last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.1.34' (ED25519) to the list of known hosts.
2024/06/13 04:04:56 fuzzer started
2024/06/13 04:04:56 dialing manager at 10.128.0.169:30008
[ 52.545087][ T5077] cgroup: Unknown subsys name 'net'
[ 52.831608][ T5077] cgroup: Unknown subsys name 'rlimit'
2024/06/13 04:04:57 starting 5 executor processes
[ 53.746109][ T5078] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 55.498106][ T5101] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 55.508380][ T5104] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 55.516145][ T5104] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 55.524178][ T5104] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 55.543200][ T5106] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 55.551891][ T5106] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 55.556358][ T5111] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 55.559787][ T5106] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 55.566949][ T5111] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 55.582846][ T5106] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 55.583457][ T5111] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 55.590705][ T5106] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 55.597558][ T5111] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 55.606627][ T5106] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 55.619134][ T5106] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 55.619733][ T5111] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 55.626432][ T5106] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 55.633305][ T5111] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 55.640782][ T5106] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 55.648579][ T5111] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 55.656259][ T53] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 55.662260][ T5111] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 55.677027][ T5111] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 55.684368][ T5111] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 55.692809][ T5115] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 55.693092][ T5111] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 55.712486][ T5111] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 55.717156][ T5115] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 55.726527][ T5115] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 55.733915][ T5115] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 55.744102][ T5107] ==================================================================
[ 55.752174][ T5107] BUG: KASAN: slab-use-after-free in skb_release_data+0x190/0x880
[ 55.760008][ T5107] Read of size 8 at addr ffff88805dd57350 by task syz-executor.3/5107
[ 55.768163][ T5107]
[ 55.770496][ T5107] CPU: 1 PID: 5107 Comm: syz-executor.3 Not tainted 6.10.0-rc3-syzkaller-00022-gcea2a26553ac #0
[ 55.780912][ T5107] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 55.790975][ T5107] Call Trace:
[ 55.794259][ T5107]
[ 55.797194][ T5107] dump_stack_lvl+0x241/0x360
[ 55.801896][ T5107] ? __pfx_dump_stack_lvl+0x10/0x10
[ 55.807257][ T5107] ? __pfx__printk+0x10/0x10
[ 55.812154][ T5107] ? _printk+0xd5/0x120
[ 55.816590][ T5107] ? __virt_addr_valid+0x183/0x520
[ 55.821712][ T5107] ? __virt_addr_valid+0x183/0x520
[ 55.826839][ T5107] print_report+0x169/0x550
[ 55.831352][ T5107] ? __virt_addr_valid+0x183/0x520
[ 55.836476][ T5107] ? __virt_addr_valid+0x183/0x520
[ 55.841599][ T5107] ? __virt_addr_valid+0x44e/0x520
[ 55.846731][ T5107] ? __phys_addr+0xba/0x170
[ 55.851240][ T5107] ? skb_release_data+0x190/0x880
[ 55.856252][ T5107] kasan_report+0x143/0x180
[ 55.860744][ T5107] ? skb_release_data+0x190/0x880
[ 55.865759][ T5107] skb_release_data+0x190/0x880
[ 55.870599][ T5107] ? __hci_req_sync+0x62f/0x950
[ 55.875440][ T5107] kfree_skb_reason+0x1a3/0x3b0
[ 55.880277][ T5107] __hci_req_sync+0x62f/0x950
[ 55.884945][ T5107] ? __pfx___hci_req_sync+0x10/0x10
[ 55.890135][ T5107] ? __pfx___mutex_lock+0x10/0x10
[ 55.895153][ T5107] ? __pfx_autoremove_wake_function+0x10/0x10
[ 55.901207][ T5107] ? __pfx_hci_scan_req+0x10/0x10
[ 55.906219][ T5107] hci_req_sync+0xa9/0xd0
[ 55.910537][ T5107] hci_dev_cmd+0x4c5/0xa50
[ 55.914939][ T5107] ? security_capable+0x90/0xb0
[ 55.919786][ T5107] ? __pfx_hci_dev_cmd+0x10/0x10
[ 55.924714][ T5107] ? hci_sock_ioctl+0x6c4/0xa40
[ 55.929556][ T5107] sock_do_ioctl+0x158/0x460
[ 55.934138][ T5107] ? __pfx_smack_log+0x10/0x10
[ 55.938888][ T5107] ? __pfx_sock_do_ioctl+0x10/0x10
[ 55.943992][ T5107] ? smk_tskacc+0x300/0x370
[ 55.948485][ T5107] ? smack_file_ioctl+0x2a1/0x3a0
[ 55.953496][ T5107] sock_ioctl+0x629/0x8e0
[ 55.957813][ T5107] ? __pfx_sock_ioctl+0x10/0x10
[ 55.962650][ T5107] ? __fget_files+0x3f6/0x470
[ 55.967310][ T5107] ? __fget_files+0x29/0x470
[ 55.971885][ T5107] ? bpf_lsm_file_ioctl+0x9/0x10
[ 55.976819][ T5107] ? security_file_ioctl+0x87/0xb0
[ 55.981915][ T5107] ? __pfx_sock_ioctl+0x10/0x10
[ 55.986752][ T5107] __se_sys_ioctl+0xfc/0x170
[ 55.991334][ T5107] do_syscall_64+0xf3/0x230
[ 55.995824][ T5107] ? clear_bhb_loop+0x35/0x90
[ 56.000492][ T5107] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 56.006379][ T5107] RIP: 0033:0x7f925927cc0b
[ 56.010783][ T5107] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 56.030370][ T5107] RSP: 002b:00007ffeb46873f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 56.038767][ T5107] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f925927cc0b
[ 56.046723][ T5107] RDX: 00007ffeb4687468 RSI: 00000000400448dd RDI: 0000000000000003
[ 56.054810][ T5107] RBP: 000055558ae3c430 R08: 0000000000000000 R09: 0000000000000000
[ 56.062764][ T5107] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000004
[ 56.070719][ T5107] R13: 0000000000000004 R14: 0000000000000003 R15: 000000000000000c
[ 56.078677][ T5107]
[ 56.081677][ T5107]
[ 56.083983][ T5107] Allocated by task 5115:
[ 56.088289][ T5107] kasan_save_track+0x3f/0x80
[ 56.092953][ T5107] __kasan_slab_alloc+0x66/0x80
[ 56.097784][ T5107] kmem_cache_alloc_noprof+0x135/0x2a0
[ 56.103227][ T5107] skb_clone+0x20c/0x390
[ 56.107453][ T5107] hci_cmd_work+0x29e/0x670
[ 56.111946][ T5107] process_scheduled_works+0xa2c/0x1830
[ 56.117474][ T5107] worker_thread+0x86d/0xd70
[ 56.122045][ T5107] kthread+0x2f0/0x390
[ 56.126097][ T5107] ret_from_fork+0x4b/0x80
[ 56.130496][ T5107] ret_from_fork_asm+0x1a/0x30
[ 56.135247][ T5107]
[ 56.137553][ T5107] Freed by task 5104:
[ 56.141510][ T5107] kasan_save_track+0x3f/0x80
[ 56.146173][ T5107] kasan_save_free_info+0x40/0x50
[ 56.151182][ T5107] poison_slab_object+0xe0/0x150
[ 56.156100][ T5107] __kasan_slab_free+0x37/0x60
[ 56.160844][ T5107] kmem_cache_free+0x145/0x350
[ 56.165593][ T5107] hci_req_sync_complete+0xe7/0x290
[ 56.170776][ T5107] hci_event_packet+0xc71/0x1540
[ 56.175695][ T5107] hci_rx_work+0x3e8/0xca0
[ 56.180118][ T5107] process_scheduled_works+0xa2c/0x1830
[ 56.185646][ T5107] worker_thread+0x86d/0xd70
[ 56.190218][ T5107] kthread+0x2f0/0x390
[ 56.194271][ T5107] ret_from_fork+0x4b/0x80
[ 56.198671][ T5107] ret_from_fork_asm+0x1a/0x30
[ 56.203420][ T5107]
[ 56.205725][ T5107] The buggy address belongs to the object at ffff88805dd57280
[ 56.205725][ T5107] which belongs to the cache skbuff_head_cache of size 240
[ 56.220277][ T5107] The buggy address is located 208 bytes inside of
[ 56.220277][ T5107] freed 240-byte region [ffff88805dd57280, ffff88805dd57370)
[ 56.234052][ T5107]
[ 56.236358][ T5107] The buggy address belongs to the physical page:
[ 56.242754][ T5107] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5dd57
[ 56.251499][ T5107] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 56.258592][ T5107] page_type: 0xffffefff(slab)
[ 56.263250][ T5107] raw: 00fff00000000000 ffff888018a9e780 dead000000000122 0000000000000000
[ 56.271817][ T5107] raw: 0000000000000000 00000000800c000c 00000001ffffefff 0000000000000000
[ 56.280375][ T5107] page dumped because: kasan: bad access detected
[ 56.286773][ T5107] page_owner tracks the page as allocated
[ 56.292469][ T5107] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5115, tgid 5115 (kworker/u9:8), ts 55743436443, free_ts 13955617345
[ 56.311723][ T5107] post_alloc_hook+0x1f3/0x230
[ 56.316471][ T5107] get_page_from_freelist+0x2e43/0x2f00
[ 56.322000][ T5107] __alloc_pages_noprof+0x256/0x6c0
[ 56.327183][ T5107] alloc_slab_page+0x5f/0x120
[ 56.331840][ T5107] allocate_slab+0x5a/0x2f0
[ 56.336411][ T5107] ___slab_alloc+0xcd1/0x14b0
[ 56.341073][ T5107] __slab_alloc+0x58/0xa0
[ 56.345390][ T5107] kmem_cache_alloc_noprof+0x1c1/0x2a0
[ 56.350831][ T5107] skb_clone+0x20c/0x390
[ 56.355058][ T5107] hci_event_packet+0x49c/0x1540
[ 56.359976][ T5107] hci_rx_work+0x3e8/0xca0
[ 56.364373][ T5107] process_scheduled_works+0xa2c/0x1830
[ 56.369899][ T5107] worker_thread+0x86d/0xd70
[ 56.374472][ T5107] kthread+0x2f0/0x390
[ 56.378525][ T5107] ret_from_fork+0x4b/0x80
[ 56.382928][ T5107] ret_from_fork_asm+0x1a/0x30
[ 56.387677][ T5107] page last free pid 1 tgid 1 stack trace:
[ 56.393458][ T5107] free_unref_page+0xd19/0xea0
[ 56.398202][ T5107] free_contig_range+0x9e/0x160
[ 56.403036][ T5107] destroy_args+0x8a/0x890
[ 56.407439][ T5107] debug_vm_pgtable+0x4be/0x550
[ 56.412275][ T5107] do_one_initcall+0x248/0x880
[ 56.417035][ T5107] do_initcall_level+0x157/0x210
[ 56.421959][ T5107] do_initcalls+0x3f/0x80
[ 56.426269][ T5107] kernel_init_freeable+0x435/0x5d0
[ 56.431450][ T5107] kernel_init+0x1d/0x2b0
[ 56.435765][ T5107] ret_from_fork+0x4b/0x80
[ 56.440167][ T5107] ret_from_fork_asm+0x1a/0x30
[ 56.444923][ T5107]
[ 56.447232][ T5107] Memory state around the buggy address:
[ 56.452845][ T5107] ffff88805dd57200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 56.460892][ T5107] ffff88805dd57280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.468939][ T5107] >ffff88805dd57300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 56.476983][ T5107] ^
[ 56.483637][ T5107] ffff88805dd57380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 56.491677][ T5107] ffff88805dd57400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.499713][ T5107] ==================================================================
2024/06/13 04:05:00 SYZFATAL: failed to recv *flatrpc.HostMessageRaw: EOF
[ 56.543714][ T5107] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 56.550937][ T5107] CPU: 0 PID: 5107 Comm: syz-executor.3 Not tainted 6.10.0-rc3-syzkaller-00022-gcea2a26553ac #0
[ 56.561350][ T5107] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 56.571411][ T5107] Call Trace:
[ 56.574693][ T5107]
[ 56.577628][ T5107] dump_stack_lvl+0x241/0x360
[ 56.582320][ T5107] ? __pfx_dump_stack_lvl+0x10/0x10
[ 56.587530][ T5107] ? __pfx__printk+0x10/0x10
[ 56.592128][ T5107] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 56.598124][ T5107] ? vscnprintf+0x5d/0x90
[ 56.602470][ T5107] panic+0x349/0x860
[ 56.606378][ T5107] ? check_panic_on_warn+0x21/0xb0
[ 56.611496][ T5107] ? __pfx_panic+0x10/0x10
[ 56.615900][ T5107] ? _raw_spin_unlock_irqrestore+0x130/0x140
[ 56.621868][ T5107] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 56.628186][ T5107] check_panic_on_warn+0x86/0xb0
[ 56.633110][ T5107] ? skb_release_data+0x190/0x880
[ 56.638118][ T5107] end_report+0x77/0x160
[ 56.642342][ T5107] kasan_report+0x154/0x180
[ 56.646833][ T5107] ? skb_release_data+0x190/0x880
[ 56.651847][ T5107] skb_release_data+0x190/0x880
[ 56.656682][ T5107] ? __hci_req_sync+0x62f/0x950
[ 56.661517][ T5107] kfree_skb_reason+0x1a3/0x3b0
[ 56.666353][ T5107] __hci_req_sync+0x62f/0x950
[ 56.671294][ T5107] ? __pfx___hci_req_sync+0x10/0x10
[ 56.676489][ T5107] ? __pfx___mutex_lock+0x10/0x10
[ 56.681505][ T5107] ? __pfx_autoremove_wake_function+0x10/0x10
[ 56.687562][ T5107] ? __pfx_hci_scan_req+0x10/0x10
[ 56.692580][ T5107] hci_req_sync+0xa9/0xd0
[ 56.696903][ T5107] hci_dev_cmd+0x4c5/0xa50
[ 56.701313][ T5107] ? security_capable+0x90/0xb0
[ 56.706157][ T5107] ? __pfx_hci_dev_cmd+0x10/0x10
[ 56.711084][ T5107] ? hci_sock_ioctl+0x6c4/0xa40
[ 56.715923][ T5107] sock_do_ioctl+0x158/0x460
[ 56.720501][ T5107] ? __pfx_smack_log+0x10/0x10
[ 56.725249][ T5107] ? __pfx_sock_do_ioctl+0x10/0x10
[ 56.730349][ T5107] ? smk_tskacc+0x300/0x370
[ 56.734835][ T5107] ? smack_file_ioctl+0x2a1/0x3a0
[ 56.739853][ T5107] sock_ioctl+0x629/0x8e0
[ 56.744174][ T5107] ? __pfx_sock_ioctl+0x10/0x10
[ 56.749014][ T5107] ? __fget_files+0x3f6/0x470
[ 56.753671][ T5107] ? __fget_files+0x29/0x470
[ 56.758244][ T5107] ? bpf_lsm_file_ioctl+0x9/0x10
[ 56.763173][ T5107] ? security_file_ioctl+0x87/0xb0
[ 56.768269][ T5107] ? __pfx_sock_ioctl+0x10/0x10
[ 56.773104][ T5107] __se_sys_ioctl+0xfc/0x170
[ 56.777683][ T5107] do_syscall_64+0xf3/0x230
[ 56.782174][ T5107] ? clear_bhb_loop+0x35/0x90
[ 56.786838][ T5107] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 56.792724][ T5107] RIP: 0033:0x7f925927cc0b
[ 56.797124][ T5107] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 56.816712][ T5107] RSP: 002b:00007ffeb46873f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 56.825109][ T5107] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f925927cc0b
[ 56.833066][ T5107] RDX: 00007ffeb4687468 RSI: 00000000400448dd RDI: 0000000000000003
[ 56.841020][ T5107] RBP: 000055558ae3c430 R08: 0000000000000000 R09: 0000000000000000
[ 56.848973][ T5107] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000004
[ 56.856924][ T5107] R13: 0000000000000004 R14: 0000000000000003 R15: 000000000000000c
[ 56.864881][ T5107]
[ 56.868088][ T5107] Kernel Offset: disabled
[ 56.872399][ T5107] Rebooting in 86400 seconds..