[ 52.864225][ T9] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.890790][ T9] device veth1_macvtap left promiscuous mode
[ 52.898727][ T9] device veth0_macvtap left promiscuous mode
[ 52.905757][ T9] device veth1_vlan left promiscuous mode
[ 52.911872][ T9] device veth0_vlan left promiscuous mode
[ 53.068561][ T9] team0 (unregistering): Port device team_slave_1 removed
[ 53.082567][ T9] team0 (unregistering): Port device team_slave_0 removed
[ 53.100496][ T9] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 53.114507][ T9] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 53.168193][ T9] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.10.52' (ECDSA) to the list of known hosts.
[ 70.620710][ T3597] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 70.629793][ T3597] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 70.638073][ T3597] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 70.647146][ T3597] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 70.656032][ T3597] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 70.663721][ T3597] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 72.695710][ T3606] Bluetooth: hci0: command 0x0409 tx timeout
[ 74.774768][ T918] Bluetooth: hci0: command 0x041b tx timeout
[ 76.296998][ T1132] cfg80211: failed to load regulatory.db
[ 76.854683][ T1132] Bluetooth: hci0: command 0x040f tx timeout
[ 78.934834][ T918] Bluetooth: hci0: command 0x0419 tx timeout
[ 81.014703][ T918] Bluetooth: hci0: command 0x0405 tx timeout
[ 83.094707][ T1132] Bluetooth: hci0: command 0x0405 tx timeout
[ 110.855694][ T1132] ==================================================================
[ 110.864141][ T1132] BUG: KASAN: use-after-free in sco_sock_timeout+0x64/0x290
[ 110.871618][ T1132] Write of size 4 at addr ffff888021031080 by task kworker/0:3/1132
[ 110.879955][ T1132]
[ 110.882360][ T1132] CPU: 0 PID: 1132 Comm: kworker/0:3 Not tainted 5.17.0-rc4-syzkaller-01424-g922ea87ff6f2-dirty #0
[ 110.893464][ T1132] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 110.903779][ T1132] Workqueue: events sco_sock_timeout
[ 110.909091][ T1132] Call Trace:
[ 110.912605][ T1132]
[ 110.915916][ T1132] dump_stack_lvl+0xcd/0x134
[ 110.920794][ T1132] print_address_description.constprop.0.cold+0x8d/0x336
[ 110.928022][ T1132] ? sco_sock_timeout+0x64/0x290
[ 110.933245][ T1132] ? sco_sock_timeout+0x64/0x290
[ 110.938317][ T1132] kasan_report.cold+0x83/0xdf
[ 110.943171][ T1132] ? sco_sock_timeout+0x64/0x290
[ 110.948200][ T1132] kasan_check_range+0x13d/0x180
[ 110.953248][ T1132] sco_sock_timeout+0x64/0x290
[ 110.958113][ T1132] process_one_work+0x9ac/0x1650
[ 110.963339][ T1132] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 110.968739][ T1132] ? rwlock_bug.part.0+0x90/0x90
[ 110.973968][ T1132] ? _raw_spin_lock_irq+0x41/0x50
[ 110.979370][ T1132] worker_thread+0x657/0x1110
[ 110.984302][ T1132] ? process_one_work+0x1650/0x1650
[ 110.989588][ T1132] kthread+0x2e9/0x3a0
[ 110.993752][ T1132] ? kthread_complete_and_exit+0x40/0x40
[ 110.999433][ T1132] ret_from_fork+0x1f/0x30
[ 111.004629][ T1132]
[ 111.007640][ T1132]
[ 111.009966][ T1132] Allocated by task 4058:
[ 111.014290][ T1132] kasan_save_stack+0x1e/0x40
[ 111.019231][ T1132] __kasan_kmalloc+0xa9/0xd0
[ 111.023842][ T1132] sk_prot_alloc+0x110/0x290
[ 111.028629][ T1132] sk_alloc+0x32/0xa80
[ 111.032878][ T1132] sco_sock_alloc.constprop.0+0x31/0x330
[ 111.038678][ T1132] sco_sock_create+0xd5/0x1b0
[ 111.043437][ T1132] bt_sock_create+0x17c/0x340
[ 111.048222][ T1132] __sock_create+0x353/0x790
[ 111.052903][ T1132] __sys_socket+0xef/0x200
[ 111.057314][ T1132] __x64_sys_socket+0x6f/0xb0
[ 111.062104][ T1132] do_syscall_64+0x35/0xb0
[ 111.066603][ T1132] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 111.072587][ T1132]
[ 111.074899][ T1132] Freed by task 4058:
[ 111.078952][ T1132] kasan_save_stack+0x1e/0x40
[ 111.083633][ T1132] kasan_set_track+0x21/0x30
[ 111.088219][ T1132] kasan_set_free_info+0x20/0x30
[ 111.093157][ T1132] ____kasan_slab_free+0x126/0x160
[ 111.098265][ T1132] slab_free_freelist_hook+0x8b/0x1c0
[ 111.104144][ T1132] kfree+0xd0/0x390
[ 111.108034][ T1132] __sk_destruct+0x6c0/0x920
[ 111.112719][ T1132] sk_destruct+0x131/0x180
[ 111.117650][ T1132] __sk_free+0xef/0x3d0
[ 111.121981][ T1132] sk_free+0x78/0xa0
[ 111.126066][ T1132] sco_sock_kill+0x18d/0x1b0
[ 111.130672][ T1132] sco_sock_release+0x197/0x310
[ 111.135524][ T1132] __sock_release+0xcd/0x280
[ 111.140979][ T1132] sock_close+0x18/0x20
[ 111.145213][ T1132] __fput+0x286/0x9f0
[ 111.149208][ T1132] task_work_run+0xdd/0x1a0
[ 111.153794][ T1132] get_signal+0x1de2/0x2490
[ 111.158464][ T1132] arch_do_signal_or_restart+0x2a9/0x1c40
[ 111.164180][ T1132] exit_to_user_mode_prepare+0x17d/0x290
[ 111.169811][ T1132] syscall_exit_to_user_mode+0x19/0x60
[ 111.175283][ T1132] do_syscall_64+0x42/0xb0
[ 111.179782][ T1132] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 111.185857][ T1132]
[ 111.188266][ T1132] The buggy address belongs to the object at ffff888021031000
[ 111.188266][ T1132] which belongs to the cache kmalloc-2k of size 2048
[ 111.202485][ T1132] The buggy address is located 128 bytes inside of
[ 111.202485][ T1132] 2048-byte region [ffff888021031000, ffff888021031800)
[ 111.217234][ T1132] The buggy address belongs to the page:
[ 111.223057][ T1132] page:ffffea0000840c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21030
[ 111.233545][ T1132] head:ffffea0000840c00 order:3 compound_mapcount:0 compound_pincount:0
[ 111.242035][ T1132] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 111.250017][ T1132] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010c42000
[ 111.258592][ T1132] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 111.267427][ T1132] page dumped because: kasan: bad access detected
[ 111.274008][ T1132] page_owner tracks the page as allocated
[ 111.280104][ T1132] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3595, ts 45073525139, free_ts 36261730425
[ 111.300322][ T1132] get_page_from_freelist+0xa72/0x2f50
[ 111.306059][ T1132] __alloc_pages+0x1b2/0x500
[ 111.310745][ T1132] alloc_pages+0x1aa/0x310
[ 111.315150][ T1132] allocate_slab+0x27f/0x3c0
[ 111.319736][ T1132] ___slab_alloc+0xbe1/0x12b0
[ 111.324409][ T1132] __slab_alloc.constprop.0+0x4d/0xa0
[ 111.329778][ T1132] __kmalloc_node_track_caller+0x339/0x470
[ 111.335584][ T1132] pskb_expand_head+0x15e/0x1060
[ 111.340513][ T1132] netlink_trim+0x1ea/0x240
[ 111.345031][ T1132] netlink_broadcast+0x5b/0xd50
[ 111.349873][ T1132] nlmsg_notify+0x8f/0x280
[ 111.354293][ T1132] rtnetlink_event+0x193/0x1d0
[ 111.359339][ T1132] notifier_call_chain+0xb5/0x200
[ 111.364374][ T1132] call_netdevice_notifiers_info+0xb5/0x130
[ 111.370356][ T1132] __netdev_upper_dev_link+0x3fd/0x7f0
[ 111.376260][ T1132] netdev_upper_dev_link+0x8a/0xc0
[ 111.381458][ T1132] page last free stack trace:
[ 111.386272][ T1132] free_pcp_prepare+0x374/0x870
[ 111.391367][ T1132] free_unref_page+0x19/0x690
[ 111.396236][ T1132] __put_page+0x193/0x1e0
[ 111.400582][ T1132] skb_release_data+0x49d/0x790
[ 111.405510][ T1132] __kfree_skb+0x46/0x60
[ 111.409774][ T1132] tcp_recvmsg+0x1ca/0x610
[ 111.414190][ T1132] inet_recvmsg+0x11b/0x5e0
[ 111.418774][ T1132] sock_read_iter+0x33c/0x470
[ 111.423447][ T1132] new_sync_read+0x5c2/0x6e0
[ 111.428030][ T1132] vfs_read+0x35c/0x600
[ 111.432363][ T1132] ksys_read+0x1ee/0x250
[ 111.436781][ T1132] do_syscall_64+0x35/0xb0
[ 111.441199][ T1132] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 111.447083][ T1132]
[ 111.449395][ T1132] Memory state around the buggy address:
[ 111.455019][ T1132] ffff888021030f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 111.463435][ T1132] ffff888021031000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 111.471783][ T1132] >ffff888021031080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 111.479937][ T1132] ^
[ 111.484364][ T1132] ffff888021031100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 111.492602][ T1132] ffff888021031180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 111.500858][ T1132] ==================================================================
[ 111.509018][ T1132] Disabling lock debugging due to kernel taint
[ 111.515375][ T1132] Kernel panic - not syncing: panic_on_warn set ...
[ 111.521951][ T1132] CPU: 0 PID: 1132 Comm: kworker/0:3 Tainted: G B 5.17.0-rc4-syzkaller-01424-g922ea87ff6f2-dirty #0
[ 111.534132][ T1132] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 111.544229][ T1132] Workqueue: events sco_sock_timeout
[ 111.549526][ T1132] Call Trace:
[ 111.552970][ T1132]
[ 111.555912][ T1132] dump_stack_lvl+0xcd/0x134
[ 111.560524][ T1132] panic+0x2b0/0x6dd
[ 111.564424][ T1132] ? __warn_printk+0xf3/0xf3
[ 111.569104][ T1132] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 111.575456][ T1132] ? trace_hardirqs_on+0x38/0x1c0
[ 111.580475][ T1132] ? trace_hardirqs_on+0x51/0x1c0
[ 111.585497][ T1132] ? sco_sock_timeout+0x64/0x290
[ 111.590506][ T1132] ? sco_sock_timeout+0x64/0x290
[ 111.595513][ T1132] end_report.cold+0x63/0x6f
[ 111.600200][ T1132] kasan_report.cold+0x71/0xdf
[ 111.605064][ T1132] ? sco_sock_timeout+0x64/0x290
[ 111.610026][ T1132] kasan_check_range+0x13d/0x180
[ 111.614974][ T1132] sco_sock_timeout+0x64/0x290
[ 111.619738][ T1132] process_one_work+0x9ac/0x1650
[ 111.624758][ T1132] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 111.630124][ T1132] ? rwlock_bug.part.0+0x90/0x90
[ 111.635048][ T1132] ? _raw_spin_lock_irq+0x41/0x50
[ 111.640075][ T1132] worker_thread+0x657/0x1110
[ 111.645017][ T1132] ? process_one_work+0x1650/0x1650
[ 111.650235][ T1132] kthread+0x2e9/0x3a0
[ 111.654305][ T1132] ? kthread_complete_and_exit+0x40/0x40
[ 111.659925][ T1132] ret_from_fork+0x1f/0x30
[ 111.664335][ T1132]
[ 111.667773][ T1132] Kernel Offset: disabled
[ 111.672431][ T1132] Rebooting in 86400 seconds..