program: r0 = syz_open_dev$video4linux(&(0x7f0000000000), 0x10000, 0x440) ioctl$VIDIOC_SUBDEV_G_DV_TIMINGS(r0, 0xc0845658, &(0x7f0000000040)={0x0, @reserved}) bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x8, 0x4, &(0x7f0000000040)=@framed={{0xffffffb4, 0x0, 0x0, 0x0, 0x0, 0x61, 0x14, 0x50}, [@ldst={0x7}]}, &(0x7f0000003ff6)='GPL\x00', 0x5, 0xfd90, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @cgroup_skb}, 0x48) r1 = syz_init_net_socket$x25(0x9, 0x5, 0x0) (async) r2 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) (async) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) (async) r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) (async) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000)) (async) ioctl$sock_netrom_SIOCADDRT(r2, 0x890b, &(0x7f00000001c0)={0x1, @default, @bpq0, 0x2, 'syz1\x00', @null, 0x5, 0x0, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}) connect$netrom(r2, &(0x7f0000000300)={{0x6, @default}, [@null, @default, @default, @default, @bcast, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}]}, 0x48) (async) ioctl$sock_ifreq(r1, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'}) (async) r5 = socket$alg(0x26, 0x5, 0x0) ioctl$sock_SIOCADDRT(r5, 0x890b, &(0x7f0000000100)={0x0, @phonet={0x23, 0x0, 0x8, 0x9}, @rc, @llc={0x1a, 0x308, 0x8, 0xa, 0x6c, 0x9, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0xe}}, 0xbf, 0x0, 0x0, 0x0, 0x5, 0x0, 0xd28a, 0x8, 0xcaa}) [ 76.646344][ T5300] Bluetooth: hci0: command tx timeout [ 76.651939][ T1314] ieee802154 phy0 wpan0: encryption failed: -22 [ 76.657926][ T1314] ieee802154 phy1 wpan1: encryption failed: -22 [ 76.823098][ T5321] ================================================================== [ 76.826151][ T5321] BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x37/0x170 [ 76.829437][ T5321] Write of size 4 at addr ffff888011f5fea4 by task syz.0.0/5321 [ 76.832402][ T5321] [ 76.833380][ T5321] CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 76.833395][ T5321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.833402][ T5321] Call Trace: [ 76.833409][ T5321] [ 76.833416][ T5321] dump_stack_lvl+0x189/0x250 [ 76.833434][ T5321] ? __virt_addr_valid+0x1c8/0x5c0 [ 76.833448][ T5321] ? rcu_is_watching+0x15/0xb0 [ 76.833460][ T5321] ? __kasan_check_byte+0x12/0x40 [ 76.833474][ T5321] ? __pfx_dump_stack_lvl+0x10/0x10 [ 76.833487][ T5321] ? rcu_is_watching+0x15/0xb0 [ 76.833497][ T5321] ? lock_release+0x4b/0x3e0 [ 76.833509][ T5321] ? __virt_addr_valid+0x1c8/0x5c0 [ 76.833522][ T5321] ? __virt_addr_valid+0x4a5/0x5c0 [ 76.833536][ T5321] print_report+0xca/0x240 [ 76.833549][ T5321] ? sk_skb_reason_drop+0x37/0x170 [ 76.833563][ T5321] kasan_report+0x118/0x150 [ 76.833578][ T5321] ? sk_skb_reason_drop+0x37/0x170 [ 76.833595][ T5321] kasan_check_range+0x2b0/0x2c0 [ 76.833609][ T5321] sk_skb_reason_drop+0x37/0x170 [ 76.833624][ T5321] nr_transmit_buffer+0x11d/0x1b0 [ 76.833637][ T5321] nr_establish_data_link+0x62/0xb0 [ 76.833648][ T5321] nr_connect+0x6e6/0xde0 [ 76.833664][ T5321] ? __pfx_nr_connect+0x10/0x10 [ 76.833679][ T5321] ? tomoyo_socket_connect_permission+0x164/0x290 [ 76.833752][ T5321] ? bpf_lsm_socket_connect+0x9/0x20 [ 76.833767][ T5321] __sys_connect+0x316/0x440 [ 76.833781][ T5321] ? __pfx___sys_connect+0x10/0x10 [ 76.833797][ T5321] ? rcu_is_watching+0x15/0xb0 [ 76.833810][ T5321] __x64_sys_connect+0x7a/0x90 [ 76.833823][ T5321] do_syscall_64+0xfa/0xfa0 [ 76.833836][ T5321] ? lockdep_hardirqs_on+0x9c/0x150 [ 76.833850][ T5321] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.833860][ T5321] ? clear_bhb_loop+0x60/0xb0 [ 76.833871][ T5321] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.833885][ T5321] RIP: 0033:0x7f5c80b8f6c9 [ 76.833897][ T5321] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 76.833906][ T5321] RSP: 002b:00007f5c81996038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 76.833918][ T5321] RAX: ffffffffffffffda RBX: 00007f5c80de6090 RCX: 00007f5c80b8f6c9 [ 76.833926][ T5321] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000007 [ 76.833933][ T5321] RBP: 00007f5c80c11f91 R08: 0000000000000000 R09: 0000000000000000 [ 76.833939][ T5321] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 76.833950][ T5321] R13: 00007f5c80de6128 R14: 00007f5c80de6090 R15: 00007ffc3ac6f208 [ 76.833961][ T5321] [ 76.833965][ T5321] [ 77.080853][ T5321] Allocated by task 5321: [ 77.083165][ T5321] kasan_save_track+0x3e/0x80 [ 77.085305][ T5321] __kasan_slab_alloc+0x6c/0x80 [ 77.106076][ T5321] kmem_cache_alloc_node_noprof+0x433/0x710 [ 77.108586][ T5321] __alloc_skb+0x112/0x2d0 [ 77.110463][ T5321] nr_write_internal+0xe2/0xc60 [ 77.112464][ T5321] nr_establish_data_link+0x62/0xb0 [ 77.146611][ T5321] nr_connect+0x6e6/0xde0 [ 77.148417][ T5321] __sys_connect+0x316/0x440 [ 77.150357][ T5321] __x64_sys_connect+0x7a/0x90 [ 77.152672][ T5321] do_syscall_64+0xfa/0xfa0 [ 77.154749][ T5321] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.157332][ T5321] [ 77.158478][ T5321] Freed by task 5321: [ 77.160075][ T5321] kasan_save_track+0x3e/0x80 [ 77.161962][ T5321] __kasan_save_free_info+0x46/0x50 [ 77.164052][ T5321] __kasan_slab_free+0x5c/0x80 [ 77.165985][ T5321] kmem_cache_free+0x19b/0x690 [ 77.169041][ T5321] nr_route_frame+0x467/0x7e0 [ 77.170975][ T5321] nr_transmit_buffer+0xe7/0x1b0 [ 77.173030][ T5321] nr_establish_data_link+0x62/0xb0 [ 77.175337][ T5321] nr_connect+0x6e6/0xde0 [ 77.179048][ T5321] __sys_connect+0x316/0x440 [ 77.182653][ T5321] __x64_sys_connect+0x7a/0x90 [ 77.186760][ T5321] do_syscall_64+0xfa/0xfa0 [ 77.189278][ T5321] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.192266][ T5321] [ 77.193242][ T5321] The buggy address belongs to the object at ffff888011f5fdc0 [ 77.193242][ T5321] which belongs to the cache skbuff_head_cache of size 240 [ 77.198539][ T5321] The buggy address is located 228 bytes inside of [ 77.198539][ T5321] freed 240-byte region [ffff888011f5fdc0, ffff888011f5feb0) [ 77.203839][ T5321] [ 77.204777][ T5321] The buggy address belongs to the physical page: [ 77.207350][ T5321] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f5f [ 77.210887][ T5321] anon flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 77.213517][ T5321] page_type: f5(slab) [ 77.215200][ T5321] raw: 00fff00000000000 ffff88801bad5c80 0000000000000000 0000000000000001 [ 77.218939][ T5321] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 77.222457][ T5321] page dumped because: kasan: bad access detected [ 77.225133][ T5321] page_owner tracks the page as allocated [ 77.227301][ T5321] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x528c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NORETRY|__GFP_COMP), pid 5014, tgid 5014 (dhcpcd), ts 71889589066, free_ts 71864017985 [ 77.234110][ T5321] post_alloc_hook+0x240/0x2a0 [ 77.236027][ T5321] get_page_from_freelist+0x2365/0x2440 [ 77.238264][ T5321] __alloc_frozen_pages_noprof+0x181/0x370 [ 77.240627][ T5321] alloc_pages_mpol+0x232/0x4a0 [ 77.242590][ T5321] allocate_slab+0x96/0x350 [ 77.244502][ T5321] ___slab_alloc+0xe94/0x18a0 [ 77.246469][ T5321] __slab_alloc+0x65/0x100 [ 77.248288][ T5321] kmem_cache_alloc_node_noprof+0x4c5/0x710 [ 77.250407][ T5321] __alloc_skb+0x112/0x2d0 [ 77.252006][ T5321] netlink_dump+0x167/0xe90 [ 77.255297][ T5321] __netlink_dump_start+0x5cb/0x7e0 [ 77.257371][ T5321] rtnetlink_rcv_msg+0x9eb/0xb70 [ 77.259544][ T5321] netlink_rcv_skb+0x208/0x470 [ 77.261464][ T5321] netlink_unicast+0x82f/0x9e0 [ 77.263527][ T5321] netlink_sendmsg+0x805/0xb30 [ 77.265580][ T5321] __sock_sendmsg+0x21c/0x270 [ 77.267469][ T5321] page last free pid 5286 tgid 5286 stack trace: [ 77.270117][ T5321] __free_frozen_pages+0xbc4/0xd30 [ 77.272122][ T5321] vfree+0x25a/0x400 [ 77.273642][ T5321] kcov_close+0x28/0x50 [ 77.275335][ T5321] __fput+0x44c/0xa70 [ 77.276956][ T5321] fput_close_sync+0x119/0x200 [ 77.278985][ T5321] __x64_sys_close+0x7f/0x110 [ 77.280964][ T5321] do_syscall_64+0xfa/0xfa0 [ 77.282720][ T5321] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.284752][ T5321] [ 77.285616][ T5321] Memory state around the buggy address: [ 77.287861][ T5321] ffff888011f5fd80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 77.291082][ T5321] ffff888011f5fe00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 77.294269][ T5321] >ffff888011f5fe80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 77.297404][ T5321] ^ [ 77.299518][ T5321] ffff888011f5ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 77.302680][ T5321] ffff888011f5ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 77.305816][ T5321] ================================================================== [ 77.407430][ T5327] 8021q: adding VLAN 0 to HW filter on device bond0 [ 77.433484][ T5327] bond0: (slave rose0): Enslaving as an active interface with an up link [ 77.438739][ T5321] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 77.441950][ T5321] CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 77.445988][ T5321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 77.462303][ T5321] Call Trace: [ 77.463770][ T5321] [ 77.465072][ T5321] dump_stack_lvl+0x99/0x250 [ 77.467262][ T5321] ? __asan_memcpy+0x40/0x70 [ 77.471699][ T5321] ? __pfx_dump_stack_lvl+0x10/0x10 [ 77.478923][ T5321] ? __pfx__printk+0x10/0x10 [ 77.480724][ T5321] vpanic+0x237/0x6d0 [ 77.482332][ T5321] ? __pfx_vpanic+0x10/0x10 [ 77.484116][ T5321] ? preempt_schedule_common+0x83/0xd0 [ 77.486290][ T5321] ? preempt_schedule+0xae/0xc0 [ 77.495350][ T5321] panic+0xb9/0xc0 [ 77.496842][ T5321] ? __pfx_panic+0x10/0x10 [ 77.505557][ T5321] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 77.508239][ T5321] ? sk_skb_reason_drop+0x37/0x170 [ 77.510328][ T5321] check_panic_on_warn+0x89/0xb0 [ 77.512319][ T5321] ? sk_skb_reason_drop+0x37/0x170 [ 77.514471][ T5321] end_report+0x78/0x160 [ 77.516220][ T5321] kasan_report+0x129/0x150 [ 77.526413][ T5321] ? sk_skb_reason_drop+0x37/0x170 [ 77.529310][ T5321] kasan_check_range+0x2b0/0x2c0 [ 77.532170][ T5321] sk_skb_reason_drop+0x37/0x170 [ 77.534666][ T5321] nr_transmit_buffer+0x11d/0x1b0 [ 77.536677][ T5321] nr_establish_data_link+0x62/0xb0 [ 77.539658][ T5321] nr_connect+0x6e6/0xde0 [ 77.542030][ T5321] ? __pfx_nr_connect+0x10/0x10 [ 77.545926][ T5321] ? tomoyo_socket_connect_permission+0x164/0x290 [ 77.570620][ T5321] ? bpf_lsm_socket_connect+0x9/0x20 [ 77.572889][ T5321] __sys_connect+0x316/0x440 [ 77.574682][ T5321] ? __pfx___sys_connect+0x10/0x10 [ 77.576772][ T5321] ? rcu_is_watching+0x15/0xb0 [ 77.578847][ T5321] __x64_sys_connect+0x7a/0x90 [ 77.580717][ T5321] do_syscall_64+0xfa/0xfa0 [ 77.585655][ T5321] ? lockdep_hardirqs_on+0x9c/0x150 [ 77.589769][ T5321] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.592400][ T5321] ? clear_bhb_loop+0x60/0xb0 [ 77.594523][ T5321] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.597098][ T5321] RIP: 0033:0x7f5c80b8f6c9 [ 77.601263][ T5321] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 77.612297][ T5321] RSP: 002b:00007f5c81996038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 77.615665][ T5321] RAX: ffffffffffffffda RBX: 00007f5c80de6090 RCX: 00007f5c80b8f6c9 [ 77.619095][ T5321] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000007 [ 77.622129][ T5321] RBP: 00007f5c80c11f91 R08: 0000000000000000 R09: 0000000000000000 [ 77.625027][ T5321] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 77.628526][ T5321] R13: 00007f5c80de6128 R14: 00007f5c80de6090 R15: 00007ffc3ac6f208 [ 77.633794][ T5321] [ 77.635851][ T5321] Kernel Offset: disabled [ 77.639364][ T5321] Rebooting in 86400 seconds..