program: r0 = syz_init_net_socket$x25(0x9, 0x5, 0x0) r1 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) pipe2(&(0x7f00000000c0)={0xffffffffffffffff}, 0x84080) openat$cgroup_ro(r3, &(0x7f0000000100)='cpuacct.usage_user\x00', 0x0, 0x0) r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) socketpair$tipc(0x1e, 0x2, 0x0, &(0x7f0000000040)) ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000)) ioctl$sock_netrom_SIOCADDRT(r1, 0x890b, &(0x7f00000001c0)={0x1, @default, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x0, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}) connect$netrom(r1, &(0x7f0000000300)={{0x6, @default}, [@null, @default, @default, @default, @bcast, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}]}, 0x48) ioctl$sock_ifreq(r0, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'}) [ 86.963252][ T4674] Bluetooth: hci0: command tx timeout [ 87.119915][ T5327] ================================================================== [ 87.123773][ T5327] BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x37/0x170 [ 87.128537][ T5327] Write of size 4 at addr ffff888041d18ae4 by task syz.0.0/5327 [ 87.132304][ T5327] [ 87.133410][ T5327] CPU: 0 UID: 0 PID: 5327 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 87.133427][ T5327] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 87.133435][ T5327] Call Trace: [ 87.133443][ T5327] [ 87.133449][ T5327] dump_stack_lvl+0x189/0x250 [ 87.133470][ T5327] ? __virt_addr_valid+0x1c8/0x5c0 [ 87.133487][ T5327] ? rcu_is_watching+0x15/0xb0 [ 87.133499][ T5327] ? __kasan_check_byte+0x12/0x40 [ 87.133515][ T5327] ? __pfx_dump_stack_lvl+0x10/0x10 [ 87.133528][ T5327] ? rcu_is_watching+0x15/0xb0 [ 87.133540][ T5327] ? lock_release+0x4b/0x3e0 [ 87.133551][ T5327] ? __virt_addr_valid+0x1c8/0x5c0 [ 87.133565][ T5327] ? __virt_addr_valid+0x4a5/0x5c0 [ 87.133580][ T5327] print_report+0xca/0x240 [ 87.133594][ T5327] ? sk_skb_reason_drop+0x37/0x170 [ 87.133610][ T5327] kasan_report+0x118/0x150 [ 87.133626][ T5327] ? sk_skb_reason_drop+0x37/0x170 [ 87.133645][ T5327] kasan_check_range+0x2b0/0x2c0 [ 87.133661][ T5327] sk_skb_reason_drop+0x37/0x170 [ 87.133677][ T5327] nr_transmit_buffer+0x11d/0x1b0 [ 87.133691][ T5327] nr_establish_data_link+0x62/0xb0 [ 87.133704][ T5327] nr_connect+0x6e6/0xde0 [ 87.133718][ T5327] ? __pfx_nr_connect+0x10/0x10 [ 87.133728][ T5327] ? tomoyo_socket_connect_permission+0x164/0x290 [ 87.133805][ T5327] ? bpf_lsm_socket_connect+0x9/0x20 [ 87.133823][ T5327] __sys_connect+0x316/0x440 [ 87.133841][ T5327] ? __pfx___sys_connect+0x10/0x10 [ 87.133859][ T5327] ? rcu_is_watching+0x15/0xb0 [ 87.133875][ T5327] __x64_sys_connect+0x7a/0x90 [ 87.133890][ T5327] do_syscall_64+0xfa/0xfa0 [ 87.133906][ T5327] ? lockdep_hardirqs_on+0x9c/0x150 [ 87.133921][ T5327] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.133933][ T5327] ? clear_bhb_loop+0x60/0xb0 [ 87.133947][ T5327] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.133958][ T5327] RIP: 0033:0x7f6aa938f6c9 [ 87.133971][ T5327] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 87.133980][ T5327] RSP: 002b:00007f6aaa273038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 87.133994][ T5327] RAX: ffffffffffffffda RBX: 00007f6aa95e6090 RCX: 00007f6aa938f6c9 [ 87.134002][ T5327] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000005 [ 87.134009][ T5327] RBP: 00007f6aa9411f91 R08: 0000000000000000 R09: 0000000000000000 [ 87.134016][ T5327] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 87.134023][ T5327] R13: 00007f6aa95e6128 R14: 00007f6aa95e6090 R15: 00007ffef9e6b658 [ 87.134036][ T5327] [ 87.134040][ T5327] [ 87.268409][ T5327] Allocated by task 5327: [ 87.270251][ T5327] kasan_save_track+0x3e/0x80 [ 87.272581][ T5327] __kasan_slab_alloc+0x6c/0x80 [ 87.274935][ T5327] kmem_cache_alloc_node_noprof+0x433/0x710 [ 87.277784][ T5327] __alloc_skb+0x112/0x2d0 [ 87.280458][ T5327] nr_write_internal+0xe2/0xc60 [ 87.283712][ T5327] nr_establish_data_link+0x62/0xb0 [ 87.286016][ T5327] nr_connect+0x6e6/0xde0 [ 87.288011][ T5327] __sys_connect+0x316/0x440 [ 87.290307][ T5327] __x64_sys_connect+0x7a/0x90 [ 87.293513][ T5327] do_syscall_64+0xfa/0xfa0 [ 87.295366][ T5327] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.297819][ T5327] [ 87.299562][ T5327] Freed by task 5327: [ 87.301522][ T5327] kasan_save_track+0x3e/0x80 [ 87.304971][ T5327] __kasan_save_free_info+0x46/0x50 [ 87.307336][ T5327] __kasan_slab_free+0x5c/0x80 [ 87.309689][ T5327] kmem_cache_free+0x19b/0x690 [ 87.312107][ T5327] nr_route_frame+0x467/0x7e0 [ 87.314333][ T5327] nr_transmit_buffer+0xe7/0x1b0 [ 87.317582][ T5327] nr_establish_data_link+0x62/0xb0 [ 87.320016][ T5327] nr_connect+0x6e6/0xde0 [ 87.322401][ T5327] __sys_connect+0x316/0x440 [ 87.324626][ T5327] __x64_sys_connect+0x7a/0x90 [ 87.326712][ T5327] do_syscall_64+0xfa/0xfa0 [ 87.328692][ T5327] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.331702][ T5327] [ 87.332980][ T5327] The buggy address belongs to the object at ffff888041d18a00 [ 87.332980][ T5327] which belongs to the cache skbuff_head_cache of size 240 [ 87.339096][ T5327] The buggy address is located 228 bytes inside of [ 87.339096][ T5327] freed 240-byte region [ffff888041d18a00, ffff888041d18af0) [ 87.344839][ T5327] [ 87.346208][ T5327] The buggy address belongs to the physical page: [ 87.349870][ T5327] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x41d18 [ 87.353935][ T5327] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 87.358304][ T5327] page_type: f5(slab) [ 87.361180][ T5327] raw: 04fff00000000000 ffff88801bae9c80 dead000000000122 0000000000000000 [ 87.368418][ T5327] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 87.373533][ T5327] page dumped because: kasan: bad access detected [ 87.377990][ T5327] page_owner tracks the page as allocated [ 87.381240][ T5327] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5172, tgid 5172 (dhcpcd), ts 87096581833, free_ts 83901701989 [ 87.392694][ T5327] post_alloc_hook+0x240/0x2a0 [ 87.394700][ T5327] get_page_from_freelist+0x2365/0x2440 [ 87.396931][ T5327] __alloc_frozen_pages_noprof+0x181/0x370 [ 87.399382][ T5327] alloc_pages_mpol+0x232/0x4a0 [ 87.401636][ T5327] allocate_slab+0x96/0x350 [ 87.403636][ T5327] ___slab_alloc+0xf56/0x1990 [ 87.405766][ T5327] __slab_alloc+0x65/0x100 [ 87.408080][ T5327] kmem_cache_alloc_noprof+0x3f9/0x6e0 [ 87.410432][ T5327] skb_clone+0x212/0x3a0 [ 87.412319][ T5327] dev_queue_xmit_nit+0x416/0xcc0 [ 87.416666][ T5327] dev_hard_start_xmit+0x1be/0x830 [ 87.418779][ T5327] sch_direct_xmit+0x241/0x4b0 [ 87.420790][ T5327] __dev_queue_xmit+0x1857/0x3b50 [ 87.422900][ T5327] packet_sendmsg+0x3e33/0x5080 [ 87.424945][ T5327] __sock_sendmsg+0x21c/0x270 [ 87.426891][ T5327] sock_write_iter+0x279/0x360 [ 87.428977][ T5327] page last free pid 5305 tgid 5305 stack trace: [ 87.431795][ T5327] __free_frozen_pages+0xbc4/0xd30 [ 87.436240][ T5327] __slab_free+0x2e7/0x390 [ 87.438702][ T5327] qlist_free_all+0x97/0x140 [ 87.441467][ T5327] kasan_quarantine_reduce+0x148/0x160 [ 87.444981][ T5327] __kasan_slab_alloc+0x22/0x80 [ 87.447900][ T5327] kmem_cache_alloc_node_noprof+0x433/0x710 [ 87.452132][ T5327] __alloc_skb+0x112/0x2d0 [ 87.454500][ T5327] netlink_sendmsg+0x5c6/0xb30 [ 87.457146][ T5327] __sock_sendmsg+0x21c/0x270 [ 87.460241][ T5327] __sys_sendto+0x3bd/0x520 [ 87.462279][ T5327] __x64_sys_sendto+0xde/0x100 [ 87.466078][ T5327] do_syscall_64+0xfa/0xfa0 [ 87.468899][ T5327] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.472868][ T5327] [ 87.476693][ T5327] Memory state around the buggy address: [ 87.479857][ T5327] ffff888041d18980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 87.483960][ T5327] ffff888041d18a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 87.488624][ T5327] >ffff888041d18a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 87.492178][ T5327] ^ [ 87.495779][ T5327] ffff888041d18b00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 [ 87.500570][ T5327] ffff888041d18b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 87.505865][ T5327] ================================================================== [ 87.583904][ T5327] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 87.587486][ T5327] CPU: 0 UID: 0 PID: 5327 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 87.592018][ T5327] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 87.596375][ T5327] Call Trace: [ 87.597758][ T5327] [ 87.598980][ T5327] dump_stack_lvl+0x99/0x250 [ 87.601005][ T5327] ? __asan_memcpy+0x40/0x70 [ 87.602945][ T5327] ? __pfx_dump_stack_lvl+0x10/0x10 [ 87.605547][ T5327] ? __pfx__printk+0x10/0x10 [ 87.607586][ T5327] vpanic+0x237/0x6d0 [ 87.609391][ T5327] ? __pfx_vpanic+0x10/0x10 [ 87.612104][ T5327] ? preempt_schedule_common+0x83/0xd0 [ 87.615019][ T5327] ? preempt_schedule+0xae/0xc0 [ 87.617140][ T5327] panic+0xb9/0xc0 [ 87.618772][ T5327] ? __pfx_panic+0x10/0x10 [ 87.620879][ T5327] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 87.623584][ T5327] ? sk_skb_reason_drop+0x37/0x170 [ 87.625850][ T5327] check_panic_on_warn+0x89/0xb0 [ 87.628055][ T5327] ? sk_skb_reason_drop+0x37/0x170 [ 87.630443][ T5327] end_report+0x78/0x160 [ 87.632372][ T5327] kasan_report+0x129/0x150 [ 87.634399][ T5327] ? sk_skb_reason_drop+0x37/0x170 [ 87.636875][ T5327] kasan_check_range+0x2b0/0x2c0 [ 87.639149][ T5327] sk_skb_reason_drop+0x37/0x170 [ 87.641557][ T5327] nr_transmit_buffer+0x11d/0x1b0 [ 87.643925][ T5327] nr_establish_data_link+0x62/0xb0 [ 87.647276][ T5327] nr_connect+0x6e6/0xde0 [ 87.649250][ T5327] ? __pfx_nr_connect+0x10/0x10 [ 87.651553][ T5327] ? tomoyo_socket_connect_permission+0x164/0x290 [ 87.654516][ T5327] ? bpf_lsm_socket_connect+0x9/0x20 [ 87.656906][ T5327] __sys_connect+0x316/0x440 [ 87.658992][ T5327] ? __pfx___sys_connect+0x10/0x10 [ 87.661513][ T5327] ? rcu_is_watching+0x15/0xb0 [ 87.663731][ T5327] __x64_sys_connect+0x7a/0x90 [ 87.665987][ T5327] do_syscall_64+0xfa/0xfa0 [ 87.668119][ T5327] ? lockdep_hardirqs_on+0x9c/0x150 [ 87.670598][ T5327] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.673376][ T5327] ? clear_bhb_loop+0x60/0xb0 [ 87.675543][ T5327] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.678123][ T5327] RIP: 0033:0x7f6aa938f6c9 [ 87.680037][ T5327] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 87.688717][ T5327] RSP: 002b:00007f6aaa273038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 87.693420][ T5327] RAX: ffffffffffffffda RBX: 00007f6aa95e6090 RCX: 00007f6aa938f6c9 [ 87.698309][ T5327] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000005 [ 87.702880][ T5327] RBP: 00007f6aa9411f91 R08: 0000000000000000 R09: 0000000000000000 [ 87.708323][ T5327] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 87.712631][ T5327] R13: 00007f6aa95e6128 R14: 00007f6aa95e6090 R15: 00007ffef9e6b658 [ 87.716042][ T5327] [ 87.717718][ T5327] Kernel Offset: disabled [ 87.719518][ T5327] Rebooting in 86400 seconds..