last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.1.174' (ED25519) to the list of known hosts.
[ 95.233084][ T29] audit: type=1400 audit(1719902841.079:87): avc: denied { mounton } for pid=5072 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1925 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 95.245854][ T5072] cgroup: Unknown subsys name 'net'
[ 95.256009][ T29] audit: type=1400 audit(1719902841.089:88): avc: denied { mount } for pid=5072 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 95.283463][ T29] audit: type=1400 audit(1719902841.119:89): avc: denied { unmount } for pid=5072 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 95.443358][ T5072] cgroup: Unknown subsys name 'rlimit'
[ 95.654090][ T29] audit: type=1400 audit(1719902841.499:90): avc: denied { setattr } for pid=5072 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=733 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 95.679018][ T29] audit: type=1400 audit(1719902841.499:91): avc: denied { create } for pid=5072 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 95.725152][ T29] audit: type=1400 audit(1719902841.509:92): avc: denied { write } for pid=5072 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 95.747940][ T29] audit: type=1400 audit(1719902841.509:93): avc: denied { read } for pid=5072 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 95.774274][ T29] audit: type=1400 audit(1719902841.539:94): avc: denied { mounton } for pid=5072 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 95.801276][ T29] audit: type=1400 audit(1719902841.539:95): avc: denied { mount } for pid=5072 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 95.825240][ T29] audit: type=1400 audit(1719902841.559:96): avc: denied { read } for pid=4749 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=1
[ 95.866927][ T5074] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
Setting up swapspace version 1, size = 127995904 bytes
[ 97.648110][ T9] cfg80211: failed to load regulatory.db
[ 97.761165][ T5072] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 98.927257][ T5093] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 98.938744][ T5094] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 98.948140][ T5093] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 98.957099][ T5094] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 98.959773][ T5093] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 98.965242][ T5094] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 98.973009][ T5093] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 98.987250][ T5100] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 98.996528][ T5100] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 99.007201][ T5100] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 99.009301][ T5094] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 99.014955][ T5100] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 99.024029][ T5094] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 99.030088][ T5100] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 99.037004][ T5094] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 99.043984][ T5100] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 99.052090][ T5094] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 99.057352][ T5100] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 99.071000][ T5093] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 99.073148][ T5094] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 99.078765][ T5093] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 99.087498][ T5094] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 99.097881][ T5093] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 99.103724][ T4479] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 99.108595][ T5093] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 99.113277][ T4479] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 99.121039][ T5093] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 99.134678][ T5093] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 99.165844][ T5083] ==================================================================
[ 99.173974][ T5083] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x36/0x210
[ 99.181799][ T5083] Read of size 4 at addr ffff888067eec364 by task syz-executor/5083
[ 99.189909][ T5083]
[ 99.192272][ T5083] CPU: 0 PID: 5083 Comm: syz-executor Not tainted 6.10.0-rc6-syzkaller-00048-g73e931504f8e #0
[ 99.202822][ T5083] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 99.212935][ T5083] Call Trace:
[ 99.216246][ T5083] <TASK>
[ 99.219206][ T5083] dump_stack_lvl+0x116/0x1f0
[ 99.223979][ T5083] print_report+0xc3/0x620
[ 99.228467][ T5083] ? __virt_addr_valid+0x5e/0x580
[ 99.233541][ T5083] ? __phys_addr+0xc6/0x150
[ 99.238092][ T5083] kasan_report+0xd9/0x110
[ 99.242580][ T5083] ? kfree_skb_reason+0x36/0x210
[ 99.247583][ T5083] ? kfree_skb_reason+0x36/0x210
[ 99.252586][ T5083] kasan_check_range+0xef/0x1a0
[ 99.257576][ T5083] kfree_skb_reason+0x36/0x210
[ 99.262406][ T5083] __hci_req_sync+0x61d/0x980
[ 99.267143][ T5083] ? __pfx___hci_req_sync+0x10/0x10
[ 99.272384][ T5083] ? __mutex_lock+0x1a6/0x9c0
[ 99.277111][ T5083] ? __pfx_autoremove_wake_function+0x10/0x10
[ 99.283246][ T5083] ? hci_req_sync+0x3f/0xd0
[ 99.287808][ T5083] ? __pfx___might_resched+0x10/0x10
[ 99.293159][ T5083] hci_req_sync+0x97/0xd0
[ 99.297542][ T5083] ? __pfx_hci_scan_req+0x10/0x10
[ 99.302625][ T5083] hci_dev_cmd+0x634/0x960
[ 99.307100][ T5083] ? cap_capable+0x1cf/0x240
[ 99.311745][ T5083] ? __pfx_hci_dev_cmd+0x10/0x10
[ 99.316738][ T5083] ? security_capable+0x98/0xd0
[ 99.321647][ T5083] hci_sock_ioctl+0x4f3/0x880
[ 99.326522][ T5083] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 99.331774][ T5083] sock_do_ioctl+0x116/0x280
[ 99.336422][ T5083] ? __pfx_sock_do_ioctl+0x10/0x10
[ 99.341577][ T5083] ? ioctl_has_perm.constprop.0.isra.0+0x2f9/0x470
[ 99.348139][ T5083] ? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10
[ 99.355054][ T5083] sock_ioctl+0x22e/0x6c0
[ 99.359435][ T5083] ? __pfx_sock_ioctl+0x10/0x10
[ 99.364345][ T5083] ? selinux_file_ioctl+0x180/0x270
[ 99.369602][ T5083] ? selinux_file_ioctl+0xb4/0x270
[ 99.374780][ T5083] ? __pfx_sock_ioctl+0x10/0x10
[ 99.376559][ T5096] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 99.379672][ T5083] __x64_sys_ioctl+0x193/0x220
[ 99.379722][ T5083] do_syscall_64+0xcd/0x250
[ 99.387652][ T5096] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 99.391511][ T5083] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 99.409005][ T5083] RIP: 0033:0x7f881557579b
[ 99.413470][ T5083] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 99.433127][ T5083] RSP: 002b:00007fff09b5b250 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 99.441676][ T5083] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f881557579b
[ 99.449688][ T5083] RDX: 00007fff09b5b2c8 RSI: 00000000400448dd RDI: 0000000000000003
[ 99.457707][ T5083] RBP: 000055555f6014a8 R08: 0000000000000000 R09: 0000000000000000
[ 99.465735][ T5083] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000002
[ 99.473770][ T5083] R13: 0000000000000002 R14: 0000000000000009 R15: 0000000000000009
[ 99.481799][ T5083] </TASK>
[ 99.484886][ T5083]
[ 99.487232][ T5083] Allocated by task 5091:
[ 99.491584][ T5083] kasan_save_stack+0x33/0x60
[ 99.496329][ T5083] kasan_save_track+0x14/0x30
[ 99.501062][ T5083] __kasan_slab_alloc+0x89/0x90
[ 99.505970][ T5083] kmem_cache_alloc_noprof+0x121/0x2f0
[ 99.511502][ T5083] skb_clone+0x190/0x3f0
[ 99.515801][ T5083] hci_cmd_work+0x66a/0x710
[ 99.520361][ T5083] process_one_work+0x9c5/0x1b40
[ 99.525346][ T5083] worker_thread+0x6c8/0xf30
[ 99.529985][ T5083] kthread+0x2c1/0x3a0
[ 99.534114][ T5083] ret_from_fork+0x45/0x80
[ 99.538598][ T5083] ret_from_fork_asm+0x1a/0x30
[ 99.543432][ T5083]
[ 99.545784][ T5083] Freed by task 5093:
[ 99.549793][ T5083] kasan_save_stack+0x33/0x60
[ 99.554542][ T5083] kasan_save_track+0x14/0x30
[ 99.559296][ T5083] kasan_save_free_info+0x3b/0x60
[ 99.564377][ T5083] poison_slab_object+0xf7/0x160
[ 99.569377][ T5083] __kasan_slab_free+0x32/0x50
[ 99.574216][ T5083] kmem_cache_free+0x12f/0x3a0
[ 99.579057][ T5083] kfree_skbmem+0x10e/0x200
[ 99.583616][ T5083] kfree_skb_reason+0x138/0x210
[ 99.588527][ T5083] hci_req_sync_complete+0x16c/0x270
[ 99.593865][ T5083] hci_event_packet+0x963/0x1170
[ 99.598858][ T5083] hci_rx_work+0x2c4/0x1610
[ 99.603417][ T5083] process_one_work+0x9c5/0x1b40
[ 99.608397][ T5083] worker_thread+0x6c8/0xf30
[ 99.613121][ T5083] kthread+0x2c1/0x3a0
[ 99.617246][ T5083] ret_from_fork+0x45/0x80
[ 99.621725][ T5083] ret_from_fork_asm+0x1a/0x30
[ 99.626555][ T5083]
[ 99.628905][ T5083] The buggy address belongs to the object at ffff888067eec280
[ 99.628905][ T5083] which belongs to the cache skbuff_head_cache of size 240
[ 99.643521][ T5083] The buggy address is located 228 bytes inside of
[ 99.643521][ T5083] freed 240-byte region [ffff888067eec280, ffff888067eec370)
[ 99.657371][ T5083]
[ 99.659723][ T5083] The buggy address belongs to the physical page:
[ 99.666172][ T5083] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x67eec
[ 99.675002][ T5083] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 99.682147][ T5083] page_type: 0xffffefff(slab)
[ 99.686884][ T5083] raw: 00fff00000000000 ffff88801929b780 dead000000000122 0000000000000000
[ 99.695518][ T5083] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 99.704138][ T5083] page dumped because: kasan: bad access detected
[ 99.710595][ T5083] page_owner tracks the page as allocated
[ 99.716341][ T5083] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5083, tgid 5083 (syz-executor), ts 99144782501, free_ts 34987577503
[ 99.735674][ T5083] post_alloc_hook+0x2d1/0x350
[ 99.740492][ T5083] get_page_from_freelist+0x1353/0x2e50
[ 99.746103][ T5083] __alloc_pages_noprof+0x22b/0x2460
[ 99.751449][ T5083] alloc_slab_page+0x56/0x110
[ 99.756183][ T5083] new_slab+0x84/0x260
[ 99.760312][ T5083] ___slab_alloc+0xdac/0x1870
[ 99.765059][ T5083] __slab_alloc.constprop.0+0x56/0xb0
[ 99.770499][ T5083] kmem_cache_alloc_node_noprof+0xed/0x310
[ 99.776376][ T5083] __alloc_skb+0x2b1/0x380
[ 99.780850][ T5083] hci_prepare_cmd+0x32/0x2b0
[ 99.785571][ T5083] hci_req_add_ev+0x11b/0x2b0
[ 99.790304][ T5083] hci_scan_req+0x87/0x150
[ 99.794767][ T5083] __hci_req_sync+0x142/0x980
[ 99.799584][ T5083] hci_req_sync+0x97/0xd0
[ 99.803964][ T5083] hci_dev_cmd+0x634/0x960
[ 99.808435][ T5083] hci_sock_ioctl+0x4f3/0x880
[ 99.813161][ T5083] page last free pid 1 tgid 1 stack trace:
[ 99.818991][ T5083] free_unref_page+0x64a/0xe40
[ 99.823810][ T5083] free_contig_range+0xb6/0x1a0
[ 99.828708][ T5083] destroy_args+0xa4e/0xe20
[ 99.833265][ T5083] debug_vm_pgtable+0x1705/0x3280
[ 99.838364][ T5083] do_one_initcall+0x128/0x700
[ 99.843181][ T5083] kernel_init_freeable+0x69d/0xca0
[ 99.848437][ T5083] kernel_init+0x1c/0x2b0
[ 99.852828][ T5083] ret_from_fork+0x45/0x80
[ 99.857300][ T5083] ret_from_fork_asm+0x1a/0x30
[ 99.862118][ T5083]
[ 99.864462][ T5083] Memory state around the buggy address:
[ 99.870116][ T5083] ffff888067eec200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 99.878217][ T5083] ffff888067eec280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 99.886489][ T5083] >ffff888067eec300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 99.894581][ T5083]                                                        ^
[ 99.901819][ T5083] ffff888067eec380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 99.909922][ T5083] ffff888067eec400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 99.918016][ T5083] ==================================================================
[ 99.944528][ T5083] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 99.951999][ T5083] CPU: 0 PID: 5083 Comm: syz-executor Not tainted 6.10.0-rc6-syzkaller-00048-g73e931504f8e #0
[ 99.962278][ T5083] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 99.972378][ T5083] Call Trace:
[ 99.975688][ T5083] <TASK>
[ 99.978648][ T5083] dump_stack_lvl+0x3d/0x1f0
[ 99.983290][ T5083] panic+0x6f5/0x7a0
[ 99.987244][ T5083] ? __pfx_panic+0x10/0x10
[ 99.991721][ T5083] ? irqentry_exit+0x3b/0x90
[ 99.996368][ T5083] ? lockdep_hardirqs_on+0x7c/0x110
[ 100.001620][ T5083] ? preempt_schedule_thunk+0x1a/0x30
[ 100.007041][ T5083] ? preempt_schedule_common+0x44/0xc0
[ 100.012548][ T5083] ? check_panic_on_warn+0x1f/0xb0
[ 100.017730][ T5083] check_panic_on_warn+0xab/0xb0
[ 100.022751][ T5083] end_report+0x117/0x180
[ 100.027156][ T5083] kasan_report+0xe9/0x110
[ 100.031633][ T5083] ? kfree_skb_reason+0x36/0x210
[ 100.036629][ T5083] ? kfree_skb_reason+0x36/0x210
[ 100.041626][ T5083] kasan_check_range+0xef/0x1a0
[ 100.046544][ T5083] kfree_skb_reason+0x36/0x210
[ 100.051390][ T5083] __hci_req_sync+0x61d/0x980
[ 100.056121][ T5083] ? __pfx___hci_req_sync+0x10/0x10
[ 100.061369][ T5083] ? __mutex_lock+0x1a6/0x9c0
[ 100.066102][ T5083] ? __pfx_autoremove_wake_function+0x10/0x10
[ 100.072232][ T5083] ? hci_req_sync+0x3f/0xd0
[ 100.076793][ T5083] ? __pfx___might_resched+0x10/0x10
[ 100.082135][ T5083] hci_req_sync+0x97/0xd0
[ 100.086511][ T5083] ? __pfx_hci_scan_req+0x10/0x10
[ 100.091585][ T5083] hci_dev_cmd+0x634/0x960
[ 100.096068][ T5083] ? cap_capable+0x1cf/0x240
[ 100.100719][ T5083] ? __pfx_hci_dev_cmd+0x10/0x10
[ 100.105720][ T5083] ? security_capable+0x98/0xd0
[ 100.110640][ T5083] hci_sock_ioctl+0x4f3/0x880
[ 100.115374][ T5083] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 100.120633][ T5083] sock_do_ioctl+0x116/0x280
[ 100.125274][ T5083] ? __pfx_sock_do_ioctl+0x10/0x10
[ 100.130433][ T5083] ? ioctl_has_perm.constprop.0.isra.0+0x2f9/0x470
[ 100.136991][ T5083] ? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10
[ 100.143901][ T5083] sock_ioctl+0x22e/0x6c0
[ 100.148282][ T5083] ? __pfx_sock_ioctl+0x10/0x10
[ 100.153185][ T5083] ? selinux_file_ioctl+0x180/0x270
[ 100.158524][ T5083] ? selinux_file_ioctl+0xb4/0x270
[ 100.163687][ T5083] ? __pfx_sock_ioctl+0x10/0x10
[ 100.168587][ T5083] __x64_sys_ioctl+0x193/0x220
[ 100.173406][ T5083] do_syscall_64+0xcd/0x250
[ 100.177976][ T5083] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 100.183940][ T5083] RIP: 0033:0x7f881557579b
[ 100.188394][ T5083] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 100.208052][ T5083] RSP: 002b:00007fff09b5b250 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 100.216524][ T5083] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f881557579b
[ 100.224544][ T5083] RDX: 00007fff09b5b2c8 RSI: 00000000400448dd RDI: 0000000000000003
[ 100.232562][ T5083] RBP: 000055555f6014a8 R08: 0000000000000000 R09: 0000000000000000
[ 100.240580][ T5083] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000002
[ 100.248608][ T5083] R13: 0000000000000002 R14: 0000000000000009 R15: 0000000000000009
[ 100.256641][ T5083] </TASK>
[ 100.260355][ T5083] Kernel Offset: disabled
[ 100.264691][ T5083] Rebooting in 86400 seconds..