Warning: Permanently added '10.128.1.182' (ED25519) to the list of known hosts.
1970/01/01 00:01:06 parsed 1 programs
[ 67.989149][ T4454] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SSFS
[ 69.608986][ T2064] ieee802154 phy0 wpan0: encryption failed: -22
[ 69.610114][ T2064] ieee802154 phy1 wpan1: encryption failed: -22
[ 69.618669][ T3341] cfg80211: failed to load regulatory.db
[ 69.764720][ T789] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 69.766026][ T789] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 69.767433][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 69.781844][ T789] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 69.783051][ T789] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 69.784541][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 70.154019][ T4581] chnl_net:caif_netlink_parms(): no params data found
[ 70.171910][ T4581] bridge0: port 1(bridge_slave_0) entered blocking state
[ 70.173062][ T4581] bridge0: port 1(bridge_slave_0) entered disabled state
[ 70.174582][ T4581] device bridge_slave_0 entered promiscuous mode
[ 70.177013][ T4581] bridge0: port 2(bridge_slave_1) entered blocking state
[ 70.178442][ T4581] bridge0: port 2(bridge_slave_1) entered disabled state
[ 70.179874][ T4581] device bridge_slave_1 entered promiscuous mode
[ 70.187764][ T4581] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 70.190333][ T4581] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 70.198452][ T4581] team0: Port device team_slave_0 added
[ 70.200438][ T4581] team0: Port device team_slave_1 added
[ 70.206389][ T4581] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 70.207401][ T4581] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 70.211535][ T4581] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 70.213638][ T4581] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 70.214700][ T4581] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 70.219123][ T4581] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 70.279000][ T4581] device hsr_slave_0 entered promiscuous mode
[ 70.318126][ T4581] device hsr_slave_1 entered promiscuous mode
[ 70.884053][ T4581] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 70.929173][ T4581] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 70.959793][ T4581] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 71.019071][ T4581] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 71.077080][ T4581] 8021q: adding VLAN 0 to HW filter on device bond0
[ 71.084460][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 71.085873][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 71.089709][ T4581] 8021q: adding VLAN 0 to HW filter on device team0
[ 71.092232][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 71.093669][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 71.095027][ T148] bridge0: port 1(bridge_slave_0) entered blocking state
[ 71.096142][ T148] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 71.097453][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 71.101464][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 71.103011][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 71.104416][ T148] bridge0: port 2(bridge_slave_1) entered blocking state
[ 71.105478][ T148] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 71.110450][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 71.112270][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 71.123785][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 71.125936][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 71.127536][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 71.130239][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 71.131754][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 71.133272][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 71.134728][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 71.136080][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 71.137555][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 71.140653][ T4581] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 71.175939][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 71.177306][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 71.185069][ T4581] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 71.191262][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 71.192875][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 71.199123][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 71.200902][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 71.202424][ T4581] device veth0_vlan entered promiscuous mode
[ 71.203644][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 71.205100][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 71.208596][ T4581] device veth1_vlan entered promiscuous mode
