Warning: Permanently added '10.128.0.86' (ED25519) to the list of known hosts.
executing program
[   44.187139][   T29] audit: type=1400 audit(1721937383.736:80): avc:  denied  { execmem } for  pid=2647 comm="syz-executor777" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   44.217290][   T29] audit: type=1400 audit(1721937383.736:81): avc:  denied  { read write } for  pid=2648 comm="syz-executor777" name="raw-gadget" dev="devtmpfs" ino=140 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   44.241158][   T29] audit: type=1400 audit(1721937383.736:82): avc:  denied  { open } for  pid=2648 comm="syz-executor777" path="/dev/raw-gadget" dev="devtmpfs" ino=140 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   44.264904][   T29] audit: type=1400 audit(1721937383.736:83): avc:  denied  { ioctl } for  pid=2648 comm="syz-executor777" path="/dev/raw-gadget" dev="devtmpfs" ino=140 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   44.456958][  T800] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   44.636906][  T800] usb 1-1: Using ep0 maxpacket: 16
[   44.644030][  T800] usb 1-1: unable to get BOS descriptor or descriptor too short
[   44.653276][  T800] usb 1-1: config 15 has an invalid interface number: 79 but max is 1
[   44.661568][  T800] usb 1-1: config 15 contains an unexpected descriptor of type 0x1, skipping
[   44.670366][  T800] usb 1-1: config 15 has 1 interface, different from the descriptor's value: 2
[   44.679345][  T800] usb 1-1: config 15 has no interface number 0
[   44.685520][  T800] usb 1-1: config 15 interface 79 altsetting 9 endpoint 0x1 has invalid maxpacket 9228, setting to 1024
[   44.696680][  T800] usb 1-1: config 15 interface 79 has no altsetting 0
[   44.706083][  T800] usb 1-1: string descriptor 0 read error: -22
[   44.712467][  T800] usb 1-1: New USB device found, idVendor=0bda, idProduct=d82b, bcdDevice=7f.9d
[   44.721622][  T800] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   44.733692][ T2648] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22
[   44.745873][  T800] rtw_8822cu 1-1:15.79: invalid number of endpoints 0
[   44.752775][  T800] rtw_8822cu 1-1:15.79: failed to init USB interface
[   44.793851][   T24] rtw_8822cu 1-1:15.79: Direct firmware load for rtw88/rtw8822c_wow_fw.bin failed with error -2
[   44.804706][   T41] rtw_8822cu 1-1:15.79: Direct firmware load for rtw88/rtw8822c_fw.bin failed with error -2
[   44.814906][   T24] rtw_8822cu 1-1:15.79: failed to request firmware
[   44.821582][   T41] rtw_8822cu 1-1:15.79: failed to request firmware
[   44.831689][  T800] rtw_8822cu 1-1:15.79: probe with driver rtw_8822cu failed with error -22
executing program
[   44.944414][  T800] usb 1-1: USB disconnect, device number 2
[   45.366949][  T800] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[   45.546873][  T800] usb 1-1: Using ep0 maxpacket: 16
[   45.553967][  T800] usb 1-1: unable to get BOS descriptor or descriptor too short
[   45.562999][  T800] usb 1-1: config 15 has an invalid interface number: 79 but max is 1
[   45.571233][  T800] usb 1-1: config 15 contains an unexpected descriptor of type 0x1, skipping
[   45.580054][  T800] usb 1-1: config 15 has 1 interface, different from the descriptor's value: 2
[   45.589054][  T800] usb 1-1: config 15 has no interface number 0
[   45.595235][  T800] usb 1-1: config 15 interface 79 altsetting 9 endpoint 0x1 has invalid maxpacket 9228, setting to 1024
[   45.606401][  T800] usb 1-1: config 15 interface 79 has no altsetting 0
[   45.616073][  T800] usb 1-1: string descriptor 0 read error: -22
[   45.622597][  T800] usb 1-1: New USB device found, idVendor=0bda, idProduct=d82b, bcdDevice=7f.9d
[   45.631679][  T800] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   45.642103][ T2654] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22
[   45.652089][  T800] rtw_8822cu 1-1:15.79: invalid number of endpoints 0
[   45.658934][  T800] rtw_8822cu 1-1:15.79: failed to init USB interface
[   45.666251][   T41] rtw_8822cu 1-1:15.79: Direct firmware load for rtw88/rtw8822c_fw.bin failed with error -2
[   45.677098][   T24] rtw_8822cu 1-1:15.79: Direct firmware load for rtw88/rtw8822c_wow_fw.bin failed with error -2
[   45.687690][   T41] rtw_8822cu 1-1:15.79: failed to request firmware
[   45.694847][  T800] rtw_8822cu 1-1:15.79: probe with driver rtw_8822cu failed with error -22
[   45.703870][   T24] ==================================================================
[   45.711950][   T24] BUG: KASAN: use-after-free in rtw_load_firmware_cb+0x917/0x9f0
[   45.719677][   T24] Read of size 8 at addr ffff888113218bc0 by task kworker/1:0/24
[   45.727378][   T24] 
[   45.729698][   T24] CPU: 1 UID: 0 PID: 24 Comm: kworker/1:0 Not tainted 6.10.0-syzkaller-g933069701c1b #0
[   45.739400][   T24] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[   45.749449][   T24] Workqueue: events request_firmware_work_func
[   45.755605][   T24] Call Trace:
[   45.758889][   T24]  <TASK>
[   45.761807][   T24]  dump_stack_lvl+0x116/0x1f0
[   45.766486][   T24]  print_report+0xc3/0x620
[   45.770892][   T24]  ? __virt_addr_valid+0x5e/0x590
[   45.775901][   T24]  ? __phys_addr+0xc6/0x150
[   45.780389][   T24]  kasan_report+0xd9/0x110
[   45.784795][   T24]  ? rtw_load_firmware_cb+0x917/0x9f0
[   45.790155][   T24]  ? rtw_load_firmware_cb+0x917/0x9f0
[   45.795524][   T24]  ? __pfx_rtw_load_firmware_cb+0x10/0x10
[   45.801231][   T24]  rtw_load_firmware_cb+0x917/0x9f0
[   45.806417][   T24]  ? __pfx_rtw_load_firmware_cb+0x10/0x10
[   45.812133][   T24]  request_firmware_work_func+0x13a/0x250
[   45.817844][   T24]  ? __pfx_request_firmware_work_func+0x10/0x10
[   45.824083][   T24]  process_one_work+0x9c5/0x1b40
[   45.829097][   T24]  ? __pfx_lock_acquire+0x10/0x10
[   45.834107][   T24]  ? __pfx_process_one_work+0x10/0x10
[   45.839466][   T24]  ? assign_work+0x1a0/0x250
executing program
[   45.844055][   T24]  worker_thread+0x6c8/0xf20
[   45.848654][   T24]  ? __pfx_worker_thread+0x10/0x10
[   45.853770][   T24]  kthread+0x2c1/0x3a0
[   45.857878][   T24]  ? _raw_spin_unlock_irq+0x23/0x50
[   45.863112][   T24]  ? __pfx_kthread+0x10/0x10
[   45.867733][   T24]  ret_from_fork+0x45/0x80
[   45.872178][   T24]  ? __pfx_kthread+0x10/0x10
[   45.876812][   T24]  ret_from_fork_asm+0x1a/0x30
[   45.881679][   T24]  </TASK>
[   45.884686][   T24] 
[   45.887001][   T24] The buggy address belongs to the physical page:
[   45.893396][   T24] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88811321e000 pfn:0x113218
[   45.903535][   T24] flags: 0x200000000000000(node=0|zone=2)
[   45.909291][   T24] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[   45.917864][   T24] raw: ffff88811321e000 0000000000000000 00000000ffffffff 0000000000000000
[   45.926431][   T24] page dumped because: kasan: bad access detected
[   45.932842][   T24] page_owner tracks the page as freed
[   45.938209][   T24] page last allocated via order 4, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 800, tgid 800 (kworker/1:2), ts 45650744583, free_ts 45694748540
[   45.955825][   T24]  post_alloc_hook+0x2d1/0x350
[   45.960589][   T24]  get_page_from_freelist+0x1311/0x25f0
[   45.966136][   T24]  __alloc_pages_noprof+0x21e/0x2290
[   45.971428][   T24]  ___kmalloc_large_node+0x7f/0x1a0
[   45.976615][   T24]  __kmalloc_large_node_noprof+0x1c/0x70
[   45.982241][   T24]  __kmalloc_noprof.cold+0xc/0x61
[   45.987253][   T24]  wiphy_new_nm+0x701/0x2120
[   45.991826][   T24]  ieee80211_alloc_hw_nm+0x1b7a/0x2260
[   45.997286][   T24]  rtw_usb_probe+0x32/0x1d80
[   46.001895][   T24]  usb_probe_interface+0x309/0x9d0
[   46.007007][   T24]  really_probe+0x23e/0xa90
[   46.011505][   T24]  __driver_probe_device+0x1de/0x440
[   46.016782][   T24]  driver_probe_device+0x4c/0x1b0
[   46.021799][   T24]  __device_attach_driver+0x1df/0x310
[   46.027180][   T24]  bus_for_each_drv+0x157/0x1e0
[   46.032016][   T24]  __device_attach+0x1e8/0x4b0
[   46.036768][   T24] page last free pid 800 tgid 800 stack trace:
[   46.042900][   T24]  __free_pages_ok+0x5c1/0xba0
[   46.047654][   T24]  __folio_put+0x1dc/0x260
[   46.052053][   T24]  device_release+0xa1/0x240
[   46.056625][   T24]  kobject_put+0x1fa/0x5b0
[   46.061033][   T24]  put_device+0x1f/0x30
[   46.065171][   T24]  rtw_usb_probe+0x7a4/0x1d80
[   46.069834][   T24]  usb_probe_interface+0x309/0x9d0
[   46.074931][   T24]  really_probe+0x23e/0xa90
[   46.079423][   T24]  __driver_probe_device+0x1de/0x440
[   46.084693][   T24]  driver_probe_device+0x4c/0x1b0
[   46.089708][   T24]  __device_attach_driver+0x1df/0x310
[   46.095082][   T24]  bus_for_each_drv+0x157/0x1e0
[   46.099936][   T24]  __device_attach+0x1e8/0x4b0
[   46.104705][   T24]  bus_probe_device+0x17f/0x1c0
[   46.109595][   T24]  device_add+0x114b/0x1a70
[   46.114093][   T24]  usb_set_configuration+0x10cb/0x1c50
[   46.119547][   T24] 
[   46.121856][   T24] Memory state around the buggy address:
[   46.127466][   T24]  ffff888113218a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   46.135511][   T24]  ffff888113218b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   46.143557][   T24] >ffff888113218b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   46.151606][   T24]                                            ^
[   46.157742][   T24]  ffff888113218c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   46.165811][   T24]  ffff888113218c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   46.173874][   T24] ==================================================================
[   46.182068][   T24] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   46.189275][   T24] CPU: 1 UID: 0 PID: 24 Comm: kworker/1:0 Not tainted 6.10.0-syzkaller-g933069701c1b #0
[   46.199009][   T24] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[   46.209055][   T24] Workqueue: events request_firmware_work_func
[   46.215203][   T24] Call Trace:
[   46.218467][   T24]  <TASK>
[   46.221384][   T24]  dump_stack_lvl+0x3d/0x1f0
[   46.225968][   T24]  panic+0x6f5/0x7a0
[   46.229857][   T24]  ? __pfx_panic+0x10/0x10
[   46.234264][   T24]  ? check_panic_on_warn+0x1f/0xb0
[   46.239366][   T24]  check_panic_on_warn+0xab/0xb0
[   46.244292][   T24]  end_report+0x117/0x180
[   46.248608][   T24]  kasan_report+0xe9/0x110
[   46.253101][   T24]  ? rtw_load_firmware_cb+0x917/0x9f0
[   46.258466][   T24]  ? rtw_load_firmware_cb+0x917/0x9f0
[   46.263912][   T24]  ? __pfx_rtw_load_firmware_cb+0x10/0x10
[   46.269617][   T24]  rtw_load_firmware_cb+0x917/0x9f0
[   46.274800][   T24]  ? __pfx_rtw_load_firmware_cb+0x10/0x10
[   46.280505][   T24]  request_firmware_work_func+0x13a/0x250
[   46.286214][   T24]  ? __pfx_request_firmware_work_func+0x10/0x10
[   46.292461][   T24]  process_one_work+0x9c5/0x1b40
[   46.297398][   T24]  ? __pfx_lock_acquire+0x10/0x10
[   46.302500][   T24]  ? __pfx_process_one_work+0x10/0x10
[   46.307863][   T24]  ? assign_work+0x1a0/0x250
[   46.312445][   T24]  worker_thread+0x6c8/0xf20
[   46.317026][   T24]  ? __pfx_worker_thread+0x10/0x10
[   46.322125][   T24]  kthread+0x2c1/0x3a0
[   46.326186][   T24]  ? _raw_spin_unlock_irq+0x23/0x50
[   46.331374][   T24]  ? __pfx_kthread+0x10/0x10
[   46.336038][   T24]  ret_from_fork+0x45/0x80
[   46.340451][   T24]  ? __pfx_kthread+0x10/0x10
[   46.345032][   T24]  ret_from_fork_asm+0x1a/0x30
[   46.349796][   T24]  </TASK>
[   46.353098][   T24] Kernel Offset: disabled
[   46.357411][   T24] Rebooting in 86400 seconds..