./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1918648175

<...>
Warning: Permanently added '10.128.0.79' (ED25519) to the list of known hosts.
execve("./syz-executor1918648175", ["./syz-executor1918648175"], 0x7ffe6ac1cd00 /* 10 vars */) = 0
brk(NULL)                               = 0x55555604a000
brk(0x55555604ad40)                     = 0x55555604ad40
arch_prctl(ARCH_SET_FS, 0x55555604a3c0) = 0
set_tid_address(0x55555604a690)         = 5037
set_robust_list(0x55555604a6a0, 24)     = 0
rseq(0x55555604ace0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor1918648175", 4096) = 28
getrandom("\x6e\xff\x19\x25\x7b\xcd\x86\xae", 8, GRND_NONBLOCK) = 8
brk(NULL)                               = 0x55555604ad40
brk(0x55555606bd40)                     = 0x55555606bd40
brk(0x55555606c000)                     = 0x55555606c000
mprotect(0x7fa90fb2a000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
unshare(CLONE_NEWPID)                   = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555604a690) = 5038
./strace-static-x86_64: Process 5038 attached
[pid  5038] set_robust_list(0x55555604a6a0, 24) = 0
[pid  5038] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy)
[pid  5038] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3
[pid  5038] openat(AT_FDCWD, "/dev/vhci", O_RDWR) = 4
[pid  5038] dup2(4, 202)                = 202
[pid  5038] close(4)                    = 0
[pid  5038] write(202, "\xff\x00", 2)   = 2
[pid  5038] read(202, "\xff\x00\x00\x00", 4) = 4
[pid  5038] rt_sigaction(SIGRT_1, {sa_handler=0x7fa90facc4f0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fa90fabdb70}, NULL, 8) = 0
[pid  5038] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
[pid  5038] mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa90f267000
[pid  5038] mprotect(0x7fa90f268000, 8388608, PROT_READ|PROT_WRITE) = 0
[pid  5038] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0
[pid  5038] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fa90fa67990, parent_tid=0x7fa90fa67990, exit_signal=0, stack=0x7fa90f267000, stack_size=0x800300, tls=0x7fa90fa676c0} => {parent_tid=[2]}, 88) = 2
[pid  5038] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[pid  5038] ioctl(3, HCIDEVUP./strace-static-x86_64: Process 5040 attached
 <unfinished ...>
[pid  5040] rseq(0x7fa90fa67fe0, 0x20, 0, 0x53053053) = 0
[pid  5040] set_robust_list(0x7fa90fa679a0, 24) = 0
[pid  5040] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[pid  5040] read(202, "\x01\x03\x0c\x00", 1024) = 4
[pid  5040] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5040] read(202, "\x01\x03\x10\x00", 1024) = 4
[pid  5040] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5040] read(202, "\x01\x01\x10\x00", 1024) = 4
[pid  5040] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x01\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5040] read(202, "\x01\x09\x10\x00", 1024) = 4
[pid  5040] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0a", iov_len=2}, {iov_base="\x01\x09\x10", iov_len=3}, {iov_base="\x00\xaa\xaa\xaa\xaa\xaa\xaa", iov_len=7}], 4) = 13
[pid  5040] read(202, "\x01\x05\x10\x00", 1024) = 4
[pid  5040] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0b", iov_len=2}, {iov_base="\x01\x05\x10", iov_len=3}, {iov_base="\x00\xfd\x03\x60\x04\x00\x06\x00", iov_len=8}], 4) = 14
[pid  5040] read(202, "\x01\x23\x0c\x00", 1024) = 4
[pid  5040] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x23\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5040] read(202, "\x01\x14\x0c\x00", 1024) = 4
[pid  5040] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x14\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5040] read(202, "\x01\x25\x0c\x00", 1024) = 4
[pid  5040] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x25\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5040] read(202, "\x01\x38\x0c\x00", 1024) = 4
[pid  5040] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x38\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[   72.047806][ T5039] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   72.063229][ T5039] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   72.071583][ T5039] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   72.081812][ T5039] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   72.090506][ T5039] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[pid  5040] read(202, "\x01\x39\x0c\x00", 1024) = 4
[pid  5040] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x39\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5040] read(202, "\x01\x16\x0c\x02\x00\x7d", 1024) = 6
[pid  5040] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x16\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4 <unfinished ...>
[pid  5038] <... ioctl resumed>, 0)     = -1 EALREADY (Operation already in progress)
[pid  5040] <... writev resumed>)       = 255
[pid  5038] ioctl(3, HCISETSCAN <unfinished ...>
[pid  5040] read(202, "\x01\x1a\x0c\x01\x02", 1024) = 5
[pid  5040] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x04", iov_len=2}, {iov_base="\x01\x1a\x0c", iov_len=3}, {iov_base="\x00", iov_len=1}], 4) = 7
[pid  5040] rt_sigprocmask(SIG_BLOCK, ~[RT_1], NULL, 8) = 0
[pid  5040] madvise(0x7fa90f267000, 8372224, MADV_DONTNEED) = 0
[pid  5040] exit(0)                     = ?
