KASAN: slab-use-after-free Write in binder_add_device

==================================================================
BUG: KASAN: slab-use-after-free in hlist_add_head include/linux/list.h:1026 [inline]
BUG: KASAN: slab-use-after-free in binder_add_device+0x64/0xac drivers/android/binder.c:6932
Write of size 8 at addr ffff0000d114f408 by task syz-executor/5633

CPU: 1 UID: 0 PID: 5633 Comm: syz-executor Not tainted 6.13.0-syzkaller-09338-g05dbaf8dd8bf #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x178/0x518 mm/kasan/report.c:489
 kasan_report+0xd8/0x138 mm/kasan/report.c:602
 __asan_report_store8_noabort+0x20/0x2c mm/kasan/report_generic.c:386
 hlist_add_head include/linux/list.h:1026 [inline]
 binder_add_device+0x64/0xac drivers/android/binder.c:6932
 binderfs_binder_device_create+0x798/0x958 drivers/android/binderfs.c:210
 binderfs_fill_super+0x7ac/0xc04 drivers/android/binderfs.c:729
 vfs_get_super fs/super.c:1280 [inline]
 get_tree_nodev+0xb4/0x144 fs/super.c:1299
 binderfs_fs_context_get_tree+0x28/0x38 drivers/android/binderfs.c:749
 vfs_get_tree+0x90/0x28c fs/super.c:1814
 do_new_mount+0x278/0x900 fs/namespace.c:3560
 path_mount+0x590/0xe04 fs/namespace.c:3887
 do_mount fs/namespace.c:3900 [inline]
 __do_sys_mount fs/namespace.c:4111 [inline]
 __se_sys_mount fs/namespace.c:4088 [inline]
 __arm64_sys_mount+0x4d8/0x5ac fs/namespace.c:4088
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Allocated by task 5615:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x90/0xa8 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __kmalloc_cache_noprof+0x2c8/0x3f0 mm/slub.c:4325
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 binderfs_binder_device_create+0x18c/0x958 drivers/android/binderfs.c:147
 binderfs_fill_super+0x7ac/0xc04 drivers/android/binderfs.c:729
 vfs_get_super fs/super.c:1280 [inline]
 get_tree_nodev+0xb4/0x144 fs/super.c:1299
 binderfs_fs_context_get_tree+0x28/0x38 drivers/android/binderfs.c:749
 vfs_get_tree+0x90/0x28c fs/super.c:1814
 do_new_mount+0x278/0x900 fs/namespace.c:3560
 path_mount+0x590/0xe04 fs/namespace.c:3887
 do_mount fs/namespace.c:3900 [inline]
 __do_sys_mount fs/namespace.c:4111 [inline]
 __se_sys_mount fs/namespace.c:4088 [inline]
 __arm64_sys_mount+0x4d8/0x5ac fs/namespace.c:4088
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Freed by task 5615:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x54/0x6c mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x48/0x68 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2353 [inline]
 slab_free mm/slub.c:4609 [inline]
 kfree+0x16c/0x484 mm/slub.c:4757
 binderfs_evict_inode+0x160/0x220 drivers/android/binderfs.c:278
 evict+0x444/0x978 fs/inode.c:796
 iput_final fs/inode.c:1946 [inline]
 iput+0x740/0x8e8 fs/inode.c:1972
 dentry_unlink_inode+0x3a0/0x4e0 fs/dcache.c:422
 __dentry_kill+0x178/0x5e8 fs/dcache.c:625
 shrink_kill+0xd4/0x2cc fs/dcache.c:1070
 shrink_dentry_list+0x31c/0x768 fs/dcache.c:1097
 shrink_dcache_parent+0xc4/0x374
 do_one_tree+0x30/0xfc fs/dcache.c:1560
 shrink_dcache_for_umount+0xd8/0x188 fs/dcache.c:1577
 generic_shutdown_super+0x68/0x2bc fs/super.c:620
 kill_anon_super fs/super.c:1237 [inline]
 kill_litter_super+0x74/0xb8 fs/super.c:1247
 binderfs_kill_super+0x44/0x9c drivers/android/binderfs.c:791
 deactivate_locked_super+0xc4/0x12c fs/super.c:473
 deactivate_super+0xe0/0x100 fs/super.c:506
 cleanup_mnt+0x34c/0x3dc fs/namespace.c:1413
