Warning: Permanently added '10.128.1.103' (ED25519) to the list of known hosts.
1970/01/01 00:00:59 ignoring optional flag "sandboxArg"="0"
1970/01/01 00:00:59 parsed 1 programs
[ 60.071569][ T6439] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SS
1970/01/01 00:00:59 executed programs: 0
[ 60.110357][ T5661] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 60.113317][ T5661] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 60.115799][ T5661] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 60.118737][ T5661] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 60.121374][ T5661] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 60.123932][ T5661] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 60.193304][ T6446] chnl_net:caif_netlink_parms(): no params data found
[ 60.222660][ T6446] bridge0: port 1(bridge_slave_0) entered blocking state
[ 60.224624][ T6446] bridge0: port 1(bridge_slave_0) entered disabled state
[ 60.226547][ T6446] bridge_slave_0: entered allmulticast mode
[ 60.228626][ T6446] bridge_slave_0: entered promiscuous mode
[ 60.232175][ T6446] bridge0: port 2(bridge_slave_1) entered blocking state
[ 60.234238][ T6446] bridge0: port 2(bridge_slave_1) entered disabled state
[ 60.236189][ T6446] bridge_slave_1: entered allmulticast mode
[ 60.238193][ T6446] bridge_slave_1: entered promiscuous mode
[ 60.250140][ T6446] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 60.254242][ T6446] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 60.267684][ T6446] team0: Port device team_slave_0 added
[ 60.270692][ T6446] team0: Port device team_slave_1 added
[ 60.281206][ T6446] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 60.283432][ T6446] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 60.290068][ T6446] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 60.294327][ T6446] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 60.296287][ T6446] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 60.302802][ T6446] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 60.363680][ T6446] hsr_slave_0: entered promiscuous mode
[ 60.422402][ T6446] hsr_slave_1: entered promiscuous mode
[ 61.367453][ T6446] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 61.404686][ T6446] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 61.433917][ T6446] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 61.474004][ T6446] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 61.544802][ T6446] 8021q: adding VLAN 0 to HW filter on device bond0
[ 61.551899][ T6446] 8021q: adding VLAN 0 to HW filter on device team0
[ 61.560074][ T5889] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.561930][ T5889] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 61.577239][ T6528] bridge0: port 2(bridge_slave_1) entered blocking state
[ 61.579101][ T6528] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 61.674595][ T6446] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 61.698478][ T6446] veth0_vlan: entered promiscuous mode
[ 61.705416][ T6446] veth1_vlan: entered promiscuous mode
[ 61.720582][ T6446] veth0_macvtap: entered promiscuous mode
[ 61.727477][ T6446] veth1_macvtap: entered promiscuous mode
[ 61.736445][ T6446] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 61.739889][ T6446] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 61.749895][ T6446] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 61.752300][ T6446] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 61.754560][ T6446] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 61.756813][ T6446] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 61.797417][ T307] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 61.799567][ T307] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 61.814436][ T307] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 61.816518][ T307] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 62.172807][ T5661] Bluetooth: hci0: command 0x0409 tx timeout
[ 64.252249][ T6096] Bluetooth: hci0: command 0x041b tx timeout
[ 64.574855][ T2212] ieee802154 phy0 wpan0: encryption failed: -22
[ 64.576685][ T2212] ieee802154 phy1 wpan1: encryption failed: -22
1970/01/01 00:01:05 executed programs: 4
[ 66.342132][ T6096] Bluetooth: hci0: command 0x040f tx timeout
[ 68.412505][ T5661] Bluetooth: hci0: command 0x0419 tx timeout
[ 69.693933][ T1365] cfg80211: failed to load regulatory.db
1970/01/01 00:01:10 executed programs: 10
[ 70.492204][ T6096] Bluetooth: hci0: command 0x0407 tx timeout
[ 71.201562][ T6829] ==================================================================
[ 71.203753][ T6829] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2bc
[ 71.205705][ T6829] Write of size 4 at addr ffff0000d750a010 by task syz-executor.0/6829
[ 71.207895][ T6829]
[ 71.208503][ T6829] CPU: 0 PID: 6829 Comm: syz-executor.0 Not tainted 6.6.0-rc7-syzkaller-00089-g8de1e7afcc1c-dirty #0
[ 71.211422][ T6829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
[ 71.214135][ T6829] Call trace:
[ 71.214967][ T6829]  dump_backtrace+0x1b8/0x1e4
[ 71.216158][ T6829]  show_stack+0x2c/0x44
[ 71.217243][ T6829]  dump_stack_lvl+0xd0/0x124
[ 71.218414][ T6829]  print_report+0x174/0x514
[ 71.219612][ T6829]  kasan_report+0xd8/0x138
[ 71.220768][ T6829]  kasan_check_range+0x254/0x294
[ 71.222070][ T6829]  __kasan_check_write+0x20/0x30
[ 71.223350][ T6829]  hci_conn_drop+0x34/0x2bc
[ 71.224558][ T6829]  __sco_sock_close+0x3a8/0x7d0
[ 71.225859][ T6829]  sco_sock_release+0xb4/0x2c0
[ 71.227126][ T6829]  sock_close+0xa4/0x1e8
[ 71.228235][ T6829]  __fput+0x324/0x7f8
[ 71.229200][ T6829]  __fput_sync+0x60/0x9c
[ 71.230338][ T6829]  __arm64_sys_close+0x150/0x1e0
[ 71.231661][ T6829]  invoke_syscall+0x98/0x2b8
[ 71.232826][ T6829]  el0_svc_common+0x130/0x23c
[ 71.234013][ T6829]  do_el0_svc+0x48/0x58
[ 71.235109][ T6829]  el0_svc+0x54/0x158
[ 71.236208][ T6829]  el0t_64_sync_handler+0x84/0xfc
[ 71.237512][ T6829]  el0t_64_sync+0x190/0x194
[ 71.238697][ T6829]
[ 71.239285][ T6829] Allocated by task 6830:
[ 71.240418][ T6829]  kasan_set_track+0x4c/0x7c
[ 71.241626][ T6829]  kasan_save_alloc_info+0x24/0x30
[ 71.243002][ T6829]  __kasan_kmalloc+0xac/0xc4
[ 71.244211][ T6829]  kmalloc_trace+0x70/0x88
[ 71.245390][ T6829]  hci_conn_add+0xcc/0x1210
[ 71.246554][ T6829]  hci_connect_sco+0x94/0x2bc
[ 71.247787][ T6829]  sco_sock_connect+0x278/0x840
[ 71.249048][ T6829]  __sys_connect+0x268/0x290
[ 71.250271][ T6829]  __arm64_sys_connect+0x7c/0x94
[ 71.251558][ T6829]  invoke_syscall+0x98/0x2b8
[ 71.252778][ T6829]  el0_svc_common+0x130/0x23c
[ 71.254039][ T6829]  do_el0_svc+0x48/0x58
[ 71.255158][ T6829]  el0_svc+0x54/0x158
[ 71.256211][ T6829]  el0t_64_sync_handler+0x84/0xfc
[ 71.257597][ T6829]  el0t_64_sync+0x190/0x194
[ 71.258744][ T6829]
[ 71.259367][ T6829] Freed by task 5661:
[ 71.260437][ T6829]  kasan_set_track+0x4c/0x7c
[ 71.261646][ T6829]  kasan_save_free_info+0x38/0x5c
[ 71.262973][ T6829]  ____kasan_slab_free+0x144/0x1c0
[ 71.264413][ T6829]  __kasan_slab_free+0x18/0x28
[ 71.265624][ T6829]  __kmem_cache_free+0x2ac/0x480
[ 71.266958][ T6829]  kfree+0xb8/0x19c
[ 71.267994][ T6829]  bt_link_release+0x20/0x30
[ 71.269239][ T6829]  device_release+0x8c/0x1ac
[ 71.270457][ T6829]  kobject_put+0x1c4/0x3c4
[ 71.271633][ T6829]  put_device+0x28/0x40
[ 71.272694][ T6829]  hci_conn_del+0x78c/0xabc
[ 71.273763][ T6829]  hci_conn_failed+0x204/0x2c0
[ 71.274901][ T6829]  hci_abort_conn_sync+0x688/0xe38
