Warning: Permanently added '10.128.0.2' (ED25519) to the list of known hosts.
executing program
[ 46.410676][ T13] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 46.650699][ T13] usb 1-1: Using ep0 maxpacket: 32
[ 46.770815][ T13] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 46.772982][ T13] usb 1-1: config 0 has no interface number 0
[ 46.930871][ T13] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 46.933118][ T13] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 46.935073][ T13] usb 1-1: Product: syz
[ 46.936152][ T13] usb 1-1: Manufacturer: syz
[ 46.937269][ T13] usb 1-1: SerialNumber: syz
[ 46.941204][ T13] usb 1-1: config 0 descriptor??
[ 47.183529][ T13] usb 1-1: USB disconnect, device number 2
[ 47.187707][ T13] ==================================================================
[ 47.189836][ T13] BUG: KASAN: use-after-free in hdm_disconnect+0xf8/0x190
[ 47.191653][ T13] Read of size 8 at addr ffff0000ca009978 by task kworker/0:1/13
[ 47.193693][ T13]
[ 47.194274][ T13] CPU: 0 PID: 13 Comm: kworker/0:1 Not tainted 5.15.165-syzkaller #0
[ 47.196326][ T13] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 47.198970][ T13] Workqueue: usb_hub_wq hub_event
[ 47.200384][ T13] Call trace:
[ 47.201202][ T13] dump_backtrace+0x0/0x530
[ 47.202367][ T13] show_stack+0x2c/0x3c
[ 47.203499][ T13] dump_stack_lvl+0x108/0x170
[ 47.204677][ T13] print_address_description+0x7c/0x3f0
[ 47.206081][ T13] kasan_report+0x174/0x1e4
[ 47.207236][ T13] __asan_report_load8_noabort+0x44/0x50
[ 47.208768][ T13] hdm_disconnect+0xf8/0x190
[ 47.210026][ T13] usb_unbind_interface+0x1a4/0x758
[ 47.211330][ T13] device_release_driver_internal+0x464/0x6ac
[ 47.212891][ T13] device_release_driver+0x28/0x38
[ 47.214273][ T13] bus_remove_device+0x298/0x38c
[ 47.215552][ T13] device_del+0x57c/0x9b4
[ 47.216685][ T13] usb_disable_device+0x354/0x760
[ 47.218043][ T13] usb_disconnect+0x290/0x7e8
[ 47.219264][ T13] hub_event+0x1718/0x46b8
[ 47.220413][ T13] process_one_work+0x790/0x11b8
[ 47.221694][ T13] worker_thread+0x910/0x1034
[ 47.222887][ T13] kthread+0x37c/0x45c
[ 47.223931][ T13] ret_from_fork+0x10/0x20
[ 47.225081][ T13]
[ 47.225672][ T13] Allocated by task 13:
[ 47.226725][ T13] ____kasan_kmalloc+0xbc/0xfc
[ 47.228019][ T13] __kasan_kmalloc+0x10/0x1c
[ 47.229229][ T13] kmem_cache_alloc_trace+0x27c/0x47c
[ 47.230641][ T13] hdm_probe+0xa4/0x1044
[ 47.231804][ T13] usb_probe_interface+0x500/0x984
[ 47.233188][ T13] really_probe+0x26c/0xaec
[ 47.234407][ T13] __driver_probe_device+0x194/0x3b4
[ 47.235823][ T13] driver_probe_device+0x78/0x34c
[ 47.237065][ T13] __device_attach_driver+0x28c/0x4d8
[ 47.238480][ T13] bus_for_each_drv+0x158/0x1e0
[ 47.239855][ T13] __device_attach+0x2f0/0x480
[ 47.241116][ T13] device_initial_probe+0x24/0x34
[ 47.242425][ T13] bus_probe_device+0xbc/0x1c8
[ 47.243711][ T13] device_add+0xae0/0xef4
[ 47.244912][ T13] usb_set_configuration+0x15e0/0x1b60
[ 47.246480][ T13] usb_generic_driver_probe+0x8c/0x148
[ 47.247974][ T13] usb_probe_device+0x120/0x25c
[ 47.249269][ T13] really_probe+0x26c/0xaec
[ 47.250473][ T13] __driver_probe_device+0x194/0x3b4
[ 47.251947][ T13] driver_probe_device+0x78/0x34c
[ 47.253286][ T13] __device_attach_driver+0x28c/0x4d8
[ 47.254727][ T13] bus_for_each_drv+0x158/0x1e0
[ 47.256024][ T13] __device_attach+0x2f0/0x480
[ 47.257261][ T13] device_initial_probe+0x24/0x34
[ 47.258624][ T13] bus_probe_device+0xbc/0x1c8
[ 47.259876][ T13] device_add+0xae0/0xef4
[ 47.261019][ T13] usb_new_device+0x900/0x145c
[ 47.262310][ T13] hub_event+0x236c/0x46b8
[ 47.263487][ T13] process_one_work+0x790/0x11b8
[ 47.264880][ T13] worker_thread+0x910/0x1034
[ 47.266081][ T13] kthread+0x37c/0x45c
[ 47.267116][ T13] ret_from_fork+0x10/0x20
[ 47.268290][ T13]
[ 47.268905][ T13] Freed by task 13:
[ 47.269866][ T13] kasan_set_track+0x4c/0x84
[ 47.271140][ T13] kasan_set_free_info+0x28/0x4c
[ 47.272505][ T13] ____kasan_slab_free+0x118/0x164
[ 47.273908][ T13] __kasan_slab_free+0x18/0x28
[ 47.275184][ T13] slab_free_freelist_hook+0x128/0x1ec
[ 47.276577][ T13] kfree+0x178/0x410
[ 47.277649][ T13] release_mdev+0x20/0x30
[ 47.278774][ T13] device_release+0x8c/0x1ac
[ 47.279995][ T13] kobject_put+0x2c4/0x438
[ 47.281228][ T13] device_unregister+0x3c/0xcc
[ 47.282532][ T13] most_deregister_interface+0x3e0/0x42c
[ 47.284028][ T13] hdm_disconnect+0xe0/0x190
[ 47.285280][ T13] usb_unbind_interface+0x1a4/0x758
[ 47.286681][ T13] device_release_driver_internal+0x464/0x6ac
[ 47.288355][ T13] device_release_driver+0x28/0x38
[ 47.289775][ T13] bus_remove_device+0x298/0x38c
[ 47.291093][ T13] device_del+0x57c/0x9b4
[ 47.292264][ T13] usb_disable_device+0x354/0x760
[ 47.293634][ T13] usb_disconnect+0x290/0x7e8
[ 47.294905][ T13] hub_event+0x1718/0x46b8
[ 47.296056][ T13] process_one_work+0x790/0x11b8
[ 47.297398][ T13] worker_thread+0x910/0x1034
[ 47.298714][ T13] kthread+0x37c/0x45c
[ 47.299810][ T13] ret_from_fork+0x10/0x20
[ 47.300979][ T13]
[ 47.301608][ T13] The buggy address belongs to the object at ffff0000ca008000
[ 47.301608][ T13] which belongs to the cache kmalloc-8k of size 8192
[ 47.305453][ T13] The buggy address is located 6520 bytes inside of
[ 47.305453][ T13] 8192-byte region [ffff0000ca008000, ffff0000ca00a000)
[ 47.309180][ T13] The buggy address belongs to the page:
[ 47.310703][ T13] page:00000000f2b809db refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10a008
[ 47.313569][ T13] head:00000000f2b809db order:3 compound_mapcount:0 compound_pincount:0
[ 47.315736][ T13] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 47.317894][ T13] raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002c00
[ 47.320294][ T13] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 47.322563][ T13] page dumped because: kasan: bad access detected
[ 47.324288][ T13]
[ 47.324949][ T13] Memory state around the buggy address:
[ 47.326447][ T13]  ffff0000ca009800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.328579][ T13]  ffff0000ca009880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.330671][ T13] >ffff0000ca009900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.332852][ T13]                                                                 ^
[ 47.335010][ T13]  ffff0000ca009980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.337158][ T13]  ffff0000ca009a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.339305][ T13] ==================================================================
[ 47.341447][ T13] Disabling lock debugging due to kernel taint
[ 47.343636][ T13] ------------[ cut here ]------------
executing program
[ 47.345086][ T13] refcount_t: underflow; use-after-free.
[ 47.348529][ T13] WARNING: CPU: 0 PID: 13 at lib/refcount.c:28 refcount_warn_saturate+0x1c8/0x20c
[ 47.350991][ T13] Modules linked in:
[ 47.352086][ T13] CPU: 0 PID: 13 Comm: kworker/0:1 Tainted: G B 5.15.165-syzkaller #0
[ 47.354688][ T13] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 47.357273][ T13] Workqueue: usb_hub_wq hub_event
[ 47.358593][ T13] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 47.360738][ T13] pc : refcount_warn_saturate+0x1c8/0x20c
[ 47.362249][ T13] lr : refcount_warn_saturate+0x1c8/0x20c
[ 47.363762][ T13] sp : ffff800018b572f0
[ 47.364827][ T13] x29: ffff800018b572f0 x28: ffff800016a10240 x27: ffff0000d2982000
[ 47.367062][ T13] x26: 1fffe0001a530807 x25: dfff800000000000 x24: ffff0000d2983030
[ 47.369118][ T13] x23: 1fffe000194010bb x22: ffff0000d298403c x21: 0000000000000003
[ 47.371235][ T13] x20: ffff0000d2984038 x19: ffff800016f0e000 x18: 1fffe000368f698e
[ 47.373420][ T13] x17: 1fffe000368f698e x16: ffff800011abb7f8 x15: ffff800014b5ef00
[ 47.375574][ T13] x14: ffff0001b47b4c80 x13: ffff0001b47b4c7c x12: 0000000000000001
[ 47.377694][ T13] x11: 0000000000000000 x10: 0000000000000000 x9 : 7f15107de47dc900
[ 47.379863][ T13] x8 : 7f15107de47dc900 x7 : 0000000000000000 x6 : ffff80000826ac0c
[ 47.382051][ T13] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff80000804605c
[ 47.384153][ T13] x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000026
[ 47.386267][ T13] Call trace:
[ 47.387068][ T13] refcount_warn_saturate+0x1c8/0x20c
[ 47.388437][ T13] kobject_put+0x1a8/0x438
[ 47.389594][ T13] put_device+0x28/0x40
[ 47.390739][ T13] hdm_disconnect+0x170/0x190
[ 47.391917][ T13] usb_unbind_interface+0x1a4/0x758
[ 47.393317][ T13] device_release_driver_internal+0x464/0x6ac
[ 47.394885][ T13] device_release_driver+0x28/0x38
[ 47.396221][ T13] bus_remove_device+0x298/0x38c
[ 47.397547][ T13] device_del+0x57c/0x9b4
[ 47.398697][ T13] usb_disable_device+0x354/0x760
[ 47.399995][ T13] usb_disconnect+0x290/0x7e8
[ 47.401262][ T13] hub_event+0x1718/0x46b8
[ 47.402465][ T13] process_one_work+0x790/0x11b8
[ 47.403812][ T13] worker_thread+0x910/0x1034
[ 47.405098][ T13] kthread+0x37c/0x45c
[ 47.406241][ T13] ret_from_fork+0x10/0x20
[ 47.407440][ T13] irq event stamp: 170046
[ 47.408596][ T13] hardirqs last enabled at (170045): [] kasan_quarantine_put+0xdc/0x204
[ 47.411341][ T13] hardirqs last disabled at (170046): [] _raw_spin_lock_irqsave+0xfc/0x14c
[ 47.414098][ T13] softirqs last enabled at (167842): [] handle_softirqs+0xb88/0xdbc
[ 47.416715][ T13] softirqs last disabled at (167831): [] __irq_exit_rcu+0x268/0x4d8
[ 47.419322][ T13] ---[ end trace 5260e5880dfdc692 ]---
[ 47.780704][ T13] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 48.020694][ T13] usb 1-1: Using ep0 maxpacket: 32
[ 48.140707][ T13] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 48.142760][ T13] usb 1-1: config 0 has no interface number 0
[ 48.300681][ T13] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 48.303009][ T13] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 48.305036][ T13] usb 1-1: Product: syz
[ 48.306079][ T13] usb 1-1: Manufacturer: syz
[ 48.307182][ T13] usb 1-1: SerialNumber: syz
[ 48.309877][ T13] usb 1-1: config 0 descriptor??
[ 48.552225][ T25] usb 1-1: USB disconnect, device number 3
executing program
[ 48.950650][ T25] usb 1-1: new high-speed USB device number 4 using dummy_hcd
[ 49.190634][ T25] usb 1-1: Using ep0 maxpacket: 32
[ 49.310717][ T25] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 49.312759][ T25] usb 1-1: config 0 has no interface number 0
[ 49.470744][ T25] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 49.473056][ T25] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 49.474979][ T25] usb 1-1: Product: syz
[ 49.475984][ T25] usb 1-1: Manufacturer: syz
[ 49.477109][ T25] usb 1-1: SerialNumber: syz
[ 49.480411][ T25] usb 1-1: config 0 descriptor??
[ 49.722037][ T13] usb 1-1: USB disconnect, device number 4
executing program
[ 50.120671][ T13] usb 1-1: new high-speed USB device number 5 using dummy_hcd
[ 50.360684][ T13] usb 1-1: Using ep0 maxpacket: 32
[ 50.480764][ T13] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 50.482916][ T13] usb 1-1: config 0 has no interface number 0
[ 50.640871][ T13] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 50.643267][ T13] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 50.645235][ T13] usb 1-1: Product: syz
[ 50.646307][ T13] usb 1-1: Manufacturer: syz
[ 50.647508][ T13] usb 1-1: SerialNumber: syz
[ 50.650701][ T13] usb 1-1: config 0 descriptor??
[ 50.892116][ T13] usb 1-1: USB disconnect, device number 5
executing program
[ 51.240708][ T13] usb 1-1: new high-speed USB device number 6 using dummy_hcd
[ 51.480671][ T13] usb 1-1: Using ep0 maxpacket: 32
[ 51.600791][ T13] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 51.602800][ T13] usb 1-1: config 0 has no interface number 0
[ 51.760740][ T13] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 51.763046][ T13] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 51.764983][ T13] usb 1-1: Product: syz
[ 51.765953][ T13] usb 1-1: Manufacturer: syz
[ 51.767080][ T13] usb 1-1: SerialNumber: syz
[ 51.771280][ T13] usb 1-1: config 0 descriptor??
[ 52.012114][ T25] usb 1-1: USB disconnect, device number 6
executing program
[ 52.360688][ T25] usb 1-1: new high-speed USB device number 7 using dummy_hcd
[ 52.600629][ T25] usb 1-1: Using ep0 maxpacket: 32
[ 52.720711][ T25] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 52.722733][ T25] usb 1-1: config 0 has no interface number 0
[ 52.880698][ T25] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 52.882993][ T25] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 52.884933][ T25] usb 1-1: Product: syz
[ 52.885961][ T25] usb 1-1: Manufacturer: syz
[ 52.887115][ T25] usb 1-1: SerialNumber: syz
[ 52.890549][ T25] usb 1-1: config 0 descriptor??
executing program
[ 53.132081][ T25] usb 1-1: USB disconnect, device number 7
[ 53.490688][ T25] usb 1-1: new high-speed USB device number 8 using dummy_hcd
[ 53.730657][ T25] usb 1-1: Using ep0 maxpacket: 32
[ 53.850682][ T25] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 53.852755][ T25] usb 1-1: config 0 has no interface number 0
[ 54.010790][ T25] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 54.013187][ T25] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 54.015035][ T25] usb 1-1: Product: syz
[ 54.016086][ T25] usb 1-1: Manufacturer: syz
[ 54.017198][ T25] usb 1-1: SerialNumber: syz
[ 54.021821][ T25] usb 1-1: config 0 descriptor??
[ 54.262044][ T25] usb 1-1: USB disconnect, device number 8
executing program
[ 54.660679][ T25] usb 1-1: new high-speed USB device number 9 using dummy_hcd
[ 54.900625][ T25] usb 1-1: Using ep0 maxpacket: 32
[ 55.020724][ T25] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 55.022772][ T25] usb 1-1: config 0 has no interface number 0
[ 55.180698][ T25] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 55.182933][ T25] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 55.184883][ T25] usb 1-1: Product: syz
[ 55.185891][ T25] usb 1-1: Manufacturer: syz
[ 55.186983][ T25] usb 1-1: SerialNumber: syz
[ 55.190000][ T25] usb 1-1: config 0 descriptor??
[ 55.432025][ T13] usb 1-1: USB disconnect, device number 9
executing program
[ 55.840670][ T13] usb 1-1: new high-speed USB device number 10 using dummy_hcd
[ 56.080657][ T13] usb 1-1: Using ep0 maxpacket: 32
[ 56.200695][ T13] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 56.202830][ T13] usb 1-1: config 0 has no interface number 0
[ 56.360818][ T13] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 56.363145][ T13] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 56.365140][ T13] usb 1-1: Product: syz
[ 56.366177][ T13] usb 1-1: Manufacturer: syz
[ 56.367333][ T13] usb 1-1: SerialNumber: syz
[ 56.370890][ T13] usb 1-1: config 0 descriptor??
executing program
[ 56.612106][ T13] usb 1-1: USB disconnect, device number 10
[ 56.970652][ T13] usb 1-1: new high-speed USB device number 11 using dummy_hcd