Warning: Permanently added '10.128.1.34' (ED25519) to the list of known hosts.
[ 541.340250][ T5130] cgroup: Unknown subsys name 'net'
[ 541.478180][ T5130] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 543.140181][ T5130] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 543.208269][ T5150] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 543.218484][ T5150] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 543.220190][ T5149] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 543.226420][ T5150] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 543.234563][ T5149] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 543.242546][ T5150] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 543.248261][ T5149] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 543.254621][ T5150] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 543.263347][ T5149] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 543.269630][ T5150] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 543.282341][ T5149] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 543.282937][ T5150] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 543.292201][ T5149] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 543.298090][ T5150] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 543.303955][ T5152] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 543.311164][ T5150] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 543.320817][ T5152] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 543.333673][ T5149] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 543.334969][ T5150] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 543.341662][ T5149] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 543.348882][ T5150] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 543.359789][ T5149] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 543.363267][ T5150] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 543.369639][ T5149] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 543.377581][ T5150] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 543.392053][ T5150] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 543.399874][ T5150] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 543.407119][ T5153] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 543.415733][ T5150] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 543.422719][ T5149] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 543.438069][ T5134] ==================================================================
[ 543.446186][ T5134] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x41/0x3b0
[ 543.453977][ T5134] Read of size 4 at addr ffff8880240a8d64 by task syz-executor144/5134
[ 543.462251][ T5134]
[ 543.464608][ T5134] CPU: 1 PID: 5134 Comm: syz-executor144 Not tainted 6.10.0-rc3-syzkaller #0
[ 543.473428][ T5134] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 543.483522][ T5134] Call Trace:
[ 543.486830][ T5134]
[ 543.489786][ T5134] dump_stack_lvl+0x241/0x360
[ 543.494508][ T5134] ? __pfx_dump_stack_lvl+0x10/0x10
[ 543.499748][ T5134] ? __pfx__printk+0x10/0x10
[ 543.504382][ T5134] ? _printk+0xd5/0x120
[ 543.508661][ T5134] ? __virt_addr_valid+0x183/0x520
[ 543.513817][ T5134] ? __virt_addr_valid+0x183/0x520
[ 543.519017][ T5134] print_report+0x169/0x550
[ 543.523644][ T5134] ? __virt_addr_valid+0x183/0x520
