./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor4173586720 <...> [ 12.750954][ T28] audit: type=1400 audit(1733083939.449:64): avc: denied { rlimitinh } for pid=225 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 12.756131][ T28] audit: type=1400 audit(1733083939.449:65): avc: denied { siginh } for pid=225 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 16.305850][ T236] sshd (236) used greatest stack depth: 21416 bytes left Warning: Permanently added '10.128.0.208' (ED25519) to the list of known hosts. execve("./syz-executor4173586720", ["./syz-executor4173586720"], 0x7ffd0e4cd870 /* 10 vars */) = 0 brk(NULL) = 0x55556236c000 brk(0x55556236cd00) = 0x55556236cd00 arch_prctl(ARCH_SET_FS, 0x55556236c380) = 0 set_tid_address(0x55556236c650) = 295 set_robust_list(0x55556236c660, 24) = 0 rseq(0x55556236cca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor4173586720", 4096) = 28 getrandom("\x65\xba\xe7\xbf\x1c\xdc\xc6\x51", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55556236cd00 brk(0x55556238dd00) = 0x55556238dd00 brk(0x55556238e000) = 0x55556238e000 mprotect(0x7f30cb88f000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556236c650) = 296 ./strace-static-x86_64: Process 296 attached [pid 295] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 296] set_robust_list(0x55556236c660, 24) = 0 [pid 296] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 297 attached [pid 295] <... clone resumed>, child_tidptr=0x55556236c650) = 297 [pid 295] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 297] set_robust_list(0x55556236c660, 24 [pid 296] <... clone resumed>, child_tidptr=0x55556236c650) = 298 [pid 297] <... set_robust_list resumed>) = 0 [pid 295] <... clone resumed>, child_tidptr=0x55556236c650) = 299 ./strace-static-x86_64: Process 299 attached [pid 295] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 297] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 298 attached [pid 299] set_robust_list(0x55556236c660, 24) = 0 [pid 299] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 295] <... clone resumed>, child_tidptr=0x55556236c650) = 300 [pid 298] set_robust_list(0x55556236c660, 24 [pid 297] <... clone resumed>, child_tidptr=0x55556236c650) = 301 [pid 295] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 298] <... set_robust_list resumed>) = 0 [pid 299] <... clone resumed>, child_tidptr=0x55556236c650) = 302 [pid 295] <... clone resumed>, child_tidptr=0x55556236c650) = 303 [pid 298] prctl(PR_SET_PDEATHSIG, SIGKILL./strace-static-x86_64: Process 303 attached ./strace-static-x86_64: Process 300 attached ) = 0 [pid 300] set_robust_list(0x55556236c660, 24 [pid 298] setpgid(0, 0./strace-static-x86_64: Process 301 attached [pid 303] set_robust_list(0x55556236c660, 24 [pid 300] <... set_robust_list resumed>) = 0 [pid 298] <... setpgid resumed>) = 0 ./strace-static-x86_64: Process 302 attached [pid 303] <... set_robust_list resumed>) = 0 [pid 300] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 298] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 303] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 301] set_robust_list(0x55556236c660, 24) = 0 [pid 301] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 301] setpgid(0, 0) = 0 [pid 301] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 298] <... openat resumed>) = 3 [pid 301] write(3, "1000", 4) = 4 [pid 301] close(3 [pid 300] <... clone resumed>, child_tidptr=0x55556236c650) = 304 [pid 298] write(3, "1000", 4 [pid 303] <... clone resumed>, child_tidptr=0x55556236c650) = 305 [pid 302] set_robust_list(0x55556236c660, 24 [pid 298] <... write resumed>) = 4 [pid 302] <... set_robust_list resumed>) = 0 [pid 301] <... close resumed>) = 0 [pid 298] close(3 [pid 301] write(1, "executing program\n", 18 [pid 298] <... close resumed>) = 0 [pid 302] prctl(PR_SET_PDEATHSIG, SIGKILL executing program executing program [pid 298] write(1, "executing program\n", 18./strace-static-x86_64: Process 304 attached ) = 18 [pid 301] <... write resumed>) = 18 [pid 298] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI [pid 301] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI./strace-static-x86_64: Process 305 attached [pid 304] set_robust_list(0x55556236c660, 24 [pid 302] <... prctl resumed>) = 0 [pid 301] <... socket resumed>) = 3 [pid 298] <... socket resumed>) = 3 [pid 302] setpgid(0, 0 [pid 298] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY [pid 302] <... setpgid resumed>) = 0 [pid 298] <... openat resumed>) = 4 [pid 302] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 298] ioctl(4, TIOCSETD, [15] [pid 302] <... openat resumed>) = 3 [pid 298] <... ioctl resumed>) = 0 [pid 302] write(3, "1000", 4 [pid 301] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY [pid 298] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4) [pid 302] <... write resumed>) = 4 [pid 301] <... openat resumed>) = 4 [pid 298] <... ioctl resumed>, 0) = 0 [pid 302] close(3 [pid 298] ioctl(3, HCISETLINKPOL [pid 302] <... close resumed>) = 0 [pid 301] ioctl(4, TIOCSETD, [15]executing program [pid 302] write(1, "executing program\n", 18 [pid 301] <... ioctl resumed>) = 0 [pid 302] <... write resumed>) = 18 [pid 302] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI [pid 301] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4) [pid 304] <... set_robust_list resumed>) = 0 [pid 302] <... socket resumed>) = 3 [pid 304] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 302] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY [pid 304] <... prctl resumed>) = 0 [pid 302] <... openat resumed>) = 4 [pid 301] <... ioctl resumed>, 0) = 0 [pid 304] setpgid(0, 0 [pid 302] ioctl(4, TIOCSETD, [15] [pid 301] ioctl(3, HCISETLINKPOL [pid 304] <... setpgid resumed>) = 0 [pid 302] <... ioctl resumed>) = 0 [pid 304] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 302] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4) [pid 304] <... openat resumed>) = 3 [pid 302] <... ioctl resumed>, 0) = 0 [pid 304] write(3, "1000", 4 [pid 302] ioctl(3, HCISETLINKPOL [pid 304] <... write resumed>) = 4 [pid 304] close(3) = 0 [pid 304] write(1, "executing program\n", 18executing program ) = 18 [pid 304] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 304] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 4 [pid 304] ioctl(4, TIOCSETD, [15]) = 0 [pid 304] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4), 0) = 0 [pid 304] ioctl(3, HCISETLINKPOL [pid 305] set_robust_list(0x55556236c660, 24) = 0 [pid 305] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [ 22.171925][ T28] audit: type=1400 audit(1733083948.889:66): avc: denied { execmem } for pid=295 comm="syz-executor417" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 22.199182][ T28] audit: type=1400 audit(1733083948.919:67): avc: denied { create } for pid=301 comm="syz-executor417" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [pid 305] setpgid(0, 0) = 0 [pid 305] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 305] write(3, "1000", 4) = 4 [pid 305] close(3) = 0 executing program [pid 305] write(1, "executing program\n", 18) = 18 [pid 305] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 305] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 4 [pid 305] ioctl(4, TIOCSETD, [15]) = 0 [pid 305] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4), 0) = 0 [ 22.224072][ T28] audit: type=1400 audit(1733083948.919:68): avc: denied { create } for pid=298 comm="syz-executor417" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 22.242687][ T8] Bluetooth: hci1: Frame reassembly failed (-84) [ 22.244326][ T28] audit: type=1400 audit(1733083948.919:69): avc: denied { ioctl } for pid=298 comm="syz-executor417" path="socket:[13200]" dev="sockfs" ino=13200 ioctlcmd=0x48e1 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 22.250647][ T43] Bluetooth: hci2: Frame reassembly failed (-84) [ 22.275793][ T8] Bluetooth: hci3: Frame reassembly failed (-84) [ 22.282133][ T10] Bluetooth: hci4: Frame reassembly failed (-84) [pid 305] ioctl(3, HCISETLINKPOL [pid 298] <... ioctl resumed>, 0x200003c0) = -1 ETIMEDOUT (Connection timed out) [pid 298] exit_group(0) = ? [ 24.217812][ T298] Bluetooth: hci0: Opcode 0x080f failed: -110 [ 24.297839][ T316] Bluetooth: hci4: command 0x1003 tx timeout [ 24.297886][ T312] Bluetooth: hci3: Opcode 0x1003 failed: -110 [ 24.303663][ T316] Bluetooth: hci3: command 0x1003 tx timeout [ 24.303682][ T316] Bluetooth: hci1: command 0x1003 tx timeout [ 24.309593][ T311] Bluetooth: hci2: Opcode 0x1003 failed: -110 [ 24.309679][ T309] Bluetooth: hci1: Opcode 0x1003 failed: -110 [ 24.315381][ T313] Bluetooth: hci4: Opcode 0x1003 failed: -110 [pid 301] <... ioctl resumed>, 0x200003c0) = -1 ETIMEDOUT (Connection timed out) [pid 301] exit_group(0) = ? [pid 301] +++ exited with 0 +++ [pid 297] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=301, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 297] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 297] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556236c650) = 323 ./strace-static-x86_64: Process 323 attached [pid 323] set_robust_list(0x55556236c660, 24) = 0 [pid 323] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 323] setpgid(0, 0) = 0 [pid 323] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 323] write(3, "1000", 4) = 4 [pid 323] close(3) = 0 [pid 323] write(1, "executing program\n", 18executing program ) = 18 [pid 323] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 323] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 4 [pid 323] ioctl(4, TIOCSETD, [15]) = 0 [ 26.297771][ T301] Bluetooth: hci0: Opcode 0x080f failed: -110 [pid 323] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4), 0) = 0 [pid 323] ioctl(3, HCISETLINKPOL, 0x200003c0) = -1 ENODEV (No such device) [pid 323] exit_group(0) = ? [ 26.352540][ T10] Bluetooth: hci1: Frame reassembly failed (-84) [pid 303] kill(-305, SIGKILL [pid 300] kill(-304, SIGKILL [pid 299] kill(-302, SIGKILL [pid 296] kill(-298, SIGKILL [pid 300] <... kill resumed>) = 0 [pid 300] kill(304, SIGKILL) = 0 [pid 303] <... kill resumed>) = 0 [pid 303] kill(305, SIGKILL) = 0 [pid 299] <... kill resumed>) = 0 [pid 299] kill(302, SIGKILL) = 0 [pid 296] <... kill resumed>) = 0 [pid 296] kill(298, SIGKILL) = 0 [pid 302] <... ioctl resumed> ) = ? [pid 304] <... ioctl resumed> ) = ? [pid 305] <... ioctl resumed> ) = ? [pid 298] +++ exited with 0 +++ [pid 296] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=298, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 296] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556236c650) = 325 ./strace-static-x86_64: Process 325 attached [pid 325] set_robust_list(0x55556236c660, 24) = 0 [pid 325] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 325] setpgid(0, 0) = 0 [pid 325] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 325] write(3, "1000", 4) = 4 [pid 325] close(3) = 0 [pid 325] write(1, "executing program\n", 18executing program ) = 18 [pid 325] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 325] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 4 [pid 325] ioctl(4, TIOCSETD, [15]) = 0 [pid 325] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4), 0) = 0 [pid 325] ioctl(3, HCISETLINKPOL [pid 302] +++ killed by SIGKILL +++ [pid 299] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=302, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} --- [pid 299] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 328 attached , child_tidptr=0x55556236c650) = 328 [pid 328] set_robust_list(0x55556236c660, 24) = 0 [pid 328] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 328] setpgid(0, 0) = 0 [pid 328] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 328] write(3, "1000", 4) = 4 [pid 328] close(3) = 0 [pid 328] write(1, "executing program\n", 18executing program ) = 18 [pid 328] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 328] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 4 [pid 328] ioctl(4, TIOCSETD, [15]) = 0 [ 27.201956][ T302] Bluetooth: hci0: Opcode 0x080f failed: -4 [ 27.207799][ T304] Bluetooth: hci0: Opcode 0x080f failed: -4 [ 27.213617][ T305] Bluetooth: hci0: Opcode 0x080f failed: -4 [ 27.231735][ T10] Bluetooth: hci0: Frame reassembly failed (-84) [pid 328] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4), 0) = 0 [pid 328] ioctl(3, HCISETLINKPOL [pid 305] +++ killed by SIGKILL +++ [pid 304] +++ killed by SIGKILL +++ [pid 303] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=305, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} --- [pid 303] restart_syscall(<... resuming interrupted kill ...> [pid 300] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=304, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} --- [pid 300] restart_syscall(<... resuming interrupted kill ...> [pid 303] <... restart_syscall resumed>) = 0 [pid 300] <... restart_syscall resumed>) = 0 [pid 300] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 303] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 329 attached [pid 329] set_robust_list(0x55556236c660, 24) = 0 [pid 329] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 329] setpgid(0, 0) = 0 [pid 329] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXECexecuting program [pid 300] <... clone resumed>, child_tidptr=0x55556236c650) = 329 [pid 329] <... openat resumed>) = 3 [pid 329] write(3, "1000", 4) = 4 [pid 329] close(3) = 0 [pid 329] write(1, "executing program\n", 18) = 18 [pid 329] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI [pid 303] <... clone resumed>, child_tidptr=0x55556236c650) = 330 [pid 329] <... socket resumed>) = 3 [pid 329] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY./strace-static-x86_64: Process 330 attached [pid 330] set_robust_list(0x55556236c660, 24 [pid 329] <... openat resumed>) = 4 [pid 330] <... set_robust_list resumed>) = 0 [pid 329] ioctl(4, TIOCSETD, [15]) = 0 [pid 330] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 329] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4) [pid 330] <... prctl resumed>) = 0 [pid 329] <... ioctl resumed>, 0) = 0 [pid 330] setpgid(0, 0) = 0 [ 27.256325][ T10] Bluetooth: hci2: Frame reassembly failed (-84) [pid 330] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 330] write(3, "1000", 4) = 4 [pid 330] close(3) = 0 [pid 330] write(1, "executing program\n", 18executing program ) = 18 [pid 330] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 329] ioctl(3, HCISETLINKPOL [pid 330] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 4 [pid 330] ioctl(4, TIOCSETD, [15]) = 0 [pid 330] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4), 0) = 0 [ 27.304414][ T10] Bluetooth: hci3: Frame reassembly failed (-84) [ 27.311303][ T10] Bluetooth: hci4: Frame reassembly failed (-84) [pid 330] ioctl(3, HCISETLINKPOL [pid 323] +++ exited with 0 +++ [pid 297] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=323, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 297] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 297] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556236c650) = 332 ./strace-static-x86_64: Process 332 attached [pid 332] set_robust_list(0x55556236c660, 24) = 0 [pid 332] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 332] setpgid(0, 0) = 0 [pid 332] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 332] write(3, "1000", 4) = 4 [pid 332] close(3executing program ) = 0 [pid 332] write(1, "executing program\n", 18) = 18 [pid 332] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 332] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 4 [pid 332] ioctl(4, TIOCSETD, [15]) = 0 [pid 332] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4), 0) = 0 [ 28.377813][ T312] Bluetooth: hci1: command 0x1003 tx timeout [ 28.377819][ T313] Bluetooth: hci1: Opcode 0x1003 failed: -110 [ 28.398456][ T10] Bluetooth: hci1: Frame reassembly failed (-84) [ 29.257807][ T315] Bluetooth: hci2: Opcode 0x1003 failed: -110 [ 29.257818][ T45] Bluetooth: hci0: Opcode 0x1003 failed: -110 [ 29.257868][ T45] Bluetooth: hci2: command 0x1003 tx timeout [ 29.337764][ T315] Bluetooth: hci4: command 0x1003 tx timeout [ 29.337771][ T309] Bluetooth: hci4: Opcode 0x1003 failed: -110 [ 29.337808][ T316] Bluetooth: hci3: Opcode 0x1003 failed: -110 [ 29.343616][ T309] Bluetooth: hci3: command 0x1003 tx timeout [ 30.457814][ T316] Bluetooth: hci1: command 0x1003 tx timeout [ 30.457814][ T313] Bluetooth: hci1: Opcode 0x1003 failed: -110 [pid 332] ioctl(3, HCISETLINKPOL [pid 325] <... ioctl resumed>, 0x200003c0) = -1 ETIMEDOUT (Connection timed out) [pid 325] exit_group(0) = ? [ 31.337799][ T325] Bluetooth: hci0: Opcode 0x080f failed: -110 [pid 296] kill(-325, SIGKILL) = 0 [pid 296] kill(325, SIGKILL) = 0 [pid 299] kill(-328, SIGKILL) = 0 [pid 299] kill(328, SIGKILL) = 0 [pid 328] <... ioctl resumed> ) = ? [pid 328] +++ killed by SIGKILL +++ [pid 299] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=328, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} --- [pid 299] restart_syscall(<... resuming interrupted kill ...>) = 0 [pid 299] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556236c650) = 338 ./strace-static-x86_64: Process 338 attached [pid 338] set_robust_list(0x55556236c660, 24) = 0 [pid 338] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 338] setpgid(0, 0) = 0 [pid 338] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 338] write(3, "1000", 4) = 4 [pid 338] close(3) = 0 [pid 338] write(1, "executing program\n", 18executing program ) = 18 [pid 338] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 338] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 4 [pid 338] ioctl(4, TIOCSETD, [15]) = 0 [ 32.251328][ T328] Bluetooth: hci0: Opcode 0x080f failed: -4 [pid 338] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4), 0) = 0 [pid 338] ioctl(3, HCISETLINKPOL, 0x200003c0) = -1 ENODEV (No such device) [pid 338] exit_group(0) = ? [pid 300] kill(-329, SIGKILL) = 0 [pid 303] kill(-330, SIGKILL) = 0 [pid 303] kill(330, SIGKILL) = 0 [pid 300] kill(329, SIGKILL) = 0 [pid 329] <... ioctl resumed> ) = ? [pid 330] <... ioctl resumed> ) = ? [ 32.306794][ T10] Bluetooth: hci2: Frame reassembly failed (-84) [ 32.310099][ T329] Bluetooth: hci0: Opcode 0x080f failed: -4 [ 32.319130][ T330] Bluetooth: hci0: Opcode 0x080f failed: -4 [pid 329] +++ killed by SIGKILL +++ [pid 300] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=329, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} --- [pid 300] restart_syscall(<... resuming interrupted kill ...>) = 0 [pid 300] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556236c650) = 340 ./strace-static-x86_64: Process 340 attached [pid 340] set_robust_list(0x55556236c660, 24) = 0 [pid 340] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 340] setpgid(0, 0) = 0 [pid 340] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 340] write(3, "1000", 4) = 4 [pid 340] close(3) = 0 [pid 340] write(1, "executing program\n", 18executing program ) = 18 [pid 340] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 340] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 4 [pid 340] ioctl(4, TIOCSETD, [15]) = 0 [pid 340] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4) [pid 296] openat(AT_FDCWD, "/sys/fs/fuse/connections", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY [pid 340] <... ioctl resumed>, 0) = 0 [pid 340] ioctl(3, HCISETLINKPOL [pid 296] <... openat resumed>) = 3 [pid 340] <... ioctl resumed>, 0x200003c0) = -1 ENODEV (No such device) [pid 340] exit_group(0) = ? [pid 296] newfstatat(3, "", {st_mode=S_IFDIR|0755, st_size=0, ...}, AT_EMPTY_PATH) = 0 [pid 296] getdents64(3, 0x55556236d6f0 /* 2 entries */, 32768) = 48 [pid 296] getdents64(3, 0x55556236d6f0 /* 0 entries */, 32768) = 0 [pid 296] close(3) = 0 [pid 330] +++ killed by SIGKILL +++ [pid 303] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=330, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} --- [pid 303] restart_syscall(<... resuming interrupted kill ...>) = 0 [pid 303] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 341 attached , child_tidptr=0x55556236c650) = 341 [pid 341] set_robust_list(0x55556236c660, 24) = 0 [pid 341] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 341] setpgid(0, 0) = 0 [pid 341] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 341] write(3, "1000", 4) = 4 [pid 341] close(3) = 0 [pid 341] write(1, "executing program\n", 18executing program ) = 18 [pid 341] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 341] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 4 [pid 341] ioctl(4, TIOCSETD, [15]) = 0 [pid 341] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4), 0) = 0 [pid 341] ioctl(3, HCISETLINKPOL, 0x200003c0) = -1 ENODEV (No such device) [pid 341] exit_group(0) = ? [ 32.377187][ T10] Bluetooth: hci3: Frame reassembly failed (-84) [pid 297] kill(-332, SIGKILL) = 0 [pid 297] kill(332, SIGKILL) = 0 [pid 332] <... ioctl resumed> ) = ? [pid 325] +++ exited with 0 +++ [pid 296] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=325, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 296] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556236c650) = 343 ./strace-static-x86_64: Process 343 attached [pid 343] set_robust_list(0x55556236c660, 24) = 0 [pid 343] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 343] setpgid(0, 0) = 0 [pid 343] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 343] write(3, "1000", 4) = 4 [pid 343] close(3executing program ) = 0 [pid 343] write(1, "executing program\n", 18) = 18 [pid 343] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 343] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 4 [pid 343] ioctl(4, TIOCSETD, [15]) = 0 [pid 343] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4), 0) = 0 [pid 343] ioctl(3, HCISETLINKPOL [pid 332] +++ killed by SIGKILL +++ [pid 297] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=332, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=1} --- [pid 297] restart_syscall(<... resuming interrupted kill ...>) = 0 [pid 297] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556236c650) = 344 ./strace-static-x86_64: Process 344 attached [pid 344] set_robust_list(0x55556236c660, 24) = 0 [pid 344] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 344] setpgid(0, 0) = 0 [pid 344] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 344] write(3, "1000", 4) = 4 [pid 344] close(3) = 0 [pid 344] write(1, "executing program\n", 18executing program ) = 18 [pid 344] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 344] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 4 [pid 344] ioctl(4, TIOCSETD, [15]) = 0 [ 33.402795][ T332] Bluetooth: hci0: Opcode 0x080f failed: -4 [ 33.415428][ T10] Bluetooth: hci0: Frame reassembly failed (-84) [pid 344] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4), 0) = 0 [ 33.456951][ T10] Bluetooth: hci1: Frame reassembly failed (-84) [pid 344] ioctl(3, HCISETLINKPOL [pid 338] +++ exited with 0 +++ [pid 299] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=338, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 299] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 299] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 346 attached [pid 346] set_robust_list(0x55556236c660, 24) = 0 [pid 346] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 346] setpgid(0, 0) = 0 [pid 340] +++ exited with 0 +++ [pid 300] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=340, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 299] <... clone resumed>, child_tidptr=0x55556236c650) = 346 [pid 346] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 346] write(3, "1000", 4) = 4 [pid 346] close(3) = 0 [pid 346] write(1, "executing program\n", 18) = 18 executing program [pid 346] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 346] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 4 [pid 346] ioctl(4, TIOCSETD, [15]) = 0 [pid 346] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4), 0) = 0 [pid 346] ioctl(3, HCISETLINKPOL [pid 300] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556236c650) = 347 ./strace-static-x86_64: Process 347 attached [pid 347] set_robust_list(0x55556236c660, 24) = 0 [pid 347] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 347] setpgid(0, 0) = 0 [pid 347] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 347] write(3, "1000", 4) = 4 [pid 347] close(3) = 0 [pid 347] write(1, "executing program\n", 18executing program ) = 18 [pid 347] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 347] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 4 [pid 347] ioctl(4, TIOCSETD, [15]) = 0 [pid 347] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4), 0) = 0 [ 34.377803][ T313] Bluetooth: hci2: Opcode 0x1003 failed: -110 [ 34.377817][ T45] Bluetooth: hci2: command 0x1003 tx timeout [ 34.377844][ T45] Bluetooth: hci3: command 0x1003 tx timeout [ 34.383813][ T311] Bluetooth: hci3: Opcode 0x1003 failed: -110 [ 34.404518][ T10] Bluetooth: hci2: Frame reassembly failed (-84) [ 34.412979][ T10] Bluetooth: hci3: Frame reassembly failed (-84) [pid 347] ioctl(3, HCISETLINKPOL [pid 341] +++ exited with 0 +++ [pid 303] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=341, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 303] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 303] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556236c650) = 348 ./strace-static-x86_64: Process 348 attached [pid 348] set_robust_list(0x55556236c660, 24) = 0 [pid 348] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 348] setpgid(0, 0) = 0 [pid 348] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 348] write(3, "1000", 4) = 4 [pid 348] close(3) = 0 [pid 348] write(1, "executing program\n", 18executing program ) = 18 [pid 348] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 348] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 4 [pid 348] ioctl(4, TIOCSETD, [15]) = 0 [pid 348] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4), 0) = 0 [ 34.457775][ T45] Bluetooth: hci4: command 0x1003 tx timeout [ 34.457799][ T316] Bluetooth: hci4: Opcode 0x1003 failed: -110 [ 34.482077][ T317] Bluetooth: hci4: Frame reassembly failed (-84) [ 34.488389][ T317] Bluetooth: hci4: Frame reassembly failed (-84) [pid 348] ioctl(3, HCISETLINKPOL [pid 343] <... ioctl resumed>, 0x200003c0) = -1 EINVAL (Invalid argument) [pid 343] exit_group(0) = ? [pid 344] <... ioctl resumed>, 0x200003c0) = -1 EINVAL (Invalid argument) [pid 344] exit_group(0) = ? [pid 346] <... ioctl resumed>, 0x200003c0) = -1 EINVAL (Invalid argument) [pid 346] exit_group(0) = ? [pid 347] <... ioctl resumed>, 0x200003c0) = -1 EINVAL (Invalid argument) [pid 347] exit_group(0) = ? [pid 348] <... ioctl resumed>, 0x200003c0) = -1 EINVAL (Invalid argument) [pid 348] exit_group(0) = ? [pid 343] +++ exited with 0 +++ [pid 296] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=343, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 296] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 296] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556236c650) = 350 ./strace-static-x86_64: Process 350 attached [pid 350] set_robust_list(0x55556236c660, 24) = 0 [pid 350] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 350] setpgid(0, 0) = 0 [pid 350] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 350] write(3, "1000", 4) = 4 [pid 350] close(3) = 0 executing program [pid 350] write(1, "executing program\n", 18) = 18 [pid 350] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 350] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 4 [pid 350] ioctl(4, TIOCSETD, [15]) = 0 [ 35.417771][ T45] Bluetooth: hci0: command 0x1003 tx timeout [ 35.417771][ T309] Bluetooth: hci0: Opcode 0x1003 failed: -110 [ 35.429644][ T343] Bluetooth: hci0: Opcode 0x080f failed: -22 [ 35.435868][ T344] Bluetooth: hci0: Opcode 0x080f failed: -22 [ 35.441835][ T346] Bluetooth: hci0: Opcode 0x080f failed: -22 [ 35.447857][ T347] Bluetooth: hci0: Opcode 0x080f failed: -22 [ 35.453740][ T348] Bluetooth: hci0: Opcode 0x080f failed: -22 [pid 350] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4), 0) = 0 [ 35.493881][ T312] ================================================================== [ 35.501777][ T312] BUG: KASAN: use-after-free in enqueue_timer+0xa6/0x480 [ 35.508647][ T312] Write of size 8 at addr ffff88810e4d0a00 by task kworker/u5:3/312 [ 35.516438][ T312] [ 35.518627][ T312] CPU: 1 PID: 312 Comm: kworker/u5:3 Not tainted 6.1.115-syzkaller-00041-ga887a44ace2a #0 [ 35.528328][ T312] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 35.538224][ T312] Workqueue: hci0 hci_cmd_work [ 35.542819][ T312] Call Trace: [ 35.545951][ T312] [ 35.548726][ T312] dump_stack_lvl+0x151/0x1b7 [ 35.553235][ T312] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 35.558536][ T312] ? _printk+0xd1/0x111 [ 35.562524][ T312] ? __virt_addr_valid+0x242/0x2f0 [ 35.567470][ T312] print_report+0x158/0x4e0 [ 35.571811][ T312] ? __virt_addr_valid+0x242/0x2f0 [ 35.576755][ T312] ? kasan_complete_mode_report_info+0x90/0x1b0 [ 35.582832][ T312] ? enqueue_timer+0xa6/0x480 [ 35.587344][ T312] kasan_report+0x13c/0x170 [ 35.591684][ T312] ? enqueue_timer+0xa6/0x480 [ 35.596197][ T312] __asan_report_store8_noabort+0x17/0x20 [ 35.601751][ T312] enqueue_timer+0xa6/0x480 [ 35.606089][ T312] __mod_timer+0x8d3/0xcf0 [ 35.610342][ T312] ? wake_up_process+0x10/0x20 [ 35.614944][ T312] ? insert_work+0x283/0x310 [ 35.619370][ T312] ? __queue_work+0x9d9/0xd70 [ 35.623882][ T312] ? mod_timer_pending+0x30/0x30 [ 35.628656][ T312] ? queue_work_on+0x135/0x170 [ 35.633259][ T312] add_timer+0x68/0x80 [ 35.637160][ T312] __queue_delayed_work+0x16d/0x1f0 [ 35.642198][ T312] queue_delayed_work_on+0x10f/0x180 [ 35.647318][ T312] ? delayed_work_timer_fn+0x80/0x80 [ 35.652437][ T312] hci_cmd_work+0x2b1/0x310 [ 35.656776][ T312] process_one_work+0x73d/0xcb0 [ 35.661467][ T312] worker_thread+0xa60/0x1260 [ 35.665981][ T312] kthread+0x26d/0x300 [ 35.669884][ T312] ? worker_clr_flags+0x1a0/0x1a0 [ 35.674743][ T312] ? kthread_blkcg+0xd0/0xd0 [ 35.679169][ T312] ret_from_fork+0x1f/0x30 [ 35.683423][ T312] [ 35.686284][ T312] [ 35.688454][ T312] Allocated by task 343: [ 35.692533][ T312] kasan_set_track+0x4b/0x70 [ 35.696960][ T312] kasan_save_alloc_info+0x1f/0x30 [ 35.701909][ T312] __kasan_kmalloc+0x9c/0xb0 [ 35.706332][ T312] __kmalloc+0xb4/0x1e0 [ 35.710326][ T312] hci_alloc_dev_priv+0x27/0x1c00 [ 35.715185][ T312] hci_uart_tty_ioctl+0x401/0xa70 [ 35.720061][ T312] tty_ioctl+0x903/0xc50 [ 35.724125][ T312] __se_sys_ioctl+0x114/0x190 [ 35.728643][ T312] __x64_sys_ioctl+0x7b/0x90 [ 35.733065][ T312] x64_sys_call+0x98/0x9a0 [ 35.737318][ T312] do_syscall_64+0x3b/0xb0 [ 35.741571][ T312] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 35.747300][ T312] [ 35.749466][ T312] Freed by task 348: [ 35.753200][ T312] kasan_set_track+0x4b/0x70 [ 35.757628][ T312] kasan_save_free_info+0x2b/0x40 [ 35.762486][ T312] ____kasan_slab_free+0x131/0x180 [ 35.767434][ T312] __kasan_slab_free+0x11/0x20 [ 35.772033][ T312] __kmem_cache_free+0x21d/0x410 [ 35.776808][ T312] kfree+0x7a/0xf0 [ 35.780364][ T312] hci_release_dev+0x14d3/0x1640 [ 35.785139][ T312] bt_host_release+0x83/0xa0 [ 35.789566][ T312] device_release+0x95/0x1c0 [ 35.793991][ T312] kobject_put+0x178/0x260 [ 35.798247][ T312] put_device+0x1f/0x30 [ 35.802237][ T312] hci_dev_cmd+0x2be/0x9b0 [ 35.806490][ T312] hci_sock_ioctl+0x415/0x7f0 [ 35.811005][ T312] sock_do_ioctl+0x152/0x450 [ 35.815428][ T312] sock_ioctl+0x455/0x740 [ 35.819616][ T312] __se_sys_ioctl+0x114/0x190 [ 35.824110][ T312] __x64_sys_ioctl+0x7b/0x90 [ 35.828557][ T312] x64_sys_call+0x98/0x9a0 [ 35.832793][ T312] do_syscall_64+0x3b/0xb0 [ 35.837039][ T312] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 35.842770][ T312] [ 35.844943][ T312] Last potentially related work creation: [ 35.850561][ T312] kasan_save_stack+0x3b/0x60 [ 35.855161][ T312] __kasan_record_aux_stack+0xb4/0xc0 [ 35.860366][ T312] kasan_record_aux_stack_noalloc+0xb/0x10 [ 35.866003][ T312] insert_work+0x56/0x310 [ 35.870174][ T312] __queue_work+0x9b6/0xd70 [ 35.874511][ T312] queue_work_on+0x105/0x170 [ 35.878937][ T312] __hci_cmd_sync_sk+0xc2a/0xf70 [ 35.883707][ T312] hci_cmd_sync_status+0x52/0x130 [ 35.888568][ T312] hci_dev_cmd+0x771/0x9b0 [ 35.892822][ T312] hci_sock_ioctl+0x415/0x7f0 [ 35.897342][ T312] sock_do_ioctl+0x152/0x450 [ 35.901759][ T312] sock_ioctl+0x455/0x740 [ 35.905926][ T312] __se_sys_ioctl+0x114/0x190 [ 35.910440][ T312] __x64_sys_ioctl+0x7b/0x90 [ 35.914870][ T312] x64_sys_call+0x98/0x9a0 [ 35.919118][ T312] do_syscall_64+0x3b/0xb0 [ 35.923371][ T312] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 35.929099][ T312] [ 35.931271][ T312] Second to last potentially related work creation: [ 35.937691][ T312] kasan_save_stack+0x3b/0x60 [ 35.942206][ T312] __kasan_record_aux_stack+0xb4/0xc0 [ 35.947416][ T312] kasan_record_aux_stack_noalloc+0xb/0x10 [ 35.953052][ T312] insert_work+0x56/0x310 [ 35.957332][ T312] __queue_work+0x9b6/0xd70 [ 35.961671][ T312] queue_work_on+0x105/0x170 [ 35.966100][ T312] __hci_cmd_sync_sk+0xc2a/0xf70 [ 35.970874][ T312] hci_cmd_sync_status+0x52/0x130 [ 35.975820][ T312] hci_dev_cmd+0x771/0x9b0 [ 35.980073][ T312] hci_sock_ioctl+0x415/0x7f0 [ 35.984590][ T312] sock_do_ioctl+0x152/0x450 [ 35.989014][ T312] sock_ioctl+0x455/0x740 [ 35.993178][ T312] __se_sys_ioctl+0x114/0x190 [ 35.997691][ T312] __x64_sys_ioctl+0x7b/0x90 [ 36.002117][ T312] x64_sys_call+0x98/0x9a0 [ 36.006369][ T312] do_syscall_64+0x3b/0xb0 [ 36.010625][ T312] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 36.016350][ T312] [ 36.018523][ T312] The buggy address belongs to the object at ffff88810e4d0000 [ 36.018523][ T312] which belongs to the cache kmalloc-8k of size 8192 [ 36.032406][ T312] The buggy address is located 2560 bytes inside of [ 36.032406][ T312] 8192-byte region [ffff88810e4d0000, ffff88810e4d2000) [ 36.045690][ T312] [ 36.047858][ T312] The buggy address belongs to the physical page: [ 36.054117][ T312] page:ffffea0004393400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10e4d0 [ 36.064172][ T312] head:ffffea0004393400 order:3 compound_mapcount:0 compound_pincount:0 [ 36.072332][ T312] flags: 0x4000000000010200(slab|head|zone=1) [ 36.078241][ T312] raw: 4000000000010200 ffffea0004300200 dead000000000002 ffff888100043500 [ 36.086666][ T312] raw: 0000000000000000 0000000000020002 00000001ffffffff 0000000000000000 [ 36.095078][ T312] page dumped because: kasan: bad access detected [ 36.101331][ T312] page_owner tracks the page as allocated [ 