last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.0.182' (ED25519) to the list of known hosts.
[  101.837087][   T57] cfg80211: failed to load regulatory.db
[  102.751467][ T5079] cgroup: Unknown subsys name 'net'
[  102.968242][ T5079] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[  105.116608][ T5079] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[  108.447618][ T5101] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[  108.465469][ T5096] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[  108.473548][ T5101] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[  108.484339][ T5096] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[  108.492086][ T5101] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[  108.500631][ T5110] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[  108.501665][ T5096] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[  108.510334][ T5110] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[  108.522900][ T5110] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[  108.531311][ T5096] Bluetooth: hci5: unexpected cc 0x0c03 length: 249 > 1
[  108.533990][ T5110] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[  108.544944][ T5101] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[  108.546762][ T5110] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[  108.553417][ T5101] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[  108.562055][ T5110] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[  108.566455][ T5096] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[  108.575192][ T5110] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[  108.581025][ T5101] Bluetooth: hci5: unexpected cc 0x1003 length: 249 > 9
[  108.589179][ T5110] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[  108.596978][ T5101] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[  108.603310][ T5110] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[  108.609188][ T5096] Bluetooth: hci5: unexpected cc 0x1001 length: 249 > 9
[  108.619938][ T5110] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[  108.622791][ T5101] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[  108.632286][ T5110] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[  108.636581][ T5096] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[  108.644727][ T5110] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[  108.649796][ T5101] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[  108.658202][ T5110] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[  108.674045][ T5096] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[  108.707128][ T5101] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[  108.715243][ T5101] Bluetooth: hci5: unexpected cc 0x0c23 length: 249 > 4
[  108.722540][ T5101] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[  108.730940][ T5096] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[  108.739338][ T5096] Bluetooth: hci5: unexpected cc 0x0c25 length: 249 > 3
[  108.747945][ T5101] Bluetooth: hci5: unexpected cc 0x0c38 length: 249 > 2
[  108.774060][ T5105] ==================================================================
[  108.782150][ T5105] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x36/0x210
[  108.789918][ T5105] Read of size 4 at addr ffff88802253dae4 by task syz-executor/5105
[  108.798027][ T5105] 
[  108.800363][ T5105] CPU: 1 PID: 5105 Comm: syz-executor Not tainted 6.10.0-rc6-syzkaller-00061-ge9d22f7a6655 #0
[  108.810634][ T5105] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[  108.820711][ T5105] Call Trace:
[  108.824004][ T5105]  <TASK>
[  108.826958][ T5105]  dump_stack_lvl+0x116/0x1f0
[  108.831689][ T5105]  print_report+0xc3/0x620
[  108.836145][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  108.841821][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  108.847495][ T5105]  ? __phys_addr+0xc6/0x150
[  108.852044][ T5105]  kasan_report+0xd9/0x110
[  108.856504][ T5105]  ? kfree_skb_reason+0x36/0x210
[  108.861492][ T5105]  ? kfree_skb_reason+0x36/0x210
[  108.866485][ T5105]  kasan_check_range+0xef/0x1a0
[  108.871386][ T5105]  kfree_skb_reason+0x36/0x210
[  108.876199][ T5105]  __hci_req_sync+0x61d/0x980
[  108.880924][ T5105]  ? __pfx___hci_req_sync+0x10/0x10
[  108.886163][ T5105]  ? __mutex_lock+0x1a6/0x9c0
[  108.891059][ T5105]  ? __pfx_autoremove_wake_function+0x10/0x10
[  108.897167][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  108.902926][ T5105]  ? hci_req_sync+0x3f/0xd0
[  108.907502][ T5105]  ? __pfx___might_resched+0x10/0x10
[  108.912839][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  108.918512][ T5105]  ? aa_get_newest_label+0x376/0x680
[  108.923855][ T5105]  hci_req_sync+0x97/0xd0
[  108.928211][ T5105]  ? __pfx_hci_scan_req+0x10/0x10
[  108.933266][ T5105]  hci_dev_cmd+0x634/0x960
[  108.937805][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  108.943464][ T5105]  ? __pfx_hci_dev_cmd+0x10/0x10
[  108.948440][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  108.954184][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  108.959841][ T5105]  ? security_capable+0x98/0xd0
[  108.964742][ T5105]  hci_sock_ioctl+0x4f3/0x880
[  108.969452][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  108.975147][ T5105]  ? __pfx_hci_sock_ioctl+0x10/0x10
[  108.980382][ T5105]  ? __pfx_tomoyo_path_number_perm+0x10/0x10
[  108.986390][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  108.992051][ T5105]  sock_do_ioctl+0x119/0x280
[  108.996681][ T5105]  ? __pfx_sock_do_ioctl+0x10/0x10
[  109.002012][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  109.007686][ T5105]  sock_ioctl+0x22e/0x6c0
[  109.012058][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  109.016952][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  109.023132][ T5105]  ? __fget_files+0x256/0x400
[  109.027850][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  109.033505][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  109.038399][ T5105]  __x64_sys_ioctl+0x196/0x220
[  109.043210][ T5105]  do_syscall_64+0xcd/0x250
[  109.047779][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  109.053718][ T5105] RIP: 0033:0x7f07695757db
[  109.058145][ T5105] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[  109.077780][ T5105] RSP: 002b:00007ffd21b24990 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  109.086217][ T5105] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f07695757db
[  109.094208][ T5105] RDX: 00007ffd21b24a08 RSI: 00000000400448dd RDI: 0000000000000003
[  109.102194][ T5105] RBP: 00005555849894a8 R08: 0000000000000000 R09: 0000000000000000
[  109.110190][ T5105] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[  109.118185][ T5105] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[  109.126192][ T5105]  </TASK>
[  109.129217][ T5105] 
[  109.131540][ T5105] Allocated by task 5108:
[  109.135870][ T5105]  kasan_save_stack+0x33/0x60
[  109.140566][ T5105]  kasan_save_track+0x14/0x30
[  109.145258][ T5105]  __kasan_slab_alloc+0x89/0x90
[  109.150128][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  109.155612][ T5105]  skb_clone+0x190/0x3f0
[  109.159876][ T5105]  hci_cmd_work+0x66a/0x710
[  109.164406][ T5105]  process_one_work+0x9c8/0x1b40
[  109.169373][ T5105]  worker_thread+0x6c8/0xf30
[  109.173993][ T5105]  kthread+0x2c4/0x3a0
[  109.178106][ T5105]  ret_from_fork+0x48/0x80
[  109.182560][ T5105]  ret_from_fork_asm+0x1a/0x30
[  109.187448][ T5105] 
[  109.189822][ T5105] Freed by task 5101:
[  109.193806][ T5105]  kasan_save_stack+0x33/0x60
[  109.198507][ T5105]  kasan_save_track+0x14/0x30
[  109.203199][ T5105]  kasan_save_free_info+0x3b/0x60
[  109.208254][ T5105]  poison_slab_object+0xf7/0x160
[  109.213230][ T5105]  __kasan_slab_free+0x32/0x50
[  109.218015][ T5105]  kmem_cache_free+0x12f/0x3a0
[  109.222805][ T5105]  kfree_skbmem+0x10e/0x200
[  109.227353][ T5105]  kfree_skb_reason+0x138/0x210
[  109.232233][ T5105]  hci_req_sync_complete+0x16c/0x270
[  109.237541][ T5105]  hci_event_packet+0x966/0x1170
[  109.242502][ T5105]  hci_rx_work+0x2c4/0x1610
[  109.247038][ T5105]  process_one_work+0x9c8/0x1b40
[  109.252090][ T5105]  worker_thread+0x6c8/0xf30
[  109.256794][ T5105]  kthread+0x2c4/0x3a0
[  109.260897][ T5105]  ret_from_fork+0x48/0x80
[  109.265355][ T5105]  ret_from_fork_asm+0x1a/0x30
[  109.270157][ T5105] 
[  109.272482][ T5105] The buggy address belongs to the object at ffff88802253da00
[  109.272482][ T5105]  which belongs to the cache skbuff_head_cache of size 240
[  109.287071][ T5105] The buggy address is located 228 bytes inside of
[  109.287071][ T5105]  freed 240-byte region [ffff88802253da00, ffff88802253daf0)
[  109.300889][ T5105] 
[  109.303212][ T5105] The buggy address belongs to the physical page:
[  109.309621][ T5105] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2253d
[  109.318394][ T5105] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[  109.325522][ T5105] page_type: 0xffffefff(slab)
[  109.330218][ T5105] raw: 00fff00000000000 ffff8880192ca780 dead000000000122 0000000000000000
[  109.338821][ T5105] raw: 0000000000000000 00000000800c000c 00000001ffffefff 0000000000000000
[  109.347418][ T5105] page dumped because: kasan: bad access detected
[  109.353831][ T5105] page_owner tracks the page as allocated
[  109.359541][ T5105] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4531, tgid 4531 (klogd), ts 108768216197, free_ts 108379094728
[  109.378420][ T5105]  post_alloc_hook+0x2d1/0x350
[  109.383222][ T5105]  get_page_from_freelist+0x1353/0x2e50
[  109.388805][ T5105]  __alloc_pages_noprof+0x22b/0x2460
[  109.394130][ T5105]  alloc_slab_page+0x56/0x110
[  109.398932][ T5105]  new_slab+0x84/0x260
[  109.403026][ T5105]  ___slab_alloc+0xdac/0x1870
[  109.407722][ T5105]  __slab_alloc.constprop.0+0x56/0xb0
[  109.413202][ T5105]  kmem_cache_alloc_node_noprof+0xed/0x310
[  109.419038][ T5105]  __alloc_skb+0x2b1/0x380
[  109.423496][ T5105]  alloc_skb_with_frags+0xe4/0x710
[  109.428636][ T5105]  sock_alloc_send_pskb+0x7f1/0x980
[  109.433852][ T5105]  unix_dgram_sendmsg+0x4b8/0x1a60
[  109.439077][ T5105]  __sys_sendto+0x482/0x4e0
[  109.443602][ T5105]  __x64_sys_sendto+0xe0/0x1c0
[  109.448388][ T5105]  do_syscall_64+0xcd/0x250
[  109.452923][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  109.458893][ T5105] page last free pid 5097 tgid 5089 stack trace:
[  109.465222][ T5105]  free_unref_page+0x64a/0xe40
[  109.470016][ T5105]  __put_partials+0x14c/0x170
[  109.474717][ T5105]  qlist_free_all+0x4e/0x140
[  109.479345][ T5105]  kasan_quarantine_reduce+0x192/0x1e0
[  109.485017][ T5105]  __kasan_slab_alloc+0x69/0x90
[  109.489979][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  109.495465][ T5105]  ptlock_alloc+0x1f/0x70
[  109.500011][ T5105]  pte_alloc_one+0x74/0x370
[  109.504555][ T5105]  __pte_alloc+0x6e/0x3a0
[  109.509003][ T5105]  __handle_mm_fault+0x4883/0x5430
[  109.514159][ T5105]  handle_mm_fault+0x476/0xa00
[  109.518962][ T5105]  do_user_addr_fault+0x426/0xe50
[  109.524024][ T5105]  exc_page_fault+0x5c/0xc0
[  109.528552][ T5105]  asm_exc_page_fault+0x26/0x30
[  109.533442][ T5105] 
[  109.535763][ T5105] Memory state around the buggy address:
[  109.541394][ T5105]  ffff88802253d980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[  109.549465][ T5105]  ffff88802253da00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  109.557534][ T5105] >ffff88802253da80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[  109.565602][ T5105]                                                        ^
[  109.572804][ T5105]  ffff88802253db00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[  109.581161][ T5105]  ffff88802253db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  109.589227][ T5105] ==================================================================
[  109.604118][ T5105] Disabling lock debugging due to kernel taint
[  109.610298][ T5105] ==================================================================
[  109.618456][ T5105] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x1f5/0x210
[  109.626311][ T5105] Read of size 4 at addr ffff88802253dae4 by task syz-executor/5105
[  109.634309][ T5105] 
[  109.636646][ T5105] CPU: 0 PID: 5105 Comm: syz-executor Tainted: G    B              6.10.0-rc6-syzkaller-00061-ge9d22f7a6655 #0
[  109.648391][ T5105] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[  109.658466][ T5105] Call Trace:
[  109.661763][ T5105]  <TASK>
[  109.664716][ T5105]  dump_stack_lvl+0x116/0x1f0
[  109.669444][ T5105]  print_report+0xc3/0x620
[  109.673902][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  109.679582][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  109.685254][ T5105]  ? __phys_addr+0xc6/0x150
[  109.689797][ T5105]  kasan_report+0xd9/0x110
[  109.694254][ T5105]  ? kfree_skb_reason+0x1f5/0x210
[  109.699326][ T5105]  ? kfree_skb_reason+0x1f5/0x210
[  109.704403][ T5105]  kfree_skb_reason+0x1f5/0x210
[  109.709299][ T5105]  __hci_req_sync+0x61d/0x980
[  109.714022][ T5105]  ? __pfx___hci_req_sync+0x10/0x10
[  109.719259][ T5105]  ? __mutex_lock+0x1a6/0x9c0
[  109.723981][ T5105]  ? __pfx_autoremove_wake_function+0x10/0x10
[  109.730089][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  109.736456][ T5105]  ? hci_req_sync+0x3f/0xd0
[  109.741011][ T5105]  ? __pfx___might_resched+0x10/0x10
[  109.746354][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  109.752032][ T5105]  ? aa_get_newest_label+0x376/0x680
[  109.757384][ T5105]  hci_req_sync+0x97/0xd0
[  109.761753][ T5105]  ? __pfx_hci_scan_req+0x10/0x10
[  109.766823][ T5105]  hci_dev_cmd+0x634/0x960
