Warning: Permanently added '10.128.0.23' (ED25519) to the list of known hosts.
executing program
[   60.229480][   T29] audit: type=1400 audit(1721917203.822:80): avc:  denied  { execmem } for  pid=2645 comm="syz-executor413" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   60.261611][   T29] audit: type=1400 audit(1721917203.832:81): avc:  denied  { read write } for  pid=2646 comm="syz-executor413" name="raw-gadget" dev="devtmpfs" ino=140 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   60.285449][   T29] audit: type=1400 audit(1721917203.832:82): avc:  denied  { open } for  pid=2646 comm="syz-executor413" path="/dev/raw-gadget" dev="devtmpfs" ino=140 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   60.309161][   T29] audit: type=1400 audit(1721917203.832:83): avc:  denied  { ioctl } for  pid=2646 comm="syz-executor413" path="/dev/raw-gadget" dev="devtmpfs" ino=140 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   60.499715][   T41] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   60.679584][   T41] usb 1-1: Using ep0 maxpacket: 8
[   60.686639][   T41] usb 1-1: unable to get BOS descriptor or descriptor too short
[   60.696078][   T41] usb 1-1: config 0 has an invalid interface number: 199 but max is 3
[   60.704391][   T41] usb 1-1: config 0 has an invalid interface descriptor of length 2, skipping
[   60.713315][   T41] usb 1-1: config 0 has an invalid interface number: 54 but max is 3
[   60.721429][   T41] usb 1-1: config 0 contains an unexpected descriptor of type 0x2, skipping
[   60.730136][   T41] usb 1-1: config 0 has an invalid interface number: 108 but max is 3
[   60.738301][   T41] usb 1-1: config 0 contains an unexpected descriptor of type 0x1, skipping
[   60.747083][   T41] usb 1-1: config 0 has no interface number 1
[   60.753213][   T41] usb 1-1: config 0 has no interface number 2
[   60.759291][   T41] usb 1-1: config 0 has no interface number 3
[   60.765480][   T41] usb 1-1: config 0 interface 199 altsetting 14 endpoint 0xC has invalid wMaxPacketSize 0
[   60.775536][   T41] usb 1-1: config 0 interface 199 altsetting 14 bulk endpoint 0x8 has invalid maxpacket 32
[   60.785566][   T41] usb 1-1: config 0 interface 199 altsetting 14 endpoint 0x9 has invalid maxpacket 959, setting to 64
[   60.796612][   T41] usb 1-1: config 0 interface 199 altsetting 14 has a duplicate endpoint with address 0xA, skipping
[   60.807432][   T41] usb 1-1: config 0 interface 199 altsetting 14 has an invalid descriptor for endpoint zero, skipping
[   60.818413][   T41] usb 1-1: config 0 interface 199 altsetting 14 has a duplicate endpoint with address 0x8, skipping
[   60.829214][   T41] usb 1-1: config 0 interface 199 altsetting 14 has a duplicate endpoint with address 0x9, skipping
[   60.840020][   T41] usb 1-1: config 0 interface 199 altsetting 14 has an invalid descriptor for endpoint zero, skipping
[   60.850997][   T41] usb 1-1: config 0 interface 199 altsetting 14 endpoint 0xE has invalid maxpacket 443, setting to 64
[   60.861993][   T41] usb 1-1: config 0 interface 199 altsetting 14 has a duplicate endpoint with address 0x8, skipping
[   60.872794][   T41] usb 1-1: config 0 interface 199 altsetting 14 has an invalid descriptor for endpoint zero, skipping
[   60.883767][   T41] usb 1-1: config 0 interface 199 altsetting 14 has 13 endpoint descriptors, different from the interface descriptor's value: 15
[   60.897119][   T41] usb 1-1: config 0 interface 0 altsetting 1 has a duplicate endpoint with address 0x3, skipping
[   60.907684][   T41] usb 1-1: config 0 interface 0 altsetting 1 has a duplicate endpoint with address 0x8, skipping
[   60.918232][   T41] usb 1-1: config 0 interface 0 altsetting 1 has a duplicate endpoint with address 0xE, skipping
