Warning: Permanently added '10.128.0.140' (ED25519) to the list of known hosts. 1970/01/01 00:01:22 ignoring optional flag "sandboxArg"="0" 1970/01/01 00:01:22 ignoring optional flag "type"="gce" 1970/01/01 00:01:22 parsed 1 programs [ 84.921804][ T4459] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SSFS [ 92.842751][ T4486] chnl_net:caif_netlink_parms(): no params data found [ 92.874783][ T4486] bridge0: port 1(bridge_slave_0) entered blocking state [ 92.876796][ T4486] bridge0: port 1(bridge_slave_0) entered disabled state [ 92.879511][ T4486] device bridge_slave_0 entered promiscuous mode [ 92.882863][ T4486] bridge0: port 2(bridge_slave_1) entered blocking state [ 92.884830][ T4486] bridge0: port 2(bridge_slave_1) entered disabled state [ 92.887285][ T4486] device bridge_slave_1 entered promiscuous mode [ 92.900672][ T4486] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 92.904844][ T4486] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 92.921208][ T4486] team0: Port device team_slave_0 added [ 92.924136][ T4486] team0: Port device team_slave_1 added [ 92.936616][ T4486] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 92.938504][ T4486] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 92.945833][ T4486] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 92.950856][ T4486] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 92.952820][ T4486] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 92.960073][ T4486] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 93.011077][ T4486] device hsr_slave_0 entered promiscuous mode [ 93.049466][ T4486] device hsr_slave_1 entered promiscuous mode [ 93.737721][ T4486] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 93.800800][ T4486] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 93.841876][ T4486] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 93.884874][ T4486] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 94.009889][ T4486] 8021q: adding VLAN 0 to HW filter on device bond0 [ 94.017514][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 94.021862][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 94.026713][ T4486] 8021q: adding VLAN 0 to HW filter on device team0 [ 94.033110][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 94.035962][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 94.038605][ T136] bridge0: port 1(bridge_slave_0) entered blocking state [ 94.040633][ T136] bridge0: port 1(bridge_slave_0) entered forwarding state [ 94.053027][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 94.057128][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 94.061596][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 94.064415][ T136] bridge0: port 2(bridge_slave_1) entered blocking state [ 94.066314][ T136] bridge0: port 2(bridge_slave_1) entered forwarding state [ 94.068618][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 94.083439][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 94.086216][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 94.089901][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 94.092632][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 94.095384][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 94.098040][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 94.104467][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 94.123680][ T4486] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 94.127154][ T4486] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 94.131523][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 94.134372][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 94.136990][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 94.262058][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 94.264163][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready [ 94.282472][ T4486] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 94.303390][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 94.306149][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 94.317446][ T4486] device veth0_vlan entered promiscuous mode [ 94.326519][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 94.329055][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 94.332113][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 94.334932][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 94.344349][ T4486] device veth1_vlan entered promiscuous mode [ 94.370695][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready [ 94.373275][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready [ 94.375742][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 94.386950][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 94.391791][ T4486] device veth0_macvtap entered promiscuous mode [ 94.395819][ T4486] device veth1_macvtap entered promiscuous mode [ 94.407143][ T4486] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 94.409213][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready [ 94.412049][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 94.414489][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 94.420750][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 94.425490][ T4486] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 94.428584][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 94.432166][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 94.436194][ T4486] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 94.438530][ T4486] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 94.442478][ T4486] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 94.444807][ T4486] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 94.675676][ T339] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 94.677991][ T339] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 94.682166][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready [ 94.701943][ T148] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 94.704175][ T148] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 94.706947][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready [ 95.146651][ T382] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 1970/01/01 00:01:35 executed programs: 0 [ 95.894714][ T4668] chnl_net:caif_netlink_parms(): no params data found [ 95.925203][ T4668] bridge0: port 1(bridge_slave_0) entered blocking state [ 95.927219][ T4668] bridge0: port 1(bridge_slave_0) entered disabled state [ 95.930187][ T4668] device bridge_slave_0 entered promiscuous mode [ 95.933544][ T4668] bridge0: port 2(bridge_slave_1) entered blocking state [ 95.935502][ T4668] bridge0: port 2(bridge_slave_1) entered disabled state [ 95.938004][ T4668] device bridge_slave_1 entered promiscuous mode [ 95.959977][ T4668] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 95.964260][ T4668] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 95.982217][ T4668] team0: Port device team_slave_0 added [ 95.985443][ T4668] team0: Port device team_slave_1 added [ 96.001075][ T4668] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 96.003012][ T4668] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 96.012616][ T4668] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 96.016686][ T4668] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 96.018541][ T4668] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 96.025821][ T4668] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 96.091077][ T4668] device hsr_slave_0 entered promiscuous mode [ 96.139618][ T4668] device hsr_slave_1 entered promiscuous mode [ 96.179508][ T4668] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 96.181543][ T4668] Cannot create hsr debugfs directory [ 97.846555][ T382] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 97.859393][ T3323] Bluetooth: hci0: command 0x0409 tx timeout [ 99.939902][ T3323] Bluetooth: hci0: command 0x041b tx timeout [ 100.024482][ T382] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 100.075303][ T382] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 101.071726][ T4668] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 101.091514][ T4668] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 101.120874][ T4668] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 101.160903][ T4668] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 101.267226][ T4668] 8021q: adding VLAN 0 to HW filter on device bond0 [ 101.274772][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 101.277280][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 101.282029][ T4668] 8021q: adding VLAN 0 to HW filter on device team0 [ 101.286335][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 101.289059][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 101.291771][ T339] bridge0: port 1(bridge_slave_0) entered blocking state [ 101.293698][ T339] bridge0: port 1(bridge_slave_0) entered forwarding state [ 101.296022][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 101.300814][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 101.303513][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 101.306036][ T339] bridge0: port 2(bridge_slave_1) entered blocking state [ 101.308187][ T339] bridge0: port 2(bridge_slave_1) entered forwarding state [ 101.314329][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 