Warning: Permanently added '10.128.1.143' (ED25519) to the list of known hosts.
1970/01/01 00:01:00 ignoring optional flag "type"="gce"
1970/01/01 00:01:00 parsed 1 programs
[ 62.141951][ T4351] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SSFS
[ 63.630622][ T148] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 63.631905][ T148] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 63.636205][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 63.645336][ T309] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 63.646676][ T309] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 63.647984][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 63.882240][ T4494] chnl_net:caif_netlink_parms(): no params data found
[ 63.899962][ T4494] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.901160][ T4494] bridge0: port 1(bridge_slave_0) entered disabled state
[ 63.902723][ T4494] device bridge_slave_0 entered promiscuous mode
[ 63.904657][ T4494] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.905817][ T4494] bridge0: port 2(bridge_slave_1) entered disabled state
[ 63.907487][ T4494] device bridge_slave_1 entered promiscuous mode
[ 63.915218][ T4494] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 63.917681][ T4494] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 63.925642][ T4494] team0: Port device team_slave_0 added
[ 63.927521][ T4494] team0: Port device team_slave_1 added
[ 63.935309][ T4494] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 63.936412][ T4494] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 63.940845][ T4494] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 63.943214][ T4494] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 63.944244][ T4494] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 63.948455][ T4494] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 63.990218][ T4494] device hsr_slave_0 entered promiscuous mode
[ 64.039768][ T4494] device hsr_slave_1 entered promiscuous mode
[ 64.749408][ T4494] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 64.819691][ T4494] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 64.860430][ T4494] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 64.891154][ T4494] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 64.957564][ T4494] 8021q: adding VLAN 0 to HW filter on device bond0
[ 64.963998][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 64.965520][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 64.968371][ T4494] 8021q: adding VLAN 0 to HW filter on device team0
[ 64.971464][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 64.973106][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 64.974678][ T148] bridge0: port 1(bridge_slave_0) entered blocking state
[ 64.975822][ T148] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 64.977637][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 64.982034][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 64.983564][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 64.985172][ T309] bridge0: port 2(bridge_slave_1) entered blocking state
[ 64.986227][ T309] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 64.987635][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 64.994547][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 64.996533][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 65.000638][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 65.006011][ T4494] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 65.007525][ T4494] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 65.012202][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 65.014062][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 65.015728][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 65.017300][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 65.018765][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 65.022292][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 65.023903][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 65.027632][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 65.068568][ T4494] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 65.072478][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 65.073753][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 65.080998][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 65.082638][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 65.092282][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 65.093778][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 65.095401][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 65.097248][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 65.099934][ T4494] device veth0_vlan entered promiscuous mode
[ 65.103140][ T4494] device veth1_vlan entered promiscuous mode
[ 65.110265][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 65.111767][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 65.113218][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 65.114850][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 65.117167][ T4494] device veth0_macvtap entered promiscuous mode
[ 65.122417][ T4494] device veth1_macvtap entered promiscuous mode
[ 65.128687][ T4494] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 65.131900][ T4494] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 65.134191][ T4494] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 65.135862][ T4494] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 65.137312][ T4494] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 65.138702][ T4494] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 65.142057][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 65.143488][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 65.145029][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 65.146539][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 65.148102][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 65.149996][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
1970/01/01 00:01:05 executed programs: 0
[ 65.525121][ T4667] chnl_net:caif_netlink_parms(): no params data found
[ 65.546117][ T4667] bridge0: port 1(bridge_slave_0) entered blocking state
[ 65.547438][ T4667] bridge0: port 1(bridge_slave_0) entered disabled state
[ 65.548986][ T4667] device bridge_slave_0 entered promiscuous mode
[ 65.551461][ T4667] bridge0: port 2(bridge_slave_1) entered blocking state
[ 65.552615][ T4667] bridge0: port 2(bridge_slave_1) entered disabled state
[ 65.554178][ T4667] device bridge_slave_1 entered promiscuous mode
[ 65.563623][ T4667] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 65.566218][ T4667] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 65.574533][ T4667] team0: Port device team_slave_0 added
[ 65.576424][ T4667] team0: Port device team_slave_1 added
[ 65.584334][ T4667] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 65.585350][ T4667] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 65.589796][ T4667] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 65.592203][ T4667] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 65.593264][ T4667] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 65.597188][ T4667] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 65.631760][ T4667] device hsr_slave_0 entered promiscuous mode
[ 65.679650][ T4667] device hsr_slave_1 entered promiscuous mode
[ 65.700967][ T4667] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 65.702225][ T4667] Cannot create hsr debugfs directory
[ 65.730710][ T4667] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 67.519661][ T4141] Bluetooth: hci0: command 0x0409 tx timeout
[ 68.142137][ T4667] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 69.600431][ T1542] cfg80211: failed to load regulatory.db
[ 69.600804][ T2065] ieee802154 phy0 wpan0: encryption failed: -22
[ 69.602692][ T2065] ieee802154 phy1 wpan1: encryption failed: -22
[ 69.606100][ T4114] Bluetooth: hci0: command 0x041b tx timeout
[ 70.612395][ T4667] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 70.673321][ T4667] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 70.844253][ T4667] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 70.880879][ T4667] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 70.930544][ T4667] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 70.990529][ T4667] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 71.041359][ T4667] 8021q: adding VLAN 0 to HW filter on device bond0
[ 71.045587][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 71.047139][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 71.050403][ T4667] 8021q: adding VLAN 0 to HW filter on device team0
[ 71.052765][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 71.054462][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 71.055962][ T148] bridge0: port 1(bridge_slave_0) entered blocking state
[ 71.057088][ T148] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 71.058545][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 71.062136][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 71.063700][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 71.065219][ T148] bridge0: port 2(bridge_slave_1) entered blocking state
[ 71.066353][ T148] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 71.068923][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 71.072744][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 71.075572][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 71.077555][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 71.079242][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 71.082181][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 71.083686][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 71.086854][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 71.088333][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 71.092340][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 71.093785][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 71.096310][ T4667] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 71.133587][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 71.134921][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 71.138073][ T4667] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 71.144398][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 71.145987][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 71.153507][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 71.155018][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 71.156561][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 71.158049][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 71.161554][ T4667] device veth0_vlan entered promiscuous mode
[ 71.164817][ T4667] device veth1_vlan entered promiscuous mode
[ 71.171820][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 71.173312][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 71.174810][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 71.176335][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 71.178772][ T4667] device veth0_macvtap entered promiscuous mode
[ 71.188646][ T4667] device veth1_macvtap entered promiscuous mode
[ 71.194361][ T4667] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
[ 71.195964][ T4667] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 71.198091][ T4667] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 71.200859][ T4667] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
[ 71.202349][ T4667] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 71.204456][ T4667] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 71.205645][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 71.207228][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 71.208609][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 71.210372][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 71.212002][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 71.213515][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 71.216109][ T4667] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 71.217471][ T4667] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 71.218846][ T4667] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 71.220927][ T4667] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 71.242759][ T136] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 71.244016][ T136] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 71.245369][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 71.253369][ T136] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 71.254614][ T136] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 71.255864][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
1970/01/01 00:01:11 executed programs: 2
[ 71.279550][ T144] BUG: sleeping function called from invalid context at net/core/sock.c:3261
[ 71.280932][ T144] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 144, name: kworker/u5:0
[ 71.282410][ T144] 6 locks held by kworker/u5:0/144:
[ 71.283212][ T144] #0: ffff0000de0e3138 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x678/0x1138
[ 71.284866][ T144] #1: ffff80001bf57c00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x6b8/0x1138
[ 71.286738][ T144] #2: ffff0000d6010078 (&hdev->lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0xb0/0x894
[ 71.288455][ T144] #3: ffff8000164fc908 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0x400/0x894
[ 71.290211][ T144] #4: ffff0000d1f73c20 (&conn->lock#2){+.+.}-{2:2}, at: sco_connect_cfm+0x254/0x8c0
[ 71.291760][ T144] #5: ffff0000ceecc120 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x3e4/0x8c0
[ 71.293677][ T144] Preemption disabled at:
[ 71.293694][ T144] [] sco_connect_cfm+0x254/0x8c0
[ 71.295482][ T144] CPU: 0 PID: 144 Comm: kworker/u5:0 Not tainted syzkaller #0
[ 71.296665][ T144] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/26/2026
[ 71.298225][ T144] Workqueue: hci0 hci_rx_work
[ 71.298977][ T144] Call trace:
[ 71.299518][ T144] dump_backtrace+0x0/0x458
[ 71.300271][ T144] show_stack+0x2c/0x3c
[ 71.300981][ T144] __dump_stack+0x30/0x40
[ 71.301728][ T144] dump_stack_lvl+0xf4/0x15c
[ 71.302533][ T144] dump_stack+0x1c/0x5c
[ 71.303225][ T144] ___might_sleep+0x358/0x4d4
[ 71.304037][ T144] __might_sleep+0x98/0x124
[ 71.304823][ T144] lock_sock_nested+0xec/0x1d4
[ 71.305646][ T144] sco_connect_cfm+0x3e4/0x8c0
[ 71.306378][ T144] hci_sync_conn_complete_evt+0x468/0x894
[ 71.307337][ T144] hci_event_packet+0xa34/0x1208
[ 71.308106][ T144] hci_rx_work+0x1cc/0x868
[ 71.308806][ T144] process_one_work+0x79c/0x1138
[ 71.309589][ T144] worker_thread+0x8f4/0x1034
[ 71.310443][ T144] kthread+0x374/0x454
[ 71.311126][ T144] ret_from_fork+0x10/0x20
[ 71.312011][ T144] ==================================================================
[ 71.313270][ T144] BUG: KASAN: use-after-free in __lock_acquire+0x104/0x67ec
[ 71.314445][ T144] Read of size 8 at addr ffff0000ceecc0a0 by task kworker/u5:0/144
[ 71.315662][ T144]
[ 71.316045][ T144] CPU: 0 PID: 144 Comm: kworker/u5:0 Tainted: G W syzkaller #0
[ 71.317462][ T144] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/26/2026
[ 71.319022][ T144] Workqueue: hci0 hci_rx_work
[ 71.319805][ T144] Call trace:
[ 71.320322][ T144] dump_backtrace+0x0/0x458
[ 71.321038][ T144] show_stack+0x2c/0x3c
[ 71.321727][ T144] __dump_stack+0x30/0x40
[ 71.322375][ T144] dump_stack_lvl+0xf4/0x15c
[ 71.323088][ T144] print_address_description+0x78/0x30c
[ 71.323941][ T144] kasan_report+0xec/0x158
[ 71.324701][ T144] __asan_report_load8_noabort+0x44/0x50
[ 71.325695][ T144] __lock_acquire+0x104/0x67ec
[ 71.326588][ T144] lock_acquire+0x1f4/0x618
[ 71.327370][ T144] _raw_spin_lock_bh+0x114/0x1b4
[ 71.328287][ T144] lock_sock_nested+0xf4/0x1d4
[ 71.329106][ T144] sco_connect_cfm+0x3e4/0x8c0
[ 71.329894][ T144] hci_sync_conn_complete_evt+0x468/0x894
[ 71.330832][ T144] hci_event_packet+0xa34/0x1208
[ 71.331699][ T144] hci_rx_work+0x1cc/0x868
[ 71.332424][ T144] process_one_work+0x79c/0x1138
[ 71.333231][ T144] worker_thread+0x8f4/0x1034
[ 71.334045][ T144] kthread+0x374/0x454
[ 71.334695][ T144] ret_from_fork+0x10/0x20
[ 71.335380][ T144]
[ 71.335725][ T144] Allocated by task 4883:
[ 71.336391][ T144] __kasan_kmalloc+0xb0/0xf0
[ 71.337123][ T144] __kmalloc+0x290/0x43c
[ 71.337794][ T144] sk_prot_alloc+0xc4/0x1ec
[ 71.338550][ T144] sk_alloc+0x40/0x384
[ 71.339197][ T144] sco_sock_create+0xb8/0x2cc
[ 71.339989][ T144] bt_sock_create+0x14c/0x24c
[ 71.340751][ T144] __sock_create+0x4b0/0x8b4
[ 71.341580][ T144] __sys_socket+0xf0/0x18c
[ 71.342299][ T144] __arm64_sys_socket+0x7c/0x94
[ 71.343080][ T144] invoke_syscall+0x98/0x2b0
[ 71.343858][ T144] el0_svc_common+0x138/0x258
[ 71.344591][ T144] do_el0_svc+0x58/0x13c
[ 71.345267][ T144] el0_svc+0x78/0x1d0
[ 71.345934][ T144] el0t_64_sync_handler+0xcc/0xe4
[ 71.346803][ T144] el0t_64_sync+0x1a0/0x1a4
[ 71.347513][ T144]
[ 71.347910][ T144] Freed by task 4882:
[ 71.348604][ T144] kasan_set_track+0x4c/0x84
[ 71.349325][ T144] kasan_set_free_info+0x28/0x4c
[ 71.350176][ T144] ____kasan_slab_free+0x118/0x164
[ 71.351001][ T144] __kasan_slab_free+0x18/0x28
[ 71.351737][ T144] slab_free_freelist_hook+0x128/0x1e4
[ 71.352592][ T144] kfree+0x16c/0x400
[ 71.353205][ T144] __sk_destruct+0x43c/0x610
[ 71.353963][ T144] __sk_free+0x320/0x430
[ 71.354602][ T144] sk_free+0x68/0xd4
[ 71.355209][ T144] sco_sock_kill+0x178/0x234
[ 71.355948][ T144] sco_sock_release+0x1f8/0x2bc
[ 71.356821][ T144] sock_close+0xb4/0x1f8
[ 71.357542][ T144] __fput+0x1c0/0x7e8
[ 71.358179][ T144] ____fput+0x20/0x30
[ 71.358774][ T144] task_work_run+0x12c/0x1d8
[ 71.359474][ T144] do_notify_resume+0x2450/0x309c
[ 71.360259][ T144] el0_svc+0xf0/0x1d0
[ 71.360935][ T144] el0t_64_sync_handler+0xcc/0xe4
[ 71.361679][ T144] el0t_64_sync+0x1a0/0x1a4
[ 71.362389][ T144]
[ 71.362747][ T144] Last potentially related work creation:
[ 71.363723][ T144] kasan_save_stack+0x38/0x68
[ 71.364533][ T144] kasan_record_aux_stack+0xcc/0x114
[ 71.365346][ T144] call_rcu+0x114/0x8f4
[ 71.365963][ T144] in6_dev_finish_destroy+0x154/0x1d8
[ 71.366786][ T144] addrconf_ifdown+0x13e8/0x1680
[ 71.367601][ T144] addrconf_notify+0x36c/0xc50
[ 71.368375][ T144] raw_notifier_call_chain+0xd4/0x164
[ 71.369331][ T144] unregister_netdevice_many+0xe74/0x183c
[ 71.370290][ T144] ip6_tnl_exit_batch_net+0x5b0/0x608
[ 71.371203][ T144] cleanup_net+0x654/0xaa4
[ 71.371952][ T144] process_one_work+0x79c/0x1138
[ 71.372756][ T144] worker_thread+0x8f4/0x1034
[ 71.373509][ T144] kthread+0x374/0x454
[ 71.374196][ T144] ret_from_fork+0x10/0x20
[ 71.374925][ T144]
[ 71.375291][ T144] The buggy address belongs to the object at ffff0000ceecc000
[ 71.375291][ T144] which belongs to the cache kmalloc-2k of size 2048
[ 71.377626][ T144] The buggy address is located 160 bytes inside of
[ 71.377626][ T144] 2048-byte region [ffff0000ceecc000, ffff0000ceecc800)
[ 71.379830][ T144] The buggy address belongs to the page:
[ 71.380739][ T144] page:00000000a92462ce refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10eec8
[ 71.382391][ T144] head:00000000a92462ce order:3 compound_mapcount:0 compound_pincount:0
[ 71.383700][ T144] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 71.385026][ T144] raw: 05ffc00000010200 0000000000000000 0000000100000001 ffff0000c0002900
[ 71.386336][ T144] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 71.387695][ T144] page dumped because: kasan: bad access detected
[ 71.388652][ T144]
[ 71.388987][ T144] Memory state around the buggy address:
[ 71.389885][ T144] ffff0000ceecbf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 71.391080][ T144] ffff0000ceecc000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.392265][ T144] >ffff0000ceecc080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.393471][ T144] ^
[ 71.394279][ T144] ffff0000ceecc100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.395555][ T144] ffff0000ceecc180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.396826][ T144] ==================================================================
[ 71.398165][ T144] Disabling lock debugging due to kernel taint
[ 71.399228][ T144] Unable to handle kernel paging request at virtual address dfff800000000000
[ 71.400694][ T144] Mem abort info:
[ 71.401280][ T144] ESR = 0x0000000096000006
[ 71.401968][ T144] EC = 0x25: DABT (current EL), IL = 32 bits
[ 71.403050][ T144] SET = 0, FnV = 0
[ 71.403728][ T144] EA = 0, S1PTW = 0
[ 71.404350][ T144] FSC = 0x06: level 2 translation fault
[ 71.405241][ T144] Data abort info:
[ 71.405802][ T144] ISV = 0, ISS = 0x00000006
[ 71.406496][ T144] CM = 0, WnR = 0
[ 71.407056][ T144] [dfff800000000000] address between user and kernel address ranges
[ 71.408292][ T144] Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
[ 71.409406][ T144] Modules linked in:
[ 71.410007][ T144] CPU: 0 PID: 144 Comm: kworker/u5:0 Tainted: G B W syzkaller #0
[ 71.411469][ T144] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/26/2026
[ 71.413064][ T144] Workqueue: hci0 hci_rx_work
[ 71.413836][ T144] pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
[ 71.415091][ T144] pc : apparmor_sk_clone_security+0xf4/0x3c0
[ 71.416092][ T144] lr : apparmor_sk_clone_security+0xd4/0x3c0
[ 71.417056][ T144] sp : ffff80001bf57780
[ 71.417717][ T144] x29: ffff80001bf57780 x28: dfff800000000000 x27: ffff7000037eaf04
[ 71.419041][ T144] x26: 1fffe0001a3ee789 x25: ffff0000d5b3e3aa x24: 1fffe0001d4af860
[ 71.420373][ T144] x23: dfff800000000000 x22: dfff800000000000 x21: 0000000000000000
[ 71.421662][ T144] x20: 0000000000000000 x19: ffff0000ea57c300 x18: 0000000000000204
[ 71.422919][ T144] x17: ffff8000105601e0 x16: ffff8000082d9354 x15: ffff80000f6f835c
[ 71.424141][ T144] x14: 0000000000000001 x13: 1ffff00002ca2f7d x12: 0000000000ff0100
[ 71.425393][ T144] x11: 0000000000000001 x10: 0000000000000000 x9 : ffff80000a44a7c0
[ 71.426676][ T144] x8 : 0000000000000000 x7 : ffffffffffffffff x6 : ffff800010525188
[ 71.428002][ T144] x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80000a44a734
[ 71.429359][ T144] x2 : 0000000000000000 x1 : 0000000000000008 x0 : 0000000000000000
[ 71.430607][ T144] Call trace:
[ 71.431157][ T144] apparmor_sk_clone_security+0xf4/0x3c0
[ 71.432095][ T144] security_sk_clone+0x58/0x9c
[ 71.432928][ T144] sco_connect_cfm+0x590/0x8c0
[ 71.433744][ T144] hci_sync_conn_complete_evt+0x468/0x894
[ 71.434745][ T144] hci_event_packet+0xa34/0x1208
[ 71.435533][ T144] hci_rx_work+0x1cc/0x868
[ 71.436231][ T144] process_one_work+0x79c/0x1138
[ 71.437102][ T144] worker_thread+0x8f4/0x1034
[ 71.437818][ T144] kthread+0x374/0x454
[ 71.438492][ T144] ret_from_fork+0x10/0x20
[ 71.439302][ T144] Code: 710006df 540010cb 9780ccd1 d343fe88 (38776908)
[ 71.440493][ T144] ---[ end trace 5bfba9e261f3b566 ]---
[ 71.641906][ T144] Kernel panic - not syncing: Oops: Fatal exception
[ 71.642898][ T144] SMP: stopping secondary CPUs
[ 71.643687][ T144] Kernel Offset: disabled
[ 71.644401][ T144] CPU features: 0x8,000003c1,7d33ffd9
[ 71.645321][ T144] Memory Limit: none
[ 71.843269][ T144] Rebooting in 86400 seconds..