Warning: Permanently added '10.128.1.59' (ED25519) to the list of known hosts.
[ 37.336231][ T6086] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 37.338883][ T6086] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 37.341456][ T6086] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 37.344132][ T6086] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 37.346300][ T6086] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 37.348314][ T6086] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
executing program
[ 39.399789][ T6086] Bluetooth: hci0: command 0x0409 tx timeout
executing program
[ 41.479240][ T6086] Bluetooth: hci0: command 0x041b tx timeout
executing program
[ 41.719497][ T8] ==================================================================
[ 41.721729][ T8] BUG: KASAN: slab-use-after-free in hci_send_acl+0x54/0xc48
[ 41.723719][ T8] Read of size 8 at addr ffff0000d5facb18 by task kworker/0:0/8
[ 41.725910][ T8]
[ 41.726555][ T8] CPU: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.6.0-rc7-syzkaller-g8de1e7afcc1c #0
[ 41.729059][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
[ 41.731829][ T8] Workqueue: events l2cap_info_timeout
[ 41.733371][ T8] Call trace:
[ 41.734193][ T8] dump_backtrace+0x1b8/0x1e4
[ 41.735465][ T8] show_stack+0x2c/0x44
[ 41.736586][ T8] dump_stack_lvl+0xd0/0x124
[ 41.737792][ T8] print_report+0x174/0x514
[ 41.739005][ T8] kasan_report+0xd8/0x138
[ 41.740231][ T8] __asan_report_load8_noabort+0x20/0x2c
[ 41.741753][ T8] hci_send_acl+0x54/0xc48
[ 41.742978][ T8] l2cap_send_cmd+0x52c/0x76c
[ 41.744249][ T8] l2cap_send_conn_req+0x188/0x2c4
[ 41.745630][ T8] l2cap_start_connection+0x118/0x2fc
executing program
[ 41.747092][ T8] l2cap_conn_start+0x928/0xd8c
[ 41.748434][ T8] l2cap_info_timeout+0x68/0xb8
[ 41.749758][ T8] process_one_work+0x694/0x1204
[ 41.751130][ T8] worker_thread+0x938/0xef4
[ 41.752432][ T8] kthread+0x288/0x310
[ 41.753629][ T8] ret_from_fork+0x10/0x20
[ 41.754862][ T8]
[ 41.755521][ T8] Allocated by task 6092:
[ 41.756738][ T8] kasan_set_track+0x4c/0x7c
[ 41.758033][ T8] kasan_save_alloc_info+0x24/0x30
[ 41.759446][ T8] __kasan_kmalloc+0xac/0xc4
[ 41.760725][ T8] kmalloc_trace+0x70/0x88
[ 41.761938][ T8] hci_chan_create+0xb0/0x2b0
[ 41.763235][ T8] l2cap_conn_add+0x78/0x998
[ 41.764568][ T8] l2cap_chan_connect+0x5bc/0xce4
[ 41.765993][ T8] l2cap_sock_connect+0x478/0x6c8
[ 41.767452][ T8] kernel_connect+0x114/0x164
[ 41.768848][ T8] rfcomm_dlc_open+0x610/0xef0
[ 41.770172][ T8] rfcomm_sock_connect+0x260/0x59c
[ 41.771629][ T8] __sys_connect+0x268/0x290
[ 41.772937][ T8] __arm64_sys_connect+0x7c/0x94
[ 41.774304][ T8] invoke_syscall+0x98/0x2b8
[ 41.775573][ T8] el0_svc_common+0x130/0x23c
[ 41.776891][ T8] do_el0_svc+0x48/0x58
[ 41.778109][ T8] el0_svc+0x54/0x158
[ 41.779278][ T8] el0t_64_sync_handler+0x84/0xfc
[ 41.780707][ T8] el0t_64_sync+0x190/0x194
[ 41.782011][ T8]
[ 41.782604][ T8] Freed by task 6086:
[ 41.783701][ T8] kasan_set_track+0x4c/0x7c
[ 41.784993][ T8] kasan_save_free_info+0x38/0x5c
[ 41.786377][ T8] ____kasan_slab_free+0x144/0x1c0
[ 41.787808][ T8] __kasan_slab_free+0x18/0x28
[ 41.789178][ T8] __kmem_cache_free+0x2ac/0x480
[ 41.790561][ T8] kfree+0xb8/0x19c
[ 41.791701][ T8] hci_chan_del+0x148/0x1c4
[ 41.793006][ T8] hci_conn_del+0x3cc/0xabc
[ 41.794221][ T8] hci_conn_failed+0x204/0x2c0
[ 41.795514][ T8] hci_abort_conn_sync+0x688/0xe38
[ 41.796921][ T8] abort_conn_sync+0x5c/0x8c
[ 41.798242][ T8] hci_cmd_sync_work+0x1cc/0x34c
[ 41.799644][ T8] process_one_work+0x694/0x1204
[ 41.801041][ T8] worker_thread+0x938/0xef4
[ 41.802362][ T8] kthread+0x288/0x310
[ 41.803512][ T8] ret_from_fork+0x10/0x20
[ 41.804742][ T8]
[ 41.805349][ T8] Last potentially related work creation:
[ 41.806968][ T8] kasan_save_stack+0x40/0x6c
[ 41.808305][ T8] __kasan_record_aux_stack+0xcc/0xe8
[ 41.809860][ T8] kasan_record_aux_stack_noalloc+0x14/0x20
[ 41.811547][ T8] kvfree_call_rcu+0xac/0x674
[ 41.812884][ T8] kernfs_unlink_open_file+0x398/0x448
[ 41.814380][ T8] kernfs_fop_release+0x130/0x198
[ 41.815747][ T8] __fput+0x324/0x7f8
[ 41.816801][ T8] __fput_sync+0x60/0x9c
[ 41.817987][ T8] __arm64_sys_close+0x150/0x1e0
[ 41.819431][ T8] invoke_syscall+0x98/0x2b8
[ 41.820723][ T8] el0_svc_common+0x130/0x23c
[ 41.822054][ T8] do_el0_svc+0x48/0x58
[ 41.823189][ T8] el0_svc+0x54/0x158
[ 41.824301][ T8] el0t_64_sync_handler+0x84/0xfc
[ 41.825715][ T8] el0t_64_sync+0x190/0x194
[ 41.827000][ T8]
[ 41.827694][ T8] The buggy address belongs to the object at ffff0000d5facb00
[ 41.827694][ T8] which belongs to the cache kmalloc-128 of size 128
[ 41.831592][ T8] The buggy address is located 24 bytes inside of
[ 41.831592][ T8] freed 128-byte region [ffff0000d5facb00, ffff0000d5facb80)
[ 41.835521][ T8]
[ 41.836148][ T8] The buggy address belongs to the physical page:
[ 41.837941][ T8] page:0000000068c01693 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x115fac
[ 41.840827][ T8] flags: 0x5ffc00000000800(slab|node=0|zone=2|lastcpupid=0x7ff)
[ 41.842974][ T8] page_type: 0xffffffff()
[ 41.844147][ T8] raw: 05ffc00000000800 ffff0000c00018c0 fffffc0003373780 0000000000000004
[ 41.846576][ T8] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 41.848955][ T8] page dumped because: kasan: bad access detected
[ 41.850758][ T8]
[ 41.851397][ T8] Memory state around the buggy address:
[ 41.853006][ T8] ffff0000d5faca00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.855205][ T8] ffff0000d5faca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.857479][ T8] >ffff0000d5facb00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.859587][ T8] ^
[ 41.860942][ T8] ffff0000d5facb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.863180][ T8] ffff0000d5facc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.865442][ T8] ==================================================================
[ 41.867825][ T8] Disabling lock debugging due to kernel taint
executing program
[ 43.559217][ T6086] Bluetooth: hci0: command 0x040f tx timeout
executing program
[ 45.649242][ T6086] Bluetooth: hci0: command 0x0419 tx timeout
executing program
[ 47.719155][ T6086] Bluetooth: hci0: command 0x0405 tx timeout
executing program
[ 49.799141][ T6086] Bluetooth: hci0: command 0x0405 tx timeout
executing program