[pid  5040] +++ exited with 0 +++
[pid  5038] <... ioctl resumed>, 0x7ffc6a6f17d4) = 0
[pid  5038] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x04\x0a", iov_len=2}, {iov_base="\xaa\xaa\xaa\xaa\xaa\x10\x00\x00\x00\x01", iov_len=10}], 3) = 13
[pid  5038] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x03\x0b", iov_len=2}, {iov_base="\x00\xc8\x00\xaa\xaa\xaa\xaa\xaa\x10\x01\x00", iov_len=11}], 3) = 14
[pid  5038] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\v\v", iov_len=2}, {iov_base="\x00\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=11}], 3) = 14
[pid  5038] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x3e\x13", iov_len=2}, {iov_base="\x01\x00\xc9\x00\x01\x00\xaa\xaa\xaa\xaa\xaa\x11\x00\x00\x00\x00\x00\x00\x00", iov_len=19}], 3) = 22
[pid  5038] close(3)                    = 0
[pid  5038] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5038] setsid()                    = 1
[pid  5038] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3
[pid  5038] dup2(3, 201)                = 201
[pid  5038] close(3)                    = 0
[pid  5038] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0
[pid  5038] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0
[pid  5038] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0
[pid  5038] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0
[pid  5038] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0
[pid  5038] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0
[pid  5038] unshare(CLONE_NEWNS)        = 0
[pid  5038] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0
[pid  5038] unshare(CLONE_NEWIPC)       = 0
[pid  5038] unshare(CLONE_NEWCGROUP)    = 0
[pid  5038] unshare(CLONE_NEWUTS)       = 0
[pid  5038] unshare(CLONE_SYSVSEM)      = 0
[pid  5038] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3
[pid  5038] write(3, "16777216", 8)     = 8
[pid  5038] close(3)                    = 0
[pid  5038] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3
[pid  5038] write(3, "536870912", 9)    = 9
[pid  5038] close(3)                    = 0
[pid  5038] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3
[pid  5038] write(3, "1024", 4)         = 4
[pid  5038] close(3)                    = 0
[pid  5038] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3
[pid  5038] write(3, "8192", 4)         = 4
[pid  5038] close(3)                    = 0
[pid  5038] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3
[pid  5038] write(3, "1024", 4)         = 4
[pid  5038] close(3)                    = 0
[pid  5038] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3
[pid  5038] write(3, "1024", 4)         = 4
[pid  5038] close(3)                    = 0
[pid  5038] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3
[pid  5038] write(3, "1024 1048576 500 1024", 21) = 21
[pid  5038] close(3)                    = 0
[pid  5038] getpid()                    = 1
[pid  5038] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[pid  5038] capset({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[   72.098715][ T5039] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[pid  5038] unshare(CLONE_NEWNET)       = 0
[pid  5038] openat(AT_FDCWD, "/proc/sys/net/ipv4/ping_group_range", O_WRONLY|O_CLOEXEC) = 3
[pid  5038] write(3, "0 65535", 7)      = 7
[pid  5038] close(3)                    = 0
[pid  5038] mkdir("/dev/binderfs", 0777) = 0
[pid  5038] mount("binder", "/dev/binderfs", "binder", 0, NULL) = 0
[pid  5038] symlink("/dev/binderfs", "./binderfs") = 0
[pid  5038] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3
[pid  5038] setns(201, 0)               = 0
[pid  5038] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 4
[pid  5038] setns(3, 0)                 = 0
[pid  5038] close(3)                    = 0
[   72.200204][ T5038] ==================================================================
[   72.208325][ T5038] BUG: KASAN: slab-out-of-bounds in create_monitor_event+0x88d/0x930
[   72.216414][ T5038] Read of size 8 at addr ffff88801e5458c7 by task syz-executor191/5038
[   72.224682][ T5038] 
[   72.227002][ T5038] CPU: 0 PID: 5038 Comm: syz-executor191 Not tainted 6.6.0-rc4-syzkaller-00158-gf291209eca5e #0
[   72.237414][ T5038] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
[   72.247475][ T5038] Call Trace:
[   72.250753][ T5038]  <TASK>
[   72.253685][ T5038]  dump_stack_lvl+0x1e7/0x2d0
[   72.258370][ T5038]  ? nf_tcp_handle_invalid+0x650/0x650
[   72.263922][ T5038]  ? panic+0x770/0x770
[   72.267999][ T5038]  ? _printk+0xd5/0x120
[   72.272164][ T5038]  print_report+0x163/0x540
[   72.276672][ T5038]  ? __virt_addr_valid+0x22f/0x2e0
[   72.281784][ T5038]  ? __phys_addr+0xba/0x170
[   72.286290][ T5038]  ? create_monitor_event+0x88d/0x930
[   72.291662][ T5038]  kasan_report+0x175/0x1b0
[   72.296186][ T5038]  ? create_monitor_event+0x88d/0x930
[   72.301575][ T5038]  create_monitor_event+0x88d/0x930
[   72.306790][ T5038]  send_monitor_replay+0x7a/0x5d0
[   72.311839][ T5038]  hci_sock_bind+0x85c/0x1140
[   72.316560][ T5038]  ? __might_fault+0xa5/0x120
[   72.321251][ T5038]  ? hci_sock_release+0x4f0/0x4f0
[   72.326376][ T5038]  ? bpf_lsm_socket_bind+0x9/0x10
[   72.331419][ T5038]  ? security_socket_bind+0x81/0xa0
[   72.336635][ T5038]  __sys_bind+0x23a/0x2e0
[   72.341066][ T5038]  ? lockdep_hardirqs_on+0x98/0x140
[   72.346269][ T5038]  ? __ia32_sys_socketpair+0xb0/0xb0
[   72.351555][ T5038]  ? ptrace_notify+0x278/0x380
[   72.356331][ T5038]  ? syscall_enter_from_user_mode+0x32/0x230
[   72.362321][ T5038]  __x64_sys_bind+0x7a/0x90
[   72.366828][ T5038]  do_syscall_64+0x41/0xc0
[   72.371245][ T5038]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   72.377137][ T5038] RIP: 0033:0x7fa90faa64f9
[   72.381557][ T5038] Code: 48 83 c4 28 c3 e8 17 19 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[   72.401277][ T5038] RSP: 002b:00007ffc6a6f17b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
[   72.409689][ T5038] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fa90faa64f9
[   72.417664][ T5038] RDX: 0000000000000006 RSI: 0000000020000000 RDI: 0000000000000004
[   72.425645][ T5038] RBP: 0000000000000003 R08: 000000ff00ffb650 R09: 000000ff00ffb650
[   72.433614][ T5038] R10: 0000000000000000 R11: 0000000000000246 R12: 000055555604a370
[   72.441582][ T5038] R13: 0000000000000072 R14: 00007fa90fb2a5b0 R15: 0000000000000001
[   72.449556][ T5038]  </TASK>
[   72.452570][ T5038] 
[   72.454885][ T5038] Allocated by task 5038:
[   72.459205][ T5038]  kasan_set_track+0x4f/0x70
[   72.463801][ T5038]  __kasan_kmalloc+0x98/0xb0
[   72.468409][ T5038]  __kmalloc_node_track_caller+0xb6/0x230
[   72.474125][ T5038]  kvasprintf+0xdf/0x190
[   72.478372][ T5038]  kobject_set_name_vargs+0x61/0x120
[   72.483660][ T5038]  dev_set_name+0xd5/0x120
[   72.488082][ T5038]  hci_register_dev+0x153/0xa40
[   72.492952][ T5038]  vhci_create_device+0x3ba/0x720
[   72.497997][ T5038]  vhci_write+0x3c7/0x480
[   72.502327][ T5038]  vfs_write+0x782/0xaf0
[   72.506623][ T5038]  ksys_write+0x1a0/0x2c0
[   72.510959][ T5038]  do_syscall_64+0x41/0xc0
[   72.515370][ T5038]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   72.521265][ T5038] 
[   72.523586][ T5038] The buggy address belongs to the object at ffff88801e5458c0
[   72.523586][ T5038]  which belongs to the cache kmalloc-8 of size 8
[   72.537383][ T5038] The buggy address is located 2 bytes to the right of
[   72.537383][ T5038]  allocated 5-byte region [ffff88801e5458c0, ffff88801e5458c5)
[   72.551707][ T5038] 
[   72.554038][ T5038] The buggy address belongs to the physical page:
[   72.560441][ T5038] page:ffffea0000795140 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e545
[   72.570587][ T5038] flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
[   72.578125][ T5038] page_type: 0xffffffff()
[   72.582454][ T5038] raw: 00fff00000000800 ffff888012841280 ffffea00004db540 dead000000000002
[   72.591039][ T5038] raw: 0000000000000000 0000000000660066 00000001ffffffff 0000000000000000
[   72.599627][ T5038] page dumped because: kasan: bad access detected
[   72.606031][ T5038] page_owner tracks the page as allocated
[   72.611738][ T5038] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 25, tgid 25 (kdevtmpfs), ts 9275165846, free_ts 9274763750
[   72.629109][ T5038]  post_alloc_hook+0x1e6/0x210
[   72.633877][ T5038]  get_page_from_freelist+0x31db/0x3360
[   72.639426][ T5038]  __alloc_pages+0x255/0x670
[   72.644033][ T5038]  alloc_slab_page+0x6a/0x160
[   72.648709][ T5038]  new_slab+0x84/0x2f0
[   72.652781][ T5038]  ___slab_alloc+0xc85/0x1310
[   72.657459][ T5038]  __kmem_cache_alloc_node+0x1af/0x270
[   72.662922][ T5038]  __kmalloc_node_track_caller+0xa5/0x230
[   72.668642][ T5038]  kstrdup+0x3a/0x70
[   72.672535][ T5038]  smack_inode_init_security+0x5ed/0x740
[   72.678170][ T5038]  security_inode_init_security+0x1a1/0x470
[   72.684066][ T5038]  shmem_mknod+0xc6/0x1d0
[   72.688501][ T5038]  vfs_mknod+0x308/0x350
[   72.692752][ T5038]  devtmpfs_work_loop+0x95c/0x1030
[   72.697870][ T5038]  devtmpfsd+0x48/0x50
[   72.701939][ T5038]  kthread+0x2d3/0x370
[   72.706001][ T5038] page last free stack trace:
[   72.710694][ T5038]  free_unref_page_prepare+0x8c3/0x9f0
[   72.716157][ T5038]  free_unref_page+0x37/0x3f0
[   72.720843][ T5038]  __mmdrop+0xb8/0x3d0
[   72.724936][ T5038]  free_bprm+0x144/0x330
[   72.729182][ T5038]  kernel_execve+0x8f5/0xa10
[   72.733785][ T5038]  call_usermodehelper_exec_async+0x233/0x370
[   72.739866][ T5038]  ret_from_fork+0x48/0x80
[   72.744328][ T5038]  ret_from_fork_asm+0x11/0x20
[   72.749099][ T5038] 
[   72.751418][ T5038] Memory state around the buggy address:
[   72.757044][ T5038]  ffff88801e545780: 05 fc fc fc fc 05 fc fc fc fc 05 fc fc fc fc 05
[   72.765104][ T5038]  ffff88801e545800: fc fc fc fc 05 fc fc fc fc 00 fc fc fc fc 00 fc
