program:
# Reproducer: a single syz_usb_connect call that presents an emulated USB
# device; the kernel log that follows shows it enumerating as "usb 5-1" on
# dummy_hcd and the crash firing on disconnect.
# Values in the descriptor blob that can be matched against the log lines:
#   device:    0x424 / 0xcf30 / 0x2c40 -> idVendor=0424, idProduct=cf30, bcdDevice=2c.40
#              0x8 -> "Using ep0 maxpacket: 8"; 0x1, 0x2, 0x3 -> Mfr=1, Product=2, SerialNumber=3
#   config:    0xa  -> "config 10"
#   interface: 0x81 -> "invalid interface number: 129 but max is 0"
#              0x7  -> alternate setting 7, hence "has no altsetting 0"
# NOTE(review): the field mapping assumes the standard USB device/config/interface
# descriptor layout; 0x24 looks like the total descriptor length (0x12 + 0x12) - confirm
# against the syz_usb_connect definition.
# Triage summary taken from the KASAN report: the object is a kmalloc-8k allocation
# made in hdm_probe; it is freed via kobject_put() at hdm_disconnect+0xf3 and then
# read (8 bytes, offset 6296) at hdm_disconnect+0x10d in the same task, i.e. the
# disconnect path appears to touch the object after dropping what was the last reference.
syz_usb_connect(0x5, 0x24, &(0x7f0000001440)={{0x12, 0x1, 0x200, 0x1b, 0xec, 0x9f, 0x8, 0x424, 0xcf30, 0x2c40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0xa, 0x7f, 0x30, 0x5, [{{0x9, 0x4, 0x81, 0x7, 0x0, 0x6e, 0xa, 0x15, 0x10}}]}}]}}, 0x0)
[ 85.460226][ T5304] Bluetooth: hci0: command tx timeout
[ 85.727364][ T5325] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 85.878407][ T5325] usb 5-1: Using ep0 maxpacket: 8
[ 85.885342][ T5325] usb 5-1: config 10 has an invalid interface number: 129 but max is 0
[ 85.890107][ T5325] usb 5-1: config 10 has no interface number 0
[ 85.893218][ T5325] usb 5-1: config 10 interface 129 has no altsetting 0
[ 85.899898][ T5325] usb 5-1: New USB device found, idVendor=0424, idProduct=cf30, bcdDevice=2c.40
[ 85.904143][ T5325] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 85.909821][ T5325] usb 5-1: Product: syz
[ 85.912139][ T5325] usb 5-1: Manufacturer: syz
[ 85.914501][ T5325] usb 5-1: SerialNumber: syz
[ 86.150718][ T5325] usb 5-1: USB disconnect, device number 2
[ 86.162213][ T5325] ==================================================================
[ 86.166062][ T5325] BUG: KASAN: slab-use-after-free in hdm_disconnect+0x10d/0x1c0
[ 86.169558][ T5325] Read of size 8 at addr ffff888043839898 by task kworker/0:5/5325
[ 86.173182][ T5325]
[ 86.174385][ T5325] CPU: 0 UID: 0 PID: 5325 Comm: kworker/0:5 Not tainted 6.16.0-rc4-syzkaller-00013-g66701750d556 #0 PREEMPT(full)
[ 86.174399][ T5325] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 86.174406][ T5325] Workqueue: usb_hub_wq hub_event
[ 86.174425][ T5325] Call Trace:
[ 86.174432][ T5325] <TASK>
[ 86.174437][ T5325] dump_stack_lvl+0x189/0x250
[ 86.174454][ T5325] ? __virt_addr_valid+0x1c8/0x5c0
