Warning: Permanently added '10.128.0.204' (ED25519) to the list of known hosts.
1970/01/01 00:01:21 ignoring optional flag "sandboxArg"="0"
1970/01/01 00:01:21 ignoring optional flag "type"="gce"
1970/01/01 00:01:21 parsed 1 programs
[ 84.308481][ T4445] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SSFS
[ 91.380064][ T4481] chnl_net:caif_netlink_parms(): no params data found
[ 91.410745][ T4481] bridge0: port 1(bridge_slave_0) entered blocking state
[ 91.412883][ T4481] bridge0: port 1(bridge_slave_0) entered disabled state
[ 91.415359][ T4481] device bridge_slave_0 entered promiscuous mode
[ 91.418687][ T4481] bridge0: port 2(bridge_slave_1) entered blocking state
[ 91.420646][ T4481] bridge0: port 2(bridge_slave_1) entered disabled state
[ 91.423302][ T4481] device bridge_slave_1 entered promiscuous mode
[ 91.436064][ T4481] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 91.440139][ T4481] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 91.458175][ T4481] team0: Port device team_slave_0 added
[ 91.461189][ T4481] team0: Port device team_slave_1 added
[ 91.471968][ T4481] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 91.474054][ T4481] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 91.481049][ T4481] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 91.487722][ T4481] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 91.489630][ T4481] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 91.497337][ T4481] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 91.564007][ T4481] device hsr_slave_0 entered promiscuous mode
[ 91.612420][ T4481] device hsr_slave_1 entered promiscuous mode
[ 92.271988][ T4481] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 92.304393][ T4481] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 92.347087][ T4481] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 92.397739][ T4481] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 92.548753][ T4481] 8021q: adding VLAN 0 to HW filter on device bond0
[ 92.555690][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 92.558209][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 92.567716][ T4481] 8021q: adding VLAN 0 to HW filter on device team0
[ 92.571854][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 92.575958][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 92.578504][ T148] bridge0: port 1(bridge_slave_0) entered blocking state
[ 92.580533][ T148] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 92.587169][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 92.596960][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 92.599715][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 92.613606][ T148] bridge0: port 2(bridge_slave_1) entered blocking state
[ 92.615645][ T148] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 92.619872][ T578] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 92.627113][ T578] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 92.644017][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 92.647594][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 92.654916][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 92.665474][ T578] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 92.668440][ T578] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 92.673617][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 92.676196][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 92.693936][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 92.697264][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 92.701258][ T4481] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 92.843170][ T578] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 92.845367][ T578] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 92.858002][ T4481] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 92.879746][ T578] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 92.882938][ T578] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 92.900588][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 92.903418][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 92.906710][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 92.909486][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 92.916565][ T4481] device veth0_vlan entered promiscuous mode
[ 92.922995][ T4481] device veth1_vlan entered promiscuous mode
[ 92.938658][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 92.941346][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 92.945357][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 92.948593][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 92.957211][ T4481] device veth0_macvtap entered promiscuous mode
[ 92.961549][ T4481] device veth1_macvtap entered promiscuous mode
[ 92.976735][ T4481] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 92.978984][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 92.981718][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 92.984747][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 92.987815][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 92.995956][ T4481] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 93.000190][ T4481] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 93.003516][ T4481] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 93.005938][ T4481] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 93.008357][ T4481] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 93.011795][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 93.021342][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 94.240378][ T153] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 94.303679][ T148] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 94.303714][ T148] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 94.307991][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 94.322353][ T148] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 94.325243][ T148] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 94.328593][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 96.407559][ T153] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 98.447678][ T153] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 98.488850][ T153] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
1970/01/01 00:01:39 executed programs: 0
[ 99.239056][ T4906] chnl_net:caif_netlink_parms(): no params data found
[ 99.283592][ T4906] bridge0: port 1(bridge_slave_0) entered blocking state
[ 99.285764][ T4906] bridge0: port 1(bridge_slave_0) entered disabled state
[ 99.288327][ T4906] device bridge_slave_0 entered promiscuous mode
[ 99.291727][ T4906] bridge0: port 2(bridge_slave_1) entered blocking state
[ 99.294278][ T4906] bridge0: port 2(bridge_slave_1) entered disabled state
[ 99.296857][ T4906] device bridge_slave_1 entered promiscuous mode
[ 99.323702][ T4906] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 99.327951][ T4906] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 99.342547][ T4906] team0: Port device team_slave_0 added
[ 99.352938][ T4906] team0: Port device team_slave_1 added
[ 99.367258][ T4906] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 99.369202][ T4906] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 99.376377][ T4906] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 99.380398][ T4906] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 99.385033][ T4906] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 99.391974][ T4906] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 99.463915][ T4906] device hsr_slave_0 entered promiscuous mode
[ 99.512483][ T4906] device hsr_slave_1 entered promiscuous mode
[ 99.542194][ T4906] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 99.544309][ T4906] Cannot create hsr debugfs directory
[ 100.080095][ T4906] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 100.126485][ T4906] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 100.174780][ T4906] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 100.204295][ T4906] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 100.300820][ T4906] 8021q: adding VLAN 0 to HW filter on device bond0
[ 100.309085][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 100.311629][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 100.319321][ T4906] 8021q: adding VLAN 0 to HW filter on device team0
[ 100.324390][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 100.327130][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 100.329654][ T148] bridge0: port 1(bridge_slave_0) entered blocking state
[ 100.331523][ T148] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 100.342404][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 100.344943][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 100.347720][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 100.350318][ T148] bridge0: port 2(bridge_slave_1) entered blocking state
[ 100.352349][ T148] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 100.358131][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 100.378329][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 100.383216][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 100.387056][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 100.389818][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 100.393658][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 100.396361][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 100.398939][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 100.401501][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 100.405207][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 100.407862][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 100.412519][ T4906] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 100.513440][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 100.515652][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 100.519428][ T4906] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 100.534183][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 100.536968][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 100.551364][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 100.555371][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 100.558128][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 100.560877][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 100.568237][ T4906] device veth0_vlan entered promiscuous mode
[ 100.574646][ T4906] device veth1_vlan entered promiscuous mode
[ 100.590123][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 100.593576][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 100.596121][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 100.599121][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 100.607064][ T4906] device veth0_macvtap entered promiscuous mode
[ 100.611371][ T4906] device veth1_macvtap entered promiscuous mode
[ 100.621330][ T4906] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
[ 100.627636][ T4906] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 100.631245][ T4906] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 100.654467][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 100.657145][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 100.660033][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 100.663116][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 100.667179][ T4906] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
[ 100.670089][ T4906] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 100.674392][ T4906] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 100.676761][ T578] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 100.679900][ T578] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 100.685240][ T4906] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 100.687787][ T4906] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 100.690142][ T4906] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 100.692907][ T4906] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 100.739833][ T578] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 100.742019][ T578] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 100.748415][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 100.767096][ T578] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 100.769306][ T578] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 100.772339][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 100.821208][ T4055] BUG: sleeping function called from invalid context at net/core/sock.c:3253
[ 100.823938][ T4055] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 4055, name: kworker/u5:1
[ 100.826418][ T4055] 6 locks held by kworker/u5:1/4055:
[ 100.827846][ T4055] #0: ffff0000d5e5e138 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x678/0x1140
[ 100.830666][ T4055] #1: ffff80001f897c00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x6b8/0x1140
[ 100.833892][ T4055] #2: ffff0000dbb28078 (&hdev->lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0xb0/0x89c
[ 100.836680][ T4055] #3: ffff8000163b8da8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0x400/0x89c
[ 100.839620][ T4055] #4: ffff0000cf5dc820 (&conn->lock#2){+.+.}-{2:2}, at: sco_connect_cfm+0x25c/0x8c0
[ 100.842263][ T4055] #5: ffff0000d6723120 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x3cc/0x8c0
[ 100.845292][ T4055] Preemption disabled at:
[ 100.845304][ T4055] [] sco_connect_cfm+0x25c/0x8c0
[ 100.848200][ T4055] CPU: 1 PID: 4055 Comm: kworker/u5:1 Not tainted 5.15.184-syzkaller #0
[ 100.850392][ T4055] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 100.853074][ T4055] Workqueue: hci0 hci_rx_work
[ 100.854321][ T4055] Call trace:
[ 100.855213][ T4055] dump_backtrace+0x0/0x43c
[ 100.856444][ T4055] show_stack+0x2c/0x3c
[ 100.857579][ T4055] __dump_stack+0x30/0x40
[ 100.858785][ T4055] dump_stack_lvl+0xf8/0x160
[ 100.860072][ T4055] dump_stack+0x1c/0x5c
[ 100.861262][ T4055] ___might_sleep+0x358/0x4d4
[ 100.862551][ T4055] __might_sleep+0x98/0x124
[ 100.863756][ T4055] lock_sock_nested+0xec/0x1d4
[ 100.865025][ T4055] sco_connect_cfm+0x3cc/0x8c0
[ 100.866340][ T4055] hci_sync_conn_complete_evt+0x468/0x89c
[ 100.867883][ T4055] hci_event_packet+0xa24/0x11bc
[ 100.869284][ T4055] hci_rx_work+0x1cc/0x880
[ 100.870480][ T4055] process_one_work+0x79c/0x1140
[ 100.871795][ T4055] worker_thread+0x8f4/0x101c
[ 100.873059][ T4055] kthread+0x374/0x454
[ 100.874249][ T4055] ret_from_fork+0x10/0x20
[ 100.875637][ T4055] ==================================================================
[ 100.877802][ T4055] BUG: KASAN: use-after-free in __lock_acquire+0xf0/0x651c
[ 100.879700][ T4055] Read of size 8 at addr ffff0000d67230a0 by task kworker/u5:1/4055
[ 100.881936][ T4055]
[ 100.882589][ T4055] CPU: 1 PID: 4055 Comm: kworker/u5:1 Tainted: G W 5.15.184-syzkaller #0
[ 100.885266][ T4055] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 100.888079][ T4055] Workqueue: hci0 hci_rx_work
[ 100.889468][ T4055] Call trace:
[ 100.890353][ T4055] dump_backtrace+0x0/0x43c
[ 100.891626][ T4055] show_stack+0x2c/0x3c
[ 100.892789][ T4055] __dump_stack+0x30/0x40
[ 100.894009][ T4055] dump_stack_lvl+0xf8/0x160
[ 100.895256][ T4055] print_address_description+0x78/0x30c
[ 100.896788][ T4055] kasan_report+0xec/0x15c
[ 100.898004][ T4055] __asan_report_load8_noabort+0x44/0x50
[ 100.899566][ T4055] __lock_acquire+0xf0/0x651c
[ 100.900780][ T4055] lock_acquire+0x1f4/0x620
[ 100.902040][ T4055] _raw_spin_lock_bh+0x114/0x1b4
[ 100.903357][ T4055] lock_sock_nested+0xf4/0x1d4
[ 100.904661][ T4055] sco_connect_cfm+0x3cc/0x8c0
[ 100.906005][ T4055] hci_sync_conn_complete_evt+0x468/0x89c
[ 100.907608][ T4055] hci_event_packet+0xa24/0x11bc
[ 100.909015][ T4055] hci_rx_work+0x1cc/0x880
[ 100.910232][ T4055] process_one_work+0x79c/0x1140
[ 100.911634][ T4055] worker_thread+0x8f4/0x101c
[ 100.912886][ T4055] kthread+0x374/0x454
[ 100.914005][ T4055] ret_from_fork+0x10/0x20
[ 100.915210][ T4055]
[ 100.915904][ T4055] Allocated by task 5009:
[ 100.917027][ T4055] __kasan_kmalloc+0xb0/0xf0
[ 100.918380][ T4055] __kmalloc+0x298/0x44c
[ 100.919573][ T4055] sk_prot_alloc+0xc4/0x1f0
[ 100.920834][ T4055] sk_alloc+0x40/0x388
[ 100.921960][ T4055] sco_sock_create+0xb8/0x2d4
[ 100.923265][ T4055] bt_sock_create+0x14c/0x24c
[ 100.924511][ T4055] __sock_create+0x4b0/0x8b4
[ 100.925740][ T4055] __sys_socket+0xf0/0x18c
[ 100.926923][ T4055] __arm64_sys_socket+0x7c/0x94
[ 100.928273][ T4055] invoke_syscall+0x98/0x2b8
[ 100.929589][ T4055] el0_svc_common+0x138/0x258
[ 100.930907][ T4055] do_el0_svc+0x58/0x14c
[ 100.932113][ T4055] el0_svc+0x78/0x1e0
[ 100.933214][ T4055] el0t_64_sync_handler+0xcc/0xe4
[ 100.934708][ T4055] el0t_64_sync+0x1a0/0x1a4
[ 100.935931][ T4055]
[ 100.936577][ T4055] Freed by task 5008:
[ 100.937653][ T4055] kasan_set_track+0x4c/0x84
[ 100.938877][ T4055] kasan_set_free_info+0x28/0x4c
[ 100.940187][ T4055] ____kasan_slab_free+0x118/0x164
[ 100.941533][ T4055] __kasan_slab_free+0x18/0x28
[ 100.942814][ T4055] slab_free_freelist_hook+0x128/0x1e8
[ 100.944259][ T4055] kfree+0x170/0x40c
[ 100.945317][ T4055] __sk_destruct+0x41c/0x604
[ 100.946581][ T4055] __sk_free+0x320/0x430
[ 100.947718][ T4055] sk_free+0x68/0xdc
[ 100.948751][ T4055] sco_sock_kill+0x104/0x1c8
[ 100.949977][ T4055] sco_sock_release+0x1f8/0x2c4
[ 100.951261][ T4055] sock_close+0xb4/0x1f8
[ 100.952407][ T4055] __fput+0x1c0/0x7f8
[ 100.953487][ T4055] ____fput+0x20/0x30
[ 100.954583][ T4055] task_work_run+0x12c/0x1e0
[ 100.955822][ T4055] do_notify_resume+0x24b4/0x3128
[ 100.957176][ T4055] el0_svc+0xf0/0x1e0
[ 100.958203][ T4055] el0t_64_sync_handler+0xcc/0xe4
[ 100.959571][ T4055] el0t_64_sync+0x1a0/0x1a4
[ 100.960775][ T4055]
[ 100.961379][ T4055] The buggy address belongs to the object at ffff0000d6723000
[ 100.961379][ T4055] which belongs to the cache kmalloc-2k of size 2048
