Warning: Permanently added '10.128.1.131' (ED25519) to the list of known hosts.
executing program
syzkaller login: [ 35.647031][ T4223] ==================================================================
[ 35.649422][ T4223] BUG: KASAN: slab-out-of-bounds in cfg80211_wext_freq+0x170/0x1ac
[ 35.651663][ T4223] Read of size 2 at addr ffff0000cf4a7540 by task syz-executor108/4223
[ 35.653936][ T4223]
[ 35.654622][ T4223] CPU: 0 PID: 4223 Comm: syz-executor108 Not tainted 6.1.94-syzkaller #0
[ 35.656813][ T4223] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 35.659713][ T4223] Call trace:
[ 35.660600][ T4223] dump_backtrace+0x1c8/0x1f4
[ 35.661907][ T4223] show_stack+0x2c/0x3c
[ 35.663152][ T4223] dump_stack_lvl+0x108/0x170
[ 35.664451][ T4223] print_report+0x174/0x4c0
[ 35.665636][ T4223] kasan_report+0xd4/0x130
[ 35.666866][ T4223] __asan_report_load2_noabort+0x2c/0x38
[ 35.668393][ T4223] cfg80211_wext_freq+0x170/0x1ac
[ 35.669818][ T4223] cfg80211_wext_siwscan+0x430/0xee8
[ 35.671257][ T4223] ioctl_standard_iw_point+0x7f0/0xdc4
[ 35.672716][ T4223] ioctl_standard_call+0xcc/0x264
[ 35.674048][ T4223] wext_ioctl_dispatch+0x16c/0x3ec
[ 35.675502][ T4223] wext_handle_ioctl+0x1f8/0x3f4
[ 35.676817][ T4223] sock_ioctl+0x140/0x858
[ 35.678040][ T4223] __arm64_sys_ioctl+0x14c/0x1c8
[ 35.679340][ T4223] invoke_syscall+0x98/0x2c0
[ 35.680643][ T4223] el0_svc_common+0x138/0x258
[ 35.681917][ T4223] do_el0_svc+0x64/0x218
[ 35.683072][ T4223] el0_svc+0x58/0x168
[ 35.684212][ T4223] el0t_64_sync_handler+0x84/0xf0
[ 35.685564][ T4223] el0t_64_sync+0x18c/0x190
[ 35.686761][ T4223]
[ 35.687359][ T4223] Allocated by task 4223:
[ 35.688696][ T4223] kasan_set_track+0x4c/0x80
[ 35.689931][ T4223] kasan_save_alloc_info+0x24/0x30
[ 35.691371][ T4223] __kasan_kmalloc+0xac/0xc4
[ 35.692554][ T4223] __kmalloc+0xd8/0x1c4
[ 35.693769][ T4223] ioctl_standard_iw_point+0x3b8/0xdc4
[ 35.695232][ T4223] ioctl_standard_call+0xcc/0x264
[ 35.696682][ T4223] wext_ioctl_dispatch+0x16c/0x3ec
[ 35.698111][ T4223] wext_handle_ioctl+0x1f8/0x3f4
[ 35.699518][ T4223] sock_ioctl+0x140/0x858
[ 35.700781][ T4223] __arm64_sys_ioctl+0x14c/0x1c8
[ 35.702188][ T4223] invoke_syscall+0x98/0x2c0
[ 35.703472][ T4223] el0_svc_common+0x138/0x258
[ 35.704845][ T4223] do_el0_svc+0x64/0x218
[ 35.706037][ T4223] el0_svc+0x58/0x168
[ 35.707133][ T4223] el0t_64_sync_handler+0x84/0xf0
[ 35.708538][ T4223] el0t_64_sync+0x18c/0x190
[ 35.709736][ T4223]
[ 35.710320][ T4223] The buggy address belongs to the object at ffff0000cf4a7400
[ 35.710320][ T4223] which belongs to the cache kmalloc-512 of size 512
[ 35.714225][ T4223] The buggy address is located 320 bytes inside of
[ 35.714225][ T4223] 512-byte region [ffff0000cf4a7400, ffff0000cf4a7600)
[ 35.718001][ T4223]
[ 35.718692][ T4223] The buggy address belongs to the physical page:
[ 35.720491][ T4223] page:00000000c65c4785 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10f4a4
[ 35.723341][ T4223] head:00000000c65c4785 order:2 compound_mapcount:0 compound_pincount:0
[ 35.725538][ T4223] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 35.727705][ T4223] raw: 05ffc00000010200 0000000000000000 dead000000000001 ffff0000c0002600
[ 35.730006][ T4223] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 35.732347][ T4223] page dumped because: kasan: bad access detected
[ 35.734094][ T4223]
[ 35.734742][ T4223] Memory state around the buggy address:
[ 35.736254][ T4223]  ffff0000cf4a7400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.738592][ T4223]  ffff0000cf4a7480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.740805][ T4223] >ffff0000cf4a7500: 00 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc
[ 35.743026][ T4223]                                            ^
[ 35.744716][ T4223]  ffff0000cf4a7580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.746854][ T4223]  ffff0000cf4a7600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.749073][ T4223] ==================================================================
[ 35.751677][ T4223] Disabling lock debugging due to kernel taint
[ 35.753084][ T4223] ================================================================================
[ 35.754818][ T4223] UBSAN: array-index-out-of-bounds in net/wireless/scan.c:2749:8
[ 35.756618][ T4223] index 33 is out of range for type 'struct iw_freq[32]'
[ 35.758551][ T4223] CPU: 0 PID: 4223 Comm: syz-executor108 Tainted: G B 6.1.94-syzkaller #0
[ 35.761142][ T4223] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 35.763770][ T4223] Call trace:
[ 35.764674][ T4223] dump_backtrace+0x1c8/0x1f4
[ 35.765926][ T4223] show_stack+0x2c/0x3c
[ 35.767002][ T4223] dump_stack_lvl+0x108/0x170
[ 35.768252][ T4223] dump_stack+0x1c/0x5c
[ 35.769363][ T4223] __ubsan_handle_out_of_bounds+0xfc/0x148
[ 35.770880][ T4223] cfg80211_wext_siwscan+0x4a0/0xee8
[ 35.772277][ T4223] ioctl_standard_iw_point+0x7f0/0xdc4
[ 35.773744][ T4223] ioctl_standard_call+0xcc/0x264
[ 35.775171][ T4223] wext_ioctl_dispatch+0x16c/0x3ec
[ 35.776470][ T4223] wext_handle_ioctl+0x1f8/0x3f4
[ 35.777860][ T4223] sock_ioctl+0x140/0x858
[ 35.778959][ T4223] __arm64_sys_ioctl+0x14c/0x1c8
[ 35.780242][ T4223] invoke_syscall+0x98/0x2c0
[ 35.781484][ T4223] el0_svc_common+0x138/0x258
[ 35.782864][ T4223] do_el0_svc+0x64/0x218
[ 35.783984][ T4223] el0_svc+0x58/0x168
[ 35.785004][ T4223] el0t_64_sync_handler+0x84/0xf0
[ 35.786358][ T4223] el0t_64_sync+0x18c/0x190
[ 35.787697][ T4223] ================================================================================