Warning: Permanently added '10.128.0.103' (ED25519) to the list of known hosts.
executing program
[ 42.470632][ T29] audit: type=1400 audit(1744227137.536:80): avc: denied { execmem } for pid=2946 comm="syz-executor183" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 42.490290][ T29] audit: type=1400 audit(1744227137.536:81): avc: denied { read write } for pid=2947 comm="syz-executor183" name="raw-gadget" dev="devtmpfs" ino=236 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 42.514153][ T29] audit: type=1400 audit(1744227137.536:82): avc: denied { open } for pid=2947 comm="syz-executor183" path="/dev/raw-gadget" dev="devtmpfs" ino=236 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 42.537881][ T29] audit: type=1400 audit(1744227137.536:83): avc: denied { ioctl } for pid=2947 comm="syz-executor183" path="/dev/raw-gadget" dev="devtmpfs" ino=236 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 42.716120][ T37] usb 1-1: new full-speed USB device number 2 using dummy_hcd
[ 42.867798][ T37] usb 1-1: not running at top speed; connect to a high speed hub
[ 42.876934][ T37] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 42.885038][ T37] usb 1-1: config 8 has no interface number 0
[ 42.891198][ T37] usb 1-1: config 8 interface 33 has no altsetting 0
[ 42.900008][ T37] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 42.909158][ T37] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 42.917183][ T37] usb 1-1: Product: syz
[ 42.921337][ T37] usb 1-1: Manufacturer: syz
[ 42.925967][ T37] usb 1-1: SerialNumber: syz
executing program
[ 43.156963][ T37] usb 1-1: USB disconnect, device number 2
[ 43.166599][ T37] ==================================================================
[ 43.174706][ T37] BUG: KASAN: slab-use-after-free in hdm_disconnect+0x227/0x250
[ 43.182382][ T37] Read of size 8 at addr ffff888120d95890 by task kworker/1:1/37
[ 43.190103][ T37]
[ 43.192444][ T37] CPU: 1 UID: 0 PID: 37 Comm: kworker/1:1 Not tainted 6.15.0-rc1-syzkaller #0 PREEMPT(voluntary)
[ 43.192471][ T37] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 43.192486][ T37] Workqueue: usb_hub_wq hub_event
[ 43.192518][ T37] Call Trace:
[ 43.192525][ T37] <TASK>
[ 43.192533][ T37] dump_stack_lvl+0x116/0x1f0
[ 43.192565][ T37] print_report+0xc3/0x670
[ 43.192588][ T37] ? __virt_addr_valid+0x5e/0x590
[ 43.192607][ T37] ? __phys_addr+0xc6/0x150
[ 43.192626][ T37] ? hdm_disconnect+0x227/0x250
[ 43.192656][ T37] kasan_report+0xe0/0x110
[ 43.192677][ T37] ? hdm_disconnect+0x227/0x250
[ 43.192711][ T37] hdm_disconnect+0x227/0x250
[ 43.192742][ T37] usb_unbind_interface+0x1da/0x9a0
[ 43.192770][ T37] ? kernfs_remove_by_name_ns+0xbe/0x110
[ 43.192796][ T37] ? __pfx_usb_unbind_interface+0x10/0x10
[ 43.192823][ T37] device_remove+0x122/0x170
[ 43.192852][ T37] device_release_driver_internal+0x44b/0x620
[ 43.192887][ T37] bus_remove_device+0x22f/0x420
[ 43.192914][ T37] device_del+0x396/0x9f0
[ 43.192944][ T37] ? __pfx_device_del+0x10/0x10
[ 43.192972][ T37] ? __pfx___mutex_lock+0x10/0x10
[ 43.192994][ T37] ? __pfx___pm_runtime_barrier+0x10/0x10
[ 43.193023][ T37] ? do_raw_spin_lock+0x12c/0x2b0
[ 43.193055][ T37] usb_disable_device+0x355/0x7d0
[ 43.193077][ T37] ? lockdep_hardirqs_on+0x7c/0x110
[ 43.193101][ T37] usb_disconnect+0x2e1/0x920
[ 43.193124][ T37] hub_event+0x1aa0/0x5030
[ 43.193158][ T37] ? __lock_acquire+0xaa4/0x1ba0
[ 43.193185][ T37] ? __pfx_hub_event+0x10/0x10
[ 43.193207][ T37] ? debug_object_deactivate+0x1ec/0x3a0
[ 43.193241][ T37] ? rcu_is_watching+0x12/0xc0
[ 43.193276][ T37] process_one_work+0x9cc/0x1b70
[ 43.193313][ T37] ? __pfx_hub_event+0x10/0x10
[ 43.193335][ T37] ? __pfx_process_one_work+0x10/0x10
[ 43.193376][ T37] ? assign_work+0x1a0/0x250
[ 43.193406][ T37] worker_thread+0x6c8/0xf10
[ 43.193443][ T37] ? __kthread_parkme+0x19e/0x250
[ 43.193468][ T37] ? __pfx_worker_thread+0x10/0x10
[ 43.193501][ T37] kthread+0x3c2/0x780
[ 43.193530][ T37] ? __pfx_kthread+0x10/0x10
[ 43.193558][ T37] ? __pfx_kthread+0x10/0x10
[ 43.193586][ T37] ? __pfx_kthread+0x10/0x10
[ 43.193614][ T37] ? __pfx_kthread+0x10/0x10
[ 43.193642][ T37] ? rcu_is_watching+0x12/0xc0
[ 43.193675][ T37] ? __pfx_kthread+0x10/0x10
[ 43.193704][ T37] ret_from_fork+0x45/0x80
[ 43.193732][ T37] ? __pfx_kthread+0x10/0x10
[ 43.193761][ T37] ret_from_fork_asm+0x1a/0x30
[ 43.193791][ T37] </TASK>
[ 43.193798][ T37]
[ 43.444390][ T37] Allocated by task 37:
[ 43.448543][ T37] kasan_save_stack+0x33/0x60
[ 43.453259][ T37] kasan_save_track+0x14/0x30
[ 43.457937][ T37] __kasan_kmalloc+0x8f/0xa0
[ 43.462551][ T37] hdm_probe+0xb3/0x19a0
[ 43.466845][ T37] usb_probe_interface+0x300/0x9c0
[ 43.471963][ T37] really_probe+0x23e/0xa90
[ 43.476515][ T37] __driver_probe_device+0x1de/0x440
[ 43.481829][ T37] driver_probe_device+0x4c/0x1b0
[ 43.486879][ T37] __device_attach_driver+0x1df/0x310
[ 43.492321][ T37] bus_for_each_drv+0x156/0x1e0
[ 43.497211][ T37] __device_attach+0x1e4/0x4b0
[ 43.501990][ T37] bus_probe_device+0x17f/0x1c0
[ 43.506854][ T37] device_add+0x1148/0x1a70
[ 43.511371][ T37] usb_set_configuration+0x1187/0x1e20
[ 43.516836][ T37] usb_generic_driver_probe+0xb1/0x110
[ 43.522325][ T37] usb_probe_device+0xec/0x3e0
[ 43.527094][ T37] really_probe+0x23e/0xa90
[ 43.531608][ T37] __driver_probe_device+0x1de/0x440
[ 43.536905][ T37] driver_probe_device+0x4c/0x1b0
[ 43.541943][ T37] __device_attach_driver+0x1df/0x310
[ 43.547328][ T37] bus_for_each_drv+0x156/0x1e0
[ 43.552194][ T37] __device_attach+0x1e4/0x4b0
[ 43.556989][ T37] bus_probe_device+0x17f/0x1c0
[ 43.561860][ T37] device_add+0x1148/0x1a70
[ 43.566365][ T37] usb_new_device+0xd07/0x1a20
[ 43.571130][ T37] hub_event+0x2f85/0x5030
[ 43.575574][ T37] process_one_work+0x9cc/0x1b70
[ 43.580526][ T37] worker_thread+0x6c8/0xf10
[ 43.585128][ T37] kthread+0x3c2/0x780
[ 43.589209][ T37] ret_from_fork+0x45/0x80
[ 43.593634][ T37] ret_from_fork_asm+0x1a/0x30
[ 43.598408][ T37]
[ 43.600730][ T37] Freed by task 37:
[ 43.604536][ T37] kasan_save_stack+0x33/0x60
[ 43.609235][ T37] kasan_save_track+0x14/0x30
[ 43.613924][ T37] kasan_save_free_info+0x3b/0x60
[ 43.618956][ T37] __kasan_slab_free+0x37/0x50
[ 43.623722][ T37] kfree+0x286/0x470
[ 43.627619][ T37] device_release+0xa1/0x240
[ 43.632228][ T37] kobject_put+0x1e4/0x5a0
[ 43.636657][ T37] device_unregister+0x2f/0xc0
[ 43.641431][ T37] hdm_disconnect+0x10b/0x250
[ 43.646130][ T37] usb_unbind_interface+0x1da/0x9a0
[ 43.651338][ T37] device_remove+0x122/0x170
[ 43.655946][ T37] device_release_driver_internal+0x44b/0x620
[ 43.662061][ T37] bus_remove_device+0x22f/0x420
[ 43.667023][ T37] device_del+0x396/0x9f0
[ 43.671362][ T37] usb_disable_device+0x355/0x7d0
[ 43.676388][ T37] usb_disconnect+0x2e1/0x920
[ 43.681066][ T37] hub_event+0x1aa0/0x5030
[ 43.685487][ T37] process_one_work+0x9cc/0x1b70
[ 43.690438][ T37] worker_thread+0x6c8/0xf10
[ 43.695043][ T37] kthread+0x3c2/0x780
[ 43.699122][ T37] ret_from_fork+0x45/0x80
[ 43.703546][ T37] ret_from_fork_asm+0x1a/0x30
[ 43.708312][ T37]
[ 43.710632][ T37] The buggy address belongs to the object at ffff888120d94000
[ 43.710632][ T37] which belongs to the cache kmalloc-8k of size 8192
[ 43.724691][ T37] The buggy address is located 6288 bytes inside of
[ 43.724691][ T37] freed 8192-byte region [ffff888120d94000, ffff888120d96000)
[ 43.738666][ T37]
[ 43.740992][ T37] The buggy address belongs to the physical page:
[ 43.747422][ T37] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x120d90
[ 43.756275][ T37] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 43.764774][ T37] flags: 0x200000000000040(head|node=0|zone=2)
[ 43.770939][ T37] page_type: f5(slab)
[ 43.774927][ T37] raw: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 43.783518][ T37] raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
[ 43.792109][ T37] head: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 43.800785][ T37] head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
[ 43.809482][ T37] head: 0200000000000003 ffffea0004836401 00000000ffffffff 00000000ffffffff
[ 43.818157][ T37] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
[ 43.826839][ T37] page dumped because: kasan: bad access detected
[ 43.833245][ T37] page_owner tracks the page as allocated
[ 43.838956][ T37] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 2947, tgid 2947 (syz-executor183), ts 42475231280, free_ts 36723184790
[ 43.858520][ T37] post_alloc_hook+0x181/0x1b0
[ 43.863291][ T37] get_page_from_freelist+0x10ca/0x2fd0
[ 43.868843][ T37] __alloc_frozen_pages_noprof+0x25c/0x2160
[ 43.874742][ T37] alloc_pages_mpol+0xe4/0x410
[ 43.879511][ T37] new_slab+0x23c/0x330
[ 43.883671][ T37] ___slab_alloc+0xda5/0x1940
[ 43.888354][ T37] __slab_alloc.constprop.0+0x56/0xb0
[ 43.893750][ T37] __kmalloc_cache_noprof+0x209/0x3c0
[ 43.899130][ T37] audit_log_d_path+0xe7/0x200
[ 43.903895][ T37] audit_log_lsm_data+0x1085/0x1fe0
[ 43.909104][ T37] common_lsm_audit+0x238/0x300
[ 43.913981][ T37] slow_avc_audit+0x186/0x210
[ 43.918679][ T37] avc_has_extended_perms+0xa40/0x1090
[ 43.924165][ T37] ioctl_has_perm.constprop.0.isra.0+0x2f4/0x450
[ 43.930502][ T37] selinux_file_ioctl+0x180/0x270
[ 43.935530][ T37] security_file_ioctl+0x48/0x90
[ 43.940498][ T37] page last free pid 2941 tgid 2941 stack trace:
[ 43.946820][ T37] __free_frozen_pages+0x66c/0xe70
[ 43.951935][ T37] __folio_put+0x1e7/0x2d0
[ 43.956358][ T37] skb_release_data+0x618/0x960
[ 43.961219][ T37] napi_consume_skb+0x15a/0x220
[ 43.966071][ T37] net_rx_action+0x480/0x1010
[ 43.970752][ T37] handle_softirqs+0x205/0x8d0
[ 43.975514][ T37] __irq_exit_rcu+0xfa/0x160
[ 43.980291][ T37] irq_exit_rcu+0x9/0x30
[ 43.984543][ T37] common_interrupt+0xab/0xd0
[ 43.989233][ T37] asm_common_interrupt+0x26/0x40
[ 43.994287][ T37]
[ 43.996625][ T37] Memory state around the buggy address:
