Warning: Permanently added '10.128.1.123' (ED25519) to the list of known hosts.
1970/01/01 00:01:08 parsed 1 programs
[ 69.453756][ T4392] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SSFS
[ 69.613598][ T7] cfg80211: failed to load regulatory.db
[ 69.615403][ T2063] ieee802154 phy0 wpan0: encryption failed: -22
[ 69.616397][ T2063] ieee802154 phy1 wpan1: encryption failed: -22
[ 70.567449][ T4515] chnl_net:caif_netlink_parms(): no params data found
[ 70.584861][ T4515] bridge0: port 1(bridge_slave_0) entered blocking state
[ 70.586046][ T4515] bridge0: port 1(bridge_slave_0) entered disabled state
[ 70.587575][ T4515] device bridge_slave_0 entered promiscuous mode
[ 70.589745][ T4515] bridge0: port 2(bridge_slave_1) entered blocking state
[ 70.590985][ T4515] bridge0: port 2(bridge_slave_1) entered disabled state
[ 70.592889][ T4515] device bridge_slave_1 entered promiscuous mode
[ 70.600104][ T4515] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 70.602856][ T4515] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 70.610322][ T4515] team0: Port device team_slave_0 added
[ 70.612589][ T4515] team0: Port device team_slave_1 added
[ 70.618644][ T4515] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 70.619778][ T4515] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 70.624329][ T4515] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 70.626741][ T4515] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 70.627841][ T4515] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 70.632317][ T4515] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 70.672930][ T4515] device hsr_slave_0 entered promiscuous mode
[ 70.711954][ T4515] device hsr_slave_1 entered promiscuous mode
[ 71.320834][ T4515] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 71.345203][ T4515] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 71.421896][ T4515] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 71.463179][ T4515] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 71.479068][ T4515] bridge0: port 2(bridge_slave_1) entered blocking state
[ 71.480245][ T4515] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 71.481521][ T4515] bridge0: port 1(bridge_slave_0) entered blocking state
[ 71.482784][ T4515] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 71.518523][ T4515] 8021q: adding VLAN 0 to HW filter on device bond0
[ 71.524394][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 71.526290][ T1646] bridge0: port 1(bridge_slave_0) entered disabled state
[ 71.527864][ T1646] bridge0: port 2(bridge_slave_1) entered disabled state
[ 71.529627][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 71.543645][ T4515] 8021q: adding VLAN 0 to HW filter on device team0
[ 71.547060][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 71.548619][ T1646] bridge0: port 1(bridge_slave_0) entered blocking state
[ 71.549793][ T1646] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 71.553533][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 71.555052][ T1646] bridge0: port 2(bridge_slave_1) entered blocking state
[ 71.556270][ T1646] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 71.563495][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 71.573936][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 71.576637][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 71.578626][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 71.580185][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 71.592508][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 71.594438][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 71.596014][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 71.598010][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 71.601092][ T4515] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 71.608130][ T4515] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 71.609661][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 71.611310][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 71.693770][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 71.695173][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 71.698264][ T4515] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 71.712743][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 71.714440][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 71.727021][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 71.728595][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 71.730339][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 71.731710][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 71.743817][ T4515] device veth0_vlan entered promiscuous mode
[ 71.752062][ T4515] device veth1_vlan entered promiscuous mode
[ 71.763329][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 71.764782][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 71.766233][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 71.767687][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 71.773203][ T4515] device veth0_macvtap entered promiscuous mode
[ 71.778673][ T4515] device veth1_macvtap entered promiscuous mode
[ 71.792876][ T4515] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 71.794155][ T434] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 71.795607][ T434] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 71.797115][ T434] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 71.798594][ T434] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 71.813879][ T4515] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 71.815081][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 71.816663][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 71.819481][ T4515] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 71.820971][ T4515] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 71.822922][ T4515] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 71.824392][ T4515] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 72.328291][ T136] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 74.754569][ T136] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 77.074558][ T136] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 77.115707][ T136] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 77.330623][ T9] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 77.332339][ T9] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 77.334158][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 77.342150][ T9] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 77.343534][ T9] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 77.344939][ T434] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
1970/01/01 00:01:17 executed programs: 0
[ 77.619424][ T4926] chnl_net:caif_netlink_parms(): no params data found
[ 77.637440][ T4926] bridge0: port 1(bridge_slave_0) entered blocking state
[ 77.638611][ T4926] bridge0: port 1(bridge_slave_0) entered disabled state
[ 77.640180][ T4926] device bridge_slave_0 entered promiscuous mode
[ 77.643671][ T4926] bridge0: port 2(bridge_slave_1) entered blocking state
[ 77.644889][ T4926] bridge0: port 2(bridge_slave_1) entered disabled state
[ 77.646472][ T4926] device bridge_slave_1 entered promiscuous mode
[ 77.655916][ T4926] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 77.660143][ T4926] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 77.668701][ T4926] team0: Port device team_slave_0 added
[ 77.677367][ T4926] team0: Port device team_slave_1 added
[ 77.684220][ T4926] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 77.685303][ T4926] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 77.689686][ T4926] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 77.693602][ T4926] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 77.694700][ T4926] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 77.699059][ T4926] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 77.753157][ T4926] device hsr_slave_0 entered promiscuous mode
[ 77.802086][ T4926] device hsr_slave_1 entered promiscuous mode
[ 77.841873][ T4926] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 77.843053][ T4926] Cannot create hsr debugfs directory
[ 78.357042][ T4926] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 78.393000][ T4926] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 78.438838][ T4926] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 78.473718][ T4926] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 78.533076][ T4926] 8021q: adding VLAN 0 to HW filter on device bond0
[ 78.537251][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 78.538883][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 78.543182][ T4926] 8021q: adding VLAN 0 to HW filter on device team0
[ 78.545856][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 78.547579][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 78.549063][ T1646] bridge0: port 1(bridge_slave_0) entered blocking state
[ 78.550167][ T1646] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 78.555892][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 78.557664][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 78.559268][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 78.560720][ T1646] bridge0: port 2(bridge_slave_1) entered blocking state
[ 78.561922][ T1646] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 78.570973][ T4926] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 78.573309][ T4926] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 78.576489][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 78.578180][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 78.579709][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 78.582435][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 78.584451][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 78.586270][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 78.587985][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 78.589475][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 78.591113][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 78.593817][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 78.597212][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 78.598774][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 78.639698][ T4926] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 78.642943][ T434] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 78.644305][ T434] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 78.649880][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 78.651555][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 78.660785][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 78.662673][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 78.664717][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 78.666210][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 78.669379][ T4926] device veth0_vlan entered promiscuous mode
[ 78.674597][ T4926] device veth1_vlan entered promiscuous mode
[ 78.682908][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 78.684426][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 78.685903][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 78.687383][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 78.690225][ T4926] device veth0_macvtap entered promiscuous mode
[ 78.693383][ T4926] device veth1_macvtap entered promiscuous mode
[ 78.698132][ T4926] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
[ 78.699857][ T4926] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 78.702800][ T4926] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 78.704041][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 78.705806][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 78.707224][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 78.708845][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 78.720960][ T4926] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
[ 78.723192][ T4926] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 78.725653][ T4926] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 78.727152][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 78.728884][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 78.731732][ T4926] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 78.733709][ T4926] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 78.735147][ T4926] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 78.736576][ T4926] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 78.760679][ T1646] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 78.762042][ T1646] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 78.763390][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 78.771387][ T1646] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 78.772822][ T1646] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 78.774876][ T1646] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 78.794262][ T144]
[ 78.794715][ T144] =====================================
[ 78.795650][ T144] WARNING: bad unlock balance detected!
[ 78.796565][ T144] syzkaller #0 Not tainted
[ 78.797253][ T144] -------------------------------------
[ 78.798132][ T144] kworker/u5:0/144 is trying to release lock (&chan->lock) at:
[ 78.799432][ T144] [] l2cap_recv_frame+0xeb4/0x74dc
[ 78.800515][ T144] but there are no more locks to release!
[ 78.801466][ T144]
[ 78.801466][ T144] other info that might help us debug this:
[ 78.802811][ T144] 2 locks held by kworker/u5:0/144:
[ 78.803666][ T144] #0: ffff0000de1de938 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x678/0x1138
[ 78.805410][ T144] #1: ffff80001bed7c00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x6b8/0x1138
[ 78.807376][ T144]
[ 78.807376][ T144] stack backtrace:
[ 78.808397][ T144] CPU: 1 PID: 144 Comm: kworker/u5:0 Not tainted syzkaller #0
[ 78.809620][ T144] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
[ 78.811364][ T144] Workqueue: hci0 hci_rx_work
[ 78.812166][ T144] Call trace:
[ 78.812716][ T144] dump_backtrace+0x0/0x458
[ 78.813423][ T144] show_stack+0x2c/0x3c
[ 78.814126][ T144] __dump_stack+0x30/0x40
[ 78.814802][ T144] dump_stack_lvl+0xf4/0x15c
[ 78.815566][ T144] dump_stack+0x1c/0x5c
[ 78.816269][ T144] print_unlock_imbalance_bug+0x11c/0x160
[ 78.817261][ T144] lock_release+0x454/0x8e0
[ 78.818039][ T144] __mutex_unlock_slowpath+0xc4/0x5e4
[ 78.818892][ T144] mutex_unlock+0x90/0xec
[ 78.819625][ T144] l2cap_recv_frame+0xeb4/0x74dc
[ 78.820413][ T144] l2cap_recv_acldata+0x4dc/0x1364
[ 78.821229][ T144] hci_rx_work+0x3a0/0x868
[ 78.821905][ T144] process_one_work+0x79c/0x1138
[ 78.822639][ T144] worker_thread+0x8f4/0x1034
[ 78.823355][ T144] kthread+0x374/0x454
[ 78.824009][ T144] ret_from_fork+0x10/0x20
[ 79.612725][ T13] Bluetooth: hci0: command 0x0409 tx timeout
[ 79.644560][ T136] device hsr_slave_0 left promiscuous mode
[ 79.682156][ T136] device hsr_slave_1 left promiscuous mode
[ 79.771875][ T136] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 79.773149][ T136] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 79.775142][ T136] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 79.776432][ T136] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 79.777851][ T136] device bridge_slave_1 left promiscuous mode
[ 79.778883][ T136] bridge0: port 2(bridge_slave_1) entered disabled state
[ 79.812779][ T136] device bridge_slave_0 left promiscuous mode
[ 79.813888][ T136] bridge0: port 1(bridge_slave_0) entered disabled state
[ 79.941882][ T136] device veth1_macvtap left promiscuous mode
[ 79.942931][ T136] device veth0_macvtap left promiscuous mode
[ 79.943926][ T136] device veth1_vlan left promiscuous mode
[ 79.944913][ T136] device veth0_vlan left promiscuous mode
[ 80.021030][ T136] team0 (unregistering): Port device team_slave_1 removed
[ 80.026542][ T136] team0 (unregistering): Port device team_slave_0 removed
[ 80.033669][ T136] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 80.064897][ T136] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 80.164334][ T136] bond0 (unregistering): Released all slaves
[ 81.681851][ T25] Bluetooth: hci0: command 0x041b tx timeout
1970/01/01 00:01:22 executed programs: 210
[ 82.930222][ T144] ==================================================================
[ 82.931568][ T144] BUG: KASAN: use-after-free in do_raw_spin_lock+0x244/0x2fc
[ 82.932882][ T144] Read of size 4 at addr ffff0000e87c608c by task kworker/u5:0/144
[ 82.934314][ T144]
[ 82.934696][ T144] CPU: 1 PID: 144 Comm: kworker/u5:0 Not tainted syzkaller #0
[ 82.935998][ T144] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
[ 82.937777][ T144] Workqueue: hci0 hci_rx_work
[ 82.938535][ T144] Call trace:
[ 82.939057][ T144] dump_backtrace+0x0/0x458
[ 82.939742][ T144] show_stack+0x2c/0x3c
[ 82.940428][ T144] __dump_stack+0x30/0x40
[ 82.941163][ T144] dump_stack_lvl+0xf4/0x15c
[ 82.941953][ T144] print_address_description+0x78/0x30c
[ 82.942876][ T144] kasan_report+0xec/0x158
[ 82.943580][ T144] __asan_report_load4_noabort+0x44/0x50
[ 82.944581][ T144] do_raw_spin_lock+0x244/0x2fc
[ 82.945388][ T144] _raw_spin_lock_bh+0x11c/0x1b4
[ 82.946212][ T144] __lock_sock+0x114/0x264
[ 82.946975][ T144] lock_sock_nested+0x124/0x1d4
[ 82.947803][ T144] l2cap_sock_recv_cb+0x5c/0x1c4
[ 82.948635][ T144] l2cap_recv_frame+0xe08/0x74dc
[ 82.949510][ T144] l2cap_recv_acldata+0x4dc/0x1364
[ 82.950396][ T144] hci_rx_work+0x3a0/0x868
[ 82.951179][ T144] process_one_work+0x79c/0x1138
[ 82.952026][ T144] worker_thread+0x8f4/0x1034
[ 82.952794][ T144] kthread+0x374/0x454
[ 82.953464][ T144] ret_from_fork+0x10/0x20
[ 82.954204][ T144]
[ 82.954578][ T144] Allocated by task 5530:
[ 82.955303][ T144] __kasan_kmalloc+0xb0/0xf0
[ 82.956072][ T144] __kmalloc+0x290/0x43c
[ 82.956738][ T144] sk_prot_alloc+0xc4/0x1ec
[ 82.957487][ T144] sk_alloc+0x40/0x384
[ 82.958144][ T144] l2cap_sock_create+0x140/0x350
[ 82.959052][ T144] bt_sock_create+0x14c/0x24c
[ 82.959827][ T144] __sock_create+0x4b0/0x8b4
[ 82.960607][ T144] __sys_socket+0xf0/0x18c
[ 82.961381][ T144] __arm64_sys_socket+0x7c/0x94
[ 82.962199][ T144] invoke_syscall+0x98/0x2b0
[ 82.962979][ T144] el0_svc_common+0x138/0x258
[ 82.963753][ T144] do_el0_svc+0x58/0x13c
[ 82.964413][ T144] el0_svc+0x78/0x1d0
[ 82.965015][ T144] el0t_64_sync_handler+0xcc/0xe4
[ 82.965827][ T144] el0t_64_sync+0x1a0/0x1a4
[ 82.966586][ T144]
[ 82.966991][ T144] Freed by task 5529:
[ 82.967651][ T144] kasan_set_track+0x4c/0x84
[ 82.968426][ T144] kasan_set_free_info+0x28/0x4c
[ 82.969243][ T144] ____kasan_slab_free+0x118/0x164
[ 82.970122][ T144] __kasan_slab_free+0x18/0x28
[ 82.970934][ T144] slab_free_freelist_hook+0x128/0x1e4
[ 82.971821][ T144] kfree+0x16c/0x400
[ 82.972436][ T144] __sk_destruct+0x43c/0x610
[ 82.973195][ T144] __sk_free+0x320/0x430
[ 82.973854][ T144] sk_free+0x68/0xd4
[ 82.974525][ T144] l2cap_sock_kill+0x114/0x21c
[ 82.975308][ T144] l2cap_sock_release+0x144/0x1bc
[ 82.976177][ T144] sock_close+0xb4/0x1f8
[ 82.976942][ T144] __fput+0x1c0/0x7e8
[ 82.977600][ T144] ____fput+0x20/0x30
[ 82.978323][ T144] task_work_run+0x12c/0x1d8
[ 82.979086][ T144] do_notify_resume+0x2450/0x309c
[ 82.979908][ T144] el0_svc+0xf0/0x1d0
[ 82.980567][ T144] el0t_64_sync_handler+0xcc/0xe4
[ 82.981419][ T144] el0t_64_sync+0x1a0/0x1a4
[ 82.982148][ T144]
[ 82.982515][ T144] The buggy address belongs to the object at ffff0000e87c6000
[ 82.982515][ T144] which belongs to the cache kmalloc-2k of size 2048
[ 82.984927][ T144] The buggy address is located 140 bytes inside of
[ 82.984927][ T144] 2048-byte region [ffff0000e87c6000, ffff0000e87c6800)
[ 82.987092][ T144] The buggy address belongs to the page:
[ 82.988029][ T144] page:00000000360f27ae refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1287c0
[ 82.989756][ T144] head:00000000360f27ae order:3 compound_mapcount:0 compound_pincount:0
[ 82.991188][ T144] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 82.992550][ T144] raw: 05ffc00000010200 fffffc000323b800 0000000300000003 ffff0000c0002900
[ 82.993983][ T144] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 82.995419][ T144] page dumped because: kasan: bad access detected
[ 82.996468][ T144]
[ 82.996828][ T144] Memory state around the buggy address:
[ 82.997708][ T144]  ffff0000e87c5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 82.998983][ T144]  ffff0000e87c6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 83.000318][ T144] >ffff0000e87c6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 83.001714][ T144]                       ^
[ 83.002433][ T144]  ffff0000e87c6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 83.003726][ T144]  ffff0000e87c6180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 83.004997][ T144] ==================================================================
[ 83.761791][ T4170] Bluetooth: hci0: command 0x040f tx timeout
[ 85.851846][ T4169] Bluetooth: hci0: command 0x0419 tx timeout
1970/01/01 00:01:27 executed programs: 504