program: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) pipe(&(0x7f0000000d00)={0xffffffffffffffff, 0xffffffffffffffff}) r3 = socket$inet_udp(0x2, 0x2, 0x0) close(r3) (async) r4 = socket$inet_udp(0x2, 0x2, 0x0) write$FUSE_ENTRY(r2, &(0x7f0000000240)={0x90, 0x0, 0x0, {0x2, 0x3, 0x400, 0x1, 0x8a35, 0x1000, {0x6, 0x7, 0x9, 0x46, 0x2, 0x5e12, 0x4, 0x8, 0x8, 0x8000, 0x5, 0x0, 0x0, 0x200, 0x8000}}}, 0x90) (async) bind$inet(r3, &(0x7f0000000140)={0x2, 0x0, @local}, 0x10) (async) sendmmsg$inet(r4, &(0x7f0000000500)=[{{&(0x7f0000000080)={0x2, 0x4e20, @multicast1}, 0x10, 0x0, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB='p\x00\x00\x00\x00\x00\x00\x00v'], 0x70}}], 0x1, 0x2000c044) write$binfmt_misc(r2, &(0x7f0000000240), 0xfffffecc) splice(r1, 0x0, r3, 0x0, 0x7151, 0x0) (async) sendmsg$NFT_BATCH(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f00000007c0)=ANY=[@ANYRES8=0x0], 0x7c}}, 0x2000c450) (async) r5 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) (async) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) r7 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) (async) ioctl$sock_netdev_private(r7, 0x8914, &(0x7f0000000000)) (async) ioctl$sock_netrom_SIOCADDRT(r5, 0x890b, &(0x7f00000001c0)={0x1, @default, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x0, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}) (async) connect$netrom(r5, &(0x7f0000000300)={{0x6, @default}, [@null, @default, @default, @default, @bcast, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 
0xcc, 0xcc, 0x0}]}, 0x48) mprotect(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x1) (async) r8 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) connect$netrom(r8, &(0x7f0000000300)={{0x6, @rose}, [@remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @default, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}, 0x48) (async) sendmsg$NFT_BATCH(r0, &(0x7f0000009b40)={0x0, 0x0, &(0x7f0000009b00)={&(0x7f00000000c0)=ANY=[@ANYBLOB="140000001000010000000000000000000315000a0000000a000c090900020073797a320000000014000480100001800a00010072656469720000000900010073797a3100000000140000001100010000000000000000000e00000a"], 0x68}, 0x1, 0x0, 0x0, 0x4000850}, 0x24000840) close(0x3) syz_mount_image$squashfs(&(0x7f0000000000), &(0x7f0000000200)='./file1\x00', 0x0, &(0x7f0000000240)=ANY=[], 0x1, 0x1a4, &(0x7f0000000440)="$eJzs0L9rE2Ecx/H397knPypUjYpDBRuwGC9Uk7uqg1NwipADBxfBoCGNTTFR08tgSwtdpCDVDv4DOtVRBZ1EFJyLg+Cg59JNmqE4iINE7vJU8G/weQ33ue8H7p6HbzvshRng9+5ykwoJh/18RNDApIw6pUb52szfTW6MgotmXjf5zOREuLh0q9HptBbyF/Lk/imAH0n3twpfcFQxECrI593lZkNuBAwrdNVsQK5G8SFOnZ77iAk9zpHrOAwL61xS9KRQgwOlfvduKVxcOj3fbcy15lq3fX/mfPlsuXzOL92c77TKrxD3gSiesIIbkAkYc1dI1bm/pfcxLYjbVpEjxQHpOhtbzqkT0wOUu8MQ4V1hQOarbufVFU6SvRZfvsph4SlOwFSNMYUmOaiKXFYvxdOf9M+UIrvqOGeadzqza1eV/EpvVmQnK942qYKHX/SYiVfDId6zFjEVUY3YjNj+xqS8iU/Z26tejZ/PzXSM45DmXqPfX/DS8EF08Pgg4OdgPPmdSu6Vg7fmGxN82XuxLMuyLMuyLMuy/gN/AgAA//96xWPy") listxattr(&(0x7f00000000c0)='./file1\x00', &(0x7f0000000300)=""/195, 0xc3) (async) listen(r0, 0x9) newfstatat(0xffffffffffffff9c, &(0x7f0000000fc0)='./file1\x00', &(0x7f0000001000), 0x1000) setresuid(0x0, 0xee00, 0x0) (async) socket$nl_generic(0x10, 0x3, 0x10) [ 75.944053][ T5315] Bluetooth: hci0: command tx timeout [ 76.048695][ T5338] ================================================================== [ 76.052053][ T5338] BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x37/0x170 [ 76.055300][ T5338] Write of 
