Extracting prog: 14m38.494148271s
Minimizing prog: 39m14.442042254s
Simplifying prog options: 15m0.830198389s
Extracting C: 5m59.526125126s
Simplifying C: 0s
extracting reproducer from 24 programs
first checking the prog from the crash report
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-socketpair$auto-socket-getsockopt$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
detailed listing:
executing program 0:
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xffffffffffffffff, 0x8000)
socketpair$auto(0x5, 0x2, 0x7, 0x0)
r0 = socket(0xa, 0x801, 0x84)
getsockopt$auto(r0, 0x84, 0x72, 0x0, &(0x7f0000000100)=0x22a)
r1 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r1, 0x0, 0xe)
program did not crash
single: failed to extract reproducer
bisect: bisecting 24 programs with base timeout 30s
testing program (duration=36s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 7, 6, 6, 6, 6, 6, 6, 7, 7]
detailed listing:
executing program 1:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
mmap$auto(0x0, 0x9, 0x3ff57696, 0x9b72, 0x2, 0x8000000000008000)
syz_genetlink_get_family_id$auto_ioam6(&(0x7f0000001280), 0xffffffffffffffff)
madvise$auto(0x0, 0xffffffffffff0005, 0x19)
mbind$auto(0x2000, 0x100000004, 0x100000000, 0x0, 0x5, 0x2)
mprotect$auto(0x0, 0x8000000000000001, 0x6)
executing program 3:
open(&(0x7f0000000000)='./file0\x00', 0xa61c2, 0x84)
socket(0x15, 0x5, 0x0)
socket(0x22, 0x2, 0x24)
socket(0x28, 0x5, 0x0)
fallocate$auto(0x8000000000000003, 0x0, 0xd, 0xcbd5d)
sendfile$auto(0x6, 0x3, 0x0, 0xfdef)
executing program 3:
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xfffffffffffffffa, 0x8000)
close_range$auto(0x2, 0x8, 0x0)
openat$auto_proc_loginuid_operations_base(0xffffffffffffff9c, &(0x7f0000000040)='/proc/thread-self/loginuid\x00', 0x1a1081, 0x0)
r0 = openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/devices/virtual/net/bond0/bonding/miimon\x00', 0x62342, 0x0)
read$auto(r0, 0x0, 0x101)
write$auto(0x3, 0x0, 0xfdef)
executing program 2:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
close_range$auto(0x0, 0xfffffffffffff000, 0x2)
socket(0xa, 0x3, 0x71)
socket(0xa, 0x2, 0x88)
setresuid$auto(0x0, 0x8, 0x8000)
ioctl$auto(0x1, 0x890c, 0x8)
executing program 3:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$auto_nl80211(&(0x7f0000000180), r0)
sendmsg$auto_NL80211_CMD_SET_REKEY_OFFLOAD(r0, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f00000001c0)={0x30, r1, 0x1, 0x70bd2b, 0x25dfdbfd, {}, [@NL80211_ATTR_COLOR_CHANGE_ELEMS={0x1c, 0x131, 0x0, 0x1, [@NL80211_ATTR_PMKID={0x15, 0x55, "9da6b8c2443745ef10de92b9528279a9a0"}]}]}, 0x30}, 0x1, 0x0, 0x0, 0x1}, 0x20048014)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, 0x0)
sendmsg$auto_BATADV_CMD_GET_MCAST_FLAGS(r0, 0x0, 0x40000)
sendmsg$auto_NL80211_CMD_DEL_PMK(r0, 0x0, 0xa040)
executing program 1:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
close_range$auto(r0, 0xfffffffffffff000, 0x2)
socket(0x2, 0x3, 0x1)
socket(0x15, 0x5, 0x0)
timerfd_create$auto(0x9, 0x0)
select$auto(0x6, 0x0, &(0x7f00000000c0)={[0xbb0, 0x8101, 0x80, 0x1, 0xb, 0x4db11da, 0x3, 0x7f, 0x2, 0x0, 0x32, 0x1, 0x10000, 0x7, 0x6, 0xb83]}, 0x0, 0x0)
executing program 0:
mmap$auto(0x0, 0x4020009, 0xdf, 0xeb1, 0x401, 0x8000)
r0 = socket(0x2b, 0x1, 0x1)
r1 = socket(0x10, 0x2, 0x0)
sendmsg$auto_NL80211_CMD_GET_REG(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB=' \x00\x00\x00', @ANYBLOB="1200", @ANYBLOB="5de1"], 0x1ac}, 0x1, 0x0, 0x0, 0x8000}, 0x40)
recvmmsg$auto(r1, &(0x7f0000000140)={{0x0, 0x1000000c, &(0x7f0000000080)={0x0, 0x803}, 0x5, 0x0, 0x2, 0x8}, 0x800}, 0x10a, 0x8, 0x0)
setsockopt$auto(r0, 0x29, 0x20, 0x0, 0x20)
executing program 3:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
r0 = openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f0000000080)='/sys/devices/virtual/net/rose11/tx_queue_len\x00', 0x0, 0x0)
read$auto(r0, 0x0, 0x20)
r1 = openat$auto_proc_fail_nth_operations_base(0xffffffffffffff9c, &(0x7f0000000040)='/proc/thread-self/fail-nth\x00', 0x802, 0x0)
writev$auto(r1, &(0x7f0000000200)={0x0, 0x7}, 0x3)
unshare$auto(0x40000080)
executing program 2:
socket$nl_generic(0x10, 0x3, 0x10)
mmap$auto(0x0, 0x40009, 0xdf, 0x9b72, 0x7, 0x28000)
move_pages$auto(0x1, 0x2000000000003, 0xffffffffffffffff, 0x0, 0x0, 0x8000000000000000)
socket$nl_generic(0x10, 0x3, 0x10)
socket$nl_generic(0x10, 0x3, 0x10)
setsockopt$auto(0x5, 0x1, 0x4b, 0x0, 0x9)
executing program 1:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
setreuid$auto(0x0, 0x0)
io_uring_setup$auto(0x2, 0x0)
r0 = openat$auto_tty_fops_tty_io(0xffffffffffffff9c, &(0x7f0000000400)='/dev/ttyS2\x00', 0x101e81, 0x0)
ioctl$auto_TIOCSETD2(r0, 0x5423, 0x0)
ioctl$auto_TIOCVHANGUP2(r0, 0x5437, 0x0)
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
mmap$auto(0x0, 0x4, 0x4000000000df, 0x40eb1, 0x401, 0x300000000000)
recvfrom$auto(0x3, 0x0, 0x142e, 0x2, 0x0, 0x0)
openat$auto_proc_pid_attr_operations_base(0xffffffffffffff9c, 0x0, 0x151001, 0x0)
r1 = syz_genetlink_get_family_id$auto_macsec(&(0x7f0000001900), 0xffffffffffffffff)
sendmsg$auto_MACSEC_CMD_GET_TXSC(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000002b00)={&(0x7f0000000180)=ANY=[@ANYBLOB="14000000", @ANYRES16=r1, @ANYBLOB='{o'], 0x14}, 0x1, 0x0, 0x0, 0x880}, 0x0)
executing program 2:
mmap$auto(0x0, 0x400006, 0xfffffffffffffff9, 0x9b72, 0x2, 0x8000)
r0 = socket(0xa, 0x2, 0x0)
r1 = openat$auto_proc_reg_file_ops_compat_inode(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/fs/cifs/smbd_keep_alive_interval\x00', 0x8f3b7a51b80ebc01, 0x0)
close_range$auto(r0, r1, 0x3)
r2 = openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f0000000000)='/sys/module/binder/parameters/stop_on_user_error\x00', 0x2, 0x0)
write$auto_kernfs_file_fops_kernfs_internal(r2, &(0x7f0000000040)='\x00', 0x1)
executing program 0:
r0 = openat$auto_tty_fops_tty_io(0xffffffffffffff9c, &(0x7f0000000000)='/dev/tty46\x00', 0x0, 0x0)
r1 = socket(0x10, 0x2, 0x0)
sendmsg$auto_NL80211_CMD_GET_REG(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000300)=ANY=[@ANYBLOB="72010000", @ANYBLOB="120027", @ANYBLOB="5de1523353782950330a"], 0x1ac}}, 0x40000)
read$auto(r1, &(0x7f0000000000)='$-]&@\x00', 0xfdef)
ioctl$auto(r0, 0x540a, 0x0)
ioctl$auto_TIOCSTI2(r0, 0x5412, &(0x7f0000000140))
executing program 2:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$auto_nlctrl(&(0x7f0000001100), r1)
sendmsg$auto_CTRL_CMD_GETFAMILY(r1, &(0x7f00000011c0)={0x0, 0x0, &(0x7f0000001180)={&(0x7f0000001140)=ANY=[@ANYBLOB="1c000000", @ANYRES16=r2, @ANYBLOB="01002dbd7000ffdbdf25030000000600010030"], 0x1c}, 0x1, 0x0, 0x0, 0x20000004}, 0x20000044)
r3 = syz_genetlink_get_family_id$auto_thermal(&(0x7f0000000200), r1)
sendmsg$auto_THERMAL_GENL_CMD_TZ_GET_TEMP(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f00000036c0)=ANY=[@ANYBLOB='\x006\x00\x00', @ANYRES16=r3, @ANYBLOB="01002bbd7000fedbdfa503000000e43501805b"], 0x3600}, 0x1, 0x0, 0x0, 0x4008000}, 0x8084)
executing program 3:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
mmap$auto(0x0, 0x9, 0x3ff57696, 0x9b72, 0x2, 0x8000000000008000)
syz_genetlink_get_family_id$auto_ioam6(&(0x7f0000001280), 0xffffffffffffffff)
madvise$auto(0x0, 0xffffffffffff0005, 0x19)
mbind$auto(0x2000, 0x100000004, 0x100000000, 0x0, 0x5, 0x2)
mprotect$auto(0x0, 0x8000000000000001, 0x6)
executing program 1:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
madvise$auto(0x0, 0xffffffffffff0004, 0x19)
close_range$auto(0x2, 0x8, 0x0)
sendmsg$auto_NETDEV_CMD_DEV_GET(0xffffffffffffffff, &(0x7f0000000080)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x40000}, 0xc, 0x0, 0x1, 0x0, 0x0, 0x48004}, 0x4050)
io_uring_setup$auto(0x6, 0x0)
io_uring_register$auto(0x2, 0x0, &(0x7f0000000000), 0x3)
syz_clone3(&(0x7f00000004c0)={0x2000000, 0x0, 0x0, 0x0, {0x21}, 0x0, 0x0, 0x0, 0x0}, 0x58)
executing program 0:
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xfffffffffffffffa, 0x8000)
msgsnd$auto(0x5, 0x0, 0x3, 0x8)
madvise$auto(0x0, 0xffffffffffff0005, 0x19)
mlock$auto(0xfbe8, 0x4)
mlockall$auto(0x7)
arch_prctl$auto(0x5005, 0x9)
executing program 2:
mmap$auto(0x0, 0x400005, 0xdf, 0x9b72, 0x2, 0x8000)
close_range$auto(0x2, 0x8, 0x0)
openat$auto_proc_loginuid_operations_base(0xffffffffffffff9c, &(0x7f0000000040)='/proc/thread-self/loginuid\x00', 0x1a1081, 0x0)
r0 = openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f00000001c0)='/sys/devices/platform/i8042/serio1/resetafter\x00', 0x129102, 0x0)
read$auto(r0, 0x0, 0x18)
write$auto(0x3, 0x0, 0xfdef)
executing program 0:
open(&(0x7f0000000000)='./file0\x00', 0xa61c2, 0x84)
socket(0xa, 0x2, 0x0)
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
socketpair$auto(0x1e, 0x1, 0x8000000000000000, 0x0)
fallocate$auto(0x8000000000000003, 0x0, 0xd, 0xcbd5d)
sendfile$auto(0x6, 0x3, 0x0, 0xfdef)
executing program 1:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
r0 = socket(0x10, 0x2, 0x0)
sendmsg$auto_NL80211_CMD_GET_REG(r0, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000040)=ANY=[@ANYBLOB="72010000", @ANYBLOB=' \x00\''], 0x1ac}}, 0x40000)
sendmsg$auto_NL80211_CMD_GET_REG(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000040)=ANY=[], 0x1ac}, 0x1, 0x0, 0x0, 0x4004810}, 0x800)
