last executing test programs: kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.1.62' (ED25519) to the list of known hosts.
1970/01/01 00:00:28 fuzzer started
1970/01/01 00:00:28 dialing manager at 10.128.0.169:30028
[   28.911900][ T6293] cgroup: Unknown subsys name 'net'
[   28.984192][ T6296] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k SS
[   29.230002][ T6293] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:00:29 starting 5 executor processes
[   30.126637][ T6317] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   30.135386][ T6317] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   30.137868][ T6317] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   30.140356][ T6317] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   30.154984][ T6320] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   30.158265][   T52] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   30.160264][   T52] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   30.163111][   T52] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   30.165551][   T52] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   30.171661][   T52] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   30.175399][ T6320] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   30.177845][ T6320] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   30.180959][ T6320] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   30.184109][ T6322] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   30.186170][ T6320] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   30.190512][ T6322] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   30.192780][ T6322] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[   30.195404][ T6322] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   30.197341][ T6326] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   30.200936][ T6322] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   30.202116][ T6330] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[   30.204787][ T6322] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[   30.207255][ T6317] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   30.208513][ T6322] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   30.210120][ T6330] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   30.213983][ T6318] ==================================================================
[   30.216052][ T6318] BUG: KASAN: slab-use-after-free in skb_release_data+0x504/0x618
[   30.218161][ T6318] Read of size 1 at addr ffff0000ebedc57e by task syz-executor.2/6318
[   30.220366][ T6318]
[   30.221006][ T6318] CPU: 0 PID: 6318 Comm: syz-executor.2 Tainted: G        W          6.10.0-rc3-syzkaller-gac2193b4b460 #0
[   30.224154][ T6318] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[   30.227055][ T6318] Call trace:
[   30.227923][ T6318]  dump_backtrace+0x1b8/0x1e4
[   30.229147][ T6318]  show_stack+0x2c/0x3c
[   30.230295][ T6318]  dump_stack_lvl+0xe4/0x150
[   30.231558][ T6318]  print_report+0x198/0x538
[   30.232958][ T6318]  kasan_report+0xd8/0x138
[   30.234135][ T6318]  __asan_report_load1_noabort+0x20/0x2c
[   30.235732][ T6318]  skb_release_data+0x504/0x618
[   30.237094][ T6318]  kfree_skb_reason+0x1b8/0x490
[   30.238409][ T6318]  __hci_req_sync+0x4e8/0x798
[   30.239678][ T6318]  hci_req_sync+0xa0/0xcc
[   30.240816][ T6318]  hci_dev_cmd+0x304/0x8c0
[   30.241997][ T6318]  hci_sock_ioctl+0x4b8/0x7e4
[   30.243292][ T6318]  sock_do_ioctl+0x134/0x2d0
[   30.244548][ T6318]  sock_ioctl+0x4ec/0x838
[   30.245037][ T5862] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   30.245738][ T6318]  __arm64_sys_ioctl+0x14c/0x1c8
[   30.248415][ T6330] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   30.248813][ T6318]  invoke_syscall+0x98/0x2b8
[   30.251283][ T6330] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   30.251794][ T6318]  el0_svc_common+0x130/0x23c
[   30.254078][ T6330] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[   30.254883][ T6318]  do_el0_svc+0x48/0x58
[   30.254900][ T6318]  el0_svc+0x54/0x168
[   30.254912][ T6318]  el0t_64_sync_handler+0x84/0xfc
[   30.254923][ T6318]  el0t_64_sync+0x190/0x194
[   30.254947][ T6318]
[   30.254951][ T6318] Allocated by task 6322:
[   30.257005][ T6330] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   30.257850][ T6318]  kasan_save_track+0x40/0x78
[   30.266189][ T6318]  kasan_save_alloc_info+0x40/0x50
[   30.267554][ T6318]  __kasan_slab_alloc+0x74/0x8c
[   30.268841][ T6318]  kmem_cache_alloc_noprof+0x1c0/0x350
[   30.270324][ T6318]  skb_clone+0x1c8/0x330
[   30.271468][ T6318]  hci_cmd_work+0x174/0x568
[   30.272689][ T6318]  process_one_work+0x79c/0x15b8
[   30.274041][ T6318]  worker_thread+0x938/0xef4
[   30.275230][ T6318]  kthread+0x288/0x310
[   30.276337][ T6318]  ret_from_fork+0x10/0x20
[   30.277543][ T6318]
[   30.278184][ T6318] Freed by task 6330:
[   30.279248][ T6318]  kasan_save_track+0x40/0x78
[   30.280492][ T6318]  kasan_save_free_info+0x54/0x6c
[   30.281799][ T6318]  poison_slab_object+0x128/0x180
[   30.283182][ T6318]  __kasan_slab_free+0x3c/0x70
[   30.284515][ T6318]  kmem_cache_free+0x170/0x4d0
[   30.285751][ T6318]  kfree_skbmem+0x15c/0x1ec
[   30.286950][ T6318]  kfree_skb_reason+0x1c0/0x490
[   30.288201][ T6318]  hci_req_sync_complete+0xb0/0x248
[   30.289591][ T6318]  hci_event_packet+0xab8/0x105c
[   30.290898][ T6318]  hci_rx_work+0x318/0xa78
[   30.292061][ T6318]  process_one_work+0x79c/0x15b8
[   30.293365][ T6318]  worker_thread+0x938/0xef4
[   30.294589][ T6318]  kthread+0x288/0x310
[   30.295758][ T6318]  ret_from_fork+0x10/0x20
[   30.296993][ T6318]
[   30.297617][ T6318] The buggy address belongs to the object at ffff0000ebedc500
[   30.297617][ T6318]  which belongs to the cache skbuff_head_cache of size 240
[   30.301487][ T6318] The buggy address is located 126 bytes inside of
[   30.301487][ T6318]  freed 240-byte region [ffff0000ebedc500, ffff0000ebedc5f0)
[   30.305212][ T6318]
[   30.305820][ T6318] The buggy address belongs to the physical page:
[   30.307586][ T6318] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12bedc
[   30.309947][ T6318] flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
[   30.311846][ T6318] page_type: 0xffffefff(slab)
[   30.313113][ T6318] raw: 05ffc00000000000 ffff0000c1bcc780 dead000000000122 0000000000000000
[   30.315462][ T6318] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[   30.317741][ T6318] page dumped because: kasan: bad access detected
[   30.319486][ T6318]
[   30.320098][ T6318] Memory state around the buggy address:
[   30.321568][ T6318]  ffff0000ebedc400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.323722][ T6318]  ffff0000ebedc480: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   30.325838][ T6318] >ffff0000ebedc500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.327952][ T6318]                                                                 ^
[   30.330066][ T6318]  ffff0000ebedc580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   30.332268][ T6318]  ffff0000ebedc600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   30.334516][ T6318] ==================================================================
1970/01/01 00:00:30 SYZFATAL: failed to recv *flatrpc.HostMessageRaw: EOF
[   30.355012][ T6318] Disabling lock debugging due to kernel taint