[ 29.722832][ T1436] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 29.730557][ T1436] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 29.737744][ T1436] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 29.850734][ T1452] chnl_net:caif_netlink_parms(): no params data found
[ 30.747042][ T1452] 8021q: adding VLAN 0 to HW filter on device bond0
[ 31.324245][ T1452] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 31.331932][ T1447] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 31.339348][ T1447] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 31.801412][ T1447] Bluetooth: hci0: command 0x0409 tx timeout
[ 32.518095][ T7] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.1.166' (ED25519) to the list of known hosts.
2024/09/08 16:36:36 ignoring optional flag "sandboxArg"="0"
2024/09/08 16:36:36 parsed 1 programs
[ 51.539579][ T1870] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 52.247661][ T1907] chnl_net:caif_netlink_parms(): no params data found
[ 53.132464][ T1907] 8021q: adding VLAN 0 to HW filter on device bond0
[ 53.694739][ T1907] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 53.701669][ T122] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 53.708996][ T122] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 54.881965][ T40] bond0 (unregistering): Released all slaves
[ 54.997179][ T1434] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 55.005803][ T1434] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 55.013110][ T1434] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 55.020602][ T1434] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 55.028071][ T1434] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 55.035387][ T1434] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
2024/09/08 16:36:40 executed programs: 0
[ 55.177993][ T1434] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 55.185224][ T1434] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 55.192493][ T1434] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 55.199978][ T1434] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 55.207676][ T1434] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 55.214893][ T1434] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 55.348995][ T2351] chnl_net:caif_netlink_parms(): no params data found
[ 56.243155][ T2351] 8021q: adding VLAN 0 to HW filter on device bond0
[ 56.810135][ T2351] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 56.817896][ T122] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 56.825493][ T122] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 57.241219][ T122] Bluetooth: hci0: command 0x0409 tx timeout
[ 58.716391][ T1434] ==================================================================
[ 58.724472][ T1434] BUG: KASAN: use-after-free in set_powered_sync+0x2f/0x90
[ 58.731669][ T1434] Read of size 8 at addr ffff88810b3d6818 by task kworker/u5:1/1434
[ 58.739631][ T1434]
[ 58.741977][ T1434] CPU: 1 PID: 1434 Comm: kworker/u5:1 Not tainted 5.17.0-rc5-syzkaller #0
[ 58.750441][ T1434] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[ 58.760478][ T1434] Workqueue: hci0 hci_cmd_sync_work
[ 58.765659][ T1434] Call Trace:
[ 58.768911][ T1434]
[ 58.771813][ T1434] dump_stack_lvl+0xf4/0x251
[ 58.776374][ T1434] ? bfq_pos_tree_add_move+0x3bd/0x3bd
[ 58.781818][ T1434] ? _printk+0xca/0x10a
[ 58.785955][ T1434] ? mutex_lock_nested+0x10/0x10
[ 58.790891][ T1434] ? panic+0x43e/0x43e
[ 58.794948][ T1434] ? _raw_spin_lock_irqsave+0xd0/0x110
[ 58.800381][ T1434] ? __mutex_unlock_slowpath+0x209/0x5c0
[ 58.805990][ T1434] print_address_description+0x62/0x370
[ 58.811620][ T1434] ? set_powered_sync+0x2f/0x90
[ 58.816439][ T1434] kasan_report+0x16b/0x1c0
[ 58.820913][ T1434] ? set_powered_sync+0x2f/0x90
[ 58.825734][ T1434] ? kfree+0xdc/0x230
[ 58.829775][ T1434] ? add_adv_patterns_monitor_rssi+0x5d0/0x5d0
[ 58.836041][ T1434] ? set_powered_sync+0x90/0x90
[ 58.840866][ T1434] set_powered_sync+0x2f/0x90
[ 58.845510][ T1434] hci_cmd_sync_work+0x19c/0x200
[ 58.850415][ T1434] process_one_work+0x763/0xd30
[ 58.855237][ T1434] ? worker_detach_from_pool+0x240/0x240
[ 58.860837][ T1434] ? __rwlock_init+0x140/0x140
[ 58.865570][ T1434] ? wq_worker_sleeping+0x19/0x1d0
[ 58.870650][ T1434] worker_thread+0x86e/0xeb0
[ 58.875216][ T1434] ? rcu_lock_release+0x20/0x20
[ 58.880121][ T1434] kthread+0x210/0x260
[ 58.884158][ T1434] ? rcu_lock_release+0x20/0x20
[ 58.888979][ T1434] ? kthread_blkcg+0xa0/0xa0
[ 58.893541][ T1434] ret_from_fork+0x22/0x30
[ 58.897931][ T1434]
[ 58.900925][ T1434]
[ 58.903219][ T1434] Allocated by task 2753:
[ 58.907610][ T1434] ____kasan_kmalloc+0xdb/0x110
[ 58.912603][ T1434] kmem_cache_alloc_trace+0x158/0x2b0
[ 58.918026][ T1434] mgmt_pending_new+0x5d/0x200
[ 58.922753][ T1434] mgmt_pending_add+0x12/0xe0
