Warning: Permanently added '10.128.0.165' (ECDSA) to the list of known hosts.
executing program
[ 44.076609][ T3967] ==================================================================
[ 44.078667][ T3967] BUG: KASAN: use-after-free in gsm_cleanup_mux+0x660/0x738
[ 44.080446][ T3967] Read of size 4 at addr ffff0000c8b4a00c by task syz-executor242/3967
[ 44.082516][ T3967]
[ 44.083096][ T3967] CPU: 0 PID: 3967 Comm: syz-executor242 Not tainted 5.15.113-syzkaller #0
[ 44.085203][ T3967] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
[ 44.087741][ T3967] Call trace:
[ 44.088570][ T3967] dump_backtrace+0x0/0x530
[ 44.089762][ T3967] show_stack+0x2c/0x3c
[ 44.090734][ T3967] dump_stack_lvl+0x108/0x170
[ 44.091857][ T3967] print_address_description+0x7c/0x3f0
[ 44.093308][ T3967] kasan_report+0x174/0x1e4
[ 44.094489][ T3967] __asan_report_load4_noabort+0x44/0x50
[ 44.095933][ T3967] gsm_cleanup_mux+0x660/0x738
[ 44.097069][ T3967] gsmld_ioctl+0xa48/0x13d8
[ 44.098136][ T3967] tty_ioctl+0x954/0xdf4
[ 44.099163][ T3967] __arm64_sys_ioctl+0x14c/0x1c8
[ 44.100341][ T3967] invoke_syscall+0x98/0x2b8
[ 44.101513][ T3967] el0_svc_common+0x138/0x258
[ 44.102690][ T3967] do_el0_svc+0x58/0x14c
[ 44.103765][ T3967] el0_svc+0x7c/0x1f0
[ 44.104756][ T3967] el0t_64_sync_handler+0x84/0xe4
[ 44.105995][ T3967] el0t_64_sync+0x1a0/0x1a4
[ 44.107125][ T3967]
[ 44.107691][ T3967] Allocated by task 3962:
[ 44.108799][ T3967] ____kasan_kmalloc+0xbc/0xfc
[ 44.110100][ T3967] __kasan_kmalloc+0x10/0x1c
[ 44.111352][ T3967] kmem_cache_alloc_trace+0x27c/0x47c
[ 44.112791][ T3967] gsm_dlci_alloc+0x60/0x340
[ 44.113974][ T3967] gsm_activate_mux+0x30/0x300
[ 44.115161][ T3967] gsmld_ioctl+0xc1c/0x13d8
[ 44.116368][ T3967] tty_ioctl+0x954/0xdf4
[ 44.117491][ T3967] __arm64_sys_ioctl+0x14c/0x1c8
[ 44.118758][ T3967] invoke_syscall+0x98/0x2b8
[ 44.119966][ T3967] el0_svc_common+0x138/0x258
[ 44.121167][ T3967] do_el0_svc+0x58/0x14c
[ 44.122268][ T3967] el0_svc+0x7c/0x1f0
[ 44.123344][ T3967] el0t_64_sync_handler+0x84/0xe4
[ 44.124658][ T3967] el0t_64_sync+0x1a0/0x1a4
[ 44.125820][ T3967]
[ 44.126425][ T3967] Freed by task 3962:
[ 44.127435][ T3967] kasan_set_track+0x4c/0x84
[ 44.128629][ T3967] kasan_set_free_info+0x28/0x4c
[ 44.129901][ T3967] ____kasan_slab_free+0x118/0x164
[ 44.131225][ T3967] __kasan_slab_free+0x18/0x28
[ 44.132497][ T3967] slab_free_freelist_hook+0x128/0x1ec
[ 44.133945][ T3967] kfree+0x178/0x410
[ 44.134927][ T3967] gsm_dlci_free+0x11c/0x168
[ 44.136171][ T3967] tty_port_put+0x140/0x1bc
[ 44.137369][ T3967] gsm_cleanup_mux+0x488/0x738
[ 44.138618][ T3967] gsmld_ioctl+0xa48/0x13d8
[ 44.139778][ T3967] tty_ioctl+0x954/0xdf4
[ 44.140881][ T3967] __arm64_sys_ioctl+0x14c/0x1c8
[ 44.142173][ T3967] invoke_syscall+0x98/0x2b8
[ 44.143291][ T3967] el0_svc_common+0x138/0x258
[ 44.144454][ T3967] do_el0_svc+0x58/0x14c
[ 44.145471][ T3967] el0_svc+0x7c/0x1f0
[ 44.146407][ T3967] el0t_64_sync_handler+0x84/0xe4
[ 44.147570][ T3967] el0t_64_sync+0x1a0/0x1a4
[ 44.148757][ T3967]
[ 44.149356][ T3967] The buggy address belongs to the object at ffff0000c8b4a000
[ 44.149356][ T3967] which belongs to the cache kmalloc-2k of size 2048
[ 44.152976][ T3967] The buggy address is located 12 bytes inside of
[ 44.152976][ T3967] 2048-byte region [ffff0000c8b4a000, ffff0000c8b4a800)
[ 44.156403][ T3967] The buggy address belongs to the page:
[ 44.157803][ T3967] page:0000000003bf807d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x108b48
[ 44.160449][ T3967] head:0000000003bf807d order:3 compound_mapcount:0 compound_pincount:0
[ 44.162634][ T3967] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 44.164713][ T3967] raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002900
[ 44.166747][ T3967] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 44.168965][ T3967] page dumped because: kasan: bad access detected
[ 44.170655][ T3967]
[ 44.171236][ T3967] Memory state around the buggy address:
[ 44.172689][ T3967] ffff0000c8b49f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.174798][ T3967] ffff0000c8b49f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.176811][ T3967] >ffff0000c8b4a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.178988][ T3967]                       ^
[ 44.180085][ T3967] ffff0000c8b4a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.182180][ T3967] ffff0000c8b4a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.184164][ T3967] ==================================================================
[ 44.186157][ T3967] Disabling lock debugging due to kernel taint
[ 44.191976][ T3967] Unable to handle kernel paging request at virtual address dfff80000000000a
[ 44.194217][ T3967] Mem abort info:
[ 44.195101][ T3967] ESR = 0x0000000096000006
[ 44.196403][ T3967] EC = 0x25: DABT (current EL), IL = 32 bits
[ 44.197794][ T3967] SET = 0, FnV = 0
[ 44.198664][ T3967] EA = 0, S1PTW = 0
[ 44.199560][ T3967] FSC = 0x06: level 2 translation fault
[ 44.200813][ T3967] Data abort info:
[ 44.201673][ T3967] ISV = 0, ISS = 0x00000006
[ 44.202802][ T3967] CM = 0, WnR = 0
[ 44.203767][ T3967] [dfff80000000000a] address between user and kernel address ranges
[ 44.207116][ T3967] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[ 44.208589][ T3967] Modules linked in:
[ 44.209474][ T3967] CPU: 0 PID: 3967 Comm: syz-executor242 Tainted: G B 5.15.113-syzkaller #0
[ 44.211828][ T3967] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
[ 44.214345][ T3967] pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 44.216335][ T3967] pc : tty_write_room+0x48/0x8c
[ 44.217591][ T3967] lr : tty_write_room+0x3c/0x8c
[ 44.218877][ T3967] sp : ffff80001cdc7810
[ 44.219932][ T3967] x29: ffff80001cdc7810 x28: 0000000000000001 x27: dfff800000000000
[ 44.221998][ T3967] x26: 1ffff000039b8f14 x25: 0000000000000000 x24: 1fffe00019984cc0
[ 44.224086][ T3967] x23: dfff800000000000 x22: 0000000000000f7a x21: dfff800000000000
[ 44.226169][ T3967] x20: 0000000000000050 x19: ffff0000c7838a00 x18: 0000000000000000
[ 44.228206][ T3967] x17: ff8080000b3ef030 x16: 0000000000000000 x15: ffff80000b3ef030
[ 44.230313][ T3967] x14: 0000000000000002 x13: ffffffffffffffff x12: 0000000000000000
[ 44.232413][ T3967] x11: ff8080000b3d191c x10: 0000000000000000 x9 : ffff80001842e390
[ 44.234504][ T3967] x8 : 000000000000000a x7 : 0000000000000000 x6 : ffff800008268c6c
[ 44.236538][ T3967] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff80000b3d1934
[ 44.238601][ T3967] x2 : 0000000000000000 x1 : 0000000000000008 x0 : 0000000000000000
[ 44.240730][ T3967] Call trace:
[ 44.241575][ T3967] tty_write_room+0x48/0x8c
[ 44.242767][ T3967] gsmld_output+0x4c/0x1d0
[ 44.243946][ T3967] gsm_send+0x4dc/0x798
[ 44.245020][ T3967] gsm_cleanup_mux+0x1a0/0x738
[ 44.246238][ T3967] gsmld_ioctl+0xa48/0x13d8
[ 44.247394][ T3967] tty_ioctl+0x954/0xdf4
[ 44.248477][ T3967] __arm64_sys_ioctl+0x14c/0x1c8
[ 44.249732][ T3967] invoke_syscall+0x98/0x2b8
[ 44.250855][ T3967] el0_svc_common+0x138/0x258
[ 44.252093][ T3967] do_el0_svc+0x58/0x14c
[ 44.253176][ T3967] el0_svc+0x7c/0x1f0
[ 44.254187][ T3967] el0t_64_sync_handler+0x84/0xe4
[ 44.255465][ T3967] el0t_64_sync+0x1a0/0x1a4
[ 44.256641][ T3967] Code: 9753d81a f9400288 91014114 d343fe88 (38756908)
[ 44.258399][ T3967] ---[ end trace abbff69097bf988f ]---
[ 44.604040][ T3967] Kernel panic - not syncing: Oops: Fatal exception
[ 44.605620][ T3967] SMP: stopping secondary CPUs
[ 44.606829][ T3967] Kernel Offset: disabled
[ 44.607827][ T3967] CPU features: 0x000081c1,21302e40
[ 44.609086][ T3967] Memory Limit: none
[ 44.938157][ T3967] Rebooting in 86400 seconds..