Extracting prog: 10m13.98666934s Minimizing prog: 15m37.561017847s Simplifying prog options: 0s Extracting C: 1m20.876820271s Simplifying C: 10m42.532400704s extracting reproducer from 30 programs testing a last program of every proc single: executing 5 programs separately with timeout 30s testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_MAXSEG detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x1, 0x84) setsockopt$inet_sctp6_SCTP_MAXSEG(r0, 0x84, 0xd, 0x0, 0x0) program did not crash testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_sctp-setsockopt$inet_sctp_SCTP_INITMSG detailed listing: executing program 0: r0 = socket$inet_sctp(0x2, 0x1, 0x84) setsockopt$inet_sctp_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x0, 0x0, 0x0, 0xfff}, 0x8) program did not crash testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true 
HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0xc, 0xe, &(0x7f0000001180)=ANY=[@ANYBLOB="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"], &(0x7f0000000340)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000080)={r0, 0x18000000000002a0, 0xe2c, 0x60000000, &(0x7f0000000100)="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", 0x0, 0xfe, 0x60000000}, 0x2c) program did not crash testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-mount$overlay detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f0000000140)='ext4\x00', &(0x7f0000000000)='./bus\x00', 0xe, &(0x7f0000000200)={[{@lazytime}, {@resuid={'resuid', 0x3d, 0xee01}}, {@debug_want_extra_isize={'debug_want_extra_isize', 0x3d, 0x2e}}, {@nombcache}, {@quota}, {@quota}]}, 0xff, 0x443, &(0x7f0000000940)="$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") mount$overlay(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000000), 0x10010, &(0x7f0000007b00)={[{@redirect_dir_off}, {@userxattr}], [], 0x2c}) program did not crash testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true 
KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_mount_image$vfat detailed listing: executing program 0: syz_usb_connect(0x2, 0x249, &(0x7f0000000840)={{0x12, 0x1, 0x200, 0x1c, 0xb0, 0x25, 0x10, 0x424, 0xcf18, 0x5606, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x237, 0x1, 0x8, 0x4, 0xa0, 0x1, [{{0x9, 0x4, 0x21, 0x10, 0xb, 0x57, 0xa1, 0xb5, 0xe, [], [{{0x9, 0x5, 0xf, 0x2, 0x8, 0x4, 0xd, 0x9, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x1, 0x9}, @generic={0x4e, 0xb, "3198d497815054a1f3048c1c9b19c3ba1c12c7fc94ac0bdbc5b8276b6fafb021998546cff4e4f5b4f1e9fc32f5e53f6dc465ecf36baf355201b067152fd1c5aefe527fa77d5c056cc48cdcdf"}]}}, {{0x9, 0x5, 0x7, 0x0, 0x40, 0x1, 0x10, 0x9, [@generic={0x5f, 0xe, "cfe461cd13b89458fa8d4fb188266705f23f80f0c30fec00355e5296a7ff6a6ff166448695b4572dd47b60f98f68dfe5ea32bfb18d61fc3b88b1752d154f07aeb89872783bedc202e90e65265c3049921b3be119c221612c7489e1200a"}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x3}]}}, {{0x9, 0x5, 0x0, 0x10, 0x20, 0xe, 0xf, 0x9}}, {{0x9, 0x5, 0x7, 0x8, 0x20, 0x5, 0x4, 0x7, [@generic={0xa5, 0x0, "2183db1b073188ca59bbc67c16406fa2d485145e3c5b74e4240110f8a5e1c3004d5ac539fe80b1ba6273f8542f9153496848cbd84044079c12b6a0ea2b79047b302a96f4fe9cea796c1ece5598a3008302eaefd6e423ae30a1e3121973237f930b84bf9c52f7342142c09a1d624f1739d349a6bdee6a6ad7b24d662e1190d68362ad9fc5457b9a88b5c641629b681f49a2460c9c014d56ee15b1c64beabd9fe422e004"}]}}, {{0x9, 0x5, 0x7, 0x3, 0x400, 0x2, 0xcb, 0x0, [@generic={0x57, 0x21, "1f8de14016aa58582f732c74a3e98da615c96a859b5471f9db30bccc5cb70712080030964b9b2cefce386f9cf37a2d3faad575c4173a266d0ac7802c690aac1ed72787c4c6518a46aad20062774c5f1f05b91f5115"}]}}, {{0x9, 0x5, 0x4, 0x2, 0x200, 0x5, 0x83, 0xb, [@generic={0x2, 0x6}]}}, {{0x9, 0x5, 0x4, 0x0, 0x3ff, 0xfe, 0xf7, 0x10}}, {{0x9, 0x5, 0x80, 0xc, 0x8, 0x4, 0xc, 0xf9}}, {{0x9, 0x5, 0x80, 0xc, 0x3ff, 0x4, 0x6, 
0xbb}}, {{0x9, 0x5, 0x7, 0x10, 0x10, 0x3, 0x0, 0x80}}, {{0x9, 0x5, 0x9, 0xc, 0x0, 0x8, 0xfd, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x2, 0x6}, @generic={0x2, 0xd}]}}]}}]}}]}}, &(0x7f0000000380)={0xa, &(0x7f0000000080)={0xa, 0x6, 0x250, 0x4, 0x2, 0x3, 0x20, 0x10}, 0x13, &(0x7f00000000c0)={0x5, 0xf, 0x13, 0x2, [@ext_cap={0x7, 0x10, 0x2, 0x2, 0x7, 0x8, 0x4}, @ext_cap={0x7, 0x10, 0x2, 0x4, 0x8, 0x8, 0x1d8}]}, 0x3, [{0x82, &(0x7f0000000100)=@string={0x82, 0x3, "f063154320b05f3ce59f19c4bc5979670af2e92ad5409ab99055ccdc639e56ab180de1cf4672940934dd5f9858f3a34b59e4e7907052d4508958c1ce1d2b0e0c7bb5d3d37bec462fa7e198140313bed0f8b4b38dbc7e8bcbcbc6f0ef503d118447108faa9a4c824e78e30a9a24b21146bff55f6f8a085176f6485a603714113b"}}, {0x2, &(0x7f00000001c0)=@string={0x2}}, {0x4, &(0x7f0000000240)=@lang_id={0x4, 0x3, 0xc2a}}]}) syz_mount_image$vfat(&(0x7f0000000040), &(0x7f0000000000)='./file0\x00', 0xc1d, &(0x7f0000000280)={[{@fat=@showexec}, {@uni_xlate}, {@numtail}, {@rodir}, {@utf8}, {@numtail}, {@uni_xlate}, {@fat=@uid}, {@uni_xlateno}, {@utf8}, {@uni_xlateno}, {@shortname_winnt}, {@fat=@time_offset={'time_offset', 0x3d, 0x54e}}, {@numtail}, {@fat=@dos1xfloppy}, {@utf8no}]}, 0xf5, 0x2e5, &(0x7f0000000540)="$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") program crashed: KASAN: use-after-free Read in hdm_disconnect single: successfully extracted reproducer found reproducer with 2 syscalls minimizing guilty program testing program (duration=1m1.008079312s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect detailed listing: executing program 0: syz_usb_connect(0x2, 0x249, &(0x7f0000000840)={{0x12, 0x1, 
