[ 45.366138][ T8] bridge0: port 1(bridge_slave_0) entered disabled state
[ 45.375027][ T8] device veth1_macvtap left promiscuous mode
[ 45.381009][ T8] device veth0_macvtap left promiscuous mode
[ 45.387270][ T8] device veth1_vlan left promiscuous mode
[ 45.393178][ T8] device veth0_vlan left promiscuous mode
[ 45.438164][ T8] team0 (unregistering): Port device team_slave_1 removed
[ 45.446993][ T8] team0 (unregistering): Port device team_slave_0 removed
[ 45.456848][ T8] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 45.467737][ T8] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 45.493126][ T8] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.1.191' (ECDSA) to the list of known hosts.
2022/12/18 14:15:23 ignoring optional flag "sandboxArg"="0"
2022/12/18 14:15:23 parsed 1 programs
2022/12/18 14:15:23 executed programs: 0
[ 60.361831][ T3612] Bluetooth: hci0: Opcode 0x c03 failed: -110
[ 62.443306][ T47] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 62.450511][ T47] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 62.457711][ T47] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 62.465280][ T47] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 62.472646][ T47] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 62.479776][ T47] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 62.519824][ T4072] chnl_net:caif_netlink_parms(): no params data found
[ 62.540432][ T4072] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.548030][ T4072] bridge0: port 1(bridge_slave_0) entered disabled state
[ 62.555816][ T4072] device bridge_slave_0 entered promiscuous mode
[ 62.563492][ T4072] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.570551][ T4072] bridge0: port 2(bridge_slave_1) entered disabled state
[ 62.578062][ T4072] device bridge_slave_1 entered promiscuous mode
[ 62.589978][ T4072] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 62.599971][ T4072] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 62.614514][ T4072] team0: Port device team_slave_0 added
[ 62.620738][ T4072] team0: Port device team_slave_1 added
[ 62.631460][ T4072] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 62.638500][ T4072] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 62.664864][ T4072] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 62.676191][ T4072] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 62.683241][ T4072] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 62.709106][ T4072] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 62.727489][ T4072] device hsr_slave_0 entered promiscuous mode
[ 62.733791][ T4072] device hsr_slave_1 entered promiscuous mode
[ 63.072443][ T4072] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 63.080598][ T4072] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 63.089468][ T4072] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 63.098126][ T4072] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 63.112769][ T4072] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.119837][ T4072] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 63.127185][ T4072] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.134285][ T4072] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 63.162982][ T4072] 8021q: adding VLAN 0 to HW filter on device bond0
[ 63.174962][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 63.183436][ T26] bridge0: port 1(bridge_slave_0) entered disabled state
[ 63.190829][ T26] bridge0: port 2(bridge_slave_1) entered disabled state
[ 63.200198][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 63.209857][ T4072] 8021q: adding VLAN 0 to HW filter on device team0
[ 63.219982][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 63.229115][ T26] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.236288][ T26] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 63.253642][ T3626] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 63.262315][ T3626] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.269360][ T3626] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 63.277231][ T3626] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 63.285478][ T3626] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 63.297087][ T4072] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 63.307590][ T4072] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 63.320169][ T3620] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 63.327826][ T3620] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 63.336194][ T3620] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 63.344673][ T3620] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 63.393647][ T3620] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 63.401345][ T3620] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 63.411051][ T4072] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 63.425264][ T3620] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 63.439052][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 63.448353][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 63.456452][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 63.465724][ T4072] device veth0_vlan entered promiscuous mode
