Warning: Permanently added '10.128.0.79' (ED25519) to the list of known hosts.
1970/01/01 00:00:49 ignoring optional flag "type"="gce"
1970/01/01 00:00:49 parsed 1 programs
[ 49.313523][ T4313] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SSFS
1970/01/01 00:00:49 executed programs: 0
[ 49.381940][ T4319] chnl_net:caif_netlink_parms(): no params data found
[ 49.400842][ T4319] bridge0: port 1(bridge_slave_0) entered blocking state
[ 49.402190][ T4319] bridge0: port 1(bridge_slave_0) entered disabled state
[ 49.403680][ T4319] device bridge_slave_0 entered promiscuous mode
[ 49.405702][ T4319] bridge0: port 2(bridge_slave_1) entered blocking state
[ 49.406885][ T4319] bridge0: port 2(bridge_slave_1) entered disabled state
[ 49.408459][ T4319] device bridge_slave_1 entered promiscuous mode
[ 49.416443][ T4319] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 49.419614][ T4319] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 49.428032][ T4319] team0: Port device team_slave_0 added
[ 49.429898][ T4319] team0: Port device team_slave_1 added
[ 49.436817][ T4319] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 49.437946][ T4319] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 49.442632][ T4319] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 49.445636][ T4319] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 49.446708][ T4319] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 49.450795][ T4319] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 49.502935][ T4319] device hsr_slave_0 entered promiscuous mode
[ 49.551905][ T4319] device hsr_slave_1 entered promiscuous mode
[ 50.147994][ T4319] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 50.194797][ T4319] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 50.243228][ T4319] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 50.283052][ T4319] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 50.319786][ T4319] bridge0: port 2(bridge_slave_1) entered blocking state
[ 50.321003][ T4319] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 50.322462][ T4319] bridge0: port 1(bridge_slave_0) entered blocking state
[ 50.323646][ T4319] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 50.345462][ T4319] 8021q: adding VLAN 0 to HW filter on device bond0
[ 50.349947][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 50.352446][ T348] bridge0: port 1(bridge_slave_0) entered disabled state
[ 50.354038][ T348] bridge0: port 2(bridge_slave_1) entered disabled state
[ 50.355914][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 50.359992][ T4319] 8021q: adding VLAN 0 to HW filter on device team0
[ 50.367918][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 50.369609][ T136] bridge0: port 1(bridge_slave_0) entered blocking state
[ 50.370731][ T136] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 50.373156][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 50.374826][ T136] bridge0: port 2(bridge_slave_1) entered blocking state
[ 50.375839][ T136] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 50.379432][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 50.383630][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 50.386745][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 50.388936][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 50.394022][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 50.395523][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 50.397236][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 50.403382][ T4319] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 50.405164][ T4319] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 50.407437][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 50.408977][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 50.411302][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 50.413416][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 50.417195][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 50.463904][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 50.465179][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 50.467270][ T4319] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 50.476400][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 50.478088][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 50.485042][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 50.486618][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 50.488411][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 50.489806][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 50.498105][ T4319] device veth0_vlan entered promiscuous mode
[ 50.501571][ T4319] device veth1_vlan entered promiscuous mode
[ 50.509876][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 50.511591][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 50.513227][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 50.514995][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 50.517534][ T4319] device veth0_macvtap entered promiscuous mode
[ 50.519936][ T4319] device veth1_macvtap entered promiscuous mode
[ 50.527663][ T4319] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 50.528952][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 50.530645][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 50.533713][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 50.535447][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 50.538371][ T4319] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 50.540708][ T4319] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 50.543335][ T4319] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 50.544764][ T4319] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 50.546194][ T4319] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 50.549260][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 50.550744][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 51.382239][ T3623] Bluetooth: hci0: command 0x0409 tx timeout
[ 53.472331][ T4075] Bluetooth: hci0: command 0x041b tx timeout
1970/01/01 00:00:54 executed programs: 255
[ 55.541889][ T21] Bluetooth: hci0: command 0x040f tx timeout
[ 57.621955][ T21] Bluetooth: hci0: command 0x0419 tx timeout
1970/01/01 00:00:59 executed programs: 680
1970/01/01 00:01:04 executed programs: 1109
1970/01/01 00:01:09 executed programs: 1537
[ 69.623600][ T1968] cfg80211: failed to load regulatory.db
[ 69.632072][ T2063] ieee802154 phy0 wpan0: encryption failed: -22
[ 69.633223][ T2063] ieee802154 phy1 wpan1: encryption failed: -22
1970/01/01 00:01:14 executed programs: 1953
1970/01/01 00:01:19 executed programs: 2378
1970/01/01 00:01:24 executed programs: 2837
1970/01/01 00:01:29 executed programs: 3311
[ 90.751738][ C1] IPv4: Attempt to release TCP socket in state 8 00000000451a500d
[ 90.753068][ C1]
[ 90.753403][ C1] =========================
[ 90.754124][ C1] WARNING: held lock freed!