sendmsg$auto_NL80211_CMD_GET_REG(0xffffffffffffffff, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000040)=ANY=[@ANYBLOB="1b00"], 0x1ac}, 0x1, 0x0, 0x0, 0x40}, 0x40000)
sendmmsg$auto(0x3, &(0x7f0000000080)={{0x0, 0x2, &(0x7f00000002c0)={0x0, 0xc4}, 0x1, 0x0, 0x0, 0x9}, 0x7}, 0x3, 0x0)
executing program 3:
socket(0x10, 0x2, 0x0)
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
sendmsg$auto_NFSD_CMD_THREADS_SET(0xffffffffffffffff, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000040)=ANY=[@ANYBLOB='$\x00\x00\x00', @ANYRES16=0x0, @ANYBLOB='\rV'], 0x24}, 0x1, 0x0, 0x0, 0x20000010}, 0x200000c4)
sendmsg$auto_NL80211_CMD_GET_REG(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000040)=ANY=[@ANYBLOB="72010000", @ANYBLOB='^'], 0x1ac}, 0x1, 0x0, 0x0, 0xc000}, 0xc814)
sendmsg$auto_NL80211_CMD_GET_REG(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000040)=ANY=[], 0x1ac}, 0x1, 0x0, 0x0, 0x4004810}, 0x800)
sendmmsg$auto(0x3, &(0x7f0000000080)={{0x0, 0x1c03, &(0x7f00000002c0)={0x0, 0xc4}, 0x1, 0x0, 0x0, 0x9}, 0x7}, 0x3, 0x0)
executing program 2:
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xffffffffffffffff, 0x8000)
socketpair$auto(0x5, 0x2, 0x7, 0x0)
r0 = socket(0xa, 0x801, 0x84)
getsockopt$auto(r0, 0x84, 0x72, 0x0, &(0x7f0000000100)=0x22a)
r1 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r1, 0x0, 0xe)
executing program 1:
mmap$auto(0x0, 0x20009, 0x10000000000df, 0xeb2, 0x401, 0x8000)
sysfs$auto(0x2, 0x10000000000048, 0x0)
r0 = fsopen$auto(0x0, 0x1)
close_range$auto(0x2, 0x8, 0x0)
r1 = openat$auto_kvm_chardev_ops_kvm_main(0xffffffffffffff9c, &(0x7f00000011c0), 0xe0180, 0x0)
ioctl$auto_KVM_CREATE_VM(r1, 0xae01, 0x0)
ioctl$auto(0x3, 0x4030ae7b, r0)
executing program 0:
mmap$auto(0x0, 0x40009, 0x3, 0x9b72, 0x7, 0x28000)
ioctl$auto_PPPIOCGDEBUG(0xffffffffffffffff, 0x80047441, 0x0)
close_range$auto(0x2, 0x8000, 0x0)
r0 = socketpair$auto(0x1e, 0x5, 0x8000000000000000, 0x0)
close_range$auto(r0, r0, 0x0)
r1 = openat$auto_v4l2_fops_v4l2_dev(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vbi2\x00', 0xa200, 0x0)
ioctl$auto(r1, 0xc0585611, r1)
program did not crash
replaying the whole log did not cause a kernel crash
single: executing 1 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-socketpair$auto-socket-getsockopt$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
detailed listing:
executing program 0:
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xffffffffffffffff, 0x8000)
socketpair$auto(0x5, 0x2, 0x7, 0x0)
r0 = socket(0xa, 0x801, 0x84)
getsockopt$auto(r0, 0x84, 0x72, 0x0, &(0x7f0000000100)=0x22a)
r1 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r1, 0x0, 0xe)
program did not crash
single: failed to extract reproducer
bisect: bisecting 24 programs with base timeout 1m40s
testing program (duration=1m46s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 7, 6, 6, 6, 6, 6, 6, 7, 7]
detailed listing:
executing program 1:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
mmap$auto(0x0, 0x9, 0x3ff57696, 0x9b72, 0x2, 0x8000000000008000)
syz_genetlink_get_family_id$auto_ioam6(&(0x7f0000001280), 0xffffffffffffffff)
madvise$auto(0x0, 0xffffffffffff0005, 0x19)
mbind$auto(0x2000, 0x100000004, 0x100000000, 0x0, 0x5, 0x2)
mprotect$auto(0x0, 0x8000000000000001, 0x6)
executing program 3:
open(&(0x7f0000000000)='./file0\x00', 0xa61c2, 0x84)
socket(0x15, 0x5, 0x0)
socket(0x22, 0x2, 0x24)
socket(0x28, 0x5, 0x0)
fallocate$auto(0x8000000000000003, 0x0, 0xd, 0xcbd5d)
sendfile$auto(0x6, 0x3, 0x0, 0xfdef)
executing program 3:
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xfffffffffffffffa, 0x8000)
close_range$auto(0x2, 0x8, 0x0)
openat$auto_proc_loginuid_operations_base(0xffffffffffffff9c, &(0x7f0000000040)='/proc/thread-self/loginuid\x00', 0x1a1081, 0x0)
r0 = openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/devices/virtual/net/bond0/bonding/miimon\x00', 0x62342, 0x0)
read$auto(r0, 0x0, 0x101)
write$auto(0x3, 0x0, 0xfdef)
executing program 2:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
close_range$auto(0x0, 0xfffffffffffff000, 0x2)
socket(0xa, 0x3, 0x71)
socket(0xa, 0x2, 0x88)
setresuid$auto(0x0, 0x8, 0x8000)
ioctl$auto(0x1, 0x890c, 0x8)
executing program 3:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$auto_nl80211(&(0x7f0000000180), r0)
sendmsg$auto_NL80211_CMD_SET_REKEY_OFFLOAD(r0, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f00000001c0)={0x30, r1, 0x1, 0x70bd2b, 0x25dfdbfd, {}, [@NL80211_ATTR_COLOR_CHANGE_ELEMS={0x1c, 0x131, 0x0, 0x1, [@NL80211_ATTR_PMKID={0x15, 0x55, "9da6b8c2443745ef10de92b9528279a9a0"}]}]}, 0x30}, 0x1, 0x0, 0x0, 0x1}, 0x20048014)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, 0x0)
