last executing test programs: 14.300642852s ago: executing program 0 (id=428): r0 = syz_usb_connect(0x0, 0x24, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000075f84c1071042703a461000000010902120001000000000904"], 0x0) syz_usb_control_io$uac1(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, 0x0, &(0x7f00000003c0)={0x2c, &(0x7f00000001c0)=ANY=[], 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io$cdc_ncm(r0, 0x0, &(0x7f00000004c0)={0x44, &(0x7f00000000c0)=ANY=[@ANYBLOB="00000100000011"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0) syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0) 9.740732595s ago: executing program 1 (id=431): r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f0000004380)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@ipv6_newrule={0x1c, 0x18, 0x409, 0x0, 0x0, {0xa, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7}}, 0x1c}}, 0x28000) 9.58747569s ago: executing program 1 (id=432): r0 = socket$nl_netfilter(0x10, 0x3, 0xc) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8923, &(0x7f0000000000)={'bond0\x00', 0x1001}) 9.500942502s ago: executing program 1 (id=433): bpf$MAP_CREATE(0x0, &(0x7f0000000280)=ANY=[@ANYBLOB="1e0000000000000001", @ANYRES32=0x0, @ANYRES32], 0x50) 9.385253516s ago: executing program 1 (id=434): r0 = socket$key(0xf, 0x3, 0x2) sendmsg$key(r0, &(0x7f0000000000)={0xa, 0x0, &(0x7f0000000340)={&(0x7f0000000480)={0x2, 0x3, 0x0, 0x2, 0xe, 0x0, 0x0, 0x0, [@sadb_address={0x5, 0x6, 0x0, 0x0, 0x0, @in6={0xa, 0x0, 0x0, @private1}}, @sadb_sa={0x2, 0x1, 0x0, 0x0, 0x0, 0xfb}, @sadb_address={0x5, 0x5, 0x0, 0x0, 0x0, @in6={0xa, 0x0, 0x0, @private0}}]}, 0x70}, 0x1, 0x7}, 0x0) 9.200275011s ago: executing program 1 (id=435): bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) bpf$PROG_LOAD(0x5, 0x0, 0x0) socket$inet6_icmp(0xa, 0x2, 0x3a) setsockopt$SO_TIMESTAMP(0xffffffffffffffff, 0x1, 0x23, 0x0, 0x0) bpf$PROG_LOAD(0x5, 0x0, 0x0) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r0 = getpid() sched_setaffinity(0x0, 0x0, 0x0) sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000240)={0x11, 0x0, 0x0, &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) openat$snapshot(0xffffffffffffff9c, &(0x7f0000000b80), 0x41, 0x0) 3.541666596s ago: executing program 1 (id=436): bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) bpf$PROG_LOAD(0x5, 0x0, 0x0) mmap(&(0x7f0000001000/0xc00000)=nil, 0xc00000, 0x0, 0x3032, 0xffffffffffffffff, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) r0 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) r3 = socket$can_bcm(0x1d, 0x2, 0x2) connect$can_bcm(r3, &(0x7f00000000c0), 0x10) sendmsg$NL80211_CMD_FRAME(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000140)=ANY=[@ANYRES16=r3], 0x448}}, 0x0) sendmmsg$inet(r3, &(0x7f0000001b00)=[{{0x0, 0x0, &(0x7f00000001c0)=[{&(0x7f0000000080)="050000007402b8f4191db62b", 0xc}, {&(0x7f0000000440)="9f336d70bf41f19e47e98b4015e3b0384d86a1ceb4e530554ebc8154bf392bcf9ce0b09f879bd7aaf9d086e3", 0x2c}], 0x2}}, {{0x0, 0x0, &(0x7f0000000100), 0x2}}], 0x40000000000003a, 0x0) r4 = openat$procfs(0xffffffffffffff9c, &(0x7f00000001c0)='/proc/asound/timers\x00', 0x0, 0x0) r5 = openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0) fcntl$lock(r5, 0x5, &(0x7f0000000000)={0x0, 0x2, 0x7ffffffffffffffe, 0x80000001}) read$char_usb(r4, &(0x7f0000000040)=""/4, 0x4) r6 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r6, 0x6, 0x2000000000000020, &(0x7f0000000040)=0xa, 0x1959cc36) 3.41500056s ago: executing program 0 (id=437): socket$nl_netfilter(0x10, 0x3, 0xc) socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000000040), 0xffffffffffffffff) syz_open_procfs$namespace(0xffffffffffffffff, 0x0) r0 = socket$inet6_sctp(0xa, 0x1, 0x84) setsockopt$inet_sctp6_SCTP_ENABLE_STREAM_RESET(r0, 0x84, 0x76, &(0x7f0000444ff8)={0x0, 0x7}, 0x8) setsockopt$inet_sctp6_SCTP_RECONFIG_SUPPORTED(r0, 0x84, 0x75, &(0x7f0000000000)={0x0, 0x80}, 0x8) setsockopt$inet_sctp_SCTP_SOCKOPT_BINDX_ADD(r0, 0x84, 0x64, &(0x7f00000000c0)=[@in6={0xa, 0x4e23, 0x0, @loopback, 0x40}], 0x1c) sendmmsg$inet6(r0, &(0x7f0000003c40)=[{{&(0x7f0000000100)={0xa, 0x4e23, 0x0, @loopback}, 0x1c, &(0x7f0000000240)=[{&(0x7f0000000140)="01", 0x1}], 0x1}}], 0x1, 0x20040840) setsockopt$inet_sctp6_SCTP_RESET_STREAMS(r0, 0x84, 0x77, &(0x7f0000000040)=ANY=[], 0x1000f) 2.869664446s ago: executing program 0 (id=438): r0 = openat$sysctl(0xffffffffffffff9c, &(0x7f0000000040)='/proc/sys/net/ipv4/tcp_dsack\x00', 0x1, 0x0) io_setup(0x8, &(0x7f0000000080)=0x0) io_submit(r1, 0x1, &(0x7f0000000340)=[&(0x7f0000000100)={0x0, 0x0, 0x0, 0x1, 0x0, r0, 0x0}]) 2.594516844s ago: executing program 0 (id=439): syz_usb_connect(0x2, 0x2d, &(0x7f00000006c0)={{0x12, 0x1, 0x250, 0xc7, 0x47, 0x73, 0x8, 0x4bb, 0x93a, 0xca4b, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x80, 0x2, 0x60, 0x6, [{{0x9, 0x4, 0xf9, 0xb1, 0x1, 0x5f, 0xf5, 0xeb, 0x9, [], [{{0x9, 0x5, 0xf, 0x3, 0x3ff, 0x9, 0x9a, 0x7}}]}}]}}]}}, &(0x7f0000000d40)={0x0, 0x0, 0x0, 0x0}) 405.836158ms ago: executing program 0 (id=440): r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000080)='lp\x00', 0x3) connect$inet6(r0, &(0x7f0000000180)={0xa, 0x4001, 0x0, @dev={0xfe, 0x80, '\x00', 0x1b}, 0xd}, 0x1c) 0s ago: executing program 0 (id=441): openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = openat$binder_debug(0xffffffffffffff9c, &(0x7f0000000500)='/sys/kernel/debug/binder/state\x00', 0x0, 0x0) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x4018620d, &(0x7f0000000140)) r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000180)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0}) r3 = dup3(r2, r1, 0x0) r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000040)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r4, 0x4018620d, &(0x7f0000000040)) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000003c0)={0x8, 0x0, &(0x7f0000000000)=[@acquire], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000001c0)={0x4c, 0x0, &(0x7f0000000740)=[@transaction_sg={0x400c6313, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) lseek(r0, 0x851, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:18265' (ED25519) to the list of known hosts. syzkaller login: [ 119.627080][ T3265] cgroup: Unknown subsys name 'net' [ 119.988370][ T3265] cgroup: Unknown subsys name 'cpuset' [ 120.011789][ T3265] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 120.737528][ T3265] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 129.847062][ T3271] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 129.869469][ T3271] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 130.108769][ T3270] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 130.142957][ T3270] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 131.556291][ T3271] hsr_slave_0: entered promiscuous mode [ 131.605156][ T3271] hsr_slave_1: entered promiscuous mode [ 131.927003][ T3270] hsr_slave_0: entered promiscuous mode [ 131.964107][ T3270] hsr_slave_1: entered promiscuous mode [ 132.032352][ T3270] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 132.033577][ T3270] Cannot create hsr debugfs directory [ 133.226096][ T3271] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 133.258917][ T3271] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 133.277361][ T3271] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 133.297386][ T3271] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 133.508649][ T3270] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 133.534979][ T3270] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 133.554131][ T3270] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 133.593440][ T3270] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 135.020612][ T3270] 8021q: adding VLAN 0 to HW filter on device bond0 [ 135.262494][ T3271] 8021q: adding VLAN 0 to HW filter on device bond0 [ 140.928961][ T3270] veth0_vlan: entered promiscuous mode [ 141.027399][ T3270] veth1_vlan: entered promiscuous mode [ 141.307417][ T3271] veth0_vlan: entered promiscuous mode [ 141.430466][ T3270] veth0_macvtap: entered promiscuous mode [ 141.483026][ T3271] veth1_vlan: entered promiscuous mode [ 141.494857][ T3270] veth1_macvtap: entered promiscuous mode [ 141.720935][ T3270] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 141.723065][ T3270] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 141.723739][ T3270] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 141.724378][ T3270] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 141.838028][ T3271] veth0_macvtap: entered promiscuous mode [ 141.932996][ T3271] veth1_macvtap: entered promiscuous mode [ 142.134318][ T3271] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 142.135697][ T3271] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 142.136973][ T3271] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 142.138110][ T3271] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 142.188718][ T3270] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 146.787155][ T3451] syzkaller0: entered promiscuous mode [ 146.788569][ T3451] syzkaller0: entered allmulticast mode [ 147.819554][ T3464] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 147.836291][ T3464] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 148.934301][ T3476] pim6reg: entered allmulticast mode [ 149.873961][ T3487] netlink: 4 bytes leftover after parsing attributes in process `syz.1.40'. [ 149.874699][ T3487] veth1_macvtap: entered allmulticast mode [ 149.880602][ T3487] netlink: 4 bytes leftover after parsing attributes in process `syz.1.40'. [ 150.180230][ T3488] Zero length message leads to an empty skb [ 150.374004][ T3493] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 152.385373][ T3515] TCP: request_sock_subflow_v6: Possible SYN flooding on port [fe80::aa]:20002. Sending cookies. [ 154.125741][ T3533] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 158.383241][ T3564] syzkaller0: entered promiscuous mode [ 158.385656][ T3564] syzkaller0: entered allmulticast mode [ 158.768144][ T3567] netlink: 4 bytes leftover after parsing attributes in process `syz.0.72'. [ 161.943962][ T3587] xt_TPROXY: Can be used only with -p tcp or -p udp [ 161.966522][ T3587] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 161.968054][ T3587] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 162.154140][ T29] audit: type=1326 audit(161.850:2): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3588 comm="syz.1.82" exe="/syz-executor" sig=31 arch=c00000b7 syscall=98 compat=0 ip=0xffffbe74a2a8 code=0x0 [ 166.006606][ T3600] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 166.009308][ T3600] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 166.795367][ T3604] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 166.798042][ T3604] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 167.473911][ T3608] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 167.476542][ T3608] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 173.320360][ T3634] capability: warning: `syz.0.100' uses deprecated v2 capabilities in a way that may be insecure [ 183.554074][ T29] audit: type=1326 audit(183.240:3): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3656 comm="syz.1.107" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 183.555387][ T29] audit: type=1326 audit(183.240:4): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3656 comm="syz.1.107" exe="/syz-executor" sig=0 arch=c00000b7 syscall=198 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 183.556668][ T29] audit: type=1326 audit(183.260:5): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3656 comm="syz.1.107" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 183.558970][ T29] audit: type=1326 audit(183.260:6): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3656 comm="syz.1.107" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 183.586595][ T29] audit: type=1326 audit(183.290:7): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3656 comm="syz.1.107" exe="/syz-executor" sig=0 arch=c00000b7 syscall=24 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 183.587950][ T29] audit: type=1326 audit(183.290:8): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3656 comm="syz.1.107" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 183.589093][ T29] audit: type=1326 audit(183.290:9): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3656 comm="syz.1.107" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 183.700714][ T3659] netlink: 44 bytes leftover after parsing attributes in process `syz.1.108'. [ 185.432889][ T3671] skbuff: bad partial csum: csum=65506/2 headroom=144 headlen=65526 [ 185.942702][ T8] usb 1-1: new full-speed USB device number 2 using dummy_hcd [ 186.171997][ T3680] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 186.173702][ T3680] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 186.199471][ T8] usb 1-1: unable to get BOS descriptor or descriptor too short [ 186.208564][ T8] usb 1-1: not running at top speed; connect to a high speed hub [ 186.243412][ T8] usb 1-1: config 1 interface 0 has no altsetting 0 [ 186.295205][ T8] usb 1-1: New USB device found, idVendor=0525, idProduct=a4a1, bcdDevice= 0.40 [ 186.297217][ T8] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 186.298280][ T8] usb 1-1: Product: syz [ 186.299082][ T8] usb 1-1: Manufacturer: syz [ 186.299898][ T8] usb 1-1: SerialNumber: syz [ 186.668105][ T8] cdc_ether 1-1:1.0: probe with driver cdc_ether failed with error -71 [ 186.736719][ T8] usb 1-1: USB disconnect, device number 2 [ 187.079036][ T3688] netlink: 44 bytes leftover after parsing attributes in process `syz.1.120'. [ 187.905926][ T3695] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 187.908517][ T3695] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 192.600467][ T3708] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 192.625689][ T3708] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 193.042675][ T3710] input: syz0 as /devices/virtual/input/input1 [ 203.548869][ T3759] mmap: syz.0.149 (3759): VmData 29028352 exceed data ulimit 3. Update limits or use boot option ignore_rlimit_data. [ 210.780208][ T3802] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 210.794993][ T3802] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 210.956128][ T3804] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 210.957577][ T3804] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 211.265044][ T3810] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 211.266630][ T3810] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 212.042598][ T3821] netlink: 60 bytes leftover after parsing attributes in process `syz.1.176'. [ 212.043538][ T3821] netlink: 20 bytes leftover after parsing attributes in process `syz.1.176'. [ 212.892260][ T3404] usb 1-1: new high-speed USB device number 3 using dummy_hcd [ 213.065548][ T3404] usb 1-1: config index 0 descriptor too short (expected 3133, got 61) [ 213.066273][ T3404] usb 1-1: config 0 has an invalid interface number: 156 but max