xpad 2-1:179.65: xpad_irq_in - usb_submit_urb failed with result -19
xpad 2-1:179.65: xpad_irq_out - usb_submit_urb failed with result -19
==================================================================
BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x28b/0x2f0 kernel/locking/spinlock_debug.c:115
Read of size 4 at addr ffff88805588b05c by task swapper/0/0
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description+0x55/0x1e0 mm/kasan/report.c:378
print_report+0x58/0x70 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
do_raw_spin_lock+0x28b/0x2f0 kernel/locking/spinlock_debug.c:115
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock_irqsave+0x4c/0x60 kernel/locking/spinlock.c:166
__wake_up_common_lock+0x2f/0x1f0 kernel/sched/wait.c:124
__usb_hcd_giveback_urb+0x3b0/0x540 drivers/usb/core/hcd.c:1660
dummy_timer+0xbc0/0x4650 drivers/usb/gadget/udc/dummy_hcd.c:2005
__run_hrtimer kernel/time/hrtimer.c:1930 [inline]
__hrtimer_run_queues+0x3c0/0xa20 kernel/time/hrtimer.c:1994
hrtimer_run_softirq+0x17a/0x240 kernel/time/hrtimer.c:2011
handle_softirqs+0x22a/0x840 kernel/softirq.c:626
__do_softirq kernel/softirq.c:660 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0xca/0x220 kernel/softirq.c:739
irq_exit_rcu+0x9/0x30 kernel/softirq.c:756
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1061
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:pv_native_safe_halt+0xf/0x20 arch/x86/kernel/paravirt.c:63
Code: fd 6e 02 e9 93 f0 02 00 cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 13 a3 18 00 fb f4 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 90 90 90 90 90
RSP: 0018:ffffffff8e407dc0 EFLAGS: 00000242
RAX: 0000000003969c5d RBX: ffffffff819b551a RCX: 0000000080000001
RDX: 0000000000000001 RSI: ffffffff8df3ffaf RDI: ffffffff8c287c00
RBP: ffffffff8e407eb0 R08: ffff8880b86339db R09: 1ffff110170c673b
R10: dffffc0000000000 R11: ffffed10170c673c R12: 0000000000000000
R13: 1ffffffff1c925d8 R14: 0000000000000000 R15: 1ffffffff1c925d8
arch_safe_halt arch/x86/kernel/process.c:766 [inline]
default_idle+0x9/0x20 arch/x86/kernel/process.c:767
default_idle_call+0x72/0xb0 kernel/sched/idle.c:122
cpuidle_idle_call kernel/sched/idle.c:199 [inline]
do_idle+0x36a/0x5f0 kernel/sched/idle.c:352
cpu_startup_entry+0x43/0x60 kernel/sched/idle.c:451
rest_init+0x2de/0x300 init/main.c:762
start_kernel+0x38f/0x3e0 init/main.c:1214
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
x86_64_start_kernel+0x143/0x1c0 arch/x86/kernel/head64.c:291
common_startup_64+0x13e/0x147
Allocated by task 8426:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x31c/0x660 mm/slub.c:5412
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
xpad_probe+0x428/0x1fc0 drivers/input/joystick/xpad.c:2080
usb_probe_interface+0x659/0xc70 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:721
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:863
driver_probe_device+0x4f/0x240 drivers/base/dd.c:893
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1021
bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c5/0x450 drivers/base/dd.c:1093
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1148
bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
device_add+0x7b6/0xb70 drivers/base/core.c:3692
usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2268
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:721
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:863
driver_probe_device+0x4f/0x240 drivers/base/dd.c:893
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1021
bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c5/0x450 drivers/base/dd.c:1093
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1148
bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
device_add+0x7b6/0xb70 drivers/base/core.c:3692
usb_new_device+0xa08/0x16f0 drivers/usb/core/hub.c:2695
hub_port_connect drivers/usb/core/hub.c:5567 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x2a1c/0x4f30 drivers/usb/core/hub.c:5953
process_one_work+0x9a3/0x1710 kernel/workqueue.c:3288
process_scheduled_works kernel/workqueue.c:3379 [inline]
worker_thread+0xba8/0x11e0 kernel/workqueue.c:3465
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 8608:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2689 [inline]
slab_free mm/slub.c:6242 [inline]
kfree+0x1c5/0x640 mm/slub.c:6557
xpad_disconnect+0x350/0x480 drivers/input/joystick/xpad.c:2264
usb_unbind_interface+0x26e/0x910 drivers/usb/core/driver.c:458
