Warning: Permanently added '10.128.1.195' (ED25519) to the list of known hosts.
2026/03/19 19:05:47 parsed 1 programs
[ 52.645865][ T29] audit: type=1400 audit(1773947147.146:64): avc: denied { node_bind } for pid=2962 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 52.667938][ T29] audit: type=1400 audit(1773947147.156:65): avc: denied { module_request } for pid=2962 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 55.650496][ T29] audit: type=1400 audit(1773947150.156:66): avc: denied { mounton } for pid=2972 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 55.677415][ T29] audit: type=1400 audit(1773947150.176:67): avc: denied { mount } for pid=2972 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 55.686829][ T2972] cgroup: Unknown subsys name 'net'
[ 55.708831][ T29] audit: type=1400 audit(1773947150.216:68): avc: denied { unmount } for pid=2972 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 55.840728][ T2972] cgroup: Unknown subsys name 'cpuset'
[ 55.850673][ T2972] cgroup: Unknown subsys name 'rlimit'
[ 56.005590][ T29] audit: type=1400 audit(1773947150.506:69): avc: denied { setattr } for pid=2972 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=236 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 56.029382][ T29] audit: type=1400 audit(1773947150.516:70): avc: denied { create } for pid=2972 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 56.051639][ T29] audit: type=1400 audit(1773947150.516:71): avc: denied { write } for pid=2972 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 56.073242][ T29] audit: type=1400 audit(1773947150.516:72): avc: denied { read } for pid=2972 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 56.104355][ T29] audit: type=1400 audit(1773947150.606:73): avc: denied { sys_module } for pid=2972 comm="syz-executor" capability=16 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability permissive=1
Setting up swapspace version 1, size = 127995904 bytes
[ 56.272066][ T2976] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 56.308957][ T2972] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 58.057023][ T29] kauditd_printk_skb: 8 callbacks suppressed
[ 58.057054][ T29] audit: type=1400 audit(1773947152.546:82): avc: denied { execmem } for pid=2979 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 58.187298][ T29] audit: type=1400 audit(1773947152.576:83): avc: denied { create } for pid=2978 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=user_namespace permissive=1
[ 58.234565][ T29] audit: type=1400 audit(1773947152.596:84): avc: denied { sys_admin } for pid=2978 comm="syz-executor" capability=21 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=cap_userns permissive=1
[ 58.259961][ T29] audit: type=1400 audit(1773947152.616:85): avc: denied { read } for pid=2983 comm="syz-executor" dev="nsfs" ino=4026531833 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 58.288662][ T29] audit: type=1400 audit(1773947152.616:86): avc: denied { open } for pid=2983 comm="syz-executor" path="net:[4026531833]" dev="nsfs" ino=4026531833 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 58.315198][ T29] audit: type=1400 audit(1773947152.616:87): avc: denied { mounton } for pid=2983 comm="syz-executor" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1
[ 58.367074][ T29] audit: type=1400 audit(1773947152.806:88): avc: denied { mounton } for pid=2983 comm="syz-executor" path="/root/syzkaller.84RJKx/syz-tmp" dev="sda1" ino=2042 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[ 58.417080][ T29] audit: type=1400 audit(1773947152.806:89): avc: denied { mount } for pid=2983 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1
[ 58.480578][ T29] audit: type=1400 audit(1773947152.806:90): avc: denied { mounton } for pid=2983 comm="syz-executor" path="/root/syzkaller.84RJKx/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1
[ 58.527052][ T29] audit: type=1400 audit(1773947152.846:91): avc: denied { create } for pid=2984 comm="syz-executor" name="tun" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=chr_file permissive=1
[ 58.702236][ T2985] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
2026/03/19 19:06:10 executed programs: 0
[ 76.041778][ T3013] syz-executor (3013) used greatest stack depth: 23240 bytes left
