Warning: Permanently added '10.128.0.152' (ED25519) to the list of known hosts.
executing program
[ 34.807617][ T2275] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 34.957485][ T2275] usb 1-1: Using ep0 maxpacket: 16
[ 34.960593][ T2275] usb 1-1: config 0 has an invalid interface number: 6 but max is 0
[ 34.962801][ T2275] usb 1-1: config 0 has no interface number 0
[ 34.964394][ T2275] usb 1-1: config 0 interface 6 altsetting 0 endpoint 0xC has invalid maxpacket 1024, setting to 64
[ 34.967262][ T2275] usb 1-1: config 0 interface 6 altsetting 0 bulk endpoint 0x7 has invalid maxpacket 120
[ 34.969977][ T2275] usb 1-1: config 0 interface 6 altsetting 0 endpoint 0x8A has an invalid bInterval 127, changing to 10
[ 34.972819][ T2275] usb 1-1: config 0 interface 6 altsetting 0 has a duplicate endpoint with address 0x7, skipping
[ 34.975531][ T2275] usb 1-1: config 0 interface 6 altsetting 0 bulk endpoint 0x4 has invalid maxpacket 1024
[ 34.980756][ T2275] usb 1-1: New USB device found, idVendor=19d2, idProduct=0078, bcdDevice=74.c0
[ 34.983189][ T2275] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 34.985189][ T2275] usb 1-1: Product: syz
[ 34.986310][ T2275] usb 1-1: Manufacturer: syz
[ 34.987532][ T2275] usb 1-1: SerialNumber: syz
[ 34.990736][ T2275] usb 1-1: config 0 descriptor??
[ 34.997838][ T2275] smsusb:smsusb_probe: board id=15, interface number 6
[ 35.001924][ T2275] smsusb:siano_media_device_register: media controller created
[ 35.004588][ T2275] ------------[ cut here ]------------
[ 35.005996][ T2275] usb 1-1: BOGUS urb xfer, pipe 3 != type 1
[ 35.008086][ T2275] WARNING: CPU: 1 PID: 2275 at drivers/usb/core/urb.c:504 usb_submit_urb+0xa00/0x1434
[ 35.010590][ T2275] Modules linked in:
[ 35.011563][ T2275] CPU: 1 UID: 0 PID: 2275 Comm: kworker/1:2 Not tainted 6.14.0-rc7-syzkaller-g8571575d6b29 #0
[ 35.014234][ T2275] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 35.016824][ T2275] Workqueue: usb_hub_wq hub_event
[ 35.018156][ T2275] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 35.020198][ T2275] pc : usb_submit_urb+0xa00/0x1434
[ 35.021546][ T2275] lr : usb_submit_urb+0xa00/0x1434
[ 35.022881][ T2275] sp : ffff8000a1206780
[ 35.023969][ T2275] x29: ffff8000a12067c0 x28: ffff0000d925e000 x27: 0000000000000003
[ 35.026102][ T2275] x26: ffff80008d0f926c x25: ffff0000d50842a0 x24: ffff0000c1da6c50
[ 35.028182][ T2275] x23: ffff80008d100180 x22: dfff800000000000 x21: 0000000000000003
[ 35.030304][ T2275] x20: 0000000000000820 x19: ffff0000c1da6c00 x18: 0000000000000008
[ 35.032409][ T2275] x17: 0000000000000000 x16: ffff80008b7285ac x15: ffff700011f87b50
[ 35.034532][ T2275] x14: 1ffff00011f87b50 x13: 0000000000000004 x12: ffffffffffffffff
[ 35.036640][ T2275] x11: 0000000000000002 x10: 0000000000ff0100 x9 : be362ca99e434c00