0x200, 0x1c, 0xb0, 0x25, 0x10, 0x424, 0xcf18, 0x5606, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x237, 0x1, 0x8, 0x4, 0xa0, 0x1, [{{0x9, 0x4, 0x21, 0x10, 0xb, 0x57, 0xa1, 0xb5, 0xe, [], [{{0x9, 0x5, 0xf, 0x2, 0x8, 0x4, 0xd, 0x9, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x1, 0x9}, @generic={0x4e, 0xb, "3198d497815054a1f3048c1c9b19c3ba1c12c7fc94ac0bdbc5b8276b6fafb021998546cff4e4f5b4f1e9fc32f5e53f6dc465ecf36baf355201b067152fd1c5aefe527fa77d5c056cc48cdcdf"}]}}, {{0x9, 0x5, 0x7, 0x0, 0x40, 0x1, 0x10, 0x9, [@generic={0x5f, 0xe, "cfe461cd13b89458fa8d4fb188266705f23f80f0c30fec00355e5296a7ff6a6ff166448695b4572dd47b60f98f68dfe5ea32bfb18d61fc3b88b1752d154f07aeb89872783bedc202e90e65265c3049921b3be119c221612c7489e1200a"}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x3}]}}, {{0x9, 0x5, 0x0, 0x10, 0x20, 0xe, 0xf, 0x9}}, {{0x9, 0x5, 0x7, 0x8, 0x20, 0x5, 0x4, 0x7, [@generic={0xa5, 0x0, "2183db1b073188ca59bbc67c16406fa2d485145e3c5b74e4240110f8a5e1c3004d5ac539fe80b1ba6273f8542f9153496848cbd84044079c12b6a0ea2b79047b302a96f4fe9cea796c1ece5598a3008302eaefd6e423ae30a1e3121973237f930b84bf9c52f7342142c09a1d624f1739d349a6bdee6a6ad7b24d662e1190d68362ad9fc5457b9a88b5c641629b681f49a2460c9c014d56ee15b1c64beabd9fe422e004"}]}}, {{0x9, 0x5, 0x7, 0x3, 0x400, 0x2, 0xcb, 0x0, [@generic={0x57, 0x21, "1f8de14016aa58582f732c74a3e98da615c96a859b5471f9db30bccc5cb70712080030964b9b2cefce386f9cf37a2d3faad575c4173a266d0ac7802c690aac1ed72787c4c6518a46aad20062774c5f1f05b91f5115"}]}}, {{0x9, 0x5, 0x4, 0x2, 0x200, 0x5, 0x83, 0xb, [@generic={0x2, 0x6}]}}, {{0x9, 0x5, 0x4, 0x0, 0x3ff, 0xfe, 0xf7, 0x10}}, {{0x9, 0x5, 0x80, 0xc, 0x8, 0x4, 0xc, 0xf9}}, {{0x9, 0x5, 0x80, 0xc, 0x3ff, 0x4, 0x6, 0xbb}}, {{0x9, 0x5, 0x7, 0x10, 0x10, 0x3, 0x0, 0x80}}, {{0x9, 0x5, 0x9, 0xc, 0x0, 0x8, 0xfd, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x2, 0x6}, @generic={0x2, 0xd}]}}]}}]}}]}}, &(0x7f0000000380)={0xa, &(0x7f0000000080)={0xa, 0x6, 0x250, 0x4, 0x2, 0x3, 0x20, 0x10}, 0x13, &(0x7f00000000c0)={0x5, 0xf, 0x13, 0x2, [@ext_cap={0x7, 0x10, 0x2, 0x2, 0x7, 0x8, 0x4}, 
@ext_cap={0x7, 0x10, 0x2, 0x4, 0x8, 0x8, 0x1d8}]}, 0x3, [{0x82, &(0x7f0000000100)=@string={0x82, 0x3, "f063154320b05f3ce59f19c4bc5979670af2e92ad5409ab99055ccdc639e56ab180de1cf4672940934dd5f9858f3a34b59e4e7907052d4508958c1ce1d2b0e0c7bb5d3d37bec462fa7e198140313bed0f8b4b38dbc7e8bcbcbc6f0ef503d118447108faa9a4c824e78e30a9a24b21146bff55f6f8a085176f6485a603714113b"}}, {0x2, &(0x7f00000001c0)=@string={0x2}}, {0x4, &(0x7f0000000240)=@lang_id={0x4, 0x3, 0xc2a}}]}) program crashed: KASAN: use-after-free Read in hdm_disconnect testing program (duration=1m1.008079312s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect detailed listing: executing program 0: syz_usb_connect(0x2, 0x0, 0x0, &(0x7f0000000380)={0xa, &(0x7f0000000080)={0xa, 0x6, 0x250, 0x4, 0x2, 0x3, 0x20, 0x10}, 0x13, &(0x7f00000000c0)={0x5, 0xf, 0x13, 0x2, [@ext_cap={0x7, 0x10, 0x2, 0x2, 0x7, 0x8, 0x4}, @ext_cap={0x7, 0x10, 0x2, 0x4, 0x8, 0x8, 0x1d8}]}, 0x3, [{0x82, &(0x7f0000000100)=@string={0x82, 0x3, "f063154320b05f3ce59f19c4bc5979670af2e92ad5409ab99055ccdc639e56ab180de1cf4672940934dd5f9858f3a34b59e4e7907052d4508958c1ce1d2b0e0c7bb5d3d37bec462fa7e198140313bed0f8b4b38dbc7e8bcbcbc6f0ef503d118447108faa9a4c824e78e30a9a24b21146bff55f6f8a085176f6485a603714113b"}}, {0x2, &(0x7f00000001c0)=@string={0x2}}, {0x4, &(0x7f0000000240)=@lang_id={0x4, 0x3, 0xc2a}}]}) program did not crash testing program (duration=1m1.008079312s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false 
USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect detailed listing: executing program 0: syz_usb_connect(0x2, 0x24, &(0x7f0000000840)={{0x12, 0x1, 0x200, 0x1c, 0xb0, 0x25, 0x10, 0x424, 0xcf18, 0x5606, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x8, 0x4, 0xa0, 0x1, [{{0x9, 0x4, 0x21, 0x10, 0x0, 0x57, 0xa1, 0xb5, 0xe}}]}}]}}, &(0x7f0000000380)={0xa, &(0x7f0000000080)={0xa, 0x6, 0x250, 0x4, 0x2, 0x3, 0x20, 0x10}, 0x13, &(0x7f00000000c0)={0x5, 0xf, 0x13, 0x2, [@ext_cap={0x7, 0x10, 0x2, 0x2, 0x7, 0x8, 0x4}, @ext_cap={0x7, 0x10, 0x2, 0x4, 0x8, 0x8, 0x1d8}]}, 0x3, [{0x82, &(0x7f0000000100)=@string={0x82, 0x3, "f063154320b05f3ce59f19c4bc5979670af2e92ad5409ab99055ccdc639e56ab180de1cf4672940934dd5f9858f3a34b59e4e7907052d4508958c1ce1d2b0e0c7bb5d3d37bec462fa7e198140313bed0f8b4b38dbc7e8bcbcbc6f0ef503d118447108faa9a4c824e78e30a9a24b21146bff55f6f8a085176f6485a603714113b"}}, {0x2, &(0x7f00000001c0)=@string={0x2}}, {0x4, &(0x7f0000000240)=@lang_id={0x4, 0x3, 0xc2a}}]}) program crashed: KASAN: use-after-free Read in hdm_disconnect testing program (duration=1m1.008079312s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect detailed listing: executing program 0: syz_usb_connect(0x2, 0x24, &(0x7f0000000840)={{0x12, 0x1, 0x200, 0x1c, 0xb0, 0x25, 0x10, 0x424, 0xcf18, 0x5606, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x8, 0x4, 0xa0, 0x1, [{{0x9, 0x4, 0x21, 0x10, 0x0, 0x57, 0xa1, 0xb5, 0xe}}]}}]}}, 0x0) program did not crash testing program 
