Warning: Permanently added '10.128.0.240' (ED25519) to the list of known hosts.
executing program
[ 44.607176][ T1534] usb 1-1: new full-speed USB device number 2 using dummy_hcd
[ 44.927214][ T1534] usb 1-1: not running at top speed; connect to a high speed hub
[ 45.007226][ T1534] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 45.009413][ T1534] usb 1-1: config 8 has no interface number 0
[ 45.011010][ T1534] usb 1-1: config 8 interface 33 has no altsetting 0
[ 45.167250][ T1534] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 45.169651][ T1534] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 45.171903][ T1534] usb 1-1: Product: syz
[ 45.173071][ T1534] usb 1-1: Manufacturer: syz
[ 45.174341][ T1534] usb 1-1: SerialNumber: syz
executing program
[ 45.503194][ T1534] usb 1-1: USB disconnect, device number 2
[ 45.507964][ T1534] ==================================================================
[ 45.510163][ T1534] BUG: KASAN: use-after-free in hdm_disconnect+0xf8/0x190
[ 45.512060][ T1534] Read of size 8 at addr ffff0000d919d978 by task kworker/1:2/1534
[ 45.514135][ T1534]
[ 45.514734][ T1534] CPU: 1 PID: 1534 Comm: kworker/1:2 Not tainted 5.15.179-syzkaller #0
[ 45.516919][ T1534] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 45.519578][ T1534] Workqueue: usb_hub_wq hub_event
[ 45.521010][ T1534] Call trace:
[ 45.521915][ T1534] dump_backtrace+0x0/0x530
[ 45.523176][ T1534] show_stack+0x2c/0x3c
[ 45.524311][ T1534] dump_stack_lvl+0x108/0x170
[ 45.525515][ T1534] print_address_description+0x7c/0x3f0
[ 45.527071][ T1534] kasan_report+0x174/0x1e4
[ 45.528407][ T1534] __asan_report_load8_noabort+0x44/0x50
[ 45.529944][ T1534] hdm_disconnect+0xf8/0x190
[ 45.531228][ T1534] usb_unbind_interface+0x1a4/0x758
[ 45.532716][ T1534] device_release_driver_internal+0x464/0x6ac
[ 45.534340][ T1534] device_release_driver+0x28/0x38
[ 45.535779][ T1534] bus_remove_device+0x298/0x38c
[ 45.537093][ T1534] device_del+0x57c/0x9b4
[ 45.538275][ T1534] usb_disable_device+0x354/0x760
[ 45.539630][ T1534] usb_disconnect+0x290/0x7e8
[ 45.540936][ T1534] hub_event+0x1718/0x46b8
[ 45.542153][ T1534] process_one_work+0x790/0x11b8
[ 45.543498][ T1534] worker_thread+0xb88/0x1034
[ 45.544684][ T1534] kthread+0x37c/0x45c
[ 45.545806][ T1534] ret_from_fork+0x10/0x20
[ 45.547001][ T1534]
[ 45.547646][ T1534] Allocated by task 1534:
[ 45.548873][ T1534] ____kasan_kmalloc+0xbc/0xfc
[ 45.550182][ T1534] __kasan_kmalloc+0x10/0x1c
[ 45.551501][ T1534] kmem_cache_alloc_trace+0x27c/0x47c
[ 45.552998][ T1534] hdm_probe+0xa4/0x1044
[ 45.554140][ T1534] usb_probe_interface+0x500/0x984
[ 45.555526][ T1534] really_probe+0x26c/0xaec
[ 45.556745][ T1534] __driver_probe_device+0x194/0x3b4
[ 45.558253][ T1534] driver_probe_device+0x78/0x34c
[ 45.559646][ T1534] __device_attach_driver+0x28c/0x4d8
[ 45.561145][ T1534] bus_for_each_drv+0x158/0x1e0
[ 45.562453][ T1534] __device_attach+0x2f0/0x480
[ 45.563778][ T1534] device_initial_probe+0x24/0x34
[ 45.565143][ T1534] bus_probe_device+0xbc/0x1c8
[ 45.566441][ T1534] device_add+0xae0/0xef4
[ 45.567569][ T1534] usb_set_configuration+0x15e0/0x1b60
[ 45.569060][ T1534] usb_generic_driver_probe+0x8c/0x148
[ 45.570507][ T1534] usb_probe_device+0x120/0x25c
[ 45.571736][ T1534] really_probe+0x26c/0xaec
[ 45.573014][ T1534] __driver_probe_device+0x194/0x3b4
[ 45.574435][ T1534] driver_probe_device+0x78/0x34c
[ 45.575824][ T1534] __device_attach_driver+0x28c/0x4d8
