last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.1.104' (ED25519) to the list of known hosts.
[ 101.920448][ T57] cfg80211: failed to load regulatory.db
[ 103.229593][ T5079] cgroup: Unknown subsys name 'net'
[ 103.443845][ T5079] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 105.548522][ T5079] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 109.818304][ T53] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 109.827901][ T53] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 109.845372][ T53] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 109.857069][ T53] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 109.877696][ T53] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 109.902863][ T5091] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 109.911212][ T5091] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 109.919711][ T5091] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 109.929780][ T4486] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 109.939638][ T4486] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 109.949389][ T4486] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 109.957119][ T4486] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 110.008882][ T5096] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 110.036378][ T5096] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 110.046102][ T5096] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 110.057772][ T5096] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 110.066663][ T5096] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 110.076223][ T5096] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 110.181511][ T53] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 110.195367][ T5095] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 110.206342][ T5091] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 110.236232][ T5091] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 110.236705][ T5107] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 110.253114][ T5107] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 110.261616][ T5091] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 110.270209][ T5091] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 110.278314][ T5091] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 110.301344][ T5091] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 110.306661][ T5096] Bluetooth: hci5: unexpected cc 0x0c03 length: 249 > 1
[ 110.318779][ T5091] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 110.320115][ T5096] Bluetooth: hci5: unexpected cc 0x1003 length: 249 > 9
[ 110.333592][ T5096] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 110.341904][ T5091] Bluetooth: hci5: unexpected cc 0x1001 length: 249 > 9
[ 110.359507][ T5096] Bluetooth: hci5: unexpected cc 0x0c23 length: 249 > 4
[ 110.384771][ T53] Bluetooth: hci5: unexpected cc 0x0c25 length: 249 > 3
[ 110.392470][ T53] Bluetooth: hci5: unexpected cc 0x0c38 length: 249 > 2
[ 110.425322][ T5103] ==================================================================
[ 110.433640][ T5103] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x36/0x210
[ 110.441412][ T5103] Read of size 4 at addr ffff8880632dbc24 by task syz-executor/5103
[ 110.449434][ T5103]
[ 110.451768][ T5103] CPU: 1 PID: 5103 Comm: syz-executor Not tainted 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 110.462040][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 110.472118][ T5103] Call Trace:
[ 110.475413][ T5103] <TASK>
[ 110.478360][ T5103] dump_stack_lvl+0x116/0x1f0
[ 110.483179][ T5103] print_report+0xc3/0x620
[ 110.487642][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.493503][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.499200][ T5103] ? __phys_addr+0xc6/0x150
[ 110.503726][ T5103] kasan_report+0xd9/0x110
[ 110.508188][ T5103] ? kfree_skb_reason+0x36/0x210
[ 110.513247][ T5103] ? kfree_skb_reason+0x36/0x210
[ 110.518233][ T5103] kasan_check_range+0xef/0x1a0
[ 110.523123][ T5103] kfree_skb_reason+0x36/0x210
[ 110.527933][ T5103] __hci_req_sync+0x61d/0x980
[ 110.532643][ T5103] ? __pfx___hci_req_sync+0x10/0x10
[ 110.537868][ T5103] ? __mutex_lock+0x1a6/0x9c0
[ 110.542623][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10
[ 110.548748][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.554531][ T5103] ? hci_req_sync+0x3f/0xd0
[ 110.559085][ T5103] ? __pfx___might_resched+0x10/0x10
[ 110.564429][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.570099][ T5103] ? aa_get_newest_label+0x376/0x680
[ 110.575466][ T5103] hci_req_sync+0x97/0xd0
[ 110.579839][ T5103] ? __pfx_hci_scan_req+0x10/0x10
[ 110.584966][ T5103] hci_dev_cmd+0x634/0x960
[ 110.589623][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.595318][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10
[ 110.600297][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.605961][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.611617][ T5103] ? security_capable+0x98/0xd0
[ 110.616517][ T5103] hci_sock_ioctl+0x4f3/0x880
[ 110.621518][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.627180][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 110.632410][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 110.638425][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.644099][ T5103] sock_do_ioctl+0x119/0x280
[ 110.648735][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10
[ 110.653906][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.659573][ T5103] sock_ioctl+0x22e/0x6c0
[ 110.663954][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 110.669419][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.675090][ T5103] ? __fget_files+0x256/0x400
[ 110.679904][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.685570][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 110.690577][ T5103] __x64_sys_ioctl+0x196/0x220
[ 110.695386][ T5103] do_syscall_64+0xcd/0x250
[ 110.699931][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 110.705887][ T5103] RIP: 0033:0x7fb7bb9757db
[ 110.710316][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 110.730888][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 110.739339][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db
[ 110.747352][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003
[ 110.755456][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000
[ 110.763464][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[ 110.771471][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[ 110.779503][ T5103] </TASK>
[ 110.782528][ T5103]
[ 110.784858][ T5103] Allocated by task 4486:
[ 110.789212][ T5103] kasan_save_stack+0x33/0x60
[ 110.793930][ T5103] kasan_save_track+0x14/0x30
[ 110.798669][ T5103] __kasan_slab_alloc+0x89/0x90
[ 110.803547][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0
[ 110.809037][ T5103] skb_clone+0x190/0x3f0
[ 110.813306][ T5103] hci_cmd_work+0x66a/0x710
[ 110.817848][ T5103] process_one_work+0x9c8/0x1b40
[ 110.822925][ T5103] worker_thread+0x6c8/0xf30
[ 110.827545][ T5103] kthread+0x2c4/0x3a0
[ 110.831659][ T5103] ret_from_fork+0x48/0x80
[ 110.836118][ T5103] ret_from_fork_asm+0x1a/0x30
[ 110.841011][ T5103]
[ 110.843336][ T5103] Freed by task 4486:
[ 110.847328][ T5103] kasan_save_stack+0x33/0x60
[ 110.852071][ T5103] kasan_save_track+0x14/0x30
[ 110.857123][ T5103] kasan_save_free_info+0x3b/0x60
[ 110.862186][ T5103] poison_slab_object+0xf7/0x160
[ 110.867187][ T5103] __kasan_slab_free+0x32/0x50
[ 110.872073][ T5103] kmem_cache_free+0x12f/0x3a0
[ 110.876862][ T5103] kfree_skbmem+0x10e/0x200
[ 110.881435][ T5103] kfree_skb_reason+0x138/0x210
[ 110.886512][ T5103] hci_req_sync_complete+0x16c/0x270
[ 110.891823][ T5103] hci_event_packet+0x966/0x1170
[ 110.896822][ T5103] hci_rx_work+0x2c4/0x1610
[ 110.901383][ T5103] process_one_work+0x9c8/0x1b40
[ 110.906443][ T5103] worker_thread+0x6c8/0xf30
[ 110.911062][ T5103] kthread+0x2c4/0x3a0
[ 110.915178][ T5103] ret_from_fork+0x48/0x80
[ 110.919631][ T5103] ret_from_fork_asm+0x1a/0x30
[ 110.924434][ T5103]
[ 110.926760][ T5103] The buggy address belongs to the object at ffff8880632dbb40
[ 110.926760][ T5103] which belongs to the cache skbuff_head_cache of size 240
[ 110.941441][ T5103] The buggy address is located 228 bytes inside of
[ 110.941441][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30)
[ 110.955712][ T5103]
[ 110.958209][ T5103] The buggy address belongs to the physical page:
[ 110.964654][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db
[ 110.973437][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 110.980650][ T5103] page_type: 0xffffefff(slab)
[ 110.985516][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000
[ 110.994306][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 111.002906][ T5103] page dumped because: kasan: bad access detected
[ 111.009327][ T5103] page_owner tracks the page as allocated
[ 111.015132][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838
[ 111.034544][ T5103] post_alloc_hook+0x2d1/0x350
[ 111.039347][ T5103] get_page_from_freelist+0x1353/0x2e50
[ 111.044933][ T5103] __alloc_pages_noprof+0x22b/0x2460
[ 111.050461][ T5103] alloc_slab_page+0x56/0x110
[ 111.055178][ T5103] new_slab+0x84/0x260
[ 111.059265][ T5103] ___slab_alloc+0xdac/0x1870
[ 111.063962][ T5103] __slab_alloc.constprop.0+0x56/0xb0
[ 111.069370][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310
[ 111.075201][ T5103] __alloc_skb+0x2b1/0x380
[ 111.079657][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280
[ 111.084977][ T5103] rtmsg_ifinfo+0x9f/0x1a0
[ 111.089413][ T5103] register_netdevice+0x1710/0x1cb0
[ 111.094721][ T5103] __ip_tunnel_create+0x4aa/0x690
[ 111.099770][ T5103] ip_tunnel_init_net+0x22a/0x780
[ 111.104823][ T5103] ops_init+0xbc/0x650
[ 111.108922][ T5103] setup_net+0x435/0xb40
[ 111.113191][ T5103] page last free pid 1 tgid 1 stack trace:
[ 111.119016][ T5103] free_unref_page+0x64a/0xe40
[ 111.123822][ T5103] free_contig_range+0xb6/0x1a0
[ 111.128707][ T5103] destroy_args+0xa4e/0xe20
[ 111.133247][ T5103] debug_vm_pgtable+0x1705/0x3280
[ 111.138335][ T5103] do_one_initcall+0x12b/0x700
[ 111.143135][ T5103] kernel_init_freeable+0x69d/0xca0
[ 111.148380][ T5103] kernel_init+0x1c/0x2b0
[ 111.152754][ T5103] ret_from_fork+0x48/0x80
[ 111.157210][ T5103] ret_from_fork_asm+0x1a/0x30
[ 111.162012][ T5103]
[ 111.164336][ T5103] Memory state around the buggy address:
[ 111.169971][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 111.178046][ T5103] ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 111.186126][ T5103] >ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 111.194278][ T5103] ^
[ 111.199654][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 111.207866][ T5103] ffff8880632dbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 111.216079][ T5103] ==================================================================
[ 111.226388][ T5103] Disabling lock debugging due to kernel taint
[ 111.232561][ T5103] ==================================================================
[ 111.240636][ T5103] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x1f5/0x210
[ 111.248514][ T5103] Read of size 4 at addr ffff8880632dbc24 by task syz-executor/5103
[ 111.256546][ T5103]
[ 111.258883][ T5103] CPU: 1 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 111.270716][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 111.280819][ T5103] Call Trace:
[ 111.284118][ T5103] <TASK>
[ 111.287069][ T5103] dump_stack_lvl+0x116/0x1f0
[ 111.291880][ T5103] print_report+0xc3/0x620
[ 111.296338][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.302011][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.307943][ T5103] ? __phys_addr+0xc6/0x150
[ 111.312516][ T5103] kasan_report+0xd9/0x110
[ 111.316970][ T5103] ? kfree_skb_reason+0x1f5/0x210
[ 111.322047][ T5103] ? kfree_skb_reason+0x1f5/0x210
[ 111.327243][ T5103] kfree_skb_reason+0x1f5/0x210
[ 111.332254][ T5103] __hci_req_sync+0x61d/0x980
[ 111.337013][ T5103] ? __pfx___hci_req_sync+0x10/0x10
[ 111.342345][ T5103] ? __mutex_lock+0x1a6/0x9c0
[ 111.347071][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10
[ 111.353180][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.358861][ T5103] ? hci_req_sync+0x3f/0xd0
[ 111.363412][ T5103] ? __pfx___might_resched+0x10/0x10
[ 111.368745][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.374539][ T5103] ? aa_get_newest_label+0x376/0x680
[ 111.379893][ T5103] hci_req_sync+0x97/0xd0
[ 111.384269][ T5103] ? __pfx_hci_scan_req+0x10/0x10
[ 111.389342][ T5103] hci_dev_cmd+0x634/0x960
