program: r0 = syz_init_net_socket$x25(0x9, 0x5, 0x0) (async) r1 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) (async) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) (async) r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) (async, rerun: 32) r4 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0) (rerun: 32) r5 = ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) ioctl$KVM_SET_MSRS(r6, 0xc008ae88, &(0x7f0000000040)={0x1, 0x0, [{0x198, 0x0, 0x106}]}) (async) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000)) (async) ioctl$sock_netrom_SIOCADDRT(r1, 0x890b, &(0x7f00000000c0)={0x1, @default, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x0, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}) (async) connect$netrom(r1, &(0x7f0000000300)={{0x6, @default}, [@null, @default, @default, @default, @bcast, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}]}, 0x48) ioctl$sock_ifreq(r0, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'}) [ 75.023897][ T5313] Bluetooth: hci0: command tx timeout [ 75.156641][ T5335] ================================================================== [ 75.160053][ T5335] BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x37/0x170 [ 75.163551][ T5335] Write of size 4 at addr ffff88801f68fae4 by task syz.0.0/5335 [ 75.166534][ T5335] [ 75.167675][ T5335] CPU: 0 UID: 0 PID: 5335 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 75.167688][ T5335] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.167695][ T5335] Call Trace: [ 75.167702][ T5335] [ 75.167707][ T5335] dump_stack_lvl+0x189/0x250 [ 75.167723][ T5335] ? __virt_addr_valid+0x1c8/0x5c0 [ 75.167746][ T5335] ? rcu_is_watching+0x15/0xb0 [ 75.167758][ T5335] ? __kasan_check_byte+0x12/0x40 [ 75.167806][ T5335] ? __pfx_dump_stack_lvl+0x10/0x10 [ 75.167817][ T5335] ? rcu_is_watching+0x15/0xb0 [ 75.167828][ T5335] ? lock_release+0x4b/0x3b0 [ 75.167839][ T5335] ? __virt_addr_valid+0x1c8/0x5c0 [ 75.167853][ T5335] ? __virt_addr_valid+0x4a5/0x5c0 [ 75.167866][ T5335] print_report+0xca/0x240 [ 75.167876][ T5335] ? sk_skb_reason_drop+0x37/0x170 [ 75.167889][ T5335] kasan_report+0x118/0x150 [ 75.167899][ T5335] ? sk_skb_reason_drop+0x37/0x170 [ 75.167913][ T5335] kasan_check_range+0x2b0/0x2c0 [ 75.167924][ T5335] sk_skb_reason_drop+0x37/0x170 [ 75.167936][ T5335] nr_transmit_buffer+0x11d/0x1b0 [ 75.167949][ T5335] nr_establish_data_link+0x62/0xb0 [ 75.167961][ T5335] nr_connect+0x6e6/0xde0 [ 75.167973][ T5335] ? __pfx_nr_connect+0x10/0x10 [ 75.167983][ T5335] ? tomoyo_socket_connect_permission+0x164/0x290 [ 75.168001][ T5335] ? bpf_lsm_socket_connect+0x9/0x20 [ 75.168015][ T5335] __sys_connect+0x316/0x440 [ 75.168028][ T5335] ? __pfx___sys_connect+0x10/0x10 [ 75.168040][ T5335] ? rcu_is_watching+0x15/0xb0 [ 75.168054][ T5335] __x64_sys_connect+0x7a/0x90 [ 75.168065][ T5335] do_syscall_64+0xfa/0xf80 [ 75.168112][ T5335] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.168123][ T5335] ? clear_bhb_loop+0x60/0xb0 [ 75.168134][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.168144][ T5335] RIP: 0033:0x7f544f98f7c9 [ 75.168154][ T5335] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 75.168164][ T5335] RSP: 002b:00007f545074b038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 75.168176][ T5335] RAX: ffffffffffffffda RBX: 00007f544fbe6090 RCX: 00007f544f98f7c9 [ 75.168184][ T5335] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000007 [ 75.168190][ T5335] RBP: 00007f544fa13f91 R08: 0000000000000000 R09: 0000000000000000 [ 75.168197][ T5335] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 75.168203][ T5335] R13: 00007f544fbe6128 R14: 