./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor4168833399 <...>
Warning: Permanently added '10.128.0.82' (ED25519) to the list of known hosts.
execve("./syz-executor4168833399", ["./syz-executor4168833399"], 0x7ffe49bb64f0 /* 10 vars */) = 0
brk(NULL) = 0x555591917000
brk(0x555591917d00) = 0x555591917d00
arch_prctl(ARCH_SET_FS, 0x555591917380) = 0
set_tid_address(0x555591917650) = 282
set_robust_list(0x555591917660, 24) = 0
rseq(0x555591917ca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented)
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor4168833399", 4096) = 28
getrandom("\x8d\xca\x35\x13\xa5\xf7\x92\xd0", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x555591917d00
brk(0x555591938d00) = 0x555591938d00
brk(0x555591939000) = 0x555591939000
mprotect(0x7f4476f08000, 16384, PROT_READ) = 0
mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000
mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000
mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000
write(1, "executing program\n", 18executing program
) = 18
openat(AT_FDCWD, "/dev/usbmon0", O_RDONLY|O_APPEND) = 3
openat(AT_FDCWD, "/dev/raw-gadget", O_RDWR) = 4
ioctl(4, USB_RAW_IOCTL_INIT, 0x7ffd5baccf30) = 0
ioctl(4, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0
ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffd5baccf30) = 0
[ 35.462936][ T24] audit: type=1400 audit(1755515383.120:64): avc: denied { execmem } for pid=282 comm="syz-executor416" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 35.483225][ T24] audit: type=1400 audit(1755515383.140:65): avc: denied { read append } for pid=282 comm="syz-executor416" name="usbmon0" dev="devtmpfs" ino=154 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1
[ 35.507801][ T24] audit: type=1400 audit(1755515383.140:66): avc: denied { open } for pid=282 comm="syz-executor416" path="/dev/usbmon0" dev="devtmpfs" ino=154 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1
[ 35.531880][ T24] audit: type=1400 audit(1755515383.140:67): avc: denied { read write } for pid=282 comm="syz-executor416" name="raw-gadget" dev="devtmpfs" ino=253 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 35.555584][ T24] audit: type=1400 audit(1755515383.140:68): avc: denied { open } for pid=282 comm="syz-executor416" path="/dev/raw-gadget" dev="devtmpfs" ino=253 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 35.579226][ T24] audit: type=1400 audit(1755515383.140:69): avc: denied { ioctl } for pid=282 comm="syz-executor416" path="/dev/raw-gadget" dev="devtmpfs" ino=253 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffd5baccf30) = 0
ioctl(4, USB_RAW_IOCTL_EP0_WRITE, 0x7ffd5bacbf20) = 18
[ 35.752564][ T15] usb 1-1: new high-speed USB device number 2 using dummy_hcd
ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffd5baccf30) = 0
ioctl(4, USB_RAW_IOCTL_EP0_WRITE, 0x7ffd5bacbf20) = 18
[ 35.992582][ T15] usb 1-1: Using ep0 maxpacket: 16
ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffd5baccf30) = 0
ioctl(4, USB_RAW_IOCTL_EP0_WRITE, 0x7ffd5bacbf20) = 9
ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffd5baccf30) = 0
ioctl(4, USB_RAW_IOCTL_EP0_WRITE, 0x7ffd5bacbf20) = 36
[ 36.112697][ T15] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7
[ 36.123658][ T15] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0
[ 36.133459][ T15] usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 9
[ 36.146354][ T15] usb 1-1: New USB device found, idVendor=045e, idProduct=07da, bcdDevice= 0.00
ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffd5baccf30) = 0
ioctl(4, USB_RAW_IOCTL_VBUS_DRAW, 0) = 0
ioctl(4, USB_RAW_IOCTL_CONFIGURE, 0) = 0
ioctl(4, USB_RAW_IOCTL_EP_ENABLE, 0x7f4476f0e3cc) = -1 EINVAL (Invalid argument)
ioctl(4, USB_RAW_IOCTL_EP0_READ, 0x7ffd5bacbf20) = 0
[ 36.155463][ T15] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 36.165689][ T15] usb 1-1: config 0 descriptor??
ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffd5baccf60) = 0
ioctl(4, USB_RAW_IOCTL_EP0_READ, 0x7ffd5bacbf50) = 0
ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffd5baccf60) = 0
ioctl(4, USB_RAW_IOCTL_EP0_WRITE, 0x7ffd5bacbf50) = 34
[ 36.645149][ T15] microsoft 0003:045E:07DA.0001: unknown main item tag 0x0
[ 36.652677][ T15] microsoft 0003:045E:07DA.0001: ignoring exceeding usage max
[ 36.668897][ T15] ==================================================================
[ 36.677031][ T15] BUG: KASAN: slab-out-of-bounds in mon_bin_event+0x1307/0x24e0
[ 36.684675][ T15] Read of size 832 at addr ffff888105999be1 by task kworker/0:1/15
[ 36.692560][ T15]
[ 36.694921][ T15] CPU: 0 PID: 15 Comm: kworker/0:1 Not tainted 5.10.240-syzkaller #0
[ 36.703030][ T15] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 36.713127][ T15] Workqueue: usb_hub_wq hub_event
[ 36.718171][ T15] Call Trace:
[ 36.721481][ T15] __dump_stack+0x21/0x24
[ 36.725831][ T15] dump_stack_lvl+0x169/0x1d8
[ 36.730530][ T15] ? show_regs_print_info+0x18/0x18
[ 36.735762][ T15] ? thaw_kernel_threads+0x220/0x220
[ 36.741075][ T15] print_address_description+0x7f/0x2c0
[ 36.746643][ T15] ? mon_bin_event+0x1307/0x24e0
[ 36.751597][ T15] kasan_report+0xe2/0x130
[ 36.756050][ T15] ? mon_bin_event+0x1307/0x24e0
[ 36.761023][ T15] ? mon_bin_event+0x1307/0x24e0
[ 36.765978][ T15] kasan_check_range+0x280/0x290
[ 36.770948][ T15] memcpy+0x2d/0x70
[ 36.774784][ T15] mon_bin_event+0x1307/0x24e0
[ 36.779580][ T15] ? mon_bin_complete+0x30/0x30
[ 36.784452][ T15] ? __kasan_kmalloc+0xec/0x110
[ 36.789321][ T15] ? __kasan_kmalloc+0xda/0x110
[ 36.794190][ T15] ? __kmalloc+0x1a7/0x330
[ 36.798624][ T15] ? mon_bin_vma_fault+0x1e0/0x1e0
[ 36.803763][ T15] mon_bin_submit+0x27/0x30
[ 36.808283][ T15] mon_submit+0x185/0x200
[ 36.812631][ T15] usb_hcd_submit_urb+0x117/0x1780
[ 36.817760][ T15] ? really_probe+0x3d8/0xa90
[ 36.822468][ T15] ? bus_for_each_drv+0x175/0x200
[ 36.827543][ T15] ? device_initial_probe+0x1a/0x20
[ 36.832756][ T15] ? usb_set_configuration+0x1a47/0x1f80
[ 36.838403][ T15] ? usb_generic_driver_probe+0x91/0x150
[ 36.844088][ T15] usb_submit_urb+0x10eb/0x1620
[ 36.849044][ T15] ? device_add+0x8b4/0xbf0
[ 36.853580][ T15] usb_start_wait_urb+0x117/0x2f0
[ 36.858622][ T15] ? usb_api_blocking_completion+0xb0/0xb0
[ 36.864451][ T15] ? __kasan_check_write+0x14/0x20
[ 36.869582][ T15] usb_control_msg+0x241/0x3f0
[ 36.874363][ T15] ? hid_output_report+0x722/0x7b0
[ 36.879493][ T15] usbhid_raw_request+0x453/0x580
[ 36.884538][ T15] ? usbhid_request+0x60/0x60
[ 36.889232][ T15] __hid_request+0x1d2/0x390
[ 36.893859][ T15] hidinput_connect+0x1d6d/0x2c30
