Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.18' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 34.096497] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
executing program
[ 34.187836] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
executing program
executing program
[ 34.359907] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 34.366322] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 34.375042] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 34.382186] ==================================================================
[ 34.389706] BUG: KASAN: use-after-free in ieee80211_ibss_build_presp+0x109d/0x15c0
[ 34.397402] Read of size 135 at addr ffff8880b5365d00 by task kworker/u4:4/2963
[ 34.404918]
[ 34.406550] CPU: 1 PID: 2963 Comm: kworker/u4:4 Not tainted 4.19.155-syzkaller #0
[ 34.414153] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.423497] Workqueue: phy0 ieee80211_iface_work
[ 34.428249] Call Trace:
[ 34.430821]  dump_stack+0x1fc/0x2fe
[ 34.434437]  print_address_description.cold+0x54/0x219
[ 34.439701]  kasan_report_error.cold+0x8a/0x1c7
[ 34.444356]  ? ieee80211_ibss_build_presp+0x109d/0x15c0
[ 34.449709]  kasan_report+0x8f/0x96
[ 34.453341]  ? ieee80211_ibss_build_presp+0x109d/0x15c0
[ 34.458688]  memcpy+0x20/0x50
[ 34.461782]  ieee80211_ibss_build_presp+0x109d/0x15c0
[ 34.466962]  ? ieee80211_he_cap_ie_to_sta_he_cap+0x410/0x410
[ 34.472743]  ? wait_for_completion_io+0x10/0x10
[ 34.477398]  ? ieee80211_vif_use_channel+0x6e5/0xaa0
[ 34.482507]  __ieee80211_sta_join_ibss+0x677/0x1f30
[ 34.487525]  ? ieee80211_ibss_timer+0x60/0x60
[ 34.492022]  ? vprintk_func+0x81/0x17e
[ 34.495979]  ? printk+0xba/0xed
[ 34.499337]  ? log_store.cold+0x16/0x16
[ 34.503310]  ieee80211_sta_create_ibss.cold+0xcb/0x12b
[ 34.508579]  ? ieee80211_sta_active_ibss+0x350/0x350
[ 34.513675]  ieee80211_ibss_work.cold+0x53/0x687
[ 34.518421]  ? ieee80211_ibss_rx_queued_mgmt+0x18b0/0x18b0
[ 34.524029]  ? mark_held_locks+0xa6/0xf0
[ 34.528076]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 34.533164]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 34.537751]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 34.542868]  ieee80211_iface_work+0x7ba/0x8a0
[ 34.547353]  process_one_work+0x864/0x1570
[ 34.551578]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 34.556243]  worker_thread+0x64c/0x1130
[ 34.560205]  ? __kthread_parkme+0x133/0x1e0
[ 34.564517]  ? process_one_work+0x1570/0x1570
[ 34.569016]  kthread+0x33f/0x460
[ 34.572383]  ? kthread_park+0x180/0x180
[ 34.576365]  ret_from_fork+0x24/0x30
[ 34.580081]
[ 34.581709] Allocated by task 8128:
[ 34.585333]  __kmalloc_track_caller+0x155/0x3c0
[ 34.589982]  kmemdup+0x23/0x50
[ 34.593160]  ieee80211_ibss_join+0x7ee/0xe80
[ 34.597552]  __cfg80211_join_ibss+0x73a/0x11e0
[ 34.602118]  nl80211_join_ibss+0xd59/0x1300
[ 34.606420]  genl_family_rcv_msg+0x642/0xc40
[ 34.610810]  genl_rcv_msg+0xbf/0x160
[ 34.614503]  netlink_rcv_skb+0x160/0x440
[ 34.618566]  genl_rcv+0x24/0x40
[ 34.621857]  netlink_unicast+0x4d5/0x690
[ 34.625917]  netlink_sendmsg+0x6bb/0xc40
[ 34.629976]  sock_sendmsg+0xc3/0x120
[ 34.633681]  ___sys_sendmsg+0x7bb/0x8e0
[ 34.637653]  __x64_sys_sendmsg+0x132/0x220
[ 34.641920]  do_syscall_64+0xf9/0x620
[ 34.645705]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.650872]
[ 34.652482] Freed by task 8120:
[ 34.655765]  kfree+0xcc/0x210
[ 34.658860]  ieee80211_ibss_leave+0x83/0xd8
[ 34.663164]  __cfg80211_leave_ibss+0x191/0x7c0
[ 34.667748]  __cfg80211_leave+0x318/0x430
[ 34.671900]  cfg80211_netdev_notifier_call+0xcb0/0x1aa0
[ 34.677263]  notifier_call_chain+0xc0/0x230
[ 34.681575]  __dev_close_many+0xee/0x2e0
[ 34.685617]  __dev_change_flags+0x273/0x660
[ 34.689938]  dev_change_flags+0x7e/0x140
[ 34.693982]  dev_ifsioc+0x2ce/0x8c0
[ 34.697609]  dev_ioctl+0x1ab/0xc4c