is 1 [ 213.066859][ T3404] usb 1-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 213.067492][ T3404] usb 1-1: config 0 has 1 interface, different from the descriptor's value: 2 [ 213.068142][ T3404] usb 1-1: config 0 has no interface number 0 [ 213.068789][ T3404] usb 1-1: config 0 interface 156 altsetting 0 has 0 endpoint descriptors, different from the interface descriptor's value: 3 [ 213.069684][ T3404] usb 1-1: New USB device found, idVendor=abcd, idProduct=cdee, bcdDevice= 5.b9 [ 213.070315][ T3404] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 213.099236][ T3404] usb 1-1: config 0 descriptor?? [ 213.127383][ T29] audit: type=1326 audit(212.830:10): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3836 comm="syz.1.184" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 213.129573][ T29] audit: type=1326 audit(212.830:11): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3836 comm="syz.1.184" exe="/syz-executor" sig=0 arch=c00000b7 syscall=172 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 213.135037][ T29] audit: type=1326 audit(212.830:12): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3836 comm="syz.1.184" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 213.137669][ T29] audit: type=1326 audit(212.830:13): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3836 comm="syz.1.184" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 213.139972][ T29] audit: type=1326 audit(212.840:14): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3836 comm="syz.1.184" exe="/syz-executor" sig=0 arch=c00000b7 syscall=275 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 213.169129][ T29] audit: type=1326 audit(212.840:15): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3836 comm="syz.1.184" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 213.176223][ T3404] usb 1-1: Quirk or no altset; falling back to MIDI 1.0 [ 213.185296][ T3404] usb 1-1: MIDIStreaming interface descriptor not found [ 213.474384][ T3404] usb 1-1: USB disconnect, device number 3 [ 213.819730][ T3843] sit0: entered promiscuous mode [ 213.903296][ T3843] netlink: 'syz.0.186': attribute type 1 has an invalid length. [ 213.904417][ T3843] netlink: 1 bytes leftover after parsing attributes in process `syz.0.186'. [ 214.798542][ T3857] udevd[3857]: error opening ATTR{/sys/devices/platform/dummy_hcd.0/usb1/1-1/1-1:0.156/sound/card3/controlC3/../uevent} for writing: No such file or directory [ 215.169841][ T3864] binder: 3863:3864 tried to acquire reference to desc 0, got 1 instead [ 215.180492][ T3864] binder: tried to use weak ref as strong ref [ 215.182202][ T3864] binder: 3863:3864 got transaction with invalid handle, 0 [ 215.182983][ T3864] binder: 3864:3863 translate handle failed [ 215.184673][ T3864] binder: 3863:3864 transaction call to 3863:0 failed 5/29201/-22, size 80-24 line 3496 [ 215.188612][ T8] binder: undelivered TRANSACTION_ERROR: 29201 [ 224.490593][ T3910] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 224.513850][ T3910] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 224.724024][ T3915] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 224.727497][ T3915] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 225.053595][ T3921] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 225.057539][ T3921] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 225.535458][ T3928] cgroup: Bad value for 'name' [ 225.683008][ T3930] A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check. [ 227.190677][ T29] audit: type=1326 audit(226.890:16): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3945 comm="syz.1.223" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 227.193311][ T29] audit: type=1326 audit(226.900:17): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3945 comm="syz.1.223" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 227.197893][ T29] audit: type=1326 audit(226.900:18): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3945 comm="syz.1.223" exe="/syz-executor" sig=0 arch=c00000b7 syscall=56 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 227.209734][ T29] audit: type=1326 audit(226.910:19): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3945 comm="syz.1.223" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 227.217085][ T29] audit: type=1326 audit(226.920:20): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3945 comm="syz.1.223" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 227.219691][ T29] audit: type=1326 audit(226.920:21): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3945 comm="syz.1.223" exe="/syz-executor" sig=0 arch=c00000b7 syscall=0 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 227.235123][ T29] audit: type=1326 audit(226.940:22): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3945 comm="syz.1.223" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 227.244101][ T29] audit: type=1326 audit(226.940:23): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3945 comm="syz.1.223" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 