[ 36.899114][ T15] hid_connect+0x458/0xdf0
[ 36.903548][ T15] ? usbhid_start+0x1a3c/0x2450
[ 36.908418][ T15] ? hid_match_id+0x340/0x340
[ 36.913124][ T15] hid_hw_start+0xaa/0x130
[ 36.917558][ T15] ms_probe+0x190/0x460
[ 36.921744][ T15] ? magicmouse_emit_touch+0x10f0/0x10f0
[ 36.927403][ T15] hid_device_probe+0x287/0x380
[ 36.932292][ T15] really_probe+0x386/0xa90
[ 36.936826][ T15] ? __kasan_check_write+0x14/0x20
[ 36.941960][ T15] driver_probe_device+0xe7/0x190
[ 36.947016][ T15] __device_attach_driver+0x282/0x3f0
[ 36.952405][ T15] ? state_synced_show+0x90/0x90
[ 36.957361][ T15] bus_for_each_drv+0x175/0x200
[ 36.962242][ T15] ? __kasan_check_write+0x14/0x20
[ 36.967380][ T15] ? subsys_find_device_by_id+0x350/0x350
[ 36.973125][ T15] __device_attach+0x29a/0x400
[ 36.977911][ T15] ? kfree+0xc0/0x270
[ 36.981910][ T15] ? device_attach+0x20/0x20
[ 36.986520][ T15] ? kobject_uevent_env+0x34d/0x700
[ 36.991739][ T15] device_initial_probe+0x1a/0x20
[ 36.996785][ T15] bus_probe_device+0xc0/0x1e0
[ 37.001565][ T15] device_add+0x8b4/0xbf0
[ 37.005914][ T15] hid_add_device+0x356/0x4b0
[ 37.010608][ T15] usbhid_probe+0xb2e/0xee0
[ 37.015150][ T15] usb_probe_interface+0x5ff/0xae0
[ 37.020287][ T15] really_probe+0x3d8/0xa90
[ 37.024809][ T15] ? __kasan_check_write+0x14/0x20
[ 37.029945][ T15] driver_probe_device+0xe7/0x190
[ 37.035019][ T15] __device_attach_driver+0x282/0x3f0
[ 37.040416][ T15] ? state_synced_show+0x90/0x90
[ 37.045384][ T15] bus_for_each_drv+0x175/0x200
[ 37.050253][ T15] ? __kasan_check_write+0x14/0x20
[ 37.055396][ T15] ? subsys_find_device_by_id+0x350/0x350
[ 37.061149][ T15] __device_attach+0x29a/0x400
[ 37.065948][ T15] ? device_attach+0x20/0x20
[ 37.070576][ T15] device_initial_probe+0x1a/0x20
[ 37.075620][ T15] bus_probe_device+0xc0/0x1e0
[ 37.080402][ T15] device_add+0x8b4/0xbf0
[ 37.084749][ T15] usb_set_configuration+0x1a47/0x1f80
[ 37.090250][ T15] usb_generic_driver_probe+0x91/0x150
[ 37.095740][ T15] usb_probe_device+0x148/0x260
[ 37.100612][ T15] really_probe+0x3d8/0xa90
[ 37.105140][ T15] ? __kasan_check_write+0x14/0x20
[ 37.110272][ T15] driver_probe_device+0xe7/0x190
[ 37.115317][ T15] __device_attach_driver+0x282/0x3f0
[ 37.120725][ T15] ? state_synced_show+0x90/0x90
[ 37.125696][ T15] bus_for_each_drv+0x175/0x200
[ 37.130567][ T15] ? __kasan_check_write+0x14/0x20
[ 37.135697][ T15] ? subsys_find_device_by_id+0x350/0x350
[ 37.141440][ T15] __device_attach+0x29a/0x400
[ 37.146227][ T15] ? device_attach+0x20/0x20
[ 37.150835][ T15] ? kobject_uevent_env+0x34d/0x700
[ 37.156071][ T15] device_initial_probe+0x1a/0x20
[ 37.161117][ T15] bus_probe_device+0xc0/0x1e0
