syzbot


ID: ffc5c8dd-4a78-4efb-a084-c062c4e1f7e4
Workflow: repro
Result: (empty)
Correct: (empty)
Bug: KASAN: use-after-free Read in usb_anchor_resume_wakeups (4)
Created: 2026/03/07 01:44
Started: 2026/03/07 01:44
Finished: 2026/03/07 01:52
Revision: 31e9c887f7dc24e04b3ca70d0d54fc34141844b0
Error: (empty)


ReproOpts:
{
    "procs": 1,
    "repeat": true,
    "sandbox": "none",
    "fault_call": -1,
    "enable_tun": true,
    "enable_netdev": true,
    "enable_cgroups": true,
    "enable_bpf": true
}


ReproSyz:
r0 = syz_usb_connect(0x0, 0x3, &(0x7f0000000080)={0x12, 0x1, 0x0, 0x2, 0x0, 0x0, 0x0, 0x40, 0x5e, 0x4, 0x8e, 0x2, 0x0, 0x1, 0x1, 0x2, 0x3, 0x1}, &(0x7f0000000100)={0x9, 0x2, 0x20, 0x0, 0x1, 0x1, 0x0, 0x80, 0x32, 0x9, 0x4, 0x0, 0x0, 0x2, 0xff, 0x5d, 0x1, 0x0, 0x7, 0x5, 0x81, 0x3, 0x20, 0x0, 0x4, 0x7, 0x5, 0x2, 0x3, 0x20, 0x0, 0x4})
r1 = syz_open_dev(&(0x7f0000000200)='input/event#\x00', 0x0, 0x2)
ioctl$EVIOCSFF(r1, 0x40304580, &(0x7f0000000300)={0x50, 0xffff, 0x0, {0x0, 0x0}, {0x0, 0x0}, @rumble={0xc000, 0xc000}})
write(r1, &(0x7f0000000400)="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x00\x01\x00\x00\x00", 0x18)
syz_usb_disconnect(r0)


SyzkallerCommit:
31e9c887f7dc24e04b3ca70d0d54fc34141844b0

Crash report:
xpad 6-1:179.65: xpad_irq_in - usb_submit_urb failed with result -19
xpad 6-1:179.65: xpad_irq_out - usb_submit_urb failed with result -19
==================================================================
BUG: KASAN: use-after-free in register_lock_class+0xe6a/0x1120 kernel/locking/lockdep.c:1336
Read of size 1 at addr ffff88801ebd7891 by task kswapd1/128

CPU: 1 PID: 128 Comm: kswapd1 Not tainted 6.0.0-rc7-syzkaller-00029-g3800a713b607 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:317 [inline]
 print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433
 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
 register_lock_class+0xe6a/0x1120 kernel/locking/lockdep.c:1336
 __lock_acquire+0x109/0x56d0 kernel/locking/lockdep.c:4932
 lock_acquire kernel/locking/lockdep.c:5666 [inline]
 lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162
 __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:136
 usb_anchor_resume_wakeups drivers/usb/core/urb.c:958 [inline]
 usb_anchor_resume_wakeups+0xbe/0xe0 drivers/usb/core/urb.c:951
 __usb_hcd_giveback_urb+0x2df/0x5c0 drivers/usb/core/hcd.c:1674
 usb_hcd_giveback_urb+0x380/0x430 drivers/usb/core/hcd.c:1754
 dummy_timer+0x11ff/0x32c0 drivers/usb/gadget/udc/dummy_hcd.c:1988
 call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474
 expire_timers kernel/time/timer.c:1519 [inline]
 __run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790
 __run_timers kernel/time/timer.c:1768 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803
 __do_softirq+0x1d3/0x9c6 kernel/softirq.c:571
 invoke_softirq kernel/softirq.c:445 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1106
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:lock_acquire+0x1ef/0x570 kernel/locking/lockdep.c:5634
Code: d1 a3 7e 83 f8 01 0f 85 e8 02 00 00 9c 58 f6 c4 02 0f 85 fb 02 00 00 48 83 7c 24 08 00 74 01 fb 48 b8 00 00 00 00 00 fc ff df <48> 01 c3 48 c7 03 00 00 00 00 48 c7 43 08 00 00 00 00 48 8b 84 24
RSP: 0018:ffffc90001faf970 EFLAGS: 00000206
RAX: dffffc0000000000 RBX: 1ffff920003f5f30 RCX: 62e6639de71c39f1
RDX: 1ffff1100314f556 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff908e1947
R10: fffffbfff211c328 R11: 0000000000000000 R12: 0000000000000002
R13: 0000000000000000 R14: ffffffff8bf86900 R15: 0000000000000000
 rcu_lock_acquire include/linux/rcupdate.h:280 [inline]
 rcu_read_lock include/linux/rcupdate.h:706 [inline]
 percpu_ref_put_many.constprop.0+0x2c/0x1a0 include/linux/percpu-refcount.h:330
 percpu_ref_put include/linux/percpu-refcount.h:351 [inline]
 css_put include/linux/cgroup.h:404 [inline]
 mem_cgroup_iter+0x2df/0x6e0 mm/memcontrol.c:1102
 shrink_node_memcgs mm/vmscan.c:3191 [inline]
 shrink_node+0x5c6/0x1e80 mm/vmscan.c:3304
 kswapd_shrink_node mm/vmscan.c:4086 [inline]
 balance_pgdat+0x8ef/0x1580 mm/vmscan.c:4277
 kswapd+0x79b/0xf80 mm/vmscan.c:4537
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
 </TASK>

