last executing test programs: kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.1.19' (ED25519) to the list of known hosts.
[ 101.817227][ T45] cfg80211: failed to load regulatory.db
[ 103.644656][ T5086] cgroup: Unknown subsys name 'net'
[ 103.860247][ T5086] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 105.973637][ T5086] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 109.073775][ T5098] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 109.101854][ T5098] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 109.112175][ T5098] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 109.129513][ T53] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 109.136992][ T53] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 109.147589][ T53] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 109.155762][ T53] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 109.164104][ T53] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 109.189984][ T5104] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 109.198239][ T5101] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 109.206319][ T5101] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 109.214773][ T5101] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 109.224081][ T5101] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 109.232389][ T5101] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 109.235565][ T5104] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 109.240023][ T5101] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 109.247796][ T5104] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 109.261050][ T5104] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 109.301749][ T5100] ==================================================================
[ 109.308038][ T5110] Bluetooth: hci5: unexpected cc 0x0c03 length: 249 > 1
[ 109.309832][ T5100] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x36/0x210
[ 109.318327][ T5110] Bluetooth: hci5: unexpected cc 0x1003 length: 249 > 9
[ 109.324514][ T5100] Read of size 4 at addr ffff888066ee5364 by task syz-executor/5100
[ 109.324548][ T5100]
[ 109.324559][ T5100] CPU: 0 PID: 5100 Comm: syz-executor Not tainted 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 109.334131][ T5110] Bluetooth: hci5: unexpected cc 0x1001 length: 249 > 9
[ 109.339441][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 109.345095][ T5110] Bluetooth: hci5: unexpected cc 0x0c23 length: 249 > 4
[ 109.351981][ T5100] Call Trace:
[ 109.351998][ T5100]
[ 109.352013][ T5100] dump_stack_lvl+0x116/0x1f0
[ 109.352069][ T5100] print_report+0xc3/0x620
[ 109.360559][ T5110] Bluetooth: hci5: unexpected cc 0x0c25 length: 249 > 3
[ 109.369059][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.369110][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.369154][ T5100] ? __phys_addr+0xc6/0x150
[ 109.379018][ T5110] Bluetooth: hci5: unexpected cc 0x0c38 length: 249 > 2
[ 109.379319][ T5100] kasan_report+0xd9/0x110
[ 109.425467][ T5100] ? kfree_skb_reason+0x36/0x210
[ 109.430462][ T5100] ? kfree_skb_reason+0x36/0x210
[ 109.435465][ T5100] kasan_check_range+0xef/0x1a0
[ 109.440367][ T5100] kfree_skb_reason+0x36/0x210
[ 109.445177][ T5100] __hci_req_sync+0x61d/0x980
[ 109.449895][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 109.455129][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 109.459847][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 109.465951][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.471621][ T5100] ? hci_req_sync+0x3f/0xd0
[ 109.476171][ T5100] ? __pfx___might_resched+0x10/0x10
[ 109.481506][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.487262][ T5100] ? aa_get_newest_label+0x376/0x680
[ 109.492702][ T5100] hci_req_sync+0x97/0xd0
[ 109.497156][ T5100] ? __pfx_hci_scan_req+0x10/0x10
[ 109.502225][ T5100] hci_dev_cmd+0x634/0x960
[ 109.506691][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.512453][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10
[ 109.517433][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.523103][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.528771][ T5100] ? security_capable+0x98/0xd0
[ 109.533689][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 109.538409][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.544080][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 109.549322][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 109.555346][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.561020][ T5100] sock_do_ioctl+0x119/0x280
[ 109.565663][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10
[ 109.570837][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.576510][ T5100] sock_ioctl+0x22e/0x6c0
[ 109.580895][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 109.585808][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.591475][ T5100] ? __fget_files+0x256/0x400
[ 109.596212][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 109.601883][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 109.606793][ T5100] __x64_sys_ioctl+0x196/0x220
[ 109.611610][ T5100] do_syscall_64+0xcd/0x250
[ 109.616165][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 109.622117][ T5100] RIP: 0033:0x7fad76d757db
[ 109.626555][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 109.646201][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 109.654655][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db
[ 109.662869][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003
[ 109.670866][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000
[ 109.678951][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 109.686944][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 109.694961][ T5100]
[ 109.697996][ T5100]
[ 109.700329][ T5100] Allocated by task 5098:
[ 109.704666][ T5100] kasan_save_stack+0x33/0x60
[ 109.709376][ T5100] kasan_save_track+0x14/0x30
[ 109.714080][ T5100] __kasan_slab_alloc+0x89/0x90
[ 109.718956][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0
[ 109.724447][ T5100] skb_clone+0x190/0x3f0
[ 109.728722][ T5100] hci_cmd_work+0x66a/0x710
[ 109.733269][ T5100] process_one_work+0x9c8/0x1b40
[ 109.738250][ T5100] worker_thread+0x6c8/0xf30
[ 109.742883][ T5100] kthread+0x2c4/0x3a0
[ 109.743475][ T5098] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 109.746978][ T5100] ret_from_fork+0x48/0x80
[ 109.756266][ T5098] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 109.758408][ T5100] ret_from_fork_asm+0x1a/0x30
[ 109.770141][ T5100]
[ 109.772477][ T5100] Freed by task 5098:
[ 109.772508][ T5098] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 109.776531][ T5100] kasan_save_stack+0x33/0x60
[ 109.785995][ T5098] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 109.788087][ T5100] kasan_save_track+0x14/0x30
[ 109.799728][ T5100] kasan_save_free_info+0x3b/0x60
[ 109.804817][ T5100] poison_slab_object+0xf7/0x160
[ 109.805852][ T5098] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 109.809789][ T5100] __kasan_slab_free+0x32/0x50
[ 109.818587][ T5098] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 109.821612][ T5100] kmem_cache_free+0x12f/0x3a0
[ 109.821654][ T5100] kfree_skbmem+0x10e/0x200
[ 109.837880][ T5100] kfree_skb_reason+0x138/0x210
[ 109.842774][ T5100] hci_req_sync_complete+0x16c/0x270
[ 109.848099][ T5100] hci_event_packet+0x966/0x1170
[ 109.853071][ T5100] hci_rx_work+0x2c4/0x1610
[ 109.857611][ T5100] process_one_work+0x9c8/0x1b40
[ 109.862592][ T5100] worker_thread+0x6c8/0xf30
[ 109.867228][ T5100] kthread+0x2c4/0x3a0
[ 109.871344][ T5100] ret_from_fork+0x48/0x80
[ 109.875817][ T5100] ret_from_fork_asm+0x1a/0x30
[ 109.880808][ T5100]
[ 109.883141][ T5100] The buggy address belongs to the object at ffff888066ee5280
[ 109.883141][ T5100] which belongs to the cache skbuff_head_cache of size 240
[ 109.897738][ T5100] The buggy address is located 228 bytes inside of
[ 109.897738][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370)
[ 109.911574][ T5100]
[ 109.913909][ T5100] The buggy address belongs to the physical page:
[ 109.920327][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5
[ 109.929113][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 109.936241][ T5100] page_type: 0xffffefff(slab)
[ 109.940943][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000
[ 109.949556][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 109.958152][ T5100] page dumped because: kasan: bad access detected
[ 109.964574][ T5100] page_owner tracks the page as allocated
[ 109.970294][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900
[ 109.989710][ T5100] post_alloc_hook+0x2d1/0x350
[ 109.994529][ T5100] get_page_from_freelist+0x1353/0x2e50
[ 110.000130][ T5100] __alloc_pages_noprof+0x22b/0x2460
[ 110.005469][ T5100] alloc_slab_page+0x56/0x110
[ 110.010194][ T5100] new_slab+0x84/0x260
[ 110.014330][ T5100] ___slab_alloc+0xdac/0x1870
[ 110.019037][ T5100] __slab_alloc.constprop.0+0x56/0xb0
[ 110.024440][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310
[ 110.030281][ T5100] __alloc_skb+0x2b1/0x380
[ 110.034749][ T5100] hci_prepare_cmd+0x32/0x2b0
[ 110.039465][ T5100] hci_req_add_ev+0x11b/0x2b0
[ 110.044178][ T5100] hci_scan_req+0x87/0x150
[ 110.048630][ T5100] __hci_req_sync+0x145/0x980
[ 110.053342][ T5100] hci_req_sync+0x97/0xd0
[ 110.057706][ T5100] hci_dev_cmd+0x634/0x960
[ 110.062172][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 110.066887][ T5100] page last free pid 1 tgid 1 stack trace:
[ 110.072703][ T5100] free_unref_page+0x64a/0xe40
[ 110.077520][ T5100] free_contig_range+0xb6/0x1a0
[ 110.082416][ T5100] destroy_args+0xa4e/0xe20
[ 110.086973][ T5100] debug_vm_pgtable+0x1705/0x3280
[ 110.092050][ T5100] do_one_initcall+0x12b/0x700
[ 110.096863][ T5100] kernel_init_freeable+0x69d/0xca0
[ 110.102111][ T5100] kernel_init+0x1c/0x2b0
[ 110.106491][ T5100] ret_from_fork+0x48/0x80
[ 110.110953][ T5100] ret_from_fork_asm+0x1a/0x30
[ 110.115770][ T5100]
[ 110.118103][ T5100] Memory state around the buggy address:
[ 110.123745][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 110.131832][ T5100] ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 110.139921][ T5100] >ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 110.148000][ T5100] ^
[ 110.155210][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 110.163293][ T5100] ffff888066ee5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 110.171368][ T5100] ==================================================================
[ 110.180828][ T5100] Disabling lock debugging due to kernel taint
[ 110.188240][ T5098] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 110.188805][ T5100] ==================================================================
[ 110.203265][ T5100] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x1f5/0x210
[ 110.211118][ T5100] Read of size 4 at addr ffff888066ee5364 by task syz-executor/5100
[ 110.219120][ T5100]
[ 110.221456][ T5100] CPU: 0 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 110.233207][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 110.243284][ T5100] Call Trace:
[ 110.246576][ T5100]
[ 110.249523][ T5100] dump_stack_lvl+0x116/0x1f0
[ 110.254249][ T5100] print_report+0xc3/0x620
[ 110.258700][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.264367][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.270034][ T5100] ? __phys_addr+0xc6/0x150
[ 110.274577][ T5100] kasan_report+0xd9/0x110
[ 110.279030][ T5100] ? kfree_skb_reason+0x1f5/0x210
[ 110.284102][ T5100] ? kfree_skb_reason+0x1f5/0x210
[ 110.289165][ T5100] kfree_skb_reason+0x1f5/0x210
[ 110.294049][ T5100] __hci_req_sync+0x61d/0x980
[ 110.298760][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 110.303989][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 110.308694][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 110.314816][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.320498][ T5100] ? hci_req_sync+0x3f/0xd0
[ 110.325044][ T5100] ? __pfx___might_resched+0x10/0x10
[ 110.330370][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.336026][ T5100] ? aa_get_newest_label+0x376/0x680
[ 110.341367][ T5100] hci_req_sync+0x97/0xd0
[ 110.345724][ T5100] ? __pfx_hci_scan_req+0x10/0x10
[ 110.350777][ T5100] hci_dev_cmd+0x634/0x960
[ 110.355228][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.360888][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10
[ 110.365863][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.371531][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.377189][ T5100] ? security_capable+0x98/0xd0
