[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
syzkaller login: [ 16.377273][ C1] random: crng init done
[ 16.381575][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.1.21' (ECDSA) to the list of known hosts.
executing program
[ 23.570144][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 23.660250][ T83] usb 1-1: Using ep0 maxpacket: 32
[ 23.790045][ T83] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x82 has invalid wMaxPacketSize 0
[ 23.800068][ T83] usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 28
[ 23.979879][ T83] usb 1-1: New USB device found, idVendor=eb1a, idProduct=a316, bcdDevice=5c.26
[ 23.988946][ T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 23.997010][ T83] usb 1-1: Product: syz
[ 24.001232][ T83] usb 1-1: Manufacturer: syz
[ 24.005805][ T83] usb 1-1: SerialNumber: syz
[ 24.012759][ T83] usb 1-1: config 0 descriptor??
[ 24.051806][ T83] em28xx 1-1:0.0: New device syz syz @ 480 Mbps (eb1a:a316, interface 0, class 0)
[ 24.061196][ T83] em28xx 1-1:0.0: Video interface 0 found:
executing program
[ 24.289751][ T83] em28xx 1-1:0.0: unknown em28xx chip ID (0)
[ 24.509544][ T83] em28xx 1-1:0.0: reading from i2c device at 0xa0 failed (error=-5)
[ 24.517798][ T83] em28xx 1-1:0.0: board has no eeprom
[ 24.629399][ T83] em28xx 1-1:0.0: Identified as Kworld PlusTV HD Hybrid 330 (card=57)
[ 24.637643][ T83] em28xx 1-1:0.0: analog set to bulk mode.
[ 24.646756][ T83] usb 1-1: USB disconnect, device number 2
[ 24.654483][ T83] em28xx 1-1:0.0: Disconnecting em28xx
[ 24.660600][ T17] em28xx 1-1:0.0: Registering V4L2 extension
[ 24.692129][ T17] em28xx 1-1:0.0: Config register raw data: 0xffffffed
[ 24.699408][ T17] em28xx 1-1:0.0: AC97 chip type couldn't be determined
[ 24.706783][ T17] em28xx 1-1:0.0: No AC97 audio processor
[ 24.714779][ T17] usb 1-1: Decoder not found
[ 24.719475][ T17] em28xx 1-1:0.0: failed to create media graph
[ 24.725762][ T17] em28xx 1-1:0.0: V4L2 device video0 deregistered
[ 24.733742][ T17] em28xx 1-1:0.0: Binding DVB extension
[ 24.733864][ T366] ==================================================================
[ 24.739476][ T17] em28xx 1-1:0.0: no endpoint for DVB mode and transfer type 0
[ 24.747447][ T366] BUG: KASAN: use-after-free in v4l2_fh_init+0x279/0x2c0
[ 24.747464][ T366] Read of size 8 at addr ffff8881ccdb88c8 by task v4l_id/366
[ 24.755028][ T17] em28xx 1-1:0.0: failed to pre-allocate USB transfer buffers for DVB.
[ 24.761975][ T366]
[ 24.761991][ T366] CPU: 0 PID: 366 Comm: v4l_id Not tainted 5.7.0-rc1-syzkaller #0
[ 24.761999][ T366] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.762008][ T366] Call Trace:
[ 24.769421][ T17] em28xx 1-1:0.0: Remote control support is not available for this card.