Allocated by task 3966:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:437 [inline]
 ____kasan_kmalloc mm/kasan/common.c:516 [inline]
 ____kasan_kmalloc mm/kasan/common.c:475 [inline]
 __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:525
 kasan_kmalloc include/linux/kasan.h:234 [inline]
 kmem_cache_alloc_trace+0x25a/0x460 mm/slab.c:3559
 kmalloc include/linux/slab.h:600 [inline]
 kzalloc include/linux/slab.h:733 [inline]
 xpad_probe+0x26c/0x1c20 drivers/input/joystick/xpad.c:1757
 usb_probe_interface+0x30b/0x7f0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:560 [inline]
 really_probe+0x249/0xb90 drivers/base/dd.c:639
 __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808
 __device_attach_driver+0x1d0/0x2e0 drivers/base/dd.c:936
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x1e4/0x530 drivers/base/dd.c:1008
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xbd5/0x1e90 drivers/base/core.c:3517
 usb_set_configuration+0x1019/0x1900 drivers/usb/core/message.c:2170
 usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
 usb_probe_device+0xd4/0x2c0 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:560 [inline]
 really_probe+0x249/0xb90 drivers/base/dd.c:639
 __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808
 __device_attach_driver+0x1d0/0x2e0 drivers/base/dd.c:936
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x1e4/0x530 drivers/base/dd.c:1008
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xbd5/0x1e90 drivers/base/core.c:3517
 usb_new_device.cold+0x685/0x10ad drivers/usb/core/hub.c:2573
 hub_port_connect drivers/usb/core/hub.c:5353 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5497 [inline]
 port_event drivers/usb/core/hub.c:5653 [inline]
 hub_event+0x26c7/0x4610 drivers/usb/core/hub.c:5735
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

Freed by task 3889:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:367 [inline]
 ____kasan_slab_free+0x13d/0x1a0 mm/kasan/common.c:329
 kasan_slab_free include/linux/kasan.h:200 [inline]
 __cache_free mm/slab.c:3418 [inline]
 kfree+0x173/0x390 mm/slab.c:3786
 xpad_disconnect+0x1cb/0x530 drivers/input/joystick/xpad.c:1905
 usb_unbind_interface+0x1d8/0x8e0 drivers/usb/core/driver.c:458
 device_remove drivers/base/dd.c:550 [inline]
 device_remove+0x11f/0x170 drivers/base/dd.c:542
 __device_release_driver drivers/base/dd.c:1249 [inline]
 device_release_driver_internal+0x4a1/0x700 drivers/base/dd.c:1275
 bus_remove_device+0x2e3/0x590 drivers/base/bus.c:529
 device_del+0x4f3/0xc80 drivers/base/core.c:3704
 usb_disable_device+0x356/0x7a0 drivers/usb/core/message.c:1419
 usb_disconnect.cold+0x259/0x6ed drivers/usb/core/hub.c:2235
 hub_port_connect drivers/usb/core/hub.c:5197 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5497 [inline]
 port_event drivers/usb/core/hub.c:5653 [inline]
 hub_event+0x1f86/0x4610 drivers/usb/core/hub.c:5735
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

The buggy address belongs to the object at ffff88801ebd7800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 145 bytes inside of
 1024-byte region [ffff88801ebd7800, ffff88801ebd7c00)