size 4 at addr ffff8880124c00e4 by task syz.0.0/5338 [ 76.058442][ T5338] [ 76.059461][ T5338] CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 76.059470][ T5338] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.059475][ T5338] Call Trace: [ 76.059480][ T5338] <TASK> [ 76.059483][ T5338] dump_stack_lvl+0xe8/0x150 [ 76.059495][ T5338] print_report+0xca/0x240 [ 76.059503][ T5338] ? sk_skb_reason_drop+0x37/0x170 [ 76.059509][ T5338] kasan_report+0x118/0x150 [ 76.059547][ T5338] ? sk_skb_reason_drop+0x37/0x170 [ 76.059554][ T5338] kasan_check_range+0x2b0/0x2c0 [ 76.059562][ T5338] sk_skb_reason_drop+0x37/0x170 [ 76.059568][ T5338] nr_transmit_buffer+0x11d/0x1b0 [ 76.059577][ T5338] nr_establish_data_link+0x62/0xb0 [ 76.059587][ T5338] nr_connect+0x6e6/0xde0 [ 76.059600][ T5338] ? __pfx_nr_connect+0x10/0x10 [ 76.059611][ T5338] ? tomoyo_socket_connect_permission+0x164/0x290 [ 76.059624][ T5338] ? bpf_lsm_socket_connect+0x9/0x20 [ 76.059634][ T5338] __sys_connect+0x316/0x440 [ 76.059647][ T5338] ? __pfx___sys_connect+0x10/0x10 [ 76.059662][ T5338] ? rcu_is_watching+0x15/0xb0 [ 76.059676][ T5338] __x64_sys_connect+0x7a/0x90 [ 76.059687][ T5338] do_syscall_64+0xec/0xf80 [ 76.059721][ T5338] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.059727][ T5338] ? trace_irq_disable+0x37/0x100 [ 76.059736][ T5338] ? 
clear_bhb_loop+0x60/0xb0 [ 76.059742][ T5338] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.059749][ T5338] RIP: 0033:0x7fd17638f7c9 [ 76.059757][ T5338] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 76.059762][ T5338] RSP: 002b:00007fd177180038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 76.059771][ T5338] RAX: ffffffffffffffda RBX: 00007fd1765e6090 RCX: 00007fd17638f7c9 [ 76.059775][ T5338] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000008 [ 76.059780][ T5338] RBP: 00007fd176413f91 R08: 0000000000000000 R09: 0000000000000000 [ 76.059784][ T5338] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 76.059788][ T5338] R13: 00007fd1765e6128 R14: 00007fd1765e6090 R15: 00007ffe728234e8 [ 76.059794][ T5338] </TASK> [ 76.059797][ T5338] [ 76.149414][ T5338] Allocated by task 5338: [ 76.151313][ T5338] kasan_save_track+0x3e/0x80 [ 76.153389][ T5338] __kasan_slab_alloc+0x6c/0x80 [ 76.155497][ T5338] kmem_cache_alloc_node_noprof+0x43c/0x720 [ 76.158067][ T5338] __alloc_skb+0x1dc/0x3a0 [ 76.159976][ T5338] nr_write_internal+0xe2/0xc60 [ 76.162060][ T5338] nr_establish_data_link+0x62/0xb0 [ 76.164353][ T5338] nr_connect+0x6e6/0xde0 [ 76.166258][ T5338] __sys_connect+0x316/0x440 [ 76.168300][ T5338] __x64_sys_connect+0x7a/0x90 [ 76.169964][ T5338] do_syscall_64+0xec/0xf80 [ 76.171552][ T5338] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.173952][ T5338] [ 76.174999][ T5338] Freed by task 5338: [ 76.176633][ T5338] kasan_save_track+0x3e/0x80 [ 76.178397][ T5338] kasan_save_free_info+0x46/0x50 [ 76.180489][ T5338] __kasan_slab_free+0x5c/0x80 [ 76.182484][ T5338] kmem_cache_free+0x197/0x620 [ 76.184575][ T5338] nr_route_frame+0x467/0x7e0 [ 76.186638][ T5338] nr_transmit_buffer+0xe7/0x1b0 [ 76.188870][ T5338] nr_establish_data_link+0x62/0xb0 [ 76.191183][ T5338] nr_connect+0x6e6/0xde0 [ 76.192927][ 
