last executing test programs: kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.191' (ED25519) to the list of known hosts.
[ 100.893101][ T5079] cgroup: Unknown subsys name 'net'
[ 101.085406][ T5079] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 101.891613][ T925] cfg80211: failed to load regulatory.db
[ 103.230034][ T5079] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 107.640257][ T5093] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 107.653644][ T5096] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 107.663098][ T5096] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 107.671667][ T5098] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 107.678977][ T5096] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 107.686667][ T5098] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 107.711470][ T5107] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 107.720739][ T5107] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 107.728764][ T5107] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 107.736535][ T5107] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 107.746668][ T5107] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 107.754519][ T5107] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 107.761830][ T5107] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 107.769630][ T5107] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 107.777267][ T5108] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 107.778242][ T5107] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 107.785982][ T5108] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 107.792405][ T5107] Bluetooth: hci5: unexpected cc 0x0c03 length: 249 > 1
[ 107.806509][ T5112] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 107.826272][ T5107] Bluetooth: hci5: unexpected cc 0x1003 length: 249 > 9
[ 107.833805][ T5112] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 107.836862][ T5109] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 107.842722][ T5108] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 107.856869][ T5108] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 107.864476][ T5108] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 107.865599][ T5109] Bluetooth: hci5: unexpected cc 0x1001 length: 249 > 9
[ 107.883564][ T5108] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 107.890772][ T5096] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 107.899799][ T4484] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 107.908932][ T4484] Bluetooth: hci5: unexpected cc 0x0c23 length: 249 > 4
[ 107.916679][ T5108] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 107.929484][ T53] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 107.939207][ T53] Bluetooth: hci5: unexpected cc 0x0c25 length: 249 > 3
[ 107.942377][ T5108] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 107.947467][ T53] Bluetooth: hci5: unexpected cc 0x0c38 length: 249 > 2
[ 107.954901][ T5108] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 107.968975][ T5090] ==================================================================
[ 107.977107][ T5090] BUG: KASAN: slab-use-after-free in skb_release_data+0x8dd/0x980
[ 107.984967][ T5090] Read of size 8 at addr ffff888023020c10 by task syz-executor/5090
[ 107.993013][ T5090]
[ 107.995363][ T5090] CPU: 0 PID: 5090 Comm: syz-executor Not tainted 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 108.005693][ T5090] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 108.015786][ T5090] Call Trace:
[ 108.019085][ T5090] <TASK>
[ 108.022034][ T5090] dump_stack_lvl+0x116/0x1f0
[ 108.026766][ T5090] print_report+0xc3/0x620
[ 108.031317][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 108.036991][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 108.042675][ T5090] ? __phys_addr+0xc6/0x150
[ 108.047226][ T5090] kasan_report+0xd9/0x110
[ 108.051686][ T5090] ? skb_release_data+0x8dd/0x980
[ 108.056762][ T5090] ? skb_release_data+0x8dd/0x980
[ 108.061832][ T5090] skb_release_data+0x8dd/0x980
[ 108.066734][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 108.072406][ T5090] ? rcu_is_watching+0x12/0xc0
[ 108.077222][ T5090] kfree_skb_reason+0x12b/0x210
[ 108.082131][ T5090] __hci_req_sync+0x61d/0x980
[ 108.086895][ T5090] ? __pfx___hci_req_sync+0x10/0x10
[ 108.092139][ T5090] ? __mutex_lock+0x1a6/0x9c0
[ 108.096858][ T5090] ? __pfx_autoremove_wake_function+0x10/0x10
[ 108.102971][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 108.108645][ T5090] ? hci_req_sync+0x3f/0xd0
[ 108.113205][ T5090] ? __pfx___might_resched+0x10/0x10
[ 108.118546][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 108.124222][ T5090] ? aa_get_newest_label+0x376/0x680
[ 108.129579][ T5090] hci_req_sync+0x97/0xd0
[ 108.133953][ T5090] ? __pfx_hci_scan_req+0x10/0x10
[ 108.139025][ T5090] hci_dev_cmd+0x634/0x960
[ 108.143499][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 108.149176][ T5090] ? __pfx_hci_dev_cmd+0x10/0x10
[ 108.154168][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 108.159842][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 108.165519][ T5090] ? security_capable+0x98/0xd0
[ 108.170429][ T5090] hci_sock_ioctl+0x4f3/0x880
[ 108.175144][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 108.180805][ T5090] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 108.186036][ T5090] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 108.192049][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 108.197715][ T5090] sock_do_ioctl+0x119/0x280
[ 108.202351][ T5090] ? __pfx_sock_do_ioctl+0x10/0x10
[ 108.207517][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 108.213181][ T5090] sock_ioctl+0x22e/0x6c0
[ 108.217554][ T5090] ? __pfx_sock_ioctl+0x10/0x10
[ 108.222449][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 108.228107][ T5090] ? __fget_files+0x256/0x400
[ 108.232831][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 108.238489][ T5090] ? __pfx_sock_ioctl+0x10/0x10
[ 108.243382][ T5090] __x64_sys_ioctl+0x196/0x220
[ 108.248191][ T5090] do_syscall_64+0xcd/0x250
[ 108.252737][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 108.258683][ T5090] RIP: 0033:0x7fdbe7f757db
[ 108.263120][ T5090] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 108.282755][ T5090] RSP: 002b:00007ffee3dec300 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 108.291194][ T5090] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdbe7f757db
[ 108.299210][ T5090] RDX: 00007ffee3dec378 RSI: 00000000400448dd RDI: 0000000000000003
[ 108.307197][ T5090] RBP: 0000555576eb34a8 R08: 0000000000000000 R09: 0000000000000000
[ 108.315186][ T5090] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000
[ 108.323172][ T5090] R13: 0000000000000000 R14: 0000000000000009 R15: 0000000000000009
[ 108.331199][ T5090] </TASK>
[ 108.334225][ T5090]
[ 108.336667][ T5090] Allocated by task 5102:
[ 108.341004][ T5090] kasan_save_stack+0x33/0x60
[ 108.345754][ T5090] kasan_save_track+0x14/0x30
[ 108.350463][ T5090] __kasan_slab_alloc+0x89/0x90
[ 108.355338][ T5090] kmem_cache_alloc_noprof+0x121/0x2f0
[ 108.360826][ T5090] skb_clone+0x190/0x3f0
[ 108.365101][ T5090] hci_cmd_work+0x66a/0x710
[ 108.369810][ T5090] process_one_work+0x9c8/0x1b40
[ 108.374783][ T5090] worker_thread+0x6c8/0xf30
[ 108.379542][ T5090] kthread+0x2c4/0x3a0
[ 108.383660][ T5090] ret_from_fork+0x48/0x80
