Warning: Permanently added '10.128.10.4' (ED25519) to the list of known hosts.
executing program
[ 57.408933][ T29] audit: type=1400 audit(1749949419.349:61): avc: denied { execmem } for pid=2953 comm="syz-executor248" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 57.432851][ T29] audit: type=1400 audit(1749949419.359:62): avc: denied { read write } for pid=2954 comm="syz-executor248" name="raw-gadget" dev="devtmpfs" ino=236 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 57.458612][ T29] audit: type=1400 audit(1749949419.359:63): avc: denied { open } for pid=2954 comm="syz-executor248" path="/dev/raw-gadget" dev="devtmpfs" ino=236 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 57.485027][ T29] audit: type=1400 audit(1749949419.359:64): avc: denied { ioctl } for pid=2954 comm="syz-executor248" path="/dev/raw-gadget" dev="devtmpfs" ino=236 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 57.673456][ T38] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 57.833326][ T38] usb 1-1: Using ep0 maxpacket: 8
[ 57.842046][ T38] usb 1-1: config 0 has an invalid interface number: 111 but max is 0
[ 57.851330][ T38] usb 1-1: config 0 has no interface number 0
[ 57.857832][ T38] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=b7.8b
[ 57.867308][ T38] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 57.880368][ T38] usb 1-1: config 0 descriptor??
[ 58.093641][ T38] usb 1-1: USB disconnect, device number 2
[ 58.103749][ T38] ==================================================================
[ 58.112723][ T38] BUG: KASAN: slab-use-after-free in hdm_disconnect+0x227/0x250
[ 58.121372][ T38] Read of size 8 at addr ffff8881263a1890 by task kworker/1:1/38
[ 58.130040][ T38]
[ 58.132985][ T38] CPU: 1 UID: 0 PID: 38 Comm: kworker/1:1 Not tainted 6.16.0-rc1-syzkaller #0 PREEMPT(voluntary)
[ 58.133021][ T38] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 58.133041][ T38] Workqueue: usb_hub_wq hub_event
[ 58.133080][ T38] Call Trace:
[ 58.133093][ T38] <TASK>
[ 58.133104][ T38] dump_stack_lvl+0x116/0x1f0
[ 58.133159][ T38] print_report+0xcd/0x680
[ 58.133191][ T38] ? __virt_addr_valid+0x81/0x610
[ 58.133228][ T38] ? __phys_addr+0xe8/0x180
[ 58.133264][ T38] ? hdm_disconnect+0x227/0x250
[ 58.133291][ T38] kasan_report+0xe0/0x110
[ 58.133325][ T38] ? hdm_disconnect+0x227/0x250
[ 58.133356][ T38] hdm_disconnect+0x227/0x250
[ 58.133384][ T38] usb_unbind_interface+0x1dd/0x9a0
[ 58.133418][ T38] ? kernfs_remove_by_name_ns+0xbe/0x110
[ 58.133461][ T38] ? __pfx_usb_unbind_interface+0x10/0x10
[ 58.133494][ T38] device_remove+0x122/0x170
[ 58.133524][ T38] device_release_driver_internal+0x44b/0x620
[ 58.133565][ T38] bus_remove_device+0x22f/0x420
[ 58.133595][ T38] device_del+0x396/0x9f0
[ 58.133627][ T38] ? __pfx_device_del+0x10/0x10
[ 58.133657][ T38] ? __pfx___mutex_lock+0x10/0x10
[ 58.133696][ T38] ? __pfx___pm_runtime_barrier+0x10/0x10
[ 58.133730][ T38] ? do_raw_spin_lock+0x12c/0x2b0
[ 58.133766][ T38] usb_disable_device+0x355/0x7d0
[ 58.133816][ T38] usb_disconnect+0x2e1/0x920
[ 58.133866][ T38] hub_event+0x1aa0/0x5030
