program:
syz_usb_connect(0x2, 0x24, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0xfa, 0xb3, 0x28, 0x8, 0x424, 0xc001, 0xa2b4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x12, 0x0, 0x0, 0x2c, 0x71, 0x31}}]}}]}}, 0x0)
[ 68.229094][ T5299] Bluetooth: hci0: command tx timeout
[ 68.488797][ T5312] usb 5-1: new full-speed USB device number 2 using dummy_hcd
[ 68.642911][ T5312] usb 5-1: config 0 has an invalid interface number: 18 but max is 0
[ 68.646102][ T5312] usb 5-1: config 0 has no interface number 0
[ 68.655309][ T5312] usb 5-1: New USB device found, idVendor=0424, idProduct=c001, bcdDevice=a2.b4
[ 68.660222][ T5312] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 68.663776][ T5312] usb 5-1: Product: syz
[ 68.665610][ T5312] usb 5-1: Manufacturer: syz
[ 68.667522][ T5312] usb 5-1: SerialNumber: syz
[ 68.682684][ T5312] usb 5-1: config 0 descriptor??
[ 68.890748][ T5312] usb 5-1: USB disconnect, device number 2
[ 68.905118][ T5312] ==================================================================
[ 68.908723][ T5312] BUG: KASAN: slab-use-after-free in hdm_disconnect+0x10d/0x1c0
[ 68.912095][ T5312] Read of size 8 at addr ffff88803f06d898 by task kworker/0:5/5312
[ 68.915585][ T5312]
[ 68.916678][ T5312] CPU: 0 UID: 0 PID: 5312 Comm: kworker/0:5 Not tainted 6.15.0-rc4-syzkaller-00256-g95d3481af6dc #0 PREEMPT(full)
[ 68.916690][ T5312] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 68.916698][ T5312] Workqueue: usb_hub_wq hub_event
[ 68.916716][ T5312] Call Trace:
[ 68.916722][ T5312]
[ 68.916727][ T5312] dump_stack_lvl+0x189/0x250
[ 68.916743][ T5312] ? __virt_addr_valid+0x18c/0x540
[ 68.916755][ T5312] ? rcu_is_watching+0x15/0xb0
[ 68.916769][ T5312] ? __kasan_check_byte+0x12/0x40
[ 68.916817][ T5312] ? __pfx_dump_stack_lvl+0x10/0x10
[ 68.916826][ T5312] ? rcu_is_watching+0x15/0xb0
[ 68.916834][ T5312] ? lock_release+0x4b/0x3e0
[ 68.916845][ T5312] ? __virt_addr_valid+0x18c/0x540
[ 68.916852][ T5312] ? __virt_addr_valid+0x469/0x540
[ 68.916860][ T5312] print_report+0xb4/0x290
[ 68.916868][ T5312] ? hdm_disconnect+0x10d/0x1c0
[ 68.916877][ T5312] kasan_report+0x118/0x150
[ 68.916885][ T5312] ? hdm_disconnect+0x10d/0x1c0
[ 68.916893][ T5312] hdm_disconnect+0x10d/0x1c0
[ 68.916902][ T5312] usb_unbind_interface+0x26b/0x8f0
[ 68.916912][ T5312] ? __pfx_usb_unbind_interface+0x10/0x10
[ 68.916922][ T5312] device_release_driver_internal+0x4d6/0x7c0
[ 68.916931][ T5312] bus_remove_device+0x34d/0x410
[ 68.916941][ T5312] device_del+0x511/0x8e0
[ 68.916952][ T5312] ? __pm_runtime_barrier+0x212/0x460
[ 68.916964][ T5312] ? __pfx_device_del+0x10/0x10
[ 68.916974][ T5312] ? __pfx___mutex_lock+0x10/0x10
[ 68.916983][ T5312] usb_disable_device+0x3e9/0x8a0
[ 68.916992][ T5312] usb_disconnect+0x330/0x910
[ 68.917001][ T5312] hub_event+0x1cdb/0x4a00
[ 68.917011][ T5312] ? __lock_acquire+0xaac/0xd20
[ 68.917019][ T5312] ? do_raw_spin_lock+0x121/0x290
[ 68.917028][ T5312] ? __lock_acquire+0xaac/0xd20
[ 68.917036][ T5312] ? __pfx_hub_event+0x10/0x10
[ 68.917044][ T5312] ? process_scheduled_works+0x9ec/0x17a0
[ 68.917054][ T5312] ? _raw_spin_unlock_irq+0x23/0x50
[ 68.917060][ T5312] ? process_scheduled_works+0x9ec/0x17a0
[ 68.917069][ T5312] ? process_scheduled_works+0x9ec/0x17a0
[ 68.917078][ T5312] process_scheduled_works+0xadb/0x17a0
[ 68.917090][ T5312] ? __pfx_process_scheduled_works+0x10/0x10
