syzkaller login: [   19.058954][ T2550] udevd (2550) used greatest stack depth: 23504 bytes left
[   22.167977][   T29] kauditd_printk_skb: 29 callbacks suppressed
[   22.167998][   T29] audit: type=1400 audit(1724654101.540:73): avc:  denied  { read } for  pid=2613 comm="dhcpcd-run-hook" name="resolv.conf" dev="tmpfs" ino=257 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[   22.197630][   T29] audit: type=1400 audit(1724654101.540:74): avc:  denied  { open } for  pid=2613 comm="dhcpcd-run-hook" path="/run/dhcpcd/hook-state/resolv.conf" dev="tmpfs" ino=257 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[   26.262997][   T29] audit: type=1400 audit(1724654105.630:75): avc:  denied  { transition } for  pid=2632 comm="sshd" path="/bin/sh" dev="sda1" ino=89 scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   26.285232][   T29] audit: type=1400 audit(1724654105.640:76): avc:  denied  { noatsecure } for  pid=2632 comm="sshd" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   26.304610][   T29] audit: type=1400 audit(1724654105.650:77): avc:  denied  { write } for  pid=2632 comm="sh" path="pipe:[368]" dev="pipefs" ino=368 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1
[   26.326729][   T29] audit: type=1400 audit(1724654105.650:78): avc:  denied  { rlimitinh } for  pid=2632 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   26.346983][   T29] audit: type=1400 audit(1724654105.650:79): avc:  denied  { siginh } for  pid=2632 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   31.324626][ T2633] sshd (2633) used greatest stack depth: 21824 bytes left
Warning: Permanently added '10.128.0.189' (ED25519) to the list of known hosts.
executing program
[   39.736047][   T29] audit: type=1400 audit(1724654119.110:80): avc:  denied  { execmem } for  pid=2648 comm="syz-executor120" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   39.755943][   T29] audit: type=1400 audit(1724654119.110:81): avc:  denied  { read write } for  pid=2649 comm="syz-executor120" name="raw-gadget" dev="devtmpfs" ino=140 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   39.779972][   T29] audit: type=1400 audit(1724654119.110:82): avc:  denied  { open } for  pid=2649 comm="syz-executor120" path="/dev/raw-gadget" dev="devtmpfs" ino=140 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   39.804241][   T29] audit: type=1400 audit(1724654119.120:83): avc:  denied  { ioctl } for  pid=2649 comm="syz-executor120" path="/dev/raw-gadget" dev="devtmpfs" ino=140 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   40.012891][  T300] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   40.192868][  T300] usb 1-1: Using ep0 maxpacket: 32
[   40.200242][  T300] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[   40.208640][  T300] usb 1-1: config 0 has no interface number 0
[   40.217331][  T300] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[   40.226528][  T300] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   40.234645][  T300] usb 1-1: Product: syz
[   40.238801][  T300] usb 1-1: Manufacturer: syz
[   40.243516][  T300] usb 1-1: SerialNumber: syz
[   40.251332][  T300] usb 1-1: config 0 descriptor??
executing program
[   40.462913][  T300] usb 1-1: USB disconnect, device number 2
[   40.474352][  T300] ==================================================================
[   40.482447][  T300] BUG: KASAN: slab-use-after-free in hdm_disconnect+0x227/0x250
[   40.490137][  T300] Read of size 8 at addr ffff888113279898 by task kworker/1:2/300
[   40.497943][  T300] 
[   40.500363][  T300] CPU: 1 UID: 0 PID: 300 Comm: kworker/1:2 Not tainted 6.11.0-rc4-syzkaller-00069-gfc88bb116179 #0
[   40.511031][  T300] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[   40.521170][  T300] Workqueue: usb_hub_wq hub_event