(duration=1m1.008079312s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect detailed listing: executing program 0: syz_usb_connect(0x2, 0x24, &(0x7f0000000840)={{0x12, 0x1, 0x200, 0x1c, 0xb0, 0x25, 0x10, 0x424, 0xcf18, 0x5606, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x8, 0x4, 0xa0, 0x1, [{{0x9, 0x4, 0x21, 0x10, 0x0, 0x57, 0xa1, 0xb5, 0xe}}]}}]}}, &(0x7f0000000380)={0x0, 0x0, 0x13, &(0x7f00000000c0)={0x5, 0xf, 0x13, 0x2, [@ext_cap={0x7, 0x10, 0x2, 0x2, 0x7, 0x8, 0x4}, @ext_cap={0x7, 0x10, 0x2, 0x4, 0x8, 0x8, 0x1d8}]}, 0x3, [{0x82, &(0x7f0000000100)=@string={0x82, 0x3, "f063154320b05f3ce59f19c4bc5979670af2e92ad5409ab99055ccdc639e56ab180de1cf4672940934dd5f9858f3a34b59e4e7907052d4508958c1ce1d2b0e0c7bb5d3d37bec462fa7e198140313bed0f8b4b38dbc7e8bcbcbc6f0ef503d118447108faa9a4c824e78e30a9a24b21146bff55f6f8a085176f6485a603714113b"}}, {0x2, &(0x7f00000001c0)=@string={0x2}}, {0x4, &(0x7f0000000240)=@lang_id={0x4, 0x3, 0xc2a}}]}) program crashed: KASAN: use-after-free Read in hdm_disconnect testing program (duration=1m1.008079312s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect detailed listing: executing program 0: syz_usb_connect(0x2, 0x24, &(0x7f0000000840)={{0x12, 0x1, 0x200, 0x1c, 0xb0, 0x25, 0x10, 0x424, 0xcf18, 
0x5606, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x8, 0x4, 0xa0, 0x1, [{{0x9, 0x4, 0x21, 0x10, 0x0, 0x57, 0xa1, 0xb5, 0xe}}]}}]}}, &(0x7f0000000380)={0x0, 0x0, 0x0, 0x0, 0x3, [{0x82, &(0x7f0000000100)=@string={0x82, 0x3, "f063154320b05f3ce59f19c4bc5979670af2e92ad5409ab99055ccdc639e56ab180de1cf4672940934dd5f9858f3a34b59e4e7907052d4508958c1ce1d2b0e0c7bb5d3d37bec462fa7e198140313bed0f8b4b38dbc7e8bcbcbc6f0ef503d118447108faa9a4c824e78e30a9a24b21146bff55f6f8a085176f6485a603714113b"}}, {0x2, &(0x7f00000001c0)=@string={0x2}}, {0x4, &(0x7f0000000240)=@lang_id={0x4, 0x3, 0xc2a}}]}) program crashed: KASAN: use-after-free Read in hdm_disconnect testing program (duration=1m1.008079312s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect detailed listing: executing program 0: syz_usb_connect(0x2, 0x24, &(0x7f0000000840)={{0x12, 0x1, 0x200, 0x1c, 0xb0, 0x25, 0x10, 0x424, 0xcf18, 0x5606, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x8, 0x4, 0xa0, 0x1, [{{0x9, 0x4, 0x21, 0x10, 0x0, 0x57, 0xa1, 0xb5, 0xe}}]}}]}}, &(0x7f0000000380)={0x0, 0x0, 0x0, 0x0}) program crashed: KASAN: use-after-free Read in hdm_disconnect extracting C reproducer testing compiled C program (duration=1m1.008079312s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): 
syz_usb_connect program crashed: KASAN: use-after-free Read in hdm_disconnect simplifying C reproducer testing compiled C program (duration=1m1.008079312s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: use-after-free Read in hdm_disconnect testing compiled C program (duration=1m1.008079312s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: use-after-free Read in hdm_disconnect testing compiled C program (duration=1m1.008079312s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: use-after-free Read in hdm_disconnect testing compiled C program (duration=1m1.008079312s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false 
KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: use-after-free Read in hdm_disconnect testing compiled C program (duration=1m1.008079312s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: use-after-free Read in hdm_disconnect testing compiled C program (duration=1m1.008079312s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: use-after-free Read in hdm_disconnect testing compiled C program (duration=1m1.008079312s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: use-after-free Read in hdm_disconnect reproducing took 
37m54.956941161s repro crashed as (corrupted=false): usb 1-1: Manufacturer: syz usb 1-1: SerialNumber: syz usb 1-1: USB disconnect, device number 2 ================================================================== BUG: KASAN: use-after-free in hdm_disconnect+0xf8/0x190 drivers/most/most_usb.c:1125 Read of size 8 at addr ffff0000d919d978 by task kworker/1:2/1534 CPU: 1 PID: 1534 Comm: kworker/1:2 Not tainted 5.15.179-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Workqueue: usb_hub_wq hub_event Call trace: dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106 print_address_description+0x7c/0x3f0 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:434 [inline] kasan_report+0x174/0x1e4 mm/kasan/report.c:451 __asan_report_load8_noabort+0x44/0x50 mm/kasan/report_generic.c:309 