last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.1.19' (ED25519) to the list of known hosts.
[ 101.817227][ T45] cfg80211: failed to load regulatory.db
[ 103.644656][ T5086] cgroup: Unknown subsys name 'net'
[ 103.860247][ T5086] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 105.973637][ T5086] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 109.073775][ T5098] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 109.101854][ T5098] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 109.112175][ T5098] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 109.129513][ T53] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 109.136992][ T53] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 109.147589][ T53] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 109.155762][ T53] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 109.164104][ T53] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 109.189984][ T5104] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 109.198239][ T5101] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 109.206319][ T5101] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 109.214773][ T5101] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 109.224081][ T5101] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 109.232389][ T5101] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 109.235565][ T5104] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 109.240023][ T5101] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 109.247796][ T5104] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 109.261050][ T5104] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 109.301749][ T5100] ==================================================================
[ 109.308038][ T5110] Bluetooth: hci5: unexpected cc 0x0c03 length: 249 > 1
[ 109.309832][ T5100] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x36/0x210
[ 109.318327][ T5110] Bluetooth: hci5: unexpected cc 0x1003 length: 249 > 9
[ 109.324514][ T5100] Read of size 4 at addr ffff888066ee5364 by task syz-executor/5100
[ 109.324548][ T5100]
[ 109.324559][ T5100] CPU: 0 PID: 5100 Comm: syz-executor Not tainted 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 109.334131][ T5110] Bluetooth: hci5: unexpected cc 0x1001 length: 249 > 9
[ 109.339441][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 109.345095][ T5110] Bluetooth: hci5: unexpected cc 0x0c23 length: 249 > 4
[ 109.351981][ T5100] Call Trace:
[ 109.351998][ T5100]
[ 109.352013][ T5100] dump_stack_lvl+0x116/0x1f0
[ 109.352069][ T5100] print_report+0xc3/0x620
[ 109.360559][ T5110] Bluetooth: hci5: unexpected cc 0x0c25 length: 249 > 3
[ 109.369059][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.369110][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.369154][ T5100] ? __phys_addr+0xc6/0x150
[ 109.379018][ T5110] Bluetooth: hci5: unexpected cc 0x0c38 length: 249 > 2
[ 109.379319][ T5100] kasan_report+0xd9/0x110
[ 109.425467][ T5100] ? kfree_skb_reason+0x36/0x210
[ 109.430462][ T5100] ? kfree_skb_reason+0x36/0x210
[ 109.435465][ T5100] kasan_check_range+0xef/0x1a0
[ 109.440367][ T5100] kfree_skb_reason+0x36/0x210
[ 109.445177][ T5100] __hci_req_sync+0x61d/0x980
[ 109.449895][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 109.455129][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 109.459847][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 109.465951][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.471621][ T5100] ? hci_req_sync+0x3f/0xd0
[ 109.476171][ T5100] ? __pfx___might_resched+0x10/0x10
[ 109.481506][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.487262][ T5100] ? aa_get_newest_label+0x376/0x680
[ 109.492702][ T5100] hci_req_sync+0x97/0xd0
[ 109.497156][ T5100] ? __pfx_hci_scan_req+0x10/0x10
[ 109.502225][ T5100] hci_dev_cmd+0x634/0x960
[ 109.506691][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.512453][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10
[ 109.517433][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.523103][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.528771][ T5100] ? security_capable+0x98/0xd0
[ 109.533689][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 109.538409][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.544080][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 109.549322][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 109.555346][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.561020][ T5100] sock_do_ioctl+0x119/0x280
[ 109.565663][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10
[ 109.570837][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.576510][ T5100] sock_ioctl+0x22e/0x6c0
[ 109.580895][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 109.585808][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.591475][ T5100] ? __fget_files+0x256/0x400
[ 109.596212][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.601883][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 109.606793][ T5100] __x64_sys_ioctl+0x196/0x220
[ 109.611610][ T5100] do_syscall_64+0xcd/0x250
[ 109.616165][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 109.622117][ T5100] RIP: 0033:0x7fad76d757db
[ 109.626555][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 109.646201][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 109.654655][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db
[ 109.662869][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003
[ 109.670866][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000
[ 109.678951][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 109.686944][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 109.694961][ T5100]
[ 109.697996][ T5100]
[ 109.700329][ T5100] Allocated by task 5098:
[ 109.704666][ T5100] kasan_save_stack+0x33/0x60
[ 109.709376][ T5100] kasan_save_track+0x14/0x30
[ 109.714080][ T5100] __kasan_slab_alloc+0x89/0x90
[ 109.718956][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0
[ 109.724447][ T5100] skb_clone+0x190/0x3f0
[ 109.728722][ T5100] hci_cmd_work+0x66a/0x710
[ 109.733269][ T5100] process_one_work+0x9c8/0x1b40
[ 109.738250][ T5100] worker_thread+0x6c8/0xf30
[ 109.742883][ T5100] kthread+0x2c4/0x3a0
[ 109.743475][ T5098] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 109.746978][ T5100] ret_from_fork+0x48/0x80
[ 109.756266][ T5098] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 109.758408][ T5100] ret_from_fork_asm+0x1a/0x30
[ 109.770141][ T5100]
[ 109.772477][ T5100] Freed by task 5098:
[ 109.772508][ T5098] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 109.776531][ T5100] kasan_save_stack+0x33/0x60
[ 109.785995][ T5098] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 109.788087][ T5100] kasan_save_track+0x14/0x30
[ 109.799728][ T5100] kasan_save_free_info+0x3b/0x60
[ 109.804817][ T5100] poison_slab_object+0xf7/0x160
[ 109.805852][ T5098] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 109.809789][ T5100] __kasan_slab_free+0x32/0x50
[ 109.818587][ T5098] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 109.821612][ T5100] kmem_cache_free+0x12f/0x3a0
[ 109.821654][ T5100] kfree_skbmem+0x10e/0x200
[ 109.837880][ T5100] kfree_skb_reason+0x138/0x210
[ 109.842774][ T5100] hci_req_sync_complete+0x16c/0x270
[ 109.848099][ T5100] hci_event_packet+0x966/0x1170
[ 109.853071][ T5100] hci_rx_work+0x2c4/0x1610
[ 109.857611][ T5100] process_one_work+0x9c8/0x1b40
[ 109.862592][ T5100] worker_thread+0x6c8/0xf30
[ 109.867228][ T5100] kthread+0x2c4/0x3a0
[ 109.871344][ T5100] ret_from_fork+0x48/0x80
[ 109.875817][ T5100] ret_from_fork_asm+0x1a/0x30
[ 109.880808][ T5100]
[ 109.883141][ T5100] The buggy address belongs to the object at ffff888066ee5280
[ 109.883141][ T5100] which belongs to the cache skbuff_head_cache of size 240
[ 109.897738][ T5100] The buggy address is located 228 bytes inside of
[ 109.897738][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370)
[ 109.911574][ T5100]
[ 109.913909][ T5100] The buggy address belongs to the physical page:
[ 109.920327][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5
[ 109.929113][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 109.936241][ T5100] page_type: 0xffffefff(slab)
[ 109.940943][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000
[ 109.949556][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 109.958152][ T5100] page dumped because: kasan: bad access detected
[ 109.964574][ T5100] page_owner tracks the page as allocated
[ 109.970294][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900
[ 109.989710][ T5100] post_alloc_hook+0x2d1/0x350
[ 109.994529][ T5100] get_page_from_freelist+0x1353/0x2e50
[ 110.000130][ T5100] __alloc_pages_noprof+0x22b/0x2460
[ 110.005469][ T5100] alloc_slab_page+0x56/0x110
[ 110.010194][ T5100] new_slab+0x84/0x260
[ 110.014330][ T5100] ___slab_alloc+0xdac/0x1870
[ 110.019037][ T5100] __slab_alloc.constprop.0+0x56/0xb0
[ 110.024440][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310
[ 110.030281][ T5100] __alloc_skb+0x2b1/0x380
[ 110.034749][ T5100] hci_prepare_cmd+0x32/0x2b0
[ 110.039465][ T5100] hci_req_add_ev+0x11b/0x2b0
[ 110.044178][ T5100] hci_scan_req+0x87/0x150
[ 110.048630][ T5100] __hci_req_sync+0x145/0x980
[ 110.053342][ T5100] hci_req_sync+0x97/0xd0
[ 110.057706][ T5100] hci_dev_cmd+0x634/0x960
[ 110.062172][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 110.066887][ T5100] page last free pid 1 tgid 1 stack trace:
[ 110.072703][ T5100] free_unref_page+0x64a/0xe40
[ 110.077520][ T5100] free_contig_range+0xb6/0x1a0
[ 110.082416][ T5100] destroy_args+0xa4e/0xe20
[ 110.086973][ T5100] debug_vm_pgtable+0x1705/0x3280
[ 110.092050][ T5100] do_one_initcall+0x12b/0x700
[ 110.096863][ T5100] kernel_init_freeable+0x69d/0xca0
[ 110.102111][ T5100] kernel_init+0x1c/0x2b0
[ 110.106491][ T5100] ret_from_fork+0x48/0x80
[ 110.110953][ T5100] ret_from_fork_asm+0x1a/0x30
[ 110.115770][ T5100]
[ 110.118103][ T5100] Memory state around the buggy address:
[ 110.123745][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 110.131832][ T5100] ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 110.139921][ T5100] >ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 110.148000][ T5100] ^
[ 110.155210][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 110.163293][ T5100] ffff888066ee5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 110.171368][ T5100] ==================================================================
[ 110.180828][ T5100] Disabling lock debugging due to kernel taint
[ 110.188240][ T5098] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 110.188805][ T5100] ==================================================================
[ 110.203265][ T5100] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x1f5/0x210
[ 110.211118][ T5100] Read of size 4 at addr ffff888066ee5364 by task syz-executor/5100
[ 110.219120][ T5100]
[ 110.221456][ T5100] CPU: 0 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 110.233207][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 110.243284][ T5100] Call Trace:
[ 110.246576][ T5100]
[ 110.249523][ T5100] dump_stack_lvl+0x116/0x1f0
[ 110.254249][ T5100] print_report+0xc3/0x620
[ 110.258700][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.264367][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.270034][ T5100] ? __phys_addr+0xc6/0x150
[ 110.274577][ T5100] kasan_report+0xd9/0x110
[ 110.279030][ T5100] ? kfree_skb_reason+0x1f5/0x210
[ 110.284102][ T5100] ? kfree_skb_reason+0x1f5/0x210
[ 110.289165][ T5100] kfree_skb_reason+0x1f5/0x210
[ 110.294049][ T5100] __hci_req_sync+0x61d/0x980
[ 110.298760][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 110.303989][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 110.308694][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 110.314816][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.320498][ T5100] ? hci_req_sync+0x3f/0xd0
[ 110.325044][ T5100] ? __pfx___might_resched+0x10/0x10
[ 110.330370][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.336026][ T5100] ? aa_get_newest_label+0x376/0x680
[ 110.341367][ T5100] hci_req_sync+0x97/0xd0
[ 110.345724][ T5100] ? __pfx_hci_scan_req+0x10/0x10
[ 110.350777][ T5100] hci_dev_cmd+0x634/0x960
[ 110.355228][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.360888][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10
[ 110.365863][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.371531][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.377189][ T5100] ? security_capable+0x98/0xd0
[ 110.382087][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 110.386796][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.392541][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 110.397767][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 110.403775][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.409434][ T5100] sock_do_ioctl+0x119/0x280
[ 110.414068][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10
[ 110.419226][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.424973][ T5100] sock_ioctl+0x22e/0x6c0
[ 110.429353][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 110.434248][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.439901][ T5100] ? __fget_files+0x256/0x400
[ 110.444617][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.450271][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 110.455160][ T5100] __x64_sys_ioctl+0x196/0x220
[ 110.460483][ T5100] do_syscall_64+0xcd/0x250
[ 110.465025][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 110.470971][ T5100] RIP: 0033:0x7fad76d757db
[ 110.475397][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 110.495026][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 110.503466][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db
[ 110.511451][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003
[ 110.519438][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000
[ 110.527422][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 110.535405][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 110.543404][ T5100]
[ 110.546427][ T5100]
[ 110.548755][ T5100] Allocated by task 5098:
[ 110.553083][ T5100] kasan_save_stack+0x33/0x60
[ 110.557776][ T5100] kasan_save_track+0x14/0x30
[ 110.562466][ T5100] __kasan_slab_alloc+0x89/0x90
[ 110.567334][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0
[ 110.572820][ T5100] skb_clone+0x190/0x3f0
[ 110.577087][ T5100] hci_cmd_work+0x66a/0x710
[ 110.581615][ T5100] process_one_work+0x9c8/0x1b40
[ 110.586580][ T5100] worker_thread+0x6c8/0xf30
[ 110.591193][ T5100] kthread+0x2c4/0x3a0
[ 110.595299][ T5100] ret_from_fork+0x48/0x80
[ 110.599755][ T5100] ret_from_fork_asm+0x1a/0x30
[ 110.604557][ T5100]
[ 110.606876][ T5100] Freed by task 5098:
[ 110.610857][ T5100] kasan_save_stack+0x33/0x60
[ 110.615547][ T5100] kasan_save_track+0x14/0x30
[ 110.620236][ T5100] kasan_save_free_info+0x3b/0x60
[ 110.625468][ T5100] poison_slab_object+0xf7/0x160
[ 110.630534][ T5100] __kasan_slab_free+0x32/0x50
[ 110.635312][ T5100] kmem_cache_free+0x12f/0x3a0
[ 110.640092][ T5100] kfree_skbmem+0x10e/0x200
[ 110.644634][ T5100] kfree_skb_reason+0x138/0x210
[ 110.649541][ T5100] hci_req_sync_complete+0x16c/0x270
[ 110.654939][ T5100] hci_event_packet+0x966/0x1170
[ 110.659896][ T5100] hci_rx_work+0x2c4/0x1610
[ 110.664428][ T5100] process_one_work+0x9c8/0x1b40
[ 110.669390][ T5100] worker_thread+0x6c8/0xf30
[ 110.674004][ T5100] kthread+0x2c4/0x3a0
[ 110.678108][ T5100] ret_from_fork+0x48/0x80
[ 110.682557][ T5100] ret_from_fork_asm+0x1a/0x30
[ 110.687354][ T5100]
[ 110.689675][ T5100] The buggy address belongs to the object at ffff888066ee5280
[ 110.689675][ T5100] which belongs to the cache skbuff_head_cache of size 240
[ 110.704442][ T5100] The buggy address is located 228 bytes inside of
[ 110.704442][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370)
[ 110.718257][ T5100]
[ 110.720579][ T5100] The buggy address belongs to the physical page:
[ 110.726987][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5
[ 110.735760][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 110.742881][ T5100] page_type: 0xffffefff(slab)
[ 110.747573][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000
[ 110.756172][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 110.764761][ T5100] page dumped because: kasan: bad access detected
[ 110.771171][ T5100] page_owner tracks the page as allocated
[ 110.776881][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900
[ 110.796448][ T5100] post_alloc_hook+0x2d1/0x350
[ 110.801244][ T5100] get_page_from_freelist+0x1353/0x2e50
[ 110.806826][ T5100] __alloc_pages_noprof+0x22b/0x2460
[ 110.812148][ T5100] alloc_slab_page+0x56/0x110
[ 110.816860][ T5100] new_slab+0x84/0x260
[ 110.820942][ T5100] ___slab_alloc+0xdac/0x1870
[ 110.825637][ T5100] __slab_alloc.constprop.0+0x56/0xb0
[ 110.831031][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310
[ 110.836863][ T5100] __alloc_skb+0x2b1/0x380
[ 110.841318][ T5100] hci_prepare_cmd+0x32/0x2b0
[ 110.846017][ T5100] hci_req_add_ev+0x11b/0x2b0
[ 110.850715][ T5100] hci_scan_req+0x87/0x150
[ 110.855152][ T5100] __hci_req_sync+0x145/0x980
[ 110.859851][ T5100] hci_req_sync+0x97/0xd0
[ 110.864200][ T5100] hci_dev_cmd+0x634/0x960
[ 110.868645][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 110.873867][ T5100] page last free pid 1 tgid 1 stack trace:
[ 110.879677][ T5100] free_unref_page+0x64a/0xe40
[ 110.884496][ T5100] free_contig_range+0xb6/0x1a0
[ 110.889378][ T5100] destroy_args+0xa4e/0xe20
[ 110.893923][ T5100] debug_vm_pgtable+0x1705/0x3280
[ 110.898983][ T5100] do_one_initcall+0x12b/0x700
[ 110.903786][ T5100] kernel_init_freeable+0x69d/0xca0
[ 110.909020][ T5100] kernel_init+0x1c/0x2b0
[ 110.913484][ T5100] ret_from_fork+0x48/0x80
[ 110.917936][ T5100] ret_from_fork_asm+0x1a/0x30
[ 110.922732][ T5100]
[ 110.925051][ T5100] Memory state around the buggy address:
[ 110.930682][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 110.938750][ T5100] ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 110.946819][ T5100] >ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 110.954971][ T5100] ^
[ 110.962165][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 110.970233][ T5100] ffff888066ee5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 110.978298][ T5100] ==================================================================
[ 110.986991][ T5100] ==================================================================
[ 110.992183][ T5098] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 110.995044][ T5100] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x283/0x2b0
[ 111.010318][ T5100] Read of size 8 at addr ffff888066ee52d8 by task syz-executor/5100
[ 111.012003][ T5098] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 111.018294][ T5100]
[ 111.018308][ T5100] CPU: 0 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 111.039270][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 111.041632][ T5098] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 111.049322][ T5100] Call Trace:
[ 111.049340][ T5100]
[ 111.049355][ T5100] dump_stack_lvl+0x116/0x1f0
[ 111.062826][ T5098] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 111.067090][ T5100] print_report+0xc3/0x620
[ 111.078483][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.084154][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.089822][ T5100] ? __phys_addr+0xc6/0x150
[ 111.091837][ T5098] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 111.094368][ T5100] kasan_report+0xd9/0x110
[ 111.105728][ T5100] ? skb_release_head_state+0x283/0x2b0
[ 111.111315][ T5100] ? skb_release_head_state+0x283/0x2b0
[ 111.116908][ T5100] skb_release_head_state+0x283/0x2b0
[ 111.122323][ T5100] kfree_skb_reason+0xed/0x210
[ 111.127132][ T5100] __hci_req_sync+0x61d/0x980
[ 111.131852][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 111.137088][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 111.141815][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 111.147924][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.153591][ T5100] ? hci_req_sync+0x3f/0xd0
[ 111.158139][ T5100] ? __pfx___might_resched+0x10/0x10
[ 111.163472][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.169140][ T5100] ? aa_get_newest_label+0x376/0x680
[ 111.174491][ T5100] hci_req_sync+0x97/0xd0
[ 111.178860][ T5100] ? __pfx_hci_scan_req+0x10/0x10
[ 111.183927][ T5100] hci_dev_cmd+0x634/0x960
[ 111.188395][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.194073][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10
[ 111.199064][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.204730][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.210399][ T5100] ? security_capable+0x98/0xd0
[ 111.215310][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 111.220028][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.225702][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 111.231034][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 111.237065][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.242774][ T5100] sock_do_ioctl+0x119/0x280
[ 111.247419][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10
[ 111.251625][ T5101] Bluetooth: hci0: command tx timeout
[ 111.252573][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.263575][ T5100] sock_ioctl+0x22e/0x6c0
[ 111.267963][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 111.272871][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.278641][ T5100] ? __fget_files+0x256/0x400
[ 111.283394][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.289074][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 111.293992][ T5100] __x64_sys_ioctl+0x196/0x220
[ 111.298817][ T5100] do_syscall_64+0xcd/0x250
[ 111.303377][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 111.309365][ T5100] RIP: 0033:0x7fad76d757db
[ 111.313799][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 111.333428][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 111.341863][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db
[ 111.349851][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003
[ 111.357843][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000
[ 111.365829][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 111.373810][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 111.381897][ T5100]
[ 111.384920][ T5100]
[ 111.387245][ T5100] Allocated by task 5098:
[ 111.391577][ T5100] kasan_save_stack+0x33/0x60
[ 111.396446][ T5100] kasan_save_track+0x14/0x30
[ 111.401139][ T5100] __kasan_slab_alloc+0x89/0x90
[ 111.406006][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0
[ 111.411493][ T5100] skb_clone+0x190/0x3f0
[ 111.415763][ T5100] hci_cmd_work+0x66a/0x710
[ 111.420294][ T5100] process_one_work+0x9c8/0x1b40
[ 111.425287][ T5100] worker_thread+0x6c8/0xf30
[ 111.429903][ T5100] kthread+0x2c4/0x3a0
[ 111.434007][ T5100] ret_from_fork+0x48/0x80
[ 111.438463][ T5100] ret_from_fork_asm+0x1a/0x30
[ 111.443261][ T5100]
[ 111.445581][ T5100] Freed by task 5098:
[ 111.449561][ T5100] kasan_save_stack+0x33/0x60
[ 111.454252][ T5100] kasan_save_track+0x14/0x30
[ 111.458942][ T5100] kasan_save_free_info+0x3b/0x60
[ 111.463999][ T5100] poison_slab_object+0xf7/0x160
[ 111.469023][ T5100] __kasan_slab_free+0x32/0x50
[ 111.473808][ T5100] kmem_cache_free+0x12f/0x3a0
[ 111.478590][ T5100] kfree_skbmem+0x10e/0x200
[ 111.483131][ T5100] kfree_skb_reason+0x138/0x210
[ 111.488007][ T5100] hci_req_sync_complete+0x16c/0x270
[ 111.493317][ T5100] hci_event_packet+0x966/0x1170
[ 111.498280][ T5100] hci_rx_work+0x2c4/0x1610
[ 111.502808][ T5100] process_one_work+0x9c8/0x1b40
[ 111.507773][ T5100] worker_thread+0x6c8/0xf30
[ 111.512395][ T5100] kthread+0x2c4/0x3a0
[ 111.516498][ T5100] ret_from_fork+0x48/0x80
[ 111.520949][ T5100] ret_from_fork_asm+0x1a/0x30
[ 111.525751][ T5100]
[ 111.528073][ T5100] The buggy address belongs to the object at ffff888066ee5280
[ 111.528073][ T5100] which belongs to the cache skbuff_head_cache of size 240
[ 111.542660][ T5100] The buggy address is located 88 bytes inside of
[ 111.542660][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370)
[ 111.556390][ T5100]
[ 111.558713][ T5100] The buggy address belongs to the physical page:
[ 111.565120][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5
[ 111.573893][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 111.581008][ T5100] page_type: 0xffffefff(slab)
[ 111.585700][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000
[ 111.594301][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 111.602887][ T5100] page dumped because: kasan: bad access detected
[ 111.609301][ T5100] page_owner tracks the page as allocated
[ 111.615017][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900
[ 111.634418][ T5100] post_alloc_hook+0x2d1/0x350
[ 111.639213][ T5100] get_page_from_freelist+0x1353/0x2e50
[ 111.644796][ T5100] __alloc_pages_noprof+0x22b/0x2460
[ 111.650115][ T5100] alloc_slab_page+0x56/0x110
[ 111.654822][ T5100] new_slab+0x84/0x260
[ 111.658912][ T5100] ___slab_alloc+0xdac/0x1870
[ 111.663609][ T5100] __slab_alloc.constprop.0+0x56/0xb0
[ 111.669001][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310
[ 111.674831][ T5100] __alloc_skb+0x2b1/0x380
[ 111.679320][ T5100] hci_prepare_cmd+0x32/0x2b0
[ 111.684021][ T5100] hci_req_add_ev+0x11b/0x2b0
[ 111.688720][ T5100] hci_scan_req+0x87/0x150
[ 111.693158][ T5100] __hci_req_sync+0x145/0x980
[ 111.697854][ T5100] hci_req_sync+0x97/0xd0
[ 111.702200][ T5100] hci_dev_cmd+0x634/0x960
[ 111.706668][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 111.711365][ T5100] page last free pid 1 tgid 1 stack trace:
[ 111.717172][ T5100] free_unref_page+0x64a/0xe40
[ 111.722057][ T5100] free_contig_range+0xb6/0x1a0
[ 111.726937][ T5100] destroy_args+0xa4e/0xe20
[ 111.731471][ T5100] debug_vm_pgtable+0x1705/0x3280
[ 111.736536][ T5100] do_one_initcall+0x12b/0x700
[ 111.741346][ T5100] kernel_init_freeable+0x69d/0xca0
[ 111.746578][ T5100] kernel_init+0x1c/0x2b0
[ 111.750943][ T5100] ret_from_fork+0x48/0x80
[ 111.755392][ T5100] ret_from_fork_asm+0x1a/0x30
[ 111.760191][ T5100]
[ 111.762514][ T5100] Memory state around the buggy address:
[ 111.768322][ T5100] ffff888066ee5180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 111.776393][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 111.784463][ T5100] >ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 111.792527][ T5100] ^
[ 111.799464][ T5100] ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 111.807540][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 111.815616][ T5100] ==================================================================
[ 111.823844][ T5101] Bluetooth: hci5: command tx timeout
[ 111.829333][ T5101] Bluetooth: hci2: command tx timeout
[ 111.835552][ T5100] ==================================================================
[ 111.843639][ T5100] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x28d/0x2b0
[ 111.852027][ T5100] Read of size 8 at addr ffff888066ee52e0 by task syz-executor/5100
[ 111.860028][ T5100]
[ 111.862362][ T5100] CPU: 1 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 111.874191][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 111.884262][ T5100] Call Trace:
[ 111.887544][ T5100]
[ 111.890483][ T5100] dump_stack_lvl+0x116/0x1f0
[ 111.895194][ T5100] print_report+0xc3/0x620
[ 111.899633][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.905289][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.910971][ T5100] ? __phys_addr+0xc6/0x150
[ 111.915496][ T5100] kasan_report+0xd9/0x110
[ 111.919964][ T5100] ? skb_release_head_state+0x28d/0x2b0
[ 111.925541][ T5100] ? skb_release_head_state+0x28d/0x2b0
[ 111.931117][ T5100] skb_release_head_state+0x28d/0x2b0
[ 111.936518][ T5100] kfree_skb_reason+0xed/0x210
[ 111.941313][ T5100] __hci_req_sync+0x61d/0x980
[ 111.946019][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 111.951241][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 111.955948][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 111.962042][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.967699][ T5100] ? hci_req_sync+0x3f/0xd0
[ 111.972234][ T5100] ? __pfx___might_resched+0x10/0x10
[ 111.977553][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.983206][ T5100] ? aa_get_newest_label+0x376/0x680
[ 111.988542][ T5100] hci_req_sync+0x97/0xd0
[ 111.992926][ T5100] ? __pfx_hci_scan_req+0x10/0x10
[ 111.997979][ T5100] hci_dev_cmd+0x634/0x960
[ 112.002429][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.008083][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10
[ 112.013053][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.018705][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.024358][ T5100] ? security_capable+0x98/0xd0
[ 112.029257][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 112.033961][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.039614][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 112.044840][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 112.050846][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.056504][ T5100] sock_do_ioctl+0x119/0x280
[ 112.061132][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10
[ 112.066293][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.071954][ T5100] sock_ioctl+0x22e/0x6c0
[ 112.076419][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 112.081314][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.086977][ T5100] ? __fget_files+0x256/0x400
[ 112.091697][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.097356][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 112.102246][ T5100] __x64_sys_ioctl+0x196/0x220
[ 112.107050][ T5100] do_syscall_64+0xcd/0x250
[ 112.111594][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 112.117535][ T5100] RIP: 0033:0x7fad76d757db
[ 112.121961][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 112.141588][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 112.150024][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db
[ 112.158009][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003
[ 112.165993][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000
[ 112.174003][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 112.181988][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 112.189993][ T5100] </TASK>
[ 112.193025][ T5100]
[ 112.195347][ T5100] Allocated by task 5098:
[ 112.199676][ T5100] kasan_save_stack+0x33/0x60
[ 112.204373][ T5100] kasan_save_track+0x14/0x30
[ 112.209065][ T5100] __kasan_slab_alloc+0x89/0x90
[ 112.213933][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0
[ 112.219416][ T5100] skb_clone+0x190/0x3f0
[ 112.223681][ T5100] hci_cmd_work+0x66a/0x710
[ 112.228238][ T5100] process_one_work+0x9c8/0x1b40
[ 112.233207][ T5100] worker_thread+0x6c8/0xf30
[ 112.237822][ T5100] kthread+0x2c4/0x3a0
[ 112.241931][ T5100] ret_from_fork+0x48/0x80
[ 112.246380][ T5100] ret_from_fork_asm+0x1a/0x30
[ 112.251217][ T5100]
[ 112.253541][ T5100] Freed by task 5098:
[ 112.257521][ T5100] kasan_save_stack+0x33/0x60
[ 112.262212][ T5100] kasan_save_track+0x14/0x30
[ 112.266903][ T5100] kasan_save_free_info+0x3b/0x60
[ 112.271956][ T5100] poison_slab_object+0xf7/0x160
[ 112.276932][ T5100] __kasan_slab_free+0x32/0x50
[ 112.281711][ T5100] kmem_cache_free+0x12f/0x3a0
[ 112.286491][ T5100] kfree_skbmem+0x10e/0x200
[ 112.291032][ T5100] kfree_skb_reason+0x138/0x210
[ 112.295910][ T5100] hci_req_sync_complete+0x16c/0x270
[ 112.301224][ T5100] hci_event_packet+0x966/0x1170
[ 112.306190][ T5100] hci_rx_work+0x2c4/0x1610
[ 112.310901][ T5100] process_one_work+0x9c8/0x1b40
[ 112.315864][ T5100] worker_thread+0x6c8/0xf30
[ 112.320476][ T5100] kthread+0x2c4/0x3a0
[ 112.324581][ T5100] ret_from_fork+0x48/0x80
[ 112.329037][ T5100] ret_from_fork_asm+0x1a/0x30
[ 112.333839][ T5100]
[ 112.336161][ T5100] The buggy address belongs to the object at ffff888066ee5280
[ 112.336161][ T5100] which belongs to the cache skbuff_head_cache of size 240
[ 112.350745][ T5100] The buggy address is located 96 bytes inside of
[ 112.350745][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370)
[ 112.364471][ T5100]
[ 112.366796][ T5100] The buggy address belongs to the physical page:
[ 112.373204][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5
[ 112.381979][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 112.389100][ T5100] page_type: 0xffffefff(slab)
[ 112.393792][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000
[ 112.402396][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 112.411015][ T5100] page dumped because: kasan: bad access detected
[ 112.417436][ T5100] page_owner tracks the page as allocated
[ 112.423235][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900
[ 112.442632][ T5100] post_alloc_hook+0x2d1/0x350
[ 112.447430][ T5100] get_page_from_freelist+0x1353/0x2e50
[ 112.453041][ T5100] __alloc_pages_noprof+0x22b/0x2460
[ 112.458360][ T5100] alloc_slab_page+0x56/0x110
[ 112.463067][ T5100] new_slab+0x84/0x260
[ 112.467172][ T5100] ___slab_alloc+0xdac/0x1870
[ 112.471864][ T5100] __slab_alloc.constprop.0+0x56/0xb0
[ 112.477255][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310
[ 112.483082][ T5100] __alloc_skb+0x2b1/0x380
[ 112.487534][ T5100] hci_prepare_cmd+0x32/0x2b0
[ 112.492407][ T5100] hci_req_add_ev+0x11b/0x2b0
[ 112.497104][ T5100] hci_scan_req+0x87/0x150
[ 112.501539][ T5100] __hci_req_sync+0x145/0x980
[ 112.506238][ T5100] hci_req_sync+0x97/0xd0
[ 112.510582][ T5100] hci_dev_cmd+0x634/0x960
[ 112.515026][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 112.519819][ T5100] page last free pid 1 tgid 1 stack trace:
[ 112.525740][ T5100] free_unref_page+0x64a/0xe40
[ 112.530535][ T5100] free_contig_range+0xb6/0x1a0
[ 112.535412][ T5100] destroy_args+0xa4e/0xe20
[ 112.539948][ T5100] debug_vm_pgtable+0x1705/0x3280
[ 112.545017][ T5100] do_one_initcall+0x12b/0x700
[ 112.549820][ T5100] kernel_init_freeable+0x69d/0xca0
[ 112.555055][ T5100] kernel_init+0x1c/0x2b0
[ 112.559421][ T5100] ret_from_fork+0x48/0x80
[ 112.563873][ T5100] ret_from_fork_asm+0x1a/0x30
[ 112.568673][ T5100]
[ 112.570995][ T5100] Memory state around the buggy address:
[ 112.576626][ T5100] ffff888066ee5180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 112.584699][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 112.592769][ T5100] >ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.600833][ T5100] ^
[ 112.608029][ T5100] ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 112.616105][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 112.624171][ T5100] ==================================================================
[ 112.641393][ T5098] Bluetooth: hci4: command tx timeout
[ 112.678188][ T5100] ==================================================================
[ 112.686395][ T5100] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x276/0x2b0
[ 112.694775][ T5100] Read of size 8 at addr ffff888066ee52e8 by task syz-executor/5100
[ 112.702787][ T5100]
[ 112.705130][ T5100] CPU: 0 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 112.716965][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 112.727039][ T5100] Call Trace:
[ 112.730336][ T5100] <TASK>
[ 112.733276][ T5100] dump_stack_lvl+0x116/0x1f0
[ 112.738074][ T5100] print_report+0xc3/0x620
[ 112.742775][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.748439][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.754099][ T5100] ? __phys_addr+0xc6/0x150
[ 112.758624][ T5100] kasan_report+0xd9/0x110
[ 112.763063][ T5100] ? skb_release_head_state+0x276/0x2b0
[ 112.768639][ T5100] ? skb_release_head_state+0x276/0x2b0
[ 112.774233][ T5100] skb_release_head_state+0x276/0x2b0
[ 112.779635][ T5100] kfree_skb_reason+0xed/0x210
[ 112.784434][ T5100] __hci_req_sync+0x61d/0x980
[ 112.789143][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 112.794363][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 112.799069][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 112.805185][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.810866][ T5100] ? hci_req_sync+0x3f/0xd0
[ 112.815402][ T5100] ? __pfx___might_resched+0x10/0x10
[ 112.820723][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.826378][ T5100] ? aa_get_newest_label+0x376/0x680
[ 112.831713][ T5100] hci_req_sync+0x97/0xd0
[ 112.836066][ T5100] ? __pfx_hci_scan_req+0x10/0x10
[ 112.841118][ T5100] hci_dev_cmd+0x634/0x960
[ 112.845566][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.851238][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10
[ 112.856211][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.861866][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.867521][ T5100] ? security_capable+0x98/0xd0
[ 112.872420][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 112.877298][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.882954][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 112.888180][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 112.894190][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.900023][ T5100] sock_do_ioctl+0x119/0x280
[ 112.904651][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10
[ 112.909812][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.915471][ T5100] sock_ioctl+0x22e/0x6c0
[ 112.919841][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 112.924734][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.930386][ T5100] ? __fget_files+0x256/0x400
[ 112.935106][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.940769][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 112.945667][ T5100] __x64_sys_ioctl+0x196/0x220
[ 112.950468][ T5100] do_syscall_64+0xcd/0x250
[ 112.955014][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 112.960954][ T5100] RIP: 0033:0x7fad76d757db
[ 112.965382][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 112.985011][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 112.993448][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db
[ 113.001454][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003
[ 113.009526][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000
[ 113.017509][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 113.025579][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 113.033574][ T5100] </TASK>
[ 113.036596][ T5100]
[ 113.038915][ T5100] Allocated by task 5098:
[ 113.043245][ T5100] kasan_save_stack+0x33/0x60
[ 113.047940][ T5100] kasan_save_track+0x14/0x30
[ 113.052632][ T5100] __kasan_slab_alloc+0x89/0x90
[ 113.057498][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0
[ 113.062977][ T5100] skb_clone+0x190/0x3f0
[ 113.067239][ T5100] hci_cmd_work+0x66a/0x710
[ 113.071777][ T5100] process_one_work+0x9c8/0x1b40
[ 113.076745][ T5100] worker_thread+0x6c8/0xf30
[ 113.081369][ T5100] kthread+0x2c4/0x3a0
[ 113.085472][ T5100] ret_from_fork+0x48/0x80
[ 113.089923][ T5100] ret_from_fork_asm+0x1a/0x30
[ 113.094722][ T5100]
[ 113.097041][ T5100] Freed by task 5098:
[ 113.101021][ T5100] kasan_save_stack+0x33/0x60
[ 113.105712][ T5100] kasan_save_track+0x14/0x30
[ 113.110401][ T5100] kasan_save_free_info+0x3b/0x60
[ 113.115454][ T5100] poison_slab_object+0xf7/0x160
[ 113.120428][ T5100] __kasan_slab_free+0x32/0x50
[ 113.125205][ T5100] kmem_cache_free+0x12f/0x3a0
[ 113.129983][ T5100] kfree_skbmem+0x10e/0x200
[ 113.134525][ T5100] kfree_skb_reason+0x138/0x210
[ 113.139401][ T5100] hci_req_sync_complete+0x16c/0x270
[ 113.144708][ T5100] hci_event_packet+0x966/0x1170
[ 113.149665][ T5100] hci_rx_work+0x2c4/0x1610
[ 113.154196][ T5100] process_one_work+0x9c8/0x1b40
[ 113.159162][ T5100] worker_thread+0x6c8/0xf30
[ 113.163780][ T5100] kthread+0x2c4/0x3a0
[ 113.167885][ T5100] ret_from_fork+0x48/0x80
[ 113.172340][ T5100] ret_from_fork_asm+0x1a/0x30
[ 113.177139][ T5100]
[ 113.179461][ T5100] The buggy address belongs to the object at ffff888066ee5280
[ 113.179461][ T5100] which belongs to the cache skbuff_head_cache of size 240
[ 113.194049][ T5100] The buggy address is located 104 bytes inside of
[ 113.194049][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370)
[ 113.207864][ T5100]
[ 113.210186][ T5100] The buggy address belongs to the physical page:
[ 113.216614][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5
[ 113.225386][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 113.232502][ T5100] page_type: 0xffffefff(slab)
[ 113.237194][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000
[ 113.245794][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 113.254387][ T5100] page dumped because: kasan: bad access detected
[ 113.260824][ T5100] page_owner tracks the page as allocated
[ 113.266546][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900
[ 113.285946][ T5100] post_alloc_hook+0x2d1/0x350
[ 113.290744][ T5100] get_page_from_freelist+0x1353/0x2e50
[ 113.296328][ T5100] __alloc_pages_noprof+0x22b/0x2460
[ 113.301653][ T5100] alloc_slab_page+0x56/0x110
[ 113.306394][ T5100] new_slab+0x84/0x260
[ 113.310482][ T5100] ___slab_alloc+0xdac/0x1870
[ 113.315175][ T5100] __slab_alloc.constprop.0+0x56/0xb0
[ 113.320570][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310
[ 113.326406][ T5100] __alloc_skb+0x2b1/0x380
[ 113.330863][ T5100] hci_prepare_cmd+0x32/0x2b0
[ 113.335568][ T5100] hci_req_add_ev+0x11b/0x2b0
[ 113.340267][ T5100] hci_scan_req+0x87/0x150
[ 113.344704][ T5100] __hci_req_sync+0x145/0x980
[ 113.349401][ T5100] hci_req_sync+0x97/0xd0
[ 113.353748][ T5100] hci_dev_cmd+0x634/0x960
[ 113.358195][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 113.362925][ T5100] page last free pid 1 tgid 1 stack trace:
[ 113.368733][ T5100] free_unref_page+0x64a/0xe40
[ 113.373530][ T5100] free_contig_range+0xb6/0x1a0
[ 113.378411][ T5100] destroy_args+0xa4e/0xe20
[ 113.382953][ T5100] debug_vm_pgtable+0x1705/0x3280
[ 113.388020][ T5100] do_one_initcall+0x12b/0x700
[ 113.392862][ T5100] kernel_init_freeable+0x69d/0xca0
[ 113.398102][ T5100] kernel_init+0x1c/0x2b0
[ 113.402472][ T5100] ret_from_fork+0x48/0x80
[ 113.406925][ T5100] ret_from_fork_asm+0x1a/0x30
[ 113.411726][ T5100]
[ 113.414055][ T5100] Memory state around the buggy address:
[ 113.419686][ T5100] ffff888066ee5180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 113.427763][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 113.435833][ T5100] >ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 113.443899][ T5100] ^
[ 113.451356][ T5100] ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 113.459426][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 113.467489][ T5100] ==================================================================
[ 113.475942][ T5098] Bluetooth: hci3: command tx timeout
[ 113.479050][ T5101] Bluetooth: hci0: command tx timeout
[ 113.486785][ T5100] ==================================================================
[ 113.494882][ T5100] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x26c/0x2b0
[ 113.503256][ T5100] Read of size 1 at addr ffff888066ee52ff by task syz-executor/5100
[ 113.511257][ T5100]
[ 113.513598][ T5100] CPU: 0 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 113.525349][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 113.535430][ T5100] Call Trace:
[ 113.538733][ T5100] <TASK>
[ 113.541683][ T5100] dump_stack_lvl+0x116/0x1f0
[ 113.546409][ T5100] print_report+0xc3/0x620
[ 113.550866][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.556551][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.562229][ T5100] ? __phys_addr+0xc6/0x150
[ 113.566769][ T5100] kasan_report+0xd9/0x110
[ 113.571224][ T5100] ? skb_release_head_state+0x26c/0x2b0
[ 113.576906][ T5100] ? skb_release_head_state+0x26c/0x2b0
[ 113.582504][ T5100] skb_release_head_state+0x26c/0x2b0
[ 113.587925][ T5100] kfree_skb_reason+0xed/0x210
[ 113.592739][ T5100] __hci_req_sync+0x61d/0x980
[ 113.597461][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 113.602699][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 113.607424][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 113.613531][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.619209][ T5100] ? hci_req_sync+0x3f/0xd0
[ 113.623762][ T5100] ? __pfx___might_resched+0x10/0x10
[ 113.629098][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.631908][ T5097] chnl_net:caif_netlink_parms(): no params data found
[ 113.634748][ T5100] ? aa_get_newest_label+0x376/0x680
[ 113.646825][ T5100] hci_req_sync+0x97/0xd0
[ 113.651198][ T5100] ? __pfx_hci_scan_req+0x10/0x10
[ 113.656265][ T5100] hci_dev_cmd+0x634/0x960
[ 113.660734][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.666409][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10
[ 113.671400][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.677081][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.682754][ T5100] ? security_capable+0x98/0xd0
[ 113.687669][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 113.692393][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.698072][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 113.703319][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 113.709351][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.715033][ T5100] sock_do_ioctl+0x119/0x280
[ 113.719689][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10
[ 113.724955][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.730631][ T5100] sock_ioctl+0x22e/0x6c0
[ 113.735022][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 113.739940][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.745613][ T5100] ? __fget_files+0x256/0x400
[ 113.750351][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 113.756027][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 113.761029][ T5100] __x64_sys_ioctl+0x196/0x220
[ 113.765853][ T5100] do_syscall_64+0xcd/0x250
[ 113.770417][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 113.776371][ T5100] RIP: 0033:0x7fad76d757db
[ 113.780811][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 113.800457][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 113.808913][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db
[ 113.816913][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003
[ 113.824936][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000
[ 113.832951][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 113.840948][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 113.848959][ T5100] </TASK>
[ 113.851995][ T5100]
[ 113.854853][ T5100] Allocated by task 5098:
[ 113.859200][ T5100] kasan_save_stack+0x33/0x60
[ 113.863921][ T5100] kasan_save_track+0x14/0x30
[ 113.868641][ T5100] __kasan_slab_alloc+0x89/0x90
[ 113.873530][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0
[ 113.879030][ T5100] skb_clone+0x190/0x3f0
[ 113.883313][ T5100] hci_cmd_work+0x66a/0x710
[ 113.887862][ T5100] process_one_work+0x9c8/0x1b40
[ 113.891696][ T5101] Bluetooth: hci2: command tx timeout
[ 113.892804][ T5100] worker_thread+0x6c8/0xf30
[ 113.898204][ T5101] Bluetooth: hci5: command tx timeout
[ 113.902726][ T5100] kthread+0x2c4/0x3a0
[ 113.902785][ T5100] ret_from_fork+0x48/0x80
[ 113.916649][ T5100] ret_from_fork_asm+0x1a/0x30
[ 113.921462][ T5100]
[ 113.923791][ T5100] Freed by task 5098:
[ 113.927766][ T5100] kasan_save_stack+0x33/0x60
[ 113.932470][ T5100] kasan_save_track+0x14/0x30
[ 113.937151][ T5100] kasan_save_free_info+0x3b/0x60
[ 113.942214][ T5100] poison_slab_object+0xf7/0x160
[ 113.947194][ T5100] __kasan_slab_free+0x32/0x50
[ 113.951966][ T5100] kmem_cache_free+0x12f/0x3a0
[ 113.956737][ T5100] kfree_skbmem+0x10e/0x200
[ 113.961264][ T5100] kfree_skb_reason+0x138/0x210
[ 113.966127][ T5100] hci_req_sync_complete+0x16c/0x270
[ 113.971423][ T5100] hci_event_packet+0x966/0x1170
[ 113.976376][ T5100] hci_rx_work+0x2c4/0x1610
[ 113.980892][ T5100] process_one_work+0x9c8/0x1b40
[ 113.985865][ T5100] worker_thread+0x6c8/0xf30
[ 113.990466][ T5100] kthread+0x2c4/0x3a0
[ 113.994576][ T5100] ret_from_fork+0x48/0x80
[ 113.999014][ T5100] ret_from_fork_asm+0x1a/0x30
[ 114.003824][ T5100]
[ 114.006141][ T5100] The buggy address belongs to the object at ffff888066ee5280
[ 114.006141][ T5100] which belongs to the cache skbuff_head_cache of size 240
[ 114.020724][ T5100] The buggy address is located 127 bytes inside of
[ 114.020724][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370)
[ 114.034527][ T5100]
[ 114.036842][ T5100] The buggy address belongs to the physical page:
[ 114.043242][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5
[ 114.052003][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 114.059115][ T5100] page_type: 0xffffefff(slab)
[ 114.063796][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000
[ 114.072388][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 114.080965][ T5100] page dumped because: kasan: bad access detected
[ 114.087372][ T5100] page_owner tracks the page as allocated
[ 114.093076][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900
[ 114.113088][ T5100] post_alloc_hook+0x2d1/0x350
[ 114.117897][ T5100] get_page_from_freelist+0x1353/0x2e50
[ 114.123492][ T5100] __alloc_pages_noprof+0x22b/0x2460
[ 114.128798][ T5100] alloc_slab_page+0x56/0x110
[ 114.133493][ T5100] new_slab+0x84/0x260
[ 114.137570][ T5100] ___slab_alloc+0xdac/0x1870
[ 114.142365][ T5100] __slab_alloc.constprop.0+0x56/0xb0
[ 114.147764][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310
[ 114.153609][ T5100] __alloc_skb+0x2b1/0x380
[ 114.158222][ T5100] hci_prepare_cmd+0x32/0x2b0
[ 114.162908][ T5100] hci_req_add_ev+0x11b/0x2b0
[ 114.167596][ T5100] hci_scan_req+0x87/0x150
[ 114.172033][ T5100] __hci_req_sync+0x145/0x980
[ 114.176723][ T5100] hci_req_sync+0x97/0xd0
[ 114.181067][ T5100] hci_dev_cmd+0x634/0x960
[ 114.185503][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 114.190210][ T5100] page last free pid 1 tgid 1 stack trace:
[ 114.196008][ T5100] free_unref_page+0x64a/0xe40
[ 114.200793][ T5100] free_contig_range+0xb6/0x1a0
[ 114.205663][ T5100] destroy_args+0xa4e/0xe20
[ 114.210185][ T5100] debug_vm_pgtable+0x1705/0x3280
[ 114.215228][ T5100] do_one_initcall+0x12b/0x700
[ 114.220012][ T5100] kernel_init_freeable+0x69d/0xca0
[ 114.225267][ T5100] kernel_init+0x1c/0x2b0
[ 114.229645][ T5100] ret_from_fork+0x48/0x80
[ 114.234098][ T5100] ret_from_fork_asm+0x1a/0x30
[ 114.238901][ T5100]
[ 114.241218][ T5100] Memory state around the buggy address:
[ 114.246842][ T5100] ffff888066ee5180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 114.254905][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 114.263167][ T5100] >ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 114.271248][ T5100] ^
[ 114.279221][ T5100] ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 114.287283][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 114.295358][ T5100] ==================================================================
[ 114.304480][ T5100] ==================================================================
[ 114.312593][ T5100] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x1ff/0x210
[ 114.320552][ T5100] Read of size 8 at addr ffff888066ee5350 by task syz-executor/5100
[ 114.328542][ T5100]
[ 114.330870][ T5100] CPU: 0 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 114.342623][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 114.352728][ T5100] Call Trace:
[ 114.356018][ T5100] <TASK>
[ 114.358958][ T5100] dump_stack_lvl+0x116/0x1f0
[ 114.363670][ T5100] print_report+0xc3/0x620
[ 114.368129][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.373787][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.379447][ T5100] ? __phys_addr+0xc6/0x150
[ 114.383973][ T5100] kasan_report+0xd9/0x110
[ 114.388589][ T5100] ? kfree_skb_reason+0x1ff/0x210
[ 114.393645][ T5100] ? kfree_skb_reason+0x1ff/0x210
[ 114.398706][ T5100] kfree_skb_reason+0x1ff/0x210
[ 114.403588][ T5100] __hci_req_sync+0x61d/0x980
[ 114.408295][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 114.413518][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 114.418225][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 114.424318][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.429978][ T5100] ? hci_req_sync+0x3f/0xd0
[ 114.434549][ T5100] ? __pfx___might_resched+0x10/0x10
[ 114.439871][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.445531][ T5100] ? aa_get_newest_label+0x376/0x680
[ 114.450871][ T5100] hci_req_sync+0x97/0xd0
[ 114.455225][ T5100] ? __pfx_hci_scan_req+0x10/0x10
[ 114.460276][ T5100] hci_dev_cmd+0x634/0x960
[ 114.464727][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.470385][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10
[ 114.475356][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.481010][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.486667][ T5100] ? security_capable+0x98/0xd0
[ 114.491565][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 114.496274][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.501933][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 114.507159][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 114.513166][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.518826][ T5100] sock_do_ioctl+0x119/0x280
[ 114.523455][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10
[ 114.528614][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.534273][ T5100] sock_ioctl+0x22e/0x6c0
[ 114.538675][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 114.543569][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.549224][ T5100] ? __fget_files+0x256/0x400
[ 114.554039][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 114.559696][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 114.564588][ T5100] __x64_sys_ioctl+0x196/0x220
[ 114.569413][ T5100] do_syscall_64+0xcd/0x250
[ 114.573958][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 114.579896][ T5100] RIP: 0033:0x7fad76d757db
[ 114.584323][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 114.603976][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 114.612412][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db
[ 114.620398][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003
[ 114.628406][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000
[ 114.636414][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 114.644397][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 114.652394][ T5100] </TASK>
[ 114.655425][ T5100]
[ 114.657747][ T5100] Allocated by task 5098:
[ 114.662076][ T5100] kasan_save_stack+0x33/0x60
[ 114.666783][ T5100] kasan_save_track+0x14/0x30
[ 114.671579][ T5100] __kasan_slab_alloc+0x89/0x90
[ 114.676447][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0
[ 114.681956][ T5100] skb_clone+0x190/0x3f0
[ 114.686247][ T5100] hci_cmd_work+0x66a/0x710
[ 114.690778][ T5100] process_one_work+0x9c8/0x1b40
[ 114.695749][ T5100] worker_thread+0x6c8/0xf30
[ 114.700561][ T5100] kthread+0x2c4/0x3a0
[ 114.704668][ T5100] ret_from_fork+0x48/0x80
[ 114.709122][ T5100] ret_from_fork_asm+0x1a/0x30
[ 114.713924][ T5100]
[ 114.716248][ T5100] Freed by task 5098:
[ 114.720230][ T5100] kasan_save_stack+0x33/0x60
[ 114.724926][ T5100] kasan_save_track+0x14/0x30
[ 114.729618][ T5100] kasan_save_free_info+0x3b/0x60
[ 114.734792][ T5100] poison_slab_object+0xf7/0x160
[ 114.739770][ T5100] __kasan_slab_free+0x32/0x50
[ 114.744557][ T5100] kmem_cache_free+0x12f/0x3a0
[ 114.749336][ T5100] kfree_skbmem+0x10e/0x200
[ 114.753881][ T5100] kfree_skb_reason+0x138/0x210
[ 114.758761][ T5100] hci_req_sync_complete+0x16c/0x270
[ 114.764079][ T5100] hci_event_packet+0x966/0x1170
[ 114.769037][ T5100] hci_rx_work+0x2c4/0x1610
[ 114.773569][ T5100] process_one_work+0x9c8/0x1b40
[ 114.778533][ T5100] worker_thread+0x6c8/0xf30
[ 114.783152][ T5100] kthread+0x2c4/0x3a0
[ 114.787259][ T5100] ret_from_fork+0x48/0x80
[ 114.791738][ T5100] ret_from_fork_asm+0x1a/0x30
[ 114.796544][ T5100]
[ 114.798871][ T5100] The buggy address belongs to the object at ffff888066ee5280
[ 114.798871][ T5100] which belongs to the cache skbuff_head_cache of size 240
[ 114.813459][ T5100] The buggy address is located 208 bytes inside of
[ 114.813459][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370)
[ 114.827281][ T5100]
[ 114.829606][ T5100] The buggy address belongs to the physical page:
[ 114.836018][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5
[ 114.844799][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 114.851923][ T5100] page_type: 0xffffefff(slab)
[ 114.856614][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000
[ 114.865830][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 114.874420][ T5100] page dumped because: kasan: bad access detected
[ 114.880925][ T5100] page_owner tracks the page as allocated
[ 114.886641][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900
[ 114.906042][ T5100] post_alloc_hook+0x2d1/0x350
[ 114.910844][ T5100] get_page_from_freelist+0x1353/0x2e50
[ 114.916428][ T5100] __alloc_pages_noprof+0x22b/0x2460
[ 114.921749][ T5100] alloc_slab_page+0x56/0x110
[ 114.926550][ T5100] new_slab+0x84/0x260
[ 114.930636][ T5100] ___slab_alloc+0xdac/0x1870
[ 114.935332][ T5100] __slab_alloc.constprop.0+0x56/0xb0
[ 114.940724][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310
[ 114.946553][ T5100] __alloc_skb+0x2b1/0x380
[ 114.951011][ T5100] hci_prepare_cmd+0x32/0x2b0
[ 114.955718][ T5100] hci_req_add_ev+0x11b/0x2b0
[ 114.960418][ T5100] hci_scan_req+0x87/0x150
[ 114.964857][ T5100] __hci_req_sync+0x145/0x980
[ 114.969554][ T5100] hci_req_sync+0x97/0xd0
[ 114.973994][ T5100] hci_dev_cmd+0x634/0x960
[ 114.978447][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 114.983173][ T5100] page last free pid 1 tgid 1 stack trace:
[ 114.988979][ T5100] free_unref_page+0x64a/0xe40
[ 114.993790][ T5100] free_contig_range+0xb6/0x1a0
[ 114.998673][ T5100] destroy_args+0xa4e/0xe20
[ 115.003213][ T5100] debug_vm_pgtable+0x1705/0x3280
[ 115.008274][ T5100] do_one_initcall+0x12b/0x700
[ 115.013078][ T5100] kernel_init_freeable+0x69d/0xca0
[ 115.018343][ T5100] kernel_init+0x1c/0x2b0
[ 115.022713][ T5100] ret_from_fork+0x48/0x80
[ 115.027167][ T5100] ret_from_fork_asm+0x1a/0x30
[ 115.031972][ T5100]
[ 115.034295][ T5100] Memory state around the buggy address:
[ 115.039929][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 115.048006][ T5100] ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 115.056082][ T5100] >ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 115.064149][ T5100] ^
[ 115.070824][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 115.078984][ T5100] ffff888066ee5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 115.087100][ T5100] ==================================================================
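The four complete reports above are all reads of the same freed 240-byte skbuff_head_cache object at ffff888066ee5280, at 96, 104, 127 and 208 bytes in, with identical allocation (skb_clone from hci_cmd_work) and free (hci_req_sync_complete from hci_rx_work) stacks; they are one bug observed from successive frames of the kfree_skb path in __hci_req_sync, not four. As an added example that is not part of the syzkaller report or of the kernel, here is a small Python triage script that parses KASAN blocks in this console format and folds repeated hits on one slab object into a single finding. The regexes, the field names, the noise-frame list and the condensed sample log it is fed are all assumptions of mine, reconstructed from the lines above.

```python
"""KASAN report triage helper. Added example, not part of the syzkaller report above: it
parses the '====' delimited blocks, strips the console prefix, extracts bug kind, access,
slab object and offset plus the first real frames of each stack, and groups hits on the
same slab object so repeated accesses to one freed buffer surface as one finding."""
import re
from collections import defaultdict

_PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")           # "[  112.6][ T5100] "
_BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
_ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
_OBJECT = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
_CACHE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
_FRAME = re.compile(r"^(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Instrumentation, allocator and workqueue plumbing: never the frame worth reporting.
_NOISE = ("kasan_", "__kasan_", "poison_slab_object", "kmem_cache_", "dump_stack",
          "print_report", "process_one_work", "worker_thread", "kthread", "ret_from_fork")

def _top_frames(lines, start, n=3):
    """First n real frames after index start; a blank line ends the section. Frames the
    unwinder prints with a leading '? ' are unreliable: they fail _FRAME and are skipped."""
    frames = []
    for raw in lines[start:]:
        s = _PREFIX.sub("", raw).strip()
        if not s:
            break
        m = _FRAME.match(s)
        if m and not m["sym"].startswith(_NOISE):
            frames.append(m["sym"])
            if len(frames) == n:
                break
    return frames

def parse_kasan_reports(log):
    """Split a console log into KASAN reports and pull the triage fields out of each."""
    lines = log.splitlines()
    reports, cur = [], None
    for i, raw in enumerate(lines):
        s = _PREFIX.sub("", raw).strip()
        if (m := _BUG.search(s)):
            cur = {"kind": m["kind"], "func": m["func"], "trace": [], "alloc": [], "free": []}
            reports.append(cur)
        elif cur is None:
            continue
        elif (m := _ACCESS.search(s)):
            cur.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16))
        elif (m := _OBJECT.search(s)):
            cur["base"] = int(m["base"], 16)
        elif (m := _CACHE.search(s)):
            cur.update(cache=m["cache"], obj_size=int(m["size"]))
        elif s == "Call Trace:":
            cur["trace"] = _top_frames(lines, i + 1)
        elif s.startswith("Allocated by task"):
            cur["alloc"] = _top_frames(lines, i + 1)
        elif s.startswith("Freed by task"):
            cur["free"] = _top_frames(lines, i + 1)
        elif s.startswith("===="):
            cur = None                                    # closing rule ends the report
    for r in reports:
        if "base" in r and "addr" in r:
            r["offset"] = r["addr"] - r["base"]           # bytes into the slab object
    return reports

def group_by_object(reports):
    """Collapse reports on one slab object: several KASAN hits on one freed buffer,
    as in the log above, are one bug, not several."""
    groups = defaultdict(list)
    for r in reports:
        groups[(r["kind"], r.get("base"))].append(r)
    return [{
        "title": f"KASAN: {kind} in {hits[0]['func']}",   # title in the style syzkaller uses
        "cache": hits[0].get("cache"), "object": base, "hits": len(hits),
        "offsets": sorted(r["offset"] for r in hits if "offset" in r),
        "access_sites": sorted({r["func"] for r in hits}),
        "alloc": hits[0]["alloc"], "free": hits[0]["free"],
    } for (kind, base), hits in groups.items()]

# Constructed sample: one report condensed from the format above, then a second hit on the
# same object from another frame at another offset, as the real log shows.
SAMPLE_LOG = """\
[  112.678188][ T5100] ==================================================================
[  112.686395][ T5100] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x276/0x2b0
[  112.694775][ T5100] Read of size 8 at addr ffff888066ee52e8 by task syz-executor/5100
[  112.727039][ T5100] Call Trace:
[  112.742775][ T5100]  ? srso_alias_return_thunk+0x5/0xfbef5
[  112.758624][ T5100]  kasan_report+0xd9/0x110
[  112.774233][ T5100]  skb_release_head_state+0x276/0x2b0
[  112.779635][ T5100]  kfree_skb_reason+0xed/0x210
[  112.784434][ T5100]  __hci_req_sync+0x61d/0x980
[  113.038915][ T5100] Allocated by task 5098:
[  113.057498][ T5100]  kmem_cache_alloc_noprof+0x121/0x2f0
[  113.062977][ T5100]  skb_clone+0x190/0x3f0
[  113.067239][ T5100]  hci_cmd_work+0x66a/0x710
[  113.094722][ T5100]
[  113.097041][ T5100] Freed by task 5098:
[  113.129983][ T5100]  kfree_skbmem+0x10e/0x200
[  113.134525][ T5100]  kfree_skb_reason+0x138/0x210
[  113.139401][ T5100]  hci_req_sync_complete+0x16c/0x270
[  113.179461][ T5100] The buggy address belongs to the object at ffff888066ee5280
[  113.179461][ T5100]  which belongs to the cache skbuff_head_cache of size 240
[  113.467489][ T5100] ==================================================================
"""
SAMPLE_LOG += (SAMPLE_LOG.replace("in skb_release_head_state+0x276", "in kfree_skb_reason+0x1ff")
               .replace("ffff888066ee52e8", "ffff888066ee5350"))
```

Fed the full console log, the script ignores the interleaved "command tx timeout" and caif lines, since they match none of the patterns, and the 0x5350 hit in the truncated fifth report lands in the same group as the others. Grouping by (kind, object base) is deliberately coarser than grouping by the faulting frame: the frame changes as kfree_skb_reason walks through the dead skb, but the object, its allocation site and its free site do not, and that is the granularity at which a bug gets filed.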
[ 115.097763][ T5098] Bluetooth: hci4: command tx timeout
[ 115.103614][ T5100] ==================================================================
[ 115.111692][ T5100] BUG: KASAN: slab-use-after-free in skb_release_data+0x8c6/0x980
[ 115.119543][ T5100] Read of size 8 at addr ffff888066ee5350 by task syz-executor/5100
[ 115.127547][ T5100]
[ 115.129884][ T5100] CPU: 0 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 115.141627][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 115.151691][ T5100] Call Trace:
[ 115.154978][ T5100] <TASK>
[ 115.157927][ T5100] dump_stack_lvl+0x116/0x1f0
[ 115.162641][ T5100] print_report+0xc3/0x620
[ 115.167065][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.172708][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.178373][ T5100] ? __phys_addr+0xc6/0x150
[ 115.182887][ T5100] kasan_report+0xd9/0x110
[ 115.187489][ T5100] ? skb_release_data+0x8c6/0x980
[ 115.192531][ T5100] ? skb_release_data+0x8c6/0x980
[ 115.197571][ T5100] skb_release_data+0x8c6/0x980
[ 115.202455][ T5100] kfree_skb_reason+0x12b/0x210
[ 115.207319][ T5100] __hci_req_sync+0x61d/0x980
[ 115.212024][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 115.217255][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 115.221949][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 115.228024][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.233668][ T5100] ? hci_req_sync+0x3f/0xd0
[ 115.238186][ T5100] ? __pfx___might_resched+0x10/0x10
[ 115.243492][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.249134][ T5100] ? aa_get_newest_label+0x376/0x680
[ 115.254450][ T5100] hci_req_sync+0x97/0xd0
[ 115.258790][ T5100] ? __pfx_hci_scan_req+0x10/0x10
[ 115.263850][ T5100] hci_dev_cmd+0x634/0x960
[ 115.268286][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.273931][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10
[ 115.278910][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.284570][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.290298][ T5100] ? security_capable+0x98/0xd0
[ 115.295178][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 115.299872][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.305517][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 115.310738][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 115.316769][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.322456][ T5100] sock_do_ioctl+0x119/0x280
[ 115.327094][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10
[ 115.332251][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.338026][ T5100] sock_ioctl+0x22e/0x6c0
[ 115.342574][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 115.347484][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.353150][ T5100] ? __fget_files+0x256/0x400
[ 115.357871][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.363719][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 115.368617][ T5100] __x64_sys_ioctl+0x196/0x220
[ 115.373513][ T5100] do_syscall_64+0xcd/0x250
[ 115.378233][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 115.384172][ T5100] RIP: 0033:0x7fad76d757db
[ 115.388608][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 115.408339][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 115.417235][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db
[ 115.425219][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003
[ 115.433201][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000
[ 115.441173][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 115.449154][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 115.457143][ T5100] </TASK>
[ 115.460159][ T5100]
[ 115.462475][ T5100] Allocated by task 5098:
[ 115.466798][ T5100] kasan_save_stack+0x33/0x60
[ 115.471487][ T5100] kasan_save_track+0x14/0x30
[ 115.476189][ T5100] __kasan_slab_alloc+0x89/0x90
[ 115.481047][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0
[ 115.486515][ T5100] skb_clone+0x190/0x3f0
[ 115.490802][ T5100] hci_cmd_work+0x66a/0x710
[ 115.491687][ T5098] Bluetooth: hci0: command tx timeout
[ 115.495303][ T5100] process_one_work+0x9c8/0x1b40
[ 115.505620][ T5100] worker_thread+0x6c8/0xf30
[ 115.510257][ T5100] kthread+0x2c4/0x3a0
[ 115.514371][ T5100] ret_from_fork+0x48/0x80
[ 115.518809][ T5100] ret_from_fork_asm+0x1a/0x30
[ 115.523599][ T5100]
[ 115.525924][ T5100] Freed by task 5098:
[ 115.529931][ T5100] kasan_save_stack+0x33/0x60
[ 115.534791][ T5100] kasan_save_track+0x14/0x30
[ 115.539472][ T5100] kasan_save_free_info+0x3b/0x60
[ 115.544512][ T5100] poison_slab_object+0xf7/0x160
[ 115.549557][ T5100] __kasan_slab_free+0x32/0x50
[ 115.554325][ T5100] kmem_cache_free+0x12f/0x3a0
[ 115.559092][ T5100] kfree_skbmem+0x10e/0x200
[ 115.563620][ T5100] kfree_skb_reason+0x138/0x210
[ 115.568490][ T5100] hci_req_sync_complete+0x16c/0x270
[ 115.573875][ T5100] hci_event_packet+0x966/0x1170
[ 115.578818][ T5100] hci_rx_work+0x2c4/0x1610
[ 115.583337][ T5100] process_one_work+0x9c8/0x1b40
[ 115.588377][ T5100] worker_thread+0x6c8/0xf30
[ 115.593067][ T5100] kthread+0x2c4/0x3a0
[ 115.597175][ T5100] ret_from_fork+0x48/0x80
[ 115.601614][ T5100] ret_from_fork_asm+0x1a/0x30
[ 115.606451][ T5100]
[ 115.608764][ T5100] The buggy address belongs to the object at ffff888066ee5280
[ 115.608764][ T5100] which belongs to the cache skbuff_head_cache of size 240
[ 115.623345][ T5100] The buggy address is located 208 bytes inside of
[ 115.623345][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370)
[ 115.637434][ T5100]
[ 115.639749][ T5100] The buggy address belongs to the physical page:
[ 115.646153][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5
[ 115.654922][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 115.662032][ T5100] page_type: 0xffffefff(slab)
[ 115.666710][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000
[ 115.675335][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 115.683915][ T5100] page dumped because: kasan: bad access detected
[ 115.690315][ T5100] page_owner tracks the page as allocated
[ 115.696020][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900
[ 115.715399][ T5100] post_alloc_hook+0x2d1/0x350
[ 115.720179][ T5100] get_page_from_freelist+0x1353/0x2e50
[ 115.725742][ T5100] __alloc_pages_noprof+0x22b/0x2460
[ 115.731074][ T5100] alloc_slab_page+0x56/0x110
[ 115.735770][ T5100] new_slab+0x84/0x260
[ 115.739849][ T5100] ___slab_alloc+0xdac/0x1870
[ 115.744530][ T5100] __slab_alloc.constprop.0+0x56/0xb0
[ 115.749909][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310
[ 115.755728][ T5100] __alloc_skb+0x2b1/0x380
[ 115.760194][ T5100] hci_prepare_cmd+0x32/0x2b0
[ 115.764880][ T5100] hci_req_add_ev+0x11b/0x2b0
[ 115.769566][ T5100] hci_scan_req+0x87/0x150
[ 115.773994][ T5100] __hci_req_sync+0x145/0x980
[ 115.778679][ T5100] hci_req_sync+0x97/0xd0
[ 115.783042][ T5100] hci_dev_cmd+0x634/0x960
[ 115.787495][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 115.792185][ T5100] page last free pid 1 tgid 1 stack trace:
[ 115.797988][ T5100] free_unref_page+0x64a/0xe40
[ 115.802774][ T5100] free_contig_range+0xb6/0x1a0
[ 115.807648][ T5100] destroy_args+0xa4e/0xe20
[ 115.812173][ T5100] debug_vm_pgtable+0x1705/0x3280
[ 115.817226][ T5100] do_one_initcall+0x12b/0x700
[ 115.822035][ T5100] kernel_init_freeable+0x69d/0xca0
[ 115.827256][ T5100] kernel_init+0x1c/0x2b0
[ 115.831614][ T5100] ret_from_fork+0x48/0x80
[ 115.836078][ T5100] ret_from_fork_asm+0x1a/0x30
[ 115.840862][ T5100]
[ 115.843178][ T5100] Memory state around the buggy address:
[ 115.848826][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 115.856890][ T5100] ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 115.865044][ T5100] >ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 115.873104][ T5100] ^
[ 115.879803][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 115.888001][ T5100] ffff888066ee5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 115.896063][ T5100] ==================================================================
[ 115.905231][ T5098] Bluetooth: hci3: command tx timeout
[ 115.910725][ T5100] ==================================================================
[ 115.918814][ T5100] BUG: KASAN: slab-use-after-free in skb_release_data+0x813/0x980
[ 115.926700][ T5100] Read of size 4 at addr ffff888066ee534c by task syz-executor/5100
[ 115.934699][ T5100]
[ 115.937032][ T5100] CPU: 0 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 115.948776][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 115.958858][ T5100] Call Trace:
[ 115.962439][ T5100] <TASK>
[ 115.965381][ T5100] dump_stack_lvl+0x116/0x1f0
[ 115.970095][ T5100] print_report+0xc3/0x620
[ 115.974542][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.980206][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.985884][ T5100] ? __phys_addr+0xc6/0x150
[ 115.990504][ T5100] kasan_report+0xd9/0x110
[ 115.994955][ T5100] ? skb_release_data+0x813/0x980
[ 116.000039][ T5100] ? skb_release_data+0x813/0x980
[ 116.005128][ T5100] skb_release_data+0x813/0x980
[ 116.010043][ T5100] kfree_skb_reason+0x12b/0x210
[ 116.014931][ T5100] __hci_req_sync+0x61d/0x980
[ 116.019643][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 116.024874][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 116.029586][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 116.035683][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.041371][ T5100] ? hci_req_sync+0x3f/0xd0
[ 116.045914][ T5100] ? __pfx___might_resched+0x10/0x10
[ 116.051264][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.056926][ T5100] ? aa_get_newest_label+0x376/0x680
[ 116.062272][ T5100] hci_req_sync+0x97/0xd0
[ 116.066631][ T5100] ? __pfx_hci_scan_req+0x10/0x10
[ 116.071779][ T5100] hci_dev_cmd+0x634/0x960
[ 116.076236][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.081917][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10
[ 116.086919][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.092582][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.098241][ T5100] ? security_capable+0x98/0xd0
[ 116.103176][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 116.107912][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.113599][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 116.118829][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 116.124864][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.130527][ T5100] sock_do_ioctl+0x119/0x280
[ 116.135161][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10
[ 116.140325][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.146016][ T5100] sock_ioctl+0x22e/0x6c0
[ 116.150480][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 116.155660][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.161318][ T5100] ? __fget_files+0x256/0x400
[ 116.166038][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.171696][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 116.176612][ T5100] __x64_sys_ioctl+0x196/0x220
[ 116.181852][ T5100] do_syscall_64+0xcd/0x250
[ 116.186393][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 116.192329][ T5100] RIP: 0033:0x7fad76d757db
[ 116.196792][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 116.216719][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 116.225175][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db
[ 116.233161][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003
[ 116.241432][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000
[ 116.249442][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 116.257459][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 116.265465][ T5100] </TASK>
[ 116.268601][ T5100]
[ 116.270931][ T5100] Allocated by task 5098:
[ 116.275284][ T5100] kasan_save_stack+0x33/0x60
[ 116.279981][ T5100] kasan_save_track+0x14/0x30
[ 116.284672][ T5100] __kasan_slab_alloc+0x89/0x90
[ 116.289558][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0
[ 116.295040][ T5100] skb_clone+0x190/0x3f0
[ 116.299304][ T5100] hci_cmd_work+0x66a/0x710
[ 116.303837][ T5100] process_one_work+0x9c8/0x1b40
[ 116.308805][ T5100] worker_thread+0x6c8/0xf30
[ 116.313446][ T5100] kthread+0x2c4/0x3a0
[ 116.317551][ T5100] ret_from_fork+0x48/0x80
[ 116.322004][ T5100] ret_from_fork_asm+0x1a/0x30
[ 116.326814][ T5100]
[ 116.329142][ T5100] Freed by task 5098:
[ 116.333218][ T5100] kasan_save_stack+0x33/0x60
[ 116.337911][ T5100] kasan_save_track+0x14/0x30
[ 116.342601][ T5100] kasan_save_free_info+0x3b/0x60
[ 116.347655][ T5100] poison_slab_object+0xf7/0x160
[ 116.352631][ T5100] __kasan_slab_free+0x32/0x50
[ 116.357412][ T5100] kmem_cache_free+0x12f/0x3a0
[ 116.362193][ T5100] kfree_skbmem+0x10e/0x200
[ 116.366734][ T5100] kfree_skb_reason+0x138/0x210
[ 116.371612][ T5100] hci_req_sync_complete+0x16c/0x270
[ 116.376918][ T5100] hci_event_packet+0x966/0x1170
[ 116.381876][ T5100] hci_rx_work+0x2c4/0x1610
[ 116.386407][ T5100] process_one_work+0x9c8/0x1b40
[ 116.391370][ T5100] worker_thread+0x6c8/0xf30
[ 116.395987][ T5100] kthread+0x2c4/0x3a0
[ 116.400090][ T5100] ret_from_fork+0x48/0x80
[ 116.404541][ T5100] ret_from_fork_asm+0x1a/0x30
[ 116.409341][ T5100]
[ 116.411667][ T5100] The buggy address belongs to the object at ffff888066ee5280
[ 116.411667][ T5100] which belongs to the cache skbuff_head_cache of size 240
[ 116.426252][ T5100] The buggy address is located 204 bytes inside of
[ 116.426252][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370)
[ 116.440263][ T5100]
[ 116.442604][ T5100] The buggy address belongs to the physical page:
[ 116.449016][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5
[ 116.457801][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 116.464919][ T5100] page_type: 0xffffefff(slab)
[ 116.469611][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000
[ 116.478215][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 116.486810][ T5100] page dumped because: kasan: bad access detected
[ 116.493223][ T5100] page_owner tracks the page as allocated
[ 116.498934][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900
[ 116.518334][ T5100] post_alloc_hook+0x2d1/0x350
[ 116.523135][ T5100] get_page_from_freelist+0x1353/0x2e50
[ 116.528716][ T5100] __alloc_pages_noprof+0x22b/0x2460
[ 116.534043][ T5100] alloc_slab_page+0x56/0x110
[ 116.538755][ T5100] new_slab+0x84/0x260
[ 116.542845][ T5100] ___slab_alloc+0xdac/0x1870
[ 116.547540][ T5100] __slab_alloc.constprop.0+0x56/0xb0
[ 116.552934][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310
[ 116.558764][ T5100] __alloc_skb+0x2b1/0x380
[ 116.563221][ T5100] hci_prepare_cmd+0x32/0x2b0
[ 116.567922][ T5100] hci_req_add_ev+0x11b/0x2b0
[ 116.572619][ T5100] hci_scan_req+0x87/0x150
[ 116.577055][ T5100] __hci_req_sync+0x145/0x980
[ 116.581750][ T5100] hci_req_sync+0x97/0xd0
[ 116.586104][ T5100] hci_dev_cmd+0x634/0x960
[ 116.590547][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 116.595249][ T5100] page last free pid 1 tgid 1 stack trace:
[ 116.601055][ T5100] free_unref_page+0x64a/0xe40
[ 116.605854][ T5100] free_contig_range+0xb6/0x1a0
[ 116.610739][ T5100] destroy_args+0xa4e/0xe20
[ 116.615283][ T5100] debug_vm_pgtable+0x1705/0x3280
[ 116.620345][ T5100] do_one_initcall+0x12b/0x700
[ 116.625143][ T5100] kernel_init_freeable+0x69d/0xca0
[ 116.630377][ T5100] kernel_init+0x1c/0x2b0
[ 116.634743][ T5100] ret_from_fork+0x48/0x80
[ 116.639198][ T5100] ret_from_fork_asm+0x1a/0x30
[ 116.644000][ T5100]
[ 116.646321][ T5100] Memory state around the buggy address:
[ 116.651954][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 116.660027][ T5100] ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 116.668099][ T5100] >ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 116.676163][ T5100] ^
[ 116.682583][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 116.690652][ T5100] ffff888066ee5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 116.698722][ T5100] ==================================================================
[ 116.707045][ T5098] Bluetooth: hci5: command tx timeout
[ 116.707528][ T5101] Bluetooth: hci2: command tx timeout
[ 116.775611][ T5103] chnl_net:caif_netlink_parms(): no params data found
[ 116.778955][ T5100] ==================================================================
[ 116.790585][ T5100] BUG: KASAN: slab-use-after-free in skb_release_data+0x806/0x980
[ 116.798442][ T5100] Read of size 1 at addr ffff888066ee52fe by task syz-executor/5100
[ 116.806454][ T5100]
[ 116.808801][ T5100] CPU: 0 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 116.820556][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 116.830647][ T5100] Call Trace:
[ 116.833945][ T5100] <TASK>
[ 116.836897][ T5100] dump_stack_lvl+0x116/0x1f0
[ 116.841622][ T5100] print_report+0xc3/0x620
[ 116.846139][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.851821][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.857491][ T5100] ? __phys_addr+0xc6/0x150
[ 116.862003][ T5100] kasan_report+0xd9/0x110
[ 116.866430][ T5100] ? skb_release_data+0x806/0x980
[ 116.871466][ T5100] ? skb_release_data+0x806/0x980
[ 116.876958][ T5100] skb_release_data+0x806/0x980
[ 116.881839][ T5100] kfree_skb_reason+0x12b/0x210
[ 116.886704][ T5100] __hci_req_sync+0x61d/0x980
[ 116.891394][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 116.896602][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 116.901292][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 116.907376][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.913022][ T5100] ? hci_req_sync+0x3f/0xd0
[ 116.917542][ T5100] ? __pfx___might_resched+0x10/0x10
[ 116.922847][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.928490][ T5100] ? aa_get_newest_label+0x376/0x680
[ 116.933812][ T5100] hci_req_sync+0x97/0xd0
[ 116.938154][ T5100] ? __pfx_hci_scan_req+0x10/0x10
[ 116.943194][ T5100] hci_dev_cmd+0x634/0x960
[ 116.947630][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.953276][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10
[ 116.958231][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.963891][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.969532][ T5100] ? security_capable+0x98/0xd0
[ 116.974412][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 116.979367][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.985013][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 116.990222][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 116.996216][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.001861][ T5100] sock_do_ioctl+0x119/0x280
[ 117.006469][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10
[ 117.011607][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.017247][ T5100] sock_ioctl+0x22e/0x6c0
[ 117.021605][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 117.026501][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.032177][ T5100] ? __fget_files+0x256/0x400
[ 117.036878][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.042520][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 117.047397][ T5100] __x64_sys_ioctl+0x196/0x220
[ 117.052268][ T5100] do_syscall_64+0xcd/0x250
[ 117.056789][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 117.062708][ T5100] RIP: 0033:0x7fad76d757db
[ 117.067123][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 117.086767][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 117.095198][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db
[ 117.103351][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003
[ 117.111341][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000
[ 117.119319][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 117.127297][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 117.135284][ T5100] </TASK>
[ 117.138295][ T5100]
[ 117.140605][ T5100] Allocated by task 5098:
[ 117.144926][ T5100] kasan_save_stack+0x33/0x60
[ 117.149606][ T5100] kasan_save_track+0x14/0x30
[ 117.154369][ T5100] __kasan_slab_alloc+0x89/0x90
[ 117.159221][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0
[ 117.164686][ T5100] skb_clone+0x190/0x3f0
[ 117.168934][ T5100] hci_cmd_work+0x66a/0x710
[ 117.173448][ T5100] process_one_work+0x9c8/0x1b40
[ 117.178394][ T5100] worker_thread+0x6c8/0xf30
[ 117.182992][ T5100] kthread+0x2c4/0x3a0
[ 117.187078][ T5100] ret_from_fork+0x48/0x80
[ 117.191517][ T5100] ret_from_fork_asm+0x1a/0x30
[ 117.196306][ T5100]
[ 117.198616][ T5100] Freed by task 5098:
[ 117.202593][ T5100] kasan_save_stack+0x33/0x60
[ 117.207269][ T5100] kasan_save_track+0x14/0x30
[ 117.211946][ T5100] kasan_save_free_info+0x3b/0x60
[ 117.216984][ T5100] poison_slab_object+0xf7/0x160
[ 117.221943][ T5100] __kasan_slab_free+0x32/0x50
[ 117.226708][ T5100] kmem_cache_free+0x12f/0x3a0
[ 117.231479][ T5100] kfree_skbmem+0x10e/0x200
[ 117.236021][ T5100] kfree_skb_reason+0x138/0x210
[ 117.240899][ T5100] hci_req_sync_complete+0x16c/0x270
[ 117.246190][ T5100] hci_event_packet+0x966/0x1170
[ 117.251133][ T5100] hci_rx_work+0x2c4/0x1610
[ 117.255647][ T5100] process_one_work+0x9c8/0x1b40
[ 117.260601][ T5100] worker_thread+0x6c8/0xf30
[ 117.265202][ T5100] kthread+0x2c4/0x3a0
[ 117.269285][ T5100] ret_from_fork+0x48/0x80
[ 117.273740][ T5100] ret_from_fork_asm+0x1a/0x30
[ 117.278523][ T5100]
[ 117.280834][ T5100] The buggy address belongs to the object at ffff888066ee5280
[ 117.280834][ T5100] which belongs to the cache skbuff_head_cache of size 240
[ 117.295411][ T5100] The buggy address is located 126 bytes inside of
[ 117.295411][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370)
[ 117.309301][ T5100]
[ 117.311621][ T5100] The buggy address belongs to the physical page:
[ 117.318043][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5
[ 117.326810][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 117.333917][ T5100] page_type: 0xffffefff(slab)
[ 117.338595][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000
[ 117.347185][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 117.355766][ T5100] page dumped because: kasan: bad access detected
[ 117.362195][ T5100] page_owner tracks the page as allocated
[ 117.367900][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900
[ 117.387281][ T5100] post_alloc_hook+0x2d1/0x350
[ 117.392064][ T5100] get_page_from_freelist+0x1353/0x2e50
[ 117.397628][ T5100] __alloc_pages_noprof+0x22b/0x2460
[ 117.402933][ T5100] alloc_slab_page+0x56/0x110
[ 117.407627][ T5100] new_slab+0x84/0x260
[ 117.411702][ T5100] ___slab_alloc+0xdac/0x1870
[ 117.416381][ T5100] __slab_alloc.constprop.0+0x56/0xb0
[ 117.421780][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310
[ 117.427601][ T5100] __alloc_skb+0x2b1/0x380
[ 117.432039][ T5100] hci_prepare_cmd+0x32/0x2b0
[ 117.436723][ T5100] hci_req_add_ev+0x11b/0x2b0
[ 117.441405][ T5100] hci_scan_req+0x87/0x150
[ 117.445833][ T5100] __hci_req_sync+0x145/0x980
[ 117.450516][ T5100] hci_req_sync+0x97/0xd0
[ 117.454852][ T5100] hci_dev_cmd+0x634/0x960
[ 117.459281][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 117.463966][ T5100] page last free pid 1 tgid 1 stack trace:
[ 117.469762][ T5100] free_unref_page+0x64a/0xe40
[ 117.474543][ T5100] free_contig_range+0xb6/0x1a0
[ 117.479407][ T5100] destroy_args+0xa4e/0xe20
[ 117.483927][ T5100] debug_vm_pgtable+0x1705/0x3280
[ 117.488969][ T5100] do_one_initcall+0x12b/0x700
[ 117.493748][ T5100] kernel_init_freeable+0x69d/0xca0
[ 117.498966][ T5100] kernel_init+0x1c/0x2b0
[ 117.503313][ T5100] ret_from_fork+0x48/0x80
[ 117.507746][ T5100] ret_from_fork_asm+0x1a/0x30
[ 117.512532][ T5100]
[ 117.514843][ T5100] Memory state around the buggy address:
[ 117.520460][ T5100] ffff888066ee5180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 117.528524][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 117.536586][ T5100] >ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 117.544643][ T5100] ^
[ 117.552616][ T5100] ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 117.560874][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 117.568928][ T5100] ==================================================================
[ 117.571672][ T5101] Bluetooth: hci0: command tx timeout
[ 117.578119][ T5098] Bluetooth: hci4: command tx timeout
[ 117.588156][ T5100] ==================================================================
[ 117.596233][ T5100] BUG: KASAN: slab-use-after-free in skb_release_data+0x8dd/0x980
[ 117.604082][ T5100] Read of size 8 at addr ffff888066ee5350 by task syz-executor/5100
[ 117.612084][ T5100]
[ 117.614411][ T5100] CPU: 0 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 117.626151][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 117.636209][ T5100] Call Trace:
[ 117.639483][ T5100] <TASK>
[ 117.642412][ T5100] dump_stack_lvl+0x116/0x1f0
[ 117.647121][ T5100] print_report+0xc3/0x620
[ 117.651554][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.657215][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.662856][ T5100] ? __phys_addr+0xc6/0x150
[ 117.667365][ T5100] kasan_report+0xd9/0x110
[ 117.671802][ T5100] ? skb_release_data+0x8dd/0x980
[ 117.676861][ T5100] ? skb_release_data+0x8dd/0x980
[ 117.681902][ T5100] skb_release_data+0x8dd/0x980
[ 117.686766][ T5100] kfree_skb_reason+0x12b/0x210
[ 117.691647][ T5100] __hci_req_sync+0x61d/0x980
[ 117.696353][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 117.701565][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 117.706254][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 117.712334][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.717997][ T5100] ? hci_req_sync+0x3f/0xd0
[ 117.722516][ T5100] ? __pfx___might_resched+0x10/0x10
[ 117.727820][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.733462][ T5100] ? aa_get_newest_label+0x376/0x680
[ 117.738777][ T5100] hci_req_sync+0x97/0xd0
[ 117.743144][ T5100] ? __pfx_hci_scan_req+0x10/0x10
[ 117.748181][ T5100] hci_dev_cmd+0x634/0x960
[ 117.752614][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.758254][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10
[ 117.763208][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.768846][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.774496][ T5100] ? security_capable+0x98/0xd0
[ 117.779460][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 117.784151][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.789793][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 117.795007][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 117.800999][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.806644][ T5100] sock_do_ioctl+0x119/0x280
[ 117.811342][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10
[ 117.816569][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.822216][ T5100] sock_ioctl+0x22e/0x6c0
[ 117.826590][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 117.831465][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.837125][ T5100] ? __fget_files+0x256/0x400
[ 117.842000][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.847642][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 117.852514][ T5100] __x64_sys_ioctl+0x196/0x220
[ 117.857384][ T5100] do_syscall_64+0xcd/0x250
[ 117.861906][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 117.867823][ T5100] RIP: 0033:0x7fad76d757db
[ 117.872237][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 117.891869][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 117.900309][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db
[ 117.908283][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003
[ 117.916280][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000
[ 117.924255][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 117.932228][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 117.940211][ T5100] </TASK>
[ 117.943224][ T5100]
[ 117.945540][ T5100] Allocated by task 5098:
[ 117.949855][ T5100] kasan_save_stack+0x33/0x60
[ 117.954535][ T5100] kasan_save_track+0x14/0x30
[ 117.959212][ T5100] __kasan_slab_alloc+0x89/0x90
[ 117.964068][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0
[ 117.969536][ T5100] skb_clone+0x190/0x3f0
[ 117.971630][ T5101] Bluetooth: hci3: command tx timeout
[ 117.973772][ T5100] hci_cmd_work+0x66a/0x710
[ 117.983653][ T5100] process_one_work+0x9c8/0x1b40
[ 117.988665][ T5100] worker_thread+0x6c8/0xf30
[ 117.993296][ T5100] kthread+0x2c4/0x3a0
[ 117.997495][ T5100] ret_from_fork+0x48/0x80
[ 118.001931][ T5100] ret_from_fork_asm+0x1a/0x30
[ 118.006713][ T5100]
[ 118.009025][ T5100] Freed by task 5098:
[ 118.013036][ T5100] kasan_save_stack+0x33/0x60
[ 118.017714][ T5100] kasan_save_track+0x14/0x30
[ 118.022391][ T5100] kasan_save_free_info+0x3b/0x60
[ 118.027428][ T5100] poison_slab_object+0xf7/0x160
[ 118.032387][ T5100] __kasan_slab_free+0x32/0x50
[ 118.037152][ T5100] kmem_cache_free+0x12f/0x3a0
[ 118.041918][ T5100] kfree_skbmem+0x10e/0x200
[ 118.046444][ T5100] kfree_skb_reason+0x138/0x210
[ 118.051301][ T5100] hci_req_sync_complete+0x16c/0x270
[ 118.056592][ T5100] hci_event_packet+0x966/0x1170
[ 118.061540][ T5100] hci_rx_work+0x2c4/0x1610
[ 118.066073][ T5100] process_one_work+0x9c8/0x1b40
[ 118.071039][ T5100] worker_thread+0x6c8/0xf30
[ 118.075640][ T5100] kthread+0x2c4/0x3a0
[ 118.079726][ T5100] ret_from_fork+0x48/0x80
[ 118.084682][ T5100] ret_from_fork_asm+0x1a/0x30
[ 118.089462][ T5100]
[ 118.091868][ T5100] The buggy address belongs to the object at ffff888066ee5280
[ 118.091868][ T5100] which belongs to the cache skbuff_head_cache of size 240
[ 118.106459][ T5100] The buggy address is located 208 bytes inside of
[ 118.106459][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370)
[ 118.120276][ T5100]
[ 118.122591][ T5100] The buggy address belongs to the physical page:
[ 118.128989][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5
[ 118.137749][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 118.144854][ T5100] page_type: 0xffffefff(slab)
[ 118.149530][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000
[ 118.158115][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 118.166693][ T5100] page dumped because: kasan: bad access detected
[ 118.173099][ T5100] page_owner tracks the page as allocated
[ 118.178803][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900
[ 118.198176][ T5100] post_alloc_hook+0x2d1/0x350
[ 118.202962][ T5100] get_page_from_freelist+0x1353/0x2e50
[ 118.208541][ T5100] __alloc_pages_noprof+0x22b/0x2460
[ 118.213850][ T5100] alloc_slab_page+0x56/0x110
[ 118.218544][ T5100] new_slab+0x84/0x260
[ 118.222613][ T5100] ___slab_alloc+0xdac/0x1870
[ 118.227293][ T5100] __slab_alloc.constprop.0+0x56/0xb0
[ 118.232672][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310
[ 118.238485][ T5100] __alloc_skb+0x2b1/0x380
[ 118.242918][ T5100] hci_prepare_cmd+0x32/0x2b0
[ 118.247604][ T5100] hci_req_add_ev+0x11b/0x2b0
[ 118.252288][ T5100] hci_scan_req+0x87/0x150
[ 118.256804][ T5100] __hci_req_sync+0x145/0x980
[ 118.261491][ T5100] hci_req_sync+0x97/0xd0
[ 118.265840][ T5100] hci_dev_cmd+0x634/0x960
[ 118.270269][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 118.274952][ T5100] page last free pid 1 tgid 1 stack trace:
[ 118.280745][ T5100] free_unref_page+0x64a/0xe40
[ 118.285525][ T5100] free_contig_range+0xb6/0x1a0
[ 118.290386][ T5100] destroy_args+0xa4e/0xe20
[ 118.294905][ T5100] debug_vm_pgtable+0x1705/0x3280
[ 118.299950][ T5100] do_one_initcall+0x12b/0x700
[ 118.304727][ T5100] kernel_init_freeable+0x69d/0xca0
[ 118.309941][ T5100] kernel_init+0x1c/0x2b0
[ 118.314314][ T5100] ret_from_fork+0x48/0x80
[ 118.318745][ T5100] ret_from_fork_asm+0x1a/0x30
[ 118.323526][ T5100]
[ 118.325837][ T5100] Memory state around the buggy address:
[ 118.331455][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 118.339530][ T5100] ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 118.347593][ T5100] >ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 118.355648][ T5100] ^
[ 118.362315][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 118.370376][ T5100] ffff888066ee5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 118.378433][ T5100] ==================================================================
[ 118.391406][ T5100] ==================================================================
[ 118.399491][ T5100] BUG: KASAN: slab-use-after-free in skb_release_data+0x857/0x980
[ 118.407329][ T5100] Read of size 4 at addr ffff888066ee534c by task syz-executor/5100
[ 118.415319][ T5100]
[ 118.417645][ T5100] CPU: 0 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 118.429379][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 118.439442][ T5100] Call Trace:
[ 118.442728][ T5100]
[ 118.445666][ T5100] dump_stack_lvl+0x116/0x1f0
[ 118.450373][ T5100] print_report+0xc3/0x620
[ 118.454819][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.460476][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.466136][ T5100] ? __phys_addr+0xc6/0x150
[ 118.470662][ T5100] kasan_report+0xd9/0x110
[ 118.475106][ T5100] ? skb_release_data+0x857/0x980
[ 118.480158][ T5100] ? skb_release_data+0x857/0x980
[ 118.485212][ T5100] skb_release_data+0x857/0x980
[ 118.490186][ T5100] kfree_skb_reason+0x12b/0x210
[ 118.495082][ T5100] __hci_req_sync+0x61d/0x980
[ 118.499878][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 118.505103][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 118.509839][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 118.515932][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.521586][ T5100] ? hci_req_sync+0x3f/0xd0
[ 118.526122][ T5100] ? __pfx___might_resched+0x10/0x10
[ 118.531440][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.537101][ T5100] ? aa_get_newest_label+0x376/0x680
[ 118.542436][ T5100] hci_req_sync+0x97/0xd0
[ 118.546797][ T5100] ? __pfx_hci_scan_req+0x10/0x10
[ 118.551852][ T5100] hci_dev_cmd+0x634/0x960
[ 118.556301][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.561957][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10
[ 118.566929][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.572585][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.578239][ T5100] ? security_capable+0x98/0xd0
[ 118.583141][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 118.587872][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.593527][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 118.598753][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 118.604764][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.610424][ T5100] sock_do_ioctl+0x119/0x280
[ 118.615169][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10
[ 118.620331][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.625989][ T5100] sock_ioctl+0x22e/0x6c0
[ 118.630358][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 118.635254][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.640909][ T5100] ? __fget_files+0x256/0x400
[ 118.645628][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.651287][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 118.656355][ T5100] __x64_sys_ioctl+0x196/0x220
[ 118.661160][ T5100] do_syscall_64+0xcd/0x250
[ 118.665700][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 118.671658][ T5100] RIP: 0033:0x7fad76d757db
[ 118.676090][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 118.695720][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 118.704159][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db
[ 118.712150][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003
[ 118.720135][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000
[ 118.728117][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 118.736100][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 118.744097][ T5100]
[ 118.747121][ T5100]
[ 118.749441][ T5100] Allocated by task 5098:
[ 118.753770][ T5100] kasan_save_stack+0x33/0x60
[ 118.758465][ T5100] kasan_save_track+0x14/0x30
[ 118.763155][ T5100] __kasan_slab_alloc+0x89/0x90
[ 118.768022][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0
[ 118.773507][ T5100] skb_clone+0x190/0x3f0
[ 118.777771][ T5100] hci_cmd_work+0x66a/0x710
[ 118.782299][ T5100] process_one_work+0x9c8/0x1b40
[ 118.787261][ T5100] worker_thread+0x6c8/0xf30
[ 118.791880][ T5100] kthread+0x2c4/0x3a0
[ 118.795983][ T5100] ret_from_fork+0x48/0x80
[ 118.800436][ T5100] ret_from_fork_asm+0x1a/0x30
[ 118.805235][ T5100]
[ 118.807554][ T5100] Freed by task 5098:
[ 118.811533][ T5100] kasan_save_stack+0x33/0x60
[ 118.816221][ T5100] kasan_save_track+0x14/0x30
[ 118.820908][ T5100] kasan_save_free_info+0x3b/0x60
[ 118.826108][ T5100] poison_slab_object+0xf7/0x160
[ 118.831190][ T5100] __kasan_slab_free+0x32/0x50
[ 118.835979][ T5100] kmem_cache_free+0x12f/0x3a0
[ 118.840758][ T5100] kfree_skbmem+0x10e/0x200
[ 118.845310][ T5100] kfree_skb_reason+0x138/0x210
[ 118.850184][ T5100] hci_req_sync_complete+0x16c/0x270
[ 118.855488][ T5100] hci_event_packet+0x966/0x1170
[ 118.860452][ T5100] hci_rx_work+0x2c4/0x1610
[ 118.864985][ T5100] process_one_work+0x9c8/0x1b40
[ 118.869954][ T5100] worker_thread+0x6c8/0xf30
[ 118.874572][ T5100] kthread+0x2c4/0x3a0
[ 118.878676][ T5100] ret_from_fork+0x48/0x80
[ 118.883211][ T5100] ret_from_fork_asm+0x1a/0x30
[ 118.888011][ T5100]
[ 118.890334][ T5100] The buggy address belongs to the object at ffff888066ee5280
[ 118.890334][ T5100] which belongs to the cache skbuff_head_cache of size 240
[ 118.904919][ T5100] The buggy address is located 204 bytes inside of
[ 118.904919][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370)
[ 118.918735][ T5100]
[ 118.921056][ T5100] The buggy address belongs to the physical page:
[ 118.927468][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5
[ 118.936328][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 118.943444][ T5100] page_type: 0xffffefff(slab)
[ 118.948136][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000
[ 118.956766][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 118.965356][ T5100] page dumped because: kasan: bad access detected
[ 118.971768][ T5100] page_owner tracks the page as allocated
[ 118.977483][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900
[ 118.996876][ T5100] post_alloc_hook+0x2d1/0x350
[ 119.001740][ T5100] get_page_from_freelist+0x1353/0x2e50
[ 119.007327][ T5100] __alloc_pages_noprof+0x22b/0x2460
[ 119.012647][ T5100] alloc_slab_page+0x56/0x110
[ 119.017358][ T5100] new_slab+0x84/0x260
[ 119.021440][ T5100] ___slab_alloc+0xdac/0x1870
[ 119.026135][ T5100] __slab_alloc.constprop.0+0x56/0xb0
[ 119.031528][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310
[ 119.037356][ T5100] __alloc_skb+0x2b1/0x380
[ 119.041813][ T5100] hci_prepare_cmd+0x32/0x2b0
[ 119.046511][ T5100] hci_req_add_ev+0x11b/0x2b0
[ 119.051205][ T5100] hci_scan_req+0x87/0x150
[ 119.055644][ T5100] __hci_req_sync+0x145/0x980
[ 119.060338][ T5100] hci_req_sync+0x97/0xd0
[ 119.064686][ T5100] hci_dev_cmd+0x634/0x960
[ 119.069133][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 119.073834][ T5100] page last free pid 1 tgid 1 stack trace:
[ 119.079640][ T5100] free_unref_page+0x64a/0xe40
[ 119.084458][ T5100] free_contig_range+0xb6/0x1a0
[ 119.089352][ T5100] destroy_args+0xa4e/0xe20
[ 119.093890][ T5100] debug_vm_pgtable+0x1705/0x3280
[ 119.098949][ T5100] do_one_initcall+0x12b/0x700
[ 119.103748][ T5100] kernel_init_freeable+0x69d/0xca0
[ 119.108986][ T5100] kernel_init+0x1c/0x2b0
[ 119.113354][ T5100] ret_from_fork+0x48/0x80
[ 119.117806][ T5100] ret_from_fork_asm+0x1a/0x30
[ 119.122611][ T5100]
[ 119.124954][ T5100] Memory state around the buggy address:
[ 119.130589][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 119.138658][ T5100] ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 119.146729][ T5100] >ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 119.154792][ T5100] ^
[ 119.161209][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 119.169277][ T5100] ffff888066ee5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 119.177345][ T5100] ==================================================================
[ 119.186916][ T5100] ==================================================================
[ 119.194999][ T5100] BUG: KASAN: slab-use-after-free in skb_free_head+0x1ae/0x1d0
[ 119.201555][ T5101] Bluetooth: hci2: command tx timeout
[ 119.202558][ T5100] Read of size 8 at addr ffff888066ee5350 by task syz-executor/5100
[ 119.207932][ T5101] Bluetooth: hci5: command tx timeout
[ 119.215841][ T5100]
[ 119.215852][ T5100] CPU: 1 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 119.215899][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 119.215923][ T5100] Call Trace:
[ 119.215937][ T5100]
[ 119.215952][ T5100] dump_stack_lvl+0x116/0x1f0
[ 119.216004][ T5100] print_report+0xc3/0x620
[ 119.260887][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 119.266546][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 119.272200][ T5100] ? __phys_addr+0xc6/0x150
[ 119.276755][ T5100] kasan_report+0xd9/0x110
[ 119.281195][ T5100] ? skb_free_head+0x1ae/0x1d0
[ 119.285983][ T5100] ? skb_free_head+0x1ae/0x1d0
[ 119.290776][ T5100] skb_free_head+0x1ae/0x1d0
[ 119.295390][ T5100] skb_release_data+0x75c/0x980
[ 119.300271][ T5100] kfree_skb_reason+0x12b/0x210
[ 119.305152][ T5100] __hci_req_sync+0x61d/0x980
[ 119.309861][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 119.315086][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 119.319791][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 119.325885][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 119.331541][ T5100] ? hci_req_sync+0x3f/0xd0