[   40.526216][  T300] Call Trace:
[   40.529557][  T300]  <TASK>
[   40.532482][  T300]  dump_stack_lvl+0x116/0x1f0
[   40.537177][  T300]  print_report+0xc3/0x620
[   40.541593][  T300]  ? __virt_addr_valid+0x5e/0x590
[   40.546635][  T300]  ? __phys_addr+0xc6/0x150
[   40.551150][  T300]  kasan_report+0xd9/0x110
[   40.555564][  T300]  ? hdm_disconnect+0x227/0x250
[   40.560417][  T300]  ? hdm_disconnect+0x227/0x250
[   40.565270][  T300]  hdm_disconnect+0x227/0x250
[   40.569945][  T300]  usb_unbind_interface+0x1e8/0x970
[   40.575144][  T300]  ? kernfs_find_ns+0x2ee/0x3f0
[   40.580002][  T300]  ? __pfx_usb_unbind_interface+0x10/0x10
[   40.585723][  T300]  device_remove+0x122/0x170
[   40.590405][  T300]  device_release_driver_internal+0x44a/0x610
[   40.596484][  T300]  bus_remove_device+0x22f/0x420
[   40.601423][  T300]  device_del+0x396/0x9f0
[   40.605933][  T300]  ? __pfx_device_del+0x10/0x10
[   40.610780][  T300]  ? __pfx___mutex_lock+0x10/0x10
[   40.615898][  T300]  usb_disable_device+0x36c/0x7f0
[   40.620931][  T300]  ? lockdep_hardirqs_on+0x7c/0x110
[   40.626222][  T300]  usb_disconnect+0x2e1/0x920
[   40.630994][  T300]  hub_event+0x1bed/0x4f40
[   40.635413][  T300]  ? __pfx_hub_event+0x10/0x10
[   40.640171][  T300]  ? __pfx_lock_acquire+0x10/0x10
[   40.645196][  T300]  ? __pfx_lock_release+0x10/0x10
[   40.650221][  T300]  process_one_work+0x9c5/0x1b40
[   40.655161][  T300]  ? __pfx_lock_acquire+0x10/0x10
[   40.660180][  T300]  ? __pfx_process_one_work+0x10/0x10
[   40.665641][  T300]  ? assign_work+0x1a0/0x250
[   40.670229][  T300]  worker_thread+0x6c8/0xf20
[   40.674823][  T300]  ? __kthread_parkme+0x148/0x220
[   40.679849][  T300]  ? __pfx_worker_thread+0x10/0x10
[   40.684959][  T300]  kthread+0x2c1/0x3a0
[   40.689034][  T300]  ? _raw_spin_unlock_irq+0x23/0x50
[   40.694240][  T300]  ? __pfx_kthread+0x10/0x10
[   40.698833][  T300]  ret_from_fork+0x45/0x80
[   40.703255][  T300]  ? __pfx_kthread+0x10/0x10
[   40.707846][  T300]  ret_from_fork_asm+0x1a/0x30
[   40.712618][  T300]  </TASK>
[   40.715627][  T300] 
[   40.717938][  T300] Allocated by task 300:
[   40.722165][  T300]  kasan_save_stack+0x33/0x60
[   40.726849][  T300]  kasan_save_track+0x14/0x30
[   40.731631][  T300]  __kasan_kmalloc+0x8f/0xa0
[   40.736224][  T300]  hdm_probe+0xb3/0x1880
[   40.740467][  T300]  usb_probe_interface+0x309/0x9d0
[   40.745591][  T300]  really_probe+0x23e/0xa90
[   40.750108][  T300]  __driver_probe_device+0x1de/0x440
[   40.755402][  T300]  driver_probe_device+0x4c/0x1b0
[   40.760431][  T300]  __device_attach_driver+0x1df/0x310
[   40.765817][  T300]  bus_for_each_drv+0x157/0x1e0
[   40.770665][  T300]  __device_attach+0x1e8/0x4b0
[   40.775434][  T300]  bus_probe_device+0x17f/0x1c0
[   40.780281][  T300]  device_add+0x114b/0x1a70
[   40.784786][  T300]  usb_set_configuration+0x10cb/0x1c50
[   40.790248][  T300]  usb_generic_driver_probe+0xb1/0x110
[   40.795709][  T300]  usb_probe_device+0xec/0x3e0
[   40.800476][  T300]  really_probe+0x23e/0xa90
[   40.804977][  T300]  __driver_probe_device+0x1de/0x440
[   40.810261][  T300]  driver_probe_device+0x4c/0x1b0
[   40.815309][  T300]  __device_attach_driver+0x1df/0x310
[   40.820677][  T300]  bus_for_each_drv+0x157/0x1e0
[   40.825519][  T300]  __device_attach+0x1e8/0x4b0
[   40.830552][  T300]  bus_probe_device+0x17f/0x1c0
[   40.835402][  T300]  device_add+0x114b/0x1a70
[   40.839992][  T300]  usb_new_device+0xd90/0x1a10
[   40.844765][  T300]  hub_event+0x2e58/0x4f40
[   40.849264][  T300]  process_one_work+0x9c5/0x1b40
[   40.854199][  T300]  worker_thread+0x6c8/0xf20
[   40.858870][  T300]  kthread+0x2c1/0x3a0
[   40.863025][  T300]  ret_from_fork+0x45/0x80