[ 58.133904][ T38] ? __lock_acquire+0xb8a/0x1c90
[ 58.133932][ T38] ? __pfx_hub_event+0x10/0x10
[ 58.133956][ T38] ? debug_stats_show+0xf0/0x270
[ 58.133990][ T38] ? rcu_is_watching+0x12/0xc0
[ 58.134030][ T38] process_one_work+0x9cf/0x1b70
[ 58.134080][ T38] ? __pfx_process_one_work+0x10/0x10
[ 58.134120][ T38] ? assign_work+0x1a0/0x250
[ 58.134151][ T38] worker_thread+0x6c8/0xf10
[ 58.134190][ T38] ? __kthread_parkme+0x19e/0x250
[ 58.134235][ T38] ? __pfx_worker_thread+0x10/0x10
[ 58.134270][ T38] kthread+0x3c5/0x780
[ 58.134299][ T38] ? __pfx_kthread+0x10/0x10
[ 58.134332][ T38] ? rcu_is_watching+0x12/0xc0
[ 58.134369][ T38] ? __pfx_kthread+0x10/0x10
[ 58.134399][ T38] ret_from_fork+0x5b3/0x6c0
[ 58.134444][ T38] ? __pfx_kthread+0x10/0x10
[ 58.134492][ T38] ret_from_fork_asm+0x1a/0x30
[ 58.134538][ T38] </TASK>
[ 58.134547][ T38]
[ 58.387234][ T38] Allocated by task 38:
[ 58.391512][ T38] kasan_save_stack+0x33/0x60
[ 58.396864][ T38] kasan_save_track+0x14/0x30
[ 58.402026][ T38] __kasan_kmalloc+0x8f/0xa0
[ 58.407501][ T38] hdm_probe+0xb3/0x19a0
[ 58.411888][ T38] usb_probe_interface+0x300/0x9c0
[ 58.417494][ T38] really_probe+0x241/0xa90
[ 58.422268][ T38] __driver_probe_device+0x1de/0x440
[ 58.428599][ T38] driver_probe_device+0x4c/0x1b0
[ 58.433686][ T38] __device_attach_driver+0x1df/0x310
[ 58.439378][ T38] bus_for_each_drv+0x159/0x1e0
[ 58.445004][ T38] __device_attach+0x1e4/0x4b0
[ 58.450221][ T38] bus_probe_device+0x17f/0x1c0
[ 58.455374][ T38] device_add+0x1148/0x1a70
[ 58.460032][ T38] usb_set_configuration+0x1187/0x1e20
[ 58.466503][ T38] usb_generic_driver_probe+0xb1/0x110
[ 58.472581][ T38] usb_probe_device+0xec/0x3e0
[ 58.477926][ T38] really_probe+0x241/0xa90
[ 58.482493][ T38] __driver_probe_device+0x1de/0x440
[ 58.488522][ T38] driver_probe_device+0x4c/0x1b0
[ 58.493867][ T38] __device_attach_driver+0x1df/0x310
[ 58.499382][ T38] bus_for_each_drv+0x159/0x1e0
[ 58.504396][ T38] __device_attach+0x1e4/0x4b0
[ 58.509527][ T38] bus_probe_device+0x17f/0x1c0
[ 58.514798][ T38] device_add+0x1148/0x1a70
[ 58.519529][ T38] usb_new_device+0xd07/0x1a20
[ 58.524515][ T38] hub_event+0x2f85/0x5030
[ 58.529079][ T38] process_one_work+0x9cf/0x1b70
[ 58.534162][ T38] worker_thread+0x6c8/0xf10
[ 58.538887][ T38] kthread+0x3c5/0x780
[ 58.543008][ T38] ret_from_fork+0x5b3/0x6c0
[ 58.547671][ T38] ret_from_fork_asm+0x1a/0x30
[ 58.552518][ T38]
[ 58.554887][ T38] Freed by task 38:
[ 58.558740][ T38] kasan_save_stack+0x33/0x60
[ 58.563561][ T38] kasan_save_track+0x14/0x30
[ 58.568387][ T38] kasan_save_free_info+0x3b/0x60
[ 58.573647][ T38] __kasan_slab_free+0x37/0x50
[ 58.578839][ T38] kfree+0x283/0x470
[ 58.582862][ T38] device_release+0xa4/0x240
[ 58.587961][ T38] kobject_put+0x1e7/0x5a0
[ 58.592603][ T38] device_unregister+0x2f/0xc0
[ 58.597884][ T38] hdm_disconnect+0x10b/0x250
[ 58.602958][ T38] usb_unbind_interface+0x1dd/0x9a0
[ 58.608200][ T38] device_remove+0x122/0x170
[ 58.613002][ T38] device_release_driver_internal+0x44b/0x620
[ 58.619542][ T38] bus_remove_device+0x22f/0x420
[ 58.624609][ T38] device_del+0x396/0x9f0
