Debian GNU/Linux 11 syzkaller ttyS0
Warning: Permanently added '[localhost]:18826' (ECDSA) to the list of known hosts.
2025/11/14 08:16:58 fuzzer started
2025/11/14 08:16:58 dialing manager at localhost:37161
syzkaller login: [ 52.902865] cgroup: Unknown subsys name 'net'
[ 52.974552] cgroup: Unknown subsys name 'cpuset'
[ 52.995463] cgroup: Unknown subsys name 'rlimit'
2025/11/14 08:17:10 syscalls: 2214
2025/11/14 08:17:10 code coverage: enabled
2025/11/14 08:17:10 comparison tracing: enabled
2025/11/14 08:17:10 extra coverage: enabled
2025/11/14 08:17:10 setuid sandbox: enabled
2025/11/14 08:17:10 namespace sandbox: enabled
2025/11/14 08:17:10 Android sandbox: enabled
2025/11/14 08:17:10 fault injection: enabled
2025/11/14 08:17:10 leak checking: enabled
2025/11/14 08:17:10 net packet injection: enabled
2025/11/14 08:17:10 net device setup: enabled
2025/11/14 08:17:10 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2025/11/14 08:17:10 devlink PCI setup: PCI device 0000:00:10.0 is not available
2025/11/14 08:17:10 USB emulation: enabled
2025/11/14 08:17:10 hci packet injection: enabled
2025/11/14 08:17:10 wifi device emulation: enabled
2025/11/14 08:17:10 802.15.4 emulation: enabled
2025/11/14 08:17:10 fetching corpus: 0, signal 0/2000 (executing program)
2025/11/14 08:17:24 fetching corpus: 7495, signal 192877/193723 (executing program)
2025/11/14 08:17:26 starting 8 fuzzer processes
08:17:26 executing program 0:
perf_event_open(&(0x7f0000000000)={0x2, 0x80, 0xe9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
socketpair(0x1, 0x1, 0x0, &(0x7f0000000000)={<r0=>0xffffffffffffffff})
ioctl$sock_TIOCINQ(r0, 0x541b, &(0x7f00000025c0))
08:17:26 executing program 3:
r0 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000200)={'wlan0\x00', <r1=>0x0})
r2 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$inet6_mreq(r2, 0x29, 0x1b, &(0x7f0000000040)={@dev, r1}, 0x14)
sendmmsg$inet6(r2, &(0x7f0000003400)=[{{&(0x7f0000000000)={0xa, 0x4e23, 0x0, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02'}, 0x1c, 0x0, 0x0, &(0x7f0000001340)=ANY=[@ANYBLOB="24000000000000002900000032000000fe880000000000000000000000000001", @ANYRES32=r1], 0x28}}], 0x1, 0x0)
08:17:26 executing program 1:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_mreq(r0, 0x0, 0x23, &(0x7f0000000640)={@multicast2, @dev}, 0x8)
perf_event_open(&(0x7f0000000340)={0x2, 0x80, 0x78, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
setsockopt$inet_mreqsrc(r0, 0x0, 0x26, &(0x7f0000000000)={@multicast2, @remote, @multicast2}, 0xc)
08:17:26 executing program 2:
r0 = socket$inet6_udplite(0xa, 0x2, 0x88)
sendmmsg$sock(r0, &(0x7f00000006c0)=[{{&(0x7f0000000180)=@generic={0x0,
"938be6679626046b5e44f4552675d6512b985851a7d46bdc58ae12e552b31d083c597596dde58b97076d4863864a744ec0db0174eebe12c56394d3bad7ccb16743427801db5a0e3653370e75ee6dd5e09a9b34a22380a654182e5622afe7710d8a851056066ebc4c0d777a2bfb229f1d2c60076789a7ddf699c8ededda0d"}, 0x80, 0x0}}], 0x1, 0x0)
[ 79.194440] audit: type=1400 audit(1763108246.713:7): avc: denied { execmem } for pid=276 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
08:17:26 executing program 6:
perf_event_open(&(0x7f0000000080)={0x2, 0x80, 0x7a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$inet_tcp_int(r0, 0x6, 0x22, &(0x7f0000000000), 0x4)
08:17:26 executing program 4:
r0 = creat(&(0x7f00000003c0)='./file0\x00', 0x0)
ioctl$FS_IOC_FSGETXATTR(r0, 0x660c, 0x0)
08:17:26 executing program 7:
r0 = syz_open_dev$tty1(0xc, 0x4, 0x1)
writev(r0, &(0x7f0000001180)=[{&(0x7f0000000000)="a20e73f1b1812c8df69b6c", 0xb}], 0x1)
08:17:26 executing program 5:
r0 = perf_event_open(&(0x7f0000000340)={0x2, 0x80, 0x7a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$tun(0xffffffffffffff9c, &(0x7f0000000040), 0x2000, 0x0)
close_range(r0, 0xffffffffffffffff, 0x0)
[ 80.299545] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 80.303127] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 80.307041] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 80.309576] ==================================================================