[ 110.382087][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 110.386796][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.392541][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 110.397767][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 110.403775][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.409434][ T5100] sock_do_ioctl+0x119/0x280
[ 110.414068][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10
[ 110.419226][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.424973][ T5100] sock_ioctl+0x22e/0x6c0
[ 110.429353][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 110.434248][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.439901][ T5100] ? __fget_files+0x256/0x400
[ 110.444617][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 110.450271][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 110.455160][ T5100] __x64_sys_ioctl+0x196/0x220
[ 110.460483][ T5100] do_syscall_64+0xcd/0x250
[ 110.465025][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 110.470971][ T5100] RIP: 0033:0x7fad76d757db
[ 110.475397][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 110.495026][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 110.503466][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db
[ 110.511451][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003
[ 110.519438][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000
[ 110.527422][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 110.535405][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 110.543404][ T5100]
[ 110.546427][ T5100]
[ 110.548755][ T5100] Allocated by task 5098:
[ 110.553083][ T5100] kasan_save_stack+0x33/0x60
[ 110.557776][ T5100] kasan_save_track+0x14/0x30
[ 110.562466][ T5100] __kasan_slab_alloc+0x89/0x90
[ 110.567334][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0
[ 110.572820][ T5100] skb_clone+0x190/0x3f0
[ 110.577087][ T5100] hci_cmd_work+0x66a/0x710
[ 110.581615][ T5100] process_one_work+0x9c8/0x1b40
[ 110.586580][ T5100] worker_thread+0x6c8/0xf30
[ 110.591193][ T5100] kthread+0x2c4/0x3a0
[ 110.595299][ T5100] ret_from_fork+0x48/0x80
[ 110.599755][ T5100] ret_from_fork_asm+0x1a/0x30
[ 110.604557][ T5100]
[ 110.606876][ T5100] Freed by task 5098:
[ 110.610857][ T5100] kasan_save_stack+0x33/0x60
[ 110.615547][ T5100] kasan_save_track+0x14/0x30
[ 110.620236][ T5100] kasan_save_free_info+0x3b/0x60
[ 110.625468][ T5100] poison_slab_object+0xf7/0x160
[ 110.630534][ T5100] __kasan_slab_free+0x32/0x50
[ 110.635312][ T5100] kmem_cache_free+0x12f/0x3a0
[ 110.640092][ T5100] kfree_skbmem+0x10e/0x200
[ 110.644634][ T5100] kfree_skb_reason+0x138/0x210
[ 110.649541][ T5100] hci_req_sync_complete+0x16c/0x270
[ 110.654939][ T5100] hci_event_packet+0x966/0x1170
[ 110.659896][ T5100] hci_rx_work+0x2c4/0x1610
[ 110.664428][ T5100] process_one_work+0x9c8/0x1b40
[ 110.669390][ T5100] worker_thread+0x6c8/0xf30
[ 110.674004][ T5100] kthread+0x2c4/0x3a0
[ 110.678108][ T5100] ret_from_fork+0x48/0x80
[ 110.682557][ T5100] ret_from_fork_asm+0x1a/0x30
[ 110.687354][ T5100]
[ 110.689675][ T5100] The buggy address belongs to the object at ffff888066ee5280
[ 110.689675][ T5100] which belongs to the cache skbuff_head_cache of size 240
[ 110.704442][ T5100] The buggy address is located 228 bytes inside of
[ 110.704442][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370)
[ 110.718257][ T5100]
[ 110.720579][ T5100] The buggy address belongs to the physical page:
[ 110.726987][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5
[ 110.735760][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 110.742881][ T5100] page_type: 0xffffefff(slab)
[ 110.747573][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000
[ 110.756172][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 110.764761][ T5100] page dumped because: kasan: bad access detected
[ 110.771171][ T5100] page_owner tracks the page as allocated
[ 110.776881][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900
[ 110.796448][ T5100] post_alloc_hook+0x2d1/0x350
[ 110.801244][ T5100] get_page_from_freelist+0x1353/0x2e50
[ 110.806826][ T5100] __alloc_pages_noprof+0x22b/0x2460
[ 110.812148][ T5100] alloc_slab_page+0x56/0x110
[ 110.816860][ T5100] new_slab+0x84/0x260
[ 110.820942][ T5100] ___slab_alloc+0xdac/0x1870
[ 110.825637][ T5100] __slab_alloc.constprop.0+0x56/0xb0
[ 110.831031][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310
[ 110.836863][ T5100] __alloc_skb+0x2b1/0x380
[ 110.841318][ T5100] hci_prepare_cmd+0x32/0x2b0
[ 110.846017][ T5100] hci_req_add_ev+0x11b/0x2b0
[ 110.850715][ T5100] hci_scan_req+0x87/0x150
[ 110.855152][ T5100] __hci_req_sync+0x145/0x980
[ 110.859851][ T5100] hci_req_sync+0x97/0xd0
[ 110.864200][ T5100] hci_dev_cmd+0x634/0x960
[ 110.868645][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 110.873867][ T5100] page last free pid 1 tgid 1 stack trace:
[ 110.879677][ T5100] free_unref_page+0x64a/0xe40
[ 110.884496][ T5100] free_contig_range+0xb6/0x1a0
[ 110.889378][ T5100] destroy_args+0xa4e/0xe20
[ 110.893923][ T5100] debug_vm_pgtable+0x1705/0x3280
[ 110.898983][ T5100] do_one_initcall+0x12b/0x700
[ 110.903786][ T5100] kernel_init_freeable+0x69d/0xca0
[ 110.909020][ T5100] kernel_init+0x1c/0x2b0
[ 110.913484][ T5100] ret_from_fork+0x48/0x80
[ 110.917936][ T5100] ret_from_fork_asm+0x1a/0x30
[ 110.922732][ T5100]
[ 110.925051][ T5100] Memory state around the buggy address:
[ 110.930682][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 110.938750][ T5100] ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 110.946819][ T5100] >ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 110.954971][ T5100] ^
[ 110.962165][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 110.970233][ T5100] ffff888066ee5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 110.978298][ T5100] ==================================================================
[ 110.986991][ T5100] ==================================================================
[ 110.992183][ T5098] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 110.995044][ T5100] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x283/0x2b0
[ 111.010318][ T5100] Read of size 8 at addr ffff888066ee52d8 by task syz-executor/5100
[ 111.012003][ T5098] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 111.018294][ T5100]
[ 111.018308][ T5100] CPU: 0 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 111.039270][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 111.041632][ T5098] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 111.049322][ T5100] Call Trace:
[ 111.049340][ T5100]
[ 111.049355][ T5100] dump_stack_lvl+0x116/0x1f0
[ 111.062826][ T5098] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 111.067090][ T5100] print_report+0xc3/0x620
[ 111.078483][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.084154][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.089822][ T5100] ? __phys_addr+0xc6/0x150
[ 111.091837][ T5098] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 111.094368][ T5100] kasan_report+0xd9/0x110
[ 111.105728][ T5100] ? skb_release_head_state+0x283/0x2b0
[ 111.111315][ T5100] ? skb_release_head_state+0x283/0x2b0
[ 111.116908][ T5100] skb_release_head_state+0x283/0x2b0
[ 111.122323][ T5100] kfree_skb_reason+0xed/0x210
[ 111.127132][ T5100] __hci_req_sync+0x61d/0x980
[ 111.131852][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 111.137088][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 111.141815][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 111.147924][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.153591][ T5100] ? hci_req_sync+0x3f/0xd0
[ 111.158139][ T5100] ? __pfx___might_resched+0x10/0x10
[ 111.163472][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.169140][ T5100] ? aa_get_newest_label+0x376/0x680
[ 111.174491][ T5100] hci_req_sync+0x97/0xd0
[ 111.178860][ T5100] ? __pfx_hci_scan_req+0x10/0x10
[ 111.183927][ T5100] hci_dev_cmd+0x634/0x960
[ 111.188395][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.194073][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10
[ 111.199064][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.204730][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.210399][ T5100] ? security_capable+0x98/0xd0
[ 111.215310][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 111.220028][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.225702][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 111.231034][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 111.237065][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.242774][ T5100] sock_do_ioctl+0x119/0x280
[ 111.247419][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10
[ 111.251625][ T5101] Bluetooth: hci0: command tx timeout
[ 111.252573][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.263575][ T5100] sock_ioctl+0x22e/0x6c0
[ 111.267963][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 111.272871][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.278641][ T5100] ? __fget_files+0x256/0x400
[ 111.283394][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.289074][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 111.293992][ T5100] __x64_sys_ioctl+0x196/0x220
[ 111.298817][ T5100] do_syscall_64+0xcd/0x250
[ 111.303377][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 111.309365][ T5100] RIP: 0033:0x7fad76d757db
[ 111.313799][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 111.333428][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 111.341863][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db
[ 111.349851][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003
[ 111.357843][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000
[ 111.365829][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 111.373810][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 111.381897][ T5100]
[ 111.384920][ T5100]
[ 111.387245][ T5100] Allocated by task 5098:
[ 111.391577][ T5100] kasan_save_stack+0x33/0x60
[ 111.396446][ T5100] kasan_save_track+0x14/0x30
[ 111.401139][ T5100] __kasan_slab_alloc+0x89/0x90
[ 111.406006][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0
[ 111.411493][ T5100] skb_clone+0x190/0x3f0
[ 111.415763][ T5100] hci_cmd_work+0x66a/0x710
[ 111.420294][ T5100] process_one_work+0x9c8/0x1b40
[ 111.425287][ T5100] worker_thread+0x6c8/0xf30
[ 111.429903][ T5100] kthread+0x2c4/0x3a0
[ 111.434007][ T5100] ret_from_fork+0x48/0x80
[ 111.438463][ T5100] ret_from_fork_asm+0x1a/0x30
[ 111.443261][ T5100]
[ 111.445581][ T5100] Freed by task 5098:
[ 111.449561][ T5100] kasan_save_stack+0x33/0x60
[ 111.454252][ T5100] kasan_save_track+0x14/0x30
[ 111.458942][ T5100] kasan_save_free_info+0x3b/0x60
[ 111.463999][ T5100] poison_slab_object+0xf7/0x160
[ 111.469023][ T5100] __kasan_slab_free+0x32/0x50
[ 111.473808][ T5100] kmem_cache_free+0x12f/0x3a0
[ 111.478590][ T5100] kfree_skbmem+0x10e/0x200
[ 111.483131][ T5100] kfree_skb_reason+0x138/0x210
[ 111.488007][ T5100] hci_req_sync_complete+0x16c/0x270
[ 111.493317][ T5100] hci_event_packet+0x966/0x1170
[ 111.498280][ T5100] hci_rx_work+0x2c4/0x1610
[ 111.502808][ T5100] process_one_work+0x9c8/0x1b40
[ 111.507773][ T5100] worker_thread+0x6c8/0xf30
[ 111.512395][ T5100] kthread+0x2c4/0x3a0
[ 111.516498][ T5100] ret_from_fork+0x48/0x80
[ 111.520949][ T5100] ret_from_fork_asm+0x1a/0x30
[ 111.525751][ T5100]
[ 111.528073][ T5100] The buggy address belongs to the object at ffff888066ee5280
[ 111.528073][ T5100] which belongs to the cache skbuff_head_cache of size 240
[ 111.542660][ T5100] The buggy address is located 88 bytes inside of
[ 111.542660][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370)
[ 111.556390][ T5100]
[ 111.558713][ T5100] The buggy address belongs to the physical page:
[ 111.565120][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5
[ 111.573893][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 111.581008][ T5100] page_type: 0xffffefff(slab)
[ 111.585700][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000
[ 111.594301][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 111.602887][ T5100] page dumped because: kasan: bad access detected
[ 111.609301][ T5100] page_owner tracks the page as allocated
[ 111.615017][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900
[ 111.634418][ T5100] post_alloc_hook+0x2d1/0x350
[ 111.639213][ T5100] get_page_from_freelist+0x1353/0x2e50
[ 111.644796][ T5100] __alloc_pages_noprof+0x22b/0x2460
[ 111.650115][ T5100] alloc_slab_page+0x56/0x110
