# syzkaller reproducer for a KASAN slab-use-after-free in the NET/ROM stack
# (net/netrom). The crash report that follows this program puts the bad
# access (a 4-byte write at offset 228 of a freed 240-byte skbuff_head_cache
# object) in sk_skb_reason_drop() called from nr_transmit_buffer(). The same
# report shows the object allocated by nr_write_internal() and freed by
# kmem_cache_free() inside nr_route_frame(), both under
# nr_establish_data_link <- nr_connect <- __sys_connect. So the trigger is one
# of the connect$netrom() calls below, and the defect is that
# nr_transmit_buffer()'s failure path drops an skb its callee has already
# released -- a double free of the skb head. The page_owner trace in the
# report (skb_clone from hci_cmd_work) is the origin of the slab *page*, not
# of the freed object, so the Bluetooth activity is a red herring.
#
# Layout note: this listing was flattened onto one line; it is restored here
# one call per line, the form syzkaller's parser expects. The result marker
# that declares r3 (written as r3= inside angle brackets in the socketpair
# result array below) looks like an HTML tag and appears to have been
# stripped during extraction, so r3 is used without a visible producer --
# confirm against the original reproducer before re-running it.
program:
# Unrelated filesystem setup: a directory, a bind mount of cwd over it, and
# an unmount again. Not on the crash path.
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)
# IPv6 socket (AF_INET6=0xa, type 0x3, protocol 0xff) with a 40-byte write;
# nothing below references r0 again.
r0 = socket$inet6(0xa, 0x3, 0xff)
connect$inet6(r0, &(0x7f0000000200)={0xa, 0x0, 0x0, @empty}, 0x1c)
setsockopt$SO_TIMESTAMPING(r0, 0x1, 0x25, &(0x7f0000000000)=0x24d2, 0x4)
write(r0, &(0x7f0000000180)="b107a4e60867713392040000000000000076d7b36598b8cb08591ffc2467faa14eba6144e8127696", 0x28)
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0\x00', 0x0, 0x101091, 0x0)
# Landlock ruleset (16-byte attr, presumably handled_access_fs=0 and
# handled_access_net=0x3) applied twice to the current thread. As far as I
# know Landlock's network hooks only cover TCP bind/connect, so this should
# not influence an AF_NETROM connect; treat as fuzzer noise.
r1 = landlock_create_ruleset(&(0x7f0000000140)={0x0, 0x3}, 0x10, 0x0)
landlock_restrict_self(r1, 0x0)
landlock_restrict_self(r1, 0x0)
umount2(&(0x7f00000000c0)='./file0\x00', 0x0)
# First NET/ROM socket: AF_NETROM (6), SOCK_SEQPACKET (5), protocol 0.
r2 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
# The r3 result marker presumably lived in this array; see the header note.
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
# Bluetooth SCO socket plus an SIOCSIFFLAGS (0x8914) ioctl on it; the ax25
# SO_BINDTODEVICE targets fd -1 and can only fail with EBADF. Noise.
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
# SIOCADDRT (0x890b) on the NET/ROM socket: installs a route of type 0x1 (a
# node entry, if the nr_route_struct type encoding is NEIGH=0 / NODE=1)
# reachable via device 'bpq0' through neighbour callsign @netrom, quality 2,
# mnemonic 'syz1', obsolescence count 5 and ndigis=0 (the 8-entry
# digipeater array is still filled). This is the routing state that
# nr_route_frame() consults when connect() tries to send its first frame.
# NOTE(review): adding NET/ROM routes is, if memory serves, gated on
# CAP_NET_ADMIN in af_netrom's ioctl handler -- confirm, since it decides
# who can reach the bug. The report itself shows the reproducer as UID 0.
ioctl$sock_netrom_SIOCADDRT(r2, 0x890b, &(0x7f00000001c0)={0x1, @default, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x0, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]})
# connect() on the NET/ROM socket with a 0x48-byte (72 = sizeof(struct
# full_sockaddr_ax25)) address. This is the syscall path named in the
# report: nr_connect -> nr_establish_data_link -> nr_transmit_buffer ->
# nr_route_frame, followed by the drop of the already-freed skb.
connect$netrom(r2, &(0x7f0000000300)={{0x6, @default}, [@null, @default, @default, @default, @bcast, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}]}, 0x48)