[ 37.165915][ T15] device_add+0x8b4/0xbf0
[ 37.170266][ T15] usb_new_device+0xcd1/0x1450
[ 37.175056][ T15] ? wq_worker_last_func+0x50/0x50
[ 37.180194][ T15] ? usb_disconnect+0x850/0x850
[ 37.185128][ T15] hub_event+0x2679/0x4120
[ 37.189586][ T15] ? __kasan_check_write+0x14/0x20
[ 37.194757][ T15] ? led_work+0x5f0/0x5f0
[ 37.199124][ T15] ? __kasan_check_write+0x14/0x20
[ 37.204262][ T15] ? _raw_spin_lock_irq+0x8f/0xe0
[ 37.209314][ T15] ? __kasan_check_read+0x11/0x20
[ 37.214374][ T15] ? read_word_at_a_time+0x12/0x20
[ 37.219527][ T15] ? strscpy+0x9b/0x290
[ 37.223706][ T15] process_one_work+0x6e1/0xba0
[ 37.228588][ T15] worker_thread+0xa6a/0x13b0
[ 37.233288][ T15] ? _raw_spin_lock_irqsave+0xb0/0x110
[ 37.238774][ T15] kthread+0x346/0x3d0
[ 37.242861][ T15] ? worker_clr_flags+0x190/0x190
[ 37.248027][ T15] ? kthread_blkcg+0xd0/0xd0
[ 37.252649][ T15] ret_from_fork+0x1f/0x30
[ 37.257072][ T15]
[ 37.259404][ T15] Allocated by task 15:
[ 37.263572][ T15] __kasan_kmalloc+0xda/0x110
[ 37.268269][ T15] __kmalloc+0x1a7/0x330
[ 37.272530][ T15] __hid_request+0x9a/0x390
[ 37.277052][ T15] hidinput_connect+0x1d6d/0x2c30
[ 37.282107][ T15] hid_connect+0x458/0xdf0
[ 37.286538][ T15] hid_hw_start+0xaa/0x130
[ 37.290969][ T15] ms_probe+0x190/0x460
[ 37.295157][ T15] hid_device_probe+0x287/0x380
[ 37.300044][ T15] really_probe+0x386/0xa90
[ 37.304569][ T15] driver_probe_device+0xe7/0x190
[ 37.309610][ T15] __device_attach_driver+0x282/0x3f0
[ 37.314996][ T15] bus_for_each_drv+0x175/0x200
[ 37.319881][ T15] __device_attach+0x29a/0x400
[ 37.324663][ T15] device_initial_probe+0x1a/0x20
[ 37.329701][ T15] bus_probe_device+0xc0/0x1e0
[ 37.334475][ T15] device_add+0x8b4/0xbf0
[ 37.338822][ T15] hid_add_device+0x356/0x4b0
[ 37.343512][ T15] usbhid_probe+0xb2e/0xee0
[ 37.348046][ T15] usb_probe_interface+0x5ff/0xae0
[ 37.353173][ T15] really_probe+0x3d8/0xa90
[ 37.357781][ T15] driver_probe_device+0xe7/0x190
[ 37.362834][ T15] __device_attach_driver+0x282/0x3f0
[ 37.368221][ T15] bus_for_each_drv+0x175/0x200
[ 37.373096][ T15] __device_attach+0x29a/0x400
[ 37.377885][ T15] device_initial_probe+0x1a/0x20
[ 37.382929][ T15] bus_probe_device+0xc0/0x1e0
[ 37.387804][ T15] device_add+0x8b4/0xbf0
[ 37.392155][ T15] usb_set_configuration+0x1a47/0x1f80
[ 37.397626][ T15] usb_generic_driver_probe+0x91/0x150
[ 37.403098][ T15] usb_probe_device+0x148/0x260
[ 37.407969][ T15] really_probe+0x3d8/0xa90
[ 37.412486][ T15] driver_probe_device+0xe7/0x190
[ 37.417527][ T15] __device_attach_driver+0x282/0x3f0
[ 37.422911][ T15] bus_for_each_drv+0x175/0x200
[ 37.427778][ T15] __device_attach+0x29a/0x400
[ 37.432556][ T15] device_initial_probe+0x1a/0x20
[ 37.437607][ T15] bus_probe_device+0xc0/0x1e0
[ 37.442381][ T15] device_add+0x8b4/0xbf0
[ 37.446725][ T15] usb_new_device+0xcd1/0x1450
[ 37.451504][ T15] hub_event+0x2679/0x4120
[ 37.455931][ T15] process_one_work+0x6e1/0xba0
[ 37.460793][ T15] worker_thread+0xa6a/0x13b0
[ 37.465484][ T15] kthread+0x346/0x3d0
[ 37.469563][ T15] ret_from_fork+0x1f/0x30
[ 37.473994][ T15]
[ 37.476368][ T15] The buggy address belongs to the object at ffff888105999be0
[ 37.476368][ T15] which belongs to the cache kmalloc-8 of size 8
[ 37.490096][ T15] The buggy address is located 1 bytes inside of
[ 37.490096][ T15] 8-byte region [ffff888105999be0, ffff888105999be8)
[ 37.503040][ T15] The buggy address belongs to the page:
[ 37.508810][ T15] page:ffffea0004166640 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105999
[ 37.519080][ T15] flags: 0x4000000000000200(slab)
[ 37.524135][ T15] raw: 4000000000000200 ffffea00041971c0 0000001100000011 ffff888100043c80
[ 37.532745][ T15] raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
[ 37.541332][ T15] page dumped because: kasan: bad access detected
[ 37.547746][ T15] page_owner tracks the page as allocated
[ 37.553503][ T15] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 3120006206, free_ts 0
[ 37.568353][ T15] prep_new_page+0x179/0x180
[ 37.572968][ T15] get_page_from_freelist+0x2235/0x23d0
[ 37.578538][ T15] __alloc_pages_nodemask+0x268/0x5f0
[ 37.583966][ T15] new_slab+0x84/0x3f0
[ 37.588069][ T15] ___slab_alloc+0x2a6/0x450
[ 37.592674][ T15] __slab_alloc+0x63/0xa0
[ 37.597019][ T15] __kmalloc+0x201/0x330
[ 37.601282][ T15] acpi_ns_internalize_name+0x2bc/0x3a0
[ 37.606839][ T15] acpi_ns_get_node+0x1a0/0x340
[ 37.611701][ T15] acpi_get_handle+0x17e/0x290
[ 37.616477][ T15] acpi_has_method+0x83/0xd0
[ 37.621081][ T15] pnpacpi_add_device+0x22f/0x81e
[ 37.626132][ T15] pnpacpi_add_device_handler+0xeb/0xf2
[ 37.631693][ T15] acpi_ns_get_device_callback+0x334/0x480
[ 37.637512][ T15] acpi_ns_walk_namespace+0x23e/0x680
[ 37.642898][ T15] acpi_get_devices+0xfa/0x150
[ 37.647660][ T15] page_owner free stack trace missing
[ 37.653037][ T15]
[ 37.655368][ T15] Memory state around the buggy address:
[ 37.661012][ T15]  ffff888105999a80: fc fc fc fc fb fc fc fc fc fb fc fc fc fc fb fc
[ 37.669091][ T15]  ffff888105999b00: fc fc fc fb fc fc fc fc fb fc fc fc fc fb fc fc
[ 37.677168][ T15] >ffff888105999b80: fc fc 00 fc fc fc fc 00 fc fc fc fc 07 fc fc fc
[ 37.685382][ T15]                                                        ^
exit_group(0) = ?
+++ exited with 0 +++
[ 37.692616][ T15]  ffff888105999c00: fc fb fc fc fc fc fb fc fc fc fc fb fc fc