last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.1.203' (ED25519) to the list of known hosts.
1970/01/01 00:00:29 fuzzer started
1970/01/01 00:00:29 dialing manager at 10.128.0.169:30028
[ 29.934287][ T6242] cgroup: Unknown subsys name 'net'
[ 30.030905][ T6250] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k SS
[ 30.211082][ T6242] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:00:30 starting 5 executor processes
[ 31.130553][ T6266] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 31.134500][ T6266] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 31.137105][ T6266] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 31.139440][ T6266] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 31.141582][ T6266] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 31.143472][ T6266] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 31.183566][ T5818] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 31.186128][ T5818] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 31.188481][ T5818] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 31.190763][ T5818] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 31.192894][ T5818] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 31.194907][ T5818] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 31.200452][ T6276] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 31.202971][ T6276] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 31.205077][ T6276] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 31.220681][ T51] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 31.223280][ T51] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 31.225218][ T51] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 31.228358][ T51] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 31.230398][ T51] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 31.231707][ T6266] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 31.233665][ T6282] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 31.239056][ T6283] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 31.239197][ T6284] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 31.243014][ T6283] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 31.246628][ T6283] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 31.248923][ T6283] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 31.250913][ T6284] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 31.252881][ T6284] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 31.254914][ T6284] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 31.260007][ T6270] ==================================================================
[ 31.262106][ T6270] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x40/0x28c
[ 31.264174][ T6270] Read of size 8 at addr ffff0000ed18d198 by task syz-executor.1/6270
[ 31.266348][ T6270]
[ 31.266939][ T6270] CPU: 0 PID: 6270 Comm: syz-executor.1 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0
[ 31.269514][ T6270] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 31.272137][ T6270] Call trace:
[ 31.273008][ T6270]  dump_backtrace+0x1b8/0x1e4
[ 31.274251][ T6270]  show_stack+0x2c/0x3c
[ 31.275331][ T6270]  dump_stack_lvl+0xe4/0x150
[ 31.276528][ T6270]  print_report+0x198/0x538
[ 31.277681][ T6270]  kasan_report+0xd8/0x138
[ 31.278822][ T6270]  __asan_report_load8_noabort+0x20/0x2c
[ 31.280292][ T6270]  skb_release_head_state+0x40/0x28c
[ 31.281621][ T6270]  kfree_skb_reason+0x190/0x4a8
[ 31.282899][ T6270]  __hci_req_sync+0x4fc/0x7ac
[ 31.284132][ T6270]  hci_req_sync+0xa0/0xcc
[ 31.285259][ T6270]  hci_dev_cmd+0x330/0x90c
[ 31.286387][ T6270]  hci_sock_ioctl+0x4b8/0x82c
[ 31.287599][ T6270]  sock_do_ioctl+0x134/0x2d0
[ 31.288791][ T6270]  sock_ioctl+0x4ec/0x838
[ 31.289844][ T6270]  __arm64_sys_ioctl+0x14c/0x1c8
[ 31.291161][ T6270]  invoke_syscall+0x98/0x2b8
[ 31.292371][ T6270]  el0_svc_common+0x130/0x23c
[ 31.293543][ T6270]  do_el0_svc+0x48/0x58
[ 31.294612][ T6270]  el0_svc+0x54/0x168
[ 31.295612][ T6270]  el0t_64_sync_handler+0x84/0xfc
[ 31.296876][ T6270]  el0t_64_sync+0x190/0x194
[ 31.298031][ T6270]
[ 31.298595][ T6270] Allocated by task 6276:
[ 31.299680][ T6270]  kasan_save_track+0x40/0x78
[ 31.300875][ T6270]  kasan_save_alloc_info+0x40/0x50
[ 31.302197][ T6270]  __kasan_slab_alloc+0x74/0x8c
[ 31.303406][ T6270]  kmem_cache_alloc+0x1dc/0x3c0
[ 31.304625][ T6270]  skb_clone+0x1c8/0x330
[ 31.305723][ T6270]  hci_cmd_work+0x174/0x568
[ 31.306919][ T6270]  process_one_work+0x7b8/0x15d4
[ 31.308237][ T6270]  worker_thread+0x938/0xef4
[ 31.309407][ T6270]  kthread+0x288/0x310
[ 31.310449][ T6270]  ret_from_fork+0x10/0x20
[ 31.311564][ T6270]
[ 31.312153][ T6270] Freed by task 6278:
[ 31.313147][ T6270]  kasan_save_track+0x40/0x78
[ 31.314378][ T6270]  kasan_save_free_info+0x54/0x6c
[ 31.315610][ T6270]  poison_slab_object+0x124/0x18c
[ 31.316902][ T6270]  __kasan_slab_free+0x3c/0x70
[ 31.318091][ T6270]  kmem_cache_free+0x168/0x3f0
[ 31.319325][ T6270]  kfree_skbmem+0x15c/0x1ec
[ 31.320537][ T6270]  kfree_skb_reason+0x1cc/0x4a8
[ 31.321784][ T6270]  hci_req_sync_complete+0xcc/0x258
[ 31.323109][ T6270]  hci_event_packet+0xbd0/0x1098
[ 31.324436][ T6270]  hci_rx_work+0x318/0xa78
[ 31.325557][ T6270]  process_one_work+0x7b8/0x15d4
[ 31.326830][ T6270]  worker_thread+0x938/0xef4
[ 31.328063][ T6270]  kthread+0x288/0x310
[ 31.329010][ T6270]  ret_from_fork+0x10/0x20
[ 31.330156][ T6270]
[ 31.330755][ T6270] The buggy address belongs to the object at ffff0000ed18d140
[ 31.330755][ T6270]  which belongs to the cache skbuff_head_cache of size 240
[ 31.334500][ T6270] The buggy address is located 88 bytes inside of
[ 31.334500][ T6270]  freed 240-byte region [ffff0000ed18d140, ffff0000ed18d230)
[ 31.338017][ T6270]
[ 31.338622][ T6270] The buggy address belongs to the physical page:
[ 31.340307][ T6270] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12d18d
[ 31.342598][ T6270] flags: 0x5ffc00000000800(slab|node=0|zone=2|lastcpupid=0x7ff)
[ 31.344634][ T6270] page_type: 0xffffffff()
[ 31.345738][ T6270] raw: 05ffc00000000800 ffff0000c1bbd780 dead000000000122 0000000000000000
[ 31.348016][ T6270] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 31.350226][ T6270] page dumped because: kasan: bad access detected
[ 31.351861][ T6270]
[ 31.352459][ T6270] Memory state around the buggy address:
[ 31.353871][ T6270]  ffff0000ed18d080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 31.355973][ T6270]  ffff0000ed18d100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 31.358078][ T6270] >ffff0000ed18d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.360180][ T6270]                             ^
[ 31.361424][ T6270]  ffff0000ed18d200: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 31.363517][ T6270]  ffff0000ed18d280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.365650][ T6270] ==================================================================
1970/01/01 00:00:31 SYZFATAL: failed to recv *flatrpc.HostMessageRaw: EOF
[ 31.409238][ T6270] Disabling lock debugging due to kernel taint