Warning: Permanently added '10.128.0.243' (ED25519) to the list of known hosts.
executing program
syzkaller login: [ 44.483683][ T7] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 44.723670][ T7] usb 1-1: Using ep0 maxpacket: 32
[ 44.843824][ T7] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 44.845976][ T7] usb 1-1: config 0 has no interface number 0
[ 45.003844][ T7] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 45.006248][ T7] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 45.008207][ T7] usb 1-1: Product: syz
[ 45.009210][ T7] usb 1-1: Manufacturer: syz
[ 45.010310][ T7] usb 1-1: SerialNumber: syz
[ 45.014284][ T7] usb 1-1: config 0 descriptor??
[ 45.256014][ T7] usb 1-1: USB disconnect, device number 2
[ 45.260017][ T7] ==================================================================
[ 45.262055][ T7] BUG: KASAN: use-after-free in hdm_disconnect+0xf8/0x190
[ 45.263865][ T7] Read of size 8 at addr ffff0000c8ae9978 by task kworker/0:0/7
[ 45.265884][ T7]
[ 45.266579][ T7] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 5.15.165-syzkaller #0
[ 45.268693][ T7] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 45.271470][ T7] Workqueue: usb_hub_wq hub_event
[ 45.272735][ T7] Call trace:
[ 45.273521][ T7] dump_backtrace+0x0/0x530
[ 45.274663][ T7] show_stack+0x2c/0x3c
[ 45.275781][ T7] dump_stack_lvl+0x108/0x170
[ 45.276949][ T7] print_address_description+0x7c/0x3f0
[ 45.278356][ T7] kasan_report+0x174/0x1e4
[ 45.279530][ T7] __asan_report_load8_noabort+0x44/0x50
[ 45.281003][ T7] hdm_disconnect+0xf8/0x190
[ 45.282251][ T7] usb_unbind_interface+0x1a4/0x758
[ 45.283580][ T7] device_release_driver_internal+0x464/0x6ac
[ 45.285250][ T7] device_release_driver+0x28/0x38
[ 45.286561][ T7] bus_remove_device+0x298/0x38c
[ 45.288004][ T7] device_del+0x57c/0x9b4
[ 45.289213][ T7] usb_disable_device+0x354/0x760
[ 45.290546][ T7] usb_disconnect+0x290/0x7e8
[ 45.291912][ T7] hub_event+0x1718/0x46b8
[ 45.292992][ T7] process_one_work+0x790/0x11b8
[ 45.294268][ T7] worker_thread+0x910/0x1034
[ 45.295491][ T7] kthread+0x37c/0x45c
[ 45.296568][ T7] ret_from_fork+0x10/0x20
[ 45.297712][ T7]
[ 45.298308][ T7] Allocated by task 7:
[ 45.299356][ T7] ____kasan_kmalloc+0xbc/0xfc
[ 45.300704][ T7] __kasan_kmalloc+0x10/0x1c
[ 45.301935][ T7] kmem_cache_alloc_trace+0x27c/0x47c
[ 45.303416][ T7] hdm_probe+0xa4/0x1044
[ 45.304539][ T7] usb_probe_interface+0x500/0x984
[ 45.305870][ T7] really_probe+0x26c/0xaec
[ 45.307054][ T7] __driver_probe_device+0x194/0x3b4
[ 45.308483][ T7] driver_probe_device+0x78/0x34c
[ 45.309775][ T7] __device_attach_driver+0x28c/0x4d8
[ 45.311231][ T7] bus_for_each_drv+0x158/0x1e0
[ 45.312515][ T7] __device_attach+0x2f0/0x480
[ 45.313728][ T7] device_initial_probe+0x24/0x34
[ 45.315243][ T7] bus_probe_device+0xbc/0x1c8
[ 45.316580][ T7] device_add+0xae0/0xef4
[ 45.317872][ T7] usb_set_configuration+0x15e0/0x1b60
[ 45.319377][ T7] usb_generic_driver_probe+0x8c/0x148
[ 45.320936][ T7] usb_probe_device+0x120/0x25c
[ 45.322279][ T7] really_probe+0x26c/0xaec
[ 45.323474][ T7] __driver_probe_device+0x194/0x3b4
[ 45.324879][ T7] driver_probe_device+0x78/0x34c
[ 45.326265][ T7] __device_attach_driver+0x28c/0x4d8
[ 45.327938][ T7] bus_for_each_drv+0x158/0x1e0
