Warning: Permanently added '10.128.1.3' (ED25519) to the list of known hosts.
executing program
[ 37.734224][ T29] audit: type=1400 audit(1721929125.566:80): avc: denied { execmem } for pid=2644 comm="syz-executor188" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 37.757917][ T29] audit: type=1400 audit(1721929125.566:81): avc: denied { read write } for pid=2645 comm="syz-executor188" name="raw-gadget" dev="devtmpfs" ino=140 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 37.782105][ T29] audit: type=1400 audit(1721929125.566:82): avc: denied { open } for pid=2645 comm="syz-executor188" path="/dev/raw-gadget" dev="devtmpfs" ino=140 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 37.805957][ T29] audit: type=1400 audit(1721929125.566:83): avc: denied { ioctl } for pid=2645 comm="syz-executor188" path="/dev/raw-gadget" dev="devtmpfs" ino=140 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 38.011427][ T41] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 38.191330][ T41] usb 1-1: Using ep0 maxpacket: 8
[ 38.198665][ T41] usb 1-1: unable to get BOS descriptor or descriptor too short
[ 38.208033][ T41] usb 1-1: config 0 has an invalid interface number: 199 but max is 3
[ 38.216362][ T41] usb 1-1: config 0 has an invalid interface descriptor of length 2, skipping
[ 38.225280][ T41] usb 1-1: config 0 has an invalid interface number: 54 but max is 3
[ 38.233386][ T41] usb 1-1: config 0 contains an unexpected descriptor of type 0x2, skipping
[ 38.242097][ T41] usb 1-1: config 0 has an invalid interface number: 108 but max is 3
[ 38.250265][ T41] usb 1-1: config 0 contains an unexpected descriptor of type 0x1, skipping
[ 38.258975][ T41] usb 1-1: config 0 has no interface number 1
[ 38.265080][ T41] usb 1-1: config 0 has no interface number 2
[ 38.271196][ T41] usb 1-1: config 0 has no interface number 3
[ 38.277338][ T41] usb 1-1: config 0 interface 199 altsetting 14 endpoint 0xC has invalid wMaxPacketSize 0
[ 38.287374][ T41] usb 1-1: config 0 interface 199 altsetting 14 bulk endpoint 0x8 has invalid maxpacket 32
[ 38.297408][ T41] usb 1-1: config 0 interface 199 altsetting 14 endpoint 0x9 has invalid maxpacket 959, setting to 64
[ 38.308431][ T41] usb 1-1: config 0 interface 199 altsetting 14 has a duplicate endpoint with address 0xA, skipping
[ 38.319273][ T41] usb 1-1: config 0 interface 199 altsetting 14 has an invalid descriptor for endpoint zero, skipping
[ 38.330462][ T41] usb 1-1: config 0 interface 199 altsetting 14 has a duplicate endpoint with address 0x8, skipping
[ 38.341368][ T41] usb 1-1: config 0 interface 199 altsetting 14 has a duplicate endpoint with address 0x9, skipping
[ 38.352265][ T41] usb 1-1: config 0 interface 199 altsetting 14 has an invalid descriptor for endpoint zero, skipping
[ 38.363239][ T41] usb 1-1: config 0 interface 199 altsetting 14 endpoint 0xE has invalid maxpacket 443, setting to 64
[ 38.374208][ T41] usb 1-1: config 0 interface 199 altsetting 14 has a duplicate endpoint with address 0x8, skipping
[ 38.385034][ T41] usb 1-1: config 0 interface 199 altsetting 14 has an invalid descriptor for endpoint zero, skipping
[ 38.396072][ T41] usb 1-1: config 0 interface 199 altsetting 14 has 13 endpoint descriptors, different from the interface descriptor's value: 15
[ 38.409494][ T41] usb 1-1: config 0 interface 0 altsetting 1 has a duplicate endpoint with address 0x3, skipping
[ 38.420146][ T41] usb 1-1: config 0 interface 0 altsetting 1 has a duplicate endpoint with address 0x8, skipping
[ 38.430753][ T41] usb 1-1: config 0 interface 0 altsetting 1 has a duplicate endpoint with address 0xE, skipping
[ 38.441343][ T41] usb 1-1: config 0 interface 0 altsetting 1 has a duplicate endpoint with address 0x7, skipping
[ 38.451884][ T41] usb 1-1: config 0 interface 0 altsetting 1 has a duplicate endpoint with address 0xD, skipping
[ 38.462424][ T41] usb 1-1: config 0 interface 0 altsetting 1 has an invalid endpoint descriptor of length 2, skipping
[ 38.473424][ T41] usb 1-1: config 0 interface 0 altsetting 1 endpoint 0xF has invalid maxpacket 1024, setting to 64
[ 38.484224][ T41] usb 1-1: config 0 interface 0 altsetting 1 has 12 endpoint descriptors, different from the interface descriptor's value: 11
[ 38.497303][ T41] usb 1-1: config 0 interface 54 altsetting 10 has an invalid descriptor for endpoint zero, skipping
[ 38.508488][ T41] usb 1-1: config 0 interface 54 altsetting 10 has a duplicate endpoint with address 0xF, skipping
[ 38.519203][ T41] usb 1-1: config 0 interface 54 altsetting 10 has a duplicate endpoint with address 0xC, skipping
[ 38.529945][ T41] usb 1-1: config 0 interface 54 altsetting 10 has an invalid descriptor for endpoint zero, skipping
[ 38.540838][ T41] usb 1-1: config 0 interface 54 altsetting 10 has a duplicate endpoint with address 0xF, skipping
[ 38.551841][ T41] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0x1, skipping
[ 38.562562][ T41] usb 1-1: config 0 interface 108 altsetting 8 has an invalid descriptor for endpoint zero, skipping
[ 38.573442][ T41] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0x9, skipping
[ 38.584182][ T41] usb 1-1: config 0 interface 108 altsetting 8 has an endpoint descriptor with address 0x1A, changing to 0xA
[ 38.595764][ T41] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0xA, skipping
[ 38.606481][ T41] usb 1-1: config 0 interface 108 altsetting 8 has an invalid descriptor for endpoint zero, skipping
[ 38.617482][ T41] usb 1-1: config 0 interface 108 altsetting 8 endpoint 0x5 has an invalid bInterval 118, changing to 7
[ 38.628692][ T41] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0x5, skipping
[ 38.639478][ T41] usb 1-1: config 0 interface 108 altsetting 8 has an invalid descriptor for endpoint zero, skipping
[ 38.650381][ T41] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0x8, skipping
[ 38.661106][ T41] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0xE, skipping
[ 38.671861][ T41] usb 1-1: config 0 interface 199 has no altsetting 0
[ 38.678707][ T41] usb 1-1: config 0 interface 0 has no altsetting 0
[ 38.685353][ T41] usb 1-1: config 0 interface 54 has no altsetting 0
[ 38.692070][ T41] usb 1-1: config 0 interface 108 has no altsetting 0
[ 38.701889][ T41] usb 1-1: string descriptor 0 read error: -22
[ 38.708186][ T41] usb 1-1: New USB device found, idVendor=0424, idProduct=c001, bcdDevice=1c.8f
[ 38.717279][ T41] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 38.728681][ T41] usb 1-1: config 0 descriptor??
[ 38.735055][ T2645] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22
executing program
[ 38.945831][ T41] usb 1-1: USB disconnect, device number 2
[ 38.969058][ T41] ==================================================================
[ 38.977155][ T41] BUG: KASAN: slab-use-after-free in hdm_disconnect+0x227/0x250
[ 38.984799][ T41] Read of size 8 at addr ffff888112f4d898 by task kworker/1:1/41
[ 38.992496][ T41]
[ 38.994814][ T41] CPU: 1 UID: 0 PID: 41 Comm: kworker/1:1 Not tainted 6.10.0-syzkaller-g933069701c1b #0
[ 39.004526][ T41] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 39.014567][ T41] Workqueue: usb_hub_wq hub_event
[ 39.019586][ T41] Call Trace:
[ 39.022855][ T41] <TASK>
[ 39.025771][ T41] dump_stack_lvl+0x116/0x1f0
[ 39.030481][ T41] print_report+0xc3/0x620
[ 39.034975][ T41] ? __virt_addr_valid+0x5e/0x590
[ 39.039981][ T41] ? __phys_addr+0xc6/0x150
[ 39.044485][ T41] kasan_report+0xd9/0x110
[ 39.048887][ T41] ? hdm_disconnect+0x227/0x250
[ 39.053731][ T41] ? hdm_disconnect+0x227/0x250
[ 39.058565][ T41] hdm_disconnect+0x227/0x250
[ 39.063265][ T41] usb_unbind_interface+0x1e8/0x970
[ 39.068473][ T41] ? kernfs_find_ns+0x2ee/0x3f0
[ 39.073328][ T41] ? __pfx_usb_unbind_interface+0x10/0x10
[ 39.079039][ T41] device_remove+0x122/0x170
[ 39.083624][ T41] device_release_driver_internal+0x44a/0x610
[ 39.089793][ T41] bus_remove_device+0x22f/0x420
[ 39.094750][ T41] device_del+0x396/0x9f0
[ 39.099081][ T41] ? __pfx_device_del+0x10/0x10
[ 39.103921][ T41] ? kobject_put+0x226/0x5b0
[ 39.108500][ T41] usb_disable_device+0x36c/0x7f0
[ 39.113517][ T41] usb_disconnect+0x2e1/0x920
[ 39.118212][ T41] hub_event+0x1be4/0x4f50
[ 39.122624][ T41] ? __pfx_hub_event+0x10/0x10
[ 39.127457][ T41] ? __pfx_lock_acquire+0x10/0x10
[ 39.132464][ T41] ? __pfx_lock_release+0x10/0x10
[ 39.137474][ T41] process_one_work+0x9c5/0x1b40
[ 39.142487][ T41] ? __pfx_lock_acquire+0x10/0x10
[ 39.147493][ T41] ? __pfx_process_one_work+0x10/0x10
[ 39.152861][ T41] ? assign_work+0x1a0/0x250
[ 39.157451][ T41] worker_thread+0x6c8/0xf20
[ 39.162072][ T41] ? __kthread_parkme+0x148/0x220
[ 39.167148][ T41] ? __pfx_worker_thread+0x10/0x10
[ 39.172261][ T41] kthread+0x2c1/0x3a0
[ 39.176450][ T41] ? _raw_spin_unlock_irq+0x23/0x50
[ 39.181651][ T41] ? __pfx_kthread+0x10/0x10
[ 39.186237][ T41] ret_from_fork+0x45/0x80
[ 39.190644][ T41] ? __pfx_kthread+0x10/0x10
[ 39.195233][ T41] ret_from_fork_asm+0x1a/0x30
[ 39.200002][ T41] </TASK>
[ 39.203008][ T41]
[ 39.205315][ T41] Allocated by task 41:
[ 39.209445][ T41] kasan_save_stack+0x33/0x60
[ 39.214107][ T41] kasan_save_track+0x14/0x30
[ 39.218762][ T41] __kasan_kmalloc+0x8f/0xa0
[ 39.223338][ T41] hdm_probe+0xb3/0x1880
[ 39.227581][ T41] usb_probe_interface+0x309/0x9d0
[ 39.232688][ T41] really_probe+0x23e/0xa90
[ 39.237187][ T41] __driver_probe_device+0x1de/0x440
[ 39.242467][ T41] driver_probe_device+0x4c/0x1b0
[ 39.247482][ T41] __device_attach_driver+0x1df/0x310
[ 39.252857][ T41] bus_for_each_drv+0x157/0x1e0
[ 39.257697][ T41] __device_attach+0x1e8/0x4b0
[ 39.262448][ T41] bus_probe_device+0x17f/0x1c0
[ 39.267281][ T41] device_add+0x114b/0x1a70
[ 39.271773][ T41] usb_set_configuration+0x10cb/0x1c50
[ 39.277220][ T41] usb_generic_driver_probe+0xb1/0x110
[ 39.282667][ T41] usb_probe_device+0xec/0x3e0
[ 39.287413][ T41] really_probe+0x23e/0xa90
[ 39.291902][ T41] __driver_probe_device+0x1de/0x440
[ 39.297301][ T41] driver_probe_device+0x4c/0x1b0
[ 39.302324][ T41] __device_attach_driver+0x1df/0x310
[ 39.307706][ T41] bus_for_each_drv+0x157/0x1e0
[ 39.312631][ T41] __device_attach+0x1e8/0x4b0
[ 39.317383][ T41] bus_probe_device+0x17f/0x1c0
[ 39.322304][ T41] device_add+0x114b/0x1a70
[ 39.326825][ T41] usb_new_device+0xd90/0x1a10
[ 39.331580][ T41] hub_event+0x2e66/0x4f50
[ 39.336001][ T41] process_one_work+0x9c5/0x1b40
[ 39.341012][ T41] worker_thread+0x6c8/0xf20
[ 39.345585][ T41] kthread+0x2c1/0x3a0
[ 39.349638][ T41] ret_from_fork+0x45/0x80
[ 39.354042][ T41] ret_from_fork_asm+0x1a/0x30
[ 39.358807][ T41]
[ 39.361119][ T41] Freed by task 41:
[ 39.364917][ T41] kasan_save_stack+0x33/0x60
[ 39.369599][ T41] kasan_save_track+0x14/0x30
[ 39.374448][ T41] kasan_save_free_info+0x3b/0x60
[ 39.379479][ T41] poison_slab_object+0xf7/0x160
[ 39.384401][ T41] __kasan_slab_free+0x14/0x30
[ 39.389321][ T41] kfree+0x10b/0x380
[ 39.393211][ T41] device_release+0xa1/0x240
[ 39.397786][ T41] kobject_put+0x1fa/0x5b0
[ 39.402203][ T41] device_unregister+0x2f/0xc0
[ 39.406955][ T41] hdm_disconnect+0x10b/0x250
[ 39.411618][ T41] usb_unbind_interface+0x1e8/0x970
[ 39.416824][ T41] device_remove+0x122/0x170
[ 39.421400][ T41] device_release_driver_internal+0x44a/0x610
[ 39.427482][ T41] bus_remove_device+0x22f/0x420
[ 39.432404][ T41] device_del+0x396/0x9f0
[ 39.436728][ T41] usb_disable_device+0x36c/0x7f0
[ 39.441742][ T41] usb_disconnect+0x2e1/0x920
[ 39.446423][ T41] hub_event+0x1be4/0x4f50
[ 39.450844][ T41] process_one_work+0x9c5/0x1b40
[ 39.455770][ T41] worker_thread+0x6c8/0xf20
[ 39.460362][ T41] kthread+0x2c1/0x3a0
[ 39.464424][ T41] ret_from_fork+0x45/0x80
[ 39.468828][ T41] ret_from_fork_asm+0x1a/0x30
[ 39.473585][ T41]
[ 39.475885][ T41] The buggy address belongs to the object at ffff888112f4c000
[ 39.475885][ T41] which belongs to the cache kmalloc-8k of size 8192
[ 39.489927][ T41] The buggy address is located 6296 bytes inside of
[ 39.489927][ T41] freed 8192-byte region [ffff888112f4c000, ffff888112f4e000)
[ 39.503905][ T41]
[ 39.506233][ T41] The buggy address belongs to the physical page:
[ 39.512633][ T41] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112f48
[ 39.521557][ T41] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 39.530034][ T41] flags: 0x200000000000040(head|node=0|zone=2)
[ 39.536177][ T41] page_type: 0xfdffffff(slab)
[ 39.540846][ T41] raw: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 39.549499][ T41] raw: 0000000000000000 0000000000020002 00000001fdffffff 0000000000000000
[ 39.558064][ T41] head: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 39.566716][ T41] head: 0000000000000000 0000000000020002 00000001fdffffff 0000000000000000
[ 39.575404][ T41] head: 0200000000000003 ffffea00044bd201 ffffffffffffffff 0000000000000000
[ 39.584057][ T41] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 39.592724][ T41] page dumped because: kasan: bad access detected
[ 39.599203][ T41] page_owner tracks the page as allocated
[ 39.604894][ T41] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 2645, tgid 2645 (syz-executor188), ts 37739763971, free_ts 37424556495
[ 39.624521][ T41] post_alloc_hook+0x2d1/0x350
[ 39.629276][ T41] get_page_from_freelist+0x1311/0x25f0
[ 39.634838][ T41] __alloc_pages_noprof+0x21e/0x2290
[ 39.640111][ T41] alloc_slab_page+0x4e/0xf0
[ 39.644684][ T41] new_slab+0x84/0x260
[ 39.648737][ T41] ___slab_alloc+0xdac/0x1870
[ 39.653397][ T41] __slab_alloc.constprop.0+0x56/0xb0
[ 39.658755][ T41] __kmalloc_cache_noprof+0x27a/0x2c0
[ 39.664113][ T41] audit_log_d_path+0xce/0x1e0
[ 39.668865][ T41] common_lsm_audit+0x7bf/0x2220
[ 39.673792][ T41] slow_avc_audit+0x17d/0x210
[ 39.678462][ T41] avc_has_extended_perms+0x9c6/0xf90
[ 39.683822][ T41] ioctl_has_perm.constprop.0.isra.0+0x2f0/0x470
[ 39.690138][ T41] selinux_file_ioctl+0x180/0x270
[ 39.695149][ T41] security_file_ioctl+0x75/0xc0
[ 39.700074][ T41] __x64_sys_ioctl+0xbb/0x220
[ 39.704734][ T41] page last free pid 2641 tgid 2641 stack trace:
[ 39.711065][ T41] free_unref_page+0x698/0xce0
[ 39.715901][ T41] qlist_free_all+0x4e/0x140
[ 39.720481][ T41] kasan_quarantine_reduce+0x192/0x1e0
[ 39.725929][ T41] __kasan_slab_alloc+0x4e/0x70
[ 39.730762][ T41] kmem_cache_alloc_noprof+0x11c/0x2b0
[ 39.736229][ T41] getname_flags.part.0+0x4c/0x550
[ 39.741325][ T41] getname+0x8d/0xe0
[ 39.745210][ T41] do_sys_openat2+0x104/0x1e0
[ 39.749868][ T41] __x64_sys_openat+0x175/0x210
[ 39.754700][ T41] do_syscall_64+0xcd/0x250
[ 39.759187][ T41] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 39.765072][ T41]
[ 39.767471][ T41] Memory state around the buggy address:
[ 39.773084][ T41] ffff888112f4d780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.781215][ T41] ffff888112f4d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.789255][ T41] >ffff888112f4d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.797319][ T41] ^
[ 39.802154][ T41] ffff888112f4d900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.810194][ T41] ffff888112f4d980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.818233][ T41] ==================================================================
[ 39.826370][ T41] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 39.833570][ T41] CPU: 1 UID: 0 PID: 41 Comm: kworker/1:1 Not tainted 6.10.0-syzkaller-g933069701c1b #0
[ 39.843300][ T41] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 39.853374][ T41] Workqueue: usb_hub_wq hub_event
[ 39.858388][ T41] Call Trace:
[ 39.861656][ T41] <TASK>
[ 39.864571][ T41] dump_stack_lvl+0x3d/0x1f0
[ 39.869149][ T41] panic+0x6f5/0x7a0
[ 39.873028][ T41] ? mark_held_locks+0x9f/0xe0
[ 39.877776][ T41] ? __pfx_panic+0x10/0x10
[ 39.882196][ T41] ? irqentry_exit+0x3b/0x90
[ 39.886789][ T41] ? lockdep_hardirqs_on+0x7c/0x110
[ 39.892062][ T41] ? check_panic_on_warn+0x1f/0xb0
[ 39.897276][ T41] check_panic_on_warn+0xab/0xb0
[ 39.902200][ T41] end_report+0x117/0x180
[ 39.906519][ T41] kasan_report+0xe9/0x110
[ 39.910919][ T41] ? hdm_disconnect+0x227/0x250
[ 39.915752][ T41] ? hdm_disconnect+0x227/0x250
[ 39.920586][ T41] hdm_disconnect+0x227/0x250
[ 39.925248][ T41] usb_unbind_interface+0x1e8/0x970
[ 39.930468][ T41] ? kernfs_find_ns+0x2ee/0x3f0
[ 39.935303][ T41] ? __pfx_usb_unbind_interface+0x10/0x10
[ 39.941006][ T41] device_remove+0x122/0x170
[ 39.945581][ T41] device_release_driver_internal+0x44a/0x610
[ 39.951638][ T41] bus_remove_device+0x22f/0x420
[ 39.956558][ T41] device_del+0x396/0x9f0
[ 39.960878][ T41] ? __pfx_device_del+0x10/0x10
[ 39.965711][ T41] ? kobject_put+0x226/0x5b0
[ 39.970291][ T41] usb_disable_device+0x36c/0x7f0
[ 39.975320][ T41] usb_disconnect+0x2e1/0x920
[ 39.980002][ T41] hub_event+0x1be4/0x4f50
[ 39.984412][ T41] ? __pfx_hub_event+0x10/0x10
[ 39.989161][ T41] ? __pfx_lock_acquire+0x10/0x10
[ 39.994190][ T41] ? __pfx_lock_release+0x10/0x10
[ 39.999197][ T41] process_one_work+0x9c5/0x1b40
[ 40.004125][ T41] ? __pfx_lock_acquire+0x10/0x10
[ 40.009130][ T41] ? __pfx_process_one_work+0x10/0x10
[ 40.014492][ T41] ? assign_work+0x1a0/0x250
[ 40.019069][ T41] worker_thread+0x6c8/0xf20
[ 40.023646][ T41] ? __kthread_parkme+0x148/0x220
[ 40.028670][ T41] ? __pfx_worker_thread+0x10/0x10
[ 40.033765][ T41] kthread+0x2c1/0x3a0
[ 40.037835][ T41] ? _raw_spin_unlock_irq+0x23/0x50
[ 40.043034][ T41] ? __pfx_kthread+0x10/0x10
[ 40.047613][ T41] ret_from_fork+0x45/0x80
[ 40.052019][ T41] ? __pfx_kthread+0x10/0x10
[ 40.056594][ T41] ret_from_fork_asm+0x1a/0x30
[ 40.061442][ T41] </TASK>
[ 40.064667][ T41] Kernel Offset: disabled
[ 40.068976][ T41] Rebooting in 86400 seconds..