Warning: Permanently added '10.128.0.52' (ED25519) to the list of known hosts.
syzkaller login: [ 71.788086][ T9] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 71.801824][ T9] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 71.816549][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 71.827571][ T11] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
executing program
[ 71.835861][ T11] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 71.844417][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 72.135352][ T953] usb 1-1: new full-speed USB device number 2 using dummy_hcd
[ 72.318139][ T953] usb 1-1: New USB device found, idVendor=0424, idProduct=cf30, bcdDevice= 0.4a
[ 72.327644][ T953] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 72.338769][ T953] usb 1-1: config 0 descriptor??
[ 72.552305][ T14] usb 1-1: USB disconnect, device number 2
[ 72.561214][ T14] ==================================================================
[ 72.569670][ T14] BUG: KASAN: use-after-free in hdm_disconnect+0x109/0x1c0
[ 72.577001][ T14] Read of size 8 at addr ffff888030e2d898 by task kworker/0:1/14
[ 72.584729][ T14]
[ 72.587062][ T14] CPU: 0 PID: 14 Comm: kworker/0:1 Not tainted 6.1.128-syzkaller #0
[ 72.595063][ T14] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 72.605135][ T14] Workqueue: usb_hub_wq hub_event
[ 72.610387][ T14] Call Trace:
[ 72.613696][ T14]
[ 72.616666][ T14] dump_stack_lvl+0x1e3/0x2cb
[ 72.621377][ T14] ? nf_tcp_handle_invalid+0x642/0x642
[ 72.626849][ T14] ? panic+0x764/0x764
[ 72.630938][ T14] ? _printk+0xd1/0x111
[ 72.635126][ T14] ? __virt_addr_valid+0x17f/0x530
[ 72.640261][ T14] ? __virt_addr_valid+0x17f/0x530
[ 72.645383][ T14] print_report+0x15f/0x4f0
[ 72.649885][ T14] ? __virt_addr_valid+0x17f/0x530
[ 72.655090][ T14] ? __virt_addr_valid+0x17f/0x530
[ 72.660223][ T14] ? __virt_addr_valid+0x45b/0x530
[ 72.665344][ T14] ? __phys_addr+0xb6/0x170
[ 72.669885][ T14] ? hdm_disconnect+0x109/0x1c0
[ 72.674746][ T14] kasan_report+0x136/0x160
[ 72.679354][ T14] ? hdm_disconnect+0x109/0x1c0
[ 72.684324][ T14] hdm_disconnect+0x109/0x1c0
[ 72.689044][ T14] usb_unbind_interface+0x1cd/0x840
[ 72.694248][ T14] ? kernfs_remove_by_name_ns+0x10f/0x150
[ 72.699991][ T14] ? usb_driver_release_interface+0x1c0/0x1c0
[ 72.706150][ T14] device_release_driver_internal+0x59e/0x880
[ 72.712239][ T14] bus_remove_device+0x2e5/0x400
[ 72.717185][ T14] device_del+0x6e2/0xbd0
[ 72.721534][ T14] ? kill_device+0x160/0x160
[ 72.726222][ T14] ? lockdep_hardirqs_on_prepare+0x438/0x7a0
[ 72.732225][ T14] ? usb_disconnect+0xfa/0x8c0
[ 72.737001][ T14] ? mutex_lock_nested+0x10/0x10
[ 72.741957][ T14] usb_disable_device+0x3b8/0x840
[ 72.747007][ T14] usb_disconnect+0x33c/0x8c0
[ 72.751742][ T14] hub_event+0x1f78/0x5730
[ 72.756181][ T14] ? led_work+0x700/0x700
[ 72.760520][ T14] ? read_lock_is_recursive+0x10/0x10
[ 72.765931][ T14] ? lockdep_hardirqs_on_prepare+0x438/0x7a0
[ 72.771921][ T14] ? print_irqtrace_events+0x210/0x210
[ 72.777394][ T14] ? _raw_spin_unlock_irqrestore+0xd9/0x130
