------------[ cut here ]------------
workqueue: work disable count underflowed
WARNING: kernel/workqueue.c:4413 at work_offqd_enable kernel/workqueue.c:4413 [inline], CPU#1: kworker/1:2/929
WARNING: kernel/workqueue.c:4413 at enable_work+0x1c7/0x230 kernel/workqueue.c:4584, CPU#1: kworker/1:2/929
Modules linked in:
CPU: 1 UID: 0 PID: 929 Comm: kworker/1:2 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: usb_hub_wq hub_event
RIP: 0010:work_offqd_enable kernel/workqueue.c:4413 [inline]
RIP: 0010:enable_work+0x1c7/0x230 kernel/workqueue.c:4584
Code: bf e4 37 00 4d 85 f6 75 48 e8 b5 e4 37 00 eb 47 e8 ae e4 37 00 90 0f 0b 90 e9 bc fe ff ff e8 a0 e4 37 00 48 8d 3d c9 d4 a8 0e <67> 48 0f b9 3a e9 d2 fe ff ff e8 8a e4 37 00 90 0f 0b 90 e9 1d ff
RSP: 0018:ffffc900049b6b58 EFLAGS: 00010083
RAX: ffffffff818e11b0 RBX: 0000000000000000 RCX: 0000000000100000
RDX: ffffc90016cff000 RSI: 00000000000251b8 RDI: ffffffff9036e680
RBP: 0000000000000000 R08: ffff8880b853a483 R09: 1ffff110170a7490
R10: dffffc0000000000 R11: ffffed10170a7491 R12: 1ffff1100525d677
R13: 0000000001800001 R14: ffff8880292eb3b8 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff888125102000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000563bb4dc0010 CR3: 0000000063efc000 CR4: 00000000003526f0
Call Trace:
__cancel_work_sync+0xf7/0x110 kernel/workqueue.c:4454
smsusb_stop_streaming drivers/media/usb/siano/smsusb.c:183 [inline]
smsusb_term_device+0xe2/0x3e0 drivers/media/usb/siano/smsusb.c:345
smsusb_init_device drivers/media/usb/siano/smsusb.c:497 [inline]
smsusb_probe+0x1aba/0x2280 drivers/media/usb/siano/smsusb.c:575
usb_probe_interface+0x668/0xc90 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:661
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:803
driver_probe_device+0x4f/0x240 drivers/base/dd.c:833
__device_attach_driver+0x2d4/0x4c0 drivers/base/dd.c:961
bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c5/0x450 drivers/base/dd.c:1033
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1088
bus_probe_device+0x12a/0x220 drivers/base/bus.c:574
device_add+0x7b6/0xb70 drivers/base/core.c:3689
usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2208
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:661
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:803
driver_probe_device+0x4f/0x240 drivers/base/dd.c:833
__device_attach_driver+0x2d4/0x4c0 drivers/base/dd.c:961
bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c5/0x450 drivers/base/dd.c:1033
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1088
bus_probe_device+0x12a/0x220 drivers/base/bus.c:574
device_add+0x7b6/0xb70 drivers/base/core.c:3689
usb_new_device+0xa08/0x16f0 drivers/usb/core/hub.c:2695
hub_port_connect drivers/usb/core/hub.c:5567 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x2a1c/0x4f30 drivers/usb/core/hub.c:5953
process_one_work+0x949/0x1650 kernel/workqueue.c:3279
process_scheduled_works kernel/workqueue.c:3362 [inline]
worker_thread+0xb46/0x1140 kernel/workqueue.c:3443
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
----------------
Code disassembly (best guess):
0: bf e4 37 00 4d mov $0x4d0037e4,%edi
5: 85 f6 test %esi,%esi
7: 75 48 jne 0x51
9: e8 b5 e4 37 00 call 0x37e4c3
e: eb 47 jmp 0x57
10: e8 ae e4 37 00 call 0x37e4c3
15: 90 nop
16: 0f 0b ud2
18: 90 nop
19: e9 bc fe ff ff jmp 0xfffffeda
1e: e8 a0 e4 37 00 call 0x37e4c3
23: 48 8d 3d c9 d4 a8 0e lea 0xea8d4c9(%rip),%rdi # 0xea8d4f3
* 2a: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2f: e9 d2 fe ff ff jmp 0xffffff06
34: e8 8a e4 37 00 call 0x37e4c3
39: 90 nop
3a: 0f 0b ud2
3c: 90 nop
3d: e9 .byte 0xe9
3e: 1d .byte 0x1d
3f: ff .byte 0xff