[ 111.654822][ T5100] new_slab+0x84/0x260
[ 111.658912][ T5100] ___slab_alloc+0xdac/0x1870
[ 111.663609][ T5100] __slab_alloc.constprop.0+0x56/0xb0
[ 111.669001][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310
[ 111.674831][ T5100] __alloc_skb+0x2b1/0x380
[ 111.679320][ T5100] hci_prepare_cmd+0x32/0x2b0
[ 111.684021][ T5100] hci_req_add_ev+0x11b/0x2b0
[ 111.688720][ T5100] hci_scan_req+0x87/0x150
[ 111.693158][ T5100] __hci_req_sync+0x145/0x980
[ 111.697854][ T5100] hci_req_sync+0x97/0xd0
[ 111.702200][ T5100] hci_dev_cmd+0x634/0x960
[ 111.706668][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 111.711365][ T5100] page last free pid 1 tgid 1 stack trace:
[ 111.717172][ T5100] free_unref_page+0x64a/0xe40
[ 111.722057][ T5100] free_contig_range+0xb6/0x1a0
[ 111.726937][ T5100] destroy_args+0xa4e/0xe20
[ 111.731471][ T5100] debug_vm_pgtable+0x1705/0x3280
[ 111.736536][ T5100] do_one_initcall+0x12b/0x700
[ 111.741346][ T5100] kernel_init_freeable+0x69d/0xca0
[ 111.746578][ T5100] kernel_init+0x1c/0x2b0
[ 111.750943][ T5100] ret_from_fork+0x48/0x80
[ 111.755392][ T5100] ret_from_fork_asm+0x1a/0x30
[ 111.760191][ T5100]
[ 111.762514][ T5100] Memory state around the buggy address:
[ 111.768322][ T5100] ffff888066ee5180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 111.776393][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 111.784463][ T5100] >ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 111.792527][ T5100] ^
[ 111.799464][ T5100] ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 111.807540][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 111.815616][ T5100] ==================================================================
[ 111.823844][ T5101] Bluetooth: hci5: command tx timeout
[ 111.829333][ T5101] Bluetooth: hci2: command tx timeout
[ 111.835552][ T5100] ==================================================================
[ 111.843639][ T5100] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x28d/0x2b0
[ 111.852027][ T5100] Read of size 8 at addr ffff888066ee52e0 by task syz-executor/5100
[ 111.860028][ T5100]
[ 111.862362][ T5100] CPU: 1 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 111.874191][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 111.884262][ T5100] Call Trace:
[ 111.887544][ T5100]
[ 111.890483][ T5100] dump_stack_lvl+0x116/0x1f0
[ 111.895194][ T5100] print_report+0xc3/0x620
[ 111.899633][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.905289][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.910971][ T5100] ? __phys_addr+0xc6/0x150
[ 111.915496][ T5100] kasan_report+0xd9/0x110
[ 111.919964][ T5100] ? skb_release_head_state+0x28d/0x2b0
[ 111.925541][ T5100] ? skb_release_head_state+0x28d/0x2b0
[ 111.931117][ T5100] skb_release_head_state+0x28d/0x2b0
[ 111.936518][ T5100] kfree_skb_reason+0xed/0x210
[ 111.941313][ T5100] __hci_req_sync+0x61d/0x980
[ 111.946019][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 111.951241][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 111.955948][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 111.962042][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.967699][ T5100] ? hci_req_sync+0x3f/0xd0
[ 111.972234][ T5100] ? __pfx___might_resched+0x10/0x10
[ 111.977553][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 111.983206][ T5100] ? aa_get_newest_label+0x376/0x680
[ 111.988542][ T5100] hci_req_sync+0x97/0xd0
[ 111.992926][ T5100] ? __pfx_hci_scan_req+0x10/0x10
[ 111.997979][ T5100] hci_dev_cmd+0x634/0x960
[ 112.002429][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.008083][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10
[ 112.013053][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.018705][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.024358][ T5100] ? security_capable+0x98/0xd0
[ 112.029257][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 112.033961][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.039614][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 112.044840][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 112.050846][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.056504][ T5100] sock_do_ioctl+0x119/0x280
[ 112.061132][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10
[ 112.066293][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.071954][ T5100] sock_ioctl+0x22e/0x6c0
[ 112.076419][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 112.081314][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.086977][ T5100] ? __fget_files+0x256/0x400
[ 112.091697][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 112.097356][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 112.102246][ T5100] __x64_sys_ioctl+0x196/0x220
[ 112.107050][ T5100] do_syscall_64+0xcd/0x250
[ 112.111594][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 112.117535][ T5100] RIP: 0033:0x7fad76d757db
[ 112.121961][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 112.141588][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 112.150024][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db
[ 112.158009][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003
[ 112.165993][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000
[ 112.174003][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 112.181988][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 112.189993][ T5100]
[ 112.193025][ T5100]
[ 112.195347][ T5100] Allocated by task 5098:
[ 112.199676][ T5100] kasan_save_stack+0x33/0x60
[ 112.204373][ T5100] kasan_save_track+0x14/0x30
[ 112.209065][ T5100] __kasan_slab_alloc+0x89/0x90
[ 112.213933][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0
[ 112.219416][ T5100] skb_clone+0x190/0x3f0
[ 112.223681][ T5100] hci_cmd_work+0x66a/0x710
[ 112.228238][ T5100] process_one_work+0x9c8/0x1b40
[ 112.233207][ T5100] worker_thread+0x6c8/0xf30
[ 112.237822][ T5100] kthread+0x2c4/0x3a0
[ 112.241931][ T5100] ret_from_fork+0x48/0x80
[ 112.246380][ T5100] ret_from_fork_asm+0x1a/0x30
[ 112.251217][ T5100]
[ 112.253541][ T5100] Freed by task 5098:
[ 112.257521][ T5100] kasan_save_stack+0x33/0x60
[ 112.262212][ T5100] kasan_save_track+0x14/0x30
[ 112.266903][ T5100] kasan_save_free_info+0x3b/0x60
[ 112.271956][ T5100] poison_slab_object+0xf7/0x160
[ 112.276932][ T5100] __kasan_slab_free+0x32/0x50
[ 112.281711][ T5100] kmem_cache_free+0x12f/0x3a0
[ 112.286491][ T5100] kfree_skbmem+0x10e/0x200
[ 112.291032][ T5100] kfree_skb_reason+0x138/0x210
[ 112.295910][ T5100] hci_req_sync_complete+0x16c/0x270
[ 112.301224][ T5100] hci_event_packet+0x966/0x1170
[ 112.306190][ T5100] hci_rx_work+0x2c4/0x1610
[ 112.310901][ T5100] process_one_work+0x9c8/0x1b40
[ 112.315864][ T5100] worker_thread+0x6c8/0xf30
[ 112.320476][ T5100] kthread+0x2c4/0x3a0
[ 112.324581][ T5100] ret_from_fork+0x48/0x80
[ 112.329037][ T5100] ret_from_fork_asm+0x1a/0x30
[ 112.333839][ T5100]
[ 112.336161][ T5100] The buggy address belongs to the object at ffff888066ee5280
[ 112.336161][ T5100] which belongs to the cache skbuff_head_cache of size 240
[ 112.350745][ T5100] The buggy address is located 96 bytes inside of
[ 112.350745][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370)
[ 112.364471][ T5100]
[ 112.366796][ T5100] The buggy address belongs to the physical page:
[ 112.373204][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5
[ 112.381979][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 112.389100][ T5100] page_type: 0xffffefff(slab)
[ 112.393792][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000
[ 112.402396][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 112.411015][ T5100] page dumped because: kasan: bad access detected
[ 112.417436][ T5100] page_owner tracks the page as allocated
[ 112.423235][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900
[ 112.442632][ T5100] post_alloc_hook+0x2d1/0x350
[ 112.447430][ T5100] get_page_from_freelist+0x1353/0x2e50
[ 112.453041][ T5100] __alloc_pages_noprof+0x22b/0x2460
[ 112.458360][ T5100] alloc_slab_page+0x56/0x110
[ 112.463067][ T5100] new_slab+0x84/0x260
[ 112.467172][ T5100] ___slab_alloc+0xdac/0x1870
[ 112.471864][ T5100] __slab_alloc.constprop.0+0x56/0xb0
[ 112.477255][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310
[ 112.483082][ T5100] __alloc_skb+0x2b1/0x380
[ 112.487534][ T5100] hci_prepare_cmd+0x32/0x2b0
[ 112.492407][ T5100] hci_req_add_ev+0x11b/0x2b0
[ 112.497104][ T5100] hci_scan_req+0x87/0x150
[ 112.501539][ T5100] __hci_req_sync+0x145/0x980
[ 112.506238][ T5100] hci_req_sync+0x97/0xd0
[ 112.510582][ T5100] hci_dev_cmd+0x634/0x960
[ 112.515026][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 112.519819][ T5100] page last free pid 1 tgid 1 stack trace:
[ 112.525740][ T5100] free_unref_page+0x64a/0xe40
[ 112.530535][ T5100] free_contig_range+0xb6/0x1a0
[ 112.535412][ T5100] destroy_args+0xa4e/0xe20
[ 112.539948][ T5100] debug_vm_pgtable+0x1705/0x3280
[ 112.545017][ T5100] do_one_initcall+0x12b/0x700
[ 112.549820][ T5100] kernel_init_freeable+0x69d/0xca0
[ 112.555055][ T5100] kernel_init+0x1c/0x2b0
[ 112.559421][ T5100] ret_from_fork+0x48/0x80
[ 112.563873][ T5100] ret_from_fork_asm+0x1a/0x30
[ 112.568673][ T5100]
[ 112.570995][ T5100] Memory state around the buggy address:
[ 112.576626][ T5100] ffff888066ee5180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 112.584699][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 112.592769][ T5100] >ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.600833][ T5100] ^
[ 112.608029][ T5100] ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
fc [ 112.616105][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 112.624171][ T5100] ================================================================== [ 112.641393][ T5098] Bluetooth: hci4: command tx timeout [ 112.678188][ T5100] ================================================================== [ 112.686395][ T5100] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x276/0x2b0 [ 112.694775][ T5100] Read of size 8 at addr ffff888066ee52e8 by task syz-executor/5100 [ 112.702787][ T5100] [ 112.705130][ T5100] CPU: 0 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 112.716965][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 112.727039][ T5100] Call Trace: [ 112.730336][ T5100] [ 112.733276][ T5100] dump_stack_lvl+0x116/0x1f0 [ 112.738074][ T5100] print_report+0xc3/0x620 [ 112.742775][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.748439][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.754099][ T5100] ? __phys_addr+0xc6/0x150 [ 112.758624][ T5100] kasan_report+0xd9/0x110 [ 112.763063][ T5100] ? skb_release_head_state+0x276/0x2b0 [ 112.768639][ T5100] ? skb_release_head_state+0x276/0x2b0 [ 112.774233][ T5100] skb_release_head_state+0x276/0x2b0 [ 112.779635][ T5100] kfree_skb_reason+0xed/0x210 [ 112.784434][ T5100] __hci_req_sync+0x61d/0x980 [ 112.789143][ T5100] ? __pfx___hci_req_sync+0x10/0x10 [ 112.794363][ T5100] ? __mutex_lock+0x1a6/0x9c0 [ 112.799069][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10 [ 112.805185][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.810866][ T5100] ? hci_req_sync+0x3f/0xd0 [ 112.815402][ T5100] ? __pfx___might_resched+0x10/0x10 [ 112.820723][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.826378][ T5100] ? aa_get_newest_label+0x376/0x680 [ 112.831713][ T5100] hci_req_sync+0x97/0xd0 [ 112.836066][ T5100] ? 
__pfx_hci_scan_req+0x10/0x10 [ 112.841118][ T5100] hci_dev_cmd+0x634/0x960 [ 112.845566][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.851238][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10 [ 112.856211][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.861866][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.867521][ T5100] ? security_capable+0x98/0xd0 [ 112.872420][ T5100] hci_sock_ioctl+0x4f3/0x880 [ 112.877298][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.882954][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10 [ 112.888180][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 112.894190][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.900023][ T5100] sock_do_ioctl+0x119/0x280 [ 112.904651][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10 [ 112.909812][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.915471][ T5100] sock_ioctl+0x22e/0x6c0 [ 112.919841][ T5100] ? __pfx_sock_ioctl+0x10/0x10 [ 112.924734][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.930386][ T5100] ? __fget_files+0x256/0x400 [ 112.935106][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 112.940769][ T5100] ? 