[  109.771291][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  109.776968][ T5105]  ? __pfx_hci_dev_cmd+0x10/0x10
[  109.781971][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  109.787648][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  109.793317][ T5105]  ? security_capable+0x98/0xd0
[  109.798232][ T5105]  hci_sock_ioctl+0x4f3/0x880
[  109.803049][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  109.808725][ T5105]  ? __pfx_hci_sock_ioctl+0x10/0x10
[  109.814058][ T5105]  ? __pfx_tomoyo_path_number_perm+0x10/0x10
[  109.820081][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  109.825758][ T5105]  sock_do_ioctl+0x119/0x280
[  109.830489][ T5105]  ? __pfx_sock_do_ioctl+0x10/0x10
[  109.835666][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  109.841344][ T5105]  sock_ioctl+0x22e/0x6c0
[  109.845732][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  109.850642][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  109.856322][ T5105]  ? __fget_files+0x256/0x400
[  109.861068][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  109.866751][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  109.871670][ T5105]  __x64_sys_ioctl+0x196/0x220
[  109.876487][ T5105]  do_syscall_64+0xcd/0x250
[  109.881050][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  109.887003][ T5105] RIP: 0033:0x7f07695757db
[  109.891539][ T5105] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[  109.911271][ T5105] RSP: 002b:00007ffd21b24990 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  109.919718][ T5105] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f07695757db
[  109.927714][ T5105] RDX: 00007ffd21b24a08 RSI: 00000000400448dd RDI: 0000000000000003
[  109.935707][ T5105] RBP: 00005555849894a8 R08: 0000000000000000 R09: 0000000000000000
[  109.943703][ T5105] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[  109.951697][ T5105] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[  109.959707][ T5105]  </TASK>
[  109.962832][ T5105] 
[  109.965165][ T5105] Allocated by task 5108:
[  109.969503][ T5105]  kasan_save_stack+0x33/0x60
[  109.974216][ T5105]  kasan_save_track+0x14/0x30
[  109.978922][ T5105]  __kasan_slab_alloc+0x89/0x90
[  109.983813][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  109.989309][ T5105]  skb_clone+0x190/0x3f0
[  109.993587][ T5105]  hci_cmd_work+0x66a/0x710
[  109.998143][ T5105]  process_one_work+0x9c8/0x1b40
[  110.003123][ T5105]  worker_thread+0x6c8/0xf30
[  110.007755][ T5105]  kthread+0x2c4/0x3a0
[  110.011909][ T5105]  ret_from_fork+0x48/0x80
[  110.016377][ T5105]  ret_from_fork_asm+0x1a/0x30
[  110.021191][ T5105] 
[  110.023525][ T5105] Freed by task 5101:
[  110.027524][ T5105]  kasan_save_stack+0x33/0x60
[  110.032229][ T5105]  kasan_save_track+0x14/0x30
[  110.037031][ T5105]  kasan_save_free_info+0x3b/0x60
[  110.042111][ T5105]  poison_slab_object+0xf7/0x160
[  110.047112][ T5105]  __kasan_slab_free+0x32/0x50
[  110.051910][ T5105]  kmem_cache_free+0x12f/0x3a0
[  110.056708][ T5105]  kfree_skbmem+0x10e/0x200
[  110.061268][ T5105]  kfree_skb_reason+0x138/0x210
[  110.066164][ T5105]  hci_req_sync_complete+0x16c/0x270
[  110.071495][ T5105]  hci_event_packet+0x966/0x1170
[  110.076469][ T5105]  hci_rx_work+0x2c4/0x1610
[  110.081110][ T5105]  process_one_work+0x9c8/0x1b40
[  110.086102][ T5105]  worker_thread+0x6c8/0xf30
[  110.090745][ T5105]  kthread+0x2c4/0x3a0
[  110.094875][ T5105]  ret_from_fork+0x48/0x80
[  110.099357][ T5105]  ret_from_fork_asm+0x1a/0x30
[  110.104180][ T5105] 
[  110.106512][ T5105] The buggy address belongs to the object at ffff88802253da00
[  110.106512][ T5105]  which belongs to the cache skbuff_head_cache of size 240
[  110.121199][ T5105] The buggy address is located 228 bytes inside of
[  110.121199][ T5105]  freed 240-byte region [ffff88802253da00, ffff88802253daf0)
[  110.135035][ T5105] 
[  110.137372][ T5105] The buggy address belongs to the physical page:
[  110.143803][ T5105] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2253d
[  110.152594][ T5105] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[  110.159730][ T5105] page_type: 0xffffefff(slab)
[  110.164435][ T5105] raw: 00fff00000000000 ffff8880192ca780 dead000000000122 0000000000000000
[  110.173056][ T5105] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[  110.181747][ T5105] page dumped because: kasan: bad access detected
[  110.188175][ T5105] page_owner tracks the page as allocated
[  110.194074][ T5105] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4531, tgid 4531 (klogd), ts 108768216197, free_ts 108379094728
[  110.200751][ T5092] chnl_net:caif_netlink_parms(): no params data found
[  110.212941][ T5105]  post_alloc_hook+0x2d1/0x350
[  110.212997][ T5105]  get_page_from_freelist+0x1353/0x2e50
[  110.213058][ T5105]  __alloc_pages_noprof+0x22b/0x2460
[  110.235422][ T5105]  alloc_slab_page+0x56/0x110
[  110.240154][ T5105]  new_slab+0x84/0x260
[  110.244252][ T5105]  ___slab_alloc+0xdac/0x1870
[  110.248963][ T5105]  __slab_alloc.constprop.0+0x56/0xb0
[  110.254372][ T5105]  kmem_cache_alloc_node_noprof+0xed/0x310
[  110.260219][ T5105]  __alloc_skb+0x2b1/0x380
[  110.264691][ T5105]  alloc_skb_with_frags+0xe4/0x710
[  110.270023][ T5105]  sock_alloc_send_pskb+0x7f1/0x980
[  110.275259][ T5105]  unix_dgram_sendmsg+0x4b8/0x1a60
[  110.280417][ T5105]  __sys_sendto+0x482/0x4e0
[  110.284961][ T5105]  __x64_sys_sendto+0xe0/0x1c0
[  110.289779][ T5105]  do_syscall_64+0xcd/0x250
[  110.294331][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  110.300282][ T5105] page last free pid 5097 tgid 5089 stack trace:
[  110.306621][ T5105]  free_unref_page+0x64a/0xe40
[  110.311433][ T5105]  __put_partials+0x14c/0x170
[  110.316140][ T5105]  qlist_free_all+0x4e/0x140
[  110.320781][ T5105]  kasan_quarantine_reduce+0x192/0x1e0
[  110.326295][ T5105]  __kasan_slab_alloc+0x69/0x90
[  110.331266][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  110.336763][ T5105]  ptlock_alloc+0x1f/0x70
[  110.341155][ T5105]  pte_alloc_one+0x74/0x370
[  110.345708][ T5105]  __pte_alloc+0x6e/0x3a0
[  110.350081][ T5105]  __handle_mm_fault+0x4883/0x5430
[  110.355247][ T5105]  handle_mm_fault+0x476/0xa00
[  110.360068][ T5105]  do_user_addr_fault+0x426/0xe50
[  110.365138][ T5105]  exc_page_fault+0x5c/0xc0
[  110.369683][ T5105]  asm_exc_page_fault+0x26/0x30
[  110.374590][ T5105] 
[  110.376924][ T5105] Memory state around the buggy address:
[  110.382568][ T5105]  ffff88802253d980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[  110.390655][ T5105]  ffff88802253da00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  110.398741][ T5105] >ffff88802253da80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[  110.406830][ T5105]                                                        ^
[  110.414055][ T5105]  ffff88802253db00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[  110.422203][ T5105]  ffff88802253db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  110.430267][ T5105] ==================================================================
[  110.439473][ T5105] ==================================================================
[  110.447552][ T5105] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x283/0x2b0
[  110.455918][ T5105] Read of size 8 at addr ffff88802253da58 by task syz-executor/5105
[  110.463897][ T5105] 
[  110.466217][ T5105] CPU: 0 PID: 5105 Comm: syz-executor Tainted: G    B              6.10.0-rc6-syzkaller-00061-ge9d22f7a6655 #0
[  110.478035][ T5105] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[  110.488103][ T5105] Call Trace:
[  110.491419][ T5105]  <TASK>
[  110.494363][ T5105]  dump_stack_lvl+0x116/0x1f0
[  110.499057][ T5105]  print_report+0xc3/0x620
[  110.503503][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  110.509152][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  110.514808][ T5105]  ? __phys_addr+0xc6/0x150
[  110.519344][ T5105]  kasan_report+0xd9/0x110
[  110.523776][ T5105]  ? skb_release_head_state+0x283/0x2b0
[  110.529361][ T5105]  ? skb_release_head_state+0x283/0x2b0
[  110.535016][ T5105]  skb_release_head_state+0x283/0x2b0
[  110.540407][ T5105]  kfree_skb_reason+0xed/0x210
[  110.545190][ T5105]  __hci_req_sync+0x61d/0x980
[  110.549885][ T5105]  ? __pfx___hci_req_sync+0x10/0x10
[  110.555097][ T5105]  ? __mutex_lock+0x1a6/0x9c0
[  110.559791][ T5105]  ? __pfx_autoremove_wake_function+0x10/0x10
[  110.565958][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  110.571692][ T5105]  ? hci_req_sync+0x3f/0xd0
[  110.576217][ T5105]  ? __pfx___might_resched+0x10/0x10
[  110.581529][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  110.587891][ T5105]  ? aa_get_newest_label+0x376/0x680
[  110.593495][ T5105]  hci_req_sync+0x97/0xd0
[  110.597861][ T5105]  ? __pfx_hci_scan_req+0x10/0x10
[  110.602902][ T5105]  hci_dev_cmd+0x634/0x960
[  110.607339][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  110.612987][ T5105]  ? __pfx_hci_dev_cmd+0x10/0x10
[  110.617953][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  110.623638][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  110.629300][ T5105]  ? security_capable+0x98/0xd0
[  110.634183][ T5105]  hci_sock_ioctl+0x4f3/0x880
[  110.638883][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  110.644527][ T5105]  ? __pfx_hci_sock_ioctl+0x10/0x10
[  110.649742][ T5105]  ? __pfx_tomoyo_path_number_perm+0x10/0x10
[  110.655737][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  110.661416][ T5105]  sock_do_ioctl+0x119/0x280
[  110.666147][ T5105]  ? __pfx_sock_do_ioctl+0x10/0x10
[  110.671290][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  110.676944][ T5105]  sock_ioctl+0x22e/0x6c0
[  110.681308][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  110.686210][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  110.691854][ T5105]  ? __fget_files+0x256/0x400
[  110.696554][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  110.702201][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  110.707076][ T5105]  __x64_sys_ioctl+0x196/0x220
[  110.711863][ T5105]  do_syscall_64+0xcd/0x250
[  110.716388][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  110.722308][ T5105] RIP: 0033:0x7f07695757db
[  110.726726][ T5105] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[  110.746343][ T5105] RSP: 002b:00007ffd21b24990 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  110.755129][ T5105] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f07695757db
[  110.763105][ T5105] RDX: 00007ffd21b24a08 RSI: 00000000400448dd RDI: 0000000000000003
[  110.771121][ T5105] RBP: 00005555849894a8 R08: 0000000000000000 R09: 0000000000000000
[  110.779248][ T5105] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[  110.787310][ T5105] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[  110.791154][ T5096] Bluetooth: hci3: command tx timeout
[  110.795285][ T5105]  </TASK>
[  110.795300][ T5105] 
[  110.806005][ T5105] Allocated by task 5108:
[  110.810352][ T5105]  kasan_save_stack+0x33/0x60
[  110.815054][ T5105]  kasan_save_track+0x14/0x30
[  110.819762][ T5105]  __kasan_slab_alloc+0x89/0x90
[  110.824630][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  110.830102][ T5105]  skb_clone+0x190/0x3f0
[  110.834355][ T5105]  hci_cmd_work+0x66a/0x710
[  110.838873][ T5105]  process_one_work+0x9c8/0x1b40
[  110.843827][ T5105]  worker_thread+0x6c8/0xf30
[  110.848432][ T5105]  kthread+0x2c4/0x3a0
[  110.852530][ T5105]  ret_from_fork+0x48/0x80
[  110.856969][ T5105]  ret_from_fork_asm+0x1a/0x30
[  110.861753][ T5105] 
[  110.864076][ T5105] Freed by task 5101:
[  110.868052][ T5105]  kasan_save_stack+0x33/0x60
[  110.872743][ T5105]  kasan_save_track+0x14/0x30
[  110.877438][ T5105]  kasan_save_free_info+0x3b/0x60
[  110.882481][ T5105]  poison_slab_object+0xf7/0x160
[  110.887442][ T5105]  __kasan_slab_free+0x32/0x50
[  110.892211][ T5105]  kmem_cache_free+0x12f/0x3a0
[  110.896980][ T5105]  kfree_skbmem+0x10e/0x200
[  110.901530][ T5105]  kfree_skb_reason+0x138/0x210
[  110.906399][ T5105]  hci_req_sync_complete+0x16c/0x270
[  110.911694][ T5105]  hci_event_packet+0x966/0x1170
[  110.916640][ T5105]  hci_rx_work+0x2c4/0x1610
[  110.921166][ T5105]  process_one_work+0x9c8/0x1b40
[  110.926136][ T5105]  worker_thread+0x6c8/0xf30
[  110.930739][ T5105]  kthread+0x2c4/0x3a0
[  110.934848][ T5105]  ret_from_fork+0x48/0x80
[  110.939288][ T5105]  ret_from_fork_asm+0x1a/0x30
[  110.944098][ T5105] 
[  110.946440][ T5105] The buggy address belongs to the object at ffff88802253da00
[  110.946440][ T5105]  which belongs to the cache skbuff_head_cache of size 240
[  110.961024][ T5105] The buggy address is located 88 bytes inside of
[  110.961024][ T5105]  freed 240-byte region [ffff88802253da00, ffff88802253daf0)
[  110.974791][ T5105] 
[  110.977111][ T5105] The buggy address belongs to the physical page:
[  110.983513][ T5105] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2253d
[  110.992277][ T5105] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[  110.999384][ T5105] page_type: 0xffffefff(slab)
[  111.004070][ T5105] raw: 00fff00000000000 ffff8880192ca780 dead000000000122 0000000000000000
[  111.012660][ T5105] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[  111.021248][ T5105] page dumped because: kasan: bad access detected
[  111.027664][ T5105] page_owner tracks the page as allocated
[  111.033399][ T5105] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4531, tgid 4531 (klogd), ts 108768216197, free_ts 108379094728
[  111.052258][ T5105]  post_alloc_hook+0x2d1/0x350
[  111.057063][ T5105]  get_page_from_freelist+0x1353/0x2e50