[ 68.917101][ T5312] worker_thread+0x8a0/0xda0
[ 68.917107][ T5312] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 68.917117][ T5312] ? __kthread_parkme+0x7b/0x200
[ 68.917127][ T5312] kthread+0x70e/0x8a0
[ 68.917138][ T5312] ? __pfx_worker_thread+0x10/0x10
[ 68.917146][ T5312] ? __pfx_kthread+0x10/0x10
[ 68.917156][ T5312] ? __pfx_kthread+0x10/0x10
[ 68.917166][ T5312] ? _raw_spin_unlock_irq+0x23/0x50
[ 68.917172][ T5312] ? lockdep_hardirqs_on+0x9c/0x150
[ 68.917179][ T5312] ? __pfx_kthread+0x10/0x10
[ 68.917185][ T5312] ret_from_fork+0x4b/0x80
[ 68.917192][ T5312] ? __pfx_kthread+0x10/0x10
[ 68.917202][ T5312] ret_from_fork_asm+0x1a/0x30
[ 68.917214][ T5312]
[ 68.917217][ T5312]
[ 69.035538][ T5312] Allocated by task 5312:
[ 69.037479][ T5312] kasan_save_track+0x3e/0x80
[ 69.039352][ T5312] __kasan_kmalloc+0x93/0xb0
[ 69.041388][ T5312] __kmalloc_cache_noprof+0x230/0x3d0
[ 69.043711][ T5312] hdm_probe+0x96/0x1400
[ 69.045570][ T5312] usb_probe_interface+0x641/0xbc0
[ 69.047762][ T5312] really_probe+0x26a/0x9a0
[ 69.049796][ T5312] __driver_probe_device+0x18c/0x2f0
[ 69.052085][ T5312] driver_probe_device+0x4f/0x430
[ 69.054305][ T5312] __device_attach_driver+0x2ce/0x530
[ 69.056577][ T5312] bus_for_each_drv+0x24e/0x2e0
[ 69.058599][ T5312] __device_attach+0x2b8/0x400
[ 69.060531][ T5312] bus_probe_device+0x185/0x260
[ 69.062711][ T5312] device_add+0x7b6/0xb50
[ 69.064570][ T5312] usb_set_configuration+0x1a87/0x20e0
[ 69.066996][ T5312] usb_generic_driver_probe+0x8d/0x150
[ 69.069509][ T5312] usb_probe_device+0x1c1/0x390
[ 69.071749][ T5312] really_probe+0x26a/0x9a0
[ 69.073830][ T5312] __driver_probe_device+0x18c/0x2f0
[ 69.076136][ T5312] driver_probe_device+0x4f/0x430
[ 69.078218][ T5312] __device_attach_driver+0x2ce/0x530
[ 69.080558][ T5312] bus_for_each_drv+0x24e/0x2e0
[ 69.082678][ T5312] __device_attach+0x2b8/0x400
[ 69.084780][ T5312] bus_probe_device+0x185/0x260
[ 69.086797][ T5312] device_add+0x7b6/0xb50
[ 69.088759][ T5312] usb_new_device+0xa39/0x16c0
[ 69.090823][ T5312] hub_event+0x2941/0x4a00
[ 69.092727][ T5312] process_scheduled_works+0xadb/0x17a0
[ 69.095116][ T5312] worker_thread+0x8a0/0xda0
[ 69.097202][ T5312] kthread+0x70e/0x8a0
[ 69.099028][ T5312] ret_from_fork+0x4b/0x80
[ 69.101035][ T5312] ret_from_fork_asm+0x1a/0x30
[ 69.103140][ T5312]
[ 69.104208][ T5312] Freed by task 5312:
[ 69.105989][ T5312] kasan_save_track+0x3e/0x80
[ 69.108125][ T5312] kasan_save_free_info+0x46/0x50
[ 69.110328][ T5312] __kasan_slab_free+0x62/0x70
[ 69.112476][ T5312] kfree+0x193/0x440
[ 69.114114][ T5312] device_release+0x99/0x1c0
[ 69.116078][ T5312] kobject_put+0x228/0x480
[ 69.117980][ T5312] hdm_disconnect+0xf3/0x1c0
[ 69.119968][ T5312] usb_unbind_interface+0x26b/0x8f0
[ 69.122275][ T5312] device_release_driver_internal+0x4d6/0x7c0
[ 69.124832][ T5312] bus_remove_device+0x34d/0x410
[ 69.126898][ T5312] device_del+0x511/0x8e0
[ 69.128640][ T5312] usb_disable_device+0x3e9/0x8a0
[ 69.130826][ T5312] usb_disconnect+0x330/0x910
[ 69.132904][ T5312] hub_event+0x1cdb/0x4a00
[ 69.134894][ T5312] process_scheduled_works+0xadb/0x17a0
[ 69.137268][ T5312] worker_thread+0x8a0/0xda0
[ 69.139092][ T5312] kthread+0x70e/0x8a0
[ 69.140818][ T5312] ret_from_fork+0x4b/0x80
[ 69.142742][ T5312] ret_from_fork_asm+0x1a/0x30
[ 69.144892][ T5312]
[ 69.145950][ T5312] The buggy address belongs to the object at ffff88803f06c000