device_remove drivers/base/dd.c:633 [inline]
__device_release_driver drivers/base/dd.c:1344 [inline]
device_release_driver_internal+0x4d9/0x870 drivers/base/dd.c:1367
bus_remove_device+0x455/0x570 drivers/base/bus.c:657
device_del+0x527/0x8f0 drivers/base/core.c:3881
usb_disable_device+0x3d4/0x8d0 drivers/usb/core/message.c:1478
usb_disconnect+0x32f/0x990 drivers/usb/core/hub.c:2345
hub_port_connect drivers/usb/core/hub.c:5407 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x1cc9/0x4f30 drivers/usb/core/hub.c:5953
process_one_work+0x9a3/0x1710 kernel/workqueue.c:3288
process_scheduled_works kernel/workqueue.c:3379 [inline]
worker_thread+0xba8/0x11e0 kernel/workqueue.c:3465
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff88805588b000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 92 bytes inside of
freed 1024-byte region [ffff88805588b000, ffff88805588b400)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x55888
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b041dc0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801b041dc0 dead000000000100 dead000000000122
head: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 00fff00000000003 fffffffffffffe01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 0, tgid 0 (swapper/1), ts 103254381712, free_ts 33430258493
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x231/0x280 mm/page_alloc.c:1859
prep_new_page mm/page_alloc.c:1867 [inline]
get_page_from_freelist+0x2418/0x24b0 mm/page_alloc.c:3926
__alloc_frozen_pages_noprof+0x233/0x3d0 mm/page_alloc.c:5213
alloc_slab_page mm/slub.c:3278 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3467
new_slab mm/slub.c:3525 [inline]
refill_objects+0x339/0x3d0 mm/slub.c:7247
refill_sheaf mm/slub.c:2816 [inline]
__pcs_replace_empty_main+0x321/0x720 mm/slub.c:4651
alloc_from_pcs mm/slub.c:4749 [inline]
slab_alloc_node mm/slub.c:4883 [inline]
__do_kmalloc_node mm/slub.c:5291 [inline]
__kmalloc_noprof+0x474/0x760 mm/slub.c:5304
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
ieee802_11_parse_elems_full+0x159/0x2ab0 net/mac80211/parse.c:1051
ieee802_11_parse_elems net/mac80211/ieee80211_i.h:2486 [inline]
ieee80211_inform_bss+0x161/0x1160 net/mac80211/scan.c:79
rdev_inform_bss net/wireless/rdev-ops.h:418 [inline]
cfg80211_inform_single_bss_data+0xcf9/0x1af0 net/wireless/scan.c:2372
cfg80211_inform_bss_data+0x266/0x3c40 net/wireless/scan.c:3226
cfg80211_inform_bss_frame_data+0x3c7/0x730 net/wireless/scan.c:3317
ieee80211_bss_info_update+0x794/0xa40 net/mac80211/scan.c:230
ieee80211_scan_rx+0x552/0xa40 net/mac80211/scan.c:364
__ieee80211_rx_handle_packet net/mac80211/rx.c:5296 [inline]
ieee80211_rx_list+0x29e3/0x3710 net/mac80211/rx.c:5579
ieee80211_rx_napi+0x1b1/0x3e0 net/mac80211/rx.c:5602
page last free pid 1 tgid 1 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1403 [inline]
__free_frozen_pages+0xbc7/0xd30 mm/page_alloc.c:2944
__free_pages mm/page_alloc.c:5332 [inline]
free_contig_range+0xb7/0x100 mm/page_alloc.c:7336
destroy_args+0x4e5/0x570 mm/debug_vm_pgtable.c:993
debug_vm_pgtable+0x3f8/0x410 mm/debug_vm_pgtable.c:1368
do_one_initcall+0x250/0x870 init/main.c:1386
do_initcall_level+0x104/0x190 init/main.c:1448
do_initcalls+0x59/0xa0 init/main.c:1464
kernel_init_freeable+0x2a6/0x3e0 init/main.c:1696
kernel_init+0x1d/0x1d0 init/main.c:1586
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Memory state around the buggy address:
ffff88805588af00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88805588af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88805588b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88805588b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88805588b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
0: fd std
1: 6e outsb %ds:(%rsi),(%dx)
2: 02 e9 add %cl,%ch
4: 93 xchg %eax,%ebx
5: f0 02 00 lock add (%rax),%al
8: cc int3
9: cc int3
a: cc int3
b: 90 nop
c: 90 nop
d: 90 nop
e: 90 nop
f: 90 nop
10: 90 nop
11: 90 nop
12: 90 nop
13: 90 nop
14: 90 nop
15: 90 nop
16: 90 nop
17: 90 nop
18: 90 nop
19: 90 nop
1a: 90 nop
1b: f3 0f 1e fa endbr64
1f: 66 90 xchg %ax,%ax
21: 0f 00 2d 13 a3 18 00 verw 0x18a313(%rip) # 0x18a33b
28: fb sti
29: f4 hlt
* 2a: c3 ret <-- trapping instruction
2b: cc int3
2c: cc int3
2d: cc int3
2e: cc int3
2f: cc int3
30: cc int3
31: cc int3
32: cc int3
33: cc int3
34: cc int3
35: cc int3
36: cc int3
37: cc int3
38: cc int3
39: cc int3
3a: cc int3
3b: 90 nop
3c: 90 nop
3d: 90 nop
3e: 90 nop
3f: 90 nop