hdm_disconnect+0xf8/0x190 drivers/most/most_usb.c:1125 usb_unbind_interface+0x1a4/0x758 drivers/usb/core/driver.c:458 __device_release_driver drivers/base/dd.c:1229 [inline] device_release_driver_internal+0x464/0x6ac drivers/base/dd.c:1262 device_release_driver+0x28/0x38 drivers/base/dd.c:1285 bus_remove_device+0x298/0x38c drivers/base/bus.c:531 device_del+0x57c/0x9b4 drivers/base/core.c:3600 usb_disable_device+0x354/0x760 drivers/usb/core/message.c:1414 usb_disconnect+0x290/0x7e8 drivers/usb/core/hub.c:2259 hub_port_connect drivers/usb/core/hub.c:5311 [inline] hub_port_connect_change drivers/usb/core/hub.c:5607 [inline] port_event drivers/usb/core/hub.c:5753 [inline] hub_event+0x1718/0x46b8 drivers/usb/core/hub.c:5835 process_one_work+0x790/0x11b8 kernel/workqueue.c:2310 process_scheduled_works kernel/workqueue.c:2373 [inline] worker_thread+0xb88/0x1034 kernel/workqueue.c:2459 kthread+0x37c/0x45c kernel/kthread.c:334 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870 Allocated by task 
1534: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] ____kasan_kmalloc+0xbc/0xfc mm/kasan/common.c:513 __kasan_kmalloc+0x10/0x1c mm/kasan/common.c:522 kasan_kmalloc include/linux/kasan.h:264 [inline] kmem_cache_alloc_trace+0x27c/0x47c mm/slub.c:3247 kmalloc include/linux/slab.h:591 [inline] kzalloc include/linux/slab.h:721 [inline] hdm_probe+0xa4/0x1044 drivers/most/most_usb.c:959 usb_probe_interface+0x500/0x984 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x26c/0xaec drivers/base/dd.c:595 __driver_probe_device+0x194/0x3b4 drivers/base/dd.c:755 driver_probe_device+0x78/0x34c drivers/base/dd.c:785 __device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:907 bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:429 __device_attach+0x2f0/0x480 drivers/base/dd.c:979 device_initial_probe+0x24/0x34 drivers/base/dd.c:1028 bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:489 device_add+0xae0/0xef4 drivers/base/core.c:3412 usb_set_configuration+0x15e0/0x1b60 drivers/usb/core/message.c:2165 usb_generic_driver_probe+0x8c/0x148 drivers/usb/core/generic.c:238 usb_probe_device+0x120/0x25c drivers/usb/core/driver.c:293 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x26c/0xaec drivers/base/dd.c:595 __driver_probe_device+0x194/0x3b4 drivers/base/dd.c:755 driver_probe_device+0x78/0x34c drivers/base/dd.c:785 __device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:907 bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:429 __device_attach+0x2f0/0x480 drivers/base/dd.c:979 device_initial_probe+0x24/0x34 drivers/base/dd.c:1028 bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:489 device_add+0xae0/0xef4 drivers/base/core.c:3412 usb_new_device+0x900/0x1468 drivers/usb/core/hub.c:2604 hub_port_connect drivers/usb/core/hub.c:5467 [inline] hub_port_connect_change drivers/usb/core/hub.c:5607 [inline] port_event drivers/usb/core/hub.c:5753 [inline] 
hub_event+0x236c/0x46b8 drivers/usb/core/hub.c:5835 process_one_work+0x790/0x11b8 kernel/workqueue.c:2310 worker_thread+0x910/0x1034 kernel/workqueue.c:2457 kthread+0x37c/0x45c kernel/kthread.c:334 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870 Freed by task 1534: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track+0x4c/0x84 mm/kasan/common.c:46 kasan_set_free_info+0x28/0x4c mm/kasan/generic.c:360 ____kasan_slab_free+0x118/0x164 mm/kasan/common.c:366 __kasan_slab_free+0x18/0x28 mm/kasan/common.c:374 kasan_slab_free include/linux/kasan.h:230 [inline] slab_free_hook mm/slub.c:1705 [inline] slab_free_freelist_hook+0x128/0x1ec mm/slub.c:1731 slab_free mm/slub.c:3499 [inline] kfree+0x178/0x410 mm/slub.c:4559 release_mdev+0x20/0x30 drivers/most/most_usb.c:932 device_release+0x8c/0x1ac drivers/base/core.c:-1 kobject_cleanup lib/kobject.c:713 [inline] kobject_release lib/kobject.c:744 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x2c4/0x438 lib/kobject.c:761 put_device drivers/base/core.c:3520 [inline] device_unregister+0x3c/0xcc drivers/base/core.c:3634 most_deregister_interface+0x3e0/0x42c drivers/most/core.c:1402 hdm_disconnect+0xe0/0x190 drivers/most/most_usb.c:1123 usb_unbind_interface+0x1a4/0x758 drivers/usb/core/driver.c:458 __device_release_driver drivers/base/dd.c:1229 [inline] device_release_driver_internal+0x464/0x6ac drivers/base/dd.c:1262 device_release_driver+0x28/0x38 drivers/base/dd.c:1285 bus_remove_device+0x298/0x38c drivers/base/bus.c:531 device_del+0x57c/0x9b4 drivers/base/core.c:3600 usb_disable_device+0x354/0x760 drivers/usb/core/message.c:1414 usb_disconnect+0x290/0x7e8 drivers/usb/core/hub.c:2259 hub_port_connect drivers/usb/core/hub.c:5311 [inline] hub_port_connect_change drivers/usb/core/hub.c:5607 [inline] port_event drivers/usb/core/hub.c:5753 [inline] hub_event+0x1718/0x46b8 drivers/usb/core/hub.c:5835 process_one_work+0x790/0x11b8 kernel/workqueue.c:2310 process_scheduled_works kernel/workqueue.c:2373 
