last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.0.103' (ED25519) to the list of known hosts.
1970/01/01 00:00:35 fuzzer started
1970/01/01 00:00:35 dialing manager at 10.128.0.163:30026
[ 36.201068][ T4227] cgroup: Unknown subsys name 'net'
[ 36.288948][ T4233] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k SSFS
[ 36.478809][ T4227] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:00:36 starting 5 executor processes
[ 37.227926][ T4252] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 37.238777][ T4255] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 37.242307][ T4258] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 37.244806][ T4258] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 37.247970][ T4263] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 37.248066][ T4261] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 37.250734][ T4263] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 37.253131][ T4261] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 37.255199][ T4263] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 37.256393][ T4261] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 37.258628][ T4263] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 37.260463][ T4264] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 37.264175][ T4263] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 37.264832][ T4264] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 37.266899][ T4263] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 37.268150][ T4264] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 37.270236][ T4263] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 37.273217][ T4265] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 37.274484][ T4263] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 37.277595][ T4265] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 37.277678][ T4261] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 37.279976][ T4265] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 37.281567][ T4261] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 37.284393][ T4265] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 37.285858][ T4261] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 37.288297][ T4263] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 37.290134][ T4265] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 37.293230][ T4252] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 37.308121][ T47] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 37.326660][ T47] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 37.329425][ T4257] ==================================================================
[ 37.331530][ T4257] BUG: KASAN: use-after-free in skb_release_data+0x5a4/0x6b0
[ 37.333464][ T4257] Read of size 1 at addr ffff0000edfc907e by task syz-executor.2/4257
[ 37.335632][ T4257]
[ 37.336224][ T4257] CPU: 0 PID: 4257 Comm: syz-executor.2 Not tainted 6.1.93-syzkaller #0
[ 37.338426][ T4257] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 37.341122][ T4257] Call trace:
[ 37.342012][ T4257]  dump_backtrace+0x1c8/0x1f4
[ 37.343280][ T4257]  show_stack+0x2c/0x3c
[ 37.344370][ T4257]  dump_stack_lvl+0x108/0x170
[ 37.345608][ T4257]  print_report+0x174/0x4c0
[ 37.346877][ T4257]  kasan_report+0xd4/0x130
[ 37.348023][ T4257]  __asan_report_load1_noabort+0x2c/0x38
[ 37.349616][ T4257]  skb_release_data+0x5a4/0x6b0
[ 37.350909][ T4257]  kfree_skb_reason+0x1a4/0x47c
[ 37.352243][ T4257]  __hci_req_sync+0x4fc/0x7ac
[ 37.353501][ T4257]  hci_req_sync+0xa4/0xd0
[ 37.354628][ T4257]  hci_dev_cmd+0x330/0x90c
[ 37.355785][ T4257]  hci_sock_ioctl+0x4b8/0x82c
[ 37.357076][ T4257]  sock_do_ioctl+0x134/0x2dc
[ 37.358391][ T4257]  sock_ioctl+0x4ec/0x858
[ 37.359624][ T4257]  __arm64_sys_ioctl+0x14c/0x1c8
[ 37.360992][ T4257]  invoke_syscall+0x98/0x2c0
[ 37.362245][ T4257]  el0_svc_common+0x138/0x258
[ 37.363521][ T4257]  do_el0_svc+0x64/0x218
[ 37.364689][ T4257]  el0_svc+0x58/0x168
[ 37.365784][ T4257]  el0t_64_sync_handler+0x84/0xf0
[ 37.367160][ T4257]  el0t_64_sync+0x18c/0x190
[ 37.368375][ T4257]
[ 37.369011][ T4257] Allocated by task 4255:
[ 37.370193][ T4257]  kasan_set_track+0x4c/0x80
[ 37.371381][ T4257]  kasan_save_alloc_info+0x24/0x30
[ 37.372842][ T4257]  __kasan_slab_alloc+0x74/0x8c
[ 37.374127][ T4257]  slab_post_alloc_hook+0x74/0x458
[ 37.375476][ T4257]  kmem_cache_alloc+0x230/0x37c
[ 37.376852][ T4257]  skb_clone+0x19c/0x304
[ 37.378073][ T4257]  hci_cmd_work+0x174/0x568
[ 37.379285][ T4257]  process_one_work+0x7ac/0x1404
[ 37.380612][ T4257]  worker_thread+0x8e4/0xfec
[ 37.381896][ T4257]  kthread+0x250/0x2d8
[ 37.382957][ T4257]  ret_from_fork+0x10/0x20
[ 37.384189][ T4257]
[ 37.384802][ T4257] Freed by task 47:
[ 37.385865][ T4257]  kasan_set_track+0x4c/0x80
[ 37.387169][ T4257]  kasan_save_free_info+0x38/0x5c
[ 37.388542][ T4257]  ____kasan_slab_free+0x144/0x1c0
[ 37.389914][ T4257]  __kasan_slab_free+0x18/0x28
[ 37.391191][ T4257]  kmem_cache_free+0x2f0/0x588
[ 37.392484][ T4257]  kfree_skbmem+0x10c/0x19c
[ 37.393694][ T4257]  kfree_skb_reason+0x1ac/0x47c
[ 37.394976][ T4257]  hci_req_sync_complete+0xcc/0x258
[ 37.396395][ T4257]  hci_event_packet+0xbd4/0x109c
[ 37.397753][ T4257]  hci_rx_work+0x318/0xa68
[ 37.399006][ T4257]  process_one_work+0x7ac/0x1404
[ 37.400361][ T4257]  worker_thread+0x8e4/0xfec
[ 37.401635][ T4257]  kthread+0x250/0x2d8
[ 37.402742][ T4257]  ret_from_fork+0x10/0x20
[ 37.403980][ T4257]
[ 37.404612][ T4257] The buggy address belongs to the object at ffff0000edfc9000
[ 37.404612][ T4257]  which belongs to the cache skbuff_head_cache of size 240
[ 37.408550][ T4257] The buggy address is located 126 bytes inside of
[ 37.408550][ T4257]  240-byte region [ffff0000edfc9000, ffff0000edfc90f0)
[ 37.412135][ T4257]
[ 37.412754][ T4257] The buggy address belongs to the physical page:
[ 37.414544][ T4257] page:0000000024b5f3a9 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12dfc9
[ 37.417322][ T4257] flags: 0x5ffc00000000200(slab|node=0|zone=2|lastcpupid=0x7ff)
[ 37.419430][ T4257] raw: 05ffc00000000200 0000000000000000 dead000000000122 ffff0000c0b72600
[ 37.421765][ T4257] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 37.424144][ T4257] page dumped because: kasan: bad access detected
[ 37.425859][ T4257]
[ 37.426479][ T4257] Memory state around the buggy address:
[ 37.427978][ T4257]  ffff0000edfc8f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.430235][ T4257]  ffff0000edfc8f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.432401][ T4257] >ffff0000edfc9000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.434560][ T4257]                                                                 ^
[ 37.436432][ T4257]  ffff0000edfc9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 37.438324][ T4257]  ffff0000edfc9100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 37.440452][ T4257] ==================================================================
1970/01/01 00:00:37 SYZFATAL: failed to recv *flatrpc.HostMessageRaw: EOF
[ 37.443438][ T4257] Disabling lock debugging due to kernel taint
[ 37.552729][ T4248] chnl_net:caif_netlink_parms(): no params data found