Warning: Permanently added '10.128.1.5' (ED25519) to the list of known hosts.
executing program
[ 41.452590][ T29] audit: type=1400 audit(1739174582.961:80): avc: denied { execmem } for pid=2946 comm="syz-executor893" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 41.472246][ T29] audit: type=1400 audit(1739174582.971:81): avc: denied { read write } for pid=2947 comm="syz-executor893" name="raw-gadget" dev="devtmpfs" ino=236 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 41.496112][ T29] audit: type=1400 audit(1739174582.971:82): avc: denied { open } for pid=2947 comm="syz-executor893" path="/dev/raw-gadget" dev="devtmpfs" ino=236 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 41.519903][ T29] audit: type=1400 audit(1739174582.971:83): avc: denied { ioctl } for pid=2947 comm="syz-executor893" path="/dev/raw-gadget" dev="devtmpfs" ino=236 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 41.696785][ T54] usb 1-1: new full-speed USB device number 2 using dummy_hcd
[ 41.858867][ T54] usb 1-1: New USB device found, idVendor=0424, idProduct=cf30, bcdDevice= 0.4a
[ 41.868057][ T54] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 41.879974][ T54] usb 1-1: config 0 descriptor??
executing program
[ 42.090346][ T9] usb 1-1: USB disconnect, device number 2
[ 42.101756][ T9] ==================================================================
[ 42.109971][ T9] BUG: KASAN: slab-use-after-free in hdm_disconnect+0x227/0x250
[ 42.117796][ T9] Read of size 8 at addr ffff888118565890 by task kworker/0:1/9
[ 42.125470][ T9]
[ 42.127814][ T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.14.0-rc1-syzkaller-g9682c35ff6ec #0
[ 42.127840][ T9] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 42.127856][ T9] Workqueue: usb_hub_wq hub_event
[ 42.127890][ T9] Call Trace:
[ 42.127898][ T9] <TASK>
[ 42.127909][ T9] dump_stack_lvl+0x116/0x1f0
[ 42.127949][ T9] print_report+0xc3/0x620
[ 42.127972][ T9] ? __virt_addr_valid+0x5e/0x590
[ 42.127995][ T9] ? __phys_addr+0xc6/0x150
[ 42.128017][ T9] kasan_report+0xd9/0x110
[ 42.128039][ T9] ? hdm_disconnect+0x227/0x250
[ 42.128074][ T9] ? hdm_disconnect+0x227/0x250
[ 42.128111][ T9] hdm_disconnect+0x227/0x250
[ 42.128145][ T9] usb_unbind_interface+0x1e2/0x960
[ 42.128175][ T9] ? kernfs_find_ns+0x2ee/0x3f0
[ 42.128210][ T9] ? __pfx_usb_unbind_interface+0x10/0x10
[ 42.128241][ T9] device_remove+0x122/0x170
[ 42.128275][ T9] device_release_driver_internal+0x44a/0x610
[ 42.128301][ T9] bus_remove_device+0x22f/0x420
[ 42.128335][ T9] device_del+0x396/0x9f0
[ 42.128371][ T9] ? __pfx_device_del+0x10/0x10
[ 42.128409][ T9] usb_disable_device+0x36c/0x7f0
[ 42.128437][ T9] usb_disconnect+0x2e1/0x920
[ 42.128464][ T9] hub_event+0x1bed/0x4f40
[ 42.128497][ T9] ? lock_acquire+0x2f/0xb0
[ 42.128517][ T9] ? debug_object_deactivate+0x13b/0x370
[ 42.128562][ T9] ? __pfx_hub_event+0x10/0x10
[ 42.128588][ T9] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 42.128610][ T9] ? rcu_is_watching+0x12/0xc0
[ 42.128638][ T9] ? trace_lock_acquire+0x14e/0x1f0
[ 42.128669][ T9] ? process_one_work+0x921/0x1ba0
[ 42.128705][ T9] ? lock_acquire+0x2f/0xb0
