Warning: Permanently added '10.128.0.46' (ED25519) to the list of known hosts. 1970/01/01 00:01:23 ignoring optional flag "sandboxArg"="0" 1970/01/01 00:01:23 ignoring optional flag "type"="gce" 1970/01/01 00:01:24 parsed 1 programs [ 86.595404][ T4437] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SSFS [ 94.705556][ T4453] chnl_net:caif_netlink_parms(): no params data found [ 94.733511][ T4453] bridge0: port 1(bridge_slave_0) entered blocking state [ 94.735484][ T4453] bridge0: port 1(bridge_slave_0) entered disabled state [ 94.737859][ T4453] device bridge_slave_0 entered promiscuous mode [ 94.744012][ T4453] bridge0: port 2(bridge_slave_1) entered blocking state [ 94.746044][ T4453] bridge0: port 2(bridge_slave_1) entered disabled state [ 94.748540][ T4453] device bridge_slave_1 entered promiscuous mode [ 94.762538][ T4453] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 94.766614][ T4453] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 94.779868][ T4453] team0: Port device team_slave_0 added [ 94.782747][ T4453] team0: Port device team_slave_1 added [ 94.797383][ T4453] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 94.799639][ T4453] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 94.806522][ T4453] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 94.810988][ T4453] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 94.812856][ T4453] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. 
Setting the MTU to 1560 would solve the problem. [ 94.819975][ T4453] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 94.890490][ T4453] device hsr_slave_0 entered promiscuous mode [ 94.929243][ T4453] device hsr_slave_1 entered promiscuous mode [ 95.584844][ T4453] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 95.624413][ T4453] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 95.690950][ T4453] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 95.732216][ T4453] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 95.838773][ T4453] 8021q: adding VLAN 0 to HW filter on device bond0 [ 95.849911][ T4453] 8021q: adding VLAN 0 to HW filter on device team0 [ 95.851987][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 95.854513][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 95.863929][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 95.866608][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 95.874665][ T148] bridge0: port 1(bridge_slave_0) entered blocking state [ 95.876545][ T148] bridge0: port 1(bridge_slave_0) entered forwarding state [ 95.879481][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 95.899884][ T1381] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 95.902701][ T1381] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 95.905196][ T1381] bridge0: port 2(bridge_slave_1) entered blocking state [ 95.907143][ T1381] bridge0: port 2(bridge_slave_1) entered forwarding state [ 95.912705][ T1381] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 95.915621][ T1381] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 95.932134][ T1381] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 95.935485][ T1381] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 95.939432][ T1381] IPv6: 
ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 95.947067][ T1381] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 95.951429][ T1381] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 95.962761][ T4453] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network [ 95.965519][ T4453] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 95.970048][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 95.972723][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 95.975827][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 95.978847][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 95.990514][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 96.124918][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 96.127075][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready [ 96.133575][ T4453] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 96.154489][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 96.157177][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 96.176423][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 96.179548][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 96.183104][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 96.191584][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 96.200566][ T4453] device veth0_vlan entered promiscuous mode [ 96.205784][ T4453] device veth1_vlan entered promiscuous mode [ 96.230414][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready [ 96.233157][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready [ 96.235689][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 96.249583][ T153] IPv6: 
ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 96.253634][ T4453] device veth0_macvtap entered promiscuous mode [ 96.258075][ T4453] device veth1_macvtap entered promiscuous mode [ 96.275985][ T4453] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 96.278079][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready [ 96.282117][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 96.290604][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 96.293256][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 96.301536][ T4453] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 96.304833][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 96.307607][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 96.312283][ T4453] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 96.314649][ T4453] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 96.316949][ T4453] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 96.329544][ T4453] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 96.950600][ T148] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 96.952773][ T148] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 96.955395][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready [ 96.973603][ T340] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 96.975870][ T340] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 96.978520][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready [ 97.582205][ T136] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 99.404324][ T136] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 101.443765][ T136] netdevsim netdevsim0 netdevsim1 
(unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 101.484956][ T136] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 1970/01/01 00:01:42 executed programs: 0 [ 102.363388][ T4888] chnl_net:caif_netlink_parms(): no params data found [ 102.396204][ T4888] bridge0: port 1(bridge_slave_0) entered blocking state [ 102.398156][ T4888] bridge0: port 1(bridge_slave_0) entered disabled state [ 102.403146][ T4888] device bridge_slave_0 entered promiscuous mode [ 102.406491][ T4888] bridge0: port 2(bridge_slave_1) entered blocking state [ 102.408460][ T4888] bridge0: port 2(bridge_slave_1) entered disabled state [ 102.411199][ T4888] device bridge_slave_1 entered promiscuous mode [ 102.426519][ T4888] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 102.433224][ T4888] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 102.447691][ T4888] team0: Port device team_slave_0 added [ 102.453142][ T4888] team0: Port device team_slave_1 added [ 102.465501][ T4888] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 102.467375][ T4888] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 102.477072][ T4888] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 102.489489][ T4888] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 102.491411][ T4888] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. 
