Warning: Permanently added '10.128.0.104' (ED25519) to the list of known hosts.
executing program
[ 44.466184][ T29] audit: type=1400 audit(1721939833.143:80): avc: denied { execmem } for pid=2643 comm="syz-executor274" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 44.492772][ T29] audit: type=1400 audit(1721939833.143:81): avc: denied { read write } for pid=2644 comm="syz-executor274" name="raw-gadget" dev="devtmpfs" ino=140 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 44.517437][ T29] audit: type=1400 audit(1721939833.143:82): avc: denied { open } for pid=2644 comm="syz-executor274" path="/dev/raw-gadget" dev="devtmpfs" ino=140 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 44.541566][ T29] audit: type=1400 audit(1721939833.143:83): avc: denied { ioctl } for pid=2644 comm="syz-executor274" path="/dev/raw-gadget" dev="devtmpfs" ino=140 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 44.746012][ T9] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 44.925938][ T9] usb 1-1: Using ep0 maxpacket: 8
[ 44.933131][ T9] usb 1-1: unable to get BOS descriptor or descriptor too short
[ 44.943430][ T9] usb 1-1: config 0 has an invalid interface number: 199 but max is 3
[ 44.951906][ T9] usb 1-1: config 0 has an invalid interface descriptor of length 2, skipping
[ 44.960808][ T9] usb 1-1: config 0 has an invalid interface number: 54 but max is 3
[ 44.969011][ T9] usb 1-1: config 0 contains an unexpected descriptor of type 0x2, skipping
[ 44.977803][ T9] usb 1-1: config 0 has an invalid interface number: 108 but max is 3
[ 44.986136][ T9] usb 1-1: config 0 contains an unexpected descriptor of type 0x1, skipping
[ 44.994891][ T9] usb 1-1: config 0 has no interface number 1
[ 45.001058][ T9] usb 1-1: config 0 has no interface number 2
[ 45.007176][ T9] usb 1-1: config 0 has no interface number 3
[ 45.013357][ T9] usb 1-1: config 0 interface 199 altsetting 14 endpoint 0xC has invalid wMaxPacketSize 0
[ 45.023616][ T9] usb 1-1: config 0 interface 199 altsetting 14 bulk endpoint 0x8 has invalid maxpacket 32
[ 45.033670][ T9] usb 1-1: config 0 interface 199 altsetting 14 endpoint 0x9 has invalid maxpacket 959, setting to 64
[ 45.044700][ T9] usb 1-1: config 0 interface 199 altsetting 14 has a duplicate endpoint with address 0xA, skipping
[ 45.055638][ T9] usb 1-1: config 0 interface 199 altsetting 14 has an invalid descriptor for endpoint zero, skipping
[ 45.066627][ T9] usb 1-1: config 0 interface 199 altsetting 14 has a duplicate endpoint with address 0x8, skipping
[ 45.077443][ T9] usb 1-1: config 0 interface 199 altsetting 14 has a duplicate endpoint with address 0x9, skipping
[ 45.088332][ T9] usb 1-1: config 0 interface 199 altsetting 14 has an invalid descriptor for endpoint zero, skipping
[ 45.099363][ T9] usb 1-1: config 0 interface 199 altsetting 14 endpoint 0xE has invalid maxpacket 443, setting to 64
[ 45.110384][ T9] usb 1-1: config 0 interface 199 altsetting 14 has a duplicate endpoint with address 0x8, skipping
[ 45.121199][ T9] usb 1-1: config 0 interface 199 altsetting 14 has an invalid descriptor for endpoint zero, skipping
[ 45.132388][ T9] usb 1-1: config 0 interface 199 altsetting 14 has 13 endpoint descriptors, different from the interface descriptor's value: 15
[ 45.145786][ T9] usb 1-1: config 0 interface 0 altsetting 1 has a duplicate endpoint with address 0x3, skipping
