Reviewer note (syzkaller report; the reproducer program and the kernel log follow, collapsed onto one line): the "Freed by" stack and the faulting stack below share one synchronous call chain, nr_connect → nr_establish_data_link → nr_transmit_buffer. nr_route_frame releases the skb (kmem_cache_free from nr_route_frame+0x467), and nr_transmit_buffer's own sk_skb_reason_drop then writes 4 bytes at offset 228 of that same freed 240-byte skbuff_head_cache object — i.e. the skb is dropped twice on the NET/ROM transmit failure path, a double free surfacing as a slab-use-after-free. It is reached from connect() on an AF_NETROM socket; the reporting task runs as UID 0, so this log alone does not establish reachability by unprivileged users. Without KASAN/panic_on_warn the second drop would be a silent double kfree_skb; the fix presumably lies in who owns the skb when nr_route_frame reports failure, which the log does not show.
program: r0 = syz_init_net_socket$x25(0x9, 0x5, 0x0) r1 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000000)='hugetlb.1GB.usage_in_bytes\x00', 0x275a, 0x0) write$binfmt_script(r4, &(0x7f0000000900), 0x4) cachestat(r4, &(0x7f0000000040), &(0x7f0000000080), 0x0) r5 = socket$inet_icmp_raw(0x2, 0x3, 0x1) setsockopt$inet_int(r5, 0x0, 0x3, &(0x7f0000000180)=0x4, 0x4) epoll_ctl$EPOLL_CTL_ADD(r4, 0x1, r5, &(0x7f0000000040)={0x100000012}) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000)) ioctl$sock_netrom_SIOCADDRT(r1, 0x890b, &(0x7f00000001c0)={0x1, @default, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x0, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}) connect$netrom(r1, &(0x7f0000000300)={{0x6, @default}, [@null, @default, @default, @default, @bcast, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}]}, 0x48) ioctl$sock_ifreq(r0, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'}) [ 85.423177][ T4688] Bluetooth: hci0: command tx timeout [ 85.551258][ T5344] bpq0: entered promiscuous mode [ 85.570203][ T5345] ================================================================== [ 85.573781][ T5345] BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x37/0x170 [ 85.577586][ T5345] Write of size 4 at addr ffff8880437104a4 by task syz.0.0/5345 [ 85.580738][ 
T5345] [ 85.581758][ T5345] CPU: 0 UID: 0 PID: 5345 Comm: syz.0.0 Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(full) [ 85.581774][ T5345] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.581784][ T5345] Call Trace: [ 85.581793][ T5345] [ 85.581800][ T5345] dump_stack_lvl+0x189/0x250 [ 85.581817][ T5345] ? __virt_addr_valid+0x1c8/0x5c0 [ 85.581833][ T5345] ? rcu_is_watching+0x15/0xb0 [ 85.581889][ T5345] ? __kasan_check_byte+0x12/0x40 [ 85.581904][ T5345] ? __pfx_dump_stack_lvl+0x10/0x10 [ 85.581916][ T5345] ? rcu_is_watching+0x15/0xb0 [ 85.581929][ T5345] ? lock_release+0x4b/0x3e0 [ 85.581942][ T5345] ? __virt_addr_valid+0x1c8/0x5c0 [ 85.581957][ T5345] ? __virt_addr_valid+0x4a5/0x5c0 [ 85.581972][ T5345] print_report+0xca/0x230 [ 85.581982][ T5345] ? sk_skb_reason_drop+0x37/0x170 [ 85.581997][ T5345] kasan_report+0x118/0x150 [ 85.582013][ T5345] ? sk_skb_reason_drop+0x37/0x170 [ 85.582032][ T5345] kasan_check_range+0x2b0/0x2c0 [ 85.582048][ T5345] sk_skb_reason_drop+0x37/0x170 [ 85.582063][ T5345] nr_transmit_buffer+0x11d/0x1b0 [ 85.582076][ T5345] nr_establish_data_link+0x62/0xb0 [ 85.582086][ T5345] nr_connect+0x6e6/0xde0 [ 85.582104][ T5345] ? __pfx_nr_connect+0x10/0x10 [ 85.582121][ T5345] ? tomoyo_socket_connect_permission+0x164/0x290 [ 85.582135][ T5345] ? bpf_lsm_socket_connect+0x9/0x20 [ 85.582153][ T5345] __sys_connect+0x316/0x440 [ 85.582184][ T5345] ? __rseq_handle_notify_resume+0x37e/0x11f0 [ 85.582203][ T5345] ? __pfx___sys_connect+0x10/0x10 [ 85.582220][ T5345] ? rcu_is_watching+0x15/0xb0 [ 85.582237][ T5345] __x64_sys_connect+0x7a/0x90 [ 85.582249][ T5345] do_syscall_64+0xfa/0x3b0 [ 85.582299][ T5345] ? lockdep_hardirqs_on+0x9c/0x150 [ 85.582312][ T5345] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.582330][ T5345] ? 