[ 71.276171][ T6829]  abort_conn_sync+0x5c/0x8c
[ 71.277354][ T6829]  hci_cmd_sync_work+0x1cc/0x34c
[ 71.278568][ T6829]  process_one_work+0x694/0x1204
[ 71.279886][ T6829]  worker_thread+0x938/0xef4
[ 71.281054][ T6829]  kthread+0x288/0x310
[ 71.282155][ T6829]  ret_from_fork+0x10/0x20
[ 71.283304][ T6829]
[ 71.283861][ T6829] The buggy address belongs to the object at ffff0000d750a000
[ 71.283861][ T6829]  which belongs to the cache kmalloc-4k of size 4096
[ 71.287508][ T6829] The buggy address is located 16 bytes inside of
[ 71.287508][ T6829]  freed 4096-byte region [ffff0000d750a000, ffff0000d750b000)
[ 71.291091][ T6829]
[ 71.291705][ T6829] The buggy address belongs to the physical page:
[ 71.293364][ T6829] page:00000000d7ff5a94 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117508
[ 71.295988][ T6829] head:00000000d7ff5a94 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 71.298442][ T6829] flags: 0x5ffc00000000840(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 71.300568][ T6829] page_type: 0xffffffff()
[ 71.301657][ T6829] raw: 05ffc00000000840 ffff0000c0002140 dead000000000122 0000000000000000
[ 71.303940][ T6829] raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
[ 71.306233][ T6829] page dumped because: kasan: bad access detected
[ 71.307868][ T6829]
[ 71.308476][ T6829] Memory state around the buggy address:
[ 71.309922][ T6829]  ffff0000d7509f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 71.311995][ T6829]  ffff0000d7509f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 71.314139][ T6829] >ffff0000d750a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.316313][ T6829]                    ^
[ 71.317562][ T6829]  ffff0000d750a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.319659][ T6829]  ffff0000d750a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.321751][ T6829] ==================================================================
[ 71.324231][ T6829] Disabling lock debugging due to kernel taint
[ 71.325877][ T6829] ------------[ cut here ]------------
[ 71.327425][ T6829] ODEBUG: assert_init not available (active state 0) object: 000000003c9b8964 object type: timer_list hint: hci_conn_timeout+0x0/0x1e8
[ 71.331338][ T6829] WARNING: CPU: 0 PID: 6829 at lib/debugobjects.c:517 debug_print_object+0x168/0x1e0
[ 71.333819][ T6829] Modules linked in:
[ 71.334798][ T6829] CPU: 0 PID: 6829 Comm: syz-executor.0 Tainted: G B 6.6.0-rc7-syzkaller-00089-g8de1e7afcc1c-dirty #0
[ 71.338085][ T6829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
[ 71.340768][ T6829] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 71.342794][ T6829] pc : debug_print_object+0x168/0x1e0
[ 71.344199][ T6829] lr : debug_print_object+0x168/0x1e0
[ 71.345614][ T6829] sp : ffff800096e67790
[ 71.346706][ T6829] x29: ffff800096e67790 x28: dfff800000000000 x27: ffff700012dccf00
[ 71.348807][ T6829] x26: dfff800000000000 x25: dfff800000000000 x24: ffff0000d750a390
[ 71.350970][ T6829] x23: ffff80008ad651a0 x22: ffff800089881d98 x21: ffff80008a89c360
[ 71.353041][ T6829] x20: 0000000000000000 x19: ffff80008ad64cc0 x18: 0000000000000000
[ 71.355135][ T6829] x17: 0000000000000000 x16: ffff80008a71b23c x15: 0000000000000001
[ 71.357287][ T6829] x14: 1ffff00012dcce44 x13: 0000000000000000 x12: 0000000000000000
[ 71.359390][ T6829] x11: 0000000000000001 x10: 0000000000000000 x9 : 49493c6eef4d4300
[ 71.361505][ T6829] x8 : 49493c6eef4d4300 x7 : 0000000000000001 x6 : 0000000000000001
[ 71.363682][ T6829] x5 : ffff800096e67078 x4 : ffff80008e4210a0 x3 : ffff800082b180c4
[ 71.365895][ T6829] x2 : 0000000000000001 x1 : 0000000100000001 x0 : 0000000000000000
[ 71.367988][ T6829] Call trace:
[ 71.368868][ T6829]  debug_print_object+0x168/0x1e0
[ 71.370229][ T6829]  debug_object_assert_init+0x318/0x3c8
[ 71.371723][ T6829]  __timer_delete+0xac/0x2f8
[ 71.373036][ T6829]  timer_delete+0x24/0x34
[ 71.374195][ T6829]  try_to_grab_pending+0x8c/0x618
[ 71.375528][ T6829]  __cancel_work+0xb0/0x2a8
[ 71.376675][ T6829]  cancel_delayed_work+0x24/0x38
[ 71.377977][ T6829]  hci_conn_drop+0x150/0x2bc
[ 71.379203][ T6829]  __sco_sock_close+0x3a8/0x7d0
[ 71.380506][ T6829]  sco_sock_release+0xb4/0x2c0
[ 71.381781][ T6829]  sock_close+0xa4/0x1e8
[ 71.382903][ T6829]  __fput+0x324/0x7f8
[ 71.383996][ T6829]  __fput_sync+0x60/0x9c
[ 71.385162][ T6829]  __arm64_sys_close+0x150/0x1e0
[ 71.386500][ T6829]  invoke_syscall+0x98/0x2b8
[ 71.387742][ T6829]  el0_svc_common+0x130/0x23c
[ 71.389006][ T6829]  do_el0_svc+0x48/0x58
[ 71.390128][ T6829]  el0_svc+0x54/0x158
[ 71.391205][ T6829]  el0t_64_sync_handler+0x84/0xfc
[ 71.392532][ T6829]  el0t_64_sync+0x190/0x194
[ 71.393695][ T6829] irq event stamp: 14487
[ 71.394749][ T6829] hardirqs last enabled at (14487): [] exit_to_kernel_mode+0xdc/0x10c
[ 71.397439][ T6829] hardirqs last disabled at (14486): [] __do_softirq+0x950/0xd54
[ 71.399863][ T6829] softirqs last enabled at (14306): [] lock_sock_nested+0xcc/0x11c
[ 71.402361][ T6829] softirqs last disabled at (14304): [] lock_sock_nested+0x74/0x11c
[ 71.404938][ T6829] ---[ end trace 0000000000000000 ]---
[ 71.406580][ T6829] ------------[ cut here ]------------
[ 71.408005][ T6829] WARNING: CPU: 0 PID: 6829 at kernel/workqueue.c:1939 queue_delayed_work_on+0x214/0x2e4
[ 71.410519][ T6829] Modules linked in:
[ 71.411501][ T6829] CPU: 0 PID: 6829 Comm: syz-executor.0 Tainted: G B W 6.6.0-rc7-syzkaller-00089-g8de1e7afcc1c-dirty #0
[ 71.414778][ T6829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
[ 71.417383][ T6829] pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 71.419374][ T6829] pc : queue_delayed_work_on+0x214/0x2e4
[ 71.420806][ T6829] lr : queue_delayed_work_on+0x214/0x2e4
[ 71.422280][ T6829] sp : ffff800096e67af0
[ 71.423361][ T6829] x29: ffff800096e67af0 x28: 1fffe000193ba0c0 x27: dfff800000000000
[ 71.425464][ T6829] x26: 0000000000000000 x25: ffff0000d750a3a8 x24: ffff0000c864c000
[ 71.427567][ T6829] x23: 0000000000000000 x22: ffff0000d750a348 x21: 0000000000000008
[ 71.429740][ T6829] x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000000
[ 71.431826][ T6829] x17: 0000000000000000 x16: ffff80008a71b23c x15: ffff60001aea1469
[ 71.433895][ T6829] x14: 1fffe0001aea1469 x13: 00000000000000fb x12: ffffffffffffffff
[ 71.436039][ T6829] x11: 0000000000000001 x10: 0000000000000000 x9 : 0000000000000000
[ 71.438098][ T6829] x8 : ffff0000d1d29bc0 x7 : 0000000000000000 x6 : 0000000000000000
[ 71.440195][ T6829] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff800080221e68
[ 71.442290][ T6829] x2 : 0000000000000000 x1 : 0000000000000008 x0 : 0000000000000000
[ 71.444407][ T6829] Call trace:
[ 71.445296][ T6829]  queue_delayed_work_on+0x214/0x2e4
[ 71.446681][ T6829]  hci_conn_drop+0x198/0x2bc
[ 71.447845][ T6829]  __sco_sock_close+0x3a8/0x7d0
[ 71.449160][ T6829]  sco_sock_release+0xb4/0x2c0
[ 71.450409][ T6829]  sock_close+0xa4/0x1e8
[ 71.451504][ T6829]  __fput+0x324/0x7f8
[ 71.452512][ T6829]  __fput_sync+0x60/0x9c
[ 71.453642][ T6829]  __arm64_sys_close+0x150/0x1e0
[ 71.454995][ T6829]  invoke_syscall+0x98/0x2b8
[ 71.456210][ T6829]  el0_svc_common+0x130/0x23c
[ 71.457440][ T6829]  do_el0_svc+0x48/0x58
[ 71.458493][ T6829]  el0_svc+0x54/0x158
[ 71.459567][ T6829]  el0t_64_sync_handler+0x84/0xfc
[ 71.460893][ T6829]  el0t_64_sync+0x190/0x194
[ 71.462105][ T6829] irq event stamp: 14487
[ 71.463234][ T6829] hardirqs last enabled at (14487): [] exit_to_kernel_mode+0xdc/0x10c
[ 71.465772][ T6829] hardirqs last disabled at (14486): [] __do_softirq+0x950/0xd54
[ 71.468223][ T6829] softirqs last enabled at (14306): [] lock_sock_nested+0xcc/0x11c
[ 71.470726][ T6829] softirqs last disabled at (14304): [] lock_sock_nested+0x74/0x11c
[ 71.473220][ T6829] ---[ end trace 0000000000000000 ]---
[ 71.474657][ T6829] ------------[ cut here ]------------
[ 71.476045][ T6829] ODEBUG: activate not available (active state 0) object: 00000000009b9630 object type: work_struct hint: hci_conn_timeout+0x0/0x1e8
[ 71.479969][ T6829] WARNING: CPU: 0 PID: 6829 at lib/debugobjects.c:517 debug_print_object+0x168/0x1e0
[ 71.482438][ T6829] Modules linked in:
[ 71.483471][ T6829] CPU: 0 PID: 6829 Comm: syz-executor.0 Tainted: G B W 6.6.0-rc7-syzkaller-00089-g8de1e7afcc1c-dirty #0
[ 71.486675][ T6829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
[ 71.489391][ T6829] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 71.491449][ T6829] pc : debug_print_object+0x168/0x1e0
[ 71.492863][ T6829] lr : debug_print_object+0x168/0x1e0
[ 71.494297][ T6829] sp : ffff800096e67870
[ 71.495361][ T6829] x29: ffff800096e67870 x28: dfff800000000000 x27: ffff700012dccf1c
[ 71.497495][ T6829] x26: ffff0000c9d81168 x25: dfff800000000000 x24: ffff0000d750a348
[ 71.499539][ T6829] x23: ffff80008ad651a0 x22: ffff800089881d98 x21: ffff80008a8710a0
[ 71.501667][ T6829] x20: 0000000000000000 x19: ffff80008ad64c40 x18: 0000000000000000
[ 71.503761][ T6829] x17: 0000000000000000 x16: ffff80008a71b23c x15: 0000000000000001
[ 71.505928][ T6829] x14: 1fffe0003682f032 x13: 0000000000000000 x12: 0000000000000000
[ 71.508106][ T6829] x11: 0000000000000002 x10: 0000000000000000 x9 : 49493c6eef4d4300
[ 71.510232][ T6829] x8 : 49493c6eef4d4300 x7 : 0000000000000001 x6 : 0000000000000001
[ 71.512341][ T6829] x5 : ffff800096e67158 x4 : ffff80008e4210a0 x3 : ffff8000805a359c
[ 71.514414][ T6829] x2 : 0000000000000001 x1 : 0000000000000002 x0 : 0000000000000000
[ 71.516547][ T6829] Call trace:
[ 71.517380][ T6829]  debug_print_object+0x168/0x1e0
[ 71.518668][ T6829]  debug_object_activate+0x600/0x7e0
[ 71.519987][ T6829]  insert_work+0x4c/0x2d4
[ 71.521086][ T6829]  __queue_work+0xcf4/0x1338
[ 71.522309][ T6829]  queue_delayed_work_on+0x1f4/0x2e4
[ 71.523645][ T6829]  hci_conn_drop+0x198/0x2bc
[ 71.524848][ T6829]  __sco_sock_close+0x3a8/0x7d0
[ 71.526172][ T6829]  sco_sock_release+0xb4/0x2c0
[ 71.527406][ T6829]  sock_close+0xa4/0x1e8
[ 71.528499][ T6829]  __fput+0x324/0x7f8
[ 71.529526][ T6829]  __fput_sync+0x60/0x9c
[ 71.530640][ T6829]  __arm64_sys_close+0x150/0x1e0
[ 71.531901][ T6829]  invoke_syscall+0x98/0x2b8
[ 71.533132][ T6829]  el0_svc_common+0x130/0x23c
[ 71.534326][ T6829]  do_el0_svc+0x48/0x58
[ 71.535387][ T6829]  el0_svc+0x54/0x158
[ 71.536386][ T6829]  el0t_64_sync_handler+0x84/0xfc
[ 71.537748][ T6829]  el0t_64_sync+0x190/0x194
[ 71.538905][ T6829] irq event stamp: 14487
[ 71.540043][ T6829] hardirqs last enabled at (14487): [] exit_to_kernel_mode+0xdc/0x10c
[ 71.542611][ T6829] hardirqs last disabled at (14486): [] __do_softirq+0x950/0xd54
[ 71.545005][ T6829] softirqs last enabled at (14306): [] lock_sock_nested+0xcc/0x11c
[ 71.547468][ T6829] softirqs last disabled at (14304): [] lock_sock_nested+0x74/0x11c
[ 71.550007][ T6829] ---[ end trace 0000000000000000 ]---
[ 71.551445][ T5661] ------------[ cut here ]------------
[ 71.552867][ T5661] ODEBUG: deactivate not available (active state 0) object: 00000000009b9630 object type: work_struct hint: hci_conn_timeout+0x0/0x1e8
[ 71.556940][ T5661] WARNING: CPU: 1 PID: 5661 at lib/debugobjects.c:517 debug_object_deactivate+0x340/0x414
[ 71.559553][ T5661] Modules linked in:
[ 71.560574][ T5661] CPU: 1 PID: 5661 Comm: kworker/u5:1 Tainted: G B W 6.6.0-rc7-syzkaller-00089-g8de1e7afcc1c-dirty #0
[ 71.563786][ T5661] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
[ 71.566472][ T5661] Workqueue: 0x0 (hci0)
[ 71.567608][ T5661] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 71.569738][ T5661] pc : debug_object_deactivate+0x340/0x414
[ 71.571257][ T5661] lr : debug_object_deactivate+0x340/0x414
[ 71.572796][ T5661] sp : ffff80009d817b00
[ 71.573892][ T5661] x29: ffff80009d817b00 x28: 1fffe0001aea1469 x27: 0000000000000001
[ 71.576004][ T5661] x26: ffff80008e340000 x25: dfff800000000000 x24: ffff0000c9d81168
[ 71.578123][ T5661] x23: 00000000000000c0 x22: ffff800092b0e000 x21: ffff80008a8710a0
[ 71.580277][ T5661] x20: ffff0000d750a348 x19: ffff800089881d98 x18: 1fffe000368333ce
[ 71.582360][ T5661] x17: 0000000000000000 x16: ffff80008a668900 x15: 0000000000000001
[ 71.584458][ T5661] x14: 1ffff00013b02e7c x13: 0000000000000000 x12: 0000000000000000
[ 71.586543][ T5661] x11: 0000000000000001 x10: 0000000000000000 x9 : 4bc99c4707233900
[ 71.588632][ T5661] x8 : 4bc99c4707233900 x7 : 0000000000000001 x6 : 0000000000000001
[ 71.590726][ T5661] x5 : ffff80009d8173f8 x4 : ffff80008e4210a0 x3 : ffff8000803639bc
[ 71.592776][ T5661] x2 : 0000000000000001 x1 : 0000000100000001 x0 : 0000000000000000
[ 71.594879][ T5661] Call trace:
[ 71.595782][ T5661]  debug_object_deactivate+0x340/0x414
[ 71.597252][ T5661]  process_one_work+0x198/0x1204
[ 71.598544][ T5661]  worker_thread+0x938/0xef4
[ 71.599735][ T5661]  kthread+0x288/0x310
[ 71.600812][ T5661]  ret_from_fork+0x10/0x20
[ 71.602067][ T5661] irq event stamp: 6372
[ 71.603167][ T5661] hardirqs last enabled at (6371): [] _raw_spin_unlock_irq+0x30/0x80
[ 71.605716][ T5661] hardirqs last disabled at (6372): [] __schedule+0x2b4/0x23b4
[ 71.608162][ T5661] softirqs last enabled at (6302): [] release_sock+0x15c/0x1b0
[ 71.610638][ T5661] softirqs last disabled at (6300): [] release_sock+0x3c/0x1b0
[ 71.613173][ T5661] ---[ end trace 0000000000000000 ]---
[ 72.572096][ T5661] Bluetooth: hci0: command 0x0405 tx timeout
[ 74.662109][ T6096] Bluetooth: hci0: command 0x0407 tx timeout
[ 74.984450][ T6841] ------------[ cut here ]------------
[ 74.985989][ T6841] ODEBUG: assert_init not available (active state 0) object: 00000000c9ef4a86 object type: timer_list hint: hci_conn_timeout+0x0/0x1e8
[ 74.990038][ T6841] WARNING: CPU: 0 PID: 6841 at lib/debugobjects.c:517 debug_print_object+0x168/0x1e0
[ 74.992631][ T6841] Modules linked in:
[ 74.993676][ T6841] CPU: 0 PID: 6841 Comm: syz-executor.0 Tainted: G B W 6.6.0-rc7-syzkaller-00089-g8de1e7afcc1c-dirty #0
[ 74.996912][ T6841] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
[ 74.999669][ T6841] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 75.001710][ T6841] pc : debug_print_object+0x168/0x1e0
[ 75.003193][ T6841] lr : debug_print_object+0x168/0x1e0
[ 75.004584][ T6841] sp : ffff800096ff7790
[ 75.005683][ T6841] x29: ffff800096ff7790 x28: dfff800000000000 x27: ffff700012dfef00
[ 75.007839][ T6841] x26: dfff800000000000 x25: dfff800000000000 x24: ffff0000da9ba390
[ 75.009928][ T6841] x23: ffff80008ad651a0 x22: ffff800089881d98 x21: ffff80008a89c360
[ 75.012058][ T6841] x20: 0000000000000000 x19: ffff80008ad64cc0 x18: 0000000000000000
[ 75.014141][ T6841] x17: 0000000000000000 x16: ffff80008a71b23c x15: 0000000000000001
[ 75.016261][ T6841] x14: 1fffe0003682f032 x13: 0000000000000000 x12: 0000000000000000
[ 75.018440][ T6841] x11: 0000000000000001 x10: 0000000000000000 x9 : 232218d8bc324900
[ 75.020613][ T6841] x8 : 232218d8bc324900 x7 : 0000000000000001 x6 : 0000000000000001
[ 75.022781][ T6841] x5 : ffff800096ff7078 x4 : ffff80008e4210a0 x3 : ffff8000805a359c
[ 75.024946][ T6841] x2 : 0000000000000001 x1 : 0000000100000001 x0 : 0000000000000000
[ 75.027141][ T6841] Call trace:
[ 75.027977][ T6841]  debug_print_object+0x168/0x1e0
[ 75.029285][ T6841]  debug_object_assert_init+0x318/0x3c8
[ 75.030754][ T6841]  __timer_delete+0xac/0x2f8
[ 75.031945][ T6841]  timer_delete+0x24/0x34
[ 75.033058][ T6841]  try_to_grab_pending+0x8c/0x618
[ 75.034386][ T6841]  __cancel_work+0xb0/0x2a8
[ 75.035595][ T6841]  cancel_delayed_work+0x24/0x38
[ 75.036887][ T6841]  hci_conn_drop+0x150/0x2bc
[ 75.038140][ T6841]  __sco_sock_close+0x3a8/0x7d0
[ 75.039397][ T6841]  sco_sock_release+0xb4/0x2c0
[ 75.040647][ T6841]  sock_close+0xa4/0x1e8
[ 75.041808][ T6841]  __fput+0x324/0x7f8
[ 75.042856][ T6841]  __fput_sync+0x60/0x9c
[ 75.044009][ T6841]  __arm64_sys_close+0x150/0x1e0
[ 75.045322][ T6841]  invoke_syscall+0x98/0x2b8
[ 75.046521][ T6841]  el0_svc_common+0x130/0x23c
[ 75.047811][ T6841]  do_el0_svc+0x48/0x58
[ 75.048938][ T6841]  el0_svc+0x54/0x158
[ 75.049966][ T6841]  el0t_64_sync_handler+0x84/0xfc
[ 75.051307][ T6841]  el0t_64_sync+0x190/0x194
[ 75.052479][ T6841] irq event stamp: 0
[ 75.053487][ T6841] hardirqs last enabled at (0): [<0000000000000000>] 0x0
[ 75.055376][ T6841] hardirqs last disabled at (0): [] copy_process+0x1318/0x34b8
[ 75.057746][ T6841] softirqs last enabled at (0): [] copy_process+0x1340/0x34b8
[ 75.060152][ T6841] softirqs last disabled at (0): [<0000000000000000>] 0x0
[ 75.062054][ T6841] ---[ end trace 0000000000000000 ]---
[ 75.063765][ T6841] ------------[ cut here ]------------
[ 75.065188][ T6841] ODEBUG: activate not available (active state 0) object: 0000000042ee0670 object type: work_struct hint: hci_conn_timeout+0x0/0x1e8
[ 75.069188][ T6841] WARNING: CPU: 0 PID: 6841 at lib/debugobjects.c:517 debug_print_object+0x168/0x1e0
[ 75.071640][ T6841] Modules linked in:
[ 75.072677][ T6841] CPU: 0 PID: 6841 Comm: syz-executor.0 Tainted: G B W 6.6.0-rc7-syzkaller-00089-g8de1e7afcc1c-dirty #0
[ 75.075969][ T6841] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
[ 75.078682][ T6841] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 75.080717][ T6841] pc : debug_print_object+0x168/0x1e0
[ 75.082189][ T6841] lr : debug_print_object+0x168/0x1e0
[ 75.083642][ T6841] sp : ffff800096ff7870
[ 75.084722][ T6841] x29: ffff800096ff7870 x28: dfff800000000000 x27: ffff700012dfef1c
[ 75.086803][ T6841] x26: ffff0000da4dad38 x25: dfff800000000000 x24: ffff0000da9ba348
[ 75.088901][ T6841] x23: ffff80008ad651a0 x22: ffff800089881d98 x21: ffff80008a8710a0
[ 75.091054][ T6841] x20: 0000000000000000 x19: ffff80008ad64c40 x18: 0000000000000000
[ 75.093155][ T6841] x17: 0000000000000000 x16: ffff80008a71b23c x15: 0000000000000001
[ 75.095321][ T6841] x14: 1ffff00012dfee60 x13: 0000000000000000 x12: 0000000000000000
[ 75.097442][ T6841] x11: 0000000000000002 x10: 0000000000000000 x9 : 232218d8bc324900
[ 75.099612][ T6841] x8 : 232218d8bc324900 x7 : 0000000000000001 x6 : 0000000000000001
[ 75.101782][ T6841] x5 : ffff800096ff7158 x4 : ffff80008e4210a0 x3 : ffff800082b180c4
[ 75.103963][ T6841] x2 : 0000000000000001 x1 : 0000000000000002 x0 : 0000000000000000
[ 75.106066][ T6841] Call trace:
[ 75.106920][ T6841]  debug_print_object+0x168/0x1e0
[ 75.108274][ T6841]  debug_object_activate+0x600/0x7e0
[ 75.109699][ T6841]  insert_work+0x4c/0x2d4
[ 75.110876][ T6841]  __queue_work+0xcf4/0x1338
[ 75.112058][ T6841]  queue_delayed_work_on+0x1f4/0x2e4
[ 75.113450][ T6841]  hci_conn_drop+0x198/0x2bc
[ 75.114622][ T6841]  __sco_sock_close+0x3a8/0x7d0
[ 75.115910][ T6841]  sco_sock_release+0xb4/0x2c0
[ 75.117259][ T6841]  sock_close+0xa4/0x1e8
[ 75.118368][ T6841]  __fput+0x324/0x7f8
[ 75.119387][ T6841]  __fput_sync+0x60/0x9c
[ 75.120486][ T6841]  __arm64_sys_close+0x150/0x1e0
[ 75.121860][ T6841]  invoke_syscall+0x98/0x2b8
[ 75.123075][ T6841]  el0_svc_common+0x130/0x23c
[ 75.124336][ T6841]  do_el0_svc+0x48/0x58
[ 75.125428][ T6841]  el0_svc+0x54/0x158
[ 75.126482][ T6841]  el0t_64_sync_handler+0x84/0xfc
[ 75.127813][ T6841]  el0t_64_sync+0x190/0x194
[ 75.128995][ T6841] irq event stamp: 0
[ 75.130062][ T6841] hardirqs last enabled at (0): [<0000000000000000>] 0x0
[ 75.131907][ T6841] hardirqs last disabled at (0): [] copy_process+0x1318/0x34b8
[ 75.134312][ T6841] softirqs last enabled at (0): [] copy_process+0x1340/0x34b8
[ 75.136842][ T6841] softirqs last disabled at (0): [<0000000000000000>] 0x0
[ 75.138747][ T6841] ---[ end trace 0000000000000000 ]---
1970/01/01 00:01:15 executed programs: 16
[ 76.742241][ T5661] Bluetooth: hci0: command 0x0405 tx timeout
[ 78.812104][ T5661] Bluetooth: hci0: command 0x0407 tx timeout
[ 80.902079][ T6096] Bluetooth: hci0: command 0x0405 tx timeout
[ 81.034180][ T6868] ==================================================================
[ 81.036320][ T6868] BUG: KFENCE: use-after-free read in hci_conn_drop+0x40/0x2bc
[ 81.036320][ T6868]
[ 81.038910][ T6868] Use-after-free read at 0x00000000c452e566 (in kfence-#174):
[ 81.040821][ T6868]  hci_conn_drop+0x40/0x2bc
[ 81.042041][ T6868]  __sco_sock_close+0x3a8/0x7d0
[ 81.043325][ T6868]  sco_sock_release+0xb4/0x2c0
[ 81.044651][ T6868]  sock_close+0xa4/0x1e8
[ 81.045821][ T6868]  __fput+0x324/0x7f8
[ 81.046883][ T6868]  __fput_sync+0x60/0x9c
[ 81.047999][ T6868]  __arm64_sys_close+0x150/0x1e0
[ 81.049340][ T6868]  invoke_syscall+0x98/0x2b8
[ 81.050556][ T6868]  el0_svc_common+0x130/0x23c
[ 81.051772][ T6868]  do_el0_svc+0x48/0x58
[ 81.052830][ T6868]  el0_svc+0x54/0x158
[ 81.053877][ T6868]  el0t_64_sync_handler+0x84/0xfc
[ 81.055204][ T6868]  el0t_64_sync+0x190/0x194
[ 81.056376][ T6868]
[ 81.056957][ T6868] kfence-#174: 0x00000000edac583e-0x0000000088367bc2, size=2784, cache=kmalloc-4k
[ 81.056957][ T6868]
[ 81.060040][ T6868] allocated by task 6869 on cpu 0 at 80.442163s:
[ 81.061708][ T6868]  __kmem_cache_alloc_node+0x31c/0x37c
[ 81.063164][ T6868]  kmalloc_trace+0x3c/0x88
[ 81.064307][ T6868]  hci_conn_add+0xcc/0x1210
[ 81.065501][ T6868]  hci_connect_sco+0x94/0x2bc
[ 81.066702][ T6868]  sco_sock_connect+0x278/0x840
[ 81.067939][ T6868]  __sys_connect+0x268/0x290
[ 81.069161][ T6868]  __arm64_sys_connect+0x7c/0x94
[ 81.070498][ T6868]  invoke_syscall+0x98/0x2b8
[ 81.071696][ T6868]  el0_svc_common+0x130/0x23c
[ 81.072898][ T6868]  do_el0_svc+0x48/0x58
[ 81.074012][ T6868]  el0_svc+0x54/0x158
[ 81.075168][ T6868]  el0t_64_sync_handler+0x84/0xfc
[ 81.076467][ T6868]  el0t_64_sync+0x190/0x194
[ 81.077667][ T6868]
[ 81.078269][ T6868] freed by task 6096 on cpu 1 at 80.522186s:
[ 81.079806][ T6868]  bt_link_release+0x20/0x30
[ 81.081048][ T6868]  device_release+0x8c/0x1ac
[ 81.082249][ T6868]  kobject_put+0x1c4/0x3c4
[ 81.083396][ T6868]  put_device+0x28/0x40
[ 81.084498][ T6868]  hci_conn_del+0x78c/0xabc
[ 81.085718][ T6868]  hci_conn_failed+0x204/0x2c0
[ 81.086930][ T6868]  hci_abort_conn_sync+0x688/0xe38
[ 81.088309][ T6868]  abort_conn_sync+0x5c/0x8c
[ 81.089508][ T6868]  hci_cmd_sync_work+0x1cc/0x34c
[ 81.090807][ T6868]  process_one_work+0x694/0x1204
[ 81.092069][ T6868]  worker_thread+0x938/0xef4
[ 81.093223][ T6868]  kthread+0x288/0x310
[ 81.094341][ T6868]  ret_from_fork+0x10/0x20
[ 81.095498][ T6868]
[ 81.096136][ T6868] CPU: 0 PID: 6868 Comm: syz-executor.0 Tainted: G B W 6.6.0-rc7-syzkaller-00089-g8de1e7afcc1c-dirty #0
[ 81.099464][ T6868] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
[ 81.102087][ T6868] ==================================================================
1970/01/01 00:01:21 executed programs: 22