Warning: Permanently added '10.128.0.183' (ED25519) to the list of known hosts.
1970/01/01 00:01:20 ignoring optional flag "sandboxArg"="0"
1970/01/01 00:01:20 ignoring optional flag "type"="gce"
1970/01/01 00:01:21 parsed 1 programs
[ 83.694598][ T4409] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SSFS
[ 93.149849][ T427] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 93.151670][ T427] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 93.154416][ T1696] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 93.164267][ T427] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 93.166133][ T427] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 93.168226][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 93.618533][ T4469] chnl_net:caif_netlink_parms(): no params data found
[ 93.650347][ T4469] bridge0: port 1(bridge_slave_0) entered blocking state
[ 93.652082][ T4469] bridge0: port 1(bridge_slave_0) entered disabled state
[ 93.654387][ T4469] device bridge_slave_0 entered promiscuous mode
[ 93.657807][ T4469] bridge0: port 2(bridge_slave_1) entered blocking state
[ 93.661098][ T4469] bridge0: port 2(bridge_slave_1) entered disabled state
[ 93.663371][ T4469] device bridge_slave_1 entered promiscuous mode
[ 93.677676][ T4469] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 93.684236][ T4469] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 93.698007][ T4469] team0: Port device team_slave_0 added
[ 93.702401][ T4469] team0: Port device team_slave_1 added
[ 93.714693][ T4469] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 93.716463][ T4469] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 93.721997][ T4469] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 93.725448][ T4469] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 93.727060][ T4469] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 93.733027][ T4469] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 93.790563][ T4469] device hsr_slave_0 entered promiscuous mode
[ 93.828984][ T4469] device hsr_slave_1 entered promiscuous mode
[ 94.650988][ T4469] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 94.672279][ T4469] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 94.701052][ T4469] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 94.741712][ T4469] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 94.865011][ T4469] 8021q: adding VLAN 0 to HW filter on device bond0
[ 94.871573][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 94.873802][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 94.877701][ T4469] 8021q: adding VLAN 0 to HW filter on device team0
[ 94.885188][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 94.887591][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 94.890159][ T136] bridge0: port 1(bridge_slave_0) entered blocking state
[ 94.891724][ T136] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 94.893594][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 94.895859][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 94.898236][ T136] bridge0: port 2(bridge_slave_1) entered blocking state
[ 94.899763][ T136] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 94.904396][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 94.916266][ T1696] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 94.919215][ T1696] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 94.921501][ T1696] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 94.926025][ T1696] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 94.934866][ T1696] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 94.936989][ T1696] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 94.943207][ T1696] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 94.945976][ T1696] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 94.948115][ T1696] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 94.954820][ T4469] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 94.957585][ T4469] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 94.961869][ T1696] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 94.964506][ T1696] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 95.035550][ T4469] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 95.040109][ T1696] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 95.041884][ T1696] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 95.053149][ T1696] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 95.055243][ T1696] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 95.071030][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 95.073102][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 95.075560][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 95.077844][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 95.083703][ T4469] device veth0_vlan entered promiscuous mode
[ 95.089490][ T4469] device veth1_vlan entered promiscuous mode
[ 95.104554][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 95.106674][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 95.109374][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 95.112001][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 95.116196][ T4469] device veth0_macvtap entered promiscuous mode
[ 95.121105][ T4469] device veth1_macvtap entered promiscuous mode
[ 95.131907][ T4469] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 95.133465][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 95.135496][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 95.137494][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 95.144022][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 95.149052][ T4469] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 95.151844][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 95.154290][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 95.159053][ T4469] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 95.161160][ T4469] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 95.163020][ T4469] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 95.164784][ T4469] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
1970/01/01 00:01:35 executed programs: 0
[ 95.553787][ T4586] chnl_net:caif_netlink_parms(): no params data found
[ 95.587062][ T4586] bridge0: port 1(bridge_slave_0) entered blocking state
[ 95.591312][ T4586] bridge0: port 1(bridge_slave_0) entered disabled state
[ 95.593530][ T4586] device bridge_slave_0 entered promiscuous mode
[ 95.596498][ T4586] bridge0: port 2(bridge_slave_1) entered blocking state
[ 95.597974][ T4586] bridge0: port 2(bridge_slave_1) entered disabled state
[ 95.600653][ T4586] device bridge_slave_1 entered promiscuous mode
