./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3464161076

<...>
Warning: Permanently added '10.128.1.64' (ED25519) to the list of known hosts.
execve("./syz-executor3464161076", ["./syz-executor3464161076"], 0x7ffdde46e860 /* 10 vars */) = 0
brk(NULL)                               = 0x55557360c000
brk(0x55557360cd40)                     = 0x55557360cd40
arch_prctl(ARCH_SET_FS, 0x55557360c3c0) = 0
set_tid_address(0x55557360c690)         = 5067
set_robust_list(0x55557360c6a0, 24)     = 0
rseq(0x55557360cce0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor3464161076", 4096) = 28
getrandom("\xe5\x02\xd2\xc6\x29\x90\x56\xb9", 8, GRND_NONBLOCK) = 8
brk(NULL)                               = 0x55557360cd40
brk(0x55557362dd40)                     = 0x55557362dd40
brk(0x55557362e000)                     = 0x55557362e000
mprotect(0x7fb99fbd4000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
unshare(CLONE_NEWPID)                   = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55557360c690) = 5068
./strace-static-x86_64: Process 5068 attached
[pid  5068] set_robust_list(0x55557360c6a0, 24) = 0
[pid  5068] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy)
[pid  5068] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3
[pid  5068] openat(AT_FDCWD, "/dev/vhci", O_RDWR) = 4
[pid  5068] dup2(4, 202)                = 202
[pid  5068] close(4)                    = 0
[pid  5068] write(202, "\xff\x00", 2)   = 2
[pid  5068] read(202, "\xff\x00\x00\x00", 4) = 4
[pid  5068] rt_sigaction(SIGRT_1, {sa_handler=0x7fb99fb76540, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fb99fb67bc0}, NULL, 8) = 0
[pid  5068] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
[pid  5068] mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fb99f200000
[pid  5068] mprotect(0x7fb99f201000, 8388608, PROT_READ|PROT_WRITE) = 0
[pid  5068] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0
[pid  5068] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fb99fa00990, parent_tid=0x7fb99fa00990, exit_signal=0, stack=0x7fb99f200000, stack_size=0x800300, tls=0x7fb99fa006c0}./strace-static-x86_64: Process 5072 attached
 => {parent_tid=[2]}, 88) = 2
[pid  5068] rt_sigprocmask(SIG_SETMASK, [],  <unfinished ...>
[pid  5072] rseq(0x7fb99fa00fe0, 0x20, 0, 0x53053053) = 0
[pid  5068] <... rt_sigprocmask resumed>NULL, 8) = 0
[pid  5072] set_robust_list(0x7fb99fa009a0, 24) = 0
[pid  5072] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[pid  5072] read(202,  <unfinished ...>
[pid  5068] ioctl(3, HCIDEVUP <unfinished ...>
[pid  5072] <... read resumed>"\x01\x03\x0c\x00", 1024) = 4
[pid  5072] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5072] read(202, "\x01\x03\x10\x00", 1024) = 4
[pid  5072] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5072] read(202, "\x01\x01\x10\x00", 1024) = 4
[pid  5072] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x01\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5072] read(202, "\x01\x09\x10\x00", 1024) = 4
[pid  5072] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0a", iov_len=2}, {iov_base="\x01\x09\x10", iov_len=3}, {iov_base="\x00\xaa\xaa\xaa\xaa\xaa\xaa", iov_len=7}], 4) = 13
[pid  5072] read(202, "\x01\x05\x10\x00", 1024) = 4
[pid  5072] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0b", iov_len=2}, {iov_base="\x01\x05\x10", iov_len=3}, {iov_base="\x00\xfd\x03\x60\x04\x00\x06\x00", iov_len=8}], 4) = 14
[   62.834212][ T5070] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   62.853609][ T5070] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   62.864453][ T5070] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[pid  5072] read(202, "\x01\x23\x0c\x00", 1024) = 4
[pid  5072] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x23\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5072] read(202, "\x01\x14\x0c\x00", 1024) = 4
[pid  5072] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x14\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5072] read(202, "\x01\x25\x0c\x00", 1024) = 4
[pid  5072] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x25\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5072] read(202, "\x01\x38\x0c\x00", 1024) = 4
[pid  5072] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x38\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5072] read(202, "\x01\x39\x0c\x00", 1024) = 4
[pid  5072] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x39\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5072] read(202, "\x01\x16\x0c\x02\x00\x7d", 1024) = 6
[   62.926859][ T5070] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   62.949880][ T5070] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   62.968385][ T5070] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[pid  5072] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x16\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5072] read(202,  <unfinished ...>
[pid  5068] <... ioctl resumed>, 0)     = -1 EALREADY (Operation already in progress)
[pid  5068] ioctl(3, HCISETSCAN <unfinished ...>
[pid  5072] <... read resumed>"\x01\x1a\x0c\x01\x02", 1024) = 5
[pid  5072] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x04", iov_len=2}, {iov_base="\x01\x1a\x0c", iov_len=3}, {iov_base="\x00", iov_len=1}], 4) = 7
[pid  5072] rt_sigprocmask(SIG_BLOCK, ~[RT_1],  <unfinished ...>
[pid  5068] <... ioctl resumed>, 0x7ffd6284a644) = 0
[pid  5072] <... rt_sigprocmask resumed>NULL, 8) = 0
[pid  5068] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x04\x0a", iov_len=2}, {iov_base="\xaa\xaa\xaa\xaa\xaa\x10\x00\x00\x00\x01", iov_len=10}], 3 <unfinished ...>
[pid  5072] madvise(0x7fb99f200000, 8372224, MADV_DONTNEED) = 0
[pid  5068] <... writev resumed>)       = 13
[pid  5072] exit(0)                     = ?
[pid  5072] +++ exited with 0 +++
[pid  5068] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x03\x0b", iov_len=2}, {iov_base="\x00\xc8\x00\xaa\xaa\xaa\xaa\xaa\x10\x01\x00", iov_len=11}], 3) = 14
[pid  5068] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\v\v", iov_len=2}, {iov_base="\x00\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=11}], 3) = 14
[pid  5068] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x3e\x13", iov_len=2}, {iov_base="\x01\x00\xc9\x00\x01\x00\xaa\xaa\xaa\xaa\xaa\x11\x00\x00\x00\x00\x00\x00\x00", iov_len=19}], 3) = 22
[pid  5068] close(3)                    = 0
[pid  5068] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5068] setsid()                    = 1
[pid  5068] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0
[pid  5068] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0
[pid  5068] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0
[pid  5068] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0
[pid  5068] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0
[pid  5068] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0
[pid  5068] unshare(CLONE_NEWNS)        = 0
[pid  5068] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0
[pid  5068] unshare(CLONE_NEWIPC)       = 0
[pid  5068] unshare(CLONE_NEWCGROUP)    = 0
[pid  5068] unshare(CLONE_NEWUTS)       = 0
[pid  5068] unshare(CLONE_SYSVSEM)      = 0
[pid  5068] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3
[pid  5068] write(3, "16777216", 8)     = 8
[pid  5068] close(3)                    = 0
[pid  5068] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3
[pid  5068] write(3, "536870912", 9)    = 9
[pid  5068] close(3)                    = 0
[pid  5068] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3
[pid  5068] write(3, "1024", 4)         = 4
[pid  5068] close(3)                    = 0
[pid  5068] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3
[pid  5068] write(3, "8192", 4)         = 4
[pid  5068] close(3)                    = 0
[pid  5068] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3
[pid  5068] write(3, "1024", 4)         = 4
[pid  5068] close(3)                    = 0
[pid  5068] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3
[pid  5068] write(3, "1024", 4)         = 4
[pid  5068] close(3)                    = 0
[pid  5068] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3
[pid  5068] write(3, "1024 1048576 500 1024", 21) = 21
[pid  5068] close(3)                    = 0
[pid  5068] getpid()                    = 1
[pid  5068] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[pid  5068] capset({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[pid  5068] unshare(CLONE_NEWNET)       = 0
[pid  5068] openat(AT_FDCWD, "/proc/sys/net/ipv4/ping_group_range", O_WRONLY|O_CLOEXEC) = 3
[pid  5068] write(3, "0 65535", 7)      = 7
[pid  5068] close(3)                    = 0
[pid  5068] mkdir("/dev/binderfs", 0777) = 0
[pid  5068] mount("binder", "/dev/binderfs", "binder", 0, NULL) = 0
[pid  5068] symlink("/dev/binderfs", "./binderfs") = 0
[pid  5068] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000000, license=NULL, log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_UDP6_SENDMSG, prog_btf_fd=-1, func_info_rec_size=8, func_info=NULL, func_info_cnt=0, line_info_rec_size=16, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL, ...}, 144) = -1 EFAULT (Bad address)
[pid  5068] write(202, "\x04\x3e\x75\x1d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x73\x01\xa2\x00\x00\x00\x00\x00\x95\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 36) = 36
[pid  5068] write(202, "\x04\x3e\x07\x1b\x47\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 34) = 34
[pid  5068] exit_group(1)               = ?
[   63.422681][ T5070] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585
[   63.432505][ T5070] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5070, name: kworker/u9:2
[   63.441802][ T5070] preempt_count: 0, expected: 0
[   63.446735][ T5070] RCU nest depth: 1, expected: 0
[   63.451704][ T5070] 4 locks held by kworker/u9:2/5070:
[   63.457243][ T5070]  #0: ffff888015be3948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x8e0/0x1770
[   63.468325][ T5070]  #1: ffffc90003b6fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x91b/0x1770
[   63.480480][ T5070]  #2: ffff8880665d0078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xcf/0xae0
[   63.491548][ T5070]  #3: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: hci_le_create_big_complete_evt+0xdb/0xae0
[   63.502387][ T5070] CPU: 0 PID: 5070 Comm: kworker/u9:2 Not tainted 6.8.0-syzkaller-08073-g480e035fc4c7 #0
[   63.512382][ T5070] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[   63.522899][ T5070] Workqueue: hci0 hci_rx_work
[   63.530475][ T5070] Call Trace:
[   63.533914][ T5070]  <TASK>
[   63.536880][ T5070]  dump_stack_lvl+0x241/0x360
[   63.541601][ T5070]  ? __pfx_dump_stack_lvl+0x10/0x10
[   63.546924][ T5070]  ? __pfx__printk+0x10/0x10
[   63.551546][ T5070]  __might_resched+0x5d4/0x780
[   63.556311][ T5070]  ? __mutex_lock+0x112/0xd70
[   63.560979][ T5070]  ? __pfx___might_resched+0x10/0x10
[   63.566366][ T5070]  __mutex_lock+0xc1/0xd70
[   63.570772][ T5070]  ? __pfx_lock_acquire+0x10/0x10
[   63.575784][ T5070]  ? hci_le_create_big_complete_evt+0x3d9/0xae0
[   63.582032][ T5070]  ? __pfx_lock_release+0x10/0x10
[   63.587049][ T5070]  ? __pfx___mutex_lock+0x10/0x10
[   63.592065][ T5070]  ? trace_contention_end+0x3c/0x100
[   63.597340][ T5070]  ? skb_pull_data+0x112/0x230
[   63.602250][ T5070]  ? hci_conn_set_handle+0x19a/0x270
[   63.607550][ T5070]  hci_le_create_big_complete_evt+0x3d9/0xae0
[   63.613882][ T5070]  ? __copy_skb_header+0x437/0x5b0
[   63.621113][ T5070]  ? hci_le_create_big_complete_evt+0xdb/0xae0
[   63.629005][ T5070]  ? __pfx_hci_le_create_big_complete_evt+0x10/0x10
[   63.635860][ T5070]  ? hci_le_meta_evt+0x366/0x580
[   63.640850][ T5070]  ? __pfx_hci_le_create_big_complete_evt+0x10/0x10
[   63.647478][ T5070]  hci_event_packet+0xa53/0x1540
[   63.652431][ T5070]  ? __pfx_hci_le_meta_evt+0x10/0x10
[   63.657730][ T5070]  ? __pfx_hci_event_packet+0x10/0x10
[   63.663085][ T5070]  ? do_raw_spin_unlock+0x13c/0x8b0
[   63.668273][ T5070]  ? kcov_remote_start+0x9e/0x7e0
[   63.673303][ T5070]  ? hci_send_to_monitor+0xd8/0x7f0
[   63.678613][ T5070]  ? skb_dequeue+0x113/0x150
[   63.683236][ T5070]  hci_rx_work+0x3e8/0xca0
[   63.687697][ T5070]  ? process_scheduled_works+0x91b/0x1770
[   63.693466][ T5070]  process_scheduled_works+0xa00/0x1770
[   63.699017][ T5070]  ? __pfx_process_scheduled_works+0x10/0x10
[   63.705018][ T5070]  ? assign_work+0x364/0x3d0
[   63.709625][ T5070]  worker_thread+0x86d/0xd70
[   63.714220][ T5070]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   63.720121][ T5070]  ? __kthread_parkme+0x169/0x1d0
[   63.727076][ T5070]  ? __pfx_worker_thread+0x10/0x10
[   63.733087][ T5070]  kthread+0x2f0/0x390
[   63.737194][ T5070]  ? __pfx_worker_thread+0x10/0x10
[   63.742417][ T5070]  ? __pfx_kthread+0x10/0x10
[   63.747474][ T5070]  ret_from_fork+0x4b/0x80
[   63.751949][ T5070]  ? __pfx_kthread+0x10/0x10
[   63.756544][ T5070]  ret_from_fork_asm+0x1a/0x30
[   63.761308][ T5070]  </TASK>
[   63.764472][ T5070] 
[   63.766820][ T5070] =============================
[   63.771667][ T5070] [ BUG: Invalid wait context ]
[   63.776499][ T5070] 6.8.0-syzkaller-08073-g480e035fc4c7 #0 Tainted: G        W         
[   63.784635][ T5070] -----------------------------
[   63.789479][ T5070] kworker/u9:2/5070 is trying to lock:
[   63.794948][ T5070] ffffffff8f4f5aa8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0x3d9/0xae0
[   63.805589][ T5070] other info that might help us debug this:
[   63.811466][ T5070] context-{4:4}
[   63.814998][ T5070] 4 locks held by kworker/u9:2/5070:
[   63.820303][ T5070]  #0: ffff888015be3948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x8e0/0x1770
[   63.831449][ T5070]  #1: ffffc90003b6fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x91b/0x1770
[   63.843629][ T5070]  #2: ffff8880665d0078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xcf/0xae0
[   63.854413][ T5070]  #3: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: hci_le_create_big_complete_evt+0xdb/0xae0
[   63.865143][ T5070] stack backtrace:
[   63.868945][ T5070] CPU: 0 PID: 5070 Comm: kworker/u9:2 Tainted: G        W          6.8.0-syzkaller-08073-g480e035fc4c7 #0
[   63.880652][ T5070] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[   63.890788][ T5070] Workqueue: hci0 hci_rx_work
[   63.895514][ T5070] Call Trace:
[   63.899002][ T5070]  <TASK>
[   63.901943][ T5070]  dump_stack_lvl+0x241/0x360
[   63.906625][ T5070]  ? __pfx_dump_stack_lvl+0x10/0x10
[   63.912908][ T5070]  ? __pfx__printk+0x10/0x10
[   63.918924][ T5070]  __lock_acquire+0x1507/0x1fd0
[   63.925192][ T5070]  lock_acquire+0x1e4/0x530
[   63.929797][ T5070]  ? hci_le_create_big_complete_evt+0x3d9/0xae0
[   63.936351][ T5070]  ? __pfx_lock_acquire+0x10/0x10
[   63.941380][ T5070]  ? __mutex_lock+0x112/0xd70
[   63.946049][ T5070]  ? __pfx___might_resched+0x10/0x10
[   63.951333][ T5070]  __mutex_lock+0x136/0xd70
[   63.955837][ T5070]  ? hci_le_create_big_complete_evt+0x3d9/0xae0
[   63.962102][ T5070]  ? __pfx_lock_acquire+0x10/0x10
[   63.967132][ T5070]  ? hci_le_create_big_complete_evt+0x3d9/0xae0
[   63.973368][ T5070]  ? __pfx_lock_release+0x10/0x10
[   63.978400][ T5070]  ? __pfx___mutex_lock+0x10/0x10
[   63.983481][ T5070]  ? trace_contention_end+0x3c/0x100
[   63.988772][ T5070]  ? skb_pull_data+0x112/0x230
[   63.993540][ T5070]  ? hci_conn_set_handle+0x19a/0x270
[   63.998945][ T5070]  hci_le_create_big_complete_evt+0x3d9/0xae0
[   64.005159][ T5070]  ? __copy_skb_header+0x437/0x5b0
[   64.010295][ T5070]  ? hci_le_create_big_complete_evt+0xdb/0xae0
[   64.016671][ T5070]  ? __pfx_hci_le_create_big_complete_evt+0x10/0x10
[   64.026269][ T5070]  ? hci_le_meta_evt+0x366/0x580
