Warning: Permanently added '10.128.0.52' (ED25519) to the list of known hosts.
syzkaller login: [   71.788086][    T9] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   71.801824][    T9] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   71.816549][   T11] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[   71.827571][   T11] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
executing program
[   71.835861][   T11] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   71.844417][   T11] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[   72.135352][  T953] usb 1-1: new full-speed USB device number 2 using dummy_hcd
[   72.318139][  T953] usb 1-1: New USB device found, idVendor=0424, idProduct=cf30, bcdDevice= 0.4a
[   72.327644][  T953] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   72.338769][  T953] usb 1-1: config 0 descriptor??
[   72.552305][   T14] usb 1-1: USB disconnect, device number 2
[   72.561214][   T14] ==================================================================
[   72.569670][   T14] BUG: KASAN: use-after-free in hdm_disconnect+0x109/0x1c0
[   72.577001][   T14] Read of size 8 at addr ffff888030e2d898 by task kworker/0:1/14
[   72.584729][   T14] 
[   72.587062][   T14] CPU: 0 PID: 14 Comm: kworker/0:1 Not tainted 6.1.128-syzkaller #0
[   72.595063][   T14] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[   72.605135][   T14] Workqueue: usb_hub_wq hub_event
[   72.610387][   T14] Call Trace:
[   72.613696][   T14]  <TASK>
[   72.616666][   T14]  dump_stack_lvl+0x1e3/0x2cb
[   72.621377][   T14]  ? nf_tcp_handle_invalid+0x642/0x642
[   72.626849][   T14]  ? panic+0x764/0x764
[   72.630938][   T14]  ? _printk+0xd1/0x111
[   72.635126][   T14]  ? __virt_addr_valid+0x17f/0x530
[   72.640261][   T14]  ? __virt_addr_valid+0x17f/0x530
[   72.645383][   T14]  print_report+0x15f/0x4f0
[   72.649885][   T14]  ? __virt_addr_valid+0x17f/0x530
[   72.655090][   T14]  ? __virt_addr_valid+0x17f/0x530
[   72.660223][   T14]  ? __virt_addr_valid+0x45b/0x530
[   72.665344][   T14]  ? __phys_addr+0xb6/0x170
[   72.669885][   T14]  ? hdm_disconnect+0x109/0x1c0
[   72.674746][   T14]  kasan_report+0x136/0x160
[   72.679354][   T14]  ? hdm_disconnect+0x109/0x1c0
[   72.684324][   T14]  hdm_disconnect+0x109/0x1c0
[   72.689044][   T14]  usb_unbind_interface+0x1cd/0x840
[   72.694248][   T14]  ? kernfs_remove_by_name_ns+0x10f/0x150
[   72.699991][   T14]  ? usb_driver_release_interface+0x1c0/0x1c0
[   72.706150][   T14]  device_release_driver_internal+0x59e/0x880
[   72.712239][   T14]  bus_remove_device+0x2e5/0x400
[   72.717185][   T14]  device_del+0x6e2/0xbd0
[   72.721534][   T14]  ? kill_device+0x160/0x160
[   72.726222][   T14]  ? lockdep_hardirqs_on_prepare+0x438/0x7a0
[   72.732225][   T14]  ? usb_disconnect+0xfa/0x8c0
[   72.737001][   T14]  ? mutex_lock_nested+0x10/0x10
[   72.741957][   T14]  usb_disable_device+0x3b8/0x840
[   72.747007][   T14]  usb_disconnect+0x33c/0x8c0
[   72.751742][   T14]  hub_event+0x1f78/0x5730
[   72.756181][   T14]  ? led_work+0x700/0x700
[   72.760520][   T14]  ? read_lock_is_recursive+0x10/0x10
[   72.765931][   T14]  ? lockdep_hardirqs_on_prepare+0x438/0x7a0
[   72.771921][   T14]  ? print_irqtrace_events+0x210/0x210
[   72.777394][   T14]  ? _raw_spin_unlock_irqrestore+0xd9/0x130