[ 95.615178][ T4586] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 95.622032][ T4586] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 95.636309][ T4586] team0: Port device team_slave_0 added
[ 95.642443][ T4586] team0: Port device team_slave_1 added
[ 95.654583][ T4586] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 95.655972][ T4586] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 95.661739][ T4586] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 95.665043][ T4586] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 95.666628][ T4586] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 95.672335][ T4586] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 95.720578][ T4586] device hsr_slave_0 entered promiscuous mode
[ 95.741410][ T4586] device hsr_slave_1 entered promiscuous mode
[ 95.778882][ T4586] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 95.780493][ T4586] Cannot create hsr debugfs directory
[ 95.834554][ T4586] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 97.539458][ T4528] Bluetooth: hci0: command 0x0409 tx timeout
[ 98.317804][ T4586] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 99.608881][ T4045] Bluetooth: hci0: command 0x041b tx timeout
[ 101.007252][ T4586] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 101.055892][ T4586] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 101.197959][ T4586] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 101.231515][ T4586] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 101.280942][ T4586] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 101.347675][ T4586] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 101.422974][ T4586] 8021q: adding VLAN 0 to HW filter on device bond0
[ 101.430243][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 101.432312][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 101.437237][ T4586] 8021q: adding VLAN 0 to HW filter on device team0
[ 101.442795][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 101.445281][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 101.447475][ T427] bridge0: port 1(bridge_slave_0) entered blocking state
[ 101.448999][ T427] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 101.455329][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 101.457435][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 101.461004][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 101.463161][ T427] bridge0: port 2(bridge_slave_1) entered blocking state
[ 101.464627][ T427] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 101.480906][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 101.483117][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 101.485514][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 101.487916][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 101.494964][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 101.497346][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 101.500333][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 101.502705][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 101.504837][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 101.507151][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 101.514995][ T4586] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 101.530850][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 101.586671][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 101.588407][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 101.595901][ T4586] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 101.608019][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 101.611476][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 101.623690][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 101.625986][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 101.640947][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 101.643644][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 101.647669][ T4586] device veth0_vlan entered promiscuous mode
[ 101.655688][ T4586] device veth1_vlan entered promiscuous mode
[ 101.681795][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 101.683976][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 101.686032][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 101.688245][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 101.695977][ T4586] device veth0_macvtap entered promiscuous mode
[ 101.699112][ T4112] Bluetooth: hci0: command 0x040f tx timeout
[ 101.700559][ T4586] device veth1_macvtap entered promiscuous mode
[ 101.720774][ T4586] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
[ 101.723021][ T4586] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 101.726019][ T4586] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 101.729536][ T4586] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
[ 101.731929][ T4586] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 101.734933][ T4586] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 101.738486][ T4586] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 101.741798][ T4586] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 101.743539][ T4586] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 101.745480][ T4586] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 101.755327][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 101.757366][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 101.760468][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 101.762535][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 101.764731][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 101.766917][ T427] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 101.817363][ T136] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 101.819594][ T136] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 101.822254][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 101.838441][ T136] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 101.840496][ T136] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 101.843097][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
1970/01/01 00:01:41 executed programs: 2
[ 102.148844][ T4101] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 102.388718][ T4101] usb 1-1: Using ep0 maxpacket: 32
[ 102.528866][ T4101] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 102.530805][ T4101] usb 1-1: config 0 has no interface number 0
[ 102.631489][ T579] device hsr_slave_0 left promiscuous mode
[ 102.669123][ T579] device hsr_slave_1 left promiscuous mode
[ 102.688805][ T4101] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 102.690723][ T4101] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 102.692240][ T4101] usb 1-1: Product: syz
[ 102.693148][ T4101] usb 1-1: Manufacturer: syz
[ 102.694105][ T4101] usb 1-1: SerialNumber: syz
[ 102.699975][ T4101] usb 1-1: config 0 descriptor??