[ 58.629074][ T38] usb_disable_device+0x355/0x7d0
[ 58.634158][ T38] usb_disconnect+0x2e1/0x920
[ 58.639186][ T38] hub_event+0x1aa0/0x5030
[ 58.644117][ T38] process_one_work+0x9cf/0x1b70
[ 58.651949][ T38] worker_thread+0x6c8/0xf10
[ 58.658344][ T38] kthread+0x3c5/0x780
[ 58.663226][ T38] ret_from_fork+0x5b3/0x6c0
[ 58.669301][ T38] ret_from_fork_asm+0x1a/0x30
[ 58.675004][ T38]
[ 58.677391][ T38] The buggy address belongs to the object at ffff8881263a0000
[ 58.677391][ T38] which belongs to the cache kmalloc-8k of size 8192
[ 58.692284][ T38] The buggy address is located 6288 bytes inside of
[ 58.692284][ T38] freed 8192-byte region [ffff8881263a0000, ffff8881263a2000)
[ 58.707353][ T38]
[ 58.709907][ T38] The buggy address belongs to the physical page:
[ 58.717016][ T38] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1263a0
[ 58.726051][ T38] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 58.735545][ T38] flags: 0x200000000000040(head|node=0|zone=2)
[ 58.742222][ T38] page_type: f5(slab)
[ 58.746250][ T38] raw: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 58.755162][ T38] raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
[ 58.763999][ T38] head: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 58.772727][ T38] head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
[ 58.781630][ T38] head: 0200000000000003 ffffea000498e801 00000000ffffffff 00000000ffffffff
[ 58.790446][ T38] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
[ 58.800306][ T38] page dumped because: kasan: bad access detected
[ 58.807208][ T38] page_owner tracks the page as allocated
[ 58.813173][ T38] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 38, tgid 38 (kworker/1:1), ts 57892365010, free_ts 47432362141
[ 58.834777][ T38] post_alloc_hook+0x1c0/0x230
[ 58.839870][ T38] get_page_from_freelist+0xf98/0x2ce0
[ 58.845574][ T38] __alloc_frozen_pages_noprof+0x259/0x21e0
[ 58.851534][ T38] alloc_pages_mpol+0xe4/0x410
[ 58.856347][ T38] new_slab+0x23b/0x330
[ 58.860716][ T38] ___slab_alloc+0xda5/0x1940
[ 58.865479][ T38] __slab_alloc.constprop.0+0x56/0xb0
[ 58.870910][ T38] __kmalloc_cache_noprof+0x209/0x3c0
[ 58.876347][ T38] hdm_probe+0xb3/0x19a0
[ 58.880966][ T38] usb_probe_interface+0x300/0x9c0
[ 58.886156][ T38] really_probe+0x241/0xa90
[ 58.890810][ T38] __driver_probe_device+0x1de/0x440
[ 58.896193][ T38] driver_probe_device+0x4c/0x1b0
[ 58.901349][ T38] __device_attach_driver+0x1df/0x310
[ 58.906898][ T38] bus_for_each_drv+0x159/0x1e0
[ 58.911906][ T38] __device_attach+0x1e4/0x4b0
[ 58.916719][ T38] page last free pid 2938 tgid 2938 stack trace:
[ 58.923171][ T38] __free_frozen_pages+0x78a/0x1040
[ 58.928656][ T38] __folio_put+0x1e7/0x2d0
[ 58.933559][ T38] anon_pipe_buf_release+0x3ed/0x500
[ 58.939164][ T38] anon_pipe_read+0x4d8/0xdc0
[ 58.944132][ T38] vfs_read+0xa98/0xc60
[ 58.948376][ T38] ksys_read+0x1f8/0x250
[ 58.952734][ T38] do_syscall_64+0xcd/0x4b0
[ 58.957293][ T38] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 58.963835][ T38]
[ 58.966313][ T38] Memory state around the buggy address:
