last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.0.44' (ED25519) to the list of known hosts.
2024/06/16 08:55:21 fuzzer started
2024/06/16 08:55:21 dialing manager at 10.128.0.163:30022
[   51.250583][ T3545] cgroup: Unknown subsys name 'net'
[   51.393582][ T3545] cgroup: Unknown subsys name 'rlimit'
2024/06/16 08:55:23 starting 5 executor processes
[   52.537301][ T3554] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k FS
[   53.184359][ T3569] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   53.192864][ T3569] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   53.200953][ T3569] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   53.208505][ T3569] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   53.219584][ T3571] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   53.228353][ T3573] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   53.235999][ T3573] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   53.244990][ T3573] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   53.252675][ T3573] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   53.260285][ T3573] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   53.263939][ T3581] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   53.268657][ T3573] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   53.275494][ T3581] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   53.282096][ T3573] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   53.289451][ T3581] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   53.297743][ T3573] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[   53.303035][ T3581] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   53.310339][ T3573] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   53.317633][ T3581] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   53.323804][ T3573] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   53.330407][ T3581] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   53.344636][ T3581] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   53.345756][ T3573] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[   53.352131][ T3581] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[   53.365822][ T3581] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   53.367156][ T3567] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   53.381225][ T3567] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   53.397378][   T47] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[   53.404693][ T3567] ==================================================================
[   53.411631][ T3581] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   53.412749][ T3567] BUG: KASAN: use-after-free in kfree_skb_reason+0x15b/0x390
[   53.427036][ T3567] Read of size 8 at addr ffff888018644710 by task kworker/u5:1/3567
[   53.435014][ T3567] 
[   53.437340][ T3567] CPU: 1 PID: 3567 Comm: kworker/u5:1 Not tainted 6.1.93-syzkaller #0
[   53.445475][ T3567] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   53.455528][ T3567] Workqueue: hci0 hci_rx_work
[   53.460203][ T3567] Call Trace:
[   53.463472][ T3567]  <TASK>
[   53.466390][ T3567]  dump_stack_lvl+0x1e3/0x2cb
[   53.471063][ T3567]  ? nf_tcp_handle_invalid+0x642/0x642
[   53.476516][ T3567]  ? panic+0x764/0x764
[   53.480572][ T3567]  ? _printk+0xd1/0x111
[   53.484712][ T3567]  ? __virt_addr_valid+0x17f/0x520
[   53.489813][ T3567]  ? __virt_addr_valid+0x17f/0x520
[   53.494913][ T3567]  print_report+0x15f/0x4f0
[   53.499400][ T3567]  ? __virt_addr_valid+0x17f/0x520
[   53.504501][ T3567]  ? __virt_addr_valid+0x17f/0x520
[   53.509600][ T3567]  ? __virt_addr_valid+0x44a/0x520
[   53.514701][ T3567]  ? __phys_addr+0xb6/0x170
[   53.519197][ T3567]  ? kfree_skb_reason+0x15b/0x390
[   53.524224][ T3567]  kasan_report+0x136/0x160
[   53.528714][ T3567]  ? skb_release_head_state+0x1a4/0x230
[   53.534251][ T3567]  ? kfree_skb_reason+0x15b/0x390
[   53.539269][ T3567]  ? hci_req_sync_complete+0xee/0x280
[   53.544623][ T3567]  kfree_skb_reason+0x15b/0x390
[   53.549466][ T3567]  hci_req_sync_complete+0xee/0x280
[   53.554654][ T3567]  ? hci_req_run_skb+0x20/0x20
[   53.559401][ T3567]  hci_event_packet+0xc49/0x1510
[   53.564333][ T3567]  ? hci_remote_features_evt+0xab0/0xab0
[   53.569956][ T3567]  ? bis_list+0x290/0x290
[   53.574274][ T3567]  ? do_raw_spin_unlock+0x137/0x8a0
[   53.579459][ T3567]  ? hci_req_run_skb+0x20/0x20
[   53.584208][ T3567]  ? kcov_remote_start+0x4b5/0x7d0
[   53.589312][ T3567]  ? warn_bogus_irq_restore+0x20/0x20
[   53.594670][ T3567]  ? hci_send_to_monitor+0x99/0x4d0
[   53.599857][ T3567]  hci_rx_work+0x3cd/0xce0
[   53.604260][ T3567]  ? do_raw_spin_unlock+0x137/0x8a0
[   53.609444][ T3567]  ? process_one_work+0x7a9/0x11d0
[   53.614542][ T3567]  process_one_work+0x8a9/0x11d0
[   53.619471][ T3567]  ? worker_detach_from_pool+0x260/0x260
[   53.625090][ T3567]  ? _raw_spin_lock_irqsave+0x120/0x120
[   53.630623][ T3567]  ? kthread_data+0x4e/0xc0
[   53.635116][ T3567]  ? wq_worker_running+0x97/0x190
[   53.640134][ T3567]  worker_thread+0xa47/0x1200
[   53.644799][ T3567]  ? __sched_text_start+0x8/0x8
[   53.649649][ T3567]  kthread+0x28d/0x320
[   53.653698][ T3567]  ? worker_clr_flags+0x190/0x190
[   53.658707][ T3567]  ? kthread_blkcg+0xd0/0xd0
[   53.663281][ T3567]  ret_from_fork+0x1f/0x30
[   53.667691][ T3567]  </TASK>
[   53.670693][ T3567] 
[   53.673003][ T3567] Allocated by task 3567:
[   53.677310][ T3567]  kasan_set_track+0x4b/0x70
[   53.681892][ T3567]  __kasan_slab_alloc+0x65/0x70
[   53.686722][ T3567]  slab_post_alloc_hook+0x52/0x3a0
[   53.691819][ T3567]  kmem_cache_alloc+0x10c/0x2d0
[   53.696653][ T3567]  skb_clone+0x1e5/0x360
[   53.700878][ T3567]  hci_cmd_work+0x296/0x660
[   53.705363][ T3567]  process_one_work+0x8a9/0x11d0
[   53.710287][ T3567]  worker_thread+0xa47/0x1200
[   53.714948][ T3567]  kthread+0x28d/0x320
[   53.718997][ T3567]  ret_from_fork+0x1f/0x30
[   53.723400][ T3567] 
[   53.725704][ T3567] Freed by task 3566:
[   53.729659][ T3567]  kasan_set_track+0x4b/0x70
[   53.734246][ T3567]  kasan_save_free_info+0x27/0x40
[   53.739253][ T3567]  ____kasan_slab_free+0xd6/0x120
[   53.744269][ T3567]  kmem_cache_free+0x292/0x510
[   53.749017][ T3567]  __hci_req_sync+0x626/0x940
[   53.753685][ T3567]  hci_req_sync+0xa5/0xc0
[   53.758004][ T3567]  hci_dev_cmd+0x2fc/0xa30
[   53.762406][ T3567]  sock_do_ioctl+0x152/0x450
[   53.766979][ T3567]  sock_ioctl+0x47f/0x770
[   53.771290][ T3567]  __se_sys_ioctl+0xf1/0x160
[   53.775874][ T3567]  do_syscall_64+0x3b/0xb0
[   53.780278][ T3567]  entry_SYSCALL_64_after_hwframe+0x68/0xd2
[   53.786158][ T3567] 
[   53.788463][ T3567] The buggy address belongs to the object at ffff888018644640
[   53.788463][ T3567]  which belongs to the cache skbuff_head_cache of size 240
[   53.803017][ T3567] The buggy address is located 208 bytes inside of
[   53.803017][ T3567]  240-byte region [ffff888018644640, ffff888018644730)
[   53.816271][ T3567] 
[   53.818577][ T3567] The buggy address belongs to the physical page:
[   53.824974][ T3567] page:ffffea0000619100 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888018644140 pfn:0x18644
[   53.836413][ T3567] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[   53.843947][ T3567] raw: 00fff00000000200 ffffea00006af880 dead000000000004 ffff888014654500
[   53.852512][ T3567] raw: ffff888018644140 00000000800c000a 00000001ffffffff 0000000000000000
[   53.861070][ T3567] page dumped because: kasan: bad access detected
[   53.867464][ T3567] page_owner tracks the page as allocated
[   53.873157][ T3567] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 3003, tgid 3003 (udevadm), ts 14729401349, free_ts 14683269330
[   53.891023][ T3567]  post_alloc_hook+0x18d/0x1b0
[   53.895774][ T3567]  get_page_from_freelist+0x31a1/0x3320
[   53.901303][ T3567]  __alloc_pages+0x28d/0x770
[   53.905878][ T3567]  alloc_slab_page+0x6a/0x150
[   53.910541][ T3567]  new_slab+0x84/0x2d0
[   53.914595][ T3567]  ___slab_alloc+0xc20/0x1270
[   53.919257][ T3567]  kmem_cache_alloc_node+0x1cf/0x310
[   53.924527][ T3567]  __alloc_skb+0xde/0x670
[   53.928846][ T3567]  alloc_uevent_skb+0x74/0x220
[   53.933597][ T3567]  kobject_uevent_net_broadcast+0x2e5/0x560
[   53.939485][ T3567]  kobject_uevent_env+0x576/0x8c0
[   53.944512][ T3567]  kobject_synth_uevent+0x4eb/0xae0
[   53.949696][ T3567]  uevent_store+0x47/0x70
[   53.954029][ T3567]  kernfs_fop_write_iter+0x3a2/0x4f0
[   53.959304][ T3567]  vfs_write+0x7ae/0xba0
[   53.963527][ T3567]  ksys_write+0x19c/0x2c0
[   53.967835][ T3567] page last free stack trace:
[   53.972486][ T3567]  free_unref_page_prepare+0xf63/0x1120
[   53.978026][ T3567]  free_unref_page+0x33/0x3e0
[   53.982694][ T3567]  __unfreeze_partials+0x1b7/0x210
[   53.987795][ T3567]  put_cpu_partial+0x17b/0x250
[   53.992547][ T3567]  qlist_free_all+0x76/0xe0
[   53.997039][ T3567]  kasan_quarantine_reduce+0x156/0x170
[   54.002488][ T3567]  __kasan_slab_alloc+0x1f/0x70
[   54.007326][ T3567]  slab_post_alloc_hook+0x52/0x3a0
[   54.012428][ T3567]  __kmem_cache_alloc_node+0x137/0x260
[   54.017878][ T3567]  __kmalloc+0xa1/0x230
[   54.022018][ T3567]  kernfs_fop_write_iter+0x157/0x4f0
[   54.027293][ T3567]  vfs_write+0x7ae/0xba0
[   54.031520][ T3567]  ksys_write+0x19c/0x2c0
[   54.035831][ T3567]  do_syscall_64+0x3b/0xb0
[   54.040244][ T3567]  entry_SYSCALL_64_after_hwframe+0x68/0xd2
[   54.046130][ T3567] 
[   54.048437][ T3567] Memory state around the buggy address:
[   54.054045][ T3567]  ffff888018644600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   54.062086][ T3567]  ffff888018644680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.070128][ T3567] >ffff888018644700: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[   54.078168][ T3567]                          ^
2024/06/16 08:55:24 SYZFATAL: failed to recv *flatrpc.HostMessageRaw: EOF
[   54.082741][ T3567]  ffff888018644780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.090778][ T3567]  ffff888018644800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   54.098816][ T3567] ==================================================================
[   54.132676][ T3573] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   54.140742][ T3567] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   54.147950][ T3567] CPU: 1 PID: 3567 Comm: kworker/u5:1 Not tainted 6.1.93-syzkaller #0
[   54.156109][ T3567] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   54.166167][ T3567] Workqueue: hci0 hci_rx_work
[   54.170913][ T3567] Call Trace:
[   54.174194][ T3567]  <TASK>
[   54.177132][ T3567]  dump_stack_lvl+0x1e3/0x2cb
[   54.181830][ T3567]  ? nf_tcp_handle_invalid+0x642/0x642
[   54.187308][ T3567]  ? panic+0x764/0x764
[   54.191391][ T3567]  ? preempt_schedule_common+0xa6/0xd0
[   54.196875][ T3567]  ? vscnprintf+0x59/0x80
[   54.201300][ T3567]  panic+0x318/0x764
[   54.205202][ T3567]  ? check_panic_on_warn+0x1d/0xa0
[   54.210327][ T3567]  ? memcpy_page_flushcache+0xfc/0xfc
[   54.215715][ T3567]  ? _raw_spin_unlock_irqrestore+0x128/0x130
[   54.221705][ T3567]  ? _raw_spin_unlock+0x40/0x40
[   54.226566][ T3567]  ? print_report+0x4a3/0x4f0
[   54.231259][ T3567]  check_panic_on_warn+0x7e/0xa0
[   54.236208][ T3567]  ? kfree_skb_reason+0x15b/0x390
[   54.241251][ T3567]  end_report+0x66/0x110
[   54.245498][ T3567]  kasan_report+0x143/0x160
[   54.250007][ T3567]  ? skb_release_head_state+0x1a4/0x230
[   54.255574][ T3567]  ? kfree_skb_reason+0x15b/0x390
[   54.260615][ T3567]  ? hci_req_sync_complete+0xee/0x280
[   54.265994][ T3567]  kfree_skb_reason+0x15b/0x390
[   54.270864][ T3567]  hci_req_sync_complete+0xee/0x280
[   54.276073][ T3567]  ? hci_req_run_skb+0x20/0x20
[   54.280845][ T3567]  hci_event_packet+0xc49/0x1510
[   54.285795][ T3567]  ? hci_remote_features_evt+0xab0/0xab0
[   54.291443][ T3567]  ? bis_list+0x290/0x290
[   54.295784][ T3567]  ? do_raw_spin_unlock+0x137/0x8a0
[   54.300992][ T3567]  ? hci_req_run_skb+0x20/0x20
[   54.305765][ T3567]  ? kcov_remote_start+0x4b5/0x7d0
[   54.310888][ T3567]  ? warn_bogus_irq_restore+0x20/0x20
[   54.316273][ T3567]  ? hci_send_to_monitor+0x99/0x4d0
[   54.321481][ T3567]  hci_rx_work+0x3cd/0xce0
[   54.325908][ T3567]  ? do_raw_spin_unlock+0x137/0x8a0
[   54.331117][ T3567]  ? process_one_work+0x7a9/0x11d0
[   54.336236][ T3567]  process_one_work+0x8a9/0x11d0
[   54.341191][ T3567]  ? worker_detach_from_pool+0x260/0x260
[   54.346833][ T3567]  ? _raw_spin_lock_irqsave+0x120/0x120
[   54.352389][ T3567]  ? kthread_data+0x4e/0xc0
[   54.356917][ T3567]  ? wq_worker_running+0x97/0x190
[   54.361959][ T3567]  worker_thread+0xa47/0x1200
[   54.366654][ T3567]  ? __sched_text_start+0x8/0x8
[   54.371529][ T3567]  kthread+0x28d/0x320
[   54.375601][ T3567]  ? worker_clr_flags+0x190/0x190
[   54.380635][ T3567]  ? kthread_blkcg+0xd0/0xd0
[   54.385231][ T3567]  ret_from_fork+0x1f/0x30
[   54.389667][ T3567]  </TASK>
[   54.392800][ T3567] Kernel Offset: disabled
[   54.397109][ T3567] Rebooting in 86400 seconds..