sendmsg$auto_BATADV_CMD_GET_MCAST_FLAGS(r0, 0x0, 0x40000)
sendmsg$auto_NL80211_CMD_DEL_PMK(r0, 0x0, 0xa040)
executing program 1:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
close_range$auto(r0, 0xfffffffffffff000, 0x2)
socket(0x2, 0x3, 0x1)
socket(0x15, 0x5, 0x0)
timerfd_create$auto(0x9, 0x0)
select$auto(0x6, 0x0, &(0x7f00000000c0)={[0xbb0, 0x8101, 0x80, 0x1, 0xb, 0x4db11da, 0x3, 0x7f, 0x2, 0x0, 0x32, 0x1, 0x10000, 0x7, 0x6, 0xb83]}, 0x0, 0x0)
executing program 0:
mmap$auto(0x0, 0x4020009, 0xdf, 0xeb1, 0x401, 0x8000)
r0 = socket(0x2b, 0x1, 0x1)
r1 = socket(0x10, 0x2, 0x0)
sendmsg$auto_NL80211_CMD_GET_REG(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB=' \x00\x00\x00', @ANYBLOB="1200", @ANYBLOB="5de1"], 0x1ac}, 0x1, 0x0, 0x0, 0x8000}, 0x40)
recvmmsg$auto(r1, &(0x7f0000000140)={{0x0, 0x1000000c, &(0x7f0000000080)={0x0, 0x803}, 0x5, 0x0, 0x2, 0x8}, 0x800}, 0x10a, 0x8, 0x0)
setsockopt$auto(r0, 0x29, 0x20, 0x0, 0x20)
executing program 3:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
r0 = openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f0000000080)='/sys/devices/virtual/net/rose11/tx_queue_len\x00', 0x0, 0x0)
read$auto(r0, 0x0, 0x20)
r1 = openat$auto_proc_fail_nth_operations_base(0xffffffffffffff9c, &(0x7f0000000040)='/proc/thread-self/fail-nth\x00', 0x802, 0x0)
writev$auto(r1, &(0x7f0000000200)={0x0, 0x7}, 0x3)
unshare$auto(0x40000080)
executing program 2:
socket$nl_generic(0x10, 0x3, 0x10)
mmap$auto(0x0, 0x40009, 0xdf, 0x9b72, 0x7, 0x28000)
move_pages$auto(0x1, 0x2000000000003, 0xffffffffffffffff, 0x0, 0x0, 0x8000000000000000)
socket$nl_generic(0x10, 0x3, 0x10)
socket$nl_generic(0x10, 0x3, 0x10)
setsockopt$auto(0x5, 0x1, 0x4b, 0x0, 0x9)
executing program 1:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
setreuid$auto(0x0, 0x0)
io_uring_setup$auto(0x2, 0x0)
r0 = openat$auto_tty_fops_tty_io(0xffffffffffffff9c, &(0x7f0000000400)='/dev/ttyS2\x00', 0x101e81, 0x0)
ioctl$auto_TIOCSETD2(r0, 0x5423, 0x0)
ioctl$auto_TIOCVHANGUP2(r0, 0x5437, 0x0)
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
mmap$auto(0x0, 0x4, 0x4000000000df, 0x40eb1, 0x401, 0x300000000000)
recvfrom$auto(0x3, 0x0, 0x142e, 0x2, 0x0, 0x0)
openat$auto_proc_pid_attr_operations_base(0xffffffffffffff9c, 0x0, 0x151001, 0x0)
r1 = syz_genetlink_get_family_id$auto_macsec(&(0x7f0000001900), 0xffffffffffffffff)
sendmsg$auto_MACSEC_CMD_GET_TXSC(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000002b00)={&(0x7f0000000180)=ANY=[@ANYBLOB="14000000", @ANYRES16=r1, @ANYBLOB='{o'], 0x14}, 0x1, 0x0, 0x0, 0x880}, 0x0)
executing program 2:
mmap$auto(0x0, 0x400006, 0xfffffffffffffff9, 0x9b72, 0x2, 0x8000)
r0 = socket(0xa, 0x2, 0x0)
r1 = openat$auto_proc_reg_file_ops_compat_inode(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/fs/cifs/smbd_keep_alive_interval\x00', 0x8f3b7a51b80ebc01, 0x0)
close_range$auto(r0, r1, 0x3)
r2 = openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f0000000000)='/sys/module/binder/parameters/stop_on_user_error\x00', 0x2, 0x0)
write$auto_kernfs_file_fops_kernfs_internal(r2, &(0x7f0000000040)='\x00', 0x1)
executing program 0:
r0 = openat$auto_tty_fops_tty_io(0xffffffffffffff9c, &(0x7f0000000000)='/dev/tty46\x00', 0x0, 0x0)
r1 = socket(0x10, 0x2, 0x0)
sendmsg$auto_NL80211_CMD_GET_REG(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000300)=ANY=[@ANYBLOB="72010000", @ANYBLOB="120027", @ANYBLOB="5de1523353782950330a"], 0x1ac}}, 0x40000)
read$auto(r1, &(0x7f0000000000)='$-]&@\x00', 0xfdef)
ioctl$auto(r0, 0x540a, 0x0)
ioctl$auto_TIOCSTI2(r0, 0x5412, &(0x7f0000000140))
executing program 2:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$auto_nlctrl(&(0x7f0000001100), r1)
sendmsg$auto_CTRL_CMD_GETFAMILY(r1, &(0x7f00000011c0)={0x0, 0x0, &(0x7f0000001180)={&(0x7f0000001140)=ANY=[@ANYBLOB="1c000000", @ANYRES16=r2, @ANYBLOB="01002dbd7000ffdbdf25030000000600010030"], 0x1c}, 0x1, 0x0, 0x0, 0x20000004}, 0x20000044)
r3 = syz_genetlink_get_family_id$auto_thermal(&(0x7f0000000200), r1)
sendmsg$auto_THERMAL_GENL_CMD_TZ_GET_TEMP(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f00000036c0)=ANY=[@ANYBLOB='\x006\x00\x00', @ANYRES16=r3, @ANYBLOB="01002bbd7000fedbdfa503000000e43501805b"], 0x3600}, 0x1, 0x0, 0x0, 0x4008000}, 0x8084)
executing program 3:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
mmap$auto(0x0, 0x9, 0x3ff57696, 0x9b72, 0x2, 0x8000000000008000)
syz_genetlink_get_family_id$auto_ioam6(&(0x7f0000001280), 0xffffffffffffffff)
madvise$auto(0x0, 0xffffffffffff0005, 0x19)
mbind$auto(0x2000, 0x100000004, 0x100000000, 0x0, 0x5, 0x2)
mprotect$auto(0x0, 0x8000000000000001, 0x6)
executing program 1:
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
madvise$auto(0x0, 0xffffffffffff0004, 0x19)
close_range$auto(0x2, 0x8, 0x0)
sendmsg$auto_NETDEV_CMD_DEV_GET(0xffffffffffffffff, &(0x7f0000000080)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x40000}, 0xc, 0x0, 0x1, 0x0, 0x0, 0x48004}, 0x4050)
io_uring_setup$auto(0x6, 0x0)
io_uring_register$auto(0x2, 0x0, &(0x7f0000000000), 0x3)
syz_clone3(&(0x7f00000004c0)={0x2000000, 0x0, 0x0, 0x0, {0x21}, 0x0, 0x0, 0x0, 0x0}, 0x58)
executing program 0:
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xfffffffffffffffa, 0x8000)
msgsnd$auto(0x5, 0x0, 0x3, 0x8)
madvise$auto(0x0, 0xffffffffffff0005, 0x19)
mlock$auto(0xfbe8, 0x4)
mlockall$auto(0x7)
arch_prctl$auto(0x5005, 0x9)
executing program 2:
mmap$auto(0x0, 0x400005, 0xdf, 0x9b72, 0x2, 0x8000)
close_range$auto(0x2, 0x8, 0x0)
openat$auto_proc_loginuid_operations_base(0xffffffffffffff9c, &(0x7f0000000040)='/proc/thread-self/loginuid\x00', 0x1a1081, 0x0)
r0 = openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f00000001c0)='/sys/devices/platform/i8042/serio1/resetafter\x00', 0x129102, 0x0)
read$auto(r0, 0x0, 0x18)
write$auto(0x3, 0x0, 0xfdef)
executing program 0:
open(&(0x7f0000000000)='./file0\x00', 0xa61c2, 0x84)
socket(0xa, 0x2, 0x0)
mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000)
socketpair$auto(0x1e, 0x1, 0x8000000000000000, 0x0)
fallocate$auto(0x8000000000000003, 0x0, 0xd, 0xcbd5d)
sendfile$auto(0x6, 0x3, 0x0, 0xfdef)
executing program 1:
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
r0 = socket(0x10, 0x2, 0x0)
sendmsg$auto_NL80211_CMD_GET_REG(r0, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000040)=ANY=[@ANYBLOB="72010000", @ANYBLOB=' \x00\''], 0x1ac}}, 0x40000)
sendmsg$auto_NL80211_CMD_GET_REG(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000040)=ANY=[], 0x1ac}, 0x1, 0x0, 0x0, 0x4004810}, 0x800)
sendmsg$auto_NL80211_CMD_GET_REG(0xffffffffffffffff, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000040)=ANY=[@ANYBLOB="1b00"], 0x1ac}, 0x1, 0x0, 0x0, 0x40}, 0x40000)
sendmmsg$auto(0x3, &(0x7f0000000080)={{0x0, 0x2, &(0x7f00000002c0)={0x0, 0xc4}, 0x1, 0x0, 0x0, 0x9}, 0x7}, 0x3, 0x0)
executing program 3:
socket(0x10, 0x2, 0x0)
mmap$auto(0x0, 0x20009, 0x4000000000df, 0xeb1, 0x401, 0x8000)
sendmsg$auto_NFSD_CMD_THREADS_SET(0xffffffffffffffff, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000040)=ANY=[@ANYBLOB='$\x00\x00\x00', @ANYRES16=0x0, @ANYBLOB='\rV'], 0x24}, 0x1, 0x0, 0x0, 0x20000010}, 0x200000c4)
sendmsg$auto_NL80211_CMD_GET_REG(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000040)=ANY=[@ANYBLOB="72010000", @ANYBLOB='^'], 0x1ac}, 0x1, 0x0, 0x0, 0xc000}, 0xc814)
sendmsg$auto_NL80211_CMD_GET_REG(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000040)=ANY=[], 0x1ac}, 0x1, 0x0, 0x0, 0x4004810}, 0x800)
sendmmsg$auto(0x3, &(0x7f0000000080)={{0x0, 0x1c03, &(0x7f00000002c0)={0x0, 0xc4}, 0x1, 0x0, 0x0, 0x9}, 0x7}, 0x3, 0x0)
executing program 2:
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xffffffffffffffff, 0x8000)
socketpair$auto(0x5, 0x2, 0x7, 0x0)
r0 = socket(0xa, 0x801, 0x84)
getsockopt$auto(r0, 0x84, 0x72, 0x0, &(0x7f0000000100)=0x22a)
r1 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r1, 0x0, 0xe)
executing program 1:
mmap$auto(0x0, 0x20009, 0x10000000000df, 0xeb2, 0x401, 0x8000)
sysfs$auto(0x2, 0x10000000000048, 0x0)
r0 = fsopen$auto(0x0, 0x1)
close_range$auto(0x2, 0x8, 0x0)
r1 = openat$auto_kvm_chardev_ops_kvm_main(0xffffffffffffff9c, &(0x7f00000011c0), 0xe0180, 0x0)
ioctl$auto_KVM_CREATE_VM(r1, 0xae01, 0x0)
ioctl$auto(0x3, 0x4030ae7b, r0)
executing program 0:
mmap$auto(0x0, 0x40009, 0x3, 0x9b72, 0x7, 0x28000)
ioctl$auto_PPPIOCGDEBUG(0xffffffffffffffff, 0x80047441, 0x0)
close_range$auto(0x2, 0x8000, 0x0)
r0 = socketpair$auto(0x1e, 0x5, 0x8000000000000000, 0x0)
close_range$auto(r0, r0, 0x0)
r1 = openat$auto_v4l2_fops_v4l2_dev(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vbi2\x00', 0xa200, 0x0)
ioctl$auto(r1, 0xc0585611, r1)
program did not crash
replaying the whole log did not cause a kernel crash
single: executing 1 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-socketpair$auto-socket-getsockopt$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
detailed listing:
executing program 0:
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xffffffffffffffff, 0x8000)
socketpair$auto(0x5, 0x2, 0x7, 0x0)
r0 = socket(0xa, 0x801, 0x84)
getsockopt$auto(r0, 0x84, 0x72, 0x0, &(0x7f0000000100)=0x22a)
r1 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r1, 0x0, 0xe)