[ 69.145950][ T5312] which belongs to the cache kmalloc-8k of size 8192
[ 69.151737][ T5312] The buggy address is located 6296 bytes inside of
[ 69.151737][ T5312] freed 8192-byte region [ffff88803f06c000, ffff88803f06e000)
[ 69.157381][ T5312]
[ 69.158415][ T5312] The buggy address belongs to the physical page:
[ 69.161116][ T5312] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3f068
[ 69.164740][ T5312] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 69.168334][ T5312] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
[ 69.171597][ T5312] page_type: f5(slab)
[ 69.173410][ T5312] raw: 04fff00000000040 ffff88801a042280 dead000000000122 0000000000000000
[ 69.177101][ T5312] raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
[ 69.180761][ T5312] head: 04fff00000000040 ffff88801a042280 dead000000000122 0000000000000000
[ 69.184145][ T5312] head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
[ 69.187521][ T5312] head: 04fff00000000003 ffffea0000fc1a01 00000000ffffffff 00000000ffffffff
[ 69.190683][ T5312] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 69.193908][ T5312] page dumped because: kasan: bad access detected
[ 69.196630][ T5312] page_owner tracks the page as allocated
[ 69.199028][ T5312] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5307, tgid 5307 (kworker/0:4), ts 66898613546, free_ts 66861896522
[ 69.206905][ T5312] post_alloc_hook+0x1d8/0x230
[ 69.208840][ T5312] get_page_from_freelist+0x21ce/0x22b0
[ 69.211236][ T5312] __alloc_frozen_pages_noprof+0x181/0x370
[ 69.213725][ T5312] alloc_pages_mpol+0x232/0x4a0
[ 69.215765][ T5312] allocate_slab+0x8a/0x3b0
[ 69.217649][ T5312] ___slab_alloc+0xbfc/0x1480
[ 69.219760][ T5312] __kmalloc_noprof+0x305/0x4f0
[ 69.221941][ T5312] __sta_info_alloc+0xce6/0x27a0
[ 69.224078][ T5312] ieee80211_ibss_rx_no_sta+0x3e1/0x730
[ 69.226523][ T5312] ieee80211_prepare_and_rx_handle+0x20c4/0x6200
[ 69.229264][ T5312] ieee80211_rx_list+0x2499/0x2d80
[ 69.231504][ T5312] ieee80211_rx_napi+0x1a8/0x3d0
[ 69.233706][ T5312] ieee80211_handle_queued_frames+0xe8/0x1f0
[ 69.236378][ T5312] tasklet_action_common+0x369/0x580
[ 69.238644][ T5312] handle_softirqs+0x283/0x870
[ 69.240778][ T5312] do_softirq+0xec/0x180
[ 69.242607][ T5312] page last free pid 5298 tgid 5298 stack trace:
[ 69.245375][ T5312] __free_frozen_pages+0xb0e/0xcd0
[ 69.247683][ T5312] __slab_free+0x326/0x400
[ 69.249754][ T5312] qlist_free_all+0x9a/0x140
[ 69.251826][ T5312] kasan_quarantine_reduce+0x148/0x160
[ 69.254265][ T5312] __kasan_slab_alloc+0x22/0x80
[ 69.256474][ T5312] __kmalloc_cache_noprof+0x1be/0x3d0
[ 69.258836][ T5312] netdevice_event+0x3a1/0x8a0
[ 69.260995][ T5312] notifier_call_chain+0x1b3/0x3e0
[ 69.263145][ T5312] __dev_notify_flags+0x18d/0x2e0
[ 69.265328][ T5312] netif_change_flags+0xe8/0x1a0
[ 69.267436][ T5312] dev_change_flags+0x130/0x260
[ 69.269576][ T5312] devinet_ioctl+0xbb4/0x1b50
[ 69.271934][ T5312] inet_ioctl+0x3c0/0x4c0
[ 69.274257][ T5312] sock_do_ioctl+0xd9/0x300
[ 69.276218][ T5312] sock_ioctl+0x576/0x790
[ 69.278012][ T5312] __se_sys_ioctl+0xf9/0x170
[ 69.279931][ T5312]
[ 69.280957][ T5312] Memory state around the buggy address:
[ 69.283384][ T5312] ffff88803f06d780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.286822][ T5312] ffff88803f06d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.290309][ T5312] >ffff88803f06d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.293939][ T5312] ^