[ 45.156400][ T9] usb 1-1: config 0 interface 0 altsetting 1 has a duplicate endpoint with address 0x8, skipping
[ 45.166955][ T9] usb 1-1: config 0 interface 0 altsetting 1 has a duplicate endpoint with address 0xE, skipping
[ 45.177528][ T9] usb 1-1: config 0 interface 0 altsetting 1 has a duplicate endpoint with address 0x7, skipping
[ 45.188134][ T9] usb 1-1: config 0 interface 0 altsetting 1 has a duplicate endpoint with address 0xD, skipping
[ 45.198697][ T9] usb 1-1: config 0 interface 0 altsetting 1 has an invalid endpoint descriptor of length 2, skipping
[ 45.209695][ T9] usb 1-1: config 0 interface 0 altsetting 1 endpoint 0xF has invalid maxpacket 1024, setting to 64
[ 45.220534][ T9] usb 1-1: config 0 interface 0 altsetting 1 has 12 endpoint descriptors, different from the interface descriptor's value: 11
[ 45.233713][ T9] usb 1-1: config 0 interface 54 altsetting 10 has an invalid descriptor for endpoint zero, skipping
[ 45.244628][ T9] usb 1-1: config 0 interface 54 altsetting 10 has a duplicate endpoint with address 0xF, skipping
[ 45.255426][ T9] usb 1-1: config 0 interface 54 altsetting 10 has a duplicate endpoint with address 0xC, skipping
[ 45.266173][ T9] usb 1-1: config 0 interface 54 altsetting 10 has an invalid descriptor for endpoint zero, skipping
[ 45.277191][ T9] usb 1-1: config 0 interface 54 altsetting 10 has a duplicate endpoint with address 0xF, skipping
[ 45.287957][ T9] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0x1, skipping
[ 45.298687][ T9] usb 1-1: config 0 interface 108 altsetting 8 has an invalid descriptor for endpoint zero, skipping
[ 45.309588][ T9] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0x9, skipping
[ 45.320423][ T9] usb 1-1: config 0 interface 108 altsetting 8 has an endpoint descriptor with address 0x1A, changing to 0xA
[ 45.332014][ T9] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0xA, skipping
[ 45.342849][ T9] usb 1-1: config 0 interface 108 altsetting 8 has an invalid descriptor for endpoint zero, skipping
[ 45.353792][ T9] usb 1-1: config 0 interface 108 altsetting 8 endpoint 0x5 has an invalid bInterval 118, changing to 7
[ 45.365071][ T9] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0x5, skipping
[ 45.375846][ T9] usb 1-1: config 0 interface 108 altsetting 8 has an invalid descriptor for endpoint zero, skipping
[ 45.386739][ T9] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0x8, skipping
[ 45.397452][ T9] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0xE, skipping
[ 45.408187][ T9] usb 1-1: config 0 interface 199 has no altsetting 0
[ 45.415034][ T9] usb 1-1: config 0 interface 0 has no altsetting 0
[ 45.421659][ T9] usb 1-1: config 0 interface 54 has no altsetting 0
[ 45.428554][ T9] usb 1-1: config 0 interface 108 has no altsetting 0
[ 45.438574][ T9] usb 1-1: string descriptor 0 read error: -22
[ 45.444888][ T9] usb 1-1: New USB device found, idVendor=0424, idProduct=c001, bcdDevice=1c.8f
[ 45.454270][ T9] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 45.467417][ T9] usb 1-1: config 0 descriptor??
[ 45.473862][ T2644] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22
executing program
[ 45.685024][ T9] usb 1-1: USB disconnect, device number 2
[ 45.705902][ T9] ==================================================================
[ 45.714002][ T9] BUG: KASAN: slab-use-after-free in hdm_disconnect+0x227/0x250
