Warning: Permanently added '10.128.0.165' (ED25519) to the list of known hosts.
1970/01/01 00:01:19 ignoring optional flag "sandboxArg"="0"
1970/01/01 00:01:19 ignoring optional flag "type"="gce"
1970/01/01 00:01:19 parsed 1 programs
[ 82.598260][ T4441] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SSFS
[ 89.631254][ T1638] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 89.633577][ T1638] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 89.636317][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 89.655456][ T148] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 89.657611][ T148] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 89.661173][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 90.348919][ T4598] chnl_net:caif_netlink_parms(): no params data found
[ 90.436582][ T4598] bridge0: port 1(bridge_slave_0) entered blocking state
[ 90.438553][ T4598] bridge0: port 1(bridge_slave_0) entered disabled state
[ 90.442979][ T4598] device bridge_slave_0 entered promiscuous mode
[ 90.446683][ T4598] bridge0: port 2(bridge_slave_1) entered blocking state
[ 90.448678][ T4598] bridge0: port 2(bridge_slave_1) entered disabled state
[ 90.451820][ T4598] device bridge_slave_1 entered promiscuous mode
[ 90.470275][ T4598] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 90.474692][ T4598] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 90.490662][ T4598] team0: Port device team_slave_0 added
[ 90.493895][ T4598] team0: Port device team_slave_1 added
[ 90.508368][ T4598] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 90.510303][ T4598] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 90.517243][ T4598] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 90.522357][ T4598] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 90.524241][ T4598] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 90.531850][ T4598] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 90.591619][ T4598] device hsr_slave_0 entered promiscuous mode
[ 90.611308][ T4598] device hsr_slave_1 entered promiscuous mode
[ 91.430880][ T4598] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 91.472223][ T4598] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 91.532647][ T4598] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 91.571599][ T4598] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 91.674314][ T4598] 8021q: adding VLAN 0 to HW filter on device bond0
[ 91.710183][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 91.712859][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 91.717369][ T4598] 8021q: adding VLAN 0 to HW filter on device team0
[ 91.721773][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 91.724529][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 91.727374][ T520] bridge0: port 1(bridge_slave_0) entered blocking state
[ 91.729164][ T520] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 91.737709][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 91.750730][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 91.753622][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 91.756186][ T1638] bridge0: port 2(bridge_slave_1) entered blocking state
[ 91.757906][ T1638] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 91.764394][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 91.776092][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 91.778878][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 91.786215][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 91.796085][ T4598] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 91.798729][ T4598] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 91.806074][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 91.808618][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 91.813144][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 91.816262][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 91.818827][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 91.823518][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 91.826097][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 91.834380][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 91.908745][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 91.911778][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 91.919215][ T4598] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 91.941944][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 91.944755][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 91.965599][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 91.968402][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 91.972761][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 91.975623][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 91.981763][ T4598] device veth0_vlan entered promiscuous mode
[ 91.989314][ T4598] device veth1_vlan entered promiscuous mode
[ 92.007975][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 92.011578][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 92.014170][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 92.017287][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 92.024337][ T4598] device veth0_macvtap entered promiscuous mode
[ 92.028911][ T4598] device veth1_macvtap entered promiscuous mode
[ 92.042892][ T4598] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 92.044851][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 92.047472][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 92.052722][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 92.055919][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 92.063540][ T4598] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 92.067464][ T4598] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 92.071364][ T4598] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 92.073722][ T4598] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 92.075809][ T4598] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 92.081253][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 92.083812][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
1970/01/01 00:01:32 executed programs: 0
[ 93.152860][ T4760] chnl_net:caif_netlink_parms(): no params data found
[ 93.193909][ T4760] bridge0: port 1(bridge_slave_0) entered blocking state
[ 93.195989][ T4760] bridge0: port 1(bridge_slave_0) entered disabled state
[ 93.198643][ T4760] device bridge_slave_0 entered promiscuous mode
[ 93.202924][ T4760] bridge0: port 2(bridge_slave_1) entered blocking state
[ 93.204837][ T4760] bridge0: port 2(bridge_slave_1) entered disabled state
[ 93.207393][ T4760] device bridge_slave_1 entered promiscuous mode
