last executing test programs: kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.1.181' (ED25519) to the list of known hosts.
[ 67.974200][ T5082] cgroup: Unknown subsys name 'net'
[ 68.118579][ T5082] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 70.001572][ T5082] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 71.711227][ T1250] ieee802154 phy0 wpan0: encryption failed: -22
[ 71.717898][ T1250] ieee802154 phy1 wpan1: encryption failed: -22
[ 73.406592][ T5108] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 73.414425][ T5109] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 73.415162][ T5108] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 73.431088][ T5109] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 73.431581][ T5108] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 73.439975][ T5109] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 73.447119][ T5108] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 73.454466][ T5109] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 73.462442][ T5108] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 73.467002][ T5109] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 73.474910][ T5108] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 73.481768][ T5109] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 73.488422][ T5108] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 73.495944][ T5109] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 73.503068][ T5108] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 73.509972][ T5109] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 73.515825][ T5108] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 73.523325][ T5109] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 73.530186][ T5108] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 73.536939][ T5109] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 73.544401][ T5108] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 73.557908][ T5092] ==================================================================
[ 73.559766][ T5108] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 73.565994][ T5092] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x41/0x3b0
[ 73.575638][ T5108] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 73.580633][ T5092] Read of size 4 at addr ffff8880222395e4 by task syz-executor/5092
[ 73.580655][ T5092]
[ 73.580673][ T5092] CPU: 0 PID: 5092 Comm: syz-executor Not tainted 6.10.0-rc2-syzkaller-00824-gfd8db07705c5 #0
[ 73.580695][ T5092] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 73.580716][ T5092] Call Trace:
[ 73.580726][ T5092]
[ 73.588215][ T5108] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 73.595617][ T5092] dump_stack_lvl+0x241/0x360
[ 73.604561][ T5108] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 73.608267][ T5092] ? __pfx_dump_stack_lvl+0x10/0x10
[ 73.608302][ T5092] ? __pfx__printk+0x10/0x10
[ 73.608326][ T5092] ? _printk+0xd5/0x120
[ 73.608350][ T5092] ? __virt_addr_valid+0x183/0x520
[ 73.662528][ T5092] ? __virt_addr_valid+0x183/0x520
[ 73.667677][ T5092] print_report+0x169/0x550
[ 73.672298][ T5092] ? __virt_addr_valid+0x183/0x520
[ 73.677422][ T5092] ? __virt_addr_valid+0x183/0x520
[ 73.682548][ T5092] ? __virt_addr_valid+0x44e/0x520
[ 73.687675][ T5092] ? __phys_addr+0xba/0x170
[ 73.692191][ T5092] ? kfree_skb_reason+0x41/0x3b0
[ 73.697153][ T5092] kasan_report+0x143/0x180
[ 73.701687][ T5092] ? kfree_skb_reason+0x41/0x3b0
[ 73.706652][ T5092] kasan_check_range+0x282/0x290
[ 73.711610][ T5092] kfree_skb_reason+0x41/0x3b0
[ 73.716419][ T5092] __hci_req_sync+0x62f/0x950
[ 73.721639][ T5092] ? __pfx___hci_req_sync+0x10/0x10
[ 73.726859][ T5092] ? __pfx___mutex_lock+0x10/0x10
[ 73.731905][ T5092] ? __pfx_autoremove_wake_function+0x10/0x10
[ 73.737984][ T5092] ? __pfx_hci_scan_req+0x10/0x10
[ 73.743031][ T5092] hci_req_sync+0xa9/0xd0
[ 73.747413][ T5092] hci_dev_cmd+0x4c5/0xa50
[ 73.751858][ T5092] ? security_capable+0x90/0xb0
[ 73.756717][ T5092] ? __pfx_hci_dev_cmd+0x10/0x10
[ 73.761718][ T5092] ? hci_sock_ioctl+0x6c4/0xa40
[ 73.766603][ T5092] sock_do_ioctl+0x158/0x460
[ 73.771216][ T5092] ? __pfx_sock_do_ioctl+0x10/0x10
[ 73.776349][ T5092] sock_ioctl+0x629/0x8e0
[ 73.780702][ T5092] ? __pfx_sock_ioctl+0x10/0x10
[ 73.785569][ T5092] ? __fget_files+0x29/0x470
[ 73.790176][ T5092] ? __fget_files+0x3f6/0x470
[ 73.794867][ T5092] ? __fget_files+0x29/0x470
[ 73.799479][ T5092] ? bpf_lsm_file_ioctl+0x9/0x10
[ 73.804437][ T5092] ? security_file_ioctl+0x87/0xb0
[ 73.809583][ T5092] ? __pfx_sock_ioctl+0x10/0x10
[ 73.814455][ T5092] __se_sys_ioctl+0xfc/0x170
[ 73.819061][ T5092] do_syscall_64+0xf3/0x230
[ 73.823603][ T5092] ? clear_bhb_loop+0x35/0x90
[ 73.828330][ T5092] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 73.834255][ T5092] RIP: 0033:0x7fb324d757db
[ 73.838680][ T5092] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 73.858292][ T5092] RSP: 002b:00007ffed069fb50 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 73.866806][ T5092] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb324d757db
[ 73.874787][ T5092] RDX: 00007ffed069fbc8 RSI: 00000000400448dd RDI: 0000000000000003
[ 73.882762][ T5092] RBP: 000055558e71e4a8 R08: 0000000000000000 R09: 0000000000000000
[ 73.890791][ T5092] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 73.898795][ T5092] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 73.906798][ T5092]
[ 73.909829][ T5092]
[ 73.912162][ T5092] Allocated by task 5109:
[ 73.916511][ T5092] kasan_save_track+0x3f/0x80
[ 73.921209][ T5092] __kasan_slab_alloc+0x66/0x80
[ 73.926081][ T5092] kmem_cache_alloc_noprof+0x135/0x2a0
[ 73.931550][ T5092] skb_clone+0x20c/0x390
[ 73.935814][ T5092] hci_cmd_work+0x29e/0x670
[ 73.940336][ T5092] process_scheduled_works+0xa2c/0x1830
[ 73.946091][ T5092] worker_thread+0x86d/0xd70
[ 73.950690][ T5092] kthread+0x2f0/0x390
[ 73.954771][ T5092] ret_from_fork+0x4b/0x80
[ 73.959204][ T5092] ret_from_fork_asm+0x1a/0x30
[ 73.963980][ T5092]
[ 73.966305][ T5092] Freed by task 5108:
[ 73.970284][ T5092] kasan_save_track+0x3f/0x80
[ 73.974968][ T5092] kasan_save_free_info+0x40/0x50
[ 73.980001][ T5092] poison_slab_object+0xe0/0x150
[ 73.984949][ T5092] __kasan_slab_free+0x37/0x60
[ 73.989764][ T5092] kmem_cache_free+0x145/0x350
[ 73.994561][ T5092] hci_req_sync_complete+0xe7/0x290
[ 73.999789][ T5092] hci_event_packet+0xc71/0x1540
[ 74.004837][ T5092] hci_rx_work+0x3e8/0xca0
[ 74.009309][ T5092] process_scheduled_works+0xa2c/0x1830
[ 74.014869][ T5092] worker_thread+0x86d/0xd70
[ 74.019469][ T5092] kthread+0x2f0/0x390
[ 74.023555][ T5092] ret_from_fork+0x4b/0x80
[ 74.028018][ T5092] ret_from_fork_asm+0x1a/0x30
[ 74.032914][ T5092]
[ 74.035244][ T5092] The buggy address belongs to the object at ffff888022239500
[ 74.035244][ T5092] which belongs to the cache skbuff_head_cache of size 240
[ 74.049825][ T5092] The buggy address is located 228 bytes inside of
[ 74.049825][ T5092] freed 240-byte region [ffff888022239500, ffff8880222395f0)
[ 74.063634][ T5092]
[ 74.065963][ T5092] The buggy address belongs to the physical page:
[ 74.072393][ T5092] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22239
[ 74.081168][ T5092] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 74.088286][ T5092] page_type: 0xffffefff(slab)
[ 74.092968][ T5092] raw: 00fff00000000000 ffff888018ae5780 dead000000000122 0000000000000000
[ 74.101558][ T5092] raw: 0000000000000000 00000000800c000c 00000001ffffefff 0000000000000000
[ 74.110145][ T5092] page dumped because: kasan: bad access detected
[ 74.116575][ T5092] page_owner tracks the page as allocated
[ 74.122293][ T5092] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5106, tgid 5106 (kworker/u9:4), ts 73555135732, free_ts 73552757516
[ 74.141577][ T5092] post_alloc_hook+0x1f3/0x230
[ 74.146362][ T5092] get_page_from_freelist+0x2e2d/0x2ee0
[ 74.151921][ T5092] __alloc_pages_noprof+0x256/0x6c0
[ 74.157163][ T5092] alloc_slab_page+0x5f/0x120
[ 74.161880][ T5092] allocate_slab+0x5a/0x2e0
[ 74.166405][ T5092] ___slab_alloc+0xcd1/0x14b0
[ 74.171097][ T5092] __slab_alloc+0x58/0xa0
[ 74.175436][ T5092] kmem_cache_alloc_node_noprof+0x1fe/0x320
[ 74.181339][ T5092] __alloc_skb+0x1c3/0x440
[ 74.185761][ T5092] mgmt_send_event+0x46/0x1a0
[ 74.190444][ T5092] mgmt_index_added+0x117/0x260
[ 74.195317][ T5092] hci_power_on+0x4a2/0x6b0
[ 74.199851][ T5092] process_scheduled_works+0xa2c/0x1830
[ 74.205491][ T5092] worker_thread+0x86d/0xd70
[ 74.210103][ T5092] kthread+0x2f0/0x390
[ 74.214186][ T5092] ret_from_fork+0x4b/0x80
[ 74.218615][ T5092] page last free pid 5103 tgid 5092 stack trace:
[ 74.224942][ T5092] free_unref_page+0xd22/0xea0
[ 74.229728][ T5092] skb_release_data+0x6b2/0x880
[ 74.234593][ T5092] napi_consume_skb+0x146/0x1f0
[ 74.239458][ T5092] net_rx_action+0x584/0x10a0
[ 74.244149][ T5092] handle_softirqs+0x2c4/0x970
[ 74.248923][ T5092] __irq_exit_rcu+0xf4/0x1c0
[ 74.253526][ T5092] irq_exit_rcu+0x9/0x30
[ 74.257782][ T5092] common_interrupt+0xaa/0xd0
[ 74.262473][ T5092] asm_common_interrupt+0x26/0x40
[ 74.267523][ T5092]
[ 74.269845][ T5092] Memory state around the buggy address:
[ 74.275475][ T5092] ffff888022239480: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 74.283541][ T5092] ffff888022239500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.291607][ T5092] >ffff888022239580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 74.299673][ T5092] ^
[ 74.306883][ T5092] ffff888022239600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 74.314949][ T5092] ffff888022239680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.323011][ T5092] ==================================================================
[ 74.334823][ T5092] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 74.342139][ T5092] CPU: 0 PID: 5092 Comm: syz-executor Not tainted 6.10.0-rc2-syzkaller-00824-gfd8db07705c5 #0
[ 74.352512][ T5092] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 74.362611][ T5092] Call Trace:
[ 74.365905][ T5092]
[ 74.368848][ T5092] dump_stack_lvl+0x241/0x360
[ 74.373541][ T5092] ? __pfx_dump_stack_lvl+0x10/0x10
[ 74.378748][ T5092] ? __pfx__printk+0x10/0x10
[ 74.383342][ T5092] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 74.389333][ T5092] ? vscnprintf+0x5d/0x90
[ 74.393761][ T5092] panic+0x349/0x860
[ 74.397667][ T5092] ? check_panic_on_warn+0x21/0xb0
[ 74.402798][ T5092] ? __pfx_panic+0x10/0x10
[ 74.407241][ T5092] ? _raw_spin_unlock_irqrestore+0x130/0x140
[ 74.413335][ T5092] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 74.419676][ T5092] check_panic_on_warn+0x86/0xb0
[ 74.424628][ T5092] ? kfree_skb_reason+0x41/0x3b0
[ 74.429583][ T5092] end_report+0x77/0x160
[ 74.433850][ T5092] kasan_report+0x154/0x180
[ 74.438476][ T5092] ? kfree_skb_reason+0x41/0x3b0
[ 74.443439][ T5092] kasan_check_range+0x282/0x290
[ 74.448429][ T5092] kfree_skb_reason+0x41/0x3b0
[ 74.453210][ T5092] __hci_req_sync+0x62f/0x950
[ 74.457905][ T5092] ? __pfx___hci_req_sync+0x10/0x10
[ 74.463118][ T5092] ? __pfx___mutex_lock+0x10/0x10
[ 74.468164][ T5092] ? __pfx_autoremove_wake_function+0x10/0x10
[ 74.474240][ T5092] ? __pfx_hci_scan_req+0x10/0x10
[ 74.479285][ T5092] hci_req_sync+0xa9/0xd0
[ 74.483623][ T5092] hci_dev_cmd+0x4c5/0xa50
[ 74.488046][ T5092] ? security_capable+0x90/0xb0
[ 74.492904][ T5092] ? __pfx_hci_dev_cmd+0x10/0x10
[ 74.497870][ T5092] ? hci_sock_ioctl+0x6c4/0xa40
[ 74.502744][ T5092] sock_do_ioctl+0x158/0x460
[ 74.507349][ T5092] ? __pfx_sock_do_ioctl+0x10/0x10
[ 74.512478][ T5092] sock_ioctl+0x629/0x8e0
[ 74.516838][ T5092] ? __pfx_sock_ioctl+0x10/0x10
[ 74.521706][ T5092] ? __fget_files+0x29/0x470
[ 74.526316][ T5092] ? __fget_files+0x3f6/0x470
[ 74.531021][ T5092] ? __fget_files+0x29/0x470
[ 74.535629][ T5092] ? bpf_lsm_file_ioctl+0x9/0x10
[ 74.540578][ T5092] ? security_file_ioctl+0x87/0xb0
[ 74.545708][ T5092] ? __pfx_sock_ioctl+0x10/0x10
[ 74.550671][ T5092] __se_sys_ioctl+0xfc/0x170
[ 74.555279][ T5092] do_syscall_64+0xf3/0x230
[ 74.559792][ T5092] ? clear_bhb_loop+0x35/0x90
[ 74.564484][ T5092] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.570392][ T5092] RIP: 0033:0x7fb324d757db
[ 74.574814][ T5092] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 74.594444][ T5092] RSP: 002b:00007ffed069fb50 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 74.602873][ T5092] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb324d757db
[ 74.610942][ T5092] RDX: 00007ffed069fbc8 RSI: 00000000400448dd RDI: 0000000000000003
[ 74.618925][ T5092] RBP: 000055558e71e4a8 R08: 0000000000000000 R09: 0000000000000000
[ 74.626989][ T5092] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 74.635055][ T5092] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 74.643041][ T5092]
[ 74.646334][ T5092] Kernel Offset: disabled
[ 74.650685][ T5092] Rebooting in 86400 seconds..