Warning: Permanently added '10.128.0.61' (ED25519) to the list of known hosts.
executing program
[ 38.195776][ T9] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 38.358243][ T9] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x82 has invalid wMaxPacketSize 0
[ 38.358313][ T9] usb 1-1: config 0 interface 0 altsetting 0 bulk endpoint 0x82 has invalid maxpacket 0
[ 38.358352][ T9] usb 1-1: New USB device found, idVendor=eb1a, idProduct=e303, bcdDevice= 1.a0
[ 38.358378][ T9] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 38.361270][ T9] usb 1-1: config 0 descriptor??
[ 38.369642][ T9] em28xx 1-1:0.0: New device @ 480 Mbps (eb1a:e303, interface 0, class 0)
[ 38.369687][ T9] em28xx 1-1:0.0: Video interface 0 found: bulk
executing program
[ 38.626375][ T9] em28xx 1-1:0.0: unknown em28xx chip ID (0)
[ 38.725778][ T9] em28xx 1-1:0.0: reading from i2c device at 0xa0 failed (error=-5)
[ 38.725871][ T9] em28xx 1-1:0.0: board has no eeprom
[ 38.785731][ T9] em28xx 1-1:0.0: Identified as Kaiomy TVnPC U2 (card=63)
[ 38.785804][ T9] em28xx 1-1:0.0: analog set to bulk mode.
[ 38.792011][ T6522] em28xx 1-1:0.0: Registering V4L2 extension
[ 38.796470][ T9] usb 1-1: USB disconnect, device number 2
[ 38.797481][ T9] em28xx 1-1:0.0: Disconnecting em28xx
[ 38.824231][ T6522] i2c i2c-1: Invalid 7-bit I2C address 0x00
[ 38.840902][ T6522] tuner: 1-0061: Tuner -1 found with type(s) Radio TV.
[ 38.841739][ T6522] xc2028 1-0061: creating new instance
[ 38.841781][ T6522] xc2028 1-0061: type set to XCeive xc2028/xc3028 tuner
[ 38.841931][ T6522] em28xx 1-1:0.0: Config register raw data: 0xffffffed
[ 38.841959][ T6522] em28xx 1-1:0.0: AC97 chip type couldn't be determined
[ 38.841980][ T6522] em28xx 1-1:0.0: No AC97 audio processor
[ 38.843875][ T6522] em28xx 1-1:0.0: Registered radio device as radio2
[ 38.843921][ T6522] usb 1-1: Decoder not found
[ 38.843942][ T6522] em28xx 1-1:0.0: failed to create media graph
[ 38.843978][ T6522] em28xx 1-1:0.0: V4L2 device radio2 deregistered
[ 38.845222][ T6522] em28xx 1-1:0.0: V4L2 device video11 deregistered
[ 38.847084][ T6522] xc2028 1-0061: destroying instance
[ 38.847667][ T6522] em28xx 1-1:0.0: Registering input extension
[ 38.848080][ T9] em28xx 1-1:0.0: Cl ** replaying previous printk message **
[ 38.848080][ T9] em28xx 1-1:0.0: Closing input extension
[ 38.851572][ T9] em28xx 1-1:0.0: Freeing device
[ 38.863095][ T6522] usb 1-1:0.0: Direct firmware load for xc3028-v27.fw failed with error -2
[ 38.863130][ T6522] usb 1-1:0.0: Falling back to sysfs fallback for: xc3028-v27.fw
[ 38.863193][ T6522] kobject: kobject_add_internal failed for firmware (error: -2 parent: 1-1:0.0)
[ 38.863259][ T6522] firmware xc3028-v27.fw: fw_load_sysfs_fallback: device_register failed
[ 38.863351][ T6522] ==================================================================
[ 38.863365][ T6522] BUG: KASAN: slab-use-after-free in load_firmware_cb+0xbc/0x14f4
[ 38.863388][ T6522] Read of size 8 at addr ffff0000d4af9318 by task kworker/0:3/6522
[ 38.863403][ T6522]
[ 38.863414][ T6522] CPU: 0 UID: 0 PID: 6522 Comm: kworker/0:3 Not tainted 6.16.0-rc1-syzkaller-g39dfc971e42d #0 PREEMPT
[ 38.863428][ T6522] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 38.863436][ T6522] Workqueue: events request_firmware_work_func
[ 38.863452][ T6522] Call trace:
[ 38.863456][ T6522] show_stack+0x2c/0x3c (C)
[ 38.863486][ T6522] __dump_stack+0x30/0x40
[ 38.863500][ T6522] dump_stack_lvl+0xd8/0x12c
[ 38.863513][ T6522] print_address_description+0xa8/0x254
[ 38.863526][ T6522] print_report+0x68/0x84
[ 38.863545][ T6522] kasan_report+0xb0/0x110
[ 38.863556][ T6522] __asan_report_load8_noabort+0x20/0x2c
[ 38.863568][ T6522] load_firmware_cb+0xbc/0x14f4
[ 38.863579][ T6522] request_firmware_work_func+0xe8/0x19c
[ 38.863593][ T6522] process_one_work+0x7e8/0x155c
