==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:400 [inline]
BUG: KASAN: slab-use-after-free in __refcount_sub_and_test include/linux/refcount.h:389 [inline]
BUG: KASAN: slab-use-after-free in __refcount_dec_and_test include/linux/refcount.h:432 [inline]
BUG: KASAN: slab-use-after-free in refcount_dec_and_test include/linux/refcount.h:450 [inline]
BUG: KASAN: slab-use-after-free in skb_unref include/linux/skbuff.h:1292 [inline]
BUG: KASAN: slab-use-after-free in __sk_skb_reason_drop net/core/skbuff.c:1212 [inline]
BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x37/0x110 net/core/skbuff.c:1240
Write of size 4 at addr ffff888028413ae4 by task syz.1.20211/26054

CPU: 1 UID: 0 PID: 26054 Comm: syz.1.20211 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200
 instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
 atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:400 [inline]
 __refcount_sub_and_test include/linux/refcount.h:389 [inline]
 __refcount_dec_and_test include/linux/refcount.h:432 [inline]
 refcount_dec_and_test include/linux/refcount.h:450 [inline]
 skb_unref include/linux/skbuff.h:1292 [inline]
 __sk_skb_reason_drop net/core/skbuff.c:1212 [inline]
 sk_skb_reason_drop+0x37/0x110 net/core/skbuff.c:1240
 dev_kfree_skb_any include/linux/netdevice.h:4248 [inline]
 team_dummy_transmit+0x1a/0x30 drivers/net/team/team_core.c:502
 team_xmit+0x271/0x3d0 drivers/net/team/team_core.c:1848
 __netdev_start_xmit include/linux/netdevice.h:5343 [inline]
 netdev_start_xmit include/linux/netdevice.h:5352 [inline]
 __dev_direct_xmit+0x4af/0x750 net/core/dev.c:4934
 dev_direct_xmit include/linux/netdevice.h:3414 [inline]
 packet_xmit+0x1b4/0x320 net/packet/af_packet.c:285
 packet_snd net/packet/af_packet.c:3077 [inline]
 packet_sendmsg+0x3ebc/0x50f0 net/packet/af_packet.c:3109
 sock_sendmsg_nosec net/socket.c:722 [inline]
 __sock_sendmsg net/socket.c:737 [inline]
 ____sys_sendmsg+0x972/0x9f0 net/socket.c:2633
 ___sys_sendmsg+0x2a5/0x360 net/socket.c:2687
 __sys_sendmmsg+0x27c/0x4e0 net/socket.c:2776
 __do_sys_sendmmsg net/socket.c:2803 [inline]
 __se_sys_sendmmsg net/socket.c:2800 [inline]
 __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2800
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8bbef9c819
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8bbd1f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f8bbf215fa0 RCX: 00007f8bbef9c819
RDX: 0000000000000001 RSI: 0000200000000440 RDI: 000000000000000c
RBP: 00007f8bbf032c91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8bbf216038 R14: 00007f8bbf215fa0 R15: 00007ffd0576f838

Allocated by task 26054:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 unpoison_slab_object mm/kasan/common.c:340 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4538 [inline]
 slab_alloc_node mm/slub.c:4866 [inline]
 kmem_cache_alloc_node_noprof+0x384/0x690 mm/slub.c:4918
 __alloc_skb+0x1d0/0x7d0 net/core/skbuff.c:702
 alloc_skb include/linux/skbuff.h:1383 [inline]
 alloc_skb_with_frags+0xca/0x890 net/core/skbuff.c:6734
 sock_alloc_send_pskb+0x878/0x990 net/core/sock.c:2998
 packet_alloc_skb net/packet/af_packet.c:2927 [inline]
 packet_snd net/packet/af_packet.c:3020 [inline]
 packet_sendmsg+0x33eb/0x50f0 net/packet/af_packet.c:3109
 sock_sendmsg_nosec net/socket.c:722 [inline]
 __sock_sendmsg net/socket.c:737 [inline]
 ____sys_sendmsg+0x972/0x9f0 net/socket.c:2633
 ___sys_sendmsg+0x2a5/0x360 net/socket.c:2687
 __sys_sendmmsg+0x27c/0x4e0 net/socket.c:2776
 __do_sys_sendmmsg net/socket.c:2803 [inline]
 __se_sys_sendmmsg net/socket.c:2800 [inline]
 __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2800
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 26054:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2685 [inline]
 slab_free mm/slub.c:6165 [inline]
 kmem_cache_free+0x187/0x630 mm/slub.c:6295
 kfree_skb_reason include/linux/skbuff.h:1322 [inline]
 __tcf_kfree_skb_list+0x15c/0x330 net/sched/sch_generic.c:59
 tcf_kfree_skb_list include/net/sch_generic.h:1184 [inline]
