Warning: Permanently added '10.128.1.62' (ED25519) to the list of known hosts.
executing program
[   58.167001][   T29] audit: type=1400 audit(1721914346.430:80): avc:  denied  { execmem } for  pid=2644 comm="syz-executor311" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   58.186702][   T29] audit: type=1400 audit(1721914346.430:81): avc:  denied  { read write } for  pid=2645 comm="syz-executor311" name="raw-gadget" dev="devtmpfs" ino=140 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   58.210606][   T29] audit: type=1400 audit(1721914346.430:82): avc:  denied  { open } for  pid=2645 comm="syz-executor311" path="/dev/raw-gadget" dev="devtmpfs" ino=140 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   58.234549][   T29] audit: type=1400 audit(1721914346.440:83): avc:  denied  { ioctl } for  pid=2645 comm="syz-executor311" path="/dev/raw-gadget" dev="devtmpfs" ino=140 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   58.444962][    T8] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   58.634803][    T8] usb 1-1: Using ep0 maxpacket: 16
[   58.642452][    T8] usb 1-1: unable to get BOS descriptor or descriptor too short
[   58.652617][    T8] usb 1-1: config 15 has an invalid interface number: 79 but max is 1
[   58.661017][    T8] usb 1-1: config 15 contains an unexpected descriptor of type 0x1, skipping
[   58.669852][    T8] usb 1-1: config 15 has 1 interface, different from the descriptor's value: 2
[   58.678945][    T8] usb 1-1: config 15 has no interface number 0
[   58.685402][    T8] usb 1-1: config 15 interface 79 altsetting 9 endpoint 0x1 has invalid maxpacket 9228, setting to 1024
[   58.697031][    T8] usb 1-1: config 15 interface 79 has no altsetting 0
[   58.707321][    T8] usb 1-1: string descriptor 0 read error: -22
[   58.713697][    T8] usb 1-1: New USB device found, idVendor=0bda, idProduct=d82b, bcdDevice=7f.9d
[   58.722982][    T8] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   58.738059][ T2645] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22
[   58.752511][    T8] rtw_8822cu 1-1:15.79: invalid number of endpoints 0
[   58.759484][    T8] rtw_8822cu 1-1:15.79: failed to init USB interface
[   58.800688][    T9] rtw_8822cu 1-1:15.79: Direct firmware load for rtw88/rtw8822c_wow_fw.bin failed with error -2
[   58.811872][   T42] rtw_8822cu 1-1:15.79: Direct firmware load for rtw88/rtw8822c_fw.bin failed with error -2
[   58.822136][    T9] rtw_8822cu 1-1:15.79: failed to request firmware
[   58.828849][   T42] rtw_8822cu 1-1:15.79: failed to request firmware
[   58.839791][    T8] rtw_8822cu 1-1:15.79: probe with driver rtw_8822cu failed with error -22
executing program
[   58.957695][    T8] usb 1-1: USB disconnect, device number 2
[   59.335025][    T8] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[   59.514822][    T8] usb 1-1: Using ep0 maxpacket: 16
[   59.522256][    T8] usb 1-1: unable to get BOS descriptor or descriptor too short
[   59.531503][    T8] usb 1-1: config 15 has an invalid interface number: 79 but max is 1
[   59.539781][    T8] usb 1-1: config 15 contains an unexpected descriptor of type 0x1, skipping
[   59.548709][    T8] usb 1-1: config 15 has 1 interface, different from the descriptor's value: 2
[   59.557726][    T8] usb 1-1: config 15 has no interface number 0
[   59.563936][    T8] usb 1-1: config 15 interface 79 altsetting 9 endpoint 0x1 has invalid maxpacket 9228, setting to 1024
[   59.575132][    T8] usb 1-1: config 15 interface 79 has no altsetting 0
[   59.585128][    T8] usb 1-1: string descriptor 0 read error: -22
[   59.591517][    T8] usb 1-1: New USB device found, idVendor=0bda, idProduct=d82b, bcdDevice=7f.9d
[   59.600640][    T8] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   59.612049][ T2651] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22
