program: r0 = syz_init_net_socket$x25(0x9, 0x5, 0x0) r1 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) (async) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) (async) syz_mount_image$ext4(&(0x7f00000004c0)='ext4\x00', &(0x7f0000000500)='./file0\x00', 0x0, &(0x7f0000000540), 0x1, 0x4a3, &(0x7f0000000580)="$eJzs3c1rXOUaAPBnZpo0SXNvP+7l0vbCbaEXej9oJh9IE3XjSl0UxIIbhRqTaayZZEJmUpvQRaq7LlyIoiAu3PsXuLEriyCudS8upKI1ggrCyDkzk+Zr4qBpBnJ+Pzid95z3dJ73zfC8nHnPOXMCyKyzyT+5iMGI+DwijjZWN+9wtvGydv/mVLLkol6//F0u3S9Zb+3a+n9HImI1Ivoi4tknI17KbY9bXV6ZnSyXS4vN9WJtbqFYXV65cG1ucqY0U5ofGb84MTE+PDY6sWd9vf3GK7cvffR074c/vX7v7puffJw0a7BZt7Efe6nR9Z44vmHboYh4/GEE64JCsz/93W4If0jy+f0tIs6l+X80CumnCWRBvV6v/1o/3K56tQ4cWPn0GDiXH4qIRjmfHxpqHMP/PQby5Uq19v+rlaX56cax8rHoyV+9Vi4NN78rHIueXLI+kpYfrI9uWR+LSI+B3yr0p+tDU5Xy9P4OdcAWR7bk/4+FRv4DGeErP2SX/Ifskv+QXfIfskv+Q3bJf8gu+Q/ZJf8hu+Q/ZJf8h+yS/5BJz1y6lCz11v3v09eXl2Yr1y9Ml6qzQ3NLU0NTlcWFoZlKZSa9Z2fu996vXKksjDwSSzeKtVK1Vqwur1yZqyzN166k9/VfKfXsS6+AThw/c+fLXESsPtqfLoneZp1chYOtXs9Ft+9BBrqj0O0BCOgaU3+QXb7jAzv8RO8mfe0qFva+LcD+yHe7AUDXnD/l/B9klfl/yC7z/5BdjvEB8/+QPeb/IbsG2zz/6y8bnt01HBF/jYgvCj2HW8/6Ag6C/De55vH/+aP/Htxa25v7OT1F0BsRr753+Z0bk7Xa4kiy/fv17bV3m9tHu9F+oFOtPG3lMQCQXWv3b061lv2M++0TjYsQtsc/1Jyb7EvPUQ6s5TZdq5Dbo2sXVm9FxMmd4ueazztvnPkYWCtsi3+i+ZprvEXa3kPpc9P3J/6pDfH/tSH+6T/9V4FsuJOMP8M75V8+zelYz7/N48/gHl070X78y6+Pf4U249+ZDmO8/P5rX7eNfyvi9I7xW/H60lhb4ydtO99h/HsvPPePdnX1Dxrvs1P8lqRUrM0tFKvLKxfS35GbKc2PjF+cmBgfHhudKKZz1MXWTPV2j5387O5u/R9oE3+3/ifb/tth/3/556fPn90l/n/O7fz5n9glfn9E/K/D+D+MfvViu7ok/nSb/ud3iZ9sG+swfvXtpw53uCsAsA+qyyuzk+VyaVFBQUFhvdDtkQl42B4kfbdbAgAAAAAAAAAAAHRqPy4n7nYfAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOgt8CAAD//1kn1ls=") mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f0000000200)='configfs\x00', 0x16, 0x0) (async) quotactl$Q_QUOTAON(0xffffffff80000200, &(0x7f0000000000)=@loop={'/dev/loop', 0x0}, 0x0, &(0x7f00000002c0)='./file0/file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00') (async) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) (async) r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) (async, rerun: 64) ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000)) (async, rerun: 64) ioctl$sock_netrom_SIOCADDRT(r1, 0x890b, &(0x7f00000001c0)={0x1, @default, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x0, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}) connect$netrom(r1, &(0x7f0000000300)={{0x6, @default}, [@null, @default, @default, @default, @bcast, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}]}, 0x48) ioctl$sock_ifreq(r0, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'}) [ 75.854304][ T46] Bluetooth: hci0: command tx timeout [ 76.042828][ T5340] loop0: detected capacity change from 0 to 512 [ 76.087318][ T5340] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback. [ 76.094648][ T5340] ext4 filesystem being mounted at /0/file0 supports timestamps until 2038-01-19 (0x7fffffff) [ 76.104337][ T5341] ================================================================== [ 76.107993][ T5341] BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x37/0x170 [ 76.111614][ T5341] Write of size 4 at addr ffff8880111c5364 by task syz.0.0/5341 [ 76.114923][ T5341] [ 76.116022][ T5341] CPU: 0 UID: 0 PID: 5341 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 76.116035][ T5341] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.116042][ T5341] Call Trace: [ 76.116049][ T5341] [ 76.116054][ T5341] dump_stack_lvl+0xe8/0x150 [ 76.116070][ T5341] print_report+0xca/0x240 [ 76.116082][ T5341] ? sk_skb_reason_drop+0x37/0x170 [ 76.116092][ T5341] kasan_report+0x118/0x150 [ 76.116145][ T5341] ? sk_skb_reason_drop+0x37/0x170 [ 76.116156][ T5341] kasan_check_range+0x2b0/0x2c0 [ 76.116166][ T5341] sk_skb_reason_drop+0x37/0x170 [ 76.116176][ T5341] nr_transmit_buffer+0x11d/0x1b0 [ 76.116187][ T5341] nr_establish_data_link+0x62/0xb0 [ 76.116196][ T5341] nr_connect+0x6e6/0xde0 [ 76.116210][ T5341] ? __pfx_nr_connect+0x10/0x10 [ 76.116222][ T5341] ? tomoyo_socket_connect_permission+0x164/0x290 [ 76.116236][ T5341] ? bpf_lsm_socket_connect+0x9/0x20 [ 76.116251][ T5341] __sys_connect+0x316/0x440 [ 76.116265][ T5341] ? __pfx___sys_connect+0x10/0x10 [ 76.116281][ T5341] ? rcu_is_watching+0x15/0xb0 [ 76.116294][ T5341] __x64_sys_connect+0x7a/0x90 [ 76.116307][ T5341] do_syscall_64+0xec/0xf80 [ 76.116344][ T5341] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.116354][ T5341] ? trace_irq_disable+0x37/0x100 [ 76.116367][ T5341] ? clear_bhb_loop+0x60/0xb0 [ 76.116377][ T5341] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.116397][ T5341] RIP: 0033:0x7f176078f7c9 [ 76.116407][ T5341] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 76.116415][ T5341] RSP: 002b:00007f17615ed038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 76.116428][ T5341] RAX: ffffffffffffffda RBX: 00007f17609e6090 RCX: 00007f176078f7c9 [ 76.116435][ T5341] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000005 [ 76.116441][ T5341] RBP: 00007f1760813f91 R08: 0000000000000000 R09: 0000000000000000 [ 76.116447][ T5341] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 76.116453][ T5341] R13: 00007f17609e6128 R14: 00007f17609e6090 R15: 00007ffcf6466418 [ 76.116464][ T5341] [ 76.116467][ T5341] [ 76.209321][ T5341] Allocated by task 5341: [ 76.211066][ T5341] kasan_save_track+0x3e/0x80 [ 76.212907][ T5341] __kasan_slab_alloc+0x6c/0x80 [ 76.214997][ T5341] kmem_cache_alloc_node_noprof+0x43c/0x720 [ 76.217401][ T5341] __alloc_skb+0x1dc/0x3a0 [ 76.219364][ T5341] nr_write_internal+0xe2/0xc60 [ 76.221474][ T5341] nr_establish_data_link+0x62/0xb0 [ 76.223569][ T5341] nr_connect+0x6e6/0xde0 [ 76.225244][ T5341] __sys_connect+0x316/0x440 [ 76.227176][ T5341] __x64_sys_connect+0x7a/0x90 [ 76.229162][ T5341] do_syscall_64+0xec/0xf80 [ 76.231241][ T5341] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.233697][ T5341] [ 76.234754][ T5341] Freed by task 5341: [ 76.236449][ T5341] kasan_save_track+0x3e/0x80 [ 76.238581][ T5341] kasan_save_free_info+0x46/0x50 [ 76.240914][ T5341] __kasan_slab_free+0x5c/0x80 [ 76.242991][ T5341] kmem_cache_free+0x197/0x620 [ 76.245093][ T5341] nr_route_frame+0x467/0x7e0 [ 76.247115][ T5341] nr_transmit_buffer+0xe7/0x1b0 [ 76.249310][ T5341] nr_establish_data_link+0x62/0xb0 [ 76.251431][ T5341] nr_connect+0x6e6/0xde0 [ 76.253300][ T5341] __sys_connect+0x316/0x440 [ 76.255123][ T5341] __x64_sys_connect+0x7a/0x90 [ 76.257117][ T5341] do_syscall_64+0xec/0xf80 [ 76.259231][ T5341] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.261592][ T5341] [ 76.262635][ T5341] The buggy address belongs to the object at ffff8880111c5280 [ 76.262635][ T5341] which belongs to the cache skbuff_head_cache of size 240 [ 76.268482][ T5341] The buggy address is located 228 bytes inside of [ 76.268482][ T5341] freed 240-byte region [ffff8880111c5280, ffff8880111c5370) [ 76.274433][ T5341] [ 76.275546][ T5341] The buggy address belongs to the physical page: [ 76.278269][ T5341] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x111c5 [ 76.281809][ T5341] ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 76.284998][ T5341] page_type: f5(slab) [ 76.286765][ T5341] raw: 00fff00000000000 ffff88801bae6c80 ffffea0000458ac0 0000000000000003 [ 76.290205][ T5341] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 76.293867][ T5341] page dumped because: kasan: bad access detected [ 76.296559][ T5341] page_owner tracks the page as allocated [ 76.299006][ T5341] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5318, tgid 5318 (syz-executor), ts 73254401022, free_ts 57675682391 [ 76.307145][ T5341] post_alloc_hook+0x234/0x290 [ 76.309213][ T5341] get_page_from_freelist+0x24e0/0x2580 [ 76.311737][ T5341] __alloc_frozen_pages_noprof+0x181/0x370 [ 76.314821][ T5341] alloc_pages_mpol+0x232/0x4a0 [ 76.316920][ T5341] allocate_slab+0x86/0x3b0 [ 76.318860][ T5341] ___slab_alloc+0xe53/0x1820 [ 76.320774][ T5341] __slab_alloc+0x65/0x100 [ 76.322649][ T5341] kmem_cache_alloc_node_noprof+0x4ce/0x720 [ 76.325128][ T5341] __alloc_skb+0x1dc/0x3a0 [ 76.326990][ T5341] netlink_ack+0x146/0xa50 [ 76.328952][ T5341] netlink_rcv_skb+0x28c/0x470 [ 76.331001][ T5341] netlink_unicast+0x82f/0x9e0 [ 76.333069][ T5341] netlink_sendmsg+0x805/0xb30 [ 76.335126][ T5341] __sock_sendmsg+0x21c/0x270 [ 76.337226][ T5341] __sys_sendto+0x3bd/0x520 [ 76.339284][ T5341] __x64_sys_sendto+0xde/0x100 [ 76.341448][ T5341] page last free pid 5228 tgid 5228 stack trace: [ 76.344132][ T5341] __free_frozen_pages+0xbc8/0xd30 [ 76.346331][ T5341] __slab_free+0x2ce/0x320 [ 76.348220][ T5341] qlist_free_all+0x97/0x100 [ 76.350197][ T5341] kasan_quarantine_reduce+0x148/0x160 [ 76.352441][ T5341] __kasan_slab_alloc+0x22/0x80 [ 76.354517][ T5341] kmem_cache_alloc_noprof+0x37d/0x710 [ 76.356747][ T5341] alloc_empty_file+0x55/0x1d0 [ 76.358765][ T5341] path_openat+0x108/0x3dd0 [ 76.360634][ T5341] do_filp_open+0x1fa/0x410 [ 76.362540][ T5341] do_sys_openat2+0x121/0x200 [ 76.364500][ T5341] __x64_sys_openat+0x138/0x170 [ 76.366445][ T5341] do_syscall_64+0xec/0xf80 [ 76.368070][ T5341] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.370472][ T5341] [ 76.371354][ T5341] Memory state around the buggy address: [ 76.373383][ T5341] ffff8880111c5200: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 76.376657][ T5341] ffff8880111c5280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.379842][ T5341] >ffff8880111c5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 76.383402][ T5341] ^ [ 76.386981][ T5341] ffff8880111c5380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 [ 76.390590][ T5341] ffff8880111c5400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 76.394058][ T5341] ================================================================== [ 76.437687][ T5340] 8021q: adding VLAN 0 to HW filter on device bond0 [ 76.456460][ T5340] bond0: (slave rose0): Enslaving as an active interface with an up link [ 76.467023][ T5341] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 76.469775][ T5341] CPU: 0 UID: 0 PID: 5341 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 76.473343][ T5341] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.477810][ T5341] Call Trace: [ 76.479325][ T5341] [ 76.480772][ T5341] vpanic+0x1e0/0x670 [ 76.482497][ T5341] panic+0xb9/0xc0 [ 76.484140][ T5341] ? __pfx_panic+0x10/0x10 [ 76.486109][ T5341] ? preempt_schedule_thunk+0x16/0x30 [ 76.488610][ T5341] ? sk_skb_reason_drop+0x37/0x170 [ 76.490836][ T5341] ? preempt_schedule_thunk+0x16/0x30 [ 76.493038][ T5341] ? sk_skb_reason_drop+0x37/0x170 [ 76.495122][ T5341] check_panic_on_warn+0x89/0xb0 [ 76.497157][ T5341] ? sk_skb_reason_drop+0x37/0x170 [ 76.499343][ T5341] end_report+0x6f/0x140 [ 76.501118][ T5341] kasan_report+0x129/0x150 [ 76.503041][ T5341] ? sk_skb_reason_drop+0x37/0x170 [ 76.505152][ T5341] kasan_check_range+0x2b0/0x2c0 [ 76.507273][ T5341] sk_skb_reason_drop+0x37/0x170 [ 76.509424][ T5341] nr_transmit_buffer+0x11d/0x1b0 [ 76.511658][ T5341] nr_establish_data_link+0x62/0xb0 [ 76.513900][ T5341] nr_connect+0x6e6/0xde0 [ 76.515836][ T5341] ? __pfx_nr_connect+0x10/0x10 [ 76.517998][ T5341] ? tomoyo_socket_connect_permission+0x164/0x290 [ 76.520771][ T5341] ? bpf_lsm_socket_connect+0x9/0x20 [ 76.523216][ T5341] __sys_connect+0x316/0x440 [ 76.525206][ T5341] ? __pfx___sys_connect+0x10/0x10 [ 76.531233][ T5341] ? rcu_is_watching+0x15/0xb0 [ 76.533491][ T5341] __x64_sys_connect+0x7a/0x90 [ 76.536355][ T5341] do_syscall_64+0xec/0xf80 [ 76.538441][ T5341] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.540733][ T5341] ? trace_irq_disable+0x37/0x100 [ 76.542463][ T5341] ? clear_bhb_loop+0x60/0xb0 [ 76.544399][ T5341] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.546950][ T5341] RIP: 0033:0x7f176078f7c9 [ 76.548918][ T5341] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 76.557080][ T5341] RSP: 002b:00007f17615ed038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 76.560642][ T5341] RAX: ffffffffffffffda RBX: 00007f17609e6090 RCX: 00007f176078f7c9 [ 76.563881][ T5341] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000005 [ 76.567104][ T5341] RBP: 00007f1760813f91 R08: 0000000000000000 R09: 0000000000000000 [ 76.570445][ T5341] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 76.573688][ T5341] R13: 00007f17609e6128 R14: 00007f17609e6090 R15: 00007ffcf6466418 [ 76.576970][ T5341] [ 76.579387][ T5341] Kernel Offset: disabled [ 76.581200][ T5341] Rebooting in 86400 seconds..