[ 72.783385][ T14] ? do_raw_spin_unlock+0x137/0x8a0
[ 72.788604][ T14] ? process_one_work+0x7a9/0x11d0
[ 72.793917][ T14] process_one_work+0x8a9/0x11d0
[ 72.798873][ T14] ? worker_detach_from_pool+0x260/0x260
[ 72.804524][ T14] ? _raw_spin_lock_irqsave+0x120/0x120
[ 72.810427][ T14] ? kthread_data+0x4e/0xc0
[ 72.815036][ T14] ? wq_worker_running+0x97/0x190
[ 72.820076][ T14] worker_thread+0xa47/0x1200
[ 72.824779][ T14] ? _raw_spin_unlock+0x40/0x40
[ 72.829642][ T14] kthread+0x28d/0x320
[ 72.833711][ T14] ? worker_clr_flags+0x190/0x190
[ 72.838743][ T14] ? kthread_blkcg+0xd0/0xd0
[ 72.843332][ T14] ret_from_fork+0x1f/0x30
[ 72.847772][ T14]
[ 72.850961][ T14]
[ 72.853281][ T14] Allocated by task 953:
[ 72.857516][ T14] kasan_set_track+0x4b/0x70
[ 72.862628][ T14] __kasan_kmalloc+0x97/0xb0
[ 72.867242][ T14] hdm_probe+0x91/0x13d0
[ 72.871486][ T14] usb_probe_interface+0x5c0/0xaf0
[ 72.876599][ T14] really_probe+0x2ab/0xcb0
[ 72.881112][ T14] __driver_probe_device+0x1a2/0x3d0
[ 72.886405][ T14] driver_probe_device+0x50/0x420
[ 72.891445][ T14] __device_attach_driver+0x2cf/0x510
[ 72.896843][ T14] bus_for_each_drv+0x183/0x200
[ 72.901704][ T14] __device_attach+0x359/0x570
[ 72.906480][ T14] bus_probe_device+0xba/0x1e0
[ 72.911258][ T14] device_add+0xb48/0xfd0
[ 72.915609][ T14] usb_set_configuration+0x19dd/0x2020
[ 72.921162][ T14] usb_generic_driver_probe+0x84/0x140
[ 72.926749][ T14] usb_probe_device+0x130/0x260
[ 72.931597][ T14] really_probe+0x2ab/0xcb0
[ 72.936100][ T14] __driver_probe_device+0x1a2/0x3d0
[ 72.941388][ T14] driver_probe_device+0x50/0x420
[ 72.946414][ T14] __device_attach_driver+0x2cf/0x510
[ 72.951800][ T14] bus_for_each_drv+0x183/0x200
[ 72.956649][ T14] __device_attach+0x359/0x570
[ 72.961413][ T14] bus_probe_device+0xba/0x1e0
[ 72.966179][ T14] device_add+0xb48/0xfd0
[ 72.970513][ T14] usb_new_device+0xbdd/0x1900
[ 72.975277][ T14] hub_event+0x2efe/0x5730
[ 72.979696][ T14] process_one_work+0x8a9/0x11d0
[ 72.984633][ T14] worker_thread+0xa47/0x1200
[ 72.989308][ T14] kthread+0x28d/0x320
[ 72.993377][ T14] ret_from_fork+0x1f/0x30
[ 72.997799][ T14]
[ 73.000119][ T14] Freed by task 14:
[ 73.003917][ T14] kasan_set_track+0x4b/0x70
[ 73.008510][ T14] kasan_save_free_info+0x27/0x40
[ 73.013533][ T14] ____kasan_slab_free+0xd6/0x120
[ 73.018556][ T14] __kmem_cache_free+0x25c/0x3c0
[ 73.023496][ T14] device_release+0x91/0x1c0
[ 73.028089][ T14] kobject_put+0x224/0x460
[ 73.032518][ T14] hdm_disconnect+0xef/0x1c0
[ 73.037138][ T14] usb_unbind_interface+0x1cd/0x840
[ 73.042337][ T14] device_release_driver_internal+0x59e/0x880
[ 73.048406][ T14] bus_remove_device+0x2e5/0x400
[ 73.053360][ T14] device_del+0x6e2/0xbd0
[ 73.057699][ T14] usb_disable_device+0x3b8/0x840
[ 73.062724][ T14] usb_disconnect+0x33c/0x8c0
[ 73.067427][ T14] hub_event+0x1f78/0x5730
[ 73.071884][ T14] process_one_work+0x8a9/0x11d0
[ 73.076889][ T14] worker_thread+0xa47/0x1200
[ 73.081571][ T14] kthread+0x28d/0x320
[ 73.085667][ T14] ret_from_fork+0x1f/0x30
[ 73.090179][ T14]