227.254831][ T29] audit: type=1326 audit(226.950:24): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3945 comm="syz.1.223" exe="/syz-executor" sig=0 arch=c00000b7 syscall=2 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 227.266481][ T29] audit: type=1326 audit(226.960:25): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=3945 comm="syz.1.223" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffffbe74a2a8 code=0x7ffc0000 [ 232.498312][ T3990] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 232.512762][ T3990] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 233.138904][ T3998] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 233.143714][ T3998] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 237.371994][ T3197] usb 1-1: new high-speed USB device number 4 using dummy_hcd [ 237.692898][ T3197] usb 1-1: config 1 interface 0 altsetting 3 endpoint 0x81 has an invalid bInterval 196, changing to 11 [ 237.694586][ T3197] usb 1-1: config 1 interface 0 has no altsetting 0 [ 237.837859][ T3197] usb 1-1: New USB device found, idVendor=04f3, idProduct=074d, bcdDevice= 0.40 [ 237.838531][ T3197] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 237.839058][ T3197] usb 1-1: Product: syz [ 237.839438][ T3197] usb 1-1: Manufacturer: syz [ 237.840660][ T3197] usb 1-1: SerialNumber: syz [ 238.140031][ T3197] usbhid 1-1:1.0: can't add hid device: -71 [ 238.157689][ T3197] usbhid 1-1:1.0: probe with driver usbhid failed with error -71 [ 238.210867][ T3197] usb 1-1: USB disconnect, device number 4 [ 238.763012][ T3197] usb 1-1: new full-speed USB device number 5 using dummy_hcd [ 238.992097][ T3197] usb 1-1: unable to get BOS descriptor or descriptor too short [ 239.015215][ T3197] usb 1-1: not running at top speed; connect to a high speed hub [ 239.031968][ T3197] usb 1-1: config 1 interface 0 altsetting 8 endpoint 0x81 has invalid maxpacket 1023, setting to 64 [ 239.033671][ T3197] usb 1-1: config 1 interface 0 has no altsetting 0 [ 239.072340][ T3197] usb 1-1: New USB device found, idVendor=05ac, idProduct=0225, bcdDevice= 0.40 [ 239.073614][ T3197] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 239.081962][ T3197] usb 1-1: Product: syz [ 239.082931][ T3197] usb 1-1: Manufacturer: syz [ 239.083681][ T3197] usb 1-1: SerialNumber: syz [ 239.119069][ T4021] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22 [ 239.681495][ T3197] usb 1-1: USB disconnect, device number 5 [ 240.775455][ T4044] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 240.780111][ T4044] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 241.816131][ T4063] sch_tbf: peakrate 8 is lower than or equals to rate 12 ! [ 243.107231][ T29] kauditd_printk_skb: 677 callbacks suppressed [ 243.107497][ T29] audit: type=1326 audit(242.810:703): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4076 comm="syz.0.280" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffff8f34a2a8 code=0x7ffc0000 [ 243.128180][ T29] audit: type=1326 audit(242.820:704): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4076 comm="syz.0.280" exe="/syz-executor" sig=0 arch=c00000b7 syscall=198 compat=0 ip=0xffff8f34a2a8 code=0x7ffc0000 [ 243.142661][ T29] audit: type=1326 audit(242.840:705): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4076 comm="syz.0.280" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffff8f34a2a8 code=0x7ffc0000 [ 243.144841][ T29] audit: type=1326 audit(242.840:706): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4076 comm="syz.0.280" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffff8f34a2a8 code=0x7ffc0000 [ 243.146662][ T29] audit: type=1326 audit(242.840:707): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4076 comm="syz.0.280" exe="/syz-executor" sig=0 arch=c00000b7 syscall=209 compat=0 ip=0xffff8f34a2a8 code=0x7ffc0000 [ 243.149265][ T29] audit: type=1326 audit(242.840:708): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4076 comm="syz.0.280" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffff8f34a2a8 code=0x7ffc0000 [ 243.173034][ T29] audit: type=1326 audit(242.840:709): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4076 comm="syz.0.280" exe="/syz-executor" sig=0 arch=c00000b7 syscall=280 compat=0 ip=0xffff8f34a2a8 code=0x7ffc0000 [ 243.175222][ T29] audit: type=1326 audit(242.840:710): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4076 comm="syz.0.280" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffff8f34a2a8 code=0x7ffc0000 [ 243.177382][ T29] audit: type=1326 audit(242.840:711): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4076 comm="syz.0.280" exe="/syz-executor" sig=0 arch=c00000b7 syscall=280 compat=0 ip=0xffff8f34a2a8 code=0x7ffc0000 [ 243.179539][ T29] audit: type=1326 audit(242.860:712): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=4076 comm="syz.0.280" exe="/syz-executor" sig=0 arch=c00000b7 syscall=98 compat=0 ip=0xffff8f34a2a8 code=0x7ffc0000 [ 244.970596][ T4103] netlink: 24 bytes leftover after parsing attributes