Warning: Permanently added '10.128.10.14' (ED25519) to the list of known hosts.
2023/09/22 11:55:09 ignoring optional flag "sandboxArg"="0"
2023/09/22 11:55:09 parsed 1 programs
2023/09/22 11:55:10 executed programs: 0
[ 46.718128][ T1909] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 46.746650][ T1398] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 46.754059][ T1398] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 46.761224][ T1398] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 46.768627][ T1398] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 46.776177][ T1398] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 46.783360][ T1398] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 46.923313][ T1914] chnl_net:caif_netlink_parms(): no params data found
[ 48.195168][ T1914] 8021q: adding VLAN 0 to HW filter on device bond0
[ 48.808824][ T1240] Bluetooth: hci0: command 0x0409 tx timeout
[ 49.029096][ T1914] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 49.036119][ T1800] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 49.043741][ T1800] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 50.888801][ T1240] Bluetooth: hci0: command 0x041b tx timeout
2023/09/22 11:55:15 executed programs: 2
[ 52.968782][ T1240] Bluetooth: hci0: command 0x040f tx timeout
[ 55.048800][ T1240] Bluetooth: hci0: command 0x0419 tx timeout
[ 57.128769][ T1240] Bluetooth: hci0: command 0x0405 tx timeout
2023/09/22 11:55:20 executed programs: 8
[ 59.208783][ T1240] Bluetooth: hci0: command 0x0405 tx timeout
2023/09/22 11:55:25 executed programs: 14
2023/09/22 11:55:30 executed programs: 20
2023/09/22 11:55:35 executed programs: 26
2023/09/22 11:55:40 executed programs: 32
2023/09/22 11:55:45 executed programs: 38
2023/09/22 11:55:51 executed programs: 44
2023/09/22 11:55:56 executed programs: 50
[ 93.218923][ T38] ==================================================================
[ 93.227087][ T38] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x57/0x1f0
[ 93.234869][ T38] Write of size 4 at addr ffff88817da94080 by task kworker/0:1/38
[ 93.242637][ T38]
[ 93.244935][ T38] CPU: 0 PID: 38 Comm: kworker/0:1 Not tainted 6.3.0-rc5-syzkaller #0
[ 93.253051][ T38] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 93.263341][ T38] Workqueue: events sco_sock_timeout
[ 93.268601][ T38] Call Trace:
[ 93.271868][ T38]
[ 93.274779][ T38] dump_stack_lvl+0x3d/0x60
[ 93.279262][ T38] print_report+0xc4/0x620
[ 93.283673][ T38] ? __lock_acquire.constprop.0+0x496/0xf30
[ 93.289556][ T38] kasan_report+0xdc/0x110
[ 93.293944][ T38] ? sco_sock_timeout+0x57/0x1f0
[ 93.298858][ T38] ? sco_sock_timeout+0x57/0x1f0
[ 93.303782][ T38] kasan_check_range+0x143/0x190
[ 93.308704][ T38] sco_sock_timeout+0x57/0x1f0
[ 93.313541][ T38] process_one_work+0x850/0x1270
[ 93.318452][ T38] ? pwq_dec_nr_in_flight+0x230/0x230
[ 93.323809][ T38] ? spin_bug+0x1d0/0x1d0
[ 93.328135][ T38] ? lock_acquire+0x134/0x2b0
[ 93.332783][ T38] worker_thread+0xf1/0xdd0
[ 93.337276][ T38] ? do_raw_spin_unlock+0x173/0x230
[ 93.342444][ T38] ? __kthread_parkme+0x7e/0x150
[ 93.347350][ T38] ? process_one_work+0x1270/0x1270
[ 93.352517][ T38] kthread+0x22c/0x2b0
[ 93.356555][ T38] ? kthread_complete_and_exit+0x20/0x20
[ 93.362153][ T38] ret_from_fork+0x1f/0x30
[ 93.366542][ T38]
[ 93.369532][ T38]
[ 93.371826][ T38] Allocated by task 2326:
[ 93.376251][ T38] kasan_save_stack+0x33/0x50
[ 93.380918][ T38] kasan_set_track+0x25/0x30
[ 93.385475][ T38] __kasan_kmalloc+0xa2/0xb0
[ 93.390034][ T38] __kmalloc+0x5d/0x160
[ 93.394417][ T38] sk_prot_alloc+0x14f/0x210
[ 93.399335][ T38] sk_alloc+0x30/0x580
[ 93.403454][ T38] sco_sock_alloc.constprop.0+0x22/0x2f0
[ 93.409400][ T38] sco_sock_create+0xb3/0x160
[ 93.414069][ T38] bt_sock_create+0x11e/0x250
[ 93.418889][ T38] __sock_create+0x1fd/0x460
[ 93.423539][ T38] __sys_socket+0x114/0x1b0
[ 93.428010][ T38] __x64_sys_socket+0x6d/0xb0
[ 93.432654][ T38] do_syscall_64+0x38/0xb0
[ 93.437307][ T38] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 93.443390][ T38]
[ 93.445713][ T38] Freed by task 2327:
[ 93.449846][ T38] kasan_save_stack+0x33/0x50
[ 93.454505][ T38] kasan_set_track+0x25/0x30
[ 93.459158][ T38] kasan_save_free_info+0x2e/0x40
[ 93.464253][ T38] ____kasan_slab_free+0x15e/0x1b0
[ 93.469439][ T38] slab_free_freelist_hook+0x10b/0x1e0
[ 93.475047][ T38] __kmem_cache_free+0xab/0x320
[ 93.480191][ T38] __sk_destruct+0x4a5/0x6b0
[ 93.484778][ T38] sco_sock_release+0x130/0x280
[ 93.489691][ T38] __sock_release+0xbb/0x280
[ 93.494250][ T38] sock_close+0x13/0x20
[ 93.498372][ T38] __fput+0x1e3/0x9b0
[ 93.502321][ T38] task_work_run+0x114/0x1f0
[ 93.507087][ T38] get_signal+0x194/0x1f00
[ 93.511524][ T38] arch_do_signal_or_restart+0x89/0x5f0
[ 93.517324][ T38] exit_to_user_mode_prepare+0xc3/0x150
[ 93.522930][ T38] syscall_exit_to_user_mode+0x16/0x30
[ 93.528369][ T38] do_syscall_64+0x44/0xb0
[ 93.532798][ T38] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 93.538666][ T38]
[ 93.540991][ T38] The buggy address belongs to the object at ffff88817da94000
[ 93.540991][ T38] which belongs to the cache kmalloc-2k of size 2048
[ 93.555101][ T38] The buggy address is located 128 bytes inside of
[ 93.555101][ T38] freed 2048-byte region [ffff88817da94000, ffff88817da94800)
[ 93.568991][ T38]
[ 93.571304][ T38] The buggy address belongs to the physical page:
[ 93.577773][ T38] page:ffffea0005f6a400 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88817da96000 pfn:0x17da90
[ 93.589322][ T38] head:ffffea0005f6a400 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 93.598240][ T38] flags: 0x100000000010200(slab|head|node=0|zone=2)
[ 93.605035][ T38] raw: 0100000000010200 ffff888100042000 ffffea000438b210 ffffea0004239c10
[ 93.613621][ T38] raw: ffff88817da96000 0000000000080007 00000001ffffffff 0000000000000000
[ 93.622181][ T38] page dumped because: kasan: bad access detected
[ 93.628654][ T38] page_owner tracks the page as allocated
[ 93.634365][ T38] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1277, tgid 1277 (klogd), ts 7386005285, free_ts 6062958026
[ 93.655092][ T38] post_alloc_hook+0x281/0x2f0
[ 93.659929][ T38] get_page_from_freelist+0xc0a/0x41a0
[ 93.665422][ T38] __alloc_pages+0x1d0/0x470
[ 93.670005][ T38] allocate_slab+0x24e/0x360
[ 93.674651][ T38] ___slab_alloc+0x7e8/0xf30
[ 93.679209][ T38] __slab_alloc.constprop.0+0x4d/0x90
[ 93.684550][ T38] __kmem_cache_alloc_node+0x144/0x390
[ 93.689989][ T38] kmalloc_trace+0x25/0xb0
[ 93.694508][ T38] syslog_print+0xf0/0x460
[ 93.698895][ T38] do_syslog+0x212/0x3c0
[ 93.703103][ T38] __x64_sys_syslog+0x6f/0xb0
[ 93.707770][ T38] do_syscall_64+0x38/0xb0
[ 93.712171][ T38] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 93.718041][ T38] page last free stack trace:
[ 93.722686][ T38] free_pcp_prepare+0x4de/0xa50
[ 93.727507][ T38] free_unref_page+0x1c/0x460
[ 93.732152][ T38] free_contig_range+0xa1/0x150
[ 93.736970][ T38] destroy_args+0x4fc/0x6b0
[ 93.741447][ T38] debug_vm_pgtable+0x1a00/0x2d20
[ 93.746440][ T38] do_one_initcall+0xcd/0x350
[ 93.751085][ T38] kernel_init_freeable+0x53c/0x890
[ 93.756256][ T38] kernel_init+0x1a/0x1c0
[ 93.760550][ T38] ret_from_fork+0x1f/0x30
[ 93.765036][ T38]
[ 93.767348][ T38] Memory state around the buggy address:
[ 93.772964][ T38] ffff88817da93f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 93.781012][ T38] ffff88817da94000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 93.789044][ T38] >ffff88817da94080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 93.797089][ T38] ^
[ 93.801152][ T38] ffff88817da94100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 93.809197][ T38] ffff88817da94180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 93.817312][ T38] ==================================================================
[ 93.825496][ T38] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 93.832956][ T38] Kernel Offset: disabled
[ 93.837281][ T38] Rebooting in 86400 seconds..