[   40.867451][  T300]  ret_from_fork_asm+0x1a/0x30
[   40.872213][  T300] 
[   40.874525][  T300] Freed by task 300:
[   40.878491][  T300]  kasan_save_stack+0x33/0x60
[   40.883181][  T300]  kasan_save_track+0x14/0x30
[   40.887857][  T300]  kasan_save_free_info+0x3b/0x60
[   40.892971][  T300]  poison_slab_object+0xf7/0x160
[   40.897913][  T300]  __kasan_slab_free+0x14/0x30
[   40.902675][  T300]  kfree+0x10b/0x380
[   40.906577][  T300]  device_release+0xa1/0x240
[   40.911161][  T300]  kobject_put+0x1e4/0x5a0
[   40.915686][  T300]  device_unregister+0x2f/0xc0
[   40.920467][  T300]  hdm_disconnect+0x10b/0x250
[   40.925154][  T300]  usb_unbind_interface+0x1e8/0x970
[   40.930352][  T300]  device_remove+0x122/0x170
[   40.934944][  T300]  device_release_driver_internal+0x44a/0x610
[   40.941100][  T300]  bus_remove_device+0x22f/0x420
[   40.946037][  T300]  device_del+0x396/0x9f0
[   40.950451][  T300]  usb_disable_device+0x36c/0x7f0
[   40.955482][  T300]  usb_disconnect+0x2e1/0x920
[   40.960168][  T300]  hub_event+0x1bed/0x4f40
[   40.964673][  T300]  process_one_work+0x9c5/0x1b40
[   40.969610][  T300]  worker_thread+0x6c8/0xf20
[   40.974197][  T300]  kthread+0x2c1/0x3a0
[   40.978273][  T300]  ret_from_fork+0x45/0x80
[   40.982693][  T300]  ret_from_fork_asm+0x1a/0x30
[   40.987465][  T300] 
[   40.989781][  T300] The buggy address belongs to the object at ffff888113278000
[   40.989781][  T300]  which belongs to the cache kmalloc-8k of size 8192
[   41.003830][  T300] The buggy address is located 6296 bytes inside of
[   41.003830][  T300]  freed 8192-byte region [ffff888113278000, ffff88811327a000)
[   41.017795][  T300] 
[   41.020111][  T300] The buggy address belongs to the physical page:
[   41.026509][  T300] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113278
[   41.035355][  T300] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   41.043848][  T300] flags: 0x200000000000040(head|node=0|zone=2)
[   41.050170][  T300] page_type: 0xfdffffff(slab)
[   41.054846][  T300] raw: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[   41.063421][  T300] raw: 0000000000000000 0000000080020002 00000001fdffffff 0000000000000000
[   41.072173][  T300] head: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[   41.080843][  T300] head: 0000000000000000 0000000080020002 00000001fdffffff 0000000000000000
[   41.089507][  T300] head: 0200000000000003 ffffea00044c9e01 ffffffffffffffff 0000000000000000
[   41.098176][  T300] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[   41.106835][  T300] page dumped because: kasan: bad access detected
[   41.113241][  T300] page_owner tracks the page as allocated
[   41.118941][  T300] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 300, tgid 300 (kworker/1:2), ts 40261677658, free_ts 39784437443
[   41.140128][  T300]  post_alloc_hook+0x2d1/0x350
[   41.144898][  T300]  get_page_from_freelist+0x1311/0x25f0
[   41.150445][  T300]  __alloc_pages_noprof+0x21e/0x2290
[   41.155729][  T300]  alloc_slab_page+0x4e/0xf0
[   41.160316][  T300]  new_slab+0x84/0x260
[   41.164385][  T300]  ___slab_alloc+0xdac/0x1870
[   41.169063][  T300]  __slab_alloc.constprop.0+0x56/0xb0
[   41.174442][  T300]  __kmalloc_cache_noprof+0x27a/0x2c0
[   41.179818][  T300]  hdm_probe+0xb3/0x1880
[   41.184064][  T300]  usb_probe_interface+0x309/0x9d0
[   41.189440][  T300]  really_probe+0x23e/0xa90
[   41.193945][  T300]  __driver_probe_device+0x1de/0x440
[   41.199227][  T300]  driver_probe_device+0x4c/0x1b0
[   41.204248][  T300]  __device_attach_driver+0x1df/0x310
[   41.209619][  T300]  bus_for_each_drv+0x157/0x1e0
[   41.214552][  T300]  __device_attach+0x1e8/0x4b0
[   41.219344][  T300] page last free pid 0 tgid 0 stack trace:
