last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.154' (ED25519) to the list of known hosts.
1970/01/01 00:00:33 fuzzer started
1970/01/01 00:00:33 dialing manager at 10.128.0.169:30028
[ 33.436106][ T6265] cgroup: Unknown subsys name 'net'
[ 33.512803][ T6266] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SS
[ 33.715184][ T6265] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:00:33 starting 5 executor processes
[ 34.648640][ T6291] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 34.651455][ T6291] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 34.655241][ T6295] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 34.658423][ T6291] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 34.660330][ T6295] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 34.664128][ T6292] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 34.667170][ T6299] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 34.669207][ T6299] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 34.671747][ T6292] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 34.673962][ T6292] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 34.676257][ T6299] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 34.676334][ T6292] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 34.681185][ T6292] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 34.684777][ T6292] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 34.687007][ T6289] ==================================================================
[ 34.687333][ T6292] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 34.689200][ T6289] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x40/0x28c
[ 34.693515][ T6289] Read of size 8 at addr ffff0000cfb9d058 by task syz-executor.0/6289
[ 34.695795][ T6289]
[ 34.696442][ T6289] CPU: 0 PID: 6289 Comm: syz-executor.0 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0
[ 34.699596][ T6289] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 34.700759][ T52] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 34.702396][ T6289] Call trace:
[ 34.702406][ T6289] dump_backtrace+0x1b8/0x1e4
[ 34.705063][ T52] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 34.705400][ T6289] show_stack+0x2c/0x3c
[ 34.708178][ T5829] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 34.708656][ T6289] dump_stack_lvl+0xe4/0x150
[ 34.711011][ T5829] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 34.711731][ T6289] print_report+0x198/0x538
[ 34.713712][ T5829] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 34.715056][ T6289] kasan_report+0xd8/0x138
[ 34.716713][ T5829] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 34.718224][ T6289] __asan_report_load8_noabort+0x20/0x2c
[ 34.719724][ T5829] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 34.721322][ T6289] skb_release_head_state+0x40/0x28c
[ 34.721348][ T6289] kfree_skb_reason+0x190/0x4a4
[ 34.721361][ T6289] __hci_req_sync+0x4e8/0x798
[ 34.721373][ T6289] hci_req_sync+0xa0/0xcc
[ 34.721383][ T6289] hci_dev_cmd+0x304/0x8c0
[ 34.721393][ T6289] hci_sock_ioctl+0x4b8/0x7e4
[ 34.721404][ T6289] sock_do_ioctl+0x134/0x2d0
[ 34.721414][ T6289] sock_ioctl+0x4ec/0x838
[ 34.721423][ T6289] __arm64_sys_ioctl+0x14c/0x1c8
[ 34.721434][ T6289] invoke_syscall+0x98/0x2b8
[ 34.737645][ T6289] el0_svc_common+0x130/0x23c
[ 34.738987][ T6289] do_el0_svc+0x48/0x58
[ 34.740159][ T6289] el0_svc+0x54/0x168
[ 34.741268][ T6289] el0t_64_sync_handler+0x84/0xfc
[ 34.742641][ T6289] el0t_64_sync+0x190/0x194
[ 34.743851][ T6289]
[ 34.744495][ T6289] Allocated by task 52:
[ 34.745658][ T6289] kasan_save_track+0x40/0x78
[ 34.746936][ T6289] kasan_save_alloc_info+0x40/0x50
[ 34.748306][ T6289] __kasan_slab_alloc+0x74/0x8c
[ 34.749654][ T6289] kmem_cache_alloc_noprof+0x1c0/0x350
[ 34.751209][ T6289] skb_clone+0x1c8/0x330
[ 34.752324][ T6289] hci_cmd_work+0x174/0x568
[ 34.753562][ T6289] process_one_work+0x7b0/0x15e8
[ 34.754904][ T6289] worker_thread+0x938/0xef4
[ 34.756156][ T6289] kthread+0x288/0x310
[ 34.757272][ T6289] ret_from_fork+0x10/0x20
[ 34.758537][ T6289]
[ 34.759155][ T6289] Freed by task 6292:
[ 34.760206][ T6289] kasan_save_track+0x40/0x78
[ 34.761550][ T6289] kasan_save_free_info+0x54/0x6c
[ 34.762767][ T6289] poison_slab_object+0x128/0x180
[ 34.764018][ T6289] __kasan_slab_free+0x3c/0x70
[ 34.765145][ T6289] kmem_cache_free+0x178/0x4e4
[ 34.766314][ T6289] kfree_skbmem+0x15c/0x1ec
[ 34.767460][ T6289] kfree_skb_reason+0x1c8/0x4a4
[ 34.768953][ T6289] hci_req_sync_complete+0xb0/0x248
[ 34.770398][ T6289] hci_event_packet+0xab8/0x105c
[ 34.771760][ T6289] hci_rx_work+0x318/0xa78
[ 34.772957][ T6289] process_one_work+0x7b0/0x15e8
[ 34.774324][ T6289] worker_thread+0x938/0xef4
[ 34.775652][ T6289] kthread+0x288/0x310
[ 34.776750][ T6289] ret_from_fork+0x10/0x20
[ 34.777955][ T6289]
[ 34.778631][ T6289] The buggy address belongs to the object at ffff0000cfb9d000
[ 34.778631][ T6289] which belongs to the cache skbuff_head_cache of size 240
[ 34.782718][ T6289] The buggy address is located 88 bytes inside of
[ 34.782718][ T6289] freed 240-byte region [ffff0000cfb9d000, ffff0000cfb9d0f0)
[ 34.786480][ T6289]
[ 34.787139][ T6289] The buggy address belongs to the physical page:
[ 34.788929][ T6289] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10fb9d
[ 34.791344][ T6289] anon flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
[ 34.793446][ T6289] page_type: 0xffffefff(slab)
[ 34.794737][ T6289] raw: 05ffc00000000000 ffff0000c1bc6780 fffffdffc35bbec0 dead000000000005
[ 34.797098][ T6289] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 34.799431][ T6289] page dumped because: kasan: bad access detected
[ 34.801159][ T6289]
[ 34.801780][ T6289] Memory state around the buggy address:
[ 34.803320][ T6289] ffff0000cfb9cf00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 34.805579][ T6289] ffff0000cfb9cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.807787][ T6289] >ffff0000cfb9d000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.809934][ T6289] ^
[ 34.811770][ T6289] ffff0000cfb9d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 34.814116][ T6289] ffff0000cfb9d100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 34.816296][ T6289] ==================================================================
[ 34.820494][ T6289] Disabling lock debugging due to kernel taint
[ 34.823892][ T5829] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 34.826942][ T5829] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
1970/01/01 00:00:34 SYZFATAL: failed to recv *flatrpc.HostMessageRaw: EOF
[ 34.834121][ T6301] chnl_net:caif_netlink_parms(): no params data found
[ 34.853592][ T5829] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 34.855704][ T6299] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 34.865301][ T5829] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 34.867306][ T6299] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 34.870773][ T5829] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 34.880538][ T6295] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2