[ 111.393808][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.399487][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10
[ 111.404475][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.410150][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.415842][ T5103] ? security_capable+0x98/0xd0
[ 111.420758][ T5103] hci_sock_ioctl+0x4f3/0x880
[ 111.425479][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.431151][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 111.436395][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 111.442420][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.448185][ T5103] sock_do_ioctl+0x119/0x280
[ 111.452963][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10
[ 111.458153][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.463815][ T5103] sock_ioctl+0x22e/0x6c0
[ 111.468540][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 111.473434][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.479096][ T5103] ? __fget_files+0x256/0x400
[ 111.483943][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.489632][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 111.494528][ T5103] __x64_sys_ioctl+0x196/0x220
[ 111.499335][ T5103] do_syscall_64+0xcd/0x250
[ 111.503973][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 111.510016][ T5103] RIP: 0033:0x7fb7bb9757db
[ 111.514449][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 111.534374][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 111.542924][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db
[ 111.550913][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003
[ 111.558903][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000
[ 111.566888][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[ 111.574873][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[ 111.582876][ T5103] </TASK>
[ 111.585902][ T5103]
[ 111.588226][ T5103] Allocated by task 4486:
[ 111.592557][ T5103] kasan_save_stack+0x33/0x60
[ 111.597257][ T5103] kasan_save_track+0x14/0x30
[ 111.602073][ T5103] __kasan_slab_alloc+0x89/0x90
[ 111.606951][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0
[ 111.612463][ T5103] skb_clone+0x190/0x3f0
[ 111.616753][ T5103] hci_cmd_work+0x66a/0x710
[ 111.621285][ T5103] process_one_work+0x9c8/0x1b40
[ 111.626250][ T5103] worker_thread+0x6c8/0xf30
[ 111.630868][ T5103] kthread+0x2c4/0x3a0
[ 111.634977][ T5103] ret_from_fork+0x48/0x80
[ 111.639612][ T5103] ret_from_fork_asm+0x1a/0x30
[ 111.644416][ T5103]
[ 111.646741][ T5103] Freed by task 4486:
[ 111.650726][ T5103] kasan_save_stack+0x33/0x60
[ 111.655418][ T5103] kasan_save_track+0x14/0x30
[ 111.660114][ T5103] kasan_save_free_info+0x3b/0x60
[ 111.665173][ T5103] poison_slab_object+0xf7/0x160
[ 111.670151][ T5103] __kasan_slab_free+0x32/0x50
[ 111.674929][ T5103] kmem_cache_free+0x12f/0x3a0
[ 111.679711][ T5103] kfree_skbmem+0x10e/0x200
[ 111.684255][ T5103] kfree_skb_reason+0x138/0x210
[ 111.689140][ T5103] hci_req_sync_complete+0x16c/0x270
[ 111.694450][ T5103] hci_event_packet+0x966/0x1170
[ 111.699409][ T5103] hci_rx_work+0x2c4/0x1610
[ 111.703940][ T5103] process_one_work+0x9c8/0x1b40
[ 111.708996][ T5103] worker_thread+0x6c8/0xf30
[ 111.713610][ T5103] kthread+0x2c4/0x3a0
[ 111.717720][ T5103] ret_from_fork+0x48/0x80
[ 111.722171][ T5103] ret_from_fork_asm+0x1a/0x30
[ 111.726974][ T5103]
[ 111.729301][ T5103] The buggy address belongs to the object at ffff8880632dbb40
[ 111.729301][ T5103] which belongs to the cache skbuff_head_cache of size 240
[ 111.744149][ T5103] The buggy address is located 228 bytes inside of
[ 111.744149][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30)
[ 111.758054][ T5103]
[ 111.760402][ T5103] The buggy address belongs to the physical page:
[ 111.766811][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db
[ 111.775762][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 111.782895][ T5103] page_type: 0xffffefff(slab)
[ 111.787589][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000
[ 111.796193][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 111.805168][ T5103] page dumped because: kasan: bad access detected
[ 111.811884][ T5103] page_owner tracks the page as allocated
[ 111.817663][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838
[ 111.837158][ T5103] post_alloc_hook+0x2d1/0x350
[ 111.841958][ T5103] get_page_from_freelist+0x1353/0x2e50
[ 111.847549][ T5103] __alloc_pages_noprof+0x22b/0x2460
[ 111.852874][ T5103] alloc_slab_page+0x56/0x110
[ 111.857590][ T5103] new_slab+0x84/0x260
[ 111.861855][ T5103] ___slab_alloc+0xdac/0x1870
[ 111.866550][ T5103] __slab_alloc.constprop.0+0x56/0xb0
[ 111.871983][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310
[ 111.877846][ T5103] __alloc_skb+0x2b1/0x380
[ 111.882392][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280
[ 111.887790][ T5103] rtmsg_ifinfo+0x9f/0x1a0
[ 111.892255][ T5103] register_netdevice+0x1710/0x1cb0
[ 111.897563][ T5103] __ip_tunnel_create+0x4aa/0x690
[ 111.902790][ T5103] ip_tunnel_init_net+0x22a/0x780
[ 111.907863][ T5103] ops_init+0xbc/0x650
[ 111.911957][ T5103] setup_net+0x435/0xb40
[ 111.916223][ T5103] page last free pid 1 tgid 1 stack trace:
[ 111.922059][ T5103] free_unref_page+0x64a/0xe40
[ 111.926903][ T5103] free_contig_range+0xb6/0x1a0
[ 111.931795][ T5103] destroy_args+0xa4e/0xe20
[ 111.936484][ T5103] debug_vm_pgtable+0x1705/0x3280
[ 111.941655][ T5103] do_one_initcall+0x12b/0x700
[ 111.946481][ T5103] kernel_init_freeable+0x69d/0xca0
[ 111.951766][ T5103] kernel_init+0x1c/0x2b0
[ 111.956233][ T5103] ret_from_fork+0x48/0x80
[ 111.960693][ T5103] ret_from_fork_asm+0x1a/0x30
[ 111.965524][ T5103]
[ 111.967869][ T5103] Memory state around the buggy address:
[ 111.973554][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 111.981727][ T5103] ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 111.989811][ T5103] >ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 111.997881][ T5103] ^
[ 112.003025][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 112.011106][ T5103] ffff8880632dbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 112.019200][ T5103] ==================================================================
[ 112.027875][ T4486] Bluetooth: hci0: command tx timeout
[ 112.031636][ T5103] ==================================================================
[ 112.041429][ T5103] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x283/0x2b0
[ 112.049868][ T5103] Read of size 8 at addr ffff8880632dbb98 by task syz-executor/5103
[ 112.057915][ T5103]
[ 112.060256][ T5103] CPU: 0 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 112.072065][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 112.082327][ T5103] Call Trace:
[ 112.085624][ T5103] <TASK>
[ 112.088564][ T5103] dump_stack_lvl+0x116/0x1f0
[ 112.093300][ T5103] print_report+0xc3/0x620
[ 112.097751][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.103439][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.109107][ T5103] ? __phys_addr+0xc6/0x150
[ 112.113638][ T5103] kasan_report+0xd9/0x110
[ 112.118082][ T5103] ? skb_release_head_state+0x283/0x2b0
[ 112.123773][ T5103] ? skb_release_head_state+0x283/0x2b0
[ 112.129371][ T5103] skb_release_head_state+0x283/0x2b0
[ 112.134774][ T5103] kfree_skb_reason+0xed/0x210
[ 112.139594][ T5103] __hci_req_sync+0x61d/0x980
[ 112.144393][ T5103] ? __pfx___hci_req_sync+0x10/0x10
[ 112.149738][ T5103] ? __mutex_lock+0x1a6/0x9c0
[ 112.154471][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10
[ 112.161421][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.167107][ T5103] ? hci_req_sync+0x3f/0xd0
[ 112.171646][ T5103] ? __pfx___might_resched+0x10/0x10
[ 112.176969][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.182652][ T5103] ? aa_get_newest_label+0x376/0x680
[ 112.188275][ T5103] hci_req_sync+0x97/0xd0
[ 112.192634][ T5103] ? __pfx_hci_scan_req+0x10/0x10
[ 112.197690][ T5103] hci_dev_cmd+0x634/0x960
[ 112.202154][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.207812][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10
[ 112.212966][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.218712][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.224374][ T5103] ? security_capable+0x98/0xd0
[ 112.229277][ T5103] hci_sock_ioctl+0x4f3/0x880
[ 112.234070][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.239778][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 112.245028][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 112.251060][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.256748][ T5103] sock_do_ioctl+0x119/0x280
[ 112.261381][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10
[ 112.266654][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.272316][ T5103] sock_ioctl+0x22e/0x6c0
[ 112.276689][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 112.281583][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.287329][ T5103] ? __fget_files+0x256/0x400
[ 112.292051][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.297715][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 112.302613][ T5103] __x64_sys_ioctl+0x196/0x220
[ 112.307422][ T5103] do_syscall_64+0xcd/0x250
[ 112.312018][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 112.318002][ T5103] RIP: 0033:0x7fb7bb9757db
[ 112.322451][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 112.342114][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 112.350586][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db
[ 112.358574][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003
[ 112.366566][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000
[ 112.374549][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[ 112.383520][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[ 112.391695][ T5103] </TASK>
[ 112.394720][ T5103]
[ 112.397048][ T5103] Allocated by task 4486:
[ 112.401383][ T5103] kasan_save_stack+0x33/0x60
[ 112.406080][ T5103] kasan_save_track+0x14/0x30
[ 112.410776][ T5103] __kasan_slab_alloc+0x89/0x90
[ 112.415668][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0
[ 112.421195][ T5103] skb_clone+0x190/0x3f0
[ 112.425481][ T5103] hci_cmd_work+0x66a/0x710
[ 112.430021][ T5103] process_one_work+0x9c8/0x1b40
[ 112.435015][ T5103] worker_thread+0x6c8/0xf30
[ 112.439646][ T5103] kthread+0x2c4/0x3a0
[ 112.443754][ T5103] ret_from_fork+0x48/0x80
[ 112.448212][ T5103] ret_from_fork_asm+0x1a/0x30
[ 112.453213][ T5103]
[ 112.455540][ T5103] Freed by task 4486:
[ 112.459537][ T5103] kasan_save_stack+0x33/0x60
[ 112.464230][ T5103] kasan_save_track+0x14/0x30
[ 112.468945][ T5103] kasan_save_free_info+0x3b/0x60
[ 112.474025][ T5103] poison_slab_object+0xf7/0x160
[ 112.479021][ T5103] __kasan_slab_free+0x32/0x50
[ 112.483807][ T5103] kmem_cache_free+0x12f/0x3a0
[ 112.488595][ T5103] kfree_skbmem+0x10e/0x200
[ 112.493140][ T5103] kfree_skb_reason+0x138/0x210
[ 112.498026][ T5103] hci_req_sync_complete+0x16c/0x270
[ 112.503513][ T5103] hci_event_packet+0x966/0x1170
[ 112.508472][ T5103] hci_rx_work+0x2c4/0x1610
[ 112.513003][ T5103] process_one_work+0x9c8/0x1b40
[ 112.517971][ T5103] worker_thread+0x6c8/0xf30
[ 112.522819][ T5103] kthread+0x2c4/0x3a0
[ 112.526937][ T5103] ret_from_fork+0x48/0x80
[ 112.531428][ T5103] ret_from_fork_asm+0x1a/0x30
[ 112.536235][ T5103]
[ 112.538562][ T5103] The buggy address belongs to the object at ffff8880632dbb40
[ 112.538562][ T5103] which belongs to the cache skbuff_head_cache of size 240
[ 112.553244][ T5103] The buggy address is located 88 bytes inside of
[ 112.553244][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30)
[ 112.566979][ T5103]
[ 112.569307][ T5103] The buggy address belongs to the physical page:
[ 112.575721][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db
[ 112.584520][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 112.591642][ T5103] page_type: 0xffffefff(slab)
[ 112.596338][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000
[ 112.604941][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 112.613544][ T5103] page dumped because: kasan: bad access detected
[ 112.619963][ T5103] page_owner tracks the page as allocated
[ 112.625693][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838
[ 112.645292][ T5103] post_alloc_hook+0x2d1/0x350
[ 112.650663][ T5103] get_page_from_freelist+0x1353/0x2e50
[ 112.656252][ T5103] __alloc_pages_noprof+0x22b/0x2460
[ 112.661663][ T5103] alloc_slab_page+0x56/0x110
[ 112.666386][ T5103] new_slab+0x84/0x260
[ 112.670471][ T5103] ___slab_alloc+0xdac/0x1870
[ 112.675167][ T5103] __slab_alloc.constprop.0+0x56/0xb0
[ 112.680559][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310
