./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3581092695 <...> Warning: Permanently added '10.128.1.37' (ED25519) to the list of known hosts. execve("./syz-executor3581092695", ["./syz-executor3581092695"], 0x7ffd09d1ccf0 /* 10 vars */) = 0 brk(NULL) = 0x555585584000 brk(0x555585584d40) = 0x555585584d40 arch_prctl(ARCH_SET_FS, 0x5555855843c0) = 0 set_tid_address(0x555585584690) = 295 set_robust_list(0x5555855846a0, 24) = 0 rseq(0x555585584ce0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3581092695", 4096) = 28 getrandom("\xec\xb9\x03\xfa\x80\xde\xa8\xe6", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555585584d40 brk(0x5555855a5d40) = 0x5555855a5d40 brk(0x5555855a6000) = 0x5555855a6000 mprotect(0x7f9155767000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555585584690) = 296 ./strace-static-x86_64: Process 296 attached [pid 296] set_robust_list(0x5555855846a0, 24) = 0 [pid 296] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 296] getppid() = 0 [pid 296] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3 [pid 296] dup2(3, 201) = 201 [pid 296] close(3) = 0 [pid 296] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 296] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 296] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 296] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) 
= 0 [pid 296] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0 [pid 296] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 296] unshare(CLONE_NEWNS) = 0 [pid 296] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 296] unshare(CLONE_NEWIPC) = -1 EINVAL (Invalid argument) [pid 296] unshare(CLONE_NEWCGROUP) = 0 [pid 296] unshare(CLONE_NEWUTS) = 0 [pid 296] unshare(CLONE_SYSVSEM) = 0 [pid 296] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 296] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 296] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 296] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 296] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 296] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 296] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 296] getpid() = 1 [pid 296] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< {parent_tid=[3]}, 88) = 3 [pid 297] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 297] futex(0x7f915576d328, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f915576d32c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 298 attached [pid 298] set_robust_list(0x7f91556a39a0, 24) = 0 [pid 298] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 298] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3 [pid 298] setns(201, 0) = 0 [pid 298] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 4 [pid 298] setns(3, 0) = 0 [pid 298] close(3) = 0 [pid 298] futex(0x7f915576d32c, FUTEX_WAKE_PRIVATE, 1000000 [pid 297] <... 
futex resumed>) = 0 [pid 297] futex(0x7f915576d328, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f915576d32c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 298] <... futex resumed>) = 1 [pid 298] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 3 [pid 298] futex(0x7f915576d32c, FUTEX_WAKE_PRIVATE, 1000000 [pid 297] <... futex resumed>) = 0 [pid 297] futex(0x7f915576d328, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f915576d32c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 298] <... futex resumed>) = 1 [pid 298] ioctl(3, TIOCSETD, [15]) = 0 [pid 298] futex(0x7f915576d32c, FUTEX_WAKE_PRIVATE, 1000000 [pid 297] <... futex resumed>) = 0 [pid 297] futex(0x7f915576d328, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f915576d32c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 298] <... futex resumed>) = 1 [pid 298] ioctl(3, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4), 0) = 0 [pid 298] futex(0x7f915576d32c, FUTEX_WAKE_PRIVATE, 1000000 [pid 297] <... futex resumed>) = 0 [pid 297] futex(0x7f915576d328, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f915576d32c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 298] <... futex resumed>) = 1 [ 23.143275][ T28] audit: type=1400 audit(1733027921.606:68): avc: denied { open } for pid=296 comm="syz-executor358" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 23.166583][ T28] audit: type=1400 audit(1733027921.606:69): avc: denied { mounton } for pid=296 comm="syz-executor358" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [pid 298] ioctl(4, HCISETLINKPOL [pid 297] <... 
futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 297] futex(0x7f915576d32c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [ 23.187891][ T28] audit: type=1400 audit(1733027921.626:70): avc: denied { mounton } for pid=296 comm="syz-executor358" path="/root/syz-tmp" dev="sda1" ino=1927 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 23.210553][ T28] audit: type=1400 audit(1733027921.626:71): avc: denied { mount } for pid=296 comm="syz-executor358" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 23.232409][ T28] audit: type=1400 audit(1733027921.626:72): avc: denied { mounton } for pid=296 comm="syz-executor358" path="/root/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 23.256152][ T28] audit: type=1400 audit(1733027921.636:73): avc: denied { mount } for pid=296 comm="syz-executor358" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 23.278276][ T28] audit: type=1400 audit(1733027921.636:74): avc: denied { mounton } for pid=296 comm="syz-executor358" path="/root/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 23.303267][ T28] audit: type=1400 audit(1733027921.636:75): avc: denied { mounton } for pid=296 comm="syz-executor358" path="/root/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=14331 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [pid 297] close(3 [pid 298] <... ioctl resumed>, 0x200003c0) = -1 ETIMEDOUT (Connection timed out) [pid 298] futex(0x7f915576d32c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] <... 