[ 45.721774][ T9] Read of size 8 at addr ffff88811314d898 by task kworker/0:1/9
[ 45.729407][ T9]
[ 45.731761][ T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.10.0-syzkaller-g933069701c1b #0
[ 45.741574][ T9] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 45.751717][ T9] Workqueue: usb_hub_wq hub_event
[ 45.756754][ T9] Call Trace:
[ 45.760024][ T9] <TASK>
[ 45.762940][ T9] dump_stack_lvl+0x116/0x1f0
[ 45.767725][ T9] print_report+0xc3/0x620
[ 45.772145][ T9] ? __virt_addr_valid+0x5e/0x590
[ 45.777177][ T9] ? __phys_addr+0xc6/0x150
[ 45.781666][ T9] kasan_report+0xd9/0x110
[ 45.786181][ T9] ? hdm_disconnect+0x227/0x250
[ 45.791021][ T9] ? hdm_disconnect+0x227/0x250
[ 45.795861][ T9] hdm_disconnect+0x227/0x250
[ 45.800529][ T9] usb_unbind_interface+0x1e8/0x970
[ 45.805766][ T9] ? kernfs_find_ns+0x2ee/0x3f0
[ 45.810824][ T9] ? __pfx_usb_unbind_interface+0x10/0x10
[ 45.816633][ T9] device_remove+0x122/0x170
[ 45.821677][ T9] device_release_driver_internal+0x44a/0x610
[ 45.827744][ T9] bus_remove_device+0x22f/0x420
[ 45.832678][ T9] device_del+0x396/0x9f0
[ 45.836995][ T9] ? __pfx_device_del+0x10/0x10
[ 45.841919][ T9] ? kobject_put+0x226/0x5b0
[ 45.846502][ T9] usb_disable_device+0x36c/0x7f0
[ 45.851519][ T9] usb_disconnect+0x2e1/0x920
[ 45.856205][ T9] hub_event+0x1be4/0x4f50
[ 45.860625][ T9] ? __pfx_hub_event+0x10/0x10
[ 45.865389][ T9] ? __pfx_lock_acquire+0x10/0x10
[ 45.870407][ T9] ? __pfx_lock_release+0x10/0x10
[ 45.875417][ T9] process_one_work+0x9c5/0x1b40
[ 45.880348][ T9] ? __pfx_lock_acquire+0x10/0x10
[ 45.885443][ T9] ? __pfx_process_one_work+0x10/0x10
[ 45.890907][ T9] ? assign_work+0x1a0/0x250
[ 45.895488][ T9] worker_thread+0x6c8/0xf20
[ 45.900082][ T9] ? __kthread_parkme+0x148/0x220
[ 45.905208][ T9] ? __pfx_worker_thread+0x10/0x10
[ 45.910484][ T9] kthread+0x2c1/0x3a0
[ 45.914565][ T9] ? _raw_spin_unlock_irq+0x23/0x50
[ 45.919761][ T9] ? __pfx_kthread+0x10/0x10
[ 45.924352][ T9] ret_from_fork+0x45/0x80
[ 45.928788][ T9] ? __pfx_kthread+0x10/0x10
[ 45.933478][ T9] ret_from_fork_asm+0x1a/0x30
[ 45.938254][ T9] </TASK>
[ 45.941360][ T9]
[ 45.944010][ T9] Allocated by task 9:
[ 45.948174][ T9] kasan_save_stack+0x33/0x60
[ 45.952976][ T9] kasan_save_track+0x14/0x30
[ 45.957697][ T9] __kasan_kmalloc+0x8f/0xa0
[ 45.962353][ T9] hdm_probe+0xb3/0x1880
[ 45.966688][ T9] usb_probe_interface+0x309/0x9d0
[ 45.971809][ T9] really_probe+0x23e/0xa90
[ 45.976327][ T9] __driver_probe_device+0x1de/0x440
[ 45.981719][ T9] driver_probe_device+0x4c/0x1b0
[ 45.986762][ T9] __device_attach_driver+0x1df/0x310
[ 45.992324][ T9] bus_for_each_drv+0x157/0x1e0
[ 45.997212][ T9] __device_attach+0x1e8/0x4b0
[ 46.002104][ T9] bus_probe_device+0x17f/0x1c0
[ 46.007302][ T9] device_add+0x114b/0x1a70
[ 46.011827][ T9] usb_set_configuration+0x10cb/0x1c50
[ 46.017372][ T9] usb_generic_driver_probe+0xb1/0x110
[ 46.022841][ T9] usb_probe_device+0xec/0x3e0
[ 46.027592][ T9] really_probe+0x23e/0xa90
[ 46.032085][ T9] __driver_probe_device+0x1de/0x440
[ 46.037375][ T9] driver_probe_device+0x4c/0x1b0
[ 46.042855][ T9] __device_attach_driver+0x1df/0x310
[ 46.048315][ T9] bus_for_each_drv+0x157/0x1e0
[ 46.053167][ T9] __device_attach+0x1e8/0x4b0
[ 46.058019][ T9] bus_probe_device+0x17f/0x1c0
[ 46.063061][ T9] device_add+0x114b/0x1a70
[ 46.067564][ T9] usb_new_device+0xd90/0x1a10
[ 46.072321][ T9] hub_event+0x2e66/0x4f50