 __dev_xmit_skb net/core/dev.c:4300 [inline]
 __dev_queue_xmit+0x21ba/0x3980 net/core/dev.c:4831
 dev_queue_xmit include/linux/netdevice.h:3401 [inline]
 team_dev_queue_xmit include/linux/if_team.h:249 [inline]
 team_queue_override_transmit drivers/net/team/team_core.c:813 [inline]
 team_xmit+0x1d2/0x3d0 drivers/net/team/team_core.c:1846
 __netdev_start_xmit include/linux/netdevice.h:5343 [inline]
 netdev_start_xmit include/linux/netdevice.h:5352 [inline]
 __dev_direct_xmit+0x4af/0x750 net/core/dev.c:4934
 dev_direct_xmit include/linux/netdevice.h:3414 [inline]
 packet_xmit+0x1b4/0x320 net/packet/af_packet.c:285
 packet_snd net/packet/af_packet.c:3077 [inline]
 packet_sendmsg+0x3ebc/0x50f0 net/packet/af_packet.c:3109
 sock_sendmsg_nosec net/socket.c:722 [inline]
 __sock_sendmsg net/socket.c:737 [inline]
 ____sys_sendmsg+0x972/0x9f0 net/socket.c:2633
 ___sys_sendmsg+0x2a5/0x360 net/socket.c:2687
 __sys_sendmmsg+0x27c/0x4e0 net/socket.c:2776
 __do_sys_sendmmsg net/socket.c:2803 [inline]
 __se_sys_sendmmsg net/socket.c:2800 [inline]
 __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2800
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888028413a00
 which belongs to the cache skbuff_head_cache of size 240
The buggy address is located 228 bytes inside of
 freed 240-byte region [ffff888028413a00, ffff888028413af0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28413
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88823be66000 dead000000000122 0000000000000000
raw: 0000000000000000 00000008000c000c 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 26054, tgid 26050 (syz.1.20211), ts 1563638120754, free_ts 1563541372252
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_slab_page mm/slub.c:3292 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3481
 new_slab mm/slub.c:3539 [inline]
 refill_objects+0x331/0x3c0 mm/slub.c:7175
 refill_sheaf mm/slub.c:2812 [inline]
 __pcs_replace_empty_main+0x2e6/0x730 mm/slub.c:4615
 alloc_from_pcs mm/slub.c:4717 [inline]
 slab_alloc_node mm/slub.c:4851 [inline]
 kmem_cache_alloc_noprof+0x37d/0x650 mm/slub.c:4873
 skb_clone+0x212/0x3a0 net/core/skbuff.c:2107
 do_one_broadcast net/netlink/af_netlink.c:1455 [inline]
 netlink_broadcast_filtered+0x5f8/0xeb0 net/netlink/af_netlink.c:1533
 netlink_broadcast+0x37/0x50 net/netlink/af_netlink.c:1557
 uevent_net_broadcast_untagged lib/kobject_uevent.c:331 [inline]
 kobject_uevent_net_broadcast+0x378/0x560 lib/kobject_uevent.c:410
 kobject_uevent_env+0x55c/0x9e0 lib/kobject_uevent.c:608
 device_add+0x557/0xb70 drivers/base/core.c:3672
 rfkill_register+0x17a/0x9c0 net/rfkill/core.c:1098
 nfc_register_device+0x14a/0x380 net/nfc/core.c:1132
 nci_register_device+0x8a1/0xa00 net/nfc/nci/core.c:1293
page last free pid 26052 tgid 26049 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 __folio_put+0x414/0x4f0 mm/swap.c:112
 af_alg_free_areq_sgls crypto/af_alg.c:766 [inline]
 af_alg_free_resources+0x55f/0x750 crypto/af_alg.c:1103
 _skcipher_recvmsg crypto/algif_skcipher.c:208 [inline]
 skcipher_recvmsg+0xbb8/0x1140 crypto/algif_skcipher.c:221
 sock_recvmsg_nosec net/socket.c:1072 [inline]
 sock_recvmsg+0x172/0x1b0 net/socket.c:1094
 ____sys_recvmsg+0x1e6/0x4a0 net/socket.c:2853
 ___sys_recvmsg+0x215/0x590 net/socket.c:2895
 __sys_recvmsg net/socket.c:2928 [inline]
 __do_sys_recvmsg net/socket.c:2934 [inline]
 __se_sys_recvmsg net/socket.c:2931 [inline]
 __x64_sys_recvmsg+0x1ba/0x2a0 net/socket.c:2931
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888028413980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888028413a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888028413a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
                                                       ^
 ffff888028413b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
 ffff888028413b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================