Warning: Permanently added '10.128.1.174' (ED25519) to the list of known hosts.
executing program
[ 44.079378][ T29] audit: type=1400 audit(1721929519.809:80): avc: denied { execmem } for pid=2643 comm="syz-executor273" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 44.113291][ T29] audit: type=1400 audit(1721929519.809:81): avc: denied { read write } for pid=2644 comm="syz-executor273" name="raw-gadget" dev="devtmpfs" ino=140 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 44.137117][ T29] audit: type=1400 audit(1721929519.809:82): avc: denied { open } for pid=2644 comm="syz-executor273" path="/dev/raw-gadget" dev="devtmpfs" ino=140 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 44.161259][ T29] audit: type=1400 audit(1721929519.809:83): avc: denied { ioctl } for pid=2644 comm="syz-executor273" path="/dev/raw-gadget" dev="devtmpfs" ino=140 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 44.357684][ T41] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 44.537538][ T41] usb 1-1: Using ep0 maxpacket: 16
[ 44.544790][ T41] usb 1-1: unable to get BOS descriptor or descriptor too short
[ 44.554103][ T41] usb 1-1: config 15 has an invalid interface number: 79 but max is 1
[ 44.562439][ T41] usb 1-1: config 15 contains an unexpected descriptor of type 0x1, skipping
[ 44.571263][ T41] usb 1-1: config 15 has 1 interface, different from the descriptor's value: 2
[ 44.580248][ T41] usb 1-1: config 15 has no interface number 0
[ 44.586436][ T41] usb 1-1: config 15 interface 79 altsetting 9 endpoint 0x1 has invalid maxpacket 9228, setting to 1024
[ 44.597590][ T41] usb 1-1: config 15 interface 79 has no altsetting 0
[ 44.607070][ T41] usb 1-1: string descriptor 0 read error: -22
[ 44.613472][ T41] usb 1-1: New USB device found, idVendor=0bda, idProduct=d82b, bcdDevice=7f.9d
[ 44.622542][ T41] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 44.634471][ T2644] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22
[ 44.646399][ T41] rtw_8822cu 1-1:15.79: invalid number of endpoints 0
[ 44.653606][ T41] rtw_8822cu 1-1:15.79: failed to init USB interface
[ 44.681465][ T24] rtw_8822cu 1-1:15.79: Direct firmware load for rtw88/rtw8822c_wow_fw.bin failed with error -2
[ 44.692053][ T24] rtw_8822cu 1-1:15.79: failed to request firmware
[ 44.699019][ T748] rtw_8822cu 1-1:15.79: Direct firmware load for rtw88/rtw8822c_fw.bin failed with error -2
[ 44.709222][ T748] rtw_8822cu 1-1:15.79: failed to request firmware
[ 44.719301][ T41] rtw_8822cu 1-1:15.79: probe with driver rtw_8822cu failed with error -22
executing program
[ 49.088775][ T41] usb 1-1: USB disconnect, device number 2
[ 49.457804][ T41] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 49.637515][ T41] usb 1-1: Using ep0 maxpacket: 16
[ 49.644487][ T41] usb 1-1: unable to get BOS descriptor or descriptor too short
[ 49.653280][ T41] usb 1-1: config 15 has an invalid interface number: 79 but max is 1
[ 49.661506][ T41] usb 1-1: config 15 contains an unexpected descriptor of type 0x1, skipping
