Warning: Permanently added '10.128.0.251' (ED25519) to the list of known hosts.
executing program
[ 39.450626][ T29] audit: type=1400 audit(1735398107.022:80): avc: denied { execmem } for pid=2943 comm="syz-executor124" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 39.470915][ T29] audit: type=1400 audit(1735398107.022:81): avc: denied { read write } for pid=2944 comm="syz-executor124" name="raw-gadget" dev="devtmpfs" ino=236 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 39.494828][ T29] audit: type=1400 audit(1735398107.022:82): avc: denied { open } for pid=2944 comm="syz-executor124" path="/dev/raw-gadget" dev="devtmpfs" ino=236 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 39.518683][ T29] audit: type=1400 audit(1735398107.022:83): avc: denied { ioctl } for pid=2944 comm="syz-executor124" path="/dev/raw-gadget" dev="devtmpfs" ino=236 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 39.697343][ T9] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 39.857163][ T9] usb 1-1: Using ep0 maxpacket: 32
[ 39.864669][ T9] usb 1-1: config 0 has an invalid interface number: 201 but max is 0
[ 39.872986][ T9] usb 1-1: config 0 has no interface number 0
[ 39.881132][ T9] usb 1-1: New USB device found, idVendor=0424, idProduct=c001, bcdDevice=c3.55
[ 39.890238][ T9] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 39.898287][ T9] usb 1-1: Product: syz
[ 39.902454][ T9] usb 1-1: Manufacturer: syz
[ 39.907102][ T9] usb 1-1: SerialNumber: syz
[ 39.915478][ T9] usb 1-1: config 0 descriptor??
executing program
[ 40.125002][ T36] usb 1-1: USB disconnect, device number 2
[ 40.132964][ T36] ==================================================================
[ 40.141065][ T36] BUG: KASAN: slab-use-after-free in hdm_disconnect+0x227/0x250
[ 40.148782][ T36] Read of size 8 at addr ffff8881188b1890 by task kworker/1:1/36
[ 40.156545][ T36]
[ 40.158915][ T36] CPU: 1 UID: 0 PID: 36 Comm: kworker/1:1 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0
[ 40.170250][ T36] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 40.180334][ T36] Workqueue: usb_hub_wq hub_event
[ 40.185388][ T36] Call Trace:
[ 40.188672][ T36] <TASK>
[ 40.191612][ T36] dump_stack_lvl+0x116/0x1f0
[ 40.196316][ T36] print_report+0xc3/0x620
[ 40.200748][ T36] ? __virt_addr_valid+0x5e/0x590
[ 40.205796][ T36] ? __phys_addr+0xc6/0x150
[ 40.210322][ T36] kasan_report+0xd9/0x110
[ 40.214754][ T36] ? hdm_disconnect+0x227/0x250
[ 40.219624][ T36] ? hdm_disconnect+0x227/0x250
[ 40.224497][ T36] hdm_disconnect+0x227/0x250
[ 40.229206][ T36] usb_unbind_interface+0x1e2/0x960
[ 40.234425][ T36] ? kernfs_find_ns+0x2ee/0x3f0
[ 40.239300][ T36] ? __pfx_usb_unbind_interface+0x10/0x10
[ 40.245042][ T36] device_remove+0x122/0x170
[ 40.249660][ T36] device_release_driver_internal+0x44a/0x610
[ 40.255753][ T36] bus_remove_device+0x22f/0x420
[ 40.260716][ T36] device_del+0x396/0x9f0
[ 40.265150][ T36] ? __pfx_device_del+0x10/0x10
[ 40.270017][ T36] ? __pfx_lock_release+0x10/0x10
[ 40.275494][ T36] usb_disable_device+0x36c/0x7f0
[ 40.280535][ T36] ? lockdep_hardirqs_on+0x7c/0x110
[ 40.285753][ T36] usb_disconnect+0x2e1/0x920
[ 40.290447][ T36] hub_event+0x1bed/0x4f40
[ 40.294885][ T36] ? lock_acquire+0x2f/0xb0
[ 40.299411][ T36] ? __pfx_hub_event+0x10/0x10
