last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.245' (ED25519) to the list of known hosts.
[ 82.533073][ T29] audit: type=1400 audit(1719931555.613:87): avc: denied { mounton } for pid=5072 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1925 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 82.542111][ T5072] cgroup: Unknown subsys name 'net'
[ 82.561530][ T29] audit: type=1400 audit(1719931555.613:88): avc: denied { mount } for pid=5072 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 82.591225][ T29] audit: type=1400 audit(1719931555.653:89): avc: denied { unmount } for pid=5072 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 82.779780][ T5072] cgroup: Unknown subsys name 'rlimit'
[ 82.917908][ T29] audit: type=1400 audit(1719931556.003:90): avc: denied { setattr } for pid=5072 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=733 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 82.942144][ T29] audit: type=1400 audit(1719931556.003:91): avc: denied { create } for pid=5072 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 82.964690][ T29] audit: type=1400 audit(1719931556.003:92): avc: denied { write } for pid=5072 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 82.989148][ T29] audit: type=1400 audit(1719931556.003:93): avc: denied { read } for pid=5072 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 83.010740][ T29] audit: type=1400 audit(1719931556.023:94): avc: denied { mounton } for pid=5072 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 83.036762][ T29] audit: type=1400 audit(1719931556.023:95): avc: denied { mount } for pid=5072 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 83.061078][ T29] audit: type=1400 audit(1719931556.053:96): avc: denied { read } for pid=4749 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=1
Setting up swapspace version 1, size = 127995904 bytes
[ 83.120225][ T5075] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 84.508370][ T5072] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 85.574779][ T5098] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 85.576867][ T5095] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 85.601401][ T5095] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 85.604705][ T5099] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 85.610000][ T5095] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 85.620810][ T5098] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 85.626254][ T5095] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 85.632557][ T5098] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 85.639676][ T5095] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 85.645846][ T5099] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 85.654359][ T5095] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 85.659877][ T5098] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 85.670498][ T5095] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 85.676741][ T5099] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 85.682281][ T5095] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 85.688677][ T5099] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 85.696793][ T5095] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 85.702798][ T5099] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 85.710421][ T5095] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 85.718827][ T5099] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 85.723421][ T5095] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 85.730884][ T5099] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 85.744357][ T5101] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 85.748440][ T5095] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 85.752640][ T5101] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 85.760971][ T5095] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 85.768545][ T5101] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 85.774455][ T5095] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 85.787858][ T4479] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 85.797980][ T5095] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 85.841112][ T5082] ==================================================================
[ 85.849511][ T5082] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x36/0x210
[ 85.857481][ T5082] Read of size 4 at addr ffff88806975bc24 by task syz-executor/5082
[ 85.865929][ T5082]
[ 85.868277][ T5082] CPU: 0 PID: 5082 Comm: syz-executor Not tainted 6.10.0-rc6-syzkaller-00051-g1dfe225e9af5 #0
[ 85.878634][ T5082] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 85.889676][ T5082] Call Trace:
[ 85.893149][ T5082] <TASK>
[ 85.896286][ T5082] dump_stack_lvl+0x116/0x1f0
[ 85.901235][ T5082] print_report+0xc3/0x620
[ 85.906014][ T5082] ? __virt_addr_valid+0x5e/0x580
[ 85.911416][ T5082] ? __phys_addr+0xc6/0x150
[ 85.916035][ T5082] kasan_report+0xd9/0x110
[ 85.920579][ T5082] ? kfree_skb_reason+0x36/0x210
[ 85.925641][ T5082] ? kfree_skb_reason+0x36/0x210
[ 85.930720][ T5082] kasan_check_range+0xef/0x1a0
[ 85.935871][ T5082] kfree_skb_reason+0x36/0x210
[ 85.940940][ T5082] __hci_req_sync+0x61d/0x980
[ 85.945765][ T5082] ? __pfx___hci_req_sync+0x10/0x10
[ 85.951470][ T5082] ? __mutex_lock+0x1a6/0x9c0
[ 85.956715][ T5082] ? __pfx_autoremove_wake_function+0x10/0x10
[ 85.962918][ T5082] ? hci_req_sync+0x3f/0xd0
[ 85.967643][ T5082] ? __pfx___might_resched+0x10/0x10
[ 85.973339][ T5082] hci_req_sync+0x97/0xd0
[ 85.977902][ T5082] ? __pfx_hci_scan_req+0x10/0x10
[ 85.983315][ T5082] hci_dev_cmd+0x634/0x960
[ 85.987781][ T5082] ? cap_capable+0x1cf/0x240
[ 85.992420][ T5082] ? __pfx_hci_dev_cmd+0x10/0x10
[ 85.997689][ T5082] ? security_capable+0x98/0xd0
[ 86.003195][ T5082] hci_sock_ioctl+0x4f3/0x880
[ 86.008250][ T5082] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 86.013572][ T5082] sock_do_ioctl+0x116/0x280
[ 86.018458][ T5082] ? __pfx_sock_do_ioctl+0x10/0x10
[ 86.024034][ T5082] ? ioctl_has_perm.constprop.0.isra.0+0x2f9/0x470
[ 86.031466][ T5082] ? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10
[ 86.039049][ T5082] sock_ioctl+0x22e/0x6c0
[ 86.043435][ T5082] ? __pfx_sock_ioctl+0x10/0x10
[ 86.048431][ T5082] ? selinux_file_ioctl+0x180/0x270
[ 86.053753][ T5082] ? selinux_file_ioctl+0xb4/0x270
[ 86.059110][ T5082] ? __pfx_sock_ioctl+0x10/0x10
[ 86.064247][ T5082] __x64_sys_ioctl+0x193/0x220
[ 86.069275][ T5082] do_syscall_64+0xcd/0x250
[ 86.074829][ T5082] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.081035][ T5082] RIP: 0033:0x7f34f9775b1b
[ 86.085789][ T5082] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 86.106128][ T5082] RSP: 002b:00007ffc9c3d8d10 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 86.114567][ T5082] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f34f9775b1b
[ 86.122663][ T5082] RDX: 00007ffc9c3d8d88 RSI: 00000000400448dd RDI: 0000000000000003
[ 86.131283][ T5082] RBP: 00005555854da4a8 R08: 0000000000000000 R09: 0000000000000000
[ 86.139486][ T5082] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000002
[ 86.147706][ T5082] R13: 0000000000000002 R14: 0000000000000009 R15: 0000000000000009
[ 86.155971][ T5082] </TASK>
[ 86.159005][ T5082]
[ 86.161349][ T5082] Allocated by task 5095:
[ 86.165780][ T5082] kasan_save_stack+0x33/0x60
[ 86.170531][ T5082] kasan_save_track+0x14/0x30
[ 86.175880][ T5082] __kasan_slab_alloc+0x89/0x90
[ 86.181075][ T5082] kmem_cache_alloc_noprof+0x121/0x2f0
[ 86.187273][ T5082] skb_clone+0x190/0x3f0
[ 86.191663][ T5082] hci_cmd_work+0x66a/0x710
[ 86.196893][ T5082] process_one_work+0x9c5/0x1b40
[ 86.202397][ T5082] worker_thread+0x6c8/0xf30
[ 86.207296][ T5082] kthread+0x2c1/0x3a0
[ 86.211481][ T5082] ret_from_fork+0x45/0x80
[ 86.216031][ T5082] ret_from_fork_asm+0x1a/0x30
[ 86.221028][ T5082]
[ 86.223550][ T5082] Freed by task 5089:
[ 86.227616][ T5082] kasan_save_stack+0x33/0x60
[ 86.232610][ T5082] kasan_save_track+0x14/0x30
[ 86.237505][ T5082] kasan_save_free_info+0x3b/0x60
[ 86.242664][ T5082] poison_slab_object+0xf7/0x160
[ 86.248577][ T5082] __kasan_slab_free+0x32/0x50
[ 86.253553][ T5082] kmem_cache_free+0x12f/0x3a0
[ 86.258445][ T5082] kfree_skbmem+0x10e/0x200
[ 86.262980][ T5082] kfree_skb_reason+0x138/0x210
[ 86.267867][ T5082] hci_req_sync_complete+0x16c/0x270
[ 86.273280][ T5082] hci_event_packet+0x963/0x1170
[ 86.278395][ T5082] hci_rx_work+0x2c4/0x1610
[ 86.282927][ T5082] process_one_work+0x9c5/0x1b40
[ 86.288151][ T5082] worker_thread+0x6c8/0xf30
[ 86.292952][ T5082] kthread+0x2c1/0x3a0
[ 86.297064][ T5082] ret_from_fork+0x45/0x80
[ 86.302042][ T5082] ret_from_fork_asm+0x1a/0x30
[ 86.307029][ T5082]
[ 86.309460][ T5082] The buggy address belongs to the object at ffff88806975bb40
[ 86.309460][ T5082]  which belongs to the cache skbuff_head_cache of size 240
[ 86.324932][ T5082] The buggy address is located 228 bytes inside of
[ 86.324932][ T5082]  freed 240-byte region [ffff88806975bb40, ffff88806975bc30)
[ 86.339101][ T5082]
[ 86.341486][ T5082] The buggy address belongs to the physical page:
[ 86.349045][ T5082] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6975b
[ 86.358446][ T5082] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 86.365666][ T5082] page_type: 0xffffefff(slab)
[ 86.370392][ T5082] raw: 00fff00000000000 ffff888018eac780 dead000000000122 0000000000000000
[ 86.379090][ T5082] raw: 0000000000000000 00000000800c000c 00000001ffffefff 0000000000000000
[ 86.387686][ T5082] page dumped because: kasan: bad access detected
[ 86.394202][ T5082] page_owner tracks the page as allocated
[ 86.400018][ T5082] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5095, tgid 5095 (kworker/u9:4), ts 85837148232, free_ts 29313195642
[ 86.419505][ T5082] post_alloc_hook+0x2d1/0x350
[ 86.424316][ T5082] get_page_from_freelist+0x1353/0x2e50
[ 86.429983][ T5082] __alloc_pages_noprof+0x22b/0x2460
[ 86.435298][ T5082] alloc_slab_page+0x56/0x110
[ 86.440009][ T5082] new_slab+0x84/0x260
[ 86.444110][ T5082] ___slab_alloc+0xdac/0x1870
[ 86.448818][ T5082] __slab_alloc.constprop.0+0x56/0xb0
[ 86.454490][ T5082] kmem_cache_alloc_node_noprof+0xed/0x310
[ 86.460430][ T5082] __alloc_skb+0x2b1/0x380
[ 86.465054][ T5082] l2cap_send_cmd+0xa8/0x920
[ 86.469973][ T5082] l2cap_request_info+0x216/0x270
[ 86.475131][ T5082] l2cap_connect_cfm+0xa1c/0xf80
[ 86.480125][ T5082] hci_remote_features_evt+0x548/0x9e0
[ 86.485877][ T5082] hci_event_packet+0x9e3/0x1170
[ 86.490843][ T5082] hci_rx_work+0x2c4/0x1610
[ 86.495464][ T5082] process_one_work+0x9c5/0x1b40
[ 86.500435][ T5082] page last free pid 1 tgid 1 stack trace:
[ 86.506260][ T5082] free_unref_page+0x64a/0xe40
[ 86.511557][ T5082] free_contig_range+0xb6/0x1a0
[ 86.516459][ T5082] destroy_args+0xa4e/0xe20
[ 86.521697][ T5082] debug_vm_pgtable+0x1705/0x3280
[ 86.526934][ T5082] do_one_initcall+0x128/0x700
[ 86.531770][ T5082] kernel_init_freeable+0x69d/0xca0
[ 86.537221][ T5082] kernel_init+0x1c/0x2b0
[ 86.541771][ T5082] ret_from_fork+0x45/0x80
[ 86.546589][ T5082] ret_from_fork_asm+0x1a/0x30
[ 86.551622][ T5082]
[ 86.553967][ T5082] Memory state around the buggy address:
[ 86.559685][ T5082]  ffff88806975bb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 86.568402][ T5082]  ffff88806975bb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.576663][ T5082] >ffff88806975bc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 86.585334][ T5082]                                   ^
[ 86.590556][ T5082]  ffff88806975bc80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.598720][ T5082]  ffff88806975bd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 86.606874][ T5082] ==================================================================
[ 86.631946][ T5082] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 86.639621][ T5082] CPU: 0 PID: 5082 Comm: syz-executor Not tainted 6.10.0-rc6-syzkaller-00051-g1dfe225e9af5 #0
[ 86.650588][ T5082] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 86.660938][ T5082] Call Trace:
[ 86.664233][ T5082] <TASK>
[ 86.667348][ T5082] dump_stack_lvl+0x3d/0x1f0
[ 86.672091][ T5082] panic+0x6f5/0x7a0
[ 86.678818][ T5082] ? __pfx_panic+0x10/0x10
[ 86.683414][ T5082] ? irqentry_exit+0x3b/0x90
[ 86.688135][ T5082] ? lockdep_hardirqs_on+0x7c/0x110
[ 86.693629][ T5082] ? preempt_schedule_thunk+0x1a/0x30
[ 86.699118][ T5082] ? preempt_schedule_common+0x44/0xc0
[ 86.704784][ T5082] ? check_panic_on_warn+0x1f/0xb0
[ 86.710373][ T5082] check_panic_on_warn+0xab/0xb0
[ 86.715442][ T5082] end_report+0x117/0x180
[ 86.719820][ T5082] kasan_report+0xe9/0x110
[ 86.724271][ T5082] ? kfree_skb_reason+0x36/0x210
[ 86.729337][ T5082] ? kfree_skb_reason+0x36/0x210
[ 86.734312][ T5082] kasan_check_range+0xef/0x1a0
[ 86.739303][ T5082] kfree_skb_reason+0x36/0x210
[ 86.744198][ T5082] __hci_req_sync+0x61d/0x980
[ 86.748973][ T5082] ? __pfx___hci_req_sync+0x10/0x10
[ 86.754637][ T5082] ? __mutex_lock+0x1a6/0x9c0
[ 86.759348][ T5082] ? __pfx_autoremove_wake_function+0x10/0x10
[ 86.765637][ T5082] ? hci_req_sync+0x3f/0xd0
[ 86.770247][ T5082] ? __pfx___might_resched+0x10/0x10
[ 86.775795][ T5082] hci_req_sync+0x97/0xd0
[ 86.780126][ T5082] ? __pfx_hci_scan_req+0x10/0x10
[ 86.785336][ T5082] hci_dev_cmd+0x634/0x960
[ 86.790184][ T5082] ? cap_capable+0x1cf/0x240
[ 86.795157][ T5082] ? __pfx_hci_dev_cmd+0x10/0x10
[ 86.800116][ T5082] ? security_capable+0x98/0xd0
[ 86.805063][ T5082] hci_sock_ioctl+0x4f3/0x880
[ 86.809967][ T5082] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 86.815275][ T5082] sock_do_ioctl+0x116/0x280
[ 86.820042][ T5082] ? __pfx_sock_do_ioctl+0x10/0x10
[ 86.825153][ T5082] ? ioctl_has_perm.constprop.0.isra.0+0x2f9/0x470
[ 86.831744][ T5082] ? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10
[ 86.838785][ T5082] sock_ioctl+0x22e/0x6c0
[ 86.843140][ T5082] ? __pfx_sock_ioctl+0x10/0x10
[ 86.847998][ T5082] ? selinux_file_ioctl+0x180/0x270
[ 86.853206][ T5082] ? selinux_file_ioctl+0xb4/0x270
[ 86.858370][ T5082] ? __pfx_sock_ioctl+0x10/0x10
[ 86.863337][ T5082] __x64_sys_ioctl+0x193/0x220
[ 86.868625][ T5082] do_syscall_64+0xcd/0x250
[ 86.873598][ T5082] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.879623][ T5082] RIP: 0033:0x7f34f9775b1b
[ 86.884044][ T5082] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 86.903756][ T5082] RSP: 002b:00007ffc9c3d8d10 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 86.912265][ T5082] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f34f9775b1b
[ 86.920238][ T5082] RDX: 00007ffc9c3d8d88 RSI: 00000000400448dd RDI: 0000000000000003
[ 86.928211][ T5082] RBP: 00005555854da4a8 R08: 0000000000000000 R09: 0000000000000000
[ 86.936179][ T5082] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000002
[ 86.944230][ T5082] R13: 0000000000000002 R14: 0000000000000009 R15: 0000000000000009
[ 86.952292][ T5082] </TASK>
[ 86.955745][ T5082] Kernel Offset: disabled
[ 86.960126][ T5082] Rebooting in 86400 seconds..
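The report above has the standard KASAN layout: a "BUG: KASAN:" line naming the bug class and the function that performed the access, an access line with size, address and task, the faulting task's call trace (frames prefixed with "? " are unreliable and not on the real chain), then the "Allocated by" and "Freed by" stacks and the slab object the address falls in. As an added example, not part of the syzbot report or of the kernel, the Python below parses those fields straight out of the raw console lines, timestamp prefix included, so a report can be titled and compared the way syzbot titles its bugs. The `SAMPLE` string is an abridged excerpt of the report above with most frames omitted, and the `PLUMBING` prefix list used to pick a frame to blame is a heuristic of my own, not something syzbot or KASAN provides.

```python
"""KASAN report triage (added example, not part of the syzbot report or the kernel)."""
import re
from dataclasses import dataclass, field

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*[TC]\s*\d+\]\s?")   # e.g. "[   85.841112][ T5082] "
BUG = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"^(?P<rw>Read|Write) of size (?P<size>\d+) at addr "
                    r"(?P<addr>[0-9a-f]+) by task \S+/(?P<pid>\d+)")
OBJECT = re.compile(r"^The buggy address belongs to the object at (?P<base>[0-9a-f]+)")
CACHE = re.compile(r"^which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
STACK = re.compile(r"^(?P<which>Allocated|Freed) by task (?P<pid>\d+):")
FRAME = re.compile(r"^(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
PLUMBING = ("kasan_", "__kasan_", "kmem_cache_", "dump_stack", "print_report",
            "kfree_skb", "skb_clone", "__alloc_skb")  # allocator/KASAN frames; my heuristic

@dataclass
class KasanReport:
    kind: str = ""            # e.g. slab-use-after-free
    func: str = ""            # function named on the BUG: line
    rw: str = ""
    size: int = 0
    addr: int = 0
    pid: int = 0              # task that made the bad access
    cache: str = ""
    obj_base: int = 0
    obj_size: int = 0
    trace: list = field(default_factory=list)        # faulting task, reliable frames only
    alloc_pid: int = 0
    alloc_stack: list = field(default_factory=list)
    free_pid: int = 0
    free_stack: list = field(default_factory=list)

    def title(self) -> str:   # same shape as syzbot's bug titles, handy for de-duplication
        return f"KASAN: {self.kind} {self.rw} in {self.func}"

    def offset(self) -> int:  # byte offset of the access inside the slab object
        return self.addr - self.obj_base

def owner_frame(stack):       # first frame that is not allocator/KASAN plumbing, or ""
    return next((f for f in stack if not f.startswith(PLUMBING)), "")

def parse_kasan(lines):
    rep, section, inside = KasanReport(), None, False
    for raw in lines:
        line = PREFIX.sub("", raw).strip()
        if line.startswith("====="):            # report delimiter: first opens, second closes
            if inside:
                break
            inside = True
        elif not inside or line in ("<TASK>", "</TASK>"):
            continue
        elif m := BUG.match(line):
            rep.kind, rep.func = m["kind"], m["func"]
        elif m := ACCESS.match(line):
            rep.rw, rep.size = m["rw"], int(m["size"])
            rep.addr, rep.pid = int(m["addr"], 16), int(m["pid"])
        elif m := OBJECT.match(line):
            rep.obj_base = int(m["base"], 16)
        elif m := CACHE.match(line):
            rep.cache, rep.obj_size = m["cache"], int(m["size"])
        elif line == "Call Trace:":
            section = rep.trace
        elif m := STACK.match(line):
            if m["which"] == "Allocated":
                rep.alloc_pid, section = int(m["pid"]), rep.alloc_stack
            else:
                rep.free_pid, section = int(m["pid"]), rep.free_stack
        elif section is not None:
            if m := FRAME.match(line):
                section.append(m["func"])
            elif not line.startswith("? "):     # "? " frames are unreliable and skipped;
                section = None                  # anything else (blank, "RIP:") ends the stack
    return rep

# Abridged excerpt of the report above (most frames omitted), used as sample input.
SAMPLE = """\
[   85.841112][ T5082] ==================================================================
[   85.849511][ T5082] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x36/0x210
[   85.857481][ T5082] Read of size 4 at addr ffff88806975bc24 by task syz-executor/5082
[   85.889676][ T5082] Call Trace:
[   85.893149][ T5082]  <TASK>
[   85.896286][ T5082]  dump_stack_lvl+0x116/0x1f0
[   85.906014][ T5082]  ? __virt_addr_valid+0x5e/0x580
[   85.916035][ T5082]  kasan_report+0xd9/0x110
[   85.935871][ T5082]  kfree_skb_reason+0x36/0x210
[   85.940940][ T5082]  __hci_req_sync+0x61d/0x980
[   86.081035][ T5082] RIP: 0033:0x7f34f9775b1b
[   86.161349][ T5082] Allocated by task 5095:
[   86.165780][ T5082]  kasan_save_stack+0x33/0x60
[   86.187273][ T5082]  skb_clone+0x190/0x3f0
[   86.191663][ T5082]  hci_cmd_work+0x66a/0x710
[   86.223550][ T5082] Freed by task 5089:
[   86.227616][ T5082]  kasan_save_stack+0x33/0x60
[   86.258445][ T5082]  kfree_skbmem+0x10e/0x200
[   86.267867][ T5082]  hci_req_sync_complete+0x16c/0x270
[   86.309460][ T5082] The buggy address belongs to the object at ffff88806975bb40
[   86.309460][ T5082]  which belongs to the cache skbuff_head_cache of size 240
[   86.606874][ T5082] =================================================================="""
```

Run over this report, `parse_kasan(SAMPLE.splitlines())` gives the title "KASAN: slab-use-after-free Read in kfree_skb_reason", an access at offset 228 of a 240-byte `skbuff_head_cache` object (matching the "228 bytes inside of" line in the report), and `owner_frame` names `__hci_req_sync` for the use, `hci_cmd_work` for the allocation (task 5095, via `skb_clone`) and `hci_req_sync_complete` for the free (task 5089). Three different tasks touch the same skb, which is the first thing to look at when triaging this kind of report: the command worker cloned it, the RX worker's event path freed it, and the ioctl path in task 5082 then handed the freed skb to `kfree_skb_reason` again. The parser stops at the second "====" line, so the panic backtrace that follows it in the console output is not mistaken for a second report.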