Warning: Permanently added '10.128.1.11' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 56.801133][ T3608] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 56.808349][ T3608] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 56.815517][ T3608] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 56.823078][ T3608] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 56.830546][ T3608] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 56.837688][ T3608] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 56.845269][ T3606] Bluetooth: hci0: HCI_REQ-0x0c1a
executing program
[ 58.849538][ T3766] ==================================================================
[ 58.857617][ T3766] BUG: KASAN: use-after-free in task_work_run+0x1b0/0x270
[ 58.864725][ T3766] Read of size 8 at addr ffff8880752b1c18 by task syz-executor361/3766
[ 58.872962][ T3766]
[ 58.875268][ T3766] CPU: 0 PID: 3766 Comm: syz-executor361 Not tainted 6.1.0-rc2-syzkaller-00073-g88619e77b33d #0
[ 58.885676][ T3766] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 58.895715][ T3766] Call Trace:
[ 58.898977][ T3766]
[ 58.901896][ T3766] dump_stack_lvl+0xcd/0x134
[ 58.906480][ T3766] print_report+0x15e/0x45d
[ 58.910971][ T3766] ? __phys_addr+0xc4/0x140
[ 58.915461][ T3766] ? task_work_run+0x1b0/0x270
[ 58.920217][ T3766] kasan_report+0xbb/0x1f0
[ 58.924630][ T3766] ? task_work_run+0x1b0/0x270
[ 58.929386][ T3766] task_work_run+0x1b0/0x270
[ 58.933968][ T3766] ? task_work_cancel+0x30/0x30
[ 58.938811][ T3766] ? do_raw_spin_unlock+0x171/0x230
[ 58.943999][ T3766] do_exit+0xb35/0x2a20
[ 58.948143][ T3766] ? mm_update_next_owner+0x7b0/0x7b0
[ 58.953509][ T3766] do_group_exit+0xd0/0x2a0
[ 58.958020][ T3766] get_signal+0x21a1/0x2430
[ 58.962540][ T3766] ? exit_signals+0x8b0/0x8b0
[ 58.967229][ T3766] arch_do_signal_or_restart+0x82/0x2300
[ 58.972871][ T3766] ? do_futex+0x12e/0x300
[ 58.977211][ T3766] ? __ia32_sys_get_robust_list+0x3b0/0x3b0
[ 58.983115][ T3766] ? get_sigframe_size+0x10/0x10
[ 58.988057][ T3766] ? asm_sysvec_irq_work+0x16/0x20
[ 58.993186][ T3766] ? trace_hardirqs_on+0x2d/0x160
[ 58.998214][ T3766] ? asm_sysvec_irq_work+0x16/0x20
[ 59.003344][ T3766] ? arch_do_signal_or_restart+0x6/0x2300
[ 59.009067][ T3766] exit_to_user_mode_prepare+0x15f/0x250
[ 59.014709][ T3766] syscall_exit_to_user_mode+0x19/0x50
[ 59.020174][ T3766] do_syscall_64+0x42/0xb0
[ 59.024604][ T3766] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 59.030510][ T3766] RIP: 0033:0x7fb9f674b089
[ 59.034923][ T3766] Code: Unable to access opcode bytes at 0x7fb9f674b05f.
[ 59.041935][ T3766] RSP: 002b:00007fb9f66fb318 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 59.050349][ T3766] RAX: 0000000000000001 RBX: 00007fb9f67da1a8 RCX: 00007fb9f674b089
[ 59.058322][ T3766] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007fb9f67da1ac
[ 59.066293][ T3766] RBP: 00007fb9f67da1a0 R08: 0000000000000000 R09: 0000000000000000
[ 59.074261][ T3766] R10: 0000000000000000 R11: 0000000000000246 R12: 0000003100000400
[ 59.082230][ T3766] R13: 00007fff658570cf R14: 00007fb9f66fb400 R15: 0000000000022000
[ 59.090208][ T3766]
[ 59.093227][ T3766]
[ 59.095546][ T3766] Allocated by task 3766:
[ 59.099866][ T3766] kasan_save_stack+0x1e/0x40
[ 59.104558][ T3766] kasan_set_track+0x21/0x30
[ 59.109160][ T3766] __kasan_slab_alloc+0x7e/0x80
[ 59.114021][ T3766] kmem_cache_alloc_node+0x2fc/0x400
[ 59.119317][ T3766] perf_event_alloc.part.0+0x69/0x3bc0
[ 59.124786][ T3766] __do_sys_perf_event_open+0x4ae/0x32d0
[ 59.130442][ T3766] do_syscall_64+0x35/0xb0
[ 59.134872][ T3766] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 59.140781][ T3766]
[ 59.143097][ T3766] Freed by task 0:
[ 59.146808][ T3766] kasan_save_stack+0x1e/0x40
[ 59.151494][ T3766] kasan_set_track+0x21/0x30
[ 59.156096][ T3766] kasan_save_free_info+0x2a/0x40
[ 59.161119][ T3766] ____kasan_slab_free+0x160/0x1c0
[ 59.166242][ T3766] slab_free_freelist_hook+0x8b/0x1c0
[ 59.171621][ T3766] kmem_cache_free+0xea/0x5b0
[ 59.176318][ T3766] rcu_core+0x81f/0x1980
[ 59.180570][ T3766] __do_softirq+0x1f7/0xad8
[ 59.185087][ T3766]
[ 59.187403][ T3766] Last potentially related work creation:
[ 59.193107][ T3766] kasan_save_stack+0x1e/0x40
[ 59.197793][ T3766] __kasan_record_aux_stack+0xbc/0xd0
[ 59.203183][ T3766] call_rcu+0x99/0x820
[ 59.207258][ T3766] perf_event_release_kernel+0x6f2/0x940
[ 59.212902][ T3766] perf_release+0x33/0x40
[ 59.217241][ T3766] __fput+0x27c/0xa90
[ 59.221223][ T3766] task_work_run+0x16b/0x270
[ 59.225829][ T3766] exit_to_user_mode_prepare+0x23c/0x250
[ 59.231474][ T3766] syscall_exit_to_user_mode+0x19/0x50
[ 59.236943][ T3766] do_syscall_64+0x42/0xb0
[ 59.241369][ T3766] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 59.247278][ T3766]
[ 59.249595][ T3766] Second to last potentially related work creation:
[ 59.256172][ T3766] kasan_save_stack+0x1e/0x40
[ 59.260864][ T3766] __kasan_record_aux_stack+0xbc/0xd0
[ 59.266255][ T3766] task_work_add+0x7b/0x2c0
[ 59.270775][ T3766] event_sched_out+0xe35/0x1190
[ 59.275641][ T3766] __perf_remove_from_context+0x87/0xc40
[ 59.281290][ T3766] event_function+0x29e/0x3e0
[ 59.285975][ T3766] remote_function+0x11e/0x1a0
[ 59.290744][ T3766] __flush_smp_call_function_queue+0x205/0x9a0
[ 59.296913][ T3766] __sysvec_call_function_single+0xca/0x4d0
[ 59.302829][ T3766] sysvec_call_function_single+0x8e/0xc0
[ 59.308488][ T3766] asm_sysvec_call_function_single+0x16/0x20
[ 59.314483][ T3766]
[ 59.316820][ T3766] The buggy address belongs to the object at ffff8880752b17c0
[ 59.316820][ T3766]  which belongs to the cache perf_event of size 1392
[ 59.330883][ T3766] The buggy address is located 1112 bytes inside of
[ 59.330883][ T3766]  1392-byte region [ffff8880752b17c0, ffff8880752b1d30)
[ 59.344333][ T3766]
[ 59.346650][ T3766] The buggy address belongs to the physical page:
[ 59.353065][ T3766] page:ffffea0001d4ac00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x752b0
[ 59.363227][ T3766] head:ffffea0001d4ac00 order:3 compound_mapcount:0 compound_pincount:0
[ 59.371551][ T3766] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 59.379561][ T3766] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff8880118c23c0
[ 59.388151][ T3766] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[ 59.397507][ T3766] page dumped because: kasan: bad access detected
[ 59.403918][ T3766] page_owner tracks the page as allocated
[ 59.409626][ T3766] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3754, tgid 3753 (syz-executor361), ts 58662170660, free_ts 58383135648
[ 59.431265][ T3766] get_page_from_freelist+0x10b5/0x2d50
[ 59.436828][ T3766] __alloc_pages+0x1c7/0x5a0
[ 59.441420][ T3766] alloc_pages+0x1a6/0x270
[ 59.445846][ T3766] allocate_slab+0x213/0x300
[ 59.450449][ T3766] ___slab_alloc+0xa91/0x1400
[ 59.455137][ T3766] __slab_alloc.constprop.0+0x56/0xa0
[ 59.460519][ T3766] kmem_cache_alloc_node+0x189/0x400
[ 59.465818][ T3766] perf_event_alloc.part.0+0x69/0x3bc0
[ 59.471289][ T3766] __do_sys_perf_event_open+0x4ae/0x32d0
[ 59.476949][ T3766] do_syscall_64+0x35/0xb0
[ 59.481401][ T3766] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 59.487307][ T3766] page last free stack trace:
[ 59.491974][ T3766] free_pcp_prepare+0x65c/0xd90
[ 59.496842][ T3766] free_unref_page+0x19/0x4d0
[ 59.501519][ T3766] __unfreeze_partials+0x17c/0x1a0
[ 59.506638][ T3766] qlist_free_all+0x6a/0x170
[ 59.511231][ T3766] kasan_quarantine_reduce+0x180/0x200
[ 59.516699][ T3766] __kasan_slab_alloc+0x62/0x80
[ 59.521568][ T3766] kmem_cache_alloc+0x2ac/0x3c0
[ 59.526433][ T3766] alloc_buffer_head+0x20/0x140
[ 59.531293][ T3766] alloc_page_buffers+0x280/0x790
[ 59.536331][ T3766] create_empty_buffers+0x2c/0xf20
[ 59.541469][ T3766] ext4_block_write_begin+0x10a7/0x15f0
[ 59.547050][ T3766] ext4_da_write_begin+0x44c/0xb50
[ 59.552166][ T3766] generic_perform_write+0x252/0x570
[ 59.557463][ T3766] ext4_buffered_write_iter+0x15b/0x460
[ 59.563036][ T3766] ext4_file_write_iter+0x8b8/0x16e0
[ 59.568340][ T3766] __kernel_write_iter+0x25e/0x730
[ 59.573477][ T3766]
[ 59.575798][ T3766] Memory state around the buggy address:
[ 59.581423][ T3766]  ffff8880752b1b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.589491][ T3766]  ffff8880752b1b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.597549][ T3766] >ffff8880752b1c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.605605][ T3766]                             ^
[ 59.610447][ T3766]  ffff8880752b1c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.618506][ T3766]  ffff8880752b1d00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 59.626566][ T3766] ==================================================================
[ 59.634889][ T3608] Bluetooth: hci0: command 0x0409 tx timeout
[ 59.641089][ T3766] Kernel panic - not syncing: panic_on_warn set ...