2026/03/19 19:07:01 executed programs: 10
[ 127.213602][ T29] kauditd_printk_skb: 15 callbacks suppressed
[ 127.213659][ T29] audit: type=1400 audit(1773947221.716:107): avc: denied { read write } for pid=5745 comm="syz.4.21" name="raw-gadget" dev="devtmpfs" ino=236 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 127.307044][ T29] audit: type=1400 audit(1773947221.716:108): avc: denied { open } for pid=5745 comm="syz.4.21" path="/dev/raw-gadget" dev="devtmpfs" ino=236 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 127.376972][ T29] audit: type=1400 audit(1773947221.716:109): avc: denied { ioctl } for pid=5745 comm="syz.4.21" path="/dev/raw-gadget" dev="devtmpfs" ino=236 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 127.487368][ T2992] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 127.547137][ T28] usb 6-1: new high-speed USB device number 2 using dummy_hcd
[ 127.647096][ T2992] usb 5-1: Using ep0 maxpacket: 16
[ 127.669275][ T2992] usb 5-1: config 246 interface 0 altsetting 0 has an endpoint descriptor with address 0xF3, changing to 0x83
[ 127.707119][ T2992] usb 5-1: config 246 interface 0 altsetting 0 endpoint 0x83 has invalid maxpacket 34178, setting to 1024
[ 127.727063][ T28] usb 6-1: Using ep0 maxpacket: 16
[ 127.734254][ T28] usb 6-1: config 246 interface 0 altsetting 0 has an endpoint descriptor with address 0xF3, changing to 0x83
[ 127.745940][ T2992] usb 5-1: New USB device found, idVendor=2040, idProduct=0265, bcdDevice=4e.d1
[ 127.751237][ T28] usb 6-1: config 246 interface 0 altsetting 0 endpoint 0x83 has invalid maxpacket 34178, setting to 1024
[ 127.766274][ T2992] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 127.771905][ T28] usb 6-1: New USB device found, idVendor=2040, idProduct=0265, bcdDevice=4e.d1
[ 127.784757][ T28] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 127.787301][ T2992] usb 5-1: Product: syz
[ 127.793229][ T28] usb 6-1: Product: syz
[ 127.802074][ T28] usb 6-1: Manufacturer: syz
[ 127.806733][ T28] usb 6-1: SerialNumber: syz
[ 127.811747][ T2992] usb 5-1: Manufacturer: syz
[ 127.816623][ T2992] usb 5-1: SerialNumber: syz
[ 127.843774][ T28] em28xx 6-1:246.0: New device syz syz @ 480 Mbps (2040:0265, interface 0, class 0)
[ 127.850589][ T2992] em28xx 5-1:246.0: New device syz syz @ 480 Mbps (2040:0265, interface 0, class 0)
[ 127.865081][ T28] em28xx 6-1:246.0: Audio interface 0 found (Vendor Class)
[ 127.887135][ T2992] em28xx 5-1:246.0: Audio interface 0 found (Vendor Class)
[ 127.927045][ T9] usb 3-1: new high-speed USB device number 2 using dummy_hcd
[ 127.947229][ T2812] usb 8-1: new high-speed USB device number 2 using dummy_hcd
[ 128.087037][ T9] usb 3-1: Using ep0 maxpacket: 16
[ 128.089675][ T28] em28xx 6-1:246.0: unknown em28xx chip ID (0)
[ 128.100758][ T2812] usb 8-1: Using ep0 maxpacket: 16
[ 128.102781][ T9] usb 3-1: config 246 interface 0 altsetting 0 has an endpoint descriptor with address 0xF3, changing to 0x83
[ 128.111137][ T28] em28xx 6-1:246.0: Config register raw data: 0xfffffffb
[ 128.120134][ T9] usb 3-1: config 246 interface 0 altsetting 0 endpoint 0x83 has invalid maxpacket 34178, setting to 1024
[ 128.120603][ T2992] em28xx 5-1:246.0: unknown em28xx chip ID (0)
[ 128.131411][ T2812] usb 8-1: config 246 interface 0 altsetting 0 has an endpoint descriptor with address 0xF3, changing to 0x83
[ 128.151607][ T2812] usb 8-1: config 246 interface 0 altsetting 0 endpoint 0x83 has invalid maxpacket 34178, setting to 1024
[ 128.152084][ T28] em28xx 6-1:246.0: AC97 chip type couldn't be determined
[ 128.162509][ T2992] em28xx 5-1:246.0: Config register raw data: 0xfffffffb
[ 128.185287][ T9] usb 3-1: New USB device found, idVendor=2040, idProduct=0265, bcdDevice=4e.d1
[ 128.188728][ T28] em28xx 6-1:246.0: No AC97 audio processor
[ 128.197980][ T9] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 128.198438][ T2992] em28xx 5-1:246.0: AC97 chip type couldn't be determined
[ 128.208654][ T2812] usb 8-1: New USB device found, idVendor=2040, idProduct=0265, bcdDevice=4e.d1
[ 128.223238][ T2812] usb 8-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 128.229189][ T2992] em28xx 5-1:246.0: No AC97 audio processor
[ 128.238826][ T28] em28xx 6-1:246.0: We currently don't support analog TV or stream capture on dual tuners.
