last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.0.64' (ED25519) to the list of known hosts.
[   76.153232][ T5083] cgroup: Unknown subsys name 'net'
[   76.326580][ T5083] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   78.076162][ T5083] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k
[   80.490261][ T5099] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   80.503087][ T5104] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   80.511894][ T5104] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   80.520030][ T5104] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   80.523392][ T5106] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   80.529713][ T5104] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   80.536685][ T5108] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   80.542917][ T5104] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   80.550633][ T5108] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   80.561252][ T5104] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   80.565420][ T5108] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   80.578957][ T5104] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   80.580013][ T5108] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[   80.586448][ T5104] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   80.594323][ T5108] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   80.608544][ T5106] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   80.619698][ T5104] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   80.621248][ T5101] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[   80.635051][ T5108] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   80.638383][ T5104] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   80.644305][ T5099] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   80.666510][ T5101] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[   80.685250][ T5099] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   80.686773][ T5108] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   80.694986][ T5109] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   80.711994][ T5108] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   80.720396][ T5108] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   80.728773][ T5108] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   80.737326][ T5108] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[   80.745299][ T5108] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   80.760100][ T5107] ==================================================================
[   80.768233][ T5107] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x41/0x3b0
[   80.776198][ T5107] Read of size 4 at addr ffff8880247d7ae4 by task syz-executor/5107
[   80.784294][ T5107] 
[   80.786650][ T5107] CPU: 0 PID: 5107 Comm: syz-executor Not tainted 6.10.0-rc2-syzkaller-00825-ga5912c37faf7 #0
[   80.797102][ T5107] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   80.807224][ T5107] Call Trace:
[   80.810978][ T5107] 
[   80.813983][ T5107]  dump_stack_lvl+0x241/0x360
[   80.818713][ T5107]  ? __pfx_dump_stack_lvl+0x10/0x10
[   80.823968][ T5107]  ? __pfx__printk+0x10/0x10
[   80.828610][ T5107]  ? _printk+0xd5/0x120
[   80.832814][ T5107]  ? __virt_addr_valid+0x183/0x520
[   80.838067][ T5107]  ? __virt_addr_valid+0x183/0x520
[   80.843314][ T5107]  print_report+0x169/0x550
[   80.847869][ T5107]  ? __virt_addr_valid+0x183/0x520
[   80.853029][ T5107]  ? __virt_addr_valid+0x183/0x520
[   80.858282][ T5107]  ? __virt_addr_valid+0x44e/0x520
[   80.863443][ T5107]  ? __phys_addr+0xba/0x170
[   80.868002][ T5107]  ? kfree_skb_reason+0x41/0x3b0
[   80.872991][ T5107]  kasan_report+0x143/0x180
[   80.877544][ T5107]  ? kfree_skb_reason+0x41/0x3b0
[   80.882541][ T5107]  kasan_check_range+0x282/0x290
[   80.887712][ T5107]  kfree_skb_reason+0x41/0x3b0
[   80.892527][ T5107]  __hci_req_sync+0x62f/0x950
[   80.897328][ T5107]  ? __pfx___hci_req_sync+0x10/0x10
[   80.902571][ T5107]  ? __pfx___mutex_lock+0x10/0x10
[   80.907728][ T5107]  ? __pfx_autoremove_wake_function+0x10/0x10
[   80.913935][ T5107]  ? __pfx_hci_scan_req+0x10/0x10
[   80.919001][ T5107]  hci_req_sync+0xa9/0xd0
[   80.923376][ T5107]  hci_dev_cmd+0x4c5/0xa50
[   80.928089][ T5107]  ? security_capable+0x90/0xb0
[   80.932976][ T5107]  ? __pfx_hci_dev_cmd+0x10/0x10
[   80.937956][ T5107]  ? hci_sock_ioctl+0x6c4/0xa40
[   80.942937][ T5107]  sock_do_ioctl+0x158/0x460
[   80.947566][ T5107]  ? __pfx_sock_do_ioctl+0x10/0x10
[   80.952721][ T5107]  sock_ioctl+0x629/0x8e0
[   80.957096][ T5107]  ? __pfx_sock_ioctl+0x10/0x10
[   80.961988][ T5107]  ? __fget_files+0x29/0x470
[   80.966621][ T5107]  ? __fget_files+0x3f6/0x470
[   80.971335][ T5107]  ? __fget_files+0x29/0x470
[   80.975970][ T5107]  ? bpf_lsm_file_ioctl+0x9/0x10
[   80.981032][ T5107]  ? security_file_ioctl+0x87/0xb0
[   80.986275][ T5107]  ? __pfx_sock_ioctl+0x10/0x10
[   80.991287][ T5107]  __se_sys_ioctl+0xfc/0x170
[   80.996026][ T5107]  do_syscall_64+0xf3/0x230
[   81.000591][ T5107]  ? clear_bhb_loop+0x35/0x90
[   81.005318][ T5107]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   81.011449][ T5107] RIP: 0033:0x7f7a36d757db
[   81.015902][ T5107] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[   81.035891][ T5107] RSP: 002b:00007fff45544ca0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   81.044350][ T5107] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f7a36d757db
[   81.052548][ T5107] RDX: 00007fff45544d18 RSI: 00000000400448dd RDI: 0000000000000003
[   81.060821][ T5107] RBP: 0000555555f824a8 R08: 0000000000000000 R09: 0000000000000000
[   81.068929][ T5107] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000004
[   81.076954][ T5107] R13: 0000000000000004 R14: 0000000000000009 R15: 0000000000000009
[   81.086712][ T5107] 
[   81.089761][ T5107] 
[   81.092103][ T5107] Allocated by task 5108:
[   81.096448][ T5107]  kasan_save_track+0x3f/0x80
[   81.101162][ T5107]  __kasan_slab_alloc+0x66/0x80
[   81.106080][ T5107]  kmem_cache_alloc_noprof+0x135/0x2a0
[   81.111576][ T5107]  skb_clone+0x20c/0x390
[   81.115864][ T5107]  hci_cmd_work+0x29e/0x670
[   81.120587][ T5107]  process_scheduled_works+0xa2c/0x1830
[   81.126240][ T5107]  worker_thread+0x86d/0xd70
[   81.130957][ T5107]  kthread+0x2f0/0x390
[   81.135093][ T5107]  ret_from_fork+0x4b/0x80
[   81.139550][ T5107]  ret_from_fork_asm+0x1a/0x30
[   81.144351][ T5107] 
[   81.146705][ T5107] Freed by task 5104:
[   81.150700][ T5107]  kasan_save_track+0x3f/0x80
[   81.155441][ T5107]  kasan_save_free_info+0x40/0x50
[   81.160529][ T5107]  poison_slab_object+0xe0/0x150
[   81.165519][ T5107]  __kasan_slab_free+0x37/0x60
[   81.170347][ T5107]  kmem_cache_free+0x145/0x350
[   81.175156][ T5107]  hci_req_sync_complete+0xe7/0x290
[   81.180487][ T5107]  hci_event_packet+0xc71/0x1540
[   81.185469][ T5107]  hci_rx_work+0x3e8/0xca0
[   81.189941][ T5107]  process_scheduled_works+0xa2c/0x1830
[   81.195523][ T5107]  worker_thread+0x86d/0xd70
[   81.200154][ T5107]  kthread+0x2f0/0x390
[   81.204255][ T5107]  ret_from_fork+0x4b/0x80
[   81.208799][ T5107]  ret_from_fork_asm+0x1a/0x30
[   81.213597][ T5107] 
[   81.215940][ T5107] The buggy address belongs to the object at ffff8880247d7a00
[   81.215940][ T5107]  which belongs to the cache skbuff_head_cache of size 240
[   81.230800][ T5107] The buggy address is located 228 bytes inside of
[   81.230800][ T5107]  freed 240-byte region [ffff8880247d7a00, ffff8880247d7af0)
[   81.245812][ T5107] 
[   81.248174][ T5107] The buggy address belongs to the physical page:
[   81.254643][ T5107] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x247d7
[   81.263512][ T5107] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   81.271079][ T5107] page_type: 0xffffefff(slab)
[   81.275935][ T5107] raw: 00fff00000000000 ffff888018e9f780 dead000000000100 dead000000000122
[   81.284711][ T5107] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[   81.293447][ T5107] page dumped because: kasan: bad access detected
[   81.300062][ T5107] page_owner tracks the page as allocated
[   81.305824][ T5107] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4552, tgid 4552 (udevd), ts 32596878450, free_ts 32587190338
[   81.324790][ T5107]  post_alloc_hook+0x1f3/0x230
[   81.329584][ T5107]  get_page_from_freelist+0x2e2d/0x2ee0
[   81.335152][ T5107]  __alloc_pages_noprof+0x256/0x6c0
[   81.340376][ T5107]  alloc_slab_page+0x5f/0x120
[   81.345067][ T5107]  allocate_slab+0x5a/0x2e0
[   81.350034][ T5107]  ___slab_alloc+0xcd1/0x14b0
[   81.355156][ T5107]  __slab_alloc+0x58/0xa0
[   81.360206][ T5107]  kmem_cache_alloc_node_noprof+0x1fe/0x320
[   81.366112][ T5107]  __alloc_skb+0x1c3/0x440
[   81.370544][ T5107]  netlink_sendmsg+0x631/0xcb0
[   81.375319][ T5107]  __sock_sendmsg+0x221/0x270
[   81.380007][ T5107]  ____sys_sendmsg+0x525/0x7d0
[   81.384780][ T5107]  __sys_sendmsg+0x2b0/0x3a0
[   81.389375][ T5107]  do_syscall_64+0xf3/0x230
[   81.393887][ T5107]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   81.399783][ T5107] page last free pid 4551 tgid 4551 stack trace:
[   81.406538][ T5107]  free_unref_page+0xd22/0xea0
[   81.411311][ T5107]  __put_partials+0xeb/0x130
[   81.415928][ T5107]  put_cpu_partial+0x17c/0x250
[   81.420706][ T5107]  __slab_free+0x2ea/0x3d0
[   81.425133][ T5107]  qlist_free_all+0x9e/0x140
[   81.429751][ T5107]  kasan_quarantine_reduce+0x14f/0x170
[   81.435425][ T5107]  __kasan_slab_alloc+0x23/0x80
[   81.440409][ T5107]  kmem_cache_alloc_noprof+0x135/0x2a0
[   81.446247][ T5107]  getname_flags+0xbd/0x4f0
[   81.450769][ T5107]  do_sys_openat2+0xd2/0x1d0
[   81.455363][ T5107]  __x64_sys_openat+0x247/0x2a0
[   81.460218][ T5107]  do_syscall_64+0xf3/0x230
[   81.464737][ T5107]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   81.470653][ T5107] 
[   81.472983][ T5107] Memory state around the buggy address:
[   81.478810][ T5107]  ffff8880247d7980: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[   81.486885][ T5107]  ffff8880247d7a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   81.494948][ T5107] >ffff8880247d7a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   81.503011][ T5107]                                                        ^
[   81.510202][ T5107]  ffff8880247d7b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   81.518265][ T5107]  ffff8880247d7b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   81.526327][ T5107] ==================================================================
[   81.542191][ T5107] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   81.549438][ T5107] CPU: 1 PID: 5107 Comm: syz-executor Not tainted 6.10.0-rc2-syzkaller-00825-ga5912c37faf7 #0
[   81.559703][ T5107] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   81.569789][ T5107] Call Trace:
[   81.573196][ T5107] 
[   81.576687][ T5107]  dump_stack_lvl+0x241/0x360
[   81.581423][ T5107]  ? __pfx_dump_stack_lvl+0x10/0x10
[   81.587403][ T5107]  ? __pfx__printk+0x10/0x10
[   81.592028][ T5107]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   81.598056][ T5107]  ? vscnprintf+0x5d/0x90
[   81.602506][ T5107]  panic+0x349/0x860
[   81.606443][ T5107]  ? check_panic_on_warn+0x21/0xb0
[   81.611687][ T5107]  ? __pfx_panic+0x10/0x10
[   81.616145][ T5107]  ? _raw_spin_unlock_irqrestore+0x130/0x140
[   81.622271][ T5107]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   81.628650][ T5107]  check_panic_on_warn+0x86/0xb0
[   81.633639][ T5107]  ? kfree_skb_reason+0x41/0x3b0
[   81.638619][ T5107]  end_report+0x77/0x160
[   81.642900][ T5107]  kasan_report+0x154/0x180
[   81.647613][ T5107]  ? kfree_skb_reason+0x41/0x3b0
[   81.652569][ T5107]  kasan_check_range+0x282/0x290
[   81.657551][ T5107]  kfree_skb_reason+0x41/0x3b0
[   81.662335][ T5107]  __hci_req_sync+0x62f/0x950
[   81.667037][ T5107]  ? __pfx___hci_req_sync+0x10/0x10
[   81.672248][ T5107]  ? __pfx___mutex_lock+0x10/0x10
[   81.677283][ T5107]  ? __pfx_autoremove_wake_function+0x10/0x10
[   81.683362][ T5107]  ? __pfx_hci_scan_req+0x10/0x10
[   81.688415][ T5107]  hci_req_sync+0xa9/0xd0
[   81.692748][ T5107]  hci_dev_cmd+0x4c5/0xa50
[   81.697169][ T5107]  ? security_capable+0x90/0xb0
[   81.702023][ T5107]  ? __pfx_hci_dev_cmd+0x10/0x10
[   81.706970][ T5107]  ? hci_sock_ioctl+0x6c4/0xa40
[   81.711857][ T5107]  sock_do_ioctl+0x158/0x460
[   81.716455][ T5107]  ? __pfx_sock_do_ioctl+0x10/0x10
[   81.721578][ T5107]  sock_ioctl+0x629/0x8e0
[   81.725930][ T5107]  ? __pfx_sock_ioctl+0x10/0x10
[   81.730793][ T5107]  ? __fget_files+0x29/0x470
[   81.735393][ T5107]  ? __fget_files+0x3f6/0x470
[   81.740080][ T5107]  ? __fget_files+0x29/0x470
[   81.744684][ T5107]  ? bpf_lsm_file_ioctl+0x9/0x10
[   81.749631][ T5107]  ? security_file_ioctl+0x87/0xb0
[   81.754752][ T5107]  ? __pfx_sock_ioctl+0x10/0x10
[   81.759620][ T5107]  __se_sys_ioctl+0xfc/0x170
[   81.764233][ T5107]  do_syscall_64+0xf3/0x230
[   81.768745][ T5107]  ? clear_bhb_loop+0x35/0x90
[   81.773431][ T5107]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   81.779417][ T5107] RIP: 0033:0x7f7a36d757db
[   81.784099][ T5107] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[   81.803839][ T5107] RSP: 002b:00007fff45544ca0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   81.812262][ T5107] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f7a36d757db
[   81.820324][ T5107] RDX: 00007fff45544d18 RSI: 00000000400448dd RDI: 0000000000000003
[   81.828306][ T5107] RBP: 0000555555f824a8 R08: 0000000000000000 R09: 0000000000000000
[   81.836283][ T5107] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000004
[   81.844254][ T5107] R13: 0000000000000004 R14: 0000000000000009 R15: 0000000000000009
[   81.852239][ T5107] 
[   81.855544][ T5107] Kernel Offset: disabled
[   81.859890][ T5107] Rebooting in 86400 seconds..
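The console log above is the raw artifact; the triage a practitioner does by hand on a KASAN report (which function touched the freed object, which code paths allocated and freed it, how far into which slab object the access landed, and whether KASAN's own offset line agrees with the addresses it printed) can be scripted. The Python below is an added example for this page, not part of the syzbot report or of the kernel: it parses the report's own lines (a trimmed excerpt embedded as constructed sample input, with the printk timestamp/task prefixes kept) and cross-checks the reported offset against the access address and object base. The NOISE list of frames to skip over is a heuristic of my own, not something KASAN defines.

```python
import re
from typing import Dict, List

# Constructed sample: an excerpt of the syzbot console log above, reduced to
# the lines the parser needs (printk timestamp and task-id prefixes kept).
SAMPLE_REPORT = """\
[   80.768233][ T5107] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x41/0x3b0
[   80.776198][ T5107] Read of size 4 at addr ffff8880247d7ae4 by task syz-executor/5107
[   80.807224][ T5107] Call Trace:
[   80.813983][ T5107]  dump_stack_lvl+0x241/0x360
[   80.818713][ T5107]  ? __pfx_dump_stack_lvl+0x10/0x10
[   80.843314][ T5107]  print_report+0x169/0x550
[   80.872991][ T5107]  kasan_report+0x143/0x180
[   80.887712][ T5107]  kfree_skb_reason+0x41/0x3b0
[   80.892527][ T5107]  __hci_req_sync+0x62f/0x950
[   81.089761][ T5107] 
[   81.092103][ T5107] Allocated by task 5108:
[   81.096448][ T5107]  kasan_save_track+0x3f/0x80
[   81.106080][ T5107]  kmem_cache_alloc_noprof+0x135/0x2a0
[   81.111576][ T5107]  skb_clone+0x20c/0x390
[   81.115864][ T5107]  hci_cmd_work+0x29e/0x670
[   81.144351][ T5107] 
[   81.146705][ T5107] Freed by task 5104:
[   81.150700][ T5107]  kasan_save_track+0x3f/0x80
[   81.170347][ T5107]  kmem_cache_free+0x145/0x350
[   81.175156][ T5107]  hci_req_sync_complete+0xe7/0x290
[   81.185469][ T5107]  hci_rx_work+0x3e8/0xca0
[   81.213597][ T5107] 
[   81.215940][ T5107] The buggy address belongs to the object at ffff8880247d7a00
[   81.215940][ T5107]  which belongs to the cache skbuff_head_cache of size 240
[   81.230800][ T5107] The buggy address is located 228 bytes inside of
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")          # "[   80.76][ T5107] "
FRAME = re.compile(r"^([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # "func+0xoff/0xlen"
# Heuristic (my own, not KASAN's): frames that belong to the reporting or
# allocator machinery rather than to the code under test.
NOISE = ("dump_stack", "print_report", "kasan_", "__kasan_", "kmem_cache_",
         "__pfx_", "__virt_addr_valid", "__phys_addr", "_printk", "poison_slab")

def frames(lines: List[str]) -> List[str]:
    """Function names of a stack; '? ' frames are unreliable and are dropped."""
    return [m.group(1) for m in map(FRAME.match, lines) if m]

def first_interesting(stack: List[str]) -> str:
    """First frame outside the reporting/allocator plumbing: where to start reading."""
    return next((f for f in stack if not f.startswith(NOISE)), "")

def parse_kasan_report(text: str) -> Dict:
    rep: Dict = {"stacks": {}}
    section = None
    for raw in text.splitlines():
        ln = PREFIX.sub("", raw).strip()
        if not ln:                               # a blank line ends a stack section
            section = None
            continue
        if m := re.match(r"BUG: KASAN: (\S+) in (\w+)", ln):
            rep["bug_type"], rep["site"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", ln):
            rep["access"] = {"kind": m.group(1), "size": int(m.group(2)),
                             "addr": int(m.group(3), 16), "task": m.group(4),
                             "pid": int(m.group(5))}
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", ln):
            section = m.group(1).lower()
            rep[section + "_pid"] = int(m.group(2))
            rep["stacks"][section] = []
        elif ln == "Call Trace:":
            section = "access"
            rep["stacks"][section] = []
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", ln):
            rep["object_base"] = int(m.group(1), 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", ln):
            rep["cache"], rep["object_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", ln):
            rep["reported_offset"] = int(m.group(1))
        elif section:
            rep["stacks"][section].append(ln)
    for name in ("access", "allocated", "freed"):
        rep[name + "_stack"] = frames(rep["stacks"].get(name, []))
        rep[name + "_culprit"] = first_interesting(rep[name + "_stack"])
    # Cross-check KASAN's "N bytes inside of" line against addr - object base.
    if "object_base" in rep and "access" in rep:
        rep["offset"] = rep["access"]["addr"] - rep["object_base"]
        rep["offset_consistent"] = rep["offset"] == rep.get("reported_offset")
    return rep

def summarize(rep: Dict) -> str:
    a = rep["access"]
    return (f"{rep['bug_type']}: {a['kind'].lower()} of {a['size']} bytes at offset "
            f"{rep['offset']} in a {rep['object_size']}-byte {rep['cache']} object, "
            f"used by {rep['access_culprit']} (pid {a['pid']}), allocated by "
            f"{rep['allocated_culprit']} (pid {rep['allocated_pid']}), freed by "
            f"{rep['freed_culprit']} (pid {rep['freed_pid']})")

if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE_REPORT)))
```

Run on the excerpt, the summary names kfree_skb_reason (called from __hci_req_sync) as the user of the freed skb, skb_clone in hci_cmd_work as the allocation and hci_req_sync_complete in hci_rx_work as the free, with three different pids on the three paths, which is the shape of a cross-thread lifetime race rather than a simple double free in one function. The offset check (0xffff8880247d7ae4 - 0xffff8880247d7a00 = 228) matching KASAN's own "228 bytes inside of" line is a cheap sanity test that the report was not truncated or mis-merged by the console capture.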