Warning: Permanently added '10.128.0.183' (ED25519) to the list of known hosts.
[ 22.697673][ T28] audit: type=1400 audit(1733090191.087:66): avc: denied { execmem } for pid=288 comm="syz-executor622" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
executing program
[ 22.737920][ T28] audit: type=1400 audit(1733090191.097:67): avc: denied { read } for pid=295 comm="syz-executor622" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 22.759369][ T28] audit: type=1400 audit(1733090191.097:68): avc: denied { open } for pid=295 comm="syz-executor622" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
executing program
[ 22.792487][ T28] audit: type=1400 audit(1733090191.097:69): avc: denied { mounton } for pid=295 comm="syz-executor622" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1
[ 22.813850][ T28] audit: type=1400 audit(1733090191.117:70): avc: denied { mounton } for pid=295 comm="syz-executor622" path="/root/syzkaller.Sja3Zh/syz-tmp" dev="sda1" ino=1931 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
executing program
executing program
executing program
[ 22.819711][ T43] Bluetooth: hci1: Frame reassembly failed (-84)
[ 22.840010][ T28] audit: type=1400 audit(1733090191.117:71): avc: denied { mount } for pid=295 comm="syz-executor622" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1
[ 22.866977][ T8] Bluetooth: hci2: Frame reassembly failed (-84)
[ 22.875009][ T28] audit: type=1400 audit(1733090191.117:72): avc: denied { mounton } for pid=295 comm="syz-executor622" path="/root/syzkaller.Sja3Zh/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1
[ 22.876393][ T8] Bluetooth: hci3: Frame reassembly failed (-84)
[ 22.900227][ T43] Bluetooth: hci4: Frame reassembly failed (-84)
[ 22.906289][ T28] audit: type=1400 audit(1733090191.117:73): avc: denied { mount } for pid=295 comm="syz-executor622" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1
[ 22.934648][ T28] audit: type=1400 audit(1733090191.117:74): avc: denied { mounton } for pid=295 comm="syz-executor622" path="/root/syzkaller.Sja3Zh/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1
[ 22.961184][ T28] audit: type=1400 audit(1733090191.117:75): avc: denied { mounton } for pid=295 comm="syz-executor622" path="/root/syzkaller.Sja3Zh/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=13928 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1
[ 24.857930][ T300] Bluetooth: hci0: Opcode 0x080f failed: -110
[ 24.857954][ T305] Bluetooth: hci2: Opcode 0x1003 failed: -110
[ 24.858022][ T305] Bluetooth: hci1: command 0x1003 tx timeout
[ 24.875600][ T303] Bluetooth: hci1: Opcode 0x1003 failed: -110
[ 24.937902][ T309] Bluetooth: hci4: Opcode 0x1003 failed: -110
[ 24.937933][ T302] Bluetooth: hci3: Opcode 0x1003 failed: -110
[ 24.943838][ T309] Bluetooth: hci3: command 0x1003 tx timeout
executing program
[ 26.937951][ T45] Bluetooth: hci0: Opcode 0x1003 failed: -110
[ 26.937970][ T302] Bluetooth: hci0: command 0x080f tx timeout
[ 26.938077][ T302] Bluetooth: hci0: sending frame failed (-49)
[ 26.966995][ T43] Bluetooth: hci5: Frame reassembly failed (-84)
executing program
[ 27.822850][ T304] Bluetooth: hci0: Opcode 0x080f failed: -4
[ 27.852063][ T306] Bluetooth: hci0: Opcode 0x080f failed: -4
[ 27.857943][ T307] Bluetooth: hci0: Opcode 0x080f failed: -4
[ 27.864417][ T308] Bluetooth: hci0: Opcode 0x080f failed: -4
executing program
executing program
executing program
[ 27.874487][ T43] Bluetooth: hci0: Frame reassembly failed (-84)
[ 27.914054][ T309] Bluetooth: hci1: sending frame failed (-49)
[ 27.919160][ T43] Bluetooth: hci2: Frame reassembly failed (-84)
[ 27.920200][ T8] Bluetooth: hci3: Frame reassembly failed (-84)
[ 27.926183][ T313] Bluetooth: hci1: Opcode 0x1003 failed: -49
executing program
[ 29.017901][ T45] Bluetooth: hci5: Opcode 0x1003 failed: -110
[ 29.017913][ T313] Bluetooth: hci5: command 0x1003 tx timeout
[ 29.042140][ T10] Bluetooth: hci4: Frame reassembly failed (-84)
executing program
[ 29.897963][ T326] Bluetooth: hci0: command 0x1003 tx timeout
[ 29.898010][ T302] Bluetooth: hci0: Opcode 0x1003 failed: -110
[ 29.909903][ T322] Bluetooth: hci0: Opcode 0x080f failed: -22
[ 29.915803][ T323] Bluetooth: hci0: Opcode 0x080f failed: -22
[ 29.921645][ T325] Bluetooth: hci0: Opcode 0x080f failed: -22
[ 29.927795][ T324] Bluetooth: hci0: Opcode 0x080f failed: -22
[ 29.933964][ T328] Bluetooth: hci0: Opcode 0x080f failed: -22
executing program
executing program
executing program
[ 29.972746][ T10] Bluetooth: hci0: Frame reassembly failed (-84)
[ 29.978014][ T305] Bluetooth: hci3: Opcode 0x1003 failed: -110
[ 29.979037][ T313] Bluetooth: hci2: command 0x1003 tx timeout
[ 29.984899][ T303] Bluetooth: hci2: Opcode 0x1003 failed: -110
[ 29.996478][ T10] Bluetooth: hci1: Frame reassembly failed (-84)
[ 30.005570][ T10] Bluetooth: hci2: Frame reassembly failed (-84)
[ 30.010179][ T43] Bluetooth: hci3: Frame reassembly failed (-84)
executing program
[ 31.097938][ T305] Bluetooth: hci4: command 0x1003 tx timeout
[ 31.097936][ T45] Bluetooth: hci4: Opcode 0x1003 failed: -110
[ 31.116523][ T43] Bluetooth: hci4: Frame reassembly failed (-84)
[ 31.977949][ T305] Bluetooth: hci0: command 0x1003 tx timeout
[ 31.977963][ T302] Bluetooth: hci0: Opcode 0x1003 failed: -110
[ 31.990060][ T330] Bluetooth: hci0: Opcode 0x080f failed: -22
[ 31.996050][ T331] Bluetooth: hci0: Opcode 0x080f failed: -22
executing program
[ 32.057970][ T326] Bluetooth: hci3: Opcode 0x1003 failed: -110
[ 32.058014][ T313] Bluetooth: hci1: Opcode 0x1003 failed: -110
[ 32.063904][ T326] Bluetooth: hci2: command 0x1003 tx timeout
[ 32.069848][ T302] Bluetooth: hci1: command 0x1003 tx timeout
[ 32.075611][ T303] Bluetooth: hci2: Opcode 0x1003 failed: -110
[ 33.178002][ T45] Bluetooth: hci4: Opcode 0x1003 failed: -110
executing program
executing program
[ 34.057944][ T45] Bluetooth: hci0: command 0x080f tx timeout
[ 34.057944][ T333] Bluetooth: hci0: Opcode 0x080f failed: -110
[ 34.070189][ T332] Bluetooth: hci0: Opcode 0x080f failed: -22
[ 34.076590][ T335] Bluetooth: hci0: Opcode 0x080f failed: -22
[ 34.095165][ T43] Bluetooth: hci0: Frame reassembly failed (-84)
executing program
executing program
executing program
[ 34.123432][ T10] Bluetooth: hci2: Frame reassembly failed (-84)
[ 34.129669][ T10] Bluetooth: hci2: Frame reassembly failed (-84)
[ 34.137929][ T303] Bluetooth: hci1: Opcode 0x1003 failed: -110
[ 34.138123][ T313] Bluetooth: hci1: command 0x1003 tx timeout
[ 34.156886][ T342] Bluetooth: hci1: Frame reassembly failed (-84)
[ 34.163309][ T342] Bluetooth: hci1: Frame reassembly failed (-84)
[ 34.169774][ T8] Bluetooth: hci3: Frame reassembly failed (-84)
[ 34.174027][ T10] Bluetooth: hci4: Frame reassembly failed (-84)
[ 34.176204][ T8] Bluetooth: hci3: Frame reassembly failed (-84)
[ 34.183291][ T342] Bluetooth: hci4: Frame reassembly failed (-84)
[ 36.137944][ T305] Bluetooth: hci2: command 0x1003 tx timeout
[ 36.137970][ T326] Bluetooth: hci2: Opcode 0x1003 failed: -110
[ 36.143891][ T305] Bluetooth: hci0: command 0x1003 tx timeout
[ 36.149817][ T45] Bluetooth: hci0: Opcode 0x1003 failed: -110
[ 36.161577][ T340] Bluetooth: hci0: Opcode 0x080f failed: -22
[ 36.167407][ T341] Bluetooth: hci0: Opcode 0x080f failed: -22
[ 36.173353][ T343] Bluetooth: hci0: Opcode 0x080f failed: -22
[ 36.179242][ T344] Bluetooth: hci0: Opcode 0x080f failed: -22
[ 36.185042][ T345] Bluetooth: hci0: Opcode 0x080f failed: -22
executing program
executing program
executing program