[ 102.758780][ T579] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 102.760512][ T579] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 102.762613][ T579] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 102.764160][ T579] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 102.766061][ T579] device bridge_slave_1 left promiscuous mode
[ 102.767489][ T579] bridge0: port 2(bridge_slave_1) entered disabled state
[ 102.799688][ T579] device bridge_slave_0 left promiscuous mode
[ 102.801468][ T579] bridge0: port 1(bridge_slave_0) entered disabled state
[ 102.938909][ T579] device veth1_macvtap left promiscuous mode
[ 102.940261][ T579] device veth0_macvtap left promiscuous mode
[ 102.941665][ T579] device veth1_vlan left promiscuous mode
[ 102.943205][ T579] device veth0_vlan left promiscuous mode
[ 102.955443][ T4114] usb 1-1: USB disconnect, device number 2
[ 102.964326][ T4114] ==================================================================
[ 102.966082][ T4114] BUG: KASAN: use-after-free in hdm_disconnect+0xf8/0x190
[ 102.967594][ T4114] Read of size 8 at addr ffff0000cbadd978 by task kworker/1:14/4114
[ 102.969105][ T4114]
[ 102.969640][ T4114] CPU: 1 PID: 4114 Comm: kworker/1:14 Not tainted 5.15.167-syzkaller #0
[ 102.971568][ T4114] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[ 102.973681][ T4114] Workqueue: usb_hub_wq hub_event
[ 102.974824][ T4114] Call trace:
[ 102.975546][ T4114] dump_backtrace+0x0/0x530
[ 102.976538][ T4114] show_stack+0x2c/0x3c
[ 102.977414][ T4114] dump_stack_lvl+0x108/0x170
[ 102.978395][ T4114] print_address_description+0x7c/0x3f0
[ 102.979681][ T4114] kasan_report+0x174/0x1e4
[ 102.980643][ T4114] __asan_report_load8_noabort+0x44/0x50
[ 102.981821][ T4114] hdm_disconnect+0xf8/0x190
[ 102.982696][ T4114] usb_unbind_interface+0x1a4/0x758
[ 102.983719][ T4114] device_release_driver_internal+0x464/0x6ac
[ 102.984968][ T4114] device_release_driver+0x28/0x38
[ 102.986030][ T4114] bus_remove_device+0x298/0x38c
[ 102.987109][ T4114] device_del+0x57c/0x9b4
[ 102.988104][ T4114] usb_disable_device+0x354/0x760
[ 102.989260][ T4114] usb_disconnect+0x290/0x7e8
[ 102.990223][ T4114] hub_event+0x1718/0x46b8
[ 102.991154][ T4114] process_one_work+0x790/0x11b8
[ 102.992261][ T4114] worker_thread+0x910/0x1034
[ 102.993342][ T4114] kthread+0x37c/0x45c
[ 102.994274][ T4114] ret_from_fork+0x10/0x20
[ 102.995272][ T4114]
[ 102.995753][ T4114] Allocated by task 4101:
[ 102.996603][ T4114] ____kasan_kmalloc+0xbc/0xfc
[ 102.997659][ T4114] __kasan_kmalloc+0x10/0x1c
[ 102.998629][ T4114] kmem_cache_alloc_trace+0x27c/0x47c
[ 102.999717][ T4114] hdm_probe+0xa4/0x1044
[ 103.000570][ T4114] usb_probe_interface+0x500/0x984
[ 103.001697][ T4114] really_probe+0x26c/0xaec
[ 103.002768][ T4114] __driver_probe_device+0x194/0x3b4
[ 103.003815][ T4114] driver_probe_device+0x78/0x34c
[ 103.004916][ T4114] __device_attach_driver+0x28c/0x4d8
[ 103.006036][ T4114] bus_for_each_drv+0x158/0x1e0
[ 103.007102][ T4114] __device_attach+0x2f0/0x480
[ 103.008053][ T4114] device_initial_probe+0x24/0x34
[ 103.009147][ T4114] bus_probe_device+0xbc/0x1c8
[ 103.010304][ T4114] device_add+0xae0/0xef4
[ 103.011192][ T4114] usb_set_configuration+0x15e0/0x1b60
[ 103.012425][ T4114] usb_generic_driver_probe+0x8c/0x148
[ 103.013590][ T4114] usb_probe_device+0x120/0x25c
[ 103.014674][ T4114] really_probe+0x26c/0xaec
[ 103.015580][ T4114] __driver_probe_device+0x194/0x3b4
[ 103.016755][ T4114] driver_probe_device+0x78/0x34c
[ 103.017832][ T4114] __device_attach_driver+0x28c/0x4d8
