Warning: Permanently added '10.128.0.23' (ED25519) to the list of known hosts.
executing program
[ 60.229480][ T29] audit: type=1400 audit(1721917203.822:80): avc: denied { execmem } for pid=2645 comm="syz-executor413" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 60.261611][ T29] audit: type=1400 audit(1721917203.832:81): avc: denied { read write } for pid=2646 comm="syz-executor413" name="raw-gadget" dev="devtmpfs" ino=140 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 60.285449][ T29] audit: type=1400 audit(1721917203.832:82): avc: denied { open } for pid=2646 comm="syz-executor413" path="/dev/raw-gadget" dev="devtmpfs" ino=140 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 60.309161][ T29] audit: type=1400 audit(1721917203.832:83): avc: denied { ioctl } for pid=2646 comm="syz-executor413" path="/dev/raw-gadget" dev="devtmpfs" ino=140 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 60.499715][ T41] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 60.679584][ T41] usb 1-1: Using ep0 maxpacket: 8
[ 60.686639][ T41] usb 1-1: unable to get BOS descriptor or descriptor too short
[ 60.696078][ T41] usb 1-1: config 0 has an invalid interface number: 199 but max is 3
[ 60.704391][ T41] usb 1-1: config 0 has an invalid interface descriptor of length 2, skipping
[ 60.713315][ T41] usb 1-1: config 0 has an invalid interface number: 54 but max is 3
[ 60.721429][ T41] usb 1-1: config 0 contains an unexpected descriptor of type 0x2, skipping
[ 60.730136][ T41] usb 1-1: config 0 has an invalid interface number: 108 but max is 3
[ 60.738301][ T41] usb 1-1: config 0 contains an unexpected descriptor of type 0x1, skipping
[ 60.747083][ T41] usb 1-1: config 0 has no interface number 1
[ 60.753213][ T41] usb 1-1: config 0 has no interface number 2
[ 60.759291][ T41] usb 1-1: config 0 has no interface number 3
[ 60.765480][ T41] usb 1-1: config 0 interface 199 altsetting 14 endpoint 0xC has invalid wMaxPacketSize 0
[ 60.775536][ T41] usb 1-1: config 0 interface 199 altsetting 14 bulk endpoint 0x8 has invalid maxpacket 32
[ 60.785566][ T41] usb 1-1: config 0 interface 199 altsetting 14 endpoint 0x9 has invalid maxpacket 959, setting to 64
[ 60.796612][ T41] usb 1-1: config 0 interface 199 altsetting 14 has a duplicate endpoint with address 0xA, skipping
[ 60.807432][ T41] usb 1-1: config 0 interface 199 altsetting 14 has an invalid descriptor for endpoint zero, skipping
[ 60.818413][ T41] usb 1-1: config 0 interface 199 altsetting 14 has a duplicate endpoint with address 0x8, skipping
[ 60.829214][ T41] usb 1-1: config 0 interface 199 altsetting 14 has a duplicate endpoint with address 0x9, skipping
[ 60.840020][ T41] usb 1-1: config 0 interface 199 altsetting 14 has an invalid descriptor for endpoint zero, skipping
[ 60.850997][ T41] usb 1-1: config 0 interface 199 altsetting 14 endpoint 0xE has invalid maxpacket 443, setting to 64
[ 60.861993][ T41] usb 1-1: config 0 interface 199 altsetting 14 has a duplicate endpoint with address 0x8, skipping
[ 60.872794][ T41] usb 1-1: config 0 interface 199 altsetting 14 has an invalid descriptor for endpoint zero, skipping
[ 60.883767][ T41] usb 1-1: config 0 interface 199 altsetting 14 has 13 endpoint descriptors, different from the interface descriptor's value: 15
[ 60.897119][ T41] usb 1-1: config 0 interface 0 altsetting 1 has a duplicate endpoint with address 0x3, skipping