[ 44.002262][ T37]  ffff888120d95780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.010332][ T37]  ffff888120d95800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.018400][ T37] >ffff888120d95880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.026472][ T37]                          ^
[ 44.031075][ T37]  ffff888120d95900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.039139][ T37]  ffff888120d95980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.047198][ T37] ==================================================================
[ 44.055626][ T37] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 44.062860][ T37] CPU: 1 UID: 0 PID: 37 Comm: kworker/1:1 Not tainted 6.15.0-rc1-syzkaller #0 PREEMPT(voluntary)
[ 44.073486][ T37] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 44.083572][ T37] Workqueue: usb_hub_wq hub_event
[ 44.088624][ T37] Call Trace:
[ 44.091911][ T37] <TASK>
[ 44.094872][ T37] dump_stack_lvl+0x3d/0x1f0
[ 44.099485][ T37] panic+0x71c/0x800
[ 44.103432][ T37] ? __pfx_panic+0x10/0x10
[ 44.107863][ T37] ? irqentry_exit+0x3b/0x90
[ 44.112459][ T37] ? lockdep_hardirqs_on+0x7c/0x110
[ 44.117684][ T37] ? hdm_disconnect+0x227/0x250
[ 44.122554][ T37] ? check_panic_on_warn+0x1f/0xb0
[ 44.127681][ T37] ? hdm_disconnect+0x227/0x250
[ 44.132547][ T37] check_panic_on_warn+0xab/0xb0
[ 44.137503][ T37] end_report+0x107/0x170
[ 44.141853][ T37] kasan_report+0xee/0x110
[ 44.146288][ T37] ? hdm_disconnect+0x227/0x250
[ 44.151167][ T37] hdm_disconnect+0x227/0x250
[ 44.155871][ T37] usb_unbind_interface+0x1da/0x9a0
[ 44.161106][ T37] ? kernfs_remove_by_name_ns+0xbe/0x110
[ 44.166757][ T37] ? __pfx_usb_unbind_interface+0x10/0x10
[ 44.172488][ T37] device_remove+0x122/0x170
[ 44.177092][ T37] device_release_driver_internal+0x44b/0x620
[ 44.183197][ T37] bus_remove_device+0x22f/0x420
[ 44.188149][ T37] device_del+0x396/0x9f0
[ 44.192516][ T37] ? __pfx_device_del+0x10/0x10
[ 44.197382][ T37] ? __pfx___mutex_lock+0x10/0x10
[ 44.202429][ T37] ? __pfx___pm_runtime_barrier+0x10/0x10
[ 44.208183][ T37] ? do_raw_spin_lock+0x12c/0x2b0
[ 44.213244][ T37] usb_disable_device+0x355/0x7d0
[ 44.218277][ T37] ? lockdep_hardirqs_on+0x7c/0x110
[ 44.223498][ T37] usb_disconnect+0x2e1/0x920
[ 44.228182][ T37] hub_event+0x1aa0/0x5030
[ 44.232610][ T37] ? __lock_acquire+0xaa4/0x1ba0
[ 44.237603][ T37] ? __pfx_hub_event+0x10/0x10
[ 44.242380][ T37] ? debug_object_deactivate+0x1ec/0x3a0
[ 44.248039][ T37] ? rcu_is_watching+0x12/0xc0
[ 44.252829][ T37] process_one_work+0x9cc/0x1b70
[ 44.257815][ T37] ? __pfx_hub_event+0x10/0x10
[ 44.262599][ T37] ? __pfx_process_one_work+0x10/0x10
[ 44.267997][ T37] ? assign_work+0x1a0/0x250
[ 44.272606][ T37] worker_thread+0x6c8/0xf10
[ 44.277223][ T37] ? __kthread_parkme+0x19e/0x250
[ 44.282257][ T37] ? __pfx_worker_thread+0x10/0x10
[ 44.287385][ T37] kthread+0x3c2/0x780
[ 44.291468][ T37] ? __pfx_kthread+0x10/0x10
[ 44.296073][ T37] ? __pfx_kthread+0x10/0x10
[ 44.300680][ T37] ? __pfx_kthread+0x10/0x10
[ 44.305308][ T37] ? __pfx_kthread+0x10/0x10
[ 44.309915][ T37] ? rcu_is_watching+0x12/0xc0
[ 44.314713][ T37] ? __pfx_kthread+0x10/0x10
[ 44.319349][ T37] ret_from_fork+0x45/0x80
[ 44.323784][ T37] ? __pfx_kthread+0x10/0x10
[ 44.328390][ T37] ret_from_fork_asm+0x1a/0x30
[ 44.333174][ T37] </TASK>
[ 44.336548][ T37] Kernel Offset: disabled
[ 44.340880][ T37] Rebooting in 86400 seconds..