KASAN: slab-use-after-free Write in media_request_alloc


Mauricio Faria de Oliveira

10:05 AM (3 hours ago)
to syzbot+37fd81...@syzkaller.appspotmail.com, syzkall...@googlegroups.com

Mauricio Faria de Oliveira

10:06 AM (3 hours ago)
to syzbot+2bf29e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com

syzbot

10:43 AM (2 hours ago)
to linux-...@vger.kernel.org, m...@igalia.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)


syzkaller build log:

git status (err=<nil>)
HEAD detached at d1b870e1003b
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=d1b870e1003b52891d2196c1e2ee42fe905010ba -X github.com/google/syzkaller/prog.gitRevisionDate=20251128-125159" ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=d1b870e1003b52891d2196c1e2ee42fe905010ba -X github.com/google/syzkaller/prog.gitRevisionDate=20251128-125159" ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=d1b870e1003b52891d2196c1e2ee42fe905010ba -X github.com/google/syzkaller/prog.gitRevisionDate=20251128-125159" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"d1b870e1003b52891d2196c1e2ee42fe905010ba\"
/usr/bin/ld: /tmp/cczH2ZJp.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x386): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1721a006580000


Tested on:

commit: a260bd22 media: mc: fix potential use-after-free in me..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=42a29b5eebe67b17
dashboard link: https://syzkaller.appspot.com/bug?extid=2bf29e42be0666f2df70
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8

Note: no patches were applied.

Mauricio Faria de Oliveira

12:27 PM (1 hour ago)
to syzbot+2bf29e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com

syzbot

12:48 PM (15 minutes ago)
to linux-...@vger.kernel.org, m...@igalia.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+2bf29e...@syzkaller.appspotmail.com
Tested-by: syzbot+2bf29e...@syzkaller.appspotmail.com

Tested on:

commit: a260bd22 media: mc: fix potential use-after-free in me..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14274d5a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=42a29b5eebe67b17
dashboard link: https://syzkaller.appspot.com/bug?extid=2bf29e42be0666f2df70
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.