[ 46.076806][ T9] process_one_work+0x9c5/0x1b40
[ 46.081821][ T9] worker_thread+0x6c8/0xf20
[ 46.086405][ T9] kthread+0x2c1/0x3a0
[ 46.090485][ T9] ret_from_fork+0x45/0x80
[ 46.094894][ T9] ret_from_fork_asm+0x1a/0x30
[ 46.099731][ T9]
[ 46.102070][ T9] Freed by task 9:
[ 46.105781][ T9] kasan_save_stack+0x33/0x60
[ 46.110461][ T9] kasan_save_track+0x14/0x30
[ 46.115118][ T9] kasan_save_free_info+0x3b/0x60
[ 46.120162][ T9] poison_slab_object+0xf7/0x160
[ 46.125459][ T9] __kasan_slab_free+0x14/0x30
[ 46.130461][ T9] kfree+0x10b/0x380
[ 46.134382][ T9] device_release+0xa1/0x240
[ 46.138979][ T9] kobject_put+0x1fa/0x5b0
[ 46.143398][ T9] device_unregister+0x2f/0xc0
[ 46.148157][ T9] hdm_disconnect+0x10b/0x250
[ 46.152837][ T9] usb_unbind_interface+0x1e8/0x970
[ 46.158030][ T9] device_remove+0x122/0x170
[ 46.162706][ T9] device_release_driver_internal+0x44a/0x610
[ 46.168855][ T9] bus_remove_device+0x22f/0x420
[ 46.173782][ T9] device_del+0x396/0x9f0
[ 46.178102][ T9] usb_disable_device+0x36c/0x7f0
[ 46.183480][ T9] usb_disconnect+0x2e1/0x920
[ 46.188284][ T9] hub_event+0x1be4/0x4f50
[ 46.192691][ T9] process_one_work+0x9c5/0x1b40
[ 46.197653][ T9] worker_thread+0x6c8/0xf20
[ 46.202701][ T9] kthread+0x2c1/0x3a0
[ 46.206776][ T9] ret_from_fork+0x45/0x80
[ 46.211203][ T9] ret_from_fork_asm+0x1a/0x30
[ 46.216047][ T9]
[ 46.218353][ T9] The buggy address belongs to the object at ffff88811314c000
[ 46.218353][ T9] which belongs to the cache kmalloc-8k of size 8192
[ 46.232481][ T9] The buggy address is located 6296 bytes inside of
[ 46.232481][ T9] freed 8192-byte region [ffff88811314c000, ffff88811314e000)
[ 46.246443][ T9]
[ 46.248778][ T9] The buggy address belongs to the physical page:
[ 46.255173][ T9] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113148
[ 46.264192][ T9] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 46.272683][ T9] flags: 0x200000000000040(head|node=0|zone=2)
[ 46.279012][ T9] page_type: 0xfdffffff(slab)
[ 46.283878][ T9] raw: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 46.292637][ T9] raw: 0000000000000000 0000000000020002 00000001fdffffff 0000000000000000
[ 46.301321][ T9] head: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 46.310022][ T9] head: 0000000000000000 0000000000020002 00000001fdffffff 0000000000000000
[ 46.318884][ T9] head: 0200000000000003 ffffea00044c5201 ffffffffffffffff 0000000000000000
[ 46.327903][ T9] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 46.336564][ T9] page dumped because: kasan: bad access detected
[ 46.343148][ T9] page_owner tracks the page as allocated
[ 46.348855][ T9] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 2644, tgid 2644 (syz-executor274), ts 44471884834, free_ts 39926477070
[ 46.368566][ T9] post_alloc_hook+0x2d1/0x350
[ 46.373342][ T9] get_page_from_freelist+0x1311/0x25f0
[ 46.378907][ T9] __alloc_pages_noprof+0x21e/0x2290
[ 46.384202][ T9] alloc_slab_page+0x4e/0xf0
[ 46.388959][ T9] new_slab+0x84/0x260
[ 46.393036][ T9] ___slab_alloc+0xdac/0x1870
[ 46.397718][ T9] __slab_alloc.constprop.0+0x56/0xb0
[ 46.403112][ T9] __kmalloc_cache_noprof+0x27a/0x2c0
[ 46.408571][ T9] audit_log_d_path+0xce/0x1e0
[ 46.413329][ T9] common_lsm_audit+0x7bf/0x2220
[ 46.418258][ T9] slow_avc_audit+0x17d/0x210
[ 46.422949][ T9] avc_has_extended_perms+0x9c6/0xf90
[ 46.428313][ T9] ioctl_has_perm.constprop.0.isra.0+0x2f0/0x470