[ 108.388121][ T5090] ret_from_fork_asm+0x1a/0x30
[ 108.392932][ T5090]
[ 108.395257][ T5090] Freed by task 5098:
[ 108.399243][ T5090] kasan_save_stack+0x33/0x60
[ 108.403938][ T5090] kasan_save_track+0x14/0x30
[ 108.408634][ T5090] kasan_save_free_info+0x3b/0x60
[ 108.413693][ T5090] poison_slab_object+0xf7/0x160
[ 108.418678][ T5090] __kasan_slab_free+0x32/0x50
[ 108.423461][ T5090] kmem_cache_free+0x12f/0x3a0
[ 108.428248][ T5090] kfree_skbmem+0x10e/0x200
[ 108.432796][ T5090] kfree_skb_reason+0x138/0x210
[ 108.437681][ T5090] hci_req_sync_complete+0x16c/0x270
[ 108.443020][ T5090] hci_event_packet+0x966/0x1170
[ 108.447983][ T5090] hci_rx_work+0x2c4/0x1610
[ 108.452519][ T5090] process_one_work+0x9c8/0x1b40
[ 108.457487][ T5090] worker_thread+0x6c8/0xf30
[ 108.462105][ T5090] kthread+0x2c4/0x3a0
[ 108.466214][ T5090] ret_from_fork+0x48/0x80
[ 108.470670][ T5090] ret_from_fork_asm+0x1a/0x30
[ 108.475472][ T5090]
[ 108.477800][ T5090] The buggy address belongs to the object at ffff888023020b40
[ 108.477800][ T5090] which belongs to the cache skbuff_head_cache of size 240
[ 108.492415][ T5090] The buggy address is located 208 bytes inside of
[ 108.492415][ T5090] freed 240-byte region [ffff888023020b40, ffff888023020c30)
[ 108.506231][ T5090]
[ 108.508557][ T5090] The buggy address belongs to the physical page:
[ 108.514966][ T5090] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23020
[ 108.523744][ T5090] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 108.530878][ T5090] page_type: 0xffffefff(slab)
[ 108.535574][ T5090] raw: 00fff00000000000 ffff888019299780 dead000000000122 0000000000000000
[ 108.544177][ T5090] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 108.552766][ T5090] page dumped because: kasan: bad access detected
[ 108.559183][ T5090] page_owner tracks the page as allocated
[ 108.564900][ T5090] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4529, tgid 4529 (klogd), ts 107964523750, free_ts 107893195422
[ 108.583781][ T5090] post_alloc_hook+0x2d1/0x350
[ 108.588586][ T5090] get_page_from_freelist+0x1353/0x2e50
[ 108.594172][ T5090] __alloc_pages_noprof+0x22b/0x2460
[ 108.599498][ T5090] alloc_slab_page+0x56/0x110
[ 108.604214][ T5090] new_slab+0x84/0x260
[ 108.608301][ T5090] ___slab_alloc+0xdac/0x1870
[ 108.612998][ T5090] __slab_alloc.constprop.0+0x56/0xb0
[ 108.618393][ T5090] kmem_cache_alloc_node_noprof+0xed/0x310
[ 108.624226][ T5090] __alloc_skb+0x2b1/0x380
[ 108.628684][ T5090] alloc_skb_with_frags+0xe4/0x710
[ 108.634001][ T5090] sock_alloc_send_pskb+0x7f1/0x980
[ 108.639217][ T5090] unix_dgram_sendmsg+0x4b8/0x1a60
[ 108.644391][ T5090] __sys_sendto+0x482/0x4e0
[ 108.648916][ T5090] __x64_sys_sendto+0xe0/0x1c0
[ 108.653788][ T5090] do_syscall_64+0xcd/0x250
[ 108.658328][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 108.664267][ T5090] page last free pid 5103 tgid 5103 stack trace:
[ 108.670605][ T5090] free_unref_page+0x64a/0xe40
[ 108.675405][ T5090] __put_partials+0x14c/0x170
[ 108.680101][ T5090] qlist_free_all+0x4e/0x140
[ 108.684732][ T5090] kasan_quarantine_reduce+0x192/0x1e0
[ 108.690232][ T5090] __kasan_slab_alloc+0x69/0x90
[ 108.695133][ T5090] kmalloc_trace_noprof+0x11e/0x300
[ 108.700442][ T5090] kernfs_fop_open+0x28b/0xdb0
[ 108.705245][ T5090] do_dentry_open+0x922/0x15f0
[ 108.710051][ T5090] vfs_open+0x82/0x3f0
[ 108.714146][ T5090] path_openat+0x21fc/0x2e50
[ 108.718780][ T5090] do_filp_open+0x1dc/0x430
[ 108.723330][ T5090] do_sys_openat2+0x17a/0x1e0
[ 108.728130][ T5090] __x64_sys_openat+0x175/0x210
[ 108.733013][ T5090] do_syscall_64+0xcd/0x250
[ 108.737552][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 108.743493][ T5090]
[ 108.745847][ T5090] Memory state around the buggy address:
[ 108.751495][ T5090] ffff888023020b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 108.759580][ T5090] ffff888023020b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 108.767658][ T5090] >ffff888023020c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 108.775724][ T5090] ^
[ 108.780337][ T5090] ffff888023020c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 108.788413][ T5090] ffff888023020d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 108.796479][ T5090] ==================================================================
[ 108.820844][ T5090] Disabling lock debugging due to kernel taint
[ 108.834878][ T5090] ==================================================================
[ 108.842966][ T5090] BUG: KASAN: slab-use-after-free in skb_release_data+0x857/0x980
[ 108.850815][ T5090] Read of size 4 at addr ffff888023020c0c by task syz-executor/5090
[ 108.858836][ T5090]
[ 108.861175][ T5090] CPU: 0 PID: 5090 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 108.872929][ T5090] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 108.883103][ T5090] Call Trace:
[ 108.886390][ T5090] <TASK>
[ 108.889329][ T5090] dump_stack_lvl+0x116/0x1f0
[ 108.894040][ T5090] print_report+0xc3/0x620
[ 108.898479][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 108.904136][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 108.909802][ T5090] ? __phys_addr+0xc6/0x150
[ 108.914335][ T5090] kasan_report+0xd9/0x110
[ 108.918780][ T5090] ? skb_release_data+0x857/0x980
[ 108.923847][ T5090] ? skb_release_data+0x857/0x980
[ 108.928904][ T5090] skb_release_data+0x857/0x980
[ 108.933783][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 108.939442][ T5090] ? rcu_is_watching+0x12/0xc0
[ 108.944239][ T5090] kfree_skb_reason+0x12b/0x210
[ 108.949124][ T5090] __hci_req_sync+0x61d/0x980
[ 108.953835][ T5090] ? __pfx___hci_req_sync+0x10/0x10
[ 108.959063][ T5090] ? __mutex_lock+0x1a6/0x9c0
[ 108.963769][ T5090] ? __pfx_autoremove_wake_function+0x10/0x10
[ 108.969866][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 108.975547][ T5090] ? hci_req_sync+0x3f/0xd0
[ 108.980104][ T5090] ? __pfx___might_resched+0x10/0x10
[ 108.985441][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 108.991103][ T5090] ? aa_get_newest_label+0x376/0x680
[ 108.996529][ T5090] hci_req_sync+0x97/0xd0
[ 109.000896][ T5090] ? __pfx_hci_scan_req+0x10/0x10
[ 109.005950][ T5090] hci_dev_cmd+0x634/0x960
[ 109.010402][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.016063][ T5090] ? __pfx_hci_dev_cmd+0x10/0x10
[ 109.021038][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.026693][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.032347][ T5090] ? security_capable+0x98/0xd0
[ 109.037246][ T5090] hci_sock_ioctl+0x4f3/0x880
[ 109.041951][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.047610][ T5090] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 109.052841][ T5090] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 109.058854][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.064519][ T5090] sock_do_ioctl+0x119/0x280
[ 109.069159][ T5090] ? __pfx_sock_do_ioctl+0x10/0x10
[ 109.074322][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.079982][ T5090] sock_ioctl+0x22e/0x6c0
[ 109.084352][ T5090] ? __pfx_sock_ioctl+0x10/0x10
[ 109.089274][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.095018][ T5090] ? __fget_files+0x256/0x400
[ 109.099742][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.105398][ T5090] ? __pfx_sock_ioctl+0x10/0x10
[ 109.110381][ T5090] __x64_sys_ioctl+0x196/0x220
[ 109.115183][ T5090] do_syscall_64+0xcd/0x250
