program:
# Fuzzer-generated syscall program (syzkaller syntax), one call per line.
# The kernel console log that follows it on this page ends in a KASAN
# slab-use-after-free report raised from the smc_ib_port_event_work work item.
# Triage summary from that report: the faulting read is in
# __ethtool_get_link_ksettings, reached via ib_query_port -> rxe_query_port ->
# ib_get_eth_speed; the object was allocated through alloc_netdev_mqs and freed
# through rtnl_dellink -> netdev_run_todo. That looks like a net_device still
# referenced by the rxe device after it was unregistered -- confirm against the
# rxe netdev lifetime handling before drawing conclusions.

# USB device attached through dummy_hcd (per the log). The descriptor blob
# carries idVendor 0x06cb / idProduct 0x0007 and interface number 0x34 (52);
# the log echoes these back as "USB Synaptics Device 06cb:0007" together with
# a series of descriptor sanity warnings.
r0 = syz_usb_connect(0x0, 0x36, &(0x7f0000000100)=ANY=[@ANYBLOB="31010000dccd5e08cb060700000800000001090224000100007e000904340102d469e7000905", @ANYRES32], 0x0)
setfsuid(0xffffffffffffffff)
syz_usb_control_io$uac1(r0, 0x0, 0x0)
# r1 and r2 are both handles from openat$mice; r2 is later passed to a usbfs
# ioctl and r1 to a hiddev ioctl.
r1 = openat$mice(0xffffffffffffff9c, &(0x7f0000000000), 0x22002)
r2 = openat$mice(0xffffffffffffff9c, &(0x7f0000000340), 0x8000)
syz_open_dev$usbfs(&(0x7f0000000080), 0xf, 0x8041)
# X.25, BPF, evdev and further USB calls: none of these subsystems appears in
# any stack of the KASAN report on this page.
r3 = syz_init_net_socket$x25(0x9, 0x5, 0x0)
ioctl$SIOCX25SFACILITIES(r3, 0x89e3, &(0x7f00000000c0)={0x1c, 0xd, 0x6, 0xc, 0x38e2, 0x81})
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, 0x0, 0x0, 0x2, 0x0, 0x0, 0x41100, 0x44, '\x00', 0x0, @fallback=0xa, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
syz_usb_connect$cdc_ncm(0x0, 0x6e, &(0x7f00000000c0)=ANY=[@ANYBLOB="12010000020000102505a1a440000102030109025c0002010000000904000001020d000005"], 0x0)
r4 = syz_open_dev$evdev(&(0x7f0000000040), 0x0, 0x0)
syz_usb_disconnect(r4)
syz_usb_connect(0x0, 0x24, &(0x7f0000000100)={{0x12, 0x1, 0x0, 0xdb, 0x9d, 0x1b, 0x8, 0x12d1, 0xfae2, 0x708b, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1}}]}}, 0x0)
ioctl$EVIOCRMFF(r4, 0xc0085508, 0x0)
syz_open_dev$usbfs(&(0x7f0000000180), 0x10000001d, 0x8041)
ioctl$USBDEVFS_BULK(r2, 0xc0185502, &(0x7f00000001c0)={{{0x5, 0x1}}, 0x0, 0x57, 0x0})
# RDMA netlink NEWLINK: the attribute strings are 'syz0', 'rxe' and 'ipvlan0'.
# The log confirms the result ("infiniband syz0: added ipvlan0") and shows smc
# registering the new device ("smc: adding ib device syz0 with port count 1"),
# which is the device whose port-event work item later faults.
r5 = socket$nl_rdma(0x10, 0x3, 0x14)
sendmsg$RDMA_NLDEV_CMD_NEWLINK(r5, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000040)={0x38, 0x1403, 0x1, 0x70bd2d, 0x25dfdbfe, "", [{{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'rxe\x00'}, {0x14, 0x33, 'ipvlan0\x00'}}]}, 0x38}, 0x1, 0x0, 0x0, 0x4000840}, 0x2400c000)
syz_usb_connect$hid(0x0, 0x36, 0x0, 0x0)
r6 = socket$nl_route(0x10, 0x3, 0x0)
r7 = socket$nl_rdma(0x10, 0x3, 0x14)
