./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor842668262 <...>
Warning: Permanently added '10.128.0.76' (ED25519) to the list of known hosts.
execve("./syz-executor842668262", ["./syz-executor842668262"], 0x7ffd3a67ebb0 /* 10 vars */) = 0
brk(NULL) = 0x555581f82000
brk(0x555581f82d00) = 0x555581f82d00
arch_prctl(ARCH_SET_FS, 0x555581f82380) = 0
set_tid_address(0x555581f82650) = 282
set_robust_list(0x555581f82660, 24) = 0
rseq(0x555581f82ca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented)
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor842668262", 4096) = 27
getrandom("\x9a\x0b\xce\x91\x40\x8b\xfc\x64", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x555581f82d00
brk(0x555581fa3d00) = 0x555581fa3d00
brk(0x555581fa4000) = 0x555581fa4000
mprotect(0x7f24284f1000, 16384, PROT_READ) = 0
mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000
mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000
mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000
write(1, "executing program\n", 18executing program
) = 18
openat(AT_FDCWD, "/dev/raw-gadget", O_RDWR) = 3
ioctl(3, USB_RAW_IOCTL_INIT, 0x7ffda75cdee0) = 0
ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0
ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffda75cdee0) = 0
[ 22.689410][ T24] audit: type=1400 audit(1756128282.260:64): avc: denied { execmem } for pid=282 comm="syz-executor842" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 22.698430][ T24] audit: type=1400 audit(1756128282.270:65): avc: denied { read write } for pid=282 comm="syz-executor842" name="raw-gadget" dev="devtmpfs" ino=253 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 22.713910][ T24] audit: type=1400 audit(1756128282.270:66): avc: denied { open } for pid=282 comm="syz-executor842" path="/dev/raw-gadget" dev="devtmpfs" ino=253 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 22.742670][ T24] audit: type=1400 audit(1756128282.270:67): avc: denied { ioctl } for pid=282 comm="syz-executor842" path="/dev/raw-gadget" dev="devtmpfs" ino=253 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffda75cdee0) = 0
ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffda75cced0) = 18
[ 22.965431][ T15] usb 1-1: new high-speed USB device number 2 using dummy_hcd
ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffda75cdee0) = 0
ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffda75cced0) = 18
[ 23.205391][ T15] usb 1-1: Using ep0 maxpacket: 16
ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffda75cdee0) = 0
ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffda75cced0) = 9
ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffda75cdee0) = 0
ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffda75cced0) = 36
[ 23.325473][ T15] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7
[ 23.337543][ T15] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0
[ 23.347994][ T15] usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 9
[ 23.362719][ T15] usb 1-1: New USB device found, idVendor=045e, idProduct=07da, bcdDevice= 0.00
ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffda75cdee0) = 0
ioctl(3, USB_RAW_IOCTL_VBUS_DRAW, 0) = 0
ioctl(3, USB_RAW_IOCTL_CONFIGURE, 0) = 0
ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f24284f73cc) = -1 EINVAL (Invalid argument)
ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffda75cced0) = 0
[ 23.372128][ T15] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 23.382049][ T15] usb 1-1: config 0 descriptor??
ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffda75cdf10) = 0
ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffda75ccf00) = 0
openat(AT_FDCWD, "/dev/usbmon0", O_RDONLY) = 4
ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffda75cdf10) = 0
ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffda75ccf00) = 34
[ 23.846311][ T24] audit: type=1400 audit(1756128283.420:68): avc: denied { read } for pid=282 comm="syz-executor842" name="usbmon0" dev="devtmpfs" ino=154 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1
[ 23.872557][ T24] audit: type=1400 audit(1756128283.420:69): avc: denied { open } for pid=282 comm="syz-executor842" path="/dev/usbmon0" dev="devtmpfs" ino=154 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1
[ 23.873387][ T15] microsoft 0003:045E:07DA.0001: unknown main item tag 0x0
[ 23.906070][ T15] microsoft 0003:045E:07DA.0001: ignoring exceeding usage max
[ 23.915203][ T15] ==================================================================
[ 23.923652][ T15] BUG: KASAN: slab-out-of-bounds in mon_bin_event+0x1307/0x24e0
[ 23.931756][ T15] Read of size 3904 at addr ffff888105b815a1 by task kworker/0:1/15
[ 23.940155][ T15]
[ 23.942765][ T15] CPU: 0 PID: 15 Comm: kworker/0:1 Not tainted 5.10.240-syzkaller #0
[ 23.951916][ T15] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/14/2025
[ 23.962836][ T15] Workqueue: usb_hub_wq hub_event
[ 23.968132][ T15] Call Trace:
[ 23.971417][ T15] __dump_stack+0x21/0x24
[ 23.975912][ T15] dump_stack_lvl+0x169/0x1d8
[ 23.980755][ T15] ? show_regs_print_info+0x18/0x18
[ 23.986131][ T15] ? thaw_kernel_threads+0x220/0x220
[ 23.991412][ T15] print_address_description+0x7f/0x2c0
[ 23.997157][ T15] ? mon_bin_event+0x1307/0x24e0
[ 24.002437][ T15] kasan_report+0xe2/0x130
[ 24.006836][ T15] ? mon_bin_event+0x1307/0x24e0
[ 24.012009][ T15] ? mon_bin_event+0x1307/0x24e0
[ 24.017375][ T15] kasan_check_range+0x280/0x290
[ 24.022388][ T15] memcpy+0x2d/0x70
[ 24.026192][ T15] mon_bin_event+0x1307/0x24e0
[ 24.031117][ T15] ? mon_bin_complete+0x30/0x30
[ 24.036765][ T15] ? __kasan_kmalloc+0xec/0x110
[ 24.042122][ T15] ? __kasan_kmalloc+0xda/0x110
[ 24.047054][ T15] ? __kmalloc+0x1a7/0x330
[ 24.051558][ T15] ? mon_bin_vma_fault+0x1e0/0x1e0
[ 24.056747][ T15] mon_bin_submit+0x27/0x30
[ 24.061343][ T15] mon_submit+0x185/0x200
[ 24.065864][ T15] usb_hcd_submit_urb+0x117/0x1780
[ 24.071587][ T15] ? really_probe+0x3d8/0xa90
[ 24.076625][ T15] ? bus_for_each_drv+0x175/0x200
[ 24.081665][ T15] ? device_initial_probe+0x1a/0x20
[ 24.087331][ T15] ? usb_set_configuration+0x1a47/0x1f80
[ 24.093394][ T15] ? usb_generic_driver_probe+0x91/0x150
[ 24.099459][ T15] usb_submit_urb+0x10eb/0x1620
[ 24.104315][ T15] ? device_add+0x8b4/0xbf0
[ 24.108904][ T15] usb_start_wait_urb+0x117/0x2f0
[ 24.114199][ T15] ? usb_api_blocking_completion+0xb0/0xb0
[ 24.120223][ T15] ? __kasan_check_write+0x14/0x20
[ 24.125666][ T15] usb_control_msg+0x241/0x3f0
[ 24.130653][ T15] ? hid_output_report+0x722/0x7b0
[ 24.135761][ T15] usbhid_raw_request+0x453/0x580
[ 24.141222][ T15] ? usbhid_request+0x60/0x60
[ 24.145896][ T15] __hid_request+0x1d2/0x390
[ 24.150570][ T15] hidinput_connect+0x1d6d/0x2c30
[ 24.155815][ T15] hid_connect+0x458/0xdf0
[ 24.161184][ T15] ? usbhid_start+0x1a3c/0x2450
[ 24.166511][ T15] ? hid_match_id+0x340/0x340
[ 24.171679][ T15] hid_hw_start+0xaa/0x130
[ 24.176363][ T15] ms_probe+0x190/0x460
[ 24.180677][ T15] ? magicmouse_emit_touch+0x10f0/0x10f0
[ 24.186473][ T15] hid_device_probe+0x287/0x380
[ 24.191433][ T15] really_probe+0x386/0xa90
[ 24.196089][ T15] ? __kasan_check_write+0x14/0x20
[ 24.201827][ T15] driver_probe_device+0xe7/0x190
[ 24.207511][ T15] __device_attach_driver+0x282/0x3f0
