./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor238292578 <...> Warning: Permanently added '10.128.1.10' (ECDSA) to the list of known hosts. execve("./syz-executor238292578", ["./syz-executor238292578"], 0x7ffc422a51c0 /* 10 vars */) = 0 brk(NULL) = 0x555555a6d000 brk(0x555555a6dc40) = 0x555555a6dc40 arch_prctl(ARCH_SET_FS, 0x555555a6d300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x555555a6d5d0) = 5006 set_robust_list(0x555555a6d5e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7f09bc731380, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f09bc731a50}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f09bc731420, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f09bc731a50}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor238292578", 4096) = 27 brk(0x555555a8ec40) = 0x555555a8ec40 brk(0x555555a8f000) = 0x555555a8f000 mprotect(0x7f09bc7f3000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 getpid() = 5006 openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3 write(3, "10000000000", 11) = 11 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3 write(3, "20", 2) = 2 close(3) = 0 openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3 write(3, "100", 3) = 3 close(3) = 0 openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3 write(3, "7 4 1 3", 7) = 7 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3 write(3, "5006", 4) = 4 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 3 socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 4 sendto(4, [{nlmsg_len=36, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x03\x00\x00\x00\x0d\x00\x02\x00\x6e\x6c\x38\x30\x32\x31\x35\x34\x00\x00\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36 recvfrom(4, [{nlmsg_len=784, nlmsg_type=nlctrl, nlmsg_flags=0, nlmsg_seq=0, nlmsg_pid=5006}, "\x01\x02\x00\x00\x0d\x00\x02\x00\x6e\x6c\x38\x30\x32\x31\x35\x34\x00\x00\x00\x00\x06\x00\x01\x00\x1d\x00\x00\x00\x08\x00\x03\x00\x01\x00\x00\x00\x08\x00\x04\x00\x00\x00\x00\x00\x08\x00\x05\x00\x2e\x00\x00\x00\x98\x02\x06\x00\x14\x00\x01\x00\x08\x00\x01\x00\x01\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x02\x00\x08\x00\x01\x00\x05\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x03\x00"...], 4096, 0, NULL, NULL) = 784 recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5006}, {error=0, msg={nlmsg_len=36, nlmsg_type=nlctrl, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 access("/proc/net", R_OK) = 0 access("/proc/net/unix", R_OK) = 0 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan0", ifr_ifindex=11}) = 0 close(5) = 0 sendto(4, [{nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x0b\x00\x00\x00\x08\x00\x03\x00\x0b\x00\x00\x00\x06\x00\x0a\x00\xa0\xaa\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36 recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5006}, {error=0, msg={nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan0", ifr_ifindex=11}) = 0 close(5) = 0 sendto(3, [{nlmsg_len=44, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x00\x00\x00\x00\x0b\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x0c\x00\x01\x00\x02\x00\xaa\xaa\xaa\xaa\xaa\xaa"], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44 recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5006}, {error=0, msg={nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 sendto(3, [{nlmsg_len=68, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL|NLM_F_CREATE, nlmsg_seq=0, nlmsg_pid=0}, {ifi_family=AF_UNSPEC, ifi_type=ARPHRD_NETROM, ifi_index=0, ifi_flags=0, ifi_change=0}, [[{nla_len=11, nla_type=IFLA_IFNAME}, "lowpan0"...], [{nla_len=16, nla_type=IFLA_LINKINFO}, [{nla_len=10, nla_type=IFLA_INFO_KIND}, "lowpan"...]], [{nla_len=8, nla_type=IFLA_LINK}, 11]]], 68, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 68 recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5006}, {error=0, msg={nlmsg_len=68, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL|NLM_F_CREATE, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan1", ifr_ifindex=12}) = 0 close(5) = 0 sendto(4, [{nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x0b\x00\x00\x00\x08\x00\x03\x00\x0c\x00\x00\x00\x06\x00\x0a\x00\xa1\xaa\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36 recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5006}, {error=0, msg={nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan1", ifr_ifindex=12}) = 0 close(5) = 0 sendto(3, [{nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, {ifi_family=AF_UNSPEC, ifi_type=ARPHRD_NETROM, ifi_index=if_nametoindex("wpan1"), ifi_flags=IFF_UP, ifi_change=0x1}, [{nla_len=12, nla_type=IFLA_ADDRESS}, 02:01:aa:aa:aa:aa:aa]], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44 recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5006}, {error=0, msg={nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 close(3) = 0 close(4) = 0 unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a6d5d0) = 5008 ./strace-static-x86_64: Process 5008 attached [pid 5008] set_robust_list(0x555555a6d5e0, 24) = 0 [pid 5008] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy) [pid 5008] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 5008] openat(AT_FDCWD, "/dev/vhci", O_RDWR) = 4 [pid 5008] dup2(4, 202) = 202 [pid 5008] close(4) = 0 [pid 5008] write(202, "\xff\x00", 2) = 2 [pid 5008] read(202, "\xff\x00\x00\x00", 4) = 4 [pid 5008] mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f09bbf20000 [pid 5008] mprotect(0x7f09bbf21000, 8388608, PROT_READ|PROT_WRITE) = 0 [pid 5008] clone(child_stack=0x7f09bc7203f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5011 attached , parent_tid=[2], tls=0x7f09bc720700, child_tidptr=0x7f09bc7209d0) = 2 [pid 5008] ioctl(3, HCIDEVUP [pid 5011] set_robust_list(0x7f09bc7209e0, 24) = 0 [pid 5011] read(202, "\x01\x03\x0c\x00", 1024) = 4 [pid 5011] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5011] read(202, "\x01\x03\x10\x00", 1024) = 4 [pid 5011] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5011] read(202, "\x01\x01\x10\x00", 1024) = 4 [pid 5011] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x01\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5011] read(202, "\x01\x09\x10\x00", 1024) = 4 [pid 5011] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0a", iov_len=2}, {iov_base="\x01\x09\x10", iov_len=3}, {iov_base="\x00\xaa\xaa\xaa\xaa\xaa\xaa", iov_len=7}], 4) = 13 [pid 5011] read(202, "\x01\x05\x10\x00", 1024) = 4 [pid 5011] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0b", iov_len=2}, {iov_base="\x01\x05\x10", iov_len=3}, {iov_base="\x00\xfd\x03\x60\x04\x00\x06\x00", iov_len=8}], 4) = 14 [pid 5011] read(202, "\x01\x23\x0c\x00", 1024) = 4 [pid 5011] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x23\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5011] read(202, "\x01\x14\x0c\x00", 1024) = 4 [pid 5011] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x14\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5011] read(202, "\x01\x25\x0c\x00", 1024) = 4 [pid 5011] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x25\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5011] read(202, "\x01\x38\x0c\x00", 1024) = 4 [ 69.835054][ T5010] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 69.844084][ T5010] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 69.852175][ T5010] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 69.862598][ T5010] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 69.871087][ T5010] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3 [pid 5011] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x38\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5011] read(202, "\x01\x39\x0c\x00", 1024) = 4 [pid 5011] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x39\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5011] read(202, "\x01\x16\x0c\x02\x00\x7d", 1024) = 6 [pid 5011] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x16\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4 [pid 5008] <... ioctl resumed>, 0) = -1 EALREADY (Operation already in progress) [pid 5008] ioctl(3, HCISETSCAN [pid 5011] <... writev resumed>) = 255 [pid 5011] read(202, "\x01\x1a\x0c\x01\x02", 1024) = 5 [pid 5011] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x04", iov_len=2}, {iov_base="\x01\x1a\x0c", iov_len=3}, {iov_base="\x00", iov_len=1}], 4) = 7 [pid 5011] madvise(0x7f09bbf20000, 8372224, MADV_DONTNEED [pid 5008] <... ioctl resumed>, 0x7ffe17db6840) = 0 [pid 5008] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x04\x0a", iov_len=2}, {iov_base="\xaa\xaa\xaa\xaa\xaa\x10\x00\x00\x00\x01", iov_len=10}], 3) = 13 [pid 5008] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x03\x0b", iov_len=2}, {iov_base="\x00\xc8\x00\xaa\xaa\xaa\xaa\xaa\x10\x01\x00", iov_len=11}], 3) = 14 [pid 5008] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\v\v", iov_len=2}, {iov_base="\x00\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=11}], 3) = 14 [pid 5008] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x3e\x13", iov_len=2}, {iov_base="\x01\x00\xc9\x00\x01\x00\xaa\xaa\xaa\xaa\xaa\x11\x00\x00\x00\x00\x00\x00\x00", iov_len=19}], 3) = 22 [pid 5008] futex(0x7f09bc7209d0, FUTEX_WAIT, 2, NULL [pid 5011] <... madvise resumed>) = 0 [pid 5011] exit(0) = ? [pid 5011] +++ exited with 0 +++ [pid 5008] <... futex resumed>) = 0 [pid 5008] close(3) = 0 [pid 5008] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5008] setsid() = 1 [pid 5008] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3 [pid 5008] dup2(3, 201) = 201 [pid 5008] close(3) = 0 [pid 5008] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 5008] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 5008] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 5008] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 5008] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0 [pid 5008] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 5008] unshare(CLONE_NEWNS) = 0 [pid 5008] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 5008] unshare(CLONE_NEWIPC) = 0 [pid 5008] unshare(CLONE_NEWCGROUP) = 0 [pid 5008] unshare(CLONE_NEWUTS) = 0 [pid 5008] unshare(CLONE_SYSVSEM) = 0 [pid 5008] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5008] write(3, "16777216", 8) = 8 [pid 5008] close(3) = 0 [pid 5008] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3 [pid 5008] write(3, "536870912", 9) = 9 [pid 5008] close(3) = 0 [pid 5008] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5008] write(3, "1024", 4) = 4 [pid 5008] close(3) = 0 [pid 5008] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5008] write(3, "8192", 4) = 4 [pid 5008] close(3) = 0 [pid 5008] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5008] write(3, "1024", 4) = 4 [pid 5008] close(3) = 0 [pid 5008] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3 [pid 5008] write(3, "1024", 4) = 4 [pid 5008] close(3) = 0 [pid 5008] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3 [pid 5008] write(3, "1024 1048576 500 1024", 21) = 21 [pid 5008] close(3) = 0 [pid 5008] getpid() = 1 [ 69.879179][ T5010] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [pid 5008] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< [ 70.013470][ T5013] dump_stack_lvl+0x136/0x150 [ 70.018152][ T5013] should_fail_ex+0x4a3/0x5b0 [ 70.022835][ T5013] should_failslab+0x9/0x20 [ 70.027326][ T5013] __kmem_cache_alloc_node+0x5b/0x320 [ 70.032696][ T5013] ? hci_conn_link+0x145/0x3e0 [ 70.037472][ T5013] ? hci_conn_add+0xe06/0x16b0 [ 70.042250][ T5013] kmalloc_trace+0x26/0xe0 [ 70.046687][ T5013] hci_conn_link+0x145/0x3e0 [ 70.051378][ T5013] hci_connect_sco+0x1e7/0x1050 [ 70.056248][ T5013] sco_sock_connect+0x2d7/0xae0 [ 70.061114][ T5013] ? sco_sock_recvmsg+0x510/0x510 [ 70.066150][ T5013] __sys_connect_file+0x153/0x1a0 [ 70.071186][ T5013] __sys_connect+0x165/0x1a0 [ 70.075790][ T5013] ? __sys_connect_file+0x1a0/0x1a0 [ 70.081000][ T5013] ? lock_downgrade+0x690/0x690 [ 70.085870][ T5013] ? _raw_spin_unlock_irq+0x23/0x50 [ 70.091074][ T5013] ? lockdep_hardirqs_on+0x7d/0x100 [ 70.096286][ T5013] ? _raw_spin_unlock_irq+0x2e/0x50 [ 70.101492][ T5013] __x64_sys_connect+0x73/0xb0 [ 70.106291][ T5013] do_syscall_64+0x39/0xb0 [ 70.110732][ T5013] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 70.116630][ T5013] RIP: 0033:0x7f09bc777879 [ 70.121053][ T5013] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 70.140666][ T5013] RSP: 002b:00007ffe17db67f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 70.149084][ T5013] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f09bc777879 [ 70.157059][ T5013] RDX: 0000000000000008 RSI: 0000000020000200 RDI: 0000000000000004 [ 70.165033][ T5013] RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000800000015 [ 70.173006][ T5013] R10: 0000000000000000 R11: 0000000000000246 R12: 0000555555a6d2b8 [ 70.181065][ T5013] R13: 00007ffe17db6850 R14: 0000000000000072 R15: 00007ffe17db6860 [ 70.189056][ T5013] [ 70.194141][ T5013] general protection fault, probably for non-canonical address 0xdffffc000000013b: 0000 [#1] PREEMPT SMP KASAN [ 70.205875][ T5013] KASAN: null-ptr-deref in range [0x00000000000009d8-0x00000000000009df] [ 