last executing test programs:
kernel console output (not intermixed with test programs):
DUID 00:04:19:c0:d1:0e:d7:c0:27:6c:e7:df:2b:fb:70:54:6d:6b
forked to background, child pid 3215
[ 40.226419][ T3216] 8021q: adding VLAN 0 to HW filter on device bond0
[ 40.240854][ T3216] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.1.229' (ED25519) to the list of known hosts.
syzkaller login: [ 64.979426][ T3540] cgroup: Unknown subsys name 'net'
[ 65.138879][ T3540] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 66.635294][ T3540] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k FS
[ 68.249642][ T3560] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 68.257711][ T3560] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 68.266346][ T3560] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 68.268788][ T3561] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 68.277872][ T3564] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 68.282405][ T3561] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 68.289231][ T3564] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 68.296643][ T3561] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 68.303966][ T3564] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 68.310654][ T3561] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 68.316949][ T3564] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 68.324316][ T3561] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 68.331807][ T3564] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 68.338510][ T3561] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 68.351584][ T3561] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 68.353897][ T3564] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 68.360109][ T3561] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 68.367184][ T3564] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 68.373555][ T3561] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 68.380924][ T3564] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 68.387119][ T3561] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 68.403703][ T3559] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 68.411043][ T3559] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 68.418886][ T3559] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 68.426599][ T3559] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 68.434419][ T3559] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 68.441770][ T3559] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 68.449330][ T3559] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 68.457232][ T3549] ==================================================================
[ 68.465319][ T3549] BUG: KASAN: use-after-free in kfree_skb_reason+0x3d/0x390
[ 68.472659][ T3549] Read of size 4 at addr ffff888061103ae4 by task syz-executor/3549
[ 68.480656][ T3549]
[ 68.483003][ T3549] CPU: 1 PID: 3549 Comm: syz-executor Not tainted 6.1.98-syzkaller #0
[ 68.491177][ T3549] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 68.501256][ T3549] Call Trace:
[ 68.504553][ T3549]
[ 68.507507][ T3549] dump_stack_lvl+0x1e3/0x2cb
[ 68.512230][ T3549] ? nf_tcp_handle_invalid+0x642/0x642
[ 68.517729][ T3549] ? panic+0x764/0x764
[ 68.521831][ T3549] ? _printk+0xd1/0x111
[ 68.526018][ T3549] ? __virt_addr_valid+0x17f/0x520
[ 68.531162][ T3549] ? __virt_addr_valid+0x17f/0x520
[ 68.536286][ T3549] print_report+0x15f/0x4f0
[ 68.540795][ T3549] ? __virt_addr_valid+0x17f/0x520
[ 68.545931][ T3549] ? __virt_addr_valid+0x17f/0x520
[ 68.551046][ T3549] ? __virt_addr_valid+0x44a/0x520
[ 68.556175][ T3549] ? __phys_addr+0xb6/0x170
[ 68.560686][ T3549] ? kfree_skb_reason+0x3d/0x390
[ 68.565636][ T3549] kasan_report+0x136/0x160
[ 68.570141][ T3549] ? kfree_skb_reason+0x3d/0x390
[ 68.575090][ T3549] kasan_check_range+0x27f/0x290
[ 68.580030][ T3549] kfree_skb_reason+0x3d/0x390
[ 68.584801][ T3549] __hci_req_sync+0x626/0x940
[ 68.589477][ T3549] ? trace_contention_end+0x61/0x170
[ 68.594767][ T3549] ? hci_req_sync_complete+0x280/0x280
[ 68.600227][ T3549] ? mutex_lock_nested+0x10/0x10
[ 68.605164][ T3549] ? wake_bit_function+0x210/0x210
[ 68.610285][ T3549] ? hci_encrypt_req+0x170/0x170
[ 68.615245][ T3549] hci_req_sync+0xa5/0xc0
[ 68.619607][ T3549] hci_dev_cmd+0x2fc/0xa30
[ 68.624029][ T3549] ? security_capable+0x86/0xb0
[ 68.628891][ T3549] ? hci_dev_reset_stat+0x1a0/0x1a0
[ 68.634099][ T3549] ? hci_sock_ioctl+0x426/0x850
[ 68.638955][ T3549] sock_do_ioctl+0x152/0x450
[ 68.643548][ T3549] ? sock_show_fdinfo+0xb0/0xb0
[ 68.648403][ T3549] ? __fget_files+0x28/0x4a0
[ 68.652997][ T3549] sock_ioctl+0x47f/0x770
[ 68.657327][ T3549] ? sock_poll+0x410/0x410
[ 68.661742][ T3549] ? __fget_files+0x28/0x4a0
[ 68.666332][ T3549] ? __fget_files+0x435/0x4a0
[ 68.671008][ T3549] ? __fget_files+0x28/0x4a0
[ 68.675606][ T3549] ? bpf_lsm_file_ioctl+0x5/0x10
[ 68.680549][ T3549] ? security_file_ioctl+0x7d/0xa0
[ 68.685660][ T3549] ? sock_poll+0x410/0x410
[ 68.690074][ T3549] __se_sys_ioctl+0xf1/0x160
[ 68.694673][ T3549] do_syscall_64+0x3b/0xb0
[ 68.699098][ T3549] ? clear_bhb_loop+0x45/0xa0
[ 68.703783][ T3549] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 68.709684][ T3549] RIP: 0033:0x7f105d5757db
[ 68.714106][ T3549] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 68.733712][ T3549] RSP: 002b:00007ffeb804aba0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 68.742129][ T3549] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f105d5757db
[ 68.750100][ T3549] RDX: 00007ffeb804ac18 RSI: 00000000400448dd RDI: 0000000000000003
[ 68.758069][ T3549] RBP: 000055555622a4a8 R08: 0000000000000000 R09: 0000000000000000
[ 68.766129][ T3549] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 68.774098][ T3549] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 68.782077][ T3549]
[ 68.785096][ T3549]
[ 68.787437][ T3549] Allocated by task 48:
[ 68.791594][ T3549] kasan_set_track+0x4b/0x70
[ 68.796541][ T3549] __kasan_slab_alloc+0x65/0x70
[ 68.801390][ T3549] slab_post_alloc_hook+0x52/0x3a0
[ 68.806501][ T3549] kmem_cache_alloc+0x10c/0x2d0
[ 68.811354][ T3549] skb_clone+0x1e5/0x360
[ 68.815596][ T3549] hci_cmd_work+0x296/0x660
[ 68.820101][ T3549] process_one_work+0x8a9/0x11d0
[ 68.825037][ T3549] worker_thread+0xa47/0x1200
[ 68.829712][ T3549] kthread+0x28d/0x320
[ 68.833783][ T3549] ret_from_fork+0x1f/0x30
[ 68.838201][ T3549]
[ 68.840523][ T3549] Freed by task 3565:
[ 68.844494][ T3549] kasan_set_track+0x4b/0x70
[ 68.849088][ T3549] kasan_save_free_info+0x27/0x40
[ 68.854114][ T3549] ____kasan_slab_free+0xd6/0x120
[ 68.859148][ T3549] kmem_cache_free+0x292/0x510
[ 68.863914][ T3549] hci_req_sync_complete+0xee/0x280
[ 68.869127][ T3549] hci_event_packet+0xc49/0x1510
[ 68.874080][ T3549] hci_rx_work+0x3cd/0xce0
[ 68.878501][ T3549] process_one_work+0x8a9/0x11d0
[ 68.883481][ T3549] worker_thread+0xa47/0x1200
[ 68.888169][ T3549] kthread+0x28d/0x320
[ 68.892241][ T3549] ret_from_fork+0x1f/0x30
[ 68.896850][ T3549]
[ 68.899175][ T3549] The buggy address belongs to the object at ffff888061103a00
[ 68.899175][ T3549] which belongs to the cache skbuff_head_cache of size 240
[ 68.913845][ T3549] The buggy address is located 228 bytes inside of
[ 68.913845][ T3549] 240-byte region [ffff888061103a00, ffff888061103af0)
[ 68.927817][ T3549]
[ 68.930137][ T3549] The buggy address belongs to the physical page:
[ 68.936576][ T3549] page:ffffea00018440c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x61103
[ 68.946741][ T3549] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 68.954301][ T3549] raw: 00fff00000000200 0000000000000000 dead000000000122 ffff8881401e6500
[ 68.962888][ T3549] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 68.971465][ T3549] page dumped because: kasan: bad access detected
[ 68.977882][ T3549] page_owner tracks the page as allocated
[ 68.983592][ T3549] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 3555, tgid 3550 (syz-executor), ts 68449244588, free_ts 19750246303
[ 69.001997][ T3549] post_alloc_hook+0x18d/0x1b0
[ 69.006762][ T3549] get_page_from_freelist+0x322e/0x33b0
[ 69.012314][ T3549] __alloc_pages+0x28d/0x770
[ 69.016901][ T3549] alloc_slab_page+0x6a/0x150
[ 69.021668][ T3549] new_slab+0x84/0x2d0
[ 69.025740][ T3549] ___slab_alloc+0xc20/0x1270
[ 69.030427][ T3549] kmem_cache_alloc_node+0x1cf/0x310
[ 69.035717][ T3549] __alloc_skb+0xde/0x670
[ 69.040074][ T3549] vhci_write+0xbc/0x440
[ 69.044317][ T3549] do_iter_write+0x6e6/0xc40
[ 69.048905][ T3549] do_writev+0x27b/0x460
[ 69.053150][ T3549] do_syscall_64+0x3b/0xb0
[ 69.057583][ T3549] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 69.063486][ T3549] page last free stack trace:
[ 69.068241][ T3549] free_unref_page_prepare+0xf63/0x1120
[ 69.073786][ T3549] free_unref_page+0x33/0x3e0
[ 69.078459][ T3549] free_contig_range+0x9a/0x150
[ 69.083333][ T3549] destroy_args+0xfe/0x997
[ 69.087755][ T3549] debug_vm_pgtable+0x416/0x46b
[ 69.092610][ T3549] do_one_initcall+0x265/0x8f0
[ 69.097379][ T3549] do_initcall_level+0x157/0x207
[ 69.102319][ T3549] do_initcalls+0x49/0x86
[ 69.106670][ T3549] kernel_init_freeable+0x45c/0x60f
[ 69.111877][ T3549] kernel_init+0x19/0x290
[ 69.116212][ T3549] ret_from_fork+0x1f/0x30
[ 69.120633][ T3549]
[ 69.122953][ T3549] Memory state around the buggy address:
[ 69.128580][ T3549] ffff888061103980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 69.136812][ T3549] ffff888061103a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.144870][ T3549] >ffff888061103a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 69.153036][ T3549]                                                        ^
[ 69.160402][ T3549] ffff888061103b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 69.168464][ T3549] ffff888061103b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.176522][ T3549] ==================================================================
[ 69.195771][ T3549] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 69.203016][ T3549] CPU: 0 PID: 3549 Comm: syz-executor Not tainted 6.1.98-syzkaller #0
