Warning: Permanently added '10.128.1.235' (ED25519) to the list of known hosts.
2025/11/17 02:38:29 ignoring optional flag "type"="gce"
2025/11/17 02:38:29 parsed 1 programs
2025/11/17 02:38:30 executed programs: 0
[ 97.479832][ T6012] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 97.527935][ T53] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 97.535810][ T53] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 97.543625][ T53] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 97.552854][ T53] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 97.561401][ T53] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 97.570621][ T5146] ==================================================================
[ 97.578711][ T5146] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[ 97.586153][ T5146] Read of size 2 at addr ffff888076c96b78 by task kworker/u9:1/5146
[ 97.594107][ T5146]
[ 97.596426][ T5146] CPU: 0 UID: 0 PID: 5146 Comm: kworker/u9:1 Not tainted syzkaller #0 PREEMPT(full)
[ 97.596438][ T5146] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 97.596446][ T5146] Workqueue: hci0 hci_cmd_work
[ 97.596475][ T5146] Call Trace:
[ 97.596482][ T5146]
[ 97.596489][ T5146]  dump_stack_lvl+0x189/0x250
[ 97.596510][ T5146]  ? __virt_addr_valid+0x1c8/0x5c0
[ 97.596525][ T5146]  ? rcu_is_watching+0x15/0xb0
[ 97.596538][ T5146]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 97.596556][ T5146]  ? rcu_is_watching+0x15/0xb0
[ 97.596569][ T5146]  ? lock_release+0x4b/0x3d0
[ 97.596588][ T5146]  ? _raw_spin_lock_irqsave+0xb3/0xf0
[ 97.596599][ T5146]  ? __virt_addr_valid+0x1c8/0x5c0
[ 97.596608][ T5146]  ? __virt_addr_valid+0x4a5/0x5c0
[ 97.596618][ T5146]  print_report+0xca/0x240
[ 97.596630][ T5146]  ? hci_cmd_work+0x5d0/0x7b0
[ 97.596641][ T5146]  kasan_report+0x118/0x150
[ 97.596654][ T5146]  ? hci_cmd_work+0x5d0/0x7b0
[ 97.596666][ T5146]  hci_cmd_work+0x5d0/0x7b0
[ 97.596678][ T5146]  ? process_one_work+0x868/0x15e0
[ 97.596690][ T5146]  process_one_work+0x93a/0x15e0
[ 97.596701][ T5146]  ? __lock_acquire+0xab9/0xd20
[ 97.596716][ T5146]  ? __pfx_process_one_work+0x10/0x10
[ 97.596729][ T5146]  ? assign_work+0x3a1/0x410
[ 97.596741][ T5146]  worker_thread+0x9b0/0xee0
[ 97.596758][ T5146]  kthread+0x711/0x8a0
[ 97.596768][ T5146]  ? __pfx_worker_thread+0x10/0x10
[ 97.596779][ T5146]  ? __pfx_kthread+0x10/0x10
[ 97.596787][ T5146]  ? _raw_spin_unlock_irq+0x23/0x50
[ 97.596796][ T5146]  ? lockdep_hardirqs_on+0x9c/0x150
[ 97.596807][ T5146]  ? __pfx_kthread+0x10/0x10
[ 97.596815][ T5146]  ret_from_fork+0x599/0xb30
[ 97.596828][ T5146]  ? __pfx_ret_from_fork+0x10/0x10
[ 97.596840][ T5146]  ? __switch_to_asm+0x39/0x70
[ 97.596849][ T5146]  ? __switch_to_asm+0x33/0x70
[ 97.596858][ T5146]  ? __pfx_kthread+0x10/0x10
[ 97.596866][ T5146]  ret_from_fork_asm+0x1a/0x30
[ 97.596878][ T5146]
[ 97.596882][ T5146]
[ 97.785800][ T5146] Allocated by task 6019:
[ 97.790107][ T5146]  kasan_save_track+0x3e/0x80
[ 97.794761][ T5146]  __kasan_slab_alloc+0x6c/0x80
[ 97.799587][ T5146]  kmem_cache_alloc_node_noprof+0x43c/0x710
[ 97.805467][ T5146]  __alloc_skb+0x112/0x2d0
[ 97.809894][ T5146]  hci_cmd_sync_alloc+0x3d/0x3b0
[ 97.814812][ T5146]  __hci_cmd_sync_sk+0x1a7/0xc70
[ 97.819753][ T5146]  hci_cmd_sync_status+0x4d/0x150
[ 97.824765][ T5146]  hci_dev_cmd+0x431/0x7d0
[ 97.829159][ T5146]  sock_do_ioctl+0xdc/0x300
[ 97.833642][ T5146]  sock_ioctl+0x576/0x790
[ 97.837949][ T5146]  __se_sys_ioctl+0xfc/0x170
[ 97.842553][ T5146]  do_syscall_64+0xfa/0xfa0
[ 97.847040][ T5146]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 97.852911][ T5146]
[ 97.855216][ T5146] Freed by task 6020:
[ 97.859177][ T5146]  kasan_save_track+0x3e/0x80
[ 97.863829][ T5146]  kasan_save_free_info+0x46/0x50
[ 97.868829][ T5146]  __kasan_slab_free+0x5c/0x80
[ 97.873655][ T5146]  kmem_cache_free+0x197/0x640
[ 97.878398][ T5146]  vhci_read+0x49a/0x5b0
[ 97.882621][ T5146]  vfs_read+0x200/0xa30
[ 97.886751][ T5146]  ksys_read+0x145/0x250
[ 97.891045][ T5146]  do_syscall_64+0xfa/0xfa0
[ 97.895542][ T5146]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 97.901421][ T5146]
[ 97.903724][ T5146] The buggy address belongs to the object at ffff888076c96b40
[ 97.903724][ T5146]  which belongs to the cache skbuff_head_cache of size 240
[ 97.918278][ T5146] The buggy address is located 56 bytes inside of
[ 97.918278][ T5146]  freed 240-byte region [ffff888076c96b40, ffff888076c96c30)
[ 97.931963][ T5146]
[ 97.934265][ T5146] The buggy address belongs to the physical page:
[ 97.940657][ T5146] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x76c96
[ 97.949397][ T5146] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 97.956486][ T5146] page_type: f5(slab)
[ 97.960455][ T5146] raw: 00fff00000000000 ffff8881416be000 dead000000000122 0000000000000000
[ 97.969011][ T5146] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[ 97.977564][ T5146] page dumped because: kasan: bad access detected
[ 97.983960][ T5146] page_owner tracks the page as allocated
[ 97.989648][ T5146] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 53, tgid 53 (kworker/u9:0), ts 97561379057, free_ts 97551861869
[ 98.008636][ T5146]  post_alloc_hook+0x240/0x2a0
[ 98.013382][ T5146]  get_page_from_freelist+0x2365/0x2440
[ 98.018904][ T5146]  __alloc_frozen_pages_noprof+0x181/0x370
[ 98.024684][ T5146]  alloc_pages_mpol+0x232/0x4a0
[ 98.029508][ T5146]  allocate_slab+0x86/0x3b0
[ 98.033990][ T5146]  ___slab_alloc+0xf56/0x1990
[ 98.038641][ T5146]  __slab_alloc+0x65/0x100
[ 98.043032][ T5146]  kmem_cache_alloc_noprof+0x40f/0x700
[ 98.048460][ T5146]  skb_clone+0x212/0x3a0
[ 98.052677][ T5146]  hci_event_packet+0x3f4/0x1260
[ 98.057591][ T5146]  hci_rx_work+0x45d/0xfc0
[ 98.061989][ T5146]  process_one_work+0x93a/0x15e0
[ 98.066901][ T5146]  worker_thread+0x9b0/0xee0
[ 98.071505][ T5146]  kthread+0x711/0x8a0
[ 98.075547][ T5146]  ret_from_fork+0x599/0xb30
[ 98.080136][ T5146]  ret_from_fork_asm+0x1a/0x30
[ 98.084873][ T5146] page last free pid 53 tgid 53 stack trace:
[ 98.090831][ T5146]  __free_frozen_pages+0xbc8/0xd30
[ 98.095916][ T5146]  __put_partials+0x146/0x170
[ 98.100660][ T5146]  put_cpu_partial+0x1f2/0x2e0
[ 98.105415][ T5146]  __slab_free+0x288/0x2a0
[ 98.109816][ T5146]  qlist_free_all+0x97/0x100
[ 98.114386][ T5146]  kasan_quarantine_reduce+0x148/0x160
[ 98.119824][ T5146]  __kasan_slab_alloc+0x22/0x80
[ 98.124684][ T5146]  kmem_cache_alloc_noprof+0x37d/0x700
[ 98.130121][ T5146]  skb_clone+0x212/0x3a0
[ 98.134345][ T5146]  hci_cmd_work+0xe2/0x7b0
[ 98.138738][ T5146]  process_one_work+0x93a/0x15e0
[ 98.143663][ T5146]  worker_thread+0x9b0/0xee0
[ 98.148231][ T5146]  kthread+0x711/0x8a0
[ 98.152293][ T5146]  ret_from_fork+0x599/0xb30
[ 98.156875][ T5146]  ret_from_fork_asm+0x1a/0x30
[ 98.161625][ T5146]
[ 98.163929][ T5146] Memory state around the buggy address:
[ 98.169536][ T5146]  ffff888076c96a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 98.177588][ T5146]  ffff888076c96a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 98.185637][ T5146] >ffff888076c96b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 98.193677][ T5146]                                                                 ^
[ 98.201630][ T5146]  ffff888076c96b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 98.209669][ T5146]  ffff888076c96c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 98.217705][ T5146] ==================================================================
[ 98.227702][ T5146] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 98.234918][ T5146] CPU: 0 UID: 0 PID: 5146 Comm: kworker/u9:1 Not tainted syzkaller #0 PREEMPT(full)
[ 98.244371][ T5146] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 98.254495][ T5146] Workqueue: hci0 hci_cmd_work
[ 98.259335][ T5146] Call Trace:
[ 98.262600][ T5146]
[ 98.265511][ T5146]  dump_stack_lvl+0x99/0x250
[ 98.270089][ T5146]  ? __asan_memcpy+0x40/0x70
[ 98.274659][ T5146]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 98.279835][ T5146]  ? __pfx__printk+0x10/0x10
[ 98.284412][ T5146]  vpanic+0x237/0x6d0
[ 98.288550][ T5146]  ? __pfx_vpanic+0x10/0x10
[ 98.293032][ T5146]  ? preempt_schedule+0xae/0xc0
[ 98.297860][ T5146]  ? __pfx_preempt_schedule+0x10/0x10
[ 98.303207][ T5146]  panic+0xb9/0xc0
[ 98.306906][ T5146]  ? __pfx_panic+0x10/0x10
[ 98.311296][ T5146]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 98.317167][ T5146]  ? is_module_address+0x17/0xf0
[ 98.322177][ T5146]  ? hci_cmd_work+0x5d0/0x7b0
[ 98.326833][ T5146]  check_panic_on_warn+0x89/0xb0
[ 98.331754][ T5146]  ? hci_cmd_work+0x5d0/0x7b0
[ 98.336407][ T5146]  end_report+0x6f/0x160
[ 98.340628][ T5146]  kasan_report+0x129/0x150
[ 98.345115][ T5146]  ? hci_cmd_work+0x5d0/0x7b0
[ 98.350121][ T5146]  hci_cmd_work+0x5d0/0x7b0
[ 98.354692][ T5146]  ? process_one_work+0x868/0x15e0
[ 98.359782][ T5146]  process_one_work+0x93a/0x15e0
[ 98.364711][ T5146]  ? __lock_acquire+0xab9/0xd20
[ 98.369576][ T5146]  ? __pfx_process_one_work+0x10/0x10
[ 98.374960][ T5146]  ? assign_work+0x3a1/0x410
[ 98.379535][ T5146]  worker_thread+0x9b0/0xee0
[ 98.384117][ T5146]  kthread+0x711/0x8a0
[ 98.388164][ T5146]  ? __pfx_worker_thread+0x10/0x10
[ 98.393255][ T5146]  ? __pfx_kthread+0x10/0x10
[ 98.397822][ T5146]  ? _raw_spin_unlock_irq+0x23/0x50
[ 98.402996][ T5146]  ? lockdep_hardirqs_on+0x9c/0x150
[ 98.408166][ T5146]  ? __pfx_kthread+0x10/0x10
[ 98.412730][ T5146]  ret_from_fork+0x599/0xb30
[ 98.417298][ T5146]  ? __pfx_ret_from_fork+0x10/0x10
[ 98.422389][ T5146]  ? __switch_to_asm+0x39/0x70
[ 98.427126][ T5146]  ? __switch_to_asm+0x33/0x70
[ 98.431863][ T5146]  ? __pfx_kthread+0x10/0x10
[ 98.436426][ T5146]  ret_from_fork_asm+0x1a/0x30
[ 98.441172][ T5146]
[ 98.444462][ T5146] Kernel Offset: disabled
[ 98.448772][ T5146] Rebooting in 86400 seconds..