[   59.623753][    T8] rtw_8822cu 1-1:15.79: invalid number of endpoints 0
[   59.630643][    T8] rtw_8822cu 1-1:15.79: failed to init USB interface
[   59.638531][   T42] rtw_8822cu 1-1:15.79: Direct firmware load for rtw88/rtw8822c_fw.bin failed with error -2
[   59.650079][    T9] rtw_8822cu 1-1:15.79: Direct firmware load for rtw88/rtw8822c_wow_fw.bin failed with error -2
[   59.660669][   T42] rtw_8822cu 1-1:15.79: failed to request firmware
[   59.668235][    T8] rtw_8822cu 1-1:15.79: probe with driver rtw_8822cu failed with error -22
[   59.677465][    T9] ==================================================================
[   59.685661][    T9] BUG: KASAN: use-after-free in rtw_load_firmware_cb+0x917/0x9f0
[   59.693413][    T9] Read of size 8 at addr ffff888113508bc0 by task kworker/0:1/9
[   59.701063][    T9] 
[   59.703439][    T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.10.0-syzkaller-g933069701c1b #0
[   59.713081][    T9] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[   59.723164][    T9] Workqueue: events request_firmware_work_func
[   59.729348][    T9] Call Trace:
[   59.732638][    T9]  <TASK>
[   59.735574][    T9]  dump_stack_lvl+0x116/0x1f0
[   59.740278][    T9]  print_report+0xc3/0x620
[   59.744723][    T9]  ? __virt_addr_valid+0x5e/0x590
[   59.749756][    T9]  ? __phys_addr+0xc6/0x150
[   59.754273][    T9]  kasan_report+0xd9/0x110
[   59.759135][    T9]  ? rtw_load_firmware_cb+0x917/0x9f0
[   59.764519][    T9]  ? rtw_load_firmware_cb+0x917/0x9f0
[   59.770167][    T9]  ? __pfx_rtw_load_firmware_cb+0x10/0x10
[   59.775900][    T9]  rtw_load_firmware_cb+0x917/0x9f0
[   59.781127][    T9]  ? __pfx_rtw_load_firmware_cb+0x10/0x10
[   59.786857][    T9]  request_firmware_work_func+0x13a/0x250
[   59.792589][    T9]  ? __pfx_request_firmware_work_func+0x10/0x10
[   59.798854][    T9]  process_one_work+0x9c5/0x1b40
[   59.803807][    T9]  ? __pfx_lock_acquire+0x10/0x10
[   59.808880][    T9]  ? __pfx_process_one_work+0x10/0x10
[   59.814273][    T9]  ? assign_work+0x1a0/0x250
[   59.818894][    T9]  worker_thread+0x6c8/0xf20
[   59.823526][    T9]  ? __pfx_worker_thread+0x10/0x10
[   59.828651][    T9]  kthread+0x2c1/0x3a0
[   59.832768][    T9]  ? _raw_spin_unlock_irq+0x23/0x50
[   59.838005][    T9]  ? __pfx_kthread+0x10/0x10
[   59.842635][    T9]  ret_from_fork+0x45/0x80
[   59.847074][    T9]  ? __pfx_kthread+0x10/0x10
[   59.851685][    T9]  ret_from_fork_asm+0x1a/0x30
[   59.856491][    T9]  </TASK>
[   59.859510][    T9] 
[   59.861828][    T9] The buggy address belongs to the physical page:
[   59.868260][    T9] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88811350d700 pfn:0x113508
[   59.878505][    T9] flags: 0x200000000000000(node=0|zone=2)
[   59.884242][    T9] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[   59.892921][    T9] raw: ffff88811350d700 0000000000000000 00000000ffffffff 0000000000000000
[   59.901508][    T9] page dumped because: kasan: bad access detected
[   59.907923][    T9] page_owner tracks the page as freed
[   59.913287][    T9] page last allocated via order 4, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 8, tgid 8 (kworker/0:0), ts 59621688376, free_ts 59668103006
[   59.930670][    T9]  post_alloc_hook+0x2d1/0x350
[   59.935456][    T9]  get_page_from_freelist+0x1311/0x25f0
[   59.941019][    T9]  __alloc_pages_noprof+0x21e/0x2290
[   59.946408][    T9]  ___kmalloc_large_node+0x7f/0x1a0
[   59.951618][    T9]  __kmalloc_large_node_noprof+0x1c/0x70
[   59.957263][    T9]  __kmalloc_noprof.cold+0xc/0x61
[   59.962294][    T9]  wiphy_new_nm+0x701/0x2120
[   59.967002][    T9]  ieee80211_alloc_hw_nm+0x1b7a/0x2260
[   59.972475][    T9]  rtw_usb_probe+0x32/0x1d80
[   59.977249][    T9]  usb_probe_interface+0x309/0x9d0