[ 42.128724][ T9] ? process_one_work+0x921/0x1ba0
[ 42.128761][ T9] process_one_work+0x9c5/0x1ba0
[ 42.128800][ T9] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 42.128822][ T9] ? __pfx_process_one_work+0x10/0x10
[ 42.128861][ T9] ? assign_work+0x1a0/0x250
[ 42.128895][ T9] worker_thread+0x6c8/0xf00
[ 42.128933][ T9] ? __kthread_parkme+0x148/0x220
[ 42.128962][ T9] ? __pfx_worker_thread+0x10/0x10
[ 42.128998][ T9] kthread+0x3af/0x750
[ 42.129030][ T9] ? __pfx_kthread+0x10/0x10
[ 42.129062][ T9] ? lock_acquire+0x2f/0xb0
[ 42.129083][ T9] ? __pfx_kthread+0x10/0x10
[ 42.129115][ T9] ret_from_fork+0x45/0x80
[ 42.129149][ T9] ? __pfx_kthread+0x10/0x10
[ 42.129181][ T9] ret_from_fork_asm+0x1a/0x30
[ 42.129216][ T9] </TASK>
[ 42.129223][ T9]
[ 42.369511][ T9] Allocated by task 54:
[ 42.373686][ T9] kasan_save_stack+0x33/0x60
[ 42.378404][ T9] kasan_save_track+0x14/0x30
[ 42.383100][ T9] __kasan_kmalloc+0x8f/0xa0
[ 42.387711][ T9] hdm_probe+0xb3/0x1880
[ 42.391973][ T9] usb_probe_interface+0x300/0x9c0
[ 42.397249][ T9] really_probe+0x23e/0xa90
[ 42.401812][ T9] __driver_probe_device+0x1de/0x440
[ 42.407131][ T9] driver_probe_device+0x4c/0x1b0
[ 42.412188][ T9] __device_attach_driver+0x1df/0x310
[ 42.417602][ T9] bus_for_each_drv+0x157/0x1e0
[ 42.422484][ T9] __device_attach+0x1e8/0x4b0
[ 42.427278][ T9] bus_probe_device+0x17f/0x1c0
[ 42.432144][ T9] device_add+0x114b/0x1a70
[ 42.436657][ T9] usb_set_configuration+0x10cb/0x1c50
[ 42.442130][ T9] usb_generic_driver_probe+0xb1/0x110
[ 42.447597][ T9] usb_probe_device+0xec/0x3e0
[ 42.452389][ T9] really_probe+0x23e/0xa90
[ 42.456912][ T9] __driver_probe_device+0x1de/0x440
[ 42.462217][ T9] driver_probe_device+0x4c/0x1b0
[ 42.467261][ T9] __device_attach_driver+0x1df/0x310
[ 42.472655][ T9] bus_for_each_drv+0x157/0x1e0
[ 42.477521][ T9] __device_attach+0x1e8/0x4b0
[ 42.482310][ T9] bus_probe_device+0x17f/0x1c0
[ 42.487180][ T9] device_add+0x114b/0x1a70
[ 42.491693][ T9] usb_new_device+0xd09/0x1a20
[ 42.496665][ T9] hub_event+0x2e58/0x4f40
[ 42.501145][ T9] process_one_work+0x9c5/0x1ba0
[ 42.506111][ T9] worker_thread+0x6c8/0xf00
[ 42.510730][ T9] kthread+0x3af/0x750
[ 42.514821][ T9] ret_from_fork+0x45/0x80
[ 42.519258][ T9] ret_from_fork_asm+0x1a/0x30
[ 42.524036][ T9]
[ 42.526359][ T9] Freed by task 9:
[ 42.530077][ T9] kasan_save_stack+0x33/0x60
[ 42.534773][ T9] kasan_save_track+0x14/0x30
[ 42.539469][ T9] kasan_save_free_info+0x3b/0x60
[ 42.544516][ T9] __kasan_slab_free+0x37/0x50
[ 42.549293][ T9] kfree+0x294/0x480
[ 42.553283][ T9] device_release+0xa1/0x240
[ 42.557895][ T9] kobject_put+0x1e4/0x5a0
[ 42.562323][ T9] device_unregister+0x2f/0xc0
[ 42.567114][ T9] hdm_disconnect+0x10b/0x250
[ 42.571817][ T9] usb_unbind_interface+0x1e2/0x960
[ 42.577035][ T9] device_remove+0x122/0x170
[ 42.581651][ T9] device_release_driver_internal+0x44a/0x610
[ 42.587726][ T9] bus_remove_device+0x22f/0x420
[ 42.592684][ T9] device_del+0x396/0x9f0
[ 42.597033][ T9] usb_disable_device+0x36c/0x7f0
[ 42.602071][ T9] usb_disconnect+0x2e1/0x920
[ 42.606759][ T9] hub_event+0x1bed/0x4f40
[ 42.611201][ T9] process_one_work+0x9c5/0x1ba0
[ 42.616172][ T9] worker_thread+0x6c8/0xf00
