last executing test programs:

kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.150' (ED25519) to the list of known hosts.
1970/01/01 00:00:32 fuzzer started
1970/01/01 00:00:32 dialing manager at 10.128.0.163:30026
[ 33.174191][ T4233] cgroup: Unknown subsys name 'net'
[ 33.331714][ T4235] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SSFS
[ 33.378584][ T4233] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:00:33 starting 5 executor processes
[ 34.235165][ T4259] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 34.238107][ T4259] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 34.252998][ T4260] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 34.255639][ T4260] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 34.258283][ T4265] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 34.261114][ T4265] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 34.263139][ T4265] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 34.266738][ T4261] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 34.269366][ T4261] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 34.269891][ T4266] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 34.274213][ T4261] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 34.275085][ T4266] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 34.278841][ T4261] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 34.279002][ T4266] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 34.282596][ T4261] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 34.285351][ T4261] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 34.285920][ T4266] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 34.288148][ T4261] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 34.289442][ T4266] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 34.291291][ T4265] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 34.294562][ T4266] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 34.297268][ T4261] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 34.298538][ T4266] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 34.301924][ T4256] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 34.302102][ T4268] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 34.315412][ T4254] ==================================================================
[ 34.317589][ T4254] BUG: KASAN: use-after-free in skb_release_head_state+0xb4/0x28c
[ 34.319696][ T4254] Read of size 8 at addr ffff0000ee7b02e0 by task syz-executor.4/4254
[ 34.321908][ T4254]
[ 34.322514][ T4254] CPU: 0 PID: 4254 Comm: syz-executor.4 Not tainted 6.1.92-syzkaller #0
[ 34.324784][ T4254] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 34.327506][ T4254] Call trace:
[ 34.328410][ T4254]  dump_backtrace+0x1c8/0x1f4
[ 34.329656][ T4254]  show_stack+0x2c/0x3c
[ 34.330829][ T4254]  dump_stack_lvl+0x108/0x170
[ 34.332022][ T4254]  print_report+0x174/0x4c0
[ 34.333279][ T4254]  kasan_report+0xd4/0x130
[ 34.334496][ T4254]  __asan_report_load8_noabort+0x2c/0x38
[ 34.335995][ T4254]  skb_release_head_state+0xb4/0x28c
[ 34.337442][ T4254]  kfree_skb_reason+0x178/0x47c
[ 34.338869][ T4254]  __hci_req_sync+0x4fc/0x7ac
[ 34.340157][ T4254]  hci_req_sync+0xa4/0xd0
[ 34.341318][ T4254]  hci_dev_cmd+0x330/0x90c
[ 34.342300][ T4271] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 34.342511][ T4254]  hci_sock_ioctl+0x4b8/0x82c
[ 34.345763][ T4254]  sock_do_ioctl+0x134/0x2dc
[ 34.346941][ T4254]  sock_ioctl+0x4ec/0x858
[ 34.348165][ T4254]  __arm64_sys_ioctl+0x14c/0x1c8
[ 34.349519][ T4254]  invoke_syscall+0x98/0x2c0
[ 34.350817][ T4254]  el0_svc_common+0x138/0x258
[ 34.352007][ T4254]  do_el0_svc+0x64/0x218
[ 34.353143][ T4254]  el0_svc+0x58/0x168
[ 34.354205][ T4254]  el0t_64_sync_handler+0x84/0xf0
[ 34.355603][ T4254]  el0t_64_sync+0x18c/0x190
[ 34.356827][ T4254]
[ 34.357446][ T4254] Allocated by task 4268:
