usb 2-1: USB disconnect, device number 5 ------------[ cut here ]------------ WARNING: CPU: 0 PID: 47 at lib/refcount.c:28 refcount_warn_saturate+0x13c/0x174 lib/refcount.c:28 refcount_t: underflow; use-after-free. Modules linked in: Kernel panic - not syncing: kernel: panic_on_warn set ... CPU: 0 UID: 0 PID: 47 Comm: kworker/0:2 Not tainted 6.11.0-rc5-syzkaller #0 Hardware name: ARM-Versatile Express Workqueue: usb_hub_wq hub_event Call trace: [<81955560>] (dump_backtrace) from [<8195565c>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:257) r7:00000000 r6:826228c4 r5:00000000 r4:8200be6c [<81955644>] (show_stack) from [<81973340>] (__dump_stack lib/dump_stack.c:93 [inline]) [<81955644>] (show_stack) from [<81973340>] (dump_stack_lvl+0x54/0x7c lib/dump_stack.c:119) [<819732ec>] (dump_stack_lvl) from [<81973380>] (dump_stack+0x18/0x1c lib/dump_stack.c:128) r5:00000000 r4:8286bd18 [<81973368>] (dump_stack) from [<81956104>] (panic+0x120/0x368 kernel/panic.c:354) [<81955fe4>] (panic) from [<80242204>] (check_panic_on_warn kernel/panic.c:243 [inline]) [<81955fe4>] (panic) from [<80242204>] (get_taint+0x0/0x1c kernel/panic.c:238) r3:8260c5c4 r2:00000001 r1:81ff4690 r0:81ffc468 r7:8080cc0c [<80242190>] (check_panic_on_warn) from [<80242358>] (__warn+0x7c/0x180 kernel/panic.c:741) [<802422dc>] (__warn) from [<80242644>] (warn_slowpath_fmt+0x1e8/0x1f4 kernel/panic.c:774) r8:00000009 r7:82059bcc r6:df921c04 r5:82fe8000 r4:00000000 [<80242460>] (warn_slowpath_fmt) from [<8080cc0c>] (refcount_warn_saturate+0x13c/0x174 lib/refcount.c:28) r10:827c7398 r9:85187080 r8:00000044 r7:85185430 r6:845277b4 r5:85185400 r4:8418bc00 [<8080cad0>] (refcount_warn_saturate) from [<8192f460>] (__refcount_sub_and_test include/linux/refcount.h:275 [inline]) [<8080cad0>] (refcount_warn_saturate) from [<8192f460>] (__refcount_dec_and_test include/linux/refcount.h:307 [inline]) [<8080cad0>] (refcount_warn_saturate) from [<8192f460>] (refcount_dec_and_test include/linux/refcount.h:325 [inline]) [<8080cad0>] (refcount_warn_saturate) from [<8192f460>] (kref_put include/linux/kref.h:64 [inline]) [<8080cad0>] (refcount_warn_saturate) from [<8192f460>] (kobject_put+0x158/0x1f4 lib/kobject.c:737) [<8192f308>] (kobject_put) from [<80a6daac>] (put_device+0x18/0x1c drivers/base/core.c:3790) r7:85185430 r6:845277b4 r5:85185400 r4:84527000 [<80a6da94>] (put_device) from [<8133d4d4>] (hdm_disconnect+0x90/0x9c drivers/most/most_usb.c:1129) [<8133d444>] (hdm_disconnect) from [<80db7018>] (usb_unbind_interface+0x84/0x2c4 drivers/usb/core/driver.c:461) r7:85185430 r6:827c7398 r5:00000000 r4:85185400 [<80db6f94>] (usb_unbind_interface) from [<80a75984>] (device_remove drivers/base/dd.c:568 [inline]) [<80db6f94>] (usb_unbind_interface) from [<80a75984>] (device_remove+0x64/0x6c drivers/base/dd.c:560) r10:00000000 r9:85187080 r8:00000044 r7:85185474 r6:827c7398 r5:00000000 r4:85185430 [<80a75920>] (device_remove) from [<80a76e9c>] (__device_release_driver drivers/base/dd.c:1272 [inline]) [<80a75920>] (device_remove) from [<80a76e9c>] (device_release_driver_internal+0x18c/0x200 drivers/base/dd.c:1295) r5:00000000 r4:85185430 [<80a76d10>] (device_release_driver_internal) from [<80a76f28>] (device_release_driver+0x18/0x1c drivers/base/dd.c:1318) r9:85187080 r8:82f98d40 r7:82f98d38 r6:82f98d0c r5:85185430 r4:82f98d30 [<80a76f10>] (device_release_driver) from [<80a75008>] (bus_remove_device+0xcc/0x120 drivers/base/bus.c:574) [<80a74f3c>] (bus_remove_device) from [<80a6f118>] (device_del+0x148/0x38c drivers/base/core.c:3871) r9:85187080 r8:82fe8000 r7:04208060 r6:00000000 r5:85185430 r4:85185474 [<80a6efd0>] (device_del) from [<80db4a34>] (usb_disable_device+0xdc/0x1f0 drivers/usb/core/message.c:1418) r10:00000000 r9:00000000 r8:85185400 r7:85187000 r6:8508a3c8 r5:85187000 r4:60000013 [<80db4958>] (usb_disable_device) from [<80da9898>] (usb_disconnect+0xec/0x29c drivers/usb/core/hub.c:2304) r10:00000001 r9:8418b800 r8:851870c4 r7:83411800 r6:85187080 r5:85187000 r4:60000013 [<80da97ac>] (usb_disconnect) from [<80dac548>] (hub_port_connect drivers/usb/core/hub.c:5361 [inline]) [<80da97ac>] (usb_disconnect) from [<80dac548>] (hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]) [<80da97ac>] (usb_disconnect) from [<80dac548>] (port_event drivers/usb/core/hub.c:5821 [inline]) [<80da97ac>] (usb_disconnect) from [<80dac548>] (hub_event+0xe78/0x194c drivers/usb/core/hub.c:5903) r10:00000001 r9:00000100 r8:83771d00 r7:85187000 r6:83411000 r5:83411a10 r4:00000001 [<80dab6d0>] (hub_event) from [<80265f30>] (process_one_work+0x1b4/0x4f4 kernel/workqueue.c:3231) r10:82e6e805 r9:82fe8000 r8:00800000 r7:dddd0000 r6:82e6e800 r5:83771d00 r4:82f96500 [<80265d7c>] (process_one_work) from [<80266b14>] (process_scheduled_works kernel/workqueue.c:3312 [inline]) [<80265d7c>] (process_one_work) from [<80266b14>] (worker_thread+0x1ec/0x3b4 kernel/workqueue.c:3389) r10:82fe8000 r9:82f9652c r8:61c88647 r7:dddd0020 r6:82604d40 r5:dddd0000 r4:82f96500 [<80266928>] (worker_thread) from [<8026fb2c>] (kthread+0x104/0x134 kernel/kthread.c:389) r10:00000000 r9:df839e78 r8:82f9fc40 r7:82f96500 r6:80266928 r5:82fe8000 r4:82f9fb40 [<8026fa28>] (kthread) from [<80200114>] (ret_from_fork+0x14/0x20 arch/arm/kernel/entry-common.S:137) Exception stack(0xdf921fb0 to 0xdf921ff8) 1fa0: 00000000 00000000 00000000 00000000 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:8026fa28 r4:82f9fb40 Rebooting in 86400 seconds..