Warning: Permanently added '10.128.1.119' (ECDSA) to the list of known hosts.
syzkaller login: [ 46.857631][ T5973] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 46.860847][ T5973] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 46.862781][ T5973] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 46.864856][ T5973] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 46.867969][ T5973] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 46.869573][ T5973] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 46.924262][ T5971] chnl_net:caif_netlink_parms(): no params data found
[ 46.952611][ T5971] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.954121][ T5971] bridge0: port 1(bridge_slave_0) entered disabled state
[ 46.955657][ T5971] bridge_slave_0: entered allmulticast mode
[ 46.957643][ T5971] bridge_slave_0: entered promiscuous mode
[ 46.960839][ T5971] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.962365][ T5971] bridge0: port 2(bridge_slave_1) entered disabled state
[ 46.964068][ T5971] bridge_slave_1: entered allmulticast mode
[ 46.965811][ T5971] bridge_slave_1: entered promiscuous mode
[ 46.978536][ T5971] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 46.982042][ T5971] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 46.993866][ T5971] team0: Port device team_slave_0 added
[ 46.998598][ T5971] team0: Port device team_slave_1 added
[ 47.008975][ T5971] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 47.010374][ T5971] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 47.015705][ T5971] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 47.020163][ T5971] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 47.021513][ T5971] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 47.026754][ T5971] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 47.107928][ T5971] hsr_slave_0: entered promiscuous mode
[ 47.156308][ T5971] hsr_slave_1: entered promiscuous mode
[ 47.252730][ T5971] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 47.278015][ T5971] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 47.317688][ T5971] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 47.358592][ T5971] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 47.409326][ T5971] bridge0: port 2(bridge_slave_1) entered blocking state
[ 47.410929][ T5971] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 47.412723][ T5971] bridge0: port 1(bridge_slave_0) entered blocking state
[ 47.414285][ T5971] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 47.444454][ T5971] 8021q: adding VLAN 0 to HW filter on device bond0
[ 47.451700][ T5980] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 47.455250][ T5980] bridge0: port 1(bridge_slave_0) entered disabled state
[ 47.459125][ T5980] bridge0: port 2(bridge_slave_1) entered disabled state
[ 47.461517][ T5980] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 47.467016][ T5971] 8021q: adding VLAN 0 to HW filter on device team0
[ 47.477357][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 47.479732][ T22] bridge0: port 1(bridge_slave_0) entered blocking state
[ 47.481231][ T22] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 47.482985][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 47.485063][ T22] bridge0: port 2(bridge_slave_1) entered blocking state
[ 47.486527][ T22] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 47.493876][ T5554] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 47.496537][ T5554] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 47.505374][ T5971] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 47.508331][ T5971] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 47.511737][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 47.513652][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 47.515929][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 47.517993][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 47.526557][ T5554] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 47.528129][ T5554] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 47.533470][ T5971] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 47.543122][ T5554] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 47.552540][ T5971] veth0_vlan: entered promiscuous mode
[ 47.556391][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 47.558445][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 47.560312][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 47.563635][ T5971] veth1_vlan: entered promiscuous mode
[ 47.577652][ T5554] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 47.579836][ T5554] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 47.581898][ T5554] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 47.585123][ T5971] veth0_macvtap: entered promiscuous mode
[ 47.589497][ T5971] veth1_macvtap: entered promiscuous mode
[ 47.597993][ T5971] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 47.599582][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 47.602525][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 47.608519][ T5971] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 47.610633][ T1599] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 47.614227][ T5971] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 47.616491][ T5971] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 47.618281][ T5971] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 47.620120][ T5971] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 47.661340][ T40] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 47.663007][ T40] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 47.665370][ T5980] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 47.679575][ T40] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 47.681168][ T40] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 47.683394][ T5980] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
executing program
[ 47.966187][ T24] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 48.326177][ T24] usb 1-1: New USB device found, idVendor=047d, idProduct=5002, bcdDevice=b9.5b
[ 48.328195][ T24] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 48.333162][ T24] usb 1-1: config 0 descriptor??
[ 48.370814][ T24] gspca_main: se401-2.14.0 probing 047d:5002
[ 48.739146][ T24] usb 1-1: reset high-speed USB device number 2 using dummy_hcd
[ 48.896655][ T5973] Bluetooth: hci0: command 0x0409 tx timeout
[ 48.936213][ T24] usb 1-1: device descriptor read/64, error -32
[ 49.206052][ T24] usb 1-1: reset high-speed USB device number 2 using dummy_hcd
[ 49.406111][ T24] usb 1-1: device descriptor read/64, error -32
[ 49.696151][ T24] usb 1-1: reset high-speed USB device number 2 using dummy_hcd
[ 49.796276][ T24] usb 1-1: Using ep0 maxpacket: 16
[ 50.216179][ T24] usb 1-1: device descriptor read/all, error 1
[ 50.376036][ T24] usb 1-1: reset high-speed USB device number 2 using dummy_hcd
[ 50.486077][ T24] usb 1-1: device descriptor read/8, error -71
[ 50.607203][ T24] gspca_se401: read req failed req 0x06 error -19
[ 50.610035][ T24] usb 1-1: USB disconnect, device number 2
[ 50.610404][ T5970] ==================================================================
[ 50.612762][ T5970] BUG: KASAN: slab-out-of-bounds in read_descriptors+0x23c/0x290
[ 50.614251][ T5970] Read of size 2 at addr ffff0000cac75aaa by task udevd/5970
[ 50.615681][ T5970]
[ 50.616199][ T5970] CPU: 0 PID: 5970 Comm: udevd Not tainted 6.4.0-rc5-syzkaller-g177239177378 #0
[ 50.618007][ T5970] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
[ 50.620162][ T5970] Call trace:
[ 50.620926][ T5970] dump_backtrace+0x1b8/0x1e4
[ 50.621838][ T5970] show_stack+0x2c/0x44
[ 50.622708][ T5970] dump_stack_lvl+0xd0/0x124
[ 50.623643][ T5970] print_report+0x174/0x514
[ 50.624546][ T5970] kasan_report+0xd4/0x130
[ 50.625495][ T5970] __asan_report_load2_noabort+0x20/0x2c
[ 50.626702][ T5970] read_descriptors+0x23c/0x290
[ 50.627764][ T5970] sysfs_kf_bin_read+0x19c/0x1d4
[ 50.628804][ T5970] kernfs_fop_read_iter+0x3ac/0x5c8
[ 50.629901][ T5970] vfs_read+0x5bc/0x8ac
[ 50.630742][ T5970] ksys_read+0x15c/0x26c
[ 50.631663][ T5970] __arm64_sys_read+0x7c/0x90
[ 50.632636][ T5970] invoke_syscall+0x98/0x2c0
[ 50.633639][ T5970] el0_svc_common+0x138/0x244
[ 50.634684][ T5970] do_el0_svc+0x64/0x198
[ 50.635564][ T5970] el0_svc+0x4c/0x160
[ 50.636406][ T5970] el0t_64_sync_handler+0x84/0xfc
[ 50.637414][ T5970] el0t_64_sync+0x190/0x194
[ 50.638325][ T5970]
[ 50.638810][ T5970] Allocated by task 24:
[ 50.639703][ T5970] kasan_set_track+0x4c/0x7c
[ 50.640712][ T5970] kasan_save_alloc_info+0x24/0x30
[ 50.641801][ T5970] __kasan_kmalloc+0xac/0xc4
[ 50.642754][ T5970] __kmalloc+0xcc/0x1b8
[ 50.643605][ T5970] usb_get_configuration+0xd8/0x4054
[ 50.644723][ T5970] usb_new_device+0x134/0x142c
[ 50.645714][ T5970] hub_event+0x25e4/0x474c
[ 50.646737][ T5970] process_one_work+0x788/0x12d4
[ 50.647738][ T5970] worker_thread+0x8e0/0xfe8
[ 50.648724][ T5970] kthread+0x288/0x310
[ 50.649585][ T5970] ret_from_fork+0x10/0x20
[ 50.650536][ T5970]
[ 50.650995][ T5970] The buggy address belongs to the object at ffff0000cac75800
[ 50.650995][ T5970] which belongs to the cache kmalloc-1k of size 1024
[ 50.653960][ T5970] The buggy address is located 2 bytes to the right of
[ 50.653960][ T5970] allocated 680-byte region [ffff0000cac75800, ffff0000cac75aa8)
[ 50.657129][ T5970]
[ 50.657614][ T5970] The buggy address belongs to the physical page:
[ 50.658962][ T5970] page:000000005b6dc155 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10ac70
[ 50.661079][ T5970] head:000000005b6dc155 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 50.662902][ T5970] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 50.664520][ T5970] page_type: 0xffffffff()
[ 50.665446][ T5970] raw: 05ffc00000010200 ffff0000c0002780 dead000000000122 0000000000000000
[ 50.667274][ T5970] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 50.669102][ T5970] page dumped because: kasan: bad access detected
[ 50.670326][ T5970]
[ 50.670830][ T5970] Memory state around the buggy address:
[ 50.671951][ T5970] ffff0000cac75980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 50.673717][ T5970] ffff0000cac75a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 50.675355][ T5970] >ffff0000cac75a80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 50.676997][ T5970] ^
[ 50.678091][ T5970] ffff0000cac75b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.679770][ T5970] ffff0000cac75b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.681411][ T5970] ==================================================================
[ 50.691142][ T5970] Disabling lock debugging