KASAN: slab-use-after-free Read in lockref_get
==================================================================
BUG: KASAN: slab-use-after-free in __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
Read of size 1 at addr ffff888071891b40 by task syz-executor/5869
CPU: 1 UID: 0 PID: 5869 Comm: syz-executor Not tainted 6.16.0-rc1-syzkaller-g19272b37aa4f-dirty #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xcd/0x680 mm/kasan/report.c:521
kasan_report+0xe0/0x110 mm/kasan/report.c:634
__kasan_check_byte+0x36/0x50 mm/kasan/common.c:557
kasan_check_byte include/linux/kasan.h:399 [inline]
lock_acquire kernel/locking/lockdep.c:5845 [inline]
lock_acquire+0xfc/0x350 kernel/locking/lockdep.c:5828
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
lockref_get+0x15/0x50 lib/lockref.c:50
dget include/linux/dcache.h:345 [inline]
simple_recursive_removal+0x3b/0x690 fs/libfs.c:611
debugfs_remove+0x5d/0x80 fs/debugfs/inode.c:805
hci_release_dev+0x8c/0x600 net/bluetooth/hci_core.c:2708
bt_host_release+0x6a/0xb0 net/bluetooth/hci_sysfs.c:87
device_release+0xa1/0x240 drivers/base/core.c:2568
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e7/0x5a0 lib/kobject.c:737
put_device+0x1f/0x30 drivers/base/core.c:3800
vhci_release+0xb5/0x130 drivers/bluetooth/hci_vhci.c:668
__fput+0x402/0xb70 fs/file_table.c:465
task_work_run+0x150/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x864/0x2bd0 kernel/exit.c:955
do_group_exit+0xd3/0x2a0 kernel/exit.c:1104
get_signal+0x2673/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x790 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop+0x84/0x110 kernel/entry/common.c:111
exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
do_syscall_64+0x3f6/0x490 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6845b8d5ca
Code: Unable to access opcode bytes at 0x7f6845b8d5a0.
RSP: 002b:00007ffefac60c40 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f6845b8d5ca
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007ffefac60c9c R08: 0000000000000000 R09: 00007ffefac609a7
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
R13: 00000000000927c0 R14: 000000000001aa36 R15: 00007ffefac60cf0
Allocated by task 5869:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x89/0x90 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4148 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
kmem_cache_alloc_lru_noprof+0x1d0/0x3b0 mm/slub.c:4216
__d_alloc+0x31/0xaa0 fs/dcache.c:1690
d_alloc+0x4a/0x1e0 fs/dcache.c:1769
d_alloc_parallel+0xe3/0x12e0 fs/dcache.c:2533
__lookup_slow+0x193/0x460 fs/namei.c:1802
lookup_noperm+0xe1/0x110 fs/namei.c:2962
start_creating.part.0+0x15a/0x3e0 fs/debugfs/inode.c:391
start_creating fs/debugfs/inode.c:364 [inline]
debugfs_create_dir+0x6c/0x5f0 fs/debugfs/inode.c:586
hci_register_dev+0x2f2/0xc60 net/bluetooth/hci_core.c:2585
__vhci_create_device+0x357/0x7f0 drivers/bluetooth/hci_vhci.c:429
vhci_create_device drivers/bluetooth/hci_vhci.c:471 [inline]
vhci_get_user drivers/bluetooth/hci_vhci.c:528 [inline]
vhci_write+0x2c0/0x480 drivers/bluetooth/hci_vhci.c:608
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x6c4/0x1150 fs/read_write.c:686
ksys_write+0x12a/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 15:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4643 [inline]
kmem_cache_free+0x2d1/0x4d0 mm/slub.c:4745
rcu_do_batch kernel/rcu/tree.c:2576 [inline]
rcu_core+0x79c/0x14e0 kernel/rcu/tree.c:2832
handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
run_ksoftirqd kernel/softirq.c:968 [inline]
run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960
smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:164
kthread+0x3c2/0x780 kernel/kthread.c:464
ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Last potentially related work creation:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_record_aux_stack+0xa7/0xc0 mm/kasan/generic.c:548
__call_rcu_common.constprop.0+0x9a/0x9f0 kernel/rcu/tree.c:3090
dentry_free+0xc2/0x160 fs/dcache.c:442
__dentry_kill+0x498/0x600 fs/dcache.c:688
dput.part.0+0x4b1/0x9b0 fs/dcache.c:911
dput+0x1f/0x30 fs/dcache.c:901
debugfs_remove+0x5d/0x80 fs/debugfs/inode.c:805
vhci_release+0x9b/0x130 drivers/bluetooth/hci_vhci.c:664
__fput+0x402/0xb70 fs/file_table.c:465
task_work_run+0x150/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x864/0x2bd0 kernel/exit.c:955
do_group_exit+0xd3/0x2a0 kernel/exit.c:1104
get_signal+0x2673/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x790 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop+0x84/0x110 kernel/entry/common.c:111
exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
