Warning: Permanently added '10.128.0.131' (ED25519) to the list of known hosts.
[ 33.882582][ T5859] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 33.885118][ T5859] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 33.887499][ T5859] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 33.890020][ T5859] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 33.892930][ T5859] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 33.895129][ T5859] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
executing program
executing program
executing program
executing program
executing program
[ 33.974259][ T5859] ==================================================================
[ 33.976228][ T5859] BUG: KASAN: slab-use-after-free in __lock_acquire+0x114/0x763c
[ 33.978170][ T5859] Read of size 8 at addr ffff0000d44a91d8 by task kworker/u9:1/5859
[ 33.980208][ T5859]
[ 33.980811][ T5859] CPU: 0 PID: 5859 Comm: kworker/u9:1 Not tainted 6.10.0-rc5-syzkaller-gb4a3f9b4863a #0
[ 33.983441][ T5859] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 33.985981][ T5859] Workqueue: hci0 hci_rx_work
[ 33.987162][ T5859] Call trace:
[ 33.988029][ T5859] dump_backtrace+0x1b8/0x1e4
[ 33.989213][ T5859] show_stack+0x2c/0x3c
[ 33.990293][ T5859] dump_stack_lvl+0xe4/0x150
[ 33.991454][ T5859] print_report+0x198/0x538
[ 33.992592][ T5859] kasan_report+0xd8/0x138
[ 33.993733][ T5859] __asan_report_load8_noabort+0x20/0x2c
[ 33.995245][ T5859] __lock_acquire+0x114/0x763c
[ 33.996434][ T5859] lock_acquire+0x240/0x728
[ 33.997591][ T5859] _raw_spin_lock_bh+0x48/0x60
[ 33.998873][ T5859] __lock_sock+0x170/0x2d4
[ 33.999986][ T5859] lock_sock_nested+0xa4/0x11c
[ 34.001222][ T5859] l2cap_sock_recv_cb+0x5c/0x440
[ 34.002521][ T5859] l2cap_recv_frame+0x6dfc/0xc8e0
[ 34.003876][ T5859] l2cap_recv_acldata+0x4a8/0x15dc
[ 34.005210][ T5859] hci_rx_work+0x2b8/0xa78
[ 34.006322][ T5859] process_one_work+0x79c/0x15b8
[ 34.007614][ T5859] worker_thread+0x938/0xef4
[ 34.008810][ T5859] kthread+0x288/0x310
[ 34.009853][ T5859] ret_from_fork+0x10/0x20
[ 34.011088][ T5859]
[ 34.011670][ T5859] Allocated by task 6295:
[ 34.012803][ T5859] kasan_save_track+0x40/0x78
[ 34.014022][ T5859] kasan_save_alloc_info+0x40/0x50
[ 34.015348][ T5859] __kasan_kmalloc+0xac/0xc4
[ 34.016515][ T5859] __kmalloc_noprof+0x2a0/0x494
[ 34.017766][ T5859] sk_prot_alloc+0xc4/0x1f0
[ 34.018926][ T5859] sk_alloc+0x44/0x3f0
[ 34.020017][ T5859] bt_sock_alloc+0x4c/0x304
[ 34.021328][ T5859] l2cap_sock_create+0x140/0x2b8
[ 34.022599][ T5859] bt_sock_create+0x14c/0x248
[ 34.023831][ T5859] __sock_create+0x43c/0x884
[ 34.024962][ T5859] __sys_socket+0x134/0x340
[ 34.026143][ T5859] __arm64_sys_socket+0x7c/0x94
[ 34.027490][ T5859] invoke_syscall+0x98/0x2b8
[ 34.028674][ T5859] el0_svc_common+0x130/0x23c
[ 34.029869][ T5859] do_el0_svc+0x48/0x58
[ 34.030952][ T5859] el0_svc+0x54/0x168
[ 34.031984][ T5859] el0t_64_sync_handler+0x84/0xfc
[ 34.033264][ T5859] el0t_64_sync+0x190/0x194
[ 34.034481][ T5859]
[ 34.035112][ T5859] Freed by task 6295:
[ 34.036134][ T5859] kasan_save_track+0x40/0x78
[ 34.037349][ T5859] kasan_save_free_info+0x54/0x6c
[ 34.038654][ T5859] poison_slab_object+0x128/0x180
[ 34.039938][ T5859] __kasan_slab_free+0x3c/0x70
[ 34.041132][ T5859] kfree+0x154/0x3e0
[ 34.042159][ T5859] __sk_destruct+0x4b8/0x74c
[ 34.043366][ T5859] __sk_free+0x388/0x4f4
[ 34.044444][ T5859] sk_free+0x60/0xc8
[ 34.045445][ T5859] l2cap_sock_kill+0x10c/0x214
[ 34.046690][ T5859] l2cap_sock_release+0x138/0x1b4
[ 34.048112][ T5859] sock_close+0xa4/0x1e8
[ 34.049263][ T5859] __fput+0x334/0x760
[ 34.050284][ T5859] ____fput+0x20/0x30
[ 34.051308][ T5859] task_work_run+0x230/0x2e0
[ 34.052524][ T5859] do_notify_resume+0x178/0x1f4
[ 34.053898][ T5859] el0_svc+0xac/0x168
[ 34.054972][ T5859] el0t_64_sync_handler+0x84/0xfc
[ 34.056294][ T5859] el0t_64_sync+0x190/0x194
[ 34.057463][ T5859]
[ 34.058065][ T5859] The buggy address belongs to the object at ffff0000d44a9000
[ 34.058065][ T5859] which belongs to the cache kmalloc-2k of size 2048
[ 34.061659][ T5859] The buggy address is located 472 bytes inside of
[ 34.061659][ T5859] freed 2048-byte region [ffff0000d44a9000, ffff0000d44a9800)
[ 34.065110][ T5859]
[ 34.065694][ T5859] The buggy address belongs to the physical page:
[ 34.067366][ T5859] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1144a8
[ 34.069699][ T5859] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 34.071847][ T5859] flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
[ 34.073841][ T5859] page_type: 0xffffefff(slab)
[ 34.075215][ T5859] raw: 05ffc00000000040 ffff0000c0002000 dead000000000122 0000000000000000
[ 34.077490][ T5859] raw: 0000000000000000 0000000080080008 00000001ffffefff 0000000000000000
[ 34.079780][ T5859] head: 05ffc00000000040 ffff0000c0002000 dead000000000122 0000000000000000
[ 34.082102][ T5859] head: 0000000000000000 0000000080080008 00000001ffffefff 0000000000000000
[ 34.084429][ T5859] head: 05ffc00000000003 fffffdffc3512a01 ffffffffffffffff 0000000000000000
[ 34.086740][ T5859] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 34.089052][ T5859] page dumped because: kasan: bad access detected
[ 34.090698][ T5859]
[ 34.091281][ T5859] Memory state around the buggy address:
[ 34.092702][ T5859] ffff0000d44a9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.094822][ T5859] ffff0000d44a9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.096967][ T5859] >ffff0000d44a9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.099119][ T5859] ^
[ 34.100880][ T5859] ffff0000d44a9200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.102990][ T5859] ffff0000d44a9280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.105112][ T5859] ==================================================================
executing program
[ 34.107256][ T5859] Disabling lock debugging due to kernel taint
[ 34.109842][ T5859] Unable to handle kernel paging request at virtual address dfff80000000002e
[ 34.112239][ T5859] KASAN: null-ptr-deref in range [0x0000000000000170-0x0000000000000177]
[ 34.114540][ T5859] Mem abort info:
[ 34.115433][ T5859] ESR = 0x0000000096000005
[ 34.116599][ T5859] EC = 0x25: DABT (current EL), IL = 32 bits
executing program
[ 34.118171][ T5859] SET = 0, FnV = 0
[ 34.119126][ T5859] EA = 0, S1PTW = 0
[ 34.120152][ T5859] FSC = 0x05: level 1 translation fault
[ 34.121717][ T5859] Data abort info:
[ 34.122626][ T5859] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 34.124340][ T5859] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 34.125781][ T5859] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 34.127289][ T5859] [dfff80000000002e] address between user and kernel address ranges
[ 34.129326][ T5859] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
[ 34.131128][ T5859] Modules linked in:
executing program
[ 34.132167][ T5859] CPU: 0 PID: 5859 Comm: kworker/u9:1 Tainted: G B 6.10.0-rc5-syzkaller-gb4a3f9b4863a #0
[ 34.135120][ T5859] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 34.137825][ T5859] Workqueue: hci0 hci_rx_work
[ 34.139072][ T5859] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 34.141180][ T5859] pc : l2cap_sock_recv_cb+0x154/0x440
[ 34.142660][ T5859] lr : l2cap_sock_recv_cb+0x134/0x440
[ 34.144039][ T5859] sp : ffff8000a0bd71c0
[ 34.145126][ T5859] x29: ffff8000a0bd71c0 x28: ffff0000d8ff4000 x27: 1fffe0001a895405
[ 34.147236][ T5859] x26: dfff800000000000 x25: 1fffe0001a895494 x24: 0000000000000000
[ 34.149284][ T5859] x23: 0000000000000000 x22: ffff0000d44aa02e x21: ffff0000ca441000
[ 34.151449][ T5859] x20: ffff0000d44aa000 x19: ffff0000d44a9000 x18: 1fffe000367aa1de
executing program
executing program
[ 34.153624][ T5859] x17: ffff80008f19d000 x16: ffff800080559634 x15: ffff60001a895220
[ 34.155743][ T5859] x14: 1fffe0001a895220 x13: 00000000000000fb x12: ffffffffffffffff
[ 34.157846][ T5859] x11: 0000000000000001 x10: 0000000000ff0100 x9 : 0000000000000000
[ 34.160025][ T5859] x8 : 000000000000002e x7 : 0000000000000000 x6 : ffff800089194550
[ 34.162191][ T5859] x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80008919467c
[ 34.164248][ T5859] x2 : 0000000000000000 x1 : 0000000000000001 x0 : 0000000000000174
[ 34.166397][ T5859] Call trace:
[ 34.167222][ T5859] l2cap_sock_recv_cb+0x154/0x440
[ 34.168512][ T5859] l2cap_recv_frame+0x6dfc/0xc8e0
executing program
[ 34.169905][ T5859] l2cap_recv_acldata+0x4a8/0x15dc
[ 34.171258][ T5859] hci_rx_work+0x2b8/0xa78
[ 34.172430][ T5859] process_one_work+0x79c/0x15b8
[ 34.173759][ T5859] worker_thread+0x938/0xef4
[ 34.175000][ T5859] kthread+0x288/0x310
[ 34.176094][ T5859] ret_from_fork+0x10/0x20
[ 34.177237][ T5859] Code: 97731000 f9400318 9105d300 d343fc08 (38fa6908)
[ 34.179043][ T5859] ---[ end trace 0000000000000000 ]---
[ 34.452383][ T5859] Kernel panic - not syncing: Oops: Fatal exception
[ 34.454109][ T5859] SMP: stopping secondary CPUs
[ 34.455368][ T5859] Kernel Offset: disabled
[ 34.456503][ T5859] CPU features: 0x00,00000103,80100128,42017203
[ 34.458159][ T5859] Memory Limit: none
[ 34.732279][ T5859] Rebooting in 86400 seconds..