usb 1-1: Direct firmware load for ueagle-atm/eagleI.fw failed with error -2
usb 1-1: Falling back to sysfs fallback for: ueagle-atm/eagleI.fw
------------[ cut here ]------------
WARNING: CPU: 0 PID: 7165 at fs/kernfs/dir.c:526 kernfs_get+0x8c/0xd0 fs/kernfs/dir.c:526
Modules linked in:
CPU: 0 PID: 7165 Comm: kworker/0:54 Not tainted 6.10.0-rc7-syzkaller-gc912bf709078 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: events request_firmware_work_func
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : kernfs_get+0x8c/0xd0 fs/kernfs/dir.c:526
lr : kernfs_get+0x8c/0xd0 fs/kernfs/dir.c:526
sp : ffff8000a1897540
x29: ffff8000a1897540 x28: ffff0000d85820a8 x27: dfff800000000000
x26: ffff80008c3f16a0 x25: 1fffe00018477685 x24: ffff80008c3f0178
x23: 1fffe00018477686 x22: ffff0000c23bb428 x21: 1fffe000185a5c59
x20: 0000000000000000 x19: ffff0000d04b9c30 x18: ffff8000a1896ae0
x17: 000000000000e2d7 x16: ffff800080d8b1c0 x15: 0000000000000001
x14: 1fffe0001a097386 x13: 0000000000000000 x12: 0000000000000000
x11: ffff60001a097387 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : ffff0000dc181e40 x7 : ffff80008b0b09e8 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff800080d8b1e8
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
 kernfs_get+0x8c/0xd0 fs/kernfs/dir.c:526
 sysfs_get include/linux/sysfs.h:795 [inline]
 create_dir lib/kobject.c:89 [inline]
 kobject_add_internal+0x614/0xb04 lib/kobject.c:240
 kobject_add_varg lib/kobject.c:374 [inline]
 kobject_add+0x14c/0x224 lib/kobject.c:426
 class_dir_create_and_add drivers/base/core.c:3222 [inline]
 get_device_parent+0x2ec/0x370 drivers/base/core.c:3273
 device_add+0x2a0/0xa6c drivers/base/core.c:3603
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:86 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:162 [inline]
 firmware_fallback_sysfs+0x2bc/0x918 drivers/base/firmware_loader/fallback.c:238
 _request_firmware+0xd1c/0xf7c drivers/base/firmware_loader/main.c:914
 request_firmware_work_func+0xfc/0x214 drivers/base/firmware_loader/main.c:1165
 process_one_work+0x79c/0x15b8 kernel/workqueue.c:3248
 process_scheduled_works kernel/workqueue.c:3329 [inline]
 worker_thread+0x938/0xecc kernel/workqueue.c:3409
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
irq event stamp: 1918
hardirqs last enabled at (1917): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline]
hardirqs last enabled at (1917): [] _raw_spin_unlock_irq+0x30/0x80 kernel/locking/spinlock.c:202
hardirqs last disabled at (1918): [] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:470
softirqs last enabled at (1722): [] spin_unlock_bh include/linux/spinlock.h:396 [inline]
softirqs last enabled at (1722): [] nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline]
softirqs last enabled at (1722): [] nsim_dev_trap_report_work+0x620/0x924 drivers/net/netdevsim/dev.c:850
softirqs last disabled at (1720): [] spin_lock_bh include/linux/spinlock.h:356 [inline]
softirqs last disabled at (1720): [] nsim_dev_trap_report drivers/net/netdevsim/dev.c:816 [inline]
softirqs last disabled at (1720): [] nsim_dev_trap_report_work+0x59c/0x924 drivers/net/netdevsim/dev.c:850
---[ end trace 0000000000000000 ]---
kobject: kobject_add_internal failed for ueagle-atm!eagleI.fw (error: -2 parent: firmware)
------------[ cut here ]------------
ODEBUG: activate active (active state 1) object: 000000001e3945d3 object type: rcu_head hint: 0x0
