Hi Kernel Maintainers,

We found a crash "WARNING: refcount bug in put_device" in upstream; we have also successfully reproduced it manually:

HEAD Commit: 9852d85ec9d492ebef56dc5f229416c925758edc (tag 'v6.12-rc1')
kernel config: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/main/6.12.config
console output: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/main/9852d85ec9d492ebef56dc5f229416c925758edc/83e10c2b482009dbb3b32ece907dcc361978f9b9/log0
repro report: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/main/9852d85ec9d492ebef56dc5f229416c925758edc/83e10c2b482009dbb3b32ece907dcc361978f9b9/repro.report
syz reproducer: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/main/9852d85ec9d492ebef56dc5f229416c925758edc/83e10c2b482009dbb3b32ece907dcc361978f9b9/repro.prog
C reproducer: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/main/9852d85ec9d492ebef56dc5f229416c925758edc/83e10c2b482009dbb3b32ece907dcc361978f9b9/repro.cprog

Please let me know if there is anything I can help with.

Best,
Hui Guo

This is the crash log I got by reproducing the bug in the above environment. I have piped this log through decode_stacktrace.sh to better understand the cause of the bug.
=============================================================================================
2024/10/15 06:23:01 executed programs: 0
[ 52.946160][ T8459] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 52.948146][ T8459] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 52.949830][ T8459] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 52.951676][ T8459] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 52.953434][ T8459] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 52.955077][ T8459] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 52.978855][ T9837] chnl_net:caif_netlink_parms(): no params data found
[ 53.007227][ T9837] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.008839][ T9837] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.010425][ T9837] bridge_slave_0: entered allmulticast mode
[ 53.011911][ T9837] bridge_slave_0: entered promiscuous mode
[ 53.013568][ T9837] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.015128][ T9837] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.016866][ T9837] bridge_slave_1: entered allmulticast mode
[ 53.018565][ T9837] bridge_slave_1: entered promiscuous mode
[ 53.027144][ T9837] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 53.029674][ T9837] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 53.038127][ T9837] team0: Port device team_slave_0 added
[ 53.039716][ T9837] team0: Port device team_slave_1 added
[ 53.047451][ T9837] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 53.049010][ T9837] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fr.
[ 53.054641][ T9837] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 53.057422][ T9837] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 53.058894][ T9837] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fr.
[ 53.063627][ T9837] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 53.070533][ T9837] hsr_slave_0: entered promiscuous mode
[ 53.071302][ T9837] hsr_slave_1: entered promiscuous mode
[ 53.071985][ T9837] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 53.072789][ T9837] Cannot create hsr debugfs directory
[ 53.083987][ T9837] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 53.085055][ T9837] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 53.086039][ T9837] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 53.087330][ T9837] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 53.094030][ T9837] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.094780][ T9837] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 53.095554][ T9837] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.096307][ T9837] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 53.101333][ T9837] 8021q: adding VLAN 0 to HW filter on device bond0
[ 53.103084][ T2963] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.104186][ T2963] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.106320][ T9837] 8021q: adding VLAN 0 to HW filter on device team0
[ 53.108343][ T92] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.109940][ T92] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 53.112379][ T2963] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.113257][ T2963] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 53.137079][ T9837] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 53.141567][ T9837] veth0_vlan: entered promiscuous mode
[ 53.142678][ T9837] veth1_vlan: entered promiscuous mode
[ 53.145297][ T9837] veth0_macvtap: entered promiscuous mode
