program: r0 = syz_init_net_socket$x25(0x9, 0x5, 0x0) r1 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000)) r4 = syz_open_dev$vcsn(&(0x7f0000000040), 0x8000000000000000, 0x8000) r5 = perf_event_open(&(0x7f0000000240)={0x4, 0x80, 0x3, 0x9, 0x81, 0x9, 0x0, 0x4, 0x4004, 0x1, 0x0, 0x1, 0x1, 0x1, 0x0, 0x1, 0x1, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1, 0x1, 0x1, 0x0, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1, 0x1, 0x1, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, 0x1, 0x0, 0x6, 0x2, @perf_bp={&(0x7f0000000140)}, 0x0, 0x0, 0xabc00000, 0x3, 0x1ff, 0x800, 0x8, 0x0, 0x7fffffff, 0x0, 0x40}, 0xffffffffffffffff, 0xb, 0xffffffffffffffff, 0x8) perf_event_open$cgroup(&(0x7f00000000c0)={0x0, 0x80, 0x2c, 0x1, 0x6, 0xc, 0x0, 0x784c, 0x20000, 0x2, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, 0x1, 0x1, 0x1, 0x0, 0x1, 0x1, 0x1, 0x1, 0x0, 0x1, 0x0, 0x1, 0x1, 0x1, 0x0, 0x0, 0x0, 0x1, 0x0, 0x1, 0x1, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x1, 0x1, 0x0, 0x0, 0x0, 0x7, 0x4, @perf_config_ext={0x9, 0xb81}, 0x8, 0xfffffffffffffffb, 0xe48, 0x4, 0x3, 0x124f, 0x7f, 0x0, 0x2}, r4, 0xe, r5, 0x8) ioctl$sock_netrom_SIOCADDRT(r1, 0x890b, &(0x7f00000001c0)={0x1, @default, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x0, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}) connect$netrom(r1, &(0x7f0000000300)={{0x6, @default}, [@null, @default, @default, @default, @bcast, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}]}, 0x48) ioctl$sock_ifreq(r0, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'}) [ 75.242102][ T5311] Bluetooth: hci0: command tx timeout [ 75.342538][ T5335] ================================================================== [ 75.346460][ T5335] BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x37/0x170 [ 75.350282][ T5335] Write of size 4 at addr ffff88801fa320e4 by task syz.0.0/5335 [ 75.353700][ T5335] [ 75.354798][ T5335] CPU: 0 UID: 0 PID: 5335 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 75.354814][ T5335] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.354822][ T5335] Call Trace: [ 75.354831][ T5335] [ 75.354837][ T5335] dump_stack_lvl+0xe8/0x150 [ 75.354859][ T5335] print_report+0xca/0x240 [ 75.354874][ T5335] ? sk_skb_reason_drop+0x37/0x170 [ 75.354885][ T5335] kasan_report+0x118/0x150 [ 75.354946][ T5335] ? sk_skb_reason_drop+0x37/0x170 [ 75.354959][ T5335] kasan_check_range+0x2b0/0x2c0 [ 75.354971][ T5335] sk_skb_reason_drop+0x37/0x170 [ 75.354981][ T5335] nr_transmit_buffer+0x11d/0x1b0 [ 75.354993][ T5335] nr_establish_data_link+0x62/0xb0 [ 75.355004][ T5335] nr_connect+0x6e6/0xde0 [ 75.355020][ T5335] ? __pfx_nr_connect+0x10/0x10 [ 75.355034][ T5335] ? tomoyo_socket_connect_permission+0x164/0x290 [ 75.355051][ T5335] ? bpf_lsm_socket_connect+0x9/0x20 [ 75.355065][ T5335] __sys_connect+0x316/0x440 [ 75.355081][ T5335] ? __pfx___sys_connect+0x10/0x10 [ 75.355097][ T5335] ? rcu_is_watching+0x15/0xb0 [ 75.355112][ T5335] __x64_sys_connect+0x7a/0x90 [ 75.355125][ T5335] do_syscall_64+0xec/0xf80 [ 75.355169][ T5335] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.355182][ T5335] ? trace_irq_disable+0x37/0x100 [ 75.355197][ T5335] ? clear_bhb_loop+0x60/0xb0 [ 75.355209][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.355219][ T5335] RIP: 0033:0x7fb309f8f7c9 [ 75.355229][ T5335] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 75.355235][ T5335] RSP: 002b:00007fb30adba038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 75.355244][ T5335] RAX: ffffffffffffffda RBX: 00007fb30a1e6090 RCX: 00007fb309f8f7c9 [ 75.355248][ T5335] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000005 [ 75.355252][ T5335] RBP: 00007fb30a013f91 R08: 0000000000000000 