last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.236' (ED25519) to the list of known hosts.
1970/01/01 00:00:30 fuzzer started
1970/01/01 00:00:30 dialing manager at 10.128.0.169:30028
[ 30.939558][ T6262] cgroup: Unknown subsys name 'net'
[ 31.017470][ T6268] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SS
[ 31.196375][ T6262] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:00:31 starting 5 executor processes
[ 32.296950][ T52] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 32.311453][ T6288] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 32.314426][ T6291] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 32.318885][ T6294] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 32.323066][ T6294] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 32.323730][ T6296] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 32.325518][ T6294] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 32.327834][ T6296] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 32.330102][ T6298] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 32.332574][ T6296] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 32.335290][ T6296] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 32.335369][ T6298] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 32.337636][ T6296] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 32.339965][ T6298] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 32.342231][ T6296] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 32.343505][ T6298] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 32.345176][ T6296] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 32.347085][ T6298] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 32.349665][ T6296] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 32.352576][ T6298] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 32.352730][ T6296] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 32.354883][ T6298] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 32.356614][ T6296] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 32.358749][ T6298] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 32.360814][ T6296] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 32.362485][ T6298] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 32.364483][ T6296] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 32.366075][ T6298] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 32.368052][ T6296] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 32.372578][ T6296] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 32.378352][ T6298] ==================================================================
[ 32.380538][ T6298] BUG: KASAN: double-free in kfree_skbmem+0x15c/0x1ec
[ 32.382307][ T6298] Free of addr ffff0000ed136280 by task kworker/u9:7/6298
[ 32.384194][ T6298]
[ 32.384820][ T6298] CPU: 1 PID: 6298 Comm: kworker/u9:7 Tainted: G W 6.10.0-rc3-syzkaller-gac2193b4b460 #0
[ 32.387781][ T6298] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 32.390411][ T6298] Workqueue: hci1 hci_rx_work
[ 32.391684][ T6298] Call trace:
[ 32.392550][ T6298] dump_backtrace+0x1b8/0x1e4
[ 32.393795][ T6298] show_stack+0x2c/0x3c
[ 32.394920][ T6298] dump_stack_lvl+0xe4/0x150
[ 32.396273][ T6298] print_report+0x198/0x538
[ 32.397577][ T6298] kasan_report_invalid_free+0xc4/0x118
[ 32.399025][ T6298] poison_slab_object+0x140/0x180
[ 32.400415][ T6298] __kasan_slab_free+0x3c/0x70
[ 32.401663][ T6298] kmem_cache_free+0x170/0x4d0
[ 32.402987][ T6298] kfree_skbmem+0x15c/0x1ec
[ 32.404215][ T6298] kfree_skb_reason+0x1c0/0x490
[ 32.405544][ T6298] hci_req_sync_complete+0xb0/0x248
[ 32.406954][ T6298] hci_event_packet+0xab8/0x105c
[ 32.408351][ T6298] hci_rx_work+0x318/0xa78
[ 32.409531][ T6298] process_one_work+0x79c/0x15b8
[ 32.410857][ T6298] worker_thread+0x938/0xef4
[ 32.412177][ T6298] kthread+0x288/0x310
[ 32.413273][ T6298] ret_from_fork+0x10/0x20
[ 32.414462][ T6298]
[ 32.415133][ T6298] Allocated by task 6298:
[ 32.416213][ T6298] kasan_save_track+0x40/0x78
[ 32.417486][ T6298] kasan_save_alloc_info+0x40/0x50
[ 32.418884][ T6298] __kasan_slab_alloc+0x74/0x8c
[ 32.420175][ T6298] kmem_cache_alloc_noprof+0x1c0/0x350
[ 32.421611][ T6298] skb_clone+0x1c8/0x330
[ 32.422741][ T6298] hci_cmd_work+0x174/0x568
[ 32.423970][ T6298] process_one_work+0x79c/0x15b8
[ 32.425280][ T6298] worker_thread+0x938/0xef4
[ 32.426544][ T6298] kthread+0x288/0x310
[ 32.427624][ T6298] ret_from_fork+0x10/0x20
1970/01/01 00:00:32 SYZFATAL: failed to recv *flatrpc.HostMessageRaw: EOF
[ 32.428799][ T6298]
[ 32.429435][ T6298] Freed by task 6286:
[ 32.430492][ T6298] kasan_save_track+0x40/0x78
[ 32.431777][ T6298] kasan_save_free_info+0x54/0x6c
[ 32.433138][ T6298] poison_slab_object+0x128/0x180
[ 32.434532][ T6298] __kasan_slab_free+0x3c/0x70
[ 32.435827][ T6298] kmem_cache_free+0x170/0x4d0
[ 32.437317][ T6298] kfree_skbmem+0x15c/0x1ec
[ 32.438591][ T6298] kfree_skb_reason+0x1c0/0x490
[ 32.439999][ T6298] __hci_req_sync+0x4e8/0x798
[ 32.441291][ T6298] hci_req_sync+0xa0/0xcc
[ 32.442468][ T6298] hci_dev_cmd+0x304/0x8c0
[ 32.443675][ T6298] hci_sock_ioctl+0x4b8/0x7e4
[ 32.444971][ T6298] sock_do_ioctl+0x134/0x2d0
[ 32.446179][ T6298] sock_ioctl+0x4ec/0x838
[ 32.447332][ T6298] __arm64_sys_ioctl+0x14c/0x1c8
[ 32.448626][ T6298] invoke_syscall+0x98/0x2b8
[ 32.449941][ T6298] el0_svc_common+0x130/0x23c
[ 32.451256][ T6298] do_el0_svc+0x48/0x58
[ 32.452362][ T6298] el0_svc+0x54/0x168
[ 32.453405][ T6298] el0t_64_sync_handler+0x84/0xfc
[ 32.454728][ T6298] el0t_64_sync+0x190/0x194
[ 32.455947][ T6298]
[ 32.456579][ T6298] The buggy address belongs to the object at ffff0000ed136280
[ 32.456579][ T6298] which belongs to the cache skbuff_head_cache of size 240
[ 32.460396][ T6298] The buggy address is located 0 bytes inside of
[ 32.460396][ T6298] 240-byte region [ffff0000ed136280, ffff0000ed136370)
[ 32.463873][ T6298]
[ 32.464458][ T6298] The buggy address belongs to the physical page:
[ 32.466184][ T6298] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12d136
[ 32.468610][ T6298] flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
[ 32.470538][ T6298] page_type: 0xffffefff(slab)
[ 32.471787][ T6298] raw: 05ffc00000000000 ffff0000c1bcc780 dead000000000122 0000000000000000
[ 32.474148][ T6298] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 32.476623][ T6298] page dumped because: kasan: bad access detected
[ 32.478447][ T6298]
[ 32.479094][ T6298] Memory state around the buggy address:
[ 32.480615][ T6298] ffff0000ed136180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.482737][ T6298] ffff0000ed136200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 32.484885][ T6298] >ffff0000ed136280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.487054][ T6298]                    ^
[ 32.488194][ T6298] ffff0000ed136300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 32.490417][ T6298] ffff0000ed136380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 32.492591][ T6298] ==================================================================
[ 32.501171][ T6298] Disabling lock debugging due to kernel taint