audit: type=1804 audit(1665584098.963:9287): pid=4245 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.5" name="/root/syzkaller-testdir3401044116/syzkaller.Azig3h/365/bus" dev="sda1" ino=15385 res=1
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4251 at net/mac80211/rx.c:4592 ieee80211_rx_napi.cold+0x11/0x80 net/mac80211/rx.c:4592
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 4251 Comm: syz-executor.4 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 panic+0x26a/0x50e kernel/panic.c:186
 __warn.cold+0x20/0x5a kernel/panic.c:541
 report_bug+0x262/0x2b0 lib/bug.c:183
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 fixup_bug arch/x86/kernel/traps.c:173 [inline]
 do_error_trap+0x1d7/0x310 arch/x86/kernel/traps.c:296
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:1038
RIP: 0010:ieee80211_rx_napi.cold+0x11/0x80 net/mac80211/rx.c:4592
Code: ff e8 c4 15 4e f9 48 c7 c7 c0 c0 67 89 e8 23 47 df ff 0f 0b e9 02 0c 8c ff e8 ac 15 4e f9 48 c7 c7 c0 c0 67 89 e8 0b 47 df ff <0f> 0b e9 64 82 8c ff e8 94 15 4e f9 48 c7 c7 c0 c0 67 89 e8 f3 46
RSP: 0018:ffff8880ba107d00 EFLAGS: 00010282
RAX: 0000000000000024 RBX: ffff888062dcd7c8 RCX: 0000000000000000
RDX: 0000000000000100 RSI: ffffffff814dff01 RDI: ffffed1017420f92
RBP: 0000000000000000 R08: 0000000000000024 R09: 0000000000000000
R10: 0000000000000005 R11: 0000000000000000 R12: ffff888098494800
R13: ffff888062dcbe80 R14: ffff888062dcbe80 R15: ffff888098494800
 ieee80211_rx include/net/mac80211.h:4109 [inline]
 ieee80211_tasklet_handler+0x101/0x160 net/mac80211/main.c:229
 tasklet_action_common.constprop.0+0x265/0x360 kernel/softirq.c:522
 __do_softirq+0x265/0x980 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:372 [inline]
 irq_exit+0x215/0x260 kernel/softirq.c:412
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x136/0x550 arch/x86/kernel/apic/apic.c:1098
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
RIP: 0010:get_lock_parent_ip include/linux/ftrace.h:694 [inline]
RIP: 0010:preempt_latency_start kernel/sched/core.c:3216 [inline]
RIP: 0010:preempt_count_add+0xa2/0x190 kernel/sched/core.c:3241
Code: e2 0b 85 d2 75 11 65 8b 05 ab 70 c0 7e 0f b6 c0 3d f4 00 00 00 7f 64 65 8b 05 9a 70 c0 7e 25 ff ff ff 7f 39 c5 74 03 5b 5d c3 <48> 8b 5c 24 10 48 89 df e8 41 15 0a 00 85 c0 75 35 65 48 8b 2c 25
RSP: 0018:ffff888069216e70 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000001 RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81b09071 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000005 R11: 000000002fa6afbd R12: ffff88806bd97d20
R13: 0000000000000000 R14: 0000000000001000 R15: 0000000000700840
 alloc_buffer_head+0x85/0x130 fs/buffer.c:3375
 alloc_page_buffers+0x169/0x5c0 fs/buffer.c:830
 create_empty_buffers+0x2c/0x760 fs/buffer.c:1528
 create_page_buffers+0x212/0x350 fs/buffer.c:1645
 __block_write_begin_int+0x22b/0x17b0 fs/buffer.c:1957
 ext4_da_write_begin+0x4e1/0x10e0 fs/ext4/inode.c:3109
 generic_perform_write+0x1f8/0x4d0 mm/filemap.c:3170
 __generic_file_write_iter+0x24b/0x610 mm/filemap.c:3295
 ext4_file_write_iter+0x2fe/0xf20 fs/ext4/file.c:272
 call_write_iter include/linux/fs.h:1821 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x51b/0x770 fs/read_write.c:487
 __kernel_write+0x109/0x370 fs/read_write.c:506
 dump_emit+0x183/0x300 fs/coredump.c:801
 elf_core_dump+0x33c0/0x4c10 fs/binfmt_elf.c:2392
 do_coredump+0x1d4e/0x2d60 fs/coredump.c:765
 get_signal+0xed9/0x1f70 kernel/signal.c:2583
 do_signal+0x8f/0x1670 arch/x86/kernel/signal.c:799
 exit_to_usermode_loop+0x204/0x2a0 arch/x86/entry/common.c:163
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fc8925cf5a9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc890f00168 EFLAGS: 00000246 ORIG_RAX: 000000000000011d
RAX: ffffffffffffffe5 RBX: 00007fc8926f0120 RCX: 00007fc8925cf5a9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000007
RBP: 00007fc89262a580 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000010000101 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcc4e5d67f R14: 00007fc890f00300 R15: 0000000000022000
Kernel Offset: disabled
Rebooting in 86400 seconds..
----------------
Code disassembly (best guess):
   0:	e2 0b                	loop   0xd
   2:	85 d2                	test   %edx,%edx
   4:	75 11                	jne    0x17
   6:	65 8b 05 ab 70 c0 7e 	mov    %gs:0x7ec070ab(%rip),%eax        # 0x7ec070b8
   d:	0f b6 c0             	movzbl %al,%eax
  10:	3d f4 00 00 00       	cmp    $0xf4,%eax
  15:	7f 64                	jg     0x7b
  17:	65 8b 05 9a 70 c0 7e 	mov    %gs:0x7ec0709a(%rip),%eax        # 0x7ec070b8
  1e:	25 ff ff ff 7f       	and    $0x7fffffff,%eax
  23:	39 c5                	cmp    %eax,%ebp
  25:	74 03                	je     0x2a
  27:	5b                   	pop    %rbx
  28:	5d                   	pop    %rbp
  29:	c3                   	retq
* 2a:	48 8b 5c 24 10       	mov    0x10(%rsp),%rbx <-- trapping instruction
  2f:	48 89 df             	mov    %rbx,%rdi
  32:	e8 41 15 0a 00       	callq  0xa1578
  37:	85 c0                	test   %eax,%eax
  39:	75 35                	jne    0x70
  3b:	65                   	gs
  3c:	48                   	rex.W
  3d:	8b                   	.byte 0x8b
  3e:	2c 25                	sub    $0x25,%al