last executing test programs: 23.056402583s ago: executing program 0 (id=1): r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000000)={0x26, 'aead\x00', 0x0, 0x0, 'aegis128-generic\x00'}, 0x58) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000140)="2c385aa3d49100dc6626c892b6bc436a", 0x10) r1 = accept4(r0, 0x0, 0x0, 0x0) sendmsg$alg(r1, &(0x7f0000000680)={0x0, 0x0, 0x0, 0x0, &(0x7f0000000080)=[@assoc={0x18, 0x117, 0x4, 0x1fd}], 0x18}, 0x0) sendmsg$nl_route_sched_retired(r1, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000012100), 0xe078}}, 0x0) recvmmsg(r1, &(0x7f0000000180)=[{{0x0, 0x0, 0x0}}, {{0x0, 0x0, &(0x7f0000000200)=[{&(0x7f0000000500)=""/229, 0xe5}, {&(0x7f0000000840)=""/127, 0x7f}, {&(0x7f0000000400)=""/115, 0x73}, {&(0x7f00000000c0)=""/33, 0x21}, {&(0x7f00000004c0)=""/21, 0x15}], 0x11}}], 0x2, 0x60, 0x0) 19.373817816s ago: executing program 0 (id=4): r0 = syz_usb_connect(0x0, 0x24, &(0x7f0000000140)={{0x12, 0x1, 0x0, 0xb5, 0x40, 0x33, 0x40, 0x1a86, 0x7522, 0x3536, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x0, 0xe4, 0xd6, 0x24}}]}}]}}, 0x0) syz_usb_control_io$hid(r0, 0x0, &(0x7f00000004c0)={0x2c, &(0x7f0000000340)=ANY=[@ANYBLOB="00001b"], 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0) syz_usb_control_io$printer(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) mprotect(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x1) syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0) 11.797586977s ago: executing program 1 (id=7): prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x20000008b}, 0x0) r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x147c40, 0x0) preadv2(r0, &(0x7f0000000080)=[{&(0x7f0000001200)=""/4096, 0xffe00}], 0x1c, 0x0, 0x0, 0x0) 10.452008518s ago: executing program 1 (id=8): socket$can_bcm(0x1d, 0x2, 0x2) r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000040), 0xffffffffffffffff) sendmsg$ETHTOOL_MSG_COALESCE_SET(r0, &(0x7f0000000540)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000580)=ANY=[@ANYBLOB='d\x00\x00\x00', @ANYRES16=r1, @ANYBLOB="010000000000000000001400000018000180140002006e657464657673696d3000000000000005000c0001000000050018000000000008001000ffffff7f080009002205000005001900010000000800070000000000080015"], 0x64}}, 0x0) 7.938030096s ago: executing program 1 (id=9): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0xf, 0x9, &(0x7f0000000540)=ANY=[@ANYBLOB="180800000000000000000000000000008510000005000000850000000f0000005f0201000000000018000000000000000000000000000000950000000000000095"], &(0x7f0000000000)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) 7.415056612s ago: executing program 0 (id=10): seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x8, 0x0) write$FUSE_DIRENT(0xffffffffffffffff, &(0x7f0000000080)=ANY=[@ANYBLOB='X\x00\x00\x00\x00\x00\x00\x00', @ANYRES64=0x0, @ANYBLOB="070000000000001400000000000000000800000000000000402d2f5c260d802d00000000100000000000000000000000359b00000000000000002f3e0d762f"], 0x58) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) syz_open_dev$sndpcmp(0x0, 0x0, 0x0) r0 = socket(0x10, 0x803, 0x0) r1 = socket(0x200000100000011, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'syz_tun\x00', 