[ 53.146206][ T9837] veth1_macvtap: entered promiscuous mode
[ 53.147799][ T9837] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
[ 53.148906][ T9837] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 53.150098][ T9837] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 53.151677][ T9837] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
[ 53.152781][ T9837] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 53.153971][ T9837] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 53.155171][ T9837] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 53.156136][ T9837] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 53.157153][ T9837] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 53.158103][ T9837] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 53.232002][ T3671] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 53.233031][ T3671] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 53.238434][ T119] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 53.239437][ T119] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 53.476459][ T80] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 53.626458][ T80] usb 1-1: Using ep0 maxpacket: 8
[ 53.628120][ T80] usb 1-1: config 8 has an invalid interface number: 207 but max is 3
[ 53.629284][ T80] usb 1-1: config 8 has an invalid interface number: 146 but max is 3
[ 53.630397][ T80] usb 1-1: config 8 has an invalid descriptor of length 0, skipping remainder of the config
[ 53.631751][ T80] usb 1-1: config 8 has 2 interfaces, different from the descriptor's value: 4
[ 53.632959][ T80] usb 1-1: config 8 has no interface number 0
[ 53.633781][ T80] usb 1-1: config 8 has no interface number 1
[ 53.634613][ T80] usb 1-1: config 8 interface 207 altsetting 6 has an invalid descriptor for endpoint zero, skipping
[ 53.636082][ T80] usb 1-1: config 8 interface 207 altsetting 6 has a duplicate endpoint with address 0x8, skipping
[ 53.637583][ T80] usb 1-1: config 8 interface 207 altsetting 6 endpoint 0x5 has invalid maxpacket 959, setting to 64
[ 53.639029][ T80] usb 1-1: config 8 interface 207 altsetting 6 has a duplicate endpoint with address 0xB, skipping
[ 53.640479][ T80] usb 1-1: config 8 interface 207 altsetting 6 endpoint 0x2 has invalid maxpacket 512, setting to 64
[ 53.641947][ T80] usb 1-1: config 8 interface 146 altsetting 9 has 0 endpoint descriptors, different from the interface descriptor's value: 8
[ 53.643707][ T80] usb 1-1: config 8 interface 207 has no altsetting 0
[ 53.644636][ T80] usb 1-1: config 8 interface 146 has no altsetting 0
[ 53.646775][ T80] usb 1-1: New USB device found, idVendor=0424, idProduct=cf30, bcdDevice=86.3f
[ 53.648010][ T80] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 53.649089][ T80] usb 1-1: Product: syz
[ 53.649662][ T80] usb 1-1: Manufacturer: syz
[ 53.650295][ T80] usb 1-1: SerialNumber: syz
[ 53.651764][T10865] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22
[ 53.856332][ T80] usb 1-1: USB disconnect, device number 2
[ 53.857522][ T80] ------------[ cut here ]------------
[ 53.858121][ T80] refcount_t: underflow; use-after-free.
[ 53.858848][ T80] WARNING: CPU: 6 PID: 80 at lib/refcount.c:28 refcount_warn_saturate (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/lib/refcount.c:28 (discriminator 3))
[ 53.859860][ T80] Modules linked in:
[ 53.860298][ T80] CPU: 6 UID: 0 PID: 80 Comm: kworker/6:1 Not tainted 6.12.0-rc1 #5
[ 53.861170][ T80] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 53.862181][ T80] Workqueue: usb_hub_wq hub_event
[ 53.862756][ T80] RIP: 0010:refcount_warn_saturate (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/lib/refcount.c:28 (discriminator 3))
[ 53.863448][ T80] Code: ff 89 de e8 83 16 c8 fe 84 db 0f 85 1c ff ff ff e8 66 14 c8 fe c6 05 81 f8 85 04 01 90 48 c7 c7 98 fc 50 86 e8 e2 ae af fe 90 <0f> 0b 90 90 e9 f9 fe ff ff e8 43 11
All code
========
   0:   ff 89 de e8 83 16       decl   0x1683e8de(%rcx)
   6:   c8 fe 84 db             enter  $0x84fe,$0xdb
   a:   0f 85 1c ff ff ff       jne    0xffffffffffffff2c
  10:   e8 66 14 c8 fe          call   0xfffffffffec8147b
  15:   c6 05 81 f8 85 04 01    movb   $0x1,0x485f881(%rip)        # 0x485f89d
  1c:   90                      nop
  1d:   48 c7 c7 98 fc 50 86    mov    $0xffffffff8650fc98,%rdi
  24:   e8 e2 ae af fe          call   0xfffffffffeafaf0b
  29:   90                      nop
  2a:*  0f 0b                   ud2             <-- trapping instruction
  2c:   90                      nop
  2d:   90                      nop
  2e:   e9 f9 fe ff ff          jmp    0xffffffffffffff2c
  33:   e8                      .byte 0xe8
  34:   43                      rex.XB
  35:   11                      .byte 0x11