[inline] worker_thread+0xb88/0x1034 kernel/workqueue.c:2459 kthread+0x37c/0x45c kernel/kthread.c:334 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870 The buggy address belongs to the object at ffff0000d919c000 which belongs to the cache kmalloc-8k of size 8192 The buggy address is located 6520 bytes inside of 8192-byte region [ffff0000d919c000, ffff0000d919e000) The buggy address belongs to the page: page:000000000354411f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x119198 head:000000000354411f order:3 compound_mapcount:0 compound_pincount:0 flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff) raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002c00 raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000d919d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff0000d919d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff0000d919d900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff0000d919d980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff0000d919da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ------------[ cut here ]------------ refcount_t: underflow; use-after-free. 
WARNING: CPU: 1 PID: 1534 at lib/refcount.c:28 refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28 Modules linked in: CPU: 1 PID: 1534 Comm: kworker/1:2 Tainted: G B 5.15.179-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Workqueue: usb_hub_wq hub_event pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28 lr : refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28 sp : ffff800023d072f0 x29: ffff800023d072f0 x28: ffff800016ad14c0 x27: ffff0000caa72000 x26: 1fffe0001954ea07 x25: dfff800000000000 x24: ffff0000caa73030 x23: 1fffe0001b2338bb x22: ffff0000caa7503c x21: 0000000000000003 x20: ffff0000caa75038 x19: ffff800016fd2000 x18: 0000000000000001 x17: 0000000000000000 x16: ffff800011b59ca8 x15: 00000000ffffffff x14: ffff0000ccce1b40 x13: 0000000000000001 x12: 0000000000000001 x11: 0000000000000000 x10: 0000000000000000 x9 : dfb4ed2fcf04b900 x8 : dfb4ed2fcf04b900 x7 : 0000000000000000 x6 : ffff800011c1d92c x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff800008046154 x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000026 Call trace: refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28 __refcount_sub_and_test include/linux/refcount.h:283 [inline] __refcount_dec_and_test include/linux/refcount.h:315 [inline] refcount_dec_and_test include/linux/refcount.h:333 [inline] kref_put include/linux/kref.h:64 [inline] kobject_put+0x1a8/0x438 lib/kobject.c:761 put_device+0x28/0x40 drivers/base/core.c:3520 hdm_disconnect+0x170/0x190 drivers/most/most_usb.c:1129 usb_unbind_interface+0x1a4/0x758 drivers/usb/core/driver.c:458 __device_release_driver drivers/base/dd.c:1229 [inline] device_release_driver_internal+0x464/0x6ac drivers/base/dd.c:1262 device_release_driver+0x28/0x38 drivers/base/dd.c:1285 bus_remove_device+0x298/0x38c drivers/base/bus.c:531 device_del+0x57c/0x9b4 drivers/base/core.c:3600 usb_disable_device+0x354/0x760 
drivers/usb/core/message.c:1414 usb_disconnect+0x290/0x7e8 drivers/usb/core/hub.c:2259 hub_port_connect drivers/usb/core/hub.c:5311 [inline] hub_port_connect_change drivers/usb/core/hub.c:5607 [inline] port_event drivers/usb/core/hub.c:5753 [inline] hub_event+0x1718/0x46b8 drivers/usb/core/hub.c:5835 process_one_work+0x790/0x11b8 kernel/workqueue.c:2310 process_scheduled_works kernel/workqueue.c:2373 [inline] worker_thread+0xb88/0x1034 kernel/workqueue.c:2459 kthread+0x37c/0x45c kernel/kthread.c:334 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870 irq event stamp: 41648 hardirqs last enabled at (41647): [] kasan_quarantine_put+0xdc/0x204 mm/kasan/quarantine.c:231 hardirqs last disabled at (41648): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] hardirqs last disabled at (41648): [] _raw_spin_lock_irqsave+0xfc/0x14c kernel/locking/spinlock.c:162 softirqs last enabled at (41426): [] softirq_handle_end kernel/softirq.c:401 [inline] softirqs last enabled at (41426): [] handle_softirqs+0xb88/0xdbc kernel/softirq.c:586 softirqs last disabled at (41415): [] __do_softirq kernel/softirq.c:592 [inline] softirqs last disabled at (41415): [] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline] softirqs last disabled at (41415): [] invoke_softirq kernel/softirq.c:439 [inline] softirqs last disabled at (41415): [] __irq_exit_rcu+0x268/0x4d8 kernel/softirq.c:641 ---[ end trace 4091f0d58e001bfa ]--- usb 1-1: new full-speed USB device number 3 using dummy_hcd usb 1-1: not running at top speed; connect to a high speed hub usb 1-1: config 8 has an invalid interface number: 33 but max is 0 usb 1-1: config 8 has no interface number 0 usb 1-1: config 8 interface 33 has no altsetting 0 usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06 usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 usb 1-1: Product: syz usb 1-1: Manufacturer: syz usb 1-1: SerialNumber: syz usb 1-1: USB disconnect, device number 3 
usb 1-1: new full-speed USB device number 4 using dummy_hcd
usb 1-1: not running at top speed; connect to a high speed hub
usb 1-1: config 8 has an invalid interface number: 33 but max is 0
usb 1-1: config 8 has no interface number 0
usb 1-1: config 8 interface 33 has no altsetting 0
usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: USB disconnect, device number 4
usb 1-1: new full-speed USB device number 5 using dummy_hcd
usb 1-1: not running at top speed; connect to a high speed hub
usb 1-1: config 8 has an invalid interface number: 33 but max is 0
usb 1-1: config 8 has no interface number 0
usb 1-1: config 8 interface 33 has no altsetting 0
usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: USB disconnect, device number 5
usb 1-1: new full-speed USB device number 6 using dummy_hcd
usb 1-1: not running at top speed; connect to a high speed hub
usb 1-1: config 8 has an invalid interface number: 33 but max is 0
usb 1-1: config 8 has no interface number 0
usb 1-1: config 8 interface 33 has no altsetting 0
usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: USB disconnect, device number 6
usb 1-1: new full-speed USB device number 7 using dummy_hcd
usb 1-1: not running at top speed; connect to a high speed hub
usb 1-1: config 8 has an invalid interface number: 33 but max is 0
usb 1-1: config 8 has no interface number 0
usb 1-1: config 8 interface 33 has no altsetting 0
usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: USB disconnect, device number 7
usb 1-1: new full-speed USB device number 8 using dummy_hcd
usb 1-1: not running at top speed; connect to a high speed hub
usb 1-1: config 8 has an invalid interface number: 33 but max is 0
usb 1-1: config 8 has no interface number 0
usb 1-1: config 8 interface 33 has no altsetting 0
usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: USB disconnect, device number 8
usb 1-1: new full-speed USB device number 9 using dummy_hcd
usb 1-1: not running at top speed; connect to a high speed hub
usb 1-1: config 8 has an invalid interface number: 33 but max is 0
usb 1-1: config 8 has no interface number 0
usb 1-1: config 8 interface 33 has no altsetting 0
usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: USB disconnect, device number 9
usb 1-1: new full-speed USB device number 10 using dummy_hcd
usb 1-1: not running at top speed; connect to a high speed hub
usb 1-1: config 8 has an invalid interface number: 33 but max is 0
usb 1-1: config 8 has no interface number 0
usb 1-1: config 8 interface 33 has no altsetting 0
usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz

final repro crashed as (corrupted=false):
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: USB disconnect, device number 2
==================================================================
BUG: KASAN: use-after-free in hdm_disconnect+0xf8/0x190 drivers/most/most_usb.c:1125
Read of size 8 at addr ffff0000d919d978 by task kworker/1:2/1534

CPU: 1 PID: 1534 Comm: kworker/1:2 Not tainted 5.15.179-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: usb_hub_wq hub_event
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
__asan_report_load8_noabort+0x44/0x50 mm/kasan/report_generic.c:309
hdm_disconnect+0xf8/0x190 drivers/most/most_usb.c:1125
usb_unbind_interface+0x1a4/0x758 drivers/usb/core/driver.c:458
__device_release_driver drivers/base/dd.c:1229 [inline]
device_release_driver_internal+0x464/0x6ac drivers/base/dd.c:1262
device_release_driver+0x28/0x38 drivers/base/dd.c:1285
bus_remove_device+0x298/0x38c drivers/base/bus.c:531
device_del+0x57c/0x9b4 drivers/base/core.c:3600
usb_disable_device+0x354/0x760 drivers/usb/core/message.c:1414
usb_disconnect+0x290/0x7e8 drivers/usb/core/hub.c:2259
hub_port_connect drivers/usb/core/hub.c:5311 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5607 [inline]
port_event drivers/usb/core/hub.c:5753 [inline]
hub_event+0x1718/0x46b8 drivers/usb/core/hub.c:5835
process_one_work+0x790/0x11b8 kernel/workqueue.c:2310
process_scheduled_works kernel/workqueue.c:2373 [inline]
worker_thread+0xb88/0x1034 kernel/workqueue.c:2459
kthread+0x37c/0x45c kernel/kthread.c:334
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870

Allocated by task 1534:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xbc/0xfc mm/kasan/common.c:513
__kasan_kmalloc+0x10/0x1c mm/kasan/common.c:522
kasan_kmalloc include/linux/kasan.h:264 [inline]
kmem_cache_alloc_trace+0x27c/0x47c mm/slub.c:3247
kmalloc include/linux/slab.h:591 [inline]
kzalloc include/linux/slab.h:721 [inline]
hdm_probe+0xa4/0x1044 drivers/most/most_usb.c:959
usb_probe_interface+0x500/0x984 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26c/0xaec drivers/base/dd.c:595
__driver_probe_device+0x194/0x3b4 drivers/base/dd.c:755
driver_probe_device+0x78/0x34c drivers/base/dd.c:785
__device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:907
bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:429
__device_attach+0x2f0/0x480 drivers/base/dd.c:979
device_initial_probe+0x24/0x34 drivers/base/dd.c:1028
bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:489
device_add+0xae0/0xef4 drivers/base/core.c:3412
usb_set_configuration+0x15e0/0x1b60 drivers/usb/core/message.c:2165
usb_generic_driver_probe+0x8c/0x148 drivers/usb/core/generic.c:238
usb_probe_device+0x120/0x25c drivers/usb/core/driver.c:293
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26c/0xaec drivers/base/dd.c:595
__driver_probe_device+0x194/0x3b4 drivers/base/dd.c:755
driver_probe_device+0x78/0x34c drivers/base/dd.c:785
__device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:907
bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:429
__device_attach+0x2f0/0x480 drivers/base/dd.c:979
device_initial_probe+0x24/0x34 drivers/base/dd.c:1028
bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:489
device_add+0xae0/0xef4 drivers/base/core.c:3412
usb_new_device+0x900/0x1468 drivers/usb/core/hub.c:2604
hub_port_connect drivers/usb/core/hub.c:5467 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5607 [inline]
port_event drivers/usb/core/hub.c:5753 [inline]
hub_event+0x236c/0x46b8 drivers/usb/core/hub.c:5835
process_one_work+0x790/0x11b8 kernel/workqueue.c:2310
worker_thread+0x910/0x1034 kernel/workqueue.c:2457
kthread+0x37c/0x45c kernel/kthread.c:334
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870

Freed by task 1534:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4c/0x84 mm/kasan/common.c:46
kasan_set_free_info+0x28/0x4c mm/kasan/generic.c:360
____kasan_slab_free+0x118/0x164 mm/kasan/common.c:366
__kasan_slab_free+0x18/0x28 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1705 [inline]
slab_free_freelist_hook+0x128/0x1ec mm/slub.c:1731
slab_free mm/slub.c:3499 [inline]
kfree+0x178/0x410 mm/slub.c:4559
release_mdev+0x20/0x30 drivers/most/most_usb.c:932
device_release+0x8c/0x1ac drivers/base/core.c:-1
kobject_cleanup lib/kobject.c:713 [inline]
kobject_release lib/kobject.c:744 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x2c4/0x438 lib/kobject.c:761
put_device drivers/base/core.c:3520 [inline]
device_unregister+0x3c/0xcc drivers/base/core.c:3634
most_deregister_interface+0x3e0/0x42c drivers/most/core.c:1402
hdm_disconnect+0xe0/0x190 drivers/most/most_usb.c:1123
usb_unbind_interface+0x1a4/0x758 drivers/usb/core/driver.c:458
__device_release_driver drivers/base/dd.c:1229 [inline]
device_release_driver_internal+0x464/0x6ac drivers/base/dd.c:1262
device_release_driver+0x28/0x38 drivers/base/dd.c:1285
bus_remove_device+0x298/0x38c drivers/base/bus.c:531
device_del+0x57c/0x9b4 drivers/base/core.c:3600
usb_disable_device+0x354/0x760 drivers/usb/core/message.c:1414
usb_disconnect+0x290/0x7e8 drivers/usb/core/hub.c:2259
hub_port_connect drivers/usb/core/hub.c:5311 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5607 [inline]
port_event drivers/usb/core/hub.c:5753 [inline]
hub_event+0x1718/0x46b8 drivers/usb/core/hub.c:5835
process_one_work+0x790/0x11b8 kernel/workqueue.c:2310
process_scheduled_works kernel/workqueue.c:2373 [inline]
worker_thread+0xb88/0x1034 kernel/workqueue.c:2459
kthread+0x37c/0x45c kernel/kthread.c:334
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870

The buggy address belongs to the object at ffff0000d919c000 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 6520 bytes inside of 8192-byte region [ffff0000d919c000, ffff0000d919e000)
The buggy address belongs to the page:
page:000000000354411f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x119198
head:000000000354411f order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002c00
raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000d919d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000d919d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000d919d900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff0000d919d980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000d919da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 1534 at lib/refcount.c:28 refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 1534 Comm: kworker/1:2 Tainted: G B 5.15.179-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: usb_hub_wq hub_event
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28
lr : refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28
sp : ffff800023d072f0
x29: ffff800023d072f0 x28: ffff800016ad14c0 x27: ffff0000caa72000
x26: 1fffe0001954ea07 x25: dfff800000000000 x24: ffff0000caa73030
x23: 1fffe0001b2338bb x22: ffff0000caa7503c x21: 0000000000000003
x20: ffff0000caa75038 x19: ffff800016fd2000 x18: 0000000000000001
x17: 0000000000000000 x16: ffff800011b59ca8 x15: 00000000ffffffff
x14: ffff0000ccce1b40 x13: 0000000000000001 x12: 0000000000000001
x11: 0000000000000000 x10: 0000000000000000 x9 : dfb4ed2fcf04b900
x8 : dfb4ed2fcf04b900 x7 : 0000000000000000 x6 : ffff800011c1d92c
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff800008046154
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000026
Call trace:
refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28