[ 93.226174][ T4760] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 93.247946][ T4760] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 93.267940][ T4760] team0: Port device team_slave_0 added
[ 93.272373][ T4760] team0: Port device team_slave_1 added
[ 93.285780][ T4760] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 93.287543][ T4760] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 93.295356][ T4760] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 93.300154][ T4760] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 93.302026][ T4760] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 93.308337][ T4760] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 93.351413][ T4760] device hsr_slave_0 entered promiscuous mode
[ 93.390809][ T4760] device hsr_slave_1 entered promiscuous mode
[ 93.439587][ T4760] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 93.441824][ T4760] Cannot create hsr debugfs directory
[ 93.526065][ T4760] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 95.090124][ T4665] Bluetooth: hci0: command 0x0409 tx timeout
[ 96.703568][ T4760] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 97.169510][ T4957] Bluetooth: hci0: command 0x041b tx timeout
[ 97.735963][ T4760] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 97.789772][ T4760] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 97.936582][ T4760] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 97.971841][ T4760] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 98.021948][ T4760] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 98.084957][ T4760] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 98.213974][ T4760] 8021q: adding VLAN 0 to HW filter on device bond0
[ 98.228121][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 98.230925][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 98.235887][ T4760] 8021q: adding VLAN 0 to HW filter on device team0
[ 98.242511][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 98.245310][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 98.247840][ T520] bridge0: port 1(bridge_slave_0) entered blocking state
[ 98.249792][ T520] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 98.253776][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 98.274939][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 98.277678][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 98.282434][ T520] bridge0: port 2(bridge_slave_1) entered blocking state
[ 98.284324][ T520] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 98.289160][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 98.297104][ T447] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 98.303159][ T447] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 98.306511][ T447] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 98.309175][ T447] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 98.314582][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 98.317314][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 98.327520][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 98.330569][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 98.333625][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 98.336118][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 98.339219][ T4760] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 98.411215][ T447] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 98.413263][ T447] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 98.421425][ T4760] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 98.459127][ T447] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 98.462206][ T447] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 98.474807][ T447] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 98.477540][ T447] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 98.483940][ T447] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 98.486512][ T447] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 98.494490][ T4760] device veth0_vlan entered promiscuous mode
[ 98.501130][ T4760] device veth1_vlan entered promiscuous mode
[ 98.514985][ T447] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 98.517709][ T447] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 98.521452][ T447] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 98.524089][ T447] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 98.528713][ T4760] device veth0_macvtap entered promiscuous mode
[ 98.536045][ T4760] device veth1_macvtap entered promiscuous mode
[ 98.546331][ T4760] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
[ 98.549429][ T4760] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 98.553262][ T4760] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 98.555274][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 98.557874][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 98.560807][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 98.563543][ T1638] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 98.567863][ T4760] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
[ 98.570992][ T4760] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 98.574591][ T4760] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 98.576675][ T447] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 98.580610][ T447] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 98.585686][ T4760] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 98.587852][ T4760] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 98.590305][ T4760] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 98.592637][ T4760] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 98.629221][ T520] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 98.631515][ T520] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 98.635305][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 98.648206][ T520] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 98.650817][ T520] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 98.653581][ T520] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
1970/01/01 00:01:38 executed programs: 2
[ 98.979493][ T4269] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 99.229452][ T4269] usb 1-1: Using ep0 maxpacket: 32
[ 99.250081][ T4062] Bluetooth: hci0: command 0x040f tx timeout
[ 99.359686][ T4269] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 99.362031][ T4269] usb 1-1: config 0 has no interface number 0
[ 99.539625][ T4269] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 99.542056][ T4269] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 99.544206][ T4269] usb 1-1: Product: syz
[ 99.545289][ T4269] usb 1-1: Manufacturer: syz
[ 99.546504][ T4269] usb 1-1: SerialNumber: syz
[ 99.551716][ T4269] usb 1-1: config 0 descriptor??