in process `syz.0.292'. [ 245.113803][ T4103] netlink: 16 bytes leftover after parsing attributes in process `syz.0.292'. [ 245.732098][ T4115] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 245.734754][ T4115] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 247.966521][ T4136] sch_tbf: peakrate 8 is lower than or equals to rate 12 ! [ 251.099780][ T4178] lo speed is unknown, defaulting to 1000 [ 251.103332][ T4178] lo speed is unknown, defaulting to 1000 [ 251.107921][ T4178] lo speed is unknown, defaulting to 1000 [ 251.124830][ T4178] iwpm_register_pid: Unable to send a nlmsg (client = 2) [ 251.174255][ T4178] infiniband syz0: RDMA CMA: cma_listen_on_dev, error -98 [ 251.265509][ T4178] lo speed is unknown, defaulting to 1000 [ 251.279621][ T4178] lo speed is unknown, defaulting to 1000 [ 255.878504][ T4224] netlink: 28 bytes leftover after parsing attributes in process `syz.1.346'. [ 257.289475][ T4235] netlink: 16 bytes leftover after parsing attributes in process `syz.1.349'. [ 263.352309][ T8] usb 1-1: new high-speed USB device number 6 using dummy_hcd [ 263.532565][ T8] usb 1-1: Using ep0 maxpacket: 16 [ 263.605085][ T8] usb 1-1: config 0 has an invalid interface number: 115 but max is 0 [ 263.606586][ T8] usb 1-1: config 0 has no interface number 0 [ 263.607986][ T8] usb 1-1: config 0 interface 115 altsetting 0 endpoint 0x3 has invalid maxpacket 1024, setting to 64 [ 263.609520][ T8] usb 1-1: config 0 interface 115 altsetting 0 has a duplicate endpoint with address 0xE, skipping [ 263.668523][ T8] usb 1-1: New USB device found, idVendor=eb1a, idProduct=2875, bcdDevice=6f.3f [ 263.670033][ T8] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 263.671186][ T8] usb 1-1: Product: syz [ 263.673154][ T8] usb 1-1: Manufacturer: syz [ 263.673902][ T8] usb 1-1: SerialNumber: syz [ 263.699104][ T8] usb 1-1: config 0 descriptor?? [ 263.766176][ T4274] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 263.792556][ T4274] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 263.954202][ T1874] usb 1-1: USB disconnect, device number 6 [ 264.836155][ T1874] usb 1-1: new high-speed USB device number 7 using dummy_hcd [ 265.088640][ T1874] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 265.090116][ T1874] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 265.095079][ T1874] usb 1-1: New USB device found, idVendor=256c, idProduct=006d, bcdDevice= 0.00 [ 265.096346][ T1874] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 265.126319][ T1874] usb 1-1: config 0 descriptor?? [ 265.584828][ T1874] hid (null): bogus close delimiter [ 265.599075][ T1874] hid-generic 0003:256C:006D.0001: bogus close delimiter [ 265.600219][ T1874] hid-generic 0003:256C:006D.0001: item 0 0 2 10 parsing failed [ 265.620547][ T1874] hid-generic 0003:256C:006D.0001: probe with driver hid-generic failed with error -22 [ 265.706003][ T4290] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 265.708721][ T4290] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 266.440637][ T4298] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 266.447233][ T4298] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 272.067755][ T4334] netlink: 8 bytes leftover after parsing attributes in process `syz.1.390'. [ 272.069047][ T4334] netlink: 12 bytes leftover after parsing attributes in process `syz.1.390'. [ 272.217263][ T4336] syz.1.391 uses obsolete (PF_INET,SOCK_PACKET) [ 275.522390][ T4348] vlan2: entered promiscuous mode [ 275.523689][ T4348] erspan0: entered promiscuous mode [ 275.875751][ T3404] usb 1-1: USB disconnect, device number 7 [ 276.525561][ T4367] netlink: 4 bytes leftover after parsing attributes in process `syz.0.404'. [ 279.747796][ T4407] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 279.750974][ T4407] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 280.882347][ T3197] usb 1-1: new high-speed USB device number 8 using dummy_hcd [ 281.103409][ T3197] usb 1-1: New USB device found, idVendor=1d50, idProduct=606f, bcdDevice=14.d4 [ 281.104857][ T3197] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 281.128650][ T3197] usb 1-1: config 0 descriptor?? [ 281.586046][ T3197] gs_usb 1-1:0.0: Configuring for 1 interfaces [ 282.223497][ T3197] usb 1-1: USB disconnect, device number 8 [ 282.802528][ T3197] usb 1-1: new high-speed USB device number 9 using dummy_hcd [ 282.982134][ T3197] usb 1-1: Using ep0 maxpacket: 16 [ 283.000462][ T3197] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 283.004499][ T3197] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 283.005689][ T3197] usb 1-1: New USB device found, idVendor=056a, idProduct=0013, bcdDevice= 0.00 [ 283.007336][ T3197] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 283.036273][ T3197] usb 1-1: config 0 descriptor?? [ 283.521827][ T3197] hid-generic 0003:056A:0013.0002: hidraw0: USB HID v0.00 Device [HID 056a:0013] on usb-dummy_hcd.0-1/input0 [ 283.725005][ T3197] usb 1-1: USB disconnect, device number 9 [ 285.961678][ T3404] usb 1-1: new