[ 45.577283][ T1534] bus_for_each_drv+0x158/0x1e0
[ 45.578632][ T1534] __device_attach+0x2f0/0x480
[ 45.579926][ T1534] device_initial_probe+0x24/0x34
[ 45.581242][ T1534] bus_probe_device+0xbc/0x1c8
[ 45.582555][ T1534] device_add+0xae0/0xef4
[ 45.583723][ T1534] usb_new_device+0x900/0x1468
[ 45.585006][ T1534] hub_event+0x236c/0x46b8
[ 45.586147][ T1534] process_one_work+0x790/0x11b8
[ 45.587543][ T1534] worker_thread+0x910/0x1034
[ 45.588808][ T1534] kthread+0x37c/0x45c
[ 45.589913][ T1534] ret_from_fork+0x10/0x20
[ 45.591158][ T1534]
[ 45.591758][ T1534] Freed by task 1534:
[ 45.592808][ T1534] kasan_set_track+0x4c/0x84
[ 45.594081][ T1534] kasan_set_free_info+0x28/0x4c
[ 45.595398][ T1534] ____kasan_slab_free+0x118/0x164
[ 45.596783][ T1534] __kasan_slab_free+0x18/0x28
[ 45.598055][ T1534] slab_free_freelist_hook+0x128/0x1ec
[ 45.599449][ T1534] kfree+0x178/0x410
[ 45.600435][ T1534] release_mdev+0x20/0x30
[ 45.601632][ T1534] device_release+0x8c/0x1ac
[ 45.602882][ T1534] kobject_put+0x2c4/0x438
[ 45.604018][ T1534] device_unregister+0x3c/0xcc
[ 45.605278][ T1534] most_deregister_interface+0x3e0/0x42c
[ 45.606814][ T1534] hdm_disconnect+0xe0/0x190
[ 45.608053][ T1534] usb_unbind_interface+0x1a4/0x758
[ 45.609457][ T1534] device_release_driver_internal+0x464/0x6ac
[ 45.611035][ T1534] device_release_driver+0x28/0x38
[ 45.612390][ T1534] bus_remove_device+0x298/0x38c
[ 45.613730][ T1534] device_del+0x57c/0x9b4
[ 45.614917][ T1534] usb_disable_device+0x354/0x760
[ 45.616268][ T1534] usb_disconnect+0x290/0x7e8
[ 45.617545][ T1534] hub_event+0x1718/0x46b8
[ 45.618767][ T1534] process_one_work+0x790/0x11b8
[ 45.620095][ T1534] worker_thread+0xb88/0x1034
[ 45.621316][ T1534] kthread+0x37c/0x45c
[ 45.622356][ T1534] ret_from_fork+0x10/0x20
[ 45.623509][ T1534]
[ 45.624144][ T1534] The buggy address belongs to the object at ffff0000d919c000
[ 45.624144][ T1534] which belongs to the cache kmalloc-8k of size 8192
[ 45.627945][ T1534] The buggy address is located 6520 bytes inside of
[ 45.627945][ T1534] 8192-byte region [ffff0000d919c000, ffff0000d919e000)
[ 45.631482][ T1534] The buggy address belongs to the page:
[ 45.632996][ T1534] page:000000000354411f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x119198
[ 45.635730][ T1534] head:000000000354411f order:3 compound_mapcount:0 compound_pincount:0
[ 45.637933][ T1534] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 45.640148][ T1534] raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002c00
[ 45.642371][ T1534] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 45.644627][ T1534] page dumped because: kasan: bad access detected
[ 45.646346][ T1534]
[ 45.646969][ T1534] Memory state around the buggy address:
[ 45.648459][ T1534] ffff0000d919d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.650560][ T1534] ffff0000d919d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.652729][ T1534] >ffff0000d919d900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.654912][ T1534] ^
[ 45.657056][ T1534] ffff0000d919d980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.659198][ T1534] ffff0000d919da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.661250][ T1534] ==================================================================
[ 45.663355][ T1534] Disabling lock debugging due to kernel taint
[ 45.665214][ T1534] ------------[ cut here ]------------
[ 45.666641][ T1534] refcount_t: underflow; use-after-free.
[ 45.668469][ T1534] WARNING: CPU: 1 PID: 1534 at lib/refcount.c:28 refcount_warn_saturate+0x1c8/0x20c
[ 45.670883][ T1534] Modules linked in:
[ 45.671907][ T1534] CPU: 1 PID: 1534 Comm: kworker/1:2 Tainted: G B 5.15.179-syzkaller #0
[ 45.674417][ T1534] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 45.677011][ T1534] Workqueue: usb_hub_wq hub_event
[ 45.678419][ T1534] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 45.680471][ T1534] pc : refcount_warn_saturate+0x1c8/0x20c
[ 45.682016][ T1534] lr : refcount_warn_saturate+0x1c8/0x20c
[ 45.683505][ T1534] sp : ffff800023d072f0
[ 45.684642][ T1534] x29: ffff800023d072f0 x28: ffff800016ad14c0 x27: ffff0000caa72000
[ 45.686796][ T1534] x26: 1fffe0001954ea07 x25: dfff800000000000 x24: ffff0000caa73030
[ 45.688967][ T1534] x23: 1fffe0001b2338bb x22: ffff0000caa7503c x21: 0000000000000003
[ 45.691084][ T1534] x20: ffff0000caa75038 x19: ffff800016fd2000 x18: 0000000000000001
[ 45.693172][ T1534] x17: 0000000000000000 x16: ffff800011b59ca8 x15: 00000000ffffffff
[ 45.695417][ T1534] x14: ffff0000ccce1b40 x13: 0000000000000001 x12: 0000000000000001
[ 45.697610][ T1534] x11: 0000000000000000 x10: 0000000000000000 x9 : dfb4ed2fcf04b900
[ 45.699770][ T1534] x8 : dfb4ed2fcf04b900 x7 : 0000000000000000 x6 : ffff800011c1d92c
[ 45.701992][ T1534] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff800008046154
[ 45.704207][ T1534] x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000026
[ 45.706331][ T1534] Call trace:
[ 45.707200][ T1534] refcount_warn_saturate+0x1c8/0x20c
[ 45.708704][ T1534] kobject_put+0x1a8/0x438
[ 45.709840][ T1534] put_device+0x28/0x40
[ 45.710979][ T1534] hdm_disconnect+0x170/0x190
[ 45.712205][ T1534] usb_unbind_interface+0x1a4/0x758
[ 45.713611][ T1534] device_release_driver_internal+0x464/0x6ac
[ 45.715263][ T1534] device_release_driver+0x28/0x38
[ 45.716657][ T1534] bus_remove_device+0x298/0x38c
[ 45.718035][ T1534] device_del+0x57c/0x9b4
[ 45.719215][ T1534] usb_disable_device+0x354/0x760
[ 45.720585][ T1534] usb_disconnect+0x290/0x7e8
[ 45.721837][ T1534] hub_event+0x1718/0x46b8
[ 45.723048][ T1534] process_one_work+0x790/0x11b8
[ 45.724316][ T1534] worker_thread+0xb88/0x1034
[ 45.725565][ T1534] kthread+0x37c/0x45c
[ 45.726775][ T1534] ret_from_fork+0x10/0x20
[ 45.727997][ T1534] irq event stamp: 41648
[ 45.729193][ T1534] hardirqs last enabled at (41647): [] kasan_quarantine_put+0xdc/0x204
[ 45.731832][ T1534] hardirqs last disabled at (41648): [] _raw_spin_lock_irqsave+0xfc/0x14c
[ 45.734598][ T1534] softirqs last enabled at (41426): [] handle_softirqs+0xb88/0xdbc
[ 45.737111][ T1534] softirqs last disabled at (41415): [] __irq_exit_rcu+0x268/0x4d8
[ 45.739715][ T1534] ---[ end trace 4091f0d58e001bfa ]---
[ 46.087094][ T1534] usb 1-1: new full-speed USB device number 3 using dummy_hcd
[ 46.407124][ T1534] usb 1-1: not running at top speed; connect to a high speed hub
[ 46.487171][ T1534] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 46.489446][ T1534] usb 1-1: config 8 has no interface number 0
[ 46.491114][ T1534] usb 1-1: config 8 interface 33 has no altsetting 0
[ 46.647087][ T1534] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 46.649667][ T1534] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 46.651825][ T1534] usb 1-1: Product: syz
[ 46.652916][ T1534] usb 1-1: Manufacturer: syz
[ 46.654112][ T1534] usb 1-1: SerialNumber: syz
executing program
[ 46.980369][ T1534] usb 1-1: USB disconnect, device number 3
[ 47.327096][ T1534] usb 1-1: new full-speed USB device number 4 using dummy_hcd
[ 47.647072][ T1534] usb 1-1: not running at top speed; connect to a high speed hub
[ 47.727177][ T1534] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 47.729463][ T1534] usb 1-1: config 8 has no interface number 0
[ 47.731161][ T1534] usb 1-1: config 8 interface 33 has no altsetting 0
[ 47.887175][ T1534] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 47.889610][ T1534] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 47.891660][ T1534] usb 1-1: Product: syz
[ 47.892825][ T1534] usb 1-1: Manufacturer: syz
[ 47.893993][ T1534] usb 1-1: SerialNumber: syz
executing program
[ 48.214286][ T1534] usb 1-1: USB disconnect, device number 4
[ 48.567097][ T1534] usb 1-1: new full-speed USB device number 5 using dummy_hcd