[ 543.528802][ T5134] ? __virt_addr_valid+0x183/0x520
[ 543.533967][ T5134] ? __virt_addr_valid+0x44e/0x520
[ 543.539128][ T5134] ? __phys_addr+0xba/0x170
[ 543.543681][ T5134] ? kfree_skb_reason+0x41/0x3b0
[ 543.548668][ T5134] kasan_report+0x143/0x180
[ 543.553194][ T5134] ? kfree_skb_reason+0x41/0x3b0
[ 543.558142][ T5134] kasan_check_range+0x282/0x290
[ 543.563098][ T5134] kfree_skb_reason+0x41/0x3b0
[ 543.567871][ T5134] __hci_req_sync+0x62f/0x950
[ 543.572560][ T5134] ? __pfx___hci_req_sync+0x10/0x10
[ 543.577774][ T5134] ? __pfx___mutex_lock+0x10/0x10
[ 543.582803][ T5134] ? __pfx_autoremove_wake_function+0x10/0x10
[ 543.588882][ T5134] ? __pfx_hci_scan_req+0x10/0x10
[ 543.593934][ T5134] hci_req_sync+0xa9/0xd0
[ 543.598277][ T5134] hci_dev_cmd+0x4c5/0xa50
[ 543.602704][ T5134] ? security_capable+0x90/0xb0
[ 543.607624][ T5134] ? __pfx_hci_dev_cmd+0x10/0x10
[ 543.612576][ T5134] ? hci_sock_ioctl+0x6c4/0xa40
[ 543.617438][ T5134] sock_do_ioctl+0x158/0x460
[ 543.622076][ T5134] ? __pfx_sock_do_ioctl+0x10/0x10
[ 543.627217][ T5134] sock_ioctl+0x629/0x8e0
[ 543.631554][ T5134] ? __pfx_sock_ioctl+0x10/0x10
[ 543.636419][ T5134] ? __fget_files+0x29/0x470
[ 543.641021][ T5134] ? __fget_files+0x3f6/0x470
[ 543.645704][ T5134] ? __fget_files+0x29/0x470
[ 543.650313][ T5134] ? bpf_lsm_file_ioctl+0x9/0x10
[ 543.655261][ T5134] ? security_file_ioctl+0x87/0xb0
[ 543.660416][ T5134] ? __pfx_sock_ioctl+0x10/0x10
[ 543.665275][ T5134] __se_sys_ioctl+0xfc/0x170
[ 543.669879][ T5134] do_syscall_64+0xf3/0x230
[ 543.674418][ T5134] ? clear_bhb_loop+0x35/0x90
[ 543.679106][ T5134] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 543.685036][ T5134] RIP: 0033:0x7f0896a9840b
[ 543.689468][ T5134] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 543.709080][ T5134] RSP: 002b:00007fff95ecb1a0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 543.717508][ T5134] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f0896a9840b
[ 543.725597][ T5134] RDX: 00007fff95ecb2d0 RSI: 00000000400448dd RDI: 0000000000000003
[ 543.733876][ T5134] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
[ 543.743446][ T5134] R10: 0000000000000008 R11: 0000000000000246 R12: 6c616b7a79732f2e
[ 543.751779][ T5134] R13: 585858582e72656c R14: 0000000000000002 R15: 00007fff95ecb450
[ 543.759771][ T5134]
[ 543.762878][ T5134]
[ 543.765203][ T5134] Allocated by task 5142:
[ 543.769527][ T5134] kasan_save_track+0x3f/0x80
[ 543.774235][ T5134] __kasan_slab_alloc+0x66/0x80
[ 543.779096][ T5134] kmem_cache_alloc_noprof+0x135/0x2a0
[ 543.784695][ T5134] skb_clone+0x20c/0x390
[ 543.788953][ T5134] hci_cmd_work+0x29e/0x670
[ 543.793462][ T5134] process_scheduled_works+0xa2c/0x1830
[ 543.799030][ T5134] worker_thread+0x86d/0xd70
[ 543.803652][ T5134] kthread+0x2f0/0x390
[ 543.807731][ T5134] ret_from_fork+0x4b/0x80
[ 543.812162][ T5134] ret_from_fork_asm+0x1a/0x30
[ 543.816932][ T5134]
[ 543.819251][ T5134] Freed by task 5150:
[ 543.823228][ T5134] kasan_save_track+0x3f/0x80
[ 543.827921][ T5134] kasan_save_free_info+0x40/0x50
[ 543.832949][ T5134] poison_slab_object+0xe0/0x150
[ 543.837894][ T5134] __kasan_slab_free+0x37/0x60
[ 543.842662][ T5134] kmem_cache_free+0x145/0x350
[ 543.847451][ T5134] hci_req_sync_complete+0xe7/0x290
[ 543.853017][ T5134] hci_event_packet+0xc71/0x1540
[ 543.857961][ T5134] hci_rx_work+0x3e8/0xca0