close resumed>) = 0 [pid 298] futex(0x7f915576d328, FUTEX_WAIT_PRIVATE, 0, NULL [pid 297] close(4) = 0 [pid 297] close(5) = -1 EBADF (Bad file descriptor) [pid 297] close(6) = -1 EBADF (Bad file descriptor) [pid 297] close(7) = -1 EBADF (Bad file descriptor) [pid 297] close(8) = -1 EBADF (Bad file descriptor) [pid 297] close(9) = -1 EBADF (Bad file descriptor) [pid 297] close(10) = -1 EBADF (Bad file descriptor) [pid 297] close(11) = -1 EBADF (Bad file descriptor) [pid 297] close(12) = -1 EBADF (Bad file descriptor) [pid 297] close(13) = -1 EBADF (Bad file descriptor) [pid 297] close(14) = -1 EBADF (Bad file descriptor) [pid 297] close(15) = -1 EBADF (Bad file descriptor) [pid 297] close(16) = -1 EBADF (Bad file descriptor) [pid 297] close(17) = -1 EBADF (Bad file descriptor) [pid 297] close(18) = -1 EBADF (Bad file descriptor) [pid 297] close(19) = -1 EBADF (Bad file descriptor) [pid 297] close(20) = -1 EBADF (Bad file descriptor) [pid 297] close(21) = -1 EBADF (Bad file descriptor) [pid 297] close(22) = -1 EBADF (Bad file descriptor) [pid 297] close(23) = -1 EBADF (Bad file descriptor) [pid 297] close(24) = -1 EBADF (Bad file descriptor) [pid 297] close(25) = -1 EBADF (Bad file descriptor) [pid 297] close(26) = -1 EBADF (Bad file descriptor) [pid 297] close(27) = -1 EBADF (Bad file descriptor) [pid 297] close(28) = -1 EBADF (Bad file descriptor) [pid 297] close(29) = -1 EBADF (Bad file descriptor) [pid 297] exit_group(0 [pid 298] <... futex resumed>) = ? [pid 297] <... exit_group resumed>) = ? [pid 298] +++ exited with 0 +++ [pid 297] +++ exited with 0 +++ [pid 296] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=2, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 296] restart_syscall(<... 
resuming interrupted clone ...>) = 0 [pid 296] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 304 attached , child_tidptr=0x555585584690) = 4 [pid 304] set_robust_list(0x5555855846a0, 24) = 0 [pid 304] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 304] setpgid(0, 0) = 0 [pid 304] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 304] write(3, "1000", 4) = 4 [pid 304] close(3) = 0 executing program [pid 304] write(1, "executing program\n", 18) = 18 [pid 304] futex(0x7f915576d32c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] rt_sigaction(SIGRT_1, {sa_handler=0x7f9155708a60, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f91556fa0e0}, NULL, 8) = 0 [pid 304] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 304] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9155683000 [pid 304] mprotect(0x7f9155684000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 304] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 304] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f91556a3990, parent_tid=0x7f91556a3990, exit_signal=0, stack=0x7f9155683000, stack_size=0x20300, tls=0x7f91556a36c0}./strace-static-x86_64: Process 305 attached => {parent_tid=[5]}, 88) = 5 [pid 304] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 304] futex(0x7f915576d328, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] futex(0x7f915576d32c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 305] set_robust_list(0x7f91556a39a0, 24) = 0 [pid 305] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 305] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3 [pid 305] setns(201, 0) = 0 [pid 305] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 4 [pid 305] setns(3, 0) = 0 [pid 305] close(3) = 0 [pid 305] futex(0x7f915576d32c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 304] <... 
