hid-u2fzero 0003:10C4:8ACF.0002: hidraw0: USB HID v0.00 Device [HID 10c4:8acf] on usb-dummy_hcd.0-1/input0
hid-u2fzero 0003:10C4:8ACF.0002: U2F Zero LED initialised
general protection fault, probably for non-canonical address 0xdffffc0000000015: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af]
CPU: 0 PID: 4333 Comm: kworker/0:19 Not tainted 6.1.106-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: usb_hub_wq hub_event
RIP: 0010:u2fzero_recv drivers/hid/hid-u2fzero.c:137 [inline]
RIP: 0010:u2fzero_rng_read+0x27d/0x710 drivers/hid/hid-u2fzero.c:223
Code: 68 fd ff ff 4d 89 f5 49 c1 ed 03 43 80 7c 3d 00 00 74 08 4c 89 f7 e8 f2 72 c6 f9 bb a8 00 00 00 49 03 1e 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 54 73 c6 f9 48 8d 84 24 80 00 00
RSP: 0018:ffffc9000be6e720 EFLAGS: 00010202
RAX: 0000000000000015 RBX: 00000000000000a8 RCX: 0000000000000000
RDX: 000000000000003b RSI: 0000000000000000 RDI: ffff8880219b3b69
RBP: ffffc9000be6e8d0 R08: dffffc0000000000 R09: ffff8880219b3b2e
R10: ffffffffffffffff R11: dffffc0000000001 R12: ffff8880795493e0
R13: 1ffff1100f2a9206 R14: ffff888079549030 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f70bd7afa70 CR3: 000000005816f000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 rng_get_data drivers/char/hw_random/core.c:201 [inline]
 add_early_randomness+0x78/0x140 drivers/char/hw_random/core.c:73
 hwrng_register+0x3a0/0x440 drivers/char/hw_random/core.c:593
 devm_hwrng_register+0x43/0xb0 drivers/char/hw_random/core.c:665
 u2fzero_probe+0x31a/0x410 drivers/hid/hid-u2fzero.c:359
 hid_device_probe+0x298/0x3a0 drivers/hid/hid-core.c:2630
 really_probe+0x2ab/0xcb0 drivers/base/dd.c:639
 __driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785
 driver_probe_device+0x50/0x420 drivers/base/dd.c:815
 __device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943
 bus_for_each_drv+0x183/0x200 drivers/base/bus.c:427
 __device_attach+0x359/0x570 drivers/base/dd.c:1015
 bus_probe_device+0xba/0x1e0 drivers/base/bus.c:487
 device_add+0xb48/0xfd0 drivers/base/core.c:3692
 hid_add_device+0x3a5/0x510 drivers/hid/hid-core.c:2782
 usbhid_probe+0xb2d/0xeb0 drivers/hid/usbhid/hid-core.c:1424
 usb_probe_interface+0x5c0/0xaf0 drivers/usb/core/driver.c:396
 really_probe+0x2ab/0xcb0 drivers/base/dd.c:639
 __driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785
 driver_probe_device+0x50/0x420 drivers/base/dd.c:815
 __device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943
 bus_for_each_drv+0x183/0x200 drivers/base/bus.c:427
 __device_attach+0x359/0x570 drivers/base/dd.c:1015
 bus_probe_device+0xba/0x1e0 drivers/base/bus.c:487
 device_add+0xb48/0xfd0 drivers/base/core.c:3692
 usb_set_configuration+0x19dd/0x2020 drivers/usb/core/message.c:2165
 usb_generic_driver_probe+0x84/0x140 drivers/usb/core/generic.c:238
 usb_probe_device+0x130/0x260 drivers/usb/core/driver.c:293
 really_probe+0x2ab/0xcb0 drivers/base/dd.c:639
 __driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785
 driver_probe_device+0x50/0x420 drivers/base/dd.c:815
 __device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943
 bus_for_each_drv+0x183/0x200 drivers/base/bus.c:427
 __device_attach+0x359/0x570 drivers/base/dd.c:1015
 bus_probe_device+0xba/0x1e0 drivers/base/bus.c:487
 device_add+0xb48/0xfd0 drivers/base/core.c:3692
 usb_new_device+0xbdd/0x18f0 drivers/usb/core/hub.c:2620
 hub_port_connect drivers/usb/core/hub.c:5477 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5617 [inline]
 port_event drivers/usb/core/hub.c:5773 [inline]
 hub_event+0x2efe/0x5730 drivers/usb/core/hub.c:5855
 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
 kthread+0x28d/0x320 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:u2fzero_recv drivers/hid/hid-u2fzero.c:137 [inline]
RIP: 0010:u2fzero_rng_read+0x27d/0x710 drivers/hid/hid-u2fzero.c:223
Code: 68 fd ff ff 4d 89 f5 49 c1 ed 03 43 80 7c 3d 00 00 74 08 4c 89 f7 e8 f2 72 c6 f9 bb a8 00 00 00 49 03 1e 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 54 73 c6 f9 48 8d 84 24 80 00 00
RSP: 0018:ffffc9000be6e720 EFLAGS: 00010202
RAX: 0000000000000015 RBX: 00000000000000a8 RCX: 0000000000000000
RDX: 000000000000003b RSI: 0000000000000000 RDI: ffff8880219b3b69
RBP: ffffc9000be6e8d0 R08: dffffc0000000000 R09: ffff8880219b3b2e
R10: ffffffffffffffff R11: dffffc0000000001 R12: ffff8880795493e0
R13: 1ffff1100f2a9206 R14: ffff888079549030 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f70bd7afa70 CR3: 000000000d08e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	68 fd ff ff 4d       	push   $0x4dfffffd
   5:	89 f5                	mov    %esi,%ebp
   7:	49 c1 ed 03          	shr    $0x3,%r13
   b:	43 80 7c 3d 00 00    	cmpb   $0x0,0x0(%r13,%r15,1)
  11:	74 08                	je     0x1b
  13:	4c 89 f7             	mov    %r14,%rdi
  16:	e8 f2 72 c6 f9       	call   0xf9c6730d
  1b:	bb a8 00 00 00       	mov    $0xa8,%ebx
  20:	49 03 1e             	add    (%r14),%rbx
  23:	48 89 d8             	mov    %rbx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 38 00       	cmpb   $0x0,(%rax,%r15,1) <-- trapping instruction
  2f:	74 08                	je     0x39
  31:	48 89 df             	mov    %rbx,%rdi
  34:	e8 54 73 c6 f9       	call   0xf9c6738d
  39:	48                   	rex.W
  3a:	8d                   	.byte 0x8d
  3b:	84 24 80             	test   %ah,(%rax,%rax,4)