[ 58.927404][ T1434] set_powered+0x260/0x3f0
[ 58.931788][ T1434] hci_mgmt_cmd+0x820/0xd40
[ 58.936257][ T1434] hci_sock_sendmsg+0x707/0xf60
[ 58.941074][ T1434] sock_write_iter+0x47d/0x490
[ 58.945805][ T1434] vfs_write+0xb05/0xf10
[ 58.950019][ T1434] ksys_write+0x165/0x250
[ 58.954315][ T1434] do_syscall_64+0x4b/0xb0
[ 58.958697][ T1434] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 58.964555][ T1434]
[ 58.966852][ T1434] Freed by task 2752:
[ 58.970887][ T1434] kasan_set_track+0x4b/0x70
[ 58.975443][ T1434] kasan_set_free_info+0x1f/0x40
[ 58.980348][ T1434] ____kasan_slab_free+0x11f/0x170
[ 58.985423][ T1434] slab_free_freelist_hook+0x12c/0x1a0
[ 58.990850][ T1434] kfree+0xdc/0x230
[ 58.994630][ T1434] settings_rsp+0x284/0x340
[ 58.999105][ T1434] mgmt_pending_foreach+0x6d/0xd0
[ 59.004091][ T1434] __mgmt_power_off+0x106/0x3c0
[ 59.008908][ T1434] hci_dev_close_sync+0x345/0xd20
[ 59.013898][ T1434] hci_dev_close+0x9d/0x150
[ 59.018370][ T1434] sock_do_ioctl+0x106/0x390
[ 59.022925][ T1434] sock_ioctl+0x47b/0x5f0
[ 59.027222][ T1434] __se_sys_ioctl+0xaa/0xf0
[ 59.031688][ T1434] do_syscall_64+0x4b/0xb0
[ 59.036084][ T1434] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 59.041950][ T1434]
[ 59.044255][ T1434] Last potentially related work creation:
[ 59.049939][ T1434] kasan_save_stack+0x3b/0x60
[ 59.054591][ T1434] __kasan_record_aux_stack+0xaf/0xc0
[ 59.059952][ T1434] call_rcu+0x19c/0x8d0
[ 59.064079][ T1434] nf_unregister_net_hooks+0x35/0xd0
[ 59.069419][ T1434] cleanup_net+0x504/0xa90
[ 59.073813][ T1434] process_one_work+0x763/0xd30
[ 59.078648][ T1434] worker_thread+0x86e/0xeb0
[ 59.083211][ T1434] kthread+0x210/0x260
[ 59.087248][ T1434] ret_from_fork+0x22/0x30
[ 59.091636][ T1434]
[ 59.094017][ T1434] The buggy address belongs to the object at ffff88810b3d6800
[ 59.094017][ T1434]  which belongs to the cache kmalloc-96 of size 96
[ 59.107867][ T1434] The buggy address is located 24 bytes inside of
[ 59.107867][ T1434]  96-byte region [ffff88810b3d6800, ffff88810b3d6860)
[ 59.120932][ T1434] The buggy address belongs to the page:
[ 59.126615][ T1434] page:ffffea00042cf580 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10b3d6
[ 59.136817][ T1434] flags: 0x100000000000200(slab|node=0|zone=2)
[ 59.142942][ T1434] raw: 0100000000000200 ffffea0005dbe880 dead000000000003 ffff888100041780
[ 59.151576][ T1434] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[ 59.160245][ T1434] page dumped because: kasan: bad access detected
[ 59.166646][ T1434] page_owner tracks the page as allocated
[ 59.172339][ T1434] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 3575937415, free_ts 3574174491
[ 59.187930][ T1434] post_alloc_hook+0x1ef/0x210
[ 59.192670][ T1434] prep_new_page+0x28/0x230
[ 59.197144][ T1434] get_page_from_freelist+0x3a4a/0x3bf0
[ 59.203001][ T1434] __alloc_pages+0x277/0x700
[ 59.207554][ T1434] alloc_page_interleave+0xf/0x130
[ 59.212631][ T1434] alloc_slab_page+0x39/0x90
[ 59.217186][ T1434] new_slab+0x70/0x2a0
[ 59.221222][ T1434] ___slab_alloc+0x5a2/0xab0
[ 59.225777][ T1434] kmem_cache_alloc_trace+0x1af/0x2b0
[ 59.231121][ T1434] acpi_button_add+0x7c/0x880
[ 59.235779][ T1434] acpi_device_probe+0xa4/0x290
[ 59.240792][ T1434] really_probe+0x22a/0xa80
[ 59.245268][ T1434] __driver_probe_device+0x1e1/0x350
[ 59.250533][ T1434] driver_probe_device+0x4b/0x3a0
[ 59.255521][ T1434] __driver_attach+0x282/0x580
[ 59.260250][ T1434] bus_for_each_dev+0x156/0x1b0
[ 59.265063][ T1434] page last free stack trace:
[ 59.269791][ T1434] free_unref_page_prepare+0xb4a/0xc10
[ 59.275218][ T1434] free_unref_page+0x95/0x280
[ 59.279876][ T1434] __vunmap+0x331/0x7b0
[ 59.284102][ T1434] free_work+0x3d/0x70
[ 59.288141][ T1434] process_one_work+0x763/0xd30
[ 59.292966][ T1434] worker_thread+0x86e/0xeb0
[ 59.297539][ T1434] kthread+0x210/0x260
[ 59.301587][ T1434] ret_from_fork+0x22/0x30
[ 59.305974][ T1434]
[ 59.308271][ T1434] Memory state around the buggy address:
[ 59.313868][ T1434] ffff88810b3d6700: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ 59.321899][ T1434] ffff88810b3d6780: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 59.329927][ T1434] >ffff88810b3d6800: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 59.337953][ T1434]                             ^
[ 59.342768][ T1434] ffff88810b3d6880: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 59.350796][ T1434] ffff88810b3d6900: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ 59.358835][ T1434] ==================================================================
[ 59.366860][ T1434] Disabling lock debugging due to kernel taint
[ 59.373059][ T1434] Kernel panic - not syncing: panic_on_warn set ...
[ 59.379870][ T1434] Kernel Offset: disabled
[ 59.384185][ T1434] Rebooting in 86400 seconds..