[ 38.863607][ T6522] worker_thread+0x958/0xed8
[ 38.863620][ T6522] kthread+0x5fc/0x75c
[ 38.863632][ T6522] ret_from_fork+0x10/0x20
[ 38.863643][ T6522]
[ 38.863726][ T6522] Allocated by task 6522:
[ 38.863737][ T6522] kasan_save_track+0x40/0x78
[ 38.863755][ T6522] kasan_save_alloc_info+0x44/0x54
[ 38.863770][ T6522] __kasan_kmalloc+0x9c/0xb4
[ 38.863787][ T6522] __kmalloc_cache_noprof+0x2a4/0x3fc
[ 38.863802][ T6522] tuner_probe+0xc4/0x1690
[ 38.863818][ T6522] i2c_device_probe+0x864/0x9d0
[ 38.863833][ T6522] really_probe+0x394/0x910
[ 38.863848][ T6522] __driver_probe_device+0x180/0x2d4
[ 38.863863][ T6522] driver_probe_device+0x78/0x330
[ 38.863878][ T6522] __device_attach_driver+0x290/0x4e0
[ 38.863892][ T6522] bus_for_each_drv+0x220/0x2b4
[ 38.863910][ T6522] __device_attach+0x26c/0x388
[ 38.863924][ T6522] device_initial_probe+0x24/0x34
[ 38.863938][ T6522] bus_probe_device+0x178/0x240
[ 38.863955][ T6522] device_add+0x71c/0xa60
[ 38.863971][ T6522] device_register+0x28/0x38
[ 38.863986][ T6522] i2c_new_client_device+0x834/0xe9c
[ 38.864001][ T6522] v4l2_i2c_new_subdev_board+0xb0/0x224
[ 38.864019][ T6522] v4l2_i2c_new_subdev+0x138/0x1c0
[ 38.864037][ T6522] em28xx_v4l2_init+0x6f4/0x2918
[ 38.864053][ T6522] em28xx_init_extension+0x10c/0x1b4
[ 38.864067][ T6522] request_module_async+0x68/0x98
[ 38.864081][ T6522] process_one_work+0x7e8/0x155c
[ 38.864098][ T6522] worker_thread+0x958/0xed8
[ 38.864115][ T6522] kthread+0x5fc/0x75c
[ 38.864130][ T6522] ret_from_fork+0x10/0x20
[ 38.864144][ T6522]
[ 38.864153][ T6522] Freed by task 6522:
[ 38.864163][ T6522] kasan_save_track+0x40/0x78
[ 38.864181][ T6522] kasan_save_free_info+0x58/0x70
[ 38.864195][ T6522] __kasan_slab_free+0x68/0x88
[ 38.864213][ T6522] kfree+0x17c/0x474
[ 38.864230][ T6522] tuner_remove+0x1d8/0x1f4
[ 38.864245][ T6522] i2c_device_remove+0x8c/0x1dc
[ 38.864260][ T6522] device_release_driver_internal+0x3a8/0x658
[ 38.864275][ T6522] device_release_driver+0x28/0x38
[ 38.864289][ T6522] bus_remove_device+0x310/0x3b0
[ 38.864306][ T6522] device_del+0x47c/0x808
[ 38.864322][ T6522] device_unregister+0x2c/0xcc
[ 38.864337][ T6522] i2c_unregister_device+0x1a4/0x200
[ 38.864353][ T6522] v4l2_i2c_subdev_unregister+0xa8/0xbc
[ 38.864370][ T6522] v4l2_device_unregister+0x170/0x248
[ 38.864385][ T6522] em28xx_v4l2_init+0x1328/0x2918
[ 38.864400][ T6522] em28xx_init_extension+0x10c/0x1b4
[ 38.864414][ T6522] request_module_async+0x68/0x98
[ 38.864428][ T6522] process_one_work+0x7e8/0x155c
[ 38.864445][ T6522] worker_thread+0x958/0xed8
[ 38.864462][ T6522] kthread+0x5fc/0x75c
[ 38.864487][ T6522] ret_from_fork+0x10/0x20
[ 38.864501][ T6522]
[ 38.864509][ T6522] The buggy address belongs to the object at ffff0000d4af9000
[ 38.864509][ T6522] which belongs to the cache kmalloc-2k of size 2048
[ 38.864524][ T6522] The buggy address is located 792 bytes inside of
[ 38.864524][ T6522] freed 2048-byte region [ffff0000d4af9000, ffff0000d4af9800)
[ 38.864548][ T6522]
[ 38.864557][ T6522] The buggy address belongs to the physical page:
[ 38.864567][ T6522] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x114af8
[ 38.864584][ T6522] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 38.864599][ T6522] flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
[ 38.864617][ T6522] page_type: f5(slab)
[ 38.864633][ T6522] raw: 05ffc00000000040 ffff0000c0002000 dead000000000122 0000000000000000
[ 38.864649][ T6522] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
[ 38.864665][ T6522] head: 05ffc00000000040 ffff0000c0002000 dead000000000122 0000000000000000
[ 38.864680][ T6522] head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
[ 38.864696][ T6522] head: 05ffc00000000003 fffffdffc352be01 00000000ffffffff 00000000ffffffff
[ 38.864712][ T6522] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 38.864723][ T6522] page dumped because: kasan: bad access detected