[ 128.243745][ T9] usb 3-1: Product: syz
[ 128.255250][ T2812] usb 8-1: Product: syz
[ 128.260352][ T2992] em28xx 5-1:246.0: We currently don't support analog TV or stream capture on dual tuners.
[ 128.264276][ T2812] usb 8-1: Manufacturer: syz
[ 128.274407][ T9] usb 3-1: Manufacturer: syz
[ 128.279035][ T23] usb 7-1: new high-speed USB device number 2 using dummy_hcd
[ 128.284219][ T9] usb 3-1: SerialNumber: syz
[ 128.296632][ T2812] usb 8-1: SerialNumber: syz
[ 128.310587][ T2812] em28xx 8-1:246.0: New device syz syz @ 480 Mbps (2040:0265, interface 0, class 0)
[ 128.310615][ T9] em28xx 3-1:246.0: New device syz syz @ 480 Mbps (2040:0265, interface 0, class 0)
[ 128.327168][ T2812] em28xx 8-1:246.0: Audio interface 0 found (Vendor Class)
[ 128.339756][ T9] em28xx 3-1:246.0: Audio interface 0 found (Vendor Class)
[ 128.348327][ T2992] em28xx 5-1:246.0: unknown em28xx chip ID (0)
[ 128.355509][ T2992] em28xx 5-1:246.0: Config register raw data: 0xfffffffb
[ 128.359329][ T28] em28xx 6-1:246.0: unknown em28xx chip ID (0)
[ 128.364327][ T2992] em28xx 5-1:246.0: AC97 chip type couldn't be determined
[ 128.375255][ T28] em28xx 6-1:246.0: Config register raw data: 0xfffffffb
[ 128.377624][ T2992] em28xx 5-1:246.0: No AC97 audio processor
[ 128.387458][ T28] em28xx 6-1:246.0: AC97 chip type couldn't be determined
[ 128.398099][ T28] em28xx 6-1:246.0: No AC97 audio processor
[ 128.456941][ T23] usb 7-1: Using ep0 maxpacket: 16
[ 128.474330][ T23] usb 7-1: config 246 interface 0 altsetting 0 has an endpoint descriptor with address 0xF3, changing to 0x83
[ 128.496798][ T23] usb 7-1: config 246 interface 0 altsetting 0 endpoint 0x83 has invalid maxpacket 34178, setting to 1024
[ 128.523417][ T23] usb 7-1: New USB device found, idVendor=2040, idProduct=0265, bcdDevice=4e.d1
[ 128.543599][ T23] usb 7-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 128.563563][ T23] usb 7-1: Product: syz
[ 128.572394][ T23] usb 7-1: Manufacturer: syz
[ 128.588504][ T2812] em28xx 8-1:246.0: unknown em28xx chip ID (0)
[ 128.596178][ T9] em28xx 3-1:246.0: unknown em28xx chip ID (0)
[ 128.598124][ T23] usb 7-1: SerialNumber: syz
[ 128.610107][ T2812] em28xx 8-1:246.0: Config register raw data: 0xfffffffb
[ 128.622430][ T9] em28xx 3-1:246.0: Config register raw data: 0xfffffffb
[ 128.630349][ T2812] em28xx 8-1:246.0: AC97 chip type couldn't be determined
[ 128.644983][ T2812] em28xx 8-1:246.0: No AC97 audio processor
[ 128.656185][ T23] em28xx 7-1:246.0: New device syz syz @ 480 Mbps (2040:0265, interface 0, class 0)
[ 128.657447][ T9] em28xx 3-1:246.0: AC97 chip type couldn't be determined
[ 128.676523][ T2812] em28xx 8-1:246.0: We currently don't support analog TV or stream capture on dual tuners.
[ 128.687481][ T23] em28xx 7-1:246.0: Audio interface 0 found (Vendor Class)
[ 128.706939][ T9] em28xx 3-1:246.0: No AC97 audio processor
[ 128.713176][ T9] em28xx 3-1:246.0: We currently don't support analog TV or stream capture on dual tuners.
[ 128.757570][ T2812] em28xx 8-1:246.0: unknown em28xx chip ID (0)
[ 128.787274][ T2812] em28xx 8-1:246.0: Config register raw data: 0xfffffffb
[ 128.804368][ T2812] em28xx 8-1:246.0: AC97 chip type couldn't be determined
[ 128.816463][ T2812] em28xx 8-1:246.0: No AC97 audio processor
[ 128.824120][ T2992] usb 5-1: USB disconnect, device number 2
[ 128.839168][ T2992] em28xx 5-1:246.0: Disconnecting em28xx #2
[ 128.845435][ T2992] em28xx 5-1:246.0: Disconnecting em28xx
[ 128.849037][ T28] usb 6-1: USB disconnect, device number 2
[ 128.851893][ T9] em28xx 3-1:246.0: unknown em28xx chip ID (0)
[ 128.877033][ T9] em28xx 3-1:246.0: Config register raw data: 0xfffffffb
[ 128.882276][ T28] em28xx 6-1:246.0: Disconnecting em28xx #3
[ 128.893967][ T9] em28xx 3-1:246.0: AC97 chip type couldn't be determined
[ 128.902298][ T28] em28xx 6-1:246.0: Disconnecting em28xx
[ 128.922275][ T2992] em28xx 5-1:246.0: Freeing device
[ 128.930654][ T28] em28xx 6-1:246.0: Freeing device
[ 128.937022][ T9] em28xx 3-1:246.0: No AC97 audio processor
[ 128.944770][ T2992] em28xx 5-1:246.0: Freeing device
[ 128.947701][ T23] em28xx 7-1:246.0: unknown em28xx chip ID (0)
[ 128.964970][ T28] em28xx 6-1:246.0: Freeing device
[ 128.986311][ T23] em28xx 7-1:246.0: Config register raw data: 0xfffffffb
[ 129.011538][ T23] em28xx 7-1:246.0: AC97 chip type couldn't be determined
[ 129.027976][ T23] em28xx 7-1:246.0: No AC97 audio processor
[ 129.068701][ T23] em28xx 7-1:246.0: We currently don't support analog TV or stream capture on dual tuners.
[ 129.158877][ T23] em28xx 7-1:246.0: unknown em28xx chip ID (0)
[ 129.176227][ T23] em28xx 7-1:246.0: Config register raw data: 0xfffffffb
[ 129.196401][ T23] em28xx 7-1:246.0: AC97 chip type couldn't be determined
[ 129.204339][ T23] em28xx 7-1:246.0: No AC97 audio processor
[ 129.262378][ T2812] usb 8-1: USB disconnect, device number 2
[ 129.278782][ T2812] em28xx 8-1:246.0: Disconnecting em28xx #7
[ 129.296245][ T2812] em28xx 8-1:246.0: Disconnecting em28xx
[ 129.297796][ T2992] usb 5-1: new high-speed USB device number 3 using dummy_hcd
[ 129.302826][ T28] usb 6-1: new high-speed USB device number 3 using dummy_hcd
[ 129.329834][ T2812] ==================================================================
[ 129.338334][ T2812] BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x1b1/0x1d0
[ 129.347964][ T2812] Read of size 8 at addr ffff88811fe0c250 by task kworker/1:3/2812
[ 129.356346][ T2812]
[ 129.358753][ T2812] CPU: 1 UID: 0 PID: 2812 Comm: kworker/1:3 Not tainted syzkaller #0 PREEMPT(full)
[ 129.358792][ T2812] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
[ 129.358818][ T2812] Workqueue: usb_hub_wq hub_event
[ 129.358879][ T2812] Call Trace:
[ 129.358890][ T2812]
[ 129.358901][ T2812] dump_stack_lvl+0x100/0x190
[ 129.358949][ T2812] print_report+0x156/0x4c9
[ 129.358994][ T2812] ? __virt_addr_valid+0x81/0x620
[ 129.359033][ T2812] ? __phys_addr+0xe8/0x180
[ 129.359072][ T2812] ? __list_del_entry_valid_or_report+0x1b1/0x1d0
[ 129.359109][ T2812] kasan_report+0xdf/0x1e0
[ 129.359161][ T2812] ? __list_del_entry_valid_or_report+0x1b1/0x1d0
[ 129.359201][ T2812] __list_del_entry_valid_or_report+0x1b1/0x1d0
