program: socket$nl_route(0x10, 0x3, 0x0) (async) r0 = socket$inet6_udp(0xa, 0x2, 0x0) (async) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002080)={0xffffffffffffffff}) close(r1) (async) r2 = socket$inet_smc(0x2b, 0x1, 0x0) ioctl$int_in(r2, 0x5452, &(0x7f00000000c0)=0x10000) io_setup(0x7, &(0x7f0000000240)=0x0) io_submit(r3, 0x1, &(0x7f0000000080)=[&(0x7f0000000540)={0x0, 0x0, 0x0, 0x8, 0x0, r1, 0x0}]) (async) prctl$PR_SET_SECCOMP(0x4e, 0x1, 0x0) (async) prctl$PR_SET_SECCOMP(0x4e, 0x1, 0x0) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000c80)={'lo\x00'}) [ 85.356856][ T5305] Bluetooth: hci0: command tx timeout [ 85.476376][ T5332] ================================================================== [ 85.480143][ T5332] BUG: KASAN: slab-out-of-bounds in _raw_spin_lock+0x2e/0x40 [ 85.483876][ T5332] Read of size 1 at addr ffff8880522f6a60 by task syz.0.0/5332 [ 85.487243][ T5332] [ 85.488267][ T5332] CPU: 0 UID: 0 PID: 5332 Comm: syz.0.0 Not tainted 6.16.0-rc2-syzkaller-00318-g739a6c93cc75 #0 PREEMPT(full) [ 85.488281][ T5332] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.488289][ T5332] Call Trace: [ 85.488297][ T5332] [ 85.488304][ T5332] dump_stack_lvl+0x189/0x250 [ 85.488330][ T5332] ? __kasan_check_byte+0x12/0x40 [ 85.488386][ T5332] ? __pfx_dump_stack_lvl+0x10/0x10 [ 85.488404][ T5332] ? lock_release+0x4b/0x3e0 [ 85.488423][ T5332] ? __virt_addr_valid+0x4a5/0x5c0 [ 85.488437][ T5332] print_report+0xd2/0x2b0 [ 85.488454][ T5332] ? _raw_spin_lock+0x2e/0x40 [ 85.488469][ T5332] kasan_report+0x118/0x150 [ 85.488482][ T5332] ? _raw_spin_lock+0x2e/0x40 [ 85.488497][ T5332] ? __futex_pivot_hash+0x226/0x460 [ 85.488510][ T5332] __kasan_check_byte+0x2a/0x40 [ 85.488520][ T5332] lock_acquire+0x8d/0x360 [ 85.488535][ T5332] ? futex_hash_allocate+0x7eb/0xba0 [ 85.488549][ T5332] _raw_spin_lock+0x2e/0x40 [ 85.488564][ T5332] ? __futex_pivot_hash+0x226/0x460 [ 85.488583][ T5332] __futex_pivot_hash+0x226/0x460 [ 85.488598][ T5332] futex_hash_allocate+0xa6b/0xba0 [ 85.488610][ T5332] ? __pfx_futex_hash_allocate+0x10/0x10 [ 85.488622][ T5332] ? __pfx_var_wake_function+0x10/0x10 [ 85.488635][ T5332] ? static_key_count+0x41/0x70 [ 85.488647][ T5332] ? security_task_prctl+0x163/0x190 [ 85.488665][ T5332] __se_sys_prctl+0x9e8/0x1940 [ 85.488682][ T5332] ? __pfx___se_sys_prctl+0x10/0x10 [ 85.488696][ T5332] ? do_syscall_64+0xbe/0x3b0 [ 85.488708][ T5332] ? __x64_sys_prctl+0x20/0xc0 [ 85.488723][ T5332] do_syscall_64+0xfa/0x3b0 [ 85.488732][ T5332] ? lockdep_hardirqs_on+0x9c/0x150 [ 85.488748][ T5332] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.488762][ T5332] ? clear_bhb_loop+0x60/0xb0 [ 85.488773][ T5332] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.488784][ T5332] RIP: 0033:0x7f4c1ad8e929 [ 85.488799][ T5332] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 85.488808][ T5332] RSP: 002b:00007f4c171b3038 EFLAGS: 00000246 ORIG_RAX: 000000000000009d [ 85.488823][ T5332] RAX: ffffffffffffffda RBX: 00007f4c1afb6160 RCX: 00007f4c1ad8e929 [ 85.488830][ T5332] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 000000000000004e [ 85.488836][ T5332] RBP: 00007f4c1ae10b39 R08: 