program: r0 = syz_init_net_socket$x25(0x9, 0x5, 0x0) r1 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) (async) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) (async) r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) (async) ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000)) (async) ioctl$sock_netrom_SIOCADDRT(r1, 0x890b, &(0x7f00000001c0)={0x1, @default, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x0, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}) (async) connect$netrom(r1, &(0x7f0000000300)={{0x6, @default}, [@null, @default, @default, @default, @bcast, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}]}, 0x48) ioctl$sock_ifreq(r0, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'}) (async, rerun: 64) personality(0x400000) (rerun: 64) r4 = bpf$MAP_CREATE(0x0, &(0x7f0000000580)=@base={0x8, 0x4, 0x4, 0xa4}, 0x48) bpf$MAP_LOOKUP_ELEM(0x1, &(0x7f00000000c0)={r4, &(0x7f0000000000), 0x0}, 0x20) [ 75.966524][ T4679] Bluetooth: hci0: command tx timeout [ 76.014250][ T5334] ================================================================== [ 76.017706][ T5334] BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x37/0x170 [ 76.021301][ T5334] Write of size 4 at addr ffff888043b8a5e4 by task syz.0.0/5334 [ 76.024735][ T5334] [ 76.025950][ T5334] CPU: 0 UID: 0 PID: 5334 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 76.025964][ T5334] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.025971][ T5334] Call Trace: [ 76.025978][ T5334] [ 76.026007][ T5334] dump_stack_lvl+0x189/0x250 [ 76.026024][ T5334] ? __virt_addr_valid+0x1c8/0x5c0 [ 76.026039][ T5334] ? rcu_is_watching+0x15/0xb0 [ 76.026052][ T5334] ? __kasan_check_byte+0x12/0x40 [ 76.026106][ T5334] ? __pfx_dump_stack_lvl+0x10/0x10 [ 76.026119][ T5334] ? rcu_is_watching+0x15/0xb0 [ 76.026131][ T5334] ? lock_release+0x4b/0x3b0 [ 76.026143][ T5334] ? __virt_addr_valid+0x1c8/0x5c0 [ 76.026155][ T5334] ? __virt_addr_valid+0x4a5/0x5c0 [ 76.026169][ T5334] print_report+0xca/0x240 [ 76.026181][ T5334] ? sk_skb_reason_drop+0x37/0x170 [ 76.026191][ T5334] kasan_report+0x118/0x150 [ 76.026203][ T5334] ? sk_skb_reason_drop+0x37/0x170 [ 76.026215][ T5334] kasan_check_range+0x2b0/0x2c0 [ 76.026227][ T5334] sk_skb_reason_drop+0x37/0x170 [ 76.026237][ T5334] nr_transmit_buffer+0x11d/0x1b0 [ 76.026248][ T5334] nr_establish_data_link+0x62/0xb0 [ 76.026257][ T5334] nr_connect+0x6e6/0xde0 [ 76.026274][ T5334] ? __pfx_nr_connect+0x10/0x10 [ 76.026288][ T5334] ? tomoyo_socket_connect_permission+0x164/0x290 [ 76.026303][ T5334] ? bpf_lsm_socket_connect+0x9/0x20 [ 76.026320][ T5334] __sys_connect+0x316/0x440 [ 76.026337][ T5334] ? __pfx___sys_connect+0x10/0x10 [ 76.026354][ T5334] ? rcu_is_watching+0x15/0xb0 [ 76.026368][ T5334] __x64_sys_connect+0x7a/0x90 [ 76.026384][ T5334] do_syscall_64+0xfa/0xf80 [ 76.026430][ T5334] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.026441][ T5334] ? clear_bhb_loop+0x60/0xb0 [ 76.026453][ T5334] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.026464][ T5334] RIP: 0033:0x7fe2ed58f7c9 [ 76.026475][ T5334] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 76.026485][ T5334] RSP: 002b:00007fe2ee375038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 76.026504][ T5334] RAX: ffffffffffffffda RBX: 00007fe2ed7e6090 RCX: 00007fe2ed58f7c9 [ 76.026513][ T5334] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000005 [ 76.026520][ T5334] RBP: 00007fe2ed613f91 R08: 0000000000000000 R09: 0000000000000000 [ 76.026526][ T5334] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 76.026533][ T5334] R13: 00007fe2ed7e6128 R14: 00007fe2ed7e6090 R15: 00007ffded2f8208 [ 76.026544][ T5334] [ 76.026548][ T5334] [ 76.135294][ T5334] Allocated by task 5334: [ 76.137163][ T5334] kasan_save_track+0x3e/0x80 [ 76.139279][ T5334] __kasan_slab_alloc+0x6c/0x80 [ 76.141395][ T5334] kmem_cache_alloc_node_noprof+0x43c/0x720 [ 76.144061][ T5334] __alloc_skb+0x255/0x430 [ 76.146012][ T5334] nr_write_internal+0xe2/0xc60 [ 76.148115][ T5334] nr_establish_data_link+0x62/0xb0 [ 76.150278][ T5334] nr_connect+0x6e6/0xde0 [ 76.152168][ T5334] __sys_connect+0x316/0x440 [ 76.154133][ T5334] __x64_sys_connect+0x7a/0x90 [ 76.156207][ T5334] do_syscall_64+0xfa/0xf80 [ 76.158219][ T5334] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.160739][ T5334] [ 76.161798][ T5334] Freed by task 5334: [ 76.163550][ T5334] kasan_save_track+0x3e/0x80 [ 76.165606][ T5334] kasan_save_free_info+0x46/0x50 [ 76.167804][ T5334] __kasan_slab_free+0x5c/0x80 [ 76.169970][ T5334] kmem_cache_free+0x197/0x620 [ 76.172172][ T5334] nr_route_frame+0x467/0x7e0 [ 76.174267][ T5334] nr_transmit_buffer+0xe7/0x1b0 [ 76.176453][ T5334] nr_establish_data_link+0x62/0xb0 [ 76.178746][ T5334] nr_connect+0x6e6/0xde0 [ 76.180682][ T5334] __sys_connect+0x316/0x440 [ 76.182750][ T5334] __x64_sys_connect+0x7a/0x90 [ 76.184884][ T5334] do_syscall_64+0xfa/0xf80 [ 76.186918][ T5334] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.189558][ T5334] [ 76.190686][ T5334] The buggy address belongs to the object at ffff888043b8a500 [ 76.190686][ T5334] which belongs to the cache skbuff_head_cache of size 240 [ 76.196825][ T5334] The buggy address is located 228 bytes inside of [ 76.196825][ T5334] freed 240-byte region [ffff888043b8a500, ffff888043b8a5f0) [ 76.202739][ T5334] [ 76.203893][ T5334] The buggy address belongs to the physical page: [ 76.206813][ T5334] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43b8a [ 76.210672][ T5334] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 76.213749][ T5334] page_type: f5(slab) [ 76.215514][ T5334] raw: 04fff00000000000 ffff88803040fc80 dead000000000122 0000000000000000 [ 76.219087][ T5334] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 76.222783][ T5334] page dumped because: kasan: bad access detected [ 76.226186][ T5334] page_owner tracks the page as allocated [ 76.228764][ T5334] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4055, tgid 4055 (kworker/u4:23), ts 76005970504, free_ts 74255680323 [ 76.236655][ T5334] post_alloc_hook+0x234/0x290 [ 76.238967][ T5334] get_page_from_freelist+0x2365/0x2440 [ 76.241331][ T5334] __alloc_frozen_pages_noprof+0x181/0x370 [ 76.243833][ T5334] alloc_pages_mpol+0x232/0x4a0 [ 76.246072][ T5334] allocate_slab+0x86/0x3b0 [ 76.248064][ T5334] ___slab_alloc+0xf2b/0x1960 [ 76.250108][ T5334] __slab_alloc+0x65/0x100 [ 76.251985][ T5334] kmem_cache_alloc_noprof+0x40f/0x710 [ 76.254256][ T5334] skb_clone+0x212/0x3a0 [ 76.256142][ T5334] maybe_deliver+0x98/0x160 [ 76.258239][ T5334] br_flood+0x31a/0x6a0 [ 76.260111][ T5334] br_dev_xmit+0x11b3/0x1840 [ 76.262261][ T5334] dev_hard_start_xmit+0x2cd/0x800 [ 76.264695][ T5334] __dev_queue_xmit+0x1493/0x3140 [ 76.266911][ T5334] ip6_finish_output2+0xf70/0x1480 [ 76.269138][ T5334] ip6_finish_output+0x234/0x7d0 [ 76.271350][ T5334] page last free pid 15 tgid 15 stack trace: [ 76.273927][ T5334] __free_frozen_pages+0xbc8/0xd30 [ 76.276133][ T5334] rcu_core+0xd70/0x1870 [ 76.277877][ T5334] handle_softirqs+0x27d/0x850 [ 76.279981][ T5334] run_ksoftirqd+0x9b/0x100 [ 76.281838][ T5334] smpboot_thread_fn+0x542/0xa60 [ 76.283983][ T5334] kthread+0x711/0x8a0 [ 76.285725][ T5334] ret_from_fork+0x599/0xb30 [ 76.287853][ T5334] ret_from_fork_asm+0x1a/0x30 [ 76.290013][ T5334] [ 76.291121][ T5334] Memory state around the buggy address: [ 76.293622][ T5334] ffff888043b8a480: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 76.297039][ T5334] ffff888043b8a500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.300575][ T5334] >ffff888043b8a580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 76.304074][ T5334] ^ [ 76.307361][ T5334] ffff888043b8a600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 [ 76.311043][ T5334] ffff888043b8a680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 76.314612][ T5334] ================================================================== [ 76.337135][ T5334] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 76.340278][ T5334] CPU: 0 UID: 0 PID: 5334 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 76.344156][ T5334] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.348840][ T5334] Call Trace: [ 76.350272][ T5334] [ 76.351618][ T5334] dump_stack_lvl+0x99/0x250 [ 76.353602][ T5334] ? __asan_memcpy+0x40/0x70 [ 76.355745][ T5334] ? __pfx_dump_stack_lvl+0x10/0x10 [ 76.357708][ T5334] ? __pfx__printk+0x10/0x10 [ 76.359797][ T5334] vpanic+0x237/0x6d0 [ 76.361544][ T5334] ? __pfx_vpanic+0x10/0x10 [ 76.363549][ T5334] ? preempt_schedule_common+0x83/0xd0 [ 76.366021][ T5334] ? preempt_schedule+0xae/0xc0 [ 76.368087][ T5334] panic+0xb9/0xc0 [ 76.369725][ T5334] ? __pfx_panic+0x10/0x10 [ 76.371662][ T5334] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 76.374360][ T5334] ? sk_skb_reason_drop+0x37/0x170 [ 76.377176][ T5334] check_panic_on_warn+0x89/0xb0 [ 76.379807][ T5334] ? sk_skb_reason_drop+0x37/0x170 [ 76.382376][ T5334] end_report+0x6f/0x140 [ 76.384286][ T5334] kasan_report+0x129/0x150 [ 76.386468][ T5334] ? sk_skb_reason_drop+0x37/0x170 [ 76.388794][ T5334] kasan_check_range+0x2b0/0x2c0 [ 76.390926][ T5334] sk_skb_reason_drop+0x37/0x170 [ 76.392972][ T5334] nr_transmit_buffer+0x11d/0x1b0 [ 76.395190][ T5334] nr_establish_data_link+0x62/0xb0 [ 76.397411][ T5334] nr_connect+0x6e6/0xde0 [ 76.399302][ T5334] ? __pfx_nr_connect+0x10/0x10 [ 76.401599][ T5334] ? tomoyo_socket_connect_permission+0x164/0x290 [ 76.404635][ T5334] ? bpf_lsm_socket_connect+0x9/0x20 [ 76.406930][ T5334] __sys_connect+0x316/0x440 [ 76.408632][ T5334] ? __pfx___sys_connect+0x10/0x10 [ 76.410746][ T5334] ? rcu_is_watching+0x15/0xb0 [ 76.412826][ T5334] __x64_sys_connect+0x7a/0x90 [ 76.414946][ T5334] do_syscall_64+0xfa/0xf80 [ 76.416947][ T5334] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.419686][ T5334] ? clear_bhb_loop+0x60/0xb0 [ 76.421646][ T5334] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.424226][ T5334] RIP: 0033:0x7fe2ed58f7c9 [ 76.426280][ T5334] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 76.433976][ T5334] RSP: 002b:00007fe2ee375038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 76.437373][ T5334] RAX: ffffffffffffffda RBX: 00007fe2ed7e6090 RCX: 00007fe2ed58f7c9 [ 76.440810][ T5334] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000005 [ 76.444140][ T5334] RBP: 00007fe2ed613f91 R08: 0000000000000000 R09: 0000000000000000 [ 76.447594][ T5334] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 76.450966][ T5334] R13: 00007fe2ed7e6128 R14: 00007fe2ed7e6090 R15: 00007ffded2f8208 [ 76.454475][ T5334] [ 76.456274][ T5334] Kernel Offset: disabled [ 76.458375][ T5334] Rebooting in 86400 seconds..