last executing test programs (note: these are the programs that were running when the crash was detected, not a confirmed reproducer; none of them opens /dev/vhci or issues an HCI socket ioctl, whereas the allocation and free stacks in the KASAN report below come from hci_dev_cmd via sock_ioctl and from vhci_read, so the triggering program is not among those listed):
574.505033ms ago: executing program 1 (id=103):
nanosleep(&(0x7f0000000000), 0x0)
574.169506ms ago: executing program 1 (id=105):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc0', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/rtc0', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/rtc0', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/rtc0', 0x800, 0x0)
561.979889ms ago: executing program 1 (id=107):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/loop-control', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/loop-control', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/loop-control', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/loop-control', 0x800, 0x0)
502.964577ms ago: executing program 1 (id=111):
tkill(0x0, 0x0)
500.614527ms ago: executing program 1 (id=113):
rename(&(0x7f0000000000), &(0x7f0000000000))
447.141571ms ago: executing program 1 (id=114):
rt_sigreturn()
116.221884ms ago: executing program 2 (id=141):
syz_open_dev$cec(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$cec(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$cec(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$cec(&(0x7f0000000100), 0x0, 0x800)
116.13266ms ago: executing program 0 (id=142):
mount_setattr(0xffffffffffffffff, &(0x7f0000000000), 0x0, &(0x7f0000000000), 0x0)
115.987448ms ago: executing program 2 (id=143):
getresgid(&(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000))
66.929313ms ago: executing program 0 (id=144):
munlockall()
66.736631ms ago: executing program 0 (id=145):
lremovexattr(&(0x7f0000000000), &(0x7f0000000000))
66.622943ms ago: executing program 2 (id=146):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/fs/smackfs/logging', 0x2, 0x0)
66.462322ms ago: executing program 0 (id=147):
socket$igmp(0x2, 0x3, 0x2)
66.319965ms ago: executing program 2 (id=148):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/qrtr-tun', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/qrtr-tun', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/qrtr-tun', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/qrtr-tun', 0x800, 0x0)
3.955774ms ago: executing program 0 (id=149):
readv(0xffffffffffffffff, &(0x7f0000000000), 0x0)
3.353019ms ago: executing program 2 (id=150):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/proc/sys/net/ipv4/vs/sync_qlen_max', 0x2, 0x0)
3.25981ms ago: executing program 0 (id=151):
syz_init_net_socket$ax25(0x3, 0x2, 0x0)
0s ago: executing program 2 (id=152):
mlock2(0x0, 0x0, 0x0)
kernel console output (not intermixed with test programs; reviewer note: the report below shows an skb allocated on the HCI command-sync path by task 6001 (hci_dev_cmd → __hci_cmd_sync_sk → hci_cmd_sync_alloc) and freed by task 6003 in vhci_read, after which the hci0 workqueue's hci_cmd_work still reads it — i.e. what appears to be a lifetime race between the command-sync submission path and the vhci device's read path, preceded by "unexpected cc ... length" warnings that suggest malformed command-complete events were being injected through /dev/vhci):
Warning: Permanently added '[localhost]:26091' (ED25519) to the list of known hosts.
