last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.192' (ED25519) to the list of known hosts.
syzkaller login: [ 51.467906][ T3536] cgroup: Unknown subsys name 'net'
[ 51.635752][ T3536] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 52.873351][ T3536] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k FS
[ 53.959142][ T3561] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 53.959758][ T3562] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 53.968001][ T3561] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 53.974686][ T3562] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 53.982112][ T3561] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 53.988401][ T3562] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 53.996936][ T3561] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 54.002158][ T3562] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 54.009223][ T3561] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 54.015750][ T3562] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 54.030487][ T3562] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 54.030588][ T3561] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 54.037846][ T3562] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 54.045035][ T3561] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 54.051543][ T3562] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 54.059899][ T3561] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 54.065480][ T3562] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 54.073466][ T3561] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 54.079950][ T3562] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 54.087556][ T3561] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 54.093854][ T3562] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 54.100585][ T3561] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 54.107175][ T3562] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 54.121276][ T3562] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 54.128458][ T47] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 54.137236][ T47] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 54.144612][ T3561] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 54.144858][ T47] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 54.159146][ T47] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 54.182489][ T3560] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 54.192431][ T3549] ==================================================================
[ 54.200518][ T3549] BUG: KASAN: use-after-free in kfree_skb_reason+0x3d/0x390
[ 54.207825][ T3549] Read of size 4 at addr ffff8880622439a4 by task syz-executor/3549
[ 54.215808][ T3549]
[ 54.218147][ T3549] CPU: 1 PID: 3549 Comm: syz-executor Not tainted 6.1.100-syzkaller #0
[ 54.226392][ T3549] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 54.236453][ T3549] Call Trace:
[ 54.239735][ T3549]
[ 54.242662][ T3549] dump_stack_lvl+0x1e3/0x2cb
[ 54.247338][ T3549] ? nf_tcp_handle_invalid+0x642/0x642
[ 54.252786][ T3549] ? panic+0x764/0x764
[ 54.256840][ T3549] ? _printk+0xd1/0x111
[ 54.260979][ T3549] ? __virt_addr_valid+0x17f/0x530
[ 54.266078][ T3549] ? __virt_addr_valid+0x17f/0x530