[ 112.686393][ T5103] __alloc_skb+0x2b1/0x380
[ 112.690909][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280
[ 112.696248][ T5103] rtmsg_ifinfo+0x9f/0x1a0
[ 112.700870][ T5103] register_netdevice+0x1710/0x1cb0
[ 112.706097][ T5103] __ip_tunnel_create+0x4aa/0x690
[ 112.711168][ T5103] ip_tunnel_init_net+0x22a/0x780
[ 112.716221][ T5103] ops_init+0xbc/0x650
[ 112.720316][ T5103] setup_net+0x435/0xb40
[ 112.724583][ T5103] page last free pid 1 tgid 1 stack trace:
[ 112.730415][ T5103] free_unref_page+0x64a/0xe40
[ 112.735232][ T5103] free_contig_range+0xb6/0x1a0
[ 112.740290][ T5103] destroy_args+0xa4e/0xe20
[ 112.744828][ T5103] debug_vm_pgtable+0x1705/0x3280
[ 112.749898][ T5103] do_one_initcall+0x12b/0x700
[ 112.754704][ T5103] kernel_init_freeable+0x69d/0xca0
[ 112.760028][ T5103] kernel_init+0x1c/0x2b0
[ 112.764400][ T5103] ret_from_fork+0x48/0x80
[ 112.768871][ T5103] ret_from_fork_asm+0x1a/0x30
[ 112.774199][ T5103]
[ 112.776526][ T5103] Memory state around the buggy address:
[ 112.782343][ T5103] ffff8880632dba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 112.790422][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 112.798497][ T5103] >ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.806565][ T5103] ^
[ 112.811420][ T5103] ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 112.819493][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 112.827560][ T5103] ==================================================================
[ 112.835759][ T4486] Bluetooth: hci1: command tx timeout
[ 112.837614][ T53] Bluetooth: hci2: command tx timeout
[ 112.841209][ T4486] Bluetooth: hci4: command tx timeout
[ 112.847552][ T53] Bluetooth: hci3: command tx timeout
[ 112.899115][ T5103] ==================================================================
[ 112.907228][ T5103] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x28d/0x2b0
[ 112.915602][ T5103] Read of size 8 at addr ffff8880632dbba0 by task syz-executor/5103
[ 112.923606][ T5103]
[ 112.925951][ T5103] CPU: 1 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 112.937725][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 112.947817][ T5103] Call Trace:
[ 112.951391][ T5103] <TASK>
[ 112.954347][ T5103] dump_stack_lvl+0x116/0x1f0
[ 112.959080][ T5103] print_report+0xc3/0x620
[ 112.963538][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.969212][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.974892][ T5103] ? __phys_addr+0xc6/0x150
[ 112.979433][ T5103] kasan_report+0xd9/0x110
[ 112.983885][ T5103] ? skb_release_head_state+0x28d/0x2b0
[ 112.989561][ T5103] ? skb_release_head_state+0x28d/0x2b0
[ 112.995157][ T5103] skb_release_head_state+0x28d/0x2b0
[ 113.000574][ T5103] kfree_skb_reason+0xed/0x210
[ 113.005386][ T5103] __hci_req_sync+0x61d/0x980
[ 113.010110][ T5103] ? __pfx___hci_req_sync+0x10/0x10
[ 113.015467][ T5103] ? __mutex_lock+0x1a6/0x9c0
[ 113.020212][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10
[ 113.026326][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.031993][ T5103] ? hci_req_sync+0x3f/0xd0
[ 113.036531][ T5103] ? __pfx___might_resched+0x10/0x10
[ 113.041859][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.047518][ T5103] ? aa_get_newest_label+0x376/0x680
[ 113.052861][ T5103] hci_req_sync+0x97/0xd0
[ 113.057567][ T5103] ? __pfx_hci_scan_req+0x10/0x10
[ 113.062620][ T5103] hci_dev_cmd+0x634/0x960
[ 113.067071][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.072729][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10
[ 113.077724][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.083379][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.089125][ T5103] ? security_capable+0x98/0xd0
[ 113.094114][ T5103] hci_sock_ioctl+0x4f3/0x880
[ 113.098863][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.104520][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 113.109746][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 113.115780][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.121470][ T5103] sock_do_ioctl+0x119/0x280
[ 113.126103][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10
[ 113.131276][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.136971][ T5103] sock_ioctl+0x22e/0x6c0
[ 113.141477][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 113.146497][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.152163][ T5103] ? __fget_files+0x256/0x400
[ 113.157064][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.162725][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 113.167764][ T5103] __x64_sys_ioctl+0x196/0x220
[ 113.172677][ T5103] do_syscall_64+0xcd/0x250
[ 113.177244][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 113.183180][ T5103] RIP: 0033:0x7fb7bb9757db
[ 113.187608][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 113.207279][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 113.215718][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db
[ 113.223705][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003
[ 113.231809][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000
[ 113.240269][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[ 113.248362][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[ 113.256364][ T5103] </TASK>
[ 113.259389][ T5103]
[ 113.261711][ T5103] Allocated by task 4486:
[ 113.266043][ T5103] kasan_save_stack+0x33/0x60
[ 113.270748][ T5103] kasan_save_track+0x14/0x30
[ 113.275443][ T5103] __kasan_slab_alloc+0x89/0x90
[ 113.280314][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0
[ 113.285837][ T5103] skb_clone+0x190/0x3f0
[ 113.290111][ T5103] hci_cmd_work+0x66a/0x710
[ 113.294849][ T5103] process_one_work+0x9c8/0x1b40
[ 113.299956][ T5103] worker_thread+0x6c8/0xf30
[ 113.304577][ T5103] kthread+0x2c4/0x3a0
[ 113.308685][ T5103] ret_from_fork+0x48/0x80
[ 113.313145][ T5103] ret_from_fork_asm+0x1a/0x30
[ 113.317968][ T5103]
[ 113.320295][ T5103] Freed by task 4486:
[ 113.324282][ T5103] kasan_save_stack+0x33/0x60
[ 113.328979][ T5103] kasan_save_track+0x14/0x30
[ 113.333673][ T5103] kasan_save_free_info+0x3b/0x60
[ 113.338732][ T5103] poison_slab_object+0xf7/0x160
[ 113.343717][ T5103] __kasan_slab_free+0x32/0x50
[ 113.348599][ T5103] kmem_cache_free+0x12f/0x3a0
[ 113.353383][ T5103] kfree_skbmem+0x10e/0x200
[ 113.357927][ T5103] kfree_skb_reason+0x138/0x210
[ 113.362983][ T5103] hci_req_sync_complete+0x16c/0x270
[ 113.368295][ T5103] hci_event_packet+0x966/0x1170
[ 113.373687][ T5103] hci_rx_work+0x2c4/0x1610
[ 113.378234][ T5103] process_one_work+0x9c8/0x1b40
[ 113.383199][ T5103] worker_thread+0x6c8/0xf30
[ 113.388079][ T5103] kthread+0x2c4/0x3a0
[ 113.392184][ T5103] ret_from_fork+0x48/0x80
[ 113.396636][ T5103] ret_from_fork_asm+0x1a/0x30
[ 113.401524][ T5103]
[ 113.403920][ T5103] The buggy address belongs to the object at ffff8880632dbb40
[ 113.403920][ T5103] which belongs to the cache skbuff_head_cache of size 240
[ 113.418720][ T5103] The buggy address is located 96 bytes inside of
[ 113.418720][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30)
[ 113.432455][ T5103]
[ 113.434782][ T5103] The buggy address belongs to the physical page:
[ 113.441193][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db
[ 113.449992][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 113.457113][ T5103] page_type: 0xffffefff(slab)
[ 113.461943][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000
[ 113.470546][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 113.479315][ T5103] page dumped because: kasan: bad access detected
[ 113.485935][ T5103] page_owner tracks the page as allocated
[ 113.491762][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838
[ 113.511258][ T5103] post_alloc_hook+0x2d1/0x350
[ 113.516088][ T5103] get_page_from_freelist+0x1353/0x2e50
[ 113.521692][ T5103] __alloc_pages_noprof+0x22b/0x2460
[ 113.527016][ T5103] alloc_slab_page+0x56/0x110
[ 113.531731][ T5103] new_slab+0x84/0x260
[ 113.535830][ T5103] ___slab_alloc+0xdac/0x1870
[ 113.540526][ T5103] __slab_alloc.constprop.0+0x56/0xb0
[ 113.545921][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310
[ 113.551751][ T5103] __alloc_skb+0x2b1/0x380
[ 113.556300][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280
[ 113.561732][ T5103] rtmsg_ifinfo+0x9f/0x1a0
[ 113.566178][ T5103] register_netdevice+0x1710/0x1cb0
[ 113.571508][ T5103] __ip_tunnel_create+0x4aa/0x690
[ 113.576561][ T5103] ip_tunnel_init_net+0x22a/0x780
[ 113.581902][ T5103] ops_init+0xbc/0x650
[ 113.586014][ T5103] setup_net+0x435/0xb40
[ 113.590285][ T5103] page last free pid 1 tgid 1 stack trace:
[ 113.596101][ T5103] free_unref_page+0x64a/0xe40
[ 113.600900][ T5103] free_contig_range+0xb6/0x1a0
[ 113.605784][ T5103] destroy_args+0xa4e/0xe20
[ 113.610324][ T5103] debug_vm_pgtable+0x1705/0x3280
[ 113.615413][ T5103] do_one_initcall+0x12b/0x700
[ 113.620716][ T5103] kernel_init_freeable+0x69d/0xca0
[ 113.625972][ T5103] kernel_init+0x1c/0x2b0
[ 113.630481][ T5103] ret_from_fork+0x48/0x80
[ 113.634936][ T5103] ret_from_fork_asm+0x1a/0x30
[ 113.639743][ T5103]
[ 113.642182][ T5103] Memory state around the buggy address:
[ 113.648015][ T5103] ffff8880632dba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 113.656390][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 113.664513][ T5103] >ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 113.672794][ T5103]                                ^
[ 113.678382][ T5103] ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 113.686467][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 113.694737][ T5103] ==================================================================
[ 113.719714][ T5103] ==================================================================
[ 113.727848][ T5103] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x276/0x2b0
[ 113.736226][ T5103] Read of size 8 at addr ffff8880632dbba8 by task syz-executor/5103
[ 113.744228][ T5103]
[ 113.746567][ T5103] CPU: 0 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 113.758321][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 113.768485][ T5103] Call Trace:
[ 113.771782][ T5103] <TASK>
[ 113.774731][ T5103] dump_stack_lvl+0x116/0x1f0
[ 113.779456][ T5103] print_report+0xc3/0x620
[ 113.783909][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.789582][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.795255][ T5103] ? __phys_addr+0xc6/0x150
[ 113.799796][ T5103] kasan_report+0xd9/0x110
[ 113.804261][ T5103] ? skb_release_head_state+0x276/0x2b0
[ 113.809858][ T5103] ? skb_release_head_state+0x276/0x2b0
[ 113.815454][ T5103] skb_release_head_state+0x276/0x2b0
[ 113.820872][ T5103] kfree_skb_reason+0xed/0x210
[ 113.825681][ T5103] __hci_req_sync+0x61d/0x980
[ 113.830396][ T5103] ? __pfx___hci_req_sync+0x10/0x10
[ 113.835621][ T5103] ? __mutex_lock+0x1a6/0x9c0
[ 113.840415][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10
[ 113.846603][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.852264][ T5103] ? hci_req_sync+0x3f/0xd0
[ 113.856804][ T5103] ? __pfx___might_resched+0x10/0x10
[ 113.862135][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.867797][ T5103] ? aa_get_newest_label+0x376/0x680
[ 113.873141][ T5103] hci_req_sync+0x97/0xd0
[ 113.877500][ T5103] ? __pfx_hci_scan_req+0x10/0x10
[ 113.882556][ T5103] hci_dev_cmd+0x634/0x960
[ 113.887009][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.892757][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10
[ 113.897754][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.903529][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.909214][ T5103] ? security_capable+0x98/0xd0
[ 113.914151][ T5103] hci_sock_ioctl+0x4f3/0x880
[ 113.918865][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.924528][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 113.929846][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 113.935869][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.941530][ T5103] sock_do_ioctl+0x119/0x280
[ 113.946160][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10
[ 113.951340][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.957003][ T5103] sock_ioctl+0x22e/0x6c0
[ 113.961385][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 113.966289][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.972344][ T5103] ? __fget_files+0x256/0x400
[ 113.977165][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.982854][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 113.987776][ T5103] __x64_sys_ioctl+0x196/0x220
[ 113.992786][ T5103] do_syscall_64+0xcd/0x250
[ 113.997514][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 114.003586][ T5103] RIP: 0033:0x7fb7bb9757db