[ 36.217965][ T45] Bluetooth: hci3: command 0x1003 tx timeout
[ 36.218041][ T313] Bluetooth: hci4: Opcode 0x1003 failed: -110
[ 36.223785][ T45] Bluetooth: hci4: command 0x1003 tx timeout
[ 36.229783][ T302] Bluetooth: hci3: Opcode 0x1003 failed: -110
[ 36.235565][ T45] Bluetooth: hci1: command 0x1003 tx timeout
[ 36.241484][ T303] Bluetooth: hci1: Opcode 0x1003 failed: -110
[ 36.255823][ T342] Bluetooth: hci0: Frame reassembly failed (-84)
executing program
executing program
[ 36.263015][ T10] Bluetooth: hci2: Frame reassembly failed (-84)
[ 36.264366][ T342] Bluetooth: hci1: Frame reassembly failed (-84)
[ 36.271794][ T10] Bluetooth: hci3: Frame reassembly failed (-84)
[ 36.288639][ T8] Bluetooth: hci4: Frame reassembly failed (-84)
[ 36.294835][ T8] Bluetooth: hci4: Frame reassembly failed (-84)
[ 38.297935][ T303] Bluetooth: hci1: Opcode 0x1003 failed: -110
[ 38.297983][ T305] Bluetooth: hci4: command 0x1003 tx timeout
[ 38.303894][ T303] Bluetooth: hci3: command 0x1003 tx timeout
[ 38.309702][ T45] Bluetooth: hci0: Opcode 0x1003 failed: -110
[ 38.315478][ T303] Bluetooth: hci2: command 0x1003 tx timeout
[ 38.321392][ T326] Bluetooth: hci4: Opcode 0x1003 failed: -110
[ 38.327228][ T303] Bluetooth: hci0: command 0x1003 tx timeout
[ 38.333192][ T302] Bluetooth: hci3: Opcode 0x1003 failed: -110
executing program
executing program
executing program
executing program
[ 38.339087][ T313] Bluetooth: hci2: Opcode 0x1003 failed: -110
[ 38.345785][ T349] Bluetooth: hci0: Opcode 0x080f failed: -22
[ 38.356740][ T350] Bluetooth: hci0: Opcode 0x080f failed: -22
[ 38.362719][ T351] Bluetooth: hci0: Opcode 0x080f failed: -22
[ 38.368639][ T352] Bluetooth: hci0: Opcode 0x080f failed: -22
[ 38.374562][ T353] Bluetooth: hci0: Opcode 0x080f failed: -22
executing program
[ 38.417243][ T8] Bluetooth: hci1: Frame reassembly failed (-84)
[ 40.458000][ T309] Bluetooth: hci3: command 0x1003 tx timeout
[ 40.458005][ T357] Bluetooth: hci0: Opcode 0x080f failed: -110
[ 40.458185][ T45] Bluetooth: hci4: Opcode 0x1003 failed: -110
[ 40.463866][ T313] Bluetooth: hci1: Opcode 0x1003 failed: -110
[ 40.469786][ T302] Bluetooth: hci3: Opcode 0x1003 failed: -110
[ 40.475917][ T309] Bluetooth: hci4: command 0x1003 tx timeout
[ 40.481543][ T326] Bluetooth: hci2: Opcode 0x1003 failed: -110
[ 40.487426][ T309] Bluetooth: hci2: command 0x1003 tx timeout
executing program
executing program
executing program
[ 40.487444][ T309] Bluetooth: hci1: command 0x1003 tx timeout
[ 40.510839][ T8] Bluetooth: hci2: Frame reassembly failed (-84)
[ 40.515049][ T8] Bluetooth: hci3: Frame reassembly failed (-84)
executing program
executing program
executing program
executing program
[ 42.537913][ T309] Bluetooth: hci4: Opcode 0x1003 failed: -110
[ 42.537944][ T313] Bluetooth: hci4: command 0x1003 tx timeout
[ 42.543845][ T326] Bluetooth: hci3: command 0x1003 tx timeout
[ 42.549760][ T45] Bluetooth: hci2: command 0x1003 tx timeout
[ 42.556027][ T358] Bluetooth: hci0: Opcode 0x080f failed: -110
[ 42.561390][ T302] Bluetooth: hci3: Opcode 0x1003 failed: -110
[ 42.567895][ T303] Bluetooth: hci2: Opcode 0x1003 failed: -110
executing program
[ 42.594041][ T8] Bluetooth: hci3: Frame reassembly failed (-84)
[ 42.624918][ T342] Bluetooth: hci4: Frame reassembly failed (-84)
executing program
executing program
[ 44.617978][ T313] Bluetooth: hci3: command 0x1003 tx timeout
[ 44.617975][ T305] Bluetooth: hci3: Opcode 0x1003 failed: -110
[ 44.618026][ T309] Bluetooth: hci2: Opcode 0x1003 failed: -110
[ 44.623853][ T305] Bluetooth: hci2: command 0x1003 tx timeout
[ 44.629735][ T303] Bluetooth: hci1: Opcode 0x1003 failed: -110
[ 44.635599][ T370] Bluetooth: hci0: Opcode 0x080f failed: -110
[ 44.646975][ T342] Bluetooth: hci1: Frame reassembly failed (-84)
[ 44.697986][ T309] Bluetooth: hci4: command 0x1003 tx timeout
[ 44.697979][ T45] Bluetooth: hci4: Opcode 0x1003 failed: -110
executing program
executing program
[ 46.697990][ T45] Bluetooth: hci1: command 0x1003 tx timeout
[ 46.697988][ T305] Bluetooth: hci2: Opcode 0x1003 failed: -110
[ 46.698021][ T45] Bluetooth: hci2: command 0x1003 tx timeout
[ 46.703840][ T311] Bluetooth: hci1: Opcode 0x1003 failed: -110
[ 46.709989][ T305] Bluetooth: hci0: command 0x080f tx timeout
[ 46.715522][ T302] Bluetooth: hci0: Opcode 0x1003 failed: -110
[ 46.723455][ T305] Bluetooth: hci0: sending frame failed (-49)
executing program
[ 47.600737][ T373] Bluetooth: hci0: Opcode 0x080f failed: -4
[ 47.631153][ T374] Bluetooth: hci0: Opcode 0x080f failed: -4
executing program
[ 47.690548][ T342] Bluetooth: hci4: Frame reassembly failed (-84)
executing program
executing program
[ 48.777975][ T305] Bluetooth: hci5: Opcode 0x1003 failed: -110
[ 48.777974][ T302] Bluetooth: hci2: Opcode 0x1003 failed: -110
[ 48.778039][ T305] Bluetooth: hci2: command 0x1003 tx timeout
[ 48.803016][ T342] Bluetooth: hci5: Frame reassembly failed (-84)
executing program
[ 49.646666][ T377] Bluetooth: hci0: Opcode 0x080f failed: -110
[ 49.691470][ T8] Bluetooth: hci0: Frame reassembly failed (-84)
[ 49.697792][ T8] Bluetooth: hci0: Frame reassembly failed (-84)
executing program
executing program
[ 49.737961][ T311] Bluetooth: hci4: Opcode 0x1003 failed: -110
[ 49.737973][ T313] Bluetooth: hci3: Opcode 0x1003 failed: -110
[ 49.738017][ T309] Bluetooth: hci4: command 0x1003 tx timeout
[ 49.755658][ T8] Bluetooth: hci1: Frame reassembly failed (-84)
[ 49.764519][ T342] Bluetooth: hci3: Frame reassembly failed (-84)
[ 49.770781][ T342] Bluetooth: hci3: Frame reassembly failed (-84)
executing program
executing program
[ 50.857978][ T303] Bluetooth: hci5: command 0x1003 tx timeout
[ 50.857973][ T305] Bluetooth: hci5: Opcode 0x1003 failed: -110
[ 50.858006][ T303] Bluetooth: hci2: command 0x1003 tx timeout
[ 50.863972][ T302] Bluetooth: hci2: Opcode 0x1003 failed: -110
[ 50.885403][ T8] Bluetooth: hci2: Frame reassembly failed (-84)
[ 50.891787][ T8] Bluetooth: hci2: Frame reassembly failed (-84)
[ 50.900292][ T8] Bluetooth: hci4: Frame reassembly failed (-84)
executing program
[ 51.737947][ T305] Bluetooth: hci0: command 0x1003 tx timeout
[ 51.737947][ T45] Bluetooth: hci0: Opcode 0x1003 failed: -110
[ 51.749880][ T390] Bluetooth: hci0: Opcode 0x080f failed: -22
[ 51.755758][ T391] Bluetooth: hci0: Opcode 0x080f failed: -22
[ 51.761684][ T392] Bluetooth: hci0: Opcode 0x080f failed: -22
[ 51.767695][ T394] Bluetooth: hci0: Opcode 0x080f failed: -22
[ 51.773602][ T395] Bluetooth: hci0: Opcode 0x080f failed: -22
[ 51.814523][ T45] ==================================================================
[ 51.822402][ T45] BUG: KASAN: use-after-free in enqueue_timer+0xa6/0x480
[ 51.829258][ T45] Write of size 8 at addr ffff888113104a00 by task kworker/u5:0/45
[ 51.836981][ T45]
[ 51.839162][ T45] CPU: 0 PID: 45 Comm: kworker/u5:0 Not tainted 6.1.115-syzkaller-00041-ga887a44ace2a #0
[ 51.848800][ T45] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 51.858701][ T45] Workqueue: hci0 hci_power_on
[ 51.863281][ T45] Call Trace:
[ 51.866414][ T45]
[ 51.869186][ T45] dump_stack_lvl+0x151/0x1b7
[ 51.873696][ T45] ? nf_tcp_handle_invalid+0x3f1/0x3f1
[ 51.878989][ T45] ? _printk+0xd1/0x111
[ 51.882982][ T45] ? __virt_addr_valid+0x242/0x2f0
[ 51.887933][ T45] print_report+0x158/0x4e0
[ 51.892269][ T45] ? __virt_addr_valid+0x242/0x2f0
[ 51.897216][ T45] ? kasan_complete_mode_report_info+0x90/0x1b0
[ 51.903293][ T45] ? enqueue_timer+0xa6/0x480
[ 51.907808][ T45] kasan_report+0x13c/0x170
[ 51.912145][ T45] ? enqueue_timer+0xa6/0x480