[ 69.211195][ T3549] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 69.221309][ T3549] Call Trace:
[ 69.224619][ T3549]
[ 69.224616][ T3553] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 69.234678][ T3549] dump_stack_lvl+0x1e3/0x2cb
[ 69.239398][ T3549] ? nf_tcp_handle_invalid+0x642/0x642
[ 69.244902][ T3549] ? panic+0x764/0x764
[ 69.249007][ T3549] ? preempt_schedule_common+0xa6/0xd0
[ 69.254492][ T3549] ? vscnprintf+0x59/0x80
[ 69.258858][ T3549] panic+0x318/0x764
[ 69.262783][ T3549] ? check_panic_on_warn+0x1d/0xa0
[ 69.267922][ T3549] ? memcpy_page_flushcache+0xfc/0xfc
[ 69.273327][ T3549] ? _raw_spin_unlock_irqrestore+0x128/0x130
[ 69.279354][ T3549] ? _raw_spin_unlock+0x40/0x40
[ 69.284242][ T3549] ? print_report+0x4a3/0x4f0
[ 69.288953][ T3549] check_panic_on_warn+0x7e/0xa0
[ 69.293930][ T3549] ? kfree_skb_reason+0x3d/0x390
[ 69.298909][ T3549] end_report+0x66/0x110
[ 69.303180][ T3549] kasan_report+0x143/0x160
[ 69.307714][ T3549] ? kfree_skb_reason+0x3d/0x390
[ 69.312779][ T3549] kasan_check_range+0x27f/0x290
[ 69.317741][ T3549] kfree_skb_reason+0x3d/0x390
[ 69.322542][ T3549] __hci_req_sync+0x626/0x940
[ 69.327275][ T3549] ? trace_contention_end+0x61/0x170
[ 69.332598][ T3549] ? hci_req_sync_complete+0x280/0x280
[ 69.338090][ T3549] ? mutex_lock_nested+0x10/0x10
[ 69.343057][ T3549] ? wake_bit_function+0x210/0x210
[ 69.348207][ T3549] ? hci_encrypt_req+0x170/0x170
[ 69.353176][ T3549] hci_req_sync+0xa5/0xc0
[ 69.357535][ T3549] hci_dev_cmd+0x2fc/0xa30
[ 69.361988][ T3549] ? security_capable+0x86/0xb0
[ 69.366883][ T3549] ? hci_dev_reset_stat+0x1a0/0x1a0
[ 69.372202][ T3549] ? hci_sock_ioctl+0x426/0x850
[ 69.377083][ T3549] sock_do_ioctl+0x152/0x450
[ 69.381709][ T3549] ? sock_show_fdinfo+0xb0/0xb0
[ 69.383154][ T3553] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 69.393513][ T3549] ? __fget_files+0x28/0x4a0
[ 69.398155][ T3549] sock_ioctl+0x47f/0x770
[ 69.402516][ T3549] ? sock_poll+0x410/0x410
[ 69.406966][ T3549] ? __fget_files+0x28/0x4a0
[ 69.411582][ T3549] ? __fget_files+0x435/0x4a0
[ 69.416287][ T3549] ? __fget_files+0x28/0x4a0
[ 69.420928][ T3549] ? bpf_lsm_file_ioctl+0x5/0x10
[ 69.425900][ T3549] ? security_file_ioctl+0x7d/0xa0
[ 69.431047][ T3549] ? sock_poll+0x410/0x410
[ 69.435495][ T3549] __se_sys_ioctl+0xf1/0x160
[ 69.440133][ T3549] do_syscall_64+0x3b/0xb0
[ 69.444610][ T3549] ? clear_bhb_loop+0x45/0xa0
[ 69.449339][ T3549] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 69.455278][ T3549] RIP: 0033:0x7f105d5757db
[ 69.459728][ T3549] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 69.479373][ T3549] RSP: 002b:00007ffeb804aba0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 69.487818][ T3549] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f105d5757db
[ 69.495822][ T3549] RDX: 00007ffeb804ac18 RSI: 00000000400448dd RDI: 0000000000000003
[ 69.504052][ T3549] RBP: 000055555622a4a8 R08: 0000000000000000 R09: 0000000000000000
[ 69.512051][ T3549] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 69.520048][ T3549] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 69.527887][ T3552] chnl_net:caif_netlink_parms(): no params data found
[ 69.534985][ T3549]
[ 69.538349][ T3549] Kernel Offset: disabled
[ 69.542677][ T3549] Rebooting in 86400 seconds..