[   60.928775][   T41] usb 1-1: config 0 interface 0 altsetting 1 has a duplicate endpoint with address 0x7, skipping
[   60.939312][   T41] usb 1-1: config 0 interface 0 altsetting 1 has a duplicate endpoint with address 0xD, skipping
[   60.949852][   T41] usb 1-1: config 0 interface 0 altsetting 1 has an invalid endpoint descriptor of length 2, skipping
[   60.960827][   T41] usb 1-1: config 0 interface 0 altsetting 1 endpoint 0xF has invalid maxpacket 1024, setting to 64
[   60.971634][   T41] usb 1-1: config 0 interface 0 altsetting 1 has 12 endpoint descriptors, different from the interface descriptor's value: 11
[   60.984721][   T41] usb 1-1: config 0 interface 54 altsetting 10 has an invalid descriptor for endpoint zero, skipping
[   60.995607][   T41] usb 1-1: config 0 interface 54 altsetting 10 has a duplicate endpoint with address 0xF, skipping
[   61.006314][   T41] usb 1-1: config 0 interface 54 altsetting 10 has a duplicate endpoint with address 0xC, skipping
[   61.017035][   T41] usb 1-1: config 0 interface 54 altsetting 10 has an invalid descriptor for endpoint zero, skipping
[   61.027923][   T41] usb 1-1: config 0 interface 54 altsetting 10 has a duplicate endpoint with address 0xF, skipping
[   61.038699][   T41] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0x1, skipping
[   61.049559][   T41] usb 1-1: config 0 interface 108 altsetting 8 has an invalid descriptor for endpoint zero, skipping
[   61.060465][   T41] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0x9, skipping
[   61.071178][   T41] usb 1-1: config 0 interface 108 altsetting 8 has an endpoint descriptor with address 0x1A, changing to 0xA
[   61.082770][   T41] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0xA, skipping
[   61.093480][   T41] usb 1-1: config 0 interface 108 altsetting 8 has an invalid descriptor for endpoint zero, skipping
[   61.104371][   T41] usb 1-1: config 0 interface 108 altsetting 8 endpoint 0x5 has an invalid bInterval 118, changing to 7
[   61.115580][   T41] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0x5, skipping
[   61.126588][   T41] usb 1-1: config 0 interface 108 altsetting 8 has an invalid descriptor for endpoint zero, skipping
[   61.137489][   T41] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0x8, skipping
[   61.148234][   T41] usb 1-1: config 0 interface 108 altsetting 8 has a duplicate endpoint with address 0xE, skipping
[   61.158963][   T41] usb 1-1: config 0 interface 199 has no altsetting 0
[   61.165763][   T41] usb 1-1: config 0 interface 0 has no altsetting 0
[   61.172397][   T41] usb 1-1: config 0 interface 54 has no altsetting 0
[   61.179079][   T41] usb 1-1: config 0 interface 108 has no altsetting 0
[   61.188576][   T41] usb 1-1: string descriptor 0 read error: -22
[   61.194976][   T41] usb 1-1: New USB device found, idVendor=0424, idProduct=c001, bcdDevice=1c.8f
[   61.204043][   T41] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   61.216382][   T41] usb 1-1: config 0 descriptor??
[   61.223246][ T2646] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22
executing program
[   61.433627][    T9] usb 1-1: USB disconnect, device number 2
[   61.459280][    T9] ==================================================================
[   61.467365][    T9] BUG: KASAN: slab-use-after-free in hdm_disconnect+0x227/0x250
[   61.475005][    T9] Read of size 8 at addr ffff888113749898 by task kworker/0:1/9
[   61.482615][    T9] 
[   61.484931][    T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.10.0-syzkaller-g933069701c1b #0
[   61.494557][    T9] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[   61.504608][    T9] Workqueue: usb_hub_wq hub_event
[   61.509641][    T9] Call Trace:
[   61.512908][    T9]  <TASK>
