program: r0 = syz_init_net_socket$x25(0x9, 0x5, 0x0) (async) r1 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) (async) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) (async) sendfile(r0, r2, 0x0, 0x3) r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) r4 = memfd_secret(0x0) futimesat(r4, 0x0, 0x0) (async) keyctl$update(0x2, 0x0, 0x0, 0x2d) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) (async) ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000)) (async) ioctl$GIO_CMAP(r4, 0x4b70, &(0x7f0000000040)) (async) ioctl$sock_netrom_SIOCADDRT(r1, 0x890b, &(0x7f00000001c0)={0x1, @default, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x0, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}) connect$netrom(r1, &(0x7f0000000300)={{0x6, @default}, [@null, @default, @default, @default, @bcast, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}]}, 0x48) ioctl$sock_ifreq(r0, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'}) [ 85.318195][ T4681] Bluetooth: hci0: command tx timeout [ 85.368952][ T5346] ================================================================== [ 85.372536][ T5346] BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x37/0x170 [ 85.375834][ T5346] Write of size 4 at addr ffff88802305a224 by task syz.0.0/5346 [ 85.378900][ T5346] [ 85.379924][ T5346] CPU: 0 UID: 0 PID: 5346 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 85.379938][ T5346] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 
85.379945][ T5346] Call Trace: [ 85.379952][ T5346] [ 85.379958][ T5346] dump_stack_lvl+0xe8/0x150 [ 85.379975][ T5346] print_report+0xca/0x240 [ 85.379986][ T5346] ? sk_skb_reason_drop+0x37/0x170 [ 85.379996][ T5346] kasan_report+0x118/0x150 [ 85.380045][ T5346] ? sk_skb_reason_drop+0x37/0x170 [ 85.380056][ T5346] kasan_check_range+0x2b0/0x2c0 [ 85.380067][ T5346] sk_skb_reason_drop+0x37/0x170 [ 85.380076][ T5346] nr_transmit_buffer+0x11d/0x1b0 [ 85.380087][ T5346] nr_establish_data_link+0x62/0xb0 [ 85.380096][ T5346] nr_connect+0x6e6/0xde0 [ 85.380116][ T5346] ? __pfx_nr_connect+0x10/0x10 [ 85.380127][ T5346] ? tomoyo_socket_connect_permission+0x164/0x290 [ 85.380143][ T5346] ? bpf_lsm_socket_connect+0x9/0x20 [ 85.380158][ T5346] __sys_connect+0x316/0x440 [ 85.380179][ T5346] ? __pfx___sys_connect+0x10/0x10 [ 85.380191][ T5346] ? rcu_is_watching+0x15/0xb0 [ 85.380201][ T5346] __x64_sys_connect+0x7a/0x90 [ 85.380210][ T5346] do_syscall_64+0xec/0xf80 [ 85.380243][ T5346] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.380253][ T5346] ? trace_irq_disable+0x37/0x100 [ 85.380265][ T5346] ? 
clear_bhb_loop+0x60/0xb0 [ 85.380276][ T5346] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.380286][ T5346] RIP: 0033:0x7f3d7f98f7c9 [ 85.380296][ T5346] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 85.380305][ T5346] RSP: 002b:00007f3d807e2038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 85.380317][ T5346] RAX: ffffffffffffffda RBX: 00007f3d7fbe5fa0 RCX: 00007f3d7f98f7c9 [ 85.380325][ T5346] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000005 [ 85.380331][ T5346] RBP: 00007f3d7fa13f91 R08: 0000000000000000 R09: 0000000000000000 [ 85.380337][ T5346] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 85.380342][ T5346] R13: 00007f3d7fbe6038 R14: 00007f3d7fbe5fa0 R15: 00007ffcb016e548 [ 85.380352][ T5346] [ 85.380356][ T5346] [ 85.472332][ T5346] Allocated by task 5346: [ 85.474378][ T5346] kasan_save_track+0x3e/0x80 [ 85.476452][ T5346] __kasan_slab_alloc+0x6c/0x80 [ 85.478465][ T5346] kmem_cache_alloc_node_noprof+0x43c/0x720 [ 85.480929][ T5346] __alloc_skb+0x1dc/0x3a0 [ 85.482821][ T5346] nr_write_internal+0xe2/0xc60 [ 85.484877][ T5346] nr_establish_data_link+0x62/0xb0 [ 85.487146][ T5346] nr_connect+0x6e6/0xde0 [ 85.489113][ T5346] __sys_connect+0x316/0x440 [ 85.491248][ T5346] __x64_sys_connect+0x7a/0x90 [ 85.493466][ T5346] do_syscall_64+0xec/0xf80 [ 85.495506][ T5346] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.498121][ T5346] [ 85.499240][ T5346] Freed by task 5346: [ 85.501034][ T5346] kasan_save_track+0x3e/0x80 [ 85.503117][ T5346] kasan_save_free_info+0x46/0x50 [ 85.505319][ T5346] __kasan_slab_free+0x5c/0x80 [ 85.507407][ T5346] kmem_cache_free+0x197/0x620 [ 85.509414][ T5346] nr_route_frame+0x467/0x7e0 [ 85.511375][ T5346] nr_transmit_buffer+0xe7/0x1b0 [ 85.513491][ T5346] nr_establish_data_link+0x62/0xb0 [ 85.515731][ T5346] nr_connect+0x6e6/0xde0 [ 85.517727][ 
