./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor411049962 <...> Warning: Permanently added '10.128.0.157' (ED25519) to the list of known hosts. execve("./syz-executor411049962", ["./syz-executor411049962"], 0x7ffd335b6fc0 /* 10 vars */) = 0 brk(NULL) = 0x55556e6e1000 brk(0x55556e6e1d00) = 0x55556e6e1d00 arch_prctl(ARCH_SET_FS, 0x55556e6e1380) = 0 set_tid_address(0x55556e6e1650) = 282 set_robust_list(0x55556e6e1660, 24) = 0 rseq(0x55556e6e1ca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor411049962", 4096) = 27 getrandom("\x17\x3d\x0b\x12\xed\x96\xca\x1a", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55556e6e1d00 brk(0x55556e702d00) = 0x55556e702d00 brk(0x55556e703000) = 0x55556e703000 mprotect(0x7ff3daaed000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0executing program ) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 write(1, "executing program\n", 18) = 18 openat(AT_FDCWD, "/dev/usbmon0", O_RDONLY) = 3 openat(AT_FDCWD, "/dev/raw-gadget", O_RDWR) = 4 ioctl(4, USB_RAW_IOCTL_INIT, 0x7fff89df1a90) = 0 ioctl(4, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7fff89df1a90) = 0 [ 24.424105][ T24] audit: type=1400 audit(1755971230.070:64): avc: denied { execmem } for pid=282 comm="syz-executor411" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 24.443801][ T24] audit: type=1400 audit(1755971230.070:65): avc: denied { read } for pid=282 comm="syz-executor411" name="usbmon0" dev="devtmpfs" ino=154 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1 [ 24.467476][ T24] audit: type=1400 audit(1755971230.070:66): avc: denied { open } for pid=282 comm="syz-executor411" path="/dev/usbmon0" dev="devtmpfs" ino=154 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1 [ 24.491618][ T24] audit: type=1400 audit(1755971230.070:67): avc: denied { read write } for pid=282 comm="syz-executor411" name="raw-gadget" dev="devtmpfs" ino=253 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 24.515277][ T24] audit: type=1400 audit(1755971230.070:68): avc: denied { open } for pid=282 comm="syz-executor411" path="/dev/raw-gadget" dev="devtmpfs" ino=253 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 24.538847][ T24] audit: type=1400 audit(1755971230.070:69): avc: denied { ioctl } for pid=282 comm="syz-executor411" path="/dev/raw-gadget" dev="devtmpfs" ino=253 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7fff89df1a90) = 0 ioctl(4, USB_RAW_IOCTL_EP0_WRITE, 0x7fff89df0a80) = 18 [ 24.710183][ T25] usb 1-1: new high-speed USB device number 2 using dummy_hcd ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7fff89df1a90) = 0 ioctl(4, USB_RAW_IOCTL_EP0_WRITE, 0x7fff89df0a80) = 18 [ 24.950166][ T25] usb 1-1: Using ep0 maxpacket: 16 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7fff89df1a90) = 0 ioctl(4, USB_RAW_IOCTL_EP0_WRITE, 0x7fff89df0a80) = 9 