WARNING: CPU: 0 PID: 7165 at lib/debugobjects.c:517 debug_print_object lib/debugobjects.c:514 [inline]
WARNING: CPU: 0 PID: 7165 at lib/debugobjects.c:517 debug_object_activate+0x360/0x4ac lib/debugobjects.c:732
Modules linked in:
CPU: 0 PID: 7165 Comm: kworker/0:54 Tainted: G W 6.10.0-rc7-syzkaller-gc912bf709078 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: events request_firmware_work_func
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : debug_print_object lib/debugobjects.c:514 [inline]
pc : debug_object_activate+0x360/0x4ac lib/debugobjects.c:732
lr : debug_print_object lib/debugobjects.c:514 [inline]
lr : debug_object_activate+0x360/0x4ac lib/debugobjects.c:732
sp : ffff8000a1897560
x29: ffff8000a1897560 x28: ffff800093d02000 x27: dfff800000000000
x26: ffff80008b152da0 x25: 0000000000000001 x24: ffff0000d04b9cd0
x23: 0000000000000003 x22: ffff80008b682a40 x21: 0000000000000000
x20: ffff80008b152da0 x19: ffff0000d04b9cd0 x18: 1fffe000367ac9de
x17: ffff80008f0fd000 x16: ffff80008032d32c x15: 0000000000000001
x14: 1fffe000367af600 x13: 0000000000000000 x12: 0000000000000003
x11: 0000000000000001 x10: 0000000000000003 x9 : f5581af65e957400
x8 : f5581af65e957400 x7 : ffff8000802a3bb0 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000006 x1 : ffff80008b140360 x0 : ffff800124d1e000
Call trace:
 debug_print_object lib/debugobjects.c:514 [inline]
 debug_object_activate+0x360/0x4ac lib/debugobjects.c:732
 debug_rcu_head_queue kernel/rcu/rcu.h:227 [inline]
 __call_rcu_common kernel/rcu/tree.c:3057 [inline]
 call_rcu+0x48/0xb08 kernel/rcu/tree.c:3176
 kernfs_put+0x1cc/0x38c fs/kernfs/dir.c:578
 sysfs_put include/linux/sysfs.h:801 [inline]
 __kobject_del+0xf0/0x2d4 lib/kobject.c:605
 kobject_del+0x48/0x68 lib/kobject.c:627
 cleanup_glue_dir+0x18c/0x204 drivers/base/core.c:3404
 device_add+0x654/0xa6c drivers/base/core.c:3730
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:86 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:162 [inline]
 firmware_fallback_sysfs+0x2bc/0x918 drivers/base/firmware_loader/fallback.c:238
 _request_firmware+0xd1c/0xf7c drivers/base/firmware_loader/main.c:914
 request_firmware_work_func+0xfc/0x214 drivers/base/firmware_loader/main.c:1165
 process_one_work+0x79c/0x15b8 kernel/workqueue.c:3248
 process_scheduled_works kernel/workqueue.c:3329 [inline]
 worker_thread+0x938/0xecc kernel/workqueue.c:3409
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
irq event stamp: 2168
hardirqs last enabled at (2167): [] raw_spin_rq_unlock_irq kernel/sched/sched.h:1418 [inline]
hardirqs last enabled at (2167): [] finish_lock_switch+0xbc/0x1e4 kernel/sched/core.c:5162
hardirqs last disabled at (2168): [] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:470
softirqs last enabled at (2160): [] softirq_handle_end kernel/softirq.c:400 [inline]
softirqs last enabled at (2160): [] handle_softirqs+0xa3c/0xbfc kernel/softirq.c:582
softirqs last disabled at (2063): [] __do_softirq+0x14/0x20 kernel/softirq.c:588
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
ODEBUG: active_state not available (active state 0) object: 000000001e3945d3 object type: rcu_head hint: 0x0
WARNING: CPU: 0 PID: 7165 at lib/debugobjects.c:517 debug_print_object lib/debugobjects.c:514 [inline]
WARNING: CPU: 0 PID: 7165 at lib/debugobjects.c:517 debug_object_active_state+0x2a8/0x37c lib/debugobjects.c:954