The buggy address belongs to the physical page:
page:ffffea00007af5c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ebd7
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea00007c1a48 ffffea00006c7b48 ffff888011840700
raw: 0000000000000000 ffff88801ebd7000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2c20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_THISNODE), pid 3637, tgid 3637 (sshd), ts 59138614373, free_ts 55806174800
 prep_new_page mm/page_alloc.c:2532 [inline]
 get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283
 __alloc_pages_slowpath.constprop.0+0x34d/0x2300 mm/page_alloc.c:5084
 __alloc_pages+0x43d/0x510 mm/page_alloc.c:5562
 __alloc_pages_node include/linux/gfp.h:243 [inline]
 kmem_getpages mm/slab.c:1363 [inline]
 cache_grow_begin+0x75/0x360 mm/slab.c:2569
 cache_alloc_refill+0x27f/0x380 mm/slab.c:2942
 ____cache_alloc mm/slab.c:3018 [inline]
 ____cache_alloc mm/slab.c:3001 [inline]
 slab_alloc_node mm/slab.c:3220 [inline]
 kmem_cache_alloc_node_trace+0x50a/0x570 mm/slab.c:3601
 __do_kmalloc_node mm/slab.c:3623 [inline]
 __kmalloc_node_track_caller+0x38/0x60 mm/slab.c:3638
 kmalloc_reserve net/core/skbuff.c:362 [inline]
 __alloc_skb+0xd9/0x2f0 net/core/skbuff.c:434
 alloc_skb_fclone include/linux/skbuff.h:1307 [inline]
 tcp_stream_alloc_skb+0x38/0x580 net/ipv4/tcp.c:861
 tcp_sendmsg_locked+0xc36/0x2f80 net/ipv4/tcp.c:1325
 tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1483
 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:734
 sock_write_iter+0x291/0x3d0 net/socket.c:1108
 call_write_iter include/linux/fs.h:2187 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x9e9/0xdd0 fs/read_write.c:578
 ksys_write+0x1e8/0x250 fs/read_write.c:631
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1449 [inline]
 free_pcp_prepare+0x5e4/0xd20 mm/page_alloc.c:1499
 free_unref_page_prepare mm/page_alloc.c:3380 [inline]
 free_unref_page+0x19/0x4d0 mm/page_alloc.c:3476
 slab_destroy mm/slab.c:1615 [inline]
 slabs_destroy+0x89/0xc0 mm/slab.c:1635
 cache_flusharray mm/slab.c:3389 [inline]
 ___cache_free+0x2a8/0x3d0 mm/slab.c:3452
 qlink_free mm/kasan/quarantine.c:168 [inline]
 qlist_free_all+0x4f/0x1b0 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x97/0xb0 mm/kasan/common.c:447
 kasan_slab_alloc include/linux/kasan.h:224 [inline]
 slab_post_alloc_hook mm/slab.h:727 [inline]
 slab_alloc_node mm/slab.c:3232 [inline]
 kmem_cache_alloc_node+0x2f1/0x560 mm/slab.c:3583
 alloc_task_struct_node kernel/fork.c:172 [inline]
 dup_task_struct kernel/fork.c:969 [inline]
 copy_process+0x5c2/0x7090 kernel/fork.c:2085
 kernel_clone+0xe7/0xab0 kernel/fork.c:2671
 __do_sys_clone+0xba/0x100 kernel/fork.c:2805
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff88801ebd7780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801ebd7800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801ebd7880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff88801ebd7900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801ebd7980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
   0:	d1 a3 7e 83 f8 01    	shll   0x1f8837e(%rbx)
   6:	0f 85 e8 02 00 00    	jne    0x2f4
   c:	9c                   	pushfq
   d:	58                   	pop    %rax
   e:	f6 c4 02             	test   $0x2,%ah
  11:	0f 85 fb 02 00 00    	jne    0x312
  17:	48 83 7c 24 08 00    	cmpq   $0x0,0x8(%rsp)
  1d:	74 01                	je     0x20
  1f:	fb                   	sti
  20:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  27:	fc ff df
* 2a:	48 01 c3             	add    %rax,%rbx <-- trapping instruction
  2d:	48 c7 03 00 00 00 00 	movq   $0x0,(%rbx)
  34:	48 c7 43 08 00 00 00 	movq   $0x0,0x8(%rbx)
  3b:	00
  3c:	48                   	rex.W
  3d:	8b                   	.byte 0x8b
  3e:	84                   	.byte 0x84
  3f:	24                   	.byte 0x24

