./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor276712316 <...> DUID 00:04:98:96:05:40:f2:aa:0a:66:7a:29:c2:20:2e:76:e0:ec forked to background, child pid 3185 [ 27.110424][ T3186] 8021q: adding VLAN 0 to HW filter on device bond0 [ 27.120751][ T3186] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.0.62' (ECDSA) to the list of known hosts. execve("./syz-executor276712316", ["./syz-executor276712316"], 0x7ffe13cf5520 /* 10 vars */) = 0 brk(NULL) = 0x555556c55000 brk(0x555556c55c40) = 0x555556c55c40 arch_prctl(ARCH_SET_FS, 0x555556c55300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x555556c555d0) = 3613 set_robust_list(0x555556c555e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7f2eb653e830, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f2eb653ef00}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f2eb653e8d0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f2eb653ef00}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor276712316", 4096) = 27 brk(0x555556c76c40) = 0x555556c76c40 brk(0x555556c77000) = 0x555556c77000 mprotect(0x7f2eb6600000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3614 attached , child_tidptr=0x555556c555d0) = 3614 [pid 3614] set_robust_list(0x555556c555e0, 24) = 0 [pid 3614] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy) [pid 3614] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 3614] openat(AT_FDCWD, "/dev/vhci", O_RDWR) = 4 [pid 3614] dup2(4, 202) = 202 [pid 3614] close(4) = 0 [pid 3614] read(202, "\xff\x00\x00\x00", 4) = 4 [pid 3614] mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2eb5d2e000 [pid 3614] mprotect(0x7f2eb5d2f000, 8388608, PROT_READ|PROT_WRITE) = 0 [pid 3614] clone(child_stack=0x7f2eb652e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[2], tls=0x7f2eb652e700, child_tidptr=0x7f2eb652e9d0) = 2 [pid 3614] ioctl(3, HCIDEVUP./strace-static-x86_64: Process 3618 attached [pid 3618] set_robust_list(0x7f2eb652e9e0, 24) = 0 [pid 3618] read(202, "\x01\x03\x0c\x00", 1024) = 4 [pid 3618] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3618] read(202, "\x01\x03\x10\x00", 1024) = 4 [pid 3618] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3618] read(202, "\x01\x01\x10\x00", 1024) = 4 [pid 3618] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x01\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3618] read(202, "\x01\x09\x10\x00", 1024) = 4 [pid 3618] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0a", iov_len=2}, {iov_base="\x01\x09\x10", iov_len=3}, {iov_base="\x00\xaa\xaa\xaa\xaa\xaa\xaa", iov_len=7}], 4) = 13 [pid 3618] read(202, "\x01\x05\x10\x00", 1024) = 4 [pid 3618] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0b", iov_len=2}, {iov_base="\x01\x05\x10", iov_len=3}, {iov_base="\x00\xfd\x03\x60\x04\x00\x06\x00", iov_len=8}], 4) = 14 [pid 3618] read(202, "\x01\x23\x0c\x00", 1024) = 4 [pid 3618] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x23\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3618] read(202, "\x01\x14\x0c\x00", 1024) = 4 [pid 3618] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x14\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3618] read(202, "\x01\x25\x0c\x00", 1024) = 4 [pid 3618] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x25\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3618] read(202, "\x01\x38\x0c\x00", 1024) = 4 [pid 