[ 73.092498][ T14] The buggy address belongs to the object at ffff888030e2c000
[ 73.092498][ T14] which belongs to the cache kmalloc-8k of size 8192
[ 73.106641][ T14] The buggy address is located 6296 bytes inside of
[ 73.106641][ T14] 8192-byte region [ffff888030e2c000, ffff888030e2e000)
[ 73.120350][ T14]
[ 73.122707][ T14] The buggy address belongs to the physical page:
[ 73.129163][ T14] page:ffffea0000c38a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x30e28
[ 73.140020][ T14] head:ffffea0000c38a00 order:3 compound_mapcount:0 compound_pincount:0
[ 73.148520][ T14] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 73.156613][ T14] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888017c42280
[ 73.165199][ T14] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 73.173948][ T14] page dumped because: kasan: bad access detected
[ 73.180467][ T14] page_owner tracks the page as allocated
[ 73.186265][ T14] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 22, tgid 22 (kworker/1:0), ts 71875604607, free_ts 71863915419
[ 73.205142][ T14] post_alloc_hook+0x18d/0x1b0
[ 73.209983][ T14] get_page_from_freelist+0x3731/0x38d0
[ 73.215533][ T14] __alloc_pages+0x28d/0x770
[ 73.220224][ T14] alloc_slab_page+0x6a/0x150
[ 73.224909][ T14] new_slab+0x84/0x2d0
[ 73.228989][ T14] ___slab_alloc+0xc20/0x1270
[ 73.233668][ T14] __kmem_cache_alloc_node+0x19f/0x260
[ 73.239179][ T14] __kmalloc+0xa1/0x230
[ 73.243347][ T14] __sta_info_alloc+0x93/0x1f20
[ 73.248238][ T14] ieee80211_ibss_rx_no_sta+0x414/0x740
[ 73.254220][ T14] ieee80211_prepare_and_rx_handle+0x20b9/0x5f10
[ 73.260563][ T14] ieee80211_rx_list+0x29a2/0x3380
[ 73.265688][ T14] ieee80211_rx_napi+0x186/0x3b0
[ 73.270636][ T14] ieee80211_handle_queued_frames+0x103/0x1b0
[ 73.276717][ T14] tasklet_action_common+0x3cb/0x4a0
[ 73.282096][ T14] handle_softirqs+0x2ee/0xa40
[ 73.286876][ T14] page last free stack trace:
[ 73.291548][ T14] free_unref_page_prepare+0x12a6/0x15b0
[ 73.297183][ T14] free_unref_page+0x33/0x3e0
[ 73.301861][ T14] __unfreeze_partials+0x1b7/0x210
[ 73.306987][ T14] put_cpu_partial+0x17b/0x250
[ 73.311755][ T14] qlist_free_all+0x76/0xe0
[ 73.316282][ T14] kasan_quarantine_reduce+0x156/0x170
[ 73.321784][ T14] __kasan_slab_alloc+0x1f/0x70
[ 73.326722][ T14] slab_post_alloc_hook+0x52/0x3a0
[ 73.331953][ T14] __kmem_cache_alloc_node+0x137/0x260
[ 73.337420][ T14] kmalloc_trace+0x26/0xe0
[ 73.341844][ T14] tomoyo_init_log+0x1bd/0x2040
[ 73.346709][ T14] tomoyo_supervisor+0x396/0x12d0
[ 73.351742][ T14] tomoyo_path_number_perm+0x58d/0x7f0
[ 73.357206][ T14] tomoyo_path_mkdir+0xe3/0x120
[ 73.362057][ T14] security_path_mkdir+0xdc/0x130
[ 73.367087][ T14] do_mkdirat+0x185/0x360
[ 73.371423][ T14]
[ 73.373745][ T14] Memory state around the buggy address:
[ 73.379369][ T14] ffff888030e2d780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.387452][ T14] ffff888030e2d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.395512][ T14] >ffff888030e2d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.403571][ T14]