last executing test programs: kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.187' (ED25519) to the list of known hosts.
2024/06/09 21:31:30 fuzzer started
2024/06/09 21:31:31 dialing manager at 10.128.0.169:30006
[ 96.076833][ T29] audit: type=1400 audit(1717968690.981:87): avc: denied { node_bind } for pid=5078 comm="syz-fuzzer" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 96.104711][ T29] audit: type=1400 audit(1717968691.011:88): avc: denied { name_bind } for pid=5078 comm="syz-fuzzer" src=6060 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=1
[ 96.567739][ T29] audit: type=1400 audit(1717968691.471:89): avc: denied { mounton } for pid=5088 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 96.628534][ T29] audit: type=1400 audit(1717968691.481:90): avc: denied { setattr } for pid=5089 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=733 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 96.653207][ T29] audit: type=1400 audit(1717968691.521:91): avc: denied { mount } for pid=5088 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 96.674774][ T5087] cgroup: Unknown subsys name 'net'
[ 96.714709][ T29] audit: type=1400 audit(1717968691.521:92): avc: denied { create } for pid=5091 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 96.777769][ T29] audit: type=1400 audit(1717968691.521:93): avc: denied { write } for pid=5091 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 96.812845][ T29] audit: type=1400 audit(1717968691.531:94): avc: denied { read } for pid=5091 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 96.834573][ T29] audit: type=1400 audit(1717968691.551:95): avc: denied { mounton } for pid=5087 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 96.858110][ T29] audit: type=1400 audit(1717968691.551:96): avc: denied { mount } for pid=5087 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 96.884082][ T5092] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 96.943943][ T5087] cgroup: Unknown subsys name 'rlimit'
[ 97.620767][ T1158] cfg80211: failed to load regulatory.db
2024/06/09 21:31:33 starting 5 executor processes
[ 98.785958][ T5086] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 98.802045][ T5086] syz-executor (5086) used greatest stack depth: 21200 bytes left
[ 101.310335][ T29] kauditd_printk_skb: 8 callbacks suppressed
[ 101.310358][ T29] audit: type=1400 audit(1717968696.221:105): avc: denied { mounton } for pid=5109 comm="syz-executor.4" path="/sys/fs/fuse/connections" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=dir permissive=1
[ 101.377118][ T29] audit: type=1400 audit(1717968696.251:106): avc: denied { mount } for pid=5109 comm="syz-executor.4" name="/" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1
[ 101.410090][ T29] audit: type=1400 audit(1717968696.251:107): avc: denied { create } for pid=5109 comm="syz-executor.4" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1
[ 101.433780][ T29] audit: type=1400 audit(1717968696.251:108): avc: denied { read write } for pid=5109 comm="syz-executor.4" name="vhci" dev="devtmpfs" ino=1077 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vhost_device_t tclass=chr_file permissive=1
[ 101.461113][ T29] audit: type=1400 audit(1717968696.251:109): avc: denied { open } for pid=5109 comm="syz-executor.4" path="/dev/vhci" dev="devtmpfs" ino=1077 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vhost_device_t tclass=chr_file permissive=1
[ 101.485758][ T29] audit: type=1400 audit(1717968696.311:110): avc: denied { ioctl } for pid=5111 comm="syz-executor.2" path="socket:[4451]" dev="sockfs" ino=4451 ioctlcmd=0x48c9 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1