R09: 0000000000000000 [ 75.355256][ T5335] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 75.355260][ T5335] R13: 00007fb30a1e6128 R14: 00007fb30a1e6090 R15: 00007ffe7d060048 [ 75.355267][ T5335] [ 75.355270][ T5335] [ 75.447407][ T5335] Allocated by task 5335: [ 75.449376][ T5335] kasan_save_track+0x3e/0x80 [ 75.451384][ T5335] __kasan_slab_alloc+0x6c/0x80 [ 75.453578][ T5335] kmem_cache_alloc_node_noprof+0x43c/0x720 [ 75.456135][ T5335] __alloc_skb+0x1dc/0x3a0 [ 75.458715][ T5335] nr_write_internal+0xe2/0xc60 [ 75.461445][ T5335] nr_establish_data_link+0x62/0xb0 [ 75.464293][ T5335] nr_connect+0x6e6/0xde0 [ 75.466310][ T5335] __sys_connect+0x316/0x440 [ 75.468556][ T5335] __x64_sys_connect+0x7a/0x90 [ 75.471199][ T5335] do_syscall_64+0xec/0xf80 [ 75.473147][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.475714][ T5335] [ 75.476808][ T5335] Freed by task 5335: [ 75.478617][ T5335] kasan_save_track+0x3e/0x80 [ 75.480741][ T5335] kasan_save_free_info+0x46/0x50 [ 75.483043][ T5335] __kasan_slab_free+0x5c/0x80 [ 75.485250][ T5335] kmem_cache_free+0x197/0x620 [ 75.487430][ T5335] nr_route_frame+0x467/0x7e0 [ 75.489528][ T5335] nr_transmit_buffer+0xe7/0x1b0 [ 75.491673][ T5335] nr_establish_data_link+0x62/0xb0 [ 75.493885][ T5335] nr_connect+0x6e6/0xde0 [ 75.495744][ T5335] __sys_connect+0x316/0x440 [ 75.497901][ T5335] __x64_sys_connect+0x7a/0x90 [ 75.500254][ T5335] do_syscall_64+0xec/0xf80 [ 75.502571][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.505232][ T5335] [ 75.506333][ T5335] The buggy address belongs to the object at ffff88801fa32000 [ 75.506333][ T5335] which belongs to the cache skbuff_head_cache of size 240 [ 75.512736][ T5335] The buggy address is located 228 bytes inside of [ 75.512736][ T5335] freed 240-byte region [ffff88801fa32000, ffff88801fa320f0) [ 75.518804][ T5335] [ 75.519784][ T5335] The buggy address belongs to the physical page: [ 75.522395][ T5335] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1fa32 [ 75.525752][ T5335] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 75.528589][ T5335] page_type: f5(slab) [ 75.530250][ T5335] raw: 00fff00000000000 ffff88801babdc80 dead000000000122 0000000000000000 [ 75.533715][ T5335] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 75.537195][ T5335] page dumped because: kasan: bad access detected [ 75.539987][ T5335] page_owner tracks the page as allocated [ 75.542544][ T5335] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5335, tgid 5333 (syz.0.0), ts 75342279073, free_ts 40406596523 [ 75.550992][ T5335] post_alloc_hook+0x234/0x290 [ 75.553010][ T5335] get_page_from_freelist+0x24e0/0x2580 [ 75.555316][ T5335] __alloc_frozen_pages_noprof+0x181/0x370 [ 75.557780][ T5335] alloc_pages_mpol+0x232/0x4a0 [ 75.559770][ T5335] allocate_slab+0x86/0x3b0 [ 75.561647][ T5335] ___slab_alloc+0xe53/0x1820 [ 75.563587][ T5335] __slab_alloc+0x65/0x100 [ 75.565621][ T5335] kmem_cache_alloc_node_noprof+0x4ce/0x720 [ 75.568427][ T5335] __alloc_skb+0x1dc/0x3a0 [ 75.570575][ T5335] nr_write_internal+0xe2/0xc60 [ 75.572703][ T5335] nr_establish_data_link+0x62/0xb0 [ 75.575200][ T5335] nr_connect+0x6e6/0xde0 [ 75.577227][ T5335] __sys_connect+0x316/0x440 [ 75.579334][ T5335] __x64_sys_connect+0x7a/0x90 [ 75.581600][ T5335] do_syscall_64+0xec/0xf80 [ 75.583580][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.586261][ T5335] page last free pid 4938 tgid 4938 stack trace: [ 75.589205][ T5335] free_unref_folios+0xdb3/0x14f0 [ 75.591464][ T5335] folios_put_refs+0x584/0x670 [ 75.593428][ T5335] free_pages_and_swap_cache+0x277/0x520 [ 75.596011][ T5335] tlb_flush_mmu+0x3a0/0x680 [ 75.598152][ T5335] tlb_finish_mmu+0xc3/0x1d0 [ 75.600263][ T5335] exit_mmap+0x439/0xb10 [ 75.602210][ T5335] __mmput+0x118/0x430 [ 75.604090][ T5335] exit_mm+0x169/0x230 [ 75.606044][ T5335] do_exit+0x627/0x22f0 [ 75.607896][ T5335] do_group_exit+0x21c/0x2d0 [ 75.609981][ T5335] __x64_sys_exit_group+0x3f/0x40 [ 75.612354][ T5335] __pfx_syscall_get_nr+0x0/0x10 [ 75.614629][ T5335] do_syscall_64+0xec/0xf80 [ 75.616595][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.619431][ T5335] [ 75.620515][ T5335] Memory state around the buggy address: [ 75.623090][ T5335] ffff88801fa31f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.626694][ T5335] ffff88801fa32000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.630157][ T5335] >ffff88801fa32080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 75.634507][ T5335] ^ [ 75.638536][ T5335] ffff88801fa32100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 [ 75.642223][ T5335] ffff88801fa32180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 75.645647][ T5335] ================================================================== [ 75.706116][ T5334] 8021q: adding VLAN 0 to HW filter on device bond0 [ 75.722768][ T5334] bond0: (slave rose0): Enslaving as an active interface with an up link [ 75.729411][ T5335] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 75.732613][ T5335] CPU: 0 UID: 0 PID: 5335 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 75.736571][ T5335] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.740957][ T5335] Call Trace: [ 75.742396][ T5335] [ 75.743654][ T5335] vpanic+0x1e0/0x670 [ 75.745380][ T5335] panic+0xb9/0xc0 [ 75.746994][ T5335] ? __pfx_panic+0x10/0x10 [ 75.749004][ T5335] ? preempt_schedule_thunk+0x16/0x30 [ 75.751310][ T5335] ? sk_skb_reason_drop+0x37/0x170 [ 75.753498][ T5335] ? preempt_schedule_thunk+0x16/0x30 [ 75.755748][ T5335] ? sk_skb_reason_drop+0x37/0x170 [ 75.758052][ T5335] check_panic_on_warn+0x89/0xb0 [ 75.760205][ T5335] ? sk_skb_reason_drop+0x37/0x170 [ 75.762421][ T5335] end_report+0x6f/0x140 [ 75.764225][ T5335] kasan_report+0x129/0x150 [ 75.766145][ T5335] ? sk_skb_reason_drop+0x37/0x170 [ 75.768397][ T5335] kasan_check_range+0x2b0/0x2c0 [ 75.770550][ T5335] sk_skb_reason_drop+0x37/0x170 [ 75.772900][ T5335] nr_transmit_buffer+0x11d/0x1b0 [ 75.775193][ T5335] nr_establish_data_link+0x62/0xb0 [ 75.777455][ T5335] nr_connect+0x6e6/0xde0 [ 75.779409][ T5335] ? __pfx_nr_connect+0x10/0x10 [ 75.781533][ T5335] ? tomoyo_socket_connect_permission+0x164/0x290 [ 75.784314][ T5335] ? bpf_lsm_socket_connect+0x9/0x20 [ 75.786613][ T5335] __sys_connect+0x316/0x440 [ 75.788582][ T5335] ? __pfx___sys_connect+0x10/0x10 [ 75.790782][ T5335] ? rcu_is_watching+0x15/0xb0 [ 75.792815][ T5335] __x64_sys_connect+0x7a/0x90 [ 75.794879][ T5335] do_syscall_64+0xec/0xf80 [ 75.796832][ T5335] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.799404][ T5335] ? trace_irq_disable+0x37/0x100 [ 75.801652][ T5335] ? clear_bhb_loop+0x60/0xb0 [ 75.803664][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.806185][ T5335] RIP: 0033:0x7fb309f8f7c9 [ 75.808136][ T5335] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 75.815808][ T5335] RSP: 002b:00007fb30adba038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 75.819229][ T5335] RAX: ffffffffffffffda RBX: 00007fb30a1e6090 RCX: 00007fb309f8f7c9 [ 75.822557][ T5335] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000005 [ 75.826001][ T5335] RBP: 00007fb30a013f91 R08: 0000000000000000 R09: 0000000000000000 [ 75.829341][ T5335] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 75.832701][ T5335] R13: 00007fb30a1e6128 R14: 00007fb30a1e6090 R15: 00007ffe7d060048 [ 75.835499][ T5335] [ 75.836895][ T5335] Kernel Offset: disabled [ 75.838702][ T5335] Rebooting in 86400 seconds..