[ 102.498399][ T4888] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 102.550576][ T4888] device hsr_slave_0 entered promiscuous mode [ 102.599285][ T4888] device hsr_slave_1 entered promiscuous mode [ 102.639051][ T4888] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 102.641212][ T4888] Cannot create hsr debugfs directory [ 103.175720][ T4888] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 103.210549][ T4888] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 103.251360][ T4888] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 103.291002][ T4888] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 103.428153][ T4888] 8021q: adding VLAN 0 to HW filter on device bond0 [ 103.434797][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 103.437372][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 103.446168][ T4888] 8021q: adding VLAN 0 to HW filter on device team0 [ 103.454867][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 103.457545][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 103.462996][ T148] bridge0: port 1(bridge_slave_0) entered blocking state [ 103.465056][ T148] bridge0: port 1(bridge_slave_0) entered forwarding state [ 103.467368][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 103.492490][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 103.495245][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 103.497659][ T153] bridge0: port 2(bridge_slave_1) entered blocking state [ 103.499594][ T153] bridge0: port 2(bridge_slave_1) entered forwarding state [ 103.502518][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 103.505386][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 103.508164][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 103.516172][ T153] 
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 103.526089][ T4888] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network [ 103.530121][ T4888] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 103.539107][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 103.541753][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 103.544607][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 103.547499][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 103.553286][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 103.556179][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 103.558796][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 103.561925][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 103.644003][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 103.646179][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready [ 103.650258][ T4888] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 103.661270][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 103.664006][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 103.677599][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 103.681316][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 103.684156][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 103.686963][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 103.694533][ T4888] device veth0_vlan entered promiscuous mode [ 103.701506][ T4888] device veth1_vlan entered promiscuous mode [ 103.717917][ T1381] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready [ 103.722081][ T1381] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready [ 103.724598][ 
T1381] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 103.727558][ T1381] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 103.735556][ T4888] device veth0_macvtap entered promiscuous mode [ 103.740013][ T4888] device veth1_macvtap entered promiscuous mode [ 103.752195][ T4888] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 [ 103.755027][ T4888] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 103.758728][ T4888] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 103.762142][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready [ 103.764776][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 103.767182][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 103.773233][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 103.778289][ T4888] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 [ 103.781320][ T4888] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! 
[ 103.784705][ T4888] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 103.787318][ T1381] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 103.790101][ T1381] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 103.795954][ T4888] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 103.798359][ T4888] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 103.801483][ T4888] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 103.803837][ T4888] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 103.862779][ T1381] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 103.864937][ T1381] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 103.867637][ T1381] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready [ 103.886926][ T148] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 103.889549][ T148] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 103.914353][ T1381] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready [ 104.219075][ T4050] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 104.339630][ T1535] Bluetooth: hci0: command 0x0409 tx timeout [ 104.489005][ T4050] usb 1-1: Using ep0 maxpacket: 32 [ 104.629071][ T4050] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 104.631439][ T4050] usb 1-1: config 0 has no interface number 0 [ 104.809029][ T4050] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 104.811540][ T4050] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 104.813737][ T4050] usb 1-1: Product: syz [ 104.814847][ T4050] usb 1-1: Manufacturer: syz [ 104.816047][ T4050] usb 1-1: SerialNumber: syz [ 104.825737][ T4050] usb 1-1: config 0 descriptor?? 
