Warning: Permanently added '10.128.0.165' (ED25519) to the list of known hosts.
1970/01/01 00:01:04 ignoring optional flag "sandboxArg"="0"
1970/01/01 00:01:04 parsed 1 programs
1970/01/01 00:01:05 executed programs: 0
[ 65.122439][ T6589] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SS
[ 65.159617][ T5817] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 65.162950][ T5817] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 65.165319][ T5817] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 65.167846][ T5817] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 65.170103][ T5817] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 65.172476][ T5817] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 65.244437][ T6596] chnl_net:caif_netlink_parms(): no params data found
[ 65.271934][ T6596] bridge0: port 1(bridge_slave_0) entered blocking state
[ 65.274041][ T6596] bridge0: port 1(bridge_slave_0) entered disabled state
[ 65.275954][ T6596] bridge_slave_0: entered allmulticast mode
[ 65.278083][ T6596] bridge_slave_0: entered promiscuous mode
[ 65.281145][ T6596] bridge0: port 2(bridge_slave_1) entered blocking state
[ 65.283309][ T6596] bridge0: port 2(bridge_slave_1) entered disabled state
[ 65.285201][ T6596] bridge_slave_1: entered allmulticast mode
[ 65.287290][ T6596] bridge_slave_1: entered promiscuous mode
[ 65.299237][ T6596] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 65.303231][ T6596] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 65.318322][ T6596] team0: Port device team_slave_0 added
[ 65.322290][ T6596] team0: Port device team_slave_1 added
[ 65.333325][ T6596] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 65.335154][ T6596] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 65.342071][ T6596] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 65.346386][ T6596] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 65.348287][ T6596] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 65.355600][ T6596] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 65.422507][ T6596] hsr_slave_0: entered promiscuous mode
[ 65.460982][ T6596] hsr_slave_1: entered promiscuous mode
[ 66.151571][ T6596] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 66.155856][ T6596] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 66.159355][ T6596] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 66.167634][ T6596] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 66.179993][ T6596] bridge0: port 2(bridge_slave_1) entered blocking state
[ 66.182354][ T6596] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 66.184358][ T6596] bridge0: port 1(bridge_slave_0) entered blocking state
[ 66.186255][ T6596] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 66.216283][ T6596] 8021q: adding VLAN 0 to HW filter on device bond0
[ 66.224818][ T24] bridge0: port 1(bridge_slave_0) entered disabled state
[ 66.227789][ T24] bridge0: port 2(bridge_slave_1) entered disabled state
[ 66.237255][ T6596] 8021q: adding VLAN 0 to HW filter on device team0
[ 66.243323][ T24] bridge0: port 1(bridge_slave_0) entered blocking state
[ 66.245271][ T24] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 66.262520][ T24] bridge0: port 2(bridge_slave_1) entered blocking state
[ 66.264479][ T24] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 66.343595][ T6596] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 66.366952][ T6596] veth0_vlan: entered promiscuous mode
[ 66.373179][ T6596] veth1_vlan: entered promiscuous mode
[ 66.386541][ T6596] veth0_macvtap: entered promiscuous mode
[ 66.390403][ T6596] veth1_macvtap: entered promiscuous mode
[ 66.398537][ T6596] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 66.406223][ T6596] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 66.411889][ T6596] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 66.414269][ T6596] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 66.416572][ T6596] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 66.418825][ T6596] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 66.463593][ T297] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 66.465746][ T297] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 66.484243][ T297] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 66.486380][ T297] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 66.552812][ T5817] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585
[ 66.555543][ T5817] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5817, name: kworker/u9:1
[ 66.557918][ T5817] preempt_count: 0, expected: 0
[ 66.559199][ T5817] RCU nest depth: 1, expected: 0
[ 66.560502][ T5817] 4 locks held by kworker/u9:1/5817:
[ 66.562191][ T5817]  #0: ffff0000d5b2c148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x668/0x15d4
[ 66.565192][ T5817]  #1: ffff800097bf7c20 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x6b4/0x15d4
[ 66.568426][ T5817]  #2: ffff0000d4dc0078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xc0/0x99c
[ 66.572085][ T5817]  #3: ffff80008f0778c0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c
[ 66.574709][ T5817] CPU: 0 PID: 5817 Comm: kworker/u9:1 Not tainted 6.9.0-rc6-syzkaller-00066-g78186bd77b47 #0
[ 66.577396][ T5817] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 66.579962][ T5817] Workqueue: hci0 hci_rx_work
[ 66.581268][ T5817] Call trace:
[ 66.582184][ T5817]  dump_backtrace+0x1b8/0x1e4
[ 66.583533][ T5817]  show_stack+0x2c/0x3c
[ 66.584661][ T5817]  dump_stack_lvl+0xe4/0x150
[ 66.585991][ T5817]  dump_stack+0x1c/0x28
[ 66.587119][ T5817]  __might_resched+0x374/0x4d0
[ 66.588451][ T5817]  __might_sleep+0x90/0xe4
[ 66.589625][ T5817]  __mutex_lock_common+0xcc/0x21a0
[ 66.591036][ T5817]  mutex_lock_nested+0x2c/0x38
[ 66.592409][ T5817]  hci_le_create_big_complete_evt+0x34c/0x99c
[ 66.594089][ T5817]  hci_le_meta_evt+0x2b8/0x47c
[ 66.595413][ T5817]  hci_event_packet+0x6f4/0x1098
[ 66.596747][ T5817]  hci_rx_work+0x318/0xa78
[ 66.598012][ T5817]  process_one_work+0x7b8/0x15d4
[ 66.599400][ T5817]  worker_thread+0x938/0xef4
[ 66.600633][ T5817]  kthread+0x288/0x310
[ 66.601721][ T5817]  ret_from_fork+0x10/0x20
[ 66.605002][ T5817]
[ 66.605691][ T5817] =============================
[ 66.606960][ T5817] [ BUG: Invalid wait context ]
[ 66.608345][ T5817] 6.9.0-rc6-syzkaller-00066-g78186bd77b47 #0 Tainted: G W
[ 66.610651][ T5817] -----------------------------
[ 66.611940][ T5817] kworker/u9:1/5817 is trying to lock:
[ 66.613357][ T5817] ffff800091d4df48 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0x34c/0x99c
[ 66.616308][ T5817] other info that might help us debug this:
[ 66.617928][ T5817] context-{4:4}
[ 66.618866][ T5817] 4 locks held by kworker/u9:1/5817:
[ 66.620355][ T5817]  #0: ffff0000d5b2c148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x668/0x15d4
[ 66.623328][ T5817]  #1: ffff800097bf7c20 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x6b4/0x15d4
[ 66.626480][ T5817]  #2: ffff0000d4dc0078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xc0/0x99c
[ 66.629392][ T5817]  #3: ffff80008f0778c0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c
[ 66.631959][ T5817] stack backtrace:
[ 66.632919][ T5817] CPU: 0 PID: 5817 Comm: kworker/u9:1 Tainted: G W 6.9.0-rc6-syzkaller-00066-g78186bd77b47 #0
[ 66.636196][ T5817] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 66.639016][ T5817] Workqueue: hci0 hci_rx_work
[ 66.640267][ T5817] Call trace:
[ 66.641123][ T5817]  dump_backtrace+0x1b8/0x1e4
[ 66.642412][ T5817]  show_stack+0x2c/0x3c
[ 66.643603][ T5817]  dump_stack_lvl+0xe4/0x150
[ 66.644871][ T5817]  dump_stack+0x1c/0x28
[ 66.646045][ T5817]  __lock_acquire+0x1be4/0x763c
[ 66.647381][ T5817]  lock_acquire+0x248/0x73c
[ 66.648632][ T5817]  __mutex_lock_common+0x190/0x21a0
[ 66.650248][ T5817]  mutex_lock_nested+0x2c/0x38
[ 66.651526][ T5817]  hci_le_create_big_complete_evt+0x34c/0x99c
[ 66.653256][ T5817]  hci_le_meta_evt+0x2b8/0x47c
[ 66.654512][ T5817]  hci_event_packet+0x6f4/0x1098
[ 66.655933][ T5817]  hci_rx_work+0x318/0xa78
[ 66.657218][ T5817]  process_one_work+0x7b8/0x15d4
[ 66.658600][ T5817]  worker_thread+0x938/0xef4
[ 66.659877][ T5817]  kthread+0x288/0x310
[ 66.660977][ T5817]  ret_from_fork+0x10/0x20
[ 66.701060][ T5817] ==================================================================
[ 66.703202][ T5817] BUG: KASAN: slab-use-after-free in hci_le_create_big_complete_evt+0x304/0x99c
[ 66.705478][ T5817] Read of size 8 at addr ffff0000e3d80000 by task kworker/u9:1/5817
[ 66.707486][ T5817]
[ 66.708082][ T5817] CPU: 0 PID: 5817 Comm: kworker/u9:1 Tainted: G W 6.9.0-rc6-syzkaller-00066-g78186bd77b47 #0
[ 66.711142][ T5817] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 66.713948][ T5817] Workqueue: hci0 hci_rx_work
[ 66.715197][ T5817] Call trace:
[ 66.716110][ T5817]  dump_backtrace+0x1b8/0x1e4
[ 66.717471][ T5817]  show_stack+0x2c/0x3c
[ 66.718580][ T5817]  dump_stack_lvl+0xe4/0x150
[ 66.719747][ T5817]  print_report+0x198/0x538
[ 66.720954][ T5817]  kasan_report+0xd8/0x138
[ 66.722172][ T5817]  __asan_report_load8_noabort+0x20/0x2c
[ 66.723702][ T5817]  hci_le_create_big_complete_evt+0x304/0x99c
[ 66.725406][ T5817]  hci_le_meta_evt+0x2b8/0x47c
[ 66.726672][ T5817]  hci_event_packet+0x6f4/0x1098
[ 66.727983][ T5817]  hci_rx_work+0x318/0xa78
[ 66.729249][ T5817]  process_one_work+0x7b8/0x15d4
[ 66.730565][ T5817]  worker_thread+0x938/0xef4
[ 66.731867][ T5817]  kthread+0x288/0x310
[ 66.733008][ T5817]  ret_from_fork+0x10/0x20
[ 66.734215][ T5817]
[ 66.734828][ T5817] Allocated by task 5817:
[ 66.736016][ T5817]  kasan_save_track+0x40/0x78
[ 66.737262][ T5817]  kasan_save_alloc_info+0x40/0x50
[ 66.738652][ T5817]  __kasan_kmalloc+0xac/0xc4
[ 66.739954][ T5817]  kmalloc_trace+0x264/0x3f0
[ 66.741220][ T5817]  hci_conn_add+0xd0/0x1098
[ 66.742554][ T5817]  hci_le_big_sync_established_evt+0x1b0/0x954
[ 66.744270][ T5817]  hci_le_meta_evt+0x2b8/0x47c
[ 66.745592][ T5817]  hci_event_packet+0x6f4/0x1098
[ 66.747012][ T5817]  hci_rx_work+0x318/0xa78
[ 66.748211][ T5817]  process_one_work+0x7b8/0x15d4
[ 66.749624][ T5817]  worker_thread+0x938/0xef4
[ 66.750891][ T5817]  kthread+0x288/0x310
[ 66.752072][ T5817]  ret_from_fork+0x10/0x20
[ 66.753227][ T5817]
[ 66.753831][ T5817] Freed by task 5817:
[ 66.754953][ T5817]  kasan_save_track+0x40/0x78
[ 66.756219][ T5817]  kasan_save_free_info+0x54/0x6c
[ 66.757545][ T5817]  poison_slab_object+0x124/0x18c
[ 66.758955][ T5817]  __kasan_slab_free+0x3c/0x70
[ 66.760291][ T5817]  kfree+0x150/0x3e8
[ 66.761373][ T5817]  bt_link_release+0x20/0x30
[ 66.762650][ T5817]  device_release+0x8c/0x1ac
[ 66.763898][ T5817]  kobject_put+0x2a8/0x41c
[ 66.765085][ T5817]  put_device+0x28/0x40
[ 66.766213][ T5817]  hci_conn_del_sysfs+0x7c/0x170
[ 66.767591][ T5817]  hci_conn_del+0x77c/0xaf0
[ 66.768874][ T5817]  hci_le_create_big_complete_evt+0x560/0x99c
[ 66.770524][ T5817]  hci_le_meta_evt+0x2b8/0x47c
[ 66.771823][ T5817]  hci_event_packet+0x6f4/0x1098
[ 66.773201][ T5817]  hci_rx_work+0x318/0xa78
[ 66.774399][ T5817]  process_one_work+0x7b8/0x15d4
[ 66.775763][ T5817]  worker_thread+0x938/0xef4
[ 66.777084][ T5817]  kthread+0x288/0x310
[ 66.778258][ T5817]  ret_from_fork+0x10/0x20
[ 66.779426][ T5817]
[ 66.780135][ T5817] The buggy address belongs to the object at ffff0000e3d80000
[ 66.780135][ T5817]  which belongs to the cache kmalloc-8k of size 8192
[ 66.783888][ T5817] The buggy address is located 0 bytes inside of
[ 66.783888][ T5817]  freed 8192-byte region [ffff0000e3d80000, ffff0000e3d82000)
[ 66.787707][ T5817]
[ 66.788332][ T5817] The buggy address belongs to the physical page:
[ 66.790066][ T5817] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x123d80
[ 66.792438][ T5817] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 66.794643][ T5817] ksm flags: 0x5ffe00000000840(slab|head|node=0|zone=2|lastcpupid=0xfff)
[ 66.797006][ T5817] page_type: 0xffffffff()
[ 66.798198][ T5817] raw: 05ffe00000000840 ffff0000c0002280 fffffdffc323d400 0000000000000003
[ 66.800743][ T5817] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 66.803214][ T5817] head: 05ffe00000000840 ffff0000c0002280 fffffdffc323d400 0000000000000003
[ 66.805516][ T5817] head: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 66.807941][ T5817] head: 05ffe00000000003 fffffdffc38f6001 fffffdffc38f6048 00000000ffffffff
[ 66.810313][ T5817] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[ 66.812673][ T5817] page dumped because: kasan: bad access detected
[ 66.814456][ T5817]
[ 66.815065][ T5817] Memory state around the buggy address:
[ 66.816641][ T5817]  ffff0000e3d7ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 66.818785][ T5817]  ffff0000e3d7ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 66.820983][ T5817] >ffff0000e3d80000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.823133][ T5817]                    ^
[ 66.824245][ T5817]  ffff0000e3d80080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.826425][ T5817]  ffff0000e3d80100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.828622][ T5817] ==================================================================
[ 66.838980][ T5817] Unable to handle kernel paging request at virtual address dfff800000000002
[ 66.841411][ T5817] KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
[ 66.843575][ T5817] Mem abort info:
[ 66.844484][ T5817]   ESR = 0x0000000096000005
[ 66.845674][ T5817]   EC = 0x25: DABT (current EL), IL = 32 bits
[ 66.847255][ T5817]   SET = 0, FnV = 0
[ 66.848289][ T5817]   EA = 0, S1PTW = 0
[ 66.849322][ T5817]   FSC = 0x05: level 1 translation fault
[ 66.851002][ T5817] Data abort info:
[ 66.852068][ T5817]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 66.853706][ T5817]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 66.855294][ T5817]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 66.856948][ T5817] [dfff800000000002] address between user and kernel address ranges
[ 66.859039][ T5817] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
[ 66.860983][ T5817] Modules linked in:
[ 66.862076][ T5817] CPU: 0 PID: 5817 Comm: kworker/u9:1 Tainted: G B W 6.9.0-rc6-syzkaller-00066-g78186bd77b47 #0
[ 66.865354][ T5817] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 66.868137][ T5817] Workqueue: hci0 hci_rx_work
[ 66.869388][ T5817] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 66.871484][ T5817] pc : bcmp+0x134/0x1c8
[ 66.872632][ T5817] lr : hci_le_create_big_complete_evt+0x214/0x99c
[ 66.874343][ T5817] sp : ffff800097bf7710
[ 66.875399][ T5817] x29: ffff800097bf7720 x28: ffff800091d4dec0 x27: 1ffff00012f7eef4
[ 66.877587][ T5817] x26: ffff0000c9482039 x25: dfff800000000000 x24: dfff800000000000
[ 66.879682][ T5817] x23: ffff800097bf77c0 x22: 0000000000000014 x21: 0000000000000014
[ 66.881943][ T5817] x20: ffff800097bf77c0 x19: 0000000000000006 x18: 1fffe000367b8d96
[ 66.884010][ T5817] x17: ffff80008ee9d000 x16: ffff80008adc3d40 x15: ffff700012f7eef8
[ 66.886290][ T5817] x14: 1ffff00012f7eef8 x13: 0000000000000006 x12: ffffffffffffffff
[ 66.888462][ T5817] x11: ffff700012f7eef8 x10: 1ffff00012f7eef8 x9 : 0000000000000004
[ 66.890587][ T5817] x8 : 0000000000000002 x7 : 0000000000000000 x6 : ffff8000802aa3b4
[ 66.892741][ T5817] x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff800089ffe208
[ 66.894914][ T5817] x2 : 0000000000000006 x1 : ffff800097bf77c0 x0 : 0000000000000014
[ 66.897085][ T5817] Call trace:
[ 66.897972][ T5817]  bcmp+0x134/0x1c8
[ 66.899072][ T5817]  hci_le_create_big_complete_evt+0x214/0x99c
[ 66.900726][ T5817]  hci_le_meta_evt+0x2b8/0x47c
[ 66.902038][ T5817]  hci_event_packet+0x6f4/0x1098
[ 66.903435][ T5817]  hci_rx_work+0x318/0xa78
[ 66.904640][ T5817]  process_one_work+0x7b8/0x15d4
[ 66.905973][ T5817]  worker_thread+0x938/0xef4
[ 66.907264][ T5817]  kthread+0x288/0x310
[ 66.908338][ T5817]  ret_from_fork+0x10/0x20
[ 66.909554][ T5817] Code: aa1503f6 aa1403f7 d343fea8 12000aa9 (38f86908)
[ 66.911528][ T5817] ---[ end trace 0000000000000000 ]---
[ 67.254534][ T5817] Kernel panic - not syncing: Oops: Fatal exception
[ 67.256245][ T5817] SMP: stopping secondary CPUs
[ 67.257563][ T5817] Kernel Offset: disabled
[ 67.258698][ T5817] CPU features: 0x0,00000103,80100128,42017203
[ 67.260304][ T5817] Memory Limit: none
[ 67.627289][ T5817] Rebooting in 86400 seconds..
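Everything after the network setup in the capture above comes from one task (kworker/u9:1, PID 5817) inside hci_le_create_big_complete_evt: the sleep-in-atomic warning and the lockdep "Invalid wait context" report (mutex_lock while rcu_read_lock is held), then the KASAN slab-use-after-free on a kmalloc-8k object that hci_conn_add allocated from hci_le_big_sync_established_evt and hci_conn_del freed from hci_le_create_big_complete_evt itself, then an Oops in bcmp with lr pointing back into the same handler, then the panic. The script below is an added example, not part of the syzkaller report or of the kernel: it splits such a console log into its reports and pulls out the alloc/free/use relation and the lock facts a first-pass triager wants. The dmesg prefix format and the header strings it matches are taken from the lines above; the embedded sample is a trimmed excerpt of this log, and the frame-prefix list used to skip reporting and allocator machinery is this example's own choice.

```python
"""Added example, not part of the syzkaller report on this page: split a console
log into its kernel bug reports and extract what a first-pass triager wants."""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed excerpt of the report above (setup noise and most frames cut).
SAMPLE_LOG = """\
[ 66.552812][ T5817] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585
[ 66.559199][ T5817] RCU nest depth: 1, expected: 0
[ 66.581268][ T5817] Call trace:
[ 66.591036][ T5817]  mutex_lock_nested+0x2c/0x38
[ 66.592409][ T5817]  hci_le_create_big_complete_evt+0x34c/0x99c
[ 66.606960][ T5817] [ BUG: Invalid wait context ]
[ 66.611940][ T5817] kworker/u9:1/5817 is trying to lock:
[ 66.613357][ T5817] ffff800091d4df48 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0x34c/0x99c
[ 66.629392][ T5817]  #3: ffff80008f0778c0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c
[ 66.703202][ T5817] BUG: KASAN: slab-use-after-free in hci_le_create_big_complete_evt+0x304/0x99c
[ 66.705478][ T5817] Read of size 8 at addr ffff0000e3d80000 by task kworker/u9:1/5817
[ 66.715197][ T5817] Call trace:
[ 66.720954][ T5817]  kasan_report+0xd8/0x138
[ 66.723702][ T5817]  hci_le_create_big_complete_evt+0x304/0x99c
[ 66.734828][ T5817] Allocated by task 5817:
[ 66.741220][ T5817]  hci_conn_add+0xd0/0x1098
[ 66.742554][ T5817]  hci_le_big_sync_established_evt+0x1b0/0x954
[ 66.753831][ T5817] Freed by task 5817:
[ 66.767591][ T5817]  hci_conn_del+0x77c/0xaf0
[ 66.768874][ T5817]  hci_le_create_big_complete_evt+0x560/0x99c
[ 66.783888][ T5817]  freed 8192-byte region [ffff0000e3d80000, ffff0000e3d82000)
[ 66.838980][ T5817] Unable to handle kernel paging request at virtual address dfff800000000002
[ 66.872632][ T5817] lr : hci_le_create_big_complete_evt+0x214/0x99c
[ 67.254534][ T5817] Kernel panic - not syncing: Oops: Fatal exception
"""

_PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")          # "[ 66.7][ T5817] " dmesg prefix
_FRAME = re.compile(r"^([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
_LOCK = re.compile(r"^(#\d+: )?[0-9a-f]{16} \((.+?)\)\{")           # "#N:" prefix means a held lock
_ACCESS = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
_FREED = re.compile(r"^freed (\d+)-byte region \[([0-9a-f]+),")
_REG = re.compile(r"^(pc|lr) : (\S+)")
_HEADERS = [  # (report kind, header regex); the groups become Report.what
    ("sleep-in-atomic", re.compile(r"^BUG: sleeping function called from invalid context at (\S+)")),
    ("lockdep", re.compile(r"^\[ BUG: (Invalid wait context) \]")),
    ("kasan", re.compile(r"^BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x")),
    ("oops", re.compile(r"^Unable to handle kernel paging request at virtual address (\S+)")),
    ("panic", re.compile(r"^Kernel panic - not syncing: (.*)")),
]
# Frames of the reporting, allocator and locking machinery (assumed list), not of the bug itself.
_NOISE = ("dump_", "show_stack", "print_report", "kasan_", "__kasan_", "__asan_", "kmalloc_",
          "kfree", "poison_slab_object", "__might_", "lock_acquire", "__lock_acquire",
          "__mutex_lock", "mutex_lock", "bcmp")

@dataclass
class Report:
    kind: str
    what: str                                   # taken from the header line
    facts: dict = field(default_factory=dict)   # parsed key/value lines
    stacks: dict = field(default_factory=dict)  # "access"/"alloc"/"free" -> list of frames

def first_real_frame(frames):
    """First frame that is not machinery: where a triager starts reading."""
    return next((f for f in frames if not f.startswith(_NOISE)), None)

def shared_frame(a, b):
    """First real frame of stack a that also appears in stack b (e.g. free and later use)."""
    in_b = set(b)
    return next((f for f in a if f in in_b and not f.startswith(_NOISE)), None)

def uaf_offset(rep):
    """Byte offset of a KASAN access inside the freed object."""
    return rep.facts["addr"] - rep.facts["region"]

def triage(log):
    """Split the log into reports in emission order; later ones are often fallout of the first."""
    reports, stack = [], None
    for raw in log.splitlines():
        line = _PREFIX.sub("", raw).strip()
        hdr = [(kind, m) for kind, rx in _HEADERS if (m := rx.match(line))]
        if hdr:
            reports.append(Report(hdr[0][0], " in ".join(hdr[0][1].groups())))
            stack = None
            continue
        if not reports:
            continue                            # setup noise before the first report
        rep, m = reports[-1], _FRAME.match(line)
        if m and stack is not None:
            stack.append(m.group(1))
            continue
        stack = None                            # any non-frame line ends the current stack
        if line == "Call trace:":
            stack = rep.stacks.setdefault("access", [])
        elif line.startswith(("Allocated by task", "Freed by task")):
            stack = rep.stacks.setdefault("alloc" if line[0] == "A" else "free", [])
        elif (m := _LOCK.match(line)):
            rep.facts.setdefault("holds" if m.group(1) else "wants", []).append(m.group(2))
        elif (m := _ACCESS.match(line)):
            rep.facts.update(op=m.group(1), size=int(m.group(2)), addr=int(m.group(3), 16))
        elif (m := _FREED.match(line)):
            rep.facts.update(freed_bytes=int(m.group(1)), region=int(m.group(2), 16))
        elif (m := _REG.match(line)):
            rep.facts[m.group(1)] = m.group(2)
        elif line.startswith("RCU nest depth:"):
            rep.facts["rcu_depth"] = int(line.split(":")[1].split(",")[0])
    return reports
```

Running triage() over the full capture above gives the same five reports in the same order; the bridge, bond and batman-adv lines never reach a report because nothing is collected before the first header. For the KASAN report, first_real_frame() on the alloc and free stacks gives hci_conn_add and hci_conn_del (bt_link_release first on the full log, since the free went through put_device), and shared_frame() on the access and free stacks returns hci_le_create_big_complete_evt, which is the fact to lead with when filing: the handler that frees the hci_conn is the one that reads it again, at offset 0 of the freed 8192-byte object. The Oops has no usable access frame beyond bcmp, so the lr fact is what places it in the same handler.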