program: r0 = socket$kcm(0x10, 0x2, 0x0) (async) r1 = memfd_create(&(0x7f0000000100)='+\x88\xc7s\x00\x00\x942nod\xffv\x00\x00\x8cZ_Pv\x03\xa7\xc1\b\xec\x90Q\x85\x83\xcd\x16\xdcw\'\x8a\xe5N\x8c\x17\xfd\xc5\xad\xe1\xc4\xdfe\xfa\xf1&\x01\x89E`~[UW\x18\xd5y\x15\x1fx\x17\f\xbc\xd1.\x8cA\x17\x86\xb7-j!Y\x92\xd9\xc4\r8\xd0\xc9Xf\xda\xf2\x1fb\x14\x96g@*\xef\xae\xf8\xa7\x11\xa3\xf0\x8a*\xbc\x87\xcd\x1fl\xfc\xf3]\xb8\xbd\x02\v<\fl\xa6#\x9c\xfb\x05\xcb\x9c\xe2\xc8\x05\xa5\xa5\xeb\xa9\xef\xe3\xf1b\x81\xec\xac\xb6\x80\xd5\xf5S\x85\x06O\x05\xb8\xa1\x15\xcc\x17\xe8s\x95\x95B\xee_\x98\x91)\xe7\xa8+\x8c\xee\x83@q\x16\xcf3\x0f\x81\xa8\xa9`i\x01m:\xcc\x1c\xed<\xcfA3n\xfd\n>\x03\xae\f \xdbH', 0x2) fcntl$addseals(r1, 0x409, 0x12) (async) mmap(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x0, 0x11, r1, 0x0) (async, rerun: 64) mmap(&(0x7f0000ffc000/0x1000)=nil, 0x1008, 0x0, 0x13, r1, 0x0) (async, rerun: 64) r2 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r2, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000000)=@newlink={0x30, 0x10, 0x801, 0x0, 0x0, {}, [@IFLA_MASTER={0x8}, @IFLA_GROUP={0x8}]}, 0x30}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) (async) r4 = socket(0x11, 0x80a, 0x0) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000300)={'bond0\x00', 0x0}) sendmsg$nl_route(r3, &(0x7f0000000340)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f00000001c0)=@newlink={0x3c, 0x10, 0x401, 0x1, 0x0, {0x0, 0x0, 0x0, r5, 0x0, 0xc1}, [@IFLA_LINKINFO={0x1c, 0x12, 0x0, 0x1, @bond={{0x9}, {0xc, 0x2, 0x0, 0x1, [@IFLA_BOND_FAIL_OVER_MAC={0x5, 0xd, 0x1}]}}}]}, 0x3c}}, 0x0) sendmsg$kcm(r0, &(0x7f0000000600)={0x0, 0xfffffffe, &(0x7f0000000080)=[{&(0x7f0000000000)="2e00000010008188040f80ec59acbc0413a1f8480d0000005e140604000000000e000a000f00000002800000121f", 0x2e}], 0x1}, 0x0) [ 72.248760][ T4661] Bluetooth: hci0: command tx timeout [ 72.386317][ T5316] bridge_slave_0: left allmulticast mode [ 72.388495][ T5316] bridge_slave_0: left promiscuous mode [ 72.392253][ T5315] ================================================================== [ 72.395184][ T5315] BUG: KASAN: slab-use-after-free in __mmap_region+0x1802/0x2cd0 [ 72.398025][ T5315] Read of size 8 at addr ffff88803651ebc0 by task syz.0.0/5315 [ 72.400850][ T5315] [ 72.401781][ T5315] CPU: 0 UID: 0 PID: 5315 Comm: syz.0.0 Not tainted 6.13.0-rc1-syzkaller-00001-ge70140ba0d2b #0 [ 72.405939][ T5315] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 72.409945][ T5315] Call Trace: [ 72.411294][ T5315] [ 72.412410][ T5315] dump_stack_lvl+0x241/0x360 [ 72.414245][ T5315] ? __pfx_dump_stack_lvl+0x10/0x10 [ 72.416159][ T5315] ? __pfx__printk+0x10/0x10 [ 72.417906][ T5315] ? _printk+0xd5/0x120 [ 72.419446][ T5315] ? __virt_addr_valid+0x183/0x530 [ 72.421350][ T5315] ? __virt_addr_valid+0x183/0x530 [ 72.423238][ T5315] print_report+0x169/0x550 [ 72.424968][ T5315] ? __virt_addr_valid+0x183/0x530 [ 72.426954][ T5315] ? __virt_addr_valid+0x183/0x530 [ 72.428796][ T5315] ? __virt_addr_valid+0x45f/0x530 [ 72.430804][ T5315] ? __phys_addr+0xba/0x170 [ 72.432752][ T5315] ? __mmap_region+0x1802/0x2cd0 [ 72.434471][ T5315] kasan_report+0x143/0x180 [ 72.436205][ T5315] ? __mmap_region+0x1802/0x2cd0 [ 72.438187][ T5315] __mmap_region+0x1802/0x2cd0 [ 72.439896][ T5315] ? __pfx___mmap_region+0x10/0x10 [ 72.441525][ T5315] ? __pfx___might_resched+0x10/0x10 [ 72.443292][ T5315] ? __pfx_arch_get_unmapped_area_topdown+0x10/0x10 [ 72.445768][ T5315] ? cap_mmap_addr+0x163/0x2c0 [ 72.447732][ T5315] mmap_region+0x226/0x2c0 [ 72.449263][ T5315] do_mmap+0x8f0/0x1000 [ 72.450709][ T5315] ? __pfx_do_mmap+0x10/0x10 [ 72.452543][ T5315] ? __pfx_down_write_killable+0x10/0x10 [ 72.454642][ T5315] ? common_file_perm+0x1a6/0x210 [ 72.456495][ T5315] vm_mmap_pgoff+0x1dd/0x3d0 [ 72.458130][ T5315] ? __pfx_vm_mmap_pgoff+0x10/0x10 [ 72.459924][ T5315] ? __fget_files+0x2a/0x410 [ 72.461602][ T5315] ? __fget_files+0x395/0x410 [ 72.463433][ T5315] ? __fget_files+0x2a/0x410 [ 72.465257][ T5315] ksys_mmap_pgoff+0x4eb/0x720 [ 72.467127][ T5315] ? __x64_sys_mmap+0x7f/0x140 [ 72.468959][ T5315] do_syscall_64+0xf3/0x230 [ 72.470699][ T5315] ? clear_bhb_loop+0x35/0x90 [ 72.472584][ T5315] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 72.474843][ T5315] RIP: 0033:0x7efc3777ff19 [ 72.476549][ T5315] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 72.483855][ T5315] RSP: 002b:00007efc371dd058 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 [ 72.486985][ T5315] RAX: ffffffffffffffda RBX: 00007efc37946080 RCX: 00007efc3777ff19 [ 72.489840][ T5315] RDX: 0000000000000000 RSI: 0000000000001008 RDI: 0000000020ffc000 [ 72.492950][ T5315] RBP: 00007efc377f3986 R08: 0000000000000004 R09: 0000000000000000 [ 72.495919][ T5315] R10: 0000000000000013 R11: 0000000000000246 R12: 0000000000000000 [ 72.498656][ T5315] R13: 0000000000000001 R14: 00007efc37946080 R15: 00007fff1cb21f08 [ 72.501480][ T5315] [ 72.502614][ T5315] [ 72.503478][ T5315] Allocated by task 5315: [ 72.504930][ T5315] kasan_save_track+0x3f/0x80 [ 72.506605][ T5315] __kasan_slab_alloc+0x66/0x80 [ 72.508371][ T5315] kmem_cache_alloc_noprof+0x1d9/0x380 [ 72.510327][ T5315] vm_area_alloc+0x24/0x1d0 [ 72.511867][ T5315] __mmap_region+0x196e/0x2cd0 [ 72.513673][ T5315] mmap_region+0x226/0x2c0 [ 72.515301][ T5315] do_mmap+0x8f0/0x1000 [ 72.516759][ T5315] vm_mmap_pgoff+0x1dd/0x3d0 [ 72.518415][ T5315] ksys_mmap_pgoff+0x4eb/0x720 [ 72.519985][ T5315] do_syscall_64+0xf3/0x230 [ 72.521415][ T5315] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 72.523415][ T5315] [ 72.524275][ T5315] Freed by task 16: [ 72.525571][ T5315] kasan_save_track+0x3f/0x80 [ 72.527253][ T5315] kasan_save_free_info+0x40/0x50 [ 72.529177][ T5315] __kasan_slab_free+0x59/0x70 [ 72.530995][ T5315] kmem_cache_free+0x195/0x410 [ 72.532624][ T5315] rcu_core+0xaaa/0x17a0 [ 72.534191][ T5315] handle_softirqs+0x2d4/0x9b0 [ 72.535955][ T5315] run_ksoftirqd+0xca/0x130 [ 72.537609][ T5315] smpboot_thread_fn+0x544/0xa30 [ 72.539422][ T5315] kthread+0x2f0/0x390 [ 72.540957][ T5315] ret_from_fork+0x4b/0x80 [ 72.542628][ T5315] ret_from_fork_asm+0x1a/0x30 [ 72.544487][ T5315] [ 72.545477][ T5315] Last potentially related work creation: [ 72.547651][ T5315] kasan_save_stack+0x3f/0x60 [ 72.549489][ T5315] __kasan_record_aux_stack+0xac/0xc0 [ 72.551450][ T5315] call_rcu+0x167/0xa70 [ 72.553097][ T5315] vma_complete+0x97f/0xb50 [ 72.554859][ T5315] commit_merge+0x6f6/0x760 [ 72.556712][ T5315] vma_merge_existing_range+0x13b8/0x16f0 [ 72.558855][ T5315] __mmap_region+0x175b/0x2cd0 [ 72.560633][ T5315] mmap_region+0x226/0x2c0 [ 72.562319][ T5315] do_mmap+0x8f0/0x1000 [ 72.563755][ T5315] vm_mmap_pgoff+0x1dd/0x3d0 [ 72.565456][ T5315] ksys_mmap_pgoff+0x4eb/0x720 [ 72.567101][ T5315] do_syscall_64+0xf3/0x230 [ 72.568685][ T5315] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 72.570739][ T5315] [ 72.571577][ T5315] The buggy address belongs to the object at ffff88803651eba0 [ 72.571577][ T5315] which belongs to the cache vm_area_struct of size 184 [ 72.576442][ T5315] The buggy address is located 32 bytes inside of [ 72.576442][ T5315] freed 184-byte region [ffff88803651eba0, ffff88803651ec58) [ 72.581071][ T5315] [ 72.581917][ T5315] The buggy address belongs to the physical page: [ 72.584176][ T5315] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3651e [ 72.587379][ T5315] anon flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 72.590186][ T5315] page_type: f5(slab) [ 72.591743][ T5315] raw: 04fff00000000000 ffff88801be90b40 ffffea00010faa40 dead000000000005 [ 72.594818][ T5315] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 72.597818][ T5315] page dumped because: kasan: bad access detected [ 72.600219][ T5315] page_owner tracks the page as allocated [ 72.602384][ T5315] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5080, tgid 5080 (rm), ts 36363469590, free_ts 36360176430 [ 72.609290][ T5315] post_alloc_hook+0x1f3/0x230 [ 72.611016][ T5315] get_page_from_freelist+0x365c/0x37a0 [ 72.613199][ T5315] __alloc_pages_noprof+0x292/0x710 [ 72.615236][ T5315] alloc_pages_mpol_noprof+0x3e8/0x680 [ 72.617257][ T5315] alloc_slab_page+0x6a/0x140 [ 72.619182][ T5315] allocate_slab+0x5a/0x2f0 [ 72.621114][ T5315] ___slab_alloc+0xcd1/0x14b0 [ 72.623489][ T5315] __slab_alloc+0x58/0xa0 [ 72.625258][ T5315] kmem_cache_alloc_noprof+0x268/0x380 [ 72.627740][ T5315] vm_area_dup+0x27/0x290 [ 72.629262][ T5315] __split_vma+0x1cb/0xc50 [ 72.630894][ T5315] vms_gather_munmap_vmas+0x2e6/0x1600 [ 72.632890][ T5315] __mmap_region+0x7de/0x2cd0 [ 72.634671][ T5315] mmap_region+0x1d0/0x2c0 [ 72.636330][ T5315] do_mmap+0x8f0/0x1000 [ 72.637886][ T5315] vm_mmap_pgoff+0x1dd/0x3d0 [ 72.639661][ T5315] page last free pid 5080 tgid 5080 stack trace: [ 72.642073][ T5315] free_unref_folios+0xf62/0x1a90 [ 72.643960][ T5315] folios_put_refs+0x76c/0x860 [ 72.645656][ T5315] free_pages_and_swap_cache+0x5c8/0x690 [ 72.647758][ T5315] tlb_flush_mmu+0x3a3/0x680 [ 72.649497][ T5315] tlb_finish_mmu+0xd4/0x200 [ 72.651297][ T5315] exit_mmap+0x496/0xc20 [ 72.652926][ T5315] __mmput+0x115/0x3c0 [ 72.654445][ T5315] exec_mmap+0x7a5/0x890 [ 72.656055][ T5315] begin_new_exec+0x1285/0x1f90 [ 72.657854][ T5315] load_elf_binary+0x95b/0x2770 [ 72.659682][ T5315] bprm_execve+0xaf5/0x17a0 [ 72.661330][ T5315] do_execveat_common+0x55f/0x6f0 [ 72.663094][ T5315] __x64_sys_execve+0x92/0xb0 [ 72.664699][ T5315] do_syscall_64+0xf3/0x230 [ 72.666338][ T5315] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 72.668430][ T5315] [ 72.669299][ T5315] Memory state around the buggy address: [ 72.671167][ T5315] ffff88803651ea80: fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb [ 72.674160][ T5315] ffff88803651eb00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 72.676807][ T5315] >ffff88803651eb80: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb fb [ 72.679602][ T5315] ^ [ 72.681998][ T5315] ffff88803651ec00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc [ 72.685299][ T5315] ffff88803651ec80: fc fc fc fa fb fb fb fb fb fb fb fb fb fb fb fb [ 72.688484][ T5315] ================================================================== [ 72.692457][ T5316] bridge0: port 1(bridge_slave_0) entered disabled state [ 72.707270][ T5316] bridge_slave_1: left allmulticast mode [ 72.709686][ T5316] bridge_slave_1: left promiscuous mode [ 72.711907][ T5316] bridge0: port 2(bridge_slave_1) entered disabled state [ 72.720957][ T5316] bond0: (slave bond_slave_0): Releasing backup interface [ 72.727284][ T5316] bond0: (slave bond_slave_1): Releasing backup interface [ 72.745563][ T5316] team0: Port device team_slave_0 removed [ 72.751204][ T5316] team0: Port device team_slave_1 removed [ 72.753953][ T5316] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 72.756858][ T5316] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 72.761319][ T5316] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 72.764342][ T5316] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 72.777967][ T5315] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 72.780494][ T5315] CPU: 0 UID: 0 PID: 5315 Comm: syz.0.0 Not tainted 