[ 103.018953][ T4114] bus_for_each_drv+0x158/0x1e0
[ 103.020107][ T4114] __device_attach+0x2f0/0x480
[ 103.021100][ T4114] device_initial_probe+0x24/0x34
[ 103.022123][ T4114] bus_probe_device+0xbc/0x1c8
[ 103.023198][ T4114] device_add+0xae0/0xef4
[ 103.024131][ T4114] usb_new_device+0x900/0x145c
[ 103.025164][ T4114] hub_event+0x236c/0x46b8
[ 103.026039][ T4114] process_one_work+0x790/0x11b8
[ 103.027058][ T4114] worker_thread+0x910/0x1034
[ 103.028105][ T4114] kthread+0x37c/0x45c
[ 103.028976][ T4114] ret_from_fork+0x10/0x20
[ 103.029932][ T4114]
[ 103.030429][ T4114] Freed by task 4114:
[ 103.031259][ T4114] kasan_set_track+0x4c/0x84
[ 103.032314][ T4114] kasan_set_free_info+0x28/0x4c
[ 103.033345][ T4114] ____kasan_slab_free+0x118/0x164
[ 103.034517][ T4114] __kasan_slab_free+0x18/0x28
[ 103.035512][ T4114] slab_free_freelist_hook+0x128/0x1ec
[ 103.036712][ T4114] kfree+0x178/0x410
[ 103.037601][ T4114] release_mdev+0x20/0x30
[ 103.038554][ T4114] device_release+0x8c/0x1ac
[ 103.039573][ T4114] kobject_put+0x2c4/0x438
[ 103.040588][ T4114] device_unregister+0x3c/0xcc
[ 103.041693][ T4114] most_deregister_interface+0x3e0/0x42c
[ 103.042947][ T4114] hdm_disconnect+0xe0/0x190
[ 103.043982][ T4114] usb_unbind_interface+0x1a4/0x758
[ 103.045053][ T4114] device_release_driver_internal+0x464/0x6ac
[ 103.046302][ T4114] device_release_driver+0x28/0x38
[ 103.047278][ T4114] bus_remove_device+0x298/0x38c
[ 103.048349][ T4114] device_del+0x57c/0x9b4
[ 103.049273][ T4114] usb_disable_device+0x354/0x760
[ 103.050338][ T4114] usb_disconnect+0x290/0x7e8
[ 103.051265][ T4114] hub_event+0x1718/0x46b8
[ 103.052198][ T4114] process_one_work+0x790/0x11b8
[ 103.053298][ T4114] worker_thread+0x910/0x1034
[ 103.054261][ T4114] kthread+0x37c/0x45c
[ 103.055030][ T4114] ret_from_fork+0x10/0x20
[ 103.055873][ T4114]
[ 103.056289][ T4114] The buggy address belongs to the object at ffff0000cbadc000
[ 103.056289][ T4114] which belongs to the cache kmalloc-8k of size 8192
[ 103.059293][ T4114] The buggy address is located 6520 bytes inside of
[ 103.059293][ T4114] 8192-byte region [ffff0000cbadc000, ffff0000cbade000)
[ 103.062074][ T4114] The buggy address belongs to the page:
[ 103.063126][ T4114] page:00000000ccaa4ea8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10bad8
[ 103.065527][ T4114] head:00000000ccaa4ea8 order:3 compound_mapcount:0 compound_pincount:0
[ 103.067261][ T4114] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 103.068975][ T4114] raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002c00
[ 103.070774][ T4114] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 103.072496][ T4114] page dumped because: kasan: bad access detected
[ 103.073874][ T4114]
[ 103.074343][ T4114] Memory state around the buggy address:
[ 103.075414][ T4114] ffff0000cbadd800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 103.077133][ T4114] ffff0000cbadd880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 103.078952][ T4114] >ffff0000cbadd900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 103.080916][ T4114] ^
[ 103.082807][ T4114] ffff0000cbadd980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 103.084553][ T4114] ffff0000cbadda00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 103.086384][ T4114] ==================================================================
[ 103.087926][ T4114] Disabling lock debugging due to kernel taint
[ 103.096882][ T4114] ------------[ cut here ]------------
[ 103.098121][ T4114] refcount_t: underflow; use-after-free.