[ 114.008111][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 114.027851][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 114.036291][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db
[ 114.044279][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003
[ 114.052264][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000
[ 114.060425][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[ 114.068411][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[ 114.076411][ T5103] </TASK>
[ 114.079436][ T5103]
[ 114.081765][ T5103] Allocated by task 4486:
[ 114.086190][ T5103] kasan_save_stack+0x33/0x60
[ 114.090940][ T5103] kasan_save_track+0x14/0x30
[ 114.095729][ T5103] __kasan_slab_alloc+0x89/0x90
[ 114.100630][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0
[ 114.106124][ T5103] skb_clone+0x190/0x3f0
[ 114.110884][ T5103] hci_cmd_work+0x66a/0x710
[ 114.115545][ T5103] process_one_work+0x9c8/0x1b40
[ 114.120663][ T5103] worker_thread+0x6c8/0xf30
[ 114.125370][ T5103] kthread+0x2c4/0x3a0
[ 114.129538][ T5103] ret_from_fork+0x48/0x80
[ 114.134226][ T5103] ret_from_fork_asm+0x1a/0x30
[ 114.139038][ T5103]
[ 114.141368][ T5103] Freed by task 4486:
[ 114.145382][ T5103] kasan_save_stack+0x33/0x60
[ 114.150088][ T5103] kasan_save_track+0x14/0x30
[ 114.154790][ T5103] kasan_save_free_info+0x3b/0x60
[ 114.159858][ T5103] poison_slab_object+0xf7/0x160
[ 114.164846][ T5103] __kasan_slab_free+0x32/0x50
[ 114.169636][ T5103] kmem_cache_free+0x12f/0x3a0
[ 114.174424][ T5103] kfree_skbmem+0x10e/0x200
[ 114.178976][ T5103] kfree_skb_reason+0x138/0x210
[ 114.183858][ T5103] hci_req_sync_complete+0x16c/0x270
[ 114.189171][ T5103] hci_event_packet+0x966/0x1170
[ 114.194187][ T5103] hci_rx_work+0x2c4/0x1610
[ 114.198725][ T5103] process_one_work+0x9c8/0x1b40
[ 114.203720][ T5103] worker_thread+0x6c8/0xf30
[ 114.208521][ T5103] kthread+0x2c4/0x3a0
[ 114.212631][ T5103] ret_from_fork+0x48/0x80
[ 114.217113][ T5103] ret_from_fork_asm+0x1a/0x30
[ 114.222117][ T5103]
[ 114.224479][ T5103] The buggy address belongs to the object at ffff8880632dbb40
[ 114.224479][ T5103] which belongs to the cache skbuff_head_cache of size 240
[ 114.239127][ T5103] The buggy address is located 104 bytes inside of
[ 114.239127][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30)
[ 114.252954][ T5103]
[ 114.255283][ T5103] The buggy address belongs to the physical page:
[ 114.261867][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db
[ 114.270644][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 114.277853][ T5103] page_type: 0xffffefff(slab)
[ 114.282577][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000
[ 114.291192][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 114.299797][ T5103] page dumped because: kasan: bad access detected
[ 114.306327][ T5103] page_owner tracks the page as allocated
[ 114.312060][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838
[ 114.331549][ T5103] post_alloc_hook+0x2d1/0x350
[ 114.336357][ T5103] get_page_from_freelist+0x1353/0x2e50
[ 114.341945][ T5103] __alloc_pages_noprof+0x22b/0x2460
[ 114.347268][ T5103] alloc_slab_page+0x56/0x110
[ 114.352069][ T5103] new_slab+0x84/0x260
[ 114.356174][ T5103] ___slab_alloc+0xdac/0x1870
[ 114.361325][ T5103] __slab_alloc.constprop.0+0x56/0xb0
[ 114.366721][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310
[ 114.372644][ T5103] __alloc_skb+0x2b1/0x380
[ 114.377109][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280
[ 114.382425][ T5103] rtmsg_ifinfo+0x9f/0x1a0
[ 114.386863][ T5103] register_netdevice+0x1710/0x1cb0
[ 114.392120][ T5103] __ip_tunnel_create+0x4aa/0x690
[ 114.397439][ T5103] ip_tunnel_init_net+0x22a/0x780
[ 114.402528][ T5103] ops_init+0xbc/0x650
[ 114.406668][ T5103] setup_net+0x435/0xb40
[ 114.410961][ T5103] page last free pid 1 tgid 1 stack trace:
[ 114.416778][ T5103] free_unref_page+0x64a/0xe40
[ 114.421611][ T5103] free_contig_range+0xb6/0x1a0
[ 114.426521][ T5103] destroy_args+0xa4e/0xe20
[ 114.431124][ T5103] debug_vm_pgtable+0x1705/0x3280
[ 114.436218][ T5103] do_one_initcall+0x12b/0x700
[ 114.441030][ T5103] kernel_init_freeable+0x69d/0xca0
[ 114.446399][ T5103] kernel_init+0x1c/0x2b0
[ 114.450864][ T5103] ret_from_fork+0x48/0x80
[ 114.455320][ T5103] ret_from_fork_asm+0x1a/0x30
[ 114.460128][ T5103]
[ 114.462993][ T5103] Memory state around the buggy address:
[ 114.468646][ T5103] ffff8880632dba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 114.476811][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 114.484894][ T5103] >ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 114.493056][ T5103]                                   ^
[ 114.498535][ T5103] ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 114.506611][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 114.514679][ T5103] ==================================================================
[ 114.526641][ T5103] ==================================================================
[ 114.534859][ T5103] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x26c/0x2b0
[ 114.543209][ T5091] Bluetooth: hci0: command tx timeout
[ 114.549145][ T5103] Read of size 1 at addr ffff8880632dbbbf by task syz-executor/5103
[ 114.557157][ T5103]
[ 114.559608][ T5103] CPU: 1 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 114.571369][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 114.581527][ T5103] Call Trace:
[ 114.584815][ T5103] <TASK>
[ 114.587757][ T5103] dump_stack_lvl+0x116/0x1f0
[ 114.593011][ T5103] print_report+0xc3/0x620
[ 114.597573][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.603508][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.609260][ T5103] ? __phys_addr+0xc6/0x150
[ 114.613788][ T5103] kasan_report+0xd9/0x110
[ 114.618232][ T5103] ? skb_release_head_state+0x26c/0x2b0
[ 114.623809][ T5103] ? skb_release_head_state+0x26c/0x2b0
[ 114.629650][ T5103] skb_release_head_state+0x26c/0x2b0
[ 114.635097][ T5103] kfree_skb_reason+0xed/0x210
[ 114.639921][ T5103] __hci_req_sync+0x61d/0x980
[ 114.644634][ T5103] ? __pfx___hci_req_sync+0x10/0x10
[ 114.649869][ T5103] ? __mutex_lock+0x1a6/0x9c0
[ 114.654581][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10
[ 114.660676][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.666348][ T5103] ? hci_req_sync+0x3f/0xd0
[ 114.671038][ T5103] ? __pfx___might_resched+0x10/0x10
[ 114.676658][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.682326][ T5103] ? aa_get_newest_label+0x376/0x680
[ 114.687696][ T5103] hci_req_sync+0x97/0xd0
[ 114.692400][ T5103] ? __pfx_hci_scan_req+0x10/0x10
[ 114.697545][ T5103] hci_dev_cmd+0x634/0x960
[ 114.702347][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.708007][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10
[ 114.713005][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.718753][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.724691][ T5103] ? security_capable+0x98/0xd0
[ 114.729590][ T5103] hci_sock_ioctl+0x4f3/0x880
[ 114.734299][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.740057][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 114.745294][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 114.751418][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.757189][ T5103] sock_do_ioctl+0x119/0x280
[ 114.761839][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10
[ 114.767008][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.772680][ T5103] sock_ioctl+0x22e/0x6c0
[ 114.777055][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 114.782014][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.787744][ T5103] ? __fget_files+0x256/0x400
[ 114.792482][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.798148][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 114.803045][ T5103] __x64_sys_ioctl+0x196/0x220
[ 114.807855][ T5103] do_syscall_64+0xcd/0x250
[ 114.812404][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 114.818348][ T5103] RIP: 0033:0x7fb7bb9757db
[ 114.822781][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 114.842421][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 114.850978][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db
[ 114.859013][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003
[ 114.867023][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000
[ 114.875024][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[ 114.883013][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[ 114.891115][ T5103] </TASK>
[ 114.894166][ T5103]
[ 114.896495][ T5103] Allocated by task 4486:
[ 114.900858][ T5103] kasan_save_stack+0x33/0x60
[ 114.905561][ T5103] kasan_save_track+0x14/0x30
[ 114.910252][ T5103] __kasan_slab_alloc+0x89/0x90
[ 114.915207][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0
[ 114.920691][ T5103] skb_clone+0x190/0x3f0
[ 114.924962][ T5103] hci_cmd_work+0x66a/0x710
[ 114.929515][ T5103] process_one_work+0x9c8/0x1b40
[ 114.934482][ T5103] worker_thread+0x6c8/0xf30
[ 114.939111][ T5103] kthread+0x2c4/0x3a0
[ 114.943243][ T5103] ret_from_fork+0x48/0x80
[ 114.947698][ T5103] ret_from_fork_asm+0x1a/0x30
[ 114.952499][ T5103]
[ 114.954827][ T5103] Freed by task 4486:
[ 114.958806][ T5103] kasan_save_stack+0x33/0x60
[ 114.963495][ T5103] kasan_save_track+0x14/0x30
[ 114.968186][ T5103] kasan_save_free_info+0x3b/0x60
[ 114.973246][ T5103] poison_slab_object+0xf7/0x160
[ 114.978230][ T5103] __kasan_slab_free+0x32/0x50
[ 114.983010][ T5103] kmem_cache_free+0x12f/0x3a0
[ 114.987795][ T5103] kfree_skbmem+0x10e/0x200
[ 114.992337][ T5103] kfree_skb_reason+0x138/0x210
[ 114.997405][ T5103] hci_req_sync_complete+0x16c/0x270
[ 115.002712][ T5103] hci_event_packet+0x966/0x1170
[ 115.007700][ T5103] hci_rx_work+0x2c4/0x1610
[ 115.012250][ T5103] process_one_work+0x9c8/0x1b40
[ 115.017253][ T5103] worker_thread+0x6c8/0xf30
[ 115.021884][ T5103] kthread+0x2c4/0x3a0
[ 115.025997][ T5103] ret_from_fork+0x48/0x80
[ 115.030454][ T5103] ret_from_fork_asm+0x1a/0x30
[ 115.035284][ T5103]
[ 115.037627][ T5103] The buggy address belongs to the object at ffff8880632dbb40
[ 115.037627][ T5103] which belongs to the cache skbuff_head_cache of size 240
[ 115.052222][ T5103] The buggy address is located 127 bytes inside of
[ 115.052222][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30)
[ 115.066519][ T5103]
[ 115.068857][ T5103] The buggy address belongs to the physical page:
[ 115.075303][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db
[ 115.084091][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 115.091246][ T5103] page_type: 0xffffefff(slab)
[ 115.095965][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000
[ 115.104581][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 115.113183][ T5103] page dumped because: kasan: bad access detected
[ 115.119601][ T5103] page_owner tracks the page as allocated
[ 115.125332][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838
[ 115.144990][ T5103] post_alloc_hook+0x2d1/0x350
[ 115.149791][ T5103] get_page_from_freelist+0x1353/0x2e50
[ 115.155375][ T5103] __alloc_pages_noprof+0x22b/0x2460
[ 115.160695][ T5103] alloc_slab_page+0x56/0x110
[ 115.165600][ T5103] new_slab+0x84/0x260
[ 115.169772][ T5103] ___slab_alloc+0xdac/0x1870
[ 115.174577][ T5103] __slab_alloc.constprop.0+0x56/0xb0
[ 115.179971][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310
[ 115.185801][ T5103] __alloc_skb+0x2b1/0x380
[ 115.190261][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280
[ 115.195571][ T5103] rtmsg_ifinfo+0x9f/0x1a0
[ 115.200006][ T5103] register_netdevice+0x1710/0x1cb0
[ 115.205237][ T5103] __ip_tunnel_create+0x4aa/0x690
[ 115.210288][ T5103] ip_tunnel_init_net+0x22a/0x780
[ 115.215371][ T5103] ops_init+0xbc/0x650
[ 115.219462][ T5103] setup_net+0x435/0xb40
[ 115.223730][ T5103] page last free pid 1 tgid 1 stack trace:
[ 115.229547][ T5103] free_unref_page+0x64a/0xe40
[ 115.234346][ T5103] free_contig_range+0xb6/0x1a0
[ 115.239232][ T5103] destroy_args+0xa4e/0xe20
[ 115.243771][ T5103] debug_vm_pgtable+0x1705/0x3280
[ 115.248846][ T5103] do_one_initcall+0x12b/0x700
[ 115.253647][ T5103] kernel_init_freeable+0x69d/0xca0
[ 115.258884][ T5103] kernel_init+0x1c/0x2b0
[ 115.263257][ T5103] ret_from_fork+0x48/0x80
[ 115.268055][ T5103] ret_from_fork_asm+0x1a/0x30
[ 115.272865][ T5103]
[ 115.275187][ T5103] Memory state around the buggy address:
[ 115.280818][ T5103] ffff8880632dba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 115.288982][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 115.297076][ T5103] >ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 115.305235][ T5103]                                         ^