Code starting with the faulting instruction
===========================================
   0:   0f 0b                   ud2
   2:   90                      nop
   3:   90                      nop
   4:   e9 f9 fe ff ff          jmp    0xffffffffffffff02
   9:   e8                      .byte 0xe8
   a:   43                      rex.XB
   b:   11                      .byte 0x11
[ 53.865584][ T80] RSP: 0018:ffff88810036fa60 EFLAGS: 00010282
[ 53.866248][ T80] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c855c
[ 53.867170][ T80] RDX: ffff888101400000 RSI: ffffffff811c8565 RDI: 0000000000000001
[ 53.868051][ T80] RBP: ffff88810036fa70 R08: 0000000000000000 R09: 205b5d3132313835
[ 53.868929][ T80] R10: 0000000000000000 R11: 205d303854202020 R12: ffff88812b896838
[ 53.869831][ T80] R13: ffff88812b896838 R14: ffff88812b895c50 R15: 0000000000000000
[ 53.870713][ T80] FS:  0000000000000000(0000) GS:ffff88813bb80000(0000) knlGS:0000000000000000
[ 53.871697][ T80] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 53.872422][ T80] CR2: 00007fd472328988 CR3: 000000010a042000 CR4: 00000000000006f0
[ 53.873304][ T80] Call Trace:
[ 53.873669][ T80]  <TASK>
[ 53.873995][ T80]  ? show_regs (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/kernel/dumpstack.c:479)
[ 53.874481][ T80]  ? __warn (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/kernel/panic.c:748)
[ 53.874941][ T80]  ? refcount_warn_saturate (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/lib/refcount.c:28 (discriminator 3))
[ 53.875567][ T80]  ? report_bug (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/lib/bug.c:201 /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/lib/bug.c:219)
[ 53.876074][ T80]  ? refcount_warn_saturate (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/lib/refcount.c:28 (discriminator 3))
[ 53.876738][ T80]  ? refcount_warn_saturate (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/lib/refcount.c:28 (discriminator 3))
[ 53.877369][ T80]  ? handle_bug (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/kernel/traps.c:285)
[ 53.877864][ T80]  ? exc_invalid_op (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/kernel/traps.c:309 (discriminator 1))
[ 53.878399][ T80]  ? asm_exc_invalid_op (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/./arch/x86/include/asm/idtentry.h:621)
[ 53.878964][ T80]  ? __warn_printk (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/./include/linux/context_tracking.h:161 /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/kernel/panic.c:799)
[ 53.879493][ T80]  ? __warn_printk (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/kernel/panic.c:800)
[ 53.880017][ T80]  ? refcount_warn_saturate (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/lib/refcount.c:28 (discriminator 3))
[ 53.880635][ T80]  kobject_put (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/lib/kobject.c:739)
[ 53.881131][ T80]  put_device (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/drivers/base/core.c:3784)
[ 53.881600][ T80]  hdm_disconnect (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/drivers/most/most_usb.c:1130)
[ 53.882102][ T80]  usb_unbind_interface (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/drivers/usb/core/driver.c:464)
[ 53.882685][ T80]  ? __pfx_usb_unbind_interface (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/drivers/usb/core/driver.c:432)
[ 53.883329][ T80]  device_remove (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/drivers/base/dd.c:570)
[ 53.883831][ T80]  device_release_driver_internal (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/drivers/base/dd.c:1275 /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/drivers/base/dd.c:1296)
[ 53.884518][ T80]  device_release_driver (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/drivers/base/dd.c:1320)
[ 53.885092][ T80]  bus_remove_device (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/./include/linux/kobject.h:193 (discriminator 3) /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/drivers/base/base.h:73 (discriminator 3) /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/drivers/base/bus.c:583 (discriminator 3))
[ 53.885648][ T80]  device_del (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/drivers/base/core.c:3865)
[ 53.886134][ T80]  ? device_unregister (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/drivers/base/core.c:3907)
[ 53.886729][ T80]  usb_disable_device (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/drivers/usb/core/message.c:1408 (discriminator 2))
[ 53.887302][ T80]  usb_disconnect (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/drivers/input/misc/yealink.c:591 /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/drivers/input/misc/yealink.c:614)
[ 53.887830][ T80]  ? usb_control_msg (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/drivers/usb/core/message.c:163)
[ 53.888388][ T80]  ? hub_port_warm_reset_required (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/drivers/usb/core/hub.c:2905)
[ 53.889045][ T80]  hub_event (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/drivers/usb/core/hub.c:5367 /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/drivers/usb/core/hub.c:5661 /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/drivers/usb/core/hub.c:5821 /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/drivers/usb/core/hub.c:5903)
[ 53.889547][ T80]  ? kick_pool (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/kernel/workqueue.c:1281)
[ 53.890032][ T80]  process_one_work (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/kernel/workqueue.c:3234)
[ 53.890582][ T80]  worker_thread (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/kernel/workqueue.c:3304 /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/kernel/workqueue.c:3391)
[ 53.891105][ T80]  ? __pfx_worker_thread (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/kernel/workqueue.c:3337)
[ 53.891687][ T80]  kthread (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/kernel/kthread.c:389)
[ 53.892142][ T80]  ? __pfx_kthread (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/kernel/kthread.c:342)
[ 53.892666][ T80]  ret_from_fork (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/kernel/process.c:153)
[ 53.893168][ T80]  ? __pfx_kthread (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/kernel/kthread.c:342)
[ 53.893687][ T80]  ret_from_fork_asm (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/entry/entry_64.S:257)
[ 53.894225][ T80]  </TASK>