[ 103.100288][ T4114] WARNING: CPU: 1 PID: 4114 at lib/refcount.c:28 refcount_warn_saturate+0x1c8/0x20c
[ 103.102432][ T4114] Modules linked in:
[ 103.103198][ T4114] CPU: 1 PID: 4114 Comm: kworker/1:14 Tainted: G B 5.15.167-syzkaller #0
[ 103.105245][ T4114] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[ 103.107475][ T4114] Workqueue: usb_hub_wq hub_event
[ 103.108434][ T4114] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 103.110096][ T4114] pc : refcount_warn_saturate+0x1c8/0x20c
[ 103.111477][ T4114] lr : refcount_warn_saturate+0x1c8/0x20c
[ 103.112822][ T4114] sp : ffff8000202f72f0
[ 103.113809][ T4114] x29: ffff8000202f72f0 x28: ffff800016a0e140 x27: ffff0000cbba0000
[ 103.115569][ T4114] x26: 1fffe00019517607 x25: dfff800000000000 x24: ffff0000ca8ba030
[ 103.117156][ T4114] x23: 1fffe0001975b8bb x22: ffff0000ca8bb03c x21: 0000000000000003
[ 103.118912][ T4114] x20: ffff0000ca8bb038 x19: ffff800016f0c000 x18: 1fffe00036835d8e
[ 103.120606][ T4114] x17: 1fffe00036835d8e x16: ffff800011ac23e0 x15: ffff800014b5ef40
[ 103.122330][ T4114] x14: ffff0001b41aec80 x13: ffff0001b41aec7c x12: 0000000000000001
[ 103.124039][ T4114] x11: 0000000000000000 x10: 0000000000000000 x9 : 40b944bd365bc800
[ 103.125892][ T4114] x8 : 40b944bd365bc800 x7 : 0000000000000000 x6 : ffff80000826acb8
[ 103.127577][ T4114] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff80000a987d1c
[ 103.129402][ T4114] x2 : ffff0001b41aed10 x1 : 0000000100000000 x0 : 0000000000000026
[ 103.131121][ T4114] Call trace:
[ 103.131803][ T4114] refcount_warn_saturate+0x1c8/0x20c
[ 103.132979][ T4114] kobject_put+0x1a8/0x438
[ 103.133991][ T4114] put_device+0x28/0x40
[ 103.134931][ T4114] hdm_disconnect+0x170/0x190
[ 103.135909][ T4114] usb_unbind_interface+0x1a4/0x758
[ 103.137041][ T4114] device_release_driver_internal+0x464/0x6ac
[ 103.138397][ T4114] device_release_driver+0x28/0x38
[ 103.139510][ T4114] bus_remove_device+0x298/0x38c
[ 103.140590][ T4114] device_del+0x57c/0x9b4
[ 103.141538][ T4114] usb_disable_device+0x354/0x760
[ 103.142633][ T4114] usb_disconnect+0x290/0x7e8
[ 103.143701][ T4114] hub_event+0x1718/0x46b8
[ 103.144647][ T4114] process_one_work+0x790/0x11b8
[ 103.145706][ T4114] worker_thread+0x910/0x1034
[ 103.146730][ T4114] kthread+0x37c/0x45c
[ 103.147604][ T4114] ret_from_fork+0x10/0x20
[ 103.148609][ T4114] irq event stamp: 73570
[ 103.149565][ T4114] hardirqs last enabled at (73569): [] kasan_quarantine_put+0xdc/0x204
[ 103.151921][ T4114] hardirqs last disabled at (73570): [] _raw_spin_lock_irqsave+0xfc/0x14c
[ 103.154098][ T4114] softirqs last enabled at (73328): [] handle_softirqs+0xb88/0xdbc
[ 103.156170][ T4114] softirqs last disabled at (73303): [] __irq_exit_rcu+0x268/0x4d8
[ 103.158276][ T4114] ---[ end trace c8433f9930f7a767 ]---
[ 103.215722][ T579] team0 (unregistering): Port device team_slave_1 removed
[ 103.221606][ T579] team0 (unregistering): Port device team_slave_0 removed
[ 103.226605][ T579] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 103.273057][ T579] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 103.412682][ T579] bond0 (unregistering): Released all slaves
[ 103.768724][ T4114] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 103.768731][ T1534] Bluetooth: hci0: command 0x0419 tx timeout
[ 104.008775][ T4114] usb 1-1: Using ep0 maxpacket: 32
[ 104.128777][ T4114] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 104.130652][ T4114] usb 1-1: config 0 has no interface number 0
[ 104.289866][ T4114] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 104.291837][ T4114] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 104.293502][ T4114] usb 1-1: Product: syz
[ 104.294294][ T4114] usb 1-1: Manufacturer: syz
[ 104.295281][ T4114] usb 1-1: SerialNumber: syz
[ 104.297729][ T4114] usb 1-1: config 0 descriptor??
