Warning: Permanently added '10.128.1.150' (ED25519) to the list of known hosts.
executing program
[ 46.152441][ T29] audit: type=1400 audit(1726303924.181:80): avc: denied { execmem } for pid=2645 comm="syz-executor155" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 46.172123][ T29] audit: type=1400 audit(1726303924.181:81): avc: denied { read write } for pid=2646 comm="syz-executor155" name="raw-gadget" dev="devtmpfs" ino=140 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 46.196358][ T29] audit: type=1400 audit(1726303924.181:82): avc: denied { open } for pid=2646 comm="syz-executor155" path="/dev/raw-gadget" dev="devtmpfs" ino=140 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 46.220100][ T29] audit: type=1400 audit(1726303924.181:83): avc: denied { ioctl } for pid=2646 comm="syz-executor155" path="/dev/raw-gadget" dev="devtmpfs" ino=140 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 46.430575][ T42] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 46.622893][ T42] usb 1-1: config 0 has an invalid interface number: 230 but max is 0
[ 46.631319][ T42] usb 1-1: config 0 has no interface number 0
[ 46.637481][ T42] usb 1-1: config 0 interface 230 altsetting 0 endpoint 0x4 has invalid maxpacket 1024, setting to 64
[ 46.648541][ T42] usb 1-1: New USB device found, idVendor=0424, idProduct=c001, bcdDevice=7f.ee
[ 46.657672][ T42] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 46.670500][ T42] usb 1-1: config 0 descriptor??
executing program
[ 46.882287][ T9] usb 1-1: USB disconnect, device number 2
[ 46.895006][ T9] ==================================================================
[ 46.903195][ T9] BUG: KASAN: slab-use-after-free in hdm_disconnect+0x227/0x250
[ 46.910921][ T9] Read of size 8 at addr ffff888121705898 by task kworker/0:1/9
[ 46.918592][ T9]
[ 46.920962][ T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-syzkaller-00152-g68d4209158f4 #0
[ 46.931948][ T9] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[ 46.942017][ T9] Workqueue: usb_hub_wq hub_event
[ 46.947086][ T9] Call Trace:
[ 46.950375][ T9]
[ 46.953309][ T9] dump_stack_lvl+0x116/0x1f0
[ 46.958036][ T9] print_report+0xc3/0x620
[ 46.962470][ T9] ? __virt_addr_valid+0x5e/0x590
[ 46.967500][ T9] ? __phys_addr+0xc6/0x150
[ 46.972012][ T9] kasan_report+0xd9/0x110
[ 46.976443][ T9] ? hdm_disconnect+0x227/0x250
[ 46.981346][ T9] ? hdm_disconnect+0x227/0x250
[ 46.986220][ T9] hdm_disconnect+0x227/0x250
[ 46.990919][ T9] usb_unbind_interface+0x1e8/0x970
[ 46.996156][ T9] ? kernfs_find_ns+0x2ee/0x3f0
[ 47.001026][ T9] ? __pfx_usb_unbind_interface+0x10/0x10
[ 47.006758][ T9] device_remove+0x122/0x170
[ 47.011396][ T9] device_release_driver_internal+0x44a/0x610
[ 47.017502][ T9] bus_remove_device+0x22f/0x420
[ 47.022476][ T9] device_del+0x396/0x9f0
[ 47.026844][ T9] ? __pfx_device_del+0x10/0x10
[ 47.031727][ T9] ? kobject_put+0x210/0x5a0
[ 47.036333][ T9] usb_disable_device+0x36c/0x7f0
[ 47.041385][ T9] usb_disconnect+0x2e1/0x920
[ 47.046111][ T9] hub_event+0x1bed/0x4f40
[ 47.050573][ T9] ? __pfx_hub_event+0x10/0x10
