last executing test programs: kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.1.104' (ED25519) to the list of known hosts. [ 101.920448][ T57] cfg80211: failed to load regulatory.db [ 103.229593][ T5079] cgroup: Unknown subsys name 'net' [ 103.443845][ T5079] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 105.548522][ T5079] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 109.818304][ T53] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 109.827901][ T53] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 109.845372][ T53] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 109.857069][ T53] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 109.877696][ T53] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3 [ 109.902863][ T5091] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 109.911212][ T5091] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 109.919711][ T5091] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 109.929780][ T4486] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 109.939638][ T4486] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 109.949389][ T4486] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3 [ 109.957119][ T4486] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 110.008882][ T5096] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 110.036378][ T5096] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 110.046102][ T5096] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 110.057772][ T5096] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 110.066663][ T5096] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3 [ 110.076223][ T5096] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 110.181511][ T53] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 110.195367][ T5095] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 110.206342][ T5091] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1 [ 110.236232][ T5091] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9 [ 110.236705][ T5107] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 110.253114][ T5107] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9 [ 110.261616][ T5091] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 110.270209][ T5091] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3 [ 110.278314][ T5091] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 110.301344][ T5091] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4 [ 110.306661][ T5096] Bluetooth: hci5: unexpected cc 0x0c03 length: 249 > 1 [ 110.318779][ T5091] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3 [ 110.320115][ T5096] Bluetooth: hci5: unexpected cc 0x1003 length: 249 > 9 [ 110.333592][ T5096] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2 [ 110.341904][ T5091] Bluetooth: hci5: unexpected cc 0x1001 length: 249 > 9 [ 110.359507][ T5096] Bluetooth: hci5: unexpected cc 0x0c23 length: 249 > 4 [ 110.384771][ T53] Bluetooth: hci5: unexpected cc 0x0c25 length: 249 > 3 [ 110.392470][ T53] Bluetooth: hci5: unexpected cc 0x0c38 length: 249 > 2 [ 110.425322][ T5103] ================================================================== [ 110.433640][ T5103] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x36/0x210 [ 110.441412][ T5103] Read of size 4 at addr ffff8880632dbc24 by task syz-executor/5103 [ 110.449434][ T5103] [ 110.451768][ T5103] CPU: 1 PID: 5103 Comm: syz-executor Not tainted 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 110.462040][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 110.472118][ T5103] Call Trace: [ 110.475413][ T5103] [ 110.478360][ T5103] dump_stack_lvl+0x116/0x1f0 [ 110.483179][ T5103] print_report+0xc3/0x620 [ 110.487642][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.493503][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.499200][ T5103] ? __phys_addr+0xc6/0x150 [ 110.503726][ T5103] kasan_report+0xd9/0x110 [ 110.508188][ T5103] ? kfree_skb_reason+0x36/0x210 [ 110.513247][ T5103] ? kfree_skb_reason+0x36/0x210 [ 110.518233][ T5103] kasan_check_range+0xef/0x1a0 [ 110.523123][ T5103] kfree_skb_reason+0x36/0x210 [ 110.527933][ T5103] __hci_req_sync+0x61d/0x980 [ 110.532643][ T5103] ? __pfx___hci_req_sync+0x10/0x10 [ 110.537868][ T5103] ? __mutex_lock+0x1a6/0x9c0 [ 110.542623][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10 [ 110.548748][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.554531][ T5103] ? hci_req_sync+0x3f/0xd0 [ 110.559085][ T5103] ? __pfx___might_resched+0x10/0x10 [ 110.564429][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.570099][ T5103] ? aa_get_newest_label+0x376/0x680 [ 110.575466][ T5103] hci_req_sync+0x97/0xd0 [ 110.579839][ T5103] ? __pfx_hci_scan_req+0x10/0x10 [ 110.584966][ T5103] hci_dev_cmd+0x634/0x960 [ 110.589623][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.595318][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10 [ 110.600297][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.605961][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.611617][ T5103] ? security_capable+0x98/0xd0 [ 110.616517][ T5103] hci_sock_ioctl+0x4f3/0x880 [ 110.621518][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.627180][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10 [ 110.632410][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 110.638425][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.644099][ T5103] sock_do_ioctl+0x119/0x280 [ 110.648735][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10 [ 110.653906][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.659573][ T5103] sock_ioctl+0x22e/0x6c0 [ 110.663954][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 110.669419][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.675090][ T5103] ? __fget_files+0x256/0x400 [ 110.679904][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.685570][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 110.690577][ T5103] __x64_sys_ioctl+0x196/0x220 [ 110.695386][ T5103] do_syscall_64+0xcd/0x250 [ 110.699931][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 110.705887][ T5103] RIP: 0033:0x7fb7bb9757db [ 110.710316][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 110.730888][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 110.739339][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db [ 110.747352][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003 [ 110.755456][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000 [ 110.763464][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005 [ 110.771471][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009 [ 110.779503][ T5103] [ 110.782528][ T5103] [ 110.784858][ T5103] Allocated by task 4486: [ 110.789212][ T5103] kasan_save_stack+0x33/0x60 [ 110.793930][ T5103] kasan_save_track+0x14/0x30 [ 110.798669][ T5103] __kasan_slab_alloc+0x89/0x90 [ 110.803547][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0 [ 110.809037][ T5103] skb_clone+0x190/0x3f0 [ 110.813306][ T5103] hci_cmd_work+0x66a/0x710 [ 110.817848][ T5103] process_one_work+0x9c8/0x1b40 [ 110.822925][ T5103] worker_thread+0x6c8/0xf30 [ 110.827545][ T5103] kthread+0x2c4/0x3a0 [ 110.831659][ T5103] ret_from_fork+0x48/0x80 [ 110.836118][ T5103] ret_from_fork_asm+0x1a/0x30 [ 110.841011][ T5103] [ 110.843336][ T5103] Freed by task 4486: [ 110.847328][ T5103] kasan_save_stack+0x33/0x60 [ 110.852071][ T5103] kasan_save_track+0x14/0x30 [ 110.857123][ T5103] kasan_save_free_info+0x3b/0x60 [ 110.862186][ T5103] poison_slab_object+0xf7/0x160 [ 110.867187][ T5103] __kasan_slab_free+0x32/0x50 [ 110.872073][ T5103] kmem_cache_free+0x12f/0x3a0 [ 110.876862][ T5103] kfree_skbmem+0x10e/0x200 [ 110.881435][ T5103] kfree_skb_reason+0x138/0x210 [ 110.886512][ T5103] hci_req_sync_complete+0x16c/0x270 [ 110.891823][ T5103] hci_event_packet+0x966/0x1170 [ 110.896822][ T5103] hci_rx_work+0x2c4/0x1610 [ 110.901383][ T5103] process_one_work+0x9c8/0x1b40 [ 110.906443][ T5103] worker_thread+0x6c8/0xf30 [ 110.911062][ T5103] kthread+0x2c4/0x3a0 [ 110.915178][ T5103] ret_from_fork+0x48/0x80 [ 110.919631][ T5103] ret_from_fork_asm+0x1a/0x30 [ 110.924434][ T5103] [ 110.926760][ T5103] The buggy address belongs to the object at ffff8880632dbb40 [ 110.926760][ T5103] which belongs to the cache skbuff_head_cache of size 240 [ 110.941441][ T5103] The buggy address is located 228 bytes inside of [ 110.941441][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30) [ 110.955712][ T5103] [ 110.958209][ T5103] The buggy address belongs to the physical page: [ 110.964654][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db [ 110.973437][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 110.980650][ T5103] page_type: 0xffffefff(slab) [ 110.985516][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000 [ 110.994306][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000 [ 111.002906][ T5103] page dumped because: kasan: bad access detected [ 111.009327][ T5103] page_owner tracks the page as allocated [ 111.015132][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838 [ 111.034544][ T5103] post_alloc_hook+0x2d1/0x350 [ 111.039347][ T5103] get_page_from_freelist+0x1353/0x2e50 [ 111.044933][ T5103] __alloc_pages_noprof+0x22b/0x2460 [ 111.050461][ T5103] alloc_slab_page+0x56/0x110 [ 111.055178][ T5103] new_slab+0x84/0x260 [ 111.059265][ T5103] ___slab_alloc+0xdac/0x1870 [ 111.063962][ T5103] __slab_alloc.constprop.0+0x56/0xb0 [ 111.069370][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310 [ 111.075201][ T5103] __alloc_skb+0x2b1/0x380 [ 111.079657][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280 [ 111.084977][ T5103] rtmsg_ifinfo+0x9f/0x1a0 [ 111.089413][ T5103] register_netdevice+0x1710/0x1cb0 [ 111.094721][ T5103] __ip_tunnel_create+0x4aa/0x690 [ 111.099770][ T5103] ip_tunnel_init_net+0x22a/0x780 [ 111.104823][ T5103] ops_init+0xbc/0x650 [ 111.108922][ T5103] setup_net+0x435/0xb40 [ 111.113191][ T5103] page last free pid 1 tgid 1 stack trace: [ 111.119016][ T5103] free_unref_page+0x64a/0xe40 [ 111.123822][ T5103] free_contig_range+0xb6/0x1a0 [ 111.128707][ T5103] destroy_args+0xa4e/0xe20 [ 111.133247][ T5103] debug_vm_pgtable+0x1705/0x3280 [ 111.138335][ T5103] do_one_initcall+0x12b/0x700 [ 111.143135][ T5103] kernel_init_freeable+0x69d/0xca0 [ 111.148380][ T5103] kernel_init+0x1c/0x2b0 [ 111.152754][ T5103] ret_from_fork+0x48/0x80 [ 111.157210][ T5103] ret_from_fork_asm+0x1a/0x30 [ 111.162012][ T5103] [ 111.164336][ T5103] Memory state around the buggy address: [ 111.169971][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 111.178046][ T5103] ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 111.186126][ T5103] >ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 111.194278][ T5103] ^ [ 111.199654][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 111.207866][ T5103] ffff8880632dbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 111.216079][ T5103] ================================================================== [ 111.226388][ T5103] Disabling lock debugging due to kernel taint [ 111.232561][ T5103] ================================================================== [ 111.240636][ T5103] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x1f5/0x210 [ 111.248514][ T5103] Read of size 4 at addr ffff8880632dbc24 by task syz-executor/5103 [ 111.256546][ T5103] [ 111.258883][ T5103] CPU: 1 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 111.270716][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 111.280819][ T5103] Call Trace: [ 111.284118][ T5103] [ 111.287069][ T5103] dump_stack_lvl+0x116/0x1f0 [ 111.291880][ T5103] print_report+0xc3/0x620 [ 111.296338][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.302011][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.307943][ T5103] ? __phys_addr+0xc6/0x150 [ 111.312516][ T5103] kasan_report+0xd9/0x110 [ 111.316970][ T5103] ? kfree_skb_reason+0x1f5/0x210 [ 111.322047][ T5103] ? kfree_skb_reason+0x1f5/0x210 [ 111.327243][ T5103] kfree_skb_reason+0x1f5/0x210 [ 111.332254][ T5103] __hci_req_sync+0x61d/0x980 [ 111.337013][ T5103] ? __pfx___hci_req_sync+0x10/0x10 [ 111.342345][ T5103] ? __mutex_lock+0x1a6/0x9c0 [ 111.347071][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10 [ 111.353180][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.358861][ T5103] ? hci_req_sync+0x3f/0xd0 [ 111.363412][ T5103] ? __pfx___might_resched+0x10/0x10 [ 111.368745][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.374539][ T5103] ? aa_get_newest_label+0x376/0x680 [ 111.379893][ T5103] hci_req_sync+0x97/0xd0 [ 111.384269][ T5103] ? __pfx_hci_scan_req+0x10/0x10 [ 111.389342][ T5103] hci_dev_cmd+0x634/0x960 [ 111.393808][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.399487][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10 [ 111.404475][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.410150][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.415842][ T5103] ? security_capable+0x98/0xd0 [ 111.420758][ T5103] hci_sock_ioctl+0x4f3/0x880 [ 111.425479][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.431151][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10 [ 111.436395][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 111.442420][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.448185][ T5103] sock_do_ioctl+0x119/0x280 [ 111.452963][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10 [ 111.458153][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.463815][ T5103] sock_ioctl+0x22e/0x6c0 [ 111.468540][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 111.473434][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.479096][ T5103] ? __fget_files+0x256/0x400 [ 111.483943][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 111.489632][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 111.494528][ T5103] __x64_sys_ioctl+0x196/0x220 [ 111.499335][ T5103] do_syscall_64+0xcd/0x250 [ 111.503973][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 111.510016][ T5103] RIP: 0033:0x7fb7bb9757db [ 111.514449][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 111.534374][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 111.542924][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db [ 111.550913][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003 [ 111.558903][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000 [ 111.566888][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005 [ 111.574873][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009 [ 111.582876][ T5103] [ 111.585902][ T5103] [ 111.588226][ T5103] Allocated by task 4486: [ 111.592557][ T5103] kasan_save_stack+0x33/0x60 [ 111.597257][ T5103] kasan_save_track+0x14/0x30 [ 111.602073][ T5103] __kasan_slab_alloc+0x89/0x90 [ 111.606951][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0 [ 111.612463][ T5103] skb_clone+0x190/0x3f0 [ 111.616753][ T5103] hci_cmd_work+0x66a/0x710 [ 111.621285][ T5103] process_one_work+0x9c8/0x1b40 [ 111.626250][ T5103] worker_thread+0x6c8/0xf30 [ 111.630868][ T5103] kthread+0x2c4/0x3a0 [ 111.634977][ T5103] ret_from_fork+0x48/0x80 [ 111.639612][ T5103] ret_from_fork_asm+0x1a/0x30 [ 111.644416][ T5103] [ 111.646741][ T5103] Freed by task 4486: [ 111.650726][ T5103] kasan_save_stack+0x33/0x60 [ 111.655418][ T5103] kasan_save_track+0x14/0x30 [ 111.660114][ T5103] kasan_save_free_info+0x3b/0x60 [ 111.665173][ T5103] poison_slab_object+0xf7/0x160 [ 111.670151][ T5103] __kasan_slab_free+0x32/0x50 [ 111.674929][ T5103] kmem_cache_free+0x12f/0x3a0 [ 111.679711][ T5103] kfree_skbmem+0x10e/0x200 [ 111.684255][ T5103] kfree_skb_reason+0x138/0x210 [ 111.689140][ T5103] hci_req_sync_complete+0x16c/0x270 [ 111.694450][ T5103] hci_event_packet+0x966/0x1170 [ 111.699409][ T5103] hci_rx_work+0x2c4/0x1610 [ 111.703940][ T5103] process_one_work+0x9c8/0x1b40 [ 111.708996][ T5103] worker_thread+0x6c8/0xf30 [ 111.713610][ T5103] kthread+0x2c4/0x3a0 [ 111.717720][ T5103] ret_from_fork+0x48/0x80 [ 111.722171][ T5103] ret_from_fork_asm+0x1a/0x30 [ 111.726974][ T5103] [ 111.729301][ T5103] The buggy address belongs to the object at ffff8880632dbb40 [ 111.729301][ T5103] which belongs to the cache skbuff_head_cache of size 240 [ 111.744149][ T5103] The buggy address is located 228 bytes inside of [ 111.744149][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30) [ 111.758054][ T5103] [ 111.760402][ T5103] The buggy address belongs to the physical page: [ 111.766811][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db [ 111.775762][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 111.782895][ T5103] page_type: 0xffffefff(slab) [ 111.787589][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000 [ 111.796193][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000 [ 111.805168][ T5103] page dumped because: kasan: bad access detected [ 111.811884][ T5103] page_owner tracks the page as allocated [ 111.817663][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838 [ 111.837158][ T5103] post_alloc_hook+0x2d1/0x350 [ 111.841958][ T5103] get_page_from_freelist+0x1353/0x2e50 [ 111.847549][ T5103] __alloc_pages_noprof+0x22b/0x2460 [ 111.852874][ T5103] alloc_slab_page+0x56/0x110 [ 111.857590][ T5103] new_slab+0x84/0x260 [ 111.861855][ T5103] ___slab_alloc+0xdac/0x1870 [ 111.866550][ T5103] __slab_alloc.constprop.0+0x56/0xb0 [ 111.871983][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310 [ 111.877846][ T5103] __alloc_skb+0x2b1/0x380 [ 111.882392][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280 [ 111.887790][ T5103] rtmsg_ifinfo+0x9f/0x1a0 [ 111.892255][ T5103] register_netdevice+0x1710/0x1cb0 [ 111.897563][ T5103] __ip_tunnel_create+0x4aa/0x690 [ 111.902790][ T5103] ip_tunnel_init_net+0x22a/0x780 [ 111.907863][ T5103] ops_init+0xbc/0x650 [ 111.911957][ T5103] setup_net+0x435/0xb40 [ 111.916223][ T5103] page last free pid 1 tgid 1 stack trace: [ 111.922059][ T5103] free_unref_page+0x64a/0xe40 [ 111.926903][ T5103] free_contig_range+0xb6/0x1a0 [ 111.931795][ T5103] destroy_args+0xa4e/0xe20 [ 111.936484][ T5103] debug_vm_pgtable+0x1705/0x3280 [ 111.941655][ T5103] do_one_initcall+0x12b/0x700 [ 111.946481][ T5103] kernel_init_freeable+0x69d/0xca0 [ 111.951766][ T5103] kernel_init+0x1c/0x2b0 [ 111.956233][ T5103] ret_from_fork+0x48/0x80 [ 111.960693][ T5103] ret_from_fork_asm+0x1a/0x30 [ 111.965524][ T5103] [ 111.967869][ T5103] Memory state around the buggy address: [ 111.973554][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 111.981727][ T5103] ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 111.989811][ T5103] >ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 111.997881][ T5103] ^ [ 112.003025][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 112.011106][ T5103] ffff8880632dbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 112.019200][ T5103] ================================================================== [ 112.027875][ T4486] Bluetooth: hci0: command tx timeout [ 112.031636][ T5103] ================================================================== [ 112.041429][ T5103] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x283/0x2b0 [ 112.049868][ T5103] Read of size 8 at addr ffff8880632dbb98 by task syz-executor/5103 [ 112.057915][ T5103] [ 112.060256][ T5103] CPU: 0 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 112.072065][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 112.082327][ T5103] Call Trace: [ 112.085624][ T5103] [ 112.088564][ T5103] dump_stack_lvl+0x116/0x1f0 [ 112.093300][ T5103] print_report+0xc3/0x620 [ 112.097751][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.103439][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.109107][ T5103] ? __phys_addr+0xc6/0x150 [ 112.113638][ T5103] kasan_report+0xd9/0x110 [ 112.118082][ T5103] ? skb_release_head_state+0x283/0x2b0 [ 112.123773][ T5103] ? skb_release_head_state+0x283/0x2b0 [ 112.129371][ T5103] skb_release_head_state+0x283/0x2b0 [ 112.134774][ T5103] kfree_skb_reason+0xed/0x210 [ 112.139594][ T5103] __hci_req_sync+0x61d/0x980 [ 112.144393][ T5103] ? __pfx___hci_req_sync+0x10/0x10 [ 112.149738][ T5103] ? __mutex_lock+0x1a6/0x9c0 [ 112.154471][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10 [ 112.161421][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.167107][ T5103] ? hci_req_sync+0x3f/0xd0 [ 112.171646][ T5103] ? __pfx___might_resched+0x10/0x10 [ 112.176969][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.182652][ T5103] ? aa_get_newest_label+0x376/0x680 [ 112.188275][ T5103] hci_req_sync+0x97/0xd0 [ 112.192634][ T5103] ? __pfx_hci_scan_req+0x10/0x10 [ 112.197690][ T5103] hci_dev_cmd+0x634/0x960 [ 112.202154][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.207812][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10 [ 112.212966][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.218712][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.224374][ T5103] ? security_capable+0x98/0xd0 [ 112.229277][ T5103] hci_sock_ioctl+0x4f3/0x880 [ 112.234070][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.239778][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10 [ 112.245028][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 112.251060][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.256748][ T5103] sock_do_ioctl+0x119/0x280 [ 112.261381][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10 [ 112.266654][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.272316][ T5103] sock_ioctl+0x22e/0x6c0 [ 112.276689][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 112.281583][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.287329][ T5103] ? __fget_files+0x256/0x400 [ 112.292051][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.297715][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 112.302613][ T5103] __x64_sys_ioctl+0x196/0x220 [ 112.307422][ T5103] do_syscall_64+0xcd/0x250 [ 112.312018][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 112.318002][ T5103] RIP: 0033:0x7fb7bb9757db [ 112.322451][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 112.342114][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 112.350586][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db [ 112.358574][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003 [ 112.366566][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000 [ 112.374549][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005 [ 112.383520][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009 [ 112.391695][ T5103] [ 112.394720][ T5103] [ 112.397048][ T5103] Allocated by task 4486: [ 112.401383][ T5103] kasan_save_stack+0x33/0x60 [ 112.406080][ T5103] kasan_save_track+0x14/0x30 [ 112.410776][ T5103] __kasan_slab_alloc+0x89/0x90 [ 112.415668][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0 [ 112.421195][ T5103] skb_clone+0x190/0x3f0 [ 112.425481][ T5103] hci_cmd_work+0x66a/0x710 [ 112.430021][ T5103] process_one_work+0x9c8/0x1b40 [ 112.435015][ T5103] worker_thread+0x6c8/0xf30 [ 112.439646][ T5103] kthread+0x2c4/0x3a0 [ 112.443754][ T5103] ret_from_fork+0x48/0x80 [ 112.448212][ T5103] ret_from_fork_asm+0x1a/0x30 [ 112.453213][ T5103] [ 112.455540][ T5103] Freed by task 4486: [ 112.459537][ T5103] kasan_save_stack+0x33/0x60 [ 112.464230][ T5103] kasan_save_track+0x14/0x30 [ 112.468945][ T5103] kasan_save_free_info+0x3b/0x60 [ 112.474025][ T5103] poison_slab_object+0xf7/0x160 [ 112.479021][ T5103] __kasan_slab_free+0x32/0x50 [ 112.483807][ T5103] kmem_cache_free+0x12f/0x3a0 [ 112.488595][ T5103] kfree_skbmem+0x10e/0x200 [ 112.493140][ T5103] kfree_skb_reason+0x138/0x210 [ 112.498026][ T5103] hci_req_sync_complete+0x16c/0x270 [ 112.503513][ T5103] hci_event_packet+0x966/0x1170 [ 112.508472][ T5103] hci_rx_work+0x2c4/0x1610 [ 112.513003][ T5103] process_one_work+0x9c8/0x1b40 [ 112.517971][ T5103] worker_thread+0x6c8/0xf30 [ 112.522819][ T5103] kthread+0x2c4/0x3a0 [ 112.526937][ T5103] ret_from_fork+0x48/0x80 [ 112.531428][ T5103] ret_from_fork_asm+0x1a/0x30 [ 112.536235][ T5103] [ 112.538562][ T5103] The buggy address belongs to the object at ffff8880632dbb40 [ 112.538562][ T5103] which belongs to the cache skbuff_head_cache of size 240 [ 112.553244][ T5103] The buggy address is located 88 bytes inside of [ 112.553244][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30) [ 112.566979][ T5103] [ 112.569307][ T5103] The buggy address belongs to the physical page: [ 112.575721][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db [ 112.584520][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 112.591642][ T5103] page_type: 0xffffefff(slab) [ 112.596338][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000 [ 112.604941][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000 [ 112.613544][ T5103] page dumped because: kasan: bad access detected [ 112.619963][ T5103] page_owner tracks the page as allocated [ 112.625693][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838 [ 112.645292][ T5103] post_alloc_hook+0x2d1/0x350 [ 112.650663][ T5103] get_page_from_freelist+0x1353/0x2e50 [ 112.656252][ T5103] __alloc_pages_noprof+0x22b/0x2460 [ 112.661663][ T5103] alloc_slab_page+0x56/0x110 [ 112.666386][ T5103] new_slab+0x84/0x260 [ 112.670471][ T5103] ___slab_alloc+0xdac/0x1870 [ 112.675167][ T5103] __slab_alloc.constprop.0+0x56/0xb0 [ 