syzkaller login: [ 64.603051][ T5811] cgroup: Unknown subsys name 'net'
[ 64.816523][ T5811] cgroup: Unknown subsys name 'cpuset'
[ 64.822337][ T5811] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 66.961295][ T5811] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 74.082752][ T56] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 74.089613][ T56] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 74.092415][ T56] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 74.095165][ T56] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 74.098317][ T56] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 74.106396][ T56] ==================================================================
[ 74.109824][ T56] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[ 74.112856][ T56] Read of size 2 at addr ffff88816ca6c338 by task kworker/u11:0/56
[ 74.117589][ T56]
[ 74.118845][ T56] CPU: 0 UID: 0 PID: 56 Comm: kworker/u11:0 Not tainted syzkaller #0 PREEMPT(full)
[ 74.118864][ T56] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 74.118873][ T56] Workqueue: hci0 hci_cmd_work
[ 74.118899][ T56] Call Trace:
[ 74.118904][ T56]
[ 74.118910][ T56] dump_stack_lvl+0x189/0x250
[ 74.118932][ T56] ? __virt_addr_valid+0x1c8/0x5c0
[ 74.118947][ T56] ? rcu_is_watching+0x15/0xb0
[ 74.118960][ T56] ? __pfx_dump_stack_lvl+0x10/0x10
[ 74.118980][ T56] ? rcu_is_watching+0x15/0xb0
[ 74.118993][ T56] ? lock_release+0x4b/0x3d0
[ 74.119009][ T56] ? _raw_spin_lock_irqsave+0xb3/0xf0
[ 74.119028][ T56] ? __virt_addr_valid+0x1c8/0x5c0
[ 74.119042][ T56] ? __virt_addr_valid+0x4a5/0x5c0
[ 74.119056][ T56] print_report+0xca/0x240
[ 74.119074][ T56] ? hci_cmd_work+0x5d0/0x7b0
[ 74.119093][ T56] kasan_report+0x118/0x150
[ 74.119113][ T56] ? hci_cmd_work+0x5d0/0x7b0
[ 74.119135][ T56] hci_cmd_work+0x5d0/0x7b0
[ 74.119155][ T56] ? process_one_work+0x868/0x15e0
[ 74.119173][ T56] process_one_work+0x93a/0x15e0
[ 74.119190][ T56] ? __lock_acquire+0xab9/0xd20
[ 74.119214][ T56] ? __pfx_process_one_work+0x10/0x10
[ 74.119233][ T56] ? assign_work+0x3a1/0x410
[ 74.119251][ T56] worker_thread+0x9b0/0xee0
[ 74.119273][ T56] kthread+0x711/0x8a0
[ 74.119285][ T56] ? __pfx_worker_thread+0x10/0x10
[ 74.119299][ T56] ? __pfx_kthread+0x10/0x10
[ 74.119311][ T56] ? _raw_spin_unlock_irq+0x23/0x50
[ 74.119328][ T56] ? lockdep_hardirqs_on+0x9c/0x150
[ 74.119344][ T56] ? __pfx_kthread+0x10/0x10
[ 74.119354][ T56] ret_from_fork+0x599/0xb30
[ 74.119369][ T56] ? __pfx_ret_from_fork+0x10/0x10
[ 74.119385][ T56] ? __switch_to_asm+0x39/0x70
[ 74.119396][ T56] ? __switch_to_asm+0x33/0x70
[ 74.119406][ T56] ? __pfx_kthread+0x10/0x10
[ 74.119416][ T56] ret_from_fork_asm+0x1a/0x30
[ 74.119431][ T56]
[ 74.119436][ T56]
[ 74.196837][ T56] Allocated by task 6001:
[ 74.198347][ T56] kasan_save_track+0x3e/0x80
[ 74.200139][ T56] __kasan_slab_alloc+0x6c/0x80
[ 74.202001][ T56] kmem_cache_alloc_node_noprof+0x43c/0x710
[ 74.204151][ T56] __alloc_skb+0x112/0x2d0
[ 74.205814][ T56] hci_cmd_sync_alloc+0x3d/0x3b0
[ 74.207588][ T56] __hci_cmd_sync_sk+0x1a7/0xc70
[ 74.209338][ T56] hci_cmd_sync_status+0x4d/0x150
