program: r0 = syz_init_net_socket$x25(0x9, 0x5, 0x0) r1 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000)) ioctl$sock_netrom_SIOCADDRT(r1, 0x890b, &(0x7f00000001c0)={0x1, @default, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x0, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}) ioctl$AUTOFS_DEV_IOCTL_READY(0xffffffffffffffff, 0xc0189376, &(0x7f0000000040)={{0x1, 0x1, 0x18, r2, {0x1}}, './file0\x00'}) sendmsg$NL80211_CMD_REGISTER_BEACONS(r4, &(0x7f0000000240)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x10000000}, 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x20, 0x0, 0x8, 0x70bd29, 0x25dfdbfb, {{}, {@void, @void, @val={0xc, 0x99, {0x9, 0x4f}}}}, ["", "", "", "", "", "", "", "", ""]}, 0x20}, 0x1, 0x0, 0x0, 0x4014}, 0x4000) connect$netrom(r1, &(0x7f0000000300)={{0x6, @default}, [@null, @default, @default, @default, @bcast, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}]}, 0x48) ioctl$sock_ifreq(r0, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'}) [ 76.497240][ T4706] Bluetooth: hci0: command tx timeout [ 76.603321][ T1316] ieee802154 phy0 wpan0: encryption failed: -22 [ 76.633546][ T1316] ieee802154 phy1 wpan1: encryption failed: -22 [ 76.764600][ T5360] ================================================================== [ 76.772040][ T5360] BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x37/0x170 [ 76.778252][ T5360] Write of size 4 at addr ffff888042ada364 by task syz.0.0/5360 [ 76.793133][ T5360] [ 76.795223][ T5360] CPU: 0 UID: 0 PID: 5360 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 76.795244][ T5360] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.795252][ T5360] Call Trace: [ 76.795261][ T5360] [ 76.795268][ T5360] dump_stack_lvl+0x189/0x250 [ 76.795287][ T5360] ? __virt_addr_valid+0x1c8/0x5c0 [ 76.795305][ T5360] ? rcu_is_watching+0x15/0xb0 [ 76.795358][ T5360] ? __kasan_check_byte+0x12/0x40 [ 76.795374][ T5360] ? __pfx_dump_stack_lvl+0x10/0x10 [ 76.795389][ T5360] ? rcu_is_watching+0x15/0xb0 [ 76.795400][ T5360] ? lock_release+0x4b/0x3e0 [ 76.795420][ T5360] ? __virt_addr_valid+0x1c8/0x5c0 [ 76.795433][ T5360] ? __virt_addr_valid+0x4a5/0x5c0 [ 76.795448][ T5360] print_report+0xca/0x240 [ 76.795459][ T5360] ? sk_skb_reason_drop+0x37/0x170 [ 76.795475][ T5360] kasan_report+0x118/0x150 [ 76.795490][ T5360] ? sk_skb_reason_drop+0x37/0x170 [ 76.795510][ T5360] kasan_check_range+0x2b0/0x2c0 [ 76.795526][ T5360] sk_skb_reason_drop+0x37/0x170 [ 76.795550][ T5360] nr_transmit_buffer+0x11d/0x1b0 [ 76.795613][ T5360] nr_establish_data_link+0x62/0xb0 [ 76.795767][ T5360] nr_connect+0x6e6/0xde0 [ 76.795789][ T5360] ? __pfx_nr_connect+0x10/0x10 [ 76.795801][ T5360] ? tomoyo_socket_connect_permission+0x164/0x290 [ 76.795821][ T5360] ? bpf_lsm_socket_connect+0x9/0x20 [ 76.795891][ T5360] __sys_connect+0x316/0x440 [ 76.796038][ T5360] ? __rseq_handle_notify_resume+0x37e/0x11f0 [ 76.796059][ T5360] ? __pfx___sys_connect+0x10/0x10 [ 76.796086][ T5360] ? rcu_is_watching+0x15/0xb0 [ 76.796102][ T5360] __x64_sys_connect+0x7a/0x90 [ 76.796118][ T5360] do_syscall_64+0xfa/0x3b0 [ 76.796180][ T5360] ? lockdep_hardirqs_on+0x9c/0x150 [ 76.796198][ T5360] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.796209][ T5360] ? clear_bhb_loop+0x60/0xb0 [ 76.796222][ T5360] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.796235][ T5360] RIP: 0033:0x7f437ed8ebe9 [ 76.796247][ T5360] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 76.796257][ T5360] RSP: 002b:00007f437fb5b038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 76.796272][ T5360] RAX: ffffffffffffffda RBX: 00007f437efb6090 RCX: 00007f437ed8ebe9 [ 76.796282][ T5360] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000005 [ 76.796292][ T5360] RBP: 00007f437ee11e19 R08: 0000000000000000 R09: 0000000000000000 [ 76.796300][ T5360] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 76.796308][ T5360] R13: 00007f437efb6128 R14: 00007f437efb6090 R15: 00007ffe9fe59868 [ 76.796321][ T5360] [ 76.796327][ T5360] [ 77.089638][ T5360] Allocated by task 5360: [ 77.091435][ T5360] kasan_save_track+0x3e/0x80 [ 77.093485][ T5360] __kasan_slab_alloc+0x6c/0x80 [ 77.095664][ T5360] kmem_cache_alloc_node_noprof+0x1bb/0x3c0 [ 77.098927][ T5360] __alloc_skb+0x112/0x2d0 [ 77.101334][ T5360] nr_write_internal+0xe2/0xc60 [ 77.112447][ T5360] nr_establish_data_link+0x62/0xb0 [ 77.120300][ T5360] nr_connect+0x6e6/0xde0 [ 77.136930][ T5360] __sys_connect+0x316/0x440 [ 77.139740][ T5360] __x64_sys_connect+0x7a/0x90 [ 77.143043][ T5360] do_syscall_64+0xfa/0x3b0 [ 77.145254][ T5360] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.147694][ T5360] [ 77.161975][ T5360] Freed by task 5360: [ 77.164424][ T5360] kasan_save_track+0x3e/0x80 [ 77.167094][ T5360] kasan_save_free_info+0x46/0x50 [ 77.169923][ T5360] __kasan_slab_free+0x5b/0x80 [ 77.172521][ T5360] kmem_cache_free+0x18f/0x400 [ 77.174981][ T5360] nr_route_frame+0x467/0x7e0 [ 77.177619][ T5360] nr_transmit_buffer+0xe7/0x1b0 [ 77.195217][ T5360] nr_establish_data_link+0x62/0xb0 [ 77.197915][ T5360] nr_connect+0x6e6/0xde0 [ 77.200040][ T5360] __sys_connect+0x316/0x440 [ 77.202242][ T5360] __x64_sys_connect+0x7a/0x90 [ 77.204820][ T5360] do_syscall_64+0xfa/0x3b0 [ 77.217871][ T5360] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.223203][ T5360] [ 77.224704][ T5360] The buggy address belongs to the object at ffff888042ada280 [ 77.224704][ T5360] which belongs to the cache skbuff_head_cache of size 240 [ 77.234140][ T5360] The buggy address is located 228 bytes inside of [ 77.234140][ T5360] freed 240-byte region [ffff888042ada280, ffff888042ada370) [ 77.239795][ T5360] [ 77.240948][ T5360] The buggy address belongs to the physical page: [ 77.243779][ T5360] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x42ada [ 77.263801][ T5360] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 77.267059][ T5360] page_type: f5(slab) [ 77.279243][ T5360] raw: 04fff00000000000 ffff8880304dcdc0 dead000000000122 0000000000000000 [ 77.289993][ T5360] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 77.293967][ T5360] page dumped because: kasan: bad access detected [ 77.296917][ T5360] page_owner tracks the page as allocated [ 77.304683][ T5360] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4896, tgid 4896 (kworker/0:3), ts 76745738620, free_ts 76740868395 [ 77.315489][ T5360] post_alloc_hook+0x240/0x2a0 [ 77.317784][ T5360] get_page_from_freelist+0x21e4/0x22c0 [ 77.342855][ T5360] __alloc_frozen_pages_noprof+0x181/0x370 [ 77.345508][ T5360] alloc_pages_mpol+0x232/0x4a0 [ 77.347762][ T5360] allocate_slab+0x8a/0x370 [ 77.362777][ T5360] ___slab_alloc+0xbeb/0x1410 [ 77.365563][ T5360] kmem_cache_alloc_noprof+0x283/0x3c0 [ 77.368058][ T5360] skb_clone+0x212/0x3a0 [ 77.369868][ T5360] maybe_deliver+0x98/0x160 [ 77.371718][ T5360] br_flood+0x31a/0x6a0 [ 77.373457][ T5360] br_dev_xmit+0x11b3/0x1840 [ 77.389070][ T5360] dev_hard_start_xmit+0x2d4/0x830 [ 77.391068][ T5360] __dev_queue_xmit+0x1b8d/0x3b50 [ 77.393073][ T5360] ip6_finish_output2+0x11bc/0x16a0 [ 77.395261][ T5360] ip6_finish_output+0x234/0x7d0 [ 77.397412][ T5360] NF_HOOK+0x9e/0x380 [ 77.414360][ T5360] page last free pid 5359 tgid 5358 stack trace: [ 77.422225][ T5360] __free_frozen_pages+0xbc4/0xd30 [ 77.424732][ T5360] rcu_core+0xca8/0x1770 [ 77.426854][ T5360] handle_softirqs+0x283/0x870 [ 77.431389][ T5360] __irq_exit_rcu+0xca/0x1f0 [ 77.450209][ T5360] irq_exit_rcu+0x9/0x30 [ 77.451968][ T5360] sysvec_apic_timer_interrupt+0xa6/0xc0 [ 77.454804][ T5360] asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 77.458442][ T5360] [ 77.459528][ T5360] Memory state around the buggy address: [ 77.462686][ T5360] ffff888042ada200: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 77.466514][ T5360] ffff888042ada280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 77.486335][ T5360] >ffff888042ada300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 77.489792][ T5360] ^ [ 77.493670][ T5360] ffff888042ada380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 [ 77.500739][ T5360] ffff888042ada400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 77.512215][ T5360] ================================================================== [ 77.673328][ T5360] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 77.678721][ T5360] CPU: 0 UID: 0 PID: 5360 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 77.690168][ T5360] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 77.700528][ T5360] Call Trace: [ 77.702568][ T5360] [ 77.704053][ T5360] dump_stack_lvl+0x99/0x250 [ 77.710659][ T5360] ? __asan_memcpy+0x40/0x70 [ 77.720075][ T5360] ? __pfx_dump_stack_lvl+0x10/0x10 [ 77.726561][ T5360] ? __pfx__printk+0x10/0x10 [ 77.728760][ T5360] vpanic+0x281/0x750 [ 77.730389][ T5360] ? __pfx_print_hex_dump+0x10/0x10 [ 77.732734][ T5360] ? __pfx_vpanic+0x10/0x10 [ 77.734590][ T5360] ? preempt_schedule_common+0x83/0xd0 [ 77.736814][ T5360] ? preempt_schedule+0xae/0xc0 [ 77.740627][ T5360] panic+0xb9/0xc0 [ 77.745841][ T5360] ? __pfx_panic+0x10/0x10 [ 77.750456][ T5360] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 77.756395][ T5360] ? sk_skb_reason_drop+0x37/0x170 [ 77.764462][ T5360] check_panic_on_warn+0x89/0xb0 [ 77.767488][ T5360] ? sk_skb_reason_drop+0x37/0x170 [ 77.773776][ T5360] end_report+0x78/0x160 [ 77.781339][ T5360] kasan_report+0x129/0x150 [ 77.787813][ T5360] ? sk_skb_reason_drop+0x37/0x170 [ 77.791461][ T5360] kasan_check_range+0x2b0/0x2c0 [ 77.797899][ T5360] sk_skb_reason_drop+0x37/0x170 [ 77.804357][ T5360] nr_transmit_buffer+0x11d/0x1b0 [ 77.807223][ T5360] nr_establish_data_link+0x62/0xb0 [ 77.810430][ T5360] nr_connect+0x6e6/0xde0 [ 77.814885][ T5360] ? __pfx_nr_connect+0x10/0x10 [ 77.820418][ T5360] ? tomoyo_socket_connect_permission+0x164/0x290 [ 77.825051][ T5360] ? bpf_lsm_socket_connect+0x9/0x20 [ 77.828362][ T5360] __sys_connect+0x316/0x440 [ 77.831073][ T5360] ? __rseq_handle_notify_resume+0x37e/0x11f0 [ 77.834903][ T5360] ? __pfx___sys_connect+0x10/0x10 [ 77.838077][ T5360] ? rcu_is_watching+0x15/0xb0 [ 77.841302][ T5360] __x64_sys_connect+0x7a/0x90 [ 77.843747][ T5360] do_syscall_64+0xfa/0x3b0 [ 77.845984][ T5360] ? lockdep_hardirqs_on+0x9c/0x150 [ 77.848203][ T5360] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.850670][ T5360] ? clear_bhb_loop+0x60/0xb0 [ 77.853043][ T5360] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.856797][ T5360] RIP: 0033:0x7f437ed8ebe9 [ 77.860637][ T5360] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 77.871177][ T5360] RSP: 002b:00007f437fb5b038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 77.875912][ T5360] RAX: ffffffffffffffda RBX: 00007f437efb6090 RCX: 00007f437ed8ebe9 [ 77.881315][ T5360] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000005 [ 77.885833][ T5360] RBP: 00007f437ee11e19 R08: 0000000000000000 R09: 0000000000000000 [ 77.890804][ T5360] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 77.896631][ T5360] R13: 00007f437efb6128 R14: 00007f437efb6090 R15: 00007ffe9fe59868 [ 77.902286][ T5360] [ 77.904153][ T5360] Kernel Offset: disabled [ 77.907435][ T5360] Rebooting in 86400 seconds..