Modules linked in:
CPU: 0 PID: 7165 Comm: kworker/0:54 Tainted: G W 6.10.0-rc7-syzkaller-gc912bf709078 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: events request_firmware_work_func
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : debug_print_object lib/debugobjects.c:514 [inline]
pc : debug_object_active_state+0x2a8/0x37c lib/debugobjects.c:954
lr : debug_print_object lib/debugobjects.c:514 [inline]
lr : debug_object_active_state+0x2a8/0x37c lib/debugobjects.c:954
sp : ffff8000a1897560
x29: ffff8000a1897560 x28: 0000000000000000 x27: dfff800000000000
x26: 0000000000000001 x25: 0000000000000005 x24: ffff800093d02000
x23: 0000000000000000 x22: ffff80008b152da0 x21: ffff0000d04b9cd0
x20: ffff80008b682a80 x19: 0000000000000000 x18: 1fffe000367ac9de
x17: ffff80008f0fd000 x16: ffff80008032d32c x15: 0000000000000001
x14: 1fffe000367af600 x13: 0000000000000000 x12: 0000000000000003
x11: 0000000000000001 x10: 0000000000000003 x9 : f5581af65e957400
x8 : f5581af65e957400 x7 : ffff8000802a3bb0 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000006 x1 : ffff80008b140360 x0 : ffff800124d1e000
Call trace:
 debug_print_object lib/debugobjects.c:514 [inline]
 debug_object_active_state+0x2a8/0x37c lib/debugobjects.c:954
 debug_rcu_head_queue kernel/rcu/rcu.h:228 [inline]
 __call_rcu_common kernel/rcu/tree.c:3057 [inline]
 call_rcu+0x60/0xb08 kernel/rcu/tree.c:3176
 kernfs_put+0x1cc/0x38c fs/kernfs/dir.c:578
 sysfs_put include/linux/sysfs.h:801 [inline]
 __kobject_del+0xf0/0x2d4 lib/kobject.c:605
 kobject_del+0x48/0x68 lib/kobject.c:627
 cleanup_glue_dir+0x18c/0x204 drivers/base/core.c:3404
 device_add+0x654/0xa6c drivers/base/core.c:3730
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:86 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:162 [inline]
 firmware_fallback_sysfs+0x2bc/0x918 drivers/base/firmware_loader/fallback.c:238
 _request_firmware+0xd1c/0xf7c drivers/base/firmware_loader/main.c:914
 request_firmware_work_func+0xfc/0x214 drivers/base/firmware_loader/main.c:1165
 process_one_work+0x79c/0x15b8 kernel/workqueue.c:3248
 process_scheduled_works kernel/workqueue.c:3329 [inline]
 worker_thread+0x938/0xecc kernel/workqueue.c:3409
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
irq event stamp: 2268
hardirqs last enabled at (2267): [] raw_spin_rq_unlock_irq kernel/sched/sched.h:1418 [inline]
hardirqs last enabled at (2267): [] finish_lock_switch+0xbc/0x1e4 kernel/sched/core.c:5162
hardirqs last disabled at (2268): [] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:470
softirqs last enabled at (2260): [] softirq_handle_end kernel/softirq.c:400 [inline]
softirqs last enabled at (2260): [] handle_softirqs+0xa3c/0xbfc kernel/softirq.c:582
softirqs last disabled at (2251): [] __do_softirq+0x14/0x20 kernel/softirq.c:588
---[ end trace 0000000000000000 ]---
==================================================================
BUG: KASAN: slab-use-after-free in __call_rcu_common kernel/rcu/tree.c:3064 [inline]
BUG: KASAN: slab-use-after-free in call_rcu+0x578/0xb08 kernel/rcu/tree.c:3176
Read of size 8 at addr ffff0000d04b9cd8 by task kworker/0:54/7165

CPU: 0 PID: 7165 Comm: kworker/0:54 Tainted: G W 6.10.0-rc7-syzkaller-gc912bf709078 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: events request_firmware_work_func
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:317
