Warning: Permanently added '10.128.1.149' (ED25519) to the list of known hosts.
executing program
[ 45.959941][ T29] audit: type=1400 audit(1748170753.635:64): avc: denied { execmem } for pid=2951 comm="syz-executor227" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 45.979703][ T29] audit: type=1400 audit(1748170753.635:65): avc: denied { read write } for pid=2952 comm="syz-executor227" name="raw-gadget" dev="devtmpfs" ino=236 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 46.003770][ T29] audit: type=1400 audit(1748170753.635:66): avc: denied { open } for pid=2952 comm="syz-executor227" path="/dev/raw-gadget" dev="devtmpfs" ino=236 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 46.027626][ T29] audit: type=1400 audit(1748170753.635:67): avc: denied { ioctl } for pid=2952 comm="syz-executor227" path="/dev/raw-gadget" dev="devtmpfs" ino=236 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 46.194235][ T38] usb 1-1: new full-speed USB device number 2 using dummy_hcd
[ 46.346481][ T38] usb 1-1: config 0 has an invalid interface number: 226 but max is 0
[ 46.354987][ T38] usb 1-1: config 0 has no interface number 0
[ 46.361780][ T38] usb 1-1: config 0 interface 226 has no altsetting 0
[ 46.368683][ T38] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=a5.88
[ 46.377789][ T38] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 46.391205][ T38] usb 1-1: config 0 descriptor??
executing program
[ 46.601384][ T38] usb 1-1: string descriptor 0 read error: -71
[ 46.623565][ T38] usb 1-1: USB disconnect, device number 2
[ 46.635930][ T38] ==================================================================
[ 46.644406][ T38] BUG: KASAN: slab-use-after-free in hdm_disconnect+0x227/0x250
[ 46.652125][ T38] Read of size 8 at addr ffff88811b4dd890 by task kworker/1:1/38
[ 46.659889][ T38]
[ 46.662271][ T38] CPU: 1 UID: 0 PID: 38 Comm: kworker/1:1 Not tainted 6.15.0-rc6-syzkaller-00177-g882826f58b2c #0 PREEMPT(voluntary)
[ 46.662309][ T38] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 46.662328][ T38] Workqueue: usb_hub_wq hub_event
[ 46.662371][ T38] Call Trace:
[ 46.662381][ T38]
[ 46.662392][ T38] dump_stack_lvl+0x116/0x1f0
[ 46.662445][ T38] print_report+0xc3/0x670
[ 46.662480][ T38] ? __virt_addr_valid+0x5e/0x590
[ 46.662511][ T38] ? __phys_addr+0xc6/0x150
[ 46.662542][ T38] ? hdm_disconnect+0x227/0x250
[ 46.662578][ T38] kasan_report+0xe0/0x110
[ 46.662614][ T38] ? hdm_disconnect+0x227/0x250
[ 46.662655][ T38] hdm_disconnect+0x227/0x250
[ 46.662691][ T38] usb_unbind_interface+0x1da/0x9a0
[ 46.662737][ T38] ? kernfs_remove_by_name_ns+0xbe/0x110
[ 46.662788][ T38] ? __pfx_usb_unbind_interface+0x10/0x10
[ 46.662831][ T38] device_remove+0x122/0x170
[ 46.662878][ T38] device_release_driver_internal+0x44b/0x620
[ 46.662913][ T38] bus_remove_device+0x22f/0x420
[ 46.662959][ T38] device_del+0x396/0x9f0
[ 46.663009][ T38] ? __pfx_device_del+0x10/0x10
[ 46.663055][ T38] ? __pfx___mutex_lock+0x10/0x10
[ 46.663095][ T38] ? __pfx___pm_runtime_barrier+0x10/0x10
[ 46.663144][ T38] ? do_raw_spin_lock+0x12c/0x2b0
[ 46.663195][ T38] usb_disable_device+0x355/0x7d0
[ 46.663231][ T38] ? lockdep_hardirqs_on+0x7c/0x110
[ 46.663274][ T38] usb_disconnect+0x2e1/0x920
[ 46.663313][ T38] hub_event+0x1aa0/0x5030
[ 46.663361][ T38] ? __lock_acquire+0xaa4/0x1ba0
[ 46.663405][ T38] ? __pfx_hub_event+0x10/0x10