[  111.062638][ T5105]  __alloc_pages_noprof+0x22b/0x2460
[  111.067946][ T5105]  alloc_slab_page+0x56/0x110
[  111.072644][ T5105]  new_slab+0x84/0x260
[  111.076721][ T5105]  ___slab_alloc+0xdac/0x1870
[  111.081417][ T5105]  __slab_alloc.constprop.0+0x56/0xb0
[  111.086823][ T5105]  kmem_cache_alloc_node_noprof+0xed/0x310
[  111.092729][ T5105]  __alloc_skb+0x2b1/0x380
[  111.097177][ T5105]  alloc_skb_with_frags+0xe4/0x710
[  111.102307][ T5105]  sock_alloc_send_pskb+0x7f1/0x980
[  111.107516][ T5105]  unix_dgram_sendmsg+0x4b8/0x1a60
[  111.112644][ T5105]  __sys_sendto+0x482/0x4e0
[  111.117154][ T5105]  __x64_sys_sendto+0xe0/0x1c0
[  111.121928][ T5105]  do_syscall_64+0xcd/0x250
[  111.126449][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  111.132392][ T5105] page last free pid 5097 tgid 5089 stack trace:
[  111.138719][ T5105]  free_unref_page+0x64a/0xe40
[  111.143507][ T5105]  __put_partials+0x14c/0x170
[  111.148200][ T5105]  qlist_free_all+0x4e/0x140
[  111.152815][ T5105]  kasan_quarantine_reduce+0x192/0x1e0
[  111.158306][ T5105]  __kasan_slab_alloc+0x69/0x90
[  111.163170][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  111.168642][ T5105]  ptlock_alloc+0x1f/0x70
[  111.173014][ T5105]  pte_alloc_one+0x74/0x370
[  111.177543][ T5105]  __pte_alloc+0x6e/0x3a0
[  111.181894][ T5105]  __handle_mm_fault+0x4883/0x5430
[  111.187046][ T5105]  handle_mm_fault+0x476/0xa00
[  111.191838][ T5105]  do_user_addr_fault+0x426/0xe50
[  111.196890][ T5105]  exc_page_fault+0x5c/0xc0
[  111.201436][ T5105]  asm_exc_page_fault+0x26/0x30
[  111.206443][ T5105] 
[  111.208761][ T5105] Memory state around the buggy address:
[  111.214387][ T5105]  ffff88802253d900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  111.222459][ T5105]  ffff88802253d980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[  111.230521][ T5105] >ffff88802253da00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  111.238582][ T5105]                                                     ^
[  111.245514][ T5105]  ffff88802253da80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[  111.253608][ T5105]  ffff88802253db00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[  111.261677][ T5105] ==================================================================
[  111.269982][ T5096] Bluetooth: hci1: command tx timeout
[  111.275493][ T5096] Bluetooth: hci0: command tx timeout
[  111.275545][ T5101] Bluetooth: hci2: command tx timeout
[  111.281048][ T5108] Bluetooth: hci4: command tx timeout
[  111.286815][ T5105] ==================================================================
[  111.299661][ T5105] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x28d/0x2b0
[  111.308036][ T5105] Read of size 8 at addr ffff88802253da60 by task syz-executor/5105
[  111.316047][ T5105] 
[  111.318383][ T5105] CPU: 0 PID: 5105 Comm: syz-executor Tainted: G    B              6.10.0-rc6-syzkaller-00061-ge9d22f7a6655 #0
[  111.330106][ T5105] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[  111.340173][ T5105] Call Trace:
[  111.343470][ T5105]  <TASK>
[  111.346418][ T5105]  dump_stack_lvl+0x116/0x1f0
[  111.351145][ T5105]  print_report+0xc3/0x620
[  111.355608][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  111.361284][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  111.366960][ T5105]  ? __phys_addr+0xc6/0x150
[  111.371595][ T5105]  kasan_report+0xd9/0x110
[  111.376056][ T5105]  ? skb_release_head_state+0x28d/0x2b0
[  111.381651][ T5105]  ? skb_release_head_state+0x28d/0x2b0
[  111.387245][ T5105]  skb_release_head_state+0x28d/0x2b0
[  111.392658][ T5105]  kfree_skb_reason+0xed/0x210
[  111.397443][ T5105]  __hci_req_sync+0x61d/0x980
[  111.402163][ T5105]  ? __pfx___hci_req_sync+0x10/0x10
[  111.407396][ T5105]  ? __mutex_lock+0x1a6/0x9c0
[  111.412188][ T5105]  ? __pfx_autoremove_wake_function+0x10/0x10
[  111.418299][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  111.424059][ T5105]  ? hci_req_sync+0x3f/0xd0
[  111.428700][ T5105]  ? __pfx___might_resched+0x10/0x10
[  111.434043][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  111.439722][ T5105]  ? aa_get_newest_label+0x376/0x680
[  111.445078][ T5105]  hci_req_sync+0x97/0xd0
[  111.449451][ T5105]  ? __pfx_hci_scan_req+0x10/0x10
[  111.455135][ T5105]  hci_dev_cmd+0x634/0x960
[  111.459611][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  111.465273][ T5105]  ? __pfx_hci_dev_cmd+0x10/0x10
[  111.470255][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  111.475906][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  111.481580][ T5105]  ? security_capable+0x98/0xd0
[  111.486498][ T5105]  hci_sock_ioctl+0x4f3/0x880
[  111.491223][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  111.496898][ T5105]  ? __pfx_hci_sock_ioctl+0x10/0x10
[  111.502143][ T5105]  ? __pfx_tomoyo_path_number_perm+0x10/0x10
[  111.508174][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  111.513856][ T5105]  sock_do_ioctl+0x119/0x280
[  111.518502][ T5105]  ? __pfx_sock_do_ioctl+0x10/0x10
[  111.523680][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  111.529351][ T5105]  sock_ioctl+0x22e/0x6c0
[  111.533712][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  111.538591][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  111.544242][ T5105]  ? __fget_files+0x256/0x400
[  111.548969][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  111.554619][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  111.559496][ T5105]  __x64_sys_ioctl+0x196/0x220
[  111.564288][ T5105]  do_syscall_64+0xcd/0x250
[  111.568816][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  111.574739][ T5105] RIP: 0033:0x7f07695757db
[  111.579160][ T5105] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[  111.598808][ T5105] RSP: 002b:00007ffd21b24990 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  111.607257][ T5105] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f07695757db
[  111.615235][ T5105] RDX: 00007ffd21b24a08 RSI: 00000000400448dd RDI: 0000000000000003
[  111.623210][ T5105] RBP: 00005555849894a8 R08: 0000000000000000 R09: 0000000000000000
[  111.631207][ T5105] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[  111.639190][ T5105] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[  111.647175][ T5105]  </TASK>
[  111.650192][ T5105] 
[  111.652533][ T5105] Allocated by task 5108:
[  111.656942][ T5105]  kasan_save_stack+0x33/0x60
[  111.661628][ T5105]  kasan_save_track+0x14/0x30
[  111.666310][ T5105]  __kasan_slab_alloc+0x89/0x90
[  111.671167][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  111.676637][ T5105]  skb_clone+0x190/0x3f0
[  111.680897][ T5105]  hci_cmd_work+0x66a/0x710
[  111.685438][ T5105]  process_one_work+0x9c8/0x1b40
[  111.690391][ T5105]  worker_thread+0x6c8/0xf30
[  111.694998][ T5105]  kthread+0x2c4/0x3a0
[  111.699096][ T5105]  ret_from_fork+0x48/0x80
[  111.703554][ T5105]  ret_from_fork_asm+0x1a/0x30
[  111.708339][ T5105] 
[  111.710663][ T5105] Freed by task 5101:
[  111.714638][ T5105]  kasan_save_stack+0x33/0x60
[  111.719342][ T5105]  kasan_save_track+0x14/0x30
[  111.724041][ T5105]  kasan_save_free_info+0x3b/0x60
[  111.729085][ T5105]  poison_slab_object+0xf7/0x160
[  111.734068][ T5105]  __kasan_slab_free+0x32/0x50
[  111.738876][ T5105]  kmem_cache_free+0x12f/0x3a0
[  111.743649][ T5105]  kfree_skbmem+0x10e/0x200
[  111.748206][ T5105]  kfree_skb_reason+0x138/0x210
[  111.753073][ T5105]  hci_req_sync_complete+0x16c/0x270
[  111.758370][ T5105]  hci_event_packet+0x966/0x1170
[  111.763316][ T5105]  hci_rx_work+0x2c4/0x1610
[  111.767864][ T5105]  process_one_work+0x9c8/0x1b40
[  111.772830][ T5105]  worker_thread+0x6c8/0xf30
[  111.777434][ T5105]  kthread+0x2c4/0x3a0
[  111.781523][ T5105]  ret_from_fork+0x48/0x80
[  111.785961][ T5105]  ret_from_fork_asm+0x1a/0x30
[  111.790747][ T5105] 
[  111.793165][ T5105] The buggy address belongs to the object at ffff88802253da00
[  111.793165][ T5105]  which belongs to the cache skbuff_head_cache of size 240
[  111.807761][ T5105] The buggy address is located 96 bytes inside of
[  111.807761][ T5105]  freed 240-byte region [ffff88802253da00, ffff88802253daf0)
[  111.821508][ T5105] 
[  111.823828][ T5105] The buggy address belongs to the physical page:
[  111.830237][ T5105] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2253d
[  111.839005][ T5105] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[  111.846121][ T5105] page_type: 0xffffefff(slab)
[  111.850805][ T5105] raw: 00fff00000000000 ffff8880192ca780 dead000000000122 0000000000000000
[  111.859398][ T5105] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[  111.867979][ T5105] page dumped because: kasan: bad access detected
[  111.874383][ T5105] page_owner tracks the page as allocated
[  111.880119][ T5105] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4531, tgid 4531 (klogd), ts 108768216197, free_ts 108379094728
[  111.898976][ T5105]  post_alloc_hook+0x2d1/0x350
[  111.903848][ T5105]  get_page_from_freelist+0x1353/0x2e50
[  111.909416][ T5105]  __alloc_pages_noprof+0x22b/0x2460
[  111.914723][ T5105]  alloc_slab_page+0x56/0x110
[  111.919445][ T5105]  new_slab+0x84/0x260
[  111.923540][ T5105]  ___slab_alloc+0xdac/0x1870
[  111.928227][ T5105]  __slab_alloc.constprop.0+0x56/0xb0
[  111.933629][ T5105]  kmem_cache_alloc_node_noprof+0xed/0x310
[  111.939447][ T5105]  __alloc_skb+0x2b1/0x380
[  111.943886][ T5105]  alloc_skb_with_frags+0xe4/0x710
[  111.949020][ T5105]  sock_alloc_send_pskb+0x7f1/0x980
[  111.954232][ T5105]  unix_dgram_sendmsg+0x4b8/0x1a60
[  111.959446][ T5105]  __sys_sendto+0x482/0x4e0
[  111.963960][ T5105]  __x64_sys_sendto+0xe0/0x1c0
[  111.968843][ T5105]  do_syscall_64+0xcd/0x250
[  111.973467][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  111.979397][ T5105] page last free pid 5097 tgid 5089 stack trace:
[  111.985723][ T5105]  free_unref_page+0x64a/0xe40
[  111.990504][ T5105]  __put_partials+0x14c/0x170
[  111.995188][ T5105]  qlist_free_all+0x4e/0x140
[  111.999805][ T5105]  kasan_quarantine_reduce+0x192/0x1e0
[  112.005315][ T5105]  __kasan_slab_alloc+0x69/0x90
[  112.010175][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  112.015647][ T5105]  ptlock_alloc+0x1f/0x70
[  112.020022][ T5105]  pte_alloc_one+0x74/0x370
[  112.024547][ T5105]  __pte_alloc+0x6e/0x3a0
[  112.028894][ T5105]  __handle_mm_fault+0x4883/0x5430
[  112.034035][ T5105]  handle_mm_fault+0x476/0xa00
[  112.038846][ T5105]  do_user_addr_fault+0x426/0xe50
[  112.044086][ T5105]  exc_page_fault+0x5c/0xc0
[  112.048602][ T5105]  asm_exc_page_fault+0x26/0x30
[  112.053481][ T5105] 
[  112.055815][ T5105] Memory state around the buggy address:
[  112.061458][ T5105]  ffff88802253d900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  112.069540][ T5105]  ffff88802253d980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[  112.077638][ T5105] >ffff88802253da00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  112.085698][ T5105]                                                        ^
[  112.092911][ T5105]  ffff88802253da80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[  112.100979][ T5105]  ffff88802253db00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[  112.109056][ T5105] ==================================================================
[  112.118093][ T5105] ==================================================================
[  112.126208][ T5105] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x276/0x2b0
[  112.134570][ T5105] Read of size 8 at addr ffff88802253da68 by task syz-executor/5105
[  112.142564][ T5105] 
[  112.144897][ T5105] CPU: 0 PID: 5105 Comm: syz-executor Tainted: G    B              6.10.0-rc6-syzkaller-00061-ge9d22f7a6655 #0
[  112.156638][ T5105] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[  112.166707][ T5105] Call Trace:
[  112.169997][ T5105]  <TASK>
[  112.172941][ T5105]  dump_stack_lvl+0x116/0x1f0
[  112.177653][ T5105]  print_report+0xc3/0x620
[  112.182130][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  112.187789][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  112.193460][ T5105]  ? __phys_addr+0xc6/0x150
[  112.198013][ T5105]  kasan_report+0xd9/0x110
[  112.202464][ T5105]  ? skb_release_head_state+0x276/0x2b0
[  112.208055][ T5105]  ? skb_release_head_state+0x276/0x2b0
[  112.213641][ T5105]  skb_release_head_state+0x276/0x2b0
[  112.219051][ T5105]  kfree_skb_reason+0xed/0x210
[  112.223850][ T5105]  __hci_req_sync+0x61d/0x980
[  112.228560][ T5105]  ? __pfx___hci_req_sync+0x10/0x10
[  112.233789][ T5105]  ? __mutex_lock+0x1a6/0x9c0
[  112.238517][ T5105]  ? __pfx_autoremove_wake_function+0x10/0x10
[  112.244623][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  112.250290][ T5105]  ? hci_req_sync+0x3f/0xd0
[  112.254829][ T5105]  ? __pfx___might_resched+0x10/0x10
[  112.260151][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  112.265812][ T5105]  ? aa_get_newest_label+0x376/0x680
[  112.271152][ T5105]  hci_req_sync+0x97/0xd0
[  112.275507][ T5105]  ? __pfx_hci_scan_req+0x10/0x10
[  112.280561][ T5105]  hci_dev_cmd+0x634/0x960
[  112.285126][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  112.290785][ T5105]  ? __pfx_hci_dev_cmd+0x10/0x10
[  112.295765][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  112.301425][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  112.307257][ T5105]  ? security_capable+0x98/0xd0
[  112.312160][ T5105]  hci_sock_ioctl+0x4f3/0x880
[  112.316870][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  112.322530][ T5105]  ? __pfx_hci_sock_ioctl+0x10/0x10