[ 129.359247][ T2812] em28xx_close_extension+0x10b/0x2b0
[ 129.359305][ T2812] em28xx_usb_disconnect.cold+0x13d/0x253
[ 129.359350][ T2812] usb_unbind_interface+0x1dd/0x9e0
[ 129.359388][ T2812] ? kernfs_remove_by_name_ns+0x9f/0xf0
[ 129.359439][ T2812] ? __pfx_usb_unbind_interface+0x10/0x10
[ 129.359474][ T2812] device_remove+0x12a/0x180
[ 129.359516][ T2812] device_release_driver_internal+0x42e/0x600
[ 129.359574][ T2812] bus_remove_device+0x22f/0x440
[ 129.359614][ T2812] device_del+0x376/0x9b0
[ 129.359659][ T2812] ? __pfx_device_del+0x10/0x10
[ 129.359699][ T2812] ? kobject_put+0xb9/0x640
[ 129.359741][ T2812] usb_disable_device+0x367/0x810
[ 129.359797][ T2812] usb_disconnect+0x2e2/0x9a0
[ 129.359852][ T2812] hub_event+0x1d0c/0x4af0
[ 129.359917][ T2812] ? __lock_acquire+0x4a5/0x2630
[ 129.359969][ T2812] ? do_raw_spin_unlock+0x145/0x1e0
[ 129.360006][ T2812] ? __pfx_hub_event+0x10/0x10
[ 129.360057][ T2812] ? debug_object_deactivate+0x2e4/0x3b0
[ 129.360111][ T2812] ? rcu_is_watching+0x12/0xc0
[ 129.360151][ T2812] process_one_work+0xa23/0x19a0
[ 129.360198][ T2812] ? __pfx_process_one_work+0x10/0x10
[ 129.360247][ T2812] ? __pfx_hub_event+0x10/0x10
[ 129.360298][ T2812] worker_thread+0x5ef/0xe50
[ 129.360339][ T2812] ? __pfx_worker_thread+0x10/0x10
[ 129.360377][ T2812] ? kthread+0x13a/0x450
[ 129.360408][ T2812] ? __pfx_worker_thread+0x10/0x10
[ 129.360444][ T2812] kthread+0x370/0x450
[ 129.360476][ T2812] ? __pfx_kthread+0x10/0x10
[ 129.360510][ T2812] ret_from_fork+0x6c3/0xcb0
[ 129.360555][ T2812] ? __pfx_ret_from_fork+0x10/0x10
[ 129.360600][ T2812] ? __switch_to+0x7aa/0x1120
[ 129.360631][ T2812] ? __pfx_kthread+0x10/0x10
[ 129.360666][ T2812] ret_from_fork_asm+0x1a/0x30
[ 129.360735][ T2812]
[ 129.360746][ T2812]
[ 129.368018][ T9] usb 3-1: USB disconnect, device number 2
[ 129.370247][ T2812] Allocated by task 5776:
[ 129.370274][ T2812] kasan_save_stack+0x30/0x50
[ 129.389949][ T9] em28xx 3-1:246.0: Disconnecting em28xx #8
[ 129.391970][ T2812] kasan_save_track+0x14/0x30
[ 129.392018][ T2812] __kasan_slab_alloc+0x6e/0x70
[ 129.397456][ T9] em28xx 3-1:246.0: Disconnecting em28xx
[ 129.401536][ T2812] kmem_cache_alloc_node_noprof+0x26b/0x6b0
[ 129.507302][ T2992] usb 5-1: Using ep0 maxpacket: 16
[ 129.509992][ T2812] kmalloc_reserve+0x148/0x350
[ 129.520063][ T2992] usb 5-1: config 246 interface 0 altsetting 0 has an endpoint descriptor with address 0xF3, changing to 0x83
[ 129.521094][ T2812] __alloc_skb+0x185/0x710
[ 129.528737][ T2992] usb 5-1: config 246 interface 0 altsetting 0 endpoint 0x83 has invalid maxpacket 34178, setting to 1024
[ 129.532087][ T2812] netlink_alloc_large_skb+0x69/0x150
[ 129.542709][ T2992] usb 5-1: New USB device found, idVendor=2040, idProduct=0265, bcdDevice=4e.d1
[ 129.547569][ T2812] netlink_sendmsg+0x680/0xda0
[ 129.547615][ T2812] ____sys_sendmsg+0x9e1/0xb70
[ 129.547662][ T2812] ___sys_sendmsg+0x190/0x1e0
[ 129.553412][ T2992] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 129.557131][ T2812] __sys_sendmsg+0x170/0x220
[ 129.557175][ T2812] do_syscall_64+0x106/0x7b0
[ 129.557205][ T2812] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 129.565843][ T2992] usb 5-1: Product: syz
