program: socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff}) r1 = fsmount(0xffffffffffffffff, 0x0, 0xfc) ioctl$vim2m_VIDIOC_CREATE_BUFS(r1, 0xc100565c, &(0x7f0000000040)={0xfffffff7, 0x0, 0x3, {0x1, @sliced={0x40, [0x800, 0xffa7, 0x3, 0x5, 0x8, 0x21b2, 0x5, 0x2, 0x3, 0xad, 0x2, 0x1, 0x7, 0x24, 0x2, 0x800, 0x4, 0xa, 0x8001, 0xc, 0x7545, 0x7, 0x401, 0x3, 0x8, 0x8, 0x6, 0x1, 0x4, 0xd, 0x5, 0x0, 0x81, 0x81, 0xfffa, 0x5336, 0x1000, 0x80, 0x7f, 0x800, 0x73d, 0x9, 0x8, 0x4, 0x7, 0x9, 0x9, 0xc43a], 0x1}}, 0x7fffffff}) setsockopt$inet_sctp_SCTP_FRAGMENT_INTERLEAVE(r1, 0x84, 0x12, &(0x7f0000000140), 0x4) ioctl$vim2m_VIDIOC_STREAMON(r1, 0x40045612, &(0x7f0000000180)) r2 = syz_usb_connect(0x2, 0x341, &(0x7f00000001c0)={{0x12, 0x1, 0x310, 0x2b, 0xbf, 0x9a, 0x40, 0x424, 0xcf30, 0x342e, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x32f, 0x2, 0x8, 0x5, 0x60, 0x0, [{{0x9, 0x4, 0x37, 0x0, 0xb, 0x18, 0x68, 0xe6, 0x5, [], [{{0x9, 0x5, 0x5, 0x8, 0x10, 0x3, 0x0, 0x6e, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0x814b}]}}, {{0x9, 0x5, 0xc, 0x0, 0x200, 0x0, 0x8b, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x4, 0xd78}]}}, {{0x9, 0x5, 0xd, 0x3, 0x3ff, 0xa3, 0x2, 0x40}}, {{0x9, 0x5, 0xb, 0x10, 0x20, 0x1, 0x0, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x4, 0x80}]}}, {{0x9, 0x5, 0x1, 0x0, 0x20, 0x0, 0xe, 0xf8, [@generic={0x2a, 0x21, "535d9d76243ee1115ba179dd8e78140e2eb0a4aad8835ddb945b5f3dbb9532e285920ffe01885b59"}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0xfc, 0x7ff}]}}, {{0x9, 0x5, 0x3, 0xc, 0x8, 0x3, 0x9}}, {{0x9, 0x5, 0x9, 0x10, 0x3ff, 0x8, 0x5, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x12, 0x3}]}}, {{0x9, 0x5, 0xd, 0x0, 0x20, 0x0, 0x14, 0x1e, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x7, 0x1}]}}, {{0x9, 0x5, 0x9, 0x17, 0x20, 0xc1, 0x7, 0x6, [@generic={0x84, 0x23, "a48cd9be7fd76691864beb7a24b6d7aad9ded92dcac635844851eb55da49fe0e2a86ab9754dba096a7b9ea7f39be06647a2dcc396b9e291cd4e4eac2d947603b39a619d59e5c5a09928cc1a1690d385935c6fb4758caed8d87055c8ab7485b4cf5d20e1bd3b8cbbcbc460ba276c892232333c1e8a5b2b7f9ed5c9825c5a9eee07af7"}, @uac_iso={0x7, 0x25, 0x1, 0x83, 0x7, 0x80}]}}, {{0x9, 0x5, 0x5, 0x3, 0x20, 0xb, 0xf9, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x22, 0x6edf}]}}, {{0x9, 0x5, 0xf, 0x10, 0x200, 0x6, 0x1, 0xe}}]}}, {{0x9, 0x4, 0x9a, 0x9, 0x7, 0xda, 0xf3, 0x52, 0x60, [], [{{0x9, 0x5, 0xd, 0x1c, 0x400, 0xf, 0x5, 0x9, [@generic={0x42, 0x21, "314525044badd51343d14fd6f5b413bfffa1f558e7a17553313a88208f3686332e844aa595ce327fb9b726ac278a03ac433d9c12ead529844b232a0169706695"}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x2, 0x8626}]}}, {{0x9, 0x5, 0x4, 0x8, 0x3ff, 0x3, 0x0, 0x7, [@generic={0xb6, 0x24, "4282d72b0ae72ac6295812a0e77745f738b70f906713e08386bff0eeeeb565409fa22401e62ae0a5b2ac041e26e5de3aba96d27e815e309d126e550be62a1e91f4c9d48ff9c86e9140587aab116cd72fd4a93a1eeb15bdcd8c9d3572c3d93403ada0f8afe21c69e93e2ff5f1aaaa572d9680ea9cca28527e403323cbb36eb137fa599de797fd8cea95d64a6aa5fd7e2ebebcbbcf2acd36d0e60e02090d2557d723f4fcc075423070f451704d8b2d4e12b112eeb2"}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x0, 0xe46}]}}, {{0x9, 0x5, 0x9, 0xc, 0x10, 0x7, 0x2, 0x8, [@generic={0x37, 0x22, "9f5403a045241f1aec87e53a37ff9d581760c30b0f2e3314b1533d40fb4d94e850f3cd3df2ea36c31b392e9ceb6f087ec4ac054830"}]}}, {{0x9, 0x5, 0x9, 0x0, 0x0, 0x0, 0xa8, 0x8b, [@generic={0x33, 0x7, "ce83e283f08dea9e56852344c19da71237f11b2133f84c860622199c05b3f4f583fa02d79bf87ae2f7fdecc4c2cc5a0e06"}]}}, {{0x9, 0x5, 0x80, 0x2, 0x8, 0x1, 0xa, 0x7}}, {{0x9, 0x5, 0xe, 0x8, 0x200, 0x62, 0xff, 0x5, [@generic={0x1c, 0x22, "8c56b77607ba75a757fc7cb77c417ad8514fa12869ac5fa0a381"}]}}, {{0x9, 0x5, 0x4, 0x8, 0x200, 0x0, 0x12, 0x2}}]}}]}}]}}, &(0x7f0000000780)={0xa, &(0x7f0000000540)={0xa, 0x6, 0x200, 0x7, 0x81, 0x7, 0xff}, 0x1b, &(0x7f0000000580)={0x5, 0xf, 0x1b, 0x2, [@wireless={0xb, 0x10, 0x1, 0x2, 0x2, 0x4, 0x1, 0x474, 0xfb}, @wireless={0xb, 0x10, 0x1, 0x8, 0x0, 0x2, 0x1, 0x9, 0x8}]}, 0x5, [{0x4, &(0x7f00000005c0)=@lang_id={0x4, 0x3, 0x4c0a}}, {0x87, &(0x7f0000000600)=@string={0x87, 0x3, "685935229d26d981225a87aaaaf0e3e8b23948c194c927f2b072916f787802b75a9338d85a62159ec78a1a8adb4e036ca0f3b6f63f925c363ed0692a8c26b8e46e12449ffb3d428cb2f01fbf25b5289989b3be7b0c4053412f0df4e78a1f476aebf2b2d3aaed89bf663949357acb3d9e809d8b4ee3ff2bc032ec0f41a53c117f569b8985f3"}}, {0x4, &(0x7f00000006c0)=@lang_id={0x4, 0x3, 0x416}}, {0x4, &(0x7f0000000700)=@lang_id={0x4, 0x3, 0x41c}}, {0x4, &(0x7f0000000740)=@lang_id={0x4, 0x3, 0x100c}}]}) r3 = syz_open_dev$vcsu(&(0x7f0000000800), 0x680, 0x480000) r4 = bpf$ITER_CREATE(0x21, &(0x7f0000000840)={r3}, 0x8) write$P9_RLCREATE(r4, &(0x7f0000000880)={0x18, 0xf, 0x2, {{0x4, 0x2, 0x3}, 0x6c}}, 0x18) getsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, &(0x7f00000008c0), 0x10) pselect6(0x40, &(0x7f0000000900)={0xcbb, 0xfffffffffffffff7, 0x1, 0x5, 0x6, 0x4, 0x7, 0x200}, &(0x7f0000000940)={0x0, 0x3, 0x9, 0x88c, 0x12e, 0x1, 0x8000000000000001}, &(0x7f0000000980)={0x2, 0x86c4, 0x7fff, 0x3, 0xffffffffffffffff, 0x7, 0x3, 0x1}, &(0x7f00000009c0), &(0x7f0000000a40)={&(0x7f0000000a00)={[0x84]}, 0x8}) r5 = syz_open_dev$sndctrl(&(0x7f0000000a80), 0x6, 0x4) ioctl$SECCOMP_IOCTL_NOTIF_RECV(r3, 0xc0502100, &(0x7f0000000ac0)={0x0, 0x0}) ioctl$SNDRV_CTL_IOCTL_ELEM_INFO(r5, 0xc1105511, &(0x7f0000000b80)={{0x6, 0x1, 0xfffffaf9, 0x3, 'syz0\x00', 0x1ef}, 0x0, 0x10000000, 0x81, r6, 0x5, 0x3, 'syz0\x00', &(0x7f0000000b40)=['\x00', '/dev/vcsu#\x00', '.\x00', '\\#\x00', '/dev/vcsu#\x00'], 0x1c}) r7 = syz_init_net_socket$802154_raw(0x24, 0x3, 0x0) ioctl$sock_SIOCSIFBR(r7, 0x8941, &(0x7f0000000d00)=@add_del={0x2, &(0x7f0000000cc0)='dummy0\x00'}) syz_usb_disconnect(r2) socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet_sctp6_SCTP_ADAPTATION_LAYER(r3, 0x84, 0x7, &(0x7f0000000d40)={0x773d82f8}, 0x4) ioctl$SNDCTL_DSP_SETTRIGGER(r4, 0x40045010, &(0x7f0000000d80)=0x9) bpf$LINK_DETACH(0x22, &(0x7f0000000dc0)=r4, 0x4) getsockopt$inet_IP_XFRM_POLICY(r1, 0x0, 0x11, &(0x7f0000000e00)={{{@in=@local, @in6=@private2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@broadcast}, 0x0, @in6=@remote}}, &(0x7f0000000f00)=0xe8) accept(r3, &(0x7f0000000f40)=@alg, &(0x7f0000000fc0)=0x80) ioctl$AUTOFS_DEV_IOCTL_REQUESTER(0xffffffffffffffff, 0xc018937b, &(0x7f0000001180)={{0x1, 0x1, 0x18, r1, {r8, 0xffffffffffffffff}}, './file0\x00'}) bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f0000001240)=@bpf_tracing={0x1a, 0x12, &(0x7f0000001000)=@ringbuf={{0x18, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0xffffff84}, {{0x18, 0x1, 0x1, 0x0, r1}}, {}, [@jmp={0x5, 0x1, 0x2, 0x9, 0x2, 0xffffffffffffffe0, 0xc}, @initr0={0x18, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8}], {{}, {0x7, 0x0, 0xb, 0x2, 0x0, 0x0, 0x2}, {0x85, 0x0, 0x0, 0x85}}}, &(0x7f00000010c0)='GPL\x00', 0x8, 0x0, 0x0, 0x41000, 0x8, '\x00', 0x0, 0x1a, r3, 0x8, &(0x7f0000001100)={0x0, 0x3}, 0x8, 0x10, &(0x7f0000001140)={0x2, 0xb, 0x3}, 0x10, 0x26dd, r9, 0x4, &(0x7f00000011c0)=[r3, r3], &(0x7f0000001200)=[{0x4, 0x3, 0x3, 0x1}, {0x0, 0x1, 0x1, 0x5}, {0x0, 0x4, 0x5, 0xb}, {0x5, 0x2, 0xe, 0xc}], 0x10, 0x3, @void, @value}, 0x94) ioctl$SCSI_IOCTL_PROBE_HOST(r3, 0x5385, &(0x7f0000001300)={0x1000, ""/4096}) ioctl$EVIOCRMFF(r1, 0x40044581, &(0x7f0000002340)=0x4) getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r1, 0x84, 0x70, &(0x7f0000002380)={0x0, @in6={{0xa, 0x4e24, 0x8, @private1={0xfc, 0x1, '\x00', 0x1}, 0x4}}, [0x6, 0x8000000000000000, 0x3, 0x0, 0x1, 0x100, 0xfffffffffffffe00, 0xd3, 0x9, 0xffffffffffff8001, 0x6, 0x9, 0xf8f5, 0x5, 0x10001]}, &(0x7f0000002480)=0x100) getsockopt$inet_sctp6_SCTP_RECONFIG_SUPPORTED(r4, 0x84, 0x75, &(0x7f00000024c0)={r10}, &(0x7f0000002500)=0x8) ioctl$VIDIOC_G_EXT_CTRLS(r1, 0xc0205647, &(0x7f00000025c0)={0xfffffff, 0x20000000, 0xb, r1, 0x0, &(0x7f0000002580)={0x9e0902, 0x9, '\x00', @p_u32=&(0x7f0000002540)=0x3f}}) [ 77.467729][ T4661] Bluetooth: hci0: command tx timeout [ 77.471791][ T1309] ieee802154 phy0 wpan0: encryption failed: -22 [ 77.474341][ T1309] ieee802154 phy1 wpan1: encryption failed: -22 [ 77.828584][ T789] usb 5-1: new full-speed USB device number 2 using dummy_hcd [ 77.983014][ T789] usb 5-1: not running at top speed; connect to a high speed hub [ 77.986595][ T789] usb 5-1: config 8 has an invalid interface number: 55 but max is 1 [ 78.000126][ T789] usb 5-1: config 8 has an invalid interface number: 154 but max is 1 [ 78.002932][ T789] usb 5-1: config 8 has no interface number 0 [ 78.005044][ T789] usb 5-1: config 8 has no interface number 1 [ 78.007204][ T789] usb 5-1: config 8 interface 55 altsetting 0 endpoint 0xC has invalid maxpacket 512, setting to 64 [ 78.013127][ T789] usb 5-1: config 8 interface 55 altsetting 0 endpoint 0xD has invalid maxpacket 1023, setting to 64 [ 78.017119][ T789] usb 5-1: config 8 interface 55 altsetting 0 endpoint 0x9 has invalid maxpacket 1023, setting to 64 [ 78.022470][ T789] usb 5-1: config 8 interface 55 altsetting 0 has a duplicate endpoint with address 0xD, skipping [ 78.027052][ T789] usb 5-1: config 8 interface 55 altsetting 0 has a duplicate endpoint with address 0x9, skipping [ 78.032617][ T789] usb 5-1: config 8 interface 55 altsetting 0 has a duplicate endpoint with address 0x5, skipping [ 78.039517][ T789] usb 5-1: config 8 interface 55 altsetting 0 endpoint 0xF has invalid maxpacket 512, setting to 64 [ 78.043689][ T789] usb 5-1: config 8 interface 154 altsetting 9 has a duplicate endpoint with address 0xD, skipping [ 78.047361][ T789] usb 5-1: config 8 interface 154 altsetting 9 endpoint 0x4 has invalid maxpacket 1023, setting to 64 [ 78.051578][ T789] usb 5-1: config 8 interface 154 altsetting 9 has a duplicate endpoint with address 0x9, skipping [ 78.055471][ T789] usb 5-1: config 8 interface 154 altsetting 9 has a duplicate endpoint with address 0x9, skipping [ 78.060337][ T789] usb 5-1: config 8 interface 154 altsetting 9 has an invalid descriptor for endpoint zero, skipping [ 78.064525][ T789] usb 5-1: config 8 interface 154 altsetting 9 endpoint 0xE has invalid maxpacket 512, setting to 64 [ 78.069170][ T789] usb 5-1: config 8 interface 154 altsetting 9 has a duplicate endpoint with address 0x4, skipping [ 78.073221][ T789] usb 5-1: config 8 interface 154 has no altsetting 0 [ 78.080102][ T789] usb 5-1: New USB device found, idVendor=0424, idProduct=cf30, bcdDevice=34.2e [ 78.083507][ T789] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 78.086614][ T789] usb 5-1: Product: Ж [ 78.088231][ T789] usb 5-1: Manufacturer: 奨∵⚝臙娢ꪇ㦲셈즔犰澑硸뜂鍚扚鸕談訚仛氃鈿㙜퀾⩩⚌ቮ齄㷻豂뼟딥館뎉箾䀌䅓യᾊ橇펲뾉㥦㕉쭺鸽鶀事 ̄쀫䄏㲥缑魖薉 [ 78.097490][ T789] usb 5-1: SerialNumber: М [ 78.116670][ T5314] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22 [ 78.376392][ T789] usb 5-1: USB disconnect, device number 2 [ 78.405568][ T789] ================================================================== [ 78.408630][ T789] BUG: KASAN: slab-use-after-free in hdm_disconnect+0x10d/0x1c0 [ 78.411634][ T789] Read of size 8 at addr ffff88804338d898 by task kworker/0:2/789 [ 78.414509][ T789] [ 78.415534][ T789] CPU: 0 UID: 0 PID: 789 Comm: kworker/0:2 Not tainted 6.13.0-rc3-syzkaller-00073-geabcdba3ad40 #0 [ 78.419592][ T789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 78.423715][ T789] Workqueue: usb_hub_wq hub_event [ 78.425682][ T789] Call Trace: [ 78.426948][ T789] [ 78.428052][ T789] dump_stack_lvl+0x241/0x360 [ 78.429827][ T789] ? __pfx_dump_stack_lvl+0x10/0x10 [ 78.431828][ T789] ? __pfx__printk+0x10/0x10 [ 78.433593][ T789] ? _printk+0xd5/0x120 [ 78.435194][ T789] ? __virt_addr_valid+0x183/0x530 [ 78.437277][ T789] ? __virt_addr_valid+0x183/0x530 [ 78.439234][ T789] print_report+0x169/0x550 [ 78.440985][ T789] ? __virt_addr_valid+0x183/0x530 [ 78.442873][ T789] ? __virt_addr_valid+0x183/0x530 [ 78.444832][ T789] ? __virt_addr_valid+0x45f/0x530 [ 78.446744][ T789] ? __phys_addr+0xba/0x170 [ 78.448452][ T789] ? hdm_disconnect+0x10d/0x1c0 [ 78.450267][ T789] kasan_report+0x143/0x180 [ 78.451953][ T789] ? kobject_put+0x272/0x480 [ 78.453713][ T789] ? hdm_disconnect+0x10d/0x1c0 [ 78.455560][ T789] hdm_disconnect+0x10d/0x1c0 [ 78.457406][ T789] usb_unbind_interface+0x25b/0x940 [ 78.459409][ T789] ? kernfs_remove_by_name_ns+0x11b/0x160 [ 78.461756][ T789] ? __pfx_usb_unbind_interface+0x10/0x10 [ 78.464061][ T789] device_release_driver_internal+0x503/0x7c0 [ 78.466553][ T789] bus_remove_device+0x34f/0x420 [ 78.468688][ T789] device_del+0x57a/0x9b0 [ 78.470578][ T789] ? kobject_put+0x272/0x480 [ 78.472360][ T789] ? __pfx_device_del+0x10/0x10 [ 78.474177][ T789] ? kobject_put+0x44d/0x480 [ 78.475889][ T789] usb_disable_device+0x3bf/0x850 [ 78.477746][ T789] usb_disconnect+0x340/0x950 [ 78.479660][ T789] hub_event+0x1ebc/0x5150 [ 78.481387][ T789] ? debug_object_deactivate+0x2d5/0x390 [ 78.483469][ T789] ? do_raw_spin_unlock+0x58/0x8b0 [ 78.485366][ T789] ? __pfx_hub_event+0x10/0x10 [ 78.487303][ T789] ? __pfx_lock_acquire+0x10/0x10 [ 78.489491][ T789] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 78.491964][ T789] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 78.494564][ T789] ? process_scheduled_works+0x976/0x1840 [ 78.496694][ T789] process_scheduled_works+0xa66/0x1840 [ 78.498771][ T789] ? __pfx_process_scheduled_works+0x10/0x10 [ 78.500997][ T789] ? assign_work+0x364/0x3d0 [ 78.502776][ T789] worker_thread+0x870/0xd30 [ 78.504482][ T789] ? __kthread_parkme+0x169/0x1d0 [ 78.506395][ T789] ? __pfx_worker_thread+0x10/0x10 [ 78.508364][ T789] kthread+0x2f0/0x390 [ 78.509937][ T789] ? __pfx_worker_thread+0x10/0x10 [ 78.512623][ T789] ? __pfx_kthread+0x10/0x10 [ 78.514457][ T789] ret_from_fork+0x4b/0x80 [ 78.516216][ T789] ? __pfx_kthread+0x10/0x10 [ 78.518007][ T789] ret_from_fork_asm+0x1a/0x30 [ 78.519906][ T789] [ 78.521095][ T789] [ 78.522018][ T789] Allocated by task 789: [ 78.523643][ T789] kasan_save_track+0x3f/0x80 [ 78.525413][ T789] __kasan_kmalloc+0x98/0xb0 [ 78.527223][ T789] __kmalloc_cache_noprof+0x243/0x390 [ 78.529277][ T789] hdm_probe+0x98/0x13e0 [ 78.530973][ T789] usb_probe_interface+0x641/0xbb0 [ 78.533008][ T789] really_probe+0x2b8/0xad0 [ 78.534773][ T789] __driver_probe_device+0x1a2/0x390 [ 78.536843][ T789] driver_probe_device+0x50/0x430 [ 78.538581][ T789] __device_attach_driver+0x2d6/0x530 [ 78.540482][ T789] bus_for_each_drv+0x24e/0x2e0 [ 78.542226][ T789] __device_attach+0x333/0x520 [ 78.543917][ T789] bus_probe_device+0x189/0x260 [ 78.545622][ T789] device_add+0x856/0xbf0 [ 78.547110][ T789] usb_set_configuration+0x1976/0x1fb0 [ 78.548986][ T789] usb_generic_driver_probe+0x88/0x140 [ 78.550857][ T789] usb_probe_device+0x1b8/0x380 [ 78.552717][ T789] really_probe+0x2b8/0xad0 [ 78.554360][ T789] __driver_probe_device+0x1a2/0x390 [ 78.556299][ T789] driver_probe_device+0x50/0x430 [ 78.558140][ T789] __device_attach_driver+0x2d6/0x530 [ 78.560229][ T789] bus_for_each_drv+0x24e/0x2e0 [ 78.562110][ T789] __device_attach+0x333/0x520 [ 78.563950][ T789] bus_probe_device+0x189/0x260 [ 78.565816][ T789] device_add+0x856/0xbf0 [ 78.567483][ T789] usb_new_device+0x104a/0x19a0 [ 78.569419][ T789] hub_event+0x2d6d/0x5150 [ 78.571152][ T789] process_scheduled_works+0xa66/0x1840 [ 78.573315][ T789] worker_thread+0x870/0xd30 [ 78.575094][ T789] kthread+0x2f0/0x390 [ 78.576628][ T789] ret_from_fork+0x4b/0x80 [ 78.578294][ T789] ret_from_fork_asm+0x1a/0x30 [ 78.580187][ T789] [ 78.581072][ T789] Freed by task 789: [ 78.582840][ T789] kasan_save_track+0x3f/0x80 [ 78.585055][ T789] kasan_save_free_info+0x40/0x50 [ 78.587154][ T789] __kasan_slab_free+0x59/0x70 [ 78.589015][ T789] kfree+0x196/0x430 [ 78.590549][ T789] device_release+0x99/0x1c0 [ 78.592336][ T789] kobject_put+0x22f/0x480 [ 78.593996][ T789] hdm_disconnect+0xf3/0x1c0 [ 78.595768][ T789] usb_unbind_interface+0x25b/0x940 [ 78.597588][ T789] device_release_driver_internal+0x503/0x7c0 [ 78.599728][ T789] bus_remove_device+0x34f/0x420 [ 78.601512][ T789] device_del+0x57a/0x9b0 [ 78.603074][ T789] usb_disable_device+0x3bf/0x850 [ 78.604900][ T789] usb_disconnect+0x340/0x950 [ 78.606647][ T789] hub_event+0x1ebc/0x5150 [ 78.608210][ T789] process_scheduled_works+0xa66/0x1840 [ 78.610191][ T789] worker_thread+0x870/0xd30 [ 78.611904][ T789] kthread+0x2f0/0x390 [ 78.613459][ T789] ret_from_fork+0x4b/0x80 [ 78.615234][ T789] ret_from_fork_asm+0x1a/0x30 [ 78.616971][ T789] [ 78.617823][ T789] The buggy address belongs to the object at ffff88804338c000 [ 78.617823][ T789] which belongs to the cache kmalloc-8k of size 8192 [ 78.622510][ T789] The buggy address is located 6296 bytes inside of [ 78.622510][ T789] freed 8192-byte region [ffff88804338c000, ffff88804338e000) [ 78.627275][ T789] [ 78.628230][ T789] The buggy address belongs to the physical page: [ 78.630625][ T789] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43388 [ 78.633972][ T789] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 78.637281][ T789] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 78.640268][ T789] page_type: f5(slab) [ 78.641829][ T789] raw: 04fff00000000040 ffff88801ac42280 ffffea0000fcca00 dead000000000002 [ 78.644994][ T789] raw: 0000000000000000 0000000000020002 00000001f5000000 0000000000000000 [ 78.648223][ T789] head: 04fff00000000040 ffff88801ac42280 ffffea0000fcca00 dead000000000002 [ 78.651551][ T789] head: 0000000000000000 0000000000020002 00000001f5000000 0000000000000000 [ 78.654822][ T789] head: 04fff00000000003 ffffea00010ce201 ffffffffffffffff 0000000000000000 [ 78.658077][ T789] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 78.661482][ T789] page dumped because: kasan: bad access detected [ 78.663929][ T789] page_owner tracks the page as allocated [ 78.666109][ T789] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5017, tgid 5017 (dhcpcd), ts 42537813475, free_ts 42434398093 [ 78.673785][ T789] post_alloc_hook+0x1f3/0x230 [ 78.675535][ T789] get_page_from_freelist+0x365c/0x37a0 [ 78.677658][ T789] __alloc_pages_noprof+0x292/0x710 [ 78.679629][ T789] alloc_pages_mpol_noprof+0x3e8/0x680 [ 78.681731][ T789] alloc_slab_page+0x6a/0x110 [ 78.683454][ T789] allocate_slab+0x5a/0x2b0 [ 78.685211][ T789] ___slab_alloc+0xc27/0x14a0 [ 78.686981][ T789] __slab_alloc+0x58/0xa0 [ 78.688637][ T789] __kmalloc_node_track_caller_noprof+0x2e9/0x4c0 [ 78.691143][ T789] kmalloc_reserve+0x111/0x2a0 [ 78.693020][ T789] __alloc_skb+0x1f3/0x440 [ 78.694763][ T789] netlink_dump+0x1ee/0xe10 [ 78.696537][ T789] netlink_recvmsg+0x6bb/0x11d0 [ 78.698467][ T789] sock_recvmsg+0x22f/0x280 [ 78.700291][ T789] ____sys_recvmsg+0x1c6/0x480 [ 78.702085][ T789] __sys_recvmsg+0x291/0x390 [ 78.703821][ T789] page last free pid 5098 tgid 5098 stack trace: [ 78.706186][ T789] free_unref_page+0xd3f/0x1010 [ 78.708034][ T789] __slab_free+0x2c2/0x380 [ 78.709741][ T789] qlist_free_all+0x9a/0x140 [ 78.711443][ T789] kasan_quarantine_reduce+0x14f/0x170 [ 78.713441][ T789] __kasan_slab_alloc+0x23/0x80 [ 78.715190][ T789] kmem_cache_alloc_noprof+0x1d9/0x380 [ 78.717226][ T789] getname_flags+0xb7/0x540 [ 78.718962][ T789] vfs_fstatat+0x3f/0x130 [ 78.720683][ T789] __x64_sys_newfstatat+0x11d/0x1a0 [ 78.722540][ T789] do_syscall_64+0xf3/0x230 [ 78.724230][ T789] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 78.726424][ T789] [ 78.727311][ T789] Memory state around the buggy address: [ 78.729339][ T789] ffff88804338d780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 78.732277][ T789] ffff88804338d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 78.735313][ T789] >ffff88804338d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 78.738479][ T789] ^ [ 78.740309][ T789] ffff88804338d900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 78.743172][ T789] ffff88804338d980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 78.746224][ T789] ================================================================== [ 78.783321][ T789] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 78.788662][ T789] CPU: 0 UID: 0 PID: 789 Comm: kworker/0:2 Not tainted 6.13.0-rc3-syzkaller-00073-geabcdba3ad40 #0 [ 78.792765][ T789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 78.796789][ T789] Workqueue: usb_hub_wq hub_event [ 78.798737][ T789] Call Trace: [ 78.800026][ T789] [ 78.801152][ T789] dump_stack_lvl+0x241/0x360 [ 78.802967][ T789] ? __pfx_dump_stack_lvl+0x10/0x10 [ 78.805064][ T789] ? __pfx__printk+0x10/0x10 [ 78.806834][ T789] ? preempt_schedule+0xe1/0xf0 [ 78.808741][ T789] ? vscnprintf+0x5d/0x90 [ 78.810470][ T789] panic+0x349/0x880 [ 78.812050][ T789] ? check_panic_on_warn+0x21/0xb0 [ 78.814055][ T789] ? __pfx_panic+0x10/0x10 [ 78.815756][ T789] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 78.818002][ T789] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 78.820488][ T789] ? print_report+0x502/0x550 [ 78.822331][ T789] check_panic_on_warn+0x86/0xb0 [ 78.824116][ T789] ? hdm_disconnect+0x10d/0x1c0 [ 78.825839][ T789] end_report+0x77/0x160 [ 78.827385][ T789] kasan_report+0x154/0x180 [ 78.829014][ T789] ? kobject_put+0x272/0x480 [ 78.830701][ T789] ? hdm_disconnect+0x10d/0x1c0 [ 78.832452][ T789] hdm_disconnect+0x10d/0x1c0 [ 78.834144][ T789] usb_unbind_interface+0x25b/0x940 [ 78.836024][ T789] ? kernfs_remove_by_name_ns+0x11b/0x160 [ 78.838114][ T789] ? __pfx_usb_unbind_interface+0x10/0x10 [ 78.840457][ T789] device_release_driver_internal+0x503/0x7c0 [ 78.842867][ T789] bus_remove_device+0x34f/0x420 [ 78.844844][ T789] device_del+0x57a/0x9b0 [ 78.846733][ T789] ? kobject_put+0x272/0x480 [ 78.848491][ T789] ? __pfx_device_del+0x10/0x10 [ 78.850354][ T789] ? kobject_put+0x44d/0x480 [ 78.852180][ T789] usb_disable_device+0x3bf/0x850 [ 78.854193][ T789] usb_disconnect+0x340/0x950 [ 78.856058][ T789] hub_event+0x1ebc/0x5150 [ 78.857843][ T789] ? debug_object_deactivate+0x2d5/0x390 [ 78.860233][ T789] ? do_raw_spin_unlock+0x58/0x8b0 [ 78.862169][ T789] ? __pfx_hub_event+0x10/0x10 [ 78.864032][ T789] ? __pfx_lock_acquire+0x10/0x10 [ 78.865955][ T789] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 78.868296][ T789] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 78.870742][ T789] ? process_scheduled_works+0x976/0x1840 [ 78.872876][ T789] process_scheduled_works+0xa66/0x1840 [ 78.874985][ T789] ? __pfx_process_scheduled_works+0x10/0x10 [ 78.877315][ T789] ? assign_work+0x364/0x3d0 [ 78.879105][ T789] worker_thread+0x870/0xd30 [ 78.880935][ T789] ? __kthread_parkme+0x169/0x1d0 [ 78.882852][ T789] ? __pfx_worker_thread+0x10/0x10 [ 78.884845][ T789] kthread+0x2f0/0x390 [ 78.886416][ T789] ? __pfx_worker_thread+0x10/0x10 [ 78.888435][ T789] ? __pfx_kthread+0x10/0x10 [ 78.890370][ T789] ret_from_fork+0x4b/0x80 [ 78.892183][ T789] ? __pfx_kthread+0x10/0x10 [ 78.893983][ T789] ret_from_fork_asm+0x1a/0x30 [ 78.895858][ T789] [ 78.897372][ T789] Kernel Offset: disabled [ 78.899049][ T789] Rebooting in 86400 seconds..