[ 109.119725][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 109.125665][ T5090] RIP: 0033:0x7fdbe7f757db
[ 109.130093][ T5090] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 109.149722][ T5090] RSP: 002b:00007ffee3dec300 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 109.158174][ T5090] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdbe7f757db
[ 109.166163][ T5090] RDX: 00007ffee3dec378 RSI: 00000000400448dd RDI: 0000000000000003
[ 109.174152][ T5090] RBP: 0000555576eb34a8 R08: 0000000000000000 R09: 0000000000000000
[ 109.182140][ T5090] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000
[ 109.190153][ T5090] R13: 0000000000000000 R14: 0000000000000009 R15: 0000000000000009
[ 109.198591][ T5090] </TASK>
[ 109.201620][ T5090]
[ 109.203966][ T5090] Allocated by task 5102:
[ 109.208299][ T5090] kasan_save_stack+0x33/0x60
[ 109.212997][ T5090] kasan_save_track+0x14/0x30
[ 109.217689][ T5090] __kasan_slab_alloc+0x89/0x90
[ 109.222563][ T5090] kmem_cache_alloc_noprof+0x121/0x2f0
[ 109.228049][ T5090] skb_clone+0x190/0x3f0
[ 109.232312][ T5090] hci_cmd_work+0x66a/0x710
[ 109.236868][ T5090] process_one_work+0x9c8/0x1b40
[ 109.241837][ T5090] worker_thread+0x6c8/0xf30
[ 109.246542][ T5090] kthread+0x2c4/0x3a0
[ 109.250658][ T5090] ret_from_fork+0x48/0x80
[ 109.255195][ T5090] ret_from_fork_asm+0x1a/0x30
[ 109.259996][ T5090]
[ 109.262346][ T5090] Freed by task 5098:
[ 109.266434][ T5090] kasan_save_stack+0x33/0x60
[ 109.271133][ T5090] kasan_save_track+0x14/0x30
[ 109.275822][ T5090] kasan_save_free_info+0x3b/0x60
[ 109.280890][ T5090] poison_slab_object+0xf7/0x160
[ 109.285868][ T5090] __kasan_slab_free+0x32/0x50
[ 109.290651][ T5090] kmem_cache_free+0x12f/0x3a0
[ 109.295437][ T5090] kfree_skbmem+0x10e/0x200
[ 109.299981][ T5090] kfree_skb_reason+0x138/0x210
[ 109.304861][ T5090] hci_req_sync_complete+0x16c/0x270
[ 109.310171][ T5090] hci_event_packet+0x966/0x1170
[ 109.315672][ T5090] hci_rx_work+0x2c4/0x1610
[ 109.320202][ T5090] process_one_work+0x9c8/0x1b40
[ 109.325166][ T5090] worker_thread+0x6c8/0xf30
[ 109.329784][ T5090] kthread+0x2c4/0x3a0
[ 109.333887][ T5090] ret_from_fork+0x48/0x80
[ 109.338338][ T5090] ret_from_fork_asm+0x1a/0x30
[ 109.343137][ T5090]
[ 109.345461][ T5090] The buggy address belongs to the object at ffff888023020b40
[ 109.345461][ T5090] which belongs to the cache skbuff_head_cache of size 240
[ 109.360265][ T5090] The buggy address is located 204 bytes inside of
[ 109.360265][ T5090] freed 240-byte region [ffff888023020b40, ffff888023020c30)
[ 109.374085][ T5090]
[ 109.376414][ T5090] The buggy address belongs to the physical page:
[ 109.382827][ T5090] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23020
[ 109.391610][ T5090] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 109.398730][ T5090] page_type: 0xffffefff(slab)
[ 109.403450][ T5090] raw: 00fff00000000000 ffff888019299780 dead000000000122 0000000000000000
[ 109.412199][ T5090] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 109.420788][ T5090] page dumped because: kasan: bad access detected
[ 109.427201][ T5090] page_owner tracks the page as allocated
[ 109.432915][ T5090] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4529, tgid 4529 (klogd), ts 107964523750, free_ts 107893195422
[ 109.451816][ T5090] post_alloc_hook+0x2d1/0x350
[ 109.456616][ T5090] get_page_from_freelist+0x1353/0x2e50
[ 109.462371][ T5090] __alloc_pages_noprof+0x22b/0x2460
[ 109.467695][ T5090] alloc_slab_page+0x56/0x110
[ 109.472405][ T5090] new_slab+0x84/0x260
[ 109.476493][ T5090] ___slab_alloc+0xdac/0x1870
[ 109.481280][ T5090] __slab_alloc.constprop.0+0x56/0xb0
[ 109.486679][ T5090] kmem_cache_alloc_node_noprof+0xed/0x310
[ 109.492531][ T5090] __alloc_skb+0x2b1/0x380
[ 109.497005][ T5090] alloc_skb_with_frags+0xe4/0x710
[ 109.502151][ T5090] sock_alloc_send_pskb+0x7f1/0x980
[ 109.507384][ T5090] unix_dgram_sendmsg+0x4b8/0x1a60
[ 109.512536][ T5090] __sys_sendto+0x482/0x4e0
[ 109.517056][ T5090] __x64_sys_sendto+0xe0/0x1c0
[ 109.521848][ T5090] do_syscall_64+0xcd/0x250
[ 109.526387][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 109.532427][ T5090] page last free pid 5103 tgid 5103 stack trace:
[ 109.538758][ T5090] free_unref_page+0x64a/0xe40
[ 109.543575][ T5090] __put_partials+0x14c/0x170
[ 109.548268][ T5090] qlist_free_all+0x4e/0x140
[ 109.552913][ T5090] kasan_quarantine_reduce+0x192/0x1e0
[ 109.558414][ T5090] __kasan_slab_alloc+0x69/0x90
[ 109.563285][ T5090] kmalloc_trace_noprof+0x11e/0x300
[ 109.568506][ T5090] kernfs_fop_open+0x28b/0xdb0
[ 109.573303][ T5090] do_dentry_open+0x922/0x15f0
[ 109.578112][ T5090] vfs_open+0x82/0x3f0
[ 109.582205][ T5090] path_openat+0x21fc/0x2e50
[ 109.586848][ T5090] do_filp_open+0x1dc/0x430
[ 109.591397][ T5090] do_sys_openat2+0x17a/0x1e0
[ 109.596133][ T5090] __x64_sys_openat+0x175/0x210
[ 109.601014][ T5090] do_syscall_64+0xcd/0x250
[ 109.605552][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 109.611495][ T5090]
[ 109.613822][ T5090] Memory state around the buggy address:
[ 109.619455][ T5090] ffff888023020b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 109.627530][ T5090] ffff888023020b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 109.635610][ T5090] >ffff888023020c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 109.643679][ T5090] ^
[ 109.648010][ T5090] ffff888023020c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 109.656083][ T5090] ffff888023020d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 109.664153][ T5090] ==================================================================
[ 109.673134][ T5090] ==================================================================
[ 109.681216][ T5090] BUG: KASAN: slab-use-after-free in skb_free_head+0x1ae/0x1d0
[ 109.688785][ T5090] Read of size 8 at addr ffff888023020c10 by task syz-executor/5090
[ 109.696777][ T5090]
[ 109.699105][ T5090] CPU: 1 PID: 5090 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 109.710849][ T5090] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 109.720941][ T5090] Call Trace:
[ 109.724230][ T5090] <TASK>
[ 109.727170][ T5090] dump_stack_lvl+0x116/0x1f0
[ 109.731882][ T5090] print_report+0xc3/0x620
[ 109.736327][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.741983][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.747639][ T5090] ? __phys_addr+0xc6/0x150
[ 109.752167][ T5090] kasan_report+0xd9/0x110
[ 109.756614][ T5090] ? skb_free_head+0x1ae/0x1d0
[ 109.761413][ T5090] ? skb_free_head+0x1ae/0x1d0
[ 109.766206][ T5090] skb_free_head+0x1ae/0x1d0
[ 109.770819][ T5090] skb_release_data+0x75c/0x980
[ 109.775699][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.781356][ T5090] ? rcu_is_watching+0x12/0xc0
[ 109.786329][ T5090] kfree_skb_reason+0x12b/0x210
[ 109.791213][ T5090] __hci_req_sync+0x61d/0x980
[ 109.795922][ T5090] ? __pfx___hci_req_sync+0x10/0x10
[ 109.801145][ T5090] ? __mutex_lock+0x1a6/0x9c0
[ 109.805879][ T5090] ? __pfx_autoremove_wake_function+0x10/0x10
[ 109.811976][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.817631][ T5090] ? hci_req_sync+0x3f/0xd0
[ 109.822165][ T5090] ? __pfx___might_resched+0x10/0x10
[ 109.827486][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.833161][ T5090] ? aa_get_newest_label+0x376/0x680
[ 109.838498][ T5090] hci_req_sync+0x97/0xd0
[ 109.842880][ T5090] ? __pfx_hci_scan_req+0x10/0x10
[ 109.847936][ T5090] hci_dev_cmd+0x634/0x960