[ 34.701135]  sock_do_ioctl+0x148/0x2d0
[ 34.705005]  sock_ioctl+0x2ef/0x5d0
[ 34.708617]  do_vfs_ioctl+0xcdb/0x12e0
[ 34.712483]  ksys_ioctl+0x9b/0xc0
[ 34.715918]  __x64_sys_ioctl+0x6f/0xb0
[ 34.719793]  do_syscall_64+0xf9/0x620
[ 34.723575]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.728740]
[ 34.730349] The buggy address belongs to the object at ffff8880b5365d00
[ 34.730349]  which belongs to the cache kmalloc-192 of size 192
[ 34.743002] The buggy address is located 0 bytes inside of
[ 34.743002]  192-byte region [ffff8880b5365d00, ffff8880b5365dc0)
[ 34.754706] The buggy address belongs to the page:
[ 34.759616] page:ffffea0002d4d940 count:1 mapcount:0 mapping:ffff88813bff0040 index:0xffff8880b5365000
[ 34.769040] flags: 0xfff00000000100(slab)
[ 34.773173] raw: 00fff00000000100 ffffea0002d4df88 ffffea0002d36fc8 ffff88813bff0040
[ 34.781055] raw: ffff8880b5365000 ffff8880b5365000 0000000100000009 0000000000000000
[ 34.788917] page dumped because: kasan: bad access detected
[ 34.794605]
[ 34.796211] Memory state around the buggy address:
[ 34.801123]  ffff8880b5365c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.808464]  ffff8880b5365c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 34.815932] >ffff8880b5365d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.823285]                    ^
[ 34.826635]  ffff8880b5365d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 34.834016]  ffff8880b5365e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.841355] ==================================================================
[ 34.848713] Disabling lock debugging due to kernel taint
[ 34.854576] Kernel panic - not syncing: panic_on_warn set ...
[ 34.854576]
[ 34.861949] CPU: 1 PID: 2963 Comm: kworker/u4:4 Tainted: G    B             4.19.155-syzkaller #0
[ 34.870955] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.880321] Workqueue: phy0 ieee80211_iface_work
[ 34.885072] Call Trace:
[ 34.887660]  dump_stack+0x1fc/0x2fe
[ 34.891284]  panic+0x26a/0x50e
[ 34.894463]  ? __warn_printk+0xf3/0xf3
[ 34.898334]  ? preempt_schedule_common+0x45/0xc0
[ 34.903080]  ? ___preempt_schedule+0x16/0x18
[ 34.907472]  ? trace_hardirqs_on+0x55/0x210
[ 34.911781]  kasan_end_report+0x43/0x49
[ 34.915754]  kasan_report_error.cold+0xa7/0x1c7
[ 34.920525]  ? ieee80211_ibss_build_presp+0x109d/0x15c0
[ 34.925879]  kasan_report+0x8f/0x96
[ 34.929559]  ? ieee80211_ibss_build_presp+0x109d/0x15c0
[ 34.934937]  memcpy+0x20/0x50
[ 34.938030]  ieee80211_ibss_build_presp+0x109d/0x15c0
[ 34.943233]  ? ieee80211_he_cap_ie_to_sta_he_cap+0x410/0x410
[ 34.949021]  ? wait_for_completion_io+0x10/0x10
[ 34.953683]  ? ieee80211_vif_use_channel+0x6e5/0xaa0
[ 34.958770]  __ieee80211_sta_join_ibss+0x677/0x1f30
[ 34.963786]  ? ieee80211_ibss_timer+0x60/0x60
[ 34.968275]  ? vprintk_func+0x81/0x17e
[ 34.972161]  ? printk+0xba/0xed
[ 34.975422]  ? log_store.cold+0x16/0x16
[ 34.979384]  ieee80211_sta_create_ibss.cold+0xcb/0x12b
[ 34.984652]  ? ieee80211_sta_active_ibss+0x350/0x350
[ 34.989751]  ieee80211_ibss_work.cold+0x53/0x687
[ 34.994493]  ? ieee80211_ibss_rx_queued_mgmt+0x18b0/0x18b0
[ 35.000110]  ? mark_held_locks+0xa6/0xf0
[ 35.004170]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 35.009275]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 35.013870]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 35.018979]  ieee80211_iface_work+0x7ba/0x8a0
[ 35.023567]  process_one_work+0x864/0x1570
[ 35.027787]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 35.032440]  worker_thread+0x64c/0x1130
[ 35.036410]  ? __kthread_parkme+0x133/0x1e0
[ 35.040728]  ? process_one_work+0x1570/0x1570
[ 35.045213]  kthread+0x33f/0x460
[ 35.049273]  ? kthread_park+0x180/0x180
[ 35.053313]  ret_from_fork+0x24/0x30
[ 35.057745] Kernel Offset: disabled
[ 35.061379] Rebooting in 86400 seconds..