# Makes the first 16 KiB of the scratch area read-only. The connect() below
# only reads its sockaddr from that range, so this is harmless.
mprotect(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x1)
# Second NET/ROM socket and a second connect() through the same route. The
# report's user registers (RDI=6, RDX=0x48, RSI ending in 0x300) fit either
# connect$netrom call, so whether the first or the second one hits the
# double free cannot be told from the trace alone. This call's argument
# list continues on the next line of the listing.
r5 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
connect$netrom(r5, &(0x7f0000000300)={{0x6, @rose}, [@remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @default, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, 
@default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}, 0x48) syz_mount_image$ext4(&(0x7f0000000040)='ext4\x00', &(0x7f0000000200)='./file1\x00', 0x2200000, &(0x7f0000000140)={[], [{@defcontext={'defcontext', 0x3d, 'unconfined_u'}}, {@appraise}, {@dont_appraise}, {@smackfsdef={'smackfsdef', 0x3d, 'squashfs\x00'}}]}, 0xfe, 0x54b, &(0x7f0000000400)="$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") r6 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) r7 = shmget$private(0x0, 0xc00000, 0x1000, &(0x7f0000400000/0xc00000)=nil) shmctl$IPC_RMID(r7, 0x0) r8 = shmget$private(0x0, 0x4000, 0x2, &(0x7f0000703000/0x4000)=nil) shmctl$SHM_INFO(r8, 0xe, &(0x7f0000000000)=""/4096) open(&(0x7f00000005c0)='./bus\x00', 0x64842, 0x0) bind$bt_hci(r6, &(0x7f0000000040)={0x1f, 0xffffffffffffffff, 0x3}, 0x6) write$bt_hci(r6, &(0x7f00000005c0)=ANY=[@ANYBLOB="0e00000002"], 0x8) [ 74.464122][ T5303] Bluetooth: hci0: command tx timeout [ 74.835050][ T5324] ================================================================== [ 74.839168][ T5324] BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x37/0x170 [ 74.843037][ T5324] Write of size 4 at addr ffff888050b91864 by task syz.0.0/5324 [ 74.855500][ T5324] [ 74.865819][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 74.865838][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 74.865846][ T5324] Call Trace: [ 74.865854][ T5324] [ 74.865861][ T5324] dump_stack_lvl+0x189/0x250 [ 74.865880][ T5324] ? __virt_addr_valid+0x1c8/0x5c0 [ 74.865895][ T5324] ? rcu_is_watching+0x15/0xb0 [ 74.865906][ T5324] ? __kasan_check_byte+0x12/0x40 [ 74.865921][ T5324] ? __pfx_dump_stack_lvl+0x10/0x10 [ 74.865934][ T5324] ? rcu_is_watching+0x15/0xb0 [ 74.865944][ T5324] ? lock_release+0x4b/0x3e0 [ 74.865955][ T5324] ? __virt_addr_valid+0x1c8/0x5c0 [ 74.865967][ T5324] ? 
__virt_addr_valid+0x4a5/0x5c0 [ 74.865979][ T5324] print_report+0xca/0x240 [ 74.865992][ T5324] ? sk_skb_reason_drop+0x37/0x170 [ 74.866005][ T5324] kasan_report+0x118/0x150 [ 74.866020][ T5324] ? sk_skb_reason_drop+0x37/0x170 [ 74.866034][ T5324] kasan_check_range+0x2b0/0x2c0 [ 74.866048][ T5324] sk_skb_reason_drop+0x37/0x170 [ 74.866105][ T5324] nr_transmit_buffer+0x11d/0x1b0 [ 74.866119][ T5324] nr_establish_data_link+0x62/0xb0 [ 74.866130][ T5324] nr_connect+0x6e6/0xde0 [ 74.866147][ T5324] ? __pfx_nr_connect+0x10/0x10 [ 74.866160][ T5324] ? tomoyo_socket_connect_permission+0x164/0x290 [ 74.866228][ T5324] ? bpf_lsm_socket_connect+0x9/0x20 [ 74.866245][ T5324] __sys_connect+0x316/0x440 [ 74.866261][ T5324] ? __pfx___sys_connect+0x10/0x10 [ 74.866276][ T5324] ? rcu_is_watching+0x15/0xb0 [ 74.866289][ T5324] __x64_sys_connect+0x7a/0x90 [ 74.866301][ T5324] do_syscall_64+0xfa/0xfa0 [ 74.866315][ T5324] ? lockdep_hardirqs_on+0x9c/0x150 [ 74.866326][ T5324] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.866336][ T5324] ? 
clear_bhb_loop+0x60/0xb0 [ 74.866348][ T5324] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.866359][ T5324] RIP: 0033:0x7fb88538efc9 [ 74.866372][ T5324] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 74.866381][ T5324] RSP: 002b:00007fb88619e038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 74.866394][ T5324] RAX: ffffffffffffffda RBX: 00007fb8855e6090 RCX: 00007fb88538efc9 [ 74.866403][ T5324] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000006 [ 74.866409][ T5324] RBP: 00007fb885411f91 R08: 0000000000000000 R09: 0000000000000000 [ 74.866415][ T5324] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 74.866421][ T5324] R13: 00007fb8855e6128 R14: 00007fb8855e6090 R15: 00007ffe89d38e48 [ 74.866431][ T5324] [ 74.866436][ T5324] [ 75.129186][ T5324] Allocated by task 5324: [ 75.131573][ T5324] kasan_save_track+0x3e/0x80 [ 75.137698][ T5324] __kasan_slab_alloc+0x6c/0x80 [ 75.146765][ T5324] kmem_cache_alloc_node_noprof+0x433/0x710 [ 75.149785][ T5324] __alloc_skb+0x112/0x2d0 [ 75.152120][ T5324] nr_write_internal+0xe2/0xc60 [ 75.157572][ T5324] nr_establish_data_link+0x62/0xb0 [ 75.163412][ T5324] nr_connect+0x6e6/0xde0 [ 75.167160][ T5324] __sys_connect+0x316/0x440 [ 75.177107][ T5324] __x64_sys_connect+0x7a/0x90 [ 75.179397][ T5324] do_syscall_64+0xfa/0xfa0 [ 75.181663][ T5324] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.184641][ T5324] [ 75.194716][ T5324] Freed by task 5324: [ 75.196820][ T5324] kasan_save_track+0x3e/0x80 [ 75.199194][ T5324] __kasan_save_free_info+0x46/0x50 [ 75.201822][ T5324] __kasan_slab_free+0x5c/0x80 [ 75.204225][ T5324] kmem_cache_free+0x19b/0x690 [ 75.221623][ T5324] nr_route_frame+0x467/0x7e0 [ 75.227744][ T5324] nr_transmit_buffer+0xe7/0x1b0 [ 75.231201][ T5324] nr_establish_data_link+0x62/0xb0 [ 75.233541][ T5324] nr_connect+0x6e6/0xde0 [ 75.240807][ 
T5324] __sys_connect+0x316/0x440 [ 75.242990][ T5324] __x64_sys_connect+0x7a/0x90 [ 75.245178][ T5324] do_syscall_64+0xfa/0xfa0 [ 75.254209][ T5324] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.259913][ T5324] [ 75.260942][ T5324] The buggy address belongs to the object at ffff888050b91780 [ 75.260942][ T5324] which belongs to the cache skbuff_head_cache of size 240 [ 75.275414][ T5324] The buggy address is located 228 bytes inside of [ 75.275414][ T5324] freed 240-byte region [ffff888050b91780, ffff888050b91870) [ 75.280917][ T5324] [ 75.281958][ T5324] The buggy address belongs to the physical page: [ 75.284590][ T5324] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x50b91 [ 75.308785][ T5324] ksm flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 75.321889][ T5324] page_type: f5(slab) [ 75.328258][ T5324] raw: 04fff00000000000 ffff8880304cfdc0 ffffea000048d600 0000000000000007 [ 75.338977][ T5324] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000 [ 75.349005][ T5324] page dumped because: kasan: bad access detected [ 75.366008][ T5324] page_owner tracks the page as allocated [ 75.369576][ T5324] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5303, tgid 5303 (kworker/u5:2), ts 71432794597, free_ts 0 [ 75.381756][ T5324] post_alloc_hook+0x240/0x2a0 [ 75.396384][ T5324] get_page_from_freelist+0x2365/0x2440 [ 75.399164][ T5324] __alloc_frozen_pages_noprof+0x181/0x370 [ 75.402509][ T5324] alloc_pages_mpol+0x232/0x4a0 [ 75.405361][ T5324] allocate_slab+0x96/0x350 [ 75.409119][ T5324] ___slab_alloc+0xe94/0x18a0 [ 75.418141][ T5324] __slab_alloc+0x65/0x100 [ 75.420857][ T5324] kmem_cache_alloc_noprof+0x3f9/0x6e0 [ 75.437044][ T5324] skb_clone+0x212/0x3a0 [ 75.439182][ T5324] hci_cmd_work+0x2ea/0x6e0 [ 75.455537][ T5324] process_scheduled_works+0xae1/0x17b0 [ 75.458164][ T5324] worker_thread+0x8a0/0xda0 [ 75.466396][ T5324] 
