Warning: Permanently added '10.128.0.136' (ECDSA) to the list of known hosts. [ 28.962446][ C1] random: crng init done [ 28.966836][ C1] random: 7 urandom warning(s) missed due to ratelimiting executing program executing program executing program executing program executing program executing program [ 29.193259][ T22] audit: type=1400 audit(1602010994.963:8): avc: denied { execmem } for pid=343 comm="syz-executor478" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1 executing program [ 29.260588][ T353] ================================================================== [ 29.268683][ T353] BUG: KASAN:
double-free or invalid-free in kfree+0x12b/0x5d0 [ 29.276224][ T353] [ 29.278548][ T353] CPU: 1 PID: 353 Comm: syz-executor478 Not tainted 5.4.69-syzkaller-00001-gab402fc4c187 #0 [ 29.293036][ T353] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.303065][ T353] Call Trace: [ 29.306558][ T353] dump_stack+0x1b0/0x21e [ 29.310867][ T353] ? __kernel_text_address+0x93/0x110 [ 29.316257][ T353] ? show_regs_print_info+0x12/0x12 [ 29.321440][ T353] ? unwind_get_return_address+0x48/0x90 [ 29.327050][ T353] ? printk+0xc0/0x104 [ 29.331099][ T353] ? kfree+0x12b/0x5d0 [ 29.335236][ T353] ? kfree+0x12b/0x5d0 [ 29.339326][ T353] print_address_description+0x96/0x5d0 [ 29.344842][ T353] ? devkmsg_release+0x11c/0x11c [ 29.350010][ T353] ? stack_trace_save+0x111/0x1e0 [ 29.355002][ T353] ? stack_trace_snprint+0x150/0x150 [ 29.360269][ T353] ? kfree+0x12b/0x5d0 [ 29.364305][ T353] ? kfree+0x12b/0x5d0 [ 29.368392][ T353] kasan_report_invalid_free+0x54/0xc0 [ 29.373835][ T353] __kasan_slab_free+0x102/0x220 [ 29.378757][ T353] ? kmem_cache_free+0xac/0x5c0 [ 29.383582][ T353] ? __kasan_slab_free+0x1e2/0x220 [ 29.388664][ T353] ? __kasan_slab_free+0x168/0x220 [ 29.393748][ T353] ? slab_free_freelist_hook+0xd0/0x150 [ 29.399261][ T353] ? kmem_cache_free+0xac/0x5c0 [ 29.404093][ T353] ? finish_task_switch+0x2e8/0x4c0 [ 29.409270][ T353] ? __schedule+0x8ae/0xe30 [ 29.413743][ T353] ? schedule+0x126/0x1d0 [ 29.418038][ T353] ? schedule_preempt_disabled+0xd/0x20 [ 29.423549][ T353] ? __mutex_lock+0x72d/0xc40 [ 29.428193][ T353] ? mutex_lock+0x106/0x110 [ 29.432666][ T353] ? dev_ioctl+0x452/0xb90 [ 29.437053][ T353] ? mac80211_hwsim_bcn_en_iter+0x5e/0x90 [ 29.442739][ T353] ? hrtimer_try_to_cancel+0x30b/0x690 [ 29.448166][ T353] ? hrtimer_cancel+0x26/0x60 [ 29.452811][ T353] ? mac80211_hwsim_bss_info_changed+0x4fe/0x800 [ 29.459105][ T353] ? mutex_lock+0xa6/0x110 [ 29.463486][ T353] ? mutex_trylock+0xb0/0xb0 [ 29.468047][ T353] ? 
mutex_lock+0xa6/0x110 [ 29.472438][ T353] slab_free_freelist_hook+0xd0/0x150 [ 29.477792][ T353] ? ieee80211_ibss_leave+0x7d/0xe0 [ 29.482960][ T353] kfree+0x12b/0x5d0 [ 29.486823][ T353] ieee80211_ibss_leave+0x7d/0xe0 [ 29.491815][ T353] rdev_leave_ibss+0x194/0x2f0 [ 29.496552][ T353] __cfg80211_leave_ibss+0x6f/0x100 [ 29.501734][ T353] cfg80211_netdev_notifier_call+0x46b/0xee0 [ 29.507681][ T353] raw_notifier_call_chain+0x9e/0x100 [ 29.513018][ T353] __dev_close_many+0x154/0x320 [ 29.517836][ T353] ? dev_close_many+0x530/0x530 [ 29.522653][ T353] ? ieee80211_set_multicast_list+0x158/0x1f0 [ 29.528706][ T353] __dev_change_flags+0x2db/0x6f0 [ 29.533709][ T353] ? dev_get_flags+0x1c0/0x1c0 [ 29.538440][ T353] ? __ww_mutex_lock_interruptible_slowpath+0x10/0x10 [ 29.545167][ T353] dev_change_flags+0x85/0x190 [ 29.549900][ T353] dev_ifsioc+0x103/0xa60 [ 29.554200][ T353] ? mutex_lock+0x106/0x110 [ 29.558686][ T353] ? dev_ioctl+0xb90/0xb90 [ 29.563069][ T353] ? full_name_hash+0x97/0xe0 [ 29.567712][ T353] dev_ioctl+0x460/0xb90 [ 29.571923][ T353] sock_do_ioctl+0x227/0x300 [ 29.576530][ T353] ? sock_splice_read+0xf0/0xf0 [ 29.581348][ T353] ? __x64_sys_socket+0x76/0x80 [ 29.586165][ T353] ? __sys_socket+0x115/0x350 [ 29.590809][ T353] ? __x64_sys_socket+0x76/0x80 [ 29.595643][ T353] ? do_syscall_64+0xcb/0x150 [ 29.600302][ T353] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 29.606348][ T353] ? slab_free_freelist_hook+0xd0/0x150 [ 29.611919][ T353] ? __should_failslab+0x8b/0x150 [ 29.616922][ T353] sock_ioctl+0x4cf/0x700 [ 29.621235][ T353] ? sock_poll+0x2f0/0x2f0 [ 29.625621][ T353] ? __mutex_init+0x9d/0xf0 [ 29.630102][ T353] ? percpu_counter_add_batch+0x12d/0x150 [ 29.635802][ T353] ? alloc_file+0x81/0x4b0 [ 29.640186][ T353] ? memcpy+0x38/0x50 [ 29.644136][ T353] ? sock_poll+0x2f0/0x2f0 [ 29.648560][ T353] do_vfs_ioctl+0x746/0x16f0 [ 29.653126][ T353] ? selinux_file_ioctl+0x6e4/0x920 [ 29.658295][ T353] ? ioctl_preallocate+0x240/0x240 [ 29.663387][ T353] ? 
alloc_empty_file_noaccount+0x70/0x70 [ 29.669086][ T353] ? find_next_zero_bit+0xfb/0x120 [ 29.674164][ T353] ? __fget+0x37c/0x3c0 [ 29.678289][ T353] ? fget_many+0x20/0x20 [ 29.682501][ T353] ? __fpregs_load_activate+0x2d3/0x390 [ 29.688012][ T353] ? security_file_ioctl+0xad/0xc0 [ 29.693096][ T353] __x64_sys_ioctl+0xd4/0x110 [ 29.697745][ T353] do_syscall_64+0xcb/0x150 [ 29.702222][ T353] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 29.708124][ T353] RIP: 0033:0x4479b9 [ 29.711989][ T353] Code: e8 ec e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 04 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 29.731568][ T353] RSP: 002b:00007fd30e880da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 29.739972][ T353] RAX: ffffffffffffffda RBX: 00000000006dcc68 RCX: 00000000004479b9 [ 29.747917][ T353] RDX: 00000000200008c0 RSI: 0000000000008914 RDI: 0000000000000005 [ 29.755862][ T353] RBP: 00000000006dcc60 R08: 0000000000000000 R09: 0000000000000000 [ 29.763808][ T353] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc6c [ 29.771752][ T353] R13: 0000000000000000 R14: 000000306e616c77 R15: 0000000000000000 [ 29.779711][ T353] [ 29.782010][ T353] Allocated by task 354: [ 29.786224][ T353] __kasan_kmalloc+0x117/0x1b0 [ 29.790972][ T353] __kmalloc_track_caller+0x201/0x2b0 [ 29.796322][ T353] kmemdup+0x21/0x50 [ 29.800184][ T353] ieee80211_ibss_join+0x6ff/0xcf0 [ 29.805264][ T353] rdev_join_ibss+0x1af/0x310 [ 29.809908][ T353] __cfg80211_join_ibss+0x4a0/0x730 [ 29.815070][ T353] nl80211_join_ibss+0x1420/0x19d0 [ 29.820149][ T353] genl_rcv_msg+0xe76/0x1330 [ 29.824720][ T353] netlink_rcv_skb+0x1f0/0x460 [ 29.829459][ T353] genl_rcv+0x24/0x40 [ 29.833429][ T353] netlink_unicast+0x87c/0xa20 [ 29.838160][ T353] netlink_sendmsg+0x9a7/0xd40 [ 29.842890][ T353] ____sys_sendmsg+0x56f/0x860 [ 29.847622][ T353] __sys_sendmsg+0x26a/0x350 [ 29.852193][ T353] do_syscall_64+0xcb/0x150 [ 
29.856663][ T353] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 29.862543][ T353] [ 29.864841][ T353] Freed by task 361: [ 29.868703][ T353] __kasan_slab_free+0x168/0x220 [ 29.873622][ T353] slab_free_freelist_hook+0xd0/0x150 [ 29.878970][ T353] kfree+0x12b/0x5d0 [ 29.882847][ T353] ieee80211_ibss_leave+0x7d/0xe0 [ 29.887837][ T353] rdev_leave_ibss+0x194/0x2f0 [ 29.892582][ T353] __cfg80211_leave_ibss+0x6f/0x100 [ 29.897752][ T353] cfg80211_netdev_notifier_call+0x46b/0xee0 [ 29.903708][ T353] raw_notifier_call_chain+0x9e/0x100 [ 29.909044][ T353] __dev_close_many+0x154/0x320 [ 29.913860][ T353] __dev_change_flags+0x2db/0x6f0 [ 29.918850][ T353] dev_change_flags+0x85/0x190 [ 29.923601][ T353] dev_ifsioc+0x103/0xa60 [ 29.927981][ T353] dev_ioctl+0x460/0xb90 [ 29.932201][ T353] sock_do_ioctl+0x227/0x300 [ 29.936813][ T353] sock_ioctl+0x4cf/0x700 [ 29.941111][ T353] do_vfs_ioctl+0x746/0x16f0 [ 29.945678][ T353] __x64_sys_ioctl+0xd4/0x110 [ 29.950352][ T353] do_syscall_64+0xcb/0x150 [ 29.954835][ T353] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 29.960714][ T353] [ 29.963025][ T353] The buggy address belongs to the object at ffff8881ceaa9200 [ 29.963025][ T353] which belongs to the cache kmalloc-192 of size 192 [ 29.977055][ T353] The buggy address is located 0 bytes inside of [ 29.977055][ T353] 192-byte region [ffff8881ceaa9200, ffff8881ceaa92c0) [ 29.990116][ T353] The buggy address belongs to the page: [ 29.995723][ T353] page:ffffea00073aaa40 refcount:1 mapcount:0 mapping:ffff8881da802a00 index:0x0 [ 30.004797][ T353] flags: 0x8000000000000200(slab) [ 30.009809][ T353] raw: 8000000000000200 0000000000000000 0000000100000001 ffff8881da802a00 [ 30.018383][ T353] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 30.026952][ T353] page dumped because: kasan: bad access detected [ 30.033327][ T353] [ 30.036144][ T353] Memory state around the buggy address: [ 30.041756][ T353] ffff8881ceaa9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 
