Warning: Permanently added '[localhost]:9024' (ECDSA) to the list of known hosts.
2025/11/14 08:18:38 fuzzer started
2025/11/14 08:18:38 dialing manager at localhost:37161
syzkaller login: [   59.962498] cgroup: Unknown subsys name 'net'
[   60.044111] cgroup: Unknown subsys name 'cpuset'
[   60.059171] cgroup: Unknown subsys name 'rlimit'
2025/11/14 08:18:50 syscalls: 2214
2025/11/14 08:18:50 code coverage: enabled
2025/11/14 08:18:50 comparison tracing: enabled
2025/11/14 08:18:50 extra coverage: enabled
2025/11/14 08:18:50 setuid sandbox: enabled
2025/11/14 08:18:50 namespace sandbox: enabled
2025/11/14 08:18:50 Android sandbox: enabled
2025/11/14 08:18:50 fault injection: enabled
2025/11/14 08:18:50 leak checking: enabled
2025/11/14 08:18:50 net packet injection: enabled
2025/11/14 08:18:50 net device setup: enabled
2025/11/14 08:18:50 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
2025/11/14 08:18:50 devlink PCI setup: PCI device 0000:00:10.0 is not available
2025/11/14 08:18:50 USB emulation: enabled
2025/11/14 08:18:50 hci packet injection: enabled
2025/11/14 08:18:50 wifi device emulation: enabled
2025/11/14 08:18:50 802.15.4 emulation: enabled
2025/11/14 08:18:50 fetching corpus: 0, signal 0/2000 (executing program)
2025/11/14 08:18:50 fetching corpus: 43, signal 12098/15854 (executing program)
2025/11/14 08:18:50 fetching corpus: 91, signal 30421/35464 (executing program)
2025/11/14 08:18:50 fetching corpus: 141, signal 39594/45944 (executing program)
2025/11/14 08:18:50 fetching corpus: 191, signal 45673/53324 (executing program)
2025/11/14 08:18:51 fetching corpus: 241, signal 53815/62504 (executing program)
2025/11/14 08:18:51 fetching corpus: 291, signal 61234/70829 (executing program)
2025/11/14 08:18:51 fetching corpus: 341, signal 65266/75912 (executing program)
2025/11/14 08:18:51 fetching corpus: 391, signal 70557/82072 (executing program)
2025/11/14 08:18:51 fetching corpus: 441, signal 75267/87618 (executing program)
2025/11/14 08:18:51 fetching corpus: 491, signal 78262/91548 (executing program)
2025/11/14 08:18:51 fetching corpus: 540, signal 80644/94840 (executing program)
2025/11/14 08:18:51 fetching corpus: 590, signal 82328/97508 (executing program)
2025/11/14 08:18:51 fetching corpus: 640, signal 84234/100320 (executing program)
2025/11/14 08:18:51 fetching corpus: 690, signal 86901/103732 (executing program)
2025/11/14 08:18:52 fetching corpus: 740, signal 88788/106392 (executing program)
2025/11/14 08:18:52 fetching corpus: 787, signal 90676/109024 (executing program)
2025/11/14 08:18:52 fetching corpus: 837, signal 92303/111449 (executing program)
2025/11/14 08:18:52 fetching corpus: 887, signal 94309/114125 (executing program)
2025/11/14 08:18:52 fetching corpus: 937, signal 96035/116468 (executing program)
2025/11/14 08:18:52 fetching corpus: 987, signal 97734/118826 (executing program)
2025/11/14 08:18:52 fetching corpus: 1037, signal 102845/123751 (executing program)
2025/11/14 08:18:52 fetching corpus: 1087, signal 106705/127741 (executing program)
2025/11/14 08:18:52 fetching corpus: 1137, signal 108403/129959 (executing program)
2025/11/14 08:18:52 fetching corpus: 1187, signal 110543/132418 (executing program)
2025/11/14 08:18:53 fetching corpus: 1237, signal 113544/135474 (executing program)
2025/11/14 08:18:53 fetching corpus: 1287, signal 115150/137495 (executing program)
2025/11/14 08:18:53 fetching corpus: 1337, signal 116954/139618 (executing program)
2025/11/14 08:18:53 fetching corpus: 1387, signal 118651/141595 (executing program)
2025/11/14 08:18:53 fetching corpus: 1437, signal 120463/143650 (executing program)
2025/11/14 08:18:53 fetching corpus: 1487, signal 121681/145257 (executing program)
2025/11/14 08:18:53 fetching corpus: 1537, signal 123214/147042 (executing program)
2025/11/14 08:18:53 fetching corpus: 1587, signal 124249/148463 (executing program)
2025/11/14 08:18:53 fetching corpus: 1637, signal 125574/150107 (executing program)
2025/11/14 08:18:53 fetching corpus: 1687, signal 126340/151329 (executing program)
2025/11/14 08:18:54 fetching corpus: 1737, signal 127580/152858 (executing program)
2025/11/14 08:18:54 fetching corpus: 1787, signal 128418/154058 (executing program)
2025/11/14 08:18:54 fetching corpus: 1837, signal 129397/155349 (executing program)
2025/11/14 08:18:54 fetching corpus: 1887, signal 130156/156478 (executing program)
2025/11/14 08:18:54 fetching corpus: 1937, signal 131807/158160 (executing program)
2025/11/14 08:18:54 fetching corpus: 1987, signal 132534/159204 (executing program)
2025/11/14 08:18:54 fetching corpus: 2037, signal 133844/160611 (executing program)
2025/11/14 08:18:54 fetching corpus: 2087, signal 134440/161570 (executing program)
2025/11/14 08:18:54 fetching corpus: 2137, signal 135017/162536 (executing program)
2025/11/14 08:18:55 fetching corpus: 2187, signal 135925/163648 (executing program)
2025/11/14 08:18:55 fetching corpus: 2237, signal 136782/164725 (executing program)
2025/11/14 08:18:55 fetching corpus: 2287, signal 137723/165860 (executing program)
2025/11/14 08:18:55 fetching corpus: 2337, signal 138486/166858 (executing program)
2025/11/14 08:18:55 fetching corpus: 2387, signal 139448/167931 (executing program)
2025/11/14 08:18:55 fetching corpus: 2437, signal 140261/168948 (executing program)
2025/11/14 08:18:55 fetching corpus: 2487, signal 141371/170060 (executing program)
2025/11/14 08:18:55 fetching corpus: 2537, signal 142268/171040 (executing program)
2025/11/14 08:18:55 fetching corpus: 2587, signal 143164/172057 (executing program)
2025/11/14 08:18:55 fetching corpus: 2637, signal 143709/172867 (executing program)
2025/11/14 08:18:56 fetching corpus: 2687, signal 144309/173676 (executing program)
2025/11/14 08:18:56 fetching corpus: 2737, signal 144860/174476 (executing program)
2025/11/14 08:18:56 fetching corpus: 2787, signal 146010/175472 (executing program)
2025/11/14 08:18:56 fetching corpus: 2837, signal 147085/176383 (executing program)
2025/11/14 08:18:56 fetching corpus: 2887, signal 147715/177171 (executing program)
2025/11/14 08:18:56 fetching corpus: 2937, signal 148599/178046 (executing program)
2025/11/14 08:18:56 fetching corpus: 2987, signal 149352/178809 (executing program)
2025/11/14 08:18:56 fetching corpus: 3037, signal 150159/179569 (executing program)
2025/11/14 08:18:56 fetching corpus: 3087, signal 150743/180225 (executing program)
2025/11/14 08:18:57 fetching corpus: 3137, signal 151531/181011 (executing program)
2025/11/14 08:18:57 fetching corpus: 3187, signal 152061/181652 (executing program)
2025/11/14 08:18:57 fetching corpus: 3237, signal 153017/182400 (executing program)
2025/11/14 08:18:57 fetching corpus: 3287, signal 153734/183062 (executing program)
2025/11/14 08:18:57 fetching corpus: 3336, signal 154300/183691 (executing program)
2025/11/14 08:18:57 fetching corpus: 3386, signal 154991/184285 (executing program)
2025/11/14 08:18:57 fetching corpus: 3436, signal 155629/184932 (executing program)
2025/11/14 08:18:57 fetching corpus: 3486, signal 156143/185482 (executing program)
2025/11/14 08:18:57 fetching corpus: 3536, signal 156761/186058 (executing program)
2025/11/14 08:18:57 fetching corpus: 3586, signal 157220/186554 (executing program)
2025/11/14 08:18:58 fetching corpus: 3636, signal 158105/187162 (executing program)
2025/11/14 08:18:58 fetching corpus: 3686, signal 158808/187793 (executing program)
2025/11/14 08:18:58 fetching corpus: 3736, signal 159374/188288 (executing program)
2025/11/14 08:18:58 fetching corpus: 3786, signal 160022/188824 (executing program)
2025/11/14 08:18:58 fetching corpus: 3836, signal 160694/189367 (executing program)
2025/11/14 08:18:58 fetching corpus: 3886, signal 161209/189875 (executing program)
2025/11/14 08:18:58 fetching corpus: 3936, signal 161647/190334 (executing program)
2025/11/14 08:18:58 fetching corpus: 3986, signal 162344/190813 (executing program)
2025/11/14 08:18:58 fetching corpus: 4036, signal 162902/191277 (executing program)
2025/11/14 08:18:58 fetching corpus: 4086, signal 163156/191658 (executing program)
2025/11/14 08:18:58 fetching corpus: 4136, signal 163641/192085 (executing program)
2025/11/14 08:18:58 fetching corpus: 4186, signal 163994/192475 (executing program)
2025/11/14 08:18:59 fetching corpus: 4236, signal 164793/192897 (executing program)
2025/11/14 08:18:59 fetching corpus: 4286, signal 165454/193273 (executing program)
2025/11/14 08:18:59 fetching corpus: 4336, signal 165833/193624 (executing program)
2025/11/14 08:18:59 fetching corpus: 4386, signal 166267/193996 (executing program)
2025/11/14 08:18:59 fetching corpus: 4436, signal 167542/194434 (executing program)
2025/11/14 08:18:59 fetching corpus: 4486, signal 167980/194793 (executing program)
2025/11/14 08:18:59 fetching corpus: 4536, signal 168307/195115 (executing program)
2025/11/14 08:18:59 fetching corpus: 4586, signal 168815/195445 (executing program)
2025/11/14 08:18:59 fetching corpus: 4636, signal 169639/195798 (executing program)
2025/11/14 08:18:59 fetching corpus: 4686, signal 170885/196131 (executing program)
2025/11/14 08:19:00 fetching corpus: 4736, signal 171693/196418 (executing program)
2025/11/14 08:19:00 fetching corpus: 4786, signal 172298/196691 (executing program)
2025/11/14 08:19:00 fetching corpus: 4836, signal 172833/196926 (executing program)
2025/11/14 08:19:00 fetching corpus: 4886, signal 173318/197029 (executing program)
2025/11/14 08:19:00 fetching corpus: 4936, signal 173936/197029 (executing program)
2025/11/14 08:19:00 fetching corpus: 4986, signal 174346/197029 (executing program)
2025/11/14 08:19:00 fetching corpus: 5036, signal 174843/197029 (executing program)
2025/11/14 08:19:00 fetching corpus: 5086, signal 175348/197034 (executing program)
2025/11/14 08:19:00 fetching corpus: 5136, signal 175695/197034 (executing program)
2025/11/14 08:19:00 fetching corpus: 5185, signal 176078/197059 (executing program)
2025/11/14 08:19:00 fetching corpus: 5235, signal 176505/197063 (executing program)
2025/11/14 08:19:00 fetching corpus: 5285, signal 177081/197063 (executing program)
2025/11/14 08:19:01 fetching corpus: 5334, signal 177427/197084 (executing program)
2025/11/14 08:19:01 fetching corpus: 5384, signal 177983/197089 (executing program)
2025/11/14 08:19:01 fetching corpus: 5434, signal 178372/197096 (executing program)
2025/11/14 08:19:01 fetching corpus: 5484, signal 178933/197096 (executing program)
2025/11/14 08:19:01 fetching corpus: 5534, signal 179336/197096 (executing program)
2025/11/14 08:19:01 fetching corpus: 5583, signal 179684/197102 (executing program)
2025/11/14 08:19:01 fetching corpus: 5633, signal 180011/197102 (executing program)
2025/11/14 08:19:01 fetching corpus: 5682, signal 180511/197108 (executing program)
2025/11/14 08:19:01 fetching corpus: 5732, signal 181035/197135 (executing program)
2025/11/14 08:19:01 fetching corpus: 5782, signal 181336/197135 (executing program)
2025/11/14 08:19:01 fetching corpus: 5831, signal 181678/197135 (executing program)
2025/11/14 08:19:02 fetching corpus: 5881, signal 182055/197135 (executing program)
2025/11/14 08:19:02 fetching corpus: 5931, signal 182330/197135 (executing program)
2025/11/14 08:19:02 fetching corpus: 5981, signal 182766/197135 (executing program)
2025/11/14 08:19:02 fetching corpus: 6031, signal 183066/197154 (executing program)
2025/11/14 08:19:02 fetching corpus: 6081, signal 183342/197154 (executing program)
2025/11/14 08:19:02 fetching corpus: 6131, signal 183724/197154 (executing program)
2025/11/14 08:19:02 fetching corpus: 6181, signal 184114/197154 (executing program)
2025/11/14 08:19:02 fetching corpus: 6231, signal 184481/197154 (executing program)
2025/11/14 08:19:02 fetching corpus: 6281, signal 184793/197155 (executing program)
2025/11/14 08:19:02 fetching corpus: 6331, signal 185067/197155 (executing program)
2025/11/14 08:19:02 fetching corpus: 6381, signal 185396/197195 (executing program)
2025/11/14 08:19:02 fetching corpus: 6430, signal 185667/197195 (executing program)
2025/11/14 08:19:03 fetching corpus: 6480, signal 186266/197195 (executing program)
2025/11/14 08:19:03 fetching corpus: 6530, signal 186584/197195 (executing program)
2025/11/14 08:19:03 fetching corpus: 6580, signal 187037/197195 (executing program)
2025/11/14 08:19:03 fetching corpus: 6630, signal 187433/197195 (executing program)
2025/11/14 08:19:03 fetching corpus: 6680, signal 187754/197198 (executing program)
2025/11/14 08:19:03 fetching corpus: 6729, signal 188135/197198 (executing program)
2025/11/14 08:19:03 fetching corpus: 6779, signal 188448/197232 (executing program)
2025/11/14 08:19:03 fetching corpus: 6829, signal 188810/197232 (executing program)
2025/11/14 08:19:03 fetching corpus: 6878, signal 189197/197232 (executing program)
2025/11/14 08:19:03 fetching corpus: 6928, signal 189470/197232 (executing program)
2025/11/14 08:19:04 fetching corpus: 6978, signal 189782/197267 (executing program)
2025/11/14 08:19:04 fetching corpus: 7028, signal 190040/197282 (executing program)
2025/11/14 08:19:04 fetching corpus: 7078, signal 190426/197282 (executing program)
2025/11/14 08:19:04 fetching corpus: 7127, signal 190849/197283 (executing program)
2025/11/14 08:19:04 fetching corpus: 7177, signal 191222/197283 (executing program)
2025/11/14 08:19:04 fetching corpus: 7227, signal 191470/197287 (executing program)
2025/11/14 08:19:04 fetching corpus: 7277, signal 191712/197287 (executing program)
2025/11/14 08:19:04 fetching corpus: 7327, signal 192058/197287 (executing program)
2025/11/14 08:19:04 fetching corpus: 7376, signal 192288/197320 (executing program)
2025/11/14 08:19:04 fetching corpus: 7426, signal 192588/197320 (executing program)
2025/11/14 08:19:05 fetching corpus: 7476, signal 192804/197320 (executing program)
2025/11/14 08:19:05 fetching corpus: 7526, signal 193111/197320 (executing program)
2025/11/14 08:19:05 fetching corpus: 7576, signal 193491/197320 (executing program)
2025/11/14 08:19:05 fetching corpus: 7626, signal 193711/197320 (executing program)
2025/11/14 08:19:05 fetching corpus: 7676, signal 193973/197320 (executing program)
2025/11/14 08:19:05 fetching corpus: 7726, signal 194289/197320 (executing program)
2025/11/14 08:19:05 fetching corpus: 7776, signal 194479/197320 (executing program)
2025/11/14 08:19:05 fetching corpus: 7826, signal 194798/197320 (executing program)
2025/11/14 08:19:05 fetching corpus: 7876, signal 195127/197334 (executing program)
2025/11/14 08:19:06 fetching corpus: 7926, signal 195380/197335 (executing program)
2025/11/14 08:19:06 fetching corpus: 7976, signal 195666/197335 (executing program)
2025/11/14 08:19:06 fetching corpus: 8026, signal 195953/197335 (executing program)
2025/11/14 08:19:06 fetching corpus: 8076, signal 196168/197335 (executing program)
2025/11/14 08:19:06 fetching corpus: 8126, signal 196376/197337 (executing program)
2025/11/14 08:19:06 fetching corpus: 8134, signal 196449/197337 (executing program)
2025/11/14 08:19:06 fetching corpus: 8134, signal 196449/197337 (executing program)
2025/11/14 08:19:07 starting 8 fuzzer processes
08:19:07 executing program 0:
syz_mount_image$iso9660(0x0, &(0x7f0000000100)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0)
mount(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000180)='ramfs\x00', 0x0, 0x0)
r0 = syz_mount_image$tmpfs(&(0x7f0000000380), &(0x7f0000000140)='./file0\x00', 0x0, 0x0, 0x0, 0x2080030, &(0x7f0000000040)=ANY=[])
symlinkat(&(0x7f0000000040)='./file0/file0\x00', r0, &(0x7f0000000200)='./file0\x00')
link(&(0x7f0000000000)='./file0/file0\x00', &(0x7f0000000080)='./file0/file1\x00')
08:19:07 executing program 1:
r0 = openat$sr(0xffffffffffffff9c, &(0x7f0000000440), 0x141802, 0x0)
fcntl$setstatus(r0, 0x4, 0x40c00)
08:19:07 executing program 7:
r0 = socket$packet(0x11, 0x3, 0x300)
getpeername$packet(r0, 0x0, 0x0)
08:19:07 executing program 2:
perf_event_open(&(0x7f0000000000)={0x2, 0x80, 0x7b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = syz_open_dev$tty20(0xc, 0x4, 0x0)
ioctl$TIOCSTI(r0, 0x5412, &(0x7f0000000000)=0x1a)
08:19:07 executing program 3:
perf_event_open(&(0x7f0000000000)={0x2, 0x80, 0xea, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = syz_open_procfs(0x0, &(0x7f0000000000)='pagemap\x00')
read$rfkill(r0, &(0x7f0000000240), 0x80000)
08:19:07 executing program 4:
prctl$PR_SET_MM(0x23, 0xa, &(0x7f0000ff0000/0x1000)=nil)
prctl$PR_SET_MM(0x23, 0xb, &(0x7f0000ff8000/0x3000)=nil)
08:19:08 executing program 5:
syz_mount_image$iso9660(0x0, &(0x7f0000000100)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0)
mount(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000180)='ramfs\x00', 0x0, 0x0)
r0 = syz_mount_image$tmpfs(&(0x7f0000000380), &(0x7f0000000140)='./file0\x00', 0x0, 0x0, 0x0, 0x2080030, &(0x7f0000000040)=ANY=[])
symlinkat(&(0x7f0000000040)='./file0/file0\x00', r0, &(0x7f0000000200)='./file0\x00')
mknodat$loop(r0, &(0x7f0000000340)='./file0/file0\x00', 0x0, 0x0)
syz_mount_image$tmpfs(0x0, 0x0, 0x0, 0x1, &(0x7f00000023c0)=[{0x0, 0x0, 0x401}], 0x1260082, &(0x7f0000002400)={[{@uid={'uid', 0x3d, 0xee01}}, {@huge_within_size}, {@huge_advise}, {@huge_advise}], [{@euid_gt}, {@subj_user={'subj_user', 0x3d, 'tmpfs\x00'}}, {@euid_gt}, {@audit}, {@subj_user={'subj_user', 0x3d, '!\xf6'}}]})
readlink(&(0x7f00000001c0)='./file0/file0\x00', &(0x7f0000000240)=""/207, 0xcf)
[   87.618845] audit: type=1400 audit(1763108348.006:7): avc: denied { execmem } for pid=285 comm="syz-executor.1" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
08:19:08 executing program 6:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
ioctl$sock_inet_SIOCGARP(r0, 0x8953, &(0x7f0000000100)={{0x2, 0x0, @private}, {}, 0x2c, {0x2, 0x0, @empty}})
[   88.840673] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   88.841940] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   88.844503] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   88.845701] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   88.845715] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   88.848002] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   88.851211] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   88.852430] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   88.854274] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   88.855298] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   88.859059] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   88.862565] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   88.864247] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   88.865871] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   88.870084] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   88.882425] ==================================================================
[   88.883754] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x66d/0x6d0
[   88.884985] Read of size 2 at addr ffff8880166bab78 by task kworker/u11:1/304
[   88.887980] 
[   88.888957] CPU: 1 UID: 0 PID: 304 Comm: kworker/u11:1 Not tainted 6.18.0-rc5-next-20251114 #1 PREEMPT(voluntary) 
[   88.889007] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[   88.889032] Workqueue: hci1 hci_cmd_work
[   88.889081] Call Trace:
[   88.889093]  <TASK>
[   88.889107]  dump_stack_lvl+0xca/0x120
[   88.889155]  print_report+0xcb/0x610
[   88.889202]  ? __virt_addr_valid+0x100/0x5d0
[   88.889244]  ? hci_cmd_work+0x66d/0x6d0
[   88.889289]  ? hci_cmd_work+0x66d/0x6d0
[   88.889335]  kasan_report+0xca/0x100
[   88.889381]  ? hci_cmd_work+0x66d/0x6d0
[   88.889433]  hci_cmd_work+0x66d/0x6d0
[   88.889482]  process_one_work+0x8e1/0x19c0
[   88.889545]  ? __pfx_process_one_work+0x10/0x10
[   88.889597]  ? move_linked_works+0x172/0x270
[   88.889638]  ? assign_work+0x196/0x240
[   88.889689]  worker_thread+0x67e/0xe90
[   88.889741]  ? trace_irq_enable.constprop.0+0xc2/0x100
[   88.889785]  ? __pfx_worker_thread+0x10/0x10
[   88.889838]  kthread+0x3c8/0x740
[   88.889893]  ? __pfx_kthread+0x10/0x10
[   88.889938]  ? ret_from_fork+0x79/0x7a0
[   88.889972]  ? lock_release+0xc8/0x290
[   88.890019]  ? __pfx_kthread+0x10/0x10
[   88.890060]  ret_from_fork+0x67a/0x7a0
[   88.890088]  ? __pfx_ret_from_fork+0x10/0x10
[   88.890115]  ? __switch_to+0x759/0x1060
[   88.890158]  ? __pfx_kthread+0x10/0x10
[   88.890204]  ret_from_fork_asm+0x1a/0x30
[   88.890265]  </TASK>
[   88.890277] 
[   88.914075] Allocated by task 293:
[   88.914555]  kasan_save_stack+0x24/0x50
[   88.915102]  kasan_save_track+0x14/0x30
[   88.915639]  __kasan_slab_alloc+0x59/0x70
[   88.916198]  kmem_cache_alloc_node_noprof+0x228/0x6b0
[   88.916907]  __alloc_skb+0x2ab/0x370
[   88.917422]  hci_cmd_sync_alloc+0x34/0x300
[   88.918004]  __hci_cmd_sync_sk+0xf7/0x5c0
[   88.918566]  __hci_cmd_sync_status_sk+0x4d/0x1a0
[   88.919220]  hci_cmd_sync_status+0x4c/0x70
[   88.919799]  hci_dev_cmd+0x4d5/0x980
[   88.920311]  hci_sock_ioctl+0x493/0x810
[   88.920864]  sock_do_ioctl+0xd1/0x240
[   88.921381]  sock_ioctl+0x40d/0x630
[   88.921877]  __x64_sys_ioctl+0x18f/0x210
[   88.922429]  do_syscall_64+0xbf/0x430
[   88.922945]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   88.923631] 
[   88.923863] Freed by task 301:
[   88.924295]  kasan_save_stack+0x24/0x50
[   88.924841]  kasan_save_track+0x14/0x30
[   88.925378]  kasan_save_free_info+0x3a/0x60
[   88.925963]  __kasan_slab_free+0x43/0x70
[   88.926510]  kmem_cache_free+0x26f/0x500
[   88.927063]  kfree_skbmem+0x18a/0x1f0
[   88.927577]  sk_skb_reason_drop+0x10e/0x1b0
[   88.928153]  vhci_read+0x3d5/0x5d0
[   88.928650]  vfs_read+0x1eb/0xc70
[   88.929120]  ksys_read+0x121/0x240
[   88.929601]  do_syscall_64+0xbf/0x430
[   88.930118]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   88.930798] 
[   88.931033] The buggy address belongs to the object at ffff8880166bab40
[   88.931033]  which belongs to the cache skbuff_head_cache of size 232
[   88.932720] The buggy address is located 56 bytes inside of
[   88.932720]  freed 232-byte region [ffff8880166bab40, ffff8880166bac28)
[   88.934302] 
[   88.934534] The buggy address belongs to the physical page:
[   88.935283] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x166ba
[   88.936326] flags: 0x100000000000000(node=0|zone=1)
[   88.937004] page_type: f5(slab)
[   88.937450] raw: 0100000000000000 ffff8880096c78c0 dead000000000122 0000000000000000
[   88.938455] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[   88.939457] page dumped because: kasan: bad access detected
[   88.940186] 
[   88.940426] Memory state around the buggy address:
[   88.941063]  ffff8880166baa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   88.942013]  ffff8880166baa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[   88.942958] >ffff8880166bab00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   88.943898]                                                                 ^
[   88.944839]  ffff8880166bab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   88.945790]  ffff8880166bac00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   88.946726] ==================================================================
[   88.947843] Disabling lock debugging due to kernel taint
[   88.948801] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   88.952674] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   88.956967] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   88.958963] Bluetooth: hci5: unexpected cc 0x0c03 length: 249 > 1
[   88.959514] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   88.962478] Bluetooth: hci7: unexpected cc 0x0c03 length: 249 > 1
[   88.963154] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   88.963695] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   88.964348] Bluetooth: hci6: unexpected cc 0x0c03 length: 249 > 1
[   88.964952] Bluetooth: hci5: unexpected cc 0x1003 length: 249 > 9
[   88.965969] Bluetooth: hci5: unexpected cc 0x1001 length: 249 > 9
[   88.968100] Bluetooth: hci6: unexpected cc 0x1003 length: 249 > 9
[   88.969839] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   88.971073] Bluetooth: hci6: unexpected cc 0x1001 length: 249 > 9
[   88.972187] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   88.973592] Bluetooth: hci5: unexpected cc 0x0c23 length: 249 > 4
[   88.974573] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   88.975289] Bluetooth: hci6: unexpected cc 0x0c23 length: 249 > 4
[   88.976241] Bluetooth: hci5: unexpected cc 0x0c38 length: 249 > 2
[   88.979644] Bluetooth: hci6: unexpected cc 0x0c38 length: 249 > 2
[   88.980478] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   88.981114] Bluetooth: hci7: unexpected cc 0x1003 length: 249 > 9
[   88.982304] Bluetooth: hci7: unexpected cc 0x1001 length: 249 > 9
[   88.988410] Bluetooth: hci7: unexpected cc 0x0c23 length: 249 > 4
[   88.989542] Bluetooth: hci7: unexpected cc 0x0c38 length: 249 > 2
[   90.929993] Bluetooth: hci0: command tx timeout
[   90.930433] Bluetooth: hci2: command tx timeout
[   90.992956] Bluetooth: hci1: command tx timeout
[   90.993977] Bluetooth: hci3: command tx timeout
[   91.056969] Bluetooth: hci7: command tx timeout
[   91.057397] Bluetooth: hci5: command tx timeout
[   91.057771] Bluetooth: hci6: command tx timeout
[   91.058181] Bluetooth: hci4: command tx timeout
[   92.977057] Bluetooth: hci2: command tx timeout
[   92.977512] Bluetooth: hci0: command tx timeout
[   93.040997] Bluetooth: hci3: command tx timeout
[   93.041401] Bluetooth: hci1: command tx timeout
[   93.104993] Bluetooth: hci4: command tx timeout
[   93.105393] Bluetooth: hci6: command tx timeout
[   93.105766] Bluetooth: hci5: command tx timeout
[   93.106764] Bluetooth: hci7: command tx timeout
[   95.024986] Bluetooth: hci0: command tx timeout
[   95.025435] Bluetooth: hci2: command tx timeout
[   95.088998] Bluetooth: hci1: command tx timeout
[   95.089519] Bluetooth: hci3: command tx timeout
[   95.152969] Bluetooth: hci7: command tx timeout
[   95.153037] Bluetooth: hci5: command tx timeout
[   95.153365] Bluetooth: hci6: command tx timeout
[   95.153758] Bluetooth: hci4: command tx timeout
[   97.073024] Bluetooth: hci2: command tx timeout
[   97.073479] Bluetooth: hci0: command tx timeout
[   97.136957] Bluetooth: hci1: command tx timeout
[   97.139958] Bluetooth: hci3: command tx timeout
[   97.200950] Bluetooth: hci4: command tx timeout
[   97.201345] Bluetooth: hci6: command tx timeout
[   97.201715] Bluetooth: hci5: command tx timeout
[   97.202162] Bluetooth: hci7: command tx timeout
VM DIAGNOSIS:
08:19:09 Registers:
info registers vcpu 0
RAX=0000000000000000 RBX=0000000000100073 RCX=ffffffff819f0f3d RDX=ffff88801552b780
RSI=ffffffff819f0816 RDI=0000000000000001 RBP=840000001a17a025 RSP=ffff888016987588
R8 =0000000000000000 R9 =fffff940000d0bd0 R10=0000000000000000 R11=0000000000000001
R12=0000000000000020 R13=ffff88800be7d2a0 R14=ffffea0000685eb0 R15=ffff8880170f6900
RIP=ffffffff8175342b RFL=00000246 [---Z-P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 00000000 00000000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
DS =0000 0000000000000000 00000000 00000000
FS =0000 00007f9863ebe8c0 00000000 00000000
GS =0000 ffff8880e538f000 00000000 00000000
LDT=0000 fffffe7c00000000 00000000 00000000
TR =0040 fffffe0000003000 00004087 00008b00 DPL=0 TSS64-busy
GDT= fffffe0000001000 0000007f
IDT= fffffe0000000000 00000fff
CR0=80050033 CR2=00007fffe1192a80 CR3=000000000bbbc000 CR4=00350ef0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=79732f6563696c732e6d65747379732f XMM01=646d65747379732f6563696c732e6d65
XMM02=7379732f646d65747379732f62696c2f XMM03=006c6c696b66722d646d65747379732f
XMM04=2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f XMM05=0000560f8ae39ae00000560f8af30090
XMM06=0000560f8aee72400000560f8af2cdf0 XMM07=00000000000000000000000000000000
XMM08=69253d4449504e49414d0073253d5445 XMM09=00000000000000000000000000000000
XMM10=00000000000000000000000000000000 XMM11=00000000000000000000000000000000
XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000
XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000
info registers vcpu 1
RAX=0000000000000030 RBX=00000000000003f8 RCX=0000000000000000 RDX=00000000000003f8
RSI=ffffffff8293dd05 RDI=ffffffff889747c0 RBP=ffffffff88974780 RSP=ffff888019437618
R8 =0000000000000000 R9 =ffffed10013e6046 R10=0000000000000030 R11=000000003a555043
R12=0000000000000030 R13=0000000000000010 R14=ffffffff88974780 R15=ffffffff8293dcf0
RIP=ffffffff8293dd5d RFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 00000000 00000000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
DS =0000 0000000000000000 00000000 00000000
FS =0000 0000000000000000 00000000 00000000
GS =0000 ffff8880e548f000 00000000 00000000
LDT=0000 fffffe1600000000 00000000 00000000
TR =0040 fffffe000004a000 00004087 00008b00 DPL=0 TSS64-busy
GDT= fffffe0000048000 0000007f
IDT= fffffe0000000000 00000fff
CR0=80050033 CR2=00007f98643041c0 CR3=000000000d0d4000 CR4=00350ef0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=00000000000000000000000000000000 XMM01=00000000000000000000000000000000
XMM02=ffffffffffffffff00000000000000ff XMM03=696e656420737365636341002f737973
XMM04=00000003ffffffff000055d727283240 XMM05=000055d72728a770000055d727282ca0
XMM06=000055d7272cf9d00000000200000003 XMM07=00000000000000000000000000000000
XMM08=7269762f736563697665642f7379732f XMM09=00000000000000000000000000000000
XMM10=00000000002000000000000000200000 XMM11=00000000000000000000000000000000
XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000
XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000
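The KASAN report in this log carries everything needed for a first-pass triage without touching the kernel source: the faulting function and access width (hci_cmd_work, a 2-byte read), the slab object it hit (a 232-byte skbuff_head_cache object at ffff8880166bab40, so the read is at offset 56), the two stacks that bracket the object's lifetime (allocated under hci_sock_ioctl via hci_cmd_sync_alloc, freed under vhci_read via sk_skb_reason_drop), and the shadow-memory rows, where the byte covering the address is 0xfb. Below is an added example of how to pull those facts out mechanically and cross-check them against each other; it is example code written for this page, not part of syzkaller or the kernel. Its input is an abridged copy of the report above, embedded as a constructed sample, and the shadow-byte legend is the generic KASAN poison encoding (0xfa/0xfb freed slab object, 0xfc slab redzone, 0x01..0x07 partially accessible granule), assumed here from mm/kasan/kasan.h rather than taken from the log.

```python
import re

SHADOW_LEGEND = {  # generic KASAN poison values (assumed from mm/kasan/kasan.h)
    0xfa: "freed slab object (first granule, holds the free track)",
    0xfb: "freed slab object",
    0xfc: "slab redzone",
}
GRANULE = 8  # bytes of memory described by one shadow byte

# Constructed sample: the report from the log above, abridged to the lines the
# parser needs; console timestamps are kept so it runs on raw console output.
SAMPLE = """\
[   88.883754] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x66d/0x6d0
[   88.884985] Read of size 2 at addr ffff8880166bab78 by task kworker/u11:1/304
[   88.914075] Allocated by task 293:
[   88.914555]  kasan_save_stack+0x24/0x50
[   88.916907]  __alloc_skb+0x2ab/0x370
[   88.917422]  hci_cmd_sync_alloc+0x34/0x300
[   88.920311]  hci_sock_ioctl+0x493/0x810
[   88.923631]
[   88.923863] Freed by task 301:
[   88.924295]  kasan_save_stack+0x24/0x50
[   88.927063]  kfree_skbmem+0x18a/0x1f0
[   88.927577]  sk_skb_reason_drop+0x10e/0x1b0
[   88.928153]  vhci_read+0x3d5/0x5d0
[   88.930798]
[   88.931033] The buggy address belongs to the object at ffff8880166bab40
[   88.931033]  which belongs to the cache skbuff_head_cache of size 232
[   88.940426] Memory state around the buggy address:
[   88.942013]  ffff8880166baa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[   88.942958] >ffff8880166bab00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   88.944839]  ffff8880166bab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

def describe_shadow(b):
    if b == 0:
        return "fully accessible"
    if 1 <= b <= 7:
        return f"partially accessible (first {b} bytes)"
    return SHADOW_LEGEND.get(b, f"unknown poison 0x{b:02x}")

def _stack(lines, header):
    """Return (task id, [function names]) for an 'Allocated/Freed by task N:' block."""
    for i, ln in enumerate(lines):
        m = re.match(header + r" (\d+):$", ln.strip())
        if m:
            frames = []
            for frame in lines[i + 1:]:
                if not frame.strip():  # the block ends at the empty line
                    break
                frames.append(frame.strip().split("+")[0])
            return int(m.group(1)), frames
    raise ValueError(f"{header!r} block not found")

def _shadow_byte(lines, addr):
    # Index the row by address arithmetic; the '^' marker column is not reliable.
    row_re = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})$")
    for ln in lines:
        m = row_re.match(ln.strip())
        if m:
            base = int(m.group(1), 16)
            if base <= addr < base + 16 * GRANULE:  # a row covers 16 granules
                return int(m.group(2).split()[(addr - base) // GRANULE], 16)
    raise ValueError("address not covered by the memory-state dump")

def parse_kasan(text):
    lines = [re.sub(r"^\[\s*\d+\.\d+\]\s?", "", ln) for ln in text.splitlines()]
    body = "\n".join(lines)
    r = {}
    m = re.search(r"BUG: KASAN: (\S+) in (\w+)\+0x", body)
    r["bug"], r["func"] = m.group(1), m.group(2)
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", body)
    r["access"], r["size"] = m.group(1).lower(), int(m.group(2))
    r["addr"], r["task"] = int(m.group(3), 16), m.group(4)
    m = re.search(r"object at ([0-9a-f]+)\n.*the cache (\S+) of size (\d+)", body)
    r["obj"], r["cache"], r["obj_size"] = int(m.group(1), 16), m.group(2), int(m.group(3))
    r["offset"] = r["addr"] - r["obj"]
    r["alloc_task"], r["alloc_stack"] = _stack(lines, "Allocated by task")
    r["free_task"], r["free_stack"] = _stack(lines, "Freed by task")
    r["shadow"] = _shadow_byte(lines, r["addr"])
    return r

def consistency_problems(r):
    """Cross-check what the report claims against its own numbers."""
    p = []
    if not 0 <= r["offset"] < r["obj_size"]:
        p.append("access lies outside the reported object")
    if r["offset"] + r["size"] > r["obj_size"]:
        p.append("access runs past the end of the object")
    if r["bug"].endswith("use-after-free") and r["shadow"] not in (0xfa, 0xfb):
        p.append("shadow byte does not mark a freed slab object")
    return p

def summarize(text):
    r = parse_kasan(text)
    return (f"{r['bug']} in {r['func']}: {r['task']} {r['access']}s {r['size']} bytes at "
            f"offset {r['offset']} of a {r['obj_size']}-byte {r['cache']} object "
            f"(shadow 0x{r['shadow']:02x}: {describe_shadow(r['shadow'])}); allocated by "
            f"task {r['alloc_task']} under {r['alloc_stack'][-1]}, freed by task "
            f"{r['free_task']} under {r['free_stack'][-1]}")
```

`summarize(SAMPLE)` reproduces the report's own arithmetic: the access sits 56 bytes into the 232-byte region, exactly what the "located 56 bytes inside of freed 232-byte region" line says, and the shadow byte it lands on is 0xfb, so the object really was freed before hci_cmd_work read from it. The value of doing this by computation rather than by eye is that the granule index comes from the address, so the check still holds on logs where whitespace collapsing has moved the `^` marker, as it has in this one.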