[ 40.304188][ T36] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 40.309848][ T36] ? rcu_is_watching+0x12/0xc0
[ 40.314635][ T36] ? trace_lock_acquire+0x14e/0x1f0
[ 40.319845][ T36] ? process_one_work+0x921/0x1ba0
[ 40.324983][ T36] ? lock_acquire+0x2f/0xb0
[ 40.329504][ T36] ? process_one_work+0x921/0x1ba0
[ 40.334646][ T36] process_one_work+0x9c5/0x1ba0
[ 40.339607][ T36] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 40.345345][ T36] ? __pfx_process_one_work+0x10/0x10
[ 40.350737][ T36] ? rcu_is_watching+0x12/0xc0
[ 40.355531][ T36] ? assign_work+0x1a0/0x250
[ 40.360152][ T36] worker_thread+0x6c8/0xf00
[ 40.364777][ T36] ? __kthread_parkme+0x148/0x220
[ 40.369840][ T36] ? __pfx_worker_thread+0x10/0x10
[ 40.374987][ T36] kthread+0x2c1/0x3a0
[ 40.379103][ T36] ? _raw_spin_unlock_irq+0x23/0x50
[ 40.384317][ T36] ? __pfx_kthread+0x10/0x10
[ 40.388941][ T36] ret_from_fork+0x45/0x80
[ 40.393375][ T36] ? __pfx_kthread+0x10/0x10
[ 40.397991][ T36] ret_from_fork_asm+0x1a/0x30
[ 40.402773][ T36] </TASK>
[ 40.405882][ T36]
[ 40.408207][ T36] Allocated by task 9:
[ 40.412272][ T36] kasan_save_stack+0x33/0x60
[ 40.416974][ T36] kasan_save_track+0x14/0x30
[ 40.421660][ T36] __kasan_kmalloc+0x8f/0xa0
[ 40.426263][ T36] hdm_probe+0xb3/0x1880
[ 40.430524][ T36] usb_probe_interface+0x300/0x9c0
[ 40.435664][ T36] really_probe+0x23e/0xa90
[ 40.440188][ T36] __driver_probe_device+0x1de/0x440
[ 40.445488][ T36] driver_probe_device+0x4c/0x1b0
[ 40.450527][ T36] __device_attach_driver+0x1df/0x310
[ 40.455914][ T36] bus_for_each_drv+0x157/0x1e0
[ 40.460770][ T36] __device_attach+0x1e8/0x4b0
[ 40.465548][ T36] bus_probe_device+0x17f/0x1c0
[ 40.470413][ T36] device_add+0x114b/0x1a70
[ 40.475037][ T36] usb_set_configuration+0x10cb/0x1c50
[ 40.480624][ T36] usb_generic_driver_probe+0xb1/0x110
[ 40.486102][ T36] usb_probe_device+0xec/0x3e0
[ 40.490880][ T36] really_probe+0x23e/0xa90
[ 40.495401][ T36] __driver_probe_device+0x1de/0x440
[ 40.500701][ T36] driver_probe_device+0x4c/0x1b0
[ 40.505741][ T36] __device_attach_driver+0x1df/0x310
[ 40.511129][ T36] bus_for_each_drv+0x157/0x1e0
[ 40.515987][ T36] __device_attach+0x1e8/0x4b0
[ 40.520767][ T36] bus_probe_device+0x17f/0x1c0
[ 40.525628][ T36] device_add+0x114b/0x1a70
[ 40.530187][ T36] usb_new_device+0xd90/0x1a10
[ 40.534963][ T36] hub_event+0x2e58/0x4f40
[ 40.539392][ T36] process_one_work+0x9c5/0x1ba0
[ 40.544344][ T36] worker_thread+0x6c8/0xf00
[ 40.548950][ T36] kthread+0x2c1/0x3a0
[ 40.553040][ T36] ret_from_fork+0x45/0x80
[ 40.557548][ T36] ret_from_fork_asm+0x1a/0x30
[ 40.562317][ T36]
[ 40.564640][ T36] Freed by task 36:
[ 40.568450][ T36] kasan_save_stack+0x33/0x60
[ 40.573135][ T36] kasan_save_track+0x14/0x30
[ 40.577929][ T36] kasan_save_free_info+0x3b/0x60
[ 40.582971][ T36] __kasan_slab_free+0x37/0x50
[ 40.587746][ T36] kfree+0x130/0x470
[ 40.591657][ T36] device_release+0xa1/0x240
[ 40.596265][ T36] kobject_put+0x1e4/0x5a0
[ 40.600700][ T36] device_unregister+0x2f/0xc0
[ 40.605487][ T36] hdm_disconnect+0x10b/0x250
[ 40.610179][ T36] usb_unbind_interface+0x1e2/0x960
[ 40.615391][ T36] device_remove+0x122/0x170
[ 40.619993][ T36] device_release_driver_internal+0x44a/0x610
[ 40.626076][ T36] bus_remove_device+0x22f/0x420
[ 40.631031][ T36] device_del+0x396/0x9f0
[ 40.635372][ T36] usb_disable_device+0x36c/0x7f0
[ 40.640409][ T36] usb_disconnect+0x2e1/0x920
[ 40.645096][ T36] hub_event+0x1bed/0x4f40
[ 40.649522][ T36] process_one_work+0x9c5/0x1ba0
[ 40.654472][ T36] worker_thread+0x6c8/0xf00
[ 40.659091][ T36] kthread+0x2c1/0x3a0
[ 40.663180][ T36] ret_from_fork+0x45/0x80
[ 40.667623][ T36] ret_from_fork_asm+0x1a/0x30
[ 40.672406][ T36]
[ 40.674728][ T36] The buggy address belongs to the object at ffff8881188b0000
[ 40.674728][ T36] which belongs to the cache kmalloc-8k of size 8192
[ 40.688787][ T36] The buggy address is located 6288 bytes inside of
[ 40.688787][ T36] freed 8192-byte region [ffff8881188b0000, ffff8881188b2000)
[ 40.702764][ T36]
[ 40.705087][ T36] The buggy address belongs to the physical page:
[ 40.711505][ T36] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1188b0
[ 40.720361][ T36] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 40.728862][ T36] flags: 0x200000000000040(head|node=0|zone=2)
[ 40.735023][ T36] page_type: f5(slab)
[ 40.739013][ T36] raw: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 40.747654][ T36] raw: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
[ 40.756342][ T36] head: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 40.765023][ T36] head: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
[ 40.773884][ T36] head: 0200000000000003 ffffea0004622c01 ffffffffffffffff 0000000000000000
[ 40.782571][ T36] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 40.791243][ T36] page dumped because: kasan: bad access detected
[ 40.797655][ T36] page_owner tracks the page as allocated
[ 40.803371][ T36] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 9, tgid 9 (kworker/0:1), ts 39925033824, free_ts 39456402898
[ 40.824144][ T36] post_alloc_hook+0x2d1/0x350
[ 40.828926][ T36] get_page_from_freelist+0xe76/0x2b90
[ 40.834421][ T36] __alloc_pages_noprof+0x21c/0x22a0
[ 40.839736][ T36] alloc_pages_mpol_noprof+0xeb/0x400
[ 40.845148][ T36] new_slab+0x2c9/0x410
[ 40.849317][ T36] ___slab_alloc+0xd1d/0x16e0
[ 40.854009][ T36] __slab_alloc.constprop.0+0x56/0xb0
[ 40.859406][ T36] __kmalloc_cache_noprof+0x217/0x3e0
[ 40.864794][ T36] hdm_probe+0xb3/0x1880
[ 40.869052][ T36] usb_probe_interface+0x300/0x9c0
[ 40.874215][ T36] really_probe+0x23e/0xa90
[ 40.878741][ T36] __driver_probe_device+0x1de/0x440
[ 40.884042][ T36] driver_probe_device+0x4c/0x1b0
[ 40.889082][ T36] __device_attach_driver+0x1df/0x310
[ 40.894470][ T36] bus_for_each_drv+0x157/0x1e0
[ 40.899327][ T36] __device_attach+0x1e8/0x4b0
[ 40.904106][ T36] page last free pid 2944 tgid 2944 stack trace:
[ 40.910432][ T36] free_unref_page+0x661/0xe40
[ 40.915211][ T36] __put_partials+0x14c/0x170
[ 40.919903][ T36] qlist_free_all+0x4e/0x120
[ 40.924516][ T36] kasan_quarantine_reduce+0x195/0x1e0
[ 40.929982][ T36] __kasan_slab_alloc+0x4e/0x70
[ 40.934840][ T36] __kmalloc_cache_noprof+0x153/0x3e0
[ 40.940226][ T36] raw_ioctl_init+0x163/0x870
[ 40.944920][ T36] raw_ioctl+0x9de/0x2b90
[ 40.949255][ T36] __x64_sys_ioctl+0x190/0x200
[ 40.954028][ T36] do_syscall_64+0xcd/0x250
[ 40.958545][ T36] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 40.964465][ T36]
[ 40.966801][ T36] Memory state around the buggy address:
[ 40.972430][ T36] ffff8881188b1780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.980498][ T36] ffff8881188b1800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.988562][ T36] >ffff8881188b1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.996624][ T36]                          ^
[ 41.001211][ T36] ffff8881188b1900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.009276][ T36] ffff8881188b1980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.017351][ T36] ==================================================================
[ 41.025544][ T36] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 41.032769][ T36] CPU: 1 UID: 0 PID: 36 Comm: kworker/1:1 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0
[ 41.043418][ T36] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 41.053503][ T36] Workqueue: usb_hub_wq hub_event
[ 41.058553][ T36] Call Trace:
[ 41.061833][ T36] <TASK>
[ 41.064767][ T36] dump_stack_lvl+0x3d/0x1f0
[ 41.069379][ T36] panic+0x71d/0x800
[ 41.073294][ T36] ? mark_held_locks+0x9f/0xe0
[ 41.078104][ T36] ? __pfx_panic+0x10/0x10
[ 41.082531][ T36] ? irqentry_exit+0x3b/0x90
[ 41.087136][ T36] ? lockdep_hardirqs_on+0x7c/0x110
[ 41.092350][ T36] ? check_panic_on_warn+0x1f/0xb0
[ 41.097490][ T36] check_panic_on_warn+0xab/0xb0
[ 41.102441][ T36] end_report+0x117/0x180
[ 41.106873][ T36] kasan_report+0xe9/0x110
[ 41.111304][ T36] ? hdm_disconnect+0x227/0x250
[ 41.116186][ T36] ? hdm_disconnect+0x227/0x250
[ 41.121077][ T36] hdm_disconnect+0x227/0x250
[ 41.125779][ T36] usb_unbind_interface+0x1e2/0x960
[ 41.131092][ T36] ? kernfs_find_ns+0x2ee/0x3f0
[ 41.135977][ T36] ? __pfx_usb_unbind_interface+0x10/0x10
[ 41.141720][ T36] device_remove+0x122/0x170
[ 41.146329][ T36] device_release_driver_internal+0x44a/0x610
[ 41.152422][ T36] bus_remove_device+0x22f/0x420
[ 41.157378][ T36] device_del+0x396/0x9f0
[ 41.161726][ T36] ? __pfx_device_del+0x10/0x10
[ 41.166599][ T36] ? __pfx_lock_release+0x10/0x10
[ 41.171650][ T36] usb_disable_device+0x36c/0x7f0
[ 41.176713][ T36] ? lockdep_hardirqs_on+0x7c/0x110
[ 41.181932][ T36] usb_disconnect+0x2e1/0x920
[ 41.186631][ T36] hub_event+0x1bed/0x4f40
[ 41.191085][ T36] ? lock_acquire+0x2f/0xb0
[ 41.195616][ T36] ? __pfx_hub_event+0x10/0x10
[ 41.200410][ T36] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 41.206151][ T36] ? rcu_is_watching+0x12/0xc0
[ 41.210940][ T36] ? trace_lock_acquire+0x14e/0x1f0
[ 41.216152][ T36] ? process_one_work+0x921/0x1ba0
[ 41.221286][ T36] ? lock_acquire+0x2f/0xb0
[ 41.225807][ T36] ? process_one_work+0x921/0x1ba0
[ 41.230959][ T36] process_one_work+0x9c5/0x1ba0
[ 41.235928][ T36] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 41.241595][ T36] ? __pfx_process_one_work+0x10/0x10
[ 41.246988][ T36] ? rcu_is_watching+0x12/0xc0
[ 41.251882][ T36] ? assign_work+0x1a0/0x250
[ 41.256488][ T36] worker_thread+0x6c8/0xf00
[ 41.261109][ T36] ? __kthread_parkme+0x148/0x220
[ 41.266158][ T36] ? __pfx_worker_thread+0x10/0x10
[ 41.271375][ T36] kthread+0x2c1/0x3a0
[ 41.275468][ T36] ? _raw_spin_unlock_irq+0x23/0x50
[ 41.280677][ T36] ? __pfx_kthread+0x10/0x10
[ 41.285300][ T36] ret_from_fork+0x45/0x80
[ 41.289737][ T36] ? __pfx_kthread+0x10/0x10
[ 41.294436][ T36] ret_from_fork_asm+0x1a/0x30
[ 41.299218][ T36] </TASK>
[ 41.302586][ T36] Kernel Offset: disabled
[ 41.306926][ T36] Rebooting in 86400 seconds..