[ 86.174463][ T5325] ? rcu_is_watching+0x15/0xb0
[ 86.174477][ T5325] ? __kasan_check_byte+0x12/0x40
[ 86.174528][ T5325] ? __pfx_dump_stack_lvl+0x10/0x10
[ 86.174540][ T5325] ? rcu_is_watching+0x15/0xb0
[ 86.174553][ T5325] ? lock_release+0x4b/0x3e0
[ 86.174568][ T5325] ? __virt_addr_valid+0x1c8/0x5c0
[ 86.174577][ T5325] ? __virt_addr_valid+0x4a5/0x5c0
[ 86.174587][ T5325] print_report+0xd2/0x2b0
[ 86.174600][ T5325] ? hdm_disconnect+0x10d/0x1c0
[ 86.174610][ T5325] kasan_report+0x118/0x150
[ 86.174620][ T5325] ? hdm_disconnect+0x10d/0x1c0
[ 86.174633][ T5325] hdm_disconnect+0x10d/0x1c0
[ 86.174645][ T5325] usb_unbind_interface+0x26b/0x8f0
[ 86.174662][ T5325] ? __pfx_usb_unbind_interface+0x10/0x10
[ 86.174676][ T5325] device_release_driver_internal+0x4d6/0x7c0
[ 86.174689][ T5325] bus_remove_device+0x34d/0x410
[ 86.174702][ T5325] device_del+0x511/0x8e0
[ 86.174713][ T5325] ? __pm_runtime_barrier+0x212/0x460
[ 86.174723][ T5325] ? __pfx_device_del+0x10/0x10
[ 86.174731][ T5325] ? __pfx___mutex_lock+0x10/0x10
[ 86.174780][ T5325] usb_disable_device+0x3e9/0x8a0
[ 86.174795][ T5325] usb_disconnect+0x330/0x910
[ 86.174809][ T5325] hub_event+0x1cdb/0x4a00
[ 86.174827][ T5325] ? do_raw_spin_lock+0x121/0x290
[ 86.174839][ T5325] ? register_lock_class+0x51/0x320
[ 86.174855][ T5325] ? __pfx_hub_event+0x10/0x10
[ 86.174868][ T5325] ? process_scheduled_works+0x9ef/0x17b0
[ 86.174883][ T5325] ? _raw_spin_unlock_irq+0x23/0x50
[ 86.174895][ T5325] ? process_scheduled_works+0x9ef/0x17b0
[ 86.174907][ T5325] ? process_scheduled_works+0x9ef/0x17b0
[ 86.174921][ T5325] process_scheduled_works+0xade/0x17b0
[ 86.174939][ T5325] ? __pfx_process_scheduled_works+0x10/0x10
[ 86.174956][ T5325] worker_thread+0x8a0/0xda0
[ 86.174969][ T5325] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 86.174983][ T5325] ? __kthread_parkme+0x7b/0x200
[ 86.175001][ T5325] kthread+0x70e/0x8a0
[ 86.175013][ T5325] ? __pfx_worker_thread+0x10/0x10
[ 86.175025][ T5325] ? __pfx_kthread+0x10/0x10
[ 86.175034][ T5325] ? _raw_spin_unlock_irq+0x23/0x50
[ 86.175045][ T5325] ? lockdep_hardirqs_on+0x9c/0x150
[ 86.175057][ T5325] ? __pfx_kthread+0x10/0x10
[ 86.175067][ T5325] ret_from_fork+0x3fc/0x770
[ 86.175082][ T5325] ? __pfx_ret_from_fork+0x10/0x10
[ 86.175095][ T5325] ? __pfx_kthread+0x10/0x10
[ 86.175105][ T5325] ret_from_fork_asm+0x1a/0x30
[ 86.175118][ T5325] </TASK>
[ 86.175122][ T5325]
[ 86.310371][ T5325] Allocated by task 5325:
[ 86.312367][ T5325] kasan_save_track+0x3e/0x80
[ 86.315488][ T5325] __kasan_kmalloc+0x93/0xb0
[ 86.317957][ T5325] __kmalloc_cache_noprof+0x230/0x3d0
[ 86.320482][ T5325] hdm_probe+0x96/0x1400
[ 86.322542][ T5325] usb_probe_interface+0x641/0xbc0
[ 86.324896][ T5325] really_probe+0x26a/0x9a0
[ 86.327066][ T5325] __driver_probe_device+0x18c/0x2f0
[ 86.329472][ T5325] driver_probe_device+0x4f/0x430
[ 86.331865][ T5325] __device_attach_driver+0x2ce/0x530
[ 86.334670][ T5325] bus_for_each_drv+0x251/0x2e0