Trajectory:
Seq Timestamp Type Name Duration
0/0 2026/03/07 01:44 flow repro 7m
Results: ReproOpts, ReproSyz and SyzkallerCommit (the same values as listed above)

1/1 2026/03/07 01:44 action provide-var 0m
Results:
map[DescriptionFiles:[acpi_thermal_rel.txt aio.txt auto.txt binfmt.txt bpf.txt bpf_prog.txt bpf_trace.txt cgroup.txt damon.txt dev_ashmem.txt dev_bifrost.txt dev_binder.txt dev_binderfs.txt dev_block.txt dev_bsg.txt dev_bus_usb.txt dev_camx.txt dev_cdrom.txt dev_cec.txt dev_char_usb.txt dev_comedi.txt dev_dma_heap.txt dev_dri.txt dev_dsp.txt dev_dvb_demux.txt dev_dvb_dvr.txt dev_dvb_frontend.txt dev_fb.txt dev_floppy.txt dev_hidraw.txt dev_i2c.txt dev_i915.txt dev_img_rogue.txt dev_infiniband_rdma.txt dev_infiniband_rdma_cm.txt dev_input.txt dev_iommu.txt dev_kvm.txt dev_kvm_amd64.txt dev_kvm_arm64.txt dev_kvm_extra.txt dev_kvm_riscv64.txt dev_loop.txt dev_mali.txt dev_media.txt dev_msm.txt dev_msr.txt dev_nbd.txt dev_net_tun.txt dev_panthor.txt dev_ppp.txt dev_ptmx.txt dev_ptp.txt dev_qat_adf_ctl.txt dev_qrtr_tun.txt dev_random.txt dev_rfkill.txt dev_rtc.txt dev_sequencer.txt dev_sg.txt dev_snapshot.txt dev_snd_control.txt dev_snd_hw.txt dev_snd_midi.txt dev_snd_pcm.txt dev_snd_seq.txt dev_snd_timer.txt dev_sr.txt dev_sw_sync.txt dev_tlk_device.txt dev_trusty.txt dev_udmabuf.txt dev_uhid.txt dev_uinput.txt dev_usb_hiddev.txt dev_usbmon.txt dev_userio.txt dev_vfio.txt dev_vga_arbiter.txt dev_vhci.txt dev_video4linux.txt dev_video4linux_vim2m.txt dev_virtual_nci.txt dev_vtpm.txt fanotify.txt filesystem.txt fs_9p.txt fs_fuse.txt fs_incfs.txt fs_ioctl.txt fs_ioctl_autofs.txt fs_ioctl_btrfs.txt fs_ioctl_ext4.txt fs_ioctl_f2fs.txt fs_ioctl_fat.txt fs_ioctl_fscrypt.txt fs_ioctl_fsverity.txt fs_ioctl_xfs.txt futex.txt hafnium.txt inotify.txt io_uring.txt ipc.txt key.txt kfuzztest.txt l2cap.txt landlock.txt lsm.txt namespaces.txt net_80211.txt netfilter.txt netfilter_arp.txt netfilter_bridge.txt netfilter_ipv4.txt netfilter_ipv6.txt netfilter_ipvs.txt netfilter_targets.txt pagemap_ioctl.txt perf.txt prctl.txt quotactl.txt seccomp.txt security_apparmor.txt security_selinux.txt security_smack.txt socket.txt socket_alg.txt socket_ax25.txt socket_bluetooth.txt socket_caif.txt 
socket_can.txt socket_ieee802154.txt socket_inet.txt socket_inet6.txt socket_inet_dccp.txt socket_inet_icmp.txt socket_inet_igmp.txt socket_inet_l2tp.txt socket_inet_sctp.txt socket_inet_tcp.txt socket_inet_udp.txt socket_ip_tunnel.txt socket_isdn.txt socket_kcm.txt socket_key.txt socket_llc.txt socket_netlink.txt socket_netlink_audit.txt socket_netlink_crypto.txt socket_netlink_generic.txt socket_netlink_generic_80211.txt socket_netlink_generic_batadv.txt socket_netlink_generic_devlink.txt socket_netlink_generic_ethtool.txt socket_netlink_generic_fou.txt socket_netlink_generic_gtp.txt socket_netlink_generic_mptcp.txt socket_netlink_generic_net_dm.txt socket_netlink_generic_netlabel.txt socket_netlink_generic_nfc.txt socket_netlink_generic_seg6.txt socket_netlink_generic_smc.txt socket_netlink_generic_team.txt socket_netlink_generic_wireguard.txt socket_netlink_netfilter.txt socket_netlink_netfilter_acct.txt socket_netlink_netfilter_conntrack.txt socket_netlink_netfilter_conntrack_exp.txt socket_netlink_netfilter_conntrack_helper.txt socket_netlink_netfilter_ipset.txt socket_netlink_netfilter_log.txt socket_netlink_netfilter_nft_compat.txt socket_netlink_netfilter_nftables.txt socket_netlink_netfilter_osf.txt socket_netlink_netfilter_queue.txt socket_netlink_netfilter_timeout.txt socket_netlink_rdma.txt socket_netlink_route.txt socket_netlink_route_sched.txt socket_netlink_route_sched_retired.txt socket_netlink_sock_diag.txt socket_netlink_xfrm.txt socket_netrom.txt socket_nfc.txt socket_nvme_of_tcp.txt socket_packet.txt socket_phonet.txt socket_pppox.txt socket_qipcrtr.txt socket_rds.txt socket_rose.txt socket_rxrpc.txt socket_tipc.txt socket_tipc_netlink.txt socket_unix.txt socket_vnet.txt socket_x25.txt socket_xdp.txt sys.txt uffd.txt usbip.txt vmw_vmci.txt vnet.txt vnet_mptcp.txt vusb.txt watch_queue.txt xattr.txt] SyzkallerCommit:31e9c887f7dc24e04b3ca70d0d54fc34141844b0]

2/1 2026/03/07 01:44 action kernel-checkouter 0m
Results:
map[KernelSrc:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/src/fb9fc4b35d5e053c159b83c60c7a33fded2a20fc]

3/1 2026/03/07 01:45 action kernel-builder 3m
Results:
map[KernelObj:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/build/622a481f2470a2153f8292c1d2b6473dea98b4ff]

4/1 2026/03/07 01:49 agent crash-repro-finder 2m
Model:
gemini-3-pro-preview

Results:
map[ReproOpts:{
    "procs": 1,
    "repeat": true,
    "sandbox": "none",
    "fault_call": -1,
    "enable_tun": true,
    "enable_netdev": true,
    "enable_cgroups": true,
    "enable_bpf": true
}]

Instruction:
You are an expert in linux kernel fuzzing. Your goal is to write a syzkaller program to trigger a specific bug.
Print only the syz program that could be executed directly, without backticks.

Use set-results tool to provide results of the analysis.
It must be called exactly once before the final reply.
Ignore results of this tool.

Prompt:
Bug Title: KASAN: use-after-free Read in usb_anchor_resume_wakeups

Original Crash Report: identical to the crash report shown above.

The list of existing description files: the same DescriptionFiles list as given in the provide-var results above.
socket_netlink_netfilter_conntrack_exp.txt
socket_netlink_netfilter_conntrack_helper.txt
socket_netlink_netfilter_ipset.txt
socket_netlink_netfilter_log.txt
socket_netlink_netfilter_nft_compat.txt
socket_netlink_netfilter_nftables.txt
socket_netlink_netfilter_osf.txt
socket_netlink_netfilter_queue.txt
socket_netlink_netfilter_timeout.txt
socket_netlink_rdma.txt
socket_netlink_route.txt
socket_netlink_route_sched.txt
socket_netlink_route_sched_retired.txt
socket_netlink_sock_diag.txt
socket_netlink_xfrm.txt
socket_netrom.txt
socket_nfc.txt
socket_nvme_of_tcp.txt
socket_packet.txt
socket_phonet.txt
socket_pppox.txt
socket_qipcrtr.txt
socket_rds.txt
socket_rose.txt
socket_rxrpc.txt
socket_tipc.txt
socket_tipc_netlink.txt
socket_unix.txt
socket_vnet.txt
socket_x25.txt
socket_xdp.txt
sys.txt
uffd.txt
usbip.txt
vmw_vmci.txt
vnet.txt
vnet_mptcp.txt
vusb.txt
watch_queue.txt
xattr.txt