T5338] __sys_connect+0x316/0x440 [ 76.194834][ T5338] __x64_sys_connect+0x7a/0x90 [ 76.196883][ T5338] do_syscall_64+0xec/0xf80 [ 76.198894][ T5338] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.201172][ T5338] [ 76.202169][ T5338] The buggy address belongs to the object at ffff8880124c0000 [ 76.202169][ T5338] which belongs to the cache skbuff_head_cache of size 240 [ 76.208129][ T5338] The buggy address is located 228 bytes inside of [ 76.208129][ T5338] freed 240-byte region [ffff8880124c0000, ffff8880124c00f0) [ 76.213623][ T5338] [ 76.214652][ T5338] The buggy address belongs to the physical page: [ 76.217483][ T5338] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x124c0 [ 76.221101][ T5338] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 76.223933][ T5338] page_type: f5(slab) [ 76.225409][ T5338] raw: 00fff00000000000 ffff88803041cc80 dead000000000122 0000000000000000 [ 76.229027][ T5338] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 76.232423][ T5338] page dumped because: kasan: bad access detected [ 76.234908][ T5338] page_owner tracks the page as allocated [ 76.237141][ T5338] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5338, tgid 5336 (syz.0.0), ts 76048502296, free_ts 75977045914 [ 76.244688][ T5338] post_alloc_hook+0x234/0x290 [ 76.246470][ T5338] get_page_from_freelist+0x24e0/0x2580 [ 76.248663][ T5338] __alloc_frozen_pages_noprof+0x181/0x370 [ 76.251086][ T5338] alloc_pages_mpol+0x232/0x4a0 [ 76.253009][ T5338] allocate_slab+0x86/0x3b0 [ 76.254830][ T5338] ___slab_alloc+0xe53/0x1820 [ 76.256700][ T5338] __slab_alloc+0x65/0x100 [ 76.258545][ T5338] kmem_cache_alloc_node_noprof+0x4ce/0x720 [ 76.260963][ T5338] __alloc_skb+0x1dc/0x3a0 [ 76.262909][ T5338] nr_write_internal+0xe2/0xc60 [ 76.265122][ T5338] nr_establish_data_link+0x62/0xb0 [ 76.267414][ T5338] nr_connect+0x6e6/0xde0 [ 76.269380][ T5338] 
__sys_connect+0x316/0x440 [ 76.271412][ T5338] __x64_sys_connect+0x7a/0x90 [ 76.273517][ T5338] do_syscall_64+0xec/0xf80 [ 76.275352][ T5338] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.277878][ T5338] page last free pid 76 tgid 76 stack trace: [ 76.280332][ T5338] free_unref_folios+0xdb3/0x14f0 [ 76.282427][ T5338] shrink_folio_list+0x4785/0x4f90 [ 76.284664][ T5338] evict_folios+0x473e/0x57f0 [ 76.286529][ T5338] try_to_shrink_lruvec+0x8a3/0xb50 [ 76.288856][ T5338] shrink_one+0x25c/0x720 [ 76.290522][ T5338] shrink_node+0x2f7d/0x35b0 [ 76.292444][ T5338] kswapd+0x145a/0x2820 [ 76.294254][ T5338] kthread+0x711/0x8a0 [ 76.296033][ T5338] ret_from_fork+0x510/0xa50 [ 76.298081][ T5338] ret_from_fork_asm+0x1a/0x30 [ 76.300235][ T5338] [ 76.301311][ T5338] Memory state