101.318755][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 101.324579][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 101.327847][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 101.331038][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 101.336523][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 101.340206][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 101.345039][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 101.347687][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 101.352918][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 101.355675][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 101.360797][ T4668] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 101.428820][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 101.431036][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready [ 101.436924][ T4668] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 101.447824][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 101.450794][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 101.476249][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 101.478873][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 101.481957][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 101.484307][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 101.488418][ T4668] device veth0_vlan entered promiscuous mode [ 101.496121][ T4668] device veth1_vlan entered promiscuous mode [ 101.523103][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready [ 101.525627][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready [ 101.528083][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 101.530908][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 101.535444][ T4668] device veth0_macvtap entered promiscuous mode [ 101.542341][ T4668] device veth1_macvtap entered promiscuous mode [ 101.561635][ T4668] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 [ 101.566147][ T4668] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 101.570650][ T4668] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 101.574101][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready [ 101.576606][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 101.579134][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 101.586164][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 101.589908][ T4668] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 [ 101.592615][ T4668] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 101.596105][ T4668] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 101.598244][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 101.602312][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 101.617688][ T4668] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 101.620274][ T4668] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 101.622753][ T4668] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 101.625029][ T4668] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 101.663555][ T339] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 101.666087][ T339] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 101.668939][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready [ 101.683382][ T153] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 101.685559][ T153] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 101.688448][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready 1970/01/01 00:01:41 executed programs: 2 [ 101.989313][ T25] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 102.020092][ T4137] Bluetooth: hci0: command 0x040f tx timeout [ 102.239357][ T25] usb 1-1: Using ep0 maxpacket: 32 [ 102.389372][ T25] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 102.391921][ T25] usb 1-1: config 0 has no interface number 0 [ 102.599436][ T25] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 102.601970][ T25] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 102.604029][ T25] usb 1-1: Product: syz [ 102.605122][ T25] usb 1-1: Manufacturer: syz [ 102.606429][ T25] usb 1-1: SerialNumber: syz [ 102.611446][ T25] usb 1-1: config 0 descriptor?? [ 102.862991][ T3323] usb 1-1: USB disconnect, device number 2 [ 102.868438][ T3323] ================================================================== [ 102.870799][ T3323] BUG: KASAN: use-after-free in hdm_disconnect+0xf4/0x18c [ 102.872848][ T3323] Read of size 8 at addr ffff0000dc9e5978 by task kworker/0:2/3323 [ 102.875012][ T3323] [ 102.875651][ T3323] CPU: 0 PID: 3323 Comm: kworker/0:2 Not tainted 5.15.183-syzkaller-00055-ga68c15152131 #0 [ 102.878333][ T3323] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025 [ 102.881117][ T3323] Workqueue: usb_hub_wq hub_event [ 102.882491][ T3323] Call trace: [ 102.883411][ T3323] dump_backtrace+0x0/0x43c [ 102.884645][ T3323] show_stack+0x2c/0x3c [ 102.885787][ T3323] __dump_stack+0x30/0x40 [ 102.886989][ T3323] dump_stack_lvl+0xf8/0x160 [ 102.888177][ T3323] print_address_description+0x78/0x30c [ 102.889620][ T3323] kasan_report+0xec/0x15c [ 102.890842][ T3323] __asan_report_load8_noabort+0x44/0x50 [ 102.892351][ T3323] hdm_disconnect+0xf4/0x18c [ 102.893675][ T3323] usb_unbind_interface+0x1b8/0x750 [ 102.895110][ T3323] device_release_driver_internal+0x3fc/0x63c [ 102.896711][ T3323] device_release_driver+0x28/0x38 [ 102.898127][ T3323] bus_remove_device+0x294/0x388 [ 102.899505][ T3323] device_del+0x568/0x964 [ 102.900713][ T3323] usb_disable_device+0x33c/0x780 [ 102.902104][ T3323] usb_disconnect+0x290/0x7d0 [ 102.903393][ T3323] hub_event+0x14c8/0x4188 [ 102.904587][ T3323] process_one_work+0x79c/0x1140 [ 102.906005][ T3323] worker_thread+0x8f4/0x101c [ 102.907294][ T3323] kthread+0x374/0x454 [ 102.908406][ T3323] ret_from_fork+0x10/0x20 [ 102.909578][ T3323] [ 102.910238][ T3323] Allocated by task 25: [ 102.911372][ T3323] __kasan_kmalloc+0xb0/0xf0 [ 102.912694][ T3323] kmem_cache_alloc_trace+0x274/0x3fc [ 102.914192][ T3323] hdm_probe+0x9c/0x1044 [ 102.915359][ T3323] usb_probe_interface+0x4fc/0x994 [ 102.916785][ T3323] really_probe+0x26c/0xaec [ 102.918013][ T3323] __driver_probe_device+0x180/0x314 [ 102.919462][ T3323] driver_probe_device+0x78/0x34c [ 102.920872][ T3323] __device_attach_driver+0x274/0x4c4 [ 102.922307][ T3323] bus_for_each_drv+0x150/0x1d8 [ 102.923678][ T3323] __device_attach+0x2a8/0x3d4 [ 102.925012][ T3323] device_initial_probe+0x24/0x34 [ 102.926402][ T3323] bus_probe_device+0xbc/0x1c4 [ 102.927710][ T3323] device_add+0xb04/0xf94 [ 102.928922][ T3323] usb_set_configuration+0x15b8/0x1b2c [ 102.930450][ T3323] usb_generic_driver_probe+0x8c/0x144 [ 102.932017][ T3323] usb_probe_device+0x120/0x25c [ 102.933303][ T3323] really_probe+0x26c/0xaec [ 102.934470][ T3323] __driver_probe_device+0x180/0x314 [ 102.935916][ T3323] driver_probe_device+0x78/0x34c [ 102.937283][ T3323] __device_attach_driver+0x274/0x4c4 [ 102.938716][ T3323] bus_for_each_drv+0x150/0x1d8 [ 102.940003][ T3323] __device_attach+0x2a8/0x3d4 [ 102.941291][ T3323] device_initial_probe+0x24/0x34 [ 102.942619][ T3323] bus_probe_device+0xbc/0x1c4 [ 102.943913][ T3323] device_add+0xb04/0xf94 [ 102.945159][ T3323] usb_new_device+0x7ec/0x1164 [ 102.946437][ T3323] hub_event+0x20cc/0x4188 [ 102.947644][ T3323] process_one_work+0x79c/0x1140 [ 102.949003][ T3323] worker_thread+0x8f4/0x101c [ 102.950262][ T3323] kthread+0x374/0x454 [ 102.951403][ T3323] ret_from_fork+0x10/0x20 [ 102.952551][ T3323] [ 102.953206][ T3323] Freed by task 3323: [ 102.954317][ T3323] kasan_set_track+0x4c/0x84 [ 102.955650][ T3323] kasan_set_free_info+0x28/0x4c [ 102.957021][ T3323] ____kasan_slab_free+0x118/0x164 [ 102.958414][ T3323] __kasan_slab_free+0x18/0x28 [ 102.959754][ T3323] slab_free_freelist_hook+0x128/0x1e8 [ 102.961263][ T3323] kfree+0x170/0x40c [ 102.962339][ T3323] release_mdev+0x20/0x30 [ 102.963562][ T3323] device_release+0x8c/0x1ac [ 102.964833][ T3323] kobject_put+0x2cc/0x454 [ 102.966072][ T3323] device_unregister+0x3c/0xcc [ 102.967383][ T3323] most_deregister_interface+0x3e0/0x42c [ 102.968945][ T3323] hdm_disconnect+0xdc/0x18c [ 102.970273][ T3323] usb_unbind_interface+0x1b8/0x750 [ 102.971700][ T3323] device_release_driver_internal+0x3fc/0x63c [ 102.973363][ T3323] device_release_driver+0x28/0x38 [ 102.974832][ T3323] bus_remove_device+0x294/0x388 [ 102.976128][ T3323] device_del+0x568/0x964 [ 102.977302][ T3323] usb_disable_device+0x33c/0x780 [ 102.978679][ T3323] usb_disconnect+0x290/0x7d0 [ 102.979955][ T3323] hub_event+0x14c8/0x4188 [ 102.981219][ T3323] process_one_work+0x79c/0x1140 [ 102.982594][ T3323] worker_thread+0x8f4/0x101c [ 102.983887][ T3323] kthread+0x374/0x454 [ 102.985064][ T3323] ret_from_fork+0x10/0x20 [ 102.986265][ T3323] [ 102.986887][ T3323] The buggy address belongs to the object at ffff0000dc9e4000 [ 102.986887][ T3323] which belongs to the cache kmalloc-8k of size 8192 [ 102.990798][ T3323] The buggy address is located 6520 bytes inside of [ 102.990798][ T3323] 8192-byte region [ffff0000dc9e4000, ffff0000dc9e6000) [ 102.994545][ T3323] The buggy address belongs to the page: [ 102.996061][ T3323] page:00000000369e16da refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11c9e0 [ 102.998934][ T3323] head:00000000369e16da order:3 compound_mapcount:0 compound_pincount:0 [ 103.001229][ T3323] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff) [ 103.003456][ T3323] raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002c00 [ 103.005785][ T3323] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000 [ 103.008193][ T3323] page dumped because: kasan: bad access detected [ 103.009929][ T3323] [ 103.010549][ T3323] Memory state around the buggy address: [ 103.012104][ T3323] ffff0000dc9e5800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 103.014325][ T3323] ffff0000dc9e5880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 103.016529][ T3323] >ffff0000dc9e5900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 103.018757][ T3323] ^ [ 103.021007][ T3323] ffff0000dc9e5980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 103.023247][ T3323] ffff0000dc9e5a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 103.025384][ T3323] ================================================================== [ 103.027595][ T3323] Disabling lock debugging due to kernel taint [ 103.029932][ T3323] ------------[ cut here ]------------ [ 103.031419][ T3323] refcount_t: underflow; use-after-free. [ 103.033124][ T3323] WARNING: CPU: 0 PID: 3323 at lib/refcount.c:28 refcount_warn_saturate+0x154/0x1f8 [ 103.035731][ T3323] Modules linked in: [ 103.036816][ T3323] CPU: 0 PID: 3323 Comm: kworker/0:2 Tainted: G B 5.15.183-syzkaller-00055-ga68c15152131 #0 [ 103.039994][ T3323] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025 [ 103.042712][ T3323] Workqueue: usb_hub_wq hub_event [ 103.044187][ T3323] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 103.046408][ T3323] pc : refcount_warn_saturate+0x154/0x1f8 [ 103.047982][ T3323] lr : refcount_warn_saturate+0x154/0x1f8 [ 103.049618][ T3323] sp : ffff8000201a73e0 [ 103.050759][ T3323] x29: ffff8000201a73e0 x28: ffff800016094500 x27: 1fffe0001a10a200 [ 103.053018][ T3323] x26: 1fffe0001a10a207 x25: dfff800000000000 x24: ffff0000d0853030 [ 103.055182][ T3323] x23: 1fffe0001b93c8bb x22: ffff0000d085103c x21: 0000000000000000 [ 103.057396][ T3323] x20: ffff0000d0851038 x19: ffff80001658e000 x18: 0000000000000001 [ 103.059603][ T3323] x17: 0000000000000000 x16: ffff8000083007ec x15: 00000000ffffffff [ 103.061818][ T3323] x14: 0000000000ff0100 x13: 0000000000000001 x12: 0000000000ff0100 [ 103.064050][ T3323] x11: 0000000000000000 x10: 0000000000000000 x9 : ac960fd8134d9600 [ 103.066233][ T3323] x8 : ac960fd8134d9600 x7 : 0000000000000001 x6 : 0000000000000001 [ 103.068397][ T3323] x5 : ffff8000201a6cd8 x4 : ffff80001422f280 x3 : ffff8000083008fc [ 103.070667][ T3323] x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000026 [ 103.072864][ T3323] Call trace: [ 103.073757][ T3323] refcount_warn_saturate+0x154/0x1f8 [ 103.075242][ T3323] kobject_put+0x19c/0x454 [ 103.076412][ T3323] put_device+0x28/0x40 [ 103.077577][ T3323] hdm_disconnect+0x16c/0x18c [ 103.078901][ T3323] usb_unbind_interface+0x1b8/0x750 [ 103.080315][ T3323] device_release_driver_internal+0x3fc/0x63c [ 103.081998][ T3323] device_release_driver+0x28/0x38 [ 103.083435][ T3323] bus_remove_device+0x294/0x388 [ 103.084817][ T3323] device_del+0x568/0x964 [ 103.085994][ T3323] usb_disable_device+0x33c/0x780 [ 103.087523][ T3323] usb_disconnect+0x290/0x7d0 [ 103.088956][ T3323] hub_event+0x14c8/0x4188 [ 103.090167][ T3323] process_one_work+0x79c/0x1140 [ 103.091699][ T3323] worker_thread+0x8f4/0x101c [ 103.093045][ T3323] kthread+0x374/0x454 [ 103.094170][ T3323] ret_from_fork+0x10/0x20 [ 103.095435][ T3323] irq event stamp: 96550 [ 103.096634][ T3323] hardirqs last enabled at (96549): [] kasan_quarantine_put+0xc4/0x204 [ 103.099654][ T3323] hardirqs last disabled at (96550): [] _raw_spin_lock_irqsave+0xfc/0x14c [ 103.102569][ T3323] softirqs last enabled at (96050): [] handle_softirqs+0xa4c/0xbf0 [ 103.105352][ T3323] softirqs last disabled at (96031): [] do_softirq+0xfc/0x1b0 [ 103.107896][ T3323] ---[ end trace b7e5dc78598092bf ]--- [ 103.565460][ T382] device hsr_slave_0 left promiscuous mode [ 103.599826][ T382] device hsr_slave_1 left promiscuous mode [ 103.679306][ T382] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 103.681543][ T382] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 103.684114][ T382] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 103.686241][ T382] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 103.688656][ T382] device bridge_slave_1 left promiscuous mode [ 103.690712][ T382] bridge0: port 2(bridge_slave_1) entered disabled state [ 103.709292][ T3323] usb 1-1: new high-speed USB device number 3 using dummy_hcd [ 103.729930][ T382] device bridge_slave_0 left promiscuous mode [ 103.731757][ T382] bridge0: port 1(bridge_slave_0) entered disabled state [ 103.889375][ T382] device veth1_macvtap left promiscuous mode [ 103.891097][ T382] device veth0_macvtap left promiscuous mode [ 103.892823][ T382] device veth1_vlan left promiscuous mode [ 103.894449][ T382] device veth0_vlan left promiscuous mode [ 103.949237][ T3323] usb 1-1: Using ep0 maxpacket: 32 [ 104.015158][ T382] team0 (unregistering): Port device team_slave_1 removed [ 104.022555][ T382] team0 (unregistering): Port device team_slave_0 removed [ 104.028063][ T382] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 104.069278][ T3323] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 104.071656][ T3323] usb 1-1: config 0 has no interface number 0 [ 104.084238][ T382] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 104.099415][ T4134] Bluetooth: hci0: command 0x0419 tx timeout [ 104.193986][ T382] bond0 (unregistering): Released all slaves [ 104.229309][ T3323] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 104.231859][ T3323] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 104.234077][ T3323] usb 1-1: Product: syz [ 104.235193][ T3323] usb 1-1: Manufacturer: syz [ 104.236519][ T3323] usb 1-1: SerialNumber: syz [ 104.239875][ T3323] usb 1-1: config 0 descriptor?? [ 104.480104][ T3323] usb 1-1: USB disconnect, device number 3 [ 105.259264][ T3323] usb 1-1: new high-speed USB device number 4 using dummy_hcd [ 105.499305][ T3323] usb 1-1: Using ep0 maxpacket: 32 [ 105.619403][ T3323] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 105.621676][ T3323] usb 1-1: config 0 has no interface number 0 [ 105.779336][ T3323] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 105.781815][ T3323] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 105.783941][ T3323] usb 1-1: Product: syz [ 105.785084][ T3323] usb 1-1: Manufacturer: syz [ 105.786295][ T3323] usb 1-1: SerialNumber: syz [ 105.789090][ T3323] usb 1-1: config 0 descriptor?? [ 106.030158][ T4683] usb 1-1: USB disconnect, device number 4 [ 106.799257][ T4130] usb 1-1: new high-speed USB device number 5 using dummy_hcd [ 107.039306][ T4130] usb 1-1: Using ep0 maxpacket: 32 [ 107.159372][ T4130] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 107.161641][ T4130] usb 1-1: config 0 has no interface number 0 [ 107.319280][ T4130] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 107.321857][ T4130] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 107.324066][ T4130] usb 1-1: Product: syz [ 107.325198][ T4130] usb 1-1: Manufacturer: syz [ 107.326449][ T4130] usb 1-1: SerialNumber: syz [ 107.329898][ T4130] usb 1-1: config 0 descriptor?? [ 107.570027][ T21] usb 1-1: USB disconnect, device number 5 1970/01/01 00:01:48 executed programs: 6 [ 108.369360][ T21] usb 1-1: new high-speed USB device number 6 using dummy_hcd [ 108.619279][ T21] usb 1-1: Using ep0 maxpacket: 32 [ 108.739754][ T21] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 108.742024][ T21] usb 1-1: config 0 has no interface number 0 [ 108.899536][ T21] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 108.902097][ T21] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 108.904264][ T21] usb 1-1: Product: syz [ 108.905440][ T21] usb 1-1: Manufacturer: syz [ 108.906712][ T21] usb 1-1: SerialNumber: syz [ 108.910027][ T21] usb 1-1: config 0 descriptor?? [ 109.150028][ T21] usb 1-1: USB disconnect, device number 6 [ 109.929298][ T7] usb 1-1: new high-speed USB device number 7 using dummy_hcd [ 110.169282][ T7] usb 1-1: Using ep0 maxpacket: 32 [ 110.289317][ T7] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 110.291713][ T7] usb 1-1: config 0 has no interface number 0 [ 110.449356][ T7] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 110.452282][ T7] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 110.454614][ T7] usb 1-1: Product: syz [ 110.455820][ T7] usb 1-1: Manufacturer: syz [ 110.457149][ T7] usb 1-1: SerialNumber: syz [ 110.460740][ T7] usb 1-1: config 0 descriptor?? [ 110.700248][ T7] usb 1-1: USB disconnect, device number 7 [ 111.479260][ T7] usb 1-1: new high-speed USB device number 8 using dummy_hcd [ 111.729244][ T7] usb 1-1: Using ep0 maxpacket: 32 [ 111.849295][ T7] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 111.851693][ T7] usb 1-1: config 0 has no interface number 0 [ 112.009390][ T7] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 112.012196][ T7] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 112.014321][ T7] usb 1-1: Product: syz [ 112.015415][ T7] usb 1-1: Manufacturer: syz [ 112.016625][ T7] usb 1-1: SerialNumber: syz [ 112.019972][ T7] usb 1-1: config 0 descriptor?? [ 112.260035][ T21] usb 1-1: USB disconnect, device number 8