[ 38.864734][ T6522]
[ 38.864742][ T6522] Memory state around the buggy address:
[ 38.864754][ T6522] ffff0000d4af9200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.864767][ T6522] ffff0000d4af9280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.864780][ T6522] >ffff0000d4af9300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.864792][ T6522] ^
[ 38.864804][ T6522] ffff0000d4af9380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.864817][ T6522] ffff0000d4af9400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.864829][ T6522] ==================================================================
[ 38.864843][ T6522] Disabling lock debugging due to kernel taint
[ 38.864865][ T6522] Unable to handle kernel paging request at virtual address dfff800000000005
[ 38.864883][ T6522] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
[ 38.864901][ T6522] Mem abort info:
[ 38.864914][ T6522] ESR = 0x0000000096000005
[ 38.864928][ T6522] EC = 0x25: DABT (current EL), IL = 32 bits
[ 38.864945][ T6522] SET = 0, FnV = 0
[ 38.864960][ T6522] EA = 0, S1PTW = 0
[ 38.864975][ T6522] FSC = 0x05: level 1 translation fault
[ 38.864990][ T6522] Data abort info:
[ 38.865004][ T6522] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 38.865019][ T6522] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 38.865036][ T6522] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 38.865054][ T6522] [dfff800000000005] address between user and kernel address ranges
[ 38.865072][ T6522] Internal error: Oops: 0000000096000005 [#1] SMP
[ 39.056394][ T6522] Modules linked in:
[ 39.057479][ T6522] CPU: 0 UID: 0 PID: 6522 Comm: kworker/0:3 Tainted: G B 6.16.0-rc1-syzkaller-g39dfc971e42d #0 PREEMPT
[ 39.061128][ T6522] Tainted: [B]=BAD_PAGE
[ 39.062359][ T6522] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 39.065172][ T6522] Workqueue: events request_firmware_work_func
[ 39.066903][ T6522] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 39.069129][ T6522] pc : load_firmware_cb+0x22c/0x14f4
[ 39.070632][ T6522] lr : load_firmware_cb+0xe0/0x14f4
[ 39.072164][ T6522] sp : ffff80009d177880
[ 39.073274][ T6522] x29: ffff80009d1779d0 x28: 1ffff00011ec629b x27: 0000000000000000
[ 39.075572][ T6522] x26: dfff800000000000 x25: ffff700013a2ef24 x24: 1fffe0001a95f263
[ 39.077842][ T6522] x23: ffff80009d177920 x22: 0000000000000000 x21: 0000000000000000
[ 39.080063][ T6522] x20: 0000000000000000 x19: ffff0000d4af9318 x18: 00000000ffffffff
[ 39.082376][ T6522] x17: 0000000000000000 x16: ffff80008ae31308 x15: 0000000000000001
[ 39.084648][ T6522] x14: 1ffff000125d08f8 x13: 0000000000000000 x12: 0000000000000000
[ 39.086884][ T6522] x11: ffff7000125d08f9 x10: 0000000000ff0100 x9 : 0000000000000000
[ 39.089178][ T6522] x8 : 0000000000000005 x7 : 0000000000000001 x6 : 0000000000000001
[ 39.091653][ T6522] x5 : ffff80009d1770f8 x4 : ffff80008f727060 x3 : ffff8000803b88c8
[ 39.093903][ T6522] x2 : 0000000000000001 x1 : 0000000000000000 x0 : 0000000000000028
[ 39.096173][ T6522] Call trace:
[ 39.097108][ T6522] load_firmware_cb+0x22c/0x14f4 (P)
[ 39.098652][ T6522] request_firmware_work_func+0xe8/0x19c
[ 39.100281][ T6522] process_one_work+0x7e8/0x155c
[ 39.101715][ T6522] worker_thread+0x958/0xed8
[ 39.102991][ T6522] kthread+0x5fc/0x75c
[ 39.104140][ T6522] ret_from_fork+0x10/0x20
[ 39.105551][ T6522] Code: b5fff65b f9403bf6 9100a2c0 d343fc08 (387a6908)
[ 39.107496][ T6522] ---[ end trace 0000000000000000 ]---
[ 39.405491][ T6522] Kernel panic - not syncing: Oops: Fatal exception
[ 39.407409][ T6522] SMP: stopping secondary CPUs
[ 39.408857][ T6522] Kernel Offset: disabled
[ 39.410055][ T6522] CPU features: 0x2000,000081c0,020004a1,04017203
[ 39.411826][ T6522] Memory Limit: none
[ 39.705218][ T6522] Rebooting in 86400 seconds..