[ 115.311132][ T5103] ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 115.319578][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 115.327660][ T5103] ==================================================================
[ 115.338908][ T53] Bluetooth: hci3: command tx timeout
[ 115.342800][ T5091] Bluetooth: hci4: command tx timeout
[ 115.344331][ T53] Bluetooth: hci2: command tx timeout
[ 115.351646][ T5091] Bluetooth: hci1: command tx timeout
[ 115.362991][ T5103] ==================================================================
[ 115.371071][ T5103] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x1ff/0x210
[ 115.378928][ T5103] Read of size 8 at addr ffff8880632dbc10 by task syz-executor/5103
[ 115.386931][ T5103]
[ 115.389267][ T5103] CPU: 0 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 115.401018][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 115.411101][ T5103] Call Trace:
[ 115.414399][ T5103] <TASK>
[ 115.417348][ T5103] dump_stack_lvl+0x116/0x1f0
[ 115.422091][ T5103] print_report+0xc3/0x620
[ 115.426560][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.432237][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.437917][ T5103] ? __phys_addr+0xc6/0x150
[ 115.442467][ T5103] kasan_report+0xd9/0x110
[ 115.446933][ T5103] ? kfree_skb_reason+0x1ff/0x210
[ 115.452019][ T5103] ? kfree_skb_reason+0x1ff/0x210
[ 115.457108][ T5103] kfree_skb_reason+0x1ff/0x210
[ 115.462013][ T5103] __hci_req_sync+0x61d/0x980
[ 115.466826][ T5103] ? __pfx___hci_req_sync+0x10/0x10
[ 115.472189][ T5103] ? __mutex_lock+0x1a6/0x9c0
[ 115.477518][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10
[ 115.483625][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.489295][ T5103] ? hci_req_sync+0x3f/0xd0
[ 115.493851][ T5103] ? __pfx___might_resched+0x10/0x10
[ 115.499190][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.504868][ T5103] ? aa_get_newest_label+0x376/0x680
[ 115.510222][ T5103] hci_req_sync+0x97/0xd0
[ 115.514592][ T5103] ? __pfx_hci_scan_req+0x10/0x10
[ 115.519663][ T5103] hci_dev_cmd+0x634/0x960
[ 115.524128][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.529803][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10
[ 115.534796][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.540739][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.546502][ T5103] ? security_capable+0x98/0xd0
[ 115.551886][ T5103] hci_sock_ioctl+0x4f3/0x880
[ 115.556644][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.562332][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 115.567582][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 115.573602][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.579263][ T5103] sock_do_ioctl+0x119/0x280
[ 115.583906][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10
[ 115.589200][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.594967][ T5103] sock_ioctl+0x22e/0x6c0
[ 115.599362][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 115.604283][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.609999][ T5103] ? __fget_files+0x256/0x400
[ 115.614747][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.620487][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 115.625398][ T5103] __x64_sys_ioctl+0x196/0x220
[ 115.630295][ T5103] do_syscall_64+0xcd/0x250
[ 115.634946][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 115.641517][ T5103] RIP: 0033:0x7fb7bb9757db
[ 115.646047][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 115.665915][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 115.674366][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db
[ 115.682367][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003
[ 115.690367][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000
[ 115.698372][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[ 115.698488][ T5090] chnl_net:caif_netlink_parms(): no params data found
[ 115.706433][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[ 115.706475][ T5103] </TASK>
[ 115.725044][ T5103]
[ 115.727380][ T5103] Allocated by task 4486:
[ 115.731721][ T5103] kasan_save_stack+0x33/0x60
[ 115.736525][ T5103] kasan_save_track+0x14/0x30
[ 115.741494][ T5103] __kasan_slab_alloc+0x89/0x90
[ 115.746377][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0
[ 115.751875][ T5103] skb_clone+0x190/0x3f0
[ 115.756161][ T5103] hci_cmd_work+0x66a/0x710
[ 115.760822][ T5103] process_one_work+0x9c8/0x1b40
[ 115.765834][ T5103] worker_thread+0x6c8/0xf30
[ 115.770467][ T5103] kthread+0x2c4/0x3a0
[ 115.774789][ T5103] ret_from_fork+0x48/0x80
[ 115.779256][ T5103] ret_from_fork_asm+0x1a/0x30
[ 115.784078][ T5103]
[ 115.786415][ T5103] Freed by task 4486:
[ 115.790419][ T5103] kasan_save_stack+0x33/0x60
[ 115.795678][ T5103] kasan_save_track+0x14/0x30
[ 115.800709][ T5103] kasan_save_free_info+0x3b/0x60
[ 115.805996][ T5103] poison_slab_object+0xf7/0x160
[ 115.811281][ T5103] __kasan_slab_free+0x32/0x50
[ 115.816085][ T5103] kmem_cache_free+0x12f/0x3a0
[ 115.820889][ T5103] kfree_skbmem+0x10e/0x200
[ 115.825540][ T5103] kfree_skb_reason+0x138/0x210
[ 115.830552][ T5103] hci_req_sync_complete+0x16c/0x270
[ 115.836002][ T5103] hci_event_packet+0x966/0x1170
[ 115.841045][ T5103] hci_rx_work+0x2c4/0x1610
[ 115.845612][ T5103] process_one_work+0x9c8/0x1b40
[ 115.850594][ T5103] worker_thread+0x6c8/0xf30
[ 115.855316][ T5103] kthread+0x2c4/0x3a0
[ 115.859445][ T5103] ret_from_fork+0x48/0x80
[ 115.863913][ T5103] ret_from_fork_asm+0x1a/0x30
[ 115.868819][ T5103]
[ 115.871155][ T5103] The buggy address belongs to the object at ffff8880632dbb40
[ 115.871155][ T5103] which belongs to the cache skbuff_head_cache of size 240
[ 115.885863][ T5103] The buggy address is located 208 bytes inside of
[ 115.885863][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30)
[ 115.899783][ T5103]
[ 115.902116][ T5103] The buggy address belongs to the physical page:
[ 115.908528][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db
[ 115.917295][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 115.924514][ T5103] page_type: 0xffffefff(slab)
[ 115.929214][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000
[ 115.937827][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 115.946512][ T5103] page dumped because: kasan: bad access detected
[ 115.953371][ T5103] page_owner tracks the page as allocated
[ 115.959356][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838
[ 115.978888][ T5103] post_alloc_hook+0x2d1/0x350
[ 115.983966][ T5103] get_page_from_freelist+0x1353/0x2e50
[ 115.989586][ T5103] __alloc_pages_noprof+0x22b/0x2460
[ 115.994922][ T5103] alloc_slab_page+0x56/0x110
[ 115.999639][ T5103] new_slab+0x84/0x260
[ 116.003765][ T5103] ___slab_alloc+0xdac/0x1870
[ 116.008447][ T5103] __slab_alloc.constprop.0+0x56/0xb0
[ 116.013841][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310
[ 116.019654][ T5103] __alloc_skb+0x2b1/0x380
[ 116.024176][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280
[ 116.029468][ T5103] rtmsg_ifinfo+0x9f/0x1a0
[ 116.033888][ T5103] register_netdevice+0x1710/0x1cb0
[ 116.039096][ T5103] __ip_tunnel_create+0x4aa/0x690
[ 116.044127][ T5103] ip_tunnel_init_net+0x22a/0x780
[ 116.049161][ T5103] ops_init+0xbc/0x650
[ 116.053237][ T5103] setup_net+0x435/0xb40
[ 116.057485][ T5103] page last free pid 1 tgid 1 stack trace:
[ 116.063280][ T5103] free_unref_page+0x64a/0xe40
[ 116.068580][ T5103] free_contig_range+0xb6/0x1a0
[ 116.073799][ T5103] destroy_args+0xa4e/0xe20
[ 116.078362][ T5103] debug_vm_pgtable+0x1705/0x3280
[ 116.083512][ T5103] do_one_initcall+0x12b/0x700
[ 116.088389][ T5103] kernel_init_freeable+0x69d/0xca0
[ 116.093606][ T5103] kernel_init+0x1c/0x2b0
[ 116.097958][ T5103] ret_from_fork+0x48/0x80
[ 116.102392][ T5103] ret_from_fork_asm+0x1a/0x30
[ 116.107192][ T5103]
[ 116.109608][ T5103] Memory state around the buggy address:
[ 116.115233][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 116.123311][ T5103] ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 116.131482][ T5103] >ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 116.139547][ T5103]                          ^
[ 116.144133][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 116.152400][ T5103] ffff8880632dbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 116.160472][ T5103] ==================================================================
[ 116.170913][ T5103] ==================================================================
[ 116.179015][ T5103] BUG: KASAN: slab-use-after-free in skb_release_data+0x8c6/0x980
[ 116.186861][ T5103] Read of size 8 at addr ffff8880632dbc10 by task syz-executor/5103
[ 116.195026][ T5103]
[ 116.197354][ T5103] CPU: 0 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 116.209289][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 116.219356][ T5103] Call Trace:
[ 116.222663][ T5103] <TASK>
[ 116.225605][ T5103] dump_stack_lvl+0x116/0x1f0
[ 116.230322][ T5103] print_report+0xc3/0x620
[ 116.235112][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.240776][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.246455][ T5103] ? __phys_addr+0xc6/0x150
[ 116.250983][ T5103] kasan_report+0xd9/0x110
[ 116.255426][ T5103] ? skb_release_data+0x8c6/0x980
[ 116.260675][ T5103] ? skb_release_data+0x8c6/0x980
[ 116.265820][ T5103] skb_release_data+0x8c6/0x980
[ 116.270818][ T5103] kfree_skb_reason+0x12b/0x210
[ 116.275707][ T5103] __hci_req_sync+0x61d/0x980
[ 116.280626][ T5103] ? __pfx___hci_req_sync+0x10/0x10
[ 116.286048][ T5103] ? __mutex_lock+0x1a6/0x9c0
[ 116.290762][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10
[ 116.296858][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.302545][ T5103] ? hci_req_sync+0x3f/0xd0
[ 116.307085][ T5103] ? __pfx___might_resched+0x10/0x10
[ 116.312408][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.318098][ T5103] ? aa_get_newest_label+0x376/0x680
[ 116.323547][ T5103] hci_req_sync+0x97/0xd0
[ 116.327915][ T5103] ? __pfx_hci_scan_req+0x10/0x10
[ 116.332980][ T5103] hci_dev_cmd+0x634/0x960
[ 116.337440][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.343234][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10
[ 116.348214][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.354049][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.359729][ T5103] ? security_capable+0x98/0xd0
[ 116.364725][ T5103] hci_sock_ioctl+0x4f3/0x880
[ 116.369438][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.375101][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 116.380335][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 116.386349][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.392014][ T5103] sock_do_ioctl+0x119/0x280
[ 116.396648][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10
[ 116.401810][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.407474][ T5103] sock_ioctl+0x22e/0x6c0
[ 116.411851][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 116.416746][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.422404][ T5103] ? __fget_files+0x256/0x400
[ 116.427125][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.432983][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 116.437993][ T5103] __x64_sys_ioctl+0x196/0x220
[ 116.442799][ T5103] do_syscall_64+0xcd/0x250
[ 116.447354][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 116.453329][ T5103] RIP: 0033:0x7fb7bb9757db
[ 116.457759][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 116.477664][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 116.486105][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db
[ 116.494091][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003
[ 116.502076][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000
[ 116.510245][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[ 116.518497][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[ 116.526496][ T5103]
[ 116.529526][ T5103]
[ 116.531862][ T5103] Allocated by task 4486:
[ 116.536317][ T5103] kasan_save_stack+0x33/0x60
[ 116.541278][ T5103] kasan_save_track+0x14/0x30
[ 116.545973][ T5103] __kasan_slab_alloc+0x89/0x90
[ 116.550870][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0
[ 116.556408][ T5103] skb_clone+0x190/0x3f0
[ 116.560682][ T5103] hci_cmd_work+0x66a/0x710
[ 116.565218][ T5103] process_one_work+0x9c8/0x1b40
[ 116.570186][ T5103] worker_thread+0x6c8/0xf30
[ 116.574802][ T5103] kthread+0x2c4/0x3a0
[ 116.578913][ T5103] ret_from_fork+0x48/0x80
[ 116.583368][ T5103] ret_from_fork_asm+0x1a/0x30
[ 116.588258][ T5103]
[ 116.590587][ T5103] Freed by task 4486:
[ 116.594613][ T5103] kasan_save_stack+0x33/0x60