[ 60.907684][ T41] usb 1-1: config 0 interface 0 altsetting 1 has a duplicate endpoint with address 0x8, skipping
[ 60.918232][ T41] usb 1-1: config 0 interface 0 altsetting 1 has a duplicate endpoint with address 0xE, skipping
[ 60.928775][ T41] usb 1-1: config 0 interface 0 altsetting 1 has a duplicate endpoint with address 0x7, skipping
[ 60.939312][ T41] usb 1-1: config 0 interface 0 altsetting 1 has a duplicate endpoint with address 0xD, skipping
[ 60.949852][ T41] usb 1-1: config 0 interface 0 altsetting 1 has an invalid endpoint descriptor of length 2, skipping
[ 60.960827][ T41] usb 1-1: config 0 interface 0 altsetting 1 endpoint 0xF has invalid maxpacket 1024, setting to 64
[ 60.971634][ T41] usb 1-1: config 0 interface 0 altsetting 1 has 12 endpoint descriptors, different from the interface descriptor's value: 11
[ 60.984721][ T41] usb 1-1: config 0 interface 54 altsetting 10 has an invalid descriptor for endpoint zero, skipping
[ 60.995607][ T41] usb 1-1: config 0 interface 54 altsetting 10 has a duplicate endpoint with address 0xF, skipping
[ 61.006314][ T41] usb 1-1: config 0 interface 54 altsetting 10 has a duplicate endpoint with address 0xC, skipping
[ 61.017035][ T41] usb 1-1: config 0 interface 54 altsetting 10 has an invalid descriptor for endpoint zero, skipping
[ 61.027923][ T41] usb 1-1: config 0 interface 54 altsetting 10 has a duplicate endpoint with address 0xF, skipping
[ 61.038699][ T41] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0x1, skipping
[ 61.049559][ T41] usb 1-1: config 0 interface 108 altsetting 8 has an invalid descriptor for endpoint zero, skipping
[ 61.060465][ T41] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0x9, skipping
[ 61.071178][ T41] usb 1-1: config 0 interface 108 altsetting 8 has an endpoint descriptor with address 0x1A, changing to 0xA
[ 61.082770][ T41] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0xA, skipping
[ 61.093480][ T41] usb 1-1: config 0 interface 108 altsetting 8 has an invalid descriptor for endpoint zero, skipping
[ 61.104371][ T41] usb 1-1: config 0 interface 108 altsetting 8 endpoint 0x5 has an invalid bInterval 118, changing to 7
[ 61.115580][ T41] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0x5, skipping
[ 61.126588][ T41] usb 1-1: config 0 interface 108 altsetting 8 has an invalid descriptor for endpoint zero, skipping
[ 61.137489][ T41] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0x8, skipping
[ 61.148234][ T41] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0xE, skipping
[ 61.158963][ T41] usb 1-1: config 0 interface 199 has no altsetting 0
[ 61.165763][ T41] usb 1-1: config 0 interface 0 has no altsetting 0
[ 61.172397][ T41] usb 1-1: config 0 interface 54 has no altsetting 0
[ 61.179079][ T41] usb 1-1: config 0 interface 108 has no altsetting 0
[ 61.188576][ T41] usb 1-1: string descriptor 0 read error: -22
[ 61.194976][ T41] usb 1-1: New USB device found, idVendor=0424, idProduct=c001, bcdDevice=1c.8f
[ 61.204043][ T41] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 61.216382][ T41] usb 1-1: config 0 descriptor??
[ 61.223246][ T2646] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22
executing program
[ 61.433627][ T9] usb 1-1: USB disconnect, device number 2
[ 61.459280][ T9] ==================================================================
[ 61.467365][ T9] BUG: KASAN: slab-use-after-free in hdm_disconnect+0x227/0x250
[ 61.475005][ T9] Read of size 8 at addr ffff888113749898 by task kworker/0:1/9
[ 61.482615][ T9]
[ 61.484931][ T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.10.0-syzkaller-g933069701c1b #0
[ 61.494557][ T9] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 61.504608][ T9] Workqueue: usb_hub_wq hub_event
[ 61.509641][ T9] Call Trace:
[ 61.512908][ T9] <TASK>
[ 61.515820][ T9] dump_stack_lvl+0x116/0x1f0
[ 61.520500][ T9] print_report+0xc3/0x620
[ 61.524906][ T9] ? __virt_addr_valid+0x5e/0x590
[ 61.529912][ T9] ? __phys_addr+0xc6/0x150
[ 61.534394][ T9] kasan_report+0xd9/0x110
[ 61.538797][ T9] ? hdm_disconnect+0x227/0x250
[ 61.543637][ T9] ? hdm_disconnect+0x227/0x250
[ 61.548474][ T9] hdm_disconnect+0x227/0x250
[ 61.553138][ T9] usb_unbind_interface+0x1e8/0x970
[ 61.558320][ T9] ? kernfs_find_ns+0x2ee/0x3f0
[ 61.563163][ T9] ? __pfx_usb_unbind_interface+0x10/0x10
[ 61.568863][ T9] device_remove+0x122/0x170
[ 61.573440][ T9] device_release_driver_internal+0x44a/0x610
[ 61.579500][ T9] bus_remove_device+0x22f/0x420
[ 61.584438][ T9] device_del+0x396/0x9f0
[ 61.588751][ T9] ? __pfx_device_del+0x10/0x10
[ 61.593594][ T9] ? kobject_put+0x226/0x5b0
[ 61.598174][ T9] usb_disable_device+0x36c/0x7f0
[ 61.603191][ T9] usb_disconnect+0x2e1/0x920
[ 61.607857][ T9] hub_event+0x1be4/0x4f50
[ 61.612265][ T9] ? __pfx_hub_event+0x10/0x10
[ 61.617013][ T9] ? __pfx_lock_acquire+0x10/0x10
[ 61.622025][ T9] ? __pfx_lock_release+0x10/0x10
[ 61.627039][ T9] process_one_work+0x9c5/0x1b40
[ 61.631968][ T9] ? __pfx_lock_acquire+0x10/0x10
[ 61.636975][ T9] ? __pfx_process_one_work+0x10/0x10
[ 61.642331][ T9] ? assign_work+0x1a0/0x250
[ 61.646903][ T9] worker_thread+0x6c8/0xf20
[ 61.651478][ T9] ? __kthread_parkme+0x148/0x220
[ 61.656490][ T9] ? __pfx_worker_thread+0x10/0x10
[ 61.661587][ T9] kthread+0x2c1/0x3a0
[ 61.665643][ T9] ? _raw_spin_unlock_irq+0x23/0x50
[ 61.670833][ T9] ? __pfx_kthread+0x10/0x10
[ 61.675425][ T9] ret_from_fork+0x45/0x80
[ 61.679830][ T9] ? __pfx_kthread+0x10/0x10
[ 61.684419][ T9] ret_from_fork_asm+0x1a/0x30
[ 61.689179][ T9] </TASK>
[ 61.692179][ T9]
[ 61.694483][ T9] Allocated by task 41:
[ 61.698612][ T9] kasan_save_stack+0x33/0x60
[ 61.703271][ T9] kasan_save_track+0x14/0x30
[ 61.707927][ T9] __kasan_kmalloc+0x8f/0xa0
[ 61.712496][ T9] hdm_probe+0xb3/0x1880
[ 61.716724][ T9] usb_probe_interface+0x309/0x9d0
[ 61.721817][ T9] really_probe+0x23e/0xa90
[ 61.726306][ T9] __driver_probe_device+0x1de/0x440
[ 61.731573][ T9] driver_probe_device+0x4c/0x1b0
[ 61.736590][ T9] __device_attach_driver+0x1df/0x310
[ 61.741948][ T9] bus_for_each_drv+0x157/0x1e0
[ 61.746780][ T9] __device_attach+0x1e8/0x4b0
[ 61.751532][ T9] bus_probe_device+0x17f/0x1c0
[ 61.756365][ T9] device_add+0x114b/0x1a70
[ 61.760854][ T9] usb_set_configuration+0x10cb/0x1c50
[ 61.766304][ T9] usb_generic_driver_probe+0xb1/0x110
[ 61.771747][ T9] usb_probe_device+0xec/0x3e0
[ 61.776490][ T9] really_probe+0x23e/0xa90
[ 61.780979][ T9] __driver_probe_device+0x1de/0x440
[ 61.786248][ T9] driver_probe_device+0x4c/0x1b0
[ 61.791256][ T9] __device_attach_driver+0x1df/0x310
[ 61.796612][ T9] bus_for_each_drv+0x157/0x1e0
[ 61.801446][ T9] __device_attach+0x1e8/0x4b0
[ 61.806193][ T9] bus_probe_device+0x17f/0x1c0
[ 61.811025][ T9] device_add+0x114b/0x1a70
[ 61.815519][ T9] usb_new_device+0xd90/0x1a10
[ 61.820270][ T9] hub_event+0x2e66/0x4f50
[ 61.824666][ T9] process_one_work+0x9c5/0x1b40
[ 61.829588][ T9] worker_thread+0x6c8/0xf20
[ 61.834162][ T9] kthread+0x2c1/0x3a0
[ 61.838214][ T9] ret_from_fork+0x45/0x80
