program: ioctl$SIOCGETVIFCNT(0xffffffffffffffff, 0x89e0, 0x0) (async) perf_event_open(&(0x7f00000001c0)={0x2, 0x80, 0x8, 0x6, 0x5, 0x0, 0x0, 0x1, 0xe18b8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf414, 0x1, @perf_config_ext={0x4, 0x4}, 0x1a154, 0x10001, 0x2000, 0x3, 0x101, 0xfdfffffd, 0x40, 0x0, 0xfffffffe, 0x0, 0xfffffffffffffffe}, 0x0, 0x400000000000000, 0xffffffffffffffff, 0x1) (async) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0) ioctl$TIOCSETD(r0, 0x5423, &(0x7f0000000100)=0x14) r1 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) ioctl$TIOCSETD(r1, 0x5423, &(0x7f0000000040)=0x14) (async) socket$phonet_pipe(0x23, 0x5, 0x2) r2 = syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0) setpgid(r2, r2) (async) r3 = socket$inet(0x2, 0x3, 0x4) sendmmsg$inet(r3, &(0x7f0000000680)=[{{&(0x7f0000000040)={0x2, 0x4e24, @loopback}, 0x10, 0x0}}, {{&(0x7f0000000080)={0x2, 0x4e20, @local}, 0x10, 0x0, 0x0, &(0x7f00000005c0)=[@ip_retopts={{0x14, 0x0, 0x7, {[@generic={0x44, 0x2}]}}}], 0x18}}], 0x2, 0x0) (async) r4 = socket(0x1e, 0x5, 0x0) (async) r5 = syz_open_procfs(0x0, &(0x7f0000000280)='net/udplite6\x00') msync(&(0x7f0000ffa000/0x4000)=nil, 0x4000, 0x5) (async) preadv(r5, &(0x7f0000000140)=[{&(0x7f0000000000)=""/28, 0x55}], 0x1, 0x59, 0x0) (async) bpf$BPF_PROG_QUERY(0x10, &(0x7f00000004c0)={@map=0x1, 0x9, 0x1, 0x5, &(0x7f0000000340)=[0x0, 0x0, 0x0, 0x0, 0x0], 0x5, 0x0, &(0x7f0000000380)=[0x0, 0x0], &(0x7f0000000440)=[0x0], &(0x7f0000000480)=[0x0, 0x0], 0x0}, 0x40) (async) ioctl$DRM_IOCTL_MODE_CREATE_LEASE(0xffffffffffffffff, 0xc01864c6, &(0x7f0000000580)={&(0x7f0000000540)=[0x0, 0x0], 0x2, 0x80000, 0x0, 0xffffffffffffffff}) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000700)=ANY=[@ANYRES32=r4, @ANYRES32=r5, @ANYBLOB="290000001000000000000000", @ANYRES32=r7, @ANYBLOB="f14def0b7f821bba79696ecf8f5889db680a9122a279ed979bc7e883f7b55e3cf522504e39ded4c7fd2f43aa889748b995e558d2f0afd310210d40be66ae0597dca297fafc439686588ef57aedaa1d167037c490b0197cb3e2191f5d25230c4ed6931bf23660c5863d507a59bb544e03424910f2cbaf2717c7c4918f28630c923706b20642b10d83068a9682c6531c7a3f8febaa129c53e941379d7b06f0f30be4ce10b3518c6ea333af489216ce684ecb141740650888b0437ad6463d94b21aa7166d27cd211893c30f70ced2902aff1313cd5f99045bca3c253e7d8641114dc9f098f52ed24d16daf1e1bf694a4890342c2ff788ca3b98daf6b15b8d79eb2acf1defe797", @ANYRES64=r6], 0x20) (async) setsockopt$packet_tx_ring(r4, 0x10f, 0x87, &(0x7f0000000040)=@req3={0x80000000}, 0xfeda) (async) listen(r4, 0x0) (async) r8 = socket(0x1e, 0x805, 0x0) sendmsg$tipc(r8, &(0x7f0000000080)={&(0x7f0000000100)=@name, 0x10, 0x0}, 0x0) (async) accept4$tipc(r4, 0x0, 0x0, 0x800) (async) setsockopt$packet_tx_ring(r8, 0x10f, 0x87, &(0x7f00000000c0)=@req3={0x80000000}, 0x1c) (async) sendmsg$tipc(r8, &(0x7f0000000640)={&(0x7f0000000300)=@name={0x1e, 0x2, 0x2, {{0x0, 0x2}, 0x1}}, 0x10, 0x0, 0x0, 0x0, 0x0, 0x10}, 0x0) waitid(0x2, r2, 0x0, 0x4, 0x0) ioctl$sock_SIOCGPGRP(0xffffffffffffffff, 0x8904, &(0x7f0000000000)=0x0) waitid(0x1, r9, &(0x7f0000000140), 0x4, 0x0) (async) syz_emit_ethernet(0x82, &(0x7f00000000c0)={@random="195df410dc24", @random, @void, {@ipv6={0x86dd, @gre_packet={0x0, 0x6, "aac4e0", 0x4c, 0x2c, 0x0, @dev, @local, {[@routing={0x3c, 0x0, 0x0, 0x1}]}}}}}, 0x0) lstat(&(0x7f0000000240)='./file2\x00', &(0x7f0000000280)) [ 75.439214][ T4666] Bluetooth: hci0: command tx timeout [ 76.387555][ T1311] ieee802154 phy0 wpan0: encryption failed: -22 [ 76.389982][ T1311] ieee802154 phy1 wpan1: encryption failed: -22 [ 76.392911][ T1311] ================================================================== [ 76.395835][ T1311] BUG: KASAN: slab-use-after-free in tty_write_room+0x35/0x90 [ 76.398634][ T1311] Read of size 8 at addr ffff888043946020 by task aoe_tx0/1311 [ 76.401404][ T1311] [ 76.402399][ T1311] CPU: 0 UID: 0 PID: 1311 Comm: aoe_tx0 Not tainted 6.14.0-rc7-syzkaller-00186-gd07de43e3f05 #0 [ 76.402412][ T1311] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.402419][ T1311] Call Trace: [ 76.402425][ T1311] [ 76.402431][ T1311] dump_stack_lvl+0x241/0x360 [ 76.402445][ T1311] ? __pfx_dump_stack_lvl+0x10/0x10 [ 76.402455][ T1311] ? __pfx__printk+0x10/0x10 [ 76.402465][ T1311] ? _printk+0xd5/0x120 [ 76.402474][ T1311] ? __virt_addr_valid+0x183/0x530 [ 76.402484][ T1311] ? __virt_addr_valid+0x183/0x530 [ 76.402494][ T1311] print_report+0x16e/0x5b0 [ 76.402507][ T1311] ? __virt_addr_valid+0x183/0x530 [ 76.402516][ T1311] ? __virt_addr_valid+0x183/0x530 [ 76.402525][ T1311] ? __virt_addr_valid+0x45f/0x530 [ 76.402533][ T1311] ? __phys_addr+0xba/0x170 [ 76.402542][ T1311] ? tty_write_room+0x35/0x90 [ 76.402556][ T1311] kasan_report+0x143/0x180 [ 76.402567][ T1311] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 76.402583][ T1311] ? tty_write_room+0x35/0x90 [ 76.402598][ T1311] tty_write_room+0x35/0x90 [ 76.402611][ T1311] handle_tx+0x164/0x640 [ 76.402628][ T1311] dev_hard_start_xmit+0x27a/0x7d0 [ 76.402695][ T1311] __dev_queue_xmit+0x1b73/0x3f50 [ 76.402709][ T1311] ? __dev_queue_xmit+0x2f4/0x3f50 [ 76.402721][ T1311] ? __pfx___dev_queue_xmit+0x10/0x10 [ 76.402733][ T1311] ? skb_dequeue+0x113/0x150 [ 76.402744][ T1311] ? do_raw_spin_lock+0x14f/0x370 [ 76.402757][ T1311] ? __pfx_lock_release+0x10/0x10 [ 76.402774][ T1311] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 76.402790][ T1311] ? _raw_spin_unlock_irq+0x23/0x50 [ 76.402803][ T1311] ? lockdep_hardirqs_on+0x99/0x150 [ 76.402816][ T1311] tx+0x6b/0x180 [ 76.402825][ T1311] ? __pfx_tx+0x10/0x10 [ 76.402832][ T1311] kthread+0x23a/0x450 [ 76.402838][ T1311] ? _raw_spin_unlock_irqrestore+0x8f/0x140 [ 76.402847][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.402853][ T1311] ? __pfx_default_wake_function+0x10/0x10 [ 76.402861][ T1311] ? __kthread_parkme+0x169/0x1d0 [ 76.402870][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.402876][ T1311] kthread+0x7a9/0x920 [ 76.402885][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.402894][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.402900][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.402910][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.402919][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.402934][ T1311] ? _raw_spin_unlock_irq+0x23/0x50 [ 76.402942][ T1311] ? lockdep_hardirqs_on+0x99/0x150 [ 76.402950][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.402960][ T1311] ret_from_fork+0x4b/0x80 [ 76.402968][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.402977][ T1311] ret_from_fork_asm+0x1a/0x30 [ 76.402987][ T1311] [ 76.402990][ T1311] [ 76.506555][ T1311] Allocated by task 5321: [ 76.508256][ T1311] kasan_save_track+0x3f/0x80 [ 76.510051][ T1311] __kasan_kmalloc+0x98/0xb0 [ 76.511776][ T1311] __kmalloc_cache_noprof+0x243/0x390 [ 76.513981][ T1311] alloc_tty_struct+0xa9/0x7d0 [ 76.515972][ T1311] tty_init_dev+0x5b/0x4c0 [ 76.517629][ T1311] tty_open+0x9d9/0xde0 [ 76.519291][ T1311] chrdev_open+0x521/0x600 [ 76.521167][ T1311] do_dentry_open+0xdec/0x1960 [ 76.523110][ T1311] vfs_open+0x3b/0x370 [ 76.524710][ T1311] path_openat+0x2c81/0x3590 [ 76.526484][ T1311] do_filp_open+0x27f/0x4e0 [ 76.528409][ T1311] do_sys_openat2+0x13e/0x1d0 [ 76.530357][ T1311] __x64_sys_openat+0x247/0x2a0 [ 76.532231][ T1311] do_syscall_64+0xf3/0x230 [ 76.534091][ T1311] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.536463][ T1311] [ 76.537472][ T1311] Freed by task 5313: [ 76.539316][ T1311] kasan_save_track+0x3f/0x80 [ 76.541178][ T1311] kasan_save_free_info+0x40/0x50 [ 76.543184][ T1311] __kasan_slab_free+0x59/0x70 [ 76.545861][ T1311] kfree+0x196/0x430 [ 76.547469][ T1311] process_scheduled_works+0xabe/0x18e0 [ 76.549624][ T1311] worker_thread+0x870/0xd30 [ 76.551430][ T1311] kthread+0x7a9/0x920 [ 76.553069][ T1311] ret_from_fork+0x4b/0x80 [ 76.554858][ T1311] ret_from_fork_asm+0x1a/0x30 [ 76.556741][ T1311] [ 76.557705][ T1311] Last potentially related work creation: [ 76.560065][ T1311] kasan_save_stack+0x3f/0x60 [ 76.561949][ T1311] kasan_record_aux_stack+0xaa/0xc0 [ 76.564084][ T1311] insert_work+0x3e/0x330 [ 76.565785][ T1311] __queue_work+0xd9a/0x1090 [ 76.567512][ T1311] queue_work_on+0x1c2/0x380 [ 76.569332][ T1311] tty_release_struct+0xbc/0xe0 [ 76.571247][ T1311] tty_release+0xd06/0x12c0 [ 76.573238][ T1311] __fput+0x3e9/0x9f0 [ 76.574901][ T1311] task_work_run+0x24f/0x310 [ 76.576728][ T1311] syscall_exit_to_user_mode+0x13f/0x340 [ 76.578916][ T1311] do_syscall_64+0x100/0x230 [ 76.580731][ T1311] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.583133][ T1311] [ 76.584101][ T1311] The buggy address belongs to the object at ffff888043946000 [ 76.584101][ T1311] which belongs to the cache kmalloc-cg-2k of size 2048 [ 76.589262][ T1311] The buggy address is located 32 bytes inside of [ 76.589262][ T1311] freed 2048-byte region [ffff888043946000, ffff888043946800) [ 76.594463][ T1311] [ 76.595429][ T1311] The buggy address belongs to the physical page: [ 76.597929][ T1311] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43940 [ 76.601233][ T1311] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 76.604399][ T1311] memcg:ffff888040f41981 [ 76.606002][ T1311] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 76.608753][ T1311] page_type: f5(slab) [ 76.610241][ T1311] raw: 04fff00000000040 ffff88801b04f3c0 dead000000000122 0000000000000000 [ 76.613489][ T1311] raw: 0000000000000000 0000000000080008 00000000f5000000 ffff888040f41981 [ 76.616703][ T1311] head: 04fff00000000040 ffff88801b04f3c0 dead000000000122 0000000000000000 [ 76.620018][ T1311] head: 0000000000000000 0000000000080008 00000000f5000000 ffff888040f41981 [ 76.623355][ T1311] head: 04fff00000000003 ffffea00010e5001 ffffffffffffffff 0000000000000000 [ 76.626837][ T1311] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 76.630225][ T1311] page dumped because: kasan: bad access detected [ 76.632717][ T1311] page_owner tracks the page as allocated [ 76.634942][ T1311] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5321, tgid 5320 (syz.0.0), ts 75515242181, free_ts 67480004613 [ 76.642772][ T1311] post_alloc_hook+0x1f4/0x240 [ 76.644686][ T1311] get_page_from_freelist+0x365c/0x37a0 [ 76.646882][ T1311] __alloc_frozen_pages_noprof+0x292/0x710 [ 76.649183][ T1311] alloc_pages_mpol+0x311/0x660 [ 76.651042][ T1311] allocate_slab+0x8f/0x3a0 [ 76.652798][ T1311] ___slab_alloc+0xc27/0x14a0 [ 76.654600][ T1311] __slab_alloc+0x58/0xa0 [ 76.656234][ T1311] __kmalloc_cache_noprof+0x27b/0x390 [ 76.658355][ T1311] alloc_tty_struct+0xa9/0x7d0 [ 76.660307][ T1311] pty_common_install+0x160/0x760 [ 76.662282][ T1311] tty_init_dev+0xc1/0x4c0 [ 76.664311][ T1311] ptmx_open+0xe7/0x2d0 [ 76.665963][ T1311] chrdev_open+0x521/0x600 [ 76.667836][ T1311] do_dentry_open+0xdec/0x1960 [ 76.669806][ T1311] vfs_open+0x3b/0x370 [ 76.671480][ T1311] path_openat+0x2c81/0x3590 [ 76.673374][ T1311] page last free pid 5303 tgid 5303 stack trace: [ 76.675751][ T1311] free_frozen_pages+0xe0d/0x10e0 [ 76.677822][ T1311] __put_partials+0x160/0x1c0 [ 76.679577][ T1311] put_cpu_partial+0x17c/0x250 [ 76.681519][ T1311] __slab_free+0x290/0x380 [ 76.683393][ T1311] qlist_free_all+0x9a/0x140 [ 76.685354][ T1311] kasan_quarantine_reduce+0x14f/0x170 [ 76.687716][ T1311] __kasan_slab_alloc+0x23/0x80 [ 76.689649][ T1311] __kmalloc_node_track_caller_noprof+0x237/0x4c0 [ 76.692292][ T1311] memdup_user+0x2b/0xc0 [ 76.694128][ T1311] strndup_user+0x68/0xc0 [ 76.695876][ T1311] __se_sys_mount+0x9f/0x3c0 [ 76.697553][ T1311] do_syscall_64+0xf3/0x230 [ 76.699243][ T1311] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.701343][ T1311] [ 76.702281][ T1311] Memory state around the buggy address: [ 76.704451][ T1311] ffff888043945f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 76.707357][ T1311] ffff888043945f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 76.710350][ T1311] >ffff888043946000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.713608][ T1311] ^ [ 76.715608][ T1311] ffff888043946080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.718656][ T1311] ffff888043946100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.721775][ T1311] ================================================================== [ 76.725358][ T1311] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 76.728344][ T1311] CPU: 0 UID: 0 PID: 1311 Comm: aoe_tx0 Not tainted 6.14.0-rc7-syzkaller-00186-gd07de43e3f05 #0 [ 76.732466][ T1311] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.736611][ T1311] Call Trace: [ 76.738029][ T1311] [ 76.739134][ T1311] dump_stack_lvl+0x241/0x360 [ 76.740991][ T1311] ? mark_lock+0x9a/0x360 [ 76.742725][ T1311] ? __pfx_dump_stack_lvl+0x10/0x10 [ 76.744863][ T1311] ? __pfx__printk+0x10/0x10 [ 76.746633][ T1311] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 76.748918][ T1311] ? vscnprintf+0x5d/0x90 [ 76.750543][ T1311] panic+0x349/0x880 [ 76.752087][ T1311] ? check_panic_on_warn+0x21/0xb0 [ 76.754099][ T1311] ? __pfx_panic+0x10/0x10 [ 76.755971][ T1311] ? _raw_spin_unlock_irqrestore+0xd8/0x140 [ 76.758308][ T1311] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 76.760711][ T1311] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 76.763277][ T1311] check_panic_on_warn+0x86/0xb0 [ 76.765295][ T1311] ? tty_write_room+0x35/0x90 [ 76.767255][ T1311] end_report+0x77/0x160 [ 76.768950][ T1311] kasan_report+0x154/0x180 [ 76.770763][ T1311] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 76.773364][ T1311] ? tty_write_room+0x35/0x90 [ 76.775299][ T1311] tty_write_room+0x35/0x90 [ 76.777259][ T1311] handle_tx+0x164/0x640 [ 76.778982][ T1311] dev_hard_start_xmit+0x27a/0x7d0 [ 76.780911][ T1311] __dev_queue_xmit+0x1b73/0x3f50 [ 76.782872][ T1311] ? __dev_queue_xmit+0x2f4/0x3f50 [ 76.784841][ T1311] ? __pfx___dev_queue_xmit+0x10/0x10 [ 76.786872][ T1311] ? skb_dequeue+0x113/0x150 [ 76.788736][ T1311] ? do_raw_spin_lock+0x14f/0x370 [ 76.790771][ T1311] ? __pfx_lock_release+0x10/0x10 [ 76.792735][ T1311] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 76.794976][ T1311] ? _raw_spin_unlock_irq+0x23/0x50 [ 76.797007][ T1311] ? lockdep_hardirqs_on+0x99/0x150 [ 76.799093][ T1311] tx+0x6b/0x180 [ 76.800606][ T1311] ? __pfx_tx+0x10/0x10 [ 76.802212][ T1311] kthread+0x23a/0x450 [ 76.803911][ T1311] ? _raw_spin_unlock_irqrestore+0x8f/0x140 [ 76.806264][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.807956][ T1311] ? __pfx_default_wake_function+0x10/0x10 [ 76.810202][ T1311] ? __kthread_parkme+0x169/0x1d0 [ 76.812121][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.814016][ T1311] kthread+0x7a9/0x920 [ 76.815644][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.817556][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.819442][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.821228][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.823036][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.825091][ T1311] ? _raw_spin_unlock_irq+0x23/0x50 [ 76.827134][ T1311] ? lockdep_hardirqs_on+0x99/0x150 [ 76.829276][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.831143][ T1311] ret_from_fork+0x4b/0x80 [ 76.832949][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.834808][ T1311] ret_from_fork_asm+0x1a/0x30 [ 76.836661][ T1311] [ 76.838201][ T1311] Kernel Offset: disabled [ 76.839986][ T1311] Rebooting in 86400 seconds..