[ 104.539575][ T4101] usb 1-1: USB disconnect, device number 3
[ 105.318718][ T4117] usb 1-1: new high-speed USB device number 4 using dummy_hcd
[ 105.558723][ T4117] usb 1-1: Using ep0 maxpacket: 32
[ 105.678707][ T4117] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 105.680456][ T4117] usb 1-1: config 0 has no interface number 0
[ 105.848912][ T4117] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 105.850917][ T4117] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 105.852576][ T4117] usb 1-1: Product: syz
[ 105.853480][ T4117] usb 1-1: Manufacturer: syz
[ 105.854434][ T4117] usb 1-1: SerialNumber: syz
[ 105.856938][ T4117] usb 1-1: config 0 descriptor??
[ 106.089527][ T1534] usb 1-1: USB disconnect, device number 4
[ 106.888767][ T4117] usb 1-1: new high-speed USB device number 5 using dummy_hcd
[ 107.128751][ T4117] usb 1-1: Using ep0 maxpacket: 32
[ 107.248803][ T4117] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 107.250638][ T4117] usb 1-1: config 0 has no interface number 0
[ 107.408898][ T4117] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 107.410990][ T4117] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 107.412659][ T4117] usb 1-1: Product: syz
[ 107.413474][ T4117] usb 1-1: Manufacturer: syz
[ 107.414480][ T4117] usb 1-1: SerialNumber: syz
[ 107.416997][ T4117] usb 1-1: config 0 descriptor??
[ 107.659726][ T4117] usb 1-1: USB disconnect, device number 5
1970/01/01 00:01:48 executed programs: 6
[ 108.438756][ T4117] usb 1-1: new high-speed USB device number 6 using dummy_hcd
[ 108.678715][ T4117] usb 1-1: Using ep0 maxpacket: 32
[ 108.829314][ T4117] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 108.830961][ T4117] usb 1-1: config 0 has no interface number 0
[ 108.988748][ T4117] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 108.990701][ T4117] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 108.992389][ T4117] usb 1-1: Product: syz
[ 108.993261][ T4117] usb 1-1: Manufacturer: syz
[ 108.994207][ T4117] usb 1-1: SerialNumber: syz
[ 108.997975][ T4117] usb 1-1: config 0 descriptor??
[ 109.239522][ T4117] usb 1-1: USB disconnect, device number 6
[ 110.028738][ T1534] usb 1-1: new high-speed USB device number 7 using dummy_hcd
[ 110.278708][ T1534] usb 1-1: Using ep0 maxpacket: 32
[ 110.398845][ T1534] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 110.400635][ T1534] usb 1-1: config 0 has no interface number 0
[ 110.558860][ T1534] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 110.560903][ T1534] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 110.562520][ T1534] usb 1-1: Product: syz
[ 110.563520][ T1534] usb 1-1: Manufacturer: syz
[ 110.564456][ T1534] usb 1-1: SerialNumber: syz
[ 110.567305][ T1534] usb 1-1: config 0 descriptor??
[ 110.800132][ T1534] usb 1-1: USB disconnect, device number 7
[ 111.588790][ T4100] usb 1-1: new high-speed USB device number 8 using dummy_hcd
[ 111.848814][ T4100] usb 1-1: Using ep0 maxpacket: 32
[ 111.968816][ T4100] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 111.970566][ T4100] usb 1-1: config 0 has no interface number 0
[ 112.128704][ T4100] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 112.130703][ T4100] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 112.132341][ T4100] usb 1-1: Product: syz
[ 112.133314][ T4100] usb 1-1: Manufacturer: syz
[ 112.134269][ T4100] usb 1-1: SerialNumber: syz
[ 112.137033][ T4100] usb 1-1: config 0 descriptor??
[ 112.370062][ T4100] usb 1-1: USB disconnect, device number 8