[ 61.842617][ T9] ret_from_fork_asm+0x1a/0x30
[ 61.847365][ T9]
[ 61.849669][ T9] Freed by task 9:
[ 61.853367][ T9] kasan_save_stack+0x33/0x60
[ 61.858025][ T9] kasan_save_track+0x14/0x30
[ 61.862682][ T9] kasan_save_free_info+0x3b/0x60
[ 61.867694][ T9] poison_slab_object+0xf7/0x160
[ 61.872612][ T9] __kasan_slab_free+0x14/0x30
[ 61.877354][ T9] kfree+0x10b/0x380
[ 61.881232][ T9] device_release+0xa1/0x240
[ 61.885801][ T9] kobject_put+0x1fa/0x5b0
[ 61.890204][ T9] device_unregister+0x2f/0xc0
[ 61.894951][ T9] hdm_disconnect+0x10b/0x250
[ 61.899621][ T9] usb_unbind_interface+0x1e8/0x970
[ 61.904804][ T9] device_remove+0x122/0x170
[ 61.909401][ T9] device_release_driver_internal+0x44a/0x610
[ 61.915455][ T9] bus_remove_device+0x22f/0x420
[ 61.920375][ T9] device_del+0x396/0x9f0
[ 61.924687][ T9] usb_disable_device+0x36c/0x7f0
[ 61.929699][ T9] usb_disconnect+0x2e1/0x920
[ 61.934361][ T9] hub_event+0x1be4/0x4f50
[ 61.938755][ T9] process_one_work+0x9c5/0x1b40
[ 61.943675][ T9] worker_thread+0x6c8/0xf20
[ 61.948248][ T9] kthread+0x2c1/0x3a0
[ 61.952302][ T9] ret_from_fork+0x45/0x80
[ 61.956707][ T9] ret_from_fork_asm+0x1a/0x30
[ 61.961457][ T9]
[ 61.963760][ T9] The buggy address belongs to the object at ffff888113748000
[ 61.963760][ T9] which belongs to the cache kmalloc-8k of size 8192
[ 61.977797][ T9] The buggy address is located 6296 bytes inside of
[ 61.977797][ T9] freed 8192-byte region [ffff888113748000, ffff88811374a000)
[ 61.991747][ T9]
[ 61.994053][ T9] The buggy address belongs to the physical page:
[ 62.000450][ T9] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113748
[ 62.009281][ T9] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 62.017756][ T9] flags: 0x200000000000040(head|node=0|zone=2)
[ 62.023900][ T9] page_type: 0xfdffffff(slab)
[ 62.028572][ T9] raw: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 62.037154][ T9] raw: 0000000000000000 0000000000020002 00000001fdffffff 0000000000000000
[ 62.045724][ T9] head: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 62.054379][ T9] head: 0000000000000000 0000000000020002 00000001fdffffff 0000000000000000
[ 62.063035][ T9] head: 0200000000000003 ffffea00044dd201 ffffffffffffffff 0000000000000000
[ 62.071691][ T9] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 62.080339][ T9] page dumped because: kasan: bad access detected
[ 62.086729][ T9] page_owner tracks the page as allocated
[ 62.092433][ T9] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 41, tgid 41 (kworker/1:1), ts 61234634554, free_ts 60210168103
[ 62.113343][ T9] post_alloc_hook+0x2d1/0x350
[ 62.118097][ T9] get_page_from_freelist+0x1311/0x25f0
[ 62.123628][ T9] __alloc_pages_noprof+0x21e/0x2290
[ 62.128900][ T9] alloc_slab_page+0x4e/0xf0
[ 62.133472][ T9] new_slab+0x84/0x260
[ 62.137527][ T9] ___slab_alloc+0xdac/0x1870
[ 62.142188][ T9] __slab_alloc.constprop.0+0x56/0xb0
[ 62.147544][ T9] __kmalloc_cache_noprof+0x27a/0x2c0
[ 62.152901][ T9] hdm_probe+0xb3/0x1880
[ 62.157130][ T9] usb_probe_interface+0x309/0x9d0
[ 62.162225][ T9] really_probe+0x23e/0xa90
[ 62.166712][ T9] __driver_probe_device+0x1de/0x440
[ 62.171980][ T9] driver_probe_device+0x4c/0x1b0
[ 62.176991][ T9] __device_attach_driver+0x1df/0x310
[ 62.182349][ T9] bus_for_each_drv+0x157/0x1e0
[ 62.187180][ T9] __device_attach+0x1e8/0x4b0
[ 62.191929][ T9] page last free pid 2645 tgid 2645 stack trace:
[ 62.198232][ T9] free_unref_page+0x698/0xce0