[   72.783385][   T14]  ? do_raw_spin_unlock+0x137/0x8a0
[   72.788604][   T14]  ? process_one_work+0x7a9/0x11d0
[   72.793917][   T14]  process_one_work+0x8a9/0x11d0
[   72.798873][   T14]  ? worker_detach_from_pool+0x260/0x260
[   72.804524][   T14]  ? _raw_spin_lock_irqsave+0x120/0x120
[   72.810427][   T14]  ? kthread_data+0x4e/0xc0
[   72.815036][   T14]  ? wq_worker_running+0x97/0x190
[   72.820076][   T14]  worker_thread+0xa47/0x1200
[   72.824779][   T14]  ? _raw_spin_unlock+0x40/0x40
[   72.829642][   T14]  kthread+0x28d/0x320
[   72.833711][   T14]  ? worker_clr_flags+0x190/0x190
[   72.838743][   T14]  ? kthread_blkcg+0xd0/0xd0
[   72.843332][   T14]  ret_from_fork+0x1f/0x30
[   72.847772][   T14]  </TASK>
[   72.850961][   T14] 
[   72.853281][   T14] Allocated by task 953:
[   72.857516][   T14]  kasan_set_track+0x4b/0x70
[   72.862628][   T14]  __kasan_kmalloc+0x97/0xb0
[   72.867242][   T14]  hdm_probe+0x91/0x13d0
[   72.871486][   T14]  usb_probe_interface+0x5c0/0xaf0
[   72.876599][   T14]  really_probe+0x2ab/0xcb0
[   72.881112][   T14]  __driver_probe_device+0x1a2/0x3d0
[   72.886405][   T14]  driver_probe_device+0x50/0x420
[   72.891445][   T14]  __device_attach_driver+0x2cf/0x510
[   72.896843][   T14]  bus_for_each_drv+0x183/0x200
[   72.901704][   T14]  __device_attach+0x359/0x570
[   72.906480][   T14]  bus_probe_device+0xba/0x1e0
[   72.911258][   T14]  device_add+0xb48/0xfd0
[   72.915609][   T14]  usb_set_configuration+0x19dd/0x2020
[   72.921162][   T14]  usb_generic_driver_probe+0x84/0x140
[   72.926749][   T14]  usb_probe_device+0x130/0x260
[   72.931597][   T14]  really_probe+0x2ab/0xcb0
[   72.936100][   T14]  __driver_probe_device+0x1a2/0x3d0
[   72.941388][   T14]  driver_probe_device+0x50/0x420
[   72.946414][   T14]  __device_attach_driver+0x2cf/0x510
[   72.951800][   T14]  bus_for_each_drv+0x183/0x200
[   72.956649][   T14]  __device_attach+0x359/0x570
[   72.961413][   T14]  bus_probe_device+0xba/0x1e0
[   72.966179][   T14]  device_add+0xb48/0xfd0
[   72.970513][   T14]  usb_new_device+0xbdd/0x1900
[   72.975277][   T14]  hub_event+0x2efe/0x5730
[   72.979696][   T14]  process_one_work+0x8a9/0x11d0
[   72.984633][   T14]  worker_thread+0xa47/0x1200
[   72.989308][   T14]  kthread+0x28d/0x320
[   72.993377][   T14]  ret_from_fork+0x1f/0x30
[   72.997799][   T14] 
[   73.000119][   T14] Freed by task 14:
[   73.003917][   T14]  kasan_set_track+0x4b/0x70
[   73.008510][   T14]  kasan_save_free_info+0x27/0x40
[   73.013533][   T14]  ____kasan_slab_free+0xd6/0x120
[   73.018556][   T14]  __kmem_cache_free+0x25c/0x3c0
[   73.023496][   T14]  device_release+0x91/0x1c0
[   73.028089][   T14]  kobject_put+0x224/0x460
[   73.032518][   T14]  hdm_disconnect+0xef/0x1c0
[   73.037138][   T14]  usb_unbind_interface+0x1cd/0x840
[   73.042337][   T14]  device_release_driver_internal+0x59e/0x880
[   73.048406][   T14]  bus_remove_device+0x2e5/0x400
[   73.053360][   T14]  device_del+0x6e2/0xbd0
[   73.057699][   T14]  usb_disable_device+0x3b8/0x840
[   73.062724][   T14]  usb_disconnect+0x33c/0x8c0
[   73.067427][   T14]  hub_event+0x1f78/0x5730
[   73.071884][   T14]  process_one_work+0x8a9/0x11d0
[   73.076889][   T14]  worker_thread+0xa47/0x1200
[   73.081571][   T14]  kthread+0x28d/0x320
[   73.085667][   T14]  ret_from_fork+0x1f/0x30
