Warning: Permanently added '10.128.1.109' (ED25519) to the list of known hosts. 2024/06/14 09:28:02 ignoring optional flag "sandboxArg"="0" 2024/06/14 09:28:02 parsed 1 programs [ 697.304456][ T5145] cgroup: Unknown subsys name 'net' [ 697.470668][ T5145] cgroup: Unknown subsys name 'rlimit' [ 698.573260][ T5147] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 699.374278][ T5183] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 699.382427][ T5183] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 699.391131][ T5183] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 699.401946][ T5183] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 699.410184][ T5183] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3 [ 699.417576][ T5183] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 699.426721][ T5182] ================================================================== [ 699.434784][ T5182] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x41/0x3b0 [ 699.442498][ T5182] Read of size 4 at addr ffff88806da5bd64 by task syz-executor.0/5182 [ 699.450637][ T5182] [ 699.452972][ T5182] CPU: 0 PID: 5182 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00761-g3ec8d7572a69 #0 [ 699.463365][ T5182] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 699.473409][ T5182] Call Trace: [ 699.476671][ T5182] <TASK> [ 699.479584][ T5182] dump_stack_lvl+0x241/0x360 [ 699.484242][ T5182] ? __pfx_dump_stack_lvl+0x10/0x10 [ 699.489425][ T5182] ? __pfx__printk+0x10/0x10 [ 699.494014][ T5182] ? _printk+0xd5/0x120 [ 699.498154][ T5182] ? __virt_addr_valid+0x183/0x520 [ 699.503406][ T5182] ? __virt_addr_valid+0x183/0x520 [ 699.508499][ T5182] print_report+0x169/0x550 [ 699.512982][ T5182] ? __virt_addr_valid+0x183/0x520 [ 699.518080][ T5182] ? __virt_addr_valid+0x183/0x520 [ 699.523166][ T5182] ? __virt_addr_valid+0x44e/0x520 [ 699.528256][ T5182] ? __phys_addr+0xba/0x170 [ 699.532755][ T5182] ? kfree_skb_reason+0x41/0x3b0 [ 699.537672][ T5182] kasan_report+0x143/0x180 [ 699.542166][ T5182] ? kfree_skb_reason+0x41/0x3b0 [ 699.547169][ T5182] kasan_check_range+0x282/0x290 [ 699.552089][ T5182] kfree_skb_reason+0x41/0x3b0 [ 699.556835][ T5182] __hci_req_sync+0x62f/0x950 [ 699.561506][ T5182] ? __pfx___hci_req_sync+0x10/0x10 [ 699.566706][ T5182] ? __pfx___mutex_lock+0x10/0x10 [ 699.571710][ T5182] ? __pfx_autoremove_wake_function+0x10/0x10 [ 699.577757][ T5182] ? __pfx_hci_scan_req+0x10/0x10 [ 699.582767][ T5182] hci_req_sync+0xa9/0xd0 [ 699.587084][ T5182] hci_dev_cmd+0x4c5/0xa50 [ 699.591476][ T5182] ? security_capable+0x90/0xb0 [ 699.596341][ T5182] ? __pfx_hci_dev_cmd+0x10/0x10 [ 699.601356][ T5182] ? hci_sock_ioctl+0x6c4/0xa40 [ 699.606197][ T5182] sock_do_ioctl+0x158/0x460 [ 699.610792][ T5182] ? __pfx_sock_do_ioctl+0x10/0x10 [ 699.615909][ T5182] sock_ioctl+0x629/0x8e0 [ 699.620232][ T5182] ? __pfx_sock_ioctl+0x10/0x10 [ 699.625064][ T5182] ? __fget_files+0x29/0x470 [ 699.629635][ T5182] ? __fget_files+0x3f6/0x470 [ 699.634292][ T5182] ? __fget_files+0x29/0x470 [ 699.638868][ T5182] ? bpf_lsm_file_ioctl+0x9/0x10 [ 699.643788][ T5182] ? security_file_ioctl+0x87/0xb0 [ 699.648903][ T5182] ? __pfx_sock_ioctl+0x10/0x10 [ 699.653746][ T5182] __se_sys_ioctl+0xfc/0x170 [ 699.658319][ T5182] do_syscall_64+0xf3/0x230 [ 699.662800][ T5182] ? clear_bhb_loop+0x35/0x90 [ 699.667458][ T5182] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 699.673339][ T5182] RIP: 0033:0x7fc6b687cc0b [ 699.677739][ T5182] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 699.697329][ T5182] RSP: 002b:00007ffe709f32c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 699.705737][ T5182] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc6b687cc0b [ 699.713686][ T5182] RDX: 00007ffe709f3338 RSI: 00000000400448dd RDI: 0000000000000003 [ 699.721660][ T5182] RBP: 000055555e17b430 R08: 0000000000000000 R09: 0000000000000000 [ 699.729612][ T5182] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000 [ 699.737591][ T5182] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001 [ 699.745544][ T5182] </TASK> [ 699.748542][ T5182] [ 699.750857][ T5182] Allocated by task 4486: [ 699.755155][ T5182] kasan_save_track+0x3f/0x80 [ 699.759839][ T5182] __kasan_slab_alloc+0x66/0x80 [ 699.764665][ T5182] kmem_cache_alloc_noprof+0x135/0x2a0 [ 699.770104][ T5182] skb_clone+0x20c/0x390 [ 699.774322][ T5182] hci_cmd_work+0x29e/0x670 [ 699.778803][ T5182] process_scheduled_works+0xa2c/0x1830 [ 699.784396][ T5182] worker_thread+0x86d/0xd70 [ 699.788984][ T5182] kthread+0x2f0/0x390 [ 699.793060][ T5182] ret_from_fork+0x4b/0x80 [ 699.797462][ T5182] ret_from_fork_asm+0x1a/0x30 [ 699.802228][ T5182] [ 699.804529][ T5182] Freed by task 4486: [ 699.808502][ T5182] kasan_save_track+0x3f/0x80 [ 699.813175][ T5182] kasan_save_free_info+0x40/0x50 [ 699.818177][ T5182] poison_slab_object+0xe0/0x150 [ 699.823112][ T5182] __kasan_slab_free+0x37/0x60 [ 699.827850][ T5182] kmem_cache_free+0x145/0x350 [ 699.832587][ T5182] hci_req_sync_complete+0xe7/0x290 [ 699.837767][ T5182] hci_event_packet+0xc71/0x1540 [ 699.842684][ T5182] hci_rx_work+0x3e8/0xca0 [ 699.847081][ T5182] process_scheduled_works+0xa2c/0x1830 [ 699.852603][ T5182] worker_thread+0x86d/0xd70 [ 699.857186][ T5182] kthread+0x2f0/0x390 [ 699.861231][ T5182] ret_from_fork+0x4b/0x80 [ 699.865635][ T5182] ret_from_fork_asm+0x1a/0x30 [ 699.870379][ T5182] [ 699.872678][ T5182] The buggy address belongs to the object at ffff88806da5bc80 [ 699.872678][ T5182] which belongs to the cache skbuff_head_cache of size 240 [ 699.887235][ T5182] The buggy address is located 228 bytes inside of [ 699.887235][ T5182] freed 240-byte region [ffff88806da5bc80, ffff88806da5bd70) [ 699.901004][ T5182] [ 699.903304][ T5182] The buggy address belongs to the physical page: [ 699.909749][ T5182] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6da5b [ 699.918517][ T5182] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 699.925624][ T5182] page_type: 0xffffefff(slab) [ 699.930309][ T5182] raw: 00fff00000000000 ffff888018ae2780 dead000000000122 0000000000000000 [ 699.938872][ T5182] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000 [ 699.947430][ T5182] page dumped because: kasan: bad access detected [ 699.953936][ T5182] page_owner tracks the page as allocated [ 699.959626][ T5182] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x152cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5184, tgid 5182 (syz-executor.0), ts 699417443300, free_ts 699363316025 [ 699.979138][ T5182] post_alloc_hook+0x1f3/0x230 [ 699.983921][ T5182] get_page_from_freelist+0x2e2d/0x2ee0 [ 699.989447][ T5182] __alloc_pages_noprof+0x256/0x6c0 [ 699.994641][ T5182] alloc_slab_page+0x5f/0x120 [ 699.999297][ T5182] allocate_slab+0x5a/0x2e0 [ 700.003776][ T5182] ___slab_alloc+0xcd1/0x14b0 [ 700.008429][ T5182] __slab_alloc+0x58/0xa0 [ 700.012738][ T5182] kmem_cache_alloc_node_noprof+0x1fe/0x320 [ 700.018627][ T5182] __alloc_skb+0x1c3/0x440 [ 700.023018][ T5182] vhci_write+0xc0/0x480 [ 700.027238][ T5182] do_iter_readv_writev+0x5a4/0x800 [ 700.032417][ T5182] vfs_writev+0x395/0xbe0 [ 700.036734][ T5182] do_writev+0x1b1/0x350 [ 700.041006][ T5182] do_syscall_64+0xf3/0x230 [ 700.045485][ T5182] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 700.051367][ T5182] page last free pid 5176 tgid 5176 stack trace: [ 700.057946][ T5182] free_unref_page+0xd22/0xea0 [ 700.062689][ T5182] vfree+0x186/0x2e0 [ 700.066734][ T5182] kcov_close+0x2b/0x50 [ 700.070866][ T5182] __fput+0x406/0x8b0 [ 700.074826][ T5182] task_work_run+0x24f/0x310 [ 700.079395][ T5182] do_exit+0xa27/0x27e0 [ 700.083524][ T5182] do_group_exit+0x207/0x2c0 [ 700.088091][ T5182] get_signal+0x16a1/0x1740 [ 700.092586][ T5182] arch_do_signal_or_restart+0x96/0x860 [ 700.098108][ T5182] syscall_exit_to_user_mode+0xc9/0x370 [ 700.103669][ T5182] do_syscall_64+0x100/0x230 [ 700.108255][ T5182] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 700.114134][ T5182] [ 700.116453][ T5182] Memory state around the buggy address: [ 700.122060][ T5182] ffff88806da5bc00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 700.130098][ T5182] ffff88806da5bc80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 700.138135][ T5182] >ffff88806da5bd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 700.146169][ T5182] ^ [ 700.153335][ T5182] ffff88806da5bd80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 700.161373][ T5182] ffff88806da5be00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 700.169411][ T5182] ================================================================== [ 700.181347][ T5182] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 700.188582][ T5182] CPU: 0 PID: 5182 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00761-g3ec8d7572a69 #0 [ 700.198996][ T5182] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 700.209049][ T5182] Call Trace: [ 700.212308][ T5182] <TASK> [ 700.215218][ T5182] dump_stack_lvl+0x241/0x360 [ 700.219890][ T5182] ? __pfx_dump_stack_lvl+0x10/0x10 [ 700.225074][ T5182] ? __pfx__printk+0x10/0x10 [ 700.229650][ T5182] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 700.235617][ T5182] ? vscnprintf+0x5d/0x90 [ 700.239941][ T5182] panic+0x349/0x860 [ 700.243818][ T5182] ? check_panic_on_warn+0x21/0xb0 [ 700.248911][ T5182] ? __pfx_panic+0x10/0x10 [ 700.253311][ T5182] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 700.259268][ T5182] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 700.265570][ T5182] check_panic_on_warn+0x86/0xb0 [ 700.270503][ T5182] ? kfree_skb_reason+0x41/0x3b0 [ 700.275418][ T5182] end_report+0x77/0x160 [ 700.279659][ T5182] kasan_report+0x154/0x180 [ 700.284141][ T5182] ? kfree_skb_reason+0x41/0x3b0 [ 700.289070][ T5182] kasan_check_range+0x282/0x290 [ 700.294013][ T5182] kfree_skb_reason+0x41/0x3b0 [ 700.298757][ T5182] __hci_req_sync+0x62f/0x950 [ 700.303416][ T5182] ? __pfx___hci_req_sync+0x10/0x10 [ 700.308608][ T5182] ? __pfx___mutex_lock+0x10/0x10 [ 700.313616][ T5182] ? __pfx_autoremove_wake_function+0x10/0x10 [ 700.319766][ T5182] ? __pfx_hci_scan_req+0x10/0x10 [ 700.324782][ T5182] hci_req_sync+0xa9/0xd0 [ 700.329105][ T5182] hci_dev_cmd+0x4c5/0xa50 [ 700.333592][ T5182] ? security_capable+0x90/0xb0 [ 700.338449][ T5182] ? __pfx_hci_dev_cmd+0x10/0x10 [ 700.343372][ T5182] ? hci_sock_ioctl+0x6c4/0xa40 [ 700.348210][ T5182] sock_do_ioctl+0x158/0x460 [ 700.352785][ T5182] ? __pfx_sock_do_ioctl+0x10/0x10 [ 700.357895][ T5182] sock_ioctl+0x629/0x8e0 [ 700.362216][ T5182] ? __pfx_sock_ioctl+0x10/0x10 [ 700.367069][ T5182] ? __fget_files+0x29/0x470 [ 700.371646][ T5182] ? __fget_files+0x3f6/0x470 [ 700.376309][ T5182] ? __fget_files+0x29/0x470 [ 700.380899][ T5182] ? bpf_lsm_file_ioctl+0x9/0x10 [ 700.385817][ T5182] ? security_file_ioctl+0x87/0xb0 [ 700.390907][ T5182] ? __pfx_sock_ioctl+0x10/0x10 [ 700.395739][ T5182] __se_sys_ioctl+0xfc/0x170 [ 700.400311][ T5182] do_syscall_64+0xf3/0x230 [ 700.404792][ T5182] ? clear_bhb_loop+0x35/0x90 [ 700.409449][ T5182] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 700.415318][ T5182] RIP: 0033:0x7fc6b687cc0b [ 700.419722][ T5182] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 700.439341][ T5182] RSP: 002b:00007ffe709f32c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 700.447742][ T5182] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc6b687cc0b [ 700.455711][ T5182] RDX: 00007ffe709f3338 RSI: 00000000400448dd RDI: 0000000000000003 [ 700.463660][ T5182] RBP: 000055555e17b430 R08: 0000000000000000 R09: 0000000000000000 [ 700.471610][ T5182] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000 [ 700.479561][ T5182] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001 [ 700.487520][ T5182] </TASK> [ 700.491101][ T5182] Kernel Offset: disabled [ 700.495419][ T5182] Rebooting in 86400 seconds..