0x0}) sendmsg$nl_route(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000080)=ANY=[@ANYBLOB="480000001400b59500000000000000000a000000", @ANYRES32=r2, @ANYBLOB="14000200fe8000000000000000000000000000aa080009003f0c0000140001"], 0x48}}, 0x0) 4.984128563s ago: executing program 1 (id=11): r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000000c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000380)={{0x14}, [@NFT_MSG_NEWRULE={0x54, 0x6, 0xa, 0x40b, 0x0, 0x0, {0x2}, [@NFTA_RULE_EXPRESSIONS={0x28, 0x4, 0x0, 0x1, [{0x24, 0x1, 0x0, 0x1, @meta={{0x9}, @val={0x14, 0x2, 0x0, 0x1, [@NFTA_META_DREG={0x8}, @NFTA_META_KEY={0x8, 0x2, 0x1, 0x0, 0x2}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_CHAIN={0x9, 0x2, 'syz2\x00'}]}], {0x14}}, 0x7c}}, 0x0) 4.650864761s ago: executing program 0 (id=12): open(&(0x7f00009e1000)='./file0\x00', 0x60840, 0x0) r0 = socket$unix(0x1, 0x5, 0x0) fchmodat(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0xfffffffb) setresuid(0xee00, 0xee00, 0x0) connect$unix(r0, &(0x7f000057eff8)=@file={0x1, './file0\x00'}, 0x3b) 2.949127424s ago: executing program 1 (id=13): r0 = socket$inet6_tcp(0xa, 0x1, 0x0) listen(r0, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000680)={0x10, 0x4, &(0x7f0000000380)=ANY=[@ANYBLOB="1802000000c4400000000000e0feff00850000000f00000095"], &(0x7f00000000c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r2 = bpf$MAP_CREATE(0x0, &(0x7f00000023c0)=@base={0x12, 0x4, 0x8, 0xb, 0x0, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48) bpf$BPF_PROG_DETACH(0x8, &(0x7f0000000540)=ANY=[@ANYRES32=r2, @ANYRES32=r1, @ANYBLOB='\a'], 0x10) bpf$ENABLE_STATS(0x20, 0x0, 0x0) bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0) sendmmsg$inet6(r0, &(0x7f00000008c0)=[{{0x0, 0x0, 0x0}}, {{0x0, 0x0, &(0x7f0000000500)=[{&(0x7f0000000300)="16", 0x1}], 0x1}}], 0x2, 0x4000050) 1.367646264s ago: executing program 0 (id=14): r0 = syz_usb_connect$hid(0x5, 0x3f, &(0x7f0000000040)=ANY=[@ANYBLOB="12010000000000204f045db600000000000109022d0001000060020904001005030001000921000036012205000905810300000c000709050203"], 0x0) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io(r0, &(0x7f0000000380)={0x2c, &(0x7f0000000100)=ANY=[@ANYBLOB="000457"], 0x0, 0x0, 0x0, 0x0}, 0x0) socket$unix(0x1, 0x5, 0x0) 0s ago: executing program 1 (id=15): r0 = socket$inet6(0xa, 0x2, 0x0) ioctl$sock_ipv6_tunnel_SIOCADDTUNNEL(r0, 0x89f1, &(0x7f0000000480)={'ip6_vti0\x00', &(0x7f0000000300)={'syztnl0\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @mcast1, @mcast1, 0x0, 0x0, 0x0, 0x1004}}) ioctl$sock_ipv6_tunnel_SIOCGETTUNNEL(r0, 0x89f0, &(0x7f0000000440)={'syztnl0\x00', &(0x7f00000000c0)={'ip6tnl0\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @loopback}}) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:29107' (ED25519) to the list of known hosts. syzkaller login: [ 279.734440][ T3170] cgroup: Unknown subsys name 'net' [ 280.206820][ T3170] cgroup: Unknown subsys name 'cpuset' [ 280.327889][ T3170] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 330.639967][ T3170] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 382.415917][ T3175] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 382.508355][ T3176] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 382.616191][ T3175] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 