Warning: Permanently added '10.128.0.98' (ED25519) to the list of known hosts.
2024/05/01 19:29:05 ignoring optional flag "sandboxArg"="0"
2024/05/01 19:29:05 parsed 1 programs
2024/05/01 19:29:06 executed programs: 0
[ 44.672781] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 44.718675] IPVS: ftp: loaded support on port[0] = 21
[ 44.750185] chnl_net:caif_netlink_parms(): no params data found
[ 45.100064] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 45.169610] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 45.176018] 8021q: adding VLAN 0 to HW filter on device bond0
[ 45.521479] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 45.528727] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 45.535965] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 45.544165] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 46.378315] F2FS-fs (loop0): Found nat_bits in checkpoint
[ 46.394757] F2FS-fs (loop0): Mounted with checkpoint version = 48b305e5
[ 46.408235] attempt to access beyond end of device
[ 46.413483] loop0: rw=524288, want=45072, limit=40427
[ 46.419473] attempt to access beyond end of device
[ 46.424869] loop0: rw=0, want=45072, limit=40427
[ 46.438298] attempt to access beyond end of device
[ 46.443238] loop0: rw=2049, want=45120, limit=40427
[ 46.452153] ==================================================================
[ 46.459618] BUG: KASAN: use-after-free in device_for_each_child+0x136/0x140
[ 46.466697] Read of size 8 at addr ffff88009fd15288 by task kbnepd bnep0/4220
[ 46.474215]
[ 46.475836] CPU: 1 PID: 4220 Comm: kbnepd bnep0 Not tainted 4.19.0-syzkaller #0
[ 46.483265] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 46.492688] Call Trace:
[ 46.495440] dump_stack+0x10c/0x17a
[ 46.499045] print_address_description.cold.6+0x9/0x244
[ 46.504381] kasan_report.cold.7+0x242/0x305
[ 46.508764] ? device_for_each_child+0x136/0x140
[ 46.513500] ? __rpm_get_callback+0x2e0/0x2e0
[ 46.517973] __asan_report_load8_noabort+0x14/0x20
[ 46.522879] device_for_each_child+0x136/0x140
[ 46.527453] ? lock_downgrade+0x590/0x590
[ 46.531601] ? device_remove_class_symlinks+0x1f0/0x1f0
[ 46.536960] ? do_raw_spin_unlock+0x172/0x260
[ 46.541462] pm_runtime_set_memalloc_noio+0xc4/0x100
[ 46.546548] netdev_unregister_kobject+0x17c/0x1e0
[ 46.551475] rollback_registered_many+0x669/0xcc0
[ 46.556412] ? __mutex_lock+0x73d/0xdc0
[ 46.560461] ? generic_xdp_install+0x270/0x270
[ 46.565189] ? __mutex_add_waiter+0x170/0x170
[ 46.569773] ? __lock_acquire.isra.10+0x116/0x1870
[ 46.574729] ? remove_wait_queue+0x111/0x1b0
[ 46.579202] rollback_registered+0xdc/0x190
[ 46.583524] ? rollback_registered_many+0xcc0/0xcc0
[ 46.588516] ? bnep_session+0x167b/0x21a0
[ 46.592656] unregister_netdev+0x1a/0x30
[ 46.596717] bnep_session+0x1685/0x21a0
[ 46.601186] ? __schedule+0x146c/0x1c70
[ 46.605144] ? bnep_rx_control+0x9e0/0x9e0
[ 46.609363] ? do_wait_intr_irq+0x2d0/0x2d0
[ 46.613707] ? _raw_spin_unlock_irqrestore+0x63/0x90
[ 46.618882] kthread+0x2f2/0x3b0
[ 46.622223] ? bnep_rx_control+0x9e0/0x9e0
[ 46.626449] ? kthread_park+0xf0/0xf0
[ 46.630225] ret_from_fork+0x35/0x40
[ 46.634002]
[ 46.635605] Allocated by task 3901:
[ 46.639213] kasan_kmalloc.part.1+0x62/0xf0
[ 46.643508] kasan_kmalloc+0xaf/0xc0
[ 46.647194] kmem_cache_alloc_trace+0x13c/0x260
[ 46.651838] hci_alloc_dev+0x3f/0x1b50
[ 46.655788] __vhci_create_device+0xd8/0x4f0
[ 46.660171] vhci_write+0x281/0x3e0
[ 46.663770] __vfs_write+0x44b/0x890
[ 46.667454] vfs_write+0x13e/0x4b0
[ 46.670964] ksys_write+0xcd/0x1b0
[ 46.674477] __x64_sys_write+0x6e/0xb0
[ 46.678338] do_syscall_64+0xd0/0x340
[ 46.682198] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 46.687364]
[ 46.688967] Freed by task 3901:
[ 46.692224] __kasan_slab_free+0x167/0x240
[ 46.696552] kasan_slab_free+0xe/0x10
[ 46.700347] kfree+0x110/0x2c0
[ 46.703514] bt_host_release+0x10/0x20
[ 46.707466] device_release+0x74/0x170
[ 46.711342] kobject_put+0x121/0x390
[ 46.715047] put_device+0x12/0x20
[ 46.718475] hci_free_dev+0x10/0x20
[ 46.722163] vhci_release+0x73/0xe0
[ 46.725773] __fput+0x1e0/0x740
[ 46.729026] ____fput+0x9/0x10
[ 46.732222] task_work_run+0x10e/0x180
[ 46.736086] do_exit+0x9c9/0x2a80
[ 46.739512] do_group_exit+0xf1/0x2b0
[ 46.743284] __x64_sys_exit_group+0x39/0x40
[ 46.747860] do_syscall_64+0xd0/0x340
[ 46.751655] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 46.756821]
[ 46.758602] The buggy address belongs to the object at ffff88009fd14200
[ 46.758602] which belongs to the cache kmalloc-8192 of size 8192
[ 46.772417] The buggy address is located 4232 bytes inside of
[ 46.772417] 8192-byte region [ffff88009fd14200, ffff88009fd16200)
[ 46.784456] The buggy address belongs to the page:
[ 46.789383] page:ffffea00027f4400 count:1 mapcount:0 mapping:ffff88013bff4400 index:0x0 compound_mapcount: 0
[ 46.800098] flags: 0xfff00000008100(slab|head)
[ 46.804758] raw: 00fff00000008100 dead000000000100 dead000000000200 ffff88013bff4400
[ 46.812659] raw: 0000000000000000 0000000000030003 00000001ffffffff 0000000000000000
[ 46.820785] page dumped because: kasan: bad access detected
[ 46.826655] page allocated via order 3, migratetype Unmovable, gfp_mask 0x4352c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
[ 46.842880] get_page_from_freelist+0x2c68/0x41c0
[ 46.847702] __alloc_pages_nodemask+0x390/0x2380
[ 46.852455] alloc_pages_current+0xfd/0x290
[ 46.857026] new_slab+0x49d/0x7f0
[ 46.860461] ___slab_alloc+0x5b3/0x8e0
[ 46.864324] __slab_alloc.isra.22+0x6a/0xa0
[ 46.868649] __kmalloc_node_track_caller+0xe3/0x340
[ 46.873641] __kmalloc_reserve.isra.8+0x2c/0xc0
[ 46.878398] __alloc_skb+0xd7/0x580
[ 46.882182] netlink_dump+0x1e9/0xab0
[ 46.885963] netlink_recvmsg+0x977/0xe70
[ 46.890003] sock_recvmsg+0xb9/0xf0
[ 46.893605] ___sys_recvmsg+0x21c/0x530
[ 46.897552] __sys_recvmsg+0xd6/0x180
[ 46.901334] __x64_sys_recvmsg+0x73/0xb0
[ 46.905822] do_syscall_64+0xd0/0x340
[ 46.909595]
[ 46.911201] Memory state around the buggy address:
[ 46.916102] ffff88009fd15180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.923537] ffff88009fd15200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.931087] >ffff88009fd15280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.938452] ^
[ 46.942062] ffff88009fd15300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.949414] ffff88009fd15380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.956753] ==================================================================
[ 46.964107] Disabling lock debugging due to kernel taint
[ 46.971787] Kernel panic - not syncing: panic_on_warn set ...
[ 46.971787]
[ 46.979715] Kernel Offset: disabled
[ 46.983330] Rebooting in 86400 seconds..