 __cleanup_mnt+0x20/0x30 fs/namespace.c:1420
 task_work_run+0x230/0x2e0 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x4e8/0x1acc kernel/exit.c:938
 do_group_exit+0x194/0x22c kernel/exit.c:1087
 get_signal+0x1418/0x1534 kernel/signal.c:3036
 do_signal+0x22c/0x39e4 arch/arm64/kernel/signal.c:1658
 do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
 el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:745
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

The buggy address belongs to the object at ffff0000d114f400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes inside of
 freed 512-byte region [ffff0000d114f400, ffff0000d114f600)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11114c
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000040 ffff0000c0001c80 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 05ffc00000000040 ffff0000c0001c80 dead000000000122 0000000000000000
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 05ffc00000000002 fffffdffc3445301 ffffffffffffffff 0000000000000000
head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000d114f300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000d114f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000d114f400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff0000d114f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000d114f500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

forked to background, child pid 5276
[ 13.431516][ T5277] 8021q: adding VLAN 0 to HW filter on device bond0
[ 13.434705][ T5277] eql: remember to turn off Van-Jacobson compression on your slave devices
[ 13.489682][ T29] gve 0000:00:00.0 enp0s0: Device link is up.
Starting sshd: OK syzkaller
Warning: Permanently added '10.128.10.7' (ED25519) to the list of known hosts.
1970/01/01 00:00:38 ignoring optional flag "sandboxArg"="0"
1970/01/01 00:00:39 parsed 1 programs
syzkaller login: [ 41.361195][ T5606] cgroup: Unknown subsys name 'net'
[ 41.597075][ T5606] cgroup: Unknown subsys name 'cpuset'
[ 41.600744][ T5606] cgroup: Unknown subsys name 'rlimit'
[ 41.602244][ T5606] cgroup: Unknown subsys name 'memory'
[ 41.797909][ T5606] Adding 124996k swap on ./swap-file. 
Priority:0 extents:1 across:124996k SS [ 52.915740][ T5615] chnl_net:caif_netlink_parms(): no params data found [ 52.964183][ T5615] bridge0: port 1(bridge_slave_0) entered blocking state [ 52.966426][ T5615] bridge0: port 1(bridge_slave_0) entered disabled state [ 52.968373][ T5615] bridge_slave_0: entered allmulticast mode [ 52.970362][ T5615] bridge_slave_0: entered promiscuous mode [ 52.974347][ T5615] bridge0: port 2(bridge_slave_1) entered blocking state [ 52.976314][ T5615] bridge0: port 2(bridge_slave_1) entered disabled state [ 52.978229][ T5615] bridge_slave_1: entered allmulticast mode [ 52.980202][ T5615] bridge_slave_1: entered promiscuous mode [ 52.991947][ T5615] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 52.995702][ T5615] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 53.009097][ T5615] team0: Port device team_slave_0 added [ 53.011778][ T5615] team0: Port device team_slave_1 added [ 53.021521][ T5615] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 53.023375][ T5615] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 53.030089][ T5615] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 53.034011][ T5615] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 53.035687][ T5615] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. 
