# syzkaller reproducer, followed by the KASAN report it produced on the kernel named in that report
# (6.13.0-rc7-syzkaller-00209-g9528d418de4d, QEMU guest). Reported crash class: slab use-after-free, a read of
# 1 byte inside a freed kmalloc-256 object, hit in ax25_release() when an AF_AX25 socket is closed. Because the
# kernel runs with panic_on_warn, the report is followed by a panic (see the end of the log).
# Reading aid: "(async)" is a syzkaller call attribute, the duplicated calls are kept exactly as emitted, and
# r1 is used by the two SIOCGIFINDEX calls but never bound in this text - syzkaller normally marks that binding
# inside the socketpair output struct (<r1=>), so it was probably lost when the page was extracted - TODO confirm
# against the original .syz file.
program: r0 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) (async)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
# These two ax25 SO_BINDTODEVICE calls pass fd -1 (0xffffffffffffffff) and a bogus length; they are expected to
# fail and are not the socket the report is about (that one is r6 below).
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) (async)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000)) (async)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000000)={0x1, @null, @bpq0, 0x6, 'syz0\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x1, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @null, @default]}) (async)
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000000)={0x1, @null, @bpq0, 0x6, 'syz0\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x1, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @null, @default]})
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
r4 = socket$inet(0x2, 0x1, 0x0)
setsockopt$inet_opts(r4, 0x0, 0x4, &(0x7f0000000000)="8907040400", 0x5)
setsockopt$SO_BINDTODEVICE(r4, 0x1, 0x19, &(0x7f00000000c0)='bridge_slave_1\x00', 0x10)
connect$inet(r4, &(0x7f0000000080)={0x2, 0x0, @broadcast}, 0x10)
bind$inet6(r3, &(0x7f0000000100)={0xa, 0x4e22}, 0x1c) (async)
bind$inet6(r3, &(0x7f0000000100)={0xa, 0x4e22}, 0x1c)
r5 = syz_open_dev$sg(&(0x7f0000000300), 0x4, 0x420401)
ioctl$SG_SET_DEBUG(r5, 0x227e, &(0x7f0000000340))
listen(r3, 0x3)
setsockopt$SO_BINDTODEVICE(r3, 0x1, 0x19, &(0x7f0000000040)='syz_tun\x00', 0x10)
syz_emit_ethernet(0x36, &(0x7f0000000140)=ANY=[@ANYBLOB="aaaaaaaaaaaa0180c2000000080045000028000000000006907864010101ac1414aa00004e22", @ANYRES32=0x41424344, @ANYRES32=0x41424344, @ANYBLOB="341922bf6f9826ed"], 0x0)
# r6: the AF_AX25 socket, bound to the bpq0 device. The report's "Call Trace" shows the bad read in
# ax25_release() reached from sock_close <- __fput <- task_work_run, i.e. when the last reference to an ax25
# socket is dropped on syscall exit. This is the only ax25 socket here with a valid fd, so presumably it is
# the one whose release reads the freed object - confirm against net/ax25/af_ax25.c for this kernel.
r6 = syz_init_net_socket$ax25(0x3, 0x5, 0x6)
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f00000001c0)=@bpq0, 0x10) (async)
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f00000001c0)=@bpq0, 0x10)
syz_open_procfs(0xffffffffffffffff, &(0x7f00000000c0)='net/arp\x00') (async)
r7 = syz_open_procfs(0xffffffffffffffff, &(0x7f00000000c0)='net/arp\x00')
preadv(r7, &(0x7f0000000000)=[{&(0x7f0000000200)=""/233, 0xe9}], 0x1, 0xfff, 0x0) (async)
preadv(r7, &(0x7f0000000000)=[{&(0x7f0000000200)=""/233, 0xe9}], 0x1, 0xfff, 0x0)
r8 = syz_init_net_socket$x25(0x9, 0x5, 0x0)
# 0x8990 is SIOCBONDENSLAVE: enslave rose0 into bond0 (matches "bond0: (slave rose0): Enslaving ..." in the
# log). The socket family of r8 does not matter here - the "Freed by task 5314" stack shows the request going
# sock_ioctl -> dev_ioctl -> dev_ifsioc -> bond_do_ioctl -> bond_enslave -> bond_setup_by_slave -> dev_close,
# and that close propagating through bpq_device_event -> dev_close -> ax25_device_event -> kfree. So the
# enslave takes bpq0 down and the ax25 layer frees the per-device object (allocated earlier by task 5315 in
# ax25_dev_device_up from a dev_change_flags ioctl that is not in this program text - presumably syzkaller's
# interface setup) while the socket r6 above still refers to it. That object-lifetime gap between the ax25
# socket and its netdev is the defect the report points at; the fix belongs in the kernel's ax25 device
# handling, not in anything this program does.
ioctl$sock_ifreq(r8, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'})
[ 71.410720][ T4663] Bluetooth: hci0: command tx timeout
[ 71.594106][ T5314] 8021q: adding VLAN 0 to HW filter on device bond0
[ 71.599767][ T5314] bond0: (slave rose0): Enslaving as an active interface with an up link
[ 72.320533][ T5313] ==================================================================
[ 72.323766][ T5313] BUG: KASAN: slab-use-after-free in ax25_release+0x87d/0x950
[ 72.326710][ T5313] Read of size 1 at addr ffff88803eeae8cc by task syz.0.0/5313
[ 72.329677][ T5313]
[ 72.330608][ T5313] CPU: 0 UID: 0 PID: 5313 Comm: syz.0.0 Not tainted 6.13.0-rc7-syzkaller-00209-g9528d418de4d #0
[ 72.334402][ T5313] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 72.338418][ T5313] Call Trace:
[ 72.339591][ T5313]
[ 72.340600][ T5313] dump_stack_lvl+0x241/0x360
[ 72.342626][ T5313] ? __pfx_dump_stack_lvl+0x10/0x10
[ 72.344502][ T5313] ? __pfx__printk+0x10/0x10
[ 72.346247][ T5313] ? _printk+0xd5/0x120
[ 72.347839][ T5313] ? __virt_addr_valid+0x183/0x530
[ 72.349824][ T5313] ?
__virt_addr_valid+0x183/0x530 [ 72.351794][ T5313] print_report+0x169/0x550 [ 72.353647][ T5313] ? __virt_addr_valid+0x183/0x530 [ 72.355813][ T5313] ? __virt_addr_valid+0x183/0x530 [ 72.357920][ T5313] ? __virt_addr_valid+0x45f/0x530 [ 72.359853][ T5313] ? __phys_addr+0xba/0x170 [ 72.361544][ T5313] ? ax25_release+0x87d/0x950 [ 72.363261][ T5313] kasan_report+0x143/0x180 [ 72.364963][ T5313] ? ax25_release+0x87d/0x950 [ 72.366874][ T5313] ax25_release+0x87d/0x950 [ 72.368956][ T5313] sock_close+0xbc/0x240 [ 72.370642][ T5313] ? __pfx_sock_close+0x10/0x10 [ 72.372790][ T5313] __fput+0x23c/0xa50 [ 72.374519][ T5313] task_work_run+0x24f/0x310 [ 72.376260][ T5313] ? _raw_spin_unlock+0x28/0x50 [ 72.378075][ T5313] ? __pfx_task_work_run+0x10/0x10 [ 72.379855][ T5313] ? syscall_exit_to_user_mode+0xa3/0x340 [ 72.381750][ T5313] syscall_exit_to_user_mode+0x13f/0x340 [ 72.383808][ T5313] do_syscall_64+0x100/0x230 [ 72.385372][ T5313] ? clear_bhb_loop+0x35/0x90 [ 72.386984][ T5313] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 72.389146][ T5313] RIP: 0033:0x7efca3385d29 [ 72.390906][ T5313] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 72.397915][ T5313] RSP: 002b:00007ffd2b6616c8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 [ 72.400959][ T5313] RAX: 0000000000000000 RBX: 00007efca3577ba0 RCX: 00007efca3385d29 [ 72.403697][ T5313] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 [ 72.406432][ T5313] RBP: 00007efca3577ba0 R08: 0000000000000000 R09: 00007ffd2b6619bf [ 72.409231][ T5313] R10: 00007efca3577ac0 R11: 0000000000000246 R12: 00000000000119fa [ 72.412063][ T5313] R13: 00007efca3575fa0 R14: 0000000000000032 R15: ffffffffffffffff [ 72.414995][ T5313] [ 72.416185][ T5313] [ 72.417150][ T5313] Allocated by task 5315: [ 72.418787][ T5313] kasan_save_track+0x3f/0x80 [ 72.420544][ T5313] 
__kasan_kmalloc+0x98/0xb0 [ 72.422298][ T5313] __kmalloc_cache_noprof+0x243/0x390 [ 72.424333][ T5313] ax25_dev_device_up+0x58/0x620 [ 72.426235][ T5313] ax25_device_event+0x4f3/0x580 [ 72.428124][ T5313] notifier_call_chain+0x1a5/0x3f0 [ 72.430107][ T5313] __dev_notify_flags+0x207/0x400 [ 72.432040][ T5313] dev_change_flags+0xf0/0x1a0 [ 72.433952][ T5313] dev_ifsioc+0x7c8/0xe70 [ 72.435581][ T5313] dev_ioctl+0x719/0x1340 [ 72.437236][ T5313] sock_do_ioctl+0x240/0x460 [ 72.439012][ T5313] sock_ioctl+0x626/0x8e0 [ 72.440663][ T5313] __se_sys_ioctl+0xf5/0x170 [ 72.442414][ T5313] do_syscall_64+0xf3/0x230 [ 72.444168][ T5313] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 72.446277][ T5313] [ 72.447084][ T5313] Freed by task 5314: [ 72.448660][ T5313] kasan_save_track+0x3f/0x80 [ 72.450432][ T5313] kasan_save_free_info+0x40/0x50 [ 72.452274][ T5313] __kasan_slab_free+0x59/0x70 [ 72.454006][ T5313] kfree+0x196/0x430 [ 72.455466][ T5313] ax25_device_event+0x529/0x580 [ 72.457288][ T5313] notifier_call_chain+0x1a5/0x3f0 [ 72.459256][ T5313] dev_close_many+0x33c/0x4c0 [ 72.461015][ T5313] dev_close+0x1c0/0x2c0 [ 72.462620][ T5313] bpq_device_event+0x372/0x8b0 [ 72.464441][ T5313] notifier_call_chain+0x1a5/0x3f0 [ 72.466358][ T5313] dev_close_many+0x33c/0x4c0 [ 72.468196][ T5313] dev_close+0x1c0/0x2c0 [ 72.470063][ T5313] bond_setup_by_slave+0x66/0x390 [ 72.472000][ T5313] bond_enslave+0x7b4/0x3ac0 [ 72.473810][ T5313] bond_do_ioctl+0x749/0xb50 [ 72.475473][ T5313] dev_ifsioc+0xb73/0xe70 [ 72.477145][ T5313] dev_ioctl+0x719/0x1340 [ 72.478880][ T5313] sock_do_ioctl+0x240/0x460 [ 72.480726][ T5313] sock_ioctl+0x626/0x8e0 [ 72.482258][ T5313] __se_sys_ioctl+0xf5/0x170 [ 72.484057][ T5313] do_syscall_64+0xf3/0x230 [ 72.485785][ T5313] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 72.488005][ T5313] [ 72.488878][ T5313] The buggy address belongs to the object at ffff88803eeae800 [ 72.488878][ T5313] which belongs to the cache kmalloc-256 of size 256 [ 72.493954][ T5313] The buggy 
address is located 204 bytes inside of [ 72.493954][ T5313] freed 256-byte region [ffff88803eeae800, ffff88803eeae900) [ 72.498898][ T5313] [ 72.499776][ T5313] The buggy address belongs to the physical page: [ 72.502104][ T5313] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3eeae [ 72.505297][ T5313] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 72.508029][ T5313] page_type: f5(slab) [ 72.509491][ T5313] raw: 04fff00000000000 ffff88801ac41b40 ffffea0000fbaa00 dead000000000004 [ 72.512412][ T5313] raw: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000 [ 72.516066][ T5313] page dumped because: kasan: bad access detected [ 72.518571][ T5313] page_owner tracks the page as allocated [ 72.520554][ T5313] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 19591470250, free_ts 0 [ 72.526894][ T5313] post_alloc_hook+0x1f3/0x230 [ 72.528769][ T5313] get_page_from_freelist+0x365c/0x37a0 [ 72.530882][ T5313] __alloc_pages_noprof+0x292/0x710 [ 72.533134][ T5313] alloc_pages_mpol_noprof+0x3e1/0x780 [ 72.535663][ T5313] alloc_slab_page+0x6a/0x110 [ 72.537442][ T5313] allocate_slab+0x5a/0x2b0 [ 72.539218][ T5313] ___slab_alloc+0xc27/0x14a0 [ 72.541271][ T5313] __slab_alloc+0x58/0xa0 [ 72.543267][ T5313] __kmalloc_node_track_caller_noprof+0x2e9/0x4c0 [ 72.545987][ T5313] kmemdup_noprof+0x2a/0x60 [ 72.547705][ T5313] ip6_route_net_init+0xe4/0x7c0 [ 72.549453][ T5313] ops_init+0x31e/0x590 [ 72.550981][ T5313] register_pernet_operations+0x30d/0x630 [ 72.553156][ T5313] register_pernet_subsys+0x28/0x40 [ 72.555107][ T5313] ip6_route_init+0x120/0x410 [ 72.556908][ T5313] inet6_init+0x335/0x6a0 [ 72.558623][ T5313] page_owner free stack trace missing [ 72.560520][ T5313] [ 72.561388][ T5313] Memory state around the buggy address: [ 72.563349][ T5313] ffff88803eeae780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 72.566226][ 
T5313] ffff88803eeae800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 72.569121][ T5313] >ffff88803eeae880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 72.572003][ T5313] ^ [ 72.574389][ T5313] ffff88803eeae900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 72.577208][ T5313] ffff88803eeae980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 72.580236][ T5313] ================================================================== [ 72.603831][ T5313] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 72.606524][ T5313] CPU: 0 UID: 0 PID: 5313 Comm: syz.0.0 Not tainted 6.13.0-rc7-syzkaller-00209-g9528d418de4d #0 [ 72.610996][ T5313] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 72.614573][ T5313] Call Trace: [ 72.615832][ T5313] [ 72.616854][ T5313] dump_stack_lvl+0x241/0x360 [ 72.618636][ T5313] ? __pfx_dump_stack_lvl+0x10/0x10 [ 72.620408][ T5313] ? __pfx__printk+0x10/0x10 [ 72.622075][ T5313] ? preempt_schedule+0xe1/0xf0 [ 72.623929][ T5313] ? vscnprintf+0x5d/0x90 [ 72.625601][ T5313] panic+0x349/0x880 [ 72.627127][ T5313] ? check_panic_on_warn+0x21/0xb0 [ 72.629139][ T5313] ? __pfx_panic+0x10/0x10 [ 72.630836][ T5313] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 72.633091][ T5313] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 72.635758][ T5313] ? print_report+0x502/0x550 [ 72.637628][ T5313] check_panic_on_warn+0x86/0xb0 [ 72.639549][ T5313] ? ax25_release+0x87d/0x950 [ 72.641325][ T5313] end_report+0x77/0x160 [ 72.643068][ T5313] kasan_report+0x154/0x180 [ 72.644700][ T5313] ? ax25_release+0x87d/0x950 [ 72.646409][ T5313] ax25_release+0x87d/0x950 [ 72.648080][ T5313] sock_close+0xbc/0x240 [ 72.649691][ T5313] ? __pfx_sock_close+0x10/0x10 [ 72.651452][ T5313] __fput+0x23c/0xa50 [ 72.652867][ T5313] task_work_run+0x24f/0x310 [ 72.654549][ T5313] ? _raw_spin_unlock+0x28/0x50 [ 72.656288][ T5313] ? __pfx_task_work_run+0x10/0x10 [ 72.658281][ T5313] ? 
syscall_exit_to_user_mode+0xa3/0x340 [ 72.660328][ T5313] syscall_exit_to_user_mode+0x13f/0x340 [ 72.662466][ T5313] do_syscall_64+0x100/0x230 [ 72.664345][ T5313] ? clear_bhb_loop+0x35/0x90 [ 72.666163][ T5313] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 72.668480][ T5313] RIP: 0033:0x7efca3385d29 [ 72.670225][ T5313] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 72.677319][ T5313] RSP: 002b:00007ffd2b6616c8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 [ 72.680045][ T5313] RAX: 0000000000000000 RBX: 00007efca3577ba0 RCX: 00007efca3385d29 [ 72.682610][ T5313] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 [ 72.685359][ T5313] RBP: 00007efca3577ba0 R08: 0000000000000000 R09: 00007ffd2b6619bf [ 72.688012][ T5313] R10: 00007efca3577ac0 R11: 0000000000000246 R12: 00000000000119fa [ 72.690816][ T5313] R13: 00007efca3575fa0 R14: 0000000000000032 R15: ffffffffffffffff [ 72.693675][ T5313] [ 72.694858][ T5313] Kernel Offset: disabled [ 72.696460][ T5313] Rebooting in 86400 seconds..