vxcan1: j1939_xtp_rx_rts_session_active: 0xffff88802d34d000: connection exists (00 02). last cmd: 10 skbuff: skb_under_panic: text:ffffffff8a77db2d len:30 put:14 head:ffff8880571370c0 data:ffff8880571370b2 tail:0x10 end:0x180 dev:bridge_slave_1 ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:214! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 1 UID: 0 PID: 15787 Comm: kworker/u8:18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/27/2026 RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:214 Code: c7 60 16 dc 8c 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 55 41 57 41 56 e8 0e 55 f5 ff 48 83 c4 20 90 <0f> 0b cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffc90000a08228 EFLAGS: 00010286 RAX: 000000000000008f RBX: dffffc0000000000 RCX: 7451b276e3d06800 RDX: 0000000000000100 RSI: 0000000000000101 RDI: 0000000000000000 RBP: 0000000000000180 R08: ffffc90000a07f87 R09: 1ffff92000140ff0 R10: dffffc0000000000 R11: fffff52000140ff1 R12: ffff888056630650 R13: ffff8880571370c0 R14: ffff8880571370b2 R15: 0000000000000010 FS: 0000000000000000(0000) GS:ffff888125561000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ff19fe4eddd CR3: 000000004a11a000 CR4: 00000000003526f0 Call Trace: skb_under_panic net/core/skbuff.c:224 [inline] skb_push+0xc3/0xe0 net/core/skbuff.c:2674 br_dev_queue_push_xmit+0x2d/0x4a0 net/bridge/br_forward.c:35 NF_HOOK+0x360/0x3f0 include/linux/netfilter.h:318 br_forward_finish+0xd3/0x130 net/bridge/br_forward.c:66 NF_HOOK+0x360/0x3f0 include/linux/netfilter.h:318 __br_forward+0x397/0x540 net/bridge/br_forward.c:115 deliver_clone net/bridge/br_forward.c:131 [inline] maybe_deliver net/bridge/br_forward.c:191 [inline] br_flood+0x6ee/0xb80 net/bridge/br_forward.c:238 br_handle_frame_finish+0x14c2/0x1bb0 net/bridge/br_input.c:229 nf_hook_bridge_pre net/bridge/br_input.c:313 [inline] br_handle_frame+0x80f/0x1510 net/bridge/br_input.c:442 __netif_receive_skb_core+0x98f/0x31a0 net/core/dev.c:6051 __netif_receive_skb_one_core net/core/dev.c:6162 [inline] __netif_receive_skb net/core/dev.c:6277 [inline] process_backlog+0x76d/0x1950 net/core/dev.c:6628 __napi_poll+0xae/0x340 net/core/dev.c:7692 napi_poll net/core/dev.c:7755 [inline] net_rx_action+0x627/0xf70 net/core/dev.c:7912 handle_softirqs+0x22a/0x870 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0x5f/0x150 kernel/softirq.c:723 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739 instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline] sysvec_call_function_single+0xa3/0xc0 arch/x86/kernel/smp.c:266 asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:704 RIP: 0010:do_raw_spin_unlock+0xd/0x210 kernel/locking/spinlock_debug.c:139 Code: ff ff e8 f6 b2 8d 00 e9 5b ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 55 41 57 41 56 41 55 41 54 <53> 48 89 fb 49 bc 00 00 00 00 00 fc ff df 4c 8d 77 04 4c 89 f0 48 RSP: 0018:ffffc900064176d0 EFLAGS: 00000282 RAX: 7451b276e3d06800 RBX: ffff88802a7c8698 RCX: 0000000080000001 RDX: 0000000000000001 RSI: ffffffff8e164b17 RDI: ffff88802a7c8698 RBP: 0000000000000001 R08: 0000000000000003 R09: 0000000000000004 R10: dffffc0000000000 R11: fffff52000c82ed0 R12: dffffc0000000000 R13: 1ffff110054f90db R14: ffff88802a7c86d8 R15: 0000000000000000 __raw_spin_unlock include/linux/spinlock_api_smp.h:168 [inline] _raw_spin_unlock+0x1e/0x50 kernel/locking/spinlock.c:186 spin_unlock include/linux/spinlock.h:389 [inline] lockref_get_not_dead+0x7e/0xc0 lib/lockref.c:160 __legitimize_path fs/namei.c:869 [inline] legitimize_path fs/namei.c:879 [inline] try_to_unlazy+0x3cb/0xc50 fs/namei.c:943 complete_walk+0x11f/0x390 fs/namei.c:1059 do_open fs/namei.c:4637 [inline] path_openat+0x28de/0x3860 fs/namei.c:4830 do_file_open+0x23e/0x4a0 fs/namei.c:4859 do_open_execat+0x12b/0x580 fs/exec.c:781 alloc_bprm+0x28/0x5c0 fs/exec.c:1401 class_bprm_constructor fs/exec.c:1466 [inline] kernel_execve+0x87/0x930 fs/exec.c:1859 call_usermodehelper_exec_async+0x20f/0x360 kernel/umh.c:109 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:214 Code: c7 60 16 dc 8c 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 55 41 57 41 56 e8 0e 55 f5 ff 48 83 c4 20 90 <0f> 0b cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffc90000a08228 EFLAGS: 00010286 RAX: 000000000000008f RBX: dffffc0000000000 RCX: 7451b276e3d06800 RDX: 0000000000000100 RSI: 0000000000000101 RDI: 0000000000000000 RBP: 0000000000000180 R08: ffffc90000a07f87 R09: 1ffff92000140ff0 R10: dffffc0000000000 R11: fffff52000140ff1 R12: ffff888056630650 R13: ffff8880571370c0 R14: ffff8880571370b2 R15: 0000000000000010 FS: 0000000000000000(0000) GS:ffff888125561000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ff19fe4eddd CR3: 000000004a11a000 CR4: 00000000003526f0 ---------------- Code disassembly (best guess), 1 bytes skipped: 0: ff ljmp (bad) 1: e8 f6 b2 8d 00 call 0x8db2fc 6: e9 5b ff ff ff jmp 0xffffff66 b: 90 nop c: 90 nop d: 90 nop e: 90 nop f: 90 nop 10: 90 nop 11: 90 nop 12: 90 nop 13: 90 nop 14: 90 nop 15: 90 nop 16: 90 nop 17: 90 nop 18: 90 nop 19: 90 nop 1a: 90 nop 1b: 90 nop 1c: 0f 1f 40 d6 nopl -0x2a(%rax) 20: 55 push %rbp 21: 41 57 push %r15 23: 41 56 push %r14 25: 41 55 push %r13 27: 41 54 push %r12 * 29: 53 push %rbx <-- trapping instruction 2a: 48 89 fb mov %rdi,%rbx 2d: 49 bc 00 00 00 00 00 movabs $0xdffffc0000000000,%r12 34: fc ff df 37: 4c 8d 77 04 lea 0x4(%rdi),%r14 3b: 4c 89 f0 mov %r14,%rax 3e: 48 rex.W