syzbot


KASAN: slab-use-after-free Read in hidraw_report_event

Status: upstream: reported C repro on 2026/04/27 03:28
Subsystems: input usb
Reported-by: syzbot+9eebf5f6544c5e873858@syzkaller.appspotmail.com
First crash: 21d, last: 14d
AI Jobs (1)
ID: 691c7a86-1fa7-4e56-aa9c-250cc0e43701
Workflow: moderation
Result: Actionable: ✅ Confident: ✅
Bug: KASAN: slab-use-after-free Read in hidraw_report_event
Created: 2026/04/25 00:02
Started: 2026/04/25 00:02
Finished: 2026/04/25 00:30
Revision: 9c2d0995bb06e7518555bd3b755e327c89b59823
Cause bisection: failed (error log, bisect log)
Discussions (2)
Title Replies (including bot) Last reply
[syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event 9 (19) 2026/04/28 21:19
[PATCH] hwmon: prevent packets from going to driver for probe 1 (1) 2026/04/28 04:12
Last patch testing requests (10)
Created Duration User Patch Repo Result
2026/05/11 22:18 32m retest repro linux-next OK log
2026/04/28 20:27 35m hdanton@sina.com patch linux-next OK log
2026/04/28 11:34 25m hdanton@sina.com patch linux-next report log
2026/04/28 08:00 49m hdanton@sina.com patch linux-next report log
2026/04/28 03:51 32m hdanton@sina.com patch linux-next report log
2026/04/28 01:04 40m eadavis@qq.com patch linux-next OK log
2026/04/27 23:21 31m hdanton@sina.com patch linux-next report log
2026/04/27 13:11 33m eadavis@qq.com patch linux-next report log
2026/04/27 09:18 3h29m eadavis@qq.com patch linux-next report log
2026/04/27 05:05 31m eadavis@qq.com patch linux-next OK log

Sample crash report:
==================================================================
BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0x40/0x60 kernel/locking/spinlock.c:166
Read of size 1 at addr ffff888078d38b88 by task syz.4.10460/28694

CPU: 0 UID: 0 PID: 28694 Comm: syz.4.10460 Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
 <IRQ>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description+0x55/0x1e0 mm/kasan/report.c:378
 print_report+0x58/0x70 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:574
 kasan_check_byte include/linux/kasan.h:402 [inline]
 lock_acquire+0x84/0x350 kernel/locking/lockdep.c:5842
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline]
 _raw_spin_lock_irqsave+0x40/0x60 kernel/locking/spinlock.c:166
 hidraw_report_event+0x5a/0x3b0 drivers/hid/hidraw.c:577
 hid_report_raw_event+0x311/0x1730 drivers/hid/hid-core.c:2076
 __hid_input_report drivers/hid/hid-core.c:2152 [inline]
 hid_input_report+0x44b/0x580 drivers/hid/hid-core.c:2174
 hid_irq_in+0x47e/0x6d0 drivers/hid/usbhid/hid-core.c:286
 __usb_hcd_giveback_urb+0x376/0x540 drivers/usb/core/hcd.c:1657
 dummy_timer+0xbc0/0x4650 drivers/usb/gadget/udc/dummy_hcd.c:2005
 __run_hrtimer kernel/time/hrtimer.c:1930 [inline]
 __hrtimer_run_queues+0x3c0/0xa20 kernel/time/hrtimer.c:1994
 hrtimer_run_softirq+0x17a/0x240 kernel/time/hrtimer.c:2011
 handle_softirqs+0x22a/0x840 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1061
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:179 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x47/0x80 kernel/locking/spinlock.c:198
Code: f7 e8 8d f4 e7 f5 f7 c3 00 02 00 00 74 05 e8 60 7d 13 f6 9c 58 a9 00 02 00 00 75 27 f7 c3 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> d4 76 d9 f5 65 8b 05 1d e3 85 07 85 c0 74 18 5b 41 5e e9 41 48
RSP: 0018:ffffc90004fa7a78 EFLAGS: 00000206
RAX: 0000000000000006 RBX: 0000000000000282 RCX: 0000000080000001
RDX: 0000000000000000 RSI: ffffffff8dfd5677 RDI: 0000000000000001
RBP: 0000000000000000 R08: ffffffff903364f7 R09: 1ffffffff2066c9e
R10: dffffc0000000000 R11: fffffbfff2066c9f R12: ffff88802be2f6e8
R13: ffff88802be2f6e0 R14: ffffffff9a737998 R15: 0000000000000001
 __debug_check_no_obj_freed lib/debugobjects.c:1125 [inline]
 debug_check_no_obj_freed+0x52e/0x550 lib/debugobjects.c:1146
 slab_free_hook mm/slub.c:2620 [inline]
 slab_free mm/slub.c:6246 [inline]
 kfree+0x13e/0x640 mm/slub.c:6561
 raw_ioctl_ep_write drivers/usb/gadget/legacy/raw_gadget.c:1154 [inline]
 raw_ioctl+0x2536/0x41c0 drivers/usb/gadget/legacy/raw_gadget.c:1325
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe9ec79c4ab
Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
RSP: 002b:00007fe9ed6a8f60 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fe9ec79c4ab
RDX: 00007fe9ed6a8fe0 RSI: 0000000040085507 RDI: 0000000000000003
RBP: 0000000000000003 R08: 00007fe9ecb40320 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 0000200000000180
R13: 0000000000000000 R14: 00007fe9eca15fa0 R15: 00007fe9ecb3fa48
 </TASK>

Allocated by task 27856:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x31c/0x660 mm/slub.c:5415
 kmalloc_noprof include/linux/slab.h:950 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 hidraw_connect+0x57/0x420 drivers/hid/hidraw.c:606
 hid_connect+0x5bf/0x19d0 drivers/hid/hid-core.c:2277
 hid_hw_start+0xa8/0x120 drivers/hid/hid-core.c:2387
 corsairpsu_probe+0xd9/0x3c0 drivers/hwmon/corsair-psu.c:782
 __hid_device_probe drivers/hid/hid-core.c:2783 [inline]
 hid_device_probe+0x416/0x7a0 drivers/hid/hid-core.c:2820
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x267/0xaf0 drivers/base/dd.c:709
 __driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
 driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
 __device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
 bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
 __device_attach+0x2c5/0x450 drivers/base/dd.c:1101
 device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
 bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
 device_add+0x7e9/0xbb0 drivers/base/core.c:3706
 hid_add_device+0x272/0x3e0 drivers/hid/hid-core.c:2964
 usbhid_probe+0xbab/0x1080 drivers/hid/usbhid/hid-core.c:1448
 usb_probe_interface+0x659/0xc70 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x267/0xaf0 drivers/base/dd.c:709
 __driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
 driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
 __device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
 bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
 __device_attach+0x2c5/0x450 drivers/base/dd.c:1101
 device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
 bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
 device_add+0x7e9/0xbb0 drivers/base/core.c:3706
 usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2268
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x267/0xaf0 drivers/base/dd.c:709
 __driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
 driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
 __device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
 bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
 __device_attach+0x2c5/0x450 drivers/base/dd.c:1101
 device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
 bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
 device_add+0x7e9/0xbb0 drivers/base/core.c:3706
 usb_new_device+0xa08/0x16f0 drivers/usb/core/hub.c:2695
 hub_port_connect drivers/usb/core/hub.c:5567 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
 port_event drivers/usb/core/hub.c:5871 [inline]
 hub_event+0x2a1c/0x4f30 drivers/usb/core/hub.c:5953
 process_one_work kernel/workqueue.c:3302 [inline]
 process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3385
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3466
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff888078d38b00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 136 bytes inside of
 freed 192-byte region [ffff888078d38b00, ffff888078d38bc0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78d38
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88813fe2d3c0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 24161, tgid 24160 (syz.4.8496), ts 566355812900, free_ts 566350512729
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1858
 prep_new_page mm/page_alloc.c:1866 [inline]
 get_page_from_freelist+0x24ba/0x2540 mm/page_alloc.c:3946
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5226
 alloc_slab_page mm/slub.c:3278 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3467
 new_slab mm/slub.c:3525 [inline]
 refill_objects+0x339/0x3d0 mm/slub.c:7251
 refill_sheaf mm/slub.c:2816 [inline]
 __pcs_replace_empty_main+0x321/0x720 mm/slub.c:4651
 alloc_from_pcs mm/slub.c:4749 [inline]
 slab_alloc_node mm/slub.c:4883 [inline]
 __do_kmalloc_node mm/slub.c:5294 [inline]
 __kmalloc_node_noprof+0x577/0x7c0 mm/slub.c:5301
 kmalloc_node_noprof include/linux/slab.h:1081 [inline]
 alloc_slab_obj_exts+0xbf/0x250 mm/slub.c:2171
 __memcg_slab_post_alloc_hook+0x5c4/0xe80 mm/memcontrol.c:3466
 memcg_slab_post_alloc_hook mm/slub.c:2461 [inline]
 slab_post_alloc_hook mm/slub.c:4580 [inline]
 slab_alloc_node mm/slub.c:4898 [inline]
 kmem_cache_alloc_noprof+0x347/0x650 mm/slub.c:4905
 alloc_buffer_head+0x2a/0x270 fs/buffer.c:2934
 folio_alloc_buffers+0x19b/0x640 fs/buffer.c:831
 create_empty_buffers+0x3a/0x530 fs/buffer.c:1581
 __block_write_begin_int+0x3c2/0x1910 fs/buffer.c:2016
 iomap_write_begin+0x1071/0x14f0 fs/iomap/buffered-io.c:1014
 iomap_write_iter fs/iomap/buffered-io.c:1144 [inline]
 iomap_file_buffered_write+0x47a/0xb30 fs/iomap/buffered-io.c:1225
page last free pid 15 tgid 15 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1402 [inline]
 __free_frozen_pages+0xbc7/0xd30 mm/page_alloc.c:2943
 rcu_do_batch kernel/rcu/tree.c:2617 [inline]
 rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869
 handle_softirqs+0x22a/0x840 kernel/softirq.c:622
 run_ksoftirqd+0x36/0x60 kernel/softirq.c:1076
 smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff888078d38a80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff888078d38b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888078d38b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                      ^
 ffff888078d38c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888078d38c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
   0:	f7 e8                	imul   %eax
   2:	8d                   	lea    (bad),%esi
   3:	f4                   	hlt
   4:	e7 f5                	out    %eax,$0xf5
   6:	f7 c3 00 02 00 00    	test   $0x200,%ebx
   c:	74 05                	je     0x13
   e:	e8 60 7d 13 f6       	call   0xf6137d73
  13:	9c                   	pushf
  14:	58                   	pop    %rax
  15:	a9 00 02 00 00       	test   $0x200,%eax
  1a:	75 27                	jne    0x43
  1c:	f7 c3 00 02 00 00    	test   $0x200,%ebx
  22:	74 01                	je     0x25
  24:	fb                   	sti
  25:	bf 01 00 00 00       	mov    $0x1,%edi
* 2a:	e8 d4 76 d9 f5       	call   0xf5d97703 <-- trapping instruction
  2f:	65 8b 05 1d e3 85 07 	mov    %gs:0x785e31d(%rip),%eax        # 0x785e353
  36:	85 c0                	test   %eax,%eax
  38:	74 18                	je     0x52
  3a:	5b                   	pop    %rbx
  3b:	41 5e                	pop    %r14
  3d:	e9                   	.byte 0xe9
  3e:	41                   	rex.B
  3f:	48                   	rex.W
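Before trusting a report like the one above, a triager checks that its arithmetic is self-consistent: the faulting address, the object base and cache size, the "N bytes inside of" line and the shadow-memory dump should all agree, and the shadow byte under the address should say why KASAN fired. The Python script below is an added example, not part of the syzbot page or of the kernel tree. It parses the lines excerpted from the report above, decodes the shadow bytes assuming the generic-KASAN 8:1 encoding from mm/kasan/kasan.h and 64-bit addresses, and classifies the access. The names parse_report, shadow_byte, object_extent_from_shadow and describe_access are the script's own.

```python
import re

# Excerpt copied from the KASAN report on this page, trimmed to the lines the
# parser consumes (access line, object description, shadow-memory dump).
REPORT = """\
BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline]
Read of size 1 at addr ffff888078d38b88 by task syz.4.10460/28694
The buggy address belongs to the object at ffff888078d38b00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 136 bytes inside of
 freed 192-byte region [ffff888078d38b00, ffff888078d38bc0)
Memory state around the buggy address:
 ffff888078d38a80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff888078d38b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888078d38b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                      ^
 ffff888078d38c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888078d38c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
"""

GRANULE = 8               # bytes covered by one shadow byte (generic KASAN, 8:1 mapping)
ROW_BYTES = 16 * GRANULE  # one dumped row holds 16 shadow bytes = 128 bytes of memory

# Shadow encodings from mm/kasan/kasan.h; values 0x01..0x07 mean only the first
# N bytes of the granule are valid (a partially used last granule).
SHADOW_MEANING = {
    0x00: "accessible",
    0xfa: "freed slab object (free meta)",
    0xfb: "freed slab object",
    0xfc: "slab redzone",
    0xfe: "page redzone",
    0xff: "freed page",
}


def parse_report(text):
    """Extract the faulting access, the slab object description and the shadow dump."""
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    access = {"kind": m.group(1), "size": int(m.group(2)), "addr": int(m.group(3), 16)}
    m = re.search(r"belongs to the object at ([0-9a-f]+)\n which belongs to the cache (\S+) of size (\d+)", text)
    obj = {"base": int(m.group(1), 16), "cache": m.group(2), "size": int(m.group(3))}
    m = re.search(r"located (\d+) bytes (inside|to the left|to the right) of\n (freed )?(\d+)-byte region", text)
    obj.update({"rel_bytes": int(m.group(1)), "rel": m.group(2), "freed": m.group(3) is not None})
    shadow = {}  # row start address -> 16 shadow bytes
    for row in re.finditer(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", text, re.M):
        shadow[int(row.group(1), 16)] = [int(b, 16) for b in row.group(2).split()]
    return {"access": access, "object": obj, "shadow": shadow}


def shadow_byte(shadow, addr):
    """Shadow byte describing addr, or None if the dump does not cover that row."""
    row = addr & ~(ROW_BYTES - 1)
    if row not in shadow:
        return None
    return shadow[row][(addr - row) // GRANULE]


def object_extent_from_shadow(shadow, base):
    """Bytes from base up to the first redzone granule; cross-checks the cache size."""
    n = 0
    while shadow_byte(shadow, base + n * GRANULE) not in (None, 0xfc, 0xfe):
        n += 1
    return n * GRANULE


def describe_access(report):
    a, o, s = report["access"], report["object"], report["shadow"]
    offset = a["addr"] - o["base"]
    b = shadow_byte(s, a["addr"])
    partial = b is not None and 0 < b < GRANULE
    if b in (0xfa, 0xfb):
        cls = "use-after-free"
    elif b in (0xfc, 0xfe) or partial:
        cls = "out-of-bounds"
    else:
        cls = "unclassified"
    extent = object_extent_from_shadow(s, o["base"])
    return {
        "offset": offset,
        "shadow": b,
        "meaning": SHADOW_MEANING.get(b, "partial granule" if partial else "unknown"),
        "classification": cls,
        # Consistency checks: does the arithmetic printed in the report hold up?
        "offset_matches_report": o["rel"] == "inside" and offset == o["rel_bytes"],
        "object_bytes_from_shadow": extent,
        "size_matches": extent == o["size"],
    }


if __name__ == "__main__":
    for k, v in describe_access(parse_report(REPORT)).items():
        print(f"{k}: {v:#x}" if k == "shadow" else f"{k}: {v}")
```

For this report the script recovers offset 136 (0xb88 - 0xb00), finds shadow byte 0xfb (freed slab object) under the address, and, walking granules from the object base until the first 0xfc redzone, counts 192 bytes, matching the kmalloc-192 cache. That matters here because the report on this page prints an "Allocated by task" stack but no "Freed by task" stack, so the shadow state is the only direct evidence in the report that the hidraw object had already been freed when hidraw_report_event took its spinlock.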

Crashes (4):
Time              Kernel       Commit        Syzkaller  Manager                                Repro
2026/04/20 20:35  upstream     a5d1079c28a5  e65da4ee   ci-upstream-kasan-gce                  none
2026/04/27 20:05  usb-testing  e4d7362dc9cd  0f700595   ci2-upstream-usb                       none
2026/04/27 03:28  linux-next   7080e32d3f09  9c2d0995   ci-upstream-linux-next-kasan-gce-root  syz repro + C repro
2026/04/27 02:10  linux-next   7080e32d3f09  9c2d0995   ci-upstream-linux-next-kasan-gce-root  none
usb-testing is https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git. Every row has a .config, console log, crash report and the disk image, vmlinux and kernel image assets attached; the 2026/04/27 03:28 row is the one with the syz repro (and its log) and the C repro. All four crashes carry the title "KASAN: slab-use-after-free Read in hidraw_report_event".
* Struck through repros no longer work on HEAD.