[ 45.329244][ T7] __device_attach+0x2f0/0x480
[ 45.330511][ T7] device_initial_probe+0x24/0x34
[ 45.331889][ T7] bus_probe_device+0xbc/0x1c8
[ 45.333158][ T7] device_add+0xae0/0xef4
[ 45.334318][ T7] usb_new_device+0x900/0x145c
[ 45.335605][ T7] hub_event+0x236c/0x46b8
[ 45.336862][ T7] process_one_work+0x790/0x11b8
[ 45.338192][ T7] worker_thread+0x910/0x1034
[ 45.339430][ T7] kthread+0x37c/0x45c
[ 45.340489][ T7] ret_from_fork+0x10/0x20
[ 45.341732][ T7]
[ 45.342396][ T7] Freed by task 7:
[ 45.343394][ T7] kasan_set_track+0x4c/0x84
[ 45.344705][ T7] kasan_set_free_info+0x28/0x4c
[ 45.346137][ T7] ____kasan_slab_free+0x118/0x164
[ 45.347595][ T7] __kasan_slab_free+0x18/0x28
[ 45.348925][ T7] slab_free_freelist_hook+0x128/0x1ec
[ 45.350514][ T7] kfree+0x178/0x410
[ 45.351555][ T7] release_mdev+0x20/0x30
[ 45.352868][ T7] device_release+0x8c/0x1ac
[ 45.354135][ T7] kobject_put+0x2c4/0x438
[ 45.355478][ T7] device_unregister+0x3c/0xcc
[ 45.356795][ T7] most_deregister_interface+0x3e0/0x42c
[ 45.358297][ T7] hdm_disconnect+0xe0/0x190
[ 45.359496][ T7] usb_unbind_interface+0x1a4/0x758
[ 45.360941][ T7] device_release_driver_internal+0x464/0x6ac
[ 45.362649][ T7] device_release_driver+0x28/0x38
[ 45.363946][ T7] bus_remove_device+0x298/0x38c
[ 45.365201][ T7] device_del+0x57c/0x9b4
[ 45.366386][ T7] usb_disable_device+0x354/0x760
[ 45.367790][ T7] usb_disconnect+0x290/0x7e8
[ 45.369100][ T7] hub_event+0x1718/0x46b8
[ 45.370358][ T7] process_one_work+0x790/0x11b8
[ 45.371678][ T7] worker_thread+0x910/0x1034
[ 45.372938][ T7] kthread+0x37c/0x45c
[ 45.374042][ T7] ret_from_fork+0x10/0x20
[ 45.375234][ T7]
[ 45.375824][ T7] The buggy address belongs to the object at ffff0000c8ae8000
[ 45.375824][ T7] which belongs to the cache kmalloc-8k of size 8192
[ 45.379657][ T7] The buggy address is located 6520 bytes inside of
[ 45.379657][ T7] 8192-byte region [ffff0000c8ae8000, ffff0000c8aea000)
[ 45.383244][ T7] The buggy address belongs to the page:
[ 45.384907][ T7] page:00000000f8d27835 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x108ae8
[ 45.387639][ T7] head:00000000f8d27835 order:3 compound_mapcount:0 compound_pincount:0
[ 45.389844][ T7] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 45.392029][ T7] raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002c00
[ 45.394461][ T7] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 45.396946][ T7] page dumped because: kasan: bad access detected
[ 45.398797][ T7]
[ 45.399430][ T7] Memory state around the buggy address:
[ 45.400987][ T7] ffff0000c8ae9800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.403231][ T7] ffff0000c8ae9880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.405406][ T7] >ffff0000c8ae9900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.407547][ T7] ^
[ 45.409704][ T7] ffff0000c8ae9980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.411924][ T7] ffff0000c8ae9a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.414167][ T7] ==================================================================
[ 45.416310][ T7] Disabling lock debugging due to kernel taint
[ 45.418526][ T7] ------------[ cut here ]------------
executing program
[ 45.420023][ T7] refcount_t: underflow; use-after-free.
[ 45.422816][ T7] WARNING: CPU: 0 PID: 7 at lib/refcount.c:28 refcount_warn_saturate+0x1c8/0x20c
[ 45.425296][ T7] Modules linked in:
[ 45.426383][ T7] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 5.15.165-syzkaller #0
[ 45.428949][ T7] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 45.431554][ T7] Workqueue: usb_hub_wq hub_event
[ 45.432917][ T7] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 45.435013][ T7] pc : refcount_warn_saturate+0x1c8/0x20c
[ 45.436555][ T7] lr : refcount_warn_saturate+0x1c8/0x20c
[ 45.438174][ T7] sp : ffff800018af72f0
[ 45.439284][ T7] x29: ffff800018af72f0 x28: ffff800016a10240 x27: ffff0000da1ff000
[ 45.441500][ T7] x26: 1fffe0001940c207 x25: dfff800000000000 x24: ffff0000ca060030
[ 45.443703][ T7] x23: 1fffe0001915d0bb x22: ffff0000ca06103c x21: 0000000000000003
[ 45.445819][ T7] x20: ffff0000ca061038 x19: ffff800016f0e000 x18: 1fffe000368f698e
[ 45.447968][ T7] x17: 1fffe000368f698e x16: ffff800011abb7f8 x15: ffff800014b5ef00
[ 45.450183][ T7] x14: ffff0001b47b4c80 x13: ffff0001b47b4c7c x12: 0000000000000001
[ 45.452315][ T7] x11: 0000000000000000 x10: 0000000000000000 x9 : e40d7123c4c0d300
[ 45.454450][ T7] x8 : e40d7123c4c0d300 x7 : 0000000000000000 x6 : ffff80000826ac0c
[ 45.456586][ T7] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff80000804605c
[ 45.458849][ T7] x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000026
[ 45.460993][ T7] Call trace:
[ 45.461910][ T7] refcount_warn_saturate+0x1c8/0x20c
[ 45.463257][ T7] kobject_put+0x1a8/0x438
[ 45.464471][ T7] put_device+0x28/0x40
[ 45.465589][ T7] hdm_disconnect+0x170/0x190
[ 45.466811][ T7] usb_unbind_interface+0x1a4/0x758
[ 45.468210][ T7] device_release_driver_internal+0x464/0x6ac
[ 45.469812][ T7] device_release_driver+0x28/0x38
[ 45.471134][ T7] bus_remove_device+0x298/0x38c
[ 45.472575][ T7] device_del+0x57c/0x9b4
[ 45.473755][ T7] usb_disable_device+0x354/0x760
[ 45.475142][ T7] usb_disconnect+0x290/0x7e8
[ 45.476343][ T7] hub_event+0x1718/0x46b8
[ 45.477551][ T7] process_one_work+0x790/0x11b8
[ 45.478988][ T7] worker_thread+0x910/0x1034
[ 45.480271][ T7] kthread+0x37c/0x45c
[ 45.481368][ T7] ret_from_fork+0x10/0x20
[ 45.482603][ T7] irq event stamp: 24854
[ 45.483732][ T7] hardirqs last enabled at (24853): [] kasan_quarantine_put+0xdc/0x204
[ 45.486367][ T7] hardirqs last disabled at (24854): [] _raw_spin_lock_irqsave+0xfc/0x14c
[ 45.489151][ T7] softirqs last enabled at (22714): [] handle_softirqs+0xb88/0xdbc
[ 45.491765][ T7] softirqs last disabled at (22709): [] __irq_exit_rcu+0x268/0x4d8
[ 45.494330][ T7] ---[ end trace b5921c54a714feee ]---
[ 45.843656][ T7] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 46.083673][ T7] usb 1-1: Using ep0 maxpacket: 32
[ 46.203768][ T7] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 46.205843][ T7] usb 1-1: config 0 has no interface number 0
[ 46.363756][ T7] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 46.366134][ T7] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 46.368147][ T7] usb 1-1: Product: syz
[ 46.369273][ T7] usb 1-1: Manufacturer: syz
[ 46.370390][ T7] usb 1-1: SerialNumber: syz
[ 46.373456][ T7] usb 1-1: config 0 descriptor??
[ 46.614922][ T7] usb 1-1: USB disconnect, device number 3
executing program
[ 46.963613][ T7] usb 1-1: new high-speed USB device number 4 using dummy_hcd
[ 47.203603][ T7] usb 1-1: Using ep0 maxpacket: 32
[ 47.323743][ T7] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 47.325858][ T7] usb 1-1: config 0 has no interface number 0
[ 47.483709][ T7] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 47.485960][ T7] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 47.487903][ T7] usb 1-1: Product: syz
[ 47.488948][ T7] usb 1-1: Manufacturer: syz
[ 47.490079][ T7] usb 1-1: SerialNumber: syz
[ 47.493292][ T7] usb 1-1: config 0 descriptor??
