Warning: Permanently added '10.128.0.171' (ED25519) to the list of known hosts.
executing program
[ 37.256193][ T29] audit: type=1400 audit(1730057952.234:80): avc: denied { execmem } for pid=2959 comm="syz-executor307" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 37.277838][ T29] audit: type=1400 audit(1730057952.244:81): avc: denied { read write } for pid=2960 comm="syz-executor307" name="raw-gadget" dev="devtmpfs" ino=236 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 37.301648][ T29] audit: type=1400 audit(1730057952.244:82): avc: denied { open } for pid=2960 comm="syz-executor307" path="/dev/raw-gadget" dev="devtmpfs" ino=236 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 37.325321][ T29] audit: type=1400 audit(1730057952.244:83): avc: denied { ioctl } for pid=2960 comm="syz-executor307" path="/dev/raw-gadget" dev="devtmpfs" ino=236 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 37.497656][ T41] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 37.649446][ T41] usb 1-1: config 0 has an invalid interface number: 8 but max is 0
[ 37.657574][ T41] usb 1-1: config 0 has no interface number 0
[ 37.663651][ T41] usb 1-1: config 0 interface 8 has no altsetting 0
[ 37.672393][ T41] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=e8.b6
[ 37.681463][ T41] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 37.689475][ T41] usb 1-1: Product: syz
[ 37.693642][ T41] usb 1-1: Manufacturer: syz
[ 37.698270][ T41] usb 1-1: SerialNumber: syz
[ 37.705061][ T41] usb 1-1: config 0 descriptor??
executing program
[ 37.922759][ T41] usb 1-1: USB disconnect, device number 2
[ 37.931252][ T41] ==================================================================
[ 37.939336][ T41] BUG: KASAN: slab-use-after-free in hdm_disconnect+0x227/0x250
[ 37.946991][ T41] Read of size 8 at addr ffff8881256d1890 by task kworker/1:1/41
[ 37.954690][ T41]
[ 37.957010][ T41] CPU: 1 UID: 0 PID: 41 Comm: kworker/1:1 Not tainted 6.12.0-rc4-syzkaller-00052-gc6d9e43954bf #0
[ 37.967593][ T41] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 37.977642][ T41] Workqueue: usb_hub_wq hub_event
[ 37.982674][ T41] Call Trace:
[ 37.985943][ T41] <TASK>
[ 37.988866][ T41] dump_stack_lvl+0x116/0x1f0
[ 37.993542][ T41] print_report+0xc3/0x620
[ 37.997954][ T41] ? __virt_addr_valid+0x5e/0x590
[ 38.002966][ T41] ? __phys_addr+0xc6/0x150
[ 38.007464][ T41] kasan_report+0xd9/0x110
[ 38.011887][ T41] ? hdm_disconnect+0x227/0x250
[ 38.016727][ T41] ? hdm_disconnect+0x227/0x250
[ 38.021572][ T41] hdm_disconnect+0x227/0x250
[ 38.026238][ T41] usb_unbind_interface+0x1e8/0x970
[ 38.031431][ T41] ? kernfs_find_ns+0x2ee/0x3f0
[ 38.036280][ T41] ? __pfx_usb_unbind_interface+0x10/0x10
[ 38.041996][ T41] device_remove+0x122/0x170
[ 38.046590][ T41] device_release_driver_internal+0x44a/0x610
[ 38.052672][ T41] bus_remove_device+0x22f/0x420
[ 38.057626][ T41] device_del+0x396/0x9f0
[ 38.061945][ T41] ? __pfx_device_del+0x10/0x10
[ 38.066781][ T41] ? __pfx___mutex_lock+0x10/0x10
[ 38.071799][ T41] usb_disable_device+0x36c/0x7f0
[ 38.076836][ T41] ? lockdep_hardirqs_on+0x7c/0x110
[ 38.082029][ T41] usb_disconnect+0x2e1/0x920
[ 38.086701][ T41] hub_event+0x1bed/0x4f40
[ 38.091119][ T41] ? lock_acquire+0x2f/0xb0
[ 38.095635][ T41] ? __pfx_hub_event+0x10/0x10
[ 38.100403][ T41] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 38.106037][ T41] ? rcu_is_watching+0x12/0xc0
[ 38.110789][ T41] ? trace_lock_acquire+0x14a/0x1d0
[ 38.115974][ T41] ? process_one_work+0x921/0x1ba0
[ 38.121084][ T41] ? lock_acquire+0x2f/0xb0
[ 38.125594][ T41] ? process_one_work+0x921/0x1ba0
[ 38.130701][ T41] process_one_work+0x9c5/0x1ba0
[ 38.135636][ T41] ? __pfx_hub_event+0x10/0x10
[ 38.140419][ T41] ? __pfx_process_one_work+0x10/0x10
[ 38.145786][ T41] ? assign_work+0x1a0/0x250
[ 38.150373][ T41] worker_thread+0x6c8/0xf00
[ 38.154963][ T41] ? __kthread_parkme+0x148/0x220
[ 38.159979][ T41] ? __pfx_worker_thread+0x10/0x10
[ 38.165084][ T41] kthread+0x2c1/0x3a0
[ 38.169140][ T41] ? _raw_spin_unlock_irq+0x23/0x50
[ 38.174334][ T41] ? __pfx_kthread+0x10/0x10
[ 38.178913][ T41] ret_from_fork+0x45/0x80
[ 38.183325][ T41] ? __pfx_kthread+0x10/0x10
[ 38.187906][ T41] ret_from_fork_asm+0x1a/0x30
[ 38.192670][ T41] </TASK>
[ 38.195671][ T41]
[ 38.197976][ T41] Allocated by task 41:
[ 38.202110][ T41] kasan_save_stack+0x33/0x60
[ 38.206781][ T41] kasan_save_track+0x14/0x30
[ 38.211450][ T41] __kasan_kmalloc+0x8f/0xa0
[ 38.216031][ T41] hdm_probe+0xb3/0x1880
[ 38.220272][ T41] usb_probe_interface+0x309/0x9d0
[ 38.225376][ T41] really_probe+0x23e/0xa90
[ 38.229865][ T41] __driver_probe_device+0x1de/0x440
[ 38.235138][ T41] driver_probe_device+0x4c/0x1b0
[ 38.240157][ T41] __device_attach_driver+0x1df/0x310
[ 38.245516][ T41] bus_for_each_drv+0x157/0x1e0
[ 38.250357][ T41] __device_attach+0x1e8/0x4b0
[ 38.255113][ T41] bus_probe_device+0x17f/0x1c0
[ 38.259959][ T41] device_add+0x114b/0x1a70
[ 38.264449][ T41] usb_set_configuration+0x10cb/0x1c50
[ 38.269901][ T41] usb_generic_driver_probe+0xb1/0x110
[ 38.275350][ T41] usb_probe_device+0xec/0x3e0
[ 38.280097][ T41] really_probe+0x23e/0xa90
[ 38.284586][ T41] __driver_probe_device+0x1de/0x440
[ 38.289883][ T41] driver_probe_device+0x4c/0x1b0
[ 38.294918][ T41] __device_attach_driver+0x1df/0x310
[ 38.300278][ T41] bus_for_each_drv+0x157/0x1e0
[ 38.305120][ T41] __device_attach+0x1e8/0x4b0
[ 38.309891][ T41] bus_probe_device+0x17f/0x1c0
[ 38.314753][ T41] device_add+0x114b/0x1a70
[ 38.319246][ T41] usb_new_device+0xd90/0x1a10
[ 38.324019][ T41] hub_event+0x2e58/0x4f40
[ 38.328432][ T41] process_one_work+0x9c5/0x1ba0
[ 38.333363][ T41] worker_thread+0x6c8/0xf00
[ 38.337946][ T41] kthread+0x2c1/0x3a0
[ 38.342001][ T41] ret_from_fork+0x45/0x80
[ 38.346409][ T41] ret_from_fork_asm+0x1a/0x30
[ 38.351173][ T41]
[ 38.353480][ T41] Freed by task 41:
[ 38.357264][ T41] kasan_save_stack+0x33/0x60
[ 38.361940][ T41] kasan_save_track+0x14/0x30
[ 38.366606][ T41] kasan_save_free_info+0x3b/0x60
[ 38.371620][ T41] __kasan_slab_free+0x37/0x50
[ 38.376375][ T41] kfree+0x130/0x480
[ 38.380275][ T41] device_release+0xa1/0x240
[ 38.384857][ T41] kobject_put+0x1e4/0x5a0
[ 38.389264][ T41] device_unregister+0x2f/0xc0
[ 38.394012][ T41] hdm_disconnect+0x10b/0x250
[ 38.398680][ T41] usb_unbind_interface+0x1e8/0x970
[ 38.403868][ T41] device_remove+0x122/0x170
[ 38.408442][ T41] device_release_driver_internal+0x44a/0x610