[ 129.567214][ T2812]
[ 129.567223][ T2812] Freed by task 5776:
[ 129.567238][ T2812] kasan_save_stack+0x30/0x50
[ 129.567297][ T2812] kasan_save_track+0x14/0x30
[ 129.574153][ T2992] usb 5-1: Manufacturer: syz
[ 129.576933][ T2812] kasan_save_free_info+0x3b/0x70
[ 129.576973][ T2812] __kasan_slab_free+0x43/0x70
[ 129.584617][ T2992] usb 5-1: SerialNumber: syz
[ 129.586698][ T2812] kmem_cache_free+0x105/0x640
[ 129.631659][ T2992] em28xx 5-1:246.0: New device syz syz @ 480 Mbps (2040:0265, interface 0, class 0)
[ 129.632938][ T2812] skb_free_head+0x1c6/0x220
[ 129.639469][ T2992] em28xx 5-1:246.0: Audio interface 0 found (Vendor Class)
[ 129.642503][ T2812] skb_release_data+0x79b/0x9d0
[ 129.822511][ T2812] consume_skb+0xc4/0x110
[ 129.828349][ T2812] netlink_unicast+0x5b2/0x870
[ 129.834473][ T2812] netlink_sendmsg+0x8b0/0xda0
[ 129.839666][ T2812] ____sys_sendmsg+0x9e1/0xb70
[ 129.845869][ T2812] ___sys_sendmsg+0x190/0x1e0
[ 129.851193][ T2812] __sys_sendmsg+0x170/0x220
[ 129.856239][ T2812] do_syscall_64+0x106/0x7b0
[ 129.861070][ T2812] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 129.867221][ T2812]
[ 129.869763][ T2812] The buggy address belongs to the object at ffff88811fe0c000
[ 129.869763][ T2812] which belongs to the cache skbuff_small_head of size 704
[ 129.884751][ T2812] The buggy address is located 592 bytes inside of
[ 129.884751][ T2812] freed 704-byte region [ffff88811fe0c000, ffff88811fe0c2c0)
[ 129.888059][ T2992] em28xx 5-1:246.0: unknown em28xx chip ID (0)
[ 129.898950][ T2812]
[ 129.898961][ T2812] The buggy address belongs to the physical page:
[ 129.898986][ T2812] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11fe0c
[ 129.899023][ T2812] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 129.899047][ T2812] flags: 0x200000000000040(head|node=0|zone=2)
[ 129.907661][ T2992] em28xx 5-1:246.0: Config register raw data: 0xfffffffb
[ 129.908573][ T2812] page_type: f5(slab)
[ 129.923132][ T2992] em28xx 5-1:246.0: AC97 chip type couldn't be determined
[ 129.924233][ T2812] raw: 0200000000000040 ffff888102affb40 dead000000000100 dead000000000122
[ 129.933833][ T2992] em28xx 5-1:246.0: No AC97 audio processor
[ 129.939087][ T2812] raw: 0000000000000000 0000000800130013 00000000f5000000 0000000000000000
[ 129.939126][ T2812] head: 0200000000000040 ffff888102affb40 dead000000000100 dead000000000122
[ 129.939175][ T2812] head: 0000000000000000 0000000800130013 00000000f5000000 0000000000000000
[ 129.997981][ T2812] head: 0200000000000002 ffffea00047f8301 00000000ffffffff 00000000ffffffff
[ 130.006798][ T2812] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000004
[ 130.015658][ T2812] page dumped because: kasan: bad access detected
[ 130.022185][ T2812] page_owner tracks the page as allocated
[ 130.027916][ T2812] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 22, tgid 22 (ksoftirqd/1), ts 129087357629, free_ts 128964937459
[ 130.048522][ T2812] post_alloc_hook+0x153/0x170
[ 130.053330][ T2812] get_page_from_freelist+0xf10/0x39f0
[ 130.058890][ T2812] __alloc_frozen_pages_noprof+0x273/0x2860
[ 130.064890][ T2812] new_slab+0xa6/0x6c0
[ 130.068994][ T2812] refill_objects+0x26b/0x400
[ 130.073815][ T2812] __pcs_replace_empty_main+0x1ab/0x660
[ 130.079558][ T2812] kmem_cache_alloc_node_noprof+0x4e9/0x6b0
[ 130.085940][ T2812] kmalloc_reserve+0x148/0x350
[ 130.091168][ T2812] __alloc_skb+0x185/0x710
[ 130.095610][ T2812] __tcp_send_ack.part.0+0x66/0x730
[ 130.101131][ T2812] tcp_send_ack+0x84/0xa0
[ 130.105867][ T2812] __tcp_ack_snd_check+0x1fe/0x9f0
[ 130.111037][ T2812] tcp_rcv_established+0xcf2/0x3970
[ 130.116275][ T2812] tcp_v4_do_rcv+0x5e4/0xad0
[ 130.120909][ T2812] tcp_v4_rcv+0x2d34/0x3fd0
[ 130.125524][ T2812] ip_protocol_deliver_rcu+0xba/0x4d0
[ 130.131217][ T2812] page last free pid 28 tgid 28 stack trace:
[ 130.137579][ T2812] __free_frozen_pages+0x7b1/0xfb0
[ 130.142954][ T2812] kref_put.constprop.0.isra.0+0x4d/0x6d
[ 130.148647][ T2812] em28xx_usb_disconnect.cold+0x1b4/0x253
[ 130.154950][ T2812] usb_unbind_interface+0x1dd/0x9e0
[ 130.160276][ T2812] device_remove+0x12a/0x180
[ 130.165180][ T2812] device_release_driver_internal+0x42e/0x600
[ 130.171939][ T2812] bus_remove_device+0x22f/0x440
[ 130.177093][ T2812] device_del+0x376/0x9b0
[ 130.181500][ T2812] usb_disable_device+0x367/0x810
[ 130.186819][ T2812] usb_disconnect+0x2e2/0x9a0
[ 130.191565][ T2812] hub_event+0x1d0c/0x4af0
[ 130.196052][ T2812] process_one_work+0xa23/0x19a0
[ 130.201417][ T2812] worker_thread+0x5ef/0xe50
[ 130.206200][ T2812] kthread+0x370/0x450
[ 130.210903][ T2812] ret_from_fork+0x6c3/0xcb0
[ 130.215597][ T2812] ret_from_fork_asm+0x1a/0x30
[ 130.220784][ T2812]
[ 130.223168][ T2812] Memory state around the buggy address:
[ 130.229264][ T2812] ffff88811fe0c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 130.237469][ T2812] ffff88811fe0c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 130.245647][ T2812] >ffff88811fe0c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 130.253988][ T2812] ^
[ 130.260774][ T2812] ffff88811fe0c280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 130.269239][ T2812] ffff88811fe0c300: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 130.277379][ T2812] ==================================================================
[ 130.289656][ T29] audit: type=1400 audit(1773947224.786:110): avc: denied { read } for pid=2834 comm="syslogd" name="log" dev="sda1" ino=2010 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[ 130.316712][ T29] audit: type=1400 audit(1773947224.796:111): avc: denied { search } for pid=2834 comm="syslogd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[ 130.362627][ T29] audit: type=1400 audit(1773947224.796:112): avc: denied { search } for pid=2834 comm="syslogd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[ 130.389287][ T29] audit: type=1400 audit(1773947224.796:113): avc: denied { add_name } for pid=2834 comm="syslogd" name="messages" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[ 130.454711][ T29] audit: type=1400 audit(1773947224.796:114): avc: denied { create } for pid=2834 comm="syslogd" name="messages" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[ 130.477018][ T23] usb 7-1: USB disconnect, device number 2
[ 130.484950][ T23] em28xx 7-1:246.0: Disconnecting em28xx #0
[ 130.494731][ T29] audit: type=1400 audit(1773947224.796:115): avc: denied { append open } for pid=2834 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=5 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[ 130.506555][ T23] em28xx 7-1:246.0: Disconnecting em28xx
[ 130.524560][ T2812] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 130.532100][ T2812] CPU: 1 UID: 0 PID: 2812 Comm: kworker/1:3 Not tainted syzkaller #0 PREEMPT(full)
[ 130.541715][ T2812] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
[ 130.552083][ T2812] Workqueue: usb_hub_wq hub_event
[ 130.557159][ T2812] Call Trace:
[ 130.560539][ T2812]
[ 130.563888][ T2812] dump_stack_lvl+0x100/0x190
[ 130.568812][ T2812] vpanic+0x552/0x970
[ 130.573297][ T2812] ? __pfx_vpanic+0x10/0x10
[ 130.578011][ T2812] ? __list_del_entry_valid_or_report+0x1b1/0x1d0
[ 130.584513][ T2812] panic+0xd1/0xe0
[ 130.588473][ T2812] ? __pfx_panic+0x10/0x10
[ 130.593044][ T2812] ? __list_del_entry_valid_or_report+0x1b1/0x1d0
[ 130.599536][ T2812] ? preempt_schedule_common+0x42/0xc0
[ 130.605256][ T2812] ? check_panic_on_warn+0x1f/0x90
[ 130.610528][ T2812] check_panic_on_warn.cold+0x19/0x34
[ 130.616056][ T2812] end_report.part.0+0x3a/0x90
[ 130.620986][ T2812] kasan_report.cold+0xe/0x18
[ 130.625736][ T2812] ? __list_del_entry_valid_or_report+0x1b1/0x1d0
[ 130.632320][ T2812] __list_del_entry_valid_or_report+0x1b1/0x1d0
[ 130.638639][ T2812] em28xx_close_extension+0x10b/0x2b0
[ 130.644055][ T2812] em28xx_usb_disconnect.cold+0x13d/0x253
[ 130.649832][ T2812] usb_unbind_interface+0x1dd/0x9e0
[ 130.655241][ T2812] ? kernfs_remove_by_name_ns+0x9f/0xf0
[ 130.660922][ T2812] ? __pfx_usb_unbind_interface+0x10/0x10
[ 130.666747][ T2812] device_remove+0x12a/0x180
[ 130.671379][ T2812] device_release_driver_internal+0x42e/0x600
[ 130.677762][ T2812] bus_remove_device+0x22f/0x440
[ 130.682955][ T2812] device_del+0x376/0x9b0
[ 130.687435][ T2812] ? __pfx_device_del+0x10/0x10
[ 130.692316][ T2812] ? kobject_put+0xb9/0x640
[ 130.697007][ T2812] usb_disable_device+0x367/0x810
[ 130.702269][ T2812] usb_disconnect+0x2e2/0x9a0
[ 130.706997][ T2812] hub_event+0x1d0c/0x4af0
[ 130.711680][ T2812] ? __lock_acquire+0x4a5/0x2630
[ 130.716663][ T2812] ? do_raw_spin_unlock+0x145/0x1e0
[ 130.722076][ T2812] ? __pfx_hub_event+0x10/0x10
[ 130.726908][ T2812] ? debug_object_deactivate+0x2e4/0x3b0
[ 130.732690][ T2812] ? rcu_is_watching+0x12/0xc0
[ 130.737596][ T2812] process_one_work+0xa23/0x19a0
[ 130.742669][ T2812] ? __pfx_process_one_work+0x10/0x10
[ 130.748206][ T2812] ? __pfx_hub_event+0x10/0x10
[ 130.753023][ T2812] worker_thread+0x5ef/0xe50
[ 130.757693][ T2812] ? __pfx_worker_thread+0x10/0x10
[ 130.762955][ T2812] ? kthread+0x13a/0x450
[ 130.767230][ T2812] ? __pfx_worker_thread+0x10/0x10
[ 130.772410][ T2812] kthread+0x370/0x450
[ 130.776607][ T2812] ? __pfx_kthread+0x10/0x10
[ 130.781327][ T2812] ret_from_fork+0x6c3/0xcb0
[ 130.786131][ T2812] ? __pfx_ret_from_fork+0x10/0x10
[ 130.791300][ T2812] ? __switch_to+0x7aa/0x1120
[ 130.796201][ T2812] ? __pfx_kthread+0x10/0x10
[ 130.800833][ T2812] ret_from_fork_asm+0x1a/0x30
[ 130.805667][ T2812]
[ 130.809401][ T2812] Kernel Offset: disabled
[ 130.813753][ T2812] Rebooting in 86400 seconds..