[ 24.213006][ T15] ? state_synced_show+0x90/0x90
[ 24.218657][ T15] bus_for_each_drv+0x175/0x200
[ 24.224529][ T15] ? __kasan_check_write+0x14/0x20
[ 24.229857][ T15] ? subsys_find_device_by_id+0x350/0x350
[ 24.236165][ T15] __device_attach+0x29a/0x400
[ 24.241133][ T15] ? kfree+0xc0/0x270
[ 24.245523][ T15] ? device_attach+0x20/0x20
[ 24.250663][ T15] ? kobject_uevent_env+0x34d/0x700
[ 24.256043][ T15] device_initial_probe+0x1a/0x20
[ 24.261782][ T15] bus_probe_device+0xc0/0x1e0
[ 24.266818][ T15] device_add+0x8b4/0xbf0
[ 24.271575][ T15] hid_add_device+0x356/0x4b0
[ 24.276927][ T15] usbhid_probe+0xb2e/0xee0
[ 24.281633][ T15] usb_probe_interface+0x5ff/0xae0
[ 24.287061][ T15] really_probe+0x3d8/0xa90
[ 24.291973][ T15] ? __kasan_check_write+0x14/0x20
[ 24.297295][ T15] driver_probe_device+0xe7/0x190
[ 24.302611][ T15] __device_attach_driver+0x282/0x3f0
[ 24.308339][ T15] ? state_synced_show+0x90/0x90
[ 24.314173][ T15] bus_for_each_drv+0x175/0x200
[ 24.322299][ T15] ? __kasan_check_write+0x14/0x20
[ 24.327702][ T15] ? subsys_find_device_by_id+0x350/0x350
[ 24.333929][ T15] __device_attach+0x29a/0x400
[ 24.339944][ T15] ? device_attach+0x20/0x20
[ 24.344724][ T15] device_initial_probe+0x1a/0x20
[ 24.350223][ T15] bus_probe_device+0xc0/0x1e0
[ 24.355616][ T15] device_add+0x8b4/0xbf0
[ 24.360198][ T15] usb_set_configuration+0x1a47/0x1f80
[ 24.365844][ T15] usb_generic_driver_probe+0x91/0x150
[ 24.371556][ T15] usb_probe_device+0x148/0x260
[ 24.376564][ T15] really_probe+0x3d8/0xa90
[ 24.381242][ T15] ? __kasan_check_write+0x14/0x20
[ 24.386517][ T15] driver_probe_device+0xe7/0x190
[ 24.392048][ T15] __device_attach_driver+0x282/0x3f0
[ 24.397706][ T15] ? state_synced_show+0x90/0x90
[ 24.402961][ T15] bus_for_each_drv+0x175/0x200
[ 24.408543][ T15] ? __kasan_check_write+0x14/0x20
[ 24.414163][ T15] ? subsys_find_device_by_id+0x350/0x350
[ 24.420110][ T15] __device_attach+0x29a/0x400
[ 24.425162][ T15] ? device_attach+0x20/0x20
[ 24.429957][ T15] ? kobject_uevent_env+0x34d/0x700
[ 24.435332][ T15] device_initial_probe+0x1a/0x20
[ 24.440859][ T15] bus_probe_device+0xc0/0x1e0
[ 24.446095][ T15] device_add+0x8b4/0xbf0
[ 24.451713][ T15] usb_new_device+0xcd1/0x1450
[ 24.456902][ T15] ? wq_worker_last_func+0x50/0x50
[ 24.462987][ T15] ? usb_disconnect+0x850/0x850
[ 24.468041][ T15] hub_event+0x2679/0x4120
[ 24.472901][ T15] ? __kasan_check_write+0x14/0x20
[ 24.478480][ T15] ? led_work+0x5f0/0x5f0
[ 24.483340][ T15] ? __kasan_check_write+0x14/0x20
[ 24.488874][ T15] ? _raw_spin_lock_irq+0x8f/0xe0
[ 24.494503][ T15] ? __kasan_check_read+0x11/0x20
[ 24.499613][ T15] ? read_word_at_a_time+0x12/0x20
[ 24.505050][ T15] ? strscpy+0x9b/0x290
[ 24.509352][ T15] process_one_work+0x6e1/0xba0
[ 24.514488][ T15] worker_thread+0xa6a/0x13b0
[ 24.519292][ T15] ? _raw_spin_lock_irqsave+0xb0/0x110
[ 24.525041][ T15] ? __kasan_check_read+0x11/0x20
[ 24.530635][ T15] kthread+0x346/0x3d0
[ 24.534904][ T15] ? worker_clr_flags+0x190/0x190
[ 24.540097][ T15] ? kthread_blkcg+0xd0/0xd0
[ 24.544853][ T15] ret_from_fork+0x1f/0x30
[ 24.549351][ T15]
[ 24.551660][ T15] Allocated by task 15:
[ 24.556253][ T15] __kasan_kmalloc+0xda/0x110
[ 24.561024][ T15] __kmalloc+0x1a7/0x330
[ 24.565542][ T15] __hid_request+0x9a/0x390
[ 24.571994][ T15] hidinput_connect+0x1d6d/0x2c30
[ 24.577230][ T15] hid_connect+0x458/0xdf0
[ 24.582330][ T15] hid_hw_start+0xaa/0x130
[ 24.586996][ T15] ms_probe+0x190/0x460
[ 24.591412][ T15] hid_device_probe+0x287/0x380
[ 24.597277][ T15] really_probe+0x386/0xa90
[ 24.602530][ T15] driver_probe_device+0xe7/0x190
