xpad 4-1:179.65: xpad_irq_in - usb_submit_urb failed with result -19
xpad 4-1:179.65: xpad_irq_out - usb_submit_urb failed with result -19
==================================================================
BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x28b/0x2f0
Read of size 4 at addr ffff888115bfa05c by task udevd/5060

CPU: 0 UID: 0 PID: 5060 Comm: udevd Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <IRQ>
 dump_stack_lvl+0xe8/0x150
 print_address_description+0x55/0x1e0
 print_report+0x58/0x70
 kasan_report+0x117/0x150
 do_raw_spin_lock+0x28b/0x2f0
 _raw_spin_lock_irqsave+0x4c/0x60
 __wake_up_common_lock+0x2f/0x1f0
 __usb_hcd_giveback_urb+0x3b0/0x540
 dummy_timer+0xbc0/0x4650
 __hrtimer_run_queues+0x3c0/0xa20
 hrtimer_run_softirq+0x17a/0x240
 handle_softirqs+0x22a/0x840
 __irq_exit_rcu+0xca/0x220
 irq_exit_rcu+0x9/0x30
 sysvec_apic_timer_interrupt+0xa6/0xc0
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:stack_trace_save+0x72/0x100
Code: 03 48 b9 f1 f1 f1 f1 f8 f8 f8 f3 49 be 00 00 00 00 00 fc ff df 4a 89 0c 33 42 c7 44 33 08 f3 f3 f3 f3 66 42 c7 44 33 04 00 00 <42> c6 44 33 06 00 48 89 7c 24 20 89 74 24 28 ff c2 89 54 24 2c 48
RSP: 0018:ffffc90003337a20 EFLAGS: 00000a06
RAX: ffffc90003337a40 RBX: 1ffff92000666f44 RCX: f3f8f8f8f1f1f1f1
RDX: 0000000000000000 RSI: 0000000000000040 RDI: ffffc90003337ac0
RBP: ffffc90003337ab0 R08: 0000000000000007 R09: 0000000000000000
R10: ffffc90003337ac0 R11: fffffbfff20614df R12: ffff88810fd0c888
R13: 0000000000000000 R14: dffffc0000000000 R15: ffffc90003337ac0
 kasan_save_track+0x3e/0x80
 kasan_save_free_info+0x46/0x50
 __kasan_slab_free+0x5c/0x80
 kmem_cache_free+0x182/0x650
 __fput+0x6c5/0xa60
 fput_close_sync+0x11f/0x240
 __x64_sys_close+0x7e/0x110
 do_syscall_64+0x15f/0xf80
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7a1d91a37f
Code: af 6a 0d 00 f7 d8 64 89 02 48 83 c8 ff 44 89 c7 48 89 04 24 e8 e1 fc f9 ff 48 8b 04 24 48 83 c4 28 c3 c3 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 10 48 8b 15 7a 6a 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007ffdfae6de58 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 000056527362ed70 RCX: 00007f7a1d91a37f
RDX: 00007f7a1d9ed860 RSI: 0000000000000000 RDI: 000000000000000c
RBP: 0000000000000000 R08: 000000000000000c R09: 0000000000000000
R10: fffffffffffff328 R11: 0000000000000202 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 000056526392cfc1
 </TASK>

Allocated by task 5717:
 kasan_save_track+0x3e/0x80
 __kasan_kmalloc+0x93/0xb0
 __kmalloc_cache_noprof+0x31c/0x660
 xpad_probe+0x428/0x1fc0
 usb_probe_interface+0x659/0xc70
 really_probe+0x267/0xaf0
 __driver_probe_device+0x1ef/0x380
 driver_probe_device+0x4f/0x240
 __device_attach_driver+0x279/0x430
 bus_for_each_drv+0x258/0x2f0
 __device_attach+0x2c5/0x450
 device_initial_probe+0xa1/0xd0
 bus_probe_device+0x12a/0x220
 device_add+0x7e9/0xbb0
 usb_set_configuration+0x1a87/0x2110
 usb_generic_driver_probe+0x8d/0x150
 usb_probe_device+0x1c4/0x3b0
 really_probe+0x267/0xaf0
 __driver_probe_device+0x1ef/0x380
 driver_probe_device+0x4f/0x240
 __device_attach_driver+0x279/0x430
 bus_for_each_drv+0x258/0x2f0
 __device_attach+0x2c5/0x450
 device_initial_probe+0xa1/0xd0
 bus_probe_device+0x12a/0x220
 device_add+0x7e9/0xbb0
 usb_new_device+0xa08/0x16f0
 hub_event+0x2a1c/0x4f30
 process_scheduled_works+0xb5d/0x1860
 worker_thread+0xa53/0xfc0
 kthread+0x388/0x470
 ret_from_fork+0x514/0xb70
 ret_from_fork_asm+0x1a/0x30

Freed by task 24:
 kasan_save_track+0x3e/0x80
 kasan_save_free_info+0x46/0x50
 __kasan_slab_free+0x5c/0x80
 kfree+0x1c5/0x640
 xpad_disconnect+0x350/0x480
 usb_unbind_interface+0x26e/0x910
 device_release_driver_internal+0x4d9/0x870
 bus_remove_device+0x455/0x570
 device_del+0x527/0x8f0
 usb_disable_device+0x3d4/0x8d0
 usb_disconnect+0x32f/0x990
 hub_event+0x1cc9/0x4f30
 process_scheduled_works+0xb5d/0x1860
 worker_thread+0xa53/0xfc0
 kthread+0x388/0x470
 ret_from_fork+0x514/0xb70
 ret_from_fork_asm+0x1a/0x30

The buggy address belongs to the object at ffff888115bfa000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 92 bytes inside of
 freed 1024-byte region [ffff888115bfa000, ffff888115bfa400)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888115bfe800 pfn:0x115bf8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x17ff00000000240(workingset|head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 017ff00000000240 ffff888100041dc0 ffffea000478a410 ffffea000480fc10
raw: ffff888115bfe800 000000080010000f 00000000f5000000 0000000000000000
head: 017ff00000000240 ffff888100041dc0 ffffea000478a410 ffffea000480fc10
head: ffff888115bfe800 000000080010000f 00000000f5000000 0000000000000000
head: 017ff00000000003 fffffffffffffe01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5489, tgid 5489 (dhcpcd), ts 42463080273, free_ts 42409684485
 post_alloc_hook+0x1f9/0x250
 get_page_from_freelist+0x24ba/0x2540
 __alloc_frozen_pages_noprof+0x18d/0x380
 allocate_slab+0x77/0x660
 refill_objects+0x339/0x3d0
 __pcs_replace_empty_main+0x321/0x720
 __kmalloc_node_track_caller_noprof+0x572/0x7b0
 kmemdup_array+0x3f/0x80
 bpf_prepare_filter+0xd6d/0x12d0
 bpf_prog_create_from_user+0x2c8/0x440
 do_seccomp+0x79f/0xdd0
 __se_sys_prctl+0x2a5/0x1980
 do_syscall_64+0x15f/0xf80
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5355 tgid 5355 stack trace:
 __free_frozen_pages+0xbbf/0xd20
 __slab_free+0x274/0x2c0
 qlist_free_all+0x99/0x100
 kasan_quarantine_reduce+0x148/0x160
 __kasan_slab_alloc+0x22/0x80
 kmem_cache_alloc_node_noprof+0x384/0x690
 __alloc_skb+0x1d0/0x7d0
 alloc_skb_with_frags+0xc8/0x760
 sock_alloc_send_pskb+0x878/0x990
 unix_dgram_sendmsg+0x460/0x18d0
 sock_write_iter+0x49b/0x4f0
 vfs_write+0x61d/0xb90
 ksys_write+0x150/0x270
 do_syscall_64+0x15f/0xf80
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888115bf9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888115bf9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888115bfa000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff888115bfa080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888115bfa100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
