xpad 1-1:179.65: xpad_irq_in - usb_submit_urb failed with result -19
xpad 1-1:179.65: xpad_irq_out - usb_submit_urb failed with result -19
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
BUG: KASAN: use-after-free in do_raw_spin_lock+0x283/0x2f0 kernel/locking/spinlock_debug.c:114
Read of size 4 at addr ffff88805635f85c by task kworker/u4:4/56

CPU: 1 PID: 56 Comm: kworker/u4:4 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Workqueue: events_unbound nsim_dev_trap_report_work
Call Trace:
 <IRQ>
 dump_stack_lvl+0x188/0x24e lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:316 [inline]
 print_report+0xa8/0x210 mm/kasan/report.c:420
 kasan_report+0x10b/0x140 mm/kasan/report.c:524
 debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
 do_raw_spin_lock+0x283/0x2f0 kernel/locking/spinlock_debug.c:114
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline]
 _raw_spin_lock_irqsave+0xbc/0x100 kernel/locking/spinlock.c:162
 __wake_up_common_lock kernel/sched/wait.c:137 [inline]
 __wake_up+0x107/0x1a0 kernel/sched/wait.c:160
 __usb_hcd_giveback_urb+0x394/0x520 drivers/usb/core/hcd.c:1676
 dummy_timer+0xa21/0x3420 drivers/usb/gadget/udc/dummy_hcd.c:2004
 __run_hrtimer kernel/time/hrtimer.c:1751 [inline]
 __hrtimer_run_queues+0x522/0xc90 kernel/time/hrtimer.c:1815
 hrtimer_run_softirq+0x173/0x290 kernel/time/hrtimer.c:1832
 handle_softirqs+0x291/0x910 kernel/softirq.c:596
 __do_softirq kernel/softirq.c:630 [inline]
 invoke_softirq kernel/softirq.c:470 [inline]
 __irq_exit_rcu+0x13b/0x230 kernel/softirq.c:679
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:691
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1118
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:crng_make_state+0x618/0xb00 drivers/char/random.c:354
Code: b2 b0 05 e9 e1 fc ff ff e8 05 e2 fd fc e8 20 9b a6 05 4d 85 f6 0f 84 39 ff ff ff e8 f2 e1 fd fc fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 04 3c 00 00 00 00 4b c7 44 3c 08 00 00 00 00 4b c7 44 3c 10
RSP: 0018:ffffc90001577880 EFLAGS: 00000293
RAX: ffffffff84843f1e RBX: 0000000000000000 RCX: ffff88801c6e5a00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90001577a30 R08: ffffffff90af232f R09: 1ffffffff215e465
R10: dffffc0000000000 R11: fffffbfff215e466 R12: 1ffff920002aef18
R13: ffff8880b8f379d0 R14: 0000000000000200 R15: dffffc0000000000
 _get_random_bytes+0xfc/0x250 drivers/char/random.c:366
 eth_random_addr include/linux/etherdevice.h:232 [inline]
 nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:756 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:805 [inline]
 nsim_dev_trap_report_work+0x313/0xa80 drivers/net/netdevsim/dev.c:851
 process_one_work+0x8ab/0x1160 kernel/workqueue.c:2292
 worker_thread+0xaf5/0x12a0 kernel/workqueue.c:2439
 kthread+0x29d/0x330 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

Allocated by task 4443:
 kasan_save_stack mm/kasan/common.c:46 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
 ____kasan_kmalloc mm/kasan/common.c:375 [inline]
 __kasan_kmalloc+0x8e/0xa0 mm/kasan/common.c:384
 kmalloc include/linux/slab.h:563 [inline]
 kzalloc include/linux/slab.h:699 [inline]
 xpad_probe+0x437/0x1ed0 drivers/input/joystick/xpad.c:1971
 usb_probe_interface+0x5be/0xae0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x24a/0xb40 drivers/base/dd.c:639
 __driver_probe_device+0x1f5/0x390 drivers/base/dd.c:805
 driver_probe_device+0x4f/0x420 drivers/base/dd.c:835
 __device_attach_driver+0x2c6/0x510 drivers/base/dd.c:963
 bus_for_each_drv+0x184/0x210 drivers/base/bus.c:429
 __device_attach+0x2a7/0x480 drivers/base/dd.c:1035
 bus_probe_device+0xba/0x1d0 drivers/base/bus.c:489
 device_add+0xbcf/0x1050 drivers/base/core.c:3712
 usb_set_configuration+0x19d5/0x2030 drivers/usb/core/message.c:2223
 usb_generic_driver_probe+0x89/0x150 drivers/usb/core/generic.c:238
 usb_probe_device+0x126/0x250 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x24a/0xb40 drivers/base/dd.c:639
 __driver_probe_device+0x1f5/0x390 drivers/base/dd.c:805
 driver_probe_device+0x4f/0x420 drivers/base/dd.c:835
