Warning: Permanently added '[localhost]:58200' (ED25519) to the list of known hosts.
2024/07/14 10:59:36 ignoring optional flag "sandboxArg"="0"
2024/07/14 10:59:36 parsed 1 programs
[   92.266675][   T39] audit: type=1400 audit(1720954776.784:134): avc:  denied  { getattr } for  pid=5313 comm="syz-execprog" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[   92.396577][   T39] audit: type=1400 audit(1720954776.914:135): avc:  denied  { unlink } for  pid=5319 comm="syz-executor" name="swap-file" dev="sda1" ino=1931 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[   92.849588][  T816] cfg80211: failed to load regulatory.db
[   94.336872][ T5319] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
2024/07/14 10:59:38 executed programs: 0
[   94.404337][   T65] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   94.408336][   T65] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   94.412568][   T65] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   94.415980][   T65] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   94.421629][   T65] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   94.425179][   T65] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   94.433440][   T39] audit: type=1400 audit(1720954778.964:136): avc:  denied  { mounton } for  pid=5336 comm="syz-executor.0" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1
[   94.604771][ T5336] chnl_net:caif_netlink_parms(): no params data found
[   94.759782][ T5336] bridge0: port 1(bridge_slave_0) entered blocking state
[   94.763774][ T5336] bridge0: port 1(bridge_slave_0) entered disabled state
[   94.766938][ T5336] bridge_slave_0: entered allmulticast mode
[   94.773575][ T5336] bridge_slave_0: entered promiscuous mode
[   94.781371][ T5336] bridge0: port 2(bridge_slave_1) entered blocking state
[   94.785567][ T5336] bridge0: port 2(bridge_slave_1) entered disabled state
[   94.788814][ T5336] bridge_slave_1: entered allmulticast mode
[   94.792268][ T5336] bridge_slave_1: entered promiscuous mode
[   94.849723][ T5336] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   94.856130][ T5336] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   94.921272][ T5336] team0: Port device team_slave_0 added
[   94.933738][ T5336] team0: Port device team_slave_1 added
[   95.162893][ T5336] batman_adv: batadv0: Adding interface: batadv_slave_0
[   95.165743][ T5336] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   95.186329][ T5336] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   95.202243][ T5336] batman_adv: batadv0: Adding interface: batadv_slave_1
[   95.204860][ T5336] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   95.224907][ T5336] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   95.322427][ T5336] hsr_slave_0: entered promiscuous mode
[   95.326041][ T5336] hsr_slave_1: entered promiscuous mode
[   96.273112][ T5336] netdevsim netdevsim0 netdevsim0: renamed from eth0
[   96.284961][ T5336] netdevsim netdevsim0 netdevsim1: renamed from eth1
[   96.293195][ T5336] netdevsim netdevsim0 netdevsim2: renamed from eth2
[   96.300114][ T5336] netdevsim netdevsim0 netdevsim3: renamed from eth3
[   96.376523][ T5336] 8021q: adding VLAN 0 to HW filter on device bond0
[   96.392363][ T5336] 8021q: adding VLAN 0 to HW filter on device team0
[   96.401175][   T55] bridge0: port 1(bridge_slave_0) entered blocking state
[   96.404543][   T55] bridge0: port 1(bridge_slave_0) entered forwarding state
[   96.419064][  T826] bridge0: port 2(bridge_slave_1) entered blocking state
[   96.424937][  T826] bridge0: port 2(bridge_slave_1) entered forwarding state
[   96.437554][   T65] Bluetooth: hci0: command tx timeout
[   96.662776][ T5336] 8021q: adding VLAN 0 to HW filter on device batadv0
[   96.705348][ T5336] veth0_vlan: entered promiscuous mode
[   96.724038][ T5336] veth1_vlan: entered promiscuous mode
[   96.758568][ T5336] veth0_macvtap: entered promiscuous mode
[   96.765880][ T5336] veth1_macvtap: entered promiscuous mode
[   96.796804][ T5336] batman_adv: batadv0: Interface activated: batadv_slave_0
[   96.808664][ T5336] batman_adv: batadv0: Interface activated: batadv_slave_1
[   96.817597][ T5336] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   96.825524][ T5336] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   96.829185][ T5336] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   96.832657][ T5336] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[   96.986409][ T1139] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   96.992255][ T1139] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   97.053032][ T1139] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   97.056689][ T1139] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   97.073427][   T39] audit: type=1400 audit(1720954781.604:137): avc:  denied  { mounton } for  pid=5336 comm="syz-executor.0" path="/dev/binderfs" dev="devtmpfs" ino=2385 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1
[   97.153380][   T39] audit: type=1400 audit(1720954781.674:138): avc:  denied  { connect } for  pid=5406 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1
[   98.526186][ T4634] Bluetooth: hci0: command tx timeout
2024/07/14 10:59:44 executed programs: 3
[  100.597584][ T4634] Bluetooth: hci0: command 0x040f tx timeout
[  102.677794][ T4634] Bluetooth: hci0: command 0x040f tx timeout
[  104.760672][   T65] Bluetooth: hci0: command 0x040f tx timeout
2024/07/14 10:59:49 executed programs: 11
[  106.837557][ T4634] Bluetooth: hci0: command 0x040f tx timeout
2024/07/14 10:59:55 executed programs: 17
2024/07/14 11:00:00 executed programs: 24
2024/07/14 11:00:05 executed programs: 31
2024/07/14 11:00:10 executed programs: 38
2024/07/14 11:00:15 executed programs: 44
2024/07/14 11:00:21 executed programs: 50
[  138.278592][  T824] ==================================================================
[  138.281982][  T824] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x97/0x2e0
[  138.285281][  T824] Write of size 4 at addr ffff88802c6ae080 by task kworker/2:3/824
[  138.293518][  T824] 
[  138.294760][  T824] CPU: 2 PID: 824 Comm: kworker/2:3 Not tainted 6.10.0-rc7-syzkaller-g4d145e3f830b #0
[  138.299912][  T824] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[  138.305595][  T824] Workqueue: events sco_sock_timeout
[  138.308254][  T824] Call Trace:
[  138.309842][  T824]  <TASK>
[  138.311509][  T824]  dump_stack_lvl+0x116/0x1f0
[  138.313969][  T824]  print_report+0xc3/0x620
[  138.316180][  T824]  ? __virt_addr_valid+0x5e/0x590
[  138.319204][  T824]  ? __phys_addr+0xc6/0x150
[  138.321423][  T824]  kasan_report+0xd9/0x110
[  138.323577][  T824]  ? sco_sock_timeout+0x97/0x2e0
[  138.326256][  T824]  ? sco_sock_timeout+0x97/0x2e0
[  138.328285][  T824]  kasan_check_range+0xef/0x1a0
[  138.330600][  T824]  sco_sock_timeout+0x97/0x2e0
[  138.333042][  T824]  process_one_work+0x9c5/0x1b40
[  138.335602][  T824]  ? __pfx_lock_acquire+0x10/0x10
[  138.338036][  T824]  ? __pfx_process_one_work+0x10/0x10
[  138.340795][  T824]  ? assign_work+0x1a0/0x250
[  138.342932][  T824]  worker_thread+0x6c8/0xf30
[  138.345119][  T824]  ? __kthread_parkme+0x148/0x220
[  138.347557][  T824]  ? __pfx_worker_thread+0x10/0x10
[  138.349866][  T824]  kthread+0x2c1/0x3a0
[  138.351728][  T824]  ? _raw_spin_unlock_irq+0x23/0x50
[  138.354117][  T824]  ? __pfx_kthread+0x10/0x10
[  138.355942][  T824]  ret_from_fork+0x45/0x80
[  138.357940][  T824]  ? __pfx_kthread+0x10/0x10
[  138.359885][  T824]  ret_from_fork_asm+0x1a/0x30
[  138.362074][  T824]  </TASK>
[  138.363446][  T824] 
[  138.364541][  T824] Allocated by task 816:
[  138.366432][  T824]  kasan_save_stack+0x33/0x60
[  138.368719][  T824]  kasan_save_track+0x14/0x30
[  138.371039][  T824]  __kasan_kmalloc+0xaa/0xb0
[  138.373202][  T824]  kmalloc_node_track_caller_noprof+0x20f/0x430
[  138.376215][  T824]  kmalloc_reserve+0xef/0x2c0
[  138.378371][  T824]  __alloc_skb+0x164/0x380
[  138.380365][  T824]  nsim_dev_trap_report_work+0x2a4/0xc80
[  138.382935][  T824]  process_one_work+0x9c5/0x1b40
[  138.385250][  T824]  worker_thread+0x6c8/0xf30
[  138.387357][  T824]  kthread+0x2c1/0x3a0
[  138.389225][  T824]  ret_from_fork+0x45/0x80
[  138.391232][  T824]  ret_from_fork_asm+0x1a/0x30
[  138.393465][  T824] 
[  138.394735][  T824] Freed by task 816:
[  138.396663][  T824]  kasan_save_stack+0x33/0x60
[  138.398876][  T824]  kasan_save_track+0x14/0x30
[  138.401146][  T824]  kasan_save_free_info+0x3b/0x60
[  138.403144][  T824]  poison_slab_object+0xf7/0x160
[  138.405255][  T824]  __kasan_slab_free+0x32/0x50
[  138.407503][  T824]  kfree+0x12a/0x3b0
[  138.409340][  T824]  skb_free_head+0x108/0x1d0
[  138.411512][  T824]  skb_release_data+0x75c/0x980
[  138.413877][  T824]  consume_skb+0xd0/0x170
[  138.415867][  T824]  nsim_dev_trap_report_work+0x878/0xc80
[  138.418512][  T824]  process_one_work+0x9c5/0x1b40
[  138.420946][  T824]  worker_thread+0x6c8/0xf30
[  138.423020][  T824]  kthread+0x2c1/0x3a0
[  138.424859][  T824]  ret_from_fork+0x45/0x80
[  138.426881][  T824]  ret_from_fork_asm+0x1a/0x30
[  138.429036][  T824] 
[  138.430126][  T824] The buggy address belongs to the object at ffff88802c6ae000
[  138.430126][  T824]  which belongs to the cache kmalloc-4k of size 4096
[  138.435915][  T824] The buggy address is located 128 bytes inside of
[  138.435915][  T824]  freed 4096-byte region [ffff88802c6ae000, ffff88802c6af000)
[  138.441296][  T824] 
[  138.442263][  T824] The buggy address belongs to the physical page:
[  138.444974][  T824] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2c6a8
[  138.448906][  T824] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  138.453068][  T824] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[  138.456556][  T824] page_type: 0xffffefff(slab)
[  138.458739][  T824] raw: 00fff00000000040 ffff888015443040 dead000000000122 0000000000000000
[  138.462359][  T824] raw: 0000000000000000 0000000000040004 00000001ffffefff 0000000000000000
[  138.466277][  T824] head: 00fff00000000040 ffff888015443040 dead000000000122 0000000000000000
[  138.470608][  T824] head: 0000000000000000 0000000000040004 00000001ffffefff 0000000000000000
[  138.474353][  T824] head: 00fff00000000003 ffffea0000b1aa01 ffffffffffffffff 0000000000000000
[  138.478254][  T824] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[  138.481854][  T824] page dumped because: kasan: bad access detected
[  138.484256][  T824] page_owner tracks the page as allocated
[  138.487003][  T824] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 816, tgid 816 (kworker/2:2), ts 116989608038, free_ts 116604622460
[  138.496268][  T824]  post_alloc_hook+0x2d1/0x350
[  138.498425][  T824]  get_page_from_freelist+0x1353/0x2e50
[  138.501027][  T824]  __alloc_pages_noprof+0x22b/0x2460
[  138.503239][  T824]  alloc_slab_page+0x56/0x110
[  138.505537][  T824]  new_slab+0x84/0x260
[  138.507351][  T824]  ___slab_alloc+0xdac/0x1870
[  138.509012][  T824]  __slab_alloc.constprop.0+0x56/0xb0
[  138.510699][  T824]  kmalloc_node_track_caller_noprof+0x355/0x430
[  138.513194][  T824]  kmalloc_reserve+0xef/0x2c0
[  138.515077][  T824]  __alloc_skb+0x164/0x380
[  138.516762][  T824]  nsim_dev_trap_report_work+0x2a4/0xc80
[  138.518990][  T824]  process_one_work+0x9c5/0x1b40
[  138.520916][  T824]  worker_thread+0x6c8/0xf30
[  138.522818][  T824]  kthread+0x2c1/0x3a0
[  138.524453][  T824]  ret_from_fork+0x45/0x80
[  138.526490][  T824]  ret_from_fork_asm+0x1a/0x30
[  138.528487][  T824] page last free pid 4690 tgid 4690 stack trace:
[  138.531016][  T824]  free_unref_page+0x64a/0xe40
[  138.532953][  T824]  qlist_free_all+0x4e/0x140
[  138.534817][  T824]  kasan_quarantine_reduce+0x192/0x1e0
[  138.537449][  T824]  __kasan_slab_alloc+0x69/0x90
[  138.539758][  T824]  kmem_cache_alloc_noprof+0x121/0x2f0
[  138.541943][  T824]  getname_flags.part.0+0x50/0x4f0
[  138.544053][  T824]  getname_flags+0x9b/0xf0
[  138.546077][  T824]  user_path_at_empty+0x2c/0x60
[  138.548220][  T824]  do_readlinkat+0xdd/0x310
[  138.550330][  T824]  __x64_sys_readlink+0x78/0xc0
[  138.552527][  T824]  do_syscall_64+0xcd/0x250
[  138.554547][  T824]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  138.557336][  T824] 
[  138.558440][  T824] Memory state around the buggy address:
[  138.560946][  T824]  ffff88802c6adf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  138.564425][  T824]  ffff88802c6ae000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  138.567809][  T824] >ffff88802c6ae080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  138.571107][  T824]                    ^
[  138.572879][  T824]  ffff88802c6ae100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  138.576051][  T824]  ffff88802c6ae180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  138.579161][  T824] ==================================================================
[  138.583837][  T824] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[  138.587145][  T824] CPU: 2 PID: 824 Comm: kworker/2:3 Not tainted 6.10.0-rc7-syzkaller-g4d145e3f830b #0
[  138.591097][  T824] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[  138.595669][  T824] Workqueue: events sco_sock_timeout
[  138.598262][  T824] Call Trace:
[  138.599677][  T824]  <TASK>
[  138.600911][  T824]  dump_stack_lvl+0x3d/0x1f0
[  138.603107][  T824]  panic+0x6f5/0x7a0
[  138.604786][  T824]  ? mark_held_locks+0x9f/0xe0
[  138.606637][  T824]  ? __pfx_panic+0x10/0x10
[  138.608424][  T824]  ? irqentry_exit+0x3b/0x90
[  138.610379][  T824]  ? lockdep_hardirqs_on+0x7c/0x110
[  138.612757][  T824]  ? check_panic_on_warn+0x1f/0xb0
[  138.615395][  T824]  check_panic_on_warn+0xab/0xb0
[  138.618199][  T824]  end_report+0x117/0x180
[  138.620395][  T824]  kasan_report+0xe9/0x110
[  138.622542][  T824]  ? sco_sock_timeout+0x97/0x2e0
[  138.624615][  T824]  ? sco_sock_timeout+0x97/0x2e0
[  138.626862][  T824]  kasan_check_range+0xef/0x1a0
[  138.628942][  T824]  sco_sock_timeout+0x97/0x2e0
[  138.631006][  T824]  process_one_work+0x9c5/0x1b40
[  138.633341][  T824]  ? __pfx_lock_acquire+0x10/0x10
[  138.635559][  T824]  ? __pfx_process_one_work+0x10/0x10
[  138.637916][  T824]  ? assign_work+0x1a0/0x250
[  138.639666][  T824]  worker_thread+0x6c8/0xf30
[  138.641577][  T824]  ? __kthread_parkme+0x148/0x220
[  138.643458][  T824]  ? __pfx_worker_thread+0x10/0x10
[  138.645331][  T824]  kthread+0x2c1/0x3a0
[  138.646826][  T824]  ? _raw_spin_unlock_irq+0x23/0x50
[  138.648803][  T824]  ? __pfx_kthread+0x10/0x10
[  138.650707][  T824]  ret_from_fork+0x45/0x80
[  138.652437][  T824]  ? __pfx_kthread+0x10/0x10
[  138.654288][  T824]  ret_from_fork_asm+0x1a/0x30
[  138.656159][  T824]  </TASK>
[  138.661264][  T824] Kernel Offset: disabled
[  138.662977][  T824] Rebooting in 86400 seconds..