[ 543.862473][ T5134] process_scheduled_works+0xa2c/0x1830
[ 543.868020][ T5134] worker_thread+0x86d/0xd70
[ 543.872615][ T5134] kthread+0x2f0/0x390
[ 543.876776][ T5134] ret_from_fork+0x4b/0x80
[ 543.881210][ T5134] ret_from_fork_asm+0x1a/0x30
[ 543.885990][ T5134]
[ 543.888321][ T5134] The buggy address belongs to the object at ffff8880240a8c80
[ 543.888321][ T5134] which belongs to the cache skbuff_head_cache of size 240
[ 543.903075][ T5134] The buggy address is located 228 bytes inside of
[ 543.903075][ T5134] freed 240-byte region [ffff8880240a8c80, ffff8880240a8d70)
[ 543.917419][ T5134]
[ 543.919745][ T5134] The buggy address belongs to the physical page:
[ 543.927250][ T5134] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x240a8
[ 543.937066][ T5134] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 543.945517][ T5134] page_type: 0xffffefff(slab)
[ 543.951438][ T5134] raw: 00fff00000000000 ffff888018ad3780 dead000000000122 0000000000000000
[ 543.960573][ T5134] raw: 0000000000000000 00000000800c000c 00000001ffffefff 0000000000000000
[ 543.969986][ T5134] page dumped because: kasan: bad access detected
[ 543.976730][ T5134] page_owner tracks the page as allocated
[ 543.982634][ T5134] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5133, tgid 5133 (udevd), ts 543429373519, free_ts 543278055115
[ 544.003499][ T5134] post_alloc_hook+0x1f3/0x230
[ 544.008451][ T5134] get_page_from_freelist+0x2e43/0x2f00
[ 544.014010][ T5134] __alloc_pages_noprof+0x256/0x6c0
[ 544.019308][ T5134] alloc_slab_page+0x5f/0x120
[ 544.024079][ T5134] allocate_slab+0x5a/0x2f0
[ 544.028588][ T5134] ___slab_alloc+0xcd1/0x14b0
[ 544.033295][ T5134] __slab_alloc+0x58/0xa0
[ 544.037682][ T5134] kmem_cache_alloc_node_noprof+0x1fe/0x320
[ 544.043641][ T5134] __alloc_skb+0x1c3/0x440
[ 544.048101][ T5134] alloc_skb_with_frags+0xc3/0x770
[ 544.053505][ T5134] sock_alloc_send_pskb+0x91a/0xa60
[ 544.059003][ T5134] unix_dgram_sendmsg+0x6d3/0x1f80
[ 544.064166][ T5134] __sock_sendmsg+0x221/0x270
[ 544.069227][ T5134] sock_write_iter+0x2dd/0x400
[ 544.074301][ T5134] vfs_write+0xa72/0xc90
[ 544.078660][ T5134] ksys_write+0x1a0/0x2c0
[ 544.083087][ T5134] page last free pid 5133 tgid 5133 stack trace:
[ 544.089761][ T5134] free_unref_page+0xd22/0xea0
[ 544.094722][ T5134] __put_partials+0xeb/0x130
[ 544.099778][ T5134] put_cpu_partial+0x17c/0x250
[ 544.104603][ T5134] __slab_free+0x2ea/0x3d0
[ 544.109042][ T5134] qlist_free_all+0x9e/0x140
[ 544.113670][ T5134] kasan_quarantine_reduce+0x14f/0x170
[ 544.119587][ T5134] __kasan_slab_alloc+0x23/0x80
[ 544.124708][ T5134] __kmalloc_node_noprof+0x1d2/0x440
[ 544.130699][ T5134] kvmalloc_node_noprof+0x72/0x190
[ 544.135811][ T5134] seq_read_iter+0x202/0xd60
[ 544.140414][ T5134] vfs_read+0x9c4/0xbd0
[ 544.144576][ T5134] ksys_read+0x1a0/0x2c0
[ 544.148836][ T5134] do_syscall_64+0xf3/0x230
[ 544.153608][ T5134] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 544.159921][ T5134]
[ 544.162360][ T5134] Memory state around the buggy address:
[ 544.168015][ T5134] ffff8880240a8c00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 544.176190][ T5134] ffff8880240a8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 544.184255][ T5134] >ffff8880240a8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 544.192402][ T5134] ^