[ 101.510334][ T5122] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 101.530776][ T5123] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 101.548354][ T5123] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 101.563011][ T5125] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 101.568647][ T5123] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 101.578445][ T5123] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 101.581608][ T5126] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 101.587366][ T5127] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 101.594575][ T5125] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 101.603838][ T5123] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 101.612704][ T5127] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 101.617649][ T5129] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 101.625875][ T5127] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 101.630190][ T5123] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 101.637272][ T5127] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 101.651347][ T5129] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 101.652879][ T5127] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 101.659861][ T5123] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 101.672961][ T5127] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 101.681357][ T4481] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 101.688110][ T5127] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 101.689416][ T29] audit: type=1400 audit(1717968696.591:111): avc: denied { read } for pid=5111 comm="syz-executor.2" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 101.696758][ T5127] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 101.717017][ T5123] ==================================================================
[ 101.726181][ T5127] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 101.732082][ T5123] BUG: KASAN: double-free in kfree_skbmem+0x10e/0x200
[ 101.740355][ T4481] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 101.745857][ T5123] Free of addr ffff88805f3aaa00 by task kworker/u9:5/5123
[ 101.755424][ T5122] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 101.759919][ T5123]
[ 101.759944][ T5123] CPU: 0 PID: 5123 Comm: kworker/u9:5 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0
2024/06/09 21:31:36 SYZFATAL: failed to recv *flatrpc.HostMessageRaw: EOF
[ 101.759983][ T5123] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 101.760007][ T5123] Workqueue: hci1 hci_rx_work
[ 101.794518][ T5123] Call Trace:
[ 101.797840][ T5123]
[ 101.800806][ T5123] dump_stack_lvl+0x116/0x1f0
[ 101.805574][ T5123] print_report+0xc3/0x620
[ 101.810059][ T5123] ? __virt_addr_valid+0x5e/0x580
[ 101.815126][ T5123] ? __phys_addr+0xc6/0x150
[ 101.819675][ T5123] ? kfree_skbmem+0x10e/0x200
[ 101.824420][ T5123] kasan_report_invalid_free+0xaa/0xd0
[ 101.829947][ T5123] ? kfree_skbmem+0x10e/0x200
[ 101.834710][ T5123] ? kfree_skbmem+0x10e/0x200
[ 101.839475][ T5123] poison_slab_object+0x135/0x160
[ 101.844582][ T5123] __kasan_slab_free+0x32/0x50
[ 101.849416][ T5123] kmem_cache_free+0x12f/0x3a0
[ 101.854247][ T5123] ? skb_release_data+0x761/0x980
[ 101.859391][ T5123] ? kfree_skbmem+0x10e/0x200
[ 101.864110][ T5123] kfree_skbmem+0x10e/0x200
[ 101.868657][ T5123] kfree_skb_reason+0x138/0x210
[ 101.873537][ T5123] hci_req_sync_complete+0x16c/0x270
[ 101.878866][ T5123] hci_event_packet+0x963/0x1170
[ 101.883843][ T5123] ? __pfx_hci_cmd_complete_evt+0x10/0x10
[ 101.889589][ T5123] ? __pfx_hci_event_packet+0x10/0x10
[ 101.894995][ T5123] ? mark_held_locks+0x9f/0xe0
[ 101.899800][ T5123] ? kcov_remote_start+0x3d1/0x6e0
[ 101.904934][ T5123] ? __pfx_hci_req_sync_complete+0x10/0x10
[ 101.910784][ T5123] ? lockdep_hardirqs_on+0x7c/0x110
[ 101.916008][ T5123] hci_rx_work+0x2c4/0x1610
[ 101.920555][ T5123] process_one_work+0x9fb/0x1b60
[ 101.925551][ T5123] ? __pfx_hci_cmd_work+0x10/0x10
[ 101.930601][ T5123] ? __pfx_process_one_work+0x10/0x10
[ 101.935998][ T5123] ? assign_work+0x1a0/0x250
[ 101.940630][ T5123] worker_thread+0x6c8/0xf70
[ 101.945245][ T5123] ? __pfx_worker_thread+0x10/0x10
[ 101.950381][ T5123] kthread+0x2c1/0x3a0
[ 101.954475][ T5123] ? _raw_spin_unlock_irq+0x23/0x50
[ 101.959714][ T5123] ? __pfx_kthread+0x10/0x10
[ 101.964330][ T5123] ret_from_fork+0x45/0x80
[ 101.968780][ T5123] ? __pfx_kthread+0x10/0x10
[ 101.973399][ T5123] ret_from_fork_asm+0x1a/0x30
[ 101.978224][ T5123]
[ 101.981253][ T5123]
[ 101.983582][ T5123] Allocated by task 5123:
[ 101.987936][ T5123] kasan_save_stack+0x33/0x60
[ 101.992662][ T5123] kasan_save_track+0x14/0x30
[ 101.997404][ T5123] __kasan_slab_alloc+0x89/0x90
[ 102.002290][ T5123] kmem_cache_alloc_noprof+0x121/0x2f0
[ 102.007771][ T5123] skb_clone+0x190/0x3f0
[ 102.012052][ T5123] hci_cmd_work+0x66a/0x710
[ 102.016583][ T5123] process_one_work+0x9fb/0x1b60
[ 102.021555][ T5123] worker_thread+0x6c8/0xf70
[ 102.026182][ T5123] kthread+0x2c1/0x3a0
[ 102.030277][ T5123] ret_from_fork+0x45/0x80
[ 102.034725][ T5123] ret_from_fork_asm+0x1a/0x30
[ 102.039528][ T5123]
[ 102.041860][ T5123] Freed by task 5111:
[ 102.045848][ T5123] kasan_save_stack+0x33/0x60
[ 102.050563][ T5123] kasan_save_track+0x14/0x30
[ 102.055270][ T5123] kasan_save_free_info+0x3b/0x60
[ 102.060318][ T5123] poison_slab_object+0xf7/0x160
[ 102.065289][ T5123] __kasan_slab_free+0x32/0x50
[ 102.070083][ T5123] kmem_cache_free+0x12f/0x3a0
[ 102.074878][ T5123] kfree_skbmem+0x10e/0x200
[ 102.079414][ T5123] kfree_skb_reason+0x138/0x210
[ 102.084287][ T5123] __hci_req_sync+0x61d/0x980
[ 102.089001][ T5123] hci_req_sync+0x97/0xd0
[ 102.093361][ T5123] hci_dev_cmd+0x634/0x960
[ 102.097833][ T5123] hci_sock_ioctl+0x4f3/0x880
[ 102.102550][ T5123] sock_do_ioctl+0x116/0x280
[ 102.107170][ T5123] sock_ioctl+0x22e/0x6c0
[ 102.111534][ T5123] __x64_sys_ioctl+0x193/0x220
[ 102.116321][ T5123] do_syscall_64+0xcd/0x250
[ 102.120866][ T5123] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 102.126800][ T5123]
[ 102.129133][ T5123] The buggy address belongs to the object at ffff88805f3aaa00
[ 102.129133][ T5123] which belongs to the cache skbuff_head_cache of size 240
[ 102.143725][ T5123] The buggy address is located 0 bytes inside of
[ 102.143725][ T5123] 240-byte region [ffff88805f3aaa00, ffff88805f3aaaf0)
[ 102.156849][ T5123]
[ 102.159179][ T5123] The buggy address belongs to the physical page:
[ 102.165622][ T5123] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5f3aa
[ 102.174405][ T5123] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 102.181533][ T5123] page_type: 0xffffefff(slab)
[ 102.186248][ T5123] raw: 00fff00000000000 ffff888018eda780 dead000000000122 0000000000000000
[ 102.194849][ T5123] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 102.203443][ T5123] page dumped because: kasan: bad access detected
[ 102.209889][ T5123] page_owner tracks the page as allocated
[ 102.215605][ T5123] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4526, tgid 4526 (klogd), ts 101677830450, free_ts 34285192975
[ 102.234393][ T5123] post_alloc_hook+0x2d1/0x350
[ 102.239213][ T5123] get_page_from_freelist+0x136a/0x2e50
[ 102.244792][ T5123] __alloc_pages_noprof+0x22b/0x2460
[ 102.250117][ T5123] alloc_slab_page+0x56/0x110
[ 102.254822][ T5123] new_slab+0x84/0x260
[ 102.258927][ T5123] ___slab_alloc+0xdac/0x1870
[ 102.263665][ T5123] __slab_alloc.constprop.0+0x56/0xb0
[ 102.269079][ T5123] kmem_cache_alloc_node_noprof+0xed/0x310
[ 102.274906][ T5123] __alloc_skb+0x2b1/0x380
[ 102.279385][ T5123] alloc_skb_with_frags+0xe4/0x710
[ 102.284546][ T5123] sock_alloc_send_pskb+0x7f1/0x980
[ 102.289765][ T5123] unix_dgram_sendmsg+0x4b8/0x1a60
[ 102.294987][ T5123] __sys_sendto+0x47f/0x4e0
[ 102.299516][ T5123] __x64_sys_sendto+0xe0/0x1c0
