Warning: Permanently added '10.128.1.28' (ED25519) to the list of known hosts.
2023/12/07 00:03:55 ignoring optional flag "sandboxArg"="0"
2023/12/07 00:03:55 parsed 1 programs
2023/12/07 00:03:55 executed programs: 0
[   48.406575][ T1949] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k
[   48.438208][ T1439] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   48.446931][ T1439] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   48.455069][ T1439] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   48.462813][ T1439] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   48.470503][ T1439] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   48.478879][ T1439] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   48.611063][ T1954] chnl_net:caif_netlink_parms(): no params data found
[   49.684085][ T1954] 8021q: adding VLAN 0 to HW filter on device bond0
[   50.411562][ T1954] 8021q: adding VLAN 0 to HW filter on device batadv0
[   50.501322][ T1439] Bluetooth: hci0: command 0x0409 tx timeout
[   52.571129][ T1439] Bluetooth: hci0: command 0x041b tx timeout
2023/12/07 00:04:01 executed programs: 3
[   54.651073][ T1274] Bluetooth: hci0: command 0x040f tx timeout
[   56.731058][ T1274] Bluetooth: hci0: command 0x0419 tx timeout
[   58.811139][ T1274] Bluetooth: hci0: command 0x0405 tx timeout
2023/12/07 00:04:06 executed programs: 9
[   60.891095][ T1439] Bluetooth: hci0: command 0x0405 tx timeout
[   62.971146][ T1274] Bluetooth: hci0: command 0x0405 tx timeout
2023/12/07 00:04:11 executed programs: 15
[   65.061037][ T1439] Bluetooth: hci0: command 0x0405 tx timeout
[   67.131056][ T1439] Bluetooth: hci0: command 0x0405 tx timeout
[   69.211051][ T1274] Bluetooth: hci0: command 0x0405 tx timeout
2023/12/07 00:04:16 executed programs: 21
[   71.291064][ T1274] Bluetooth: hci0: command 0x0405 tx timeout
[   73.371206][ T1439] Bluetooth: hci0: command 0x0405 tx timeout
2023/12/07 00:04:21 executed programs: 27
[   75.451039][ T2435] Bluetooth: hci0: command 0x0405 tx timeout
[   77.531052][ T2435] Bluetooth: hci0: command 0x0405 tx timeout
2023/12/07 00:04:26 executed programs: 33
[   79.621068][ T2435] Bluetooth: hci0: command 0x0405 tx timeout
[   81.701072][ T1274] Bluetooth: hci0: command 0x0405 tx timeout
[   83.771055][ T1274] Bluetooth: hci0: command 0x0405 tx timeout
2023/12/07 00:04:31 executed programs: 39
[   85.851081][ T1274] Bluetooth: hci0: command 0x0405 tx timeout
[   87.931098][   T44] Bluetooth: hci0: command 0x0405 tx timeout
2023/12/07 00:04:36 executed programs: 45
[   90.011134][ T2435] Bluetooth: hci0: command 0x0405 tx timeout
[   92.011198][   T28] ==================================================================
[   92.019710][   T28] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x57/0x1f0
[   92.027591][   T28] Write of size 4 at addr ffff888174b8b080 by task kworker/1:1/28
[   92.035378][   T28]
[   92.037775][   T28] CPU: 1 PID: 28 Comm: kworker/1:1 Not tainted 6.7.0-rc3-syzkaller #0
[   92.047605][   T28] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
[   92.058909][   T28] Workqueue: events sco_sock_timeout
[   92.064548][   T28] Call Trace:
[   92.068081][   T28]
[   92.071079][   T28]  dump_stack_lvl+0x3d/0x60
[   92.076136][   T28]  print_report+0xc4/0x620
[   92.080844][   T28]  kasan_report+0xda/0x110
[   92.085686][   T28]  ? sco_sock_timeout+0x57/0x1f0
[   92.090957][   T28]  ? sco_sock_timeout+0x57/0x1f0
[   92.096060][   T28]  kasan_check_range+0xef/0x190
[   92.101176][   T28]  sco_sock_timeout+0x57/0x1f0
[   92.106020][   T28]  process_one_work+0x72e/0x11b0
[   92.111103][ T2435] Bluetooth: hci0: command 0x0405 tx timeout
[   92.111442][   T28]  ? wq_sysfs_prep_attrs+0x3f0/0x3f0
[   92.111454][   T28]  ? assign_work+0x163/0x230
[   92.127752][   T28]  worker_thread+0x6b3/0x1080
[   92.132404][   T28]  ? do_raw_spin_unlock+0x173/0x230
[   92.137670][   T28]  ? __kthread_parkme+0x7e/0x150
[   92.142593][   T28]  ? process_one_work+0x11b0/0x11b0
[   92.147757][   T28]  kthread+0x278/0x330
[   92.151798][   T28]  ? kthread_complete_and_exit+0x20/0x20
[   92.157515][   T28]  ret_from_fork+0x2c/0x70
[   92.161999][   T28]  ? kthread_complete_and_exit+0x20/0x20
[   92.167772][   T28]  ret_from_fork_asm+0x11/0x20
[   92.172689][   T28]
[   92.175683][   T28]
[   92.177981][   T28] Allocated by task 2356:
[   92.182632][   T28]  kasan_save_stack+0x33/0x50
[   92.187471][   T28]  kasan_set_track+0x25/0x30
[   92.192514][   T28]  __kasan_kmalloc+0xa2/0xb0
[   92.198402][   T28]  __kmalloc+0x60/0x160
[   92.202814][   T28]  sk_prot_alloc+0x14f/0x210
[   92.207577][   T28]  sk_alloc+0x30/0x590
[   92.211717][   T28]  bt_sock_alloc+0x29/0x350
[   92.216280][   T28]  sco_sock_create+0xc0/0x370
[   92.220927][   T28]  bt_sock_create+0x11e/0x250
[   92.225587][   T28]  __sock_create+0x200/0x470
[   92.230260][   T28]  __sys_socket+0x115/0x1d0
[   92.235045][   T28]  __x64_sys_socket+0x6d/0xb0
[   92.239987][   T28]  do_syscall_64+0x40/0x110
[   92.245330][   T28]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[   92.251209][   T28]
[   92.253612][   T28] Freed by task 2358:
[   92.257822][   T28]  kasan_save_stack+0x33/0x50
[   92.262886][   T28]  kasan_set_track+0x25/0x30
[   92.267675][   T28]  kasan_save_free_info+0x2b/0x40
[   92.272945][   T28]  ____kasan_slab_free+0x15b/0x1b0
[   92.278303][   T28]  slab_free_freelist_hook+0x114/0x1e0
[   92.283756][   T28]  __kmem_cache_free+0xba/0x320
[   92.288598][   T28]  __sk_destruct+0x4a6/0x6b0
[   92.293527][   T28]  sco_sock_release+0x130/0x280
[   92.298886][   T28]  __sock_release+0x9b/0x250
[   92.303670][   T28]  sock_close+0x13/0x20
[   92.308000][   T28]  __fput+0x1e9/0xab0
[   92.312406][   T28]  task_work_run+0x114/0x1f0
[   92.316982][   T28]  get_signal+0x194/0x1fc0
[   92.321643][   T28]  arch_do_signal_or_restart+0x89/0x5f0
[   92.327441][   T28]  exit_to_user_mode_prepare+0xc3/0x150
[   92.333738][   T28]  syscall_exit_to_user_mode+0x17/0x40
[   92.340067][   T28]  do_syscall_64+0x4d/0x110
[   92.345325][   T28]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[   92.352244][   T28]
[   92.354804][   T28] The buggy address belongs to the object at ffff888174b8b000
[   92.354804][   T28]  which belongs to the cache kmalloc-2k of size 2048
[   92.369452][   T28] The buggy address is located 128 bytes inside of
[   92.369452][   T28]  freed 2048-byte region [ffff888174b8b000, ffff888174b8b800)
[   92.384050][   T28]
[   92.386370][   T28] The buggy address belongs to the physical page:
[   92.393204][   T28] page:ffffea0005d2e200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x174b88
[   92.404383][   T28] head:ffffea0005d2e200 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   92.414118][   T28] anon flags: 0x100000000000840(slab|head|node=0|zone=2)
[   92.421850][   T28] page_type: 0xffffffff()
[   92.426156][   T28] raw: 0100000000000840 ffff888100042000 0000000000000000 0000000000000001
[   92.435157][   T28] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[   92.444073][   T28] page dumped because: kasan: bad access detected
[   92.450729][   T28] page_owner tracks the page as allocated
[   92.456678][   T28] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1438, tgid 1438 (syz-executor.0), ts 25569589143, free_ts 25567897155
[   92.481838][   T28]  post_alloc_hook+0x27f/0x2f0
[   92.486694][   T28]  get_page_from_freelist+0x670/0x4230
[   92.492315][   T28]  __alloc_pages+0x1d0/0x470
[   92.496912][   T28]  alloc_pages_mpol+0x175/0x4a0
[   92.501920][   T28]  allocate_slab+0x24b/0x360
[   92.506509][   T28]  ___slab_alloc+0x8ce/0x10e0
[   92.511269][   T28]  __slab_alloc.constprop.0+0x4d/0x90
[   92.516969][   T28]  __kmem_cache_alloc_node+0x150/0x350
[   92.522403][   T28]  kmalloc_trace+0x25/0xb0
[   92.526799][   T28]  rtnl_newlink+0x44/0x90
[   92.531280][   T28]  rtnetlink_rcv_msg+0x398/0xac0
[   92.536879][   T28]  netlink_rcv_skb+0x137/0x3a0
[   92.541901][   T28]  netlink_unicast+0x4f4/0x750
[   92.547010][   T28]  netlink_sendmsg+0x777/0xc40
[   92.551918][   T28]  __sock_sendmsg+0xbc/0x150
[   92.556569][   T28]  __sys_sendto+0x1f1/0x2b0
[   92.561567][   T28] page last free stack trace:
[   92.566512][   T28]  free_unref_page_prepare+0x5a2/0xcb0
[   92.572222][   T28]  free_unref_page+0x33/0x350
[   92.577177][   T28]  __unfreeze_partials+0x1f3/0x210
[   92.582364][   T28]  qlist_free_all+0x6a/0x170
[   92.587556][   T28]  kasan_quarantine_reduce+0x180/0x1b0
[   92.593277][   T28]  __kasan_slab_alloc+0x65/0x90
[   92.598562][   T28]  kmem_cache_alloc+0x190/0x370
[   92.603848][   T28]  ptlock_alloc+0x1d/0x60
[   92.608455][   T28]  pte_alloc_one+0x57/0x250
[   92.613653][   T28]  __pte_alloc+0x66/0x290
[   92.618327][   T28]  __handle_mm_fault+0x1fd7/0x2280
[   92.624763][   T28]  handle_mm_fault+0x161/0x580
[   92.629965][   T28]  do_user_addr_fault+0x1fd/0x920
[   92.634977][   T28]  exc_page_fault+0x5e/0xb0
[   92.640008][   T28]  asm_exc_page_fault+0x26/0x30
[   92.645162][   T28]
[   92.647634][   T28] Memory state around the buggy address:
[   92.653670][   T28]  ffff888174b8af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   92.661731][   T28]  ffff888174b8b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   92.671230][   T28] >ffff888174b8b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   92.679712][   T28]                    ^
[   92.683934][   T28]  ffff888174b8b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   92.692080][   T28]  ffff888174b8b180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   92.700240][   T28] ==================================================================
[   92.708723][   T28] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   92.716440][   T28] Kernel Offset: disabled
[   92.721750][   T28] Rebooting in 86400 seconds..