[   41.225140][  T300]  free_unref_page+0x698/0xce0
[   41.229903][  T300]  rcu_core+0x828/0x16b0
[   41.234140][  T300]  handle_softirqs+0x209/0x8e0
[   41.238906][  T300]  irq_exit_rcu+0xac/0x110
[   41.243324][  T300]  sysvec_apic_timer_interrupt+0x90/0xb0
[   41.248957][  T300]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[   41.254944][  T300] 
[   41.257265][  T300] Memory state around the buggy address:
[   41.262897][  T300]  ffff888113279780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.271036][  T300]  ffff888113279800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.279174][  T300] >ffff888113279880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.287230][  T300]                             ^
[   41.292250][  T300]  ffff888113279900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.300477][  T300]  ffff888113279980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.308542][  T300] ==================================================================
[   41.316783][  T300] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   41.323990][  T300] CPU: 1 UID: 0 PID: 300 Comm: kworker/1:2 Not tainted 6.11.0-rc4-syzkaller-00069-gfc88bb116179 #0
[   41.335065][  T300] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[   41.345135][  T300] Workqueue: usb_hub_wq hub_event
[   41.350185][  T300] Call Trace:
[   41.353464][  T300]  <TASK>
[   41.356383][  T300]  dump_stack_lvl+0x3d/0x1f0
[   41.360968][  T300]  panic+0x6f5/0x7a0
[   41.364894][  T300]  ? mark_held_locks+0x9f/0xe0
[   41.369656][  T300]  ? __pfx_panic+0x10/0x10
[   41.374088][  T300]  ? irqentry_exit+0x3b/0x90
[   41.378769][  T300]  ? lockdep_hardirqs_on+0x7c/0x110
[   41.383976][  T300]  ? check_panic_on_warn+0x1f/0xb0
[   41.389076][  T300]  check_panic_on_warn+0xab/0xb0
[   41.394010][  T300]  end_report+0x117/0x180
[   41.398333][  T300]  kasan_report+0xe9/0x110
[   41.402754][  T300]  ? hdm_disconnect+0x227/0x250
[   41.407609][  T300]  ? hdm_disconnect+0x227/0x250
[   41.412458][  T300]  hdm_disconnect+0x227/0x250
[   41.417139][  T300]  usb_unbind_interface+0x1e8/0x970
[   41.422327][  T300]  ? kernfs_find_ns+0x2ee/0x3f0
[   41.427192][  T300]  ? __pfx_usb_unbind_interface+0x10/0x10
[   41.432903][  T300]  device_remove+0x122/0x170
[   41.437516][  T300]  device_release_driver_internal+0x44a/0x610
[   41.443586][  T300]  bus_remove_device+0x22f/0x420
[   41.448537][  T300]  device_del+0x396/0x9f0
[   41.452875][  T300]  ? __pfx_device_del+0x10/0x10
[   41.457738][  T300]  ? __pfx___mutex_lock+0x10/0x10
[   41.462756][  T300]  usb_disable_device+0x36c/0x7f0
[   41.467772][  T300]  ? lockdep_hardirqs_on+0x7c/0x110
[   41.472961][  T300]  usb_disconnect+0x2e1/0x920
[   41.477632][  T300]  hub_event+0x1bed/0x4f40
[   41.482046][  T300]  ? __pfx_hub_event+0x10/0x10
[   41.486806][  T300]  ? __pfx_lock_acquire+0x10/0x10
[   41.491815][  T300]  ? __pfx_lock_release+0x10/0x10
[   41.496842][  T300]  process_one_work+0x9c5/0x1b40
[   41.501786][  T300]  ? __pfx_lock_acquire+0x10/0x10
[   41.506835][  T300]  ? __pfx_process_one_work+0x10/0x10
[   41.512202][  T300]  ? assign_work+0x1a0/0x250
[   41.516798][  T300]  worker_thread+0x6c8/0xf20
[   41.521382][  T300]  ? __kthread_parkme+0x148/0x220
[   41.526396][  T300]  ? __pfx_worker_thread+0x10/0x10
[   41.531558][  T300]  kthread+0x2c1/0x3a0
[   41.535725][  T300]  ? _raw_spin_unlock_irq+0x23/0x50
[   41.540937][  T300]  ? __pfx_kthread+0x10/0x10
[   41.545575][  T300]  ret_from_fork+0x45/0x80
[   41.550002][  T300]  ? __pfx_kthread+0x10/0x10
[   41.554604][  T300]  ret_from_fork_asm+0x1a/0x30
[   41.559384][  T300]  </TASK>
[   41.562514][  T300] Kernel Offset: disabled
[   41.566826][  T300] Rebooting in 86400 seconds..