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7fff89df1a90) = 0 ioctl(4, USB_RAW_IOCTL_EP0_WRITE, 0x7fff89df0a80) = 36 [ 25.070260][ T25] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 25.081283][ T25] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 25.091040][ T25] usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 9 [ 25.103828][ T25] usb 1-1: New USB device found, idVendor=045e, idProduct=07da, bcdDevice= 0.00 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7fff89df1a90) = 0 ioctl(4, USB_RAW_IOCTL_VBUS_DRAW, 0) = 0 ioctl(4, USB_RAW_IOCTL_CONFIGURE, 0) = 0 ioctl(4, USB_RAW_IOCTL_EP_ENABLE, 0x7ff3daaf33cc) = -1 EINVAL (Invalid argument) ioctl(4, USB_RAW_IOCTL_EP0_READ, 0x7fff89df0a80) = 0 [ 25.112888][ T25] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 25.121954][ T25] usb 1-1: config 0 descriptor?? ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7fff89df1ac0) = 0 ioctl(4, USB_RAW_IOCTL_EP0_READ, 0x7fff89df0ab0) = 0 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7fff89df1ac0) = 0 ioctl(4, USB_RAW_IOCTL_EP0_WRITE, 0x7fff89df0ab0) = 34 [ 25.601495][ T25] microsoft 0003:045E:07DA.0001: unknown main item tag 0x0 [ 25.608851][ T25] microsoft 0003:045E:07DA.0001: ignoring exceeding usage max [ 25.619048][ T25] ================================================================== [ 25.627134][ T25] BUG: KASAN: slab-out-of-bounds in mon_bin_event+0x1307/0x24e0 [ 25.634746][ T25] Read of size 832 at addr ffff888119e87579 by task kworker/1:1/25 [ 25.642614][ T25] [ 25.644934][ T25] CPU: 1 PID: 25 Comm: kworker/1:1 Not tainted 5.10.240-syzkaller #0 [ 25.652975][ T25] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/14/2025 [ 25.663019][ T25] Workqueue: usb_hub_wq hub_event [ 25.668032][ T25] Call Trace: [ 25.671315][ T25] __dump_stack+0x21/0x24 [ 25.675640][ T25] dump_stack_lvl+0x169/0x1d8 [ 25.680312][ T25] ? show_regs_print_info+0x18/0x18 [ 25.685503][ T25] ? thaw_kernel_threads+0x220/0x220 [ 25.690791][ T25] print_address_description+0x7f/0x2c0 [ 25.696329][ T25] ? mon_bin_event+0x1307/0x24e0 [ 25.701260][ T25] kasan_report+0xe2/0x130 [ 25.705694][ T25] ? mon_bin_event+0x1307/0x24e0 [ 25.710634][ T25] ? mon_bin_event+0x1307/0x24e0 [ 25.715565][ T25] kasan_check_range+0x280/0x290 [ 25.720495][ T25] memcpy+0x2d/0x70 [ 25.724294][ T25] mon_bin_event+0x1307/0x24e0 [ 25.729054][ T25] ? mon_bin_complete+0x30/0x30 [ 25.733897][ T25] ? __kasan_kmalloc+0xec/0x110 [ 25.738740][ T25] ? __kasan_kmalloc+0xda/0x110 [ 25.743583][ T25] ? __kmalloc+0x1a7/0x330 [ 25.747997][ T25] ? mon_bin_vma_fault+0x1e0/0x1e0 [ 25.753105][ T25] mon_bin_submit+0x27/0x30 [ 25.757597][ T25] mon_submit+0x185/0x200 [ 25.761928][ T25] usb_hcd_submit_urb+0x117/0x1780 [ 25.767034][ T25] ? really_probe+0x3d8/0xa90 [ 25.771841][ T25] ? bus_for_each_drv+0x175/0x200 [ 25.776859][ T25] ? device_initial_probe+0x1a/0x20 [ 25.782053][ T25] ? usb_set_configuration+0x1a47/0x1f80 [ 25.787683][ T25] ? usb_generic_driver_probe+0x91/0x150 [ 25.793310][ T25] usb_submit_urb+0x10eb/0x1620 [ 25.798169][ T25] ? device_add+0x8b4/0xbf0 [ 25.802666][ T25] usb_start_wait_urb+0x117/0x2f0 [ 25.807682][ T25] ? usb_api_blocking_completion+0xb0/0xb0 [ 25.813480][ T25] ? __kasan_check_write+0x14/0x20 [ 25.818589][ T25] usb_control_msg+0x241/0x3f0 [ 25.823362][ T25] ? hid_output_report+0x722/0x7b0 [ 25.828478][ T25] usbhid_raw_request+0x453/0x580 [ 25.833500][ T25] ? usbhid_request+0x60/0x60 [ 25.838173][ T25] __hid_request+0x1d2/0x390 [ 25.842755][ T25] hidinput_connect+0x1d6d/0x2c30 [ 25.847778][ T25] hid_connect+0x458/0xdf0 [ 25.852196][ T25] ? usbhid_start+0x1a3c/0x2450 [ 25.857044][ T25] ? hid_match_id+0x340/0x340 [ 25.861849][ T25] hid_hw_start+0xaa/0x130 [ 25.866289][ T25] ms_probe+0x190/0x460 [ 25.870448][ T25] ? magicmouse_emit_touch+0x10f0/0x10f0 [ 25.876084][ T25] hid_device_probe+0x287/0x380 [ 25.880933][ T25] really_probe+0x386/0xa90 [ 25.885431][ T25] ? __kasan_check_write+0x14/0x20 [ 25.890559][ T25] driver_probe_device+0xe7/0x190 [ 25.895577][ T25] __device_attach_driver+0x282/0x3f0 [ 25.900951][ T25] ? state_synced_show+0x90/0x90 [ 25.905884][ T25] bus_for_each_drv+0x175/0x200 [ 25.910727][ T25] ? __kasan_check_write+0x14/0x20 [ 25.915827][ T25] ? subsys_find_device_by_id+0x350/0x350 [ 25.921655][ T25] __device_attach+0x29a/0x400 [ 25.926428][ T25] ? kfree+0xc0/0x270 [ 25.930439][ T25] ? device_attach+0x20/0x20 [ 25.935059][ T25] ? kobject_uevent_env+0x34d/0x700 [ 25.940256][ T25] device_initial_probe+0x1a/0x20 [ 25.945271][ T25] bus_probe_device+0xc0/0x1e0 [ 25.950551][ T25] device_add+0x8b4/0xbf0 [ 25.954873][ T25] hid_add_device+0x356/0x4b0 [ 25.959540][ T25] usbhid_probe+0xb2e/0xee0 [ 25.964037][ T25] usb_probe_interface+0x5ff/0xae0 [ 25.969142][ T25] really_probe+0x3d8/0xa90 [ 25.973637][ T25] ? __kasan_check_write+0x14/0x20 [ 25.978744][ T25] driver_probe_device+0xe7/0x190 [ 25.983763][ T25] __device_attach_driver+0x282/0x3f0 [ 25.989131][ T25] ? state_synced_show+0x90/0x90 [ 25.994063][ T25] bus_for_each_drv+0x175/0x200 [ 25.998906][ T25] ? __kasan_check_write+0x14/0x20 [ 26.004009][ T25] ? subsys_find_device_by_id+0x350/0x350 [ 26.009720][ T25] __device_attach+0x29a/0x400 [ 26.014475][ T25] ? device_attach+0x20/0x20 [ 26.019060][ T25] device_initial_probe+0x1a/0x20 [ 26.024076][ T25] bus_probe_device+0xc0/0x1e0 [ 26.028834][ T25] device_add+0x8b4/0xbf0 [ 26.033156][ T25] usb_set_configuration+0x1a47/0x1f80 [ 26.038612][ T25] usb_generic_driver_probe+0x91/0x150 [ 26.044062][ T25] usb_probe_device+0x148/0x260 [ 26.048904][ T25] really_probe+0x3d8/0xa90 [ 26.053404][ T25] ? __kasan_check_write+0x14/0x20 [ 26.058524][ T25] driver_probe_device+0xe7/0x190 [ 26.063550][ T25] __device_attach_driver+0x282/0x3f0 [ 26.068911][ T25] ? state_synced_show+0x90/0x90 [ 