112.680559][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310 [ 112.686393][ T5103] __alloc_skb+0x2b1/0x380 [ 112.690909][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280 [ 112.696248][ T5103] rtmsg_ifinfo+0x9f/0x1a0 [ 112.700870][ T5103] register_netdevice+0x1710/0x1cb0 [ 112.706097][ T5103] __ip_tunnel_create+0x4aa/0x690 [ 112.711168][ T5103] ip_tunnel_init_net+0x22a/0x780 [ 112.716221][ T5103] ops_init+0xbc/0x650 [ 112.720316][ T5103] setup_net+0x435/0xb40 [ 112.724583][ T5103] page last free pid 1 tgid 1 stack trace: [ 112.730415][ T5103] free_unref_page+0x64a/0xe40 [ 112.735232][ T5103] free_contig_range+0xb6/0x1a0 [ 112.740290][ T5103] destroy_args+0xa4e/0xe20 [ 112.744828][ T5103] debug_vm_pgtable+0x1705/0x3280 [ 112.749898][ T5103] do_one_initcall+0x12b/0x700 [ 112.754704][ T5103] kernel_init_freeable+0x69d/0xca0 [ 112.760028][ T5103] kernel_init+0x1c/0x2b0 [ 112.764400][ T5103] ret_from_fork+0x48/0x80 [ 112.768871][ T5103] ret_from_fork_asm+0x1a/0x30 [ 112.774199][ T5103] [ 112.776526][ T5103] Memory state around the buggy address: [ 112.782343][ T5103] ffff8880632dba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 112.790422][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 112.798497][ T5103] >ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 112.806565][ T5103] ^ [ 112.811420][ T5103] ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 112.819493][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 112.827560][ T5103] ================================================================== [ 112.835759][ T4486] Bluetooth: hci1: command tx timeout [ 112.837614][ T53] Bluetooth: hci2: command tx timeout [ 112.841209][ T4486] Bluetooth: hci4: command tx timeout [ 112.847552][ T53] Bluetooth: hci3: command tx timeout [ 112.899115][ T5103] ================================================================== [ 112.907228][ T5103] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x28d/0x2b0 [ 112.915602][ T5103] Read of size 8 at addr ffff8880632dbba0 by task syz-executor/5103 [ 112.923606][ T5103] [ 112.925951][ T5103] CPU: 1 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 112.937725][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 112.947817][ T5103] Call Trace: [ 112.951391][ T5103] [ 112.954347][ T5103] dump_stack_lvl+0x116/0x1f0 [ 112.959080][ T5103] print_report+0xc3/0x620 [ 112.963538][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.969212][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.974892][ T5103] ? __phys_addr+0xc6/0x150 [ 112.979433][ T5103] kasan_report+0xd9/0x110 [ 112.983885][ T5103] ? skb_release_head_state+0x28d/0x2b0 [ 112.989561][ T5103] ? skb_release_head_state+0x28d/0x2b0 [ 112.995157][ T5103] skb_release_head_state+0x28d/0x2b0 [ 113.000574][ T5103] kfree_skb_reason+0xed/0x210 [ 113.005386][ T5103] __hci_req_sync+0x61d/0x980 [ 113.010110][ T5103] ? __pfx___hci_req_sync+0x10/0x10 [ 113.015467][ T5103] ? __mutex_lock+0x1a6/0x9c0 [ 113.020212][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10 [ 113.026326][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.031993][ T5103] ? hci_req_sync+0x3f/0xd0 [ 113.036531][ T5103] ? __pfx___might_resched+0x10/0x10 [ 113.041859][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.047518][ T5103] ? aa_get_newest_label+0x376/0x680 [ 113.052861][ T5103] hci_req_sync+0x97/0xd0 [ 113.057567][ T5103] ? __pfx_hci_scan_req+0x10/0x10 [ 113.062620][ T5103] hci_dev_cmd+0x634/0x960 [ 113.067071][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.072729][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10 [ 113.077724][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.083379][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.089125][ T5103] ? security_capable+0x98/0xd0 [ 113.094114][ T5103] hci_sock_ioctl+0x4f3/0x880 [ 113.098863][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.104520][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10 [ 113.109746][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 113.115780][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.121470][ T5103] sock_do_ioctl+0x119/0x280 [ 113.126103][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10 [ 113.131276][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.136971][ T5103] sock_ioctl+0x22e/0x6c0 [ 113.141477][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 113.146497][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.152163][ T5103] ? __fget_files+0x256/0x400 [ 113.157064][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.162725][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 113.167764][ T5103] __x64_sys_ioctl+0x196/0x220 [ 113.172677][ T5103] do_syscall_64+0xcd/0x250 [ 113.177244][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 113.183180][ T5103] RIP: 0033:0x7fb7bb9757db [ 113.187608][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 113.207279][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 113.215718][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db [ 113.223705][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003 [ 113.231809][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000 [ 113.240269][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005 [ 113.248362][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009 [ 113.256364][ T5103] [ 113.259389][ T5103] [ 113.261711][ T5103] Allocated by task 4486: [ 113.266043][ T5103] kasan_save_stack+0x33/0x60 [ 113.270748][ T5103] kasan_save_track+0x14/0x30 [ 113.275443][ T5103] __kasan_slab_alloc+0x89/0x90 [ 113.280314][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0 [ 113.285837][ T5103] skb_clone+0x190/0x3f0 [ 113.290111][ T5103] hci_cmd_work+0x66a/0x710 [ 113.294849][ T5103] process_one_work+0x9c8/0x1b40 [ 113.299956][ T5103] worker_thread+0x6c8/0xf30 [ 113.304577][ T5103] kthread+0x2c4/0x3a0 [ 113.308685][ T5103] ret_from_fork+0x48/0x80 [ 113.313145][ T5103] ret_from_fork_asm+0x1a/0x30 [ 113.317968][ T5103] [ 113.320295][ T5103] Freed by task 4486: [ 113.324282][ T5103] kasan_save_stack+0x33/0x60 [ 113.328979][ T5103] kasan_save_track+0x14/0x30 [ 113.333673][ T5103] kasan_save_free_info+0x3b/0x60 [ 113.338732][ T5103] poison_slab_object+0xf7/0x160 [ 113.343717][ T5103] __kasan_slab_free+0x32/0x50 [ 113.348599][ T5103] kmem_cache_free+0x12f/0x3a0 [ 113.353383][ T5103] kfree_skbmem+0x10e/0x200 [ 113.357927][ T5103] kfree_skb_reason+0x138/0x210 [ 113.362983][ T5103] hci_req_sync_complete+0x16c/0x270 [ 113.368295][ T5103] hci_event_packet+0x966/0x1170 [ 113.373687][ T5103] hci_rx_work+0x2c4/0x1610 [ 113.378234][ T5103] process_one_work+0x9c8/0x1b40 [ 113.383199][ T5103] worker_thread+0x6c8/0xf30 [ 113.388079][ T5103] kthread+0x2c4/0x3a0 [ 113.392184][ T5103] ret_from_fork+0x48/0x80 [ 113.396636][ T5103] ret_from_fork_asm+0x1a/0x30 [ 113.401524][ T5103] [ 113.403920][ T5103] The buggy address belongs to the object at ffff8880632dbb40 [ 113.403920][ T5103] which belongs to the cache skbuff_head_cache of size 240 [ 113.418720][ T5103] The buggy address is located 96 bytes inside of [ 113.418720][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30) [ 113.432455][ T5103] [ 113.434782][ T5103] The buggy address belongs to the physical page: [ 113.441193][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db [ 113.449992][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 113.457113][ T5103] page_type: 0xffffefff(slab) [ 113.461943][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000 [ 113.470546][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000 [ 113.479315][ T5103] page dumped because: kasan: bad access detected [ 113.485935][ T5103] page_owner tracks the page as allocated [ 113.491762][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838 [ 113.511258][ T5103] post_alloc_hook+0x2d1/0x350 [ 113.516088][ T5103] get_page_from_freelist+0x1353/0x2e50 [ 113.521692][ T5103] __alloc_pages_noprof+0x22b/0x2460 [ 113.527016][ T5103] alloc_slab_page+0x56/0x110 [ 113.531731][ T5103] new_slab+0x84/0x260 [ 113.535830][ T5103] ___slab_alloc+0xdac/0x1870 [ 113.540526][ T5103] __slab_alloc.constprop.0+0x56/0xb0 [ 113.545921][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310 [ 113.551751][ T5103] __alloc_skb+0x2b1/0x380 [ 113.556300][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280 [ 113.561732][ T5103] rtmsg_ifinfo+0x9f/0x1a0 [ 113.566178][ T5103] register_netdevice+0x1710/0x1cb0 [ 113.571508][ T5103] __ip_tunnel_create+0x4aa/0x690 [ 113.576561][ T5103] ip_tunnel_init_net+0x22a/0x780 [ 113.581902][ T5103] ops_init+0xbc/0x650 [ 113.586014][ T5103] setup_net+0x435/0xb40 [ 113.590285][ T5103] page last free pid 1 tgid 1 stack trace: [ 113.596101][ T5103] free_unref_page+0x64a/0xe40 [ 113.600900][ T5103] free_contig_range+0xb6/0x1a0 [ 113.605784][ T5103] destroy_args+0xa4e/0xe20 [ 113.610324][ T5103] debug_vm_pgtable+0x1705/0x3280 [ 113.615413][ T5103] do_one_initcall+0x12b/0x700 [ 113.620716][ T5103] kernel_init_freeable+0x69d/0xca0 [ 113.625972][ T5103] kernel_init+0x1c/0x2b0 [ 113.630481][ T5103] ret_from_fork+0x48/0x80 [ 113.634936][ T5103] ret_from_fork_asm+0x1a/0x30 [ 113.639743][ T5103] [ 113.642182][ T5103] Memory state around the buggy address: [ 113.648015][ T5103] ffff8880632dba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 113.656390][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 113.664513][ T5103] >ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 113.672794][ T5103] ^ [ 113.678382][ T5103] ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 113.686467][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 113.694737][ T5103] ================================================================== [ 113.719714][ T5103] ================================================================== [ 113.727848][ T5103] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x276/0x2b0 [ 113.736226][ T5103] Read of size 8 at addr ffff8880632dbba8 by task syz-executor/5103 [ 113.744228][ T5103] [ 113.746567][ T5103] CPU: 0 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 113.758321][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 113.768485][ T5103] Call Trace: [ 113.771782][ T5103] [ 113.774731][ T5103] dump_stack_lvl+0x116/0x1f0 [ 113.779456][ T5103] print_report+0xc3/0x620 [ 113.783909][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.789582][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.795255][ T5103] ? __phys_addr+0xc6/0x150 [ 113.799796][ T5103] kasan_report+0xd9/0x110 [ 113.804261][ T5103] ? skb_release_head_state+0x276/0x2b0 [ 113.809858][ T5103] ? skb_release_head_state+0x276/0x2b0 [ 113.815454][ T5103] skb_release_head_state+0x276/0x2b0 [ 113.820872][ T5103] kfree_skb_reason+0xed/0x210 [ 113.825681][ T5103] __hci_req_sync+0x61d/0x980 [ 113.830396][ T5103] ? __pfx___hci_req_sync+0x10/0x10 [ 113.835621][ T5103] ? __mutex_lock+0x1a6/0x9c0 [ 113.840415][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10 [ 113.846603][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.852264][ T5103] ? hci_req_sync+0x3f/0xd0 [ 113.856804][ T5103] ? __pfx___might_resched+0x10/0x10 [ 113.862135][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.867797][ T5103] ? aa_get_newest_label+0x376/0x680 [ 113.873141][ T5103] hci_req_sync+0x97/0xd0 [ 113.877500][ T5103] ? __pfx_hci_scan_req+0x10/0x10 [ 113.882556][ T5103] hci_dev_cmd+0x634/0x960 [ 113.887009][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.892757][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10 [ 113.897754][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.903529][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.909214][ T5103] ? security_capable+0x98/0xd0 [ 113.914151][ T5103] hci_sock_ioctl+0x4f3/0x880 [ 113.918865][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.924528][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10 [ 113.929846][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 113.935869][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.941530][ T5103] sock_do_ioctl+0x119/0x280 [ 113.946160][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10 [ 113.951340][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.957003][ T5103] sock_ioctl+0x22e/0x6c0 [ 113.961385][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 113.966289][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.972344][ T5103] ? __fget_files+0x256/0x400 [ 113.977165][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.982854][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 113.987776][ T5103] __x64_sys_ioctl+0x196/0x220 [ 113.992786][ T5103] do_syscall_64+0xcd/0x250 [ 113.997514][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 