[ 46.663440][ T38] ? debug_object_deactivate+0x1ec/0x3a0
[ 46.663489][ T38] ? rcu_is_watching+0x12/0xc0
[ 46.663524][ T38] process_one_work+0x9cc/0x1b70
[ 46.663558][ T38] ? __pfx_hub_event+0x10/0x10
[ 46.663591][ T38] ? __pfx_process_one_work+0x10/0x10
[ 46.663618][ T38] ? assign_work+0x1a0/0x250
[ 46.663656][ T38] worker_thread+0x6c8/0xf10
[ 46.663683][ T38] ? __kthread_parkme+0x19e/0x250
[ 46.663716][ T38] ? __pfx_worker_thread+0x10/0x10
[ 46.663746][ T38] kthread+0x3c2/0x780
[ 46.663785][ T38] ? __pfx_kthread+0x10/0x10
[ 46.663822][ T38] ? __pfx_kthread+0x10/0x10
[ 46.663859][ T38] ? __pfx_kthread+0x10/0x10
[ 46.663899][ T38] ? __pfx_kthread+0x10/0x10
[ 46.663944][ T38] ? rcu_is_watching+0x12/0xc0
[ 46.663972][ T38] ? __pfx_kthread+0x10/0x10
[ 46.664016][ T38] ret_from_fork+0x45/0x80
[ 46.664051][ T38] ? __pfx_kthread+0x10/0x10
[ 46.664084][ T38] ret_from_fork_asm+0x1a/0x30
[ 46.664114][ T38]
[ 46.664122][ T38]
[ 46.917087][ T38] Allocated by task 38:
[ 46.921242][ T38] kasan_save_stack+0x33/0x60
[ 46.925960][ T38] kasan_save_track+0x14/0x30
[ 46.930662][ T38] __kasan_kmalloc+0x8f/0xa0
[ 46.935283][ T38] hdm_probe+0xb3/0x19a0
[ 46.939656][ T38] usb_probe_interface+0x300/0x9c0
[ 46.944795][ T38] really_probe+0x23e/0xa90
[ 46.949328][ T38] __driver_probe_device+0x1de/0x440
[ 46.954654][ T38] driver_probe_device+0x4c/0x1b0
[ 46.959704][ T38] __device_attach_driver+0x1df/0x310
[ 46.965133][ T38] bus_for_each_drv+0x156/0x1e0
[ 46.970012][ T38] __device_attach+0x1e4/0x4b0
[ 46.974816][ T38] bus_probe_device+0x17f/0x1c0
[ 46.979699][ T38] device_add+0x1148/0x1a70
[ 46.984213][ T38] usb_set_configuration+0x1187/0x1e20
[ 46.989689][ T38] usb_generic_driver_probe+0xb1/0x110
[ 46.995159][ T38] usb_probe_device+0xec/0x3e0
[ 46.999956][ T38] really_probe+0x23e/0xa90
[ 47.004668][ T38] __driver_probe_device+0x1de/0x440
[ 47.010004][ T38] driver_probe_device+0x4c/0x1b0
[ 47.015075][ T38] __device_attach_driver+0x1df/0x310
[ 47.020471][ T38] bus_for_each_drv+0x156/0x1e0
[ 47.025341][ T38] __device_attach+0x1e4/0x4b0
[ 47.030125][ T38] bus_probe_device+0x17f/0x1c0
[ 47.034993][ T38] device_add+0x1148/0x1a70
[ 47.039524][ T38] usb_new_device+0xd07/0x1a20
[ 47.044317][ T38] hub_event+0x2f85/0x5030
[ 47.048741][ T38] process_one_work+0x9cc/0x1b70
[ 47.053684][ T38] worker_thread+0x6c8/0xf10
[ 47.058279][ T38] kthread+0x3c2/0x780
[ 47.062366][ T38] ret_from_fork+0x45/0x80
[ 47.066794][ T38] ret_from_fork_asm+0x1a/0x30
[ 47.071578][ T38]
[ 47.073898][ T38] Freed by task 38:
[ 47.077702][ T38] kasan_save_stack+0x33/0x60
[ 47.082396][ T38] kasan_save_track+0x14/0x30
[ 47.087081][ T38] kasan_save_free_info+0x3b/0x60
[ 47.092125][ T38] __kasan_slab_free+0x37/0x50
[ 47.096901][ T38] kfree+0x286/0x470
[ 47.100899][ T38] device_release+0xa1/0x240
[ 47.105503][ T38] kobject_put+0x1e4/0x5a0
[ 47.109937][ T38] device_unregister+0x2f/0xc0
[ 47.114734][ T38] hdm_disconnect+0x10b/0x250
[ 47.119424][ T38] usb_unbind_interface+0x1da/0x9a0
[ 47.124637][ T38] device_remove+0x122/0x170
[ 47.129244][ T38] device_release_driver_internal+0x44b/0x620
[ 47.135317][ T38] bus_remove_device+0x22f/0x420
[ 47.140268][ T38] device_del+0x396/0x9f0
[ 47.144748][ T38] usb_disable_device+0x355/0x7d0
[ 47.150042][ T38] usb_disconnect+0x2e1/0x920
[ 47.154729][ T38] hub_event+0x1aa0/0x5030