[ 46.434648][ T9] selinux_file_ioctl+0x180/0x270
[ 46.439690][ T9] security_file_ioctl+0x75/0xc0
[ 46.444623][ T9] __x64_sys_ioctl+0xbb/0x220
[ 46.449324][ T9] page last free pid 2505 tgid 2505 stack trace:
[ 46.455633][ T9] register_dummy_stack+0x8a/0xd0
[ 46.460656][ T9] init_page_owner+0x48/0xbe0
[ 46.465328][ T9] page_ext_init+0x730/0xc40
[ 46.469912][ T9] mm_core_init+0x202/0x240
[ 46.474397][ T9]
[ 46.476704][ T9] Memory state around the buggy address:
[ 46.482449][ T9] ffff88811314d780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.490546][ T9] ffff88811314d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.498614][ T9] >ffff88811314d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.506934][ T9] ^
[ 46.511900][ T9] ffff88811314d900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.519961][ T9] ffff88811314d980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.528288][ T9] ==================================================================
[ 46.536856][ T9] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 46.544066][ T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.10.0-syzkaller-g933069701c1b #0
[ 46.553801][ T9] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 46.563875][ T9] Workqueue: usb_hub_wq hub_event
[ 46.568921][ T9] Call Trace:
[ 46.572475][ T9] <TASK>
[ 46.575409][ T9] dump_stack_lvl+0x3d/0x1f0
[ 46.580053][ T9] panic+0x6f5/0x7a0
[ 46.583974][ T9] ? mark_held_locks+0x9f/0xe0
[ 46.588754][ T9] ? __pfx_panic+0x10/0x10
[ 46.593171][ T9] ? irqentry_exit+0x3b/0x90
[ 46.597792][ T9] ? lockdep_hardirqs_on+0x7c/0x110
[ 46.603010][ T9] ? check_panic_on_warn+0x1f/0xb0
[ 46.608223][ T9] check_panic_on_warn+0xab/0xb0
[ 46.613194][ T9] end_report+0x117/0x180
[ 46.617554][ T9] kasan_report+0xe9/0x110
[ 46.621984][ T9] ? hdm_disconnect+0x227/0x250
[ 46.626852][ T9] ? hdm_disconnect+0x227/0x250
[ 46.631712][ T9] hdm_disconnect+0x227/0x250
[ 46.636393][ T9] usb_unbind_interface+0x1e8/0x970
[ 46.641831][ T9] ? kernfs_find_ns+0x2ee/0x3f0
[ 46.646682][ T9] ? __pfx_usb_unbind_interface+0x10/0x10
[ 46.652476][ T9] device_remove+0x122/0x170
[ 46.657075][ T9] device_release_driver_internal+0x44a/0x610
[ 46.663139][ T9] bus_remove_device+0x22f/0x420
[ 46.668076][ T9] device_del+0x396/0x9f0
[ 46.672416][ T9] ? __pfx_device_del+0x10/0x10
[ 46.677255][ T9] ? kobject_put+0x226/0x5b0
[ 46.682077][ T9] usb_disable_device+0x36c/0x7f0
[ 46.688227][ T9] usb_disconnect+0x2e1/0x920
[ 46.692921][ T9] hub_event+0x1be4/0x4f50
[ 46.697414][ T9] ? __pfx_hub_event+0x10/0x10
[ 46.702210][ T9] ? __pfx_lock_acquire+0x10/0x10
[ 46.707463][ T9] ? __pfx_lock_release+0x10/0x10
[ 46.712615][ T9] process_one_work+0x9c5/0x1b40
[ 46.717661][ T9] ? __pfx_lock_acquire+0x10/0x10
[ 46.722739][ T9] ? __pfx_process_one_work+0x10/0x10
[ 46.728114][ T9] ? assign_work+0x1a0/0x250
[ 46.732690][ T9] worker_thread+0x6c8/0xf20
[ 46.737289][ T9] ? __kthread_parkme+0x148/0x220
[ 46.742312][ T9] ? __pfx_worker_thread+0x10/0x10
[ 46.747435][ T9] kthread+0x2c1/0x3a0
[ 46.751504][ T9] ? _raw_spin_unlock_irq+0x23/0x50
[ 46.756696][ T9] ? __pfx_kthread+0x10/0x10
[ 46.761277][ T9] ret_from_fork+0x45/0x80
[ 46.765697][ T9] ? __pfx_kthread+0x10/0x10
[ 46.770420][ T9] ret_from_fork_asm+0x1a/0x30
[ 46.775193][ T9] </TASK>
[ 46.778641][ T9] Kernel Offset: disabled
[ 46.782982][ T9] Rebooting in 86400 seconds..