[ 34.358627][ T4254]  kasan_set_track+0x4c/0x80
[ 34.359876][ T4254]  kasan_save_alloc_info+0x24/0x30
[ 34.361269][ T4254]  __kasan_slab_alloc+0x74/0x8c
[ 34.362560][ T4254]  slab_post_alloc_hook+0x74/0x458
[ 34.363953][ T4254]  kmem_cache_alloc+0x230/0x37c
[ 34.365229][ T4254]  skb_clone+0x19c/0x304
[ 34.366396][ T4254]  hci_cmd_work+0x174/0x568
[ 34.367625][ T4254]  process_one_work+0x7ac/0x1404
[ 34.369020][ T4254]  worker_thread+0x8e4/0xfec
[ 34.370259][ T4254]  kthread+0x250/0x2d8
[ 34.371213][ T4254]  ret_from_fork+0x10/0x20
[ 34.372223][ T4254]
[ 34.372751][ T4254] Freed by task 4271:
[ 34.373666][ T4254]  kasan_set_track+0x4c/0x80
[ 34.374740][ T4254]  kasan_save_free_info+0x38/0x5c
[ 34.375298][ T4260] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 34.375944][ T4254]  ____kasan_slab_free+0x144/0x1c0
[ 34.378682][ T4260] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 34.379248][ T4254]  __kasan_slab_free+0x18/0x28
[ 34.381592][ T4260] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 34.382353][ T4254]  kmem_cache_free+0x2f0/0x588
[ 34.382370][ T4254]  kfree_skbmem+0x10c/0x19c
[ 34.382381][ T4254]  kfree_skb_reason+0x1ac/0x47c
[ 34.382390][ T4254]  hci_req_sync_complete+0xcc/0x258
[ 34.382401][ T4254]  hci_event_packet+0xbd4/0x109c
[ 34.382412][ T4254]  hci_rx_work+0x318/0xa68
[ 34.382420][ T4254]  process_one_work+0x7ac/0x1404
[ 34.386738][ T4260] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 34.388108][ T4254]  worker_thread+0x8e4/0xfec
[ 34.396742][ T4254]  kthread+0x250/0x2d8
[ 34.397856][ T4254]  ret_from_fork+0x10/0x20
[ 34.399139][ T4254]
[ 34.399775][ T4254] The buggy address belongs to the object at ffff0000ee7b0280
[ 34.399775][ T4254]  which belongs to the cache skbuff_head_cache of size 240
[ 34.403889][ T4254] The buggy address is located 96 bytes inside of
[ 34.403889][ T4254]  240-byte region [ffff0000ee7b0280, ffff0000ee7b0370)
[ 34.407639][ T4254]
[ 34.408282][ T4254] The buggy address belongs to the physical page:
[ 34.410123][ T4254] page:000000000c705fe1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12e7b0
[ 34.413041][ T4254] flags: 0x5ffc00000000200(slab|node=0|zone=2|lastcpupid=0x7ff)
[ 34.415130][ T4254] raw: 05ffc00000000200 0000000000000000 dead000000000122 ffff0000c0b72480
[ 34.417476][ T4254] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 34.419892][ T4254] page dumped because: kasan: bad access detected
[ 34.421691][ T4254]
[ 34.422332][ T4254] Memory state around the buggy address:
[ 34.423919][ T4254]  ffff0000ee7b0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.426155][ T4254]  ffff0000ee7b0200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 34.428420][ T4254] >ffff0000ee7b0280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.430570][ T4254]                                                        ^
[ 34.432564][ T4254]  ffff0000ee7b0300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 34.434977][ T4254]  ffff0000ee7b0380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 34.437271][ T4254] ==================================================================
1970/01/01 00:00:34 SYZFATAL: failed to recv *flatrpc.HostMessageRaw: EOF
[ 34.445957][ T4254] Disabling lock debugging due to kernel taint
[ 34.571711][ T4255] chnl_net:caif_netlink_parms(): no params data found
[ 34.597221][ T4255] bridge0: port 1(bridge_slave_0) entered blocking state
[ 34.599191][ T4255] bridge0: port 1(bridge_slave_0) entered disabled state
[ 34.601598][ T4255] device bridge_slave_0 entered promiscuous mode
[ 34.606594][ T4255] bridge0: port 2(bridge_slave_1) entered blocking state
[ 34.608659][ T4255] bridge0: port 2(bridge_slave_1) entered disabled state
[ 34.611152][ T4255] device bridge_slave_1 entered promiscuous mode
[ 34.626778][ T4255] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 34.634982][ T4255] bond0: (slave bond_slave_1): Enslaving as an active int