[ 35.038778][ T2275] x8 : be362ca99e434c00 x7 : 0000000000000001 x6 : 0000000000000001
[ 35.040856][ T2275] x5 : ffff8000a1205f38 x4 : ffff80008fcafb00 x3 : ffff8000804a79e8
[ 35.043014][ T2275] x2 : 0000000000000000 x1 : 0000000100000000 x0 : 0000000000000000
[ 35.045143][ T2275] Call trace:
[ 35.045968][ T2275] usb_submit_urb+0xa00/0x1434 (P)
[ 35.047276][ T2275] smsusb_submit_urb+0x220/0x310
[ 35.048606][ T2275] smsusb_start_streaming+0x30/0x2e0
[ 35.050016][ T2275] smsusb_probe+0x15cc/0x1bfc
[ 35.051260][ T2275] usb_probe_interface+0x598/0xa40
[ 35.052610][ T2275] really_probe+0x38c/0x8fc
[ 35.053827][ T2275] __driver_probe_device+0x194/0x374
[ 35.055243][ T2275] driver_probe_device+0x78/0x330
[ 35.056623][ T2275] __device_attach_driver+0x2a8/0x4f4
[ 35.058031][ T2275] bus_for_each_drv+0x228/0x2bc
[ 35.059339][ T2275] __device_attach+0x2b4/0x434
[ 35.060599][ T2275] device_initial_probe+0x24/0x34
[ 35.061965][ T2275] bus_probe_device+0x178/0x240
[ 35.063303][ T2275] device_add+0x728/0xa6c
[ 35.064481][ T2275] usb_set_configuration+0x15cc/0x1b38
[ 35.065934][ T2275] usb_generic_driver_probe+0x8c/0x148
[ 35.067379][ T2275] usb_probe_device+0x1a4/0x348
[ 35.068623][ T2275] really_probe+0x38c/0x8fc
[ 35.069870][ T2275] __driver_probe_device+0x194/0x374
[ 35.071234][ T2275] driver_probe_device+0x78/0x330
[ 35.072588][ T2275] __device_attach_driver+0x2a8/0x4f4
[ 35.073964][ T2275] bus_for_each_drv+0x228/0x2bc
[ 35.075246][ T2275] __device_attach+0x2b4/0x434
[ 35.076482][ T2275] device_initial_probe+0x24/0x34
[ 35.077814][ T2275] bus_probe_device+0x178/0x240
[ 35.079078][ T2275] device_add+0x728/0xa6c
[ 35.080218][ T2275] usb_new_device+0x908/0x14ac
[ 35.081532][ T2275] hub_event+0x2454/0x4280
[ 35.082723][ T2275] process_one_work+0x810/0x1638
[ 35.083988][ T2275] worker_thread+0x97c/0xeec
[ 35.085234][ T2275] kthread+0x65c/0x7b0
[ 35.086286][ T2275] ret_from_fork+0x10/0x20
[ 35.087481][ T2275] irq event stamp: 68172
[ 35.088561][ T2275] hardirqs last enabled at (68171): [<ffff8000804afa4c>] __console_unlock+0x70/0xc4
[ 35.091086][ T2275] hardirqs last disabled at (68172): [<ffff80008b7c3e94>] el1_dbg+0x24/0x80
[ 35.093421][ T2275] softirqs last enabled at (68166): [<ffff8000803128a4>] handle_softirqs+0xb44/0xd34
[ 35.095972][ T2275] softirqs last disabled at (68141): [<ffff800080020dbc>] __do_softirq+0x14/0x20
[ 35.098397][ T2275] ---[ end trace 0000000000000000 ]---
[ 35.100570][ T2275] smsusb:smsusb_start_streaming: smsusb_submit_urb(...) failed
[ 35.102578][ T2275] smsusb:smsusb_init_device: smsusb_start_streaming(...) failed
[ 35.105193][ T2275] ------------[ cut here ]------------
[ 35.106579][ T2275] WARNING: CPU: 1 PID: 2275 at mm/slub.c:4719 free_large_kmalloc+0x34/0x188
[ 35.108760][ T2275] Modules linked in:
[ 35.109789][ T2275] CPU: 1 UID: 0 PID: 2275 Comm: kworker/1:2 Tainted: G W 6.14.0-rc7-syzkaller-g8571575d6b29 #0
