Warning: Permanently added '10.128.15.192' (ECDSA) to the list of known hosts.
[ 71.782998][ T46] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 71.792085][ T46] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 71.800196][ T46] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 71.808205][ T46] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 71.815900][ T46] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 71.823441][ T46] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 73.859148][ T1045] Bluetooth: hci0: command 0x0409 tx timeout
[ 75.938177][ T917] Bluetooth: hci0: command 0x041b tx timeout
[ 76.340165][ T8] cfg80211: failed to load regulatory.db
[ 78.028201][ T917] Bluetooth: hci0: command 0x040f tx timeout
[ 80.098120][ T917] Bluetooth: hci0: command 0x0419 tx timeout
[ 82.188320][ T917] Bluetooth: hci0: command 0x0405 tx timeout
[ 84.258327][ T917] Bluetooth: hci0: command 0x0405 tx timeout
[ 112.179177][ T8] ==================================================================
[ 112.187569][ T8] BUG: KASAN: use-after-free in sco_sock_timeout+0x64/0x290
[ 112.195064][ T8] Write of size 4 at addr ffff88801d165080 by task kworker/0:1/8
[ 112.202784][ T8]
[ 112.205098][ T8] CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 5.17.0-rc4-syzkaller-01424-g922ea87ff6f2-dirty #0
[ 112.215521][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 112.225580][ T8] Workqueue: events sco_sock_timeout
[ 112.231125][ T8] Call Trace:
[ 112.234496][ T8]
[ 112.237421][ T8] dump_stack_lvl+0xcd/0x134
[ 112.242023][ T8] print_address_description.constprop.0.cold+0x8d/0x336
[ 112.249056][ T8] ? sco_sock_timeout+0x64/0x290
[ 112.253985][ T8] ? sco_sock_timeout+0x64/0x290
[ 112.258924][ T8] kasan_report.cold+0x83/0xdf
[ 112.263776][ T8] ? sco_sock_timeout+0x64/0x290
[ 112.268719][ T8] kasan_check_range+0x13d/0x180
[ 112.273754][ T8] sco_sock_timeout+0x64/0x290
[ 112.278615][ T8] process_one_work+0x9ac/0x1650
[ 112.283575][ T8] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 112.288963][ T8] ? rwlock_bug.part.0+0x90/0x90
[ 112.293996][ T8] ? _raw_spin_lock_irq+0x41/0x50
[ 112.299040][ T8] worker_thread+0x657/0x1110
[ 112.303722][ T8] ? process_one_work+0x1650/0x1650
[ 112.308920][ T8] kthread+0x2e9/0x3a0
[ 112.313006][ T8] ? kthread_complete_and_exit+0x40/0x40
[ 112.318650][ T8] ret_from_fork+0x1f/0x30
[ 112.323073][ T8]
[ 112.326080][ T8]
[ 112.328390][ T8] Allocated by task 4059:
[ 112.332715][ T8] kasan_save_stack+0x1e/0x40
[ 112.337562][ T8] __kasan_kmalloc+0xa9/0xd0
[ 112.342153][ T8] sk_prot_alloc+0x110/0x290
[ 112.346912][ T8] sk_alloc+0x32/0xa80
[ 112.350981][ T8] sco_sock_alloc.constprop.0+0x31/0x330
[ 112.356604][ T8] sco_sock_create+0xd5/0x1b0
[ 112.361270][ T8] bt_sock_create+0x17c/0x340
[ 112.365947][ T8] __sock_create+0x353/0x790
[ 112.370533][ T8] __sys_socket+0xef/0x200
[ 112.374949][ T8] __x64_sys_socket+0x6f/0xb0
[ 112.379622][ T8] do_syscall_64+0x35/0xb0
[ 112.384039][ T8] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 112.389924][ T8]
[ 112.392321][ T8] Freed by task 4060:
[ 112.396378][ T8] kasan_save_stack+0x1e/0x40
[ 112.401140][ T8] kasan_set_track+0x21/0x30
[ 112.405817][ T8] kasan_set_free_info+0x20/0x30
[ 112.410835][ T8] ____kasan_slab_free+0x126/0x160
[ 112.415947][ T8] slab_free_freelist_hook+0x8b/0x1c0
[ 112.421341][ T8] kfree+0xd0/0x390
[ 112.425250][ T8] __sk_destruct+0x6c0/0x920
[ 112.429922][ T8] sk_destruct+0x131/0x180
[ 112.434446][ T8] __sk_free+0xef/0x3d0
[ 112.438687][ T8] sk_free+0x78/0xa0
[ 112.442580][ T8] sco_sock_kill+0x18d/0x1b0
[ 112.447352][ T8] sco_sock_release+0x162/0x2d0
[ 112.452461][ T8] __sock_release+0xcd/0x280
[ 112.457051][ T8] sock_close+0x18/0x20
[ 112.461210][ T8] __fput+0x286/0x9f0
[ 112.465229][ T8] task_work_run+0xdd/0x1a0
[ 112.469909][ T8] get_signal+0x1de2/0x2490
[ 112.474645][ T8] arch_do_signal_or_restart+0x2a9/0x1c40
[ 112.480547][ T8] exit_to_user_mode_prepare+0x17d/0x290
[ 112.486367][ T8] syscall_exit_to_user_mode+0x19/0x60
[ 112.491908][ T8] do_syscall_64+0x42/0xb0
[ 112.496407][ T8] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 112.502298][ T8]
[ 112.504747][ T8] Last potentially related work creation:
[ 112.510560][ T8] kasan_save_stack+0x1e/0x40
[ 112.515846][ T8] __kasan_record_aux_stack+0xbe/0xd0
[ 112.521309][ T8] call_rcu+0xb1/0x740
[ 112.525459][ T8] netlink_release+0xf08/0x1db0
[ 112.530513][ T8] __sock_release+0xcd/0x280
[ 112.535110][ T8] sock_close+0x18/0x20
[ 112.539264][ T8] __fput+0x286/0x9f0
[ 112.543247][ T8] task_work_run+0xdd/0x1a0
[ 112.548702][ T8] exit_to_user_mode_prepare+0x27e/0x290
[ 112.554335][ T8] syscall_exit_to_user_mode+0x19/0x60
[ 112.559874][ T8] do_syscall_64+0x42/0xb0
[ 112.564285][ T8] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 112.570206][ T8]
[ 112.572556][ T8] Second to last potentially related work creation:
[ 112.579298][ T8] kasan_save_stack+0x1e/0x40
[ 112.584034][ T8] __kasan_record_aux_stack+0xbe/0xd0
[ 112.589402][ T8] call_rcu+0xb1/0x740
[ 112.593468][ T8] netlink_release+0xf08/0x1db0
[ 112.598319][ T8] __sock_release+0xcd/0x280
[ 112.602908][ T8] sock_close+0x18/0x20
[ 112.607055][ T8] __fput+0x286/0x9f0
[ 112.611033][ T8] task_work_run+0xdd/0x1a0
[ 112.615541][ T8] exit_to_user_mode_prepare+0x27e/0x290
[ 112.621265][ T8] syscall_exit_to_user_mode+0x19/0x60
[ 112.626728][ T8] do_syscall_64+0x42/0xb0
[ 112.631228][ T8] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 112.637122][ T8]
[ 112.639434][ T8] The buggy address belongs to the object at ffff88801d165000
[ 112.639434][ T8] which belongs to the cache kmalloc-2k of size 2048
[ 112.653563][ T8] The buggy address is located 128 bytes inside of
[ 112.653563][ T8] 2048-byte region [ffff88801d165000, ffff88801d165800)
[ 112.666918][ T8] The buggy address belongs to the page:
[ 112.672620][ T8] page:ffffea0000745800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d160
[ 112.682846][ T8] head:ffffea0000745800 order:3 compound_mapcount:0 compound_pincount:0
[ 112.691156][ T8] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 112.699274][ T8] raw: 00fff00000010200 ffffea000070c000 dead000000000002 ffff888010c42000
[ 112.707848][ T8] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 112.716413][ T8] page dumped because: kasan: bad access detected
[ 112.722810][ T8] page_owner tracks the page as allocated
[ 112.728503][ T8] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 54, ts 8464675040, free_ts 0
[ 112.746899][ T8] get_page_from_freelist+0xa72/0x2f50
[ 112.752355][ T8] __alloc_pages+0x1b2/0x500
[ 112.756937][ T8] alloc_pages+0x1aa/0x310
[ 112.761338][ T8] allocate_slab+0x27f/0x3c0
[ 112.765921][ T8] ___slab_alloc+0xbe1/0x12b0
[ 112.770590][ T8] __slab_alloc.constprop.0+0x4d/0xa0
[ 112.776082][ T8] __kmalloc+0x372/0x450
[ 112.780498][ T8] scsi_alloc_target+0x132/0xc60
[ 112.785430][ T8] __scsi_scan_target+0x13a/0xdb0
[ 112.790534][ T8] scsi_scan_channel+0x148/0x1e0
[ 112.795471][ T8] scsi_scan_host_selected+0x2df/0x3b0
[ 112.800939][ T8] do_scsi_scan_host+0x1e8/0x260
[ 112.805869][ T8] do_scan_async+0x3e/0x500
[ 112.810362][ T8] async_run_entry_fn+0x9d/0x550
[ 112.815299][ T8] process_one_work+0x9ac/0x1650
[ 112.820226][ T8] worker_thread+0x657/0x1110
[ 112.824892][ T8] page_owner free stack trace missing
[ 112.830417][ T8]
[ 112.832731][ T8] Memory state around the buggy address:
[ 112.838346][ T8] ffff88801d164f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 112.846393][ T8] ffff88801d165000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.854708][ T8] >ffff88801d165080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.862750][ T8] ^
[ 112.866806][ T8] ffff88801d165100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.874939][ T8] ffff88801d165180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.883079][ T8] ==================================================================
[ 112.891123][ T8] Disabling lock debugging due to kernel taint
[ 112.897579][ T8] Kernel panic - not syncing: panic_on_warn set ...
[ 112.904250][ T8] CPU: 0 PID: 8 Comm: kworker/0:1 Tainted: G B 5.17.0-rc4-syzkaller-01424-g922ea87ff6f2-dirty #0
[ 112.916147][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 112.926368][ T8] Workqueue: events sco_sock_timeout
[ 112.931821][ T8] Call Trace:
[ 112.935085][ T8]
[ 112.938005][ T8] dump_stack_lvl+0xcd/0x134
[ 112.942593][ T8] panic+0x2b0/0x6dd
[ 112.946476][ T8] ? __warn_printk+0xf3/0xf3
[ 112.951070][ T8] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 112.957226][ T8] ? trace_hardirqs_on+0x38/0x1c0
[ 112.962423][ T8] ? trace_hardirqs_on+0x51/0x1c0
[ 112.967450][ T8] ? sco_sock_timeout+0x64/0x290
[ 112.972376][ T8] ? sco_sock_timeout+0x64/0x290
[ 112.977385][ T8] end_report.cold+0x63/0x6f
[ 112.982062][ T8] kasan_report.cold+0x71/0xdf
[ 112.986930][ T8] ? sco_sock_timeout+0x64/0x290
[ 112.991855][ T8] kasan_check_range+0x13d/0x180
[ 112.996794][ T8] sco_sock_timeout+0x64/0x290
[ 113.001904][ T8] process_one_work+0x9ac/0x1650
[ 113.007026][ T8] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 113.012750][ T8] ? rwlock_bug.part.0+0x90/0x90
[ 113.017696][ T8] ? _raw_spin_lock_irq+0x41/0x50
[ 113.022892][ T8] worker_thread+0x657/0x1110
[ 113.027748][ T8] ? process_one_work+0x1650/0x1650
[ 113.032936][ T8] kthread+0x2e9/0x3a0
[ 113.037001][ T8] ? kthread_complete_and_exit+0x40/0x40
[ 113.042626][ T8] ret_from_fork+0x1f/0x30
[ 113.047154][ T8]
[ 113.050456][ T8] Kernel Offset: disabled
[ 113.054778][ T8] Rebooting in 86400 seconds..