# Second NEWLINK, passed as a raw blob; its ASCII bytes spell 'syz1', 'rxe'
# and 'syz_tun'. The log on this page contains no "infiniband syz1" line.
sendmsg$RDMA_NLDEV_CMD_NEWLINK(r7, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000180)=ANY=[@ANYBLOB="380000000314230c2abd7000ff05df250900020073797a310000000008004100727865001400330073797a5f74756e"], 0x38}, 0x1, 0x0, 0x0, 0x48845}, 0x4000)
socket$nl_netfilter(0x10, 0x3, 0xc)
# The next calls pass fd -1 or a null message pointer.
ioctl$sock_ipv4_tunnel_SIOCGETTUNNEL(0xffffffffffffffff, 0x89f0, 0x0)
sendmsg$nl_route_sched(r6, 0x0, 0x4000000)
open(&(0x7f0000000380)='./file0\x00', 0x80000, 0x40)
sendmsg$RDMA_NLDEV_CMD_STAT_SET(0xffffffffffffffff, 0x0, 0x4c891)
# Interface-index lookup for 'veth0_vlan'.
# NOTE(review): r8 is consumed by the following call but is never assigned
# anywhere on this page; presumably an output-resource marker on this struct's
# second field was lost when the page was extracted -- confirm against the
# original reproducer.
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000000)={'veth0_vlan\x00', 0x0})
# Route-netlink message built from the getchain template, but the second
# header field (message type) is 0x11, which is the numeric value of
# RTM_DELLINK, and r8 sits in what is presumably the ifindex slot. This is
# consistent with the report's "Freed by task 5333" stack (sendmsg ->
# rtnl_dellink -> netdev_run_todo) and with the "4 bytes leftover after
# parsing attributes" warning that the same task logs -- TODO confirm which
# netdev r8 resolves to at run time.
sendmsg$nl_route_sched(r6, &(0x7f0000000040)={0x0, 0xfffffffffffffc96, &(0x7f00000003c0)={&(0x7f0000000440)=@getchain={0x24, 0x11, 0x43d, 0x0, 0x0, {0x0, 0x0, 0x0, r8}}, 0x24}}, 0x0)
ioctl$HIDIOCGREPORT(r1, 0x400c4807, &(0x7f0000000300)={0x2, 0x100, 0x4})
# Kernel console output follows.
[ 103.181490][ T5304] Bluetooth: hci0: command tx timeout [ 103.513564][ T10] usb 5-1: new high-speed USB device number 2 using dummy_hcd [ 103.663486][ T10] usb 5-1: Using ep0 maxpacket: 8 [ 103.669901][ T10] usb 5-1: config 0 has an invalid interface number: 52 but max is 0 [ 103.674017][ T10] usb 5-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 103.678509][ T10] usb 5-1: config 0 has no interface number 0 [ 103.681276][ T10] usb 5-1: config 0 interface 52 altsetting 1 has an endpoint descriptor with address 0xFF, changing to 0x8F [ 103.688012][ T10] usb 5-1: config 0 interface 52 altsetting 1 endpoint 0x8F has an invalid bInterval 0, changing to 7 [ 103.692847][ T10] usb 5-1: config 0 interface 52 altsetting 1 endpoint 0x8F has invalid maxpacket 59391, setting to 1024 [ 103.698089][ T10] usb 5-1: config 0 interface 52 altsetting 1 has 1 endpoint descriptor, different from the interface descriptor's value: 2 [ 103.706761][ T10] usb 5-1: config 0 interface 52 has no altsetting 0 [ 103.709570][ T10] usb 5-1: New USB device found, idVendor=06cb, idProduct=0007, bcdDevice= 8.00 [ 103.713007][ T10] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 103.725443][ T10] usb 5-1: config 0 descriptor?? 
