=====================================================
BUG: KMSAN: uninit-value in lock_sock_nested+0x280/0x2c0 net/core/sock.c:3050
CPU: 0 PID: 8451 Comm: kworker/0:4 Not tainted 5.11.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:120
 kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197
 lock_sock_nested+0x280/0x2c0 net/core/sock.c:3050
 l2cap_sock_teardown_cb+0xb9/0x890 net/bluetooth/l2cap_sock.c:1520
 l2cap_chan_del+0x3e3/0x1d50 net/bluetooth/l2cap_core.c:618
 l2cap_chan_close+0xeea/0x1050 net/bluetooth/l2cap_core.c:823
 l2cap_chan_timeout+0x1da/0x590 net/bluetooth/l2cap_core.c:436
 process_one_work+0x1219/0x1fe0 kernel/workqueue.c:2275
 worker_thread+0x10ec/0x2340 kernel/workqueue.c:2421
 kthread+0x521/0x560 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]
 kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104
 kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76
 slab_alloc_node mm/slub.c:2907 [inline]
 __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527
 __kmalloc_reserve net/core/skbuff.c:142 [inline]
 __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210
 __netdev_alloc_skb+0x450/0x7f0 net/core/skbuff.c:446
 __netdev_alloc_skb_ip_align include/linux/skbuff.h:2852 [inline]
 netdev_alloc_skb_ip_align include/linux/skbuff.h:2862 [inline]
 batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:558 [inline]
 batadv_iv_ogm_queue_add+0x1376/0x1c40 net/batman-adv/bat_iv_ogm.c:670
 batadv_iv_ogm_schedule_buff net/batman-adv/bat_iv_ogm.c:849 [inline]
 batadv_iv_ogm_schedule+0x128d/0x1670 net/batman-adv/bat_iv_ogm.c:869
 batadv_iv_send_outstanding_bat_ogm_packet+0xd6e/0xef0 net/batman-adv/bat_iv_ogm.c:1723
 process_one_work+0x1219/0x1fe0 kernel/workqueue.c:2275
 worker_thread+0x10ec/0x2340 kernel/workqueue.c:2421
 kthread+0x521/0x560 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
=====================================================

=====================================================
BUG: KMSAN: uninit-value in l2cap_sock_teardown_cb+0x840/0x890 net/bluetooth/l2cap_sock.c:1541
CPU: 0 PID: 8451 Comm: kworker/0:4 Tainted: G B 5.11.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:120
 kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197
 l2cap_sock_teardown_cb+0x840/0x890 net/bluetooth/l2cap_sock.c:1541
 l2cap_chan_del+0x3e3/0x1d50 net/bluetooth/l2cap_core.c:618
 l2cap_chan_close+0xeea/0x1050 net/bluetooth/l2cap_core.c:823
 l2cap_chan_timeout+0x1da/0x590 net/bluetooth/l2cap_core.c:436
 process_one_work+0x1219/0x1fe0 kernel/workqueue.c:2275
 worker_thread+0x10ec/0x2340 kernel/workqueue.c:2421
 kthread+0x521/0x560 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]
 kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104
 kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76
 slab_alloc_node mm/slub.c:2907 [inline]
 __kmalloc_node_track_caller+0xa37/0x1430 mm/slub.c:4527
 __kmalloc_reserve net/core/skbuff.c:142 [inline]
 __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210
 __netdev_alloc_skb+0x450/0x7f0 net/core/skbuff.c:446
 __netdev_alloc_skb_ip_align include/linux/skbuff.h:2852 [inline]
 netdev_alloc_skb_ip_align include/linux/skbuff.h:2862 [inline]
 batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:558 [inline]
 batadv_iv_ogm_queue_add+0x1376/0x1c40 net/batman-adv/bat_iv_ogm.c:670
 batadv_iv_ogm_schedule_buff net/batman-adv/bat_iv_ogm.c:849 [inline]
 batadv_iv_ogm_schedule+0x128d/0x1670 net/batman-adv/bat_iv_ogm.c:869
 batadv_iv_send_outstanding_bat_ogm_packet+0xd6e/0xef0 net/batman-adv/bat_iv_ogm.c:1723
 process_one_work+0x1219/0x1fe0 kernel/workqueue.c:2275
 worker_thread+0x10ec/0x2340 kernel/workqueue.c:2421
 kthread+0x521/0x560 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
=====================================================

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 7b070067 P4D 7b070067 PUD 7b071067 PMD 0
Oops: 0010 [#1] SMP
CPU: 0 PID: 8451 Comm: kworker/0:4 Tainted: G B 5.11.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffff88807e2cf9e8 EFLAGS: 00010286
RAX: ffff88808bdad6a0 RBX: ffff88808c5ad400 RCX: 000000008c1ad6a0
RDX: ffff88808c1ad6a0 RSI: 0000000000000110 RDI: ffff88808c5ad400
RBP: ffff88807e2cfa78 R08: ffffea000000000f R09: ffff88813fffa000
R10: 3d3d3d3d3d3d3d00 R11: 3d3d3d3d3d3d3d3d R12: 0000000000000000
R13: ffff88807b300a78 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88813fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000007b06f000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 l2cap_sock_teardown_cb+0x716/0x890 net/bluetooth/l2cap_sock.c:1545
 l2cap_chan_del+0x3e3/0x1d50 net/bluetooth/l2cap_core.c:618
 l2cap_chan_close+0xeea/0x1050 net/bluetooth/l2cap_core.c:823
 l2cap_chan_timeout+0x1da/0x590 net/bluetooth/l2cap_core.c:436
 process_one_work+0x1219/0x1fe0 kernel/workqueue.c:2275
 worker_thread+0x10ec/0x2340 kernel/workqueue.c:2421
 kthread+0x521/0x560 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
CR2: 0000000000000000
---[ end trace 14baa2999d5d4ce6 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffff88807e2cf9e8 EFLAGS: 00010286
RAX: ffff88808bdad6a0 RBX: ffff88808c5ad400 RCX: 000000008c1ad6a0
RDX: ffff88808c1ad6a0 RSI: 0000000000000110 RDI: ffff88808c5ad400
RBP: ffff88807e2cfa78 R08: ffffea000000000f R09: ffff88813fffa000
R10: 3d3d3d3d3d3d3d00 R11: 3d3d3d3d3d3d3d3d R12: 0000000000000000
R13: ffff88807b300a78 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88813fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000007b06f000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
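The three reports above are one event seen three ways. The same kworker (PID 8451) is running the l2cap_chan_timeout work item; KMSAN twice flags l2cap_sock_teardown_cb reading socket memory whose most recent allocation was an skb buffer obtained through __alloc_skb from batman-adv, a subsystem that appears nowhere on the Bluetooth call path, so the bytes being read are recycled slab memory rather than a live socket; and the work item finally takes an instruction-fetch fault at RIP 0, which is a call through a NULL function pointer read from that memory. The script below is an added triage helper, not part of the syzkaller report or of the kernel tree: it parses reports of this shape into records and checks those three facts mechanically. Report, parse_reports, faulting_frame, allocation_owner, is_stale_memory and is_null_function_pointer_call are the example's own names; SAMPLE is an abridged excerpt of the reports above, with the hardware, register and repeated infrastructure frames cut.

```python
# Triage helper for syzkaller KMSAN / oops reports. Added example, not part of the
# original report; SAMPLE below is an abridged excerpt of the three reports above.
from __future__ import annotations
import re
from dataclasses import dataclass, field

FRAME_RE = re.compile(r"^\s+(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                      r"\s+(?P<loc>\S+\.[chS]:\d+)(?:\s+\[inline\])?\s*$")
SANITIZER = ("lib/dump_stack.c", "mm/kmsan/")  # report machinery, never the bug itself
ALLOCATOR = ("mm/", "net/core/skbuff.c", "include/linux/skbuff.h")  # generic alloc plumbing

@dataclass
class Report:
    title: str
    pid: int | None = None
    comm: str | None = None
    workqueue: str | None = None
    fault_kind: str | None = None  # first "#PF:" description (oops only)
    rip: str | None = None         # first "RIP:" address (oops only)
    call_trace: list = field(default_factory=list)   # [(func, "file:line"), ...]
    alloc_trace: list = field(default_factory=list)  # KMSAN "Uninit was created at"

def parse_reports(text: str) -> list[Report]:
    reports, cur, section = [], None, None
    for line in text.splitlines():
        if line.startswith("BUG: "):
            cur = Report(title=line[5:].strip())
            reports.append(cur)
            section = None
        elif cur is None:
            continue
        elif line.startswith("CPU: ") and (m := re.match(r"CPU: \d+ PID: (\d+) Comm: (\S+)", line)):
            cur.pid, cur.comm = int(m[1]), m[2]
        elif line.startswith("Workqueue: "):
            cur.workqueue = line.split()[-1]
        elif line.startswith("#PF: ") and cur.fault_kind is None:
            cur.fault_kind = line[5:].split(" in ")[0]
        elif line.startswith("RIP: ") and cur.rip is None:
            cur.rip = line.split(":")[-1].strip()
        elif line.startswith("Call Trace:"):
            section = cur.call_trace
        elif line.startswith("Uninit was created at:"):
            section = cur.alloc_trace
        elif section is not None:
            if m := FRAME_RE.match(line):
                section.append((m["func"], m["loc"]))
            else:
                section = None  # a blank line or any other text ends the trace
    return reports

def subsystem(loc: str) -> str:
    return loc.rsplit("/", 1)[0]  # "net/bluetooth/l2cap_sock.c:1520" -> "net/bluetooth"

def faulting_frame(r: Report) -> tuple[str, str]:
    # First frame that is neither the stack printer nor the sanitizer itself.
    return next(f for f in r.call_trace if not f[1].startswith(SANITIZER))

def allocation_owner(r: Report) -> tuple[str, str] | None:
    # Innermost origin frame outside allocator/skb plumbing: the code that asked for the memory.
    return next((f for f in r.alloc_trace if not f[1].startswith(ALLOCATOR)), None)

def is_stale_memory(r: Report) -> bool:
    # The KMSAN origin lies in a subsystem the faulting path never enters, so the memory was
    # last handed out to unrelated code: the pointer being followed names a recycled slab object.
    owner = allocation_owner(r)
    touched = {subsystem(loc) for _, loc in r.call_trace}
    return owner is not None and subsystem(owner[1]) not in touched

def is_null_function_pointer_call(r: Report) -> bool:
    # Instruction-fetch fault with RIP 0: an indirect call through a NULL function pointer.
    return r.fault_kind == "supervisor instruction fetch" and r.rip == "0x0"

SAMPLE = """\
BUG: KMSAN: uninit-value in lock_sock_nested+0x280/0x2c0 net/core/sock.c:3050
CPU: 0 PID: 8451 Comm: kworker/0:4 Not tainted 5.11.0-rc7-syzkaller #0
Workqueue: events l2cap_chan_timeout
Call Trace:
 kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118
 lock_sock_nested+0x280/0x2c0 net/core/sock.c:3050
 l2cap_sock_teardown_cb+0xb9/0x890 net/bluetooth/l2cap_sock.c:1520
 l2cap_chan_timeout+0x1da/0x590 net/bluetooth/l2cap_core.c:436

Uninit was created at:
 __alloc_skb+0x2f8/0xb30 net/core/skbuff.c:210
 batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:558 [inline]
=====================================================
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
CPU: 0 PID: 8451 Comm: kworker/0:4 Tainted: G B 5.11.0-rc7-syzkaller #0
Workqueue: events l2cap_chan_timeout
RIP: 0010:0x0
Call Trace:
 l2cap_sock_teardown_cb+0x716/0x890 net/bluetooth/l2cap_sock.c:1545
"""
```

Call parse_reports(SAMPLE) (or feed it the full text above) and run the three checks on each record. is_stale_memory is the one to look at first on any KMSAN report: when the origin stack belongs to a subsystem the faulting path never enters, the shadow describes whoever received the slab object most recently, so the bug is a stale pointer into freed memory rather than a forgotten initialisation, and the fix belongs with the object's lifetime, not with zeroing the field KMSAN happened to name.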