[ 69.296081][ T5312] ffff88803f06d900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.299555][ T5312] ffff88803f06d980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.302997][ T5312] ==================================================================
[ 69.354073][ T5312] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 69.357244][ T5312] CPU: 0 UID: 0 PID: 5312 Comm: kworker/0:5 Not tainted 6.15.0-rc4-syzkaller-00256-g95d3481af6dc #0 PREEMPT(full)
[ 69.362381][ T5312] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 69.366937][ T5312] Workqueue: usb_hub_wq hub_event
[ 69.369187][ T5312] Call Trace:
[ 69.370601][ T5312]
[ 69.371900][ T5312] dump_stack_lvl+0x99/0x250
[ 69.373735][ T5312] ? __asan_memcpy+0x40/0x70
[ 69.375734][ T5312] ? __pfx_dump_stack_lvl+0x10/0x10
[ 69.378146][ T5312] ? __pfx__printk+0x10/0x10
[ 69.380009][ T5312] panic+0x2db/0x790
[ 69.381530][ T5312] ? __pfx_panic+0x10/0x10
[ 69.383311][ T5312] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 69.385593][ T5312] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 69.388132][ T5312] ? print_memory_metadata+0x314/0x400
[ 69.390505][ T5312] ? hdm_disconnect+0x10d/0x1c0
[ 69.392675][ T5312] check_panic_on_warn+0x89/0xb0
[ 69.394739][ T5312] ? hdm_disconnect+0x10d/0x1c0
[ 69.396803][ T5312] end_report+0x78/0x160
[ 69.398622][ T5312] kasan_report+0x129/0x150
[ 69.400583][ T5312] ? hdm_disconnect+0x10d/0x1c0
[ 69.402747][ T5312] hdm_disconnect+0x10d/0x1c0
[ 69.404940][ T5312] usb_unbind_interface+0x26b/0x8f0
[ 69.407173][ T5312] ? __pfx_usb_unbind_interface+0x10/0x10
[ 69.409627][ T5312] device_release_driver_internal+0x4d6/0x7c0
[ 69.412239][ T5312] bus_remove_device+0x34d/0x410
[ 69.414373][ T5312] device_del+0x511/0x8e0
[ 69.416339][ T5312] ? __pm_runtime_barrier+0x212/0x460
[ 69.418606][ T5312] ? __pfx_device_del+0x10/0x10
[ 69.420734][ T5312] ? __pfx___mutex_lock+0x10/0x10
[ 69.422902][ T5312] usb_disable_device+0x3e9/0x8a0
[ 69.425096][ T5312] usb_disconnect+0x330/0x910
[ 69.427212][ T5312] hub_event+0x1cdb/0x4a00
[ 69.429218][ T5312] ? __lock_acquire+0xaac/0xd20
[ 69.431325][ T5312] ? do_raw_spin_lock+0x121/0x290
[ 69.433540][ T5312] ? __lock_acquire+0xaac/0xd20
[ 69.435584][ T5312] ? __pfx_hub_event+0x10/0x10
[ 69.437699][ T5312] ? process_scheduled_works+0x9ec/0x17a0
[ 69.440176][ T5312] ? _raw_spin_unlock_irq+0x23/0x50
[ 69.442498][ T5312] ? process_scheduled_works+0x9ec/0x17a0
[ 69.444958][ T5312] ? process_scheduled_works+0x9ec/0x17a0
[ 69.447294][ T5312] process_scheduled_works+0xadb/0x17a0
[ 69.449700][ T5312] ? __pfx_process_scheduled_works+0x10/0x10
[ 69.452295][ T5312] worker_thread+0x8a0/0xda0
[ 69.454289][ T5312] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 69.456919][ T5312] ? __kthread_parkme+0x7b/0x200
[ 69.459136][ T5312] kthread+0x70e/0x8a0
[ 69.460815][ T5312] ? __pfx_worker_thread+0x10/0x10
[ 69.462803][ T5312] ? __pfx_kthread+0x10/0x10
[ 69.464669][ T5312] ? __pfx_kthread+0x10/0x10
[ 69.466545][ T5312] ? _raw_spin_unlock_irq+0x23/0x50
[ 69.468693][ T5312] ? lockdep_hardirqs_on+0x9c/0x150
[ 69.470679][ T5312] ? __pfx_kthread+0x10/0x10
[ 69.472404][ T5312] ret_from_fork+0x4b/0x80
[ 69.474219][ T5312] ? __pfx_kthread+0x10/0x10
[ 69.476138][ T5312] ret_from_fork_asm+0x1a/0x30
[ 69.478083][ T5312]
[ 69.479717][ T5312] Kernel Offset: disabled
[ 69.481748][ T5312] Rebooting in 86400 seconds..