Warning: Permanently added '10.128.1.209' (ED25519) to the list of known hosts. 1970/01/01 00:01:02 ignoring optional flag "type"="gce" 1970/01/01 00:01:02 parsed 1 programs [ 63.907892][ T4605] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SSFS [ 68.321878][ T4619] chnl_net:caif_netlink_parms(): no params data found [ 68.339751][ T4619] bridge0: port 1(bridge_slave_0) entered blocking state [ 68.341027][ T4619] bridge0: port 1(bridge_slave_0) entered disabled state [ 68.342458][ T4619] device bridge_slave_0 entered promiscuous mode [ 68.344417][ T4619] bridge0: port 2(bridge_slave_1) entered blocking state [ 68.346069][ T4619] bridge0: port 2(bridge_slave_1) entered disabled state [ 68.347516][ T4619] device bridge_slave_1 entered promiscuous mode [ 68.356734][ T4619] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 68.359272][ T4619] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 68.368900][ T4619] team0: Port device team_slave_0 added [ 68.370730][ T4619] team0: Port device team_slave_1 added [ 68.378765][ T4619] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 68.379807][ T4619] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 68.383472][ T4619] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 68.385704][ T4619] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 68.386709][ T4619] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 68.390652][ T4619] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 68.446566][ T4619] device hsr_slave_0 entered promiscuous mode [ 68.496371][ T4619] device hsr_slave_1 entered promiscuous mode [ 69.119750][ T4619] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 69.148337][ T4619] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 69.178157][ T4619] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 69.217760][ T4619] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 69.266589][ T4619] bridge0: port 2(bridge_slave_1) entered blocking state [ 69.267827][ T4619] bridge0: port 2(bridge_slave_1) entered forwarding state [ 69.269055][ T4619] bridge0: port 1(bridge_slave_0) entered blocking state [ 69.270240][ T4619] bridge0: port 1(bridge_slave_0) entered forwarding state [ 69.289569][ T4619] 8021q: adding VLAN 0 to HW filter on device bond0 [ 69.293497][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 69.295279][ T136] bridge0: port 1(bridge_slave_0) entered disabled state [ 69.297794][ T136] bridge0: port 2(bridge_slave_1) entered disabled state [ 69.299732][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 69.303786][ T4619] 8021q: adding VLAN 0 to HW filter on device team0 [ 69.308456][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 69.310033][ T136] bridge0: port 1(bridge_slave_0) entered blocking state [ 69.311039][ T136] bridge0: port 1(bridge_slave_0) entered forwarding state [ 69.314250][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 69.317655][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 69.319132][ T136] bridge0: port 2(bridge_slave_1) entered blocking state [ 69.320274][ T136] bridge0: port 2(bridge_slave_1) entered forwarding state [ 69.357178][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 69.360331][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 69.363204][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 69.365125][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 69.367960][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 69.372246][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 69.373834][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 69.388257][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 69.389812][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 69.392290][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 69.393799][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 69.406312][ T4619] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 69.458529][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 69.459865][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready [ 69.464181][ T4619] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 69.474384][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 69.476284][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 69.486636][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 69.488244][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 69.490069][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 69.491570][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 69.497591][ T4619] device veth0_vlan entered promiscuous mode [ 69.501853][ T4619] device veth1_vlan entered promiscuous mode [ 69.518992][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready [ 69.520516][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready [ 69.521909][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 69.523372][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 69.536384][ T4619] device veth0_macvtap entered promiscuous mode [ 69.539007][ T4619] device veth1_macvtap entered promiscuous mode [ 69.544162][ T4619] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 69.545325][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready [ 69.548209][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 69.549666][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 69.551256][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 69.557323][ T4619] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 69.559678][ T4619] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 69.560993][ T4619] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 69.562317][ T4619] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 69.563656][ T4619] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 69.576921][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 69.578720][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 69.617683][ T2064] ieee802154 phy0 wpan0: encryption failed: -22 [ 69.618843][ T2064] ieee802154 phy1 wpan1: encryption failed: -22 [ 69.626314][ T1542] cfg80211: failed to load regulatory.db [ 70.504770][ T509] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 70.762725][ T136] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 70.764035][ T136] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 70.766330][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready [ 70.780787][ T361] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 70.782105][ T361] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 70.783706][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready 1970/01/01 00:01:10 executed programs: 0 [ 71.033927][ T4870] chnl_net:caif_netlink_parms(): no params data found [ 71.052898][ T4870] bridge0: port 1(bridge_slave_0) entered blocking state [ 71.054116][ T4870] bridge0: port 1(bridge_slave_0) entered disabled state [ 71.055791][ T4870] device bridge_slave_0 entered promiscuous mode [ 71.059021][ T4870] bridge0: port 2(bridge_slave_1) entered blocking state [ 71.060182][ T4870] bridge0: port 2(bridge_slave_1) entered disabled state [ 71.061666][ T4870] device bridge_slave_1 entered promiscuous mode [ 71.074171][ T4870] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 71.076963][ T4870] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 71.086207][ T4870] team0: Port device team_slave_0 added [ 71.088141][ T4870] team0: Port device team_slave_1 added [ 71.095577][ T4870] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 71.096659][ T4870] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 71.100337][ T4870] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 71.102525][ T4870] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 71.103608][ T4870] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 71.108535][ T4870] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 71.167365][ T4870] device hsr_slave_0 entered promiscuous mode [ 71.205920][ T4870] device hsr_slave_1 entered promiscuous mode [ 71.245778][ T4870] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 71.247028][ T4870] Cannot create hsr debugfs directory [ 72.518666][ T509] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 73.055983][ T1542] Bluetooth: hci0: command 0x0409 tx timeout [ 75.128717][ T509] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 75.135847][ T1969] Bluetooth: hci0: command 0x041b tx timeout [ 75.170522][ T509] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 76.186786][ T4870] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 76.239550][ T4870] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 76.277054][ T4870] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 76.326920][ T4870] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 76.390923][ T4870] 8021q: adding VLAN 0 to HW filter on device bond0 [ 76.394732][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 76.396227][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 76.399101][ T4870] 8021q: adding VLAN 0 to HW filter on device team0 [ 76.401661][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 76.403260][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 76.404677][ T136] bridge0: port 1(bridge_slave_0) entered blocking state [ 76.405785][ T136] bridge0: port 1(bridge_slave_0) entered forwarding state [ 76.408511][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 76.411367][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 