futex resumed>) = 0 [pid 305] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY [pid 304] futex(0x7f915576d328, FUTEX_WAKE_PRIVATE, 1000000 [pid 305] <... openat resumed>) = 3 [pid 304] <... futex resumed>) = 0 [pid 304] futex(0x7f915576d32c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 305] futex(0x7f915576d32c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 304] <... futex resumed>) = 0 [pid 304] futex(0x7f915576d328, FUTEX_WAKE_PRIVATE, 1000000 [pid 305] ioctl(3, TIOCSETD, [15] [pid 304] <... futex resumed>) = 0 [pid 305] <... ioctl resumed>) = 0 [pid 304] futex(0x7f915576d32c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 305] futex(0x7f915576d32c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 304] <... futex resumed>) = 0 [pid 305] ioctl(3, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4) [pid 304] futex(0x7f915576d328, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 305] <... ioctl resumed>, 0) = 0 [pid 305] futex(0x7f915576d32c, FUTEX_WAKE_PRIVATE, 1000000 [pid 304] futex(0x7f915576d32c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 305] <... futex resumed>) = 0 [pid 304] <... 
futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 305] ioctl(4, HCISETLINKPOL [pid 304] futex(0x7f915576d328, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] futex(0x7f915576d32c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 304] futex(0x7f915576d32c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [ 25.268157][ T298] Bluetooth: hci0: Opcode 0x080f failed: -110 [ 25.297029][ T43] Bluetooth: hci0: Frame reassembly failed (-84) [pid 304] close(3) = 0 [pid 304] close(4) = 0 [pid 304] close(5) = -1 EBADF (Bad file descriptor) [pid 304] close(6) = -1 EBADF (Bad file descriptor) [pid 304] close(7) = -1 EBADF (Bad file descriptor) [pid 304] close(8) = -1 EBADF (Bad file descriptor) [pid 304] close(9) = -1 EBADF (Bad file descriptor) [pid 304] close(10) = -1 EBADF (Bad file descriptor) [pid 304] close(11) = -1 EBADF (Bad file descriptor) [pid 304] close(12) = -1 EBADF (Bad file descriptor) [pid 304] close(13) = -1 EBADF (Bad file descriptor) [pid 304] close(14) = -1 EBADF (Bad file descriptor) [pid 304] close(15) = -1 EBADF (Bad file descriptor) [pid 304] close(16) = -1 EBADF (Bad file descriptor) [pid 304] close(17) = -1 EBADF (Bad file descriptor) [pid 304] close(18) = -1 EBADF (Bad file descriptor) [pid 304] close(19) = -1 EBADF (Bad file descriptor) [pid 304] close(20) = -1 EBADF (Bad file descriptor) [pid 304] close(21) = -1 EBADF (Bad file descriptor) [pid 304] close(22) = -1 EBADF (Bad file descriptor) [pid 304] close(23) = -1 EBADF (Bad file descriptor) [pid 304] close(24) = -1 EBADF (Bad file descriptor) [pid 304] close(25) = -1 EBADF (Bad file descriptor) [pid 304] close(26) = -1 EBADF (Bad file descriptor) [pid 304] close(27) = -1 EBADF (Bad file descriptor) [pid 304] close(28) = -1 EBADF (Bad file descriptor) [pid 304] close(29) = -1 EBADF (Bad file descriptor) [pid 304] exit_group(0) = ? [pid 305] <... ioctl resumed> ) = ? 
[pid 305] +++ exited with 0 +++ [pid 304] +++ exited with 0 +++ [pid 296] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 296] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 296] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 308 attached , child_tidptr=0x555585584690) = 6 [pid 308] set_robust_list(0x5555855846a0, 24) = 0 [pid 308] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 308] setpgid(0, 0) = 0 [pid 308] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 308] write(3, "1000", 4) = 4 [pid 308] close(3) = 0 executing program [pid 308] write(1, "executing program\n", 18) = 18 [pid 308] futex(0x7f915576d32c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 308] rt_sigaction(SIGRT_1, {sa_handler=0x7f9155708a60, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f91556fa0e0}, NULL, 8) = 0 [pid 308] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 308] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9155683000 [pid 308] mprotect(0x7f9155684000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 308] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 308] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f91556a3990, parent_tid=0x7f91556a3990, exit_signal=0, stack=0x7f9155683000, stack_size=0x20300, tls=0x7f91556a36c0} => {parent_tid=[7]}, 88) = 7 [pid 308] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 308] futex(0x7f915576d328, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 308] futex(0x7f915576d32c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 309 attached [pid 309] set_robust_list(0x7f91556a39a0, 24) = 0 [pid 309] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 309] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3 
[pid 309] setns(201, 0) = 0 [pid 309] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 4 [pid 309] setns(3, 0) = 0 [pid 309] close(3) = 0 [pid 309] futex(0x7f915576d32c, FUTEX_WAKE_PRIVATE, 1000000 [pid 308] <... futex resumed>) = 0 [pid 308] futex(0x7f915576d328, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 308] futex(0x7f915576d32c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 309] <... futex resumed>) = 1 [pid 309] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 3 [pid 309] futex(0x7f915576d32c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 308] <... futex resumed>) = 0 [pid 309] ioctl(3, TIOCSETD, [15] [pid 308] futex(0x7f915576d328, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 308] futex(0x7f915576d32c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 309] <... ioctl resumed>) = 0 [pid 309] futex(0x7f915576d32c, FUTEX_WAKE_PRIVATE, 1000000 [pid 308] <... futex resumed>) = 0 [pid 308] futex(0x7f915576d328, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 308] futex(0x7f915576d32c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 309] <... futex resumed>) = 1 [pid 309] ioctl(3, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4), 0) = 0 [pid 309] futex(0x7f915576d32c, FUTEX_WAKE_PRIVATE, 1000000 [pid 308] <... futex resumed>) = 0 [pid 308] futex(0x7f915576d328, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 308] futex(0x7f915576d32c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 309] <... futex resumed>) = 1 [ 27.348173][ T301] Bluetooth: hci0: command 0x1003 tx timeout [ 27.348173][ T45] Bluetooth: hci0: Opcode 0x1003 failed: -110 [ 27.360090][ T305] Bluetooth: hci0: Opcode 0x080f failed: -22 [ 27.383320][ T45] ================================================================== [ 27.387614][ T43] Bluetooth: hci0: Frame reassembly failed (-84) [pid 309] ioctl(4, HCISETLINKPOL [pid 308] <... 
futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 308] futex(0x7f915576d32c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [ 27.391318][ T45] BUG: KASAN: use-after-free in enqueue_timer+0xa6/0x480 [ 27.404560][ T45] Write of size 8 at addr ffff888109fb0a00 by task kworker/u5:0/45 [ 27.412278][ T45] [ 27.414577][ T45] CPU: 0 PID: 45 Comm: kworker/u5:0 Not tainted 6.1.115-syzkaller-00041-ga887a44ace2a #0 [ 27.424196][ T45] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 27.434090][ T45] Workqueue: hci0 hci_power_on [ 27.438693][ T45] Call Trace: [ 27.441823][ T45] <TASK> [ 27.444683][ T45] dump_stack_lvl+0x151/0x1b7 [ 27.449198][ T45] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 27.454483][ T45] ? _printk+0xd1/0x111 [ 27.458482][ T45] ? __virt_addr_valid+0x242/0x2f0 [ 27.463422][ T45] print_report+0x158/0x4e0 [ 27.467773][ T45] ? __virt_addr_valid+0x242/0x2f0 [ 27.472722][ T45] ? kasan_complete_mode_report_info+0x90/0x1b0 [ 27.478784][ T45] ? enqueue_timer+0xa6/0x480 [ 27.483295][ T45] kasan_report+0x13c/0x170 [ 27.487639][ T45] ? enqueue_timer+0xa6/0x480 [ 27.492153][ T45] __asan_report_store8_noabort+0x17/0x20 [ 27.497726][ T45] enqueue_timer+0xa6/0x480 [ 27.502162][ T45] __mod_timer+0x8d3/0xcf0 [ 27.506412][ T45] ? mod_timer_pending+0x30/0x30 [ 27.511186][ T45] ? insert_work+0x283/0x310 [ 27.515614][ T45] ? __kasan_check_write+0x14/0x20 [ 27.520555][ T45] ? _raw_spin_lock_irqsave+0xf9/0x210 [ 27.525850][ T45] schedule_timeout+0x187/0x380 [ 27.530538][ T45] ? console_conditional_schedule+0x10/0x10 [ 27.536261][ T45] ? queue_work_on+0x135/0x170 [ 27.540865][ T45] ? update_process_times+0x1b0/0x1b0 [ 27.546071][ T45] ? prepare_to_wait_event+0x3e6/0x420 [ 27.551382][ T45] __hci_cmd_sync_sk+0x2ad/0xf70 [ 27.556144][ T45] ? eir_get_service_data+0x2e0/0x2e0 [ 27.561347][ T45] ? wake_bit_function+0x230/0x230 [ 27.566295][ T45] ? 
__kasan_check_read+0x11/0x20 [ 27.571170][ T45] hci_dev_open_sync+0x1314/0x30a0 [ 27.576201][ T45] ? update_load_avg+0x513/0x1530 [ 27.581057][ T45] ? hci_reset_sync+0x100/0x100 [ 27.585742][ T45] ? __switch_to+0x62c/0x1190 [ 27.590269][ T45] ? __kasan_check_write+0x14/0x20 [ 27.595199][ T45] ? mutex_lock+0xb1/0x1e0 [ 27.599450][ T45] ? bit_wait_io_timeout+0x120/0x120 [ 27.604569][ T45] ? kthread_data+0x53/0xc0 [ 27.608910][ T45] hci_power_on+0x1a7/0x5e0 [ 27.613252][ T45] ? hci_tx_work+0x3790/0x3790 [ 27.617852][ T45] ? __schedule+0xcbd/0x1560 [ 27.622277][ T45] process_one_work+0x73d/0xcb0 [ 27.626964][ T45] worker_thread+0xa60/0x1260 [ 27.631478][ T45] kthread+0x26d/0x300 [ 27.635381][ T45] ? worker_clr_flags+0x1a0/0x1a0 [ 27.640241][ T45] ? kthread_blkcg+0xd0/0xd0 [ 27.644671][ T45] ret_from_fork+0x1f/0x30 [ 27.648924][ T45] </TASK> [ 27.651785][ T45] [ 27.653954][ T45] Allocated by task 305: [ 27.658037][ T45] kasan_set_track+0x4b/0x70 [ 27.662546][ T45] kasan_save_alloc_info+0x1f/0x30 [ 27.667494][ T45] __kasan_kmalloc+0x9c/0xb0 [ 27.671923][ T45] __kmalloc+0xb4/0x1e0 [ 27.675912][ T45] hci_alloc_dev_priv+0x27/0x1c00 [ 27.680775][ T45] hci_uart_tty_ioctl+0x401/0xa70 [ 27.685635][ T45] tty_ioctl+0x903/0xc50 [ 27.689713][ T45] __se_sys_ioctl+0x114/0x190 [ 27.694226][ T45] __x64_sys_ioctl+0x7b/0x90 [ 27.698652][ T45] x64_sys_call+0x98/0x9a0 [ 27.702909][ T45] do_syscall_64+0x3b/0xb0 [ 27.707269][ T45] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 27.712997][ T45] [ 27.715163][ T45] Freed by task 305: [ 27.718900][ T45] kasan_set_track+0x4b/0x70 [ 27.723325][ T45] kasan_save_free_info+0x2b/0x40 [ 27.728186][ T45] ____kasan_slab_free+0x131/0x180 [ 27.733132][ T45] __kasan_slab_free+0x11/0x20 [ 27.737735][ T45] __kmem_cache_free+0x21d/0x410 [ 27.742507][ T45] kfree+0x7a/0xf0 [ 27.746064][ T45] hci_release_dev+0x14d3/0x1640 [ 27.750837][ T45] bt_host_release+0x83/0xa0 [ 27.755263][ T45] device_release+0x95/0x1c0 [ 27.759778][ T45] kobject_put+0x178/0x260 [ 27.764031][ T45] 
put_device+0x1f/0x30 [ 27.768026][ T45] hci_dev_cmd+0x2be/0x9b0 [ 27.772275][ T45] hci_sock_ioctl+0x415/0x7f0 [ 27.776788][ T45] sock_do_ioctl+0x152/0x450 [ 27.781217][ T45] sock_ioctl+0x455/0x740 [ 27.785557][ T45] __se_sys_ioctl+0x114/0x190 [ 27.790073][ T45] __x64_sys_ioctl+0x7b/0x90 [ 27.794493][ T45] x64_sys_call+0x98/0x9a0 [ 27.798748][ T45] do_syscall_64+0x3b/0xb0 [ 27.803001][ T45] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 27.808731][ T45] [ 27.810903][ T45] Last potentially related work creation: [ 27.816454][ T45] kasan_save_stack+0x3b/0x60 [ 27.820968][ T45] __kasan_record_aux_stack+0xb4/0xc0 [ 27.826174][ T45] kasan_record_aux_stack_noalloc+0xb/0x10 [ 27.831842][ T45] insert_work+0x56/0x310 [ 27.835983][ T45] __queue_work+0x9b6/0xd70 [ 27.840323][ T45] queue_work_on+0x105/0x170 [ 27.844769][ T45] __hci_cmd_sync_sk+0xc2a/0xf70 [ 27.849522][ T45] hci_cmd_sync_status+0x52/0x130 [ 27.854383][ T45] hci_dev_cmd+0x771/0x9b0 [ 27.858637][ T45] hci_sock_ioctl+0x415/0x7f0 [ 27.863149][ T45] sock_do_ioctl+0x152/0x450 [ 27.867577][ T45] sock_ioctl+0x455/0x740 [ 27.871743][ T45] __se_sys_ioctl+0x114/0x190 [ 27.876258][ T45] __x64_sys_ioctl+0x7b/0x90 [ 27.880686][ T45] x64_sys_call+0x98/0x9a0 [ 27.884970][ T45] do_syscall_64+0x3b/0xb0 [ 27.889189][ T45] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 27.894937][ T45] [ 27.897087][ T45] Second to last potentially related work creation: [ 27.903513][ T45] kasan_save_stack+0x3b/0x60 [ 27.908025][ T45] __kasan_record_aux_stack+0xb4/0xc0 [ 27.913238][ T45] kasan_record_aux_stack_noalloc+0xb/0x10 [ 27.918969][ T45] insert_work+0x56/0x310 [ 27.923143][ T45] __queue_work+0x9b6/0xd70 [ 27.927469][ T45] queue_work_on+0x105/0x170 [ 27.931894][ T45] hci_cmd_timeout+0x199/0x200 [ 27.936495][ T45] process_one_work+0x73d/0xcb0 [ 27.941179][ T45] worker_thread+0xa60/0x1260 [ 27.945691][ T45] kthread+0x26d/0x300 [ 27.949600][ T45] ret_from_fork+0x1f/0x30 [ 27.953849][ T45] [ 27.956020][ T45] The buggy address belongs to the object at 
ffff888109fb0000 [ 27.956020][ T45] which belongs to the cache kmalloc-8k of size 8192 [ 27.969908][ T45] The buggy address is located 2560 bytes inside of [ 27.969908][ T45] 8192-byte region [ffff888109fb0000, ffff888109fb2000) [ 27.983185][ T45] [ 27.985365][ T45] The buggy address belongs to the physical page: [ 27.991606][ T45] page:ffffea000427ec00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109fb0 [ 28.001674][ T45] head:ffffea000427ec00 order:3 compound_mapcount:0 compound_pincount:0 [ 28.009832][ T45] flags: 0x4000000000010200(slab|head|zone=1) [ 28.015754][ T45] raw: 4000000000010200 dead000000000100 dead000000000122 ffff888100043500 [ 28.024160][ T45] raw: 0000000000000000 0000000000020002 00000001ffffffff 0000000000000000 [ 28.032575][ T45] page dumped because: kasan: bad access detected [ 28.038830][ T45] page_owner tracks the page as allocated [ 28.044377][ T45] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 2035218338, free_ts 0 [ 28.063823][ T45] post_alloc_hook+0x213/0x220 [ 28.068458][ T45] prep_new_page+0x1b/0x110 [ 28.072758][ T45] get_page_from_freelist+0x2980/0x2a10 [ 28.078141][ T45] __alloc_pages+0x234/0x610 [ 28.082563][ T45] alloc_slab_page+0x6c/0xf0 [ 28.087013][ T45] new_slab+0x90/0x3e0 [ 28.090985][ T45] ___slab_alloc+0x6f9/0xb80 [ 28.095415][ T45] __slab_alloc+0x5d/0xa0 [ 28.099601][ T45] __kmem_cache_alloc_node+0x207/0x2a0 [ 28.104887][ T45] __kmalloc+0xa3/0x1e0 [ 28.108865][ T45] acpi_ut_initialize_buffer+0x1dd/0x2d0 [ 28.114332][ T45] acpi_rs_create_pci_routing_table+0x112/0xa40 [ 28.120406][ T45] acpi_rs_get_prt_method_data+0xe4/0x140 [ 28.125959][ T45] acpi_get_irq_routing_table+0xac/0xd0 [ 28.131430][ T45] acpi_pci_irq_find_prt_entry+0x167/0xc80 [ 28.137071][ T45] acpi_pci_irq_lookup+0xb1/0x5f0 [ 28.141932][ T45] page_owner free stack trace missing [ 28.147141][ T45] [ 28.149329][ 
T45] Memory state around the buggy address: [ 28.154781][ T45] ffff888109fb0900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.162676][ T45] ffff888109fb0980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.170576][ T45] >ffff888109fb0a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.178483][ T45] ^ [ 28.182384][ T45] ffff888109fb0a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.190280][ T45] ffff888109fb0b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.198172][ T45] ================================================================== [ 28.206080][ T45] Disabling lock debugging due to kernel taint [ 29.428191][ C0] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN [ 29.428752][ T45] Bluetooth: hci0: Opcode 0x1003 failed: -110 [ 29.439721][ C0] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 29.439737][ C0] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 6.1.115-syzkaller-00041-ga887a44ace2a #0 [ 29.439759][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 29.439769][ C0] RIP: 0010:__queue_work+0x4f1/0xd70 [ 29.479837][ C0] Code: 39 03 0f 84 40 01 00 00 e8 0c 6c 2a 00 4c 89 e7 e8 d4 73 d6 03 49 bd 00 00 00 00 00 fc ff df 4c 8b 65 d0 4c 89 f0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 f7 e8 d0 da 71 00 49 8b 3e e8 88 6c d6 [ 29.499795][ C0] RSP: 0018:ffffc90000007c78 EFLAGS: 00010046 [ 29.505696][ C0] RAX: 0000000000000000 RBX: 000000007fffffff RCX: ffffffff8701d4c0 [ 29.513504][ C0] RDX: 0000000000000100 RSI: 000000007fffffff RDI: 000000007fffffff [ 29.521318][ C0] RBP: ffffc90000007d00 R08: ffffffff814b185b R09: 0000000000000007 [ 29.529127][ C0] R10: ffffffffffffffff R11: dffffc0000000001 R12: ffff888109fb09c8 [ 29.536937][ C0] R13: dffffc0000000000 R14: 0000000000000000 R15: ffff888109fb09e0 [ 29.544752][ C0] FS: 0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 [ 29.553517][ C0] CS: 
0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 29.559944][ C0] CR2: 0000555585584690 CR3: 0000000124aa9000 CR4: 00000000003506b0 [ 29.567782][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 29.575573][ C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 29.583377][ C0] Call Trace: [ 29.586504][ C0] <IRQ> [ 29.589193][ C0] ? __die_body+0x62/0xb0 [ 29.593359][ C0] ? die_addr+0x9f/0xd0 [ 29.597348][ C0] ? exc_general_protection+0x317/0x4c0 [ 29.602743][ C0] ? ttwu_do_wakeup+0xe5/0x430 [ 29.607332][ C0] ? asm_exc_general_protection+0x27/0x30 [ 29.612887][ C0] ? __queue_work+0x28b/0xd70 [ 29.617396][ C0] ? __queue_work+0x4f1/0xd70 [ 29.621914][ C0] ? __queue_work+0x29c/0xd70 [ 29.626425][ C0] delayed_work_timer_fn+0x61/0x80 [ 29.631372][ C0] ? queue_work_node+0x1d0/0x1d0 [ 29.636145][ C0] call_timer_fn+0x3b/0x2d0 [ 29.640486][ C0] ? queue_work_node+0x1d0/0x1d0 [ 29.645260][ C0] __run_timers+0x756/0xa10 [ 29.649628][ C0] ? calc_index+0x270/0x270 [ 29.653944][ C0] ? sched_clock+0x9/0x10 [ 29.658107][ C0] ? sched_clock_cpu+0x71/0x2b0 [ 29.662795][ C0] run_timer_softirq+0x69/0xf0 [ 29.667399][ C0] handle_softirqs+0x1db/0x650 [ 29.671996][ C0] ? 
irqtime_account_irq+0xdc/0x260 [ 29.677040][ C0] __irq_exit_rcu+0x52/0xf0 [ 29.681369][ C0] irq_exit_rcu+0x9/0x10 [ 29.685445][ C0] sysvec_apic_timer_interrupt+0xa9/0xc0 [ 29.690930][ C0] </IRQ> [ 29.693689][ C0] <TASK> [ 29.696466][ C0] asm_sysvec_apic_timer_interrupt+0x1b/0x20 [ 29.702284][ C0] RIP: 0010:acpi_idle_enter+0x416/0x760 [ 29.707668][ C0] Code: 89 de 48 83 e6 08 31 ff e8 27 1c 54 fc 48 83 e3 08 0f 85 b1 00 00 00 0f 1f 44 00 00 e8 d3 17 54 fc 0f 00 2d 7c e8 ce 00 fb f4 e9 e3 00 00 00 49 83 c7 04 4c 89 f8 48 c1 e8 03 42 0f b6 04 30 [ 29.727203][ C0] RSP: 0018:ffffffff87007bd0 EFLAGS: 000002d3 [ 29.733109][ C0] RAX: ffffffff85216edd RBX: 0000000000000000 RCX: ffffffff8701d4c0 [ 29.740910][ C0] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 29.748722][ C0] RBP: ffffffff87007c10 R08: ffffffff85216ec9 R09: fffffbfff0e03a99 [ 29.756529][ C0] R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000001 [ 29.764339][ C0] R13: ffff888109f13004 R14: dffffc0000000000 R15: ffff888109a57064 [ 29.772154][ C0] ? acpi_idle_enter+0x3f9/0x760 [ 29.776925][ C0] ? acpi_idle_enter+0x40d/0x760 [ 29.781702][ C0] ? intel_idle_xstate+0xa0/0xa0 [ 29.786474][ C0] cpuidle_enter_state+0x5eb/0x17f0 [ 29.791509][ C0] ? cpuidle_enter_s2idle+0x600/0x600 [ 29.796716][ C0] ? menu_enable_device+0x380/0x380 [ 29.801755][ C0] ? __sched_text_start+0x8/0x8 [ 29.806436][ C0] cpuidle_enter+0x5f/0xa0 [ 29.810689][ C0] do_idle+0x3d1/0x580 [ 29.814593][ C0] ? idle_inject_timer_fn+0x60/0x60 [ 29.819630][ C0] ? radix_tree_lookup+0x23a/0x290 [ 29.824576][ C0] ? debug_smp_processor_id+0x17/0x20 [ 29.829796][ C0] cpu_startup_entry+0x44/0x60 [ 29.834382][ C0] rest_init+0x10b/0x130 [ 29.838461][ C0] ? 
time_init+0x38/0x38 [ 29.842541][ C0] arch_call_rest_init+0xe/0xe [ 29.847142][ C0] start_kernel+0x46c/0x4d8 [ 29.851481][ C0] x86_64_start_reservations+0x2a/0x2c [ 29.856781][ C0] x86_64_start_kernel+0x7c/0x81 [ 29.861671][ C0] secondary_startup_64_no_verify+0xce/0xdb [ 29.867371][ C0] </TASK> [ 29.870231][ C0] Modules linked in: [ 29.873964][ C0] ---[ end trace 0000000000000000 ]--- [ 29.879256][ C0] RIP: 0010:__queue_work+0x4f1/0xd70 [ 29.884377][ C0] Code: 39 03 0f 84 40 01 00 00 e8 0c 6c 2a 00 4c 89 e7 e8 d4 73 d6 03 49 bd 00 00 00 00 00 fc ff df 4c 8b 65 d0 4c 89 f0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 f7 e8 d0 da 71 00 49 8b 3e e8 88 6c d6 [ 29.903820][ C0] RSP: 0018:ffffc90000007c78 EFLAGS: 00010046 [ 29.909723][ C0] RAX: 0000000000000000 RBX: 000000007fffffff RCX: ffffffff8701d4c0 [ 29.917530][ C0] RDX: 0000000000000100 RSI: 000000007fffffff RDI: 000000007fffffff [ 29.925345][ C0] RBP: ffffc90000007d00 R08: ffffffff814b185b R09: 0000000000000007 [ 29.933153][ C0] R10: ffffffffffffffff R11: dffffc0000000001 R12: ffff888109fb09c8 [ 29.940965][ C0] R13: dffffc0000000000 R14: 0000000000000000 R15: ffff888109fb09e0 [ 29.948780][ C0] FS: 0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 [ 29.957548][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 29.963976][ C0] CR2: 0000555585584690 CR3: 0000000124aa9000 CR4: 00000000003506b0 [ 29.971789][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 29.979589][ C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 29.987487][ C0] Kernel panic - not syncing: Fatal exception in interrupt [ 29.994946][ C0] Kernel Offset: disabled [ 29.999075][ C0] Rebooting in 86400 seconds..