[ 100.965273][ T4055] The buggy address is located 160 bytes inside of
[ 100.965273][ T4055] 2048-byte region [ffff0000d6723000, ffff0000d6723800)
[ 100.969118][ T4055] The buggy address belongs to the page:
[ 100.970668][ T4055] page:000000008d9684c2 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x116720
[ 100.973517][ T4055] head:000000008d9684c2 order:3 compound_mapcount:0 compound_pincount:0
[ 100.975794][ T4055] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 100.978015][ T4055] raw: 05ffc00000010200 dead000000000100 dead000000000122 ffff0000c0002900
[ 100.980362][ T4055] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 100.982634][ T4055] page dumped because: kasan: bad access detected
[ 100.984415][ T4055]
[ 100.985074][ T4055] Memory state around the buggy address:
[ 100.986652][ T4055] ffff0000d6722f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 100.988955][ T4055] ffff0000d6723000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 100.991335][ T4055] >ffff0000d6723080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 100.993503][ T4055] ^
[ 100.994987][ T4055] ffff0000d6723100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 100.997198][ T4055] ffff0000d6723180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 100.999451][ T4055] ==================================================================
[ 101.001799][ T4055] Disabling lock debugging due to kernel taint
[ 101.003601][ T4055] Unable to handle kernel paging request at virtual address dfff800000000000
[ 101.005940][ T4055] Mem abort info:
[ 101.006900][ T4055] ESR = 0x0000000096000006
[ 101.008077][ T4055] EC = 0x25: DABT (current EL), IL = 32 bits
[ 101.009764][ T4055] SET = 0, FnV = 0
[ 101.010801][ T4055] EA = 0, S1PTW = 0
[ 101.011848][ T4055] FSC = 0x06: level 2 translation fault
[ 101.013389][ T4055] Data abort info:
[ 101.014402][ T4055] ISV = 0, ISS = 0x00000006
[ 101.015716][ T4055] CM = 0, WnR = 0
[ 101.016789][ T4055] [dfff800000000000] address between user and kernel address ranges
[ 101.018891][ T4055] Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
[ 101.020787][ T4055] Modules linked in:
[ 101.021884][ T4055] CPU: 1 PID: 4055 Comm: kworker/u5:1 Tainted: G B W 5.15.184-syzkaller #0
[ 101.024617][ T4055] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 101.027430][ T4055] Workqueue: hci0 hci_rx_work
[ 101.028761][ T4055] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 101.030874][ T4055] pc : apparmor_sk_clone_security+0xf4/0x3e0
[ 101.032437][ T4055] lr : apparmor_sk_clone_security+0xd4/0x3e0
[ 101.034051][ T4055] sp : ffff80001f897780
[ 101.035182][ T4055] x29: ffff80001f897780 x28: 1ffff00003f12f04 x27: dfff800000000000
[ 101.037437][ T4055] x26: 1fffe00019ebb909 x25: ffff0000d67273aa x24: 1fffe0001d50cfe0
[ 101.039696][ T4055] x23: dfff800000000000 x22: dfff800000000000 x21: 0000000000000000
[ 101.041976][ T4055] x20: 0000000000000000 x19: ffff0000ea867f00 x18: 0000000000000204
[ 101.044178][ T4055] x17: ffff8000104ca460 x16: ffff8000082d55bc x15: ffff80000f67ad3c
[ 101.046375][ T4055] x14: ffff80000f67b164 x13: ffff80000802cae0 x12: 0000000000ff0100
[ 101.048511][ T4055] x11: 0000000000000001 x10: 0000000000000000 x9 : ffff80000a423cc0
[ 101.050826][ T4055] x8 : 0000000000000000 x7 : ffffffffffffffff x6 : ffff80001048f6c0
[ 101.053048][ T4055] x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80000a423c34
[ 101.055216][ T4055] x2 : 0000000000000000 x1 : 0000000000000008 x0 : 0000000000000000
[ 101.057429][ T4055] Call trace:
[ 101.058316][ T4055] apparmor_sk_clone_security+0xf4/0x3e0
[ 101.059834][ T4055] security_sk_clone+0x58/0x9c
[ 101.061249][ T4055] sco_connect_cfm+0x578/0x8c0
[ 101.062583][ T4055] hci_sync_conn_complete_evt+0x468/0x89c
[ 101.064251][ T4055] hci_event_packet+0xa24/0x11bc
[ 101.065734][ T4055] hci_rx_work+0x1cc/0x880
[ 101.066911][ T4055] process_one_work+0x79c/0x1140
[ 101.068321][ T4055] worker_thread+0x8f4/0x101c
[ 101.069664][ T4055] kthread+0x374/0x454
[ 101.070720][ T4055] ret_from_fork+0x10/0x20
[ 101.071943][ T4055] Code: 710006df 540010cb 9781530a d343fe88 (38776908)
[ 101.073883][ T4055] ---[ end trace cb3c7419a5ef6627 ]---
[ 101.480509][ T4055] Kernel panic - not syncing: Oops: Fatal exception
[ 101.482437][ T4055] SMP: stopping secondary CPUs
[ 101.483770][ T4055] Kernel Offset: disabled
[ 101.484960][ T4055] CPU features: 0x8,000081c1,21302e40
[ 101.486417][ T4055] Memory Limit: none
[ 101.837629][ T4055] Rebooting in 86400 seconds..