[ 35.112898][ T2275] Tainted: [W]=WARN
[ 35.113879][ T2275] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 35.116513][ T2275] Workqueue: usb_hub_wq hub_event
[ 35.117823][ T2275] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 35.119863][ T2275] pc : free_large_kmalloc+0x34/0x188
[ 35.121318][ T2275] lr : kfree+0x25c/0x478
[ 35.122417][ T2275] sp : ffff8000a12067b0
[ 35.123492][ T2275] x29: ffff8000a12067b0 x28: ffff0000c6f08000 x27: ffff0000ccfe1e80
[ 35.125630][ T2275] x26: 1fffe00018de1001 x25: 00000000000003f0 x24: 1fffe0001b24be1e
[ 35.127723][ T2275] x23: dfff800000000000 x22: ffff0000dc7e2000 x21: ffff800080b51418
[ 35.129859][ T2275] x20: ffff0000dc7e2000 x19: fffffdffc371f880 x18: ffff8000a1206060
[ 35.131924][ T2275] x17: 000000000000deed x16: ffff8000832b7b9c x15: 0000000000000001
[ 35.134046][ T2275] x14: 1fffe000183b4d80 x13: 0000000000000000 x12: 0000000000000000
[ 35.136192][ T2275] x11: ffff6000183b4d81 x10: 0000000000ff0100 x9 : 00003c000371f880
[ 35.138369][ T2275] x8 : ffff800092f0a000 x7 : ffff800086a37540 x6 : ffff800086a27590
[ 35.140518][ T2275] x5 : ffff0000d67ca348 x4 : ffff8000a1206638 x3 : ffff800086a4c940
[ 35.142586][ T2275] x2 : 0000000000000001 x1 : ffff0000dc7e2000 x0 : fffffdffc371f880
[ 35.144966][ T2275] Call trace:
[ 35.145833][ T2275] free_large_kmalloc+0x34/0x188 (P)
[ 35.147246][ T2275] kfree+0x25c/0x478
[ 35.148242][ T2275] usb_free_urb+0xd0/0x140
[ 35.149399][ T2275] smsusb_term_device+0x1ac/0x32c
[ 35.150728][ T2275] smsusb_probe+0x1664/0x1bfc
[ 35.151984][ T2275] usb_probe_interface+0x598/0xa40
[ 35.153334][ T2275] really_probe+0x38c/0x8fc
[ 35.154573][ T2275] __driver_probe_device+0x194/0x374
[ 35.155938][ T2275] driver_probe_device+0x78/0x330
[ 35.157236][ T2275] __device_attach_driver+0x2a8/0x4f4
[ 35.158611][ T2275] bus_for_each_drv+0x228/0x2bc
[ 35.159899][ T2275] __device_attach+0x2b4/0x434
[ 35.161176][ T2275] device_initial_probe+0x24/0x34
[ 35.162508][ T2275] bus_probe_device+0x178/0x240
[ 35.163757][ T2275] device_add+0x728/0xa6c
[ 35.164877][ T2275] usb_set_configuration+0x15cc/0x1b38
[ 35.166347][ T2275] usb_generic_driver_probe+0x8c/0x148
[ 35.167851][ T2275] usb_probe_device+0x1a4/0x348
[ 35.169103][ T2275] really_probe+0x38c/0x8fc
[ 35.170306][ T2275] __driver_probe_device+0x194/0x374
[ 35.171719][ T2275] driver_probe_device+0x78/0x330
[ 35.173040][ T2275] __device_attach_driver+0x2a8/0x4f4
[ 35.174497][ T2275] bus_for_each_drv+0x228/0x2bc
[ 35.175790][ T2275] __device_attach+0x2b4/0x434
[ 35.177015][ T2275] device_initial_probe+0x24/0x34
[ 35.178364][ T2275] bus_probe_device+0x178/0x240
[ 35.179647][ T2275] device_add+0x728/0xa6c
[ 35.180877][ T2275] usb_new_device+0x908/0x14ac
[ 35.182146][ T2275] hub_event+0x2454/0x4280
[ 35.183291][ T2275] process_one_work+0x810/0x1638
[ 35.184569][ T2275] worker_thread+0x97c/0xeec
