program: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r2, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r3}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) sendmsg$NL80211_CMD_CONNECT(r1, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000240)={0x30, r2, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r3}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0) syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2, 0x1}]}, @void, @void, @void, @void, @void, @void}, 0x2f) nanosleep(&(0x7f0000000340)={0x0, 0x2faf080}, 0x0) ioctl$sock_SIOCETHTOOL(r0, 0x8946, &(0x7f0000000f80)={'wlan1\x00', &(0x7f0000000f40)=@ethtool_stats}) r4 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r4, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000400)=@newlink={0x40, 0x10, 0x401, 0x0, 0xfffffffe, {0x0, 0x0, 0x0, 0x0, 0xd07, 0x1a001}, [@IFLA_IFNAME={0x14, 0x3, 'wlan1\x00'}, @IFLA_ADDRESS={0xa, 0x1, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x5336ae46a3975501}}]}, 0x40}, 0x1, 0x0, 0x0, 0x4010}, 0x0) [ 76.508076][ T1312] ieee802154 phy0 wpan0: encryption failed: -22 [ 76.510727][ T1312] ieee802154 phy1 wpan1: encryption failed: -22 [ 76.514125][ T5296] Bluetooth: hci0: command tx timeout [ 76.694906][ T5317] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 76.731820][ T55] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01) [ 76.735528][ T55] wlan1: send auth to 08:02:11:00:00:00 (try 1/3) [ 76.857335][ T13] wlan1: send auth to 08:02:11:00:00:00 (try 2/3) [ 76.966475][ T43] wlan1: send auth to 08:02:11:00:00:00 (try 3/3) [ 77.077660][ T43] wlan1: authentication with 08:02:11:00:00:00 timed out [ 77.081218][ T43] ================================================================== [ 77.084734][ T43] BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x2e/0x40 [ 77.087968][ T43] Read of size 1 at addr ffff888042fe4828 by task kworker/u4:3/43 [ 77.091172][ T43] [ 77.092263][ T43] CPU: 0 UID: 0 PID: 43 Comm: kworker/u4:3 Not tainted syzkaller #0 PREEMPT(full) [ 77.092277][ T43] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 77.092284][ T43] Workqueue: events_unbound cfg80211_wiphy_work [ 77.092298][ T43] Call Trace: [ 77.092302][ T43] [ 77.092307][ T43] dump_stack_lvl+0x189/0x250 [ 77.092322][ T43] ? __virt_addr_valid+0x1c8/0x5c0 [ 77.092329][ T43] ? rcu_is_watching+0x15/0xb0 [ 77.092343][ T43] ? __pfx_dump_stack_lvl+0x10/0x10 [ 77.092349][ T43] ? rcu_is_watching+0x15/0xb0 [ 77.092357][ T43] ? lock_release+0x4b/0x3e0 [ 77.092365][ T43] ? _raw_spin_lock_irqsave+0xb3/0xf0 [ 77.092375][ T43] ? __virt_addr_valid+0x1c8/0x5c0 [ 77.092381][ T43] ? __virt_addr_valid+0x4a5/0x5c0 [ 77.092387][ T43] print_report+0xca/0x240 [ 77.092396][ T43] ? _raw_spin_lock+0x2e/0x40 [ 77.092404][ T43] kasan_report+0x118/0x150 [ 77.092464][ T43] ? _raw_spin_lock+0x2e/0x40 [ 77.092479][ T43] ? lockref_get+0x15/0x60 [ 77.092491][ T43] __kasan_check_byte+0x2a/0x40 [ 