0000000000000000 R09: 0000000000000000 [ 85.488842][ T5332] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 85.488849][ T5332] R13: 0000000000000001 R14: 00007f4c1afb6160 R15: 00007ffcfa3bbb88 [ 85.488860][ T5332] [ 85.488865][ T5332] [ 85.603619][ T5332] Allocated by task 5328: [ 85.605540][ T5332] kasan_save_track+0x3e/0x80 [ 85.607877][ T5332] __kasan_kmalloc+0x93/0xb0 [ 85.610046][ T5332] __kvmalloc_node_noprof+0x30d/0x5f0 [ 85.612235][ T5332] futex_hash_allocate+0x3f4/0xba0 [ 85.614322][ T5332] __se_sys_prctl+0x9e8/0x1940 [ 85.616347][ T5332] do_syscall_64+0xfa/0x3b0 [ 85.618387][ T5332] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.620813][ T5332] [ 85.622030][ T5332] The buggy address belongs to the object at ffff8880522f6a00 [ 85.622030][ T5332] which belongs to the cache kmalloc-cg-64 of size 64 [ 85.628858][ T5332] The buggy address is located 32 bytes to the right of [ 85.628858][ T5332] allocated 64-byte region [ffff8880522f6a00, ffff8880522f6a40) [ 85.635371][ T5332] [ 85.636451][ T5332] The buggy address belongs to the physical page: [ 85.639253][ T5332] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x522f6 [ 85.642818][ T5332] memcg:ffff8880432ee401 [ 85.644563][ T5332] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 85.647677][ T5332] page_type: f5(slab) [ 85.649488][ T5332] raw: 04fff00000000000 ffff88801a449c80 dead000000000122 0000000000000000 [ 85.653216][ T5332] raw: 0000000000000000 0000000080200020 00000000f5000000 ffff8880432ee401 [ 85.657062][ T5332] page dumped because: kasan: bad access detected [ 85.659833][ T5332] page_owner tracks the page as allocated [ 85.662296][ T5332] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5304, tgid 5304 (syz-executor), ts 82807964795, free_ts 0 [ 85.669805][ T5332] post_alloc_hook+0x240/0x2a0 [ 85.672092][ T5332] get_page_from_freelist+0x21e4/0x22c0 [ 85.675076][ T5332] __alloc_frozen_pages_noprof+0x181/0x370 [ 85.678389][ T5332] alloc_pages_mpol+0x232/0x4a0 [ 85.680666][ T5332] allocate_slab+0x8a/0x3b0 [ 85.682753][ T5332] ___slab_alloc+0xbfc/0x1480 [ 85.684990][ T5332] __kvmalloc_node_noprof+0x429/0x5f0 [ 85.687607][ T5332] alloc_netdev_mqs+0xc9e/0x11e0 [ 85.690402][ T5332] nsim_create+0x7a/0xef0 [ 85.693154][ T5332] __nsim_dev_port_add+0x70a/0xb20 [ 85.696749][ T5332] nsim_dev_port_add_all+0x35/0xe0 [ 85.699507][ T5332] nsim_drv_probe+0x883/0xb70 [ 85.701975][ T5332] really_probe+0x26a/0x9a0 [ 85.704091][ T5332] __driver_probe_device+0x18c/0x2f0 [ 85.706468][ T5332] driver_probe_device+0x4f/0x430 [ 85.708902][ T5332] __device_attach_driver+0x2ce/0x530 [ 85.711450][ T5332] page_owner free stack trace missing [ 85.714706][ T5332] [ 85.716417][ T5332] Memory state around the buggy address: [ 85.719436][ T5332] ffff8880522f6900: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc [ 85.723273][ T5332] ffff8880522f6980: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc [ 85.726690][ T5332] >ffff8880522f6a00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 85.730134][ T5332] ^ [ 85.733159][ T5332] ffff8880522f6a80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 85.736479][ T5332] ffff8880522f6b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 85.739942][ T5332] ================================================================== [ 85.744242][ T5332] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 85.747357][ T5332] CPU: 0 UID: 0 PID: 5332 Comm: syz.0.0 Not tainted 6.16.0-rc2-syzkaller-00318-g739a6c93cc75 #0 PREEMPT(full) [ 85.752241][ T5332] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.757896][ T5332] Call Trace: [ 85.759492][ T5332] [ 85.760716][ T5332] dump_stack_lvl+0x99/0x250 [ 85.762551][ T5332] ? __asan_memcpy+0x40/0x70 [ 85.764383][ T5332] ? __pfx_dump_stack_lvl+0x10/0x10 [ 85.766478][ T5332] ? __pfx__printk+0x10/0x10 [ 85.768427][ T5332] panic+0x2db/0x790 [ 85.770091][ T5332] ? lockdep_hardirqs_on+0x9c/0x150 [ 85.772453][ T5332] ? __pfx_panic+0x10/0x10 [ 85.774426][ T5332] ? _raw_spin_unlock_irqrestore+0xa8/0x110 [ 85.776922][ T5332] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 85.779513][ T5332] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 85.782279][ T5332] ? _raw_spin_lock+0x2e/0x40 [ 85.784569][ T5332] check_panic_on_warn+0x89/0xb0 [ 85.789289][ T5332] ? _raw_spin_lock+0x2e/0x40 [ 85.791428][ T5332] end_report+0x78/0x160 [ 85.793268][ T5332] kasan_report+0x129/0x150 [ 85.795322][ T5332] ? _raw_spin_lock+0x2e/0x40 [ 85.797603][ T5332] ? __futex_pivot_hash+0x226/0x460 [ 85.800299][ T5332] __kasan_check_byte+0x2a/0x40 [ 85.802926][ T5332] lock_acquire+0x8d/0x360 [ 85.804947][ T5332] ? futex_hash_allocate+0x7eb/0xba0 [ 85.807326][ T5332] _raw_spin_lock+0x2e/0x40 [ 85.809343][ T5332] ? __futex_pivot_hash+0x226/0x460 [ 85.811784][ T5332] __futex_pivot_hash+0x226/0x460 [ 85.814462][ T5332] futex_hash_allocate+0xa6b/0xba0 [ 85.817632][ T5332] ? __pfx_futex_hash_allocate+0x10/0x10 [ 85.820428][ T5332] ? __pfx_var_wake_function+0x10/0x10 [ 85.822886][ T5332] ? static_key_count+0x41/0x70 [ 85.825110][ T5332] ? security_task_prctl+0x163/0x190 [ 85.827524][ T5332] __se_sys_prctl+0x9e8/0x1940 [ 85.829571][ T5332] ? __pfx___se_sys_prctl+0x10/0x10 [ 85.831833][ T5332] ? do_syscall_64+0xbe/0x3b0 [ 85.833887][ T5332] ? __x64_sys_prctl+0x20/0xc0 [ 85.836030][ T5332] do_syscall_64+0xfa/0x3b0 [ 85.838164][ T5332] ? lockdep_hardirqs_on+0x9c/0x150 [ 85.840562][ T5332] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.843898][ T5332] ? clear_bhb_loop+0x60/0xb0 [ 85.846737][ T5332] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.849394][ T5332] RIP: 0033:0x7f4c1ad8e929 [ 85.851189][ T5332] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 85.858861][ T5332] RSP: 002b:00007f4c171b3038 EFLAGS: 00000246 ORIG_RAX: 000000000000009d [ 85.862367][ T5332] RAX: ffffffffffffffda RBX: 00007f4c1afb6160 RCX: 00007f4c1ad8e929 [ 85.866359][ T5332] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 000000000000004e [ 85.869984][ T5332] RBP: 00007f4c1ae10b39 R08: 0000000000000000 R09: 0000000000000000 [ 85.873259][ T5332] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 85.876806][ T5332] R13: 0000000000000001 R14: 00007f4c1afb6160 R15: 00007ffcfa3bbb88 [ 85.880248][ T5332] [ 85.881872][ T5332] Kernel Offset: disabled [ 85.883907][ T5332] Rebooting in 86400 seconds..