high-speed USB device number 10 using dummy_hcd [ 286.112833][ T3404] usb 1-1: Using ep0 maxpacket: 16 [ 286.139663][ T3404] usb 1-1: New USB device found, idVendor=0471, idProduct=0327, bcdDevice=61.a4 [ 286.142212][ T3404] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 286.164504][ T3404] usb 1-1: config 0 descriptor?? [ 290.377893][ T4439] : renamed from bond0 (while UP) [ 292.852730][ T4447] random: crng reseeded on system resumption [ 296.435058][ T1874] usb 1-1: USB disconnect, device number 10 [ 297.723268][ T1874] usb 1-1: new full-speed USB device number 11 using dummy_hcd [ 297.907255][ T1874] usb 1-1: unable to get BOS descriptor or descriptor too short [ 297.917420][ T1874] usb 1-1: not running at top speed; connect to a high speed hub [ 297.931664][ T1874] usb 1-1: config 128 has an invalid interface number: 249 but max is 0 [ 297.932796][ T1874] usb 1-1: config 128 has no interface number 0 [ 297.934025][ T1874] usb 1-1: config 128 interface 249 altsetting 177 endpoint 0xF has invalid maxpacket 1023, setting to 64 [ 297.935533][ T1874] usb 1-1: config 128 interface 249 has no altsetting 0 [ 297.977500][ T1874] usb 1-1: New USB device found, idVendor=04bb, idProduct=093a, bcdDevice=ca.4b [ 297.978923][ T1874] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 297.980021][ T1874] usb 1-1: Product: syz [ 297.980810][ T1874] usb 1-1: Manufacturer: syz [ 297.982645][ T1874] usb 1-1: SerialNumber: syz [ 298.016866][ T4461] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22 [ 300.140728][ T4467] binder: 4466:4467 tried to acquire reference to desc 0, got 1 instead [ 300.147385][ T4467] binder: 4466:4467 unknown command 0 [ 300.148482][ T4467] binder: 4466:4467 ioctl c0306201 200001c0 returned -22 [ 300.175796][ T3197] ================================================================== [ 300.184709][ T3197] BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x10/0xdc [ 300.187059][ T3197] Read at addr f5f00000094853c0 by task kworker/1:2/3197 [ 300.188551][ T3197] Pointer tag: [f5], memory tag: [fe] [ 300.189222][ T3197] [ 300.192061][ T3197] CPU: 1 UID: 0 PID: 3197 Comm: kworker/1:2 Not tainted 6.12.0-rc7-syzkaller-00070-g0a9b9d17f3a7 #0 [ 300.193529][ T3197] Hardware name: linux,dummy-virt (DT) [ 300.194521][ T3197] Workqueue: events binder_deferred_func [ 300.196370][ T3197] Call trace: [ 300.197092][ T3197] dump_backtrace+0x94/0xec [ 300.197978][ T3197] show_stack+0x18/0x24 [ 300.198687][ T3197] dump_stack_lvl+0x78/0x90 [ 300.199370][ T3197] print_report+0x108/0x618 [ 300.200064][ T3197] kasan_report+0x88/0xac [ 300.200686][ T3197] __do_kernel_fault+0x170/0x1c8 [ 300.201639][ T3197] do_tag_check_fault+0x78/0x8c [ 300.202247][ T3197] do_mem_abort+0x44/0x94 [ 300.202848][ T3197] el1_abort+0x40/0x60 [ 300.203414][ T3197] el1h_64_sync_handler+0xd8/0xe4 [ 300.204023][ T3197] el1h_64_sync+0x64/0x68 [ 300.204567][ T3197] __list_del_entry_valid_or_report+0x10/0xdc [ 300.205233][ T3197] binder_release_work+0x80/0x25c [ 300.205867][ T3197] binder_deferred_func+0x650/0x7dc [ 300.206491][ T3197] process_one_work+0x15c/0x29c [ 300.207092][ T3197] worker_thread+0x24c/0x354 [ 300.207751][ T3197] kthread+0x114/0x118 [ 300.208326][ T3197] ret_from_fork+0x10/0x20 [ 300.209253][ T3197] [ 300.209724][ T3197] Allocated by task 4467: [ 300.210459][ T3197] kasan_save_stack+0x3c/0x64 [ 300.211593][ T3197] save_stack_info+0x40/0x158 [ 300.212215][ T3197] kasan_save_alloc_info+0x14/0x20 [ 300.212944][ T3197] __kasan_kmalloc+0xb4/0xb8 [ 300.213691][ T3197] __kmalloc_cache_noprof+0x14c/0x2e4 [ 300.214327][ T3197] binder_thread_write+0x748/0x1c28 [ 300.214954][ T3197] binder_ioctl+0xf60/0x1270 [ 300.215553][ T3197] __arm64_sys_ioctl+0xac/0xf0 [ 300.216213][ T3197] invoke_syscall+0x48/0x110 [ 300.216817][ T3197] el0_svc_common.constprop.0+0x40/0xe0 [ 300.217472][ T3197] do_el0_svc+0x1c/0x28 [ 300.218064][ T3197] el0_svc+0x30/0xdc [ 300.218683][ T3197] el0t_64_sync_handler+0x100/0x12c [ 300.219338][ T3197] el0t_64_sync+0x19c/0x1a0 [ 300.220172][ T3197] [ 300.220651][ T3197] Freed by task 3197: [ 300.221533][ T3197] kasan_save_stack+0x3c/0x64 [ 300.222215][ T3197] save_stack_info+0x40/0x158 [ 300.222905][ T3197] kasan_save_free_info+0x18/0x24 [ 300.223557][ T3197] __kasan_slab_free+0x74/0x8c [ 300.224207][ T3197] kfree+0xfc/0x2f0 [ 300.224764][ T3197] binder_deferred_func+0x5ec/0x7dc [ 300.225445][ T3197] process_one_work+0x15c/0x29c [ 300.226122][ T3197] worker_thread+0x24c/0x354 [ 300.226737][ T3197] kthread+0x114/0x118 [ 300.227286][ T3197] ret_from_fork+0x10/0x20 [ 300.227989][ T3197] [ 300.228463][ T3197] The buggy address belongs to the object at fff00000094853c0 [ 300.228463][ T3197] which belongs to the cache kmalloc-64 of size 64 [ 300.229877][ T3197] The buggy address is located 0 bytes inside of [ 300.229877][ T3197] 64-byte region [fff00000094853c0, fff0000009485400) [ 300.231211][ T3197] [ 300.232266][ T3197] The buggy address belongs to the physical page: [ 300.233219][ T3197] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xfbf0000009485180 