Warning: Permanently added '[localhost]:12866' (ED25519) to the list of known hosts.
2024/10/16 20:02:09 ignoring optional flag "sandboxArg"="0"
2024/10/16 20:02:09 ignoring optional flag "type"="qemu"
2024/10/16 20:02:10 parsed 1 programs
[ 60.145271][ T39] audit: type=1400 audit(1729108930.005:134): avc: denied { getattr } for pid=5452 comm="syz-execprog" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 60.211003][ T39] audit: type=1400 audit(1729108930.075:135): avc: denied { unlink } for pid=5458 comm="syz-executor" name="swap-file" dev="sda1" ino=1931 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 61.357996][ T5458] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
2024/10/16 20:02:11 executed programs: 0
[ 61.396019][ T65] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 61.399643][ T65] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 61.403234][ T65] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 61.406380][ T65] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 61.409347][ T65] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 61.411972][ T65] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 61.495063][ T5469] chnl_net:caif_netlink_parms(): no params data found
[ 61.549607][ T5469] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.551815][ T5469] bridge0: port 1(bridge_slave_0) entered disabled state
[ 61.553896][ T5469] bridge_slave_0: entered allmulticast mode
[ 61.555954][ T5469] bridge_slave_0: entered promiscuous mode
[ 61.558858][ T5469] bridge0: port 2(bridge_slave_1) entered blocking state
[ 61.561564][ T5469] bridge0: port 2(bridge_slave_1) entered disabled state
[ 61.563830][ T5469] bridge_slave_1: entered allmulticast mode
[ 61.565847][ T5469] bridge_slave_1: entered promiscuous mode
[ 61.594796][ T5469] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 61.600845][ T5469] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 61.628729][ T5469] team0: Port device team_slave_0 added
[ 61.632942][ T5469] team0: Port device team_slave_1 added
[ 61.650966][ T5469] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 61.653005][ T5469] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 61.661244][ T5469] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 61.664812][ T5469] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 61.666883][ T5469] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 61.676573][ T5469] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 61.712771][ T5469] hsr_slave_0: entered promiscuous mode
[ 61.715001][ T5469] hsr_slave_1: entered promiscuous mode
[ 62.184814][ T5469] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 62.190990][ T5469] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 62.196623][ T5469] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 62.202095][ T5469] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 62.218575][ T5469] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.221261][ T5469] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 62.223853][ T5469] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.226380][ T5469] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 62.270387][ T5469] 8021q: adding VLAN 0 to HW filter on device bond0
[ 62.279842][ T75] bridge0: port 1(bridge_slave_0) entered disabled state
[ 62.284074][ T75] bridge0: port 2(bridge_slave_1) entered disabled state
[ 62.299886][ T5469] 8021q: adding VLAN 0 to HW filter on device team0