[ 47.055380][ T9] ? __pfx_lock_acquire+0x10/0x10
[ 47.060422][ T9] ? __pfx_lock_release+0x10/0x10
[ 47.065474][ T9] process_one_work+0x9c5/0x1b40
[ 47.070443][ T9] ? __pfx_lock_acquire+0x10/0x10
[ 47.075510][ T9] ? __pfx_process_one_work+0x10/0x10
[ 47.080908][ T9] ? assign_work+0x1a0/0x250
[ 47.085517][ T9] worker_thread+0x6c8/0xed0
[ 47.090160][ T9] ? __kthread_parkme+0x148/0x220
[ 47.095219][ T9] ? __pfx_worker_thread+0x10/0x10
[ 47.100549][ T9] kthread+0x2c1/0x3a0
[ 47.104643][ T9] ? _raw_spin_unlock_irq+0x23/0x50
[ 47.109866][ T9] ? __pfx_kthread+0x10/0x10
[ 47.114468][ T9] ret_from_fork+0x45/0x80
[ 47.118910][ T9] ? __pfx_kthread+0x10/0x10
[ 47.123510][ T9] ret_from_fork_asm+0x1a/0x30
[ 47.128319][ T9]
[ 47.131341][ T9]
[ 47.133668][ T9] Allocated by task 42:
[ 47.137840][ T9] kasan_save_stack+0x33/0x60
[ 47.142530][ T9] kasan_save_track+0x14/0x30
[ 47.147226][ T9] __kasan_kmalloc+0x8f/0xa0
[ 47.151831][ T9] hdm_probe+0xb3/0x1880
[ 47.156094][ T9] usb_probe_interface+0x309/0x9d0
[ 47.161220][ T9] really_probe+0x23e/0xa90
[ 47.165737][ T9] __driver_probe_device+0x1de/0x440
[ 47.171037][ T9] driver_probe_device+0x4c/0x1b0
[ 47.176099][ T9] __device_attach_driver+0x1df/0x310
[ 47.181492][ T9] bus_for_each_drv+0x157/0x1e0
[ 47.186347][ T9] __device_attach+0x1e8/0x4b0
[ 47.191147][ T9] bus_probe_device+0x17f/0x1c0
[ 47.196008][ T9] device_add+0x114b/0x1a70
[ 47.200569][ T9] usb_set_configuration+0x10cb/0x1c50
[ 47.206049][ T9] usb_generic_driver_probe+0xb1/0x110
[ 47.211526][ T9] usb_probe_device+0xec/0x3e0
[ 47.216297][ T9] really_probe+0x23e/0xa90
[ 47.220824][ T9] __driver_probe_device+0x1de/0x440
[ 47.226209][ T9] driver_probe_device+0x4c/0x1b0
[ 47.231253][ T9] __device_attach_driver+0x1df/0x310
[ 47.236742][ T9] bus_for_each_drv+0x157/0x1e0
[ 47.241599][ T9] __device_attach+0x1e8/0x4b0
[ 47.246377][ T9] bus_probe_device+0x17f/0x1c0
[ 47.251236][ T9] device_add+0x114b/0x1a70
[ 47.255774][ T9] usb_new_device+0xd90/0x1a10
[ 47.260566][ T9] hub_event+0x2e58/0x4f40
[ 47.265018][ T9] process_one_work+0x9c5/0x1b40
[ 47.269975][ T9] worker_thread+0x6c8/0xed0
[ 47.274585][ T9] kthread+0x2c1/0x3a0
[ 47.278668][ T9] ret_from_fork+0x45/0x80
[ 47.283116][ T9] ret_from_fork_asm+0x1a/0x30
[ 47.287899][ T9]
[ 47.290227][ T9] Freed by task 9:
[ 47.293987][ T9] kasan_save_stack+0x33/0x60
[ 47.298849][ T9] kasan_save_track+0x14/0x30
[ 47.303532][ T9] kasan_save_free_info+0x3b/0x60
[ 47.308578][ T9] poison_slab_object+0xf7/0x160
[ 47.313524][ T9] __kasan_slab_free+0x14/0x30
[ 47.318328][ T9] kfree+0x10b/0x380
[ 47.322244][ T9] device_release+0xa1/0x240
[ 47.326855][ T9] kobject_put+0x1e4/0x5a0
[ 47.331295][ T9] device_unregister+0x2f/0xc0
[ 47.336075][ T9] hdm_disconnect+0x10b/0x250
[ 47.340774][ T9] usb_unbind_interface+0x1e8/0x970
[ 47.345981][ T9] device_remove+0x122/0x170
[ 47.350590][ T9] device_release_driver_internal+0x44a/0x610
[ 47.356712][ T9] bus_remove_device+0x22f/0x420
[ 47.361840][ T9] device_del+0x396/0x9f0
[ 47.366193][ T9] usb_disable_device+0x36c/0x7f0