Reply:
r0 = syz_usb_connect(0x0, 0x3, &(0x7f0000000080)={0x12, 0x1, 0x0, 0x2, 0x0, 0x0, 0x0, 0x40, 0x5e, 0x4, 0x8e, 0x2, 0x0, 0x1, 0x1, 0x2, 0x3, 0x1}, &(0x7f0000000100)={0x9, 0x2, 0x20, 0x0, 0x1, 0x1, 0x0, 0x80, 0x32, 0x9, 0x4, 0x0, 0x0, 0x2, 0xff, 0x5d, 0x1, 0x0, 0x7, 0x5, 0x81, 0x3, 0x20, 0x0, 0x4, 0x7, 0x5, 0x2, 0x3, 0x20, 0x0, 0x4})
r1 = syz_open_dev(&(0x7f0000000200)='input/event#\x00', 0x0, 0x2)
ioctl$EVIOCSFF(r1, 0x40304580, &(0x7f0000000300)={0x50, 0xffff, 0x0, {0x0, 0x0}, {0x0, 0x0}, @rumble={0xc000, 0xc000}})
write(r1, &(0x7f0000000400)="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x00\x01\x00\x00\x00", 0x18)
syz_usb_disconnect(r0)

5/2 2026/03/07 01:49 llm crash-repro-finder
2m Model:
gemini-3-pro-preview

Tokens:
input: 8098
output: 92
thoughts: 15347

Thoughts:
**Reproducing the KASAN UAF in `usb_anchor_resume_wakeups`**

Alright, let's break this down. The goal is a syzkaller program to trigger a KASAN use-after-free in `usb_anchor_resume_wakeups`, specifically within the `dummy_hcd` context, related to an Xbox controller's disconnection. The crash report pinpoints a UAF within `register_lock_class`, called through a chain involving `usb_anchor_resume_wakeups`, likely accessing a freed lock in a context of URB (USB Request Block) completion.

The key is `xpad`, the Xbox controller driver. The scenario: an `xpad` device is probed, URBs are submitted, the device is disconnected via `xpad_disconnect`, the `xpad` structure is freed, but the URB completion handler (`usb_anchor_resume_wakeups`) still tries to access freed memory via the anchor.  The specific object freed appears to be a structure, and the use-after-free is on `anchor->wait` - part of the `usb_anchor` structure, embedded within the `xpad` struct.

The driver code confirms the presence of `usb_anchor irq_out_anchor` within the `usb_xpad` structure. `xpad_probe` initializes this anchor. During disconnection, `xpad_disconnect` calls `usb_kill_anchored_urbs` *only* if the device type is Xbox 360 Wireless (`XTYPE_XBOX360W`). The issue? For a standard wired Xbox 360 controller (not the wireless one), the `usb_kill_anchored_urbs` call, which would prevent the UAF by waiting for the URBs to finish, is skipped. `xpad_disconnect` *immediately* frees the `xpad` structure.  Meanwhile, in `dummy_hcd`, the timer fires, the URB completes, and `usb_anchor_resume_wakeups` accesses the freed anchor within the `xpad` structure.

To trigger this, the strategy involves emulating an Xbox 360 *wired* controller using `syz_usb_connect`. It must have an output endpoint, so force feedback is possible. I will provide the correct USB descriptors for an Xbox 360 controller with an interrupt IN and interrupt OUT endpoint. The descriptors include Vendor/Product IDs and interface class/protocol. The plan involves sending force feedback commands, submitting and anchoring a URB, and then disconnecting the controller. This is done with `ioctl(fd, EVIOCSFF, ...)` to upload a force feedback effect and `write(fd, ...)` to trigger it. Then,  `syz_usb_disconnect` will lead to the vulnerable sequence.

I need to construct the USB descriptors for `syz_usb_connect`.  I'll define device, configuration, interface, and endpoint descriptors (18 + 9 + 9 + 7 + 7 = 50 bytes total) for an Xbox 360 wired controller. The controller is assigned VID 0x045e, PID 0x028e.

The `syzkaller` program must perform these actions:

1.  Connect the emulated device with `syz_usb_connect`, supplying the descriptors (50 bytes).
2.  Open the input device with `syz_open_dev`; the returned file descriptor is used in the following steps.
3.  Upload a force feedback effect (rumble effect) with `ioctl$EVIOCSFF` (command = 0x40304580, `struct ff_effect`).
4.  Play the effect using `write(fd, &event, len)` where the event has type `EV_FF` (0x15), code (0) and value = 1.
5.  Disconnect with `syz_usb_disconnect`.

