Warning: Permanently added '10.128.0.86' (ED25519) to the list of known hosts.
executing program
[ 60.212841][ T4164] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 60.452772][ T4164] usb 1-1: Using ep0 maxpacket: 32
[ 60.572900][ T4164] usb 1-1: config 0 has an invalid interface number: 201 but max is 0
[ 60.581225][ T4164] usb 1-1: config 0 has no interface number 0
[ 60.742954][ T4164] usb 1-1: New USB device found, idVendor=0424, idProduct=c001, bcdDevice=c3.55
[ 60.752007][ T4164] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 60.760077][ T4164] usb 1-1: Product: syz
[ 60.764313][ T4164] usb 1-1: Manufacturer: syz
[ 60.768918][ T4164] usb 1-1: SerialNumber: syz
[ 60.777150][ T4164] usb 1-1: config 0 descriptor??
[ 61.022994][ T4164] usb 1-1: USB disconnect, device number 2
[ 61.039462][ T4164] ==================================================================
[ 61.047706][ T4164] BUG: KASAN: use-after-free in hdm_disconnect+0x109/0x1c0
[ 61.054940][ T4164] Read of size 8 at addr ffff8880256d9960 by task kworker/1:3/4164
[ 61.062969][ T4164]
[ 61.065306][ T4164] CPU: 1 PID: 4164 Comm: kworker/1:3 Not tainted 5.15.175-syzkaller #0
[ 61.073628][ T4164] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 61.083689][ T4164] Workqueue: usb_hub_wq hub_event
[ 61.088759][ T4164] Call Trace:
[ 61.092031][ T4164] <TASK>
[ 61.094955][ T4164] dump_stack_lvl+0x1e3/0x2d0
[ 61.099724][ T4164] ? io_uring_drop_tctx_refs+0x1a0/0x1a0
[ 61.105346][ T4164] ? _printk+0xd1/0x120
[ 61.109508][ T4164] ? __wake_up_klogd+0xcc/0x100
[ 61.114351][ T4164] ? panic+0x860/0x860
[ 61.118420][ T4164] ? _raw_spin_lock_irqsave+0xdd/0x120
[ 61.123892][ T4164] print_address_description+0x63/0x3b0
[ 61.129439][ T4164] ? hdm_disconnect+0x109/0x1c0
[ 61.134318][ T4164] kasan_report+0x16b/0x1c0
[ 61.138856][ T4164] ? hdm_disconnect+0x109/0x1c0
[ 61.143714][ T4164] hdm_disconnect+0x109/0x1c0
[ 61.148411][ T4164] usb_unbind_interface+0x1cd/0x840
[ 61.153629][ T4164] ? usb_driver_release_interface+0x1c0/0x1c0
[ 61.159735][ T4164] device_release_driver_internal+0x50e/0x7f0
[ 61.165816][ T4164] bus_remove_device+0x2e5/0x400
[ 61.171135][ T4164] device_del+0x6e2/0xbd0
[ 61.175486][ T4164] ? kill_device+0x160/0x160
[ 61.180119][ T4164] ? usb_disconnect+0xfa/0x8c0
[ 61.184882][ T4164] ? print_irqtrace_events+0x210/0x210
[ 61.190355][ T4164] ? _raw_spin_lock_irq+0xdb/0x110
[ 61.195481][ T4164] ? mutex_lock_io_nested+0x60/0x60
[ 61.200699][ T4164] usb_disable_device+0x3b8/0x840
[ 61.205730][ T4164] usb_disconnect+0x33c/0x8c0
[ 61.210412][ T4164] hub_event+0x1d58/0x54c0
[ 61.214853][ T4164] ? mark_lock+0x98/0x340
[ 61.219199][ T4164] ? led_work+0x700/0x700
[ 61.223525][ T4164] ? read_lock_is_recursive+0x10/0x10
[ 61.228906][ T4164] ? lockdep_hardirqs_on_prepare+0x438/0x7a0
[ 61.234878][ T4164] ? down+0x10/0xc0
[ 61.238675][ T4164] ? _raw_spin_unlock_irqrestore+0xd9/0x130
[ 61.244594][ T4164] ? do_raw_spin_unlock+0x137/0x8b0