[ 54.271175][ T3549] print_report+0x15f/0x4f0
[ 54.275748][ T3549] ? __virt_addr_valid+0x17f/0x530
[ 54.280845][ T3549] ? __virt_addr_valid+0x17f/0x530
[ 54.285939][ T3549] ? __virt_addr_valid+0x45b/0x530
[ 54.291061][ T3549] ? __phys_addr+0xb6/0x170
[ 54.295554][ T3549] ? kfree_skb_reason+0x3d/0x390
[ 54.300481][ T3549] kasan_report+0x136/0x160
[ 54.304971][ T3549] ? kfree_skb_reason+0x3d/0x390
[ 54.309894][ T3549] kasan_check_range+0x27f/0x290
[ 54.314813][ T3549] kfree_skb_reason+0x3d/0x390
[ 54.319566][ T3549] __hci_req_sync+0x626/0x940
[ 54.324225][ T3549] ? trace_contention_end+0x61/0x170
[ 54.329495][ T3549] ? hci_req_sync_complete+0x280/0x280
[ 54.334950][ T3549] ? mutex_lock_nested+0x10/0x10
[ 54.339871][ T3549] ? wake_bit_function+0x210/0x210
[ 54.345056][ T3549] ? hci_encrypt_req+0x170/0x170
[ 54.349979][ T3549] hci_req_sync+0xa5/0xc0
[ 54.354291][ T3549] hci_dev_cmd+0x2fc/0xa30
[ 54.358693][ T3549] ? security_capable+0x86/0xb0
[ 54.363532][ T3549] ? hci_dev_reset_stat+0x1a0/0x1a0
[ 54.368726][ T3549] ? hci_sock_ioctl+0x426/0x850
[ 54.373563][ T3549] sock_do_ioctl+0x152/0x450
[ 54.378139][ T3549] ? sock_show_fdinfo+0xb0/0xb0
[ 54.382972][ T3549] ? __fget_files+0x28/0x4a0
[ 54.387547][ T3549] sock_ioctl+0x47f/0x770
[ 54.391861][ T3549] ? sock_poll+0x410/0x410
[ 54.396257][ T3549] ? __fget_files+0x28/0x4a0
[ 54.400842][ T3549] ? __fget_files+0x435/0x4a0
[ 54.405523][ T3549] ? __fget_files+0x28/0x4a0
[ 54.410113][ T3549] ? bpf_lsm_file_ioctl+0x5/0x10
[ 54.415040][ T3549] ? security_file_ioctl+0x7d/0xa0
[ 54.420136][ T3549] ? sock_poll+0x410/0x410
[ 54.424538][ T3549] __se_sys_ioctl+0xf1/0x160
[ 54.429121][ T3549] do_syscall_64+0x3b/0xb0
[ 54.433529][ T3549] ? clear_bhb_loop+0x45/0xa0
[ 54.438192][ T3549] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 54.444071][ T3549] RIP: 0033:0x7f0383b7575b
[ 54.448482][ T3549] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 54.468071][ T3549] RSP: 002b:00007ffc334d8020 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 54.476467][ T3549] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f0383b7575b
[ 54.484420][ T3549] RDX: 00007ffc334d8098 RSI: 00000000400448dd RDI: 0000000000000003
[ 54.492379][ T3549] RBP: 000055555632a4a8 R08: 0000000000000000 R09: 0000000000000000
[ 54.500330][ T3549] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000003
[ 54.508282][ T3549] R13: 0000000000000003 R14: 0000000000000009 R15: 0000000000000009
[ 54.516244][ T3549]
[ 54.519248][ T3549]
[ 54.521554][ T3549] Allocated by task 3551:
[ 54.525859][ T3549] kasan_set_track+0x4b/0x70
[ 54.530444][ T3549] __kasan_slab_alloc+0x65/0x70
[ 54.535280][ T3549] slab_post_alloc_hook+0x52/0x3a0
[ 54.540374][ T3549] kmem_cache_alloc+0x10c/0x2d0
[ 54.545207][ T3549] skb_clone+0x1e5/0x360
[ 54.549430][ T3549] hci_cmd_work+0x296/0x660
[ 54.553917][ T3549] process_one_work+0x8a9/0x11d0
[ 54.558835][ T3549] worker_thread+0xa47/0x1200
[ 54.563492][ T3549] kthread+0x28d/0x320
[ 54.567540][ T3549] ret_from_fork+0x1f/0x30
[ 54.571939][ T3549]
[ 54.574243][ T3549] Freed by task 3563:
[ 54.578199][ T3549] kasan_set_track+0x4b/0x70
[ 54.582775][ T3549] kasan_save_free_info+0x27/0x40
[ 54.587778][ T3549] ____kasan_slab_free+0xd6/0x120
[ 54.592792][ T3549] kmem_cache_free+0x292/0x510
[ 54.597537][ T3549] hci_req_sync_complete+0xee/0x280
[ 54.602716][ T3549] hci_event_packet+0xc49/0x1510
[ 54.607721][ T3549] hci_rx_work+0x3cd/0xce0
[ 54.612117][ T3549] process_one_work+0x8a9/0x11d0
[ 54.617036][ T3549] worker_thread+0xa47/0x1200
[ 54.621705][ T3549] kthread+0x28d/0x320
[ 54.625752][ T3549] ret_from_fork+0x1f/0x30
[ 54.630162][ T3549]
[ 54.632480][ T3549] The buggy address belongs to the object at ffff8880622438c0
[ 54.632480][ T3549] which belongs to the cache skbuff_head_cache of size 240
[ 54.647031][ T3549] The buggy address is located 228 bytes inside of
[ 54.647031][ T3549] 240-byte region [ffff8880622438c0, ffff8880622439b0)
[ 54.660370][ T3549]
[ 54.662676][ T3549] The buggy address belongs to the physical page:
[ 54.669072][ T3549] page:ffffea00018890c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x62243
[ 54.679202][ T3549] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 54.686737][ T3549] raw: 00fff00000000200 0000000000000000 dead000000000122 ffff888014a64500
[ 54.695300][ T3549] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 54.703858][ T3549] page dumped because: kasan: bad access detected
[ 54.710253][ T3549] page_owner tracks the page as allocated
[ 54.715945][ T3549] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 3551, tgid 3551 (kworker/u5:1), ts 54191084243, free_ts 10979826985
[ 54.734243][ T3549] post_alloc_hook+0x18d/0x1b0
[ 54.738990][ T3549] get_page_from_freelist+0x322e/0x33b0
[ 54.744523][ T3549] __alloc_pages+0x28d/0x770
[ 54.749092][ T3549] alloc_slab_page+0x6a/0x150
[ 54.753751][ T3549] new_slab+0x84/0x2d0
[ 54.757803][ T3549] ___slab_alloc+0xc20/0x1270
[ 54.762460][ T3549] kmem_cache_alloc_node+0x1cf/0x310
[ 54.767726][ T3549] __alloc_skb+0xde/0x670
[ 54.772046][ T3549] __hci_cmd_sync_sk+0x154/0x1100
[ 54.777055][ T3549] hci_write_ca_timeout_sync+0xa2/0x1d0
[ 54.782596][ T3549] hci_dev_open_sync+0x2ff7/0x35f0
[ 54.787690][ T3549] hci_power_on+0x1c4/0x6f0
[ 54.792171][ T3549] process_one_work+0x8a9/0x11d0
[ 54.797088][ T3549] worker_thread+0xa47/0x1200
[ 54.801748][ T3549] kthread+0x28d/0x320
[ 54.805794][ T3549] ret_from_fork+0x1f/0x30
[ 54.810195][ T3549] page last free stack trace:
[ 54.814848][ T3549] free_unref_page_prepare+0xf63/0x1120
[ 54.820376][ T3549] free_unref_page+0x33/0x3e0
[ 54.825033][ T3549] free_contig_range+0x9a/0x150
[ 54.829871][ T3549] destroy_args+0xfe/0x997
[ 54.834272][ T3549] debug_vm_pgtable+0x416/0x46b
[ 54.839104][ T3549] do_one_initcall+0x265/0x8f0
[ 54.843850][ T3549] do_initcall_level+0x157/0x207
[ 54.848768][ T3549] do_initcalls+0x49/0x86
[ 54.853079][ T3549] kernel_init_freeable+0x45c/0x60f
[ 54.858344][ T3549] kernel_init+0x19/0x290
[ 54.862660][ T3549] ret_from_fork+0x1f/0x30
[ 54.867146][ T3549]
[ 54.869448][ T3549] Memory state around the buggy address:
[ 54.875055][ T3549] ffff888062243880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 54.883094][ T3549] ffff888062243900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.891146][ T3549] >ffff888062243980: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 54.899183][ T3549] ^
[ 54.904270][ T3549] ffff888062243a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.912311][ T3549] ffff888062243a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 54.920351][ T3549] ==================================================================
[ 54.930060][ T3549] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 54.937263][ T3549] CPU: 1 PID: 3549 Comm: syz-executor Not tainted 6.1.100-syzkaller #0
[ 54.945497][ T3549] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 54.955546][ T3549] Call Trace:
[ 54.958819][ T3549]
[ 54.961742][ T3549] dump_stack_lvl+0x1e3/0x2cb
[ 54.966414][ T3549] ? nf_tcp_handle_invalid+0x642/0x642
[ 54.971861][ T3549] ? panic+0x764/0x764
[ 54.975915][ T3549] ? preempt_schedule_common+0xa6/0xd0
[ 54.981360][ T3549] ? vscnprintf+0x59/0x80
[ 54.985676][ T3549] panic+0x318/0x764
[ 54.989556][ T3549] ? check_panic_on_warn+0x1d/0xa0
[ 54.994656][ T3549] ? memcpy_page_flushcache+0xfc/0xfc
[ 55.000018][ T3549] ? _raw_spin_unlock_irqrestore+0x128/0x130
[ 55.005982][ T3549] ? _raw_spin_unlock+0x40/0x40
[ 55.010816][ T3549] ? print_report+0x4a3/0x4f0
[ 55.015476][ T3549] check_panic_on_warn+0x7e/0xa0
[ 55.020396][ T3549] ? kfree_skb_reason+0x3d/0x390
[ 55.025325][ T3549] end_report+0x66/0x110
[ 55.029564][ T3549] kasan_report+0x143/0x160
[ 55.034055][ T3549] ? kfree_skb_reason+0x3d/0x390
[ 55.038994][ T3549] kasan_check_range+0x27f/0x290
[ 55.043913][ T3549] kfree_skb_reason+0x3d/0x390
[ 55.048665][ T3549] __hci_req_sync+0x626/0x940
[ 55.053325][ T3549] ? trace_contention_end+0x61/0x170
[ 55.058600][ T3549] ? hci_req_sync_complete+0x280/0x280
[ 55.064042][ T3549] ? mutex_lock_nested+0x10/0x10
[ 55.069050][ T3549] ? wake_bit_function+0x210/0x210
[ 55.074158][ T3549] ? hci_encrypt_req+0x170/0x170
[ 55.079085][ T3549] hci_req_sync+0xa5/0xc0
[ 55.083486][ T3549] hci_dev_cmd+0x2fc/0xa30
[ 55.087887][ T3549] ? security_capable+0x86/0xb0
[ 55.092724][ T3549] ? hci_dev_reset_stat+0x1a0/0x1a0
[ 55.098082][ T3549] ? hci_sock_ioctl+0x426/0x850
[ 55.102917][ T3549] sock_do_ioctl+0x152/0x450
[ 55.107489][ T3549] ? sock_show_fdinfo+0xb0/0xb0
[ 55.112322][ T3549] ? __fget_files+0x28/0x4a0
[ 55.116902][ T3549] sock_ioctl+0x47f/0x770
[ 55.121216][ T3549] ? sock_poll+0x410/0x410
[ 55.125612][ T3549] ? __fget_files+0x28/0x4a0
[ 55.130181][ T3549] ? __fget_files+0x435/0x4a0
[ 55.134842][ T3549] ? __fget_files+0x28/0x4a0
[ 55.139432][ T3549] ? bpf_lsm_file_ioctl+0x5/0x10
[ 55.144362][ T3549] ? security_file_ioctl+0x7d/0xa0
[ 55.149459][ T3549] ? sock_poll+0x410/0x410
[ 55.153869][ T3549] __se_sys_ioctl+0xf1/0x160
[ 55.158457][ T3549] do_syscall_64+0x3b/0xb0
[ 55.162867][ T3549] ? clear_bhb_loop+0x45/0xa0
[ 55.167533][ T3549] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 55.173412][ T3549] RIP: 0033:0x7f0383b7575b
[ 55.177811][ T3549] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 55.197496][ T3549] RSP: 002b:00007ffc334d8020 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 55.205902][ T3549] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f0383b7575b
[ 55.213853][ T3549] RDX: 00007ffc334d8098 RSI: 00000000400448dd RDI: 0000000000000003
[ 55.221806][ T3549] RBP: 000055555632a4a8 R08: 0000000000000000 R09: 0000000000000000
[ 55.229774][ T3549] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000003
[ 55.237743][ T3549] R13: 0000000000000003 R14: 0000000000000009 R15: 0000000000000009
[ 55.245707][ T3549]
[ 55.248923][ T3549] Kernel Offset: disabled
[ 55.253234][ T3549] Rebooting in 86400 seconds..