Warning: Permanently added '10.128.0.33' (ED25519) to the list of known hosts.
1970/01/01 00:01:30 ignoring optional flag "sandboxArg"="0"
1970/01/01 00:01:31 parsed 1 programs
[ 94.113884][ T4439] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SSFS
[ 104.795375][ T153] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 104.797658][ T153] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 104.803404][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 104.810147][ T136] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 104.812309][ T136] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 104.814989][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 105.740729][ T4500] chnl_net:caif_netlink_parms(): no params data found
[ 105.771256][ T4500] bridge0: port 1(bridge_slave_0) entered blocking state
[ 105.773355][ T4500] bridge0: port 1(bridge_slave_0) entered disabled state
[ 105.777604][ T4500] device bridge_slave_0 entered promiscuous mode
[ 105.781135][ T4500] bridge0: port 2(bridge_slave_1) entered blocking state
[ 105.783099][ T4500] bridge0: port 2(bridge_slave_1) entered disabled state
[ 105.785751][ T4500] device bridge_slave_1 entered promiscuous mode
[ 105.801629][ T4500] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 105.806567][ T4500] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 105.823600][ T4500] team0: Port device team_slave_0 added
[ 105.827250][ T4500] team0: Port device team_slave_1 added
[ 105.838670][ T4500] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 105.840602][ T4500] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 105.847712][ T4500] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 105.852509][ T4500] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 105.854433][ T4500] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 105.861333][ T4500] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 105.917836][ T4500] device hsr_slave_0 entered promiscuous mode
[ 105.956291][ T4500] device hsr_slave_1 entered promiscuous mode
[ 106.722612][ T4500] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 106.768035][ T4500] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 106.802180][ T4500] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 106.847841][ T4500] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 106.942283][ T4500] 8021q: adding VLAN 0 to HW filter on device bond0
[ 106.949941][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 106.952503][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 106.956751][ T4500] 8021q: adding VLAN 0 to HW filter on device team0
[ 106.966590][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 106.969191][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 106.971617][ T136] bridge0: port 1(bridge_slave_0) entered blocking state
[ 106.973435][ T136] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 106.975599][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 106.980747][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 106.983284][ T136] bridge0: port 2(bridge_slave_1) entered blocking state
[ 106.985241][ T136] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 106.988767][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 107.001718][ T4500] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 107.004672][ T4500] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 107.013577][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 107.018110][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 107.027331][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 107.030361][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 107.032955][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 107.038052][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 107.040673][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 107.043143][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 107.045773][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 107.049153][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 107.051655][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 107.054206][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 107.136867][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 107.138947][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 107.143262][ T4500] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 107.155366][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 107.159655][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 107.172642][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 107.175251][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 107.180329][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 107.183359][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 107.188471][ T4500] device veth0_vlan entered promiscuous mode