76.412910][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 76.414594][ T136] bridge0: port 2(bridge_slave_1) entered blocking state [ 76.415801][ T136] bridge0: port 2(bridge_slave_1) entered forwarding state [ 76.418626][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 76.421465][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 76.424256][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 76.428429][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 76.429987][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 76.432635][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 76.435032][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 76.438724][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 76.440354][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 76.443031][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 76.444630][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 76.448295][ T4870] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 76.488647][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 76.489994][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready [ 76.493275][ T4870] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 76.500480][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 76.502134][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 76.508672][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 76.510124][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 76.511789][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 76.513198][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 76.515727][ T4870] device veth0_vlan entered promiscuous mode [ 76.533363][ T4870] device veth1_vlan entered promiscuous mode [ 76.543363][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready [ 76.544905][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready [ 76.547731][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 76.549266][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 76.551919][ T4870] device veth0_macvtap entered promiscuous mode [ 76.554418][ T4870] device veth1_macvtap entered promiscuous mode [ 76.560252][ T4870] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 [ 76.561942][ T4870] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 76.564214][ T4870] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 76.566665][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready [ 76.568200][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 76.569665][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 76.571172][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 76.574190][ T4870] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 [ 76.576751][ T4870] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 76.578837][ T4870] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 76.580165][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 76.581726][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 76.584350][ T4870] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 76.586180][ T4870] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 76.587582][ T4870] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 76.589049][ T4870] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 76.610693][ T136] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 76.615318][ T136] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 76.619001][ T9] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 76.619757][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready [ 76.620230][ T9] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 76.622990][ T771] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready 1970/01/01 00:01:16 executed programs: 2 [ 76.915508][ T4139] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 77.165618][ T4139] usb 1-1: Using ep0 maxpacket: 32 [ 77.216527][ T1969] Bluetooth: hci0: command 0x040f tx timeout [ 77.295664][ T4139] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 77.296975][ T4139] usb 1-1: config 0 has no interface number 0 [ 77.455641][ T4139] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 77.457045][ T4139] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 77.458388][ T4139] usb 1-1: Product: syz [ 77.459049][ T4139] usb 1-1: Manufacturer: syz [ 77.459834][ T4139] usb 1-1: SerialNumber: syz [ 77.462948][ T4139] usb 1-1: config 0 descriptor?? [ 77.707500][ T4139] usb 1-1: USB disconnect, device number 2 [ 77.710388][ T4139] ================================================================== [ 77.711755][ T4139] BUG: KASAN: use-after-free in hdm_disconnect+0xf4/0x18c [ 77.712817][ T4139] Read of