[ 102.304328][ T5123] do_syscall_64+0xcd/0x250
[ 102.308858][ T5123] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 102.314781][ T5123] page last free pid 1 tgid 1 stack trace:
[ 102.320600][ T5123] free_unref_page+0x64a/0xe40
[ 102.325392][ T5123] free_contig_range+0xb6/0x1a0
[ 102.330274][ T5123] destroy_args+0xa4e/0xe20
[ 102.334806][ T5123] debug_vm_pgtable+0x16db/0x3220
[ 102.339862][ T5123] do_one_initcall+0x128/0x700
[ 102.344678][ T5123] kernel_init_freeable+0x69d/0xca0
[ 102.349899][ T5123] kernel_init+0x1c/0x2b0
[ 102.354255][ T5123] ret_from_fork+0x45/0x80
[ 102.358711][ T5123] ret_from_fork_asm+0x1a/0x30
[ 102.363510][ T5123]
[ 102.365840][ T5123] Memory state around the buggy address:
[ 102.371564][ T5123] ffff88805f3aa900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 102.379639][ T5123] ffff88805f3aa980: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 102.387719][ T5123] >ffff88805f3aaa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 102.395791][ T5123] ^
[ 102.399873][ T5123] ffff88805f3aaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 102.407950][ T5123] ffff88805f3aab00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 102.416025][ T5123] ==================================================================
[ 102.426483][ T5123] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 102.433739][ T5123] CPU: 0 PID: 5123 Comm: kworker/u9:5 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0
[ 102.444038][ T5123] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 102.454145][ T5123] Workqueue: hci1 hci_rx_work
[ 102.458883][ T5123] Call Trace:
[ 102.462281][ T5123]
[ 102.465252][ T5123] dump_stack_lvl+0x3d/0x1f0
[ 102.469929][ T5123] panic+0x6f5/0x7a0
[ 102.473902][ T5123] ? __pfx_panic+0x10/0x10
[ 102.478390][ T5123] ? irqentry_exit+0x3b/0x90
[ 102.483036][ T5123] ? lockdep_hardirqs_on+0x7c/0x110
[ 102.488291][ T5123] ? preempt_schedule_thunk+0x1a/0x30
[ 102.493727][ T5123] ? preempt_schedule_common+0x44/0xc0
[ 102.499263][ T5123] check_panic_on_warn+0xab/0xb0
[ 102.504288][ T5123] end_report+0x117/0x180
[ 102.508665][ T5123] ? kfree_skbmem+0x10e/0x200
[ 102.513408][ T5123] kasan_report_invalid_free+0xba/0xd0
[ 102.518928][ T5123] ? kfree_skbmem+0x10e/0x200
[ 102.523679][ T5123] ? kfree_skbmem+0x10e/0x200
[ 102.528430][ T5123] poison_slab_object+0x135/0x160
[ 102.533539][ T5123] __kasan_slab_free+0x32/0x50
[ 102.538378][ T5123] kmem_cache_free+0x12f/0x3a0
[ 102.543217][ T5123] ? skb_release_data+0x761/0x980
[ 102.548293][ T5123] ? kfree_skbmem+0x10e/0x200
[ 102.553043][ T5123] kfree_skbmem+0x10e/0x200
[ 102.557623][ T5123] kfree_skb_reason+0x138/0x210
[ 102.562546][ T5123] hci_req_sync_complete+0x16c/0x270
[ 102.567910][ T5123] hci_event_packet+0x963/0x1170
[ 102.572925][ T5123] ? __pfx_hci_cmd_complete_evt+0x10/0x10
[ 102.578698][ T5123] ? __pfx_hci_event_packet+0x10/0x10
[ 102.584222][ T5123] ? mark_held_locks+0x9f/0xe0
[ 102.589047][ T5123] ? kcov_remote_start+0x3d1/0x6e0
[ 102.594201][ T5123] ? __pfx_hci_req_sync_complete+0x10/0x10
[ 102.600079][ T5123] ? lockdep_hardirqs_on+0x7c/0x110
[ 102.605333][ T5123] hci_rx_work+0x2c4/0x1610
[ 102.609898][ T5123] process_one_work+0x9fb/0x1b60
[ 102.614901][ T5123] ? __pfx_hci_cmd_work+0x10/0x10
[ 102.619997][ T5123] ? __pfx_process_one_work+0x10/0x10
[ 102.625435][ T5123] ? assign_work+0x1a0/0x250
[ 102.630094][ T5123] worker_thread+0x6c8/0xf70
[ 102.634764][ T5123] ? __pfx_worker_thread+0x10/0x10
[ 102.639923][ T5123] kthread+0x2c1/0x3a0
[ 102.644043][ T5123] ? _raw_spin_unlock_irq+0x23/0x50
[ 102.649303][ T5123] ? __pfx_kthread+0x10/0x10
[ 102.653948][ T5123] ret_from_fork+0x45/0x80
[ 102.658444][ T5123] ? __pfx_kthread+0x10/0x10
[ 102.663176][ T5123] ret_from_fork_asm+0x1a/0x30
[ 102.668104][ T5123]
[ 102.671622][ T5123] Kernel Offset: disabled
[ 102.675963][ T5123] Rebooting in 86400 seconds..