Re: inconsistent lock state in sco_sock_timeout


Desmond Cheong Zhi Xi

Jun 28, 2021, 12:21:41 AM
to syzbot+2f6d7c...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Best,
Desmond
0001-Bluetooth-fix-inconsistent-lock-state-in-sco.patch

syzbot

Jun 28, 2021, 12:41:11 AM
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+2f6d7c...@syzkaller.appspotmail.com

Tested on:

commit: 62fb9874 Linux 5.13
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=97db59f30a49b2ea
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=16b9edc8300000

Note: testing is done by a robot and is best-effort only.

Desmond Cheong Zhi Xi

Jun 28, 2021, 2:37:52 AM
to syzbot, syzkall...@googlegroups.com
0001-Bluetooth-fix-inconsistent-lock-state-in-sco.patch

syzbot

Jun 28, 2021, 2:57:07 AM
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: Unsupported flag value(s) of 0x%x in DT_FLAGS_1.
*** stack smashing detected ***: terminated

Tested on:

commit: 62fb9874 Linux 5.13
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=10cfd4ac300000

patch: https://syzkaller.appspot.com/x/patch.diff?x=151dcf34300000

Desmond Cheong Zhi Xi

Jun 28, 2021, 3:22:03 AM
to syzbot, syzkall...@googlegroups.com
On 28/6/21 2:57 pm, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> WARNING: Unsupported flag value(s) of 0x%x in DT_FLAGS_1.
>
C=RsEURINRa/ca/sCc/oc/ugHHHhIILlNNoPQRRRTEL(TM)ZOhmZBCeeEFMoiDdeij 1/3 2/3 1/5 2/5 3/5 4/5 1/6 5/6 1/8 3/8 5/8 7/8 1/IIIIIIIVVVIVIIVIIIIXXXIXIILCDMiiiiiiivvviviiviiiixxxixiilcdm<--><-><==><=>-/\*|:~<=>=<<>><<<>>>NULSOHSTXETXEOTENQACKBELBSHTLFVTFFCRSOSIDLEDC1DC2DC3DC4NAKSYNETBCANEMSUBESCFSGSRSUSSPDEL_NL(1)(2)(3)(4)(5)(6)(7)(8)(9)(10)(11)(12)(13)(14)(15)(16)(17)(18)(19)(20)(1)(2)(3)(4)(5)(6)(7)(8)(9)(10)(11)(12)(13)(14)(15)(16)(17)(18)(19)(20)1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.18.19.20.(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)(k)(l)(m)(n)(o)(p)(q)(r)(s)(t)(u)(v)(w)(x)(y)(z)(A)(B)(C)(D)(E)(F)(G)(H)(I)(J)(K)(L)(M)(N)(O)(P)(Q)(R)(S)(T)(U)(V)(W)(X)(Y)(Z)(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)(k)(l)(m)(n)(o)(p)(q)(r)(s)(t)(u)(v)(w)(x)(y)(z)(0)-|+++++++++o::====== =(21)(22)(23)(24)(25)(26)(27)(28)(29)(30)(31)(32)(33)(34)(35)(36)(37)(38)(39)(40)(41)(42)(43)(44)(45)(46)(47)(48)(49)(50)hPadaAUbaroVpcpAnAuAmAkAKBMBGBcalkcalpFnFuFugmgkgHzkHzMHzGHzTHzulmldlklfmnmummmcmkmmm^2cm^2m^2km^2mm^3cm^3m^3km^3m/sm/s^2PakPaMPaGParadrad/srad/s^2psnsusmspVnVuVmVkVMVpWnWuWmWkWMWa.m.BqcccdC/kgCo.dBGyhaHPinKKKMktlmlnloglxmbmilmolPHp.m.PPMPRsrSvWbfffiflffifflst+___,.;:?!(){}#&*+-<>=\$%@!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefgijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzACDGJKNOPQSTUVWXYZabcdfhijkmnpqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABDEFGJKLMNOPQSTUVWXYabcdefghijklmnopqrstuvwxyzABDEFGIJKLMOSTUVWXYabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234567890123456789012345678901234567890123456789 
%,37:>BFJNRVY]aeimquy}������������������������������������������ $ ( + . 1 4 7 : = @ C F I L O R U Y \ _ b e h k n q t w z } � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � $ ' * . 2 5 8 ; > A D G K O S W [ ^ b e i m r v z ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � # & ) , 0 4 8 = A E H L P T X \ ` d h k o r v z � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � % * / 4 9 > C F K P U Z ^ b f j n r v z � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �
> ! & ) , 0 5 8 ; ? B F J N Q S U W Y ] a f k p u x } � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � $ + 2 9 @ G L O S X \ _ c h n r u y ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � % * / 4 9 = A E I M Q U Y ^ c h m r w | � � � � � � � � � � � � � � � � � � � � � � � � � � � # ( - 2 7 < A F K P V \ b h n t z � � � � � � � � � � � � � � � � � � � � � � � � � � � $ ) . 3 8 = B G L Q V [ ` e j o t y ~ � � � � � � � � � � � � � � � � � � � � � � � � �
>
>
>
>
>
>
>
> #
> (
> -
> 2
> 7
> <
> A
> F
> K
> P
> U
> Z
> _
> d
> i
> n
> s
> x
> {
> ~
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
>
> " ( . 4 : @ F L R X ^ d i m q v z ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � $ ) / 4 ; ? D I N S Z c g k o s w { � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � "&*/48;=?ACEGIKMOQSUWY[^adgjmpsvy| ������������������������������������������� # & ) , / 2 5 8 ; > A D G J M P S V Y \ _ b e h k n q t w z } � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �
> " % ( + . 1 4 7 : = @ C F I L O R U X [ ^ a d g j m p s v y | � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ! $ ' * - 0 3 6 9 < ? B E H K N Q T W Z ] ` c f i l o r u x { ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � # & ) , / 2 5 8 ; > A D G J M P S V Y \ _ b e h k n q t w z } � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �
> " % ( + . 1 4 7 : = @ C F I L O R U X [ ^ a d g j m p s v y | � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ! $ ' * - 0 3 6 9 < ? B E H K N Q T W Z ] ` c f i l o r u x { ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � # & ) , / 2 5 8 ; > A D G J M P S V Y \ _ b e h k n q t w z } � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �
> " % ( + . 1 4 7 : = @ C F I L O R U X [ ^ a d g j m p s v y | � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ! $ ' * - 0 3 6 9 < ? B E H K N Q T W Z ] ` c f i l o r u x { ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ���������������2 3 I R S � � � � � � � � � � � � � � � � p q r s t u v w z { | } ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �
> ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O Q R S T U V W X Y Z [ \ ^ _ j k r s t u � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �
> " $ % & / 5 6 7 9 : < D G H I _ ` a b c � � � � ! ! ! ! !
> ! ! !! ! ! ! ! ! ! ! ! ! ! ! !!!"!$!&!(!,!-!.!/!0!1!3!4!9!E!F!G!H!I!S!T!U!V!W!X!Y!Z![!\!]!^!_!`!a!b!c!d!e!f!g!h!i!j!k!l!m!n!o!p!q!r!s!t!u!v!w!x!y!z!{!|!}!~! !�!�!�!�!�!�! " " " "#"6"<"d"e"j"k"�"�"$ $ $ $ $ $ $ $ $ $
> $ $ $$ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $!$#$$$`$a$b$c$d$e$f$g$h$i$j$k$l$m$n$o$p$q$r$s$t$u$v$w$x$y$z${$|$}$~$ $�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$% % % % % % %$%,%4%<%�%t*u*v*0�0Q2R2S2T2U2V2W2X2Y2Z2[2\2]2^2_2�2�2�2�2�2�2�2�2�2�2�2�2�2�2�2q3r3s3t3u3v3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3� � � � � �)�� � � � � � � � � �
> � � �� � �M�N�O�P�R�T�U�V�W�Y�Z�[�\�_�`�a�b�c�d�e�f�h�i�j�k��� � � � � � � � � �
> � � �� � � � � � � � � � � � � � � � � � � �!�"�#�$�%�&�'�(�)�*�+�,�-�.�/�0�1�2�3�4�5�6�7�8�9�:�;�<�=�>�?�@�A�B�C�D�E�F�G�H�I�J�K�L�M�N�O�P�Q�R�S�T�U�V�W�X�Y�Z�[�\�]�^�� � � � � � � � � �
> � � � � � � � � � � � � � � � � � � � � � � � !� "� #� $� %� &� '� (� )� *� +� ,� -� .� /� 0� 1� 2� 3� 4� 5� 6� 7� 8� 9� :� ;� <� =� >� ?� @� A� B� C� D� E� F� G� H� I� J� K� L� M� N� O� P� Q� R� S� T� V� W� X� Y� Z� [� \� ]� ^� _� `� a� b� c� d� e� f� g� h� i� j� k� l� m� n� o� p� q� r� s� t� u� v� w� x� y� z� {� |� }� ~� � �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� � � � � � � � � �
> � � � � � � � � � � � � � � � � � � � !� "� #� $� %� &� '� (� )� *� +� ,� -� .� /� 0� 1� 2� 3� 4� 5� 6� 7� 8� 9� ;� <� =� >� @� A� B� C� D� F� J� K� L� M� N� O� P� R� S� T� U� V� W� X� Y� Z� [� \� ]� ^� _� `� a� b� c� d� e� f� g� h� i� j� k� l� m� n� o� p� q� r� s� t� u� v� w� x� y� z� {� |� }� ~� � �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� � � � � � � � � � �
> � � � � � � � � � � � � � � � � � � � � � � � !� "� #� $� %� &� '� (� )� *� +� ,� -� .� /� 0� 1� 2� 3� 4� 5� 6� 7� 8� 9� :� ;� <� =� >� ?� @� A� B� C� D� E� F� G� H� I� J� K� L� M� N� O� P� Q� R� S� T� U� V� W� X� Y� Z� [� \� ]� ^� _� `� a� b� c� d� e� f� g� h� i� j� k� l� m� n� o� p� q� r� s� t� u� v� w� x� y� z� {� |� }� ~� � �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� ��
> "$&(*,.02468:<>@BDFHJLNPRTVXZ\^`bdfhjlnprtvxz|~����������������������������������������������������������������
Seems like kernel memory is being corrupted? Modified the patch slightly.

Best,
Desmond
0001-Bluetooth-fix-inconsistent-lock-state-in-sco.patch

syzbot

Jun 28, 2021, 3:41:10 AM6/28/21
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+2f6d7c...@syzkaller.appspotmail.com

Tested on:

commit: 62fb9874 Linux 5.13
git tree: upstream
patch: https://syzkaller.appspot.com/x/patch.diff?x=16405ab4300000

Desmond Cheong Zhi Xi

Jul 13, 2021, 5:35:44 AM7/13/21
to syzbot, syzkall...@googlegroups.com
Best,
Desmond
0001-Bluetooth-fix-inconsistent-lock-state-in-sco.patch

syzbot

Jul 13, 2021, 7:40:07 AM7/13/21
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+2f6d7c...@syzkaller.appspotmail.com

Tested on:

commit: 7fef2edf sd: don't mess with SD_MINORS for CONFIG_DEBUG_BL..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=cfe2c0e42bc9993d
patch: https://syzkaller.appspot.com/x/patch.diff?x=13a86d9c300000

Desmond Cheong Zhi Xi

Jul 13, 2021, 8:35:34 AM7/13/21
to syzbot, syzkall...@googlegroups.com
0001-Bluetooth-fix-inconsistent-lock-state-in-sco.patch

syzbot

Jul 13, 2021, 12:01:09 PM7/13/21
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+2f6d7c...@syzkaller.appspotmail.com

Tested on:

commit: 7fef2edf sd: don't mess with SD_MINORS for CONFIG_DEBUG_BL..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=cfe2c0e42bc9993d
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=10bb01e2300000

Desmond Cheong Zhi Xi

Jul 19, 2021, 7:08:19 AM7/19/21
to syzbot, syzkall...@googlegroups.com
0001-Bluetooth-fix-inconsistent-lock-state-in-sco.patch

syzbot

Jul 19, 2021, 8:22:08 AM7/19/21
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:


WARNING: Unsupported flag value(s) of 0x%x in DT_FLAGS_1.

Tested on:

commit: 2734d6c1 Linux 5.14-rc2
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=126db174300000
kernel config: https://syzkaller.appspot.com/x/.config?x=4374ef2865daa37d

patch: https://syzkaller.appspot.com/x/patch.diff?x=15ab1e54300000

Desmond Cheong Zhi Xi

Jul 19, 2021, 9:20:12 AM7/19/21
to syzbot, syzkall...@googlegroups.com
On 19/7/21 8:22 pm, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> WARNING: Unsupported flag value(s) of 0x%x in DT_FLAGS_1.
>
> resolv_context.ccurrent->__from_rescurrent->__refcount > 0ctx->conf == NULLcurrent == ctxctx->__refcount > 0__resolv_context_putmaybe_initcontext_reuseresolv_conf.cconf->__refcount > 0/etc/resolv.confconf == ptrinit->nameserver_list[i]->sa_family == AF_INET6!alloc_buffer_has_failed (&buffer)global_copy->free_list_start == 0 || global_copy->free_list_start & 1conf->nameserver_list[i]->sa_family == AF_INET6resolv_conf_matches (resp, conf)conf_decrementupdate_from_conf__resolv_conf_attach__resolv_conf_allocateresolv_conf_get_1__resolv_conf_get_currentcannot allocate memory for thread-local data: ABORT
> Failed loading %lu audit modules, %lu are supported.
> result <= GL(dl_tls_max_dtv_idx) + 1result == GL(dl_tls_max_dtv_idx) + 1listp->slotinfo[cnt].gen <= GL(dl_tls_generation)map->l_tls_modid == total + cntmap->l_tls_blocksize >= map->l_tls_initimage_size(size_t) map->l_tls_offset >= map->l_tls_blocksizecannot create TLS data structures../elf/dl-tls.clistp != NULLidx == 0dlopen_dl_add_to_slotinfo_dl_allocate_tls_init_dl_next_tls_modidGLIBC_TUNABLES/etc/suid-debugglibc.rtld.nnsglibc.malloc.trim_thresholdMALLOC_TRIM_THRESHOLD_glibc.malloc.perturbMALLOC_PERTURB_glibc.elision.triesglibc.elision.enableglibc.malloc.mxfastglibc.elision.skip_lock_busyglibc.malloc.top_padMALLOC_TOP_PAD_glibc.cpu.x86_shstkglibc.cpu.hwcap_maskLD_HWCAP_MASKglibc.malloc.mmap_maxMALLOC_MMAP_MAX_glibc.cpu.x86_ibtglibc.cpu.hwcapsglibc.malloc.arena_maxMALLOC_ARENA_MAXglibc.malloc.mmap_thresholdMALLOC_MMAP_THRESHOLD_glibc.cpu.x86_data_cache_sizeglibc.malloc.tcache_countglibc.malloc.arena_testMALLOC_ARENA_TESTglibc.malloc.tcache_maxglibc.malloc.checkMALLOC_CHECK_sbrk() failure while processing tunables
> glibc.elision.skip_lock_after_retriesglibc.cpu.x86_shared_cache_sizeglibc.cpu.x86_non_temporal_thresholdglibc.elision.skip_trylock_internal_abortglibc.malloc.tcache_unsorted_limitglibc.elision.skip_lock_internal_abortglibc.pthread.mutex_spin_countglibc.rtld.optional_static_tlsP"��p ��0"��"��p ��p ��p ��p ���!���!���!���!��X!��0!�� !��� ��p ��p ��p ��p ��� ��p ��X ��� ��p ��p ��p ��p ��p ��p ��` ��/var/tmp/var/profileGCONV_PATHGETCONF_DIRHOSTALIASESLD_AUDITLD_DEBUGLD_DEBUG_OUTPUTLD_DYNAMIC_WEAKLD_HWCAP_MASKLD_LIBRARY_PATHLD_ORIGIN_PATHLD_PRELOADLD_PROFILELD_SHOW_AUXVLD_USE_LOAD_BIASLOCALDOMAINLOCPATHMALLOC_TRACENIS_PATHNLSPATHRESOLV_HOST_CONFRES_OPTIONSTMPDIRTZDIRLD_PREFER_MAP_32BIT_EXECi586i686haswellxeon_phisse2x86_64avx512_1LD_WARNsetup-vdso.hph->p_type != PT_TLSget-dynamic-info.hout of memory
> LINUX_2.6__vdso_clock_gettime__vdso_gettimeofday__vdso_time__vdso_getcpu__vdso_clock_getresLD_LIBRARY_PATHLD_BIND_NOWLD_BIND_NOTLD_DYNAMIC_WEAKLD_PROFILE_OUTPUTLD_ASSUME_KERNELinfo[DT_PLTREL]->d_un.d_val == DT_RELAinfo[DT_RELAENT]->d_un.d_val == sizeof (ElfW(Rela))
> WARNING: Unsupported flag value(s) of 0x%x in DT_FLAGS_1.
Same memory corruption that happened before, but should be unrelated to
the patch. Rebasing the patch and retrying.

Best,
Desmond
0002-Bluetooth-fix-inconsistent-lock-state-in-sco.patch

syzbot

Jul 19, 2021, 10:08:10 AM7/19/21
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: Unsupported flag value(s) of 0x%x in DT_FLAGS_1.

resolv_context.c current->__from_res current->__refcount > 0 ctx->conf == NULL current == ctx ctx->__refcount > 0 __resolv_context_put maybe_init context_reuse resolv_conf.c conf->__refcount > 0 /etc/resolv.conf conf == ptr init->nameserver_list[i]->sa_family == AF_INET6 !alloc_buffer_has_failed (&buffer) global_copy->free_list_start == 0 || global_copy->free_list_start & 1 conf->nameserver_list[i]->sa_family == AF_INET6 resolv_conf_matches (resp, conf) conf_decrement update_from_conf __resolv_conf_attach __resolv_conf_allocate resolv_conf_get_1 __resolv_conf_get_current cannot allocate memory for thread-local data: ABORT


Failed loading %lu audit modules, %lu are supported.

result <= GL(dl_tls_max_dtv_idx) + 1 result == GL(dl_tls_max_dtv_idx) + 1 listp->slotinfo[cnt].gen <= GL(dl_tls_generation) map->l_tls_modid == total + cnt map->l_tls_blocksize >= map->l_tls_initimage_size (size_t) map->l_tls_offset >= map->l_tls_blocksize cannot create TLS data structures ../elf/dl-tls.c listp != NULL idx == 0 dlopen _dl_add_to_slotinfo _dl_allocate_tls_init _dl_next_tls_modid GLIBC_TUNABLES /etc/suid-debug glibc.rtld.nns glibc.malloc.trim_threshold MALLOC_TRIM_THRESHOLD_ glibc.malloc.perturb MALLOC_PERTURB_ glibc.elision.tries glibc.elision.enable glibc.malloc.mxfast glibc.elision.skip_lock_busy glibc.malloc.top_pad MALLOC_TOP_PAD_ glibc.cpu.x86_shstk glibc.cpu.hwcap_mask LD_HWCAP_MASK glibc.malloc.mmap_max MALLOC_MMAP_MAX_ glibc.cpu.x86_ibt glibc.cpu.hwcaps glibc.malloc.arena_max MALLOC_ARENA_MAX glibc.malloc.mmap_threshold MALLOC_MMAP_THRESHOLD_ glibc.cpu.x86_data_cache_size glibc.malloc.tcache_count glibc.malloc.arena_test MALLOC_ARENA_TEST glibc.malloc.tcache_max glibc.malloc.check MALLOC_CHECK_ sbrk() failure while processing tunables
glibc.elision.skip_lock_after_retries glibc.cpu.x86_shared_cache_size glibc.cpu.x86_non_temporal_threshold glibc.elision.skip_trylock_internal_abort glibc.malloc.tcache_unsorted_limit glibc.elision.skip_lock_internal_abort glibc.pthread.mutex_spin_count glibc.rtld.optional_static_tls P"��p ��0"�� "��p ��p ��p ��p ���!���!���!���!��X!��0!�� !��� ��p ��p ��p ��p ��� ��p ��X ��� ��p ��p ��p ��p ��p ��p ��` ��/var/tmp /var/profile GCONV_PATH GETCONF_DIR HOSTALIASES LD_AUDIT LD_DEBUG LD_DEBUG_OUTPUT LD_DYNAMIC_WEAK LD_HWCAP_MASK LD_LIBRARY_PATH LD_ORIGIN_PATH LD_PRELOAD LD_PROFILE LD_SHOW_AUXV LD_USE_LOAD_BIAS LOCALDOMAIN LOCPATH MALLOC_TRACE NIS_PATH NLSPATH RESOLV_HOST_CONF RES_OPTIONS TMPDIR TZDIR LD_PREFER_MAP_32BIT_EXEC i586 i686 haswell xeon_phi sse2 x86_64 avx512_1 LD_WARN setup-vdso.h ph->p_type != PT_TLS get-dynamic-info.h out of memory

LINUX_2.6 __vdso_clock_gettime __vdso_gettimeofday __vdso_time __vdso_getcpu __vdso_clock_getres LD_LIBRARY_PATH LD_BIND_NOW LD_BIND_NOT LD_DYNAMIC_WEAK LD_PROFILE_OUTPUT LD_ASSUME_KERNEL info[DT_PLTREL]->d_un.d_val == DT_RELA info[DT_RELAENT]->d_un.d_val == sizeof (ElfW(Rela))

WARNING: Unsupported flag value(s) of 0x%x in DT_FLAGS_1.

� � � � � � $ ( + . 1 4 7 : = @ C F I L O R U Y \ _ b e h k n q t w z } � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � $ ' * . 2 5 8 ; > A D G K O S W [ ^ b e i m r v z ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � # & ) , 0 4 8 = A E H L P T X \ ` d h k o r v z � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � % * / 4 9 > C F K P U Z ^ b f j n r v z � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �

! & ) , 0 5 8 ; ? B F J N Q S U W Y ] a f k p u x } � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � $ + 2 9 @ G L O S X \ _ c h n r u y ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � % * / 4 9 = A E I M Q U Y ^ c h m r w | � � � � � � � � � � � � � � � � � � � � � � � � � � � # ( - 2 7 < A F K P V \ b h n t z � � � � � � � � � � � � � � � � � � � � � � � � � � � $ ) . 3 8 = B G L Q V [ ` e j o t y ~ � � � � � � � � � � � � � � � � � � � � � � � � �





#
(
-
2
7
<
A
F
K
P
U
Z
_
d
i
n
s
x
{
~
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�

" ( . 4 : @ F L R X ^ d i m q v z ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � $ ) / 4 ; ? D I N S Z c g k o s w { � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � " & * / 4 8 ; = ? A C E G I K M O Q S U W Y [ ^ a d g j m p s v y | � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � # & ) , / 2 5 8 ; > A D G J M P S V Y \ _ b e h k n q t w z } � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �

" % ( + . 1 4 7 : = @ C F I L O R U X [ ^ a d g j m p s v y | � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ! $ ' * - 0 3 6 9 < ? B E H K N Q T W Z ] ` c f i l o r u x { ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � # & ) , / 2 5 8 ; > A D G J M P S V Y \ _ b e h k n q t w z } � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �
" % ( + . 1 4 7 : = @ C F I L O R U X [ ^ a d g j m p s v y | � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ! $ ' * - 0 3 6 9 < ? B E H K N Q T W Z ] ` c f i l o r u x { ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � # & ) , / 2 5 8 ; > A D G J M P S V Y \ _ b e h k n q t w z } � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �
" % ( + . 1 4 7 : = @ C F I L O R U X [ ^ a d g j m p s v y | � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ! $ ' * - 0 3 6 9 < ? B E H K N Q T W Z ] ` c f i l o r u x { ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 2 3 I R S � � � � � � � � � � � � � � � � p q r s t u v w z { | } ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �
! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O Q R S T U V W X Y Z [ \ ^ _ j k r s t u � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �
" $ % & / 5 6 7 9 : < D G H I _ ` a b c � � � � ! ! ! ! !

! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !! "! $! &! (! ,! -! .! /! 0! 1! 3! 4! 9! E! F! G! H! I! S! T! U! V! W! X! Y! Z! [! \! ]! ^! _! `! a! b! c! d! e! f! g! h! i! j! k! l! m! n! o! p! q! r! s! t! u! v! w! x! y! z! {! |! }! ~! ! �! �! �! �! �! �! " " " " #" 6" <" d" e" j" k" �" �" $ $ $ $ $ $ $ $ $ $

$ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ !$ #$ $$ `$ a$ b$ c$ d$ e$ f$ g$ h$ i$ j$ k$ l$ m$ n$ o$ p$ q$ r$ s$ t$ u$ v$ w$ x$ y$ z$ {$ |$ }$ ~$ $ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ % % % % % % % $% ,% 4% <% �% t* u* v* 0 �0 Q2 R2 S2 T2 U2 V2 W2 X2 Y2 Z2 [2 \2 ]2 ^2 _2 �2 �2 �2 �2 �2 �2 �2 �2 �2 �2 �2 �2 �2 �2 �2 q3 r3 s3 t3 u3 v3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 � � � � � � )� � � � � � � � � � �

� � � � � � M� N� O� P� R� T� U� V� W� Y� Z� [� \� _� `� a� b� c� d� e� f� h� i� j� k� �� � � � � � � � � �
� � � � � � � � � � � � � � � � � � � � � � � !� "� #� $� %� &� '� (� )� *� +� ,� -� .� /� 0� 1� 2� 3� 4� 5� 6� 7� 8� 9� :� ;� <� =� >� ?� @� A� B� C� D� E� F� G� H� I� J� K� L� M� N� O� P� Q� R� S� T� U� V� W� X� Y� Z� [� \� ]� ^� � � � � � � � � � �
� � � � � � � � � � � � � � � � � � � � � � � !� "� #� $� %� &� '� (� )� *� +� ,� -� .� /� 0� 1� 2� 3� 4� 5� 6� 7� 8� 9� :� ;� <� =� >� ?� @� A� B� C� D� E� F� G� H� I� J� K� L� M� N� O� P� Q� R� S� T� V� W� X� Y� Z� [� \� ]� ^� _� `� a� b� c� d� e� f� g� h� i� j� k� l� m� n� o� p� q� r� s� t� u� v� w� x� y� z� {� |� }� ~� � �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� � � � � � � � � �
� � � � � � � � � � � � � � � � � � � !� "� #� $� %� &� '� (� )� *� +� ,� -� .� /� 0� 1� 2� 3� 4� 5� 6� 7� 8� 9� ;� <� =� >� @� A� B� C� D� F� J� K� L� M� N� O� P� R� S� T� U� V� W� X� Y� Z� [� \� ]� ^� _� `� a� b� c� d� e� f� g� h� i� j� k� l� m� n� o� p� q� r� s� t� u� v� w� x� y� z� {� |� }� ~� � �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� � � � � � � � � � �
� � � � � � � � � � � � � � � � � � � � � � � !� "� #� $� %� &� '� (� )� *� +� ,� -� .� /� 0� 1� 2� 3� 4� 5� 6� 7� 8� 9� :� ;� <� =� >� ?� @� A� B� C� D� E� F� G� H� I� J� K� L� M� N� O� P� Q� R� S� T� U� V� W� X� Y� Z� [� \� ]� ^� _� `� a� b� c� d� e� f� g� h� i� j� k� l� m� n� o� p� q� r� s� t� u� v� w� x� y� z� {� |� }� ~� � �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� ��

*** stack smashing detected ***: ter

Tested on:

commit: 2734d6c1 Linux 5.14-rc2
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=11d3845c300000

patch: https://syzkaller.appspot.com/x/patch.diff?x=16e33432300000

Desmond Cheong Zhi Xi

Jul 20, 2021, 9:55:22 AM
to syzbot, syzkall...@googlegroups.com
On 19/7/21 10:08 pm, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
Best,
Desmond
test.diff

syzbot

Jul 20, 2021, 11:21:07 AM
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

patch is already applied


Tested on:

commit: 8cae8cd8 seq_file: disallow extremely large seq buffer..
git tree: upstream
patch: https://syzkaller.appspot.com/x/patch.diff?x=123de8cc300000

Desmond Cheong Zhi Xi

Jul 20, 2021, 11:24:33 PM
to syzbot, syzkall...@googlegroups.com
test.diff

syzbot

Jul 21, 2021, 3:37:16 AM
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+2f6d7c...@syzkaller.appspotmail.com

Tested on:

commit: 8cae8cd8 seq_file: disallow extremely large seq buffer..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=4374ef2865daa37d
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=1402eea6300000

Desmond Cheong Zhi Xi

Jul 27, 2021, 9:44:57 AM
to syzbot, syzkall...@googlegroups.com
0001-Bluetooth-schedule-SCO-timeouts-with-delayed_work.patch

syzbot

Jul 27, 2021, 5:30:10 PM
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+2f6d7c...@syzkaller.appspotmail.com

Tested on:

commit: ff117646 Linux 5.14-rc3
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=a9e88c90e7151783
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=111f4ab6300000

Desmond Cheong Zhi Xi

Jul 27, 2021, 11:44:26 PM
to syzbot, syzkall...@googlegroups.com
Tweaked some timings.

Best,
Desmond
0001-Bluetooth-schedule-SCO-timeouts-with-delayed_work.patch

syzbot

Jul 28, 2021, 2:54:07 AM
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
&bytebuf[MAX_NEEDED_INPUT] inend - inptr > (state->__count & ~7) inend - inptr <= sizeof (state->__value) internal_ucs2reverse_loop_single __gconv_transform_internal_ucs2reverse ucs2reverse_internal_loop_single __gconv_transform_ucs2reverse_internal __gconv_transform_internal_ucs2 __gconv_transform_ucs2_internal __gconv_transform_utf8_internal __gconv_transform_internal_utf8 __gconv_transform_internal_ascii __gconv_transform_ascii_internal __gconv_transform_ucs4le_internal __gconv_transform_internal_ucs4le __gconv_transform_ucs4_internal __gconv_transform_internal_ucs4 internal_ucs2_loop_single ucs2_internal_loop_single utf8_internal_loop_single internal_utf8_loop_single internal_ascii_loop_single ucs4le_internal_loop GCONV_PATH /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache gconv_dl.c obj->counter > 0 found->handle == NULL gconv gconv_init gconv_end do_release_shlib __gconv_find_shlib ,TRANSLIT /IGNORE ,IGNORE LOCPATH


+ 3 ?HP[hw LC_COLLATE LC_CTYPE LC_MONETARY LC_NUMERIC LC_TIME LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION LC_ALL LANG findlocale.c locale_codeset != NULL /../ _nl_find_locale /usr/lib/locale n - loadlocale.c category == LC_CTYPE ����x���`���P���8����������� ��� �����������h���(���
V � . _nl_intern_locale_data loadarchive.c archmapped == &headmap headmap.len == archive_stat.st_size _nl_archive_subfreeres _nl_load_locale_from_archive /usr/lib/locale/locale-archive upper lower alpha digit xdigit space print graph blank cntrl punct alnum toupper tolower 8 H H H H H I ��������������� � ( ( �������������������������������������������������������������������������������������������������������� � ��� ��� � ��� ��� �� � � x �� � � x ���� � ���� � ����������� ����������� ����������� ����������� > > � ~ ~ � ~ ~ � � ��� ��� ��� ��� ��� ��� ��� ��� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ����
! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ a b c d e f g h i j k l m n o p q r s t u v w x y z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ����

! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` A B C D E F G H I J K L M N O P Q R S T U V W X Y Z { | } ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ` � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ` � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ( C ) < < - ( R ) u , > > 1 / 4 1 / 2 3 / 4 A E x s s a e I J i j ' n O E o e s L J L j l j N J N j n j D Z D z d z ' ^ ' ` _ : ~ H h S S s s # # ` W w i s s s ? J ` ` A ; E I I O Y O I A V G D E Z I T H I K L M N X O P R S T Y F C H P S O I Y a e i i y a v g d e z i t h i k l m n x o p r s s t y f c h p s o i y o y o & b t h Y ` Y ` Y ` f p & Q q 6 6 W w 9 0 9 0 9 0 0 9 0 0 S H s h F f K H k h H h D J d j G J g j T I t i k r s j T H e e S H s h S S s r S S S Y O D J G ` Y E Z ` I Y I J L ` N ` T S H K ` U ` D H A B V G D E Z H Z I J K L M N O P R S T U F X C Z C H S H S H H A ` Y ` ` E ` Y U Y A a b v g d e z h z i j k l m n o p r s t u f x c z c h s h s h h ` ` y ` ` e ` y u y a y o d j g ` y e z ` i y i j l ` n ` t s h k ` u ` d h O ` o ` F H f h Y H y h E ` e ` G ` g ` G H g h G H g h Z H ` z h ` K ` k ` K ` k ` N ` n ` N G n g P ` p ` O ` o ` C ` C ` T ` t ` U u H ` h ` T C Z t c z S H ` s h ` C H ` c h ` C H ` c h ` i Z H ` z h ` C H ` c h ` A ` a ` A ` a ` E ` e ` A ` a ` Z H ` z h ` Z ` z ` Z ` z ` I ` i ` O ` o ` O ` o ` U ` u ` U ` u ` C H ` c h ` Y ` y ` - - - - - - - ' ' , ' " " , , " + o . . . . . . ` ` ` ` ` ` < > ! ! / ? ? ? ! ! ? 
C = R s E U R I N R a / c a / s C c / o c / u g H H H h I I L l N N o P Q R R R T E L ( T M ) Z O h m Z B C e e E F M o i D d e i j 1 / 3 2 / 3 1 / 5 2 / 5 3 / 5 4 / 5 1 / 6 5 / 6 1 / 8 3 / 8 5 / 8 7 / 8 1 / I I I I I I I V V V I V I I V I I I I X X X I X I I L C D M i i i i i i i v v v i v i i v i i i i x x x i x i i l c d m < - - > < - > < = = > < = > - / \ * | : ~ < = > = < < > > < < < > > > N U L S O H S T X E T X E O T E N Q A C K B E L B S H T L F V T F F C R S O S I D L E D C 1 D C 2 D C 3 D C 4 N A K S Y N E T B C A N E M S U B E S C F S G S R S U S S P D E L _ N L ( 1 ) ( 2 ) ( 3 ) ( 4 ) ( 5 ) ( 6 ) ( 7 ) ( 8 ) ( 9 ) ( 1 0 ) ( 1 1 ) ( 1 2 ) ( 1 3 ) ( 1 4 ) ( 1 5 ) ( 1 6 ) ( 1 7 ) ( 1 8 ) ( 1 9 ) ( 2 0 ) ( 1 ) ( 2 ) ( 3 ) ( 4 ) ( 5 ) ( 6 ) ( 7 ) ( 8 ) ( 9 ) ( 1 0 ) ( 1 1 ) ( 1 2 ) ( 1 3 ) ( 1 4 ) ( 1 5 ) ( 1 6 ) ( 1 7 ) ( 1 8 ) ( 1 9 ) ( 2 0 ) 1 . 2 . 3 . 4 . 5 . 6 . 7 . 8 . 9 . 1 0 . 1 1 . 1 2 . 1 3 . 1 4 . 1 5 . 1 6 . 1 7 . 1 8 . 1 9 . 2 0 . ( a ) ( b ) ( c ) ( d ) ( e ) ( f ) ( g ) ( h ) ( i ) ( j ) ( k ) ( l ) ( m ) ( n ) ( o ) ( p ) ( q ) ( r ) ( s ) ( t ) ( u ) ( v ) ( w ) ( x ) ( y ) ( z ) ( A ) ( B ) ( C ) ( D ) ( E ) ( F ) ( G ) ( H ) ( I ) ( J ) ( K ) ( L ) ( M ) ( N ) ( O ) ( P ) ( Q ) ( R ) ( S ) ( T ) ( U ) ( V ) ( W ) ( X ) ( Y ) ( Z ) ( a ) ( b ) ( c ) ( d ) ( e ) ( f ) ( g ) ( h ) ( i ) ( j ) ( k ) ( l ) ( m ) ( n ) ( o ) ( p ) ( q ) ( r ) ( s ) ( t ) ( u ) ( v ) ( w ) ( x ) ( y ) ( z ) ( 0 ) - | + + + + + + + + + o : : = = = = = = = ( 2 1 ) ( 2 2 ) ( 2 3 ) ( 2 4 ) ( 2 5 ) ( 2 6 ) ( 2 7 ) ( 2 8 ) ( 2 9 ) ( 3 0 ) ( 3 1 ) ( 3 2 ) ( 3 3 ) ( 3 4 ) ( 3 5 ) ( 3 6 ) ( 3 7 ) ( 3 8 ) ( 3 9 ) ( 4 0 ) ( 4 1 ) ( 4 2 ) ( 4 3 ) ( 4 4 ) ( 4 5 ) ( 4 6 ) ( 4 7 ) ( 4 8 ) ( 4 9 ) ( 5 0 ) h P a d a A U b a r o V p c p A n A u A m A k A K B M B G B c a l k c a l p F n F u F u g m g k g H z k H z M H z G H z T H z u l m l d l k l f m n m u m m m c m k m m m ^ 2 c m ^ 2 m ^ 2 k m ^ 2 m m ^ 3 c m ^ 3 m ^ 3 k m ^ 3 m / s m / s ^ 2 P a k P a M P a G P a r a d r a d / 
s r a d / s ^ 2 p s n s u s m s p V n V u V m V k V M V p W n W u W m W k W M W a . m . B q c c c d C / k g C o . d B G y h a H P i n K K K M k t l m l n l o g l x m b m i l m o l P H p . m . P P M P R s r S v W b f f f i f l f f i f f l s t + _ _ _ , . ; : ? ! ( ) { } # & * + - < > = \ $ % @ ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z A C D G J K N O P Q S T U V W X Y Z a b c d f h i j k m n p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z A B D E F G J K L M N O P Q S T U V W X Y a b c d e f g h i j k l m n o p q r s t u v w x y z A B D E F G I J K L M O S T U V W X Y a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 % , 3 7 : > B F J N R V Y ] a e i m q u y } � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 
� � � � � � $ ( + . 1 4 7 : = @ C F I L O R U Y \ _ b e h k n q t w z } � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � $ ' * . 2 5 8 ; > A D G K O S W [ ^ b e i m r v z ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � # & ) , 0 4 8 = A E H L P T X \ ` d h k o r v z � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � % * / 4 9 > C F K P U Z ^ b f j n r v z � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �

! & ) , 0 5 8 ; ? B F J N Q S U W Y ] a f k p u x } � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � $ + 2 9 @ G L O S X \ _ c h n r u y ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � % * / 4 9 = A E I M Q U Y ^ c h m r w | � � � � � � � � � � � � � � � � � � � � � � � � � � � # ( - 2 7 < A F K P V \ b h n t z � � � � � � � � � � � � � � � � � � � � � � � � � � � $ ) . 3 8 = B G L Q V [ ` e j o t y ~ � � � � � � � � � � � � � � � � � � � � � � � � �





#
(
-
2
7
<
A
F
K
P
U
Z
_
d
i
n
s
x
{
~
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�

" ( . 4 : @ F L R X ^ d i m q v z ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � $ ) / 4 ; ? D I N S Z c g k o s w { � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � " & * / 4 8 ; = ? A C E G I K M O Q S U W Y [ ^ a d g j m p s v y | � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � # & ) , / 2 5 8 ; > A D G J M P S V Y \ _ b e h k n q t w z } � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �

" % ( + . 1 4 7 : = @ C F I L O R U X [ ^ a d g j m p s v y | � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ! $ ' * - 0 3 6 9 < ? B E H K N Q T W Z ] ` c f i l o r u x { ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � # & ) , / 2 5 8 ; > A D G J M P S V Y \ _ b e h k n q t w z } � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �
" % ( + . 1 4 7 : = @ C F I L O R U X [ ^ a d g j m p s v y | � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ! $ ' * - 0 3 6 9 < ? B E H K N Q T W Z ] ` c f i l o r u x { ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � # & ) , / 2 5 8 ; > A D G J M P S V Y \ _ b e h k n q t w z } � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �
" % ( + . 1 4 7 : = @ C F I L O R U X [ ^ a d g j m p s v y | � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ! $ ' * - 0 3 6 9 < ? B E H K N Q T W Z ] ` c f i l o r u x { ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 2 3 I R S � � � � � � � � � � � � � � � � p q r s t u v w z { | } ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �
! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O Q R S T U V W X Y Z [ \ ^ _ j k r s t u � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �
" $ % & / 5 6 7 9 : < D G H I _ ` a b c � � � � ! ! ! ! !

! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !! "! $! &! (! ,! -! .! /! 0! 1! 3! 4! 9! E! F! G! H! I! S! T! U! V! W! X! Y! Z! [! \! ]! ^! _! `! a! b! c! d! e! f! g! h! i! j! k! l! m! n! o! p! q! r! s! t! u! v! w! x! y! z! {! |! }! ~! ! �! �! �! �! �! �! " " " " #" 6" <" d" e" j" k" �" �" $ $ $ $ $ $ $ $ $ $

$ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ !$ #$ $$ `$ a$ b$ c$ d$ e$ f$ g$ h$ i$ j$ k$ l$ m$ n$ o$ p$ q$ r$ s$ t$ u$ v$ w$ x$ y$ z$ {$ |$ }$ ~$ $ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ �$ % % % % % % % $% ,% 4% <% �% t* u* v* 0 �0 Q2 R2 S2 T2 U2 V2 W2 X2 Y2 Z2 [2 \2 ]2 ^2 _2 �2 �2 �2 �2 �2 �2 �2 �2 �2 �2 �2 �2 �2 �2 �2 q3 r3 s3 t3 u3 v3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 �3 � � � � � � )� � � � � � � � � � �

� � � � � � M� N� O� P� R� T� U� V� W� Y� Z� [� \� _� `� a� b� c� d� e� f� h� i� j� k� �� � � � � � � � � �
� � � � � � � � � � � � � � � � � � � � � � � !� "� #� $� %� &� '� (� )� *� +� ,� -� .� /� 0� 1� 2� 3� 4� 5� 6� 7� 8� 9� :� ;� <� =� >� ?� @� A� B� C� D� E� F� G� H� I� J� K� L� M� N� O� P� Q� R� S� T� U� V� W� X� Y� Z� [� \� ]� ^� � � � � � � � � � �
� � � � � � � � � � � � � � � � � � � � � � � !� "� #� $� %� &� '� (� )� *� +� ,� -� .� /� 0� 1� 2� 3� 4� 5� 6� 7� 8� 9� :� ;� <� =� >� ?� @� A� B� C� D� E� F� G� H� I� J� K� L� M� N� O� P� Q� R� S� T� V� W� X� Y� Z� [� \� ]� ^� _� `� a� b� c� d� e� f� g� h� i� j� k� l� m� n� o� p� q� r� s� t� u� v� w� x� y� z� {� |� }� ~� � �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� � � � � � � � � �
� � � � � � � � � � � � � � � � � � � !� "� #� $� %� &� '� (� )� *� +� ,� -� .� /� 0� 1� 2� 3� 4� 5� 6� 7� 8� 9� ;� <� =� >� @� A� B� C� D� F� J� K� L� M� N� O� P� R� S� T� U� V� W� X� Y� Z� [� \� ]� ^� _� `� a� b� c� d� e� f� g� h� i� j� k� l� m� n� o� p� q� r� s� t� u� v� w� x� y� z� {� |� }� ~� � �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� � � � � � � � � � �
� � � � � � � � � � � � � � � � � � � � � � � !� "� #� $� %� &� '� (� )� *� +� ,� -� .� /� 0� 1� 2� 3� 4� 5� 6� 7� 8� 9� :� ;� <� =� >� ?� @� A� B� C� D� E� F� G� H� I� J� K� L� M� N� O� P� Q� R� S� T� U� V� W� X� Y� Z� [� \� ]� ^� _� `� a� b� c� d� e� f� g� h� i� j� k� l� m� n� o� p� q� r� s� t� u� v� w� x� y� z� {� |� }� ~� � �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� ��

Tested on:

commit: 7d549995 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=141d4fb2300000

kernel config: https://syzkaller.appspot.com/x/.config?x=a9e88c90e7151783
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1

patch: https://syzkaller.appspot.com/x/patch.diff?x=134162dc300000

Desmond Cheong Zhi Xi

Jul 29, 2021, 6:25:52 AM7/29/21
to syzbot, syzkall...@googlegroups.com
On 28/7/21 2:54 pm, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> WARNING: Unsupported flag value(s) of 0x%x in DT_FLAGS_1.
>
> $ $ $$ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $!$#$$$`$a$b$c$d$e$f$g$h$i$j$k$l$m$n$o$p$q$r$s$t$u$v$w$x$y$z${$|$}$~$ $�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$% % % % % % %$%,%4%<%�%t*u*v*0�0Q2R2S2T2U2V2W2X2Y2Z2[2\2]2^2_2�2�2�2�2�2�2�2�2�2�2�2�2�2�2�2q3r3s3t3u3v3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3� � � � � �)�� � � � � � � � � �
> � � �� � �M�N�O�P�R�T�U�V�W�Y�Z�[�\�_�`�a�b�c�d�e�f�h�i�j�k��� � � � � � � � � �
> � � �� � � � � � � � � � � � � � � � � � � �!�"�#�$�%�&�'�(�)�*�+�,�-�.�/�0�1�2�3�4�5�6�7�8�9�:�;�<�=�>�?�@�A�B�C�D�E�F�G�H�I�J�K�L�M�N�O�P�Q�R�S�T�U�V�W�X�Y�Z�[�\�]�^�� � � � � � � � � �
> � � � � � � � � � � � � � � � � � � � � � � � !� "� #� $� %� &� '� (� )� *� +� ,� -� .� /� 0� 1� 2� 3� 4� 5� 6� 7� 8� 9� :� ;� <� =� >� ?� @� A� B� C� D� E� F� G� H� I� J� K� L� M� N� O� P� Q� R� S� T� V� W� X� Y� Z� [� \� ]� ^� _� `� a� b� c� d� e� f� g� h� i� j� k� l� m� n� o� p� q� r� s� t� u� v� w� x� y� z� {� |� }� ~� � �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� � � � � � � � � �
> � � � � � � � � � � � � � � � � � � � !� "� #� $� %� &� '� (� )� *� +� ,� -� .� /� 0� 1� 2� 3� 4� 5� 6� 7� 8� 9� ;� <� =� >� @� A� B� C� D� F� J� K� L� M� N� O� P� R� S� T� U� V� W� X� Y� Z� [� \� ]� ^� _� `� a� b� c� d� e� f� g� h� i� j� k� l� m� n� o� p� q� r� s� t� u� v� w� x� y� z� {� |� }� ~� � �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� � � � � � � � � � �
> � � � � � � � � � � � � � � � � � � � � � � � !� "� #� $� %� &� '� (� )� *� +� ,� -� .� /� 0� 1� 2� 3� 4� 5� 6� 7� 8� 9� :� ;� <� =� >� ?� @� A� B� C� D� E� F� G� H� I� J� K� L� M� N� O� P� Q� R� S� T� U� V� W� X� Y� Z� [� \� ]� ^� _� `� a� b� c� d� e� f� g� h� i� j� k� l� m� n� o� p� q� r� s� t� u� v� w� x� y� z� {� |� }� ~� � �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� ��
> "$&(*,.02468:<>@BDFHJLNPRTVXZ\^`bdfhjlnprtvxz|~����������������������������������������������������������������
Best,
Desmond
0001-Bluetooth-schedule-SCO-timeouts-with-delayed_work.patch

syzbot

unread,
Jul 29, 2021, 7:34:12 AM7/29/21
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: Unsupported flag value(s) of 0x%x in DT_FLAGS_1.


Tested on:

commit: 4010a528 Merge tag 'fixes_for_v5.14-rc4' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=131f4a66300000


kernel config: https://syzkaller.appspot.com/x/.config?x=a9e88c90e7151783
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1

patch: https://syzkaller.appspot.com/x/patch.diff?x=17e1c4c6300000

Desmond Cheong Zhi Xi

unread,
Jul 29, 2021, 8:14:06 AM7/29/21
to syzbot, syzkall...@googlegroups.com
On 29/7/21 7:34 pm, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> WARNING: Unsupported flag value(s) of 0x%x in DT_FLAGS_1.
>
> !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~ �������������������������������������������������������������������������������������������������������������������������������� ` � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ` � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � (C)<<-(R)u,>> 1/4 1/2 3/4 AExssaeIJij'nOEoesLJLjljNJNjnjDZDzdz'^'`_:~HhSSss##`Wwisss?J``A;EIIOYOIAVGDEZITHIKLMNXOPRSTYFCHPSOIYaeiiyavgdezithiklmnxoprsstyfchpsoiyoyo&bthY`Y`Y`fp&Qq66Ww9090900900SHshFfKHkhHhDJdjGJgjTItikrsjTHeeSHshSSsrSSSYODJG`YEZ`IYIJL`N`TSHK`U`DHABVGDEZHZIJKLMNOPRSTUFXCZCHSHSHHA`Y``E`YUYAabvgdezhzijklmnoprstufxczchshshh``y``e`yuyayodjg`yez`iyijl`n`tshk`u`dhO`o`FHfhYHyhE`e`G`g`GHghGHghZH`zh`K`k`K`k`N`n`NGngP`p`O`o`C`C`T`t`UuH`h`TCZtczSH`sh`CH`ch`CH`ch`iZH`zh`CH`ch`A`a`A`a`E`e`A`a`ZH`zh`Z`z`Z`z`I`i`O`o`O`o`U`u`U`u`CH`ch`Y`y` -------'','"",,"+o...... ``````<>!!/???!!? 
C=RsEURINRa/ca/sCc/oc/ugHHHhIILlNNoPQRRRTEL(TM)ZOhmZBCeeEFMoiDdeij 1/3 2/3 1/5 2/5 3/5 4/5 1/6 5/6 1/8 3/8 5/8 7/8 1/IIIIIIIVVVIVIIVIIIIXXXIXIILCDMiiiiiiivvviviiviiiixxxixiilcdm<--><-><==><=>-/\*|:~<=>=<<>><<<>>>NULSOHSTXETXEOTENQACKBELBSHTLFVTFFCRSOSIDLEDC1DC2DC3DC4NAKSYNETBCANEMSUBESCFSGSRSUSSPDEL_NL(1)(2)(3)(4)(5)(6)(7)(8)(9)(10)(11)(12)(13)(14)(15)(16)(17)(18)(19)(20)(1)(2)(3)(4)(5)(6)(7)(8)(9)(10)(11)(12)(13)(14)(15)(16)(17)(18)(19)(20)1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.18.19.20.(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)(k)(l)(m)(n)(o)(p)(q)(r)(s)(t)(u)(v)(w)(x)(y)(z)(A)(B)(C)(D)(E)(F)(G)(H)(I)(J)(K)(L)(M)(N)(O)(P)(Q)(R)(S)(T)(U)(V)(W)(X)(Y)(Z)(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)(k)(l)(m)(n)(o)(p)(q)(r)(s)(t)(u)(v)(w)(x)(y)(z)(0)-|+++++++++o::====== =(21)(22)(23)(24)(25)(26)(27)(28)(29)(30)(31)(32)(33)(34)(35)(36)(37)(38)(39)(40)(41)(42)(43)(44)(45)(46)(47)(48)(49)(50)hPadaAUbaroVpcpAnAuAmAkAKBMBGBcalkcalpFnFuFugmgkgHzkHzMHzGHzTHzulmldlklfmnmummmcmkmmm^2cm^2m^2km^2mm^3cm^3m^3km^3m/sm/s^2PakPaMPaGParadrad/srad/s^2psnsusmspVnVuVmVkVMVpWnWuWmWkWMWa.m.BqcccdC/kgCo.dBGyhaHPinKKKMktlmlnloglxmbmilmolPHp.m.PPMPRsrSvWbfffiflffifflst+___,.;:?!(){}#&*+-<>=\$%@!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefgijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzACDGJKNOPQSTUVWXYZabcdfhijkmnpqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABDEFGJKLMNOPQSTUVWXYabcdefghijklmnopqrstuvwxyzABDEFGIJKLMOSTUVWXYabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234567890123456789012345678901234567890123456789 
%,37:>BFJNRVY]aeimquy}������������������������������������������ $ ( + . 1 4 7 : = @ C F I L O R U Y \ _ b e h k n q t w z } � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � $ ' * . 2 5 8 ; > A D G K O S W [ ^ b e i m r v z ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � # & ) , 0 4 8 = A E H L P T X \ ` d h k o r v z � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � % * / 4 9 > C F K P U Z ^ b f j n r v z � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �
> ! & ) , 0 5 8 ; ? B F J N Q S U W Y ] a f k p u x } � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � $ + 2 9 @ G L O S X \ _ c h n r u y ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � % * / 4 9 = A E I M Q U Y ^ c h m r w | � � � � � � � � � � � � � � � � � � � � � � � � � � � # ( - 2 7 < A F K P V \ b h n t z � � � � � � � � � � � � � � � � � � � � � � � � � � � $ ) . 3 8 = B G L Q V [ ` e j o t y ~ � � � � � � � � � � � � � � � � � � � � � � � � �
>
>
>
>
>
>
>
> #
> (
> -
> 2
> 7
> <
> A
> F
> K
> P
> U
> Z
> _
> d
> i
> n
> s
> x
> {
> ~
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
> �
>
> " ( . 4 : @ F L R X ^ d i m q v z ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � $ ) / 4 ; ? D I N S Z c g k o s w { � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � "&*/48;=?ACEGIKMOQSUWY[^adgjmpsvy| ������������������������������������������� # & ) , / 2 5 8 ; > A D G J M P S V Y \ _ b e h k n q t w z } � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �
> " % ( + . 1 4 7 : = @ C F I L O R U X [ ^ a d g j m p s v y | � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ! $ ' * - 0 3 6 9 < ? B E H K N Q T W Z ] ` c f i l o r u x { ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � # & ) , / 2 5 8 ; > A D G J M P S V Y \ _ b e h k n q t w z } � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �
> " % ( + . 1 4 7 : = @ C F I L O R U X [ ^ a d g j m p s v y | � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ! $ ' * - 0 3 6 9 < ? B E H K N Q T W Z ] ` c f i l o r u x { ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � # & ) , / 2 5 8 ; > A D G J M P S V Y \ _ b e h k n q t w z } � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �
> " % ( + . 1 4 7 : = @ C F I L O R U X [ ^ a d g j m p s v y | � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ! $ ' * - 0 3 6 9 < ? B E H K N Q T W Z ] ` c f i l o r u x { ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ���������������2 3 I R S � � � � � � � � � � � � � � � � p q r s t u v w z { | } ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �
> ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O Q R S T U V W X Y Z [ \ ^ _ j k r s t u � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �
> " $ % & / 5 6 7 9 : < D G H I _ ` a b c � � � � ! ! ! ! !
> ! ! !! ! ! ! ! ! ! ! ! ! ! ! !!!"!$!&!(!,!-!.!/!0!1!3!4!9!E!F!G!H!I!S!T!U!V!W!X!Y!Z![!\!]!^!_!`!a!b!c!d!e!f!g!h!i!j!k!l!m!n!o!p!q!r!s!t!u!v!w!x!y!z!{!|!}!~! !�!�!�!�!�!�! " " " "#"6"<"d"e"j"k"�"�"$ $ $ $ $ $ $ $ $ $
> $ $ $$ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $!$#$$$`$a$b$c$d$e$f$g$h$i$j$k$l$m$n$o$p$q$r$s$t$u$v$w$x$y$z${$|$}$~$ $�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$�$% % % % % % %$%,%4%<%�%t*u*v*0�0Q2R2S2T2U2V2W2X2Y2Z2[2\2]2^2_2�2�2�2�2�2�2�2�2�2�2�2�2�2�2�2q3r3s3t3u3v3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3�3� � � � � �)�� � � � � � � � � �
> � � �� � �M�N�O�P�R�T�U�V�W�Y�Z�[�\�_�`�a�b�c�d�e�f�h�i�j�k��� � � � � � � � � �
> � � �� � � � � � � � � � � � � � � � � � � �!�"�#�$�%�&�'�(�)�*�+�,�-�.�/�0�1�2�3�4�5�6�7�8�9�:�;�<�=�>�?�@�A�B�C�D�E�F�G�H�I�J�K�L�M�N�O�P�Q�R�S�T�U�V�W�X�Y�Z�[�\�]�^�� � � � � � � � � �
> � � � � � � � � � � � � � � � � � � � � � � � !� "� #� $� %� &� '� (� )� *� +� ,� -� .� /� 0� 1� 2� 3� 4� 5� 6� 7� 8� 9� :� ;� <� =� >� ?� @� A� B� C� D� E� F� G� H� I� J� K� L� M� N� O� P� Q� R� S� T� V� W� X� Y� Z� [� \� ]� ^� _� `� a� b� c� d� e� f� g� h� i� j� k� l� m� n� o� p� q� r� s� t� u� v� w� x� y� z� {� |� }� ~� � �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� � � � � � � � � �
> � � � � � � � � � � � � � � � � � � � !� "� #� $� %� &� '� (� )� *� +� ,� -� .� /� 0� 1� 2� 3� 4� 5� 6� 7� 8� 9� ;� <� =� >� @� A� B� C� D� F� J� K� L� M� N� O� P� R� S� T� U� V� W� X� Y� Z� [� \� ]� ^� _� `� a� b� c� d� e� f� g� h� i� j� k� l� m� n� o� p� q� r� s� t� u� v� w� x� y� z� {� |� }� ~� � �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� � � � � � � � � � �
> � � � � � � � � � � � � � � � � � � � � � � � !� "� #� $� %� &� '� (� )� *� +� ,� -� .� /� 0� 1� 2� 3� 4� 5� 6� 7� 8� 9� :� ;� <� =� >� ?� @� A� B� C� D� E� F� G� H� I� J� K� L� M� N� O� P� Q� R� S� T� U� V� W� X� Y� Z� [� \� ]� ^� _� `� a� b� c� d� e� f� g� h� i� j� k� l� m� n� o� p� q� r� s� t� u� v� w� x� y� z� {� |� }� ~� � �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� ��
> "$&(*,.02468:<>@BDFHJLNPRTVXZ\^`bdfhjlnprtvxz|~����������������������������������������������������������������
Testing an old version of the patch to see if the stack smashing
indicates an error with the patch, or if there's something else that the
reproducer is tripping on.

Best,
Desmond
nullhypothesis.diff

syzbot

Jul 29, 2021, 1:18:11 PM7/29/21
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+2f6d7c...@syzkaller.appspotmail.com

Tested on:

commit: 7e96bf47 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=a9e88c90e7151783
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=10b3ce62300000

Desmond Cheong Zhi Xi

Jul 30, 2021, 4:38:32 AM7/30/21
to syzbot, syzkall...@googlegroups.com
Best,
Desmond
combined_patch.diff

syzbot

Jul 30, 2021, 8:46:10 AM7/30/21
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file net/bluetooth/sco.c
checking file net/bluetooth/sco.c
Hunk #1 succeeded at 212 (offset -19 lines).
Hunk #2 succeeded at 245 (offset -19 lines).
Hunk #3 succeeded at 255 (offset -19 lines).
Hunk #4 succeeded at 551 (offset -17 lines).
Hunk #5 succeeded at 566 (offset -17 lines).
Hunk #6 succeeded at 585 (offset -17 lines).
checking file net/bluetooth/sco.c
Hunk #1 succeeded at 80 (offset -4 lines).
Hunk #2 FAILED at 191.
Hunk #3 succeeded at 1084 (offset -10 lines).
Hunk #4 succeeded at 1102 (offset -10 lines).
Hunk #5 succeeded at 1128 (offset -10 lines).
1 out of 5 hunks FAILED



Tested on:

commit: 764a5bc8 Merge tag 'drm-fixes-2021-07-30' of git://ano..
git tree: upstream
patch: https://syzkaller.appspot.com/x/patch.diff?x=10e1451e300000

Desmond Cheong Zhi Xi

Jul 30, 2021, 12:05:39 PM7/30/21
to syzbot, syzkall...@googlegroups.com
0001-Squashed-commit-of-the-following.patch

syzbot

Jul 30, 2021, 2:29:13 PM7/30/21
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in sco_sock_connect

INFO: task syz-executor.2:10266 blocked for more than 143 seconds.
Not tainted 5.14.0-rc3-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.2 state:D stack:28176 pid:10266 ppid: 8810 flags:0x00000000
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:589
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007f6dd9f6b188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffd9304140f R14: 00007f6dd9f6b300 R15: 0000000000022000
INFO: task syz-executor.3:10271 blocked for more than 143 seconds.
Not tainted 5.14.0-rc3-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.3 state:D stack:27528 pid:10271 ppid: 8811 flags:0x00000000
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:589
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007fa247894188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007fff191fe8bf R14: 00007fa247894300 R15: 0000000000022000
INFO: task syz-executor.5:10280 blocked for more than 143 seconds.
Not tainted 5.14.0-rc3-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.5 state:D stack:28176 pid:10280 ppid: 8813 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:589
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007f99b29e8188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffd50f0436f R14: 00007f99b29e8300 R15: 0000000000022000
INFO: task syz-executor.3:10293 blocked for more than 143 seconds.
Not tainted 5.14.0-rc3-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.3 state:D stack:28176 pid:10293 ppid: 8811 flags:0x00000000
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:589
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007fa247894188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007fff191fe8bf R14: 00007fa247894300 R15: 0000000000022000
INFO: task syz-executor.1:10306 blocked for more than 144 seconds.
Not tainted 5.14.0-rc3-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1 state:D stack:27528 pid:10306 ppid: 8812 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:589
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007f19e1af9188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffe520f021f R14: 00007f19e1af9300 R15: 0000000000022000

Showing all locks held in the system:
1 lock held by khungtaskd/1553:
#0: ffffffff8b97ba40 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6446
1 lock held by in:imklog/8142:
#0: ffff888017bca0f0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:974
1 lock held by syz-executor.0/10257:
#0: ffff88802a8b8078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:589
1 lock held by syz-executor.2/10266:
#0: ffff88802a8b8078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:589
1 lock held by syz-executor.3/10271:
#0: ffff88802a8b8078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:589
1 lock held by syz-executor.5/10280:
#0: ffff88802a8b8078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:589
1 lock held by syz-executor.3/10293:
#0: ffff88802a8b8078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:589
1 lock held by syz-executor.1/10306:
#0: ffff88802a8b8078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:589

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 1553 Comm: khungtaskd Not tainted 5.14.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
nmi_cpu_backtrace.cold+0x44/0xd7 lib/nmi_backtrace.c:105
nmi_trigger_cpumask_backtrace+0x1b3/0x230 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:210 [inline]
watchdog+0xd0a/0xfc0 kernel/hung_task.c:295
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 4865 Comm: systemd-journal Not tainted 5.14.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mark_usage kernel/locking/lockdep.c:4514 [inline]
RIP: 0010:__lock_acquire+0x89c/0x54a0 kernel/locking/lockdep.c:4969
Code: 00 00 41 8b b5 d0 09 00 00 85 f6 74 18 ba 06 00 00 00 4c 89 e6 4c 89 ef e8 e1 da ff ff 85 c0 0f 84 8f 05 00 00 ba 08 00 00 00 <4c> 89 e6 4c 89 ef e8 c9 da ff ff 85 c0 0f 84 77 05 00 00 48 c7 c2
RSP: 0018:ffffc9000167f498 EFLAGS: 00000046
RAX: 0000000000000000 RBX: ffff8880159d09d4 RCX: 1ffff11002b3a13d
RDX: 0000000000000008 RSI: 0000000000000000 RDI: ffffffff8fcb9b79
RBP: 0000000000000004 R08: 0000000000000000 R09: ffffffff8fcb78a7
R10: 0000000000000000 R11: 0000000000086088 R12: ffff8880159d09f0
R13: ffff8880159d0000 R14: 0000000000000000 R15: 0000000000000002
FS: 00007f459ece38c0(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f459c10a000 CR3: 000000002d434000 CR4: 0000000000350ee0
Call Trace:
lock_acquire kernel/locking/lockdep.c:5625 [inline]
lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5590
rcu_lock_acquire include/linux/rcupdate.h:267 [inline]
rcu_read_lock include/linux/rcupdate.h:687 [inline]
is_bpf_text_address+0x36/0x170 kernel/bpf/core.c:704
kernel_text_address kernel/extable.c:151 [inline]
kernel_text_address+0xbd/0xf0 kernel/extable.c:120
__kernel_text_address+0x9/0x30 kernel/extable.c:105
unwind_get_return_address arch/x86/kernel/unwind_orc.c:318 [inline]
unwind_get_return_address+0x51/0x90 arch/x86/kernel/unwind_orc.c:313
arch_stack_walk+0x93/0xe0 arch/x86/kernel/stacktrace.c:26
stack_trace_save+0x8c/0xc0 kernel/stacktrace.c:121
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_record_aux_stack+0xe5/0x110 mm/kasan/generic.c:348
task_work_add+0x3a/0x190 kernel/task_work.c:38
fput_many.part.0+0xbb/0x170 fs/file_table.c:341
fput_many fs/file_table.c:336 [inline]
fput+0x3b/0x50 fs/file_table.c:357
path_openat+0x19bd/0x27f0 fs/namei.c:3516
do_filp_open+0x1aa/0x400 fs/namei.c:3534
do_sys_openat2+0x16d/0x420 fs/open.c:1204
do_sys_open fs/open.c:1220 [inline]
__do_sys_open fs/open.c:1228 [inline]
__se_sys_open fs/open.c:1224 [inline]
__x64_sys_open+0x119/0x1c0 fs/open.c:1224
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f459e272840
Code: 73 01 c3 48 8b 0d 68 77 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 bb 20 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 1e f6 ff ff 48 89 04 24
RSP: 002b:00007ffc2c1c5968 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007ffc2c1c5c70 RCX: 00007f459e272840
RDX: 00000000000001a0 RSI: 0000000000080042 RDI: 000055b3e3bc26e0
RBP: 000000000000000d R08: 0000000000000000 R09: 00000000ffffffff
R10: 0000000000000069 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000055b3e3bb7040 R14: 00007ffc2c1c5c30 R15: 000055b3e3bc2500


Tested on:

commit: 4669e13c Merge tag 'block-5.14-2021-07-30' of git://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12e9c48e300000
kernel config: https://syzkaller.appspot.com/x/.config?x=d23f03ce85356de1
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=140323d4300000

Desmond Cheong Zhi Xi

Aug 1, 2021, 12:13:35 AM8/1/21
to syzbot, syzkall...@googlegroups.com
0001-Squashed-commit-of-the-following.patch

syzbot

Aug 1, 2021, 12:39:12 AM8/1/21
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: sleeping function called from invalid context in lock_sock_nested

BUG: sleeping function called from invalid context at net/core/sock.c:3161
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 10457, name: syz-executor.5
1 lock held by syz-executor.5/10457:
#0: ffffffff8d2ed220 (hci_sk_list.lock){++++}-{2:2}, at: hci_sock_dev_event+0x3db/0x660 net/bluetooth/hci_sock.c:763
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 1 PID: 10457 Comm: syz-executor.5 Not tainted 5.14.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
___might_sleep.cold+0x1f1/0x237 kernel/sched/core.c:9154
lock_sock_nested+0x25/0x120 net/core/sock.c:3161
lock_sock include/net/sock.h:1613 [inline]
hci_sock_dev_event+0x465/0x660 net/bluetooth/hci_sock.c:765
hci_unregister_dev+0x2fd/0x1130 net/bluetooth/hci_core.c:4033
vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340
__fput+0x288/0x920 fs/file_table.c:280
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0xbd4/0x2a60 kernel/exit.c:825
do_group_exit+0x125/0x310 kernel/exit.c:922
__do_sys_exit_group kernel/exit.c:933 [inline]
__se_sys_exit_group kernel/exit.c:931 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:931
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
Code: Unable to access opcode bytes at RIP 0x4665af.
RSP: 002b:00007ffc8f73be28 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007ffc8f73c5e8 RCX: 00000000004665d9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043
RBP: 0000000000000000 R08: 0000000000000025 R09: 00007ffc8f73c5e8
R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004bef54
R13: 0000000000000010 R14: 0000000000000000 R15: 0000000000400538

======================================================


Tested on:

commit: f3438b4c Merge tag '5.14-rc3-smb3-fixes' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12d631b2300000
kernel config: https://syzkaller.appspot.com/x/.config?x=d23f03ce85356de1
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=17a374ae300000

Desmond Cheong Zhi Xi

Aug 1, 2021, 2:15:53 AM8/1/21
to syzbot, syzkall...@googlegroups.com
test.diff

syzbot

Aug 1, 2021, 6:37:11 AM8/1/21
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in sco_sock_connect

INFO: task syz-executor.1:10268 blocked for more than 143 seconds.
Not tainted 5.14.0-rc3-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1 state:D stack:28176 pid:10268 ppid: 8832 flags:0x00000000
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:586
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007fb122278188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007fff685e37ff R14: 00007fb122278300 R15: 0000000000022000
INFO: task syz-executor.0:10271 blocked for more than 143 seconds.
Not tainted 5.14.0-rc3-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:28176 pid:10271 ppid: 8834 flags:0x00000000
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:586
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
INFO: task syz-executor.3:10273 blocked for more than 143 seconds.
Not tainted 5.14.0-rc3-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.3 state:D stack:27528 pid:10273 ppid: 8838 flags:0x00000000
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:586
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
INFO: task syz-executor.4:10287 blocked for more than 143 seconds.
Not tainted 5.14.0-rc3-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.4 state:D stack:28176 pid:10287 ppid: 8836 flags:0x00000000
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:586
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
INFO: task syz-executor.0:10297 blocked for more than 144 seconds.
Not tainted 5.14.0-rc3-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:28176 pid:10297 ppid: 8834 flags:0x00000000
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:586
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
INFO: task syz-executor.2:10308 blocked for more than 144 seconds.
Not tainted 5.14.0-rc3-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.2 state:D stack:27528 pid:10308 ppid: 8837 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:586
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
INFO: task syz-executor.5:10329 blocked for more than 144 seconds.
Not tainted 5.14.0-rc3-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.5 state:D stack:27528 pid:10329 ppid: 8839 flags:0x00004004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:586
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

Showing all locks held in the system:
1 lock held by khungtaskd/1568:
#0: ffffffff8b97ba40 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6446
1 lock held by in:imklog/8139:
#0: ffff888018cd7c70 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:974
1 lock held by syz-executor.4/10254:
#0: ffff88803080c078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:586
1 lock held by syz-executor.1/10268:
#0: ffff88803080c078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:586
1 lock held by syz-executor.0/10271:
#0: ffff88803080c078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:586
1 lock held by syz-executor.3/10273:
#0: ffff88803080c078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:586
1 lock held by syz-executor.4/10287:
#0: ffff88803080c078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:586
1 lock held by syz-executor.0/10297:
#0: ffff88803080c078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:586
1 lock held by syz-executor.2/10308:
#0: ffff88803080c078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:586
1 lock held by syz-executor.5/10329:
#0: ffff88803080c078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:586

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 1568 Comm: khungtaskd Not tainted 5.14.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
nmi_cpu_backtrace.cold+0x44/0xd7 lib/nmi_backtrace.c:105
nmi_trigger_cpumask_backtrace+0x1b3/0x230 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:210 [inline]
watchdog+0xd0a/0xfc0 kernel/hung_task.c:295
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0 skipped: idling at native_safe_halt arch/x86/include/asm/irqflags.h:51 [inline]
NMI backtrace for cpu 0 skipped: idling at arch_safe_halt arch/x86/include/asm/irqflags.h:89 [inline]
NMI backtrace for cpu 0 skipped: idling at acpi_safe_halt drivers/acpi/processor_idle.c:109 [inline]
NMI backtrace for cpu 0 skipped: idling at acpi_idle_do_entry+0x1c6/0x250 drivers/acpi/processor_idle.c:553


Tested on:

commit: f3438b4c Merge tag '5.14-rc3-smb3-fixes' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15bfe68e300000
kernel config: https://syzkaller.appspot.com/x/.config?x=d23f03ce85356de1
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=17d404ae300000

Desmond Cheong Zhi Xi

Aug 2, 2021, 1:06:35 AM
to syzbot, syzkall...@googlegroups.com
test.diff

syzbot

Aug 2, 2021, 1:53:11 AM
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in sco_sock_connect

INFO: task syz-executor.0:10247 blocked for more than 143 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:27528 pid:10247 ppid: 8828 flags:0x00000000
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:584
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
INFO: task syz-executor.1:10250 blocked for more than 143 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1 state:D stack:28176 pid:10250 ppid: 8834 flags:0x00000000
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:584
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
INFO: task syz-executor.4:10262 blocked for more than 143 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.4 state:D stack:27528 pid:10262 ppid: 8833 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:584
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
INFO: task syz-executor.1:10268 blocked for more than 143 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1 state:D stack:28176 pid:10268 ppid: 8834 flags:0x00000000
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:584
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
INFO: task syz-executor.3:10274 blocked for more than 144 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.3 state:D stack:27528 pid:10274 ppid: 8832 flags:0x00000000
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:584
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
INFO: task syz-executor.5:10304 blocked for more than 144 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.5 state:D stack:27528 pid:10304 ppid: 8835 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:584
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
INFO: task syz-executor.2:10310 blocked for more than 144 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.2 state:D stack:27528 pid:10310 ppid: 8831 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:584
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

Showing all locks held in the system:
1 lock held by khungtaskd/1649:
#0: ffffffff8b97ba40 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6446
1 lock held by in:imklog/8144:
#0: ffff88801ee999f0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:974
1 lock held by syz-executor.1/10239:
#0: ffff88802b414078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:584
1 lock held by syz-executor.0/10247:
#0: ffff88802b414078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:584
1 lock held by syz-executor.1/10250:
#0: ffff88802b414078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:584
1 lock held by syz-executor.4/10262:
#0: ffff88802b414078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:584
1 lock held by syz-executor.1/10268:
#0: ffff88802b414078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:584
1 lock held by syz-executor.3/10274:
#0: ffff88802b414078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:584
1 lock held by syz-executor.5/10304:
#0: ffff88802b414078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:584
1 lock held by syz-executor.2/10310:
#0: ffff88802b414078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:584

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 1649 Comm: khungtaskd Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
nmi_cpu_backtrace.cold+0x44/0xd7 lib/nmi_backtrace.c:105
nmi_trigger_cpumask_backtrace+0x1b3/0x230 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:210 [inline]
watchdog+0xd0a/0xfc0 kernel/hung_task.c:295
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1 skipped: idling at native_safe_halt arch/x86/include/asm/irqflags.h:51 [inline]
NMI backtrace for cpu 1 skipped: idling at arch_safe_halt arch/x86/include/asm/irqflags.h:89 [inline]
NMI backtrace for cpu 1 skipped: idling at acpi_safe_halt drivers/acpi/processor_idle.c:109 [inline]
NMI backtrace for cpu 1 skipped: idling at acpi_idle_do_entry+0x1c6/0x250 drivers/acpi/processor_idle.c:553


Tested on:

commit: c500bee1 Linux 5.14-rc4
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15700c01300000
kernel config: https://syzkaller.appspot.com/x/.config?x=166c8f6532dd88df
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=141f283a300000

Desmond Cheong Zhi Xi

Aug 2, 2021, 4:46:52 AM
to syzbot, syzkall...@googlegroups.com
test.diff

syzbot

Aug 2, 2021, 7:25:06 AM
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
possible deadlock in sco_conn_del

======================================================
WARNING: possible circular locking dependency detected
5.14.0-rc4-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.2/14867 is trying to acquire lock:
ffff88803e3c1120 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1613 [inline]
ffff88803e3c1120 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_conn_del+0x12a/0x2a0 net/bluetooth/sco.c:191

but task is already holding lock:
ffffffff8d2dc7c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1497 [inline]
ffffffff8d2dc7c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xda/0x260 net/bluetooth/hci_conn.c:1608

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (hci_cb_list_lock){+.+.}-{3:3}:
__mutex_lock_common kernel/locking/mutex.c:959 [inline]
__mutex_lock+0x12a/0x10a0 kernel/locking/mutex.c:1104
hci_connect_cfm include/net/bluetooth/hci_core.h:1482 [inline]
hci_remote_features_evt net/bluetooth/hci_event.c:3263 [inline]
hci_event_packet+0x2f4d/0x7c50 net/bluetooth/hci_event.c:6240
hci_rx_work+0x4f8/0xd30 net/bluetooth/hci_core.c:5122
process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

-> #1 (&hdev->lock){+.+.}-{3:3}:
__mutex_lock_common kernel/locking/mutex.c:959 [inline]
__mutex_lock+0x12a/0x10a0 kernel/locking/mutex.c:1104
sco_connect net/bluetooth/sco.c:245 [inline]
sco_sock_connect+0x227/0xa10 net/bluetooth/sco.c:601
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

-> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
check_prev_add kernel/locking/lockdep.c:3051 [inline]
check_prevs_add kernel/locking/lockdep.c:3174 [inline]
validate_chain kernel/locking/lockdep.c:3789 [inline]
__lock_acquire+0x2a07/0x54a0 kernel/locking/lockdep.c:5015
lock_acquire kernel/locking/lockdep.c:5625 [inline]
lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5590
lock_sock_nested+0xca/0x120 net/core/sock.c:3170
lock_sock include/net/sock.h:1613 [inline]
sco_conn_del+0x12a/0x2a0 net/bluetooth/sco.c:191
sco_disconn_cfm+0x71/0xb0 net/bluetooth/sco.c:1202
hci_disconn_cfm include/net/bluetooth/hci_core.h:1500 [inline]
hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1608
hci_dev_do_close+0x528/0x1130 net/bluetooth/hci_core.c:1778
hci_unregister_dev+0x1c0/0x5a0 net/bluetooth/hci_core.c:4015
vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340
__fput+0x288/0x920 fs/file_table.c:280
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0xbd4/0x2a60 kernel/exit.c:825
do_group_exit+0x125/0x310 kernel/exit.c:922
get_signal+0x47f/0x2160 kernel/signal.c:2808
arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:865
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:209
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
ret_from_fork+0x15/0x30 arch/x86/entry/entry_64.S:288

other info that might help us debug this:

Chain exists of:
sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> &hdev->lock --> hci_cb_list_lock

Possible unsafe locking scenario:

CPU0 CPU1
---- ----
lock(hci_cb_list_lock);
lock(&hdev->lock);
lock(hci_cb_list_lock);
lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);

*** DEADLOCK ***

3 locks held by syz-executor.2/14867:
#0: ffff8880353ccff0 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0xb7/0x1130 net/bluetooth/hci_core.c:1728
#1: ffff8880353cc078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_do_close+0x22e/0x1130 net/bluetooth/hci_core.c:1765
#2: ffffffff8d2dc7c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1497 [inline]
#2: ffffffff8d2dc7c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xda/0x260 net/bluetooth/hci_conn.c:1608

stack backtrace:
CPU: 1 PID: 14867 Comm: syz-executor.2 Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
check_noncircular+0x25f/0x2e0 kernel/locking/lockdep.c:2131
check_prev_add kernel/locking/lockdep.c:3051 [inline]
check_prevs_add kernel/locking/lockdep.c:3174 [inline]
validate_chain kernel/locking/lockdep.c:3789 [inline]
__lock_acquire+0x2a07/0x54a0 kernel/locking/lockdep.c:5015
lock_acquire kernel/locking/lockdep.c:5625 [inline]
lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5590
lock_sock_nested+0xca/0x120 net/core/sock.c:3170
lock_sock include/net/sock.h:1613 [inline]
sco_conn_del+0x12a/0x2a0 net/bluetooth/sco.c:191
sco_disconn_cfm+0x71/0xb0 net/bluetooth/sco.c:1202
hci_disconn_cfm include/net/bluetooth/hci_core.h:1500 [inline]
hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1608
hci_dev_do_close+0x528/0x1130 net/bluetooth/hci_core.c:1778
hci_unregister_dev+0x1c0/0x5a0 net/bluetooth/hci_core.c:4015
vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340
__fput+0x288/0x920 fs/file_table.c:280
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0xbd4/0x2a60 kernel/exit.c:825
do_group_exit+0x125/0x310 kernel/exit.c:922
get_signal+0x47f/0x2160 kernel/signal.c:2808
arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:865
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:209
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
ret_from_fork+0x15/0x30 arch/x86/entry/entry_64.S:288
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:167 [inline]
BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]
BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]
BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]
BUG: KASAN: use-after-free in sock_put include/net/sock.h:1815 [inline]
BUG: KASAN: use-after-free in sco_conn_del+0x161/0x2a0 net/bluetooth/sco.c:196
Write of size 4 at addr ffff88803e3c1080 by task syz-executor.2/14867

CPU: 1 PID: 14867 Comm: syz-executor.2 Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233
__kasan_report mm/kasan/report.c:419 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:436
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:167 [inline]
__refcount_sub_and_test include/linux/refcount.h:272 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
sock_put include/net/sock.h:1815 [inline]
sco_conn_del+0x161/0x2a0 net/bluetooth/sco.c:196
sco_disconn_cfm+0x71/0xb0 net/bluetooth/sco.c:1202
hci_disconn_cfm include/net/bluetooth/hci_core.h:1500 [inline]
hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1608
hci_dev_do_close+0x528/0x1130 net/bluetooth/hci_core.c:1778
hci_unregister_dev+0x1c0/0x5a0 net/bluetooth/hci_core.c:4015
vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340
__fput+0x288/0x920 fs/file_table.c:280
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0xbd4/0x2a60 kernel/exit.c:825
do_group_exit+0x125/0x310 kernel/exit.c:922
get_signal+0x47f/0x2160 kernel/signal.c:2808
arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:865
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:209
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
ret_from_fork+0x15/0x30 arch/x86/entry/entry_64.S:288
RIP: 0033:0x4665d9
Code: Unable to access opcode bytes at RIP 0x4665af.
RSP: 002b:00007f6d191c4188 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: 0000000000000000 RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 9999999999999999 RSI: 0000000000000000 RDI: 00040000000007fc
RBP: 00000000004bfcb9 R08: ffffffffffffffff R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffcc98fb13f R14: 00007f6d191c4300 R15: 0000000000022000

Allocated by task 14822:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc mm/kasan/common.c:513 [inline]
____kasan_kmalloc mm/kasan/common.c:472 [inline]
__kasan_kmalloc+0x9b/0xd0 mm/kasan/common.c:522
kmalloc include/linux/slab.h:596 [inline]
sk_prot_alloc+0x110/0x290 net/core/sock.c:1808
sk_alloc+0x32/0xbc0 net/core/sock.c:1861
sco_sock_alloc.constprop.0+0x31/0x220 net/bluetooth/sco.c:501
sco_sock_create+0xd5/0x1b0 net/bluetooth/sco.c:536
bt_sock_create+0x17c/0x340 net/bluetooth/af_bluetooth.c:130
__sock_create+0x353/0x790 net/socket.c:1450
sock_create net/socket.c:1501 [inline]
__sys_socket+0xef/0x200 net/socket.c:1543
__do_sys_socket net/socket.c:1552 [inline]
__se_sys_socket net/socket.c:1550 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1550
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 14867:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free mm/kasan/common.c:328 [inline]
__kasan_slab_free+0xfb/0x130 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1625 [inline]
slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1650
slab_free mm/slub.c:3210 [inline]
kfree+0xe4/0x530 mm/slub.c:4264
sk_prot_free net/core/sock.c:1844 [inline]
__sk_destruct+0x6a8/0x900 net/core/sock.c:1929
sk_destruct+0xbd/0xe0 net/core/sock.c:1944
__sk_free+0xef/0x3d0 net/core/sock.c:1955
sk_free+0x78/0xa0 net/core/sock.c:1966
sock_put include/net/sock.h:1816 [inline]
sco_sock_kill+0x18d/0x1b0 net/bluetooth/sco.c:422
sco_conn_del+0x153/0x2a0 net/bluetooth/sco.c:195
sco_disconn_cfm+0x71/0xb0 net/bluetooth/sco.c:1202
hci_disconn_cfm include/net/bluetooth/hci_core.h:1500 [inline]
hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1608
hci_dev_do_close+0x528/0x1130 net/bluetooth/hci_core.c:1778
hci_unregister_dev+0x1c0/0x5a0 net/bluetooth/hci_core.c:4015
vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340
__fput+0x288/0x920 fs/file_table.c:280
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0xbd4/0x2a60 kernel/exit.c:825
do_group_exit+0x125/0x310 kernel/exit.c:922
get_signal+0x47f/0x2160 kernel/signal.c:2808
arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:865
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:209
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
ret_from_fork+0x15/0x30 arch/x86/entry/entry_64.S:288

The buggy address belongs to the object at ffff88803e3c1000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
2048-byte region [ffff88803e3c1000, ffff88803e3c1800)
The buggy address belongs to the page:
page:ffffea0000f8f000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3e3c0
head:ffffea0000f8f000 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010842000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5, ts 73813642786, free_ts 61784687158
prep_new_page mm/page_alloc.c:2436 [inline]
get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4169
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5391
alloc_pages+0x18c/0x2a0 mm/mempolicy.c:2244
alloc_slab_page mm/slub.c:1688 [inline]
allocate_slab+0x32e/0x4b0 mm/slub.c:1828
new_slab mm/slub.c:1891 [inline]
new_slab_objects mm/slub.c:2637 [inline]
___slab_alloc+0x4ba/0x820 mm/slub.c:2800
__slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2840
slab_alloc_node mm/slub.c:2922 [inline]
__kmalloc_node_track_caller+0x2e3/0x360 mm/slub.c:4650
kmalloc_reserve net/core/skbuff.c:355 [inline]
pskb_expand_head+0x15e/0x1060 net/core/skbuff.c:1696
netlink_trim+0x1ea/0x240 net/netlink/af_netlink.c:1296
netlink_broadcast_filtered+0x65/0xdc0 net/netlink/af_netlink.c:1501
netlink_broadcast net/netlink/af_netlink.c:1546 [inline]
nlmsg_multicast include/net/netlink.h:1033 [inline]
nlmsg_notify+0x90/0x250 net/netlink/af_netlink.c:2547
rtnl_notify net/core/rtnetlink.c:741 [inline]
rtmsg_ifinfo_send net/core/rtnetlink.c:3835 [inline]
rtmsg_ifinfo_event net/core/rtnetlink.c:3850 [inline]
rtmsg_ifinfo_event net/core/rtnetlink.c:3838 [inline]
rtmsg_ifinfo+0xf0/0x120 net/core/rtnetlink.c:3856
netdev_state_change net/core/dev.c:1516 [inline]
netdev_state_change+0x114/0x130 net/core/dev.c:1507
linkwatch_do_dev+0x151/0x1b0 net/core/link_watch.c:167
__linkwatch_run_queue+0x1ea/0x630 net/core/link_watch.c:212
linkwatch_event+0x4a/0x60 net/core/link_watch.c:251
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1346 [inline]
free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1397
free_unref_page_prepare mm/page_alloc.c:3332 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3411
__vunmap+0x783/0xb70 mm/vmalloc.c:2587
__vfree+0x3c/0xd0 mm/vmalloc.c:2635
vfree+0x5a/0x90 mm/vmalloc.c:2666
kcov_put kernel/kcov.c:408 [inline]
kcov_put+0x26/0x40 kernel/kcov.c:404
kcov_close+0xc/0x10 kernel/kcov.c:510
__fput+0x288/0x920 fs/file_table.c:280
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0xbd4/0x2a60 kernel/exit.c:825
do_group_exit+0x125/0x310 kernel/exit.c:922
get_signal+0x47f/0x2160 kernel/signal.c:2808
arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:865
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:209
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86

Memory state around the buggy address:
ffff88803e3c0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88803e3c1000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88803e3c1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88803e3c1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88803e3c1180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: c500bee1 Linux 5.14-rc4
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15923d3e300000
kernel config: https://syzkaller.appspot.com/x/.config?x=166c8f6532dd88df
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=134d8e3a300000

Desmond Cheong Zhi Xi

Aug 2, 2021, 9:23:22 AM
to syzbot, syzkall...@googlegroups.com
Trying something simpler.

Best,
Desmond
test.diff

syzbot

Aug 2, 2021, 10:18:11 AM
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Write in sco_conn_del

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:167 [inline]
BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]
BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]
BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]
BUG: KASAN: use-after-free in sock_put include/net/sock.h:1815 [inline]
BUG: KASAN: use-after-free in sco_conn_del+0x170/0x2b0 net/bluetooth/sco.c:200
Write of size 4 at addr ffff88801c504080 by task syz-executor.0/16456

CPU: 0 PID: 16456 Comm: syz-executor.0 Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233
__kasan_report mm/kasan/report.c:419 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:436
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:167 [inline]
__refcount_sub_and_test include/linux/refcount.h:272 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
sock_put include/net/sock.h:1815 [inline]
sco_conn_del+0x170/0x2b0 net/bluetooth/sco.c:200
sco_disconn_cfm+0x71/0xb0 net/bluetooth/sco.c:1206
hci_disconn_cfm include/net/bluetooth/hci_core.h:1500 [inline]
hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1608
hci_dev_do_close+0x528/0x1130 net/bluetooth/hci_core.c:1778
hci_unregister_dev+0x1c0/0x5a0 net/bluetooth/hci_core.c:4015
vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340
__fput+0x288/0x920 fs/file_table.c:280
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0xbd4/0x2a60 kernel/exit.c:825
do_group_exit+0x125/0x310 kernel/exit.c:922
get_signal+0x47f/0x2160 kernel/signal.c:2808
arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:865
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:209
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
Code: Unable to access opcode bytes at RIP 0x4665af.
RSP: 002b:00007f263d3c2218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000056bf88 RCX: 00000000004665d9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000056bf88
RBP: 000000000056bf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf8c
R13: 00007fffbc1cac3f R14: 00007f263d3c2300 R15: 0000000000022000

Allocated by task 14804:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc mm/kasan/common.c:513 [inline]
____kasan_kmalloc mm/kasan/common.c:472 [inline]
__kasan_kmalloc+0x9b/0xd0 mm/kasan/common.c:522
kmalloc include/linux/slab.h:596 [inline]
sk_prot_alloc+0x110/0x290 net/core/sock.c:1808
sk_alloc+0x32/0xbc0 net/core/sock.c:1861
sco_sock_alloc.constprop.0+0x31/0x220 net/bluetooth/sco.c:505
sco_sock_create+0xd5/0x1b0 net/bluetooth/sco.c:540
bt_sock_create+0x17c/0x340 net/bluetooth/af_bluetooth.c:130
__sock_create+0x353/0x790 net/socket.c:1450
sock_create net/socket.c:1501 [inline]
__sys_socket+0xef/0x200 net/socket.c:1543
__do_sys_socket net/socket.c:1552 [inline]
__se_sys_socket net/socket.c:1550 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1550
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 16456:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free mm/kasan/common.c:328 [inline]
__kasan_slab_free+0xfb/0x130 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1625 [inline]
slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1650
slab_free mm/slub.c:3210 [inline]
kfree+0xe4/0x530 mm/slub.c:4264
sk_prot_free net/core/sock.c:1844 [inline]
__sk_destruct+0x6a8/0x900 net/core/sock.c:1929
sk_destruct+0xbd/0xe0 net/core/sock.c:1944
__sk_free+0xef/0x3d0 net/core/sock.c:1955
sk_free+0x78/0xa0 net/core/sock.c:1966
sock_put include/net/sock.h:1816 [inline]
sco_sock_kill+0x18d/0x1b0 net/bluetooth/sco.c:426
sco_conn_del+0x162/0x2b0 net/bluetooth/sco.c:199
sco_disconn_cfm+0x71/0xb0 net/bluetooth/sco.c:1206
hci_disconn_cfm include/net/bluetooth/hci_core.h:1500 [inline]
hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1608
hci_dev_do_close+0x528/0x1130 net/bluetooth/hci_core.c:1778
hci_unregister_dev+0x1c0/0x5a0 net/bluetooth/hci_core.c:4015
vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340
__fput+0x288/0x920 fs/file_table.c:280
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0xbd4/0x2a60 kernel/exit.c:825
do_group_exit+0x125/0x310 kernel/exit.c:922
get_signal+0x47f/0x2160 kernel/signal.c:2808
arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:865
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:209
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88801c504000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
2048-byte region [ffff88801c504000, ffff88801c504800)
The buggy address belongs to the page:
page:ffffea0000714000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c500
head:ffffea0000714000 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010842000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, ts 6742497855, free_ts 0
prep_new_page mm/page_alloc.c:2436 [inline]
get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4169
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5391
alloc_page_interleave+0x1e/0x200 mm/mempolicy.c:2119
alloc_pages+0x238/0x2a0 mm/mempolicy.c:2242
alloc_slab_page mm/slub.c:1688 [inline]
allocate_slab+0x32e/0x4b0 mm/slub.c:1828
new_slab mm/slub.c:1891 [inline]
new_slab_objects mm/slub.c:2637 [inline]
___slab_alloc+0x4ba/0x820 mm/slub.c:2800
__slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2840
slab_alloc_node mm/slub.c:2922 [inline]
slab_alloc mm/slub.c:2964 [inline]
kmem_cache_alloc_trace+0x30f/0x3c0 mm/slub.c:2981
kmalloc include/linux/slab.h:591 [inline]
kzalloc include/linux/slab.h:721 [inline]
acpi_os_allocate_zeroed include/acpi/platform/aclinuxex.h:57 [inline]
acpi_ds_create_walk_state+0x88/0x1ff drivers/acpi/acpica/dswstate.c:518
acpi_ps_execute_method+0x19d/0x61c drivers/acpi/acpica/psxface.c:134
acpi_ns_evaluate+0x6c7/0x966 drivers/acpi/acpica/nseval.c:205
acpi_ut_evaluate_object+0xf1/0x3f6 drivers/acpi/acpica/uteval.c:60
acpi_rs_get_method_data+0x7e/0xe5 drivers/acpi/acpica/rsutils.c:650
acpi_walk_resources drivers/acpi/acpica/rsxface.c:616 [inline]
acpi_walk_resources+0xf3/0x1ca drivers/acpi/acpica/rsxface.c:594
acpi_pci_link_get_current+0x1d8/0x3f0 drivers/acpi/pci_link.c:256
acpi_pci_link_set+0x598/0xa70 drivers/acpi/pci_link.c:362
page_owner free stack trace missing

Memory state around the buggy address:
ffff88801c503f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801c504000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801c504080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801c504100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801c504180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: c500bee1 Linux 5.14-rc4
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=156eeec9d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=166c8f6532dd88df
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=1758bb1e300000

Desmond Cheong Zhi Xi

Aug 2, 2021, 11:02:20 AM
to syzbot, syzkall...@googlegroups.com
Best,
Desmond
test.diff

syzbot

Aug 2, 2021, 11:54:10 AM
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lock_sock_nested

general protection fault, probably for non-canonical address 0xdffffc0000000014: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000a0-0x00000000000000a7]
CPU: 1 PID: 10098 Comm: kworker/1:4 Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events sco_sock_timeout
RIP: 0010:__lock_acquire+0xd7d/0x54a0 kernel/locking/lockdep.c:4885
Code: e5 0d 41 be 01 00 00 00 0f 86 c8 00 00 00 89 05 89 c4 e5 0d e9 bd 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 f3 2f 00 00 48 81 3b c0 c3 eb 8e 0f 84 52 f3 ff
RSP: 0018:ffffc9000a90fa98 EFLAGS: 00010016
RAX: dffffc0000000000 RBX: 00000000000000a0 RCX: 0000000000000000
RDX: 0000000000000014 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88801fe79c40 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055ee3be43a88 CR3: 000000000b68e000 CR4: 0000000000350ee0
Call Trace:
lock_acquire kernel/locking/lockdep.c:5625 [inline]
lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5590
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
_raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:175
spin_lock_bh include/linux/spinlock.h:359 [inline]
lock_sock_nested+0x40/0x120 net/core/sock.c:3162
lock_sock include/net/sock.h:1613 [inline]
sco_sock_timeout+0x48/0x1b0 net/bluetooth/sco.c:87
process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Modules linked in:
---[ end trace 7b2073259572ed8f ]---
RIP: 0010:__lock_acquire+0xd7d/0x54a0 kernel/locking/lockdep.c:4885
Code: e5 0d 41 be 01 00 00 00 0f 86 c8 00 00 00 89 05 89 c4 e5 0d e9 bd 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 f3 2f 00 00 48 81 3b c0 c3 eb 8e 0f 84 52 f3 ff
RSP: 0018:ffffc9000a90fa98 EFLAGS: 00010016
RAX: dffffc0000000000 RBX: 00000000000000a0 RCX: 0000000000000000
RDX: 0000000000000014 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88801fe79c40 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055ee3be43a88 CR3: 000000000b68e000 CR4: 0000000000350ee0


Tested on:

commit: c500bee1 Linux 5.14-rc4
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=123861c9d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=166c8f6532dd88df
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=16ab3672300000

Desmond Cheong Zhi Xi

Aug 2, 2021, 11:57:03 AM
to syzbot, syzkall...@googlegroups.com
Fixes the null-ptr dereference.

Best,
Desmond
test.diff

syzbot

Aug 2, 2021, 12:15:10 PM
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: workqueue leaked lock or atomic in sco_sock_timeout

BUG: workqueue leaked lock or atomic: kworker/0:4/0x00000001/8679
last function: sco_sock_timeout
1 lock held by kworker/0:4/8679:
#0: ffff8880202c2020 (&conn->lock#2){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline]
#0: ffff8880202c2020 (&conn->lock#2){+.+.}-{2:2}, at: sco_sock_timeout+0x1a/0x280 net/bluetooth/sco.c:85
CPU: 0 PID: 8679 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events sco_sock_timeout
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
process_one_work.cold+0xa2/0xba kernel/workqueue.c:2291
worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
BUG: sleeping function called from invalid context at kernel/workqueue.c:2302
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 8679, name: kworker/0:4
1 lock held by kworker/0:4/8679:
#0: ffff8880202c2020 (&conn->lock#2){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline]
#0: ffff8880202c2020 (&conn->lock#2){+.+.}-{2:2}, at: sco_sock_timeout+0x1a/0x280 net/bluetooth/sco.c:85
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 0 PID: 8679 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events sco_sock_timeout
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
___might_sleep.cold+0x1f1/0x237 kernel/sched/core.c:9154
process_one_work+0xaca/0x1630 kernel/workqueue.c:2302
worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
BUG: workqueue leaked lock or atomic: kworker/0:4/0x00000001/8679
last function: wg_packet_tx_worker
1 lock held by kworker/0:4/8679:
#0: ffff8880202c2020 (&conn->lock#2){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline]
#0: ffff8880202c2020 (&conn->lock#2){+.+.}-{2:2}, at: sco_sock_timeout+0x1a/0x280 net/bluetooth/sco.c:85
CPU: 0 PID: 8679 Comm: kworker/0:4 Tainted: G W 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: wg-crypt-wg1 wg_packet_tx_worker
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
process_one_work.cold+0xa2/0xba kernel/workqueue.c:2291
worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

======================================================


Tested on:

commit: c500bee1 Linux 5.14-rc4
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16063162300000
kernel config: https://syzkaller.appspot.com/x/.config?x=166c8f6532dd88df
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=149eeec9d00000

Desmond Cheong Zhi Xi

Aug 2, 2021, 1:03:52 PM
to syzbot, syzkall...@googlegroups.com
Best,
Desmond
test.diff

syzbot

Aug 2, 2021, 1:36:07 PM
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in sco_sock_connect

INFO: task syz-executor.2:10268 blocked for more than 143 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.2 state:D stack:27528 pid:10268 ppid: 8834 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007f25195b2188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007fff9752628f R14: 00007f25195b2300 R15: 0000000000022000
INFO: task syz-executor.5:10301 blocked for more than 143 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.5 state:D stack:28176 pid:10301 ppid: 8835 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007f85c4e63188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007fff0fbdc98f R14: 00007f85c4e63300 R15: 0000000000022000
INFO: task syz-executor.5:10352 blocked for more than 143 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.5 state:D stack:29512 pid:10352 ppid: 8835 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007f85c4e42188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000005
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038
R13: 00007fff0fbdc98f R14: 00007f85c4e42300 R15: 0000000000022000
INFO: task syz-executor.0:10299 blocked for more than 143 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:28176 pid:10299 ppid: 8833 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007f25c344e188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffc490d26af R14: 00007f25c344e300 R15: 0000000000022000
INFO: task syz-executor.3:10313 blocked for more than 144 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.3 state:D stack:28176 pid:10313 ppid: 8828 flags:0x00000000
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007fb34a53e188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffd4a4327bf R14: 00007fb34a53e300 R15: 0000000000022000
INFO: task syz-executor.0:10331 blocked for more than 144 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:28176 pid:10331 ppid: 8833 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007f25c344e188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffc490d26af R14: 00007f25c344e300 R15: 0000000000022000
INFO: task syz-executor.1:10329 blocked for more than 144 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1 state:D stack:27664 pid:10329 ppid: 8837 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007f7da1d28188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffc380186af R14: 00007f7da1d28300 R15: 0000000000022000
INFO: task syz-executor.0:10335 blocked for more than 144 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:28712 pid:10335 ppid: 8833 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007f25c344e188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffc490d26af R14: 00007f25c344e300 R15: 0000000000022000

Showing all locks held in the system:
2 locks held by kworker/u4:0/8:
1 lock held by khungtaskd/1648:
#0: ffffffff8b97ba40 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6446
1 lock held by in:imklog/8109:
1 lock held by syz-executor.2/10268:
#0: ffff888034d8c078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
1 lock held by syz-executor.3/10274:
#0: ffff888034d8c078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
1 lock held by syz-executor.5/10301:
#0: ffff888034d8c078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
1 lock held by syz-executor.5/10352:
#0: ffff888034d8c078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
1 lock held by syz-executor.0/10299:
#0: ffff888034d8c078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
1 lock held by syz-executor.3/10313:
#0: ffff888034d8c078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
1 lock held by syz-executor.0/10331:
#0: ffff888034d8c078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
1 lock held by syz-executor.1/10329:
#0: ffff888034d8c078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
1 lock held by syz-executor.0/10335:
#0: ffff888034d8c078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 1648 Comm: khungtaskd Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
nmi_cpu_backtrace.cold+0x44/0xd7 lib/nmi_backtrace.c:105
nmi_trigger_cpumask_backtrace+0x1b3/0x230 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:210 [inline]
watchdog+0xd0a/0xfc0 kernel/hung_task.c:295
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1 skipped: idling at native_safe_halt arch/x86/include/asm/irqflags.h:51 [inline]
NMI backtrace for cpu 1 skipped: idling at arch_safe_halt arch/x86/include/asm/irqflags.h:89 [inline]
NMI backtrace for cpu 1 skipped: idling at acpi_safe_halt drivers/acpi/processor_idle.c:109 [inline]
NMI backtrace for cpu 1 skipped: idling at acpi_idle_do_entry+0x1c6/0x250 drivers/acpi/processor_idle.c:553


Tested on:

commit: c500bee1 Linux 5.14-rc4
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=176b3672300000
kernel config: https://syzkaller.appspot.com/x/.config?x=166c8f6532dd88df
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=16495c52300000

Desmond Cheong Zhi Xi

Aug 3, 2021, 12:38:13 AM8/3/21
to syzbot, syzkall...@googlegroups.com
test.diff

syzbot

Aug 3, 2021, 12:57:06 AM8/3/21
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in sco_sock_connect

INFO: task syz-executor.2:12003 blocked for more than 143 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.2 state:D stack:28176 pid:12003 ppid: 10432 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007f6310be4188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffd20630f0f R14: 00007f6310be4300 R15: 0000000000022000
INFO: task syz-executor.0:12007 blocked for more than 143 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:28176 pid:12007 ppid: 10434 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007f1a3d18b188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffd9a12e01f R14: 00007f1a3d18b300 R15: 0000000000022000
INFO: task syz-executor.5:12018 blocked for more than 143 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.5 state:D stack:27528 pid:12018 ppid: 10433 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007fc6b4196188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffc9a014f6f R14: 00007fc6b4196300 R15: 0000000000022000
INFO: task syz-executor.4:12047 blocked for more than 143 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.4 state:D stack:27952 pid:12047 ppid: 10435 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007fa649369188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038
R13: 00007fffa720a01f R14: 00007fa649369300 R15: 0000000000022000
INFO: task syz-executor.0:12037 blocked for more than 144 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:28280 pid:12037 ppid: 10434 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007f1a3d18b188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffd9a12e01f R14: 00007f1a3d18b300 R15: 0000000000022000
INFO: task syz-executor.5:12048 blocked for more than 144 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.5 state:D stack:27352 pid:12048 ppid: 10433 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007fc6b4175188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038
R13: 00007ffc9a014f6f R14: 00007fc6b4175300 R15: 0000000000022000
INFO: task syz-executor.0:12040 blocked for more than 144 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:28176 pid:12040 ppid: 12037 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007f1a3d18b188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffd9a12e01f R14: 00007f1a3d18b300 R15: 0000000000022000
INFO: task syz-executor.3:12041 blocked for more than 144 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.3 state:D stack:28176 pid:12041 ppid: 10436 flags:0x00000000
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007ff389e08188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007fff1b5c0c9f R14: 00007ff389e08300 R15: 0000000000022000
INFO: task syz-executor.1:12044 blocked for more than 144 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1 state:D stack:28176 pid:12044 ppid: 10437 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007fbee4520188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffd897440ff R14: 00007fbee4520300 R15: 0000000000022000
INFO: task syz-executor.1:12059 blocked for more than 144 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1 state:D stack:28176 pid:12059 ppid: 10437 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007fbee4520188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffd897440ff R14: 00007fbee4520300 R15: 0000000000022000

Showing all locks held in the system:
1 lock held by khungtaskd/1652:
#0: ffffffff8b97ba40 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6446
1 lock held by in:imklog/8137:
#0: ffff888032e96ff0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:974
1 lock held by syz-executor.2/12003:
#0: ffff888047240078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
1 lock held by syz-executor.3/12004:
#0: ffff888047240078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
1 lock held by syz-executor.0/12007:
#0: ffff888047240078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
1 lock held by syz-executor.5/12018:
#0: ffff888047240078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
1 lock held by syz-executor.4/12047:
#0: ffff888047240078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
1 lock held by syz-executor.0/12037:
#0: ffff888047240078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
1 lock held by syz-executor.5/12048:
#0: ffff888047240078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
1 lock held by syz-executor.0/12040:
#0: ffff888047240078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
1 lock held by syz-executor.3/12041:
#0: ffff888047240078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
1 lock held by syz-executor.1/12044:
#0: ffff888047240078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
1 lock held by syz-executor.1/12059:
#0: ffff888047240078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
1 lock held by syz-executor.3/12062:
#0: ffff888047240078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
1 lock held by syz-executor.1/12076:
#0: ffff888047240078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594
1 lock held by syz-executor.1/12077:
#0: ffff888047240078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect+0x1ab/0xa20 net/bluetooth/sco.c:594

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 1652 Comm: khungtaskd Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
nmi_cpu_backtrace.cold+0x44/0xd7 lib/nmi_backtrace.c:105
nmi_trigger_cpumask_backtrace+0x1b3/0x230 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:210 [inline]
watchdog+0xd0a/0xfc0 kernel/hung_task.c:295
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 4852 Comm: systemd-journal Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:114 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0xa0/0x180 mm/kasan/generic.c:189
Code: 0f 49 da 49 c1 fb 03 45 85 db 0f 84 c5 00 00 00 45 89 db 4a 8d 14 d8 eb 0d 48 83 c0 08 48 39 d0 0f 84 a9 00 00 00 48 83 38 00 <74> ed 48 8d 50 08 eb 09 48 83 c0 01 48 39 d0 74 7a 80 38 00 74 f2
RSP: 0018:ffffc900010efda8 EFLAGS: 00000246
RAX: ffffed10054d4150 RBX: ffffed10054d4200 RCX: ffffffff83ef4b0d
RDX: ffffed10054d4200 RSI: 0000000000000fe0 RDI: ffff88802a6a0020
RBP: ffffed10054d4004 R08: 0000000000000001 R09: ffff88802a6a0fff
R10: ffffed10054d41ff R11: 000000000000003f R12: 0000000000000004
R13: ffff88802a6a0020 R14: ffff88802a6a0020 R15: ffffffff8d6ca188
FS: 00007f08fd78a8c0(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f08fac6c000 CR3: 000000002a524000 CR4: 0000000000350ee0
Call Trace:
strncpy_from_user+0x9d/0x3e0 lib/strncpy_from_user.c:136
getname_flags.part.0+0x95/0x4f0 fs/namei.c:149
getname_flags+0x9a/0xe0 include/linux/audit.h:319
getname fs/namei.c:209 [inline]
user_path_create fs/namei.c:3660 [inline]
do_mkdirat+0x8d/0x310 fs/namei.c:3838
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f08fca45687
Code: 00 b8 ff ff ff ff c3 0f 1f 40 00 48 8b 05 09 d8 2b 00 64 c7 00 5f 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 d7 2b 00 f7 d8 64 89 01 48
RSP: 002b:00007ffd2a8b9dd8 EFLAGS: 00000293 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 00007ffd2a8bce40 RCX: 00007f08fca45687
RDX: 0000000000000000 RSI: 00000000000001ed RDI: 0000560e4ea248a0
RBP: 00007ffd2a8b9e10 R08: 0000560e4e33e3e5 R09: 0000000000000018
R10: 0000000000000069 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 0000560e4ea248a0 R15: 00007ffd2a8ba450


Tested on:

commit: c500bee1 Linux 5.14-rc4
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=170ab852300000
kernel config: https://syzkaller.appspot.com/x/.config?x=166c8f6532dd88df
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=16dcf766300000

Desmond Cheong Zhi Xi

Aug 3, 2021, 4:29:08 AM8/3/21
to syzbot, syzkall...@googlegroups.com
test.diff

syzbot

Aug 3, 2021, 4:30:19 AM8/3/21
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file net/bluetooth/rfcomm/sock.c
checking file net/bluetooth/sco.c
checking file include/net/bluetooth/bluetooth.h
checking file net/bluetooth/hci_core.c
checking file net/bluetooth/hci_sock.c
checking file net/bluetooth/hci_sysfs.c
checking file net/bluetooth/sco.c
Hunk #1 succeeded at 569 (offset -8 lines).
Hunk #2 FAILED at 589.
1 out of 2 hunks FAILED



Tested on:

commit: c500bee1 Linux 5.14-rc4
git tree: upstream
patch: https://syzkaller.appspot.com/x/patch.diff?x=17c1a021300000

Desmond Cheong Zhi Xi

Aug 3, 2021, 4:45:29 AM8/3/21
to syzbot, syzkall...@googlegroups.com
test.diff

syzbot

Aug 3, 2021, 5:05:13 AM8/3/21
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in sco_sock_connect

INFO: task syz-executor.2:10272 blocked for more than 143 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.2 state:D stack:28176 pid:10272 ppid: 8824 flags:0x00004004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect.cold+0x1a0/0x940 net/bluetooth/sco.c:597
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007f5067e4f188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffd9dd5789f R14: 00007f5067e4f300 R15: 0000000000022000
INFO: task syz-executor.2:10292 blocked for more than 143 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.2 state:D stack:28176 pid:10292 ppid: 8824 flags:0x00004004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect.cold+0x1a0/0x940 net/bluetooth/sco.c:597
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007f5067e4f188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffd9dd5789f R14: 00007f5067e4f300 R15: 0000000000022000
INFO: task syz-executor.0:10290 blocked for more than 143 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:28176 pid:10290 ppid: 8827 flags:0x00004000
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect.cold+0x1a0/0x940 net/bluetooth/sco.c:597
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007f69e31e4188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffc63c562df R14: 00007f69e31e4300 R15: 0000000000022000
INFO: task syz-executor.1:10301 blocked for more than 143 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1 state:D stack:27528 pid:10301 ppid: 8829 flags:0x00004000
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect.cold+0x1a0/0x940 net/bluetooth/sco.c:597
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007f85e7879188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffcdc91672f R14: 00007f85e7879300 R15: 0000000000022000
INFO: task syz-executor.5:10317 blocked for more than 144 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.5 state:D stack:27528 pid:10317 ppid: 8825 flags:0x00004004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect.cold+0x1a0/0x940 net/bluetooth/sco.c:597
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007f1b49727188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffc5d22563f R14: 00007f1b49727300 R15: 0000000000022000
INFO: task syz-executor.4:10323 blocked for more than 144 seconds.
Not tainted 5.14.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.4 state:D stack:27456 pid:10323 ppid: 8828 flags:0x00004004
Call Trace:
context_switch kernel/sched/core.c:4683 [inline]
__schedule+0x93a/0x26f0 kernel/sched/core.c:5940
schedule+0xd3/0x270 kernel/sched/core.c:6019
schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6078
__mutex_lock_common kernel/locking/mutex.c:1036 [inline]
__mutex_lock+0x7b6/0x10a0 kernel/locking/mutex.c:1104
sco_sock_connect.cold+0x1a0/0x940 net/bluetooth/sco.c:597
__sys_connect_file+0x155/0x1a0 net/socket.c:1879
__sys_connect+0x161/0x190 net/socket.c:1896
__do_sys_connect net/socket.c:1906 [inline]
__se_sys_connect net/socket.c:1903 [inline]
__x64_sys_connect+0x6f/0xb0 net/socket.c:1903
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
RSP: 002b:00007f05c075d188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000080 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffebc49ed5f R14: 00007f05c075d300 R15: 0000000000022000

Showing all locks held in the system:
3 locks held by kworker/u4:0/8:
#0: ffff8880b9d35a98 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x1e/0x30 kernel/sched/core.c:460
#1: ffffc90000cd7db0 ((work_completion)(&(&bat_priv->nc.work)->work)){+.+.}-{0:0}, at: process_one_work+0x8a5/0x1630 kernel/workqueue.c:2251
#2: ffff8880b9d24258 (&base->lock){..-.}-{2:2}, at: lock_timer_base+0x5a/0x1f0 kernel/time/timer.c:946
1 lock held by khungtaskd/1650:
#0: ffffffff8b97ba40 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6446
1 lock held by in:imklog/8140:
#0: ffff88801d792370 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:974
1 lock held by syz-executor.3/10260:
#0: ffff888038338078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect.cold+0x1a0/0x940 net/bluetooth/sco.c:597
1 lock held by syz-executor.2/10272:
#0: ffff888038338078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect.cold+0x1a0/0x940 net/bluetooth/sco.c:597
1 lock held by syz-executor.2/10292:
#0: ffff888038338078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect.cold+0x1a0/0x940 net/bluetooth/sco.c:597
1 lock held by syz-executor.0/10290:
#0: ffff888038338078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect.cold+0x1a0/0x940 net/bluetooth/sco.c:597
1 lock held by syz-executor.1/10301:
#0: ffff888038338078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect.cold+0x1a0/0x940 net/bluetooth/sco.c:597
1 lock held by syz-executor.5/10317:
#0: ffff888038338078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect.cold+0x1a0/0x940 net/bluetooth/sco.c:597
1 lock held by syz-executor.4/10323:
#0: ffff888038338078 (&hdev->lock){+.+.}-{3:3}, at: sco_sock_connect.cold+0x1a0/0x940 net/bluetooth/sco.c:597

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 1650 Comm: khungtaskd Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
nmi_cpu_backtrace.cold+0x44/0xd7 lib/nmi_backtrace.c:105
nmi_trigger_cpumask_backtrace+0x1b3/0x230 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:210 [inline]
watchdog+0xd0a/0xfc0 kernel/hung_task.c:295
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 8 Comm: kworker/u4:0 Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_nc_worker
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:85 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0xde/0x180 mm/kasan/generic.c:189
Code: 74 f2 48 89 c2 b8 01 00 00 00 48 85 d2 75 56 5b 5d 41 5c c3 48 85 d2 74 5e 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 50 80 38 00 <74> f2 eb d4 41 bc 08 00 00 00 48 89 ea 45 29 dc 4d 8d 1c 2c eb 0c
RSP: 0018:ffffc90000cd79d8 EFLAGS: 00000046
RAX: fffffbfff1f9712e RBX: fffffbfff1f9712f RCX: ffffffff815ac8d2
RDX: fffffbfff1f9712f RSI: 0000000000000008 RDI: ffffffff8fcb8970
RBP: fffffbfff1f9712e R08: 0000000000000000 R09: ffffffff8fcb8977
R10: fffffbfff1f9712e R11: 0000000000000000 R12: ffff888011a9df00
R13: ffff888011a9d4c0 R14: 0000000000000000 R15: 68198999668f55b3
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4fb1d48000 CR3: 0000000014bfb000 CR4: 0000000000350ee0
Call Trace:
instrument_atomic_read include/linux/instrumented.h:71 [inline]
test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
hlock_class kernel/locking/lockdep.c:199 [inline]
__lock_acquire+0x1442/0x54a0 kernel/locking/lockdep.c:5011
lock_acquire kernel/locking/lockdep.c:5625 [inline]
lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5590
rcu_lock_acquire include/linux/rcupdate.h:267 [inline]
rcu_read_lock include/linux/rcupdate.h:687 [inline]
batadv_nc_process_nc_paths.part.0+0xec/0x3c0 net/batman-adv/network-coding.c:683
batadv_nc_process_nc_paths net/batman-adv/network-coding.c:675 [inline]
batadv_nc_worker+0xafa/0xe50 net/batman-adv/network-coding.c:724
process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295


Tested on:

commit: c500bee1 Linux 5.14-rc4
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13c2a172300000
kernel config: https://syzkaller.appspot.com/x/.config?x=166c8f6532dd88df
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=10bcf766300000

Desmond Cheong Zhi Xi

Aug 3, 2021, 5:41:26 AM
to syzbot, syzkall...@googlegroups.com
test.diff

syzbot

Aug 3, 2021, 5:55:11 AM
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Write in sco_conn_del

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:167 [inline]
BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]
BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]
BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]
BUG: KASAN: use-after-free in sock_put include/net/sock.h:1815 [inline]
BUG: KASAN: use-after-free in sco_conn_del+0x161/0x2a0 net/bluetooth/sco.c:205
Write of size 4 at addr ffff88801fd9c080 by task syz-executor.4/15533

CPU: 0 PID: 15533 Comm: syz-executor.4 Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233
__kasan_report mm/kasan/report.c:419 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:436
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:167 [inline]
__refcount_sub_and_test include/linux/refcount.h:272 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
sock_put include/net/sock.h:1815 [inline]
sco_conn_del+0x161/0x2a0 net/bluetooth/sco.c:205
sco_disconn_cfm+0x71/0xb0 net/bluetooth/sco.c:1204
hci_disconn_cfm include/net/bluetooth/hci_core.h:1500 [inline]
hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1608
hci_dev_do_close+0x528/0x1130 net/bluetooth/hci_core.c:1778
hci_unregister_dev+0x1c0/0x5a0 net/bluetooth/hci_core.c:4015
vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340
__fput+0x288/0x920 fs/file_table.c:280
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0xbd4/0x2a60 kernel/exit.c:825
do_group_exit+0x125/0x310 kernel/exit.c:922
get_signal+0x47f/0x2160 kernel/signal.c:2808
arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:865
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:209
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
Code: Unable to access opcode bytes at RIP 0x4665af.
RSP: 002b:00007f5a0e112218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000056bf88 RCX: 00000000004665d9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000056bf88
RBP: 000000000056bf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf8c
R13: 00007fff2b691f8f R14: 00007f5a0e112300 R15: 0000000000022000

Allocated by task 16375:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc mm/kasan/common.c:513 [inline]
____kasan_kmalloc mm/kasan/common.c:472 [inline]
__kasan_kmalloc+0x9b/0xd0 mm/kasan/common.c:522
kmalloc include/linux/slab.h:596 [inline]
sk_prot_alloc+0x110/0x290 net/core/sock.c:1808
sk_alloc+0x32/0xbc0 net/core/sock.c:1861
sco_sock_alloc.constprop.0+0x31/0x220 net/bluetooth/sco.c:495
sco_sock_create+0xd5/0x1b0 net/bluetooth/sco.c:530
bt_sock_create+0x17c/0x340 net/bluetooth/af_bluetooth.c:130
__sock_create+0x353/0x790 net/socket.c:1450
sock_create net/socket.c:1501 [inline]
__sys_socket+0xef/0x200 net/socket.c:1543
__do_sys_socket net/socket.c:1552 [inline]
__se_sys_socket net/socket.c:1550 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1550
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 15533:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free mm/kasan/common.c:328 [inline]
__kasan_slab_free+0xfb/0x130 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1625 [inline]
slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1650
slab_free mm/slub.c:3210 [inline]
kfree+0xe4/0x530 mm/slub.c:4264
sk_prot_free net/core/sock.c:1844 [inline]
__sk_destruct+0x6a8/0x900 net/core/sock.c:1929
sk_destruct+0xbd/0xe0 net/core/sock.c:1944
__sk_free+0xef/0x3d0 net/core/sock.c:1955
sk_free+0x78/0xa0 net/core/sock.c:1966
sock_put include/net/sock.h:1816 [inline]
sco_sock_kill+0x18d/0x1b0 net/bluetooth/sco.c:416
sco_conn_del+0x153/0x2a0 net/bluetooth/sco.c:204
sco_disconn_cfm+0x71/0xb0 net/bluetooth/sco.c:1204
hci_disconn_cfm include/net/bluetooth/hci_core.h:1500 [inline]
hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1608
hci_dev_do_close+0x528/0x1130 net/bluetooth/hci_core.c:1778
hci_unregister_dev+0x1c0/0x5a0 net/bluetooth/hci_core.c:4015
vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340
__fput+0x288/0x920 fs/file_table.c:280
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0xbd4/0x2a60 kernel/exit.c:825
do_group_exit+0x125/0x310 kernel/exit.c:922
get_signal+0x47f/0x2160 kernel/signal.c:2808
arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:865
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:209
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88801fd9c000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
2048-byte region [ffff88801fd9c000, ffff88801fd9c800)
The buggy address belongs to the page:
page:ffffea00007f6600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1fd98
head:ffffea00007f6600 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010842000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 8831, ts 75291977433, free_ts 75271895652
prep_new_page mm/page_alloc.c:2436 [inline]
get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4169
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5391
alloc_pages+0x18c/0x2a0 mm/mempolicy.c:2244
alloc_slab_page mm/slub.c:1688 [inline]
allocate_slab+0x32e/0x4b0 mm/slub.c:1828
new_slab mm/slub.c:1891 [inline]
new_slab_objects mm/slub.c:2637 [inline]
___slab_alloc+0x4ba/0x820 mm/slub.c:2800
__slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2840
slab_alloc_node mm/slub.c:2922 [inline]
__kmalloc_node_track_caller+0x2e3/0x360 mm/slub.c:4650
kmalloc_reserve net/core/skbuff.c:355 [inline]
__alloc_skb+0xde/0x340 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1112 [inline]
nlmsg_new include/net/netlink.h:953 [inline]
inet6_ifinfo_notify+0x72/0x150 net/ipv6/addrconf.c:5973
addrconf_notify+0x4c5/0x2400 net/ipv6/addrconf.c:3615
notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2123
call_netdevice_notifiers_extack net/core/dev.c:2135 [inline]
call_netdevice_notifiers net/core/dev.c:2149 [inline]
__dev_notify_flags+0x110/0x2b0 net/core/dev.c:8860
dev_change_flags+0x112/0x170 net/core/dev.c:8898
do_setlink+0x90a/0x3900 net/core/rtnetlink.c:2721
__rtnl_newlink+0xddb/0x1760 net/core/rtnetlink.c:3393
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1346 [inline]
free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1397
free_unref_page_prepare mm/page_alloc.c:3332 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3411
unfreeze_partials+0x17c/0x1d0 mm/slub.c:2418
put_cpu_partial+0x13d/0x230 mm/slub.c:2454
qlink_free mm/kasan/quarantine.c:146 [inline]
qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165
kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
__kasan_slab_alloc+0x8e/0xa0 mm/kasan/common.c:444
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook mm/slab.h:519 [inline]
slab_alloc_node mm/slub.c:2956 [inline]
kmem_cache_alloc_node+0x266/0x3e0 mm/slub.c:2992
__alloc_skb+0x20b/0x340 net/core/skbuff.c:414
alloc_skb include/linux/skbuff.h:1112 [inline]
nlmsg_new include/net/netlink.h:953 [inline]
inet_netconf_notify_devconf+0xdd/0x250 net/ipv4/devinet.c:2093
__devinet_sysctl_unregister net/ipv4/devinet.c:2599 [inline]
devinet_sysctl_unregister net/ipv4/devinet.c:2623 [inline]
inetdev_event+0xe55/0x15d0 net/ipv4/devinet.c:1606
notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2123
call_netdevice_notifiers_extack net/core/dev.c:2135 [inline]
call_netdevice_notifiers net/core/dev.c:2149 [inline]
dev_change_name+0x447/0x690 net/core/dev.c:1406
do_setlink+0x2b54/0x3900 net/core/rtnetlink.c:2701
__rtnl_newlink+0xddb/0x1760 net/core/rtnetlink.c:3393

Memory state around the buggy address:
ffff88801fd9bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801fd9c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801fd9c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801fd9c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801fd9c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: c500bee1 Linux 5.14-rc4
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=108bfd3a300000
kernel config: https://syzkaller.appspot.com/x/.config?x=166c8f6532dd88df
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=15c55a76300000
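
The KASAN report above shows one task freeing the SCO socket through sco_sock_kill() (net/bluetooth/sco.c:204, whose sock_put() reaches sk_free) and then, one line later, writing to the freed object through a second sock_put() (sco.c:205). The block below is an added user-space model of that reference-count imbalance; it is not kernel code and not the patch that was under test (the patch itself is not visible in this thread). Every name ending in _m and the two conn_del_* functions are illustrative stand-ins, and the refcount is a plain counter rather than the kernel's refcount_t.

```c
/*
 * Added example, not kernel code: models the socket refcount double-put
 * that the "Freed by" and "use-after-free" stacks of the report describe.
 * A kill routine that consumes the reference it is handed must not be
 * followed by another put unless the caller owns a second reference.
 */
#include <stdbool.h>
#include <stdio.h>

struct sock_m {
    unsigned int refcnt;   /* stands in for sk->sk_refcnt */
    bool freed;            /* set once the last reference is dropped */
    unsigned int bad_puts; /* accesses after free: what KASAN flagged */
};

/* sock_hold(): take a reference. Touching a freed object is itself a UAF. */
static void sock_hold_m(struct sock_m *sk)
{
    if (sk->freed) { sk->bad_puts++; return; }
    sk->refcnt++;
}

/* sock_put(): drop one reference, free on zero. A put on an already freed
 * object is the "Write of size 4" (the atomic decrement) in the report. */
static void sock_put_m(struct sock_m *sk)
{
    if (sk->freed) { sk->bad_puts++; return; }
    if (--sk->refcnt == 0)
        sk->freed = true;
}

/* sco_sock_kill() as modelled here: unlink the orphan, then consume one
 * reference, exactly as the Freed-by stack shows (sco_sock_kill -> sock_put). */
static void sco_sock_kill_m(struct sock_m *sk)
{
    sock_put_m(sk);
}

/* Unbalanced caller: keeps using sk after kill without owning a reference
 * for it. With a single reference at entry, kill frees the object and the
 * following put writes to freed memory. */
static struct sock_m conn_del_unbalanced(unsigned int refs_at_entry)
{
    struct sock_m sk = { .refcnt = refs_at_entry, .freed = false, .bad_puts = 0 };
    sco_sock_kill_m(&sk);   /* may drop the last reference */
    sock_put_m(&sk);        /* second drop on the same pointer */
    return sk;
}

/* Balanced caller: takes its own reference for the pointer it holds across
 * kill, then puts exactly that reference. The object is still freed exactly
 * once, by whichever put hits zero, with no access after the free. */
static struct sock_m conn_del_balanced(unsigned int refs_at_entry)
{
    struct sock_m sk = { .refcnt = refs_at_entry, .freed = false, .bad_puts = 0 };
    sock_hold_m(&sk);       /* pairs with the sock_put_m below */
    sco_sock_kill_m(&sk);
    sock_put_m(&sk);
    return sk;
}

int main(void)
{
    struct sock_m a = conn_del_unbalanced(1);
    struct sock_m b = conn_del_balanced(1);

    printf("unbalanced: freed=%d bad_puts=%u\n", a.freed, a.bad_puts);
    printf("balanced:   freed=%d bad_puts=%u\n", b.freed, b.bad_puts);
    return 0;
}
```

Running the model with one reference at entry reproduces the shape of the report: the unbalanced sequence frees the object in the kill step and records one access after free, while the balanced sequence frees it once and records none. The same check applied to the real code is to count, on every path through the cleanup routine, how many references the function acquires against how many sock_put() calls it reaches, including the one hidden inside the kill helper.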

Desmond Cheong Zhi Xi

Aug 3, 2021, 6:26:18 AM
to syzbot, syzkall...@googlegroups.com
test.diff

syzbot

Aug 3, 2021, 6:45:08 AM
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Write in sco_conn_del

Kill sk ffff88802ee10000 in sco_conn_del
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:167 [inline]
BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]
BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]
BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]
BUG: KASAN: use-after-free in sock_put include/net/sock.h:1815 [inline]
BUG: KASAN: use-after-free in sco_conn_del+0x1e2/0x330 net/bluetooth/sco.c:207
Write of size 4 at addr ffff88802ee10080 by task syz-executor.3/5712

CPU: 0 PID: 5712 Comm: syz-executor.3 Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233
__kasan_report mm/kasan/report.c:419 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:436
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:167 [inline]
__refcount_sub_and_test include/linux/refcount.h:272 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
sock_put include/net/sock.h:1815 [inline]
sco_conn_del+0x1e2/0x330 net/bluetooth/sco.c:207
sco_disconn_cfm+0xff/0x150 net/bluetooth/sco.c:1232
hci_disconn_cfm include/net/bluetooth/hci_core.h:1500 [inline]
hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1608
hci_dev_do_close+0x528/0x1130 net/bluetooth/hci_core.c:1778
hci_unregister_dev+0x1c0/0x5a0 net/bluetooth/hci_core.c:4015
vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340
__fput+0x288/0x920 fs/file_table.c:280
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0xbd4/0x2a60 kernel/exit.c:825
do_group_exit+0x125/0x310 kernel/exit.c:922
get_signal+0x47f/0x2160 kernel/signal.c:2808
arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:865
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:209
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
Code: Unable to access opcode bytes at RIP 0x4665af.
RSP: 002b:00007f4ab8037218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000056bf88 RCX: 00000000004665d9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000056bf88
RBP: 000000000056bf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf8c
R13: 00007ffdc27aa17f R14: 00007f4ab8037300 R15: 0000000000022000

Allocated by task 6814:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc mm/kasan/common.c:513 [inline]
____kasan_kmalloc mm/kasan/common.c:472 [inline]
__kasan_kmalloc+0x9b/0xd0 mm/kasan/common.c:522
kmalloc include/linux/slab.h:596 [inline]
sk_prot_alloc+0x110/0x290 net/core/sock.c:1808
sk_alloc+0x32/0xbc0 net/core/sock.c:1861
sco_sock_alloc.constprop.0+0x31/0x220 net/bluetooth/sco.c:499
sco_sock_create+0xd5/0x1b0 net/bluetooth/sco.c:534
bt_sock_create+0x17c/0x340 net/bluetooth/af_bluetooth.c:130
__sock_create+0x353/0x790 net/socket.c:1450
sock_create net/socket.c:1501 [inline]
__sys_socket+0xef/0x200 net/socket.c:1543
__do_sys_socket net/socket.c:1552 [inline]
__se_sys_socket net/socket.c:1550 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1550
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 5712:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free mm/kasan/common.c:328 [inline]
__kasan_slab_free+0xfb/0x130 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1625 [inline]
slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1650
slab_free mm/slub.c:3210 [inline]
kfree+0xe4/0x530 mm/slub.c:4264
sk_prot_free net/core/sock.c:1844 [inline]
__sk_destruct+0x6a8/0x900 net/core/sock.c:1929
sk_destruct+0xbd/0xe0 net/core/sock.c:1944
__sk_free+0xef/0x3d0 net/core/sock.c:1955
sk_free+0x78/0xa0 net/core/sock.c:1966
sock_put include/net/sock.h:1816 [inline]
sco_sock_kill+0x18d/0x1b0 net/bluetooth/sco.c:420
sco_conn_del+0x1d4/0x330 net/bluetooth/sco.c:206
sco_disconn_cfm+0xff/0x150 net/bluetooth/sco.c:1232
hci_disconn_cfm include/net/bluetooth/hci_core.h:1500 [inline]
hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1608
hci_dev_do_close+0x528/0x1130 net/bluetooth/hci_core.c:1778
hci_unregister_dev+0x1c0/0x5a0 net/bluetooth/hci_core.c:4015
vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340
__fput+0x288/0x920 fs/file_table.c:280
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0xbd4/0x2a60 kernel/exit.c:825
do_group_exit+0x125/0x310 kernel/exit.c:922
get_signal+0x47f/0x2160 kernel/signal.c:2808
arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:865
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:209
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae

Last potentially related work creation:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_record_aux_stack+0xe5/0x110 mm/kasan/generic.c:348
kvfree_call_rcu+0x74/0x990 kernel/rcu/tree.c:3594
drop_sysctl_table+0x3c0/0x4e0 fs/proc/proc_sysctl.c:1647
unregister_sysctl_table fs/proc/proc_sysctl.c:1685 [inline]
unregister_sysctl_table+0xc2/0x190 fs/proc/proc_sysctl.c:1660
__addrconf_sysctl_unregister net/ipv6/addrconf.c:6994 [inline]
addrconf_sysctl_unregister+0xee/0x1c0 net/ipv6/addrconf.c:7022
addrconf_ifdown.isra.0+0xf8f/0x15b0 net/ipv6/addrconf.c:3849
addrconf_notify+0x606/0x2400 net/ipv6/addrconf.c:3631
notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2123
call_netdevice_notifiers_extack net/core/dev.c:2135 [inline]
call_netdevice_notifiers net/core/dev.c:2149 [inline]
unregister_netdevice_many+0x951/0x1790 net/core/dev.c:11093
ip_tunnel_delete_nets+0x39f/0x5b0 net/ipv4/ip_tunnel.c:1122
ops_exit_list+0x10d/0x160 net/core/net_namespace.c:178
cleanup_net+0x4ea/0xb10 net/core/net_namespace.c:595
process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Second to last potentially related work creation:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_record_aux_stack+0xe5/0x110 mm/kasan/generic.c:348
__call_rcu kernel/rcu/tree.c:3029 [inline]
call_rcu+0xb1/0x750 kernel/rcu/tree.c:3109
netlink_release+0xdd4/0x1dd0 net/netlink/af_netlink.c:812
__sock_release+0xcd/0x280 net/socket.c:648
sock_close+0x18/0x20 net/socket.c:1300
__fput+0x288/0x920 fs/file_table.c:280
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:209
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88802ee10000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
2048-byte region [ffff88802ee10000, ffff88802ee10800)
The buggy address belongs to the page:
page:ffffea0000bb8400 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802ee11000 pfn:0x2ee10
head:ffffea0000bb8400 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0000dbe808 ffffea0000bba408 ffff888010842000
raw: ffff88802ee11000 0000000000080007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 8432, ts 57620575320, free_ts 57598452059
prep_new_page mm/page_alloc.c:2436 [inline]
get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4169
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5391
alloc_pages+0x18c/0x2a0 mm/mempolicy.c:2244
alloc_slab_page mm/slub.c:1688 [inline]
allocate_slab+0x32e/0x4b0 mm/slub.c:1828
new_slab mm/slub.c:1891 [inline]
new_slab_objects mm/slub.c:2637 [inline]
___slab_alloc+0x4ba/0x820 mm/slub.c:2800
__slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2840
slab_alloc_node mm/slub.c:2922 [inline]
slab_alloc mm/slub.c:2964 [inline]
__kmalloc+0x312/0x330 mm/slub.c:4108
kmalloc include/linux/slab.h:596 [inline]
sk_prot_alloc+0x110/0x290 net/core/sock.c:1808
sk_alloc+0x32/0xbc0 net/core/sock.c:1861
__netlink_create+0x63/0x2f0 net/netlink/af_netlink.c:640
netlink_create+0x3ad/0x5e0 net/netlink/af_netlink.c:703
__sock_create+0x353/0x790 net/socket.c:1450
sock_create net/socket.c:1501 [inline]
__sys_socket+0xef/0x200 net/socket.c:1543
__do_sys_socket net/socket.c:1552 [inline]
__se_sys_socket net/socket.c:1550 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1550
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1346 [inline]
free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1397
free_unref_page_prepare mm/page_alloc.c:3332 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3411
qlink_free mm/kasan/quarantine.c:146 [inline]
qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165
kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
__kasan_slab_alloc+0x8e/0xa0 mm/kasan/common.c:444
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook mm/slab.h:519 [inline]
slab_alloc_node mm/slub.c:2956 [inline]
kmem_cache_alloc_node+0x266/0x3e0 mm/slub.c:2992
__alloc_skb+0x20b/0x340 net/core/skbuff.c:414
alloc_skb include/linux/skbuff.h:1112 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1186 [inline]
netlink_sendmsg+0x967/0xdb0 net/netlink/af_netlink.c:1904
sock_sendmsg_nosec net/socket.c:703 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:723
____sys_sendmsg+0x6e8/0x810 net/socket.c:2392
___sys_sendmsg+0xf3/0x170 net/socket.c:2446
__sys_sendmsg+0xe5/0x1b0 net/socket.c:2475
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
ffff88802ee0ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802ee10000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802ee10080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802ee10100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802ee10180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: c500bee1 Linux 5.14-rc4
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10a36d42300000
kernel config: https://syzkaller.appspot.com/x/.config?x=166c8f6532dd88df
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=13011c9a300000
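
As an added example (not part of the syzbot report, nor of Desmond's patch), here is a small decoder for the "Memory state around the buggy address" block in the report above. It reads the "located N bytes inside of" line and the shadow rows, looks up the shadow byte that covers the faulting address, and names the poison value using the generic-KASAN encodings from mm/kasan/kasan.h of the 5.13/5.14 kernels tested here (0xfb = freed slab object, 0xfa = freed object whose first granule holds the free track, 0xfc = slab redzone). The only input is the dump copied from the report in this message; nothing else is assumed.

```python
"""Decode the 'Memory state around the buggy address' block of a KASAN report."""
import re

# Generic-KASAN shadow poison values, from mm/kasan/kasan.h (v5.13).
# 0x00..0x07 are not poison: they give how many leading bytes of the
# 8-byte granule are addressable (0x00 = all eight).
SHADOW_POISON = {
    0xFF: "free page",
    0xFE: "page redzone",
    0xFC: "slab redzone",
    0xFB: "freed slab object",
    0xFA: "freed slab object (free track stored here)",
    0xF9: "global redzone",
    0xF8: "vmalloc invalid",
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xCA: "alloca left redzone",
    0xCB: "alloca right redzone",
}
GRANULE = 8               # bytes of memory covered by one shadow byte
ROW_BYTES = 16 * GRANULE  # one dump row shows 16 shadow bytes

REGION_RE = re.compile(
    r"located (\d+) bytes inside of\s+(\d+)-byte region "
    r"\[([0-9a-f]+), ([0-9a-f]+)\)")
ROW_RE = re.compile(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*){16})$")

# Constructed sample: the object-location and shadow lines copied from the
# KASAN report in this thread.
SAMPLE_REPORT = """\
The buggy address belongs to the object at ffff88802ee10000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
2048-byte region [ffff88802ee10000, ffff88802ee10800)
Memory state around the buggy address:
 ffff88802ee0ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88802ee10000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802ee10080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88802ee10100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802ee10180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""


def parse_report(text):
    """Return (buggy_addr, object_start, object_size, {row_base: [shadow bytes]})."""
    m = REGION_RE.search(text)
    if m is None:
        raise ValueError("report has no 'located N bytes inside of' line")
    offset, size = int(m.group(1)), int(m.group(2))
    start = int(m.group(3), 16)
    rows = {}
    for line in text.splitlines():
        r = ROW_RE.match(line.strip())
        if r:
            rows[int(r.group(1), 16)] = [int(b, 16) for b in r.group(2).split()]
    if not rows:
        raise ValueError("report has no shadow memory rows")
    return start + offset, start, size, rows


def shadow_byte(addr, rows):
    """Shadow byte for addr, taken from whichever dump row covers it."""
    for base, shadow in rows.items():
        if base <= addr < base + ROW_BYTES:
            return shadow[(addr - base) // GRANULE]
    raise ValueError(f"{addr:#x} is outside the dumped rows")


def describe(byte):
    """Human-readable meaning of one shadow byte."""
    if byte == 0:
        return "addressable"
    if byte <= 7:
        return f"partially addressable ({byte} of {GRANULE} bytes)"
    return SHADOW_POISON.get(byte, f"unknown poison {byte:#04x}")


def classify(text):
    """Summarise the bad access: where it landed and what the poison says."""
    addr, start, size, rows = parse_report(text)
    byte = shadow_byte(addr, rows)
    if byte in (0xFA, 0xFB, 0xFF):
        verdict = "use-after-free"
    elif byte == 0:
        verdict = "address itself addressable; the access must straddle a boundary"
    else:
        verdict = "out-of-bounds / redzone access"
    return {"addr": addr, "offset": addr - start, "object_size": size,
            "shadow": byte, "state": describe(byte), "verdict": verdict}


if __name__ == "__main__":
    for key, val in classify(SAMPLE_REPORT).items():
        print(f"{key}: {val:#x}" if isinstance(val, int) else f"{key}: {val}")
```

Run on the dump above it resolves the access to ffff88802ee10080, 128 bytes into the 2048-byte kmalloc-2k object, whose shadow byte is 0xfb: the whole object had already been freed (first granule 0xfa, the rest 0xfb), so this is a read of a freed socket, consistent with the "Freed by" stack through sco_sock_kill.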

Desmond Cheong Zhi Xi

unread,
Aug 3, 2021, 7:41:04 AM8/3/21
to syzbot, syzkall...@googlegroups.com
test.diff

syzbot

unread,
Aug 3, 2021, 8:00:07 AM8/3/21
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+2f6d7c...@syzkaller.appspotmail.com

Tested on:

commit: c500bee1 Linux 5.14-rc4
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=166c8f6532dd88df
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=1573ccae300000

Note: testing is done by a robot and is best-effort only.

Desmond Cheong Zhi Xi

unread,
Aug 3, 2021, 12:54:07 PM8/3/21
to syzbot, syzkall...@googlegroups.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master

Testing on bluetooth-next.

Best,
Desmond
0001-Squashed-commit-of-the-following.patch

syzbot

unread,
Aug 3, 2021, 5:46:09 PM8/3/21
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: Unsupported flag value(s) of 0x%x in DT_FLAGS_1.

[garbled console output: glibc string tables dumped to the console instead of a kernel report, elided]

Tested on:

commit: 654e6f77 Bluetooth: btusb: Enable MSFT extension for M..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=132d819a300000
kernel config: https://syzkaller.appspot.com/x/.config?x=8ad348e95b6c6795
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=10842b42300000

Desmond Cheong Zhi Xi

unread,
Aug 3, 2021, 11:19:17 PM8/3/21
to syzbot, syzkall...@googlegroups.com
On 4/8/21 5:46 am, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> WARNING: Unsupported flag value(s) of 0x%x in DT_FLAGS_1.
>
Best,
Desmond
0001-Squashed-commit-of-the-following.patch

syzbot

unread,
Aug 4, 2021, 3:03:06 AM8/4/21
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+2f6d7c...@syzkaller.appspotmail.com

Tested on:

commit: 654e6f77 Bluetooth: btusb: Enable MSFT extension for M..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=8ad348e95b6c6795
dashboard link: https://syzkaller.appspot.com/bug?extid=2f6d7c28bb4bf7e82060
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=10260172300000