program: pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) (async) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000000)=@newqdisc={0x44, 0x24, 0x0, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {0x0, 0xc}}, [@qdisc_kind_options=@q_codel={{0xa}, {0x14, 0x2, [@TCA_CODEL_INTERVAL={0x8, 0x3, 0x6}, @TCA_CODEL_LIMIT={0x8}]}}]}, 0x44}}, 0x0) (async) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000000)=ANY=[@ANYBLOB="4800000010001fff752b056800080000faff8141", @ANYRES32=0x0, @ANYBLOB="67a9fde500000000280012800a00010076786c616e"], 0x3}}, 0x0) bpf$PROG_LOAD_XDP(0x5, &(0x7f00000001c0)={0x12, 0x4, &(0x7f0000000380)=ANY=[@ANYBLOB="180000000000000000007b44e4240000e0ffffff84007d58310000009500000000000000"], &(0x7f0000000480)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x33}, 0x94) (async, rerun: 64) r2 = socket$inet_udp(0x2, 0x2, 0x0) (rerun: 64) close(r2) (async) syz_genetlink_get_family_id$l2tp(&(0x7f0000000100), r1) (async) socket$nl_route(0x10, 0x3, 0x0) write$char_usb(0xffffffffffffffff, &(0x7f0000000040)="e2", 0x1068) r3 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) (async) r5 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) (async) ioctl$sock_netdev_private(r5, 0x8914, &(0x7f0000000000)) (async, rerun: 64) ioctl$sock_netrom_SIOCADDRT(r3, 0x890b, &(0x7f00000001c0)={0x1, @default, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x0, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 
0xcc, 0xcc, 0x0}, @null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}) (async, rerun: 64) connect$netrom(r3, &(0x7f0000000300)={{0x6, @default}, [@null, @default, @default, @default, @bcast, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}]}, 0x48) mprotect(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x1) (async, rerun: 32) r6 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) (rerun: 32) connect$netrom(r6, &(0x7f0000000300)={{0x6, @rose}, [@remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @default, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}, 0x48) (async) write$binfmt_misc(r1, &(0x7f0000000000), 0xfffffecc) (async) splice(r0, 0x0, r2, 0x0, 0x4ffe6, 0x0) (async) r7 = socket(0x10, 0x3, 0x0) write(r7, &(0x7f0000000340)="2400000011005f0414f9f4070009040081000000490000000000000008000f0001000000", 0x24) (async, rerun: 64) ioctl$BTRFS_IOC_GET_SUBVOL_INFO(r0, 0x81f8943c, &(0x7f0000000680)={0x0, ""/256, 0x0}) (rerun: 64) ioctl$BTRFS_IOC_TREE_SEARCH_V2(r7, 0xc0709411, &(0x7f0000000240)={{r8, 0x8, 0x1, 0x1ff, 0x8000000000000004, 0x2, 0x9, 0x6, 0x0, 0x1, 0x6, 0x14fc, 0x2, 0x7, 0x1}, 0x28, [0x0, 0x0, 0x0, 0x0, 0x0]}) (async, rerun: 32) bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000140)={&(0x7f0000000640)=ANY=[@ANYBLOB="9feb010018000000000000002000000000020000000000000c02000000000000000100000d00000000020000000100000000005f00"], 0x0, 0x3c}, 0x20) (async, rerun: 32) sendmsg$IPCTNL_MSG_EXP_GET_STATS_CPU(r1, &(0x7f0000000480)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x200000}, 0xc, &(0x7f0000000440)={&(0x7f0000000300)={0x14, 0x3, 0x2, 0x201, 0x0, 0x0, {0x5, 0x0, 0x4}, ["", "", "", "", "", "", "", "", "", ""]}, 0x14}, 0x1, 0x0, 0x0, 0x4840}, 0x4008845) (async) r9 = socket$inet_sctp(0x2, 0x1, 0x84) setsockopt$inet_sctp_SCTP_PRIMARY_ADDR(r9, 0x84, 0x6, 0x0, 0x0) [ 86.271390][ T46] Bluetooth: hci0: command tx timeout [ 86.400443][ T5347] 
==================================================================
[ 86.404209][ T5347] BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x37/0x170
[ 86.407786][ T5347] Write of size 4 at addr ffff888043929c24 by task syz.0.0/5347
[ 86.410891][ T5347]
[ 86.411853][ T5347] CPU: 0 UID: 0 PID: 5347 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 86.411866][ T5347] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 86.411872][ T5347] Call Trace:
[ 86.411878][ T5347]
[ 86.411883][ T5347] dump_stack_lvl+0xe8/0x150
[ 86.411900][ T5347] print_report+0xba/0x230
[ 86.411911][ T5347] ? sk_skb_reason_drop+0x37/0x170
[ 86.411924][ T5347] kasan_report+0x117/0x150
[ 86.411935][ T5347] ? sk_skb_reason_drop+0x37/0x170
[ 86.411950][ T5347] kasan_check_range+0x264/0x2c0
[ 86.411960][ T5347] sk_skb_reason_drop+0x37/0x170
[ 86.411974][ T5347] nr_transmit_buffer+0x11d/0x1b0
[ 86.411989][ T5347] nr_establish_data_link+0x62/0xb0
[ 86.412002][ T5347] nr_connect+0x6e9/0xdf0
[ 86.412015][ T5347] ? __pfx_nr_connect+0x10/0x10
[ 86.412026][ T5347] ? tomoyo_socket_connect_permission+0x163/0x290
[ 86.412076][ T5347] ? bpf_lsm_socket_connect+0x9/0x20
[ 86.412091][ T5347] __sys_connect+0x312/0x450
[ 86.412104][ T5347] ? __pfx___sys_connect+0x10/0x10
[ 86.412118][ T5347] ? rcu_is_watching+0x15/0xb0
[ 86.412132][ T5347] __x64_sys_connect+0x7a/0x90
[ 86.412143][ T5347] do_syscall_64+0xe2/0xf80
[ 86.412153][ T5347] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.412159][ T5347] ? clear_bhb_loop+0x60/0xb0
[ 86.412166][ T5347] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.412173][ T5347] RIP: 0033:0x7ff085f9acb9
[ 86.412184][ T5347] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 86.412192][ T5347] RSP: 002b:00007ff086d98028 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 86.412203][ T5347] RAX: ffffffffffffffda RBX: 00007ff086216090 RCX: 00007ff085f9acb9
[ 86.412216][ T5347] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000047
[ 86.412223][ T5347] RBP: 00007ff086008bf7 R08: 0000000000000000 R09: 0000000000000000
[ 86.412229][ T5347] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 86.412235][ T5347] R13: 00007ff086216128 R14: 00007ff086216090 R15: 00007ffe541e1eb8
[ 86.412245][ T5347]
[ 86.412248][ T5347]
[ 86.497857][ T5347] Allocated by task 5347:
[ 86.499763][ T5347] kasan_save_track+0x3e/0x80
[ 86.501933][ T5347] __kasan_slab_alloc+0x6c/0x80
[ 86.504086][ T5347] kmem_cache_alloc_node_noprof+0x427/0x6f0
[ 86.506774][ T5347] __alloc_skb+0x1d7/0x390
[ 86.508832][ T5347] nr_write_internal+0xe2/0xc60
[ 86.511005][ T5347] nr_establish_data_link+0x62/0xb0
[ 86.513272][ T5347] nr_connect+0x6e9/0xdf0
[ 86.515227][ T5347] __sys_connect+0x312/0x450
[ 86.517309][ T5347] __x64_sys_connect+0x7a/0x90
[ 86.519476][ T5347] do_syscall_64+0xe2/0xf80
[ 86.521386][ T5347] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.523706][ T5347]
[ 86.524726][ T5347] Freed by task 5347:
[ 86.526217][ T5347] kasan_save_track+0x3e/0x80
[ 86.528085][ T5347] kasan_save_free_info+0x46/0x50
[ 86.530230][ T5347] __kasan_slab_free+0x5c/0x80
[ 86.532274][ T5347] kmem_cache_free+0x195/0x610
[ 86.534322][ T5347] nr_route_frame+0x467/0x7e0
[ 86.536454][ T5347] nr_transmit_buffer+0xe7/0x1b0
[ 86.538589][ T5347] nr_establish_data_link+0x62/0xb0
[ 86.540789][ T5347] nr_connect+0x6e9/0xdf0
[ 86.542535][ T5347] __sys_connect+0x312/0x450
[ 86.544484][ T5347] __x64_sys_connect+0x7a/0x90
[ 86.546506][ T5347] do_syscall_64+0xe2/0xf80
[ 86.548412][ T5347] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.550692][ T5347]
[ 86.551737][ T5347] The buggy address belongs to the object at ffff888043929b40
[ 86.551737][ T5347] which belongs to the cache skbuff_head_cache of size 240
[ 86.557741][ T5347] The buggy address is located 228 bytes inside of
[ 86.557741][ T5347] freed 240-byte region [ffff888043929b40, ffff888043929c30)
[ 86.563232][ T5347]
[ 86.564219][ T5347] The buggy address belongs to the physical page:
[ 86.566845][ T5347] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43929
[ 86.570292][ T5347] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[ 86.573297][ T5347] page_type: f5(slab)
[ 86.575165][ T5347] raw: 04fff00000000000 ffff88801bed6dc0 dead000000000122 0000000000000000
[ 86.578827][ T5347] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[ 86.582527][ T5347] page dumped because: kasan: bad access detected
[ 86.585289][ T5347] page_owner tracks the page as allocated
[ 86.587758][ T5347] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5032, tgid 5032 (dhcpcd), ts 86361280300, free_ts 86360997106
[ 86.595345][ T5347] post_alloc_hook+0x228/0x280
[ 86.597491][ T5347] get_page_from_freelist+0x24dc/0x2580
[ 86.599734][ T5347] __alloc_frozen_pages_noprof+0x18d/0x380
[ 86.602315][ T5347] alloc_pages_mpol+0x232/0x4a0
[ 86.604413][ T5347] allocate_slab+0x86/0x3a0
[ 86.606454][ T5347] ___slab_alloc+0xd82/0x1760
[ 86.608495][ T5347] __slab_alloc+0x65/0x100
[ 86.610424][ T5347] kmem_cache_alloc_node_noprof+0x4b5/0x6f0
[ 86.612963][ T5347] __alloc_skb+0x1d7/0x390
[ 86.615003][ T5347] alloc_skb_with_frags+0xca/0x890
[ 86.617210][ T5347] sock_alloc_send_pskb+0x878/0x990
[ 86.619400][ T5347] unix_dgram_sendmsg+0x4fb/0x1820
[ 86.621446][ T5347] __sock_sendmsg+0x21c/0x270
[ 86.623693][ T5347] __sys_sendto+0x3c0/0x550
[ 86.625747][ T5347] __x64_sys_sendto+0xde/0x100
[ 86.627880][ T5347] do_syscall_64+0xe2/0xf80
[ 86.629832][ T5347] page last free pid 5032 tgid 5032 stack trace:
[ 86.632624][ T5347] __free_frozen_pages+0xbb0/0xd10
[ 86.634574][ T5347] __mmdrop+0xb5/0x750
[ 86.636317][ T5347] finish_task_switch+0x445/0x920
[ 86.638490][ T5347] __schedule+0x14f7/0x4fb0
[ 86.640587][ T5347] schedule+0x164/0x360
[ 86.642468][ T5347] schedule_hrtimeout_range_clock+0x1e7/0x320
[ 86.645165][ T5347] poll_schedule_timeout+0xd0/0x1a0
[ 86.647490][ T5347] do_sys_poll+0x7e8/0x1120
[ 86.649479][ T5347] __se_sys_ppoll+0x209/0x2b0
[ 86.651509][ T5347] do_syscall_64+0xe2/0xf80
[ 86.653631][ T5347] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.656256][ T5347]
[ 86.657326][ T5347] Memory state around the buggy address:
[ 86.659747][ T5347] ffff888043929b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 86.663241][ T5347] ffff888043929b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.666619][ T5347] >ffff888043929c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 86.669916][ T5347] ^
[ 86.671952][ T5347] ffff888043929c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 86.675435][ T5347] ffff888043929d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 86.678856][ T5347] ==================================================================
[ 86.743814][ T5347] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 86.747164][ T5347] CPU: 0 UID: 0 PID: 5347 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 86.751592][ T5347] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 86.756059][ T5347] Call Trace:
[ 86.757577][ T5347]
[ 86.758910][ T5347] vpanic+0x1e0/0x670
[ 86.760651][ T5347] panic+0xc5/0xd0
[ 86.762299][ T5347] ? __pfx_panic+0x10/0x10
[ 86.764241][ T5347] ? preempt_schedule_thunk+0x16/0x30
[ 86.766634][ T5347] ? sk_skb_reason_drop+0x37/0x170
[ 86.768903][ T5347] ? preempt_schedule_thunk+0x16/0x30
[ 86.771213][ T5347] ? sk_skb_reason_drop+0x37/0x170
[ 86.773491][ T5347] check_panic_on_warn+0x89/0xb0
[ 86.775752][ T5347] ? sk_skb_reason_drop+0x37/0x170
[ 86.777955][ T5347] end_report+0x6f/0x140
[ 86.780152][ T5347] kasan_report+0x128/0x150
[ 86.782034][ T5347] ? sk_skb_reason_drop+0x37/0x170
[ 86.784275][ T5347] kasan_check_range+0x264/0x2c0
[ 86.786454][ T5347] sk_skb_reason_drop+0x37/0x170
[ 86.788627][ T5347] nr_transmit_buffer+0x11d/0x1b0
[ 86.790832][ T5347] nr_establish_data_link+0x62/0xb0
[ 86.793103][ T5347] nr_connect+0x6e9/0xdf0
[ 86.795037][ T5347] ? __pfx_nr_connect+0x10/0x10
[ 86.797168][ T5347] ? tomoyo_socket_connect_permission+0x163/0x290
[ 86.799889][ T5347] ? bpf_lsm_socket_connect+0x9/0x20
[ 86.802315][ T5347] __sys_connect+0x312/0x450
[ 86.804279][ T5347] ? __pfx___sys_connect+0x10/0x10
[ 86.806469][ T5347] ? rcu_is_watching+0x15/0xb0
[ 86.808399][ T5347] __x64_sys_connect+0x7a/0x90
[ 86.810341][ T5347] do_syscall_64+0xe2/0xf80
[ 86.812183][ T5347] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.814597][ T5347] ? clear_bhb_loop+0x60/0xb0
[ 86.816497][ T5347] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.818837][ T5347] RIP: 0033:0x7ff085f9acb9
[ 86.820537][ T5347] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 86.828754][ T5347] RSP: 002b:00007ff086d98028 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 86.832081][ T5347] RAX: ffffffffffffffda RBX: 00007ff086216090 RCX: 00007ff085f9acb9
[ 86.835463][ T5347] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000047
[ 86.838936][ T5347] RBP: 00007ff086008bf7 R08: 0000000000000000 R09: 0000000000000000
[ 86.842385][ T5347] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 86.845888][ T5347] R13: 00007ff086216128 R14: 00007ff086216090 R15: 00007ffe541e1eb8
[ 86.849397][ T5347]
[ 86.851069][ T5347] Kernel Offset: disabled
[ 86.853055][ T5347] Rebooting in 86400 seconds..