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x198/0x538 mm/kasan/report.c:488
 kasan_report+0xd8/0x138 mm/kasan/report.c:601
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 __call_rcu_common kernel/rcu/tree.c:3064 [inline]
 call_rcu+0x578/0xb08 kernel/rcu/tree.c:3176
 kernfs_put+0x1cc/0x38c fs/kernfs/dir.c:578
 sysfs_put include/linux/sysfs.h:801 [inline]
 __kobject_del+0xf0/0x2d4 lib/kobject.c:605
 kobject_del+0x48/0x68 lib/kobject.c:627
 cleanup_glue_dir+0x18c/0x204 drivers/base/core.c:3404
 device_add+0x654/0xa6c drivers/base/core.c:3730
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:86 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:162 [inline]
 firmware_fallback_sysfs+0x2bc/0x918 drivers/base/firmware_loader/fallback.c:238
 _request_firmware+0xd1c/0xf7c drivers/base/firmware_loader/main.c:914
 request_firmware_work_func+0xfc/0x214 drivers/base/firmware_loader/main.c:1165
 process_one_work+0x79c/0x15b8 kernel/workqueue.c:3248
 process_scheduled_works kernel/workqueue.c:3329 [inline]
 worker_thread+0x938/0xecc kernel/workqueue.c:3409
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

Allocated by task 7165:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:565
 unpoison_slab_object mm/kasan/common.c:312 [inline]
 __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:338
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3940 [inline]
 slab_alloc_node mm/slub.c:4002 [inline]
 kmem_cache_alloc_noprof+0x1c0/0x350 mm/slub.c:4009
 __kernfs_new_node+0xe4/0x684 fs/kernfs/dir.c:624
 kernfs_new_node+0x11c/0x230 fs/kernfs/dir.c:700
 kernfs_create_dir_ns+0x58/0x12c fs/kernfs/dir.c:1061
 sysfs_create_dir_ns+0x150/0x318 fs/sysfs/dir.c:59
 create_dir lib/kobject.c:73 [inline]
 kobject_add_internal+0x598/0xb04 lib/kobject.c:240
 kobject_add_varg lib/kobject.c:374 [inline]
 kobject_add+0x14c/0x224 lib/kobject.c:426
 class_dir_create_and_add drivers/base/core.c:3222 [inline]
 get_device_parent+0x2ec/0x370 drivers/base/core.c:3273
 device_add+0x2a0/0xa6c drivers/base/core.c:3603
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:86 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:162 [inline]
 firmware_fallback_sysfs+0x2bc/0x918 drivers/base/firmware_loader/fallback.c:238
 _request_firmware+0xd1c/0xf7c drivers/base/firmware_loader/main.c:914
 request_firmware_work_func+0xfc/0x214 drivers/base/firmware_loader/main.c:1165
 process_one_work+0x79c/0x15b8 kernel/workqueue.c:3248
 process_scheduled_works kernel/workqueue.c:3329 [inline]
 worker_thread+0x938/0xecc kernel/workqueue.c:3409
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

Freed by task 16:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x54/0x6c mm/kasan/generic.c:579
 poison_slab_object+0x128/0x180 mm/kasan/common.c:240
 __kasan_slab_free+0x3c/0x70 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2196 [inline]
 slab_free mm/slub.c:4438 [inline]
 kmem_cache_free+0x170/0x4d0 mm/slub.c:4513
 kernfs_free_rcu+0x104/0x11c fs/kernfs/dir.c:543
 rcu_do_batch kernel/rcu/tree.c:2535 [inline]
 rcu_core+0x888/0x1b3c kernel/rcu/tree.c:2809
 rcu_core_si+0x10/0x1c kernel/rcu/tree.c:2826
 handle_softirqs+0x2e4/0xbfc kernel/softirq.c:554
 run_ksoftirqd+0x70/0x158 kernel/softirq.c:928
 smpboot_thread_fn+0x4b0/0x90c kernel/smpboot.c:164
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

Last potentially related work creation:
 kasan_save_stack+0x40/0x6c mm/kasan/common.c:47