[   61.515820][    T9]  dump_stack_lvl+0x116/0x1f0
[   61.520500][    T9]  print_report+0xc3/0x620
[   61.524906][    T9]  ? __virt_addr_valid+0x5e/0x590
[   61.529912][    T9]  ? __phys_addr+0xc6/0x150
[   61.534394][    T9]  kasan_report+0xd9/0x110
[   61.538797][    T9]  ? hdm_disconnect+0x227/0x250
[   61.543637][    T9]  ? hdm_disconnect+0x227/0x250
[   61.548474][    T9]  hdm_disconnect+0x227/0x250
[   61.553138][    T9]  usb_unbind_interface+0x1e8/0x970
[   61.558320][    T9]  ? kernfs_find_ns+0x2ee/0x3f0
[   61.563163][    T9]  ? __pfx_usb_unbind_interface+0x10/0x10
[   61.568863][    T9]  device_remove+0x122/0x170
[   61.573440][    T9]  device_release_driver_internal+0x44a/0x610
[   61.579500][    T9]  bus_remove_device+0x22f/0x420
[   61.584438][    T9]  device_del+0x396/0x9f0
[   61.588751][    T9]  ? __pfx_device_del+0x10/0x10
[   61.593594][    T9]  ? kobject_put+0x226/0x5b0
[   61.598174][    T9]  usb_disable_device+0x36c/0x7f0
[   61.603191][    T9]  usb_disconnect+0x2e1/0x920
[   61.607857][    T9]  hub_event+0x1be4/0x4f50
[   61.612265][    T9]  ? __pfx_hub_event+0x10/0x10
[   61.617013][    T9]  ? __pfx_lock_acquire+0x10/0x10
[   61.622025][    T9]  ? __pfx_lock_release+0x10/0x10
[   61.627039][    T9]  process_one_work+0x9c5/0x1b40
[   61.631968][    T9]  ? __pfx_lock_acquire+0x10/0x10
[   61.636975][    T9]  ? __pfx_process_one_work+0x10/0x10
[   61.642331][    T9]  ? assign_work+0x1a0/0x250
[   61.646903][    T9]  worker_thread+0x6c8/0xf20
[   61.651478][    T9]  ? __kthread_parkme+0x148/0x220
[   61.656490][    T9]  ? __pfx_worker_thread+0x10/0x10
[   61.661587][    T9]  kthread+0x2c1/0x3a0
[   61.665643][    T9]  ? _raw_spin_unlock_irq+0x23/0x50
[   61.670833][    T9]  ? __pfx_kthread+0x10/0x10
[   61.675425][    T9]  ret_from_fork+0x45/0x80
[   61.679830][    T9]  ? __pfx_kthread+0x10/0x10
[   61.684419][    T9]  ret_from_fork_asm+0x1a/0x30
[   61.689179][    T9]  </TASK>
[   61.692179][    T9] 
[   61.694483][    T9] Allocated by task 41:
[   61.698612][    T9]  kasan_save_stack+0x33/0x60
[   61.703271][    T9]  kasan_save_track+0x14/0x30
[   61.707927][    T9]  __kasan_kmalloc+0x8f/0xa0
[   61.712496][    T9]  hdm_probe+0xb3/0x1880
[   61.716724][    T9]  usb_probe_interface+0x309/0x9d0
[   61.721817][    T9]  really_probe+0x23e/0xa90
[   61.726306][    T9]  __driver_probe_device+0x1de/0x440
[   61.731573][    T9]  driver_probe_device+0x4c/0x1b0
[   61.736590][    T9]  __device_attach_driver+0x1df/0x310
[   61.741948][    T9]  bus_for_each_drv+0x157/0x1e0
[   61.746780][    T9]  __device_attach+0x1e8/0x4b0
[   61.751532][    T9]  bus_probe_device+0x17f/0x1c0
[   61.756365][    T9]  device_add+0x114b/0x1a70
[   61.760854][    T9]  usb_set_configuration+0x10cb/0x1c50
[   61.766304][    T9]  usb_generic_driver_probe+0xb1/0x110
[   61.771747][    T9]  usb_probe_device+0xec/0x3e0
[   61.776490][    T9]  really_probe+0x23e/0xa90
[   61.780979][    T9]  __driver_probe_device+0x1de/0x440
[   61.786248][    T9]  driver_probe_device+0x4c/0x1b0
[   61.791256][    T9]  __device_attach_driver+0x1df/0x310
[   61.796612][    T9]  bus_for_each_drv+0x157/0x1e0
[   61.801446][    T9]  __device_attach+0x1e8/0x4b0
[   61.806193][    T9]  bus_probe_device+0x17f/0x1c0
[   61.811025][    T9]  device_add+0x114b/0x1a70
[   61.815519][    T9]  usb_new_device+0xd90/0x1a10
[   61.820270][    T9]  hub_event+0x2e66/0x4f50
[   61.824666][    T9]  process_one_work+0x9c5/0x1b40
[   61.829588][    T9]  worker_thread+0x6c8/0xf20
[   61.834162][    T9]  kthread+0x2c1/0x3a0
[   61.838214][    T9]  ret_from_fork+0x45/0x80
[   61.842617][    T9]  ret_from_fork_asm+0x1a/0x30
[   61.847365][    T9] 
[   61.849669][    T9] Freed by task 9:
[   61.853367][    T9]  kasan_save_stack+0x33/0x60
