Warning: Permanently added '10.128.1.45' (ED25519) to the list of known hosts.
2025/07/20 03:15:58 ignoring optional flag "sandboxArg"="0"
2025/07/20 03:15:59 parsed 1 programs
[ 101.249534][ T29] audit: type=1400 audit(1752981361.490:101): avc: denied { unlink } for pid=4013 comm="syz-executor" name="swap-file" dev="sda1" ino=2026 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 101.353511][ T4013] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 102.715502][ T29] audit: type=1400 audit(1752981362.950:102): avc: denied { read } for pid=4019 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 102.737160][ T29] audit: type=1400 audit(1752981362.950:103): avc: denied { open } for pid=4019 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 102.769113][ T29] audit: type=1400 audit(1752981362.980:104): avc: denied { unmount } for pid=4019 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
[ 104.401680][ T29] audit: type=1401 audit(1752981364.640:105): op=setxattr invalid_context="u:object_r:app_data_file:s0:c512,c768"
2025/07/20 03:16:17 executed programs: 0
2025/07/20 03:16:28 executed programs: 2
[ 128.539622][ T29] audit: type=1400 audit(1752981388.780:106): avc: denied { read write } for pid=5040 comm="syz.3.16" name="raw-gadget" dev="devtmpfs" ino=236 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 128.563291][ T29] audit: type=1400 audit(1752981388.780:107): avc: denied { open } for pid=5040 comm="syz.3.16" path="/dev/raw-gadget" dev="devtmpfs" ino=236 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 128.586638][ T29] audit: type=1400 audit(1752981388.780:108): avc: denied { ioctl } for pid=5040 comm="syz.3.16" path="/dev/raw-gadget" dev="devtmpfs" ino=236 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 128.776543][ T1078] usb 4-1: new high-speed USB device number 2 using dummy_hcd
[ 128.926472][ T1078] usb 4-1: Using ep0 maxpacket: 8
[ 128.933941][ T1078] usb 4-1: config 162 has an invalid interface number: 3 but max is 2
[ 128.942281][ T1078] usb 4-1: config 162 has an invalid interface number: 3 but max is 2
[ 128.950541][ T1078] usb 4-1: config 162 has 2 interfaces, different from the descriptor's value: 3
[ 128.959707][ T1078] usb 4-1: config 162 has no interface number 0
[ 128.965961][ T1078] usb 4-1: config 162 has no interface number 1
[ 128.972302][ T1078] usb 4-1: config 162 interface 3 altsetting 2 has 1 endpoint descriptor, different from the interface descriptor's value: 3
[ 128.985390][ T1078] usb 4-1: config 162 interface 2 altsetting 1 has a duplicate endpoint with address 0x9, skipping
[ 128.996228][ T1078] usb 4-1: config 162 interface 2 altsetting 1 has an endpoint descriptor with address 0xA6, changing to 0x86
[ 129.008001][ T1078] usb 4-1: config 162 interface 2 altsetting 1 endpoint 0x86 has invalid maxpacket 23105, setting to 1024
[ 129.019484][ T1078] usb 4-1: config 162 interface 2 altsetting 1 bulk endpoint 0x86 has invalid maxpacket 1024
[ 129.029889][ T1078] usb 4-1: config 162 interface 2 altsetting 1 has 5 endpoint descriptors, different from the interface descriptor's value: 4
[ 129.043077][ T1078] usb 4-1: config 162 interface 3 has no altsetting 0
[ 129.049994][ T1078] usb 4-1: config 162 interface 3 has no altsetting 1
[ 129.057060][ T1078] usb 4-1: config 162 interface 2 has no altsetting 0
[ 129.065792][ T1078] usb 4-1: New USB device found, idVendor=0e8d, idProduct=763f, bcdDevice=9b.23
[ 129.074940][ T1078] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 129.083014][ T1078] usb 4-1: Product: syz
[ 129.087224][ T1078] usb 4-1: Manufacturer: syz
[ 129.091842][ T1078] usb 4-1: SerialNumber: syz
[ 129.329631][ T5045] Bluetooth: hci0: Opcode 0x0c03 failed: -71
[ 129.333441][ T1078] usb 4-1: USB disconnect, device number 2
[ 129.347898][ T1078] ==================================================================
[ 129.356012][ T1078] BUG: KASAN: slab-use-after-free in btusb_disconnect+0x4dc/0x580
[ 129.363867][ T1078] Read of size 4 at addr ffff8881062867c0 by task kworker/0:2/1078
[ 129.371784][ T1078]
[ 129.374147][ T1078] CPU: 0 UID: 0 PID: 1078 Comm: kworker/0:2 Not tainted 6.16.0-rc4-syzkaller-00324-gf72b9aa821a2 #0 PREEMPT(voluntary)
[ 129.374176][ T1078] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 129.374191][ T1078] Workqueue: usb_hub_wq hub_event
[ 129.374217][ T1078] Call Trace:
[ 129.374225][ T1078] <TASK>
[ 129.374233][ T1078] dump_stack_lvl+0x116/0x1f0
[ 129.374270][ T1078] print_report+0xcd/0x680
[ 129.374294][ T1078] ? __virt_addr_valid+0x81/0x610
[ 129.374320][ T1078] ? __phys_addr+0xe8/0x180
[ 129.374346][ T1078] ? btusb_disconnect+0x4dc/0x580
[ 129.374367][ T1078] kasan_report+0xe0/0x110
[ 129.374391][ T1078] ? btusb_disconnect+0x4dc/0x580
[ 129.374416][ T1078] btusb_disconnect+0x4dc/0x580
[ 129.374439][ T1078] usb_unbind_interface+0x1da/0x9a0
[ 129.374465][ T1078] ? kernfs_remove_by_name_ns+0xbe/0x110
[ 129.374495][ T1078] ? __pfx_usb_unbind_interface+0x10/0x10
[ 129.374519][ T1078] device_remove+0x125/0x170
[ 129.374541][ T1078] device_release_driver_internal+0x44b/0x620
[ 129.374576][ T1078] bus_remove_device+0x22f/0x420
[ 129.374598][ T1078] device_del+0x396/0x9f0
[ 129.374622][ T1078] ? __pfx_device_del+0x10/0x10
[ 129.374644][ T1078] ? kobject_put+0x210/0x5a0
[ 129.374668][ T1078] usb_disable_device+0x355/0x7d0
[ 129.374692][ T1078] usb_disconnect+0x2e1/0x9c0
[ 129.374715][ T1078] hub_event+0x1aa0/0x5030
[ 129.374745][ T1078] ? __lock_acquire+0xb8a/0x1c90
[ 129.374767][ T1078] ? __pfx_hub_event+0x10/0x10
[ 129.374786][ T1078] ? assoc_array_gc+0xb40/0x15b0
[ 129.374823][ T1078] ? rcu_is_watching+0x12/0xc0
[ 129.374852][ T1078] process_one_work+0x9cc/0x1b70
[ 129.374882][ T1078] ? __pfx_hub_event+0x10/0x10
[ 129.374902][ T1078] ? __pfx_process_one_work+0x10/0x10
[ 129.374931][ T1078] ? assign_work+0x1a0/0x250
[ 129.374954][ T1078] worker_thread+0x6c8/0xf10
[ 129.374983][ T1078] ? __kthread_parkme+0x19e/0x250
[ 129.375014][ T1078] ? __pfx_worker_thread+0x10/0x10
[ 129.375038][ T1078] kthread+0x3c2/0x780
[ 129.375060][ T1078] ? __pfx_kthread+0x10/0x10
[ 129.375082][ T1078] ? rcu_is_watching+0x12/0xc0
[ 129.375108][ T1078] ? __pfx_kthread+0x10/0x10
[ 129.375130][ T1078] ret_from_fork+0x5b3/0x6c0
[ 129.375160][ T1078] ? __pfx_kthread+0x10/0x10
[ 129.375182][ T1078] ret_from_fork_asm+0x1a/0x30
[ 129.375215][ T1078] </TASK>
[ 129.375222][ T1078]
[ 129.598593][ T1078] Allocated by task 1078:
[ 129.602994][ T1078] kasan_save_stack+0x33/0x60
[ 129.607664][ T1078] kasan_save_track+0x14/0x30
[ 129.612412][ T1078] __kasan_kmalloc+0x8f/0xa0
[ 129.617008][ T1078] __kmalloc_node_track_caller_noprof+0x212/0x4c0
[ 129.623443][ T1078] devm_kmalloc+0xa5/0x260
[ 129.627876][ T1078] btusb_probe+0x23f/0x4480
[ 129.632379][ T1078] usb_probe_interface+0x303/0x9c0
[ 129.637490][ T1078] really_probe+0x23e/0xa90
[ 129.641978][ T1078] __driver_probe_device+0x1de/0x440
[ 129.647250][ T1078] driver_probe_device+0x4c/0x1b0
[ 129.652359][ T1078] __device_attach_driver+0x1df/0x310
[ 129.657724][ T1078] bus_for_each_drv+0x156/0x1e0
[ 129.662576][ T1078] __device_attach+0x1e4/0x4b0
[ 129.667328][ T1078] bus_probe_device+0x17f/0x1c0
[ 129.672176][ T1078] device_add+0x1148/0x1a70
[ 129.676681][ T1078] usb_set_configuration+0x1187/0x1e20
[ 129.682241][ T1078] usb_generic_driver_probe+0xb1/0x110
[ 129.687709][ T1078] usb_probe_device+0xef/0x3e0
[ 129.692470][ T1078] really_probe+0x23e/0xa90
[ 129.696978][ T1078] __driver_probe_device+0x1de/0x440
[ 129.702309][ T1078] driver_probe_device+0x4c/0x1b0
[ 129.707616][ T1078] __device_attach_driver+0x1df/0x310
[ 129.712986][ T1078] bus_for_each_drv+0x156/0x1e0
[ 129.717838][ T1078] __device_attach+0x1e4/0x4b0
[ 129.722685][ T1078] bus_probe_device+0x17f/0x1c0
[ 129.727527][ T1078] device_add+0x1148/0x1a70
[ 129.732034][ T1078] usb_new_device+0xd07/0x1a20
[ 129.736783][ T1078] hub_event+0x2f85/0x5030
[ 129.741181][ T1078] process_one_work+0x9cc/0x1b70
[ 129.746111][ T1078] worker_thread+0x6c8/0xf10
[ 129.750689][ T1078] kthread+0x3c2/0x780
[ 129.754830][ T1078] ret_from_fork+0x5b3/0x6c0
[ 129.759413][ T1078] ret_from_fork_asm+0x1a/0x30
[ 129.764166][ T1078]
[ 129.766472][ T1078] Freed by task 1078:
[ 129.770519][ T1078] kasan_save_stack+0x33/0x60
[ 129.775181][ T1078] kasan_save_track+0x14/0x30
[ 129.779842][ T1078] kasan_save_free_info+0x3b/0x60
[ 129.784856][ T1078] __kasan_slab_free+0x37/0x50
[ 129.789603][ T1078] kfree+0x283/0x470
[ 129.793487][ T1078] release_nodes+0x11e/0x240
[ 129.798063][ T1078] devres_release_all+0x112/0x180
[ 129.803076][ T1078] device_unbind_cleanup+0x19/0x1b0
[ 129.808259][ T1078] device_release_driver_internal+0x4c3/0x620
[ 129.814320][ T1078] usb_driver_release_interface+0x109/0x190
[ 129.820217][ T1078] btusb_disconnect+0x448/0x580
[ 129.825067][ T1078] usb_unbind_interface+0x1da/0x9a0
[ 129.830265][ T1078] device_remove+0x125/0x170
[ 129.834852][ T1078] device_release_driver_internal+0x44b/0x620
[ 129.840920][ T1078] bus_remove_device+0x22f/0x420
[ 129.845857][ T1078] device_del+0x396/0x9f0
[ 129.850183][ T1078] usb_disable_device+0x355/0x7d0
[ 129.855213][ T1078] usb_disconnect+0x2e1/0x9c0
[ 129.859970][ T1078] hub_event+0x1aa0/0x5030
[ 129.864388][ T1078] process_one_work+0x9cc/0x1b70
[ 129.869328][ T1078] worker_thread+0x6c8/0xf10
[ 129.873920][ T1078] kthread+0x3c2/0x780
[ 129.877994][ T1078] ret_from_fork+0x5b3/0x6c0
[ 129.882751][ T1078] ret_from_fork_asm+0x1a/0x30
[ 129.887694][ T1078]
[ 129.890012][ T1078] The buggy address belongs to the object at ffff888106286000
[ 129.890012][ T1078] which belongs to the cache kmalloc-2k of size 2048
[ 129.904065][ T1078] The buggy address is located 1984 bytes inside of
[ 129.904065][ T1078] freed 2048-byte region [ffff888106286000, ffff888106286800)
[ 129.918206][ T1078]
[ 129.920529][ T1078] The buggy address belongs to the physical page:
[ 129.927205][ T1078] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106280
[ 129.936058][ T1078] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 129.944550][ T1078] flags: 0x200000000000040(head|node=0|zone=2)
[ 129.951281][ T1078] page_type: f5(slab)
[ 129.955282][ T1078] raw: 0200000000000040 ffff888100042000 dead000000000100 dead000000000122
[ 129.963875][ T1078] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 129.972478][ T1078] head: 0200000000000040 ffff888100042000 dead000000000100 dead000000000122
[ 129.981169][ T1078] head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 129.989938][ T1078] head: 0200000000000003 ffffea000418a001 00000000ffffffff 00000000ffffffff
[ 129.998616][ T1078] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
[ 130.007280][ T1078] page dumped because: kasan: bad access detected
[ 130.013699][ T1078] page_owner tracks the page as allocated
[ 130.019410][ T1078] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 2846772293, free_ts 0
[ 130.039052][ T1078] post_alloc_hook+0x1c0/0x230
[ 130.043827][ T1078] get_page_from_freelist+0xf98/0x2ce0
[ 130.049298][ T1078] __alloc_frozen_pages_noprof+0x259/0x21e0
[ 130.055195][ T1078] alloc_pages_mpol+0xe4/0x410
[ 130.059959][ T1078] new_slab+0x23b/0x330
[ 130.064117][ T1078] ___slab_alloc+0xda5/0x1940
[ 130.068797][ T1078] __slab_alloc.constprop.0+0x56/0xb0
[ 130.074191][ T1078] __kmalloc_cache_noprof+0x209/0x3c0
[ 130.079803][ T1078] acpi_ds_create_walk_state+0x78/0x250
[ 130.085433][ T1078] acpi_ps_execute_method+0x253/0xb30
[ 130.090803][ T1078] acpi_ns_evaluate+0x76c/0xca0
[ 130.095654][ T1078] acpi_evaluate_object+0x1fa/0xa90
[ 130.100857][ T1078] acpi_evaluate_integer+0xdd/0x200
[ 130.106057][ T1078] acpi_bus_get_status+0x1a0/0x420
[ 130.111183][ T1078] acpi_add_single_object+0x12c/0x1b80
[ 130.116646][ T1078] acpi_bus_check_add+0x23f/0x910
[ 130.121761][ T1078] page_owner free stack trace missing
[ 130.127118][ T1078]
[ 130.129448][ T1078] Memory state around the buggy address:
[ 130.135156][ T1078] ffff888106286680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 130.143213][ T1078] ffff888106286700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 130.151275][ T1078] >ffff888106286780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 130.159417][ T1078] ^
[ 130.165564][ T1078] ffff888106286800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 130.173714][ T1078] ffff888106286880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 130.181770][ T1078] ==================================================================
[ 130.190088][ T1078] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 130.197400][ T1078] CPU: 0 UID: 0 PID: 1078 Comm: kworker/0:2 Not tainted 6.16.0-rc4-syzkaller-00324-gf72b9aa821a2 #0 PREEMPT(voluntary)
[ 130.209936][ T1078] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 130.220009][ T1078] Workqueue: usb_hub_wq hub_event
[ 130.225042][ T1078] Call Trace:
[ 130.228329][ T1078] <TASK>
[ 130.231358][ T1078] dump_stack_lvl+0x3d/0x1f0
[ 130.236049][ T1078] panic+0x71c/0x800
[ 130.239959][ T1078] ? __pfx_panic+0x10/0x10
[ 130.244377][ T1078] ? irqentry_exit+0x3b/0x90
[ 130.248976][ T1078] ? lockdep_hardirqs_on+0x7c/0x110
[ 130.254181][ T1078] ? btusb_disconnect+0x4dc/0x580
[ 130.259308][ T1078] ? check_panic_on_warn+0x1f/0xb0
[ 130.264436][ T1078] ? btusb_disconnect+0x4dc/0x580
[ 130.269469][ T1078] check_panic_on_warn+0xab/0xb0
[ 130.274409][ T1078] end_report+0x107/0x170
[ 130.278744][ T1078] kasan_report+0xee/0x110
[ 130.283180][ T1078] ? btusb_disconnect+0x4dc/0x580
[ 130.288214][ T1078] btusb_disconnect+0x4dc/0x580
[ 130.293327][ T1078] usb_unbind_interface+0x1da/0x9a0
[ 130.298535][ T1078] ? kernfs_remove_by_name_ns+0xbe/0x110
[ 130.304189][ T1078] ? __pfx_usb_unbind_interface+0x10/0x10
[ 130.309911][ T1078] device_remove+0x125/0x170
[ 130.314592][ T1078] device_release_driver_internal+0x44b/0x620
[ 130.320666][ T1078] bus_remove_device+0x22f/0x420
[ 130.325616][ T1078] device_del+0x396/0x9f0
[ 130.329949][ T1078] ? __pfx_device_del+0x10/0x10
[ 130.334798][ T1078] ? kobject_put+0x210/0x5a0
[ 130.339405][ T1078] usb_disable_device+0x355/0x7d0
[ 130.344437][ T1078] usb_disconnect+0x2e1/0x9c0
[ 130.349120][ T1078] hub_event+0x1aa0/0x5030
[ 130.353567][ T1078] ? __lock_acquire+0xb8a/0x1c90
[ 130.358681][ T1078] ? __pfx_hub_event+0x10/0x10
[ 130.363441][ T1078] ? assoc_array_gc+0xb40/0x15b0
[ 130.368402][ T1078] ? rcu_is_watching+0x12/0xc0
[ 130.373173][ T1078] process_one_work+0x9cc/0x1b70
[ 130.378121][ T1078] ? __pfx_hub_event+0x10/0x10
[ 130.382882][ T1078] ? __pfx_process_one_work+0x10/0x10
[ 130.388271][ T1078] ? assign_work+0x1a0/0x250
[ 130.392880][ T1078] worker_thread+0x6c8/0xf10
[ 130.397487][ T1078] ? __kthread_parkme+0x19e/0x250
[ 130.402533][ T1078] ? __pfx_worker_thread+0x10/0x10
[ 130.407772][ T1078] kthread+0x3c2/0x780
[ 130.411873][ T1078] ? __pfx_kthread+0x10/0x10
[ 130.416477][ T1078] ? rcu_is_watching+0x12/0xc0
[ 130.421267][ T1078] ? __pfx_kthread+0x10/0x10
[ 130.425865][ T1078] ret_from_fork+0x5b3/0x6c0
[ 130.430760][ T1078] ? __pfx_kthread+0x10/0x10
[ 130.435381][ T1078] ret_from_fork_asm+0x1a/0x30
[ 130.440176][ T1078] </TASK>
[ 130.443431][ T1078] Kernel Offset: disabled
[ 130.447751][ T1078] Rebooting in 86400 seconds..