 __device_attach_driver+0x2c6/0x510 drivers/base/dd.c:963
 bus_for_each_drv+0x184/0x210 drivers/base/bus.c:429
 __device_attach+0x2a7/0x480 drivers/base/dd.c:1035
 bus_probe_device+0xba/0x1d0 drivers/base/bus.c:489
 device_add+0xbcf/0x1050 drivers/base/core.c:3712
 usb_new_device+0xa01/0x15e0 drivers/usb/core/hub.c:2659
 hub_port_connect drivers/usb/core/hub.c:5517 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5657 [inline]
 port_event drivers/usb/core/hub.c:5817 [inline]
 hub_event+0x2b2f/0x5200 drivers/usb/core/hub.c:5899
 process_one_work+0x8ab/0x1160 kernel/workqueue.c:2292
 worker_thread+0xaf5/0x12a0 kernel/workqueue.c:2439
 kthread+0x29d/0x330 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Freed by task 4864:
 kasan_save_stack mm/kasan/common.c:46 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:516
 ____kasan_slab_free+0x126/0x1f0 mm/kasan/common.c:237
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1729 [inline]
 slab_free_freelist_hook+0x133/0x1b0 mm/slub.c:1755
 slab_free mm/slub.c:3687 [inline]
 __kmem_cache_free+0xb6/0x200 mm/slub.c:3700
 xpad_disconnect+0x31f/0x440 drivers/input/joystick/xpad.c:2152
 usb_unbind_interface+0x203/0x870 drivers/usb/core/driver.c:458
 device_remove drivers/base/dd.c:550 [inline]
 __device_release_driver drivers/base/dd.c:1280 [inline]
 device_release_driver_internal+0x4cf/0x7c0 drivers/base/dd.c:1306
 bus_remove_device+0x2dd/0x400 drivers/base/bus.c:531
 device_del+0x63f/0xa80 drivers/base/core.c:3900
 usb_disable_device+0x3e7/0x8a0 drivers/usb/core/message.c:1472
 usb_disconnect+0x33c/0x8a0 drivers/usb/core/hub.c:2314
 hub_port_connect drivers/usb/core/hub.c:5361 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5657 [inline]
 port_event drivers/usb/core/hub.c:5817 [inline]
 hub_event+0x1d27/0x5200 drivers/usb/core/hub.c:5899
 process_one_work+0x8ab/0x1160 kernel/workqueue.c:2292
 worker_thread+0xaf5/0x12a0 kernel/workqueue.c:2439
 kthread+0x29d/0x330 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Last potentially related work creation:
 kasan_save_stack+0x3a/0x60 mm/kasan/common.c:46
 __kasan_record_aux_stack+0xb2/0xc0 mm/kasan/generic.c:486
 insert_work+0x54/0x3c0 kernel/workqueue.c:1361
 __queue_work+0xae2/0xee0 kernel/workqueue.c:1520
 queue_work_on+0x124/0x1f0 kernel/workqueue.c:1548
 queue_work include/linux/workqueue.h:512 [inline]
 schedule_work include/linux/workqueue.h:573 [inline]
 xpad360w_process_packet drivers/input/joystick/xpad.c:952 [inline]
 xpad_irq_in+0xa51/0x23a0 drivers/input/joystick/xpad.c:1163
 __usb_hcd_giveback_urb+0x35d/0x520 drivers/usb/core/hcd.c:1673
 dummy_timer+0xa21/0x3420 drivers/usb/gadget/udc/dummy_hcd.c:2004
 __run_hrtimer kernel/time/hrtimer.c:1751 [inline]
 __hrtimer_run_queues+0x522/0xc90 kernel/time/hrtimer.c:1815
 hrtimer_run_softirq+0x173/0x290 kernel/time/hrtimer.c:1832
 handle_softirqs+0x291/0x910 kernel/softirq.c:596
 do_softirq+0x142/0x210 kernel/softirq.c:497
 __local_bh_enable_ip+0x180/0x1c0 kernel/softirq.c:421
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 batadv_nc_purge_paths+0x305/0x3a0 net/batman-adv/network-coding.c:471
 batadv_nc_worker+0x31e/0x600 net/batman-adv/network-coding.c:720
 process_one_work+0x8ab/0x1160 kernel/workqueue.c:2292
 worker_thread+0xaf5/0x12a0 kernel/workqueue.c:2439
 kthread+0x29d/0x330 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Second to last potentially related work creation:
 kasan_save_stack+0x3a/0x60 mm/kasan/common.c:46
 __kasan_record_aux_stack+0xb2/0xc0 mm/kasan/generic.c:486
 insert_work+0x54/0x3c0 kernel/workqueue.c:1361
 __queue_work+0xae2/0xee0 kernel/workqueue.c:1520
 queue_work_on+0x124/0x1f0 kernel/workqueue.c:1548
 queue_work include/linux/workqueue.h:512 [inline]
 schedule_work include/linux/workqueue.h:573 [inline]
 xpad360w_process_packet drivers/input/joystick/xpad.c:952 [inline]
 xpad_irq_in+0xa51/0x23a0 drivers/input/joystick/xpad.c:1163
 __usb_hcd_giveback_urb+0x35d/0x520 drivers/usb/core/hcd.c:1673
 dummy_timer+0xa21/0x3420 drivers/usb/gadget/udc/dummy_hcd.c:2004
