[syzbot] [wireless?] WARNING in cfg80211_scan_done

[syzbot] [wireless?] WARNING in cfg80211_scan_done

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    c912bf709078 Merge remote-tracking branches 'origin/arm64-..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=12fa78ed980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=35545feca25ede03
dashboard link: https://syzkaller.appspot.com/bug?extid=189dcafc06865d38178d
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/caeac6485006/disk-c912bf70.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/501c87f28da9/vmlinux-c912bf70.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6812e99b7182/Image-c912bf70.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+189dcafc06865d38178d@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 1 PID: 709 at net/wireless/scan.c:1148 cfg80211_scan_done+0x2ec/0x51c net/wireless/scan.c:1147
Modules linked in:
CPU: 1 PID: 709 Comm: kworker/u8:8 Not tainted 6.10.0-rc7-syzkaller-gc912bf709078 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Workqueue: events_unbound cfg80211_wiphy_work
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : cfg80211_scan_done+0x2ec/0x51c net/wireless/scan.c:1147
lr : cfg80211_scan_done+0x2ec/0x51c net/wireless/scan.c:1147
sp : ffff8000999f7780
x29: ffff8000999f7810 x28: 1ffff0001333eef4 x27: dfff800000000000
x26: ffff0000cc7601b8 x25: ffff0000d9271060 x24: ffff0000cc760700
x23: 0000000000000000 x22: ffff0000d9271078 x21: ffff0000d9271070
x20: 1fffe0001b24e20c x19: ffff0000d9271000 x18: 1fffe000367a85de
x17: ffff80008f2dd000 x16: ffff80008054bde8 x15: ffff70001333eef8
x14: 1ffff0001333eef8 x13: 0000000000000006 x12: ffffffffffffffff
x11: ffff70001333eef8 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : ffff0000c712bc80 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffff8000999f77c6 x4 : ffff0000d927107e x3 : ffff80008a7b1e94
x2 : 0000000000000006 x1 : ffff80008b8023e0 x0 : 0000000000000001
Call trace:
 cfg80211_scan_done+0x2ec/0x51c net/wireless/scan.c:1147
 __ieee80211_scan_completed+0x4e0/0xb30 net/mac80211/scan.c:486
 ieee80211_scan_work+0x1b0/0x19ac net/mac80211/scan.c:1162
 cfg80211_wiphy_work+0x1fc/0x240 net/wireless/core.c:437
 process_one_work+0x79c/0x15b8 kernel/workqueue.c:3248
 process_scheduled_works kernel/workqueue.c:3329 [inline]
 worker_thread+0x938/0xecc kernel/workqueue.c:3409
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
irq event stamp: 2371456
hardirqs last  enabled at (2371455): [<ffff800082f99ab0>] __free_object+0x1a8/0x83c lib/debugobjects.c:354
hardirqs last disabled at (2371456): [<ffff80008b13d724>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:470
softirqs last  enabled at (2371426): [<ffff80008ae7d078>] spin_unlock_bh include/linux/spinlock.h:396 [inline]
softirqs last  enabled at (2371426): [<ffff80008ae7d078>] batadv_nc_purge_paths+0x2f4/0x378 net/batman-adv/network-coding.c:471
softirqs last disabled at (2371424): [<ffff80008ae7ce54>] spin_lock_bh include/linux/spinlock.h:356 [inline]
softirqs last disabled at (2371424): [<ffff80008ae7ce54>] batadv_nc_purge_paths+0xd0/0x378 net/batman-adv/network-coding.c:442
---[ end trace 0000000000000000 ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [wireless?] WARNING in cfg80211_scan_done

