xpad 6-1:179.65: xpad_irq_in - usb_submit_urb failed with result -19
xpad 6-1:179.65: xpad_irq_out - usb_submit_urb failed with result -19
==================================================================
BUG: KASAN: slab-use-after-free in register_lock_class+0x7fc/0x890 kernel/locking/lockdep.c:1333
Read of size 1 at addr ffff88805a8ff091 by task udevd/6584

CPU: 0 PID: 6584 Comm: udevd Not tainted 6.6.96-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <IRQ>
 dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xac/0x230 mm/kasan/report.c:475
 kasan_report+0x117/0x150 mm/kasan/report.c:588
 register_lock_class+0x7fc/0x890 kernel/locking/lockdep.c:1333
 __lock_acquire+0x17a/0x7c80 kernel/locking/lockdep.c:5014
 lock_acquire+0x197/0x410 kernel/locking/lockdep.c:5754
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0xa8/0xf0 kernel/locking/spinlock.c:162
 __wake_up_common_lock kernel/sched/wait.c:137 [inline]
 __wake_up+0xf8/0x190 kernel/sched/wait.c:160
 __usb_hcd_giveback_urb+0x396/0x520 drivers/usb/core/hcd.c:1653
 dummy_timer+0x8a3/0x31b0 drivers/usb/gadget/udc/dummy_hcd.c:1993
 __run_hrtimer kernel/time/hrtimer.c:1755 [inline]
 __hrtimer_run_queues+0x51e/0xc40 kernel/time/hrtimer.c:1819
 hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1836
 handle_softirqs+0x280/0x820 kernel/softirq.c:578
 __do_softirq kernel/softirq.c:612 [inline]
 invoke_softirq kernel/softirq.c:452 [inline]
 __irq_exit_rcu+0xc7/0x190 kernel/softirq.c:661
 irq_exit_rcu+0x9/0x20 kernel/softirq.c:673
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1088
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x60 kernel/kcov.c:212
Code: 00 0f 0b 0f 1f 80 00 00 00 00 f3 0f 1e fa 53 48 89 fb e8 13 00 00 00 48 8b 3d 7c eb c4 0c 48 89 de 5b e9 43 de 57 00 cc cc cc <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0d 90 23 7e 7e 65 8b 15 91 23 7e
RSP: 0018:ffffc90004b4f5d0 EFLAGS: 00000202
RAX: ffffc90004b4ff01 RBX: ffffc90004b48000 RCX: 0000000000000001
RDX: ffff888030a0bc00 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90004b4f6f8 R08: ffff888030a0bc00 R09: 0000000000000003
R10: 0000000000000004 R11: 0000000000000000 R12: 1ffff92000969ed6
R13: 1ffff92000969ed7 R14: ffffc90004b4ff50 R15: ffffc90004b50000
 stack_access_ok arch/x86/kernel/unwind_orc.c:393 [inline]
 deref_stack_reg arch/x86/kernel/unwind_orc.c:403 [inline]
 unwind_next_frame+0xf3d/0x2970 arch/x86/kernel/unwind_orc.c:585
 arch_stack_walk+0x144/0x190 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4e/0x70 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:198 [inline]
 __do_kmalloc_node mm/slab_common.c:1007 [inline]
 __kmalloc+0xb4/0x240 mm/slab_common.c:1020
 kmalloc include/linux/slab.h:604 [inline]
 tomoyo_realpath_from_path+0xe3/0x5d0 security/tomoyo/realpath.c:251
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x20f/0x4b0 security/tomoyo/file.c:822
 tomoyo_path_symlink+0xa4/0xe0 security/tomoyo/tomoyo.c:211
 security_path_symlink+0xe0/0x130 security/security.c:1786
 do_symlinkat+0x108/0x3f0 fs/namei.c:4497
 __do_sys_symlink fs/namei.c:4520 [inline]
 __se_sys_symlink fs/namei.c:4518 [inline]
 __x64_sys_symlink+0x7e/0x90 fs/namei.c:4518
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f4ba6315527
Code: f0 ff ff 77 06 c3 0f 1f 44 00 00 48 8b 15 c9 b8 0d 00 f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 58 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 8b 15 a1 b8 0d 00 f7 d8 64 89 02 b8
RSP: 002b:00007ffe30447c58 EFLAGS: 00000202 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 00007ffe30448630 RCX: 00007f4ba6315527
RDX: 0000000000000000 RSI: 00007ffe30448630 RDI: 00007ffe30447d10
RBP: 00007ffe30448642 R08: 0000000000000075 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 000055f545a86495
R13: 00007ffe30447d10 R14: 000055f51cb186d7 R15: 000055f545a86490
 </TASK>

Allocated by task 8:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4e/0x70 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383
 kmalloc include/linux/slab.h:600 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 xpad_probe+0x41c/0x1ec0 drivers/input/joystick/xpad.c:2068
 usb_probe_interface+0x5a4/0xb00 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x25b/0xb40 drivers/base/dd.c:658
 __driver_probe_device+0x18c/0x330 drivers/base/dd.c:800
 driver_probe_device+0x4f/0x420 drivers/base/dd.c:830
 __device_attach_driver+0x2ca/0x520 drivers/base/dd.c:958
 bus_for_each_drv+0x24b/0x2d0 drivers/base/bus.c:459
 __device_attach+0x2b5/0x400 drivers/base/dd.c:1030
 bus_probe_device+0x180/0x260 drivers/base/bus.c:534
 device_add+0x85b/0xc20 drivers/base/core.c:3683
 usb_set_configuration+0x1a79/0x20c0 drivers/usb/core/message.c:2207
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:238
 usb_probe_device+0x13d/0x280 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x25b/0xb40 drivers/base/dd.c:658
 __driver_probe_device+0x18c/0x330 drivers/base/dd.c:800
 driver_probe_device+0x4f/0x420 drivers/base/dd.c:830
 __device_attach_driver+0x2ca/0x520 drivers/base/dd.c:958
 bus_for_each_drv+0x24b/0x2d0 drivers/base/bus.c:459
 __device_attach+0x2b5/0x400 drivers/base/dd.c:1030
 bus_probe_device+0x180/0x260 drivers/base/bus.c:534
 device_add+0x85b/0xc20 drivers/base/core.c:3683
 usb_new_device+0xa31/0x1630 drivers/usb/core/hub.c:2632
 hub_port_connect drivers/usb/core/hub.c:5501 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5641 [inline]
 port_event drivers/usb/core/hub.c:5801 [inline]
 hub_event+0x2957/0x49c0 drivers/usb/core/hub.c:5883
 process_one_work kernel/workqueue.c:2634 [inline]
 process_scheduled_works+0xa45/0x15b0 kernel/workqueue.c:2711
 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293

Freed by task 5863:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4e/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:522
 ____kasan_slab_free+0x126/0x1e0 mm/kasan/common.c:236
 kasan_slab_free include/linux/kasan.h:164 [inline]
 slab_free_hook mm/slub.c:1806 [inline]
 slab_free_freelist_hook+0x130/0x1b0 mm/slub.c:1832
 slab_free mm/slub.c:3816 [inline]
 __kmem_cache_free+0xba/0x1f0 mm/slub.c:3829
 xpad_disconnect+0x350/0x480 drivers/input/joystick/xpad.c:2249
 usb_unbind_interface+0x1f2/0x870 drivers/usb/core/driver.c:458
 device_remove drivers/base/dd.c:569 [inline]
 __device_release_driver drivers/base/dd.c:1272 [inline]
 device_release_driver_internal+0x4cb/0x7a0 drivers/base/dd.c:1295
 bus_remove_device+0x342/0x400 drivers/base/bus.c:576
 device_del+0x50b/0x900 drivers/base/core.c:3872
 usb_disable_device+0x3e9/0x8a0 drivers/usb/core/message.c:1416
 usb_disconnect+0x34c/0x8a0 drivers/usb/core/hub.c:2287
 hub_port_connect drivers/usb/core/hub.c:5341 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5641 [inline]
 port_event drivers/usb/core/hub.c:5801 [inline]
 hub_event+0x1ce5/0x49c0 drivers/usb/core/hub.c:5883
 process_one_work kernel/workqueue.c:2634 [inline]
 process_scheduled_works+0xa45/0x15b0 kernel/workqueue.c:2711
 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293

Last potentially related work creation:
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492
 __call_rcu_common kernel/rcu/tree.c:2717 [inline]
 call_rcu+0x14f/0x920 kernel/rcu/tree.c:2833
 netdev_for_each_tx_queue include/linux/netdevice.h:2520 [inline]
 dev_shutdown+0x96/0x440 net/sched/sch_generic.c:1489
 unregister_netdevice_many_notify+0x8d2/0x1810 net/core/dev.c:11064
 unregister_netdevice_many net/core/dev.c:11130 [inline]
 default_device_exit_batch+0x9cb/0xa60 net/core/dev.c:11608
 ops_exit_list net/core/net_namespace.c:178 [inline]
 cleanup_net+0x77f/0xb90 net/core/net_namespace.c:652
 process_one_work kernel/workqueue.c:2634 [inline]
 process_scheduled_works+0xa45/0x15b0 kernel/workqueue.c:2711
 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293

The buggy address belongs to the object at ffff88805a8ff000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 145 bytes inside of
 freed 1024-byte region [ffff88805a8ff000, ffff88805a8ff400)

The buggy address belongs to the physical page:
page:ffffea00016a3e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5a8f8
head:ffffea00016a3e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888017841dc0 ffffea000092b600 dead000000000002
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x152820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 5863, tgid 5863 (kworker/1:5), ts 93704820452, free_ts 26713172919
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1cd/0x210 mm/page_alloc.c:1554
 prep_new_page mm/page_alloc.c:1561 [inline]
 get_page_from_freelist+0x195c/0x19f0 mm/page_alloc.c:3191
 __alloc_pages+0x1e3/0x460 mm/page_alloc.c:4457
 alloc_slab_page+0x5d/0x170 mm/slub.c:1876
 allocate_slab mm/slub.c:2023 [inline]
 new_slab+0x87/0x2e0 mm/slub.c:2076
 ___slab_alloc+0xc6d/0x12f0 mm/slub.c:3230
 __slab_alloc mm/slub.c:3329 [inline]
 __slab_alloc_node mm/slub.c:3382 [inline]
 slab_alloc_node mm/slub.c:3475 [inline]
 __kmem_cache_alloc_node+0x1a2/0x260 mm/slub.c:3524
 __do_kmalloc_node mm/slab_common.c:1006 [inline]
 __kmalloc+0xa4/0x240 mm/slab_common.c:1020
 kmalloc include/linux/slab.h:604 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 neigh_alloc net/core/neighbour.c:494 [inline]
 ___neigh_create+0x6d2/0x2440 net/core/neighbour.c:648
 ip6_finish_output2+0x159e/0x1650 net/ipv6/ip6_output.c:132
 __ip6_finish_output net/ipv6/ip6_output.c:208 [inline]
 ip6_finish_output+0x5d7/0xaf0 net/ipv6/ip6_output.c:219
 dst_output include/net/dst.h:467 [inline]
 NF_HOOK include/linux/netfilter.h:304 [inline]
 ndisc_send_skb+0xbea/0x14b0 net/ipv6/ndisc.c:513
 addrconf_dad_completed+0x79f/0xd40 net/ipv6/addrconf.c:4330
 addrconf_dad_work+0xc4e/0x14e0 net/ipv6/addrconf.c:-1
 process_one_work kernel/workqueue.c:2634 [inline]
 process_scheduled_works+0xa45/0x15b0 kernel/workqueue.c:2711
 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1154 [inline]
 free_unref_page_prepare+0x7ce/0x8e0 mm/page_alloc.c:2336
 free_unref_page+0x32/0x2e0 mm/page_alloc.c:2429
 free_contig_range+0xa1/0x160 mm/page_alloc.c:6369
 destroy_args+0x87/0x770 mm/debug_vm_pgtable.c:1015
 debug_vm_pgtable+0x3cc/0x410 mm/debug_vm_pgtable.c:1395
 do_one_initcall+0x1fd/0x750 init/main.c:1238
 do_initcall_level+0x137/0x1f0 init/main.c:1300
 do_initcalls+0x69/0xd0 init/main.c:1316
 kernel_init_freeable+0x3d2/0x570 init/main.c:1553
 kernel_init+0x1d/0x1c0 init/main.c:1443
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293

Memory state around the buggy address:
 ffff88805a8fef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88805a8ff000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88805a8ff080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff88805a8ff100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88805a8ff180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	0f 0b                	ud2
   2:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
   9:	f3 0f 1e fa          	endbr64
   d:	53                   	push   %rbx
   e:	48 89 fb             	mov    %rdi,%rbx
  11:	e8 13 00 00 00       	call   0x29
  16:	48 8b 3d 7c eb c4 0c 	mov    0xcc4eb7c(%rip),%rdi        # 0xcc4eb99
  1d:	48 89 de             	mov    %rbx,%rsi
  20:	5b                   	pop    %rbx
  21:	e9 43 de 57 00       	jmp    0x57de69
  26:	cc                   	int3
  27:	cc                   	int3
  28:	cc                   	int3
* 29:	f3 0f 1e fa          	endbr64 <-- trapping instruction
  2d:	48 8b 04 24          	mov    (%rsp),%rax
  31:	65 48 8b 0d 90 23 7e 	mov    %gs:0x7e7e2390(%rip),%rcx        # 0x7e7e23c9
  38:	7e
  39:	65                   	gs
  3a:	8b                   	.byte 0x8b
  3b:	15                   	.byte 0x15
  3c:	91                   	xchg   %eax,%ecx
  3d:	23                   	.byte 0x23
  3e:	7e                   	.byte 0x7e