./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1633072161 <...> Warning: Permanently added '10.128.1.80' (ED25519) to the list of known hosts. execve("./syz-executor1633072161", ["./syz-executor1633072161"], 0x7fff57e72920 /* 10 vars */) = 0 brk(NULL) = 0x555586dcc000 brk(0x555586dccd00) = 0x555586dccd00 arch_prctl(ARCH_SET_FS, 0x555586dcc380) = 0 set_tid_address(0x555586dcc650) = 282 set_robust_list(0x555586dcc660, 24) = 0 rseq(0x555586dccca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1633072161", 4096) = 28 getrandom("\x67\xa1\x23\x17\x5c\x18\x9d\x78", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555586dccd00 brk(0x555586dedd00) = 0x555586dedd00 brk(0x555586dee000) = 0x555586dee000 mprotect(0x7f9ab2460000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 write(1, "executing program\n", 18executing program ) = 18 openat(AT_FDCWD, "/dev/usbmon0", O_RDONLY) = 3 openat(AT_FDCWD, "/dev/raw-gadget", O_RDWR) = 4 ioctl(4, USB_RAW_IOCTL_INIT, 0x7ffca69eac20) = 0 ioctl(4, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffca69eac20) = 0 [ 34.636574][ T24] audit: type=1400 audit(1751393729.480:64): avc: denied { execmem } for pid=282 comm="syz-executor163" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 34.656583][ T24] audit: type=1400 audit(1751393729.500:65): avc: denied { read } for pid=282 comm="syz-executor163" name="usbmon0" dev="devtmpfs" ino=154 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1 [ 34.680346][ T24] audit: type=1400 audit(1751393729.500:66): avc: denied { open } for pid=282 comm="syz-executor163" path="/dev/usbmon0" dev="devtmpfs" ino=154 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1 [ 34.704528][ T24] audit: type=1400 audit(1751393729.500:67): avc: denied { read write } for pid=282 comm="syz-executor163" name="raw-gadget" dev="devtmpfs" ino=253 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 34.728187][ T24] audit: type=1400 audit(1751393729.500:68): avc: denied { open } for pid=282 comm="syz-executor163" path="/dev/raw-gadget" dev="devtmpfs" ino=253 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 34.751883][ T24] audit: type=1400 audit(1751393729.500:69): avc: denied { ioctl } for pid=282 comm="syz-executor163" path="/dev/raw-gadget" dev="devtmpfs" ino=253 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffca69eac20) = 0 ioctl(4, USB_RAW_IOCTL_EP0_WRITE, 0x7ffca69e9c10) = 18 [ 34.919780][ T25] usb 1-1: new high-speed USB device number 2 using dummy_hcd ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffca69eac20) = 0 ioctl(4, USB_RAW_IOCTL_EP0_WRITE, 0x7ffca69e9c10) = 18 [ 35.159754][ T25] usb 1-1: Using ep0 maxpacket: 16 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffca69eac20) = 0 ioctl(4, USB_RAW_IOCTL_EP0_WRITE, 0x7ffca69e9c10) = 9 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffca69eac20) = 0 