kthread+0x711/0x8a0 [ 75.468268][ T5324] ret_from_fork+0x4bc/0x870 [ 75.476801][ T5324] ret_from_fork_asm+0x1a/0x30 [ 75.478934][ T5324] page_owner free stack trace missing [ 75.480806][ T5324] [ 75.481890][ T5324] Memory state around the buggy address: [ 75.484291][ T5324] ffff888050b91700: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 75.497110][ T5324] ffff888050b91780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.500965][ T5324] >ffff888050b91800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 75.504511][ T5324] ^ [ 75.518001][ T5324] ffff888050b91880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 75.521687][ T5324] ffff888050b91900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.538946][ T5324] ================================================================== [ 75.871675][ T5324] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 75.886107][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 75.890079][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.894207][ T5324] Call Trace: [ 75.905741][ T5324] [ 75.908979][ T5324] dump_stack_lvl+0x99/0x250 [ 75.914189][ T5324] ? __asan_memcpy+0x40/0x70 [ 75.926951][ T5324] ? __pfx_dump_stack_lvl+0x10/0x10 [ 75.929980][ T5324] ? __pfx__printk+0x10/0x10 [ 75.932551][ T5324] vpanic+0x237/0x6d0 [ 75.935599][ T5324] ? __pfx_vpanic+0x10/0x10 [ 75.946095][ T5324] ? preempt_schedule_common+0x83/0xd0 [ 75.962131][ T5324] ? preempt_schedule+0xae/0xc0 [ 75.964151][ T5324] panic+0xb9/0xc0 [ 75.965833][ T5324] ? __pfx_panic+0x10/0x10 [ 75.967681][ T5324] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 75.970249][ T5324] ? sk_skb_reason_drop+0x37/0x170 [ 75.972329][ T5324] check_panic_on_warn+0x89/0xb0 [ 75.995806][ T5324] ? sk_skb_reason_drop+0x37/0x170 [ 75.997736][ T5324] end_report+0x78/0x160 [ 75.999355][ T5324] kasan_report+0x129/0x150 [ 76.001057][ T5324] ? 
sk_skb_reason_drop+0x37/0x170 [ 76.003142][ T5324] kasan_check_range+0x2b0/0x2c0 [ 76.005166][ T5324] sk_skb_reason_drop+0x37/0x170 [ 76.018500][ T5324] nr_transmit_buffer+0x11d/0x1b0 [ 76.023754][ T5324] nr_establish_data_link+0x62/0xb0 [ 76.030117][ T5324] nr_connect+0x6e6/0xde0 [ 76.031905][ T5324] ? __pfx_nr_connect+0x10/0x10 [ 76.034180][ T5324] ? tomoyo_socket_connect_permission+0x164/0x290 [ 76.047120][ T5324] ? bpf_lsm_socket_connect+0x9/0x20 [ 76.049233][ T5324] __sys_connect+0x316/0x440 [ 76.051226][ T5324] ? __pfx___sys_connect+0x10/0x10 [ 76.053603][ T5324] ? rcu_is_watching+0x15/0xb0 [ 76.065888][ T5324] __x64_sys_connect+0x7a/0x90 [ 76.067924][ T5324] do_syscall_64+0xfa/0xfa0 [ 76.069875][ T5324] ? lockdep_hardirqs_on+0x9c/0x150 [ 76.072181][ T5324] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.077538][ T5324] ? clear_bhb_loop+0x60/0xb0 [ 76.079728][ T5324] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.082358][ T5324] RIP: 0033:0x7fb88538efc9 [ 76.091793][ T5324] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 76.117372][ T5324] RSP: 002b:00007fb88619e038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 76.122280][ T5324] RAX: ffffffffffffffda RBX: 00007fb8855e6090 RCX: 00007fb88538efc9 [ 76.135748][ T5324] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000006 [ 76.138948][ T5324] RBP: 00007fb885411f91 R08: 0000000000000000 R09: 0000000000000000 [ 76.143225][ T5324] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 76.157153][ T5324] R13: 00007fb8855e6128 R14: 00007fb8855e6090 R15: 00007ffe89d38e48 [ 76.160811][ T5324] [ 76.162726][ T5324] Kernel Offset: disabled [ 76.164763][ T5324] Rebooting in 86400 seconds..