program: r0 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000)) ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f00000001c0)={0x1, @default, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x1, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}) connect$netrom(r0, &(0x7f0000000300)={{0x6, @default}, [@null, @default, @default, @default, @bcast, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}]}, 0x48) [ 91.933079][ T45] Bluetooth: hci0: command tx timeout [ 91.937835][ T54] cfg80211: failed to load regulatory.db [ 92.145586][ T5328] ================================================================== [ 92.149400][ T5328] BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x37/0x170 [ 92.153231][ T5328] Write of size 4 at addr ffff888052e9cea4 by task syz.0.0/5328 [ 92.157447][ T5328] [ 92.158798][ T5328] CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted 6.16.0-rc1-syzkaller-00004-gaef17cb3d3c4 #0 PREEMPT(full) [ 92.158816][ T5328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 92.158828][ T5328] Call Trace: [ 92.158837][ T5328] [ 92.158845][ T5328] dump_stack_lvl+0x189/0x250 [ 92.158917][ T5328] ? __kasan_check_byte+0x12/0x40 [ 92.158968][ T5328] ? __pfx_dump_stack_lvl+0x10/0x10 [ 92.158990][ T5328] ? lock_release+0x4b/0x3e0 [ 92.159010][ T5328] ? __virt_addr_valid+0x4a5/0x5c0 [ 92.159024][ T5328] print_report+0xd2/0x2b0 [ 92.159041][ T5328] ? sk_skb_reason_drop+0x37/0x170 [ 92.159057][ T5328] kasan_report+0x118/0x150 [ 92.159073][ T5328] ? sk_skb_reason_drop+0x37/0x170 [ 92.159093][ T5328] kasan_check_range+0x2b0/0x2c0 [ 92.159106][ T5328] sk_skb_reason_drop+0x37/0x170 [ 92.159123][ T5328] nr_transmit_buffer+0x11d/0x1b0 [ 92.159137][ T5328] nr_establish_data_link+0x62/0xb0 [ 92.159151][ T5328] nr_connect+0x6e6/0xde0 [ 92.159174][ T5328] ? __pfx_nr_connect+0x10/0x10 [ 92.159194][ T5328] ? tomoyo_socket_connect_permission+0x164/0x290 [ 92.159212][ T5328] ? bpf_lsm_socket_connect+0x9/0x20 [ 92.159223][ T5328] __sys_connect+0x313/0x440 [ 92.159232][ T5328] ? __rseq_handle_notify_resume+0x37e/0x11f0 [ 92.159244][ T5328] ? __pfx___sys_connect+0x10/0x10 [ 92.159255][ T5328] ? rcu_is_watching+0x15/0xb0 [ 92.159274][ T5328] __x64_sys_connect+0x7a/0x90 [ 92.159287][ T5328] do_syscall_64+0xfa/0x3b0 [ 92.159355][ T5328] ? lockdep_hardirqs_on+0x9c/0x150 [ 92.159373][ T5328] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 92.159383][ T5328] ? clear_bhb_loop+0x60/0xb0 [ 92.159393][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 92.159407][ T5328] RIP: 0033:0x7f564878e929 [ 92.159431][ T5328] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 92.159440][ T5328] RSP: 002b:00007f564958d038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 92.159456][ T5328] RAX: ffffffffffffffda RBX: 00007f56489b6080 RCX: 00007f564878e929 [ 92.159467][ T5328] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000004 [ 92.159475][ T5328] RBP: 00007f5648810b39 R08: 0000000000000000 R09: 0000000000000000 [ 92.159482][ T5328] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 92.159488][ T5328] R13: 0000000000000000 R14: 00007f56489b6080 R15: 00007ffdbc051128 [ 92.159499][ T5328] [ 92.159503][ T5328] [ 92.277279][ T5328] Allocated by task 5328: [ 92.279761][ T5328] kasan_save_track+0x3e/0x80 [ 92.282105][ T5328] __kasan_slab_alloc+0x6c/0x80 [ 92.284278][ T5328] kmem_cache_alloc_node_noprof+0x1bb/0x3c0 [ 92.287090][ T5328] __alloc_skb+0x112/0x2d0 [ 92.289385][ T5328] nr_write_internal+0xe2/0xc60 [ 92.291955][ T5328] nr_establish_data_link+0x62/0xb0 [ 92.294510][ T5328] nr_connect+0x6e6/0xde0 [ 92.296519][ T5328] __sys_connect+0x313/0x440 [ 92.298600][ T5328] __x64_sys_connect+0x7a/0x90 [ 92.300844][ T5328] do_syscall_64+0xfa/0x3b0 [ 92.303219][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 92.306533][ T5328] [ 92.307773][ T5328] Freed by task 5328: [ 92.309657][ T5328] kasan_save_track+0x3e/0x80 [ 92.311757][ T5328] kasan_save_free_info+0x46/0x50 [ 92.314033][ T5328] __kasan_slab_free+0x62/0x70 [ 92.316557][ T5328] kmem_cache_free+0x18f/0x400 [ 92.318998][ T5328] nr_route_frame+0x467/0x7e0 [ 92.321416][ T5328] nr_transmit_buffer+0xe7/0x1b0 [ 92.323702][ T5328] nr_establish_data_link+0x62/0xb0 [ 92.326331][ T5328] nr_connect+0x6e6/0xde0 [ 92.328536][ T5328] __sys_connect+0x313/0x440 [ 92.330962][ T5328] __x64_sys_connect+0x7a/0x90 [ 92.333200][ T5328] do_syscall_64+0xfa/0x3b0 [ 92.335385][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 92.337957][ T5328] [ 92.339040][ T5328] The buggy address belongs to the object at ffff888052e9cdc0 [ 92.339040][ T5328] which belongs to the cache skbuff_head_cache of size 240 [ 92.345819][ T5328] The buggy address is located 228 bytes inside of [ 92.345819][ T5328] freed 240-byte region [ffff888052e9cdc0, ffff888052e9ceb0) [ 92.351756][ T5328] [ 92.352954][ T5328] The buggy address belongs to the physical page: [ 92.356388][ T5328] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x52e9c [ 92.360430][ T5328] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 92.363420][ T5328] page_type: f5(slab) [ 92.365341][ T5328] raw: 04fff00000000000 ffff8880304fab40 dead000000000122 0000000000000000 [ 92.369772][ T5328] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000 [ 92.374197][ T5328] page dumped because: kasan: bad access detected [ 92.376990][ T5328] page_owner tracks the page as allocated [ 92.379368][ T5328] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5020, tgid 5020 (dhcpcd), ts 92136319816, free_ts 92134111122 [ 92.387640][ T5328] post_alloc_hook+0x240/0x2a0 [ 92.389827][ T5328] get_page_from_freelist+0x21e4/0x22c0 [ 92.392349][ T5328] __alloc_frozen_pages_noprof+0x181/0x370 [ 92.394920][ T5328] alloc_pages_mpol+0x232/0x4a0 [ 92.397217][ T5328] allocate_slab+0x8a/0x3b0 [ 92.399295][ T5328] ___slab_alloc+0xbfc/0x1480 [ 92.401264][ T5328] kmem_cache_alloc_node_noprof+0x280/0x3c0 [ 92.403772][ T5328] __alloc_skb+0x112/0x2d0 [ 92.405696][ T5328] alloc_skb_with_frags+0xca/0x890 [ 92.407930][ T5328] sock_alloc_send_pskb+0x857/0x990 [ 92.410319][ T5328] unix_dgram_sendmsg+0x4f6/0x1870 [ 92.412718][ T5328] __sock_sendmsg+0x219/0x270 [ 92.414939][ T5328] __sys_sendto+0x3bd/0x520 [ 92.417442][ T5328] __x64_sys_sendto+0xde/0x100 [ 92.419911][ T5328] do_syscall_64+0xfa/0x3b0 [ 92.421973][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 92.424484][ T5328] page last free pid 15 tgid 15 stack trace: [ 92.427156][ T5328] __free_frozen_pages+0xc71/0xe70 [ 92.429703][ T5328] __tlb_remove_table+0x2d2/0x3b0 [ 92.432212][ T5328] tlb_remove_table_rcu+0x85/0x100 [ 92.434642][ T5328] rcu_core+0xca5/0x1710 [ 92.436716][ T5328] handle_softirqs+0x286/0x870 [ 92.439258][ T5328] run_ksoftirqd+0x9b/0x100 [ 92.441926][ T5328] smpboot_thread_fn+0x53f/0xa60 [ 92.445430][ T5328] kthread+0x70e/0x8a0 [ 92.447795][ T5328] ret_from_fork+0x3fc/0x770 [ 92.450014][ T5328] ret_from_fork_asm+0x1a/0x30 [ 92.452289][ T5328] [ 92.453326][ T5328] Memory state around the buggy address: [ 92.455686][ T5328] ffff888052e9cd80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 92.459593][ T5328] ffff888052e9ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 92.463648][ T5328] >ffff888052e9ce80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 92.467433][ T5328] ^ [ 92.469782][ T5328] ffff888052e9cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 92.473527][ T5328] ffff888052e9cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 92.477847][ T5328] ================================================================== [ 92.518385][ T5328] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 92.522401][ T5328] CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted 6.16.0-rc1-syzkaller-00004-gaef17cb3d3c4 #0 PREEMPT(full) [ 92.527719][ T5328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 92.533213][ T5328] Call Trace: [ 92.534928][ T5328] [ 92.536351][ T5328] dump_stack_lvl+0x99/0x250 [ 92.538523][ T5328] ? __asan_memcpy+0x40/0x70 [ 92.540587][ T5328] ? __pfx_dump_stack_lvl+0x10/0x10 [ 92.543098][ T5328] ? __pfx__printk+0x10/0x10 [ 92.545682][ T5328] panic+0x2db/0x790 [ 92.547952][ T5328] ? __pfx_preempt_schedule+0x10/0x10 [ 92.550375][ T5328] ? __pfx_panic+0x10/0x10 [ 92.552393][ T5328] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 92.554988][ T5328] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 92.558358][ T5328] ? sk_skb_reason_drop+0x37/0x170 [ 92.561225][ T5328] check_panic_on_warn+0x89/0xb0 [ 92.563666][ T5328] ? sk_skb_reason_drop+0x37/0x170 [ 92.566041][ T5328] end_report+0x78/0x160 [ 92.567999][ T5328] kasan_report+0x129/0x150 [ 92.570209][ T5328] ? sk_skb_reason_drop+0x37/0x170 [ 92.572881][ T5328] kasan_check_range+0x2b0/0x2c0 [ 92.575478][ T5328] sk_skb_reason_drop+0x37/0x170 [ 92.577795][ T5328] nr_transmit_buffer+0x11d/0x1b0 [ 92.580029][ T5328] nr_establish_data_link+0x62/0xb0 [ 92.582275][ T5328] nr_connect+0x6e6/0xde0 [ 92.584269][ T5328] ? __pfx_nr_connect+0x10/0x10 [ 92.587028][ T5328] ? tomoyo_socket_connect_permission+0x164/0x290 [ 92.590190][ T5328] ? bpf_lsm_socket_connect+0x9/0x20 [ 92.592482][ T5328] __sys_connect+0x313/0x440 [ 92.594492][ T5328] ? __rseq_handle_notify_resume+0x37e/0x11f0 [ 92.597094][ T5328] ? __pfx___sys_connect+0x10/0x10 [ 92.599580][ T5328] ? rcu_is_watching+0x15/0xb0 [ 92.601970][ T5328] __x64_sys_connect+0x7a/0x90 [ 92.604290][ T5328] do_syscall_64+0xfa/0x3b0 [ 92.606468][ T5328] ? lockdep_hardirqs_on+0x9c/0x150 [ 92.608824][ T5328] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 92.611930][ T5328] ? clear_bhb_loop+0x60/0xb0 [ 92.614464][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 92.617071][ T5328] RIP: 0033:0x7f564878e929 [ 92.618828][ T5328] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 92.626351][ T5328] RSP: 002b:00007f564958d038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 92.630443][ T5328] RAX: ffffffffffffffda RBX: 00007f56489b6080 RCX: 00007f564878e929 [ 92.634652][ T5328] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000004 [ 92.638172][ T5328] RBP: 00007f5648810b39 R08: 0000000000000000 R09: 0000000000000000 [ 92.641960][ T5328] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 92.645816][ T5328] R13: 0000000000000000 R14: 00007f56489b6080 R15: 00007ffdbc051128 [ 92.649193][ T5328] [ 92.650906][ T5328] Kernel Offset: disabled [ 92.652964][ T5328] Rebooting in 86400 seconds..