[ 42.620800][ T9] kthread+0x3af/0x750
[ 42.624906][ T9] ret_from_fork+0x45/0x80
[ 42.629343][ T9] ret_from_fork_asm+0x1a/0x30
[ 42.634122][ T9]
[ 42.636444][ T9] The buggy address belongs to the object at ffff888118564000
[ 42.636444][ T9] which belongs to the cache kmalloc-8k of size 8192
[ 42.650535][ T9] The buggy address is located 6288 bytes inside of
[ 42.650535][ T9] freed 8192-byte region [ffff888118564000, ffff888118566000)
[ 42.664530][ T9]
[ 42.666858][ T9] The buggy address belongs to the physical page:
[ 42.673294][ T9] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x118560
[ 42.682174][ T9] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 42.690708][ T9] flags: 0x200000000000040(head|node=0|zone=2)
[ 42.696872][ T9] page_type: f5(slab)
[ 42.700863][ T9] raw: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 42.709542][ T9] raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
[ 42.718236][ T9] head: 0200000000000040 ffff888100042280 dead000000000122 0000000000000000
[ 42.726916][ T9] head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
[ 42.735597][ T9] head: 0200000000000003 ffffea0004615801 ffffffffffffffff 0000000000000000
[ 42.744278][ T9] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 42.753080][ T9] page dumped because: kasan: bad access detected
[ 42.759509][ T9] page_owner tracks the page as allocated
[ 42.765313][ T9] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 2947, tgid 2947 (syz-executor893), ts 41458554984, free_ts 35844201513
[ 42.784874][ T9] post_alloc_hook+0x181/0x1b0
[ 42.789661][ T9] get_page_from_freelist+0xe76/0x2b90
[ 42.795144][ T9] __alloc_frozen_pages_noprof+0x21c/0x2290
[ 42.801066][ T9] alloc_pages_mpol+0xe7/0x410
[ 42.805843][ T9] new_slab+0x23d/0x330
[ 42.810028][ T9] ___slab_alloc+0xc41/0x1670
[ 42.814719][ T9] __slab_alloc.constprop.0+0x56/0xb0
[ 42.820115][ T9] __kmalloc_cache_noprof+0x217/0x3e0
[ 42.825505][ T9] audit_log_d_path+0xce/0x1e0
[ 42.830290][ T9] common_lsm_audit+0x12b0/0x2290
[ 42.835344][ T9] slow_avc_audit+0x17d/0x210
[ 42.840041][ T9] avc_has_extended_perms+0xa34/0x1580
[ 42.845527][ T9] ioctl_has_perm.constprop.0.isra.0+0x2f2/0x450
[ 42.851875][ T9] selinux_file_ioctl+0x180/0x270
[ 42.856918][ T9] security_file_ioctl+0x48/0x90
[ 42.861872][ T9] __x64_sys_ioctl+0xb7/0x200
[ 42.866560][ T9] page last free pid 2939 tgid 2939 stack trace:
[ 42.872886][ T9] free_frozen_pages+0x653/0xde0
[ 42.877835][ T9] __put_partials+0x14c/0x170
[ 42.882520][ T9] qlist_free_all+0x4e/0x120
[ 42.887145][ T9] kasan_quarantine_reduce+0x195/0x1e0
[ 42.892625][ T9] __kasan_slab_alloc+0x4e/0x70
[ 42.897487][ T9] kmem_cache_alloc_node_noprof+0x150/0x3b0
[ 42.903416][ T9] __alloc_skb+0x2b1/0x380
[ 42.907844][ T9] tcp_stream_alloc_skb+0x34/0x570
[ 42.912974][ T9] tcp_sendmsg_locked+0xf13/0x3720
[ 42.918105][ T9] tcp_sendmsg+0x2e/0x50
[ 42.922364][ T9] inet_sendmsg+0xb9/0x140
[ 42.926794][ T9] sock_write_iter+0x4ac/0x5b0
[ 42.931564][ T9] vfs_write+0x5ae/0x1150
[ 42.935902][ T9] ksys_write+0x207/0x250
[ 42.940242][ T9] do_syscall_64+0xcd/0x250
[ 42.944764][ T9] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 42.950673][ T9]
[ 42.952996][ T9] Memory state around the buggy address:
[ 42.958626][ T9] ffff888118565780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.966696][ T9] ffff888118565800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.974765][ T9] >ffff888118565880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.982826][ T9] ^
[ 42.987434][ T9] ffff888118565900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.995513][ T9] ffff888118565980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.003573][ T9] ==================================================================
[ 43.011753][ T9] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 43.018987][ T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.14.0-rc1-syzkaller-g9682c35ff6ec #0
[ 43.029008][ T9] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 43.039099][ T9] Workqueue: usb_hub_wq hub_event
[ 43.044147][ T9] Call Trace:
[ 43.047432][ T9] <TASK>
[ 43.050369][ T9] dump_stack_lvl+0x3d/0x1f0
[ 43.054983][ T9] panic+0x71d/0x800
[ 43.058904][ T9] ? __pfx_panic+0x10/0x10
[ 43.063348][ T9] ? check_panic_on_warn+0x1f/0xb0
[ 43.068485][ T9] check_panic_on_warn+0xab/0xb0
[ 43.073442][ T9] end_report+0x117/0x180
[ 43.077786][ T9] kasan_report+0xe9/0x110
[ 43.082212][ T9] ? hdm_disconnect+0x227/0x250
[ 43.087103][ T9] ? hdm_disconnect+0x227/0x250
[ 43.091978][ T9] hdm_disconnect+0x227/0x250
[ 43.096679][ T9] usb_unbind_interface+0x1e2/0x960
[ 43.101902][ T9] ? kernfs_find_ns+0x2ee/0x3f0
[ 43.106782][ T9] ? __pfx_usb_unbind_interface+0x10/0x10
[ 43.112558][ T9] device_remove+0x122/0x170
[ 43.117192][ T9] device_release_driver_internal+0x44a/0x610
[ 43.123303][ T9] bus_remove_device+0x22f/0x420
[ 43.128281][ T9] device_del+0x396/0x9f0
[ 43.132633][ T9] ? __pfx_device_del+0x10/0x10
[ 43.137517][ T9] usb_disable_device+0x36c/0x7f0
[ 43.142576][ T9] usb_disconnect+0x2e1/0x920
[ 43.147266][ T9] hub_event+0x1bed/0x4f40
[ 43.151701][ T9] ? lock_acquire+0x2f/0xb0
[ 43.156226][ T9] ? debug_object_deactivate+0x13b/0x370
[ 43.161885][ T9] ? __pfx_hub_event+0x10/0x10
[ 43.166667][ T9] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 43.172313][ T9] ? rcu_is_watching+0x12/0xc0
[ 43.177093][ T9] ? trace_lock_acquire+0x14e/0x1f0
[ 43.182318][ T9] ? process_one_work+0x921/0x1ba0
[ 43.187478][ T9] ? lock_acquire+0x2f/0xb0
[ 43.192000][ T9] ? process_one_work+0x921/0x1ba0
[ 43.197136][ T9] process_one_work+0x9c5/0x1ba0
[ 43.202118][ T9] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 43.207761][ T9] ? __pfx_process_one_work+0x10/0x10
[ 43.213163][ T9] ? assign_work+0x1a0/0x250
[ 43.217778][ T9] worker_thread+0x6c8/0xf00
[ 43.222395][ T9] ? __kthread_parkme+0x148/0x220
[ 43.227473][ T9] ? __pfx_worker_thread+0x10/0x10
[ 43.232626][ T9] kthread+0x3af/0x750
[ 43.236717][ T9] ? __pfx_kthread+0x10/0x10
[ 43.241322][ T9] ? lock_acquire+0x2f/0xb0
[ 43.245850][ T9] ? __pfx_kthread+0x10/0x10
[ 43.250463][ T9] ret_from_fork+0x45/0x80
[ 43.254898][ T9] ? __pfx_kthread+0x10/0x10
[ 43.259573][ T9] ret_from_fork_asm+0x1a/0x30
[ 43.264402][ T9] </TASK>
[ 43.267748][ T9] Kernel Offset: disabled
[ 43.272077][ T9] Rebooting in 86400 seconds..