size 8 at addr ffff0000c158d978 by task kworker/0:6/4139 [ 77.714032][ T4139] [ 77.714401][ T4139] CPU: 0 PID: 4139 Comm: kworker/0:6 Not tainted syzkaller #0 [ 77.715677][ T4139] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025 [ 77.717314][ T4139] Workqueue: usb_hub_wq hub_event [ 77.718171][ T4139] Call trace: [ 77.718732][ T4139] dump_backtrace+0x0/0x43c [ 77.719506][ T4139] show_stack+0x2c/0x3c [ 77.720203][ T4139] __dump_stack+0x30/0x40 [ 77.720902][ T4139] dump_stack_lvl+0xf8/0x160 [ 77.721652][ T4139] print_address_description+0x78/0x30c [ 77.722517][ T4139] kasan_report+0xec/0x15c [ 77.723239][ T4139] __asan_report_load8_noabort+0x44/0x50 [ 77.724118][ T4139] hdm_disconnect+0xf4/0x18c [ 77.724905][ T4139] usb_unbind_interface+0x1b8/0x750 [ 77.725724][ T4139] device_release_driver_internal+0x3fc/0x63c [ 77.726753][ T4139] device_release_driver+0x28/0x38 [ 77.727599][ T4139] bus_remove_device+0x294/0x388 [ 77.728448][ T4139] device_del+0x568/0x964 [ 77.729169][ T4139] usb_disable_device+0x33c/0x780 [ 77.730015][ T4139] usb_disconnect+0x290/0x7d0 [ 77.730808][ T4139] hub_event+0x1610/0x42c0 [ 77.731530][ T4139] process_one_work+0x79c/0x1140 [ 77.732341][ T4139] worker_thread+0x8f4/0x101c [ 77.733081][ T4139] kthread+0x374/0x454 [ 77.733727][ T4139] ret_from_fork+0x10/0x20 [ 77.734461][ T4139] [ 77.734853][ T4139] Allocated by task 4139: [ 77.735587][ T4139] __kasan_kmalloc+0xb0/0xf0 [ 77.736351][ T4139] kmem_cache_alloc_trace+0x274/0x3fc [ 77.737194][ T4139] hdm_probe+0x9c/0x1044 [ 77.737907][ T4139] usb_probe_interface+0x4fc/0x994 [ 77.738715][ T4139] really_probe+0x26c/0xaec [ 77.739440][ T4139] __driver_probe_device+0x180/0x314 [ 77.740276][ T4139] driver_probe_device+0x78/0x34c [ 77.741108][ T4139] __device_attach_driver+0x274/0x4c4 [ 77.742001][ T4139] bus_for_each_drv+0x150/0x1d8 [ 77.742747][ T4139] __device_attach+0x2a8/0x3d4 [ 77.743483][ T4139] device_initial_probe+0x24/0x34 [ 77.744327][ T4139] bus_probe_device+0xbc/0x1c4 [ 77.745026][ T4139] device_add+0xb04/0xf94 [ 77.745681][ T4139] usb_set_configuration+0x15b8/0x1b2c [ 77.746610][ T4139] usb_generic_driver_probe+0x8c/0x144 [ 77.747521][ T4139] usb_probe_device+0x120/0x25c [ 77.748316][ T4139] really_probe+0x26c/0xaec [ 77.749045][ T4139] __driver_probe_device+0x180/0x314 [ 77.749932][ T4139] driver_probe_device+0x78/0x34c [ 77.750683][ T4139] __device_attach_driver+0x274/0x4c4 [ 77.751606][ T4139] bus_for_each_drv+0x150/0x1d8 [ 77.752354][ T4139] __device_attach+0x2a8/0x3d4 [ 77.753078][ T4139] device_initial_probe+0x24/0x34 [ 77.753853][ T4139] bus_probe_device+0xbc/0x1c4 [ 77.754626][ T4139] device_add+0xb04/0xf94 [ 77.755295][ T4139] usb_new_device+0x7ec/0x1164 [ 77.755999][ T4139] hub_event+0x2240/0x42c0 [ 77.756718][ T4139] process_one_work+0x79c/0x1140 [ 77.757524][ T4139] worker_thread+0x8f4/0x101c [ 77.758319][ T4139] kthread+0x374/0x454 [ 77.759028][ T4139] ret_from_fork+0x10/0x20 [ 77.759773][ T4139] [ 77.760161][ T4139] Freed by task 4139: [ 77.760840][ T4139] kasan_set_track+0x4c/0x84 [ 77.761554][ T4139] kasan_set_free_info+0x28/0x4c [ 77.762347][ T4139] ____kasan_slab_free+0x118/0x164 [ 77.763191][ T4139] __kasan_slab_free+0x18/0x28 [ 77.763964][ T4139] slab_free_freelist_hook+0x128/0x1e8 [ 77.764797][ T4139] kfree+0x170/0x40c [ 77.765368][ T4139] release_mdev+0x20/0x30 [ 77.766012][ T4139] device_release+0x8c/0x1ac [ 77.766769][ T4139] kobject_put+0x2cc/0x454 [ 77.767455][ T4139] device_unregister+0x3c/0xcc [ 77.768222][ T4139] most_deregister_interface+0x3e0/0x42c [ 77.769127][ T4139] hdm_disconnect+0xdc/0x18c [ 77.769885][ T4139] usb_unbind_interface+0x1b8/0x750 [ 77.770715][ T4139] device_release_driver_internal+0x3fc/0x63c [ 77.771684][ T4139] device_release_driver+0x28/0x38 [ 77.772520][ T4139] bus_remove_device+0x294/0x388 [ 77.773292][ T4139] device_del+0x568/0x964 [ 77.773999][ T4139] usb_disable_device+0x33c/0x780 [ 77.774801][ T4139] usb_disconnect+0x290/0x7d0 [ 77.775533][ T4139] hub_event+0x1610/0x42c0 [ 77.776225][ T4139] process_one_work+0x79c/0x1140 [ 77.776984][ T4139] worker_thread+0x8f4/0x101c [ 77.777721][ T4139] kthread+0x374/0x454 [ 77.778376][ T4139] ret_from_fork+0x10/0x20 [ 77.779079][ T4139] [ 77.779442][ T4139] The buggy address belongs to the object at ffff0000c158c000 [ 77.779442][ T4139] which belongs to the cache kmalloc-8k of size 8192 [ 77.781670][ T4139] The buggy address is located 6520 bytes inside of [ 77.781670][ T4139] 8192-byte region [ffff0000c158c000, ffff0000c158e000) [ 77.783805][ T4139] The buggy address belongs to the page: [ 77.784730][ T4139] page:000000002cd773f5 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101588 [ 77.786455][ T4139] head:000000002cd773f5 order:3 compound_mapcount:0 compound_pincount:0 [ 77.787858][ T4139] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff) [ 77.789138][ T4139] raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002c00 [ 77.790432][ T4139] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000 [ 77.791740][ T4139] page dumped because: kasan: bad access detected [ 77.792804][ T4139] [ 77.793181][ T4139] Memory state around the buggy address: [ 77.794002][ T4139] ffff0000c158d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 77.795184][ T4139] ffff0000c158d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 77.796343][ T4139] >ffff0000c158d900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 77.797497][ T4139] ^ [ 77.798654][ T4139] ffff0000c158d980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 77.799933][ T4139] ffff0000c158da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 77.801211][ T4139] ================================================================== [ 77.802499][ T4139] Disabling lock debugging due to kernel taint [ 77.803924][ T4139] ------------[ cut here ]------------ [ 77.804804][ T4139] refcount_t: underflow; use-after-free. [ 77.805981][ T4139] WARNING: CPU: 0 PID: 4139 at lib/refcount.c:28 refcount_warn_saturate+0x154/0x1f8 [ 77.807438][ T4139] Modules linked in: [ 77.808055][ T4139] CPU: 0 PID: 4139 Comm: kworker/0:6 Tainted: G B syzkaller #0 [ 77.809352][ T4139] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025 [ 77.810826][ T4139] Workqueue: usb_hub_wq hub_event [ 77.811559][ T4139] pstate: 62400005 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--) [ 77.812680][ T4139] pc : refcount_warn_saturate+0x154/0x1f8 [ 77.813514][ T4139] lr : refcount_warn_saturate+0x154/0x1f8 [ 77.814400][ T4139] sp : ffff80001f3473e0 [ 77.815007][ T4139] x29: ffff80001f3473e0 x28: ffff8000160ca660 x27: 1fffe00018fc6400 [ 77.816161][ T4139] x26: 1fffe00018fc6407 x25: dfff800000000000 x24: ffff0000c7e31030 [ 77.817397][ T4139] x23: 1fffe000182b18bb x22: ffff0000c7e3203c x21: 0000000000000000 [ 77.818572][ T4139] x20: ffff0000c7e32038 x19: ffff8000165c5000 x18: 0000000000000001 [ 77.819791][ T4139] x17: 0000000000000000 x16: ffff800008302168 x15: 00000000ffffffff [ 77.821064][ T4139] x14: 0000000000ff0100 x13: 0000000000000001 x12: 0000000000ff0100 [ 77.822365][ T4139] x11: 0000000000000000 x10: 0000000000000000 x9 : a4eee3312fa9e800 [ 77.823610][ T4139] x8 : a4eee3312fa9e800 x7 : 0000000000000001 x6 : 0000000000000001 [ 77.824977][ T4139] x5 : ffff80001f346cd8 x4 : ffff80001425f420 x3 : ffff800008302278 [ 77.826143][ T4139] x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000026 [ 77.827427][ T4139] Call trace: [ 77.827944][ T4139] refcount_warn_saturate+0x154/0x1f8 [ 77.828786][ T4139] kobject_put+0x19c/0x454 [ 77.829505][ T4139] put_device+0x28/0x40 [ 77.830123][ T4139] hdm_disconnect+0x16c/0x18c [ 77.830916][ T4139] usb_unbind_interface+0x1b8/0x750 [ 77.831775][ T4139] device_release_driver_internal+0x3fc/0x63c [ 77.832731][ T4139] device_release_driver+0x28/0x38 [ 77.833532][ T4139] bus_remove_device+0x294/0x388 [ 77.834336][ T4139] device_del+0x568/0x964 [ 77.835034][ T4139] usb_disable_device+0x33c/0x780 [ 77.835819][ T4139] usb_disconnect+0x290/0x7d0 [ 77.836560][ T4139] hub_event+0x1610/0x42c0 [ 77.837310][ T4139] process_one_work+0x79c/0x1140 [ 77.838127][ T4139] worker_thread+0x8f4/0x101c [ 77.838920][ T4139] kthread+0x374/0x454 [ 77.839582][ T4139] ret_from_fork+0x10/0x20 [ 77.840290][ T4139] irq event stamp: 12380 [ 77.840949][ T4139] hardirqs last enabled at (12379): [] kasan_quarantine_put+0xc4/0x204 [ 77.842598][ T4139] hardirqs last disabled at (12380): [] _raw_spin_lock_irqsave+0xfc/0x14c [ 77.844230][ T4139] softirqs last enabled at (11730): [] __fib6_clean_all+0x1ec/0x320 [ 77.845765][ T4139] softirqs last disabled at (11724): [] __fib6_clean_all+0x1ac/0x320 [ 77.847189][ T4139] ---[ end trace 9d0d8511e66983be ]--- [ 78.535475][ T4139] usb 1-1: new high-speed USB device number 3 using dummy_hcd [ 78.775478][ T4139] usb 1-1: Using ep0 maxpacket: 32 [ 78.877291][ T509] device hsr_slave_0 left promiscuous mode [ 78.895509][ T4139] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 78.896854][ T4139] usb 1-1: config 0 has no interface number 0 [ 78.915781][ T509] device hsr_slave_1 left promiscuous mode [ 79.005514][ T509] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 79.006748][ T509] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 79.008156][ T509] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 79.009295][ T509] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 79.010653][ T509] device bridge_slave_1 left promiscuous