[ 47.159159][ T38] process_one_work+0x9cc/0x1b70
[ 47.164103][ T38] worker_thread+0x6c8/0xf10
[ 47.168698][ T38] kthread+0x3c2/0x780
[ 47.172782][ T38] ret_from_fork+0x45/0x80
[ 47.177220][ T38] ret_from_fork_asm+0x1a/0x30
[ 47.181997][ T38]
[ 47.184336][ T38] The buggy address belongs to the object at ffff88811b4dc000
[ 47.184336][ T38] which belongs to the cache kmalloc-8k of size 8192
[ 47.198417][ T38] The buggy address is located 6288 bytes inside of
[ 47.198417][ T38] freed 8192-byte region [ffff88811b4dc000, ffff88811b4de000)
[ 47.212395][ T38]
[ 47.214720][ T38] The buggy address belongs to the physical page:
[ 47.221137][ T38] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11b4d8
[ 47.229991][ T38] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 47.238505][ T38] flags: 0x200000000000040(head|node=0|zone=2)
[ 47.244777][ T38] page_type: f5(slab)
[ 47.248763][ T38] raw: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 47.257360][ T38] raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
[ 47.265953][ T38] head: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 47.274631][ T38] head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
[ 47.283317][ T38] head: 0200000000000003 ffffea00046d3601 00000000ffffffff 00000000ffffffff
[ 47.291998][ T38] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
[ 47.300669][ T38] page dumped because: kasan: bad access detected
[ 47.307079][ T38] page_owner tracks the page as allocated
[ 47.312823][ T38] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 2952, tgid 2952 (syz-executor227), ts 45965284362, free_ts 40161370636
[ 47.332460][ T38] post_alloc_hook+0x181/0x1b0
[ 47.337239][ T38] get_page_from_freelist+0xfec/0x2d90
[ 47.342712][ T38] __alloc_frozen_pages_noprof+0x25c/0x2160
[ 47.348625][ T38] alloc_pages_mpol+0xe4/0x410
[ 47.353401][ T38] new_slab+0x244/0x340
[ 47.357571][ T38] ___slab_alloc+0xda5/0x1940
[ 47.362257][ T38] __slab_alloc.constprop.0+0x56/0xb0
[ 47.367643][ T38] __kmalloc_cache_noprof+0x209/0x3c0
[ 47.373029][ T38] audit_log_d_path+0xe7/0x200
[ 47.377804][ T38] audit_log_lsm_data+0x1085/0x1fe0
[ 47.383024][ T38] common_lsm_audit+0x238/0x300
[ 47.387893][ T38] slow_avc_audit+0x186/0x210
[ 47.392670][ T38] avc_has_extended_perms+0xa40/0x1090
[ 47.398140][ T38] ioctl_has_perm.constprop.0.isra.0+0x2f4/0x450
[ 47.404484][ T38] selinux_file_ioctl+0x180/0x270
[ 47.409519][ T38] security_file_ioctl+0x48/0x90
[ 47.414474][ T38] page last free pid 2944 tgid 2944 stack trace:
[ 47.420812][ T38] __free_frozen_pages+0x66c/0xe70
[ 47.425936][ T38] __put_partials+0x16d/0x1c0
[ 47.430623][ T38] qlist_free_all+0x4e/0x120
[ 47.435226][ T38] kasan_quarantine_reduce+0x195/0x1e0
[ 47.440730][ T38] __kasan_slab_alloc+0x4e/0x70
[ 47.445603][ T38] kmem_cache_alloc_node_noprof+0x14d/0x3a0
[ 47.451531][ T38] __alloc_skb+0x2b2/0x380
[ 47.455962][ T38] tcp_stream_alloc_skb+0x34/0x570
[ 47.461095][ T38] tcp_sendmsg_locked+0xebb/0x37e0
[ 47.466236][ T38] tcp_sendmsg+0x2e/0x50
[ 47.470500][ T38] inet_sendmsg+0xb9/0x140
[ 47.474943][ T38] sock_write_iter+0x4aa/0x5b0
[ 47.479723][ T38] vfs_write+0x5ba/0x1180
[ 47.484068][ T38] ksys_write+0x205/0x240
[ 47.488412][ T38] do_syscall_64+0xcd/0x260
[ 47.492931][ T38] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 47.498834][ T38]
[ 47.501156][ T38] Memory state around the buggy address:
