DUID 00:04:b0:7e:30:9f:4d:11:81:da:bf:2d:3d:77:4c:17:c1:ba
forked to background, child pid 4759
[   34.837105][ T4760] 8021q: adding VLAN 0 to HW filter on device bond0
[   34.850223][ T4760] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK

syzkaller
Warning: Permanently added '10.128.0.190' (ED25519) to the list of known hosts.
2024/05/28 15:31:47 ignoring optional flag "sandboxArg"="0"
2024/05/28 15:31:47 parsed 1 programs
syzkaller login: [   56.336624][ T5091] cgroup: Unknown subsys name 'net'
[   56.534731][ T5091] cgroup: Unknown subsys name 'rlimit'
[   57.679571][ T5101] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   58.083787][ T5132] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   58.092346][ T5132] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   58.100731][ T5132] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   58.108607][ T5132] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   58.117595][ T5132] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   58.124868][ T5132] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   58.134773][ T5131] ==================================================================
[   58.142888][ T5131] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x41/0x3b0
[   58.150751][ T5131] Read of size 4 at addr ffff88802b5a45e4 by task syz-executor.0/5131
[   58.158913][ T5131] 
[   58.161225][ T5131] CPU: 0 PID: 5131 Comm: syz-executor.0 Not tainted 6.9.0-syzkaller-12079-gc30ff5f3aec3 #0
[   58.171189][ T5131] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[   58.181314][ T5131] Call Trace:
[   58.184612][ T5131]  <TASK>
[   58.187527][ T5131]  dump_stack_lvl+0x241/0x360
[   58.192192][ T5131]  ? __pfx_dump_stack_lvl+0x10/0x10
[   58.197370][ T5131]  ? __pfx__printk+0x10/0x10
[   58.201944][ T5131]  ? _printk+0xd5/0x120
[   58.206104][ T5131]  ? __virt_addr_valid+0x183/0x520
[   58.211214][ T5131]  ? __virt_addr_valid+0x183/0x520
[   58.216320][ T5131]  print_report+0x169/0x550
[   58.220825][ T5131]  ? __virt_addr_valid+0x183/0x520
[   58.225938][ T5131]  ? __virt_addr_valid+0x183/0x520
[   58.231039][ T5131]  ? __virt_addr_valid+0x44e/0x520
[   58.236143][ T5131]  ? __phys_addr+0xba/0x170
[   58.240631][ T5131]  ? kfree_skb_reason+0x41/0x3b0
[   58.245574][ T5131]  kasan_report+0x143/0x180
[   58.250062][ T5131]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   58.256375][ T5131]  ? kfree_skb_reason+0x41/0x3b0
[   58.261301][ T5131]  kasan_check_range+0x282/0x290
[   58.266237][ T5131]  kfree_skb_reason+0x41/0x3b0
[   58.271003][ T5131]  __hci_req_sync+0x62f/0x950
[   58.275675][ T5131]  ? __pfx___hci_req_sync+0x10/0x10
[   58.280865][ T5131]  ? __pfx___mutex_lock+0x10/0x10
[   58.285881][ T5131]  ? __pfx_hci_scan_req+0x10/0x10
[   58.290889][ T5131]  hci_req_sync+0xa9/0xd0
[   58.295222][ T5131]  hci_dev_cmd+0x4c5/0xa50
[   58.299629][ T5131]  ? security_capable+0x90/0xb0
[   58.304491][ T5131]  ? __pfx_hci_dev_cmd+0x10/0x10
[   58.309455][ T5131]  ? hci_sock_ioctl+0x6c4/0xa40
[   58.314296][ T5131]  sock_do_ioctl+0x158/0x460
[   58.318884][ T5131]  ? __pfx_sock_do_ioctl+0x10/0x10
[   58.323993][ T5131]  sock_ioctl+0x629/0x8e0
[   58.328309][ T5131]  ? __pfx_sock_ioctl+0x10/0x10
[   58.333159][ T5131]  ? __fget_files+0x29/0x470
[   58.337748][ T5131]  ? __fget_files+0x3f6/0x470
[   58.342424][ T5131]  ? __fget_files+0x29/0x470
[   58.347008][ T5131]  ? bpf_lsm_file_ioctl+0x9/0x10
[   58.351926][ T5131]  ? security_file_ioctl+0x87/0xb0
[   58.357026][ T5131]  ? __pfx_sock_ioctl+0x10/0x10
[   58.361865][ T5131]  __se_sys_ioctl+0xfc/0x170
[   58.366442][ T5131]  do_syscall_64+0xf3/0x230
[   58.370930][ T5131]  ? clear_bhb_loop+0x35/0x90
[   58.375596][ T5131]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   58.381477][ T5131] RIP: 0033:0x7f51efa7cc4b
[   58.385876][ T5131] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[   58.405469][ T5131] RSP: 002b:00007ffe92fdb0c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   58.413863][ T5131] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f51efa7cc4b
[   58.421819][ T5131] RDX: 00007ffe92fdb138 RSI: 00000000400448dd RDI: 0000000000000003
[   58.429776][ T5131] RBP: 0000555592ab2430 R08: 0000000000000000 R09: 0000000000000000
[   58.437738][ T5131] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000
[   58.445691][ T5131] R13: 0000000000000000 R14: 0000000000000001 R15: 00000000fffffff1
[   58.453647][ T5131]  </TASK>
[   58.456652][ T5131] 
[   58.458960][ T5131] Allocated by task 5132:
[   58.463266][ T5131]  kasan_save_track+0x3f/0x80
[   58.467930][ T5131]  __kasan_slab_alloc+0x66/0x80
[   58.472779][ T5131]  kmem_cache_alloc_noprof+0x135/0x2a0
[   58.478309][ T5131]  skb_clone+0x20c/0x390
[   58.482800][ T5131]  hci_cmd_work+0x29e/0x670
[   58.487285][ T5131]  process_scheduled_works+0xa2c/0x1830
[   58.492898][ T5131]  worker_thread+0x86d/0xd70
[   58.497467][ T5131]  kthread+0x2f0/0x390
[   58.501516][ T5131]  ret_from_fork+0x4b/0x80
[   58.506437][ T5131]  ret_from_fork_asm+0x1a/0x30
[   58.511189][ T5131] 
[   58.513490][ T5131] Freed by task 5132:
[   58.517458][ T5131]  kasan_save_track+0x3f/0x80
[   58.522130][ T5131]  kasan_save_free_info+0x40/0x50
[   58.527149][ T5131]  poison_slab_object+0xe0/0x150
[   58.532179][ T5131]  __kasan_slab_free+0x37/0x60
[   58.536939][ T5131]  kmem_cache_free+0x145/0x350
[   58.541700][ T5131]  hci_req_sync_complete+0xe7/0x290
[   58.546894][ T5131]  hci_event_packet+0xc71/0x1540
[   58.551827][ T5131]  hci_rx_work+0x3e8/0xca0
[   58.556228][ T5131]  process_scheduled_works+0xa2c/0x1830
[   58.561767][ T5131]  worker_thread+0x86d/0xd70
[   58.566352][ T5131]  kthread+0x2f0/0x390
[   58.570401][ T5131]  ret_from_fork+0x4b/0x80
[   58.574801][ T5131]  ret_from_fork_asm+0x1a/0x30
[   58.579565][ T5131] 
[   58.581875][ T5131] The buggy address belongs to the object at ffff88802b5a4500
[   58.581875][ T5131]  which belongs to the cache skbuff_head_cache of size 240
[   58.596438][ T5131] The buggy address is located 228 bytes inside of
[   58.596438][ T5131]  freed 240-byte region [ffff88802b5a4500, ffff88802b5a45f0)
[   58.610224][ T5131] 
[   58.612566][ T5131] The buggy address belongs to the physical page:
[   58.618959][ T5131] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b5a4