[ 58.972215][ T38] ffff8881263a1780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.980529][ T38] ffff8881263a1800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.988756][ T38] >ffff8881263a1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
[ 58.997393][ T38] ^
[ 59.002456][ T38] ffff8881263a1900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.013679][ T38] ffff8881263a1980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.022465][ T38] ==================================================================
[ 59.031728][ T38] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 59.040113][ T38] CPU: 1 UID: 0 PID: 38 Comm: kworker/1:1 Not tainted 6.16.0-rc1-syzkaller #0 PREEMPT(voluntary)
[ 59.053752][ T38] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 59.064775][ T38] Workqueue: usb_hub_wq hub_event
[ 59.070073][ T38] Call Trace:
[ 59.073941][ T38] <TASK>
[ 59.077030][ T38] dump_stack_lvl+0x3d/0x1f0
[ 59.083319][ T38] panic+0x71c/0x800
[ 59.087282][ T38] ? __pfx_panic+0x10/0x10
[ 59.092164][ T38] ? mark_held_locks+0x49/0x80
[ 59.097234][ T38] ? hdm_disconnect+0x227/0x250
[ 59.102153][ T38] ? check_panic_on_warn+0x1f/0xb0
[ 59.107575][ T38] ? hdm_disconnect+0x227/0x250
[ 59.112731][ T38] check_panic_on_warn+0xab/0xb0
[ 59.117707][ T38] end_report+0x107/0x170
[ 59.122335][ T38] kasan_report+0xee/0x110
[ 59.127100][ T38] ? hdm_disconnect+0x227/0x250
[ 59.132202][ T38] hdm_disconnect+0x227/0x250
[ 59.137147][ T38] usb_unbind_interface+0x1dd/0x9a0
[ 59.142667][ T38] ? kernfs_remove_by_name_ns+0xbe/0x110
[ 59.148451][ T38] ? __pfx_usb_unbind_interface+0x10/0x10
[ 59.154361][ T38] device_remove+0x122/0x170
[ 59.159636][ T38] device_release_driver_internal+0x44b/0x620
[ 59.165930][ T38] bus_remove_device+0x22f/0x420
[ 59.171027][ T38] device_del+0x396/0x9f0
[ 59.175409][ T38] ? __pfx_device_del+0x10/0x10
[ 59.180505][ T38] ? __pfx___mutex_lock+0x10/0x10
[ 59.185609][ T38] ? __pfx___pm_runtime_barrier+0x10/0x10
[ 59.191551][ T38] ? do_raw_spin_lock+0x12c/0x2b0
[ 59.196716][ T38] usb_disable_device+0x355/0x7d0
[ 59.201807][ T38] usb_disconnect+0x2e1/0x920
[ 59.206919][ T38] hub_event+0x1aa0/0x5030
[ 59.211641][ T38] ? __lock_acquire+0xb8a/0x1c90
[ 59.217346][ T38] ? __pfx_hub_event+0x10/0x10
[ 59.222787][ T38] ? debug_stats_show+0xf0/0x270
[ 59.228381][ T38] ? rcu_is_watching+0x12/0xc0
[ 59.233569][ T38] process_one_work+0x9cf/0x1b70
[ 59.239221][ T38] ? __pfx_process_one_work+0x10/0x10
[ 59.244814][ T38] ? assign_work+0x1a0/0x250
[ 59.249745][ T38] worker_thread+0x6c8/0xf10
[ 59.254873][ T38] ? __kthread_parkme+0x19e/0x250
[ 59.260136][ T38] ? __pfx_worker_thread+0x10/0x10
[ 59.265813][ T38] kthread+0x3c5/0x780
[ 59.270032][ T38] ? __pfx_kthread+0x10/0x10
[ 59.276831][ T38] ? rcu_is_watching+0x12/0xc0
[ 59.282914][ T38] ? __pfx_kthread+0x10/0x10
[ 59.287854][ T38] ret_from_fork+0x5b3/0x6c0
[ 59.292843][ T38] ? __pfx_kthread+0x10/0x10
[ 59.297485][ T38] ret_from_fork_asm+0x1a/0x30
[ 59.302573][ T38] </TASK>
[ 59.306096][ T38] Kernel Offset: disabled
[ 59.310451][ T38] Rebooting in 86400 seconds..