114.003586][ T5103] RIP: 0033:0x7fb7bb9757db [ 114.008111][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 114.027851][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 114.036291][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db [ 114.044279][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003 [ 114.052264][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000 [ 114.060425][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005 [ 114.068411][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009 [ 114.076411][ T5103] [ 114.079436][ T5103] [ 114.081765][ T5103] Allocated by task 4486: [ 114.086190][ T5103] kasan_save_stack+0x33/0x60 [ 114.090940][ T5103] kasan_save_track+0x14/0x30 [ 114.095729][ T5103] __kasan_slab_alloc+0x89/0x90 [ 114.100630][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0 [ 114.106124][ T5103] skb_clone+0x190/0x3f0 [ 114.110884][ T5103] hci_cmd_work+0x66a/0x710 [ 114.115545][ T5103] process_one_work+0x9c8/0x1b40 [ 114.120663][ T5103] worker_thread+0x6c8/0xf30 [ 114.125370][ T5103] kthread+0x2c4/0x3a0 [ 114.129538][ T5103] ret_from_fork+0x48/0x80 [ 114.134226][ T5103] ret_from_fork_asm+0x1a/0x30 [ 114.139038][ T5103] [ 114.141368][ T5103] Freed by task 4486: [ 114.145382][ T5103] kasan_save_stack+0x33/0x60 [ 114.150088][ T5103] kasan_save_track+0x14/0x30 [ 114.154790][ T5103] kasan_save_free_info+0x3b/0x60 [ 114.159858][ T5103] poison_slab_object+0xf7/0x160 [ 114.164846][ T5103] __kasan_slab_free+0x32/0x50 [ 114.169636][ T5103] kmem_cache_free+0x12f/0x3a0 [ 114.174424][ T5103] kfree_skbmem+0x10e/0x200 [ 114.178976][ T5103] kfree_skb_reason+0x138/0x210 [ 114.183858][ T5103] hci_req_sync_complete+0x16c/0x270 [ 114.189171][ T5103] hci_event_packet+0x966/0x1170 [ 114.194187][ T5103] hci_rx_work+0x2c4/0x1610 [ 114.198725][ T5103] process_one_work+0x9c8/0x1b40 [ 114.203720][ T5103] worker_thread+0x6c8/0xf30 [ 114.208521][ T5103] kthread+0x2c4/0x3a0 [ 114.212631][ T5103] ret_from_fork+0x48/0x80 [ 114.217113][ T5103] ret_from_fork_asm+0x1a/0x30 [ 114.222117][ T5103] [ 114.224479][ T5103] The buggy address belongs to the object at ffff8880632dbb40 [ 114.224479][ T5103] which belongs to the cache skbuff_head_cache of size 240 [ 114.239127][ T5103] The buggy address is located 104 bytes inside of [ 114.239127][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30) [ 114.252954][ T5103] [ 114.255283][ T5103] The buggy address belongs to the physical page: [ 114.261867][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db [ 114.270644][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 114.277853][ T5103] page_type: 0xffffefff(slab) [ 114.282577][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000 [ 114.291192][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000 [ 114.299797][ T5103] page dumped because: kasan: bad access detected [ 114.306327][ T5103] page_owner tracks the page as allocated [ 114.312060][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838 [ 114.331549][ T5103] post_alloc_hook+0x2d1/0x350 [ 114.336357][ T5103] get_page_from_freelist+0x1353/0x2e50 [ 114.341945][ T5103] __alloc_pages_noprof+0x22b/0x2460 [ 114.347268][ T5103] alloc_slab_page+0x56/0x110 [ 114.352069][ T5103] new_slab+0x84/0x260 [ 114.356174][ T5103] ___slab_alloc+0xdac/0x1870 [ 114.361325][ T5103] __slab_alloc.constprop.0+0x56/0xb0 [ 114.366721][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310 [ 114.372644][ T5103] __alloc_skb+0x2b1/0x380 [ 114.377109][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280 [ 114.382425][ T5103] rtmsg_ifinfo+0x9f/0x1a0 [ 114.386863][ T5103] register_netdevice+0x1710/0x1cb0 [ 114.392120][ T5103] __ip_tunnel_create+0x4aa/0x690 [ 114.397439][ T5103] ip_tunnel_init_net+0x22a/0x780 [ 114.402528][ T5103] ops_init+0xbc/0x650 [ 114.406668][ T5103] setup_net+0x435/0xb40 [ 114.410961][ T5103] page last free pid 1 tgid 1 stack trace: [ 114.416778][ T5103] free_unref_page+0x64a/0xe40 [ 114.421611][ T5103] free_contig_range+0xb6/0x1a0 [ 114.426521][ T5103] destroy_args+0xa4e/0xe20 [ 114.431124][ T5103] debug_vm_pgtable+0x1705/0x3280 [ 114.436218][ T5103] do_one_initcall+0x12b/0x700 [ 114.441030][ T5103] kernel_init_freeable+0x69d/0xca0 [ 114.446399][ T5103] kernel_init+0x1c/0x2b0 [ 114.450864][ T5103] ret_from_fork+0x48/0x80 [ 114.455320][ T5103] ret_from_fork_asm+0x1a/0x30 [ 114.460128][ T5103] [ 114.462993][ T5103] Memory state around the buggy address: [ 114.468646][ T5103] ffff8880632dba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 114.476811][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 114.484894][ T5103] >ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 114.493056][ T5103] ^ [ 114.498535][ T5103] ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 114.506611][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 114.514679][ T5103] ================================================================== [ 114.526641][ T5103] ================================================================== [ 114.534859][ T5103] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x26c/0x2b0 [ 114.543209][ T5091] Bluetooth: hci0: command tx timeout [ 114.549145][ T5103] Read of size 1 at addr ffff8880632dbbbf by task syz-executor/5103 [ 114.557157][ T5103] [ 114.559608][ T5103] CPU: 1 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 114.571369][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 114.581527][ T5103] Call Trace: [ 114.584815][ T5103] [ 114.587757][ T5103] dump_stack_lvl+0x116/0x1f0 [ 114.593011][ T5103] print_report+0xc3/0x620 [ 114.597573][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.603508][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.609260][ T5103] ? __phys_addr+0xc6/0x150 [ 114.613788][ T5103] kasan_report+0xd9/0x110 [ 114.618232][ T5103] ? skb_release_head_state+0x26c/0x2b0 [ 114.623809][ T5103] ? skb_release_head_state+0x26c/0x2b0 [ 114.629650][ T5103] skb_release_head_state+0x26c/0x2b0 [ 114.635097][ T5103] kfree_skb_reason+0xed/0x210 [ 114.639921][ T5103] __hci_req_sync+0x61d/0x980 [ 114.644634][ T5103] ? __pfx___hci_req_sync+0x10/0x10 [ 114.649869][ T5103] ? __mutex_lock+0x1a6/0x9c0 [ 114.654581][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10 [ 114.660676][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.666348][ T5103] ? hci_req_sync+0x3f/0xd0 [ 114.671038][ T5103] ? __pfx___might_resched+0x10/0x10 [ 114.676658][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.682326][ T5103] ? aa_get_newest_label+0x376/0x680 [ 114.687696][ T5103] hci_req_sync+0x97/0xd0 [ 114.692400][ T5103] ? __pfx_hci_scan_req+0x10/0x10 [ 114.697545][ T5103] hci_dev_cmd+0x634/0x960 [ 114.702347][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.708007][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10 [ 114.713005][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.718753][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.724691][ T5103] ? security_capable+0x98/0xd0 [ 114.729590][ T5103] hci_sock_ioctl+0x4f3/0x880 [ 114.734299][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.740057][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10 [ 114.745294][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 114.751418][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.757189][ T5103] sock_do_ioctl+0x119/0x280 [ 114.761839][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10 [ 114.767008][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.772680][ T5103] sock_ioctl+0x22e/0x6c0 [ 114.777055][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 114.782014][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.787744][ T5103] ? __fget_files+0x256/0x400 [ 114.792482][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.798148][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 114.803045][ T5103] __x64_sys_ioctl+0x196/0x220 [ 114.807855][ T5103] do_syscall_64+0xcd/0x250 [ 114.812404][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 114.818348][ T5103] RIP: 0033:0x7fb7bb9757db [ 114.822781][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 114.842421][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 114.850978][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db [ 114.859013][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003 [ 114.867023][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000 [ 114.875024][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005 [ 114.883013][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009 [ 114.891115][ T5103] [ 114.894166][ T5103] [ 114.896495][ T5103] Allocated by task 4486: [ 114.900858][ T5103] kasan_save_stack+0x33/0x60 [ 114.905561][ T5103] kasan_save_track+0x14/0x30 [ 114.910252][ T5103] __kasan_slab_alloc+0x89/0x90 [ 114.915207][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0 [ 114.920691][ T5103] skb_clone+0x190/0x3f0 [ 114.924962][ T5103] hci_cmd_work+0x66a/0x710 [ 114.929515][ T5103] process_one_work+0x9c8/0x1b40 [ 114.934482][ T5103] worker_thread+0x6c8/0xf30 [ 114.939111][ T5103] kthread+0x2c4/0x3a0 [ 114.943243][ T5103] ret_from_fork+0x48/0x80 [ 114.947698][ T5103] ret_from_fork_asm+0x1a/0x30 [ 114.952499][ T5103] [ 114.954827][ T5103] Freed by task 4486: [ 114.958806][ T5103] kasan_save_stack+0x33/0x60 [ 114.963495][ T5103] kasan_save_track+0x14/0x30 [ 114.968186][ T5103] kasan_save_free_info+0x3b/0x60 [ 114.973246][ T5103] poison_slab_object+0xf7/0x160 [ 114.978230][ T5103] __kasan_slab_free+0x32/0x50 [ 114.983010][ T5103] kmem_cache_free+0x12f/0x3a0 [ 114.987795][ T5103] kfree_skbmem+0x10e/0x200 [ 114.992337][ T5103] kfree_skb_reason+0x138/0x210 [ 114.997405][ T5103] hci_req_sync_complete+0x16c/0x270 [ 115.002712][ T5103] hci_event_packet+0x966/0x1170 [ 115.007700][ T5103] hci_rx_work+0x2c4/0x1610 [ 115.012250][ T5103] process_one_work+0x9c8/0x1b40 [ 115.017253][ T5103] worker_thread+0x6c8/0xf30 [ 115.021884][ T5103] kthread+0x2c4/0x3a0 [ 115.025997][ T5103] ret_from_fork+0x48/0x80 [ 115.030454][ T5103] ret_from_fork_asm+0x1a/0x30 [ 115.035284][ T5103] [ 115.037627][ T5103] The buggy address belongs to the object at ffff8880632dbb40 [ 115.037627][ T5103] which belongs to the cache skbuff_head_cache of size 240 [ 115.052222][ T5103] The buggy address is located 127 bytes inside of [ 115.052222][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30) [ 115.066519][ T5103] [ 115.068857][ T5103] The buggy address belongs to the physical page: [ 115.075303][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db [ 115.084091][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 115.091246][ T5103] page_type: 0xffffefff(slab) [ 115.095965][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000 [ 115.104581][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000 [ 115.113183][ T5103] page dumped because: kasan: bad access detected [ 115.119601][ T5103] page_owner tracks the page as allocated [ 115.125332][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838 [ 115.144990][ T5103] post_alloc_hook+0x2d1/0x350 [ 115.149791][ T5103] get_page_from_freelist+0x1353/0x2e50 [ 115.155375][ T5103] __alloc_pages_noprof+0x22b/0x2460 [ 115.160695][ T5103] alloc_slab_page+0x56/0x110 [ 115.165600][ T5103] new_slab+0x84/0x260 [ 115.169772][ T5103] ___slab_alloc+0xdac/0x1870 [ 115.174577][ T5103] __slab_alloc.constprop.0+0x56/0xb0 [ 115.179971][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310 [ 115.185801][ T5103] __alloc_skb+0x2b1/0x380 [ 115.190261][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280 [ 115.195571][ T5103] rtmsg_ifinfo+0x9f/0x1a0 [ 115.200006][ T5103] register_netdevice+0x1710/0x1cb0 [ 115.205237][ T5103] __ip_tunnel_create+0x4aa/0x690 [ 115.210288][ T5103] ip_tunnel_init_net+0x22a/0x780 [ 115.215371][ T5103] ops_init+0xbc/0x650 [ 115.219462][ T5103] setup_net+0x435/0xb40 [ 115.223730][ T5103] page last free pid 1 tgid 1 stack trace: [ 115.229547][ T5103] free_unref_page+0x64a/0xe40 [ 115.234346][ T5103] free_contig_range+0xb6/0x1a0 [ 115.239232][ T5103] destroy_args+0xa4e/0xe20 [ 115.243771][ T5103] debug_vm_pgtable+0x1705/0x3280 [ 115.248846][ T5103] do_one_initcall+0x12b/0x700 [ 115.253647][ T5103] kernel_init_freeable+0x69d/0xca0 [ 115.258884][ T5103] kernel_init+0x1c/0x2b0 [ 115.263257][ T5103] ret_from_fork+0x48/0x80 [ 115.268055][ T5103] ret_from_fork_asm+0x1a/0x30 [ 115.272865][ T5103] [ 115.275187][ T5103] Memory state around the buggy address: [ 115.280818][ T5103] ffff8880632dba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 115.288982][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 115.297076][ T5103] >ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 