Warning: Permanently added '10.128.10.40' (ED25519) to the list of known hosts.
2025/07/16 17:38:35 ignoring optional flag "sandboxArg"="0"
2025/07/16 17:38:36 parsed 1 programs
[ 114.677800][ T3471] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 119.442459][ T3528] netdevsim netdevsim1 netdevsim0: renamed from eth0
[ 119.453261][ T3528] netdevsim netdevsim1 netdevsim1: renamed from eth1
[ 119.463520][ T3528] netdevsim netdevsim1 netdevsim2: renamed from eth2
[ 119.475830][ T3528] netdevsim netdevsim1 netdevsim3: renamed from eth3
[ 126.186975][ T1450] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 126.195339][ T1450] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 126.213585][ T1450] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 126.222361][ T1450] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
2025/07/16 17:38:51 executed programs: 0
[ 131.793739][ T4007] netdevsim netdevsim2 netdevsim0: renamed from eth0
[ 131.804473][ T4007] netdevsim netdevsim2 netdevsim1: renamed from eth1
[ 131.818689][ T4007] netdevsim netdevsim2 netdevsim2: renamed from eth2
[ 131.830053][ T4007] netdevsim netdevsim2 netdevsim3: renamed from eth3
[ 141.198131][ T1450] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 141.206409][ T1450] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 141.233380][ T1174] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 141.241740][ T1174] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
2025/07/16 17:39:04 executed programs: 2
[ 142.328019][ T4876] ==================================================================
[ 142.338937][ T4876] BUG: KASAN: slab-use-after-free in mas_next_slot+0x18b/0xb00
[ 142.346912][ T4876] Read of size 8 at addr ffff888104b28a00 by task syz.2.46/4876
[ 142.355207][ T4876]
[ 142.357577][ T4876] CPU: 0 UID: 0 PID: 4876 Comm: syz.2.46 Not tainted 6.16.0-rc5-syzkaller #0 PREEMPT(none)
[ 142.357597][ T4876] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 142.357613][ T4876] Call Trace:
[ 142.357624][ T4876]
[ 142.357631][ T4876] dump_stack_lvl+0x18a/0x250
[ 142.357654][ T4876] ? __pfx_dump_stack_lvl+0x10/0x10
[ 142.357672][ T4876] ? rcu_is_watching+0x1f/0xa0
[ 142.357689][ T4876] ? lock_release+0x42/0x2f0
[ 142.357707][ T4876] ? lock_acquire+0x69/0x210
[ 142.357726][ T4876] ? __virt_addr_valid+0x1a8/0x400
[ 142.357743][ T4876] ? __virt_addr_valid+0x301/0x400
[ 142.357762][ T4876] print_report+0xca/0x230
[ 142.357779][ T4876] ? mas_next_slot+0x18b/0xb00
[ 142.357798][ T4876] kasan_report+0x118/0x150
[ 142.357814][ T4876] ? mas_next_slot+0x18b/0xb00
[ 142.357834][ T4876] mas_next_slot+0x18b/0xb00
[ 142.357857][ T4876] mas_find+0x9cc/0xc00
[ 142.357878][ T4876] __se_sys_mremap+0xb09/0xd70
[ 142.357905][ T4876] ? __pfx___se_sys_mremap+0x10/0x10
[ 142.357950][ T4876] ? switch_fpu_return+0x12c/0x1c0
[ 142.357969][ T4876] ? __x64_sys_mremap+0x20/0xc0
[ 142.357998][ T4876] do_syscall_64+0x8f/0x250
[ 142.358024][ T4876] ? fpregs_assert_state_consistent+0x66/0x90
[ 142.358049][ T4876] ? clear_bhb_loop+0x60/0xb0
[ 142.358066][ T4876] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 142.358082][ T4876] RIP: 0033:0x7f2fbc2fe929
[ 142.358102][ T4876] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 142.358115][ T4876] RSP: 002b:00007f2fbbd6f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000019
[ 142.358146][ T4876] RAX: ffffffffffffffda RBX: 00007f2fbc525fa0 RCX: 00007f2fbc2fe929
[ 142.358156][ T4876] RDX: 0000000000600002 RSI: 0000000000600002 RDI: 0000200000000000
[ 142.358166][ T4876] RBP: 00007f2fbc380b39 R08: 0000200000a00000 R09: 0000000000000000
[ 142.358176][ T4876] R10: 0000000000000007 R11: 0000000000000246 R12: 0000000000000000
[ 142.358186][ T4876] R13: 0000000000000000 R14: 00007f2fbc525fa0 R15: 00007ffd237a5788
[ 142.358200][ T4876]
[ 142.358205][ T4876]
[ 142.597723][ T4876] Allocated by task 4876:
[ 142.603535][ T4876] kasan_save_track+0x3e/0x80
[ 142.610753][ T4876] __kasan_slab_alloc+0x6c/0x80
[ 142.616787][ T4876] kmem_cache_alloc_bulk_noprof+0x40d/0x640
[ 142.625089][ T4876] mas_alloc_nodes+0x3ed/0x870
[ 142.631489][ T4876] mas_preallocate+0x809/0xd30
[ 142.639136][ T4876] __split_vma+0x290/0xa20
[ 142.645555][ T4876] vms_gather_munmap_vmas+0x2de/0x1030
[ 142.652808][ T4876] mmap_region+0x715/0x1f70
[ 142.658440][ T4876] do_mmap+0xc30/0x10b0
[ 142.663342][ T4876] vm_mmap_pgoff+0x200/0x3e0
[ 142.668315][ T4876] do_syscall_64+0x8f/0x250
[ 142.673651][ T4876] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 142.680493][ T4876]
[ 142.682949][ T4876] Freed by task 1330:
[ 142.687476][ T4876] kasan_save_track+0x3e/0x80
[ 142.693042][ T4876] kasan_save_free_info+0x46/0x50
[ 142.699790][ T4876] __kasan_slab_free+0x62/0x70
[ 142.705231][ T4876] kmem_cache_free+0x175/0x460
[ 142.710305][ T4876] rcu_core+0xbee/0x1530
[ 142.715651][ T4876] handle_softirqs+0x19a/0x500
[ 142.721691][ T4876] do_softirq+0xde/0x170
[ 142.727429][ T4876] __local_bh_enable_ip+0x6b/0x70
[ 142.733133][ T4876] cfg80211_inform_single_bss_data+0xf62/0x18a0
[ 142.740648][ T4876] cfg80211_inform_bss_data+0x1f0/0x3690
[ 142.747029][ T4876] cfg80211_inform_bss_frame_data+0x3d5/0x680
[ 142.753784][ T4876] ieee80211_bss_info_update+0x578/0x7b0
[ 142.759550][ T4876] ieee80211_ibss_rx_queued_mgmt+0x92d/0x2710
[ 142.765735][ T4876] ieee80211_iface_work+0x7c3/0xf20
[ 142.771196][ T4876] cfg80211_wiphy_work+0x2e9/0x530
[ 142.776356][ T4876] process_scheduled_works+0xa3d/0x1530
[ 142.782382][ T4876] worker_thread+0xa03/0xeb0
[ 142.787059][ T4876] kthread+0x66a/0x760
[ 142.791413][ T4876] ret_from_fork+0x1b7/0x380
[ 142.796650][ T4876] ret_from_fork_asm+0x1a/0x30
[ 142.801469][ T4876]
[ 142.803914][ T4876] Last potentially related work creation:
[ 142.809846][ T4876] kasan_save_stack+0x3e/0x60
[ 142.814746][ T4876] kasan_record_aux_stack+0xbd/0xd0
[ 142.820221][ T4876] call_rcu+0x14a/0x790
[ 142.824391][ T4876] mas_wr_store_entry+0x19c1/0x2960
[ 142.829689][ T4876] mas_store_prealloc+0xc77/0x1330
[ 142.835023][ T4876] vma_complete+0x419/0xbc0
[ 142.839657][ T4876] __split_vma+0x8df/0xa20
[ 142.844305][ T4876] vms_gather_munmap_vmas+0x2de/0x1030
[ 142.849893][ T4876] do_vmi_align_munmap+0x246/0x390
[ 142.855083][ T4876] do_vmi_munmap+0x253/0x2e0
[ 142.859740][ T4876] do_munmap+0xe1/0x140
[ 142.863938][ T4876] mremap_to+0x304/0x7b0
[ 142.868374][ T4876] __se_sys_mremap+0xa85/0xd70
[ 142.873566][ T4876] do_syscall_64+0x8f/0x250
[ 142.878646][ T4876] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 142.885628][ T4876]
[ 142.888090][ T4876] The buggy address belongs to the object at ffff888104b28a00
[ 142.888090][ T4876] which belongs to the cache maple_node of size 256
[ 142.902376][ T4876] The buggy address is located 0 bytes inside of
[ 142.902376][ T4876] freed 256-byte region [ffff888104b28a00, ffff888104b28b00)
[ 142.918426][ T4876]
[ 142.920780][ T4876] The buggy address belongs to the physical page:
[ 142.927752][ T4876] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104b28
[ 142.938066][ T4876] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 142.948621][ T4876] flags: 0x200000000000040(head|node=0|zone=2)
[ 142.956741][ T4876] page_type: f5(slab)
[ 142.961010][ T4876] raw: 0200000000000040 ffff888100091000 ffffea00045e3580 dead000000000002
[ 142.970837][ T4876] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 142.980008][ T4876] head: 0200000000000040 ffff888100091000 ffffea00045e3580 dead000000000002
[ 142.989148][ T4876] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 142.998063][ T4876] head: 0200000000000001 ffffea000412ca01 00000000ffffffff 00000000ffffffff
[ 143.006895][ T4876] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000002
[ 143.016064][ T4876] page dumped because: kasan: bad access detected
[ 143.022619][ T4876] page_owner tracks the page as allocated
[ 143.029232][ T4876] page last allocated via order 1, migratetype Unmovable, gfp_mask 0x52800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP), pid 26, tgid 26 (kdevtmpfs), ts 7639518065, free_ts 0
[ 143.045851][ T4876] post_alloc_hook+0x168/0x1a0
[ 143.050649][ T4876] get_page_from_freelist+0x295c/0x2aa0
[ 143.056302][ T4876] __alloc_frozen_pages_noprof+0x26b/0x460
[ 143.062651][ T4876] alloc_pages_mpol+0xd1/0x330
[ 143.067720][ T4876] allocate_slab+0x8a/0x350
[ 143.072349][ T4876] ___slab_alloc+0x9dc/0x10e0
[ 143.077080][ T4876] kmem_cache_alloc_bulk_noprof+0x1c7/0x640
[ 143.083113][ T4876] mas_alloc_nodes+0x3ed/0x870
[ 143.088544][ T4876] mas_insert+0x38c/0x7c0
[ 143.092919][ T4876] mas_alloc_cyclic+0x20e/0x630
[ 143.097822][ T4876] mtree_alloc_cyclic+0x196/0x220
[ 143.102891][ T4876] simple_offset_add+0xdc/0x190
[ 143.107870][ T4876] shmem_mknod+0xfa/0x1d0
[ 143.112220][ T4876] vfs_mknod+0x37c/0x3c0
[ 143.116584][ T4876] devtmpfs_work_loop+0x98b/0xcf0
[ 143.121924][ T4876] devtmpfsd+0x4d/0x50
[ 143.126195][ T4876] page_owner free stack trace missing
[ 143.131863][ T4876]
[ 143.134202][ T4876] Memory state around the buggy address:
[ 143.140298][ T4876] ffff888104b28900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 143.148735][ T4876] ffff888104b28980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 143.157471][ T4876] >ffff888104b28a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 143.165796][ T4876] ^
[ 143.170341][ T4876] ffff888104b28a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 143.179491][ T4876] ffff888104b28b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 143.188629][ T4876] ==================================================================
[ 143.199003][ T4876] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 143.208055][ T4876] Kernel Offset: disabled
[ 143.212703][ T4876] Rebooting in 86400 seconds..