Warning: Permanently added '10.128.10.8' (ED25519) to the list of known hosts.
Setting up swapspace version 1, size = 127995904 bytes
[ 35.149663][ T6437] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k SS
[ 35.171576][ T53] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 35.174029][ T53] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 35.176274][ T53] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 35.178823][ T53] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 35.181578][ T53] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 35.183937][ T53] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 35.231898][ T752] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 35.234015][ T752] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 35.243971][ T2146] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 35.246004][ T2146] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
executing program
[ 35.283585][ T6012] BUG: sleeping function called from invalid context at net/core/sock.c:3647
[ 35.285886][ T6012] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 6012, name: kworker/u9:1
[ 35.288362][ T6012] preempt_count: 1, expected: 0
[ 35.289605][ T6012] RCU nest depth: 0, expected: 0
[ 35.291122][ T6012] 5 locks held by kworker/u9:1/6012:
[ 35.292506][ T6012]  #0: ffff0000c65ec948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x674/0x1638
[ 35.295119][ T6012]  #1: ffff8000a4237ba0 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x708/0x1638
[ 35.298149][ T6012]  #2: ffff0000c69ac078 (&hdev->lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0xe4/0x90c
[ 35.300796][ T6012]  #3: ffff0000cdacda20 (&conn->lock#3){+.+.}-{3:3}, at: sco_connect_cfm+0x24c/0x8f4
executing program
[ 35.303296][ T6012]  #4: ffff0000c6a19258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x3d8/0x8f4
[ 35.306396][ T6012] Preemption disabled at:
[ 35.306406][ T6012] [] sco_connect_cfm+0x24c/0x8f4
[ 35.309083][ T6012] CPU: 0 UID: 0 PID: 6012 Comm: kworker/u9:1 Not tainted 6.14.0-rc4-syzkaller-ge056da87c780 #0
[ 35.309097][ T6012] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 35.309105][ T6012] Workqueue: hci0 hci_rx_work
[ 35.309121][ T6012] Call trace:
executing program
[ 35.309124][ T6012]  show_stack+0x2c/0x3c (C)
[ 35.309141][ T6012]  dump_stack_lvl+0xe4/0x150
[ 35.309154][ T6012]  dump_stack+0x1c/0x28
[ 35.309167][ T6012]  __might_resched+0x374/0x4d0
[ 35.309178][ T6012]  __might_sleep+0x90/0xe4
[ 35.309188][ T6012]  lock_sock_nested+0x6c/0x11c
[ 35.309200][ T6012]  sco_connect_cfm+0x3d8/0x8f4
[ 35.309213][ T6012]  hci_sync_conn_complete_evt+0x4cc/0x90c
[ 35.309225][ T6012]  hci_event_packet+0x8d0/0x1060
[ 35.309235][ T6012]  hci_rx_work+0x31c/0xb04
[ 35.309246][ T6012]  process_one_work+0x810/0x1638
[ 35.309258][ T6012]  worker_thread+0x97c/0xeec
[ 35.309270][ T6012]  kthread+0x65c/0x7b0
[ 35.309280][ T6012]  ret_from_fork+0x10/0x20
[ 35.309293][ T6012] ==================================================================
[ 35.335380][ T6012] BUG: KASAN: slab-use-after-free in __lock_acquire+0x10c/0x7904
[ 35.337394][ T6012] Read of size 8 at addr ffff0000c6a191d8 by task kworker/u9:1/6012
[ 35.339426][ T6012]
[ 35.340005][ T6012] CPU: 0 UID: 0 PID: 6012 Comm: kworker/u9:1 Tainted: G W 6.14.0-rc4-syzkaller-ge056da87c780 #0
[ 35.340022][ T6012] Tainted: [W]=WARN
executing program
executing program
[ 35.340026][ T6012] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 35.340034][ T6012] Workqueue: hci0 hci_rx_work
[ 35.340050][ T6012] Call trace:
[ 35.340053][ T6012]  show_stack+0x2c/0x3c (C)
[ 35.340070][ T6012]  dump_stack_lvl+0xe4/0x150
[ 35.340084][ T6012]  print_report+0x198/0x550
[ 35.340097][ T6012]  kasan_report+0xd8/0x138
[ 35.340108][ T6012]  __asan_report_load8_noabort+0x20/0x2c
[ 35.340121][ T6012]  __lock_acquire+0x10c/0x7904
[ 35.340133][ T6012]  lock_acquire+0x23c/0x724
[ 35.340144][ T6012]  _raw_spin_lock_bh+0x48/0x60
[ 35.340155][ T6012]  lock_sock_nested+0x74/0x11c
[ 35.340167][ T6012]  sco_connect_cfm+0x3d8/0x8f4
[ 35.340180][ T6012]  hci_sync_conn_complete_evt+0x4cc/0x90c
[ 35.340192][ T6012]  hci_event_packet+0x8d0/0x1060
[ 35.340202][ T6012]  hci_rx_work+0x31c/0xb04
[ 35.340214][ T6012]  process_one_work+0x810/0x1638
[ 35.340227][ T6012]  worker_thread+0x97c/0xeec
[ 35.340239][ T6012]  kthread+0x65c/0x7b0
[ 35.340250][ T6012]  ret_from_fork+0x10/0x20
executing program
[ 35.340261][ T6012]
[ 35.370883][ T6012] Allocated by task 6449:
[ 35.372073][ T6012]  kasan_save_track+0x40/0x78
[ 35.373339][ T6012]  kasan_save_alloc_info+0x40/0x50
[ 35.374757][ T6012]  __kasan_kmalloc+0xac/0xc4
[ 35.375990][ T6012]  __kmalloc_noprof+0x32c/0x54c
[ 35.377253][ T6012]  sk_prot_alloc+0xc4/0x1f0
[ 35.378412][ T6012]  sk_alloc+0x44/0x3f0
[ 35.379405][ T6012]  bt_sock_alloc+0x4c/0x304
[ 35.380636][ T6012]  sco_sock_create+0xbc/0x31c
[ 35.381963][ T6012]  bt_sock_create+0x14c/0x248
[ 35.383157][ T6012]  __sock_create+0x448/0x908
[ 35.384472][ T6012]  __sys_socket+0x134/0x340
[ 35.385679][ T6012]  __arm64_sys_socket+0x7c/0x94
[ 35.386930][ T6012]  invoke_syscall+0x98/0x2b8
[ 35.388220][ T6012]  el0_svc_common+0x130/0x23c
[ 35.389456][ T6012]  do_el0_svc+0x48/0x58
[ 35.390552][ T6012]  el0_svc+0x54/0x168
[ 35.391649][ T6012]  el0t_64_sync_handler+0x84/0x108
[ 35.392995][ T6012]  el0t_64_sync+0x198/0x19c
[ 35.394191][ T6012]
[ 35.394783][ T6012] Freed by task 6448:
[ 35.395829][ T6012]  kasan_save_track+0x40/0x78
[ 35.397117][ T6012]  kasan_save_free_info+0x54/0x6c
[ 35.398542][ T6012]  __kasan_slab_free+0x64/0x8c
[ 35.399863][ T6012]  kfree+0x180/0x478
[ 35.400926][ T6012]  __sk_destruct+0x4b8/0x74c
[ 35.402154][ T6012]  __sk_free+0x388/0x4f4
[ 35.403248][ T6012]  sk_free+0x60/0xc8
[ 35.404256][ T6012]  sco_sock_kill+0xfc/0x1b4
[ 35.405491][ T6012]  sco_sock_release+0x1fc/0x2c0
[ 35.406823][ T6012]  sock_close+0xa4/0x1e8
[ 35.408019][ T6012]  __fput+0x340/0x760
[ 35.409031][ T6012]  __fput_sync+0xc8/0x118
[ 35.410191][ T6012]  __arm64_sys_close+0x80/0xd8
[ 35.411469][ T6012]  invoke_syscall+0x98/0x2b8
[ 35.412753][ T6012]  el0_svc_common+0x130/0x23c
[ 35.413994][ T6012]  do_el0_svc+0x48/0x58
[ 35.415085][ T6012]  el0_svc+0x54/0x168
[ 35.416093][ T6012]  el0t_64_sync_handler+0x84/0x108
[ 35.417497][ T6012]  el0t_64_sync+0x198/0x19c
[ 35.418806][ T6012]
[ 35.419413][ T6012] The buggy address belongs to the object at ffff0000c6a19000
[ 35.419413][ T6012]  which belongs to the cache kmalloc-2k of size 2048
[ 35.423094][ T6012] The buggy address is located 472 bytes inside of
[ 35.423094][ T6012]  freed 2048-byte region [ffff0000c6a19000, ffff0000c6a19800)
[ 35.426640][ T6012]
[ 35.427231][ T6012] The buggy address belongs to the physical page:
[ 35.428893][ T6012] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106a18
[ 35.431287][ T6012] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 35.433582][ T6012] flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
[ 35.435636][ T6012] page_type: f5(slab)
[ 35.436683][ T6012] raw: 05ffc00000000040 ffff0000c0002000 dead000000000122 0000000000000000
[ 35.438969][ T6012] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 35.441303][ T6012] head: 05ffc00000000040 ffff0000c0002000 dead000000000122 0000000000000000
[ 35.443528][ T6012] head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 35.445825][ T6012] head: 05ffc00000000003 fffffdffc31a8601 ffffffffffffffff 0000000000000000
[ 35.448065][ T6012] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 35.450325][ T6012] page dumped because: kasan: bad access detected
[ 35.452018][ T6012]
[ 35.452597][ T6012] Memory state around the buggy address:
[ 35.453982][ T6012]  ffff0000c6a19080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.456092][ T6012]  ffff0000c6a19100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.458314][ T6012] >ffff0000c6a19180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.460496][ T6012]                                                     ^
[ 35.462377][ T6012]  ffff0000c6a19200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.464497][ T6012]  ffff0000c6a19280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.466656][ T6012] ==================================================================
[ 35.468961][ T6012] Disabling lock debugging due to kernel taint
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 35.471077][ T6012] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 35.473817][ T6012] Mem abort info:
[ 35.474744][ T6012]   ESR = 0x0000000096000004
[ 35.475938][ T6012]   EC = 0x25: DABT (current EL), IL = 32 bits
[ 35.477451][ T6012]   SET = 0, FnV = 0
[ 35.478472][ T6012]   EA = 0, S1PTW = 0
[ 35.479392][ T6012]   FSC = 0x04: level 0 translation fault
[ 35.480738][ T6012] Data abort info:
executing program
[ 35.481653][ T6012]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 35.483201][ T6012]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 35.484758][ T6012]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 35.486164][ T6012] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001078bb000
[ 35.487965][ T6012] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
[ 35.489910][ T6012] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[ 35.491739][ T6012] Modules linked in:
executing program
[ 35.492753][ T6012] CPU: 0 UID: 0 PID: 6012 Comm: kworker/u9:1 Tainted: G B W 6.14.0-rc4-syzkaller-ge056da87c780 #0
[ 35.495839][ T6012] Tainted: [B]=BAD_PAGE, [W]=WARN
[ 35.497143][ T6012] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 35.499900][ T6012] Workqueue: hci0 hci_rx_work
[ 35.501183][ T6012] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 35.503303][ T6012] pc : __pi_memcpy_generic+0x24/0x22c
[ 35.504755][ T6012] lr : __asan_memcpy+0x68/0x84
[ 35.506152][ T6012] sp : ffff8000a4237600
[ 35.507354][ T6012] x29: ffff8000a4237600 x28: 1ffff00014846ed4 x27: dfff800000000000
[ 35.509471][ T6012] x26: 1fffe00018d432ad x25: ffff0000c64df3c4 x24: ffff0000c6a19568
[ 35.511685][ T6012] x23: ffff0000c64df000 x22: ffff800082e7d3c0 x21: ffff0000ce4f1d40
[ 35.513951][ T6012] x20: 0000000000000000 x19: 0000000000000020 x18: ffff800080007b48
executing program
executing program
[ 35.516101][ T6012] x17: ffff800080380838 x16: ffff80008b727f5c x15: 0000000000000004
[ 35.518270][ T6012] x14: 1fffe00019c9e3a8 x13: 0000000000000000 x12: 0000000000000000
[ 35.520330][ T6012] x11: ffff600019c9e3ac x10: 1fffe00019c9e3ab x9 : dfff800000000000
[ 35.522407][ T6012] x8 : 0000000000000001 x7 : 0000000000000000 x6 : ffff80008a8a9b68
[ 35.524468][ T6012] x5 : ffff0000ce4f1d60 x4 : 0000000000000020 x3 : ffff800082e7d3c0
[ 35.526644][ T6012] x2 : 0000000000000020 x1 : 0000000000000000 x0 : ffff0000ce4f1d40
[ 35.528778][ T6012] Call trace:
[ 35.529593][ T6012]  __pi_memcpy_generic+0x24/0x22c (P)
[ 35.530979][ T6012]  smack_sk_clone_security+0x7c/0x90
[ 35.532457][ T6012]  security_sk_clone+0x90/0x194
[ 35.533749][ T6012]  sco_connect_cfm+0x56c/0x8f4
[ 35.535043][ T6012]  hci_sync_conn_complete_evt+0x4cc/0x90c
[ 35.536546][ T6012]  hci_event_packet+0x8d0/0x1060
[ 35.537848][ T6012]  hci_rx_work+0x31c/0xb04
[ 35.539011][ T6012]  process_one_work+0x810/0x1638
[ 35.540272][ T6012]  worker_thread+0x97c/0xeec
[ 35.541486][ T6012]  kthread+0x65c/0x7b0
[ 35.542586][ T6012]  ret_from_fork+0x10/0x20
[ 35.543843][ T6012] Code: f100805f 540003c8 f100405f 540000c3 (a9401c26)
[ 35.545646][ T6012] ---[ end trace 0000000000000000 ]---
executing program
executing program
executing program
executing program
executing program
[ 35.860792][ T6012] Kernel panic - not syncing: Oops: Fatal exception
[ 35.862482][ T6012] SMP: stopping secondary CPUs
[ 35.863668][ T6012] Kernel Offset: disabled
[ 35.864780][ T6012] CPU features: 0x200,00002070,00800250,82017203
[ 35.866425][ T6012] Memory Limit: none
[ 36.142288][ T6012] Rebooting in 86400 seconds..