Warning: Permanently added '10.128.0.206' (ED25519) to the list of known hosts.
2025/12/05 12:04:41 parsed 1 programs
[ 63.213200][ T2398] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 64.303987][ T1536] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 64.311728][ T1536] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 64.319720][ T1536] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 64.328971][ T1536] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 64.337812][ T1536] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 64.345326][ T1536] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 64.691075][ T2489] chnl_net:caif_netlink_parms(): no params data found
[ 66.060304][ T2489] 8021q: adding VLAN 0 to HW filter on device bond0
[ 66.933906][ T2489] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 68.826671][ T13] bond0 (unregistering): Released all slaves
2025/12/05 12:04:48 executed programs: 0
[ 68.977661][ T1299] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 68.985224][ T1299] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 68.993365][ T1299] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 69.001574][ T1299] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 69.009310][ T1299] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 69.016684][ T1299] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 69.190215][ T2899] chnl_net:caif_netlink_parms(): no params data found
[ 70.578697][ T2899] 8021q: adding VLAN 0 to HW filter on device bond0
[ 71.032756][ T1536] Bluetooth: hci0: command tx timeout
[ 71.475965][ T2899] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 73.112725][ T1536] Bluetooth: hci0: command tx timeout
[ 73.225131][ T3301] block nbd2: not configured, cannot reconfigure
[ 73.231892][ T1536] block nbd0: Receive control failed (result -32)
[ 73.286260][ T3304] block nbd2: not configured, cannot reconfigure
[ 73.293359][ T1536] block nbd1: Receive control failed (result -32)
[ 73.334293][ T3306] block nbd2: shutting down sockets
[ 73.340558][ T3306] block nbd2: reconnected socket
[ 73.340617][ T1536] block nbd2: Receive control failed (result -32)
[ 73.352815][ T1536] block nbd2: shutting down sockets
[ 73.362841][ T1536] ==================================================================
[ 73.371106][ T1536] BUG: KASAN: slab-use-after-free in recv_work+0x1832/0x19e0
[ 73.378579][ T1536] Write of size 4 at addr ffff888171763e78 by task kworker/u5:2/1536
[ 73.386624][ T1536]
[ 73.389105][ T1536] CPU: 0 PID: 1536 Comm: kworker/u5:2 Not tainted syzkaller #0
[ 73.396630][ T1536] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 73.406998][ T1536] Workqueue: nbd2-recv recv_work
[ 73.412032][ T1536] Call Trace:
[ 73.415506][ T1536]
[ 73.418502][ T1536] dump_stack_lvl+0xe0/0x160
[ 73.423073][ T1536] ? show_regs_print_info+0x10/0x10
[ 73.428527][ T1536] ? load_image+0x550/0x550
[ 73.433033][ T1536] ? _raw_spin_lock_irqsave+0xa6/0xe0
[ 73.438383][ T1536] ? __virt_addr_valid+0x13d/0x270
[ 73.443630][ T1536] ? __virt_addr_valid+0x21e/0x270
[ 73.448800][ T1536] print_report+0xac/0x220
[ 73.453191][ T1536] ? recv_work+0x1832/0x19e0
[ 73.457829][ T1536] kasan_report+0x117/0x150
[ 73.462350][ T1536] ? recv_work+0x1832/0x19e0
[ 73.467011][ T1536] kasan_check_range+0x288/0x290
[ 73.471943][ T1536] recv_work+0x1832/0x19e0
[ 73.476340][ T1536] ? register_lock_class+0x5df/0x770
[ 73.481622][ T1536] ? __lock_acquire+0x5c5/0xba0
[ 73.486620][ T1536] ? is_dynamic_key+0x1e0/0x1e0
[ 73.491458][ T1536] ? asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 73.497974][ T1536] ? backend_show+0xa0/0xa0
[ 73.502452][ T1536] ? lock_acquire+0x1d1/0x350
[ 73.507196][ T1536] ? process_scheduled_works+0x895/0x11f0
[ 73.513149][ T1536] process_scheduled_works+0x92b/0x11f0
[ 73.518678][ T1536] ? assign_work+0x370/0x370
[ 73.523252][ T1536] ? assign_work+0x25c/0x370
[ 73.527912][ T1536] worker_thread+0x856/0xc80
[ 73.532566][ T1536] kthread+0x229/0x280
[ 73.536709][ T1536] ? pr_cont_work+0x4a0/0x4a0
[ 73.541500][ T1536] ? kthread_blkcg+0xa0/0xa0
[ 73.546182][ T1536] ret_from_fork+0x2f/0x60
[ 73.551050][ T1536] ? kthread_blkcg+0xa0/0xa0
[ 73.555794][ T1536] ret_from_fork_asm+0x11/0x20
[ 73.560981][ T1536]
[ 73.564075][ T1536]
[ 73.566390][ T1536] Allocated by task 3306:
[ 73.570877][ T1536] kasan_set_track+0x4e/0x70
[ 73.575477][ T1536] __kasan_kmalloc+0x8f/0xa0
[ 73.580114][ T1536] nbd_alloc_and_init_config+0x8f/0x230
[ 73.585781][ T1536] nbd_genl_connect+0x77a/0x1620
[ 73.590975][ T1536] genl_family_rcv_msg_doit+0x1c1/0x2a0
[ 73.596501][ T1536] genl_rcv_msg+0x417/0x6a0
[ 73.601068][ T1536] netlink_rcv_skb+0x1fe/0x3c0
[ 73.605804][ T1536] genl_rcv+0x23/0x30
[ 73.609842][ T1536] netlink_unicast+0x553/0x760
[ 73.614756][ T1536] netlink_sendmsg+0x702/0xa10
[ 73.619686][ T1536] ____sys_sendmsg+0x4cd/0x830
[ 73.624562][ T1536] ___sys_sendmsg+0x1d8/0x240
[ 73.629235][ T1536] __se_sys_sendmsg+0x13f/0x1c0
[ 73.634333][ T1536] do_syscall_64+0x55/0xb0
[ 73.638743][ T1536] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 73.644612][ T1536]
[ 73.646936][ T1536] Freed by task 1536:
[ 73.650916][ T1536] kasan_set_track+0x4e/0x70
[ 73.655497][ T1536] kasan_save_free_info+0x2e/0x50
[ 73.660554][ T1536] ____kasan_slab_free+0x126/0x1e0
[ 73.665738][ T1536] slab_free_freelist_hook+0x130/0x1b0
[ 73.671270][ T1536] __kmem_cache_free+0xba/0x1f0
[ 73.676104][ T1536] nbd_config_put+0x5a2/0x7d0
[ 73.680769][ T1536] recv_work+0x181c/0x19e0
[ 73.685162][ T1536] process_scheduled_works+0x92b/0x11f0
[ 73.690967][ T1536] worker_thread+0x856/0xc80
[ 73.695543][ T1536] kthread+0x229/0x280
[ 73.699595][ T1536] ret_from_fork+0x2f/0x60
[ 73.704345][ T1536] ret_from_fork_asm+0x11/0x20
[ 73.709236][ T1536]
[ 73.711743][ T1536] Last potentially related work creation:
[ 73.717435][ T1536] kasan_save_stack+0x3e/0x60
[ 73.722190][ T1536] __kasan_record_aux_stack+0xaf/0xc0
[ 73.727558][ T1536] kvfree_call_rcu+0xb5/0x710
[ 73.732213][ T1536] drop_sysctl_table+0x2e3/0x430
[ 73.737142][ T1536] drop_sysctl_table+0x2f0/0x430
[ 73.742081][ T1536] unregister_sysctl_table+0x26/0x40
[ 73.747353][ T1536] neigh_sysctl_unregister+0x6e/0x90
[ 73.752653][ T1536] addrconf_ifdown+0x116d/0x13d0
[ 73.758058][ T1536] addrconf_notify+0x155/0xc00
[ 73.762894][ T1536] notifier_call_chain+0x123/0x220
[ 73.767995][ T1536] unregister_netdevice_many_notify+0xd28/0x1390
[ 73.774323][ T1536] default_device_exit_batch+0x70a/0x9a0
[ 73.780026][ T1536] cleanup_net+0x74a/0xa90
[ 73.784533][ T1536] process_scheduled_works+0x92b/0x11f0
[ 73.790248][ T1536] worker_thread+0x856/0xc80
[ 73.794819][ T1536] kthread+0x229/0x280
[ 73.798866][ T1536] ret_from_fork+0x2f/0x60
[ 73.803261][ T1536] ret_from_fork_asm+0x11/0x20
[ 73.808067][ T1536]
[ 73.810460][ T1536] The buggy address belongs to the object at ffff888171763e00
[ 73.810460][ T1536] which belongs to the cache kmalloc-256 of size 256
[ 73.824756][ T1536] The buggy address is located 120 bytes inside of
[ 73.824756][ T1536] freed 256-byte region [ffff888171763e00, ffff888171763f00)
[ 73.838884][ T1536]
[ 73.841192][ T1536] The buggy address belongs to the physical page:
[ 73.847626][ T1536] page:ffffea0005c5d880 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x171762
[ 73.857855][ T1536] head:ffffea0005c5d880 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 73.866921][ T1536] anon flags: 0x100000000000840(slab|head|node=0|zone=2)
[ 73.874035][ T1536] page_type: 0xffffffff()
[ 73.878365][ T1536] raw: 0100000000000840 ffff888100041b40 0000000000000000 dead000000000001
[ 73.887018][ T1536] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 73.895582][ T1536] page dumped because: kasan: bad access detected
[ 73.902496][ T1536] page_owner tracks the page as allocated
[ 73.908184][ T1536] page last allocated via order 1, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 1506, tgid 1506 (syz-executor), ts 33048737051, free_ts 23422203936
[ 73.931255][ T1536] post_alloc_hook+0x26b/0x290
[ 73.936125][ T1536] get_page_from_freelist+0x3447/0x35f0
[ 73.941827][ T1536] __alloc_pages+0x1e3/0x430
[ 73.946400][ T1536] alloc_slab_page+0x5d/0x170
[ 73.951052][ T1536] new_slab+0x70/0x260
[ 73.955188][ T1536] ___slab_alloc+0xa3e/0xee0
[ 73.959940][ T1536] __kmem_cache_alloc_node+0x19c/0x250
[ 73.965384][ T1536] __kmalloc+0x97/0x1c0
[ 73.969520][ T1536] __register_sysctl_table+0x911/0x10f0
[ 73.975050][ T1536] neigh_sysctl_register+0x9bb/0xa90
[ 73.980413][ T1536] addrconf_sysctl_register+0x9e/0x140
[ 73.985859][ T1536] ipv6_add_dev+0x9c8/0xe60
[ 73.990345][ T1536] addrconf_notify+0x3f0/0xc00
[ 73.995089][ T1536] notifier_call_chain+0x123/0x220
[ 74.000271][ T1536] call_netdevice_notifiers+0xc9/0x100
[ 74.005877][ T1536] register_netdevice+0x10e4/0x14a0
[ 74.011062][ T1536] page last free stack trace:
[ 74.015720][ T1536] free_unref_page_prepare+0x7f9/0x910
[ 74.021195][ T1536] free_unref_page+0x32/0x290
[ 74.025939][ T1536] pipe_read+0x4d2/0xe00
[ 74.030367][ T1536] vfs_read+0x577/0x710
[ 74.034644][ T1536] ksys_read+0x100/0x1c0
[ 74.039390][ T1536] do_syscall_64+0x55/0xb0
[ 74.043804][ T1536] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 74.049778][ T1536]
[ 74.052190][ T1536] Memory state around the buggy address:
[ 74.057928][ T1536] ffff888171763d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 74.065992][ T1536] ffff888171763d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 74.074135][ T1536] >ffff888171763e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.082368][ T1536] ^
[ 74.090340][ T1536] ffff888171763e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.098486][ T1536] ffff888171763f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 74.106636][ T1536] ==================================================================
[ 74.115324][ T1536] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 74.122923][ T1536] Kernel Offset: disabled
[ 74.127438][ T1536] Rebooting in 86400 seconds..