T5346] __sys_connect+0x316/0x440 [ 85.519784][ T5346] __x64_sys_connect+0x7a/0x90 [ 85.521903][ T5346] do_syscall_64+0xec/0xf80 [ 85.523775][ T5346] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.526383][ T5346] [ 85.527484][ T5346] The buggy address belongs to the object at ffff88802305a140 [ 85.527484][ T5346] which belongs to the cache skbuff_head_cache of size 240 [ 85.533613][ T5346] The buggy address is located 228 bytes inside of [ 85.533613][ T5346] freed 240-byte region [ffff88802305a140, ffff88802305a230) [ 85.539244][ T5346] [ 85.540378][ T5346] The buggy address belongs to the physical page: [ 85.543107][ T5346] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2305a [ 85.547018][ T5346] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 85.550122][ T5346] page_type: f5(slab) [ 85.551815][ T5346] raw: 00fff00000000000 ffff88803040fdc0 dead000000000122 0000000000000000 [ 85.555263][ T5346] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 85.558896][ T5346] page dumped because: kasan: bad access detected [ 85.561567][ T5346] page_owner tracks the page as allocated [ 85.563884][ T5346] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 787, tgid 787 (kworker/0:2), ts 85364507446, free_ts 85349851330 [ 85.571384][ T5346] post_alloc_hook+0x234/0x290 [ 85.573261][ T5346] get_page_from_freelist+0x24e0/0x2580 [ 85.575439][ T5346] __alloc_frozen_pages_noprof+0x181/0x370 [ 85.577886][ T5346] alloc_pages_mpol+0x232/0x4a0 [ 85.579887][ T5346] allocate_slab+0x86/0x3b0 [ 85.581735][ T5346] ___slab_alloc+0xe53/0x1820 [ 85.583711][ T5346] __slab_alloc+0x65/0x100 [ 85.585520][ T5346] kmem_cache_alloc_node_noprof+0x4ce/0x720 [ 85.587906][ T5346] __alloc_skb+0x1dc/0x3a0 [ 85.589855][ T5346] __pskb_copy_fclone+0xa8/0xfb0 [ 85.591815][ T5346] hsr_create_tagged_frame+0x24e/0xe10 [ 85.594058][ T5346] hsr_forward_skb+0x1013/0x2860 [ 85.596232][ T5346] 
hsr_dev_xmit+0x242/0x360 [ 85.598143][ T5346] dev_hard_start_xmit+0x2cd/0x800 [ 85.600272][ T5346] __dev_queue_xmit+0x149d/0x31c0 [ 85.602453][ T5346] ip6_finish_output+0x234/0x7d0 [ 85.604522][ T5346] page last free pid 5345 tgid 5345 stack trace: [ 85.607386][ T5346] __free_frozen_pages+0xbc8/0xd30 [ 85.610220][ T5346] __kasan_populate_vmalloc+0x1b2/0x1d0 [ 85.612955][ T5346] alloc_vmap_area+0xdc4/0x14e0 [ 85.615354][ T5346] __get_vm_area_node+0x1f8/0x300 [ 85.618029][ T5346] __vmalloc_node_range_noprof+0x371/0x16a0 [ 85.621109][ T5346] __vmalloc_node_noprof+0xc2/0x110 [ 85.623770][ T5346] dup_task_struct+0x228/0x9a0 [ 85.625890][ T5346] copy_process+0x4ea/0x3950 [ 85.627682][ T5346] kernel_clone+0x21e/0x820 [ 85.629417][ T5346] __se_sys_clone3+0x256/0x2d0 [ 85.631577][ T5346] do_syscall_64+0xec/0xf80 [ 85.633527][ T5346] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.635797][ T5346] [ 85.636765][ T5346] Memory state around the buggy address: [ 85.639085][ T5346] ffff88802305a100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 85.642583][ T5346] ffff88802305a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 85.646000][ T5346] >ffff88802305a200: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 85.649401][ T5346] ^ [ 85.651640][ T5346] ffff88802305a280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 85.654807][ T5346] ffff88802305a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 85.658088][ T5346] ================================================================== [ 85.677805][ T5346] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 85.681038][ T5346] CPU: 0 UID: 0 PID: 5346 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 85.685030][ T5346] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.689339][ T5346] Call Trace: [ 85.690658][ T5346] [ 85.691772][ T5346] vpanic+0x1e0/0x670 [ 85.693475][ T5346] panic+0xb9/0xc0 [ 85.695110][ T5346] ? __pfx_panic+0x10/0x10 [ 85.697129][ T5346] ? 
preempt_schedule_thunk+0x16/0x30 [ 85.699589][ T5346] ? sk_skb_reason_drop+0x37/0x170 [ 85.701766][ T5346] ? preempt_schedule_thunk+0x16/0x30 [ 85.704065][ T5346] ? sk_skb_reason_drop+0x37/0x170 [ 85.706338][ T5346] check_panic_on_warn+0x89/0xb0 [ 85.708539][ T5346] ? sk_skb_reason_drop+0x37/0x170 [ 85.710759][ T5346] end_report+0x6f/0x140 [ 85.712431][ T5346] kasan_report+0x129/0x150 [ 85.714297][ T5346] ? sk_skb_reason_drop+0x37/0x170 [ 85.716525][ T5346] kasan_check_range+0x2b0/0x2c0 [ 85.718416][ T5346] sk_skb_reason_drop+0x37/0x170 [ 85.720510][ T5346] nr_transmit_buffer+0x11d/0x1b0 [ 85.723130][ T5346] nr_establish_data_link+0x62/0xb0 [ 85.725507][ T5346] nr_connect+0x6e6/0xde0 [ 85.727460][ T5346] ? __pfx_nr_connect+0x10/0x10 [ 85.729660][ T5346] ? tomoyo_socket_connect_permission+0x164/0x290 [ 85.732441][ T5346] ? bpf_lsm_socket_connect+0x9/0x20 [ 85.734733][ T5346] __sys_connect+0x316/0x440 [ 85.736552][ T5346] ? __pfx___sys_connect+0x10/0x10 [ 85.738716][ T5346] ? rcu_is_watching+0x15/0xb0 [ 85.740829][ T5346] __x64_sys_connect+0x7a/0x90 [ 85.742817][ T5346] do_syscall_64+0xec/0xf80 [ 85.744722][ T5346] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.747208][ T5346] ? trace_irq_disable+0x37/0x100 [ 85.749545][ T5346] ? 
clear_bhb_loop+0x60/0xb0
[ 85.751449][ T5346] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.754082][ T5346] RIP: 0033:0x7f3d7f98f7c9
[ 85.755844][ T5346] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 85.763859][ T5346] RSP: 002b:00007f3d807e2038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 85.767365][ T5346] RAX: ffffffffffffffda RBX: 00007f3d7fbe5fa0 RCX: 00007f3d7f98f7c9
[ 85.770879][ T5346] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000005
[ 85.774242][ T5346] RBP: 00007f3d7fa13f91 R08: 0000000000000000 R09: 0000000000000000
[ 85.777543][ T5346] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 85.781193][ T5346] R13: 00007f3d7fbe6038 R14: 00007f3d7fbe5fa0 R15: 00007ffcb016e548
[ 85.784636][ T5346]
[ 85.786395][ T5346] Kernel Offset: disabled
[ 85.788353][ T5346] Rebooting in 86400 seconds..

Triage note (reviewer, derived only from the stacks above): this is a slab use-after-free in the NET/ROM (AF_NETROM) connect path — a 4-byte write at offset 228 of a freed 240-byte skbuff_head_cache object, performed by sk_skb_reason_drop when called from nr_transmit_buffer. The allocation, the free and the faulting access all belong to the same task (PID 5346) on one synchronous connect() call: the skb is allocated in nr_write_internal (via nr_establish_data_link <- nr_connect), freed inside nr_route_frame (called from nr_transmit_buffer), and then dropped again by nr_transmit_buffer itself. That pattern indicates nr_route_frame frees the skb on some return path that the caller treats as "frame not consumed" and frees a second time; which exact return path is responsible is not shown in this report and must be confirmed against the source. The syzkaller program reaches it through connect$netrom on the netrom socket (r1) after ioctl$sock_netrom_SIOCADDRT installs a route; whether the route insertion is required to hit the bug, and what privilege the reproducer needs (the ioctl is a route-administration operation), is not established by this report. Two parts of the log are noise for this bug: the "Bluetooth: hci0: command tx timeout" line, and the page_owner "page last allocated"/"page last free" stacks (hsr/ip6 xmit and clone3), which describe the backing slab page, not the freed skb object. Impact of the write into freed slab memory is slab metadata/object corruption; the machine panicked only because panic_on_warn is set in this fuzzing configuration.