77.092501][ T43] lock_acquire+0x8d/0x360 [ 77.092514][ T43] ? do_raw_spin_lock+0x121/0x290 [ 77.092526][ T43] _raw_spin_lock+0x2e/0x40 [ 77.092541][ T43] ? lockref_get+0x15/0x60 [ 77.092549][ T43] lockref_get+0x15/0x60 [ 77.092558][ T43] __simple_recursive_removal+0x33/0x510 [ 77.092572][ T43] ? mntput+0x65/0xc0 [ 77.092585][ T43] ? __pfx_remove_one+0x10/0x10 [ 77.092595][ T43] debugfs_remove+0x5b/0x70 [ 77.092603][ T43] ieee80211_sta_debugfs_remove+0x40/0x70 [ 77.092619][ T43] __sta_info_destroy_part2+0x352/0x450 [ 77.092631][ T43] sta_info_destroy_addr+0xf5/0x140 [ 77.092642][ T43] ieee80211_destroy_auth_data+0x12d/0x260 [ 77.092655][ T43] ieee80211_sta_work+0x11cf/0x3600 [ 77.092669][ T43] ? __lock_acquire+0xab9/0xd20 [ 77.092682][ T43] ? __lock_acquire+0xab9/0xd20 [ 77.092694][ T43] ? __pfx_ieee80211_sta_work+0x10/0x10 [ 77.092705][ T43] ? do_raw_spin_lock+0x121/0x290 [ 77.092716][ T43] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 77.092730][ T43] ? lockdep_hardirqs_on+0x9c/0x150 [ 77.092746][ T43] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 77.092759][ T43] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 77.092773][ T43] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 77.092785][ T43] ? skb_dequeue+0x10e/0x150 [ 77.092830][ T43] ? ieee80211_iface_work+0xfc4/0x12d0 [ 77.092847][ T43] ? ieee80211_iface_work+0x11d6/0x12d0 [ 77.092861][ T43] ? rcu_is_watching+0x15/0xb0 [ 77.092876][ T43] cfg80211_wiphy_work+0x2bb/0x470 [ 77.092886][ T43] ? process_scheduled_works+0x9ef/0x17b0 [ 77.092900][ T43] process_scheduled_works+0xae1/0x17b0 [ 77.092917][ T43] ? __pfx_process_scheduled_works+0x10/0x10 [ 77.092933][ T43] worker_thread+0x8a0/0xda0 [ 77.092951][ T43] kthread+0x711/0x8a0 [ 77.092961][ T43] ? __pfx_worker_thread+0x10/0x10 [ 77.092974][ T43] ? __pfx_kthread+0x10/0x10 [ 77.092984][ T43] ? _raw_spin_unlock_irq+0x23/0x50 [ 77.092998][ T43] ? lockdep_hardirqs_on+0x9c/0x150 [ 77.093011][ T43] ? __pfx_kthread+0x10/0x10 [ 77.093021][ T43] ret_from_fork+0x4bc/0x870 [ 77.093035][ T43] ? __pfx_ret_from_fork+0x10/0x10 [ 77.093050][ T43] ? __pfx_kthread+0x10/0x10 [ 77.093059][ T43] ret_from_fork_asm+0x1a/0x30 [ 77.093075][ T43] [ 77.093079][ T43] [ 77.232612][ T43] Allocated by task 55: [ 77.234325][ T43] kasan_save_track+0x3e/0x80 [ 77.236369][ T43] __kasan_slab_alloc+0x6c/0x80 [ 77.238467][ T43] kmem_cache_alloc_lru_noprof+0x35d/0x6d0 [ 77.240982][ T43] __d_alloc+0x36/0x7a0 [ 77.242685][ T43] d_alloc_parallel+0xe5/0x15e0 [ 77.244723][ T43] __lookup_slow+0x116/0x3d0 [ 77.246614][ T43] simple_start_creating+0xfd/0x1e0 [ 77.248835][ T43] debugfs_start_creating+0x10f/0x180 [ 77.251192][ T43] debugfs_create_dir+0x28/0x420 [ 77.253419][ T43] ieee80211_sta_debugfs_add+0x12c/0x850 [ 77.255784][ T43] sta_info_insert_rcu+0x1c54/0x2840 [ 77.258383][ T43] sta_info_insert+0x16/0xc0 [ 77.260865][ T43] ieee80211_prep_connection+0xfce/0x13f0 [ 77.263200][ T43] ieee80211_mgd_auth+0xee6/0x1770 [ 77.265516][ T43] cfg80211_mlme_auth+0x632/0x9c0 [ 77.267583][ T43] cfg80211_conn_do_work+0x501/0xd10 [ 77.269686][ T43] cfg80211_conn_work+0x2c0/0x460 [ 77.271871][ T43] process_scheduled_works+0xae1/0x17b0 [ 77.274190][ T43] worker_thread+0x8a0/0xda0 [ 77.276189][ T43] kthread+0x711/0x8a0 [ 77.277979][ T43] ret_from_fork+0x4bc/0x870 [ 77.280150][ T43] ret_from_fork_asm+0x1a/0x30 [ 77.282755][ T43] [ 77.284068][ T43] Freed by task 15: [ 77.286113][ T43] kasan_save_track+0x3e/0x80 [ 77.288568][ T43] __kasan_save_free_info+0x46/0x50 [ 77.291447][ T43] __kasan_slab_free+0x5c/0x80 [ 77.293990][ T43] kmem_cache_free+0x19b/0x690 [ 77.296330][ T43] rcu_core+0xcab/0x1770 [ 77.298141][ T43] handle_softirqs+0x286/0x870 [ 77.300096][ T43] run_ksoftirqd+0x9b/0x100 [ 77.302006][ T43] smpboot_thread_fn+0x542/0xa60 [ 77.303918][ T43] kthread+0x711/0x8a0 [ 77.305668][ T43] ret_from_fork+0x4bc/0x870 [ 77.307649][ T43] ret_from_fork_asm+0x1a/0x30 [ 77.309744][ T43] [ 77.310828][ T43] Last potentially related work creation: [ 77.313339][ T43] kasan_save_stack+0x3e/0x60 [ 77.315413][ T43] kasan_record_aux_stack+0xbd/0xd0 [ 77.317680][ T43] call_rcu+0x157/0x9c0 [ 77.319454][ T43] __dentry_kill+0x4d2/0x660 [ 77.321413][ T43] dput+0x19f/0x2b0 [ 77.323065][ T43] find_next_child+0x1e5/0x250 [ 77.325153][ T43] __simple_recursive_removal+0x10b/0x510 [ 77.327547][ T43] debugfs_remove+0x5b/0x70 [ 77.329583][ T43] ieee80211_debugfs_recreate_netdev+0xbf/0x1460 [ 77.332421][ T43] drv_remove_interface+0x1fa/0x590 [ 77.334750][ T43] ieee80211_change_mac+0x912/0x12d0 [ 77.337025][ T43] netif_set_mac_address+0x2fc/0x4c0 [ 77.339310][ T43] do_setlink+0x88c/0x41c0 [ 77.341436][ T43] rtnl_newlink+0x1619/0x1c80 [ 77.343489][ T43] rtnetlink_rcv_msg+0x7cf/0xb70 [ 77.345703][ T43] netlink_rcv_skb+0x208/0x470 [ 77.347815][ T43] netlink_unicast+0x82f/0x9e0 [ 77.349847][ T43] netlink_sendmsg+0x805/0xb30 [ 77.351912][ T43] __sock_sendmsg+0x21c/0x270 [ 77.353858][ T43] ____sys_sendmsg+0x505/0x830 [ 77.355787][ T43] ___sys_sendmsg+0x21f/0x2a0 [ 77.357830][ T43] __x64_sys_sendmsg+0x19b/0x260 [ 77.360002][ T43] do_syscall_64+0xfa/0xfa0 [ 77.361729][ T43] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.364205][ T43] [ 77.365241][ T43] The buggy address belongs to the object at ffff888042fe4758 [ 77.365241][ T43] which belongs to the cache dentry of size 312 [ 77.370819][ T43] The buggy address is located 208 bytes inside of [ 77.370819][ T43] freed 312-byte region [ffff888042fe4758, ffff888042fe4890) [ 77.376583][ T43] [ 77.377693][ T43] The buggy address belongs to the physical page: [ 77.380339][ T43] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x42fe4 [ 77.383995][ T43] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 77.387663][ T43] memcg:ffff88803695fd01 [ 77.389634][ T43] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 77.392831][ T43] page_type: f5(slab) [ 77.394477][ T43] raw: 04fff00000000040 ffff888030409780 dead000000000122 0000000000000000 [ 77.398165][ T43] raw: 0000000000000000 0000000000150015 00000000f5000000 ffff88803695fd01 [ 77.401897][ T43] head: 04fff00000000040 ffff888030409780 dead000000000122 0000000000000000 [ 77.405616][ T43] head: 0000000000000000 0000000000150015 00000000f5000000 ffff88803695fd01 [ 77.409332][ T43] head: 04fff00000000001 ffffea00010bf901 00000000ffffffff 00000000ffffffff [ 77.413022][ T43] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 77.416715][ T43] page dumped because: kasan: bad access detected [ 77.419391][ T43] page_owner tracks the page as allocated [ 77.421867][ T43] page last allocated via order 1, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_RECLAIMABLE|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5319, tgid 5319 (dhcpcd), ts 76674626466, free_ts 0 [ 77.430941][ T43] post_alloc_hook+0x240/0x2a0 [ 77.433068][ T43] get_page_from_freelist+0x2365/0x2440 [ 77.435482][ T43] __alloc_frozen_pages_noprof+0x181/0x370 [ 77.438059][ T43] alloc_pages_mpol+0x232/0x4a0 [ 77.440109][ T43] allocate_slab+0x96/0x3a0 [ 77.441953][ T43] ___slab_alloc+0xe94/0x18a0 [ 77.443890][ T43] __slab_alloc+0x65/0x100 [ 77.445708][ T43] kmem_cache_alloc_lru_noprof+0x3ef/0x6d0 [ 77.448040][ T43] __d_alloc+0x36/0x7a0 [ 77.449744][ T43] d_alloc_pseudo+0x21/0xc0 [ 77.451747][ T43] alloc_file_pseudo+0xcc/0x210 [ 77.453884][ T43] sock_alloc_file+0xb8/0x2e0 [ 77.455993][ T43] __sys_socket+0x13d/0x1b0 [ 77.458000][ T43] __x64_sys_socket+0x7a/0x90 [ 77.460000][ T43] do_syscall_64+0xfa/0xfa0 [ 77.462030][ T43] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.464656][ T43] page_owner free stack trace missing [ 77.467024][ T43] [ 77.468129][ T43] Memory state around the buggy address: [ 77.470586][ T43] ffff888042fe4700: fb fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb [ 77.474133][ T43] ffff888042fe4780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 77.477568][ T43] >ffff888042fe4800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 77.481036][ T43] ^ [ 77.483446][ T43] ffff888042fe4880: fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb [ 77.486924][ T43] ffff888042fe4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 77.490322][ T43] ================================================================== [ 77.494252][ T43] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 77.497398][ T43] CPU: 0 UID: 0 PID: 43 Comm: kworker/u4:3 Not tainted syzkaller #0 PREEMPT(full) [ 77.501361][ T43] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 77.505966][ T43] Workqueue: events_unbound cfg80211_wiphy_work [ 77.508728][ T43] Call Trace: [ 77.510203][ T43] [ 77.511558][ T43] dump_stack_lvl+0x99/0x250 [ 77.513627][ T43] ? __asan_memcpy+0x40/0x70 [ 77.515671][ T43] ? __pfx_dump_stack_lvl+0x10/0x10 [ 77.517976][ T43] ? __pfx__printk+0x10/0x10 [ 77.520005][ T43] vpanic+0x237/0x6d0 [ 77.521799][ T43] ? __pfx_vpanic+0x10/0x10 [ 77.523811][ T43] panic+0xb9/0xc0 [ 77.525502][ T43] ? __pfx_panic+0x10/0x10 [ 77.527510][ T43] ? _raw_spin_unlock_irqrestore+0xa8/0x110 [ 77.530139][ T43] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 77.532693][ T43] ? is_module_address+0x17/0xf0 [ 77.534872][ T43] ? _raw_spin_lock+0x2e/0x40 [ 77.536993][ T43] check_panic_on_warn+0x89/0xb0 [ 77.539152][ T43] ? _raw_spin_lock+0x2e/0x40 [ 77.541300][ T43] end_report+0x78/0x160 [ 77.543223][ T43] kasan_report+0x129/0x150 [ 77.545223][ T43] ? _raw_spin_lock+0x2e/0x40 [ 77.547316][ T43] ? lockref_get+0x15/0x60 [ 77.549344][ T43] __kasan_check_byte+0x2a/0x40 [ 77.551467][ T43] lock_acquire+0x8d/0x360 [ 77.553413][ T43] ? do_raw_spin_lock+0x121/0x290 [ 77.555589][ T43] _raw_spin_lock+0x2e/0x40 [ 77.557583][ T43] ? lockref_get+0x15/0x60 [ 77.559559][ T43] lockref_get+0x15/0x60 [ 77.561433][ T43] __simple_recursive_removal+0x33/0x510 [ 77.563870][ T43] ? mntput+0x65/0xc0 [ 77.565677][ T43] ? __pfx_remove_one+0x10/0x10 [ 77.567800][ T43] debugfs_remove+0x5b/0x70 [ 77.569783][ T43] ieee80211_sta_debugfs_remove+0x40/0x70 [ 77.572316][ T43] __sta_info_destroy_part2+0x352/0x450 [ 77.574725][ T43] sta_info_destroy_addr+0xf5/0x140 [ 77.577002][ T43] ieee80211_destroy_auth_data+0x12d/0x260 [ 77.579326][ T43] ieee80211_sta_work+0x11cf/0x3600 [ 77.581419][ T43] ? __lock_acquire+0xab9/0xd20 [ 77.583351][ T43] ? __lock_acquire+0xab9/0xd20 [ 77.585298][ T43] ? __pfx_ieee80211_sta_work+0x10/0x10 [ 77.587582][ T43] ? do_raw_spin_lock+0x121/0x290 [ 77.589786][ T43] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 77.592206][ T43] ? lockdep_hardirqs_on+0x9c/0x150 [ 77.594287][ T43] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 77.596672][ T43] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 77.599447][ T43] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 77.601804][ T43] ? skb_dequeue+0x10e/0x150 [ 77.603782][ T43] ? ieee80211_iface_work+0xfc4/0x12d0 [ 77.606199][ T43] ? ieee80211_iface_work+0x11d6/0x12d0 [ 77.608684][ T43] ? rcu_is_watching+0x15/0xb0 [ 77.610840][ T43] cfg80211_wiphy_work+0x2bb/0x470 [ 77.613177][ T43] ? process_scheduled_works+0x9ef/0x17b0 [ 77.615765][ T43] process_scheduled_works+0xae1/0x17b0 [ 77.618200][ T43] ? __pfx_process_scheduled_works+0x10/0x10 [ 77.620848][ T43] worker_thread+0x8a0/0xda0 [ 77.622924][ T43] kthread+0x711/0x8a0 [ 77.624766][ T43] ? __pfx_worker_thread+0x10/0x10 [ 77.627016][ T43] ? __pfx_kthread+0x10/0x10 [ 77.629089][ T43] ? _raw_spin_unlock_irq+0x23/0x50 [ 77.631454][ T43] ? lockdep_hardirqs_on+0x9c/0x150 [ 77.633735][ T43] ? __pfx_kthread+0x10/0x10 [ 77.635787][ T43] ret_from_fork+0x4bc/0x870 [ 77.637919][ T43] ? __pfx_ret_from_fork+0x10/0x10 [ 77.640211][ T43] ? __pfx_kthread+0x10/0x10 [ 77.642305][ T43] ret_from_fork_asm+0x1a/0x30 [ 77.644468][ T43] [ 77.646175][ T43] Kernel Offset: disabled [ 77.648124][ T43] Rebooting in 86400 seconds..