Warning: Permanently added '10.128.1.4' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   53.183547][    T8] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   53.194429][    T8] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   53.206850][    T8] ==================================================================
[   53.215342][    T8] BUG: KASAN: use-after-free in ieee80211_ibss_build_presp+0xfdb/0x1850
[   53.223752][    T8] Read of size 135 at addr ffff8880145e9c00 by task kworker/u4:0/8
[   53.231640][    T8] 
[   53.233956][    T8] CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted 5.11.0-rc6-syzkaller #0
[   53.242318][    T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.252509][    T8] Workqueue: phy0 ieee80211_iface_work
[   53.258774][    T8] Call Trace:
[   53.262077][    T8]  dump_stack+0x137/0x1be
[   53.266519][    T8]  print_address_description+0x5f/0x3a0
[   53.272087][    T8]  kasan_report+0x15e/0x200
[   53.277732][    T8]  ? ieee80211_ibss_build_presp+0xfdb/0x1850
[   53.283754][    T8]  ? ieee80211_ibss_build_presp+0xc0/0x1850
[   53.289829][    T8]  check_memory_region+0x2b5/0x2f0
[   53.295359][    T8]  ? ieee80211_ibss_build_presp+0xfdb/0x1850
[   53.301504][    T8]  memcpy+0x25/0x60
[   53.306023][    T8]  ieee80211_ibss_build_presp+0xfdb/0x1850
[   53.312138][    T8]  ? __mutex_unlock_slowpath+0x12d/0x520
[   53.318068][    T8]  ? __ieee80211_sta_join_ibss+0x6d7/0x12f0
[   53.324188][    T8]  __ieee80211_sta_join_ibss+0x708/0x12f0
[   53.330266][    T8]  ieee80211_sta_create_ibss+0x312/0x530
[   53.335997][    T8]  ieee80211_ibss_work+0xdb1/0x1450
[   53.341556][    T8]  ? ieee80211_iface_work+0x9d3/0xb10
[   53.346990][    T8]  process_one_work+0x789/0xfc0
[   53.351907][    T8]  worker_thread+0xac1/0x1300
[   53.356733][    T8]  ? rcu_lock_release+0x20/0x20
[   53.361677][    T8]  kthread+0x39a/0x3c0
[   53.365764][    T8]  ? rcu_lock_release+0x20/0x20
[   53.370727][    T8]  ? kthread_blkcg+0xd0/0xd0
[   53.375461][    T8]  ret_from_fork+0x1f/0x30
[   53.379953][    T8] 
[   53.382642][    T8] Allocated by task 8419:
[   53.386966][    T8]  ____kasan_kmalloc+0xbd/0xf0
[   53.391742][    T8]  __kmalloc_track_caller+0x1f7/0x330
[   53.397131][    T8]  kmemdup+0x21/0x50
[   53.401050][    T8]  ieee80211_ibss_join+0x816/0xf30
[   53.406195][    T8]  __cfg80211_join_ibss+0x5aa/0x880
[   53.411432][    T8]  nl80211_join_ibss+0xe09/0x12f0
[   53.416601][    T8]  genl_rcv_msg+0xe4e/0x1280
[   53.421300][    T8]  netlink_rcv_skb+0x190/0x3a0
[   53.426076][    T8]  genl_rcv+0x24/0x40
[   53.430080][    T8]  netlink_unicast+0x786/0x940
[   53.434851][    T8]  netlink_sendmsg+0x9ae/0xd50
[   53.439604][    T8]  ____sys_sendmsg+0x519/0x800
[   53.444878][    T8]  __sys_sendmsg+0x2bf/0x370
[   53.450516][    T8]  do_syscall_64+0x2d/0x70
[   53.455339][    T8]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   53.461237][    T8] 
[   53.464172][    T8] Freed by task 8418:
[   53.468215][    T8]  kasan_set_track+0x3d/0x70
[   53.473367][    T8]  kasan_set_free_info+0x1f/0x40
[   53.478429][    T8]  ____kasan_slab_free+0xe2/0x110
[   53.483810][    T8]  slab_free_freelist_hook+0xd6/0x1a0
[   53.489187][    T8]  kfree+0xd1/0x2a0
[   53.493019][    T8]  ieee80211_ibss_leave+0x80/0xf0
[   53.498054][    T8]  __cfg80211_leave_ibss+0x11c/0x200
[   53.503467][    T8]  cfg80211_netdev_notifier_call+0x3f2/0x1160
[   53.509743][    T8]  raw_notifier_call_chain+0xe7/0x170
[   53.515126][    T8]  __dev_close_many+0x1a6/0x390
[   53.520060][    T8]  __dev_change_flags+0x2fe/0x6f0
[   53.525082][    T8]  dev_change_flags+0x85/0x190
[   53.529866][    T8]  dev_ifsioc+0xc7/0xac0
[   53.534188][    T8]  dev_ioctl+0x4d1/0xc70
[   53.538432][    T8]  sock_do_ioctl+0x169/0x260
[   53.543041][    T8]  sock_ioctl+0x416/0x5f0
[   53.547523][    T8]  __se_sys_ioctl+0xfb/0x170
[   53.552109][    T8]  do_syscall_64+0x2d/0x70
[   53.556696][    T8]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   53.562624][    T8] 
[   53.565050][    T8] Last potentially related work creation:
[   53.570768][    T8]  kasan_save_stack+0x27/0x50
[   53.575643][    T8]  kasan_record_aux_stack+0xcc/0x100
[   53.581324][    T8]  insert_work+0x54/0x400
[   53.585699][    T8]  __queue_work+0x97f/0xcc0
[   53.590250][    T8]  queue_work_on+0xc1/0x120
[   53.594884][    T8]  call_usermodehelper_exec+0x206/0x3d0
[   53.600459][    T8]  kobject_uevent_env+0x1349/0x1730
[   53.605804][    T8]  kobject_synth_uevent+0x368/0x8a0
[   53.611143][    T8]  uevent_store+0x20/0x60
[   53.615569][    T8]  kernfs_fop_write_iter+0x3b6/0x510
[   53.621081][    T8]  vfs_write+0x896/0xab0
[   53.625346][    T8]  ksys_write+0x11b/0x220
[   53.629749][    T8]  do_syscall_64+0x2d/0x70
[   53.634359][    T8]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   53.640445][    T8] 
[   53.642786][    T8] Second to last potentially related work creation:
[   53.649390][    T8]  kasan_save_stack+0x27/0x50
[   53.654066][    T8]  kasan_record_aux_stack+0xcc/0x100
[   53.659524][    T8]  insert_work+0x54/0x400
[   53.663985][    T8]  __queue_work+0x97f/0xcc0
[   53.668575][    T8]  queue_work_on+0xc1/0x120
[   53.673095][    T8]  call_usermodehelper_exec+0x206/0x3d0
[   53.678735][    T8]  kobject_uevent_env+0x1349/0x1730
[   53.683956][    T8]  kobject_synth_uevent+0x368/0x8a0
[   53.689237][    T8]  uevent_store+0x47/0x70
[   53.693824][    T8]  kernfs_fop_write_iter+0x3b6/0x510
[   53.699331][    T8]  vfs_write+0x896/0xab0
[   53.703611][    T8]  ksys_write+0x11b/0x220
[   53.708415][    T8]  do_syscall_64+0x2d/0x70
[   53.712840][    T8]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   53.718745][    T8] 
[   53.721186][    T8] The buggy address belongs to the object at ffff8880145e9c00
[   53.721186][    T8]  which belongs to the cache kmalloc-192 of size 192
[   53.735333][    T8] The buggy address is located 0 bytes inside of
[   53.735333][    T8]  192-byte region [ffff8880145e9c00, ffff8880145e9cc0)
[   53.748491][    T8] The buggy address belongs to the page:
[   53.754195][    T8] page:00000000c13fc425 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x145e9
[   53.764977][    T8] flags: 0xfff00000000200(slab)
[   53.769873][    T8] raw: 00fff00000000200 ffffea00004a5a40 0000000400000004 ffff888011041500
[   53.778654][    T8] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[   53.787223][    T8] page dumped because: kasan: bad access detected
[   53.793820][    T8] 
[   53.796136][    T8] Memory state around the buggy address:
[   53.801757][    T8]  ffff8880145e9b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.810360][    T8]  ffff8880145e9b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   53.818444][    T8] >ffff8880145e9c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.826615][    T8]                    ^
[   53.830682][    T8]  ffff8880145e9c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   53.838769][    T8]  ffff8880145e9d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.846846][    T8] ==================================================================
[   53.855114][    T8] Disabling lock debugging due to kernel taint
[   53.862334][    T8] Kernel panic - not syncing: panic_on_warn set ...
[   53.868930][    T8] CPU: 0 PID: 8 Comm: kworker/u4:0 Tainted: G    B             5.11.0-rc6-syzkaller #0
[   53.878566][    T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.888897][    T8] Workqueue: phy0 ieee80211_iface_work
[   53.894377][    T8] Call Trace:
[   53.897685][    T8]  dump_stack+0x137/0x1be
[   53.902500][    T8]  ? panic+0x1f3/0x800
[   53.906965][    T8]  panic+0x291/0x800
[   53.910872][    T8]  ? preempt_schedule_thunk+0x16/0x18
[   53.916500][    T8]  ? trace_hardirqs_on+0x30/0x80
[   53.921453][    T8]  kasan_report+0x1fb/0x200
[   53.925956][    T8]  ? ieee80211_ibss_build_presp+0xfdb/0x1850
[   53.931938][    T8]  ? ieee80211_ibss_build_presp+0xc0/0x1850
[   53.938269][    T8]  check_memory_region+0x2b5/0x2f0
[   53.943438][    T8]  ? ieee80211_ibss_build_presp+0xfdb/0x1850
[   53.949865][    T8]  memcpy+0x25/0x60
[   53.953679][    T8]  ieee80211_ibss_build_presp+0xfdb/0x1850
[   53.960175][    T8]  ? __mutex_unlock_slowpath+0x12d/0x520
[   53.965803][    T8]  ? __ieee80211_sta_join_ibss+0x6d7/0x12f0
[   53.971689][    T8]  __ieee80211_sta_join_ibss+0x708/0x12f0
[   53.977664][    T8]  ieee80211_sta_create_ibss+0x312/0x530
[   53.983470][    T8]  ieee80211_ibss_work+0xdb1/0x1450
[   53.988774][    T8]  ? ieee80211_iface_work+0x9d3/0xb10
[   53.994172][    T8]  process_one_work+0x789/0xfc0
[   53.999135][    T8]  worker_thread+0xac1/0x1300
[   54.003806][    T8]  ? rcu_lock_release+0x20/0x20
[   54.009144][    T8]  kthread+0x39a/0x3c0
[   54.013357][    T8]  ? rcu_lock_release+0x20/0x20
[   54.018376][    T8]  ? kthread_blkcg+0xd0/0xd0
[   54.022993][    T8]  ret_from_fork+0x1f/0x30
[   54.028097][    T8] Kernel Offset: disabled
[   54.032598][    T8] Rebooting in 86400 seconds..
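Reading the report above by hand: the 192-byte object was kmemdup'd in ieee80211_ibss_join on the nl80211 join path (task 8419), kfree'd in ieee80211_ibss_leave from the netdev-close notifier on an ioctl path (task 8418), and then read for 135 bytes by the phy0 workqueue item ieee80211_ibss_work via ieee80211_ibss_build_presp, i.e. a queued work item outlived the buffer it references. The script below is an added example, not part of the syzkaller report, of syzkaller, or of the kernel tree: a small triage parser that extracts exactly those facts from a KASAN slab report. Its REPORT string is a constructed, condensed excerpt of the console log above with console prefixes and frame formats kept as printed; the shadow-byte legend (0xfa/0xfb marking a freed kmalloc object) is taken from mm/kasan/kasan.h of the 5.11 series and is the one assumption beyond the log itself.

```python
"""Triage parser for a KASAN slab use-after-free report (added example; REPORT is a
constructed, condensed excerpt of the console log above, prefixes kept as printed)."""
import re
from dataclasses import dataclass, field

REPORT = """\
[   53.215342][    T8] BUG: KASAN: use-after-free in ieee80211_ibss_build_presp+0xfdb/0x1850
[   53.223752][    T8] Read of size 135 at addr ffff8880145e9c00 by task kworker/u4:0/8
[   53.231640][    T8]
[   53.258774][    T8] Call Trace:
[   53.277732][    T8]  ? ieee80211_ibss_build_presp+0xfdb/0x1850
[   53.301504][    T8]  memcpy+0x25/0x60
[   53.306023][    T8]  ieee80211_ibss_build_presp+0xfdb/0x1850
[   53.324188][    T8]  __ieee80211_sta_join_ibss+0x708/0x12f0
[   53.335997][    T8]  ieee80211_ibss_work+0xdb1/0x1450
[   53.379953][    T8]
[   53.382642][    T8] Allocated by task 8419:
[   53.386966][    T8]  ____kasan_kmalloc+0xbd/0xf0
[   53.391742][    T8]  __kmalloc_track_caller+0x1f7/0x330
[   53.397131][    T8]  kmemdup+0x21/0x50
[   53.401050][    T8]  ieee80211_ibss_join+0x816/0xf30
[   53.461237][    T8]
[   53.464172][    T8] Freed by task 8418:
[   53.468215][    T8]  kasan_set_track+0x3d/0x70
[   53.478429][    T8]  ____kasan_slab_free+0xe2/0x110
[   53.489187][    T8]  kfree+0xd1/0x2a0
[   53.493019][    T8]  ieee80211_ibss_leave+0x80/0xf0
[   53.562624][    T8]
[   53.721186][    T8]  which belongs to the cache kmalloc-192 of size 192
[   53.735333][    T8]  192-byte region [ffff8880145e9c00, ffff8880145e9cc0)
[   53.818444][    T8] >ffff8880145e9c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")            # "[   53.2][    T8] "
FRAME = re.compile(r"^(\?\s+)?(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$")    # "? func+0xoff/0xlen"
# Allocator and KASAN plumbing that sits above the real owner in alloc/free stacks.
NOISE = ("kasan", "__kasan", "____kasan", "kmalloc", "__kmalloc", "kmemdup", "kfree",
         "slab_", "kmem_cache")
FREED_SHADOW = {0xfa, 0xfb}  # KASAN_KMALLOC_FREETRACK / KASAN_KMALLOC_FREE (assumed from mm/kasan/kasan.h, 5.11)

@dataclass
class KasanReport:
    bug_type: str = ""
    function: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    cache: str = ""
    region: tuple = (0, 0)
    shadow: list = field(default_factory=list)
    stacks: dict = field(default_factory=lambda: {"crash": [], "alloc": [], "free": []})

def origin(frames):
    """First frame that is not allocator/KASAN plumbing: the code owning the object."""
    return next((f for f in frames if not f.startswith(NOISE)), None)

def parse_kasan(text):
    rep, section = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:                          # a blank line closes a stack section
            section = None
        elif m := re.match(r"BUG: KASAN: (\S+) in (\S+)\+0x", line):
            rep.bug_type, rep.function = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (.+)", line):
            rep.access, rep.size = m.group(1), int(m.group(2))
            rep.addr, rep.task = int(m.group(3), 16), m.group(4)
        elif line == "Call Trace:":
            section = "crash"
        elif line.startswith("Allocated by task"):
            section = "alloc"
        elif line.startswith("Freed by task"):
            section = "free"
        elif m := re.search(r"cache (\S+) of size", line):
            rep.cache = m.group(1)
        elif m := re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            rep.region = (int(m.group(1), 16), int(m.group(2), 16))
        elif line.startswith(">"):            # shadow row that holds the faulting address
            rep.shadow = [int(b, 16) for b in line.split(":", 1)[1].split()]
        elif section and (m := FRAME.match(line)) and not m.group(1):
            rep.stacks[section].append(m.group(2))   # "? frame" entries are stale slots, skipped
    return rep

def triage(rep):
    """Reduce the report to the lifetime story: who allocated, who freed, who used it after."""
    lo, hi = rep.region
    crash = rep.stacks["crash"]
    callers = crash[crash.index(rep.function) + 1:] if rep.function in crash else []
    return {
        "class": rep.bug_type,
        "access": f"{rep.access} {rep.size} bytes at object+{rep.addr - lo} in {rep.cache}",
        "within_object": lo <= rep.addr and rep.addr + rep.size <= hi,
        # only the marked shadow row (128 bytes) is checked; the rest of the object follows it
        "shadow_says_freed": bool(rep.shadow) and all(b in FREED_SHADOW for b in rep.shadow),
        "faulting_function": rep.function,
        "reached_via": callers,
        "allocated_by": origin(rep.stacks["alloc"]),
        "freed_by": origin(rep.stacks["free"]),
    }
```

`triage(parse_kasan(REPORT))` yields the alloc owner ieee80211_ibss_join, the free owner ieee80211_ibss_leave, and the callers __ieee80211_sta_join_ibss and ieee80211_ibss_work of the faulting function, which is the pair of facts (which path frees the object, which deferred path still uses it) that decides where a fix has to break the race. The "?" frames are dropped because they are leftover stack slots rather than a verified call chain; the two "potentially related work creation" stacks are ignored since, as the report itself shows, they point at unrelated uevent work.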