[  112.327759][ T5105]  ? __pfx_tomoyo_path_number_perm+0x10/0x10
[  112.333771][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  112.339441][ T5105]  sock_do_ioctl+0x119/0x280
[  112.344074][ T5105]  ? __pfx_sock_do_ioctl+0x10/0x10
[  112.349235][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  112.354895][ T5105]  sock_ioctl+0x22e/0x6c0
[  112.359269][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  112.364170][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  112.369864][ T5105]  ? __fget_files+0x256/0x400
[  112.374584][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  112.380330][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  112.385227][ T5105]  __x64_sys_ioctl+0x196/0x220
[  112.390039][ T5105]  do_syscall_64+0xcd/0x250
[  112.394588][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  112.400532][ T5105] RIP: 0033:0x7f07695757db
[  112.404970][ T5105] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[  112.424606][ T5105] RSP: 002b:00007ffd21b24990 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  112.433046][ T5105] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f07695757db
[  112.441038][ T5105] RDX: 00007ffd21b24a08 RSI: 00000000400448dd RDI: 0000000000000003
[  112.449025][ T5105] RBP: 00005555849894a8 R08: 0000000000000000 R09: 0000000000000000
[  112.457100][ T5105] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[  112.465086][ T5105] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[  112.473084][ T5105]  </TASK>
[  112.476111][ T5105] 
[  112.478435][ T5105] Allocated by task 5108:
[  112.482944][ T5105]  kasan_save_stack+0x33/0x60
[  112.487640][ T5105]  kasan_save_track+0x14/0x30
[  112.492333][ T5105]  __kasan_slab_alloc+0x89/0x90
[  112.497201][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  112.502688][ T5105]  skb_clone+0x190/0x3f0
[  112.506956][ T5105]  hci_cmd_work+0x66a/0x710
[  112.511493][ T5105]  process_one_work+0x9c8/0x1b40
[  112.516460][ T5105]  worker_thread+0x6c8/0xf30
[  112.521079][ T5105]  kthread+0x2c4/0x3a0
[  112.525188][ T5105]  ret_from_fork+0x48/0x80
[  112.529640][ T5105]  ret_from_fork_asm+0x1a/0x30
[  112.534442][ T5105] 
[  112.536768][ T5105] Freed by task 5101:
[  112.540751][ T5105]  kasan_save_stack+0x33/0x60
[  112.545446][ T5105]  kasan_save_track+0x14/0x30
[  112.550139][ T5105]  kasan_save_free_info+0x3b/0x60
[  112.555197][ T5105]  poison_slab_object+0xf7/0x160
[  112.560176][ T5105]  __kasan_slab_free+0x32/0x50
[  112.564965][ T5105]  kmem_cache_free+0x12f/0x3a0
[  112.569758][ T5105]  kfree_skbmem+0x10e/0x200
[  112.574304][ T5105]  kfree_skb_reason+0x138/0x210
[  112.579183][ T5105]  hci_req_sync_complete+0x16c/0x270
[  112.584494][ T5105]  hci_event_packet+0x966/0x1170
[  112.589454][ T5105]  hci_rx_work+0x2c4/0x1610
[  112.593987][ T5105]  process_one_work+0x9c8/0x1b40
[  112.598958][ T5105]  worker_thread+0x6c8/0xf30
[  112.603580][ T5105]  kthread+0x2c4/0x3a0
[  112.607686][ T5105]  ret_from_fork+0x48/0x80
[  112.612144][ T5105]  ret_from_fork_asm+0x1a/0x30
[  112.616956][ T5105] 
[  112.619281][ T5105] The buggy address belongs to the object at ffff88802253da00
[  112.619281][ T5105]  which belongs to the cache skbuff_head_cache of size 240
[  112.633959][ T5105] The buggy address is located 104 bytes inside of
[  112.633959][ T5105]  freed 240-byte region [ffff88802253da00, ffff88802253daf0)
[  112.647779][ T5105] 
[  112.650106][ T5105] The buggy address belongs to the physical page:
[  112.656517][ T5105] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2253d
[  112.665313][ T5105] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[  112.672457][ T5105] page_type: 0xffffefff(slab)
[  112.677150][ T5105] raw: 00fff00000000000 ffff8880192ca780 dead000000000122 0000000000000000
[  112.685755][ T5105] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[  112.694344][ T5105] page dumped because: kasan: bad access detected
[  112.700846][ T5105] page_owner tracks the page as allocated
[  112.706559][ T5105] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4531, tgid 4531 (klogd), ts 108768216197, free_ts 108379094728
[  112.725469][ T5105]  post_alloc_hook+0x2d1/0x350
[  112.730354][ T5105]  get_page_from_freelist+0x1353/0x2e50
[  112.736034][ T5105]  __alloc_pages_noprof+0x22b/0x2460
[  112.741533][ T5105]  alloc_slab_page+0x56/0x110
[  112.746244][ T5105]  new_slab+0x84/0x260
[  112.750331][ T5105]  ___slab_alloc+0xdac/0x1870
[  112.755035][ T5105]  __slab_alloc.constprop.0+0x56/0xb0
[  112.760436][ T5105]  kmem_cache_alloc_node_noprof+0xed/0x310
[  112.766269][ T5105]  __alloc_skb+0x2b1/0x380
[  112.770725][ T5105]  alloc_skb_with_frags+0xe4/0x710
[  112.775872][ T5105]  sock_alloc_send_pskb+0x7f1/0x980
[  112.781093][ T5105]  unix_dgram_sendmsg+0x4b8/0x1a60
[  112.786238][ T5105]  __sys_sendto+0x482/0x4e0
[  112.790788][ T5105]  __x64_sys_sendto+0xe0/0x1c0
[  112.795572][ T5105]  do_syscall_64+0xcd/0x250
[  112.800134][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  112.806069][ T5105] page last free pid 5097 tgid 5089 stack trace:
[  112.812403][ T5105]  free_unref_page+0x64a/0xe40
[  112.817201][ T5105]  __put_partials+0x14c/0x170
[  112.821896][ T5105]  qlist_free_all+0x4e/0x140
[  112.826523][ T5105]  kasan_quarantine_reduce+0x192/0x1e0
[  112.832023][ T5105]  __kasan_slab_alloc+0x69/0x90
[  112.836899][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  112.842381][ T5105]  ptlock_alloc+0x1f/0x70
[  112.846753][ T5105]  pte_alloc_one+0x74/0x370
[  112.851319][ T5105]  __pte_alloc+0x6e/0x3a0
[  112.855681][ T5105]  __handle_mm_fault+0x4883/0x5430
[  112.860848][ T5105]  handle_mm_fault+0x476/0xa00
[  112.865654][ T5105]  do_user_addr_fault+0x426/0xe50
[  112.870710][ T5105]  exc_page_fault+0x5c/0xc0
[  112.875244][ T5105]  asm_exc_page_fault+0x26/0x30
[  112.880137][ T5105] 
[  112.882461][ T5105] Memory state around the buggy address:
[  112.888099][ T5105]  ffff88802253d900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  112.896174][ T5105]  ffff88802253d980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[  112.904268][ T5105] >ffff88802253da00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  112.912357][ T5105]                                                           ^
[  112.919817][ T5105]  ffff88802253da80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[  112.927890][ T5105]  ffff88802253db00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[  112.936135][ T5105] ==================================================================
[  112.946814][ T5108] Bluetooth: hci3: command tx timeout
[  112.972004][ T5105] ==================================================================
[  112.980279][ T5105] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x26c/0x2b0
[  112.988636][ T5105] Read of size 1 at addr ffff88802253da7f by task syz-executor/5105
[  112.996630][ T5105] 
[  112.998955][ T5105] CPU: 1 PID: 5105 Comm: syz-executor Tainted: G    B              6.10.0-rc6-syzkaller-00061-ge9d22f7a6655 #0
[  113.010709][ T5105] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[  113.020777][ T5105] Call Trace:
[  113.024065][ T5105]  <TASK>
[  113.027006][ T5105]  dump_stack_lvl+0x116/0x1f0
[  113.031721][ T5105]  print_report+0xc3/0x620
[  113.036162][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  113.041818][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  113.047470][ T5105]  ? __phys_addr+0xc6/0x150
[  113.052099][ T5105]  kasan_report+0xd9/0x110
[  113.056627][ T5105]  ? skb_release_head_state+0x26c/0x2b0
[  113.062227][ T5105]  ? skb_release_head_state+0x26c/0x2b0
[  113.067809][ T5105]  skb_release_head_state+0x26c/0x2b0
[  113.073214][ T5105]  kfree_skb_reason+0xed/0x210
[  113.078013][ T5105]  __hci_req_sync+0x61d/0x980
[  113.082727][ T5105]  ? __pfx___hci_req_sync+0x10/0x10
[  113.087951][ T5105]  ? __mutex_lock+0x1a6/0x9c0
[  113.092663][ T5105]  ? __pfx_autoremove_wake_function+0x10/0x10
[  113.098760][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  113.104420][ T5105]  ? hci_req_sync+0x3f/0xd0
[  113.108956][ T5105]  ? __pfx___might_resched+0x10/0x10
[  113.114280][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  113.119935][ T5105]  ? aa_get_newest_label+0x376/0x680
[  113.125362][ T5105]  hci_req_sync+0x97/0xd0
[  113.130068][ T5105]  ? __pfx_hci_scan_req+0x10/0x10
[  113.135123][ T5105]  hci_dev_cmd+0x634/0x960
[  113.139576][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  113.145235][ T5105]  ? __pfx_hci_dev_cmd+0x10/0x10
[  113.150206][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  113.155861][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  113.161527][ T5105]  ? security_capable+0x98/0xd0
[  113.166516][ T5105]  hci_sock_ioctl+0x4f3/0x880
[  113.171223][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  113.176880][ T5105]  ? __pfx_hci_sock_ioctl+0x10/0x10
[  113.182107][ T5105]  ? __pfx_tomoyo_path_number_perm+0x10/0x10
[  113.188114][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  113.193772][ T5105]  sock_do_ioctl+0x119/0x280
[  113.198400][ T5105]  ? __pfx_sock_do_ioctl+0x10/0x10
[  113.203575][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  113.209233][ T5105]  sock_ioctl+0x22e/0x6c0
[  113.213603][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  113.218504][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  113.224163][ T5105]  ? __fget_files+0x256/0x400
[  113.228883][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  113.234544][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  113.239456][ T5105]  __x64_sys_ioctl+0x196/0x220
[  113.244261][ T5105]  do_syscall_64+0xcd/0x250
[  113.248803][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  113.254742][ T5105] RIP: 0033:0x7f07695757db
[  113.259172][ T5105] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[  113.278917][ T5105] RSP: 002b:00007ffd21b24990 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  113.287358][ T5105] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f07695757db
[  113.295345][ T5105] RDX: 00007ffd21b24a08 RSI: 00000000400448dd RDI: 0000000000000003
[  113.303415][ T5105] RBP: 00005555849894a8 R08: 0000000000000000 R09: 0000000000000000
[  113.311399][ T5105] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[  113.319380][ T5105] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[  113.327378][ T5105]  </TASK>
[  113.330400][ T5105] 
[  113.332722][ T5105] Allocated by task 5108:
[  113.337050][ T5105]  kasan_save_stack+0x33/0x60
[  113.341745][ T5105]  kasan_save_track+0x14/0x30
[  113.346436][ T5105]  __kasan_slab_alloc+0x89/0x90
[  113.351302][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  113.356785][ T5105]  skb_clone+0x190/0x3f0
[  113.361051][ T5105]  hci_cmd_work+0x66a/0x710
[  113.365583][ T5105]  process_one_work+0x9c8/0x1b40
[  113.370548][ T5105]  worker_thread+0x6c8/0xf30
[  113.375166][ T5105]  kthread+0x2c4/0x3a0
[  113.379271][ T5105]  ret_from_fork+0x48/0x80
[  113.383724][ T5105]  ret_from_fork_asm+0x1a/0x30
[  113.388525][ T5105] 
[  113.390861][ T5105] Freed by task 5101:
[  113.394845][ T5105]  kasan_save_stack+0x33/0x60
[  113.399550][ T5105]  kasan_save_track+0x14/0x30
[  113.404241][ T5105]  kasan_save_free_info+0x3b/0x60
[  113.409298][ T5105]  poison_slab_object+0xf7/0x160
[  113.414276][ T5105]  __kasan_slab_free+0x32/0x50
[  113.419057][ T5105]  kmem_cache_free+0x12f/0x3a0
[  113.423838][ T5105]  kfree_skbmem+0x10e/0x200
[  113.428466][ T5105]  kfree_skb_reason+0x138/0x210
[  113.433344][ T5105]  hci_req_sync_complete+0x16c/0x270
[  113.438742][ T5105]  hci_event_packet+0x966/0x1170
[  113.443718][ T5105]  hci_rx_work+0x2c4/0x1610
[  113.448249][ T5105]  process_one_work+0x9c8/0x1b40
[  113.453212][ T5105]  worker_thread+0x6c8/0xf30
[  113.457830][ T5105]  kthread+0x2c4/0x3a0
[  113.461948][ T5105]  ret_from_fork+0x48/0x80
[  113.466402][ T5105]  ret_from_fork_asm+0x1a/0x30
[  113.471379][ T5105] 
[  113.473702][ T5105] The buggy address belongs to the object at ffff88802253da00
[  113.473702][ T5105]  which belongs to the cache skbuff_head_cache of size 240
[  113.488289][ T5105] The buggy address is located 127 bytes inside of
[  113.488289][ T5105]  freed 240-byte region [ffff88802253da00, ffff88802253daf0)
[  113.502277][ T5105] 
[  113.504599][ T5105] The buggy address belongs to the physical page:
[  113.511092][ T5105] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2253d
[  113.520043][ T5105] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[  113.527161][ T5105] page_type: 0xffffefff(slab)
[  113.531853][ T5105] raw: 00fff00000000000 ffff8880192ca780 dead000000000122 0000000000000000
[  113.540455][ T5105] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[  113.549129][ T5105] page dumped because: kasan: bad access detected
[  113.555541][ T5105] page_owner tracks the page as allocated
[  113.561339][ T5105] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4531, tgid 4531 (klogd), ts 108768216197, free_ts 108379094728
[  113.580213][ T5105]  post_alloc_hook+0x2d1/0x350
[  113.585100][ T5105]  get_page_from_freelist+0x1353/0x2e50
[  113.590686][ T5105]  __alloc_pages_noprof+0x22b/0x2460
[  113.596010][ T5105]  alloc_slab_page+0x56/0x110
[  113.600725][ T5105]  new_slab+0x84/0x260
[  113.604812][ T5105]  ___slab_alloc+0xdac/0x1870
[  113.609506][ T5105]  __slab_alloc.constprop.0+0x56/0xb0
[  113.614897][ T5105]  kmem_cache_alloc_node_noprof+0xed/0x310
[  113.620728][ T5105]  __alloc_skb+0x2b1/0x380
[  113.625184][ T5105]  alloc_skb_with_frags+0xe4/0x710
[  113.630353][ T5105]  sock_alloc_send_pskb+0x7f1/0x980
[  113.635568][ T5105]  unix_dgram_sendmsg+0x4b8/0x1a60