[ 47.506793][ T38] ffff88811b4dd780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.514875][ T38] ffff88811b4dd800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.522945][ T38] >ffff88811b4dd880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.531096][ T38] ^
[ 47.535702][ T38] ffff88811b4dd900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.543784][ T38] ffff88811b4dd980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.551853][ T38] ==================================================================
[ 47.560383][ T38] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 47.567636][ T38] CPU: 1 UID: 0 PID: 38 Comm: kworker/1:1 Not tainted 6.15.0-rc6-syzkaller-00177-g882826f58b2c #0 PREEMPT(voluntary)
[ 47.580008][ T38] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 47.590112][ T38] Workqueue: usb_hub_wq hub_event
[ 47.595165][ T38] Call Trace:
[ 47.598562][ T38]
[ 47.601501][ T38] dump_stack_lvl+0x3d/0x1f0
[ 47.606123][ T38] panic+0x71c/0x800
[ 47.610046][ T38] ? __pfx_panic+0x10/0x10
[ 47.615096][ T38] ? irqentry_exit+0x3b/0x90
[ 47.619714][ T38] ? lockdep_hardirqs_on+0x7c/0x110
[ 47.624945][ T38] ? hdm_disconnect+0x227/0x250
[ 47.629816][ T38] ? check_panic_on_warn+0x1f/0xb0
[ 47.634963][ T38] ? hdm_disconnect+0x227/0x250
[ 47.639859][ T38] check_panic_on_warn+0xab/0xb0
[ 47.644832][ T38] end_report+0x107/0x170
[ 47.649217][ T38] kasan_report+0xee/0x110
[ 47.653655][ T38] ? hdm_disconnect+0x227/0x250
[ 47.658547][ T38] hdm_disconnect+0x227/0x250
[ 47.663287][ T38] usb_unbind_interface+0x1da/0x9a0
[ 47.668534][ T38] ? kernfs_remove_by_name_ns+0xbe/0x110
[ 47.674186][ T38] ? __pfx_usb_unbind_interface+0x10/0x10
[ 47.679942][ T38] device_remove+0x122/0x170
[ 47.684556][ T38] device_release_driver_internal+0x44b/0x620
[ 47.690645][ T38] bus_remove_device+0x22f/0x420
[ 47.695609][ T38] device_del+0x396/0x9f0
[ 47.699968][ T38] ? __pfx_device_del+0x10/0x10
[ 47.704843][ T38] ? __pfx___mutex_lock+0x10/0x10
[ 47.709884][ T38] ? __pfx___pm_runtime_barrier+0x10/0x10
[ 47.715627][ T38] ? do_raw_spin_lock+0x12c/0x2b0
[ 47.720693][ T38] usb_disable_device+0x355/0x7d0
[ 47.725734][ T38] ? lockdep_hardirqs_on+0x7c/0x110
[ 47.730975][ T38] usb_disconnect+0x2e1/0x920
[ 47.735669][ T38] hub_event+0x1aa0/0x5030
[ 47.740119][ T38] ? __lock_acquire+0xaa4/0x1ba0
[ 47.745075][ T38] ? __pfx_hub_event+0x10/0x10
[ 47.749859][ T38] ? debug_object_deactivate+0x1ec/0x3a0
[ 47.755564][ T38] ? rcu_is_watching+0x12/0xc0
[ 47.760346][ T38] process_one_work+0x9cc/0x1b70
[ 47.765334][ T38] ? __pfx_hub_event+0x10/0x10
[ 47.770124][ T38] ? __pfx_process_one_work+0x10/0x10
[ 47.775523][ T38] ? assign_work+0x1a0/0x250
[ 47.780145][ T38] worker_thread+0x6c8/0xf10
[ 47.784752][ T38] ? __kthread_parkme+0x19e/0x250
[ 47.789794][ T38] ? __pfx_worker_thread+0x10/0x10
[ 47.794920][ T38] kthread+0x3c2/0x780
[ 47.799023][ T38] ? __pfx_kthread+0x10/0x10
[ 47.803636][ T38] ? __pfx_kthread+0x10/0x10
[ 47.808247][ T38] ? __pfx_kthread+0x10/0x10
[ 47.812859][ T38] ? __pfx_kthread+0x10/0x10
[ 47.817477][ T38] ? rcu_is_watching+0x12/0xc0
[ 47.822334][ T38] ? __pfx_kthread+0x10/0x10
[ 47.826969][ T38] ret_from_fork+0x45/0x80
[ 47.831428][ T38] ? __pfx_kthread+0x10/0x10
[ 47.836052][ T38] ret_from_fork_asm+0x1a/0x30
[ 47.840843][ T38]
[ 47.844163][ T38] Kernel Offset: disabled
[ 47.848496][ T38] Rebooting in 86400 seconds..