__refcount_sub_and_test include/linux/refcount.h:283 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
kref_put include/linux/kref.h:64 [inline]
kobject_put+0x1a8/0x438 lib/kobject.c:761
put_device+0x28/0x40 drivers/base/core.c:3520
hdm_disconnect+0x170/0x190 drivers/most/most_usb.c:1129
usb_unbind_interface+0x1a4/0x758 drivers/usb/core/driver.c:458
__device_release_driver drivers/base/dd.c:1229 [inline]
device_release_driver_internal+0x464/0x6ac drivers/base/dd.c:1262
device_release_driver+0x28/0x38 drivers/base/dd.c:1285
bus_remove_device+0x298/0x38c drivers/base/bus.c:531
device_del+0x57c/0x9b4 drivers/base/core.c:3600
usb_disable_device+0x354/0x760 drivers/usb/core/message.c:1414
usb_disconnect+0x290/0x7e8 drivers/usb/core/hub.c:2259
hub_port_connect drivers/usb/core/hub.c:5311 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5607 [inline]
port_event drivers/usb/core/hub.c:5753 [inline]
hub_event+0x1718/0x46b8 drivers/usb/core/hub.c:5835
process_one_work+0x790/0x11b8 kernel/workqueue.c:2310
process_scheduled_works kernel/workqueue.c:2373 [inline]
worker_thread+0xb88/0x1034 kernel/workqueue.c:2459
kthread+0x37c/0x45c kernel/kthread.c:334
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
irq event stamp: 41648
hardirqs last enabled at (41647): [] kasan_quarantine_put+0xdc/0x204 mm/kasan/quarantine.c:231
hardirqs last disabled at (41648): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (41648): [] _raw_spin_lock_irqsave+0xfc/0x14c kernel/locking/spinlock.c:162
softirqs last enabled at (41426): [] softirq_handle_end kernel/softirq.c:401 [inline]
softirqs last enabled at (41426): [] handle_softirqs+0xb88/0xdbc kernel/softirq.c:586
softirqs last disabled at (41415): [] __do_softirq kernel/softirq.c:592 [inline]
softirqs last disabled at (41415): [] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
softirqs last disabled at (41415): [] invoke_softirq kernel/softirq.c:439 [inline]
softirqs last disabled at (41415): [] __irq_exit_rcu+0x268/0x4d8 kernel/softirq.c:641
---[ end trace 4091f0d58e001bfa ]---
usb 1-1: new full-speed USB device number 3 using dummy_hcd
usb 1-1: not running at top speed; connect to a high speed hub
usb 1-1: config 8 has an invalid interface number: 33 but max is 0
usb 1-1: config 8 has no interface number 0
usb 1-1: config 8 interface 33 has no altsetting 0
usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: USB disconnect, device number 3
usb 1-1: new full-speed USB device number 4 using dummy_hcd
usb 1-1: not running at top speed; connect to a high speed hub
usb 1-1: config 8 has an invalid interface number: 33 but max is 0
usb 1-1: config 8 has no interface number 0
usb 1-1: config 8 interface 33 has no altsetting 0
usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: USB disconnect, device number 4
usb 1-1: new full-speed USB device number 5 using dummy_hcd
usb 1-1: not running at top speed; connect to a high speed hub
usb 1-1: config 8 has an invalid interface number: 33 but max is 0
usb 1-1: config 8 has no interface number 0
usb 1-1: config 8 interface 33 has no altsetting 0
usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: USB disconnect, device number 5
usb 1-1: new full-speed USB device number 6 using dummy_hcd
usb 1-1: not running at top speed; connect to a high speed hub
usb 1-1: config 8 has an invalid interface number: 33 but max is 0
usb 1-1: config 8 has no interface number 0
usb 1-1: config 8 interface 33 has no altsetting 0
usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: USB disconnect, device number 6
usb 1-1: new full-speed USB device number 7 using dummy_hcd
usb 1-1: not running at top speed; connect to a high speed hub
usb 1-1: config 8 has an invalid interface number: 33 but max is 0
usb 1-1: config 8 has no interface number 0
usb 1-1: config 8 interface 33 has no altsetting 0
usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: USB disconnect, device number 7
usb 1-1: new full-speed USB device number 8 using dummy_hcd
usb 1-1: not running at top speed; connect to a high speed hub
usb 1-1: config 8 has an invalid interface number: 33 but max is 0
usb 1-1: config 8 has no interface number 0
usb 1-1: config 8 interface 33 has no altsetting 0
usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: USB disconnect, device number 8
usb 1-1: new full-speed USB device number 9 using dummy_hcd
usb 1-1: not running at top speed; connect to a high speed hub
usb 1-1: config 8 has an invalid interface number: 33 but max is 0
usb 1-1: config 8 has no interface number 0
usb 1-1: config 8 interface 33 has no altsetting 0
usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: USB disconnect, device number 9
usb 1-1: new full-speed USB device number 10 using dummy_hcd
usb 1-1: not running at top speed; connect to a high speed hub
usb 1-1: config 8 has an invalid interface number: 33 but max is 0
usb 1-1: config 8 has no interface number 0
usb 1-1: config 8 interface 33 has no altsetting 0
usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz