[ 421.943810][ T6094] Bluetooth: hci0: command 0x0405 tx timeout
[ 422.441128][ T297] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 422.499415][ T297] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 422.551315][ T297] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 422.621306][ T297] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 423.923637][ T297] hsr_slave_0: left promiscuous mode
[ 423.992969][ T297] hsr_slave_1: left promiscuous mode
[ 424.063923][ T297] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 424.066000][ T297] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 424.070153][ T297] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 424.072150][ T297] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 424.076211][ T297] bridge_slave_1: left allmulticast mode
[ 424.077678][ T297] bridge_slave_1: left promiscuous mode
[ 424.079167][ T297] bridge0: port 2(bridge_slave_1) entered disabled state
[ 424.124545][ T297] bridge_slave_0: left allmulticast mode
[ 424.126285][ T297] bridge_slave_0: left promiscuous mode
[ 424.127745][ T297] bridge0: port 1(bridge_slave_0) entered disabled state
[ 424.244298][ T297] veth1_macvtap: left promiscuous mode
[ 424.245896][ T297] veth0_macvtap: left promiscuous mode
[ 424.247434][ T297] veth1_vlan: left promiscuous mode
[ 424.248764][ T297] veth0_vlan: left promiscuous mode
[ 424.380643][ T297] team0 (unregistering): Port device team_slave_1 removed
[ 424.388113][ T297] team0 (unregistering): Port device team_slave_0 removed
[ 424.394720][ T297] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 424.421444][ T297] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 424.549169][ T297] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.0.232' (ED25519) to the list of known hosts.
[ 427.255592][ T7785] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 427.258189][ T7785] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 427.260478][ T7785] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 427.264909][ T7785] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 427.267414][ T7785] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 427.269520][ T7785] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 427.313602][ T297] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 427.318904][ T297] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 427.328961][ T297] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 427.331129][ T297] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 429.303939][ T6094] Bluetooth: hci0: command 0x0409 tx timeout
[ 431.384107][ T7785] Bluetooth: hci0: command 0x041b tx timeout
[ 433.144294][ T2211] ieee802154 phy0 wpan0: encryption failed: -22
[ 433.146039][ T2211] ieee802154 phy1 wpan1: encryption failed: -22
[ 433.463750][ T6094] Bluetooth: hci0: command 0x040f tx timeout
[ 435.543846][ T7785] Bluetooth: hci0: command 0x0419 tx timeout
[ 437.623743][ T6094] Bluetooth: hci0: command 0x0407 tx timeout
[ 439.703782][ T6094] Bluetooth: hci0: command 0x0405 tx timeout
[ 441.793725][ T7785] Bluetooth: hci0: command 0x0407 tx timeout
[ 443.863743][ T6094] Bluetooth: hci0: command 0x0407 tx timeout
[ 445.943817][ T6094] Bluetooth: hci0: command 0x0405 tx timeout
[ 448.023744][ T6094] Bluetooth: hci0: command 0x0407 tx timeout
[ 450.103804][ T7785] Bluetooth: hci0: command 0x0405 tx timeout
[ 452.183734][ T7785] Bluetooth: hci0: command 0x0407 tx timeout
[ 454.263768][ T6094] Bluetooth: hci0: command 0x0405 tx timeout
[ 456.343785][ T6094] Bluetooth: hci0: command 0x0407 tx timeout
[ 458.423747][ T7785] Bluetooth: hci0: command 0x0405 tx timeout
[ 460.503787][ T7785] Bluetooth: hci0: command 0x0407 tx timeout
[ 462.583832][ T7785] Bluetooth: hci0: command 0x0405 tx timeout
[ 464.663770][ T6094] Bluetooth: hci0: command 0x0407 tx timeout
[ 466.743732][ T7785] Bluetooth: hci0: command 0x0405 tx timeout
[ 468.833731][ T7785] Bluetooth: hci0: command 0x0407 tx timeout
[ 470.903754][ T6094] Bluetooth: hci0: command 0x0405 tx timeout
[ 472.984052][ T7785] Bluetooth: hci0: command 0x0407 tx timeout
[ 475.063774][ T7785] Bluetooth: hci0: command 0x0405 tx timeout
[ 477.143776][ T6094] Bluetooth: hci0: command 0x0407 tx timeout
[ 479.223814][ T7785] Bluetooth: hci0: command 0x0405 tx timeout
[ 481.313902][ T7785] Bluetooth: hci0: command 0x0407 tx timeout
[ 483.383776][ T6094] Bluetooth: hci0: command 0x0405 tx timeout
[ 485.463811][ T7785] Bluetooth: hci0: command 0x0407 tx timeout
[ 487.543821][ T6094] Bluetooth: hci0: command 0x0405 tx timeout
[ 489.623738][ T7785] Bluetooth: hci0: command 0x0407 tx timeout
[ 491.703763][ T6094] Bluetooth: hci0: command 0x0405 tx timeout
[ 493.783738][ T6094] Bluetooth: hci0: command 0x0407 tx timeout
[ 494.594539][ T2211] ieee802154 phy0 wpan0: encryption failed: -22
[ 494.596247][ T2211] ieee802154 phy1 wpan1: encryption failed: -22
[ 495.863736][ T6094] Bluetooth: hci0: command 0x0405 tx timeout
[ 497.943779][ T6094] Bluetooth: hci0: command 0x0407 tx timeout
[ 500.033745][ T6094] Bluetooth: hci0: command 0x0405 tx timeout
[ 502.103801][ T6094] Bluetooth: hci0: command 0x0407 tx timeout
[ 504.183779][ T7785] Bluetooth: hci0: command 0x0405 tx timeout
[ 506.274014][ T7785] Bluetooth: hci0: command 0x0407 tx timeout
[ 508.343772][ T6094] Bluetooth: hci0: command 0x0405 tx timeout
[ 510.221484][ T9434] ==================================================================
[ 510.223546][ T9434] BUG: KASAN: slab-use-after-free in __sco_sock_close+0x274/0x788
[ 510.225597][ T9434] Read of size 8 at addr ffff0000c7299400 by task syz-executor661/9434
[ 510.227855][ T9434]
[ 510.228465][ T9434] CPU: 1 PID: 9434 Comm: syz-executor661 Not tainted 6.6.0-rc7-syzkaller-00089-g8de1e7afcc1c-dirty #0
[ 510.231367][ T9434] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
[ 510.233965][ T9434] Call trace:
[ 510.234803][ T9434]  dump_backtrace+0x1b8/0x1e4
[ 510.236027][ T9434]  show_stack+0x2c/0x44
[ 510.237102][ T9434]  dump_stack_lvl+0xd0/0x124
[ 510.238277][ T9434]  print_report+0x174/0x514
[ 510.239414][ T9434]  kasan_report+0xd8/0x138
[ 510.240556][ T9434]  __asan_report_load8_noabort+0x20/0x2c
[ 510.242039][ T9434]  __sco_sock_close+0x274/0x788
[ 510.243316][ T9434]  sco_sock_release+0xb4/0x2c0
[ 510.244561][ T9434]  sock_close+0xa4/0x1e8
[ 510.245652][ T9434]  __fput+0x324/0x7f8
[ 510.246679][ T9434]  ____fput+0x20/0x30
[ 510.247723][ T9434]  task_work_run+0x230/0x2e0
[ 510.248918][ T9434]  get_signal+0x13f4/0x15ec
[ 510.250106][ T9434]  do_notify_resume+0x3bc/0x393c
[ 510.251339][ T9434]  el0_svc+0x9c/0x158
[ 510.252323][ T9434]  el0t_64_sync_handler+0x84/0xfc
[ 510.253658][ T9434]  el0t_64_sync+0x190/0x194
[ 510.254842][ T9434]
[ 510.255441][ T9434] Allocated by task 9431:
[ 510.256586][ T9434]  kasan_set_track+0x4c/0x7c
[ 510.257842][ T9434]  kasan_save_alloc_info+0x24/0x30
[ 510.259156][ T9434]  __kasan_kmalloc+0xac/0xc4
[ 510.260345][ T9434]  kmalloc_trace+0x70/0x88
[ 510.261485][ T9434]  sco_conn_add+0xc4/0x2cc
[ 510.262691][ T9434]  sco_sock_connect+0x2a0/0x848
[ 510.263971][ T9434]  __sys_connect+0x268/0x290
[ 510.265151][ T9434]  __arm64_sys_connect+0x7c/0x94
[ 510.266484][ T9434]  invoke_syscall+0x98/0x2b8
[ 510.267683][ T9434]  el0_svc_common+0x130/0x23c
[ 510.268862][ T9434]  do_el0_svc+0x48/0x58
[ 510.269949][ T9434]  el0_svc+0x54/0x158
[ 510.271002][ T9434]  el0t_64_sync_handler+0x84/0xfc
[ 510.272334][ T9434]  el0t_64_sync+0x190/0x194
[ 510.273535][ T9434]
[ 510.274118][ T9434] Freed by task 6094:
[ 510.275137][ T9434]  kasan_set_track+0x4c/0x7c
[ 510.276351][ T9434]  kasan_save_free_info+0x38/0x5c
[ 510.277683][ T9434]  ____kasan_slab_free+0x144/0x1c0
[ 510.279064][ T9434]  __kasan_slab_free+0x18/0x28
[ 510.280364][ T9434]  __kmem_cache_free+0x2ac/0x480
[ 510.281630][ T9434]  kfree+0xb8/0x19c
[ 510.282670][ T9434]  sco_conn_del+0x3b4/0x498
[ 510.283833][ T9434]  sco_connect_cfm+0xf0/0x948
[ 510.285069][ T9434]  hci_conn_failed+0x17c/0x2c0
[ 510.286378][ T9434]  hci_abort_conn_sync+0x688/0xe38
[ 510.287789][ T9434]  abort_conn_sync+0x5c/0x8c
[ 510.289021][ T9434]  hci_cmd_sync_work+0x1cc/0x34c
[ 510.290304][ T9434]  process_one_work+0x694/0x1204
[ 510.291612][ T9434]  worker_thread+0x938/0xef4
[ 510.292863][ T9434]  kthread+0x288/0x310
[ 510.293941][ T9434]  ret_from_fork+0x10/0x20
[ 510.295136][ T9434]
[ 510.295765][ T9434] Last potentially related work creation:
[ 510.297271][ T9434]  kasan_save_stack+0x40/0x6c
[ 510.298552][ T9434]  __kasan_record_aux_stack+0xcc/0xe8
[ 510.299997][ T9434]  kasan_record_aux_stack_noalloc+0x14/0x20
[ 510.301548][ T9434]  kvfree_call_rcu+0xac/0x674
[ 510.302803][ T9434]  drop_sysctl_table+0x2c8/0x410
[ 510.304132][ T9434]  drop_sysctl_table+0x2d8/0x410
[ 510.305448][ T9434]  unregister_sysctl_table+0x48/0x68
[ 510.306840][ T9434]  unregister_net_sysctl_table+0x20/0x30
[ 510.308336][ T9434]  mpls_dev_sysctl_unregister+0x88/0xc0
[ 510.309787][ T9434]  mpls_dev_notify+0x448/0x654
[ 510.311015][ T9434]  notifier_call_chain+0x1a4/0x510
[ 510.312357][ T9434]  raw_notifier_call_chain+0x3c/0x50
[ 510.313712][ T9434]  unregister_netdevice_many_notify+0xd44/0x17a8
[ 510.315421][ T9434]  default_device_exit_batch+0x6c8/0x744
[ 510.316929][ T9434]  cleanup_net+0x5dc/0x8d0
[ 510.318126][ T9434]  process_one_work+0x694/0x1204
[ 510.319522][ T9434]  worker_thread+0x938/0xef4
[ 510.320717][ T9434]  kthread+0x288/0x310
[ 510.321750][ T9434]  ret_from_fork+0x10/0x20
[ 510.322921][ T9434]
[ 510.323508][ T9434] The buggy address belongs to the object at ffff0000c7299400
[ 510.323508][ T9434]  which belongs to the cache kmalloc-256 of size 256
[ 510.327232][ T9434] The buggy address is located 0 bytes inside of
[ 510.327232][ T9434]  freed 256-byte region [ffff0000c7299400, ffff0000c7299500)
[ 510.330755][ T9434]
[ 510.331391][ T9434] The buggy address belongs to the physical page:
[ 510.333048][ T9434] page:0000000073a3d90c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107298
[ 510.335757][ T9434] head:0000000073a3d90c order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 510.338160][ T9434] flags: 0x5ffc00000000840(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 510.340321][ T9434] page_type: 0xffffffff()
[ 510.341479][ T9434] raw: 05ffc00000000840 ffff0000c0001b40 dead000000000100 dead000000000122
[ 510.343760][ T9434] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 510.345978][ T9434] page dumped because: kasan: bad access detected
[ 510.347664][ T9434]
[ 510.348272][ T9434] Memory state around the buggy address:
[ 510.349744][ T9434]  ffff0000c7299300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 510.351900][ T9434]  ffff0000c7299380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 510.354073][ T9434] >ffff0000c7299400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 510.356201][ T9434]                    ^
[ 510.357265][ T9434]  ffff0000c7299480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 510.359361][ T9434]  ffff0000c7299500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 510.361491][ T9434] ==================================================================
[ 510.364321][ T9434] Disabling lock debugging due to kernel taint
[ 510.423721][ T7785] Bluetooth: hci0: command 0x0407 tx timeout
[ 512.503734][ T7785] Bluetooth: hci0: command 0x0405 tx timeout
[ 514.583786][ T6094] Bluetooth: hci0: command 0x0407 tx timeout
[ 516.663732][ T7785] Bluetooth: hci0: command 0x0405 tx timeout
[ 518.743717][ T6094] Bluetooth: hci0: command 0x0407 tx timeout