[ 61.249798][ T4164] process_one_work+0x8a1/0x10c0
[ 61.254742][ T4164] ? worker_detach_from_pool+0x260/0x260
[ 61.260371][ T4164] ? _raw_spin_lock_irqsave+0x120/0x120
[ 61.265910][ T4164] ? kthread_data+0x4e/0xc0
[ 61.270407][ T4164] ? wq_worker_running+0x97/0x170
[ 61.275425][ T4164] worker_thread+0xaca/0x1280
[ 61.280115][ T4164] ? _raw_spin_unlock_irqrestore+0xd9/0x130
[ 61.286016][ T4164] kthread+0x3f6/0x4f0
[ 61.290077][ T4164] ? rcu_lock_release+0x20/0x20
[ 61.294919][ T4164] ? kthread_blkcg+0xd0/0xd0
[ 61.299505][ T4164] ret_from_fork+0x1f/0x30
[ 61.303922][ T4164] </TASK>
[ 61.306929][ T4164]
[ 61.309240][ T4164] Allocated by task 4164:
[ 61.313549][ T4164] ____kasan_kmalloc+0xba/0xf0
[ 61.318310][ T4164] kmem_cache_alloc_trace+0x143/0x290
[ 61.323690][ T4164] hdm_probe+0x91/0x13d0
[ 61.328114][ T4164] usb_probe_interface+0x5c0/0xaf0
[ 61.333225][ T4164] really_probe+0x24e/0xb60
[ 61.337727][ T4164] __driver_probe_device+0x1a2/0x3d0
[ 61.343011][ T4164] driver_probe_device+0x50/0x420
[ 61.348030][ T4164] __device_attach_driver+0x2b9/0x500
[ 61.353396][ T4164] bus_for_each_drv+0x183/0x200
[ 61.358239][ T4164] __device_attach+0x359/0x570
[ 61.363008][ T4164] bus_probe_device+0xba/0x1e0
[ 61.367761][ T4164] device_add+0xb48/0xfd0
[ 61.372078][ T4164] usb_set_configuration+0x19dd/0x2020
[ 61.377525][ T4164] usb_generic_driver_probe+0x84/0x140
[ 61.382973][ T4164] usb_probe_device+0x130/0x260
[ 61.387829][ T4164] really_probe+0x24e/0xb60
[ 61.392318][ T4164] __driver_probe_device+0x1a2/0x3d0
[ 61.397590][ T4164] driver_probe_device+0x50/0x420
[ 61.402604][ T4164] __device_attach_driver+0x2b9/0x500
[ 61.407978][ T4164] bus_for_each_drv+0x183/0x200
[ 61.412814][ T4164] __device_attach+0x359/0x570
[ 61.417564][ T4164] bus_probe_device+0xba/0x1e0
[ 61.422312][ T4164] device_add+0xb48/0xfd0
[ 61.426629][ T4164] usb_new_device+0xc17/0x18e0
[ 61.431398][ T4164] hub_event+0x2cdf/0x54c0
[ 61.435808][ T4164] process_one_work+0x8a1/0x10c0
[ 61.440856][ T4164] worker_thread+0xaca/0x1280
[ 61.445592][ T4164] kthread+0x3f6/0x4f0
[ 61.449655][ T4164] ret_from_fork+0x1f/0x30
[ 61.454064][ T4164]
[ 61.456374][ T4164] Freed by task 4164:
[ 61.460336][ T4164] kasan_set_track+0x4b/0x80
[ 61.464915][ T4164] kasan_set_free_info+0x1f/0x40
[ 61.469841][ T4164] ____kasan_slab_free+0xd8/0x120
[ 61.474853][ T4164] slab_free_freelist_hook+0xdd/0x160
[ 61.480217][ T4164] kfree+0xf1/0x270
[ 61.484026][ T4164] device_release+0x91/0x1c0
[ 61.488605][ T4164] kobject_put+0x224/0x460
[ 61.493009][ T4164] hdm_disconnect+0xef/0x1c0
[ 61.497585][ T4164] usb_unbind_interface+0x1cd/0x840
[ 61.502784][ T4164] device_release_driver_internal+0x50e/0x7f0
[ 61.508842][ T4164] bus_remove_device+0x2e5/0x400
[ 61.513779][ T4164] device_del+0x6e2/0xbd0
[ 61.518097][ T4164] usb_disable_device+0x3b8/0x840
[ 61.523126][ T4164] usb_disconnect+0x33c/0x8c0
[ 61.527795][ T4164] hub_event+0x1d58/0x54c0
[ 61.532194][ T4164] process_one_work+0x8a1/0x10c0
[ 61.537118][ T4164] worker_thread+0xaca/0x1280
[ 61.541782][ T4164] kthread+0x3f6/0x4f0
[ 61.545851][ T4164] ret_from_fork+0x1f/0x30
[ 61.550270][ T4164]
[ 61.552581][ T4164] The buggy address belongs to the object at ffff8880256d8000
[ 61.552581][ T4164] which belongs to the cache kmalloc-8k of size 8192
[ 61.566625][ T4164] The buggy address is located 6496 bytes inside of
[ 61.566625][ T4164] 8192-byte region [ffff8880256d8000, ffff8880256da000)
[ 61.580146][ T4164] The buggy address belongs to the page:
[ 61.585769][ T4164] page:ffffea000095b600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x256d8
[ 61.595994][ T4164] head:ffffea000095b600 order:3 compound_mapcount:0 compound_pincount:0
[ 61.604320][ T4164] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 61.612304][ T4164] raw: 00fff00000010200 0000000000000000 0000000100000001 ffff888017442280
[ 61.620881][ T4164] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 61.629446][ T4164] page dumped because: kasan: bad access detected
[ 61.635869][ T4164] page_owner tracks the page as allocated
[ 61.641566][ T4164] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, ts 11788827686, free_ts 0
[ 61.659535][ T4164] get_page_from_freelist+0x3b78/0x3d40
[ 61.665077][ T4164] __alloc_pages+0x272/0x700
[ 61.669671][ T4164] alloc_page_interleave+0x22/0x1c0
[ 61.674854][ T4164] new_slab+0xbb/0x4b0
[ 61.678912][ T4164] ___slab_alloc+0x6f6/0xe10
[ 61.683494][ T4164] __kmalloc+0x1c9/0x300
[ 61.687730][ T4164] __usb_create_hcd+0x5f/0x840
[ 61.692486][ T4164] vhci_hcd_probe+0x1d8/0x3b0
[ 61.697164][ T4164] platform_probe+0x131/0x1b0
[ 61.701832][ T4164] really_probe+0x24e/0xb60
[ 61.706320][ T4164] __driver_probe_device+0x1a2/0x3d0
[ 61.711590][ T4164] driver_probe_device+0x50/0x420
[ 61.716601][ T4164] __device_attach_driver+0x2b9/0x500
[ 61.721968][ T4164] bus_for_each_drv+0x183/0x200
[ 61.726818][ T4164] __device_attach+0x359/0x570
[ 61.731568][ T4164] bus_probe_device+0xba/0x1e0
[ 61.736332][ T4164] page_owner free stack trace missing
[ 61.741687][ T4164]
[ 61.743997][ T4164] Memory state around the buggy address:
[ 61.749611][ T4164] ffff8880256d9800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.757667][ T4164] ffff8880256d9880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.765824][ T4164] >ffff8880256d9900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.773868][ T4164]                                                        ^
[ 61.781132][ T4164] ffff8880256d9980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.789177][ T4164] ffff8880256d9a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.797219][ T4164] ==================================================================
[ 61.805263][ T4164] Disabling lock debugging due to kernel taint
[ 61.812334][ T4164] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 61.819544][ T4164] CPU: 1 PID: 4164 Comm: kworker/1:3 Tainted: G B 5.15.175-syzkaller #0
[ 61.829264][ T4164] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 61.839308][ T4164] Workqueue: usb_hub_wq hub_event
[ 61.844588][ T4164] Call Trace:
[ 61.847850][ T4164] <TASK>
[ 61.850764][ T4164] dump_stack_lvl+0x1e3/0x2d0
[ 61.855449][ T4164] ? io_uring_drop_tctx_refs+0x1a0/0x1a0
[ 61.861074][ T4164] ? panic+0x860/0x860
[ 61.865147][ T4164] ? rcu_is_watching+0x11/0xa0
[ 61.869914][ T4164] ? preempt_schedule_common+0xa6/0xd0
[ 61.875359][ T4164] panic+0x318/0x860
[ 61.879243][ T4164] ? asm_sysvec_apic_timer_interrupt+0x16/0x20
[ 61.885385][ T4164] ? check_panic_on_warn+0x1d/0xa0
[ 61.890486][ T4164] ? fb_is_primary_device+0xd0/0xd0
[ 61.895761][ T4164] ? _raw_spin_unlock_irqrestore+0x128/0x130
[ 61.901739][ T4164] ? _raw_spin_unlock+0x40/0x40
[ 61.906576][ T4164] check_panic_on_warn+0x7e/0xa0
[ 61.911501][ T4164] ? hdm_disconnect+0x109/0x1c0
[ 61.916337][ T4164] end_report+0x6d/0xf0
[ 61.920478][ T4164] kasan_report+0x18e/0x1c0
[ 61.924966][ T4164] ? hdm_disconnect+0x109/0x1c0
[ 61.929803][ T4164] hdm_disconnect+0x109/0x1c0
[ 61.934474][ T4164] usb_unbind_interface+0x1cd/0x840
[ 61.939670][ T4164] ? usb_driver_release_interface+0x1c0/0x1c0
[ 61.945724][ T4164] device_release_driver_internal+0x50e/0x7f0
[ 61.951787][ T4164] bus_remove_device+0x2e5/0x400
[ 61.956712][ T4164] device_del+0x6e2/0xbd0
[ 61.961030][ T4164] ? kill_device+0x160/0x160
[ 61.962748][ T7] Bluetooth: hci0: command 0x0409 tx timeout
[ 61.965608][ T4164] ? usb_disconnect+0xfa/0x8c0
[ 61.976322][ T4164] ? print_irqtrace_events+0x210/0x210
[ 61.981773][ T4164] ? _raw_spin_lock_irq+0xdb/0x110
[ 61.986872][ T4164] ? mutex_lock_io_nested+0x60/0x60
[ 61.992057][ T4164] usb_disable_device+0x3b8/0x840
[ 61.997073][ T4164] usb_disconnect+0x33c/0x8c0
[ 62.001743][ T4164] hub_event+0x1d58/0x54c0
[ 62.006150][ T4164] ? mark_lock+0x98/0x340
[ 62.010473][ T4164] ? led_work+0x700/0x700
[ 62.014792][ T4164] ? read_lock_is_recursive+0x10/0x10
[ 62.020153][ T4164] ? lockdep_hardirqs_on_prepare+0x438/0x7a0
[ 62.026142][ T4164] ? down+0x10/0xc0
[ 62.029936][ T4164] ? _raw_spin_unlock_irqrestore+0xd9/0x130
[ 62.035815][ T4164] ? do_raw_spin_unlock+0x137/0x8b0
[ 62.041003][ T4164] process_one_work+0x8a1/0x10c0
[ 62.045932][ T4164] ? worker_detach_from_pool+0x260/0x260
[ 62.051553][ T4164] ? _raw_spin_lock_irqsave+0x120/0x120
[ 62.057087][ T4164] ? kthread_data+0x4e/0xc0
[ 62.061578][ T4164] ? wq_worker_running+0x97/0x170
[ 62.066588][ T4164] worker_thread+0xaca/0x1280
[ 62.071254][ T4164] ? _raw_spin_unlock_irqrestore+0xd9/0x130
[ 62.077145][ T4164] kthread+0x3f6/0x4f0
[ 62.081214][ T4164] ? rcu_lock_release+0x20/0x20
[ 62.086050][ T4164] ? kthread_blkcg+0xd0/0xd0
[ 62.090764][ T4164] ret_from_fork+0x1f/0x30
[ 62.095189][ T4164] </TASK>
[ 62.098485][ T4164] Kernel Offset: disabled
[ 62.102821][ T4164] Rebooting in 86400 seconds..