xpad 1-1:179.65: xpad_irq_in - usb_submit_urb failed with result -19
xpad 1-1:179.65: xpad_irq_out - usb_submit_urb failed with result -19
==================================================================
BUG: KASAN: slab-use-after-free in register_lock_class+0xcbb/0x1230 kernel/locking/lockdep.c:1368
Write of size 8 at addr ffff88810cb39878 by task kworker/1:4/4809

CPU: 1 PID: 4809 Comm: kworker/1:4 Not tainted 6.10.0-rc4-syzkaller-00053-g819984a0dd36 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: events delayed_vfree_work
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 register_lock_class+0xcbb/0x1230 kernel/locking/lockdep.c:1368
 __lock_acquire+0x111/0x3b30 kernel/locking/lockdep.c:5014
 lock_acquire kernel/locking/lockdep.c:5754 [inline]
 lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
 __wake_up_common_lock kernel/sched/wait.c:105 [inline]
 __wake_up+0x1c/0x60 kernel/sched/wait.c:127
 __usb_unanchor_urb drivers/usb/core/urb.c:156 [inline]
 usb_anchor_resume_wakeups+0xc2/0xe0 drivers/usb/core/urb.c:150
 __usb_hcd_giveback_urb+0x3b7/0x6e0 drivers/usb/core/hcd.c:1653
 usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734
 dummy_timer+0x17f6/0x3900 drivers/usb/gadget/udc/dummy_hcd.c:1987
 __run_hrtimer kernel/time/hrtimer.c:1687 [inline]
 __hrtimer_run_queues+0x20c/0xcc0 kernel/time/hrtimer.c:1751
 hrtimer_interrupt+0x31b/0x800 kernel/time/hrtimer.c:1813
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1032 [inline]
 __sysvec_apic_timer_interrupt+0x10f/0x450 arch/x86/kernel/apic/apic.c:1049
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0x8b/0xb0 arch/x86/kernel/apic/apic.c:1043
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__raw_spin_trylock include/linux/spinlock_api_smp.h:90 [inline]
RIP: 0010:_raw_spin_trylock+0x3f/0x80 kernel/locking/spinlock.c:138
Code: ef e8 b5 89 9d fa 85 c0 75 20 89 c3 bf 01 00 00 00 e8 85 01 92 fa 65 8b 05 a6 6d 6f 79 85 c0 74 37 89 d8 5b 5d c3 cc cc cc cc <ff> 74 24 10 48 8d 7d 18 bb 01 00 00 00 45 31 c9 41 b8 01 00 00 00
RSP: 0018:ffffc9000a6bfbc0 EFLAGS: 00000202
RAX: 0000000000000001 RBX: ffffea00044b3e80 RCX: ffffffff8131e271
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff8881f6543390
RBP: ffff8881f6543380 R08: 0000000000000001 R09: fffff520014d7f6c
R10: 0000000000000003 R11: 0000000000000002 R12: 0000000000112cfa
R13: ffff8881f6543380 R14: ffff88823fff9e00 R15: ffff88823fffa800
 spin_trylock include/linux/spinlock.h:361 [inline]
 free_unref_page+0x42d/0xd40 mm/page_alloc.c:2604
 vfree+0x181/0x7a0 mm/vmalloc.c:3346
 delayed_vfree_work+0x56/0x70 mm/vmalloc.c:3267
 process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 4780:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:387
 kmalloc_noprof include/linux/slab.h:660 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 xpad_probe+0x27e/0x1f50 drivers/input/joystick/xpad.c:2025
 usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399
 call_driver_probe drivers/base/dd.c:578 [inline]
 really_probe+0x23e/0xa90 drivers/base/dd.c:656
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:798
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:828
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:956
 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:457
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1028
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:532
 device_add+0x114b/0x1a70 drivers/base/core.c:3679
 usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254
 usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294
 call_driver_probe drivers/base/dd.c:578 [inline]
 really_probe+0x23e/0xa90 drivers/base/dd.c:656
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:798
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:828
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:956
 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:457
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1028
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:532
 device_add+0x114b/0x1a70 drivers/base/core.c:3679
 usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651
 hub_port_connect drivers/usb/core/hub.c:5521 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
 port_event drivers/usb/core/hub.c:5821 [inline]
 hub_event+0x2e66/0x4f50 drivers/usb/core/hub.c:5903
 process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 730:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
 poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
 __kasan_slab_free+0x14/0x30 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2196 [inline]
 slab_free mm/slub.c:4437 [inline]
 kfree+0x10b/0x380 mm/slub.c:4558
 xpad_disconnect+0x1cf/0x580 drivers/input/joystick/xpad.c:2206
 usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461