[ 47.371241][ T9] usb_disconnect+0x2e1/0x920
[ 47.375940][ T9] hub_event+0x1bed/0x4f40
[ 47.380407][ T9] process_one_work+0x9c5/0x1b40
[ 47.385386][ T9] worker_thread+0x6c8/0xed0
[ 47.389997][ T9] kthread+0x2c1/0x3a0
[ 47.394081][ T9] ret_from_fork+0x45/0x80
[ 47.398518][ T9] ret_from_fork_asm+0x1a/0x30
[ 47.403299][ T9]
[ 47.405627][ T9] The buggy address belongs to the object at ffff888121704000
[ 47.405627][ T9] which belongs to the cache kmalloc-8k of size 8192
[ 47.419716][ T9] The buggy address is located 6296 bytes inside of
[ 47.419716][ T9] freed 8192-byte region [ffff888121704000, ffff888121706000)
[ 47.433720][ T9]
[ 47.436062][ T9] The buggy address belongs to the physical page:
[ 47.442471][ T9] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x121700
[ 47.451335][ T9] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 47.460012][ T9] flags: 0x200000000000040(head|node=0|zone=2)
[ 47.466196][ T9] page_type: 0xfdffffff(slab)
[ 47.470899][ T9] raw: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 47.479513][ T9] raw: 0000000000000000 0000000080020002 00000001fdffffff 0000000000000000
[ 47.488112][ T9] head: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 47.496793][ T9] head: 0000000000000000 0000000080020002 00000001fdffffff 0000000000000000
[ 47.505471][ T9] head: 0200000000000003 ffffea000485c001 ffffffffffffffff 0000000000000000
[ 47.514151][ T9] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 47.522842][ T9] page dumped because: kasan: bad access detected
[ 47.529262][ T9] page_owner tracks the page as allocated
[ 47.535014][ T9] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 2646, tgid 2646 (syz-executor155), ts 46159892161, free_ts 40465312009
[ 47.554585][ T9] post_alloc_hook+0x2d1/0x350
[ 47.559389][ T9] get_page_from_freelist+0x1311/0x25f0
[ 47.564973][ T9] __alloc_pages_noprof+0x21e/0x2290
[ 47.570289][ T9] alloc_slab_page+0x4e/0xf0
[ 47.574900][ T9] new_slab+0x84/0x260
[ 47.579003][ T9] ___slab_alloc+0xdac/0x1870
[ 47.583703][ T9] __slab_alloc.constprop.0+0x56/0xb0
[ 47.589131][ T9] __kmalloc_cache_noprof+0x27a/0x2c0
[ 47.594521][ T9] audit_log_d_path+0xce/0x1e0
[ 47.599316][ T9] common_lsm_audit+0x7bf/0x2220
[ 47.604262][ T9] slow_avc_audit+0x17d/0x210
[ 47.608992][ T9] avc_has_extended_perms+0x9c6/0xf90
[ 47.614390][ T9] ioctl_has_perm.constprop.0.isra.0+0x2f0/0x470
[ 47.620751][ T9] selinux_file_ioctl+0x180/0x270
[ 47.625786][ T9] security_file_ioctl+0x75/0xc0
[ 47.630733][ T9] __x64_sys_ioctl+0xbb/0x220
[ 47.635429][ T9] page last free pid 2638 tgid 2638 stack trace:
[ 47.641761][ T9] free_unref_page+0x698/0xce0
[ 47.646540][ T9] __folio_put+0x1dc/0x260
[ 47.651057][ T9] skb_release_data+0x5dd/0x920
[ 47.655918][ T9] skb_attempt_defer_free+0x1b9/0x630
[ 47.661315][ T9] tcp_recvmsg_locked+0x11cd/0x26b0
[ 47.666654][ T9] tcp_recvmsg+0x12e/0x680
[ 47.671085][ T9] inet_recvmsg+0x12b/0x6a0
[ 47.675635][ T9] sock_recvmsg+0x1b2/0x250
[ 47.680172][ T9] sock_read_iter+0x2c7/0x3c0
[ 47.684882][ T9] vfs_read+0xa39/0xbd0
[ 47.689053][ T9] ksys_read+0x1f8/0x260
[ 47.693311][ T9] do_syscall_64+0xcd/0x250
[ 47.697856][ T9] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 47.703768][ T9]
[ 47.706091][ T9] Memory state around the buggy address:
[ 47.711722][ T9] ffff888121705780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.719871][ T9] ffff888121705800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.727960][ T9] >ffff888121705880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.736026][ T9] ^
[ 47.740878][ T9] ffff888121705900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.748958][ T9] ffff888121705980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.757040][ T9] ==================================================================
[ 47.765298][ T9] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 47.772534][ T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-syzkaller-00152-g68d4209158f4 #0
[ 47.783085][ T9] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[ 47.793180][ T9] Workqueue: usb_hub_wq hub_event
[ 47.798274][ T9] Call Trace:
[ 47.801573][ T9]
[ 47.804647][ T9] dump_stack_lvl+0x3d/0x1f0
[ 47.809270][ T9] panic+0x6dc/0x7c0
[ 47.813201][ T9] ? mark_held_locks+0x9f/0xe0
[ 47.817995][ T9] ? __pfx_panic+0x10/0x10
[ 47.822433][ T9] ? irqentry_exit+0x3b/0x90
[ 47.827039][ T9] ? lockdep_hardirqs_on+0x7c/0x110
[ 47.832268][ T9] ? check_panic_on_warn+0x1f/0xb0
[ 47.837404][ T9] check_panic_on_warn+0xab/0xb0
[ 47.842407][ T9] end_report+0x117/0x180
[ 47.846760][ T9] kasan_report+0xe9/0x110
[ 47.851192][ T9] ? hdm_disconnect+0x227/0x250
[ 47.856069][ T9] ? hdm_disconnect+0x227/0x250
[ 47.860957][ T9] hdm_disconnect+0x227/0x250
[ 47.865684][ T9] usb_unbind_interface+0x1e8/0x970
[ 47.870919][ T9] ? kernfs_find_ns+0x2ee/0x3f0
[ 47.875792][ T9] ? __pfx_usb_unbind_interface+0x10/0x10
[ 47.881534][ T9] device_remove+0x122/0x170
[ 47.886165][ T9] device_release_driver_internal+0x44a/0x610
[ 47.892256][ T9] bus_remove_device+0x22f/0x420
[ 47.897230][ T9] device_del+0x396/0x9f0
[ 47.901577][ T9] ? __pfx_device_del+0x10/0x10
[ 47.906442][ T9] ? kobject_put+0x210/0x5a0
[ 47.911051][ T9] usb_disable_device+0x36c/0x7f0
[ 47.916113][ T9] usb_disconnect+0x2e1/0x920
[ 47.920824][ T9] hub_event+0x1bed/0x4f40
[ 47.925276][ T9] ? __pfx_hub_event+0x10/0x10
[ 47.930089][ T9] ? __pfx_lock_acquire+0x10/0x10
[ 47.935149][ T9] ? __pfx_lock_release+0x10/0x10
[ 47.940201][ T9] process_one_work+0x9c5/0x1b40
[ 47.945187][ T9] ? __pfx_lock_acquire+0x10/0x10
[ 47.950243][ T9] ? __pfx_process_one_work+0x10/0x10
[ 47.955685][ T9] ? assign_work+0x1a0/0x250
[ 47.960316][ T9] worker_thread+0x6c8/0xed0
[ 47.964954][ T9] ? __kthread_parkme+0x148/0x220
[ 47.970087][ T9] ? __pfx_worker_thread+0x10/0x10
[ 47.975219][ T9] kthread+0x2c1/0x3a0
[ 47.979299][ T9] ? _raw_spin_unlock_irq+0x23/0x50
[ 47.984522][ T9] ? __pfx_kthread+0x10/0x10
[ 47.989124][ T9] ret_from_fork+0x45/0x80
[ 47.993563][ T9] ? __pfx_kthread+0x10/0x10
[ 47.998163][ T9] ret_from_fork_asm+0x1a/0x30
[ 48.002978][ T9]
[ 48.006341][ T9] Kernel Offset: disabled
[ 48.010671][ T9] Rebooting in 86400 seconds..