[   64.031736][ T5070]  ? __pfx_hci_le_create_big_complete_evt+0x10/0x10
[   64.038554][ T5070]  hci_event_packet+0xa53/0x1540
[   64.043792][ T5070]  ? __pfx_hci_le_meta_evt+0x10/0x10
[   64.049102][ T5070]  ? __pfx_hci_event_packet+0x10/0x10
[   64.054556][ T5070]  ? do_raw_spin_unlock+0x13c/0x8b0
[   64.059750][ T5070]  ? kcov_remote_start+0x9e/0x7e0
[   64.064767][ T5070]  ? hci_send_to_monitor+0xd8/0x7f0
[   64.069986][ T5070]  ? skb_dequeue+0x113/0x150
[   64.074589][ T5070]  hci_rx_work+0x3e8/0xca0
[   64.079014][ T5070]  ? process_scheduled_works+0x91b/0x1770
[   64.084746][ T5070]  process_scheduled_works+0xa00/0x1770
[   64.090330][ T5070]  ? __pfx_process_scheduled_works+0x10/0x10
[   64.096324][ T5070]  ? assign_work+0x364/0x3d0
[   64.100998][ T5070]  worker_thread+0x86d/0xd70
[   64.105586][ T5070]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   64.111508][ T5070]  ? __kthread_parkme+0x169/0x1d0
[   64.117308][ T5070]  ? __pfx_worker_thread+0x10/0x10
[   64.122449][ T5070]  kthread+0x2f0/0x390
[   64.126686][ T5070]  ? __pfx_worker_thread+0x10/0x10
[   64.132196][ T5070]  ? __pfx_kthread+0x10/0x10
[   64.137005][ T5070]  ret_from_fork+0x4b/0x80
[   64.141435][ T5070]  ? __pfx_kthread+0x10/0x10
[   64.146019][ T5070]  ret_from_fork_asm+0x1a/0x30
[   64.150806][ T5070]  </TASK>
[   64.155069][ T5070] ==================================================================
[   64.163170][ T5070] BUG: KASAN: slab-use-after-free in hci_le_create_big_complete_evt+0x383/0xae0
[   64.172841][ T5070] Read of size 8 at addr ffff88807cb1c000 by task kworker/u9:2/5070
[   64.180908][ T5070] 
[   64.183224][ T5070] CPU: 0 PID: 5070 Comm: kworker/u9:2 Tainted: G        W          6.8.0-syzkaller-08073-g480e035fc4c7 #0
[   64.194506][ T5070] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[   64.204591][ T5070] Workqueue: hci0 hci_rx_work
[   64.209400][ T5070] Call Trace:
[   64.213332][ T5070]  <TASK>
[   64.217559][ T5070]  dump_stack_lvl+0x241/0x360
[   64.225957][ T5070]  ? __pfx_dump_stack_lvl+0x10/0x10
[   64.231205][ T5070]  ? __pfx__printk+0x10/0x10
[   64.236129][ T5070]  ? _printk+0xd5/0x120
[   64.240328][ T5070]  ? __virt_addr_valid+0x183/0x520
[   64.245459][ T5070]  ? __virt_addr_valid+0x183/0x520
[   64.250596][ T5070]  print_report+0x169/0x550
[   64.255136][ T5070]  ? __virt_addr_valid+0x183/0x520
[   64.260273][ T5070]  ? __virt_addr_valid+0x183/0x520
[   64.265382][ T5070]  ? __virt_addr_valid+0x44e/0x520
[   64.270514][ T5070]  ? __phys_addr+0xba/0x170
[   64.275015][ T5070]  ? hci_le_create_big_complete_evt+0x383/0xae0
[   64.281261][ T5070]  kasan_report+0x143/0x180
[   64.285769][ T5070]  ? hci_le_create_big_complete_evt+0x383/0xae0
[   64.292014][ T5070]  hci_le_create_big_complete_evt+0x383/0xae0
[   64.298135][ T5070]  ? __copy_skb_header+0x437/0x5b0
[   64.303269][ T5070]  ? hci_le_create_big_complete_evt+0xdb/0xae0
[   64.309432][ T5070]  ? __pfx_hci_le_create_big_complete_evt+0x10/0x10
[   64.316222][ T5070]  ? hci_le_meta_evt+0x366/0x580
[   64.321721][ T5070]  ? __pfx_hci_le_create_big_complete_evt+0x10/0x10
[   64.329836][ T5070]  hci_event_packet+0xa53/0x1540
[   64.334955][ T5070]  ? __pfx_hci_le_meta_evt+0x10/0x10
[   64.340278][ T5070]  ? __pfx_hci_event_packet+0x10/0x10
[   64.345656][ T5070]  ? do_raw_spin_unlock+0x13c/0x8b0
[   64.350855][ T5070]  ? kcov_remote_start+0x9e/0x7e0
[   64.355880][ T5070]  ? hci_send_to_monitor+0xd8/0x7f0
[   64.361075][ T5070]  ? skb_dequeue+0x113/0x150
[   64.365661][ T5070]  hci_rx_work+0x3e8/0xca0
[   64.370074][ T5070]  ? process_scheduled_works+0x91b/0x1770
[   64.377227][ T5070]  process_scheduled_works+0xa00/0x1770
[   64.382862][ T5070]  ? __pfx_process_scheduled_works+0x10/0x10
[   64.388841][ T5070]  ? assign_work+0x364/0x3d0
[   64.393946][ T5070]  worker_thread+0x86d/0xd70
[   64.398627][ T5070]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   64.405016][ T5070]  ? __kthread_parkme+0x169/0x1d0
[   64.410695][ T5070]  ? __pfx_worker_thread+0x10/0x10
[   64.417588][ T5070]  kthread+0x2f0/0x390
[   64.422747][ T5070]  ? __pfx_worker_thread+0x10/0x10
[   64.428832][ T5070]  ? __pfx_kthread+0x10/0x10
[   64.433821][ T5070]  ret_from_fork+0x4b/0x80
[   64.438436][ T5070]  ? __pfx_kthread+0x10/0x10
[   64.443025][ T5070]  ret_from_fork_asm+0x1a/0x30
[   64.447887][ T5070]  </TASK>
[   64.451589][ T5070] 
[   64.453909][ T5070] Allocated by task 5070:
[   64.458410][ T5070]  kasan_save_track+0x3f/0x80
[   64.463126][ T5070]  __kasan_kmalloc+0x98/0xb0
[   64.467776][ T5070]  kmalloc_trace+0x1db/0x360
[   64.472727][ T5070]  hci_conn_add+0xc7/0x13a0
[   64.477249][ T5070]  hci_le_big_sync_established_evt+0x1cf/0xb90
[   64.483585][ T5070]  hci_event_packet+0xa53/0x1540
[   64.489837][ T5070]  hci_rx_work+0x3e8/0xca0
[   64.494607][ T5070]  process_scheduled_works+0xa00/0x1770
[   64.500325][ T5070]  worker_thread+0x86d/0xd70
[   64.504903][ T5070]  kthread+0x2f0/0x390
[   64.509052][ T5070]  ret_from_fork+0x4b/0x80
[   64.514201][ T5070]  ret_from_fork_asm+0x1a/0x30
[   64.519080][ T5070] 
[   64.521538][ T5070] Freed by task 5070:
[   64.526515][ T5070]  kasan_save_track+0x3f/0x80
[   64.531666][ T5070]  kasan_save_free_info+0x40/0x50
[   64.536695][ T5070]  poison_slab_object+0xa6/0xe0
[   64.541642][ T5070]  __kasan_slab_free+0x37/0x60
[   64.546396][ T5070]  kfree+0x14a/0x380
[   64.550326][ T5070]  device_release+0x99/0x1c0
[   64.554924][ T5070]  kobject_put+0x22f/0x480
[   64.559349][ T5070]  hci_conn_del+0x900/0xc80
[   64.563959][ T5070]  hci_le_create_big_complete_evt+0x619/0xae0
[   64.570020][ T5070]  hci_event_packet+0xa53/0x1540
[   64.574959][ T5070]  hci_rx_work+0x3e8/0xca0
[   64.580168][ T5070]  process_scheduled_works+0xa00/0x1770
[   64.585704][ T5070]  worker_thread+0x86d/0xd70
[   64.590299][ T5070]  kthread+0x2f0/0x390
[   64.594447][ T5070]  ret_from_fork+0x4b/0x80
[   64.598864][ T5070]  ret_from_fork_asm+0x1a/0x30
[   64.603798][ T5070] 
[   64.610828][ T5070] The buggy address belongs to the object at ffff88807cb1c000
[   64.610828][ T5070]  which belongs to the cache kmalloc-8k of size 8192
[   64.629424][ T5070] The buggy address is located 0 bytes inside of
[   64.629424][ T5070]  freed 8192-byte region [ffff88807cb1c000, ffff88807cb1e000)
[   64.643243][ T5070] 
[   64.645562][ T5070] The buggy address belongs to the physical page:
[   64.652058][ T5070] page:ffffea0001f2c600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7cb18
[   64.662214][ T5070] head:ffffea0001f2c600 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   64.671177][ T5070] ksm flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[   64.679685][ T5070] page_type: 0xffffffff()
[   64.684006][ T5070] raw: 00fff00000000840 ffff888014c42280 ffffea0001f2cc00 dead000000000003
[   64.692581][ T5070] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[   64.701201][ T5070] page dumped because: kasan: bad access detected
[   64.707622][ T5070] page_owner tracks the page as allocated
[   64.713581][ T5070] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4524, tgid 4524 (S10udev), ts 19996984719, free_ts 17455903844
[   64.736021][ T5070]  post_alloc_hook+0x1ea/0x210
[   64.741502][ T5070]  get_page_from_freelist+0x33ea/0x3580
[   64.747065][ T5070]  __alloc_pages+0x256/0x680
[   64.752098][ T5070]  alloc_slab_page+0x5f/0x160
[   64.757228][ T5070]  new_slab+0x84/0x2f0
[   64.761547][ T5070]  ___slab_alloc+0xc73/0x1260
[   64.766549][ T5070]  kmalloc_trace+0x269/0x360
[   64.771189][ T5070]  tomoyo_init_log+0x11ce/0x2050
[   64.776148][ T5070]  tomoyo_supervisor+0x38a/0x11f0
[   64.781360][ T5070]  tomoyo_env_perm+0x178/0x210
[   64.786139][ T5070]  tomoyo_find_next_domain+0x1384/0x1cf0
[   64.791813][ T5070]  tomoyo_bprm_check_security+0x115/0x180
[   64.797549][ T5070]  security_bprm_check+0x65/0x90
[   64.802589][ T5070]  bprm_execve+0xa56/0x1790
[   64.807218][ T5070]  do_execveat_common+0x553/0x700
[   64.812547][ T5070]  __x64_sys_execve+0x92/0xb0
[   64.817730][ T5070] page last free pid 1 tgid 1 stack trace:
[   64.823697][ T5070]  free_unref_page_prepare+0x968/0xa90
[   64.829294][ T5070]  free_unref_page+0x37/0x3f0
[   64.833992][ T5070]  free_contig_range+0x9e/0x160
[   64.838862][ T5070]  destroy_args+0x8a/0x890
[   64.843293][ T5070]  debug_vm_pgtable+0x4be/0x550
[   64.848157][ T5070]  do_one_initcall+0x238/0x830
[   64.852947][ T5070]  do_initcall_level+0x157/0x210
[   64.857905][ T5070]  do_initcalls+0x3f/0x80
[   64.862237][ T5070]  kernel_init_freeable+0x435/0x5d0
[   64.867433][ T5070]  kernel_init+0x1d/0x2a0
[   64.871755][ T5070]  ret_from_fork+0x4b/0x80
[   64.876163][ T5070]  ret_from_fork_asm+0x1a/0x30
[   64.880925][ T5070] 
[   64.883238][ T5070] Memory state around the buggy address:
[   64.888858][ T5070]  ffff88807cb1bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   64.896907][ T5070]  ffff88807cb1bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   64.905131][ T5070] >ffff88807cb1c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.915067][ T5070]                    ^
[   64.919162][ T5070]  ffff88807cb1c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.927835][ T5070]  ffff88807cb1c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.936023][ T5070] ==================================================================
[   64.944473][ T5070] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   64.951685][ T5070] CPU: 0 PID: 5070 Comm: kworker/u9:2 Tainted: G        W          6.8.0-syzkaller-08073-g480e035fc4c7 #0
[   64.962981][ T5070] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[   64.973033][ T5070] Workqueue: hci0 hci_rx_work
[   64.977715][ T5070] Call Trace:
[   64.980988][ T5070]  <TASK>
[   64.983909][ T5070]  dump_stack_lvl+0x241/0x360
[   64.988595][ T5070]  ? __pfx_dump_stack_lvl+0x10/0x10
[   64.993966][ T5070]  ? __pfx__printk+0x10/0x10
[   64.998550][ T5070]  ? rcu_is_watching+0x15/0xb0
[   65.003395][ T5070]  ? preempt_schedule+0xe1/0xf0
[   65.008245][ T5070]  ? vscnprintf+0x5d/0x90
[   65.013169][ T5070]  panic+0x349/0x860
[   65.021054][ T5070]  ? check_panic_on_warn+0x21/0xb0
[   65.026191][ T5070]  ? __pfx_panic+0x10/0x10
[   65.030717][ T5070]  ? _raw_spin_unlock_irqrestore+0x130/0x140
[   65.036980][ T5070]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   65.043696][ T5070]  ? print_report+0x502/0x550
[   65.048507][ T5070]  check_panic_on_warn+0x86/0xb0
[   65.053827][ T5070]  ? hci_le_create_big_complete_evt+0x383/0xae0
[   65.060087][ T5070]  end_report+0x6e/0x140
[   65.064324][ T5070]  kasan_report+0x154/0x180
[   65.068920][ T5070]  ? hci_le_create_big_complete_evt+0x383/0xae0
[   65.075161][ T5070]  hci_le_create_big_complete_evt+0x383/0xae0
[   65.081247][ T5070]  ? __copy_skb_header+0x437/0x5b0
[   65.086357][ T5070]  ? hci_le_create_big_complete_evt+0xdb/0xae0
[   65.092518][ T5070]  ? __pfx_hci_le_create_big_complete_evt+0x10/0x10
[   65.099101][ T5070]  ? hci_le_meta_evt+0x366/0x580
[   65.104121][ T5070]  ? __pfx_hci_le_create_big_complete_evt+0x10/0x10
[   65.119478][ T5070]  hci_event_packet+0xa53/0x1540
[   65.125093][ T5070]  ? __pfx_hci_le_meta_evt+0x10/0x10
[   65.130976][ T5070]  ? __pfx_hci_event_packet+0x10/0x10
[   65.136645][ T5070]  ? do_raw_spin_unlock+0x13c/0x8b0
[   65.141843][ T5070]  ? kcov_remote_start+0x9e/0x7e0
[   65.147048][ T5070]  ? hci_send_to_monitor+0xd8/0x7f0
[   65.152243][ T5070]  ? skb_dequeue+0x113/0x150
[   65.156825][ T5070]  hci_rx_work+0x3e8/0xca0
[   65.161240][ T5070]  ? process_scheduled_works+0x91b/0x1770
[   65.166953][ T5070]  process_scheduled_works+0xa00/0x1770
[   65.172508][ T5070]  ? __pfx_process_scheduled_works+0x10/0x10
[   65.178485][ T5070]  ? assign_work+0x364/0x3d0
[   65.183071][ T5070]  worker_thread+0x86d/0xd70
[   65.187681][ T5070]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   65.193589][ T5070]  ? __kthread_parkme+0x169/0x1d0
[   65.198625][ T5070]  ? __pfx_worker_thread+0x10/0x10
[   65.203762][ T5070]  kthread+0x2f0/0x390
[   65.207928][ T5070]  ? __pfx_worker_thread+0x10/0x10
[   65.213781][ T5070]  ? __pfx_kthread+0x10/0x10
[   65.221538][ T5070]  ret_from_fork+0x4b/0x80
[   65.226167][ T5070]  ? __pfx_kthread+0x10/0x10
[   65.230941][ T5070]  ret_from_fork_asm+0x1a/0x30
[   65.235852][ T5070]  </TASK>
[   65.239175][ T5070] Kernel Offset: disabled
[   65.243493][ T5070] Rebooting in 86400 seconds..