last executing test programs: 2.18184572s ago: executing program 3 (id=4): syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) 1.883783407s ago: executing program 0 (id=1): r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x8, 0x2006, 0x118, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0xa0, 0xf, [{{0x9, 0x4, 0x0, 0x0, 0x4, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0xfffa, 0x8, 0x1, {0x22, 0x7}}, {{{0x9, 0x5, 0x81, 0x3, 0x3ff, 0xc9}}}}}]}}]}}, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, &(0x7f0000000040)={0x24, 0x0, 0x0, &(0x7f0000000000)={0x0, 0x22, 0x7, {[@main=@item_4={0x3, 0x0, 0xa, "bba899a3"}, @local=@item_012={0x1, 0x2, 0x7, "1c"}]}}, 0x0}, 0x0) 1.728241258s ago: executing program 2 (id=3): r0 = socket$inet_smc(0x2b, 0x1, 0x0) setsockopt$inet_tcp_buf(r0, 0x6, 0xd, &(0x7f00000008c0)='.', 0x1) listen(r0, 0x6) writev(r0, &(0x7f0000001180)=[{&(0x7f0000000080)="04", 0x1}], 0x1) 1.525459963s ago: executing program 2 (id=5): sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000300)=ANY=[@ANYBLOB="140000003b00010324bd7002fadbdf2501"], 0x14}}, 0x10) 1.52340909s ago: executing program 3 (id=6): socketpair$nbd(0x1, 0x1, 0x0, &(0x7f00000007c0)) openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000040), 0x20000, 0x0) openat$loop_ctrl(0xffffffffffffff9c, 0x0, 0x0, 0x0) openat2(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', &(0x7f0000000080)={0x420000, 0x82, 0x8}, 0x18) syz_genetlink_get_family_id$l2tp(&(0x7f0000000140), 0xffffffffffffffff) mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x2000000, 0x50, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0) r2 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ethtool(&(0x7f00000001c0), 0xffffffffffffffff) sendmsg$ETHTOOL_MSG_STRSET_GET(r2, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000580)={0x0, 0x28}, 0x1, 0x0, 0x0, 0x40080}, 0x4800) recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x2, 0xfffffe0000000001, 0xfa11, 0xfffffffb}, 0x0) fsetxattr$security_capability(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x1) r3 = syz_open_dev$I2C(&(0x7f0000000d80), 0x0, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF(0xffffffffffffffff, 0x84, 0x66, &(0x7f0000000440)={0x0, 0xc}, &(0x7f0000000480)=0x8) ioctl$EXT4_IOC_GET_ES_CACHE(r4, 0x40086602, 0x0) ioctl$I2C_SMBUS(r3, 0x720, &(0x7f0000000580)={0x1, 0x0, 0x7, 0x0}) keyctl$instantiate(0xc, 0x0, &(0x7f0000000100)=ANY=[@ANYBLOB='new default user:syz 0000096'], 0x2a, 0xfffffffffffffff9) add_key(&(0x7f0000000140)='encrypted\x00', &(0x7f0000000180), &(0x7f0000000100), 0xca, 0xfffffffffffffffe) add_key(&(0x7f0000000140)='encrypted\x00', &(0x7f0000000180), &(0x7f0000000100), 0xca, 0xfffffffffffffffe) write$USERIO_CMD_SEND_INTERRUPT(0xffffffffffffffff, 0x0, 0x0) ioctl$VIDIOC_S_EXT_CTRLS(0xffffffffffffffff, 0xc0205648, &(0x7f0000000100)={0x980000, 0x1, 0x0, 0xffffffffffffffff, 0x0, &(0x7f0000000080)={0x98f90b, 0x9, '\x00', @p_u16=&(0x7f0000000040)}}) socket$nl_netfilter(0x10, 0x3, 0xc) 1.3165938s ago: executing program 2 (id=7): r0 = socket$inet6_tcp(0xa, 0x1, 0x0) close(r0) r1 = socket$inet6_mptcp(0xa, 0x1, 0x106) bind$inet6(r0, &(0x7f00000000c0)={0xa, 0x4e22, 0x0, @empty, 0x4000006}, 0x1c) listen(r1, 0x6) r2 = socket$inet_mptcp(0x2, 0x1, 0x106) connect$inet(r2, &(0x7f0000000000)={0x2, 0x4e22, @local}, 0x10) r3 = accept(r0, 0x0, 0x0) sendmsg$TEAM_CMD_OPTIONS_SET(r3, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000080)=ANY=[], 0xfffffdef}}, 0x0) 841.297399ms ago: executing program 1 (id=9): bind$tipc(0xffffffffffffffff, &(0x7f00000000c0)=@name={0x1e, 0x2, 0x0, {{0x42, 0x3}}}, 0x10) ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101}) r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000780), r0) mount$tmpfs(0x0, 0x0, 0x0, 0x10a40a2, &(0x7f0000000040)=ANY=[@ANYBLOB="f4697a653d"]) sendmsg$NL80211_CMD_FRAME(r0, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000640)={&(0x7f0000000000)=ANY=[@ANYBLOB="88020000", @ANYRES16=r1, @ANYBLOB="010000000000000000003b00000008000300", @ANYRES32, @ANYBLOB="6102330050300100080211000001080211000000505050505050"], 0x288}, 0x1, 0x0, 0x0, 0x800}, 0x0) 572.412328ms ago: executing program 1 (id=10): openat$sndseq(0xffffffffffffff9c, 0x0, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) close(r0) r1 = socket$inet6_mptcp(0xa, 0x1, 0x106) bind$inet6(r0, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty, 0x1}, 0x1c) listen(r1, 0x0) r2 = socket$inet_mptcp(0x2, 0x1, 0x106) connect$inet(r2, &(0x7f0000000000)={0x2, 0x4e22, @empty}, 0x10) 407.069344ms ago: executing program 1 (id=11): sendmsg$netlink(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000280)=ANY=[@ANYBLOB="180100002e00010000000000ffdbdf250601f2090c00180008ac0f000000000014000a"], 0x118}], 0x1, 0x0, 0x0, 0x400c445}, 0x0) 374.676606ms ago: executing program 2 (id=12): creat(&(0x7f0000000400)='./bus\x00', 0x0) r0 = open(&(0x7f0000000100)='./bus\x00', 0x0, 0x0) finit_module(r0, 0x0, 0x0) 172.528439ms ago: executing program 3 (id=13): r0 = syz_usb_connect(0x0, 0x3f, &(0x7f00000000c0)=ANY=[@ANYBLOB="11010000733336088dee1adb23610000000109022d0001100000000904000003fe03010009cd8d1f000200000009050502000000001009058b1e20"], 0x0) syz_usb_control_io(r0, 0x0, &(0x7f0000000300)={0x84, &(0x7f0000000440)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r1 = syz_open_dev$char_usb(0xc, 0xb4, 0x0) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000040), 0x8002, 0x0) ioctl$FS_IOC_GETVERSION(r1, 0xc0145b0e, &(0x7f0000000040)) r2 = syz_open_dev$dri(0x0, 0x1, 0x0) ioctl$DRM_IOCTL_MODE_GETCRTC(r2, 0xc06864a1, 0x0) openat$binderfs(0xffffffffffffff9c, 0x0, 0x2, 0x0) epoll_create1(0x80000) 172.304988ms ago: executing program 2 (id=14): syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) 163.378637ms ago: executing program 1 (id=15): r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, 0x0, 0x10) 99.855277ms ago: executing program 1 (id=16): r0 = syz_open_dev$dri(&(0x7f0000000000), 0x1ff, 0x0) ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064b2, &(0x7f0000000200)={0x82e, 0x101, 0x4}) r1 = syz_open_dev$dri(&(0x7f0000000440), 0x1, 0x48240) ioctl$DRM_IOCTL_SET_CLIENT_CAP(r1, 0x4010640d, &(0x7f0000000000)={0x3, 0x2}) ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r1, 0xc01064b5, &(0x7f0000000040)={&(0x7f0000000100)=[0x0], 0x1}) ioctl$DRM_IOCTL_MODE_SETPLANE(r0, 0xc03064b7, &(0x7f0000000440)={r2, 0x0, 0x0, 0x1, 0x8, 0x8, 0x0, 0xf7b4, 0x1000, 0x7, 0x4d, 0x4}) ioctl$DRM_IOCTL_MODE_SETPLANE(r0, 0xc03064b7, &(0x7f0000000480)={r2, 0x0, 0x0, 0x6, 0x0, 0x8, 0x0, 0x8, 0xfffffff2, 0x7, 0x0, 0x9a9e}) ioctl$DRM_IOCTL_MODE_GETRESOURCES(0xffffffffffffffff, 0xc04064a0, &(0x7f0000000040)={0x0, &(0x7f00000002c0)=[0x0], 0x0, 0x0, 0xfffffd52, 0x1}) ioctl$DRM_IOCTL_MODE_CURSOR(r0, 0xc01c64a3, &(0x7f0000000280)={0x3, r3, 0x1, 0xffff, 0xa, 0x1ff, 0x1}) 0s ago: executing program 1 (id=17): mkdir(&(0x7f0000000400)='./file0\x00', 0x0) r0 = openat$fuse(0xffffffffffffff9c, &(0x7f00000000c0), 0x42, 0x0) mount$fuse(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000002100), 0x0, &(0x7f0000002140)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=r0, @ANYBLOB=',rootmode=0000000000000000040000,user_id=', @ANYRESDEC=0x0, @ANYBLOB=',group_id=', @ANYRESDEC=0x0]) mount$fuse(0x0, &(0x7f0000000280)='./file0\x00', 0x0, 0x100000, 0x0) r1 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901) open_tree(r1, &(0x7f0000000080)='.\x00', 0x9001) mount$fuse(0x0, &(0x7f0000000000)='./file0\x00', 0x0, 0x84000, 0x0) sendfile(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000000000)=0x2eb4, 0x2000007ff) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.1.194' (ED25519) to the list of known hosts. [ 74.326763][ T5813] cgroup: Unknown subsys name 'net' [ 74.481109][ T5813] cgroup: Unknown subsys name 'cpuset' [ 74.490569][ T5813] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 75.983659][ T5813] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 79.419580][ T52] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 79.427669][ T52] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 79.435329][ T52] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 79.446931][ T5839] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 79.458291][ T5840] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 79.460398][ T5837] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 79.466026][ T5840] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 79.474529][ T5839] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 79.481318][ T5840] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 79.487618][ T5837] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 79.494363][ T5840] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 79.501787][ T5837] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 79.509004][ T5840] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 79.515122][ T52] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 79.530275][ T52] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 79.533109][ T5841] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 79.538770][ T52] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 79.551615][ T5837] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 79.560104][ T5146] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 79.567607][ T52] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 79.914432][ T5822] chnl_net:caif_netlink_parms(): no params data found [ 80.044571][ T5822] bridge0: port 1(bridge_slave_0) entered blocking state [ 80.052459][ T5822] bridge0: port 1(bridge_slave_0) entered disabled state [ 80.060014][ T5822] bridge_slave_0: entered allmulticast mode [ 80.067172][ T5822] bridge_slave_0: entered promiscuous mode [ 80.106589][ T5822] bridge0: port 2(bridge_slave_1) entered blocking state [ 80.113834][ T5822] bridge0: port 2(bridge_slave_1) entered disabled state [ 80.121315][ T5822] bridge_slave_1: entered allmulticast mode [ 80.128718][ T5822] bridge_slave_1: entered promiscuous mode [ 80.256913][ T5822] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 80.274180][ T5822] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 80.313057][ T5823] chnl_net:caif_netlink_parms(): no params data found [ 80.323583][ T5824] chnl_net:caif_netlink_parms(): no params data found [ 80.378332][ T5822] team0: Port device team_slave_0 added [ 80.391803][ T5825] chnl_net:caif_netlink_parms(): no params data found [ 80.409480][ T5822] team0: Port device team_slave_1 added [ 80.499408][ T5822] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 80.506453][ T5822] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 80.532496][ T5822] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 80.565172][ T5822] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 80.572386][ T5822] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 80.598447][ T5822] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 80.625030][ T5823] bridge0: port 1(bridge_slave_0) entered blocking state [ 80.632273][ T5823] bridge0: port 1(bridge_slave_0) entered disabled state [ 80.640094][ T5823] bridge_slave_0: entered allmulticast mode [ 80.647138][ T5823] bridge_slave_0: entered promiscuous mode [ 80.676642][ T5823] bridge0: port 2(bridge_slave_1) entered blocking state [ 80.684013][ T5823] bridge0: port 2(bridge_slave_1) entered disabled state [ 80.691341][ T5823] bridge_slave_1: entered allmulticast mode [ 80.698791][ T5823] bridge_slave_1: entered promiscuous mode [ 80.717859][ T5824] bridge0: port 1(bridge_slave_0) entered blocking state [ 80.725223][ T5824] bridge0: port 1(bridge_slave_0) entered disabled state [ 80.732628][ T5824] bridge_slave_0: entered allmulticast mode [ 80.739677][ T5824] bridge_slave_0: entered promiscuous mode [ 80.784612][ T5823] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 80.794309][ T5824] bridge0: port 2(bridge_slave_1) entered blocking state [ 80.802052][ T5824] bridge0: port 2(bridge_slave_1) entered disabled state [ 80.809355][ T5824] bridge_slave_1: entered allmulticast mode [ 80.816374][ T5824] bridge_slave_1: entered promiscuous mode [ 80.823534][ T5825] bridge0: port 1(bridge_slave_0) entered blocking state [ 80.830940][ T5825] bridge0: port 1(bridge_slave_0) entered disabled state [ 80.838132][ T5825] bridge_slave_0: entered allmulticast mode [ 80.845147][ T5825] bridge_slave_0: entered promiscuous mode [ 80.865608][ T5823] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 80.886621][ T5825] bridge0: port 2(bridge_slave_1) entered blocking state [ 80.894010][ T5825] bridge0: port 2(bridge_slave_1) entered disabled state [ 80.901382][ T5825] bridge_slave_1: entered allmulticast mode [ 80.909025][ T5825] bridge_slave_1: entered promiscuous mode [ 80.966234][ T5822] hsr_slave_0: entered promiscuous mode [ 80.973077][ T5822] hsr_slave_1: entered promiscuous mode [ 80.992827][ T5824] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 81.015870][ T5823] team0: Port device team_slave_0 added [ 81.023936][ T5824] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 81.035676][ T5825] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 81.048225][ T5825] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 81.059766][ T5823] team0: Port device team_slave_1 added [ 81.145270][ T5824] team0: Port device team_slave_0 added [ 81.164336][ T5825] team0: Port device team_slave_0 added [ 81.171092][ T5823] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 81.178314][ T5823] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 81.204721][ T5823] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 81.218931][ T5824] team0: Port device team_slave_1 added [ 81.231840][ T5825] team0: Port device team_slave_1 added [ 81.238349][ T5823] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 81.245294][ T5823] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 81.271800][ T5823] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 81.345126][ T5824] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 81.352366][ T5824] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 81.378649][ T5824] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 81.395519][ T5825] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 81.402870][ T5825] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 81.429270][ T5825] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 81.441944][ T5824] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 81.449254][ T5824] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 81.475973][ T5824] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 81.515716][ T5825] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 81.522699][ T5825] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 81.548697][ T5825] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 81.618637][ T5823] hsr_slave_0: entered promiscuous mode [ 81.625051][ T5823] hsr_slave_1: entered promiscuous mode [ 81.631147][ T52] Bluetooth: hci0: command tx timeout [ 81.631327][ T52] Bluetooth: hci3: command tx timeout [ 81.637088][ T5838] Bluetooth: hci2: command tx timeout [ 81.644846][ T52] Bluetooth: hci1: command tx timeout [ 81.649013][ T5823] debugfs: 'hsr0' already exists in 'hsr' [ 81.658983][ T5823] Cannot create hsr debugfs directory [ 81.748086][ T5824] hsr_slave_0: entered promiscuous mode [ 81.754577][ T5824] hsr_slave_1: entered promiscuous mode [ 81.760998][ T5824] debugfs: 'hsr0' already exists in 'hsr' [ 81.766752][ T5824] Cannot create hsr debugfs directory [ 81.776757][ T5825] hsr_slave_0: entered promiscuous mode [ 81.783426][ T5825] hsr_slave_1: entered promiscuous mode [ 81.790228][ T5825] debugfs: 'hsr0' already exists in 'hsr' [ 81.795974][ T5825] Cannot create hsr debugfs directory [ 82.069833][ T5822] netdevsim netdevsim3 netdevsim0: renamed from eth0 [ 82.101823][ T5822] netdevsim netdevsim3 netdevsim1: renamed from eth1 [ 82.141962][ T5822] netdevsim netdevsim3 netdevsim2: renamed from eth2 [ 82.171369][ T5822] netdevsim netdevsim3 netdevsim3: renamed from eth3 [ 82.291106][ T5823] netdevsim netdevsim2 netdevsim0: renamed from eth0 [ 82.305182][ T5823] netdevsim netdevsim2 netdevsim1: renamed from eth1 [ 82.315808][ T5823] netdevsim netdevsim2 netdevsim2: renamed from eth2 [ 82.329925][ T5823] netdevsim netdevsim2 netdevsim3: renamed from eth3 [ 82.437498][ T5825] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 82.452734][ T5825] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 82.463568][ T5825] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 82.474751][ T5825] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 82.616909][ T5824] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 82.632002][ T5824] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 82.647770][ T5824] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 82.660138][ T5824] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 82.695470][ T5822] 8021q: adding VLAN 0 to HW filter on device bond0 [ 82.746840][ T5822] 8021q: adding VLAN 0 to HW filter on device team0 [ 82.771116][ T12] bridge0: port 1(bridge_slave_0) entered blocking state [ 82.778521][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state [ 82.806687][ T12] bridge0: port 2(bridge_slave_1) entered blocking state [ 82.814236][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state [ 82.853002][ T5823] 8021q: adding VLAN 0 to HW filter on device bond0 [ 82.882508][ T5825] 8021q: adding VLAN 0 to HW filter on device bond0 [ 82.915086][ T5823] 8021q: adding VLAN 0 to HW filter on device team0 [ 82.937372][ T5825] 8021q: adding VLAN 0 to HW filter on device team0 [ 82.962218][ T3558] bridge0: port 1(bridge_slave_0) entered blocking state [ 82.969382][ T3558] bridge0: port 1(bridge_slave_0) entered forwarding state [ 82.986060][ T3558] bridge0: port 1(bridge_slave_0) entered blocking state [ 82.993237][ T3558] bridge0: port 1(bridge_slave_0) entered forwarding state [ 83.010501][ T3558] bridge0: port 2(bridge_slave_1) entered blocking state [ 83.017737][ T3558] bridge0: port 2(bridge_slave_1) entered forwarding state [ 83.036864][ T3558] bridge0: port 2(bridge_slave_1) entered blocking state [ 83.043986][ T3558] bridge0: port 2(bridge_slave_1) entered forwarding state [ 83.089726][ T5824] 8021q: adding VLAN 0 to HW filter on device bond0 [ 83.181067][ T5824] 8021q: adding VLAN 0 to HW filter on device team0 [ 83.211469][ T1159] bridge0: port 1(bridge_slave_0) entered blocking state [ 83.218685][ T1159] bridge0: port 1(bridge_slave_0) entered forwarding state [ 83.275710][ T3558] bridge0: port 2(bridge_slave_1) entered blocking state [ 83.282897][ T3558] bridge0: port 2(bridge_slave_1) entered forwarding state [ 83.394875][ T5822] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 83.556772][ T5825] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 83.573848][ T5822] veth0_vlan: entered promiscuous mode [ 83.625536][ T5822] veth1_vlan: entered promiscuous mode [ 83.651727][ T5823] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 83.687728][ T5825] veth0_vlan: entered promiscuous mode [ 83.714724][ T52] Bluetooth: hci2: command tx timeout [ 83.714771][ T5832] Bluetooth: hci1: command tx timeout [ 83.720958][ T52] Bluetooth: hci0: command tx timeout [ 83.725713][ T5838] Bluetooth: hci3: command tx timeout [ 83.747064][ T5822] veth0_macvtap: entered promiscuous mode [ 83.756641][ T5825] veth1_vlan: entered promiscuous mode [ 83.774020][ T5822] veth1_macvtap: entered promiscuous mode [ 83.821714][ T5823] veth0_vlan: entered promiscuous mode [ 83.839763][ T5822] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 83.852172][ T5822] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 83.872168][ T5824] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 83.883365][ T5823] veth1_vlan: entered promiscuous mode [ 83.905075][ T5825] veth0_macvtap: entered promiscuous mode [ 83.913297][ T4380] netdevsim netdevsim3 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 83.922990][ T4380] netdevsim netdevsim3 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 83.937718][ T4380] netdevsim netdevsim3 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 83.947253][ T4380] netdevsim netdevsim3 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 83.960954][ T5825] veth1_macvtap: entered promiscuous mode [ 84.027439][ T5825] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 84.064152][ T5823] veth0_macvtap: entered promiscuous mode [ 84.083388][ T5825] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 84.120961][ T5823] veth1_macvtap: entered promiscuous mode [ 84.128580][ T1000] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 84.138894][ T5824] veth0_vlan: entered promiscuous mode [ 84.143066][ T12] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 84.153413][ T5824] veth1_vlan: entered promiscuous mode [ 84.162558][ T1000] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 84.162759][ T12] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 84.185070][ T1000] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 84.220437][ T1000] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 84.243222][ T1000] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 84.251312][ T1000] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 84.264053][ T5823] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 84.294357][ T5823] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 84.331991][ T76] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 84.343854][ T76] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 84.353939][ T5822] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 84.357227][ T76] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 84.382105][ T76] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 84.449395][ T1159] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 84.457303][ T1159] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 84.490241][ T5824] veth0_macvtap: entered promiscuous mode [ 84.527555][ T5824] veth1_macvtap: entered promiscuous mode [ 84.560236][ T1159] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 84.571104][ T1159] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 84.579973][ T5824] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 84.619545][ T5824] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 84.638795][ T76] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 84.644863][ T1000] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 84.646643][ T76] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 84.682102][ T1000] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 84.692286][ T1000] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 84.713124][ T1000] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 84.792195][ T3558] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 84.801819][ T3558] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 84.857176][ T1000] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 84.886351][ T1000] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 84.954320][ T76] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 84.964020][ T76] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 85.008130][ T10] usb 1-1: new full-speed USB device number 2 using dummy_hcd [ 85.192828][ T10] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid maxpacket 1023, setting to 64 [ 85.229269][ T10] usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 4 [ 85.316060][ T5940] trusted_key: encrypted_key: keyword 'new' not allowed when called from .update method [ 85.328507][ T0] NOHZ tick-stop error: local softirq work is pending, handler #200!!! [ 85.405058][ T0] NOHZ tick-stop error: local softirq work is pending, handler #140!!! [ 85.413937][ T0] NOHZ tick-stop error: local softirq work is pending, handler #40!!! [ 85.507813][ T0] NOHZ tick-stop error: local softirq work is pending, handler #40!!! [ 85.571390][ T10] usb 1-1: New USB device found, idVendor=2006, idProduct=0118, bcdDevice= 0.00 [ 85.580993][ T10] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 85.603380][ T10] usb 1-1: config 0 descriptor?? [ 85.621663][ T5923] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22 [ 85.638973][ T0] NOHZ tick-stop error: local softirq work is pending, handler #100!!! [ 85.799095][ T0] NOHZ tick-stop error: local softirq work is pending, handler #200!!! [ 85.807687][ T0] NOHZ tick-stop error: local softirq work is pending, handler #200!!! [ 85.829060][ T5832] Bluetooth: hci2: command tx timeout [ 85.829083][ T5837] Bluetooth: hci0: command tx timeout [ 85.834487][ T5146] Bluetooth: hci1: command tx timeout [ 85.834618][ T52] Bluetooth: hci3: command tx timeout [ 85.943909][ T5944] netlink: 8 bytes leftover after parsing attributes in process `syz.1.9'. [ 86.115491][ T10] hkems 0003:2006:0118.0001: unbalanced collection at end of report description [ 86.166763][ T10] hkems 0003:2006:0118.0001: parse failed [ 86.173000][ T10] hkems 0003:2006:0118.0001: probe with driver hkems failed with error -22 [ 86.343378][ T10] usb 1-1: USB disconnect, device number 2 [ 86.595417][ T5838] ================================================================== [ 86.603532][ T5838] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2b0 [ 86.611004][ T5838] Write of size 4 at addr ffff88807d51c010 by task kworker/u9:5/5838 [ 86.619077][ T5838] [ 86.621425][ T5838] CPU: 0 UID: 0 PID: 5838 Comm: kworker/u9:5 Not tainted syzkaller #0 PREEMPT(full) [ 86.621446][ T5838] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 86.621459][ T5838] Workqueue: hci0 hci_cmd_sync_work [ 86.621496][ T5838] Call Trace: [ 86.621503][ T5838] [ 86.621510][ T5838] dump_stack_lvl+0x189/0x250 [ 86.621529][ T5838] ? __virt_addr_valid+0x1c8/0x5c0 [ 86.621548][ T5838] ? rcu_is_watching+0x15/0xb0 [ 86.621566][ T5838] ? __pfx_dump_stack_lvl+0x10/0x10 [ 86.621581][ T5838] ? rcu_is_watching+0x15/0xb0 [ 86.621598][ T5838] ? lock_release+0x4b/0x3b0 [ 86.621621][ T5838] ? _raw_spin_lock_irqsave+0xb3/0xf0 [ 86.621647][ T5838] ? __virt_addr_valid+0x1c8/0x5c0 [ 86.621665][ T5838] ? __virt_addr_valid+0x4a5/0x5c0 [ 86.621685][ T5838] print_report+0xca/0x240 [ 86.621709][ T5838] ? hci_conn_drop+0x34/0x2b0 [ 86.621725][ T5838] kasan_report+0x118/0x150 [ 86.621740][ T5838] ? hci_conn_valid+0x21/0x230 [ 86.621757][ T5838] ? hci_conn_drop+0x34/0x2b0 [ 86.621777][ T5838] kasan_check_range+0x2b0/0x2c0 [ 86.621795][ T5838] hci_conn_drop+0x34/0x2b0 [ 86.621811][ T5838] ? __pfx_le_read_features_complete+0x10/0x10 [ 86.621836][ T5838] hci_cmd_sync_work+0x262/0x400 [ 86.621864][ T5838] ? process_one_work+0x868/0x15a0 [ 86.621887][ T5838] process_one_work+0x93a/0x15a0 [ 86.621920][ T5838] ? __pfx_process_one_work+0x10/0x10 [ 86.621946][ T5838] ? assign_work+0x3a1/0x410 [ 86.621972][ T5838] worker_thread+0x9b0/0xee0 [ 86.622008][ T5838] kthread+0x711/0x8a0 [ 86.622028][ T5838] ? __pfx_worker_thread+0x10/0x10 [ 86.622053][ T5838] ? __pfx_kthread+0x10/0x10 [ 86.622072][ T5838] ? _raw_spin_unlock_irq+0x23/0x50 [ 86.622094][ T5838] ? lockdep_hardirqs_on+0x98/0x140 [ 86.622118][ T5838] ? __pfx_kthread+0x10/0x10 [ 86.622136][ T5838] ret_from_fork+0x599/0xb30 [ 86.622162][ T5838] ? __pfx_ret_from_fork+0x10/0x10 [ 86.622189][ T5838] ? __switch_to_asm+0x39/0x70 [ 86.622208][ T5838] ? __switch_to_asm+0x33/0x70 [ 86.622226][ T5838] ? __pfx_kthread+0x10/0x10 [ 86.622244][ T5838] ret_from_fork_asm+0x1a/0x30 [ 86.622270][ T5838] [ 86.622276][ T5838] [ 86.827954][ T5838] Allocated by task 5838: [ 86.832277][ T5838] kasan_save_track+0x3e/0x80 [ 86.836962][ T5838] __kasan_kmalloc+0x93/0xb0 [ 86.841553][ T5838] __kmalloc_cache_noprof+0x3e2/0x700 [ 86.846940][ T5838] __hci_conn_add+0x3c5/0x1b30 [ 86.851715][ T5838] le_conn_complete_evt+0x6f6/0x1420 [ 86.856999][ T5838] hci_le_enh_conn_complete_evt+0x189/0x4a0 [ 86.862889][ T5838] hci_event_packet+0x78f/0x1260 [ 86.867829][ T5838] hci_rx_work+0x3ee/0x1060 [ 86.872331][ T5838] process_one_work+0x93a/0x15a0 [ 86.877269][ T5838] worker_thread+0x9b0/0xee0 [ 86.881862][ T5838] kthread+0x711/0x8a0 [ 86.885924][ T5838] ret_from_fork+0x599/0xb30 [ 86.890513][ T5838] ret_from_fork_asm+0x1a/0x30 [ 86.895270][ T5838] [ 86.897592][ T5838] Freed by task 52: [ 86.901390][ T5838] kasan_save_track+0x3e/0x80 [ 86.906076][ T5838] kasan_save_free_info+0x46/0x50 [ 86.911101][ T5838] __kasan_slab_free+0x5c/0x80 [ 86.915863][ T5838] kfree+0x1c0/0x660 [ 86.919753][ T5838] device_release+0x9e/0x1d0 [ 86.924352][ T5838] kobject_put+0x228/0x570 [ 86.928788][ T5838] hci_conn_del+0xc36/0x1240 [ 86.933421][ T5838] hci_disconn_complete_evt+0x64e/0x950 [ 86.938971][ T5838] hci_event_packet+0x7e3/0x1260 [ 86.943907][ T5838] hci_rx_work+0x3ee/0x1060 [ 86.948414][ T5838] process_one_work+0x93a/0x15a0 [ 86.953364][ T5838] worker_thread+0x9b0/0xee0 [ 86.957957][ T5838] kthread+0x711/0x8a0 [ 86.962026][ T5838] ret_from_fork+0x599/0xb30 [ 86.966610][ T5838] ret_from_fork_asm+0x1a/0x30 [ 86.971365][ T5838] [ 86.973683][ T5838] The buggy address belongs to the object at ffff88807d51c000 [ 86.973683][ T5838] which belongs to the cache kmalloc-8k of size 8192 [ 86.987723][ T5838] The buggy address is located 16 bytes inside of [ 86.987723][ T5838] freed 8192-byte region [ffff88807d51c000, ffff88807d51e000) [ 87.001510][ T5838] [ 87.003832][ T5838] The buggy address belongs to the physical page: [ 87.010245][ T5838] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7d518 [ 87.019006][ T5838] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 87.027495][ T5838] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 87.035037][ T5838] page_type: f5(slab) [ 87.039012][ T5838] raw: 00fff00000000040 ffff88813fe27280 dead000000000122 0000000000000000 [ 87.047588][ T5838] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 [ 87.056166][ T5838] head: 00fff00000000040 ffff88813fe27280 dead000000000122 0000000000000000 [ 87.064828][ T5838] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 [ 87.073488][ T5838] head: 00fff00000000003 ffffea0001f54601 00000000ffffffff 00000000ffffffff [ 87.082153][ T5838] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 87.090825][ T5838] page dumped because: kasan: bad access detected [ 87.097251][ T5838] page_owner tracks the page as allocated [ 87.102953][ T5838] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x528c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NORETRY|__GFP_COMP), pid 5824, tgid 5824 (syz-executor), ts 83005194087, free_ts 82953103982 [ 87.122656][ T5838] post_alloc_hook+0x234/0x290 [ 87.127422][ T5838] get_page_from_freelist+0x2365/0x2440 [ 87.132972][ T5838] __alloc_frozen_pages_noprof+0x181/0x370 [ 87.138778][ T5838] alloc_pages_mpol+0x232/0x4a0 [ 87.143618][ T5838] allocate_slab+0x86/0x3b0 [ 87.148119][ T5838] ___slab_alloc+0xf2b/0x1960 [ 87.152805][ T5838] __slab_alloc+0x65/0x100 [ 87.157234][ T5838] __kvmalloc_node_noprof+0x6b6/0x920 [ 87.162607][ T5838] pfifo_fast_init+0x372/0x6c0 [ 87.167385][ T5838] qdisc_create_dflt+0x13b/0x4c0 [ 87.172340][ T5838] dev_activate+0x378/0x1150 [ 87.176933][ T5838] __dev_open+0x647/0x800 [ 87.181266][ T5838] __dev_change_flags+0x1f7/0x680 [ 87.186285][ T5838] netif_change_flags+0x88/0x1a0 [ 87.191217][ T5838] do_setlink+0xc55/0x41c0 [ 87.195626][ T5838] rtnl_newlink+0x161c/0x1c90 [ 87.200310][ T5838] page last free pid 5824 tgid 5824 stack trace: [ 87.206633][ T5838] __free_frozen_pages+0xbc8/0xd30 [ 87.211816][ T5838] __slab_free+0x21b/0x2a0 [ 87.216226][ T5838] qlist_free_all+0x97/0x100 [ 87.220815][ T5838] kasan_quarantine_reduce+0x148/0x160 [ 87.226303][ T5838] __kasan_slab_alloc+0x22/0x80 [ 87.231155][ T5838] kmem_cache_alloc_node_noprof+0x43c/0x720 [ 87.237041][ T5838] __alloc_skb+0x255/0x430 [ 87.241473][ T5838] netlink_sendmsg+0x5c6/0xb30 [ 87.246230][ T5838] sock_sendmsg_nosec+0x18f/0x1d0 [ 87.251248][ T5838] __sys_sendto+0x3ce/0x540 [ 87.255755][ T5838] __x64_sys_sendto+0xde/0x100 [ 87.260522][ T5838] do_syscall_64+0xfa/0xf80 [ 87.265039][ T5838] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.270941][ T5838] [ 87.273264][ T5838] Memory state around the buggy address: [ 87.278888][ T5838] ffff88807d51bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 87.286957][ T5838] ffff88807d51bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 87.295025][ T5838] >ffff88807d51c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 87.303079][ T5838] ^ [ 87.307664][ T5838] ffff88807d51c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 87.315717][ T5838] ffff88807d51c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 87.323763][ T5838] ================================================================== [ 87.348378][ T5838] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 87.355693][ T5838] CPU: 0 UID: 0 PID: 5838 Comm: kworker/u9:5 Not tainted syzkaller #0 PREEMPT(full) [ 87.365156][ T5838] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 87.375219][ T5838] Workqueue: hci0 hci_cmd_sync_work [ 87.380449][ T5838] Call Trace: [ 87.383740][ T5838] [ 87.386706][ T5838] dump_stack_lvl+0x99/0x250 [ 87.391341][ T5838] ? __asan_memcpy+0x40/0x70 [ 87.395951][ T5838] ? __pfx_dump_stack_lvl+0x10/0x10 [ 87.401157][ T5838] ? __pfx__printk+0x10/0x10 [ 87.405762][ T5838] vpanic+0x237/0x6d0 [ 87.409762][ T5838] ? __pfx_vpanic+0x10/0x10 [ 87.414283][ T5838] ? preempt_schedule+0xae/0xc0 [ 87.419131][ T5838] ? __pfx_preempt_schedule+0x10/0x10 [ 87.424510][ T5838] panic+0xb9/0xc0 [ 87.428254][ T5838] ? __pfx_panic+0x10/0x10 [ 87.432680][ T5838] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 87.438573][ T5838] ? is_module_address+0x17/0xf0 [ 87.443523][ T5838] ? hci_conn_drop+0x34/0x2b0 [ 87.448192][ T5838] check_panic_on_warn+0x89/0xb0 [ 87.453128][ T5838] ? hci_conn_drop+0x34/0x2b0 [ 87.457809][ T5838] end_report+0x6f/0x140 [ 87.462053][ T5838] kasan_report+0x129/0x150 [ 87.466558][ T5838] ? hci_conn_valid+0x21/0x230 [ 87.471310][ T5838] ? hci_conn_drop+0x34/0x2b0 [ 87.475981][ T5838] kasan_check_range+0x2b0/0x2c0 [ 87.480916][ T5838] hci_conn_drop+0x34/0x2b0 [ 87.485421][ T5838] ? __pfx_le_read_features_complete+0x10/0x10 [ 87.491570][ T5838] hci_cmd_sync_work+0x262/0x400 [ 87.496514][ T5838] ? process_one_work+0x868/0x15a0 [ 87.501618][ T5838] process_one_work+0x93a/0x15a0 [ 87.506563][ T5838] ? __pfx_process_one_work+0x10/0x10 [ 87.511941][ T5838] ? assign_work+0x3a1/0x410 [ 87.516548][ T5838] worker_thread+0x9b0/0xee0 [ 87.521143][ T5838] kthread+0x711/0x8a0 [ 87.525206][ T5838] ? __pfx_worker_thread+0x10/0x10 [ 87.530317][ T5838] ? __pfx_kthread+0x10/0x10 [ 87.534897][ T5838] ? _raw_spin_unlock_irq+0x23/0x50 [ 87.540091][ T5838] ? lockdep_hardirqs_on+0x98/0x140 [ 87.545293][ T5838] ? __pfx_kthread+0x10/0x10 [ 87.549878][ T5838] ret_from_fork+0x599/0xb30 [ 87.554466][ T5838] ? __pfx_ret_from_fork+0x10/0x10 [ 87.559586][ T5838] ? __switch_to_asm+0x39/0x70 [ 87.564342][ T5838] ? __switch_to_asm+0x33/0x70 [ 87.569097][ T5838] ? __pfx_kthread+0x10/0x10 [ 87.573699][ T5838] ret_from_fork_asm+0x1a/0x30 [ 87.578471][ T5838] [ 87.581882][ T5838] Kernel Offset: disabled [ 87.586208][ T5838] Rebooting in 86400 seconds..