26.073838][ T25] bus_for_each_drv+0x175/0x200 [ 26.078677][ T25] ? __kasan_check_write+0x14/0x20 [ 26.083796][ T25] ? subsys_find_device_by_id+0x350/0x350 [ 26.089511][ T25] __device_attach+0x29a/0x400 [ 26.094266][ T25] ? device_attach+0x20/0x20 [ 26.098852][ T25] ? kobject_uevent_env+0x34d/0x700 [ 26.104042][ T25] device_initial_probe+0x1a/0x20 [ 26.109056][ T25] bus_probe_device+0xc0/0x1e0 [ 26.113828][ T25] device_add+0x8b4/0xbf0 [ 26.118191][ T25] usb_new_device+0xcd1/0x1450 [ 26.122969][ T25] ? wq_worker_last_func+0x50/0x50 [ 26.128074][ T25] ? usb_disconnect+0x850/0x850 [ 26.132923][ T25] hub_event+0x2679/0x4120 [ 26.137336][ T25] ? __kasan_check_write+0x14/0x20 [ 26.142468][ T25] ? led_work+0x5f0/0x5f0 [ 26.146975][ T25] ? __kasan_check_write+0x14/0x20 [ 26.152109][ T25] ? _raw_spin_lock_irq+0x8f/0xe0 [ 26.157131][ T25] ? __kasan_check_read+0x11/0x20 [ 26.162156][ T25] ? read_word_at_a_time+0x12/0x20 [ 26.167261][ T25] ? strscpy+0x9b/0x290 [ 26.171413][ T25] process_one_work+0x6e1/0xba0 [ 26.176270][ T25] worker_thread+0xa6a/0x13b0 [ 26.180943][ T25] ? _raw_spin_lock_irqsave+0xb0/0x110 [ 26.186491][ T25] kthread+0x346/0x3d0 [ 26.190566][ T25] ? worker_clr_flags+0x190/0x190 [ 26.195581][ T25] ? kthread_blkcg+0xd0/0xd0 [ 26.200160][ T25] ret_from_fork+0x1f/0x30 [ 26.204564][ T25] [ 26.206884][ T25] Allocated by task 25: [ 26.211031][ T25] __kasan_kmalloc+0xda/0x110 [ 26.215695][ T25] __kmalloc+0x1a7/0x330 [ 26.219928][ T25] __hid_request+0x9a/0x390 [ 26.224422][ T25] hidinput_connect+0x1d6d/0x2c30 [ 26.229438][ T25] hid_connect+0x458/0xdf0 [ 26.233845][ T25] hid_hw_start+0xaa/0x130 [ 26.238253][ T25] ms_probe+0x190/0x460 [ 26.242399][ T25] hid_device_probe+0x287/0x380 [ 26.247326][ T25] really_probe+0x386/0xa90 [ 26.251819][ T25] driver_probe_device+0xe7/0x190 [ 26.256833][ T25] __device_attach_driver+0x282/0x3f0 [ 26.262193][ T25] bus_for_each_drv+0x175/0x200 [ 26.267049][ T25] __device_attach+0x29a/0x400 [ 26.271976][ T25] device_initial_probe+0x1a/0x20 [ 26.276985][ T25] bus_probe_device+0xc0/0x1e0 [ 26.281737][ T25] device_add+0x8b4/0xbf0 [ 26.286053][ T25] hid_add_device+0x356/0x4b0 [ 26.290717][ T25] usbhid_probe+0xb2e/0xee0 [ 26.295308][ T25] usb_probe_interface+0x5ff/0xae0 [ 26.300423][ T25] really_probe+0x3d8/0xa90 [ 26.304912][ T25] driver_probe_device+0xe7/0x190 [ 26.309922][ T25] __device_attach_driver+0x282/0x3f0 [ 26.315283][ T25] bus_for_each_drv+0x175/0x200 [ 26.320122][ T25] __device_attach+0x29a/0x400 [ 26.324874][ T25] device_initial_probe+0x1a/0x20 [ 26.329882][ T25] bus_probe_device+0xc0/0x1e0 [ 26.334636][ T25] device_add+0x8b4/0xbf0 [ 26.338959][ T25] usb_set_configuration+0x1a47/0x1f80 [ 26.344410][ T25] usb_generic_driver_probe+0x91/0x150 [ 26.349853][ T25] usb_probe_device+0x148/0x260 [ 26.354689][ T25] really_probe+0x3d8/0xa90 [ 26.359272][ T25] driver_probe_device+0xe7/0x190 [ 26.364290][ T25] __device_attach_driver+0x282/0x3f0 [ 26.369654][ T25] bus_for_each_drv+0x175/0x200 [ 26.374490][ T25] __device_attach+0x29a/0x400 [ 26.379247][ T25] device_initial_probe+0x1a/0x20 [ 26.384259][ T25] bus_probe_device+0xc0/0x1e0 [ 26.389008][ T25] device_add+0x8b4/0xbf0 [ 26.393325][ T25] usb_new_device+0xcd1/0x1450 [ 26.398079][ T25] hub_event+0x2679/0x4120 [ 26.402483][ T25] process_one_work+0x6e1/0xba0 [ 26.407321][ T25] worker_thread+0xa6a/0x13b0 [ 26.411985][ T25] kthread+0x346/0x3d0 [ 26.416039][ T25] ret_from_fork+0x1f/0x30 [ 26.420480][ T25] [ 26.422803][ T25] The buggy address belongs to the object at ffff888119e87578 [ 26.422803][ T25] which belongs to the cache kmalloc-8 of size 8 [ 26.436500][ T25] The buggy address is located 1 bytes inside of [ 26.436500][ T25] 8-byte region [ffff888119e87578, ffff888119e87580) [ 26.449426][ T25] The buggy address belongs to the page: [ 26.455066][ T25] page:ffffea000467a1c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x119e87 [ 26.465375][ T25] flags: 0x4000000000000200(slab) [ 26.470390][ T25] raw: 4000000000000200 dead000000000100 dead000000000122 ffff888100043c80 [ 26.478967][ T25] raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000 [ 26.487540][ T25] page dumped because: kasan: bad access detected [ 26.493938][ T25] page_owner tracks the page as allocated [ 26.499657][ T25] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 133, ts 6370458158, free_ts 0 [ 26.514659][ T25] prep_new_page+0x179/0x180 [ 26.519256][ T25] get_page_from_freelist+0x2235/0x23d0 [ 26.524796][ T25] __alloc_pages_nodemask+0x268/0x5f0 [ 26.530160][ T25] new_slab+0x84/0x3f0 [ 26.534219][ T25] ___slab_alloc+0x2a6/0x450 [ 26.538798][ T25] __slab_alloc+0x63/0xa0 [ 26.543116][ T25] __kmalloc+0x201/0x330 [ 26.547347][ T25] __vmalloc_node_range+0x29f/0x780 [ 26.552540][ T25] module_alloc+0x84/0x90 [ 26.556856][ T25] bpf_jit_alloc_exec+0x15/0x20 [ 26.561696][ T25] bpf_jit_binary_alloc+0x12d/0x250 [ 26.566882][ T25] bpf_int_jit_compile+0x7b39/0x8ae0 [ 26.572163][ T25] bpf_prog_select_runtime+0x742/0x9e0 [ 26.577613][ T25] bpf_prepare_filter+0xed9/0x1080 [ 26.582719][ T25] bpf_prog_create_from_user+0x2c7/0x410 [ 26.588342][ T25] do_seccomp+0x7ad/0x1400 [ 26.592760][ T25] page_owner free stack trace missing [ 26.598117][ T25] [ 26.600434][ T25] Memory state around the buggy address: [ 26.606056][ T25] ffff888119e87400: fc fc fa fc fc fc fc 00 fc fc fc fc 00 fc fc fc [ 26.614109][ T25] ffff888119e87480: fc fa fc fc fc fc fa fc fc fc fc fa fc fc fc fc [ 26.622161][ T25] >ffff888119e87500: 00 fc fc fc fc fa fc fc fc fc fa fc fc fc fc 07 [ 26.630209][ T25] ^ [ 26.638175][ T25] ffff888119e87580: fc fc fc fc fa fc fc fc fc 00 fc fc fc fc 00 fc [ 26.646227][ T25] ffff888119e87600: fc fc fc fa fc fc fc fc 00 fc fc fc fc fa fc fc exit_group(0) = ? +++ exited with 0 +++ [ 26.654275][ T25]