no interfaces have a carrier
[ 56.657328][ T3855] 8021q: adding VLAN 0 to HW filter on device bond0
[ 56.702489][ T3855] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting crond: OK
Starting sshd: OK
syzkaller
syzkaller login: [ 99.580024][ T1110] cfg80211: failed to load regulatory.db
Warning: Permanently added '10.128.1.43' (ED25519) to the list of known hosts.
2025/10/20 10:30:33 parsed 1 programs
[ 108.919181][ T4203] cgroup: Unknown subsys name 'net'
[ 109.060566][ T4203] cgroup: Unknown subsys name 'rlimit'
[ 110.744627][ T4203] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k FS
[ 113.727683][ T4233] chnl_net:caif_netlink_parms(): no params data found
[ 113.801648][ T4233] bridge0: port 1(bridge_slave_0) entered blocking state
[ 113.811195][ T4233] bridge0: port 1(bridge_slave_0) entered disabled state
[ 113.822376][ T4233] device bridge_slave_0 entered promiscuous mode
[ 113.834393][ T4233] bridge0: port 2(bridge_slave_1) entered blocking state
[ 113.843472][ T4233] bridge0: port 2(bridge_slave_1) entered disabled state
[ 113.853024][ T4233] device bridge_slave_1 entered promiscuous mode
[ 113.887628][ T4233] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 113.900895][ T4233] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 113.934783][ T4233] team0: Port device team_slave_0 added
[ 113.944134][ T4233] team0: Port device team_slave_1 added
[ 113.972636][ T4233] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 113.980236][ T4233] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 114.009954][ T4233] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 114.026142][ T4233] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 114.034535][ T4233] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 114.064096][ T4233] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 114.110991][ T4233] device hsr_slave_0 entered promiscuous mode
[ 114.119000][ T4233] device hsr_slave_1 entered promiscuous mode
[ 114.273696][ T4233] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 114.287689][ T4233] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 114.302239][ T4233] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 114.314567][ T4233] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 114.355801][ T4233] bridge0: port 2(bridge_slave_1) entered blocking state
[ 114.365568][ T4233] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 114.374437][ T4233] bridge0: port 1(bridge_slave_0) entered blocking state
[ 114.381781][ T4233] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 114.449849][ T4233] 8021q: adding VLAN 0 to HW filter on device bond0
[ 114.468402][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 114.481258][ T9] bridge0: port 1(bridge_slave_0) entered disabled state
[ 114.491657][ T9] bridge0: port 2(bridge_slave_1) entered disabled state
[ 114.509492][ T4233] 8021q: adding VLAN 0 to HW filter on device team0
[ 114.527263][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 114.539542][ T9] bridge0: port 1(bridge_slave_0) entered blocking state
[ 114.547794][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 114.573902][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 114.589789][ T9] bridge0: port 2(bridge_slave_1) entered blocking state
