Warning: Permanently added '10.128.1.160' (ED25519) to the list of known hosts.
2026/04/04 01:55:34 parsed 1 programs
Setting up swapspace version 1, size = 127995904 bytes
[ 110.760522][ T4605] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k FS
[ 112.226455][ T9] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 112.234701][ T9] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 112.243440][ T1442] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 112.265467][ T9] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 112.274135][ T9] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 112.285216][ T1442] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 114.424370][ T4671] chnl_net:caif_netlink_parms(): no params data found
[ 114.469821][ T4671] bridge0: port 1(bridge_slave_0) entered blocking state
[ 114.477725][ T4671] bridge0: port 1(bridge_slave_0) entered disabled state
[ 114.486416][ T4671] device bridge_slave_0 entered promiscuous mode
[ 114.494879][ T4671] bridge0: port 2(bridge_slave_1) entered blocking state
[ 114.502474][ T4671] bridge0: port 2(bridge_slave_1) entered disabled state
[ 114.510770][ T4671] device bridge_slave_1 entered promiscuous mode
[ 114.532152][ T4671] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 114.543643][ T4671] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 114.567613][ T4671] team0: Port device team_slave_0 added
[ 114.576034][ T4671] team0: Port device team_slave_1 added
[ 114.595761][ T4671] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 114.603948][ T4671] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 114.630930][ T4671] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 114.643665][ T4671] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 114.651027][ T4671] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 114.677759][ T4671] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 114.709731][ T4671] device hsr_slave_0 entered promiscuous mode
[ 114.717304][ T4671] device hsr_slave_1 entered promiscuous mode
[ 115.383783][ T4671] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 115.396318][ T4671] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 115.440641][ T4671] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 115.458816][ T4671] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 115.577424][ T4671] 8021q: adding VLAN 0 to HW filter on device bond0
[ 115.592586][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 115.600590][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 115.612992][ T4671] 8021q: adding VLAN 0 to HW filter on device team0
[ 115.625568][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 115.636886][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 115.648038][ T9] bridge0: port 1(bridge_slave_0) entered blocking state
[ 115.655658][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 115.692988][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 115.702794][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 115.713234][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 115.729082][ T9] bridge0: port 2(bridge_slave_1) entered blocking state
[ 115.741222][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 115.752161][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 115.762067][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 115.793460][ T1442] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 115.803017][ T1442] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 115.811978][ T1442] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 115.822416][ T1442] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 115.852592][ T1442] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 115.860785][ T1442] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 115.872672][ T1442] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 115.882873][ T1442] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 115.891744][ T1442] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 115.902459][ T4671] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 116.075354][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 116.083978][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 116.099813][ T4671] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 116.123916][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 116.138948][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 116.167585][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 116.178042][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 116.187387][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 116.197545][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 116.209097][ T4671] device veth0_vlan entered promiscuous mode
[ 116.253445][ T4671] device veth1_vlan entered promiscuous mode
[ 116.283465][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 116.294201][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 116.302997][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 116.313604][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 116.325277][ T4671] device veth0_macvtap entered promiscuous mode
[ 116.345450][ T4671] device veth1_macvtap entered promiscuous mode
[ 116.382502][ T4671] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 116.397480][ T4671] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 116.405536][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 116.415371][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 116.424179][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 116.439466][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 116.449719][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 116.460391][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 116.474734][ T4671] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 116.486295][ T4671] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 116.496233][ T4671] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 116.507658][ T4671] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
2026/04/04 01:55:46 executed programs: 0
[ 118.352225][ T154] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 118.419817][ T4778] chnl_net:caif_netlink_parms(): no params data found
[ 118.482505][ T4778] bridge0: port 1(bridge_slave_0) entered blocking state
[ 118.489795][ T4778] bridge0: port 1(bridge_slave_0) entered disabled state
[ 118.498423][ T4778] device bridge_slave_0 entered promiscuous mode
[ 118.507393][ T4778] bridge0: port 2(bridge_slave_1) entered blocking state
[ 118.515004][ T4778] bridge0: port 2(bridge_slave_1) entered disabled state
[ 118.523646][ T4778] device bridge_slave_1 entered promiscuous mode
[ 118.549572][ T4778] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 118.562168][ T4778] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 118.596767][ T4778] team0: Port device team_slave_0 added
[ 118.605080][ T4778] team0: Port device team_slave_1 added
[ 118.629937][ T4778] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 118.639510][ T4778] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 118.670014][ T4778] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 118.686012][ T4778] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 118.694676][ T4778] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 118.723820][ T4778] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 118.766916][ T4778] device hsr_slave_0 entered promiscuous mode
[ 118.776710][ T4778] device hsr_slave_1 entered promiscuous mode
[ 118.783875][ T4778] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 118.794507][ T4778] Cannot create hsr debugfs directory
[ 120.252150][ T4275] Bluetooth: hci0: command 0x0409 tx timeout
[ 121.571077][ T154] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 121.690334][ T154] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 121.760521][ T154] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 122.323952][ T4263] Bluetooth: hci0: command 0x041b tx timeout
[ 122.659424][ T4778] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 122.669648][ T4778] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 122.683069][ T4778] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 122.712821][ T4778] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 122.817662][ T4778] 8021q: adding VLAN 0 to HW filter on device bond0
[ 122.848193][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 122.858458][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 122.873452][ T4778] 8021q: adding VLAN 0 to HW filter on device team0
[ 122.886726][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 122.896300][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 122.908183][ T9] bridge0: port 1(bridge_slave_0) entered blocking state
[ 122.916041][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 122.927553][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 122.971931][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 122.981898][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 122.990821][ T155] bridge0: port 2(bridge_slave_1) entered blocking state
[ 122.998081][ T155] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 123.024829][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 123.035201][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 123.047839][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 123.058857][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 123.071126][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 123.082479][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 123.123216][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 123.136191][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 123.146358][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 123.159177][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 123.168788][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 123.183592][ T4778] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 123.256615][ T154] device hsr_slave_0 left promiscuous mode
[ 123.271708][ T154] device hsr_slave_1 left promiscuous mode
[ 123.279662][ T154] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 123.291386][ T154] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 123.299889][ T154] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 123.314425][ T154] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 123.322909][ T154] device bridge_slave_1 left promiscuous mode
[ 123.329278][ T154] bridge0: port 2(bridge_slave_1) entered disabled state
[ 123.339094][ T154] device bridge_slave_0 left promiscuous mode
[ 123.346047][ T154] bridge0: port 1(bridge_slave_0) entered disabled state
[ 123.359978][ T154] device veth1_macvtap left promiscuous mode
[ 123.366712][ T154] device veth0_macvtap left promiscuous mode
[ 123.373718][ T154] device veth1_vlan left promiscuous mode
[ 123.380053][ T154] device veth0_vlan left promiscuous mode
[ 123.540667][ T154] team0 (unregistering): Port device team_slave_1 removed
[ 123.556924][ T154] team0 (unregistering): Port device team_slave_0 removed
[ 123.571776][ T154] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 123.587205][ T154] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 123.648307][ T154] bond0 (unregistering): Released all slaves
[ 123.797809][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 123.806337][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 123.820819][ T4778] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 123.854749][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 123.864412][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 123.887457][ T4778] device veth0_vlan entered promiscuous mode
[ 123.903205][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 123.912153][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 123.922379][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 123.932665][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 123.946001][ T4778] device veth1_vlan entered promiscuous mode
[ 123.966414][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 123.976242][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 123.986945][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 123.996640][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 124.008222][ T4778] device veth0_macvtap entered promiscuous mode
[ 124.019989][ T4778] device veth1_macvtap entered promiscuous mode
[ 124.047288][ T4778] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 124.056761][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 124.065949][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 124.074742][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 124.086344][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 124.099732][ T4778] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 124.109665][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 124.119417][ T155] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 124.132576][ T4778] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 124.141580][ T4778] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 124.150506][ T4778] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 124.160094][ T4778] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 124.229367][ T155] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 124.253621][ T155] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 124.263318][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
2026/04/04 01:55:52 executed programs: 2
[ 124.289535][ T9] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 124.299839][ T9] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 124.311019][ T1442] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 124.377308][ T4216]
[ 124.379933][ T4216] =====================================
[ 124.385833][ T4216] WARNING: bad unlock balance detected!
[ 124.391930][ T4216] syzkaller #0 Not tainted
[ 124.397110][ T4216] -------------------------------------
[ 124.403406][ T4216] kworker/u5:2/4216 is trying to release lock (&chan->lock) at:
[ 124.411996][ T4216] [] l2cap_recv_frame+0xd0c/0x88d0
[ 124.419466][ T4216] but there are no more locks to release!
[ 124.425441][ T4216]
[ 124.425441][ T4216] other info that might help us debug this:
[ 124.434141][ T4216] 2 locks held by kworker/u5:2/4216:
[ 124.439654][ T4216] #0: ffff888078cbb938 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x761/0x1010
[ 124.450793][ T4216] #1: ffffc90002f0fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x79f/0x1010
[ 124.463755][ T4216]
[ 124.463755][ T4216] stack backtrace:
[ 124.470222][ T4216] CPU: 0 PID: 4216 Comm: kworker/u5:2 Not tainted syzkaller #0
[ 124.478098][ T4216] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
[ 124.489064][ T4216] Workqueue: hci0 hci_rx_work
[ 124.494278][ T4216] Call Trace:
[ 124.497611][ T4216]
[ 124.500711][ T4216] dump_stack_lvl+0x188/0x250
[ 124.505944][ T4216] ? show_regs_print_info+0x20/0x20
[ 124.511295][ T4216] ? l2cap_recv_frame+0xd0c/0x88d0
[ 124.516632][ T4216] lock_release+0x538/0x8a0
[ 124.521707][ T4216] ? l2cap_recv_frame+0xd0c/0x88d0
[ 124.526956][ T4216] ? __lock_acquire+0x7d10/0x7d10
[ 124.532029][ T4216] ? lock_chain_count+0x20/0x20
[ 124.536986][ T4216] ? lockdep_hardirqs_on_prepare+0x770/0x770
[ 124.543279][ T4216] __mutex_unlock_slowpath+0xc8/0x6c0
[ 124.549186][ T4216] ? __local_bh_enable_ip+0x136/0x1c0
[ 124.554699][ T4216] ? mutex_unlock+0x10/0x10
[ 124.559358][ T4216] ? l2cap_sock_recv_cb+0x18b/0x1e0
[ 124.564627][ T4216] ? l2cap_sock_recv_cb+0x18b/0x1e0
[ 124.569978][ T4216] l2cap_recv_frame+0xd0c/0x88d0
[ 124.575178][ T4216] ? __lock_acquire+0x7d10/0x7d10
[ 124.580642][ T4216] ? l2cap_recv_frag+0x290/0x290
[ 124.585717][ T4216] ? __mutex_unlock_slowpath+0x1b0/0x6c0
[ 124.591549][ T4216] ? _raw_spin_unlock_irqrestore+0xc1/0x120
[ 124.597804][ T4216] ? mutex_unlock+0x10/0x10
[ 124.602451][ T4216] ? l2cap_recv_acldata+0x633/0x17c0
[ 124.607978][ T4216] hci_rx_work+0x4a4/0xa10
[ 124.612457][ T4216] process_one_work+0x85f/0x1010
[ 124.617529][ T4216] ? worker_detach_from_pool+0x240/0x240
[ 124.623202][ T4216] ? lockdep_hardirqs_off+0x70/0x100
[ 124.628628][ T4216] ? _raw_spin_lock_irq+0xb7/0xf0
[ 124.634099][ T4216] ? _raw_spin_lock_irqsave+0x100/0x100
[ 124.639774][ T4216] ? wq_worker_running+0x97/0x170
[ 124.644931][ T4216] worker_thread+0xaa6/0x1290
[ 124.649655][ T4216] ? lockdep_hardirqs_on+0x94/0x140
[ 124.655061][ T4216] ? _raw_spin_unlock_irqrestore+0xc1/0x120
[ 124.661286][ T4216] kthread+0x436/0x520
[ 124.665522][ T4216] ? rcu_lock_release+0x20/0x20
[ 124.670644][ T4216] ? kthread_blkcg+0xd0/0xd0
[ 124.675880][ T4216] ret_from_fork+0x1f/0x30
[ 124.680673][ T4216]
[ 124.686378][ T4261] Bluetooth: hci0: command 0x040f tx timeout
[ 126.721645][ T4261] Bluetooth: hci0: command 0x0419 tx timeout
2026/04/04 01:55:57 executed programs: 266
[ 131.492101][ T4216] ==================================================================
[ 131.500569][ T4216] BUG: KASAN: use-after-free in do_raw_spin_lock+0x283/0x2f0
[ 131.508088][ T4216] Read of size 4 at addr ffff88802c04d08c by task kworker/u5:2/4216
[ 131.516424][ T4216]
[ 131.518760][ T4216] CPU: 1 PID: 4216 Comm: kworker/u5:2 Not tainted syzkaller #0
[ 131.526441][ T4216] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
[ 131.536537][ T4216] Workqueue: hci0 hci_rx_work
[ 131.541617][ T4216] Call Trace:
[ 131.545221][ T4216]
[ 131.548346][ T4216] dump_stack_lvl+0x188/0x250
[ 131.553310][ T4216] ? show_regs_print_info+0x20/0x20
[ 131.558628][ T4216] ? load_image+0x400/0x400
[ 131.563155][ T4216] ? _raw_spin_lock_irqsave+0xbc/0x100
[ 131.568838][ T4216] print_address_description+0x60/0x2d0
[ 131.574571][ T4216] ? do_raw_spin_lock+0x283/0x2f0
[ 131.579628][ T4216] kasan_report+0xdf/0x130
[ 131.584068][ T4216] ? do_raw_spin_lock+0x283/0x2f0
[ 131.589298][ T4216] do_raw_spin_lock+0x283/0x2f0
[ 131.594625][ T4216] ? __local_bh_enable_ip+0x136/0x1c0
[ 131.600209][ T4216] ? __rwlock_init+0x140/0x140
[ 131.605273][ T4216] ? kthread_data+0x4b/0xc0
[ 131.610019][ T4216] ? __lock_sock+0x166/0x2b0
[ 131.614918][ T4216] __lock_sock+0x166/0x2b0
[ 131.619460][ T4216] ? sk_page_frag_refill+0x200/0x200
[ 131.624778][ T4216] ? do_raw_spin_lock+0x265/0x2f0
[ 131.630315][ T4216] ? init_wait_entry+0xd0/0xd0
[ 131.635175][ T4216] ? __rwlock_init+0x140/0x140
[ 131.639970][ T4216] ? lock_sock_nested+0x68/0x100
[ 131.645611][ T4216] lock_sock_nested+0x9d/0x100
[ 131.650485][ T4216] l2cap_sock_recv_cb+0x4c/0x1e0
[ 131.655439][ T4216] l2cap_recv_frame+0xa86/0x88d0
[ 131.660407][ T4216] ? hci_rx_work+0x45d/0xa10
[ 131.665012][ T4216] ? __mutex_lock_common+0x465/0x2400
[ 131.670395][ T4216] ? __lock_acquire+0x7d10/0x7d10
[ 131.675710][ T4216] ? rcu_is_watching+0x11/0xa0
[ 131.681426][ T4216] ? lock_release+0xb5/0x8a0
[ 131.686542][ T4216] ? l2cap_recv_frag+0x290/0x290
[ 131.691682][ T4216] ? __mutex_unlock_slowpath+0x1b0/0x6c0
[ 131.697748][ T4216] ? _raw_spin_unlock_irqrestore+0xc1/0x120
[ 131.703761][ T4216] ? mutex_unlock+0x10/0x10
[ 131.708670][ T4216] ? l2cap_recv_acldata+0x633/0x17c0
[ 131.714709][ T4216] hci_rx_work+0x4a4/0xa10
[ 131.719336][ T4216] process_one_work+0x85f/0x1010
[ 131.724301][ T4216] ? worker_detach_from_pool+0x240/0x240
[ 131.730470][ T4216] ? lockdep_hardirqs_off+0x70/0x100
[ 131.735967][ T4216] ? _raw_spin_lock_irq+0xb7/0xf0
[ 131.742365][ T4216] ? _raw_spin_lock_irqsave+0x100/0x100
[ 131.748290][ T4216] ? wq_worker_running+0x97/0x170
[ 131.753379][ T4216] worker_thread+0xaa6/0x1290
[ 131.758286][ T4216] ? lockdep_hardirqs_on+0x94/0x140
[ 131.763496][ T4216] ? _raw_spin_unlock_irqrestore+0xc1/0x120
[ 131.770048][ T4216] kthread+0x436/0x520
[ 131.774354][ T4216] ? rcu_lock_release+0x20/0x20
[ 131.779474][ T4216] ? kthread_blkcg+0xd0/0xd0
[ 131.784249][ T4216] ret_from_fork+0x1f/0x30
[ 131.788874][ T4216]
[ 131.792022][ T4216]
[ 131.794475][ T4216] Allocated by task 5823:
[ 131.798923][ T4216] __kasan_kmalloc+0xb5/0xf0
[ 131.803645][ T4216] sk_prot_alloc+0xe7/0x210
[ 131.808241][ T4216] sk_alloc+0x2f/0x310
[ 131.812399][ T4216] l2cap_sock_alloc+0x33/0x200
[ 131.817505][ T4216] l2cap_sock_create+0x118/0x1d0
[ 131.822840][ T4216] bt_sock_create+0x155/0x220
[ 131.827725][ T4216] __sock_create+0x47b/0x900
[ 131.832855][ T4216] __sys_socket+0xe2/0x170
[ 131.837369][ T4216] __x64_sys_socket+0x76/0x80
[ 131.842141][ T4216] do_syscall_64+0x4c/0xa0
[ 131.846698][ T4216] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 131.852621][ T4216]
[ 131.854964][ T4216] Freed by task 5822:
[ 131.858939][ T4216] kasan_set_track+0x4b/0x70
[ 131.863899][ T4216] kasan_set_free_info+0x1f/0x40
[ 131.869289][ T4216] ____kasan_slab_free+0xd5/0x110
[ 131.874519][ T4216] slab_free_freelist_hook+0xea/0x170
[ 131.880055][ T4216] kfree+0xef/0x2a0
[ 131.884144][ T4216] __sk_destruct+0x578/0x840
[ 131.888832][ T4216] l2cap_sock_release+0x169/0x1e0
[ 131.894050][ T4216] sock_close+0xd5/0x240
[ 131.898578][ T4216] __fput+0x234/0x930
[ 131.902577][ T4216] task_work_run+0x125/0x1a0
[ 131.907283][ T4216] exit_to_user_mode_loop+0x10f/0x130
[ 131.912876][ T4216] exit_to_user_mode_prepare+0xee/0x180
[ 131.918514][ T4216] syscall_exit_to_user_mode+0x16/0x40
[ 131.924073][ T4216] do_syscall_64+0x58/0xa0
[ 131.928520][ T4216] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 131.934691][ T4216]
[ 131.937055][ T4216] Last potentially related work creation:
[ 131.942780][ T4216] kasan_save_stack+0x35/0x60
[ 131.947574][ T4216] kasan_record_aux_stack+0xb8/0x100
[ 131.953189][ T4216] kvfree_call_rcu+0x105/0x7d0
[ 131.958240][ T4216] drop_sysctl_table+0x359/0x4e0
[ 131.963210][ T4216] unregister_sysctl_table+0x87/0x130
[ 131.968811][ T4216] inetdev_event+0x6da/0x1370
[ 131.973878][ T4216] raw_notifier_call_chain+0xcb/0x160
[ 131.979438][ T4216] unregister_netdevice_many+0x1049/0x19f0
[ 131.985371][ T4216] default_device_exit_batch+0x364/0x3c0
[ 131.991330][ T4216] cleanup_net+0x791/0xba0
[ 131.995857][ T4216] process_one_work+0x85f/0x1010
[ 132.000976][ T4216] worker_thread+0xaa6/0x1290
[ 132.005832][ T4216] kthread+0x436/0x520
[ 132.009995][ T4216] ret_from_fork+0x1f/0x30
[ 132.014638][ T4216]
[ 132.016981][ T4216] Second to last potentially related work creation:
[ 132.023756][ T4216] kasan_save_stack+0x35/0x60
[ 132.029019][ T4216] kasan_record_aux_stack+0xb8/0x100
[ 132.034481][ T4216] call_rcu+0x189/0x950
[ 132.038842][ T4216] addrconf_ifdown+0x1742/0x19c0
[ 132.044331][ T4216] addrconf_notify+0x445/0xf00
[ 132.049447][ T4216] raw_notifier_call_chain+0xcb/0x160
[ 132.054919][ T4216] unregister_netdevice_many+0x1049/0x19f0
[ 132.061109][ T4216] unregister_netdevice_queue+0x324/0x370
[ 132.066833][ T4216] nsim_destroy+0x49/0x150
[ 132.071297][ T4216] __nsim_dev_port_del+0x155/0x1c0
[ 132.076666][ T4216] nsim_dev_reload_destroy+0x16c/0x240
[ 132.082239][ T4216] nsim_dev_reload_down+0xf9/0x160
[ 132.087504][ T4216] devlink_reload+0x273/0x790
[ 132.092582][ T4216] devlink_pernet_pre_exit+0x1aa/0x310
[ 132.098054][ T4216] cleanup_net+0x591/0xba0
[ 132.102493][ T4216] process_one_work+0x85f/0x1010
[ 132.107674][ T4216] worker_thread+0xaa6/0x1290
[ 132.112368][ T4216] kthread+0x436/0x520
[ 132.117223][ T4216] ret_from_fork+0x1f/0x30
[ 132.122120][ T4216]
[ 132.124470][ T4216] The buggy address belongs to the object at ffff88802c04d000
[ 132.124470][ T4216] which belongs to the cache kmalloc-2k of size 2048
[ 132.139009][ T4216] The buggy address is located 140 bytes inside of
[ 132.139009][ T4216] 2048-byte region [ffff88802c04d000, ffff88802c04d800)
[ 132.152642][ T4216] The buggy address belongs to the page:
[ 132.158293][ T4216] page:ffffea0000b01200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2c048
[ 132.169937][ T4216] head:ffffea0000b01200 order:3 compound_mapcount:0 compound_pincount:0
[ 132.179265][ T4216] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 132.188368][ T4216] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888016c42000
[ 132.197521][ T4216] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 132.206844][ T4216] page dumped because: kasan: bad access detected
[ 132.214048][ T4216] page_owner tracks the page as allocated
[ 132.220248][ T4216] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 4297, ts 81734969286, free_ts 81711061671
[ 132.241583][ T4216] get_page_from_freelist+0x1bbd/0x1ca0
[ 132.241618][ T4216] __alloc_pages+0x1ee/0x480
[ 132.252852][ T4216] new_slab+0xc0/0x4b0
[ 132.256941][ T4216] ___slab_alloc+0x80a/0xdd0