30.049782][ T353] ffff8881ceaa9180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 30.057825][ T353] >ffff8881ceaa9200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.065862][ T353] ^ [ 30.069910][ T353] ffff8881ceaa9280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 30.077936][ T353] ffff8881ceaa9300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 30.085972][ T353] ================================================================== [ 30.094009][ T353] Disabling lock debugging due to kernel taint executing program executing program executing program executing program executing program [ 30.154859][ T159] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 30.163400][ T159] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 30.171550][ T159] ================================================================== [ 30.179603][ T159] BUG: KASAN: use-after-free in ieee80211_ibss_build_presp+0xed2/0x17f0 [ 30.188006][ T159] Read of size 135 at addr ffff8881ceaa9200 by task kworker/u4:2/159 [ 30.196059][ T159] [ 30.198359][ T159] CPU: 0 PID: 159 Comm: kworker/u4:2 Tainted: G B 5.4.69-syzkaller-00001-gab402fc4c187 #0 [ 30.209516][ T159] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.219596][ T159] Workqueue: phy0 ieee80211_iface_work [ 30.225025][ T159] Call Trace: [ 30.228288][ T159] dump_stack+0x1b0/0x21e [ 30.232636][ T159] ? wait_for_xmitr+0x188/0x280 [ 30.237458][ T159] ? show_regs_print_info+0x12/0x12 [ 30.242623][ T159] ? printk+0xc0/0x104 [ 30.246731][ T159] print_address_description+0x96/0x5d0 [ 30.252262][ T159] ? devkmsg_release+0x11c/0x11c [ 30.257177][ T159] ? __kmalloc+0xf7/0x2c0 [ 30.261500][ T159] ? ieee80211_sta_create_ibss+0x2fb/0x570 [ 30.267464][ T159] ? ieee80211_ibss_work+0xf90/0x15c0 [ 30.273069][ T159] ? process_one_work+0x777/0xf90 [ 30.278066][ T159] ? worker_thread+0xa8f/0x1430 [ 30.282908][ T159] ?
kthread+0x317/0x340 [ 30.287122][ T159] __kasan_report+0x14b/0x1c0 [ 30.291770][ T159] ? ieee80211_recalc_chanctx_min_def+0xa10/0x1230 [ 30.298250][ T159] ? ieee80211_ibss_build_presp+0xed2/0x17f0 [ 30.304229][ T159] kasan_report+0x27/0x50 [ 30.308532][ T159] check_memory_region+0x2b5/0x2f0 [ 30.313630][ T159] ? ieee80211_ibss_build_presp+0xed2/0x17f0 [ 30.319587][ T159] memcpy+0x25/0x50 [ 30.323364][ T159] ieee80211_ibss_build_presp+0xed2/0x17f0 [ 30.329144][ T159] ? ieee80211_ibss_csa_beacon+0x370/0x370 [ 30.334934][ T159] ? ieee80211_recalc_radar_chanctx+0x1aa/0x640 [ 30.341157][ T159] ? mutex_unlock+0x19/0x40 [ 30.345650][ T159] ? ieee80211_vif_use_channel+0xbe5/0xde0 [ 30.351454][ T159] ? __ieee80211_sta_join_ibss+0x90f/0x1420 [ 30.357312][ T159] __ieee80211_sta_join_ibss+0x938/0x1420 [ 30.363019][ T159] ? ieee80211_ibss_add_sta+0x400/0x400 [ 30.368537][ T159] ? vprintk_store+0x690/0x690 [ 30.373286][ T159] ? devkmsg_release+0x11c/0x11c [ 30.378201][ T159] ? _raw_spin_lock_bh+0xa4/0x180 [ 30.383201][ T159] ? ieee80211_sta_create_ibss+0x249/0x570 [ 30.389014][ T159] ieee80211_sta_create_ibss+0x2fb/0x570 [ 30.394627][ T159] ? devkmsg_release+0x11c/0x11c [ 30.400242][ T159] ? drv_join_ibss+0x3d0/0x3d0 [ 30.404982][ T159] ? __rcu_read_lock+0x50/0x50 [ 30.409732][ T159] ieee80211_ibss_work+0xf90/0x15c0 [ 30.414911][ T159] ? reschedule_interrupt+0xa/0x20 [ 30.420091][ T159] ? ieee80211_ibss_rx_queued_mgmt+0x23f0/0x23f0 [ 30.426411][ T159] ? skb_dequeue+0x12f/0x180 [ 30.430969][ T159] ? ieee80211_iface_work+0x855/0x900 [ 30.436329][ T159] ? read_word_at_a_time+0xe/0x20 [ 30.441333][ T159] ? strscpy+0xa6/0x260 [ 30.445456][ T159] process_one_work+0x777/0xf90 [ 30.450311][ T159] worker_thread+0xa8f/0x1430 [ 30.454957][ T159] kthread+0x317/0x340 [ 30.458996][ T159] ? process_one_work+0xf90/0xf90 [ 30.464053][ T159] ? 
kthread_destroy_worker+0x270/0x270 [ 30.469567][ T159] ret_from_fork+0x1f/0x30 [ 30.473948][ T159] [ 30.476257][ T159] Allocated by task 354: [ 30.480466][ T159] __kasan_kmalloc+0x117/0x1b0 [ 30.485199][ T159] __kmalloc_track_caller+0x201/0x2b0 [ 30.490539][ T159] kmemdup+0x21/0x50 [ 30.494402][ T159] ieee80211_ibss_join+0x6ff/0xcf0 [ 30.499505][ T159] rdev_join_ibss+0x1af/0x310 [ 30.504151][ T159] __cfg80211_join_ibss+0x4a0/0x730 [ 30.509315][ T159] nl80211_join_ibss+0x1420/0x19d0 [ 30.514405][ T159] genl_rcv_msg+0xe76/0x1330 [ 30.518961][ T159] netlink_rcv_skb+0x1f0/0x460 [ 30.523691][ T159] genl_rcv+0x24/0x40 [ 30.527728][ T159] netlink_unicast+0x87c/0xa20 [ 30.532456][ T159] netlink_sendmsg+0x9a7/0xd40 [ 30.537196][ T159] ____sys_sendmsg+0x56f/0x860 [ 30.542021][ T159] __sys_sendmsg+0x26a/0x350 [ 30.546583][ T159] do_syscall_64+0xcb/0x150 [ 30.551059][ T159] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 30.556911][ T159] [ 30.559224][ T159] Freed by task 361: [ 30.563100][ T159] __kasan_slab_free+0x168/0x220 [ 30.563107][ T159] slab_free_freelist_hook+0xd0/0x150 [ 30.563116][ T159] kfree+0x12b/0x5d0 [ 30.577248][ T159] ieee80211_ibss_leave+0x7d/0xe0 [ 30.582248][ T159] rdev_leave_ibss+0x194/0x2f0 [ 30.586988][ T159] __cfg80211_leave_ibss+0x6f/0x100 [ 30.592290][ T159] cfg80211_netdev_notifier_call+0x46b/0xee0 [ 30.598261][ T159] raw_notifier_call_chain+0x9e/0x100 [ 30.603615][ T159] __dev_close_many+0x154/0x320 [ 30.608445][ T159] __dev_change_flags+0x2db/0x6f0 [ 30.613454][ T159] dev_change_flags+0x85/0x190 [ 30.618211][ T159] dev_ifsioc+0x103/0xa60 [ 30.623041][ T159] dev_ioctl+0x460/0xb90 [ 30.627274][ T159] sock_do_ioctl+0x227/0x300 [ 30.631847][ T159] sock_ioctl+0x4cf/0x700 [ 30.636172][ T159] do_vfs_ioctl+0x746/0x16f0 [ 30.640757][ T159] __x64_sys_ioctl+0xd4/0x110 [ 30.645425][ T159] do_syscall_64+0xcb/0x150 [ 30.649923][ T159] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 30.655790][ T159] [ 30.658096][ T159] The buggy address belongs to the object at 
ffff8881ceaa9200 [ 30.658096][ T159] which belongs to the cache kmalloc-192 of size 192 [ 30.672129][ T159] The buggy address is located 0 bytes inside of [ 30.672129][ T159] 192-byte region [ffff8881ceaa9200, ffff8881ceaa92c0) [ 30.686160][ T159] The buggy address belongs to the page: [ 30.691765][ T159] page:ffffea00073aaa40 refcount:1 mapcount:0 mapping:ffff8881da802a00 index:0x0 [ 30.700852][ T159] flags: 0x8000000000000200(slab) [ 30.705860][ T159] raw: 8000000000000200 0000000000000000 0000000100000001 ffff8881da802a00 [ 30.714436][ T159] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 30.723020][ T159] page dumped because: kasan: bad access detected [ 30.729416][ T159] [ 30.731713][ T159] Memory state around the buggy address: [ 30.737324][ T159] ffff8881ceaa9100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 30.745353][ T159] ffff8881ceaa9180: 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc [ 30.753830][ T159] >ffff8881ceaa9200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.761856][ T159] ^ [ 30.765892][ T159] ffff8881ceaa9280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 30.773933][ T159] ffff8881ceaa9300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.781959][ T159] ================================================================== [ 30.792182][ T379] ================================================================== [ 30.800883][ T379] BUG: KASAN: double-free or invalid-free in kfree+0x12b/0x5d0 [ 30.809777][ T379] [ 30.812099][ T379] CPU: 1 PID: 379 Comm: syz-executor478 Tainted: G B 5.4.69-syzkaller-00001-gab402fc4c187 #0 [ 30.824929][ T379] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.835001][ T379] Call Trace: [ 30.839712][ T379] dump_stack+0x1b0/0x21e [ 30.844043][ T379] ? show_regs_print_info+0x12/0x12 [ 30.849219][ T379] ? printk+0xc0/0x104 [ 30.854671][ T379] ?
