Extracting prog: 4m40.486059504s Minimizing prog: 2m35.299127255s Simplifying prog options: 0s Extracting C: 35.206508714s Simplifying C: 21m56.946888065s extracting reproducer from 30 programs testing a last program of every proc single: executing 5 programs separately with timeout 30s testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$squashfs-openat detailed listing: executing program 0: syz_mount_image$squashfs(&(0x7f0000000040), &(0x7f0000000240)='./file1\x00', 0x810010, &(0x7f00000007c0)=ANY=[@ANYBLOB="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", @ANYRES64=0x0, @ANYRES16=0x0, @ANYRES32, @ANYRES64=0x0, @ANYRES32, @ANYRESDEC=0x0], 0x1, 0x1fb, &(0x7f0000000280)="$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") openat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x2000, 0x0) program did not crash testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-getpid-prlimit64-sched_setscheduler-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix-recvmmsg-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-mremap-close_range detailed listing: executing program 0: bpf$PROG_LOAD(0x5, 0x0, 0x0) 
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) r0 = getpid() prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) r3 = userfaultfd(0x80001) ioctl$UFFDIO_API(r3, 0xc018aa3f, &(0x7f00000000c0)={0xaa, 0x749}) ioctl$UFFDIO_REGISTER(r3, 0xc020aa00, &(0x7f0000000200)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1}) mremap(&(0x7f00003cd000/0x4000)=nil, 0x4000, 0x2000, 0x3, &(0x7f0000c9a000/0x2000)=nil) close_range(r3, 0xffffffffffffffff, 0x0) program did not crash testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect detailed listing: executing program 0: syz_usb_connect(0x2, 0x24, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0xef, 0x1a, 0x6e, 0x40, 0x424, 0xcf19, 0xa588, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xe2, 0x3, 0x0, 0xe2, 0x1c, 0x79, 0x4}}]}}]}}, 0x0) program crashed: KASAN: use-after-free Read in hdm_disconnect single: successfully extracted reproducer found reproducer with 1 syscalls minimizing guilty program testing program (duration=46.904875354s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true 
Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect detailed listing: executing program 0: syz_usb_connect(0x2, 0x0, 0x0, 0x0) program did not crash extracting C reproducer testing compiled C program (duration=46.904875354s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: use-after-free Read in hdm_disconnect simplifying C reproducer testing compiled C program (duration=46.904875354s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: use-after-free Read in hdm_disconnect testing compiled C program (duration=46.904875354s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): 
syz_usb_connect program crashed: KASAN: use-after-free Read in hdm_disconnect testing compiled C program (duration=46.904875354s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program did not crash testing compiled C program (duration=46.904875354s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: use-after-free Read in hdm_disconnect testing compiled C program (duration=46.904875354s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: use-after-free Read in hdm_disconnect testing compiled C program (duration=46.904875354s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true 
VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: use-after-free Read in hdm_disconnect testing compiled C program (duration=46.904875354s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program did not crash testing compiled C program (duration=46.904875354s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program did not crash testing compiled C program (duration=46.904875354s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program did not crash testing compiled C program (duration=46.904875354s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false 
Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: u a never seen crash title: KASAN: u, ignore testing compiled C program (duration=46.904875354s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program did not crash testing compiled C program (duration=46.904875354s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program did not crash testing compiled C program (duration=46.904875354s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: use-after-free Read in hdm_disconnect testing compiled C program (duration=46.904875354s, 
{Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:false Swap:true UseTmpDir:true HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: use-after-free Read in hdm_disconnect testing compiled C program (duration=46.904875354s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: use-after-free Read in hdm_disconnect reproducing took 29m47.938611637s repro crashed as (corrupted=false): usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 usb 1-1: config 0 descriptor?? 
usb 1-1: string descriptor 0 read error: -71 usb 1-1: USB disconnect, device number 2 ================================================================== BUG: KASAN: use-after-free in hdm_disconnect+0x109/0x1c0 drivers/most/most_usb.c:1125 Read of size 8 at addr ffff888079a69898 by task kworker/1:1/26 CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.1.140-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: usb_hub_wq hub_event Call Trace: dump_stack_lvl+0x168/0x22e lib/dump_stack.c:106 print_address_description mm/kasan/report.c:316 [inline] print_report+0xa8/0x220 mm/kasan/report.c:427 kasan_report+0x10b/0x140 mm/kasan/report.c:531 hdm_disconnect+0x109/0x1c0 drivers/most/most_usb.c:1125 usb_unbind_interface+0x1ee/0x860 drivers/usb/core/driver.c:458 device_remove drivers/base/dd.c:550 [inline] __device_release_driver drivers/base/dd.c:1260 [inline] device_release_driver_internal+0x522/0x850 drivers/base/dd.c:1286 bus_remove_device+0x2e2/0x400 drivers/base/bus.c:531 device_del+0x628/0xa70 drivers/base/core.c:3885 usb_disable_device+0x3e2/0x890 drivers/usb/core/message.c:1414 usb_disconnect+0x348/0x8a0 drivers/usb/core/hub.c:2286 hub_port_connect drivers/usb/core/hub.c:5333 [inline] hub_port_connect_change drivers/usb/core/hub.c:5629 [inline] port_event drivers/usb/core/hub.c:5785 [inline] hub_event+0x1d20/0x5210 drivers/usb/core/hub.c:5867 process_one_work+0x898/0x1160 kernel/workqueue.c:2292 process_scheduled_works kernel/workqueue.c:2355 [inline] worker_thread+0xd62/0x1250 kernel/workqueue.c:2441 kthread+0x29d/0x330 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Allocated by task 26: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] __kasan_kmalloc+0x8e/0xa0 mm/kasan/common.c:383 kmalloc include/linux/slab.h:563 [inline] kzalloc include/linux/slab.h:699 [inline] hdm_probe+0x8f/0x13d0 
drivers/most/most_usb.c:959 usb_probe_interface+0x5a0/0xaf0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x2aa/0xc70 drivers/base/dd.c:639 __driver_probe_device+0x18c/0x330 drivers/base/dd.c:785 driver_probe_device+0x4f/0x420 drivers/base/dd.c:815 __device_attach_driver+0x2c6/0x510 drivers/base/dd.c:943 bus_for_each_drv+0x175/0x200 drivers/base/bus.c:429 __device_attach+0x29b/0x460 drivers/base/dd.c:1015 bus_probe_device+0xbc/0x1e0 drivers/base/bus.c:489 device_add+0xa00/0xfb0 drivers/base/core.c:3697 usb_set_configuration+0x1991/0x1fd0 drivers/usb/core/message.c:2165 usb_generic_driver_probe+0x89/0x150 drivers/usb/core/generic.c:238 usb_probe_device+0x139/0x270 drivers/usb/core/driver.c:293 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x2aa/0xc70 drivers/base/dd.c:639 __driver_probe_device+0x18c/0x330 drivers/base/dd.c:785 driver_probe_device+0x4f/0x420 drivers/base/dd.c:815 __device_attach_driver+0x2c6/0x510 drivers/base/dd.c:943 bus_for_each_drv+0x175/0x200 drivers/base/bus.c:429 __device_attach+0x29b/0x460 drivers/base/dd.c:1015 bus_probe_device+0xbc/0x1e0 drivers/base/bus.c:489 device_add+0xa00/0xfb0 drivers/base/core.c:3697 usb_new_device+0xd4d/0x1620 drivers/usb/core/hub.c:2631 hub_port_connect drivers/usb/core/hub.c:5489 [inline] hub_port_connect_change drivers/usb/core/hub.c:5629 [inline] port_event drivers/usb/core/hub.c:5785 [inline] hub_event+0x2b02/0x5210 drivers/usb/core/hub.c:5867 process_one_work+0x898/0x1160 kernel/workqueue.c:2292 worker_thread+0xaa2/0x1250 kernel/workqueue.c:2439 kthread+0x29d/0x330 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Freed by task 26: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 kasan_save_free_info+0x2d/0x50 mm/kasan/generic.c:516 ____kasan_slab_free+0x126/0x1e0 mm/kasan/common.c:236 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1724 [inline] 
slab_free_freelist_hook+0x131/0x1a0 mm/slub.c:1750 slab_free mm/slub.c:3661 [inline] __kmem_cache_free+0xb6/0x1f0 mm/slub.c:3674 device_release+0x92/0x1c0 drivers/base/core.c:-1 kobject_cleanup lib/kobject.c:681 [inline] kobject_release lib/kobject.c:712 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x21d/0x460 lib/kobject.c:729 hdm_disconnect+0xef/0x1c0 drivers/most/most_usb.c:1123 usb_unbind_interface+0x1ee/0x860 drivers/usb/core/driver.c:458 device_remove drivers/base/dd.c:550 [inline] __device_release_driver drivers/base/dd.c:1260 [inline] device_release_driver_internal+0x522/0x850 drivers/base/dd.c:1286 bus_remove_device+0x2e2/0x400 drivers/base/bus.c:531 device_del+0x628/0xa70 drivers/base/core.c:3885 usb_disable_device+0x3e2/0x890 drivers/usb/core/message.c:1414 usb_disconnect+0x348/0x8a0 drivers/usb/core/hub.c:2286 hub_port_connect drivers/usb/core/hub.c:5333 [inline] hub_port_connect_change drivers/usb/core/hub.c:5629 [inline] port_event drivers/usb/core/hub.c:5785 [inline] hub_event+0x1d20/0x5210 drivers/usb/core/hub.c:5867 process_one_work+0x898/0x1160 kernel/workqueue.c:2292 process_scheduled_works kernel/workqueue.c:2355 [inline] worker_thread+0xd62/0x1250 kernel/workqueue.c:2441 kthread+0x29d/0x330 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 The buggy address belongs to the object at ffff888079a68000 which belongs to the cache kmalloc-8k of size 8192 The buggy address is located 6296 bytes inside of 8192-byte region [ffff888079a68000, ffff888079a6a000) The buggy address belongs to the physical page: page:ffffea0001e69a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x79a68 head:ffffea0001e69a00 order:3 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888017442280 raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access 
detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 26, tgid 26 (kworker/1:1), ts 70577191636, free_ts 61072107354 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x173/0x1a0 mm/page_alloc.c:2532 prep_new_page mm/page_alloc.c:2539 [inline] get_page_from_freelist+0x1a26/0x1ac0 mm/page_alloc.c:4328 __alloc_pages+0x1df/0x4e0 mm/page_alloc.c:5606 alloc_slab_page+0x5d/0x160 mm/slub.c:1794 allocate_slab mm/slub.c:1939 [inline] new_slab+0x87/0x2c0 mm/slub.c:1992 ___slab_alloc+0xbc6/0x1220 mm/slub.c:3180 __slab_alloc mm/slub.c:3279 [inline] slab_alloc_node mm/slub.c:3364 [inline] __kmem_cache_alloc_node+0x1a0/0x260 mm/slub.c:3437 kmalloc_trace+0x26/0xe0 mm/slab_common.c:1026 kmalloc include/linux/slab.h:563 [inline] kzalloc include/linux/slab.h:699 [inline] hdm_probe+0x8f/0x13d0 drivers/most/most_usb.c:959 usb_probe_interface+0x5a0/0xaf0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x2aa/0xc70 drivers/base/dd.c:639 __driver_probe_device+0x18c/0x330 drivers/base/dd.c:785 driver_probe_device+0x4f/0x420 drivers/base/dd.c:815 __device_attach_driver+0x2c6/0x510 drivers/base/dd.c:943 bus_for_each_drv+0x175/0x200 drivers/base/bus.c:429 __device_attach+0x29b/0x460 drivers/base/dd.c:1015 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1459 [inline] free_pcp_prepare mm/page_alloc.c:1509 [inline] free_unref_page_prepare+0x8b4/0x9a0 mm/page_alloc.c:3384 free_unref_page+0x2e/0x3f0 mm/page_alloc.c:3479 __skb_frag_unref include/linux/skbuff.h:3436 [inline] skb_release_data+0x499/0x7c0 net/core/skbuff.c:785 skb_release_all net/core/skbuff.c:856 [inline] __kfree_skb net/core/skbuff.c:870 [inline] skb_attempt_defer_free+0x107/0x410 net/core/skbuff.c:6676 tcp_eat_recv_skb net/ipv4/tcp.c:1661 [inline] 
tcp_recvmsg_locked+0x1190/0x22f0 net/ipv4/tcp.c:2674 tcp_recvmsg+0x212/0x810 net/ipv4/tcp.c:2720 inet_recvmsg+0x12c/0x1e0 net/ipv4/af_inet.c:890 sock_recvmsg_nosec net/socket.c:1022 [inline] sock_recvmsg net/socket.c:1040 [inline] sock_read_iter+0x2bf/0x370 net/socket.c:1121 call_read_iter include/linux/fs.h:2259 [inline] new_sync_read fs/read_write.c:389 [inline] vfs_read+0x434/0x920 fs/read_write.c:470 ksys_read+0x143/0x240 fs/read_write.c:613 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Memory state around the buggy address: ffff888079a69780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888079a69800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888079a69880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888079a69900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888079a69980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================