[ 116.599314][ T5103] kasan_save_track+0x14/0x30
[ 116.604008][ T5103] kasan_save_free_info+0x3b/0x60
[ 116.609103][ T5103] poison_slab_object+0xf7/0x160
[ 116.614281][ T5103] __kasan_slab_free+0x32/0x50
[ 116.619073][ T5103] kmem_cache_free+0x12f/0x3a0
[ 116.623866][ T5103] kfree_skbmem+0x10e/0x200
[ 116.628413][ T5103] kfree_skb_reason+0x138/0x210
[ 116.633380][ T5103] hci_req_sync_complete+0x16c/0x270
[ 116.638695][ T5103] hci_event_packet+0x966/0x1170
[ 116.643662][ T5103] hci_rx_work+0x2c4/0x1610
[ 116.648222][ T5103] process_one_work+0x9c8/0x1b40
[ 116.653222][ T5103] worker_thread+0x6c8/0xf30
[ 116.657847][ T5103] kthread+0x2c4/0x3a0
[ 116.661954][ T5103] ret_from_fork+0x48/0x80
[ 116.666519][ T5103] ret_from_fork_asm+0x1a/0x30
[ 116.671327][ T5103]
[ 116.673651][ T5103] The buggy address belongs to the object at ffff8880632dbb40
[ 116.673651][ T5103] which belongs to the cache skbuff_head_cache of size 240
[ 116.688612][ T5103] The buggy address is located 208 bytes inside of
[ 116.688612][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30)
[ 116.702611][ T5103]
[ 116.704940][ T5103] The buggy address belongs to the physical page:
[ 116.711431][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db
[ 116.720733][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 116.727910][ T5103] page_type: 0xffffefff(slab)
[ 116.732953][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000
[ 116.741672][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 116.750295][ T5103] page dumped because: kasan: bad access detected
[ 116.756716][ T5103] page_owner tracks the page as allocated
[ 116.762653][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838
[ 116.782100][ T5103] post_alloc_hook+0x2d1/0x350
[ 116.786908][ T5103] get_page_from_freelist+0x1353/0x2e50
[ 116.792493][ T5103] __alloc_pages_noprof+0x22b/0x2460
[ 116.797821][ T5103] alloc_slab_page+0x56/0x110
[ 116.802534][ T5103] new_slab+0x84/0x260
[ 116.806618][ T5103] ___slab_alloc+0xdac/0x1870
[ 116.811338][ T5103] __slab_alloc.constprop.0+0x56/0xb0
[ 116.816736][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310
[ 116.822661][ T5103] __alloc_skb+0x2b1/0x380
[ 116.827569][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280
[ 116.833232][ T5103] rtmsg_ifinfo+0x9f/0x1a0
[ 116.837673][ T5103] register_netdevice+0x1710/0x1cb0
[ 116.842928][ T5103] __ip_tunnel_create+0x4aa/0x690
[ 116.848088][ T5103] ip_tunnel_init_net+0x22a/0x780
[ 116.853140][ T5103] ops_init+0xbc/0x650
[ 116.857239][ T5103] setup_net+0x435/0xb40
[ 116.861509][ T5103] page last free pid 1 tgid 1 stack trace:
[ 116.868150][ T5103] free_unref_page+0x64a/0xe40
[ 116.872965][ T5103] free_contig_range+0xb6/0x1a0
[ 116.877852][ T5103] destroy_args+0xa4e/0xe20
[ 116.882512][ T5103] debug_vm_pgtable+0x1705/0x3280
[ 116.887776][ T5103] do_one_initcall+0x12b/0x700
[ 116.892689][ T5103] kernel_init_freeable+0x69d/0xca0
[ 116.897929][ T5103] kernel_init+0x1c/0x2b0
[ 116.902302][ T5103] ret_from_fork+0x48/0x80
[ 116.906757][ T5103] ret_from_fork_asm+0x1a/0x30
[ 116.911762][ T5103]
[ 116.914095][ T5103] Memory state around the buggy address:
[ 116.919833][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 116.927916][ T5103] ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 116.936080][ T5103] >ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 116.944265][ T5103] ^
[ 116.949023][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 116.957113][ T5103] ffff8880632dbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 116.965188][ T5103] ==================================================================
[ 116.985209][ T4486] Bluetooth: hci0: command tx timeout
[ 116.995492][ T5103] ==================================================================
[ 117.003589][ T5103] BUG: KASAN: slab-use-after-free in skb_release_data+0x813/0x980
[ 117.011442][ T5103] Read of size 4 at addr ffff8880632dbc0c by task syz-executor/5103
[ 117.019563][ T5103]
[ 117.021902][ T5103] CPU: 0 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 117.033825][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 117.043994][ T5103] Call Trace:
[ 117.047292][ T5103]
[ 117.050262][ T5103] dump_stack_lvl+0x116/0x1f0
[ 117.055001][ T5103] print_report+0xc3/0x620
[ 117.059462][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.065139][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.070811][ T5103] ? __phys_addr+0xc6/0x150
[ 117.075362][ T5103] kasan_report+0xd9/0x110
[ 117.079823][ T5103] ? skb_release_data+0x813/0x980
[ 117.084901][ T5103] ? skb_release_data+0x813/0x980
[ 117.089976][ T5103] skb_release_data+0x813/0x980
[ 117.095347][ T5103] kfree_skb_reason+0x12b/0x210
[ 117.100266][ T5103] __hci_req_sync+0x61d/0x980
[ 117.105013][ T5103] ? __pfx___hci_req_sync+0x10/0x10
[ 117.110256][ T5103] ? __mutex_lock+0x1a6/0x9c0
[ 117.115019][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10
[ 117.121155][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.126922][ T5103] ? hci_req_sync+0x3f/0xd0
[ 117.131511][ T5103] ? __pfx___might_resched+0x10/0x10
[ 117.136860][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.142527][ T5103] ? aa_get_newest_label+0x376/0x680
[ 117.147885][ T5103] hci_req_sync+0x97/0xd0
[ 117.152329][ T5103] ? __pfx_hci_scan_req+0x10/0x10
[ 117.157410][ T5103] hci_dev_cmd+0x634/0x960
[ 117.162018][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.167717][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10
[ 117.172725][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.176753][ T5102] chnl_net:caif_netlink_parms(): no params data found
[ 117.178382][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.190801][ T5103] ? security_capable+0x98/0xd0
[ 117.195749][ T5103] hci_sock_ioctl+0x4f3/0x880
[ 117.200485][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.206162][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 117.211408][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 117.217432][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.223110][ T5103] sock_do_ioctl+0x119/0x280
[ 117.227757][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10
[ 117.232959][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.238741][ T5103] sock_ioctl+0x22e/0x6c0
[ 117.243136][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 117.248051][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.253725][ T5103] ? __fget_files+0x256/0x400
[ 117.258478][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.264500][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 117.269470][ T5103] __x64_sys_ioctl+0x196/0x220
[ 117.274288][ T5103] do_syscall_64+0xcd/0x250
[ 117.278855][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 117.285244][ T5103] RIP: 0033:0x7fb7bb9757db
[ 117.289697][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 117.309517][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 117.317961][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db
[ 117.325947][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003
[ 117.333959][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000
[ 117.341971][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[ 117.350142][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[ 117.358156][ T5103]
[ 117.361191][ T5103]
[ 117.363526][ T5103] Allocated by task 4486:
[ 117.367872][ T5103] kasan_save_stack+0x33/0x60
[ 117.371985][ T5097] chnl_net:caif_netlink_parms(): no params data found
[ 117.372561][ T5103] kasan_save_track+0x14/0x30
[ 117.384156][ T5103] __kasan_slab_alloc+0x89/0x90
[ 117.389065][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0
[ 117.394577][ T5103] skb_clone+0x190/0x3f0
[ 117.399472][ T5103] hci_cmd_work+0x66a/0x710
[ 117.404149][ T5103] process_one_work+0x9c8/0x1b40
[ 117.409135][ T5103] worker_thread+0x6c8/0xf30
[ 117.413772][ T5103] kthread+0x2c4/0x3a0
[ 117.417911][ T5103] ret_from_fork+0x48/0x80
[ 117.422382][ T5103] ret_from_fork_asm+0x1a/0x30
[ 117.427301][ T5103]
[ 117.429663][ T5103] Freed by task 4486:
[ 117.433640][ T5103] kasan_save_stack+0x33/0x60
[ 117.436254][ T5091] Bluetooth: hci2: command tx timeout
[ 117.438312][ T5103] kasan_save_track+0x14/0x30
[ 117.443708][ T5091] Bluetooth: hci4: command tx timeout
[ 117.448324][ T5103] kasan_save_free_info+0x3b/0x60
[ 117.448376][ T5103] poison_slab_object+0xf7/0x160
[ 117.454138][ T5091] Bluetooth: hci3: command tx timeout
[ 117.458722][ T5103] __kasan_slab_free+0x32/0x50
[ 117.458760][ T5103] kmem_cache_free+0x12f/0x3a0
[ 117.458797][ T5103] kfree_skbmem+0x10e/0x200
[ 117.458862][ T5103] kfree_skb_reason+0x138/0x210
[ 117.488164][ T5103] hci_req_sync_complete+0x16c/0x270
[ 117.493562][ T5103] hci_event_packet+0x966/0x1170
[ 117.498510][ T5103] hci_rx_work+0x2c4/0x1610
[ 117.503032][ T5103] process_one_work+0x9c8/0x1b40
[ 117.507981][ T5103] worker_thread+0x6c8/0xf30
[ 117.512600][ T5103] kthread+0x2c4/0x3a0
[ 117.516688][ T5103] ret_from_fork+0x48/0x80
[ 117.521126][ T5103] ret_from_fork_asm+0x1a/0x30
[ 117.525914][ T5103]
[ 117.528228][ T5103] The buggy address belongs to the object at ffff8880632dbb40
[ 117.528228][ T5103] which belongs to the cache skbuff_head_cache of size 240
[ 117.542819][ T5103] The buggy address is located 204 bytes inside of
[ 117.542819][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30)
[ 117.556628][ T5103]
[ 117.558964][ T5103] The buggy address belongs to the physical page:
[ 117.565385][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db
[ 117.575156][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 117.582316][ T5103] page_type: 0xffffefff(slab)
[ 117.587095][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000
[ 117.595958][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 117.604555][ T5103] page dumped because: kasan: bad access detected
[ 117.610965][ T5103] page_owner tracks the page as allocated
[ 117.616778][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838
[ 117.636271][ T5103] post_alloc_hook+0x2d1/0x350
[ 117.641143][ T5103] get_page_from_freelist+0x1353/0x2e50
[ 117.646707][ T5103] __alloc_pages_noprof+0x22b/0x2460
[ 117.652010][ T5103] alloc_slab_page+0x56/0x110
[ 117.656705][ T5103] new_slab+0x84/0x260
[ 117.660783][ T5103] ___slab_alloc+0xdac/0x1870
[ 117.665474][ T5103] __slab_alloc.constprop.0+0x56/0xb0
[ 117.670856][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310
[ 117.676669][ T5103] __alloc_skb+0x2b1/0x380
[ 117.681108][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280
[ 117.686400][ T5103] rtmsg_ifinfo+0x9f/0x1a0
[ 117.690823][ T5103] register_netdevice+0x1710/0x1cb0
[ 117.696124][ T5103] __ip_tunnel_create+0x4aa/0x690
[ 117.701157][ T5103] ip_tunnel_init_net+0x22a/0x780
[ 117.706212][ T5103] ops_init+0xbc/0x650
[ 117.710290][ T5103] setup_net+0x435/0xb40
[ 117.714544][ T5103] page last free pid 1 tgid 1 stack trace:
[ 117.720349][ T5103] free_unref_page+0x64a/0xe40
[ 117.725134][ T5103] free_contig_range+0xb6/0x1a0
[ 117.730050][ T5103] destroy_args+0xa4e/0xe20
[ 117.734591][ T5103] debug_vm_pgtable+0x1705/0x3280
[ 117.739811][ T5103] do_one_initcall+0x12b/0x700
[ 117.744618][ T5103] kernel_init_freeable+0x69d/0xca0
[ 117.749840][ T5103] kernel_init+0x1c/0x2b0
[ 117.754189][ T5103] ret_from_fork+0x48/0x80
[ 117.758625][ T5103] ret_from_fork_asm+0x1a/0x30
[ 117.763639][ T5103]
[ 117.765982][ T5103] Memory state around the buggy address:
[ 117.771648][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 117.779745][ T5103] ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 117.787829][ T5103] >ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 117.795894][ T5103] ^
[ 117.800226][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 117.808377][ T5103] ffff8880632dbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 117.816438][ T5103] ==================================================================
[ 117.824856][ T4486] Bluetooth: hci1: command tx timeout
[ 117.825055][ T5103] ==================================================================
[ 117.838481][ T5103] BUG: KASAN: slab-use-after-free in skb_release_data+0x806/0x980
[ 117.846345][ T5103] Read of size 1 at addr ffff8880632dbbbe by task syz-executor/5103
[ 117.854344][ T5103]
[ 117.856681][ T5103] CPU: 0 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 117.868593][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 117.878663][ T5103] Call Trace:
[ 117.881956][ T5103]
[ 117.884895][ T5103] dump_stack_lvl+0x116/0x1f0
[ 117.889609][ T5103] print_report+0xc3/0x620
[ 117.894239][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.899924][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.905583][ T5103] ? __phys_addr+0xc6/0x150
[ 117.910115][ T5103] kasan_report+0xd9/0x110
[ 117.914556][ T5103] ? skb_release_data+0x806/0x980
[ 117.919638][ T5103] ? skb_release_data+0x806/0x980
[ 117.924721][ T5103] skb_release_data+0x806/0x980
[ 117.929782][ T5103] kfree_skb_reason+0x12b/0x210
[ 117.934933][ T5103] __hci_req_sync+0x61d/0x980
[ 117.939649][ T5103] ? __pfx___hci_req_sync+0x10/0x10
[ 117.944878][ T5103] ? __mutex_lock+0x1a6/0x9c0
[ 117.949588][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10
[ 117.955685][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.961345][ T5103] ? hci_req_sync+0x3f/0xd0
[ 117.966012][ T5103] ? __pfx___might_resched+0x10/0x10
[ 117.971377][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.977039][ T5103] ? aa_get_newest_label+0x376/0x680
[ 117.982417][ T5103] hci_req_sync+0x97/0xd0
[ 117.986816][ T5103] ? __pfx_hci_scan_req+0x10/0x10
[ 117.991876][ T5103] hci_dev_cmd+0x634/0x960
[ 117.996337][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.002224][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10
[ 118.007251][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.012912][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.018676][ T5103] ? security_capable+0x98/0xd0
[ 118.023599][ T5103] hci_sock_ioctl+0x4f3/0x880
[ 118.028318][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.033990][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 118.039254][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 118.045270][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.050974][ T5103] sock_do_ioctl+0x119/0x280
[ 118.055620][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10
[ 118.060785][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.066477][ T5103] sock_ioctl+0x22e/0x6c0
[ 118.070882][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 118.075782][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.081463][ T5103] ? __fget_files+0x256/0x400
[ 118.086184][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.091868][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 118.096768][ T5103] __x64_sys_ioctl+0x196/0x220
[ 118.101870][ T5103] do_syscall_64+0xcd/0x250
[ 118.106464][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 118.112429][ T5103] RIP: 0033:0x7fb7bb9757db
[ 118.116885][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 118.137915][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 118.146368][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db
[ 118.154358][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003
[ 118.162555][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000
[ 118.170564][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[ 118.178660][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[ 118.186805][ T5103]
[ 118.189888][ T5103]
[ 118.192222][ T5103] Allocated by task 4486:
[ 118.196560][ T5103] kasan_save_stack+0x33/0x60
[ 118.201292][ T5103] kasan_save_track+0x14/0x30
[ 118.206012][ T5103] __kasan_slab_alloc+0x89/0x90
[ 118.210885][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0
[ 118.216369][ T5103] skb_clone+0x190/0x3f0
[ 118.220640][ T5103] hci_cmd_work+0x66a/0x710
[ 118.225176][ T5103] process_one_work+0x9c8/0x1b40
[ 118.230233][ T5103] worker_thread+0x6c8/0xf30
[ 118.234884][ T5103] kthread+0x2c4/0x3a0
[ 118.239111][ T5103] ret_from_fork+0x48/0x80
[ 118.243566][ T5103] ret_from_fork_asm+0x1a/0x30
[ 118.248375][ T5103]
[ 118.250704][ T5103] Freed by task 4486:
[ 118.254712][ T5103] kasan_save_stack+0x33/0x60
[ 118.259443][ T5103] kasan_save_track+0x14/0x30
[ 118.264137][ T5103] kasan_save_free_info+0x3b/0x60
[ 118.269197][ T5103] poison_slab_object+0xf7/0x160
[ 118.274178][ T5103] __kasan_slab_free+0x32/0x50
[ 118.278962][ T5103] kmem_cache_free+0x12f/0x3a0
[ 118.283776][ T5103] kfree_skbmem+0x10e/0x200
[ 118.288348][ T5103] kfree_skb_reason+0x138/0x210
[ 118.293240][ T5103] hci_req_sync_complete+0x16c/0x270
[ 118.298672][ T5103] hci_event_packet+0x966/0x1170
[ 118.303655][ T5103] hci_rx_work+0x2c4/0x1610
[ 118.308190][ T5103] process_one_work+0x9c8/0x1b40
[ 118.313162][ T5103] worker_thread+0x6c8/0xf30
[ 118.317933][ T5103] kthread+0x2c4/0x3a0
[ 118.322215][ T5103] ret_from_fork+0x48/0x80
[ 118.326669][ T5103] ret_from_fork_asm+0x1a/0x30
[ 118.331474][ T5103]
[ 118.333807][ T5103] The buggy address belongs to the object at ffff8880632dbb40
[ 118.333807][ T5103] which belongs to the cache skbuff_head_cache of size 240
[ 118.348412][ T5103] The buggy address is located 126 bytes inside of
[ 118.348412][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30)
[ 118.362294][ T5103]
[ 118.364626][ T5103] The buggy address belongs to the physical page:
[ 118.371038][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db
[ 118.380015][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 118.387336][ T5103] page_type: 0xffffefff(slab)
[ 118.392030][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000
[ 118.400896][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 118.409661][ T5103] page dumped because: kasan: bad access detected
[ 118.416079][ T5103] page_owner tracks the page as allocated
[ 118.421792][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838
[ 118.441290][ T5103] post_alloc_hook+0x2d1/0x350
[ 118.446094][ T5103] get_page_from_freelist+0x1353/0x2e50
[ 118.451676][ T5103] __alloc_pages_noprof+0x22b/0x2460
[ 118.457015][ T5103] alloc_slab_page+0x56/0x110
[ 118.461726][ T5103] new_slab+0x84/0x260
[ 118.466022][ T5103] ___slab_alloc+0xdac/0x1870
[ 118.470721][ T5103] __slab_alloc.constprop.0+0x56/0xb0
[ 118.476227][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310
[ 118.482069][ T5103] __alloc_skb+0x2b1/0x380
[ 118.486526][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280
[ 118.491840][ T5103] rtmsg_ifinfo+0x9f/0x1a0
[ 118.496631][ T5103] register_netdevice+0x1710/0x1cb0
[ 118.501949][ T5103] __ip_tunnel_create+0x4aa/0x690
[ 118.507004][ T5103] ip_tunnel_init_net+0x22a/0x780
[ 118.512149][ T5103] ops_init+0xbc/0x650
[ 118.516248][ T5103] setup_net+0x435/0xb40
[ 118.520594][ T5103] page last free pid 1 tgid 1 stack trace:
[ 118.526415][ T5103] free_unref_page+0x64a/0xe40
[ 118.531216][ T5103] free_contig_range+0xb6/0x1a0
[ 118.536108][ T5103] destroy_args+0xa4e/0xe20
[ 118.540914][ T5103] debug_vm_pgtable+0x1705/0x3280
[ 118.546002][ T5103] do_one_initcall+0x12b/0x700
[ 118.550802][ T5103] kernel_init_freeable+0x69d/0xca0
[ 118.556067][ T5103] kernel_init+0x1c/0x2b0
[ 118.560455][ T5103] ret_from_fork+0x48/0x80
[ 118.564912][ T5103] ret_from_fork_asm+0x1a/0x30
[ 118.569722][ T5103]
[ 118.572047][ T5103] Memory state around the buggy address:
[ 118.577687][ T5103] ffff8880632dba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 118.585779][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 118.593859][ T5103] >ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 118.601978][ T5103] ^
[ 118.608587][ T5103] ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 118.616688][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 118.624765][ T5103] ==================================================================
[ 118.637764][ T5103] ==================================================================
[ 118.645954][ T5103] BUG: KASAN: slab-use-after-free in skb_release_data+0x8dd/0x980
[ 118.654002][ T5103] Read of size 8 at addr ffff8880632dbc10 by task syz-executor/5103
[ 118.662409][ T5103]
[ 118.664757][ T5103] CPU: 0 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 118.676694][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 118.686825][ T5103] Call Trace:
[ 118.690135][ T5103]
[ 118.693088][ T5103] dump_stack_lvl+0x116/0x1f0
[ 118.697818][ T5103] print_report+0xc3/0x620
[ 118.699388][ T5093] chnl_net:caif_netlink_parms(): no params data found
[ 118.702391][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.714794][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.720479][ T5103] ? __phys_addr+0xc6/0x150
[ 118.725022][ T5103] kasan_report+0xd9/0x110
[ 118.729480][ T5103] ? skb_release_data+0x8dd/0x980
[ 118.734554][ T5103] ? skb_release_data+0x8dd/0x980
[ 118.739630][ T5103] skb_release_data+0x8dd/0x980
[ 118.744622][ T5103] kfree_skb_reason+0x12b/0x210
[ 118.749525][ T5103] __hci_req_sync+0x61d/0x980
[ 118.754256][ T5103] ? __pfx___hci_req_sync+0x10/0x10
[ 118.759499][ T5103] ? __mutex_lock+0x1a6/0x9c0
[ 118.764196][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10
[ 118.770279][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.775938][ T5103] ? hci_req_sync+0x3f/0xd0
[ 118.781004][ T5103] ? __pfx___might_resched+0x10/0x10
[ 118.786329][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.791973][ T5103] ? aa_get_newest_label+0x376/0x680
[ 118.797293][ T5103] hci_req_sync+0x97/0xd0
[ 118.801661][ T5103] ? __pfx_hci_scan_req+0x10/0x10
[ 118.806711][ T5103] hci_dev_cmd+0x634/0x960
[ 118.811149][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.816797][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10
[ 118.821757][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.827427][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.833121][ T5103] ? security_capable+0x98/0xd0
[ 118.838060][ T5103] hci_sock_ioctl+0x4f3/0x880
[ 118.842766][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.848619][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 118.853837][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 118.859834][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.865500][ T5103] sock_do_ioctl+0x119/0x280
[ 118.870116][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10
[ 118.875266][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.880935][ T5103] sock_ioctl+0x22e/0x6c0
[ 118.885289][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 118.890162][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.895824][ T5103] ? __fget_files+0x256/0x400
[ 118.900557][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.906745][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 118.912965][ T5103] __x64_sys_ioctl+0x196/0x220
[ 118.917779][ T5103] do_syscall_64+0xcd/0x250
[ 118.922307][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 118.928240][ T5103] RIP: 0033:0x7fb7bb9757db
[ 118.932700][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 118.952501][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 118.961036][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db
[ 118.969117][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003
[ 118.977098][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000
[ 118.985070][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[ 118.993067][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[ 119.001100][ T5103]
[ 119.004122][ T5103]
[ 119.006443][ T5103] Allocated by task 4486:
[ 119.010776][ T5103] kasan_save_stack+0x33/0x60
[ 119.015465][ T5103] kasan_save_track+0x14/0x30
[ 119.020163][ T5103] __kasan_slab_alloc+0x89/0x90
[ 119.025018][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0
[ 119.030484][ T5103] skb_clone+0x190/0x3f0
[ 119.034819][ T5103] hci_cmd_work+0x66a/0x710
[ 119.039335][ T5103] process_one_work+0x9c8/0x1b40
[ 119.044283][ T5103] worker_thread+0x6c8/0xf30
[ 119.048891][ T5103] kthread+0x2c4/0x3a0
[ 119.052977][ T5103] ret_from_fork+0x48/0x80
[ 119.057457][ T5103] ret_from_fork_asm+0x1a/0x30
[ 119.062255][ T5103]
[ 119.064759][ T5103] Freed by task 4486:
[ 119.068736][ T5103] kasan_save_stack+0x33/0x60
[ 119.073425][ T5103] kasan_save_track+0x14/0x30
[ 119.078105][ T5103] kasan_save_free_info+0x3b/0x60
[ 119.083146][ T5103] poison_slab_object+0xf7/0x160
[ 119.088103][ T5103] __kasan_slab_free+0x32/0x50
[ 119.092958][ T5103] kmem_cache_free+0x12f/0x3a0
[ 119.097927][ T5103] kfree_skbmem+0x10e/0x200
[ 119.102452][ T5103] kfree_skb_reason+0x138/0x210
[ 119.107316][ T5103] hci_req_sync_complete+0x16c/0x270
[ 119.112617][ T5103] hci_event_packet+0x966/0x1170
[ 119.117581][ T5103] hci_rx_work+0x2c4/0x1610
[ 119.122209][ T5103] process_one_work+0x9c8/0x1b40
[ 119.127158][ T5103] worker_thread+0x6c8/0xf30
[ 119.131757][ T5103] kthread+0x2c4/0x3a0
[ 119.135859][ T5103] ret_from_fork+0x48/0x80
[ 119.140758][ T5103] ret_from_fork_asm+0x1a/0x30
[ 119.145546][ T5103]
[ 119.147866][ T5103] The buggy address belongs to the object at ffff8880632dbb40
[ 119.147866][ T5103] which belongs to the cache skbuff_head_cache of size 240
[ 119.162445][ T5103] The buggy address is located 208 bytes inside of
[ 119.162445][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30)
[ 119.176471][ T5103]
[ 119.178858][ T5103] The buggy address belongs to the physical page:
[ 119.185371][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db
[ 119.194257][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 119.201425][ T5103] page_type: 0xffffefff(slab)
[ 119.206235][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000
[ 119.214837][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 119.223461][ T5103] page dumped because: kasan: bad access detected
[ 119.229982][ T5103] page_owner tracks the page as allocated
[ 119.235695][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838
[ 119.255124][ T5103] post_alloc_hook+0x2d1/0x350
[ 119.259954][ T5103] get_page_from_freelist+0x1353/0x2e50
[ 119.265608][ T5103] __alloc_pages_noprof+0x22b/0x2460
[ 119.270912][ T5103] alloc_slab_page+0x56/0x110
[ 119.275614][ T5103] new_slab+0x84/0x260
[ 119.279703][ T5103] ___slab_alloc+0xdac/0x1870
[ 119.284405][ T5103] __slab_alloc.constprop.0+0x56/0xb0
[ 119.289782][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310
[ 119.295609][ T5103] __alloc_skb+0x2b1/0x380
[ 119.300158][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280
[ 119.305473][ T5103] rtmsg_ifinfo+0x9f/0x1a0
[ 119.309892][ T5103] register_netdevice+0x1710/0x1cb0
[ 119.315278][ T5103] __ip_tunnel_create+0x4aa/0x690
[ 119.320360][ T5103] ip_tunnel_init_net+0x22a/0x780
[ 119.325396][ T5103] ops_init+0xbc/0x650
[ 119.329472][ T5103] setup_net+0x435/0xb40
[ 119.333721][ T5103] page last free pid 1 tgid 1 stack trace:
[ 119.339536][ T5103] free_unref_page+0x64a/0xe40
[ 119.344315][ T5103] free_contig_range+0xb6/0x1a0
[ 119.349177][ T5103] destroy_args+0xa4e/0xe20
[ 119.353696][ T5103] debug_vm_pgtable+0x1705/0x3280
[ 119.358741][ T5103] do_one_initcall+0x12b/0x700
[ 119.363719][ T5103] kernel_init_freeable+0x69d/0xca0
[ 119.368943][ T5103] kernel_init+0x1c/0x2b0
[ 119.373293][ T5103] ret_from_fork+0x48/0x80
[ 119.377728][ T5103] ret_from_fork_asm+0x1a/0x30
[ 119.382521][ T5103]
[ 119.384834][ T5103] Memory state around the buggy address:
[ 119.390455][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 119.398515][ T5103] ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 119.406575][ T5103] >ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 119.414628][ T5103]                       ^
[ 119.419210][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 119.427407][ T5103] ffff8880632dbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 119.435477][ T5103] ==================================================================
[ 119.444321][ T4486] Bluetooth: hci0: command tx timeout
[ 119.449811][ T5103] ==================================================================
[ 119.452569][ T5090] bridge0: port 1(bridge_slave_0) entered blocking state
[ 119.457865][ T5103] BUG: KASAN: slab-use-after-free in skb_release_data+0x857/0x980
[ 119.457924][ T5103] Read of size 4 at addr ffff8880632dbc0c by task syz-executor/5103
[ 119.457956][ T5103]
[ 119.457967][ T5103] CPU: 0 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 119.458013][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 119.458037][ T5103] Call Trace:
[ 119.458051][ T5103] <TASK>
[ 119.458065][ T5103] dump_stack_lvl+0x116/0x1f0
[ 119.458115][ T5103] print_report+0xc3/0x620
[ 119.458158][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 119.458204][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 119.458248][ T5103] ? __phys_addr+0xc6/0x150
[ 119.536657][ T5103] kasan_report+0xd9/0x110
[ 119.541137][ T5103] ? skb_release_data+0x857/0x980
[ 119.546198][ T5103] ? skb_release_data+0x857/0x980
[ 119.551285][ T5103] skb_release_data+0x857/0x980
[ 119.556175][ T5103] kfree_skb_reason+0x12b/0x210
[ 119.561060][ T5103] __hci_req_sync+0x61d/0x980
[ 119.565798][ T5103] ? __pfx___hci_req_sync+0x10/0x10
[ 119.571030][ T5103] ? __mutex_lock+0x1a6/0x9c0
[ 119.575741][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10
[ 119.581853][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 119.587515][ T5103] ? hci_req_sync+0x3f/0xd0
[ 119.592141][ T5103] ? __pfx___might_resched+0x10/0x10
[ 119.597466][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 119.603131][ T5103] ? aa_get_newest_label+0x376/0x680
[ 119.608469][ T5103] hci_req_sync+0x97/0xd0
[ 119.612930][ T5103] ? __pfx_hci_scan_req+0x10/0x10
[ 119.617995][ T5103] hci_dev_cmd+0x634/0x960
[ 119.622451][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 119.628286][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10
[ 119.633261][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 119.639007][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 119.645099][ T5103] ? security_capable+0x98/0xd0
[ 119.650030][ T5103] hci_sock_ioctl+0x4f3/0x880
[ 119.654737][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 119.660408][ T5103] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 119.665639][ T5103] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 119.671650][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 119.677321][ T5103] sock_do_ioctl+0x119/0x280
[ 119.682057][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10
[ 119.687219][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 119.692993][ T5103] sock_ioctl+0x22e/0x6c0
[ 119.697370][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 119.702268][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 119.707957][ T5103] ? __fget_files+0x256/0x400
[ 119.712703][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 119.718371][ T5103] ? __pfx_sock_ioctl+0x10/0x10
[ 119.723294][ T5103] __x64_sys_ioctl+0x196/0x220
[ 119.728189][ T5103] do_syscall_64+0xcd/0x250
[ 119.732825][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 119.738766][ T5103] RIP: 0033:0x7fb7bb9757db
[ 119.743199][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 119.762843][ T5103] RSP: 002b:00007fffd72953f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 119.771304][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7bb9757db
[ 119.779300][ T5103] RDX: 00007fffd7295468 RSI: 00000000400448dd RDI: 0000000000000003
[ 119.787290][ T5103] RBP: 000055558dc304a8 R08: 0000000000000000 R09: 0000000000000000
[ 119.795280][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000005
[ 119.803464][ T5103] R13: 0000000000000005 R14: 0000000000000009 R15: 0000000000000009
[ 119.811577][ T5103] </TASK>
[ 119.814722][ T5103]
[ 119.817056][ T5103] Allocated by task 4486:
[ 119.821509][ T5103] kasan_save_stack+0x33/0x60
[ 119.826233][ T5103] kasan_save_track+0x14/0x30
[ 119.831033][ T5103] __kasan_slab_alloc+0x89/0x90
[ 119.835927][ T5103] kmem_cache_alloc_noprof+0x121/0x2f0
[ 119.841431][ T5103] skb_clone+0x190/0x3f0
[ 119.845735][ T5103] hci_cmd_work+0x66a/0x710
[ 119.850270][ T5103] process_one_work+0x9c8/0x1b40
[ 119.855363][ T5103] worker_thread+0x6c8/0xf30
[ 119.860038][ T5103] kthread+0x2c4/0x3a0
[ 119.864347][ T5103] ret_from_fork+0x48/0x80
[ 119.868811][ T5103] ret_from_fork_asm+0x1a/0x30
[ 119.873711][ T5103]
[ 119.876038][ T5103] Freed by task 4486:
[ 119.880024][ T5103] kasan_save_stack+0x33/0x60
[ 119.884718][ T5103] kasan_save_track+0x14/0x30
[ 119.889413][ T5103] kasan_save_free_info+0x3b/0x60
[ 119.894474][ T5103] poison_slab_object+0xf7/0x160
[ 119.899455][ T5103] __kasan_slab_free+0x32/0x50
[ 119.904325][ T5103] kmem_cache_free+0x12f/0x3a0
[ 119.909110][ T5103] kfree_skbmem+0x10e/0x200
[ 119.913654][ T5103] kfree_skb_reason+0x138/0x210
[ 119.918535][ T5103] hci_req_sync_complete+0x16c/0x270
[ 119.923852][ T5103] hci_event_packet+0x966/0x1170
[ 119.928813][ T5103] hci_rx_work+0x2c4/0x1610
[ 119.933348][ T5103] process_one_work+0x9c8/0x1b40
[ 119.938352][ T5103] worker_thread+0x6c8/0xf30
[ 119.942971][ T5103] kthread+0x2c4/0x3a0
[ 119.947078][ T5103] ret_from_fork+0x48/0x80
[ 119.951530][ T5103] ret_from_fork_asm+0x1a/0x30
[ 119.956332][ T5103]
[ 119.958660][ T5103] The buggy address belongs to the object at ffff8880632dbb40
[ 119.958660][ T5103] which belongs to the cache skbuff_head_cache of size 240
[ 119.973623][ T5103] The buggy address is located 204 bytes inside of
[ 119.973623][ T5103] freed 240-byte region [ffff8880632dbb40, ffff8880632dbc30)
[ 119.987465][ T5103]
[ 119.989793][ T5103] The buggy address belongs to the physical page:
[ 119.996209][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632db
[ 120.004983][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 120.012283][ T5103] page_type: 0xffffefff(slab)
[ 120.016980][ T5103] raw: 00fff00000000000 ffff888018edc780 dead000000000122 0000000000000000
[ 120.025585][ T5103] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 120.034194][ T5103] page dumped because: kasan: bad access detected
[ 120.040609][ T5103] page_owner tracks the page as allocated
[ 120.046326][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5097, tgid 5097 (syz-executor), ts 110413636297, free_ts 37146400838
[ 120.065744][ T5103] post_alloc_hook+0x2d1/0x350
[ 120.070635][ T5103] get_page_from_freelist+0x1353/0x2e50
[ 120.076244][ T5103] __alloc_pages_noprof+0x22b/0x2460
[ 120.081568][ T5103] alloc_slab_page+0x56/0x110
[ 120.086280][ T5103] new_slab+0x84/0x260
[ 120.090384][ T5103] ___slab_alloc+0xdac/0x1870
[ 120.095078][ T5103] __slab_alloc.constprop.0+0x56/0xb0
[ 120.100481][ T5103] kmem_cache_alloc_node_noprof+0xed/0x310
[ 120.106654][ T5103] __alloc_skb+0x2b1/0x380
[ 120.112306][ T5103] rtmsg_ifinfo_build_skb+0x81/0x280
[ 120.117709][ T5103] rtmsg_ifinfo+0x9f/0x1a0
[ 120.122147][ T5103] register_netdevice+0x1710/0x1cb0
[ 120.127371][ T5103] __ip_tunnel_create+0x4aa/0x690
[ 120.132420][ T5103] ip_tunnel_init_net+0x22a/0x780
[ 120.137485][ T5103] ops_init+0xbc/0x650
[ 120.141575][ T5103] setup_net+0x435/0xb40
[ 120.145849][ T5103] page last free pid 1 tgid 1 stack trace:
[ 120.151659][ T5103] free_unref_page+0x64a/0xe40
[ 120.156458][ T5103] free_contig_range+0xb6/0x1a0
[ 120.161427][ T5103] destroy_args+0xa4e/0xe20
[ 120.165967][ T5103] debug_vm_pgtable+0x1705/0x3280
[ 120.171031][ T5103] do_one_initcall+0x12b/0x700
[ 120.175841][ T5103] kernel_init_freeable+0x69d/0xca0
[ 120.181187][ T5103] kernel_init+0x1c/0x2b0
[ 120.185561][ T5103] ret_from_fork+0x48/0x80
[ 120.190019][ T5103] ret_from_fork_asm+0x1a/0x30
[ 120.194823][ T5103]
[ 120.197148][ T5103] Memory state around the buggy address:
[ 120.202778][ T5103] ffff8880632dbb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 120.210851][ T5103] ffff8880632dbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 120.218922][ T5103] >ffff8880632dbc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 120.226987][ T5103]                          ^
[ 120.231317][ T5103] ffff8880632dbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 120.239388][ T5103] ffff8880632dbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 120.247453][ T5103] ==================================================================
[ 120.256024][ T4486] Bluetooth: hci3: command tx timeout
[ 120.258181][ T5090] bridge0: port 1(bridge_slave_0) entered disabled state
[ 120.261423][ T4486] Bluetooth: hci4: command tx timeout
[ 120.268691][ T5090] bridge_slave_0: entered allmulticast mode
[ 120.273978][ T4486] Bluetooth: hci2: command tx timeout
[ 120.286030][ T5090] bridge_slave_0: entered promiscuous mode
[ 120.326835][ T5103] ==================================================================
[ 120.335144][ T5103] BUG: KASAN: slab-use-after-free in skb_free_head+0x1ae/0x1d0
[ 120.342818][ T5103] Read of size 8 at addr ffff8880632dbc10 by task syz-executor/5103
[ 120.350822][ T5103]
[ 120.353159][ T5103] CPU: 1 PID: 5103 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 120.364879][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 120.374949][ T5103] Call Trace:
[ 120.378230][ T5103] <TASK>
[ 120.381828][ T5103] dump_stack_lvl+0x116/0x1f0
[ 120.386537][ T5103] print_report+0xc3/0x620
[ 120.390964][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 120.396621][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 120.402293][ T5103] ? __phys_addr+0xc6/0x150
[ 120.406813][ T5103] kasan_report+0xd9/0x110
[ 120.411245][ T5103] ? skb_free_head+0x1ae/0x1d0
[ 120.416017][ T5103] ? skb_free_head+0x1ae/0x1d0
[ 120.420793][ T5103] skb_free_head+0x1ae/0x1d0
[ 120.425499][ T5103] skb_release_data+0x75c/0x980
[ 120.430394][ T5103] kfree_skb_reason+0x12b/0x210
[ 120.435330][ T5103] __hci_req_sync+0x61d/0x980
[ 120.440169][ T5103] ? __pfx___hci_req_sync+0x10/0x10
[ 120.445544][ T5103] ? __mutex_lock+0x1a6/0x9c0
[ 120.450739][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10
[ 120.456863][ T5103] ? srso_alias_return_thunk+0x5/0xfbef5
[ 120.462528][ T5103] ? hci_req_sync+0x3f/0xd0
[ 120.467157][ T5103] ? __pfx___might_resched+0x10/0x10