[ 431.616704][ T5846] status: 1, result: 0, skb: ffff8881131d9200, hci_req_sync_run
[ 433.703704][ T5133] Bluetooth: hci0: command 0x041b skb: ffff88810ca09600 tx timeout
[ 433.712211][ T5846] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 433.720906][ T5846] remove skb: ffff8881131d9200, __hci_cmd_sync_sk
[ 433.728116][ T7012] ------------[ cut here ]------------
[ 433.733772][ T7012] refcount_t: underflow; use-after-free.
[ 433.739822][ T7012] WARNING: CPU: 1 PID: 7012 at lib/refcount.c:28 refcount_warn_saturate+0x153/0x1c0
[ 433.749410][ T7012] Modules linked in:
[ 433.753682][ T7012] CPU: 1 UID: 0 PID: 7012 Comm: syz.0.106 Not tainted syzkaller #0 PREEMPT(full)
[ 433.763150][ T7012] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 433.773459][ T7012] RIP: 0010:refcount_warn_saturate+0x153/0x1c0
[ 433.779762][ T7012] Code: ff 89 de e8 5f 97 ce fe 84 db 0f 85 26 ff ff ff e8 42 9f ce fe c6 05 92 31 83 04 01 90 48 c7 c7 40 25 6c 86 e8 de ce b4 fe 90 <0f> 0b 90 90 e9 03 ff ff ff e8 1f 9f ce fe 0f b6 1d 6d 31 83 04 31
[ 433.799664][ T7012] RSP: 0018:ffffc90002e33b68 EFLAGS: 00010282
[ 433.805735][ T7012] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8147c615
[ 433.814059][ T7012] RDX: ffff8881033eb480 RSI: ffffffff8147c61e RDI: 0000000000000001
[ 433.822198][ T7012] RBP: ffff8881135a69e4 R08: 0000000000000001 R09: 0000000000000000
[ 433.830364][ T7012] R10: 0000000000000001 R11: 205d323130375420 R12: 0000000000000068
[ 433.838438][ T7012] R13: 0000000000000000 R14: ffff8881135a69e4 R15: ffff888128a79734
[ 433.846780][ T7012] FS: 0000000000000000(0000) GS:ffff8881b26c2000(0000) knlGS:0000000000000000
[ 433.855936][ T7012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 433.862681][ T7012] CR2: 0000555559365808 CR3: 0000000108f3c000 CR4: 00000000003526f0
[ 433.870891][ T7012] Call Trace:
[ 433.874270][ T7012]
[ 433.877285][ T7012] sk_skb_reason_drop+0x1d3/0x240
[ 433.882315][ T7012] skb_queue_purge_reason+0x128/0x160
[ 433.887725][ T7012] ? __pfx_vhci_flush+0x10/0x10
[ 433.892581][ T7012] vhci_flush+0x22/0x30
[ 433.896779][ T7012] hci_dev_close_sync+0x3a3/0x7f0
[ 433.901845][ T7012] ? __cancel_work_sync+0xc0/0xf0
[ 433.906917][ T7012] hci_unregister_dev+0x12c/0x250
[ 433.912032][ T7012] vhci_release+0xc0/0x100
[ 433.916469][ T7012] ? __pfx_vhci_release+0x10/0x10
[ 433.921575][ T7012] __fput+0x1ba/0x4f0
[ 433.925569][ T7012] task_work_run+0x91/0xe0
[ 433.930098][ T7012] do_exit+0x390/0x11c0
[ 433.934280][ T7012] do_group_exit+0x4e/0xd0
[ 433.938715][ T7012] get_signal+0xd96/0xeb0
[ 433.943108][ T7012] arch_do_signal_or_restart+0x43/0x430
[ 433.948680][ T7012] exit_to_user_mode_loop+0x65/0xf0
[ 433.953901][ T7012] do_syscall_64+0x28e/0xfa0
[ 433.958857][ T7012] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 433.964862][ T7012] RIP: 0033:0x7f639f18f6c9
[ 433.969368][ T7012] Code: Unable to access opcode bytes at 0x7f639f18f69f.
[ 433.976481][ T7012] RSP: 002b:00007f63a00230e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 433.985331][ T7012] RAX: fffffffffffffe00 RBX: 00007f639f3e5fa8 RCX: 00007f639f18f6c9
[ 433.993289][ T7012] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f639f3e5fa8
[ 434.001458][ T7012] RBP: 00007f639f3e5fa0 R08: 0000000000000000 R09: 0000000000000000
[ 434.009537][ T7012] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 434.017732][ T7012] R13: 00007f639f3e6038 R14: 00007fff74db6f00 R15: 00007fff74db6fe8
[ 434.025712][ T7012]
[ 434.028802][ T7012] ---[ end trace 0000000000000000 ]---
[ 434.206027][ T35] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 434.245142][ T35] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 434.284950][ T35] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 434.345260][ T35] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 434.400385][ T35] bridge_slave_1: left allmulticast mode
[ 434.406287][ T35] bridge_slave_1: left promiscuous mode
[ 434.412058][ T35] bridge0: port 2(bridge_slave_1) entered disabled state
[ 434.419575][ T35] bridge_slave_0: left allmulticast mode
[ 434.425269][ T35] bridge_slave_0: left promiscuous mode
[ 434.431338][ T35] bridge0: port 1(bridge_slave_0) entered disabled state
[ 434.486002][ T35] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 434.495230][ T35] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 434.504337][ T35] bond0 (unregistering): Released all slaves
[ 434.646776][ T35] hsr_slave_0: left promiscuous mode
[ 434.652475][ T35] hsr_slave_1: left promiscuous mode
[ 434.658157][ T35] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 434.665838][ T35] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 434.673205][ T35] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 434.680637][ T35] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 434.688933][ T35] veth1_macvtap: left promiscuous mode
[ 434.694758][ T35] veth0_macvtap: left promiscuous mode
[ 434.700342][ T35] veth1_vlan: left promiscuous mode
[ 434.705873][ T35] veth0_vlan: left promiscuous mode
[ 434.729991][ T35] team0 (unregistering): Port device team_slave_1 removed
[ 434.738564][ T35] team0 (unregistering): Port device team_slave_0 removed
Warning: Permanently added '10.128.0.191' (ED25519) to the list of known hosts.
[ 438.824189][ T1307] ieee802154 phy0 wpan0: encryption failed: -22
[ 438.830773][ T1307] ieee802154 phy1 wpan1: encryption failed: -22
[ 443.131989][ T5846] status: 1, result: 0, skb: ffff8881131d9400, hci_req_sync_run
[ 443.140614][ T5133] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 443.147896][ T5846] err: 0, status: 0, result: 0, skb: ffff888126b41900, __hci_cmd_sync_sk
[ 443.156339][ T5846] status: 1, result: 0, skb: ffff8881131d9100, hci_req_sync_run
[ 443.164070][ T5133] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 443.171227][ T5846] err: 0, status: 0, result: 0, skb: ffff888126b41700, __hci_cmd_sync_sk
[ 443.179843][ T5846] status: 1, result: 0, skb: ffff8881131d9a00, hci_req_sync_run
[ 443.187637][ T5133] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 443.194913][ T5846] err: 0, status: 0, result: 0, skb: ffff888126b41e00, __hci_cmd_sync_sk
[ 443.203522][ T5846] status: 1, result: 0, skb: ffff8881131d9800, hci_req_sync_run
[ 443.211275][ T5846] err: 0, status: 0, result: 0, skb: ffff888126b41700, __hci_cmd_sync_sk
[ 443.219833][ T5846] status: 1, result: 0, skb: ffff888126b41700, hci_req_sync_run
[ 443.227833][ T5846] err: 0, status: 0, result: 0, skb: ffff8881131d9600, __hci_cmd_sync_sk
[ 443.236438][ T5846] status: 1, result: 0, skb: ffff888126b41b00, hci_req_sync_run
[ 443.244145][ T5133] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 443.251201][ T5846] err: 0, status: 0, result: 0, skb: ffff888126b41f00, __hci_cmd_sync_sk
[ 443.259918][ T5846] status: 1, result: 0, skb: ffff8881131d9b00, hci_req_sync_run
[ 443.267726][ T5846] err: 0, status: 0, result: 0, skb: ffff8881131d9900, __hci_cmd_sync_sk
[ 443.276181][ T5846] status: 1, result: 0, skb: ffff8881131d9900, hci_req_sync_run
[ 443.284006][ T5133] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 443.291063][ T5846] err: 0, status: 0, result: 0, skb: ffff8881131d9500, __hci_cmd_sync_sk
[ 443.299752][ T5846] status: 1, result: 0, skb: ffff888126b41d00, hci_req_sync_run
[ 443.307973][ T5846] err: 0, status: 0, result: 0, skb: ffff8881131d9700, __hci_cmd_sync_sk
[ 443.316443][ T5846] status: 1, result: 0, skb: ffff888126b41b00, hci_req_sync_run