mode [ 79.011627][ T509] bridge0: port 2(bridge_slave_1) entered disabled state [ 79.055556][ T4139] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 79.056946][ T4139] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 79.057146][ T509] device bridge_slave_0 left promiscuous mode [ 79.058120][ T4139] usb 1-1: Product: syz [ 79.059144][ T509] bridge0: port 1(bridge_slave_0) entered disabled state [ 79.059658][ T4139] usb 1-1: Manufacturer: syz [ 79.061471][ T4139] usb 1-1: SerialNumber: syz [ 79.063693][ T4139] usb 1-1: config 0 descriptor?? [ 79.205575][ T509] device veth1_macvtap left promiscuous mode [ 79.206537][ T509] device veth0_macvtap left promiscuous mode [ 79.207461][ T509] device veth1_vlan left promiscuous mode [ 79.208308][ T509] device veth0_vlan left promiscuous mode [ 79.296502][ T509] team0 (unregistering): Port device team_slave_1 removed [ 79.300177][ T509] team0 (unregistering): Port device team_slave_0 removed [ 79.303631][ T509] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 79.305507][ T1969] Bluetooth: hci0: command 0x0419 tx timeout [ 79.308725][ T4139] usb 1-1: USB disconnect, device number 3 [ 79.329588][ T509] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 79.409585][ T509] bond0 (unregistering): Released all slaves [ 80.075568][ T4139] usb 1-1: new high-speed USB device number 4 using dummy_hcd [ 80.336017][ T4139] usb 1-1: Using ep0 maxpacket: 32 [ 80.466035][ T4139] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 80.467277][ T4139] usb 1-1: config 0 has no interface number 0 [ 80.645551][ T4139] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 80.646985][ T4139] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 80.648288][ T4139] usb 1-1: Product: syz [ 80.648958][ T4139] usb 1-1: Manufacturer: syz [ 80.649680][ T4139] usb 1-1: SerialNumber: syz [ 80.651371][ T4139] usb 1-1: config 0 descriptor?? [ 80.887090][ T4139] usb 1-1: USB disconnect, device number 4 [ 81.655480][ T1969] usb 1-1: new high-speed USB device number 5 using dummy_hcd [ 81.895481][ T1969] usb 1-1: Using ep0 maxpacket: 32 [ 82.025800][ T1969] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 82.027186][ T1969] usb 1-1: config 0 has no interface number 0 [ 82.205560][ T1969] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 82.206909][ T1969] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 82.208316][ T1969] usb 1-1: Product: syz [ 82.208963][ T1969] usb 1-1: Manufacturer: syz [ 82.209700][ T1969] usb 1-1: SerialNumber: syz [ 82.211817][ T1969] usb 1-1: config 0 descriptor?? [ 82.446132][ T4139] usb 1-1: USB disconnect, device number 5 1970/01/01 00:01:22 executed programs: 6 [ 83.225489][ T1969] usb 1-1: new high-speed USB device number 6 using dummy_hcd [ 83.465494][ T1969] usb 1-1: Using ep0 maxpacket: 32 [ 83.605501][ T1969] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 83.606866][ T1969] usb 1-1: config 0 has no interface number 0 [ 83.765506][ T1969] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 83.766980][ T1969] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 83.768262][ T1969] usb 1-1: Product: syz [ 83.769022][ T1969] usb 1-1: Manufacturer: syz [ 83.769793][ T1969] usb 1-1: SerialNumber: syz [ 83.771433][ T1969] usb 1-1: config 0 descriptor?? [ 84.016103][ T4079] usb 1-1: USB disconnect, device number 6 [ 84.785460][ T1969] usb 1-1: new high-speed USB device number 7 using dummy_hcd [ 85.025463][ T1969] usb 1-1: Using ep0 maxpacket: 32 [ 85.145721][ T1969] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 85.146996][ T1969] usb 1-1: config 0 has no interface number 0 [ 85.305503][ T1969] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 85.306906][ T1969] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 85.308183][ T1969] usb 1-1: Product: syz [ 85.308817][ T1969] usb 1-1: Manufacturer: syz [ 85.309478][ T1969] usb 1-1: SerialNumber: syz [ 85.311063][ T1969] usb 1-1: config 0 descriptor?? [ 85.546047][ T4079] usb 1-1: USB disconnect, device number 7 [ 86.315479][ T4065] usb 1-1: new high-speed USB device number 8 using dummy_hcd [ 86.555461][ T4065] usb 1-1: Using ep0 maxpacket: 32 [ 86.675482][ T4065] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 86.676664][ T4065] usb 1-1: config 0 has no interface number 0 [ 86.835528][ T4065] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 86.836987][ T4065] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 86.838341][ T4065] usb 1-1: Product: syz [ 86.839023][ T4065] usb 1-1: Manufacturer: syz [ 86.839700][ T4065] usb 1-1: SerialNumber: syz [ 86.841353][ T4065] usb 1-1: config 0 descriptor?? [ 87.076042][ T4065] usb 1-1: USB disconnect, device number 8