last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.0.255' (ED25519) to the list of known hosts.
2024/06/17 01:19:54 fuzzer started
2024/06/17 01:19:54 dialing manager at 10.128.0.169:30020
[   51.243090][ T5090] cgroup: Unknown subsys name 'net'
[   51.435940][ T5090] cgroup: Unknown subsys name 'rlimit'
2024/06/17 01:19:56 starting 5 executor processes
[   52.553904][ T5096] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   53.619924][   T53] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   53.628774][   T53] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   53.636794][   T53] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   53.640794][ T5117] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   53.644662][   T53] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   53.652957][ T5117] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   53.665431][   T53] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   53.668830][ T5117] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   53.677597][ T5119] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   53.679924][ T5117] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   53.692310][   T53] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   53.694830][ T5117] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   53.706697][   T53] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   53.708284][ T5117] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   53.715353][   T53] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   53.729159][ T5117] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   53.730377][   T53] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   53.736938][ T5117] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   53.744265][   T53] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[   53.751133][ T5117] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[   53.758035][   T53] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   53.764484][ T5117] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   53.771137][   T53] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   53.778492][ T5117] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   53.795064][ T4492] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   53.802527][ T4492] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   53.813614][ T4492] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[   53.832492][   T53] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   53.847411][ T5108] ==================================================================
[   53.847604][ T5116] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[   53.855473][ T5108] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x41/0x3b0
[   53.855510][ T5108] Read of size 4 at addr ffff88801fd409a4 by task syz-executor.3/5108
[   53.855525][ T5108] 
[   53.855534][ T5108] CPU: 1 PID: 5108 Comm: syz-executor.3 Not tainted 6.10.0-rc3-syzkaller-00044-g2ccbdf43d5e7 #0
[   53.855552][ T5108] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   53.855566][ T5108] Call Trace:
[   53.855574][ T5108]  <TASK>
[   53.855582][ T5108]  dump_stack_lvl+0x241/0x360
[   53.855605][ T5108]  ? __pfx_dump_stack_lvl+0x10/0x10
[   53.855625][ T5108]  ? __pfx__printk+0x10/0x10
[   53.855643][ T5108]  ? _printk+0xd5/0x120
[   53.855661][ T5108]  ? __virt_addr_valid+0x183/0x520
[   53.855683][ T5108]  ? __virt_addr_valid+0x183/0x520
[   53.855705][ T5108]  print_report+0x169/0x550
[   53.855727][ T5108]  ? __virt_addr_valid+0x183/0x520
[   53.855748][ T5108]  ? __virt_addr_valid+0x183/0x520
[   53.863094][ T5116] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   53.870352][ T5108]  ? __virt_addr_valid+0x44e/0x520
[   53.870381][ T5108]  ? __phys_addr+0xba/0x170
[   53.870402][ T5108]  ? kfree_skb_reason+0x41/0x3b0
[   53.870419][ T5108]  kasan_report+0x143/0x180
[   53.870440][ T5108]  ? kfree_skb_reason+0x41/0x3b0
[   53.870460][ T5108]  kasan_check_range+0x282/0x290
[   53.870482][ T5108]  kfree_skb_reason+0x41/0x3b0
[   53.870500][ T5108]  __hci_req_sync+0x62f/0x950
[   53.995859][ T5108]  ? __pfx___hci_req_sync+0x10/0x10
[   54.001057][ T5108]  ? __pfx___mutex_lock+0x10/0x10
[   54.006066][ T5108]  ? __pfx_autoremove_wake_function+0x10/0x10
[   54.012118][ T5108]  ? __pfx_hci_scan_req+0x10/0x10
[   54.017128][ T5108]  hci_req_sync+0xa9/0xd0
[   54.021444][ T5108]  hci_dev_cmd+0x4c5/0xa50
[   54.025845][ T5108]  ? security_capable+0x90/0xb0
[   54.030689][ T5108]  ? __pfx_hci_dev_cmd+0x10/0x10
[   54.035615][ T5108]  ? hci_sock_ioctl+0x6c4/0xa40
[   54.040452][ T5108]  compat_sock_ioctl+0x18b/0xf20
[   54.045379][ T5108]  ? __pfx_compat_sock_ioctl+0x10/0x10
[   54.050824][ T5108]  ? __fget_files+0x29/0x470
[   54.055401][ T5108]  ? __fget_files+0x3f6/0x470
[   54.060066][ T5108]  ? bpf_lsm_file_ioctl_compat+0x9/0x10
[   54.065596][ T5108]  ? security_file_ioctl_compat+0x87/0xb0
[   54.071300][ T5108]  __se_compat_sys_ioctl+0x51c/0xca0
[   54.076572][ T5108]  ? __pfx___se_compat_sys_ioctl+0x10/0x10
[   54.082364][ T5108]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   54.088327][ T5108]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   54.094639][ T5108]  ? syscall_enter_from_user_mode_prepare+0x7f/0xe0
[   54.101469][ T5108]  ? lockdep_hardirqs_on+0x99/0x150
[   54.106743][ T5108]  __do_fast_syscall_32+0xb4/0x120
[   54.111846][ T5108]  do_fast_syscall_32+0x34/0x80
[   54.116856][ T5108]  entry_SYSENTER_compat_after_hwframe+0x84/0x8e
[   54.123182][ T5108] RIP: 0023:0xf7494579
[   54.127242][ T5108] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
[   54.146830][ T5108] RSP: 002b:00000000ffa13f44 EFLAGS: 00000206 ORIG_RAX: 0000000000000036
[   54.155236][ T5108] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000400448dd
[   54.163188][ T5108] RDX: 00000000ffa13f94 RSI: 00000000f7484ff4 RDI: 0000000000000004
[   54.171145][ T5108] RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
[   54.179098][ T5108] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
[   54.187053][ T5108] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   54.195013][ T5108]  </TASK>
[   54.198023][ T5108] 
[   54.200327][ T5108] Allocated by task 53:
[   54.204460][ T5108]  kasan_save_track+0x3f/0x80
[   54.209123][ T5108]  __kasan_slab_alloc+0x66/0x80
[   54.213961][ T5108]  kmem_cache_alloc_noprof+0x135/0x2a0
[   54.219405][ T5108]  skb_clone+0x20c/0x390
[   54.223629][ T5108]  hci_cmd_work+0x29e/0x670
[   54.228115][ T5108]  process_scheduled_works+0xa2c/0x1830
[   54.233728][ T5108]  worker_thread+0x86d/0xd70
[   54.238299][ T5108]  kthread+0x2f0/0x390
[   54.242352][ T5108]  ret_from_fork+0x4b/0x80
[   54.246752][ T5108]  ret_from_fork_asm+0x1a/0x30
[   54.251500][ T5108] 
[   54.253804][ T5108] Freed by task 5116:
[   54.257802][ T5108]  kasan_save_track+0x3f/0x80
[   54.262461][ T5108]  kasan_save_free_info+0x40/0x50
[   54.267552][ T5108]  poison_slab_object+0xe0/0x150
[   54.272473][ T5108]  __kasan_slab_free+0x37/0x60
[   54.277220][ T5108]  kmem_cache_free+0x145/0x350
[   54.281964][ T5108]  hci_req_sync_complete+0xe7/0x290
[   54.287146][ T5108]  hci_event_packet+0xc71/0x1540
[   54.292064][ T5108]  hci_rx_work+0x3e8/0xca0
[   54.296462][ T5108]  process_scheduled_works+0xa2c/0x1830
[   54.301987][ T5108]  worker_thread+0x86d/0xd70
[   54.306562][ T5108]  kthread+0x2f0/0x390
[   54.310612][ T5108]  ret_from_fork+0x4b/0x80
[   54.315015][ T5108]  ret_from_fork_asm+0x1a/0x30
[   54.319768][ T5108] 
[   54.322072][ T5108] The buggy address belongs to the object at ffff88801fd408c0
[   54.322072][ T5108]  which belongs to the cache skbuff_head_cache of size 240
[   54.336624][ T5108] The buggy address is located 228 bytes inside of
[   54.336624][ T5108]  freed 240-byte region [ffff88801fd408c0, ffff88801fd409b0)
[   54.350399][ T5108] 
[   54.352790][ T5108] The buggy address belongs to the physical page:
[   54.359187][ T5108] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1fd40
[   54.367929][ T5108] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   54.375025][ T5108] page_type: 0xffffefff(slab)
[   54.379683][ T5108] raw: 00fff00000000000 ffff888018ad7780 dead000000000122 0000000000000000
[   54.388248][ T5108] raw: 0000000000000000 00000000800c000c 00000001ffffefff 0000000000000000
[   54.396808][ T5108] page dumped because: kasan: bad access detected
[   54.403292][ T5108] page_owner tracks the page as allocated
[   54.409073][ T5108] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 53, tgid 53 (kworker/u9:0), ts 53846136221, free_ts 53804707100
[   54.427978][ T5108]  post_alloc_hook+0x1f3/0x230
[   54.432735][ T5108]  get_page_from_freelist+0x2e43/0x2f00
[   54.438266][ T5108]  __alloc_pages_noprof+0x256/0x6c0
[   54.443450][ T5108]  alloc_slab_page+0x5f/0x120
[   54.448110][ T5108]  allocate_slab+0x5a/0x2f0
[   54.452595][ T5108]  ___slab_alloc+0xcd1/0x14b0
[   54.457252][ T5108]  __slab_alloc+0x58/0xa0
[   54.461561][ T5108]  kmem_cache_alloc_noprof+0x1c1/0x2a0
[   54.467008][ T5108]  skb_clone+0x20c/0x390
[   54.471231][ T5108]  hci_event_packet+0x49c/0x1540
[   54.476151][ T5108]  hci_rx_work+0x3e8/0xca0
[   54.480640][ T5108]  process_scheduled_works+0xa2c/0x1830
[   54.486167][ T5108]  worker_thread+0x86d/0xd70
[   54.490745][ T5108]  kthread+0x2f0/0x390
[   54.494797][ T5108]  ret_from_fork+0x4b/0x80
[   54.499197][ T5108]  ret_from_fork_asm+0x1a/0x30
[   54.503949][ T5108] page last free pid 5104 tgid 5104 stack trace:
[   54.510252][ T5108]  free_unref_page+0xd22/0xea0
[   54.515004][ T5108]  __folio_put+0x3b9/0x620
[   54.519399][ T5108]  skb_release_data+0x467/0x880
[   54.524229][ T5108]  napi_consume_skb+0x146/0x1f0
[   54.529063][ T5108]  net_rx_action+0x584/0x10a0
[   54.533723][ T5108]  handle_softirqs+0x2c4/0x970
[   54.538468][ T5108]  do_softirq+0x11b/0x1e0
[   54.542774][ T5108]  __local_bh_enable_ip+0x1bb/0x200
[   54.547957][ T5108]  fpu_clone+0x3ee/0xad0
[   54.552187][ T5108]  copy_thread+0x3e5/0x980
[   54.556587][ T5108]  copy_process+0x1c0c/0x3dc0
[   54.561244][ T5108]  kernel_clone+0x226/0x8f0
[   54.565729][ T5108]  __ia32_compat_sys_ia32_clone+0x255/0x2a0
[   54.571610][ T5108]  do_int80_emulation+0x11f/0x200
[   54.576618][ T5108]  asm_int80_emulation+0x1a/0x20
[   54.581538][ T5108] 
[   54.583852][ T5108] Memory state around the buggy address:
[   54.589459][ T5108]  ffff88801fd40880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   54.597519][ T5108]  ffff88801fd40900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.605559][ T5108] >ffff88801fd40980: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[   54.613595][ T5108]                                ^
[   54.618695][ T5108]  ffff88801fd40a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.626735][ T5108]  ffff88801fd40a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   54.634863][ T5108] ==================================================================
2024/06/17 01:19:58 SYZFATAL: failed to recv *flatrpc.HostMessageRaw: EOF
[   54.716270][ T5108] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   54.723497][ T5108] CPU: 0 PID: 5108 Comm: syz-executor.3 Not tainted 6.10.0-rc3-syzkaller-00044-g2ccbdf43d5e7 #0
[   54.733918][ T5108] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   54.743979][ T5108] Call Trace:
[   54.747268][ T5108]  <TASK>
[   54.750380][ T5108]  dump_stack_lvl+0x241/0x360
[   54.755073][ T5108]  ? __pfx_dump_stack_lvl+0x10/0x10
[   54.760285][ T5108]  ? __pfx__printk+0x10/0x10
[   54.764901][ T5108]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   54.770896][ T5108]  ? vscnprintf+0x5d/0x90
[   54.775243][ T5108]  panic+0x349/0x860
[   54.779155][ T5108]  ? check_panic_on_warn+0x21/0xb0
[   54.784281][ T5108]  ? __pfx_panic+0x10/0x10
[   54.788718][ T5108]  ? _raw_spin_unlock_irqrestore+0x130/0x140
[   54.794713][ T5108]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   54.801058][ T5108]  check_panic_on_warn+0x86/0xb0
[   54.806006][ T5108]  ? kfree_skb_reason+0x41/0x3b0
[   54.810955][ T5108]  end_report+0x77/0x160
[   54.815215][ T5108]  kasan_report+0x154/0x180
[   54.819740][ T5108]  ? kfree_skb_reason+0x41/0x3b0
[   54.824689][ T5108]  kasan_check_range+0x282/0x290
[   54.829641][ T5108]  kfree_skb_reason+0x41/0x3b0
[   54.834411][ T5108]  __hci_req_sync+0x62f/0x950
[   54.839094][ T5108]  ? __pfx___hci_req_sync+0x10/0x10
[   54.844295][ T5108]  ? __pfx___mutex_lock+0x10/0x10
[   54.849322][ T5108]  ? __pfx_autoremove_wake_function+0x10/0x10
[   54.855378][ T5108]  ? __pfx_hci_scan_req+0x10/0x10
[   54.860391][ T5108]  hci_req_sync+0xa9/0xd0
[   54.864708][ T5108]  hci_dev_cmd+0x4c5/0xa50
[   54.869113][ T5108]  ? security_capable+0x90/0xb0
[   54.873953][ T5108]  ? __pfx_hci_dev_cmd+0x10/0x10
[   54.878881][ T5108]  ? hci_sock_ioctl+0x6c4/0xa40
[   54.883722][ T5108]  compat_sock_ioctl+0x18b/0xf20
[   54.888649][ T5108]  ? __pfx_compat_sock_ioctl+0x10/0x10
[   54.894096][ T5108]  ? __fget_files+0x29/0x470
[   54.898672][ T5108]  ? __fget_files+0x3f6/0x470
[   54.903339][ T5108]  ? bpf_lsm_file_ioctl_compat+0x9/0x10
[   54.909222][ T5108]  ? security_file_ioctl_compat+0x87/0xb0
[   54.914929][ T5108]  __se_compat_sys_ioctl+0x51c/0xca0
[   54.920206][ T5108]  ? __pfx___se_compat_sys_ioctl+0x10/0x10
[   54.926094][ T5108]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   54.932066][ T5108]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   54.938380][ T5108]  ? syscall_enter_from_user_mode_prepare+0x7f/0xe0
[   54.944960][ T5108]  ? lockdep_hardirqs_on+0x99/0x150
[   54.950171][ T5108]  __do_fast_syscall_32+0xb4/0x120
[   54.955274][ T5108]  do_fast_syscall_32+0x34/0x80
[   54.960116][ T5108]  entry_SYSENTER_compat_after_hwframe+0x84/0x8e
[   54.966433][ T5108] RIP: 0023:0xf7494579
[   54.970484][ T5108] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
[   54.990073][ T5108] RSP: 002b:00000000ffa13f44 EFLAGS: 00000206 ORIG_RAX: 0000000000000036
[   54.998474][ T5108] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000400448dd
[   55.006776][ T5108] RDX: 00000000ffa13f94 RSI: 00000000f7484ff4 RDI: 0000000000000004
[   55.014732][ T5108] RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
[   55.022692][ T5108] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
[   55.030647][ T5108] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   55.038631][ T5108]  </TASK>
[   55.041845][ T5108] Kernel Offset: disabled
[   55.046151][ T5108] Rebooting in 86400 seconds..