Warning: Permanently added '10.128.10.16' (ED25519) to the list of known hosts.
1970/01/01 00:01:01 ignoring optional flag "sandboxArg"="0"
1970/01/01 00:01:01 parsed 1 programs
1970/01/01 00:01:01 executed programs: 0
[ 61.774615][ T5564] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 61.777047][ T5564] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 61.779582][ T5564] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 61.782473][ T5564] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 61.784531][ T5564] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 61.860583][ T6345] chnl_net:caif_netlink_parms(): no params data found
[ 61.888058][ T6345] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.890068][ T6345] bridge0: port 1(bridge_slave_0) entered disabled state
[ 61.892645][ T6345] bridge_slave_0: entered allmulticast mode
[ 61.894702][ T6345] bridge_slave_0: entered promiscuous mode
[ 61.897898][ T6345] bridge0: port 2(bridge_slave_1) entered blocking state
[ 61.899830][ T6345] bridge0: port 2(bridge_slave_1) entered disabled state
[ 61.902464][ T6345] bridge_slave_1: entered allmulticast mode
[ 61.904482][ T6345] bridge_slave_1: entered promiscuous mode
[ 61.916954][ T6345] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 61.921035][ T6345] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 61.933630][ T6345] team0: Port device team_slave_0 added
[ 61.936528][ T6345] team0: Port device team_slave_1 added
[ 61.948312][ T6345] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 61.950200][ T6345] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 61.957186][ T6345] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 61.961588][ T6345] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 61.963421][ T6345] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 61.970027][ T6345] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 62.053368][ T6345] hsr_slave_0: entered promiscuous mode
[ 62.101264][ T6345] hsr_slave_1: entered promiscuous mode
[ 62.932125][ T6345] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 62.962717][ T6345] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 63.002383][ T6345] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 63.072470][ T6345] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 63.175731][ T6345] 8021q: adding VLAN 0 to HW filter on device bond0
[ 63.186643][ T6345] 8021q: adding VLAN 0 to HW filter on device team0
[ 63.193066][ T22] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.194991][ T22] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 63.203645][ T6007] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.205626][ T6007] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 63.325494][ T6345] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 63.350425][ T6345] veth0_vlan: entered promiscuous mode
[ 63.359667][ T6345] veth1_vlan: entered promiscuous mode
[ 63.380515][ T6345] veth0_macvtap: entered promiscuous mode
[ 63.384958][ T6345] veth1_macvtap: entered promiscuous mode
[ 63.395914][ T6345] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 63.403337][ T6345] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 63.408091][ T6345] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 63.410386][ T6345] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 63.414504][ T6345] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 63.416785][ T6345] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 63.459588][ T2072] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 63.462656][ T2072] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 63.482037][ T6007] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 63.484183][ T6007] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 63.818855][ T6443] ==================================================================
[ 63.821245][ T6443] BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x720/0x7f4
[ 63.823330][ T6443] Read of size 4 at addr ffff0000d188600c by task syz-executor.0/6443
[ 63.825423][ T6443]
[ 63.826035][ T6443] CPU: 1 PID: 6443 Comm: syz-executor.0 Not tainted 6.5.0-rc3-syzkaller #0
[ 63.828272][ T6443] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
[ 63.830844][ T6443] Call trace:
