program: r0 = syz_open_dev$video(&(0x7f0000000040), 0xa7, 0x0) r1 = socket$igmp(0x2, 0x3, 0x2) setsockopt$MRT_PIM(r1, 0x0, 0xcf, &(0x7f0000000080), 0x4) r2 = syz_init_net_socket$x25(0x9, 0x5, 0x0) (async) r3 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) (async) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) (async) r5 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) (async) ioctl$sock_netdev_private(r5, 0x8914, &(0x7f0000000000)) (async) ioctl$sock_netrom_SIOCADDRT(r3, 0x890b, &(0x7f00000001c0)={0x1, @default, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x0, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}) connect$netrom(r3, &(0x7f0000000300)={{0x6, @default}, [@null, @default, @default, @default, @bcast, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}]}, 0x48) (async) ioctl$sock_ifreq(r2, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'}) ioctl$VIDIOC_G_CROP(r0, 0xc014563b, &(0x7f0000001480)={0xe, {0x0, 0x0, 0x7fffffff}}) r6 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000000), 0x802, 0x0) (async) r7 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000100), 0xffffffffffffffff) sendmsg$TIPC_NL_MON_SET(r6, &(0x7f0000000280)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x2}, 0xc, &(0x7f0000000240)={&(0x7f0000000380)=ANY=[@ANYBLOB='$\x00\x00\x00', @ANYRES16=r7, @ANYBLOB="00022abd7000fadbdf25110000000000d5a958f6cc6dde5f96e8679325c987ebe60c456c2108a54bbf48552f9875d48743584ed2b93b653471d455f57c65a6cb872daacb104b418dc27daeabc63c9df215d429818f18f3b5bc67d12efadb91e21a95a959520027f510ff1531a2b20656a87e89275c61c9294c265b59ae2faf8b033fc23058902806d07a9c6a4f685e71b64253070d8fe2ddf18b5ffa0982adc6dceeae5b0760cc0f7233517421be69cf14c7bb70e6a013ec107c344f827108e0e59afa46a15ac159c53da24548407c7afdc01d649ec72c51132133a5e208fb8afc265f3c7591e5ed89e2f6ac009088000000000000000807615a80891447bde9f6d98478bb8b1671928152678443b94fbf57f902ec7dd90fd598aaff22baa139bc5e2eddbbf52100000000000000"], 0x24}, 0x1, 0x0, 0x0, 0x8044800}, 0x0) [ 75.078850][ T4677] Bluetooth: hci0: command tx timeout [ 75.179191][ T5332] ================================================================== [ 75.182729][ T5332] BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x37/0x170 [ 75.186338][ T5332] Write of size 4 at addr ffff88801a3f7c24 by task syz.0.0/5332 [ 75.189696][ T5332] [ 75.190853][ T5332] CPU: 0 UID: 0 PID: 5332 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 75.190868][ T5332] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.190875][ T5332] Call Trace: [ 75.190884][ T5332] [ 75.190890][ T5332] dump_stack_lvl+0xe8/0x150 [ 75.190909][ T5332] print_report+0xca/0x240 [ 75.190921][ T5332] ? sk_skb_reason_drop+0x37/0x170 [ 75.190932][ T5332] kasan_report+0x118/0x150 [ 75.190999][ T5332] ? sk_skb_reason_drop+0x37/0x170 [ 75.191011][ T5332] kasan_check_range+0x2b0/0x2c0 [ 75.191023][ T5332] sk_skb_reason_drop+0x37/0x170 [ 75.191033][ T5332] nr_transmit_buffer+0x11d/0x1b0 [ 75.191045][ T5332] nr_establish_data_link+0x62/0xb0 [ 75.191081][ T5332] nr_connect+0x6e6/0xde0 [ 75.191098][ T5332] ? __pfx_nr_connect+0x10/0x10 [ 75.191112][ T5332] ? tomoyo_socket_connect_permission+0x164/0x290 [ 75.191128][ T5332] ? bpf_lsm_socket_connect+0x9/0x20 [ 75.191144][ T5332] __sys_connect+0x316/0x440 [ 75.191161][ T5332] ? __pfx___sys_connect+0x10/0x10 [ 75.191179][ T5332] ? rcu_is_watching+0x15/0xb0 [ 75.191195][ T5332] __x64_sys_connect+0x7a/0x90 [ 75.191210][ T5332] do_syscall_64+0xec/0xf80 [ 75.191253][ T5332] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.191264][ T5332] ? trace_irq_disable+0x37/0x100 [ 75.191279][ T5332] ? clear_bhb_loop+0x60/0xb0 [ 75.191291][ T5332] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.191302][ T5332] RIP: 0033:0x7f36ccb8f7c9 [ 75.191313][ T5332] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 75.191323][ T5332] RSP: 002b:00007f36cd990038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 