Warning: Permanently added '10.128.1.8' (ED25519) to the list of known hosts. 1970/01/01 00:01:02 ignoring optional flag "type"="gce" 1970/01/01 00:01:02 parsed 1 programs [ 63.721990][ T4372] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SSFS [ 66.017046][ T4475] chnl_net:caif_netlink_parms(): no params data found [ 66.037442][ T4475] bridge0: port 1(bridge_slave_0) entered blocking state [ 66.038655][ T4475] bridge0: port 1(bridge_slave_0) entered disabled state [ 66.040186][ T4475] device bridge_slave_0 entered promiscuous mode [ 66.042345][ T4475] bridge0: port 2(bridge_slave_1) entered blocking state [ 66.043533][ T4475] bridge0: port 2(bridge_slave_1) entered disabled state [ 66.045046][ T4475] device bridge_slave_1 entered promiscuous mode [ 66.053593][ T4475] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 66.056073][ T4475] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 66.065988][ T4475] team0: Port device team_slave_0 added [ 66.068396][ T4475] team0: Port device team_slave_1 added [ 66.075121][ T4475] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 66.076267][ T4475] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 66.080272][ T4475] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 66.082535][ T4475] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 66.083603][ T4475] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 66.087655][ T4475] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 66.140930][ T4475] device hsr_slave_0 entered promiscuous mode [ 66.190328][ T4475] device hsr_slave_1 entered promiscuous mode [ 66.766878][ T4475] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 66.791852][ T4475] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 66.841137][ T4475] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 66.892878][ T4475] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 67.001805][ T4475] bridge0: port 2(bridge_slave_1) entered blocking state [ 67.003056][ T4475] bridge0: port 2(bridge_slave_1) entered forwarding state [ 67.004280][ T4475] bridge0: port 1(bridge_slave_0) entered blocking state [ 67.005440][ T4475] bridge0: port 1(bridge_slave_0) entered forwarding state [ 67.023634][ T4475] 8021q: adding VLAN 0 to HW filter on device bond0 [ 67.027791][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 67.029447][ T355] bridge0: port 1(bridge_slave_0) entered disabled state [ 67.031659][ T355] bridge0: port 2(bridge_slave_1) entered disabled state [ 67.034037][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 67.038876][ T4475] 8021q: adding VLAN 0 to HW filter on device team0 [ 67.043750][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 67.045285][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 67.046813][ T355] bridge0: port 1(bridge_slave_0) entered blocking state [ 67.047957][ T355] bridge0: port 1(bridge_slave_0) entered forwarding state [ 67.057644][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 67.059212][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 67.064742][ T355] bridge0: port 2(bridge_slave_1) entered blocking state [ 67.065790][ T355] bridge0: port 2(bridge_slave_1) entered forwarding state [ 67.067130][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 67.068758][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 67.077110][ T4475] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network [ 67.078727][ T4475] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 67.082553][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 67.084732][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 67.086596][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 67.088244][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 67.089697][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 67.094454][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 67.096145][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 67.097682][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 67.102942][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 67.104405][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 67.145724][ T4475] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 67.150554][ T979] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 67.151811][ T979] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready [ 67.155145][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 67.156774][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 67.164866][ T979] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 67.166485][ T979] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 67.168022][ T979] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 67.169442][ T979] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 67.173494][ T4475] device veth0_vlan entered promiscuous mode [ 67.176797][ T4475] device veth1_vlan entered promiscuous mode [ 67.185485][ T979] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready [ 67.187080][ T979] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready [ 67.188477][ T979] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 67.191272][ T979] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 67.194167][ T4475] device veth0_macvtap entered promiscuous mode [ 67.196631][ T4475] device veth1_macvtap entered promiscuous mode [ 67.204850][ T4475] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 67.206075][ T979] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready [ 67.207552][ T979] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 67.208890][ T979] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 67.211342][ T979] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 67.214702][ T4475] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 67.216649][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 67.218193][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 67.221918][ T4475] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 67.223224][ T4475] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 67.224412][ T4475] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 67.225661][ T4475] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 67.387964][ T979] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 67.389308][ T979] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 67.392330][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready [ 67.405595][ T355] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 67.406845][ T355] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 67.408439][ T979] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready [ 67.884907][ T588] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 1970/01/01 00:01:08 executed programs: 0 [ 68.379545][ T4757] chnl_net:caif_netlink_parms(): no params data found [ 68.397558][ T4757] bridge0: port 1(bridge_slave_0) entered blocking state [ 68.398817][ T4757] bridge0: port 1(bridge_slave_0) entered disabled state [ 68.402298][ T4757] device bridge_slave_0 entered promiscuous mode [ 68.404722][ T4757] bridge0: port 2(bridge_slave_1) entered blocking state [ 68.405869][ T4757] bridge0: port 2(bridge_slave_1) entered disabled state [ 68.407435][ T4757] device bridge_slave_1 entered promiscuous mode [ 68.416049][ T4757] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 68.418914][ T4757] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 68.428792][ T4757] team0: Port device team_slave_0 added [ 68.430810][ T4757] team0: Port device team_slave_1 added [ 68.437662][ T4757] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 68.438790][ T4757] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 68.443060][ T4757] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 68.445475][ T4757] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 68.446578][ T4757] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 68.450461][ T4757] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 68.502215][ T4757] device hsr_slave_0 entered promiscuous mode [ 68.541270][ T4757] device hsr_slave_1 entered promiscuous mode [ 68.561504][ T4757] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 68.562727][ T4757] Cannot create hsr debugfs directory [ 69.621670][ T1969] cfg80211: failed to load regulatory.db [ 69.623859][ T2065] ieee802154 phy0 wpan0: encryption failed: -22 [ 69.624970][ T2065] ieee802154 phy1 wpan1: encryption failed: -22 [ 70.242877][ T588] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 70.419882][ T1969] Bluetooth: hci0: command 0x0409 tx timeout [ 72.490114][ T4062] Bluetooth: hci0: command 0x041b tx timeout [ 72.642912][ T588] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 72.674510][ T588] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 73.574909][ T4757] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 73.631331][ T4757] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 73.671364][ T4757] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 73.730544][ T4757] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 73.793852][ T4757] 8021q: adding VLAN 0 to HW filter on device bond0 [ 73.797648][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 73.799153][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 73.802221][ T4757] 8021q: adding VLAN 0 to HW filter on device team0 [ 73.804697][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 73.806368][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 73.807855][ T355] bridge0: port 1(bridge_slave_0) entered blocking state [ 73.808961][ T355] bridge0: port 1(bridge_slave_0) entered forwarding state [ 73.811630][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 73.814421][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 73.815987][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 73.817452][ T355] bridge0: port 2(bridge_slave_1) entered blocking state [ 73.818444][ T355] bridge0: port 2(bridge_slave_1) entered forwarding state [ 73.822870][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 73.825660][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 73.828311][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 73.831804][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 73.833328][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 73.836032][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 73.837639][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 73.840877][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 73.842304][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 73.844853][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 73.846274][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 73.849191][ T4757] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 73.888121][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 73.889489][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready [ 73.893404][ T4757] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 73.899414][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 73.901471][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 73.907945][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 73.909417][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 73.911315][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 73.912648][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 73.915082][ T4757] device veth0_vlan entered promiscuous mode [ 73.918519][ T4757] device veth1_vlan entered promiscuous mode [ 73.926341][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready [ 73.927950][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready [ 73.929377][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 73.931276][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 73.933764][ T4757] device veth0_macvtap entered promiscuous mode [ 73.936551][ T4757] device veth1_macvtap entered promiscuous mode [ 73.949098][ T4757] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 [ 73.951092][ T4757] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 73.953478][ T4757] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 73.954724][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready [ 73.956423][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 73.957797][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 73.959290][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 73.962468][ T4757] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 [ 73.964084][ T4757] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! [ 73.966162][ T4757] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 73.967407][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 73.969556][ T355] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 73.972676][ T4757] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 73.973891][ T4757] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 73.975269][ T4757] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 73.976611][ T4757] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 73.994787][ T148] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 73.996130][ T148] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 73.997733][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready [ 74.006653][ T355] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 74.007916][ T355] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 74.009526][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready 1970/01/01 00:01:14 executed programs: 2 [ 74.299892][ T4146] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 74.559891][ T4146] usb 1-1: Using ep0 maxpacket: 32 [ 74.570142][ T1969] Bluetooth: hci0: command 0x040f tx timeout [ 74.710021][ T4146] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 74.711541][ T4146] usb 1-1: config 0 has no interface number 0 [ 74.909928][ T4146] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 74.911311][ T4146] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 74.912462][ T4146] usb 1-1: Product: syz [ 74.913116][ T4146] usb 1-1: Manufacturer: syz [ 74.913896][ T4146] usb 1-1: SerialNumber: syz [ 74.916942][ T4146] usb 1-1: config 0 descriptor?? [ 75.161621][ T4121] usb 1-1: USB disconnect, device number 2 [ 75.164328][ T4121] ================================================================== [ 75.165651][ T4121] BUG: KASAN: use-after-free in hdm_disconnect+0xf4/0x18c [ 75.166714][ T4121] Read of size 8 at addr ffff0000d6ce5978 by task kworker/0:5/4121 [ 75.167903][ T4121] [ 75.168244][ T4121] CPU: 0 PID: 4121 Comm: kworker/0:5 Not tainted syzkaller #0 [ 75.169242][ T4121] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025 [ 75.170711][ T4121] Workqueue: usb_hub_wq hub_event [ 75.171529][ T4121] Call trace: [ 75.172035][ T4121] dump_backtrace+0x0/0x43c [ 75.172745][ T4121] show_stack+0x2c/0x3c [ 75.173353][ T4121] __dump_stack+0x30/0x40 [ 75.174009][ T4121] dump_stack_lvl+0xf8/0x160 [ 75.174705][ T4121] print_address_description+0x78/0x30c [ 75.175582][ T4121] kasan_report+0xec/0x15c [ 75.176265][ T4121] __asan_report_load8_noabort+0x44/0x50 [ 75.177143][ T4121] hdm_disconnect+0xf4/0x18c [ 75.177846][ T4121] usb_unbind_interface+0x1b8/0x750 [ 75.178615][ T4121] device_release_driver_internal+0x3fc/0x63c [ 75.179584][ T4121] device_release_driver+0x28/0x38 [ 75.180458][ T4121] bus_remove_device+0x294/0x388 [ 75.181266][ T4121] device_del+0x568/0x964 [ 75.181986][ T4121] usb_disable_device+0x33c/0x780 [ 75.182813][ T4121] usb_disconnect+0x290/0x7d0 [ 75.183592][ T4121] hub_event+0x1610/0x42c0 [ 75.184343][ T4121] process_one_work+0x79c/0x1140 [ 75.185148][ T4121] worker_thread+0x8f4/0x101c [ 75.185930][ T4121] kthread+0x374/0x454 [ 75.186562][ T4121] ret_from_fork+0x10/0x20 [ 75.187272][ T4121] [ 75.187654][ T4121] Allocated by task 4146: [ 75.188288][ T4121] __kasan_kmalloc+0xb0/0xf0 [ 75.189068][ T4121] kmem_cache_alloc_trace+0x274/0x3fc [ 75.189955][ T4121] hdm_probe+0x9c/0x1044 [ 75.190625][ T4121] usb_probe_interface+0x4fc/0x994 [ 75.191374][ T4121] really_probe+0x26c/0xaec [ 75.192037][ T4121] __driver_probe_device+0x180/0x314 [ 75.192857][ T4121] driver_probe_device+0x78/0x34c [ 75.193652][ T4121] __device_attach_driver+0x274/0x4c4 [ 75.194434][ T4121] bus_for_each_drv+0x150/0x1d8 [ 75.195195][ T4121] __device_attach+0x2a8/0x3d4 [ 75.196013][ T4121] device_initial_probe+0x24/0x34 [ 75.196864][ T4121] bus_probe_device+0xbc/0x1c4 [ 75.197683][ T4121] device_add+0xb04/0xf94 [ 75.198444][ T4121] usb_set_configuration+0x15b8/0x1b2c [ 75.199359][ T4121] usb_generic_driver_probe+0x8c/0x144 [ 75.200231][ T4121] usb_probe_device+0x120/0x25c [ 75.200977][ T4121] really_probe+0x26c/0xaec [ 75.201654][ T4121] __driver_probe_device+0x180/0x314 [ 75.202436][ T4121] driver_probe_device+0x78/0x34c [ 75.203246][ T4121] __device_attach_driver+0x274/0x4c4 [ 75.204034][ T4121] bus_for_each_drv+0x150/0x1d8 [ 75.204770][ T4121] __device_attach+0x2a8/0x3d4 [ 75.205483][ T4121] device_initial_probe+0x24/0x34 [ 75.206234][ T4121] bus_probe_device+0xbc/0x1c4 [ 75.206957][ T4121] device_add+0xb04/0xf94 [ 75.207603][ T4121] usb_new_device+0x7ec/0x1164 [ 75.208282][ T4121] hub_event+0x2240/0x42c0 [ 75.208950][ T4121] process_one_work+0x79c/0x1140 [ 75.209741][ T4121] worker_thread+0x8f4/0x101c [ 75.210448][ T4121] kthread+0x374/0x454 [ 75.211125][ T4121] ret_from_fork+0x10/0x20 [ 75.211820][ T4121] [ 75.212156][ T4121] Freed by task 4121: [ 75.212779][ T4121] kasan_set_track+0x4c/0x84 [ 75.213443][ T4121] kasan_set_free_info+0x28/0x4c [ 75.214214][ T4121] ____kasan_slab_free+0x118/0x164 [ 75.215078][ T4121] __kasan_slab_free+0x18/0x28 [ 75.215852][ T4121] slab_free_freelist_hook+0x128/0x1e8 [ 75.216731][ T4121] kfree+0x170/0x40c [ 75.217362][ T4121] release_mdev+0x20/0x30 [ 75.218024][ T4121] device_release+0x8c/0x1ac [ 75.218647][ T4121] kobject_put+0x2cc/0x454 [ 75.219376][ T4121] device_unregister+0x3c/0xcc [ 75.220106][ T4121] most_deregister_interface+0x3e0/0x42c [ 75.221017][ T4121] hdm_disconnect+0xdc/0x18c [ 75.221783][ T4121] usb_unbind_interface+0x1b8/0x750 [ 75.222552][ T4121] device_release_driver_internal+0x3fc/0x63c [ 75.223480][ T4121] device_release_driver+0x28/0x38 [ 75.224229][ T4121] bus_remove_device+0x294/0x388 [ 75.224940][ T4121] device_del+0x568/0x964 [ 75.225584][ T4121] usb_disable_device+0x33c/0x780 [ 75.226352][ T4121] usb_disconnect+0x290/0x7d0 [ 75.227100][ T4121] hub_event+0x1610/0x42c0 [ 75.227760][ T4121] process_one_work+0x79c/0x1140 [ 75.228548][ T4121] worker_thread+0x8f4/0x101c [ 75.229322][ T4121] kthread+0x374/0x454 [ 75.229994][ T4121] ret_from_fork+0x10/0x20 [ 75.230696][ T4121] [ 75.231064][ T4121] The buggy address belongs to the object at ffff0000d6ce4000 [ 75.231064][ T4121] which belongs to the cache kmalloc-8k of size 8192 [ 75.233203][ T4121] The buggy address is located 6520 bytes inside of [ 75.233203][ T4121] 8192-byte region [ffff0000d6ce4000, ffff0000d6ce6000) [ 75.235453][ T4121] The buggy address belongs to the page: [ 75.236363][ T4121] page:0000000040a11b3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x116ce0 [ 75.237927][ T4121] head:0000000040a11b3c order:3 compound_mapcount:0 compound_pincount:0 [ 75.239295][ T4121] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff) [ 75.240569][ T4121] raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002c00 [ 75.241867][ T4121] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000 [ 75.243065][ T4121] page dumped because: kasan: bad access detected [ 75.244010][ T4121] [ 75.244374][ T4121] Memory state around the buggy address: [ 75.245268][ T4121] ffff0000d6ce5800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.246472][ T4121] ffff0000d6ce5880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.247788][ T4121] >ffff0000d6ce5900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.249067][ T4121] ^ [ 75.250403][ T4121] ffff0000d6ce5980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.251760][ T4121] ffff0000d6ce5a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.252940][ T4121] ================================================================== [ 75.254110][ T4121] Disabling lock debugging due to kernel taint [ 75.255365][ T4121] ------------[ cut here ]------------ [ 75.256234][ T4121] refcount_t: underflow; use-after-free. [ 75.257317][ T4121] WARNING: CPU: 0 PID: 4121 at lib/refcount.c:28 refcount_warn_saturate+0x154/0x1f8 [ 75.258794][ T4121] Modules linked in: [ 75.259474][ T4121] CPU: 0 PID: 4121 Comm: kworker/0:5 Tainted: G B syzkaller #0 [ 75.260852][ T4121] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025 [ 75.262442][ T4121] Workqueue: usb_hub_wq hub_event [ 75.263189][ T4121] pstate: 62400005 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--) [ 75.264527][ T4121] pc : refcount_warn_saturate+0x154/0x1f8 [ 75.265494][ T4121] lr : refcount_warn_saturate+0x154/0x1f8 [ 75.266389][ T4121] sp : ffff80001f8773e0 [ 75.267069][ T4121] x29: ffff80001f8773e0 x28: ffff8000160ca660 x27: 1fffe000194a2e00 [ 75.268493][ T4121] x26: 1fffe000194a2e07 x25: dfff800000000000 x24: ffff0000cb33b030 [ 75.269753][ T4121] x23: 1fffe0001ad9c8bb x22: ffff0000ca51703c x21: 0000000000000000 [ 75.271100][ T4121] x20: ffff0000ca517038 x19: ffff8000165c5000 x18: 0000000000000001 [ 75.272467][ T4121] x17: 0000000000000000 x16: ffff800008302168 x15: 00000000ffffffff [ 75.273799][ T4121] x14: 0000000000ff0100 x13: 0000000000000001 x12: 0000000000ff0100 [ 75.275050][ T4121] x11: 0000000000000000 x10: 0000000000000000 x9 : 40853116bcbe3c00 [ 75.276320][ T4121] x8 : 40853116bcbe3c00 x7 : 0000000000000001 x6 : 0000000000000001 [ 75.277643][ T4121] x5 : ffff80001f876cd8 x4 : ffff80001425f420 x3 : ffff800008302278 [ 75.278868][ T4121] x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000026 [ 75.280103][ T4121] Call trace: [ 75.280608][ T4121] refcount_warn_saturate+0x154/0x1f8 [ 75.281365][ T4121] kobject_put+0x19c/0x454 [ 75.282008][ T4121] put_device+0x28/0x40 [ 75.282624][ T4121] hdm_disconnect+0x16c/0x18c [ 75.283377][ T4121] usb_unbind_interface+0x1b8/0x750 [ 75.284140][ T4121] device_release_driver_internal+0x3fc/0x63c [ 75.285018][ T4121] device_release_driver+0x28/0x38 [ 75.285854][ T4121] bus_remove_device+0x294/0x388 [ 75.286691][ T4121] device_del+0x568/0x964 [ 75.287383][ T4121] usb_disable_device+0x33c/0x780 [ 75.288227][ T4121] usb_disconnect+0x290/0x7d0 [ 75.289034][ T4121] hub_event+0x1610/0x42c0 [ 75.289752][ T4121] process_one_work+0x79c/0x1140 [ 75.290548][ T4121] worker_thread+0x8f4/0x101c [ 75.291291][ T4121] kthread+0x374/0x454 [ 75.291967][ T4121] ret_from_fork+0x10/0x20 [ 75.292690][ T4121] irq event stamp: 87196 [ 75.293395][ T4121] hardirqs last enabled at (87195): [] kasan_quarantine_put+0xc4/0x204 [ 75.294840][ T4121] hardirqs last disabled at (87196): [] _raw_spin_lock_irqsave+0xfc/0x14c [ 75.296459][ T4121] softirqs last enabled at (86670): [] local_bh_enable+0x10/0x34 [ 75.297875][ T4121] softirqs last disabled at (86666): [] local_bh_disable+0x10/0x34 [ 75.299274][ T4121] ---[ end trace 0dbd6aa46a42c7c6 ]--- [ 75.914750][ T588] device hsr_slave_0 left promiscuous mode [ 75.950172][ T588] device hsr_slave_1 left promiscuous mode [ 75.989849][ T4148] usb 1-1: new high-speed USB device number 3 using dummy_hcd [ 76.049922][ T588] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 76.051130][ T588] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 76.052469][ T588] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 76.053606][ T588] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 76.054915][ T588] device bridge_slave_1 left promiscuous mode [ 76.055981][ T588] bridge0: port 2(bridge_slave_1) entered disabled state [ 76.090581][ T588] device bridge_slave_0 left promiscuous mode [ 76.091647][ T588] bridge0: port 1(bridge_slave_0) entered disabled state [ 76.239890][ T4148] usb 1-1: Using ep0 maxpacket: 32 [ 76.239927][ T588] device veth1_macvtap left promiscuous mode [ 76.241661][ T588] device veth0_macvtap left promiscuous mode [ 76.242572][ T588] device veth1_vlan left promiscuous mode [ 76.243571][ T588] device veth0_vlan left promiscuous mode [ 76.311950][ T588] team0 (unregistering): Port device team_slave_1 removed [ 76.315074][ T588] team0 (unregistering): Port device team_slave_0 removed [ 76.318115][ T588] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 76.343136][ T588] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 76.389932][ T4148] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 76.391337][ T4148] usb 1-1: config 0 has no interface number 0 [ 76.452191][ T588] bond0 (unregistering): Released all slaves [ 76.570010][ T4148] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 76.571486][ T4148] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 76.572840][ T4148] usb 1-1: Product: syz [ 76.573538][ T4148] usb 1-1: Manufacturer: syz [ 76.574245][ T4148] usb 1-1: SerialNumber: syz [ 76.576070][ T4148] usb 1-1: config 0 descriptor?? [ 76.650084][ T4121] Bluetooth: hci0: command 0x0419 tx timeout [ 76.820532][ T4148] usb 1-1: USB disconnect, device number 3 [ 77.599862][ T4148] usb 1-1: new high-speed USB device number 4 using dummy_hcd [ 77.839860][ T4148] usb 1-1: Using ep0 maxpacket: 32 [ 77.959864][ T4148] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 77.961185][ T4148] usb 1-1: config 0 has no interface number 0 [ 78.119877][ T4148] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 78.121409][ T4148] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 78.122709][ T4148] usb 1-1: Product: syz [ 78.123376][ T4148] usb 1-1: Manufacturer: syz [ 78.124057][ T4148] usb 1-1: SerialNumber: syz [ 78.125656][ T4148] usb 1-1: config 0 descriptor?? [ 78.360438][ T4951] usb 1-1: USB disconnect, device number 4 [ 79.130084][ T4148] usb 1-1: new high-speed USB device number 5 using dummy_hcd [ 79.389874][ T4148] usb 1-1: Using ep0 maxpacket: 32 [ 79.520225][ T4148] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 79.521638][ T4148] usb 1-1: config 0 has no interface number 0 [ 79.690225][ T4148] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 79.691754][ T4148] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 79.693034][ T4148] usb 1-1: Product: syz [ 79.693735][ T4148] usb 1-1: Manufacturer: syz [ 79.694426][ T4148] usb 1-1: SerialNumber: syz [ 79.696031][ T4148] usb 1-1: config 0 descriptor?? [ 79.930494][ T4089] usb 1-1: USB disconnect, device number 5 1970/01/01 00:01:20 executed programs: 6 [ 80.699845][ T4148] usb 1-1: new high-speed USB device number 6 using dummy_hcd [ 80.940197][ T4148] usb 1-1: Using ep0 maxpacket: 32 [ 81.059901][ T4148] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 81.061183][ T4148] usb 1-1: config 0 has no interface number 0 [ 81.219937][ T4148] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 81.221322][ T4148] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 81.222655][ T4148] usb 1-1: Product: syz [ 81.223413][ T4148] usb 1-1: Manufacturer: syz [ 81.224140][ T4148] usb 1-1: SerialNumber: syz [ 81.226142][ T4148] usb 1-1: config 0 descriptor?? [ 81.460785][ T4148] usb 1-1: USB disconnect, device number 6 [ 82.229846][ T4953] usb 1-1: new high-speed USB device number 7 using dummy_hcd [ 82.489864][ T4953] usb 1-1: Using ep0 maxpacket: 32 [ 82.619871][ T4953] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 82.621327][ T4953] usb 1-1: config 0 has no interface number 0 [ 82.780125][ T4953] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 82.781611][ T4953] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 82.782869][ T4953] usb 1-1: Product: syz [ 82.783543][ T4953] usb 1-1: Manufacturer: syz [ 82.784207][ T4953] usb 1-1: SerialNumber: syz [ 82.785914][ T4953] usb 1-1: config 0 descriptor?? [ 83.021368][ T4953] usb 1-1: USB disconnect, device number 7 [ 83.789857][ T4953] usb 1-1: new high-speed USB device number 8 using dummy_hcd [ 84.029842][ T4953] usb 1-1: Using ep0 maxpacket: 32 [ 84.149899][ T4953] usb 1-1: config 0 has an invalid interface number: 237 but max is 0 [ 84.151140][ T4953] usb 1-1: config 0 has no interface number 0 [ 84.309871][ T4953] usb 1-1: New USB device found, idVendor=0424, idProduct=cf19, bcdDevice=55.89 [ 84.311419][ T4953] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 84.312657][ T4953] usb 1-1: Product: syz [ 84.313251][ T4953] usb 1-1: Manufacturer: syz [ 84.313940][ T4953] usb 1-1: SerialNumber: syz [ 84.315845][ T4953] usb 1-1: config 0 descriptor?? [ 84.550471][ T4147] usb 1-1: USB disconnect, device number 8