[ 86.337135][ T5325] __device_attach+0x2b8/0x400
[ 86.339441][ T5325] bus_probe_device+0x185/0x260
[ 86.341793][ T5325] device_add+0x7b6/0xb50
[ 86.343751][ T5325] usb_set_configuration+0x1a87/0x20e0
[ 86.346222][ T5325] usb_generic_driver_probe+0x8d/0x150
[ 86.348739][ T5325] usb_probe_device+0x1c1/0x390
[ 86.350931][ T5325] really_probe+0x26a/0x9a0
[ 86.352966][ T5325] __driver_probe_device+0x18c/0x2f0
[ 86.355430][ T5325] driver_probe_device+0x4f/0x430
[ 86.357720][ T5325] __device_attach_driver+0x2ce/0x530
[ 86.360217][ T5325] bus_for_each_drv+0x251/0x2e0
[ 86.362505][ T5325] __device_attach+0x2b8/0x400
[ 86.364634][ T5325] bus_probe_device+0x185/0x260
[ 86.366925][ T5325] device_add+0x7b6/0xb50
[ 86.368892][ T5325] usb_new_device+0xa39/0x16c0
[ 86.371080][ T5325] hub_event+0x2941/0x4a00
[ 86.373260][ T5325] process_scheduled_works+0xade/0x17b0
[ 86.375689][ T5325] worker_thread+0x8a0/0xda0
[ 86.377878][ T5325] kthread+0x70e/0x8a0
[ 86.379749][ T5325] ret_from_fork+0x3fc/0x770
[ 86.381955][ T5325] ret_from_fork_asm+0x1a/0x30
[ 86.384510][ T5325]
[ 86.387017][ T5325] Freed by task 5325:
[ 86.388974][ T5325] kasan_save_track+0x3e/0x80
[ 86.391059][ T5325] kasan_save_free_info+0x46/0x50
[ 86.393391][ T5325] __kasan_slab_free+0x62/0x70
[ 86.395606][ T5325] kfree+0x18e/0x440
[ 86.397410][ T5325] device_release+0x99/0x1c0
[ 86.399526][ T5325] kobject_put+0x22b/0x480
[ 86.401627][ T5325] hdm_disconnect+0xf3/0x1c0
[ 86.403975][ T5325] usb_unbind_interface+0x26b/0x8f0
[ 86.406892][ T5325] device_release_driver_internal+0x4d6/0x7c0
[ 86.410095][ T5325] bus_remove_device+0x34d/0x410
[ 86.412509][ T5325] device_del+0x511/0x8e0
[ 86.414560][ T5325] usb_disable_device+0x3e9/0x8a0
[ 86.416998][ T5325] usb_disconnect+0x330/0x910
[ 86.419221][ T5325] hub_event+0x1cdb/0x4a00
[ 86.421197][ T5325] process_scheduled_works+0xade/0x17b0
[ 86.423650][ T5325] worker_thread+0x8a0/0xda0
[ 86.425721][ T5325] kthread+0x70e/0x8a0
[ 86.427572][ T5325] ret_from_fork+0x3fc/0x770
[ 86.429690][ T5325] ret_from_fork_asm+0x1a/0x30
[ 86.432543][ T5325]
[ 86.433821][ T5325] The buggy address belongs to the object at ffff888043838000
[ 86.433821][ T5325] which belongs to the cache kmalloc-8k of size 8192
[ 86.440101][ T5325] The buggy address is located 6296 bytes inside of
[ 86.440101][ T5325] freed 8192-byte region [ffff888043838000, ffff88804383a000)
[ 86.446362][ T5325]
[ 86.447488][ T5325] The buggy address belongs to the physical page:
[ 86.450600][ T5325] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43838
[ 86.454808][ T5325] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 86.458561][ T5325] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
[ 86.462152][ T5325] page_type: f5(slab)
[ 86.464042][ T5325] raw: 04fff00000000040 ffff88801a442280 ffffea0001023200 0000000000000002
[ 86.467879][ T5325] raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
[ 86.471809][ T5325] head: 04fff00000000040 ffff88801a442280 ffffea0001023200 0000000000000002
[ 86.476003][ T5325] head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
[ 86.479907][ T5325] head: 04fff00000000003 ffffea00010e0e01 00000000ffffffff 00000000ffffffff
[ 86.483558][ T5325] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 86.487213][ T5325] page dumped because: kasan: bad access detected
[ 86.490198][ T5325] page_owner tracks the page as allocated
[ 86.492817][ T5325] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5291, tgid 5291 (nohup), ts 69940573687, free_ts 67802461516
[ 86.502135][ T5325] post_alloc_hook+0x240/0x2a0
[ 86.504380][ T5325] get_page_from_freelist+0x21e4/0x22c0
[ 86.507033][ T5325] __alloc_frozen_pages_noprof+0x181/0x370
[ 86.509848][ T5325] alloc_pages_mpol+0x232/0x4a0
[ 86.512395][ T5325] allocate_slab+0x8a/0x3b0
[ 86.514762][ T5325] ___slab_alloc+0xbfc/0x1480
[ 86.517218][ T5325] __kmalloc_cache_noprof+0x296/0x3d0
[ 86.519593][ T5325] tomoyo_init_log+0x111f/0x1f70
[ 86.521825][ T5325] tomoyo_supervisor+0x340/0x1480
[ 86.524185][ T5325] tomoyo_env_perm+0x149/0x1e0
[ 86.526418][ T5325] tomoyo_find_next_domain+0x15cf/0x1aa0
[ 86.529467][ T5325] tomoyo_bprm_check_security+0x11c/0x180
[ 86.533126][ T5325] security_bprm_check+0x89/0x270
[ 86.535424][ T5325] bprm_execve+0x8ee/0x1450
[ 86.537435][ T5325] do_execveat_common+0x510/0x6a0
[ 86.539686][ T5325] __x64_sys_execve+0x94/0xb0
[ 86.541931][ T5325] page last free pid 5279 tgid 5279 stack trace:
[ 86.544965][ T5325] __free_frozen_pages+0xc71/0xe70
[ 86.547299][ T5325] __put_partials+0x161/0x1c0
[ 86.549540][ T5325] put_cpu_partial+0x17c/0x250
[ 86.552240][ T5325] __slab_free+0x2f7/0x400
[ 86.555193][ T5325] qlist_free_all+0x97/0x140
[ 86.557741][ T5325] kasan_quarantine_reduce+0x148/0x160
[ 86.560218][ T5325] __kasan_slab_alloc+0x22/0x80
[ 86.562528][ T5325] kmem_cache_alloc_noprof+0x1c1/0x3c0
[ 86.565026][ T5325] getname_flags+0xb8/0x540
[ 86.567211][ T5325] do_sys_openat2+0xbc/0x1c0
[ 86.569395][ T5325] __x64_sys_openat+0x138/0x170
[ 86.571576][ T5325] do_syscall_64+0xfa/0x3b0
[ 86.573723][ T5325] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.576851][ T5325]
[ 86.578135][ T5325] Memory state around the buggy address:
[ 86.580918][ T5325] ffff888043839780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.584609][ T5325] ffff888043839800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.588212][ T5325] >ffff888043839880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.591801][ T5325]                             ^
[ 86.594057][ T5325] ffff888043839900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.597954][ T5325] ffff888043839980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.601764][ T5325] ==================================================================
[ 86.654583][ T5325] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 86.658084][ T5325] CPU: 0 UID: 0 PID: 5325 Comm: kworker/0:5 Not tainted 6.16.0-rc4-syzkaller-00013-g66701750d556 #0 PREEMPT(full)
[ 86.663747][ T5325] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 86.668893][ T5325] Workqueue: usb_hub_wq hub_event
[ 86.671370][ T5325] Call Trace:
[ 86.673094][ T5325] <TASK>
[ 86.674603][ T5325] dump_stack_lvl+0x99/0x250
[ 86.676953][ T5325] ? __asan_memcpy+0x40/0x70
[ 86.679182][ T5325] ? __pfx_dump_stack_lvl+0x10/0x10
[ 86.681566][ T5325] ? __pfx__printk+0x10/0x10
[ 86.683809][ T5325] panic+0x2db/0x790
[ 86.685684][ T5325] ? __pfx_panic+0x10/0x10
[ 86.688016][ T5325] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 86.691006][ T5325] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 86.694002][ T5325] ? print_memory_metadata+0x314/0x400
[ 86.696591][ T5325] ? hdm_disconnect+0x10d/0x1c0
[ 86.698899][ T5325] check_panic_on_warn+0x89/0xb0
[ 86.701236][ T5325] ? hdm_disconnect+0x10d/0x1c0
[ 86.703954][ T5325] end_report+0x78/0x160
[ 86.706724][ T5325] kasan_report+0x129/0x150
[ 86.708987][ T5325] ? hdm_disconnect+0x10d/0x1c0
[ 86.711284][ T5325] hdm_disconnect+0x10d/0x1c0
[ 86.713529][ T5325] usb_unbind_interface+0x26b/0x8f0
[ 86.715985][ T5325] ? __pfx_usb_unbind_interface+0x10/0x10
[ 86.718813][ T5325] device_release_driver_internal+0x4d6/0x7c0
[ 86.722482][ T5325] bus_remove_device+0x34d/0x410
[ 86.725437][ T5325] device_del+0x511/0x8e0
[ 86.727543][ T5325] ? __pm_runtime_barrier+0x212/0x460
[ 86.730249][ T5325] ? __pfx_device_del+0x10/0x10
[ 86.732644][ T5325] ? __pfx___mutex_lock+0x10/0x10
[ 86.735174][ T5325] usb_disable_device+0x3e9/0x8a0
[ 86.737589][ T5325] usb_disconnect+0x330/0x910
[ 86.739892][ T5325] hub_event+0x1cdb/0x4a00
[ 86.742073][ T5325] ? do_raw_spin_lock+0x121/0x290
[ 86.744626][ T5325] ? register_lock_class+0x51/0x320
[ 86.747181][ T5325] ? __pfx_hub_event+0x10/0x10
[ 86.749469][ T5325] ? process_scheduled_works+0x9ef/0x17b0
[ 86.751866][ T5325] ? _raw_spin_unlock_irq+0x23/0x50
[ 86.754122][ T5325] ? process_scheduled_works+0x9ef/0x17b0
[ 86.756752][ T5325] ? process_scheduled_works+0x9ef/0x17b0
[ 86.759168][ T5325] process_scheduled_works+0xade/0x17b0
[ 86.761524][ T5325] ? __pfx_process_scheduled_works+0x10/0x10
[ 86.764545][ T5325] worker_thread+0x8a0/0xda0
[ 86.767173][ T5325] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 86.770251][ T5325] ? __kthread_parkme+0x7b/0x200
[ 86.772615][ T5325] kthread+0x70e/0x8a0
[ 86.774476][ T5325] ? __pfx_worker_thread+0x10/0x10
[ 86.776809][ T5325] ? __pfx_kthread+0x10/0x10
[ 86.778775][ T5325] ? _raw_spin_unlock_irq+0x23/0x50
[ 86.781005][ T5325] ? lockdep_hardirqs_on+0x9c/0x150
[ 86.783650][ T5325] ? __pfx_kthread+0x10/0x10
[ 86.785906][ T5325] ret_from_fork+0x3fc/0x770
[ 86.788118][ T5325] ? __pfx_ret_from_fork+0x10/0x10
[ 86.790598][ T5325] ? __pfx_kthread+0x10/0x10
[ 86.792913][ T5325] ret_from_fork_asm+0x1a/0x30
[ 86.795236][ T5325] </TASK>
[ 86.797082][ T5325] Kernel Offset: disabled
[ 86.799149][ T5325] Rebooting in 86400 seconds..