last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.25' (ED25519) to the list of known hosts.
syzkaller login: [ 66.699788][ T5072] cgroup: Unknown subsys name 'net'
[ 66.869775][ T5072] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 68.563007][ T5072] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 69.321523][ T5084] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 69.346822][ T5088] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 69.354591][ T5088] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 69.367253][ T5088] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 69.376365][ T5088] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 69.384872][ T5092] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 69.393910][ T5092] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 69.402723][ T5092] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 69.404999][ T5095] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 69.411349][ T5092] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 69.426087][ T5095] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 69.426134][ T5092] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 69.434115][ T5097] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 69.443116][ T5092] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 69.448044][ T5095] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 69.456231][ T5092] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 69.462715][ T5097] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 69.477311][ T5095] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 69.478716][ T5092] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 69.485771][ T5097] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 69.492199][ T5092] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 69.506143][ T4478] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 69.507034][ T5092] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 69.521274][ T4478] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 69.535328][ T5095] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 69.540302][ T4478] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 69.543364][ T5095] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 69.550616][ T4478] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 69.557104][ T5095] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 69.564401][ T4478] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 69.591628][ T5086] ==================================================================
[ 69.599937][ T5086] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x41/0x3b0
[ 69.607893][ T5086] Read of size 4 at addr ffff888066d944a4 by task syz-executor/5086
[ 69.615904][ T5086]
[ 69.618278][ T5086] CPU: 0 PID: 5086 Comm: syz-executor Not tainted 6.10.0-rc6-syzkaller-00061-ge9d22f7a6655 #0
[ 69.628559][ T5086] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 69.638659][ T5086] Call Trace:
[ 69.641967][ T5086] <TASK>
[ 69.644941][ T5086] dump_stack_lvl+0x241/0x360
[ 69.649673][ T5086] ? __pfx_dump_stack_lvl+0x10/0x10
[ 69.654925][ T5086] ? __pfx__printk+0x10/0x10
[ 69.659569][ T5086] ? _printk+0xd5/0x120
[ 69.663834][ T5086] ? __virt_addr_valid+0x183/0x520
[ 69.668972][ T5086] ? __virt_addr_valid+0x183/0x520
[ 69.674098][ T5086] print_report+0x169/0x550
[ 69.678609][ T5086] ? __virt_addr_valid+0x183/0x520
[ 69.683820][ T5086] ? __virt_addr_valid+0x183/0x520
[ 69.688948][ T5086] ? __virt_addr_valid+0x44e/0x520
[ 69.694073][ T5086] ? __phys_addr+0xba/0x170
[ 69.698608][ T5086] ? kfree_skb_reason+0x41/0x3b0
[ 69.703556][ T5086] kasan_report+0x143/0x180
[ 69.708066][ T5086] ? kfree_skb_reason+0x41/0x3b0
[ 69.713107][ T5086] kasan_check_range+0x282/0x290
[ 69.718055][ T5086] kfree_skb_reason+0x41/0x3b0
[ 69.722830][ T5086] __hci_req_sync+0x62f/0x950
[ 69.727547][ T5086] ? __pfx___hci_req_sync+0x10/0x10
[ 69.732777][ T5086] ? __pfx___mutex_lock+0x10/0x10
[ 69.737853][ T5086] ? __pfx_autoremove_wake_function+0x10/0x10
[ 69.743957][ T5086] ? __pfx_hci_scan_req+0x10/0x10
[ 69.749006][ T5086] hci_req_sync+0xa9/0xd0
[ 69.753358][ T5086] hci_dev_cmd+0x4c5/0xa50
[ 69.757784][ T5086] ? security_capable+0x90/0xb0
[ 69.762801][ T5086] ? __pfx_hci_dev_cmd+0x10/0x10
[ 69.767886][ T5086] ? hci_sock_ioctl+0x6c4/0xa40
[ 69.772925][ T5086] sock_do_ioctl+0x158/0x460
[ 69.777549][ T5086] ? __pfx_smack_log+0x10/0x10
[ 69.782418][ T5086] ? __pfx_sock_do_ioctl+0x10/0x10
[ 69.788154][ T5086] ? smk_tskacc+0x300/0x370
[ 69.792768][ T5086] ? smack_file_ioctl+0x2a1/0x3a0
[ 69.797812][ T5086] sock_ioctl+0x629/0x8e0
[ 69.802165][ T5086] ? __pfx_sock_ioctl+0x10/0x10
[ 69.807060][ T5086] ? __fget_files+0x3f6/0x470
[ 69.811754][ T5086] ? __fget_files+0x29/0x470
[ 69.816371][ T5086] ? bpf_lsm_file_ioctl+0x9/0x10
[ 69.821336][ T5086] ? security_file_ioctl+0x87/0xb0
[ 69.826457][ T5086] ? __pfx_sock_ioctl+0x10/0x10
[ 69.831324][ T5086] __se_sys_ioctl+0xfc/0x170
[ 69.836021][ T5086] do_syscall_64+0xf3/0x230
[ 69.840548][ T5086] ? clear_bhb_loop+0x35/0x90
[ 69.845365][ T5086] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.851302][ T5086] RIP: 0033:0x7fc45cd75b1b
[ 69.855737][ T5086] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 69.875532][ T5086] RSP: 002b:00007ffc80b7cb10 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 69.883962][ T5086] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc45cd75b1b
[ 69.891971][ T5086] RDX: 00007ffc80b7cb88 RSI: 00000000400448dd RDI: 0000000000000003
[ 69.899949][ T5086] RBP: 00005555662ed4a8 R08: 0000000000000000 R09: 0000000000000000
[ 69.907922][ T5086] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000002
[ 69.915898][ T5086] R13: 0000000000000002 R14: 0000000000000009 R15: 0000000000000009
[ 69.923883][ T5086] </TASK>
[ 69.926903][ T5086]
[ 69.929316][ T5086] Allocated by task 5088:
[ 69.933641][ T5086] kasan_save_track+0x3f/0x80
[ 69.938331][ T5086] __kasan_slab_alloc+0x66/0x80
[ 69.943194][ T5086] kmem_cache_alloc_noprof+0x135/0x2a0
[ 69.948715][ T5086] skb_clone+0x20c/0x390
[ 69.952970][ T5086] hci_cmd_work+0x29e/0x670
[ 69.957503][ T5086] process_scheduled_works+0xa2c/0x1830
[ 69.963061][ T5086] worker_thread+0x86d/0xd50
[ 69.967679][ T5086] kthread+0x2f0/0x390
[ 69.971771][ T5086] ret_from_fork+0x4b/0x80
[ 69.976217][ T5086] ret_from_fork_asm+0x1a/0x30
[ 69.980995][ T5086]
[ 69.983329][ T5086] Freed by task 4478:
[ 69.987308][ T5086] kasan_save_track+0x3f/0x80
[ 69.992002][ T5086] kasan_save_free_info+0x40/0x50
[ 69.997039][ T5086] poison_slab_object+0xe0/0x150
[ 70.002005][ T5086] __kasan_slab_free+0x37/0x60
[ 70.006782][ T5086] kmem_cache_free+0x145/0x350
[ 70.011561][ T5086] hci_req_sync_complete+0xe7/0x290
[ 70.016785][ T5086] hci_event_packet+0xc71/0x1540
[ 70.021736][ T5086] hci_rx_work+0x3e8/0xca0
[ 70.026254][ T5086] process_scheduled_works+0xa2c/0x1830
[ 70.031829][ T5086] worker_thread+0x86d/0xd50
[ 70.036428][ T5086] kthread+0x2f0/0x390
[ 70.040528][ T5086] ret_from_fork+0x4b/0x80
[ 70.044964][ T5086] ret_from_fork_asm+0x1a/0x30
[ 70.049744][ T5086]
[ 70.052068][ T5086] The buggy address belongs to the object at ffff888066d943c0
[ 70.052068][ T5086] which belongs to the cache skbuff_head_cache of size 240
[ 70.066644][ T5086] The buggy address is located 228 bytes inside of
[ 70.066644][ T5086] freed 240-byte region [ffff888066d943c0, ffff888066d944b0)
[ 70.080444][ T5086]
[ 70.082773][ T5086] The buggy address belongs to the physical page:
[ 70.089201][ T5086] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66d94
[ 70.098057][ T5086] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 70.105261][ T5086] page_type: 0xffffefff(slab)
[ 70.109946][ T5086] raw: 00fff00000000000 ffff888018aa1000 dead000000000122 0000000000000000
[ 70.118561][ T5086] raw: 0000000000000000 00000000800c000c 00000001ffffefff 0000000000000000
[ 70.127154][ T5086] page dumped because: kasan: bad access detected
[ 70.133657][ T5086] page_owner tracks the page as allocated
[ 70.139383][ T5086] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5085, tgid 5085 (syz-executor), ts 69589411113, free_ts 25993557897
[ 70.158929][ T5086] post_alloc_hook+0x1f3/0x230
[ 70.163877][ T5086] get_page_from_freelist+0x2e4c/0x2f10
[ 70.169434][ T5086] __alloc_pages_noprof+0x256/0x6c0
[ 70.174637][ T5086] alloc_slab_page+0x5f/0x120
[ 70.179326][ T5086] allocate_slab+0x5a/0x2f0
[ 70.183848][ T5086] ___slab_alloc+0xcd1/0x14b0
[ 70.188582][ T5086] __slab_alloc+0x58/0xa0
[ 70.192923][ T5086] kmem_cache_alloc_node_noprof+0x1fe/0x320
[ 70.198823][ T5086] __alloc_skb+0x1c3/0x440
[ 70.203248][ T5086] create_monitor_ctrl_close+0xbe/0x830
[ 70.208810][ T5086] hci_sock_release+0xd0/0x4f0
[ 70.213592][ T5086] sock_close+0xbc/0x240
[ 70.217865][ T5086] __fput+0x24a/0x8a0
[ 70.221858][ T5086] __x64_sys_close+0x7f/0x110
[ 70.226550][ T5086] do_syscall_64+0xf3/0x230
[ 70.231348][ T5086] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.237255][ T5086] page last free pid 1 tgid 1 stack trace:
[ 70.243058][ T5086] free_unref_page+0xd19/0xea0
[ 70.247827][ T5086] free_contig_range+0x9e/0x160
[ 70.252702][ T5086] destroy_args+0x8a/0x890
[ 70.257572][ T5086] debug_vm_pgtable+0x4be/0x550
[ 70.262425][ T5086] do_one_initcall+0x248/0x880
[ 70.267196][ T5086] do_initcall_level+0x157/0x210
[ 70.272142][ T5086] do_initcalls+0x3f/0x80
[ 70.276481][ T5086] kernel_init_freeable+0x435/0x5d0
[ 70.281688][ T5086] kernel_init+0x1d/0x2b0
[ 70.286022][ T5086] ret_from_fork+0x4b/0x80
[ 70.290554][ T5086] ret_from_fork_asm+0x1a/0x30
[ 70.295334][ T5086]
[ 70.297668][ T5086] Memory state around the buggy address:
[ 70.303298][ T5086] ffff888066d94380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 70.311361][ T5086] ffff888066d94400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.319426][ T5086] >ffff888066d94480: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 70.327489][ T5086] ^
[ 70.332602][ T5086] ffff888066d94500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.340751][ T5086] ffff888066d94580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 70.348813][ T5086] ==================================================================
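Added worked example, not part of the syzkaller report above: a small decoder for the user-space register block and the KASAN addresses that the report prints. Every numeric value in it is copied from the report (ORIG_RAX/RDI/RSI/RDX, the faulting address, the object address and size, and the three "Memory state" rows around the object). Two things are assumed rather than quoted from the page: the ioctl request bit layout is the asm-generic one that x86-64 uses (nr in bits 7:0, type in 15:8, size in 29:16, direction in 31:30), and HCISETSCAN is _IOW('H', 221, int) as defined in include/net/bluetooth/hci_sock.h; the shadow-byte meanings (0xfa/0xfb freed object, 0xfc redzone) are generic KASAN's from mm/kasan/kasan.h.

```c
/* Added example, not part of the syzkaller report above: decode the user-space
 * register dump and the KASAN addresses the report prints.  All numeric values
 * are copied from the report; the ioctl bit layout is the asm-generic one that
 * x86-64 uses and the shadow-byte values are generic KASAN's (mm/kasan/kasan.h). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "RIP: 0033" register block: ORIG_RAX is the syscall number, RDI/RSI/RDX its args. */
#define REPORT_ORIG_RAX 0x10ULL                 /* 16 == __NR_ioctl on x86-64 */
#define REPORT_RDI      0x3ULL                  /* fd */
#define REPORT_RSI      0x400448ddULL           /* ioctl request */
#define REPORT_RDX      0x00007ffc80b7cb88ULL   /* argp */

/* "Read of size 4 at addr ..." and "object at ... skbuff_head_cache of size 240". */
#define REPORT_BAD_ADDR 0xffff888066d944a4ULL
#define REPORT_OBJ_ADDR 0xffff888066d943c0ULL
#define REPORT_OBJ_SIZE 240ULL

/* include/uapi/asm-generic/ioctl.h: nr bits 7:0, type 15:8, size 29:16, dir 31:30. */
struct ioc { unsigned dir, type, nr, size; };

static struct ioc ioc_decode(uint32_t req)
{
    struct ioc d;
    d.dir  = (req >> 30) & 0x3;
    d.size = (req >> 16) & 0x3fff;
    d.type = (req >> 8) & 0xff;
    d.nr   = req & 0xff;
    return d;
}

static uint32_t ioc_encode(unsigned dir, unsigned type, unsigned nr, unsigned size)
{
    return (dir << 30) | (size << 16) | (type << 8) | nr;
}

/* HCISETSCAN is _IOW('H', 221, int) in include/net/bluetooth/hci_sock.h; _IOC_WRITE is 1. */
static uint32_t hcisetscan(void)
{
    return ioc_encode(1, 'H', 221, sizeof(int));
}

/* Byte offset of the faulting access inside the freed slab object. */
static uint64_t uaf_offset(uint64_t bad, uint64_t obj)
{
    return bad - obj;
}

/* Generic KASAN: one shadow byte describes 8 bytes of memory. */
static const char *shadow_meaning(int v)
{
    if (v < 0) return "not covered by the quoted rows";
    if (v == 0x00) return "addressable";
    if (v < 0x08) return "partially addressable";
    switch (v) {
    case 0xfa: return "freed slab object (holds free-track metadata)";
    case 0xfb: return "freed slab object";
    case 0xfc: return "slab redzone";
    default:   return "other poison";
    }
}

/* The three "Memory state around the buggy address" rows that surround the
 * object, copied from the report; 16 shadow bytes per row = 128 bytes of memory. */
struct shadow_row { uint64_t base; uint8_t bytes[16]; };

static const struct shadow_row report_shadow[] = {
    { 0xffff888066d94380ULL, { 0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,
                               0xfa,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb } },
    { 0xffff888066d94400ULL, { 0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,
                               0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb } },
    { 0xffff888066d94480ULL, { 0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfc,0xfc,
                               0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc } },
};

/* Shadow byte covering addr, or -1 if none of the quoted rows covers it. */
static int shadow_byte(uint64_t addr)
{
    size_t i;
    for (i = 0; i < sizeof report_shadow / sizeof report_shadow[0]; i++) {
        const struct shadow_row *r = &report_shadow[i];
        if (addr >= r->base && addr < r->base + 128)
            return r->bytes[(addr - r->base) / 8];
    }
    return -1;
}

int main(void)
{
    struct ioc d = ioc_decode((uint32_t)REPORT_RSI);
    uint64_t off = uaf_offset(REPORT_BAD_ADDR, REPORT_OBJ_ADDR);
    int sb = shadow_byte(REPORT_BAD_ADDR);

    printf("syscall %llu (ioctl): fd=%llu request=0x%08llx argp=0x%llx\n",
           (unsigned long long)REPORT_ORIG_RAX, (unsigned long long)REPORT_RDI,
           (unsigned long long)REPORT_RSI, (unsigned long long)REPORT_RDX);
    printf("request: dir=%u type='%c' nr=%u size=%u -> %s\n",
           d.dir, d.type, d.nr, d.size,
           (uint32_t)REPORT_RSI == hcisetscan() ? "HCISETSCAN" : "not HCISETSCAN");
    printf("access: offset %llu of a %llu-byte object, shadow 0x%02x = %s\n",
           (unsigned long long)off, (unsigned long long)REPORT_OBJ_SIZE,
           sb, shadow_meaning(sb));
    return 0;
}
```

Read together with the traces, the decoded values say what the report does not spell out: the faulting syscall is ioctl(3, HCISETSCAN, argp) on an HCI socket, which hci_dev_cmd services through hci_req_sync with hci_scan_req (both visible in the call trace); the 4-byte read at offset 228 lands on shadow 0xfb, i.e. on an skb that was already freed, the one "Freed by task 4478" in hci_req_sync_complete on the hci_rx_work worker; so the ioctl caller in __hci_req_sync is passing to kfree_skb_reason a request skb the event-processing worker has already released. The 0xfa byte at the object start and the 0xfc bytes past offset 240 are KASAN's own free-track and redzone poison, which is why the report can attribute the address to a freed 240-byte skbuff_head_cache object rather than to an out-of-bounds access.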
[ 70.358724][ T5086] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 70.366063][ T5086] CPU: 1 PID: 5086 Comm: syz-executor Not tainted 6.10.0-rc6-syzkaller-00061-ge9d22f7a6655 #0
SYZFAIL: failed to recv rpc
fd=3 want=4 sent=0 n=0 (errno 9: Bad file descriptor)
[ 70.376350][ T5086] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 70.386457][ T5086] Call Trace:
[ 70.389773][ T5086] <TASK>
[ 70.392753][ T5086] dump_stack_lvl+0x241/0x360
[ 70.397578][ T5086] ? __pfx_dump_stack_lvl+0x10/0x10
[ 70.402829][ T5086] ? __pfx__printk+0x10/0x10
[ 70.407482][ T5086] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 70.413519][ T5086] ? vscnprintf+0x5d/0x90
[ 70.417889][ T5086] panic+0x349/0x860
[ 70.421843][ T5086] ? check_panic_on_warn+0x21/0xb0
[ 70.427087][ T5086] ? __pfx_panic+0x10/0x10
[ 70.431568][ T5086] ? _raw_spin_unlock_irqrestore+0x130/0x140
[ 70.437779][ T5086] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 70.444409][ T5086] check_panic_on_warn+0x86/0xb0
[ 70.449493][ T5086] ? kfree_skb_reason+0x41/0x3b0
[ 70.454482][ T5086] end_report+0x77/0x160
[ 70.458765][ T5086] kasan_report+0x154/0x180
[ 70.463311][ T5086] ? kfree_skb_reason+0x41/0x3b0
[ 70.468308][ T5086] kasan_check_range+0x282/0x290
[ 70.473305][ T5086] kfree_skb_reason+0x41/0x3b0
[ 70.478213][ T5086] __hci_req_sync+0x62f/0x950
[ 70.482948][ T5086] ? __pfx___hci_req_sync+0x10/0x10
[ 70.488209][ T5086] ? __pfx___mutex_lock+0x10/0x10
[ 70.493281][ T5086] ? __pfx_autoremove_wake_function+0x10/0x10
[ 70.499399][ T5086] ? __pfx_hci_scan_req+0x10/0x10
[ 70.504472][ T5086] hci_req_sync+0xa9/0xd0
[ 70.508855][ T5086] hci_dev_cmd+0x4c5/0xa50
[ 70.513314][ T5086] ? security_capable+0x90/0xb0
[ 70.518294][ T5086] ? __pfx_hci_dev_cmd+0x10/0x10
[ 70.523280][ T5086] ? hci_sock_ioctl+0x6c4/0xa40
[ 70.528260][ T5086] sock_do_ioctl+0x158/0x460
[ 70.532893][ T5086] ? __pfx_smack_log+0x10/0x10
[ 70.537679][ T5086] ? __pfx_sock_do_ioctl+0x10/0x10
[ 70.542823][ T5086] ? smk_tskacc+0x300/0x370
[ 70.547345][ T5086] ? smack_file_ioctl+0x2a1/0x3a0
[ 70.552386][ T5086] sock_ioctl+0x629/0x8e0
[ 70.556821][ T5086] ? __pfx_sock_ioctl+0x10/0x10
[ 70.561693][ T5086] ? __fget_files+0x3f6/0x470
[ 70.566381][ T5086] ? __fget_files+0x29/0x470
[ 70.570986][ T5086] ? bpf_lsm_file_ioctl+0x9/0x10
[ 70.576134][ T5086] ? security_file_ioctl+0x87/0xb0
[ 70.581272][ T5086] ? __pfx_sock_ioctl+0x10/0x10
[ 70.586137][ T5086] __se_sys_ioctl+0xfc/0x170
[ 70.590778][ T5086] do_syscall_64+0xf3/0x230
[ 70.595328][ T5086] ? clear_bhb_loop+0x35/0x90
[ 70.600106][ T5086] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.606273][ T5086] RIP: 0033:0x7fc45cd75b1b
[ 70.610710][ T5086] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 70.630344][ T5086] RSP: 002b:00007ffc80b7cb10 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 70.638862][ T5086] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc45cd75b1b
[ 70.646846][ T5086] RDX: 00007ffc80b7cb88 RSI: 00000000400448dd RDI: 0000000000000003
[ 70.654824][ T5086] RBP: 00005555662ed4a8 R08: 0000000000000000 R09: 0000000000000000
[ 70.662982][ T5086] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000002
[ 70.670959][ T5086] R13: 0000000000000002 R14: 0000000000000009 R15: 0000000000000009
[ 70.678952][ T5086] </TASK>
[ 70.682314][ T5086] Kernel Offset: disabled
[ 70.686662][ T5086] Rebooting in 86400 seconds..