KASAN: slab-use-after-free Write in binder_add_device ================================================================== BUG: KASAN: slab-use-after-free in hlist_add_head include/linux/list.h:1026 [inline] BUG: KASAN: slab-use-after-free in binder_add_device+0x64/0xac drivers/android/binder.c:6932 Write of size 8 at addr ffff0000cd70f008 by task syz-executor/6064 CPU: 1 UID: 0 PID: 6064 Comm: syz-executor Not tainted 6.14.0-rc5-syzkaller-g48a5eed9ad58 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0x178/0x530 mm/kasan/report.c:521 kasan_report+0xd8/0x138 mm/kasan/report.c:634 __asan_report_store8_noabort+0x20/0x2c mm/kasan/report_generic.c:386 hlist_add_head include/linux/list.h:1026 [inline] binder_add_device+0x64/0xac drivers/android/binder.c:6932 binderfs_binder_device_create+0x7fc/0x9fc drivers/android/binderfs.c:210 binderfs_fill_super+0x7f4/0xc8c drivers/android/binderfs.c:729 vfs_get_super fs/super.c:1280 [inline] get_tree_nodev+0xb4/0x144 fs/super.c:1299 binderfs_fs_context_get_tree+0x28/0x38 drivers/android/binderfs.c:749 vfs_get_tree+0x90/0x28c fs/super.c:1814 do_new_mount+0x278/0x900 fs/namespace.c:3560 path_mount+0x590/0xe04 fs/namespace.c:3887 do_mount fs/namespace.c:3900 [inline] __do_sys_mount fs/namespace.c:4111 [inline] __se_sys_mount fs/namespace.c:4088 [inline] __arm64_sys_mount+0x4f4/0x5d0 fs/namespace.c:4088 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 Allocated by task 6057: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x2cc/0x428 mm/slub.c:4325 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] binderfs_binder_device_create+0x18c/0x9fc drivers/android/binderfs.c:147 binderfs_fill_super+0x7f4/0xc8c drivers/android/binderfs.c:729 vfs_get_super fs/super.c:1280 [inline] get_tree_nodev+0xb4/0x144 fs/super.c:1299 binderfs_fs_context_get_tree+0x28/0x38 drivers/android/binderfs.c:749 vfs_get_tree+0x90/0x28c fs/super.c:1814 do_new_mount+0x278/0x900 fs/namespace.c:3560 path_mount+0x590/0xe04 fs/namespace.c:3887 do_mount fs/namespace.c:3900 [inline] __do_sys_mount fs/namespace.c:4111 [inline] __se_sys_mount fs/namespace.c:4088 [inline] __arm64_sys_mount+0x4f4/0x5d0 fs/namespace.c:4088 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 Freed by task 6057: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_free_info+0x54/0x6c mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x64/0x8c mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2353 [inline] slab_free mm/slub.c:4609 [inline] kfree+0x180/0x478 mm/slub.c:4757 binderfs_evict_inode+0x160/0x220 drivers/android/binderfs.c:278 evict+0x444/0x978 fs/inode.c:796 iput_final fs/inode.c:1946 [inline] iput+0x740/0x8e8 fs/inode.c:1972 dentry_unlink_inode+0x3a0/0x4e0 fs/dcache.c:440 __dentry_kill+0x178/0x5e8 fs/dcache.c:643 shrink_kill+0xd4/0x2cc fs/dcache.c:1088 shrink_dentry_list+0x31c/0x768 fs/dcache.c:1115 shrink_dcache_parent+0xc4/0x374 do_one_tree+0x30/0xfc fs/dcache.c:1578 shrink_dcache_for_umount+0xd8/0x188 fs/dcache.c:1595 generic_shutdown_super+0x68/0x2bc fs/super.c:620 kill_anon_super fs/super.c:1237 [inline] kill_litter_super+0x74/0xb8 fs/super.c:1247 binderfs_kill_super+0x44/0x9c drivers/android/binderfs.c:791 deactivate_locked_super+0xc4/0x12c fs/super.c:473 deactivate_super+0xe0/0x100 fs/super.c:506 cleanup_mnt+0x34c/0x3dc fs/namespace.c:1413 __cleanup_mnt+0x20/0x30 fs/namespace.c:1420 task_work_run+0x230/0x2e0 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0x4e8/0x1acc kernel/exit.c:938 do_group_exit+0x194/0x22c kernel/exit.c:1087 get_signal+0x13e4/0x1500 kernel/signal.c:3036 do_signal+0x22c/0x3a04 arch/arm64/kernel/signal.c:1658 do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline] exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline] el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:745 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 The buggy address belongs to the object at ffff0000cd70f000 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 8 bytes inside of freed 512-byte region [ffff0000cd70f000, ffff0000cd70f200) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10d70c head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff) page_type: f5(slab) raw: 05ffc00000000040 ffff0000c0001c80 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 head: 05ffc00000000040 ffff0000c0001c80 dead000000000100 dead000000000122 head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 head: 05ffc00000000002 fffffdffc335c301 ffffffffffffffff 0000000000000000 head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000cd70ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff0000cd70ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff0000cd70f000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff0000cd70f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff0000cd70f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Warning: Permanently added '10.128.1.183' (ED25519) to the list of known hosts. 1970/01/01 00:00:37 ignoring optional flag "sandboxArg"="0" 1970/01/01 00:00:38 parsed 1 programs [ 41.278527][ T6050] cgroup: Unknown subsys name 'net' [ 41.581943][ T6050] cgroup: Unknown subsys name 'cpuset' [ 41.585327][ T6050] cgroup: Unknown subsys name 'rlimit' [ 41.586767][ T6050] cgroup: Unknown subsys name 'memory' [ 41.815565][ T6050] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SS [ 54.189838][ T6064] ================================================================== [ 54.191861][ T6064] BUG: KASAN: slab-use-after-free in binder_add_device+0x64/0xac [ 54.193554][ T6064] Write of size 8 at addr ffff0000cd70f008 by task syz-executor/6064 [ 54.195233][ T6064] [ 54.195742][ T6064] CPU: 1 UID: 0 PID: 6064 Comm: syz-executor Not tainted 6.14.0-rc5-syzkaller-g48a5eed9ad58 #0 [ 54.195757][ T6064] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 [ 54.195764][ T6064] Call trace: [ 54.195768][ T6064] show_stack+0x2c/0x3c (C) [ 54.195786][ T6064] dump_stack_lvl+0xe4/0x150 [ 54.195800][ T6064] print_report+0x178/0x530 [ 54.195812][ T6064] kasan_report+0xd8/0x138 [ 54.195823][ T6064] __asan_report_store8_noabort+0x20/0x2c [ 54.195836][ T6064] binder_add_device+0x64/0xac [ 54.195850][ T6064] binderfs_binder_device_create+0x7fc/0x9fc [ 54.195864][ T6064] binderfs_fill_super+0x7f4/0xc8c [ 54.195877][ T6064] get_tree_nodev+0xb4/0x144 [ 54.195889][ T6064] binderfs_fs_context_get_tree+0x28/0x38 [ 54.195902][ T6064] vfs_get_tree+0x90/0x28c [ 54.195913][ T6064] do_new_mount+0x278/0x900 [ 54.195925][ T6064] path_mount+0x590/0xe04 [ 54.195936][ T6064] __arm64_sys_mount+0x4f4/0x5d0 [ 54.195948][ T6064] invoke_syscall+0x98/0x2b8 [ 54.195960][ T6064] el0_svc_common+0x130/0x23c [ 54.195972][ T6064] do_el0_svc+0x48/0x58 [ 54.195983][ T6064] el0_svc+0x54/0x168 [ 54.195997][ T6064] el0t_64_sync_handler+0x84/0x108 [ 54.196011][ T6064] el0t_64_sync+0x198/0x19c [ 54.196022][ T6064] [ 54.222237][ T6064] Allocated by task 6057: [ 54.223199][ T6064] kasan_save_track+0x40/0x78 [ 54.224252][ T6064] kasan_save_alloc_info+0x40/0x50 [ 54.225378][ T6064] __kasan_kmalloc+0xac/0xc4 [ 54.226409][ T6064] __kmalloc_cache_noprof+0x2cc/0x428 [ 54.227612][ T6064] binderfs_binder_device_create+0x18c/0x9fc [ 54.228929][ T6064] binderfs_fill_super+0x7f4/0xc8c [ 54.230076][ T6064] get_tree_nodev+0xb4/0x144 [ 54.231112][ T6064] binderfs_fs_context_get_tree+0x28/0x38 [ 54.232452][ T6064] vfs_get_tree+0x90/0x28c [ 54.233460][ T6064] do_new_mount+0x278/0x900 [ 54.234517][ T6064] path_mount+0x590/0xe04 [ 54.235492][ T6064] __arm64_sys_mount+0x4f4/0x5d0 [ 54.236676][ T6064] invoke_syscall+0x98/0x2b8 [ 54.237788][ T6064] el0_svc_common+0x130/0x23c [ 54.238833][ T6064] do_el0_svc+0x48/0x58 [ 54.239796][ T6064] el0_svc+0x54/0x168 [ 54.240745][ T6064] el0t_64_sync_handler+0x84/0x108 [ 54.241953][ T6064] el0t_64_sync+0x198/0x19c [ 54.242997][ T6064] [ 54.243555][ T6064] Freed by task 6057: [ 54.244498][ T6064] kasan_save_track+0x40/0x78 [ 54.245582][ T6064] kasan_save_free_info+0x54/0x6c [ 54.246750][ T6064] __kasan_slab_free+0x64/0x8c [ 54.247990][ T6064] kfree+0x180/0x478 [ 54.248996][ T6064] binderfs_evict_inode+0x160/0x220 [ 54.250271][ T6064] evict+0x444/0x978 [ 54.251428][ T6064] iput+0x740/0x8e8 [ 54.252404][ T6064] dentry_unlink_inode+0x3a0/0x4e0 [ 54.253702][ T6064] __dentry_kill+0x178/0x5e8 [ 54.254800][ T6064] shrink_kill+0xd4/0x2cc [ 54.255783][ T6064] shrink_dentry_list+0x31c/0x768 [ 54.256870][ T6064] shrink_dcache_parent+0xc4/0x374 [ 54.258019][ T6064] do_one_tree+0x30/0xfc [ 54.258962][ T6064] shrink_dcache_for_umount+0xd8/0x188 [ 54.260050][ T6064] generic_shutdown_super+0x68/0x2bc [ 54.261131][ T6064] kill_litter_super+0x74/0xb8 [ 54.262112][ T6064] binderfs_kill_super+0x44/0x9c [ 54.263111][ T6064] deactivate_locked_super+0xc4/0x12c [ 54.264210][ T6064] deactivate_super+0xe0/0x100 [ 54.265266][ T6064] cleanup_mnt+0x34c/0x3dc [ 54.266380][ T6064] __cleanup_mnt+0x20/0x30 [ 54.267310][ T6064] task_work_run+0x230/0x2e0 [ 54.268304][ T6064] do_exit+0x4e8/0x1acc [ 54.269195][ T6064] do_group_exit+0x194/0x22c [ 54.270229][ T6064] get_signal+0x13e4/0x1500 [ 54.271166][ T6064] do_signal+0x22c/0x3a04 [ 54.272223][ T6064] do_notify_resume+0x74/0x1f4 [ 54.273254][ T6064] el0_svc+0xac/0x168 [ 54.274077][ T6064] el0t_64_sync_handler+0x84/0x108 [ 54.275168][ T6064] el0t_64_sync+0x198/0x19c [ 54.276103][ T6064] [ 54.276601][ T6064] The buggy address belongs to the object at ffff0000cd70f000 [ 54.276601][ T6064] which belongs to the cache kmalloc-512 of size 512 [ 54.279806][ T6064] The buggy address is located 8 bytes inside of [ 54.279806][ T6064] freed 512-byte region [ffff0000cd70f000, ffff0000cd70f200) [ 54.282689][ T6064] [ 54.283196][ T6064] The buggy address belongs to the physical page: [ 54.284569][ T6064] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10d70c [ 54.286512][ T6064] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 54.288328][ T6064] flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff) [ 54.289952][ T6064] page_type: f5(slab) [ 54.290792][ T6064] raw: 05ffc00000000040 ffff0000c0001c80 dead000000000100 dead000000000122 [ 54.292662][ T6064] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 54.294617][ T6064] head: 05ffc00000000040 ffff0000c0001c80 dead000000000100 dead000000000122 [ 54.296615][ T6064] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 54.298481][ T6064] head: 05ffc00000000002 fffffdffc335c301 ffffffffffffffff 0000000000000000 [ 54.300359][ T6064] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000 [ 54.302218][ T6064] page dumped because: kasan: bad access detected [ 54.303630][ T6064] [ 54.304158][ T6064] Memory state around the buggy address: [ 54.305395][ T6064] ffff0000cd70ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 54.307146][ T6064] ffff0000cd70ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 54.308963][ T6064] >ffff0000cd70f000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 54.310934][ T6064] ^ [ 54.312091][ T6064] ffff0000cd70f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 54.314317][ T6064] ffff0000cd70f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 54.316412][ T6064] ================================================================== [ 54.318393][ T6064] Disabling lock debugging due to kernel taint [ 54.407925][ T6069] ================================================================== [ 54.409955][ T6069] BUG: KFENCE: use-after-free write in binder_add_device+0x64/0xac [ 54.409955][ T6069] [ 54.412156][ T6069] Use-after-free write at 0x00000000df735cac (in kfence-#160): [ 54.413728][ T6069] binder_add_device+0x64/0xac [ 54.414780][ T6069] binderfs_binder_device_create+0x7fc/0x9fc [ 54.416043][ T6069] binderfs_fill_super+0x7f4/0xc8c [ 54.417132][ T6069] get_tree_nodev+0xb4/0x144 [ 54.418136][ T6069] binderfs_fs_context_get_tree+0x28/0x38 [ 54.419348][ T6069] vfs_get_tree+0x90/0x28c [ 54.420261][ T6069] do_new_mount+0x278/0x900 [ 54.421250][ T6069] path_mount+0x590/0xe04 [ 54.422174][ T6069] __arm64_sys_mount+0x4f4/0x5d0 [ 54.423278][ T6069] invoke_syscall+0x98/0x2b8 [ 54.424308][ T6069] el0_svc_common+0x130/0x23c [ 54.425279][ T6069] do_el0_svc+0x48/0x58 [ 54.426140][ T6069] el0_svc+0x54/0x168 [ 54.426959][ T6069] el0t_64_sync_handler+0x84/0x108 [ 54.428002][ T6069] el0t_64_sync+0x198/0x19c [ 54.428902][ T6069] [ 54.429380][ T6069] kfence-#160: 0x00000000c2f65cc9-0x00000000e9d2b478, size=280, cache=kmalloc-512 [ 54.429380][ T6069] [ 54.431853][ T6069] allocated by task 6064 on cpu 1 at 54.319964s (0.111888s ago): [ 54.433517][ T6069] binderfs_binder_device_create+0x18c/0x9fc [ 54.434730][ T6069] binderfs_fill_super+0x7f4/0xc8c [ 54.435784][ T6069] get_tree_nodev+0xb4/0x144 [ 54.436705][ T6069] binderfs_fs_context_get_tree+0x28/0x38 [ 54.437976][ T6069] vfs_get_tree+0x90/0x28c [ 54.438885][ T6069] do_new_mount+0x278/0x900 [ 54.439794][ T6069] path_mount+0x590/0xe04 [ 54.440726][ T6069] __arm64_sys_mount+0x4f4/0x5d0 [ 54.441836][ T6069] invoke_syscall+0x98/0x2b8 [ 54.442813][ T6069] el0_svc_common+0x130/0x23c [ 54.443825][ T6069] do_el0_svc+0x48/0x58 [ 54.444801][ T6069] el0_svc+0x54/0x168 [ 54.445678][ T6069] el0t_64_sync_handler+0x84/0x108 [ 54.446788][ T6069] el0t_64_sync+0x198/0x19c [ 54.447769][ T6069] [ 54.448240][ T6069] freed by task 6064 on cpu 1 at 54.386746s (0.061493s ago): [ 54.449905][ T6069] binderfs_evict_inode+0x160/0x220 [ 54.450989][ T6069] evict+0x444/0x978 [ 54.451927][ T6069] iput+0x740/0x8e8 [ 54.452784][ T6069] dentry_unlink_inode+0x3a0/0x4e0 [ 54.453912][ T6069] __dentry_kill+0x178/0x5e8 [ 54.455008][ T6069] shrink_kill+0xd4/0x2cc [ 54.456106][ T6069] shrink_dentry_list+0x31c/0x768 [ 54.457263][ T6069] shrink_dcache_parent+0xc4/0x374 [ 54.458537][ T6069] do_one_tree+0x30/0xfc [ 54.459453][ T6069] shrink_dcache_for_umount+0xd8/0x188 [ 54.460617][ T6069] generic_shutdown_super+0x68/0x2bc [ 54.461746][ T6069] kill_litter_super+0x74/0xb8 [ 54.462750][ T6069] binderfs_kill_super+0x44/0x9c [ 54.463834][ T6069] deactivate_locked_super+0xc4/0x12c [ 54.464975][ T6069] deactivate_super+0xe0/0x100 [ 54.466020][ T6069] cleanup_mnt+0x34c/0x3dc [ 54.467008][ T6069] __cleanup_mnt+0x20/0x30 [ 54.468063][ T6069] task_work_run+0x230/0x2e0 [ 54.469084][ T6069] do_exit+0x4e8/0x1acc [ 54.469979][ T6069] do_group_exit+0x194/0x22c [ 54.470965][ T6069] get_signal+0x13e4/0x1500 [ 54.471938][ T6069] do_signal+0x22c/0x3a04 [ 54.472872][ T6069] do_notify_resume+0x74/0x1f4 [ 54.473950][ T6069] el0_svc+0xac/0x168 [ 54.474884][ T6069] el0t_64_sync_handler+0x84/0x108 [ 54.476038][ T6069] el0t_64_sync+0x198/0x19c [ 54.477053][ T6069] [ 54.477561][ T6069] CPU: 1 UID: 0 PID: 6069 Comm: syz-executor Tainted: G B 6.14.0-rc5-syzkaller-g48a5eed9ad58 #0 [ 54.480110][ T6069] Tainted: [B]=BAD_PAGE [ 54.481154][ T6069] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 [ 54.483334][ T6069] ================================================================== [ 54.519957][ T6076] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 54.522004][ T6076] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 54.524167][ T6076] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 54.526148][ T6076] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 54.528169][ T6076] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3 [ 54.530216][ T6076] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 55.274151][ T6104] chnl_net:caif_netlink_parms(): no params data found [ 55.292034][ T6104] bridge0: port 1(bridge_slave_0) entered blocking state [ 55.294010][ T6104] bridge0: port 1(bridge_slave_0) entered disabled state [ 55.295776][ T6104] bridge_slave_0: entered allmulticast mode [ 55.297645][ T6104] bridge_slave_0: entered promiscuous mode [ 55.300109][ T6104] bridge0: port 2(bridge_slave_1) entered blocking state [ 55.301983][ T6104] bridge0: port 2(bridge_slave_1) entered disabled state [ 55.303899][ T6104] bridge_slave_1: entered allmulticast mode [ 55.305805][ T6104] bridge_slave_1: entered promiscuous mode [ 55.316524][ T6104] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 55.320924][ T6104] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 55.330934][ T6104] team0: Port device team_slave_0 added [ 55.333102][ T6104] team0: Port device team_slave_1 added [ 55.340583][ T6104] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 55.342497][ T6104] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 55.348985][ T6104] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 55.352400][ T6104] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 55.354149][ T6104] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 55.360655][ T6104] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 55.371685][ T6104] hsr_slave_0: entered promiscuous mode [ 55.373512][ T6104] hsr_slave_1: entered promiscuous mode [ 55.473412][ T6104] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 55.476441][ T6104] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 55.479273][ T6104] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 55.482327][ T6104] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 55.492196][ T6104] bridge0: port 2(bridge_slave_1) entered blocking state [ 55.494009][ T6104] bridge0: port 2(bridge_slave_1) entered forwarding state [ 55.495938][ T6104] bridge0: port 1(bridge_slave_0) entered blocking state [ 55.497667][ T6104] bridge0: port 1(bridge_slave_0) entered forwarding state [ 55.513774][ T6104] 8021q: adding VLAN 0 to HW filter on device bond0 [ 55.518650][ T228] bridge0: port 1(bridge_slave_0) entered disabled state [ 55.521249][ T228] bridge0: port 2(bridge_slave_1) entered disabled state [ 55.526250][ T6104] 8021q: adding VLAN 0 to HW filter on device team0 [ 55.541680][ T38] bridge0: port 1(bridge_slave_0) entered blocking state [ 55.543538][ T38] bridge0: port 1(bridge_slave_0) entered forwarding state [ 55.552214][ T228] bridge0: port 2(bridge_slave_1) entered blocking state [ 55.554194][ T228] bridge0: port 2(bridge_slave_1) entered forwarding state [ 55.600199][ T6104] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 55.612920][ T6104] veth0_vlan: entered promiscuous mode [ 55.616383][ T6104] veth1_vlan: entered promiscuous mode [ 55.624222][ T6104] veth0_macvtap: entered promiscuous mode [ 55.626819][ T6104] veth1_macvtap: entered promiscuous mode [ 55.635627][ T6104] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 55.639943][ T6104] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 55.644955][ T6104] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 55.647593][ T6104] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 55.650622][ T6104] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 55.652868][ T6104] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 56.090419][ T228] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 56.140625][ T228] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 56.230408][ T228] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 56.332515][ T228] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 56.387672][ T11] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 56.391260][ T11] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 56.396862][ T11] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 56.398794][ T11] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 1970/01/01 00:00:56 executed programs: 0 [ 56.604931][ T53] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 56.607078][ T53] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 56.608958][ T53] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 56.612059][ T53] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 56.614130][ T53] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3 [ 56.616034][ T53] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 56.666302][ T6144] chnl_net:caif_netlink_parms(): no params data found [ 56.683179][ T6144] bridge0: port 1(bridge_slave_0) entered blocking state [ 56.684947][ T6144] bridge0: port 1(bridge_slave_0) entered disabled state [ 56.686762][ T6144] bridge_slave_0: entered allmulticast mode [ 56.688604][ T6144] bridge_slave_0: entered promiscuous mode [ 56.691273][ T6144] bridge0: port 2(bridge_slave_1) entered blocking state [ 56.692998][ T6144] bridge0: port 2(bridge_slave_1) entered disabled state [ 56.694798][ T6144] bridge_slave_1: entered allmulticast mode [ 56.696548][ T6144] bridge_slave_1: entered promiscuous mode [ 56.704484][ T6144] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 56.707798][ T6144] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 56.716472][ T6144] team0: Port device team_slave_0 added [ 56.718758][ T6144] team0: Port device team_slave_1 added [ 56.727434][ T6144] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 56.729226][ T6144] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 56.736852][ T6144] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 56.740900][ T6144] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 56.742560][ T6144] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 56.748944][ T6144] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 56.759892][ T6144] hsr_slave_0: entered promiscuous mode [ 56.761683][ T6144] hsr_slave_1: entered promiscuous mode [ 56.763241][ T6144] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 56.765067][ T6144] Cannot create hsr debugfs directory [ 58.639661][ T53] Bluetooth: hci0: command tx timeout [ 59.413430][ T228] bridge_slave_1: left allmulticast mode [ 59.414891][ T228] bridge_slave_1: left promiscuous mode [ 59.416343][ T228] bridge0: port 2(bridge_slave_1) entered disabled state [ 59.421538][ T228] bridge_slave_0: left allmulticast mode [ 59.423075][ T228] bridge_slave_0: left promiscuous mode [ 59.424642][ T228] bridge0: port 1(bridge_slave_0) entered disabled state [ 60.719782][ T53] Bluetooth: hci0: command tx timeout [ 61.080940][ T228] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 61.130812][ T228] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 61.180479][ T228] bond0 (unregistering): Released all slaves [ 61.256138][ T228] hsr_slave_0: left promiscuous mode [ 61.257982][ T228] hsr_slave_1: left promiscuous mode [ 61.259829][ T228] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 61.261632][ T228] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 61.263860][ T228] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 61.265649][ T228] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 61.269069][ T228] veth1_macvtap: left promiscuous mode [ 61.271655][ T228] veth0_macvtap: left promiscuous mode [ 61.273106][ T228] veth1_vlan: left promiscuous mode [ 61.274393][ T228] veth0_vlan: left promiscuous mode [ 62.799646][ T53] Bluetooth: hci0: command tx timeout [ 62.990247][ T228] team0 (unregistering): Port device team_slave_1 removed [ 63.220337][ T228] team0 (unregistering): Port device team_slave_0 removed syzkaller build log: go env (err=) GO111MODULE='auto' GOARCH='amd64' GOBIN='' GOCACHE='/syzkaller/.cache/go-build' GOENV='/syzkaller/.config/go/env' GOEXE='' GOEXPERIMENT='' GOFLAGS='' GOHOSTARCH='amd64' GOHOSTOS='linux' GOINSECURE='' GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod' GONOPROXY='' GONOSUMDB='' GOOS='linux' GOPATH='/syzkaller/jobs-2/linux/gopath' GOPRIVATE='' GOPROXY='https://proxy.golang.org,direct' GOROOT='/syzkaller/jobs-2/linux/gopath/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.6.linux-amd64' GOSUMDB='sum.golang.org' GOTMPDIR='' GOTOOLCHAIN='auto' GOTOOLDIR='/syzkaller/jobs-2/linux/gopath/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.6.linux-amd64/pkg/tool/linux_amd64' GOVCS='' GOVERSION='go1.23.6' GODEBUG='' GOTELEMETRY='local' GOTELEMETRYDIR='/syzkaller/.config/go/telemetry' GCCGO='gccgo' GOAMD64='v1' AR='ar' CC='gcc' CXX='g++' CGO_ENABLED='1' GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod' GOWORK='' CGO_CFLAGS='-O2 -g' CGO_CPPFLAGS='' CGO_CXXFLAGS='-O2 -g' CGO_FFLAGS='-O2 -g' CGO_LDFLAGS='-O2 -g' PKG_CONFIG='pkg-config' GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build4209286580=/tmp/go-build -gno-record-gcc-switches' git status (err=) HEAD detached at c3901742785 nothing to commit, working tree clean tput: No value for $TERM and no -T specified tput: No value for $TERM and no -T specified Makefile:31: run command via tools/syz-env for best compatibility, see: Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen make .descriptions tput: No value for $TERM and no -T specified tput: No value for $TERM and no -T specified Makefile:31: run command via tools/syz-env for best compatibility, see: Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env bin/syz-sysgen touch .descriptions GOOS=linux GOARCH=arm64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c3901742785ff25afdc6f470af7b25b69d7c4f2f -X 'github.com/google/syzkaller/prog.gitRevisionDate=20250301-144328'" -o ./bin/linux_arm64/syz-execprog github.com/google/syzkaller/tools/syz-execprog mkdir -p ./bin/linux_arm64 aarch64-linux-gnu-g++ -o ./bin/linux_arm64/syz-executor executor/executor.cc \ -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_arm64=1 \ -DHOSTGOOS_linux=1 -DGIT_REVISION=\"c3901742785ff25afdc6f470af7b25b69d7c4f2f\" /usr/lib/gcc-cross/aarch64-linux-gnu/12/../../../../aarch64-linux-gnu/bin/ld: /tmp/ccaHnC3s.o: in function `Connection::Connect(char const*, char const*)': executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0xd8): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking