[ 19.635895][ T3693] 8021q: adding VLAN 0 to HW filter on device bond0
[ 19.645194][ T3693] eql: remember to turn off Van-Jacobson compression on your slave devices
[ 19.693484][ T153] gvnic 0000:00:00.0 enp0s0: Device link is up.
[ 19.706681][ T504] IPv6: ADDRCONF(NETDEV_CHANGE): enp0s0: link becomes ready
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.1.107' (ED25519) to the list of known hosts.
executing program
syzkaller login: [ 42.755695][ T1534] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 42.995724][ T1534] usb 1-1: Using ep0 maxpacket: 32
[ 43.115828][ T1534] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 43.118270][ T1534] usb 1-1: config 0 has no interface number 0
[ 43.275726][ T1534] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 43.278096][ T1534] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 43.280351][ T1534] usb 1-1: Product: syz
[ 43.281539][ T1534] usb 1-1: Manufacturer: syz
[ 43.282755][ T1534] usb 1-1: SerialNumber: syz
[ 43.287353][ T1534] usb 1-1: config 0 descriptor??
[ 43.539184][ T21] usb 1-1: USB disconnect, device number 2
executing program
[ 43.543522][ T21] ==================================================================
[ 43.545691][ T21] BUG: KASAN: use-after-free in hdm_disconnect+0xf8/0x190
[ 43.547657][ T21] Read of size 8 at addr ffff0000dced9978 by task kworker/1:0/21
[ 43.549702][ T21]
[ 43.550339][ T21] CPU: 1 PID: 21 Comm: kworker/1:0 Not tainted 5.15.165-syzkaller #0
[ 43.552584][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 43.555301][ T21] Workqueue: usb_hub_wq hub_event
[ 43.556673][ T21] Call trace:
[ 43.557569][ T21] dump_backtrace+0x0/0x530
[ 43.558864][ T21] show_stack+0x2c/0x3c
[ 43.559935][ T21] dump_stack_lvl+0x108/0x170
[ 43.561214][ T21] print_address_description+0x7c/0x3f0
[ 43.562748][ T21] kasan_report+0x174/0x1e4
[ 43.563931][ T21] __asan_report_load8_noabort+0x44/0x50
[ 43.565495][ T21] hdm_disconnect+0xf8/0x190
[ 43.566821][ T21] usb_unbind_interface+0x1a4/0x758
[ 43.568209][ T21] device_release_driver_internal+0x464/0x6ac
[ 43.569831][ T21] device_release_driver+0x28/0x38
[ 43.571219][ T21] bus_remove_device+0x298/0x38c
[ 43.572540][ T21] device_del+0x57c/0x9b4
[ 43.573697][ T21] usb_disable_device+0x354/0x760
[ 43.575051][ T21] usb_disconnect+0x290/0x7e8
[ 43.576354][ T21] hub_event+0x1718/0x46b8
[ 43.577612][ T21] process_one_work+0x790/0x11b8
[ 43.578898][ T21] worker_thread+0x910/0x1034
[ 43.580145][ T21] kthread+0x37c/0x45c
[ 43.581240][ T21] ret_from_fork+0x10/0x20
[ 43.582451][ T21]
[ 43.583069][ T21] Allocated by task 1534:
[ 43.584210][ T21] ____kasan_kmalloc+0xbc/0xfc
[ 43.585447][ T21] __kasan_kmalloc+0x10/0x1c
[ 43.586721][ T21] kmem_cache_alloc_trace+0x27c/0x47c
[ 43.588253][ T21] hdm_probe+0xa4/0x1044
[ 43.589353][ T21] usb_probe_interface+0x500/0x984
[ 43.590718][ T21] really_probe+0x26c/0xaec
[ 43.591965][ T21] __driver_probe_device+0x194/0x3b4
[ 43.593420][ T21] driver_probe_device+0x78/0x34c
[ 43.594808][ T21] __device_attach_driver+0x28c/0x4d8
[ 43.596287][ T21] bus_for_each_drv+0x158/0x1e0
[ 43.597623][ T21] __device_attach+0x2f0/0x480
[ 43.598969][ T21] device_initial_probe+0x24/0x34
[ 43.600297][ T21] bus_probe_device+0xbc/0x1c8
[ 43.601599][ T21] device_add+0xae0/0xef4
[ 43.602784][ T21] usb_set_configuration+0x15e0/0x1b60
[ 43.604259][ T21] usb_generic_driver_probe+0x8c/0x148
[ 43.605719][ T21] usb_probe_device+0x120/0x25c
[ 43.606988][ T21] really_probe+0x26c/0xaec
[ 43.608170][ T21] __driver_probe_device+0x194/0x3b4
[ 43.609621][ T21] driver_probe_device+0x78/0x34c
[ 43.610949][ T21] __device_attach_driver+0x28c/0x4d8
[ 43.612361][ T21] bus_for_each_drv+0x158/0x1e0
[ 43.613671][ T21] __device_attach+0x2f0/0x480
[ 43.615002][ T21] device_initial_probe+0x24/0x34
[ 43.616332][ T21] bus_probe_device+0xbc/0x1c8
[ 43.617674][ T21] device_add+0xae0/0xef4
[ 43.618837][ T21] usb_new_device+0x900/0x145c
[ 43.620108][ T21] hub_event+0x236c/0x46b8
[ 43.621323][ T21] process_one_work+0x790/0x11b8
[ 43.622692][ T21] worker_thread+0x910/0x1034
[ 43.623933][ T21] kthread+0x37c/0x45c
[ 43.625012][ T21] ret_from_fork+0x10/0x20
[ 43.626208][ T21]
[ 43.626865][ T21] Freed by task 21:
[ 43.627851][ T21] kasan_set_track+0x4c/0x84
[ 43.629051][ T21] kasan_set_free_info+0x28/0x4c
[ 43.630420][ T21] ____kasan_slab_free+0x118/0x164
[ 43.631815][ T21] __kasan_slab_free+0x18/0x28
[ 43.633109][ T21] slab_free_freelist_hook+0x128/0x1ec
[ 43.634564][ T21] kfree+0x178/0x410
[ 43.635613][ T21] release_mdev+0x20/0x30
[ 43.636816][ T21] device_release+0x8c/0x1ac
[ 43.638074][ T21] kobject_put+0x2c4/0x438
[ 43.639209][ T21] device_unregister+0x3c/0xcc
[ 43.640583][ T21] most_deregister_interface+0x3e0/0x42c
[ 43.642114][ T21] hdm_disconnect+0xe0/0x190
[ 43.643392][ T21] usb_unbind_interface+0x1a4/0x758
[ 43.644781][ T21] device_release_driver_internal+0x464/0x6ac
[ 43.646442][ T21] device_release_driver+0x28/0x38
[ 43.647887][ T21] bus_remove_device+0x298/0x38c
[ 43.649186][ T21] device_del+0x57c/0x9b4
[ 43.650360][ T21] usb_disable_device+0x354/0x760
[ 43.651778][ T21] usb_disconnect+0x290/0x7e8
[ 43.653046][ T21] hub_event+0x1718/0x46b8
[ 43.654282][ T21] process_one_work+0x790/0x11b8
[ 43.655620][ T21] worker_thread+0x910/0x1034
[ 43.656860][ T21] kthread+0x37c/0x45c
[ 43.657978][ T21] ret_from_fork+0x10/0x20
[ 43.659238][ T21]
[ 43.659877][ T21] The buggy address belongs to the object at ffff0000dced8000
[ 43.659877][ T21] which belongs to the cache kmalloc-8k of size 8192
[ 43.663829][ T21] The buggy address is located 6520 bytes inside of
[ 43.663829][ T21] 8192-byte region [ffff0000dced8000, ffff0000dceda000)
[ 43.667691][ T21] The buggy address belongs to the page:
[ 43.669204][ T21] page:00000000b12d2f03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11ced8
[ 43.672052][ T21] head:00000000b12d2f03 order:3 compound_mapcount:0 compound_pincount:0
[ 43.674459][ T21] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 43.676759][ T21] raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002c00
[ 43.679074][ T21] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 43.681323][ T21] page dumped because: kasan: bad access detected
[ 43.683072][ T21]
[ 43.683776][ T21] Memory state around the buggy address:
[ 43.685427][ T21] ffff0000dced9800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.687628][ T21] ffff0000dced9880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.689870][ T21] >ffff0000dced9900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.692168][ T21] ^
[ 43.694409][ T21] ffff0000dced9980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.696638][ T21] ffff0000dced9a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.698786][ T21] ==================================================================
[ 43.701110][ T21] Disabling lock debugging due to kernel taint
[ 43.702901][ T21] ------------[ cut here ]------------
[ 43.704472][ T21] refcount_t: underflow; use-after-free.
[ 43.706332][ T21] WARNING: CPU: 1 PID: 21 at lib/refcount.c:28 refcount_warn_saturate+0x1c8/0x20c
[ 43.708779][ T21] Modules linked in:
[ 43.709817][ T21] CPU: 1 PID: 21 Comm: kworker/1:0 Tainted: G B 5.15.165-syzkaller #0
[ 43.712322][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 43.715018][ T21] Workqueue: usb_hub_wq hub_event
[ 43.716361][ T21] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 43.718435][ T21] pc : refcount_warn_saturate+0x1c8/0x20c
[ 43.720054][ T21] lr : refcount_warn_saturate+0x1c8/0x20c
[ 43.721488][ T21] sp : ffff800018be72f0
[ 43.722594][ T21] x29: ffff800018be72f0 x28: ffff800016a10240 x27: ffff0000d8dec000
[ 43.724790][ T21] x26: 1fffe0001b1bdc07 x25: dfff800000000000 x24: ffff0000d8ded030
[ 43.727061][ T21] x23: 1fffe0001b9db0bb x22: ffff0000d8dee03c x21: 0000000000000003
[ 43.729294][ T21] x20: ffff0000d8dee038 x19: ffff800016f0e000 x18: 0000000000000001
[ 43.731481][ T21] x17: 0000000000000000 x16: ffff800011abb7f8 x15: 00000000ffffffff
[ 43.733664][ T21] x14: ffff0000c0a81b40 x13: 0000000000000001 x12: 0000000000000001
[ 43.735848][ T21] x11: 0000000000000000 x10: 0000000000000000 x9 : d39cb44495939300
[ 43.738054][ T21] x8 : d39cb44495939300 x7 : 0000000000000000 x6 : ffff800011b7ebf4
[ 43.740283][ T21] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff80000804605c
[ 43.742615][ T21] x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000026
[ 43.744742][ T21] Call trace:
[ 43.745683][ T21] refcount_warn_saturate+0x1c8/0x20c
[ 43.747116][ T21] kobject_put+0x1a8/0x438
[ 43.748406][ T21] put_device+0x28/0x40
[ 43.749522][ T21] hdm_disconnect+0x170/0x190
[ 43.750748][ T21] usb_unbind_interface+0x1a4/0x758
[ 43.752153][ T21] device_release_driver_internal+0x464/0x6ac
[ 43.753777][ T21] device_release_driver+0x28/0x38
[ 43.755163][ T21] bus_remove_device+0x298/0x38c
[ 43.756488][ T21] device_del+0x57c/0x9b4
[ 43.757633][ T21] usb_disable_device+0x354/0x760
[ 43.758969][ T21] usb_disconnect+0x290/0x7e8
[ 43.760199][ T21] hub_event+0x1718/0x46b8
[ 43.761351][ T21] process_one_work+0x790/0x11b8
[ 43.762682][ T21] worker_thread+0x910/0x1034
[ 43.763942][ T21] kthread+0x37c/0x45c
[ 43.765084][ T21] ret_from_fork+0x10/0x20
[ 43.766338][ T21] irq event stamp: 23204
[ 43.767496][ T21] hardirqs last enabled at (23203): [] kasan_quarantine_put+0xdc/0x204
[ 43.770117][ T21] hardirqs last disabled at (23204): [] _raw_spin_lock_irqsave+0xfc/0x14c
[ 43.772794][ T21] softirqs last enabled at (22614): [] local_bh_enable+0x10/0x34
[ 43.775410][ T21] softirqs last disabled at (22608): [] local_bh_disable+0x10/0x34
[ 43.777952][ T21] ---[ end trace 24072950f25a4612 ]---
[ 44.135586][ T21] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 44.375603][ T21] usb 1-1: Using ep0 maxpacket: 32
[ 44.495575][ T21] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 44.497688][ T21] usb 1-1: config 0 has no interface number 0
[ 44.655625][ T21] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 44.658229][ T21] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 44.660360][ T21] usb 1-1: Product: syz
[ 44.661443][ T21] usb 1-1: Manufacturer: syz
[ 44.662607][ T21] usb 1-1: SerialNumber: syz
[ 44.666051][ T21] usb 1-1: config 0 descriptor??
[ 44.907141][ T21] usb 1-1: USB disconnect, device number 3
executing program
[ 45.305589][ T21] usb 1-1: new high-speed USB device number 4 using dummy_hcd
[ 45.545643][ T21] usb 1-1: Using ep0 maxpacket: 32
[ 45.665682][ T21] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 45.667910][ T21] usb 1-1: config 0 has no interface number 0
[ 45.825686][ T21] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 45.828085][ T21] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 45.830186][ T21] usb 1-1: Product: syz
[ 45.831418][ T21] usb 1-1: Manufacturer: syz
[ 45.832689][ T21] usb 1-1: SerialNumber: syz
[ 45.836572][ T21] usb 1-1: config 0 descriptor??
[ 46.077134][ T1534] usb 1-1: USB disconnect, device number 4
executing program
[ 46.425676][ T1534] usb 1-1: new high-speed USB device number 5 using dummy_hcd
[ 46.665647][ T1534] usb 1-1: Using ep0 maxpacket: 32
[ 46.785635][ T1534] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 46.787829][ T1534] usb 1-1: config 0 has no interface number 0
[ 46.945687][ T1534] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 46.948124][ T1534] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 46.950308][ T1534] usb 1-1: Product: syz
[ 46.951401][ T1534] usb 1-1: Manufacturer: syz
[ 46.952701][ T1534] usb 1-1: SerialNumber: syz
[ 46.955406][ T1534] usb 1-1: config 0 descriptor??
[ 47.207099][ T21] usb 1-1: USB disconnect, device number 5
executing program
[ 47.605670][ T21] usb 1-1: new high-speed USB device number 6 using dummy_hcd
[ 47.845599][ T21] usb 1-1: Using ep0 maxpacket: 32
[ 47.965697][ T21] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 47.967953][ T21] usb 1-1: config 0 has no interface number 0
[ 48.125735][ T21] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 48.128089][ T21] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 48.130246][ T21] usb 1-1: Product: syz
[ 48.131347][ T21] usb 1-1: Manufacturer: syz
[ 48.132556][ T21] usb 1-1: SerialNumber: syz
[ 48.136922][ T21] usb 1-1: config 0 descriptor??
[ 48.377042][ T21] usb 1-1: USB disconnect, device number 6
executing program
[ 48.775620][ T21] usb 1-1: new high-speed USB device number 7 using dummy_hcd
[ 49.015626][ T21] usb 1-1: Using ep0 maxpacket: 32
[ 49.135816][ T21] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 49.138099][ T21] usb 1-1: config 0 has no interface number 0
[ 49.295800][ T21] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 49.298468][ T21] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 49.300710][ T21] usb 1-1: Product: syz
[ 49.301843][ T21] usb 1-1: Manufacturer: syz
[ 49.303086][ T21] usb 1-1: SerialNumber: syz
[ 49.306744][ T21] usb 1-1: config 0 descriptor??
executing program
[ 49.547707][ T21] usb 1-1: USB disconnect, device number 7
[ 49.905660][ T21] usb 1-1: new high-speed USB device number 8 using dummy_hcd
[ 50.145664][ T21] usb 1-1: Using ep0 maxpacket: 32
[ 50.265789][ T21] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 50.267933][ T21] usb 1-1: config 0 has no interface number 0
[ 50.425785][ T21] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 50.428297][ T21] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 50.430464][ T21] usb 1-1: Product: syz
[ 50.431624][ T21] usb 1-1: Manufacturer: syz
[ 50.432876][ T21] usb 1-1: SerialNumber: syz
[ 50.436394][ T21] usb 1-1: config 0 descriptor??
[ 50.677738][ T21] usb 1-1: USB disconnect, device number 8
executing program
[ 51.035625][ T21] usb 1-1: new high-speed USB device number 9 using dummy_hcd
[ 51.275541][ T21] usb 1-1: Using ep0 maxpacket: 32
[ 51.395637][ T21] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 51.397872][ T21] usb 1-1: config 0 has no interface number 0
[ 51.555618][ T21] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 51.558146][ T21] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 51.560322][ T21] usb 1-1: Product: syz
[ 51.561497][ T21] usb 1-1: Manufacturer: syz
[ 51.562658][ T21] usb 1-1: SerialNumber: syz
[ 51.565873][ T21] usb 1-1: config 0 descriptor??
[ 51.806949][ T21] usb 1-1: USB disconnect, device number 9
executing program
[ 52.215650][ T21] usb 1-1: new high-speed USB device number 10 using dummy_hcd
[ 52.465659][ T21] usb 1-1: Using ep0 maxpacket: 32
[ 52.585777][ T21] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 52.587800][ T21] usb 1-1: config 0 has no interface number 0
[ 52.745785][ T21] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 52.747987][ T21] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 52.750029][ T21] usb 1-1: Product: syz
[ 52.751112][ T21] usb 1-1: Manufacturer: syz
[ 52.752205][ T21] usb 1-1: SerialNumber: syz
[ 52.756003][ T21] usb 1-1: config 0 descriptor??
[ 52.997049][ T21] usb 1-1: USB disconnect, device number 10
executing program
[ 53.395630][ T21] usb 1-1: new high-speed USB device number 11 using dummy_hcd