[ 74.211584][ T56] hci_dev_cmd+0x431/0x7d0
[ 74.213297][ T56] sock_do_ioctl+0xdc/0x300
[ 74.215028][ T56] sock_ioctl+0x576/0x790
[ 74.216470][ T56] __se_sys_ioctl+0xfc/0x170
[ 74.218192][ T56] do_syscall_64+0xfa/0xfa0
[ 74.219846][ T56] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.221958][ T56]
[ 74.222868][ T56] Freed by task 6003:
[ 74.224318][ T56] kasan_save_track+0x3e/0x80
[ 74.226101][ T56] kasan_save_free_info+0x46/0x50
[ 74.228119][ T56] __kasan_slab_free+0x5c/0x80
[ 74.230012][ T56] kmem_cache_free+0x197/0x640
[ 74.231865][ T56] vhci_read+0x49a/0x5b0
[ 74.233390][ T56] vfs_read+0x200/0xa30
[ 74.234902][ T56] ksys_read+0x145/0x250
[ 74.236438][ T56] do_syscall_64+0xfa/0xfa0
[ 74.238148][ T56] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.240662][ T56]
[ 74.241657][ T56] The buggy address belongs to the object at ffff88816ca6c300
[ 74.241657][ T56] which belongs to the cache skbuff_head_cache of size 240
[ 74.246994][ T56] The buggy address is located 56 bytes inside of
[ 74.246994][ T56] freed 240-byte region [ffff88816ca6c300, ffff88816ca6c3f0)
[ 74.251830][ T56]
[ 74.252739][ T56] The buggy address belongs to the physical page:
[ 74.255756][ T56] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x16ca6c
[ 74.259706][ T56] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 74.262643][ T56] anon flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
[ 74.265522][ T56] page_type: f5(slab)
[ 74.266916][ T56] raw: 057ff00000000040 ffff8881616a78c0 0000000000000000 dead000000000001
[ 74.269814][ T56] raw: 0000000000000000 0000000000150015 00000000f5000000 0000000000000000
[ 74.273278][ T56] head: 057ff00000000040 ffff8881616a78c0 0000000000000000 dead000000000001
[ 74.277589][ T56] head: 0000000000000000 0000000000150015 00000000f5000000 0000000000000000
[ 74.281057][ T56] head: 057ff00000000001 ffffea0005b29b01 00000000ffffffff 00000000ffffffff
[ 74.284228][ T56] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 74.287852][ T56] page dumped because: kasan: bad access detected
[ 74.290826][ T56] page_owner tracks the page as allocated
[ 74.293181][ T56] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5291, tgid 5291 (udevd), ts 33642680595, free_ts 13452841945
[ 74.301608][ T56] post_alloc_hook+0x240/0x2a0
[ 74.303257][ T56] get_page_from_freelist+0x2365/0x2440
[ 74.305268][ T56] __alloc_frozen_pages_noprof+0x181/0x370
[ 74.307343][ T56] alloc_pages_mpol+0x232/0x4a0
[ 74.309122][ T56] allocate_slab+0x86/0x3b0
[ 74.310850][ T56] ___slab_alloc+0xf56/0x1990
[ 74.312891][ T56] __slab_alloc+0x65/0x100
[ 74.314930][ T56] kmem_cache_alloc_node_noprof+0x4ce/0x710
[ 74.317205][ T56] __alloc_skb+0x112/0x2d0
[ 74.318945][ T56] netlink_sendmsg+0x5c6/0xb30
[ 74.320697][ T56] __sock_sendmsg+0x21c/0x270
[ 74.322410][ T56] ____sys_sendmsg+0x505/0x870
[ 74.324137][ T56] ___sys_sendmsg+0x21f/0x2a0
[ 74.326058][ T56] __x64_sys_sendmsg+0x19b/0x260
[ 74.328032][ T56] do_syscall_64+0xfa/0xfa0
[ 74.329756][ T56] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.331944][ T56] page last free pid 9 tgid 9 stack trace:
[ 74.334204][ T56] __free_frozen_pages+0xbc8/0xd30
[ 74.336778][ T56] vfree+0x25a/0x400
[ 74.338563][ T56] delayed_vfree_work+0x55/0x80
[ 74.340827][ T56] process_one_work+0x93a/0x15e0
[ 74.343045][ T56] worker_thread+0x9b0/0xee0
[ 74.344828][ T56] kthread+0x711/0x8a0
[ 74.346294][ T56] ret_from_fork+0x599/0xb30
[ 74.348048][ T56] ret_from_fork_asm+0x1a/0x30
[ 74.349869][ T56]
[ 74.350790][ T56] Memory state around the buggy address:
[ 74.352795][ T56] ffff88816ca6c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 74.355686][ T56] ffff88816ca6c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 74.358758][ T56] >ffff88816ca6c300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.361922][ T56] ^
[ 74.364545][ T56] ffff88816ca6c380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 74.367917][ T56] ffff88816ca6c400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 74.370838][ T56] ==================================================================
[ 74.377880][ T56] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 74.380983][ T56] CPU: 0 UID: 0 PID: 56 Comm: kworker/u11:0 Not tainted syzkaller #0 PREEMPT(full)
[ 74.386145][ T56] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 74.390420][ T56] Workqueue: hci0 hci_cmd_work
[ 74.392417][ T56] Call Trace:
[ 74.393847][ T56]
[ 74.395090][ T56] dump_stack_lvl+0x99/0x250
[ 74.397042][ T56] ? __asan_memcpy+0x40/0x70
[ 74.399012][ T56] ? __pfx_dump_stack_lvl+0x10/0x10
[ 74.401174][ T56] ? __pfx__printk+0x10/0x10
[ 74.403107][ T56] vpanic+0x237/0x6d0
[ 74.404769][ T56] ? __pfx_vpanic+0x10/0x10
[ 74.406730][ T56] ? preempt_schedule+0xae/0xc0
[ 74.408931][ T56] ? __pfx_preempt_schedule+0x10/0x10
[ 74.411586][ T56] panic+0xb9/0xc0
[ 74.413354][ T56] ? __pfx_panic+0x10/0x10
[ 74.415294][ T56] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 74.417826][ T56] ? is_module_address+0x17/0xf0
[ 74.419861][ T56] ? hci_cmd_work+0x5d0/0x7b0
[ 74.421879][ T56] check_panic_on_warn+0x89/0xb0
[ 74.423986][ T56] ? hci_cmd_work+0x5d0/0x7b0
[ 74.425951][ T56] end_report+0x6f/0x160
[ 74.427799][ T56] kasan_report+0x129/0x150
[ 74.430001][ T56] ? hci_cmd_work+0x5d0/0x7b0
[ 74.432092][ T56] hci_cmd_work+0x5d0/0x7b0
[ 74.434374][ T56] ? process_one_work+0x868/0x15e0
[ 74.436660][ T56] process_one_work+0x93a/0x15e0
[ 74.438981][ T56] ? __lock_acquire+0xab9/0xd20
[ 74.441143][ T56] ? __pfx_process_one_work+0x10/0x10
[ 74.443352][ T56] ? assign_work+0x3a1/0x410
[ 74.445431][ T56] worker_thread+0x9b0/0xee0
[ 74.447601][ T56] kthread+0x711/0x8a0
[ 74.449443][ T56] ? __pfx_worker_thread+0x10/0x10
[ 74.452162][ T56] ? __pfx_kthread+0x10/0x10
[ 74.454398][ T56] ? _raw_spin_unlock_irq+0x23/0x50
[ 74.456589][ T56] ? lockdep_hardirqs_on+0x9c/0x150
[ 74.458729][ T56] ? __pfx_kthread+0x10/0x10
[ 74.460480][ T56] ret_from_fork+0x599/0xb30
[ 74.462249][ T56] ? __pfx_ret_from_fork+0x10/0x10
[ 74.464325][ T56] ? __switch_to_asm+0x39/0x70
[ 74.466346][ T56] ? __switch_to_asm+0x33/0x70
[ 74.468390][ T56] ? __pfx_kthread+0x10/0x10
[ 74.470447][ T56] ret_from_fork_asm+0x1a/0x30
[ 74.472604][ T56]
[ 74.474804][ T56] Kernel Offset: disabled
[ 74.476224][ T56] Rebooting in 86400 seconds..
VM DIAGNOSIS:
20:06:54 Registers:
info registers vcpu 0
CPU#0
RAX=0000000000000061 RBX=0000000000000061 RCX=0000000000000000 RDX=00000000000003f8
RSI=0000000000000000 RDI=0000000000000020 RBP=00000000000003f8 RSP=ffffc9000142f330
R8 =ffff88816b3c0237 R9 =1ffff1102d678046 R10=dffffc0000000000 R11=ffffffff851c21e0
R12=dffffc0000000000 R13=ffffffff9985695a R14=ffffffff99b6b080 R15=0000000000000000
RIP=ffffffff851c225c RFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 ffffffff 00c00000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
DS =0000 0000000000000000 ffffffff 00c00000
FS =0000 0000000000000000 ffffffff 00c00000
GS =0000 ffff88818e8be000 ffffffff 00c00000
LDT=0000 0000000000000000 ffffffff 00c00000
TR =0040 fffffe0000003000 00004087 00008b00 DPL=0 TSS64-busy
GDT= fffffe0000001000 0000007f
IDT= fffffe0000000000 00000fff
CR0=80050033 CR2=00007f5cdc1dae10 CR3=000000016a4fe000 CR4=000006f0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=0000000000000000 0000000000000000 XMM01=0000000000000000 0000000000000000
XMM02=00007f5cdc3b7498 00007f5cdc3b7470 XMM03=00007f5cdc3b74a8 00007f5cdc3b74a0
XMM04=00007f5cdcf1d100 00007f5cdc3b7460 XMM05=00007f5cdc3b7478 00007f5cdc3b74c0
XMM06=00007f5cdc3b74b8 00007f5cdc3b74b0 XMM07=00007f5cdc3b74a8 00007f5cdc3b74a0
XMM08=0000000000000000 0000000000000000 XMM09=0000000000000000 0000000000000000
XMM10=0000000000000000 0000000000000000 XMM11=0000000000000000 0000000000000000
XMM12=0000000000000000 0000000000000000 XMM13=0000000000000000 0000000000000000
XMM14=0000000000000000 0000000000000000 XMM15=0000000000000000 0000000000000000
info registers vcpu 1
CPU#1
RAX=00000000dd6cafa3 RBX=0000000000000003 RCX=00000000d9309d63 RDX=00000000f5501d20
RSI=000000005d298343 RDI=ffff88810c19d7c0 RBP=0000000000000000 RSP=ffffc90004fe59c8
R8 =0000000000000000 R9 =ffffffff81741ff5 R10=ffffc90004fe5c18 R11=ffffffff81ad9f00
R12=00000000808f6b51 R13=ffff88810c19e2f0 R14=ffff88810c19e368 R15=00000000071e345e
RIP=ffffffff819e7947 RFL=00000086 [--S--P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 ffffffff 00c00000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
DS =0000 0000000000000000 ffffffff 00c00000
FS =0000 000055558d04e500 ffffffff 00c00000
GS =0000 ffff8882a9ebe000 ffffffff 00c00000
LDT=0000 0000000000000000 ffffffff 00c00000
TR =0040 fffffe000004a000 00004087 00008b00 DPL=0 TSS64-busy
GDT= fffffe0000048000 0000007f
IDT= fffffe0000000000 00000fff
CR0=80050033 CR2=00007f5cdc118f60 CR3=000000011163a000 CR4=000006f0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=00ff000000000000 0000000000000000 XMM01=0000ff0000000000 0000ff0000000000
XMM02=0000000000000000 000000000000ff00 XMM03=0000000000000000 0000000000000000
XMM04=0000000000000000 0000000000000000 XMM05=0000000000000000 0000000000000000
XMM06=0000000000000000 0000000000000000 XMM07=0000000000000000 0000000000000000
XMM08=0000000000000000 0000000000000000 XMM09=0000000000000000 0000000000000000
XMM10=0000000000000000 0000000000000000 XMM11=0000000000000000 0000000000000000
XMM12=0000000000000000 0000000000000000 XMM13=0000000000000000 0000000000000000
XMM14=0000000000000000 0000000000000000 XMM15=0000000000000000 0000000000000000