[ 62.306811][ T1194] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.308733][ T1194] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 62.314161][ T75] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.316408][ T75] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 62.439249][ T5469] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 62.463082][ T5469] veth0_vlan: entered promiscuous mode
[ 62.472526][ T5469] veth1_vlan: entered promiscuous mode
[ 62.486970][ T5469] veth0_macvtap: entered promiscuous mode
[ 62.491079][ T5469] veth1_macvtap: entered promiscuous mode
[ 62.500081][ T5469] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 62.507765][ T5469] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 62.513893][ T5469] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 62.517049][ T5469] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 62.520908][ T5469] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 62.523637][ T5469] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 62.559648][ T1194] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 62.562425][ T1194] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 62.580259][ T75] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 62.583163][ T75] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 62.614976][ T39] audit: type=1400 audit(1729108932.475:136): avc: denied { connect } for pid=5531 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1
[ 63.481891][ T5348] Bluetooth: hci0: command tx timeout
[ 65.549302][ T5348] Bluetooth: hci0: command 0x041b tx timeout
2024/10/16 20:02:16 executed programs: 5
[ 67.629247][ T5348] Bluetooth: hci0: command 0x041b tx timeout
[ 69.709647][ T65] Bluetooth: hci0: command 0x041b tx timeout
[ 71.551357][ T1380] ieee802154 phy0 wpan0: encryption failed: -22
[ 71.553474][ T1380] ieee802154 phy1 wpan1: encryption failed: -22
[ 71.789143][ T5348] Bluetooth: hci0: command 0x041b tx timeout
2024/10/16 20:02:21 executed programs: 12
[ 73.869247][ T5348] Bluetooth: hci0: command 0x041b tx timeout
2024/10/16 20:02:26 executed programs: 18
[ 81.791122][ T25] cfg80211: failed to load regulatory.db
2024/10/16 20:02:31 executed programs: 24
2024/10/16 20:02:37 executed programs: 30
2024/10/16 20:02:42 executed programs: 36
2024/10/16 20:02:47 executed programs: 42
2024/10/16 20:02:52 executed programs: 48
[ 102.909960][ T35] ==================================================================
[ 102.912905][ T35] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x97/0x2c0
[ 102.915701][ T35] Write of size 4 at addr ffff88803790f080 by task kworker/3:0/35
[ 102.919989][ T35]
[ 102.920870][ T35] CPU: 3 UID: 0 PID: 35 Comm: kworker/3:0 Not tainted 6.12.0-rc3-syzkaller-g2f87d0916ce0 #0
[ 102.924346][ T35] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 102.928073][ T35] Workqueue: events sco_sock_timeout
[ 102.929927][ T35] Call Trace:
[ 102.931107][ T35]
[ 102.932140][ T35] dump_stack_lvl+0x116/0x1f0
[ 102.933835][ T35] print_report+0xc3/0x620
[ 102.935437][ T35] ? __virt_addr_valid+0x5e/0x590
[ 102.937185][ T35] ? __phys_addr+0xc6/0x150
[ 102.938784][ T35] kasan_report+0xd9/0x110
[ 102.940402][ T35] ? sco_sock_timeout+0x97/0x2c0
[ 102.942206][ T35] ? sco_sock_timeout+0x97/0x2c0
[ 102.944000][ T35] kasan_check_range+0xef/0x1a0
[ 102.945746][ T35] sco_sock_timeout+0x97/0x2c0
[ 102.947456][ T35] process_one_work+0x9c5/0x1ba0
[ 102.949201][ T35] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 102.951163][ T35] ? __pfx_process_one_work+0x10/0x10
[ 102.953042][ T35] ? assign_work+0x1a0/0x250
[ 102.954657][ T35] worker_thread+0x6c8/0xf00
[ 102.956294][ T35] ? __pfx_worker_thread+0x10/0x10
[ 102.958125][ T35] kthread+0x2c1/0x3a0
[ 102.959596][ T35] ? _raw_spin_unlock_irq+0x23/0x50
[ 102.961468][ T35] ? __pfx_kthread+0x10/0x10
[ 102.963136][ T35] ret_from_fork+0x45/0x80
[ 102.964784][ T35] ? __pfx_kthread+0x10/0x10
[ 102.966455][ T35] ret_from_fork_asm+0x1a/0x30
[ 102.968119][ T35]
[ 102.969185][ T35]
[ 102.970027][ T35] Allocated by task 5532:
[ 102.971649][ T35] kasan_save_stack+0x33/0x60
[ 102.973501][ T35] kasan_save_track+0x14/0x30
[ 102.975376][ T35] __kasan_kmalloc+0xaa/0xb0
[ 102.977153][ T35] __kmalloc_noprof+0x1e8/0x400
[ 102.978847][ T35] sk_prot_alloc+0x1a8/0x2a0
[ 102.980468][ T35] sk_alloc+0x36/0xb90
[ 102.981882][ T35] bt_sock_alloc+0x3b/0x3a0
[ 102.983529][ T35] sco_sock_create+0xe3/0x3c0
[ 102.985239][ T35] bt_sock_create+0x182/0x350
[ 102.986919][ T35] __sock_create+0x32e/0x840
[ 102.988553][ T35] __sys_socket+0x14f/0x260
[ 102.990162][ T35] __x64_sys_socket+0x72/0xb0
[ 102.991877][ T35] do_syscall_64+0xcd/0x250
[ 102.993552][ T35] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 102.995628][ T35]
[ 102.996473][ T35] Freed by task 5532:
[ 102.997871][ T35] kasan_save_stack+0x33/0x60
[ 102.999459][ T35] kasan_save_track+0x14/0x30
[ 103.001054][ T35] kasan_save_free_info+0x3b/0x60
[ 103.002739][ T35] __kasan_slab_free+0x51/0x70
[ 103.004339][ T35] kfree+0x14f/0x4b0
[ 103.005731][ T35] __sk_destruct+0x5eb/0x720
[ 103.007354][ T35] sk_destruct+0xc2/0xf0
[ 103.008835][ T35] __sk_free+0xf4/0x3e0
[ 103.010314][ T35] sk_free+0x6a/0x90
[ 103.011751][ T35] sco_sock_kill+0x11a/0x1c0
[ 103.013460][ T35] sco_sock_release+0x154/0x2d0
[ 103.015162][ T35] __sock_release+0xb0/0x270
[ 103.016731][ T35] sock_close+0x1c/0x30
[ 103.018130][ T35] __fput+0x3f6/0xb60
[ 103.019471][ T35] task_work_run+0x14e/0x250
[ 103.021086][ T35] get_signal+0x1ca/0x2770
[ 103.022592][ T35] arch_do_signal_or_restart+0x90/0x7e0
[ 103.024438][ T35] syscall_exit_to_user_mode+0x150/0x2a0
[ 103.026427][ T35] do_syscall_64+0xda/0x250
[ 103.028164][ T35] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 103.030669][ T35]
[ 103.031622][ T35] The buggy address belongs to the object at ffff88803790f000
[ 103.031622][ T35] which belongs to the cache kmalloc-2k of size 2048
[ 103.036498][ T35] The buggy address is located 128 bytes inside of
[ 103.036498][ T35] freed 2048-byte region [ffff88803790f000, ffff88803790f800)
[ 103.041273][ T35]
[ 103.041924][ T35] The buggy address belongs to the physical page:
[ 103.043582][ T35] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88803790f000 pfn:0x37908
[ 103.047173][ T35] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 103.050087][ T35] flags: 0xfff00000000240(workingset|head|node=0|zone=1|lastcpupid=0x7ff)
[ 103.052971][ T35] page_type: f5(slab)
[ 103.054241][ T35] raw: 00fff00000000240 ffff88801b042f00 ffffea00009bb010 ffffea0000bc7210
[ 103.056549][ T35] raw: ffff88803790f000 0000000000080005 00000001f5000000 0000000000000000
[ 103.059087][ T35] head: 00fff00000000240 ffff88801b042f00 ffffea00009bb010 ffffea0000bc7210
[ 103.062296][ T35] head: ffff88803790f000 0000000000080005 00000001f5000000 0000000000000000
[ 103.065458][ T35] head: 00fff00000000003 ffffea0000de4201 ffffffffffffffff 0000000000000000
[ 103.068215][ T35] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 103.070917][ T35] page dumped because: kasan: bad access detected
[ 103.073156][ T35] page_owner tracks the page as allocated
[ 103.075022][ T35] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5469, tgid 5469 (syz-executor.0), ts 62545068477, free_ts 62448800975
[ 103.081938][ T35] post_alloc_hook+0x2d1/0x350
[ 103.083587][ T35] get_page_from_freelist+0x101e/0x3070
[ 103.085309][ T35] __alloc_pages_noprof+0x223/0x25a0
[ 103.087101][ T35] alloc_pages_mpol_noprof+0x2c9/0x610
[ 103.089063][ T35] new_slab+0x2ba/0x3f0
[ 103.090525][ T35] ___slab_alloc+0xdac/0x1880
[ 103.092034][ T35] __slab_alloc.constprop.0+0x56/0xb0
[ 103.093689][ T35] __kmalloc_cache_noprof+0x2b4/0x300
[ 103.095674][ T35] device_create_groups_vargs+0x8a/0x270
[ 103.097963][ T35] device_create+0xe9/0x130
[ 103.099817][ T35] mac80211_hwsim_new_radio+0x36b/0x54d0
[ 103.101763][ T35] hwsim_new_radio_nl+0xb42/0x12b0
[ 103.103197][ T35] genl_family_rcv_msg_doit+0x202/0x2f0
[ 103.105249][ T35] genl_rcv_msg+0x565/0x800
[ 103.106861][ T35] netlink_rcv_skb+0x16b/0x440
[ 103.108520][ T35] genl_rcv+0x28/0x40
[ 103.109892][ T35] page last free pid 5522 tgid 5522 stack trace:
[ 103.112083][ T35] free_unref_page+0x5f4/0xdc0
[ 103.113571][ T35] __put_partials+0x14c/0x170
[ 103.115017][ T35] qlist_free_all+0x4e/0x120
[ 103.116288][ T35] kasan_quarantine_reduce+0x192/0x1e0
[ 103.117792][ T35] __kasan_slab_alloc+0x69/0x90
[ 103.119105][ T35] kmem_cache_alloc_noprof+0x121/0x2f0
[ 103.120769][ T35] getname_flags.part.0+0x4c/0x550
[ 103.122600][ T35] getname+0x8d/0xe0
[ 103.123988][ T35] do_sys_openat2+0x104/0x1e0
[ 103.125665][ T35] __x64_sys_openat+0x175/0x210
[ 103.127438][ T35] do_syscall_64+0xcd/0x250
[ 103.129129][ T35] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 103.131207][ T35]
[ 103.131931][ T35] Memory state around the buggy address:
[ 103.133909][ T35] ffff88803790ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 103.136795][ T35] ffff88803790f000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 103.139698][ T35] >ffff88803790f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 103.142666][ T35] ^
[ 103.144073][ T35] ffff88803790f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 103.146621][ T35] ffff88803790f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 103.149380][ T35] ==================================================================
[ 103.152326][ T35] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 103.154787][ T35] CPU: 3 UID: 0 PID: 35 Comm: kworker/3:0 Not tainted 6.12.0-rc3-syzkaller-g2f87d0916ce0 #0
[ 103.158167][ T35] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 103.161937][ T35] Workqueue: events sco_sock_timeout
[ 103.163886][ T35] Call Trace:
[ 103.165055][ T35]
[ 103.166096][ T35] dump_stack_lvl+0x3d/0x1f0
[ 103.167727][ T35] panic+0x71d/0x800
[ 103.169109][ T35] ? mark_held_locks+0x9f/0xe0
[ 103.170765][ T35] ? __pfx_panic+0x10/0x10
[ 103.172327][ T35] ? irqentry_exit+0x3b/0x90
[ 103.173941][ T35] ? lockdep_hardirqs_on+0x7c/0x110
[ 103.175732][ T35] ? check_panic_on_warn+0x1f/0xb0
[ 103.177585][ T35] check_panic_on_warn+0xab/0xb0
[ 103.179424][ T35] end_report+0x117/0x180
[ 103.181071][ T35] kasan_report+0xe9/0x110
[ 103.182632][ T35] ? sco_sock_timeout+0x97/0x2c0
[ 103.184337][ T35] ? sco_sock_timeout+0x97/0x2c0
[ 103.185845][ T35] kasan_check_range+0xef/0x1a0
[ 103.187534][ T35] sco_sock_timeout+0x97/0x2c0
[ 103.189198][ T35] process_one_work+0x9c5/0x1ba0
[ 103.190935][ T35] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 103.192866][ T35] ? __pfx_process_one_work+0x10/0x10
[ 103.194805][ T35] ? assign_work+0x1a0/0x250
[ 103.196652][ T35] worker_thread+0x6c8/0xf00
[ 103.198483][ T35] ? __pfx_worker_thread+0x10/0x10
[ 103.200383][ T35] kthread+0x2c1/0x3a0
[ 103.201905][ T35] ? _raw_spin_unlock_irq+0x23/0x50
[ 103.203921][ T35] ? __pfx_kthread+0x10/0x10
[ 103.205551][ T35] ret_from_fork+0x45/0x80
[ 103.207020][ T35] ? __pfx_kthread+0x10/0x10
[ 103.208663][ T35] ret_from_fork_asm+0x1a/0x30
[ 103.210335][ T35]
[ 103.211916][ T35] Kernel Offset: disabled
[ 103.213586][ T35] Rebooting in 86400 seconds..