Warning: Permanently added '10.128.1.128' (ED25519) to the list of known hosts.
executing program
[ 49.942142][ T29] audit: type=1400 audit(1726943362.120:80): avc: denied { execmem } for pid=2647 comm="syz-executor122" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 49.962204][ T29] audit: type=1400 audit(1726943362.120:81): avc: denied { read write } for pid=2648 comm="syz-executor122" name="raw-gadget" dev="devtmpfs" ino=140 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 49.986087][ T29] audit: type=1400 audit(1726943362.120:82): avc: denied { open } for pid=2648 comm="syz-executor122" path="/dev/raw-gadget" dev="devtmpfs" ino=140 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 50.010029][ T29] audit: type=1400 audit(1726943362.120:83): avc: denied { ioctl } for pid=2648 comm="syz-executor122" path="/dev/raw-gadget" dev="devtmpfs" ino=140 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 50.230256][ T42] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 50.422625][ T42] usb 1-1: config 0 has an invalid interface number: 230 but max is 0
[ 50.431037][ T42] usb 1-1: config 0 has no interface number 0
[ 50.437174][ T42] usb 1-1: config 0 interface 230 altsetting 0 endpoint 0x4 has invalid maxpacket 1024, setting to 64
[ 50.448185][ T42] usb 1-1: config 0 interface 230 altsetting 0 endpoint 0xE has invalid maxpacket 512, setting to 64
[ 50.459134][ T42] usb 1-1: New USB device found, idVendor=0424, idProduct=c001, bcdDevice=7f.ee
[ 50.468223][ T42] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 50.489779][ T42] usb 1-1: config 0 descriptor??
executing program
[ 50.701355][ T42] usb 1-1: USB disconnect, device number 2
[ 50.715643][ T42] ==================================================================
[ 50.723767][ T42] BUG: KASAN: slab-use-after-free in hdm_disconnect+0x227/0x250
[ 50.731494][ T42] Read of size 8 at addr ffff888113819898 by task kworker/0:2/42
[ 50.739245][ T42]
[ 50.741588][ T42] CPU: 0 UID: 0 PID: 42 Comm: kworker/0:2 Not tainted 6.11.0-rc7-syzkaller-00152-g68d4209158f4 #0
[ 50.752188][ T42] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[ 50.762252][ T42] Workqueue: usb_hub_wq hub_event
[ 50.767346][ T42] Call Trace:
[ 50.770638][ T42]
[ 50.773580][ T42] dump_stack_lvl+0x116/0x1f0
[ 50.778316][ T42] print_report+0xc3/0x620
[ 50.782773][ T42] ? __virt_addr_valid+0x5e/0x590
[ 50.787893][ T42] ? __phys_addr+0xc6/0x150
[ 50.792411][ T42] kasan_report+0xd9/0x110
[ 50.796864][ T42] ? hdm_disconnect+0x227/0x250
[ 50.801758][ T42] ? hdm_disconnect+0x227/0x250
[ 50.806632][ T42] hdm_disconnect+0x227/0x250
[ 50.811340][ T42] usb_unbind_interface+0x1e8/0x970
[ 50.816562][ T42] ? kernfs_find_ns+0x2ee/0x3f0
[ 50.821527][ T42] ? __pfx_usb_unbind_interface+0x10/0x10
[ 50.827271][ T42] device_remove+0x122/0x170
[ 50.831886][ T42] device_release_driver_internal+0x44a/0x610
[ 50.837993][ T42] bus_remove_device+0x22f/0x420
[ 50.842949][ T42] device_del+0x396/0x9f0
[ 50.847302][ T42] ? __pfx_device_del+0x10/0x10
[ 50.852172][ T42] ? kobject_put+0x210/0x5a0
[ 50.856783][ T42] usb_disable_device+0x36c/0x7f0
[ 50.861843][ T42] usb_disconnect+0x2e1/0x920
[ 50.866568][ T42] hub_event+0x1bed/0x4f40
[ 50.871022][ T42] ? __pfx_hub_event+0x10/0x10
[ 50.876000][ T42] ? __pfx_lock_acquire+0x10/0x10
[ 50.881052][ T42] ? __pfx_lock_release+0x10/0x10
[ 50.886128][ T42] process_one_work+0x9c5/0x1b40
[ 50.891102][ T42] ? __pfx_lock_acquire+0x10/0x10
[ 50.896148][ T42] ? __pfx_process_one_work+0x10/0x10
[ 50.901552][ T42] ? assign_work+0x1a0/0x250
[ 50.906249][ T42] worker_thread+0x6c8/0xed0
[ 50.910866][ T42] ? __kthread_parkme+0x148/0x220
[ 50.915903][ T42] ? __pfx_worker_thread+0x10/0x10
[ 50.921033][ T42] kthread+0x2c1/0x3a0
[ 50.925113][ T42] ? _raw_spin_unlock_irq+0x23/0x50
[ 50.930345][ T42] ? __pfx_kthread+0x10/0x10
[ 50.934951][ T42] ret_from_fork+0x45/0x80
[ 50.939388][ T42] ? __pfx_kthread+0x10/0x10
[ 50.943988][ T42] ret_from_fork_asm+0x1a/0x30
[ 50.948777][ T42]
[ 50.951798][ T42]
[ 50.954120][ T42] Allocated by task 42:
[ 50.958269][ T42] kasan_save_stack+0x33/0x60
[ 50.962956][ T42] kasan_save_track+0x14/0x30
[ 50.967659][ T42] __kasan_kmalloc+0x8f/0xa0
[ 50.972257][ T42] hdm_probe+0xb3/0x1880
[ 50.976536][ T42] usb_probe_interface+0x309/0x9d0
[ 50.981663][ T42] really_probe+0x23e/0xa90
[ 50.986191][ T42] __driver_probe_device+0x1de/0x440
[ 50.991510][ T42] driver_probe_device+0x4c/0x1b0
[ 50.996563][ T42] __device_attach_driver+0x1df/0x310
[ 51.001965][ T42] bus_for_each_drv+0x157/0x1e0
[ 51.006832][ T42] __device_attach+0x1e8/0x4b0
[ 51.011610][ T42] bus_probe_device+0x17f/0x1c0
[ 51.016479][ T42] device_add+0x114b/0x1a70
[ 51.021000][ T42] usb_set_configuration+0x10cb/0x1c50
[ 51.026479][ T42] usb_generic_driver_probe+0xb1/0x110
[ 51.031955][ T42] usb_probe_device+0xec/0x3e0
[ 51.036740][ T42] really_probe+0x23e/0xa90
[ 51.041263][ T42] __driver_probe_device+0x1de/0x440
[ 51.046573][ T42] driver_probe_device+0x4c/0x1b0
[ 51.051633][ T42] __device_attach_driver+0x1df/0x310
[ 51.057028][ T42] bus_for_each_drv+0x157/0x1e0
[ 51.061891][ T42] __device_attach+0x1e8/0x4b0
[ 51.066669][ T42] bus_probe_device+0x17f/0x1c0
[ 51.071544][ T42] device_add+0x114b/0x1a70
[ 51.076063][ T42] usb_new_device+0xd90/0x1a10
[ 51.080859][ T42] hub_event+0x2e58/0x4f40
[ 51.085299][ T42] process_one_work+0x9c5/0x1b40
[ 51.090257][ T42] worker_thread+0x6c8/0xed0
[ 51.094862][ T42] kthread+0x2c1/0x3a0
[ 51.098938][ T42] ret_from_fork+0x45/0x80
[ 51.103374][ T42] ret_from_fork_asm+0x1a/0x30
[ 51.108156][ T42]
[ 51.110484][ T42] Freed by task 42:
[ 51.114322][ T42] kasan_save_stack+0x33/0x60
[ 51.119169][ T42] kasan_save_track+0x14/0x30
[ 51.123855][ T42] kasan_save_free_info+0x3b/0x60
[ 51.128896][ T42] poison_slab_object+0xf7/0x160
[ 51.133840][ T42] __kasan_slab_free+0x14/0x30
[ 51.138621][ T42] kfree+0x10b/0x380
[ 51.142603][ T42] device_release+0xa1/0x240
[ 51.147215][ T42] kobject_put+0x1e4/0x5a0
[ 51.151655][ T42] device_unregister+0x2f/0xc0
[ 51.156442][ T42] hdm_disconnect+0x10b/0x250
[ 51.161142][ T42] usb_unbind_interface+0x1e8/0x970
[ 51.166350][ T42] device_remove+0x122/0x170
[ 51.171060][ T42] device_release_driver_internal+0x44a/0x610
[ 51.177140][ T42] bus_remove_device+0x22f/0x420
[ 51.182087][ T42] device_del+0x396/0x9f0
[ 51.186438][ T42] usb_disable_device+0x36c/0x7f0
[ 51.191659][ T42] usb_disconnect+0x2e1/0x920
[ 51.196355][ T42] hub_event+0x1bed/0x4f40
[ 51.200789][ T42] process_one_work+0x9c5/0x1b40
[ 51.205743][ T42] worker_thread+0x6c8/0xed0
[ 51.210363][ T42] kthread+0x2c1/0x3a0
[ 51.214453][ T42] ret_from_fork+0x45/0x80
[ 51.218905][ T42] ret_from_fork_asm+0x1a/0x30
[ 51.223713][ T42]
[ 51.226040][ T42] The buggy address belongs to the object at ffff888113818000
[ 51.226040][ T42] which belongs to the cache kmalloc-8k of size 8192
[ 51.240126][ T42] The buggy address is located 6296 bytes inside of
[ 51.240126][ T42] freed 8192-byte region [ffff888113818000, ffff88811381a000)
[ 51.254128][ T42]
[ 51.256451][ T42] The buggy address belongs to the physical page:
[ 51.262866][ T42] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113818
[ 51.271994][ T42] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 51.280506][ T42] flags: 0x200000000000040(head|node=0|zone=2)
[ 51.286674][ T42] page_type: 0xfdffffff(slab)
[ 51.291357][ T42] raw: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 51.300039][ T42] raw: 0000000000000000 0000000080020002 00000001fdffffff 0000000000000000
[ 51.308719][ T42] head: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 51.317412][ T42] head: 0000000000000000 0000000080020002 00000001fdffffff 0000000000000000
[ 51.326097][ T42] head: 0200000000000003 ffffea00044e0601 ffffffffffffffff 0000000000000000
[ 51.334874][ T42] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 51.343545][ T42] page dumped because: kasan: bad access detected
[ 51.349979][ T42] page_owner tracks the page as allocated
[ 51.355781][ T42] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 42, tgid 42 (kworker/0:2), ts 50501464639, free_ts 50486951962
[ 51.376813][ T42] post_alloc_hook+0x2d1/0x350
[ 51.381616][ T42] get_page_from_freelist+0x1311/0x25f0
[ 51.387208][ T42] __alloc_pages_noprof+0x21e/0x2290
[ 51.392535][ T42] alloc_slab_page+0x4e/0xf0
[ 51.397199][ T42] new_slab+0x84/0x260
[ 51.401310][ T42] ___slab_alloc+0xdac/0x1870
[ 51.406013][ T42] __slab_alloc.constprop.0+0x56/0xb0
[ 51.411422][ T42] __kmalloc_cache_noprof+0x27a/0x2c0
[ 51.416826][ T42] hdm_probe+0xb3/0x1880
[ 51.421090][ T42] usb_probe_interface+0x309/0x9d0
[ 51.426217][ T42] really_probe+0x23e/0xa90
[ 51.430734][ T42] __driver_probe_device+0x1de/0x440
[ 51.436032][ T42] driver_probe_device+0x4c/0x1b0
[ 51.441604][ T42] __device_attach_driver+0x1df/0x310
[ 51.446991][ T42] bus_for_each_drv+0x157/0x1e0
[ 51.451867][ T42] __device_attach+0x1e8/0x4b0
[ 51.456817][ T42] page last free pid 2649 tgid 2649 stack trace:
[ 51.463141][ T42] free_unref_page+0x698/0xce0
[ 51.468009][ T42] __put_partials+0x14c/0x170
[ 51.472728][ T42] qlist_free_all+0x4e/0x140
[ 51.477341][ T42] kasan_quarantine_reduce+0x192/0x1e0
[ 51.483002][ T42] __kasan_slab_alloc+0x4e/0x70
[ 51.487878][ T42] kmem_cache_alloc_noprof+0x11c/0x2b0
[ 51.493379][ T42] getname_flags.part.0+0x4c/0x550
[ 51.498513][ T42] getname_flags+0x93/0xf0
[ 51.502942][ T42] vfs_fstatat+0x86/0x160
[ 51.507290][ T42] __do_sys_newfstatat+0xa2/0x130
[ 51.512335][ T42] do_syscall_64+0xcd/0x250
[ 51.516852][ T42] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 51.522851][ T42]
[ 51.525174][ T42] Memory state around the buggy address:
[ 51.530888][ T42] ffff888113819780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.538950][ T42] ffff888113819800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.547026][ T42] >ffff888113819880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.555099][ T42] ^
[ 51.559953][ T42] ffff888113819900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.568051][ T42] ffff888113819980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.576124][ T42] ==================================================================
[ 51.584314][ T42] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 51.591548][ T42] CPU: 0 UID: 0 PID: 42 Comm: kworker/0:2 Not tainted 6.11.0-rc7-syzkaller-00152-g68d4209158f4 #0
[ 51.602316][ T42] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[ 51.612420][ T42] Workqueue: usb_hub_wq hub_event
[ 51.617510][ T42] Call Trace:
[ 51.620800][ T42]
[ 51.623751][ T42] dump_stack_lvl+0x3d/0x1f0
[ 51.628375][ T42] panic+0x6dc/0x7c0
[ 51.632386][ T42] ? mark_held_locks+0x9f/0xe0
[ 51.637164][ T42] ? __pfx_panic+0x10/0x10
[ 51.641609][ T42] ? irqentry_exit+0x3b/0x90
[ 51.646217][ T42] ? lockdep_hardirqs_on+0x7c/0x110
[ 51.651454][ T42] ? check_panic_on_warn+0x1f/0xb0
[ 51.656682][ T42] check_panic_on_warn+0xab/0xb0
[ 51.661647][ T42] end_report+0x117/0x180
[ 51.665993][ T42] kasan_report+0xe9/0x110
[ 51.670425][ T42] ? hdm_disconnect+0x227/0x250
[ 51.675296][ T42] ? hdm_disconnect+0x227/0x250
[ 51.680196][ T42] hdm_disconnect+0x227/0x250
[ 51.684895][ T42] usb_unbind_interface+0x1e8/0x970
[ 51.690109][ T42] ? kernfs_find_ns+0x2ee/0x3f0
[ 51.694998][ T42] ? __pfx_usb_unbind_interface+0x10/0x10
[ 51.700760][ T42] device_remove+0x122/0x170
[ 51.705549][ T42] device_release_driver_internal+0x44a/0x610
[ 51.711730][ T42] bus_remove_device+0x22f/0x420
[ 51.716691][ T42] device_del+0x396/0x9f0
[ 51.721060][ T42] ? __pfx_device_del+0x10/0x10
[ 51.726012][ T42] ? kobject_put+0x210/0x5a0
[ 51.730634][ T42] usb_disable_device+0x36c/0x7f0
[ 51.735717][ T42] usb_disconnect+0x2e1/0x920
[ 51.740421][ T42] hub_event+0x1bed/0x4f40
[ 51.744877][ T42] ? __pfx_hub_event+0x10/0x10
[ 51.749669][ T42] ? __pfx_lock_acquire+0x10/0x10
[ 51.754726][ T42] ? __pfx_lock_release+0x10/0x10
[ 51.759863][ T42] process_one_work+0x9c5/0x1b40
[ 51.764846][ T42] ? __pfx_lock_acquire+0x10/0x10
[ 51.769897][ T42] ? __pfx_process_one_work+0x10/0x10
[ 51.775314][ T42] ? assign_work+0x1a0/0x250
[ 51.779934][ T42] worker_thread+0x6c8/0xed0
[ 51.784571][ T42] ? __kthread_parkme+0x148/0x220
[ 51.789608][ T42] ? __pfx_worker_thread+0x10/0x10
[ 51.794752][ T42] kthread+0x2c1/0x3a0
[ 51.798828][ T42] ? _raw_spin_unlock_irq+0x23/0x50
[ 51.804074][ T42] ? __pfx_kthread+0x10/0x10
[ 51.808675][ T42] ret_from_fork+0x45/0x80
[ 51.813116][ T42] ? __pfx_kthread+0x10/0x10
[ 51.817763][ T42] ret_from_fork_asm+0x1a/0x30
[ 51.823076][ T42]
[ 51.826494][ T42] Kernel Offset: disabled
[ 51.830832][ T42] Rebooting in 86400 seconds..
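The three stacks in the report tell one story: the kmalloc-8k object is allocated in hdm_probe, it is freed from inside hdm_disconnect by device_unregister -> kobject_put -> device_release -> kfree (so the driver-private object is what the device's release callback frees), and hdm_disconnect then reads 8 bytes at offset 6296 of that same freed region. The block below is an added, constructed user-space model of that lifetime ordering; it is not the most_usb driver's code and not its fix. Every name in it (mock_device, mock_mdev, release_mdev, hdm_probe_model, hdm_disconnect_buggy, hdm_disconnect_fixed, the busy_urbs field, and the quarantine that stands in for KASAN) is hypothetical. It shows why touching the container after the reference-dropping call is a use-after-free, and the ordering that avoids it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the lifetime bug shape in the report above.
 * All names are hypothetical; this is not the most_usb driver's code. */

/* Toy stand-in for KASAN: freed objects sit in a quarantine, and an access
 * that passes through check_access() on a quarantined object is counted as
 * a use-after-free report instead of being dereferenced. */
#define QUARANTINE_SLOTS 16
static void *quarantine[QUARANTINE_SLOTS];
static int uaf_reports;

static void quarantine_free(void *p)
{
    for (int i = 0; i < QUARANTINE_SLOTS; i++)
        if (!quarantine[i]) { quarantine[i] = p; return; }
    free(p);                         /* quarantine full: really release it */
}

static bool check_access(const void *p)
{
    for (int i = 0; i < QUARANTINE_SLOTS; i++)
        if (quarantine[i] == p) { uaf_reports++; return false; }
    return true;
}

static void quarantine_drain(void)
{
    for (int i = 0; i < QUARANTINE_SLOTS; i++) {
        free(quarantine[i]);
        quarantine[i] = NULL;
    }
}

/* Minimal refcounted device with a release callback, like struct device. */
struct mock_device {
    int refcount;
    void (*release)(struct mock_device *dev);
};

/* device_unregister() drops the registration's reference; when that is the
 * last one, release() runs synchronously, as the Freed-by stack shows. */
static void device_unregister(struct mock_device *dev)
{
    if (--dev->refcount == 0)
        dev->release(dev);
}

/* Driver-private object: the device is embedded, so releasing the device
 * frees the whole container, including fields the driver still wants. */
struct mock_mdev {
    struct mock_device dev;          /* must stay the first member */
    void *busy_urbs;                 /* hypothetical per-endpoint bookkeeping */
};

static void release_mdev(struct mock_device *dev)
{
    struct mock_mdev *mdev = (struct mock_mdev *)dev; /* dev is first member */
    quarantine_free(mdev);           /* kfree() in a real driver */
}

struct mock_mdev *hdm_probe_model(void)
{
    struct mock_mdev *mdev = calloc(1, sizeof(*mdev));
    if (!mdev)
        return NULL;
    mdev->dev.refcount = 1;          /* the registration's reference */
    mdev->dev.release = release_mdev;
    mdev->busy_urbs = calloc(4, sizeof(int));
    return mdev;
}

/* Buggy order: the device reference is dropped first, then the container is
 * read. With the device embedded, that read is the slab-use-after-free.
 * Returns the number of UAF accesses the toy checker caught (the model
 * refuses the read, so busy_urbs simply leaks instead of being touched). */
int hdm_disconnect_buggy(struct mock_mdev *mdev)
{
    int before = uaf_reports;
    device_unregister(&mdev->dev);   /* may free mdev right here */
    if (check_access(mdev))          /* read of mdev->busy_urbs after free */
        free(mdev->busy_urbs);
    return uaf_reports - before;
}

/* Fixed order: finish every use of the container, then drop the reference
 * that may free it. Moving the cleanup into release_mdev() is the other
 * valid shape; either way nothing touches mdev after the final put. */
int hdm_disconnect_fixed(struct mock_mdev *mdev)
{
    int before = uaf_reports;
    if (check_access(mdev))
        free(mdev->busy_urbs);
    mdev->busy_urbs = NULL;
    device_unregister(&mdev->dev);   /* last use of mdev is above this line */
    return uaf_reports - before;
}

int main(void)
{
    struct mock_mdev *a = hdm_probe_model();
    struct mock_mdev *b = hdm_probe_model();
    printf("buggy order: %d use-after-free access(es) caught\n", hdm_disconnect_buggy(a));
    printf("fixed order: %d use-after-free access(es) caught\n", hdm_disconnect_fixed(b));
    quarantine_drain();
    return 0;
}
```

The model deliberately keeps the device as the first member of the container so that the cast in release_mdev mirrors what container_of does in the kernel; the point is that once the registration's reference is gone, the driver owns nothing of mdev, so every field it still needs at teardown has to be read, and every resource hanging off it freed, before the call that can drop that reference.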