Hello, syzbot found the following issue on: HEAD commit: 4cece7649650 Linux 6.9-rc1 git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing console output: https://syzkaller.appspot.com/x/log.txt?x=12eea546180000 kernel config: https://syzkaller.appspot.com/x/.config?x=a2bfc1e92b3816d2 dashboard link: https://syzkaller.appspot.com/bug?extid=73c1dfb19c10b7e49777 compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/7f5e2f772df3/disk-4cece764.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/bf6c631b116f/vmlinux-4cece764.xz kernel image: https://storage.googleapis.com/syzbot-assets/bd864ac23a04/bzImage-4cece764.xz IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+73c1dfb19c10b7e49777@xxxxxxxxxxxxxxxxxxxxxxxxx ACPI: PCI: Interrupt link LNKB configured for IRQ 10 ACPI: PCI: Interrupt link LNKC configured for IRQ 11 ACPI: PCI: Interrupt link LNKD configured for IRQ 11 ACPI: PCI: Interrupt link LNKS configured for IRQ 9 iommu: Default domain type: Translated iommu: DMA domain TLB invalidation policy: lazy mode SCSI subsystem initialized ACPI: bus type USB registered usbcore: registered new interface driver usbfs usbcore: registered new interface driver hub usbcore: registered new device driver usb mc: Linux media interface: v0.10 videodev: Linux video capture interface: v2.00 pps_core: LinuxPPS API ver. 1 registered pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@xxxxxxxx> PTP clock support registered EDAC MC: Ver: 3.0.0 Advanced Linux Sound Architecture Driver Initialized. Bluetooth: Core ver 2.22 NET: Registered PF_BLUETOOTH protocol family Bluetooth: HCI device and connection manager initialized Bluetooth: HCI socket layer initialized Bluetooth: L2CAP socket layer initialized Bluetooth: SCO socket layer initialized NET: Registered PF_ATMPVC protocol family NET: Registered PF_ATMSVC protocol family NetLabel: Initializing NetLabel: domain hash size = 128 NetLabel: protocols = UNLABELED CIPSOv4 CALIPSO NetLabel: unlabeled traffic allowed by default nfc: nfc_init: NFC Core ver 0.1 NET: Registered PF_NFC protocol family PCI: Using ACPI for IRQ routing pci 0000:00:05.0: vgaarb: setting as boot VGA device pci 0000:00:05.0: vgaarb: bridge control possible pci 0000:00:05.0: vgaarb: VGA device added: decodes=io+mem,owns=io+mem,locks=none vgaarb: loaded clocksource: Switched to clocksource kvm-clock VFS: Disk quotas dquot_6.6.0 VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes) TOMOYO: 2.6.0 Mandatory Access Control activated. AppArmor: AppArmor Filesystem Enabled pnp: PnP ACPI init pnp: PnP ACPI: found 7 devices clocksource: acpi_pm: mask: 0xffffff max_cycles: 0xffffff, max_idle_ns: 2085701024 ns NET: Registered PF_INET protocol family IP idents hash table entries: 131072 (order: 8, 1048576 bytes, linear) ------------[ cut here ]------------ refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 0 PID: 1 at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31 Modules linked in: CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 RIP: 0010:refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31 Code: 86 e8 57 23 ca fe 90 0f 0b 90 90 e9 c3 fe ff ff e8 18 fb 03 ff c6 05 33 52 3d 07 01 90 48 c7 c7 00 29 e7 86 e8 34 23 ca fe 90 <0f> 0b 90 90 e9 a0 fe ff ff 48 89 ef e8 b2 d4 55 ff e9 44 fe ff ff RSP: 0000:ffffc9000001fba0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8118c199 RDX: ffff8881012b0000 RSI: ffffffff8118c1a6 RDI: 0000000000000001 RBP: ffff888106eecb6c R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff888106eecb6c R13: 0000000000000000 R14: 00000000016a005a R15: ffff888106885f28 FS: 0000000000000000(0000) GS:ffff8881f6400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff88823ffff000 CR3: 000000000829e000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __refcount_dec include/linux/refcount.h:336 [inline] refcount_dec include/linux/refcount.h:351 [inline] dec_stack_record_count mm/page_owner.c:215 [inline] __reset_page_owner+0x2ea/0x370 mm/page_owner.c:253 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1141 [inline] __free_pages_ok+0x5d0/0xbd0 mm/page_alloc.c:1270 make_alloc_exact+0x165/0x260 mm/page_alloc.c:4829 alloc_large_system_hash+0x4e0/0x640 mm/mm_init.c:2530 inet_hashinfo2_init+0x4b/0xd0 net/ipv4/inet_hashtables.c:1193 tcp_init+0xba/0x9f0 net/ipv4/tcp.c:4708 inet_init+0x419/0x6f0 net/ipv4/af_inet.c:2029 do_one_initcall+0x128/0x700 init/main.c:1238 do_initcall_level init/main.c:1300 [inline] do_initcalls init/main.c:1316 [inline] do_basic_setup init/main.c:1335 [inline] kernel_init_freeable+0x69d/0xca0 init/main.c:1548 kernel_init+0x1c/0x2b0 init/main.c:1437 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 </TASK> --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. If the report is already addressed, let syzbot know by replying with: #syz fix: exact-commit-title If you want to overwrite report's subsystems, reply with: #syz set subsystems: new-subsystem (See the list of subsystem names on the web dashboard) If the report is a duplicate of another one, reply with: #syz dup: exact-subject-of-another-report If you want to undo deduplication, reply with: #syz undup