last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.1.17' (ED25519) to the list of known hosts.
1970/01/01 00:00:33 fuzzer started
1970/01/01 00:00:33 dialing manager at 10.128.0.169:30028
[ 33.823126][ T6285] cgroup: Unknown subsys name 'net'
[ 33.935584][ T6295] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SS
[ 34.059720][ T6285] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:00:34 starting 5 executor processes
[ 34.926417][ T53] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 34.929342][ T53] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 34.932015][ T53] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 34.934489][ T53] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 34.941345][ T53] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 34.944727][ T6311] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 34.947393][ T6311] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 34.949273][ T6311] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 34.962297][ T6318] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 34.966036][ T6310] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 34.968334][ T6310] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 34.970522][ T6310] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 34.972742][ T6310] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 34.975220][ T6310] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 34.977853][ T6320] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 34.980596][ T6319] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 34.980794][ T6320] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 34.984419][ T6310] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 34.984924][ T6320] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 34.987210][ T6310] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 34.989101][ T6320] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 34.990340][ T6310] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 34.992494][ T6320] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 34.999711][ T6320] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 35.001767][ T6320] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 35.003633][ T6310] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 35.004482][ T6320] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 35.005568][ T6310] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 35.010979][ T6318] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 35.013043][ T6318] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 35.027998][ T6315] ==================================================================
[ 35.030121][ T6315] BUG: KASAN: slab-use-after-free in skb_release_data+0x504/0x618
[ 35.032239][ T6315] Read of size 1 at addr ffff0000eccddcfe by task syz-executor.3/6315
[ 35.034359][ T6315]
[ 35.034975][ T6315] CPU: 0 PID: 6315 Comm: syz-executor.3 Tainted: G W 6.10.0-rc3-syzkaller-gac2193b4b460 #0
[ 35.038059][ T6315] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 35.040745][ T6315] Call trace:
[ 35.041606][ T6315]  dump_backtrace+0x1b8/0x1e4
[ 35.042835][ T6315]  show_stack+0x2c/0x3c
[ 35.043942][ T6315]  dump_stack_lvl+0xe4/0x150
[ 35.045274][ T6315]  print_report+0x198/0x538
[ 35.046492][ T6315]  kasan_report+0xd8/0x138
[ 35.047679][ T6315]  __asan_report_load1_noabort+0x20/0x2c
[ 35.049203][ T6315]  skb_release_data+0x504/0x618
[ 35.050470][ T6315]  kfree_skb_reason+0x1b8/0x490
[ 35.051789][ T6315]  __hci_req_sync+0x4e8/0x798
[ 35.053036][ T6315]  hci_req_sync+0xa0/0xcc
[ 35.054196][ T6315]  hci_dev_cmd+0x304/0x8c0
[ 35.055359][ T6315]  hci_sock_ioctl+0x4b8/0x7e4
[ 35.056631][ T6315]  sock_do_ioctl+0x134/0x2d0
[ 35.057858][ T6315]  sock_ioctl+0x4ec/0x838
[ 35.059040][ T6315]  __arm64_sys_ioctl+0x14c/0x1c8
[ 35.060348][ T6315]  invoke_syscall+0x98/0x2b8
[ 35.061565][ T6315]  el0_svc_common+0x130/0x23c
[ 35.062826][ T6315]  do_el0_svc+0x48/0x58
[ 35.063945][ T6315]  el0_svc+0x54/0x168
[ 35.064995][ T6315]  el0t_64_sync_handler+0x84/0xfc
[ 35.066321][ T6315]  el0t_64_sync+0x190/0x194
[ 35.067534][ T6315]
[ 35.068136][ T6315] Allocated by task 6307:
[ 35.069268][ T6315]  kasan_save_track+0x40/0x78
[ 35.070547][ T6315]  kasan_save_alloc_info+0x40/0x50
[ 35.071921][ T6315]  __kasan_slab_alloc+0x74/0x8c
[ 35.073204][ T6315]  kmem_cache_alloc_noprof+0x1c0/0x350
[ 35.074702][ T6315]  skb_clone+0x1c8/0x330
[ 35.075837][ T6315]  hci_cmd_work+0x174/0x568
[ 35.077049][ T6315]  process_one_work+0x79c/0x15b8
[ 35.078371][ T6315]  worker_thread+0x938/0xef4
[ 35.079582][ T6315]  kthread+0x288/0x310
[ 35.080616][ T6315]  ret_from_fork+0x10/0x20
[ 35.081772][ T6315]
[ 35.082382][ T6315] Freed by task 6307:
[ 35.083396][ T6315]  kasan_save_track+0x40/0x78
[ 35.084692][ T6315]  kasan_save_free_info+0x54/0x6c
[ 35.085994][ T6315]  poison_slab_object+0x128/0x180
[ 35.087293][ T6315]  __kasan_slab_free+0x3c/0x70
[ 35.088691][ T6315]  kmem_cache_free+0x170/0x4d0
[ 35.089869][ T6315]  kfree_skbmem+0x15c/0x1ec
[ 35.091048][ T6315]  kfree_skb_reason+0x1c0/0x490
[ 35.092322][ T6315]  hci_req_sync_complete+0xb0/0x248
[ 35.093679][ T6315]  hci_event_packet+0xab8/0x105c
[ 35.094992][ T6315]  hci_rx_work+0x318/0xa78
[ 35.096230][ T6315]  process_one_work+0x79c/0x15b8
[ 35.097505][ T6315]  worker_thread+0x938/0xef4
[ 35.098774][ T6315]  kthread+0x288/0x310
[ 35.099858][ T6315]  ret_from_fork+0x10/0x20
[ 35.101101][ T6315]
[ 35.101683][ T6315] The buggy address belongs to the object at ffff0000eccddc80
[ 35.101683][ T6315]  which belongs to the cache skbuff_head_cache of size 240
[ 35.105566][ T6315] The buggy address is located 126 bytes inside of
[ 35.105566][ T6315]  freed 240-byte region [ffff0000eccddc80, ffff0000eccddd70)
[ 35.109296][ T6315]
[ 35.109892][ T6315] The buggy address belongs to the physical page:
[ 35.111570][ T6315] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12ccdd
[ 35.113978][ T6315] flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
[ 35.115894][ T6315] page_type: 0xffffefff(slab)
[ 35.117177][ T6315] raw: 05ffc00000000000 ffff0000c1bcc780 dead000000000122 0000000000000000
[ 35.119414][ T6315] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 35.121649][ T6315] page dumped because: kasan: bad access detected
[ 35.123345][ T6315]
[ 35.123948][ T6315] Memory state around the buggy address:
[ 35.125429][ T6315]  ffff0000eccddb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.127554][ T6315]  ffff0000eccddc00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 35.129679][ T6315] >ffff0000eccddc80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.131788][ T6315]                                                                 ^
[ 35.133911][ T6315]  ffff0000eccddd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 35.136115][ T6315]  ffff0000eccddd80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 35.138211][ T6315] ==================================================================
1970/01/01 00:00:35 SYZFATAL: failed to recv *flatrpc.HostMessageRaw: EOF
[ 35.199971][ T6305] chnl_net:caif_netlink_parms(): no params data found
[ 35.200030][ T6315] Disabling lock debugging due to kernel taint
[ 35.257692][ T6305] bridge0: port 1(bridge_slave_0) entered blocking state
[ 35.260687][ T6305] bridge0: port 1(bridge_slave_0) entered disabled state
[ 35.262884][ T6305] bridge_slave_0: entered allmulticast mode
[ 35.265173][ T6305] bridge_slave_0: ent