[ 114.597717][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 114.619409][ T1236] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 114.635030][ T1236] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 114.671579][ T1236] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 114.685461][ T1236] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 114.702260][ T1236] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 114.713488][ T1236] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 114.723322][ T1236] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 114.736838][ T1236] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 114.746696][ T1236] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 114.762726][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 114.772925][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 114.789226][ T4233] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 114.900531][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 114.910722][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 114.930493][ T4233] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 114.970090][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 114.982727][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 115.022820][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 115.033905][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 115.047062][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 115.056982][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 115.072951][ T4233] device veth0_vlan entered promiscuous mode
[ 115.102734][ T4233] device veth1_vlan entered promiscuous mode
[ 115.127662][ T140] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 115.138380][ T140] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 115.149928][ T140] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 115.161480][ T140] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 115.175483][ T4233] device veth0_macvtap entered promiscuous mode
[ 115.189764][ T4233] device veth1_macvtap entered promiscuous mode
[ 115.215773][ T4233] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 115.224876][ T1236] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 115.234707][ T1236] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 115.246093][ T1236] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 115.258742][ T1236] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 115.285732][ T4233] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 115.295202][ T1236] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 115.305109][ T1236] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 115.319254][ T4233] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 115.328833][ T4233] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 115.339167][ T4233] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 115.349713][ T4233] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 115.480574][ T4233] syz-executor (4233) used greatest stack depth: 21120 bytes left
[ 116.847707][ T9] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 116.883518][ T9] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 116.906337][ T140] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 116.924949][ T9] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 116.936025][ T9] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 116.954139][ T140] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 117.357639][ T154] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
2025/10/20 10:30:44 executed programs: 0
[ 117.662093][ T4298] chnl_net:caif_netlink_parms(): no params data found
[ 117.715544][ T4298] bridge0: port 1(bridge_slave_0) entered blocking state
[ 117.723540][ T4298] bridge0: port 1(bridge_slave_0) entered disabled state
[ 117.734107][ T4298] device bridge_slave_0 entered promiscuous mode
[ 117.743040][ T4298] bridge0: port 2(bridge_slave_1) entered blocking state
[ 117.751397][ T4298] bridge0: port 2(bridge_slave_1) entered disabled state
[ 117.761965][ T4298] device bridge_slave_1 entered promiscuous mode
[ 117.788787][ T4298] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 117.802546][ T4298] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 117.832563][ T4298] team0: Port device team_slave_0 added
[ 117.842400][ T4298] team0: Port device team_slave_1 added
[ 117.870070][ T4298] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 117.879472][ T4298] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 117.913138][ T4298] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 117.930290][ T4298] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 117.938687][ T4298] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 117.970615][ T4298] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 118.007729][ T4298] device hsr_slave_0 entered promiscuous mode
[ 118.016942][ T4298] device hsr_slave_1 entered promiscuous mode
[ 118.025196][ T4298] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 118.035189][ T4298] Cannot create hsr debugfs directory
[ 119.578774][ T4253] Bluetooth: hci0: command 0x0409 tx timeout
[ 120.577332][ T154] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 120.636586][ T154] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 120.717441][ T154] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 121.516699][ T4298] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 121.528853][ T4298] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 121.539657][ T4298] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 121.551343][ T4298] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 121.658885][ T4336] Bluetooth: hci0: command 0x041b tx timeout
[ 121.663180][ T4298] 8021q: adding VLAN 0 to HW filter on device bond0
[ 121.701302][ T140] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 121.711433][ T140] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 121.723364][ T4298] 8021q: adding VLAN 0 to HW filter on device team0
[ 121.735810][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 121.748566][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 121.760608][ T9] bridge0: port 1(bridge_slave_0) entered blocking state
[ 121.768910][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 121.781629][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 121.800317][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 121.810948][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 121.820412][ T9] bridge0: port 2(bridge_slave_1) entered blocking state
[ 121.828155][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 121.862894][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 121.877768][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 121.899544][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 121.910961][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 121.921323][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 121.932667][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 121.943278][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 121.953394][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 121.963632][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 121.976273][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 121.987361][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 122.002769][ T4298] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 122.173248][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 122.182246][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 122.198361][ T4298] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 122.240316][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 122.250239][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 122.298491][ T140] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 122.309060][ T140] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 122.319225][ T140] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 122.329491][ T140] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 122.340492][ T4298] device veth0_vlan entered promiscuous mode
[ 122.361194][ T4298] device veth1_vlan entered promiscuous mode
[ 122.399939][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 122.411522][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 122.420627][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 122.431073][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 122.447445][ T4298] device veth0_macvtap entered promiscuous mode
[ 122.464136][ T154] device hsr_slave_0 left promiscuous mode
[ 122.473445][ T154] device hsr_slave_1 left promiscuous mode
[ 122.481821][ T154] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 122.491782][ T154] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 122.502353][ T154] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 122.513423][ T154] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 122.524576][ T154] device bridge_slave_1 left promiscuous mode
[ 122.534323][ T154] bridge0: port 2(bridge_slave_1) entered disabled state
[ 122.554074][ T154] device bridge_slave_0 left promiscuous mode
[ 122.561926][ T154] bridge0: port 1(bridge_slave_0) entered disabled state
[ 122.583906][ T154] device veth1_macvtap left promiscuous mode
[ 122.592618][ T154] device veth0_macvtap left promiscuous mode
[ 122.601483][ T154] device veth1_vlan left promiscuous mode
[ 122.609792][ T154] device veth0_vlan left promiscuous mode
[ 122.806554][ T154] team0 (unregistering): Port device team_slave_1 removed
[ 122.826754][ T154] team0 (unregistering): Port device team_slave_0 removed
[ 122.843780][ T154] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 122.864283][ T154] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 122.933563][ T154] bond0 (unregistering): Released all slaves
[ 122.988558][ T4298] device veth1_macvtap entered promiscuous mode
[ 122.999486][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 123.009556][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 123.036775][ T4298] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 123.048667][ T1236] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 123.060439][ T1236] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 123.076728][ T4298] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 123.086454][ T4367] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 123.097568][ T4367] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 123.114791][ T4298] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 123.125292][ T4298] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 123.136103][ T4298] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 123.147384][ T4298] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 123.236922][ T1236] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 123.252264][ T1236] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 123.279465][ T4367] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 123.304100][ T1236] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 123.314481][ T1236] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 123.326881][ T4367] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
2025/10/20 10:30:50 executed programs: 2
[ 123.391276][ T4282] BUG: sleeping function called from invalid context at net/core/sock.c:3258
[ 123.402232][ T4282] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 4282, name: kworker/u5:2
[ 123.414631][ T4282] 5 locks held by kworker/u5:2/4282:
[ 123.421243][ T4282] #0: ffff88807707e138 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x760/0x1000
[ 123.436494][ T4282] #1: ffffc90002fafd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x7a3/0x1000
[ 123.450331][ T4282] #2: ffffffff8d37ece8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm+0x2c/0x130
[ 123.463196][ T4282] #3: ffff888021cadc20 (&conn->lock#2){+.+.}-{2:2}, at: sco_connect_cfm+0x26c/0xa40
[ 123.475220][ T4282] #4: ffff88807b655120 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x464/0xa40
[ 123.488369][ T4282] Preemption disabled at:
[ 123.488384][ T4282] [<0000000000000000>] 0x0
[ 123.499733][ T4282] CPU: 0 PID: 4282 Comm: kworker/u5:2 Not tainted syzkaller #0
[ 123.508984][ T4282] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[ 123.520433][ T4282] Workqueue: hci0 hci_rx_work
[ 123.526136][ T4282] Call Trace:
[ 123.530399][ T4282]
[ 123.533744][ T4282] dump_stack_lvl+0x168/0x230
[ 123.539571][ T4282] ? show_regs_print_info+0x20/0x20
[ 123.545895][ T4282] ? load_image+0x3b0/0x3b0
[ 123.550856][ T4282] ___might_sleep+0x47c/0x600
[ 123.556308][ T4282] ? __might_sleep+0xf0/0xf0
[ 123.561226][ T4282] ? read_lock_is_recursive+0x10/0x10
[ 123.567996][ T4282] ? __lock_acquire+0x7c60/0x7c60
[ 123.574143][ T4282] ? do_raw_spin_lock+0x11d/0x280
[ 123.579833][ T4282] ? __rwlock_init+0x140/0x140
[ 123.585253][ T4282] lock_sock_nested+0x5b/0x100
[ 123.591356][ T4282] sco_connect_cfm+0x464/0xa40
[ 123.597233][ T4282] ? __mutex_unlock_slowpath+0x19e/0x6a0
[ 123.603546][ T4282] ? sco_skb_put_cmsg+0xa0/0xa0
[ 123.609344][ T4282] ? sco_skb_put_cmsg+0xa0/0xa0
[ 123.614824][ T4282] hci_connect_cfm+0x8f/0x130
[ 123.620517][ T4282] hci_conn_request_evt+0x6a2/0x9f0
[ 123.626530][ T4282] ? hci_conn_complete_evt+0x1440/0x1440
[ 123.633919][ T4282] ? __mutex_unlock_slowpath+0x19e/0x6a0
[ 123.640753][ T4282] ? mark_lock+0x94/0x320
[ 123.645764][ T4282] ? mutex_unlock+0x10/0x10
[ 123.651376][ T4282] ? lockdep_hardirqs_on_prepare+0x3fc/0x760
[ 123.658391][ T4282] ? lock_chain_count+0x20/0x20
[ 123.664339][ T4282] ? __rwlock_init+0x140/0x140
[ 123.670133][ T4282] hci_event_packet+0x743/0x12f0
[ 123.675635][ T4282] ? lockdep_hardirqs_on+0x94/0x140
[ 123.681564][ T4282] ? rcu_lock_release+0x20/0x20
[ 123.687877][ T4282] ? hci_send_to_monitor+0x9c/0x4a0
[ 123.694031][ T4282] hci_rx_work+0x255/0xa10
[ 123.699393][ T4282] process_one_work+0x863/0x1000
[ 123.705164][ T4282] ? worker_detach_from_pool+0x240/0x240
[ 123.711741][ T4282] ? lockdep_hardirqs_off+0x70/0x100
[ 123.718237][ T4282] ? _raw_spin_lock_irq+0xab/0xe0
[ 123.724475][ T4282] ? _raw_spin_lock_irqsave+0xf0/0xf0
[ 123.731457][ T4282] ? wq_worker_running+0x97/0x170
[ 123.737458][ T4282] worker_thread+0xaa8/0x12a0
[ 123.742506][ T4282] ? _raw_spin_unlock_irqrestore+0x82/0x100
[ 123.749140][ T4282] ? lockdep_hardirqs_on+0x94/0x140
[ 123.755679][ T4282] ? lockdep_hardirqs_on+0x94/0x140
[ 123.762194][ T4282] ? _raw_spin_unlock_irqrestore+0xaa/0x100
[ 123.770176][ T4282] kthread+0x436/0x520
[ 123.774932][ T4282] ? rcu_lock_release+0x20/0x20
[ 123.780296][ T4282] ? kthread_blkcg+0xd0/0xd0
[ 123.785310][ T4282] ret_from_fork+0x1f/0x30
[ 123.790404][ T4282]
[ 123.794478][ T4282] ==================================================================
[ 123.804935][ T4282] BUG: KASAN: use-after-free in __lock_acquire+0xf7/0x7c60
[ 123.814048][ T4282] Read of size 8 at addr ffff88807b6550a0 by task kworker/u5:2/4282
[ 123.822734][ T4282]
[ 123.826661][ T4282] CPU: 0 PID: 4282 Comm: kworker/u5:2 Tainted: G W syzkaller #0
[ 123.838213][ T4282] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[ 123.850676][ T4282] Workqueue: hci0 hci_rx_work
[ 123.856682][ T4282] Call Trace:
[ 123.860680][ T4282]
[ 123.864570][ T4282] dump_stack_lvl+0x168/0x230
[ 123.870099][ T4282] ? show_regs_print_info+0x20/0x20
[ 123.876211][ T4282] ? load_image+0x3b0/0x3b0
[ 123.881334][ T4282] ? _raw_spin_lock_irqsave+0xb0/0xf0
[ 123.888296][ T4282] ? irq_work_queue+0xbf/0x140
[ 123.894356][ T4282] print_address_description+0x60/0x2d0
[ 123.901073][ T4282] ? __lock_acquire+0xf7/0x7c60
[ 123.906359][ T4282] kasan_report+0xdf/0x130
[ 123.910918][ T4282] ? __lock_acquire+0xf7/0x7c60
[ 123.917156][ T4282] __lock_acquire+0xf7/0x7c60
[ 123.922700][ T4282] ? lockdep_hardirqs_on_prepare+0x3fc/0x760
[ 123.930410][ T4282] ? lock_chain_count+0x20/0x20
[ 123.936904][ T4282] ? lockdep_hardirqs_on+0x94/0x140
[ 123.943087][ T4282] ? asm_sysvec_apic_timer_interrupt+0x16/0x20
[ 123.950857][ T4282] ? verify_lock_unused+0x140/0x140
[ 123.956761][ T4282] ? dump_stack_lvl+0x1c6/0x230
[ 123.962196][ T4282] ? dump_stack_lvl+0x1d0/0x230
[ 123.967679][ T4282] ? show_regs_print_info+0x20/0x20
[ 123.973623][ T4282] ? load_image+0x3b0/0x3b0
[ 123.978754][ T4282] lock_acquire+0x197/0x3f0
[ 123.986167][ T4282] ? lock_sock_nested+0x68/0x100
[ 123.992315][ T4282] ? read_lock_is_recursive+0x10/0x10
[ 123.999039][ T4282] ? __bpf_trace_softirq+0x10/0x10
[ 124.005276][ T4282] ? __lock_acquire+0x7c60/0x7c60
[ 124.010938][ T4282] ? do_raw_spin_lock+0x11d/0x280
[ 124.017116][ T4282] ? lock_sock_nested+0x68/0x100
[ 124.022682][ T4282] _raw_spin_lock_bh+0x32/0x50
[ 124.027784][ T4282] ? lock_sock_nested+0x68/0x100
[ 124.033229][ T4282] lock_sock_nested+0x68/0x100
[ 124.038429][ T4282] sco_connect_cfm+0x464/0xa40
[ 124.046001][ T4282] ? __mutex_unlock_slowpath+0x19e/0x6a0
[ 124.052645][ T4282] ? sco_skb_put_cmsg+0xa0/0xa0
[ 124.058387][ T4282] ? sco_skb_put_cmsg+0xa0/0xa0
[ 124.064141][ T4282] hci_connect_cfm+0x8f/0x130
[ 124.069229][ T4282] hci_conn_request_evt+0x6a2/0x9f0
[ 124.075881][ T4282] ? hci_conn_complete_evt+0x1440/0x1440
[ 124.082594][ T4282] ? __mutex_unlock_slowpath+0x19e/0x6a0
[ 124.088809][ T4282] ? mark_lock+0x94/0x320
[ 124.094540][ T4282] ? mutex_unlock+0x10/0x10
[ 124.100890][ T4282] ? lockdep_hardirqs_on_prepare+0x3fc/0x760
[ 124.107770][ T4282] ? lock_chain_count+0x20/0x20
[ 124.113341][ T4282] ? __rwlock_init+0x140/0x140
[ 124.119333][ T4282] hci_event_packet+0x743/0x12f0
[ 124.125211][ T4282] ? lockdep_hardirqs_on+0x94/0x140
[ 124.132448][ T4282] ? rcu_lock_release+0x20/0x20
[ 124.137840][ T4282] ? hci_send_to_monitor+0x9c/0x4a0
[ 124.145100][ T4282] hci_rx_work+0x255/0xa10
[ 124.150099][ T4282] process_one_work+0x863/0x1000
[ 124.155493][ T4282] ? worker_detach_from_pool+0x240/0x240
[ 124.162241][ T4282] ? lockdep_hardirqs_off+0x70/0x100
[ 124.168503][ T4282] ? _raw_spin_lock_irq+0xab/0xe0
[ 124.174326][ T4282] ? _raw_spin_lock_irqsave+0xf0/0xf0
[ 124.180862][ T4282] ? wq_worker_running+0x97/0x170
[ 124.186542][ T4282] worker_thread+0xaa8/0x12a0
[ 124.192911][ T4282] ? _raw_spin_unlock_irqrestore+0x82/0x100
[ 124.199934][ T4282] ? lockdep_hardirqs_on+0x94/0x140
[ 124.205695][ T4282] ? lockdep_hardirqs_on+0x94/0x140
[ 124.211849][ T4282] ? _raw_spin_unlock_irqrestore+0xaa/0x100
[ 124.218674][ T4282] kthread+0x436/0x520
[ 124.223089][ T4282] ? rcu_lock_release+0x20/0x20
[ 124.228299][ T4282] ? kthread_blkcg+0xd0/0xd0
[ 124.234114][ T4282] ret_from_fork+0x1f/0x30
[ 124.238953][ T4282]
[ 124.242348][ T4282]
[ 124.245333][ T4282] Allocated by task 4368:
[ 124.251144][ T4282] __kasan_kmalloc+0xb5/0xf0
[ 124.256274][ T4282] sk_prot_alloc+0xe7/0x210
[ 124.261190][ T4282] sk_alloc+0x2f/0x310
[ 124.265738][ T4282] sco_sock_create+0xba/0x300
[ 124.271409][ T4282] bt_sock_create+0x155/0x220
[ 124.276429][ T4282] __sock_create+0x47b/0x900
[ 124.281163][ T4282] __sys_socket+0xe2/0x170
[ 124.286248][ T4282] __x64_sys_socket+0x76/0x80
[ 124.291490][ T4282] do_syscall_64+0x4c/0xa0
[ 124.296695][ T4282] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 124.303774][ T4282]
[ 124.306566][ T4282] Freed by task 4368:
[ 124.311027][ T4282] kasan_set_track+0x4b/0x70
[ 124.316348][ T4282] kasan_set_free_info+0x1f/0x40
[ 124.321868][ T4282] ____kasan_slab_free+0xd5/0x110
[ 124.328067][ T4282] slab_free_freelist_hook+0xea/0x170
[ 124.335223][ T4282] kfree+0xef/0x2a0
[ 124.339448][ T4282] __sk_destruct+0x578/0x840
[ 124.344260][ T4282] sco_sock_release+0x254/0x310
[ 124.350160][ T4282] sock_close+0xd5/0x240
[ 124.355111][ T4282] __fput+0x234/0x930
[ 124.360279][ T4282] task_work_run+0x125/0x1a0
[ 124.365465][ T4282] exit_to_user_mode_loop+0x10f/0x130
[ 124.371760][ T4282] exit_to_user_mode_prepare+0xee/0x180
[ 124.377839][ T4282] syscall_exit_to_user_mode+0x16/0x40
[ 124.383906][ T4282] do_syscall_64+0x58/0xa0
[ 124.388630][ T4282] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 124.395962][ T4282]
[ 124.398818][ T4282] The buggy address belongs to the object at ffff88807b655000
[ 124.398818][ T4282] which belongs to the cache kmalloc-2k of size 2048
[ 124.413958][ T4282] The buggy address is located 160 bytes inside of
[ 124.413958][ T4282] 2048-byte region [ffff88807b655000, ffff88807b655800)
[ 124.430132][ T4282] The buggy address belongs to the page:
[ 124.437562][ T4282] page:ffffea0001ed9400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b650
[ 124.448353][ T4282] head:ffffea0001ed9400 order:3 compound_mapcount:0 compound_pincount:0
[ 124.457440][ T4282] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 124.466038][ T4282] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888016842000
[ 124.476609][ T4282] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 124.485950][ T4282] page dumped because: kasan: bad access detected
[ 124.494502][ T4282] page_owner tracks the page as allocated
[ 124.501221][ T4282] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 7, ts 123369251583, free_ts 123350633445
[ 124.525125][ T4282] get_page_from_freelist+0x1b77/0x1c60
[ 124.531493][ T4282] __alloc_pages+0x1e1/0x470
[ 124.537019][ T4282] new_slab+0xc0/0x4b0
[ 124.543310][ T4282] ___slab_alloc+0x81e/0xdf0
[ 124.549185][ T4282] __kmalloc_node_track_caller+0x1fc/0x3a0
[ 124.556760][ T4282] __alloc_skb+0x22c/0x750
[ 124.563079][ T4282] skb_copy+0x139/0x790
[ 124.568550][ T4282] mac80211_hwsim_tx_frame_no_nl+0xcc7/0x15d0
[ 124.576892][ T4282] mac80211_hwsim_tx+0x742/0xe20
[ 124.584746][ T4282] ieee80211_tx_frags+0x3ee/0x8d0
[ 124.591658][ T4282] __ieee80211_tx+0x21b/0x4e0
[ 124.597366][ T4282] ieee80211_tx+0x2e4/0x410
[ 124.604389][ T4282] __ieee80211_subif_start_xmit+0x1094/0x3380
[ 124.611506][ T4282] ieee80211_subif_start_xmit+0xde/0x590
[ 124.618789][ T4282] dev_hard_start_xmit+0x2a5/0x7e0
[ 124.624248][ T4282] sch_direct_xmit+0x24e/0x4a0
[ 124.630442][ T4282] page last free stack trace:
[ 124.635431][ T4282] free_unref_page_prepare+0x637/0x6c0
[ 124.641848][ T4282] free_unref_page+0x94/0x280
[ 124.647072][ T4282] __unfreeze_partials+0x1a5/0x200
[ 124.653226][ T4282] put_cpu_partial+0x12d/0x190
[ 124.658479][ T4282] qlist_free_all+0x35/0x90
[ 124.663841][ T4282] kasan_quarantine_reduce+0x150/0x160
[ 124.671290][ T4282] __kasan_slab_alloc+0x2f/0xd0
[ 124.677878][ T4282] slab_post_alloc_hook+0x4c/0x380
[ 124.683896][ T4282] kmem_cache_alloc_trace+0x103/0x2a0
[ 124.689858][ T4282] get_mountpoint+0x205/0x440
[ 124.695251][ T4282] lock_mount+0xb4/0x2a0
[ 124.700499][ T4282] __se_sys_pivot_root+0x299/0xc00
[ 124.706212][ T4282] do_syscall_64+0x4c/0xa0
[ 124.711279][ T4282] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 124.717588][ T4282]
[ 124.720113][ T4282] Memory state around the buggy address:
[ 124.726322][ T4282] ffff88807b654f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 124.735813][ T4282] ffff88807b655000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 124.744447][ T4282] >ffff88807b655080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 124.754275][ T4282] ^
[ 124.760038][ T4282] ffff88807b655100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 124.768698][ T4282] ffff88807b655180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 124.777601][ T4282] ==================================================================
[ 124.786786][ T4282] Disabling lock debugging due to kernel taint
[ 124.793140][ T4282] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 124.800637][ T4282] CPU: 0 PID: 4282 Comm: kworker/u5:2 Tainted: G B W syzkaller #0
[ 124.810198][ T4282] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[ 124.821309][ T4282] Workqueue: hci0 hci_rx_work
[ 124.826652][ T4282] Call Trace:
[ 124.830665][ T4282]
[ 124.834079][ T4282] dump_stack_lvl+0x168/0x230
[ 124.838908][ T4282] ? show_regs_print_info+0x20/0x20
[ 124.845960][ T4282] ? load_image+0x3b0/0x3b0
[ 124.851202][ T4282] panic+0x2c9/0x7f0
[ 124.855819][ T4282] ? bpf_jit_dump+0xd0/0xd0
[ 124.860714][ T4282] ? _raw_spin_unlock_irqrestore+0xaa/0x100
[ 124.867002][ T4282] ? _raw_spin_unlock+0x40/0x40
[ 124.872706][ T4282] ? __lock_acquire+0xf7/0x7c60
[ 124.878129][ T4282] check_panic_on_warn+0x80/0xa0
[ 124.883544][ T4282] ? __lock_acquire+0xf7/0x7c60
[ 124.888584][ T4282] end_report+0x6d/0xf0
[ 124.893454][ T4282] kasan_report+0x102/0x130
[ 124.898727][ T4282] ? __lock_acquire+0xf7/0x7c60
[ 124.904235][ T4282] __lock_acquire+0xf7/0x7c60
[ 124.909165][ T4282] ? lockdep_hardirqs_on_prepare+0x3fc/0x760
[ 124.915931][ T4282] ? lock_chain_count+0x20/0x20
[ 124.921608][ T4282] ? lockdep_hardirqs_on+0x94/0x140
[ 124.927707][ T4282] ? asm_sysvec_apic_timer_interrupt+0x16/0x20
[ 124.934352][ T4282] ? verify_lock_unused+0x140/0x140
[ 124.939974][ T4282] ? dump_stack_lvl+0x1c6/0x230
[ 124.944982][ T4282] ? dump_stack_lvl+0x1d0/0x230
[ 124.950308][ T4282] ? show_regs_print_info+0x20/0x20
[ 124.955900][ T4282] ? load_image+0x3b0/0x3b0
[ 124.960670][ T4282] lock_acquire+0x197/0x3f0
[ 124.965298][ T4282] ? lock_sock_nested+0x68/0x100
[ 124.970608][ T4282] ? read_lock_is_recursive+0x10/0x10
[ 124.976604][ T4282] ? __bpf_trace_softirq+0x10/0x10
[ 124.982275][ T4282] ? __lock_acquire+0x7c60/0x7c60
[ 124.987437][ T4282] ? do_raw_spin_lock+0x11d/0x280
[ 124.993013][ T4282] ? lock_sock_nested+0x68/0x100
[ 124.998531][ T4282] _raw_spin_lock_bh+0x32/0x50
[ 125.003554][ T4282] ? lock_sock_nested+0x68/0x100
[ 125.008534][ T4282] lock_sock_nested+0x68/0x100
[ 125.013470][ T4282] sco_connect_cfm+0x464/0xa40
[ 125.018378][ T4282] ? __mutex_unlock_slowpath+0x19e/0x6a0
[ 125.024140][ T4282] ? sco_skb_put_cmsg+0xa0/0xa0
[ 125.029507][ T4282] ? sco_skb_put_cmsg+0xa0/0xa0
[ 125.034986][ T4282] hci_connect_cfm+0x8f/0x130
[ 125.039954][ T4282] hci_conn_request_evt+0x6a2/0x9f0
[ 125.045243][ T4282] ? hci_conn_complete_evt+0x1440/0x1440
[ 125.052806][ T4282] ? __mutex_unlock_slowpath+0x19e/0x6a0
[ 125.059532][ T4282] ? mark_lock+0x94/0x320
[ 125.065272][ T4282] ? mutex_unlock+0x10/0x10
[ 125.070494][ T4282] ? lockdep_hardirqs_on_prepare+0x3fc/0x760
[ 125.077407][ T4282] ? lock_chain_count+0x20/0x20
[ 125.082505][ T4282] ? __rwlock_init+0x140/0x140
[ 125.087796][ T4282] hci_event_packet+0x743/0x12f0
[ 125.092995][ T4282] ? lockdep_hardirqs_on+0x94/0x140
[ 125.098337][ T4282] ? rcu_lock_release+0x20/0x20
[ 125.103512][ T4282] ? hci_send_to_monitor+0x9c/0x4a0
[ 125.109143][ T4282] hci_rx_work+0x255/0xa10
[ 125.113809][ T4282] process_one_work+0x863/0x1000
[ 125.118790][ T4282] ? worker_detach_from_pool+0x240/0x240
[ 125.124869][ T4282] ? lockdep_hardirqs_off+0x70/0x100
[ 125.130443][ T4282] ? _raw_spin_lock_irq+0xab/0xe0
[ 125.135857][ T4282] ? _raw_spin_lock_irqsave+0xf0/0xf0
[ 125.141451][ T4282] ? wq_worker_running+0x97/0x170
[ 125.146865][ T4282] worker_thread+0xaa8/0x12a0
[ 125.153162][ T4282] ? _raw_spin_unlock_irqrestore+0x82/0x100
[ 125.160018][ T4282] ? lockdep_hardirqs_on+0x94/0x140
[ 125.165655][ T4282] ? lockdep_hardirqs_on+0x94/0x140
[ 125.171068][ T4282] ? _raw_spin_unlock_irqrestore+0xaa/0x100
[ 125.177586][ T4282] kthread+0x436/0x520
[ 125.181827][ T4282] ? rcu_lock_release+0x20/0x20
[ 125.187173][ T4282] ? kthread_blkcg+0xd0/0xd0
[ 125.192038][ T4282] ret_from_fork+0x1f/0x30
[ 125.197301][ T4282]
[ 125.200844][ T4282] Kernel Offset: disabled
[ 125.205472][ T4282] Rebooting in 86400 seconds..