[ 48.887168][ T1534] usb 1-1: not running at top speed; connect to a high speed hub
[ 48.967194][ T1534] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 48.969459][ T1534] usb 1-1: config 8 has no interface number 0
[ 48.971081][ T1534] usb 1-1: config 8 interface 33 has no altsetting 0
[ 49.127186][ T1534] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 49.129568][ T1534] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 49.131793][ T1534] usb 1-1: Product: syz
[ 49.132876][ T1534] usb 1-1: Manufacturer: syz
[ 49.134119][ T1534] usb 1-1: SerialNumber: syz
executing program
[ 49.463407][ T1534] usb 1-1: USB disconnect, device number 5
[ 49.817141][ T1534] usb 1-1: new full-speed USB device number 6 using dummy_hcd
[ 50.137220][ T1534] usb 1-1: not running at top speed; connect to a high speed hub
[ 50.217196][ T1534] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 50.219556][ T1534] usb 1-1: config 8 has no interface number 0
[ 50.221125][ T1534] usb 1-1: config 8 interface 33 has no altsetting 0
[ 50.377244][ T1534] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 50.379820][ T1534] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 50.381908][ T1534] usb 1-1: Product: syz
[ 50.382994][ T1534] usb 1-1: Manufacturer: syz
[ 50.384177][ T1534] usb 1-1: SerialNumber: syz
executing program
[ 50.730142][ T1534] usb 1-1: USB disconnect, device number 6
[ 51.077107][ T1534] usb 1-1: new full-speed USB device number 7 using dummy_hcd
[ 51.397257][ T1534] usb 1-1: not running at top speed; connect to a high speed hub
[ 51.477190][ T1534] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 51.479406][ T1534] usb 1-1: config 8 has no interface number 0
[ 51.481005][ T1534] usb 1-1: config 8 interface 33 has no altsetting 0
[ 51.637168][ T1534] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 51.639736][ T1534] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 51.641861][ T1534] usb 1-1: Product: syz
[ 51.642991][ T1534] usb 1-1: Manufacturer: syz
[ 51.644212][ T1534] usb 1-1: SerialNumber: syz
executing program
[ 51.973429][ T1534] usb 1-1: USB disconnect, device number 7
[ 52.327056][ T1534] usb 1-1: new full-speed USB device number 8 using dummy_hcd
[ 52.647189][ T1534] usb 1-1: not running at top speed; connect to a high speed hub
[ 52.727208][ T1534] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 52.729434][ T1534] usb 1-1: config 8 has no interface number 0
[ 52.731062][ T1534] usb 1-1: config 8 interface 33 has no altsetting 0
[ 52.887262][ T1534] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 52.889909][ T1534] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 52.891996][ T1534] usb 1-1: Product: syz
[ 52.893083][ T1534] usb 1-1: Manufacturer: syz
[ 52.894302][ T1534] usb 1-1: SerialNumber: syz
executing program
[ 53.231608][ T1534] usb 1-1: USB disconnect, device number 8
[ 53.587122][ T1534] usb 1-1: new full-speed USB device number 9 using dummy_hcd
[ 53.907124][ T1534] usb 1-1: not running at top speed; connect to a high speed hub
[ 53.987148][ T1534] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 53.989409][ T1534] usb 1-1: config 8 has no interface number 0
[ 53.990992][ T1534] usb 1-1: config 8 interface 33 has no altsetting 0
[ 54.147153][ T1534] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 54.149650][ T1534] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 54.151855][ T1534] usb 1-1: Product: syz
[ 54.152939][ T1534] usb 1-1: Manufacturer: syz
[ 54.154128][ T1534] usb 1-1: SerialNumber: syz
executing program
[ 54.480660][ T1534] usb 1-1: USB disconnect, device number 9
[ 54.827132][ T1534] usb 1-1: new full-speed USB device number 10 using dummy_hcd
[ 55.147263][ T1534] usb 1-1: not running at top speed; connect to a high speed hub
[ 55.227185][ T1534] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 55.229478][ T1534] usb 1-1: config 8 has no interface number 0
[ 55.231149][ T1534] usb 1-1: config 8 interface 33 has no altsetting 0
[ 55.387282][ T1534] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 55.389888][ T1534] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 55.392081][ T1534] usb 1-1: Product: syz
[ 55.393235][ T1534] usb 1-1: Manufacturer: syz
[ 55.394473][ T1534] usb 1-1: SerialNumber: syz