program: r0 = socket$nl_route(0x10, 0x3, 0x0) (async) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) (async) r2 = socket$inet(0x2, 0x80001, 0x84) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='tlb_flush\x00'}, 0x10) getsockopt$inet_sctp_SCTP_MAX_BURST(r2, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={0x0}, &(0x7f0000000040)=0x8) setsockopt$inet_sctp6_SCTP_RTOINFO(r1, 0x84, 0x0, &(0x7f00000000c0)={r3, 0x4, 0x2, 0x5}, 0x10) (async) sendmsg$nl_route(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000080)=@newlink={0x3c, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x74}, [@IFLA_LINKINFO={0x1c, 0x12, 0x0, 0x1, @bond={{0x9}, {0xc, 0x2, 0x0, 0x1, [@IFLA_BOND_ALL_SLAVES_ACTIVE={0x5, 0x11, 0x5}]}}}]}, 0x3c}}, 0x0) (async) r4 = syz_init_net_socket$x25(0x9, 0x5, 0x0) r5 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) (async) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) (async) r7 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) (async) ioctl$sock_netdev_private(r7, 0x8914, &(0x7f0000000000)) ioctl$sock_netrom_SIOCADDRT(r5, 0x890b, &(0x7f00000001c0)={0x1, @default, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x0, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}) connect$netrom(r5, &(0x7f0000000300)={{0x6, @default}, [@null, @default, @default, @default, @bcast, @bcast, @default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}]}, 0x48) (async) ioctl$sock_ifreq(r4, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'}) [ 85.030997][ T5306] Bluetooth: hci0: command tx timeout [ 85.190267][ T5331] (unnamed net_device) (uninitialized): option all_slaves_active: invalid value (5) [ 85.284064][ T5331] ================================================================== [ 85.288608][ T5331] BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x37/0x170 [ 85.303598][ T5331] Write of size 4 at addr ffff888052ae8ae4 by task syz.0.0/5331 [ 85.308354][ T5331] [ 85.309736][ T5331] CPU: 0 UID: 0 PID: 5331 Comm: syz.0.0 Not tainted 6.15.0-syzkaller-13655-gbdc7f8c5adad #0 PREEMPT(full) [ 85.309755][ T5331] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.309762][ T5331] Call Trace: [ 85.309771][ T5331] [ 85.309777][ T5331] dump_stack_lvl+0x189/0x250 [ 85.309901][ T5331] ? __kasan_check_byte+0x12/0x40 [ 85.309967][ T5331] ? __pfx_dump_stack_lvl+0x10/0x10 [ 85.309981][ T5331] ? lock_release+0x4b/0x3e0 [ 85.310019][ T5331] ? __virt_addr_valid+0x4a5/0x5c0 [ 85.310054][ T5331] print_report+0xd2/0x2b0 [ 85.310070][ T5331] ? sk_skb_reason_drop+0x37/0x170 [ 85.310085][ T5331] kasan_report+0x118/0x150 [ 85.310097][ T5331] ? sk_skb_reason_drop+0x37/0x170 [ 85.310113][ T5331] kasan_check_range+0x2b0/0x2c0 [ 85.310125][ T5331] sk_skb_reason_drop+0x37/0x170 [ 85.310139][ T5331] nr_transmit_buffer+0x11d/0x1b0 [ 85.310152][ T5331] nr_establish_data_link+0x62/0xb0 [ 85.310163][ T5331] nr_connect+0x6e6/0xde0 [ 85.310180][ T5331] ? __pfx_nr_connect+0x10/0x10 [ 85.310195][ T5331] ? tomoyo_socket_connect_permission+0x164/0x290 [ 85.310231][ T5331] ? bpf_lsm_socket_connect+0x9/0x20 [ 85.310295][ T5331] __sys_connect+0x316/0x440 [ 85.310309][ T5331] ? __rseq_handle_notify_resume+0x37e/0x11f0 [ 85.310326][ T5331] ? __pfx___sys_connect+0x10/0x10 [ 85.310342][ T5331] ? rcu_is_watching+0x15/0xb0 [ 85.310369][ T5331] __x64_sys_connect+0x7a/0x90 [ 85.310382][ T5331] do_syscall_64+0xfa/0x3b0 [ 85.310442][ T5331] ? lockdep_hardirqs_on+0x9c/0x150 [ 85.310459][ T5331] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.310469][ T5331] ? clear_bhb_loop+0x60/0xb0 [ 85.310483][ T5331] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.310494][ T5331] RIP: 0033:0x7f6e4e38e929 [ 85.310507][ T5331] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 85.310516][ T5331] RSP: 002b:00007f6e4f1ac038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 85.310530][ T5331] RAX: ffffffffffffffda RBX: 00007f6e4e5b5fa0 RCX: 00007f6e4e38e929 [ 85.310537][ T5331] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000008 [ 85.310543][ T5331] RBP: 00007f6e4e410b39 R08: 0000000000000000 R09: 0000000000000000 [ 85.310549][ T5331] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 85.310554][ T5331] R13: 0000000000000000 R14: 00007f6e4e5b5fa0 R15: 00007ffed6728b78 [ 85.310564][ T5331] [ 85.310568][ T5331] [ 85.625301][ T5331] Allocated by task 5331: [ 85.627614][ T5331] kasan_save_track+0x3e/0x80 [ 85.644267][ T5331] __kasan_slab_alloc+0x6c/0x80 [ 85.646795][ T5331] kmem_cache_alloc_node_noprof+0x1bb/0x3c0 [ 85.649520][ T5331] __alloc_skb+0x112/0x2d0 [ 85.651916][ T5331] nr_write_internal+0xe2/0xc60 [ 85.655832][ T5331] nr_establish_data_link+0x62/0xb0 [ 85.658537][ T5331] nr_connect+0x6e6/0xde0 [ 85.670922][ T5331] __sys_connect+0x316/0x440 [ 85.673018][ T5331] __x64_sys_connect+0x7a/0x90 [ 85.675323][ T5331] do_syscall_64+0xfa/0x3b0 [ 85.677855][ T5331] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.691527][ T5331] [ 85.693343][ T5331] Freed by task 5331: [ 85.696058][ T5331] kasan_save_track+0x3e/0x80 [ 85.700433][ T5331] kasan_save_free_info+0x46/0x50 [ 85.708385][ T5331] __kasan_slab_free+0x62/0x70 [ 85.710893][ T5331] kmem_cache_free+0x18f/0x400 [ 85.713605][ T5331] nr_route_frame+0x467/0x7e0 [ 85.716055][ T5331] nr_transmit_buffer+0xe7/0x1b0 [ 85.718462][ T5331] nr_establish_data_link+0x62/0xb0 [ 85.739142][ T5331] nr_connect+0x6e6/0xde0 [ 85.742180][ T5331] __sys_connect+0x316/0x440 [ 85.744791][ T5331] __x64_sys_connect+0x7a/0x90 [ 85.750684][ T5331] do_syscall_64+0xfa/0x3b0 [ 85.761105][ T5331] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.764374][ T5331] [ 85.765807][ T5331] The buggy address belongs to the object at ffff888052ae8a00 [ 85.765807][ T5331] which belongs to the cache skbuff_head_cache of size 240 [ 85.782355][ T5331] The buggy address is located 228 bytes inside of [ 85.782355][ T5331] freed 240-byte region [ffff888052ae8a00, ffff888052ae8af0) [ 85.798077][ T5331] [ 85.799574][ T5331] The buggy address belongs to the physical page: [ 85.813444][ T5331] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x52ae8 [ 85.818195][ T5331] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 85.828013][ T5331] page_type: f5(slab) [ 85.840633][ T5331] raw: 04fff00000000000 ffff8880304fac80 dead000000000122 0000000000000000 [ 85.845659][ T5331] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 85.851062][ T5331] page dumped because: kasan: bad access detected [ 85.862988][ T5331] page_owner tracks the page as allocated [ 85.872189][ T5331] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x72820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_MEMALLOC|__GFP_COMP), pid 5336, tgid 5336 (dhcpcd), ts 85276482912, free_ts 85238699863 [ 85.900634][ T5331] post_alloc_hook+0x240/0x2a0 [ 85.907929][ T5331] get_page_from_freelist+0x21e4/0x22c0 [ 85.914327][ T5331] __alloc_frozen_pages_noprof+0x181/0x370 [ 85.918879][ T5331] alloc_pages_mpol+0x232/0x4a0 [ 85.923738][ T5331] allocate_slab+0x8a/0x3b0 [ 85.926495][ T5331] ___slab_alloc+0xbfc/0x1480 [ 85.931991][ T5331] kmem_cache_alloc_node_noprof+0x280/0x3c0 [ 85.938687][ T5331] __alloc_skb+0x112/0x2d0 [ 85.949986][ T5331] __netdev_alloc_skb+0x108/0x970 [ 85.952803][ T5331] __ieee80211_beacon_get+0xe32/0x1630 [ 85.956075][ T5331] ieee80211_beacon_get_tim+0xb4/0x2b0 [ 85.964300][ T5331] mac80211_hwsim_beacon_tx+0x3ce/0x860 [ 85.979489][ T5331] __iterate_interfaces+0x2a8/0x590 [ 85.983040][ T5331] ieee80211_iterate_active_interfaces_atomic+0xdb/0x180 [ 85.987314][ T5331] mac80211_hwsim_beacon+0xbb/0x1c0 [ 85.992638][ T5331] __hrtimer_run_queues+0x52c/0xc60 [ 86.000610][ T5331] page last free pid 13 tgid 13 stack trace: [ 86.010917][ T5331] __free_frozen_pages+0xc71/0xe70 [ 86.014633][ T5331] __tlb_remove_table+0x2d2/0x3b0 [ 86.022267][ T5331] tlb_remove_table_rcu+0x85/0x100 [ 86.033402][ T5331] rcu_core+0xca5/0x1710 [ 86.036343][ T5331] handle_softirqs+0x286/0x870 [ 86.039093][ T5331] do_softirq+0xec/0x180 [ 86.051152][ T5331] __local_bh_enable_ip+0x17d/0x1c0 [ 86.053738][ T5331] batadv_nc_purge_paths+0x318/0x3b0 [ 86.057025][ T5331] batadv_nc_worker+0x328/0x610 [ 86.059548][ T5331] process_scheduled_works+0xae1/0x17b0 [ 86.076026][ T5331] worker_thread+0x8a0/0xda0 [ 86.078343][ T5331] kthread+0x70e/0x8a0 [ 86.088410][ T5331] ret_from_fork+0x3f9/0x770 [ 86.093198][ T5331] ret_from_fork_asm+0x1a/0x30 [ 86.098162][ T5331] [ 86.099215][ T5331] Memory state around the buggy address: [ 86.104438][ T5331] ffff888052ae8980: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 86.108561][ T5331] ffff888052ae8a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 86.122526][ T5331] >ffff888052ae8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 86.125840][ T5331] ^ [ 86.129095][ T5331] ffff888052ae8b00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 [ 86.153799][ T5331] ffff888052ae8b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 86.158194][ T5331] ================================================================== [ 86.284816][ T5331] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 86.294623][ T5331] CPU: 0 UID: 0 PID: 5331 Comm: syz.0.0 Not tainted 6.15.0-syzkaller-13655-gbdc7f8c5adad #0 PREEMPT(full) [ 86.307657][ T5331] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 86.318500][ T5331] Call Trace: [ 86.321288][ T5331] [ 86.325398][ T5331] dump_stack_lvl+0x99/0x250 [ 86.330171][ T5331] ? __asan_memcpy+0x40/0x70 [ 86.335238][ T5331] ? __pfx_dump_stack_lvl+0x10/0x10 [ 86.340807][ T5331] ? __pfx__printk+0x10/0x10 [ 86.342698][ T5331] panic+0x2db/0x790 [ 86.344515][ T5331] ? __pfx_preempt_schedule+0x10/0x10 [ 86.347149][ T5331] ? __pfx_panic+0x10/0x10 [ 86.361736][ T5331] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 86.364370][ T5331] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 86.367173][ T5331] ? sk_skb_reason_drop+0x37/0x170 [ 86.371905][ T5331] check_panic_on_warn+0x89/0xb0 [ 86.381838][ T5331] ? sk_skb_reason_drop+0x37/0x170 [ 86.384066][ T5331] end_report+0x78/0x160 [ 86.385914][ T5331] kasan_report+0x129/0x150 [ 86.390870][ T5331] ? sk_skb_reason_drop+0x37/0x170 [ 86.393241][ T5331] kasan_check_range+0x2b0/0x2c0 [ 86.395340][ T5331] sk_skb_reason_drop+0x37/0x170 [ 86.412231][ T5331] nr_transmit_buffer+0x11d/0x1b0 [ 86.416830][ T5331] nr_establish_data_link+0x62/0xb0 [ 86.419742][ T5331] nr_connect+0x6e6/0xde0 [ 86.422625][ T5331] ? __pfx_nr_connect+0x10/0x10 [ 86.432709][ T5331] ? tomoyo_socket_connect_permission+0x164/0x290 [ 86.436572][ T5331] ? bpf_lsm_socket_connect+0x9/0x20 [ 86.442555][ T5331] __sys_connect+0x316/0x440 [ 86.452980][ T5331] ? __rseq_handle_notify_resume+0x37e/0x11f0 [ 86.457282][ T5331] ? __pfx___sys_connect+0x10/0x10 [ 86.459802][ T5331] ? rcu_is_watching+0x15/0xb0 [ 86.462222][ T5331] __x64_sys_connect+0x7a/0x90 [ 86.465593][ T5331] do_syscall_64+0xfa/0x3b0 [ 86.469689][ T5331] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.473084][ T5331] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.477086][ T5331] ? clear_bhb_loop+0x60/0xb0 [ 86.480129][ T5331] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.483357][ T5331] RIP: 0033:0x7f6e4e38e929 [ 86.486646][ T5331] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 86.534977][ T5331] RSP: 002b:00007f6e4f1ac038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 86.539151][ T5331] RAX: ffffffffffffffda RBX: 00007f6e4e5b5fa0 RCX: 00007f6e4e38e929 [ 86.582890][ T5331] RDX: 0000000000000048 RSI: 0000200000000300 RDI: 0000000000000008 [ 86.586563][ T5331] RBP: 00007f6e4e410b39 R08: 0000000000000000 R09: 0000000000000000 [ 86.591099][ T5331] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 86.597501][ T5331] R13: 0000000000000000 R14: 00007f6e4e5b5fa0 R15: 00007ffed6728b78 [ 86.602478][ T5331] [ 86.604863][ T5331] Kernel Offset: disabled [ 86.607514][ T5331] Rebooting in 86400 seconds..