[   73.090179][   T14] 
[   73.092498][   T14] The buggy address belongs to the object at ffff888030e2c000
[   73.092498][   T14]  which belongs to the cache kmalloc-8k of size 8192
[   73.106641][   T14] The buggy address is located 6296 bytes inside of
[   73.106641][   T14]  8192-byte region [ffff888030e2c000, ffff888030e2e000)
[   73.120350][   T14] 
[   73.122707][   T14] The buggy address belongs to the physical page:
[   73.129163][   T14] page:ffffea0000c38a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x30e28
[   73.140020][   T14] head:ffffea0000c38a00 order:3 compound_mapcount:0 compound_pincount:0
[   73.148520][   T14] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[   73.156613][   T14] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888017c42280
[   73.165199][   T14] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[   73.173948][   T14] page dumped because: kasan: bad access detected
[   73.180467][   T14] page_owner tracks the page as allocated
[   73.186265][   T14] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 22, tgid 22 (kworker/1:0), ts 71875604607, free_ts 71863915419
[   73.205142][   T14]  post_alloc_hook+0x18d/0x1b0
[   73.209983][   T14]  get_page_from_freelist+0x3731/0x38d0
[   73.215533][   T14]  __alloc_pages+0x28d/0x770
[   73.220224][   T14]  alloc_slab_page+0x6a/0x150
[   73.224909][   T14]  new_slab+0x84/0x2d0
[   73.228989][   T14]  ___slab_alloc+0xc20/0x1270
[   73.233668][   T14]  __kmem_cache_alloc_node+0x19f/0x260
[   73.239179][   T14]  __kmalloc+0xa1/0x230
[   73.243347][   T14]  __sta_info_alloc+0x93/0x1f20
[   73.248238][   T14]  ieee80211_ibss_rx_no_sta+0x414/0x740
[   73.254220][   T14]  ieee80211_prepare_and_rx_handle+0x20b9/0x5f10
[   73.260563][   T14]  ieee80211_rx_list+0x29a2/0x3380
[   73.265688][   T14]  ieee80211_rx_napi+0x186/0x3b0
[   73.270636][   T14]  ieee80211_handle_queued_frames+0x103/0x1b0
[   73.276717][   T14]  tasklet_action_common+0x3cb/0x4a0
[   73.282096][   T14]  handle_softirqs+0x2ee/0xa40
[   73.286876][   T14] page last free stack trace:
[   73.291548][   T14]  free_unref_page_prepare+0x12a6/0x15b0
[   73.297183][   T14]  free_unref_page+0x33/0x3e0
[   73.301861][   T14]  __unfreeze_partials+0x1b7/0x210
[   73.306987][   T14]  put_cpu_partial+0x17b/0x250
[   73.311755][   T14]  qlist_free_all+0x76/0xe0
[   73.316282][   T14]  kasan_quarantine_reduce+0x156/0x170
[   73.321784][   T14]  __kasan_slab_alloc+0x1f/0x70
[   73.326722][   T14]  slab_post_alloc_hook+0x52/0x3a0
[   73.331953][   T14]  __kmem_cache_alloc_node+0x137/0x260
[   73.337420][   T14]  kmalloc_trace+0x26/0xe0
[   73.341844][   T14]  tomoyo_init_log+0x1bd/0x2040
[   73.346709][   T14]  tomoyo_supervisor+0x396/0x12d0
[   73.351742][   T14]  tomoyo_path_number_perm+0x58d/0x7f0
[   73.357206][   T14]  tomoyo_path_mkdir+0xe3/0x120
[   73.362057][   T14]  security_path_mkdir+0xdc/0x130
[   73.367087][   T14]  do_mkdirat+0x185/0x360
[   73.371423][   T14] 
[   73.373745][   T14] Memory state around the buggy address:
[   73.379369][   T14]  ffff888030e2d780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.387452][   T14]  ffff888030e2d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.395512][   T14] >ffff888030e2d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.403571][   T14]