70.214280][ T5013] CPU: 1 PID: 5013 Comm: syz-executor238 Not tainted 6.4.0-rc7-syzkaller-01944-g3674fbf0451d #0 [ 70.224683][ T5013] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 [ 70.234734][ T5013] RIP: 0010:sco_conn_add+0x2a/0x330 [ 70.239931][ T5013] Code: 41 57 41 56 41 55 49 89 fd 41 54 55 49 8d ad d8 09 00 00 53 e8 b7 f1 5a f8 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 02 00 00 4d 8b a5 d8 09 00 00 4d 85 e4 74 13 [ 70.259529][ T5013] RSP: 0018:ffffc90003a8fd50 EFLAGS: 00010202 [ 70.265587][ T5013] RAX: dffffc0000000000 RBX: ffff888028830000 RCX: 0000000000000000 [ 70.273550][ T5013] RDX: 000000000000013b RSI: ffffffff892957a9 RDI: 0000000000000000 [ 70.281527][ T5013] RBP: 00000000000009d8 R08: 0000000000000005 R09: 0000000000000000 [ 70.289491][ T5013] R10: 0000000000000010 R11: 0000000000000001 R12: 0000000000000000 [ 70.297451][ T5013] R13: 0000000000000000 R14: ffff8880203cf540 R15: ffff888028830010 [ 70.305417][ T5013] FS: 0000555555a6d300(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 [ 70.314341][ T5013] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 70.320918][ T5013] CR2: 00007f09bc7db6e3 CR3: 0000000025e98000 CR4: 00000000003506e0 [ 70.328889][ T5013] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 70.336873][ T5013] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 70.344838][ T5013] Call Trace: [ 70.348103][ T5013] [ 70.351019][ T5013] ? die_addr+0x3c/0xa0 [ 70.355176][ T5013] ? exc_general_protection+0x129/0x230 [ 70.360727][ T5013] ? asm_exc_general_protection+0x26/0x30 [ 70.366443][ T5013] ? sco_conn_add+0x19/0x330 [ 70.371026][ T5013] ? sco_conn_add+0x2a/0x330 [ 70.375625][ T5013] sco_sock_connect+0x321/0xae0 [ 70.380498][ T5013] ? sco_sock_recvmsg+0x510/0x510 [ 70.385540][ T5013] __sys_connect_file+0x153/0x1a0 [ 70.390556][ T5013] __sys_connect+0x165/0x1a0 [ 70.395142][ T5013] ? __sys_connect_file+0x1a0/0x1a0 [ 70.400353][ T5013] ? lock_downgrade+0x690/0x690 [ 70.405207][ T5013] ? _raw_spin_unlock_irq+0x23/0x50 [ 70.410402][ T5013] ? lockdep_hardirqs_on+0x7d/0x100 [ 70.415598][ T5013] ? _raw_spin_unlock_irq+0x2e/0x50 [ 70.420790][ T5013] __x64_sys_connect+0x73/0xb0 [ 70.425550][ T5013] do_syscall_64+0x39/0xb0 [ 70.429970][ T5013] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 70.435854][ T5013] RIP: 0033:0x7f09bc777879 [ 70.440252][ T5013] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 70.459853][ T5013] RSP: 002b:00007ffe17db67f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 70.468270][ T5013] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f09bc777879 [ 70.476243][ T5013] RDX: 0000000000000008 RSI: 0000000020000200 RDI: 0000000000000004 [ 70.484220][ T5013] RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000800000015 [ 70.492187][ T5013] R10: 0000000000000000 R11: 0000000000000246 R12: 0000555555a6d2b8 [ 70.500173][ T5013] R13: 00007ffe17db6850 R14: 0000000000000072 R15: 00007ffe17db6860 [ 70.508145][ T5013] [ 70.511151][ T5013] Modules linked in: [ 70.516945][ T5013] ---[ end trace 0000000000000000 ]--- [ 70.522455][ T5013] RIP: 0010:sco_conn_add+0x2a/0x330 [ 70.527654][ T5013] Code: 41 57 41 56 41 55 49 89 fd 41 54 55 49 8d ad d8 09 00 00 53 e8 b7 f1 5a f8 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 02 00 00 4d 8b a5 d8 09 00 00 4d 85 e4 74 13 [ 70.547601][ T5013] RSP: 0018:ffffc90003a8fd50 EFLAGS: 00010202 [ 70.553846][ T5013] RAX: dffffc0000000000 RBX: ffff888028830000 RCX: 0000000000000000 [ 70.561832][ T5013] RDX: 000000000000013b RSI: ffffffff892957a9 RDI: 0000000000000000 [ 70.569925][ T5013] RBP: 00000000000009d8 R08: 0000000000000005 R09: 0000000000000000 [ 70.578081][ T5013] R10: 0000000000000010 R11: 0000000000000001 R12: 0000000000000000 [ 70.586269][ T5013] R13: 0000000000000000 R14: ffff8880203cf540 R15: ffff888028830010 [ 70.594479][ T5013] FS: 0000555555a6d300(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 [ 70.603608][ T5013] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 70.610186][ T5013] CR2: 00005653cab3d008 CR3: 0000000025e98000 CR4: 00000000003506e0 [ 70.618349][ T5013] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 70.626469][ T5013] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 70.634617][ T5013] Kernel panic - not syncing: Fatal exception [ 70.640841][ T5013] Kernel Offset: disabled [ 70.645157][ T5013] Rebooting in 86400 seconds..