[ 47.734760][ T7] usb 1-1: USB disconnect, device number 4
executing program
[ 48.143600][ T7] usb 1-1: new high-speed USB device number 5 using dummy_hcd
[ 48.383581][ T7] usb 1-1: Using ep0 maxpacket: 32
[ 48.503667][ T7] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 48.505830][ T7] usb 1-1: config 0 has no interface number 0
[ 48.663645][ T7] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 48.666147][ T7] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 48.668282][ T7] usb 1-1: Product: syz
[ 48.669332][ T7] usb 1-1: Manufacturer: syz
[ 48.670497][ T7] usb 1-1: SerialNumber: syz
[ 48.673442][ T7] usb 1-1: config 0 descriptor??
[ 48.914820][ T21] usb 1-1: USB disconnect, device number 5
executing program
[ 49.323640][ T21] usb 1-1: new high-speed USB device number 6 using dummy_hcd
[ 49.563622][ T21] usb 1-1: Using ep0 maxpacket: 32
[ 49.683646][ T21] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 49.685806][ T21] usb 1-1: config 0 has no interface number 0
[ 49.843667][ T21] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 49.846023][ T21] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 49.848098][ T21] usb 1-1: Product: syz
[ 49.849226][ T21] usb 1-1: Manufacturer: syz
[ 49.850422][ T21] usb 1-1: SerialNumber: syz
[ 49.853840][ T21] usb 1-1: config 0 descriptor??
[ 50.094817][ T21] usb 1-1: USB disconnect, device number 6
executing program
[ 50.443621][ T21] usb 1-1: new high-speed USB device number 7 using dummy_hcd
[ 50.683599][ T21] usb 1-1: Using ep0 maxpacket: 32
[ 50.803655][ T21] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 50.805814][ T21] usb 1-1: config 0 has no interface number 0
[ 50.963689][ T21] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 50.966197][ T21] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 50.968329][ T21] usb 1-1: Product: syz
[ 50.969389][ T21] usb 1-1: Manufacturer: syz
[ 50.970647][ T21] usb 1-1: SerialNumber: syz
[ 50.974416][ T21] usb 1-1: config 0 descriptor??
[ 51.214789][ T21] usb 1-1: USB disconnect, device number 7
executing program
[ 51.613597][ T21] usb 1-1: new high-speed USB device number 8 using dummy_hcd
[ 51.853571][ T21] usb 1-1: Using ep0 maxpacket: 32
[ 51.973671][ T21] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 51.975878][ T21] usb 1-1: config 0 has no interface number 0
[ 52.133670][ T21] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 52.136073][ T21] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 52.138233][ T21] usb 1-1: Product: syz
[ 52.139359][ T21] usb 1-1: Manufacturer: syz
[ 52.140504][ T21] usb 1-1: SerialNumber: syz
[ 52.143688][ T21] usb 1-1: config 0 descriptor??
[ 52.384901][ T7] usb 1-1: USB disconnect, device number 8
executing program
[ 52.783644][ T7] usb 1-1: new high-speed USB device number 9 using dummy_hcd
[ 53.023608][ T7] usb 1-1: Using ep0 maxpacket: 32
[ 53.143766][ T7] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 53.145989][ T7] usb 1-1: config 0 has no interface number 0
[ 53.303833][ T7] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 53.306288][ T7] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 53.308375][ T7] usb 1-1: Product: syz
[ 53.309510][ T7] usb 1-1: Manufacturer: syz
[ 53.310712][ T7] usb 1-1: SerialNumber: syz
[ 53.315052][ T7] usb 1-1: config 0 descriptor??
[ 53.554879][ T7] usb 1-1: USB disconnect, device number 9
executing program
[ 53.953625][ T7] usb 1-1: new high-speed USB device number 10 using dummy_hcd
[ 54.193582][ T7] usb 1-1: Using ep0 maxpacket: 32
[ 54.313734][ T7] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 54.315861][ T7] usb 1-1: config 0 has no interface number 0
[ 54.473758][ T7] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 54.476261][ T7] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 54.478327][ T7] usb 1-1: Product: syz
[ 54.479396][ T7] usb 1-1: Manufacturer: syz
[ 54.480538][ T7] usb 1-1: SerialNumber: syz
[ 54.484686][ T7] usb 1-1: config 0 descriptor??
[ 54.724851][ T7] usb 1-1: USB disconnect, device number 10
executing program
[ 55.073625][ T7] usb 1-1: new high-speed USB device number 11 using dummy_hcd