kfree+0x12b/0x5d0 [ 30.858723][ T379] ? kfree+0x12b/0x5d0 [ 30.862771][ T379] print_address_description+0x96/0x5d0 [ 30.868977][ T379] ? devkmsg_release+0x11c/0x11c [ 30.873893][ T379] ? netif_tx_wake_queue+0x1ce/0x210 [ 30.879157][ T379] ? ieee80211_ibss_leave+0x26/0xe0 [ 30.884321][ T379] ? kfree+0x12b/0x5d0 [ 30.888356][ T379] ? kfree+0x12b/0x5d0 [ 30.892407][ T379] kasan_report_invalid_free+0x54/0xc0 [ 30.897832][ T379] __kasan_slab_free+0x102/0x220 [ 30.902826][ T379] ? hrtimer_cancel+0x26/0x60 [ 30.907469][ T379] ? mac80211_hwsim_config+0x692/0x770 [ 30.912894][ T379] ? __rcu_read_lock+0x50/0x50 [ 30.917627][ T379] ? drv_config+0x1a9/0x300 [ 30.922099][ T379] ? call_rcu+0x10/0x10 [ 30.926225][ T379] ? ieee80211_recalc_idle+0x204/0x2e0 [ 30.931664][ T379] slab_free_freelist_hook+0xd0/0x150 [ 30.937012][ T379] ? ieee80211_ibss_leave+0x7d/0xe0 [ 30.942190][ T379] kfree+0x12b/0x5d0 [ 30.946065][ T379] ieee80211_ibss_leave+0x7d/0xe0 [ 30.951082][ T379] rdev_leave_ibss+0x194/0x2f0 [ 30.955832][ T379] __cfg80211_leave_ibss+0x6f/0x100 [ 30.961006][ T379] cfg80211_netdev_notifier_call+0x46b/0xee0 [ 30.966961][ T379] raw_notifier_call_chain+0x9e/0x100 [ 30.972302][ T379] __dev_close_many+0x154/0x320 [ 30.977125][ T379] ? dev_close_many+0x530/0x530 [ 30.981970][ T379] ? ieee80211_set_multicast_list+0x158/0x1f0 [ 30.988030][ T379] __dev_change_flags+0x2db/0x6f0 [ 30.993041][ T379] ? dev_get_flags+0x1c0/0x1c0 [ 30.997776][ T379] ? __ww_mutex_lock_interruptible_slowpath+0x10/0x10 [ 31.004523][ T379] dev_change_flags+0x85/0x190 [ 31.009257][ T379] dev_ifsioc+0x103/0xa60 [ 31.013557][ T379] ? mutex_lock+0x106/0x110 [ 31.018028][ T379] ? dev_ioctl+0xb90/0xb90 [ 31.022414][ T379] ? full_name_hash+0x97/0xe0 [ 31.027076][ T379] dev_ioctl+0x460/0xb90 [ 31.032030][ T379] sock_do_ioctl+0x227/0x300 [ 31.036606][ T379] ? sock_splice_read+0xf0/0xf0 [ 31.041483][ T379] ? ___slab_alloc+0x2e0/0x450 [ 31.046266][ T379] ?
__should_failslab+0x8b/0x150 [ 31.051347][ T379] sock_ioctl+0x4cf/0x700 [ 31.055646][ T379] ? sock_poll+0x2f0/0x2f0 [ 31.060041][ T379] ? __mutex_init+0x9d/0xf0 [ 31.064511][ T379] ? percpu_counter_add_batch+0x12d/0x150 [ 31.070198][ T379] ? alloc_file+0x81/0x4b0 [ 31.074583][ T379] ? memcpy+0x38/0x50 [ 31.078544][ T379] ? sock_poll+0x2f0/0x2f0 [ 31.083107][ T379] do_vfs_ioctl+0x746/0x16f0 [ 31.087670][ T379] ? selinux_file_ioctl+0x6e4/0x920 [ 31.092836][ T379] ? ioctl_preallocate+0x240/0x240 [ 31.097935][ T379] ? alloc_empty_file_noaccount+0x70/0x70 [ 31.103633][ T379] ? find_next_zero_bit+0xfb/0x120 [ 31.108710][ T379] ? __fget+0x37c/0x3c0 [ 31.112842][ T379] ? fget_many+0x20/0x20 [ 31.117061][ T379] ? __fpregs_load_activate+0x2d3/0x390 [ 31.122581][ T379] ? security_file_ioctl+0xad/0xc0 [ 31.127658][ T379] __x64_sys_ioctl+0xd4/0x110 [ 31.132303][ T379] do_syscall_64+0xcb/0x150 [ 31.136772][ T379] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 31.142646][ T379] RIP: 0033:0x4479b9 [ 31.146517][ T379] Code: e8 ec e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 04 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 31.166117][ T379] RSP: 002b:00007fd30e85fda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 31.174510][ T379] RAX: ffffffffffffffda RBX: 00000000006dcc78 RCX: 00000000004479b9 [ 31.182455][ T379] RDX: 00000000200008c0 RSI: 0000000000008914 RDI: 0000000000000006 [ 31.190400][ T379] RBP: 00000000006dcc70 R08: 0000000000000000 R09: 0000000000000000 [ 31.198338][ T379] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc7c [ 31.206290][ T379] R13: 0000000000000000 R14: 000000306e616c77 R15: 0000000000000006 [ 31.214304][ T379] [ 31.216615][ T379] Allocated by task 354: [ 31.220852][ T379] __kasan_kmalloc+0x117/0x1b0 [ 31.225584][ T379] __kmalloc_track_caller+0x201/0x2b0 [ 31.230944][ T379] kmemdup+0x21/0x50 [ 31.234805][ T379] ieee80211_ibss_join+0x6ff/0xcf0 [ 
31.239885][ T379] rdev_join_ibss+0x1af/0x310 [ 31.244530][ T379] __cfg80211_join_ibss+0x4a0/0x730 [ 31.249702][ T379] nl80211_join_ibss+0x1420/0x19d0 [ 31.254781][ T379] genl_rcv_msg+0xe76/0x1330 [ 31.259338][ T379] netlink_rcv_skb+0x1f0/0x460 [ 31.264070][ T379] genl_rcv+0x24/0x40 [ 31.268036][ T379] netlink_unicast+0x87c/0xa20 [ 31.272781][ T379] netlink_sendmsg+0x9a7/0xd40 [ 31.277514][ T379] ____sys_sendmsg+0x56f/0x860 [ 31.282247][ T379] __sys_sendmsg+0x26a/0x350 [ 31.286820][ T379] do_syscall_64+0xcb/0x150 [ 31.291289][ T379] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 31.297163][ T379] [ 31.299461][ T379] Freed by task 361: [ 31.303346][ T379] __kasan_slab_free+0x168/0x220 [ 31.308250][ T379] slab_free_freelist_hook+0xd0/0x150 [ 31.313601][ T379] kfree+0x12b/0x5d0 [ 31.313608][ T379] ieee80211_ibss_leave+0x7d/0xe0 [ 31.313620][ T379] rdev_leave_ibss+0x194/0x2f0 [ 31.327224][ T379] __cfg80211_leave_ibss+0x6f/0x100 [ 31.332501][ T379] cfg80211_netdev_notifier_call+0x46b/0xee0 [ 31.338459][ T379] raw_notifier_call_chain+0x9e/0x100 [ 31.343834][ T379] __dev_close_many+0x154/0x320 [ 31.348669][ T379] __dev_change_flags+0x2db/0x6f0 [ 31.353686][ T379] dev_change_flags+0x85/0x190 [ 31.358455][ T379] dev_ifsioc+0x103/0xa60 [ 31.362883][ T379] dev_ioctl+0x460/0xb90 [ 31.367158][ T379] sock_do_ioctl+0x227/0x300 [ 31.371763][ T379] sock_ioctl+0x4cf/0x700 [ 31.376098][ T379] do_vfs_ioctl+0x746/0x16f0 [ 31.380686][ T379] __x64_sys_ioctl+0xd4/0x110 [ 31.385378][ T379] do_syscall_64+0xcb/0x150 [ 31.389866][ T379] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 31.395736][ T379] [ 31.398051][ T379] The buggy address belongs to the object at ffff8881ceaa9200 [ 31.398051][ T379] which belongs to the cache kmalloc-192 of size 192 [ 31.412087][ T379] The buggy address is located 0 bytes inside of [ 31.412087][ T379] 192-byte region [ffff8881ceaa9200, ffff8881ceaa92c0) [ 31.425181][ T379] The buggy address belongs to the page: [ 31.430797][ T379] page:ffffea00073aaa40 refcount:1 
mapcount:0 mapping:ffff8881da802a00 index:0x0 [ 31.440009][ T379] flags: 0x8000000000000200(slab) [ 31.446401][ T379] raw: 8000000000000200 0000000000000000 0000000100000001 ffff8881da802a00 [ 31.454967][ T379] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 31.463541][ T379] page dumped because: kasan: bad access detected [ 31.471331][ T379] [ 31.473670][ T379] Memory state around the buggy address: [ 31.479281][ T379] ffff8881ceaa9100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 31.487337][ T379] ffff8881ceaa9180: 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc [ 31.496778][ T379] >ffff8881ceaa9200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.504833][ T379] ^ executing program executing program executing program [ 31.508882][ T379] ffff8881ceaa9280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.517013][ T379] ffff8881ceaa9300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.526435][ T379] ================================================================== executing program executing program executing program [ 31.562881][ T7] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 31.571438][ T7] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 31.581090][ T395] ================================================================== [ 31.589242][ T395] BUG: KASAN: double-free or invalid-free in kfree+0x12b/0x5d0 [ 31.596779][ T395] [ 31.599190][ T395] CPU: 1 PID: 395 Comm: syz-executor478 Tainted: G B 5.4.69-syzkaller-00001-gab402fc4c187 #0 [ 31.610623][ T395] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.620652][ T395] Call Trace: [ 31.623920][ T395] dump_stack+0x1b0/0x21e [ 31.628225][ T395] ? show_regs_print_info+0x12/0x12 [ 31.633398][ T395] ? printk+0xc0/0x104 [ 31.637447][ T395] ? kfree+0x12b/0x5d0 [ 31.641495][ T395] ?
kfree+0x12b/0x5d0 [ 31.645536][ T395] print_address_description+0x96/0x5d0 [ 31.651106][ T395] ? devkmsg_release+0x11c/0x11c [ 31.656019][ T395] ? netif_tx_wake_queue+0x1ce/0x210 [ 31.661276][ T395] ? ieee80211_ibss_leave+0x26/0xe0 [ 31.666464][ T395] ? kfree+0x12b/0x5d0 [ 31.670506][ T395] ? kfree+0x12b/0x5d0 [ 31.674569][ T395] kasan_report_invalid_free+0x54/0xc0 [ 31.679999][ T395] __kasan_slab_free+0x102/0x220 [ 31.684908][ T395] ? hrtimer_cancel+0x26/0x60 [ 31.689561][ T395] ? mac80211_hwsim_config+0x692/0x770 [ 31.695013][ T395] ? __rcu_read_lock+0x50/0x50 [ 31.699750][ T395] ? drv_config+0x1a9/0x300 [ 31.704227][ T395] ? call_rcu+0x10/0x10 [ 31.708355][ T395] ? ieee80211_recalc_idle+0x204/0x2e0 [ 31.713786][ T395] slab_free_freelist_hook+0xd0/0x150 [ 31.719131][ T395] ? ieee80211_ibss_leave+0x7d/0xe0 [ 31.724404][ T395] kfree+0x12b/0x5d0 [ 31.728275][ T395] ieee80211_ibss_leave+0x7d/0xe0 [ 31.733273][ T395] rdev_leave_ibss+0x194/0x2f0 [ 31.738017][ T395] __cfg80211_leave_ibss+0x6f/0x100 [ 31.743205][ T395] cfg80211_netdev_notifier_call+0x46b/0xee0 [ 31.749180][ T395] raw_notifier_call_chain+0x9e/0x100 [ 31.754527][ T395] __dev_close_many+0x154/0x320 [ 31.759350][ T395] ? dev_close_many+0x530/0x530 [ 31.764174][ T395] ? ieee80211_set_multicast_list+0x158/0x1f0 [ 31.770216][ T395] __dev_change_flags+0x2db/0x6f0 [ 31.775229][ T395] ? dev_get_flags+0x1c0/0x1c0 [ 31.779996][ T395] ? __ww_mutex_lock_interruptible_slowpath+0x10/0x10 [ 31.787616][ T395] ? selinux_perf_event_write+0x100/0x100 [ 31.793309][ T395] dev_change_flags+0x85/0x190 [ 31.798067][ T395] dev_ifsioc+0x103/0xa60 [ 31.802378][ T395] ? mutex_lock+0x106/0x110 [ 31.806854][ T395] ? dev_ioctl+0xb90/0xb90 [ 31.811259][ T395] ? full_name_hash+0x97/0xe0 [ 31.815909][ T395] dev_ioctl+0x460/0xb90 [ 31.820227][ T395] sock_do_ioctl+0x227/0x300 [ 31.824808][ T395] ? sock_splice_read+0xf0/0xf0 [ 31.829636][ T395] ? __x64_sys_socket+0x76/0x80 [ 31.834475][ T395] ? __sys_socket+0x115/0x350 [ 31.839138][ T395] ? 
__x64_sys_socket+0x76/0x80 [ 31.843969][ T395] ? do_syscall_64+0xcb/0x150 [ 31.848738][ T395] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 31.854876][ T395] ? slab_free_freelist_hook+0xd0/0x150 [ 31.860408][ T395] ? __should_failslab+0x8b/0x150 [ 31.865440][ T395] sock_ioctl+0x4cf/0x700 [ 31.869744][ T395] ? sock_poll+0x2f0/0x2f0 [ 31.874134][ T395] ? __mutex_init+0x9d/0xf0 [ 31.878612][ T395] ? percpu_counter_add_batch+0x12d/0x150 [ 31.884619][ T395] ? alloc_file+0x81/0x4b0 [ 31.889007][ T395] ? memcpy+0x38/0x50 [ 31.893134][ T395] ? sock_poll+0x2f0/0x2f0 [ 31.898303][ T395] do_vfs_ioctl+0x746/0x16f0 [ 31.902888][ T395] ? selinux_file_ioctl+0x6e4/0x920 [ 31.909971][ T395] ? ioctl_preallocate+0x240/0x240 [ 31.915160][ T395] ? alloc_empty_file_noaccount+0x70/0x70 [ 31.922779][ T395] ? find_next_zero_bit+0xfb/0x120 [ 31.927861][ T395] ? __fget+0x37c/0x3c0 [ 31.932008][ T395] ? fget_many+0x20/0x20 [ 31.936228][ T395] ? __fpregs_load_activate+0x2d3/0x390 [ 31.941761][ T395] ? security_file_ioctl+0xad/0xc0 [ 31.946862][ T395] __x64_sys_ioctl+0xd4/0x110 [ 31.951529][ T395] do_syscall_64+0xcb/0x150 [ 31.956004][ T395] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 31.961886][ T395] RIP: 0033:0x4479b9 [ 31.965753][ T395] Code: e8 ec e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 04 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 31.985341][ T395] RSP: 002b:00007fd30e880da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 31.993737][ T395] RAX: ffffffffffffffda RBX: 00000000006dcc68 RCX: 00000000004479b9 [ 32.001697][ T395] RDX: 00000000200008c0 RSI: 0000000000008914 RDI: 0000000000000005 [ 32.009641][ T395] RBP: 00000000006dcc60 R08: 0000000000000000 R09: 0000000000000000 [ 32.017583][ T395] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc6c [ 32.025528][ T395] R13: 0000000000000000 R14: 000000306e616c77 R15: 0000000000000000 [ 32.033474][ T395] [ 32.035775][ T395] Allocated 
by task 354: [ 32.039990][ T395] __kasan_kmalloc+0x117/0x1b0 [ 32.044724][ T395] __kmalloc_track_caller+0x201/0x2b0 [ 32.050065][ T395] kmemdup+0x21/0x50 [ 32.053930][ T395] ieee80211_ibss_join+0x6ff/0xcf0 [ 32.059010][ T395] rdev_join_ibss+0x1af/0x310 [ 32.063660][ T395] __cfg80211_join_ibss+0x4a0/0x730 [ 32.068876][ T395] nl80211_join_ibss+0x1420/0x19d0 [ 32.073956][ T395] genl_rcv_msg+0xe76/0x1330 [ 32.078519][ T395] netlink_rcv_skb+0x1f0/0x460 [ 32.083270][ T395] genl_rcv+0x24/0x40 [ 32.087240][ T395] netlink_unicast+0x87c/0xa20 [ 32.091998][ T395] netlink_sendmsg+0x9a7/0xd40 [ 32.096733][ T395] ____sys_sendmsg+0x56f/0x860 [ 32.101469][ T395] __sys_sendmsg+0x26a/0x350 [ 32.106032][ T395] do_syscall_64+0xcb/0x150 [ 32.110506][ T395] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 32.116364][ T395] [ 32.118688][ T395] Freed by task 361: [ 32.122557][ T395] __kasan_slab_free+0x168/0x220 [ 32.127465][ T395] slab_free_freelist_hook+0xd0/0x150 [ 32.132807][ T395] kfree+0x12b/0x5d0 [ 32.136694][ T395] ieee80211_ibss_leave+0x7d/0xe0 [ 32.141690][ T395] rdev_leave_ibss+0x194/0x2f0 [ 32.146524][ T395] __cfg80211_leave_ibss+0x6f/0x100 [ 32.151810][ T395] cfg80211_netdev_notifier_call+0x46b/0xee0 [ 32.157769][ T395] raw_notifier_call_chain+0x9e/0x100 [ 32.163120][ T395] __dev_close_many+0x154/0x320 [ 32.167949][ T395] __dev_change_flags+0x2db/0x6f0 [ 32.172947][ T395] dev_change_flags+0x85/0x190 [ 32.177687][ T395] dev_ifsioc+0x103/0xa60 [ 32.182003][ T395] dev_ioctl+0x460/0xb90 [ 32.186228][ T395] sock_do_ioctl+0x227/0x300 [ 32.190791][ T395] sock_ioctl+0x4cf/0x700 [ 32.195095][ T395] do_vfs_ioctl+0x746/0x16f0 [ 32.199669][ T395] __x64_sys_ioctl+0xd4/0x110 [ 32.204317][ T395] do_syscall_64+0xcb/0x150 [ 32.208809][ T395] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 32.216579][ T395] [ 32.218882][ T395] The buggy address belongs to the object at ffff8881ceaa9200 [ 32.218882][ T395] which belongs to the cache kmalloc-192 of size 192 [ 32.232933][ T395] The buggy address is located 
0 bytes inside of [ 32.232933][ T395] 192-byte region [ffff8881ceaa9200, ffff8881ceaa92c0) [ 32.246006][ T395] The buggy address belongs to the page: [ 32.251646][ T395] page:ffffea00073aaa40 refcount:1 mapcount:0 mapping:ffff8881da802a00 index:0x0 [ 32.260723][ T395] flags: 0x8000000000000200(slab) [ 32.265739][ T395] raw: 8000000000000200 0000000000000000 0000000100000001 ffff8881da802a00 [ 32.274317][ T395] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 32.282869][ T395] page dumped because: kasan: bad access detected [ 32.289267][ T395] [ 32.291566][ T395] Memory state around the buggy address: [ 32.298561][ T395] ffff8881ceaa9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.306865][ T395] ffff8881ceaa9180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 32.314904][ T395] >ffff8881ceaa9200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.322938][ T395] ^ [ 32.326978][ T395] ffff8881ceaa9280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 32.335012][ T395] ffff8881ceaa9300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.343046][ T395] ================================================================== executing program executing program executing program executing program executing program [ 32.416469][ T7] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 32.424760][ T7] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 32.434298][ T410] ================================================================== [ 32.442404][ T410] BUG: KASAN: double-free or invalid-free in kfree+0x12b/0x5d0 [ 32.450008][ T410] [ 32.453282][ T410] CPU: 0 PID: 410 Comm: syz-executor478 Tainted: G B 5.4.69-syzkaller-00001-gab402fc4c187 #0 [ 32.464719][ T410] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.474752][ T410] Call Trace: [ 32.478022][ T410] dump_stack+0x1b0/0x21e [ 32.482341][ T410] ?