[ 49.670320][ T41] usb 1-1: config 15 has 1 interface, different from the descriptor's value: 2
[ 49.679301][ T41] usb 1-1: config 15 has no interface number 0
[ 49.685472][ T41] usb 1-1: config 15 interface 79 altsetting 9 endpoint 0x1 has invalid maxpacket 9228, setting to 1024
[ 49.696708][ T41] usb 1-1: config 15 interface 79 has no altsetting 0
[ 49.705855][ T41] usb 1-1: string descriptor 0 read error: -22
[ 49.712199][ T41] usb 1-1: New USB device found, idVendor=0bda, idProduct=d82b, bcdDevice=7f.9d
[ 49.721269][ T41] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 49.731940][ T2651] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22
[ 49.742087][ T748] rtw_8822cu 1-1:15.79: Direct firmware load for rtw88/rtw8822c_fw.bin failed with error -2
[ 49.752634][ T41] rtw_8822cu 1-1:15.79: invalid number of endpoints 0
[ 49.759555][ T41] rtw_8822cu 1-1:15.79: failed to init USB interface
[ 49.766631][ T24] rtw_8822cu 1-1:15.79: Direct firmware load for rtw88/rtw8822c_wow_fw.bin failed with error -2
[ 49.777166][ T748] rtw_8822cu 1-1:15.79: failed to request firmware
[ 49.783780][ T24] rtw_8822cu 1-1:15.79: failed to request firmware
[ 49.791177][ T41] rtw_8822cu 1-1:15.79: probe with driver rtw_8822cu failed with error -22
executing program
[ 54.101086][ T9] usb 1-1: USB disconnect, device number 3
[ 54.457529][ T9] usb 1-1: new high-speed USB device number 4 using dummy_hcd
[ 54.637539][ T9] usb 1-1: Using ep0 maxpacket: 16
[ 54.644742][ T9] usb 1-1: unable to get BOS descriptor or descriptor too short
[ 54.653699][ T9] usb 1-1: config 15 has an invalid interface number: 79 but max is 1
[ 54.662040][ T9] usb 1-1: config 15 contains an unexpected descriptor of type 0x1, skipping
[ 54.670883][ T9] usb 1-1: config 15 has 1 interface, different from the descriptor's value: 2
[ 54.679872][ T9] usb 1-1: config 15 has no interface number 0
[ 54.686085][ T9] usb 1-1: config 15 interface 79 altsetting 9 endpoint 0x1 has invalid maxpacket 9228, setting to 1024
[ 54.697258][ T9] usb 1-1: config 15 interface 79 has no altsetting 0
[ 54.706689][ T9] usb 1-1: string descriptor 0 read error: -22
[ 54.713022][ T9] usb 1-1: New USB device found, idVendor=0bda, idProduct=d82b, bcdDevice=7f.9d
[ 54.722100][ T9] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 54.732732][ T2657] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22
[ 54.743050][ T2656] rtw_8822cu 1-1:15.79: Direct firmware load for rtw88/rtw8822c_fw.bin failed with error -2
[ 54.753264][ T9] rtw_8822cu 1-1:15.79: invalid number of endpoints 0
[ 54.760088][ T9] rtw_8822cu 1-1:15.79: failed to init USB interface
[ 54.766876][ T2656] rtw_8822cu 1-1:15.79: failed to request firmware
[ 54.774366][ T9] rtw_8822cu 1-1:15.79: probe with driver rtw_8822cu failed with error -22
[ 54.783659][ T8] rtw_8822cu 1-1:15.79: Direct firmware load for rtw88/rtw8822c_wow_fw.bin failed with error -2
[ 54.797458][ T8] ==================================================================
[ 54.805522][ T8] BUG: KASAN: use-after-free in rtw_load_firmware_cb+0x917/0x9f0
[ 54.813265][ T8] Read of size 8 at addr ffff888113598bc0 by task kworker/0:0/8
[ 54.820880][ T8]
[ 54.823198][ T8] CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.10.0-syzkaller-g933069701c1b #0
[ 54.833414][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 54.843457][ T8] Workqueue: events request_firmware_work_func
[ 54.849609][ T8] Call Trace:
[ 54.852919][ T8]
[ 54.855858][ T8] dump_stack_lvl+0x116/0x1f0
[ 54.860557][ T8] print_report+0xc3/0x620
[ 54.865126][ T8] ? __virt_addr_valid+0x5e/0x590
[ 54.870144][ T8] ? __phys_addr+0xc6/0x150
[ 54.874638][ T8] kasan_report+0xd9/0x110
[ 54.879055][ T8] ? rtw_load_firmware_cb+0x917/0x9f0
[ 54.884427][ T8] ? rtw_load_firmware_cb+0x917/0x9f0
[ 54.889805][ T8] ? __pfx_rtw_load_firmware_cb+0x10/0x10
[ 54.895519][ T8] rtw_load_firmware_cb+0x917/0x9f0
[ 54.900731][ T8] ? __pfx_rtw_load_firmware_cb+0x10/0x10
[ 54.906615][ T8] request_firmware_work_func+0x13a/0x250
[ 54.912337][ T8] ? __pfx_request_firmware_work_func+0x10/0x10
[ 54.918580][ T8] process_one_work+0x9c5/0x1b40
[ 54.923514][ T8] ? rcuwait_wake_up+0xdf/0x290
[ 54.928359][ T8] ? __pfx_process_one_work+0x10/0x10
[ 54.934421][ T8] ? assign_work+0x1a0/0x250
[ 54.939005][ T8] worker_thread+0x6c8/0xf20
[ 54.943598][ T8] ? __pfx_worker_thread+0x10/0x10
[ 54.948704][ T8] kthread+0x2c1/0x3a0
[ 54.952771][ T8] ? _raw_spin_unlock_irq+0x23/0x50
[ 54.957971][ T8] ? __pfx_kthread+0x10/0x10
[ 54.962557][ T8] ret_from_fork+0x45/0x80
[ 54.966983][ T8] ? __pfx_kthread+0x10/0x10
[ 54.971569][ T8] ret_from_fork_asm+0x1a/0x30
[ 54.976325][ T8]
[ 54.979336][ T8]
[ 54.981654][ T8] The buggy address belongs to the physical page:
[ 54.988063][ T8] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88811359d700 pfn:0x113598
[ 54.998380][ T8] flags: 0x200000000000000(node=0|zone=2)
[ 55.004107][ T8] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 55.012681][ T8] raw: ffff88811359d700 0000000000000000 00000000ffffffff 0000000000000000
[ 55.021246][ T8] page dumped because: kasan: bad access detected
[ 55.027642][ T8] page_owner tracks the page as freed
[ 55.033018][ T8] page last allocated via order 4, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 9, tgid 9 (kworker/0:1), ts 54741596219, free_ts 54774261673
[ 55.050282][ T8] post_alloc_hook+0x2d1/0x350
[ 55.055036][ T8] get_page_from_freelist+0x1311/0x25f0
[ 55.060571][ T8] __alloc_pages_noprof+0x21e/0x2290
[ 55.065844][ T8] ___kmalloc_large_node+0x7f/0x1a0
[ 55.071029][ T8] __kmalloc_large_node_noprof+0x1c/0x70
[ 55.076646][ T8] __kmalloc_noprof.cold+0xc/0x61
[ 55.081651][ T8] wiphy_new_nm+0x701/0x2120
[ 55.086230][ T8] ieee80211_alloc_hw_nm+0x1b7a/0x2260
[ 55.091679][ T8] rtw_usb_probe+0x32/0x1d80
[ 55.096253][ T8] usb_probe_interface+0x309/0x9d0
[ 55.101349][ T8] really_probe+0x23e/0xa90
[ 55.105838][ T8] __driver_probe_device+0x1de/0x440
[ 55.111113][ T8] driver_probe_device+0x4c/0x1b0
[ 55.116120][ T8] __device_attach_driver+0x1df/0x310
[ 55.121480][ T8] bus_for_each_drv+0x157/0x1e0
[ 55.126319][ T8] __device_attach+0x1e8/0x4b0
[ 55.131069][ T8] page last free pid 9 tgid 9 stack trace:
[ 55.136851][ T8] __free_pages_ok+0x5c1/0xba0
[ 55.141608][ T8] __folio_put+0x1dc/0x260
[ 55.146010][ T8] device_release+0xa1/0x240
[ 55.150785][ T8] kobject_put+0x1fa/0x5b0
[ 55.155212][ T8] put_device+0x1f/0x30
[ 55.159356][ T8] rtw_usb_probe+0x7a4/0x1d80
[ 55.164020][ T8] usb_probe_interface+0x309/0x9d0
[ 55.169120][ T8] really_probe+0x23e/0xa90
[ 55.173622][ T8] __driver_probe_device+0x1de/0x440
[ 55.178915][ T8] driver_probe_device+0x4c/0x1b0
[ 55.183928][ T8] __device_attach_driver+0x1df/0x310
[ 55.189313][ T8] bus_for_each_drv+0x157/0x1e0
[ 55.194238][ T8] __device_attach+0x1e8/0x4b0
[ 55.198996][ T8] bus_probe_device+0x17f/0x1c0
[ 55.203880][ T8] device_add+0x114b/0x1a70
[ 55.208481][ T8] usb_set_configuration+0x10cb/0x1c50
[ 55.213945][ T8]
[ 55.216255][ T8] Memory state around the buggy address:
[ 55.221918][ T8] ffff888113598a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 55.230139][ T8] ffff888113598b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 55.238184][ T8] >ffff888113598b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 55.246328][ T8] ^
[ 55.252550][ T8] ffff888113598c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 55.260593][ T8] ffff888113598c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 55.268639][ T8] ==================================================================
[ 55.276751][ T8] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 55.283950][ T8] CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.10.0-syzkaller-g933069701c1b #0
[ 55.293677][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 55.303722][ T8] Workqueue: events request_firmware_work_func
[ 55.309873][ T8] Call Trace:
[ 55.313138][ T8]
[ 55.316057][ T8] dump_stack_lvl+0x3d/0x1f0
[ 55.320640][ T8] panic+0x6f5/0x7a0
[ 55.324522][ T8] ? __pfx_panic+0x10/0x10
[ 55.328925][ T8] ? check_panic_on_warn+0x1f/0xb0
[ 55.334027][ T8] check_panic_on_warn+0xab/0xb0
[ 55.338952][ T8] end_report+0x117/0x180
[ 55.343273][ T8] kasan_report+0xe9/0x110
[ 55.347674][ T8] ? rtw_load_firmware_cb+0x917/0x9f0
[ 55.353030][ T8] ? rtw_load_firmware_cb+0x917/0x9f0
[ 55.358386][ T8] ? __pfx_rtw_load_firmware_cb+0x10/0x10
[ 55.364094][ T8] rtw_load_firmware_cb+0x917/0x9f0
[ 55.369280][ T8] ? __pfx_rtw_load_firmware_cb+0x10/0x10
[ 55.374984][ T8] request_firmware_work_func+0x13a/0x250
[ 55.380690][ T8] ? __pfx_request_firmware_work_func+0x10/0x10
[ 55.386921][ T8] process_one_work+0x9c5/0x1b40
[ 55.391850][ T8] ? rcuwait_wake_up+0xdf/0x290
[ 55.396685][ T8] ? __pfx_process_one_work+0x10/0x10
[ 55.402308][ T8] ? assign_work+0x1a0/0x250
[ 55.406879][ T8] worker_thread+0x6c8/0xf20
[ 55.411457][ T8] ? __pfx_worker_thread+0x10/0x10
[ 55.416552][ T8] kthread+0x2c1/0x3a0
[ 55.420610][ T8] ? _raw_spin_unlock_irq+0x23/0x50
[ 55.425792][ T8] ? __pfx_kthread+0x10/0x10
[ 55.430371][ T8] ret_from_fork+0x45/0x80
[ 55.434852][ T8] ? __pfx_kthread+0x10/0x10
[ 55.439440][ T8] ret_from_fork_asm+0x1a/0x30
[ 55.444200][ T8]
[ 55.447439][ T8] Kernel Offset: disabled
[ 55.451747][ T8] Rebooting in 86400 seconds..