Warning: Permanently added '10.128.1.79' (ED25519) to the list of known hosts.
1970/01/01 00:00:58 ignoring optional flag "sandboxArg"="0"
1970/01/01 00:00:59 parsed 1 programs
[ 59.247657][ T6448] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k SS
1970/01/01 00:00:59 executed programs: 0
[ 59.282659][ T5672] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 59.284776][ T5672] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 59.286810][ T5672] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 59.289719][ T5672] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 59.291729][ T5672] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 59.293642][ T5672] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 59.361885][ T6456] chnl_net:caif_netlink_parms(): no params data found
[ 59.390304][ T6456] bridge0: port 1(bridge_slave_0) entered blocking state
[ 59.391934][ T6456] bridge0: port 1(bridge_slave_0) entered disabled state
[ 59.393641][ T6456] bridge_slave_0: entered allmulticast mode
[ 59.395389][ T6456] bridge_slave_0: entered promiscuous mode
[ 59.398305][ T6456] bridge0: port 2(bridge_slave_1) entered blocking state
[ 59.400322][ T6456] bridge0: port 2(bridge_slave_1) entered disabled state
[ 59.401965][ T6456] bridge_slave_1: entered allmulticast mode
[ 59.403838][ T6456] bridge_slave_1: entered promiscuous mode
[ 59.416753][ T6456] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 59.420810][ T6456] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 59.432955][ T6456] team0: Port device team_slave_0 added
[ 59.436153][ T6456] team0: Port device team_slave_1 added
[ 59.446793][ T6456] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 59.448303][ T6456] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 59.454221][ T6456] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 59.457958][ T6456] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 59.459594][ T6456] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 59.465220][ T6456] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 59.520835][ T6456] hsr_slave_0: entered promiscuous mode
[ 59.569511][ T6456] hsr_slave_1: entered promiscuous mode
[ 60.349743][ T6456] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 60.370618][ T6456] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 60.400867][ T6456] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 60.441220][ T6456] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 60.537321][ T6456] 8021q: adding VLAN 0 to HW filter on device bond0
[ 60.545975][ T6456] 8021q: adding VLAN 0 to HW filter on device team0
[ 60.550444][ T6112] bridge0: port 1(bridge_slave_0) entered blocking state
[ 60.552061][ T6112] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 60.558123][ T6112] bridge0: port 2(bridge_slave_1) entered blocking state
[ 60.559848][ T6112] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 60.656187][ T6456] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 60.678525][ T6456] veth0_vlan: entered promiscuous mode
[ 60.684966][ T6456] veth1_vlan: entered promiscuous mode
[ 60.703749][ T6456] veth0_macvtap: entered promiscuous mode
[ 60.706871][ T6456] veth1_macvtap: entered promiscuous mode
[ 60.716564][ T6456] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 60.722357][ T6456] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 60.726705][ T6456] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 60.728782][ T6456] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 60.733615][ T6456] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 60.735568][ T6456] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 60.778983][ T6115] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 60.783362][ T6115] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 60.784398][ T40] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 60.786684][ T40] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 61.370389][ T5672] Bluetooth: hci0: command 0x0409 tx timeout
[ 61.697222][ T6548] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
[ 62.557201][ T6624] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
[ 63.419464][ T6700] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
[ 63.449309][ T5672] Bluetooth: hci0: command 0x041b tx timeout
[ 64.274467][ T6775] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
[ 64.276807][ T6775] ==================================================================
[ 64.278598][ T6775] BUG: KASAN: slab-use-after-free in nfc_alloc_send_skb+0x164/0x190
[ 64.280513][ T6775] Read of size 4 at addr ffff0000d47e6560 by task syz-executor.0/6775
[ 64.282508][ T6775]
[ 64.283004][ T6775] CPU: 1 PID: 6775 Comm: syz-executor.0 Not tainted 6.7.0-rc4-syzkaller-00020-gd46efae31672 #0
[ 64.285377][ T6775] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
[ 64.287674][ T6775] Call trace:
[ 64.288466][ T6775]  dump_backtrace+0x1b8/0x1e4
[ 64.289497][ T6775]  show_stack+0x2c/0x44
[ 64.290446][ T6775]  dump_stack_lvl+0xd0/0x124
[ 64.291542][ T6775]  print_report+0x174/0x514
[ 64.292645][ T6775]  kasan_report+0xd8/0x138
[ 64.293775][ T6775]  __asan_report_load4_noabort+0x20/0x2c
[ 64.295064][ T6775]  nfc_alloc_send_skb+0x164/0x190
[ 64.296276][ T6775]  nfc_llcp_send_ui_frame+0x22c/0x554
[ 64.297536][ T6775]  llcp_sock_sendmsg+0x1f8/0x358
[ 64.298518][ T6775]  ____sys_sendmsg+0x56c/0x840
[ 64.299720][ T6775]  __sys_sendmmsg+0x318/0x7d8
[ 64.300819][ T6775]  __arm64_sys_sendmmsg+0xa0/0xbc
[ 64.301932][ T6775]  invoke_syscall+0x98/0x2b8
[ 64.302933][ T6775]  el0_svc_common+0x130/0x23c
[ 64.303988][ T6775]  do_el0_svc+0x48/0x58
[ 64.304981][ T6775]  el0_svc+0x54/0x158
[ 64.305874][ T6775]  el0t_64_sync_handler+0x84/0xfc
[ 64.307028][ T6775]  el0t_64_sync+0x190/0x194
[ 64.308009][ T6775]
[ 64.308517][ T6775] Allocated by task 6775:
[ 64.309479][ T6775]  kasan_set_track+0x4c/0x7c
[ 64.310435][ T6775]  kasan_save_alloc_info+0x24/0x30
[ 64.311602][ T6775]  __kasan_kmalloc+0xac/0xc4
[ 64.312690][ T6775]  kmalloc_trace+0x70/0x88
[ 64.313710][ T6775]  nfc_allocate_device+0x124/0x45c
[ 64.314874][ T6775]  nci_allocate_device+0x1ac/0x324
[ 64.315999][ T6775]  virtual_ncidev_open+0x84/0x1bc
[ 64.317072][ T6775]  misc_open+0x2f0/0x368
[ 64.318106][ T6775]  chrdev_open+0x3c8/0x4dc
[ 64.319213][ T6775]  do_dentry_open+0x778/0x12b4
[ 64.320350][ T6775]  vfs_open+0x7c/0x90
[ 64.321290][ T6775]  path_openat+0x1f6c/0x2888
[ 64.322462][ T6775]  do_filp_open+0x1bc/0x3cc
[ 64.323503][ T6775]  do_sys_openat2+0x124/0x1b8
[ 64.324517][ T6775]  __arm64_sys_openat+0x1f0/0x240
[ 64.325689][ T6775]  invoke_syscall+0x98/0x2b8
[ 64.326805][ T6775]  el0_svc_common+0x130/0x23c
[ 64.327916][ T6775]  do_el0_svc+0x48/0x58
[ 64.328889][ T6775]  el0_svc+0x54/0x158
[ 64.329879][ T6775]  el0t_64_sync_handler+0x84/0xfc
[ 64.331075][ T6775]  el0t_64_sync+0x190/0x194
[ 64.332158][ T6775]
[ 64.332676][ T6775] Freed by task 6774:
[ 64.333567][ T6775]  kasan_set_track+0x4c/0x7c
[ 64.334631][ T6775]  kasan_save_free_info+0x38/0x5c
[ 64.335714][ T6775]  ____kasan_slab_free+0x144/0x1c0
[ 64.336959][ T6775]  __kasan_slab_free+0x18/0x28
[ 64.338051][ T6775]  __kmem_cache_free+0x2ac/0x480
[ 64.339129][ T6775]  kfree+0xb8/0x19c
[ 64.340078][ T6775]  nfc_release+0x1d4/0x27c
[ 64.341114][ T6775]  device_release+0x8c/0x1ac
[ 64.342255][ T6775]  kobject_put+0x1c4/0x3c4
[ 64.343364][ T6775]  put_device+0x28/0x40
[ 64.344379][ T6775]  nci_free_device+0x40/0x60
[ 64.345445][ T6775]  virtual_ncidev_close+0x78/0xa0
[ 64.346564][ T6775]  __fput+0x308/0x90c
[ 64.347433][ T6775]  __fput_sync+0x60/0x9c
[ 64.348451][ T6775]  __arm64_sys_close+0x150/0x1e0
[ 64.349569][ T6775]  invoke_syscall+0x98/0x2b8
[ 64.350600][ T6775]  el0_svc_common+0x130/0x23c
[ 64.351603][ T6775]  do_el0_svc+0x48/0x58
[ 64.352518][ T6775]  el0_svc+0x54/0x158
[ 64.353572][ T6775]  el0t_64_sync_handler+0x84/0xfc
[ 64.354764][ T6775]  el0t_64_sync+0x190/0x194
[ 64.355799][ T6775]
[ 64.356328][ T6775] The buggy address belongs to the object at ffff0000d47e6000
[ 64.356328][ T6775]  which belongs to the cache kmalloc-2k of size 2048
[ 64.359612][ T6775] The buggy address is located 1376 bytes inside of
[ 64.359612][ T6775]  freed 2048-byte region [ffff0000d47e6000, ffff0000d47e6800)
[ 64.362847][ T6775]
[ 64.363403][ T6775] The buggy address belongs to the physical page:
[ 64.364705][ T6775] page:0000000040d782ed refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000d47e1000 pfn:0x1147e0
[ 64.367355][ T6775] head:0000000040d782ed order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 64.369233][ T6775] flags: 0x5ffc00000000840(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 64.370957][ T6775] page_type: 0xffffffff()
[ 64.371926][ T6775] raw: 05ffc00000000840 ffff0000c0002000 ffff0000c0000948 fffffc0003620c10
[ 64.374043][ T6775] raw: ffff0000d47e1000 0000000000080004 00000001ffffffff 0000000000000000
[ 64.376023][ T6775] page dumped because: kasan: bad access detected
[ 64.377393][ T6775]
[ 64.377888][ T6775] Memory state around the buggy address:
[ 64.379226][ T6775]  ffff0000d47e6400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.381013][ T6775]  ffff0000d47e6480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.382816][ T6775] >ffff0000d47e6500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.384643][ T6775]                                                        ^
[ 64.386109][ T6775]  ffff0000d47e6580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.387913][ T6775]  ffff0000d47e6600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.389707][ T6775] ==================================================================
[ 64.392353][ T6775] Disabling lock debugging due to kernel taint
1970/01/01 00:01:04 executed programs: 4
[ 64.490337][ T2220] ieee802154 phy0 wpan0: encryption failed: -22
[ 64.491698][ T2220] ieee802154 phy1 wpan1: encryption failed: -22
[ 65.243763][ T6828] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
[ 65.529236][ T5672] Bluetooth: hci0: command 0x040f tx timeout
[ 66.096993][ T6833] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
[ 66.944871][ T6838] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
[ 67.619172][ T5672] Bluetooth: hci0: command 0x0419 tx timeout
[ 67.791162][ T6843] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
[ 68.639072][ T6848] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
[ 69.485867][ T6853] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
1970/01/01 00:01:09 executed programs: 10
[ 69.609485][ T2128] cfg80211: failed to load regulatory.db
[ 70.331857][ T6858] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
[ 71.180046][ T6863] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
[ 72.026384][ T6868] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
[ 72.872525][ T6873] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
[ 73.717946][ T6878] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
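Read as a triage artifact, the KASAN report above pins down three things: the use site (nfc_alloc_send_skb, reached from llcp_sock_sendmsg under sendmmsg), the allocation (nfc_allocate_device, from virtual_ncidev_open under openat, task 6775) and the free (nfc_release via nci_free_device, from virtual_ncidev_close under close, task 6774). The free and the use happen in different tasks, and the faulting address sits 1376 bytes into a freed kmalloc-2k object whose shadow bytes all read fb. The script below is an added example, not syzkaller or syzbot code: it parses an excerpt of this report, extracts those facts, and cross-checks the numbers the report prints against each other (address minus object base against the stated offset, address against the freed region, and the shadow byte the dump shows at the address against the bug class). The excerpt is copied from the report above with timestamps and thread tags stripped; the shadow legend (fb freed slab object, fc slab redzone, one shadow byte per 8-byte granule) is generic KASAN's, and the list of allocator and KASAN "plumbing" frame prefixes to skip is a heuristic of this example.

```python
import re

# Excerpt of the KASAN report above (timestamps and thread tags stripped,
# stacks trimmed to the frames the triage logic looks at).
REPORT = """\
BUG: KASAN: slab-use-after-free in nfc_alloc_send_skb+0x164/0x190
Read of size 4 at addr ffff0000d47e6560 by task syz-executor.0/6775
Call trace:
 nfc_alloc_send_skb+0x164/0x190
 nfc_llcp_send_ui_frame+0x22c/0x554
 llcp_sock_sendmsg+0x1f8/0x358
 __arm64_sys_sendmmsg+0xa0/0xbc

Allocated by task 6775:
 kasan_set_track+0x4c/0x7c
 __kasan_kmalloc+0xac/0xc4
 kmalloc_trace+0x70/0x88
 nfc_allocate_device+0x124/0x45c
 virtual_ncidev_open+0x84/0x1bc
 __arm64_sys_openat+0x1f0/0x240

Freed by task 6774:
 kasan_set_track+0x4c/0x7c
 ____kasan_slab_free+0x144/0x1c0
 kfree+0xb8/0x19c
 nfc_release+0x1d4/0x27c
 nci_free_device+0x40/0x60
 virtual_ncidev_close+0x78/0xa0
 __arm64_sys_close+0x150/0x1e0

The buggy address belongs to the object at ffff0000d47e6000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1376 bytes inside of
 freed 2048-byte region [ffff0000d47e6000, ffff0000d47e6800)

Memory state around the buggy address:
>ffff0000d47e6500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

# Generic-KASAN shadow values this example knows how to name.
SHADOW = {0x00: "addressable", 0xfb: "freed slab object", 0xfc: "slab redzone"}
# Heuristic: frames with these prefixes are KASAN/allocator plumbing, not the owner.
PLUMBING = ("kasan_", "__kasan_", "____kasan", "kmalloc", "kfree", "__kmem_cache")

def stack_after(lines, header):
    """(task id or None, [symbol, ...]) for the indented frame block under header."""
    for i, line in enumerate(lines):
        m = re.match(header, line)
        if m:
            frames = []
            for f in lines[i + 1:]:
                if not f.startswith(" "):
                    break
                frames.append(re.match(r"\s*([\w.]+)", f).group(1))
            return (int(m.group(1)) if m.groups() else None), frames
    return None, []

def owner(frames):
    """First frame that is not plumbing: the subsystem code owning the object."""
    return next((f for f in frames if not f.startswith(PLUMBING)), None)

def syscall(frames):
    hits = (re.match(r"__(?:arm64|x64|ia32)_sys_(\w+)", f) for f in frames)
    return next((h.group(1) for h in hits if h), None)

def shadow_at(lines, addr):
    """Name the shadow byte (one per 8-byte granule) covering addr on the '>' row."""
    for line in lines:
        if line.startswith(">"):
            base, *cells = line[1:].replace(":", "").split()
            idx = (addr - int(base, 16)) // 8
            if 0 <= idx < len(cells):
                return SHADOW.get(int(cells[idx], 16), "unknown")
    return None

def parse_kasan(text):
    lines = text.splitlines()
    bug = re.search(r"BUG: KASAN: (\S+) in (\w+)\+0x", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", text)
    obj = re.search(r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)", text)
    off = re.search(r"located (\d+) bytes inside of", text)
    reg = re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", text)
    addr, base, pid = int(acc.group(3), 16), int(obj.group(1), 16), int(acc.group(5))
    _, use = stack_after(lines, r"Call trace:")
    alloc_task, alloc = stack_after(lines, r"Allocated by task (\d+):")
    free_task, freed = stack_after(lines, r"Freed by task (\d+):")
    return {
        "bug": bug.group(1), "site": bug.group(2),
        "access": (acc.group(1), int(acc.group(2))), "task": (acc.group(4), pid),
        "cache": obj.group(2), "object_size": int(obj.group(3)), "offset": int(off.group(1)),
        "alloc_task": alloc_task, "alloc_owner": owner(alloc),
        "free_task": free_task, "free_owner": owner(freed),
        "syscalls": (syscall(alloc), syscall(freed), syscall(use)),
        "shadow": shadow_at(lines, addr),
        # The report's own numbers must agree; if they don't, it was truncated or mis-parsed.
        "offset_matches": addr - base == int(off.group(1)),
        "in_freed_region": int(reg.group(1), 16) <= addr < int(reg.group(2), 16),
        # Freed by a task other than the one using it: an object-lifetime race
        # between two syscalls, not a straight-line use after free in one path.
        "freed_by_other_task": free_task != pid,
    }
```

Calling `parse_kasan(REPORT)` yields the syscall triple (openat, close, sendmmsg), the owners nfc_allocate_device and nfc_release, and `freed_by_other_task` set, which is the shape to look for when deciding whether a report points at a missing reference or a missing lock on the device lifetime rather than at the sendmsg path itself.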