./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3692539452 <...> Warning: Permanently added '10.128.1.95' (ECDSA) to the list of known hosts. execve("./syz-executor3692539452", ["./syz-executor3692539452"], 0x7ffc4a1668d0 /* 10 vars */) = 0 brk(NULL) = 0x555555ad4000 brk(0x555555ad4c40) = 0x555555ad4c40 arch_prctl(ARCH_SET_FS, 0x555555ad4300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor3692539452", 4096) = 28 brk(0x555555af5c40) = 0x555555af5c40 brk(0x555555af6000) = 0x555555af6000 mprotect(0x7f80f8120000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3610 attached , child_tidptr=0x555555ad45d0) = 3610 [pid 3610] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3610] setpgid(0, 0) = 0 [pid 3610] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3610] write(3, "1000", 4) = 4 [pid 3610] close(3) = 0 [pid 3610] openat(AT_FDCWD, "/dev/raw-gadget", O_RDWR) = 3 [pid 3610] ioctl(3, USB_RAW_IOCTL_INIT, 0x7ffca5afd060) = 0 [pid 3610] ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffca5afd060) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffca5afd060) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffca5afc050) = 18 syzkaller login: [ 41.555941][ T3273] usb 1-1: new high-speed USB device number 2 using dummy_hcd [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffca5afd060) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffca5afc050) = 18 [ 41.795901][ T3273] usb 1-1: Using ep0 maxpacket: 16 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffca5afd060) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffca5afc050) = 9 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffca5afd060) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffca5afc050) = 36 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffca5afd060) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffca5afc050) = 4 [ 41.916082][ T3273] usb 1-1: config 0 interface 0 altsetting 0 bulk endpoint 0x81 has invalid maxpacket 1024 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffca5afd060) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffca5afc050) = 8 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffca5afd060) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffca5afc050) = 8 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffca5afd060) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffca5afc050) = 8 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffca5afd060) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_VBUS_DRAW, 0) = 0 [pid 3610] ioctl(3, USB_RAW_IOCTL_CONFIGURE, 0) = 0 [ 42.085979][ T3273] usb 1-1: New USB device found, idVendor=1435, idProduct=0826, bcdDevice=1c.50 [ 42.095116][ T3273] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 42.103385][ T3273] usb 1-1: Product: syz [ 42.107580][ T3273] usb 1-1: Manufacturer: syz [ 42.112252][ T3273] usb 1-1: SerialNumber: syz [ 42.121938][ T3273] usb 1-1: config 0 descriptor?? [pid 3610] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f80f812646c) = -1 EINVAL (Invalid argument) [pid 3610] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f80f812647c) = 9 [pid 3610] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffca5afc050) = 0 [ 42.148077][ T3610] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22 [ 42.185883][ C0] usb 1-1: RX USB error -71. [ 42.205899][ C0] usb 1-1: RX USB error -71. [ 42.225870][ C0] usb 1-1: RX USB error -71. [ 42.245897][ C0] usb 1-1: RX USB error -71. [ 42.265890][ C0] usb 1-1: RX USB error -71. [ 42.285886][ C0] usb 1-1: RX USB error -71. [ 42.305895][ C0] usb 1-1: RX USB error -71. [ 42.325877][ C0] usb 1-1: RX USB error -71. [ 42.345876][ C0] usb 1-1: RX USB error -71. [ 42.365893][ C0] usb 1-1: RX USB error -71. [ 42.385883][ C0] usb 1-1: RX USB error -71. [ 42.405887][ C0] usb 1-1: RX USB error -71. [ 42.425885][ C0] usb 1-1: RX USB error -71. [ 42.445897][ C0] usb 1-1: RX USB error -71. [ 42.465870][ C0] usb 1-1: RX USB error -71. [ 42.485871][ C0] usb 1-1: RX USB error -71. [ 42.505882][ C0] usb 1-1: RX USB error -71. [ 42.525887][ C0] usb 1-1: RX USB error -71. [ 42.545877][ C0] usb 1-1: RX USB error -71. [ 42.565891][ C0] usb 1-1: RX USB error -71. [ 42.585891][ C0] usb 1-1: RX USB error -71. [ 42.605902][ C0] usb 1-1: RX USB error -71. [ 42.625885][ C0] usb 1-1: RX USB error -71. [ 42.645887][ C0] usb 1-1: RX USB error -71. [ 42.665881][ C0] usb 1-1: RX USB error -71. [ 42.685879][ C0] usb 1-1: RX USB error -71. [ 42.705889][ C0] usb 1-1: RX USB error -71. [ 42.725887][ C0] usb 1-1: RX USB error -71. [ 42.745892][ C0] usb 1-1: RX USB error -71. [ 42.765877][ C0] usb 1-1: RX USB error -71. [ 42.785885][ C0] usb 1-1: RX USB error -71. [ 42.805882][ C0] usb 1-1: RX USB error -71. [ 42.825904][ C0] usb 1-1: RX USB error -71. [ 42.845916][ C0] usb 1-1: RX USB error -71. [ 42.865933][ C0] usb 1-1: RX USB error -71. [ 42.885892][ C0] usb 1-1: RX USB error -71. [ 42.905885][ C0] usb 1-1: RX USB error -71. [ 42.925891][ C0] usb 1-1: RX USB error -71. [ 42.945896][ C0] usb 1-1: RX USB error -71. [ 42.965869][ C0] usb 1-1: RX USB error -71. [ 42.985890][ C0] usb 1-1: RX USB error -71. [ 43.005883][ C0] usb 1-1: RX USB error -71. [ 43.025894][ C0] usb 1-1: RX USB error -71. [ 43.045928][ C0] usb 1-1: RX USB error -71. [ 43.065904][ C0] usb 1-1: RX USB error -71. [ 43.085883][ C0] usb 1-1: RX USB error -71. [ 43.105882][ C0] usb 1-1: RX USB error -71. [ 43.125886][ C0] usb 1-1: RX USB error -71. [ 43.145874][ C0] usb 1-1: RX USB error -71. [ 43.165888][ C0] usb 1-1: RX USB error -71. [ 43.185890][ C0] usb 1-1: RX USB error -71. [ 43.205880][ C0] usb 1-1: RX USB error -71. [ 43.225884][ C0] usb 1-1: RX USB error -71. [ 43.245891][ C0] usb 1-1: RX USB error -71. [ 43.265882][ C0] usb 1-1: RX USB error -71. [ 43.285877][ C0] usb 1-1: RX USB error -71. [ 43.305883][ C0] usb 1-1: RX USB error -71. [ 43.325897][ C0] usb 1-1: RX USB error -71. [ 43.345905][ C0] usb 1-1: RX USB error -71. [ 43.365891][ C0] usb 1-1: RX USB error -71. [ 43.385888][ C0] usb 1-1: RX USB error -71. [ 43.405874][ C0] usb 1-1: RX USB error -71. [ 43.425880][ C0] usb 1-1: RX USB error -71. [ 43.445901][ C0] usb 1-1: RX USB error -71. [ 43.465882][ C0] usb 1-1: RX USB error -71. [ 43.485878][ C0] usb 1-1: RX USB error -71. [ 43.505916][ C0] usb 1-1: RX USB error -71. [ 43.525883][ C0] usb 1-1: RX USB error -71. [ 43.545885][ C0] usb 1-1: RX USB error -71. [ 43.565883][ C0] usb 1-1: RX USB error -71. [ 43.585903][ C0] usb 1-1: RX USB error -71. [ 43.605890][ C0] usb 1-1: RX USB error -71. [ 43.625890][ C0] usb 1-1: RX USB error -71. [ 43.645880][ C0] usb 1-1: RX USB error -71. [ 43.665885][ C0] usb 1-1: RX USB error -71. [ 43.685909][ C0] usb 1-1: RX USB error -71. [ 43.705867][ C0] usb 1-1: RX USB error -71. [ 43.725880][ C0] usb 1-1: RX USB error -71. [ 43.745882][ C0] usb 1-1: RX USB error -71. [ 43.765905][ C0] usb 1-1: RX USB error -71. [ 43.785880][ C0] usb 1-1: RX USB error -71. [ 43.805880][ C0] usb 1-1: RX USB error -71. [ 43.825883][ C0] usb 1-1: RX USB error -71. [ 43.845890][ C0] usb 1-1: RX USB error -71. [ 43.865885][ C0] usb 1-1: RX USB error -71. [ 43.885896][ C0] usb 1-1: RX USB error -71. [ 43.905902][ C0] usb 1-1: RX USB error -71. [ 43.925895][ C0] usb 1-1: RX USB error -71. [ 43.945889][ C0] usb 1-1: RX USB error -71. [ 43.965887][ C0] usb 1-1: RX USB error -71. [ 43.985884][ C0] usb 1-1: RX USB error -71. [ 44.005878][ C0] usb 1-1: RX USB error -71. [ 44.025880][ C0] usb 1-1: RX USB error -71. [ 44.045912][ C0] usb 1-1: RX USB error -71. [ 44.065914][ C0] usb 1-1: RX USB error -71. [ 44.085880][ C0] usb 1-1: RX USB error -71. [ 44.105882][ C0] usb 1-1: RX USB error -71. [ 44.125872][ C0] usb 1-1: RX USB error -71. [ 44.145906][ C0] usb 1-1: RX USB error -71. [ 44.165872][ C0] usb 1-1: RX USB error -71. [ 44.185880][ C0] usb 1-1: RX USB error -71. [ 44.205929][ C0] usb 1-1: RX USB error -71. [ 44.225886][ C0] usb 1-1: RX USB error -71. [ 44.230556][ T3273] usb 1-1: timeout waiting for command 01 reply [ 44.237055][ T3273] usb 1-1: could not initialize adapter [ 44.245933][ C0] usb 1-1: RX USB error -2. [ 44.250497][ C0] usb 1-1: error -1 when submitting rx urb [ 44.256993][ T3273] ar5523: probe of 1-1:0.0 failed with error -110 [pid 3610] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH [pid 3609] kill(-3610, SIGKILL) = 0 [pid 3610] <... ioctl resumed> ) = ? [pid 3609] kill(3610, SIGKILL [pid 3610] +++ killed by SIGKILL +++ <... kill resumed>) = 0 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=3610, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=1} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3615 attached , child_tidptr=0x555555ad45d0) = 3615 [pid 3615] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3615] setpgid(0, 0) = 0 [ 46.295156][ T3273] usb 1-1: USB disconnect, device number 2 [ 46.305907][ C0] ================================================================== [ 46.313981][ C0] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240 [ 46.321377][ C0] Read of size 8 at addr ffff8880781af450 by task sshd/3604 [ 46.328638][ C0] [ 46.330944][ C0] CPU: 0 PID: 3604 Comm: sshd Not tainted 6.0.0-rc6-next-20220923-syzkaller #0 [ 46.339861][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 [ 46.349895][ C0] Call Trace: [ 46.353183][ C0] [ 46.356018][ C0] dump_stack_lvl+0xcd/0x134 [ 46.360629][ C0] print_report+0x15e/0x45d [ 46.365121][ C0] ? __phys_addr+0xc4/0x140 [ 46.369607][ C0] ? ar5523_cmd_tx_cb+0x220/0x240 [ 46.374621][ C0] kasan_report+0xbb/0x1f0 [ 46.379044][ C0] ? ar5523_cmd_tx_cb+0x220/0x240 [ 46.384056][ C0] ar5523_cmd_tx_cb+0x220/0x240 [ 46.388897][ C0] __usb_hcd_giveback_urb+0x2b0/0x5c0 [ 46.394252][ C0] usb_hcd_giveback_urb+0x380/0x430 [ 46.399432][ C0] dummy_timer+0x11ff/0x32c0 [ 46.404011][ C0] ? do_raw_spin_unlock+0x171/0x230 [ 46.409207][ C0] ? rcu_read_lock_sched_held+0xd/0x70 [ 46.414704][ C0] ? rcu_read_lock_sched_held+0xd/0x70 [ 46.420351][ C0] ? lock_release+0x5cb/0x810 [ 46.425222][ C0] ? __queue_work+0x6d3/0x13b0 [ 46.429990][ C0] ? rcu_read_lock_sched_held+0xd/0x70 [ 46.435482][ C0] ? lock_acquire+0x4fc/0x630 [ 46.440246][ C0] ? lock_downgrade+0x6e0/0x6e0 [ 46.445094][ C0] ? dummy_dequeue+0x500/0x500 [ 46.449868][ C0] call_timer_fn+0x1da/0x7c0 [ 46.454467][ C0] ? dummy_dequeue+0x500/0x500 [ 46.459240][ C0] ? lock_release+0x5cb/0x810 [ 46.463915][ C0] ? timer_fixup_activate+0x3e0/0x3e0 [ 46.469290][ C0] ? lock_downgrade+0x6e0/0x6e0 [ 46.474142][ C0] ? rwlock_bug.part.0+0x90/0x90 [ 46.479193][ C0] ? __next_timer_interrupt+0x234/0x2b0 [ 46.484779][ C0] ? dummy_dequeue+0x500/0x500 [ 46.489570][ C0] ? dummy_dequeue+0x500/0x500 [ 46.494350][ C0] ? dummy_dequeue+0x500/0x500 [ 46.499127][ C0] __run_timers.part.0+0x6a2/0xaf0 [ 46.504255][ C0] ? call_timer_fn+0x7c0/0x7c0 [ 46.509027][ C0] ? cpuacct_stats_show+0x5f0/0x5f0 [ 46.514230][ C0] ? kvm_sched_clock_read+0x14/0x40 [ 46.519437][ C0] ? sched_clock_cpu+0x69/0x2b0 [ 46.524396][ C0] ? tick_program_event+0xb4/0x140 [ 46.529513][ C0] run_timer_softirq+0xb3/0x1d0 [ 46.534376][ C0] __do_softirq+0x1f7/0xad8 [ 46.538893][ C0] do_softirq.part.0+0xde/0x130 [ 46.543754][ C0] [ 46.546684][ C0] [ 46.549613][ C0] ? ip_finish_output2+0x7a2/0x2170 [ 46.554828][ C0] __local_bh_enable_ip+0x102/0x120 [ 46.560037][ C0] ip_finish_output2+0x7d0/0x2170 [ 46.565081][ C0] ? ip_fragment.constprop.0+0x240/0x240 [ 46.570731][ C0] ? ip_mc_finish_output+0x5a0/0x5a0 [ 46.576031][ C0] ? lock_acquire+0x4fc/0x630 [ 46.580714][ C0] __ip_finish_output+0x396/0x650 [ 46.585757][ C0] ip_finish_output+0x2d/0x280 [ 46.590556][ C0] ip_output+0x19f/0x310 [ 46.594829][ C0] __ip_queue_xmit+0x8de/0x1be0 [ 46.599706][ C0] __tcp_transmit_skb+0x1967/0x3800 [ 46.604915][ C0] ? __tcp_select_window+0xde0/0xde0 [ 46.610218][ C0] ? lock_release+0x810/0x810 [ 46.614907][ C0] ? tcp_write_xmit+0x31/0x6050 [ 46.619771][ C0] ? lock_downgrade+0x6e0/0x6e0 [ 46.624655][ C0] ? trace_hardirqs_on+0x2d/0x160 [ 46.629685][ C0] ? ktime_get+0x38a/0x470 [ 46.634116][ C0] tcp_write_xmit+0xd89/0x6050 [ 46.638895][ C0] __tcp_push_pending_frames+0xaa/0x380 [ 46.644463][ C0] tcp_push+0x499/0x720 [ 46.648629][ C0] ? tcp_tx_timestamp+0x5b/0x2d0 [ 46.653576][ C0] tcp_sendmsg_locked+0x2439/0x2f90 [ 46.658795][ C0] ? lock_release+0x5cb/0x810 [ 46.663509][ C0] ? tcp_sendpage+0xd0/0xd0 [ 46.668062][ C0] ? rwlock_bug.part.0+0x90/0x90 [ 46.673041][ C0] ? __local_bh_enable_ip+0xa0/0x120 [ 46.678349][ C0] tcp_sendmsg+0x2b/0x40 [ 46.682619][ C0] inet_sendmsg+0x99/0xe0 [ 46.686983][ C0] ? inet_send_prepare+0x4e0/0x4e0 [ 46.692144][ C0] sock_sendmsg+0xcf/0x120 [ 46.696585][ C0] sock_write_iter+0x291/0x3d0 [ 46.701367][ C0] ? sock_sendmsg+0x120/0x120 [ 46.706054][ C0] ? ns_to_timespec64+0xc0/0xc0 [ 46.710929][ C0] ? bpf_lsm_file_permission+0x5/0x10 [ 46.716315][ C0] ? security_file_permission+0xab/0xd0 [ 46.721899][ C0] vfs_write+0x9e9/0xdd0 [ 46.726160][ C0] ? vfs_read+0x930/0x930 [ 46.730532][ C0] ? __ct_user_exit+0xff/0x150 [ 46.735323][ C0] ? lock_downgrade+0x6e0/0x6e0 [ 46.740197][ C0] ? lock_downgrade+0x6e0/0x6e0 [ 46.745064][ C0] ? __fget_light+0x20a/0x270 [ 46.749789][ C0] ksys_write+0x1e8/0x250 [ 46.754147][ C0] ? __ia32_sys_read+0xb0/0xb0 [ 46.758933][ C0] ? syscall_enter_from_user_mode+0x22/0xb0 [ 46.764856][ C0] ? trace_hardirqs_on+0x2d/0x160 [ 46.769883][ C0] do_syscall_64+0x35/0xb0 [ 46.774561][ C0] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 46.780468][ C0] RIP: 0033:0x7fdf26d259a3 [ 46.784899][ C0] Code: 8b 15 d9 f4 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18 [ 46.804512][ C0] RSP: 002b:00007ffe57c1f998 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 46.812925][ C0] RAX: ffffffffffffffda RBX: 0000000000000074 RCX: 00007fdf26d259a3 [ 46.820906][ C0] RDX: 0000000000000074 RSI: 0000556870250640 RDI: 0000000000000004 [ 46.828879][ C0] RBP: 0000556870259410 R08: 0000000000000000 R09: 00007ffe57d07080 [ 46.836877][ C0] R10: 00007ffe57d070f0 R11: 0000000000000246 R12: 0000000000000004 [ 46.844855][ C0] R13: 0000000000000001 R14: 00007ffe57c1fa08 R15: 00007ffe57c1fa88 [ 46.852853][ C0] [ 46.855897][ C0] [ 46.858214][ C0] The buggy address belongs to the physical page: [ 46.866624][ C0] page:ffffea0001e06bc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x781af [ 46.876774][ C0] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 46.883892][ C0] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 46.892667][ C0] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 46.901245][ C0] page dumped because: kasan: bad access detected [ 46.907653][ C0] page_owner tracks the page as freed [ 46.913009][ C0] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x2800(GFP_NOWAIT|__GFP_NOWARN), pid 3610, tgid 3610 (syz-executor369), ts 46289065833, free_ts 46289067130 [ 46.930293][ C0] get_page_from_freelist+0x1092/0x2d20 [ 46.935848][ C0] __alloc_pages+0x1c7/0x5a0 [ 46.940443][ C0] alloc_pages+0x1a6/0x270 [ 46.944883][ C0] __stack_depot_save+0x3e9/0x560 [ 46.949916][ C0] kasan_save_stack+0x31/0x40 [ 46.954618][ C0] kasan_set_track+0x21/0x30 [ 46.959218][ C0] kasan_save_free_info+0x2a/0x40 [ 46.964275][ C0] ____kasan_slab_free+0x160/0x1c0 [ 46.969401][ C0] slab_free_freelist_hook+0x8b/0x1c0 [ 46.974781][ C0] kmem_cache_free+0xea/0x5b0 [ 46.979469][ C0] kfree_skbmem+0xef/0x1b0 [ 46.983913][ C0] consume_skb+0xcf/0x160 [ 46.988255][ C0] kobject_uevent_env+0xc6c/0x1640 [ 46.993371][ C0] device_release_driver_internal+0x5c9/0x700 [ 46.999443][ C0] driver_detach+0xd5/0x1a0 [ 47.004038][ C0] bus_remove_driver+0x104/0x300 [ 47.008978][ C0] page last free stack trace: [ 47.013641][ C0] free_pcp_prepare+0x65c/0xd90 [ 47.018527][ C0] free_unref_page+0x19/0x4d0 [ 47.023235][ C0] __stack_depot_save+0x169/0x560 [ 47.028269][ C0] kasan_save_stack+0x31/0x40 [ 47.032973][ C0] kasan_set_track+0x21/0x30 [ 47.037575][ C0] kasan_save_free_info+0x2a/0x40 [ 47.042605][ C0] ____kasan_slab_free+0x160/0x1c0 [ 47.047729][ C0] slab_free_freelist_hook+0x8b/0x1c0 [ 47.053112][ C0] kmem_cache_free+0xea/0x5b0 [ 47.057803][ C0] kfree_skbmem+0xef/0x1b0 [ 47.062236][ C0] consume_skb+0xcf/0x160 [ 47.066576][ C0] kobject_uevent_env+0xc6c/0x1640 [ 47.071690][ C0] device_release_driver_internal+0x5c9/0x700 [ 47.077763][ C0] driver_detach+0xd5/0x1a0 [ 47.082634][ C0] bus_remove_driver+0x104/0x300 [ 47.087572][ C0] driver_unregister+0x73/0xb0 [ 47.092356][ C0] [ 47.094689][ C0] Memory state around the buggy address: [ 47.100313][ C0] ffff8880781af300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 47.108406][ C0] ffff8880781af380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 47.116470][ C0] >ffff8880781af400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 47.124527][ C0] ^ [ 47.131193][ C0] ffff8880781af480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 47.139249][ C0] ffff8880781af500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 47.147303][ C0] ================================================================== [ 47.155369][ C0] Kernel panic - not syncing: panic_on_warn set ... [ 47.161947][ C0] CPU: 0 PID: 3604 Comm: sshd Not tainted 6.0.0-rc6-next-20220923-syzkaller #0 [ 47.170881][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 [ 47.180962][ C0] Call Trace: [ 47.184242][ C0] [ 47.187094][ C0] dump_stack_lvl+0xcd/0x134 [ 47.191713][ C0] panic+0x2c8/0x622 [ 47.195611][ C0] ? panic_print_sys_info.part.0+0x110/0x110 [ 47.201620][ C0] end_report.part.0+0x3f/0x7c [ 47.206416][ C0] ? ar5523_cmd_tx_cb+0x220/0x240 [ 47.211559][ C0] kasan_report.cold+0xa/0xf [ 47.216161][ C0] ? ar5523_cmd_tx_cb+0x220/0x240 [ 47.221212][ C0] ar5523_cmd_tx_cb+0x220/0x240 [ 47.226097][ C0] __usb_hcd_giveback_urb+0x2b0/0x5c0 [ 47.231477][ C0] usb_hcd_giveback_urb+0x380/0x430 [ 47.236682][ C0] dummy_timer+0x11ff/0x32c0 [ 47.241286][ C0] ? do_raw_spin_unlock+0x171/0x230 [ 47.246514][ C0] ? rcu_read_lock_sched_held+0xd/0x70 [ 47.251987][ C0] ? rcu_read_lock_sched_held+0xd/0x70 [ 47.257472][ C0] ? lock_release+0x5cb/0x810 [ 47.262168][ C0] ? __queue_work+0x6d3/0x13b0 [ 47.267116][ C0] ? rcu_read_lock_sched_held+0xd/0x70 [ 47.272682][ C0] ? lock_acquire+0x4fc/0x630 [ 47.277366][ C0] ? lock_downgrade+0x6e0/0x6e0 [ 47.282307][ C0] ? dummy_dequeue+0x500/0x500 [ 47.287093][ C0] call_timer_fn+0x1da/0x7c0 [ 47.291703][ C0] ? dummy_dequeue+0x500/0x500 [ 47.296475][ C0] ? lock_release+0x5cb/0x810 [ 47.301155][ C0] ? timer_fixup_activate+0x3e0/0x3e0 [ 47.306534][ C0] ? lock_downgrade+0x6e0/0x6e0 [ 47.311388][ C0] ? rwlock_bug.part.0+0x90/0x90 [ 47.316506][ C0] ? __next_timer_interrupt+0x234/0x2b0 [ 47.322072][ C0] ? dummy_dequeue+0x500/0x500 [ 47.326847][ C0] ? dummy_dequeue+0x500/0x500 [ 47.331643][ C0] ? dummy_dequeue+0x500/0x500 [ 47.336446][ C0] __run_timers.part.0+0x6a2/0xaf0 [ 47.341670][ C0] ? call_timer_fn+0x7c0/0x7c0 [ 47.346445][ C0] ? cpuacct_stats_show+0x5f0/0x5f0 [ 47.351667][ C0] ? kvm_sched_clock_read+0x14/0x40 [ 47.356870][ C0] ? sched_clock_cpu+0x69/0x2b0 [ 47.361813][ C0] ? tick_program_event+0xb4/0x140 [ 47.366929][ C0] run_timer_softirq+0xb3/0x1d0 [ 47.371790][ C0] __do_softirq+0x1f7/0xad8 [ 47.376299][ C0] do_softirq.part.0+0xde/0x130 [ 47.381180][ C0] [ 47.384134][ C0] [ 47.387063][ C0] ? ip_finish_output2+0x7a2/0x2170 [ 47.392271][ C0] __local_bh_enable_ip+0x102/0x120 [ 47.397563][ C0] ip_finish_output2+0x7d0/0x2170 [ 47.402604][ C0] ? ip_fragment.constprop.0+0x240/0x240 [ 47.408249][ C0] ? ip_mc_finish_output+0x5a0/0x5a0 [ 47.413637][ C0] ? lock_acquire+0x4fc/0x630 [ 47.418420][ C0] __ip_finish_output+0x396/0x650 [ 47.423460][ C0] ip_finish_output+0x2d/0x280 [ 47.428334][ C0] ip_output+0x19f/0x310 [ 47.432591][ C0] __ip_queue_xmit+0x8de/0x1be0 [ 47.437492][ C0] __tcp_transmit_skb+0x1967/0x3800 [ 47.442716][ C0] ? __tcp_select_window+0xde0/0xde0 [ 47.448031][ C0] ? lock_release+0x810/0x810 [ 47.452809][ C0] ? tcp_write_xmit+0x31/0x6050 [ 47.457700][ C0] ? lock_downgrade+0x6e0/0x6e0 [ 47.462583][ C0] ? trace_hardirqs_on+0x2d/0x160 [ 47.467617][ C0] ? ktime_get+0x38a/0x470 [ 47.472061][ C0] tcp_write_xmit+0xd89/0x6050 [ 47.476844][ C0] __tcp_push_pending_frames+0xaa/0x380 [ 47.482396][ C0] tcp_push+0x499/0x720 [ 47.486566][ C0] ? tcp_tx_timestamp+0x5b/0x2d0 [ 47.491523][ C0] tcp_sendmsg_locked+0x2439/0x2f90 [ 47.496735][ C0] ? lock_release+0x5cb/0x810 [ 47.501412][ C0] ? tcp_sendpage+0xd0/0xd0 [ 47.506109][ C0] ? rwlock_bug.part.0+0x90/0x90 [ 47.511085][ C0] ? __local_bh_enable_ip+0xa0/0x120 [ 47.516477][ C0] tcp_sendmsg+0x2b/0x40 [ 47.520739][ C0] inet_sendmsg+0x99/0xe0 [ 47.525086][ C0] ? inet_send_prepare+0x4e0/0x4e0 [ 47.530214][ C0] sock_sendmsg+0xcf/0x120 [ 47.534641][ C0] sock_write_iter+0x291/0x3d0 [ 47.539412][ C0] ? sock_sendmsg+0x120/0x120 [ 47.544094][ C0] ? ns_to_timespec64+0xc0/0xc0 [ 47.548991][ C0] ? bpf_lsm_file_permission+0x5/0x10 [ 47.554404][ C0] ? security_file_permission+0xab/0xd0 [ 47.559975][ C0] vfs_write+0x9e9/0xdd0 [ 47.564239][ C0] ? vfs_read+0x930/0x930 [ 47.568612][ C0] ? __ct_user_exit+0xff/0x150 [ 47.573518][ C0] ? lock_downgrade+0x6e0/0x6e0 [ 47.578379][ C0] ? lock_downgrade+0x6e0/0x6e0 [ 47.583238][ C0] ? __fget_light+0x20a/0x270 [ 47.587936][ C0] ksys_write+0x1e8/0x250 [ 47.592301][ C0] ? __ia32_sys_read+0xb0/0xb0 [ 47.597081][ C0] ? syscall_enter_from_user_mode+0x22/0xb0 [ 47.602985][ C0] ? trace_hardirqs_on+0x2d/0x160 [ 47.608017][ C0] do_syscall_64+0x35/0xb0 [ 47.612437][ C0] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 47.618346][ C0] RIP: 0033:0x7fdf26d259a3 [ 47.622763][ C0] Code: 8b 15 d9 f4 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18 [ 47.642399][ C0] RSP: 002b:00007ffe57c1f998 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 47.650834][ C0] RAX: ffffffffffffffda RBX: 0000000000000074 RCX: 00007fdf26d259a3 [ 47.658817][ C0] RDX: 0000000000000074 RSI: 0000556870250640 RDI: 0000000000000004 [ 47.666794][ C0] RBP: 0000556870259410 R08: 0000000000000000 R09: 00007ffe57d07080 [ 47.674787][ C0] R10: 00007ffe57d070f0 R11: 0000000000000246 R12: 0000000000000004 [ 47.682761][ C0] R13: 0000000000000001 R14: 00007ffe57c1fa08 R15: 00007ffe57c1fa88 [ 47.690743][ C0] [ 47.693906][ C0] Kernel Offset: disabled [ 47.698222][ C0] Rebooting in 86400 seconds..