The critical point is that, in `xpad_play_effect`, `irq_out` is anchored. `xpad_disconnect` does *not* call `usb_kill_anchored_urbs` to cancel the URB, and the timer completes after the xpad struct is freed. The `ioctl` setup uses an `ff_effect` struct with type set to `FF_RUMBLE` (0x50), id to 0xffffffff (so we let the driver set it), and force magnitude to maximum (0xc000, 0xc000).

The syzkaller program should look like this (slightly tweaked for clarity and potential type compatibility within syzkaller):

```
r0 = syz_usb_connect(0x0, 0x1, &(
```

6/2 2026/03/07 01:51 tool set-results
0m Args:
map[ReproOpts:{
    "procs": 1,
    "repeat": true,
    "sandbox": "none",
    "fault_call": -1,
    "enable_tun": true,
    "enable_netdev": true,
    "enable_cgroups": true,
    "enable_bpf": true
}]

Results:
map[ReproOpts:{
    "procs": 1,
    "repeat": true,
    "sandbox": "none",
    "fault_call": -1,
    "enable_tun": true,
    "enable_netdev": true,
    "enable_cgroups": true,
    "enable_bpf": true
}]

7/2 2026/03/07 01:51 llm crash-repro-finder
0m Model:
gemini-3-pro-preview

Tokens:
input: 24652
output: 584
thoughts: 5370

Thoughts:
**Finalized Syz Program for USB Device Interaction**

Okay, let's break this down. My goal here is to craft a `syz` program to interact with a USB device, specifically targeting a rumble effect on a controller. I'm building this piece by piece, ensuring that everything lines up with the expected device behavior and syzkaller's idiosyncrasies.

First, I need a connection. The core function is `syz_usb_connect`.  I've got the signature now: `syz_usb_connect(port int64, speed int64, dev ptr[in, usb_device_descriptor], extra ptr[in, array[int8]])`. It's crucial to split the device descriptor data correctly here.  The `dev` pointer references the standard 18-byte `usb_device_descriptor`, while `extra` covers all the other descriptors like configuration, interfaces, and endpoints.  I have the bytes for all of these. I am using `High Speed`.

Next, I need to open the input device, which I am doing via `syz_open_dev`, and I have the correct path, permissions and flags.

I then use `ioctl$EVIOCSFF` to upload a force feedback effect.  The `ff_effect` struct initialization is a bit of a tricky beast, particularly regarding unions and alignment, so I re-verified the correct struct size and the necessary initializer values. The command number `0x40304580` is what I need. I am creating a rumble effect (type `0x50`), with a value of `0xc000`, a signed 16-bit value in the rumble union.

Now the critical part – triggering the effect using `write`. The `input_event` struct has the form of `struct input_event { time, type, code, value }`.  I need to make sure I get the byte layout right. The `time` field is a `struct timeval`, or the equivalent of two 64-bit integers. I'm carefully constructing the 24-byte payload.

Finally, I disconnect the device using `syz_usb_disconnect` to clean up.

With a final check on the sizes, speed, and device characteristics, I am using:

```
r0 = syz_usb_connect(0x0, 0x3, &(0x7f0000000080)={0x12, 0x1, 0x0, 0x2, 0x0, 0x0, 0x0, 0x40, 0x5e, 0x4, 0x8e, 0x2, 0x0, 0x1, 0x1, 0x2, 0x3, 0x1}, &(0x7f0000000100)={0x9, 0x2, 0x20, 0x0, 0x1, 0x1, 0x0, 0x80, 0x32, 0x9, 0x4, 0x0, 0x0, 0x2, 0xff, 0x5d, 0x1, 0x0, 0x7, 0x5, 0x81, 0x3, 0x20, 0x0, 0x4, 0x7, 0x5, 0x2, 0x3, 0x20, 0x0, 0x4})
r1 = syz_open_dev(&(0x7f0000000200)='input/event#\x00', 0x0, 0x2)
ioctl$EVIOCSFF(r1, 0x40304580, &(0x7f0000000300)={0x50, 0xffff, 0x0, {0x0, 0x0}, {0x0, 0x0}, @rumble={0xc000, 0xc000}})
write(r1, &(0x7f0000000400)="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x
```

LLM Calls Summary:
Total Calls Total Tokens Avg Tokens Total Duration (Seconds) Avg Duration (Seconds)
Tool Calls Summary:
Total Calls Total Duration (Seconds) Avg Duration (Seconds)