[   61.858025][    T9]  kasan_save_track+0x14/0x30
[   61.862682][    T9]  kasan_save_free_info+0x3b/0x60
[   61.867694][    T9]  poison_slab_object+0xf7/0x160
[   61.872612][    T9]  __kasan_slab_free+0x14/0x30
[   61.877354][    T9]  kfree+0x10b/0x380
[   61.881232][    T9]  device_release+0xa1/0x240
[   61.885801][    T9]  kobject_put+0x1fa/0x5b0
[   61.890204][    T9]  device_unregister+0x2f/0xc0
[   61.894951][    T9]  hdm_disconnect+0x10b/0x250
[   61.899621][    T9]  usb_unbind_interface+0x1e8/0x970
[   61.904804][    T9]  device_remove+0x122/0x170
[   61.909401][    T9]  device_release_driver_internal+0x44a/0x610
[   61.915455][    T9]  bus_remove_device+0x22f/0x420
[   61.920375][    T9]  device_del+0x396/0x9f0
[   61.924687][    T9]  usb_disable_device+0x36c/0x7f0
[   61.929699][    T9]  usb_disconnect+0x2e1/0x920
[   61.934361][    T9]  hub_event+0x1be4/0x4f50
[   61.938755][    T9]  process_one_work+0x9c5/0x1b40
[   61.943675][    T9]  worker_thread+0x6c8/0xf20
[   61.948248][    T9]  kthread+0x2c1/0x3a0
[   61.952302][    T9]  ret_from_fork+0x45/0x80
[   61.956707][    T9]  ret_from_fork_asm+0x1a/0x30
[   61.961457][    T9] 
[   61.963760][    T9] The buggy address belongs to the object at ffff888113748000
[   61.963760][    T9]  which belongs to the cache kmalloc-8k of size 8192
[   61.977797][    T9] The buggy address is located 6296 bytes inside of
[   61.977797][    T9]  freed 8192-byte region [ffff888113748000, ffff88811374a000)
[   61.991747][    T9] 
[   61.994053][    T9] The buggy address belongs to the physical page:
[   62.000450][    T9] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113748
[   62.009281][    T9] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   62.017756][    T9] flags: 0x200000000000040(head|node=0|zone=2)
[   62.023900][    T9] page_type: 0xfdffffff(slab)
[   62.028572][    T9] raw: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[   62.037154][    T9] raw: 0000000000000000 0000000000020002 00000001fdffffff 0000000000000000
[   62.045724][    T9] head: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[   62.054379][    T9] head: 0000000000000000 0000000000020002 00000001fdffffff 0000000000000000
[   62.063035][    T9] head: 0200000000000003 ffffea00044dd201 ffffffffffffffff 0000000000000000
[   62.071691][    T9] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[   62.080339][    T9] page dumped because: kasan: bad access detected
[   62.086729][    T9] page_owner tracks the page as allocated
[   62.092433][    T9] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 41, tgid 41 (kworker/1:1), ts 61234634554, free_ts 60210168103
[   62.113343][    T9]  post_alloc_hook+0x2d1/0x350
[   62.118097][    T9]  get_page_from_freelist+0x1311/0x25f0
[   62.123628][    T9]  __alloc_pages_noprof+0x21e/0x2290
[   62.128900][    T9]  alloc_slab_page+0x4e/0xf0
[   62.133472][    T9]  new_slab+0x84/0x260
[   62.137527][    T9]  ___slab_alloc+0xdac/0x1870
[   62.142188][    T9]  __slab_alloc.constprop.0+0x56/0xb0
[   62.147544][    T9]  __kmalloc_cache_noprof+0x27a/0x2c0
[   62.152901][    T9]  hdm_probe+0xb3/0x1880
[   62.157130][    T9]  usb_probe_interface+0x309/0x9d0
[   62.162225][    T9]  really_probe+0x23e/0xa90
[   62.166712][    T9]  __driver_probe_device+0x1de/0x440
[   62.171980][    T9]  driver_probe_device+0x4c/0x1b0
[   62.176991][    T9]  __device_attach_driver+0x1df/0x310
[   62.182349][    T9]  bus_for_each_drv+0x157/0x1e0
[   62.187180][    T9]  __device_attach+0x1e8/0x4b0
[   62.191929][    T9] page last free pid 2645 tgid 2645 stack trace:
[   62.198232][    T9]  free_unref_page+0x698/0xce0
[   62.202980][    T9]  qlist_free_all+0x4e/0x140
[   62.207557][    T9]  kasan_quarantine_reduce+0x192/0x1e0