[ 35.185774][ T2275] kthread+0x65c/0x7b0
[ 35.186857][ T2275] ret_from_fork+0x10/0x20
[ 35.188020][ T2275] irq event stamp: 68688
[ 35.189145][ T2275] hardirqs last enabled at (68687): [<ffff800080bf9240>] kasan_quarantine_put+0x1a0/0x1c8
[ 35.191726][ T2275] hardirqs last disabled at (68688): [<ffff80008b7c3e94>] el1_dbg+0x24/0x80
[ 35.193999][ T2275] softirqs last enabled at (68186): [<ffff8000803128a4>] handle_softirqs+0xb44/0xd34
[ 35.196477][ T2275] softirqs last disabled at (68175): [<ffff800080020dbc>] __do_softirq+0x14/0x20
[ 35.198925][ T2275] ---[ end trace 0000000000000000 ]---
[ 35.201532][ T2275] object pointer: 0x00000000cdb2f07c
[ 35.203511][ T2275] ==================================================================
executing program
[ 35.205619][ T2275] BUG: KASAN: double-free in kfree+0x25c/0x478
[ 35.207263][ T2275] Free of addr ffff0000dc7e2000 by task kworker/1:2/2275
[ 35.209134][ T2275]
[ 35.209733][ T2275] CPU: 1 UID: 0 PID: 2275 Comm: kworker/1:2 Tainted: G W 6.14.0-rc7-syzkaller-g8571575d6b29 #0
[ 35.209750][ T2275] Tainted: [W]=WARN
[ 35.209754][ T2275] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 35.209761][ T2275] Workqueue: usb_hub_wq hub_event
[ 35.209775][ T2275] Call trace:
[ 35.209779][ T2275] show_stack+0x2c/0x3c (C)
[ 35.209795][ T2275] dump_stack_lvl+0xe4/0x150
[ 35.209809][ T2275] print_report+0x198/0x550
[ 35.209822][ T2275] kasan_report_invalid_free+0xc4/0x118
[ 35.209834][ T2275] check_page_allocation+0x1d8/0x2a8
[ 35.209846][ T2275] __kasan_kfree_large+0x10/0x1c
[ 35.209857][ T2275] free_large_kmalloc+0x64/0x188
[ 35.209870][ T2275] kfree+0x25c/0x478
[ 35.209881][ T2275] usb_free_urb+0xd0/0x140
[ 35.209893][ T2275] smsusb_term_device+0x1ac/0x32c
[ 35.209907][ T2275] smsusb_probe+0x1664/0x1bfc
[ 35.209919][ T2275] usb_probe_interface+0x598/0xa40
[ 35.209933][ T2275] really_probe+0x38c/0x8fc
[ 35.209946][ T2275] __driver_probe_device+0x194/0x374
[ 35.209958][ T2275] driver_probe_device+0x78/0x330
[ 35.209970][ T2275] __device_attach_driver+0x2a8/0x4f4
[ 35.209982][ T2275] bus_for_each_drv+0x228/0x2bc
[ 35.209993][ T2275] __device_attach+0x2b4/0x434
[ 35.210005][ T2275] device_initial_probe+0x24/0x34
[ 35.210017][ T2275] bus_probe_device+0x178/0x240
[ 35.210028][ T2275] device_add+0x728/0xa6c
[ 35.210041][ T2275] usb_set_configuration+0x15cc/0x1b38
[ 35.210055][ T2275] usb_generic_driver_probe+0x8c/0x148
[ 35.210069][ T2275] usb_probe_device+0x1a4/0x348
[ 35.210082][ T2275] really_probe+0x38c/0x8fc
[ 35.210094][ T2275] __driver_probe_device+0x194/0x374
[ 35.210106][ T2275] driver_probe_device+0x78/0x330
[ 35.210118][ T2275] __device_attach_driver+0x2a8/0x4f4
[ 35.210130][ T2275] bus_for_each_drv+0x228/0x2bc
[ 35.210141][ T2275] __device_attach+0x2b4/0x434
[ 35.210153][ T2275] device_initial_probe+0x24/0x34
[ 35.210165][ T2275] bus_probe_device+0x178/0x240