[ 99.713210][ T9] device hsr_slave_0 left promiscuous mode
[ 99.750119][ T9] device hsr_slave_1 left promiscuous mode
[ 99.793918][ T4195] usb 1-1: USB disconnect, device number 2
[ 99.799083][ T4195] ==================================================================
[ 99.801410][ T4195] BUG: KASAN: use-after-free in hdm_disconnect+0xf8/0x190
[ 99.803364][ T4195] Read of size 8 at addr ffff0000d66e1978 by task kworker/0:5/4195
[ 99.805450][ T4195]
[ 99.806019][ T4195] CPU: 0 PID: 4195 Comm: kworker/0:5 Not tainted 5.15.167-syzkaller #0
[ 99.808198][ T4195] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[ 99.810929][ T4195] Workqueue: usb_hub_wq hub_event
[ 99.812216][ T4195] Call trace:
[ 99.813030][ T4195] dump_backtrace+0x0/0x530
[ 99.814247][ T4195] show_stack+0x2c/0x3c
[ 99.815402][ T4195] dump_stack_lvl+0x108/0x170
[ 99.816658][ T4195] print_address_description+0x7c/0x3f0
[ 99.818101][ T4195] kasan_report+0x174/0x1e4
[ 99.819288][ T4195] __asan_report_load8_noabort+0x44/0x50
[ 99.820839][ T4195] hdm_disconnect+0xf8/0x190
[ 99.822044][ T4195] usb_unbind_interface+0x1a4/0x758
[ 99.823463][ T4195] device_release_driver_internal+0x464/0x6ac
[ 99.825015][ T4195] device_release_driver+0x28/0x38
[ 99.826279][ T4195] bus_remove_device+0x298/0x38c
[ 99.827601][ T4195] device_del+0x57c/0x9b4
[ 99.828757][ T4195] usb_disable_device+0x354/0x760
[ 99.829992][ T4195] usb_disconnect+0x290/0x7e8
[ 99.831179][ T4195] hub_event+0x1718/0x46b8
[ 99.832407][ T4195] process_one_work+0x790/0x11b8
[ 99.833718][ T4195] worker_thread+0x910/0x1034
[ 99.834923][ T4195] kthread+0x37c/0x45c
[ 99.835946][ T4195] ret_from_fork+0x10/0x20
[ 99.837139][ T4195]
[ 99.837738][ T4195] Allocated by task 4269:
[ 99.838799][ T4195] ____kasan_kmalloc+0xbc/0xfc
[ 99.840178][ T4195] __kasan_kmalloc+0x10/0x1c
[ 99.841506][ T4195] kmem_cache_alloc_trace+0x27c/0x47c
[ 99.843023][ T4195] hdm_probe+0xa4/0x1044
[ 99.844097][ T4195] usb_probe_interface+0x500/0x984
[ 99.845467][ T4195] really_probe+0x26c/0xaec
[ 99.846650][ T4195] __driver_probe_device+0x194/0x3b4
[ 99.847906][ T4195] driver_probe_device+0x78/0x34c
[ 99.849249][ T4195] __device_attach_driver+0x28c/0x4d8
[ 99.850582][ T4195] bus_for_each_drv+0x158/0x1e0
[ 99.851729][ T4195] __device_attach+0x2f0/0x480
[ 99.852886][ T4195] device_initial_probe+0x24/0x34
[ 99.854317][ T4195] bus_probe_device+0xbc/0x1c8
[ 99.855482][ T4195] device_add+0xae0/0xef4
[ 99.856722][ T4195] usb_set_configuration+0x15e0/0x1b60
[ 99.858150][ T4195] usb_generic_driver_probe+0x8c/0x148
[ 99.859596][ T4195] usb_probe_device+0x120/0x25c
[ 99.860855][ T4195] really_probe+0x26c/0xaec
[ 99.861919][ T4195] __driver_probe_device+0x194/0x3b4
[ 99.863322][ T4195] driver_probe_device+0x78/0x34c
[ 99.864570][ T4195] __device_attach_driver+0x28c/0x4d8
[ 99.865993][ T4195] bus_for_each_drv+0x158/0x1e0
[ 99.867248][ T4195] __device_attach+0x2f0/0x480
[ 99.868422][ T4195] device_initial_probe+0x24/0x34
[ 99.869612][ T4195] bus_probe_device+0xbc/0x1c8
[ 99.870834][ T4195] device_add+0xae0/0xef4
[ 99.872005][ T4195] usb_new_device+0x900/0x145c
[ 99.873248][ T4195] hub_event+0x236c/0x46b8
