program: r0 = socket$pppl2tp(0x18, 0x1, 0x1) (async) r1 = socket$inet6_udp(0xa, 0x2, 0x0) (async) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000240)=@newlink={0x20, 0x10, 0xffffff1f, 0x0, 0x80, {0x0, 0x0, 0x0, 0x0, 0x4042, 0x3f00}}, 0x20}}, 0x0) (async) r2 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x44, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r3 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=ANY=[@ANYBLOB="01000000120000007f00000001"], 0x48) bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000680)={{r3, 0xffffffffffffffff}, &(0x7f0000000300), &(0x7f0000000340)=r2}, 0x20) (async) bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f00000002c0)={{r3}, &(0x7f0000000240), &(0x7f0000000280)='%pS \x00'}, 0x20) bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000002380)={{r4}, &(0x7f0000001f40), &(0x7f0000002340)}, 0x20) (async) connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x4e21, @initdev={0xac, 0x1e, 0x0, 0x0}}, 0x2}}, 0x2e) (async) r5 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r5, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000200)=@newtaction={0x64, 0x30, 0xffff, 0x0, 0x0, {}, [{0x50, 0x1, [@m_ife={0x4c, 0x1, 0x0, 0x0, {{0x8}, {0x24, 0x2, 0x0, 0x1, [@TCA_IFE_PARMS={0x1c}, @TCA_IFE_METALST={0x4}]}, {0x4}, {0xc}, {0xc}}}]}]}, 0x64}}, 0x0) r6 = syz_genetlink_get_family_id$l2tp(&(0x7f0000000040), 0xffffffffffffffff) (async) r7 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$L2TP_CMD_SESSION_DELETE(r7, &(0x7f0000000080)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f00000005c0)={0x3c, r6, 0x1, 0x70bd2b, 0x25dfdbfe, {0x5}, [@L2TP_ATTR_CONN_ID={0x8, 0x9, 0x2}, @L2TP_ATTR_PEER_SESSION_ID={0x8, 0xc, 0xaaa}, @L2TP_ATTR_PW_TYPE={0x6, 0x1, 0x5}, @L2TP_ATTR_SESSION_ID={0x8, 0xb, 0x4}, @L2TP_ATTR_L2SPEC_TYPE={0x5, 0x5, 0x7806b0c37d852ac}]}, 0x3c}, 0x1, 0x0, 0x0, 0x20006911}, 0x0) r8 = syz_init_net_socket$x25(0x9, 0x5, 0x0) (async) r9 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r10, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) (async) r11 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) (async) ioctl$sock_netdev_private(r11, 0x8914, &(0x7f0000000000)) (async) ioctl$sock_netrom_SIOCADDRT(r9, 0x890b, &(0x7f00000001c0)={0x1, @default, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x0, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}) (async) connect$netrom(r9, &(0x7f0000000300)={{0x6, @default}, [@null, @default, @default, @default, @bcast, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}]}, 0x48) (async) ioctl$sock_ifreq(r8, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'}) [ 85.805449][ T46] Bluetooth: hci0: command tx timeout [ 85.900896][ T5353] ================================================================== [ 85.904453][ T5353] BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x37/0x170 [ 85.907997][ T5353] Write of size 4 at addr ffff8880516dc5e4 by task syz.0.0/5353 [ 85.911342][ T5353] [ 85.912453][ T5353] CPU: 0 UID: 0 PID: 5353 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 85.912467][ T5353] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.912474][ T5353] Call Trace: [ 85.912481][ T5353] [ 85.912486][ T5353] dump_stack_lvl+0x189/0x250 [ 85.912501][ T5353] ? __virt_addr_valid+0x1c8/0x5c0 [ 85.912514][ T5353] ? rcu_is_watching+0x15/0xb0 [ 85.912524][ T5353] ? __kasan_check_byte+0x12/0x40 [ 85.912582][ T5353] ? __pfx_dump_stack_lvl+0x10/0x10 [ 85.912590][ T5353] ? rcu_is_watching+0x15/0xb0 [ 85.912600][ T5353] ? lock_release+0x4b/0x3b0 [ 85.912609][ T5353] ? __virt_addr_valid+0x1c8/0x5c0 [ 85.912619][ T5353] ? __virt_addr_valid+0x4a5/0x5c0 [ 85.912631][ T5353] print_report+0xca/0x240 [ 85.912642][ T5353] ? sk_skb_reason_drop+0x37/0x170 [ 85.912652][ T5353] kasan_report+0x118/0x150 [ 85.912666][ T5353] ? sk_skb_reason_drop+0x37/0x170 [ 85.912683][ T5353] kasan_check_range+0x2b0/0x2c0 [ 85.912696][ T5353] sk_skb_reason_drop+0x37/0x170 [ 85.912707][ T5353] nr_transmit_buffer+0x11d/0x1b0 [ 85.912720][ T5353] nr_establish_data_link+0x62/0xb0 [ 85.912730][ T5353] nr_connect+0x6e6/0xde0 [ 85.912747][ T5353] ? __pfx_nr_connect+0x10/0x10 [ 85.912761][ T5353] ? tomoyo_socket_connect_permission+0x164/0x290 [ 85.912776][ T5353] ? bpf_lsm_socket_connect+0x9/0x20 [ 85.912791][ T5353] __sys_connect+0x316/0x440 [ 85.912807][ T5353] ? __pfx___sys_connect+0x10/0x10 [ 85.912850][ T5353] ? rcu_is_watching+0x15/0xb0 [ 85.912865][ T5353] __x64_sys_connect+0x7a/0x90 [ 85.912879][ T5353] do_syscall_64+0xfa/0xf80 [ 85.912890][ T5353] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.912900][ T5353] ? clear_bhb_loop+0x60/0xb0 [ 85.912912][ T5353] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.912923][ T5353] RIP: 0033:0x7f507418f7c9 [ 85.912934][ T5353] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 85.912943][ T5353] RSP: 002b:00007f5074f9c038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 85.912956][ T5353] RAX: ffffffffffffffda RBX: 00007f50743e6090 RCX: 00007f507418f7c9 [ 85.912964][ T5353] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 000000000000000b [ 85.912971][ T5353] RBP: 00007f5074213f91 R08: 0000000000000000 R09: 0000000000000000 [ 85.912978][ T5353] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 85.912984][ T5353] R13: 00007f50743e6128 R14: 00007f50743e6090 R15: 00007ffe27f644e8 [ 85.913002][ T5353] [ 85.913006][ T5353] [ 86.022270][ T5353] Allocated by task 5353: [ 86.024073][ T5353] kasan_save_track+0x3e/0x80 [ 86.026087][ T5353] __kasan_slab_alloc+0x6c/0x80 [ 86.028245][ T5353] kmem_cache_alloc_node_noprof+0x433/0x710 [ 86.030877][ T5353] __alloc_skb+0x255/0x430 [ 86.032694][ T5353] nr_write_internal+0xe2/0xc60 [ 86.034846][ T5353] nr_establish_data_link+0x62/0xb0 [ 86.037102][ T5353] nr_connect+0x6e6/0xde0 [ 86.039007][ T5353] __sys_connect+0x316/0x440 [ 86.041050][ T5353] __x64_sys_connect+0x7a/0x90 [ 86.043130][ T5353] do_syscall_64+0xfa/0xf80 [ 86.045173][ T5353] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.047718][ T5353] [ 86.048766][ T5353] Freed by task 5353: [ 86.050554][ T5353] kasan_save_track+0x3e/0x80 [ 86.052580][ T5353] __kasan_save_free_info+0x46/0x50 [ 86.054807][ T5353] __kasan_slab_free+0x5c/0x80 [ 86.056847][ T5353] kmem_cache_free+0x197/0x620 [ 86.058766][ T5353] nr_route_frame+0x467/0x7e0 [ 86.060415][ T5353] nr_transmit_buffer+0xe7/0x1b0 [ 86.062709][ T5353] nr_establish_data_link+0x62/0xb0 [ 86.065529][ T5353] nr_connect+0x6e6/0xde0 [ 86.067535][ T5353] __sys_connect+0x316/0x440 [ 86.069425][ T5353] __x64_sys_connect+0x7a/0x90 [ 86.071348][ T5353] do_syscall_64+0xfa/0xf80 [ 86.073144][ T5353] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.075663][ T5353] [ 86.076792][ T5353] The buggy address belongs to the object at ffff8880516dc500 [ 86.076792][ T5353] which belongs to the cache skbuff_head_cache of size 240 [ 86.082912][ T5353] The buggy address is located 228 bytes inside of [ 86.082912][ T5353] freed 240-byte region [ffff8880516dc500, ffff8880516dc5f0) [ 86.088860][ T5353] [ 86.089993][ T5353] The buggy address belongs to the physical page: [ 86.092915][ T5353] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x516dc [ 86.096853][ T5353] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 86.099993][ T5353] page_type: f5(slab) [ 86.101646][ T5353] raw: 04fff00000000000 ffff88801baeec80 dead000000000122 0000000000000000 [ 86.105226][ T5353] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 86.108967][ T5353] page dumped because: kasan: bad access detected [ 86.111979][ T5353] page_owner tracks the page as allocated [ 86.114595][ T5353] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 3022, tgid 3022 (kworker/u4:15), ts 85894524248, free_ts 0 [ 86.123072][ T5353] post_alloc_hook+0x234/0x290 [ 86.125201][ T5353] get_page_from_freelist+0x2365/0x2440 [ 86.127504][ T5353] __alloc_frozen_pages_noprof+0x181/0x370 [ 86.130161][ T5353] alloc_pages_mpol+0x232/0x4a0 [ 86.132310][ T5353] allocate_slab+0x86/0x3b0 [ 86.134101][ T5353] ___slab_alloc+0xf2b/0x1960 [ 86.136000][ T5353] __slab_alloc+0x65/0x100 [ 86.138109][ T5353] kmem_cache_alloc_node_noprof+0x4c5/0x710 [ 86.140734][ T5353] __alloc_skb+0x255/0x430 [ 86.142839][ T5353] ndisc_alloc_skb+0x9f/0x480 [ 86.144966][ T5353] ndisc_send_rs+0x2b5/0x630 [ 86.146962][ T5353] addrconf_dad_completed+0x7ae/0xd60 [ 86.149236][ T5353] addrconf_dad_work+0xc36/0x14b0 [ 86.151702][ T5353] process_scheduled_works+0xad1/0x1770 [ 86.154170][ T5353] worker_thread+0x8a0/0xda0 [ 86.156196][ T5353] kthread+0x711/0x8a0 [ 86.158039][ T5353] page_owner free stack trace missing [ 86.160290][ T5353] [ 86.161360][ T5353] Memory state around the buggy address: [ 86.163717][ T5353] ffff8880516dc480: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 86.167261][ T5353] ffff8880516dc500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 86.170858][ T5353] >ffff8880516dc580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 86.174411][ T5353] ^ [ 86.177557][ T5353] ffff8880516dc600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 [ 86.181046][ T5353] ffff8880516dc680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 86.184481][ T5353] ================================================================== [ 86.221932][ T5355] 8021q: adding VLAN 0 to HW filter on device bond0 [ 86.240170][ T5355] bond0: (slave rose0): Enslaving as an active interface with an up link [ 86.254588][ T5353] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 86.257890][ T5353] CPU: 0 UID: 0 PID: 5353 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 86.261838][ T5353] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 86.266570][ T5353] Call Trace: [ 86.268011][ T5353] [ 86.269311][ T5353] dump_stack_lvl+0x99/0x250 [ 86.271301][ T5353] ? __asan_memcpy+0x40/0x70 [ 86.273299][ T5353] ? __pfx_dump_stack_lvl+0x10/0x10 [ 86.275500][ T5353] ? __pfx__printk+0x10/0x10 [ 86.277571][ T5353] vpanic+0x237/0x6d0 [ 86.279372][ T5353] ? __pfx_vpanic+0x10/0x10 [ 86.281406][ T5353] ? preempt_schedule_common+0x83/0xd0 [ 86.283764][ T5353] ? preempt_schedule+0xae/0xc0 [ 86.286011][ T5353] panic+0xb9/0xc0 [ 86.287663][ T5353] ? __pfx_panic+0x10/0x10 [ 86.289591][ T5353] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 86.292257][ T5353] ? sk_skb_reason_drop+0x37/0x170 [ 86.294453][ T5353] check_panic_on_warn+0x89/0xb0 [ 86.296667][ T5353] ? sk_skb_reason_drop+0x37/0x170 [ 86.298843][ T5353] end_report+0x6f/0x140 [ 86.300650][ T5353] kasan_report+0x129/0x150 [ 86.302605][ T5353] ? sk_skb_reason_drop+0x37/0x170 [ 86.304880][ T5353] kasan_check_range+0x2b0/0x2c0 [ 86.307003][ T5353] sk_skb_reason_drop+0x37/0x170 [ 86.309136][ T5353] nr_transmit_buffer+0x11d/0x1b0 [ 86.311346][ T5353] nr_establish_data_link+0x62/0xb0 [ 86.313582][ T5353] nr_connect+0x6e6/0xde0 [ 86.315438][ T5353] ? __pfx_nr_connect+0x10/0x10 [ 86.317553][ T5353] ? tomoyo_socket_connect_permission+0x164/0x290 [ 86.320212][ T5353] ? bpf_lsm_socket_connect+0x9/0x20 [ 86.322524][ T5353] __sys_connect+0x316/0x440 [ 86.324592][ T5353] ? __pfx___sys_connect+0x10/0x10 [ 86.326843][ T5353] ? rcu_is_watching+0x15/0xb0 [ 86.328795][ T5353] __x64_sys_connect+0x7a/0x90 [ 86.331010][ T5353] do_syscall_64+0xfa/0xf80 [ 86.332943][ T5353] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.335418][ T5353] ? clear_bhb_loop+0x60/0xb0 [ 86.337529][ T5353] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.340140][ T5353] RIP: 0033:0x7f507418f7c9 [ 86.342118][ T5353] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 86.350478][ T5353] RSP: 002b:00007f5074f9c038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 86.354174][ T5353] RAX: ffffffffffffffda RBX: 00007f50743e6090 RCX: 00007f507418f7c9 [ 86.357653][ T5353] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 000000000000000b [ 86.361045][ T5353] RBP: 00007f5074213f91 R08: 0000000000000000 R09: 0000000000000000 [ 86.364525][ T5353] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 86.368087][ T5353] R13: 00007f50743e6128 R14: 00007f50743e6090 R15: 00007ffe27f644e8 [ 86.371477][ T5353] [ 86.373066][ T5353] Kernel Offset: disabled [ 86.374930][ T5353] Rebooting in 86400 seconds..