[ 35.210176][ T2275] device_add+0x728/0xa6c
[ 35.210189][ T2275] usb_new_device+0x908/0x14ac
[ 35.210200][ T2275] hub_event+0x2454/0x4280
[ 35.210211][ T2275] process_one_work+0x810/0x1638
[ 35.210223][ T2275] worker_thread+0x97c/0xeec
[ 35.210235][ T2275] kthread+0x65c/0x7b0
[ 35.210246][ T2275] ret_from_fork+0x10/0x20
[ 35.210257][ T2275]
[ 35.269434][ T2275] The buggy address belongs to the physical page:
[ 35.271092][ T2275] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11c7e2
[ 35.273451][ T2275] flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
[ 35.275371][ T2275] raw: 05ffc00000000000 0000000000000000 dead000000000122 0000000000000000
[ 35.277656][ T2275] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 35.279927][ T2275] page dumped because: kasan: bad access detected
[ 35.281605][ T2275]
[ 35.282197][ T2275] Memory state around the buggy address:
[ 35.283710][ T2275] ffff0000dc7e1f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.285954][ T2275] ffff0000dc7e1f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.288082][ T2275] >ffff0000dc7e2000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.290175][ T2275] ^
[ 35.291241][ T2275] ffff0000dc7e2080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.293327][ T2275] ffff0000dc7e2100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.295474][ T2275] ==================================================================
[ 35.306510][ T2275] Disabling lock debugging due to kernel taint
[ 35.308154][ T2275] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11c7e2
[ 35.310482][ T2275] flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
[ 35.312342][ T2275] raw: 05ffc00000000000 0000000000000000 dead000000000122 0000000000000000
[ 35.314544][ T2275] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 35.316704][ T2275] page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)
[ 35.318903][ T2275] ------------[ cut here ]------------
[ 35.320306][ T2275] kernel BUG at ./include/linux/mm.h:1153!
[ 35.321779][ T2275] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
[ 35.323775][ T2275] Modules linked in:
[ 35.324818][ T2275] CPU: 1 UID: 0 PID: 2275 Comm: kworker/1:2 Tainted: G B W 6.14.0-rc7-syzkaller-g8571575d6b29 #0
[ 35.327938][ T2275] Tainted: [B]=BAD_PAGE, [W]=WARN
[ 35.329281][ T2275] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 35.331941][ T2275] Workqueue: usb_hub_wq hub_event
[ 35.333243][ T2275] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 35.335311][ T2275] pc : free_large_kmalloc+0x158/0x188
[ 35.336737][ T2275] lr : free_large_kmalloc+0x158/0x188
[ 35.338137][ T2275] sp : ffff8000a12067b0
[ 35.339197][ T2275] x29: ffff8000a12067b0 x28: ffff0000c6f08000 x27: ffff0000ccfe1e80
[ 35.341331][ T2275] x26: 1fffe00018de1001 x25: 00000000000003f0 x24: 1fffe0001b24be1e
