./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3360615839 <...> Warning: Permanently added '10.128.1.208' (ED25519) to the list of known hosts. execve("./syz-executor3360615839", ["./syz-executor3360615839"], 0x7ffe458a13f0 /* 10 vars */) = 0 brk(NULL) = 0x5555592fe000 brk(0x5555592fed00) = 0x5555592fed00 arch_prctl(ARCH_SET_FS, 0x5555592fe380) = 0 set_tid_address(0x5555592fe650) = 296 set_robust_list(0x5555592fe660, 24) = 0 rseq(0x5555592feca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3360615839", 4096) = 28 getrandom("\x5e\x41\x0b\x52\xe7\x9a\xaa\x0e", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x5555592fed00 brk(0x55555931fd00) = 0x55555931fd00 brk(0x555559320000) = 0x555559320000 mprotect(0x7f5413c4f000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 write(1, "executing program\n", 18executing program ) = 18 openat(AT_FDCWD, "/dev/usbmon0", O_RDONLY) = 3 openat(AT_FDCWD, "/dev/raw-gadget", O_RDWR) = 4 ioctl(4, USB_RAW_IOCTL_INIT, 0x7ffd91aeea20) = 0 ioctl(4, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffd91aeea20) = 0 [ 24.904178][ T36] audit: type=1400 audit(1751789019.120:64): avc: denied { execmem } for pid=296 comm="syz-executor336" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 24.926547][ T36] audit: type=1400 audit(1751789019.120:65): avc: denied { read } for pid=296 comm="syz-executor336" name="usbmon0" dev="devtmpfs" ino=90 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1 [ 24.950091][ T36] audit: type=1400 audit(1751789019.120:66): avc: denied { open } for pid=296 comm="syz-executor336" path="/dev/usbmon0" dev="devtmpfs" ino=90 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1 [ 24.974003][ T36] audit: type=1400 audit(1751789019.120:67): avc: denied { read write } for pid=296 comm="syz-executor336" name="raw-gadget" dev="devtmpfs" ino=190 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffd91aeea20) = 0 [ 24.997695][ T36] audit: type=1400 audit(1751789019.120:68): avc: denied { open } for pid=296 comm="syz-executor336" path="/dev/raw-gadget" dev="devtmpfs" ino=190 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 25.021516][ T36] audit: type=1400 audit(1751789019.120:69): avc: denied { ioctl } for pid=296 comm="syz-executor336" path="/dev/raw-gadget" dev="devtmpfs" ino=190 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffd91aeea20) = 0 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffd91aeea20) = 0 ioctl(4, USB_RAW_IOCTL_EP0_WRITE, 0x7ffd91aeda10) = 18 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffd91aeea20) = 0 [ 25.150978][ T31] usb 1-1: new high-speed USB device number 2 using dummy_hcd ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffd91aeea20) = 0 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffd91aeea20) = 0 ioctl(4, USB_RAW_IOCTL_EP0_WRITE, 0x7ffd91aeda10) = 18 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffd91aeea20) = 0 ioctl(4, USB_RAW_IOCTL_EP0_WRITE, 0x7ffd91aeda10) = 9 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffd91aeea20) = 0 ioctl(4, USB_RAW_IOCTL_EP0_WRITE, 0x7ffd91aeda10) = 36 [ 25.300999][ T31] usb 1-1: Using ep0 maxpacket: 16 [ 25.307720][ T31] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 25.318669][ T31] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 25.328474][ T31] usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 9 [ 25.341320][ T31] usb 1-1: New USB device found, idVendor=045e, idProduct=07da, bcdDevice= 0.00 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffd91aeea20) = 0 ioctl(4, USB_RAW_IOCTL_VBUS_DRAW, 0) = 0 ioctl(4, USB_RAW_IOCTL_CONFIGURE, 0) = 0 ioctl(4, USB_RAW_IOCTL_EP_ENABLE, 0x7f5413c553cc) = -1 EINVAL (Invalid argument) ioctl(4, USB_RAW_IOCTL_EP0_READ, 0x7ffd91aeda10) = 0 [ 25.350360][ T31] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 25.359658][ T31] usb 1-1: config 0 descriptor?? ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffd91aeea50) = 0 ioctl(4, USB_RAW_IOCTL_EP0_READ, 0x7ffd91aeda40) = 0 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffd91aeea50) = 0 ioctl(4, USB_RAW_IOCTL_EP0_WRITE, 0x7ffd91aeda40) = 34 [ 25.769241][ T31] microsoft 0003:045E:07DA.0001: unknown main item tag 0x0 [ 25.776567][ T31] microsoft 0003:045E:07DA.0001: ignoring exceeding usage max [ 25.787050][ T31] ================================================================== [ 25.795141][ T31] BUG: KASAN: slab-out-of-bounds in mon_bin_event+0x12c1/0x23e0 [ 25.802816][ T31] Read of size 832 at addr ffff88811e892061 by task kworker/1:0/31 [ 25.810706][ T31] [ 25.813039][ T31] CPU: 1 UID: 0 PID: 31 Comm: kworker/1:0 Not tainted 6.12.30-syzkaller-ge2bf362ee23b #0 e1c904518e9113895a28c59b25a6002cdacb68bf [ 25.813062][ T31] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 25.813073][ T31] Workqueue: usb_hub_wq hub_event [ 25.813109][ T31] Call Trace: [ 25.813115][ T31] [ 25.813123][ T31] __dump_stack+0x21/0x30 [ 25.813143][ T31] dump_stack_lvl+0x10c/0x190 [ 25.813161][ T31] ? __cfi_dump_stack_lvl+0x10/0x10 [ 25.813180][ T31] ? __cfi__printk+0x10/0x10 [ 25.813203][ T31] print_address_description+0x71/0x220 [ 25.813218][ T31] print_report+0x4a/0x70 [ 25.813232][ T31] kasan_report+0x163/0x1a0 [ 25.813256][ T31] ? mon_bin_event+0x12c1/0x23e0 [ 25.813275][ T31] ? mon_bin_event+0x12c1/0x23e0 [ 25.813293][ T31] kasan_check_range+0x299/0x2a0 [ 25.813317][ T31] ? mon_bin_event+0x12c1/0x23e0 [ 25.813335][ T31] __asan_memcpy+0x31/0x80 [ 25.813354][ T31] mon_bin_event+0x12c1/0x23e0 [ 25.813375][ T31] ? mon_bin_complete+0x50/0x50 [ 25.813392][ T31] ? __kmalloc_noprof+0x1b1/0x450 [ 25.813412][ T31] ? __hid_request+0x1e5/0x410 [ 25.813431][ T31] ? hid_connect+0x49a/0x1a20 [ 25.813450][ T31] ? hid_hw_start+0xcb/0x160 [ 25.813469][ T31] ? ms_probe+0x194/0x460 [ 25.813486][ T31] ? __cfi_mon_bin_submit+0x10/0x10 [ 25.813504][ T31] mon_bin_submit+0x2b/0x40 [ 25.813522][ T31] mon_submit+0x1b9/0x230 [ 25.813538][ T31] usb_hcd_submit_urb+0x12d/0x1a20 [ 25.813562][ T31] ? bus_probe_device+0x18b/0x270 [ 25.813579][ T31] ? usb_probe_device+0x1d4/0x380 [ 25.813601][ T31] ? really_probe+0x2d3/0x890 [ 25.813622][ T31] ? __driver_probe_device+0x198/0x280 [ 25.813644][ T31] ? driver_probe_device+0x54/0x3f0 [ 25.813666][ T31] ? __device_attach_driver+0x2f1/0x4b0 [ 25.813690][ T31] usb_submit_urb+0x111b/0x1800 [ 25.813708][ T31] usb_start_wait_urb+0x11b/0x2f0 [ 25.813727][ T31] ? usb_api_blocking_completion+0xd0/0xd0 [ 25.813747][ T31] ? __kasan_kmalloc+0x96/0xb0 [ 25.813773][ T31] ? __kasan_check_write+0x18/0x20 [ 25.813792][ T31] ? usb_alloc_urb+0x9b/0x200 [ 25.813808][ T31] usb_control_msg+0x25a/0x490 [ 25.813830][ T31] usbhid_raw_request+0x457/0x590 [ 25.813851][ T31] __hid_request+0x1e5/0x410 [ 25.813871][ T31] hidinput_connect+0x241b/0x3340 [ 25.813899][ T31] hid_connect+0x49a/0x1a20 [ 25.813919][ T31] ? usbhid_start+0x1a67/0x2530 [ 25.813936][ T31] ? __cfi_hid_connect+0x10/0x10 [ 25.813957][ T31] hid_hw_start+0xcb/0x160 [ 25.814039][ T31] ms_probe+0x194/0x460 [ 25.814058][ T31] hid_device_probe+0x2c1/0x5d0 [ 25.814080][ T31] ? __cfi_hid_device_probe+0x10/0x10 [ 25.814101][ T31] really_probe+0x2d3/0x890 [ 25.814126][ T31] __driver_probe_device+0x198/0x280 [ 25.814148][ T31] driver_probe_device+0x54/0x3f0 [ 25.814170][ T31] ? __device_attach_driver+0x2db/0x4b0 [ 25.814193][ T31] __device_attach_driver+0x2f1/0x4b0 [ 25.814217][ T31] bus_for_each_drv+0x260/0x2f0 [ 25.814233][ T31] ? __cfi___device_attach_driver+0x10/0x10 [ 25.814256][ T31] ? __cfi_bus_for_each_drv+0x10/0x10 [ 25.814273][ T31] ? _raw_spin_unlock_irqrestore+0x4a/0x70 [ 25.814290][ T31] __device_attach+0x2bd/0x3a0 [ 25.814311][ T31] ? device_attach+0x40/0x40 [ 25.814331][ T31] ? _raw_spin_lock+0x8c/0x120 [ 25.814344][ T31] ? __cfi__raw_spin_lock+0x10/0x10 [ 25.814359][ T31] device_initial_probe+0x1e/0x30 [ 25.814385][ T31] bus_probe_device+0x18b/0x270 [ 25.814403][ T31] device_add+0x80c/0xc00 [ 25.814424][ T31] hid_add_device+0x39b/0x560 [ 25.814445][ T31] usbhid_probe+0xde3/0x12b0 [ 25.814464][ T31] usb_probe_interface+0x696/0xc00 [ 25.814488][ T31] ? __cfi_usb_probe_interface+0x10/0x10 [ 25.814510][ T31] really_probe+0x2d3/0x890 [ 25.814533][ T31] __driver_probe_device+0x198/0x280 [ 25.814555][ T31] driver_probe_device+0x54/0x3f0 [ 25.814577][ T31] ? __device_attach_driver+0x2db/0x4b0 [ 25.814599][ T31] __device_attach_driver+0x2f1/0x4b0 [ 25.814622][ T31] bus_for_each_drv+0x260/0x2f0 [ 25.814639][ T31] ? __cfi___device_attach_driver+0x10/0x10 [ 25.814662][ T31] ? __cfi_bus_for_each_drv+0x10/0x10 [ 25.814680][ T31] ? _raw_spin_unlock_irqrestore+0x4a/0x70 [ 25.814696][ T31] __device_attach+0x2bd/0x3a0 [ 25.814717][ T31] ? device_attach+0x40/0x40 [ 25.814737][ T31] ? _raw_spin_lock+0x8c/0x120 [ 25.814750][ T31] ? __cfi__raw_spin_lock+0x10/0x10 [ 25.814765][ T31] device_initial_probe+0x1e/0x30 [ 25.814786][ T31] bus_probe_device+0x18b/0x270 [ 25.814803][ T31] device_add+0x80c/0xc00 [ 25.814824][ T31] usb_set_configuration+0x1ad4/0x20b0 [ 25.814849][ T31] usb_generic_driver_probe+0x95/0x160 [ 25.814904][ T31] usb_probe_device+0x1d4/0x380 [ 25.814927][ T31] ? __cfi_usb_probe_device+0x10/0x10 [ 25.814949][ T31] really_probe+0x2d3/0x890 [ 25.814972][ T31] __driver_probe_device+0x198/0x280 [ 25.814994][ T31] driver_probe_device+0x54/0x3f0 [ 25.815016][ T31] ? __device_attach_driver+0x2db/0x4b0 [ 25.815040][ T31] __device_attach_driver+0x2f1/0x4b0 [ 25.815063][ T31] bus_for_each_drv+0x260/0x2f0 [ 25.815080][ T31] ? __cfi___device_attach_driver+0x10/0x10 [ 25.815103][ T31] ? __cfi_bus_for_each_drv+0x10/0x10 [ 25.815123][ T31] ? _raw_spin_unlock_irqrestore+0x4a/0x70 [ 25.815139][ T31] __device_attach+0x2bd/0x3a0 [ 25.815160][ T31] ? device_attach+0x40/0x40 [ 25.815180][ T31] ? _raw_spin_lock+0x8c/0x120 [ 25.815193][ T31] ? __cfi__raw_spin_lock+0x10/0x10 [ 25.815208][ T31] device_initial_probe+0x1e/0x30 [ 25.815229][ T31] bus_probe_device+0x18b/0x270 [ 25.815247][ T31] device_add+0x80c/0xc00 [ 25.815268][ T31] usb_new_device+0x9ed/0x1590 [ 25.815288][ T31] ? __cfi_usb_new_device+0x10/0x10 [ 25.815308][ T31] hub_event+0x265b/0x41a0 [ 25.815335][ T31] ? __cfi_hub_event+0x10/0x10 [ 25.815356][ T31] ? __kasan_check_write+0x18/0x20 [ 25.815374][ T31] ? pwq_dec_nr_in_flight+0x6c7/0xc60 [ 25.815396][ T31] ? __cfi__raw_spin_lock_irq+0x10/0x10 [ 25.815410][ T31] ? kick_pool+0xb9/0x550 [ 25.815424][ T31] process_scheduled_works+0x7d5/0x1020 [ 25.815449][ T31] worker_thread+0xc58/0x1250 [ 25.815473][ T31] kthread+0x2c7/0x370 [ 25.815496][ T31] ? __cfi_worker_thread+0x10/0x10 [ 25.815518][ T31] ? __cfi_kthread+0x10/0x10 [ 25.815540][ T31] ret_from_fork+0x64/0xa0 [ 25.815559][ T31] ? __cfi_kthread+0x10/0x10 [ 25.815581][ T31] ret_from_fork_asm+0x1a/0x30 [ 25.815604][ T31] [ 25.815610][ T31] [ 26.438750][ T31] Allocated by task 31: [ 26.442899][ T31] kasan_save_track+0x3e/0x80 [ 26.447585][ T31] kasan_save_alloc_info+0x40/0x50 [ 26.452694][ T31] __kasan_kmalloc+0x96/0xb0 [ 26.457289][ T31] __kmalloc_noprof+0x1b1/0x450 [ 26.462149][ T31] __hid_request+0xa9/0x410 [ 26.466649][ T31] hidinput_connect+0x241b/0x3340 [ 26.471677][ T31] hid_connect+0x49a/0x1a20 [ 26.476183][ T31] hid_hw_start+0xcb/0x160 [ 26.480603][ T31] ms_probe+0x194/0x460 [ 26.484757][ T31] hid_device_probe+0x2c1/0x5d0 [ 26.489616][ T31] really_probe+0x2d3/0x890 [ 26.494125][ T31] __driver_probe_device+0x198/0x280 [ 26.499411][ T31] driver_probe_device+0x54/0x3f0 [ 26.504451][ T31] __device_attach_driver+0x2f1/0x4b0 [ 26.509851][ T31] bus_for_each_drv+0x260/0x2f0 [ 26.514799][ T31] __device_attach+0x2bd/0x3a0 [ 26.519572][ T31] device_initial_probe+0x1e/0x30 [ 26.524608][ T31] bus_probe_device+0x18b/0x270 [ 26.529464][ T31] device_add+0x80c/0xc00 [ 26.533800][ T31] hid_add_device+0x39b/0x560 [ 26.538477][ T31] usbhid_probe+0xde3/0x12b0 [ 26.543081][ T31] usb_probe_interface+0x696/0xc00 [ 26.548198][ T31] really_probe+0x2d3/0x890 [ 26.552707][ T31] __driver_probe_device+0x198/0x280 [ 26.557993][ T31] driver_probe_device+0x54/0x3f0 [ 26.563017][ T31] __device_attach_driver+0x2f1/0x4b0 [ 26.568394][ T31] bus_for_each_drv+0x260/0x2f0 [ 26.573266][ T31] __device_attach+0x2bd/0x3a0 [ 26.578033][ T31] device_initial_probe+0x1e/0x30 [ 26.583062][ T31] bus_probe_device+0x18b/0x270 [ 26.587998][ T31] device_add+0x80c/0xc00 [ 26.592332][ T31] usb_set_configuration+0x1ad4/0x20b0 [ 26.597792][ T31] usb_generic_driver_probe+0x95/0x160 [ 26.603255][ T31] usb_probe_device+0x1d4/0x380 [ 26.608113][ T31] really_probe+0x2d3/0x890 [ 26.612639][ T31] __driver_probe_device+0x198/0x280 [ 26.617929][ T31] driver_probe_device+0x54/0x3f0 [ 26.622954][ T31] __device_attach_driver+0x2f1/0x4b0 [ 26.628334][ T31] bus_for_each_drv+0x260/0x2f0 [ 26.633182][ T31] __device_attach+0x2bd/0x3a0 [ 26.637946][ T31] device_initial_probe+0x1e/0x30 [ 26.642977][ T31] bus_probe_device+0x18b/0x270 [ 26.647823][ T31] device_add+0x80c/0xc00 [ 26.652160][ T31] usb_new_device+0x9ed/0x1590 [ 26.656923][ T31] hub_event+0x265b/0x41a0 [ 26.661348][ T31] process_scheduled_works+0x7d5/0x1020 [ 26.666896][ T31] worker_thread+0xc58/0x1250 [ 26.671593][ T31] kthread+0x2c7/0x370 [ 26.675664][ T31] ret_from_fork+0x64/0xa0 [ 26.680079][ T31] ret_from_fork_asm+0x1a/0x30 [ 26.684872][ T31] [ 26.687199][ T31] The buggy address belongs to the object at ffff88811e892060 [ 26.687199][ T31] which belongs to the cache kmalloc-8 of size 8 [ 26.700916][ T31] The buggy address is located 1 bytes inside of [ 26.700916][ T31] allocated 7-byte region [ffff88811e892060, ffff88811e892067) [ 26.714711][ T31] [ 26.717033][ T31] The buggy address belongs to the physical page: [ 26.723444][ T31] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e892 [ 26.732293][ T31] flags: 0x4000000000000000(zone=1) [ 26.737515][ T31] page_type: f5(slab) [ 26.741497][ T31] raw: 4000000000000000 ffff888100041500 dead000000000122 0000000000000000 [ 26.750076][ T31] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000 [ 26.758653][ T31] page dumped because: kasan: bad access detected [ 26.765064][ T31] page_owner tracks the page as allocated [ 26.770771][ T31] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 151, tgid 151 (dhcpcd), ts 7710712768, free_ts 0 [ 26.788390][ T31] post_alloc_hook+0x3b9/0x3f0 [ 26.793187][ T31] prep_new_page+0x1c/0x120 [ 26.797688][ T31] get_page_from_freelist+0x46bb/0x4750 [ 26.803237][ T31] __alloc_pages_noprof+0x30d/0x6c0 [ 26.808437][ T31] alloc_slab_page+0x6b/0x1f0 [ 26.813123][ T31] allocate_slab+0x69/0x440 [ 26.817629][ T31] ___slab_alloc+0x59a/0x8b0 [ 26.822224][ T31] __kmalloc_node_track_caller_noprof+0x23a/0x440 [ 26.828636][ T31] kstrdup+0x4d/0x140 [ 26.832615][ T31] bprm_change_interp+0x8d/0xd0 [ 26.837463][ T31] load_script+0x75e/0x900 [ 26.841884][ T31] bprm_execve+0x6e6/0x1380 [ 26.846385][ T31] do_execveat_common+0x929/0xa80 [ 26.851404][ T31] __x64_sys_execve+0x96/0xb0 [ 26.856074][ T31] x64_sys_call+0x12c4/0x2ee0 [ 26.860753][ T31] do_syscall_64+0x58/0xf0 [ 26.865168][ T31] page_owner free stack trace missing [ 26.870526][ T31] [ 26.872852][ T31] Memory state around the buggy address: [ 26.878470][ T31] ffff88811e891f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.886523][ T31] ffff88811e891f80: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc [ 26.894576][ T31] >ffff88811e892000: fa fc fc fc fa fc fc fc fa fc fc fc 07 fc fc fc [ 26.902627][ T31] ^ [ 26.909813][ T31] ffff88811e892080: 00 fc fc fc fa fc fc fc fc fc fc fc fc fc fc fc exit_group(0) = ? +++ exited with 0 +++ [ 26.917869][ T31] ffff88811e892100: 00 fc fc fc fa fc fc fc 04 fc fc fc f