[ 59.647683][ T3766] CPU: 0 PID: 3766 Comm: syz-executor361 Not tainted 6.1.0-rc2-syzkaller-00073-g88619e77b33d #0
[ 59.658100][ T3766] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 59.668155][ T3766] Call Trace:
[ 59.671430][ T3766]
[ 59.674376][ T3766] dump_stack_lvl+0xcd/0x134
[ 59.678989][ T3766] panic+0x2c8/0x622
[ 59.682913][ T3766] ? panic_print_sys_info.part.0+0x110/0x110
[ 59.688932][ T3766] ? preempt_schedule_common+0x59/0xc0
[ 59.694415][ T3766] ? preempt_schedule_thunk+0x16/0x18
[ 59.699807][ T3766] end_report.part.0+0x3f/0x7c
[ 59.704576][ T3766] ? task_work_run+0x1b0/0x270
[ 59.709357][ T3766] kasan_report.cold+0xa/0xf
[ 59.713957][ T3766] ? task_work_run+0x1b0/0x270
[ 59.718745][ T3766] task_work_run+0x1b0/0x270
[ 59.723354][ T3766] ? task_work_cancel+0x30/0x30
[ 59.728224][ T3766] ? do_raw_spin_unlock+0x171/0x230
[ 59.733438][ T3766] do_exit+0xb35/0x2a20
[ 59.737602][ T3766] ? mm_update_next_owner+0x7b0/0x7b0
[ 59.742989][ T3766] do_group_exit+0xd0/0x2a0
[ 59.747500][ T3766] get_signal+0x21a1/0x2430
[ 59.752016][ T3766] ? exit_signals+0x8b0/0x8b0
[ 59.756703][ T3766] arch_do_signal_or_restart+0x82/0x2300
[ 59.762341][ T3766] ? do_futex+0x12e/0x300
[ 59.766684][ T3766] ? __ia32_sys_get_robust_list+0x3b0/0x3b0
[ 59.772589][ T3766] ? get_sigframe_size+0x10/0x10
[ 59.777529][ T3766] ? asm_sysvec_irq_work+0x16/0x20
[ 59.782655][ T3766] ? trace_hardirqs_on+0x2d/0x160
[ 59.787684][ T3766] ? asm_sysvec_irq_work+0x16/0x20
[ 59.793163][ T3766] ? arch_do_signal_or_restart+0x6/0x2300
[ 59.798891][ T3766] exit_to_user_mode_prepare+0x15f/0x250
[ 59.804534][ T3766] syscall_exit_to_user_mode+0x19/0x50
[ 59.809998][ T3766] do_syscall_64+0x42/0xb0
[ 59.814429][ T3766] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 59.820334][ T3766] RIP: 0033:0x7fb9f674b089
[ 59.824747][ T3766] Code: Unable to access opcode bytes at 0x7fb9f674b05f.
[ 59.831759][ T3766] RSP: 002b:00007fb9f66fb318 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 59.840171][ T3766] RAX: 0000000000000001 RBX: 00007fb9f67da1a8 RCX: 00007fb9f674b089
[ 59.848143][ T3766] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007fb9f67da1ac
[ 59.856112][ T3766] RBP: 00007fb9f67da1a0 R08: 0000000000000000 R09: 0000000000000000
[ 59.864081][ T3766] R10: 0000000000000000 R11: 0000000000000246 R12: 0000003100000400
[ 59.872054][ T3766] R13: 00007fff658570cf R14: 00007fb9f66fb400 R15: 0000000000022000
[ 59.880033][ T3766]
[ 59.883192][ T3766] Kernel Offset: disabled
[ 59.887506][ T3766] Rebooting in 86400 seconds..