[ 35.343439][ T2275] x23: dfff800000000000 x22: 0000000000000000 x21: 0000000000000000
[ 35.345580][ T2275] x20: fffffffffffff000 x19: fffffdffc371f880 x18: 0000000000000008
[ 35.347694][ T2275] x17: 0000000000000000 x16: ffff80008b7285ac x15: ffff700011f87b50
[ 35.349797][ T2275] x14: 1ffff00011f87b50 x13: 0000000000000004 x12: ffffffffffffffff
[ 35.351992][ T2275] x11: 0000000000000001 x10: 0000000000ff0100 x9 : be362ca99e434c00
[ 35.354074][ T2275] x8 : be362ca99e434c00 x7 : 0000000000000001 x6 : 0000000000000001
[ 35.356233][ T2275] x5 : ffff8000a1205d18 x4 : ffff80008fcafb00 x3 : ffff8000804a79e8
[ 35.358289][ T2275] x2 : 0000000000000000 x1 : 0000000100000000 x0 : 000000000000003e
[ 35.360368][ T2275] Call trace:
[ 35.361208][ T2275] free_large_kmalloc+0x158/0x188 (P)
[ 35.362668][ T2275] kfree+0x25c/0x478
[ 35.363728][ T2275] usb_free_urb+0xd0/0x140
[ 35.364857][ T2275] smsusb_term_device+0x1ac/0x32c
[ 35.366167][ T2275] smsusb_probe+0x1664/0x1bfc
[ 35.367428][ T2275] usb_probe_interface+0x598/0xa40
[ 35.368783][ T2275] really_probe+0x38c/0x8fc
[ 35.369951][ T2275] __driver_probe_device+0x194/0x374
[ 35.371340][ T2275] driver_probe_device+0x78/0x330
[ 35.372661][ T2275] __device_attach_driver+0x2a8/0x4f4
[ 35.374042][ T2275] bus_for_each_drv+0x228/0x2bc
[ 35.375317][ T2275] __device_attach+0x2b4/0x434
[ 35.376621][ T2275] device_initial_probe+0x24/0x34
[ 35.378008][ T2275] bus_probe_device+0x178/0x240
[ 35.379271][ T2275] device_add+0x728/0xa6c
[ 35.380466][ T2275] usb_set_configuration+0x15cc/0x1b38
[ 35.381902][ T2275] usb_generic_driver_probe+0x8c/0x148
[ 35.383339][ T2275] usb_probe_device+0x1a4/0x348
[ 35.384598][ T2275] really_probe+0x38c/0x8fc
[ 35.385793][ T2275] __driver_probe_device+0x194/0x374
[ 35.387237][ T2275] driver_probe_device+0x78/0x330
[ 35.388531][ T2275] __device_attach_driver+0x2a8/0x4f4
[ 35.389924][ T2275] bus_for_each_drv+0x228/0x2bc
[ 35.391209][ T2275] __device_attach+0x2b4/0x434
[ 35.392432][ T2275] device_initial_probe+0x24/0x34
[ 35.393757][ T2275] bus_probe_device+0x178/0x240
[ 35.395020][ T2275] device_add+0x728/0xa6c
[ 35.396149][ T2275] usb_new_device+0x908/0x14ac
[ 35.397422][ T2275] hub_event+0x2454/0x4280
[ 35.398585][ T2275] process_one_work+0x810/0x1638
[ 35.399874][ T2275] worker_thread+0x97c/0xeec
[ 35.401038][ T2275] kthread+0x65c/0x7b0
[ 35.402083][ T2275] ret_from_fork+0x10/0x20
[ 35.403266][ T2275] Code: 90072f01 912aa821 aa1303e0 97fc2097 (d4210000)
[ 35.405065][ T2275] ---[ end trace 0000000000000000 ]---
[ 35.797285][ T2275] Kernel panic - not syncing: Oops - BUG: Fatal exception
[ 35.799195][ T2275] SMP: stopping secondary CPUs
[ 35.800471][ T2275] Kernel Offset: disabled
[ 35.801600][ T2275] CPU features: 0x200,00002070,00800250,82017203
[ 35.803338][ T2275] Memory Limit: none
[ 36.128121][ T2275] Rebooting in 86400 seconds..