[   62.213002][    T9]  __kasan_slab_alloc+0x4e/0x70
[   62.217834][    T9]  kmem_cache_alloc_noprof+0x11c/0x2b0
[   62.223276][    T9]  getname_flags.part.0+0x4c/0x550
[   62.228370][    T9]  getname+0x8d/0xe0
[   62.232248][    T9]  do_sys_openat2+0x104/0x1e0
[   62.236905][    T9]  __x64_sys_openat+0x175/0x210
[   62.241735][    T9]  do_syscall_64+0xcd/0x250
[   62.246224][    T9]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   62.252106][    T9] 
[   62.254408][    T9] Memory state around the buggy address:
[   62.260025][    T9]  ffff888113749780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.268117][    T9]  ffff888113749800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.276164][    T9] >ffff888113749880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.284206][    T9]                             ^
[   62.289032][    T9]  ffff888113749900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.297341][    T9]  ffff888113749980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.305382][    T9] ==================================================================
[   62.313523][    T9] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   62.320731][    T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.10.0-syzkaller-g933069701c1b #0
[   62.330378][    T9] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[   62.340446][    T9] Workqueue: usb_hub_wq hub_event
[   62.345463][    T9] Call Trace:
[   62.348724][    T9]  <TASK>
[   62.351817][    T9]  dump_stack_lvl+0x3d/0x1f0
[   62.356414][    T9]  panic+0x6f5/0x7a0
[   62.360298][    T9]  ? mark_held_locks+0x9f/0xe0
[   62.365044][    T9]  ? __pfx_panic+0x10/0x10
[   62.369465][    T9]  ? irqentry_exit+0x3b/0x90
[   62.374136][    T9]  ? lockdep_hardirqs_on+0x7c/0x110
[   62.379321][    T9]  ? check_panic_on_warn+0x1f/0xb0
[   62.384420][    T9]  check_panic_on_warn+0xab/0xb0
[   62.389345][    T9]  end_report+0x117/0x180
[   62.393666][    T9]  kasan_report+0xe9/0x110
[   62.398068][    T9]  ? hdm_disconnect+0x227/0x250
[   62.402993][    T9]  ? hdm_disconnect+0x227/0x250
[   62.407831][    T9]  hdm_disconnect+0x227/0x250
[   62.412496][    T9]  usb_unbind_interface+0x1e8/0x970
[   62.417687][    T9]  ? kernfs_find_ns+0x2ee/0x3f0
[   62.422529][    T9]  ? __pfx_usb_unbind_interface+0x10/0x10
[   62.428232][    T9]  device_remove+0x122/0x170
[   62.432811][    T9]  device_release_driver_internal+0x44a/0x610
[   62.438866][    T9]  bus_remove_device+0x22f/0x420
[   62.443789][    T9]  device_del+0x396/0x9f0
[   62.448102][    T9]  ? __pfx_device_del+0x10/0x10
[   62.452939][    T9]  ? kobject_put+0x226/0x5b0
[   62.457515][    T9]  usb_disable_device+0x36c/0x7f0
[   62.462536][    T9]  usb_disconnect+0x2e1/0x920
[   62.467291][    T9]  hub_event+0x1be4/0x4f50
[   62.471692][    T9]  ? __pfx_hub_event+0x10/0x10
[   62.476438][    T9]  ? __pfx_lock_acquire+0x10/0x10
[   62.481490][    T9]  ? __pfx_lock_release+0x10/0x10
[   62.486506][    T9]  process_one_work+0x9c5/0x1b40
[   62.491465][    T9]  ? __pfx_lock_acquire+0x10/0x10
[   62.496479][    T9]  ? __pfx_process_one_work+0x10/0x10
[   62.501839][    T9]  ? assign_work+0x1a0/0x250
[   62.506585][    T9]  worker_thread+0x6c8/0xf20
[   62.511192][    T9]  ? __kthread_parkme+0x148/0x220
[   62.516240][    T9]  ? __pfx_worker_thread+0x10/0x10
[   62.521353][    T9]  kthread+0x2c1/0x3a0
[   62.525428][    T9]  ? _raw_spin_unlock_irq+0x23/0x50
[   62.530615][    T9]  ? __pfx_kthread+0x10/0x10
[   62.535196][    T9]  ret_from_fork+0x45/0x80
[   62.539605][    T9]  ? __pfx_kthread+0x10/0x10
[   62.544188][    T9]  ret_from_fork_asm+0x1a/0x30
[   62.548941][    T9]  </TASK>
[   62.552168][    T9] Kernel Offset: disabled
[   62.556487][    T9] Rebooting in 86400 seconds..