__pfx_sock_ioctl+0x10/0x10 [ 112.945667][ T5100] __x64_sys_ioctl+0x196/0x220 [ 112.950468][ T5100] do_syscall_64+0xcd/0x250 [ 112.955014][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 112.960954][ T5100] RIP: 0033:0x7fad76d757db [ 112.965382][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 112.985011][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 112.993448][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db [ 113.001454][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003 [ 113.009526][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000 [ 113.017509][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001 [ 113.025579][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009 [ 113.033574][ T5100] [ 113.036596][ T5100] [ 113.038915][ T5100] Allocated by task 5098: [ 113.043245][ T5100] kasan_save_stack+0x33/0x60 [ 113.047940][ T5100] kasan_save_track+0x14/0x30 [ 113.052632][ T5100] __kasan_slab_alloc+0x89/0x90 [ 113.057498][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0 [ 113.062977][ T5100] skb_clone+0x190/0x3f0 [ 113.067239][ T5100] hci_cmd_work+0x66a/0x710 [ 113.071777][ T5100] process_one_work+0x9c8/0x1b40 [ 113.076745][ T5100] worker_thread+0x6c8/0xf30 [ 113.081369][ T5100] kthread+0x2c4/0x3a0 [ 113.085472][ T5100] ret_from_fork+0x48/0x80 [ 113.089923][ T5100] ret_from_fork_asm+0x1a/0x30 [ 113.094722][ T5100] [ 113.097041][ T5100] Freed by task 5098: [ 113.101021][ T5100] kasan_save_stack+0x33/0x60 [ 113.105712][ T5100] kasan_save_track+0x14/0x30 [ 113.110401][ T5100] kasan_save_free_info+0x3b/0x60 [ 113.115454][ T5100] poison_slab_object+0xf7/0x160 [ 113.120428][ T5100] __kasan_slab_free+0x32/0x50 [ 113.125205][ T5100] kmem_cache_free+0x12f/0x3a0 [ 113.129983][ 
T5100] kfree_skbmem+0x10e/0x200 [ 113.134525][ T5100] kfree_skb_reason+0x138/0x210 [ 113.139401][ T5100] hci_req_sync_complete+0x16c/0x270 [ 113.144708][ T5100] hci_event_packet+0x966/0x1170 [ 113.149665][ T5100] hci_rx_work+0x2c4/0x1610 [ 113.154196][ T5100] process_one_work+0x9c8/0x1b40 [ 113.159162][ T5100] worker_thread+0x6c8/0xf30 [ 113.163780][ T5100] kthread+0x2c4/0x3a0 [ 113.167885][ T5100] ret_from_fork+0x48/0x80 [ 113.172340][ T5100] ret_from_fork_asm+0x1a/0x30 [ 113.177139][ T5100] [ 113.179461][ T5100] The buggy address belongs to the object at ffff888066ee5280 [ 113.179461][ T5100] which belongs to the cache skbuff_head_cache of size 240 [ 113.194049][ T5100] The buggy address is located 104 bytes inside of [ 113.194049][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370) [ 113.207864][ T5100] [ 113.210186][ T5100] The buggy address belongs to the physical page: [ 113.216614][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5 [ 113.225386][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 113.232502][ T5100] page_type: 0xffffefff(slab) [ 113.237194][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000 [ 113.245794][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000 [ 113.254387][ T5100] page dumped because: kasan: bad access detected [ 113.260824][ T5100] page_owner tracks the page as allocated [ 113.266546][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900 [ 113.285946][ T5100] post_alloc_hook+0x2d1/0x350 [ 113.290744][ T5100] get_page_from_freelist+0x1353/0x2e50 [ 113.296328][ T5100] __alloc_pages_noprof+0x22b/0x2460 [ 113.301653][ T5100] alloc_slab_page+0x56/0x110 [ 113.306394][ T5100] new_slab+0x84/0x260 [ 113.310482][ T5100] ___slab_alloc+0xdac/0x1870 [ 113.315175][ T5100] 
__slab_alloc.constprop.0+0x56/0xb0 [ 113.320570][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310 [ 113.326406][ T5100] __alloc_skb+0x2b1/0x380 [ 113.330863][ T5100] hci_prepare_cmd+0x32/0x2b0 [ 113.335568][ T5100] hci_req_add_ev+0x11b/0x2b0 [ 113.340267][ T5100] hci_scan_req+0x87/0x150 [ 113.344704][ T5100] __hci_req_sync+0x145/0x980 [ 113.349401][ T5100] hci_req_sync+0x97/0xd0 [ 113.353748][ T5100] hci_dev_cmd+0x634/0x960 [ 113.358195][ T5100] hci_sock_ioctl+0x4f3/0x880 [ 113.362925][ T5100] page last free pid 1 tgid 1 stack trace: [ 113.368733][ T5100] free_unref_page+0x64a/0xe40 [ 113.373530][ T5100] free_contig_range+0xb6/0x1a0 [ 113.378411][ T5100] destroy_args+0xa4e/0xe20 [ 113.382953][ T5100] debug_vm_pgtable+0x1705/0x3280 [ 113.388020][ T5100] do_one_initcall+0x12b/0x700 [ 113.392862][ T5100] kernel_init_freeable+0x69d/0xca0 [ 113.398102][ T5100] kernel_init+0x1c/0x2b0 [ 113.402472][ T5100] ret_from_fork+0x48/0x80 [ 113.406925][ T5100] ret_from_fork_asm+0x1a/0x30 [ 113.411726][ T5100] [ 113.414055][ T5100] Memory state around the buggy address: [ 113.419686][ T5100] ffff888066ee5180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 113.427763][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 113.435833][ T5100] >ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 113.443899][ T5100] ^ [ 113.451356][ T5100] ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 113.459426][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 113.467489][ T5100] ================================================================== [ 113.475942][ T5098] Bluetooth: hci3: command tx timeout [ 113.479050][ T5101] Bluetooth: hci0: command tx timeout [ 113.486785][ T5100] ================================================================== [ 113.494882][ T5100] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x26c/0x2b0 [ 113.503256][ T5100] Read of size 1 at addr ffff888066ee52ff by task 
syz-executor/5100 [ 113.511257][ T5100] [ 113.513598][ T5100] CPU: 0 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 113.525349][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 113.535430][ T5100] Call Trace: [ 113.538733][ T5100] [ 113.541683][ T5100] dump_stack_lvl+0x116/0x1f0 [ 113.546409][ T5100] print_report+0xc3/0x620 [ 113.550866][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.556551][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.562229][ T5100] ? __phys_addr+0xc6/0x150 [ 113.566769][ T5100] kasan_report+0xd9/0x110 [ 113.571224][ T5100] ? skb_release_head_state+0x26c/0x2b0 [ 113.576906][ T5100] ? skb_release_head_state+0x26c/0x2b0 [ 113.582504][ T5100] skb_release_head_state+0x26c/0x2b0 [ 113.587925][ T5100] kfree_skb_reason+0xed/0x210 [ 113.592739][ T5100] __hci_req_sync+0x61d/0x980 [ 113.597461][ T5100] ? __pfx___hci_req_sync+0x10/0x10 [ 113.602699][ T5100] ? __mutex_lock+0x1a6/0x9c0 [ 113.607424][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10 [ 113.613531][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.619209][ T5100] ? hci_req_sync+0x3f/0xd0 [ 113.623762][ T5100] ? __pfx___might_resched+0x10/0x10 [ 113.629098][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.631908][ T5097] chnl_net:caif_netlink_parms(): no params data found [ 113.634748][ T5100] ? aa_get_newest_label+0x376/0x680 [ 113.646825][ T5100] hci_req_sync+0x97/0xd0 [ 113.651198][ T5100] ? __pfx_hci_scan_req+0x10/0x10 [ 113.656265][ T5100] hci_dev_cmd+0x634/0x960 [ 113.660734][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.666409][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10 [ 113.671400][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.677081][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.682754][ T5100] ? security_capable+0x98/0xd0 [ 113.687669][ T5100] hci_sock_ioctl+0x4f3/0x880 [ 113.692393][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.698072][ T5100] ? 
__pfx_hci_sock_ioctl+0x10/0x10 [ 113.703319][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 113.709351][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.715033][ T5100] sock_do_ioctl+0x119/0x280 [ 113.719689][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10 [ 113.724955][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.730631][ T5100] sock_ioctl+0x22e/0x6c0 [ 113.735022][ T5100] ? __pfx_sock_ioctl+0x10/0x10 [ 113.739940][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.745613][ T5100] ? __fget_files+0x256/0x400 [ 113.750351][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 113.756027][ T5100] ? __pfx_sock_ioctl+0x10/0x10 [ 113.761029][ T5100] __x64_sys_ioctl+0x196/0x220 [ 113.765853][ T5100] do_syscall_64+0xcd/0x250 [ 113.770417][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 113.776371][ T5100] RIP: 0033:0x7fad76d757db [ 113.780811][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 113.800457][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 113.808913][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db [ 113.816913][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003 [ 113.824936][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000 [ 113.832951][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001 [ 113.840948][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009 [ 113.848959][ T5100] [ 113.851995][ T5100] [ 113.854853][ T5100] Allocated by task 5098: [ 113.859200][ T5100] kasan_save_stack+0x33/0x60 [ 113.863921][ T5100] kasan_save_track+0x14/0x30 [ 113.868641][ T5100] __kasan_slab_alloc+0x89/0x90 [ 113.873530][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0 [ 113.879030][ T5100] skb_clone+0x190/0x3f0 [ 113.883313][ T5100] hci_cmd_work+0x66a/0x710 [ 113.887862][ 
T5100] process_one_work+0x9c8/0x1b40 [ 113.891696][ T5101] Bluetooth: hci2: command tx timeout [ 113.892804][ T5100] worker_thread+0x6c8/0xf30 [ 113.898204][ T5101] Bluetooth: hci5: command tx timeout [ 113.902726][ T5100] kthread+0x2c4/0x3a0 [ 113.902785][ T5100] ret_from_fork+0x48/0x80 [ 113.916649][ T5100] ret_from_fork_asm+0x1a/0x30 [ 113.921462][ T5100] [ 113.923791][ T5100] Freed by task 5098: [ 113.927766][ T5100] kasan_save_stack+0x33/0x60 [ 113.932470][ T5100] kasan_save_track+0x14/0x30 [ 113.937151][ T5100] kasan_save_free_info+0x3b/0x60 [ 113.942214][ T5100] poison_slab_object+0xf7/0x160 [ 113.947194][ T5100] __kasan_slab_free+0x32/0x50 [ 113.951966][ T5100] kmem_cache_free+0x12f/0x3a0 [ 113.956737][ T5100] kfree_skbmem+0x10e/0x200 [ 113.961264][ T5100] kfree_skb_reason+0x138/0x210 [ 113.966127][ T5100] hci_req_sync_complete+0x16c/0x270 [ 113.971423][ T5100] hci_event_packet+0x966/0x1170 [ 113.976376][ T5100] hci_rx_work+0x2c4/0x1610 [ 113.980892][ T5100] process_one_work+0x9c8/0x1b40 [ 113.985865][ T5100] worker_thread+0x6c8/0xf30 [ 113.990466][ T5100] kthread+0x2c4/0x3a0 [ 113.994576][ T5100] ret_from_fork+0x48/0x80 [ 113.999014][ T5100] ret_from_fork_asm+0x1a/0x30 [ 114.003824][ T5100] [ 114.006141][ T5100] The buggy address belongs to the object at ffff888066ee5280 [ 114.006141][ T5100] which belongs to the cache skbuff_head_cache of size 240 [ 114.020724][ T5100] The buggy address is located 127 bytes inside of [ 114.020724][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370) [ 114.034527][ T5100] [ 114.036842][ T5100] The buggy address belongs to the physical page: [ 114.043242][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5 [ 114.052003][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 114.059115][ T5100] page_type: 0xffffefff(slab) [ 114.063796][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000 [ 114.072388][ T5100] raw: 0000000000000000 
00000000000c000c 00000001ffffefff 0000000000000000 [ 114.080965][ T5100] page dumped because: kasan: bad access detected [ 114.087372][ T5100] page_owner tracks the page as allocated [ 114.093076][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900 [ 114.113088][ T5100] post_alloc_hook+0x2d1/0x350 [ 114.117897][ T5100] get_page_from_freelist+0x1353/0x2e50 [ 114.123492][ T5100] __alloc_pages_noprof+0x22b/0x2460 [ 114.128798][ T5100] alloc_slab_page+0x56/0x110 [ 114.133493][ T5100] new_slab+0x84/0x260 [ 114.137570][ T5100] ___slab_alloc+0xdac/0x1870 [ 114.142365][ T5100] __slab_alloc.constprop.0+0x56/0xb0 [ 114.147764][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310 [ 114.153609][ T5100] __alloc_skb+0x2b1/0x380 [ 114.158222][ T5100] hci_prepare_cmd+0x32/0x2b0 [ 114.162908][ T5100] hci_req_add_ev+0x11b/0x2b0 [ 114.167596][ T5100] hci_scan_req+0x87/0x150 [ 114.172033][ T5100] __hci_req_sync+0x145/0x980 [ 114.176723][ T5100] hci_req_sync+0x97/0xd0 [ 114.181067][ T5100] hci_dev_cmd+0x634/0x960 [ 114.185503][ T5100] hci_sock_ioctl+0x4f3/0x880 [ 114.190210][ T5100] page last free pid 1 tgid 1 stack trace: [ 114.196008][ T5100] free_unref_page+0x64a/0xe40 [ 114.200793][ T5100] free_contig_range+0xb6/0x1a0 [ 114.205663][ T5100] destroy_args+0xa4e/0xe20 [ 114.210185][ T5100] debug_vm_pgtable+0x1705/0x3280 [ 114.215228][ T5100] do_one_initcall+0x12b/0x700 [ 114.220012][ T5100] kernel_init_freeable+0x69d/0xca0 [ 114.225267][ T5100] kernel_init+0x1c/0x2b0 [ 114.229645][ T5100] ret_from_fork+0x48/0x80 [ 114.234098][ T5100] ret_from_fork_asm+0x1a/0x30 [ 114.238901][ T5100] [ 114.241218][ T5100] Memory state around the buggy address: [ 114.246842][ T5100] ffff888066ee5180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 114.254905][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 114.263167][ T5100] 
>ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 114.271248][ T5100] ^ [ 114.279221][ T5100] ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 114.287283][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 114.295358][ T5100] ================================================================== [ 114.304480][ T5100] ================================================================== [ 114.312593][ T5100] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x1ff/0x210 [ 114.320552][ T5100] Read of size 8 at addr ffff888066ee5350 by task syz-executor/5100 [ 114.328542][ T5100] [ 114.330870][ T5100] CPU: 0 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 114.342623][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 114.352728][ T5100] Call Trace: [ 114.356018][ T5100] [ 114.358958][ T5100] dump_stack_lvl+0x116/0x1f0 [ 114.363670][ T5100] print_report+0xc3/0x620 [ 114.368129][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.373787][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.379447][ T5100] ? __phys_addr+0xc6/0x150 [ 114.383973][ T5100] kasan_report+0xd9/0x110 [ 114.388589][ T5100] ? kfree_skb_reason+0x1ff/0x210 [ 114.393645][ T5100] ? kfree_skb_reason+0x1ff/0x210 [ 114.398706][ T5100] kfree_skb_reason+0x1ff/0x210 [ 114.403588][ T5100] __hci_req_sync+0x61d/0x980 [ 114.408295][ T5100] ? __pfx___hci_req_sync+0x10/0x10 [ 114.413518][ T5100] ? __mutex_lock+0x1a6/0x9c0 [ 114.418225][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10 [ 114.424318][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.429978][ T5100] ? hci_req_sync+0x3f/0xd0 [ 114.434549][ T5100] ? __pfx___might_resched+0x10/0x10 [ 114.439871][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.445531][ T5100] ? aa_get_newest_label+0x376/0x680 [ 114.450871][ T5100] hci_req_sync+0x97/0xd0 [ 114.455225][ T5100] ? 