[  113.640803][ T5105]  __sys_sendto+0x482/0x4e0
[  113.645322][ T5105]  __x64_sys_sendto+0xe0/0x1c0
[  113.650105][ T5105]  do_syscall_64+0xcd/0x250
[  113.654640][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  113.660576][ T5105] page last free pid 5097 tgid 5089 stack trace:
[  113.666906][ T5105]  free_unref_page+0x64a/0xe40
[  113.671703][ T5105]  __put_partials+0x14c/0x170
[  113.676481][ T5105]  qlist_free_all+0x4e/0x140
[  113.681108][ T5105]  kasan_quarantine_reduce+0x192/0x1e0
[  113.686606][ T5105]  __kasan_slab_alloc+0x69/0x90
[  113.691474][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  113.696954][ T5105]  ptlock_alloc+0x1f/0x70
[  113.701326][ T5105]  pte_alloc_one+0x74/0x370
[  113.705866][ T5105]  __pte_alloc+0x6e/0x3a0
[  113.710224][ T5105]  __handle_mm_fault+0x4883/0x5430
[  113.715377][ T5105]  handle_mm_fault+0x476/0xa00
[  113.720179][ T5105]  do_user_addr_fault+0x426/0xe50
[  113.725232][ T5105]  exc_page_fault+0x5c/0xc0
[  113.729761][ T5105]  asm_exc_page_fault+0x26/0x30
[  113.734650][ T5105] 
[  113.736976][ T5105] Memory state around the buggy address:
[  113.742607][ T5105]  ffff88802253d900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  113.750684][ T5105]  ffff88802253d980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[  113.758760][ T5105] >ffff88802253da00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  113.766917][ T5105]                                                                 ^
[  113.774904][ T5105]  ffff88802253da80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[  113.782978][ T5105]  ffff88802253db00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[  113.791049][ T5105] ==================================================================
[  113.800090][ T5105] ==================================================================
[  113.808358][ T5105] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x1ff/0x210
[  113.816207][ T5105] Read of size 8 at addr ffff88802253dad0 by task syz-executor/5105
[  113.823898][ T5108] Bluetooth: hci2: command tx timeout
[  113.824191][ T5105] 
[  113.824202][ T5105] CPU: 0 PID: 5105 Comm: syz-executor Tainted: G    B              6.10.0-rc6-syzkaller-00061-ge9d22f7a6655 #0
[  113.829576][ T5108] Bluetooth: hci4: command tx timeout
[  113.831846][ T5105] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[  113.831870][ T5105] Call Trace:
[  113.831885][ T5105]  <TASK>
[  113.831900][ T5105]  dump_stack_lvl+0x116/0x1f0
[  113.831952][ T5105]  print_report+0xc3/0x620
[  113.843787][ T5096] Bluetooth: hci0: command tx timeout
[  113.849053][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  113.859177][ T5108] Bluetooth: hci1: command tx timeout
[  113.862340][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  113.862386][ T5105]  ? __phys_addr+0xc6/0x150
[  113.900946][ T5105]  kasan_report+0xd9/0x110
[  113.905409][ T5105]  ? kfree_skb_reason+0x1ff/0x210
[  113.910482][ T5105]  ? kfree_skb_reason+0x1ff/0x210
[  113.915555][ T5105]  kfree_skb_reason+0x1ff/0x210
[  113.920451][ T5105]  __hci_req_sync+0x61d/0x980
[  113.925171][ T5105]  ? __pfx___hci_req_sync+0x10/0x10
[  113.930405][ T5105]  ? __mutex_lock+0x1a6/0x9c0
[  113.935125][ T5105]  ? __pfx_autoremove_wake_function+0x10/0x10
[  113.941238][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  113.946906][ T5105]  ? hci_req_sync+0x3f/0xd0
[  113.951455][ T5105]  ? __pfx___might_resched+0x10/0x10
[  113.956797][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  113.962467][ T5105]  ? aa_get_newest_label+0x376/0x680
[  113.967854][ T5105]  hci_req_sync+0x97/0xd0
[  113.972229][ T5105]  ? __pfx_hci_scan_req+0x10/0x10
[  113.977298][ T5105]  hci_dev_cmd+0x634/0x960
[  113.981765][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  113.987438][ T5105]  ? __pfx_hci_dev_cmd+0x10/0x10
[  113.992426][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  113.998086][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  114.003754][ T5105]  ? security_capable+0x98/0xd0
[  114.008662][ T5105]  hci_sock_ioctl+0x4f3/0x880
[  114.013369][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  114.019027][ T5105]  ? __pfx_hci_sock_ioctl+0x10/0x10
[  114.024254][ T5105]  ? __pfx_tomoyo_path_number_perm+0x10/0x10
[  114.030261][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  114.035924][ T5105]  sock_do_ioctl+0x119/0x280
[  114.040555][ T5105]  ? __pfx_sock_do_ioctl+0x10/0x10
[  114.045718][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  114.051388][ T5105]  sock_ioctl+0x22e/0x6c0
[  114.055762][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  114.060659][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  114.066316][ T5105]  ? __fget_files+0x256/0x400
[  114.071042][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  114.076698][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  114.081593][ T5105]  __x64_sys_ioctl+0x196/0x220
[  114.086397][ T5105]  do_syscall_64+0xcd/0x250
[  114.091031][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  114.096973][ T5105] RIP: 0033:0x7f07695757db
[  114.101403][ T5105] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[  114.122170][ T5105] RSP: 002b:00007ffd21b24990 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  114.130693][ T5105] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f07695757db
[  114.138690][ T5105] RDX: 00007ffd21b24a08 RSI: 00000000400448dd RDI: 0000000000000003
[  114.146684][ T5105] RBP: 00005555849894a8 R08: 0000000000000000 R09: 0000000000000000
[  114.154849][ T5105] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[  114.162834][ T5105] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[  114.170839][ T5105]  </TASK>
[  114.173866][ T5105] 
[  114.176188][ T5105] Allocated by task 5108:
[  114.180516][ T5105]  kasan_save_stack+0x33/0x60
[  114.185213][ T5105]  kasan_save_track+0x14/0x30
[  114.189991][ T5105]  __kasan_slab_alloc+0x89/0x90
[  114.194858][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  114.200339][ T5105]  skb_clone+0x190/0x3f0
[  114.204605][ T5105]  hci_cmd_work+0x66a/0x710
[  114.209833][ T5105]  process_one_work+0x9c8/0x1b40
[  114.214800][ T5105]  worker_thread+0x6c8/0xf30
[  114.219419][ T5105]  kthread+0x2c4/0x3a0
[  114.223524][ T5105]  ret_from_fork+0x48/0x80
[  114.228239][ T5105]  ret_from_fork_asm+0x1a/0x30
[  114.233045][ T5105] 
[  114.235373][ T5105] Freed by task 5101:
[  114.239357][ T5105]  kasan_save_stack+0x33/0x60
[  114.244053][ T5105]  kasan_save_track+0x14/0x30
[  114.248744][ T5105]  kasan_save_free_info+0x3b/0x60
[  114.253810][ T5105]  poison_slab_object+0xf7/0x160
[  114.259309][ T5105]  __kasan_slab_free+0x32/0x50
[  114.264089][ T5105]  kmem_cache_free+0x12f/0x3a0
[  114.268899][ T5105]  kfree_skbmem+0x10e/0x200
[  114.273444][ T5105]  kfree_skb_reason+0x138/0x210
[  114.278321][ T5105]  hci_req_sync_complete+0x16c/0x270
[  114.283632][ T5105]  hci_event_packet+0x966/0x1170
[  114.288594][ T5105]  hci_rx_work+0x2c4/0x1610
[  114.293151][ T5105]  process_one_work+0x9c8/0x1b40
[  114.298211][ T5105]  worker_thread+0x6c8/0xf30
[  114.302830][ T5105]  kthread+0x2c4/0x3a0
[  114.306940][ T5105]  ret_from_fork+0x48/0x80
[  114.311391][ T5105]  ret_from_fork_asm+0x1a/0x30
[  114.316190][ T5105] 
[  114.318514][ T5105] The buggy address belongs to the object at ffff88802253da00
[  114.318514][ T5105]  which belongs to the cache skbuff_head_cache of size 240
[  114.333710][ T5105] The buggy address is located 208 bytes inside of
[  114.333710][ T5105]  freed 240-byte region [ffff88802253da00, ffff88802253daf0)
[  114.347525][ T5105] 
[  114.349851][ T5105] The buggy address belongs to the physical page:
[  114.356260][ T5105] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2253d
[  114.365210][ T5105] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[  114.372328][ T5105] page_type: 0xffffefff(slab)
[  114.377022][ T5105] raw: 00fff00000000000 ffff8880192ca780 dead000000000122 0000000000000000
[  114.385624][ T5105] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[  114.394216][ T5105] page dumped because: kasan: bad access detected
[  114.400628][ T5105] page_owner tracks the page as allocated
[  114.406340][ T5105] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4531, tgid 4531 (klogd), ts 108768216197, free_ts 108379094728
[  114.425225][ T5105]  post_alloc_hook+0x2d1/0x350
[  114.430026][ T5105]  get_page_from_freelist+0x1353/0x2e50
[  114.435610][ T5105]  __alloc_pages_noprof+0x22b/0x2460
[  114.440931][ T5105]  alloc_slab_page+0x56/0x110
[  114.445645][ T5105]  new_slab+0x84/0x260
[  114.449730][ T5105]  ___slab_alloc+0xdac/0x1870
[  114.454432][ T5105]  __slab_alloc.constprop.0+0x56/0xb0
[  114.459827][ T5105]  kmem_cache_alloc_node_noprof+0xed/0x310
[  114.466093][ T5105]  __alloc_skb+0x2b1/0x380
[  114.470638][ T5105]  alloc_skb_with_frags+0xe4/0x710
[  114.475786][ T5105]  sock_alloc_send_pskb+0x7f1/0x980
[  114.481004][ T5105]  unix_dgram_sendmsg+0x4b8/0x1a60
[  114.486145][ T5105]  __sys_sendto+0x482/0x4e0
[  114.490750][ T5105]  __x64_sys_sendto+0xe0/0x1c0
[  114.495534][ T5105]  do_syscall_64+0xcd/0x250
[  114.500069][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  114.506437][ T5105] page last free pid 5097 tgid 5089 stack trace:
[  114.512857][ T5105]  free_unref_page+0x64a/0xe40
[  114.517655][ T5105]  __put_partials+0x14c/0x170
[  114.522347][ T5105]  qlist_free_all+0x4e/0x140
[  114.526974][ T5105]  kasan_quarantine_reduce+0x192/0x1e0
[  114.532474][ T5105]  __kasan_slab_alloc+0x69/0x90
[  114.537342][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  114.542913][ T5105]  ptlock_alloc+0x1f/0x70
[  114.547285][ T5105]  pte_alloc_one+0x74/0x370
[  114.551826][ T5105]  __pte_alloc+0x6e/0x3a0
[  114.556184][ T5105]  __handle_mm_fault+0x4883/0x5430
[  114.561335][ T5105]  handle_mm_fault+0x476/0xa00
[  114.566144][ T5105]  do_user_addr_fault+0x426/0xe50
[  114.571202][ T5105]  exc_page_fault+0x5c/0xc0
[  114.575730][ T5105]  asm_exc_page_fault+0x26/0x30
[  114.580624][ T5105] 
[  114.582946][ T5105] Memory state around the buggy address:
[  114.588579][ T5105]  ffff88802253d980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[  114.596652][ T5105]  ffff88802253da00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  114.604728][ T5105] >ffff88802253da80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[  114.612800][ T5105]                                                  ^
[  114.619483][ T5105]  ffff88802253db00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[  114.627649][ T5105]  ffff88802253db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  114.635717][ T5105] ==================================================================
[  114.644878][ T5105] ==================================================================
[  114.652954][ T5105] BUG: KASAN: slab-use-after-free in skb_release_data+0x8c6/0x980
[  114.660807][ T5105] Read of size 8 at addr ffff88802253dad0 by task syz-executor/5105
[  114.668813][ T5105] 
[  114.671147][ T5105] CPU: 0 PID: 5105 Comm: syz-executor Tainted: G    B              6.10.0-rc6-syzkaller-00061-ge9d22f7a6655 #0
[  114.683072][ T5105] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[  114.693272][ T5105] Call Trace:
[  114.696568][ T5105]  <TASK>
[  114.699519][ T5105]  dump_stack_lvl+0x116/0x1f0
[  114.704243][ T5105]  print_report+0xc3/0x620
[  114.708701][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  114.714381][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  114.720056][ T5105]  ? __phys_addr+0xc6/0x150
[  114.724617][ T5105]  kasan_report+0xd9/0x110
[  114.729071][ T5105]  ? skb_release_data+0x8c6/0x980
[  114.734135][ T5105]  ? skb_release_data+0x8c6/0x980
[  114.739217][ T5105]  skb_release_data+0x8c6/0x980
[  114.744115][ T5105]  kfree_skb_reason+0x12b/0x210
[  114.749023][ T5105]  __hci_req_sync+0x61d/0x980
[  114.753749][ T5105]  ? __pfx___hci_req_sync+0x10/0x10
[  114.758990][ T5105]  ? __mutex_lock+0x1a6/0x9c0
[  114.763718][ T5105]  ? __pfx_autoremove_wake_function+0x10/0x10
[  114.769873][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  114.775544][ T5105]  ? hci_req_sync+0x3f/0xd0
[  114.780156][ T5105]  ? __pfx___might_resched+0x10/0x10
[  114.785495][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  114.791168][ T5105]  ? aa_get_newest_label+0x376/0x680
[  114.796509][ T5105]  hci_req_sync+0x97/0xd0
[  114.800867][ T5105]  ? __pfx_hci_scan_req+0x10/0x10
[  114.805924][ T5105]  hci_dev_cmd+0x634/0x960
[  114.810377][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  114.816039][ T5105]  ? __pfx_hci_dev_cmd+0x10/0x10
[  114.821108][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  114.826814][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  114.832477][ T5105]  ? security_capable+0x98/0xd0
[  114.837383][ T5105]  hci_sock_ioctl+0x4f3/0x880
[  114.842094][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  114.847754][ T5105]  ? __pfx_hci_sock_ioctl+0x10/0x10
[  114.852985][ T5105]  ? __pfx_tomoyo_path_number_perm+0x10/0x10
[  114.859002][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  114.864671][ T5105]  sock_do_ioctl+0x119/0x280
[  114.869310][ T5105]  ? __pfx_sock_do_ioctl+0x10/0x10
[  114.874482][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  114.880148][ T5105]  sock_ioctl+0x22e/0x6c0
[  114.884522][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  114.889421][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  114.895079][ T5105]  ? __fget_files+0x256/0x400
[  114.899802][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  114.905495][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  114.910415][ T5105]  __x64_sys_ioctl+0x196/0x220
[  114.915225][ T5105]  do_syscall_64+0xcd/0x250
[  114.919865][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  114.925814][ T5105] RIP: 0033:0x7f07695757db
[  114.930251][ T5105] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[  114.949898][ T5105] RSP: 002b:00007ffd21b24990 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  114.958346][ T5105] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f07695757db
[  114.966342][ T5105] RDX: 00007ffd21b24a08 RSI: 00000000400448dd RDI: 0000000000000003
[  114.974334][ T5105] RBP: 00005555849894a8 R08: 0000000000000000 R09: 0000000000000000
[  114.982324][ T5105] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[  114.990319][ T5105] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[  114.998329][ T5105]  </TASK>
[  115.001382][ T5105] 
[  115.003712][ T5105] Allocated by task 5108:
[  115.008065][ T5105]  kasan_save_stack+0x33/0x60
[  115.012774][ T5105]  kasan_save_track+0x14/0x30
[  115.017471][ T5105]  __kasan_slab_alloc+0x89/0x90
[  115.022345][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  115.027832][ T5105]  skb_clone+0x190/0x3f0
[  115.032101][ T5105]  hci_cmd_work+0x66a/0x710
[  115.036638][ T5105]  process_one_work+0x9c8/0x1b40
[  115.041611][ T5105]  worker_thread+0x6c8/0xf30
[  115.046233][ T5105]  kthread+0x2c4/0x3a0
[  115.050342][ T5105]  ret_from_fork+0x48/0x80
[  115.054798][ T5105]  ret_from_fork_asm+0x1a/0x30
[  115.059606][ T5105] 
[  115.061933][ T5105] Freed by task 5101:
[  115.065920][ T5105]  kasan_save_stack+0x33/0x60
[  115.070614][ T5105]  kasan_save_track+0x14/0x30
[  115.075310][ T5105]  kasan_save_free_info+0x3b/0x60
[  115.080369][ T5105]  poison_slab_object+0xf7/0x160
[  115.085349][ T5105]  __kasan_slab_free+0x32/0x50
[  115.090218][ T5105]  kmem_cache_free+0x12f/0x3a0
[  115.095002][ T5105]  kfree_skbmem+0x10e/0x200
[  115.099551][ T5105]  kfree_skb_reason+0x138/0x210
[  115.104429][ T5105]  hci_req_sync_complete+0x16c/0x270
[  115.109739][ T5105]  hci_event_packet+0x966/0x1170
[  115.114700][ T5105]  hci_rx_work+0x2c4/0x1610
[  115.119234][ T5105]  process_one_work+0x9c8/0x1b40
[  115.124204][ T5105]  worker_thread+0x6c8/0xf30
[  115.128822][ T5105]  kthread+0x2c4/0x3a0
[  115.132931][ T5105]  ret_from_fork+0x48/0x80
[  115.137383][ T5105]  ret_from_fork_asm+0x1a/0x30
[  115.142195][ T5105] 
[  115.144521][ T5105] The buggy address belongs to the object at ffff88802253da00
[  115.144521][ T5105]  which belongs to the cache skbuff_head_cache of size 240
[  115.159110][ T5105] The buggy address is located 208 bytes inside of
[  115.159110][ T5105]  freed 240-byte region [ffff88802253da00, ffff88802253daf0)
[  115.172929][ T5105] 
[  115.175254][ T5105] The buggy address belongs to the physical page:
[  115.181672][ T5105] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2253d
[  115.190537][ T5105] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[  115.197661][ T5105] page_type: 0xffffefff(slab)
[  115.202360][ T5105] raw: 00fff00000000000 ffff8880192ca780 dead000000000122 0000000000000000
[  115.210968][ T5105] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[  115.219828][ T5105] page dumped because: kasan: bad access detected
[  115.226245][ T5105] page_owner tracks the page as allocated
[  115.231961][ T5105] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4531, tgid 4531 (klogd), ts 108768216197, free_ts 108379094728
[  115.251057][ T5105]  post_alloc_hook+0x2d1/0x350
[  115.255869][ T5105]  get_page_from_freelist+0x1353/0x2e50
[  115.261458][ T5105]  __alloc_pages_noprof+0x22b/0x2460
[  115.266783][ T5105]  alloc_slab_page+0x56/0x110
[  115.271496][ T5105]  new_slab+0x84/0x260
[  115.275584][ T5105]  ___slab_alloc+0xdac/0x1870
[  115.280280][ T5105]  __slab_alloc.constprop.0+0x56/0xb0
[  115.285674][ T5105]  kmem_cache_alloc_node_noprof+0xed/0x310
[  115.291508][ T5105]  __alloc_skb+0x2b1/0x380
[  115.296008][ T5105]  alloc_skb_with_frags+0xe4/0x710
[  115.301157][ T5105]  sock_alloc_send_pskb+0x7f1/0x980
[  115.306375][ T5105]  unix_dgram_sendmsg+0x4b8/0x1a60
[  115.311521][ T5105]  __sys_sendto+0x482/0x4e0
[  115.316052][ T5105]  __x64_sys_sendto+0xe0/0x1c0
[  115.320835][ T5105]  do_syscall_64+0xcd/0x250
[  115.325372][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  115.331310][ T5105] page last free pid 5097 tgid 5089 stack trace:
[  115.337643][ T5105]  free_unref_page+0x64a/0xe40
[  115.342480][ T5105]  __put_partials+0x14c/0x170
[  115.347176][ T5105]  qlist_free_all+0x4e/0x140
[  115.351808][ T5105]  kasan_quarantine_reduce+0x192/0x1e0
[  115.357308][ T5105]  __kasan_slab_alloc+0x69/0x90
[  115.362177][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  115.367660][ T5105]  ptlock_alloc+0x1f/0x70
[  115.372036][ T5105]  pte_alloc_one+0x74/0x370
[  115.376576][ T5105]  __pte_alloc+0x6e/0x3a0
[  115.380937][ T5105]  __handle_mm_fault+0x4883/0x5430
[  115.386098][ T5105]  handle_mm_fault+0x476/0xa00
[  115.390904][ T5105]  do_user_addr_fault+0x426/0xe50
[  115.395978][ T5105]  exc_page_fault+0x5c/0xc0
[  115.400529][ T5105]  asm_exc_page_fault+0x26/0x30
[  115.405429][ T5105] 
[  115.407753][ T5105] Memory state around the buggy address:
[  115.413389][ T5105]  ffff88802253d980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[  115.421463][ T5105]  ffff88802253da00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  115.429534][ T5105] >ffff88802253da80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[  115.437604][ T5105]                                                  ^
[  115.444283][ T5105]  ffff88802253db00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[  115.452358][ T5105]  ffff88802253db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  115.460424][ T5105] ==================================================================
[  115.498751][ T5092] bridge0: port 1(bridge_slave_0) entered blocking state
[  115.502704][ T5101] Bluetooth: hci3: command tx timeout
[  115.515421][ T5105] ==================================================================
[  115.522056][ T5092] bridge0: port 1(bridge_slave_0) entered disabled state
[  115.523489][ T5105] BUG: KASAN: slab-use-after-free in skb_release_data+0x813/0x980
[  115.530694][ T5092] bridge_slave_0: entered allmulticast mode
[  115.538296][ T5105] Read of size 4 at addr ffff88802253dacc by task syz-executor/5105
[  115.538329][ T5105] 
[  115.538340][ T5105] CPU: 1 PID: 5105 Comm: syz-executor Tainted: G    B              6.10.0-rc6-syzkaller-00061-ge9d22f7a6655 #0
[  115.547056][ T5092] bridge_slave_0: entered promiscuous mode
[  115.552165][ T5105] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[  115.552189][ T5105] Call Trace:
[  115.552205][ T5105]  <TASK>
[  115.559117][ T5092] bridge0: port 2(bridge_slave_1) entered blocking state
[  115.566176][ T5105]  dump_stack_lvl+0x116/0x1f0
[  115.566229][ T5105]  print_report+0xc3/0x620
[  115.572232][ T5092] bridge0: port 2(bridge_slave_1) entered disabled state
[  115.582052][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  115.585566][ T5092] bridge_slave_1: entered allmulticast mode
[  115.588260][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  115.597726][ T5092] bridge_slave_1: entered promiscuous mode
[  115.599896][ T5105]  ? __phys_addr+0xc6/0x150
[  115.638989][ T5105]  kasan_report+0xd9/0x110
[  115.643438][ T5105]  ? skb_release_data+0x813/0x980
[  115.648491][ T5105]  ? skb_release_data+0x813/0x980
[  115.653549][ T5105]  skb_release_data+0x813/0x980
[  115.658435][ T5105]  kfree_skb_reason+0x12b/0x210
[  115.663320][ T5105]  __hci_req_sync+0x61d/0x980
[  115.668033][ T5105]  ? __pfx___hci_req_sync+0x10/0x10
[  115.673258][ T5105]  ? __mutex_lock+0x1a6/0x9c0
[  115.677975][ T5105]  ? __pfx_autoremove_wake_function+0x10/0x10
[  115.684158][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  115.689815][ T5105]  ? hci_req_sync+0x3f/0xd0
[  115.694353][ T5105]  ? __pfx___might_resched+0x10/0x10
[  115.699681][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  115.705342][ T5105]  ? aa_get_newest_label+0x376/0x680
[  115.710680][ T5105]  hci_req_sync+0x97/0xd0
[  115.715042][ T5105]  ? __pfx_hci_scan_req+0x10/0x10
[  115.720104][ T5105]  hci_dev_cmd+0x634/0x960
[  115.724556][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  115.730217][ T5105]  ? __pfx_hci_dev_cmd+0x10/0x10
[  115.735190][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  115.740848][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  115.746503][ T5105]  ? security_capable+0x98/0xd0
[  115.751405][ T5105]  hci_sock_ioctl+0x4f3/0x880
[  115.756120][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  115.761784][ T5105]  ? __pfx_hci_sock_ioctl+0x10/0x10
[  115.767021][ T5105]  ? __pfx_tomoyo_path_number_perm+0x10/0x10
[  115.773041][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  115.778722][ T5105]  sock_do_ioctl+0x119/0x280
[  115.783357][ T5105]  ? __pfx_sock_do_ioctl+0x10/0x10
[  115.788519][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  115.794188][ T5105]  sock_ioctl+0x22e/0x6c0
[  115.798566][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  115.803465][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  115.809126][ T5105]  ? __fget_files+0x256/0x400
[  115.813846][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  115.819503][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  115.824401][ T5105]  __x64_sys_ioctl+0x196/0x220
[  115.829211][ T5105]  do_syscall_64+0xcd/0x250
[  115.833759][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  115.839702][ T5105] RIP: 0033:0x7f07695757db
[  115.844308][ T5105] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[  115.863953][ T5105] RSP: 002b:00007ffd21b24990 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  115.872391][ T5105] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f07695757db
[  115.880403][ T5105] RDX: 00007ffd21b24a08 RSI: 00000000400448dd RDI: 0000000000000003
[  115.888475][ T5105] RBP: 00005555849894a8 R08: 0000000000000000 R09: 0000000000000000
[  115.896554][ T5105] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[  115.904541][ T5105] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[  115.912543][ T5105]  </TASK>
[  115.915566][ T5105] 
[  115.917893][ T5105] Allocated by task 5108:
[  115.922224][ T5105]  kasan_save_stack+0x33/0x60
[  115.926922][ T5105]  kasan_save_track+0x14/0x30
[  115.931614][ T5105]  __kasan_slab_alloc+0x89/0x90
[  115.936485][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  115.941971][ T5105]  skb_clone+0x190/0x3f0
[  115.946243][ T5105]  hci_cmd_work+0x66a/0x710
[  115.950774][ T5105]  process_one_work+0x9c8/0x1b40
[  115.955743][ T5105]  worker_thread+0x6c8/0xf30
[  115.960360][ T5105]  kthread+0x2c4/0x3a0
[  115.964467][ T5105]  ret_from_fork+0x48/0x80
[  115.968921][ T5105]  ret_from_fork_asm+0x1a/0x30
[  115.973726][ T5105] 
[  115.976054][ T5105] Freed by task 5101:
[  115.980300][ T5105]  kasan_save_stack+0x33/0x60
[  115.985018][ T5105]  kasan_save_track+0x14/0x30
[  115.989740][ T5105]  kasan_save_free_info+0x3b/0x60
[  115.994798][ T5105]  poison_slab_object+0xf7/0x160
[  115.999780][ T5105]  __kasan_slab_free+0x32/0x50
[  116.004563][ T5105]  kmem_cache_free+0x12f/0x3a0
[  116.009348][ T5105]  kfree_skbmem+0x10e/0x200
[  116.013893][ T5105]  kfree_skb_reason+0x138/0x210
[  116.018772][ T5105]  hci_req_sync_complete+0x16c/0x270
[  116.024087][ T5105]  hci_event_packet+0x966/0x1170
[  116.029053][ T5105]  hci_rx_work+0x2c4/0x1610
[  116.033584][ T5105]  process_one_work+0x9c8/0x1b40
[  116.038554][ T5105]  worker_thread+0x6c8/0xf30
[  116.043171][ T5105]  kthread+0x2c4/0x3a0
[  116.047282][ T5105]  ret_from_fork+0x48/0x80
[  116.051735][ T5105]  ret_from_fork_asm+0x1a/0x30
[  116.056544][ T5105] 
[  116.058871][ T5105] The buggy address belongs to the object at ffff88802253da00
[  116.058871][ T5105]  which belongs to the cache skbuff_head_cache of size 240
[  116.073459][ T5105] The buggy address is located 204 bytes inside of
[  116.073459][ T5105]  freed 240-byte region [ffff88802253da00, ffff88802253daf0)
[  116.087275][ T5105] 
[  116.089599][ T5105] The buggy address belongs to the physical page:
[  116.096012][ T5105] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2253d
[  116.104791][ T5105] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[  116.111915][ T5105] page_type: 0xffffefff(slab)
[  116.116610][ T5105] raw: 00fff00000000000 ffff8880192ca780 dead000000000122 0000000000000000
[  116.125213][ T5105] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[  116.133822][ T5105] page dumped because: kasan: bad access detected
[  116.140272][ T5105] page_owner tracks the page as allocated
[  116.145991][ T5105] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4531, tgid 4531 (klogd), ts 108768216197, free_ts 108379094728
[  116.164872][ T5105]  post_alloc_hook+0x2d1/0x350
[  116.169682][ T5105]  get_page_from_freelist+0x1353/0x2e50
[  116.175299][ T5105]  __alloc_pages_noprof+0x22b/0x2460
[  116.180624][ T5105]  alloc_slab_page+0x56/0x110
[  116.185344][ T5105]  new_slab+0x84/0x260
[  116.189433][ T5105]  ___slab_alloc+0xdac/0x1870
[  116.194132][ T5105]  __slab_alloc.constprop.0+0x56/0xb0
[  116.199528][ T5105]  kmem_cache_alloc_node_noprof+0xed/0x310
[  116.205360][ T5105]  __alloc_skb+0x2b1/0x380
[  116.209816][ T5105]  alloc_skb_with_frags+0xe4/0x710
[  116.215071][ T5105]  sock_alloc_send_pskb+0x7f1/0x980
[  116.220306][ T5105]  unix_dgram_sendmsg+0x4b8/0x1a60
[  116.225454][ T5105]  __sys_sendto+0x482/0x4e0
[  116.229980][ T5105]  __x64_sys_sendto+0xe0/0x1c0
[  116.234772][ T5105]  do_syscall_64+0xcd/0x250
