bridge0: port 1(bridge_slave_0) entered disabled state
bridge0: port 2(bridge_slave_1) entered disabled state
usb usb9: usbfs: process 28542 (syz-executor.2) did not claim interface 0 before use
ip6t_srh: unknown srh match flags 4800
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:373 [inline]
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x387/0x6f0 drivers/usb/core/hcd.c:771
Write of size 2 at addr ffff88809b517dc0 by task syz-executor.5/28387

CPU: 1 PID: 28387 Comm: syz-executor.5 Not tainted 4.19.143-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
 kasan_report+0x8f/0x96 mm/kasan/report.c:412
 memcpy+0x35/0x50 mm/kasan/kasan.c:303
 memcpy include/linux/string.h:373 [inline]
 usb_hcd_poll_rh_status+0x387/0x6f0 drivers/usb/core/hcd.c:771
 call_timer_fn+0x177/0x700 kernel/time/timer.c:1338
 expire_timers+0x243/0x4e0 kernel/time/timer.c:1375
 __run_timers kernel/time/timer.c:1703 [inline]
 run_timer_softirq+0x21c/0x670 kernel/time/timer.c:1716
8021q: adding VLAN 0 to HW filter on device bond0
 __do_softirq+0x26c/0x9a0 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:372 [inline]
 irq_exit+0x215/0x260 kernel/softirq.c:412
 exiting_irq arch/x86/include/asm/apic.h:544 [inline]
 smp_apic_timer_interrupt+0x136/0x550 arch/x86/kernel/apic/apic.c:1094
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
RIP: 0010:get_current arch/x86/include/asm/current.h:15 [inline]
RIP: 0010:do_syscall_64+0x56/0x620 arch/x86/entry/common.c:281
Code: ff df 48 c1 ea 03 80 3c 02 00 0f 85 2d 05 00 00 48 83 3d 14 c3 d1 07 00 0f 84 44 04 00 00 e8 81 19 69 00 fb 66 0f 1f 44 00 00 <65> 4c 8b 24 25 40 ee 01 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2
RSP: 0018:ffff88805068ff28 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
RAX: ffff8880a94aa280 RBX: 000000000000003d RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8100984f RDI: ffff8880a94aab04
RBP: ffff88805068ff58 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffffffff88d25b58 R14: 0000000000000000 R15: 0000000000000000
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4171fb
Code: 54 55 41 89 d4 53 48 89 f5 89 fb 48 83 ec 10 e8 1b f9 ff ff 45 31 d2 41 89 c0 49 63 d4 48 89 ee 48 63 fb b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 19 44 89 c7 89 44 24 0c e8 51 f9 ff ff 8b 44
RSP: 002b:00007ffe92a4b6b0 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00000000004171fb
RDX: 0000000040000001 RSI: 00007ffe92a4b710 RDI: ffffffffffffffff
RBP: 00007ffe92a4b710 R08: 0000000000000000 R09: 00000000033d8940
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000040000001
R13: 00007ffe92a4b710 R14: 00000000001946e0 R15: 00007ffe92a4b720

Allocated by task 28542:
 __do_kmalloc mm/slab.c:3727 [inline]
 __kmalloc+0x15a/0x3c0 mm/slab.c:3736
 kmalloc include/linux/slab.h:520 [inline]
 proc_do_submiturb+0x2d08/0x3af0 drivers/usb/core/devio.c:1668
 proc_submiturb drivers/usb/core/devio.c:1822 [inline]
 usbdev_do_ioctl+0x773/0x3030 drivers/usb/core/devio.c:2476
 usbdev_ioctl+0x21/0x30 drivers/usb/core/devio.c:2580
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 kfree_const+0x51/0x60 mm/util.c:38
 kernfs_put.part.0+0x159/0x590 fs/kernfs/dir.c:532
 kernfs_put+0x42/0x50 fs/kernfs/dir.c:515
 sysfs_put include/linux/sysfs.h:547 [inline]
 kobject_del lib/kobject.c:593 [inline]
 kobject_del lib/kobject.c:584 [inline]
 kobject_cleanup lib/kobject.c:656 [inline]
 kobject_release lib/kobject.c:691 [inline]
 kref_put include/linux/kref.h:70 [inline]
 kobject_put+0x16e/0x350 lib/kobject.c:708
 netdev_queue_update_kobjects+0x28b/0x3c0 net/core/net-sysfs.c:1524
 remove_queue_kobjects net/core/net-sysfs.c:1577 [inline]
 netdev_unregister_kobject+0x159/0x1e0 net/core/net-sysfs.c:1727
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
 rollback_registered_many+0x646/0xde0 net/core/dev.c:8211
 unregister_netdevice_many.part.0+0x1a/0x300 net/core/dev.c:9310
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
 unregister_netdevice_many net/core/dev.c:9309 [inline]
 default_device_exit_batch+0x2fa/0x3c0 net/core/dev.c:9781
 ops_exit_list+0xf9/0x150 net/core/net_namespace.c:156
 cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553
 process_one_work+0x864/0x1570 kernel/workqueue.c:2155
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready

The buggy address belongs to the object at ffff88809b517dc0
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
 32-byte region [ffff88809b517dc0, ffff88809b517de0)
The buggy address belongs to the page:
page:ffffea00026d45c0 count:1 mapcount:0 mapping:ffff88812c39c1c0 index:0xffff88809b517fc1
8021q: adding VLAN 0 to HW filter on device team0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea000258d548 ffffea00028f1d48 ffff88812c39c1c0
raw: ffff88809b517fc1 ffff88809b517000 000000010000003b 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809b517c80: 00 00 01 fc fc fc fc fc fb fb fb fb fc fc fc fc
 ffff88809b517d00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
>ffff88809b517d80: fb fb fb fb fc fc fc fc 01 fc fc fc fc fc fc fc
                                           ^
 ffff88809b517e00: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
 ffff88809b517e80: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
==================================================================