382.724800][ T3176] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 394.095250][ T3176] hsr_slave_0: entered promiscuous mode [ 394.122256][ T3176] hsr_slave_1: entered promiscuous mode [ 395.735792][ T3175] hsr_slave_0: entered promiscuous mode [ 395.786379][ T3175] hsr_slave_1: entered promiscuous mode [ 395.822160][ T3175] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 395.825267][ T3175] Cannot create hsr debugfs directory [ 402.618760][ T3176] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 402.800737][ T3176] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 403.000083][ T3176] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 403.137128][ T3176] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 403.796996][ T3175] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 403.883219][ T3175] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 404.006727][ T3175] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 404.586162][ T3175] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 410.956110][ T3176] 8021q: adding VLAN 0 to HW filter on device bond0 [ 414.760531][ T3175] 8021q: adding VLAN 0 to HW filter on device bond0 [ 437.958218][ T3176] veth0_vlan: entered promiscuous mode [ 438.124665][ T3176] veth1_vlan: entered promiscuous mode [ 438.736196][ T3176] veth0_macvtap: entered promiscuous mode [ 438.890060][ T3176] veth1_macvtap: entered promiscuous mode [ 440.991621][ T3176] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 440.995589][ T3176] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 440.998000][ T3176] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 441.002473][ T3176] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 443.677918][ T3175] veth0_vlan: entered promiscuous mode [ 443.991140][ T3175] veth1_vlan: entered promiscuous mode [ 445.055798][ T3176] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 445.257101][ T3175] veth0_macvtap: entered promiscuous mode [ 445.407709][ T3175] veth1_macvtap: entered promiscuous mode [ 446.854627][ T3175] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 446.856906][ T3175] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 446.864122][ T3175] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 446.866375][ T3175] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 449.353009][ T3873] random: crng reseeded on system resumption [ 449.794451][ T3873] Hibernate image not generated by this kernel! [ 449.797307][ T3873] PM: hibernation: Image mismatch: architecture specific data [ 451.721866][ T3875] trusted_key: syz.0.1 sent an empty control message without MSG_MORE. [ 455.572397][ T1825] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 456.450358][ T1825] usb 1-1: New USB device found, idVendor=1a86, idProduct=7522, bcdDevice=35.36 [ 456.453367][ T1825] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 456.455142][ T1825] usb 1-1: Product: syz [ 456.456563][ T1825] usb 1-1: Manufacturer: syz [ 456.457978][ T1825] usb 1-1: SerialNumber: syz [ 456.634842][ T1825] usb 1-1: config 0 descriptor?? [ 456.797734][ T1825] ch341 1-1:0.0: ch341-uart converter detected [ 458.262965][ T1825] ch341-uart ttyUSB0: break control not supported, using simulated break [ 458.297183][ T3886] Zero