[ 24.608618][ T15] __device_attach_driver+0x282/0x3f0
[ 24.614879][ T15] bus_for_each_drv+0x175/0x200
[ 24.620495][ T15] __device_attach+0x29a/0x400
[ 24.625380][ T15] device_initial_probe+0x1a/0x20
[ 24.630472][ T15] bus_probe_device+0xc0/0x1e0
[ 24.635311][ T15] device_add+0x8b4/0xbf0
[ 24.639734][ T15] hid_add_device+0x356/0x4b0
[ 24.644598][ T15] usbhid_probe+0xb2e/0xee0
[ 24.649795][ T15] usb_probe_interface+0x5ff/0xae0
[ 24.655226][ T15] really_probe+0x3d8/0xa90
[ 24.660257][ T15] driver_probe_device+0xe7/0x190
[ 24.665270][ T15] __device_attach_driver+0x282/0x3f0
[ 24.670990][ T15] bus_for_each_drv+0x175/0x200
[ 24.676331][ T15] __device_attach+0x29a/0x400
[ 24.681510][ T15] device_initial_probe+0x1a/0x20
[ 24.687010][ T15] bus_probe_device+0xc0/0x1e0
[ 24.692384][ T15] device_add+0x8b4/0xbf0
[ 24.697115][ T15] usb_set_configuration+0x1a47/0x1f80
[ 24.702909][ T15] usb_generic_driver_probe+0x91/0x150
[ 24.708980][ T15] usb_probe_device+0x148/0x260
[ 24.715027][ T15] really_probe+0x3d8/0xa90
[ 24.719557][ T15] driver_probe_device+0xe7/0x190
[ 24.724776][ T15] __device_attach_driver+0x282/0x3f0
[ 24.730476][ T15] bus_for_each_drv+0x175/0x200
[ 24.736140][ T15] __device_attach+0x29a/0x400
[ 24.741301][ T15] device_initial_probe+0x1a/0x20
[ 24.746642][ T15] bus_probe_device+0xc0/0x1e0
[ 24.751571][ T15] device_add+0x8b4/0xbf0
[ 24.757124][ T15] usb_new_device+0xcd1/0x1450
[ 24.761989][ T15] hub_event+0x2679/0x4120
[ 24.766575][ T15] process_one_work+0x6e1/0xba0
[ 24.771756][ T15] worker_thread+0xa6a/0x13b0
[ 24.776498][ T15] kthread+0x346/0x3d0
[ 24.780557][ T15] ret_from_fork+0x1f/0x30
[ 24.785142][ T15]
[ 24.787562][ T15] The buggy address belongs to the object at ffff888105b815a0
[ 24.787562][ T15] which belongs to the cache kmalloc-8 of size 8
[ 24.802002][ T15] The buggy address is located 1 bytes inside of
[ 24.802002][ T15] 8-byte region [ffff888105b815a0, ffff888105b815a8)
[ 24.816401][ T15] The buggy address belongs to the page:
[ 24.822265][ T15] page:ffffea000416e040 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105b81
[ 24.833313][ T15] flags: 0x4000000000000200(slab)
[ 24.839272][ T15] raw: 4000000000000200 ffffea0004177b00 0000001400000014 ffff888100043c80
[ 24.848856][ T15] raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
[ 24.858585][ T15] page dumped because: kasan: bad access detected
[ 24.865242][ T15] page_owner tracks the page as allocated
[ 24.871135][ T15] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 1822598967, free_ts 0
[ 24.887349][ T15] prep_new_page+0x179/0x180
[ 24.892947][ T15] get_page_from_freelist+0x2235/0x23d0
[ 24.899527][ T15] __alloc_pages_nodemask+0x268/0x5f0
[ 24.905565][ T15] new_slab+0x84/0x3f0
[ 24.909695][ T15] ___slab_alloc+0x2a6/0x450
[ 24.915054][ T15] __slab_alloc+0x63/0xa0
[ 24.920001][ T15] __kmalloc+0x201/0x330
[ 24.924328][ T15] acpi_ns_internalize_name+0x2bc/0x3a0
[ 24.930118][ T15] acpi_ns_get_node+0x1a0/0x340
[ 24.935268][ T15] acpi_ns_evaluate+0x358/0xa00
[ 24.940237][ T15] acpi_evaluate_object+0x53c/0xa00
[ 24.946462][ T15] acpi_evaluate_integer+0xf5/0x1c0
[ 24.952833][ T15] acpi_bus_get_status+0x165/0x1f0
[ 24.958664][ T15] acpi_bus_attach+0x19c/0xb50
[ 24.963886][ T15] acpi_bus_attach+0x238/0xb50
[ 24.968810][ T15] acpi_bus_attach+0x238/0xb50
[ 24.973583][ T15] page_owner free stack trace missing
[ 24.979754][ T15]
[ 24.982074][ T15] Memory state around the buggy address:
[ 24.988170][ T15] ffff888105b81480: fc fb fc fc fc fc fb fc fc fc fc 00 fc fc fc fc
exit_group(0) = ?
+++ exited with 0 +++
[ 24.996763][ T15] ffff888105b81500: fa fc fc fc fc