last executing test programs: kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.18' (ED25519) to the list of known hosts.
[   69.142265][ T5082] cgroup: Unknown subsys name 'net'
[   69.309073][ T5082] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   71.007760][ T5082] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k
[   71.822162][ T1246] ieee802154 phy0 wpan0: encryption failed: -22
[   71.828824][ T1246] ieee802154 phy1 wpan1: encryption failed: -22
[   73.380706][ T5103] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   73.395450][ T5106] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   73.404757][ T5106] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   73.413326][ T5106] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   73.422336][ T5106] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   73.429928][ T5108] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   73.434537][ T5106] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   73.437915][ T5108] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   73.445949][ T5106] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   73.460310][ T5108] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   73.461647][ T5106] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   73.473204][ T5110] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   73.476064][ T5106] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   73.483309][ T5110] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   73.490592][ T5106] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   73.497995][ T5108] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[   73.504634][ T5106] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   73.511237][ T5108] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   73.518763][ T5106] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   73.524346][ T5110] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   73.532295][ T5106] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[   73.539763][ T5108] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   73.546287][ T5106] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   73.554763][ T4488] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   73.567267][ T5106] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   73.575583][ T5108] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[   73.586391][ T5108] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   73.596184][ T5108] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   73.614870][   T53] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[   73.622536][   T53] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   73.631804][ T5094] ==================================================================
[   73.639963][ T5094] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x41/0x3b0
[   73.647834][ T5094] Read of size 4 at addr ffff888068fa8364 by task syz-executor/5094
[   73.655928][ T5094]
[   73.658289][ T5094] CPU: 0 PID: 5094 Comm: syz-executor Not tainted 6.10.0-rc2-syzkaller-00824-gfd8db07705c5 #0
[   73.668553][ T5094] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   73.678651][ T5094] Call Trace:
[   73.682391][ T5094]  <TASK>
[   73.685356][ T5094]  dump_stack_lvl+0x241/0x360
[   73.690249][ T5094]  ? __pfx_dump_stack_lvl+0x10/0x10
[   73.695462][ T5094]  ? __pfx__printk+0x10/0x10
[   73.700056][ T5094]  ? _printk+0xd5/0x120
[   73.704219][ T5094]  ? __virt_addr_valid+0x183/0x520
[   73.709366][ T5094]  ? __virt_addr_valid+0x183/0x520
[   73.714575][ T5094]  print_report+0x169/0x550
[   73.719180][ T5094]  ? __virt_addr_valid+0x183/0x520
[   73.724319][ T5094]  ? __virt_addr_valid+0x183/0x520
[   73.729442][ T5094]  ? __virt_addr_valid+0x44e/0x520
[   73.734565][ T5094]  ? __phys_addr+0xba/0x170
[   73.739078][ T5094]  ? kfree_skb_reason+0x41/0x3b0
[   73.744029][ T5094]  kasan_report+0x143/0x180
[   73.748547][ T5094]  ? kfree_skb_reason+0x41/0x3b0
[   73.753505][ T5094]  kasan_check_range+0x282/0x290
[   73.758453][ T5094]  kfree_skb_reason+0x41/0x3b0
[   73.763400][ T5094]  __hci_req_sync+0x62f/0x950
[   73.768081][ T5094]  ? __pfx___hci_req_sync+0x10/0x10
[   73.773289][ T5094]  ? __pfx___mutex_lock+0x10/0x10
[   73.778324][ T5094]  ? __pfx_autoremove_wake_function+0x10/0x10
[   73.784486][ T5094]  ? __pfx_hci_scan_req+0x10/0x10
[   73.789517][ T5094]  hci_req_sync+0xa9/0xd0
[   73.793853][ T5094]  hci_dev_cmd+0x4c5/0xa50
[   73.798277][ T5094]  ? security_capable+0x90/0xb0
[   73.803129][ T5094]  ? __pfx_hci_dev_cmd+0x10/0x10
[   73.808097][ T5094]  ? hci_sock_ioctl+0x6c4/0xa40
[   73.812952][ T5094]  sock_do_ioctl+0x158/0x460
[   73.817548][ T5094]  ? __pfx_sock_do_ioctl+0x10/0x10
[   73.822690][ T5094]  sock_ioctl+0x629/0x8e0
[   73.827044][ T5094]  ? __pfx_sock_ioctl+0x10/0x10
[   73.831906][ T5094]  ? __fget_files+0x29/0x470
[   73.836505][ T5094]  ? __fget_files+0x3f6/0x470
[   73.841189][ T5094]  ? __fget_files+0x29/0x470
[   73.845796][ T5094]  ? bpf_lsm_file_ioctl+0x9/0x10
[   73.850741][ T5094]  ? security_file_ioctl+0x87/0xb0
[   73.855868][ T5094]  ? __pfx_sock_ioctl+0x10/0x10
[   73.860822][ T5094]  __se_sys_ioctl+0xfc/0x170
[   73.865419][ T5094]  do_syscall_64+0xf3/0x230
[   73.869926][ T5094]  ? clear_bhb_loop+0x35/0x90
[   73.874630][ T5094]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   73.880542][ T5094] RIP: 0033:0x7f4a117757db
[   73.884980][ T5094] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[   73.904772][ T5094] RSP: 002b:00007ffefd21a9c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   73.913198][ T5094] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f4a117757db
[   73.921194][ T5094] RDX: 00007ffefd21aa38 RSI: 00000000400448dd RDI: 0000000000000003
[   73.929166][ T5094] RBP: 000055557e35d4a8 R08: 0000000000000000 R09: 0000000000000000
[   73.937134][ T5094] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000002
[   73.945104][ T5094] R13: 0000000000000002 R14: 0000000000000009 R15: 0000000000000009
[   73.953088][ T5094]  </TASK>
[   73.956213][ T5094]
[   73.958531][ T5094] Allocated by task 53:
[   73.962681][ T5094]  kasan_save_track+0x3f/0x80
[   73.967367][ T5094]  __kasan_slab_alloc+0x66/0x80
[   73.972228][ T5094]  kmem_cache_alloc_noprof+0x135/0x2a0
[   73.977689][ T5094]  skb_clone+0x20c/0x390
[   73.981941][ T5094]  hci_cmd_work+0x29e/0x670
[   73.986535][ T5094]  process_scheduled_works+0xa2c/0x1830
[   73.992168][ T5094]  worker_thread+0x86d/0xd70
[   73.996762][ T5094]  kthread+0x2f0/0x390
[   74.000851][ T5094]  ret_from_fork+0x4b/0x80
[   74.005274][ T5094]  ret_from_fork_asm+0x1a/0x30
[   74.010044][ T5094]
[   74.012362][ T5094] Freed by task 5103:
[   74.016344][ T5094]  kasan_save_track+0x3f/0x80
[   74.021042][ T5094]  kasan_save_free_info+0x40/0x50
[   74.026067][ T5094]  poison_slab_object+0xe0/0x150
[   74.031015][ T5094]  __kasan_slab_free+0x37/0x60
[   74.035785][ T5094]  kmem_cache_free+0x145/0x350
[   74.040547][ T5094]  hci_req_sync_complete+0xe7/0x290
[   74.045742][ T5094]  hci_event_packet+0xc71/0x1540
[   74.050686][ T5094]  hci_rx_work+0x3e8/0xca0
[   74.055111][ T5094]  process_scheduled_works+0xa2c/0x1830
[   74.060664][ T5094]  worker_thread+0x86d/0xd70
[   74.065256][ T5094]  kthread+0x2f0/0x390
[   74.069326][ T5094]  ret_from_fork+0x4b/0x80
[   74.073759][ T5094]  ret_from_fork_asm+0x1a/0x30
[   74.078635][ T5094]
[   74.080963][ T5094] The buggy address belongs to the object at ffff888068fa8280
[   74.080963][ T5094]  which belongs to the cache skbuff_head_cache of size 240
[   74.095626][ T5094] The buggy address is located 228 bytes inside of
[   74.095626][ T5094]  freed 240-byte region [ffff888068fa8280, ffff888068fa8370)
[   74.109421][ T5094]
[   74.111742][ T5094] The buggy address belongs to the physical page:
[   74.118156][ T5094] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x68fa8
[   74.126913][ T5094] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   74.134067][ T5094] page_type: 0xffffefff(slab)
[   74.138779][ T5094] raw: 00fff00000000000 ffff888018ae0780 dead000000000122 0000000000000000
[   74.147375][ T5094] raw: 0000000000000000 00000000800c000c 00000001ffffefff 0000000000000000
[   74.156055][ T5094] page dumped because: kasan: bad access detected
[   74.162577][ T5094] page_owner tracks the page as allocated
[   74.168295][ T5094] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 53, tgid 53 (kworker/u9:0), ts 73631083951, free_ts 24952886801
[   74.187353][ T5094]  post_alloc_hook+0x1f3/0x230
[   74.192138][ T5094]  get_page_from_freelist+0x2e2d/0x2ee0
[   74.197689][ T5094]  __alloc_pages_noprof+0x256/0x6c0
[   74.202893][ T5094]  alloc_slab_page+0x5f/0x120
[   74.207580][ T5094]  allocate_slab+0x5a/0x2e0
[   74.212091][ T5094]  ___slab_alloc+0xcd1/0x14b0
[   74.216773][ T5094]  __slab_alloc+0x58/0xa0
[   74.221105][ T5094]  kmem_cache_alloc_noprof+0x1c1/0x2a0
[   74.226567][ T5094]  skb_clone+0x20c/0x390
[   74.230832][ T5094]  hci_event_packet+0x49c/0x1540
[   74.235778][ T5094]  hci_rx_work+0x3e8/0xca0
[   74.240206][ T5094]  process_scheduled_works+0xa2c/0x1830
[   74.245853][ T5094]  worker_thread+0x86d/0xd70
[   74.250444][ T5094]  kthread+0x2f0/0x390
[   74.254518][ T5094]  ret_from_fork+0x4b/0x80
[   74.258943][ T5094]  ret_from_fork_asm+0x1a/0x30
[   74.263716][ T5094] page last free pid 1 tgid 1 stack trace:
[   74.269515][ T5094]  free_unref_page+0xd22/0xea0
[   74.274287][ T5094]  free_contig_range+0x9e/0x160
[   74.279227][ T5094]  destroy_args+0x8a/0x890
[   74.283673][ T5094]  debug_vm_pgtable+0x4be/0x550
[   74.288553][ T5094]  do_one_initcall+0x248/0x880
[   74.293338][ T5094]  do_initcall_level+0x157/0x210
[   74.298305][ T5094]  do_initcalls+0x3f/0x80
[   74.302663][ T5094]  kernel_init_freeable+0x435/0x5d0
[   74.307882][ T5094]  kernel_init+0x1d/0x2b0
[   74.312232][ T5094]  ret_from_fork+0x4b/0x80
[   74.316658][ T5094]  ret_from_fork_asm+0x1a/0x30
[   74.321436][ T5094]
[   74.323765][ T5094] Memory state around the buggy address:
[   74.330261][ T5094]  ffff888068fa8200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   74.338319][ T5094]  ffff888068fa8280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.346377][ T5094] >ffff888068fa8300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   74.354433][ T5094]                                                        ^
[   74.361647][ T5094]  ffff888068fa8380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   74.369708][ T5094]  ffff888068fa8400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.377764][ T5094] ==================================================================
[   74.387120][ T5094] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   74.394352][ T5094] CPU: 1 PID: 5094 Comm: syz-executor Not tainted 6.10.0-rc2-syzkaller-00824-gfd8db07705c5 #0
[   74.404625][ T5094] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   74.414718][ T5094] Call Trace:
[   74.418025][ T5094]  <TASK>
[   74.420985][ T5094]  dump_stack_lvl+0x241/0x360
[   74.425708][ T5094]  ? __pfx_dump_stack_lvl+0x10/0x10
[   74.430945][ T5094]  ? __pfx__printk+0x10/0x10
[   74.435562][ T5094]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   74.441575][ T5094]  ? vscnprintf+0x5d/0x90
[   74.445943][ T5094]  panic+0x349/0x860
[   74.449958][ T5094]  ? check_panic_on_warn+0x21/0xb0
[   74.455109][ T5094]  ? __pfx_panic+0x10/0x10
[   74.459563][ T5094]  ? _raw_spin_unlock_irqrestore+0x130/0x140
[   74.465578][ T5094]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   74.471943][ T5094]  check_panic_on_warn+0x86/0xb0
[   74.476922][ T5094]  ? kfree_skb_reason+0x41/0x3b0
[   74.481909][ T5094]  end_report+0x77/0x160
[   74.486215][ T5094]  kasan_report+0x154/0x180
[   74.490776][ T5094]  ? kfree_skb_reason+0x41/0x3b0
[   74.495794][ T5094]  kasan_check_range+0x282/0x290
[   74.500780][ T5094]  kfree_skb_reason+0x41/0x3b0
[   74.505595][ T5094]  __hci_req_sync+0x62f/0x950
[   74.510310][ T5094]  ? __pfx___hci_req_sync+0x10/0x10
[   74.515552][ T5094]  ? __pfx___mutex_lock+0x10/0x10
[   74.520720][ T5094]  ? __pfx_autoremove_wake_function+0x10/0x10
[   74.526972][ T5094]  ? __pfx_hci_scan_req+0x10/0x10
[   74.532022][ T5094]  hci_req_sync+0xa9/0xd0
[   74.536361][ T5094]  hci_dev_cmd+0x4c5/0xa50
[   74.540805][ T5094]  ? security_capable+0x90/0xb0
[   74.545660][ T5094]  ? __pfx_hci_dev_cmd+0x10/0x10
[   74.550604][ T5094]  ? hci_sock_ioctl+0x6c4/0xa40
[   74.555482][ T5094]  sock_do_ioctl+0x158/0x460
[   74.560096][ T5094]  ? __pfx_sock_do_ioctl+0x10/0x10
[   74.565309][ T5094]  sock_ioctl+0x629/0x8e0
[   74.569655][ T5094]  ? __pfx_sock_ioctl+0x10/0x10
[   74.574516][ T5094]  ? __fget_files+0x29/0x470
[   74.579118][ T5094]  ? __fget_files+0x3f6/0x470
[   74.583804][ T5094]  ? __fget_files+0x29/0x470
[   74.588493][ T5094]  ? bpf_lsm_file_ioctl+0x9/0x10
[   74.593697][ T5094]  ? security_file_ioctl+0x87/0xb0
[   74.598820][ T5094]  ? __pfx_sock_ioctl+0x10/0x10
[   74.603706][ T5094]  __se_sys_ioctl+0xfc/0x170
[   74.608426][ T5094]  do_syscall_64+0xf3/0x230
[   74.613223][ T5094]  ? clear_bhb_loop+0x35/0x90
[   74.618088][ T5094]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   74.623990][ T5094] RIP: 0033:0x7f4a117757db
[   74.628412][ T5094] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[   74.648038][ T5094] RSP: 002b:00007ffefd21a9c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   74.656658][ T5094] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f4a117757db
[   74.664636][ T5094] RDX: 00007ffefd21aa38 RSI: 00000000400448dd RDI: 0000000000000003
[   74.672648][ T5094] RBP: 000055557e35d4a8 R08: 0000000000000000 R09: 0000000000000000
[   74.680626][ T5094] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000002
[   74.688618][ T5094] R13: 0000000000000002 R14: 0000000000000009 R15: 0000000000000009
[   74.696598][ T5094]  </TASK>
[   74.699989][ T5094] Kernel Offset: disabled
[   74.704310][ T5094] Rebooting in 86400 seconds..
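Reading the KASAN report above mechanically. The Python below is an added example, not code from syzkaller or the kernel: it parses an excerpt of this report (embedded verbatim, dmesg prefixes dropped), checks the stated offset against the object bounds, looks up the shadow byte for the faulting address using generic KASAN's 8-byte granule layout and the encoding from mm/kasan/kasan.h, and picks the first frame of the use, allocation and free stacks that is not KASAN or allocator bookkeeping. The NOISE frame filter and the "three distinct tasks means the use races the free" heuristic are my own triage conventions, not anything the report states.

```python
"""Triage a generic-KASAN slab report: offset, shadow byte, and the three
interesting frames. Added example; not syzkaller or kernel code."""
import re

# Excerpt of the crash report above, dmesg prefixes removed.
REPORT = """\
BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x41/0x3b0
Read of size 4 at addr ffff888068fa8364 by task syz-executor/5094
Call Trace:
 <TASK>
 dump_stack_lvl+0x241/0x360
 ? __pfx_dump_stack_lvl+0x10/0x10
 print_report+0x169/0x550
 ? kfree_skb_reason+0x41/0x3b0
 kasan_report+0x143/0x180
 kasan_check_range+0x282/0x290
 kfree_skb_reason+0x41/0x3b0
 __hci_req_sync+0x62f/0x950
 hci_req_sync+0xa9/0xd0
 hci_dev_cmd+0x4c5/0xa50
 </TASK>
RIP: 0033:0x7f4a117757db
Allocated by task 53:
 kasan_save_track+0x3f/0x80
 __kasan_slab_alloc+0x66/0x80
 kmem_cache_alloc_noprof+0x135/0x2a0
 skb_clone+0x20c/0x390
 hci_cmd_work+0x29e/0x670
Freed by task 5103:
 kasan_save_track+0x3f/0x80
 kasan_save_free_info+0x40/0x50
 poison_slab_object+0xe0/0x150
 __kasan_slab_free+0x37/0x60
 kmem_cache_free+0x145/0x350
 hci_req_sync_complete+0xe7/0x290
 hci_event_packet+0xc71/0x1540
The buggy address belongs to the object at ffff888068fa8280
 which belongs to the cache skbuff_head_cache of size 240
The buggy address is located 228 bytes inside of
 freed 240-byte region [ffff888068fa8280, ffff888068fa8370)
Memory state around the buggy address:
 ffff888068fa8200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
 ffff888068fa8280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888068fa8300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
                                                       ^
 ffff888068fa8380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
"""

GRANULE = 8          # bytes of memory described by one shadow byte (generic KASAN)
ROW = 16 * GRANULE   # one "Memory state" row shows 16 shadow bytes = 128 bytes
# Shadow-byte meanings from mm/kasan/kasan.h; 0x01..0x07 = first N bytes addressable.
SHADOW = {0x00: "addressable", 0xfa: "freed slab object (first granule, free track)",
          0xfb: "freed slab object", 0xfc: "slab redzone",
          0xfe: "page redzone", 0xff: "freed page"}
# Frames belonging to KASAN or the allocator rather than the subsystem under test
# (my own filter list, extend as needed).
NOISE = re.compile(r"^(dump_stack|print_report|kasan_|__kasan_|poison_slab_object|"
                   r"kmem_cache_|__kmalloc|kmalloc|__slab_|___slab_)")
DMESG_PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\] ?")
FRAME = re.compile(r"^\s*(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")


def frames(lines, start):
    """Frames after lines[start] up to the first non-frame line; '?' entries are
    unwinder guesses and are dropped, <TASK> markers are skipped."""
    out = []
    for line in lines[start + 1:]:
        if line.strip().startswith("<"):
            continue
        m = FRAME.match(line)
        if not m:
            break
        if not m.group(1):
            out.append(m.group(2))
    return out


def parse(text):
    lines = [DMESG_PREFIX.sub("", l) for l in text.splitlines()]
    r = {"shadow": {}}
    for i, line in enumerate(lines):
        if m := re.match(r"BUG: KASAN: (\S+) in (\w+)\+0x", line):
            r["bug"], r["in"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (.+)/(\d+)$", line):
            r["access"], r["size"], r["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
            r["use_task"] = int(m.group(5))
        elif line.startswith("Call Trace:") and "use_stack" not in r:   # first trace only
            r["use_stack"] = frames(lines, i)
        elif m := re.match(r"Allocated by task (\d+):", line):
            r["alloc_task"], r["alloc_stack"] = int(m.group(1)), frames(lines, i)
        elif m := re.match(r"Freed by task (\d+):", line):
            r["free_task"], r["free_stack"] = int(m.group(1)), frames(lines, i)
        elif m := re.search(r"belongs to the object at ([0-9a-f]+)", line):
            r["obj"] = int(m.group(1), 16)
        elif m := re.search(r"cache (\S+) of size (\d+)", line):
            r["cache"], r["obj_size"] = m.group(1), int(m.group(2))
        elif m := re.search(r"located (\d+) bytes inside of", line):
            r["reported_off"] = int(m.group(1))
        elif m := re.match(r"\s*>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})\s*$", line):
            r["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return r


def shadow_byte(r, addr):
    """Shadow byte for addr from the dumped rows: row base, then granule index."""
    row = addr - addr % ROW
    return r["shadow"][row][(addr - row) // GRANULE]


def interesting(stack):
    """First non-bookkeeping frame and its caller."""
    sub = [f for f in stack if not NOISE.match(f)]
    return sub[0], sub[1]


def triage(text):
    r = parse(text)
    off, sb = r["addr"] - r["obj"], shadow_byte(r, r["addr"])
    tasks = (r["alloc_task"], r["free_task"], r["use_task"])
    return {"bug": r["bug"], "cache": r["cache"], "access": f'{r["access"]} of {r["size"]}',
            "offset": off, "inside_object": 0 <= off < r["obj_size"],
            "offset_matches_report": off == r.get("reported_off"),
            "shadow": sb, "shadow_meaning": SHADOW.get(sb, "other/partial"),
            "use": interesting(r["use_stack"]), "alloc": interesting(r["alloc_stack"]),
            "free": interesting(r["free_stack"]), "tasks": tasks,
            # alloc, free and use on three different tasks: the use is racing
            # the free, not following it in one call chain.
            "cross_task": len(set(tasks)) == 3}


if __name__ == "__main__":
    for k, v in triage(REPORT).items():
        print(f"{k:>22}: {v}")
```

On this log the script reports a 4-byte read at offset 228 of a freed 240-byte skbuff_head_cache object (shadow 0xfb), used by kfree_skb_reason called from __hci_req_sync, allocated by skb_clone from hci_cmd_work and freed by hci_req_sync_complete from hci_event_packet, by three different tasks (53, 5103, 5094). Two things follow directly from that: the use site is itself a free, so the synchronous request path and the event-completion path each believe they own the same cloned command skb; and the three distinct tasks mean the second free is racing the first across workqueue and ioctl contexts rather than occurring later in the same call chain, which is why the report shows up as a use-after-free read of the reference count rather than a clean double-free.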