[ 24.777595][ T366] dump_stack+0xef/0x16e
[ 24.780232][ T83] em28xx 1-1:0.0: Closing input extension
[ 24.788038][ T366] print_address_description.constprop.0.cold+0xd3/0x314
[ 24.788057][ T366] ? v4l2_fh_init+0x279/0x2c0
[ 24.831889][ T366] __kasan_report.cold+0x37/0x92
[ 24.836815][ T366] ? v4l2_fh_init+0x279/0x2c0
[ 24.841474][ T366] ? v4l2_fh_init+0x279/0x2c0
[ 24.846132][ T366] kasan_report+0x33/0x50
[ 24.850551][ T366] v4l2_fh_init+0x279/0x2c0
[ 24.855036][ T366] v4l2_fh_open+0x88/0xc0
[ 24.859348][ T366] em28xx_v4l2_open+0x11a/0x570
[ 24.864188][ T366] v4l2_open+0x20f/0x3d0
[ 24.868428][ T366] ? v4l2_release+0x390/0x390
[ 24.873086][ T366] chrdev_open+0x219/0x5c0
[ 24.877485][ T366] ? cdev_put.part.0+0x50/0x50
[ 24.882230][ T366] ? security_file_open+0x84/0x410
[ 24.887323][ T366] do_dentry_open+0x4ac/0x1160
[ 24.892071][ T366] ? cdev_put.part.0+0x50/0x50
[ 24.899074][ T366] ? chmod_common+0x3c0/0x3c0
[ 24.903736][ T366] ? inode_permission+0xbe/0x3a0
[ 24.908653][ T366] path_openat+0x1a0b/0x2740
[ 24.913224][ T366] ? do_sys_openat2+0x3fc/0x7d0
[ 24.918055][ T366] ? path_lookupat.isra.0+0x530/0x530
[ 24.923413][ T366] do_filp_open+0x192/0x260
[ 24.927898][ T366] ? may_open_dev+0xf0/0xf0
[ 24.932383][ T366] ? __alloc_fd+0x46d/0x600
[ 24.937040][ T366] ? do_raw_spin_lock+0x129/0x290
[ 24.942046][ T366] ? _raw_spin_unlock+0x1a/0x30
[ 24.946888][ T366] ? __alloc_fd+0x46d/0x600
[ 24.951372][ T366] do_sys_openat2+0x585/0x7d0
[ 24.956029][ T366] ? file_open_root+0x400/0x400
[ 24.960873][ T366] ? __secure_computing+0xb4/0x280
[ 24.965966][ T366] ? syscall_trace_enter+0x41d/0xcd0
[ 24.971230][ T366] do_sys_open+0xc3/0x140
[ 24.975541][ T366] ? filp_open+0x70/0x70
[ 24.979766][ T366] ? trace_hardirqs_off_caller+0x55/0x200
[ 24.985481][ T366] do_syscall_64+0xb6/0x5a0
[ 24.989967][ T366] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 24.995848][ T366] RIP: 0033:0x7fb265a1e840
[ 25.000332][ T366] Code: 73 01 c3 48 8b 0d 68 77 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 bb 20 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 1e f6 ff ff 48 89 04 24
[ 25.019927][ T366] RSP: 002b:00007ffde28eef58 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 25.028582][ T366] RAX: ffffffffffffffda RBX: 00007ffde28ef0c8 RCX: 00007fb265a1e840
[ 25.036535][ T366] RDX: 00007fb265a0aea0 RSI: 0000000000000000 RDI: 00007ffde28eff25
[ 25.044503][ T366] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 25.052456][ T366] R10: 0000000000000002 R11: 0000000000000246 R12: 000055d0b2efe8d0
[ 25.060411][ T366] R13: 00007ffde28ef0c0 R14: 0000000000000000 R15: 0000000000000000
[ 25.068361][ T366]
[ 25.070669][ T366] The buggy address belongs to the page:
[ 25.076288][ T366] page:ffffea0007336e00 refcount:0 mapcount:-128 mapping:00000000304d2c6c index:0x0
[ 25.085759][ T366] flags: 0x200000000000000()
[ 25.090335][ T366] raw: 0200000000000000 ffffea0007322508 ffff88821fffabd0 0000000000000000
[ 25.098901][ T366] raw: 0000000000000000 0000000000000002 00000000ffffff7f 0000000000000000
[ 25.107560][ T366] page dumped because: kasan: bad access detected
[ 25.113955][ T366]
[ 25.116261][ T366] Memory state around the buggy address:
[ 25.121883][ T366] ffff8881ccdb8780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.129934][ T366] ffff8881ccdb8800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.137984][ T366] >ffff8881ccdb8880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.146027][ T366] ^
[ 25.152519][ T366] ffff8881ccdb8900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.160566][ T366] ffff8881ccdb8980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.168603][ T366] ==================================================================
[ 25.176640][ T366] Disabling lock debugging due to kernel taint
[ 25.182928][ T366] Kernel panic - not syncing: panic_on_warn set ...
[ 25.189503][ T366] CPU: 0 PID: 366 Comm: v4l_id Tainted: G B 5.7.0-rc1-syzkaller #0
[ 25.198708][ T366] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.208757][ T366] Call Trace:
[ 25.213114][ T366] dump_stack+0xef/0x16e
[ 25.217330][ T366] panic+0x2aa/0x6e1
[ 25.221316][ T366] ? add_taint.cold+0x16/0x16
[ 25.226102][ T366] ? v4l2_fh_init+0x279/0x2c0
[ 25.230756][ T366] ? trace_hardirqs_on+0x55/0x200
[ 25.235809][ T366] ? v4l2_fh_init+0x279/0x2c0
[ 25.240462][ T366] end_report+0x4d/0x53
[ 25.244591][ T366] __kasan_report.cold+0x72/0x92
[ 25.249518][ T366] ? v4l2_fh_init+0x279/0x2c0
[ 25.254183][ T366] ? v4l2_fh_init+0x279/0x2c0
[ 25.258848][ T366] kasan_report+0x33/0x50
[ 25.263171][ T366] v4l2_fh_init+0x279/0x2c0
[ 25.267647][ T366] v4l2_fh_open+0x88/0xc0
[ 25.271964][ T366] em28xx_v4l2_open+0x11a/0x570
[ 25.276801][ T366] v4l2_open+0x20f/0x3d0
[ 25.281024][ T366] ? v4l2_release+0x390/0x390
[ 25.285682][ T366] chrdev_open+0x219/0x5c0
[ 25.290083][ T366] ? cdev_put.part.0+0x50/0x50
[ 25.294834][ T366] ? security_file_open+0x84/0x410
[ 25.300006][ T366] do_dentry_open+0x4ac/0x1160
[ 25.304741][ T366] ? cdev_put.part.0+0x50/0x50
[ 25.309478][ T366] ? chmod_common+0x3c0/0x3c0
[ 25.314129][ T366] ? inode_permission+0xbe/0x3a0
[ 25.319043][ T366] path_openat+0x1a0b/0x2740
[ 25.323612][ T366] ? do_sys_openat2+0x3fc/0x7d0
[ 25.328434][ T366] ? path_lookupat.isra.0+0x530/0x530
[ 25.333788][ T366] do_filp_open+0x192/0x260
[ 25.338262][ T366] ? may_open_dev+0xf0/0xf0
[ 25.342752][ T366] ? __alloc_fd+0x46d/0x600
[ 25.347230][ T366] ? do_raw_spin_lock+0x129/0x290
[ 25.352251][ T366] ? _raw_spin_unlock+0x1a/0x30
[ 25.357088][ T366] ? __alloc_fd+0x46d/0x600
[ 25.361562][ T366] do_sys_openat2+0x585/0x7d0
[ 25.366211][ T366] ? file_open_root+0x400/0x400
[ 25.371036][ T366] ? __secure_computing+0xb4/0x280
[ 25.376129][ T366] ? syscall_trace_enter+0x41d/0xcd0
[ 25.381918][ T366] do_sys_open+0xc3/0x140
[ 25.386220][ T366] ? filp_open+0x70/0x70
[ 25.390445][ T366] ? trace_hardirqs_off_caller+0x55/0x200
[ 25.396149][ T366] do_syscall_64+0xb6/0x5a0
[ 25.400643][ T366] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 25.406522][ T366] RIP: 0033:0x7fb265a1e840
[ 25.410926][ T366] Code: 73 01 c3 48 8b 0d 68 77 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 bb 20 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 1e f6 ff ff 48 89 04 24
[ 25.430594][ T366] RSP: 002b:00007ffde28eef58 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 25.438982][ T366] RAX: ffffffffffffffda RBX: 00007ffde28ef0c8 RCX: 00007fb265a1e840
[ 25.446934][ T366] RDX: 00007fb265a0aea0 RSI: 0000000000000000 RDI: 00007ffde28eff25
[ 25.454978][ T366] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 25.463011][ T366] R10: 0000000000000002 R11: 0000000000000246 R12: 000055d0b2efe8d0
[ 25.470968][ T366] R13: 00007ffde28ef0c0 R14: 0000000000000000 R15: 0000000000000000
[ 25.479712][ T366] Kernel Offset: disabled
[ 25.484370][ T366] Rebooting in 86400 seconds..