[ 132.261979][ T4216] __kmalloc_track_caller+0x1cb/0x330
[ 132.267927][ T4216] kmemdup+0x22/0x50
[ 132.272221][ T4216] neigh_sysctl_register+0xaa/0xa90
[ 132.277714][ T4216] addrconf_sysctl_register+0xac/0x1b0
[ 132.283460][ T4216] ipv6_add_dev+0xbf3/0x1190
[ 132.288071][ T4216] addrconf_notify+0x66f/0xf00
[ 132.293416][ T4216] raw_notifier_call_chain+0xcb/0x160
[ 132.298909][ T4216] register_netdevice+0x12a6/0x1710
[ 132.304507][ T4216] nsim_create+0x32d/0x3e0
[ 132.309033][ T4216] __nsim_dev_port_add+0x698/0xab0
[ 132.314344][ T4216] nsim_dev_port_add_all+0x37/0x100
[ 132.319577][ T4216] nsim_dev_probe+0x763/0x9c0
[ 132.324464][ T4216] page last free stack trace:
[ 132.329577][ T4216] free_unref_page_prepare+0x637/0x6c0
[ 132.335355][ T4216] free_unref_page+0x8f/0x2a0
[ 132.340060][ T4216] __unfreeze_partials+0x1a5/0x200
[ 132.345465][ T4216] put_cpu_partial+0x12d/0x190
[ 132.350463][ T4216] qlist_free_all+0x35/0x90
[ 132.355009][ T4216] kasan_quarantine_reduce+0x150/0x160
[ 132.360476][ T4216] __kasan_slab_alloc+0x2f/0xd0
[ 132.365666][ T4216] slab_post_alloc_hook+0x4c/0x380
[ 132.370876][ T4216] kmem_cache_alloc_node+0x12d/0x2d0
[ 132.376352][ T4216] __alloc_skb+0xf4/0x750
[ 132.380861][ T4216] devlink_trap_notify+0x2d/0x160
[ 132.385890][ T4216] devlink_trap_unregister+0xf2/0x270
[ 132.391889][ T4216] devlink_traps_unregister+0x1f6/0x230
[ 132.397885][ T4216] nsim_dev_traps_exit+0x64/0x120
[ 132.403460][ T4216] nsim_dev_reload_destroy+0x1bd/0x240
[ 132.409350][ T4216] nsim_dev_remove+0x59/0x100
[ 132.414051][ T4216]
[ 132.416576][ T4216] Memory state around the buggy address:
[ 132.422696][ T4216] ffff88802c04cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 132.431305][ T4216] ffff88802c04d000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 132.439812][ T4216] >ffff88802c04d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 132.448572][ T4216] ^
[ 132.453200][ T4216] ffff88802c04d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 132.461645][ T4216] ffff88802c04d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 132.470653][ T4216] ==================================================================
[ 132.479149][ T4216] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 132.486750][ T4216] CPU: 1 PID: 4216 Comm: kworker/u5:2 Tainted: G B syzkaller #0
[ 132.496065][ T4216] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
[ 132.506418][ T4216] Workqueue: hci0 hci_rx_work
[ 132.511155][ T4216] Call Trace:
[ 132.514546][ T4216]
[ 132.517617][ T4216] dump_stack_lvl+0x188/0x250
[ 132.522333][ T4216] ? show_regs_print_info+0x20/0x20
[ 132.527838][ T4216] ? load_image+0x400/0x400
[ 132.533001][ T4216] panic+0x2e5/0x810
[ 132.537089][ T4216] ? bpf_jit_dump+0xd0/0xd0
[ 132.541739][ T4216] ? _raw_spin_unlock_irqrestore+0xbc/0x120
[ 132.547673][ T4216] ? _raw_spin_unlock_irqrestore+0xc1/0x120
[ 132.553662][ T4216] ? _raw_spin_unlock+0x40/0x40
[ 132.558522][ T4216] ? do_raw_spin_lock+0x283/0x2f0
[ 132.563919][ T4216] check_panic_on_warn+0x80/0xa0
[ 132.568893][ T4216] ? do_raw_spin_lock+0x283/0x2f0
[ 132.574537][ T4216] end_report+0x6d/0xf0
[ 132.578706][ T4216] kasan_report+0x102/0x130
[ 132.583221][ T4216] ? do_raw_spin_lock+0x283/0x2f0
[ 132.588452][ T4216] do_raw_spin_lock+0x283/0x2f0
[ 132.593540][ T4216] ? __local_bh_enable_ip+0x136/0x1c0
[ 132.598950][ T4216] ? __rwlock_init+0x140/0x140
[ 132.603732][ T4216] ? kthread_data+0x4b/0xc0
[ 132.608398][ T4216] ? __lock_sock+0x166/0x2b0
[ 132.613012][ T4216] __lock_sock+0x166/0x2b0
[ 132.617527][ T4216] ? sk_page_frag_refill+0x200/0x200
[ 132.622820][ T4216] ? do_raw_spin_lock+0x265/0x2f0
[ 132.627971][ T4216] ? init_wait_entry+0xd0/0xd0
[ 132.632831][ T4216] ? __rwlock_init+0x140/0x140
[ 132.637600][ T4216] ? lock_sock_nested+0x68/0x100
[ 132.642632][ T4216] lock_sock_nested+0x9d/0x100
[ 132.647496][ T4216] l2cap_sock_recv_cb+0x4c/0x1e0
[ 132.652446][ T4216] l2cap_recv_frame+0xa86/0x88d0
[ 132.657427][ T4216] ? hci_rx_work+0x45d/0xa10
[ 132.662328][ T4216] ? __mutex_lock_common+0x465/0x2400
[ 132.667737][ T4216] ? __lock_acquire+0x7d10/0x7d10
[ 132.672906][ T4216] ? rcu_is_watching+0x11/0xa0
[ 132.677680][ T4216] ? lock_release+0xb5/0x8a0
[ 132.682522][ T4216] ? l2cap_recv_frag+0x290/0x290
[ 132.687781][ T4216] ? __mutex_unlock_slowpath+0x1b0/0x6c0
[ 132.693567][ T4216] ? _raw_spin_unlock_irqrestore+0xc1/0x120
[ 132.699672][ T4216] ? mutex_unlock+0x10/0x10
[ 132.704373][ T4216] ? l2cap_recv_acldata+0x633/0x17c0
[ 132.709850][ T4216] hci_rx_work+0x4a4/0xa10
[ 132.714549][ T4216] process_one_work+0x85f/0x1010
[ 132.719611][ T4216] ? worker_detach_from_pool+0x240/0x240
[ 132.725257][ T4216] ? lockdep_hardirqs_off+0x70/0x100
[ 132.730552][ T4216] ? _raw_spin_lock_irq+0xb7/0xf0
[ 132.735579][ T4216] ? _raw_spin_lock_irqsave+0x100/0x100
[ 132.741130][ T4216] ? wq_worker_running+0x97/0x170
[ 132.746194][ T4216] worker_thread+0xaa6/0x1290
[ 132.751143][ T4216] ? lockdep_hardirqs_on+0x94/0x140
[ 132.756427][ T4216] ? _raw_spin_unlock_irqrestore+0xc1/0x120
[ 132.762518][ T4216] kthread+0x436/0x520
[ 132.766626][ T4216] ? rcu_lock_release+0x20/0x20
[ 132.771868][ T4216] ? kthread_blkcg+0xd0/0xd0
[ 132.776605][ T4216] ret_from_fork+0x1f/0x30
[ 132.781040][ T4216]
[ 132.784517][ T4216] Kernel Offset: disabled
[ 132.789254][ T4216] Rebooting in 86400 seconds..