36.106876][ T312] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 3108815772, free_ts 0 [ 36.126320][ T312] post_alloc_hook+0x213/0x220 [ 36.130915][ T312] prep_new_page+0x1b/0x110 [ 36.135256][ T312] get_page_from_freelist+0x2980/0x2a10 [ 36.140636][ T312] __alloc_pages+0x234/0x610 [ 36.145061][ T312] alloc_slab_page+0x6c/0xf0 [ 36.149490][ T312] new_slab+0x90/0x3e0 [ 36.153392][ T312] ___slab_alloc+0x6f9/0xb80 [ 36.157819][ T312] __slab_alloc+0x5d/0xa0 [ 36.162004][ T312] __kmem_cache_alloc_node+0x207/0x2a0 [ 36.167280][ T312] kmalloc_trace+0x2a/0xa0 [ 36.171532][ T312] cryptomgr_notify+0x84/0xc10 [ 36.176133][ T312] blocking_notifier_call_chain+0xbb/0x140 [ 36.181783][ T312] crypto_alg_mod_lookup+0x376/0x570 [ 36.186894][ T312] crypto_alloc_tfm_node+0x11f/0x330 [ 36.192016][ T312] crypto_alloc_akcipher+0x32/0x40 [ 36.196963][ T312] public_key_verify_signature+0x25d/0xe00 [ 36.202605][ T312] page_owner free stack trace missing [ 36.207812][ T312] [ 36.209979][ T312] Memory state around the buggy address: [ 36.215451][ T312] ffff88810e4d0900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.223359][ T312] ffff88810e4d0980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.231248][ T312] >ffff88810e4d0a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.239144][ T312] ^ [pid 350] ioctl(3, HCISETLINKPOL [pid 344] +++ exited with 0 +++ [pid 297] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=344, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 297] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556236c650) = 352 ./strace-static-x86_64: Process 352 attached [pid 352] set_robust_list(0x55556236c660, 24) = 0 [pid 352] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 352] setpgid(0, 0) = 0 [pid 352] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 352] write(3, "1000", 4) = 4 [pid 352] close(3) = 0 executing program [pid 352] write(1, "executing program\n", 18) = 18 [pid 352] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 352] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 4 [pid 352] ioctl(4, TIOCSETD, [15]) = 0 [pid 352] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4), 0) = 0 [ 36.243048][ T312] ffff88810e4d0a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.250955][ T312] ffff88810e4d0b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.258847][ T312] ================================================================== [ 36.266741][ T312] Disabling lock debugging due to kernel taint [ 36.272962][ T45] Bluetooth: hci1: command 0x1003 tx timeout [ 36.279024][ T315] Bluetooth: hci1: Opcode 0x1003 failed: -110 [ 36.285016][ T10] Bluetooth: hci0: Frame reassembly failed (-84) [ 36.295599][ T10] Bluetooth: hci1: Frame reassembly failed (-84) [pid 352] ioctl(3, HCISETLINKPOL [pid 346] +++ exited with 0 +++ [pid 299] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=346, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 299] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556236c650) = 353 ./strace-static-x86_64: Process 353 attached [pid 353] set_robust_list(0x55556236c660, 24) = 0 [pid 353] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 353] setpgid(0, 0) = 0 [pid 353] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 353] write(3, "1000", 4) = 4 [pid 353] close(3) = 0 [pid 353] write(1, "executing program\n", 18executing program ) = 18 [pid 353] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 353] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 4 [pid 353] ioctl(4, TIOCSETD, [15]) = 0 [pid 353] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4), 0) = 0 [pid 353] ioctl(3, HCISETLINKPOL [pid 347] +++ exited with 0 +++ [pid 300] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=347, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 300] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 300] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 354 attached , child_tidptr=0x55556236c650) = 354 [pid 354] set_robust_list(0x55556236c660, 24) = 0 [pid 354] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 354] setpgid(0, 0) = 0 [pid 354] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 354] write(3, "1000", 4executing program ) = 4 [pid 354] close(3) = 0 [pid 354] write(1, "executing program\n", 18) = 18 [pid 354] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 354] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 4 [pid 354] ioctl(4, TIOCSETD, [15]) = 0 [pid 354] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4), 0) = 0 [ 36.457785][ T311] Bluetooth: hci2: Opcode 0x1003 failed: -110 [ 36.457807][ T315] Bluetooth: hci3: command 0x1003 tx timeout [ 36.457827][ T315] Bluetooth: hci2: command 0x1003 tx timeout [ 36.463938][ T313] Bluetooth: hci3: Opcode 0x1003 failed: -110 [ 36.483325][ T10] Bluetooth: hci2: Frame reassembly failed (-84) [ 36.496152][ T10] Bluetooth: hci3: Frame reassembly failed (-84) [pid 354] ioctl(3, HCISETLINKPOL [pid 348] +++ exited with 0 +++ [pid 303] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=348, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 303] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 303] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556236c650) = 355 ./strace-static-x86_64: Process 355 attached [pid 355] set_robust_list(0x55556236c660, 24) = 0 [pid 355] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 355] setpgid(0, 0) = 0 [pid 355] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 355] write(3, "1000", 4) = 4 [pid 355] close(3) = 0 executing program [pid 355] write(1, "executing program\n", 18) = 18 [pid 355] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 355] openat(AT_FDCWD, "/dev/ptmx", O_RDONLY) = 4 [pid 355] ioctl(4, TIOCSETD, [15]) = 0 [pid 355] ioctl(4, _IOC(_IOC_WRITE, 0x55, 0xc8, 0x4), 0) = 0 [ 36.537802][ T315] Bluetooth: hci4: command 0x1003 tx timeout [ 36.537812][ T316] Bluetooth: hci4: Opcode 0x1003 failed: -110 [ 36.563940][ T43] Bluetooth: hci4: Frame reassembly failed (-84) [ 36.570156][ T43] Bluetooth: hci4: Frame reassembly failed (-84) [ 37.497794][ T309] Bluetooth: hci0: Opcode 0x1003 failed: -110 [ 37.497834][ C1] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN [ 37.515245][ C1] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 37.523555][ C1] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G B 6.1.115-syzkaller-00041-ga887a44ace2a #0 [ 37.534250][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 37.544146][ C1] RIP: 0010:__queue_work+0x4f1/0xd70 [ 37.549264][ C1] Code: 39 03 0f 84 40 01 00 00 e8 0c 6c 2a 00 4c 89 e7 e8 d4 73 d6 03 49 bd 00 00 00 00 00 fc ff df 4c 8b 65 d0 4c 89 f0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 f7 e8 d0 da 71 00 49 8b 3e e8 88 6c d6 [ 37.568707][ C1] RSP: 0018:ffffc900001b0c78 EFLAGS: 00010046 [ 37.574611][ C1] RAX: 0000000000000000 RBX: 000000007fffffff RCX: ffff8881003aa880 [ 37.582419][ C1] RDX: 0000000000000100 RSI: 000000007fffffff RDI: 000000007fffffff [ 37.590230][ C1] RBP: ffffc900001b0d00 R08: ffffffff814b185b R09: 0000000000000007 [ 37.598041][ C1] R10: ffffffffffffffff R11: dffffc0000000001 R12: ffff88810e4d09c8 [ 37.605850][ C1] R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88810e4d09e0 [ 37.613664][ C1] FS: 0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000 [ 37.622431][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 37.628851][ C1] CR2: 00007f30cb7eb6a0 CR3: 00000001104ef000 CR4: 00000000003506a0 [ 37.636663][ C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 37.644472][ C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 37.652285][ C1] Call Trace: [ 37.655410][ C1] [ 37.658101][ C1] ? __die_body+0x62/0xb0 [ 37.662267][ C1] ? die_addr+0x9f/0xd0 [ 37.666262][ C1] ? exc_general_protection+0x317/0x4c0 [ 37.671643][ C1] ? cpu_curr_snapshot+0x200/0x200 [ 37.676586][ C1] ? asm_exc_general_protection+0x27/0x30 [ 37.682141][ C1] ? __queue_work+0x28b/0xd70 [ 37.686655][ C1] ? __queue_work+0x4f1/0xd70 [ 37.691168][ C1] ? __queue_work+0x29c/0xd70 [ 37.695682][ C1] delayed_work_timer_fn+0x61/0x80 [ 37.700627][ C1] ? queue_work_node+0x1d0/0x1d0 [ 37.705401][ C1] call_timer_fn+0x3b/0x2d0 [ 37.709739][ C1] ? queue_work_node+0x1d0/0x1d0 [ 37.714512][ C1] __run_timers+0x756/0xa10 [ 37.718856][ C1] ? calc_index+0x270/0x270 [ 37.723201][ C1] ? sched_clock+0x9/0x10 [ 37.727358][ C1] ? sched_clock_cpu+0x71/0x2b0 [ 37.732046][ C1] run_timer_softirq+0x69/0xf0 [ 37.736645][ C1] handle_softirqs+0x1db/0x650 [ 37.741253][ C1] ? irqtime_account_irq+0xdc/0x260 [ 37.746280][ C1] __irq_exit_rcu+0x52/0xf0 [ 37.750621][ C1] irq_exit_rcu+0x9/0x10 [ 37.754695][ C1] sysvec_apic_timer_interrupt+0xa9/0xc0 [ 37.760175][ C1] [ 37.762941][ C1] [ 37.765721][ C1] asm_sysvec_apic_timer_interrupt+0x1b/0x20 [ 37.771537][ C1] RIP: 0010:acpi_idle_enter+0x416/0x760 [ 37.776914][ C1] Code: 89 de 48 83 e6 08 31 ff e8 27 1c 54 fc 48 83 e3 08 0f 85 b1 00 00 00 0f 1f 44 00 00 e8 d3 17 54 fc 0f 00 2d 7c e8 ce 00 fb f4 e9 e3 00 00 00 49 83 c7 04 4c 89 f8 48 c1 e8 03 42 0f b6 04 30 [ 37.796360][ C1] RSP: 0018:ffffc90000147c50 EFLAGS: 000002d3 [ 37.802262][ C1] RAX: ffffffff85216edd RBX: 0000000000000000 RCX: ffff8881003aa880 [ 37.810071][ C1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 37.817879][ C1] RBP: ffffc90000147c90 R08: ffffffff85216ec9 R09: ffffed1020075511 [ 37.825702][ C1] R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000001 [ 37.833502][ C1] R13: ffff88810a3a0804 R14: dffffc0000000000 R15: ffff8881097d2864 [ 37.841345][ C1] ? acpi_idle_enter+0x3f9/0x760 [ 37.846087][ C1] ? acpi_idle_enter+0x40d/0x760 [ 37.850862][ C1] ? intel_idle_xstate+0xa0/0xa0 [ 37.855636][ C1] cpuidle_enter_state+0x5eb/0x17f0 [ 37.860679][ C1] ? cpuidle_enter_s2idle+0x600/0x600 [ 37.865878][ C1] ? menu_enable_device+0x380/0x380 [ 37.870910][ C1] ? __sched_text_start+0x8/0x8 [ 37.875598][ C1] cpuidle_enter+0x5f/0xa0 [ 37.879848][ C1] do_idle+0x3d1/0x580 [ 37.883755][ C1] ? ct_irq_exit+0x9/0x10 [ 37.887925][ C1] ? idle_inject_timer_fn+0x60/0x60 [ 37.892958][ C1] cpu_startup_entry+0x44/0x60 [ 37.897554][ C1] start_secondary+0xe3/0xf0 [ 37.901981][ C1] secondary_startup_64_no_verify+0xce/0xdb [ 37.907714][ C1] [ 37.910574][ C1] Modules linked in: [ 37.914307][ C1] ---[ end trace 0000000000000000 ]--- [ 37.919599][ C1] RIP: 0010:__queue_work+0x4f1/0xd70 [ 37.924730][ C1] Code: 39 03 0f 84 40 01 00 00 e8 0c 6c 2a 00 4c 89 e7 e8 d4 73 d6 03 49 bd 00 00 00 00 00 fc ff df 4c 8b 65 d0 4c 89 f0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 f7 e8 d0 da 71 00 49 8b 3e e8 88 6c d6 [ 37.944161][ C1] RSP: 0018:ffffc900001b0c78 EFLAGS: 00010046 [ 37.950061][ C1] RAX: 0000000000000000 RBX: 000000007fffffff RCX: ffff8881003aa880 [ 37.957875][ C1] RDX: 0000000000000100 RSI: 000000007fffffff RDI: 000000007fffffff [ 37.965686][ C1] RBP: ffffc900001b0d00 R08: ffffffff814b185b R09: 0000000000000007 [ 37.973497][ C1] R10: ffffffffffffffff R11: dffffc0000000001 R12: ffff88810e4d09c8 [ 37.981308][ C1] R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88810e4d09e0 [ 37.989118][ C1] FS: 0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000 [ 37.997886][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 38.004307][ C1] CR2: 00007f30cb7eb6a0 CR3: 00000001104ef000 CR4: 00000000003506a0 [ 38.012122][ C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 38.019928][ C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 38.027747][ C1] Kernel panic - not syncing: Fatal exception in interrupt [ 38.035091][ C1] Kernel Offset: disabled [ 38.039221][ C1] Rebooting in 86400 seconds..