do_syscall_64+0x3f6/0x490 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888071891a70
which belongs to the cache dentry of size 312
The buggy address is located 208 bytes inside of
freed 312-byte region [ffff888071891a70, ffff888071891ba8)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x71890
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88802919ed01
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801ca94780 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000150015 00000000f5000000 ffff88802919ed01
head: 00fff00000000040 ffff88801ca94780 dead000000000122 0000000000000000
head: 0000000000000000 0000000000150015 00000000f5000000 ffff88802919ed01
head: 00fff00000000001 ffffea0001c62401 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_RECLAIMABLE|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5864, tgid 5864 (syz-executor), ts 108825522753, free_ts 35108082918
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1704
prep_new_page mm/page_alloc.c:1712 [inline]
get_page_from_freelist+0x1321/0x3890 mm/page_alloc.c:3669
__alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:4959
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2419
alloc_slab_page mm/slub.c:2451 [inline]
allocate_slab mm/slub.c:2619 [inline]
new_slab+0x23b/0x330 mm/slub.c:2673
___slab_alloc+0xd9c/0x1940 mm/slub.c:3859
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3949
__slab_alloc_node mm/slub.c:4024 [inline]
slab_alloc_node mm/slub.c:4185 [inline]
kmem_cache_alloc_lru_noprof+0xf4/0x3b0 mm/slub.c:4216
__d_alloc+0x31/0xaa0 fs/dcache.c:1690
d_alloc_pseudo+0x1c/0xc0 fs/dcache.c:1821
alloc_path_pseudo fs/file_table.c:360 [inline]
alloc_file_pseudo+0xcf/0x230 fs/file_table.c:376
sock_alloc_file+0x50/0x210 net/socket.c:470
sock_map_fd net/socket.c:500 [inline]
__sys_socket+0x1c0/0x260 net/socket.c:1692
__do_sys_socket net/socket.c:1697 [inline]
__se_sys_socket net/socket.c:1695 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1695
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 1 tgid 1 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1248 [inline]
__free_frozen_pages+0x7fe/0x1180 mm/page_alloc.c:2706
__free_pages mm/page_alloc.c:5071 [inline]
free_contig_range+0x183/0x4b0 mm/page_alloc.c:6927
destroy_args+0x7f6/0xa60 mm/debug_vm_pgtable.c:1009
debug_vm_pgtable+0x13b8/0x2d00 mm/debug_vm_pgtable.c:1389
do_one_initcall+0x120/0x6e0 init/main.c:1273
do_initcall_level init/main.c:1335 [inline]
do_initcalls init/main.c:1351 [inline]
do_basic_setup init/main.c:1370 [inline]
kernel_init_freeable+0x5c2/0x900 init/main.c:1583
kernel_init+0x1c/0x2b0 init/main.c:1473
ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Memory state around the buggy address:
ffff888071891a00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb
ffff888071891a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888071891b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
ffff888071891b80: fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb fb
ffff888071891c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
[ 97.728066][ T926] cfg80211: failed to load regulatory.db
2025/06/08 22:41:53 ignoring optional flag "sandboxArg"="0"
2025/06/08 22:41:54 parsed 1 programs
[ 103.212958][ T5840] cgroup: Unknown subsys name 'net'
[ 103.331259][ T5840] cgroup: Unknown subsys name 'cpuset'
[ 103.340949][ T5840] cgroup: Unknown subsys name 'rlimit'
[ 105.471030][ T5840] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 108.443546][ T5854] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[ 108.932529][ T51] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 108.941577][ T51] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 108.950059][ T51] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 108.963619][ T51] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 108.971971][ T51] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 110.290650][ T5869] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 110.298787][ T5869] CPU: 1 UID: 0 PID: 5869 Comm: syz-executor Not tainted 6.16.0-rc1-syzkaller-g19272b37aa4f-dirty #0 PREEMPT(full)
[ 110.311806][ T5869] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 110.667034][ T5869] Kernel Offset: disabled
[ 110.671574][ T5869] Rebooting in 86400 seconds..
syzkaller build log:
git status (err=)
HEAD detached at 3d2f584dd
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=3d2f584ddab119da50e8a8d26765aa98d3b33c02 -X github.com/google/syzkaller/prog.gitRevisionDate=20250528-144826" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"3d2f584ddab119da50e8a8d26765aa98d3b33c02\"
/usr/bin/ld: /tmp/ccd8Gt78.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking