Warning: Permanently added '10.128.1.44' (ED25519) to the list of known hosts. 1970/01/01 00:01:02 ignoring optional flag "type"="gce" 1970/01/01 00:01:02 parsed 1 programs [ 63.608135][ T4573] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SSFS [ 65.649024][ T4663] chnl_net:caif_netlink_parms(): no params data found [ 65.667555][ T4663] bridge0: port 1(bridge_slave_0) entered blocking state [ 65.668577][ T4663] bridge0: port 1(bridge_slave_0) entered disabled state [ 65.669997][ T4663] device bridge_slave_0 entered promiscuous mode [ 65.671974][ T4663] bridge0: port 2(bridge_slave_1) entered blocking state [ 65.673105][ T4663] bridge0: port 2(bridge_slave_1) entered disabled state [ 65.674450][ T4663] device bridge_slave_1 entered promiscuous mode [ 65.683801][ T4663] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 65.686297][ T4663] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 65.694699][ T4663] team0: Port device team_slave_0 added [ 65.696429][ T4663] team0: Port device team_slave_1 added [ 65.705229][ T4663] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 65.706264][ T4663] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 65.710893][ T4663] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 65.713167][ T4663] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 65.714245][ T4663] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 65.719290][ T4663] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 65.778415][ T4663] device hsr_slave_0 entered promiscuous mode [ 65.816989][ T4663] device hsr_slave_1 entered promiscuous mode [ 66.495202][ T4663] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 66.538631][ T4663] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 66.569923][ T4663] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 66.588416][ T4663] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 66.714513][ T4663] 8021q: adding VLAN 0 to HW filter on device bond0 [ 66.719038][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 66.720451][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 66.723261][ T4663] 8021q: adding VLAN 0 to HW filter on device team0 [ 66.726310][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 66.727981][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 66.729261][ T326] bridge0: port 1(bridge_slave_0) entered blocking state [ 66.730304][ T326] bridge0: port 1(bridge_slave_0) entered forwarding state [ 66.735518][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 66.739686][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 66.741209][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 66.742672][ T326] bridge0: port 2(bridge_slave_1) entered blocking state [ 66.743655][ T326] bridge0: port 2(bridge_slave_1) entered forwarding state [ 66.745929][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 66.749324][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 66.757866][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 66.759874][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 66.761404][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 66.764417][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 66.766294][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 66.770236][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 66.771828][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 66.775250][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 66.777151][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 66.782114][ T4663] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 66.887145][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 66.888532][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready [ 66.891933][ T4663] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 66.902572][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 66.904116][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 66.911015][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 66.912594][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 66.914064][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 66.915871][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 66.919887][ T4663] device veth0_vlan entered promiscuous mode [ 66.923361][ T4663] device veth1_vlan entered promiscuous mode [ 66.931218][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready [ 66.932658][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready [ 66.934045][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 66.935402][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 66.940768][ T4663] device veth0_macvtap entered promiscuous mode [ 66.943238][ T4663] device veth1_macvtap entered promiscuous mode [ 66.952309][ T4663] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 66.953533][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready [ 66.954905][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 66.956293][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 66.958924][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 66.962432][ T4663] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 66.964412][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 66.965956][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 66.969729][ T4663] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 66.971200][ T4663] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 66.972596][ T4663] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 66.974022][ T4663] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 67.083053][ T9] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 67.084302][ T9] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 67.085859][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready [ 67.102661][ T9] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 67.103967][ T9] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 67.105581][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready [ 67.621597][ T136] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 1970/01/01 00:01:07 executed programs: 0 [ 68.057704][ T4965] chnl_net:caif_netlink_parms(): no params data found [ 68.077999][ T4965] bridge0: port 1(bridge_slave_0) entered blocking state [ 68.079193][ T4965] bridge0: port 1(bridge_slave_0) entered disabled state [ 68.080765][ T4965] device bridge_slave_0 entered promiscuous mode [ 68.084352][ T4965] bridge0: port 2(bridge_slave_1) entered blocking state [ 68.085454][ T4965] bridge0: port 2(bridge_slave_1) entered disabled state [ 68.087526][ T4965] device bridge_slave_1 entered promiscuous mode [ 68.096293][ T4965] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 68.101172][ T4965] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 68.109894][ T4965] team0: Port device team_slave_0 added [ 68.111719][ T4965] team0: Port device team_slave_1 added [ 68.118547][ T4965] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 68.119730][ T4965] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 68.123857][ T4965] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 68.126278][ T4965] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 68.129501][ T4965] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 68.133451][ T4965] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 68.177959][ T4965] device hsr_slave_0 entered promiscuous mode [ 68.206955][ T4965] device hsr_slave_1 entered promiscuous mode [ 68.246842][ T4965] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 68.248172][ T4965] Cannot create hsr debugfs directory [ 69.607613][ T2064] ieee802154 phy0 wpan0: encryption failed: -22 [ 69.608333][ T3342] cfg80211: failed to load regulatory.db [ 69.608807][ T2064] ieee802154 phy1 wpan1: encryption failed: -22 [ 69.979618][ T136] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 70.076808][ T1541] Bluetooth: hci0: command 0x0409 tx timeout [ 72.157124][ T3342] Bluetooth: hci0: command 0x041b tx timeout [ 72.170681][ T136] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 72.219996][ T136] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 73.252011][ T4965] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 73.298599][ T4965] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 73.348143][ T4965] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 73.418031][ T4965] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 73.490545][ T4965] 8021q: adding VLAN 0 to HW filter on device bond0 [ 73.494601][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 73.496021][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 73.499240][ T4965] 8021q: adding VLAN 0 to HW filter on device team0 [ 73.501573][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 73.502937][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 73.504265][ T326] bridge0: port 1(bridge_slave_0) entered blocking state [ 73.505298][ T326] bridge0: port 1(bridge_slave_0) entered forwarding state [ 73.506944][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 73.510400][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 73.511983][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 73.513361][ T326] bridge0: port 2(bridge_slave_1) entered blocking state [ 73.514414][ T326] bridge0: port 2(bridge_slave_1) entered forwarding state [ 73.518459][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 73.520140][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 73.523223][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 73.525258][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 73.526863][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 73.529489][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 73.531429][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 73.534226][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 73.535788][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 73.541264][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 73.542938][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 73.545556][ T4965] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 73.585081][ T622] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 73.586314][ T622] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready [ 73.590885][ T4965] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 73.597608][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 73.599135][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 73.605005][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 73.606449][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 73.608242][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 73.609617][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 73.611872][ T4965] device veth0_vlan entered promiscuous mode [ 73.615214][ T4965] device veth1_vlan entered promiscuous mode [ 73.623124][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready [ 73.624732][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready [ 73.626185][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 73.628264][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 73.631177][ T4965] device veth0_macvtap entered promiscuous mode [ 73.634000][ T4965] device veth1_macvtap entered promiscuous mode [ 73.639188][ T4965] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 [ 73.640915][ T4965] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 73.642879][ T4965] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 73.644088][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready [ 73.645557][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 73.647652][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 73.649202][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 73.651756][ T4965] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 [ 73.653321][ T4965] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 73.655939][ T4965] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 73.658278][ T622] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 73.659866][ T622] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 73.662159][ T4965] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 73.663531][ T4965] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 73.664844][ T4965] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 73.666159][ T4965] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 73.685470][ T148] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 73.687247][ T148] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 73.689941][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready [ 73.697862][ T622] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 73.699080][ T622] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 73.700871][ T326] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready 1970/01/01 00:01:13 executed programs: 2 [ 73.986760][ T4399] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 74.226812][ T4399] usb 1-1: Using ep0 maxpacket: 32 [ 74.236964][ T25] Bluetooth: hci0: command 0x040f tx timeout [ 74.347101][ T4399] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 74.348442][ T4399] usb 1-1: config 0 has no interface number 0 [ 74.506814][ T4399] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 74.508192][ T4399] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 74.509323][ T4399] usb 1-1: Product: syz [ 74.509983][ T4399] usb 1-1: Manufacturer: syz [ 74.510751][ T4399] usb 1-1: SerialNumber: syz [ 74.514084][ T4399] usb 1-1: config 0 descriptor?? [ 74.748367][ T21] usb 1-1: USB disconnect, device number 2 [ 74.751276][ T21] ================================================================== [ 74.752578][ T21] BUG: KASAN: use-after-free in hdm_disconnect+0xf4/0x18c [ 74.753721][ T21] Read of size 8 at addr ffff0000c6155978 by task kworker/1:0/21 [ 74.754997][ T21] [ 74.755372][ T21] CPU: 1 PID: 21 Comm: kworker/1:0 Not tainted syzkaller #0 [ 74.756514][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025 [ 74.758163][ T21] Workqueue: usb_hub_wq hub_event [ 74.758960][ T21] Call trace: [ 74.759464][ T21] dump_backtrace+0x0/0x43c [ 74.760202][ T21] show_stack+0x2c/0x3c [ 74.760879][ T21] __dump_stack+0x30/0x40 [ 74.761558][ T21] dump_stack_lvl+0xf8/0x160 [ 74.762239][ T21] print_address_description+0x78/0x30c [ 74.763162][ T21] kasan_report+0xec/0x15c [ 74.763782][ T21] __asan_report_load8_noabort+0x44/0x50 [ 74.764657][ T21] hdm_disconnect+0xf4/0x18c [ 74.765373][ T21] usb_unbind_interface+0x1b8/0x750 [ 74.766204][ T21] device_release_driver_internal+0x3fc/0x63c [ 74.767060][ T21] device_release_driver+0x28/0x38 [ 74.767968][ T21] bus_remove_device+0x294/0x388 [ 74.768751][ T21] device_del+0x568/0x964 [ 74.769455][ T21] usb_disable_device+0x33c/0x780 [ 74.770168][ T21] usb_disconnect+0x290/0x7d0 [ 74.770908][ T21] hub_event+0x1610/0x42c0 [ 74.771619][ T21] process_one_work+0x79c/0x1140 [ 74.772485][ T21] worker_thread+0x8f4/0x101c [ 74.773231][ T21] kthread+0x374/0x454 [ 74.773889][ T21] ret_from_fork+0x10/0x20 [ 74.774526][ T21] [ 74.774876][ T21] Allocated by task 4399: [ 74.775517][ T21] __kasan_kmalloc+0xb0/0xf0 [ 74.776296][ T21] kmem_cache_alloc_trace+0x274/0x3fc [ 74.777177][ T21] hdm_probe+0x9c/0x1044 [ 74.777773][ T21] usb_probe_interface+0x4fc/0x994 [ 74.778526][ T21] really_probe+0x26c/0xaec [ 74.779230][ T21] __driver_probe_device+0x180/0x314 [ 74.780045][ T21] driver_probe_device+0x78/0x34c [ 74.780856][ T21] __device_attach_driver+0x274/0x4c4 [ 74.781744][ T21] bus_for_each_drv+0x150/0x1d8 [ 74.782470][ T21] __device_attach+0x2a8/0x3d4 [ 74.783178][ T21] device_initial_probe+0x24/0x34 [ 74.784042][ T21] bus_probe_device+0xbc/0x1c4 [ 74.784780][ T21] device_add+0xb04/0xf94 [ 74.785413][ T21] usb_set_configuration+0x15b8/0x1b2c [ 74.786203][ T21] usb_generic_driver_probe+0x8c/0x144 [ 74.786955][ T21] usb_probe_device+0x120/0x25c [ 74.787636][ T21] really_probe+0x26c/0xaec [ 74.788346][ T21] __driver_probe_device+0x180/0x314 [ 74.789119][ T21] driver_probe_device+0x78/0x34c [ 74.789851][ T21] __device_attach_driver+0x274/0x4c4 [ 74.790667][ T21] bus_for_each_drv+0x150/0x1d8 [ 74.791310][ T21] __device_attach+0x2a8/0x3d4 [ 74.791963][ T21] device_initial_probe+0x24/0x34 [ 74.792668][ T21] bus_probe_device+0xbc/0x1c4 [ 74.793357][ T21] device_add+0xb04/0xf94 [ 74.794111][ T21] usb_new_device+0x7ec/0x1164 [ 74.794903][ T21] hub_event+0x2240/0x42c0 [ 74.795663][ T21] process_one_work+0x79c/0x1140 [ 74.796407][ T21] worker_thread+0x8f4/0x101c [ 74.797122][ T21] kthread+0x374/0x454 [ 74.797771][ T21] ret_from_fork+0x10/0x20 [ 74.798492][ T21] [ 74.798845][ T21] Freed by task 21: [ 74.799561][ T21] kasan_set_track+0x4c/0x84 [ 74.800153][ T21] kasan_set_free_info+0x28/0x4c [ 74.800953][ T21] ____kasan_slab_free+0x118/0x164 [ 74.801755][ T21] __kasan_slab_free+0x18/0x28 [ 74.802514][ T21] slab_free_freelist_hook+0x128/0x1e8 [ 74.803362][ T21] kfree+0x170/0x40c [ 74.803945][ T21] release_mdev+0x20/0x30 [ 74.804694][ T21] device_release+0x8c/0x1ac [ 74.805444][ T21] kobject_put+0x2cc/0x454 [ 74.806202][ T21] device_unregister+0x3c/0xcc [ 74.806958][ T21] most_deregister_interface+0x3e0/0x42c [ 74.807870][ T21] hdm_disconnect+0xdc/0x18c [ 74.808563][ T21] usb_unbind_interface+0x1b8/0x750 [ 74.809313][ T21] device_release_driver_internal+0x3fc/0x63c [ 74.810257][ T21] device_release_driver+0x28/0x38 [ 74.811044][ T21] bus_remove_device+0x294/0x388 [ 74.811876][ T21] device_del+0x568/0x964 [ 74.812553][ T21] usb_disable_device+0x33c/0x780 [ 74.813404][ T21] usb_disconnect+0x290/0x7d0 [ 74.814174][ T21] hub_event+0x1610/0x42c0 [ 74.814962][ T21] process_one_work+0x79c/0x1140 [ 74.815710][ T21] worker_thread+0x8f4/0x101c [ 74.816428][ T21] kthread+0x374/0x454 [ 74.817071][ T21] ret_from_fork+0x10/0x20 [ 74.817727][ T21] [ 74.818081][ T21] The buggy address belongs to the object at ffff0000c6154000 [ 74.818081][ T21] which belongs to the cache kmalloc-8k of size 8192 [ 74.820363][ T21] The buggy address is located 6520 bytes inside of [ 74.820363][ T21] 8192-byte region [ffff0000c6154000, ffff0000c6156000) [ 74.822520][ T21] The buggy address belongs to the page: [ 74.823455][ T21] page:000000009ba3771d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106150 [ 74.825098][ T21] head:000000009ba3771d order:3 compound_mapcount:0 compound_pincount:0 [ 74.826378][ T21] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff) [ 74.827599][ T21] raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002c00 [ 74.829020][ T21] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000 [ 74.830463][ T21] page dumped because: kasan: bad access detected [ 74.831571][ T21] [ 74.831939][ T21] Memory state around the buggy address: [ 74.832780][ T21] ffff0000c6155800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.834149][ T21] ffff0000c6155880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.835416][ T21] >ffff0000c6155900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.836605][ T21] ^ [ 74.837992][ T21] ffff0000c6155980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.839296][ T21] ffff0000c6155a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.840533][ T21] ================================================================== [ 74.841766][ T21] Disabling lock debugging due to kernel taint [ 74.843007][ T21] ------------[ cut here ]------------ [ 74.843836][ T21] refcount_t: underflow; use-after-free. [ 74.844769][ T21] WARNING: CPU: 1 PID: 21 at lib/refcount.c:28 refcount_warn_saturate+0x154/0x1f8 [ 74.846036][ T21] Modules linked in: [ 74.846561][ T21] CPU: 1 PID: 21 Comm: kworker/1:0 Tainted: G B syzkaller #0 [ 74.847812][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025 [ 74.849208][ T21] Workqueue: usb_hub_wq hub_event [ 74.849977][ T21] pstate: 62400005 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--) [ 74.851260][ T21] pc : refcount_warn_saturate+0x154/0x1f8 [ 74.852110][ T21] lr : refcount_warn_saturate+0x154/0x1f8 [ 74.852984][ T21] sp : ffff80001b3c73e0 [ 74.853613][ T21] x29: ffff80001b3c73e0 x28: ffff8000160ca660 x27: 1fffe0001aea0800 [ 74.854904][ T21] x26: 1fffe0001aea0807 x25: dfff800000000000 x24: ffff0000d7503030 [ 74.856119][ T21] x23: 1fffe00018c2a8bb x22: ffff0000d750403c x21: 0000000000000000 [ 74.857448][ T21] x20: ffff0000d7504038 x19: ffff8000165c5000 x18: 0000000000000001 [ 74.858669][ T21] x17: 0000000000000000 x16: ffff800008302168 x15: 00000000ffffffff [ 74.859861][ T21] x14: 0000000000ff0100 x13: 0000000000000001 x12: 0000000000ff0100 [ 74.861078][ T21] x11: 0000000000000000 x10: 0000000000000000 x9 : b7ac2698ff20f800 [ 74.862249][ T21] x8 : b7ac2698ff20f800 x7 : 0000000000000001 x6 : 0000000000000001 [ 74.863481][ T21] x5 : ffff80001b3c6cd8 x4 : ffff80001425f420 x3 : ffff800008302278 [ 74.864684][ T21] x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000026 [ 74.865806][ T21] Call trace: [ 74.866269][ T21] refcount_warn_saturate+0x154/0x1f8 [ 74.867080][ T21] kobject_put+0x19c/0x454 [ 74.867678][ T21] put_device+0x28/0x40 [ 74.868318][ T21] hdm_disconnect+0x16c/0x18c [ 74.869048][ T21] usb_unbind_interface+0x1b8/0x750 [ 74.869821][ T21] device_release_driver_internal+0x3fc/0x63c [ 74.870736][ T21] device_release_driver+0x28/0x38 [ 74.871488][ T21] bus_remove_device+0x294/0x388 [ 74.872182][ T21] device_del+0x568/0x964 [ 74.872768][ T21] usb_disable_device+0x33c/0x780 [ 74.873550][ T21] usb_disconnect+0x290/0x7d0 [ 74.874321][ T21] hub_event+0x1610/0x42c0 [ 74.875002][ T21] process_one_work+0x79c/0x1140 [ 74.875773][ T21] worker_thread+0x8f4/0x101c [ 74.876521][ T21] kthread+0x374/0x454 [ 74.877175][ T21] ret_from_fork+0x10/0x20 [ 74.877836][ T21] irq event stamp: 109812 [ 74.878437][ T21] hardirqs last enabled at (109811): [] kasan_quarantine_put+0xc4/0x204 [ 74.879812][ T21] hardirqs last disabled at (109812): [] _raw_spin_lock_irqsave+0xfc/0x14c [ 74.881239][ T21] softirqs last enabled at (109284): [] local_bh_enable+0x10/0x34 [ 74.882546][ T21] softirqs last disabled at (109282): [] local_bh_disable+0x10/0x34 [ 74.883934][ T21] ---[ end trace de3f0e2245ad16c3 ]--- [ 75.556683][ T4399] usb 1-1: new high-speed USB device number 3 using dummy_hcd [ 75.796685][ T4399] usb 1-1: Using ep0 maxpacket: 32 [ 75.916955][ T4399] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 75.918261][ T4399] usb 1-1: config 0 has no interface number 0 [ 76.076972][ T4399] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 76.078306][ T4399] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 76.079559][ T4399] usb 1-1: Product: syz [ 76.080209][ T4399] usb 1-1: Manufacturer: syz [ 76.080915][ T4399] usb 1-1: SerialNumber: syz [ 76.083848][ T4399] usb 1-1: config 0 descriptor?? [ 76.151095][ T136] device hsr_slave_0 left promiscuous mode [ 76.186869][ T136] device hsr_slave_1 left promiscuous mode [ 76.276690][ T136] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 76.277976][ T136] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 76.279338][ T136] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 76.280441][ T136] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 76.281582][ T136] device bridge_slave_1 left promiscuous mode [ 76.282589][ T136] bridge0: port 2(bridge_slave_1) entered disabled state [ 76.316937][ T1541] Bluetooth: hci0: command 0x0419 tx timeout [ 76.318034][ T4399] usb 1-1: USB disconnect, device number 3 [ 76.327255][ T136] device bridge_slave_0 left promiscuous mode [ 76.328187][ T136] bridge0: port 1(bridge_slave_0) entered disabled state [ 76.466754][ T136] device veth1_macvtap left promiscuous mode [ 76.467720][ T136] device veth0_macvtap left promiscuous mode [ 76.468705][ T136] device veth1_vlan left promiscuous mode [ 76.469592][ T136] device veth0_vlan left promiscuous mode [ 76.536103][ T136] team0 (unregistering): Port device team_slave_1 removed [ 76.539869][ T136] team0 (unregistering): Port device team_slave_0 removed [ 76.542888][ T136] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 76.580153][ T136] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 76.679452][ T136] bond0 (unregistering): Released all slaves [ 77.086688][ T25] usb 1-1: new high-speed USB device number 4 using dummy_hcd [ 77.326685][ T25] usb 1-1: Using ep0 maxpacket: 32 [ 77.446756][ T25] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 77.448036][ T25] usb 1-1: config 0 has no interface number 0 [ 77.606796][ T25] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 77.608201][ T25] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 77.609562][ T25] usb 1-1: Product: syz [ 77.610198][ T25] usb 1-1: Manufacturer: syz [ 77.610882][ T25] usb 1-1: SerialNumber: syz [ 77.612803][ T25] usb 1-1: config 0 descriptor?? [ 77.857289][ T21] usb 1-1: USB disconnect, device number 4 [ 78.626704][ T4399] usb 1-1: new high-speed USB device number 5 using dummy_hcd [ 78.877384][ T4399] usb 1-1: Using ep0 maxpacket: 32 [ 78.996730][ T4399] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 78.998036][ T4399] usb 1-1: config 0 has no interface number 0 [ 79.156737][ T4399] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 79.158159][ T4399] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 79.159298][ T4399] usb 1-1: Product: syz [ 79.159893][ T4399] usb 1-1: Manufacturer: syz [ 79.160512][ T4399] usb 1-1: SerialNumber: syz [ 79.162592][ T4399] usb 1-1: config 0 descriptor?? [ 79.397430][ T4399] usb 1-1: USB disconnect, device number 5 1970/01/01 00:01:19 executed programs: 6 [ 80.166679][ T5138] usb 1-1: new high-speed USB device number 6 using dummy_hcd [ 80.426667][ T5138] usb 1-1: Using ep0 maxpacket: 32 [ 80.547039][ T5138] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 80.548341][ T5138] usb 1-1: config 0 has no interface number 0 [ 80.706769][ T5138] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 80.708134][ T5138] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 80.709293][ T5138] usb 1-1: Product: syz [ 80.709934][ T5138] usb 1-1: Manufacturer: syz [ 80.710697][ T5138] usb 1-1: SerialNumber: syz [ 80.712299][ T5138] usb 1-1: config 0 descriptor?? [ 80.957767][ T4399] usb 1-1: USB disconnect, device number 6 [ 81.726693][ T5138] usb 1-1: new high-speed USB device number 7 using dummy_hcd [ 81.976744][ T5138] usb 1-1: Using ep0 maxpacket: 32 [ 82.096707][ T5138] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 82.098082][ T5138] usb 1-1: config 0 has no interface number 0 [ 82.266725][ T5138] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 82.268090][ T5138] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 82.269309][ T5138] usb 1-1: Product: syz [ 82.269905][ T5138] usb 1-1: Manufacturer: syz [ 82.270590][ T5138] usb 1-1: SerialNumber: syz [ 82.272199][ T5138] usb 1-1: config 0 descriptor?? [ 82.507217][ T4408] usb 1-1: USB disconnect, device number 7 [ 83.296672][ T5138] usb 1-1: new high-speed USB device number 8 using dummy_hcd [ 83.536668][ T5138] usb 1-1: Using ep0 maxpacket: 32 [ 83.656729][ T5138] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 83.657953][ T5138] usb 1-1: config 0 has no interface number 0 [ 83.826694][ T5138] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 83.828158][ T5138] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 83.829333][ T5138] usb 1-1: Product: syz [ 83.829931][ T5138] usb 1-1: Manufacturer: syz [ 83.830621][ T5138] usb 1-1: SerialNumber: syz [ 83.832221][ T5138] usb 1-1: config 0 descriptor?? [ 84.067626][ T5138] usb 1-1: USB disconnect, device number 8