[ 437.715131][ T6968] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01)
[ 437.725104][ T6968] wlan1: send auth to 08:02:11:00:00:00 (try 1/3)
[ 437.837583][ T712] wlan1: send auth to 08:02:11:00:00:00 (try 2/3)
[ 437.957464][ T712] wlan1: send auth to 08:02:11:00:00:00 (try 3/3)
[ 438.067207][ T712] wlan1: authentication with 08:02:11:00:00:00 timed out
[ 438.204354][ T7105] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[ 438.238199][ T9] wlan1: No basic rates, using min rate instead
[ 438.245274][ T9] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01)
[ 438.254934][ T9] wlan1: send auth to 08:02:11:00:00:00 (try 1/3)
[ 438.367061][ T712] wlan1: send auth to 08:02:11:00:00:00 (try 2/3)
[ 438.477023][ T712] wlan1: send auth to 08:02:11:00:00:00 (try 3/3)
[ 438.587216][ T62] wlan1: authentication with 08:02:11:00:00:00 timed out
[ 438.732055][ T7107] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[ 438.768109][ T6896] wlan1: No basic rates, using min rate instead
[ 438.775065][ T6896] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01)
[ 438.784212][ T6896] wlan1: send auth to 08:02:11:00:00:00 (try 1/3)
[ 438.897017][ T62] wlan1: send auth to 08:02:11:00:00:00 (try 2/3)
[ 439.007083][ T62] wlan1: send auth to 08:02:11:00:00:00 (try 3/3)
[ 439.117000][ T62] wlan1: authentication with 08:02:11:00:00:00 timed out
[ 439.258061][ T7109] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[ 439.289059][ T6896] wlan1: No basic rates, using min rate instead
[ 439.296103][ T6896] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01)
[ 439.306095][ T6896] wlan1: send auth to 08:02:11:00:00:00 (try 1/3)
[ 439.417157][ T62] wlan1: send auth to 08:02:11:00:00:00 (try 2/3)
[ 439.537294][ T712] wlan1: send auth to 08:02:11:00:00:00 (try 3/3)
[ 439.646971][ T62] wlan1: authentication with 08:02:11:00:00:00 timed out
[ 439.784515][ T7111] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[ 439.817813][ T6968] wlan1: No basic rates, using min rate instead
[ 439.824784][ T6968] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01)
[ 439.834330][ T6968] wlan1: send auth to 08:02:11:00:00:00 (try 1/3)
[ 439.947621][ T62] wlan1: send auth to 08:02:11:00:00:00 (try 2/3)
[ 440.057543][ T712] wlan1: send auth to 08:02:11:00:00:00 (try 3/3)
[ 440.171527][ T62] wlan1: authentication with 08:02:11:00:00:00 timed out
[ 440.311412][ T7113] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[ 440.358567][ T9] wlan1: No basic rates, using min rate instead
[ 440.366137][ T9] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01)
[ 440.375701][ T9] wlan1: send auth to 08:02:11:00:00:00 (try 1/3)
[ 440.487012][ T62] wlan1: send auth to 08:02:11:00:00:00 (try 2/3)
[ 440.499602][ T712] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 440.554800][ T712] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 440.596968][ T62] wlan1: send auth to 08:02:11:00:00:00 (try 3/3)
[ 440.642641][ T712] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 440.702727][ T712] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 440.713294][ T62] wlan1: authentication with 08:02:11:00:00:00 timed out
[ 441.368988][ T712] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.1.44' (ED25519) to the list of known hosts.
executing program
[ 443.800511][ T712] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 443.808818][ T712] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 443.827619][ T6927] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 443.835476][ T6927] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
executing program
executing program
[ 443.858500][ T7250] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[ 443.881720][ T7251] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[ 443.897507][ T6968] wlan1: No basic rates, using min rate instead
executing program
executing program
[ 443.904935][ T6968] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01)
[ 443.914172][ T6968] wlan1: send auth to 08:02:11:00:00:00 (try 1/3)
[ 443.922081][ T7252] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[ 443.945137][ T7253] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
executing program
executing program
[ 443.968715][ T7254] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[ 443.990105][ T7255] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
executing program
executing program
[ 444.013261][ T7256] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[ 444.027407][ T712] wlan1: send auth to 08:02:11:00:00:00 (try 2/3)
[ 444.037819][ T7257] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
executing program
executing program
executing program
[ 444.061442][ T7258] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[ 444.082102][ T7259] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[ 444.105250][ T7260] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
executing program
executing program
[ 444.126628][ T7261] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[ 444.147319][ T712] wlan1: send auth to 08:02:11:00:00:00 (try 3/3)
[ 444.155077][ T7262] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
executing program
executing program
[ 444.179821][ T7263] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[ 444.200150][ T7264] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
executing program
[ 444.221461][ T7265] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[ 444.245100][ T7267] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[ 444.259071][ T712] wlan1: authentication with 08:02:11:00:00:00 timed out
[ 444.266866][ T712] ==================================================================
executing program
[ 444.274960][ T712] BUG: KASAN: slab-use-after-free in __lock_acquire+0x8e/0xc10
[ 444.282537][ T712] Read of size 8 at addr ffff8880737a6980 by task kworker/u4:5/712
[ 444.290590][ T712]
[ 444.292916][ T712] CPU: 0 PID: 712 Comm: kworker/u4:5 Not tainted 6.7.0-rc2-syzkaller #0
[ 444.301243][ T712] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 444.311423][ T712] Workqueue: events_unbound cfg80211_wiphy_work
[ 444.317694][ T712] Call Trace:
[ 444.321096][ T712]
[ 444.324068][ T712]  dump_stack_lvl+0x214/0x310
[ 444.328921][ T712]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 444.334153][ T712]  ? __pfx__printk+0x10/0x10
[ 444.338828][ T712]  ? _printk+0xd5/0x120
[ 444.343057][ T712]  print_report+0x167/0x540
[ 444.347846][ T712]  ? __pfx_stack_trace_save+0x10/0x10
[ 444.353230][ T712]  ? __virt_addr_valid+0x211/0x2a0
[ 444.358530][ T712]  ? __phys_addr+0x90/0x130
[ 444.363054][ T712]  ? __lock_acquire+0x8e/0xc10
[ 444.368086][ T712]  kasan_report+0x142/0x180
[ 444.372586][ T712]  ? __lock_acquire+0x8e/0xc10
[ 444.377654][ T712]  __lock_acquire+0x8e/0xc10
[ 444.382246][ T712]  ? __lock_acquire+0x5cc/0xc10
[ 444.387083][ T712]  lock_acquire+0x1a8/0x3a0
[ 444.391660][ T712]  ? lockref_get+0x15/0x60
[ 444.396061][ T712]  ? __pfx_lock_acquire+0x10/0x10
[ 444.401175][ T712]  ? simple_pin_fs+0x91/0x160
[ 444.405861][ T712]  ? __pfx_lock_release+0x10/0x10
[ 444.410965][ T712]  ? do_raw_spin_lock+0x14d/0x3b0
[ 444.416160][ T712]  _raw_spin_lock+0x2e/0x40
[ 444.420657][ T712]  ? lockref_get+0x15/0x60
[ 444.425149][ T712]  lockref_get+0x15/0x60
[ 444.429499][ T712]  simple_recursive_removal+0x35/0x7c0
[ 444.435147][ T712]  ? mntput+0x65/0xc0
[ 444.439561][ T712]  ? __pfx_remove_one+0x10/0x10
[ 444.444682][ T712]  debugfs_remove+0x49/0x70
[ 444.449486][ T712]  ieee80211_sta_debugfs_remove+0x40/0x60
[ 444.455309][ T712]  __sta_info_destroy_part2+0x302/0x3c0
[ 444.460935][ T712]  ? sta_info_destroy_addr+0xd3/0x1f0
[ 444.466296][ T712]  sta_info_destroy_addr+0x1b2/0x1f0
[ 444.471659][ T712]  ieee80211_destroy_auth_data+0xfb/0x280
[ 444.477372][ T712]  ieee80211_sta_work+0x1291/0x3420
[ 444.482736][ T712]  ? __lock_acquire+0x5cc/0xc10
[ 444.487589][ T712]  ? skb_dequeue+0x113/0x150
[ 444.492256][ T712]  ? __pfx_lock_release+0x10/0x10
[ 444.497264][ T712]  ? __pfx_ieee80211_sta_work+0x10/0x10
[ 444.502800][ T712]  ? do_raw_spin_unlock+0x13b/0x8b0
[ 444.508093][ T712]  ? _raw_spin_unlock_irqrestore+0xcf/0x130
[ 444.514091][ T712]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 444.520517][ T712]  ? cfg80211_wiphy_work+0x1fc/0x260
[ 444.525993][ T712]  ? skb_dequeue+0x113/0x150
[ 444.530660][ T712]  ? ieee80211_iface_work+0x9b2/0xcc0
[ 444.536019][ T712]  ? ieee80211_iface_work+0xbcc/0xcc0
[ 444.541473][ T712]  cfg80211_wiphy_work+0x221/0x260
[ 444.546575][ T712]  ? process_scheduled_works+0x7c2/0x1260
[ 444.552380][ T712]  process_scheduled_works+0x889/0x1260
[ 444.558090][ T712]  ? __pfx_process_scheduled_works+0x10/0x10
[ 444.564083][ T712]  ? assign_work+0x351/0x3b0
[ 444.568665][ T712]  worker_thread+0xa5f/0xf60
[ 444.573258][ T712]  ? _raw_spin_unlock_irqrestore+0xcf/0x130
[ 444.579155][ T712]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 444.585472][ T712]  ? __pfx_worker_thread+0x10/0x10
[ 444.590664][ T712]  kthread+0x28f/0x300
[ 444.594749][ T712]  ? __pfx_worker_thread+0x10/0x10
[ 444.599843][ T712]  ? __pfx_kthread+0x10/0x10
[ 444.604416][ T712]  ret_from_fork+0x4b/0x80
[ 444.609194][ T712]  ? __pfx_kthread+0x10/0x10
[ 444.613772][ T712]  ret_from_fork_asm+0x1b/0x30
[ 444.618529][ T712]
[ 444.621543][ T712]
[ 444.623848][ T712] Allocated by task 6968:
[ 444.628198][ T712]  kasan_set_track+0x4f/0x80
[ 444.632774][ T712]  __kasan_slab_alloc+0x66/0x80
[ 444.637615][ T712]  slab_post_alloc_hook+0x67/0x3c0
[ 444.642760][ T712]  kmem_cache_alloc_lru+0x100/0x280
[ 444.647946][ T712]  __d_alloc+0x31/0x990
[ 444.652109][ T712]  d_alloc_parallel+0xf7/0x1560
[ 444.657002][ T712]  __lookup_slow+0x117/0x3f0
[ 444.661573][ T712]  lookup_one_len+0x173/0x2b0
[ 444.666235][ T712]  start_creating+0x187/0x310
[ 444.670901][ T712]  debugfs_create_dir+0x25/0x3f0
[ 444.675832][ T712]  ieee80211_sta_debugfs_add+0x132/0x680
[ 444.681475][ T712]  sta_info_insert_rcu+0xc29/0x1410
[ 444.686748][ T712]  sta_info_insert+0x15/0x40
[ 444.691321][ T712]  ieee80211_prep_connection+0x833/0xa00
[ 444.697289][ T712]  ieee80211_mgd_auth+0xbe8/0x1260
[ 444.702386][ T712]  cfg80211_mlme_auth+0x56a/0xa40
[ 444.707490][ T712]  cfg80211_conn_do_work+0x5e7/0xe20
[ 444.712875][ T712]  cfg80211_conn_work+0x279/0x4c0
[ 444.717986][ T712]  process_scheduled_works+0x889/0x1260
[ 444.723541][ T712]  worker_thread+0xa5f/0xf60
[ 444.728123][ T712]  kthread+0x28f/0x300
[ 444.732611][ T712]  ret_from_fork+0x4b/0x80
[ 444.737031][ T712]  ret_from_fork_asm+0x1b/0x30
[ 444.741794][ T712]
[ 444.744103][ T712] Freed by task 0:
[ 444.747803][ T712]  kasan_set_track+0x4f/0x80
[ 444.752628][ T712]  kasan_save_free_info+0x28/0x40
[ 444.757632][ T712]  ____kasan_slab_free+0x122/0x1f0
[ 444.762731][ T712]  kmem_cache_free+0x2f0/0x520
[ 444.767481][ T712]  rcu_core+0xcca/0x15f0
[ 444.771711][ T712]  __do_softirq+0x1be/0x586
[ 444.776195][ T712]
[ 444.778499][ T712] Last potentially related work creation:
[ 444.784191][ T712]  kasan_save_stack+0x3f/0x60
[ 444.788874][ T712]  __kasan_record_aux_stack+0xad/0xc0
[ 444.794315][ T712]  call_rcu+0x159/0x8e0
[ 444.798535][ T712]  __dentry_kill+0x560/0x730
[ 444.803194][ T712]  dentry_kill+0xbb/0x2a0
[ 444.807589][ T712]  dput+0x194/0x360
[ 444.811381][ T712]  simple_recursive_removal+0x26d/0x7c0
[ 444.816915][ T712]  debugfs_remove+0x49/0x70
[ 444.821405][ T712]  ieee80211_debugfs_recreate_netdev+0x5b/0x5e0
[ 444.827738][ T712]  drv_remove_interface+0x118/0x4e0
[ 444.832957][ T712]  ieee80211_change_mac+0xaf6/0x1110
[ 444.838420][ T712]  dev_set_mac_address+0x3b7/0x620
[ 444.843529][ T712]  dev_set_mac_address_user+0x31/0x50
[ 444.848890][ T712]  dev_ifsioc+0xbd8/0xe70
[ 444.853208][ T712]  dev_ioctl+0xab2/0x1220
[ 444.857966][ T712]  sock_do_ioctl+0x240/0x460
[ 444.862584][ T712]  sock_ioctl+0x602/0x8c0
[ 444.866906][ T712]  __se_sys_ioctl+0xfc/0x170
[ 444.871484][ T712]  do_syscall_64+0x4d/0x120
[ 444.875969][ T712]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[ 444.881938][ T712]
[ 444.884334][ T712] Second to last potentially related work creation:
[ 444.890915][ T712]  kasan_save_stack+0x3f/0x60
[ 444.895666][ T712]  __kasan_record_aux_stack+0xad/0xc0
[ 444.901023][ T712]  call_rcu+0x159/0x8e0
[ 444.905230][ T712]  __dentry_kill+0x560/0x730
[ 444.909801][ T712]  dentry_kill+0xbb/0x2a0
[ 444.914117][ T712]  dput+0x194/0x360
[ 444.917996][ T712]  simple_recursive_removal+0x26d/0x7c0
[ 444.923529][ T712]  debugfs_remove+0x49/0x70
[ 444.928020][ T712]  ieee80211_sta_debugfs_remove+0x40/0x60
[ 444.933726][ T712]  __sta_info_destroy_part2+0x302/0x3c0
[ 444.939288][ T712]  sta_info_destroy_addr+0x1b2/0x1f0
[ 444.945053][ T712]  ieee80211_destroy_auth_data+0xfb/0x280
[ 444.950768][ T712]  ieee80211_sta_work+0x1291/0x3420
[ 444.955971][ T712]  cfg80211_wiphy_work+0x221/0x260
[ 444.961113][ T712]  process_scheduled_works+0x889/0x1260
[ 444.966730][ T712]  worker_thread+0xa5f/0xf60
[ 444.971479][ T712]  kthread+0x28f/0x300
[ 444.975560][ T712]  ret_from_fork+0x4b/0x80
[ 444.980142][ T712]  ret_from_fork_asm+0x1b/0x30
[ 444.984900][ T712]
[ 444.987209][ T712] The buggy address belongs to the object at ffff8880737a68d0
[ 444.987209][ T712]  which belongs to the cache dentry of size 312
[ 445.000843][ T712] The buggy address is located 176 bytes inside of
[ 445.000843][ T712]  freed 312-byte region [ffff8880737a68d0, ffff8880737a6a08)
[ 445.014622][ T712]
[ 445.016930][ T712] The buggy address belongs to the physical page:
[ 445.023425][ T712] page:ffffea0001cde980 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x737a6
[ 445.034362][ T712] head:ffffea0001cde980 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 445.043362][ T712] memcg:ffff88801e1cbe01
[ 445.047665][ T712] flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 445.055633][ T712] page_type: 0xffffffff()
[ 445.060090][ T712] raw: 00fff00000000840 ffff88814000a780 dead000000000100 dead000000000122
[ 445.068919][ T712] raw: 0000000000000000 0000000000150015 00000001ffffffff ffff88801e1cbe01
[ 445.077490][ T712] page dumped because: kasan: bad access detected
[ 445.083898][ T712] page_owner tracks the page as allocated
[ 445.089597][ T712] page last allocated via order 1, migratetype Reclaimable, gfp_mask 0x1d20d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5794, tgid 5794 (udevd), ts 115088098531, free_ts 11856689449
[ 445.113717][ T712]  post_alloc_hook+0x10f/0x130
[ 445.118504][ T712]  get_page_from_freelist+0x345c/0x3600
[ 445.124124][ T712]  __alloc_pages+0x255/0x650
[ 445.128719][ T712]  alloc_pages_mpol+0x3de/0x690
[ 445.133656][ T712]  alloc_slab_page+0x6a/0x170
[ 445.138330][ T712]  new_slab+0x70/0x270
[ 445.142384][ T712]  ___slab_alloc+0x94b/0xee0
[ 445.146979][ T712]  kmem_cache_alloc_lru+0x187/0x280
[ 445.152250][ T712]  __d_alloc+0x31/0x990
[ 445.156564][ T712]  d_alloc_parallel+0xf7/0x1560
[ 445.161398][ T712]  path_openat+0x92f/0x3250
[ 445.165884][ T712]  do_filp_open+0x234/0x490
[ 445.170380][ T712]  do_sys_openat2+0x13e/0x1d0
[ 445.175037][ T712]  __x64_sys_openat+0x247/0x2a0
[ 445.179865][ T712]  do_syscall_64+0x4d/0x120
[ 445.184350][ T712]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[ 445.190232][ T712] page last free stack trace:
[ 445.194886][ T712]  free_unref_page_prepare+0x808/0x920
[ 445.200338][ T712]  free_unref_page+0x37/0x3a0
[ 445.205091][ T712]  free_contig_range+0x91/0x140
[ 445.210025][ T712]  destroy_args+0x8a/0x890
[ 445.214521][ T712]  debug_vm_pgtable+0x466/0x770
[ 445.219361][ T712]  do_one_initcall+0x211/0x6e0
[ 445.224117][ T712]  do_initcall_level+0x15a/0x280
[ 445.229324][ T712]  do_initcalls+0x3f/0x80
[ 445.233931][ T712]  kernel_init_freeable+0x3ec/0x580
[ 445.239114][ T712]  kernel_init+0x1d/0x2a0
[ 445.243441][ T712]  ret_from_fork+0x4b/0x80
[ 445.247845][ T712]  ret_from_fork_asm+0x1b/0x30
[ 445.252601][ T712]
[ 445.254998][ T712] Memory state around the buggy address:
[ 445.260626][ T712]  ffff8880737a6880: fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb
[ 445.268674][ T712]  ffff8880737a6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 445.276990][ T712] >ffff8880737a6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 445.285126][ T712]                    ^
[ 445.289258][ T712]  ffff8880737a6a00: fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb
[ 445.297311][ T712]  ffff8880737a6a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 445.305609][ T712] ==================================================================
[ 445.313697][ T712] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 445.321175][ T712] Kernel Offset: disabled
[ 445.325503][ T712] Rebooting in 86400 seconds..