Warning: Permanently added '10.128.1.24' (ED25519) to the list of known hosts.
[ 29.596201][ T50] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 29.598929][ T50] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 29.601085][ T50] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 29.603796][ T50] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 29.605893][ T50] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 29.607776][ T50] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
executing program
[ 29.644760][ T5742] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585
[ 29.647223][ T5742] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5742, name: kworker/u5:1
[ 29.649392][ T5742] preempt_count: 0, expected: 0
[ 29.650538][ T5742] RCU nest depth: 1, expected: 0
[ 29.651730][ T5742] 4 locks held by kworker/u5:1/5742:
[ 29.653206][ T5742]  #0: ffff0000d629a538 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x560/0x1204
[ 29.655882][ T5742]  #1: ffff80009e477c20 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x5a0/0x1204
[ 29.658751][ T5742]  #2: ffff0000c7c00078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xc0/0x998
[ 29.661332][ T5742]  #3: ffff80008ee74ac0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c
[ 29.663815][ T5742] CPU: 1 PID: 5742 Comm: kworker/u5:1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
[ 29.666173][ T5742] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 29.668549][ T5742] Workqueue: hci0 hci_rx_work
[ 29.669684][ T5742] Call trace:
[ 29.670538][ T5742]  dump_backtrace+0x1b8/0x1e4
[ 29.671691][ T5742]  show_stack+0x2c/0x3c
[ 29.672717][ T5742]  dump_stack_lvl+0xd0/0x124
[ 29.673870][ T5742]  dump_stack+0x1c/0x28
[ 29.674905][ T5742]  __might_resched+0x374/0x4d0
[ 29.676064][ T5742]  __might_sleep+0x90/0xe4
[ 29.677189][ T5742]  __mutex_lock_common+0xcc/0x21a0
[ 29.678515][ T5742]  mutex_lock_nested+0x2c/0x38
[ 29.679687][ T5742]  hci_le_create_big_complete_evt+0x34c/0x998
[ 29.681102][ T5742]  hci_le_meta_evt+0x2a4/0x478
[ 29.682276][ T5742]  hci_event_packet+0x6f0/0x1094
[ 29.683554][ T5742]  hci_rx_work+0x318/0xa78
[ 29.684603][ T5742]  process_one_work+0x694/0x1204
[ 29.685891][ T5742]  worker_thread+0x938/0xef4
[ 29.686997][ T5742]  kthread+0x288/0x310
[ 29.688031][ T5742]  ret_from_fork+0x10/0x20
[ 29.689067][ T5742]
[ 29.689480][ T5742] =============================
[ 29.690295][ T5742] [ BUG: Invalid wait context ]
[ 29.691317][ T5742] 6.8.0-rc7-syzkaller-g707081b61156 #0 Tainted: G W
[ 29.693190][ T5742] -----------------------------
[ 29.694313][ T5742] kworker/u5:1/5742 is trying to lock:
[ 29.695686][ T5742] ffff800091aaa2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0x34c/0x998
[ 29.698394][ T5742] other info that might help us debug this:
[ 29.699786][ T5742] context-{4:4}
[ 29.700646][ T5742] 4 locks held by kworker/u5:1/5742:
[ 29.701955][ T5742]  #0: ffff0000d629a538 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x560/0x1204
[ 29.704394][ T5742]  #1: ffff80009e477c20 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x5a0/0x1204
[ 29.707267][ T5742]  #2: ffff0000c7c00078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xc0/0x998
[ 29.709805][ T5742]  #3: ffff80008ee74ac0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c
[ 29.712096][ T5742] stack backtrace:
[ 29.712948][ T5742] CPU: 1 PID: 5742 Comm: kworker/u5:1 Tainted: G W 6.8.0-rc7-syzkaller-g707081b61156 #0
[ 29.715911][ T5742] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 29.718323][ T5742] Workqueue: hci0 hci_rx_work
[ 29.719546][ T5742] Call trace:
[ 29.720354][ T5742]  dump_backtrace+0x1b8/0x1e4
[ 29.721493][ T5742]  show_stack+0x2c/0x3c
[ 29.722522][ T5742]  dump_stack_lvl+0xd0/0x124
[ 29.723611][ T5742]  dump_stack+0x1c/0x28
[ 29.724585][ T5742]  __lock_acquire+0x1be4/0x763c
[ 29.725744][ T5742]  lock_acquire+0x23c/0x71c
[ 29.726920][ T5742]  __mutex_lock_common+0x190/0x21a0
[ 29.728313][ T5742]  mutex_lock_nested+0x2c/0x38
[ 29.729527][ T5742]  hci_le_create_big_complete_evt+0x34c/0x998
