Warning: Permanently added '10.128.1.33' (ED25519) to the list of known hosts.
1970/01/01 00:01:30 ignoring optional flag "sandboxArg"="0"
1970/01/01 00:01:30 ignoring optional flag "type"="gce"
1970/01/01 00:01:30 parsed 1 programs
[ 93.054547][ T4438] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SSFS
[ 100.568602][ T4494] chnl_net:caif_netlink_parms(): no params data found
[ 100.623081][ T4494] bridge0: port 1(bridge_slave_0) entered blocking state
[ 100.625078][ T4494] bridge0: port 1(bridge_slave_0) entered disabled state
[ 100.627644][ T4494] device bridge_slave_0 entered promiscuous mode
[ 100.631218][ T4494] bridge0: port 2(bridge_slave_1) entered blocking state
[ 100.633724][ T4494] bridge0: port 2(bridge_slave_1) entered disabled state
[ 100.636343][ T4494] device bridge_slave_1 entered promiscuous mode
[ 100.652412][ T4494] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 100.657069][ T4494] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 100.674227][ T4494] team0: Port device team_slave_0 added
[ 100.677525][ T4494] team0: Port device team_slave_1 added
[ 100.698898][ T4494] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 100.700814][ T4494] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 100.709212][ T4494] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 100.714292][ T4494] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 100.716179][ T4494] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 100.724394][ T4494] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 100.794806][ T4494] device hsr_slave_0 entered promiscuous mode
[ 100.863233][ T4494] device hsr_slave_1 entered promiscuous mode
[ 101.615298][ T4494] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 101.655781][ T4494] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 101.696465][ T4494] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 101.737181][ T4494] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 101.839111][ T4494] 8021q: adding VLAN 0 to HW filter on device bond0
[ 101.850166][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 101.852713][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 101.860095][ T4494] 8021q: adding VLAN 0 to HW filter on device team0
[ 101.871232][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 101.875072][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 101.877679][ T9] bridge0: port 1(bridge_slave_0) entered blocking state
[ 101.879473][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 101.882535][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 101.890063][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 101.897403][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 101.900137][ T9] bridge0: port 2(bridge_slave_1) entered blocking state
[ 101.902102][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 101.922626][ T1628] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 101.925938][ T1628] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 101.928747][ T1628] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 101.932384][ T1628] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 101.939390][ T1628] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 101.942291][ T1628] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 101.946308][ T1628] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 101.967836][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 101.970525][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 101.973228][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 101.976062][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 101.980640][ T4494] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 102.065881][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 102.067999][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 102.077125][ T4494] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 102.089774][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 102.092539][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 102.108198][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 102.110914][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 102.115728][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 102.118632][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 102.125125][ T4494] device veth0_vlan entered promiscuous mode
[ 102.131959][ T4494] device veth1_vlan entered promiscuous mode
[ 102.151168][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 102.155340][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 102.157899][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 102.162234][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 102.168761][ T4494] device veth0_macvtap entered promiscuous mode
[ 102.172701][ T4494] device veth1_macvtap entered promiscuous mode
[ 102.187198][ T4494] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 102.191936][ T4494] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 102.194885][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 102.197475][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 102.200011][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 102.202632][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 102.210242][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 102.213101][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 102.218401][ T4494] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 102.220775][ T4494] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 102.223573][ T4494] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 102.225835][ T4494] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 102.877069][ T136] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 102.879330][ T136] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 102.882443][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 102.898933][ T136] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 102.901109][ T136] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 102.905294][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
1970/01/01 00:01:42 executed programs: 0
[ 103.141819][ T4637] chnl_net:caif_netlink_parms(): no params data found
[ 103.184305][ T4637] bridge0: port 1(bridge_slave_0) entered blocking state
[ 103.186482][ T4637] bridge0: port 1(bridge_slave_0) entered disabled state
[ 103.189312][ T4637] device bridge_slave_0 entered promiscuous mode
[ 103.196927][ T4637] bridge0: port 2(bridge_slave_1) entered blocking state
[ 103.198896][ T4637] bridge0: port 2(bridge_slave_1) entered disabled state
[ 103.201633][ T4637] device bridge_slave_1 entered promiscuous mode
[ 103.224305][ T4637] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 103.229037][ T4637] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 103.248478][ T4637] team0: Port device team_slave_0 added
[ 103.251911][ T4637] team0: Port device team_slave_1 added
[ 103.270202][ T4637] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 103.272175][ T4637] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 103.279430][ T4637] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 103.286392][ T4637] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 103.288367][ T4637] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 103.295466][ T4637] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 103.345781][ T4637] device hsr_slave_0 entered promiscuous mode
[ 103.393584][ T4637] device hsr_slave_1 entered promiscuous mode
[ 103.436021][ T4637] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 103.438136][ T4637] Cannot create hsr debugfs directory
[ 103.540935][ T4637] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 105.032907][ T4133] Bluetooth: hci0: command 0x0409 tx timeout
[ 105.910634][ T4637] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 107.103366][ T4048] Bluetooth: hci0: command 0x041b tx timeout
[ 107.149218][ T4637] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 107.202162][ T4637] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 107.373896][ T4637] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 107.416156][ T4637] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 107.445979][ T4637] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 107.495370][ T4637] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 107.578771][ T4637] 8021q: adding VLAN 0 to HW filter on device bond0
[ 107.586958][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 107.589522][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 107.594406][ T4637] 8021q: adding VLAN 0 to HW filter on device team0
[ 107.599077][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 107.601835][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 107.604555][ T153] bridge0: port 1(bridge_slave_0) entered blocking state
[ 107.606480][ T153] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 107.608807][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 107.615402][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 107.618343][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 107.620900][ T136] bridge0: port 2(bridge_slave_1) entered blocking state
[ 107.622878][ T136] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 107.628333][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 107.662666][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 107.675343][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 107.678258][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 107.680880][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 107.684646][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 107.687837][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 107.690454][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 107.693120][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 107.699557][ T4637] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 107.703857][ T4637] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 107.706515][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 107.708900][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 107.783077][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 107.785105][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 107.790987][ T4637] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 107.804630][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 107.807478][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 107.819262][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 107.822020][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 107.825498][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 107.828067][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 107.832302][ T4637] device veth0_vlan entered promiscuous mode
[ 107.839811][ T4637] device veth1_vlan entered promiscuous mode
[ 107.857526][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 107.860184][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 107.862701][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 107.866010][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 107.870867][ T4637] device veth0_macvtap entered promiscuous mode
[ 107.877500][ T4637] device veth1_macvtap entered promiscuous mode
[ 107.887003][ T4637] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
[ 107.889863][ T4637] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 107.896718][ T4637] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 107.898687][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 107.901426][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 107.904208][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 107.906959][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 107.912036][ T4637] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
[ 107.915929][ T4637] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 107.919433][ T4637] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 107.921483][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 107.924742][ T153] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 107.929486][ T4637] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 107.931765][ T4637] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 107.936505][ T4637] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 107.938854][ T4637] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 108.000079][ T153] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 108.011451][ T153] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 108.013640][ T1628] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 108.013677][ T1628] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 108.014903][ T1628] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 108.024722][ T1628] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
1970/01/01 00:01:47 executed programs: 2
[ 108.322986][ T4130] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 108.582937][ T4130] usb 1-1: Using ep0 maxpacket: 32
[ 108.743212][ T4130] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 108.745497][ T4130] usb 1-1: config 0 has no interface number 0
[ 108.933048][ T4130] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 108.935519][ T4130] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 108.937663][ T4130] usb 1-1: Product: syz
[ 108.938812][ T4130] usb 1-1: Manufacturer: syz
[ 108.940110][ T4130] usb 1-1: SerialNumber: syz
[ 108.944734][ T4130] usb 1-1: config 0 descriptor??
[ 109.191240][ T1534] usb 1-1: USB disconnect, device number 2
[ 109.192943][ T4128] Bluetooth: hci0: command 0x040f tx timeout
[ 109.200782][ T1534] ==================================================================
[ 109.203130][ T1534] BUG: KASAN: use-after-free in hdm_disconnect+0xf4/0x18c
[ 109.205089][ T1534] Read of size 8 at addr ffff0000d8edd978 by task kworker/1:2/1534
[ 109.207265][ T1534]
[ 109.207921][ T1534] CPU: 1 PID: 1534 Comm: kworker/1:2 Not tainted 5.15.183-syzkaller-00055-ga68c15152131 #0
[ 109.210660][ T1534] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
[ 109.213365][ T1534] Workqueue: usb_hub_wq hub_event
[ 109.214784][ T1534] Call trace:
[ 109.215657][ T1534] dump_backtrace+0x0/0x43c
[ 109.216881][ T1534] show_stack+0x2c/0x3c
[ 109.218028][ T1534] __dump_stack+0x30/0x40
[ 109.219193][ T1534] dump_stack_lvl+0xf8/0x160
[ 109.220497][ T1534] print_address_description+0x78/0x30c
[ 109.221985][ T1534] kasan_report+0xec/0x15c
[ 109.223193][ T1534] __asan_report_load8_noabort+0x44/0x50
[ 109.224719][ T1534] hdm_disconnect+0xf4/0x18c
[ 109.226003][ T1534] usb_unbind_interface+0x1b8/0x750
[ 109.227479][ T1534] device_release_driver_internal+0x3fc/0x63c
[ 109.229172][ T1534] device_release_driver+0x28/0x38
[ 109.230515][ T1534] bus_remove_device+0x294/0x388
[ 109.231804][ T1534] device_del+0x568/0x964
[ 109.233005][ T1534] usb_disable_device+0x33c/0x780
[ 109.234390][ T1534] usb_disconnect+0x290/0x7d0
[ 109.235612][ T1534] hub_event+0x14c8/0x4188
[ 109.236736][ T1534] process_one_work+0x79c/0x1140
[ 109.238081][ T1534] worker_thread+0x8f4/0x101c
[ 109.239370][ T1534] kthread+0x374/0x454
[ 109.240410][ T1534] ret_from_fork+0x10/0x20
[ 109.241579][ T1534]
[ 109.242228][ T1534] Allocated by task 4130:
[ 109.243412][ T1534] __kasan_kmalloc+0xb0/0xf0
[ 109.244606][ T1534] kmem_cache_alloc_trace+0x274/0x3fc
[ 109.246013][ T1534] hdm_probe+0x9c/0x1044
[ 109.247200][ T1534] usb_probe_interface+0x4fc/0x994
[ 109.248519][ T1534] really_probe+0x26c/0xaec
[ 109.249794][ T1534] __driver_probe_device+0x180/0x314
[ 109.251173][ T1534] driver_probe_device+0x78/0x34c
[ 109.252518][ T1534] __device_attach_driver+0x274/0x4c4
[ 109.253940][ T1534] bus_for_each_drv+0x150/0x1d8
[ 109.255269][ T1534] __device_attach+0x2a8/0x3d4
[ 109.256570][ T1534] device_initial_probe+0x24/0x34
[ 109.257797][ T1534] bus_probe_device+0xbc/0x1c4
[ 109.259081][ T1534] device_add+0xb04/0xf94
[ 109.260206][ T1534] usb_set_configuration+0x15b8/0x1b2c
[ 109.261655][ T1534] usb_generic_driver_probe+0x8c/0x144
[ 109.263110][ T1534] usb_probe_device+0x120/0x25c
[ 109.264382][ T1534] really_probe+0x26c/0xaec
[ 109.265613][ T1534] __driver_probe_device+0x180/0x314
[ 109.267022][ T1534] driver_probe_device+0x78/0x34c
[ 109.268366][ T1534] __device_attach_driver+0x274/0x4c4
[ 109.269732][ T1534] bus_for_each_drv+0x150/0x1d8
[ 109.271154][ T1534] __device_attach+0x2a8/0x3d4
[ 109.272440][ T1534] device_initial_probe+0x24/0x34
[ 109.273798][ T1534] bus_probe_device+0xbc/0x1c4
[ 109.275093][ T1534] device_add+0xb04/0xf94
[ 109.276252][ T1534] usb_new_device+0x7ec/0x1164
[ 109.277533][ T1534] hub_event+0x20cc/0x4188
[ 109.278778][ T1534] process_one_work+0x79c/0x1140
[ 109.280103][ T1534] worker_thread+0x8f4/0x101c
[ 109.281227][ T1534] kthread+0x374/0x454
[ 109.282348][ T1534] ret_from_fork+0x10/0x20
[ 109.283519][ T1534]
[ 109.284149][ T1534] Freed by task 1534:
[ 109.285256][ T1534] kasan_set_track+0x4c/0x84
[ 109.286516][ T1534] kasan_set_free_info+0x28/0x4c
[ 109.287896][ T1534] ____kasan_slab_free+0x118/0x164
[ 109.289226][ T1534] __kasan_slab_free+0x18/0x28
[ 109.290591][ T1534] slab_free_freelist_hook+0x128/0x1e8
[ 109.292083][ T1534] kfree+0x170/0x40c
[ 109.293144][ T1534] release_mdev+0x20/0x30
[ 109.294312][ T1534] device_release+0x8c/0x1ac
[ 109.295586][ T1534] kobject_put+0x2cc/0x454
[ 109.296760][ T1534] device_unregister+0x3c/0xcc
[ 109.298171][ T1534] most_deregister_interface+0x3e0/0x42c
[ 109.299689][ T1534] hdm_disconnect+0xdc/0x18c
[ 109.300927][ T1534] usb_unbind_interface+0x1b8/0x750
[ 109.302283][ T1534] device_release_driver_internal+0x3fc/0x63c
[ 109.303888][ T1534] device_release_driver+0x28/0x38
[ 109.305212][ T1534] bus_remove_device+0x294/0x388
[ 109.306502][ T1534] device_del+0x568/0x964
[ 109.307682][ T1534] usb_disable_device+0x33c/0x780
[ 109.309040][ T1534] usb_disconnect+0x290/0x7d0
[ 109.310283][ T1534] hub_event+0x14c8/0x4188
[ 109.311440][ T1534] process_one_work+0x79c/0x1140
[ 109.312755][ T1534] worker_thread+0x8f4/0x101c
[ 109.314007][ T1534] kthread+0x374/0x454
[ 109.315074][ T1534] ret_from_fork+0x10/0x20
[ 109.316235][ T1534]
[ 109.316822][ T1534] The buggy address belongs to the object at ffff0000d8edc000
[ 109.316822][ T1534] which belongs to the cache kmalloc-8k of size 8192
[ 109.320626][ T1534] The buggy address is located 6520 bytes inside of
[ 109.320626][ T1534] 8192-byte region [ffff0000d8edc000, ffff0000d8ede000)
[ 109.324254][ T1534] The buggy address belongs to the page:
[ 109.325756][ T1534] page:000000007ed78e66 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x118ed8
[ 109.328578][ T1534] head:000000007ed78e66 order:3 compound_mapcount:0 compound_pincount:0
[ 109.330825][ T1534] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 109.333019][ T1534] raw: 05ffc00000010200 0000000000000000 0000000100000001 ffff0000c0002c00
[ 109.335323][ T1534] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 109.337617][ T1534] page dumped because: kasan: bad access detected
[ 109.339329][ T1534]
[ 109.339917][ T1534] Memory state around the buggy address:
[ 109.341450][ T1534] ffff0000d8edd800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 109.343557][ T1534] ffff0000d8edd880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 109.345722][ T1534] >ffff0000d8edd900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 109.347848][ T1534] ^
[ 109.349914][ T1534] ffff0000d8edd980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 109.352072][ T1534] ffff0000d8edda00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 109.354301][ T1534] ==================================================================
[ 109.356449][ T1534] Disabling lock debugging due to kernel taint
[ 109.359305][ T1534] ------------[ cut here ]------------
[ 109.360724][ T1534] refcount_t: underflow; use-after-free.
[ 109.362450][ T1534] WARNING: CPU: 1 PID: 1534 at lib/refcount.c:28 refcount_warn_saturate+0x154/0x1f8
[ 109.364858][ T1534] Modules linked in:
[ 109.365941][ T1534] CPU: 1 PID: 1534 Comm: kworker/1:2 Tainted: G B 5.15.183-syzkaller-00055-ga68c15152131 #0
[ 109.368858][ T1534] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
[ 109.371538][ T1534] Workqueue: usb_hub_wq hub_event
[ 109.372874][ T1534] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 109.374962][ T1534] pc : refcount_warn_saturate+0x154/0x1f8
[ 109.376488][ T1534] lr : refcount_warn_saturate+0x154/0x1f8
[ 109.378032][ T1534] sp : ffff8000226d73e0
[ 109.379166][ T1534] x29: ffff8000226d73e0 x28: ffff800016094500 x27: 1fffe0001d51c600
[ 109.381458][ T1534] x26: 1fffe0001d51c607 x25: dfff800000000000 x24: ffff0000cd572030
[ 109.383605][ T1534] x23: 1fffe0001b1db8bb x22: ffff0000ea8e303c x21: 0000000000000000
[ 109.385735][ T1534] x20: ffff0000ea8e3038 x19: ffff80001658e000 x18: 0000000000000001
[ 109.387826][ T1534] x17: 0000000000000000 x16: ffff8000083007ec x15: 00000000ffffffff
[ 109.389909][ T1534] x14: 0000000000ff0100 x13: 0000000000000001 x12: 0000000000ff0100
[ 109.392041][ T1534] x11: 0000000000000000 x10: 0000000000000000 x9 : c9f163f86b56ed00
[ 109.394216][ T1534] x8 : c9f163f86b56ed00 x7 : 0000000000000001 x6 : 0000000000000001
[ 109.396286][ T1534] x5 : ffff8000226d6cd8 x4 : ffff80001422f280 x3 : ffff8000083008fc
[ 109.398478][ T1534] x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000026
[ 109.400502][ T1534] Call trace:
[ 109.401370][ T1534] refcount_warn_saturate+0x154/0x1f8
[ 109.402784][ T1534] kobject_put+0x19c/0x454
[ 109.403898][ T1534] put_device+0x28/0x40
[ 109.405026][ T1534] hdm_disconnect+0x16c/0x18c
[ 109.406301][ T1534] usb_unbind_interface+0x1b8/0x750
[ 109.407693][ T1534] device_release_driver_internal+0x3fc/0x63c
[ 109.409326][ T1534] device_release_driver+0x28/0x38
[ 109.410639][ T1534] bus_remove_device+0x294/0x388
[ 109.412053][ T1534] device_del+0x568/0x964
[ 109.413245][ T1534] usb_disable_device+0x33c/0x780
[ 109.414572][ T1534] usb_disconnect+0x290/0x7d0
[ 109.415877][ T1534] hub_event+0x14c8/0x4188
[ 109.417042][ T1534] process_one_work+0x79c/0x1140
[ 109.418367][ T1534] worker_thread+0x8f4/0x101c
[ 109.419651][ T1534] kthread+0x374/0x454
[ 109.420666][ T1534] ret_from_fork+0x10/0x20
[ 109.421875][ T1534] irq event stamp: 211962
[ 109.423126][ T1534] hardirqs last enabled at (211961): [] kasan_quarantine_put+0xc4/0x204
[ 109.425823][ T1534] hardirqs last disabled at (211962): [] _raw_spin_lock_irqsave+0xfc/0x14c
[ 109.428558][ T1534] softirqs last enabled at (211438): [] handle_softirqs+0xa4c/0xbf0
[ 109.431199][ T1534] softirqs last disabled at (211413): [] __irq_exit_rcu+0x240/0x440
[ 109.433791][ T1534] ---[ end trace 00095797295f62c6 ]---
[ 110.062934][ T4130] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 110.312915][ T4130] usb 1-1: Using ep0 maxpacket: 32
[ 110.463016][ T4130] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 110.465240][ T4130] usb 1-1: config 0 has no interface number 0
[ 110.643125][ T4130] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 110.645446][ T4130] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 110.647514][ T4130] usb 1-1: Product: syz
[ 110.648616][ T4130] usb 1-1: Manufacturer: syz
[ 110.649793][ T4130] usb 1-1: SerialNumber: syz
[ 110.653777][ T4130] usb 1-1: config 0 descriptor??
[ 110.829843][ T148] device hsr_slave_0 left promiscuous mode
[ 110.883678][ T148] device hsr_slave_1 left promiscuous mode
[ 110.894127][ T4086] usb 1-1: USB disconnect, device number 3
[ 110.963012][ T148] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 110.964998][ T148] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 110.967395][ T148] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 110.969363][ T148] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 110.971559][ T148] device bridge_slave_1 left promiscuous mode
[ 110.973622][ T148] bridge0: port 2(bridge_slave_1) entered disabled state
[ 111.013661][ T148] device bridge_slave_0 left promiscuous mode
[ 111.015453][ T148] bridge0: port 1(bridge_slave_0) entered disabled state
[ 111.153058][ T148] device veth1_macvtap left promiscuous mode
[ 111.154679][ T148] device veth0_macvtap left promiscuous mode
[ 111.156381][ T148] device veth1_vlan left promiscuous mode
[ 111.157946][ T148] device veth0_vlan left promiscuous mode
[ 111.263114][ T4048] Bluetooth: hci0: command 0x0419 tx timeout
[ 111.313932][ T148] team0 (unregistering): Port device team_slave_1 removed
[ 111.321392][ T148] team0 (unregistering): Port device team_slave_0 removed
[ 111.327721][ T148] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 111.359633][ T148] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 111.477930][ T148] bond0 (unregistering): Released all slaves
[ 111.693372][ T4048] usb 1-1: new high-speed USB device number 4 using dummy_hcd
[ 111.932866][ T4048] usb 1-1: Using ep0 maxpacket: 32
[ 112.052928][ T4048] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 112.055220][ T4048] usb 1-1: config 0 has no interface number 0
[ 112.232979][ T4048] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 112.235502][ T4048] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 112.237529][ T4048] usb 1-1: Product: syz
[ 112.238657][ T4048] usb 1-1: Manufacturer: syz
[ 112.239856][ T4048] usb 1-1: SerialNumber: syz
[ 112.242664][ T4048] usb 1-1: config 0 descriptor??
[ 112.485576][ T1534] usb 1-1: USB disconnect, device number 4
[ 113.272950][ T4048] usb 1-1: new high-speed USB device number 5 using dummy_hcd
[ 113.542918][ T4048] usb 1-1: Using ep0 maxpacket: 32
[ 113.682958][ T4048] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 113.685180][ T4048] usb 1-1: config 0 has no interface number 0
[ 113.843073][ T4048] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 113.845528][ T4048] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 113.847726][ T4048] usb 1-1: Product: syz
[ 113.848828][ T4048] usb 1-1: Manufacturer: syz
[ 113.850046][ T4048] usb 1-1: SerialNumber: syz
[ 113.852689][ T4048] usb 1-1: config 0 descriptor??
[ 114.094728][ T4048] usb 1-1: USB disconnect, device number 5
1970/01/01 00:01:54 executed programs: 6
[ 114.872884][ T3605] usb 1-1: new high-speed USB device number 6 using dummy_hcd
[ 115.122915][ T3605] usb 1-1: Using ep0 maxpacket: 32
[ 115.252982][ T3605] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 115.255343][ T3605] usb 1-1: config 0 has no interface number 0
[ 115.413032][ T3605] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 115.415509][ T3605] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 115.417651][ T3605] usb 1-1: Product: syz
[ 115.418810][ T3605] usb 1-1: Manufacturer: syz
[ 115.420043][ T3605] usb 1-1: SerialNumber: syz
[ 115.423366][ T3605] usb 1-1: config 0 descriptor??
[ 115.663749][ T4130] usb 1-1: USB disconnect, device number 6
[ 116.442874][ T4130] usb 1-1: new high-speed USB device number 7 using dummy_hcd
[ 116.692923][ T4130] usb 1-1: Using ep0 maxpacket: 32
[ 116.813064][ T4130] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 116.815329][ T4130] usb 1-1: config 0 has no interface number 0
[ 116.983054][ T4130] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 116.985531][ T4130] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 116.987650][ T4130] usb 1-1: Product: syz
[ 116.988786][ T4130] usb 1-1: Manufacturer: syz
[ 116.989949][ T4130] usb 1-1: SerialNumber: syz
[ 116.993785][ T4130] usb 1-1: config 0 descriptor??
[ 117.243816][ T4086] usb 1-1: USB disconnect, device number 7
[ 118.032878][ T4130] usb 1-1: new high-speed USB device number 8 using dummy_hcd
[ 118.282910][ T4130] usb 1-1: Using ep0 maxpacket: 32
[ 118.412947][ T4130] usb 1-1: config 0 has an invalid interface number: 237 but max is 0
[ 118.415282][ T4130] usb 1-1: config 0 has no interface number 0
[ 118.573142][ T4130] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89
[ 118.575608][ T4130] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 118.577800][ T4130] usb 1-1: Product: syz
[ 118.579041][ T4130] usb 1-1: Manufacturer: syz
[ 118.580328][ T4130] usb 1-1: SerialNumber: syz
[ 118.583735][ T4130] usb 1-1: config 0 descriptor??
[ 118.834499][ T1534] usb 1-1: USB disconnect, device number 8