__pfx_hci_scan_req+0x10/0x10 [ 114.460276][ T5100] hci_dev_cmd+0x634/0x960 [ 114.464727][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.470385][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10 [ 114.475356][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.481010][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.486667][ T5100] ? security_capable+0x98/0xd0 [ 114.491565][ T5100] hci_sock_ioctl+0x4f3/0x880 [ 114.496274][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.501933][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10 [ 114.507159][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 114.513166][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.518826][ T5100] sock_do_ioctl+0x119/0x280 [ 114.523455][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10 [ 114.528614][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.534273][ T5100] sock_ioctl+0x22e/0x6c0 [ 114.538675][ T5100] ? __pfx_sock_ioctl+0x10/0x10 [ 114.543569][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.549224][ T5100] ? __fget_files+0x256/0x400 [ 114.554039][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 114.559696][ T5100] ? 
__pfx_sock_ioctl+0x10/0x10 [ 114.564588][ T5100] __x64_sys_ioctl+0x196/0x220 [ 114.569413][ T5100] do_syscall_64+0xcd/0x250 [ 114.573958][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 114.579896][ T5100] RIP: 0033:0x7fad76d757db [ 114.584323][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 114.603976][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 114.612412][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db [ 114.620398][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003 [ 114.628406][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000 [ 114.636414][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001 [ 114.644397][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009 [ 114.652394][ T5100] [ 114.655425][ T5100] [ 114.657747][ T5100] Allocated by task 5098: [ 114.662076][ T5100] kasan_save_stack+0x33/0x60 [ 114.666783][ T5100] kasan_save_track+0x14/0x30 [ 114.671579][ T5100] __kasan_slab_alloc+0x89/0x90 [ 114.676447][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0 [ 114.681956][ T5100] skb_clone+0x190/0x3f0 [ 114.686247][ T5100] hci_cmd_work+0x66a/0x710 [ 114.690778][ T5100] process_one_work+0x9c8/0x1b40 [ 114.695749][ T5100] worker_thread+0x6c8/0xf30 [ 114.700561][ T5100] kthread+0x2c4/0x3a0 [ 114.704668][ T5100] ret_from_fork+0x48/0x80 [ 114.709122][ T5100] ret_from_fork_asm+0x1a/0x30 [ 114.713924][ T5100] [ 114.716248][ T5100] Freed by task 5098: [ 114.720230][ T5100] kasan_save_stack+0x33/0x60 [ 114.724926][ T5100] kasan_save_track+0x14/0x30 [ 114.729618][ T5100] kasan_save_free_info+0x3b/0x60 [ 114.734792][ T5100] poison_slab_object+0xf7/0x160 [ 114.739770][ T5100] __kasan_slab_free+0x32/0x50 [ 114.744557][ T5100] kmem_cache_free+0x12f/0x3a0 [ 114.749336][ 
T5100] kfree_skbmem+0x10e/0x200 [ 114.753881][ T5100] kfree_skb_reason+0x138/0x210 [ 114.758761][ T5100] hci_req_sync_complete+0x16c/0x270 [ 114.764079][ T5100] hci_event_packet+0x966/0x1170 [ 114.769037][ T5100] hci_rx_work+0x2c4/0x1610 [ 114.773569][ T5100] process_one_work+0x9c8/0x1b40 [ 114.778533][ T5100] worker_thread+0x6c8/0xf30 [ 114.783152][ T5100] kthread+0x2c4/0x3a0 [ 114.787259][ T5100] ret_from_fork+0x48/0x80 [ 114.791738][ T5100] ret_from_fork_asm+0x1a/0x30 [ 114.796544][ T5100] [ 114.798871][ T5100] The buggy address belongs to the object at ffff888066ee5280 [ 114.798871][ T5100] which belongs to the cache skbuff_head_cache of size 240 [ 114.813459][ T5100] The buggy address is located 208 bytes inside of [ 114.813459][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370) [ 114.827281][ T5100] [ 114.829606][ T5100] The buggy address belongs to the physical page: [ 114.836018][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5 [ 114.844799][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 114.851923][ T5100] page_type: 0xffffefff(slab) [ 114.856614][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000 [ 114.865830][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000 [ 114.874420][ T5100] page dumped because: kasan: bad access detected [ 114.880925][ T5100] page_owner tracks the page as allocated [ 114.886641][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900 [ 114.906042][ T5100] post_alloc_hook+0x2d1/0x350 [ 114.910844][ T5100] get_page_from_freelist+0x1353/0x2e50 [ 114.916428][ T5100] __alloc_pages_noprof+0x22b/0x2460 [ 114.921749][ T5100] alloc_slab_page+0x56/0x110 [ 114.926550][ T5100] new_slab+0x84/0x260 [ 114.930636][ T5100] ___slab_alloc+0xdac/0x1870 [ 114.935332][ T5100] 
__slab_alloc.constprop.0+0x56/0xb0 [ 114.940724][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310 [ 114.946553][ T5100] __alloc_skb+0x2b1/0x380 [ 114.951011][ T5100] hci_prepare_cmd+0x32/0x2b0 [ 114.955718][ T5100] hci_req_add_ev+0x11b/0x2b0 [ 114.960418][ T5100] hci_scan_req+0x87/0x150 [ 114.964857][ T5100] __hci_req_sync+0x145/0x980 [ 114.969554][ T5100] hci_req_sync+0x97/0xd0 [ 114.973994][ T5100] hci_dev_cmd+0x634/0x960 [ 114.978447][ T5100] hci_sock_ioctl+0x4f3/0x880 [ 114.983173][ T5100] page last free pid 1 tgid 1 stack trace: [ 114.988979][ T5100] free_unref_page+0x64a/0xe40 [ 114.993790][ T5100] free_contig_range+0xb6/0x1a0 [ 114.998673][ T5100] destroy_args+0xa4e/0xe20 [ 115.003213][ T5100] debug_vm_pgtable+0x1705/0x3280 [ 115.008274][ T5100] do_one_initcall+0x12b/0x700 [ 115.013078][ T5100] kernel_init_freeable+0x69d/0xca0 [ 115.018343][ T5100] kernel_init+0x1c/0x2b0 [ 115.022713][ T5100] ret_from_fork+0x48/0x80 [ 115.027167][ T5100] ret_from_fork_asm+0x1a/0x30 [ 115.031972][ T5100] [ 115.034295][ T5100] Memory state around the buggy address: [ 115.039929][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 115.048006][ T5100] ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 115.056082][ T5100] >ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 115.064149][ T5100] ^ [ 115.070824][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 115.078984][ T5100] ffff888066ee5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 115.087100][ T5100] ================================================================== [ 115.097763][ T5098] Bluetooth: hci4: command tx timeout [ 115.103614][ T5100] ================================================================== [ 115.111692][ T5100] BUG: KASAN: slab-use-after-free in skb_release_data+0x8c6/0x980 [ 115.119543][ T5100] Read of size 8 at addr ffff888066ee5350 by task syz-executor/5100 [ 115.127547][ T5100] [ 115.129884][ T5100] CPU: 0 PID: 
5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 115.141627][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 115.151691][ T5100] Call Trace:
[ 115.154978][ T5100]
[ 115.157927][ T5100] dump_stack_lvl+0x116/0x1f0
[ 115.162641][ T5100] print_report+0xc3/0x620
[ 115.167065][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.172708][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.178373][ T5100] ? __phys_addr+0xc6/0x150
[ 115.182887][ T5100] kasan_report+0xd9/0x110
[ 115.187489][ T5100] ? skb_release_data+0x8c6/0x980
[ 115.192531][ T5100] ? skb_release_data+0x8c6/0x980
[ 115.197571][ T5100] skb_release_data+0x8c6/0x980
[ 115.202455][ T5100] kfree_skb_reason+0x12b/0x210
[ 115.207319][ T5100] __hci_req_sync+0x61d/0x980
[ 115.212024][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 115.217255][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 115.221949][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 115.228024][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.233668][ T5100] ? hci_req_sync+0x3f/0xd0
[ 115.238186][ T5100] ? __pfx___might_resched+0x10/0x10
[ 115.243492][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.249134][ T5100] ? aa_get_newest_label+0x376/0x680
[ 115.254450][ T5100] hci_req_sync+0x97/0xd0
[ 115.258790][ T5100] ? __pfx_hci_scan_req+0x10/0x10
[ 115.263850][ T5100] hci_dev_cmd+0x634/0x960
[ 115.268286][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.273931][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10
[ 115.278910][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.284570][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.290298][ T5100] ? security_capable+0x98/0xd0
[ 115.295178][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 115.299872][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.305517][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 115.310738][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 115.316769][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.322456][ T5100] sock_do_ioctl+0x119/0x280
[ 115.327094][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10
[ 115.332251][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.338026][ T5100] sock_ioctl+0x22e/0x6c0
[ 115.342574][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 115.347484][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.353150][ T5100] ? __fget_files+0x256/0x400
[ 115.357871][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.363719][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 115.368617][ T5100] __x64_sys_ioctl+0x196/0x220
[ 115.373513][ T5100] do_syscall_64+0xcd/0x250
[ 115.378233][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 115.384172][ T5100] RIP: 0033:0x7fad76d757db
[ 115.388608][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 115.408339][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 115.417235][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db
[ 115.425219][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003
[ 115.433201][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000
[ 115.441173][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 115.449154][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 115.457143][ T5100]
[ 115.460159][ T5100]
[ 115.462475][ T5100] Allocated by task 5098:
[ 115.466798][ T5100] kasan_save_stack+0x33/0x60
[ 115.471487][ T5100] kasan_save_track+0x14/0x30
[ 115.476189][ T5100] __kasan_slab_alloc+0x89/0x90
[ 115.481047][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0
[ 115.486515][ T5100] skb_clone+0x190/0x3f0
[ 115.490802][ T5100] hci_cmd_work+0x66a/0x710
[ 115.491687][ T5098] Bluetooth: hci0: command tx timeout
[ 115.495303][ T5100] process_one_work+0x9c8/0x1b40
[ 115.505620][ T5100] worker_thread+0x6c8/0xf30
[ 115.510257][ T5100] kthread+0x2c4/0x3a0
[ 115.514371][ T5100] ret_from_fork+0x48/0x80
[ 115.518809][ T5100] ret_from_fork_asm+0x1a/0x30
[ 115.523599][ T5100]
[ 115.525924][ T5100] Freed by task 5098:
[ 115.529931][ T5100] kasan_save_stack+0x33/0x60
[ 115.534791][ T5100] kasan_save_track+0x14/0x30
[ 115.539472][ T5100] kasan_save_free_info+0x3b/0x60
[ 115.544512][ T5100] poison_slab_object+0xf7/0x160
[ 115.549557][ T5100] __kasan_slab_free+0x32/0x50
[ 115.554325][ T5100] kmem_cache_free+0x12f/0x3a0
[ 115.559092][ T5100] kfree_skbmem+0x10e/0x200
[ 115.563620][ T5100] kfree_skb_reason+0x138/0x210
[ 115.568490][ T5100] hci_req_sync_complete+0x16c/0x270
[ 115.573875][ T5100] hci_event_packet+0x966/0x1170
[ 115.578818][ T5100] hci_rx_work+0x2c4/0x1610
[ 115.583337][ T5100] process_one_work+0x9c8/0x1b40
[ 115.588377][ T5100] worker_thread+0x6c8/0xf30
[ 115.593067][ T5100] kthread+0x2c4/0x3a0
[ 115.597175][ T5100] ret_from_fork+0x48/0x80
[ 115.601614][ T5100] ret_from_fork_asm+0x1a/0x30
[ 115.606451][ T5100]
[ 115.608764][ T5100] The buggy address belongs to the object at ffff888066ee5280
[ 115.608764][ T5100] which belongs to the cache skbuff_head_cache of size 240
[ 115.623345][ T5100] The buggy address is located 208 bytes inside of
[ 115.623345][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370)
[ 115.637434][ T5100]
[ 115.639749][ T5100] The buggy address belongs to the physical page:
[ 115.646153][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5
[ 115.654922][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 115.662032][ T5100] page_type: 0xffffefff(slab)