[ 99.874468][ T4195] process_one_work+0x790/0x11b8
[ 99.875531][ T4195] worker_thread+0x910/0x1034
[ 99.876714][ T4195] kthread+0x37c/0x45c
[ 99.877807][ T4195] ret_from_fork+0x10/0x20
[ 99.879012][ T4195]
[ 99.879590][ T4195] Freed by task 4195:
[ 99.880518][ T4195] kasan_set_track+0x4c/0x84
[ 99.881774][ T4195] kasan_set_free_info+0x28/0x4c
[ 99.882964][ T4195] ____kasan_slab_free+0x118/0x164
[ 99.884321][ T4195] __kasan_slab_free+0x18/0x28
[ 99.885572][ T4195] slab_free_freelist_hook+0x128/0x1ec
[ 99.886981][ T4195] kfree+0x178/0x410
[ 99.887979][ T4195] release_mdev+0x20/0x30
[ 99.889087][ T4195] device_release+0x8c/0x1ac
[ 99.890251][ T4195] kobject_put+0x2c4/0x438
[ 99.891351][ T4195] device_unregister+0x3c/0xcc
[ 99.892571][ T4195] most_deregister_interface+0x3e0/0x42c
[ 99.893952][ T4195] hdm_disconnect+0xe0/0x190
[ 99.895132][ T4195] usb_unbind_interface+0x1a4/0x758
[ 99.896555][ T4195] device_release_driver_internal+0x464/0x6ac
[ 99.898108][ T4195] device_release_driver+0x28/0x38
[ 99.899485][ T4195] bus_remove_device+0x298/0x38c
[ 99.900701][ T4195] device_del+0x57c/0x9b4
[ 99.901788][ T4195] usb_disable_device+0x354/0x760
[ 99.903099][ T4195] usb_disconnect+0x290/0x7e8
[ 99.904338][ T4195] hub_event+0x1718/0x46b8
[ 99.905491][ T4195] process_one_work+0x790/0x11b8
[ 99.906782][ T4195] worker_thread+0x910/0x1034
[ 99.908037][ T4195] kthread+0x37c/0x45c
[ 99.909160][ T4195] ret_from_fork+0x10/0x20
[ 99.910273][ T4195]
[ 99.910907][ T4195] The buggy address belongs to the object at ffff0000d66e0000
[ 99.910907][ T4195] which belongs to the cache kmalloc-8k of size 8192
[ 99.914774][ T4195] The buggy address is located 6520 bytes inside of
[ 99.914774][ T4195] 8192-byte region [ffff0000d66e0000, ffff0000d66e2000)
[ 99.918252][ T4195] The buggy address belongs to the page:
[ 99.919740][ T4195] page:000000006becfd98 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1166e0
[ 99.922406][ T4195] head:000000006becfd98 order:3 compound_mapcount:0 compound_pincount:0
[ 99.924512][ T4195] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 99.926643][ T4195] raw: 05ffc00000010200 0000000000000000 0000000100000001 ffff0000c0002c00
[ 99.928890][ T4195] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 99.931010][ T4195] page dumped because: kasan: bad access detected
[ 99.932692][ T4195]
[ 99.933329][ T4195] Memory state around the buggy address:
[ 99.934836][ T4195] ffff0000d66e1800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 99.936962][ T4195] ffff0000d66e1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 99.939143][ T4195] >ffff0000d66e1900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 99.941162][ T4195] ^
[ 99.943243][ T4195] ffff0000d66e1980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 99.945345][ T4195] ffff0000d66e1a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 99.947393][ T4195] ==================================================================
[ 99.949406][ T4195] Disabling lock debugging due to kernel taint
[ 99.951470][ T4195] ------------[ cut here ]------------
[ 99.952913][ T4195] refcount_t: underflow; use-after-free.
[ 99.954570][ T4195] WARNING: CPU: 0 PID: 4195 at lib/refcount.c:28 refcount_warn_saturate+0x1c8/0x20c
[ 99.956882][ T4195] Modules linked in:
[ 99.957835][ T4195] CPU: 0 PID: 4195 Comm: kworker/0:5 Tainted: G B 5.15.167-syzkaller #0
[ 99.960146][ T4195] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[ 99.962629][ T4195] Workqueue: usb_hub_wq hub_event
[ 99.963926][ T4195] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 99.965920][ T4195] pc : refcount_warn_saturate+0x1c8/0x20c
[ 99.967316][ T4195] lr : refcount_warn_saturate+0x1c8/0x20c
[ 99.968753][ T4195] sp : ffff80001fc172f0
[ 99.969861][ T4195] x29: ffff80001fc172f0 x28: ffff800016a0e140 x27: ffff0000d7024000
[ 99.972113][ T4195] x26: 1fffe0001a1f2c07 x25: dfff800000000000 x24: ffff0000cd966030
[ 99.974041][ T4195] x23: 1fffe0001acdc0bb x22: ffff0000d0f9603c x21: 0000000000000003
[ 99.976086][ T4195] x20: ffff0000d0f96038 x19: ffff800016f0c000 x18: 0000000000000001
[ 99.978202][ T4195] x17: 0000000000000000 x16: ffff800008336530 x15: 00000000ffffffff
[ 99.980309][ T4195] x14: ffff0000da590000 x13: 0000000000000001 x12: 0000000000000001
[ 99.982376][ T4195] x11: 0000000000000000 x10: 0000000000000000 x9 : b6d6f0d16b3f8400
[ 99.984375][ T4195] x8 : b6d6f0d16b3f8400 x7 : 0000000000000001 x6 : 0000000000000001
[ 99.986220][ T4195] x5 : ffff80001fc16a58 x4 : ffff800014b9fae0 x3 : ffff80000833667c
[ 99.988198][ T4195] x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000026
[ 99.990376][ T4195] Call trace:
[ 99.991169][ T4195] refcount_warn_saturate+0x1c8/0x20c
[ 99.992663][ T4195] kobject_put+0x1a8/0x438
[ 99.993850][ T4195] put_device+0x28/0x40
[ 99.994842][ T4195] hdm_disconnect+0x170/0x190
[ 99.996147][ T4195] usb_unbind_interface+0x1a4/0x758
[ 99.997539][ T4195] device_release_driver_internal+0x464/0x6ac
[ 99.999093][ T4195] device_release_driver+0x28/0x38
[ 100.000474][ T4195] bus_remove_device+0x298/0x38c
[ 100.001881][ T4195] device_del+0x57c/0x9b4
[ 100.003019][ T4195] usb_disable_device+0x354/0x760
[ 100.004221][ T4195] usb_disconnect+0x290/0x7e8
[ 100.005507][ T4195] hub_event+0x1718/0x46b8
[ 100.006641][ T4195] process_one_work+0x790/0x11b8
[ 100.007893][ T4195] worker_thread+0x910/0x1034
[ 100.009120][ T4195] kthread+0x37c/0x45c
[ 100.010219][ T4195] ret_from_fork+0x10/0x20
[ 100.011378][ T4195] irq event stamp: 41366
[ 100.012577][ T4195] hardirqs last enabled at (41365): [] kasan_quarantine_put+0xdc/0x204
[ 100.015117][ T4195] hardirqs last disabled at (41366): [] _raw_spin_lock_irqsave+0xfc/0x14c
[ 100.017722][ T4195] softirqs last enabled at (40848): [] handle_softirqs+0xb88/0xdbc
[ 100.020235][ T4195] softirqs last disabled at (40833): [] __irq_exit_rcu+0x268/0x4d8
[ 100.022756][ T4195] ---[ end trace cc9c53be1070581f ]---
[ 100.029884][ T9] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 100.031956][ T9] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 100.034188][ T9] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 100.036239][ T9] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 100.038372][ T9] device bridge_slave_1 left promiscuous mode
[ 100.040606][ T9] bridge0: port 2(bridge_slave_1) entered disabled state
[ 100.080433][ T9] device bridge_slave_0 left promiscuous mode
[ 100.082101][ T9] bridge0: port 1(bridge_slave_0) entered disabled state
[ 100.230030][ T9] device veth1_macvtap left promiscuous mode
[ 100.231718][ T9] device veth0_macvtap left promiscuous mode
[ 100.233363][ T9] device veth1_vlan left promiscuous mode
[ 100.235038][ T9] device veth0_vlan left promiscuous mode
[ 100.402822][ T9] team0 (unregistering): Port device team_slave_1 removed
[ 100.412806][ T9] team0 (unregistering): Port device team_slave_0 removed
[ 100.419229][ T9] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 100.456038][ T9] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 100.576452][ T9] bond0 (unregistering): Released all slaves
[ 100.649422][ T4195] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 100.899471][ T4195] usb 1-1: Using ep0 maxpacket: 32
[ 101.049529][ T4195] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 101.051794][ T4195] usb 1-1: config 0 has no interface number 0
[ 101.209396][ T4195] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 101.211763][ T4195] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 101.213816][ T4195] usb 1-1: Product: syz
[ 101.214925][ T4195] usb 1-1: Manufacturer: syz
[ 101.216104][ T4195] usb 1-1: SerialNumber: syz
[ 101.219046][ T4195] usb 1-1: config 0 descriptor??
[ 101.329434][ T4958] Bluetooth: hci0: command 0x0419 tx timeout
[ 101.460350][ T4195] usb 1-1: USB disconnect, device number 3
[ 102.259379][ T7] usb 1-1: new high-speed USB device number 4 using dummy_hcd
[ 102.499480][ T7] usb 1-1: Using ep0 maxpacket: 32
[ 102.619447][ T7] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 102.621713][ T7] usb 1-1: config 0 has no interface number 0
[ 102.779460][ T7] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 102.781925][ T7] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 102.784064][ T7] usb 1-1: Product: syz
[ 102.785162][ T7] usb 1-1: Manufacturer: syz
[ 102.786349][ T7] usb 1-1: SerialNumber: syz
[ 102.789696][ T7] usb 1-1: config 0 descriptor??
[ 103.030396][ T4062] usb 1-1: USB disconnect, device number 4
[ 103.809452][ T4062] usb 1-1: new high-speed USB device number 5 using dummy_hcd
[ 104.049429][ T4062] usb 1-1: Using ep0 maxpacket: 32
[ 104.169529][ T4062] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 104.171743][ T4062] usb 1-1: config 0 has no interface number 0
[ 104.330204][ T4062] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 104.332634][ T4062] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 104.334709][ T4062] usb 1-1: Product: syz
[ 104.335794][ T4062] usb 1-1: Manufacturer: syz
[ 104.336989][ T4062] usb 1-1: SerialNumber: syz
[ 104.340648][ T4062] usb 1-1: config 0 descriptor??
[ 104.581121][ T4269] usb 1-1: USB disconnect, device number 5
1970/01/01 00:01:45 executed programs: 6
[ 105.359395][ T4269] usb 1-1: new high-speed USB device number 6 using dummy_hcd
[ 105.619350][ T4269] usb 1-1: Using ep0 maxpacket: 32
[ 105.759440][ T4269] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 105.761603][ T4269] usb 1-1: config 0 has no interface number 0
[ 105.919445][ T4269] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 105.921950][ T4269] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 105.924071][ T4269] usb 1-1: Product: syz
[ 105.925159][ T4269] usb 1-1: Manufacturer: syz
[ 105.926367][ T4269] usb 1-1: SerialNumber: syz
[ 105.930200][ T4269] usb 1-1: config 0 descriptor??
[ 106.171706][ T4062] usb 1-1: USB disconnect, device number 6
[ 106.959394][ T4269] usb 1-1: new high-speed USB device number 7 using dummy_hcd
[ 107.200132][ T4269] usb 1-1: Using ep0 maxpacket: 32
[ 107.319560][ T4269] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 107.321799][ T4269] usb 1-1: config 0 has no interface number 0
[ 107.479576][ T4269] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 107.482063][ T4269] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 107.484137][ T4269] usb 1-1: Product: syz
[ 107.485251][ T4269] usb 1-1: Manufacturer: syz
[ 107.486468][ T4269] usb 1-1: SerialNumber: syz
[ 107.489421][ T4269] usb 1-1: config 0 descriptor??
[ 107.731358][ T4269] usb 1-1: USB disconnect, device number 7
[ 108.509390][ T4664] usb 1-1: new high-speed USB device number 8 using dummy_hcd
[ 108.749383][ T4664] usb 1-1: Using ep0 maxpacket: 32
[ 108.869400][ T4664] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 108.871763][ T4664] usb 1-1: config 0 has no interface number 0
[ 109.029569][ T4664] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 109.032117][ T4664] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 109.034177][ T4664] usb 1-1: Product: syz
[ 109.035227][ T4664] usb 1-1: Manufacturer: syz
[ 109.036420][ T4664] usb 1-1: SerialNumber: syz
[ 109.039121][ T4664] usb 1-1: config 0 descriptor??
[ 109.280236][ T4664] usb 1-1: USB disconnect, device number 8