3618] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x38\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 syzkaller login: [ 50.090461][ T3616] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 50.098966][ T3616] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 50.108043][ T3616] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 50.117916][ T3616] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 50.127076][ T3616] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3 [pid 3618] read(202, "\x01\x39\x0c\x00", 1024) = 4 [pid 3618] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x39\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3618] read(202, "\x01\x16\x0c\x02\x00\x7d", 1024) = 6 [pid 3618] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x16\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3618] read(202, [pid 3614] <... ioctl resumed>, 0) = -1 EALREADY (Operation already in progress) [pid 3614] ioctl(3, HCISETSCAN [pid 3618] <... read resumed>"\x01\x1a\x0c\x01\x02", 1024) = 5 [pid 3618] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x04", iov_len=2}, {iov_base="\x01\x1a\x0c", iov_len=3}, {iov_base="\x00", iov_len=1}], 4) = 7 [pid 3618] madvise(0x7f2eb5d2e000, 8372224, MADV_DONTNEED [pid 3614] <... ioctl resumed>, 0x7ffc13826b34) = 0 [pid 3614] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x04\x0a", iov_len=2}, {iov_base="\xaa\xaa\xaa\xaa\xaa\x10\x00\x00\x00\x01", iov_len=10}], 3) = 13 [pid 3614] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x03\x0b", iov_len=2}, {iov_base="\x00\xc8\x00\xaa\xaa\xaa\xaa\xaa\x10\x01\x00", iov_len=11}], 3) = 14 [pid 3614] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\v\v", iov_len=2}, {iov_base="\x00\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=11}], 3) = 14 [pid 3614] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x3e\x13", iov_len=2}, {iov_base="\x01\x00\xc9\x00\x01\x00\xaa\xaa\xaa\xaa\xaa\x11\x00\x00\x00\x00\x00\x00\x00", iov_len=19}], 3) = 22 [pid 3614] futex(0x7f2eb652e9d0, FUTEX_WAIT, 2, NULL [pid 3618] <... madvise resumed>) = 0 [pid 3618] exit(0) = ? [pid 3614] <... futex resumed>) = 0 [pid 3614] close(3) = 0 [pid 3618] +++ exited with 0 +++ [pid 3614] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3614] setsid() = 1 [pid 3614] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 3614] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 3614] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 3614] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 3614] prlimit64(0, RLIMIT_CORE, {rlim_cur=0, rlim_max=0}, NULL) = 0 [pid 3614] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 3614] unshare(CLONE_NEWNS) = 0 [pid 3614] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 3614] unshare(CLONE_NEWIPC) = 0 [pid 3614] unshare(CLONE_NEWCGROUP) = 0 [pid 3614] unshare(CLONE_NEWUTS) = 0 [pid 3614] unshare(CLONE_SYSVSEM) = 0 [pid 3614] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3 [pid 3614] write(3, "16777216", 8) = 8 [pid 3614] close(3) = 0 [pid 3614] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3 [pid 3614] write(3, "536870912", 9) = 9 [pid 3614] close(3) = 0 [pid 3614] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3 [pid 3614] write(3, "1024", 4) = 4 [pid 3614] close(3) = 0 [pid 3614] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3 [pid 3614] write(3, "8192", 4) = 4 [pid 3614] close(3) = 0 [pid 3614] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3 [pid 3614] write(3, "1024", 4) = 4 [pid 3614] close(3) = 0 [pid 3614] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3 [pid 3614] write(3, "1024", 4) = 4 [pid 3614] close(3) = 0 [pid 3614] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3 [pid 3614] write(3, "1024 1048576 500 1024", 21) = 21 [pid 3614] close(3) = 0 [pid 3614] getpid() = 1 [pid 3614] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< 2 [pid 3614] unshare(CLONE_NEWNET) = 0 [pid 3614] openat(AT_FDCWD, "/proc/sys/net/ipv4/ping_group_range", O_WRONLY|O_CLOEXEC) = 3 [pid 3614] write(3, "0 65535", 7) = 7 [pid 3614] close(3) = 0 [pid 3614] mkdir("/dev/binderfs", 0777) = 0 [pid 3614] mount("binder", "/dev/binderfs", "binder", 0, NULL) = 0 [pid 3614] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3614] write(202, "\x04\x3e\x1d\x19\x00\xc9\x00\xa2\xfc\xc4\xd6\x6c\x2e\x1a\x21\x96\x83\x25\xa5\x00\x00\x00\x00\x00\x00\x00\xc3\x00\x00\x00\x09\x00", 32) = 32 [pid 3614] write(202, "\x04\x3e\x13\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x50\x0b\x04\x00\xff\x03\x04", 22) = 22 [pid 3614] exit_group(1) = ? [ 50.210721][ T3616] sysfs: cannot create duplicate filename '/devices/virtual/bluetooth/hci0/hci0:201' [ 50.220659][ T3616] CPU: 0 PID: 3616 Comm: kworker/u5:2 Not tainted 6.0.0-rc6-syzkaller-00045-gdc164f4fb00a #0 [ 50.230849][ T3616] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/16/2022 [ 50.240910][ T3616] Workqueue: hci0 hci_rx_work [ 50.245615][ T3616] Call Trace: [ 50.248897][ T3616] [ 50.251823][ T3616] dump_stack_lvl+0xcd/0x134 [ 50.256418][ T3616] sysfs_warn_dup.cold+0x1c/0x29 [ 50.261358][ T3616] sysfs_create_dir_ns+0x233/0x290 [ 50.266472][ T3616] ? sysfs_create_mount_point+0xb0/0xb0 [ 50.272016][ T3616] ? rwlock_bug.part.0+0x90/0x90 [ 50.276952][ T3616] ? do_raw_spin_unlock+0x171/0x230 [ 50.282147][ T3616] kobject_add_internal+0x2c9/0x8f0 [ 50.287428][ T3616] ? kasan_quarantine_put+0x81/0x210 [ 50.292711][ T3616] kobject_add+0x150/0x1c0 [ 50.297157][ T3616] ? kset_create_and_add+0x1a0/0x1a0 [ 50.302439][ T3616] ? kfree_const+0x51/0x60 [ 50.306860][ T3616] ? kfree+0xe2/0x580 [ 50.310861][ T3616] ? rcu_read_lock_sched_held+0x3a/0x70 [ 50.316433][ T3616] device_add+0x368/0x1e90 [ 50.320866][ T3616] ? dev_set_name+0xbb/0xf0 [ 50.325381][ T3616] ? device_initialize+0x540/0x540 [ 50.330507][ T3616] ? __fw_devlink_link_to_suppliers+0x2d0/0x2d0 [ 50.336764][ T3616] ? hci_le_cis_estabilished_evt+0x1ee/0xae0 [ 50.342762][ T3616] ? lock_downgrade+0x6e0/0x6e0 [ 50.347622][ T3616] ? hci_event_packet+0x425/0xfd0 [ 50.352663][ T3616] hci_conn_add_sysfs+0x9b/0x1b0 [ 50.357616][ T3616] hci_le_cis_estabilished_evt+0x57c/0xae0 [ 50.363449][ T3616] ? hci_cc_le_set_random_addr+0x290/0x290 [ 50.369272][ T3616] ? wait_for_completion_io_timeout+0x20/0x20 [ 50.375458][ T3616] hci_le_meta_evt+0x2b8/0x510 [ 50.380256][ T3616] ? hci_cc_le_set_random_addr+0x290/0x290 [ 50.386089][ T3616] hci_event_packet+0x63d/0xfd0 [ 50.390955][ T3616] ? hci_conn_drop+0x2f0/0x2f0 [ 50.395738][ T3616] ? hci_cs_create_conn+0x3a0/0x3a0 [ 50.401123][ T3616] ? kcov_remote_start+0x156/0x7a0 [ 50.406263][ T3616] hci_rx_work+0xae7/0x1230 [ 50.410855][ T3616] process_one_work+0x991/0x1610 [ 50.415906][ T3616] ? pwq_dec_nr_in_flight+0x2a0/0x2a0 [ 50.421297][ T3616] ? rwlock_bug.part.0+0x90/0x90 [ 50.426247][ T3616] ? _raw_spin_lock_irq+0x41/0x50 [ 50.431289][ T3616] worker_thread+0x665/0x1080 [ 50.436075][ T3616] ? __kthread_parkme+0x15f/0x220 [ 50.441113][ T3616] ? process_one_work+0x1610/0x1610 [ 50.446330][ T3616] kthread+0x2e4/0x3a0 [ 50.450438][ T3616] ? kthread_complete_and_exit+0x40/0x40 [ 50.456084][ T3616] ret_from_fork+0x1f/0x30 [ 50.460532][ T3616] [ 50.468910][ T3616] kobject_add_internal failed for hci0:201 with -EEXIST, don't try to register things with the same name in the same directory. [ 50.482321][ T3616] Bluetooth: hci0: failed to register connection device [ 50.490271][ T3616] ================================================================== [ 50.498347][ T3616] BUG: KASAN: use-after-free in __list_add_valid+0xa5/0xb0 [ 50.505553][ T3616] Read of size 8 at addr ffff88807dc87468 by task kworker/u5:2/3616 [ 50.513531][ T3616] [ 50.515841][ T3616] CPU: 0 PID: 3616 Comm: kworker/u5:2 Not tainted 6.0.0-rc6-syzkaller-00045-gdc164f4fb00a #0 [ 50.525977][ T3616] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/16/2022 [ 50.536021][ T3616] Workqueue: hci0 hci_rx_work [ 50.540690][ T3616] Call Trace: [ 50.543957][ T3616] [ 50.546875][ T3616] dump_stack_lvl+0xcd/0x134 [ 50.551461][ T3616] print_report.cold+0x2ba/0x719 [ 50.556393][ T3616] ? __list_add_valid+0xa5/0xb0 [ 50.561235][ T3616] kasan_report+0xb1/0x1e0 [ 50.565652][ T3616] ? __list_add_valid+0xa5/0xb0 [ 50.570497][ T3616] __list_add_valid+0xa5/0xb0 [ 50.575168][ T3616] klist_add_tail+0x158/0x2a0 [ 50.579840][ T3616] device_add+0xcc2/0x1e90 [ 50.584246][ T3616] ? device_initialize+0x540/0x540 [ 50.589433][ T3616] ? __fw_devlink_link_to_suppliers+0x2d0/0x2d0 [ 50.595682][ T3616] ? kfree_skbmem+0xef/0x1b0 [ 50.600285][ T3616] hci_conn_add_sysfs+0x9b/0x1b0 [ 50.605228][ T3616] le_conn_complete_evt+0xf04/0x1560 [ 50.610526][ T3616] ? rcu_read_lock_sched_held+0x3a/0x70 [ 50.616074][ T3616] ? hci_auth_complete_evt+0xfe0/0xfe0 [ 50.621547][ T3616] ? __mutex_lock+0x231/0x1350 [ 50.626317][ T3616] ? kmem_cache_alloc+0x46/0x3b0 [ 50.631267][ T3616] hci_le_conn_complete_evt+0x238/0x340 [ 50.636828][ T3616] ? skb_pull_data+0xf7/0x130 [ 50.641512][ T3616] hci_le_meta_evt+0x2b8/0x510 [ 50.646282][ T3616] ? hci_le_enh_conn_complete_evt+0x350/0x350 [ 50.652361][ T3616] hci_event_packet+0x63d/0xfd0 [ 50.657218][ T3616] ? hci_conn_drop+0x2f0/0x2f0 [ 50.661988][ T3616] ? hci_cs_create_conn+0x3a0/0x3a0 [ 50.667189][ T3616] ? kcov_remote_start+0x156/0x7a0 [ 50.672323][ T3616] hci_rx_work+0xae7/0x1230 [ 50.676841][ T3616] process_one_work+0x991/0x1610 [ 50.681793][ T3616] ? pwq_dec_nr_in_flight+0x2a0/0x2a0 [ 50.687178][ T3616] ? rwlock_bug.part.0+0x90/0x90 [ 50.692120][ T3616] ? _raw_spin_lock_irq+0x41/0x50 [ 50.697153][ T3616] worker_thread+0x665/0x1080 [ 50.701842][ T3616] ? __kthread_parkme+0x15f/0x220 [ 50.706872][ T3616] ? process_one_work+0x1610/0x1610 [ 50.712076][ T3616] kthread+0x2e4/0x3a0 [ 50.716147][ T3616] ? kthread_complete_and_exit+0x40/0x40 [ 50.721881][ T3616] ret_from_fork+0x1f/0x30 [ 50.726315][ T3616] [ 50.729328][ T3616] [ 50.731646][ T3616] Allocated by task 48: [ 50.735797][ T3616] kasan_save_stack+0x1e/0x40 [ 50.740481][ T3616] __kasan_kmalloc+0xa9/0xd0 [ 50.745104][ T3616] device_add+0x1168/0x1e90 [ 50.749610][ T3616] hci_conn_add_sysfs+0x9b/0x1b0 [ 50.754547][ T3616] le_conn_complete_evt+0xf04/0x1560 [ 50.759923][ T3616] hci_le_conn_complete_evt+0x238/0x340 [ 50.765469][ T3616] hci_le_meta_evt+0x2b8/0x510 [ 50.770235][ T3616] hci_event_packet+0x63d/0xfd0 [ 50.775083][ T3616] hci_rx_work+0xae7/0x1230 [ 50.779590][ T3616] process_one_work+0x991/0x1610 [ 50.784532][ T3616] worker_thread+0x665/0x1080 [ 50.789216][ T3616] kthread+0x2e4/0x3a0 [ 50.793285][ T3616] ret_from_fork+0x1f/0x30 [ 50.797705][ T3616] [ 50.800021][ T3616] Freed by task 3616: [ 50.803991][ T3616] kasan_save_stack+0x1e/0x40 [ 50.808671][ T3616] kasan_set_track+0x21/0x30 [ 50.813351][ T3616] kasan_set_free_info+0x20/0x30 [ 50.818290][ T3616] ____kasan_slab_free+0x166/0x1c0 [ 50.823405][ T3616] slab_free_freelist_hook+0x8b/0x1c0 [ 50.828781][ T3616] kfree+0xe2/0x580 [ 50.832600][ T3616] device_add+0x453/0x1e90 [ 50.837017][ T3616] hci_conn_add_sysfs+0x9b/0x1b0 [ 50.841957][ T3616] hci_le_cis_estabilished_evt+0x57c/0xae0 [ 50.847859][ T3616] hci_le_meta_evt+0x2b8/0x510 [ 50.852628][ T3616] hci_event_packet+0x63d/0xfd0 [ 50.857479][ T3616] hci_rx_work+0xae7/0x1230 [ 50.861987][ T3616] process_one_work+0x991/0x1610 [ 50.866935][ T3616] worker_thread+0x665/0x1080 [ 50.871619][ T3616] kthread+0x2e4/0x3a0 [ 50.875689][ T3616] ret_from_fork+0x1f/0x30 [ 50.880109][ T3616] [ 50.882428][ T3616] The buggy address belongs to the object at ffff88807dc87400 [ 50.882428][ T3616] which belongs to the cache kmalloc-512 of size 512 [ 50.896490][ T3616] The buggy address is located 104 bytes inside of [ 50.896490][ T3616] 512-byte region [ffff88807dc87400, ffff88807dc87600) [ 50.909770][ T3616] [ 50.912095][ T3616] The buggy address belongs to the physical page: [ 50.918496][ T3616] page:ffffea0001f72100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7dc84 [ 50.928791][ T3616] head:ffffea0001f72100 order:2 compound_mapcount:0 compound_pincount:0 [ 50.937111][ T3616] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 50.945098][ T3616] raw: 00fff00000010200 0000000000000000 dead000000000001 ffff888011841c80 [ 50.953684][ T3616] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 50.962265][ T3616] page dumped because: kasan: bad access detected [ 50.968672][ T3616] page_owner tracks the page as allocated [ 50.974377][ T3616] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2955, tgid 2955 (S02acpid), ts 14276153074, free_ts 13023768508 [ 50.994638][ T3616] get_page_from_freelist+0x109b/0x2ce0 [ 51.000203][ T3616] __alloc_pages+0x1c7/0x510 [ 51.004821][ T3616] alloc_pages+0x1a6/0x270 [ 51.009254][ T3616] allocate_slab+0x27e/0x3d0 [ 51.013864][ T3616] ___slab_alloc+0x7f1/0xe10 [ 51.018472][ T3616] __slab_alloc.constprop.0+0x4d/0xa0 [ 51.023858][ T3616] __kmalloc+0x32b/0x340 [ 51.028106][ T3616] tomoyo_init_log+0x128a/0x1ed0 [ 51.033137][ T3616] tomoyo_supervisor+0x34d/0xf00 [ 51.038078][ T3616] tomoyo_path_permission+0x270/0x3a0 [ 51.043460][ T3616] tomoyo_check_open_permission+0x33e/0x380 [ 51.049366][ T3616] tomoyo_file_open+0x9d/0xc0 [ 51.054044][ T3616] security_file_open+0x45/0xb0 [ 51.058896][ T3616] do_dentry_open+0x349/0x13a0 [ 51.063671][ T3616] path_openat+0x1c92/0x28f0 [ 51.068441][ T3616] do_filp_open+0x1b6/0x400 [ 51.072949][ T3616] page last free stack trace: [ 51.077613][ T3616] free_pcp_prepare+0x5e4/0xd20 [ 51.082473][ T3616] free_unref_page+0x19/0x4d0 [ 51.087157][ T3616] free_contig_range+0xb1/0x180 [ 51.092023][ T3616] destroy_args+0xa8/0x646 [ 51.096445][ T3616] debug_vm_pgtable+0x2945/0x29d6 [ 51.101473][ T3616] do_one_initcall+0xfe/0x650 [ 51.106157][ T3616] kernel_init_freeable+0x6b1/0x73a [ 51.111363][ T3616] kernel_init+0x1a/0x1d0 [ 51.115692][ T3616] ret_from_fork+0x1f/0x30 [ 51.120117][ T3616] [ 51.122435][ T3616] Memory state around the buggy address: [ 51.128061][ T3616] ffff88807dc87300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 51.136123][ T3616] ffff88807dc87380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 51.144193][ T3616] >ffff88807dc87400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 51.152265][ T3616] ^ [ 51.159715][ T3616] ffff88807dc87480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 51.167777][ T3616] ffff88807dc87500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 51.175833][ T3616] ================================================================== [ 51.184172][ T3616] Kernel panic - not syncing: panic_on_warn set ... [ 51.190868][ T3616] CPU: 0 PID: 3616 Comm: kworker/u5:2 Not tainted 6.0.0-rc6-syzkaller-00045-gdc164f4fb00a #0 [ 51.201134][ T3616] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/16/2022 [ 51.211218][ T3616] Workqueue: hci0 hci_rx_work [ 51.215914][ T3616] Call Trace: [ 51.219282][ T3616] [ 51.222225][ T3616] dump_stack_lvl+0xcd/0x134 [ 51.226872][ T3616] panic+0x2c8/0x627 [ 51.230791][ T3616] ? panic_print_sys_info.part.0+0x10b/0x10b [ 51.236797][ T3616] ? __list_add_valid+0xa5/0xb0 [ 51.241664][ T3616] end_report.part.0+0x3f/0x7c [ 51.246442][ T3616] kasan_report.cold+0xa/0xf [ 51.251049][ T3616] ? __list_add_valid+0xa5/0xb0 [ 51.255918][ T3616] __list_add_valid+0xa5/0xb0 [ 51.260608][ T3616] klist_add_tail+0x158/0x2a0 [ 51.265298][ T3616] device_add+0xcc2/0x1e90 [ 51.269725][ T3616] ? device_initialize+0x540/0x540 [ 51.274842][ T3616] ? __fw_devlink_link_to_suppliers+0x2d0/0x2d0 [ 51.281093][ T3616] ? kfree_skbmem+0xef/0x1b0 [ 51.285699][ T3616] hci_conn_add_sysfs+0x9b/0x1b0 [ 51.290650][ T3616] le_conn_complete_evt+0xf04/0x1560 [ 51.295951][ T3616] ? rcu_read_lock_sched_held+0x3a/0x70 [ 51.301521][ T3616] ? hci_auth_complete_evt+0xfe0/0xfe0 [ 51.307005][ T3616] ? __mutex_lock+0x231/0x1350 [ 51.311816][ T3616] ? kmem_cache_alloc+0x46/0x3b0 [ 51.316857][ T3616] hci_le_conn_complete_evt+0x238/0x340 [ 51.322414][ T3616] ? skb_pull_data+0xf7/0x130 [ 51.327362][ T3616] hci_le_meta_evt+0x2b8/0x510 [ 51.332148][ T3616] ? hci_le_enh_conn_complete_evt+0x350/0x350 [ 51.338230][ T3616] hci_event_packet+0x63d/0xfd0 [ 51.343092][ T3616] ? hci_conn_drop+0x2f0/0x2f0 [ 51.347868][ T3616] ? hci_cs_create_conn+0x3a0/0x3a0 [ 51.353679][ T3616] ? kcov_remote_start+0x156/0x7a0 [ 51.358893][ T3616] hci_rx_work+0xae7/0x1230 [ 51.363592][ T3616] process_one_work+0x991/0x1610 [ 51.368562][ T3616] ? pwq_dec_nr_in_flight+0x2a0/0x2a0 [ 51.374041][ T3616] ? rwlock_bug.part.0+0x90/0x90 [ 51.378998][ T3616] ? _raw_spin_lock_irq+0x41/0x50 [ 51.384053][ T3616] worker_thread+0x665/0x1080 [ 51.388756][ T3616] ? __kthread_parkme+0x15f/0x220 [ 51.393802][ T3616] ? process_one_work+0x1610/0x1610 [ 51.399020][ T3616] kthread+0x2e4/0x3a0 [ 51.403100][ T3616] ? kthread_complete_and_exit+0x40/0x40 [ 51.408745][ T3616] ret_from_fork+0x1f/0x30 [ 51.413192][ T3616] [ 51.416277][ T3616] Kernel Offset: disabled [ 51.421561][ T3616] Rebooting in 86400 seconds..