[ 115.666710][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000
[ 115.675335][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 115.683915][ T5100] page dumped because: kasan: bad access detected
[ 115.690315][ T5100] page_owner tracks the page as allocated
[ 115.696020][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900
[ 115.715399][ T5100] post_alloc_hook+0x2d1/0x350
[ 115.720179][ T5100] get_page_from_freelist+0x1353/0x2e50
[ 115.725742][ T5100] __alloc_pages_noprof+0x22b/0x2460
[ 115.731074][ T5100] alloc_slab_page+0x56/0x110
[ 115.735770][ T5100] new_slab+0x84/0x260
[ 115.739849][ T5100] ___slab_alloc+0xdac/0x1870
[ 115.744530][ T5100] __slab_alloc.constprop.0+0x56/0xb0
[ 115.749909][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310
[ 115.755728][ T5100] __alloc_skb+0x2b1/0x380
[ 115.760194][ T5100] hci_prepare_cmd+0x32/0x2b0
[ 115.764880][ T5100] hci_req_add_ev+0x11b/0x2b0
[ 115.769566][ T5100] hci_scan_req+0x87/0x150
[ 115.773994][ T5100] __hci_req_sync+0x145/0x980
[ 115.778679][ T5100] hci_req_sync+0x97/0xd0
[ 115.783042][ T5100] hci_dev_cmd+0x634/0x960
[ 115.787495][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 115.792185][ T5100] page last free pid 1 tgid 1 stack trace:
[ 115.797988][ T5100] free_unref_page+0x64a/0xe40
[ 115.802774][ T5100] free_contig_range+0xb6/0x1a0
[ 115.807648][ T5100] destroy_args+0xa4e/0xe20
[ 115.812173][ T5100] debug_vm_pgtable+0x1705/0x3280
[ 115.817226][ T5100] do_one_initcall+0x12b/0x700
[ 115.822035][ T5100] kernel_init_freeable+0x69d/0xca0
[ 115.827256][ T5100] kernel_init+0x1c/0x2b0
[ 115.831614][ T5100] ret_from_fork+0x48/0x80
[ 115.836078][ T5100] ret_from_fork_asm+0x1a/0x30
[ 115.840862][ T5100]
[ 115.843178][ T5100] Memory state around the buggy address:
[ 115.848826][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 115.856890][ T5100] ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 115.865044][ T5100] >ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 115.873104][ T5100] ^
[ 115.879803][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 115.888001][ T5100] ffff888066ee5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 115.896063][ T5100] ==================================================================
[ 115.905231][ T5098] Bluetooth: hci3: command tx timeout
[ 115.910725][ T5100] ==================================================================
[ 115.918814][ T5100] BUG: KASAN: slab-use-after-free in skb_release_data+0x813/0x980
[ 115.926700][ T5100] Read of size 4 at addr ffff888066ee534c by task syz-executor/5100
[ 115.934699][ T5100]
[ 115.937032][ T5100] CPU: 0 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 115.948776][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 115.958858][ T5100] Call Trace:
[ 115.962439][ T5100]
[ 115.965381][ T5100] dump_stack_lvl+0x116/0x1f0
[ 115.970095][ T5100] print_report+0xc3/0x620
[ 115.974542][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.980206][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 115.985884][ T5100] ? __phys_addr+0xc6/0x150
[ 115.990504][ T5100] kasan_report+0xd9/0x110
[ 115.994955][ T5100] ? skb_release_data+0x813/0x980
[ 116.000039][ T5100] ? skb_release_data+0x813/0x980
[ 116.005128][ T5100] skb_release_data+0x813/0x980
[ 116.010043][ T5100] kfree_skb_reason+0x12b/0x210
[ 116.014931][ T5100] __hci_req_sync+0x61d/0x980
[ 116.019643][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 116.024874][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 116.029586][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 116.035683][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.041371][ T5100] ? hci_req_sync+0x3f/0xd0
[ 116.045914][ T5100] ? __pfx___might_resched+0x10/0x10
[ 116.051264][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.056926][ T5100] ? aa_get_newest_label+0x376/0x680
[ 116.062272][ T5100] hci_req_sync+0x97/0xd0
[ 116.066631][ T5100] ? __pfx_hci_scan_req+0x10/0x10
[ 116.071779][ T5100] hci_dev_cmd+0x634/0x960
[ 116.076236][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.081917][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10
[ 116.086919][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.092582][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.098241][ T5100] ? security_capable+0x98/0xd0
[ 116.103176][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 116.107912][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.113599][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 116.118829][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 116.124864][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.130527][ T5100] sock_do_ioctl+0x119/0x280
[ 116.135161][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10
[ 116.140325][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.146016][ T5100] sock_ioctl+0x22e/0x6c0
[ 116.150480][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 116.155660][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.161318][ T5100] ? __fget_files+0x256/0x400
[ 116.166038][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.171696][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 116.176612][ T5100] __x64_sys_ioctl+0x196/0x220
[ 116.181852][ T5100] do_syscall_64+0xcd/0x250
[ 116.186393][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 116.192329][ T5100] RIP: 0033:0x7fad76d757db
[ 116.196792][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 116.216719][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 116.225175][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db
[ 116.233161][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003
[ 116.241432][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000
[ 116.249442][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 116.257459][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 116.265465][ T5100]
[ 116.268601][ T5100]
[ 116.270931][ T5100] Allocated by task 5098:
[ 116.275284][ T5100] kasan_save_stack+0x33/0x60
[ 116.279981][ T5100] kasan_save_track+0x14/0x30
[ 116.284672][ T5100] __kasan_slab_alloc+0x89/0x90
[ 116.289558][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0
[ 116.295040][ T5100] skb_clone+0x190/0x3f0
[ 116.299304][ T5100] hci_cmd_work+0x66a/0x710
[ 116.303837][ T5100] process_one_work+0x9c8/0x1b40
[ 116.308805][ T5100] worker_thread+0x6c8/0xf30
[ 116.313446][ T5100] kthread+0x2c4/0x3a0
[ 116.317551][ T5100] ret_from_fork+0x48/0x80
[ 116.322004][ T5100] ret_from_fork_asm+0x1a/0x30
[ 116.326814][ T5100]
[ 116.329142][ T5100] Freed by task 5098:
[ 116.333218][ T5100] kasan_save_stack+0x33/0x60
[ 116.337911][ T5100] kasan_save_track+0x14/0x30
[ 116.342601][ T5100] kasan_save_free_info+0x3b/0x60
[ 116.347655][ T5100] poison_slab_object+0xf7/0x160
[ 116.352631][ T5100] __kasan_slab_free+0x32/0x50
[ 116.357412][ T5100] kmem_cache_free+0x12f/0x3a0
[ 116.362193][ T5100] kfree_skbmem+0x10e/0x200
[ 116.366734][ T5100] kfree_skb_reason+0x138/0x210
[ 116.371612][ T5100] hci_req_sync_complete+0x16c/0x270
[ 116.376918][ T5100] hci_event_packet+0x966/0x1170
[ 116.381876][ T5100] hci_rx_work+0x2c4/0x1610
[ 116.386407][ T5100] process_one_work+0x9c8/0x1b40
[ 116.391370][ T5100] worker_thread+0x6c8/0xf30
[ 116.395987][ T5100] kthread+0x2c4/0x3a0
[ 116.400090][ T5100] ret_from_fork+0x48/0x80
[ 116.404541][ T5100] ret_from_fork_asm+0x1a/0x30
[ 116.409341][ T5100]
[ 116.411667][ T5100] The buggy address belongs to the object at ffff888066ee5280
[ 116.411667][ T5100] which belongs to the cache skbuff_head_cache of size 240
[ 116.426252][ T5100] The buggy address is located 204 bytes inside of
[ 116.426252][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370)
[ 116.440263][ T5100]
[ 116.442604][ T5100] The buggy address belongs to the physical page:
[ 116.449016][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5
[ 116.457801][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 116.464919][ T5100] page_type: 0xffffefff(slab)
[ 116.469611][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000
[ 116.478215][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 116.486810][ T5100] page dumped because: kasan: bad access detected
[ 116.493223][ T5100] page_owner tracks the page as allocated
[ 116.498934][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900
[ 116.518334][ T5100] post_alloc_hook+0x2d1/0x350
[ 116.523135][ T5100] get_page_from_freelist+0x1353/0x2e50
[ 116.528716][ T5100] __alloc_pages_noprof+0x22b/0x2460
[ 116.534043][ T5100] alloc_slab_page+0x56/0x110
[ 116.538755][ T5100] new_slab+0x84/0x260
[ 116.542845][ T5100] ___slab_alloc+0xdac/0x1870
[ 116.547540][ T5100] __slab_alloc.constprop.0+0x56/0xb0
[ 116.552934][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310
[ 116.558764][ T5100] __alloc_skb+0x2b1/0x380
[ 116.563221][ T5100] hci_prepare_cmd+0x32/0x2b0
[ 116.567922][ T5100] hci_req_add_ev+0x11b/0x2b0
[ 116.572619][ T5100] hci_scan_req+0x87/0x150
[ 116.577055][ T5100] __hci_req_sync+0x145/0x980
[ 116.581750][ T5100] hci_req_sync+0x97/0xd0
[ 116.586104][ T5100] hci_dev_cmd+0x634/0x960
[ 116.590547][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 116.595249][ T5100] page last free pid 1 tgid 1 stack trace:
[ 116.601055][ T5100] free_unref_page+0x64a/0xe40
[ 116.605854][ T5100] free_contig_range+0xb6/0x1a0
[ 116.610739][ T5100] destroy_args+0xa4e/0xe20
[ 116.615283][ T5100] debug_vm_pgtable+0x1705/0x3280
[ 116.620345][ T5100] do_one_initcall+0x12b/0x700
[ 116.625143][ T5100] kernel_init_freeable+0x69d/0xca0
[ 116.630377][ T5100] kernel_init+0x1c/0x2b0
[ 116.634743][ T5100] ret_from_fork+0x48/0x80
[ 116.639198][ T5100] ret_from_fork_asm+0x1a/0x30
[ 116.644000][ T5100]
[ 116.646321][ T5100] Memory state around the buggy address:
[ 116.651954][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 116.660027][ T5100] ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 116.668099][ T5100] >ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 116.676163][ T5100] ^
[ 116.682583][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 116.690652][ T5100] ffff888066ee5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 116.698722][ T5100] ==================================================================
[ 116.707045][ T5098] Bluetooth: hci5: command tx timeout
[ 116.707528][ T5101] Bluetooth: hci2: command tx timeout
[ 116.775611][ T5103] chnl_net:caif_netlink_parms(): no params data found
[ 116.778955][ T5100] ==================================================================
[ 116.790585][ T5100] BUG: KASAN: slab-use-after-free in skb_release_data+0x806/0x980
[ 116.798442][ T5100] Read of size 1 at addr ffff888066ee52fe by task syz-executor/5100
[ 116.806454][ T5100]
[ 116.808801][ T5100] CPU: 0 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 116.820556][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 116.830647][ T5100] Call Trace:
[ 116.833945][ T5100]
[ 116.836897][ T5100] dump_stack_lvl+0x116/0x1f0
[ 116.841622][ T5100] print_report+0xc3/0x620
[ 116.846139][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.851821][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.857491][ T5100] ? __phys_addr+0xc6/0x150
[ 116.862003][ T5100] kasan_report+0xd9/0x110
[ 116.866430][ T5100] ? skb_release_data+0x806/0x980
[ 116.871466][ T5100] ? skb_release_data+0x806/0x980
[ 116.876958][ T5100] skb_release_data+0x806/0x980
[ 116.881839][ T5100] kfree_skb_reason+0x12b/0x210
[ 116.886704][ T5100] __hci_req_sync+0x61d/0x980
[ 116.891394][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 116.896602][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 116.901292][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 116.907376][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.913022][ T5100] ? hci_req_sync+0x3f/0xd0
[ 116.917542][ T5100] ? __pfx___might_resched+0x10/0x10
[ 116.922847][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.928490][ T5100] ? aa_get_newest_label+0x376/0x680
[ 116.933812][ T5100] hci_req_sync+0x97/0xd0