[ 38.414494][ T41] bus_remove_device+0x22f/0x420
[ 38.419439][ T41] device_del+0x396/0x9f0
[ 38.423752][ T41] usb_disable_device+0x36c/0x7f0
[ 38.428770][ T41] usb_disconnect+0x2e1/0x920
[ 38.433441][ T41] hub_event+0x1bed/0x4f40
[ 38.437851][ T41] process_one_work+0x9c5/0x1ba0
[ 38.442783][ T41] worker_thread+0x6c8/0xf00
[ 38.447380][ T41] kthread+0x2c1/0x3a0
[ 38.451438][ T41] ret_from_fork+0x45/0x80
[ 38.455845][ T41] ret_from_fork_asm+0x1a/0x30
[ 38.460597][ T41]
[ 38.462903][ T41] The buggy address belongs to the object at ffff8881256d0000
[ 38.462903][ T41] which belongs to the cache kmalloc-8k of size 8192
[ 38.476939][ T41] The buggy address is located 6288 bytes inside of
[ 38.476939][ T41] freed 8192-byte region [ffff8881256d0000, ffff8881256d2000)
[ 38.490896][ T41]
[ 38.493202][ T41] The buggy address belongs to the physical page:
[ 38.499599][ T41] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1256d0
[ 38.508432][ T41] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 38.516911][ T41] flags: 0x200000000000040(head|node=0|zone=2)
[ 38.523049][ T41] page_type: f5(slab)
[ 38.527021][ T41] raw: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 38.535591][ T41] raw: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
[ 38.544162][ T41] head: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 38.552818][ T41] head: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
[ 38.561474][ T41] head: 0200000000000003 ffffea000495b401 ffffffffffffffff 0000000000000000
[ 38.570134][ T41] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 38.578785][ T41] page dumped because: kasan: bad access detected
[ 38.585179][ T41] page_owner tracks the page as allocated
[ 38.590871][ T41] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 41, tgid 41 (kworker/1:1), ts 37917823491, free_ts 28843489482
[ 38.611782][ T41] post_alloc_hook+0x2d1/0x350
[ 38.616536][ T41] get_page_from_freelist+0xd5c/0x2630
[ 38.622002][ T41] __alloc_pages_noprof+0x221/0x2270
[ 38.627273][ T41] alloc_pages_mpol_noprof+0xeb/0x400
[ 38.632647][ T41] new_slab+0x2ba/0x3f0
[ 38.636788][ T41] ___slab_alloc+0xd45/0x1760
[ 38.641451][ T41] __slab_alloc.constprop.0+0x56/0xb0
[ 38.646813][ T41] __kmalloc_cache_noprof+0x27a/0x2c0
[ 38.652170][ T41] hdm_probe+0xb3/0x1880
[ 38.656402][ T41] usb_probe_interface+0x309/0x9d0
[ 38.661501][ T41] really_probe+0x23e/0xa90
[ 38.665990][ T41] __driver_probe_device+0x1de/0x440
[ 38.671263][ T41] driver_probe_device+0x4c/0x1b0
[ 38.676271][ T41] __device_attach_driver+0x1df/0x310
[ 38.681644][ T41] bus_for_each_drv+0x157/0x1e0
[ 38.686486][ T41] __device_attach+0x1e8/0x4b0
[ 38.691236][ T41] page last free pid 2946 tgid 2946 stack trace:
[ 38.697649][ T41] free_unref_page+0x58a/0xb50
[ 38.702398][ T41] __folio_put+0x1cd/0x250
[ 38.706804][ T41] anon_pipe_buf_release+0x36c/0x430
[ 38.712094][ T41] pipe_read+0x701/0x1020
[ 38.716409][ T41] vfs_read+0xa3b/0xbd0
[ 38.720556][ T41] ksys_read+0x1fa/0x260
[ 38.724787][ T41] do_syscall_64+0xcd/0x250
[ 38.729284][ T41] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 38.735168][ T41]
[ 38.737488][ T41] Memory state around the buggy address:
[ 38.743116][ T41] ffff8881256d1780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.751161][ T41] ffff8881256d1800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.759204][ T41] >ffff8881256d1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.767247][ T41]                          ^
[ 38.771814][ T41] ffff8881256d1900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.779858][ T41] ffff8881256d1980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.787901][ T41] ==================================================================
[ 38.796259][ T41] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 38.803463][ T41] CPU: 1 UID: 0 PID: 41 Comm: kworker/1:1 Not tainted 6.12.0-rc4-syzkaller-00052-gc6d9e43954bf #0
[ 38.814059][ T41] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 38.824103][ T41] Workqueue: usb_hub_wq hub_event
[ 38.829135][ T41] Call Trace:
[ 38.832401][ T41] <TASK>
[ 38.835323][ T41] dump_stack_lvl+0x3d/0x1f0
[ 38.839907][ T41] panic+0x71d/0x800
[ 38.843796][ T41] ? mark_held_locks+0x9f/0xe0
[ 38.848554][ T41] ? __pfx_panic+0x10/0x10
[ 38.852963][ T41] ? irqentry_exit+0x3b/0x90
[ 38.857545][ T41] ? lockdep_hardirqs_on+0x7c/0x110
[ 38.862738][ T41] ? check_panic_on_warn+0x1f/0xb0
[ 38.867843][ T41] check_panic_on_warn+0xab/0xb0
[ 38.872773][ T41] end_report+0x117/0x180
[ 38.877099][ T41] kasan_report+0xe9/0x110
[ 38.881512][ T41] ? hdm_disconnect+0x227/0x250
[ 38.886352][ T41] ? hdm_disconnect+0x227/0x250
[ 38.891195][ T41] hdm_disconnect+0x227/0x250
[ 38.895864][ T41] usb_unbind_interface+0x1e8/0x970
[ 38.901054][ T41] ? kernfs_find_ns+0x2ee/0x3f0
[ 38.905900][ T41] ? __pfx_usb_unbind_interface+0x10/0x10
[ 38.911608][ T41] device_remove+0x122/0x170
[ 38.916184][ T41] device_release_driver_internal+0x44a/0x610
[ 38.922242][ T41] bus_remove_device+0x22f/0x420
[ 38.927174][ T41] device_del+0x396/0x9f0
[ 38.931499][ T41] ? __pfx_device_del+0x10/0x10
[ 38.936339][ T41] ? __pfx___mutex_lock+0x10/0x10
[ 38.941361][ T41] usb_disable_device+0x36c/0x7f0
[ 38.946384][ T41] ? lockdep_hardirqs_on+0x7c/0x110
[ 38.951583][ T41] usb_disconnect+0x2e1/0x920
[ 38.956282][ T41] hub_event+0x1bed/0x4f40
[ 38.960703][ T41] ? lock_acquire+0x2f/0xb0
[ 38.965201][ T41] ? __pfx_hub_event+0x10/0x10
[ 38.969961][ T41] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 38.975586][ T41] ? rcu_is_watching+0x12/0xc0
[ 38.980338][ T41] ? trace_lock_acquire+0x14a/0x1d0
[ 38.985568][ T41] ? process_one_work+0x921/0x1ba0
[ 38.990685][ T41] ? lock_acquire+0x2f/0xb0
[ 38.995186][ T41] ? process_one_work+0x921/0x1ba0
[ 39.000292][ T41] process_one_work+0x9c5/0x1ba0
[ 39.005229][ T41] ? __pfx_hub_event+0x10/0x10
[ 39.010009][ T41] ? __pfx_process_one_work+0x10/0x10
[ 39.015380][ T41] ? assign_work+0x1a0/0x250
[ 39.019964][ T41] worker_thread+0x6c8/0xf00
[ 39.024561][ T41] ? __kthread_parkme+0x148/0x220
[ 39.029597][ T41] ? __pfx_worker_thread+0x10/0x10
[ 39.034705][ T41] kthread+0x2c1/0x3a0
[ 39.038762][ T41] ? _raw_spin_unlock_irq+0x23/0x50
[ 39.043950][ T41] ? __pfx_kthread+0x10/0x10
[ 39.048532][ T41] ret_from_fork+0x45/0x80
[ 39.052943][ T41] ? __pfx_kthread+0x10/0x10
[ 39.057531][ T41] ret_from_fork_asm+0x1a/0x30
[ 39.062294][ T41] </TASK>
[ 39.065567][ T41] Kernel Offset: disabled
[ 39.069898][ T41] Rebooting in 86400 seconds..