[   72.773166][ T5038] >ffff88801e545880: fc fc fc 00 fc fc fc fc 05 fc fc fc fc 00 fc fc
[   72.781223][ T5038]                                            ^
[   72.787369][ T5038]  ffff88801e545900: fc fc 00 fc fc fc fc 00 fc fc fc fc 05 fc fc fc
[   72.795421][ T5038]  ffff88801e545980: fc 05 fc fc fc fc fa fc fc fc fc 00 fc fc fc fc
[   72.803473][ T5038] ==================================================================
[   72.811770][ T5038] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   72.818977][ T5038] CPU: 0 PID: 5038 Comm: syz-executor191 Not tainted 6.6.0-rc4-syzkaller-00158-gf291209eca5e #0
[   72.829405][ T5038] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
[   72.839461][ T5038] Call Trace:
[   72.842743][ T5038]  <TASK>
[   72.845674][ T5038]  dump_stack_lvl+0x1e7/0x2d0
[   72.850359][ T5038]  ? nf_tcp_handle_invalid+0x650/0x650
[   72.855815][ T5038]  ? panic+0x770/0x770
[   72.859884][ T5038]  ? lock_release+0xbf/0x9d0
[   72.864476][ T5038]  ? vscnprintf+0x5d/0x80
[   72.868815][ T5038]  panic+0x30f/0x770
[   72.872809][ T5038]  ? check_panic_on_warn+0x21/0xa0
[   72.877928][ T5038]  ? __memcpy_flushcache+0x2b0/0x2b0
[   72.883223][ T5038]  ? _raw_spin_unlock_irqrestore+0xd8/0x140
[   72.889131][ T5038]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   72.895029][ T5038]  ? _raw_spin_unlock+0x40/0x40
[   72.899883][ T5038]  ? print_report+0x4fb/0x540
[   72.904564][ T5038]  check_panic_on_warn+0x82/0xa0
[   72.909504][ T5038]  ? create_monitor_event+0x88d/0x930
[   72.914884][ T5038]  end_report+0x6e/0x130
[   72.919135][ T5038]  kasan_report+0x186/0x1b0
[   72.923731][ T5038]  ? create_monitor_event+0x88d/0x930
[   72.929103][ T5038]  create_monitor_event+0x88d/0x930
[   72.934387][ T5038]  send_monitor_replay+0x7a/0x5d0
[   72.939652][ T5038]  hci_sock_bind+0x85c/0x1140
[   72.944330][ T5038]  ? __might_fault+0xa5/0x120
[   72.949009][ T5038]  ? hci_sock_release+0x4f0/0x4f0
[   72.954036][ T5038]  ? bpf_lsm_socket_bind+0x9/0x10
[   72.959064][ T5038]  ? security_socket_bind+0x81/0xa0
[   72.964276][ T5038]  __sys_bind+0x23a/0x2e0
[   72.968610][ T5038]  ? lockdep_hardirqs_on+0x98/0x140
[   72.973814][ T5038]  ? __ia32_sys_socketpair+0xb0/0xb0
[   72.979096][ T5038]  ? ptrace_notify+0x278/0x380
[   72.983869][ T5038]  ? syscall_enter_from_user_mode+0x32/0x230
[   72.989857][ T5038]  __x64_sys_bind+0x7a/0x90
[   72.994372][ T5038]  do_syscall_64+0x41/0xc0
[   72.998792][ T5038]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   73.004690][ T5038] RIP: 0033:0x7fa90faa64f9
[   73.009105][ T5038] Code: 48 83 c4 28 c3 e8 17 19 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[   73.028710][ T5038] RSP: 002b:00007ffc6a6f17b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
[   73.037134][ T5038] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fa90faa64f9
[   73.045103][ T5038] RDX: 0000000000000006 RSI: 0000000020000000 RDI: 0000000000000004
[   73.053075][ T5038] RBP: 0000000000000003 R08: 000000ff00ffb650 R09: 000000ff00ffb650
[   73.061065][ T5038] R10: 0000000000000000 R11: 0000000000000246 R12: 000055555604a370
[   73.069046][ T5038] R13: 0000000000000072 R14: 00007fa90fb2a5b0 R15: 0000000000000001
[   73.077021][ T5038]  </TASK>
[   73.080369][ T5038] Kernel Offset: disabled
[   73.084694][ T5038] Rebooting in 86400 seconds..