forked to background, child pid 3188
no interfaces have a carri[ 23.581498][ T3189] 8021q: adding VLAN 0 to HW filter on device bond0
er
[ 23.593959][ T3189] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
syzkaller login: [ 76.299495][ T14] cfg80211: failed to load regulatory.db
Warning: Permanently added '10.128.1.113' (ECDSA) to the list of known hosts.
[ 472.407586][ T3638] cgroup: Unknown subsys name 'net'
[ 472.533646][ T3638] cgroup: Unknown subsys name 'rlimit'
[ 472.675611][ T3640] chnl_net:caif_netlink_parms(): no params data found
[ 472.706443][ T3640] bridge0: port 1(bridge_slave_0) entered blocking state
[ 472.713900][ T3640] bridge0: port 1(bridge_slave_0) entered disabled state
[ 472.721516][ T3640] device bridge_slave_0 entered promiscuous mode
[ 472.729988][ T3640] bridge0: port 2(bridge_slave_1) entered blocking state
[ 472.737082][ T3640] bridge0: port 2(bridge_slave_1) entered disabled state
[ 472.744871][ T3640] device bridge_slave_1 entered promiscuous mode
[ 472.760580][ T3640] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 472.771209][ T3640] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 472.789458][ T3640] team0: Port device team_slave_0 added
[ 472.796108][ T3640] team0: Port device team_slave_1 added
[ 472.809989][ T3640] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 472.816942][ T3640] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 472.842975][ T3640] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 472.854473][ T3640] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 472.861459][ T3640] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 472.887445][ T3640] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 472.909210][ T3640] device hsr_slave_0 entered promiscuous mode
[ 472.915619][ T3640] device hsr_slave_1 entered promiscuous mode
[ 472.970432][ T3640] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 472.978846][ T3640] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 472.987124][ T3640] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 472.995451][ T3640] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 473.010665][ T3640] bridge0: port 2(bridge_slave_1) entered blocking state
[ 473.017715][ T3640] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 473.025001][ T3640] bridge0: port 1(bridge_slave_0) entered blocking state
[ 473.032065][ T3640] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 473.061816][ T3640] 8021q: adding VLAN 0 to HW filter on device bond0
[ 473.072800][ T3639] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 473.081441][ T3639] bridge0: port 1(bridge_slave_0) entered disabled state
[ 473.088967][ T3639] bridge0: port 2(bridge_slave_1) entered disabled state
[ 473.097009][ T3639] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 473.107199][ T3640] 8021q: adding VLAN 0 to HW filter on device team0
[ 473.116785][ T3647] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 473.125080][ T3647] bridge0: port 1(bridge_slave_0) entered blocking state
[ 473.132153][ T3647] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 473.149821][ T3647] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 473.158081][ T3647] bridge0: port 2(bridge_slave_1) entered blocking state
[ 473.165162][ T3647] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 473.173073][ T3647] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 473.181679][ T3647] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 473.193281][ T2938] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 473.201040][ T2938] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 473.211764][ T3639] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 473.222250][ T3640] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 473.235126][ T2938] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 473.242866][ T2938] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 473.252746][ T3640] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 473.348644][ T3640] device veth0_vlan entered promiscuous mode