[ 90.754856][ C1] syzkaller #0 Not tainted
[ 90.755571][ C1] -------------------------
[ 90.756332][ C1] syz-executor.0/11498 is freeing memory ffff0000c1da6780-ffff0000c1da7267, with a lock still held there!
[ 90.758180][ C1] ffff0000c1da68a0 (sk_lock-AF_INET){+.+.}-{0:0}, at: inet_sendmsg+0x154/0x284
[ 90.759599][ C1] 2 locks held by syz-executor.0/11498:
[ 90.760536][ C1] #0: ffff0000c1da68a0 (sk_lock-AF_INET){+.+.}-{0:0}, at: inet_sendmsg+0x154/0x284
[ 90.762096][ C1] #1: ffff800008017b00 ((&msk->sk.icsk_retransmit_timer)){+.-.}-{0:0}, at: call_timer_fn+0xd0/0x850
[ 90.763981][ C1]
[ 90.763981][ C1] stack backtrace:
[ 90.764983][ C1] CPU: 1 PID: 11498 Comm: syz-executor.0 Not tainted syzkaller #0
[ 90.766239][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
[ 90.767654][ C1] Call trace:
[ 90.768139][ C1] dump_backtrace+0x0/0x458
[ 90.768862][ C1] show_stack+0x2c/0x3c
[ 90.769456][ C1] __dump_stack+0x30/0x40
[ 90.770180][ C1] dump_stack_lvl+0xf4/0x15c
[ 90.770879][ C1] dump_stack+0x1c/0x5c
[ 90.771501][ C1] debug_check_no_locks_freed+0x20c/0x29c
[ 90.772240][ C1] slab_free_freelist_hook+0x88/0x1e4
[ 90.772933][ C1] kmem_cache_free+0xdc/0x3b0
[ 90.773653][ C1] __sk_destruct+0x42c/0x610
[ 90.774412][ C1] __sk_free+0x320/0x430
[ 90.774967][ C1] sk_free+0x68/0xd4
[ 90.775463][ C1] mptcp_retransmit_timer+0x190/0x29c
[ 90.776151][ C1] call_timer_fn+0x19c/0x850
[ 90.776880][ C1] __run_timers+0xb34/0xd8c
[ 90.777518][ C1] run_timer_softirq+0x7c/0x114
[ 90.778278][ C1] handle_softirqs+0x344/0xbe4
[ 90.779009][ C1] __irq_exit_rcu+0x240/0x43c
[ 90.779687][ C1] irq_exit+0x14/0x88
[ 90.780237][ C1] handle_domain_irq+0x14c/0x1fc
[ 90.780945][ C1] gic_handle_irq+0x78/0x1b8
[ 90.781618][ C1] call_on_irq_stack+0x30/0x48
[ 90.782295][ C1] do_interrupt_handler+0x6c/0x88
[ 90.783035][ C1] el1_interrupt+0x30/0x58
[ 90.783651][ C1] el1h_64_irq_handler+0x18/0x24
[ 90.784384][ C1] el1h_64_irq+0x78/0x7c
[ 90.785060][ C1] _raw_spin_unlock_irqrestore+0xb8/0x14c
[ 90.786023][ C1] __mod_timer+0xa98/0xb44
[ 90.786737][ C1] mod_timer+0x2c/0x3c
[ 90.787389][ C1] sk_reset_timer+0x30/0xf4
[ 90.788077][ C1] __mptcp_push_pending+0x57c/0x694
[ 90.788952][ C1] mptcp_sendmsg+0x14a8/0x19b0
[ 90.789728][ C1] inet_sendmsg+0x154/0x284
[ 90.790437][ C1] ____sys_sendmsg+0x62c/0x940
[ 90.791194][ C1] ___sys_sendmsg+0x1f0/0x27c
[ 90.791821][ C1] __arm64_sys_sendmsg+0x1bc/0x278
[ 90.792628][ C1] invoke_syscall+0x98/0x2b0
[ 90.793390][ C1] el0_svc_common+0x138/0x258
[ 90.794180][ C1] do_el0_svc+0x58/0x13c
[ 90.794850][ C1] el0_svc+0x78/0x1d0
[ 90.795488][ C1] el0t_64_sync_handler+0xcc/0xe4
[ 90.796306][ C1] el0t_64_sync+0x1a0/0x1a4
[ 90.797444][T11498] ------------[ cut here ]------------
[ 90.798311][T11498] refcount_t: addition on 0; use-after-free.
[ 90.799312][T11498] WARNING: CPU: 1 PID: 11498 at lib/refcount.c:25 refcount_warn_saturate+0x134/0x1f8
[ 90.800654][T11498] Modules linked in:
[ 90.801146][T11498] CPU: 1 PID: 11498 Comm: syz-executor.0 Not tainted syzkaller #0
[ 90.802187][T11498] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
[ 90.803678][T11498] pstate: 62400005 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
[ 90.804876][T11498] pc : refcount_warn_saturate+0x134/0x1f8
[ 90.805690][T11498] lr : refcount_warn_saturate+0x134/0x1f8
[ 90.806592][T11498] sp : ffff8000202074b0
[ 90.807244][T11498] x29: ffff8000202074b0 x28: ffff0000ce280180 x27: 0000000000000000
[ 90.808473][T11498] x26: 00000000000000d0 x25: dfff800000000000 x24: ffff0000ce280170
[ 90.809636][T11498] x23: ffff0000c1da7000 x22: 0000000000000000 x21: ffff0000c1da6e38
[ 90.810910][T11498] x20: ffff0000c1da6800 x19: ffff8000166e2000 x18: 0000000000000001
[ 90.812139][T11498] x17: 0000000000000000 x16: ffff800008304af8 x15: 00000000ffffffff
[ 90.813342][T11498] x14: 0000000000000001 x13: 1ffff00004040db4 x12: 0000000000ff0100
[ 90.814719][T11498] x11: 0000000000000000 x10: 0000000000000000 x9 : fbfef0c5bcd32500
[ 90.815965][T11498] x8 : fbfef0c5bcd32500 x7 : 0000000000000001 x6 : 0000000000000001
[ 90.817201][T11498] x5 : ffff800020206db8 x4 : ffff80001437f3e0 x3 : ffff800008304c08
[ 90.818425][T11498] x2 : 0000000000000001 x1 : 0000000100000000 x0 : 000000000000002a
[ 90.819601][T11498] Call trace:
[ 90.820112][T11498] refcount_warn_saturate+0x134/0x1f8
[ 90.820949][T11498] sk_reset_timer+0xcc/0xf4
[ 90.821618][T11498] __mptcp_push_pending+0x57c/0x694
[ 90.822432][T11498] mptcp_sendmsg+0x14a8/0x19b0
[ 90.823158][T11498] inet_sendmsg+0x154/0x284
[ 90.823826][T11498] ____sys_sendmsg+0x62c/0x940
[ 90.824632][T11498] ___sys_sendmsg+0x1f0/0x27c
[ 90.825383][T11498] __arm64_sys_sendmsg+0x1bc/0x278
[ 90.826187][T11498] invoke_syscall+0x98/0x2b0
[ 90.826921][T11498] el0_svc_common+0x138/0x258
[ 90.827626][T11498] do_el0_svc+0x58/0x13c
[ 90.828323][T11498] el0_svc+0x78/0x1d0
[ 90.828961][T11498] el0t_64_sync_handler+0xcc/0xe4
[ 90.829795][T11498] el0t_64_sync+0x1a0/0x1a4
[ 90.830500][T11498] irq event stamp: 1560
[ 90.831088][T11498] hardirqs last enabled at (1560): [] kasan_quarantine_put+0xc4/0x200
[ 90.832536][T11498] hardirqs last disabled at (1559): [] kasan_quarantine_put+0x108/0x200
[ 90.834183][T11498] softirqs last enabled at (1524): [] mptcp_sendmsg+0xcd4/0x19b0
[ 90.835622][T11498] softirqs last disabled at (1531): [] __irq_exit_rcu+0x240/0x43c
[ 90.837060][T11498] ---[ end trace 013c1dd2002ed255 ]---
[ 90.839217][T11497] ------------[ cut here ]------------
[ 90.840176][T11497] refcount_t: saturated; leaking memory.
[ 90.841169][T11497] WARNING: CPU: 0 PID: 11497 at lib/refcount.c:22 refcount_warn_saturate+0x1b4/0x1f8
[ 90.842774][T11497] Modules linked in:
[ 90.843409][T11497] CPU: 0 PID: 11497 Comm: syz-executor.0 Tainted: G W syzkaller #0
[ 90.844934][T11497] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
[ 90.846521][T11497] pstate: 62400005 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
[ 90.847772][T11497] pc : refcount_warn_saturate+0x1b4/0x1f8
[ 90.848680][T11497] lr : refcount_warn_saturate+0x1b4/0x1f8
[ 90.849652][T11497] sp : ffff800022d779a0
[ 90.850326][T11497] x29: ffff800022d779a0 x28: ffff0000e53b3318 x27: 1fffe0001a91e2d5
[ 90.851585][T11497] x26: ffff0000c1da6780 x25: ffff80001421f000 x24: 1ffff00002843e30
[ 90.852878][T11497] x23: ffff0000c1da7150 x22: 00000000c0000000 x21: ffff0000c1da6800
[ 90.854123][T11497] x20: ffff0000c1da6800 x19: ffff8000166e2000 x18: 0000000000000001
[ 90.855485][T11497] x17: 0000000000000000 x16: ffff80001125f0fc x15: 00000000ffffffff
[ 90.856807][T11497] x14: 0000000000000001 x13: 1fffe000341f05ab x12: 0000000000ff0100
[ 90.857993][T11497] x11: 0000000000000000 x10: 0000000000000000 x9 : efd09f5fb08f2c00
[ 90.859330][T11497] x8 : efd09f5fb08f2c00 x7 : 0000000000000001 x6 : 0000000000000001
[ 90.860574][T11497] x5 : ffff800022d772b8 x4 : ffff80001437f3e0 x3 : ffff800008509220
[ 90.861826][T11497] x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000026
[ 90.863208][T11497] Call trace:
[ 90.863760][T11497] refcount_warn_saturate+0x1b4/0x1f8
[ 90.864643][T11497] mptcp_close+0x738/0x9e4
[ 90.865339][T11497] inet_release+0x120/0x16c
[ 90.866105][T11497] sock_close+0xb4/0x1f8
[ 90.866804][T11497] __fput+0x1c0/0x7e8
[ 90.867439][T11497] ____fput+0x20/0x30
[ 90.868079][T11497] task_work_run+0x12c/0x1d8
[ 90.868843][T11497] do_notify_resume+0x2450/0x309c
[ 90.869721][T11497] el0_svc+0xf0/0x1d0
[ 90.870337][T11497] el0t_64_sync_handler+0xcc/0xe4
[ 90.871194][T11497] el0t_64_sync+0x1a0/0x1a4
[ 90.871953][T11497] irq event stamp: 1552
[ 90.872651][T11497] hardirqs last enabled at (1551): [] _raw_spin_unlock_irqrestore+0xa8/0x14c
[ 90.874409][T11497] hardirqs last disabled at (1552): [] __schedule+0x2f0/0x1bc4
[ 90.875898][T11497] softirqs last enabled at (1532): [] local_bh_enable+0x10/0x34
[ 90.877328][T11497] softirqs last disabled at (1530): [] local_bh_disable+0x10/0x34
[ 90.878802][T11497] ---[ end trace 013c1dd2002ed256 ]---
[ 90.880123][T11497] ------------[ cut here ]------------
[ 90.880952][T11497] ODEBUG: assert_init not available (active state 0) object type: timer_list hint: mptcp_retransmit_timer+0x0/0x29c
[ 90.882886][T11497] WARNING: CPU: 0 PID: 11497 at lib/debugobjects.c:521 debug_print_object+0x148/0x1d4
[ 90.884291][T11497] Modules linked in:
[ 90.884891][T11497] CPU: 0 PID: 11497 Comm: syz-executor.0 Tainted: G W syzkaller #0
[ 90.886230][T11497] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
[ 90.887729][T11497] pstate: 62400005 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
[ 90.888933][T11497] pc : debug_print_object+0x148/0x1d4
[ 90.889727][T11497] lr : debug_print_object+0x148/0x1d4
[ 90.890507][T11497] sp : ffff800022d77760
[ 90.891086][T11497] x29: ffff800022d77760 x28: dfff800000000000 x27: 0000000000000000
[ 90.892332][T11497] x26: ffff8000142a0000 x25: ffff800008381750 x24: dfff800000000000
[ 90.893615][T11497] x23: 0000000000000000 x22: ffff80001114c3cc x21: ffff80001186f260
[ 90.894899][T11497] x20: ffff8000113d3160 x19: ffff80001186eda0 x18: 0000000000000001
[ 90.896156][T11497] x17: 0000000000000000 x16: ffff80001125f0fc x15: 00000000ffffffff
[ 90.897473][T11497] x14: 0000000000000001 x13: 1fffe000341f1cd7 x12: 0000000000ff0100
[ 90.898771][T11497] x11: 0000000000000000 x10: 0000000000000000 x9 : efd09f5fb08f2c00
[ 90.900040][T11497] x8 : efd09f5fb08f2c00 x7 : 0000000000000000 x6 : ffff800011324d4c
[ 90.901324][T11497] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff80000a75f10c
[ 90.902526][T11497] x2 : ffff0001a0f82d50 x1 : 0000000100000000 x0 : 0000000000000071
[ 90.903750][T11497] Call trace:
[ 90.904259][T11497] debug_print_object+0x148/0x1d4
[ 90.905048][T11497] debug_object_assert_init+0x24c/0x2c4
[ 90.905886][T11497] __timer_delete+0x50/0x21c
[ 90.906580][T11497] timer_delete+0x24/0x34
[ 90.907229][T11497] sk_stop_timer+0x24/0xcc
[ 90.907908][T11497] __mptcp_destroy_sock+0x288/0x610
[ 90.908713][T11497] mptcp_close+0x5b8/0x9e4
[ 90.909397][T11497] inet_release+0x120/0x16c
[ 90.910188][T11497] sock_close+0xb4/0x1f8
[ 90.910862][T11497] __fput+0x1c0/0x7e8
[ 90.911502][T11497] ____fput+0x20/0x30
[ 90.912162][T11497] task_work_run+0x12c/0x1d8
[ 90.912871][T11497] do_notify_resume+0x2450/0x309c
[ 90.913647][T11497] el0_svc+0xf0/0x1d0
[ 90.914276][T11497] el0t_64_sync_handler+0xcc/0xe4
[ 90.915032][T11497] el0t_64_sync+0x1a0/0x1a4
[ 90.915708][T11497] irq event stamp: 1552
[ 90.916345][T11497] hardirqs last enabled at (1551): [] _raw_spin_unlock_irqrestore+0xa8/0x14c
[ 90.917959][T11497] hardirqs last disabled at (1552): [] __schedule+0x2f0/0x1bc4
[ 90.919364][T11497] softirqs last enabled at (1532): [] local_bh_enable+0x10/0x34
[ 90.920807][T11497] softirqs last disabled at (1530): [] local_bh_disable+0x10/0x34
[ 90.922345][T11497] ---[ end trace 013c1dd2002ed257 ]---
[ 90.923262][T11497] ------------[ cut here ]------------
[ 90.924087][T11497] ODEBUG: assert_init not available (active state 0) object type: timer_list hint: mptcp_tout_timer+0x0/0xe0
[ 90.925923][T11497] WARNING: CPU: 0 PID: 11497 at lib/debugobjects.c:521 debug_print_object+0x148/0x1d4
[ 90.927371][T11497] Modules linked in:
[ 90.927940][T11497] CPU: 0 PID: 11497 Comm: syz-executor.0 Tainted: G W syzkaller #0
[ 90.929227][T11497] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
[ 90.930593][T11497] pstate: 62400005 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
[ 90.931743][T11497] pc : debug_print_object+0x148/0x1d4
[ 90.932536][T11497] lr : debug_print_object+0x148/0x1d4
[ 90.933397][T11497] sp : ffff800022d77760
[ 90.934044][T11497] x29: ffff800022d77760 x28: dfff800000000000 x27: 0000000000000001
[ 90.935327][T11497] x26: ffff8000142a0000 x25: ffff800008381750 x24: dfff800000000000
[ 90.936554][T11497] x23: 0000000000000000 x22: ffff80001114c668 x21: ffff80001186f260
[ 90.937817][T11497] x20: ffff8000113d3160 x19: ffff80001186eda0 x18: 0000000000000001
[ 90.939052][T11497] x17: 0000000000000000 x16: ffff80001125f0fc x15: 00000000ffffffff
[ 90.940282][T11497] x14: 0000000000000001 x13: 1fffe000341f1cd7 x12: 0000000000ff0100
[ 90.941589][T11497] x11: 0000000000000000 x10: 0000000000000000 x9 : efd09f5fb08f2c00
[ 90.942901][T11497] x8 : efd09f5fb08f2c00 x7 : 0000000000000001 x6 : 0000000000000001
[ 90.944234][T11497] x5 : ffff800022d77078 x4 : ffff80001437f3e0 x3 : ffff80000a75f10c
[ 90.945529][T11497] x2 : ffff0001a0f82d50 x1 : 0000000100000000 x0 : 000000000000006a
[ 90.946845][T11497] Call trace:
[ 90.947354][T11497] debug_print_object+0x148/0x1d4
[ 90.948168][T11497] debug_object_assert_init+0x24c/0x2c4
[ 90.949066][T11497] __timer_delete+0x50/0x21c
[ 90.949792][T11497] timer_delete+0x24/0x34
[ 90.950480][T11497] sk_stop_timer+0x24/0xcc
[ 90.951175][T11497] __mptcp_destroy_sock+0x294/0x610
[ 90.951995][T11497] mptcp_close+0x5b8/0x9e4
[ 90.952690][T11497] inet_release+0x120/0x16c
[ 90.953377][T11497] sock_close+0xb4/0x1f8
[ 90.954028][T11497] __fput+0x1c0/0x7e8
[ 90.954659][T11497] ____fput+0x20/0x30
[ 90.955240][T11497] task_work_run+0x12c/0x1d8
[ 90.956020][T11497] do_notify_resume+0x2450/0x309c
[ 90.956815][T11497] el0_svc+0xf0/0x1d0
[ 90.957431][T11497] el0t_64_sync_handler+0xcc/0xe4
[ 90.958268][T11497] el0t_64_sync+0x1a0/0x1a4
[ 90.959048][T11497] irq event stamp: 1552
[ 90.959687][T11497] hardirqs last enabled at (1551): [] _raw_spin_unlock_irqrestore+0xa8/0x14c
[ 90.961383][T11497] hardirqs last disabled at (1552): [] __schedule+0x2f0/0x1bc4
[ 90.963015][T11497] softirqs last enabled at (1532): [] local_bh_enable+0x10/0x34
[ 90.964515][T11497] softirqs last disabled at (1530): [] local_bh_disable+0x10/0x34
[ 90.966122][T11497] ---[ end trace 013c1dd2002ed258 ]---
[ 90.967424][T11497] ------------[ cut here ]------------
[ 90.968221][T11497] refcount_t: underflow; use-after-free.
[ 90.969204][T11497] WARNING: CPU: 0 PID: 11497 at lib/refcount.c:28 refcount_warn_saturate+0x154/0x1f8
[ 90.970753][T11497] Modules linked in:
[ 90.971440][T11497] CPU: 0 PID: 11497 Comm: syz-executor.0 Tainted: G W syzkaller #0
[ 90.973026][T11497] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
[ 90.974659][T11497] pstate: 62400005 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
[ 90.976003][T11497] pc : refcount_warn_saturate+0x154/0x1f8
[ 90.976939][T11497] lr : refcount_warn_saturate+0x154/0x1f8
[ 90.977791][T11497] sp : ffff800022d778c0
[ 90.978472][T11497] x29: ffff800022d778c0 x28: dfff800000000000 x27: ffff7000045aef20
[ 90.979740][T11497] x26: ffff0000c1da6780 x25: 1fffe000183b4e2a x24: ffff0000c1da7150
[ 90.981090][T11497] x23: ffff0000c1da7178 x22: 0000000000000000 x21: 00000000c0000000
[ 90.982496][T11497] x20: ffff0000c1da6800 x19: ffff8000166e2000 x18: 0000000000000001
[ 90.983863][T11497] x17: 0000000000000000 x16: ffff80001125f0fc x15: 00000000ffffffff
[ 90.985177][T11497] x14: 0000000000000001 x13: 1fffe000341f1cd7 x12: 0000000000ff0100
[ 90.986599][T11497] x11: 0000000000000000 x10: 0000000000000000 x9 : efd09f5fb08f2c00
[ 90.988072][T11497] x8 : efd09f5fb08f2c00 x7 : 0000000000000001 x6 : 0000000000000001
[ 90.989448][T11497] x5 : ffff800022d771d8 x4 : ffff80001437f3e0 x3 : ffff80000a75f10c
[ 90.990748][T11497] x2 : ffff0001a0f82d50 x1 : 0000000100000000 x0 : 0000000000000026
[ 90.992070][T11497] Call trace:
[ 90.992696][T11497] refcount_warn_saturate+0x154/0x1f8
[ 90.993621][T11497] __mptcp_destroy_sock+0x570/0x610
[ 90.994493][T11497] mptcp_close+0x5b8/0x9e4
[ 90.995191][T11497] inet_release+0x120/0x16c
[ 90.995950][T11497] sock_close+0xb4/0x1f8
[ 90.996610][T11497] __fput+0x1c0/0x7e8
[ 90.997201][T11497] ____fput+0x20/0x30
[ 90.997791][T11497] task_work_run+0x12c/0x1d8
[ 90.998568][T11497] do_notify_resume+0x2450/0x309c
[ 90.999411][T11497] el0_svc+0xf0/0x1d0
[ 91.000037][T11497] el0t_64_sync_handler+0xcc/0xe4
[ 91.000951][T11497] el0t_64_sync+0x1a0/0x1a4
[ 91.001702][T11497] irq event stamp: 1552
[ 91.002390][T11497] hardirqs last enabled at (1551): [] _raw_spin_unlock_irqrestore+0xa8/0x14c
[ 91.004224][T11497] hardirqs last disabled at (1552): [] __schedule+0x2f0/0x1bc4
[ 91.005751][T11497] softirqs last enabled at (1532): [] local_bh_enable+0x10/0x34
[ 91.007397][T11497] softirqs last disabled at (1530): [] local_bh_disable+0x10/0x34
[ 91.008853][T11497] ---[ end trace 013c1dd2002ed259 ]---
1970/01/01 00:01:34 executed programs: 3849
1970/01/01 00:01:39 executed programs: 4448