ioctl(4, USB_RAW_IOCTL_EP0_WRITE, 0x7ffca69e9c10) = 36 [ 35.279828][ T25] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 35.290728][ T25] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 35.300715][ T25] usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 9 [ 35.313511][ T25] usb 1-1: New USB device found, idVendor=045e, idProduct=07da, bcdDevice= 0.00 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffca69eac20) = 0 ioctl(4, USB_RAW_IOCTL_VBUS_DRAW, 0) = 0 ioctl(4, USB_RAW_IOCTL_CONFIGURE, 0) = 0 ioctl(4, USB_RAW_IOCTL_EP_ENABLE, 0x7f9ab24663cc) = -1 EINVAL (Invalid argument) ioctl(4, USB_RAW_IOCTL_EP0_READ, 0x7ffca69e9c10) = 0 [ 35.322548][ T25] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 35.331474][ T25] usb 1-1: config 0 descriptor?? ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffca69eac50) = 0 ioctl(4, USB_RAW_IOCTL_EP0_READ, 0x7ffca69e9c40) = 0 ioctl(4, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffca69eac50) = 0 ioctl(4, USB_RAW_IOCTL_EP0_WRITE, 0x7ffca69e9c40) = 34 [ 35.810880][ T25] microsoft 0003:045E:07DA.0001: unknown main item tag 0x0 [ 35.818111][ T25] microsoft 0003:045E:07DA.0001: ignoring exceeding usage max [ 35.827197][ T25] ================================================================== [ 35.835274][ T25] BUG: KASAN: slab-out-of-bounds in mon_bin_event+0x1307/0x24e0 [ 35.843018][ T25] Read of size 832 at addr ffff88811cf8eed9 by task kworker/1:1/25 [ 35.851006][ T25] [ 35.853328][ T25] CPU: 1 PID: 25 Comm: kworker/1:1 Not tainted 5.10.238-syzkaller-00008-g59e9a7228857 #0 [ 35.863093][ T25] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 35.873421][ T25] Workqueue: usb_hub_wq hub_event [ 35.878523][ T25] Call Trace: [ 35.881788][ T25] __dump_stack+0x21/0x24 [ 35.886088][ T25] dump_stack_lvl+0x169/0x1d8 [ 35.890748][ T25] ? show_regs_print_info+0x18/0x18 [ 35.895916][ T25] ? thaw_kernel_threads+0x220/0x220 [ 35.901180][ T25] print_address_description+0x7f/0x2c0 [ 35.906716][ T25] ? mon_bin_event+0x1307/0x24e0 [ 35.911633][ T25] kasan_report+0xe2/0x130 [ 35.916016][ T25] ? mon_bin_event+0x1307/0x24e0 [ 35.920917][ T25] ? mon_bin_event+0x1307/0x24e0 [ 35.925819][ T25] kasan_check_range+0x280/0x290 [ 35.930724][ T25] memcpy+0x2d/0x70 [ 35.934499][ T25] mon_bin_event+0x1307/0x24e0 [ 35.939262][ T25] ? mon_bin_complete+0x30/0x30 [ 35.944093][ T25] ? __kasan_kmalloc+0xec/0x110 [ 35.948919][ T25] ? __kasan_kmalloc+0xda/0x110 [ 35.953737][ T25] ? __kmalloc+0x1a7/0x330 [ 35.958121][ T25] ? mon_bin_vma_fault+0x1e0/0x1e0 [ 35.963369][ T25] mon_bin_submit+0x27/0x30 [ 35.967850][ T25] mon_submit+0x185/0x200 [ 35.972258][ T25] usb_hcd_submit_urb+0x117/0x1780 [ 35.977442][ T25] ? really_probe+0x3d8/0xa90 [ 35.982290][ T25] ? bus_for_each_drv+0x175/0x200 [ 35.987288][ T25] ? device_initial_probe+0x1a/0x20 [ 35.992547][ T25] ? usb_set_configuration+0x1a47/0x1f80 [ 35.998324][ T25] ? usb_generic_driver_probe+0x91/0x150 [ 36.003938][ T25] usb_submit_urb+0x10eb/0x1620 [ 36.008968][ T25] ? device_add+0x8b4/0xbf0 [ 36.013647][ T25] usb_start_wait_urb+0x117/0x2f0 [ 36.018738][ T25] ? usb_api_blocking_completion+0xb0/0xb0 [ 36.024524][ T25] ? __kasan_check_write+0x14/0x20 [ 36.029627][ T25] usb_control_msg+0x241/0x3f0 [ 36.034357][ T25] ? hid_output_report+0x722/0x7b0 [ 36.039462][ T25] usbhid_raw_request+0x453/0x580 [ 36.044455][ T25] ? usbhid_request+0x60/0x60 [ 36.049099][ T25] __hid_request+0x1d2/0x390 [ 36.053662][ T25] hidinput_connect+0x1d6d/0x2c30 [ 36.058654][ T25] hid_connect+0x458/0xdf0 [ 36.063035][ T25] ? usbhid_start+0x1a3c/0x2450 [ 36.067851][ T25] ? hid_match_id+0x340/0x340 [ 36.072495][ T25] hid_hw_start+0xaa/0x130 [ 36.076881][ T25] ms_probe+0x190/0x460 [ 36.081002][ T25] ? magicmouse_emit_touch+0x10f0/0x10f0 [ 36.086603][ T25] hid_device_probe+0x287/0x380 [ 36.091441][ T25] really_probe+0x386/0xa90 [ 36.095930][ T25] ? __kasan_check_write+0x14/0x20 [ 36.101097][ T25] driver_probe_device+0xe7/0x190 [ 36.106092][ T25] __device_attach_driver+0x282/0x3f0 [ 36.111436][ T25] ? state_synced_show+0x90/0x90 [ 36.116342][ T25] bus_for_each_drv+0x175/0x200 [ 36.121162][ T25] ? __kasan_check_write+0x14/0x20 [ 36.126242][ T25] ? subsys_find_device_by_id+0x350/0x350 [ 36.132188][ T25] __device_attach+0x29a/0x400 [ 36.136920][ T25] ? kfree+0xc0/0x270 [ 36.140978][ T25] ? device_attach+0x20/0x20 [ 36.145545][ T25] ? kobject_uevent_env+0x34d/0x700 [ 36.150838][ T25] device_initial_probe+0x1a/0x20 [ 36.155844][ T25] bus_probe_device+0xc0/0x1e0 [ 36.160649][ T25] device_add+0x8b4/0xbf0 [ 36.164967][ T25] hid_add_device+0x356/0x4b0 [ 36.169614][ T25] usbhid_probe+0xb2e/0xee0 [ 36.174090][ T25] usb_probe_interface+0x5ff/0xae0 [ 36.179173][ T25] really_probe+0x3d8/0xa90 [ 36.183735][ T25] ? __kasan_check_write+0x14/0x20 [ 36.188821][ T25] driver_probe_device+0xe7/0x190 [ 36.193816][ T25] __device_attach_driver+0x282/0x3f0 [ 36.199268][ T25] ? state_synced_show+0x90/0x90 [ 36.204858][ T25] bus_for_each_drv+0x175/0x200 [ 36.209849][ T25] ? __kasan_check_write+0x14/0x20 [ 36.215059][ T25] ? subsys_find_device_by_id+0x350/0x350 [ 36.220931][ T25] __device_attach+0x29a/0x400 [ 36.225667][ T25] ? device_attach+0x20/0x20 [ 36.230237][ T25] device_initial_probe+0x1a/0x20 [ 36.235249][ T25] bus_probe_device+0xc0/0x1e0 [ 36.239993][ T25] device_add+0x8b4/0xbf0 [ 36.244451][ T25] usb_set_configuration+0x1a47/0x1f80 [ 36.250089][ T25] usb_generic_driver_probe+0x91/0x150 [ 36.255636][ T25] usb_probe_device+0x148/0x260 [ 36.260456][ T25] really_probe+0x3d8/0xa90 [ 36.264964][ T25] ? __kasan_check_write+0x14/0x20 [ 36.270203][ T25] driver_probe_device+0xe7/0x190 [ 36.275661][ T25] __device_attach_driver+0x282/0x3f0 [ 36.281011][ T25] ? state_synced_show+0x90/0x90 [ 36.286105][ T25] bus_for_each_drv+0x175/0x200 [ 36.291014][ T25] ? __kasan_check_write+0x14/0x20 [ 36.296095][ T25] ? subsys_find_device_by_id+0x350/0x350 [ 36.301937][ T25] __device_attach+0x29a/0x400 [ 36.306750][ T25] ? device_attach+0x20/0x20 [ 36.311313][ T25] ? kobject_uevent_env+0x34d/0x700 [ 36.316477][ T25] device_initial_probe+0x1a/0x20 [ 36.321485][ T25] bus_probe_device+0xc0/0x1e0 [ 36.326338][ T25] device_add+0x8b4/0xbf0 [ 36.330646][ T25] usb_new_device+0xcd1/0x1450 [ 36.335384][ T25] ? wq_worker_last_func+0x50/0x50 [ 36.340462][ T25] ? usb_disconnect+0x850/0x850 [ 36.345309][ T25] hub_event+0x2679/0x4120 [ 36.349703][ T25] ? __kasan_check_write+0x14/0x20 [ 36.354809][ T25] ? led_work+0x5f0/0x5f0 [ 36.359110][ T25] ? __kasan_check_write+0x14/0x20 [ 36.364189][ T25] ? _raw_spin_lock_irq+0x8f/0xe0 [ 36.369177][ T25] ? __kasan_check_read+0x11/0x20 [ 36.374168][ T25] ? read_word_at_a_time+0x12/0x20 [ 36.379246][ T25] ? strscpy+0x9b/0x290 [ 36.383369][ T25] process_one_work+0x6e1/0xba0 [ 36.388187][ T25] worker_thread+0xa6a/0x13b0 [ 36.392832][ T25] ? _raw_spin_lock_irqsave+0xb0/0x110 [ 36.398259][ T25] ? __kasan_check_read+0x11/0x20 [ 36.403253][ T25] kthread+0x346/0x3d0 [ 36.407291][ T25] ? worker_clr_flags+0x190/0x190 [ 36.412280][ T25] ? kthread_blkcg+0xd0/0xd0 [ 36.416834][ T25] ret_from_fork+0x1f/0x30 [ 36.421217][ T25] [ 36.423545][ T25] Allocated by task 25: [ 36.427669][ T25] __kasan_kmalloc+0xda/0x110 [ 36.432312][ T25] __kmalloc+0x1a7/0x330 [ 36.436523][ T25] __hid_request+0x9a/0x390 [ 36.440993][ T25] hidinput_connect+0x1d6d/0x2c30 [ 36.446079][ T25] hid_connect+0x458/0xdf0 [ 36.450461][ T25] hid_hw_start+0xaa/0x130 [ 36.454846][ T25] ms_probe+0x190/0x460 [ 36.458968][ T25] hid_device_probe+0x287/0x380 [ 36.463783][ T25] really_probe+0x386/0xa90 [ 36.468253][ T25] driver_probe_device+0xe7/0x190 [ 36.473261][ T25] __device_attach_driver+0x282/0x3f0 [ 36.478868][ T25] bus_for_each_drv+0x175/0x200 [ 36.483692][ T25] __device_attach+0x29a/0x400 [ 36.488423][ T25] device_initial_probe+0x1a/0x20 [ 36.493417][ T25] bus_probe_device+0xc0/0x1e0 [ 36.498150][ T25] device_add+0x8b4/0xbf0 [ 36.502466][ T25] hid_add_device+0x356/0x4b0 [ 36.507112][ T25] usbhid_probe+0xb2e/0xee0 [ 36.511585][ T25] usb_probe_interface+0x5ff/0xae0 [ 36.516663][ T25] really_probe+0x3d8/0xa90 [ 36.521131][ T25] driver_probe_device+0xe7/0x190 [ 36.526472][ T25] __device_attach_driver+0x282/0x3f0 [ 36.531838][ T25] bus_for_each_drv+0x175/0x200 [ 36.536654][ T25] __device_attach+0x29a/0x400 [ 36.541384][ T25] device_initial_probe+0x1a/0x20 [ 36.546376][ T25] bus_probe_device+0xc0/0x1e0 [ 36.551206][ T25] device_add+0x8b4/0xbf0 [ 36.555501][ T25] usb_set_configuration+0x1a47/0x1f80 [ 36.560931][ T25] usb_generic_driver_probe+0x91/0x150 [ 36.566358][ T25] usb_probe_device+0x148/0x260 [ 36.571176][ T25] really_probe+0x3d8/0xa90 [ 36.575651][ T25] driver_probe_device+0xe7/0x190 [ 36.580639][ T25] __device_attach_driver+0x282/0x3f0 [ 36.585974][ T25] bus_for_each_drv+0x175/0x200 [ 36.590800][ T25] __device_attach+0x29a/0x400 [ 36.595538][ T25] device_initial_probe+0x1a/0x20 [ 36.600535][ T25] bus_probe_device+0xc0/0x1e0 [ 36.605268][ T25] device_add+0x8b4/0xbf0 [ 36.609590][ T25] usb_new_device+0xcd1/0x1450 [ 36.614316][ T25] hub_event+0x2679/0x4120 [ 36.618698][ T25] process_one_work+0x6e1/0xba0 [ 36.623516][ T25] worker_thread+0xa6a/0x13b0 [ 36.628160][ T25] kthread+0x346/0x3d0 [ 36.632364][ T25] ret_from_fork+0x1f/0x30 [ 36.636778][ T25] [ 36.639079][ T25] The buggy address belongs to the object at ffff88811cf8eed8 [ 36.639079][ T25] which belongs to the cache kmalloc-8 of size 8 [ 36.652850][ T25] The buggy address is located 1 bytes inside of [ 36.652850][ T25] 8-byte region [ffff88811cf8eed8, ffff88811cf8eee0) [ 36.665747][ T25] The buggy address belongs to the page: [ 36.671369][ T25] page:ffffea000473e380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11cf8e [ 36.681568][ T25] flags: 0x4000000000000200(slab) [ 36.686652][ T25] raw: 4000000000000200 dead000000000100 dead000000000122 ffff888100043c80 [ 36.695207][ T25] raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000 [ 36.703843][ T25] page dumped because: kasan: bad access detected [ 36.710668][ T25] page_owner tracks the page as allocated [ 36.716370][ T25] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 259, ts 17051480664, free_ts 17051018871 [ 36.732312][ T25] prep_new_page+0x179/0x180 [ 36.736875][ T25] get_page_from_freelist+0x2235/0x23d0 [ 36.742394][ T25] __alloc_pages_nodemask+0x268/0x5f0 [ 36.747749][ T25] new_slab+0x84/0x3f0 [ 36.751785][ T25] ___slab_alloc+0x2a6/0x450 [ 36.756343][ T25] __slab_alloc+0x63/0xa0 [ 36.760647][ T25] __kmalloc+0x201/0x330 [ 36.764857][ T25] kvmalloc_node+0x88/0x130 [ 36.769337][ T25] proc_sys_call_handler+0x3a9/0x790 [ 36.774587][ T25] proc_sys_read+0x1f/0x30 [ 36.778971][ T25] vfs_read+0x874/0xa10 [ 36.783091][ T25] ksys_read+0x140/0x240 [ 36.787307][ T25] __x64_sys_read+0x7b/0x90 [ 36.791802][ T25] do_syscall_64+0x31/0x40 [ 36.796190][ T25] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 36.802047][ T25] page last free stack trace: [ 36.806692][ T25] free_unref_page_prepare+0x2b7/0x2d0 [ 36.812115][ T25] __free_pages+0x14b/0x380 [ 36.816583][ T25] free_pages+0x82/0x90 [ 36.820704][ T25] pgd_free+0x187/0x1a0 [ 36.824823][ T25] __mmdrop+0xad/0x490 [ 36.828857][ T25] finish_task_switch+0x1e2/0x5a0 [ 36.833845][ T25] schedule_tail+0x18/0xc0 [ 36.838227][ T25] ret_from_fork+0x8/0x30 [ 36.842519][ T25] [ 36.844831][ T25] Memory state around the buggy address: [ 36.850429][ T25] ffff88811cf8ed80: fc fc fc 00 fc fc fc fc fc fc fc fc fc fc fc fc exit_group(0) = ? +++ exited with 0 +++ [ 36.858544][ T25] ffff88811cf8ee00: fc fc fc fc fc fc fc fa fc fc fc fc fc f