program crashed: KASAN: slab-use-after-free Read in force_devcd_write
single: successfully extracted reproducer
found reproducer with 6 syscalls
minimizing guilty program
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-socketpair$auto-socket-getsockopt$auto-openat$auto_force_devcoredump_fops_hci_vhci
detailed listing:
executing program 0:
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xffffffffffffffff, 0x8000)
socketpair$auto(0x5, 0x2, 0x7, 0x0)
r0 = socket(0xa, 0x801, 0x84)
getsockopt$auto(r0, 0x84, 0x72, 0x0, &(0x7f0000000100)=0x22a)
openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-socketpair$auto-socket-getsockopt$auto-write$auto
detailed listing:
executing program 0:
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xffffffffffffffff, 0x8000)
socketpair$auto(0x5, 0x2, 0x7, 0x0)
r0 = socket(0xa, 0x801, 0x84)
getsockopt$auto(r0, 0x84, 0x72, 0x0, &(0x7f0000000100)=0x22a)
write$auto(0xffffffffffffffff, 0x0, 0xe)
program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-socketpair$auto-socket-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
detailed listing:
executing program 0:
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xffffffffffffffff, 0x8000)
socketpair$auto(0x5, 0x2, 0x7, 0x0)
socket(0xa, 0x801, 0x84)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)
program crashed: KASAN: slab-use-after-free Read in force_devcd_write
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-socketpair$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
detailed listing:
executing program 0:
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xffffffffffffffff, 0x8000)
socketpair$auto(0x5, 0x2, 0x7, 0x0)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)
program crashed: KASAN: slab-use-after-free Read in force_devcd_write
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
detailed listing:
executing program 0:
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xffffffffffffffff, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)
program crashed: KASAN: slab-use-after-free Read in force_devcd_write
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$auto_force_devcoredump_fops_hci_vhci-write$auto
detailed listing:
executing program 0:
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)
program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
detailed listing:
executing program 0:
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xffffffffffffffff, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, 0x0, 0x2, 0x0)
write$auto(r0, 0x0, 0xe)
program did not crash
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
simplifying guilty program options
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
detailed listing:
executing program 0:
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xffffffffffffffff, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)
program crashed: KASAN: slab-use-after-free Read in force_devcd_write
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
detailed listing:
executing program 0:
mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xffffffffffffffff, 0x8000)
r0 = openat$auto_force_devcoredump_fops_hci_vhci(0xffffffffffffff9c, &(0x7f0000000c40)='/sys/kernel/debug/bluetooth/hci0/force_devcoredump\x00', 0x2, 0x0)
write$auto(r0, 0x0, 0xe)
program crashed: KASAN: slab-use-after-free Read in force_devcd_write
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap$auto-openat$auto_force_devcoredump_fops_hci_vhci-write$auto
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
reproducing took 1h14m8.786566146s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in force_devcd_write+0x317/0x330 drivers/bluetooth/hci_vhci.c:327
Read of size 8 at addr ffff88807dfa6000 by task syz.0.616/6717
CPU: 0 UID: 0 PID: 6717 Comm: syz.0.616 Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xd9/0x110 mm/kasan/report.c:634
force_devcd_write+0x317/0x330 drivers/bluetooth/hci_vhci.c:327
full_proxy_write+0x13c/0x200 fs/debugfs/file.c:398
vfs_write+0x24c/0x1150 fs/read_write.c:677
ksys_write+0x12b/0x250 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7efd1698d169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff14c8bd58 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007efd16ba5fa0 RCX: 00007efd1698d169
RDX: 000000000000000e RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007efd16a0e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007efd16ba5fa0 R14: 00007efd16ba5fa0 R15: 0000000000000003
Allocated by task 5961:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kmalloc_noprof include/linux/slab.h:901 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
vhci_open+0x4c/0x430 drivers/bluetooth/hci_vhci.c:634
misc_open+0x35a/0x420 drivers/char/misc.c:179
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x735/0x1c40 fs/open.c:956
vfs_open+0x82/0x3f0 fs/open.c:1086
do_open fs/namei.c:3830 [inline]
path_openat+0x1e88/0x2d80 fs/namei.c:3989
do_filp_open+0x20c/0x470 fs/namei.c:4016
do_sys_openat2+0x17a/0x1e0 fs/open.c:1428
do_sys_open fs/open.c:1443 [inline]
__do_sys_openat fs/open.c:1459 [inline]
__se_sys_openat fs/open.c:1454 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1454
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5961:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2353 [inline]
slab_free mm/slub.c:4609 [inline]
kfree+0x2c4/0x4d0 mm/slub.c:4757
vhci_release+0xbb/0xf0 drivers/bluetooth/hci_vhci.c:670
__fput+0x3ff/0xb70 fs/file_table.c:464
task_work_run+0x14e/0x250 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xad8/0x2db0 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
get_signal+0x24ed/0x26c0 kernel/signal.c:3036
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88807dfa6000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes inside of
freed 1024-byte region [ffff88807dfa6000, ffff88807dfa6400)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7dfa0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b041dc0 ffffea00009e4800 dead000000000002
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801b041dc0 ffffea00009e4800 dead000000000002
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0001f7e801 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5650, tgid 5650 (dhcpcd), ts 59114035306, free_ts 58816981388
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1551
prep_new_page mm/page_alloc.c:1559 [inline]
get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3477
__alloc_frozen_pages_noprof+0x221/0x2470 mm/page_alloc.c:4740
alloc_pages_mpol+0x1fc/0x540 mm/mempolicy.c:2270
alloc_slab_page mm/slub.c:2423 [inline]
allocate_slab mm/slub.c:2587 [inline]
new_slab+0x23d/0x330 mm/slub.c:2640
___slab_alloc+0xc5d/0x1720 mm/slub.c:3826
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3916
__slab_alloc_node mm/slub.c:3991 [inline]
slab_alloc_node mm/slub.c:4152 [inline]
__do_kmalloc_node mm/slub.c:4293 [inline]
__kmalloc_node_track_caller_noprof+0x2f1/0x510 mm/slub.c:4313
kmemdup_noprof+0x29/0x60 mm/util.c:136
bpf_migrate_filter net/core/filter.c:1269 [inline]
bpf_prepare_filter+0xc4f/0x1100 net/core/filter.c:1355
bpf_prog_create_from_user+0x1e4/0x2d0 net/core/filter.c:1449
seccomp_prepare_filter kernel/seccomp.c:693 [inline]
seccomp_prepare_user_filter kernel/seccomp.c:730 [inline]
seccomp_set_mode_filter kernel/seccomp.c:1965 [inline]
do_seccomp+0x7b6/0x2640 kernel/seccomp.c:2085
prctl_set_seccomp+0x4b/0x70 kernel/seccomp.c:2138
__do_sys_prctl+0xf42/0x2450 kernel/sys.c:2551
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5503 tgid 5503 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_frozen_pages+0x6db/0xfb0 mm/page_alloc.c:2660
__put_partials+0x14c/0x170 mm/slub.c:3153
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4115 [inline]
slab_alloc_node mm/slub.c:4164 [inline]
kmem_cache_alloc_node_noprof+0x223/0x3c0 mm/slub.c:4216
__alloc_skb+0x2b1/0x380 net/core/skbuff.c:596
alloc_skb include/linux/skbuff.h:1331 [inline]
alloc_skb_with_frags+0xe4/0x850 net/core/skbuff.c:6522
sock_alloc_send_pskb+0x7f1/0x980 net/core/sock.c:2914
unix_dgram_sendmsg+0x45e/0x1880 net/unix/af_unix.c:2017
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg net/socket.c:733 [inline]
sock_write_iter+0x4fe/0x5b0 net/socket.c:1137
do_iter_readv_writev+0x655/0x950 fs/read_write.c:820
vfs_writev+0x363/0xdd0 fs/read_write.c:1050
do_writev+0x297/0x340 fs/read_write.c:1096
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88807dfa5f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807dfa5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807dfa6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807dfa6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807dfa6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in force_devcd_write+0x317/0x330 drivers/bluetooth/hci_vhci.c:327
Read of size 8 at addr ffff88807dfa6000 by task syz.0.616/6717
CPU: 0 UID: 0 PID: 6717 Comm: syz.0.616 Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xd9/0x110 mm/kasan/report.c:634
force_devcd_write+0x317/0x330 drivers/bluetooth/hci_vhci.c:327
full_proxy_write+0x13c/0x200 fs/debugfs/file.c:398
vfs_write+0x24c/0x1150 fs/read_write.c:677