[   59.982373][    T9]  really_probe+0x23e/0xa90
[   59.986889][    T9]  __driver_probe_device+0x1de/0x440
[   59.992188][    T9]  driver_probe_device+0x4c/0x1b0
[   59.997254][    T9]  __device_attach_driver+0x1df/0x310
[   60.002640][    T9]  bus_for_each_drv+0x157/0x1e0
[   60.007586][    T9]  __device_attach+0x1e8/0x4b0
[   60.012367][    T9] page last free pid 8 tgid 8 stack trace:
[   60.018170][    T9]  __free_pages_ok+0x5c1/0xba0
[   60.022947][    T9]  __folio_put+0x1dc/0x260
[   60.027383][    T9]  device_release+0xa1/0x240
[   60.031978][    T9]  kobject_put+0x1fa/0x5b0
[   60.036933][    T9]  put_device+0x1f/0x30
[   60.041094][    T9]  rtw_usb_probe+0x7a4/0x1d80
[   60.045785][    T9]  usb_probe_interface+0x309/0x9d0
[   60.050908][    T9]  really_probe+0x23e/0xa90
[   60.055445][    T9]  __driver_probe_device+0x1de/0x440
[   60.060755][    T9]  driver_probe_device+0x4c/0x1b0
[   60.065793][    T9]  __device_attach_driver+0x1df/0x310
[   60.071207][    T9]  bus_for_each_drv+0x157/0x1e0
[   60.076073][    T9]  __device_attach+0x1e8/0x4b0
[   60.080872][    T9]  bus_probe_device+0x17f/0x1c0
[   60.085731][    T9]  device_add+0x114b/0x1a70
[   60.090252][    T9]  usb_set_configuration+0x10cb/0x1c50
[   60.095743][    T9] 
[   60.098066][    T9] Memory state around the buggy address:
[   60.103696][    T9]  ffff888113508a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   60.111762][    T9]  ffff888113508b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   60.119828][    T9] >ffff888113508b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   60.127895][    T9]                                            ^
[   60.134066][    T9]  ffff888113508c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   60.142144][    T9]  ffff888113508c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   60.150210][    T9] ==================================================================
[   60.158394][    T9] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   60.165620][    T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.10.0-syzkaller-g933069701c1b #0
[   60.175297][    T9] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[   60.185386][    T9] Workqueue: events request_firmware_work_func
[   60.191569][    T9] Call Trace:
[   60.195381][    T9]  <TASK>
[   60.198323][    T9]  dump_stack_lvl+0x3d/0x1f0
[   60.202976][    T9]  panic+0x6f5/0x7a0
[   60.206922][    T9]  ? __pfx_panic+0x10/0x10
[   60.211366][    T9]  ? check_panic_on_warn+0x1f/0xb0
[   60.216507][    T9]  check_panic_on_warn+0xab/0xb0
[   60.221467][    T9]  end_report+0x117/0x180
[   60.225934][    T9]  kasan_report+0xe9/0x110
[   60.230372][    T9]  ? rtw_load_firmware_cb+0x917/0x9f0
[   60.235765][    T9]  ? rtw_load_firmware_cb+0x917/0x9f0
[   60.241164][    T9]  ? __pfx_rtw_load_firmware_cb+0x10/0x10
[   60.247005][    T9]  rtw_load_firmware_cb+0x917/0x9f0
[   60.252226][    T9]  ? __pfx_rtw_load_firmware_cb+0x10/0x10
[   60.257972][    T9]  request_firmware_work_func+0x13a/0x250
[   60.263716][    T9]  ? __pfx_request_firmware_work_func+0x10/0x10
[   60.270013][    T9]  process_one_work+0x9c5/0x1b40
[   60.274981][    T9]  ? __pfx_lock_acquire+0x10/0x10
[   60.280030][    T9]  ? __pfx_process_one_work+0x10/0x10
[   60.285435][    T9]  ? assign_work+0x1a0/0x250
[   60.290055][    T9]  worker_thread+0x6c8/0xf20
[   60.294678][    T9]  ? __pfx_worker_thread+0x10/0x10
[   60.299811][    T9]  kthread+0x2c1/0x3a0
[   60.303929][    T9]  ? _raw_spin_unlock_irq+0x23/0x50
[   60.309243][    T9]  ? __pfx_kthread+0x10/0x10
[   60.313868][    T9]  ret_from_fork+0x45/0x80
[   60.318320][    T9]  ? __pfx_kthread+0x10/0x10
[   60.322950][    T9]  ret_from_fork_asm+0x1a/0x30
[   60.327751][    T9]  </TASK>
[   60.331157][    T9] Kernel Offset: disabled
[   60.335574][    T9] Rebooting in 86400 seconds..