75.191336][ T5332] RAX: ffffffffffffffda RBX: 00007f36ccde6090 RCX: 00007f36ccb8f7c9 [ 75.191345][ T5332] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000006 [ 75.191352][ T5332] RBP: 00007f36ccc13f91 R08: 0000000000000000 R09: 0000000000000000 [ 75.191360][ T5332] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 75.191368][ T5332] R13: 00007f36ccde6128 R14: 00007f36ccde6090 R15: 00007fff8d77a378 [ 75.191381][ T5332] [ 75.191386][ T5332] [ 75.283541][ T5332] Allocated by task 5332: [ 75.285309][ T5332] kasan_save_track+0x3e/0x80 [ 75.287440][ T5332] __kasan_slab_alloc+0x6c/0x80 [ 75.289607][ T5332] kmem_cache_alloc_node_noprof+0x43c/0x720 [ 75.292192][ T5332] __alloc_skb+0x1dc/0x3a0 [ 75.294223][ T5332] nr_write_internal+0xe2/0xc60 [ 75.296425][ T5332] nr_establish_data_link+0x62/0xb0 [ 75.298478][ T5332] nr_connect+0x6e6/0xde0 [ 75.300208][ T5332] __sys_connect+0x316/0x440 [ 75.302302][ T5332] __x64_sys_connect+0x7a/0x90 [ 75.304444][ T5332] do_syscall_64+0xec/0xf80 [ 75.306483][ T5332] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.309121][ T5332] [ 75.310190][ T5332] Freed by task 5332: [ 75.311840][ T5332] kasan_save_track+0x3e/0x80 [ 75.313827][ T5332] kasan_save_free_info+0x46/0x50 [ 75.316063][ T5332] __kasan_slab_free+0x5c/0x80 [ 75.318209][ T5332] kmem_cache_free+0x197/0x620 [ 75.320352][ T5332] nr_route_frame+0x467/0x7e0 [ 75.322410][ T5332] nr_transmit_buffer+0xe7/0x1b0 [ 75.324555][ T5332] nr_establish_data_link+0x62/0xb0 [ 75.326823][ T5332] nr_connect+0x6e6/0xde0 [ 75.328757][ T5332] __sys_connect+0x316/0x440 [ 75.330756][ T5332] __x64_sys_connect+0x7a/0x90 [ 75.332925][ T5332] do_syscall_64+0xec/0xf80 [ 75.334857][ T5332] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.337424][ T5332] [ 75.338718][ T5332] The buggy address belongs to the object at ffff88801a3f7b40 [ 75.338718][ T5332] which belongs to the cache skbuff_head_cache of size 240 [ 75.346237][ T5332] The buggy address is located 228 bytes inside of [ 75.346237][ T5332] freed 240-byte region [ffff88801a3f7b40, ffff88801a3f7c30) [ 75.352417][ T5332] [ 75.353513][ T5332] The buggy address belongs to the physical page: [ 75.356377][ T5332] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1a3f7 [ 75.359984][ T5332] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 75.362656][ T5332] page_type: f5(slab) [ 75.364383][ T5332] raw: 00fff00000000000 ffff88801badadc0 dead000000000122 0000000000000000 [ 75.367795][ T5332] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 75.371461][ T5332] page dumped because: kasan: bad access detected [ 75.374274][ T5332] page_owner tracks the page as allocated [ 75.376859][ T5332] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5328, tgid 5328 (kworker/0:5), ts 75150773028, free_ts 73059053016 [ 75.384677][ T5332] post_alloc_hook+0x234/0x290 [ 75.386357][ T5332] get_page_from_freelist+0x24e0/0x2580 [ 75.388476][ T5332] __alloc_frozen_pages_noprof+0x181/0x370 [ 75.390784][ T5332] alloc_pages_mpol+0x232/0x4a0 [ 75.392766][ T5332] allocate_slab+0x86/0x3b0 [ 75.394601][ T5332] ___slab_alloc+0xe53/0x1820 [ 75.396616][ T5332] __slab_alloc+0x65/0x100 [ 75.398625][ T5332] kmem_cache_alloc_node_noprof+0x4ce/0x720 [ 75.401239][ T5332] __alloc_skb+0x1dc/0x3a0 [ 75.402971][ T5332] __pskb_copy_fclone+0xa8/0xfb0 [ 75.404880][ T5332] hsr_create_tagged_frame+0x24e/0xe10 [ 75.407301][ T5332] hsr_forward_skb+0x1013/0x2860 [ 75.409431][ T5332] hsr_dev_xmit+0x242/0x360 [ 75.411509][ T5332] dev_hard_start_xmit+0x2cd/0x800 [ 75.413681][ T5332] __dev_queue_xmit+0x149d/0x31c0 [ 75.415801][ T5332] ip6_finish_output+0x234/0x7d0 [ 75.417864][ T5332] page last free pid 79 tgid 79 stack trace: [ 75.420269][ T5332] __free_frozen_pages+0xbc8/0xd30 [ 75.422425][ T5332] rcu_core+0xc8e/0x1720 [ 75.424239][ T5332] handle_softirqs+0x22b/0x7c0 [ 75.426284][ T5332] do_softirq+0x76/0xd0 [ 75.428075][ T5332] __local_bh_enable_ip+0xf8/0x130 [ 75.430220][ T5332] scomp_acomp_comp_decomp+0x6ef/0x9e0 [ 75.432427][ T5332] crypto_acomp_compress+0x42f/0xb20 [ 75.434673][ T5332] zswap_store+0xdc6/0x1f10 [ 75.436694][ T5332] swap_writeout+0x710/0xd70 [ 75.438594][ T5332] shrink_folio_list+0x323f/0x4f90 [ 75.440895][ T5332] evict_folios+0x473e/0x57f0 [ 75.442916][ T5332] try_to_shrink_lruvec+0x8a3/0xb50 [ 75.445257][ T5332] shrink_one+0x25c/0x720 [ 75.447143][ T5332] shrink_node+0x2f7d/0x35b0 [ 75.449112][ T5332] kswapd+0x145a/0x2820 [ 75.450767][ T5332] kthread+0x711/0x8a0 [ 75.452383][ T5332] [ 75.453416][ T5332] Memory state around the buggy address: [ 75.455596][ T5332] ffff88801a3f7b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 75.458590][ T5332] ffff88801a3f7b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.461910][ T5332] >ffff88801a3f7c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 75.465404][ T5332] ^ [ 75.467660][ T5332] ffff88801a3f7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 75.471083][ T5332] ffff88801a3f7d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 75.474210][ T5332] ================================================================== [ 75.622899][ T5333] 8021q: adding VLAN 0 to HW filter on device bond0 [ 75.637336][ T5333] bond0: (slave rose0): Enslaving as an active interface with an up link [ 75.651270][ T5332] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 75.654163][ T5332] CPU: 0 UID: 0 PID: 5332 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 75.657698][ T5332] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.661979][ T5332] Call Trace: [ 75.663360][ T5332] [ 75.664570][ T5332] vpanic+0x1e0/0x670 [ 75.666316][ T5332] panic+0xb9/0xc0 [ 75.667933][ T5332] ? __pfx_panic+0x10/0x10 [ 75.669852][ T5332] ? preempt_schedule_thunk+0x16/0x30 [ 75.672164][ T5332] ? sk_skb_reason_drop+0x37/0x170 [ 75.674275][ T5332] ? preempt_schedule_thunk+0x16/0x30 [ 75.676608][ T5332] ? sk_skb_reason_drop+0x37/0x170 [ 75.678862][ T5332] check_panic_on_warn+0x89/0xb0 [ 75.680919][ T5332] ? sk_skb_reason_drop+0x37/0x170 [ 75.683077][ T5332] end_report+0x6f/0x140 [ 75.684749][ T5332] kasan_report+0x129/0x150 [ 75.686672][ T5332] ? sk_skb_reason_drop+0x37/0x170 [ 75.689022][ T5332] kasan_check_range+0x2b0/0x2c0 [ 75.691213][ T5332] sk_skb_reason_drop+0x37/0x170 [ 75.693115][ T5332] nr_transmit_buffer+0x11d/0x1b0 [ 75.695344][ T5332] nr_establish_data_link+0x62/0xb0 [ 75.697682][ T5332] nr_connect+0x6e6/0xde0 [ 75.699704][ T5332] ? __pfx_nr_connect+0x10/0x10 [ 75.701881][ T5332] ? tomoyo_socket_connect_permission+0x164/0x290 [ 75.704688][ T5332] ? bpf_lsm_socket_connect+0x9/0x20 [ 75.707036][ T5332] __sys_connect+0x316/0x440 [ 75.708990][ T5332] ? __pfx___sys_connect+0x10/0x10 [ 75.711121][ T5332] ? rcu_is_watching+0x15/0xb0 [ 75.713274][ T5332] __x64_sys_connect+0x7a/0x90 [ 75.715559][ T5332] do_syscall_64+0xec/0xf80 [ 75.717564][ T5332] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.720266][ T5332] ? trace_irq_disable+0x37/0x100 [ 75.722230][ T5332] ? clear_bhb_loop+0x60/0xb0 [ 75.724085][ T5332] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.726298][ T5332] RIP: 0033:0x7f36ccb8f7c9 [ 75.728134][ T5332] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 75.735272][ T5332] RSP: 002b:00007f36cd990038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 75.738727][ T5332] RAX: ffffffffffffffda RBX: 00007f36ccde6090 RCX: 00007f36ccb8f7c9 [ 75.742026][ T5332] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000006 [ 75.745463][ T5332] RBP: 00007f36ccc13f91 R08: 0000000000000000 R09: 0000000000000000 [ 75.748710][ T5332] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 75.752031][ T5332] R13: 00007f36ccde6128 R14: 00007f36ccde6090 R15: 00007fff8d77a378 [ 75.755267][ T5332] [ 75.756826][ T5332] Kernel Offset: disabled [ 75.758606][ T5332] Rebooting in 86400 seconds..