[ 109.852395][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.858054][ T5090] ? __pfx_hci_dev_cmd+0x10/0x10
[ 109.863049][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.868706][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.874364][ T5090] ? security_capable+0x98/0xd0
[ 109.879263][ T5090] hci_sock_ioctl+0x4f3/0x880
[ 109.883970][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.889631][ T5090] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 109.894883][ T5090] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 109.900931][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.906619][ T5090] sock_do_ioctl+0x119/0x280
[ 109.911254][ T5090] ? __pfx_sock_do_ioctl+0x10/0x10
[ 109.916416][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.922164][ T5090] sock_ioctl+0x22e/0x6c0
[ 109.926535][ T5090] ? __pfx_sock_ioctl+0x10/0x10
[ 109.931871][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.937529][ T5090] ? __fget_files+0x256/0x400
[ 109.942248][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.947910][ T5090] ? __pfx_sock_ioctl+0x10/0x10
[ 109.952806][ T5090] __x64_sys_ioctl+0x196/0x220
[ 109.957610][ T5090] do_syscall_64+0xcd/0x250
[ 109.962153][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 109.968207][ T5090] RIP: 0033:0x7fdbe7f757db
[ 109.973160][ T5090] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 109.992902][ T5090] RSP: 002b:00007ffee3dec300 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 110.001338][ T5090] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdbe7f757db
[ 110.009347][ T5090] RDX: 00007ffee3dec378 RSI: 00000000400448dd RDI: 0000000000000003
[ 110.017336][ T5090] RBP: 0000555576eb34a8 R08: 0000000000000000 R09: 0000000000000000
[ 110.025322][ T5090] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000
[ 110.033306][ T5090] R13: 0000000000000000 R14: 0000000000000009 R15: 0000000000000009
[ 110.041306][ T5090] </TASK>
[ 110.044329][ T5090]
[ 110.046655][ T5090] Allocated by task 5102:
[ 110.051014][ T5090] kasan_save_stack+0x33/0x60
[ 110.055734][ T5090] kasan_save_track+0x14/0x30
[ 110.060603][ T5090] __kasan_slab_alloc+0x89/0x90
[ 110.065499][ T5090] kmem_cache_alloc_noprof+0x121/0x2f0
[ 110.070982][ T5090] skb_clone+0x190/0x3f0
[ 110.075247][ T5090] hci_cmd_work+0x66a/0x710
[ 110.079789][ T5090] process_one_work+0x9c8/0x1b40
[ 110.084757][ T5090] worker_thread+0x6c8/0xf30
[ 110.089384][ T5090] kthread+0x2c4/0x3a0
[ 110.093512][ T5090] ret_from_fork+0x48/0x80
[ 110.097965][ T5090] ret_from_fork_asm+0x1a/0x30
[ 110.102769][ T5090]
[ 110.105098][ T5090] Freed by task 5098:
[ 110.109078][ T5090] kasan_save_stack+0x33/0x60
[ 110.113768][ T5090] kasan_save_track+0x14/0x30
[ 110.118462][ T5090] kasan_save_free_info+0x3b/0x60
[ 110.123517][ T5090] poison_slab_object+0xf7/0x160
[ 110.128504][ T5090] __kasan_slab_free+0x32/0x50
[ 110.133289][ T5090] kmem_cache_free+0x12f/0x3a0
[ 110.138072][ T5090] kfree_skbmem+0x10e/0x200
[ 110.142703][ T5090] kfree_skb_reason+0x138/0x210
[ 110.147584][ T5090] hci_req_sync_complete+0x16c/0x270
[ 110.152898][ T5090] hci_event_packet+0x966/0x1170
[ 110.157889][ T5090] hci_rx_work+0x2c4/0x1610
[ 110.162421][ T5090] process_one_work+0x9c8/0x1b40
[ 110.167387][ T5090] worker_thread+0x6c8/0xf30
[ 110.172004][ T5090] kthread+0x2c4/0x3a0
[ 110.176111][ T5090] ret_from_fork+0x48/0x80
[ 110.180562][ T5090] ret_from_fork_asm+0x1a/0x30
[ 110.185365][ T5090]
[ 110.187688][ T5090] The buggy address belongs to the object at ffff888023020b40
[ 110.187688][ T5090] which belongs to the cache skbuff_head_cache of size 240
[ 110.202389][ T5090] The buggy address is located 208 bytes inside of
[ 110.202389][ T5090] freed 240-byte region [ffff888023020b40, ffff888023020c30)
[ 110.216293][ T5090]
[ 110.218630][ T5090] The buggy address belongs to the physical page:
[ 110.225037][ T5090] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23020
[ 110.233836][ T5090] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 110.240955][ T5090] page_type: 0xffffefff(slab)
[ 110.245647][ T5090] raw: 00fff00000000000 ffff888019299780 dead000000000122 0000000000000000
[ 110.254250][ T5090] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 110.262843][ T5090] page dumped because: kasan: bad access detected
[ 110.269345][ T5090] page_owner tracks the page as allocated
[ 110.275060][ T5090] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4529, tgid 4529 (klogd), ts 107964523750, free_ts 107893195422
[ 110.293937][ T5090] post_alloc_hook+0x2d1/0x350
[ 110.298752][ T5090] get_page_from_freelist+0x1353/0x2e50
[ 110.304338][ T5090] __alloc_pages_noprof+0x22b/0x2460
[ 110.309663][ T5090] alloc_slab_page+0x56/0x110
[ 110.314393][ T5090] new_slab+0x84/0x260
[ 110.318481][ T5090] ___slab_alloc+0xdac/0x1870
[ 110.323183][ T5090] __slab_alloc.constprop.0+0x56/0xb0
[ 110.328582][ T5090] kmem_cache_alloc_node_noprof+0xed/0x310
[ 110.334411][ T5090] __alloc_skb+0x2b1/0x380
[ 110.338868][ T5090] alloc_skb_with_frags+0xe4/0x710
[ 110.344008][ T5090] sock_alloc_send_pskb+0x7f1/0x980
[ 110.349247][ T5090] unix_dgram_sendmsg+0x4b8/0x1a60
[ 110.354387][ T5090] __sys_sendto+0x482/0x4e0
[ 110.358904][ T5090] __x64_sys_sendto+0xe0/0x1c0
[ 110.363683][ T5090] do_syscall_64+0xcd/0x250
[ 110.368217][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 110.374150][ T5090] page last free pid 5103 tgid 5103 stack trace:
[ 110.380480][ T5090] free_unref_page+0x64a/0xe40
[ 110.385280][ T5090] __put_partials+0x14c/0x170
[ 110.389972][ T5090] qlist_free_all+0x4e/0x140
[ 110.394598][ T5090] kasan_quarantine_reduce+0x192/0x1e0
[ 110.400096][ T5090] __kasan_slab_alloc+0x69/0x90
[ 110.404961][ T5090] kmalloc_trace_noprof+0x11e/0x300
[ 110.410180][ T5090] kernfs_fop_open+0x28b/0xdb0
[ 110.414978][ T5090] do_dentry_open+0x922/0x15f0
[ 110.419789][ T5090] vfs_open+0x82/0x3f0
[ 110.423887][ T5090] path_openat+0x21fc/0x2e50
[ 110.428517][ T5090] do_filp_open+0x1dc/0x430
[ 110.433065][ T5090] do_sys_openat2+0x17a/0x1e0
[ 110.437766][ T5090] __x64_sys_openat+0x175/0x210
[ 110.442656][ T5090] do_syscall_64+0xcd/0x250
[ 110.447196][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 110.453217][ T5090]
[ 110.455591][ T5090] Memory state around the buggy address:
[ 110.461225][ T5090] ffff888023020b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 110.469298][ T5090] ffff888023020b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 110.477371][ T5090] >ffff888023020c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 110.485437][ T5090] ^
[ 110.490114][ T5090] ffff888023020c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 110.498186][ T5090] ffff888023020d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 110.506341][ T5090] ==================================================================
[ 110.514662][ T5093] Bluetooth: hci1: command tx timeout
[ 110.522396][ T5093] Bluetooth: hci3: command tx timeout
[ 110.527974][ T5093] Bluetooth: hci2: command tx timeout
[ 110.533666][ T5090] ==================================================================
[ 110.541739][ T5090] BUG: KASAN: slab-use-after-free in skb_free_head+0x19a/0x1d0
[ 110.549322][ T5090] Read of size 1 at addr ffff888023020bbe by task syz-executor/5090
[ 110.557320][ T5090]
[ 110.559652][ T5090] CPU: 1 PID: 5090 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 110.571395][ T5090] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 110.581817][ T5090] Call Trace:
[ 110.585113][ T5090] <TASK>
[ 110.588060][ T5090] dump_stack_lvl+0x116/0x1f0
[ 110.592782][ T5090] print_report+0xc3/0x620
[ 110.597236][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.602906][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.608588][ T5090] ? __phys_addr+0xc6/0x150
[ 110.613126][ T5090] kasan_report+0xd9/0x110
[ 110.617578][ T5090] ? skb_free_head+0x19a/0x1d0
[ 110.622464][ T5090] ? skb_free_head+0x19a/0x1d0
[ 110.627267][ T5090] skb_free_head+0x19a/0x1d0
[ 110.631895][ T5090] skb_release_data+0x75c/0x980
[ 110.636958][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.642628][ T5090] ? rcu_is_watching+0x12/0xc0
[ 110.647442][ T5090] kfree_skb_reason+0x12b/0x210
[ 110.652341][ T5090] __hci_req_sync+0x61d/0x980
[ 110.657062][ T5090] ? __pfx___hci_req_sync+0x10/0x10
[ 110.662301][ T5090] ? __mutex_lock+0x1a6/0x9c0
[ 110.667024][ T5090] ? __pfx_autoremove_wake_function+0x10/0x10
[ 110.673133][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.678811][ T5090] ? hci_req_sync+0x3f/0xd0
[ 110.683360][ T5090] ? __pfx___might_resched+0x10/0x10
[ 110.688695][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.694368][ T5090] ? aa_get_newest_label+0x376/0x680
[ 110.700071][ T5090] hci_req_sync+0x97/0xd0
[ 110.704613][ T5090] ? __pfx_hci_scan_req+0x10/0x10
[ 110.709684][ T5090] hci_dev_cmd+0x634/0x960
[ 110.714238][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.719908][ T5090] ? __pfx_hci_dev_cmd+0x10/0x10
[ 110.724897][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.730571][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.736239][ T5090] ? security_capable+0x98/0xd0
[ 110.741156][ T5090] hci_sock_ioctl+0x4f3/0x880
[ 110.745877][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.751547][ T5090] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 110.756787][ T5090] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 110.762823][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.768497][ T5090] sock_do_ioctl+0x119/0x280
[ 110.773229][ T5090] ? __pfx_sock_do_ioctl+0x10/0x10
[ 110.778405][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.784081][ T5090] sock_ioctl+0x22e/0x6c0
[ 110.788468][ T5090] ? __pfx_sock_ioctl+0x10/0x10
[ 110.793378][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.799049][ T5090] ? __fget_files+0x256/0x400
[ 110.803783][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.809458][ T5090] ? __pfx_sock_ioctl+0x10/0x10
[ 110.814369][ T5090] __x64_sys_ioctl+0x196/0x220
[ 110.819185][ T5090] do_syscall_64+0xcd/0x250
[ 110.823740][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 110.830224][ T5090] RIP: 0033:0x7fdbe7f757db
[ 110.835273][ T5090] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 110.854917][ T5090] RSP: 002b:00007ffee3dec300 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 110.863440][ T5090] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdbe7f757db
[ 110.871427][ T5090] RDX: 00007ffee3dec378 RSI: 00000000400448dd RDI: 0000000000000003
[ 110.879424][ T5090] RBP: 0000555576eb34a8 R08: 0000000000000000 R09: 0000000000000000
[ 110.887410][ T5090] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000
[ 110.895400][ T5090] R13: 0000000000000000 R14: 0000000000000009 R15: 0000000000000009
[ 110.903398][ T5090] </TASK>
[ 110.906422][ T5090]
[ 110.908745][ T5090] Allocated by task 5102:
[ 110.913080][ T5090] kasan_save_stack+0x33/0x60
[ 110.917778][ T5090] kasan_save_track+0x14/0x30
[ 110.922742][ T5090] __kasan_slab_alloc+0x89/0x90
[ 110.927610][ T5090] kmem_cache_alloc_noprof+0x121/0x2f0
[ 110.933091][ T5090] skb_clone+0x190/0x3f0
[ 110.937369][ T5090] hci_cmd_work+0x66a/0x710
[ 110.941898][ T5090] process_one_work+0x9c8/0x1b40
[ 110.946862][ T5090] worker_thread+0x6c8/0xf30
[ 110.951489][ T5090] kthread+0x2c4/0x3a0
[ 110.955593][ T5090] ret_from_fork+0x48/0x80
[ 110.960050][ T5090] ret_from_fork_asm+0x1a/0x30
[ 110.964855][ T5090]
[ 110.967178][ T5090] Freed by task 5098:
[ 110.971159][ T5090] kasan_save_stack+0x33/0x60
[ 110.975878][ T5090] kasan_save_track+0x14/0x30
[ 110.980594][ T5090] kasan_save_free_info+0x3b/0x60
[ 110.985653][ T5090] poison_slab_object+0xf7/0x160
[ 110.990631][ T5090] __kasan_slab_free+0x32/0x50 [ 110.995759][ T5090] kmem_cache_free+0x12f/0x3a0 [ 111.000544][ T5090] kfree_skbmem+0x10e/0x200 [ 111.005090][ T5090] kfree_skb_reason+0x138/0x210 [ 111.009967][ T5090] hci_req_sync_complete+0x16c/0x270 [ 111.015274][ T5090] hci_event_packet+0x966/0x1170 [ 111.020232][ T5090] hci_rx_work+0x2c4/0x1610 [ 111.024763][ T5090] process_one_work+0x9c8/0x1b40 [ 111.029740][ T5090] worker_thread+0x6c8/0xf30 [ 111.034362][ T5090] kthread+0x2c4/0x3a0 [ 111.038467][ T5090] ret_from_fork+0x48/0x80 [ 111.042920][ T5090] ret_from_fork_asm+0x1a/0x30 [ 111.047815][ T5090] [ 111.050228][ T5090] The buggy address belongs to the object at ffff888023020b40 [ 111.050228][ T5090] which belongs to the cache skbuff_head_cache of size 240 [ 111.065425][ T5090] The buggy address is located 126 bytes inside of [ 111.065425][ T5090] freed 240-byte region [ffff888023020b40, ffff888023020c30) [ 111.079241][ T5090] [ 111.081565][ T5090] The buggy address belongs to the physical page: [ 111.087974][ T5090] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23020 [ 111.096768][ T5090] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 111.103894][ T5090] page_type: 0xffffefff(slab) [ 111.108589][ T5090] raw: 00fff00000000000 ffff888019299780 dead000000000122 0000000000000000 [ 111.117192][ T5090] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000 [ 111.125777][ T5090] page dumped because: kasan: bad access detected [ 111.132194][ T5090] page_owner tracks the page as allocated [ 111.137906][ T5090] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4529, tgid 4529 (klogd), ts 107964523750, free_ts 107893195422 [ 111.156783][ T5090] post_alloc_hook+0x2d1/0x350 [ 111.161670][ T5090] get_page_from_freelist+0x1353/0x2e50 [ 111.167251][ T5090] __alloc_pages_noprof+0x22b/0x2460 [ 111.172572][ T5090] alloc_slab_page+0x56/0x110 [ 
111.177284][ T5090] new_slab+0x84/0x260 [ 111.181372][ T5090] ___slab_alloc+0xdac/0x1870 [ 111.186065][ T5090] __slab_alloc.constprop.0+0x56/0xb0 [ 111.191467][ T5090] kmem_cache_alloc_node_noprof+0xed/0x310 [ 111.197297][ T5090] __alloc_skb+0x2b1/0x380 [ 111.201755][ T5090] alloc_skb_with_frags+0xe4/0x710 [ 111.206906][ T5090] sock_alloc_send_pskb+0x7f1/0x980 [ 111.212120][ T5090] unix_dgram_sendmsg+0x4b8/0x1a60 [ 111.217274][ T5090] __sys_sendto+0x482/0x4e0 [ 111.221791][ T5090] __x64_sys_sendto+0xe0/0x1c0 [ 111.226583][ T5090] do_syscall_64+0xcd/0x250 [ 111.231118][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 111.237051][ T5090] page last free pid 5103 tgid 5103 stack trace: [ 111.243393][ T5090] free_unref_page+0x64a/0xe40 [ 111.248191][ T5090] __put_partials+0x14c/0x170 [ 111.253424][ T5090] qlist_free_all+0x4e/0x140 [ 111.258051][ T5090] kasan_quarantine_reduce+0x192/0x1e0 [ 111.263552][ T5090] __kasan_slab_alloc+0x69/0x90 [ 111.268509][ T5090] kmalloc_trace_noprof+0x11e/0x300 [ 111.273829][ T5090] kernfs_fop_open+0x28b/0xdb0 [ 111.278634][ T5090] do_dentry_open+0x922/0x15f0 [ 111.283439][ T5090] vfs_open+0x82/0x3f0 [ 111.287531][ T5090] path_openat+0x21fc/0x2e50 [ 111.292160][ T5090] do_filp_open+0x1dc/0x430 [ 111.296705][ T5090] do_sys_openat2+0x17a/0x1e0 [ 111.301408][ T5090] __x64_sys_openat+0x175/0x210 [ 111.306372][ T5090] do_syscall_64+0xcd/0x250 [ 111.310905][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 111.316924][ T5090] [ 111.319259][ T5090] Memory state around the buggy address: [ 111.325154][ T5090] ffff888023020a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 111.333837][ T5090] ffff888023020b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 111.341910][ T5090] >ffff888023020b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 111.349986][ T5090] ^ [ 111.355882][ T5090] ffff888023020c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 111.363956][ T5090] ffff888023020c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 
[ 111.372025][ T5090] ================================================================== [ 111.380203][ T5108] Bluetooth: hci5: command tx timeout [ 111.385768][ T5108] Bluetooth: hci4: command tx timeout [ 111.484322][ T5090] ================================================================== [ 111.492433][ T5090] BUG: KASAN: slab-use-after-free in skb_free_head+0x1a4/0x1d0 [ 111.500016][ T5090] Read of size 4 at addr ffff888023020c0c by task syz-executor/5090 [ 111.508022][ T5090] [ 111.510621][ T5090] CPU: 1 PID: 5090 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 111.522370][ T5090] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 111.532445][ T5090] Call Trace: [ 111.535742][ T5090] <TASK> [ 111.538691][ T5090] dump_stack_lvl+0x116/0x1f0 [ 111.543413][ T5090] print_report+0xc3/0x620 [ 111.547846][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.553510][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.559180][ T5090] ? __phys_addr+0xc6/0x150 [ 111.563722][ T5090] kasan_report+0xd9/0x110 [ 111.568182][ T5090] ? skb_free_head+0x1a4/0x1d0 [ 111.572983][ T5090] ? skb_free_head+0x1a4/0x1d0 [ 111.577785][ T5090] skb_free_head+0x1a4/0x1d0 [ 111.582415][ T5090] skb_release_data+0x75c/0x980 [ 111.587305][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.593062][ T5090] ? rcu_is_watching+0x12/0xc0 [ 111.597894][ T5090] kfree_skb_reason+0x12b/0x210 [ 111.602804][ T5090] __hci_req_sync+0x61d/0x980 [ 111.607700][ T5090] ? __pfx___hci_req_sync+0x10/0x10 [ 111.612936][ T5090] ? __mutex_lock+0x1a6/0x9c0 [ 111.617657][ T5090] ? __pfx_autoremove_wake_function+0x10/0x10 [ 111.623875][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.629543][ T5090] ? hci_req_sync+0x3f/0xd0 [ 111.634090][ T5090] ? __pfx___might_resched+0x10/0x10 [ 111.639426][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.645182][ T5090] ? 
aa_get_newest_label+0x376/0x680 [ 111.650619][ T5090] hci_req_sync+0x97/0xd0 [ 111.654988][ T5090] ? __pfx_hci_scan_req+0x10/0x10 [ 111.660060][ T5090] hci_dev_cmd+0x634/0x960 [ 111.664524][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.670202][ T5090] ? __pfx_hci_dev_cmd+0x10/0x10 [ 111.675190][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.680862][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.686532][ T5090] ? security_capable+0x98/0xd0 [ 111.691446][ T5090] hci_sock_ioctl+0x4f3/0x880 [ 111.696182][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.701853][ T5090] ? __pfx_hci_sock_ioctl+0x10/0x10 [ 111.707099][ T5090] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 111.713124][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.718805][ T5090] sock_do_ioctl+0x119/0x280 [ 111.723451][ T5090] ? __pfx_sock_do_ioctl+0x10/0x10 [ 111.728626][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.734320][ T5090] sock_ioctl+0x22e/0x6c0 [ 111.738709][ T5090] ? __pfx_sock_ioctl+0x10/0x10 [ 111.743625][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.749294][ T5090] ? __fget_files+0x256/0x400 [ 111.754028][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.759700][ T5090] ? 
__pfx_sock_ioctl+0x10/0x10 [ 111.764691][ T5090] __x64_sys_ioctl+0x196/0x220 [ 111.769507][ T5090] do_syscall_64+0xcd/0x250 [ 111.774063][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 111.780015][ T5090] RIP: 0033:0x7fdbe7f757db [ 111.784453][ T5090] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 111.804094][ T5090] RSP: 002b:00007ffee3dec300 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 111.812543][ T5090] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdbe7f757db [ 111.820542][ T5090] RDX: 00007ffee3dec378 RSI: 00000000400448dd RDI: 0000000000000003 [ 111.828543][ T5090] RBP: 0000555576eb34a8 R08: 0000000000000000 R09: 0000000000000000 [ 111.836538][ T5090] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000 [ 111.844533][ T5090] R13: 0000000000000000 R14: 0000000000000009 R15: 0000000000000009 [ 111.852621][ T5090] </TASK> [ 111.855649][ T5090] [ 111.857963][ T5090] Allocated by task 5102: [ 111.862291][ T5090] kasan_save_stack+0x33/0x60 [ 111.866997][ T5090] kasan_save_track+0x14/0x30 [ 111.871698][ T5090] __kasan_slab_alloc+0x89/0x90 [ 111.876580][ T5090] kmem_cache_alloc_noprof+0x121/0x2f0 [ 111.882077][ T5090] skb_clone+0x190/0x3f0 [ 111.886353][ T5090] hci_cmd_work+0x66a/0x710 [ 111.890897][ T5090] process_one_work+0x9c8/0x1b40 [ 111.895873][ T5090] worker_thread+0x6c8/0xf30 [ 111.900502][ T5090] kthread+0x2c4/0x3a0 [ 111.904622][ T5090] ret_from_fork+0x48/0x80 [ 111.909090][ T5090] ret_from_fork_asm+0x1a/0x30 [ 111.913903][ T5090] [ 111.916233][ T5090] Freed by task 5098: [ 111.920312][ T5090] kasan_save_stack+0x33/0x60 [ 111.925009][ T5090] kasan_save_track+0x14/0x30 [ 111.929702][ T5090] kasan_save_free_info+0x3b/0x60 [ 111.934750][ T5090] poison_slab_object+0xf7/0x160 [ 111.939750][ T5090] __kasan_slab_free+0x32/0x50 [ 111.944546][ T5090] kmem_cache_free+0x12f/0x3a0 [ 
111.949341][ T5090] kfree_skbmem+0x10e/0x200 [ 111.953897][ T5090] kfree_skb_reason+0x138/0x210 [ 111.958869][ T5090] hci_req_sync_complete+0x16c/0x270 [ 111.964191][ T5090] hci_event_packet+0x966/0x1170 [ 111.969161][ T5090] hci_rx_work+0x2c4/0x1610 [ 111.973703][ T5090] process_one_work+0x9c8/0x1b40 [ 111.978685][ T5090] worker_thread+0x6c8/0xf30 [ 111.983319][ T5090] kthread+0x2c4/0x3a0 [ 111.987438][ T5090] ret_from_fork+0x48/0x80 [ 111.991919][ T5090] ret_from_fork_asm+0x1a/0x30 [ 111.996747][ T5090] [ 111.999082][ T5090] The buggy address belongs to the object at ffff888023020b40 [ 111.999082][ T5090] which belongs to the cache skbuff_head_cache of size 240 [ 112.013682][ T5090] The buggy address is located 204 bytes inside of [ 112.013682][ T5090] freed 240-byte region [ffff888023020b40, ffff888023020c30) [ 112.027770][ T5090] [ 112.030102][ T5090] The buggy address belongs to the physical page: [ 112.036519][ T5090] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23020 [ 112.045825][ T5090] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 112.052972][ T5090] page_type: 0xffffefff(slab) [ 112.057683][ T5090] raw: 00fff00000000000 ffff888019299780 dead000000000122 0000000000000000 [ 112.066298][ T5090] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000 [ 112.070783][ T5101] chnl_net:caif_netlink_parms(): no params data found [ 112.074877][ T5090] page dumped because: kasan: bad access detected [ 112.074895][ T5090] page_owner tracks the page as allocated [ 112.074907][ T5090] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4529, tgid 4529 (klogd), ts 107964523750, free_ts 107893195422 [ 112.112636][ T5090] post_alloc_hook+0x2d1/0x350 [ 112.117452][ T5090] get_page_from_freelist+0x1353/0x2e50 [ 112.123098][ T5090] __alloc_pages_noprof+0x22b/0x2460 [ 112.128438][ T5090] alloc_slab_page+0x56/0x110 [ 112.133166][ T5090] 
new_slab+0x84/0x260 [ 112.137271][ T5090] ___slab_alloc+0xdac/0x1870 [ 112.141977][ T5090] __slab_alloc.constprop.0+0x56/0xb0 [ 112.147382][ T5090] kmem_cache_alloc_node_noprof+0xed/0x310 [ 112.153225][ T5090] __alloc_skb+0x2b1/0x380 [ 112.157697][ T5090] alloc_skb_with_frags+0xe4/0x710 [ 112.162853][ T5090] sock_alloc_send_pskb+0x7f1/0x980 [ 112.168080][ T5090] unix_dgram_sendmsg+0x4b8/0x1a60 [ 112.173235][ T5090] __sys_sendto+0x482/0x4e0 [ 112.177771][ T5090] __x64_sys_sendto+0xe0/0x1c0 [ 112.182570][ T5090] do_syscall_64+0xcd/0x250 [ 112.187119][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 112.193064][ T5090] page last free pid 5103 tgid 5103 stack trace: [ 112.199404][ T5090] free_unref_page+0x64a/0xe40 [ 112.204215][ T5090] __put_partials+0x14c/0x170 [ 112.208918][ T5090] qlist_free_all+0x4e/0x140 [ 112.213562][ T5090] kasan_quarantine_reduce+0x192/0x1e0 [ 112.219074][ T5090] __kasan_slab_alloc+0x69/0x90 [ 112.223957][ T5090] kmalloc_trace_noprof+0x11e/0x300 [ 112.229187][ T5090] kernfs_fop_open+0x28b/0xdb0 [ 112.233999][ T5090] do_dentry_open+0x922/0x15f0 [ 112.238823][ T5090] vfs_open+0x82/0x3f0 [ 112.242935][ T5090] path_openat+0x21fc/0x2e50 [ 112.247580][ T5090] do_filp_open+0x1dc/0x430 [ 112.252138][ T5090] do_sys_openat2+0x17a/0x1e0 [ 112.256857][ T5090] __x64_sys_openat+0x175/0x210 [ 112.261750][ T5090] do_syscall_64+0xcd/0x250 [ 112.266308][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 112.272271][ T5090] [ 112.274617][ T5090] Memory state around the buggy address: [ 112.280261][ T5090] ffff888023020b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 112.288867][ T5090] ffff888023020b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 112.296951][ T5090] >ffff888023020c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 112.305208][ T5090] ^ [ 112.309550][ T5090] ffff888023020c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 112.317638][ T5090] ffff888023020d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 112.325721][ 
T5090] ================================================================== [ 112.342922][ T5090] ================================================================== [ 112.351091][ T5090] BUG: KASAN: slab-use-after-free in skb_release_data+0x83d/0x980 [ 112.354764][ T5091] chnl_net:caif_netlink_parms(): no params data found [ 112.358916][ T5090] Write of size 1 at addr ffff888023020bbe by task syz-executor/5090 [ 112.358951][ T5090] [ 112.358962][ T5090] CPU: 1 PID: 5090 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 112.359009][ T5090] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 112.384999][ T5100] chnl_net:caif_netlink_parms(): no params data found [ 112.387841][ T5090] Call Trace: [ 112.387857][ T5090] <TASK> [ 112.387873][ T5090] dump_stack_lvl+0x116/0x1f0 [ 112.387926][ T5090] print_report+0xc3/0x620 [ 112.420060][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.425736][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.431420][ T5090] ? __phys_addr+0xc6/0x150 [ 112.436077][ T5090] kasan_report+0xd9/0x110 [ 112.440532][ T5090] ? skb_release_data+0x83d/0x980 [ 112.445604][ T5090] ? skb_release_data+0x83d/0x980 [ 112.450673][ T5090] skb_release_data+0x83d/0x980 [ 112.455572][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.461242][ T5090] ? rcu_is_watching+0x12/0xc0 [ 112.466053][ T5090] kfree_skb_reason+0x12b/0x210 [ 112.470958][ T5090] __hci_req_sync+0x61d/0x980 [ 112.475853][ T5090] ? __pfx___hci_req_sync+0x10/0x10 [ 112.481086][ T5090] ? __mutex_lock+0x1a6/0x9c0 [ 112.485805][ T5090] ? __pfx_autoremove_wake_function+0x10/0x10 [ 112.491911][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.497626][ T5090] ? hci_req_sync+0x3f/0xd0 [ 112.502175][ T5090] ? __pfx___might_resched+0x10/0x10 [ 112.507509][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.513271][ T5090] ? aa_get_newest_label+0x376/0x680 [ 112.518622][ T5090] hci_req_sync+0x97/0xd0 [ 112.522992][ T5090] ? 
__pfx_hci_scan_req+0x10/0x10 [ 112.528059][ T5090] hci_dev_cmd+0x634/0x960 [ 112.532523][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.538200][ T5090] ? __pfx_hci_dev_cmd+0x10/0x10 [ 112.543183][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.548858][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.555048][ T5090] ? security_capable+0x98/0xd0 [ 112.559966][ T5090] hci_sock_ioctl+0x4f3/0x880 [ 112.564715][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.570385][ T5090] ? __pfx_hci_sock_ioctl+0x10/0x10 [ 112.575630][ T5090] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 112.581651][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.587326][ T5090] sock_do_ioctl+0x119/0x280 [ 112.591969][ T5090] ? __pfx_sock_do_ioctl+0x10/0x10 [ 112.597314][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.602989][ T5090] sock_ioctl+0x22e/0x6c0 [ 112.607374][ T5090] ? __pfx_sock_ioctl+0x10/0x10 [ 112.612283][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.617946][ T5090] ? __fget_files+0x256/0x400 [ 112.622651][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.628295][ T5090] ? 
__pfx_sock_ioctl+0x10/0x10 [ 112.633168][ T5090] __x64_sys_ioctl+0x196/0x220 [ 112.637953][ T5090] do_syscall_64+0xcd/0x250 [ 112.642570][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 112.648490][ T5090] RIP: 0033:0x7fdbe7f757db [ 112.652915][ T5090] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 112.672621][ T5090] RSP: 002b:00007ffee3dec300 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 112.681140][ T5090] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdbe7f757db [ 112.689118][ T5090] RDX: 00007ffee3dec378 RSI: 00000000400448dd RDI: 0000000000000003 [ 112.697096][ T5090] RBP: 0000555576eb34a8 R08: 0000000000000000 R09: 0000000000000000 [ 112.705081][ T5090] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000 [ 112.713072][ T5090] R13: 0000000000000000 R14: 0000000000000009 R15: 0000000000000009 [ 112.721144][ T5090] </TASK> [ 112.724158][ T5090] [ 112.726501][ T5090] Allocated by task 5102: [ 112.730823][ T5090] kasan_save_stack+0x33/0x60 [ 112.735515][ T5090] kasan_save_track+0x14/0x30 [ 112.740223][ T5090] __kasan_slab_alloc+0x89/0x90 [ 112.745518][ T5090] kmem_cache_alloc_noprof+0x121/0x2f0 [ 112.751422][ T5090] skb_clone+0x190/0x3f0 [ 112.755691][ T5090] hci_cmd_work+0x66a/0x710 [ 112.760205][ T5090] process_one_work+0x9c8/0x1b40 [ 112.765166][ T5090] worker_thread+0x6c8/0xf30 [ 112.769791][ T5090] kthread+0x2c4/0x3a0 [ 112.773898][ T5090] ret_from_fork+0x48/0x80 [ 112.778332][ T5090] ret_from_fork_asm+0x1a/0x30 [ 112.783115][ T5090] [ 112.785439][ T5090] Freed by task 5098: [ 112.789422][ T5090] kasan_save_stack+0x33/0x60 [ 112.794103][ T5090] kasan_save_track+0x14/0x30 [ 112.798881][ T5090] kasan_save_free_info+0x3b/0x60 [ 112.803930][ T5090] poison_slab_object+0xf7/0x160 [ 112.808891][ T5090] __kasan_slab_free+0x32/0x50 [ 112.813661][ T5090] kmem_cache_free+0x12f/0x3a0 [ 
112.818429][ T5090] kfree_skbmem+0x10e/0x200 [ 112.822953][ T5090] kfree_skb_reason+0x138/0x210 [ 112.827822][ T5090] hci_req_sync_complete+0x16c/0x270 [ 112.833138][ T5090] hci_event_packet+0x966/0x1170 [ 112.838090][ T5090] hci_rx_work+0x2c4/0x1610 [ 112.842711][ T5090] process_one_work+0x9c8/0x1b40 [ 112.847665][ T5090] worker_thread+0x6c8/0xf30 [ 112.852267][ T5090] kthread+0x2c4/0x3a0 [ 112.856357][ T5090] ret_from_fork+0x48/0x80 [ 112.860825][ T5090] ret_from_fork_asm+0x1a/0x30 [ 112.865802][ T5090] [ 112.868118][ T5090] The buggy address belongs to the object at ffff888023020b40 [ 112.868118][ T5090] which belongs to the cache skbuff_head_cache of size 240 [ 112.882710][ T5090] The buggy address is located 126 bytes inside of [ 112.882710][ T5090] freed 240-byte region [ffff888023020b40, ffff888023020c30) [ 112.896596][ T5090] [ 112.898916][ T5090] The buggy address belongs to the physical page: [ 112.905327][ T5090] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23020 [ 112.914109][ T5090] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 112.921216][ T5090] page_type: 0xffffefff(slab) [ 112.925895][ T5090] raw: 00fff00000000000 ffff888019299780 dead000000000122 0000000000000000 [ 112.934484][ T5090] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000 [ 112.943059][ T5090] page dumped because: kasan: bad access detected [ 112.949465][ T5090] page_owner tracks the page as allocated [ 112.955177][ T5090] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4529, tgid 4529 (klogd), ts 107964523750, free_ts 107893195422 [ 112.974069][ T5090] post_alloc_hook+0x2d1/0x350 [ 112.978864][ T5090] get_page_from_freelist+0x1353/0x2e50 [ 112.984442][ T5090] __alloc_pages_noprof+0x22b/0x2460 [ 112.989747][ T5090] alloc_slab_page+0x56/0x110 [ 112.994445][ T5090] new_slab+0x84/0x260 [ 112.998521][ T5090] ___slab_alloc+0xdac/0x1870 [ 113.003223][ 
T5090] __slab_alloc.constprop.0+0x56/0xb0 [ 113.008696][ T5090] kmem_cache_alloc_node_noprof+0xed/0x310 [ 113.014511][ T5090] __alloc_skb+0x2b1/0x380 [ 113.018958][ T5090] alloc_skb_with_frags+0xe4/0x710 [ 113.024169][ T5090] sock_alloc_send_pskb+0x7f1/0x980 [ 113.029805][ T5090] unix_dgram_sendmsg+0x4b8/0x1a60 [ 113.034932][ T5090] __sys_sendto+0x482/0x4e0 [ 113.039442][ T5090] __x64_sys_sendto+0xe0/0x1c0 [ 113.044208][ T5090] do_syscall_64+0xcd/0x250 [ 113.048732][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 113.054648][ T5090] page last free pid 5103 tgid 5103 stack trace: [ 113.060968][ T5090] free_unref_page+0x64a/0xe40 [ 113.065841][ T5090] __put_partials+0x14c/0x170 [ 113.070522][ T5090] qlist_free_all+0x4e/0x140 [ 113.075145][ T5090] kasan_quarantine_reduce+0x192/0x1e0 [ 113.080663][ T5090] __kasan_slab_alloc+0x69/0x90 [ 113.085530][ T5090] kmalloc_trace_noprof+0x11e/0x300 [ 113.090763][ T5090] kernfs_fop_open+0x28b/0xdb0 [ 113.095561][ T5090] do_dentry_open+0x922/0x15f0 [ 113.100363][ T5090] vfs_open+0x82/0x3f0 [ 113.104442][ T5090] path_openat+0x21fc/0x2e50 [ 113.109055][ T5090] do_filp_open+0x1dc/0x430 [ 113.113580][ T5090] do_sys_openat2+0x17a/0x1e0 [ 113.118269][ T5090] __x64_sys_openat+0x175/0x210 [ 113.123130][ T5090] do_syscall_64+0xcd/0x250 [ 113.127651][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 113.133592][ T5090] [ 113.135915][ T5090] Memory state around the buggy address: [ 113.141709][ T5090] ffff888023020a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 113.149773][ T5090] ffff888023020b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 113.157840][ T5090] >ffff888023020b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 113.165911][ T5090] ^ [ 113.171794][ T5090] ffff888023020c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 113.179854][ T5090] ffff888023020c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 113.187913][ T5090] ================================================================== [ 113.196422][ 
T5108] Bluetooth: hci2: command tx timeout [ 113.197752][ T5090] Kernel panic - not syncing: kasan.fault=panic_on_write set ... [ 113.197774][ T5090] CPU: 1 PID: 5090 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 113.197819][ T5090] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 113.197845][ T5090] Call Trace: [ 113.197860][ T5090] <TASK> [ 113.197875][ T5090] dump_stack_lvl+0x3d/0x1f0 [ 113.197925][ T5090] panic+0x6f5/0x7a0 [ 113.197969][ T5090] ? __pfx_panic+0x10/0x10 [ 113.198011][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.198058][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.198101][ T5090] ? preempt_schedule_common+0x44/0xc0 [ 113.198147][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.198190][ T5090] ? preempt_schedule_thunk+0x1a/0x30 [ 113.198238][ T5090] end_report+0x160/0x180 [ 113.198281][ T5090] kasan_report+0xe9/0x110 [ 113.198322][ T5090] ? skb_release_data+0x83d/0x980 [ 113.198370][ T5090] ? skb_release_data+0x83d/0x980 [ 113.198421][ T5090] skb_release_data+0x83d/0x980 [ 113.198467][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.198509][ T5090] ? rcu_is_watching+0x12/0xc0 [ 113.198566][ T5090] kfree_skb_reason+0x12b/0x210 [ 113.198617][ T5090] __hci_req_sync+0x61d/0x980 [ 113.198666][ T5090] ? __pfx___hci_req_sync+0x10/0x10 [ 113.198709][ T5090] ? __mutex_lock+0x1a6/0x9c0 [ 113.198757][ T5090] ? __pfx_autoremove_wake_function+0x10/0x10 [ 113.198802][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.198845][ T5090] ? hci_req_sync+0x3f/0xd0 [ 113.198896][ T5090] ? __pfx___might_resched+0x10/0x10 [ 113.198950][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.198992][ T5090] ? aa_get_newest_label+0x376/0x680 [ 113.199062][ T5090] hci_req_sync+0x97/0xd0 [ 113.199105][ T5090] ? __pfx_hci_scan_req+0x10/0x10 [ 113.199153][ T5090] hci_dev_cmd+0x634/0x960 [ 113.199206][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.199250][ T5090] ? 
__pfx_hci_dev_cmd+0x10/0x10 [ 113.199304][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.199347][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.199389][ T5090] ? security_capable+0x98/0xd0 [ 113.199455][ T5090] hci_sock_ioctl+0x4f3/0x880 [ 113.199502][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.199546][ T5090] ? __pfx_hci_sock_ioctl+0x10/0x10 [ 113.199598][ T5090] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 113.199644][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.199691][ T5090] sock_do_ioctl+0x119/0x280 [ 113.199748][ T5090] ? __pfx_sock_do_ioctl+0x10/0x10 [ 113.199814][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.199861][ T5090] sock_ioctl+0x22e/0x6c0 [ 113.199920][ T5090] ? __pfx_sock_ioctl+0x10/0x10 [ 113.199982][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.200024][ T5090] ? __fget_files+0x256/0x400 [ 113.200084][ T5090] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.200127][ T5090] ? __pfx_sock_ioctl+0x10/0x10 [ 113.200187][ T5090] __x64_sys_ioctl+0x196/0x220 [ 113.200243][ T5090] do_syscall_64+0xcd/0x250 [ 113.200299][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 113.200362][ T5090] RIP: 0033:0x7fdbe7f757db [ 113.200391][ T5090] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 113.200428][ T5090] RSP: 002b:00007ffee3dec300 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 113.200466][ T5090] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdbe7f757db [ 113.200493][ T5090] RDX: 00007ffee3dec378 RSI: 00000000400448dd RDI: 0000000000000003 [ 113.200519][ T5090] RBP: 0000555576eb34a8 R08: 0000000000000000 R09: 0000000000000000 [ 113.200545][ T5090] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000 [ 113.200575][ T5090] R13: 0000000000000000 R14: 0000000000000009 R15: 0000000000000009 [ 113.200613][ T5090] </TASK> [ 113.202010][ T5090] Kernel Offset: 
disabled