[ 29.731008][ T5742]  hci_le_meta_evt+0x2a4/0x478
[ 29.732187][ T5742]  hci_event_packet+0x6f0/0x1094
[ 29.733399][ T5742]  hci_rx_work+0x318/0xa78
[ 29.734511][ T5742]  process_one_work+0x694/0x1204
[ 29.735783][ T5742]  worker_thread+0x938/0xef4
[ 29.736901][ T5742]  kthread+0x288/0x310
[ 29.737851][ T5742]  ret_from_fork+0x10/0x20
[ 29.792397][ T5742] ==================================================================
[ 29.794443][ T5742] BUG: KASAN: slab-use-after-free in hci_le_create_big_complete_evt+0x304/0x998
[ 29.796688][ T5742] Read of size 8 at addr ffff0000d78d2000 by task kworker/u5:1/5742
[ 29.798555][ T5742]
[ 29.799063][ T5742] CPU: 1 PID: 5742 Comm: kworker/u5:1 Tainted: G W 6.8.0-rc7-syzkaller-g707081b61156 #0
[ 29.801770][ T5742] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 29.804169][ T5742] Workqueue: hci0 hci_rx_work
[ 29.805341][ T5742] Call trace:
[ 29.806096][ T5742]  dump_backtrace+0x1b8/0x1e4
[ 29.807253][ T5742]  show_stack+0x2c/0x3c
[ 29.808321][ T5742]  dump_stack_lvl+0xd0/0x124
[ 29.809500][ T5742]  print_report+0x178/0x518
[ 29.810499][ T5742]  kasan_report+0xd8/0x138
[ 29.811592][ T5742]  __asan_report_load8_noabort+0x20/0x2c
[ 29.813015][ T5742]  hci_le_create_big_complete_evt+0x304/0x998
[ 29.814602][ T5742]  hci_le_meta_evt+0x2a4/0x478
[ 29.815798][ T5742]  hci_event_packet+0x6f0/0x1094
[ 29.816966][ T5742]  hci_rx_work+0x318/0xa78
[ 29.818058][ T5742]  process_one_work+0x694/0x1204
[ 29.819222][ T5742]  worker_thread+0x938/0xef4
[ 29.820340][ T5742]  kthread+0x288/0x310
[ 29.821326][ T5742]  ret_from_fork+0x10/0x20
[ 29.822441][ T5742]
[ 29.823002][ T5742] Allocated by task 5742:
[ 29.824025][ T5742]  kasan_save_track+0x40/0x78
[ 29.825053][ T5742]  kasan_save_alloc_info+0x40/0x50
[ 29.826423][ T5742]  __kasan_kmalloc+0xac/0xc4
[ 29.827599][ T5742]  kmalloc_trace+0x26c/0x49c
[ 29.828825][ T5742]  hci_conn_add+0xd0/0x1080
[ 29.829883][ T5742]  hci_le_big_sync_established_evt+0x1b0/0x950
[ 29.831369][ T5742]  hci_le_meta_evt+0x2a4/0x478
[ 29.832465][ T5742]  hci_event_packet+0x6f0/0x1094
[ 29.833725][ T5742]  hci_rx_work+0x318/0xa78
[ 29.834812][ T5742]  process_one_work+0x694/0x1204
[ 29.836013][ T5742]  worker_thread+0x938/0xef4
[ 29.837164][ T5742]  kthread+0x288/0x310
[ 29.838206][ T5742]  ret_from_fork+0x10/0x20
[ 29.839201][ T5742]
[ 29.839780][ T5742] Freed by task 5742:
[ 29.840769][ T5742]  kasan_save_track+0x40/0x78
[ 29.841992][ T5742]  kasan_save_free_info+0x54/0x6c
[ 29.843183][ T5742]  poison_slab_object+0x124/0x18c
[ 29.844383][ T5742]  __kasan_slab_free+0x3c/0x70
[ 29.845467][ T5742]  kfree+0x144/0x3cc
[ 29.846465][ T5742]  bt_link_release+0x20/0x30
[ 29.847524][ T5742]  device_release+0x8c/0x1ac
[ 29.848618][ T5742]  kobject_put+0x2a8/0x41c
[ 29.849624][ T5742]  put_device+0x28/0x40
[ 29.850610][ T5742]  hci_conn_del_sysfs+0x7c/0x170
[ 29.851876][ T5742]  hci_conn_del+0x7ac/0xb0c
[ 29.852924][ T5742]  hci_le_create_big_complete_evt+0x55c/0x998
[ 29.854438][ T5742]  hci_le_meta_evt+0x2a4/0x478
[ 29.855603][ T5742]  hci_event_packet+0x6f0/0x1094
[ 29.856854][ T5742]  hci_rx_work+0x318/0xa78
[ 29.857991][ T5742]  process_one_work+0x694/0x1204
[ 29.859172][ T5742]  worker_thread+0x938/0xef4
[ 29.860316][ T5742]  kthread+0x288/0x310
[ 29.861344][ T5742]  ret_from_fork+0x10/0x20
[ 29.862432][ T5742]
[ 29.863017][ T5742] The buggy address belongs to the object at ffff0000d78d2000
[ 29.863017][ T5742]  which belongs to the cache kmalloc-4k of size 4096
[ 29.866553][ T5742] The buggy address is located 0 bytes inside of
[ 29.866553][ T5742]  freed 4096-byte region [ffff0000d78d2000, ffff0000d78d3000)
[ 29.869970][ T5742]
[ 29.870501][ T5742] The buggy address belongs to the physical page:
[ 29.872062][ T5742] page:00000000aab359d9 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1178d0
[ 29.874613][ T5742] head:00000000aab359d9 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 29.876798][ T5742] flags: 0x5ffc00000000840(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 29.878777][ T5742] page_type: 0xffffffff()
[ 29.879895][ T5742] raw: 05ffc00000000840 ffff0000c0002140 dead000000000122 0000000000000000
[ 29.882073][ T5742] raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
[ 29.884210][ T5742] page dumped because: kasan: bad access detected
[ 29.885718][ T5742]
[ 29.886314][ T5742] Memory state around the buggy address:
[ 29.887735][ T5742]  ffff0000d78d1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.889689][ T5742]  ffff0000d78d1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.891559][ T5742] >ffff0000d78d2000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.893517][ T5742]                    ^
[ 29.894519][ T5742]  ffff0000d78d2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.896389][ T5742]  ffff0000d78d2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.898373][ T5742] ==================================================================
[ 29.900438][ T5742] Unable to handle kernel paging request at virtual address dfff800000000002
[ 29.902666][ T5742] KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
[ 29.904782][ T5742] Mem abort info:
[ 29.905632][ T5742]   ESR = 0x0000000096000005
[ 29.906766][ T5742]   EC = 0x25: DABT (current EL), IL = 32 bits
[ 29.908319][ T5742]   SET = 0, FnV = 0
[ 29.909307][ T5742]   EA = 0, S1PTW = 0
[ 29.910269][ T5742]   FSC = 0x05: level 1 translation fault
[ 29.911595][ T5742] Data abort info:
[ 29.912560][ T5742]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 29.914068][ T5742]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 29.915475][ T5742]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 29.917010][ T5742] [dfff800000000002] address between user and kernel address ranges
[ 29.918859][ T5742] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
[ 29.920603][ T5742] Modules linked in:
[ 29.921559][ T5742] CPU: 1 PID: 5742 Comm: kworker/u5:1 Tainted: G B W 6.8.0-rc7-syzkaller-g707081b61156 #0
[ 29.924178][ T5742] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 29.926599][ T5742] Workqueue: hci0 hci_rx_work
[ 29.927759][ T5742] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 29.929725][ T5742] pc : bcmp+0x134/0x1c8
[ 29.930782][ T5742] lr : hci_le_create_big_complete_evt+0x214/0x998
[ 29.932387][ T5742] sp : ffff80009e477750
[ 29.933369][ T5742] x29: ffff80009e477760 x28: ffff800091aaa220 x27: 1ffff00013c8eefc
[ 29.935414][ T5742] x26: 0000000000000047 x25: ffff80009e477800 x24: dfff800000000000
[ 29.937287][ T5742] x23: ffff80009e477800 x22: 0000000000000014 x21: 0000000000000014
[ 29.939218][ T5742] x20: ffff80009e477800 x19: 0000000000000006 x18: 1fffe00036804396
[ 29.941296][ T5742] x17: 3d3d3d3d3d3d3d3d x16: ffff80008aca6dc0 x15: ffff700013c8ef00
[ 29.943234][ T5742] x14: 1ffff00013c8ef00 x13: 0000000000000006 x12: ffffffffffffffff
[ 29.945180][ T5742] x11: ffff700013c8ef00 x10: 1ffff00013c8ef00 x9 : 0000000000000004
[ 29.947164][ T5742] x8 : 0000000000000002 x7 : 0000000000000000 x6 : 0000000000000001
[ 29.949204][ T5742] x5 : ffff80009e476fb8 x4 : ffff80008ed822c0 x3 : ffff800089ec650c
[ 29.951125][ T5742] x2 : 0000000000000006 x1 : ffff80009e477800 x0 : 0000000000000014
[ 29.953076][ T5742] Call trace:
[ 29.953950][ T5742]  bcmp+0x134/0x1c8
[ 29.954952][ T5742]  hci_le_create_big_complete_evt+0x214/0x998
[ 29.956569][ T5742]  hci_le_meta_evt+0x2a4/0x478
[ 29.957730][ T5742]  hci_event_packet+0x6f0/0x1094
[ 29.958969][ T5742]  hci_rx_work+0x318/0xa78
[ 29.960049][ T5742]  process_one_work+0x694/0x1204
[ 29.961210][ T5742]  worker_thread+0x938/0xef4
[ 29.962387][ T5742]  kthread+0x288/0x310
[ 29.963381][ T5742]  ret_from_fork+0x10/0x20
[ 29.964574][ T5742] Code: aa1503f6 aa1403f7 d343fea8 12000aa9 (38f86908)
[ 29.966216][ T5742] ---[ end trace 0000000000000000 ]---
[ 30.298090][ T5742] Kernel panic - not syncing: Oops: Fatal exception
[ 30.299803][ T5742] SMP: stopping secondary CPUs
[ 30.301087][ T5742] Kernel Offset: disabled
[ 30.302079][ T5742] CPU features: 0x0,00000081,c0080094,42017203
[ 30.303527][ T5742] Memory Limit: none
[ 30.630000][ T5742] Rebooting in 86400 seconds..