[ 105.074925][ T4050] usb 1-1: USB disconnect, device number 2
[ 105.079849][ T4050] ==================================================================
[ 105.082131][ T4050] BUG: KASAN: use-after-free in hdm_disconnect+0xf4/0x18c
[ 105.084081][ T4050] Read of size 8 at addr ffff0000dad71978 by task kworker/1:3/4050
[ 105.086226][ T4050]
[ 105.086841][ T4050] CPU: 1 PID: 4050 Comm: kworker/1:3 Not tainted 5.15.183-syzkaller-00055-ga68c15152131 #0
[ 105.089581][ T4050] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
[ 105.092322][ T4050] Workqueue: usb_hub_wq hub_event
[ 105.093664][ T4050] Call trace:
[ 105.094536][ T4050]  dump_backtrace+0x0/0x43c
[ 105.095763][ T4050]  show_stack+0x2c/0x3c
[ 105.096894][ T4050]  __dump_stack+0x30/0x40
[ 105.098148][ T4050]  dump_stack_lvl+0xf8/0x160
[ 105.099403][ T4050]  print_address_description+0x78/0x30c
[ 105.100913][ T4050]  kasan_report+0xec/0x15c
[ 105.102132][ T4050]  __asan_report_load8_noabort+0x44/0x50
[ 105.103668][ T4050]  hdm_disconnect+0xf4/0x18c
[ 105.104886][ T4050]  usb_unbind_interface+0x1b8/0x750
[ 105.106316][ T4050]  device_release_driver_internal+0x3fc/0x63c
[ 105.107924][ T4050]  device_release_driver+0x28/0x38
[ 105.109312][ T4050]  bus_remove_device+0x294/0x388
[ 105.110637][ T4050]  device_del+0x568/0x964
[ 105.111791][ T4050]  usb_disable_device+0x33c/0x780
[ 105.113200][ T4050]  usb_disconnect+0x290/0x7d0
[ 105.114456][ T4050]  hub_event+0x14c8/0x4188
[ 105.115622][ T4050]  process_one_work+0x79c/0x1140
[ 105.116942][ T4050]  worker_thread+0x8f4/0x101c
[ 105.118198][ T4050]  kthread+0x374/0x454
[ 105.119300][ T4050]  ret_from_fork+0x10/0x20
[ 105.120491][ T4050]
[ 105.121116][ T4050] Allocated by task 4050:
[ 105.122276][ T4050]  __kasan_kmalloc+0xb0/0xf0
[ 105.123504][ T4050]  kmem_cache_alloc_trace+0x274/0x3fc
[ 105.124961][ T4050]  hdm_probe+0x9c/0x1044
[ 105.126075][ T4050]  usb_probe_interface+0x4fc/0x994
[ 105.127440][ T4050]  really_probe+0x26c/0xaec
[ 105.128619][ T4050]  __driver_probe_device+0x180/0x314
[ 105.130100][ T4050]  driver_probe_device+0x78/0x34c
[ 105.131422][ T4050]  __device_attach_driver+0x274/0x4c4
[ 105.132830][ T4050]  bus_for_each_drv+0x150/0x1d8
[ 105.134155][ T4050]  __device_attach+0x2a8/0x3d4
[ 105.135466][ T4050]  device_initial_probe+0x24/0x34
[ 105.136808][ T4050]  bus_probe_device+0xbc/0x1c4
[ 105.138100][ T4050]  device_add+0xb04/0xf94
[ 105.139289][ T4050]  usb_set_configuration+0x15b8/0x1b2c
[ 105.140748][ T4050]  usb_generic_driver_probe+0x8c/0x144
[ 105.142167][ T4050]  usb_probe_device+0x120/0x25c
[ 105.143466][ T4050]  really_probe+0x26c/0xaec
[ 105.144729][ T4050]  __driver_probe_device+0x180/0x314
[ 105.146109][ T4050]  driver_probe_device+0x78/0x34c
[ 105.147502][ T4050]  __device_attach_driver+0x274/0x4c4
[ 105.148953][ T4050]  bus_for_each_drv+0x150/0x1d8
[ 105.150256][ T4050]  __device_attach+0x2a8/0x3d4
[ 105.151528][ T4050]  device_initial_probe+0x24/0x34
[ 105.152883][ T4050]  bus_probe_device+0xbc/0x1c4
[ 105.154153][ T4050]  device_add+0xb04/0xf94
[ 105.155337][ T4050]  usb_new_device+0x7ec/0x1164
[ 105.156616][ T4050]  hub_event+0x20cc/0x4188
[ 105.157792][ T4050]  process_one_work+0x79c/0x1140
[ 105.159112][ T4050]  worker_thread+0x8f4/0x101c
[ 105.160385][ T4050]  kthread+0x374/0x454
[ 105.161448][ T4050]  ret_from_fork+0x10/0x20
[ 105.162670][ T4050]
[ 105.163335][ T4050] Freed by task 4050:
[ 105.164422][ T4050]  kasan_set_track+0x4c/0x84
[ 105.165645][ T4050]  kasan_set_free_info+0x28/0x4c
[ 105.166989][ T4050]  ____kasan_slab_free+0x118/0x164
[ 105.168362][ T4050]  __kasan_slab_free+0x18/0x28
[ 105.169673][ T4050]  slab_free_freelist_hook+0x128/0x1e8
[ 105.171101][ T4050]  kfree+0x170/0x40c
[ 105.172139][ T4050]  release_mdev+0x20/0x30
[ 105.173295][ T4050]  device_release+0x8c/0x1ac
[ 105.174544][ T4050]  kobject_put+0x2cc/0x454
[ 105.175723][ T4050]  device_unregister+0x3c/0xcc
[ 105.177000][ T4050]  most_deregister_interface+0x3e0/0x42c
[ 105.178508][ T4050]  hdm_disconnect+0xdc/0x18c
[ 105.179763][ T4050]  usb_unbind_interface+0x1b8/0x750
[ 105.181224][ T4050]  device_release_driver_internal+0x3fc/0x63c
[ 105.182881][ T4050]  device_release_driver+0x28/0x38
[ 105.184296][ T4050]  bus_remove_device+0x294/0x388
[ 105.185661][ T4050]  device_del+0x568/0x964
[ 105.186798][ T4050]  usb_disable_device+0x33c/0x780
[ 105.188133][ T4050]  usb_disconnect+0x290/0x7d0
[ 105.189350][ T4050]  hub_event+0x14c8/0x4188
[ 105.190504][ T4050]  process_one_work+0x79c/0x1140
[ 105.191804][ T4050]  worker_thread+0x8f4/0x101c
[ 105.193043][ T4050]  kthread+0x374/0x454
[ 105.194100][ T4050]  ret_from_fork+0x10/0x20
[ 105.195276][ T4050]
[ 105.195859][ T4050] The buggy address belongs to the object at ffff0000dad70000
[ 105.195859][ T4050]  which belongs to the cache kmalloc-8k of size 8192
[ 105.199587][ T4050] The buggy address is located 6520 bytes inside of
[ 105.199587][ T4050]  8192-byte region [ffff0000dad70000, ffff0000dad72000)
[ 105.203291][ T4050] The buggy address belongs to the page:
[ 105.204756][ T4050] page:00000000e4d05153 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11ad70
[ 105.207540][ T4050] head:00000000e4d05153 order:3 compound_mapcount:0 compound_pincount:0
[ 105.209775][ T4050] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 105.212000][ T4050] raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002c00
[ 105.214296][ T4050] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 105.216535][ T4050] page dumped because: kasan: bad access detected
[ 105.218271][ T4050]
[ 105.218895][ T4050] Memory state around the buggy address:
[ 105.220370][ T4050]  ffff0000dad71800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 105.222516][ T4050]  ffff0000dad71880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 105.224713][ T4050] >ffff0000dad71900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 105.226836][ T4050]                                                                 ^
[ 105.228982][ T4050]  ffff0000dad71980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 105.231183][ T4050]  ffff0000dad71a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 105.233360][ T4050] ==================================================================
[ 105.235496][ T4050] Disabling lock debugging due to kernel taint
[ 105.237754][ T4050] ------------[ cut here ]------------
[ 105.239298][ T4050] refcount_t: underflow; use-after-free.