[ 116.938154][ T5100] ? __pfx_hci_scan_req+0x10/0x10
[ 116.943194][ T5100] hci_dev_cmd+0x634/0x960
[ 116.947630][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.953276][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10
[ 116.958231][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.963891][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.969532][ T5100] ? security_capable+0x98/0xd0
[ 116.974412][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 116.979367][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 116.985013][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 116.990222][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 116.996216][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.001861][ T5100] sock_do_ioctl+0x119/0x280
[ 117.006469][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10
[ 117.011607][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.017247][ T5100] sock_ioctl+0x22e/0x6c0
[ 117.021605][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 117.026501][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.032177][ T5100] ? __fget_files+0x256/0x400
[ 117.036878][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.042520][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 117.047397][ T5100] __x64_sys_ioctl+0x196/0x220
[ 117.052268][ T5100] do_syscall_64+0xcd/0x250
[ 117.056789][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 117.062708][ T5100] RIP: 0033:0x7fad76d757db
[ 117.067123][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 117.086767][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 117.095198][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db
[ 117.103351][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003
[ 117.111341][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000
[ 117.119319][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 117.127297][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 117.135284][ T5100]
[ 117.138295][ T5100]
[ 117.140605][ T5100] Allocated by task 5098:
[ 117.144926][ T5100] kasan_save_stack+0x33/0x60
[ 117.149606][ T5100] kasan_save_track+0x14/0x30
[ 117.154369][ T5100] __kasan_slab_alloc+0x89/0x90
[ 117.159221][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0
[ 117.164686][ T5100] skb_clone+0x190/0x3f0
[ 117.168934][ T5100] hci_cmd_work+0x66a/0x710
[ 117.173448][ T5100] process_one_work+0x9c8/0x1b40
[ 117.178394][ T5100] worker_thread+0x6c8/0xf30
[ 117.182992][ T5100] kthread+0x2c4/0x3a0
[ 117.187078][ T5100] ret_from_fork+0x48/0x80
[ 117.191517][ T5100] ret_from_fork_asm+0x1a/0x30
[ 117.196306][ T5100]
[ 117.198616][ T5100] Freed by task 5098:
[ 117.202593][ T5100] kasan_save_stack+0x33/0x60
[ 117.207269][ T5100] kasan_save_track+0x14/0x30
[ 117.211946][ T5100] kasan_save_free_info+0x3b/0x60
[ 117.216984][ T5100] poison_slab_object+0xf7/0x160
[ 117.221943][ T5100] __kasan_slab_free+0x32/0x50
[ 117.226708][ T5100] kmem_cache_free+0x12f/0x3a0
[ 117.231479][ T5100] kfree_skbmem+0x10e/0x200
[ 117.236021][ T5100] kfree_skb_reason+0x138/0x210
[ 117.240899][ T5100] hci_req_sync_complete+0x16c/0x270
[ 117.246190][ T5100] hci_event_packet+0x966/0x1170
[ 117.251133][ T5100] hci_rx_work+0x2c4/0x1610
[ 117.255647][ T5100] process_one_work+0x9c8/0x1b40
[ 117.260601][ T5100] worker_thread+0x6c8/0xf30
[ 117.265202][ T5100] kthread+0x2c4/0x3a0
[ 117.269285][ T5100] ret_from_fork+0x48/0x80
[ 117.273740][ T5100] ret_from_fork_asm+0x1a/0x30
[ 117.278523][ T5100]
[ 117.280834][ T5100] The buggy address belongs to the object at ffff888066ee5280
[ 117.280834][ T5100] which belongs to the cache skbuff_head_cache of size 240
[ 117.295411][ T5100] The buggy address is located 126 bytes inside of
[ 117.295411][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370)
[ 117.309301][ T5100]
[ 117.311621][ T5100] The buggy address belongs to the physical page:
[ 117.318043][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5
[ 117.326810][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 117.333917][ T5100] page_type: 0xffffefff(slab)
[ 117.338595][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000
[ 117.347185][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 117.355766][ T5100] page dumped because: kasan: bad access detected
[ 117.362195][ T5100] page_owner tracks the page as allocated
[ 117.367900][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900
[ 117.387281][ T5100] post_alloc_hook+0x2d1/0x350
[ 117.392064][ T5100] get_page_from_freelist+0x1353/0x2e50
[ 117.397628][ T5100] __alloc_pages_noprof+0x22b/0x2460
[ 117.402933][ T5100] alloc_slab_page+0x56/0x110
[ 117.407627][ T5100] new_slab+0x84/0x260
[ 117.411702][ T5100] ___slab_alloc+0xdac/0x1870
[ 117.416381][ T5100] __slab_alloc.constprop.0+0x56/0xb0
[ 117.421780][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310
[ 117.427601][ T5100] __alloc_skb+0x2b1/0x380
[ 117.432039][ T5100] hci_prepare_cmd+0x32/0x2b0
[ 117.436723][ T5100] hci_req_add_ev+0x11b/0x2b0
[ 117.441405][ T5100] hci_scan_req+0x87/0x150
[ 117.445833][ T5100] __hci_req_sync+0x145/0x980
[ 117.450516][ T5100] hci_req_sync+0x97/0xd0
[ 117.454852][ T5100] hci_dev_cmd+0x634/0x960
[ 117.459281][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 117.463966][ T5100] page last free pid 1 tgid 1 stack trace:
[ 117.469762][ T5100] free_unref_page+0x64a/0xe40
[ 117.474543][ T5100] free_contig_range+0xb6/0x1a0
[ 117.479407][ T5100] destroy_args+0xa4e/0xe20
[ 117.483927][ T5100] debug_vm_pgtable+0x1705/0x3280
[ 117.488969][ T5100] do_one_initcall+0x12b/0x700
[ 117.493748][ T5100] kernel_init_freeable+0x69d/0xca0
[ 117.498966][ T5100] kernel_init+0x1c/0x2b0
[ 117.503313][ T5100] ret_from_fork+0x48/0x80
[ 117.507746][ T5100] ret_from_fork_asm+0x1a/0x30
[ 117.512532][ T5100]
[ 117.514843][ T5100] Memory state around the buggy address:
[ 117.520460][ T5100] ffff888066ee5180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 117.528524][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 117.536586][ T5100] >ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 117.544643][ T5100] ^
[ 117.552616][ T5100] ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 117.560874][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 117.568928][ T5100] ==================================================================
[ 117.571672][ T5101] Bluetooth: hci0: command tx timeout
[ 117.578119][ T5098] Bluetooth: hci4: command tx timeout
[ 117.588156][ T5100] ==================================================================
[ 117.596233][ T5100] BUG: KASAN: slab-use-after-free in skb_release_data+0x8dd/0x980
[ 117.604082][ T5100] Read of size 8 at addr ffff888066ee5350 by task syz-executor/5100
[ 117.612084][ T5100]
[ 117.614411][ T5100] CPU: 0 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 117.626151][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 117.636209][ T5100] Call Trace:
[ 117.639483][ T5100]
[ 117.642412][ T5100] dump_stack_lvl+0x116/0x1f0
[ 117.647121][ T5100] print_report+0xc3/0x620
[ 117.651554][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.657215][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.662856][ T5100] ? __phys_addr+0xc6/0x150
[ 117.667365][ T5100] kasan_report+0xd9/0x110
[ 117.671802][ T5100] ? skb_release_data+0x8dd/0x980
[ 117.676861][ T5100] ? skb_release_data+0x8dd/0x980
[ 117.681902][ T5100] skb_release_data+0x8dd/0x980
[ 117.686766][ T5100] kfree_skb_reason+0x12b/0x210
[ 117.691647][ T5100] __hci_req_sync+0x61d/0x980
[ 117.696353][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 117.701565][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 117.706254][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 117.712334][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.717997][ T5100] ? hci_req_sync+0x3f/0xd0
[ 117.722516][ T5100] ? __pfx___might_resched+0x10/0x10
[ 117.727820][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.733462][ T5100] ? aa_get_newest_label+0x376/0x680
[ 117.738777][ T5100] hci_req_sync+0x97/0xd0
[ 117.743144][ T5100] ? __pfx_hci_scan_req+0x10/0x10
[ 117.748181][ T5100] hci_dev_cmd+0x634/0x960
[ 117.752614][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.758254][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10
[ 117.763208][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.768846][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.774496][ T5100] ? security_capable+0x98/0xd0
[ 117.779460][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 117.784151][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.789793][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 117.795007][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 117.800999][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.806644][ T5100] sock_do_ioctl+0x119/0x280
[ 117.811342][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10
[ 117.816569][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.822216][ T5100] sock_ioctl+0x22e/0x6c0
[ 117.826590][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 117.831465][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.837125][ T5100] ? __fget_files+0x256/0x400
[ 117.842000][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 117.847642][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 117.852514][ T5100] __x64_sys_ioctl+0x196/0x220
[ 117.857384][ T5100] do_syscall_64+0xcd/0x250
[ 117.861906][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 117.867823][ T5100] RIP: 0033:0x7fad76d757db
[ 117.872237][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 117.891869][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 117.900309][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db
[ 117.908283][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003
[ 117.916280][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000
[ 117.924255][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 117.932228][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 117.940211][ T5100]
[ 117.943224][ T5100]
[ 117.945540][ T5100] Allocated by task 5098:
[ 117.949855][ T5100] kasan_save_stack+0x33/0x60
[ 117.954535][ T5100] kasan_save_track+0x14/0x30
[ 117.959212][ T5100] __kasan_slab_alloc+0x89/0x90
[ 117.964068][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0
[ 117.969536][ T5100] skb_clone+0x190/0x3f0
[ 117.971630][ T5101] Bluetooth: hci3: command tx timeout
[ 117.973772][ T5100] hci_cmd_work+0x66a/0x710
[ 117.983653][ T5100] process_one_work+0x9c8/0x1b40
[ 117.988665][ T5100] worker_thread+0x6c8/0xf30
[ 117.993296][ T5100] kthread+0x2c4/0x3a0
[ 117.997495][ T5100] ret_from_fork+0x48/0x80
[ 118.001931][ T5100] ret_from_fork_asm+0x1a/0x30
[ 118.006713][ T5100]
[ 118.009025][ T5100] Freed by task 5098:
[ 118.013036][ T5100] kasan_save_stack+0x33/0x60
[ 118.017714][ T5100] kasan_save_track+0x14/0x30
[ 118.022391][ T5100] kasan_save_free_info+0x3b/0x60
[ 118.027428][ T5100] poison_slab_object+0xf7/0x160
[ 118.032387][ T5100] __kasan_slab_free+0x32/0x50
[ 118.037152][ T5100] kmem_cache_free+0x12f/0x3a0
[ 118.041918][ T5100] kfree_skbmem+0x10e/0x200
[ 118.046444][ T5100] kfree_skb_reason+0x138/0x210
[ 118.051301][ T5100] hci_req_sync_complete+0x16c/0x270
[ 118.056592][ T5100] hci_event_packet+0x966/0x1170
[ 118.061540][ T5100] hci_rx_work+0x2c4/0x1610
[ 118.066073][ T5100] process_one_work+0x9c8/0x1b40
[ 118.071039][ T5100] worker_thread+0x6c8/0xf30
[ 118.075640][ T5100] kthread+0x2c4/0x3a0
[ 118.079726][ T5100] ret_from_fork+0x48/0x80
[ 118.084682][ T5100] ret_from_fork_asm+0x1a/0x30
[ 118.089462][ T5100]
[ 118.091868][ T5100] The buggy address belongs to the object at ffff888066ee5280
[ 118.091868][ T5100] which belongs to the cache skbuff_head_cache of size 240
[ 118.106459][ T5100] The buggy address is located 208 bytes inside of
[ 118.106459][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370)
[ 118.120276][ T5100]
[ 118.122591][ T5100] The buggy address belongs to the physical page:
[ 118.128989][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5