[ 473.355480][ T3647] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 473.364370][ T3647] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 473.372782][ T3647] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 473.380891][ T3647] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 473.391339][ T3640] device veth1_vlan entered promiscuous mode
[ 473.406139][ T3640] device veth0_macvtap entered promiscuous mode
[ 473.413906][ T2938] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 473.421982][ T2938] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 473.430122][ T2938] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 473.438332][ T2938] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 473.447972][ T3640] device veth1_macvtap entered promiscuous mode
[ 473.461209][ T3640] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 473.468451][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 473.480348][ T3640] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 473.487784][ T2938] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 473.497501][ T3640] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
executing program
[ 473.506809][ T3640] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 473.515697][ T3640] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 473.525039][ T3640] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
executing program
executing program
executing program
executing program
[ 473.695192][ T48] Bluetooth: hci0: sending frame failed (-49)
[ 473.701469][ T3659] Bluetooth: hci0: Opcode 0x1003 failed: -49
executing program
[ 475.819270][ T3647] Bluetooth: hci0: command 0x1003 tx timeout
[ 475.829226][ T3659] Bluetooth: hci0: Opcode 0x1003 failed: -110
executing program
[ 477.899124][ T3647] Bluetooth: hci0: command 0x1003 tx timeout
[ 477.909415][ T3659] Bluetooth: hci0: Opcode 0x1003 failed: -110
executing program
[ 479.979059][ T3659] Bluetooth: hci0: Opcode 0x1003 failed: -110
[ 479.979701][ T3647] Bluetooth: hci0: command 0x1003 tx timeout
executing program
[ 482.059081][ T3659] Bluetooth: hci0: Opcode 0x1003 failed: -110
[ 482.059446][ T3647] Bluetooth: hci0: command 0x1003 tx timeout
executing program
[ 484.139078][ T3659] Bluetooth: hci0: Opcode 0x1003 failed: -110
[ 484.139370][ T3647] Bluetooth: hci0: command 0x1003 tx timeout
executing program
executing program
[ 486.219058][ T3659] Bluetooth: hci0: Opcode 0x1003 failed: -110
[ 486.225193][ T3647] Bluetooth: hci0: command 0x1003 tx timeout
[ 486.239792][ T48] Bluetooth: hci0: sending frame failed (-49)
[ 486.245926][ T3659] Bluetooth: hci0: Opcode 0x1003 failed: -49
executing program
[ 488.299100][ T3647] Bluetooth: hci0: command 0x1003 tx timeout
[ 488.309036][ T3659] Bluetooth: hci0: Opcode 0x1003 failed: -110
executing program
executing program
[ 490.379094][ T3659] Bluetooth: hci0: Opcode 0x1003 failed: -110
[ 490.385255][ T3647] Bluetooth: hci0: command tx timeout
[ 490.400602][ T48] Bluetooth: hci0: sending frame failed (-49)
[ 490.406741][ T3659] Bluetooth: hci0: Opcode 0x1003 failed: -49
executing program
[ 492.459070][ T3639] Bluetooth: hci0: command 0x1003 tx timeout
[ 492.459123][ T3659] Bluetooth: hci0: Opcode 0x1003 failed: -110
executing program
[ 494.539139][ T26] Bluetooth: hci0: command 0x1003 tx timeout
[ 494.539136][ T3659] Bluetooth: hci0: Opcode 0x1003 failed: -110
executing program
[ 496.619086][ T26] Bluetooth: hci0: command 0x1003 tx timeout
[ 496.619084][ T3659] Bluetooth: hci0: Opcode 0x1003 failed: -110
[ 496.638245][ T48] Bluetooth: hci0: sending frame failed (-49)
[ 496.644415][ T3659] Bluetooth: hci0: Opcode 0x1003 failed: -49
executing program
[ 498.779086][ T3659] Bluetooth: hci0: Opcode 0x1003 failed: -110
[ 498.785226][ T3647] ==================================================================
[ 498.793295][ T3647] BUG: KASAN: use-after-free in hci_cmd_timeout+0x24b/0x250
[ 498.800648][ T3647] Read of size 2 at addr ffff88801cbf5808 by task kworker/0:2/3647
[ 498.808548][ T3647]
[ 498.810899][ T3647] CPU: 0 PID: 3647 Comm: kworker/0:2 Not tainted 6.0.0-rc2-next-20220824-syzkaller #0
[ 498.820453][ T3647] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[ 498.830509][ T3647] Workqueue: events hci_cmd_timeout
[ 498.835719][ T3647] Call Trace:
[ 498.839008][ T3647]
[ 498.841937][ T3647] dump_stack_lvl+0xcd/0x134
[ 498.846607][ T3647] print_report.cold+0x2ba/0x719
[ 498.851563][ T3647] ? hci_cmd_timeout+0x24b/0x250
[ 498.856511][ T3647] kasan_report+0xb1/0x1e0
[ 498.860964][ T3647] ? calibrate_delay+0x1120/0x1120
[ 498.866089][ T3647] ? hci_cmd_timeout+0x24b/0x250
[ 498.871034][ T3647] hci_cmd_timeout+0x24b/0x250
[ 498.875804][ T3647] process_one_work+0x991/0x1610
[ 498.880763][ T3647] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 498.886149][ T3647] ? rwlock_bug.part.0+0x90/0x90
[ 498.891095][ T3647] worker_thread+0x665/0x1080
[ 498.895794][ T3647] ? __kthread_parkme+0x15f/0x220
[ 498.900830][ T3647] ? process_one_work+0x1610/0x1610
[ 498.906039][ T3647] kthread+0x2e4/0x3a0
[ 498.910119][ T3647] ? kthread_complete_and_exit+0x40/0x40
[ 498.915780][ T3647] ret_from_fork+0x1f/0x30
[ 498.920233][ T3647]
[ 498.923250][ T3647]
[ 498.925565][ T3647] Allocated by task 3659:
[ 498.929893][ T3647] kasan_save_stack+0x1e/0x40
[ 498.934596][ T3647] __kasan_kmalloc+0xa9/0xd0
[ 498.939199][ T3647] __kmalloc_node_track_caller+0x55/0xc0
[ 498.944843][ T3647] __alloc_skb+0xd9/0x2f0
[ 498.949218][ T3647] __hci_cmd_sync_sk+0x568/0xe20
[ 498.954255][ T3647] hci_read_local_features_sync+0xca/0x1e0
[ 498.960077][ T3647] hci_dev_open_sync+0x177b/0x2190
[ 498.965204][ T3647] hci_dev_do_open+0x2d/0x70
[ 498.969813][ T3647] hci_power_on+0xda/0x620
[ 498.974242][ T3647] process_one_work+0x991/0x1610
[ 498.979206][ T3647] worker_thread+0x665/0x1080
[ 498.983906][ T3647] kthread+0x2e4/0x3a0
[ 498.987990][ T3647] ret_from_fork+0x1f/0x30
[ 498.992427][ T3647]
[ 498.994746][ T3647] Freed by task 3659:
[ 498.998719][ T3647] kasan_save_stack+0x1e/0x40
[ 499.003411][ T3647] kasan_set_track+0x21/0x30
[ 499.008006][ T3647] kasan_set_free_info+0x20/0x30
[ 499.012970][ T3647] ____kasan_slab_free+0x166/0x1c0
[ 499.018089][ T3647] slab_free_freelist_hook+0x8b/0x1c0
[ 499.023463][ T3647] __kmem_cache_free+0xab/0x3b0
[ 499.028316][ T3647] skb_free_head+0xac/0x110
[ 499.032817][ T3647] skb_release_data+0x5f1/0x870
[ 499.037670][ T3647] kfree_skb_reason.part.0+0xdd/0x320
[ 499.043061][ T3647] kfree_skb_reason+0x85/0x110
[ 499.047847][ T3647] hci_dev_open_sync+0xbe2/0x2190
[ 499.052896][ T3647] hci_dev_do_open+0x2d/0x70
[ 499.057491][ T3647] hci_power_on+0xda/0x620
[ 499.061911][ T3647] process_one_work+0x991/0x1610
[ 499.066868][ T3647] worker_thread+0x665/0x1080
[ 499.071569][ T3647] kthread+0x2e4/0x3a0
[ 499.075648][ T3647] ret_from_fork+0x1f/0x30
[ 499.080075][ T3647]
[ 499.082398][ T3647] The buggy address belongs to the object at ffff88801cbf5800
[ 499.082398][ T3647] which belongs to the cache kmalloc-512 of size 512
[ 499.096475][ T3647] The buggy address is located 8 bytes inside of
[ 499.096475][ T3647] 512-byte region [ffff88801cbf5800, ffff88801cbf5a00)
[ 499.109576][ T3647]
[ 499.111891][ T3647] The buggy address belongs to the physical page:
[ 499.118310][ T3647] page:ffffea000072fd00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1cbf4
[ 499.128456][ T3647] head:ffffea000072fd00 order:2 compound_mapcount:0 compound_pincount:0
[ 499.136778][ T3647] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 499.144763][ T3647] raw: 00fff00000010200 ffffea0001e21d00 dead000000000002 ffff888011841c80
[ 499.153345][ T3647] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 499.161919][ T3647] page dumped because: kasan: bad access detected
[ 499.168335][ T3647] page_owner tracks the page as allocated
[ 499.174052][ T3647] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 639, tgid 639 (kworker/u4:3), ts 7496750158, free_ts 0
[ 499.194288][ T3647] get_page_from_freelist+0x109b/0x2ce0
[ 499.199850][ T3647] __alloc_pages+0x1c7/0x510
[ 499.204462][ T3647] alloc_pages+0x1a6/0x270
[ 499.208894][ T3647] allocate_slab+0x27e/0x3d0
[ 499.213498][ T3647] ___slab_alloc+0xa3e/0x11d0
[ 499.218185][ T3647] __slab_alloc.constprop.0+0x4d/0xa0
[ 499.223565][ T3647] __kmem_cache_alloc_node+0x18a/0x3d0
[ 499.229039][ T3647] kmalloc_trace+0x22/0x60
[ 499.233465][ T3647] alloc_bprm+0x51/0x900
[ 499.237715][ T3647] kernel_execve+0xab/0x500
[ 499.242228][ T3647] call_usermodehelper_exec_async+0x2e3/0x580
[ 499.248327][ T3647] ret_from_fork+0x1f/0x30
[ 499.252755][ T3647] page_owner free stack trace missing
[ 499.258115][ T3647]
[ 499.260432][ T3647] Memory state around the buggy address:
[ 499.266056][ T3647] ffff88801cbf5700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 499.274124][ T3647] ffff88801cbf5780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 499.282182][ T3647] >ffff88801cbf5800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 499.290233][ T3647] ^
[ 499.294565][ T3647] ffff88801cbf5880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 499.302623][ T3647] ffff88801cbf5900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 499.310676][ T3647] ==================================================================
[ 499.323795][ T3647] Kernel panic - not syncing: panic_on_warn set ...
[ 499.330405][ T3647] CPU: 0 PID: 3647 Comm: kworker/0:2 Not tainted 6.0.0-rc2-next-20220824-syzkaller #0
[ 499.339941][ T3647] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[ 499.349989][ T3647] Workqueue: events hci_cmd_timeout
[ 499.355190][ T3647] Call Trace:
[ 499.358456][ T3647]
[ 499.361375][ T3647] dump_stack_lvl+0xcd/0x134
[ 499.365959][ T3647] panic+0x2c8/0x627
[ 499.369864][ T3647] ? panic_print_sys_info.part.0+0x10b/0x10b
[ 499.375835][ T3647] ? preempt_schedule_common+0x59/0xc0
[ 499.381337][ T3647] ? preempt_schedule_thunk+0x16/0x18
[ 499.386703][ T3647] ? hci_cmd_timeout+0x24b/0x250
[ 499.391639][ T3647] end_report.part.0+0x3f/0x7c
[ 499.396395][ T3647] kasan_report.cold+0xa/0xf
[ 499.400979][ T3647] ? calibrate_delay+0x1120/0x1120
[ 499.406079][ T3647] ? hci_cmd_timeout+0x24b/0x250
[ 499.411004][ T3647] hci_cmd_timeout+0x24b/0x250
[ 499.415755][ T3647] process_one_work+0x991/0x1610
[ 499.420693][ T3647] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 499.426079][ T3647] ? rwlock_bug.part.0+0x90/0x90
[ 499.431029][ T3647] worker_thread+0x665/0x1080
[ 499.435720][ T3647] ? __kthread_parkme+0x15f/0x220
[ 499.440752][ T3647] ? process_one_work+0x1610/0x1610
[ 499.445962][ T3647] kthread+0x2e4/0x3a0
[ 499.450036][ T3647] ? kthread_complete_and_exit+0x40/0x40
[ 499.455679][ T3647] ret_from_fork+0x1f/0x30
[ 499.460114][ T3647]
[ 499.463289][ T3647] Kernel Offset: disabled
[ 499.467610][ T3647] Rebooting in 86400 seconds..