Warning: Permanently added '10.128.1.106' (ED25519) to the list of known hosts.
executing program
[   36.101970][ T6234] warning: `syz-executor854' uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211
[   36.107105][ T6234] ==================================================================
[   36.109094][ T6234] BUG: KASAN: slab-out-of-bounds in cfg80211_wext_freq+0x170/0x1ac
[   36.110999][ T6234] Read of size 2 at addr ffff0000cd6ce140 by task syz-executor854/6234
[   36.112924][ T6234]
[   36.113537][ T6234] CPU: 1 PID: 6234 Comm: syz-executor854 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0
[   36.116025][ T6234] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[   36.118355][ T6234] Call trace:
[   36.119243][ T6234]  dump_backtrace+0x1b8/0x1e4
[   36.120429][ T6234]  show_stack+0x2c/0x3c
[   36.121443][ T6234]  dump_stack_lvl+0xe4/0x150
[   36.122634][ T6234]  print_report+0x198/0x538
[   36.123673][ T6234]  kasan_report+0xd8/0x138
[   36.124817][ T6234]  __asan_report_load2_noabort+0x20/0x2c
[   36.126189][ T6234]  cfg80211_wext_freq+0x170/0x1ac
[   36.127372][ T6234]  cfg80211_wext_siwscan+0x438/0xef0
[   36.128750][ T6234]  ioctl_standard_iw_point+0x7f0/0xdc4
[   36.130045][ T6234]  ioctl_standard_call+0xcc/0x264
[   36.131300][ T6234]  wext_ioctl_dispatch+0x1b4/0x534
[   36.132426][ T6234]  wext_handle_ioctl+0x1f8/0x3f4
[   36.133639][ T6234]  sock_ioctl+0x15c/0x838
[   36.134667][ T6234]  __arm64_sys_ioctl+0x14c/0x1c8
[   36.135965][ T6234]  invoke_syscall+0x98/0x2b8
[   36.137121][ T6234]  el0_svc_common+0x130/0x23c
[   36.138337][ T6234]  do_el0_svc+0x48/0x58
[   36.139380][ T6234]  el0_svc+0x54/0x168
[   36.140281][ T6234]  el0t_64_sync_handler+0x84/0xfc
[   36.141457][ T6234]  el0t_64_sync+0x190/0x194
[   36.142543][ T6234]
[   36.143103][ T6234] Allocated by task 6234:
[   36.144098][ T6234]  kasan_save_track+0x40/0x78
[   36.145323][ T6234]  kasan_save_alloc_info+0x40/0x50
[   36.146581][ T6234]  __kasan_kmalloc+0xac/0xc4
[   36.147649][ T6234]  __kmalloc+0x2b8/0x508
[   36.148725][ T6234]  ioctl_standard_iw_point+0x3b8/0xdc4
[   36.150039][ T6234]  ioctl_standard_call+0xcc/0x264
[   36.151266][ T6234]  wext_ioctl_dispatch+0x1b4/0x534
[   36.152567][ T6234]  wext_handle_ioctl+0x1f8/0x3f4
[   36.153779][ T6234]  sock_ioctl+0x15c/0x838
[   36.154807][ T6234]  __arm64_sys_ioctl+0x14c/0x1c8
[   36.156013][ T6234]  invoke_syscall+0x98/0x2b8
[   36.157072][ T6234]  el0_svc_common+0x130/0x23c
[   36.158238][ T6234]  do_el0_svc+0x48/0x58
[   36.159228][ T6234]  el0_svc+0x54/0x168
[   36.160239][ T6234]  el0t_64_sync_handler+0x84/0xfc
[   36.161488][ T6234]  el0t_64_sync+0x190/0x194
[   36.162610][ T6234]
[   36.163228][ T6234] The buggy address belongs to the object at ffff0000cd6ce000
[   36.163228][ T6234]  which belongs to the cache kmalloc-512 of size 512
[   36.166697][ T6234] The buggy address is located 4 bytes to the right of
[   36.166697][ T6234]  allocated 316-byte region [ffff0000cd6ce000, ffff0000cd6ce13c)
[   36.170272][ T6234]
[   36.170855][ T6234] The buggy address belongs to the physical page:
[   36.172371][ T6234] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10d6cc
[   36.174569][ T6234] head: order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   36.176529][ T6234] flags: 0x5ffc00000000840(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[   36.178461][ T6234] page_type: 0xffffffff()
[   36.179520][ T6234] raw: 05ffc00000000840 ffff0000c0001c80 fffffdffc335a900 dead000000000002
[   36.181645][ T6234] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   36.183732][ T6234] head: 05ffc00000000840 ffff0000c0001c80 fffffdffc335a900 dead000000000002
[   36.185783][ T6234] head: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   36.187855][ T6234] head: 05ffc00000000002 fffffdffc335b301 fffffdffc335b348 00000000ffffffff
[   36.190042][ T6234] head: 0000000400000000 0000000000000000 00000000ffffffff 0000000000000000
[   36.192199][ T6234] page dumped because: kasan: bad access detected
[   36.193738][ T6234]
[   36.194235][ T6234] Memory state around the buggy address:
[   36.195534][ T6234]  ffff0000cd6ce000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   36.197543][ T6234]  ffff0000cd6ce080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   36.199592][ T6234] >ffff0000cd6ce100: 00 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc
[   36.201485][ T6234]                                            ^
[   36.202984][ T6234]  ffff0000cd6ce180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.204955][ T6234]  ffff0000cd6ce200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.206977][ T6234] ==================================================================
[   36.209216][ T6234] Disabling lock debugging due to kernel taint
[   36.210676][ T6234] ------------[ cut here ]------------
[   36.211931][ T6234] UBSAN: array-index-out-of-bounds in net/wireless/scan.c:3411:8
[   36.213774][ T6234] index 33 is out of range for type 'struct iw_freq[32]'
[   36.215752][ T6234] CPU: 1 PID: 6234 Comm: syz-executor854 Tainted: G B 6.9.0-rc7-syzkaller-gfda5695d692c #0
[   36.218473][ T6234] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[   36.220986][ T6234] Call trace:
[   36.221703][ T6234]  dump_backtrace+0x1b8/0x1e4
[   36.222794][ T6234]  show_stack+0x2c/0x3c
[   36.223827][ T6234]  dump_stack_lvl+0xe4/0x150
[   36.224787][ T6234]  dump_stack+0x1c/0x28
[   36.225782][ T6234]  __ubsan_handle_out_of_bounds+0xf8/0x148
[   36.227205][ T6234]  cfg80211_wext_siwscan+0x4a8/0xef0
[   36.228581][ T6234]  ioctl_standard_iw_point+0x7f0/0xdc4
[   36.229873][ T6234]  ioctl_standard_call+0xcc/0x264
[   36.231063][ T6234]  wext_ioctl_dispatch+0x1b4/0x534
[   36.232306][ T6234]  wext_handle_ioctl+0x1f8/0x3f4
[   36.233450][ T6234]  sock_ioctl+0x15c/0x838
[   36.234546][ T6234]  __arm64_sys_ioctl+0x14c/0x1c8
[   36.235691][ T6234]  invoke_syscall+0x98/0x2b8
[   36.236849][ T6234]  el0_svc_common+0x130/0x23c
[   36.238041][ T6234]  do_el0_svc+0x48/0x58
[   36.239025][ T6234]  el0_svc+0x54/0x168
[   36.239995][ T6234]  el0t_64_sync_handler+0x84/0xfc
[   36.241225][ T6234]  el0t_64_sync+0x190/0x194
[   36.242423][ T6234] ---[ end trace ]---
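The numbers in the two reports line up with the layout of struct iw_scan_req from <linux/wireless.h>, the SIOCSIWSCAN payload that cfg80211_wext_siwscan parses: 316 bytes is sizeof(struct iw_scan_req), channel_list is declared as struct iw_freq[IW_MAX_FREQUENCIES] (32 entries), and object+0x140 is the offset of channel_list[32].e, the two-byte exponent field cfg80211_wext_freq reads first. num_channels is a caller-supplied __u8, so a request can name up to 255 channels while only 32 slots exist; using it unchecked as the loop bound is what walks past the array (KASAN fires on index 32, UBSAN on index 33, since &array[32] is a legal one-past-the-end address and is not flagged). SIOCSIWSCAN is a wext "set" command, which the wext dispatcher gates on CAP_NET_ADMIN, so the reachable surface is privileged-but-not-root. The following is an added example, not part of the syzkaller report or of the kernel tree: a user-space C model of that layout that reproduces the report's offsets and shows the bounds check the handler needs before the channel_list loop. The struct definitions mirror the UAPI header; scan_req_freq_exp_offset(), first_oob_index(), validate_scan_req() and check_constructed_request() are this example's own names, not kernel functions.

```c
/*
 * Added example (not from the syzkaller report or the kernel tree): a
 * user-space model of the wext scan request that cfg80211_wext_siwscan
 * parses, used to check the report's numbers against the struct layout
 * and to show the bounds check the handler needs.
 *
 * iw_freq / iw_scan_req mirror <linux/wireless.h>; the helper names
 * (scan_req_freq_exp_offset, first_oob_index, validate_scan_req,
 * check_constructed_request) are this example's own, not kernel functions.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IW_MAX_FREQUENCIES 32   /* size of iw_scan_req.channel_list */
#define IW_ESSID_MAX_SIZE  32

struct iw_freq {
    int32_t  m;     /* mantissa; cfg80211_wext_freq reads m and e */
    int16_t  e;     /* exponent; the 2-byte read KASAN flagged */
    uint8_t  i;     /* list index */
    uint8_t  flags; /* fixed/auto */
};

/* stand-in for struct sockaddr: 16 bytes */
struct iw_sockaddr {
    uint16_t sa_family;
    char     sa_data[14];
};

struct iw_scan_req {
    uint8_t  scan_type;
    uint8_t  essid_len;
    uint8_t  num_channels;  /* caller-supplied, 0..255; only 32 slots exist */
    uint8_t  flags;
    struct iw_sockaddr bssid;
    uint8_t  essid[IW_ESSID_MAX_SIZE];
    uint32_t min_channel_time;
    uint32_t max_channel_time;
    struct iw_freq channel_list[IW_MAX_FREQUENCIES];
};

/* Byte offset, from the start of the request, of channel_list[idx].e.
 * For idx == IW_MAX_FREQUENCIES this is 0x140, the offset in the report. */
size_t scan_req_freq_exp_offset(unsigned idx)
{
    return offsetof(struct iw_scan_req, channel_list) +
           (size_t)idx * sizeof(struct iw_freq) +
           offsetof(struct iw_freq, e);
}

/* Vulnerable pattern: loop with the caller's count as the bound. Returns the
 * first index whose .e read leaves the 316-byte object, or -1 if none does. */
int first_oob_index(uint8_t num_channels)
{
    for (unsigned k = 0; k < num_channels; k++) {
        if (scan_req_freq_exp_offset(k) + sizeof(int16_t) >
            sizeof(struct iw_scan_req))
            return (int)k;
    }
    return -1;
}

/* Hardened check to run before the channel_list loop: the buffer must hold
 * a whole request and the caller's counts must not exceed their arrays. */
int validate_scan_req(const struct iw_scan_req *req, size_t len)
{
    if (len < sizeof(*req))
        return -EINVAL;
    if (req->essid_len > IW_ESSID_MAX_SIZE)
        return -EINVAL;
    if (req->num_channels > IW_MAX_FREQUENCIES)
        return -EINVAL;
    return 0;
}

/* Build a constructed request (zeroed, one field set) and validate it. */
int check_constructed_request(uint8_t num_channels)
{
    struct iw_scan_req req;

    memset(&req, 0, sizeof(req));
    req.num_channels = num_channels;
    return validate_scan_req(&req, sizeof(req));
}

int main(void)
{
    printf("sizeof(struct iw_scan_req) = %zu (report: 316-byte region)\n",
           sizeof(struct iw_scan_req));
    printf("offset of channel_list[%d].e = 0x%zx (report: object+0x140)\n",
           IW_MAX_FREQUENCIES, scan_req_freq_exp_offset(IW_MAX_FREQUENCIES));
    printf("unchecked loop, num_channels=34: first OOB index %d\n",
           first_oob_index(34));
    printf("validate: num_channels=34 -> %d, num_channels=32 -> %d\n",
           check_constructed_request(34), check_constructed_request(32));
    return 0;
}
```

The model only reproduces the offsets and the check; it does not touch a wireless socket. Its value is that the arithmetic in first_oob_index lands on index 32 at offset 0x140, exactly where KASAN stopped, which confirms the 316-byte allocation is one struct iw_scan_req and that the missing check is on num_channels rather than on the ioctl length.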