[ 107.194886][ T4500] device veth1_vlan entered promiscuous mode
[ 107.210174][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 107.212653][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 107.215077][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 107.219995][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 107.224966][ T4500] device veth0_macvtap entered promiscuous mode
[ 107.230067][ T4500] device veth1_macvtap entered promiscuous mode
[ 107.242053][ T4500] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 107.244042][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 107.247677][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 107.250205][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 107.253151][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 107.259968][ T4500] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 107.263372][ T1879] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 107.266450][ T1879] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 107.270465][ T4500] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 107.272855][ T4500] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 107.275096][ T4500] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 107.280662][ T4500] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
1970/01/01 00:01:47 executed programs: 0
[ 107.844603][ T4624] chnl_net:caif_netlink_parms(): no params data found
[ 107.875102][ T4624] bridge0: port 1(bridge_slave_0) entered blocking state
[ 107.877153][ T4624] bridge0: port 1(bridge_slave_0) entered disabled state
[ 107.879585][ T4624] device bridge_slave_0 entered promiscuous mode
[ 107.882912][ T4624] bridge0: port 2(bridge_slave_1) entered blocking state
[ 107.885083][ T4624] bridge0: port 2(bridge_slave_1) entered disabled state
[ 107.887955][ T4624] device bridge_slave_1 entered promiscuous mode
[ 107.905691][ T4624] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 107.911083][ T4624] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 107.962759][ T4624] team0: Port device team_slave_0 added
[ 107.965783][ T4624] team0: Port device team_slave_1 added
[ 108.021081][ T4624] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 108.022921][ T4624] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 108.030699][ T4624] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 108.034728][ T4624] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 108.036727][ T4624] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 108.043521][ T4624] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 108.137855][ T4624] device hsr_slave_0 entered promiscuous mode
[ 108.176185][ T4624] device hsr_slave_1 entered promiscuous mode
[ 108.208611][ T4624] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 108.210736][ T4624] Cannot create hsr debugfs directory
[ 108.273232][ T4624] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 109.816326][ T4116] Bluetooth: hci0: command 0x0409 tx timeout
[ 110.472232][ T4624] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 111.896187][ T4116] Bluetooth: hci0: command 0x041b tx timeout
[ 112.301270][ T4624] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 112.374081][ T4624] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 112.561840][ T4624] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 112.608075][ T4624] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 112.657497][ T4624] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 112.698935][ T4624] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 112.768328][ T4624] 8021q: adding VLAN 0 to HW filter on device bond0
[ 112.774779][ T1879] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 112.778312][ T1879] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 112.782740][ T4624] 8021q: adding VLAN 0 to HW filter on device team0
[ 112.798692][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 112.801345][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 112.803876][ T153] bridge0: port 1(bridge_slave_0) entered blocking state
[ 112.805924][ T153] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 112.809149][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 112.811884][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 112.814362][ T153] bridge0: port 2(bridge_slave_1) entered blocking state
[ 112.816407][ T153] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 112.821668][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 112.824504][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 112.828295][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 112.831116][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 112.833879][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 112.839729][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 112.845027][ T338] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 112.848177][ T338] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 112.853032][ T338] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 112.855606][ T338] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 112.862473][ T4624] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 112.865786][ T4624] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 112.871273][ T1879] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 112.874065][ T1879] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 112.943233][ T1879] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 112.945501][ T1879] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 112.955050][ T4624] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 112.966320][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 112.969010][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 112.981236][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 112.983833][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 112.990516][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 112.993223][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 112.996614][ T4624] device veth0_vlan entered promiscuous mode
[ 113.002241][ T4624] device veth1_vlan entered promiscuous mode
[ 113.021409][ T4624] device veth0_macvtap entered promiscuous mode
[ 113.024890][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 113.028429][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 113.031218][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 113.035762][ T4624] device veth1_macvtap entered promiscuous mode
[ 113.044613][ T4624] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
[ 113.048966][ T4624] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 113.052526][ T4624] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 113.054549][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 113.057910][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 113.061133][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 113.065127][ T4624] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
[ 113.069186][ T4624] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 113.072649][ T4624] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 113.366218][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 113.369557][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 113.374180][ T4624] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 113.376925][ T4624] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 113.379276][ T4624] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 113.381602][ T4624] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 113.414323][ T136] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 113.420022][ T136] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 113.422857][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 113.432811][ T153] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 113.435029][ T153] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 113.439204][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
1970/01/01 00:01:53 executed programs: 2
[ 113.746528][ T4145] usb 1-1: new full-speed USB device number 2 using dummy_hcd
[ 113.977206][ T4113] Bluetooth: hci0: command 0x040f tx timeout
[ 114.096068][ T4145] usb 1-1: not running at top speed; connect to a high speed hub
[ 114.196015][ T4145] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 114.198319][ T4145] usb 1-1: config 8 has no interface number 0
[ 114.199931][ T4145] usb 1-1: config 8 interface 33 has no altsetting 0
[ 114.356056][ T4145] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 114.358625][ T4145] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 114.360790][ T4145] usb 1-1: Product: syz
[ 114.361893][ T4145] usb 1-1: Manufacturer: syz
[ 114.363191][ T4145] usb 1-1: SerialNumber: syz
[ 114.694967][ T4145] usb 1-1: USB disconnect, device number 2
[ 114.699800][ T4145] ==================================================================
[ 114.702047][ T4145] BUG: KASAN: use-after-free in hdm_disconnect+0xf4/0x18c
[ 114.703969][ T4145] Read of size 8 at addr ffff0000dcee1978 by task kworker/0:8/4145
[ 114.706065][ T4145]
[ 114.706678][ T4145] CPU: 0 PID: 4145 Comm: kworker/0:8 Not tainted 5.15.183-syzkaller-00055-ga68c15152131 #0
[ 114.709331][ T4145] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
[ 114.712074][ T4145] Workqueue: usb_hub_wq hub_event
[ 114.713424][ T4145] Call trace:
[ 114.714304][ T4145] dump_backtrace+0x0/0x43c
[ 114.715530][ T4145] show_stack+0x2c/0x3c
[ 114.716642][ T4145] __dump_stack+0x30/0x40
[ 114.717816][ T4145] dump_stack_lvl+0xf8/0x160
[ 114.719042][ T4145] print_address_description+0x78/0x30c
[ 114.720517][ T4145] kasan_report+0xec/0x15c
[ 114.721729][ T4145] __asan_report_load8_noabort+0x44/0x50
[ 114.723223][ T4145] hdm_disconnect+0xf4/0x18c
[ 114.724452][ T4145] usb_unbind_interface+0x1b8/0x750
[ 114.725809][ T4145] device_release_driver_internal+0x3fc/0x63c
[ 114.727422][ T4145] device_release_driver+0x28/0x38
[ 114.728821][ T4145] bus_remove_device+0x294/0x388
[ 114.730150][ T4145] device_del+0x568/0x964
[ 114.731307][ T4145] usb_disable_device+0x33c/0x780
[ 114.732708][ T4145] usb_disconnect+0x290/0x7d0
[ 114.733930][ T4145] hub_event+0x14c8/0x4188
[ 114.735118][ T4145] process_one_work+0x79c/0x1140
[ 114.736483][ T4145] worker_thread+0xb64/0x101c
[ 114.737761][ T4145] kthread+0x374/0x454
[ 114.738877][ T4145] ret_from_fork+0x10/0x20
[ 114.740075][ T4145]
[ 114.740681][ T4145] Allocated by task 4145:
[ 114.741840][ T4145] __kasan_kmalloc+0xb0/0xf0
[ 114.743075][ T4145] kmem_cache_alloc_trace+0x274/0x3fc
[ 114.744499][ T4145] hdm_probe+0x9c/0x1044
[ 114.745627][ T4145] usb_probe_interface+0x4fc/0x994
[ 114.747044][ T4145] really_probe+0x26c/0xaec
[ 114.748231][ T4145] __driver_probe_device+0x180/0x314
[ 114.749686][ T4145] driver_probe_device+0x78/0x34c
[ 114.751041][ T4145] __device_attach_driver+0x274/0x4c4
[ 114.752506][ T4145] bus_for_each_drv+0x150/0x1d8
[ 114.753889][ T4145] __device_attach+0x2a8/0x3d4
[ 114.755244][ T4145] device_initial_probe+0x24/0x34
[ 114.756650][ T4145] bus_probe_device+0xbc/0x1c4
[ 114.757952][ T4145] device_add+0xb04/0xf94
[ 114.759133][ T4145] usb_set_configuration+0x15b8/0x1b2c
[ 114.760650][ T4145] usb_generic_driver_probe+0x8c/0x144
[ 114.762110][ T4145] usb_probe_device+0x120/0x25c
[ 114.763392][ T4145] really_probe+0x26c/0xaec
[ 114.764629][ T4145] __driver_probe_device+0x180/0x314
[ 114.766028][ T4145] driver_probe_device+0x78/0x34c
[ 114.767395][ T4145] __device_attach_driver+0x274/0x4c4
[ 114.768849][ T4145] bus_for_each_drv+0x150/0x1d8
[ 114.770175][ T4145] __device_attach+0x2a8/0x3d4
[ 114.771436][ T4145] device_initial_probe+0x24/0x34
[ 114.772793][ T4145] bus_probe_device+0xbc/0x1c4
[ 114.774124][ T4145] device_add+0xb04/0xf94
[ 114.775332][ T4145] usb_new_device+0x7ec/0x1164
[ 114.776614][ T4145] hub_event+0x20cc/0x4188
[ 114.777785][ T4145] process_one_work+0x79c/0x1140
[ 114.779118][ T4145] worker_thread+0x8f4/0x101c
[ 114.780375][ T4145] kthread+0x374/0x454
[ 114.781515][ T4145] ret_from_fork+0x10/0x20
[ 114.782781][ T4145]
[ 114.783397][ T4145] Freed by task 4145:
[ 114.784414][ T4145] kasan_set_track+0x4c/0x84
[ 114.785620][ T4145] kasan_set_free_info+0x28/0x4c
[ 114.786936][ T4145] ____kasan_slab_free+0x118/0x164
[ 114.788273][ T4145] __kasan_slab_free+0x18/0x28
[ 114.789612][ T4145] slab_free_freelist_hook+0x128/0x1e8
[ 114.791027][ T4145] kfree+0x170/0x40c
[ 114.792065][ T4145] release_mdev+0x20/0x30
[ 114.793225][ T4145] device_release+0x8c/0x1ac
[ 114.794457][ T4145] kobject_put+0x2cc/0x454
[ 114.795614][ T4145] device_unregister+0x3c/0xcc
[ 114.796911][ T4145] most_deregister_interface+0x3e0/0x42c
[ 114.798428][ T4145] hdm_disconnect+0xdc/0x18c
[ 114.799658][ T4145] usb_unbind_interface+0x1b8/0x750
[ 114.801087][ T4145] device_release_driver_internal+0x3fc/0x63c
[ 114.802722][ T4145] device_release_driver+0x28/0x38
[ 114.804085][ T4145] bus_remove_device+0x294/0x388
[ 114.805505][ T4145] device_del+0x568/0x964
[ 114.806672][ T4145] usb_disable_device+0x33c/0x780
[ 114.808018][ T4145] usb_disconnect+0x290/0x7d0
[ 114.809222][ T4145] hub_event+0x14c8/0x4188
[ 114.810429][ T4145] process_one_work+0x79c/0x1140
[ 114.811749][ T4145] worker_thread+0xb64/0x101c
[ 114.813056][ T4145] kthread+0x374/0x454
[ 114.814151][ T4145] ret_from_fork+0x10/0x20
[ 114.815350][ T4145]
[ 114.815996][ T4145] Last potentially related work creation:
[ 114.817574][ T4145] kasan_save_stack+0x38/0x68
[ 114.818866][ T4145] kasan_record_aux_stack+0xcc/0x114
[ 114.820287][ T4145] insert_work+0x64/0x388
[ 114.821476][ T4145] __queue_work+0xb30/0x1054
[ 114.822661][ T4145] queue_work_on+0xc4/0x17c
[ 114.823863][ T4145] le_conn_complete_evt+0x7dc/0x11bc
[ 114.825311][ T4145] hci_le_meta_evt+0x85c/0x3010
[ 114.826723][ T4145] hci_event_packet+0xd10/0x11bc
[ 114.828052][ T4145] hci_rx_work+0x1cc/0x880
[ 114.829206][ T4145] process_one_work+0x79c/0x1140
[ 114.830569][ T4145] worker_thread+0x8f4/0x101c
[ 114.831864][ T4145] kthread+0x374/0x454
[ 114.832936][ T4145] ret_from_fork+0x10/0x20
[ 114.834114][ T4145]
[ 114.834732][ T4145] Second to last potentially related work creation:
[ 114.836503][ T4145] kasan_save_stack+0x38/0x68
[ 114.837765][ T4145] kasan_record_aux_stack+0xcc/0x114
[ 114.839249][ T4145] insert_work+0x64/0x388
[ 114.840436][ T4145] __queue_work+0xb30/0x1054
[ 114.841668][ T4145] queue_work_on+0xc4/0x17c
[ 114.842879][ T4145] hci_send_acl+0x75c/0xa54
[ 114.844066][ T4145] l2cap_send_cmd+0x4e0/0x728
[ 114.845313][ T4145] l2cap_request_info+0x170/0x250
[ 114.846679][ T4145] l2cap_connect_cfm+0x4a4/0xd64
[ 114.848023][ T4145] hci_remote_features_evt+0x474/0x850
[ 114.849502][ T4145] hci_event_packet+0x560/0x11bc
[ 114.850870][ T4145] hci_rx_work+0x1cc/0x880
[ 114.852062][ T4145] process_one_work+0x79c/0x1140
[ 114.853390][ T4145] worker_thread+0x8f4/0x101c
[ 114.854588][ T4145] kthread+0x374/0x454
[ 114.855671][ T4145] ret_from_fork+0x10/0x20
[ 114.856848][ T4145]
[ 114.857451][ T4145] The buggy address belongs to the object at ffff0000dcee0000
[ 114.857451][ T4145] which belongs to the cache kmalloc-8k of size 8192
[ 114.861332][ T4145] The buggy address is located 6520 bytes inside of
[ 114.861332][ T4145] 8192-byte region [ffff0000dcee0000, ffff0000dcee2000)
[ 114.864981][ T4145] The buggy address belongs to the page:
[ 114.866582][ T4145] page:00000000f0820b2d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11cee0
[ 114.869356][ T4145] head:00000000f0820b2d order:3 compound_mapcount:0 compound_pincount:0
[ 114.871605][ T4145] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 114.873782][ T4145] raw: 05ffc00000010200 0000000000000000 0000000100000001 ffff0000c0002c00
[ 114.876132][ T4145] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 114.878437][ T4145] page dumped because: kasan: bad access detected
[ 114.880230][ T4145]
[ 114.880845][ T4145] Memory state around the buggy address:
[ 114.882311][ T4145] ffff0000dcee1800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 114.884511][ T4145] ffff0000dcee1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 114.886679][ T4145] >ffff0000dcee1900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 114.888848][ T4145] ^
[ 114.891143][ T4145] ffff0000dcee1980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 114.893427][ T4145] ffff0000dcee1a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 114.895672][ T4145] ==================================================================
[ 114.897875][ T4145] Disabling lock debugging due to kernel taint
[ 114.900030][ T4145] ------------[ cut here ]------------
[ 114.901518][ T4145] refcount_t: underflow; use-after-free.
[ 114.903242][ T4145] WARNING: CPU: 0 PID: 4145 at lib/refcount.c:28 refcount_warn_saturate+0x154/0x1f8
[ 114.905759][ T4145] Modules linked in:
[ 114.906762][ T4145] CPU: 0 PID: 4145 Comm: kworker/0:8 Tainted: G B 5.15.183-syzkaller-00055-ga68c15152131 #0
[ 114.909810][ T4145] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
[ 114.912510][ T4145] Workqueue: usb_hub_wq hub_event
[ 114.913887][ T4145] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 114.915977][ T4145] pc : refcount_warn_saturate+0x154/0x1f8
[ 114.917473][ T4145] lr : refcount_warn_saturate+0x154/0x1f8
[ 114.918981][ T4145] sp : ffff80001f8d73e0
[ 114.920069][ T4145] x29: ffff80001f8d73e0 x28: ffff800016094500 x27: 1fffe0001827b600
[ 114.922162][ T4145] x26: 1fffe0001827b607 x25: dfff800000000000 x24: ffff0000e8b53030
[ 114.924330][ T4145] x23: 1fffe0001b9dc0bb x22: ffff0000c13db03c x21: 0000000000000000
[ 114.926473][ T4145] x20: ffff0000c13db038 x19: ffff80001658e000 x18: 0000000000000001
[ 114.928612][ T4145] x17: 0000000000000000 x16: ffff8000083007ec x15: 00000000ffffffff
[ 114.930837][ T4145] x14: 0000000000ff0100 x13: 0000000000000001 x12: 0000000000ff0100
[ 114.932969][ T4145] x11: 0000000000000000 x10: 0000000000000000 x9 : 86ce53521d973a00
[ 114.935113][ T4145] x8 : 86ce53521d973a00 x7 : 0000000000000001 x6 : 0000000000000001
[ 114.937189][ T4145] x5 : ffff80001f8d6cd8 x4 : ffff80001422f280 x3 : ffff8000083008fc
[ 114.939319][ T4145] x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000026
[ 114.941473][ T4145] Call trace:
[ 114.942335][ T4145] refcount_warn_saturate+0x154/0x1f8
[ 114.943737][ T4145] kobject_put+0x19c/0x454
[ 114.944972][ T4145] put_device+0x28/0x40
[ 114.946051][ T4145] hdm_disconnect+0x16c/0x18c
[ 114.947270][ T4145] usb_unbind_interface+0x1b8/0x750
[ 114.948650][ T4145] device_release_driver_internal+0x3fc/0x63c
[ 114.950270][ T4145] device_release_driver+0x28/0x38
[ 114.951616][ T4145] bus_remove_device+0x294/0x388
[ 114.952983][ T4145] device_del+0x568/0x964
[ 114.954123][ T4145] usb_disable_device+0x33c/0x780
[ 114.955423][ T4145] usb_disconnect+0x290/0x7d0
[ 114.956628][ T4145] hub_event+0x14c8/0x4188
[ 114.957805][ T4145] process_one_work+0x79c/0x1140
[ 114.959101][ T4145] worker_thread+0xb64/0x101c
[ 114.960367][ T4145] kthread+0x374/0x454
[ 114.961461][ T4145] ret_from_fork+0x10/0x20
[ 114.962646][ T4145] irq event stamp: 16844
[ 114.963750][ T4145] hardirqs last enabled at (16843): [] kasan_quarantine_put+0xc4/0x204
[ 114.966396][ T4145] hardirqs last disabled at (16844): [] _raw_spin_lock_irqsave+0xfc/0x14c
[ 114.969037][ T4145] softirqs last enabled at (16518): [] handle_softirqs+0xa4c/0xbf0
[ 114.971593][ T4145] softirqs last disabled at (16493): [] __irq_exit_rcu+0x240/0x440
[ 114.974104][ T4145] ---[ end trace b717f358ffd12f28 ]---
[ 115.217833][ T148] device hsr_slave_0 left promiscuous mode
[ 115.258032][ T148] device hsr_slave_1 left promiscuous mode
[ 115.376013][ T148] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 115.378024][ T148] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 115.380309][ T148] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 115.382278][ T148] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 115.384539][ T148] device bridge_slave_1 left promiscuous mode
[ 115.386703][ T148] bridge0: port 2(bridge_slave_1) entered disabled state
[ 115.426874][ T148] device bridge_slave_0 left promiscuous mode
[ 115.428646][ T148] bridge0: port 1(bridge_slave_0) entered disabled state
[ 115.566112][ T148] device veth1_macvtap left promiscuous mode
[ 115.567808][ T148] device veth0_macvtap left promiscuous mode
[ 115.569533][ T148] device veth1_vlan left promiscuous mode
[ 115.571270][ T148] device veth0_vlan left promiscuous mode
[ 115.575910][ T4145] usb 1-1: new full-speed USB device number 3 using dummy_hcd
[ 115.690420][ T148] team0 (unregistering): Port device team_slave_1 removed
[ 115.696050][ T148] team0 (unregistering): Port device team_slave_0 removed
[ 115.701311][ T148] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 115.740558][ T148] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 115.860963][ T148] bond0 (unregistering): Released all slaves
[ 115.895921][ T4145] usb 1-1: not running at top speed; connect to a high speed hub
[ 115.976013][ T4145] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 115.978307][ T4145] usb 1-1: config 8 has no interface number 0
[ 115.979916][ T4145] usb 1-1: config 8 interface 33 has no altsetting 0
[ 116.056006][ T4116] Bluetooth: hci0: command 0x0419 tx timeout
[ 116.136068][ T4145] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 116.138803][ T4145] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 116.141065][ T4145] usb 1-1: Product: syz
[ 116.142195][ T4145] usb 1-1: Manufacturer: syz
[ 116.143445][ T4145] usb 1-1: SerialNumber: syz
[ 116.458765][ T4145] usb 1-1: USB disconnect, device number 3
[ 117.175949][ T4538] usb 1-1: new full-speed USB device number 4 using dummy_hcd
[ 117.505973][ T4538] usb 1-1: not running at top speed; connect to a high speed hub
[ 117.585970][ T4538] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 117.588272][ T4538] usb 1-1: config 8 has no interface number 0
[ 117.589867][ T4538] usb 1-1: config 8 interface 33 has no altsetting 0
[ 117.766034][ T4538] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 117.768471][ T4538] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 117.770632][ T4538] usb 1-1: Product: syz
[ 117.771825][ T4538] usb 1-1: Manufacturer: syz
[ 117.773048][ T4538] usb 1-1: SerialNumber: syz
[ 118.089432][ T4538] usb 1-1: USB disconnect, device number 4
1970/01/01 00:01:58 executed programs: 5
[ 118.785978][ T4145] usb 1-1: new full-speed USB device number 5 using dummy_hcd
[ 119.125959][ T4145] usb 1-1: not running at top speed; connect to a high speed hub
[ 119.205968][ T4145] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 119.208239][ T4145] usb 1-1: config 8 has no interface number 0
[ 119.209951][ T4145] usb 1-1: config 8 interface 33 has no altsetting 0
[ 119.366152][ T4145] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 119.368683][ T4145] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 119.370681][ T4145] usb 1-1: Product: syz
[ 119.371765][ T4145] usb 1-1: Manufacturer: syz
[ 119.372917][ T4145] usb 1-1: SerialNumber: syz
[ 119.690383][ T4145] usb 1-1: USB disconnect, device number 5
[ 120.385944][ T4145] usb 1-1: new full-speed USB device number 6 using dummy_hcd
[ 120.706031][ T4145] usb 1-1: not running at top speed; connect to a high speed hub
[ 120.785993][ T4145] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 120.788356][ T4145] usb 1-1: config 8 has no interface number 0
[ 120.790134][ T4145] usb 1-1: config 8 interface 33 has no altsetting 0
[ 120.946021][ T4145] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 120.948459][ T4145] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 120.950641][ T4145] usb 1-1: Product: syz
[ 120.951763][ T4145] usb 1-1: Manufacturer: syz
[ 120.952996][ T4145] usb 1-1: SerialNumber: syz
[ 121.289131][ T4145] usb 1-1: USB disconnect, device number 6
[ 121.985922][ T4145] usb 1-1: new full-speed USB device number 7 using dummy_hcd
[ 122.315938][ T4145] usb 1-1: not running at top speed; connect to a high speed hub
[ 122.396002][ T4145] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 122.398234][ T4145] usb 1-1: config 8 has no interface number 0
[ 122.399930][ T4145] usb 1-1: config 8 interface 33 has no altsetting 0
[ 122.556075][ T4145] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 122.558621][ T4145] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 122.560760][ T4145] usb 1-1: Product: syz
[ 122.561939][ T4145] usb 1-1: Manufacturer: syz
[ 122.563326][ T4145] usb 1-1: SerialNumber: syz
[ 122.888720][ T4145] usb 1-1: USB disconnect, device number 7
[ 123.576009][ T4145] usb 1-1: new full-speed USB device number 8 using dummy_hcd
[ 123.905952][ T4145] usb 1-1: not running at top speed; connect to a high speed hub
[ 123.995983][ T4145] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 123.998405][ T4145] usb 1-1: config 8 has no interface number 0
[ 124.000082][ T4145] usb 1-1: config 8 interface 33 has no altsetting 0
[ 124.166646][ T4145] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 124.169226][ T4145] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 124.171447][ T4145] usb 1-1: Product: syz
[ 124.172609][ T4145] usb 1-1: Manufacturer: syz
[ 124.173959][ T4145] usb 1-1: SerialNumber: syz
[ 124.500581][ T4145] usb 1-1: USB disconnect, device number 8