[ 103.944568][ T10] input: USB Synaptics Device 06cb:0007 (Stick) as /devices/platform/dummy_hcd.0/usb5/5-1/5-1:0.52/input/input5 [ 104.251357][ T5326] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 104.274246][ T5326] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 104.493399][ T5326] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 104.502704][ T5326] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 104.648642][ T5333] netlink: 4 bytes leftover after parsing attributes in process `syz.0.0'. [ 105.253713][ T5304] Bluetooth: hci0: command tx timeout [ 105.281909][ T5326] infiniband syz0: set down [ 105.288353][ T5326] infiniband syz0: added ipvlan0 [ 105.431459][ T5326] RDS/IB: syz0: added [ 105.437596][ T5326] smc: adding ib device syz0 with port count 1 [ 105.440645][ T5326] smc: ib device syz0 port 1 has no pnetid [ 105.452793][ T53] ================================================================== [ 105.455941][ T53] BUG: KASAN: slab-use-after-free in __ethtool_get_link_ksettings+0x5e/0x170 [ 105.460094][ T53] Read of size 8 at addr ffff88803b0402f0 by task kworker/0:2/53 [ 105.463899][ T53] [ 105.464936][ T53] CPU: 0 UID: 0 PID: 53 Comm: kworker/0:2 Not tainted syzkaller #0 PREEMPT(full) [ 105.464951][ T53] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 105.464960][ T53] Workqueue: events smc_ib_port_event_work [ 105.464984][ T53] Call Trace: [ 105.464993][ T53] [ 105.464999][ T53] dump_stack_lvl+0xe8/0x150 [ 105.465019][ T53] print_report+0xba/0x230 [ 105.465032][ T53] ? __ethtool_get_link_ksettings+0x5e/0x170 [ 105.465053][ T53] kasan_report+0x117/0x150 [ 105.465067][ T53] ? __ethtool_get_link_ksettings+0x5e/0x170 [ 105.465085][ T53] __ethtool_get_link_ksettings+0x5e/0x170 [ 105.465103][ T53] ib_get_eth_speed+0x180/0x7f0 [ 105.465165][ T53] ? rxe_query_port+0x7e/0x3d0 [ 105.465178][ T53] ? 
__pfx_ib_get_eth_speed+0x10/0x10 [ 105.465192][ T53] ? do_raw_spin_unlock+0x4d/0x210 [ 105.465206][ T53] rxe_query_port+0x93/0x3d0 [ 105.465219][ T53] ib_query_port+0x170/0x830 [ 105.465234][ T53] smc_ib_port_event_work+0x15a/0x940 [ 105.465250][ T53] ? process_scheduled_works+0xa8d/0x18c0 [ 105.465265][ T53] ? process_scheduled_works+0xa8d/0x18c0 [ 105.465279][ T53] process_scheduled_works+0xb6e/0x18c0 [ 105.465297][ T53] ? __pfx_process_scheduled_works+0x10/0x10 [ 105.465310][ T53] ? assign_work+0x3d5/0x5e0 [ 105.465322][ T53] worker_thread+0xa53/0xfc0 [ 105.465342][ T53] kthread+0x388/0x470 [ 105.465354][ T53] ? __pfx_worker_thread+0x10/0x10 [ 105.465367][ T53] ? __pfx_kthread+0x10/0x10 [ 105.465377][ T53] ret_from_fork+0x51e/0xb90 [ 105.465391][ T53] ? __pfx_ret_from_fork+0x10/0x10 [ 105.465400][ T53] ? __switch_to+0xc7d/0x1450 [ 105.465409][ T53] ? __pfx_kthread+0x10/0x10 [ 105.465415][ T53] ret_from_fork_asm+0x1a/0x30 [ 105.465429][ T53] [ 105.465432][ T53] [ 105.549730][ T53] Allocated by task 5303: [ 105.551854][ T53] kasan_save_track+0x3e/0x80 [ 105.554072][ T53] __kasan_kmalloc+0x93/0xb0 [ 105.556201][ T53] __kvmalloc_node_noprof+0x528/0x8a0 [ 105.559104][ T53] alloc_netdev_mqs+0xa6/0x11b0 [ 105.561698][ T53] rtnl_create_link+0x31f/0xd70 [ 105.563778][ T53] rtnl_newlink_create+0x277/0xb70 [ 105.566162][ T53] rtnl_newlink+0x1666/0x1be0 [ 105.568347][ T53] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 105.570560][ T53] netlink_rcv_skb+0x232/0x4b0 [ 105.574232][ T53] netlink_unicast+0x80f/0x9b0 [ 105.577477][ T53] netlink_sendmsg+0x813/0xb40 [ 105.580298][ T53] __sys_sendto+0x672/0x710 [ 105.582596][ T53] __x64_sys_sendto+0xde/0x100 [ 