program:
r0 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) (async)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) (async)
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) (async)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000)) (async)
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f00000001c0)={0x1, @default, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x0, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}) (async)
connect$netrom(r0, &(0x7f0000000300)={{0x6, @default}, [@null, @default, @default, @default, @bcast, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}]}, 0x48) (async, rerun: 32)
mprotect(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x1) (rerun: 32)
r3 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
connect$netrom(r3, &(0x7f0000000300)={{0x6, @rose}, [@remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @default, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}, 0x48) (async)
r4 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'veth1_macvtap\x00', <r5=>0x0}) (async, rerun: 32)
r6 = socket$netlink(0x10, 0x3, 0x0) (rerun: 32)
sendmsg$nl_route(r6, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000001140)={&(0x7f0000000900)=ANY=[@ANYBLOB="54000000100003052bbd7000249d020000000000", @ANYRES32=0x0, @ANYBLOB="1544010001800000240012800b0001006d61637365630000140002800500060001000000050007000100000008000500", @ANYRES32=r5], 0x54}}, 0x0) (async)
r7 = socket$pppl2tp(0x18, 0x1, 0x1) (async, rerun: 64)
r8 = socket$netlink(0x10, 0x3, 0x0) (rerun: 64)
setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(r8, 0x10e, 0xc, &(0x7f0000000640)=0x4, 0x4) (async)
sendmsg$netlink(r8, &(0x7f0000001080)={0x0, 0x0, &(0x7f00000002c0)=[{&(0x7f0000000040)=ANY=[@ANYBLOB="20000000120001002abd7000000000000d000000bdc1cdbc5acf463cc3000000"], 0x20}], 0x1}, 0x0) (async)
ioctl$SIOCSIFMTU(r7, 0x8922, &(0x7f0000000180)={'veth1_macvtap\x00', 0x44})

[   86.361623][ T5314] Bluetooth: hci0: command tx timeout
[   86.493934][ T5336] ==================================================================
[   86.497718][ T5336] BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x37/0x170
[   86.501214][ T5336] Write of size 4 at addr ffff888011cb35e4 by task syz.0.0/5336
[   86.504578][ T5336] 
[   86.505647][ T5336] CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   86.505662][ T5336] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   86.505669][ T5336] Call Trace:
[   86.505677][ T5336]  <TASK>
[   86.505683][ T5336]  dump_stack_lvl+0x189/0x250
[   86.505700][ T5336]  ? __virt_addr_valid+0x1c8/0x5c0
[   86.505715][ T5336]  ? rcu_is_watching+0x15/0xb0
[   86.505728][ T5336]  ? __kasan_check_byte+0x12/0x40
[   86.505780][ T5336]  ? __pfx_dump_stack_lvl+0x10/0x10
[   86.505791][ T5336]  ? rcu_is_watching+0x15/0xb0
[   86.505803][ T5336]  ? lock_release+0x4b/0x3b0
[   86.505815][ T5336]  ? __virt_addr_valid+0x1c8/0x5c0
[   86.505828][ T5336]  ? __virt_addr_valid+0x4a5/0x5c0
[   86.505841][ T5336]  print_report+0xca/0x240
[   86.505852][ T5336]  ? sk_skb_reason_drop+0x37/0x170
[   86.505867][ T5336]  kasan_report+0x118/0x150
[   86.505877][ T5336]  ? sk_skb_reason_drop+0x37/0x170
[   86.505893][ T5336]  kasan_check_range+0x2b0/0x2c0
[   86.505904][ T5336]  sk_skb_reason_drop+0x37/0x170
[   86.505919][ T5336]  nr_transmit_buffer+0x11d/0x1b0
[   86.505935][ T5336]  nr_establish_data_link+0x62/0xb0
[   86.505948][ T5336]  nr_connect+0x6e6/0xde0
[   86.505961][ T5336]  ? __pfx_nr_connect+0x10/0x10
[   86.505972][ T5336]  ? tomoyo_socket_connect_permission+0x164/0x290
[   86.505985][ T5336]  ? bpf_lsm_socket_connect+0x9/0x20
[   86.505999][ T5336]  __sys_connect+0x316/0x440
[   86.506013][ T5336]  ? __pfx___sys_connect+0x10/0x10
[   86.506026][ T5336]  ? rcu_is_watching+0x15/0xb0
[   86.506039][ T5336]  __x64_sys_connect+0x7a/0x90
[   86.506050][ T5336]  do_syscall_64+0xfa/0xf80
[   86.506100][ T5336]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.506110][ T5336]  ? clear_bhb_loop+0x60/0xb0
[   86.506120][ T5336]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.506130][ T5336] RIP: 0033:0x7f186818f7c9
[   86.506141][ T5336] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   86.506155][ T5336] RSP: 002b:00007f18690d5038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   86.506167][ T5336] RAX: ffffffffffffffda RBX: 00007f18683e6090 RCX: 00007f186818f7c9
[   86.506175][ T5336] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000004
[   86.506181][ T5336] RBP: 00007f1868213f91 R08: 0000000000000000 R09: 0000000000000000
[   86.506188][ T5336] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   86.506194][ T5336] R13: 00007f18683e6128 R14: 00007f18683e6090 R15: 00007fff9a831e88
[   86.506204][ T5336]  </TASK>
[   86.506208][ T5336] 
[   86.616004][ T5336] Allocated by task 5336:
[   86.618385][ T5336]  kasan_save_track+0x3e/0x80
[   86.620566][ T5336]  __kasan_slab_alloc+0x6c/0x80
[   86.622828][ T5336]  kmem_cache_alloc_node_noprof+0x43c/0x720
[   86.625627][ T5336]  __alloc_skb+0x255/0x430
[   86.627620][ T5336]  nr_write_internal+0xe2/0xc60
[   86.629859][ T5336]  nr_establish_data_link+0x62/0xb0
[   86.632160][ T5336]  nr_connect+0x6e6/0xde0
[   86.634185][ T5336]  __sys_connect+0x316/0x440
[   86.636378][ T5336]  __x64_sys_connect+0x7a/0x90
[   86.638612][ T5336]  do_syscall_64+0xfa/0xf80
[   86.640824][ T5336]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.643664][ T5336] 
[   86.644828][ T5336] Freed by task 5336:
[   86.646597][ T5336]  kasan_save_track+0x3e/0x80
[   86.648793][ T5336]  kasan_save_free_info+0x46/0x50
[   86.651051][ T5336]  __kasan_slab_free+0x5c/0x80
[   86.653292][ T5336]  kmem_cache_free+0x197/0x620
[   86.655444][ T5336]  nr_route_frame+0x467/0x7e0
[   86.657552][ T5336]  nr_transmit_buffer+0xe7/0x1b0
[   86.659733][ T5336]  nr_establish_data_link+0x62/0xb0
[   86.662050][ T5336]  nr_connect+0x6e6/0xde0
[   86.664000][ T5336]  __sys_connect+0x316/0x440
[   86.666062][ T5336]  __x64_sys_connect+0x7a/0x90
[   86.668192][ T5336]  do_syscall_64+0xfa/0xf80
[   86.670088][ T5336]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.672741][ T5336] 
[   86.673912][ T5336] The buggy address belongs to the object at ffff888011cb3500
[   86.673912][ T5336]  which belongs to the cache skbuff_head_cache of size 240
[   86.679804][ T5336] The buggy address is located 228 bytes inside of
[   86.679804][ T5336]  freed 240-byte region [ffff888011cb3500, ffff888011cb35f0)
[   86.685361][ T5336] 
[   86.686489][ T5336] The buggy address belongs to the physical page:
[   86.689284][ T5336] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11cb3
[   86.693093][ T5336] ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   86.696275][ T5336] page_type: f5(slab)
[   86.698133][ T5336] raw: 00fff00000000000 ffff888030418c80 ffffea0000472c80 0000000000000003
[   86.702074][ T5336] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[   86.705938][ T5336] page dumped because: kasan: bad access detected
[   86.708831][ T5336] page_owner tracks the page as allocated
[   86.711406][ T5336] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5314, tgid 5314 (kworker/u5:2), ts 81622359536, free_ts 29742688665
[   86.719806][ T5336]  post_alloc_hook+0x234/0x290
[   86.721953][ T5336]  get_page_from_freelist+0x2365/0x2440
[   86.724419][ T5336]  __alloc_frozen_pages_noprof+0x181/0x370
[   86.726944][ T5336]  alloc_pages_mpol+0x232/0x4a0
[   86.729163][ T5336]  allocate_slab+0x86/0x3b0
[   86.731325][ T5336]  ___slab_alloc+0xf2b/0x1960
[   86.733533][ T5336]  __slab_alloc+0x65/0x100
[   86.735677][ T5336]  kmem_cache_alloc_noprof+0x40f/0x710
[   86.738196][ T5336]  skb_clone+0x212/0x3a0
[   86.740211][ T5336]  hci_event_packet+0x3f4/0x1260
[   86.742465][ T5336]  hci_rx_work+0x3ee/0x1060
[   86.744570][ T5336]  process_scheduled_works+0xad1/0x1770
[   86.747106][ T5336]  worker_thread+0x8a0/0xda0
[   86.749196][ T5336]  kthread+0x711/0x8a0
[   86.751121][ T5336]  ret_from_fork+0x599/0xb30
[   86.753227][ T5336]  ret_from_fork_asm+0x1a/0x30
[   86.755308][ T5336] page last free pid 4727 tgid 4727 stack trace:
[   86.758021][ T5336]  __free_frozen_pages+0xbc8/0xd30
[   86.760234][ T5336]  rcu_core+0xd70/0x1870
[   86.762109][ T5336]  handle_softirqs+0x27d/0x850
[   86.764355][ T5336]  __irq_exit_rcu+0xca/0x1f0
[   86.766474][ T5336]  irq_exit_rcu+0x9/0x30
[   86.768454][ T5336]  sysvec_apic_timer_interrupt+0xa6/0xc0
[   86.771020][ T5336]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[   86.773834][ T5336] 
[   86.774942][ T5336] Memory state around the buggy address:
[   86.777587][ T5336]  ffff888011cb3480: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[   86.781245][ T5336]  ffff888011cb3500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   86.784799][ T5336] >ffff888011cb3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   86.788484][ T5336]                                                        ^
[   86.791736][ T5336]  ffff888011cb3600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   86.795289][ T5336]  ffff888011cb3680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   86.798952][ T5336] ==================================================================
[   86.903220][ T5336] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   86.906385][ T5336] CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   86.910447][ T5336] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   86.915245][ T5336] Call Trace:
[   86.916712][ T5336]  <TASK>
[   86.917986][ T5336]  dump_stack_lvl+0x99/0x250
[   86.919955][ T5336]  ? __asan_memcpy+0x40/0x70
[   86.921855][ T5336]  ? __pfx_dump_stack_lvl+0x10/0x10
[   86.924006][ T5336]  ? __pfx__printk+0x10/0x10
[   86.925957][ T5336]  vpanic+0x237/0x6d0
[   86.927680][ T5336]  ? __pfx_vpanic+0x10/0x10
[   86.929771][ T5336]  ? preempt_schedule_common+0x83/0xd0
[   86.932356][ T5336]  ? preempt_schedule+0xae/0xc0
[   86.934436][ T5336]  panic+0xb9/0xc0
[   86.936127][ T5336]  ? __pfx_panic+0x10/0x10
[   86.938256][ T5336]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   86.941212][ T5336]  ? sk_skb_reason_drop+0x37/0x170
[   86.943505][ T5336]  check_panic_on_warn+0x89/0xb0
[   86.945715][ T5336]  ? sk_skb_reason_drop+0x37/0x170
[   86.947990][ T5336]  end_report+0x6f/0x140
[   86.949954][ T5336]  kasan_report+0x129/0x150
[   86.952216][ T5336]  ? sk_skb_reason_drop+0x37/0x170
[   86.954649][ T5336]  kasan_check_range+0x2b0/0x2c0
[   86.957088][ T5336]  sk_skb_reason_drop+0x37/0x170
[   86.959599][ T5336]  nr_transmit_buffer+0x11d/0x1b0
[   86.961856][ T5336]  nr_establish_data_link+0x62/0xb0
[   86.964167][ T5336]  nr_connect+0x6e6/0xde0
[   86.966175][ T5336]  ? __pfx_nr_connect+0x10/0x10
[   86.968697][ T5336]  ? tomoyo_socket_connect_permission+0x164/0x290
[   86.971587][ T5336]  ? bpf_lsm_socket_connect+0x9/0x20
[   86.973978][ T5336]  __sys_connect+0x316/0x440
[   86.976079][ T5336]  ? __pfx___sys_connect+0x10/0x10
[   86.978467][ T5336]  ? rcu_is_watching+0x15/0xb0
[   86.980421][ T5336]  __x64_sys_connect+0x7a/0x90
[   86.982390][ T5336]  do_syscall_64+0xfa/0xf80
[   86.984324][ T5336]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.986953][ T5336]  ? clear_bhb_loop+0x60/0xb0
[   86.989059][ T5336]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.991680][ T5336] RIP: 0033:0x7f186818f7c9
[   86.993862][ T5336] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   87.002093][ T5336] RSP: 002b:00007f18690d5038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   87.005692][ T5336] RAX: ffffffffffffffda RBX: 00007f18683e6090 RCX: 00007f186818f7c9
[   87.008993][ T5336] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000004
[   87.012469][ T5336] RBP: 00007f1868213f91 R08: 0000000000000000 R09: 0000000000000000
[   87.015985][ T5336] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   87.019526][ T5336] R13: 00007f18683e6128 R14: 00007f18683e6090 R15: 00007fff9a831e88
[   87.023133][ T5336]  </TASK>
[   87.024942][ T5336] Kernel Offset: disabled
[   87.026895][ T5336] Rebooting in 86400 seconds..