[ 80.310860] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x66d/0x6d0
[ 80.312068] Read of size 2 at addr ffff88800e93f7b8 by task kworker/u11:1/293
[ 80.319069]
[ 80.319379] CPU: 1 UID: 0 PID: 293 Comm: kworker/u11:1 Not tainted 6.18.0-rc5-next-20251114 #1 PREEMPT(voluntary)
[ 80.319413] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 80.319430] Workqueue: hci0 hci_cmd_work
[ 80.319463] Call Trace:
[ 80.319472]  <TASK>
[ 80.319482]  dump_stack_lvl+0xca/0x120
[ 80.319514]  print_report+0xcb/0x610
[ 80.319547]  ? __virt_addr_valid+0x100/0x5d0
[ 80.319576]  ? hci_cmd_work+0x66d/0x6d0
[ 80.319622]  ? hci_cmd_work+0x66d/0x6d0
[ 80.319654]  kasan_report+0xca/0x100
[ 80.319686]  ? hci_cmd_work+0x66d/0x6d0
[ 80.319727]  hci_cmd_work+0x66d/0x6d0
[ 80.319761]  process_one_work+0x8e1/0x19c0
[ 80.319804]  ? __pfx_process_one_work+0x10/0x10
[ 80.319840]  ? move_linked_works+0x172/0x270
[ 80.319868]  ? assign_work+0x196/0x240
[ 80.319903]  worker_thread+0x67e/0xe90
[ 80.319938]  ? trace_irq_enable.constprop.0+0xc2/0x100
[ 80.319969]  ? __pfx_worker_thread+0x10/0x10
[ 80.320005]  kthread+0x3c8/0x740
[ 80.320037]  ? __pfx_kthread+0x10/0x10
[ 80.320068]  ? ret_from_fork+0x79/0x7a0
[ 80.320093]  ? lock_release+0xc8/0x290
[ 80.320132]  ? __pfx_kthread+0x10/0x10
[ 80.320164]  ret_from_fork+0x67a/0x7a0
[ 80.320189]  ? __pfx_ret_from_fork+0x10/0x10
[ 80.320215]  ? __switch_to+0x759/0x1060
[ 80.320249]  ? __pfx_kthread+0x10/0x10
[ 80.320282]  ret_from_fork_asm+0x1a/0x30
[ 80.320323]  </TASK>
[ 80.320331]
[ 80.342591] Allocated by task 292:
[ 80.343208]  kasan_save_stack+0x24/0x50
[ 80.343915]  kasan_save_track+0x14/0x30
[ 80.344616]  __kasan_slab_alloc+0x59/0x70
[ 80.345327]  kmem_cache_alloc_node_noprof+0x228/0x6b0
[ 80.346221]  __alloc_skb+0x2ab/0x370
[ 80.346897]  hci_cmd_sync_alloc+0x34/0x300
[ 80.347645]  __hci_cmd_sync_sk+0xf7/0x5c0
[ 80.348370]  hci_read_bd_addr_sync+0x2c/0x170
[ 80.349149]  hci_dev_open_sync+0x145c/0x1f60
[ 80.349909]  hci_power_on+0xdb/0x5d0
[ 80.350567]  process_one_work+0x8e1/0x19c0
[ 80.351300]  worker_thread+0x67e/0xe90
[ 80.351992]  kthread+0x3c8/0x740
[ 80.352594]  ret_from_fork+0x67a/0x7a0
[ 80.353282]  ret_from_fork_asm+0x1a/0x30
[ 80.353993]
[ 80.354292] Freed by task 294:
[ 80.354843]  kasan_save_stack+0x24/0x50
[ 80.355535]  kasan_save_track+0x14/0x30
[ 80.356230]  kasan_save_free_info+0x3a/0x60
[ 80.356976]  __kasan_slab_free+0x43/0x70
[ 80.357680]  kmem_cache_free+0x26f/0x500
[ 80.358385]  kfree_skbmem+0x18a/0x1f0
[ 80.359047]  sk_skb_reason_drop+0x10e/0x1b0
[ 80.359791]  vhci_read+0x3d5/0x5d0
[ 80.360422]  vfs_read+0x1eb/0xc70
[ 80.361022]  ksys_read+0x121/0x240
[ 80.361653]  do_syscall_64+0xbf/0x430
[ 80.362314]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 80.363189]
[ 80.363488] The buggy address belongs to the object at ffff88800e93f780
[ 80.363488]  which belongs to the cache skbuff_head_cache of size 232
[ 80.365643] The buggy address is located 56 bytes inside of
[ 80.365643]  freed 232-byte region [ffff88800e93f780, ffff88800e93f868)
[ 80.367686]
[ 80.367993] The buggy address belongs to the physical page:
[ 80.368900] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xe93f
[ 80.370009] anon flags: 0x100000000000000(node=0|zone=1)
[ 80.370773] page_type: f5(slab)
[ 80.371267] raw: 0100000000000000 ffff8880096c78c0 ffffea00003a2180 dead000000000005
[ 80.372373] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[ 80.373456] page dumped because: kasan: bad access detected
[ 80.374243]
[ 80.374495] Memory state around the buggy address:
[ 80.375199]  ffff88800e93f680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.376239]  ffff88800e93f700: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 80.377276] >ffff88800e93f780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.378320]                                         ^
[ 80.379055]  ffff88800e93f800: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[ 80.380090]  ffff88800e93f880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 80.381115] ==================================================================