6.13.0-rc1-syzkaller-00001-ge70140ba0d2b #0 [ 72.784301][ T5315] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 72.788114][ T5315] Call Trace: [ 72.789259][ T5315] [ 72.790232][ T5315] dump_stack_lvl+0x241/0x360 [ 72.791917][ T5315] ? __pfx_dump_stack_lvl+0x10/0x10 [ 72.793850][ T5315] ? __pfx__printk+0x10/0x10 [ 72.795461][ T5315] ? preempt_schedule+0xe1/0xf0 [ 72.797242][ T5315] ? vscnprintf+0x5d/0x90 [ 72.798899][ T5315] panic+0x349/0x880 [ 72.800266][ T5315] ? check_panic_on_warn+0x21/0xb0 [ 72.801881][ T5315] ? __pfx_panic+0x10/0x10 [ 72.803274][ T5315] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 72.805532][ T5315] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 72.807957][ T5315] ? print_report+0x502/0x550 [ 72.809701][ T5315] check_panic_on_warn+0x86/0xb0 [ 72.811505][ T5315] ? __mmap_region+0x1802/0x2cd0 [ 72.813430][ T5315] end_report+0x77/0x160 [ 72.814926][ T5315] kasan_report+0x154/0x180 [ 72.816527][ T5315] ? __mmap_region+0x1802/0x2cd0 [ 72.818223][ T5315] __mmap_region+0x1802/0x2cd0 [ 72.819931][ T5315] ? __pfx___mmap_region+0x10/0x10 [ 72.821714][ T5315] ? __pfx___might_resched+0x10/0x10 [ 72.823665][ T5315] ? __pfx_arch_get_unmapped_area_topdown+0x10/0x10 [ 72.825957][ T5315] ? cap_mmap_addr+0x163/0x2c0 [ 72.827656][ T5315] mmap_region+0x226/0x2c0 [ 72.829370][ T5315] do_mmap+0x8f0/0x1000 [ 72.830924][ T5315] ? __pfx_do_mmap+0x10/0x10 [ 72.832687][ T5315] ? __pfx_down_write_killable+0x10/0x10 [ 72.834737][ T5315] ? common_file_perm+0x1a6/0x210 [ 72.836567][ T5315] vm_mmap_pgoff+0x1dd/0x3d0 [ 72.838309][ T5315] ? __pfx_vm_mmap_pgoff+0x10/0x10 [ 72.840251][ T5315] ? __fget_files+0x2a/0x410 [ 72.841987][ T5315] ? __fget_files+0x395/0x410 [ 72.843731][ T5315] ? __fget_files+0x2a/0x410 [ 72.845408][ T5315] ksys_mmap_pgoff+0x4eb/0x720 [ 72.847257][ T5315] ? __x64_sys_mmap+0x7f/0x140 [ 72.848976][ T5315] do_syscall_64+0xf3/0x230 [ 72.850367][ T5315] ? clear_bhb_loop+0x35/0x90 [ 72.851865][ T5315] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 72.853934][ T5315] RIP: 0033:0x7efc3777ff19 [ 72.855453][ T5315] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 72.861803][ T5315] RSP: 002b:00007efc371dd058 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 [ 72.864948][ T5315] RAX: ffffffffffffffda RBX: 00007efc37946080 RCX: 00007efc3777ff19 [ 72.867678][ T5315] RDX: 0000000000000000 RSI: 0000000000001008 RDI: 0000000020ffc000 [ 72.870385][ T5315] RBP: 00007efc377f3986 R08: 0000000000000004 R09: 0000000000000000 [ 72.873224][ T5315] R10: 0000000000000013 R11: 0000000000000246 R12: 0000000000000000 [ 72.876066][ T5315] R13: 0000000000000001 R14: 00007efc37946080 R15: 00007fff1cb21f08 [ 72.878855][ T5315] [ 72.880217][ T5315] Kernel Offset: disabled [ 72.881740][ T5315] Rebooting in 86400 seconds..