[ 62.202980][ T9] qlist_free_all+0x4e/0x140
[ 62.207557][ T9] kasan_quarantine_reduce+0x192/0x1e0
[ 62.213002][ T9] __kasan_slab_alloc+0x4e/0x70
[ 62.217834][ T9] kmem_cache_alloc_noprof+0x11c/0x2b0
[ 62.223276][ T9] getname_flags.part.0+0x4c/0x550
[ 62.228370][ T9] getname+0x8d/0xe0
[ 62.232248][ T9] do_sys_openat2+0x104/0x1e0
[ 62.236905][ T9] __x64_sys_openat+0x175/0x210
[ 62.241735][ T9] do_syscall_64+0xcd/0x250
[ 62.246224][ T9] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 62.252106][ T9]
[ 62.254408][ T9] Memory state around the buggy address:
[ 62.260025][ T9] ffff888113749780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.268117][ T9] ffff888113749800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.276164][ T9] >ffff888113749880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.284206][ T9] ^
[ 62.289032][ T9] ffff888113749900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.297341][ T9] ffff888113749980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.305382][ T9] ==================================================================
[ 62.313523][ T9] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 62.320731][ T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.10.0-syzkaller-g933069701c1b #0
[ 62.330378][ T9] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 62.340446][ T9] Workqueue: usb_hub_wq hub_event
[ 62.345463][ T9] Call Trace:
[ 62.348724][ T9] <TASK>
[ 62.351817][ T9] dump_stack_lvl+0x3d/0x1f0
[ 62.356414][ T9] panic+0x6f5/0x7a0
[ 62.360298][ T9] ? mark_held_locks+0x9f/0xe0
[ 62.365044][ T9] ? __pfx_panic+0x10/0x10
[ 62.369465][ T9] ? irqentry_exit+0x3b/0x90
[ 62.374136][ T9] ? lockdep_hardirqs_on+0x7c/0x110
[ 62.379321][ T9] ? check_panic_on_warn+0x1f/0xb0
[ 62.384420][ T9] check_panic_on_warn+0xab/0xb0
[ 62.389345][ T9] end_report+0x117/0x180
[ 62.393666][ T9] kasan_report+0xe9/0x110
[ 62.398068][ T9] ? hdm_disconnect+0x227/0x250
[ 62.402993][ T9] ? hdm_disconnect+0x227/0x250
[ 62.407831][ T9] hdm_disconnect+0x227/0x250
[ 62.412496][ T9] usb_unbind_interface+0x1e8/0x970
[ 62.417687][ T9] ? kernfs_find_ns+0x2ee/0x3f0
[ 62.422529][ T9] ? __pfx_usb_unbind_interface+0x10/0x10
[ 62.428232][ T9] device_remove+0x122/0x170
[ 62.432811][ T9] device_release_driver_internal+0x44a/0x610
[ 62.438866][ T9] bus_remove_device+0x22f/0x420
[ 62.443789][ T9] device_del+0x396/0x9f0
[ 62.448102][ T9] ? __pfx_device_del+0x10/0x10
[ 62.452939][ T9] ? kobject_put+0x226/0x5b0
[ 62.457515][ T9] usb_disable_device+0x36c/0x7f0
[ 62.462536][ T9] usb_disconnect+0x2e1/0x920
[ 62.467291][ T9] hub_event+0x1be4/0x4f50
[ 62.471692][ T9] ? __pfx_hub_event+0x10/0x10
[ 62.476438][ T9] ? __pfx_lock_acquire+0x10/0x10
[ 62.481490][ T9] ? __pfx_lock_release+0x10/0x10
[ 62.486506][ T9] process_one_work+0x9c5/0x1b40
[ 62.491465][ T9] ? __pfx_lock_acquire+0x10/0x10
[ 62.496479][ T9] ? __pfx_process_one_work+0x10/0x10
[ 62.501839][ T9] ? assign_work+0x1a0/0x250
[ 62.506585][ T9] worker_thread+0x6c8/0xf20
[ 62.511192][ T9] ? __kthread_parkme+0x148/0x220
[ 62.516240][ T9] ? __pfx_worker_thread+0x10/0x10
[ 62.521353][ T9] kthread+0x2c1/0x3a0
[ 62.525428][ T9] ? _raw_spin_unlock_irq+0x23/0x50
[ 62.530615][ T9] ? __pfx_kthread+0x10/0x10
[ 62.535196][ T9] ret_from_fork+0x45/0x80
[ 62.539605][ T9] ? __pfx_kthread+0x10/0x10
[ 62.544188][ T9] ret_from_fork_asm+0x1a/0x30
[ 62.548941][ T9] </TASK>
[ 62.552168][ T9] Kernel Offset: disabled
[ 62.556487][ T9] Rebooting in 86400 seconds..