 __kasan_record_aux_stack+0xd0/0xec mm/kasan/generic.c:541
 kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:551
 __call_rcu_common kernel/rcu/tree.c:3072 [inline]
 call_rcu+0x104/0xb08 kernel/rcu/tree.c:3176
 kernfs_put+0x1cc/0x38c fs/kernfs/dir.c:578
 __kernfs_remove+0x684/0x7b0 fs/kernfs/dir.c:1508
 kernfs_remove+0x7c/0xa0 fs/kernfs/dir.c:1528
 sysfs_remove_dir+0xa8/0xec fs/sysfs/dir.c:101
 __kobject_del+0xe8/0x2d4 lib/kobject.c:604
 kobject_del+0x48/0x68 lib/kobject.c:627
 device_del+0x6a8/0x828 drivers/base/core.c:3888
 usb_disconnect+0x4b0/0x808 drivers/usb/core/hub.c:2332
 hub_port_connect drivers/usb/core/hub.c:5361 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
 port_event drivers/usb/core/hub.c:5821 [inline]
 hub_event+0x1918/0x4280 drivers/usb/core/hub.c:5903
 process_one_work+0x79c/0x15b8 kernel/workqueue.c:3248
 process_scheduled_works kernel/workqueue.c:3329 [inline]
 worker_thread+0x970/0xecc kernel/workqueue.c:3409
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

The buggy address belongs to the object at ffff0000d04b9c30
 which belongs to the cache kernfs_node_cache of size 176
The buggy address is located 168 bytes inside of
 freed 176-byte region [ffff0000d04b9c30, ffff0000d04b9ce0)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1104b9
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 05ffc00000000000 ffff0000c188e000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080110011 00000001ffffefff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000d04b9b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
 ffff0000d04b9c00: fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb
>ffff0000d04b9c80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                                    ^
 ffff0000d04b9d00: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb fb
 ffff0000d04b9d80: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
==================================================================
rcu: __call_rcu_common(): Double-freed CB 000000001e3945d3->0x0()!!! slab kernfs_node_cache start ffff0000d04b9c30 pointer offset 160 size 176
firmware ueagle-atm!eagleI.fw: fw_load_sysfs_fallback: device_register failed
usb 1-1: [UEAGLE-ATM] firmware is not available
usb 1-1: Direct firmware load for ueagle-atm/eagleI.fw failed with error -2
usb 1-1: Falling back to sysfs fallback for: ueagle-atm/eagleI.fw
kobject: kobject_add_internal failed for firmware (error: -2 parent: 1-1)
firmware ueagle-atm!eagleI.fw: fw_load_sysfs_fallback: device_register failed
usb 1-1: [UEAGLE-ATM] firmware is not available
usb 1-1: Direct firmware load for ueagle-atm/eagleI.fw failed with error -2
usb 1-1: Falling back to sysfs fallback for: ueagle-atm/eagleI.fw
kobject: kobject_add_internal failed for firmware (error: -2 parent: 1-1)
firmware ueagle-atm!eagleI.fw: fw_load_sysfs_fallback: device_register failed
usb 1-1: [UEAGLE-ATM] firmware is not available
usb 1-1: Direct firmware load for ueagle-atm/eagleI.fw failed with error -2
usb 1-1: Falling back to sysfs fallback for: ueagle-atm/eagleI.fw
kobject: kobject_add_internal failed for firmware (error: -2 parent: 1-1)
firmware ueagle-atm!eagleI.fw: fw_load_sysfs_fallback: device_register failed
usb 1-1: [UEAGLE-ATM] firmware is not available
usb 1-1: Direct firmware load for ueagle-atm/eagleI.fw failed with error -2
usb 1-1: Falling back to sysfs fallback for: ueagle-atm/eagleI.fw