36.238895][ T456] do_syscall_64+0xcb/0x150 [ 36.243374][ T456] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 36.249236][ T456] [ 36.251542][ T456] Freed by task 361: [ 36.255414][ T456] __kasan_slab_free+0x168/0x220 [ 36.260325][ T456] slab_free_freelist_hook+0xd0/0x150 [ 36.265672][ T456] kfree+0x12b/0x5d0 [ 36.269570][ T456] ieee80211_ibss_leave+0x7d/0xe0 [ 36.274569][ T456] rdev_leave_ibss+0x194/0x2f0 [ 36.279306][ T456] __cfg80211_leave_ibss+0x6f/0x100 [ 36.284482][ T456] cfg80211_netdev_notifier_call+0x46b/0xee0 [ 36.290465][ T456] raw_notifier_call_chain+0x9e/0x100 [ 36.295835][ T456] __dev_close_many+0x154/0x320 [ 36.300662][ T456] __dev_change_flags+0x2db/0x6f0 [ 36.305662][ T456] dev_change_flags+0x85/0x190 [ 36.310431][ T456] dev_ifsioc+0x103/0xa60 [ 36.315092][ T456] dev_ioctl+0x460/0xb90 [ 36.319312][ T456] sock_do_ioctl+0x227/0x300 [ 36.325100][ T456] sock_ioctl+0x4cf/0x700 [ 36.329405][ T456] do_vfs_ioctl+0x746/0x16f0 [ 36.334062][ T456] __x64_sys_ioctl+0xd4/0x110 [ 36.338744][ T456] do_syscall_64+0xcb/0x150 [ 36.343224][ T456] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 36.349090][ T456] [ 36.351397][ T456] The buggy address belongs to the object at ffff8881ceaa9200 [ 36.351397][ T456] which belongs to the cache kmalloc-192 of size 192 [ 36.365514][ T456] The buggy address is located 0 bytes inside of [ 36.365514][ T456] 192-byte region [ffff8881ceaa9200, ffff8881ceaa92c0) [ 36.378779][ T456] The buggy address belongs to the page: [ 36.384423][ T456] page:ffffea00073aaa40 refcount:1 mapcount:0 mapping:ffff8881da802a00 index:0x0 [ 36.393503][ T456] flags: 0x8000000000000200(slab) [ 36.398540][ T456] raw: 8000000000000200 0000000000000000 0000000100000001 ffff8881da802a00 [ 36.407133][ T456] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 36.415718][ T456] page dumped because: kasan: bad access detected [ 36.422973][ T456] [ 36.425280][ T456] Memory state around the buggy address: [ 36.430919][ T456] ffff8881ceaa9100: fb fb fb fb 
fb fb fb fb fb fb fb fb fb fb fb fb [ 36.438988][ T456] ffff8881ceaa9180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 36.447042][ T456] >ffff8881ceaa9200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.455086][ T456] ^ executing program executing program executing program [ 36.459136][ T456] ffff8881ceaa9280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 36.467212][ T456] ffff8881ceaa9300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.475256][ T456] ================================================================== executing program executing program [ ***] A start job is running for dev-ttyS0.device (30s / 1min 30s)[ 36.513817][ T159] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 36.522757][ T159] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 36.532336][ T70] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready [ 36.541382][ T476] ================================================================== [ 36.549457][ T476] BUG: KASAN: double-free or invalid-free in kfree+0x12b/0x5d0 [ 36.557093][ T476] [ 36.559499][ T476] CPU: 0 PID: 476 Comm: syz-executor478 Tainted: G B 5.4.69-syzkaller-00001-gab402fc4c187 #0 [ 36.571091][ T476] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 36.581131][ T476] Call Trace: [ 36.584430][ T476] dump_stack+0x1b0/0x21e [ 36.588773][ T476] ? show_regs_print_info+0x12/0x12 [ 36.593949][ T476] ? memset+0x1f/0x40 [ 36.597907][ T476] ? printk+0xc0/0x104 [ 36.601996][ T476] ? kfree+0x12b/0x5d0 [ 36.606197][ T476] ? kfree+0x12b/0x5d0 [ 36.610447][ T476] print_address_description+0x96/0x5d0 [ 36.615973][ T476] ? devkmsg_release+0x11c/0x11c [ 36.621219][ T476] ? netif_tx_wake_queue+0x1ce/0x210 [ 36.626490][ T476] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 36.632764][ T476] ? kfree+0x12b/0x5d0 [ 36.636816][ T476] ? 
kfree+0x12b/0x5d0 [ 36.640955][ T476] kasan_report_invalid_free+0x54/0xc0 [ 36.646409][ T476] __kasan_slab_free+0x102/0x220 [ 36.651545][ T476] ? hrtimer_cancel+0x26/0x60 [ 36.656391][ T476] ? mac80211_hwsim_config+0x692/0x770 [ 36.661970][ T476] ? __rcu_read_lock+0x50/0x50 [ 36.666715][ T476] ? drv_config+0x1a9/0x300 [ 36.671257][ T476] ? call_rcu+0x10/0x10 [ 36.675684][ T476] ? ieee80211_recalc_idle+0x204/0x2e0 [ 36.681131][ T476] slab_free_freelist_hook+0xd0/0x150 [ 36.686573][ T476] ? ieee80211_ibss_leave+0x7d/0xe0 [ 36.691987][ T476] kfree+0x12b/0x5d0 [ 36.695877][ T476] ieee80211_ibss_leave+0x7d/0xe0 [ 36.701153][ T476] rdev_leave_ibss+0x194/0x2f0 [ 36.705997][ T476] __cfg80211_leave_ibss+0x6f/0x100 [ 36.711568][ T476] cfg80211_netdev_notifier_call+0x46b/0xee0 [ 36.717688][ T476] raw_notifier_call_chain+0x9e/0x100 [ 36.723044][ T476] __dev_close_many+0x154/0x320 [ 36.727880][ T476] ? dev_close_many+0x530/0x530 [ 36.733258][ T476] ? ieee80211_set_multicast_list+0x158/0x1f0 [ 36.739506][ T476] __dev_change_flags+0x2db/0x6f0 [ 36.744516][ T476] ? dev_get_flags+0x1c0/0x1c0 [ 36.749314][ T476] ? __ww_mutex_lock_interruptible_slowpath+0x10/0x10 [ 36.756145][ T476] dev_change_flags+0x85/0x190 [ 36.760893][ T476] dev_ifsioc+0x103/0xa60 [ 36.765810][ T476] ? mutex_lock+0x106/0x110 [ 36.771491][ T476] ? dev_ioctl+0xb90/0xb90 [ 36.775978][ T476] ? full_name_hash+0x97/0xe0 [ 36.780638][ T476] dev_ioctl+0x460/0xb90 [ 36.784870][ T476] sock_do_ioctl+0x227/0x300 [ 36.789734][ T476] ? sock_splice_read+0xf0/0xf0 [ 36.794571][ T476] ? __x64_sys_socket+0x76/0x80 [ 36.799406][ T476] ? __sys_socket+0x115/0x350 [ 36.804062][ T476] ? __x64_sys_socket+0x76/0x80 [ 36.809027][ T476] ? do_syscall_64+0xcb/0x150 [ 36.813859][ T476] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 36.820112][ T476] ? slab_free_freelist_hook+0xd0/0x150 [ 36.825801][ T476] ? __should_failslab+0x8b/0x150 [ 36.830825][ T476] sock_ioctl+0x4cf/0x700 [ 36.835138][ T476] ? sock_poll+0x2f0/0x2f0 [ 36.839763][ T476] ? 
__mutex_init+0x9d/0xf0 [ 36.844389][ T476] ? percpu_counter_add_batch+0x12d/0x150 [ 36.850479][ T476] ? alloc_file+0x81/0x4b0 [ 36.854885][ T476] ? memcpy+0x38/0x50 [ 36.858858][ T476] ? sock_poll+0x2f0/0x2f0 [ 36.863301][ T476] do_vfs_ioctl+0x746/0x16f0 [ 36.867881][ T476] ? selinux_file_ioctl+0x6e4/0x920 [ 36.873256][ T476] ? ioctl_preallocate+0x240/0x240 [ 36.878856][ T476] ? alloc_empty_file_noaccount+0x70/0x70 [ 36.884789][ T476] ? find_next_zero_bit+0xfb/0x120 [ 36.890139][ T476] ? __fget+0x37c/0x3c0 [ 36.894282][ T476] ? fget_many+0x20/0x20 [ 36.898775][ T476] ? __fpregs_load_activate+0x2d3/0x390 [ 36.904565][ T476] ? security_file_ioctl+0xad/0xc0 [ 36.909949][ T476] __x64_sys_ioctl+0xd4/0x110 [ 36.914742][ T476] do_syscall_64+0xcb/0x150 [ 36.919384][ T476] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 36.925355][ T476] RIP: 0033:0x4479b9 [ 36.929290][ T476] Code: e8 ec e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 04 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 36.949948][ T476] RSP: 002b:00007fd30e880da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 36.958601][ T476] RAX: ffffffffffffffda RBX: 00000000006dcc68 RCX: 00000000004479b9 [ 36.967029][ T476] RDX: 00000000200008c0 RSI: 0000000000008914 RDI: 0000000000000005 [ 36.975276][ T476] RBP: 00000000006dcc60 R08: 0000000000000000 R09: 0000000000000000 [ 36.983546][ T476] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc6c [ 36.991640][ T476] R13: 0000000000000000 R14: 000000306e616c77 R15: 0000000000000000 [ 36.999764][ T476] [ 37.002077][ T476] Allocated by task 354: [ 37.006438][ T476] __kasan_kmalloc+0x117/0x1b0 [ 37.011402][ T476] __kmalloc_track_caller+0x201/0x2b0 [ 37.017029][ T476] kmemdup+0x21/0x50 [ 37.021280][ T476] ieee80211_ibss_join+0x6ff/0xcf0 [ 37.026603][ T476] rdev_join_ibss+0x1af/0x310 [ 37.031632][ T476] __cfg80211_join_ibss+0x4a0/0x730 [ 37.036972][ T476] 
nl80211_join_ibss+0x1420/0x19d0 [ 37.042157][ T476] genl_rcv_msg+0xe76/0x1330 [ 37.047044][ T476] netlink_rcv_skb+0x1f0/0x460 [ 37.052667][ T476] genl_rcv+0x24/0x40 [ 37.056796][ T476] netlink_unicast+0x87c/0xa20 [ 37.061717][ T476] netlink_sendmsg+0x9a7/0xd40 [ 37.066465][ T476] ____sys_sendmsg+0x56f/0x860 [ 37.071214][ T476] __sys_sendmsg+0x26a/0x350 [ 37.076150][ T476] do_syscall_64+0xcb/0x150 [ 37.080979][ T476] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 37.088663][ T476] [ 37.091052][ T476] Freed by task 361: [ 37.094933][ T476] __kasan_slab_free+0x168/0x220 [ 37.100036][ T476] slab_free_freelist_hook+0xd0/0x150 [ 37.106089][ T476] kfree+0x12b/0x5d0 [ 37.110028][ T476] ieee80211_ibss_leave+0x7d/0xe0 [ 37.115097][ T476] rdev_leave_ibss+0x194/0x2f0 [ 37.120194][ T476] __cfg80211_leave_ibss+0x6f/0x100 [ 37.125376][ T476] cfg80211_netdev_notifier_call+0x46b/0xee0 [ 37.131373][ T476] raw_notifier_call_chain+0x9e/0x100 [ 37.136761][ T476] __dev_close_many+0x154/0x320 [ 37.141841][ T476] __dev_change_flags+0x2db/0x6f0 [ 37.147569][ T476] dev_change_flags+0x85/0x190 [ 37.152429][ T476] dev_ifsioc+0x103/0xa60 [ 37.156859][ T476] dev_ioctl+0x460/0xb90 [ 37.161183][ T476] sock_do_ioctl+0x227/0x300 [ 37.165883][ T476] sock_ioctl+0x4cf/0x700 [ 37.170599][ T476] do_vfs_ioctl+0x746/0x16f0 [ 37.175484][ T476] __x64_sys_ioctl+0xd4/0x110 [ 37.180526][ T476] do_syscall_64+0xcb/0x150 [ 37.185015][ T476] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 37.191020][ T476] [ 37.193608][ T476] The buggy address belongs to the object at ffff8881ceaa9200 [ 37.193608][ T476] which belongs to the cache kmalloc-192 of size 192 [ 37.208006][ T476] The buggy address is located 0 bytes inside of [ 37.208006][ T476] 192-byte region [ffff8881ceaa9200, ffff8881ceaa92c0) [ 37.221500][ T476] The buggy address belongs to the page: [ 37.227404][ T476] page:ffffea00073aaa40 refcount:1 mapcount:0 mapping:ffff8881da802a00 index:0x0 [ 37.236799][ T476] flags: 0x8000000000000200(slab) [ 37.242315][ T476] raw: 
8000000000000200 0000000000000000 0000000100000001 ffff8881da802a00 [ 37.251219][ T476] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 37.261325][ T476] page dumped because: kasan: bad access detected [ 37.267968][ T476] [ 37.270445][ T476] Memory state around the buggy address: [ 37.276393][ T476] ffff8881ceaa9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 37.284521][ T476] ffff8881ceaa9180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 37.292818][ T476] >ffff8881ceaa9200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 37.301137][ T476] ^ [ 37.305325][ T476] ffff8881ceaa9280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc executing program executing program executing program [ 37.313545][ T476] ffff8881ceaa9300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 37.321587][ T476] ================================================================== executing program executing program executing program [ *** ] A start job is running for dev-ttyS0.device (31s / 1min 30s)[ 37.373494][ T159] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 37.381935][ T159] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 37.390078][ T481] ================================================================== [ 37.398882][ T481] BUG: KASAN: double-free or invalid-free in kfree+0x12b/0x5d0 [ 37.406723][ T481] [ 37.409048][ T481] CPU: 0 PID: 481 Comm: syz-executor478 Tainted: G B 5.4.69-syzkaller-00001-gab402fc4c187 #0 [ 37.421963][ T481] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 37.432324][ T481] Call Trace: [ 37.435630][ T481] dump_stack+0x1b0/0x21e [ 37.440178][ T481] ? show_regs_print_info+0x12/0x12 [ 37.445656][ T481] ? printk+0xc0/0x104 [ 37.449709][ T481] ? kfree+0x12b/0x5d0 [ 37.453758][ T481] ? kfree+0x12b/0x5d0 [ 37.457937][ T481] print_address_description+0x96/0x5d0 [ 37.463463][ T481] ? devkmsg_release+0x11c/0x11c [ 37.468455][ T481] ? 
netif_tx_wake_queue+0x1ce/0x210 [ 37.473864][ T481] ? ieee80211_ibss_leave+0x26/0xe0 [ 37.479283][ T481] ? kfree+0x12b/0x5d0 [ 37.483335][ T481] ? kfree+0x12b/0x5d0 [ 37.487814][ T481] kasan_report_invalid_free+0x54/0xc0 [ 37.494047][ T481] __kasan_slab_free+0x102/0x220 [ 37.499253][ T481] ? hrtimer_cancel+0x26/0x60 [ 37.504396][ T481] ? mac80211_hwsim_config+0x692/0x770 [ 37.510071][ T481] ? __rcu_read_lock+0x50/0x50 [ 37.515285][ T481] ? drv_config+0x1a9/0x300 [ 37.519812][ T481] ? call_rcu+0x10/0x10 [ 37.523972][ T481] ? ieee80211_recalc_idle+0x204/0x2e0 [ 37.530022][ T481] slab_free_freelist_hook+0xd0/0x150 [ 37.535711][ T481] ? ieee80211_ibss_leave+0x7d/0xe0 [ 37.540996][ T481] kfree+0x12b/0x5d0 [ 37.545076][ T481] ieee80211_ibss_leave+0x7d/0xe0 [ 37.550502][ T481] rdev_leave_ibss+0x194/0x2f0 [ 37.556838][ T481] __cfg80211_leave_ibss+0x6f/0x100 [ 37.562037][ T481] cfg80211_netdev_notifier_call+0x46b/0xee0 [ 37.568095][ T481] raw_notifier_call_chain+0x9e/0x100 [ 37.573514][ T481] __dev_close_many+0x154/0x320 [ 37.578371][ T481] ? dev_close_many+0x530/0x530 [ 37.583256][ T481] ? ieee80211_set_multicast_list+0x158/0x1f0 [ 37.589498][ T481] __dev_change_flags+0x2db/0x6f0 [ 37.594681][ T481] ? dev_get_flags+0x1c0/0x1c0 [ 37.599704][ T481] ? cred_has_capability+0x2b2/0x3f0 [ 37.605088][ T481] ? selinux_perf_event_write+0x100/0x100 [ 37.612047][ T481] dev_change_flags+0x85/0x190 [ 37.617004][ T481] dev_ifsioc+0x103/0xa60 [ 37.622060][ T481] ? mutex_lock+0xa6/0x110 [ 37.626549][ T481] ? dev_ioctl+0xb90/0xb90 [ 37.631065][ T481] ? full_name_hash+0x97/0xe0 [ 37.635725][ T481] dev_ioctl+0x460/0xb90 [ 37.640217][ T481] sock_do_ioctl+0x227/0x300 [ 37.644899][ T481] ? sock_splice_read+0xf0/0xf0 [ 37.649729][ T481] ? __x64_sys_socket+0x76/0x80 [ 37.654674][ T481] ? __sys_socket+0x115/0x350 [ 37.659420][ T481] ? __x64_sys_socket+0x76/0x80 [ 37.664260][ T481] ? do_syscall_64+0xcb/0x150 [ 37.669100][ T481] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 37.675236][ T481] ? 