105.584695][ T53] do_syscall_64+0x14d/0xf80 [ 105.587073][ T53] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 105.590092][ T53] [ 105.591199][ T53] Freed by task 5333: [ 105.592971][ T53] kasan_save_track+0x3e/0x80 [ 105.595039][ T53] kasan_save_free_info+0x46/0x50 [ 105.597284][ T53] __kasan_slab_free+0x5c/0x80 [ 105.599404][ T53] 
kfree+0x1c1/0x630 [ 105.601203][ T53] device_release+0x9e/0x1d0 [ 105.603288][ T53] kobject_put+0x228/0x560 [ 105.605373][ T53] netdev_run_todo+0xc75/0xde0 [ 105.607698][ T53] rtnl_dellink+0x6a7/0x820 [ 105.609736][ T53] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 105.611953][ T53] netlink_rcv_skb+0x232/0x4b0 [ 105.614007][ T53] netlink_unicast+0x80f/0x9b0 [ 105.616124][ T53] netlink_sendmsg+0x813/0xb40 [ 105.618473][ T53] ____sys_sendmsg+0x972/0x9f0 [ 105.620626][ T53] ___sys_sendmsg+0x2a5/0x360 [ 105.622637][ T53] __x64_sys_sendmsg+0x1bd/0x2a0 [ 105.624880][ T53] do_syscall_64+0x14d/0xf80 [ 105.626995][ T53] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 105.629857][ T53] [ 105.631797][ T53] The buggy address belongs to the object at ffff88803b040000 [ 105.631797][ T53] which belongs to the cache kmalloc-cg-4k of size 4096 [ 105.638448][ T53] The buggy address is located 752 bytes inside of [ 105.638448][ T53] freed 4096-byte region [ffff88803b040000, ffff88803b041000) [ 105.644239][ T53] [ 105.645234][ T53] The buggy address belongs to the physical page: [ 105.647795][ T53] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3b040 [ 105.651274][ T53] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 105.654876][ T53] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 105.658088][ T53] page_type: f5(slab) [ 105.659989][ T53] raw: 04fff00000000040 ffff88801ac58500 dead000000000122 0000000000000000 [ 105.663921][ T53] raw: 0000000000000000 0000000800040004 00000000f5000000 0000000000000000 [ 105.668012][ T53] head: 04fff00000000040 ffff88801ac58500 dead000000000122 0000000000000000 [ 105.672980][ T53] head: 0000000000000000 0000000800040004 00000000f5000000 0000000000000000 [ 105.677115][ T53] head: 04fff00000000003 ffffea0000ec1001 00000000ffffffff 00000000ffffffff [ 105.681025][ T53] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 105.684892][ T53] page dumped because: kasan: bad access detected [ 
105.689036][ T53] page_owner tracks the page as allocated [ 105.691887][ T53] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5303, tgid 5303 (syz-executor), ts 99135384940, free_ts 98625337109 [ 105.701129][ T53] post_alloc_hook+0x231/0x280 [ 105.703556][ T53] get_page_from_freelist+0x24dc/0x2580 [ 105.706155][ T53] __alloc_frozen_pages_noprof+0x18d/0x380 [ 105.708663][ T53] allocate_slab+0x77/0x660 [ 105.710722][ T53] refill_objects+0x331/0x3c0 [ 105.712751][ T53] __pcs_replace_empty_main+0x2e6/0x730 [ 105.715350][ T53] __kmalloc_cache_noprof+0x392/0x660 [ 105.718429][ T53] ipv6_add_dev+0x6aa/0x13a0 [ 105.720783][ T53] addrconf_notify+0x771/0x1050 [ 105.722963][ T53] notifier_call_chain+0x1be/0x400 [ 105.725191][ T53] register_netdevice+0x173a/0x1cf0 [ 105.727583][ T53] virt_wifi_newlink+0x428/0x860 [ 105.730202][ T53] rtnl_newlink_create+0x329/0xb70 [ 105.732862][ T53] rtnl_newlink+0x1666/0x1be0 [ 105.735295][ T53] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 105.737604][ T53] netlink_rcv_skb+0x232/0x4b0 [ 105.739726][ T53] page last free pid 5303 tgid 5303 stack trace: [ 105.743463][ T53] __free_frozen_pages+0xc2b/0xdb0 [ 105.746253][ T53] __slab_free+0x263/0x2b0 [ 105.748875][ T53] qlist_free_all+0x97/0x100 [ 105.751371][ T53] kasan_quarantine_reduce+0x148/0x160 [ 105.753610][ T53] __kasan_slab_alloc+0x22/0x80 [ 105.755587][ T53] kmem_cache_alloc_noprof+0x2bc/0x650 [ 105.757881][ T53] __kernfs_new_node+0xe9/0x8e0 [ 105.760169][ T53] kernfs_new_node+0x102/0x210 [ 105.762728][ T53] kernfs_create_dir_ns+0x44/0x130 [ 105.765498][ T53] internal_create_group+0x425/0x1180 [ 105.768848][ T53] dpm_sysfs_add+0x6a/0x270 [ 105.771520][ T53] device_add+0x4d8/0xb70 [ 105.774253][ T53] netdev_register_kobject+0x178/0x310 [ 105.776974][ T53] register_netdevice+0x12c0/0x1cf0 [ 105.779222][ T53] register_netdev+0x40/0x60 [ 105.781545][ T53] loopback_net_init+0x75/0x150 [ 105.784289][ T53] 
[ 105.785673][ T53] Memory state around the buggy address: [ 105.788304][ T53] ffff88803b040180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 105.792172][ T53] ffff88803b040200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 105.796009][ T53] >ffff88803b040280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 105.800573][ T53] ^ [ 105.804034][ T53] ffff88803b040300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 105.807463][ T53] ffff88803b040380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 105.811110][ T53] ================================================================== [ 105.853847][ T53] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 105.857838][ T53] CPU: 0 UID: 0 PID: 53 Comm: kworker/0:2 Not tainted syzkaller #0 PREEMPT(full) [ 105.862337][ T53] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 105.867525][ T53] Workqueue: events smc_ib_port_event_work [ 105.870144][ T53] Call Trace: [ 105.871676][ T53] [ 105.872949][ T53] vpanic+0x56c/0xa60 [ 105.874761][ T53] ? __pfx_vpanic+0x10/0x10 [ 105.876962][ T53] ? __pfx___schedule+0x10/0x10 [ 105.879658][ T53] panic+0xc5/0xd0 [ 105.881758][ T53] ? __pfx_panic+0x10/0x10 [ 105.883862][ T53] ? preempt_schedule_common+0x82/0xd0 [ 105.886593][ T53] ? __ethtool_get_link_ksettings+0x5e/0x170 [ 105.889705][ T53] check_panic_on_warn+0x89/0xb0 [ 105.891967][ T53] ? __ethtool_get_link_ksettings+0x5e/0x170 [ 105.894784][ T53] end_report+0x73/0x180 [ 105.896961][ T53] ? __ethtool_get_link_ksettings+0x5e/0x170 [ 105.900048][ T53] kasan_report+0x128/0x150 [ 105.902278][ T53] ? __ethtool_get_link_ksettings+0x5e/0x170 [ 105.905040][ T53] __ethtool_get_link_ksettings+0x5e/0x170 [ 105.907957][ T53] ib_get_eth_speed+0x180/0x7f0 [ 105.910915][ T53] ? rxe_query_port+0x7e/0x3d0 [ 105.913659][ T53] ? __pfx_ib_get_eth_speed+0x10/0x10 [ 105.917274][ T53] ? 
do_raw_spin_unlock+0x4d/0x210 [ 105.919631][ T53] rxe_query_port+0x93/0x3d0 [ 105.921747][ T53] ib_query_port+0x170/0x830 [ 105.924009][ T53] smc_ib_port_event_work+0x15a/0x940 [ 105.926737][ T53] ? process_scheduled_works+0xa8d/0x18c0 [ 105.929252][ T53] ? process_scheduled_works+0xa8d/0x18c0 [ 105.931779][ T53] process_scheduled_works+0xb6e/0x18c0 [ 105.934245][ T53] ? __pfx_process_scheduled_works+0x10/0x10 [ 105.937974][ T53] ? assign_work+0x3d5/0x5e0 [ 105.940749][ T53] worker_thread+0xa53/0xfc0 [ 105.943106][ T53] kthread+0x388/0x470 [ 105.944960][ T53] ? __pfx_worker_thread+0x10/0x10 [ 105.947267][ T53] ? __pfx_kthread+0x10/0x10 [ 105.949450][ T53] ret_from_fork+0x51e/0xb90 [ 105.951555][ T53] ? __pfx_ret_from_fork+0x10/0x10 [ 105.953863][ T53] ? __switch_to+0xc7d/0x1450 [ 105.956125][ T53] ? __pfx_kthread+0x10/0x10 [ 105.958648][ T53] ret_from_fork_asm+0x1a/0x30 [ 105.961129][ T53] [ 105.963037][ T53] Kernel Offset: disabled [ 105.965102][ T53] Rebooting in 86400 seconds..