pfn:0x49485 [ 300.234795][ T3197] flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0) [ 300.236359][ T3197] page_type: f5(slab) [ 300.237603][ T3197] raw: 01ffc00000000000 f2f0000003001600 dead000000000122 0000000000000000 [ 300.238820][ T3197] raw: fbf0000009485180 0000000080400020 00000001f5000000 0000000000000000 [ 300.240055][ T3197] page dumped because: kasan: bad access detected [ 300.240801][ T3197] [ 300.241473][ T3197] Memory state around the buggy address: [ 300.242399][ T3197] fff0000009485100: f2 f2 f2 f2 f3 f3 f3 fe fe fe fe fe f6 f6 f6 f6 [ 300.243307][ T3197] fff0000009485200: fa fa fa fe f1 f1 f1 f1 f3 f3 f3 fe f3 f3 f3 f3 [ 300.244241][ T3197] >fff0000009485300: f6 f6 f6 f6 fe fe fe fe f0 f0 f0 fe fe fe fe fe [ 300.245268][ T3197] ^ [ 300.246295][ T3197] fff0000009485400: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 300.247454][ T3197] fff0000009485500: fe fe fe fe fe fe fe fe fc fc fc fe fe fe fe fe [ 300.248699][ T3197] ================================================================== [ 300.251845][ T3197] Disabling lock debugging due to kernel taint [ 300.543327][ T3197] binder: unexpected work type, 10, not freed [ 300.998994][ T1874] pegasus 1-1:128.249: probe with driver pegasus failed with error -71 [ 301.010286][ T1874] usb 1-1: USB disconnect, device number 11 VM DIAGNOSIS: 14:57:48 Registers: info registers vcpu 0 CPU#0 PC=ffff8000802fad58 X00=ffff800082a1d408 X01=0000000000000065 X02=f3f0000004440efc X03=0000000000000ee0 X04=0000000000000003 X05=000000000000000c X06=000000000000000c X07=fbf000000475f53c X08=00000000000000d8 X09=000000000000000d X10=000000000016e360 X11=00000045e4b64520 X12=0000000000000000 X13=00000000000002d6 X14=00000000000002d6 X15=185009c703d9927a X16=6f290000898fffff X17=95ee4f5e9840f8c5 X18=0000000000000000 X19=fbf0000008ffeb00 X20=f3f0000004b81680 X21=0000000000000240 X22=0000000000000000 X23=fbf000000518d062 X24=ffff800082a59bc0 X25=0000000000000000 X26=fbf000000518d04e X27=ffff800082a59bc0 X28=f7f0000006433900 X29=ffff8000800036f0 X30=ffff80008174a87c SP=ffff8000800036f0 PSTATE=404000c9 -Z-- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000000000000000 P01=0000000000000000 P02=0000000000000000 P03=0000000000000000 P04=0000000000000000 P05=0000000000000000 P06=0000000000000000 P07=0000000000000000 P08=0000000000000000 P09=0000000000000000 P10=0000000000000000 P11=0000000000000000 P12=0000000000000000 P13=0000000000000000 P14=0000000000000000 P15=0000000000000000 FFR=0000000000000000 Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffbe8d6418:0000ffffbe8d6430 Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffbe8d6428:0000ffffbe8d6470 Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffbf43ca20:0000ffffbe8d6410 Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffbe8d6448:0000ffffbe8d6420 Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffbe8d6458:0000ffffbe8d6450 Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffbe8d6458:0000ffffbe8d6450 Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffbe8d6468:0000ffffbe8d6460 Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffd0a6d4e0:0000ffffd0a6d4e0 Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000ffffd0a6d4b0 Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff800081a11ce8 X00=0000000000000000 X01=fcf00000063f00c0 X02=0000000000000001 X03=0000000000000001 X04=0000000000000001 X05=f1f0000005b9c900 X06=ffff8000829da718 X07=0000000000000018 X08=0000000080000000 X09=ffff80008274e5d0 X10=ffff8000827fe5d0 X11=0000000000000402 X12=0000000000000c06 X13=ffff80008274e5d0 X14=0000000000000000 X15=ffff800088cbb370 X16=696c61765f797274 X17=7065725f726f5f64 X18=ffffffffffffffff X19=00000000000000c0 X20=f1f0000005b9d070 X21=ffff80008226cce8 X22=ffff80008226cce8 X23=ffffc1ffc0252140 X24=0000000000000001 X25=0000000000000c7d X26=0000000000000000 X27=ffff800081d979f0 X28=f1f0000005b9c900 X29=ffff800088cbb8a0 X30=ffff800081a11c20 SP=ffff800088cbb880 PSTATE=624000c9 -ZC- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000000000000000 P01=0000000000000000 P02=0000000000000000 P03=0000000000000000 P04=0000000000000000 P05=0000000000000000 P06=0000000000000000 P07=0000000000000000 P08=0000000000000000 P09=0000000000000000 P10=0000000000000000 P11=0000000000000000 P12=0000000000000000 P13=0000000000000000 P14=0000000000000000 P15=0000000000000000 FFR=0000000000000000 Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000006808000000:0000006808000000 Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000068 Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000028:0000000000000368 Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:6edc4d3a2914b135:d8e9c869e2695c88 Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:b20fae707afde253:388e9c6c4fa85ca0 Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffd0a6d4e0:0000ffffd0a6d4e0 Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd0:0000ffffd0a6d4b0 Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000