slab_free_freelist_hook+0xd0/0x150 [ 37.681179][ T481] ? __should_failslab+0x8b/0x150 [ 37.686191][ T481] sock_ioctl+0x4cf/0x700 [ 37.690606][ T481] ? sock_poll+0x2f0/0x2f0 [ 37.695019][ T481] ? __mutex_init+0x9d/0xf0 [ 37.699807][ T481] ? percpu_counter_add_batch+0x12d/0x150 [ 37.705602][ T481] ? alloc_file+0x81/0x4b0 [ 37.710000][ T481] ? memcpy+0x38/0x50 [ 37.714041][ T481] ? sock_poll+0x2f0/0x2f0 [ 37.718447][ T481] do_vfs_ioctl+0x746/0x16f0 [ 37.723030][ T481] ? selinux_file_ioctl+0x6e4/0x920 [ 37.728208][ T481] ? ioctl_preallocate+0x240/0x240 [ 37.733685][ T481] ? alloc_empty_file_noaccount+0x70/0x70 [ 37.739486][ T481] ? find_next_zero_bit+0xfb/0x120 [ 37.744771][ T481] ? __fget+0x37c/0x3c0 [ 37.749061][ T481] ? fget_many+0x20/0x20 [ 37.753718][ T481] ? __fpregs_load_activate+0x2d3/0x390 [ 37.759405][ T481] ? security_file_ioctl+0xad/0xc0 [ 37.764603][ T481] __x64_sys_ioctl+0xd4/0x110 [ 37.769775][ T481] do_syscall_64+0xcb/0x150 [ 37.774265][ T481] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 37.780496][ T481] RIP: 0033:0x4479b9 [ 37.784559][ T481] Code: e8 ec e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 04 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 37.804292][ T481] RSP: 002b:00007fd30e880da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 37.812686][ T481] RAX: ffffffffffffffda RBX: 00000000006dcc68 RCX: 00000000004479b9 [ 37.820792][ T481] RDX: 00000000200008c0 RSI: 0000000000008914 RDI: 0000000000000005 [ 37.828932][ T481] RBP: 00000000006dcc60 R08: 0000000000000000 R09: 0000000000000000 [ 37.836886][ T481] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc6c [ 37.844889][ T481] R13: 0000000000000000 R14: 000000306e616c77 R15: 0000000000000000 [ 37.852962][ T481] [ 37.855283][ T481] Allocated by task 354: [ 37.859624][ T481] __kasan_kmalloc+0x117/0x1b0 [ 37.864426][ T481] __kmalloc_track_caller+0x201/0x2b0 [ 37.869774][ T481] kmemdup+0x21/0x50 [ 
37.873650][ T481] ieee80211_ibss_join+0x6ff/0xcf0 [ 37.878925][ T481] rdev_join_ibss+0x1af/0x310 [ 37.883596][ T481] __cfg80211_join_ibss+0x4a0/0x730 [ 37.889102][ T481] nl80211_join_ibss+0x1420/0x19d0 [ 37.894472][ T481] genl_rcv_msg+0xe76/0x1330 [ 37.899195][ T481] netlink_rcv_skb+0x1f0/0x460 [ 37.904049][ T481] genl_rcv+0x24/0x40 [ 37.908201][ T481] netlink_unicast+0x87c/0xa20 [ 37.913200][ T481] netlink_sendmsg+0x9a7/0xd40 [ 37.918125][ T481] ____sys_sendmsg+0x56f/0x860 [ 37.923015][ T481] __sys_sendmsg+0x26a/0x350 [ 37.927591][ T481] do_syscall_64+0xcb/0x150 [ 37.932089][ T481] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 37.938222][ T481] [ 37.940532][ T481] Freed by task 361: [ 37.944414][ T481] __kasan_slab_free+0x168/0x220 [ 37.949478][ T481] slab_free_freelist_hook+0xd0/0x150 [ 37.954845][ T481] kfree+0x12b/0x5d0 [ 37.959033][ T481] ieee80211_ibss_leave+0x7d/0xe0 [ 37.964290][ T481] rdev_leave_ibss+0x194/0x2f0 [ 37.969145][ T481] __cfg80211_leave_ibss+0x6f/0x100 [ 37.974515][ T481] cfg80211_netdev_notifier_call+0x46b/0xee0 [ 37.980900][ T481] raw_notifier_call_chain+0x9e/0x100 [ 37.986581][ T481] __dev_close_many+0x154/0x320 [ 37.991418][ T481] __dev_change_flags+0x2db/0x6f0 [ 37.996779][ T481] dev_change_flags+0x85/0x190 [ 38.002025][ T481] dev_ifsioc+0x103/0xa60 [ 38.006443][ T481] dev_ioctl+0x460/0xb90 [ 38.010802][ T481] sock_do_ioctl+0x227/0x300 [ 38.015440][ T481] sock_ioctl+0x4cf/0x700 [ 38.019864][ T481] do_vfs_ioctl+0x746/0x16f0 [ 38.024432][ T481] __x64_sys_ioctl+0xd4/0x110 [ 38.029089][ T481] do_syscall_64+0xcb/0x150 [ 38.033722][ T481] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 38.039660][ T481] [ 38.041972][ T481] The buggy address belongs to the object at ffff8881ceaa9200 [ 38.041972][ T481] which belongs to the cache kmalloc-192 of size 192 [ 38.056732][ T481] The buggy address is located 0 bytes inside of [ 38.056732][ T481] 192-byte region [ffff8881ceaa9200, ffff8881ceaa92c0) [ 38.070112][ T481] The buggy address belongs to the page: [ 
38.075959][ T481] page:ffffea00073aaa40 refcount:1 mapcount:0 mapping:ffff8881da802a00 index:0x0 [ 38.085410][ T481] flags: 0x8000000000000200(slab) [ 38.090551][ T481] raw: 8000000000000200 0000000000000000 0000000100000001 ffff8881da802a00 [ 38.099204][ T481] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 38.107764][ T481] page dumped because: kasan: bad access detected [ 38.114240][ T481] [ 38.116549][ T481] Memory state around the buggy address: [ 38.122164][ T481] ffff8881ceaa9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.130365][ T481] ffff8881ceaa9180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 38.138468][ T481] >ffff8881ceaa9200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.146645][ T481] ^ [ 38.150722][ T481] ffff8881ceaa9280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 38.158810][ T481] ffff8881ceaa9300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.167883][ T481] ================================================================== executing program executing program [ *** ] A start job is running for dev-ttyS0.device (32s / 1min 30s)[ 38.211411][ T159] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 38.219948][ T159] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 38.228668][ T487] ================================================================== [ 38.236949][ T487] BUG: KASAN: double-free or invalid-free in kfree+0x12b/0x5d0 [ 38.244471][ T487] [ 38.246798][ T487] CPU: 0 PID: 487 Comm: syz-executor478 Tainted: G B 5.4.69-syzkaller-00001-gab402fc4c187 #0 [ 38.258374][ T487] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 38.268553][ T487] Call Trace: [ 38.272005][ T487] dump_stack+0x1b0/0x21e [ 38.276365][ T487] ? show_regs_print_info+0x12/0x12 [ 38.281555][ T487] ? printk+0xc0/0x104 [ 38.285851][ T487] ? kfree+0x12b/0x5d0 [ 38.289910][ T487] ? 
kfree+0x12b/0x5d0 [ 38.294261][ T487] print_address_description+0x96/0x5d0 [ 38.299952][ T487] ? devkmsg_release+0x11c/0x11c [ 38.304971][ T487] ? netif_tx_wake_queue+0x1ce/0x210 [ 38.310242][ T487] ? ieee80211_ibss_leave+0x26/0xe0 [ 38.315427][ T487] ? kfree+0x12b/0x5d0 [ 38.319655][ T487] ? kfree+0x12b/0x5d0 [ 38.323773][ T487] kasan_report_invalid_free+0x54/0xc0 [ 38.329611][ T487] __kasan_slab_free+0x102/0x220 [ 38.334764][ T487] ? hrtimer_cancel+0x26/0x60 [ 38.339697][ T487] ? mac80211_hwsim_config+0x692/0x770 [ 38.345392][ T487] ? __rcu_read_lock+0x50/0x50 [ 38.350266][ T487] ? drv_config+0x1a9/0x300 [ 38.355409][ T487] ? call_rcu+0x10/0x10 [ 38.359716][ T487] ? ieee80211_recalc_idle+0x204/0x2e0 [ 38.365292][ T487] slab_free_freelist_hook+0xd0/0x150 [ 38.370919][ T487] ? ieee80211_ibss_leave+0x7d/0xe0 [ 38.376476][ T487] kfree+0x12b/0x5d0 [ 38.380537][ T487] ieee80211_ibss_leave+0x7d/0xe0 [ 38.385645][ T487] rdev_leave_ibss+0x194/0x2f0 [ 38.390397][ T487] __cfg80211_leave_ibss+0x6f/0x100 [ 38.395815][ T487] cfg80211_netdev_notifier_call+0x46b/0xee0 [ 38.401815][ T487] raw_notifier_call_chain+0x9e/0x100 [ 38.407249][ T487] __dev_close_many+0x154/0x320 [ 38.412255][ T487] ? dev_close_many+0x530/0x530 [ 38.417090][ T487] ? ieee80211_set_multicast_list+0x158/0x1f0 [ 38.423399][ T487] __dev_change_flags+0x2db/0x6f0 [ 38.428441][ T487] ? dev_get_flags+0x1c0/0x1c0 [ 38.433193][ T487] ? __ww_mutex_lock_interruptible_slowpath+0x10/0x10 [ 38.440208][ T487] dev_change_flags+0x85/0x190 [ 38.445126][ T487] dev_ifsioc+0x103/0xa60 [ 38.450029][ T487] ? mutex_lock+0x106/0x110 [ 38.455038][ T487] ? dev_ioctl+0xb90/0xb90 [ 38.459501][ T487] ? full_name_hash+0x97/0xe0 [ 38.464286][ T487] dev_ioctl+0x460/0xb90 [ 38.468745][ T487] sock_do_ioctl+0x227/0x300 [ 38.473486][ T487] ? sock_splice_read+0xf0/0xf0 [ 38.478669][ T487] ? __x64_sys_socket+0x76/0x80 [ 38.483569][ T487] ? __sys_socket+0x115/0x350 [ 38.488395][ T487] ? __x64_sys_socket+0x76/0x80 [ 38.493229][ T487] ? 
do_syscall_64+0xcb/0x150 [ 38.497895][ T487] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 38.504191][ T487] ? __should_failslab+0x8b/0x150 [ 38.509399][ T487] sock_ioctl+0x4cf/0x700 [ 38.513878][ T487] ? sock_poll+0x2f0/0x2f0 [ 38.519281][ T487] ? __mutex_init+0x9d/0xf0 [ 38.523782][ T487] ? percpu_counter_add_batch+0x12d/0x150 [ 38.529637][ T487] ? alloc_file+0x81/0x4b0 [ 38.534032][ T487] ? memcpy+0x38/0x50 [ 38.538208][ T487] ? sock_poll+0x2f0/0x2f0 [ 38.542748][ T487] do_vfs_ioctl+0x746/0x16f0 [ 38.547324][ T487] ? selinux_file_ioctl+0x6e4/0x920 [ 38.552641][ T487] ? ioctl_preallocate+0x240/0x240 [ 38.557735][ T487] ? alloc_empty_file_noaccount+0x70/0x70 [ 38.563527][ T487] ? find_next_zero_bit+0xfb/0x120 [ 38.568665][ T487] ? __fget+0x37c/0x3c0 [ 38.573810][ T487] ? fget_many+0x20/0x20 [ 38.578200][ T487] ? __fpregs_load_activate+0x2d3/0x390 [ 38.583728][ T487] ? security_file_ioctl+0xad/0xc0 [ 38.588962][ T487] __x64_sys_ioctl+0xd4/0x110 [ 38.594383][ T487] do_syscall_64+0xcb/0x150 [ 38.599008][ T487] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 38.605168][ T487] RIP: 0033:0x4479b9 [ 38.609189][ T487] Code: e8 ec e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 04 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 38.629253][ T487] RSP: 002b:00007fd30e880da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 38.637951][ T487] RAX: ffffffffffffffda RBX: 00000000006dcc68 RCX: 00000000004479b9 [ 38.646280][ T487] RDX: 00000000200008c0 RSI: 0000000000008914 RDI: 0000000000000006 [ 38.654327][ T487] RBP: 00000000006dcc60 R08: 0000000000000000 R09: 0000000000000000 [ 38.662437][ T487] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc6c [ 38.670759][ T487] R13: 0000000000000000 R14: 000000306e616c77 R15: 0000000000000000 [ 38.679248][ T487] [ 38.681781][ T487] Allocated by task 354: [ 38.686783][ T487] __kasan_kmalloc+0x117/0x1b0 [ 38.691553][ T487] 
__kmalloc_track_caller+0x201/0x2b0 [ 38.697053][ T487] kmemdup+0x21/0x50 [ 38.701154][ T487] ieee80211_ibss_join+0x6ff/0xcf0 [ 38.706578][ T487] rdev_join_ibss+0x1af/0x310 [ 38.711322][ T487] __cfg80211_join_ibss+0x4a0/0x730 [ 38.716501][ T487] nl80211_join_ibss+0x1420/0x19d0 [ 38.721590][ T487] genl_rcv_msg+0xe76/0x1330 [ 38.726160][ T487] netlink_rcv_skb+0x1f0/0x460 [ 38.730909][ T487] genl_rcv+0x24/0x40 [ 38.734867][ T487] netlink_unicast+0x87c/0xa20 [ 38.739770][ T487] netlink_sendmsg+0x9a7/0xd40 [ 38.744639][ T487] ____sys_sendmsg+0x56f/0x860 [ 38.749573][ T487] __sys_sendmsg+0x26a/0x350 [ 38.754833][ T487] do_syscall_64+0xcb/0x150 [ 38.759568][ T487] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 38.765595][ T487] [ 38.767973][ T487] Freed by task 361: [ 38.771903][ T487] __kasan_slab_free+0x168/0x220 [ 38.777105][ T487] slab_free_freelist_hook+0xd0/0x150 [ 38.782776][ T487] kfree+0x12b/0x5d0 [ 38.786865][ T487] ieee80211_ibss_leave+0x7d/0xe0 [ 38.792133][ T487] rdev_leave_ibss+0x194/0x2f0 [ 38.796886][ T487] __cfg80211_leave_ibss+0x6f/0x100 [ 38.802083][ T487] cfg80211_netdev_notifier_call+0x46b/0xee0 [ 38.808274][ T487] raw_notifier_call_chain+0x9e/0x100 [ 38.813640][ T487] __dev_close_many+0x154/0x320 [ 38.819812][ T487] __dev_change_flags+0x2db/0x6f0 [ 38.824824][ T487] dev_change_flags+0x85/0x190 [ 38.829680][ T487] dev_ifsioc+0x103/0xa60 [ 38.834472][ T487] dev_ioctl+0x460/0xb90 [ 38.838706][ T487] sock_do_ioctl+0x227/0x300 [ 38.843281][ T487] sock_ioctl+0x4cf/0x700 [ 38.847891][ T487] do_vfs_ioctl+0x746/0x16f0 [ 38.852586][ T487] __x64_sys_ioctl+0xd4/0x110 [ 38.857559][ T487] do_syscall_64+0xcb/0x150 [ 38.862212][ T487] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 38.868273][ T487] [ 38.870759][ T487] The buggy address belongs to the object at ffff8881ceaa9200 [ 38.870759][ T487] which belongs to the cache kmalloc-192 of size 192 [ 38.885210][ T487] The buggy address is located 0 bytes inside of [ 38.885210][ T487] 192-byte region [ffff8881ceaa9200, 
ffff8881ceaa92c0) [ 38.898958][ T487] The buggy address belongs to the page: [ 38.904818][ T487] page:ffffea00073aaa40 refcount:1 mapcount:0 mapping:ffff8881da802a00 index:0x0 [ 38.914173][ T487] flags: 0x8000000000000200(slab) [ 38.919279][ T487] raw: 8000000000000200 0000000000000000 0000000100000001 ffff8881da802a00 [ 38.927847][ T487] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 38.936410][ T487] page dumped because: kasan: bad access detected [ 38.942802][ T487] [ 38.945133][ T487] Memory state around the buggy address: [ 38.950843][ T487] ffff8881ceaa9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.958888][ T487] ffff8881ceaa9180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 38.967076][ T487] >ffff8881ceaa9200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.975300][ T487] ^ executing program executing program executing program executing program executing program [ 38.979414][ T487] ffff8881ceaa9280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 38.988284][ T487] ffff8881ceaa9300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.996659][ T487] ================================================================== [*** ] A start job is running for dev-ttyS0.device (33s / 1min 30s)[ 39.046102][ T84] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 39.054262][ T84] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 39.063750][ T511] ================================================================== [ 39.071832][ T511] BUG: KASAN: double-free or invalid-free in kfree+0x12b/0x5d0 [ 39.079516][ T511] [ 39.082013][ T511] CPU: 0 PID: 511 Comm: syz-executor478 Tainted: G B 5.4.69-syzkaller-00001-gab402fc4c187 #0 [ 39.094510][ T511] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 39.104855][ T511] Call Trace: [ 39.108135][ T511] dump_stack+0x1b0/0x21e [ 39.112569][ T511] ? finish_task_switch+0x2be/0x4c0 [ 39.117752][ T511] ? 
show_regs_print_info+0x12/0x12 [ 39.122935][ T511] ? printk+0xc0/0x104 [ 39.126987][ T511] ? kfree+0x12b/0x5d0 [ 39.131244][ T511] ? kfree+0x12b/0x5d0 [ 39.135301][ T511] print_address_description+0x96/0x5d0 [ 39.140833][ T511] ? devkmsg_release+0x11c/0x11c [ 39.145847][ T511] ? netif_tx_wake_queue+0x1ce/0x210 [ 39.151376][ T511] ? ieee80211_ibss_leave+0x26/0xe0 [ 39.156745][ T511] ? kfree+0x12b/0x5d0 [ 39.160799][ T511] ? kfree+0x12b/0x5d0 [ 39.164851][ T511] kasan_report_invalid_free+0x54/0xc0 [ 39.170444][ T511] __kasan_slab_free+0x102/0x220 [ 39.175533][ T511] ? hrtimer_cancel+0x26/0x60 [ 39.180205][ T511] ? mac80211_hwsim_config+0x692/0x770 [ 39.185654][ T511] ? __rcu_read_lock+0x50/0x50 [ 39.190567][ T511] ? drv_config+0x1a9/0x300 [ 39.195402][ T511] ? call_rcu+0x10/0x10 [ 39.199556][ T511] ? ieee80211_recalc_idle+0x204/0x2e0 [ 39.205007][ T511] slab_free_freelist_hook+0xd0/0x150 [ 39.210503][ T511] ? ieee80211_ibss_leave+0x7d/0xe0 [ 39.215698][ T511] kfree+0x12b/0x5d0 [ 39.219701][ T511] ieee80211_ibss_leave+0x7d/0xe0 [ 39.224716][ T511] rdev_leave_ibss+0x194/0x2f0 [ 39.229471][ T511] __cfg80211_leave_ibss+0x6f/0x100 [ 39.234757][ T511] cfg80211_netdev_notifier_call+0x46b/0xee0 [ 39.240727][ T511] raw_notifier_call_chain+0x9e/0x100 [ 39.246082][ T511] __dev_close_many+0x154/0x320 [ 39.250919][ T511] ? dev_close_many+0x530/0x530 [ 39.255976][ T511] ? ieee80211_set_multicast_list+0x158/0x1f0 [ 39.262114][ T511] __dev_change_flags+0x2db/0x6f0 [ 39.267124][ T511] ? dev_get_flags+0x1c0/0x1c0 [ 39.271875][ T511] ? __ww_mutex_lock_interruptible_slowpath+0x10/0x10 [ 39.278703][ T511] ? selinux_perf_event_write+0x100/0x100 [ 39.284550][ T511] dev_change_flags+0x85/0x190 [ 39.289472][ T511] dev_ifsioc+0x103/0xa60