[  116.239314][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  116.245253][ T5105] page last free pid 5097 tgid 5089 stack trace:
[  116.251585][ T5105]  free_unref_page+0x64a/0xe40
[  116.256385][ T5105]  __put_partials+0x14c/0x170
[  116.261081][ T5105]  qlist_free_all+0x4e/0x140
[  116.265709][ T5105]  kasan_quarantine_reduce+0x192/0x1e0
[  116.271215][ T5105]  __kasan_slab_alloc+0x69/0x90
[  116.276087][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  116.281573][ T5105]  ptlock_alloc+0x1f/0x70
[  116.285945][ T5105]  pte_alloc_one+0x74/0x370
[  116.290487][ T5105]  __pte_alloc+0x6e/0x3a0
[  116.294931][ T5105]  __handle_mm_fault+0x4883/0x5430
[  116.300088][ T5105]  handle_mm_fault+0x476/0xa00
[  116.304892][ T5105]  do_user_addr_fault+0x426/0xe50
[  116.309951][ T5105]  exc_page_fault+0x5c/0xc0
[  116.314482][ T5105]  asm_exc_page_fault+0x26/0x30
[  116.319378][ T5105] 
[  116.321702][ T5105] Memory state around the buggy address:
[  116.327335][ T5105]  ffff88802253d980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[  116.335407][ T5105]  ffff88802253da00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  116.343482][ T5105] >ffff88802253da80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[  116.351551][ T5105]                                               ^
[  116.357967][ T5105]  ffff88802253db00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[  116.366043][ T5105]  ffff88802253db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  116.374112][ T5105] ==================================================================
[  116.386006][ T5101] Bluetooth: hci0: command tx timeout
[  116.392039][ T5101] Bluetooth: hci1: command tx timeout
[  116.397523][ T5101] Bluetooth: hci4: command tx timeout
[  116.403063][ T5101] Bluetooth: hci2: command tx timeout
[  116.411508][ T5105] ==================================================================
[  116.419624][ T5105] BUG: KASAN: slab-use-after-free in skb_release_data+0x806/0x980
[  116.427475][ T5105] Read of size 1 at addr ffff88802253da7e by task syz-executor/5105
[  116.435479][ T5105] 
[  116.437818][ T5105] CPU: 1 PID: 5105 Comm: syz-executor Tainted: G    B              6.10.0-rc6-syzkaller-00061-ge9d22f7a6655 #0
[  116.449659][ T5105] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[  116.459739][ T5105] Call Trace:
[  116.463040][ T5105]  <TASK>
[  116.465989][ T5105]  dump_stack_lvl+0x116/0x1f0
[  116.470725][ T5105]  print_report+0xc3/0x620
[  116.475184][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  116.480866][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  116.486543][ T5105]  ? __phys_addr+0xc6/0x150
[  116.491087][ T5105]  kasan_report+0xd9/0x110
[  116.495543][ T5105]  ? skb_release_data+0x806/0x980
[  116.500617][ T5105]  ? skb_release_data+0x806/0x980
[  116.505688][ T5105]  skb_release_data+0x806/0x980
[  116.510587][ T5105]  kfree_skb_reason+0x12b/0x210
[  116.515490][ T5105]  __hci_req_sync+0x61d/0x980
[  116.520215][ T5105]  ? __pfx___hci_req_sync+0x10/0x10
[  116.525463][ T5105]  ? __mutex_lock+0x1a6/0x9c0
[  116.530187][ T5105]  ? __pfx_autoremove_wake_function+0x10/0x10
[  116.536295][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  116.541966][ T5105]  ? hci_req_sync+0x3f/0xd0
[  116.546522][ T5105]  ? __pfx___might_resched+0x10/0x10
[  116.551861][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  116.557532][ T5105]  ? aa_get_newest_label+0x376/0x680
[  116.562885][ T5105]  hci_req_sync+0x97/0xd0
[  116.567253][ T5105]  ? __pfx_hci_scan_req+0x10/0x10
[  116.572323][ T5105]  hci_dev_cmd+0x634/0x960
[  116.576788][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  116.582461][ T5105]  ? __pfx_hci_dev_cmd+0x10/0x10
[  116.587533][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  116.593204][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  116.598875][ T5105]  ? security_capable+0x98/0xd0
[  116.603796][ T5105]  hci_sock_ioctl+0x4f3/0x880
[  116.608523][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  116.614199][ T5105]  ? __pfx_hci_sock_ioctl+0x10/0x10
[  116.619532][ T5105]  ? __pfx_tomoyo_path_number_perm+0x10/0x10
[  116.625557][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  116.631311][ T5105]  sock_do_ioctl+0x119/0x280
[  116.635968][ T5105]  ? __pfx_sock_do_ioctl+0x10/0x10
[  116.641165][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  116.646857][ T5105]  sock_ioctl+0x22e/0x6c0
[  116.651254][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  116.656262][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  116.661943][ T5105]  ? __fget_files+0x256/0x400
[  116.666683][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  116.672358][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  116.677268][ T5105]  __x64_sys_ioctl+0x196/0x220
[  116.682088][ T5105]  do_syscall_64+0xcd/0x250
[  116.686644][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  116.692599][ T5105] RIP: 0033:0x7f07695757db
[  116.697046][ T5105] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[  116.716698][ T5105] RSP: 002b:00007ffd21b24990 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  116.725330][ T5105] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f07695757db
[  116.733335][ T5105] RDX: 00007ffd21b24a08 RSI: 00000000400448dd RDI: 0000000000000003
[  116.741339][ T5105] RBP: 00005555849894a8 R08: 0000000000000000 R09: 0000000000000000
[  116.749344][ T5105] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[  116.757359][ T5105] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[  116.765386][ T5105]  </TASK>
[  116.768428][ T5105] 
[  116.770765][ T5105] Allocated by task 5108:
[  116.775117][ T5105]  kasan_save_stack+0x33/0x60
[  116.779842][ T5105]  kasan_save_track+0x14/0x30
[  116.784548][ T5105]  __kasan_slab_alloc+0x89/0x90
[  116.789436][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  116.795148][ T5105]  skb_clone+0x190/0x3f0
[  116.799430][ T5105]  hci_cmd_work+0x66a/0x710
[  116.803730][ T5089] chnl_net:caif_netlink_parms(): no params data found
[  116.803952][ T5105]  process_one_work+0x9c8/0x1b40
[  116.815659][ T5105]  worker_thread+0x6c8/0xf30
[  116.820292][ T5105]  kthread+0x2c4/0x3a0
[  116.824413][ T5105]  ret_from_fork+0x48/0x80
[  116.828883][ T5105]  ret_from_fork_asm+0x1a/0x30
[  116.833700][ T5105] 
[  116.836033][ T5105] Freed by task 5101:
[  116.840026][ T5105]  kasan_save_stack+0x33/0x60
[  116.844734][ T5105]  kasan_save_track+0x14/0x30
[  116.849618][ T5105]  kasan_save_free_info+0x3b/0x60
[  116.854694][ T5105]  poison_slab_object+0xf7/0x160
[  116.859694][ T5105]  __kasan_slab_free+0x32/0x50
[  116.864488][ T5105]  kmem_cache_free+0x12f/0x3a0
[  116.869291][ T5105]  kfree_skbmem+0x10e/0x200
[  116.873896][ T5105]  kfree_skb_reason+0x138/0x210
[  116.878799][ T5105]  hci_req_sync_complete+0x16c/0x270
[  116.884117][ T5105]  hci_event_packet+0x966/0x1170
[  116.889083][ T5105]  hci_rx_work+0x2c4/0x1610
[  116.893600][ T5105]  process_one_work+0x9c8/0x1b40
[  116.898548][ T5105]  worker_thread+0x6c8/0xf30
[  116.903170][ T5105]  kthread+0x2c4/0x3a0
[  116.907257][ T5105]  ret_from_fork+0x48/0x80
[  116.911690][ T5105]  ret_from_fork_asm+0x1a/0x30
[  116.916483][ T5105] 
[  116.918801][ T5105] The buggy address belongs to the object at ffff88802253da00
[  116.918801][ T5105]  which belongs to the cache skbuff_head_cache of size 240
[  116.933383][ T5105] The buggy address is located 126 bytes inside of
[  116.933383][ T5105]  freed 240-byte region [ffff88802253da00, ffff88802253daf0)
[  116.947187][ T5105] 
[  116.949501][ T5105] The buggy address belongs to the physical page:
[  116.955900][ T5105] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2253d
[  116.964663][ T5105] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[  116.971774][ T5105] page_type: 0xffffefff(slab)
[  116.976461][ T5105] raw: 00fff00000000000 ffff8880192ca780 dead000000000122 0000000000000000
[  116.985073][ T5105] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[  116.993652][ T5105] page dumped because: kasan: bad access detected
[  117.000085][ T5105] page_owner tracks the page as allocated
[  117.005794][ T5105] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4531, tgid 4531 (klogd), ts 108768216197, free_ts 108379094728
[  117.024657][ T5105]  post_alloc_hook+0x2d1/0x350
[  117.029440][ T5105]  get_page_from_freelist+0x1353/0x2e50
[  117.035005][ T5105]  __alloc_pages_noprof+0x22b/0x2460
[  117.040306][ T5105]  alloc_slab_page+0x56/0x110
[  117.044996][ T5105]  new_slab+0x84/0x260
[  117.049075][ T5105]  ___slab_alloc+0xdac/0x1870
[  117.053754][ T5105]  __slab_alloc.constprop.0+0x56/0xb0
[  117.059135][ T5105]  kmem_cache_alloc_node_noprof+0xed/0x310
[  117.064949][ T5105]  __alloc_skb+0x2b1/0x380
[  117.069385][ T5105]  alloc_skb_with_frags+0xe4/0x710
[  117.074507][ T5105]  sock_alloc_send_pskb+0x7f1/0x980
[  117.079707][ T5105]  unix_dgram_sendmsg+0x4b8/0x1a60
[  117.084916][ T5105]  __sys_sendto+0x482/0x4e0
[  117.089424][ T5105]  __x64_sys_sendto+0xe0/0x1c0
[  117.094189][ T5105]  do_syscall_64+0xcd/0x250
[  117.098709][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  117.104718][ T5105] page last free pid 5097 tgid 5089 stack trace:
[  117.111125][ T5105]  free_unref_page+0x64a/0xe40
[  117.115917][ T5105]  __put_partials+0x14c/0x170
[  117.120595][ T5105]  qlist_free_all+0x4e/0x140
[  117.125229][ T5105]  kasan_quarantine_reduce+0x192/0x1e0
[  117.130997][ T5105]  __kasan_slab_alloc+0x69/0x90
[  117.135863][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  117.141328][ T5105]  ptlock_alloc+0x1f/0x70
[  117.145694][ T5105]  pte_alloc_one+0x74/0x370
[  117.150247][ T5105]  __pte_alloc+0x6e/0x3a0
[  117.154596][ T5105]  __handle_mm_fault+0x4883/0x5430
[  117.159741][ T5105]  handle_mm_fault+0x476/0xa00
[  117.164529][ T5105]  do_user_addr_fault+0x426/0xe50
[  117.169604][ T5105]  exc_page_fault+0x5c/0xc0
[  117.174118][ T5105]  asm_exc_page_fault+0x26/0x30
[  117.178990][ T5105] 
[  117.181307][ T5105] Memory state around the buggy address:
[  117.187448][ T5105]  ffff88802253d900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  117.195509][ T5105]  ffff88802253d980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[  117.203571][ T5105] >ffff88802253da00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  117.211631][ T5105]                                                                 ^
[  117.219616][ T5105]  ffff88802253da80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[  117.227764][ T5105]  ffff88802253db00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[  117.235826][ T5105] ==================================================================
[  117.247553][ T5105] ==================================================================
[  117.255734][ T5105] BUG: KASAN: slab-use-after-free in skb_release_data+0x8dd/0x980
[  117.263580][ T5105] Read of size 8 at addr ffff88802253dad0 by task syz-executor/5105
[  117.271570][ T5105] 
[  117.273900][ T5105] CPU: 1 PID: 5105 Comm: syz-executor Tainted: G    B              6.10.0-rc6-syzkaller-00061-ge9d22f7a6655 #0
[  117.285634][ T5105] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[  117.295696][ T5105] Call Trace:
[  117.298986][ T5105]  <TASK>
[  117.301924][ T5105]  dump_stack_lvl+0x116/0x1f0
[  117.306740][ T5105]  print_report+0xc3/0x620
[  117.311213][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  117.316890][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  117.322546][ T5105]  ? __phys_addr+0xc6/0x150
[  117.327074][ T5105]  kasan_report+0xd9/0x110
[  117.331536][ T5105]  ? skb_release_data+0x8dd/0x980
[  117.336589][ T5105]  ? skb_release_data+0x8dd/0x980
[  117.342079][ T5105]  skb_release_data+0x8dd/0x980
[  117.346964][ T5105]  kfree_skb_reason+0x12b/0x210
[  117.351849][ T5105]  __hci_req_sync+0x61d/0x980
[  117.356557][ T5105]  ? __pfx___hci_req_sync+0x10/0x10
[  117.361779][ T5105]  ? __mutex_lock+0x1a6/0x9c0
[  117.366514][ T5105]  ? __pfx_autoremove_wake_function+0x10/0x10
[  117.372617][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  117.378295][ T5105]  ? hci_req_sync+0x3f/0xd0
[  117.382847][ T5105]  ? __pfx___might_resched+0x10/0x10
[  117.388198][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  117.393858][ T5105]  ? aa_get_newest_label+0x376/0x680
[  117.399196][ T5105]  hci_req_sync+0x97/0xd0
[  117.403556][ T5105]  ? __pfx_hci_scan_req+0x10/0x10
[  117.408611][ T5105]  hci_dev_cmd+0x634/0x960
[  117.413063][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  117.418722][ T5105]  ? __pfx_hci_dev_cmd+0x10/0x10
[  117.423701][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  117.429357][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  117.435015][ T5105]  ? security_capable+0x98/0xd0
[  117.439918][ T5105]  hci_sock_ioctl+0x4f3/0x880
[  117.444623][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  117.450281][ T5105]  ? __pfx_hci_sock_ioctl+0x10/0x10
[  117.455513][ T5105]  ? __pfx_tomoyo_path_number_perm+0x10/0x10
[  117.461521][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  117.467184][ T5105]  sock_do_ioctl+0x119/0x280
[  117.471818][ T5105]  ? __pfx_sock_do_ioctl+0x10/0x10
[  117.476975][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  117.482634][ T5105]  sock_ioctl+0x22e/0x6c0
[  117.487005][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  117.491899][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  117.497554][ T5105]  ? __fget_files+0x256/0x400
[  117.502357][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  117.508016][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  117.512907][ T5105]  __x64_sys_ioctl+0x196/0x220
[  117.517709][ T5105]  do_syscall_64+0xcd/0x250
[  117.522249][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  117.528359][ T5105] RIP: 0033:0x7f07695757db
[  117.532797][ T5105] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[  117.552425][ T5105] RSP: 002b:00007ffd21b24990 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  117.560857][ T5105] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f07695757db
[  117.568843][ T5105] RDX: 00007ffd21b24a08 RSI: 00000000400448dd RDI: 0000000000000003
[  117.576826][ T5105] RBP: 00005555849894a8 R08: 0000000000000000 R09: 0000000000000000
[  117.584812][ T5105] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[  117.592797][ T5105] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[  117.600795][ T5105]  </TASK>
[  117.603822][ T5105] 
[  117.606145][ T5105] Allocated by task 5108:
[  117.610471][ T5105]  kasan_save_stack+0x33/0x60
[  117.615166][ T5105]  kasan_save_track+0x14/0x30
[  117.619857][ T5105]  __kasan_slab_alloc+0x89/0x90
[  117.624726][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  117.630298][ T5105]  skb_clone+0x190/0x3f0
[  117.634561][ T5105]  hci_cmd_work+0x66a/0x710
[  117.639089][ T5105]  process_one_work+0x9c8/0x1b40
[  117.644052][ T5105]  worker_thread+0x6c8/0xf30
[  117.648667][ T5105]  kthread+0x2c4/0x3a0
[  117.652770][ T5105]  ret_from_fork+0x48/0x80
[  117.657229][ T5105]  ret_from_fork_asm+0x1a/0x30
[  117.662028][ T5105] 
[  117.664349][ T5105] Freed by task 5101:
[  117.668328][ T5105]  kasan_save_stack+0x33/0x60
[  117.673019][ T5105]  kasan_save_track+0x14/0x30
[  117.677713][ T5105]  kasan_save_free_info+0x3b/0x60
[  117.682769][ T5105]  poison_slab_object+0xf7/0x160
[  117.687751][ T5105]  __kasan_slab_free+0x32/0x50
[  117.692638][ T5105]  kmem_cache_free+0x12f/0x3a0
[  117.697505][ T5105]  kfree_skbmem+0x10e/0x200
[  117.702048][ T5105]  kfree_skb_reason+0x138/0x210
[  117.706927][ T5105]  hci_req_sync_complete+0x16c/0x270
[  117.712256][ T5105]  hci_event_packet+0x966/0x1170
[  117.717231][ T5105]  hci_rx_work+0x2c4/0x1610
[  117.721763][ T5105]  process_one_work+0x9c8/0x1b40
[  117.726732][ T5105]  worker_thread+0x6c8/0xf30
[  117.731352][ T5105]  kthread+0x2c4/0x3a0
[  117.735456][ T5105]  ret_from_fork+0x48/0x80
[  117.739906][ T5105]  ret_from_fork_asm+0x1a/0x30
[  117.744710][ T5105] 
[  117.747034][ T5105] The buggy address belongs to the object at ffff88802253da00
[  117.747034][ T5105]  which belongs to the cache skbuff_head_cache of size 240
[  117.761637][ T5105] The buggy address is located 208 bytes inside of
[  117.761637][ T5105]  freed 240-byte region [ffff88802253da00, ffff88802253daf0)
[  117.775461][ T5105] 
[  117.777790][ T5105] The buggy address belongs to the physical page:
[  117.784309][ T5105] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2253d
[  117.793256][ T5105] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[  117.800374][ T5105] page_type: 0xffffefff(slab)
[  117.805070][ T5105] raw: 00fff00000000000 ffff8880192ca780 dead000000000122 0000000000000000
[  117.813671][ T5105] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[  117.822257][ T5105] page dumped because: kasan: bad access detected
[  117.828667][ T5105] page_owner tracks the page as allocated
[  117.834379][ T5105] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4531, tgid 4531 (klogd), ts 108768216197, free_ts 108379094728
[  117.853255][ T5105]  post_alloc_hook+0x2d1/0x350
[  117.858058][ T5105]  get_page_from_freelist+0x1353/0x2e50
[  117.863643][ T5105]  __alloc_pages_noprof+0x22b/0x2460
[  117.868964][ T5105]  alloc_slab_page+0x56/0x110
[  117.873762][ T5105]  new_slab+0x84/0x260
[  117.877864][ T5105]  ___slab_alloc+0xdac/0x1870
[  117.882563][ T5105]  __slab_alloc.constprop.0+0x56/0xb0
[  117.887956][ T5105]  kmem_cache_alloc_node_noprof+0xed/0x310
[  117.893783][ T5105]  __alloc_skb+0x2b1/0x380
[  117.898242][ T5105]  alloc_skb_with_frags+0xe4/0x710
[  117.903380][ T5105]  sock_alloc_send_pskb+0x7f1/0x980
[  117.908596][ T5105]  unix_dgram_sendmsg+0x4b8/0x1a60
[  117.913735][ T5105]  __sys_sendto+0x482/0x4e0
[  117.918258][ T5105]  __x64_sys_sendto+0xe0/0x1c0
[  117.923038][ T5105]  do_syscall_64+0xcd/0x250
[  117.927570][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  117.933501][ T5105] page last free pid 5097 tgid 5089 stack trace:
[  117.939833][ T5105]  free_unref_page+0x64a/0xe40
[  117.944629][ T5105]  __put_partials+0x14c/0x170
[  117.949321][ T5105]  qlist_free_all+0x4e/0x140
[  117.954037][ T5105]  kasan_quarantine_reduce+0x192/0x1e0
[  117.959536][ T5105]  __kasan_slab_alloc+0x69/0x90
[  117.964404][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  117.969885][ T5105]  ptlock_alloc+0x1f/0x70
[  117.974251][ T5105]  pte_alloc_one+0x74/0x370
[  117.978795][ T5105]  __pte_alloc+0x6e/0x3a0
[  117.983153][ T5105]  __handle_mm_fault+0x4883/0x5430
[  117.988303][ T5105]  handle_mm_fault+0x476/0xa00
[  117.993214][ T5105]  do_user_addr_fault+0x426/0xe50
[  117.998270][ T5105]  exc_page_fault+0x5c/0xc0
[  118.002826][ T5105]  asm_exc_page_fault+0x26/0x30
[  118.008096][ T5105] 
[  118.010426][ T5105] Memory state around the buggy address:
[  118.016171][ T5105]  ffff88802253d980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[  118.024243][ T5105]  ffff88802253da00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  118.032318][ T5105] >ffff88802253da80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[  118.040480][ T5105]                                                  ^
[  118.047161][ T5105]  ffff88802253db00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[  118.055496][ T5105]  ffff88802253db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  118.063563][ T5105] ==================================================================
[  118.073145][ T5105] ==================================================================
[  118.081105][ T5101] Bluetooth: hci3: command tx timeout
[  118.081309][ T5105] BUG: KASAN: slab-use-after-free in skb_release_data+0x857/0x980
[  118.094496][ T5105] Read of size 4 at addr ffff88802253dacc by task syz-executor/5105
[  118.102590][ T5105] 
[  118.104920][ T5105] CPU: 0 PID: 5105 Comm: syz-executor Tainted: G    B              6.10.0-rc6-syzkaller-00061-ge9d22f7a6655 #0
[  118.116664][ T5105] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[  118.126734][ T5105] Call Trace:
[  118.130114][ T5105]  <TASK>
[  118.133065][ T5105]  dump_stack_lvl+0x116/0x1f0
[  118.137793][ T5105]  print_report+0xc3/0x620
[  118.142243][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  118.147910][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  118.153568][ T5105]  ? __phys_addr+0xc6/0x150
[  118.158095][ T5105]  kasan_report+0xd9/0x110
[  118.162541][ T5105]  ? skb_release_data+0x857/0x980
[  118.167624][ T5105]  ? skb_release_data+0x857/0x980
[  118.172796][ T5105]  skb_release_data+0x857/0x980
[  118.177705][ T5105]  kfree_skb_reason+0x12b/0x210
[  118.182600][ T5105]  __hci_req_sync+0x61d/0x980
[  118.187316][ T5105]  ? __pfx___hci_req_sync+0x10/0x10
[  118.192577][ T5105]  ? __mutex_lock+0x1a6/0x9c0
[  118.197289][ T5105]  ? __pfx_autoremove_wake_function+0x10/0x10
[  118.203419][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  118.209081][ T5105]  ? hci_req_sync+0x3f/0xd0
[  118.213623][ T5105]  ? __pfx___might_resched+0x10/0x10
[  118.219038][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  118.224701][ T5105]  ? aa_get_newest_label+0x376/0x680
[  118.230043][ T5105]  hci_req_sync+0x97/0xd0
[  118.234427][ T5105]  ? __pfx_hci_scan_req+0x10/0x10
[  118.239485][ T5105]  hci_dev_cmd+0x634/0x960
[  118.243938][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  118.249718][ T5105]  ? __pfx_hci_dev_cmd+0x10/0x10
[  118.254704][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  118.260473][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  118.266145][ T5105]  ? security_capable+0x98/0xd0
[  118.271313][ T5105]  hci_sock_ioctl+0x4f3/0x880
[  118.276022][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  118.281686][ T5105]  ? __pfx_hci_sock_ioctl+0x10/0x10
[  118.287007][ T5105]  ? __pfx_tomoyo_path_number_perm+0x10/0x10
[  118.293020][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  118.298703][ T5105]  sock_do_ioctl+0x119/0x280
[  118.303353][ T5105]  ? __pfx_sock_do_ioctl+0x10/0x10
[  118.308519][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  118.314181][ T5105]  sock_ioctl+0x22e/0x6c0
[  118.318558][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  118.323453][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  118.329113][ T5105]  ? __fget_files+0x256/0x400
[  118.333853][ T5105]  ? srso_alias_return_thunk+0x5/0xfbef5
[  118.339509][ T5105]  ? __pfx_sock_ioctl+0x10/0x10
[  118.344402][ T5105]  __x64_sys_ioctl+0x196/0x220
[  118.349206][ T5105]  do_syscall_64+0xcd/0x250
[  118.353784][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  118.359726][ T5105] RIP: 0033:0x7f07695757db
[  118.364158][ T5105] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[  118.383795][ T5105] RSP: 002b:00007ffd21b24990 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  118.392235][ T5105] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f07695757db
[  118.400222][ T5105] RDX: 00007ffd21b24a08 RSI: 00000000400448dd RDI: 0000000000000003
[  118.408213][ T5105] RBP: 00005555849894a8 R08: 0000000000000000 R09: 0000000000000000
[  118.416201][ T5105] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[  118.424186][ T5105] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[  118.432207][ T5105]  </TASK>
[  118.435249][ T5105] 
[  118.437571][ T5105] Allocated by task 5108:
[  118.441902][ T5105]  kasan_save_stack+0x33/0x60
[  118.446600][ T5105]  kasan_save_track+0x14/0x30
[  118.451292][ T5105]  __kasan_slab_alloc+0x89/0x90
[  118.456160][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  118.461641][ T5105]  skb_clone+0x190/0x3f0
[  118.465904][ T5105]  hci_cmd_work+0x66a/0x710
[  118.470434][ T5105]  process_one_work+0x9c8/0x1b40
[  118.475486][ T5105]  worker_thread+0x6c8/0xf30
[  118.480102][ T5105]  kthread+0x2c4/0x3a0
[  118.484381][ T5105]  ret_from_fork+0x48/0x80
[  118.488835][ T5105]  ret_from_fork_asm+0x1a/0x30
[  118.493637][ T5105] 
[  118.495964][ T5105] Freed by task 5101:
[  118.499948][ T5105]  kasan_save_stack+0x33/0x60
[  118.504640][ T5105]  kasan_save_track+0x14/0x30
[  118.509332][ T5105]  kasan_save_free_info+0x3b/0x60
[  118.514485][ T5105]  poison_slab_object+0xf7/0x160
[  118.519464][ T5105]  __kasan_slab_free+0x32/0x50
[  118.524247][ T5105]  kmem_cache_free+0x12f/0x3a0
[  118.529029][ T5105]  kfree_skbmem+0x10e/0x200
[  118.533569][ T5105]  kfree_skb_reason+0x138/0x210
[  118.538445][ T5105]  hci_req_sync_complete+0x16c/0x270
[  118.543750][ T5105]  hci_event_packet+0x966/0x1170
[  118.548712][ T5105]  hci_rx_work+0x2c4/0x1610
[  118.553244][ T5105]  process_one_work+0x9c8/0x1b40
[  118.558207][ T5105]  worker_thread+0x6c8/0xf30
[  118.562998][ T5105]  kthread+0x2c4/0x3a0
[  118.567105][ T5105]  ret_from_fork+0x48/0x80
[  118.571736][ T5105]  ret_from_fork_asm+0x1a/0x30
[  118.576542][ T5105] 
[  118.578872][ T5105] The buggy address belongs to the object at ffff88802253da00
[  118.578872][ T5105]  which belongs to the cache skbuff_head_cache of size 240
[  118.593469][ T5105] The buggy address is located 204 bytes inside of
[  118.593469][ T5105]  freed 240-byte region [ffff88802253da00, ffff88802253daf0)
[  118.607384][ T5105] 
[  118.609718][ T5105] The buggy address belongs to the physical page:
[  118.616128][ T5105] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2253d
[  118.624906][ T5105] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[  118.632026][ T5105] page_type: 0xffffefff(slab)
[  118.636719][ T5105] raw: 00fff00000000000 ffff8880192ca780 dead000000000122 0000000000000000
[  118.645324][ T5105] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[  118.654002][ T5105] page dumped because: kasan: bad access detected
[  118.660420][ T5105] page_owner tracks the page as allocated
[  118.666141][ T5105] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4531, tgid 4531 (klogd), ts 108768216197, free_ts 108379094728
[  118.685024][ T5105]  post_alloc_hook+0x2d1/0x350
[  118.689851][ T5105]  get_page_from_freelist+0x1353/0x2e50
[  118.695437][ T5105]  __alloc_pages_noprof+0x22b/0x2460
[  118.700759][ T5105]  alloc_slab_page+0x56/0x110
[  118.705475][ T5105]  new_slab+0x84/0x260
[  118.709563][ T5105]  ___slab_alloc+0xdac/0x1870
[  118.714260][ T5105]  __slab_alloc.constprop.0+0x56/0xb0
[  118.719683][ T5105]  kmem_cache_alloc_node_noprof+0xed/0x310
[  118.725511][ T5105]  __alloc_skb+0x2b1/0x380
[  118.729966][ T5105]  alloc_skb_with_frags+0xe4/0x710
[  118.735107][ T5105]  sock_alloc_send_pskb+0x7f1/0x980
[  118.740323][ T5105]  unix_dgram_sendmsg+0x4b8/0x1a60
[  118.745465][ T5105]  __sys_sendto+0x482/0x4e0
[  118.749984][ T5105]  __x64_sys_sendto+0xe0/0x1c0
[  118.754765][ T5105]  do_syscall_64+0xcd/0x250
[  118.759305][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  118.765238][ T5105] page last free pid 5097 tgid 5089 stack trace:
[  118.771571][ T5105]  free_unref_page+0x64a/0xe40
[  118.776543][ T5105]  __put_partials+0x14c/0x170
[  118.781238][ T5105]  qlist_free_all+0x4e/0x140
[  118.785867][ T5105]  kasan_quarantine_reduce+0x192/0x1e0
[  118.791365][ T5105]  __kasan_slab_alloc+0x69/0x90
[  118.796232][ T5105]  kmem_cache_alloc_noprof+0x121/0x2f0
[  118.801716][ T5105]  ptlock_alloc+0x1f/0x70
[  118.806087][ T5105]  pte_alloc_one+0x74/0x370