last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.1.3' (ED25519) to the list of known hosts.
2024/06/13 12:01:39 fuzzer started
2024/06/13 12:01:39 dialing manager at 10.128.0.169:30006
[   71.608972][   T29] audit: type=1400 audit(1718280099.213:87): avc:  denied  { node_bind } for  pid=5073 comm="syz-fuzzer" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[   71.631436][   T29] audit: type=1400 audit(1718280099.233:88): avc:  denied  { name_bind } for  pid=5073 comm="syz-fuzzer" src=6060 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=1
[   71.943401][   T29] audit: type=1400 audit(1718280099.503:89): avc:  denied  { mounton } for  pid=5081 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[   72.005908][ T5082] cgroup: Unknown subsys name 'net'
[   72.006527][   T29] audit: type=1400 audit(1718280099.523:90): avc:  denied  { mount } for  pid=5081 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[   72.076587][   T29] audit: type=1400 audit(1718280099.533:91): avc:  denied  { setattr } for  pid=5083 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=733 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   72.124258][   T29] audit: type=1400 audit(1718280099.543:92): avc:  denied  { mounton } for  pid=5082 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1925 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[   72.148116][   T29] audit: type=1400 audit(1718280099.543:93): avc:  denied  { mount } for  pid=5082 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[   72.161391][ T5088] SELinux:  Context root:object_r:swapfile_t is not valid (left unmapped).
[   72.171049][   T29] audit: type=1400 audit(1718280099.583:94): avc:  denied  { create } for  pid=5085 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[   72.199837][   T29] audit: type=1400 audit(1718280099.583:95): avc:  denied  { write } for  pid=5085 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[   72.228514][   T29] audit: type=1400 audit(1718280099.603:96): avc:  denied  { read } for  pid=5085 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[   72.335029][ T5082] cgroup: Unknown subsys name 'rlimit'
2024/06/13 12:01:41 starting 5 executor processes
[   73.578844][ T5086] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   75.851136][ T5116] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   75.866662][ T5114] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   75.875805][ T5114] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   75.883776][ T5116] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   75.892811][ T5116] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   75.896621][ T5114] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   75.902419][ T5116] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   75.914805][ T5116] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   75.915357][ T5114] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   75.922887][ T5116] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   75.935570][ T5118] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   75.938808][ T5116] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   75.943885][ T5114] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   75.950835][ T5116] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   75.966128][ T5116] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   75.974996][ T5121] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   75.975452][ T5114] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   75.982530][ T5116] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   75.989936][ T5114] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[   76.004313][ T5114] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   76.005607][ T5118] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[   76.011710][ T5114] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[   76.018870][ T5118] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   76.033117][ T5116] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   76.034725][ T5114] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   76.049261][ T5114] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   76.051900][ T5118] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[   76.058847][ T5114] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   76.074188][ T5114] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   76.076793][ T5118] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   76.100741][ T5100] ==================================================================
[   76.108836][ T5100] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x283/0x2b0
[   76.117210][ T5100] Read of size 8 at addr ffff88805e14a198 by task syz-executor.4/5100
[   76.125377][ T5100] 
[   76.127717][ T5100] CPU: 1 PID: 5100 Comm: syz-executor.4 Not tainted 6.10.0-rc3-syzkaller-00022-gcea2a26553ac #0
[   76.138144][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   76.148392][ T5100] Call Trace:
[   76.151685][ T5100]  <TASK>
[   76.154624][ T5100]  dump_stack_lvl+0x116/0x1f0
[   76.159347][ T5100]  print_report+0xc3/0x620
[   76.163795][ T5100]  ? __virt_addr_valid+0x5e/0x580
[   76.168839][ T5100]  ? __phys_addr+0xc6/0x150
[   76.173460][ T5100]  kasan_report+0xd9/0x110
[   76.177909][ T5100]  ? skb_release_head_state+0x283/0x2b0
[   76.183564][ T5100]  ? skb_release_head_state+0x283/0x2b0
[   76.189139][ T5100]  skb_release_head_state+0x283/0x2b0
[   76.194539][ T5100]  kfree_skb_reason+0xed/0x210
[   76.199327][ T5100]  __hci_req_sync+0x61d/0x980
[   76.204492][ T5100]  ? __pfx___hci_req_sync+0x10/0x10
[   76.209714][ T5100]  ? __mutex_lock+0x1a6/0x9c0
[   76.214410][ T5100]  ? __pfx_autoremove_wake_function+0x10/0x10
[   76.220511][ T5100]  ? hci_req_sync+0x3f/0xd0
[   76.225133][ T5100]  ? __pfx___might_resched+0x10/0x10
[   76.230442][ T5100]  hci_req_sync+0x97/0xd0
[   76.234799][ T5100]  ? __pfx_hci_scan_req+0x10/0x10
[   76.239852][ T5100]  hci_dev_cmd+0x634/0x960
[   76.244290][ T5100]  ? cap_capable+0x1cf/0x240
[   76.248911][ T5100]  ? __pfx_hci_dev_cmd+0x10/0x10
[   76.253867][ T5100]  ? security_capable+0x98/0xd0
[   76.258739][ T5100]  hci_sock_ioctl+0x4f3/0x880
[   76.263453][ T5100]  ? __pfx_hci_sock_ioctl+0x10/0x10
[   76.268764][ T5100]  sock_do_ioctl+0x116/0x280
[   76.273376][ T5100]  ? __pfx_sock_do_ioctl+0x10/0x10
[   76.278517][ T5100]  ? ioctl_has_perm.constprop.0.isra.0+0x2f9/0x470
[   76.285047][ T5100]  ? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10
[   76.292188][ T5100]  sock_ioctl+0x22e/0x6c0
[   76.296650][ T5100]  ? __pfx_sock_ioctl+0x10/0x10
[   76.301528][ T5100]  ? selinux_file_ioctl+0x180/0x270
[   76.306755][ T5100]  ? selinux_file_ioctl+0xb4/0x270
[   76.311896][ T5100]  ? __pfx_sock_ioctl+0x10/0x10
[   76.316776][ T5100]  __x64_sys_ioctl+0x193/0x220
[   76.321741][ T5100]  do_syscall_64+0xcd/0x250
[   76.326310][ T5100]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.332234][ T5100] RIP: 0033:0x7f876f67cc0b
[   76.336671][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[   76.356386][ T5100] RSP: 002b:00007ffc3c0df0a0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   76.364822][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f876f67cc0b
[   76.372810][ T5100] RDX: 00007ffc3c0df118 RSI: 00000000400448dd RDI: 0000000000000003
[   76.380798][ T5100] RBP: 00005555930d8430 R08: 0000000000000000 R09: 0000000000000000
[   76.388786][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000
[   76.396775][ T5100] R13: 0000000000000000 R14: 0000000000000003 R15: 000000000000000c
[   76.404765][ T5100]  </TASK>
[   76.407801][ T5100] 
[   76.410126][ T5100] Allocated by task 5118:
[   76.414460][ T5100]  kasan_save_stack+0x33/0x60
[   76.419162][ T5100]  kasan_save_track+0x14/0x30
[   76.423947][ T5100]  __kasan_slab_alloc+0x89/0x90
[   76.428825][ T5100]  kmem_cache_alloc_noprof+0x121/0x2f0
[   76.434298][ T5100]  skb_clone+0x190/0x3f0
[   76.438558][ T5100]  hci_cmd_work+0x66a/0x710
[   76.443074][ T5100]  process_one_work+0x9fb/0x1b60
[   76.448026][ T5100]  worker_thread+0x6c8/0xf70
[   76.452628][ T5100]  kthread+0x2c1/0x3a0
[   76.456714][ T5100]  ret_from_fork+0x45/0x80
[   76.461147][ T5100]  ret_from_fork_asm+0x1a/0x30
[   76.465924][ T5100] 
[   76.468248][ T5100] Freed by task 5111:
[   76.472235][ T5100]  kasan_save_stack+0x33/0x60
[   76.476936][ T5100]  kasan_save_track+0x14/0x30
[   76.481635][ T5100]  kasan_save_free_info+0x3b/0x60
[   76.486679][ T5100]  poison_slab_object+0xf7/0x160
[   76.491639][ T5100]  __kasan_slab_free+0x32/0x50
[   76.496429][ T5100]  kmem_cache_free+0x12f/0x3a0
[   76.501215][ T5100]  kfree_skbmem+0x10e/0x200
[   76.505741][ T5100]  kfree_skb_reason+0x138/0x210
[   76.510606][ T5100]  hci_req_sync_complete+0x16c/0x270
[   76.515925][ T5100]  hci_event_packet+0x963/0x1170
[   76.520882][ T5100]  hci_rx_work+0x2c4/0x1610
[   76.525397][ T5100]  process_one_work+0x9fb/0x1b60
[   76.530355][ T5100]  worker_thread+0x6c8/0xf70
[   76.534955][ T5100]  kthread+0x2c1/0x3a0
[   76.539040][ T5100]  ret_from_fork+0x45/0x80
[   76.543481][ T5100]  ret_from_fork_asm+0x1a/0x30
[   76.548271][ T5100] 
[   76.550601][ T5100] The buggy address belongs to the object at ffff88805e14a140
[   76.550601][ T5100]  which belongs to the cache skbuff_head_cache of size 240
[   76.565201][ T5100] The buggy address is located 88 bytes inside of
[   76.565201][ T5100]  freed 240-byte region [ffff88805e14a140, ffff88805e14a230)
[   76.578928][ T5100] 
[   76.581261][ T5100] The buggy address belongs to the physical page:
[   76.587681][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5e14a
[   76.596462][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   76.603665][ T5100] page_type: 0xffffefff(slab)
[   76.608374][ T5100] raw: 00fff00000000000 ffff888019aa6780 dead000000000122 0000000000000000
[   76.616974][ T5100] raw: 0000000000000000 00000000800c000c 00000001ffffefff 0000000000000000
[   76.625565][ T5100] page dumped because: kasan: bad access detected
[   76.631988][ T5100] page_owner tracks the page as allocated
[   76.637705][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5118, tgid 5118 (kworker/u9:7), ts 76100143350, free_ts 23830824699
[   76.657002][ T5100]  post_alloc_hook+0x2d1/0x350
[   76.661791][ T5100]  get_page_from_freelist+0x136a/0x2e50
[   76.667364][ T5100]  __alloc_pages_noprof+0x22b/0x2460
[   76.672677][ T5100]  alloc_slab_page+0x56/0x110
[   76.677373][ T5100]  new_slab+0x84/0x260
[   76.681468][ T5100]  ___slab_alloc+0xdac/0x1870
[   76.686172][ T5100]  __slab_alloc.constprop.0+0x56/0xb0
[   76.691571][ T5100]  kmem_cache_alloc_noprof+0x2a7/0x2f0
[   76.697045][ T5100]  skb_clone+0x190/0x3f0
[   76.701302][ T5100]  hci_cmd_work+0x1c3/0x710
[   76.705837][ T5100]  process_one_work+0x9fb/0x1b60
[   76.710969][ T5100]  worker_thread+0x6c8/0xf70
[   76.715579][ T5100]  kthread+0x2c1/0x3a0
[   76.719667][ T5100]  ret_from_fork+0x45/0x80
[   76.720180][   T29] kauditd_printk_skb: 20 callbacks suppressed
[   76.720195][   T29] audit: type=1400 audit(1718280104.213:117): avc:  denied  { module_request } for  pid=5102 comm="syz-executor.1" kmod="rtnl-link-nicvf" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[   76.724085][ T5100]  ret_from_fork_asm+0x1a/0x30
[   76.724119][ T5100] page last free pid 1 tgid 1 stack trace:
[   76.763051][ T5100]  free_unref_page+0x64a/0xe40
[   76.767836][ T5100]  free_contig_range+0xb6/0x1a0
[   76.772718][ T5100]  destroy_args+0xa4e/0xe20
[   76.777247][ T5100]  debug_vm_pgtable+0x16db/0x3220
[   76.782294][ T5100]  do_one_initcall+0x128/0x700
[   76.787081][ T5100]  kernel_init_freeable+0x69d/0xca0
[   76.792302][ T5100]  kernel_init+0x1c/0x2b0
[   76.796649][ T5100]  ret_from_fork+0x45/0x80
[   76.801087][ T5100]  ret_from_fork_asm+0x1a/0x30
[   76.805880][ T5100] 
[   76.808203][ T5100] Memory state around the buggy address:
[   76.813840][ T5100]  ffff88805e14a080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[   76.821912][ T5100]  ffff88805e14a100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   76.829974][ T5100] >ffff88805e14a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   76.838037][ T5100]                             ^
[   76.842896][ T5100]  ffff88805e14a200: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[   76.851229][ T5100]  ffff88805e14a280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   76.859303][ T5100] ==================================================================
[   76.869349][ T5100] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   76.876572][ T5100] CPU: 0 PID: 5100 Comm: syz-executor.4 Not tainted 6.10.0-rc3-syzkaller-00022-gcea2a26553ac #0
[   76.887003][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   76.897069][ T5100] Call Trace:
[   76.900355][ T5100]  <TASK>
2024/06/13 12:01:44 SYZFATAL: failed to recv *flatrpc.HostMessageRaw: EOF
[   76.903289][ T5100]  dump_stack_lvl+0x3d/0x1f0
[   76.907918][ T5100]  panic+0x6f5/0x7a0
[   76.911848][ T5100]  ? __pfx_panic+0x10/0x10
[   76.916382][ T5100]  ? preempt_schedule_thunk+0x1a/0x30
[   76.921782][ T5100]  ? preempt_schedule_common+0x44/0xc0
[   76.927280][ T5100]  ? check_panic_on_warn+0x1f/0xb0
[   76.932431][ T5100]  check_panic_on_warn+0xab/0xb0
[   76.937399][ T5100]  end_report+0x117/0x180
[   76.941740][ T5100]  kasan_report+0xe9/0x110
[   76.946169][ T5100]  ? skb_release_head_state+0x283/0x2b0
[   76.951831][ T5100]  ? skb_release_head_state+0x283/0x2b0
[   76.957568][ T5100]  skb_release_head_state+0x283/0x2b0
[   76.962953][ T5100]  kfree_skb_reason+0xed/0x210
[   76.967725][ T5100]  __hci_req_sync+0x61d/0x980
[   76.972417][ T5100]  ? __pfx___hci_req_sync+0x10/0x10
[   76.977628][ T5100]  ? __mutex_lock+0x1a6/0x9c0
[   76.982314][ T5100]  ? __pfx_autoremove_wake_function+0x10/0x10
[   76.988399][ T5100]  ? hci_req_sync+0x3f/0xd0
[   76.992912][ T5100]  ? __pfx___might_resched+0x10/0x10
[   76.998201][ T5100]  hci_req_sync+0x97/0xd0
[   77.002544][ T5100]  ? __pfx_hci_scan_req+0x10/0x10
[   77.007582][ T5100]  hci_dev_cmd+0x634/0x960
[   77.011998][ T5100]  ? cap_capable+0x1cf/0x240
[   77.016588][ T5100]  ? __pfx_hci_dev_cmd+0x10/0x10
[   77.021526][ T5100]  ? security_capable+0x98/0xd0
[   77.026377][ T5100]  hci_sock_ioctl+0x4f3/0x880
[   77.031067][ T5100]  ? __pfx_hci_sock_ioctl+0x10/0x10
[   77.036274][ T5100]  sock_do_ioctl+0x116/0x280
[   77.040874][ T5100]  ? __pfx_sock_do_ioctl+0x10/0x10
[   77.045992][ T5100]  ? ioctl_has_perm.constprop.0.isra.0+0x2f9/0x470
[   77.052507][ T5100]  ? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10
[   77.059366][ T5100]  sock_ioctl+0x22e/0x6c0
[   77.063700][ T5100]  ? __pfx_sock_ioctl+0x10/0x10
[   77.068557][ T5100]  ? selinux_file_ioctl+0x180/0x270
[   77.073761][ T5100]  ? selinux_file_ioctl+0xb4/0x270
[   77.078878][ T5100]  ? __pfx_sock_ioctl+0x10/0x10
[   77.083853][ T5100]  __x64_sys_ioctl+0x193/0x220
[   77.088622][ T5100]  do_syscall_64+0xcd/0x250
[   77.093127][ T5100]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   77.099030][ T5100] RIP: 0033:0x7f876f67cc0b
[   77.103440][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[   77.123132][ T5100] RSP: 002b:00007ffc3c0df0a0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   77.131636][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f876f67cc0b
[   77.139693][ T5100] RDX: 00007ffc3c0df118 RSI: 00000000400448dd RDI: 0000000000000003
[   77.147660][ T5100] RBP: 00005555930d8430 R08: 0000000000000000 R09: 0000000000000000
[   77.155801][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000
[   77.163798][ T5100] R13: 0000000000000000 R14: 0000000000000003 R15: 000000000000000c
[   77.171769][ T5100]  </TASK>
[   77.174994][ T5100] Kernel Offset: disabled
[   77.179306][ T5100] Rebooting in 86400 seconds..