clear_bhb_loop+0x60/0xb0 [ 85.582345][ T5345] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.582358][ T5345] RIP: 0033:0x7f486958e9a9 [ 85.582371][ T5345] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 85.582382][ T5345] RSP: 002b:00007f486a334038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 85.582395][ T5345] RAX: ffffffffffffffda RBX: 00007f48697b6080 RCX: 00007f486958e9a9 [ 85.582413][ T5345] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000005 [ 85.582421][ T5345] RBP: 00007f4869610d69 R08: 0000000000000000 R09: 0000000000000000 [ 85.582428][ T5345] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 85.582435][ T5345] R13: 0000000000000000 R14: 00007f48697b6080 R15: 00007ffdeab27988 [ 85.582447][ T5345] [ 85.582452][ T5345] [ 85.701066][ T5345] Allocated by task 5345: [ 85.703393][ T5345] kasan_save_track+0x3e/0x80 [ 85.706332][ T5345] __kasan_slab_alloc+0x6c/0x80 [ 85.709085][ T5345] kmem_cache_alloc_node_noprof+0x1bb/0x3c0 [ 85.712139][ T5345] __alloc_skb+0x112/0x2d0 [ 85.714246][ T5345] nr_write_internal+0xe2/0xc60 [ 85.716500][ T5345] nr_establish_data_link+0x62/0xb0 [ 85.718860][ T5345] nr_connect+0x6e6/0xde0 [ 85.720825][ T5345] __sys_connect+0x316/0x440 [ 85.722890][ T5345] __x64_sys_connect+0x7a/0x90 [ 85.724840][ T5345] do_syscall_64+0xfa/0x3b0 [ 85.726782][ T5345] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.729209][ T5345] [ 85.730175][ T5345] Freed by task 5345: [ 85.731712][ T5345] kasan_save_track+0x3e/0x80 [ 85.733553][ T5345] kasan_save_free_info+0x46/0x50 [ 85.735639][ T5345] __kasan_slab_free+0x62/0x70 [ 85.737542][ T5345] kmem_cache_free+0x18f/0x400 [ 85.739643][ T5345] nr_route_frame+0x467/0x7e0 [ 85.741405][ T5345] nr_transmit_buffer+0xe7/0x1b0 [ 85.743420][ T5345] nr_establish_data_link+0x62/0xb0 [ 85.745506][ T5345] nr_connect+0x6e6/0xde0 [ 85.747300][ 
T5345] __sys_connect+0x316/0x440 [ 85.749769][ T5345] __x64_sys_connect+0x7a/0x90 [ 85.751926][ T5345] do_syscall_64+0xfa/0x3b0 [ 85.754013][ T5345] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.756673][ T5345] [ 85.757726][ T5345] The buggy address belongs to the object at ffff8880437103c0 [ 85.757726][ T5345] which belongs to the cache skbuff_head_cache of size 240 [ 85.764178][ T5345] The buggy address is located 228 bytes inside of [ 85.764178][ T5345] freed 240-byte region [ffff8880437103c0, ffff8880437104b0) [ 85.769684][ T5345] [ 85.770725][ T5345] The buggy address belongs to the physical page: [ 85.773492][ T5345] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43710 [ 85.777174][ T5345] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 85.780243][ T5345] page_type: f5(slab) [ 85.782059][ T5345] raw: 04fff00000000000 ffff88801bef7b40 dead000000000122 0000000000000000 [ 85.785826][ T5345] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 85.789600][ T5345] page dumped because: kasan: bad access detected [ 85.794217][ T5345] page_owner tracks the page as allocated [ 85.796609][ T5345] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5034, tgid 5034 (dhcpcd), ts 85565679698, free_ts 85545428158 [ 85.804121][ T5345] post_alloc_hook+0x240/0x2a0 [ 85.806031][ T5345] get_page_from_freelist+0x21e4/0x22c0 [ 85.808234][ T5345] __alloc_frozen_pages_noprof+0x181/0x370 [ 85.810673][ T5345] alloc_pages_mpol+0x232/0x4a0 [ 85.812858][ T5345] allocate_slab+0x8a/0x3b0 [ 85.814855][ T5345] ___slab_alloc+0xbfc/0x1480 [ 85.816933][ T5345] kmem_cache_alloc_node_noprof+0x280/0x3c0 [ 85.819807][ T5345] __alloc_skb+0x112/0x2d0 [ 85.822087][ T5345] alloc_skb_with_frags+0xca/0x890 [ 85.824671][ T5345] sock_alloc_send_pskb+0x857/0x990 [ 85.827034][ T5345] unix_dgram_sendmsg+0x4f6/0x1870 [ 85.829418][ T5345] __sock_sendmsg+0x21c/0x270 [ 85.831601][ 
T5345] __sys_sendto+0x3bd/0x520 [ 85.833785][ T5345] __x64_sys_sendto+0xde/0x100 [ 85.835920][ T5345] do_syscall_64+0xfa/0x3b0 [ 85.838002][ T5345] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.840625][ T5345] page last free pid 5347 tgid 5347 stack trace: [ 85.843483][ T5345] __free_frozen_pages+0xc71/0xe70 [ 85.846070][ T5345] __slab_free+0x326/0x400 [ 85.848405][ T5345] qlist_free_all+0x97/0x140 [ 85.850553][ T5345] kasan_quarantine_reduce+0x148/0x160 [ 85.853012][ T5345] __kasan_slab_alloc+0x22/0x80 [ 85.855253][ T5345] kmem_cache_alloc_node_noprof+0x1bb/0x3c0 [ 85.857967][ T5345] __alloc_skb+0x112/0x2d0 [ 85.860028][ T5345] alloc_skb_with_frags+0xca/0x890 [ 85.862336][ T5345] sock_alloc_send_pskb+0x857/0x990 [ 85.864695][ T5345] unix_dgram_sendmsg+0x4f6/0x1870 [ 85.866912][ T5345] __sock_sendmsg+0x21c/0x270 [ 85.869066][ T5345] sock_write_iter+0x258/0x330 [ 85.871285][ T5345] vfs_write+0x548/0xa90 [ 85.873328][ T5345] ksys_write+0x145/0x250 [ 85.875345][ T5345] do_syscall_64+0xfa/0x3b0 [ 85.877509][ T5345] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.880173][ T5345] [ 85.881261][ T5345] Memory state around the buggy address: [ 85.883757][ T5345] ffff888043710380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 85.887329][ T5345] ffff888043710400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 85.890952][ T5345] >ffff888043710480: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 85.894536][ T5345] ^ [ 85.896959][ T5345] ffff888043710500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 85.900775][ T5345] ffff888043710580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 85.904135][ T5345] ================================================================== [ 85.947215][ T5344] bpq0: entered allmulticast mode [ 85.954544][ T5345] Kernel panic - not syncing: KASAN: panic_on_warn set ... 
[ 85.958233][ T5345] CPU: 0 UID: 0 PID: 5345 Comm: syz.0.0 Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(full) [ 85.962735][ T5345] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.967693][ T5345] Call Trace: [ 85.969471][ T5345] [ 85.970886][ T5345] dump_stack_lvl+0x99/0x250 [ 85.973093][ T5345] ? __asan_memcpy+0x40/0x70 [ 85.975547][ T5345] ? __pfx_dump_stack_lvl+0x10/0x10 [ 85.978355][ T5345] ? __pfx__printk+0x10/0x10 [ 85.980669][ T5345] panic+0x2db/0x790 [ 85.982486][ T5345] ? __pfx_preempt_schedule+0x10/0x10 [ 85.984945][ T5345] ? __pfx_panic+0x10/0x10 [ 85.986922][ T5345] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 85.989592][ T5345] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 85.992367][ T5345] ? sk_skb_reason_drop+0x37/0x170 [ 85.994796][ T5345] check_panic_on_warn+0x89/0xb0 [ 85.997022][ T5345] ? sk_skb_reason_drop+0x37/0x170 [ 85.999257][ T5345] end_report+0x78/0x160 [ 86.001198][ T5345] kasan_report+0x129/0x150 [ 86.003258][ T5345] ? sk_skb_reason_drop+0x37/0x170 [ 86.005460][ T5345] kasan_check_range+0x2b0/0x2c0 [ 86.007718][ T5345] sk_skb_reason_drop+0x37/0x170 [ 86.009887][ T5345] nr_transmit_buffer+0x11d/0x1b0 [ 86.012179][ T5345] nr_establish_data_link+0x62/0xb0 [ 86.014532][ T5345] nr_connect+0x6e6/0xde0 [ 86.016473][ T5345] ? __pfx_nr_connect+0x10/0x10 [ 86.018630][ T5345] ? tomoyo_socket_connect_permission+0x164/0x290 [ 86.021610][ T5345] ? bpf_lsm_socket_connect+0x9/0x20 [ 86.024229][ T5345] __sys_connect+0x316/0x440 [ 86.026498][ T5345] ? __rseq_handle_notify_resume+0x37e/0x11f0 [ 86.029308][ T5345] ? __pfx___sys_connect+0x10/0x10 [ 86.031493][ T5345] ? rcu_is_watching+0x15/0xb0 [ 86.033682][ T5345] __x64_sys_connect+0x7a/0x90 [ 86.035832][ T5345] do_syscall_64+0xfa/0x3b0 [ 86.037897][ T5345] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.040255][ T5345] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.043005][ T5345] ? 
clear_bhb_loop+0x60/0xb0 [ 86.045648][ T5345] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.048320][ T5345] RIP: 0033:0x7f486958e9a9 [ 86.050442][ T5345] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 86.059002][ T5345] RSP: 002b:00007f486a334038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 86.062781][ T5345] RAX: ffffffffffffffda RBX: 00007f48697b6080 RCX: 00007f486958e9a9 [ 86.066331][ T5345] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000005 [ 86.069907][ T5345] RBP: 00007f4869610d69 R08: 0000000000000000 R09: 0000000000000000 [ 86.073420][ T5345] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 86.077005][ T5345] R13: 0000000000000000 R14: 00007f48697b6080 R15: 00007ffdeab27988 [ 86.080777][ T5345] [ 86.082547][ T5345] Kernel Offset: disabled [ 86.084512][ T5345] Rebooting in 86400 seconds..