length message leads to an empty skb [ 458.386571][ T1825] usb 1-1: ch341-uart converter now attached to ttyUSB0 [ 458.582996][ T1825] usb 1-1: USB disconnect, device number 2 [ 458.914247][ T1825] ch341-uart ttyUSB0: ch341-uart converter now disconnected from ttyUSB0 [ 458.955395][ T1825] ch341 1-1:0.0: device disconnected [ 472.644308][ T3881] usb 1-1: new high-speed USB device number 3 using dummy_hcd [ 472.940295][ T3881] usb 1-1: Using ep0 maxpacket: 32 [ 472.985838][ T3881] usb 1-1: config 0 interface 0 altsetting 16 endpoint 0x81 has invalid wMaxPacketSize 0 [ 472.987735][ T3881] usb 1-1: config 0 interface 0 altsetting 16 endpoint 0x2 has an invalid bInterval 0, changing to 7 [ 472.999658][ T3881] usb 1-1: config 0 interface 0 altsetting 16 endpoint 0x2 has invalid wMaxPacketSize 0 [ 473.001146][ T3881] usb 1-1: config 0 interface 0 altsetting 16 has 2 endpoint descriptors, different from the interface descriptor's value: 5 [ 473.002553][ T3881] usb 1-1: config 0 interface 0 has no altsetting 0 [ 473.003814][ T3881] usb 1-1: New USB device found, idVendor=044f, idProduct=b65d, bcdDevice= 0.00 [ 473.005080][ T3881] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 473.094950][ T3881] usb 1-1: config 0 descriptor?? [ 473.837233][ T3881] hid-thrustmaster 0003:044F:B65D.0001: unknown main item tag 0x0 [ 473.838693][ T3881] hid-thrustmaster 0003:044F:B65D.0001: unknown main item tag 0x0 [ 473.842487][ T3881] hid-thrustmaster 0003:044F:B65D.0001: unknown main item tag 0x0 [ 473.843686][ T3881] hid-thrustmaster 0003:044F:B65D.0001: unknown main item tag 0x0 [ 473.844764][ T3881] hid-thrustmaster 0003:044F:B65D.0001: unknown main item tag 0x0 [ 473.896405][ T3881] hid-thrustmaster 0003:044F:B65D.0001: hidraw0: USB HID v0.00 Device [HID 044f:b65d] on usb-dummy_hcd.0-1/input0 [ 473.902186][ T3881] ================================================================== [ 473.903327][ T3881] BUG: KASAN: stack-out-of-bounds in usb_check_int_endpoints+0x242/0x264 [ 473.905429][ T3881] Read of size 1 at addr ffff8f800d426221 by task kworker/0:4/3881 [ 473.906386][ T3881] [ 473.908141][ T3881] CPU: 0 UID: 0 PID: 3881 Comm: kworker/0:4 Not tainted 6.14.0-rc1-syzkaller-g245aece3750d #0 [ 473.908763][ T3881] Hardware name: riscv-virtio,qemu (DT) [ 473.909160][ T3881] Workqueue: usb_hub_wq hub_event [ 473.909800][ T3881] Call Trace: [ 473.910019][ T3881] [] dump_backtrace+0x2e/0x3c [ 473.910324][ T3881] [] show_stack+0x30/0x3c [ 473.910596][ T3881] [] dump_stack_lvl+0x12e/0x1a6 [ 473.910978][ T3881] [] print_report+0x28e/0x5aa [ 473.911281][ T3881] [] kasan_report+0xf0/0x214 [ 473.911612][ T3881] [] __asan_report_load1_noabort+0x12/0x1a [ 473.911976][ T3881] [] usb_check_int_endpoints+0x242/0x264 [ 473.912300][ T3881] [] thrustmaster_probe+0x45c/0xb9a [ 473.912646][ T3881] [] hid_device_probe+0x312/0x668 [ 473.912937][ T3881] [] really_probe+0x232/0x9be [ 473.913219][ T3881] [] __driver_probe_device+0x1d4/0x3f2 [ 473.913554][ T3881] [] driver_probe_device+0x60/0x1ce [ 473.913833][ T3881] [] __device_attach_driver+0x1e2/0x2fc [ 473.914119][ T3881] [] bus_for_each_drv+0x142/0x1da [ 473.914370][ T3881] [] __device_attach+0x1c4/0x462 [ 473.914654][ T3881] [] device_initial_probe+0x1c/0x26 [ 473.914939][ T3881] [] bus_probe_device+0x15c/0x192 [ 473.915193][ T3881] [] device_add+0x10da/0x181c [ 473.915566][ T3881] [] hid_add_device+0x366/0x9d8 [ 473.915838][ T3881] [] usbhid_probe+0xa6e/0xf88 [ 473.916193][ T3881] [] usb_probe_interface+0x2d6/0x8c4 [ 473.916512][ T3881] [] really_probe+0x232/0x9be [ 473.916789][ T3881] [] __driver_probe_device+0x1d4/0x3f2 [ 473.917133][ T3881] [] driver_probe_device+0x60/0x1ce [ 473.917447][ T3881] [] __device_attach_driver+0x1e2/0x2fc [ 473.917792][ T3881] [] bus_for_each_drv+0x142/0x1da [ 473.918067][ T3881] [] __device_attach+0x1c4/0x462 [ 473.918343][ T3881] [] device_initial_probe+0x1c/0x26 [ 473.918639][ T3881] [] bus_probe_device+0x15c/0x192 [ 473.918946][ T3881] [] device_add+0x10da/0x181c [ 473.919314][ T3881] [] usb_set_configuration+0xf08/0x19dc [ 473.919620][ T3881] [] usb_generic_driver_probe+0xae/0x128 [ 473.919904][ T3881] [] usb_probe_device+0xd6/0x360 [ 473.920196][ T3881] [] really_probe+0x232/0x9be [ 473.920465][ T3881] [] __driver_probe_device+0x1d4/0x3f2 [ 473.920753][ T3881] [] driver_probe_device+0x60/0x1ce [ 473.921032][ T3881] [] __device_attach_driver+0x1e2/0x2fc [ 473.921351][ T3881] [] bus_for_each_drv+0x142/0x1da [ 473.921611][ T3881] [] __device_attach+0x1c4/0x462 [ 473.922030][ T3881] [] device_initial_probe+0x1c/0x26 [ 473.922419][ T3881] [] bus_probe_device+0x15c/0x192 [ 473.922689][ T3881] [] device_add+0x10da/0x181c [ 473.923082][ T3881] [] usb_new_device+0x964/0x1778 [ 473.923433][ T3881] [] hub_event+0x2716/0x48de [ 473.923790][ T3881] [] process_one_work+0x96a/0x1f3a [ 473.924153][ T3881] [] worker_thread+0x5be/0xdc6 [ 473.924515][ T3881] [] kthread+0x37e/0x7b6 [ 473.924828][ T3881] [] ret_from_fork+0xe/0x18 [ 473.925473][ T3881] [ 473.948623][ T3881] The buggy address belongs to stack of task kworker/0:4/3881 [ 473.949392][ T3881] and is located at offset 65 in frame: [ 473.949922][ T3881] thrustmaster_probe+0x0/0xb9a [ 473.950759][ T3881] [ 473.951180][ T3881] This frame has 2 objects: [ 473.951805][ T3881] [48, 52) 'trans' [ 473.952021][ T3881] [64, 65) 'ep_addr' [ 473.952563][ T3881] [ 473.953390][ T3881] The buggy address belongs to the virtual mapping at [ 473.953390][ T3881] [ffff8f800d420000, ffff8f800d429000) created by: [ 473.953390][ T3881] kernel_clone+0x11e/0xc3c [ 473.954634][ T3881] [ 473.955109][ T3881] The buggy address belongs to the physical page: [ 473.956158][ T3881] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9d344 [ 473.957219][ T3881] flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) [ 473.959079][ T3881] raw: 0ffe000000000000 0000000000000000 dead000000000122 0000000000000000 [ 473.959900][ T3881] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 473.960697][ T3881] page dumped because: kasan: bad access detected [ 473.961553][ T3881] page_owner tracks the page as allocated [ 473.962184][ T3881] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 30, tgid 30 (kworker/u9:1), ts 448432200200, free_ts 448196909100 [ 473.963779][ T3881] __set_page_owner+0xa2/0x710 [ 473.964595][ T3881] post_alloc_hook+0xea/0x1e2 [ 473.965268][ T3881] get_page_from_freelist+0xf78/0x2bd6 [ 473.966022][ T3881] __alloc_frozen_pages_noprof+0x1e8/0x20fc [ 473.966709][ T3881] alloc_pages_mpol+0x1fa/0x5b8 [ 473.967490][ T3881] alloc_frozen_pages_noprof+0x174/0x2f0 [ 473.968230][ T3881] alloc_pages_noprof+0x20/0x48 [ 473.969151][ T3881] __vmalloc_node_range_noprof+0x640/0x120a [ 473.969968][ T3881] copy_process+0x2c02/0x6c8e [ 473.970618][ T3881] kernel_clone+0x11e/0xc3c [ 473.971272][ T3881] user_mode_thread+0xea/0x11a [ 473.971925][ T3881] call_usermodehelper_exec_work+0x6c/0x1ac [ 473.972666][ T3881] process_one_work+0x96a/0x1f3a [ 473.973604][ T3881] worker_thread+0x5be/0xdc6 [ 473.974331][ T3881] kthread+0x37e/0x7b6 [ 473.975049][ T3881] ret_from_fork+0xe/0x18 [ 473.975930][ T3881] page last free pid 3175 tgid 3175 stack trace: [ 473.976560][ T3881] __reset_page_owner+0x8c/0x400 [ 473.977345][ T3881] free_frozen_pages+0x96a/0x155c [ 473.978004][ T3881] page_frag_free+0x336/0x382 [ 473.978635][ T3881] skb_free_head+0x1ca/0x2e8 [ 473.979343][ T3881] skb_release_data+0x6ee/0x86c [ 473.980029][ T3881] __kfree_skb+0x46/0x68 [ 473.980703][ T3881] tcp_rcv_established+0xf68/0x268e [ 473.981453][ T3881] tcp_v4_do_rcv+0x68a/0xbaa [ 473.982189][ T3881] tcp_v4_rcv+0x340e/0x4634 [ 473.982913][ T3881] ip_protocol_deliver_rcu+0xa2/0x64a [ 473.983601][ T3881] ip_local_deliver_finish+0x2ee/0x57e [ 473.984287][ T3881] ip_local_deliver+0x1b2/0x568 [ 473.984954][ T3881] ip_sublist_rcv_finish+0x148/0x2ba [ 473.985691][ T3881] ip_sublist_rcv+0x4ec/0x9f2 [ 473.986312][ T3881] ip_list_rcv+0x2ae/0x3ce [ 473.986962][ T3881] __netif_receive_skb_list_core+0x45e/0x75e [ 473.987962][ T3881] [ 473.988447][ T3881] Memory state around the buggy address: [ 473.989680][ T3881] ffff8f800d426100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 473.990428][ T3881] ffff8f800d426180: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 [ 473.991111][ T3881] >ffff8f800d426200: f1 f1 04 f2 01 f3 f3 f3 00 00 00 00 00 00 00 00 [ 473.992088][ T3881] ^ [ 473.993006][ T3881] ffff8f800d426280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 473.993825][ T3881] ffff8f800d426300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 473.994613][ T3881] ================================================================== [ 474.037119][ T3881] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 474.038554][ T3881] CPU: 0 UID: 0 PID: 3881 Comm: kworker/0:4 Not tainted 6.14.0-rc1-syzkaller-g245aece3750d #0 [ 474.039516][ T3881] Hardware name: riscv-virtio,qemu (DT) [ 474.040102][ T3881] Workqueue: usb_hub_wq hub_event [ 474.041020][ T3881] Call Trace: [ 474.041611][ T3881] [] dump_backtrace+0x2e/0x3c [ 474.042569][ T3881] [] show_stack+0x30/0x3c [ 474.043320][ T3881] [] dump_stack_lvl+0x110/0x1a6 [ 474.044131][ T3881] [] dump_stack+0x1c/0x24 [ 474.044987][ T3881] [] panic+0x38c/0x86a [ 474.045782][ T3881] [] check_panic_on_warn+0xc0/0xe4 [ 474.046550][ T3881] [] end_report.part.0+0x4e/0xae [ 474.047375][ T3881] [] kasan_report+0x13a/0x214 [ 474.048184][ T3881] [] __asan_report_load1_noabort+0x12/0x1a [ 474.049322][ T3881] [] usb_check_int_endpoints+0x242/0x264 [ 474.050142][ T3881] [] thrustmaster_probe+0x45c/0xb9a [ 474.050951][ T3881] [] hid_device_probe+0x312/0x668 [ 474.051727][ T3881] [] really_probe+0x232/0x9be [ 474.052460][ T3881] [] __driver_probe_device+0x1d4/0x3f2 [ 474.053382][ T3881] [] driver_probe_device+0x60/0x1ce [ 474.054318][ T3881] [] __device_attach_driver+0x1e2/0x2fc [ 474.055168][ T3881] [] bus_for_each_drv+0x142/0x1da [ 474.056021][ T3881] [] __device_attach+0x1c4/0x462 [ 474.056881][ T3881] [] device_initial_probe+0x1c/0x26 [ 474.058024][ T3881] [] bus_probe_device+0x15c/0x192 [ 474.058834][ T3881] [] device_add+0x10da/0x181c [ 474.059677][ T3881] [] hid_add_device+0x366/0x9d8 [ 474.060509][ T3881] [] usbhid_probe+0xa6e/0xf88 [ 474.061387][ T3881] [] usb_probe_interface+0x2d6/0x8c4 [ 474.062323][ T3881] [] really_probe+0x232/0x9be [ 474.063085][ T3881] [] __driver_probe_device+0x1d4/0x3f2 [ 474.063843][ T3881] [] driver_probe_device+0x60/0x1ce [ 474.064648][ T3881] [] __device_attach_driver+0x1e2/0x2fc [ 474.065497][ T3881] [] bus_for_each_drv+0x142/0x1da [ 474.066209][ T3881] [] __device_attach+0x1c4/0x462 [ 474.066996][ T3881] [] device_initial_probe+0x1c/0x26 [ 474.067852][ T3881] [] bus_probe_device+0x15c/0x192 [ 474.068568][ T3881] [] device_add+0x10da/0x181c [ 474.069516][ T3881] [] usb_set_configuration+0xf08/0x19dc [ 474.070547][ T3881] [] usb_generic_driver_probe+0xae/0x128 [ 474.071398][ T3881] [] usb_probe_device+0xd6/0x360 [ 474.072222][ T3881] [] really_probe+0x232/0x9be [ 474.072997][ T3881] [] __driver_probe_device+0x1d4/0x3f2 [ 474.074149][ T3881] [] driver_probe_device+0x60/0x1ce [ 474.075061][ T3881] [] __device_attach_driver+0x1e2/0x2fc [ 474.075888][ T3881] [] bus_for_each_drv+0x142/0x1da [ 474.076593][ T3881] [] __device_attach+0x1c4/0x462 [ 474.077469][ T3881] [] device_initial_probe+0x1c/0x26 [ 474.078241][ T3881] [] bus_probe_device+0x15c/0x192 [ 474.079110][ T3881] [] device_add+0x10da/0x181c [ 474.079960][ T3881] [] usb_new_device+0x964/0x1778 [ 474.080835][ T3881] [] hub_event+0x2716/0x48de [ 474.081721][ T3881] [] process_one_work+0x96a/0x1f3a [ 474.082679][ T3881] [] worker_thread+0x5be/0xdc6 [ 474.083530][ T3881] [] kthread+0x37e/0x7b6 [ 474.084328][ T3881] [] ret_from_fork+0xe/0x18 [ 474.085581][ T3881] SMP: stopping secondary CPUs [ 474.087883][ T3881] Rebooting in 86400 seconds.. VM DIAGNOSIS: 05:02:59 Registers: info registers vcpu 0 CPU#0 V = 0 pc ffffffff8013a1ba mhartid 0000000000000000 mstatus 0000000a000000a0 hstatus 0000000200000000 vsstatus 0000000a00000000 mip 0000000000000200 mie 000000000000022a mideleg 0000000000001666 hideleg 0000000000000444 medeleg 0000000000f0b509 hedeleg 000000000000b109 mtvec 00000000800004f0 stvec ffffffff86261034 vstvec 0000000000000000 mepc ffffffff80088636 sepc ffffffff803c262c vsepc 0000000000000000 mcause 0000000000000009 scause 8000000000000005 vscause 0000000000000000 mtval 0000000000000000 stval 0000000000000000 htval 0000000000000000 mtval2 0000000000000000 mscratch 000000008004a000 sscratch 0000000000000000 satp 90129000000ae9ff x0/zero 0000000000000000 x1/ra ffffffff8013a1ba x2/sp ffff8f800d425e00 x3/gp ffffffff89c21d80 x4/tp ffffaf801b700000 x5/t0 ffff8f800d425bb4 x6/t1 fffffffef13855e0 x7/t2 7320666f20646165 x8/s0 ffff8f800d425f20 x9/s1 ffffffff87bf0180 x10/a0 0000000000000000 x11/a1 0000000000000000 x12/a2 0000000000100000 x13/a3 ffffffff8013a1ba x14/a4 ffff8f800deeeb30 x15/a5 0000000000695b30 x16/a6 0000000000000003 x17/a7 0000000000000003 x18/s2 0000000000000000 x19/s3 0000000000000000 x20/s4 ffffaf801b81b900 x21/s5 0000000000000000 x22/s6 