UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy
misc raw-gadget: fail, usb_gadget_register_driver returned -16
==================================================================
BUG: KASAN: use-after-free in driver_register+0x352/0x3a0
Read of size 8 at addr ffff88800e4f5ec8 by task syz-executor.1/214265

CPU: 0 PID: 214265 Comm: syz-executor.1 Not tainted 5.19.0-rc1-next-20220606 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
 dump_stack_lvl+0x8b/0xb3
 print_report.cold+0x5e/0x5db
 kasan_report+0xbe/0x1c0
 driver_register+0x352/0x3a0
 usb_gadget_register_driver_owner+0xfb/0x1e0
 raw_ioctl+0x133f/0x1e50
 __x64_sys_ioctl+0x196/0x210
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fb0158b88d7
Code: 3c 1c 48 f7 d8 49 39 c4 72 b8 e8 a4 54 02 00 85 c0 78 bd 48 83 c4 08 4c 89 e0 5b 41 5c c3 0f 1f 44 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb012e2c0b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fb012e2d130 RCX: 00007fb0158b88d7
RDX: 0000000000000000 RSI: 0000000000005501 RDI: 0000000000000003
RBP: 0000000000000003 R08: 000000000000ffff R09: 000000000000000b
R10: 00007fb012e2c180 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000020000c00 R14: 0000000020000ac0 R15: 0000000000000000

Allocated by task 214267:
 kasan_save_stack+0x1e/0x40
 __kasan_kmalloc+0x81/0xa0
 bus_add_driver+0xc4/0x5b0
 driver_register+0x220/0x3a0
 usb_gadget_register_driver_owner+0xfb/0x1e0
 raw_ioctl+0x133f/0x1e50
 __x64_sys_ioctl+0x196/0x210
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 214267:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_set_free_info+0x20/0x30
 __kasan_slab_free+0x108/0x170
 kfree+0xcf/0x410
 kobject_put+0x173/0x270
 bus_remove_driver+0x125/0x230
 driver_unregister+0x73/0xb0
 usb_gadget_register_driver_owner.cold+0x6c/0xd0
 raw_ioctl+0x133f/0x1e50
 __x64_sys_ioctl+0x196/0x210
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

The buggy address belongs to the object at ffff88800e4f5e00
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 200 bytes inside of
 256-byte region [ffff88800e4f5e00, ffff88800e4f5f00)

The buggy address belongs to the physical page:
page:000000004de36665 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xe4f4
head:000000004de36665 order:1 compound_mapcount:0 compound_pincount:0
flags: 0x100000000010200(slab|head|node=0|zone=1)
raw: 0100000000010200 ffffea00003f5080 dead000000000003 ffff888007841b40
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88800e4f5d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88800e4f5e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88800e4f5e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff88800e4f5f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88800e4f5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Error: Driver 'raw-gadget' is already registered, aborting...
UDC core: USB Raw Gadget: driver registration failed: -16
misc raw-gadget: fail, usb_gadget_register_driver returned -16
UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy
misc raw-gadget: fail, usb_gadget_register_driver returned -16