[ 71.218683][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 71.220121][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 71.221575][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 71.222988][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 71.225749][ T4581] device veth0_macvtap entered promiscuous mode
[ 71.231255][ T4581] device veth1_macvtap entered promiscuous mode
[ 71.236233][ T4581] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 71.237441][ T361] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 71.239347][ T361] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 71.240817][ T361] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 71.242336][ T361] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 71.245140][ T4581] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 71.246331][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 71.247801][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 71.251532][ T4581] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 71.252870][ T4581] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 71.254256][ T4581] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 71.255613][ T4581] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
1970/01/01 00:01:11 executed programs: 0
[ 71.775080][ T4786] chnl_net:caif_netlink_parms(): no params data found
[ 71.793431][ T4786] bridge0: port 1(bridge_slave_0) entered blocking state
[ 71.794600][ T4786] bridge0: port 1(bridge_slave_0) entered disabled state
[ 71.796043][ T4786] device bridge_slave_0 entered promiscuous mode
[ 71.799398][ T4786] bridge0: port 2(bridge_slave_1) entered blocking state
[ 71.800401][ T4786] bridge0: port 2(bridge_slave_1) entered disabled state
[ 71.801852][ T4786] device bridge_slave_1 entered promiscuous mode
[ 71.810668][ T4786] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 71.813082][ T4786] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 71.821716][ T4786] team0: Port device team_slave_0 added
[ 71.823447][ T4786] team0: Port device team_slave_1 added
[ 71.830737][ T4786] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 71.831883][ T4786] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 71.836155][ T4786] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 71.839472][ T4786] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 71.840519][ T4786] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 71.844338][ T4786] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 71.889248][ T4786] device hsr_slave_0 entered promiscuous mode
[ 71.928235][ T4786] device hsr_slave_1 entered promiscuous mode
[ 71.968077][ T4786] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 71.969262][ T4786] Cannot create hsr debugfs directory
[ 72.008748][ T4786] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 73.768054][ T3341] Bluetooth: hci0: command 0x0409 tx timeout
[ 74.554504][ T4786] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 75.847921][ T4673] Bluetooth: hci0: command 0x041b tx timeout
[ 76.982048][ T4786] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 77.041980][ T4786] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 77.220723][ T4786] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 77.249508][ T4786] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 77.299606][ T4786] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 77.339184][ T4786] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 77.410134][ T4786] 8021q: adding VLAN 0 to HW filter on device bond0
[ 77.413836][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 77.415209][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 77.417636][ T4786] 8021q: adding VLAN 0 to HW filter on device team0
[ 77.432686][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 77.434244][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 77.435662][ T1644] bridge0: port 1(bridge_slave_0) entered blocking state
[ 77.436735][ T1644] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 77.439796][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 77.442308][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 77.443906][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 77.445584][ T1644] bridge0: port 2(bridge_slave_1) entered blocking state
[ 77.446676][ T1644] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 77.453090][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 77.455759][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 77.460278][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 77.462450][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 77.464593][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 77.465991][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 77.467621][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 77.470877][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 77.472335][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 77.475553][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 77.477089][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 77.481577][ T4786] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 77.516951][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 77.518366][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 77.521699][ T4786] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 77.527723][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 77.529485][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 77.535342][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 77.536734][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 77.538518][ T789] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 77.539913][ T789] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 77.542386][ T4786] device veth0_vlan entered promiscuous mode
[ 77.545571][ T4786] device veth1_vlan entered promiscuous mode
[ 77.552375][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 77.553755][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 77.555150][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 77.556584][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 77.559673][ T4786] device veth0_macvtap entered promiscuous mode
[ 77.562012][ T4786] device veth1_macvtap entered promiscuous mode
[ 77.566453][ T4786] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
[ 77.568899][ T4786] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 77.570907][ T4786] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 77.572162][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 77.573561][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 77.574969][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 77.576519][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 77.580143][ T4786] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
[ 77.581772][ T4786] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 77.584099][ T4786] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 77.585369][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 77.586877][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 77.589946][ T4786] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 77.591244][ T4786] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 77.592645][ T4786] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 77.593952][ T4786] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 77.612379][ T148] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 77.613588][ T148] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 77.615515][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 77.623869][ T148] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 77.625086][ T148] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 77.626657][ T1644] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
1970/01/01 00:01:17 executed programs: 2
[ 77.907951][ T4176] usb 1-1: new full-speed USB device number 2 using dummy_hcd
[ 77.928323][ T4175] Bluetooth: hci0: command 0x040f tx timeout
[ 78.227976][ T4176] usb 1-1: not running at top speed; connect to a high speed hub
[ 78.308180][ T4176] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 78.309464][ T4176] usb 1-1: config 8 has no interface number 0
[ 78.310351][ T4176] usb 1-1: config 8 interface 33 has no altsetting 0
[ 78.467972][ T4176] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 78.469498][ T4176] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 78.470702][ T4176] usb 1-1: Product: syz
[ 78.471379][ T4176] usb 1-1: Manufacturer: syz
[ 78.472092][ T4176] usb 1-1: SerialNumber: syz
[ 78.791796][ T4176] usb 1-1: USB disconnect, device number 2
[ 78.794562][ T4176] ==================================================================
[ 78.795862][ T4176] BUG: KASAN: use-after-free in hdm_disconnect+0xf4/0x18c
[ 78.796884][ T4176] Read of size 8 at addr ffff0000e97cd978 by task kworker/1:19/4176
[ 78.798089][ T4176]
[ 78.798441][ T4176] CPU: 1 PID: 4176 Comm: kworker/1:19 Not tainted syzkaller #0
[ 78.799583][ T4176] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
[ 78.801035][ T4176] Workqueue: usb_hub_wq hub_event
[ 78.801812][ T4176] Call trace:
[ 78.802310][ T4176] dump_backtrace+0x0/0x43c
[ 78.803030][ T4176] show_stack+0x2c/0x3c
[ 78.803697][ T4176] __dump_stack+0x30/0x40
[ 78.804376][ T4176] dump_stack_lvl+0xf8/0x160
[ 78.805137][ T4176] print_address_description+0x78/0x30c
[ 78.806011][ T4176] kasan_report+0xec/0x15c
[ 78.806735][ T4176] __asan_report_load8_noabort+0x44/0x50
[ 78.807625][ T4176] hdm_disconnect+0xf4/0x18c
[ 78.808312][ T4176] usb_unbind_interface+0x1b8/0x750
[ 78.809123][ T4176] device_release_driver_internal+0x3fc/0x63c
[ 78.810075][ T4176] device_release_driver+0x28/0x38
[ 78.810887][ T4176] bus_remove_device+0x294/0x388
[ 78.811663][ T4176] device_del+0x568/0x964
[ 78.812377][ T4176] usb_disable_device+0x33c/0x780
[ 78.813176][ T4176] usb_disconnect+0x290/0x7d0
[ 78.813859][ T4176] hub_event+0x1610/0x42c0
[ 78.814579][ T4176] process_one_work+0x79c/0x1140
[ 78.815339][ T4176] worker_thread+0xb64/0x101c
[ 78.816123][ T4176] kthread+0x374/0x454
[ 78.816781][ T4176] ret_from_fork+0x10/0x20
[ 78.817518][ T4176]
[ 78.817906][ T4176] Allocated by task 4176:
[ 78.818604][ T4176] __kasan_kmalloc+0xb0/0xf0
[ 78.819331][ T4176] kmem_cache_alloc_trace+0x274/0x3fc
[ 78.820201][ T4176] hdm_probe+0x9c/0x1044
[ 78.820882][ T4176] usb_probe_interface+0x4fc/0x994
[ 78.821631][ T4176] really_probe+0x26c/0xaec
[ 78.822296][ T4176] __driver_probe_device+0x180/0x314
[ 78.823140][ T4176] driver_probe_device+0x78/0x34c
[ 78.823941][ T4176] __device_attach_driver+0x274/0x4c4
[ 78.824756][ T4176] bus_for_each_drv+0x150/0x1d8
[ 78.825585][ T4176] __device_attach+0x2a8/0x3d4
[ 78.826380][ T4176] device_initial_probe+0x24/0x34
[ 78.827155][ T4176] bus_probe_device+0xbc/0x1c4
[ 78.827956][ T4176] device_add+0xb04/0xf94
[ 78.828670][ T4176] usb_set_configuration+0x15b8/0x1b2c
[ 78.829553][ T4176] usb_generic_driver_probe+0x8c/0x144
[ 78.830339][ T4176] usb_probe_device+0x120/0x25c
[ 78.831036][ T4176] really_probe+0x26c/0xaec
[ 78.831657][ T4176] __driver_probe_device+0x180/0x314
[ 78.832524][ T4176] driver_probe_device+0x78/0x34c
[ 78.833321][ T4176] __device_attach_driver+0x274/0x4c4
[ 78.834190][ T4176] bus_for_each_drv+0x150/0x1d8
[ 78.834959][ T4176] __device_attach+0x2a8/0x3d4
[ 78.835688][ T4176] device_initial_probe+0x24/0x34
[ 78.836477][ T4176] bus_probe_device+0xbc/0x1c4
[ 78.837212][ T4176] device_add+0xb04/0xf94
[ 78.837863][ T4176] usb_new_device+0x7ec/0x1164
[ 78.838571][ T4176] hub_event+0x2240/0x42c0
[ 78.839239][ T4176] process_one_work+0x79c/0x1140
[ 78.840047][ T4176] worker_thread+0x8f4/0x101c
[ 78.840786][ T4176] kthread+0x374/0x454
[ 78.841412][ T4176] ret_from_fork+0x10/0x20
[ 78.842042][ T4176]
[ 78.842371][ T4176] Freed by task 4176:
[ 78.842975][ T4176] kasan_set_track+0x4c/0x84
[ 78.843683][ T4176] kasan_set_free_info+0x28/0x4c
[ 78.844452][ T4176] ____kasan_slab_free+0x118/0x164
[ 78.845286][ T4176] __kasan_slab_free+0x18/0x28
[ 78.846062][ T4176] slab_free_freelist_hook+0x128/0x1e8
[ 78.846978][ T4176] kfree+0x170/0x40c
[ 78.847607][ T4176] release_mdev+0x20/0x30
[ 78.848290][ T4176] device_release+0x8c/0x1ac
[ 78.848955][ T4176] kobject_put+0x2cc/0x454
[ 78.849661][ T4176] device_unregister+0x3c/0xcc
[ 78.850375][ T4176] most_deregister_interface+0x3e0/0x42c
[ 78.851209][ T4176] hdm_disconnect+0xdc/0x18c
[ 78.851899][ T4176] usb_unbind_interface+0x1b8/0x750
[ 78.852680][ T4176] device_release_driver_internal+0x3fc/0x63c
[ 78.853623][ T4176] device_release_driver+0x28/0x38
[ 78.854486][ T4176] bus_remove_device+0x294/0x388
[ 78.855247][ T4176] device_del+0x568/0x964
[ 78.855922][ T4176] usb_disable_device+0x33c/0x780
[ 78.856700][ T4176] usb_disconnect+0x290/0x7d0
[ 78.857472][ T4176] hub_event+0x1610/0x42c0
[ 78.858166][ T4176] process_one_work+0x79c/0x1140
[ 78.858982][ T4176] worker_thread+0xb64/0x101c
[ 78.859766][ T4176] kthread+0x374/0x454
[ 78.860443][ T4176] ret_from_fork+0x10/0x20
[ 78.861141][ T4176]
[ 78.861489][ T4176] The buggy address belongs to the object at ffff0000e97cc000
[ 78.861489][ T4176] which belongs to the cache kmalloc-8k of size 8192
[ 78.863790][ T4176] The buggy address is located 6520 bytes inside of
[ 78.863790][ T4176] 8192-byte region [ffff0000e97cc000, ffff0000e97ce000)
[ 78.865638][ T4176] The buggy address belongs to the page:
[ 78.866502][ T4176] page:00000000ca5ca92c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1297c8
[ 78.868109][ T4176] head:00000000ca5ca92c order:3 compound_mapcount:0 compound_pincount:0
[ 78.869396][ T4176] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 78.870696][ T4176] raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002c00
[ 78.872042][ T4176] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 78.873339][ T4176] page dumped because: kasan: bad access detected
[ 78.874396][ T4176]
[ 78.874766][ T4176] Memory state around the buggy address:
[ 78.875709][ T4176] ffff0000e97cd800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.877100][ T4176] ffff0000e97cd880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.878319][ T4176] >ffff0000e97cd900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.879665][ T4176] ^
[ 78.880873][ T4176] ffff0000e97cd980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.882239][ T4176] ffff0000e97cda00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.883540][ T4176] ==================================================================
[ 78.884789][ T4176] Disabling lock debugging due to kernel taint
[ 78.886026][ T4176] ------------[ cut here ]------------
[ 78.886838][ T4176] refcount_t: underflow; use-after-free.
[ 78.887808][ T4176] WARNING: CPU: 1 PID: 4176 at lib/refcount.c:28 refcount_warn_saturate+0x154/0x1f8
[ 78.889240][ T4176] Modules linked in:
[ 78.889823][ T4176] CPU: 1 PID: 4176 Comm: kworker/1:19 Tainted: G B syzkaller #0
[ 78.891137][ T4176] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
[ 78.892641][ T4176] Workqueue: usb_hub_wq hub_event
[ 78.893382][ T4176] pstate: 62400005 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
[ 78.894424][ T4176] pc : refcount_warn_saturate+0x154/0x1f8
[ 78.895205][ T4176] lr : refcount_warn_saturate+0x154/0x1f8
[ 78.896030][ T4176] sp : ffff8000205973e0
[ 78.896617][ T4176] x29: ffff8000205973e0 x28: ffff8000160ca660 x27: 1fffe0001dc11a00
[ 78.897870][ T4176] x26: 1fffe0001dc11a07 x25: dfff800000000000 x24: ffff0000ebbb8030
[ 78.899164][ T4176] x23: 1fffe0001d2f98bb x22: ffff0000ee08d03c x21: 0000000000000000
[ 78.900445][ T4176] x20: ffff0000ee08d038 x19: ffff8000165c5000 x18: 0000000000000001
[ 78.901708][ T4176] x17: 0000000000000000 x16: ffff800008302168 x15: 00000000ffffffff
[ 78.903022][ T4176] x14: 0000000000ff0100 x13: 0000000000000001 x12: 0000000000ff0100
[ 78.904236][ T4176] x11: 0000000000000000 x10: 0000000000000000 x9 : 94b48f0964367f00
[ 78.905433][ T4176] x8 : 94b48f0964367f00 x7 : 0000000000000001 x6 : 0000000000000001
[ 78.906677][ T4176] x5 : ffff800020596cd8 x4 : ffff80001425f420 x3 : ffff800008302278
[ 78.907827][ T4176] x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000026
[ 78.909126][ T4176] Call trace:
[ 78.909679][ T4176] refcount_warn_saturate+0x154/0x1f8
[ 78.910547][ T4176] kobject_put+0x19c/0x454
[ 78.911213][ T4176] put_device+0x28/0x40
[ 78.911828][ T4176] hdm_disconnect+0x16c/0x18c
[ 78.912527][ T4176] usb_unbind_interface+0x1b8/0x750
[ 78.913277][ T4176] device_release_driver_internal+0x3fc/0x63c
[ 78.914167][ T4176] device_release_driver+0x28/0x38
[ 78.914905][ T4176] bus_remove_device+0x294/0x388
[ 78.915727][ T4176] device_del+0x568/0x964
[ 78.916439][ T4176] usb_disable_device+0x33c/0x780
[ 78.917301][ T4176] usb_disconnect+0x290/0x7d0
[ 78.918084][ T4176] hub_event+0x1610/0x42c0
[ 78.918825][ T4176] process_one_work+0x79c/0x1140
[ 78.919636][ T4176] worker_thread+0xb64/0x101c
[ 78.920373][ T4176] kthread+0x374/0x454
[ 78.920981][ T4176] ret_from_fork+0x10/0x20
[ 78.921642][ T4176] irq event stamp: 8572
[ 78.922238][ T4176] hardirqs last enabled at (8571): [] kasan_quarantine_put+0xc4/0x204
[ 78.923856][ T4176] hardirqs last disabled at (8572): [] _raw_spin_lock_irqsave+0xfc/0x14c
[ 78.925440][ T4176] softirqs last enabled at (4300): [] handle_softirqs+0xa4c/0xbf0
[ 78.926942][ T4176] softirqs last disabled at (4281): [] do_softirq+0xfc/0x1b0
[ 78.928332][ T4176] ---[ end trace 16994227bfd4f747 ]---
[ 79.557910][ T4681] usb 1-1: new full-speed USB device number 3 using dummy_hcd
[ 79.769367][ T136] device hsr_slave_0 left promiscuous mode
[ 79.808102][ T136] device hsr_slave_1 left promiscuous mode
[ 79.877933][ T4681] usb 1-1: not running at top speed; connect to a high speed hub
[ 79.897954][ T136] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 79.899128][ T136] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 79.900476][ T136] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 79.901528][ T136] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 79.902727][ T136] device bridge_slave_1 left promiscuous mode
[ 79.903638][ T136] bridge0: port 2(bridge_slave_1) entered disabled state
[ 79.938799][ T136] device bridge_slave_0 left promiscuous mode
[ 79.939805][ T136] bridge0: port 1(bridge_slave_0) entered disabled state
[ 79.958042][ T4681] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 79.959212][ T4681] usb 1-1: config 8 has no interface number 0
[ 79.960092][ T4681] usb 1-1: config 8 interface 33 has no altsetting 0
[ 80.008105][ T4175] Bluetooth: hci0: command 0x0419 tx timeout
[ 80.078089][ T136] device veth1_macvtap left promiscuous mode
[ 80.079028][ T136] device veth0_macvtap left promiscuous mode
[ 80.079931][ T136] device veth1_vlan left promiscuous mode
[ 80.080794][ T136] device veth0_vlan left promiscuous mode
[ 80.117998][ T4681] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 80.119255][ T4681] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 80.120471][ T4681] usb 1-1: Product: syz
[ 80.121078][ T4681] usb 1-1: Manufacturer: syz
[ 80.121717][ T4681] usb 1-1: SerialNumber: syz
[ 80.150643][ T136] team0 (unregistering): Port device team_slave_1 removed
[ 80.153804][ T136] team0 (unregistering): Port device team_slave_0 removed
[ 80.156799][ T136] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 80.181696][ T136] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 80.270416][ T136] bond0 (unregistering): Released all slaves
[ 80.449648][ T4681] usb 1-1: USB disconnect, device number 3
[ 81.157921][ T4673] usb 1-1: new full-speed USB device number 4 using dummy_hcd
[ 81.497917][ T4673] usb 1-1: not running at top speed; connect to a high speed hub
[ 81.577938][ T4673] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 81.579191][ T4673] usb 1-1: config 8 has no interface number 0
[ 81.580085][ T4673] usb 1-1: config 8 interface 33 has no altsetting 0
[ 81.777969][ T4673] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 81.779456][ T4673] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 81.780689][ T4673] usb 1-1: Product: syz
[ 81.781285][ T4673] usb 1-1: Manufacturer: syz
[ 81.782031][ T4673] usb 1-1: SerialNumber: syz
[ 82.089547][ T4673] usb 1-1: USB disconnect, device number 4
[ 82.787911][ T4673] usb 1-1: new full-speed USB device number 5 using dummy_hcd
[ 83.117917][ T4673] usb 1-1: not running at top speed; connect to a high speed hub
[ 83.197967][ T4673] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 83.199175][ T4673] usb 1-1: config 8 has no interface number 0
[ 83.200038][ T4673] usb 1-1: config 8 interface 33 has no altsetting 0
[ 83.367956][ T4673] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 83.369236][ T4673] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 83.370565][ T4673] usb 1-1: Product: syz
[ 83.371272][ T4673] usb 1-1: Manufacturer: syz
[ 83.372145][ T4673] usb 1-1: SerialNumber: syz
[ 83.691172][ T4673] usb 1-1: USB disconnect, device number 5
1970/01/01 00:01:24 executed programs: 6
[ 84.387896][ T4183] usb 1-1: new full-speed USB device number 6 using dummy_hcd
[ 84.707916][ T4183] usb 1-1: not running at top speed; connect to a high speed hub
[ 84.787909][ T4183] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 84.789160][ T4183] usb 1-1: config 8 has no interface number 0
[ 84.790091][ T4183] usb 1-1: config 8 interface 33 has no altsetting 0
[ 84.947920][ T4183] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 84.949413][ T4183] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 84.950722][ T4183] usb 1-1: Product: syz
[ 84.951359][ T4183] usb 1-1: Manufacturer: syz
[ 84.952056][ T4183] usb 1-1: SerialNumber: syz
[ 85.271945][ T4183] usb 1-1: USB disconnect, device number 6
[ 85.957910][ T4673] usb 1-1: new full-speed USB device number 7 using dummy_hcd
[ 86.277918][ T4673] usb 1-1: not running at top speed; connect to a high speed hub
[ 86.357929][ T4673] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 86.358998][ T4673] usb 1-1: config 8 has no interface number 0
[ 86.359939][ T4673] usb 1-1: config 8 interface 33 has no altsetting 0
[ 86.527992][ T4673] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 86.529361][ T4673] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 86.530484][ T4673] usb 1-1: Product: syz
[ 86.531040][ T4673] usb 1-1: Manufacturer: syz
[ 86.531684][ T4673] usb 1-1: SerialNumber: syz
[ 86.851216][ T4673] usb 1-1: USB disconnect, device number 7
[ 87.537925][ T4175] usb 1-1: new full-speed USB device number 8 using dummy_hcd
[ 87.888163][ T4175] usb 1-1: not running at top speed; connect to a high speed hub
[ 87.967981][ T4175] usb 1-1: config 8 has an invalid interface number: 33 but max is 0
[ 87.969237][ T4175] usb 1-1: config 8 has no interface number 0
[ 87.970134][ T4175] usb 1-1: config 8 interface 33 has no altsetting 0
[ 88.127942][ T4175] usb 1-1: New USB device found, idVendor=0424, idProduct=cf18, bcdDevice=56.06
[ 88.129334][ T4175] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 88.130533][ T4175] usb 1-1: Product: syz
[ 88.131139][ T4175] usb 1-1: Manufacturer: syz
[ 88.131836][ T4175] usb 1-1: SerialNumber: syz
[ 88.450449][ T4175] usb 1-1: USB disconnect, device number 8