 __run_hrtimer kernel/time/hrtimer.c:1751 [inline]
 __hrtimer_run_queues+0x522/0xc90 kernel/time/hrtimer.c:1815
 hrtimer_run_softirq+0x173/0x290 kernel/time/hrtimer.c:1832
 handle_softirqs+0x291/0x910 kernel/softirq.c:596
 __do_softirq kernel/softirq.c:630 [inline]
 invoke_softirq kernel/softirq.c:470 [inline]
 __irq_exit_rcu+0x13b/0x230 kernel/softirq.c:679
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:691
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1118
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:691

The buggy address belongs to the object at ffff88805635f800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 92 bytes inside of
 1024-byte region [ffff88805635f800, ffff88805635fc00)

The buggy address belongs to the physical page:
page:ffffea000158d600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x56358
head:ffffea000158d600 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888017441dc0
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4318, tgid 4318 (kworker/1:3), ts 83346165383, free_ts 25916779881
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x173/0x1a0 mm/page_alloc.c:2560
 prep_new_page mm/page_alloc.c:2567 [inline]
 get_page_from_freelist+0x206b/0x2180 mm/page_alloc.c:4358
 __alloc_pages+0x1ec/0x4f0 mm/page_alloc.c:5658
 alloc_slab_page+0x5d/0x180 mm/slub.c:1799
 allocate_slab mm/slub.c:1944 [inline]
 new_slab+0x87/0x2d0 mm/slub.c:1997
 ___slab_alloc+0xbc5/0x1240 mm/slub.c:3154
 __slab_alloc mm/slub.c:3240 [inline]
 slab_alloc_node mm/slub.c:3325 [inline]
 __kmem_cache_alloc_node+0x126/0x270 mm/slub.c:3398
 __do_kmalloc_node mm/slab_common.c:935 [inline]
 __kmalloc+0xa3/0x240 mm/slab_common.c:949
 kmalloc include/linux/slab.h:568 [inline]
 kzalloc include/linux/slab.h:699 [inline]
 neigh_alloc net/core/neighbour.c:495 [inline]
 ___neigh_create+0x6f4/0x2450 net/core/neighbour.c:649
 ip6_finish_output2+0x150e/0x15c0 net/ipv6/ip6_output.c:129
 dst_output include/net/dst.h:453 [inline]
 NF_HOOK include/linux/netfilter.h:302 [inline]
 ndisc_send_skb+0xc04/0x1520 net/ipv6/ndisc.c:513
 ndisc_send_ns+0xd4/0x160 net/ipv6/ndisc.c:671
 addrconf_dad_work+0xa07/0x1500 net/ipv6/addrconf.c:4219
 process_one_work+0x8ab/0x1160 kernel/workqueue.c:2292
 worker_thread+0xaf5/0x12a0 kernel/workqueue.c:2439
 kthread+0x29d/0x330 kernel/kthread.c:376
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1487 [inline]
 free_pcp_prepare mm/page_alloc.c:1537 [inline]
 free_unref_page_prepare+0x8e5/0x9e0 mm/page_alloc.c:3414
 free_unref_page+0x2e/0x3f0 mm/page_alloc.c:3509
 free_contig_range+0x9d/0x150 mm/page_alloc.c:9626
 destroy_args+0xef/0xa0e mm/debug_vm_pgtable.c:1031
 debug_vm_pgtable+0x33c/0x38e mm/debug_vm_pgtable.c:1359
 do_one_initcall+0x257/0x800 init/main.c:1309
 do_initcall_level+0x13d/0x1ed init/main.c:1382
 do_initcalls+0x4b/0x8a init/main.c:1398
 kernel_init_freeable+0x401/0x5ab init/main.c:1637
 kernel_init+0x19/0x1b0 init/main.c:1525
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff88805635f700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88805635f780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88805635f800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff88805635f880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88805635f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
   0:	b2 b0                	mov    $0xb0,%dl
   2:	05 e9 e1 fc ff       	add    $0xfffce1e9,%eax
   7:	ff                   	ljmp   (bad)
   8:	e8 05 e2 fd fc       	call   0xfcfde212
   d:	e8 20 9b a6 05       	call   0x5a69b32
  12:	4d 85 f6             	test   %r14,%r14
  15:	0f 84 39 ff ff ff    	je     0xffffff54
  1b:	e8 f2 e1 fd fc       	call   0xfcfde212
  20:	fb                   	sti
  21:	48 c7 44 24 40 0e 36 	movq   $0x45e0360e,0x40(%rsp)
  28:	e0 45
* 2a:	4b c7 04 3c 00 00 00 	movq   $0x0,(%r12,%r15,1) <-- trapping instruction
  31:	00
  32:	4b c7 44 3c 08 00 00 	movq   $0x0,0x8(%r12,%r15,1)
  39:	00 00
  3b:	4b                   	rex.WXB
  3c:	c7                   	.byte 0xc7
  3d:	44 3c 10             	rex.R cmp $0x10,%al