ksys_write+0x12b/0x250 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7efd1698d169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff14c8bd58 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007efd16ba5fa0 RCX: 00007efd1698d169
RDX: 000000000000000e RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007efd16a0e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007efd16ba5fa0 R14: 00007efd16ba5fa0 R15: 0000000000000003
Allocated by task 5961:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kmalloc_noprof include/linux/slab.h:901 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
vhci_open+0x4c/0x430 drivers/bluetooth/hci_vhci.c:634
misc_open+0x35a/0x420 drivers/char/misc.c:179
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x735/0x1c40 fs/open.c:956
vfs_open+0x82/0x3f0 fs/open.c:1086
do_open fs/namei.c:3830 [inline]
path_openat+0x1e88/0x2d80 fs/namei.c:3989
do_filp_open+0x20c/0x470 fs/namei.c:4016
do_sys_openat2+0x17a/0x1e0 fs/open.c:1428
do_sys_open fs/open.c:1443 [inline]
__do_sys_openat fs/open.c:1459 [inline]
__se_sys_openat fs/open.c:1454 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1454
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5961:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2353 [inline]
slab_free mm/slub.c:4609 [inline]
kfree+0x2c4/0x4d0 mm/slub.c:4757
vhci_release+0xbb/0xf0 drivers/bluetooth/hci_vhci.c:670
__fput+0x3ff/0xb70 fs/file_table.c:464
task_work_run+0x14e/0x250 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xad8/0x2db0 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
get_signal+0x24ed/0x26c0 kernel/signal.c:3036
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88807dfa6000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes inside of
freed 1024-byte region [ffff88807dfa6000, ffff88807dfa6400)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7dfa0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b041dc0 ffffea00009e4800 dead000000000002
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801b041dc0 ffffea00009e4800 dead000000000002
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0001f7e801 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5650, tgid 5650 (dhcpcd), ts 59114035306, free_ts 58816981388
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1551
prep_new_page mm/page_alloc.c:1559 [inline]
get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3477
__alloc_frozen_pages_noprof+0x221/0x2470 mm/page_alloc.c:4740
alloc_pages_mpol+0x1fc/0x540 mm/mempolicy.c:2270
alloc_slab_page mm/slub.c:2423 [inline]
allocate_slab mm/slub.c:2587 [inline]
new_slab+0x23d/0x330 mm/slub.c:2640
___slab_alloc+0xc5d/0x1720 mm/slub.c:3826
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3916
__slab_alloc_node mm/slub.c:3991 [inline]
slab_alloc_node mm/slub.c:4152 [inline]
__do_kmalloc_node mm/slub.c:4293 [inline]
__kmalloc_node_track_caller_noprof+0x2f1/0x510 mm/slub.c:4313
kmemdup_noprof+0x29/0x60 mm/util.c:136
bpf_migrate_filter net/core/filter.c:1269 [inline]
bpf_prepare_filter+0xc4f/0x1100 net/core/filter.c:1355
bpf_prog_create_from_user+0x1e4/0x2d0 net/core/filter.c:1449
seccomp_prepare_filter kernel/seccomp.c:693 [inline]
seccomp_prepare_user_filter kernel/seccomp.c:730 [inline]
seccomp_set_mode_filter kernel/seccomp.c:1965 [inline]
do_seccomp+0x7b6/0x2640 kernel/seccomp.c:2085
prctl_set_seccomp+0x4b/0x70 kernel/seccomp.c:2138
__do_sys_prctl+0xf42/0x2450 kernel/sys.c:2551
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5503 tgid 5503 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_frozen_pages+0x6db/0xfb0 mm/page_alloc.c:2660
__put_partials+0x14c/0x170 mm/slub.c:3153
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4115 [inline]
slab_alloc_node mm/slub.c:4164 [inline]
kmem_cache_alloc_node_noprof+0x223/0x3c0 mm/slub.c:4216
__alloc_skb+0x2b1/0x380 net/core/skbuff.c:596
alloc_skb include/linux/skbuff.h:1331 [inline]
alloc_skb_with_frags+0xe4/0x850 net/core/skbuff.c:6522
sock_alloc_send_pskb+0x7f1/0x980 net/core/sock.c:2914
unix_dgram_sendmsg+0x45e/0x1880 net/unix/af_unix.c:2017
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg net/socket.c:733 [inline]
sock_write_iter+0x4fe/0x5b0 net/socket.c:1137
do_iter_readv_writev+0x655/0x950 fs/read_write.c:820
vfs_writev+0x363/0xdd0 fs/read_write.c:1050
do_writev+0x297/0x340 fs/read_write.c:1096
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88807dfa5f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807dfa5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807dfa6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807dfa6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807dfa6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================