[ 63.475490][ T4072] device veth1_vlan entered promiscuous mode
[ 63.489317][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 63.497912][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 63.506183][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 63.515938][ T4072] device veth0_macvtap entered promiscuous mode
[ 63.524764][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 63.533711][ T4072] device veth1_macvtap entered promiscuous mode
[ 63.546965][ T4072] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 63.554877][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 63.564369][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 63.574078][ T4072] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 63.583696][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 63.593274][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 63.602227][ T4072] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 63.611059][ T4072] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 63.621466][ T4072] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 63.630860][ T4072] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
2022/12/18 14:15:29 executed programs: 1
[ 63.660204][ T1000] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 63.669182][ T1000] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 63.675800][ T8] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 63.684577][ T3620] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 63.692128][ T8] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 63.699478][ T2931] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 65.482703][ T1233] ieee802154 phy0 wpan0: encryption failed: -22
[ 65.489163][ T1233] ieee802154 phy1 wpan1: encryption failed: -22
[ 67.802014][ T3620] Bluetooth: hci0: Controller not accepting commands anymore: ncmd = 0
[ 67.819927][ T3620] Bluetooth: hci0: Injecting HCI hardware error event
[ 67.833250][ T47] Bluetooth: hci0: hardware error 0x00
[ 67.841527][ T47] ==================================================================
[ 67.849931][ T47] BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0xa6/0x5e0
[ 67.857902][ T47] Read of size 8 at addr ffff888015f644b8 by task kworker/u5:0/47
[ 67.865696][ T47]
[ 67.868008][ T47] CPU: 0 PID: 47 Comm: kworker/u5:0 Not tainted 5.19.0-rc7-syzkaller #0
[ 67.876308][ T47] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 67.886353][ T47] Workqueue: hci0 hci_error_reset
[ 67.891376][ T47] Call Trace:
[ 67.894637][ T47]
[ 67.897540][ T47] dump_stack_lvl+0x57/0x7d
[ 67.902016][ T47] print_address_description.constprop.0.cold+0xeb/0x495
[ 67.909005][ T47] ? __mutex_unlock_slowpath+0xa6/0x5e0
[ 67.914514][ T47] kasan_report.cold+0xf4/0x1c6
[ 67.919687][ T47] ? __mutex_unlock_slowpath+0xa6/0x5e0
[ 67.925201][ T47] kasan_check_range+0x13d/0x180
[ 67.930106][ T47] __mutex_unlock_slowpath+0xa6/0x5e0
[ 67.935442][ T47] ? wait_for_completion_io_timeout+0x20/0x20
[ 67.941474][ T47] ? l2cap_conn_del+0x39c/0x720
[ 67.946291][ T47] ? kfree+0xd6/0x4d0
[ 67.950241][ T47] l2cap_conn_del+0x3a4/0x720
[ 67.954888][ T47] hci_conn_hash_flush+0xfb/0x210
[ 67.959880][ T47] hci_dev_close_sync+0x462/0xef0
[ 67.964873][ T47] ? hci_dev_open_sync+0x1b20/0x1b20
[ 67.970124][ T47] ? do_raw_spin_lock+0x120/0x2a0
[ 67.975115][ T47] hci_dev_do_close+0x23/0x60
[ 67.979759][ T47] hci_error_reset+0x79/0xf0
[ 67.984316][ T47] process_one_work+0x865/0x13d0
[ 67.989240][ T47] ? lock_release+0x780/0x780
[ 67.993885][ T47] ? pwq_dec_nr_in_flight+0x230/0x230
[ 67.999224][ T47] ? rwlock_bug.part.0+0x90/0x90
[ 68.004130][ T47] worker_thread+0x598/0xec0
[ 68.008688][ T47] ? process_one_work+0x13d0/0x13d0
[ 68.013851][ T47] kthread+0x299/0x340
[ 68.017886][ T47] ? kthread_complete_and_exit+0x20/0x20
[ 68.023483][ T47] ret_from_fork+0x1f/0x30
[ 68.027866][ T47]
[ 68.030862][ T47]
[ 68.033156][ T47] Allocated by task 47:
[ 68.037362][ T47] kasan_save_stack+0x1e/0x40
[ 68.042034][ T47] __kasan_kmalloc+0xa9/0xd0
[ 68.046598][ T47] l2cap_chan_create+0x39/0x530
[ 68.051432][ T47] amp_mgr_create+0x80/0x8e0
[ 68.056006][ T47] a2mp_channel_create+0x61/0x120
[ 68.061005][ T47] l2cap_recv_frame+0x3da7/0x7e80
[ 68.066001][ T47] hci_rx_work+0x3bf/0xba0
[ 68.070384][ T47] process_one_work+0x865/0x13d0
[ 68.075374][ T47] worker_thread+0x598/0xec0
[ 68.079929][ T47] kthread+0x299/0x340
[ 68.083969][ T47] ret_from_fork+0x1f/0x30
[ 68.088357][ T47]
[ 68.090654][ T47] Freed by task 47:
[ 68.094428][ T47] kasan_save_stack+0x1e/0x40
[ 68.099161][ T47] kasan_set_track+0x21/0x30
[ 68.103723][ T47] kasan_set_free_info+0x20/0x30
[ 68.108624][ T47] ____kasan_slab_free+0x166/0x1a0
[ 68.113703][ T47] slab_free_freelist_hook+0x8b/0x1c0
[ 68.119049][ T47] kfree+0xd6/0x4d0
[ 68.122922][ T47] l2cap_conn_del+0x39c/0x720
[ 68.127571][ T47] hci_conn_hash_flush+0xfb/0x210
[ 68.132564][ T47] hci_dev_close_sync+0x462/0xef0
[ 68.137562][ T47] hci_dev_do_close+0x23/0x60
[ 68.142205][ T47] hci_error_reset+0x79/0xf0
[ 68.146762][ T47] process_one_work+0x865/0x13d0
[ 68.151667][ T47] worker_thread+0x598/0xec0
[ 68.156224][ T47] kthread+0x299/0x340
[ 68.160343][ T47] ret_from_fork+0x1f/0x30
[ 68.164726][ T47]
[ 68.167025][ T47] The buggy address belongs to the object at ffff888015f64000
[ 68.167025][ T47] which belongs to the cache kmalloc-2k of size 2048
[ 68.181047][ T47] The buggy address is located 1208 bytes inside of
[ 68.181047][ T47] 2048-byte region [ffff888015f64000, ffff888015f64800)
[ 68.194466][ T47]
[ 68.196760][ T47] The buggy address belongs to the physical page:
[ 68.203139][ T47] page:ffffea000057d800 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888015f67000 pfn:0x15f60
[ 68.214583][ T47] head:ffffea000057d800 order:3 compound_mapcount:0 compound_pincount:0
[ 68.222869][ T47] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 68.230836][ T47] raw: 00fff00000010200 ffffea000059c208 ffffea0001da7c08 ffff888010842000
[ 68.239387][ T47] raw: ffff888015f67000 0000000000080001 00000001ffffffff 0000000000000000
[ 68.247932][ T47] page dumped because: kasan: bad access detected
[ 68.254308][ T47] page_owner tracks the page as allocated
[ 68.260021][ T47] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 3620, tgid 3620 (kworker/1:3), ts 63711870858, free_ts 63700203002
[ 68.282998][ T47] get_page_from_freelist+0x1290/0x3b70
[ 68.288537][ T47] __alloc_pages+0x1c7/0x510
[ 68.293101][ T47] allocate_slab+0x26c/0x3c0
[ 68.297659][ T47] ___slab_alloc+0x9c4/0xe20
[ 68.302221][ T47] __slab_alloc.constprop.0+0x4d/0xa0
[ 68.307567][ T47] __kmalloc_node_track_caller+0x2cb/0x360
[ 68.313827][ T47] __alloc_skb+0x8a/0x270
[ 68.318135][ T47] alloc_skb_with_frags+0x73/0x6f0
[ 68.323214][ T47] sock_alloc_send_pskb+0x636/0x7c0
[ 68.328376][ T47] mld_newpack.isra.0+0x1b4/0x770
[ 68.333366][ T47] add_grhead+0x273/0x370
[ 68.337662][ T47] add_grec+0xc87/0x1060
[ 68.341873][ T47] mld_ifc_work+0x3bb/0xa90
[ 68.346359][ T47] process_one_work+0x865/0x13d0
[ 68.351353][ T47] worker_thread+0x598/0xec0
[ 68.355910][ T47] kthread+0x299/0x340
[ 68.359954][ T47] page last free stack trace:
[ 68.364613][ T47] free_pcp_prepare+0x549/0xd20
[ 68.369428][ T47] free_unref_page+0x19/0x6a0
[ 68.374070][ T47] __unfreeze_partials+0x17c/0x1a0
[ 68.379145][ T47] qlist_free_all+0x6a/0x170
[ 68.383697][ T47] kasan_quarantine_reduce+0x180/0x200
[ 68.389127][ T47] __kasan_slab_alloc+0xa2/0xc0
[ 68.393944][ T47] kmem_cache_alloc+0x204/0x3b0
[ 68.398785][ T47] vm_area_alloc+0x17/0xf0
[ 68.403255][ T47] mmap_region+0x74e/0x11d0
[ 68.407724][ T47] do_mmap+0x5c4/0xd80
[ 68.411760][ T47] vm_mmap_pgoff+0x163/0x210
[ 68.416321][ T47] do_syscall_64+0x35/0xb0
[ 68.420704][ T47] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 68.426563][ T47]
[ 68.428859][ T47] Memory state around the buggy address:
[ 68.434546][ T47] ffff888015f64380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.442578][ T47] ffff888015f64400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.450607][ T47] >ffff888015f64480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.458636][ T47] ^
[ 68.464603][ T47] ffff888015f64500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.472629][ T47] ffff888015f64580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.480654][ T47] ==================================================================
[ 68.489431][ T47] Kernel panic - not syncing: panic_on_warn set ...
[ 68.496017][ T47] CPU: 0 PID: 47 Comm: kworker/u5:0 Not tainted 5.19.0-rc7-syzkaller #0
[ 68.504306][ T47] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 68.514352][ T47] Workqueue: hci0 hci_error_reset
[ 68.519345][ T47] Call Trace:
[ 68.522594][ T47]
[ 68.525495][ T47] dump_stack_lvl+0x57/0x7d
[ 68.529967][ T47] panic+0x227/0x466
[ 68.533916][ T47] ? panic_print_sys_info.part.0+0x69/0x69
[ 68.539689][ T47] ? preempt_schedule_common+0x59/0xc0
[ 68.545124][ T47] ? __mutex_unlock_slowpath+0xa6/0x5e0
[ 68.550640][ T47] ? preempt_schedule_thunk+0x16/0x18
[ 68.556008][ T47] ? __mutex_unlock_slowpath+0xa6/0x5e0
[ 68.561521][ T47] end_report.part.0+0x3f/0x7c
[ 68.566280][ T47] kasan_report.cold+0x93/0x1c6
[ 68.571097][ T47] ? __mutex_unlock_slowpath+0xa6/0x5e0
[ 68.576611][ T47] kasan_check_range+0x13d/0x180
[ 68.581515][ T47] __mutex_unlock_slowpath+0xa6/0x5e0
[ 68.586856][ T47] ? wait_for_completion_io_timeout+0x20/0x20
[ 68.592911][ T47] ? l2cap_conn_del+0x39c/0x720
[ 68.597739][ T47] ? kfree+0xd6/0x4d0
[ 68.601691][ T47] l2cap_conn_del+0x3a4/0x720
[ 68.606343][ T47] hci_conn_hash_flush+0xfb/0x210
[ 68.611340][ T47] hci_dev_close_sync+0x462/0xef0
[ 68.616337][ T47] ? hci_dev_open_sync+0x1b20/0x1b20
[ 68.621590][ T47] ? do_raw_spin_lock+0x120/0x2a0
[ 68.626580][ T47] hci_dev_do_close+0x23/0x60
[ 68.631224][ T47] hci_error_reset+0x79/0xf0
[ 68.635779][ T47] process_one_work+0x865/0x13d0
[ 68.640684][ T47] ? lock_release+0x780/0x780
[ 68.645327][ T47] ? pwq_dec_nr_in_flight+0x230/0x230
[ 68.650664][ T47] ? rwlock_bug.part.0+0x90/0x90
[ 68.655588][ T47] worker_thread+0x598/0xec0
[ 68.660146][ T47] ? process_one_work+0x13d0/0x13d0
[ 68.665312][ T47] kthread+0x299/0x340
[ 68.669347][ T47] ? kthread_complete_and_exit+0x20/0x20
[ 68.674946][ T47] ret_from_fork+0x1f/0x30
[ 68.679356][ T47]
[ 68.683065][ T47] Kernel Offset: disabled
[ 68.687363][ T47] Rebooting in 86400 seconds..