00007f544fbe6090 R15: 00007ffd343b0248 [ 75.168213][ T5335] [ 75.168216][ T5335] [ 75.275986][ T5335] Allocated by task 5335: [ 75.277836][ T5335] kasan_save_track+0x3e/0x80 [ 75.279857][ T5335] __kasan_slab_alloc+0x6c/0x80 [ 75.281842][ T5335] kmem_cache_alloc_node_noprof+0x43c/0x720 [ 75.284389][ T5335] __alloc_skb+0x255/0x430 [ 75.286343][ T5335] nr_write_internal+0xe2/0xc60 [ 75.288451][ T5335] nr_establish_data_link+0x62/0xb0 [ 75.290636][ T5335] nr_connect+0x6e6/0xde0 [ 75.292447][ T5335] __sys_connect+0x316/0x440 [ 75.294361][ T5335] __x64_sys_connect+0x7a/0x90 [ 75.296481][ T5335] do_syscall_64+0xfa/0xf80 [ 75.298574][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.301175][ T5335] [ 75.302290][ T5335] Freed by task 5335: [ 75.304075][ T5335] kasan_save_track+0x3e/0x80 [ 75.306195][ T5335] kasan_save_free_info+0x46/0x50 [ 75.308400][ T5335] __kasan_slab_free+0x5c/0x80 [ 75.310349][ T5335] kmem_cache_free+0x197/0x620 [ 75.312521][ T5335] nr_route_frame+0x467/0x7e0 [ 75.314768][ T5335] nr_transmit_buffer+0xe7/0x1b0 [ 75.317157][ T5335] nr_establish_data_link+0x62/0xb0 [ 75.319621][ T5335] nr_connect+0x6e6/0xde0 [ 75.321732][ T5335] __sys_connect+0x316/0x440 [ 75.323960][ T5335] __x64_sys_connect+0x7a/0x90 [ 75.326182][ T5335] do_syscall_64+0xfa/0xf80 [ 75.328288][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.330832][ T5335] [ 75.331915][ T5335] The buggy address belongs to the object at ffff88801f68fa00 [ 75.331915][ T5335] which belongs to the cache skbuff_head_cache of size 240 [ 75.338201][ T5335] The buggy address is located 228 bytes inside of [ 75.338201][ T5335] freed 240-byte region [ffff88801f68fa00, ffff88801f68faf0) [ 75.343707][ T5335] [ 75.344791][ T5335] The buggy address belongs to the physical page: [ 75.348233][ T5335] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f68f [ 75.352904][ T5335] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 75.356640][ T5335] page_type: f5(slab) [ 75.358918][ T5335] raw: 00fff00000000000 ffff88803040cb40 ffffea0000468a80 0000000000000002 [ 75.363534][ T5335] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 75.367411][ T5335] page dumped because: kasan: bad access detected [ 75.370350][ T5335] page_owner tracks the page as allocated [ 75.372954][ T5335] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5312, tgid 5312 (syz-executor), ts 72586601454, free_ts 33724546179 [ 75.381011][ T5335] post_alloc_hook+0x234/0x290 [ 75.383009][ T5335] get_page_from_freelist+0x2365/0x2440 [ 75.385276][ T5335] __alloc_frozen_pages_noprof+0x181/0x370 [ 75.387694][ T5335] alloc_pages_mpol+0x232/0x4a0 [ 75.389634][ T5335] allocate_slab+0x86/0x3b0 [ 75.391653][ T5335] ___slab_alloc+0xf2b/0x1960 [ 75.393665][ T5335] __slab_alloc+0x65/0x100 [ 75.395675][ T5335] kmem_cache_alloc_node_noprof+0x4ce/0x720 [ 75.398778][ T5335] __alloc_skb+0x255/0x430 [ 75.400844][ T5335] alloc_uevent_skb+0x7d/0x230 [ 75.402863][ T5335] kobject_uevent_net_broadcast+0x184/0x560 [ 75.405162][ T5335] kobject_uevent_env+0x55c/0x9f0 [ 75.407317][ T5335] device_add+0x557/0xb80 [ 75.409148][ T5335] netdev_register_kobject+0x178/0x310 [ 75.411274][ T5335] register_netdevice+0x1246/0x1a70 [ 75.413579][ T5335] team_newlink+0x114/0x160 [ 75.415473][ T5335] page last free pid 4743 tgid 4743 stack trace: [ 75.417773][ T5335] __free_frozen_pages+0xbc8/0xd30 [ 75.419671][ T5335] __put_partials+0x146/0x170 [ 75.421359][ T5335] put_cpu_partial+0x1f2/0x2d0 [ 75.423453][ T5335] __slab_free+0x288/0x2a0 [ 75.425282][ T5335] qlist_free_all+0x97/0x100 [ 75.427579][ T5335] kasan_quarantine_reduce+0x148/0x160 [ 75.429903][ T5335] __kasan_slab_alloc+0x22/0x80 [ 75.432098][ T5335] kmem_cache_alloc_noprof+0x37d/0x710 [ 75.434376][ T5335] getname_flags+0xb8/0x540 [ 75.436305][ T5335] do_sys_openat2+0xbc/0x200 [ 75.438398][ T5335] __x64_sys_openat+0x138/0x170 [ 75.440360][ T5335] do_syscall_64+0xfa/0xf80 [ 75.442397][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.444809][ T5335] [ 75.445744][ T5335] Memory state around the buggy address: [ 75.448065][ T5335] ffff88801f68f980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 75.451377][ T5335] ffff88801f68fa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.454901][ T5335] >ffff88801f68fa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 75.458521][ T5335] ^ [ 75.461483][ T5335] ffff88801f68fb00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 [ 75.464864][ T5335] ffff88801f68fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 75.468404][ T5335] ================================================================== [ 75.501836][ T5335] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 75.504687][ T5335] CPU: 0 UID: 0 PID: 5335 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 75.508454][ T5335] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.513143][ T5335] Call Trace: [ 75.514749][ T5335] [ 75.516132][ T5335] dump_stack_lvl+0x99/0x250 [ 75.518272][ T5335] ? __asan_memcpy+0x40/0x70 [ 75.520229][ T5335] ? __pfx_dump_stack_lvl+0x10/0x10 [ 75.522603][ T5335] ? __pfx__printk+0x10/0x10 [ 75.524645][ T5335] vpanic+0x237/0x6d0 [ 75.526324][ T5335] ? __pfx_vpanic+0x10/0x10 [ 75.528191][ T5335] ? preempt_schedule_common+0x83/0xd0 [ 75.530648][ T5335] ? preempt_schedule+0xae/0xc0 [ 75.532863][ T5335] panic+0xb9/0xc0 [ 75.534553][ T5335] ? __pfx_panic+0x10/0x10 [ 75.536499][ T5335] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 75.539413][ T5335] ? sk_skb_reason_drop+0x37/0x170 [ 75.541739][ T5335] check_panic_on_warn+0x89/0xb0 [ 75.543947][ T5335] ? sk_skb_reason_drop+0x37/0x170 [ 75.546301][ T5335] end_report+0x6f/0x140 [ 75.548236][ T5335] kasan_report+0x129/0x150 [ 75.550234][ T5335] ? sk_skb_reason_drop+0x37/0x170 [ 75.552482][ T5335] kasan_check_range+0x2b0/0x2c0 [ 75.554618][ T5335] sk_skb_reason_drop+0x37/0x170 [ 75.556874][ T5335] nr_transmit_buffer+0x11d/0x1b0 [ 75.559243][ T5335] nr_establish_data_link+0x62/0xb0 [ 75.561605][ T5335] nr_connect+0x6e6/0xde0 [ 75.563550][ T5335] ? __pfx_nr_connect+0x10/0x10 [ 75.565547][ T5335] ? tomoyo_socket_connect_permission+0x164/0x290 [ 75.568413][ T5335] ? bpf_lsm_socket_connect+0x9/0x20 [ 75.570840][ T5335] __sys_connect+0x316/0x440 [ 75.572918][ T5335] ? __pfx___sys_connect+0x10/0x10 [ 75.575234][ T5335] ? rcu_is_watching+0x15/0xb0 [ 75.577333][ T5335] __x64_sys_connect+0x7a/0x90 [ 75.579397][ T5335] do_syscall_64+0xfa/0xf80 [ 75.581381][ T5335] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.584033][ T5335] ? clear_bhb_loop+0x60/0xb0 [ 75.586119][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.588680][ T5335] RIP: 0033:0x7f544f98f7c9 [ 75.590625][ T5335] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 75.599018][ T5335] RSP: 002b:00007f545074b038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 75.602610][ T5335] RAX: ffffffffffffffda RBX: 00007f544fbe6090 RCX: 00007f544f98f7c9 [ 75.606126][ T5335] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000007 [ 75.609497][ T5335] RBP: 00007f544fa13f91 R08: 0000000000000000 R09: 0000000000000000 [ 75.612915][ T5335] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 75.616388][ T5335] R13: 00007f544fbe6128 R14: 00007f544fbe6090 R15: 00007ffd343b0248 [ 75.619704][ T5335] [ 75.621079][ T5335] Kernel Offset: disabled [ 75.622805][ T5335] Rebooting in 86400 seconds..