[ 74.766843][ T21] cfg80211: failed to load regulatory.db Warning: Permanently added '10.128.1.128' (ED25519) to the list of known hosts. 1970/01/01 00:01:18 ignoring optional flag "sandboxArg"="0" 1970/01/01 00:01:18 ignoring optional flag "type"="gce" 1970/01/01 00:01:18 parsed 1 programs [ 81.272701][ T4416] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SSFS [ 86.319036][ T338] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 86.321191][ T338] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 86.324062][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready [ 86.339297][ T338] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 86.341391][ T338] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 86.344235][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready [ 87.004603][ T4471] chnl_net:caif_netlink_parms(): no params data found [ 87.038812][ T4471] bridge0: port 1(bridge_slave_0) entered blocking state [ 87.040735][ T4471] bridge0: port 1(bridge_slave_0) entered disabled state [ 87.043277][ T4471] device bridge_slave_0 entered promiscuous mode [ 87.049004][ T4471] bridge0: port 2(bridge_slave_1) entered blocking state [ 87.050889][ T4471] bridge0: port 2(bridge_slave_1) entered disabled state [ 87.053368][ T4471] device bridge_slave_1 entered promiscuous mode [ 87.070707][ T4471] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 87.075104][ T4471] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 87.094336][ T4471] team0: Port device team_slave_0 added [ 87.097790][ T4471] team0: Port device team_slave_1 added [ 87.112852][ T4471] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 87.114551][ T4471] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. 
Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 87.121972][ T4471] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 87.127640][ T4471] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 87.129449][ T4471] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 87.136835][ T4471] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 87.238227][ T4471] device hsr_slave_0 entered promiscuous mode [ 87.275802][ T4471] device hsr_slave_1 entered promiscuous mode [ 88.108466][ T4471] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 88.164497][ T4471] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 88.197708][ T4471] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 88.247793][ T4471] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 88.352702][ T4471] 8021q: adding VLAN 0 to HW filter on device bond0 [ 88.361911][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 88.364462][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 88.369435][ T4471] 8021q: adding VLAN 0 to HW filter on device team0 [ 88.374159][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 88.378123][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 88.380697][ T148] bridge0: port 1(bridge_slave_0) entered blocking state [ 88.382559][ T148] bridge0: port 1(bridge_slave_0) entered forwarding state [ 88.385337][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 88.395904][ T1768] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 88.398661][ T1768] IPv6: 
ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 88.401049][ T1768] bridge0: port 2(bridge_slave_1) entered blocking state [ 88.402894][ T1768] bridge0: port 2(bridge_slave_1) entered forwarding state [ 88.405093][ T1768] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 88.411410][ T1768] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 88.419058][ T1768] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 88.422418][ T1768] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 88.425199][ T1768] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 88.431389][ T1768] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 88.434177][ T1768] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 88.444310][ T338] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 88.448309][ T338] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 88.450933][ T338] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 88.453369][ T338] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 88.458243][ T4471] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 88.534610][ T4471] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 88.540832][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 88.542864][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready [ 88.554848][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 88.558460][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 88.573120][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 88.576144][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 88.604542][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 88.609007][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 88.612280][ T4471] device veth0_vlan entered promiscuous 
mode [ 88.621058][ T4471] device veth1_vlan entered promiscuous mode [ 88.638911][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready [ 88.641466][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready [ 88.644038][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 88.650535][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 88.656040][ T4471] device veth0_macvtap entered promiscuous mode [ 88.660380][ T4471] device veth1_macvtap entered promiscuous mode [ 88.672180][ T4471] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 88.674138][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready [ 88.680300][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 88.684048][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 88.687838][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 88.693413][ T4471] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 88.698711][ T4471] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 88.701024][ T4471] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 88.703271][ T4471] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 88.706159][ T4471] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 88.709362][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 88.712177][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready 1970/01/01 00:01:29 executed programs: 0 [ 89.547173][ T4611] chnl_net:caif_netlink_parms(): no params data found [ 89.602182][ T4611] bridge0: port 1(bridge_slave_0) entered blocking state [ 89.604117][ T4611] bridge0: port 1(bridge_slave_0) entered disabled state [ 89.607102][ T4611] device bridge_slave_0 entered promiscuous mode [ 89.610600][ T4611] bridge0: port 2(bridge_slave_1) entered blocking state [ 89.612473][ 
T4611] bridge0: port 2(bridge_slave_1) entered disabled state [ 89.615097][ T4611] device bridge_slave_1 entered promiscuous mode [ 89.632229][ T4611] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 89.637712][ T4611] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 89.670068][ T4611] team0: Port device team_slave_0 added [ 89.673339][ T4611] team0: Port device team_slave_1 added [ 89.686370][ T4611] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 89.688158][ T4611] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 89.694488][ T4611] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 89.702753][ T4611] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 89.704469][ T4611] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 89.712220][ T4611] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 89.789874][ T4611] device hsr_slave_0 entered promiscuous mode [ 89.817243][ T4611] device hsr_slave_1 entered promiscuous mode [ 89.875625][ T4611] debugfs: Directory 'hsr0' with parent 'hsr' already present! 
[ 89.877547][ T4611] Cannot create hsr debugfs directory [ 89.941026][ T4611] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 91.396185][ T4099] Bluetooth: hci0: command 0x0409 tx timeout [ 93.051700][ T4611] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 93.475693][ T4113] Bluetooth: hci0: command 0x041b tx timeout [ 94.681177][ T4611] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 94.757088][ T4611] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 94.949047][ T4611] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 94.992689][ T4611] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 95.027752][ T4611] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 95.067811][ T4611] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 95.189733][ T4611] 8021q: adding VLAN 0 to HW filter on device bond0 [ 95.196739][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 95.199189][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 95.203782][ T4611] 8021q: adding VLAN 0 to HW filter on device team0 [ 95.210250][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 95.212936][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 95.216541][ T153] bridge0: port 1(bridge_slave_0) entered blocking state [ 95.218416][ T153] bridge0: port 1(bridge_slave_0) entered forwarding state [ 95.220725][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 95.239913][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 95.242514][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 95.245014][ T153] bridge0: port 2(bridge_slave_1) entered blocking state [ 95.247019][ T153] bridge0: port 2(bridge_slave_1) entered forwarding state [ 95.252327][ T153] IPv6: 
ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 95.257541][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 95.262409][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 95.268367][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 95.271082][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 95.277933][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 95.280847][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 95.297068][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 95.299699][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 95.302158][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 95.304651][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 95.309605][ T4611] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 95.384019][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 95.388106][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready [ 95.405275][ T4611] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 95.417386][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 95.420114][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 95.431393][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 95.433958][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 95.437059][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 95.439327][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 95.443943][ T4611] device veth0_vlan entered promiscuous mode [ 95.452949][ T4611] device veth1_vlan entered promiscuous mode [ 95.470606][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready [ 95.473111][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready [ 95.476212][ T148] 
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 95.479085][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 95.483815][ T4611] device veth0_macvtap entered promiscuous mode [ 95.488317][ T4611] device veth1_macvtap entered promiscuous mode [ 95.499811][ T4611] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 [ 95.502333][ T4611] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 95.506946][ T4611] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 95.522771][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready [ 95.525336][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 95.528794][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 95.531243][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 95.535268][ T4611] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 [ 95.538888][ T4611] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! 
[ 95.542250][ T4611] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 95.544535][ T338] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 95.547811][ T338] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 95.552852][ T4611] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 95.555082][ T4611] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 95.558121][ T4098] Bluetooth: hci0: command 0x040f tx timeout
[ 95.559872][ T4611] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 95.562237][ T4611] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 95.621197][ T338] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 95.623365][ T338] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 95.630207][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 95.641909][ T148] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 95.644043][ T148] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 95.647414][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
1970/01/01 00:01:35 executed programs: 2
[ 95.945698][ T4520] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 96.185537][ T4520] usb 1-1: Using ep0 maxpacket: 32
[ 96.279645][ T532] device hsr_slave_0 left promiscuous mode
[ 96.305909][ T4520] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 96.308261][ T4520] usb 1-1: config 0 has no interface number 0
[ 96.316382][ T532] device hsr_slave_1 left promiscuous mode
[ 96.415528][ T532] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 96.417704][ T532] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 96.420144][ T532] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 96.422152][ T532] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 96.424461][ T532] device bridge_slave_1 left promiscuous mode
[ 96.426442][ T532] bridge0: port 2(bridge_slave_1) entered disabled state
[ 96.465523][ T4520] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 96.467866][ T4520] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 96.469837][ T4520] usb 1-1: Product: syz
[ 96.470917][ T4520] usb 1-1: Manufacturer: syz
[ 96.472136][ T4520] usb 1-1: SerialNumber: syz
[ 96.477835][ T532] device bridge_slave_0 left promiscuous mode
[ 96.479223][ T4520] usb 1-1: config 0 descriptor??
[ 96.479500][ T532] bridge0: port 1(bridge_slave_0) entered disabled state
[ 96.615821][ T532] device veth1_macvtap left promiscuous mode
[ 96.617414][ T532] device veth0_macvtap left promiscuous mode
[ 96.619156][ T532] device veth1_vlan left promiscuous mode
[ 96.620729][ T532] device veth0_vlan left promiscuous mode
[ 96.720484][ T13] usb 1-1: USB disconnect, device number 2
[ 96.729672][ T13] ==================================================================
[ 96.731906][ T13] BUG: KASAN: use-after-free in hdm_disconnect+0xf8/0x190
[ 96.733825][ T13] Read of size 8 at addr ffff0000c2165978 by task kworker/0:1/13
[ 96.735931][ T13]
[ 96.736559][ T13] CPU: 0 PID: 13 Comm: kworker/0:1 Not tainted 5.15.174-syzkaller #0
[ 96.738792][ T13] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
[ 96.741603][ T13] Workqueue: usb_hub_wq hub_event
[ 96.742976][ T13] Call trace:
[ 96.743816][ T13] dump_backtrace+0x0/0x530
[ 96.745047][ T13] show_stack+0x2c/0x3c
[ 96.746158][ T13] dump_stack_lvl+0x108/0x170
[ 96.747384][ T13] print_address_description+0x7c/0x3f0
[ 96.748873][ T13] kasan_report+0x174/0x1e4
[ 96.750122][ T13] __asan_report_load8_noabort+0x44/0x50
[ 96.751589][ T13] hdm_disconnect+0xf8/0x190
[ 96.752801][ T13] usb_unbind_interface+0x1a4/0x758
[ 96.754217][ T13] device_release_driver_internal+0x464/0x6ac
[ 96.755829][ T13] device_release_driver+0x28/0x38
[ 96.757193][ T13] bus_remove_device+0x298/0x38c
[ 96.758470][ T13] device_del+0x57c/0x9b4
[ 96.759600][ T13] usb_disable_device+0x354/0x760
[ 96.760958][ T13] usb_disconnect+0x290/0x7e8
[ 96.762228][ T13] hub_event+0x1718/0x46b8
[ 96.763366][ T13] process_one_work+0x790/0x11b8
[ 96.764675][ T13] worker_thread+0x910/0x1034
[ 96.765943][ T13] kthread+0x37c/0x45c
[ 96.767035][ T13] ret_from_fork+0x10/0x20
[ 96.768200][ T13]
[ 96.768826][ T13] Allocated by task 4520:
[ 96.770020][ T13] ____kasan_kmalloc+0xbc/0xfc
[ 96.771256][ T13] __kasan_kmalloc+0x10/0x1c
[ 96.772491][ T13] kmem_cache_alloc_trace+0x27c/0x47c
[ 96.773944][ T13] hdm_probe+0xa4/0x1044
[ 96.775042][ T13] usb_probe_interface+0x500/0x984
[ 96.776457][ T13] really_probe+0x26c/0xaec
[ 96.777696][ T13] __driver_probe_device+0x194/0x3b4
[ 96.779137][ T13] driver_probe_device+0x78/0x34c
[ 96.780436][ T13] __device_attach_driver+0x28c/0x4d8
[ 96.781984][ T13] bus_for_each_drv+0x158/0x1e0
[ 96.783248][ T13] __device_attach+0x2f0/0x480
[ 96.784400][ T13] device_initial_probe+0x24/0x34
[ 96.785715][ T13] bus_probe_device+0xbc/0x1c8
[ 96.786950][ T13] device_add+0xae0/0xef4
[ 96.788093][ T13] usb_set_configuration+0x15e0/0x1b60
[ 96.789616][ T13] usb_generic_driver_probe+0x8c/0x148
[ 96.791093][ T13] usb_probe_device+0x120/0x25c
[ 96.792396][ T13] really_probe+0x26c/0xaec
[ 96.793561][ T13] __driver_probe_device+0x194/0x3b4
[ 96.794983][ T13] driver_probe_device+0x78/0x34c
[ 96.796319][ T13] __device_attach_driver+0x28c/0x4d8
[ 96.797751][ T13] bus_for_each_drv+0x158/0x1e0
[ 96.799073][ T13] __device_attach+0x2f0/0x480
[ 96.800366][ T13] device_initial_probe+0x24/0x34
[ 96.801765][ T13] bus_probe_device+0xbc/0x1c8
[ 96.803005][ T13] device_add+0xae0/0xef4
[ 96.804167][ T13] usb_new_device+0x900/0x145c
[ 96.805382][ T13] hub_event+0x236c/0x46b8
[ 96.806436][ T13] process_one_work+0x790/0x11b8
[ 96.807708][ T13] worker_thread+0x910/0x1034
[ 96.808957][ T13] kthread+0x37c/0x45c
[ 96.810057][ T13] ret_from_fork+0x10/0x20
[ 96.811249][ T13]
[ 96.811843][ T13] Freed by task 13:
[ 96.812852][ T13] kasan_set_track+0x4c/0x84
[ 96.814038][ T13] kasan_set_free_info+0x28/0x4c
[ 96.815282][ T13] ____kasan_slab_free+0x118/0x164
[ 96.816706][ T13] __kasan_slab_free+0x18/0x28
[ 96.818002][ T13] slab_free_freelist_hook+0x128/0x1ec
[ 96.819444][ T13] kfree+0x178/0x410
[ 96.820514][ T13] release_mdev+0x20/0x30
[ 96.821682][ T13] device_release+0x8c/0x1ac
[ 96.822886][ T13] kobject_put+0x2c4/0x438
[ 96.824050][ T13] device_unregister+0x3c/0xcc
[ 96.825306][ T13] most_deregister_interface+0x3e0/0x42c
[ 96.826774][ T13] hdm_disconnect+0xe0/0x190
[ 96.828037][ T13] usb_unbind_interface+0x1a4/0x758
[ 96.829497][ T13] device_release_driver_internal+0x464/0x6ac
[ 96.831203][ T13] device_release_driver+0x28/0x38
[ 96.832573][ T13] bus_remove_device+0x298/0x38c
[ 96.833911][ T13] device_del+0x57c/0x9b4
[ 96.835022][ T13] usb_disable_device+0x354/0x760
[ 96.836344][ T13] usb_disconnect+0x290/0x7e8
[ 96.837520][ T13] hub_event+0x1718/0x46b8
[ 96.838718][ T13] process_one_work+0x790/0x11b8
[ 96.840001][ T13] worker_thread+0x910/0x1034
[ 96.841180][ T13] kthread+0x37c/0x45c
[ 96.842297][ T13] ret_from_fork+0x10/0x20
[ 96.843516][ T13]
[ 96.844112][ T13] The buggy address belongs to the object at ffff0000c2164000
[ 96.844112][ T13] which belongs to the cache kmalloc-8k of size 8192
[ 96.847945][ T13] The buggy address is located 6520 bytes inside of
[ 96.847945][ T13] 8192-byte region [ffff0000c2164000, ffff0000c2166000)
[ 96.851612][ T13] The buggy address belongs to the page:
[ 96.853217][ T13] page:000000005cd7af73 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102160
[ 96.856047][ T13] head:000000005cd7af73 order:3 compound_mapcount:0 compound_pincount:0
[ 96.858325][ T13] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 96.860571][ T13] raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002c00
[ 96.862842][ T13] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 96.865169][ T13] page dumped because: kasan: bad access detected
[ 96.866923][ T13]
[ 96.867562][ T13] Memory state around the buggy address:
[ 96.869117][ T13]  ffff0000c2165800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.871280][ T13]  ffff0000c2165880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.873440][ T13] >ffff0000c2165900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.875556][ T13]                                                                 ^
[ 96.877700][ T13]  ffff0000c2165980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.879947][ T13]  ffff0000c2165a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.882153][ T13] ==================================================================
[ 96.884320][ T13] Disabling lock debugging due to kernel taint
[ 96.886777][ T13] ------------[ cut here ]------------
[ 96.888154][ T13] refcount_t: underflow; use-after-free.
[ 96.889945][ T13] WARNING: CPU: 0 PID: 13 at lib/refcount.c:28 refcount_warn_saturate+0x1c8/0x20c
[ 96.892280][ T13] Modules linked in:
[ 96.893303][ T13] CPU: 0 PID: 13 Comm: kworker/0:1 Tainted: G B 5.15.174-syzkaller #0
[ 96.895741][ T13] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
[ 96.898381][ T13] Workqueue: usb_hub_wq hub_event
[ 96.899724][ T13] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 96.901807][ T13] pc : refcount_warn_saturate+0x1c8/0x20c
[ 96.903339][ T13] lr : refcount_warn_saturate+0x1c8/0x20c
[ 96.904826][ T13] sp : ffff80001bd372f0
[ 96.905937][ T13] x29: ffff80001bd372f0 x28: ffff800016aced00 x27: ffff0000caf87000
[ 96.908143][ T13] x26: 1fffe0001956c607 x25: dfff800000000000 x24: ffff0000cab61030
[ 96.910344][ T13] x23: 1fffe0001842c8bb x22: ffff0000cab6303c x21: 0000000000000003
[ 96.912475][ T13] x20: ffff0000cab63038 x19: ffff800016fcd000 x18: 0000000000000001
[ 96.914629][ T13] x17: 0000000000000000 x16: ffff800008336558 x15: 00000000ffffffff
[ 96.916851][ T13] x14: ffff0000c0950000 x13: 0000000000000001 x12: 0000000000000001
[ 96.919045][ T13] x11: 0000000000000000 x10: 0000000000000000 x9 : ac0a99b67684d500
[ 96.921221][ T13] x8 : ac0a99b67684d500 x7 : 0000000000000001 x6 : 0000000000000001
[ 96.923346][ T13] x5 : ffff80001bd36a58 x4 : ffff800014c50660 x3 : ffff8000083366a4
[ 96.925513][ T13] x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000026
[ 96.927724][ T13] Call trace:
[ 96.928567][ T13] refcount_warn_saturate+0x1c8/0x20c
[ 96.930074][ T13] kobject_put+0x1a8/0x438
[ 96.931304][ T13] put_device+0x28/0x40
[ 96.932397][ T13] hdm_disconnect+0x170/0x190
[ 96.933676][ T13] usb_unbind_interface+0x1a4/0x758
[ 96.935104][ T13] device_release_driver_internal+0x464/0x6ac
[ 96.936715][ T13] device_release_driver+0x28/0x38
[ 96.938132][ T13] bus_remove_device+0x298/0x38c
[ 96.939358][ T13] device_del+0x57c/0x9b4
[ 96.940545][ T13] usb_disable_device+0x354/0x760
[ 96.941929][ T13] usb_disconnect+0x290/0x7e8
[ 96.943241][ T13] hub_event+0x1718/0x46b8
[ 96.944416][ T13] process_one_work+0x790/0x11b8
[ 96.945737][ T13] worker_thread+0x910/0x1034
[ 96.947064][ T13] kthread+0x37c/0x45c
[ 96.948107][ T13] ret_from_fork+0x10/0x20
[ 96.949326][ T13] irq event stamp: 162580
[ 96.950453][ T13] hardirqs last enabled at (162579): [] kasan_quarantine_put+0xdc/0x204
[ 96.953149][ T13] hardirqs last disabled at (162580): [] _raw_spin_lock_irqsave+0xfc/0x14c
[ 96.955895][ T13] softirqs last enabled at (162432): [] handle_softirqs+0xb88/0xdbc
[ 96.958524][ T13] softirqs last disabled at (162335): [] __irq_exit_rcu+0x268/0x4d8
[ 96.961041][ T13] ---[ end trace ba2463d6456d7e56 ]---
[ 97.022727][ T532] team0 (unregistering): Port device team_slave_1 removed
[ 97.033528][ T532] team0 (unregistering): Port device team_slave_0 removed
[ 97.040735][ T532] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 97.081600][ T532] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 97.192552][ T532] bond0 (unregistering): Released all slaves
[ 97.595537][ T4104] usb 1-1: new high-speed USB
device number 3 using dummy_hcd [ 97.645870][ T4098] Bluetooth: hci0: command 0x0419 tx timeout [ 97.855485][ T4104] usb 1-1: Using ep0 maxpacket: 32 [ 97.985712][ T4104] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 97.987879][ T4104] usb 1-1: config 0 has no interface number 0 [ 98.175763][ T4104] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 98.178188][ T4104] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 98.180184][ T4104] usb 1-1: Product: syz [ 98.181329][ T4104] usb 1-1: Manufacturer: syz [ 98.182444][ T4104] usb 1-1: SerialNumber: syz [ 98.185474][ T4104] usb 1-1: config 0 descriptor?? [ 98.426441][ T13] usb 1-1: USB disconnect, device number 3 [ 99.225559][ T4109] usb 1-1: new high-speed USB device number 4 using dummy_hcd [ 99.485541][ T4109] usb 1-1: Using ep0 maxpacket: 32 [ 99.615537][ T4109] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 99.617816][ T4109] usb 1-1: config 0 has no interface number 0 [ 99.775656][ T4109] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 99.778337][ T4109] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 99.780412][ T4109] usb 1-1: Product: syz [ 99.781510][ T4109] usb 1-1: Manufacturer: syz [ 99.782663][ T4109] usb 1-1: SerialNumber: syz [ 99.786218][ T4109] usb 1-1: config 0 descriptor?? 
[ 100.026452][ T4520] usb 1-1: USB disconnect, device number 4 [ 100.805465][ T4109] usb 1-1: new high-speed USB device number 5 using dummy_hcd [ 101.055471][ T4109] usb 1-1: Using ep0 maxpacket: 32 [ 101.195683][ T4109] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 101.197731][ T4109] usb 1-1: config 0 has no interface number 0 [ 101.355658][ T4109] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 101.357987][ T4109] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 101.359867][ T4109] usb 1-1: Product: syz [ 101.360920][ T4109] usb 1-1: Manufacturer: syz [ 101.362122][ T4109] usb 1-1: SerialNumber: syz [ 101.365192][ T4109] usb 1-1: config 0 descriptor?? [ 101.606799][ T4109] usb 1-1: USB disconnect, device number 5 1970/01/01 00:01:42 executed programs: 6 [ 102.395469][ T4109] usb 1-1: new high-speed USB device number 6 using dummy_hcd [ 102.635516][ T4109] usb 1-1: Using ep0 maxpacket: 32 [ 102.765543][ T4109] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 102.767825][ T4109] usb 1-1: config 0 has no interface number 0 [ 102.936893][ T4109] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 102.939333][ T4109] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 102.941321][ T4109] usb 1-1: Product: syz [ 102.942340][ T4109] usb 1-1: Manufacturer: syz [ 102.943559][ T4109] usb 1-1: SerialNumber: syz [ 102.946730][ T4109] usb 1-1: config 0 descriptor?? 
[ 103.196351][ T4109] usb 1-1: USB disconnect, device number 6 [ 103.975505][ T13] usb 1-1: new high-speed USB device number 7 using dummy_hcd [ 104.225504][ T13] usb 1-1: Using ep0 maxpacket: 32 [ 104.345534][ T13] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 104.347742][ T13] usb 1-1: config 0 has no interface number 0 [ 104.505553][ T13] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 104.507756][ T13] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 104.509798][ T13] usb 1-1: Product: syz [ 104.510831][ T13] usb 1-1: Manufacturer: syz [ 104.511975][ T13] usb 1-1: SerialNumber: syz [ 104.515960][ T13] usb 1-1: config 0 descriptor?? [ 104.756890][ T4109] usb 1-1: USB disconnect, device number 7 [ 105.535476][ T13] usb 1-1: new high-speed USB device number 8 using dummy_hcd [ 105.775512][ T13] usb 1-1: Using ep0 maxpacket: 32 [ 105.895557][ T13] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 105.897901][ T13] usb 1-1: config 0 has no interface number 0 [ 106.055523][ T13] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 106.057907][ T13] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 106.059850][ T13] usb 1-1: Product: syz [ 106.060878][ T13] usb 1-1: Manufacturer: syz [ 106.062093][ T13] usb 1-1: SerialNumber: syz [ 106.065689][ T13] usb 1-1: config 0 descriptor?? [ 106.306232][ T13] usb 1-1: USB disconnect, device number 8