Warning: Permanently added '10.128.1.189' (ED25519) to the list of known hosts.
2025/07/20 03:26:08 ignoring optional flag "sandboxArg"="0"
2025/07/20 03:26:09 parsed 1 programs
[ 99.368996][ T29] kauditd_printk_skb: 10 callbacks suppressed
[ 99.369015][ T29] audit: type=1400 audit(1752981971.026:101): avc: denied { unlink } for pid=4013 comm="syz-executor" name="swap-file" dev="sda1" ino=2026 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 99.434148][ T4013] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 100.916704][ T29] audit: type=1400 audit(1752981972.566:102): avc: denied { read } for pid=4020 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 100.945935][ T29] audit: type=1400 audit(1752981972.566:103): avc: denied { open } for pid=4020 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 100.970072][ T29] audit: type=1400 audit(1752981972.596:104): avc: denied { unmount } for pid=4020 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
[ 102.203095][ T29] audit: type=1401 audit(1752981973.856:105): op=setxattr invalid_context="u:object_r:app_data_file:s0:c512,c768"
2025/07/20 03:26:26 executed programs: 0
2025/07/20 03:26:37 executed programs: 2
[ 125.677459][ T29] audit: type=1400 audit(1752981997.326:106): avc: denied { read write } for pid=5040 comm="syz.3.16" name="raw-gadget" dev="devtmpfs" ino=236 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 125.701158][ T29] audit: type=1400 audit(1752981997.326:107): avc: denied { open } for pid=5040 comm="syz.3.16" path="/dev/raw-gadget" dev="devtmpfs" ino=236 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 125.724743][ T29] audit: type=1400 audit(1752981997.326:108): avc: denied { ioctl } for pid=5040 comm="syz.3.16" path="/dev/raw-gadget" dev="devtmpfs" ino=236 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 125.937565][ T3448] usb 4-1: new high-speed USB device number 2 using dummy_hcd
[ 126.087380][ T3448] usb 4-1: Using ep0 maxpacket: 8
[ 126.094910][ T3448] usb 4-1: config 162 has an invalid interface number: 3 but max is 2
[ 126.103469][ T3448] usb 4-1: config 162 has an invalid interface number: 3 but max is 2
[ 126.111710][ T3448] usb 4-1: config 162 has 2 interfaces, different from the descriptor's value: 3
[ 126.121174][ T3448] usb 4-1: config 162 has no interface number 0
[ 126.127490][ T3448] usb 4-1: config 162 has no interface number 1
[ 126.133959][ T3448] usb 4-1: config 162 interface 3 altsetting 2 has 1 endpoint descriptor, different from the interface descriptor's value: 3
[ 126.147056][ T3448] usb 4-1: config 162 interface 2 altsetting 1 has a duplicate endpoint with address 0x9, skipping
[ 126.158088][ T3448] usb 4-1: config 162 interface 2 altsetting 1 has an endpoint descriptor with address 0xA6, changing to 0x86
[ 126.169780][ T3448] usb 4-1: config 162 interface 2 altsetting 1 endpoint 0x86 has invalid maxpacket 23105, setting to 1024
[ 126.181133][ T3448] usb 4-1: config 162 interface 2 altsetting 1 bulk endpoint 0x86 has invalid maxpacket 1024
[ 126.191427][ T3448] usb 4-1: config 162 interface 2 altsetting 1 has 5 endpoint descriptors, different from the interface descriptor's value: 4
[ 126.204890][ T3448] usb 4-1: config 162 interface 3 has no altsetting 0
[ 126.211713][ T3448] usb 4-1: config 162 interface 3 has no altsetting 1
[ 126.218847][ T3448] usb 4-1: config 162 interface 2 has no altsetting 0
[ 126.228561][ T3448] usb 4-1: New USB device found, idVendor=0e8d, idProduct=763f, bcdDevice=9b.23
[ 126.237821][ T3448] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 126.245916][ T3448] usb 4-1: Product: syz
[ 126.250221][ T3448] usb 4-1: Manufacturer: syz
[ 126.254857][ T3448] usb 4-1: SerialNumber: syz
[ 126.489551][ T5044] Bluetooth: hci0: Opcode 0x0c03 failed: -71
[ 126.502429][ T3448] usb 4-1: USB disconnect, device number 2
[ 126.512705][ T3448] ==================================================================
[ 126.521083][ T3448] BUG: KASAN: slab-use-after-free in btusb_disconnect+0x4dc/0x580
[ 126.529036][ T3448] Read of size 4 at addr ffff8881175ae7c0 by task kworker/0:2/3448
[ 126.536954][ T3448]
[ 126.539341][ T3448] CPU: 0 UID: 0 PID: 3448 Comm: kworker/0:2 Not tainted 6.16.0-rc4-syzkaller-00324-gf72b9aa821a2 #0 PREEMPT(voluntary)
[ 126.539373][ T3448] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 126.539389][ T3448] Workqueue: usb_hub_wq hub_event
[ 126.539417][ T3448] Call Trace:
[ 126.539426][ T3448]
[ 126.539434][ T3448] dump_stack_lvl+0x116/0x1f0
[ 126.539473][ T3448] print_report+0xcd/0x680
[ 126.539499][ T3448] ? __virt_addr_valid+0x81/0x610
[ 126.539527][ T3448] ? __phys_addr+0xe8/0x180
[ 126.539555][ T3448] ? btusb_disconnect+0x4dc/0x580
[ 126.539579][ T3448] kasan_report+0xe0/0x110
[ 126.539605][ T3448] ? btusb_disconnect+0x4dc/0x580
[ 126.539638][ T3448] btusb_disconnect+0x4dc/0x580
[ 126.539664][ T3448] usb_unbind_interface+0x1da/0x9a0
[ 126.539691][ T3448] ? kernfs_remove_by_name_ns+0xbe/0x110
[ 126.539723][ T3448] ? __pfx_usb_unbind_interface+0x10/0x10
[ 126.539748][ T3448] device_remove+0x125/0x170
[ 126.539772][ T3448] device_release_driver_internal+0x44b/0x620
[ 126.539803][ T3448] bus_remove_device+0x22f/0x420
[ 126.539836][ T3448] device_del+0x396/0x9f0
[ 126.539862][ T3448] ? __pfx_device_del+0x10/0x10
[ 126.539886][ T3448] ? kobject_put+0x210/0x5a0
[ 126.539912][ T3448] usb_disable_device+0x355/0x7d0
[ 126.539938][ T3448] usb_disconnect+0x2e1/0x9c0
[ 126.539963][ T3448] hub_event+0x1aa0/0x5030
[ 126.539996][ T3448] ? __lock_acquire+0xb8a/0x1c90
[ 126.540020][ T3448] ? __pfx_hub_event+0x10/0x10
[ 126.540040][ T3448] ? assoc_array_gc+0xb40/0x15b0
[ 126.540081][ T3448] ? rcu_is_watching+0x12/0xc0
[ 126.540113][ T3448] process_one_work+0x9cc/0x1b70
[ 126.540144][ T3448] ? __pfx_hub_event+0x10/0x10
[ 126.540166][ T3448] ? __pfx_process_one_work+0x10/0x10
[ 126.540196][ T3448] ? assign_work+0x1a0/0x250
[ 126.540222][ T3448] worker_thread+0x6c8/0xf10
[ 126.540254][ T3448] ? __kthread_parkme+0x19e/0x250
[ 126.540287][ T3448] ? __pfx_worker_thread+0x10/0x10
[ 126.540313][ T3448] kthread+0x3c2/0x780
[ 126.540337][ T3448] ? __pfx_kthread+0x10/0x10
[ 126.540361][ T3448] ? rcu_is_watching+0x12/0xc0
[ 126.540388][ T3448] ? __pfx_kthread+0x10/0x10
[ 126.540411][ T3448] ret_from_fork+0x5b3/0x6c0
[ 126.540443][ T3448] ? __pfx_kthread+0x10/0x10
[ 126.540467][ T3448] ret_from_fork_asm+0x1a/0x30
[ 126.540499][ T3448]
[ 126.540507][ T3448]
[ 126.766133][ T3448] Allocated by task 3448:
[ 126.770446][ T3448] kasan_save_stack+0x33/0x60
[ 126.775122][ T3448] kasan_save_track+0x14/0x30
[ 126.779901][ T3448] __kasan_kmalloc+0x8f/0xa0
[ 126.784526][ T3448] __kmalloc_node_track_caller_noprof+0x212/0x4c0
[ 126.791116][ T3448] devm_kmalloc+0xa5/0x260
[ 126.795999][ T3448] btusb_probe+0x23f/0x4480
[ 126.800688][ T3448] usb_probe_interface+0x303/0x9c0
[ 126.805890][ T3448] really_probe+0x23e/0xa90
[ 126.810489][ T3448] __driver_probe_device+0x1de/0x440
[ 126.815849][ T3448] driver_probe_device+0x4c/0x1b0
[ 126.820950][ T3448] __device_attach_driver+0x1df/0x310
[ 126.826484][ T3448] bus_for_each_drv+0x156/0x1e0
[ 126.831517][ T3448] __device_attach+0x1e4/0x4b0
[ 126.836308][ T3448] bus_probe_device+0x17f/0x1c0
[ 126.841334][ T3448] device_add+0x1148/0x1a70
[ 126.845830][ T3448] usb_set_configuration+0x1187/0x1e20
[ 126.851385][ T3448] usb_generic_driver_probe+0xb1/0x110
[ 126.856865][ T3448] usb_probe_device+0xef/0x3e0
[ 126.861893][ T3448] really_probe+0x23e/0xa90
[ 126.866401][ T3448] __driver_probe_device+0x1de/0x440
[ 126.871862][ T3448] driver_probe_device+0x4c/0x1b0
[ 126.876967][ T3448] __device_attach_driver+0x1df/0x310
[ 126.883285][ T3448] bus_for_each_drv+0x156/0x1e0
[ 126.888411][ T3448] __device_attach+0x1e4/0x4b0
[ 126.893411][ T3448] bus_probe_device+0x17f/0x1c0
[ 126.898260][ T3448] device_add+0x1148/0x1a70
[ 126.902849][ T3448] usb_new_device+0xd07/0x1a20
[ 126.907738][ T3448] hub_event+0x2f85/0x5030
[ 126.912259][ T3448] process_one_work+0x9cc/0x1b70
[ 126.917313][ T3448] worker_thread+0x6c8/0xf10
[ 126.921939][ T3448] kthread+0x3c2/0x780
[ 126.926111][ T3448] ret_from_fork+0x5b3/0x6c0
[ 126.931001][ T3448] ret_from_fork_asm+0x1a/0x30
[ 126.936042][ T3448]
[ 126.938378][ T3448] Freed by task 3448:
[ 126.942440][ T3448] kasan_save_stack+0x33/0x60
[ 126.947203][ T3448] kasan_save_track+0x14/0x30
[ 126.951894][ T3448] kasan_save_free_info+0x3b/0x60
[ 126.957201][ T3448] __kasan_slab_free+0x37/0x50
[ 126.962221][ T3448] kfree+0x283/0x470
[ 126.966526][ T3448] release_nodes+0x11e/0x240
[ 126.971137][ T3448] devres_release_all+0x112/0x180
[ 126.976310][ T3448] device_unbind_cleanup+0x19/0x1b0
[ 126.982761][ T3448] device_release_driver_internal+0x4c3/0x620
[ 126.989107][ T3448] usb_driver_release_interface+0x109/0x190
[ 126.995092][ T3448] btusb_disconnect+0x448/0x580
[ 127.000034][ T3448] usb_unbind_interface+0x1da/0x9a0
[ 127.005242][ T3448] device_remove+0x125/0x170
[ 127.009939][ T3448] device_release_driver_internal+0x44b/0x620
[ 127.016513][ T3448] bus_remove_device+0x22f/0x420
[ 127.021915][ T3448] device_del+0x396/0x9f0
[ 127.026347][ T3448] usb_disable_device+0x355/0x7d0
[ 127.031376][ T3448] usb_disconnect+0x2e1/0x9c0
[ 127.036225][ T3448] hub_event+0x1aa0/0x5030
[ 127.041696][ T3448] process_one_work+0x9cc/0x1b70
[ 127.046741][ T3448] worker_thread+0x6c8/0xf10
[ 127.051341][ T3448] kthread+0x3c2/0x780
[ 127.055498][ T3448] ret_from_fork+0x5b3/0x6c0
[ 127.060096][ T3448] ret_from_fork_asm+0x1a/0x30
[ 127.065048][ T3448]
[ 127.067554][ T3448] The buggy address belongs to the object at ffff8881175ae000
[ 127.067554][ T3448] which belongs to the cache kmalloc-2k of size 2048
[ 127.081783][ T3448] The buggy address is located 1984 bytes inside of
[ 127.081783][ T3448] freed 2048-byte region [ffff8881175ae000, ffff8881175ae800)
[ 127.095790][ T3448]
[ 127.098115][ T3448] The buggy address belongs to the physical page:
[ 127.105064][ T3448] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1175a8
[ 127.113925][ T3448] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 127.122441][ T3448] flags: 0x200000000000040(head|node=0|zone=2)
[ 127.128708][ T3448] page_type: f5(slab)
[ 127.132703][ T3448] raw: 0200000000000040 ffff888100042000 dead000000000100 dead000000000122
[ 127.141458][ T3448] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 127.150385][ T3448] head: 0200000000000040 ffff888100042000 dead000000000100 dead000000000122
[ 127.159060][ T3448] head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 127.168011][ T3448] head: 0200000000000003 ffffea00045d6a01 00000000ffffffff 00000000ffffffff
[ 127.176881][ T3448] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
[ 127.185638][ T3448] page dumped because: kasan: bad access detected
[ 127.192175][ T3448] page_owner tracks the page as allocated
[ 127.198064][ T3448] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2830, tgid 2830 (klogd), ts 12265422861, free_ts 0
[ 127.218839][ T3448] post_alloc_hook+0x1c0/0x230
[ 127.223617][ T3448] get_page_from_freelist+0xf98/0x2ce0
[ 127.229171][ T3448] __alloc_frozen_pages_noprof+0x259/0x21e0
[ 127.235155][ T3448] alloc_pages_mpol+0xe4/0x410
[ 127.240037][ T3448] new_slab+0x23b/0x330
[ 127.244207][ T3448] ___slab_alloc+0xda5/0x1940
[ 127.248978][ T3448] __slab_alloc.constprop.0+0x56/0xb0
[ 127.254447][ T3448] __kmalloc_cache_noprof+0x209/0x3c0
[ 127.259818][ T3448] syslog_print+0xf6/0x620
[ 127.264236][ T3448] do_syslog+0x3dc/0x6c0
[ 127.268646][ T3448] __x64_sys_syslog+0x74/0xb0
[ 127.273509][ T3448] do_syscall_64+0xcd/0x4b0
[ 127.278021][ T3448] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 127.284100][ T3448] page_owner free stack trace missing
[ 127.289456][ T3448]
[ 127.291862][ T3448] Memory state around the buggy address:
[ 127.297494][ T3448] ffff8881175ae680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 127.305670][ T3448] ffff8881175ae700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 127.313807][ T3448] >ffff8881175ae780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 127.322412][ T3448] ^
[ 127.328563][ T3448] ffff8881175ae800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 127.336978][ T3448] ffff8881175ae880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 127.345404][ T3448] ==================================================================
[ 127.354158][ T3448] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 127.361557][ T3448] CPU: 0 UID: 0 PID: 3448 Comm: kworker/0:2 Not tainted 6.16.0-rc4-syzkaller-00324-gf72b9aa821a2 #0 PREEMPT(voluntary)
[ 127.374431][ T3448] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 127.384682][ T3448] Workqueue: usb_hub_wq hub_event
[ 127.389814][ T3448] Call Trace:
[ 127.393101][ T3448]
[ 127.396038][ T3448] dump_stack_lvl+0x3d/0x1f0
[ 127.400732][ T3448] panic+0x71c/0x800
[ 127.404633][ T3448] ? __pfx_panic+0x10/0x10
[ 127.409144][ T3448] ? irqentry_exit+0x3b/0x90
[ 127.413864][ T3448] ? lockdep_hardirqs_on+0x7c/0x110
[ 127.419335][ T3448] ? btusb_disconnect+0x4dc/0x580
[ 127.424982][ T3448] ? check_panic_on_warn+0x1f/0xb0
[ 127.430211][ T3448] ? btusb_disconnect+0x4dc/0x580
[ 127.435350][ T3448] check_panic_on_warn+0xab/0xb0
[ 127.440303][ T3448] end_report+0x107/0x170
[ 127.444899][ T3448] kasan_report+0xee/0x110
[ 127.449327][ T3448] ? btusb_disconnect+0x4dc/0x580
[ 127.454373][ T3448] btusb_disconnect+0x4dc/0x580
[ 127.459243][ T3448] usb_unbind_interface+0x1da/0x9a0
[ 127.464713][ T3448] ? kernfs_remove_by_name_ns+0xbe/0x110
[ 127.470355][ T3448] ? __pfx_usb_unbind_interface+0x10/0x10
[ 127.476179][ T3448] device_remove+0x125/0x170
[ 127.480770][ T3448] device_release_driver_internal+0x44b/0x620
[ 127.487028][ T3448] bus_remove_device+0x22f/0x420
[ 127.492058][ T3448] device_del+0x396/0x9f0
[ 127.496393][ T3448] ? __pfx_device_del+0x10/0x10
[ 127.501242][ T3448] ? kobject_put+0x210/0x5a0
[ 127.505933][ T3448] usb_disable_device+0x355/0x7d0
[ 127.511244][ T3448] usb_disconnect+0x2e1/0x9c0
[ 127.515933][ T3448] hub_event+0x1aa0/0x5030
[ 127.520449][ T3448] ? __lock_acquire+0xb8a/0x1c90
[ 127.525415][ T3448] ? __pfx_hub_event+0x10/0x10
[ 127.530190][ T3448] ? assoc_array_gc+0xb40/0x15b0
[ 127.535237][ T3448] ? rcu_is_watching+0x12/0xc0
[ 127.540009][ T3448] process_one_work+0x9cc/0x1b70
[ 127.545046][ T3448] ? __pfx_hub_event+0x10/0x10
[ 127.549808][ T3448] ? __pfx_process_one_work+0x10/0x10
[ 127.555248][ T3448] ? assign_work+0x1a0/0x250
[ 127.560122][ T3448] worker_thread+0x6c8/0xf10
[ 127.564724][ T3448] ? __kthread_parkme+0x19e/0x250
[ 127.570200][ T3448] ? __pfx_worker_thread+0x10/0x10
[ 127.575412][ T3448] kthread+0x3c2/0x780
[ 127.579589][ T3448] ? __pfx_kthread+0x10/0x10
[ 127.584235][ T3448] ? rcu_is_watching+0x12/0xc0
[ 127.589278][ T3448] ? __pfx_kthread+0x10/0x10
[ 127.593993][ T3448] ret_from_fork+0x5b3/0x6c0
[ 127.598875][ T3448] ? __pfx_kthread+0x10/0x10
[ 127.603751][ T3448] ret_from_fork_asm+0x1a/0x30
[ 127.608624][ T3448]
[ 127.612034][ T3448] Kernel Offset: disabled
[ 127.616442][ T3448] Rebooting in 86400 seconds..