[   58.627706][ T5131] anon flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   58.635227][ T5131] page_type: 0xffffefff(slab)
[   58.639968][ T5131] raw: 00fff00000000000 ffff888018ad5780 0000000000000000 dead000000000001
[   58.648531][ T5131] raw: 0000000000000000 00000000800c000c 00000001ffffefff 0000000000000000
[   58.657091][ T5131] page dumped because: kasan: bad access detected
[   58.663564][ T5131] page_owner tracks the page as allocated
[   58.669256][ T5131] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4547, tgid 4547 (udevadm), ts 20596990299, free_ts 17150583197
[   58.688088][ T5131]  post_alloc_hook+0x1f3/0x230
[   58.692860][ T5131]  get_page_from_freelist+0x2e2d/0x2ee0
[   58.698405][ T5131]  __alloc_pages_noprof+0x256/0x6c0
[   58.703606][ T5131]  alloc_slab_page+0x5f/0x120
[   58.708354][ T5131]  allocate_slab+0x5a/0x2e0
[   58.712840][ T5131]  ___slab_alloc+0xcd1/0x14b0
[   58.717501][ T5131]  __slab_alloc+0x58/0xa0
[   58.721813][ T5131]  kmem_cache_alloc_noprof+0x1c1/0x2a0
[   58.727253][ T5131]  skb_clone+0x20c/0x390
[   58.731479][ T5131]  netlink_broadcast_filtered+0x707/0x1290
[   58.737272][ T5131]  netlink_broadcast+0x39/0x50
[   58.742018][ T5131]  kobject_uevent_net_broadcast+0x38f/0x580
[   58.747893][ T5131]  kobject_uevent_env+0x57d/0x8e0
[   58.752898][ T5131]  kobject_synth_uevent+0x4ef/0xae0
[   58.758082][ T5131]  uevent_store+0x4b/0x70
[   58.762393][ T5131]  kernfs_fop_write_iter+0x3a1/0x500
[   58.767668][ T5131] page last free pid 1 tgid 1 stack trace:
[   58.773682][ T5131]  free_unref_page+0xd22/0xea0
[   58.778610][ T5131]  kasan_depopulate_vmalloc_pte+0x74/0x90
[   58.784313][ T5131]  __apply_to_page_range+0x8a8/0xe50
[   58.789754][ T5131]  kasan_release_vmalloc+0x9a/0xb0
[   58.794852][ T5131]  purge_vmap_node+0x3e3/0x770
[   58.799596][ T5131]  __purge_vmap_area_lazy+0x708/0xae0
[   58.804949][ T5131]  _vm_unmap_aliases+0x7cc/0x870
[   58.809889][ T5131]  change_page_attr_set_clr+0x2fe/0xdb0
[   58.815428][ T5131]  set_memory_nx+0xf2/0x130
[   58.820024][ T5131]  free_initmem+0x79/0x110
[   58.824433][ T5131]  kernel_init+0x31/0x2b0
[   58.828755][ T5131]  ret_from_fork+0x4b/0x80
[   58.833159][ T5131]  ret_from_fork_asm+0x1a/0x30
[   58.837941][ T5131] 
[   58.840248][ T5131] Memory state around the buggy address:
[   58.845857][ T5131]  ffff88802b5a4480: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   58.853909][ T5131]  ffff88802b5a4500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   58.861964][ T5131] >ffff88802b5a4580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   58.870003][ T5131]                                                        ^
[   58.877178][ T5131]  ffff88802b5a4600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   58.885479][ T5131]  ffff88802b5a4680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   58.893719][ T5131] ==================================================================
[   58.903379][ T5131] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   58.910604][ T5131] CPU: 0 PID: 5131 Comm: syz-executor.0 Not tainted 6.9.0-syzkaller-12079-gc30ff5f3aec3 #0
[   58.920595][ T5131] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[   58.930665][ T5131] Call Trace:
[   58.933964][ T5131]  <TASK>
[   58.936914][ T5131]  dump_stack_lvl+0x241/0x360
[   58.941617][ T5131]  ? __pfx_dump_stack_lvl+0x10/0x10
[   58.946838][ T5131]  ? __pfx__printk+0x10/0x10
[   58.951451][ T5131]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   58.957434][ T5131]  ? vscnprintf+0x5d/0x90
[   58.961756][ T5131]  panic+0x349/0x860
[   58.965646][ T5131]  ? check_panic_on_warn+0x21/0xb0
[   58.970745][ T5131]  ? __pfx_panic+0x10/0x10
[   58.975160][ T5131]  ? _raw_spin_unlock_irqrestore+0x130/0x140
[   58.981137][ T5131]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   58.987477][ T5131]  check_panic_on_warn+0x86/0xb0
[   58.992403][ T5131]  ? kfree_skb_reason+0x41/0x3b0
[   58.997345][ T5131]  end_report+0x77/0x160
[   59.001574][ T5131]  kasan_report+0x154/0x180
[   59.006063][ T5131]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   59.012386][ T5131]  ? kfree_skb_reason+0x41/0x3b0
[   59.017411][ T5131]  kasan_check_range+0x282/0x290
[   59.022352][ T5131]  kfree_skb_reason+0x41/0x3b0
[   59.027113][ T5131]  __hci_req_sync+0x62f/0x950
[   59.031780][ T5131]  ? __pfx___hci_req_sync+0x10/0x10
[   59.036981][ T5131]  ? __pfx___mutex_lock+0x10/0x10
[   59.042001][ T5131]  ? __pfx_hci_scan_req+0x10/0x10
[   59.047012][ T5131]  hci_req_sync+0xa9/0xd0
[   59.051326][ T5131]  hci_dev_cmd+0x4c5/0xa50
[   59.055729][ T5131]  ? security_capable+0x90/0xb0
[   59.060560][ T5131]  ? __pfx_hci_dev_cmd+0x10/0x10
[   59.065480][ T5131]  ? hci_sock_ioctl+0x6c4/0xa40
[   59.070312][ T5131]  sock_do_ioctl+0x158/0x460
[   59.074884][ T5131]  ? __pfx_sock_do_ioctl+0x10/0x10
[   59.079981][ T5131]  sock_ioctl+0x629/0x8e0
[   59.084297][ T5131]  ? __pfx_sock_ioctl+0x10/0x10
[   59.089127][ T5131]  ? __fget_files+0x29/0x470
[   59.093699][ T5131]  ? __fget_files+0x3f6/0x470
[   59.098360][ T5131]  ? __fget_files+0x29/0x470
[   59.102936][ T5131]  ? bpf_lsm_file_ioctl+0x9/0x10
[   59.107869][ T5131]  ? security_file_ioctl+0x87/0xb0
[   59.113072][ T5131]  ? __pfx_sock_ioctl+0x10/0x10
[   59.117921][ T5131]  __se_sys_ioctl+0xfc/0x170
[   59.122509][ T5131]  do_syscall_64+0xf3/0x230
[   59.126999][ T5131]  ? clear_bhb_loop+0x35/0x90
[   59.131764][ T5131]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   59.137730][ T5131] RIP: 0033:0x7f51efa7cc4b
[   59.142242][ T5131] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[   59.161840][ T5131] RSP: 002b:00007ffe92fdb0c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   59.170326][ T5131] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f51efa7cc4b
[   59.178284][ T5131] RDX: 00007ffe92fdb138 RSI: 00000000400448dd RDI: 0000000000000003
[   59.186268][ T5131] RBP: 0000555592ab2430 R08: 0000000000000000 R09: 0000000000000000
[   59.194289][ T5131] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000
[   59.202263][ T5131] R13: 0000000000000000 R14: 0000000000000001 R15: 00000000fffffff1
[   59.210230][ T5131]  </TASK>
[   59.213346][ T5131] Kernel Offset: disabled
[   59.217658][ T5131] Rebooting in 86400 seconds..