last executing test programs: kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.1.172' (ED25519) to the list of known hosts. [ 66.426211][ T5079] cgroup: Unknown subsys name 'net' [ 66.567277][ T5079] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 68.364999][ T5079] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 70.730138][ T5100] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 70.740946][ T5104] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 70.749286][ T5104] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 70.753937][ T5100] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 70.757719][ T5104] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1 [ 70.764118][ T5100] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 70.772042][ T5104] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 70.777793][ T5100] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 70.787243][ T5104] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 70.793491][ T5100] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9 [ 70.801281][ T5104] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 70.807640][ T5100] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 70.814164][ T5104] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3 [ 70.827187][ T5104] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9 [ 70.827644][ T5100] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 70.835526][ T5104] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 70.841580][ T5100] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 70.856759][ T5100] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 70.865364][ T5100] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 70.869841][ T5104] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4 [ 70.874076][ T5100] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3 [ 70.880709][ T5104] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 70.887277][ T5100] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 70.895091][ T5104] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 70.910050][ T5104] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3 [ 70.918674][ T5100] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3 [ 70.918695][ T5104] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3 [ 70.933839][ T5098] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2 [ 70.934463][ T53] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 70.943595][ T5104] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 70.955621][ T5103] ================================================================== [ 70.963718][ T5103] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x41/0x3b0 [ 70.971491][ T5103] Read of size 4 at addr ffff88802297b364 by task syz-executor/5103 [ 70.979485][ T5103] [ 70.981836][ T5103] CPU: 1 PID: 5103 Comm: syz-executor Not tainted 6.10.0-rc2-syzkaller-00834-g90dc946059b7 #0 [ 70.992113][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 71.002197][ T5103] Call Trace: [ 71.005504][ T5103] <TASK> [ 71.008456][ T5103] dump_stack_lvl+0x241/0x360 [ 71.013171][ T5103] ? __pfx_dump_stack_lvl+0x10/0x10 [ 71.018408][ T5103] ? __pfx__printk+0x10/0x10 [ 71.023028][ T5103] ? _printk+0xd5/0x120 [ 71.027213][ T5103] ? __virt_addr_valid+0x183/0x520 [ 71.032358][ T5103] ? __virt_addr_valid+0x183/0x520 [ 71.037503][ T5103] print_report+0x169/0x550 [ 71.042037][ T5103] ? __virt_addr_valid+0x183/0x520 [ 71.047186][ T5103] ? __virt_addr_valid+0x183/0x520 [ 71.052328][ T5103] ? __virt_addr_valid+0x44e/0x520 [ 71.057474][ T5103] ? __phys_addr+0xba/0x170 [ 71.062010][ T5103] ? kfree_skb_reason+0x41/0x3b0 [ 71.067011][ T5103] kasan_report+0x143/0x180 [ 71.071556][ T5103] ? kfree_skb_reason+0x41/0x3b0 [ 71.076537][ T5103] kasan_check_range+0x282/0x290 [ 71.081513][ T5103] kfree_skb_reason+0x41/0x3b0 [ 71.086485][ T5103] __hci_req_sync+0x62f/0x950 [ 71.091194][ T5103] ? __pfx___hci_req_sync+0x10/0x10 [ 71.096427][ T5103] ? __pfx___mutex_lock+0x10/0x10 [ 71.101493][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10 [ 71.107595][ T5103] ? __pfx_hci_scan_req+0x10/0x10 [ 71.112654][ T5103] hci_req_sync+0xa9/0xd0 [ 71.117042][ T5103] hci_dev_cmd+0x4c5/0xa50 [ 71.121522][ T5103] ? security_capable+0x90/0xb0 [ 71.126399][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10 [ 71.131373][ T5103] ? hci_sock_ioctl+0x6c4/0xa40 [ 71.136255][ T5103] sock_do_ioctl+0x158/0x460 [ 71.140874][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10 [ 71.146116][ T5103] sock_ioctl+0x629/0x8e0 [ 71.150489][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 71.155375][ T5103] ? __fget_files+0x29/0x470 [ 71.160002][ T5103] ? __fget_files+0x3f6/0x470 [ 71.164712][ T5103] ? __fget_files+0x29/0x470 [ 71.169343][ T5103] ? bpf_lsm_file_ioctl+0x9/0x10 [ 71.174313][ T5103] ? security_file_ioctl+0x87/0xb0 [ 71.179463][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 71.184346][ T5103] __se_sys_ioctl+0xfc/0x170 [ 71.188965][ T5103] do_syscall_64+0xf3/0x230 [ 71.193494][ T5103] ? clear_bhb_loop+0x35/0x90 [ 71.198202][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 71.204143][ T5103] RIP: 0033:0x7fc1923757db [ 71.208581][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 71.228210][ T5103] RSP: 002b:00007ffeee021a40 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 71.236653][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc1923757db [ 71.244656][ T5103] RDX: 00007ffeee021ab8 RSI: 00000000400448dd RDI: 0000000000000003 [ 71.252652][ T5103] RBP: 0000555587b7d4a8 R08: 0000000000000000 R09: 0000000000000000 [ 71.260644][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000004 [ 71.268635][ T5103] R13: 0000000000000004 R14: 0000000000000009 R15: 0000000000000009 [ 71.276640][ T5103] </TASK> [ 71.279676][ T5103] [ 71.282009][ T5103] Allocated by task 53: [ 71.286187][ T5103] kasan_save_track+0x3f/0x80 [ 71.290892][ T5103] __kasan_slab_alloc+0x66/0x80 [ 71.295774][ T5103] kmem_cache_alloc_noprof+0x135/0x2a0 [ 71.301271][ T5103] skb_clone+0x20c/0x390 [ 71.305544][ T5103] hci_cmd_work+0x29e/0x670 [ 71.310078][ T5103] process_scheduled_works+0xa2c/0x1830 [ 71.315646][ T5103] worker_thread+0x86d/0xd70 [ 71.320259][ T5103] kthread+0x2f0/0x390 [ 71.324351][ T5103] ret_from_fork+0x4b/0x80 [ 71.328794][ T5103] ret_from_fork_asm+0x1a/0x30 [ 71.333589][ T5103] [ 71.335941][ T5103] Freed by task 5104: [ 71.339930][ T5103] kasan_save_track+0x3f/0x80 [ 71.344645][ T5103] kasan_save_free_info+0x40/0x50 [ 71.349688][ T5103] poison_slab_object+0xe0/0x150 [ 71.354660][ T5103] __kasan_slab_free+0x37/0x60 [ 71.359458][ T5103] kmem_cache_free+0x145/0x350 [ 71.364243][ T5103] hci_req_sync_complete+0xe7/0x290 [ 71.369459][ T5103] hci_event_packet+0xc71/0x1540 [ 71.374427][ T5103] hci_rx_work+0x3e8/0xca0 [ 71.378874][ T5103] process_scheduled_works+0xa2c/0x1830 [ 71.384443][ T5103] worker_thread+0x86d/0xd70 [ 71.389060][ T5103] kthread+0x2f0/0x390 [ 71.393155][ T5103] ret_from_fork+0x4b/0x80 [ 71.397605][ T5103] ret_from_fork_asm+0x1a/0x30 [ 71.402401][ T5103] [ 71.404737][ T5103] The buggy address belongs to the object at ffff88802297b280 [ 71.404737][ T5103] which belongs to the cache skbuff_head_cache of size 240 [ 71.419324][ T5103] The buggy address is located 228 bytes inside of [ 71.419324][ T5103] freed 240-byte region [ffff88802297b280, ffff88802297b370) [ 71.433237][ T5103] [ 71.435580][ T5103] The buggy address belongs to the physical page: [ 71.442010][ T5103] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2297b [ 71.450804][ T5103] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 71.457935][ T5103] page_type: 0xffffefff(slab) [ 71.462610][ T5103] raw: 00fff00000000000 ffff888018e9f780 dead000000000122 0000000000000000 [ 71.471190][ T5103] raw: 0000000000000000 00000000800c000c 00000001ffffefff 0000000000000000 [ 71.479769][ T5103] page dumped because: kasan: bad access detected [ 71.486185][ T5103] page_owner tracks the page as allocated [ 71.491892][ T5103] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5103, tgid 5103 (syz-executor), ts 70954503600, free_ts 70915614215 [ 71.511166][ T5103] post_alloc_hook+0x1f3/0x230 [ 71.515938][ T5103] get_page_from_freelist+0x2e2d/0x2ee0 [ 71.521483][ T5103] __alloc_pages_noprof+0x256/0x6c0 [ 71.526683][ T5103] alloc_slab_page+0x5f/0x120 [ 71.531388][ T5103] allocate_slab+0x5a/0x2e0 [ 71.535907][ T5103] ___slab_alloc+0xcd1/0x14b0 [ 71.540594][ T5103] __slab_alloc+0x58/0xa0 [ 71.544933][ T5103] kmem_cache_alloc_node_noprof+0x1fe/0x320 [ 71.550842][ T5103] __alloc_skb+0x1c3/0x440 [ 71.555343][ T5103] hci_prepare_cmd+0x39/0x300 [ 71.560028][ T5103] hci_req_add_ev+0xac/0x290 [ 71.564637][ T5103] hci_scan_req+0xa0/0x180 [ 71.569077][ T5103] __hci_req_sync+0x1a8/0x950 [ 71.573761][ T5103] hci_req_sync+0xa9/0xd0 [ 71.578116][ T5103] hci_dev_cmd+0x4c5/0xa50 [ 71.582538][ T5103] sock_do_ioctl+0x158/0x460 [ 71.587132][ T5103] page last free pid 5089 tgid 5089 stack trace: [ 71.593456][ T5103] free_unref_page+0xd22/0xea0 [ 71.598253][ T5103] __put_partials+0xeb/0x130 [ 71.602849][ T5103] put_cpu_partial+0x17c/0x250 [ 71.607619][ T5103] __slab_free+0x2ea/0x3d0 [ 71.612044][ T5103] qlist_free_all+0x9e/0x140 [ 71.616644][ T5103] kasan_quarantine_reduce+0x14f/0x170 [ 71.622105][ T5103] __kasan_slab_alloc+0x23/0x80 [ 71.626962][ T5103] kmem_cache_alloc_noprof+0x135/0x2a0 [ 71.632439][ T5103] create_new_namespaces+0x34/0x7b0 [ 71.637659][ T5103] unshare_nsproxy_namespaces+0x124/0x180 [ 71.643385][ T5103] ksys_unshare+0x619/0xc10 [ 71.647895][ T5103] __x64_sys_unshare+0x38/0x40 [ 71.652666][ T5103] do_syscall_64+0xf3/0x230 [ 71.657176][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 71.663076][ T5103] [ 71.665403][ T5103] Memory state around the buggy address: [ 71.671031][ T5103] ffff88802297b200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 71.679090][ T5103] ffff88802297b280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 71.687152][ T5103] >ffff88802297b300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 71.695217][ T5103] ^ [ 71.702408][ T5103] ffff88802297b380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 71.710463][ T5103] ffff88802297b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 71.718513][ T5103] ================================================================== [ 71.729854][ T1247] ieee802154 phy0 wpan0: encryption failed: -22 [ 71.736524][ T1247] ieee802154 phy1 wpan1: encryption failed: -22 [ 71.750635][ T5103] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 71.757861][ T5103] CPU: 1 PID: 5103 Comm: syz-executor Not tainted 6.10.0-rc2-syzkaller-00834-g90dc946059b7 #0 [ 71.768106][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 71.778168][ T5103] Call Trace: [ 71.781451][ T5103] <TASK> [ 71.784385][ T5103] dump_stack_lvl+0x241/0x360 [ 71.789072][ T5103] ? __pfx_dump_stack_lvl+0x10/0x10 [ 71.794281][ T5103] ? __pfx__printk+0x10/0x10 [ 71.798872][ T5103] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 71.804861][ T5103] ? vscnprintf+0x5d/0x90 [ 71.809199][ T5103] panic+0x349/0x860 [ 71.813098][ T5103] ? check_panic_on_warn+0x21/0xb0 [ 71.818216][ T5103] ? __pfx_panic+0x10/0x10 [ 71.822723][ T5103] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 71.828707][ T5103] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 71.835041][ T5103] check_panic_on_warn+0x86/0xb0 [ 71.839991][ T5103] ? kfree_skb_reason+0x41/0x3b0 [ 71.844933][ T5103] end_report+0x77/0x160 [ 71.849199][ T5103] kasan_report+0x154/0x180 [ 71.853717][ T5103] ? kfree_skb_reason+0x41/0x3b0 [ 71.858663][ T5103] kasan_check_range+0x282/0x290 [ 71.863612][ T5103] kfree_skb_reason+0x41/0x3b0 [ 71.868391][ T5103] __hci_req_sync+0x62f/0x950 [ 71.873094][ T5103] ? __pfx___hci_req_sync+0x10/0x10 [ 71.878302][ T5103] ? __pfx___mutex_lock+0x10/0x10 [ 71.883335][ T5103] ? __pfx_autoremove_wake_function+0x10/0x10 [ 71.889406][ T5103] ? __pfx_hci_scan_req+0x10/0x10 [ 71.894438][ T5103] hci_req_sync+0xa9/0xd0 [ 71.898769][ T5103] hci_dev_cmd+0x4c5/0xa50 [ 71.903186][ T5103] ? security_capable+0x90/0xb0 [ 71.908040][ T5103] ? __pfx_hci_dev_cmd+0x10/0x10 [ 71.914112][ T5103] ? hci_sock_ioctl+0x6c4/0xa40 [ 71.918967][ T5103] sock_do_ioctl+0x158/0x460 [ 71.923563][ T5103] ? __pfx_sock_do_ioctl+0x10/0x10 [ 71.928681][ T5103] sock_ioctl+0x629/0x8e0 [ 71.933019][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 71.937881][ T5103] ? __fget_files+0x29/0x470 [ 71.942479][ T5103] ? __fget_files+0x3f6/0x470 [ 71.947175][ T5103] ? __fget_files+0x29/0x470 [ 71.951776][ T5103] ? bpf_lsm_file_ioctl+0x9/0x10 [ 71.956720][ T5103] ? security_file_ioctl+0x87/0xb0 [ 71.961836][ T5103] ? __pfx_sock_ioctl+0x10/0x10 [ 71.966695][ T5103] __se_sys_ioctl+0xfc/0x170 [ 71.971292][ T5103] do_syscall_64+0xf3/0x230 [ 71.975797][ T5103] ? clear_bhb_loop+0x35/0x90 [ 71.980496][ T5103] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 71.986393][ T5103] RIP: 0033:0x7fc1923757db [ 71.990806][ T5103] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 72.010410][ T5103] RSP: 002b:00007ffeee021a40 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 72.018827][ T5103] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc1923757db [ 72.026982][ T5103] RDX: 00007ffeee021ab8 RSI: 00000000400448dd RDI: 0000000000000003 [ 72.034952][ T5103] RBP: 0000555587b7d4a8 R08: 0000000000000000 R09: 0000000000000000 [ 72.042927][ T5103] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000004 [ 72.050894][ T5103] R13: 0000000000000004 R14: 0000000000000009 R15: 0000000000000009 [ 72.058886][ T5103] </TASK> [ 72.062203][ T5103] Kernel Offset: disabled [ 72.066527][ T5103] Rebooting in 86400 seconds..