[ 80.382237] Disabling lock debugging due to kernel taint
[ 80.386925] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 80.388513] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 80.425429] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 80.426935] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 80.428864] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 80.429585] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 80.431161] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 80.432724] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 80.435491] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 80.437708] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 80.439075] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 80.440613] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 80.484123] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 80.489052] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 80.490492] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 80.492265] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 80.493599] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 80.497590] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 80.498902] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 80.503930] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 80.504154] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 80.514583] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 80.551752] Bluetooth: hci7: unexpected cc 0x0c03 length: 249 > 1
[ 80.552836] Bluetooth: hci5: unexpected cc 0x0c03 length: 249 > 1
[ 80.554193] Bluetooth: hci5: unexpected cc 0x1003 length: 249 > 9
[ 80.555394] Bluetooth: hci7: unexpected cc 0x1003 length: 249 > 9
[ 80.558911] Bluetooth: hci5: unexpected cc 0x1001 length: 249 > 9
[ 80.560090] Bluetooth: hci7: unexpected cc 0x1001 length: 249 > 9
[ 80.564919] Bluetooth: hci7: unexpected cc 0x0c23 length: 249 > 4
[ 80.566594] Bluetooth: hci5: unexpected cc 0x0c23 length: 249 > 4
[ 80.567876] Bluetooth: hci7: unexpected cc 0x0c38 length: 249 > 2
[ 80.570198] Bluetooth: hci5: unexpected cc 0x0c38 length: 249 > 2
[ 80.585772] Bluetooth: hci6: unexpected cc 0x0c03 length: 249 > 1
[ 80.592960] Bluetooth: hci6: unexpected cc 0x1003 length: 249 > 9
[ 80.605481] Bluetooth: hci6: unexpected cc 0x1001 length: 249 > 9
[ 80.608097] Bluetooth: hci6: unexpected cc 0x0c23 length: 249 > 4
[ 80.625238] Bluetooth: hci6: unexpected cc 0x0c38 length: 249 > 2
[ 82.459760] Bluetooth: hci1: command tx timeout
[ 82.460207] Bluetooth: hci0: command tx timeout
[ 82.523734] Bluetooth: hci3: command tx timeout
[ 82.524136] Bluetooth: hci2: command tx timeout
[ 82.587769] Bluetooth: hci4: command tx timeout
[ 82.651714] Bluetooth: hci7: command tx timeout
[ 82.652113] Bluetooth: hci5: command tx timeout
[ 82.715754] Bluetooth: hci6: command tx timeout
[ 84.507788] Bluetooth: hci1: command tx timeout
[ 84.508236] Bluetooth: hci0: command tx timeout
[ 84.572112] Bluetooth: hci3: command tx timeout
[ 84.572548] Bluetooth: hci2: command tx timeout
[ 84.635802] Bluetooth: hci4: command tx timeout
[ 84.699761] Bluetooth: hci5: command tx timeout
[ 84.700249] Bluetooth: hci7: command tx timeout
[ 84.763727] Bluetooth: hci6: command tx timeout
[ 86.556967] Bluetooth: hci0: command tx timeout
[ 86.557415] Bluetooth: hci1: command tx timeout
[ 86.619750] Bluetooth: hci2: command tx timeout
[ 86.620195] Bluetooth: hci3: command tx timeout
[ 86.683721] Bluetooth: hci4: command tx timeout
[ 86.747761] Bluetooth: hci7: command tx timeout
[ 86.748210] Bluetooth: hci5: command tx timeout
[ 86.811738] Bluetooth: hci6: command tx timeout
[ 88.603734] Bluetooth: hci1: command tx timeout
[ 88.604182] Bluetooth: hci0: command tx timeout
[ 88.667729] Bluetooth: hci3: command tx timeout
[ 88.668186] Bluetooth: hci2: command tx timeout
[ 88.731755] Bluetooth: hci4: command tx timeout
[ 88.796707] Bluetooth: hci5: command tx timeout
[ 88.797151] Bluetooth: hci7: command tx timeout
[ 88.859771] Bluetooth: hci6: command tx timeout
VM DIAGNOSIS:
08:17:27 Registers: