[ 196.113300][ T26] Bluetooth: hci5: command 0x0406 tx timeout
[ 196.148396][ T26] Bluetooth: hci2: command 0x0406 tx timeout
[ 196.172637][ T26] Bluetooth: hci3: command 0x0406 tx timeout
[ 196.218296][ T26] Bluetooth: hci4: command 0x0406 tx timeout
[ 255.408722][ T3214] ieee802154 phy0 wpan0: encryption failed: -22
[ 255.415184][ T3214] ieee802154 phy1 wpan1: encryption failed: -22
[ 316.844157][ T3214] ieee802154 phy0 wpan0: encryption failed: -22
[ 316.850826][ T3214] ieee802154 phy1 wpan1: encryption failed: -22
[ 378.281644][ T3214] ieee802154 phy0 wpan0: encryption failed: -22
[ 378.288105][ T3214] ieee802154 phy1 wpan1: encryption failed: -22
[ 432.282198][ T24] netdevsim netdevsim4 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 432.420589][ T24] netdevsim netdevsim4 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 432.566759][ T24] netdevsim netdevsim4 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 432.707346][ T24] netdevsim netdevsim4 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 434.783870][ T24] device hsr_slave_0 left promiscuous mode
[ 434.792737][ T24] device hsr_slave_1 left promiscuous mode
[ 434.799886][ T24] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 434.808605][ T24] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 434.817458][ T24] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 434.825048][ T24] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 434.833883][ T24] device bridge_slave_1 left promiscuous mode
[ 434.840421][ T24] bridge0: port 2(bridge_slave_1) entered disabled state
[ 434.851207][ T24] device bridge_slave_0 left promiscuous mode
[ 434.857910][ T24] bridge0: port 1(bridge_slave_0) entered disabled state
[ 434.870215][ T24] device veth1_macvtap left promiscuous mode
[ 434.876276][ T24] device veth0_macvtap left promiscuous mode
[ 434.882479][ T24] device veth1_vlan left promiscuous mode
[ 434.889371][ T24] device veth0_vlan left promiscuous mode
[ 438.722107][ T24] team0 (unregistering): Port device team_slave_1 removed
[ 438.736858][ T24] team0 (unregistering): Port device team_slave_0 removed
[ 438.749537][ T24] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 438.766208][ T24] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 438.826228][ T24] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.15.202' (ECDSA) to the list of known hosts.
[ 439.090545][ T35] audit: type=1400 audit(1625679067.038:11): avc: denied { execmem } for pid=3526 comm="syz-executor778" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 439.155440][T18291] ==================================================================
[ 439.164210][T18291] BUG: KASAN: double-free or invalid-free in io_req_caches_free.constprop.0+0x35a/0x580
[ 439.174253][T18291]
[ 439.176662][T18291] CPU: 1 PID: 18291 Comm: kworker/u4:13 Not tainted 5.11.0-syzkaller #0
[ 439.185174][T18291] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 439.195317][T18291] Workqueue: events_unbound io_ring_exit_work
[ 439.201592][T18291] Call Trace:
[ 439.204886][T18291] dump_stack+0xa5/0xe6
[ 439.209236][T18291] print_address_description.constprop.0.cold+0x5b/0x2c6
[ 439.216345][T18291] ? io_req_caches_free.constprop.0+0x35a/0x580
[ 439.222801][T18291] ? io_req_caches_free.constprop.0+0x35a/0x580
[ 439.229643][T18291] kasan_report_invalid_free+0x51/0x80
[ 439.235537][T18291] ? io_req_caches_free.constprop.0+0x35a/0x580
[ 439.241857][T18291] ____kasan_slab_free+0xcc/0xe0
[ 439.246858][T18291] kmem_cache_free_bulk+0x4b/0x1b0
[ 439.252100][T18291] io_req_caches_free.constprop.0+0x35a/0x580
[ 439.258431][T18291] ? lockdep_hardirqs_on+0x79/0x100
[ 439.263821][T18291] io_ring_exit_work+0x426/0x5a0
[ 439.268762][T18291] process_one_work+0x84c/0x13b0
[ 439.273781][T18291] ? lock_release+0x720/0x720
[ 439.278749][T18291] ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 439.284131][T18291] ? rwlock_bug.part.0+0x90/0x90
[ 439.289141][T18291] ? _raw_spin_lock_irq+0x41/0x50
[ 439.294207][T18291] worker_thread+0x598/0xf80
[ 439.298897][T18291] ? __kthread_parkme+0xa2/0x1c0
[ 439.304256][T18291] ? process_one_work+0x13b0/0x13b0
[ 439.309534][T18291] kthread+0x36f/0x450
[ 439.313584][T18291] ? _raw_spin_unlock_irq+0x1f/0x40
[ 439.318758][T18291] ? kthread_create_worker_on_cpu+0xd0/0xd0
[ 439.324625][T18291] ret_from_fork+0x1f/0x30
[ 439.329471][T18291]
[ 439.331789][T18291] Allocated by task 3527:
[ 439.336173][T18291] kasan_save_stack+0x1b/0x40
[ 439.340821][T18291] ____kasan_kmalloc.constprop.0+0x7f/0xa0
[ 439.346597][T18291] kmem_cache_alloc_bulk+0x2c2/0x460
[ 439.351863][T18291] io_submit_sqes+0x130e/0x2380
[ 439.356770][T18291] __do_sys_io_uring_enter+0xb94/0x17d0
[ 439.362286][T18291] do_syscall_64+0x2d/0x70
[ 439.366680][T18291] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 439.372555][T18291]
[ 439.374867][T18291] Freed by task 3527:
[ 439.379002][T18291] kasan_save_stack+0x1b/0x40
[ 439.383649][T18291] kasan_set_track+0x1c/0x30
[ 439.388218][T18291] kasan_set_free_info+0x20/0x30
[ 439.393125][T18291] ____kasan_slab_free+0xb0/0xe0
[ 439.398292][T18291] kmem_cache_free_bulk+0x4b/0x1b0
[ 439.403465][T18291] io_req_caches_free.constprop.0+0x35a/0x580
[ 439.409510][T18291] io_uring_flush+0x3ac/0x5c0
[ 439.414244][T18291] filp_close+0x96/0x120
[ 439.418862][T18291] put_files_struct+0x15c/0x2c0
[ 439.423728][T18291] do_exit+0xa60/0x2570
[ 439.427959][T18291] do_group_exit+0xe7/0x290
[ 439.432608][T18291] __x64_sys_exit_group+0x35/0x40
[ 439.437773][T18291] do_syscall_64+0x2d/0x70
[ 439.442174][T18291] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 439.448047][T18291]
[ 439.450433][T18291] The buggy address belongs to the object at ffff88803669a900
[ 439.450433][T18291] which belongs to the cache io_kiocb of size 208
[ 439.464819][T18291] The buggy address is located 0 bytes inside of
[ 439.464819][T18291] 208-byte region [ffff88803669a900, ffff88803669a9d0)
[ 439.477998][T18291] The buggy address belongs to the page:
[ 439.483618][T18291] page:000000007071376c refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88803669a180 pfn:0x3669a
[ 439.495320][T18291] flags: 0xfff00000000200(slab)
[ 439.500153][T18291] raw: 00fff00000000200 ffffea000053f948 ffffea0000651648 ffff8880167ee100
[ 439.508707][T18291] raw: ffff88803669a180 ffff88803669a040 0000000100000006 0000000000000000
[ 439.517520][T18291] page dumped because: kasan: bad access detected
[ 439.524011][T18291] page_owner tracks the page as allocated
[ 439.529872][T18291] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 11856, ts 86367571325
[ 439.547059][T18291] post_alloc_hook+0x144/0x1c0
[ 439.551889][T18291] get_page_from_freelist+0x1c6f/0x3fb0
[ 439.557410][T18291] __alloc_pages_nodemask+0x2d6/0x730
[ 439.562774][T18291] cache_grow_begin+0x71/0x430
[ 439.567598][T18291] cache_alloc_refill+0x27f/0x380
[ 439.572856][T18291] kmem_cache_alloc_bulk+0x2f9/0x460
[ 439.578125][T18291] io_submit_sqes+0x130e/0x2380
[ 439.582957][T18291] __do_sys_io_uring_enter+0xb94/0x17d0
[ 439.588482][T18291] do_syscall_64+0x2d/0x70
[ 439.592872][T18291] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 439.598736][T18291] page last free stack trace:
[ 439.603387][T18291] free_pcp_prepare+0x2cb/0x410
[ 439.608243][T18291] free_unref_page+0x12/0x1d0
[ 439.612891][T18291] __vunmap+0x5a3/0x950
[ 439.617200][T18291] free_work+0x4b/0x70
[ 439.621238][T18291] process_one_work+0x84c/0x13b0
[ 439.626320][T18291] worker_thread+0x598/0xf80
[ 439.632114][T18291] kthread+0x36f/0x450
[ 439.636244][T18291] ret_from_fork+0x1f/0x30
[ 439.640632][T18291]
[ 439.642933][T18291] Memory state around the buggy address:
[ 439.648536][T18291] ffff88803669a800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 439.656582][T18291] ffff88803669a880: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 439.664636][T18291] >ffff88803669a900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 439.673286][T18291] ^
[ 439.677324][T18291] ffff88803669a980: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 439.685454][T18291] ffff88803669aa00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 439.693574][T18291] ==================================================================
[ 439.701620][T18291] Disabling lock debugging due to kernel taint
[ 439.707736][T18291] Kernel panic - not syncing: panic_on_warn set ...
[ 439.714298][T18291] CPU: 1 PID: 18291 Comm: kworker/u4:13 Tainted: G B 5.11.0-syzkaller #0
[ 439.723976][T18291] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 439.734268][T18291] Workqueue: events_unbound io_ring_exit_work
[ 439.740413][T18291] Call Trace:
[ 439.743878][T18291] dump_stack+0xa5/0xe6
[ 439.748003][T18291] ? io_req_caches_free.constprop.0+0x280/0x580
[ 439.754217][T18291] panic+0x256/0x4eb
[ 439.758135][T18291] ? __warn_printk+0xee/0xee
[ 439.762796][T18291] ? io_req_caches_free.constprop.0+0x35a/0x580
[ 439.769089][T18291] ? io_req_caches_free.constprop.0+0x35a/0x580
[ 439.775382][T18291] end_report+0x58/0x5e
[ 439.779627][T18291] kasan_report_invalid_free+0x6d/0x80
[ 439.785368][T18291] ? io_req_caches_free.constprop.0+0x35a/0x580
[ 439.791850][T18291] ____kasan_slab_free+0xcc/0xe0
[ 439.796755][T18291] kmem_cache_free_bulk+0x4b/0x1b0
[ 439.802022][T18291] io_req_caches_free.constprop.0+0x35a/0x580
[ 439.808264][T18291] ? lockdep_hardirqs_on+0x79/0x100
[ 439.813622][T18291] io_ring_exit_work+0x426/0x5a0
[ 439.818527][T18291] process_one_work+0x84c/0x13b0
[ 439.823627][T18291] ? lock_release+0x720/0x720
[ 439.829373][T18291] ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 439.835446][T18291] ? rwlock_bug.part.0+0x90/0x90
[ 439.841179][T18291] ? _raw_spin_lock_irq+0x41/0x50
[ 439.846347][T18291] worker_thread+0x598/0xf80
[ 439.850911][T18291] ? __kthread_parkme+0xa2/0x1c0
[ 439.855826][T18291] ? process_one_work+0x13b0/0x13b0
[ 439.861003][T18291] kthread+0x36f/0x450
[ 439.865040][T18291] ? _raw_spin_unlock_irq+0x1f/0x40
[ 439.870216][T18291] ? kthread_create_worker_on_cpu+0xd0/0xd0
[ 439.876073][T18291] ret_from_fork+0x1f/0x30
[ 439.881989][T18291] Kernel Offset: disabled
[ 439.886485][T18291] Rebooting in 86400 seconds..