executing program
[ 443.324183][ T5846] err: 0, status: 0, result: 0, skb: ffff8881131d9700, __hci_cmd_sync_sk
[ 443.333623][ T7089] status: 1, result: 0, skb: ffff888126b41a00, hci_req_sync_run
[ 443.341509][ T7089] err: 0, status: 0, result: 0, skb: ffff8881131d9900, __hci_cmd_sync_sk
[ 443.366021][ T7093] Bluetooth: MGMT ver 1.23
[ 443.371086][ T5133] status: 1, result: 0, skb: ffff8881131d9800, hci_req_sync_run
[ 445.383656][ T5846] Bluetooth: hci0: command tx timeout
[ 447.463669][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 447.471650][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 447.480458][ T5133] remove skb: ffff8881131d9800, __hci_cmd_sync_sk
executing program
[ 448.644014][ T5133] status: 1, result: 0, skb: ffff888126202500, hci_req_sync_run
[ 449.543632][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 449.551669][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 449.560479][ T5133] remove skb: ffff888126202500, __hci_cmd_sync_sk
[ 451.623724][ T5133] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
executing program
[ 453.926217][ T5133] status: 1, result: 0, skb: ffff88810ca09b00, hci_req_sync_run
[ 455.943718][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 455.951845][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 455.960544][ T5133] remove skb: ffff88810ca09b00, __hci_cmd_sync_sk
executing program
[ 459.184075][ T5133] status: 1, result: 0, skb: ffff888126202500, hci_req_sync_run
[ 461.223684][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 461.231851][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 461.241312][ T5133] remove skb: ffff888126202500, __hci_cmd_sync_sk
executing program
[ 464.441697][ T5133] status: 1, result: 0, skb: ffff88810ca09c00, hci_req_sync_run
[ 466.503653][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 466.511929][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 466.520729][ T5133] remove skb: ffff88810ca09c00, __hci_cmd_sync_sk
executing program
[ 469.700213][ T5133] status: 1, result: 0, skb: ffff888126202d00, hci_req_sync_run
[ 471.783704][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 471.791755][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 471.800455][ T5133] remove skb: ffff888126202d00, __hci_cmd_sync_sk
executing program
[ 474.962731][ T5133] status: 1, result: 0, skb: ffff888126202b00, hci_req_sync_run
[ 476.983690][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 476.991987][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 477.000855][ T5133] remove skb: ffff888126202b00, __hci_cmd_sync_sk
executing program
[ 480.231562][ T5133] status: 1, result: 0, skb: ffff888126202200, hci_req_sync_run
[ 482.263687][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 482.271852][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 482.280714][ T5133] remove skb: ffff888126202200, __hci_cmd_sync_sk
executing program
[ 485.505487][ T5133] status: 1, result: 0, skb: ffff888126202c00, hci_req_sync_run
[ 487.543670][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 487.551670][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 487.560905][ T5133] remove skb: ffff888126202c00, __hci_cmd_sync_sk
executing program
[ 490.778581][ T5133] status: 1, result: 0, skb: ffff888126202400, hci_req_sync_run
[ 492.823737][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 492.831891][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 492.840702][ T5133] remove skb: ffff888126202400, __hci_cmd_sync_sk
executing program
[ 496.047061][ T5133] status: 1, result: 0, skb: ffff888126202c00, hci_req_sync_run
[ 498.103657][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 498.111693][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 498.120838][ T5133] remove skb: ffff888126202c00, __hci_cmd_sync_sk
[ 500.264189][ T1307] ieee802154 phy0 wpan0: encryption failed: -22
[ 500.270517][ T1307] ieee802154 phy1 wpan1: encryption failed: -22
executing program
[ 501.312638][ T5133] status: 1, result: 0, skb: ffff888126450200, hci_req_sync_run
[ 503.383624][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 503.391696][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 503.400393][ T5133] remove skb: ffff888126450200, __hci_cmd_sync_sk
executing program
[ 506.570614][ T5133] status: 1, result: 0, skb: ffff888126450200, hci_req_sync_run
[ 508.583675][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 508.591752][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 508.600539][ T5133] remove skb: ffff888126450200, __hci_cmd_sync_sk
executing program
[ 511.830237][ T5133] status: 1, result: 0, skb: ffff888126450200, hci_req_sync_run
[ 513.863674][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 513.871781][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 513.880473][ T5133] remove skb: ffff888126450200, __hci_cmd_sync_sk
executing program
[ 517.098665][ T5133] status: 1, result: 0, skb: ffff88810ca09300, hci_req_sync_run
[ 519.143668][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 519.151632][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 519.160601][ T5133] remove skb: ffff88810ca09300, __hci_cmd_sync_sk
executing program
[ 522.344895][ T5133] status: 1, result: 0, skb: ffff888126450400, hci_req_sync_run
[ 524.423626][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 524.431843][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 524.440556][ T5133] remove skb: ffff888126450400, __hci_cmd_sync_sk
executing program
[ 527.597122][ T5133] status: 1, result: 0, skb: ffff888126450a00, hci_req_sync_run
[ 529.623627][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 529.631712][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 529.640413][ T5133] remove skb: ffff888126450a00, __hci_cmd_sync_sk
executing program
[ 532.842886][ T5133] status: 1, result: 0, skb: ffff888126450f00, hci_req_sync_run
[ 534.903676][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 534.911716][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 534.920618][ T5133] remove skb: ffff888126450f00, __hci_cmd_sync_sk
executing program
[ 538.106335][ T5133] status: 1, result: 0, skb: ffff888112652700, hci_req_sync_run
[ 540.183730][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 540.191793][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 540.200762][ T5133] remove skb: ffff888112652700, __hci_cmd_sync_sk
executing program
[ 543.369382][ T5133] status: 1, result: 0, skb: ffff888126450e00, hci_req_sync_run
[ 545.383618][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 545.391796][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 545.400501][ T5133] remove skb: ffff888126450e00, __hci_cmd_sync_sk
executing program
[ 548.655412][ T5133] status: 1, result: 0, skb: ffff888126450c00, hci_req_sync_run
[ 550.663666][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 550.671950][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 550.680784][ T5133] remove skb: ffff888126450c00, __hci_cmd_sync_sk
executing program
[ 553.923316][ T5133] status: 1, result: 0, skb: ffff888126450c00, hci_req_sync_run
[ 555.943633][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 555.951796][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 555.960567][ T5133] remove skb: ffff888126450c00, __hci_cmd_sync_sk
executing program
[ 559.185302][ T5133] status: 1, result: 0, skb: ffff888126450c00, hci_req_sync_run
[ 561.223618][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 561.232377][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 561.241238][ T5133] remove skb: ffff888126450c00, __hci_cmd_sync_sk
[ 561.704299][ T1307] ieee802154 phy0 wpan0: encryption failed: -22
[ 561.710788][ T1307] ieee802154 phy1 wpan1: encryption failed: -22
executing program
[ 564.436837][ T5133] status: 1, result: 0, skb: ffff888112652200, hci_req_sync_run
[ 566.503606][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 566.511587][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 566.520349][ T5133] remove skb: ffff888112652200, __hci_cmd_sync_sk
[ 566.823683][ T5133] status: 1, result: 0, skb: ffff888112652200, hci_req_sync_run
[ 568.903557][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 568.903600][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 568.912342][ T5133] remove skb: ffff888112652200, __hci_cmd_sync_sk
executing program
[ 569.705412][ T5133] status: 1, result: 0, skb: ffff88811af8df00, hci_req_sync_run
[ 571.783599][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 571.791838][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 571.800793][ T5133] remove skb: ffff88811af8df00, __hci_cmd_sync_sk
executing program
[ 574.968541][ T5133] status: 1, result: 0, skb: ffff888112652500, hci_req_sync_run
[ 576.983631][ T5846] Bluetooth: hci0: command 0x041b skb: ffff8881131d9a00 tx timeout
[ 576.991672][ T5133] err: -110, status: 0, result: 0, skb: 0000000000000000, __hci_cmd_sync_sk
[ 577.000373][ T5133] remove skb: ffff888112652500, __hci_cmd_sync_sk