[ 53.042066][ T5615] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 53.058679][ T5615] hsr_slave_0: entered promiscuous mode [ 53.060596][ T5615] hsr_slave_1: entered promiscuous mode [ 53.115766][ T5615] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 53.120994][ T5615] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 53.124171][ T5615] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 53.127483][ T5615] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 53.140929][ T5615] bridge0: port 2(bridge_slave_1) entered blocking state [ 53.142867][ T5615] bridge0: port 2(bridge_slave_1) entered forwarding state [ 53.145324][ T5615] bridge0: port 1(bridge_slave_0) entered blocking state [ 53.147171][ T5615] bridge0: port 1(bridge_slave_0) entered forwarding state [ 53.171150][ T5615] 8021q: adding VLAN 0 to HW filter on device bond0 [ 53.180916][ T29] bridge0: port 1(bridge_slave_0) entered disabled state [ 53.183807][ T29] bridge0: port 2(bridge_slave_1) entered disabled state [ 53.191934][ T5615] 8021q: adding VLAN 0 to HW filter on device team0 [ 53.199404][ T29] bridge0: port 1(bridge_slave_0) entered blocking state [ 53.201261][ T29] bridge0: port 1(bridge_slave_0) entered forwarding state [ 53.207899][ T44] bridge0: port 2(bridge_slave_1) entered blocking state [ 53.209735][ T44] bridge0: port 2(bridge_slave_1) entered forwarding state [ 53.278324][ T5615] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 53.294602][ T5615] veth0_vlan: entered promiscuous mode [ 53.300362][ T5615] veth1_vlan: entered promiscuous mode [ 53.311304][ T5615] veth0_macvtap: entered promiscuous mode [ 53.314322][ T5615] veth1_macvtap: entered promiscuous mode [ 53.321696][ T5615] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 53.328896][ T5615] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 53.332576][ T5615] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 53.335763][ 
T5615] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 53.338082][ T5615] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 53.340268][ T5615] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 53.472244][ T5635] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 53.476049][ T5635] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 53.479585][ T5635] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 53.482429][ T5635] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 53.484693][ T5635] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3 [ 53.487603][ T5635] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 53.746703][ T29] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 53.768129][ T5633] ================================================================== [ 53.770219][ T5633] BUG: KASAN: slab-use-after-free in binder_add_device+0x64/0xac [ 53.772140][ T5633] Write of size 8 at addr ffff0000d114f408 by task syz-executor/5633 [ 53.774170][ T5633] [ 53.774726][ T5633] CPU: 1 UID: 0 PID: 5633 Comm: syz-executor Not tainted 6.13.0-syzkaller-09338-g05dbaf8dd8bf #0 [ 53.774741][ T5633] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 [ 53.774751][ T5633] Call trace: [ 53.774755][ T5633] show_stack+0x2c/0x3c (C) [ 53.774771][ T5633] dump_stack_lvl+0xe4/0x150 [ 53.774785][ T5633] print_report+0x178/0x518 [ 53.774798][ T5633] kasan_report+0xd8/0x138 [ 53.774809][ T5633] __asan_report_store8_noabort+0x20/0x2c [ 53.774823][ T5633] binder_add_device+0x64/0xac [ 53.774837][ T5633] binderfs_binder_device_create+0x798/0x958 [ 53.774850][ T5633] binderfs_fill_super+0x7ac/0xc04 [ 53.774863][ T5633] get_tree_nodev+0xb4/0x144 [ 53.774874][ T5633] binderfs_fs_context_get_tree+0x28/0x38 [ 53.774888][ T5633] vfs_get_tree+0x90/0x28c [ 53.774899][ T5633] do_new_mount+0x278/0x900 [ 53.774911][ 
T5633] path_mount+0x590/0xe04 [ 53.774922][ T5633] __arm64_sys_mount+0x4d8/0x5ac [ 53.774933][ T5633] invoke_syscall+0x98/0x2b8 [ 53.774945][ T5633] el0_svc_common+0x130/0x23c [ 53.774956][ T5633] do_el0_svc+0x48/0x58 [ 53.774967][ T5633] el0_svc+0x54/0x168 [ 53.774982][ T5633] el0t_64_sync_handler+0x84/0x108 [ 53.774996][ T5633] el0t_64_sync+0x198/0x19c [ 53.775008][ T5633] [ 53.804845][ T5633] Allocated by task 5615: [ 53.805915][ T5633] kasan_save_track+0x40/0x78 [ 53.807126][ T5633] kasan_save_alloc_info+0x40/0x50 [ 53.808387][ T5633] __kasan_kmalloc+0x90/0xa8 [ 53.809565][ T5633] __kmalloc_cache_noprof+0x2c8/0x3f0 [ 53.810924][ T5633] binderfs_binder_device_create+0x18c/0x958 [ 53.812512][ T5633] binderfs_fill_super+0x7ac/0xc04 [ 53.813770][ T5633] get_tree_nodev+0xb4/0x144 [ 53.814887][ T5633] binderfs_fs_context_get_tree+0x28/0x38 [ 53.816377][ T5633] vfs_get_tree+0x90/0x28c [ 53.817463][ T5633] do_new_mount+0x278/0x900 [ 53.818646][ T5633] path_mount+0x590/0xe04 [ 53.819702][ T5633] __arm64_sys_mount+0x4d8/0x5ac [ 53.820944][ T5633] invoke_syscall+0x98/0x2b8 [ 53.822169][ T5633] el0_svc_common+0x130/0x23c [ 53.823353][ T5633] do_el0_svc+0x48/0x58 [ 53.824411][ T5633] el0_svc+0x54/0x168 [ 53.825440][ T5633] el0t_64_sync_handler+0x84/0x108 [ 53.826726][ T5633] el0t_64_sync+0x198/0x19c [ 53.827841][ T5633] [ 53.828425][ T5633] Freed by task 5615: [ 53.829479][ T5633] kasan_save_track+0x40/0x78 [ 53.830671][ T5633] kasan_save_free_info+0x54/0x6c [ 53.831856][ T5633] __kasan_slab_free+0x48/0x68 [ 53.832998][ T5633] kfree+0x16c/0x484 [ 53.833949][ T5633] binderfs_evict_inode+0x160/0x220 [ 53.835273][ T5633] evict+0x444/0x978 [ 53.836286][ T5633] iput+0x740/0x8e8 [ 53.837201][ T5633] dentry_unlink_inode+0x3a0/0x4e0 [ 53.838523][ T5633] __dentry_kill+0x178/0x5e8 [ 53.839723][ T5633] shrink_kill+0xd4/0x2cc [ 53.840859][ T5633] shrink_dentry_list+0x31c/0x768 [ 53.842232][ T5633] shrink_dcache_parent+0xc4/0x374 [ 53.843603][ T5633] do_one_tree+0x30/0xfc [ 53.844746][ 
T5633] shrink_dcache_for_umount+0xd8/0x188 [ 53.846355][ T5633] generic_shutdown_super+0x68/0x2bc [ 53.847738][ T5633] kill_litter_super+0x74/0xb8 [ 53.848941][ T5633] binderfs_kill_super+0x44/0x9c [ 53.850221][ T5633] deactivate_locked_super+0xc4/0x12c [ 53.851625][ T5633] deactivate_super+0xe0/0x100 [ 53.852871][ T5633] cleanup_mnt+0x34c/0x3dc [ 53.854085][ T5633] __cleanup_mnt+0x20/0x30 [ 53.855192][ T5633] task_work_run+0x230/0x2e0 [ 53.856431][ T5633] do_exit+0x4e8/0x1acc [ 53.857559][ T5633] do_group_exit+0x194/0x22c [ 53.858774][ T5633] get_signal+0x1418/0x1534 [ 53.860103][ T5633] do_signal+0x22c/0x39e4 [ 53.861299][ T5633] do_notify_resume+0x74/0x1f4 [ 53.862502][ T5633] el0_svc+0xac/0x168 [ 53.863498][ T5633] el0t_64_sync_handler+0x84/0x108 [ 53.864826][ T5633] el0t_64_sync+0x198/0x19c [ 53.865948][ T5633] [ 53.866539][ T5633] The buggy address belongs to the object at ffff0000d114f400 [ 53.866539][ T5633] which belongs to the cache kmalloc-512 of size 512 [ 53.870219][ T5633] The buggy address is located 8 bytes inside of [ 53.870219][ T5633] freed 512-byte region [ffff0000d114f400, ffff0000d114f600) [ 53.873823][ T5633] [ 53.874420][ T5633] The buggy address belongs to the physical page: [ 53.876104][ T5633] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11114c [ 53.878512][ T5633] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 53.880748][ T5633] flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff) [ 53.882699][ T5633] page_type: f5(slab) [ 53.883722][ T5633] raw: 05ffc00000000040 ffff0000c0001c80 dead000000000122 0000000000000000 [ 53.885875][ T5633] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 53.888134][ T5633] head: 05ffc00000000040 ffff0000c0001c80 dead000000000122 0000000000000000 [ 53.890329][ T5633] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 53.892538][ T5633] head: 05ffc00000000002 fffffdffc3445301 ffffffffffffffff 
0000000000000000 [ 53.894842][ T5633] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000 [ 53.897093][ T5633] page dumped because: kasan: bad access detected [ 53.898725][ T5633] [ 53.899300][ T5633] Memory state around the buggy address: [ 53.900791][ T5633] ffff0000d114f300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 53.902915][ T5633] ffff0000d114f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 53.904952][ T5633] >ffff0000d114f400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 53.906956][ T5633] ^ [ 53.908101][ T5633] ffff0000d114f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 53.910210][ T5633] ffff0000d114f500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 53.912318][ T5633] ================================================================== [ 53.920872][ T5633] Disabling lock debugging due to kernel taint [ 53.965520][ T29] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 54.027418][ T29] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 54.076036][ T29] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 54.713206][ T44] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 54.715346][ T44] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 54.724608][ T44] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 54.727636][ T44] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 1970/01/01 00:00:55 executed programs: 0 [ 55.067696][ T5179] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 55.069850][ T5179] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 55.071863][ T5179] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 55.074097][ T5179] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 55.076332][ T5179] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3 [ 55.078241][ T5179] Bluetooth: hci0: unexpected cc 
0x0c38 length: 249 > 2 [ 55.116624][ T5702] chnl_net:caif_netlink_parms(): no params data found [ 55.133231][ T5702] bridge0: port 1(bridge_slave_0) entered blocking state [ 55.135155][ T5702] bridge0: port 1(bridge_slave_0) entered disabled state [ 55.136975][ T5702] bridge_slave_0: entered allmulticast mode [ 55.138704][ T5702] bridge_slave_0: entered promiscuous mode [ 55.141545][ T5702] bridge0: port 2(bridge_slave_1) entered blocking state [ 55.143328][ T5702] bridge0: port 2(bridge_slave_1) entered disabled state [ 55.145262][ T5702] bridge_slave_1: entered allmulticast mode [ 55.147133][ T5702] bridge_slave_1: entered promiscuous mode [ 55.155652][ T5702] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 55.158927][ T5702] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 55.167529][ T5702] team0: Port device team_slave_0 added [ 55.169893][ T5702] team0: Port device team_slave_1 added [ 55.177105][ T5702] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 55.178859][ T5702] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 55.185783][ T5702] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 55.189398][ T5702] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 55.191272][ T5702] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. 
[ 55.198318][ T5702] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 55.210287][ T5702] hsr_slave_0: entered promiscuous mode [ 55.212081][ T5702] hsr_slave_1: entered promiscuous mode [ 55.213668][ T5702] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 55.215903][ T5702] Cannot create hsr debugfs directory [ 57.134943][ T5635] Bluetooth: hci0: command tx timeout [ 57.407915][ T29] bridge_slave_1: left allmulticast mode [ 57.409527][ T29] bridge_slave_1: left promiscuous mode [ 57.411027][ T29] bridge0: port 2(bridge_slave_1) entered disabled state [ 57.414567][ T29] bridge_slave_0: left allmulticast mode [ 57.416150][ T29] bridge_slave_0: left promiscuous mode [ 57.417659][ T29] bridge0: port 1(bridge_slave_0) entered disabled state [ 59.086107][ T29] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 59.136613][ T29] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 59.175684][ T29] bond0 (unregistering): Released all slaves [ 59.214924][ T5635] Bluetooth: hci0: command tx timeout [ 59.247441][ T29] hsr_slave_0: left promiscuous mode [ 59.249135][ T29] hsr_slave_1: left promiscuous mode [ 59.250748][ T29] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 59.252635][ T29] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 59.256736][ T29] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 59.258574][ T29] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 59.262176][ T29] veth1_macvtap: left promiscuous mode [ 59.263609][ T29] veth0_macvtap: left promiscuous mode [ 59.265089][ T29] veth1_vlan: left promiscuous mode [ 59.266466][ T29] veth0_vlan: left promiscuous mode [ 61.035505][ T29] team0 (unregistering): Port device team_slave_1 removed [ 61.216103][ T29] team0 (unregistering): Port device team_slave_0 removed [ 61.294898][ T5635] Bluetooth: hci0: command tx timeout [ 63.376299][ T5635] Bluetooth: hci0: command tx 
timeout [ 63.687377][ T5702] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 63.690169][ T5702] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 63.693258][ T5702] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 63.698266][ T5702] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 63.753304][ T5702] 8021q: adding VLAN 0 to HW filter on device bond0 [ 63.759338][ T5702] 8021q: adding VLAN 0 to HW filter on device team0 [ 63.762719][ T1286] bridge0: port 1(bridge_slave_0) entered blocking state [ 63.764481][ T1286] bridge0: port 1(bridge_slave_0) entered forwarding state [ 63.768222][ T1286] bridge0: port 2(bridge_slave_1) entered blocking state [ 63.770030][ T1286] bridge0: port 2(bridge_slave_1) entered forwarding state syzkaller build log: go env (err=) GO111MODULE='auto' GOARCH='amd64' GOBIN='' GOCACHE='/syzkaller/.cache/go-build' GOENV='/syzkaller/.config/go/env' GOEXE='' GOEXPERIMENT='' GOFLAGS='' GOHOSTARCH='amd64' GOHOSTOS='linux' GOINSECURE='' GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod' GONOPROXY='' GONOSUMDB='' GOOS='linux' GOPATH='/syzkaller/jobs-2/linux/gopath' GOPRIVATE='' GOPROXY='https://proxy.golang.org,direct' GOROOT='/usr/local/go' GOSUMDB='sum.golang.org' GOTMPDIR='' GOTOOLCHAIN='auto' GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64' GOVCS='' GOVERSION='go1.22.7' GCCGO='gccgo' GOAMD64='v1' AR='ar' CC='gcc' CXX='g++' CGO_ENABLED='1' GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod' GOWORK='' CGO_CFLAGS='-O2 -g' CGO_CPPFLAGS='' CGO_CXXFLAGS='-O2 -g' CGO_FFLAGS='-O2 -g' CGO_LDFLAGS='-O2 -g' PKG_CONFIG='pkg-config' GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3998276162=/tmp/go-build -gno-record-gcc-switches' git status (err=) HEAD detached at 865ef71e58 nothing to commit, working tree clean tput: No value for $TERM and no -T specified tput: No value for $TERM and no -T specified Makefile:31: run command via tools/syz-env for best compatibility, 
see: Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen make .descriptions tput: No value for $TERM and no -T specified tput: No value for $TERM and no -T specified Makefile:31: run command via tools/syz-env for best compatibility, see: Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env bin/syz-sysgen touch .descriptions GOOS=linux GOARCH=arm64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=865ef71e5889541e7310ee9b3da3a945f354da8b -X 'github.com/google/syzkaller/prog.gitRevisionDate=20250128-130822'" -o ./bin/linux_arm64/syz-execprog github.com/google/syzkaller/tools/syz-execprog mkdir -p ./bin/linux_arm64 aarch64-linux-gnu-g++ -o ./bin/linux_arm64/syz-executor executor/executor.cc \ -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_arm64=1 \ -DHOSTGOOS_linux=1 -DGIT_REVISION=\"865ef71e5889541e7310ee9b3da3a945f354da8b\" /usr/lib/gcc-cross/aarch64-linux-gnu/12/../../../../aarch64-linux-gnu/bin/ld: /tmp/ccs2xnms.o: in function `Connection::Connect(char const*, char const*)': executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0xd8): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking