Warning: Permanently added '10.128.0.104' (ED25519) to the list of known hosts.
[ 33.897918][ T6086] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 33.900350][ T6086] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 33.902723][ T6086] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 33.905553][ T6086] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 33.908655][ T6086] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 33.910827][ T6086] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 33.971363][ T6082] chnl_net:caif_netlink_parms(): no params data found
[ 34.002991][ T6082] bridge0: port 1(bridge_slave_0) entered blocking state
[ 34.005032][ T6082] bridge0: port 1(bridge_slave_0) entered disabled state
[ 34.007561][ T6082] bridge_slave_0: entered allmulticast mode
[ 34.009704][ T6082] bridge_slave_0: entered promiscuous mode
[ 34.013475][ T6082] bridge0: port 2(bridge_slave_1) entered blocking state
[ 34.015437][ T6082] bridge0: port 2(bridge_slave_1) entered disabled state
[ 34.017632][ T6082] bridge_slave_1: entered allmulticast mode
[ 34.019747][ T6082] bridge_slave_1: entered promiscuous mode
[ 34.033097][ T6082] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 34.037197][ T6082] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 34.051507][ T6082] team0: Port device team_slave_0 added
[ 34.054411][ T6082] team0: Port device team_slave_1 added
[ 34.065134][ T6082] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 34.067362][ T6082] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 34.074120][ T6082] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 34.078796][ T6082] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 34.080623][ T6082] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 34.087465][ T6082] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 34.158031][ T6082] hsr_slave_0: entered promiscuous mode
[ 34.206781][ T6082] hsr_slave_1: entered promiscuous mode
[ 34.305601][ T6082] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 34.349110][ T6082] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 34.417789][ T6082] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 34.467923][ T6082] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 34.520674][ T6082] bridge0: port 2(bridge_slave_1) entered blocking state
[ 34.522640][ T6082] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 34.524884][ T6082] bridge0: port 1(bridge_slave_0) entered blocking state
[ 34.526875][ T6082] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 34.555666][ T6082] 8021q: adding VLAN 0 to HW filter on device bond0
[ 34.565518][ T6084] bridge0: port 1(bridge_slave_0) entered disabled state
[ 34.569649][ T6084] bridge0: port 2(bridge_slave_1) entered disabled state
[ 34.577533][ T6082] 8021q: adding VLAN 0 to HW filter on device team0
[ 34.587951][ T1651] bridge0: port 1(bridge_slave_0) entered blocking state
[ 34.589901][ T1651] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 34.593065][ T1651] bridge0: port 2(bridge_slave_1) entered blocking state
[ 34.595045][ T1651] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 34.612677][ T6082] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 34.615375][ T6082] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 34.632677][ T6082] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 34.653974][ T6082] veth0_vlan: entered promiscuous mode
[ 34.659399][ T6082] veth1_vlan: entered promiscuous mode
[ 34.674431][ T6082] veth0_macvtap: entered promiscuous mode
[ 34.679918][ T6082] veth1_macvtap: entered promiscuous mode
[ 34.689124][ T6082] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 34.693089][ T6082] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 34.700142][ T6082] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 34.702573][ T6082] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 34.704908][ T6082] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 34.707644][ T6082] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
executing program
executing program
executing program
executing program
executing program
[ 35.956918][ T5659] Bluetooth: hci0: command 0x0409 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 38.036259][ T5659] Bluetooth: hci0: command 0x041b tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 40.116264][ T6086] Bluetooth: hci0: command 0x040f tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 42.206615][ T5659] Bluetooth: hci0: command 0x0419 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 44.196835][ T10] ==================================================================
[ 44.198954][ T10] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x64/0x25c
[ 44.200939][ T10] Write of size 4 at addr ffff0000d838e080 by task kworker/0:1/10
[ 44.202974][ T10]
[ 44.203579][ T10] CPU: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.6.0-rc7-syzkaller-g8de1e7afcc1c #0
[ 44.205964][ T10] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
[ 44.208665][ T10] Workqueue: events sco_sock_timeout
[ 44.210074][ T10] Call trace:
[ 44.210946][ T10]  dump_backtrace+0x1b8/0x1e4
[ 44.212200][ T10]  show_stack+0x2c/0x44
[ 44.213275][ T10]  dump_stack_lvl+0xd0/0x124
[ 44.214487][ T10]  print_report+0x174/0x514
[ 44.215673][ T10]  kasan_report+0xd8/0x138
[ 44.216828][ T10]  kasan_check_range+0x254/0x294
[ 44.218202][ T10]  __kasan_check_write+0x20/0x30
[ 44.219508][ T10]  sco_sock_timeout+0x64/0x25c
[ 44.220772][ T10]  process_one_work+0x694/0x1204
[ 44.222069][ T10]  worker_thread+0x938/0xef4
[ 44.223308][ T10]  kthread+0x288/0x310
[ 44.224406][ T10]  ret_from_fork+0x10/0x20
[ 44.225541][ T10]
[ 44.226163][ T10] Allocated by task 6176:
[ 44.227287][ T10]  kasan_set_track+0x4c/0x7c
[ 44.228485][ T10]  kasan_save_alloc_info+0x24/0x30
[ 44.229866][ T10]  __kasan_kmalloc+0xac/0xc4
[ 44.231107][ T10]  __kmalloc+0xcc/0x1b8
[ 44.232181][ T10]  sk_prot_alloc+0xc4/0x1f0
[ 44.233424][ T10]  sk_alloc+0x44/0x3f4
[ 44.234522][ T10]  bt_sock_alloc+0x4c/0x32c
[ 44.235669][ T10]  sco_sock_create+0xbc/0x31c
[ 44.236883][ T10]  bt_sock_create+0x14c/0x248
[ 44.238151][ T10]  __sock_create+0x43c/0x884
[ 44.239359][ T10]  __sys_socket+0x134/0x340
[ 44.240599][ T10]  __arm64_sys_socket+0x7c/0x94
[ 44.241841][ T10]  invoke_syscall+0x98/0x2b8
[ 44.243082][ T10]  el0_svc_common+0x130/0x23c
[ 44.244382][ T10]  do_el0_svc+0x48/0x58
[ 44.245472][ T10]  el0_svc+0x54/0x158
[ 44.246560][ T10]  el0t_64_sync_handler+0x84/0xfc
[ 44.247885][ T10]  el0t_64_sync+0x190/0x194
[ 44.249115][ T10]
[ 44.249721][ T10] Freed by task 6176:
[ 44.250756][ T10]  kasan_set_track+0x4c/0x7c
[ 44.252019][ T10]  kasan_save_free_info+0x38/0x5c
[ 44.253328][ T10]  ____kasan_slab_free+0x144/0x1c0
[ 44.254686][ T10]  __kasan_slab_free+0x18/0x28
[ 44.255945][ T10]  __kmem_cache_free+0x2ac/0x480
[ 44.257231][ T10]  kfree+0xb8/0x19c
[ 44.258281][ T10]  __sk_destruct+0x4c0/0x770
[ 44.259507][ T10]  __sk_free+0x37c/0x4e8
[ 44.260621][ T10]  sk_free+0x60/0xc8
[ 44.261641][ T10]  sco_sock_kill+0xfc/0x1b4
[ 44.262830][ T10]  sco_sock_release+0x1fc/0x2c0
[ 44.264107][ T10]  sock_close+0xa4/0x1e8
[ 44.265229][ T10]  __fput+0x324/0x7f8
[ 44.266297][ T10]  ____fput+0x20/0x30
[ 44.267305][ T10]  task_work_run+0x230/0x2e0
[ 44.268490][ T10]  get_signal+0x13f4/0x15ec
[ 44.269671][ T10]  do_notify_resume+0x3bc/0x393c
[ 44.270968][ T10]  el0_svc+0x9c/0x158
[ 44.272053][ T10]  el0t_64_sync_handler+0x84/0xfc
[ 44.273382][ T10]  el0t_64_sync+0x190/0x194
[ 44.274565][ T10]
[ 44.275187][ T10] The buggy address belongs to the object at ffff0000d838e000
[ 44.275187][ T10]  which belongs to the cache kmalloc-2k of size 2048
[ 44.278911][ T10] The buggy address is located 128 bytes inside of
[ 44.278911][ T10]  freed 2048-byte region [ffff0000d838e000, ffff0000d838e800)
[ 44.282610][ T10]
[ 44.283204][ T10] The buggy address belongs to the physical page:
[ 44.284986][ T10] page:00000000b7684586 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x118388
[ 44.287721][ T10] head:00000000b7684586 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 44.290041][ T10] flags: 0x5ffc00000000840(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 44.292176][ T10] page_type: 0xffffffff()
[ 44.293349][ T10] raw: 05ffc00000000840 ffff0000c0002000 dead000000000122 0000000000000000
[ 44.295642][ T10] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 44.297886][ T10] page dumped because: kasan: bad access detected
[ 44.299651][ T10]
[ 44.300287][ T10] Memory state around the buggy address:
[ 44.301804][ T10]  ffff0000d838df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.304058][ T10]  ffff0000d838e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.306191][ T10] >ffff0000d838e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.308378][ T10]                    ^
[ 44.309480][ T10]  ffff0000d838e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.311690][ T10]  ffff0000d838e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.313823][ T10] ==================================================================
[ 44.316130][ T10] Disabling lock debugging due to kernel taint
[ 44.317719][ T10] ------------[ cut here ]------------
[ 44.319105][ T10] refcount_t: addition on 0; use-after-free.
[ 44.320948][ T10] WARNING: CPU: 0 PID: 10 at lib/refcount.c:25 refcount_warn_saturate+0x1a8/0x20c
[ 44.321972][ T6086] Bluetooth: hci0: command 0x0407 tx timeout
[ 44.323366][ T10] Modules linked in:
[ 44.323378][ T10] CPU: 0 PID: 10 Comm: kworker/0:1 Tainted: G B 6.6.0-rc7-syzkaller-g8de1e7afcc1c #0
[ 44.328887][ T10] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
[ 44.331520][ T10] Workqueue: events sco_sock_timeout
[ 44.332980][ T10] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 44.335024][ T10] pc : refcount_warn_saturate+0x1a8/0x20c
[ 44.336607][ T10] lr : refcount_warn_saturate+0x1a8/0x20c
[ 44.338131][ T10] sp : ffff800092d57af0
[ 44.339193][ T10] x29: ffff800092d57af0 x28: 1fffe0001accda8a x27: dfff800000000000
[ 44.341235][ T10] x26: ffff0000c1084008 x25: ffff0000d666d450 x24: ffff0001b418b500
[ 44.343375][ T10] x23: dfff800000000000 x22: 0000000000000000 x21: 0000000000000002
[ 44.345470][ T10] x20: ffff0000d838e080 x19: ffff8000910a2000 x18: ffff800092d57800
[ 44.347590][ T10] x17: 0000000000000000 x16: ffff80008a668900 x15: 0000000000000001
[ 44.349748][ T10] x14: 1ffff000125aae78 x13: 0000000000000000 x12: 0000000000000000
[ 44.351899][ T10] x11: 0000000000000001 x10: 0000000000000000 x9 : 84f4767814214800
[ 44.354010][ T10] x8 : 84f4767814214800 x7 : 0000000000000001 x6 : 0000000000000001
[ 44.356121][ T10] x5 : ffff800092d573d8 x4 : ffff80008e4210a0 x3 : ffff8000803639bc
[ 44.358273][ T10] x2 : 0000000000000001 x1 : 0000000000000001 x0 : 0000000000000000
[ 44.360369][ T10] Call trace:
[ 44.361255][ T10]  refcount_warn_saturate+0x1a8/0x20c
[ 44.362642][ T10]  sco_sock_timeout+0x19c/0x25c
[ 44.363921][ T10]  process_one_work+0x694/0x1204
[ 44.365300][ T10]  worker_thread+0x938/0xef4
[ 44.366582][ T10]  kthread+0x288/0x310
[ 44.367660][ T10]  ret_from_fork+0x10/0x20
[ 44.368837][ T10] irq event stamp: 49441
[ 44.369936][ T10] hardirqs last enabled at (49441): [] exit_to_kernel_mode+0xdc/0x10c
[ 44.372532][ T10] hardirqs last disabled at (49440): [] __do_softirq+0x950/0xd54
[ 44.375010][ T10] softirqs last enabled at (49376): [] nsim_dev_trap_report_work+0x620/0x924
[ 44.377729][ T10] softirqs last disabled at (49374): [] nsim_dev_trap_report_work+0x59c/0x924
[ 44.380604][ T10] ---[ end trace 0000000000000000 ]---
[ 44.385893][ T10] ------------[ cut here ]------------
[ 44.387403][ T10] refcount_t: underflow; use-after-free.
[ 44.389145][ T10] WARNING: CPU: 0 PID: 10 at lib/refcount.c:28 refcount_warn_saturate+0x1c8/0x20c
[ 44.391486][ T10] Modules linked in:
[ 44.392472][ T10] CPU: 0 PID: 10 Comm: kworker/0:1 Tainted: G B W 6.6.0-rc7-syzkaller-g8de1e7afcc1c #0
[ 44.395218][ T10] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
[ 44.397920][ T10] Workqueue: events sco_sock_timeout
[ 44.399305][ T10] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 44.401363][ T10] pc : refcount_warn_saturate+0x1c8/0x20c
[ 44.402894][ T10] lr : refcount_warn_saturate+0x1c8/0x20c
[ 44.404382][ T10] sp : ffff800092d57af0
[ 44.405519][ T10] x29: ffff800092d57af0 x28: 1fffe0001accda8a x27: dfff800000000000
[ 44.407618][ T10] x26: ffff0000c1084008 x25: ffff0000d666d450 x24: ffff0001b418b500
[ 44.409752][ T10] x23: dfff800000000000 x22: 0000000000000000 x21: 0000000000000003
[ 44.411799][ T10] x20: ffff0000d838e080 x19: ffff8000910a2000 x18: 1fffe0003682efce
[ 44.413924][ T10] x17: 0000000000000000 x16: ffff80008a71b23c x15: 0000000000000001
[ 44.416061][ T10] x14: 1fffe0003682f032 x13: 0000000000000000 x12: 0000000000000000
[ 44.418195][ T10] x11: 0000000000000000 x10: 0000000000000000 x9 : 84f4767814214800
[ 44.420278][ T10] x8 : 84f4767814214800 x7 : 0000000000000001 x6 : 0000000000000001
[ 44.422384][ T10] x5 : ffff800092d573d8 x4 : ffff80008e4210a0 x3 : ffff8000805a359c
[ 44.424527][ T10] x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000
[ 44.426642][ T10] Call trace:
[ 44.427512][ T10]  refcount_warn_saturate+0x1c8/0x20c
[ 44.428911][ T10]  sco_sock_timeout+0x1b0/0x25c
[ 44.430167][ T10]  process_one_work+0x694/0x1204
[ 44.431541][ T10]  worker_thread+0x938/0xef4
[ 44.432768][ T10]  kthread+0x288/0x310
[ 44.433824][ T10]  ret_from_fork+0x10/0x20
[ 44.435010][ T10] irq event stamp: 49441
[ 44.436094][ T10] hardirqs last enabled at (49441): [] exit_to_kernel_mode+0xdc/0x10c
[ 44.438676][ T10] hardirqs last disabled at (49440): [] __do_softirq+0x950/0xd54
[ 44.441090][ T10] softirqs last enabled at (49376): [] nsim_dev_trap_report_work+0x620/0x924
[ 44.443792][ T10] softirqs last disabled at (49374): [] nsim_dev_trap_report_work+0x59c/0x924
[ 44.446558][ T10] ---[ end trace 0000000000000000 ]---
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 46.356296][ T5659] Bluetooth: hci0: command 0x0405 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 48.436234][ T5659] Bluetooth: hci0: command 0x0407 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 50.516211][ T5659] Bluetooth: hci0: command 0x0405 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 52.596211][ T6086] Bluetooth: hci0: command 0x0407 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program