 device_remove drivers/base/dd.c:568 [inline]
 device_remove+0x122/0x170 drivers/base/dd.c:560
 __device_release_driver drivers/base/dd.c:1270 [inline]
 device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1293
 bus_remove_device+0x22f/0x420 drivers/base/bus.c:574
 device_del+0x396/0x9f0 drivers/base/core.c:3868
 usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
 usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304
 hub_port_connect drivers/usb/core/hub.c:5361 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
 port_event drivers/usb/core/hub.c:5821 [inline]
 hub_event+0x1be4/0x4f50 drivers/usb/core/hub.c:5903
 process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the object at ffff88810cb39800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 120 bytes inside of
 freed 1024-byte region [ffff88810cb39800, ffff88810cb39c00)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10cb38
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x200000000000040(head|node=0|zone=2)
page_type: 0xffffefff(slab)
raw: 0200000000000040 ffff888100041dc0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000080100010 00000001ffffefff 0000000000000000
head: 0200000000000040 ffff888100041dc0 0000000000000000 dead000000000001
head: 0000000000000000 0000000080100010 00000001ffffefff 0000000000000000
head: 0200000000000003 ffffea000432ce01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2523, tgid 2523 (syz-executor.0), ts 51382791949, free_ts 51339356326
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1468
 prep_new_page mm/page_alloc.c:1476 [inline]
 get_page_from_freelist+0x132e/0x2640 mm/page_alloc.c:3420
 __alloc_pages_noprof+0x21e/0x2290 mm/page_alloc.c:4678
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x56/0x110 mm/slub.c:2265
 allocate_slab mm/slub.c:2428 [inline]
 new_slab+0x84/0x260 mm/slub.c:2481
 ___slab_alloc+0xdac/0x1870 mm/slub.c:3667
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3757
 __slab_alloc_node mm/slub.c:3810 [inline]
 slab_alloc_node mm/slub.c:3989 [inline]
 __do_kmalloc_node mm/slub.c:4121 [inline]
 __kmalloc_node_noprof+0x151/0x3f0 mm/slub.c:4129
 kmalloc_node_noprof include/linux/slab.h:681 [inline]
 kvmalloc_node_noprof+0x9d/0x1a0 mm/util.c:634
 bucket_table_alloc.isra.0+0x86/0x470 lib/rhashtable.c:186
 rhashtable_init_noprof+0x41a/0x7e0 lib/rhashtable.c:1071
 ipc_init_ids+0x92/0x240 ipc/util.c:120
 create_ipc_ns ipc/namespace.c:89 [inline]
 copy_ipcs+0x4f5/0x610 ipc/namespace.c:112
 create_new_namespaces+0x20a/0xb10 kernel/nsproxy.c:90
 unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228
 ksys_unshare+0x419/0x970 kernel/fork.c:3323
page last free pid 2521 tgid 2521 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1088 [inline]
 free_unref_page+0x696/0xd40 mm/page_alloc.c:2583
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x4e/0x70 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3941 [inline]
 slab_alloc_node mm/slub.c:4001 [inline]
 __do_kmalloc_node mm/slub.c:4121 [inline]
 __kmalloc_node_noprof+0x1b5/0x3f0 mm/slub.c:4129
 kmalloc_node_noprof include/linux/slab.h:681 [inline]
 kvmalloc_node_noprof+0x9d/0x1a0 mm/util.c:634
 proc_sys_call_handler+0x38b/0x6a0 fs/proc/proc_sysctl.c:575
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0x6b6/0x1140 fs/read_write.c:590
 ksys_write+0x12f/0x260 fs/read_write.c:643
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88810cb39700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88810cb39780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88810cb39800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff88810cb39880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88810cb39900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
   0:	ef                   	out    %eax,(%dx)
   1:	e8 b5 89 9d fa       	call   0xfa9d89bb
   6:	85 c0                	test   %eax,%eax
   8:	75 20                	jne    0x2a
   a:	89 c3                	mov    %eax,%ebx
   c:	bf 01 00 00 00       	mov    $0x1,%edi
  11:	e8 85 01 92 fa       	call   0xfa92019b
  16:	65 8b 05 a6 6d 6f 79 	mov    %gs:0x796f6da6(%rip),%eax        # 0x796f6dc3
  1d:	85 c0                	test   %eax,%eax
  1f:	74 37                	je     0x58
  21:	89 d8                	mov    %ebx,%eax
  23:	5b                   	pop    %rbx
  24:	5d                   	pop    %rbp
  25:	c3                   	ret
  26:	cc                   	int3
  27:	cc                   	int3
  28:	cc                   	int3
  29:	cc                   	int3
* 2a:	ff 74 24 10          	push   0x10(%rsp) <-- trapping instruction
  2e:	48 8d 7d 18          	lea    0x18(%rbp),%rdi
  32:	bb 01 00 00 00       	mov    $0x1,%ebx
  37:	45 31 c9             	xor    %r9d,%r9d
  3a:	41 b8 01 00 00 00    	mov    $0x1,%r8d