _request_firmware+0x941/0x1240
[ 45.799784][ T12]  ? kfree+0xd5/0x300
[ 45.803767][ T12]  ? _request_firmware+0x10b/0x1240
[ 45.808975][ T12]  ? xc2028_attach+0x2f0/0x2f0
[ 45.813713][ T12]  ? assign_fw+0x480/0x480
[ 45.818106][ T12]  ? lock_acquire+0x18b/0x7c0
[ 45.822759][ T12]  ? xc2028_attach+0x2f0/0x2f0
[ 45.827514][ T12]  request_firmware_work_func+0x126/0x242
[ 45.833225][ T12]  ? request_firmware_into_buf+0x90/0x90
[ 45.838850][ T12]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 45.844404][ T12]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 45.849665][ T12]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 45.854840][ T12]  process_one_work+0x965/0x1630
[ 45.859850][ T12]  ? lock_release+0x720/0x720
[ 45.864519][ T12]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 45.869894][ T12]  ? rwlock_bug.part.0+0x90/0x90
[ 45.874821][ T12]  worker_thread+0x96/0xe20
[ 45.879324][ T12]  ? process_one_work+0x1630/0x1630
[ 45.884497][ T12]  kthread+0x326/0x430
[ 45.888549][ T12]  ? kthread_create_on_node+0xf0/0xf0
[ 45.893917][ T12]  ret_from_fork+0x24/0x30
[ 45.899075][ T12] Kernel Offset: disabled
[ 45.903392][ T12] Rebooting in 86400 seconds..
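The three traces above fix the ordering of the bug: the 2 KiB tuner object is allocated in tuner_probe() during em28xx_v4l2_init, freed in tuner_remove() when the device is torn down, and read afterwards by load_firmware_cb() running from request_firmware_work_func on the events workqueue, i.e. the asynchronous firmware request (request_firmware_nowait in the kernel, whose worker is request_firmware_work_func) outlived the object whose pointer it captured. The C program below is an added userspace model of that pattern and of one standard remedy (the pending request holds its own reference on the context and the callback checks a removed flag before touching device state). It is not the em28xx/xc2028 driver code, makes no claim about how the driver was actually fixed upstream, and every identifier in it (struct tuner, model_kmalloc, model_kfree, fw_request_nowait, run_pending_work, scenario_vuln, scenario_fixed and the rest) is constructed for the illustration. The worker is run explicitly from the same thread, so the model shows the ordering that KASAN caught, not a concurrent race.

```c
/* Added userspace model of the lifetime bug in the report above; it is not the
 * kernel's em28xx/xc2028 code and every identifier here is constructed. An
 * asynchronous firmware request captures the driver context pointer and its
 * completion callback runs later from a worker; if remove() frees the context
 * first, the callback reads freed memory, the KASAN hit in load_firmware_cb().
 * The worker is run explicitly, so this shows the ordering, not a live race. */
#include <stdbool.h>
#include <stdlib.h>

struct tuner {            /* stands in for the 2 KiB object in the report */
    bool freed;           /* model of KASAN's freed-object poison */
    int refcnt;           /* hardened variant only */
    bool removed;         /* hardened variant only */
    bool fw_loaded;       /* what the completion callback writes */
};
static int uaf_hits;      /* callbacks that touched a freed context */

static struct tuner *model_kmalloc(void) { return calloc(1, sizeof(struct tuner)); }
/* Quarantine instead of releasing, so a later access is observable (KASAN-like). */
static void model_kfree(struct tuner *t) { t->freed = true; }

/* Modelled workqueue: a queued item keeps the context pointer it was given. */
typedef void (*fw_cb_t)(void *ctx, bool found);
static struct { fw_cb_t cb; void *ctx; } pending[8]; static int npending;

static void fw_request_nowait(fw_cb_t cb, void *ctx)   /* returns before the load runs */
{
    pending[npending].cb = cb;
    pending[npending++].ctx = ctx;
}

static void run_pending_work(void)                     /* the worker, run "later" */
{
    for (int i = 0; i < npending; i++)
        pending[i].cb(pending[i].ctx, false);          /* found=false: -ENOENT, as logged */
    npending = 0;
}

/* Vulnerable flow in the report's order: probe queues, disconnect frees, worker runs. */
static void load_firmware_cb_vuln(void *ctx, bool found)
{
    struct tuner *t = ctx;
    if (t->freed) { uaf_hits++; return; }              /* the access KASAN flagged */
    t->fw_loaded = found;
}

static struct tuner *tuner_probe_vuln(void)
{
    struct tuner *t = model_kmalloc();
    fw_request_nowait(load_firmware_cb_vuln, t);
    return t;
}
static void tuner_remove_vuln(struct tuner *t) { model_kfree(t); }

/* Hardened flow: the queued request owns a reference; remove() marks the device
 * gone and drops only its own reference, so whoever finishes last frees. */
static void tuner_put(struct tuner *t) { if (--t->refcnt == 0) model_kfree(t); }

static void load_firmware_cb_fixed(void *ctx, bool found)
{
    struct tuner *t = ctx;
    if (t->freed) { uaf_hits++; return; }              /* cannot happen: our ref keeps t alive */
    if (!t->removed)                                   /* device gone: skip the work, still put */
        t->fw_loaded = found;
    tuner_put(t);
}

static struct tuner *tuner_probe_fixed(void)
{
    struct tuner *t = model_kmalloc();
    t->refcnt = 2;                                     /* driver's ref + pending request's ref */
    fw_request_nowait(load_firmware_cb_fixed, t);
    return t;
}
/* remove() drops the driver's ref only; the request's ref still pins the object */
static void tuner_remove_fixed(struct tuner *t) { t->removed = true; tuner_put(t); }

static int scenario_vuln(void)                         /* expected: 1 use-after-free hit */
{
    uaf_hits = 0;
    struct tuner *t = tuner_probe_vuln();
    tuner_remove_vuln(t);                              /* disconnect before the load finished */
    run_pending_work();
    free(t);
    return uaf_hits;
}

/* 0 = correct; 1 = callback used freed memory; 2 = freed too early; 3 = never freed. */
static int scenario_fixed(void)
{
    uaf_hits = 0;
    struct tuner *t = tuner_probe_fixed();
    tuner_remove_fixed(t);
    int rc = t->freed ? 2 : 0;                         /* must still be alive here */
    if (!rc) { run_pending_work(); rc = uaf_hits ? 1 : t->freed ? 0 : 3; }
    free(t);
    return rc;
}
```

The model's quarantine (model_kfree sets a flag instead of releasing memory) plays the role KASAN's quarantine and poisoning play in the real report: it keeps the freed object observable so the late callback can be caught rather than silently corrupting reused memory. The reference-holding variant is one common fix shape for this class of bug; the alternative is to make the remove path cancel or wait for the outstanding request before freeing, which also works but stalls teardown on the firmware loader's timeout.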