dfffffff00000000 x23/s7 ffffffff89d29780 x24/s8 ffff8f800d425ea0 x25/s9 1ffff1f001a84c3c x26/s10 1ffff5f003806981 x27/s11 ffffaf802f7d70a8 x28/t3 ffffffff802c6d18 x29/t4 fffffffef13855e0 x30/t5 fffffffef13855e1 x31/t6 ffff8f800d425998 fcsr 0000000000000000 f0/ft0 0000000000000000 f1/ft1 0000000000000000 f2/ft2 0000000000000000 f3/ft3 0000000000000000 f4/ft4 0000000000000000 f5/ft5 0000000000000000 f6/ft6 0000000000000000 f7/ft7 0000000000000000 f8/fs0 0000000000000000 f9/fs1 0000000000000000 f10/fa0 0000000000000000 f11/fa1 0000000000000000 f12/fa2 0000000000000000 f13/fa3 0000000000000000 f14/fa4 0000000000000000 f15/fa5 0000000000000000 f16/fa6 0000000000000000 f17/fa7 0000000000000000 f18/fs2 0000000000000000 f19/fs3 0000000000000000 f20/fs4 0000000000000000 f21/fs5 0000000000000000 f22/fs6 0000000000000000 f23/fs7 0000000000000000 f24/fs8 0000000000000000 f25/fs9 0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000 f28/ft8 0000000000000000 f29/ft9 0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000 info registers vcpu 1 CPU#1 V = 0 pc ffffffff802c6e8e mhartid 0000000000000001 mstatus 0000000a000000a0 hstatus 0000000200000000 vsstatus 0000000a00000000 mip 0000000000000000 mie 000000000000022a mideleg 0000000000001666 hideleg 0000000000000444 medeleg 0000000000f0b509 hedeleg 000000000000b109 mtvec 00000000800004f0 stvec ffffffff86261034 vstvec 0000000000000000 mepc ffffffff8040d656 sepc 00000000000db768 vsepc 0000000000000000 mcause 8000000000000003 scause 0000000000000008 vscause 0000000000000000 mtval 0000000000000000 stval 0000000000000000 htval 0000000000000000 mtval2 0000000000000000 mscratch 0000000080048000 sscratch 0000000000000000 satp 90123000000994ca x0/zero 0000000000000000 x1/ra ffffffff8053ffa6 x2/sp ffff8f80074f73d0 x3/gp ffffffff89c21d80 x4/tp ffffaf8012b39a00 x5/t0 dd77315cb8a9b357 x6/t1 fffff5ef03b75f92 x7/t2 0000000000000472 x8/s0 ffff8f80074f7550 x9/s1 0000000000020000 x10/a0 0000000000000005 x11/a1 0000000000000000 x12/a2 0000000000000000 x13/a3 ffffffff80bb9d68 x14/a4 1ffff5f002567461 x15/a5 ffffaf8012b3aa00 x16/a6 0000000000000003 x17/a7 ffffaf801bbba943 x18/s2 0000000000000013 x19/s3 ffffffff80b82a7c x20/s4 ffff8f80074f7730 x21/s5 0000000000000001 x22/s6 ffff8f80074f7740 x23/s7 0000000000000000 x24/s8 0000000000000100 x25/s9 0000000000000000 x26/s10 0000000000000000 x27/s11 ffff8f80074f7a40 x28/t3 ffffaf8012b3a4f0 x29/t4 fffff5ef03198d88 x30/t5 fffff5ef03198d89 x31/t6 0000000000000006 fcsr 0000000000000000 f0/ft0 0000000000000000 f1/ft1 0000000000000000 f2/ft2 0000000000000000 f3/ft3 0000000000000000 f4/ft4 0000000000000000 f5/ft5 0000000000000000 f6/ft6 0000000000000000 f7/ft7 0000000000000000 f8/fs0 0000000000000000 f9/fs1 0000000000000000 f10/fa0 0000000000000000 f11/fa1 0000000000000000 f12/fa2 0000000000000000 f13/fa3 0000000000000000 f14/fa4 0000000000000000 f15/fa5 0000000000000000 f16/fa6 0000000000000000 f17/fa7 0000000000000000 f18/fs2 0000000000000000 f19/fs3 0000000000000000 f20/fs4 0000000000000000 f21/fs5 0000000000000000 f22/fs6 0000000000000000 f23/fs7 0000000000000000 f24/fs8 0000000000000000 f25/fs9 0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000 f28/ft8 0000000000000000 f29/ft9 0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000