[ 544.199714][ T5134] ffff8880240a8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 544.207796][ T5134] ffff8880240a8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 544.215860][ T5134] ==================================================================
[ 544.274553][ T5134] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 544.282250][ T5134] CPU: 0 PID: 5134 Comm: syz-executor144 Not tainted 6.10.0-rc3-syzkaller #0
[ 544.291154][ T5134] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 544.301335][ T5134] Call Trace:
[ 544.304650][ T5134]
[ 544.307615][ T5134] dump_stack_lvl+0x241/0x360
[ 544.312508][ T5134] ? __pfx_dump_stack_lvl+0x10/0x10
[ 544.317771][ T5134] ? __pfx__printk+0x10/0x10
[ 544.322413][ T5134] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 544.329138][ T5134] ? vscnprintf+0x5d/0x90
[ 544.333525][ T5134] panic+0x349/0x860
[ 544.337554][ T5134] ? check_panic_on_warn+0x21/0xb0
[ 544.342867][ T5134] ? __pfx_panic+0x10/0x10
[ 544.347680][ T5134] ? _raw_spin_unlock_irqrestore+0x130/0x140
[ 544.353936][ T5134] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 544.360752][ T5134] check_panic_on_warn+0x86/0xb0
[ 544.366389][ T5134] ? kfree_skb_reason+0x41/0x3b0
[ 544.371375][ T5134] end_report+0x77/0x160
[ 544.375792][ T5134] kasan_report+0x154/0x180
[ 544.380437][ T5134] ? kfree_skb_reason+0x41/0x3b0
[ 544.385412][ T5134] kasan_check_range+0x282/0x290
[ 544.390477][ T5134] kfree_skb_reason+0x41/0x3b0
[ 544.395277][ T5134] __hci_req_sync+0x62f/0x950
[ 544.400002][ T5134] ? __pfx___hci_req_sync+0x10/0x10
[ 544.405327][ T5134] ? __pfx___mutex_lock+0x10/0x10
[ 544.410408][ T5134] ? __pfx_autoremove_wake_function+0x10/0x10
[ 544.416588][ T5134] ? __pfx_hci_scan_req+0x10/0x10
[ 544.421660][ T5134] hci_req_sync+0xa9/0xd0
[ 544.426040][ T5134] hci_dev_cmd+0x4c5/0xa50
[ 544.430490][ T5134] ? security_capable+0x90/0xb0
[ 544.435357][ T5134] ? __pfx_hci_dev_cmd+0x10/0x10
[ 544.440309][ T5134] ? hci_sock_ioctl+0x6c4/0xa40
[ 544.445175][ T5134] sock_do_ioctl+0x158/0x460
[ 544.449893][ T5134] ? __pfx_sock_do_ioctl+0x10/0x10
[ 544.455403][ T5134] sock_ioctl+0x629/0x8e0
[ 544.459860][ T5134] ? __pfx_sock_ioctl+0x10/0x10
[ 544.464744][ T5134] ? __fget_files+0x29/0x470
[ 544.469456][ T5134] ? __fget_files+0x3f6/0x470
[ 544.474179][ T5134] ? __fget_files+0x29/0x470
[ 544.478962][ T5134] ? bpf_lsm_file_ioctl+0x9/0x10
[ 544.483993][ T5134] ? security_file_ioctl+0x87/0xb0
[ 544.489111][ T5134] ? __pfx_sock_ioctl+0x10/0x10
[ 544.494349][ T5134] __se_sys_ioctl+0xfc/0x170
[ 544.499164][ T5134] do_syscall_64+0xf3/0x230
[ 544.507811][ T5134] ? clear_bhb_loop+0x35/0x90
[ 544.512766][ T5134] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 544.518681][ T5134] RIP: 0033:0x7f0896a9840b
[ 544.523921][ T5134] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 544.544547][ T5134] RSP: 002b:00007fff95ecb1a0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 544.553820][ T5134] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f0896a9840b
[ 544.563995][ T5134] RDX: 00007fff95ecb2d0 RSI: 00000000400448dd RDI: 0000000000000003
[ 544.572354][ T5134] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
[ 544.580426][ T5134] R10: 0000000000000008 R11: 0000000000000246 R12: 6c616b7a79732f2e
[ 544.588754][ T5134] R13: 585858582e72656c R14: 0000000000000002 R15: 00007fff95ecb450
[ 544.597395][ T5134]
[ 544.600714][ T5134] Kernel Offset: disabled
[ 544.605357][ T5134] Rebooting in 86400 seconds..