[ 51.916659][ T45] __asan_report_store8_noabort+0x17/0x20
[ 51.922213][ T45] enqueue_timer+0xa6/0x480
[ 51.926555][ T45] __mod_timer+0x8d3/0xcf0
[ 51.930808][ T45] ? mod_timer_pending+0x30/0x30
[ 51.935579][ T45] ? insert_work+0x283/0x310
[ 51.940017][ T45] ? __kasan_check_write+0x14/0x20
[ 51.944963][ T45] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 51.950250][ T45] schedule_timeout+0x187/0x380
[ 51.954938][ T45] ? console_conditional_schedule+0x10/0x10
[ 51.960666][ T45] ? queue_work_on+0x135/0x170
[ 51.965263][ T45] ? update_process_times+0x1b0/0x1b0
[ 51.970473][ T45] ? prepare_to_wait_event+0x3e6/0x420
[ 51.975774][ T45] __hci_cmd_sync_sk+0x2ad/0xf70
[ 51.980544][ T45] ? eir_get_service_data+0x2e0/0x2e0
[ 51.985747][ T45] ? wake_bit_function+0x230/0x230
[ 51.990692][ T45] ? __kasan_check_read+0x11/0x20
[ 51.995554][ T45] hci_dev_open_sync+0x1314/0x30a0
[ 52.000505][ T45] ? hci_reset_sync+0x100/0x100
[ 52.005187][ T45] ? __switch_to+0x62c/0x1190
[ 52.009791][ T45] ? __kasan_check_write+0x14/0x20
[ 52.014737][ T45] ? mutex_lock+0xb1/0x1e0
[ 52.018988][ T45] ? bit_wait_io_timeout+0x120/0x120
[ 52.024110][ T45] ? kthread_data+0x53/0xc0
[ 52.028450][ T45] hci_power_on+0x1a7/0x5e0
[ 52.032791][ T45] ? hci_tx_work+0x3790/0x3790
[ 52.037387][ T45] ? __schedule+0xcbd/0x1560
[ 52.041814][ T45] process_one_work+0x73d/0xcb0
[ 52.046502][ T45] worker_thread+0xa60/0x1260
[ 52.051020][ T45] kthread+0x26d/0x300
[ 52.054920][ T45] ? worker_clr_flags+0x1a0/0x1a0
[ 52.059778][ T45] ? kthread_blkcg+0xd0/0xd0
[ 52.064213][ T45] ret_from_fork+0x1f/0x30
[ 52.068466][ T45]
[ 52.071326][ T45]
[ 52.073498][ T45] Allocated by task 390:
[ 52.077572][ T45] kasan_set_track+0x4b/0x70
[ 52.081999][ T45] kasan_save_alloc_info+0x1f/0x30
[ 52.086945][ T45] __kasan_kmalloc+0x9c/0xb0
[ 52.091374][ T45] __kmalloc+0xb4/0x1e0
[ 52.095364][ T45] hci_alloc_dev_priv+0x27/0x1c00
[ 52.100225][ T45] hci_uart_tty_ioctl+0x401/0xa70
[ 52.105084][ T45] tty_ioctl+0x903/0xc50
[ 52.109164][ T45] __se_sys_ioctl+0x114/0x190
[ 52.113677][ T45] __x64_sys_ioctl+0x7b/0x90
[ 52.118105][ T45] x64_sys_call+0x98/0x9a0
[ 52.122359][ T45] do_syscall_64+0x3b/0xb0
[ 52.126610][ T45] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 52.132339][ T45]
[ 52.134514][ T45] Freed by task 395:
[ 52.138240][ T45] kasan_set_track+0x4b/0x70
[ 52.142693][ T45] kasan_save_free_info+0x2b/0x40
[ 52.147530][ T45] ____kasan_slab_free+0x131/0x180
[ 52.152475][ T45] __kasan_slab_free+0x11/0x20
[ 52.157075][ T45] __kmem_cache_free+0x21d/0x410
[ 52.161851][ T45] kfree+0x7a/0xf0
[ 52.165408][ T45] hci_release_dev+0x14d3/0x1640
[ 52.170180][ T45] bt_host_release+0x83/0xa0
[ 52.174606][ T45] device_release+0x95/0x1c0
[ 52.179037][ T45] kobject_put+0x178/0x260
[ 52.183292][ T45] put_device+0x1f/0x30
[ 52.187281][ T45] hci_dev_cmd+0x2be/0x9b0
[ 52.191532][ T45] hci_sock_ioctl+0x415/0x7f0
[ 52.196044][ T45] sock_do_ioctl+0x152/0x450
[ 52.200470][ T45] sock_ioctl+0x455/0x740
[ 52.204638][ T45] __se_sys_ioctl+0x114/0x190
[ 52.209150][ T45] __x64_sys_ioctl+0x7b/0x90
[ 52.213576][ T45] x64_sys_call+0x98/0x9a0
[ 52.217837][ T45] do_syscall_64+0x3b/0xb0
[ 52.222258][ T45] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 52.227988][ T45]
[ 52.230157][ T45] Last potentially related work creation:
[ 52.235712][ T45] kasan_save_stack+0x3b/0x60
[ 52.240223][ T45] __kasan_record_aux_stack+0xb4/0xc0
[ 52.245429][ T45] kasan_record_aux_stack_noalloc+0xb/0x10
[ 52.251332][ T45] insert_work+0x56/0x310
[ 52.255499][ T45] __queue_work+0x9b6/0xd70
[ 52.259842][ T45] queue_work_on+0x105/0x170
[ 52.264267][ T45] __hci_cmd_sync_sk+0xc2a/0xf70
[ 52.269040][ T45] hci_cmd_sync_status+0x52/0x130
[ 52.273983][ T45] hci_dev_cmd+0x771/0x9b0
[ 52.278238][ T45] hci_sock_ioctl+0x415/0x7f0
[ 52.282752][ T45] sock_do_ioctl+0x152/0x450
[ 52.287178][ T45] sock_ioctl+0x455/0x740
[ 52.291346][ T45] __se_sys_ioctl+0x114/0x190
[ 52.295872][ T45] __x64_sys_ioctl+0x7b/0x90
[ 52.300285][ T45] x64_sys_call+0x98/0x9a0
[ 52.304540][ T45] do_syscall_64+0x3b/0xb0
[ 52.308788][ T45] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 52.314520][ T45]
[ 52.316690][ T45] Second to last potentially related work creation:
[ 52.323111][ T45] kasan_save_stack+0x3b/0x60
[ 52.327626][ T45] __kasan_record_aux_stack+0xb4/0xc0
[ 52.332833][ T45] kasan_record_aux_stack_noalloc+0xb/0x10
[ 52.338471][ T45] insert_work+0x56/0x310
[ 52.342639][ T45] __queue_work+0x9b6/0xd70
[ 52.346979][ T45] queue_work_on+0x105/0x170
[ 52.351406][ T45] __hci_cmd_sync_sk+0xc2a/0xf70
[ 52.356181][ T45] hci_cmd_sync_status+0x52/0x130
[ 52.361045][ T45] hci_dev_cmd+0x771/0x9b0
[ 52.365388][ T45] hci_sock_ioctl+0x415/0x7f0
[ 52.369894][ T45] sock_do_ioctl+0x152/0x450
[ 52.374318][ T45] sock_ioctl+0x455/0x740
[ 52.378485][ T45] __se_sys_ioctl+0x114/0x190
[ 52.382998][ T45] __x64_sys_ioctl+0x7b/0x90
[ 52.387510][ T45] x64_sys_call+0x98/0x9a0
[ 52.391882][ T45] do_syscall_64+0x3b/0xb0
[ 52.396132][ T45] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 52.401862][ T45]
[ 52.404037][ T45] The buggy address belongs to the object at ffff888113104000
[ 52.404037][ T45]  which belongs to the cache kmalloc-8k of size 8192
[ 52.417919][ T45] The buggy address is located 2560 bytes inside of
[ 52.417919][ T45]  8192-byte region [ffff888113104000, ffff888113106000)
[ 52.431197][ T45]
[ 52.433367][ T45] The buggy address belongs to the physical page:
[ 52.439628][ T45] page:ffffea00044c4000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113100
[ 52.449690][ T45] head:ffffea00044c4000 order:3 compound_mapcount:0 compound_pincount:0
[ 52.457845][ T45] flags: 0x4000000000010200(slab|head|zone=1)
[ 52.463754][ T45] raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100043500
[ 52.472170][ T45] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 52.480585][ T45] page dumped because: kasan: bad access detected
[ 52.486842][ T45] page_owner tracks the page as allocated
[ 52.492387][ T45] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 390, tgid 390 (syz-executor622), ts 49690393329, free_ts 48797130425
[ 52.513653][ T45] post_alloc_hook+0x213/0x220
[ 52.518254][ T45] prep_new_page+0x1b/0x110
[ 52.522594][ T45] get_page_from_freelist+0x2980/0x2a10
[ 52.527971][ T45] __alloc_pages+0x234/0x610
[ 52.532400][ T45] alloc_slab_page+0x6c/0xf0
[ 52.536829][ T45] new_slab+0x90/0x3e0
[ 52.540731][ T45] ___slab_alloc+0x6f9/0xb80
[ 52.545156][ T45] __slab_alloc+0x5d/0xa0
[ 52.549323][ T45] __kmem_cache_alloc_node+0x207/0x2a0
[ 52.554619][ T45] __kmalloc+0xa3/0x1e0
[ 52.558610][ T45] hci_alloc_dev_priv+0x27/0x1c00
[ 52.563470][ T45] hci_uart_tty_ioctl+0x401/0xa70
[ 52.568331][ T45] tty_ioctl+0x903/0xc50
[ 52.572420][ T45] __se_sys_ioctl+0x114/0x190
[ 52.576943][ T45] __x64_sys_ioctl+0x7b/0x90
[ 52.581352][ T45] x64_sys_call+0x98/0x9a0
[ 52.585605][ T45] page last free stack trace:
[ 52.590117][ T45] free_unref_page_prepare+0x83d/0x850
[ 52.595417][ T45] free_unref_page+0xb2/0x5c0
[ 52.599924][ T45] __free_pages+0x61/0xf0
[ 52.604095][ T45] __free_slab+0xce/0x1a0
[ 52.608345][ T45] __unfreeze_partials+0x165/0x1a0
[ 52.613295][ T45] put_cpu_partial+0xa9/0x100
[ 52.617804][ T45] __slab_free+0x1c8/0x280
[ 52.622059][ T45] ___cache_free+0xc6/0xd0
[ 52.626310][ T45] qlist_free_all+0xc5/0x140
[ 52.630736][ T45] kasan_quarantine_reduce+0x15a/0x180
[ 52.636032][ T45] __kasan_slab_alloc+0x24/0x80
[ 52.640715][ T45] slab_post_alloc_hook+0x53/0x2c0
[ 52.645664][ T45] kmem_cache_alloc_lru+0x102/0x270
[ 52.650696][ T45] __d_alloc+0x34/0x700
[ 52.654690][ T45] d_alloc_parallel+0xe6/0x12e0
[ 52.659378][ T45] __lookup_slow+0x154/0x3e0
[ 52.663811][ T45]
[ 52.665975][ T45] Memory state around the buggy address:
[ 52.671452][ T45]  ffff888113104900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.679361][ T45]  ffff888113104980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.687254][ T45] >ffff888113104a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.695135][ T45]                    ^
[ 52.699043][ T45]  ffff888113104a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.706956][ T45]  ffff888113104b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
executing program
[ 52.714842][ T45] ==================================================================
[ 52.722828][ T45] Disabling lock debugging due to kernel taint
[ 52.729118][ T311] Bluetooth: hci3: Opcode 0x1003 failed: -110
[ 52.729617][ T305] Bluetooth: hci3: command 0x1003 tx timeout
[ 52.740881][ T309] Bluetooth: hci1: Opcode 0x1003 failed: -110
[ 52.740986][ T10] Bluetooth: hci0: Frame reassembly failed (-84)
[ 52.758803][ T10] Bluetooth: hci0: Frame reassembly failed (-84)
[ 52.765658][ T401] Bluetooth: hci1: Frame reassembly failed (-84)
[ 52.766700][ T8] Bluetooth: hci3: Frame reassembly failed (-84)
executing program
executing program
[ 52.937899][ T302] Bluetooth: hci2: Opcode 0x1003 failed: -110
[ 52.937930][ T326] Bluetooth: hci4: command 0x1003 tx timeout
[ 52.949849][ T303] Bluetooth: hci4: Opcode 0x1003 failed: -110
[ 52.950302][ T10] Bluetooth: hci2: Frame reassembly failed (-84)
[ 52.961992][ T10] Bluetooth: hci2: Frame reassembly failed (-84)
[ 52.965966][ T401] Bluetooth: hci4: Frame reassembly failed (-84)
[ 53.817952][ T326] Bluetooth: hci0: command 0x1003 tx timeout
[ 53.817960][ C0] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
[ 53.817986][ C0] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 53.823991][ T45] Bluetooth: hci0: Opcode 0x1003 failed: -110
[ 53.835396][ C0] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 6.1.115-syzkaller-00041-ga887a44ace2a #0
[ 53.835427][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 53.835437][ C0] RIP: 0010:__queue_work+0x4f1/0xd70
[ 53.835470][ C0] Code: 39 03 0f 84 40 01 00 00 e8 0c 6c 2a 00 4c 89 e7 e8 d4 73 d6 03 49 bd 00 00 00 00 00 fc ff df 4c 8b 65 d0 4c 89 f0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 f7 e8 d0 da 71 00 49 8b 3e e8 88 6c d6
[ 53.835487][ C0] RSP: 0018:ffffc90000007c78 EFLAGS: 00010046
[ 53.900955][ C0] RAX: 0000000000000000 RBX: 000000007fffffff RCX: ffffffff8701d4c0
[ 53.908762][ C0] RDX: 0000000000000100 RSI: 000000007fffffff RDI: 000000007fffffff
[ 53.916668][ C0] RBP: ffffc90000007d00 R08: ffffffff814b185b R09: 0000000000000007
[ 53.924580][ C0] R10: ffffffffffffffff R11: dffffc0000000001 R12: ffff8881131049c8
[ 53.932395][ C0] R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881131049e0
[ 53.940199][ C0] FS: 0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
[ 53.948965][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 53.955390][ C0] CR2: 00007f9d496861f0 CR3: 0000000110371000 CR4: 00000000003506b0
[ 53.963203][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 53.971013][ C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 53.978825][ C0] Call Trace:
[ 53.981948][ C0]
[ 53.984639][ C0] ? __die_body+0x62/0xb0
[ 53.988808][ C0] ? die_addr+0x9f/0xd0
[ 53.992797][ C0] ? exc_general_protection+0x317/0x4c0
[ 53.998192][ C0] ? ttwu_do_wakeup+0xe5/0x430
[ 54.002782][ C0] ? asm_exc_general_protection+0x27/0x30
[ 54.008337][ C0] ? __queue_work+0x28b/0xd70
[ 54.012846][ C0] ? __queue_work+0x4f1/0xd70
[ 54.017381][ C0] ? __queue_work+0x29c/0xd70
[ 54.021874][ C0] delayed_work_timer_fn+0x61/0x80
[ 54.026821][ C0] ? queue_work_node+0x1d0/0x1d0
[ 54.031597][ C0] call_timer_fn+0x3b/0x2d0
[ 54.035935][ C0] ? queue_work_node+0x1d0/0x1d0
[ 54.040706][ C0] __run_timers+0x756/0xa10
[ 54.045048][ C0] ? calc_index+0x270/0x270
[ 54.049389][ C0] ? sched_clock+0x9/0x10
[ 54.053555][ C0] ? sched_clock_cpu+0x71/0x2b0
[ 54.058239][ C0] run_timer_softirq+0x69/0xf0
[ 54.062838][ C0] handle_softirqs+0x1db/0x650
[ 54.067441][ C0] ? irqtime_account_irq+0xdc/0x260
[ 54.072473][ C0] __irq_exit_rcu+0x52/0xf0
[ 54.076813][ C0] irq_exit_rcu+0x9/0x10
[ 54.080893][ C0] sysvec_apic_timer_interrupt+0xa9/0xc0
[ 54.086370][ C0]
[ 54.089147][ C0]
[ 54.091915][ C0] asm_sysvec_apic_timer_interrupt+0x1b/0x20
[ 54.097733][ C0] RIP: 0010:acpi_idle_enter+0x416/0x760
[ 54.103119][ C0] Code: 89 de 48 83 e6 08 31 ff e8 27 1c 54 fc 48 83 e3 08 0f 85 b1 00 00 00 0f 1f 44 00 00 e8 d3 17 54 fc 0f 00 2d 7c e8 ce 00 fb f4 e9 e3 00 00 00 49 83 c7 04 4c 89 f8 48 c1 e8 03 42 0f b6 04 30
[ 54.122566][ C0] RSP: 0018:ffffffff87007bd0 EFLAGS: 000002d3
[ 54.128463][ C0] RAX: ffffffff85216edd RBX: 0000000000000000 RCX: ffffffff8701d4c0
[ 54.136265][ C0] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 54.144230][ C0] RBP: ffffffff87007c10 R08: ffffffff85216ec9 R09: fffffbfff0e03a99
[ 54.152124][ C0] R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000001
[ 54.160392][ C0] R13: ffff888109b6b804 R14: dffffc0000000000 R15: ffff88810974a064
[ 54.168206][ C0] ? acpi_idle_enter+0x3f9/0x760
[ 54.172975][ C0] ? acpi_idle_enter+0x40d/0x760
[ 54.177750][ C0] ? intel_idle_xstate+0xa0/0xa0
[ 54.182522][ C0] cpuidle_enter_state+0x5eb/0x17f0
[ 54.187557][ C0] ? cpuidle_enter_s2idle+0x600/0x600
[ 54.192764][ C0] ? menu_enable_device+0x380/0x380
[ 54.197805][ C0] ? __sched_text_start+0x8/0x8
[ 54.202488][ C0] cpuidle_enter+0x5f/0xa0
[ 54.206745][ C0] do_idle+0x3d1/0x580
[ 54.210646][ C0] ? idle_inject_timer_fn+0x60/0x60
[ 54.215677][ C0] ? radix_tree_lookup+0x23a/0x290
[ 54.220630][ C0] ? debug_smp_processor_id+0x17/0x20
[ 54.225834][ C0] cpu_startup_entry+0x44/0x60
[ 54.230434][ C0] rest_init+0x10b/0x130
[ 54.234511][ C0] ? time_init+0x38/0x38
[ 54.238590][ C0] arch_call_rest_init+0xe/0xe
[ 54.243190][ C0] start_kernel+0x46c/0x4d8
[ 54.247533][ C0] x86_64_start_reservations+0x2a/0x2c
[ 54.252832][ C0] x86_64_start_kernel+0x7c/0x81
[ 54.257601][ C0] secondary_startup_64_no_verify+0xce/0xdb
[ 54.263335][ C0]
[ 54.266310][ C0] Modules linked in:
[ 54.270049][ C0] ---[ end trace 0000000000000000 ]---
[ 54.275339][ C0] RIP: 0010:__queue_work+0x4f1/0xd70
[ 54.280481][ C0] Code: 39 03 0f 84 40 01 00 00 e8 0c 6c 2a 00 4c 89 e7 e8 d4 73 d6 03 49 bd 00 00 00 00 00 fc ff df 4c 8b 65 d0 4c 89 f0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 f7 e8 d0 da 71 00 49 8b 3e e8 88 6c d6
[ 54.299989][ C0] RSP: 0018:ffffc90000007c78 EFLAGS: 00010046
[ 54.306001][ C0] RAX: 0000000000000000 RBX: 000000007fffffff RCX: ffffffff8701d4c0
[ 54.313894][ C0] RDX: 0000000000000100 RSI: 000000007fffffff RDI: 000000007fffffff
[ 54.321705][ C0] RBP: ffffc90000007d00 R08: ffffffff814b185b R09: 0000000000000007
[ 54.329514][ C0] R10: ffffffffffffffff R11: dffffc0000000001 R12: ffff8881131049c8
[ 54.337327][ C0] R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881131049e0
[ 54.345140][ C0] FS: 0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
[ 54.353904][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 54.360331][ C0] CR2: 00007f9d496861f0 CR3: 0000000110371000 CR4: 00000000003506b0
[ 54.368142][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 54.375950][ C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 54.383762][ C0] Kernel panic - not syncing: Fatal exception in interrupt
[ 54.391141][ C0] Kernel Offset: disabled
[ 54.395270][ C0] Rebooting in 86400 seconds..