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    19272b37aa4f Linux 6.16-rc1
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=10e239d4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8409c4d4e51ac27
dashboard link: https://syzkaller.appspot.com/bug?extid=189dcafc06865d38178d
compiler:       Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14e239d4580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/92d22b0c6493/disk-19272b37.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3fb0142bb63a/vmlinux-19272b37.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3d5f3836ae42/Image-19272b37.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+189dcafc06865d38178d@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 1 PID: 2225 at net/wireless/scan.c:1182 cfg80211_scan_done+0x2c8/0x4b0 net/wireless/scan.c:1181
Modules linked in:
CPU: 1 UID: 0 PID: 2225 Comm: kworker/u8:12 Not tainted 6.16.0-rc1-syzkaller-g19272b37aa4f #0 PREEMPT 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: events_unbound cfg80211_wiphy_work
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : cfg80211_scan_done+0x2c8/0x4b0 net/wireless/scan.c:1181
lr : cfg80211_scan_done+0x2c8/0x4b0 net/wireless/scan.c:1181
sp : ffff8000a14d77c0
x29: ffff8000a14d7820 x28: ffff0000c7570700 x27: 1fffe00019a1e20c
x26: 1ffff0001429aef8 x25: dfff800000000000 x24: ffff0000c75701b8
x23: ffff0000cd0f1060 x22: ffff0000c75729f0 x21: ffff0000cd0f1070
x20: ffff8000a14d77e0 x19: ffff0000cd0f1000 x18: 1fffe00033807876
x17: ffff80008f55e000 x16: ffff80008ae5617c x15: 0000000000000002
x14: 1ffff0001429aefc x13: 0000000000000000 x12: 0000000000000000
x11: ffff70001429aefe x10: 0000000000ff0100 x9 : 0000000000000000
x8 : ffff0000cc293d00 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffff8000a14d77f0 x4 : ffff0000cd0f1080 x3 : ffff80008a530eec
x2 : 0000000000000010 x1 : ffff80008b492da0 x0 : 0000000000000001
Call trace:
 cfg80211_scan_done+0x2c8/0x4b0 net/wireless/scan.c:1181 (P)
 __ieee80211_scan_completed+0x4ec/0xae0 net/mac80211/scan.c:501
 ieee80211_scan_work+0x140/0x18c4 net/mac80211/scan.c:1177
 cfg80211_wiphy_work+0x2a8/0x48c net/wireless/core.c:435
 process_one_work+0x7e8/0x155c kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3321 [inline]
 worker_thread+0x958/0xed8 kernel/workqueue.c:3402
 kthread+0x5fc/0x75c kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847
irq event stamp: 1301622
hardirqs last  enabled at (1301621): [<ffff8000830764a8>] class_irqsave_destructor include/linux/irqflags.h:266 [inline]
hardirqs last  enabled at (1301621): [<ffff8000830764a8>] __free_object+0x528/0x71c lib/debugobjects.c:524
hardirqs last disabled at (1301622): [<ffff80008ae5160c>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:511
softirqs last  enabled at (1301568): [<ffff80008644576c>] spin_unlock_bh include/linux/spinlock.h:396 [inline]
softirqs last  enabled at (1301568): [<ffff80008644576c>] nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline]
softirqs last  enabled at (1301568): [<ffff80008644576c>] nsim_dev_trap_report_work+0x67c/0x9fc drivers/net/netdevsim/dev.c:851
softirqs last disabled at (1301566): [<ffff8000864456e4>] spin_lock_bh include/linux/spinlock.h:356 [inline]
softirqs last disabled at (1301566): [<ffff8000864456e4>] nsim_dev_trap_report drivers/net/netdevsim/dev.c:816 [inline]
softirqs last disabled at (1301566): [<ffff8000864456e4>] nsim_dev_trap_report_work+0x5f4/0x9fc drivers/net/netdevsim/dev.c:851
---[ end trace 0000000000000000 ]---


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

[PATCH] wifi: cfg80211: Prevent comparison with invalid registered dev scan req

[Lizhi Xu]

The scan req of a registered device may have been released, so it should
be checked to be valid before comparing it with the current req.