[ 105.241101][ T4050] WARNING: CPU: 1 PID: 4050 at lib/refcount.c:28 refcount_warn_saturate+0x154/0x1f8
[ 105.243576][ T4050] Modules linked in:
[ 105.244585][ T4050] CPU: 1 PID: 4050 Comm: kworker/1:3 Tainted: G B 5.15.183-syzkaller-00055-ga68c15152131 #0
[ 105.247553][ T4050] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
[ 105.250176][ T4050] Workqueue: usb_hub_wq hub_event
[ 105.251544][ T4050] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 105.253617][ T4050] pc : refcount_warn_saturate+0x154/0x1f8
[ 105.255159][ T4050] lr : refcount_warn_saturate+0x154/0x1f8
[ 105.256678][ T4050] sp : ffff80001f5673e0
[ 105.257795][ T4050] x29: ffff80001f5673e0 x28: ffff800016094500 x27: 1fffe0001a8ecc00
[ 105.259937][ T4050] x26: 1fffe0001a8ecc07 x25: dfff800000000000 x24: ffff0000c1667030
[ 105.262078][ T4050] x23: 1fffe0001b5ae0bb x22: ffff0000d476603c x21: 0000000000000000
[ 105.264209][ T4050] x20: ffff0000d4766038 x19: ffff80001658e000 x18: 0000000000000001
[ 105.266407][ T4050] x17: 0000000000000000 x16: ffff8000083007ec x15: 00000000ffffffff
[ 105.268545][ T4050] x14: 0000000000ff0100 x13: 0000000000000001 x12: 0000000000ff0100
[ 105.270723][ T4050] x11: 0000000000000000 x10: 0000000000000000 x9 : 035a1f3a3647ba00
[ 105.272932][ T4050] x8 : 035a1f3a3647ba00 x7 : 0000000000000001 x6 : 0000000000000001
[ 105.275070][ T4050] x5 : ffff80001f566cd8 x4 : ffff80001422f280 x3 : ffff8000083008fc
[ 105.277224][ T4050] x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000026
[ 105.279479][ T4050] Call trace:
[ 105.280373][ T4050]  refcount_warn_saturate+0x154/0x1f8
[ 105.281778][ T4050]  kobject_put+0x19c/0x454
[ 105.282952][ T4050]  put_device+0x28/0x40
[ 105.284077][ T4050]  hdm_disconnect+0x16c/0x18c
[ 105.285374][ T4050]  usb_unbind_interface+0x1b8/0x750
[ 105.286793][ T4050]  device_release_driver_internal+0x3fc/0x63c
[ 105.288479][ T4050]  device_release_driver+0x28/0x38
[ 105.289899][ T4050]  bus_remove_device+0x294/0x388
[ 105.291244][ T4050]  device_del+0x568/0x964
[ 105.292435][ T4050]  usb_disable_device+0x33c/0x780
[ 105.293808][ T4050]  usb_disconnect+0x290/0x7d0
[ 105.295062][ T4050]  hub_event+0x14c8/0x4188
[ 105.296305][ T4050]  process_one_work+0x79c/0x1140
[ 105.297583][ T4050]  worker_thread+0x8f4/0x101c
[ 105.298896][ T4050]  kthread+0x374/0x454
[ 105.300047][ T4050]  ret_from_fork+0x10/0x20
[ 105.301264][ T4050] irq event stamp: 16802
[ 105.302397][ T4050] hardirqs last enabled at (16801): [] kasan_quarantine_put+0xc4/0x204
[ 105.305059][ T4050] hardirqs last disabled at (16802): [] _raw_spin_lock_irqsave+0xfc/0x14c
[ 105.307732][ T4050] softirqs last enabled at (16556): [] handle_softirqs+0xa4c/0xbf0
[ 105.310339][ T4050] softirqs last disabled at (16545): [] __irq_exit_rcu+0x240/0x440
[ 105.312826][ T4050] ---[ end trace 5e8c60a34d1e15ed ]---
[ 105.814405][ T136] device hsr_slave_0 left promiscuous mode
[ 105.870496][ T136] device hsr_slave_1 left promiscuous mode
[ 105.918977][ T4114] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 105.959608][ T136] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 105.961699][ T136] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 105.964003][ T136] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 105.966001][ T136] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 105.968361][ T136] device bridge_slave_1 left promiscuous mode
[ 105.970663][ T136] bridge0: port 2(bridge_slave_1) entered disabled state
[ 106.019627][ T136] device bridge_slave_0 left promiscuous mode
[ 106.021337][ T136] bridge0: port 1(bridge_slave_0) entered disabled state
[ 106.139080][ T136] device veth1_macvtap left promiscuous mode
[ 106.140712][ T136] device veth0_macvtap left promiscuous mode
[ 106.142435][ T136] device veth1_vlan left promiscuous mode
[ 106.143972][ T136] device veth0_vlan left promiscuous mode
[ 106.189303][ T4114] usb 1-1: Using ep0 maxpacket: 32
[ 106.270877][ T136] team0 (unregistering): Port device team_slave_1 removed
[ 106.276532][ T136] team0 (unregistering): Port device team_slave_0 removed
[ 106.283952][ T136] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 106.319009][ T4114] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 106.321240][ T4114] usb 1-1: config 0 has no interface number 0
[ 106.324661][ T136] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 106.419632][ T4118] Bluetooth: hci0: command 0x041b tx timeout
[ 106.432364][ T136] bond0 (unregistering): Released all slaves
[ 106.529029][ T4114] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 106.531441][ T4114] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 106.533547][ T4114] usb 1-1: Product: syz
[ 106.534614][ T4114] usb 1-1: Manufacturer: syz
[ 106.535824][ T4114] usb 1-1: SerialNumber: syz
[ 106.539692][ T4114] usb 1-1: config 0 descriptor??