[ 118.137749][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 118.144854][ T5100] page_type: 0xffffefff(slab)
[ 118.149530][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000
[ 118.158115][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 118.166693][ T5100] page dumped because: kasan: bad access detected
[ 118.173099][ T5100] page_owner tracks the page as allocated
[ 118.178803][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900
[ 118.198176][ T5100] post_alloc_hook+0x2d1/0x350
[ 118.202962][ T5100] get_page_from_freelist+0x1353/0x2e50
[ 118.208541][ T5100] __alloc_pages_noprof+0x22b/0x2460
[ 118.213850][ T5100] alloc_slab_page+0x56/0x110
[ 118.218544][ T5100] new_slab+0x84/0x260
[ 118.222613][ T5100] ___slab_alloc+0xdac/0x1870
[ 118.227293][ T5100] __slab_alloc.constprop.0+0x56/0xb0
[ 118.232672][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310
[ 118.238485][ T5100] __alloc_skb+0x2b1/0x380
[ 118.242918][ T5100] hci_prepare_cmd+0x32/0x2b0
[ 118.247604][ T5100] hci_req_add_ev+0x11b/0x2b0
[ 118.252288][ T5100] hci_scan_req+0x87/0x150
[ 118.256804][ T5100] __hci_req_sync+0x145/0x980
[ 118.261491][ T5100] hci_req_sync+0x97/0xd0
[ 118.265840][ T5100] hci_dev_cmd+0x634/0x960
[ 118.270269][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 118.274952][ T5100] page last free pid 1 tgid 1 stack trace:
[ 118.280745][ T5100] free_unref_page+0x64a/0xe40
[ 118.285525][ T5100] free_contig_range+0xb6/0x1a0
[ 118.290386][ T5100] destroy_args+0xa4e/0xe20
[ 118.294905][ T5100] debug_vm_pgtable+0x1705/0x3280
[ 118.299950][ T5100] do_one_initcall+0x12b/0x700
[ 118.304727][ T5100] kernel_init_freeable+0x69d/0xca0
[ 118.309941][ T5100] kernel_init+0x1c/0x2b0
[ 118.314314][ T5100] ret_from_fork+0x48/0x80
[ 118.318745][ T5100] ret_from_fork_asm+0x1a/0x30
[ 118.323526][ T5100]
[ 118.325837][ T5100] Memory state around the buggy address:
[ 118.331455][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 118.339530][ T5100] ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 118.347593][ T5100] >ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 118.355648][ T5100] ^
[ 118.362315][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 118.370376][ T5100] ffff888066ee5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 118.378433][ T5100] ==================================================================
[ 118.391406][ T5100] ==================================================================
[ 118.399491][ T5100] BUG: KASAN: slab-use-after-free in skb_release_data+0x857/0x980
[ 118.407329][ T5100] Read of size 4 at addr ffff888066ee534c by task syz-executor/5100
[ 118.415319][ T5100]
[ 118.417645][ T5100] CPU: 0 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0
[ 118.429379][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 118.439442][ T5100] Call Trace:
[ 118.442728][ T5100]
[ 118.445666][ T5100] dump_stack_lvl+0x116/0x1f0
[ 118.450373][ T5100] print_report+0xc3/0x620
[ 118.454819][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.460476][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.466136][ T5100] ? __phys_addr+0xc6/0x150
[ 118.470662][ T5100] kasan_report+0xd9/0x110
[ 118.475106][ T5100] ? skb_release_data+0x857/0x980
[ 118.480158][ T5100] ? skb_release_data+0x857/0x980
[ 118.485212][ T5100] skb_release_data+0x857/0x980
[ 118.490186][ T5100] kfree_skb_reason+0x12b/0x210
[ 118.495082][ T5100] __hci_req_sync+0x61d/0x980
[ 118.499878][ T5100] ? __pfx___hci_req_sync+0x10/0x10
[ 118.505103][ T5100] ? __mutex_lock+0x1a6/0x9c0
[ 118.509839][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10
[ 118.515932][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.521586][ T5100] ? hci_req_sync+0x3f/0xd0
[ 118.526122][ T5100] ? __pfx___might_resched+0x10/0x10
[ 118.531440][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.537101][ T5100] ? aa_get_newest_label+0x376/0x680
[ 118.542436][ T5100] hci_req_sync+0x97/0xd0
[ 118.546797][ T5100] ? __pfx_hci_scan_req+0x10/0x10
[ 118.551852][ T5100] hci_dev_cmd+0x634/0x960
[ 118.556301][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.561957][ T5100] ? __pfx_hci_dev_cmd+0x10/0x10
[ 118.566929][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.572585][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.578239][ T5100] ? security_capable+0x98/0xd0
[ 118.583141][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 118.587872][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.593527][ T5100] ? __pfx_hci_sock_ioctl+0x10/0x10
[ 118.598753][ T5100] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 118.604764][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.610424][ T5100] sock_do_ioctl+0x119/0x280
[ 118.615169][ T5100] ? __pfx_sock_do_ioctl+0x10/0x10
[ 118.620331][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.625989][ T5100] sock_ioctl+0x22e/0x6c0
[ 118.630358][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 118.635254][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.640909][ T5100] ? __fget_files+0x256/0x400
[ 118.645628][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5
[ 118.651287][ T5100] ? __pfx_sock_ioctl+0x10/0x10
[ 118.656355][ T5100] __x64_sys_ioctl+0x196/0x220
[ 118.661160][ T5100] do_syscall_64+0xcd/0x250
[ 118.665700][ T5100] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 118.671658][ T5100] RIP: 0033:0x7fad76d757db
[ 118.676090][ T5100] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 118.695720][ T5100] RSP: 002b:00007ffe28bf6500 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 118.704159][ T5100] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fad76d757db
[ 118.712150][ T5100] RDX: 00007ffe28bf6578 RSI: 00000000400448dd RDI: 0000000000000003
[ 118.720135][ T5100] RBP: 000055555eac34a8 R08: 0000000000000000 R09: 0000000000000000
[ 118.728117][ T5100] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 118.736100][ T5100] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 118.744097][ T5100]
[ 118.747121][ T5100]
[ 118.749441][ T5100] Allocated by task 5098:
[ 118.753770][ T5100] kasan_save_stack+0x33/0x60
[ 118.758465][ T5100] kasan_save_track+0x14/0x30
[ 118.763155][ T5100] __kasan_slab_alloc+0x89/0x90
[ 118.768022][ T5100] kmem_cache_alloc_noprof+0x121/0x2f0
[ 118.773507][ T5100] skb_clone+0x190/0x3f0
[ 118.777771][ T5100] hci_cmd_work+0x66a/0x710
[ 118.782299][ T5100] process_one_work+0x9c8/0x1b40
[ 118.787261][ T5100] worker_thread+0x6c8/0xf30
[ 118.791880][ T5100] kthread+0x2c4/0x3a0
[ 118.795983][ T5100] ret_from_fork+0x48/0x80
[ 118.800436][ T5100] ret_from_fork_asm+0x1a/0x30
[ 118.805235][ T5100]
[ 118.807554][ T5100] Freed by task 5098:
[ 118.811533][ T5100] kasan_save_stack+0x33/0x60
[ 118.816221][ T5100] kasan_save_track+0x14/0x30
[ 118.820908][ T5100] kasan_save_free_info+0x3b/0x60
[ 118.826108][ T5100] poison_slab_object+0xf7/0x160
[ 118.831190][ T5100] __kasan_slab_free+0x32/0x50
[ 118.835979][ T5100] kmem_cache_free+0x12f/0x3a0
[ 118.840758][ T5100] kfree_skbmem+0x10e/0x200
[ 118.845310][ T5100] kfree_skb_reason+0x138/0x210
[ 118.850184][ T5100] hci_req_sync_complete+0x16c/0x270
[ 118.855488][ T5100] hci_event_packet+0x966/0x1170
[ 118.860452][ T5100] hci_rx_work+0x2c4/0x1610
[ 118.864985][ T5100] process_one_work+0x9c8/0x1b40
[ 118.869954][ T5100] worker_thread+0x6c8/0xf30
[ 118.874572][ T5100] kthread+0x2c4/0x3a0
[ 118.878676][ T5100] ret_from_fork+0x48/0x80
[ 118.883211][ T5100] ret_from_fork_asm+0x1a/0x30
[ 118.888011][ T5100]
[ 118.890334][ T5100] The buggy address belongs to the object at ffff888066ee5280
[ 118.890334][ T5100] which belongs to the cache skbuff_head_cache of size 240
[ 118.904919][ T5100] The buggy address is located 204 bytes inside of
[ 118.904919][ T5100] freed 240-byte region [ffff888066ee5280, ffff888066ee5370)
[ 118.918735][ T5100]
[ 118.921056][ T5100] The buggy address belongs to the physical page:
[ 118.927468][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66ee5
[ 118.936328][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 118.943444][ T5100] page_type: 0xffffefff(slab)
[ 118.948136][ T5100] raw: 00fff00000000000 ffff8880192cc780 dead000000000122 0000000000000000
[ 118.956766][ T5100] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 118.965356][ T5100] page dumped because: kasan: bad access detected
[ 118.971768][ T5100] page_owner tracks the page as allocated
[ 118.977483][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5100, tgid 5100 (syz-executor), ts 109300287404, free_ts 36958978900
[ 118.996876][ T5100] post_alloc_hook+0x2d1/0x350
[ 119.001740][ T5100] get_page_from_freelist+0x1353/0x2e50
[ 119.007327][ T5100] __alloc_pages_noprof+0x22b/0x2460
[ 119.012647][ T5100] alloc_slab_page+0x56/0x110
[ 119.017358][ T5100] new_slab+0x84/0x260
[ 119.021440][ T5100] ___slab_alloc+0xdac/0x1870
[ 119.026135][ T5100] __slab_alloc.constprop.0+0x56/0xb0
[ 119.031528][ T5100] kmem_cache_alloc_node_noprof+0xed/0x310
[ 119.037356][ T5100] __alloc_skb+0x2b1/0x380
[ 119.041813][ T5100] hci_prepare_cmd+0x32/0x2b0
[ 119.046511][ T5100] hci_req_add_ev+0x11b/0x2b0
[ 119.051205][ T5100] hci_scan_req+0x87/0x150
[ 119.055644][ T5100] __hci_req_sync+0x145/0x980
[ 119.060338][ T5100] hci_req_sync+0x97/0xd0
[ 119.064686][ T5100] hci_dev_cmd+0x634/0x960
[ 119.069133][ T5100] hci_sock_ioctl+0x4f3/0x880
[ 119.073834][ T5100] page last free pid 1 tgid 1 stack trace:
[ 119.079640][ T5100] free_unref_page+0x64a/0xe40
[ 119.084458][ T5100] free_contig_range+0xb6/0x1a0
[ 119.089352][ T5100] destroy_args+0xa4e/0xe20
[ 119.093890][ T5100] debug_vm_pgtable+0x1705/0x3280
[ 119.098949][ T5100] do_one_initcall+0x12b/0x700
[ 119.103748][ T5100] kernel_init_freeable+0x69d/0xca0
[ 119.108986][ T5100] kernel_init+0x1c/0x2b0
[ 119.113354][ T5100] ret_from_fork+0x48/0x80
[ 119.117806][ T5100] ret_from_fork_asm+0x1a/0x30 [
119.122611][ T5100] [ 119.124954][ T5100] Memory state around the buggy address: [ 119.130589][ T5100] ffff888066ee5200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 119.138658][ T5100] ffff888066ee5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 119.146729][ T5100] >ffff888066ee5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 119.154792][ T5100] ^ [ 119.161209][ T5100] ffff888066ee5380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 119.169277][ T5100] ffff888066ee5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 119.177345][ T5100] ================================================================== [ 119.186916][ T5100] ================================================================== [ 119.194999][ T5100] BUG: KASAN: slab-use-after-free in skb_free_head+0x1ae/0x1d0 [ 119.201555][ T5101] Bluetooth: hci2: command tx timeout [ 119.202558][ T5100] Read of size 8 at addr ffff888066ee5350 by task syz-executor/5100 [ 119.207932][ T5101] Bluetooth: hci5: command tx timeout [ 119.215841][ T5100] [ 119.215852][ T5100] CPU: 1 PID: 5100 Comm: syz-executor Tainted: G B 6.10.0-rc6-syzkaller-00069-g795c58e4c7fc #0 [ 119.215899][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 119.215923][ T5100] Call Trace: [ 119.215937][ T5100] [ 119.215952][ T5100] dump_stack_lvl+0x116/0x1f0 [ 119.216004][ T5100] print_report+0xc3/0x620 [ 119.260887][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 119.266546][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 119.272200][ T5100] ? __phys_addr+0xc6/0x150 [ 119.276755][ T5100] kasan_report+0xd9/0x110 [ 119.281195][ T5100] ? skb_free_head+0x1ae/0x1d0 [ 119.285983][ T5100] ? skb_free_head+0x1ae/0x1d0 [ 119.290776][ T5100] skb_free_head+0x1ae/0x1d0 [ 119.295390][ T5100] skb_release_data+0x75c/0x980 [ 119.300271][ T5100] kfree_skb_reason+0x12b/0x210 [ 119.305152][ T5100] __hci_req_sync+0x61d/0x980 [ 119.309861][ T5100] ? 
__pfx___hci_req_sync+0x10/0x10 [ 119.315086][ T5100] ? __mutex_lock+0x1a6/0x9c0 [ 119.319791][ T5100] ? __pfx_autoremove_wake_function+0x10/0x10 [ 119.325885][ T5100] ? srso_alias_return_thunk+0x5/0xfbef5 [ 119.331541][ T5100] ? hci_req_sync+0x3f/0xd0