Reported-by: syzbot+189dcafc06865d38178d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=189dcafc06865d38178d
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
 net/wireless/scan.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index e8a4fe44ec2d..bfd40797e608 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1176,10 +1176,14 @@ void cfg80211_scan_done(struct cfg80211_scan_request *request,
 			struct cfg80211_scan_info *info)
 {
 	struct cfg80211_scan_info old_info = request->info;
+	struct cfg80211_scan_request *rdev_req, *rdev_int_req;
+
+	rdev_req = wiphy_to_rdev(request->wiphy)->scan_req;
+	rdev_int_req = wiphy_to_rdev(request->wiphy)->int_scan_req;
 
 	trace_cfg80211_scan_done(request, info);
-	WARN_ON(request != wiphy_to_rdev(request->wiphy)->scan_req &&
-		request != wiphy_to_rdev(request->wiphy)->int_scan_req);
+	WARN_ON((rdev_req && request != rdev_req) &&
+		(rdev_int_req && request != rdev_int_req));
 
 	request->info = *info;
 
-- 
2.43.0

Re: [PATCH] wifi: cfg80211: Prevent comparison with invalid registered dev scan req

[Johannes Berg]

On Thu, 2025-06-19 at 16:05 +0800, Lizhi Xu wrote:
> The scan req of a registered device may have been released, so it should
> be checked to be valid before comparing it with the current req.
> 

I don't understand the subject/commit log at all. You're now accepting
scan_done() with a NULL scan request, why does that make sense?

johannes

Re: [PATCH] wifi: cfg80211: Prevent comparison with invalid registered dev scan req

[Lizhi Xu]

On Fri, 20 Jun 2025 13:01:51 +0200, Johannes Berg wrote:
> > The scan req of a registered device may have been released, so it should
> > be checked to be valid before comparing it with the current req.
> >
> 
> I don't understand the subject/commit log at all. You're now accepting
> scan_done() with a NULL scan request, why does that make sense?
It is meaningless to compare the registered device with NULL scan_req with
the current scan request.

Because there is a check for scan_req being NULL in ___cfg80211_scan_done(),
cfg80211_scan_done() is not directly exited when the scan_req of the registered
device is NULL.

Lizhi

Re: [syzbot] Re: [syzbot] [wireless?] WARNING in cfg80211_scan_done

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [wireless?] WARNING in cfg80211_scan_done
Author: lizhi.xu@windriver.com

#syz test

diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index cd8385ecafd9..7fc1e98abb2c 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -498,6 +498,8 @@ static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted)
 
 	if (scan_req != local->int_scan_req) {
 		local->scan_info.aborted = aborted;
+		printk("local: %p, sr: %p, wip: %p, %s\n",
+		local, scan_req, scan_req->wiphy, __func__);
 		cfg80211_scan_done(scan_req, &local->scan_info);
 	}
 
@@ -1123,6 +1125,8 @@ void ieee80211_scan_work(struct wiphy *wiphy, struct wiphy_work *work)
 		/* need to complete scan in cfg80211 */
 		rcu_assign_pointer(local->scan_req, scan_req);
 		aborted = true;
+		printk("local: %p, sr: %p, wip: %p, %s\n",
+			local, scan_req, scan_req->wiphy, __func__);
 		goto out_complete;
 	}
 
@@ -1135,6 +1139,8 @@ void ieee80211_scan_work(struct wiphy *wiphy, struct wiphy_work *work)
 	do {
 		if (!ieee80211_sdata_running(sdata)) {
 			aborted = true;
+			printk("2local: %p, sr: %p, wip: %p, %s\n",
+				local, scan_req, scan_req->wiphy, __func__);
 			goto out_complete;
 		}
 
@@ -1147,6 +1153,8 @@ void ieee80211_scan_work(struct wiphy *wiphy, struct wiphy_work *work)
 			/* if no more bands/channels left, complete scan */
 			if (local->scan_channel_idx >= scan_req->n_channels) {
 				aborted = false;
+				printk("3local: %p, sr: %p, wip: %p, %s\n",
+				local, scan_req, scan_req->wiphy, __func__);
 				goto out_complete;
 			}
 			ieee80211_scan_state_decision(local, &next_delay);
@@ -1165,6 +1173,8 @@ void ieee80211_scan_work(struct wiphy *wiphy, struct wiphy_work *work)
 			break;
 		case SCAN_ABORT:
 			aborted = true;
+			printk("4local: %p, sr: %p, wip: %p, %s\n",
+			local, scan_req, scan_req->wiphy, __func__);
 			goto out_complete;
 		}
 	} while (next_delay == 0);
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index e8a4fe44ec2d..7c1f80be24bb 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1178,6 +1178,11 @@ void cfg80211_scan_done(struct cfg80211_scan_request *request,
 	struct cfg80211_scan_info old_info = request->info;
 
 	trace_cfg80211_scan_done(request, info);
+	printk("r: %p, wiphy: %p, scan_req: %p, int_scan_req: %p, %s\n",
+		request, request->wiphy,
+		wiphy_to_rdev(request->wiphy)->scan_req,
+		wiphy_to_rdev(request->wiphy)->int_scan_req,
+		__func__);
 	WARN_ON(request != wiphy_to_rdev(request->wiphy)->scan_req &&
 		request != wiphy_to_rdev(request->wiphy)->int_scan_req);
 

Re: [syzbot] Re: [syzbot] [wireless?] WARNING in cfg80211_scan_done

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [wireless?] WARNING in cfg80211_scan_done
Author: lizhi.xu@windriver.com

#syz test

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index e8a4fe44ec2d..bfd40797e608 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1176,10 +1176,14 @@ void cfg80211_scan_done(struct cfg80211_scan_request *request,
 			struct cfg80211_scan_info *info)
 {
 	struct cfg80211_scan_info old_info = request->info;
+	struct cfg80211_scan_request *rdev_req, *rdev_int_req;
+
+	rdev_req = wiphy_to_rdev(request->wiphy)->scan_req;
+	rdev_int_req = wiphy_to_rdev(request->wiphy)->int_scan_req;
 
 	trace_cfg80211_scan_done(request, info);
-	WARN_ON(request != wiphy_to_rdev(request->wiphy)->scan_req &&
-		request != wiphy_to_rdev(request->wiphy)->int_scan_req);
+	WARN_ON((rdev_req && request != rdev_req) &&
+		(rdev_int_req && request != rdev_int_req));
 
 	request->info = *info;
 

Re: [syzbot] [wireless?] WARNING in cfg80211_scan_done

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in cfg80211_scan_done

local: 00000000ce6d1311, sr: 000000002b737337, wip: 000000003108bf1a, __ieee80211_scan_completed
r: 000000002b737337, wiphy: 000000003108bf1a, scan_req: 0000000000000000, int_scan_req: 0000000000000000, cfg80211_scan_done
------------[ cut here ]------------
WARNING: CPU: 0 PID: 226 at net/wireless/scan.c:1187 cfg80211_scan_done+0x340/0x530 net/wireless/scan.c:1186
Modules linked in:
CPU: 0 UID: 0 PID: 226 Comm: kworker/u8:5 Not tainted 6.16.0-rc1-syzkaller-00004-g39dfc971e42d-dirty #0 PREEMPT 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: events_unbound cfg80211_wiphy_work
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : cfg80211_scan_done+0x340/0x530 net/wireless/scan.c:1186
lr : cfg80211_scan_done+0x340/0x530 net/wireless/scan.c:1186
sp : ffff80009b7077a0
x29: ffff80009b707820 x28: 1ffff000136e0ef8 x27: dfff800000000000
x26: ffff0000d7c281b8 x25: ffff0000d7c28700 x24: ffff0000d7c281b8
x23: ffff0000cc5a5060 x22: ffff0000d7c2a9f0 x21: ffff0000cc5a5070
x20: 1fffe000198b4a0c x19: ffff0000cc5a5000 x18: 1fffe00033802c76
x17: 3030303030303030 x16: ffff80008ae56384 x15: 0000000000000001
x14: 1fffe00033802ce2 x13: 0000000000000000 x12: 0000000000000000
x11: ffff600033802ce3 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : ffff0000c5b21e80 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff80009b707138 x4 : ffff80008f657060 x3 : ffff8000807bb518
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 000000000000007c
Call trace:
 cfg80211_scan_done+0x340/0x530 net/wireless/scan.c:1186 (P)
 __ieee80211_scan_completed+0x84c/0xb00 net/mac80211/scan.c:503
 ieee80211_scan_work+0x15b8/0x1a04 net/mac80211/scan.c:1187
 cfg80211_wiphy_work+0x2a8/0x48c net/wireless/core.c:435
 process_one_work+0x7e8/0x155c kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3321 [inline]
 worker_thread+0x958/0xed8 kernel/workqueue.c:3402
 kthread+0x5fc/0x75c kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847
irq event stamp: 1298636
hardirqs last  enabled at (1298635): [<ffff800080550034>] __up_console_sem kernel/printk/printk.c:344 [inline]
hardirqs last  enabled at (1298635): [<ffff800080550034>] __console_unlock+0x70/0xc4 kernel/printk/printk.c:2885
hardirqs last disabled at (1298636): [<ffff80008ae51814>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:511
softirqs last  enabled at (1298570): [<ffff80008644576c>] spin_unlock_bh include/linux/spinlock.h:396 [inline]
softirqs last  enabled at (1298570): [<ffff80008644576c>] nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline]
softirqs last  enabled at (1298570): [<ffff80008644576c>] nsim_dev_trap_report_work+0x67c/0x9fc drivers/net/netdevsim/dev.c:851
softirqs last disabled at (1298568): [<ffff8000864456e4>] spin_lock_bh include/linux/spinlock.h:356 [inline]
softirqs last disabled at (1298568): [<ffff8000864456e4>] nsim_dev_trap_report drivers/net/netdevsim/dev.c:816 [inline]
softirqs last disabled at (1298568): [<ffff8000864456e4>] nsim_dev_trap_report_work+0x5f4/0x9fc drivers/net/netdevsim/dev.c:851
---[ end trace 0000000000000000 ]---
3local: 00000000ce6d1311, sr: 00000000b53c744c, wip: 000000003108bf1a, ieee80211_scan_work
local: 00000000ce6d1311, sr: 00000000b53c744c, wip: 000000003108bf1a, __ieee80211_scan_completed
r: 00000000b53c744c, wiphy: 000000003108bf1a, scan_req: 00000000b53c744c, int_scan_req: 0000000000000000, cfg80211_scan_done


Tested on:

commit:         39dfc971 arm64/ptrace: Fix stack-out-of-bounds read in..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=11b6b5d4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8409c4d4e51ac27
dashboard link: https://syzkaller.appspot.com/bug?extid=189dcafc06865d38178d
compiler:       Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
userspace arch: arm64
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15dc6370580000

Re: [syzbot] [wireless?] WARNING in cfg80211_scan_done

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
unregister_netdevice: waiting for DEV to become free

unregister_netdevice: waiting for wlan0 to become free. Usage count = 2


Tested on:

commit:         39dfc971 arm64/ptrace: Fix stack-out-of-bounds read in..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=15fa850c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8409c4d4e51ac27
dashboard link: https://syzkaller.appspot.com/bug?extid=189dcafc06865d38178d
compiler:       Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
userspace arch: arm64
patch:          https://syzkaller.appspot.com/x/patch.diff?x=116a850c580000