[ 106.779755][ T4050] usb 1-1: USB disconnect, device number 3 1970/01/01 00:01:47 executed programs: 4 [ 107.559055][ T1535] usb 1-1: new high-speed USB device number 4 using dummy_hcd [ 107.798958][ T1535] usb 1-1: Using ep0 maxpacket: 32 [ 107.918979][ T1535] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 107.921237][ T1535] usb 1-1: config 0 has no interface number 0 [ 108.109754][ T1535] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 108.112261][ T1535] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 108.114401][ T1535] usb 1-1: Product: syz [ 108.115442][ T1535] usb 1-1: Manufacturer: syz [ 108.116664][ T1535] usb 1-1: SerialNumber: syz [ 108.124319][ T1535] usb 1-1: config 0 descriptor?? [ 108.359814][ T4582] usb 1-1: USB disconnect, device number 4 [ 108.499008][ T1535] Bluetooth: hci0: command 0x040f tx timeout [ 109.128974][ T1535] usb 1-1: new high-speed USB device number 5 using dummy_hcd [ 109.379074][ T1535] usb 1-1: Using ep0 maxpacket: 32 [ 109.499007][ T1535] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 109.501169][ T1535] usb 1-1: config 0 has no interface number 0 [ 109.659033][ T1535] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 109.661640][ T1535] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 109.663714][ T1535] usb 1-1: Product: syz [ 109.664808][ T1535] usb 1-1: Manufacturer: syz [ 109.666014][ T1535] usb 1-1: SerialNumber: syz [ 109.670148][ T1535] usb 1-1: config 0 descriptor?? 
[ 109.910504][ T1535] usb 1-1: USB disconnect, device number 5 [ 110.579046][ T1535] Bluetooth: hci0: command 0x0419 tx timeout [ 110.688957][ T4582] usb 1-1: new high-speed USB device number 6 using dummy_hcd [ 110.938978][ T4582] usb 1-1: Using ep0 maxpacket: 32 [ 111.069045][ T4582] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 111.071320][ T4582] usb 1-1: config 0 has no interface number 0 [ 111.229057][ T4582] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 111.231527][ T4582] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 111.233678][ T4582] usb 1-1: Product: syz [ 111.234788][ T4582] usb 1-1: Manufacturer: syz [ 111.236069][ T4582] usb 1-1: SerialNumber: syz [ 111.239447][ T4582] usb 1-1: config 0 descriptor?? [ 111.479840][ T4127] usb 1-1: USB disconnect, device number 6 [ 112.269016][ T4582] usb 1-1: new high-speed USB device number 7 using dummy_hcd [ 112.518981][ T4582] usb 1-1: Using ep0 maxpacket: 32 [ 112.638988][ T4582] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 112.641262][ T4582] usb 1-1: config 0 has no interface number 0 [ 112.799044][ T4582] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 112.801629][ T4582] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 112.803709][ T4582] usb 1-1: Product: syz [ 112.804826][ T4582] usb 1-1: Manufacturer: syz [ 112.805990][ T4582] usb 1-1: SerialNumber: syz [ 112.808619][ T4582] usb 1-1: config 0 descriptor?? 
[ 113.050495][ T4582] usb 1-1: USB disconnect, device number 7 1970/01/01 00:01:53 executed programs: 8 [ 113.828961][ T4127] usb 1-1: new high-speed USB device number 8 using dummy_hcd [ 114.078973][ T4127] usb 1-1: Using ep0 maxpacket: 32 [ 114.198975][ T4127] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 114.201346][ T4127] usb 1-1: config 0 has no interface number 0 [ 114.359121][ T4127] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 114.361676][ T4127] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 114.363916][ T4127] usb 1-1: Product: syz [ 114.365037][ T4127] usb 1-1: Manufacturer: syz [ 114.366285][ T4127] usb 1-1: SerialNumber: syz [ 114.369274][ T4127] usb 1-1: config 0 descriptor?? [ 114.609684][ T4127] usb 1-1: USB disconnect, device number 8