around the buggy address: [ 76.303703][ T5338] ffff8880124bff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 76.307228][ T5338] ffff8880124c0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.310779][ T5338] >ffff8880124c0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 76.314243][ T5338] ^ [ 76.317234][ T5338] ffff8880124c0100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 [ 76.320780][ T5338] ffff8880124c0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 76.324211][ T5338] ================================================================== [ 76.344628][ T5338] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 76.348162][ T5338] CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 76.351905][ T5338] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.356547][ T5338] Call Trace: [ 76.358101][ T5338] <TASK> [ 76.359302][ T5338] vpanic+0x1e0/0x670 [ 76.360995][ T5338] panic+0xb9/0xc0 [ 76.362563][ T5338] ? __pfx_panic+0x10/0x10 [ 76.364349][ T5338] ? preempt_schedule_thunk+0x16/0x30 [ 76.366596][ T5338] ? sk_skb_reason_drop+0x37/0x170 [ 76.368474][ T5338] ? 
preempt_schedule_thunk+0x16/0x30 [ 76.370484][ T5338] ? sk_skb_reason_drop+0x37/0x170 [ 76.372485][ T5338] check_panic_on_warn+0x89/0xb0 [ 76.374280][ T5338] ? sk_skb_reason_drop+0x37/0x170 [ 76.376325][ T5338] end_report+0x6f/0x140 [ 76.378023][ T5338] kasan_report+0x129/0x150 [ 76.379859][ T5338] ? sk_skb_reason_drop+0x37/0x170 [ 76.381913][ T5338] kasan_check_range+0x2b0/0x2c0 [ 76.383946][ T5338] sk_skb_reason_drop+0x37/0x170 [ 76.386090][ T5338] nr_transmit_buffer+0x11d/0x1b0 [ 76.388204][ T5338] nr_establish_data_link+0x62/0xb0 [ 76.390254][ T5338] nr_connect+0x6e6/0xde0 [ 76.391978][ T5338] ? __pfx_nr_connect+0x10/0x10 [ 76.393990][ T5338] ? tomoyo_socket_connect_permission+0x164/0x290 [ 76.396571][ T5338] ? bpf_lsm_socket_connect+0x9/0x20 [ 76.398803][ T5338] __sys_connect+0x316/0x440 [ 76.400733][ T5338] ? __pfx___sys_connect+0x10/0x10 [ 76.403014][ T5338] ? rcu_is_watching+0x15/0xb0 [ 76.405136][ T5338] __x64_sys_connect+0x7a/0x90 [ 76.407213][ T5338] do_syscall_64+0xec/0xf80 [ 76.409198][ T5338] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.411737][ T5338] ? trace_irq_disable+0x37/0x100 [ 76.413767][ T5338] ? 
clear_bhb_loop+0x60/0xb0 [ 76.415757][ T5338] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.418201][ T5338] RIP: 0033:0x7fd17638f7c9 [ 76.420232][ T5338] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 76.428054][ T5338] RSP: 002b:00007fd177180038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 76.431553][ T5338] RAX: ffffffffffffffda RBX: 00007fd1765e6090 RCX: 00007fd17638f7c9 [ 76.434853][ T5338] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000008 [ 76.438192][ T5338] RBP: 00007fd176413f91 R08: 0000000000000000 R09: 0000000000000000 [ 76.441632][ T5338] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 76.444941][ T5338] R13: 00007fd1765e6128 R14: 00007fd1765e6090 R15: 00007ffe728234e8 [ 76.448348][ T5338] </TASK> [ 76.449994][ T5338] Kernel Offset: disabled [ 76.451846][ T5338] Rebooting in 86400 seconds..