[ 63.831665][ T6443] dump_backtrace+0x1b8/0x1e4
[ 63.832901][ T6443] show_stack+0x2c/0x44
[ 63.833984][ T6443] dump_stack_lvl+0xd0/0x124
[ 63.835156][ T6443] print_report+0x174/0x514
[ 63.836304][ T6443] kasan_report+0xd8/0x138
[ 63.837447][ T6443] __asan_report_load4_noabort+0x20/0x2c
[ 63.838873][ T6443] gsm_cleanup_mux+0x720/0x7f4
[ 63.840222][ T6443] gsmld_ioctl+0x13bc/0x221c
[ 63.841407][ T6443] tty_ioctl+0x924/0xd8c
[ 63.842557][ T6443] __arm64_sys_ioctl+0x14c/0x1c8
[ 63.843876][ T6443] invoke_syscall+0x98/0x2c0
[ 63.845044][ T6443] el0_svc_common+0x138/0x244
[ 63.846242][ T6443] do_el0_svc+0x64/0x198
[ 63.847360][ T6443] el0_svc+0x4c/0x160
[ 63.848373][ T6443] el0t_64_sync_handler+0x84/0xfc
[ 63.849665][ T6443] el0t_64_sync+0x190/0x194
[ 63.850817][ T6443]
[ 63.851422][ T6443] Allocated by task 6436:
[ 63.852540][ T6443] kasan_set_track+0x4c/0x7c
[ 63.853706][ T6443] kasan_save_alloc_info+0x24/0x30
[ 63.855026][ T6443] __kasan_kmalloc+0xac/0xc4
[ 63.856206][ T6443] kmalloc_trace+0x70/0x88
[ 63.857373][ T6443] gsm_dlci_alloc+0x64/0x53c
[ 63.858556][ T6443] gsm_activate_mux+0x30/0x268
[ 63.859806][ T6443] gsmld_ioctl+0x162c/0x221c
[ 63.861004][ T6443] tty_ioctl+0x924/0xd8c
[ 63.862115][ T6443] __arm64_sys_ioctl+0x14c/0x1c8
[ 63.863413][ T6443] invoke_syscall+0x98/0x2c0
[ 63.864605][ T6443] el0_svc_common+0x138/0x244
[ 63.865808][ T6443] do_el0_svc+0x64/0x198
[ 63.866947][ T6443] el0_svc+0x4c/0x160
[ 63.868006][ T6443] el0t_64_sync_handler+0x84/0xfc
[ 63.869338][ T6443] el0t_64_sync+0x190/0x194
[ 63.870470][ T6443]
[ 63.871111][ T6443] Freed by task 6436:
[ 63.872156][ T6443] kasan_set_track+0x4c/0x7c
[ 63.873396][ T6443] kasan_save_free_info+0x38/0x5c
[ 63.874694][ T6443] ____kasan_slab_free+0x144/0x1c0
[ 63.876078][ T6443] __kasan_slab_free+0x18/0x28
[ 63.877318][ T6443] __kmem_cache_free+0x2ac/0x480
[ 63.878581][ T6443] kfree+0xb8/0x19c
[ 63.879541][ T6443] gsm_dlci_free+0x11c/0x168
[ 63.880732][ T6443] tty_port_put+0xfc/0x190
[ 63.881974][ T6443] gsm_cleanup_mux+0x4ac/0x7f4
[ 63.883208][ T6443] gsmld_ioctl+0x13bc/0x221c
[ 63.884362][ T6443] tty_ioctl+0x924/0xd8c
[ 63.885529][ T6443] __arm64_sys_ioctl+0x14c/0x1c8
[ 63.886897][ T6443] invoke_syscall+0x98/0x2c0
[ 63.888172][ T6443] el0_svc_common+0x138/0x244
[ 63.889389][ T6443] do_el0_svc+0x64/0x198
[ 63.890563][ T6443] el0_svc+0x4c/0x160
[ 63.891624][ T6443] el0t_64_sync_handler+0x84/0xfc
[ 63.892948][ T6443] el0t_64_sync+0x190/0x194
[ 63.894170][ T6443]
[ 63.894749][ T6443] The buggy address belongs to the object at ffff0000d1886000
[ 63.894749][ T6443] which belongs to the cache kmalloc-2k of size 2048
[ 63.898476][ T6443] The buggy address is located 12 bytes inside of
[ 63.898476][ T6443] freed 2048-byte region [ffff0000d1886000, ffff0000d1886800)
[ 63.902157][ T6443]
[ 63.902770][ T6443] The buggy address belongs to the physical page:
[ 63.904455][ T6443] page:000000001ebf12d6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x111880
[ 63.907182][ T6443] head:000000001ebf12d6 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 63.909596][ T6443] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 63.911290][ T6443] page_type: 0xffffffff()
[ 63.912127][ T6443] raw: 05ffc00000010200 ffff0000c0002000 dead000000000122 0000000000000000
[ 63.913812][ T6443] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 63.915613][ T6443] page dumped because: kasan: bad access detected
[ 63.917290][ T6443]
[ 63.917870][ T6443] Memory state around the buggy address:
[ 63.919350][ T6443] ffff0000d1885f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 63.921484][ T6443] ffff0000d1885f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 63.923650][ T6443] >ffff0000d1886000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.925769][ T6443] ^
[ 63.926974][ T6443] ffff0000d1886080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.929131][ T6443] ffff0000d1886100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.931207][ T6443] ==================================================================
[ 63.933547][ T5564] Bluetooth: hci0: command 0x0409 tx timeout
[ 63.989344][ T6443] Disabling lock debugging due to kernel taint
[ 64.001456][ T6443] list_add corruption. prev is NULL.
[ 64.003375][ T6443] ------------[ cut here ]------------
[ 64.004856][ T6443] kernel BUG at lib/list_debug.c:24!
[ 64.006289][ T6443] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
[ 64.008376][ T6443] Modules linked in:
[ 64.009447][ T6443] CPU: 1 PID: 6443 Comm: syz-executor.0 Tainted: G B 6.5.0-rc3-syzkaller #0
[ 64.012165][ T6443] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
[ 64.014837][ T6443] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 64.016906][ T6443] pc : __list_add_valid+0xcc/0x110
[ 64.018332][ T6443] lr : __list_add_valid+0xcc/0x110
[ 64.019696][ T6443] sp : ffff8000971d77e0
[ 64.020811][ T6443] x29: ffff8000971d77e0 x28: ffff0000d418d094 x27: ffff0000c9465918
[ 64.022966][ T6443] x26: ffff0000c9465910 x25: dfff800000000000 x24: 0000000000000000
[ 64.025213][ T6443] x23: 0000000000000000 x22: ffff0000c94658c8 x21: ffff0000d418d080
[ 64.027381][ T6443] x20: 1fffe0001928cb23 x19: ffff0000c9465500 x18: 1fffe0003683f9c6
[ 64.029494][ T6443] x17: 0000000000000000 x16: ffff80008a55b464 x15: 0000000000000001
[ 64.031573][ T6443] x14: 1fffe0003683fa2a x13: 0000000000000000 x12: 0000000000000000
[ 64.033767][ T6443] x11: 0000000000000001 x10: 0000000000000000 x9 : 26da877a02f20a00
[ 64.035876][ T6443] x8 : 26da877a02f20a00 x7 : 0000000000000001 x6 : 0000000000000001
[ 64.038017][ T6443] x5 : ffff8000971d70f8 x4 : ffff80008e15ef00 x3 : ffff8000805a1ab0
[ 64.040121][ T6443] x2 : 0000000000000001 x1 : 0000000100000001 x0 : 0000000000000022
[ 64.042208][ T6443] Call trace:
[ 64.043089][ T6443] __list_add_valid+0xcc/0x110
[ 64.044354][ T6443] gsm_send+0x350/0x604
[ 64.045546][ T6443] gsm_cleanup_mux+0x1a0/0x7f4
[ 64.046771][ T6443] gsmld_ioctl+0x13bc/0x221c
[ 64.047949][ T6443] tty_ioctl+0x924/0xd8c
[ 64.049086][ T6443] __arm64_sys_ioctl+0x14c/0x1c8
[ 64.050382][ T6443] invoke_syscall+0x98/0x2c0
[ 64.051616][ T6443] el0_svc_common+0x138/0x244
[ 64.052846][ T6443] do_el0_svc+0x64/0x198
[ 64.053974][ T6443] el0_svc+0x4c/0x160
[ 64.055011][ T6443] el0t_64_sync_handler+0x84/0xfc
[ 64.056322][ T6443] el0t_64_sync+0x190/0x194
[ 64.057513][ T6443] Code: d4210000 b0040380 913c8000 95e84bb7 (d4210000)
[ 64.059357][ T6443] ---[ end trace 0000000000000000 ]---
[ 64.440879][ T6443] Kernel panic - not syncing: Oops - BUG: Fatal exception
[ 64.442847][ T6443] SMP: stopping secondary CPUs
[ 64.444192][ T6443] Kernel Offset: disabled
[ 64.445337][ T6443] CPU features: 0x00000010,38010021,88017203
[ 64.446909][ T6443] Memory Limit: none
[ 64.799928][ T6443] Rebooting in 86400 seconds..