115.305235][ T5103] ^ [ 115.311132][ T5103] ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 115.319578][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 115.327660][ T5103] ================================================================== [ 115.338908][ T53] Bluetooth: hci3: command tx timeout [ 115.342800][ T5091] Bluetooth: hci4: command tx timeout [ 115.344331][ T53] Bluetooth: hci2: command tx timeout [ 115.351646][ T5091] Bluetooth: hci1: command tx timeout [ 115.362991][ T5103] ================================================================== [ 115.371071][ T5103] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x1ff/0x210 [ 115.378928][ T5103] Read of size 8 at addr ffff8880632dbc10 by task syz-executor/5103 [ 115.386931][ T5103] [ 115.389267][ T5103] CPU: 0 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 115.401018][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 115.411101][ T5103] Call Trace: [ 115.414399][ T5103] [ 115.417348][ T5103] dump_stack_lvl+0x116/0x1f0 [ 115.422091][ T5103] print_report+0xc3/0x620 [ 115.426560][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 115.432237][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 115.437917][ T5103] ? __phys_addr+0xc6/0x150 [ 115.442467][ T5103] kasan_report+0xd9/0x110 [ 115.446933][ T5103] ? kfree_skb_reason+0x1ff/0x210 [ 115.452019][ T5103] ? kfree_skb_reason+0x1ff/0x210 [ 115.457108][ T5103] kfree_skb_reason+0x1ff/0x210 [ 115.462013][ T5103] __hci_req_sync+0x61d/0x980 [ 115.466826][ T5103] ? __pfx___hci_req_sync+0x10/0x10 [ 115.472189][ T5103] ? __mutex_lock+0x1a6/0x9c0 [ 115.477518][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10 [ 115.483625][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 115.489295][ T5103] ? hci_req_sync+0x3f/0xd0 [ 115.493851][ T5103] ? __pfx___might_resched+0x10/0x10 [ 115.499190][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 115.504868][ T5103] ? aa_get_newest_label+0x376/0x680 [ 115.510222][ T5103] hci_req_sync+0x97/0xd0 [ 115.514592][ T5103] ? __pfx_hci_scan_req+0x10/0x10 [ 115.519663][ T5103] hci_dev_cmd+0x634/0x960 [ 115.524128][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 115.529803][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10 [ 115.534796][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 115.540739][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 115.546502][ T5103] ? security_capable+0x98/0xd0 [ 115.551886][ T5103] hci_sock_ioctl+0x4f3/0x880 [ 115.556644][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 115.562332][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10 [ 115.567582][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 115.573602][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 115.579263][ T5103] sock_do_ioctl+0x119/0x280 [ 115.583906][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10 [ 115.589200][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 115.594967][ T5103] sock_ioctl+0x22e/0x6c0 [ 115.599362][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 115.604283][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 115.609999][ T5103] ? __fget_files+0x256/0x400 [ 115.614747][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 115.620487][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 115.625398][ T5103] __x64_sys_ioctl+0x196/0x220 [ 115.630295][ T5103] do_syscall_64+0xcd/0x250 [ 115.634946][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 115.641517][ T5103] RIP: 0033:0x7fb7bb9757db [ 115.646047][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 115.665915][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 115.674366][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db [ 115.682367][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003 [ 115.690367][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000 [ 115.698372][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005 [ 115.698488][ T5090] chnl_net:caif_netlink_parms(): no params data found [ 115.706433][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009 [ 115.706475][ T5103] [ 115.725044][ T5103] [ 115.727380][ T5103] Allocated by task 4486: [ 115.731721][ T5103] kasan_save_stack+0x33/0x60 [ 115.736525][ T5103] kasan_save_track+0x14/0x30 [ 115.741494][ T5103] __kasan_slab_alloc+0x89/0x90 [ 115.746377][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0 [ 115.751875][ T5103] skb_clone+0x190/0x3f0 [ 115.756161][ T5103] hci_cmd_work+0x66a/0x710 [ 115.760822][ T5103] process_one_work+0x9c8/0x1b40 [ 115.765834][ T5103] worker_thread+0x6c8/0xf30 [ 115.770467][ T5103] kthread+0x2c4/0x3a0 [ 115.774789][ T5103] ret_from_fork+0x48/0x80 [ 115.779256][ T5103] ret_from_fork_asm+0x1a/0x30 [ 115.784078][ T5103] [ 115.786415][ T5103] Freed by task 4486: [ 115.790419][ T5103] kasan_save_stack+0x33/0x60 [ 115.795678][ T5103] kasan_save_track+0x14/0x30 [ 115.800709][ T5103] kasan_save_free_info+0x3b/0x60 [ 115.805996][ T5103] poison_slab_object+0xf7/0x160 [ 115.811281][ T5103] __kasan_slab_free+0x32/0x50 [ 115.816085][ T5103] kmem_cache_free+0x12f/0x3a0 [ 115.820889][ T5103] kfree_skbmem+0x10e/0x200 [ 115.825540][ T5103] kfree_skb_reason+0x138/0x210 [ 115.830552][ T5103] hci_req_sync_complete+0x16c/0x270 [ 115.836002][ T5103] hci_event_packet+0x966/0x1170 [ 115.841045][ T5103] hci_rx_work+0x2c4/0x1610 [ 115.845612][ T5103] process_one_work+0x9c8/0x1b40 [ 115.850594][ T5103] worker_thread+0x6c8/0xf30 [ 115.855316][ T5103] kthread+0x2c4/0x3a0 [ 115.859445][ T5103] ret_from_fork+0x48/0x80 [ 115.863913][ T5103] ret_from_fork_asm+0x1a/0x30 [ 115.868819][ T5103] [ 115.871155][ T5103] The buggy address belongs to the object at ffff8880632dbb40 [ 115.871155][ T5103] which belongs to the cache skbuff_head_cache of size 240 [ 115.885863][ T5103] The buggy address is located 208 bytes inside of [ 115.885863][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30) [ 115.899783][ T5103] [ 115.902116][ T5103] The buggy address belongs to the physical page: [ 115.908528][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db [ 115.917295][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 115.924514][ T5103] page_type: 0xffffefff(slab) [ 115.929214][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000 [ 115.937827][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000 [ 115.946512][ T5103] page dumped because: kasan: bad access detected [ 115.953371][ T5103] page_owner tracks the page as allocated [ 115.959356][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838 [ 115.978888][ T5103] post_alloc_hook+0x2d1/0x350 [ 115.983966][ T5103] get_page_from_freelist+0x1353/0x2e50 [ 115.989586][ T5103] __alloc_pages_noprof+0x22b/0x2460 [ 115.994922][ T5103] alloc_slab_page+0x56/0x110 [ 115.999639][ T5103] new_slab+0x84/0x260 [ 116.003765][ T5103] ___slab_alloc+0xdac/0x1870 [ 116.008447][ T5103] __slab_alloc.constprop.0+0x56/0xb0 [ 116.013841][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310 [ 116.019654][ T5103] __alloc_skb+0x2b1/0x380 [ 116.024176][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280 [ 116.029468][ T5103] rtmsg_ifinfo+0x9f/0x1a0 [ 116.033888][ T5103] register_netdevice+0x1710/0x1cb0 [ 116.039096][ T5103] __ip_tunnel_create+0x4aa/0x690 [ 116.044127][ T5103] ip_tunnel_init_net+0x22a/0x780 [ 116.049161][ T5103] ops_init+0xbc/0x650 [ 116.053237][ T5103] setup_net+0x435/0xb40 [ 116.057485][ T5103] page last free pid 1 tgid 1 stack trace: [ 116.063280][ T5103] free_unref_page+0x64a/0xe40 [ 116.068580][ T5103] free_contig_range+0xb6/0x1a0 [ 116.073799][ T5103] destroy_args+0xa4e/0xe20 [ 116.078362][ T5103] debug_vm_pgtable+0x1705/0x3280 [ 116.083512][ T5103] do_one_initcall+0x12b/0x700 [ 116.088389][ T5103] kernel_init_freeable+0x69d/0xca0 [ 116.093606][ T5103] kernel_init+0x1c/0x2b0 [ 116.097958][ T5103] ret_from_fork+0x48/0x80 [ 116.102392][ T5103] ret_from_fork_asm+0x1a/0x30 [ 116.107192][ T5103] [ 116.109608][ T5103] Memory state around the buggy address: [ 116.115233][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 116.123311][ T5103] ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 116.131482][ T5103] >ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 116.139547][ T5103] ^ [ 116.144133][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 116.152400][ T5103] ffff8880632dbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 116.160472][ T5103] ================================================================== [ 116.170913][ T5103] ================================================================== [ 116.179015][ T5103] BUG: KASAN: slab-use-after-free in skb_release_data+0x8c6/0x980 [ 116.186861][ T5103] Read of size 8 at addr ffff8880632dbc10 by task syz-executor/5103 [ 116.195026][ T5103] [ 116.197354][ T5103] CPU: 0 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 116.209289][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 116.219356][ T5103] Call Trace: [ 116.222663][ T5103] [ 116.225605][ T5103] dump_stack_lvl+0x116/0x1f0 [ 116.230322][ T5103] print_report+0xc3/0x620 [ 116.235112][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 116.240776][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 116.246455][ T5103] ? __phys_addr+0xc6/0x150 [ 116.250983][ T5103] kasan_report+0xd9/0x110 [ 116.255426][ T5103] ? skb_release_data+0x8c6/0x980 [ 116.260675][ T5103] ? skb_release_data+0x8c6/0x980 [ 116.265820][ T5103] skb_release_data+0x8c6/0x980 [ 116.270818][ T5103] kfree_skb_reason+0x12b/0x210 [ 116.275707][ T5103] __hci_req_sync+0x61d/0x980 [ 116.280626][ T5103] ? __pfx___hci_req_sync+0x10/0x10 [ 116.286048][ T5103] ? __mutex_lock+0x1a6/0x9c0 [ 116.290762][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10 [ 116.296858][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 116.302545][ T5103] ? hci_req_sync+0x3f/0xd0 [ 116.307085][ T5103] ? __pfx___might_resched+0x10/0x10 [ 116.312408][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 116.318098][ T5103] ? aa_get_newest_label+0x376/0x680 [ 116.323547][ T5103] hci_req_sync+0x97/0xd0 [ 116.327915][ T5103] ? __pfx_hci_scan_req+0x10/0x10 [ 116.332980][ T5103] hci_dev_cmd+0x634/0x960 [ 116.337440][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 116.343234][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10 [ 116.348214][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 116.354049][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 116.359729][ T5103] ? security_capable+0x98/0xd0 [ 116.364725][ T5103] hci_sock_ioctl+0x4f3/0x880 [ 116.369438][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 116.375101][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10 [ 116.380335][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 116.386349][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 116.392014][ T5103] sock_do_ioctl+0x119/0x280 [ 116.396648][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10 [ 116.401810][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 116.407474][ T5103] sock_ioctl+0x22e/0x6c0 [ 116.411851][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 116.416746][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 116.422404][ T5103] ? __fget_files+0x256/0x400 [ 116.427125][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 116.432983][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 116.437993][ T5103] __x64_sys_ioctl+0x196/0x220 [ 116.442799][ T5103] do_syscall_64+0xcd/0x250 [ 116.447354][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 116.453329][ T5103] RIP: 0033:0x7fb7bb9757db [ 116.457759][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 116.477664][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 116.486105][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db [ 116.494091][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003 [ 116.502076][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000 [ 116.510245][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005 [ 116.518497][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009 [ 116.526496][ T5103] [ 116.529526][ T5103] [ 116.531862][ T5103] Allocated by task 4486: [ 116.536317][ T5103] kasan_save_stack+0x33/0x60 [ 116.541278][ T5103] kasan_save_track+0x14/0x30 [ 116.545973][ T5103] __kasan_slab_alloc+0x89/0x90 [ 116.550870][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0 [ 116.556408][ T5103] skb_clone+0x190/0x3f0 [ 116.560682][ T5103] hci_cmd_work+0x66a/0x710 [ 116.565218][ T5103] process_one_work+0x9c8/0x1b40 [ 116.570186][ T5103] worker_thread+0x6c8/0xf30 [ 116.574802][ T5103] kthread+0x2c4/0x3a0 [ 116.578913][ T5103] ret_from_fork+0x48/0x80 [ 116.583368][ T5103] ret_from_fork_asm+0x1a/0x30 [ 116.588258][ T5103] [ 116.590587][ T5103] Freed by task 4486: [ 116.594613][ T5103] kasan_save_stack+0x33/0x60 [ 116.599314][ T5103] kasan_save_track+0x14/0x30 [ 116.604008][ T5103] kasan_save_free_info+0x3b/0x60 [ 116.609103][ T5103] poison_slab_object+0xf7/0x160 [ 116.614281][ T5103] __kasan_slab_free+0x32/0x50 [ 116.619073][ T5103] kmem_cache_free+0x12f/0x3a0 [ 116.623866][ T5103] kfree_skbmem+0x10e/0x200 [ 116.628413][ T5103] kfree_skb_reason+0x138/0x210 [ 116.633380][ T5103] hci_req_sync_complete+0x16c/0x270 [ 116.638695][ T5103] hci_event_packet+0x966/0x1170 [ 116.643662][ T5103] hci_rx_work+0x2c4/0x1610 [ 116.648222][ T5103] process_one_work+0x9c8/0x1b40 [ 116.653222][ T5103] worker_thread+0x6c8/0xf30 [ 116.657847][ T5103] kthread+0x2c4/0x3a0 [ 116.661954][ T5103] ret_from_fork+0x48/0x80 [ 116.666519][ T5103] ret_from_fork_asm+0x1a/0x30 [ 116.671327][ T5103] [ 116.673651][ T5103] The buggy address belongs to the object at ffff8880632dbb40 [ 116.673651][ T5103] which belongs to the cache skbuff_head_cache of size 240 [ 116.688612][ T5103] The buggy address is located 208 bytes inside of [ 116.688612][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30) [ 116.702611][ T5103] [ 116.704940][ T5103] The buggy address belongs to the physical page: [ 116.711431][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db [ 116.720733][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 116.727910][ T5103] page_type: 0xffffefff(slab) [ 116.732953][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000 [ 116.741672][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000 [ 116.750295][ T5103] page dumped because: kasan: bad access detected [ 116.756716][ T5103] page_owner tracks the page as allocated [ 116.762653][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838 [ 116.782100][ T5103] post_alloc_hook+0x2d1/0x350 [ 116.786908][ T5103] get_page_from_freelist+0x1353/0x2e50 [ 116.792493][ T5103] __alloc_pages_noprof+0x22b/0x2460 [ 116.797821][ T5103] alloc_slab_page+0x56/0x110 [ 116.802534][ T5103] new_slab+0x84/0x260 [ 116.806618][ T5103] ___slab_alloc+0xdac/0x1870 [ 116.811338][ T5103] __slab_alloc.constprop.0+0x56/0xb0 [ 116.816736][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310 [ 116.822661][ T5103] __alloc_skb+0x2b1/0x380 [ 116.827569][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280 [ 116.833232][ T5103] rtmsg_ifinfo+0x9f/0x1a0 [ 116.837673][ T5103] register_netdevice+0x1710/0x1cb0 [ 116.842928][ T5103] __ip_tunnel_create+0x4aa/0x690 [ 116.848088][ T5103] ip_tunnel_init_net+0x22a/0x780 [ 116.853140][ T5103] ops_init+0xbc/0x650 [ 116.857239][ T5103] setup_net+0x435/0xb40 [ 116.861509][ T5103] page last free pid 1 tgid 1 stack trace: [ 116.868150][ T5103] free_unref_page+0x64a/0xe40 [ 116.872965][ T5103] free_contig_range+0xb6/0x1a0 [ 116.877852][ T5103] destroy_args+0xa4e/0xe20 [ 116.882512][ T5103] debug_vm_pgtable+0x1705/0x3280 [ 116.887776][ T5103] do_one_initcall+0x12b/0x700 [ 116.892689][ T5103] kernel_init_freeable+0x69d/0xca0 [ 116.897929][ T5103] kernel_init+0x1c/0x2b0 [ 116.902302][ T5103] ret_from_fork+0x48/0x80 [ 116.906757][ T5103] ret_from_fork_asm+0x1a/0x30 [ 116.911762][ T5103] [ 116.914095][ T5103] Memory state around the buggy address: [ 116.919833][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 116.927916][ T5103] ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 116.936080][ T5103] >ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 116.944265][ T5103] ^ [ 116.949023][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 116.957113][ T5103] ffff8880632dbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 116.965188][ T5103] ================================================================== [ 116.985209][ T4486] Bluetooth: hci0: command tx timeout [ 116.995492][ T5103] ================================================================== [ 117.003589][ T5103] BUG: KASAN: slab-use-after-free in skb_release_data+0x813/0x980 [ 117.011442][ T5103] Read of size 4 at addr ffff8880632dbc0c by task syz-executor/5103 [ 117.019563][ T5103] [ 117.021902][ T5103] CPU: 0 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 117.033825][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 117.043994][ T5103] Call Trace: [ 117.047292][ T5103] [ 117.050262][ T5103] dump_stack_lvl+0x116/0x1f0 [ 117.055001][ T5103] print_report+0xc3/0x620 [ 117.059462][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 117.065139][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 117.070811][ T5103] ? __phys_addr+0xc6/0x150 [ 117.075362][ T5103] kasan_report+0xd9/0x110 [ 117.079823][ T5103] ? skb_release_data+0x813/0x980 [ 117.084901][ T5103] ? skb_release_data+0x813/0x980 [ 117.089976][ T5103] skb_release_data+0x813/0x980 [ 117.095347][ T5103] kfree_skb_reason+0x12b/0x210 [ 117.100266][ T5103] __hci_req_sync+0x61d/0x980 [ 117.105013][ T5103] ? __pfx___hci_req_sync+0x10/0x10 [ 117.110256][ T5103] ? __mutex_lock+0x1a6/0x9c0 [ 117.115019][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10 [ 117.121155][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 117.126922][ T5103] ? hci_req_sync+0x3f/0xd0 [ 117.131511][ T5103] ? __pfx___might_resched+0x10/0x10 [ 117.136860][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 117.142527][ T5103] ? aa_get_newest_label+0x376/0x680 [ 117.147885][ T5103] hci_req_sync+0x97/0xd0 [ 117.152329][ T5103] ? __pfx_hci_scan_req+0x10/0x10 [ 117.157410][ T5103] hci_dev_cmd+0x634/0x960 [ 117.162018][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 117.167717][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10 [ 117.172725][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 117.176753][ T5102] chnl_net:caif_netlink_parms(): no params data found [ 117.178382][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 117.190801][ T5103] ? security_capable+0x98/0xd0 [ 117.195749][ T5103] hci_sock_ioctl+0x4f3/0x880 [ 117.200485][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 117.206162][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10 [ 117.211408][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 117.217432][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 117.223110][ T5103] sock_do_ioctl+0x119/0x280 [ 117.227757][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10 [ 117.232959][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 117.238741][ T5103] sock_ioctl+0x22e/0x6c0 [ 117.243136][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 117.248051][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 117.253725][ T5103] ? __fget_files+0x256/0x400 [ 117.258478][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 117.264500][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 117.269470][ T5103] __x64_sys_ioctl+0x196/0x220 [ 117.274288][ T5103] do_syscall_64+0xcd/0x250 [ 117.278855][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 117.285244][ T5103] RIP: 0033:0x7fb7bb9757db [ 117.289697][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 117.309517][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 117.317961][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db [ 117.325947][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003 [ 117.333959][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000 [ 117.341971][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005 [ 117.350142][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009 [ 117.358156][ T5103] [ 117.361191][ T5103] [ 117.363526][ T5103] Allocated by task 4486: [ 117.367872][ T5103] kasan_save_stack+0x33/0x60 [ 117.371985][ T5097] chnl_net:caif_netlink_parms(): no params data found [ 117.372561][ T5103] kasan_save_track+0x14/0x30 [ 117.384156][ T5103] __kasan_slab_alloc+0x89/0x90 [ 117.389065][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0 [ 117.394577][ T5103] skb_clone+0x190/0x3f0 [ 117.399472][ T5103] hci_cmd_work+0x66a/0x710 [ 117.404149][ T5103] process_one_work+0x9c8/0x1b40 [ 117.409135][ T5103] worker_thread+0x6c8/0xf30 [ 117.413772][ T5103] kthread+0x2c4/0x3a0 [ 117.417911][ T5103] ret_from_fork+0x48/0x80 [ 117.422382][ T5103] ret_from_fork_asm+0x1a/0x30 [ 117.427301][ T5103] [ 117.429663][ T5103] Freed by task 4486: [ 117.433640][ T5103] kasan_save_stack+0x33/0x60 [ 117.436254][ T5091] Bluetooth: hci2: command tx timeout [ 117.438312][ T5103] kasan_save_track+0x14/0x30 [ 117.443708][ T5091] Bluetooth: hci4: command tx timeout [ 117.448324][ T5103] kasan_save_free_info+0x3b/0x60 [ 117.448376][ T5103] poison_slab_object+0xf7/0x160 [ 117.454138][ T5091] Bluetooth: hci3: command tx timeout [ 117.458722][ T5103] __kasan_slab_free+0x32/0x50 [ 117.458760][ T5103] kmem_cache_free+0x12f/0x3a0 [ 117.458797][ T5103] kfree_skbmem+0x10e/0x200 [ 117.458862][ T5103] kfree_skb_reason+0x138/0x210 [ 117.488164][ T5103] hci_req_sync_complete+0x16c/0x270 [ 117.493562][ T5103] hci_event_packet+0x966/0x1170 [ 117.498510][ T5103] hci_rx_work+0x2c4/0x1610 [ 117.503032][ T5103] process_one_work+0x9c8/0x1b40 [ 117.507981][ T5103] worker_thread+0x6c8/0xf30 [ 117.512600][ T5103] kthread+0x2c4/0x3a0 [ 117.516688][ T5103] ret_from_fork+0x48/0x80 [ 117.521126][ T5103] ret_from_fork_asm+0x1a/0x30 [ 117.525914][ T5103] [ 117.528228][ T5103] The buggy address belongs to the object at ffff8880632dbb40 [ 117.528228][ T5103] which belongs to the cache skbuff_head_cache of size 240 [ 117.542819][ T5103] The buggy address is located 204 bytes inside of [ 117.542819][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30) [ 117.556628][ T5103] [ 117.558964][ T5103] The buggy address belongs to the physical page: [ 117.565385][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db [ 117.575156][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 117.582316][ T5103] page_type: 0xffffefff(slab) [ 117.587095][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000 [ 117.595958][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000 [ 117.604555][ T5103] page dumped because: kasan: bad access detected [ 117.610965][ T5103] page_owner tracks the page as allocated [ 117.616778][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838 [ 117.636271][ T5103] post_alloc_hook+0x2d1/0x350 [ 117.641143][ T5103] get_page_from_freelist+0x1353/0x2e50 [ 117.646707][ T5103] __alloc_pages_noprof+0x22b/0x2460 [ 117.652010][ T5103] alloc_slab_page+0x56/0x110 [ 117.656705][ T5103] new_slab+0x84/0x260 [ 117.660783][ T5103] ___slab_alloc+0xdac/0x1870 [ 117.665474][ T5103] __slab_alloc.constprop.0+0x56/0xb0 [ 117.670856][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310 [ 117.676669][ T5103] __alloc_skb+0x2b1/0x380 [ 117.681108][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280 [ 117.686400][ T5103] rtmsg_ifinfo+0x9f/0x1a0 [ 117.690823][ T5103] register_netdevice+0x1710/0x1cb0 [ 117.696124][ T5103] __ip_tunnel_create+0x4aa/0x690 [ 117.701157][ T5103] ip_tunnel_init_net+0x22a/0x780 [ 117.706212][ T5103] ops_init+0xbc/0x650 [ 117.710290][ T5103] setup_net+0x435/0xb40 [ 117.714544][ T5103] page last free pid 1 tgid 1 stack trace: [ 117.720349][ T5103] free_unref_page+0x64a/0xe40 [ 117.725134][ T5103] free_contig_range+0xb6/0x1a0 [ 117.730050][ T5103] destroy_args+0xa4e/0xe20 [ 117.734591][ T5103] debug_vm_pgtable+0x1705/0x3280 [ 117.739811][ T5103] do_one_initcall+0x12b/0x700 [ 117.744618][ T5103] kernel_init_freeable+0x69d/0xca0 [ 117.749840][ T5103] kernel_init+0x1c/0x2b0 [ 117.754189][ T5103] ret_from_fork+0x48/0x80 [ 117.758625][ T5103] ret_from_fork_asm+0x1a/0x30 [ 117.763639][ T5103] [ 117.765982][ T5103] Memory state around the buggy address: [ 117.771648][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 117.779745][ T5103] ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 117.787829][ T5103] >ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 117.795894][ T5103] ^ [ 117.800226][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 117.808377][ T5103] ffff8880632dbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 117.816438][ T5103] ================================================================== [ 117.824856][ T4486] Bluetooth: hci1: command tx timeout [ 117.825055][ T5103] ================================================================== [ 117.838481][ T5103] BUG: KASAN: slab-use-after-free in skb_release_data+0x806/0x980 [ 117.846345][ T5103] Read of size 1 at addr ffff8880632dbbbe by task syz-executor/5103 [ 117.854344][ T5103] [ 117.856681][ T5103] CPU: 0 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 117.868593][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 117.878663][ T5103] Call Trace: [ 117.881956][ T5103] [ 117.884895][ T5103] dump_stack_lvl+0x116/0x1f0 [ 117.889609][ T5103] print_report+0xc3/0x620 [ 117.894239][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 117.899924][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 117.905583][ T5103] ? __phys_addr+0xc6/0x150 [ 117.910115][ T5103] kasan_report+0xd9/0x110 [ 117.914556][ T5103] ? skb_release_data+0x806/0x980 [ 117.919638][ T5103] ? skb_release_data+0x806/0x980 [ 117.924721][ T5103] skb_release_data+0x806/0x980 [ 117.929782][ T5103] kfree_skb_reason+0x12b/0x210 [ 117.934933][ T5103] __hci_req_sync+0x61d/0x980 [ 117.939649][ T5103] ? __pfx___hci_req_sync+0x10/0x10 [ 117.944878][ T5103] ? __mutex_lock+0x1a6/0x9c0 [ 117.949588][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10 [ 117.955685][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 117.961345][ T5103] ? hci_req_sync+0x3f/0xd0 [ 117.966012][ T5103] ? __pfx___might_resched+0x10/0x10 [ 117.971377][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 117.977039][ T5103] ? aa_get_newest_label+0x376/0x680 [ 117.982417][ T5103] hci_req_sync+0x97/0xd0 [ 117.986816][ T5103] ? __pfx_hci_scan_req+0x10/0x10 [ 117.991876][ T5103] hci_dev_cmd+0x634/0x960 [ 117.996337][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 118.002224][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10 [ 118.007251][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 118.012912][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 118.018676][ T5103] ? security_capable+0x98/0xd0 [ 118.023599][ T5103] hci_sock_ioctl+0x4f3/0x880 [ 118.028318][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 118.033990][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10 [ 118.039254][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 118.045270][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 118.050974][ T5103] sock_do_ioctl+0x119/0x280 [ 118.055620][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10 [ 118.060785][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 118.066477][ T5103] sock_ioctl+0x22e/0x6c0 [ 118.070882][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 118.075782][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 118.081463][ T5103] ? __fget_files+0x256/0x400 [ 118.086184][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 118.091868][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 118.096768][ T5103] __x64_sys_ioctl+0x196/0x220 [ 118.101870][ T5103] do_syscall_64+0xcd/0x250 [ 118.106464][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 118.112429][ T5103] RIP: 0033:0x7fb7bb9757db [ 118.116885][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 118.137915][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 118.146368][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db [ 118.154358][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003 [ 118.162555][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000 [ 118.170564][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005 [ 118.178660][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009 [ 118.186805][ T5103] [ 118.189888][ T5103] [ 118.192222][ T5103] Allocated by task 4486: [ 118.196560][ T5103] kasan_save_stack+0x33/0x60 [ 118.201292][ T5103] kasan_save_track+0x14/0x30 [ 118.206012][ T5103] __kasan_slab_alloc+0x89/0x90 [ 118.210885][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0 [ 118.216369][ T5103] skb_clone+0x190/0x3f0 [ 118.220640][ T5103] hci_cmd_work+0x66a/0x710 [ 118.225176][ T5103] process_one_work+0x9c8/0x1b40 [ 118.230233][ T5103] worker_thread+0x6c8/0xf30 [ 118.234884][ T5103] kthread+0x2c4/0x3a0 [ 118.239111][ T5103] ret_from_fork+0x48/0x80 [ 118.243566][ T5103] ret_from_fork_asm+0x1a/0x30 [ 118.248375][ T5103] [ 118.250704][ T5103] Freed by task 4486: [ 118.254712][ T5103] kasan_save_stack+0x33/0x60 [ 118.259443][ T5103] kasan_save_track+0x14/0x30 [ 118.264137][ T5103] kasan_save_free_info+0x3b/0x60 [ 118.269197][ T5103] poison_slab_object+0xf7/0x160 [ 118.274178][ T5103] __kasan_slab_free+0x32/0x50 [ 118.278962][ T5103] kmem_cache_free+0x12f/0x3a0 [ 118.283776][ T5103] kfree_skbmem+0x10e/0x200 [ 118.288348][ T5103] kfree_skb_reason+0x138/0x210 [ 118.293240][ T5103] hci_req_sync_complete+0x16c/0x270 [ 118.298672][ T5103] hci_event_packet+0x966/0x1170 [ 118.303655][ T5103] hci_rx_work+0x2c4/0x1610 [ 118.308190][ T5103] process_one_work+0x9c8/0x1b40 [ 118.313162][ T5103] worker_thread+0x6c8/0xf30 [ 118.317933][ T5103] kthread+0x2c4/0x3a0 [ 118.322215][ T5103] ret_from_fork+0x48/0x80 [ 118.326669][ T5103] ret_from_fork_asm+0x1a/0x30 [ 118.331474][ T5103] [ 118.333807][ T5103] The buggy address belongs to the object at ffff8880632dbb40 [ 118.333807][ T5103] which belongs to the cache skbuff_head_cache of size 240 [ 118.348412][ T5103] The buggy address is located 126 bytes inside of [ 118.348412][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30) [ 118.362294][ T5103] [ 118.364626][ T5103] The buggy address belongs to the physical page: [ 118.371038][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db [ 118.380015][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 118.387336][ T5103] page_type: 0xffffefff(slab) [ 118.392030][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000 [ 118.400896][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000 [ 118.409661][ T5103] page dumped because: kasan: bad access detected [ 118.416079][ T5103] page_owner tracks the page as allocated [ 118.421792][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838 [ 118.441290][ T5103] post_alloc_hook+0x2d1/0x350 [ 118.446094][ T5103] get_page_from_freelist+0x1353/0x2e50 [ 118.451676][ T5103] __alloc_pages_noprof+0x22b/0x2460 [ 118.457015][ T5103] alloc_slab_page+0x56/0x110 [ 118.461726][ T5103] new_slab+0x84/0x260 [ 118.466022][ T5103] ___slab_alloc+0xdac/0x1870 [ 118.470721][ T5103] __slab_alloc.constprop.0+0x56/0xb0 [ 118.476227][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310 [ 118.482069][ T5103] __alloc_skb+0x2b1/0x380 [ 118.486526][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280 [ 118.491840][ T5103] rtmsg_ifinfo+0x9f/0x1a0 [ 118.496631][ T5103] register_netdevice+0x1710/0x1cb0 [ 118.501949][ T5103] __ip_tunnel_create+0x4aa/0x690 [ 118.507004][ T5103] ip_tunnel_init_net+0x22a/0x780 [ 118.512149][ T5103] ops_init+0xbc/0x650 [ 118.516248][ T5103] setup_net+0x435/0xb40 [ 118.520594][ T5103] page last free pid 1 tgid 1 stack trace: [ 118.526415][ T5103] free_unref_page+0x64a/0xe40 [ 118.531216][ T5103] free_contig_range+0xb6/0x1a0 [ 118.536108][ T5103] destroy_args+0xa4e/0xe20 [ 118.540914][ T5103] debug_vm_pgtable+0x1705/0x3280 [ 118.546002][ T5103] do_one_initcall+0x12b/0x700 [ 118.550802][ T5103] kernel_init_freeable+0x69d/0xca0 [ 118.556067][ T5103] kernel_init+0x1c/0x2b0 [ 118.560455][ T5103] ret_from_fork+0x48/0x80 [ 118.564912][ T5103] ret_from_fork_asm+0x1a/0x30 [ 118.569722][ T5103] [ 118.572047][ T5103] Memory state around the buggy address: [ 118.577687][ T5103] ffff8880632dba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 118.585779][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 118.593859][ T5103] >ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 118.601978][ T5103] ^ [ 118.608587][ T5103] ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 118.616688][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 118.624765][ T5103] ================================================================== [ 118.637764][ T5103] ================================================================== [ 118.645954][ T5103] BUG: KASAN: slab-use-after-free in skb_release_data+0x8dd/0x980 [ 118.654002][ T5103] Read of size 8 at addr ffff8880632dbc10 by task syz-executor/5103 [ 118.662409][ T5103] [ 118.664757][ T5103] CPU: 0 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 118.676694][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 118.686825][ T5103] Call Trace: [ 118.690135][ T5103] [ 118.693088][ T5103] dump_stack_lvl+0x116/0x1f0 [ 118.697818][ T5103] print_report+0xc3/0x620 [ 118.699388][ T5093] chnl_net:caif_netlink_parms(): no params data found [ 118.702391][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 118.714794][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 118.720479][ T5103] ? __phys_addr+0xc6/0x150 [ 118.725022][ T5103] kasan_report+0xd9/0x110 [ 118.729480][ T5103] ? skb_release_data+0x8dd/0x980 [ 118.734554][ T5103] ? skb_release_data+0x8dd/0x980 [ 118.739630][ T5103] skb_release_data+0x8dd/0x980 [ 118.744622][ T5103] kfree_skb_reason+0x12b/0x210 [ 118.749525][ T5103] __hci_req_sync+0x61d/0x980 [ 118.754256][ T5103] ? __pfx___hci_req_sync+0x10/0x10 [ 118.759499][ T5103] ? __mutex_lock+0x1a6/0x9c0 [ 118.764196][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10 [ 118.770279][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 118.775938][ T5103] ? hci_req_sync+0x3f/0xd0 [ 118.781004][ T5103] ? __pfx___might_resched+0x10/0x10 [ 118.786329][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 118.791973][ T5103] ? aa_get_newest_label+0x376/0x680 [ 118.797293][ T5103] hci_req_sync+0x97/0xd0 [ 118.801661][ T5103] ? __pfx_hci_scan_req+0x10/0x10 [ 118.806711][ T5103] hci_dev_cmd+0x634/0x960 [ 118.811149][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 118.816797][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10 [ 118.821757][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 118.827427][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 118.833121][ T5103] ? security_capable+0x98/0xd0 [ 118.838060][ T5103] hci_sock_ioctl+0x4f3/0x880 [ 118.842766][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 118.848619][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10 [ 118.853837][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 118.859834][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 118.865500][ T5103] sock_do_ioctl+0x119/0x280 [ 118.870116][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10 [ 118.875266][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 118.880935][ T5103] sock_ioctl+0x22e/0x6c0 [ 118.885289][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 118.890162][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 118.895824][ T5103] ? __fget_files+0x256/0x400 [ 118.900557][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 118.906745][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 118.912965][ T5103] __x64_sys_ioctl+0x196/0x220 [ 118.917779][ T5103] do_syscall_64+0xcd/0x250 [ 118.922307][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 118.928240][ T5103] RIP: 0033:0x7fb7bb9757db [ 118.932700][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 118.952501][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 118.961036][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db [ 118.969117][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003 [ 118.977098][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000 [ 118.985070][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005 [ 118.993067][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009 [ 119.001100][ T5103] [ 119.004122][ T5103] [ 119.006443][ T5103] Allocated by task 4486: [ 119.010776][ T5103] kasan_save_stack+0x33/0x60 [ 119.015465][ T5103] kasan_save_track+0x14/0x30 [ 119.020163][ T5103] __kasan_slab_alloc+0x89/0x90 [ 119.025018][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0 [ 119.030484][ T5103] skb_clone+0x190/0x3f0 [ 119.034819][ T5103] hci_cmd_work+0x66a/0x710 [ 119.039335][ T5103] process_one_work+0x9c8/0x1b40 [ 119.044283][ T5103] worker_thread+0x6c8/0xf30 [ 119.048891][ T5103] kthread+0x2c4/0x3a0 [ 119.052977][ T5103] ret_from_fork+0x48/0x80 [ 119.057457][ T5103] ret_from_fork_asm+0x1a/0x30 [ 119.062255][ T5103] [ 119.064759][ T5103] Freed by task 4486: [ 119.068736][ T5103] kasan_save_stack+0x33/0x60 [ 119.073425][ T5103] kasan_save_track+0x14/0x30 [ 119.078105][ T5103] kasan_save_free_info+0x3b/0x60 [ 119.083146][ T5103] poison_slab_object+0xf7/0x160 [ 119.088103][ T5103] __kasan_slab_free+0x32/0x50 [ 119.092958][ T5103] kmem_cache_free+0x12f/0x3a0 [ 119.097927][ T5103] kfree_skbmem+0x10e/0x200 [ 119.102452][ T5103] kfree_skb_reason+0x138/0x210 [ 119.107316][ T5103] hci_req_sync_complete+0x16c/0x270 [ 119.112617][ T5103] hci_event_packet+0x966/0x1170 [ 119.117581][ T5103] hci_rx_work+0x2c4/0x1610 [ 119.122209][ T5103] process_one_work+0x9c8/0x1b40 [ 119.127158][ T5103] worker_thread+0x6c8/0xf30 [ 119.131757][ T5103] kthread+0x2c4/0x3a0 [ 119.135859][ T5103] ret_from_fork+0x48/0x80 [ 119.140758][ T5103] ret_from_fork_asm+0x1a/0x30 [ 119.145546][ T5103] [ 119.147866][ T5103] The buggy address belongs to the object at ffff8880632dbb40 [ 119.147866][ T5103] which belongs to the cache skbuff_head_cache of size 240 [ 119.162445][ T5103] The buggy address is located 208 bytes inside of [ 119.162445][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30) [ 119.176471][ T5103] [ 119.178858][ T5103] The buggy address belongs to the physical page: [ 119.185371][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db [ 119.194257][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 119.201425][ T5103] page_type: 0xffffefff(slab) [ 119.206235][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000 [ 119.214837][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000 [ 119.223461][ T5103] page dumped because: kasan: bad access detected [ 119.229982][ T5103] page_owner tracks the page as allocated [ 119.235695][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838 [ 119.255124][ T5103] post_alloc_hook+0x2d1/0x350 [ 119.259954][ T5103] get_page_from_freelist+0x1353/0x2e50 [ 119.265608][ T5103] __alloc_pages_noprof+0x22b/0x2460 [ 119.270912][ T5103] alloc_slab_page+0x56/0x110 [ 119.275614][ T5103] new_slab+0x84/0x260 [ 119.279703][ T5103] ___slab_alloc+0xdac/0x1870 [ 119.284405][ T5103] __slab_alloc.constprop.0+0x56/0xb0 [ 119.289782][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310 [ 119.295609][ T5103] __alloc_skb+0x2b1/0x380 [ 119.300158][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280 [ 119.305473][ T5103] rtmsg_ifinfo+0x9f/0x1a0 [ 119.309892][ T5103] register_netdevice+0x1710/0x1cb0 [ 119.315278][ T5103] __ip_tunnel_create+0x4aa/0x690 [ 119.320360][ T5103] ip_tunnel_init_net+0x22a/0x780 [ 119.325396][ T5103] ops_init+0xbc/0x650 [ 119.329472][ T5103] setup_net+0x435/0xb40 [ 119.333721][ T5103] page last free pid 1 tgid 1 stack trace: [ 119.339536][ T5103] free_unref_page+0x64a/0xe40 [ 119.344315][ T5103] free_contig_range+0xb6/0x1a0 [ 119.349177][ T5103] destroy_args+0xa4e/0xe20 [ 119.353696][ T5103] debug_vm_pgtable+0x1705/0x3280 [ 119.358741][ T5103] do_one_initcall+0x12b/0x700 [ 119.363719][ T5103] kernel_init_freeable+0x69d/0xca0 [ 119.368943][ T5103] kernel_init+0x1c/0x2b0 [ 119.373293][ T5103] ret_from_fork+0x48/0x80 [ 119.377728][ T5103] ret_from_fork_asm+0x1a/0x30 [ 119.382521][ T5103] [ 119.384834][ T5103] Memory state around the buggy address: [ 119.390455][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 119.398515][ T5103] ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 119.406575][ T5103] >ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 119.414628][ T5103] ^ [ 119.419210][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 119.427407][ T5103] ffff8880632dbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 119.435477][ T5103] ================================================================== [ 119.444321][ T4486] Bluetooth: hci0: command tx timeout [ 119.449811][ T5103] ================================================================== [ 119.452569][ T5090] bridge0: port 1(bridge_slave_0) entered blocking state [ 119.457865][ T5103] BUG: KASAN: slab-use-after-free in skb_release_data+0x857/0x980 [ 119.457924][ T5103] Read of size 4 at addr ffff8880632dbc0c by task syz-executor/5103 [ 119.457956][ T5103] [ 119.457967][ T5103] CPU: 0 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 119.458013][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 119.458037][ T5103] Call Trace: [ 119.458051][ T5103] [ 119.458065][ T5103] dump_stack_lvl+0x116/0x1f0 [ 119.458115][ T5103] print_report+0xc3/0x620 [ 119.458158][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 119.458204][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 119.458248][ T5103] ? __phys_addr+0xc6/0x150 [ 119.536657][ T5103] kasan_report+0xd9/0x110 [ 119.541137][ T5103] ? skb_release_data+0x857/0x980 [ 119.546198][ T5103] ? skb_release_data+0x857/0x980 [ 119.551285][ T5103] skb_release_data+0x857/0x980 [ 119.556175][ T5103] kfree_skb_reason+0x12b/0x210 [ 119.561060][ T5103] __hci_req_sync+0x61d/0x980 [ 119.565798][ T5103] ? __pfx___hci_req_sync+0x10/0x10 [ 119.571030][ T5103] ? __mutex_lock+0x1a6/0x9c0 [ 119.575741][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10 [ 119.581853][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 119.587515][ T5103] ? hci_req_sync+0x3f/0xd0 [ 119.592141][ T5103] ? __pfx___might_resched+0x10/0x10 [ 119.597466][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 119.603131][ T5103] ? aa_get_newest_label+0x376/0x680 [ 119.608469][ T5103] hci_req_sync+0x97/0xd0 [ 119.612930][ T5103] ? __pfx_hci_scan_req+0x10/0x10 [ 119.617995][ T5103] hci_dev_cmd+0x634/0x960 [ 119.622451][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 119.628286][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10 [ 119.633261][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 119.639007][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 119.645099][ T5103] ? security_capable+0x98/0xd0 [ 119.650030][ T5103] hci_sock_ioctl+0x4f3/0x880 [ 119.654737][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 119.660408][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10 [ 119.665639][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 119.671650][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 119.677321][ T5103] sock_do_ioctl+0x119/0x280 [ 119.682057][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10 [ 119.687219][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 119.692993][ T5103] sock_ioctl+0x22e/0x6c0 [ 119.697370][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 119.702268][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 119.707957][ T5103] ? __fget_files+0x256/0x400 [ 119.712703][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 119.718371][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 119.723294][ T5103] __x64_sys_ioctl+0x196/0x220 [ 119.728189][ T5103] do_syscall_64+0xcd/0x250 [ 119.732825][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 119.738766][ T5103] RIP: 0033:0x7fb7bb9757db [ 119.743199][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 119.762843][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 119.771304][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db [ 119.779300][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003 [ 119.787290][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000 [ 119.795280][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005 [ 119.803464][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009 [ 119.811577][ T5103] [ 119.814722][ T5103] [ 119.817056][ T5103] Allocated by task 4486: [ 119.821509][ T5103] kasan_save_stack+0x33/0x60 [ 119.826233][ T5103] kasan_save_track+0x14/0x30 [ 119.831033][ T5103] __kasan_slab_alloc+0x89/0x90 [ 119.835927][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0 [ 119.841431][ T5103] skb_clone+0x190/0x3f0 [ 119.845735][ T5103] hci_cmd_work+0x66a/0x710 [ 119.850270][ T5103] process_one_work+0x9c8/0x1b40 [ 119.855363][ T5103] worker_thread+0x6c8/0xf30 [ 119.860038][ T5103] kthread+0x2c4/0x3a0 [ 119.864347][ T5103] ret_from_fork+0x48/0x80 [ 119.868811][ T5103] ret_from_fork_asm+0x1a/0x30 [ 119.873711][ T5103] [ 119.876038][ T5103] Freed by task 4486: [ 119.880024][ T5103] kasan_save_stack+0x33/0x60 [ 119.884718][ T5103] kasan_save_track+0x14/0x30 [ 119.889413][ T5103] kasan_save_free_info+0x3b/0x60 [ 119.894474][ T5103] poison_slab_object+0xf7/0x160 [ 119.899455][ T5103] __kasan_slab_free+0x32/0x50 [ 119.904325][ T5103] kmem_cache_free+0x12f/0x3a0 [ 119.909110][ T5103] kfree_skbmem+0x10e/0x200 [ 119.913654][ T5103] kfree_skb_reason+0x138/0x210 [ 119.918535][ T5103] hci_req_sync_complete+0x16c/0x270 [ 119.923852][ T5103] hci_event_packet+0x966/0x1170 [ 119.928813][ T5103] hci_rx_work+0x2c4/0x1610 [ 119.933348][ T5103] process_one_work+0x9c8/0x1b40 [ 119.938352][ T5103] worker_thread+0x6c8/0xf30 [ 119.942971][ T5103] kthread+0x2c4/0x3a0 [ 119.947078][ T5103] ret_from_fork+0x48/0x80 [ 119.951530][ T5103] ret_from_fork_asm+0x1a/0x30 [ 119.956332][ T5103] [ 119.958660][ T5103] The buggy address belongs to the object at ffff8880632dbb40 [ 119.958660][ T5103] which belongs to the cache skbuff_head_cache of size 240 [ 119.973623][ T5103] The buggy address is located 204 bytes inside of [ 119.973623][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30) [ 119.987465][ T5103] [ 119.989793][ T5103] The buggy address belongs to the physical page: [ 119.996209][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db [ 120.004983][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 120.012283][ T5103] page_type: 0xffffefff(slab) [ 120.016980][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000 [ 120.025585][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000 [ 120.034194][ T5103] page dumped because: kasan: bad access detected [ 120.040609][ T5103] page_owner tracks the page as allocated [ 120.046326][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838 [ 120.065744][ T5103] post_alloc_hook+0x2d1/0x350 [ 120.070635][ T5103] get_page_from_freelist+0x1353/0x2e50 [ 120.076244][ T5103] __alloc_pages_noprof+0x22b/0x2460 [ 120.081568][ T5103] alloc_slab_page+0x56/0x110 [ 120.086280][ T5103] new_slab+0x84/0x260 [ 120.090384][ T5103] ___slab_alloc+0xdac/0x1870 [ 120.095078][ T5103] __slab_alloc.constprop.0+0x56/0xb0 [ 120.100481][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310 [ 120.106654][ T5103] __alloc_skb+0x2b1/0x380 [ 120.112306][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280 [ 120.117709][ T5103] rtmsg_ifinfo+0x9f/0x1a0 [ 120.122147][ T5103] register_netdevice+0x1710/0x1cb0 [ 120.127371][ T5103] __ip_tunnel_create+0x4aa/0x690 [ 120.132420][ T5103] ip_tunnel_init_net+0x22a/0x780 [ 120.137485][ T5103] ops_init+0xbc/0x650 [ 120.141575][ T5103] setup_net+0x435/0xb40 [ 120.145849][ T5103] page last free pid 1 tgid 1 stack trace: [ 120.151659][ T5103] free_unref_page+0x64a/0xe40 [ 120.156458][ T5103] free_contig_range+0xb6/0x1a0 [ 120.161427][ T5103] destroy_args+0xa4e/0xe20 [ 120.165967][ T5103] debug_vm_pgtable+0x1705/0x3280 [ 120.171031][ T5103] do_one_initcall+0x12b/0x700 [ 120.175841][ T5103] kernel_init_freeable+0x69d/0xca0 [ 120.181187][ T5103] kernel_init+0x1c/0x2b0 [ 120.185561][ T5103] ret_from_fork+0x48/0x80 [ 120.190019][ T5103] ret_from_fork_asm+0x1a/0x30 [ 120.194823][ T5103] [ 120.197148][ T5103] Memory state around the buggy address: [ 120.202778][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 120.210851][ T5103] ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 120.218922][ T5103] >ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 120.226987][ T5103] ^ [ 120.231317][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 120.239388][ T5103] ffff8880632dbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 120.247453][ T5103] ================================================================== [ 120.256024][ T4486] Bluetooth: hci3: command tx timeout [ 120.258181][ T5090] bridge0: port 1(bridge_slave_0) entered disabled state [ 120.261423][ T4486] Bluetooth: hci4: command tx timeout [ 120.268691][ T5090] bridge_slave_0: entered allmulticast mode [ 120.273978][ T4486] Bluetooth: hci2: command tx timeout [ 120.286030][ T5090] bridge_slave_0: entered promiscuous mode [ 120.326835][ T5103] ================================================================== [ 120.335144][ T5103] BUG: KASAN: slab-use-after-free in skb_free_head+0x1ae/0x1d0 [ 120.342818][ T5103] Read of size 8 at addr ffff8880632dbc10 by task syz-executor/5103 [ 120.350822][ T5103] [ 120.353159][ T5103] CPU: 1 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 120.364879][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 120.374949][ T5103] Call Trace: [ 120.378230][ T5103] [ 120.381828][ T5103] dump_stack_lvl+0x116/0x1f0 [ 120.386537][ T5103] print_report+0xc3/0x620 [ 120.390964][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 120.396621][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 120.402293][ T5103] ? __phys_addr+0xc6/0x150 [ 120.406813][ T5103] kasan_report+0xd9/0x110 [ 120.411245][ T5103] ? skb_free_head+0x1ae/0x1d0 [ 120.416017][ T5103] ? skb_free_head+0x1ae/0x1d0 [ 120.420793][ T5103] skb_free_head+0x1ae/0x1d0 [ 120.425499][ T5103] skb_release_data+0x75c/0x980 [ 120.430394][ T5103] kfree_skb_reason+0x12b/0x210 [ 120.435330][ T5103] __hci_req_sync+0x61d/0x980 [ 120.440169][ T5103] ? __pfx___hci_req_sync+0x10/0x10 [ 120.445544][ T5103] ? __mutex_lock+0x1a6/0x9c0 [ 120.450739][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10 [ 120.456863][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5 [ 120.462528][ T5103] ? hci_req_sync+0x3f/0xd0 [ 120.467157][ T5103] ? __pfx___might_resched+0x10/0x10