syzbot

==================================================================
BUG: KASAN: use-after-free in n_tty_check_throttle drivers/tty/n_tty.c:264 [inline]
BUG: KASAN: use-after-free in n_tty_receive_buf_common+0x26a4/0x2ab0 drivers/tty/n_tty.c:1759
Read of size 1 at addr ffff8880a5a54301 by task syz-executor899/8162

CPU: 0 PID: 8162 Comm: syz-executor899 Not tainted 4.19.103-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 n_tty_check_throttle drivers/tty/n_tty.c:264 [inline]
 n_tty_receive_buf_common+0x26a4/0x2ab0 drivers/tty/n_tty.c:1759
 n_tty_receive_buf2+0x34/0x40 drivers/tty/n_tty.c:1775
 tty_ldisc_receive_buf+0xad/0x1c0 drivers/tty/tty_buffer.c:456
 paste_selection+0x1ff/0x443 drivers/tty/vt/selection.c:359
 tioclinux+0x133/0x470 drivers/tty/vt/vt.c:3019
 vt_ioctl+0x19ab/0x2530 drivers/tty/vt/vt_ioctl.c:364
 tty_ioctl+0x7f3/0x1510 drivers/tty/tty_io.c:2669
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441329
Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffdb6721268 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441329
RDX: 0000000020000040 RSI: 000000000000541c RDI: 0000000000000004
RBP: 000000000000d496 R08: 000000000000000d R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004020a0
R13: 0000000000402130 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 8162:
 save_stack+0x45/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc mm/kasan/kasan.c:553 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
 __do_kmalloc mm/slab.c:3727 [inline]
 __kmalloc+0x15d/0x750 mm/slab.c:3736
 kmalloc_array include/linux/slab.h:637 [inline]
 set_selection+0x7e4/0x1370 drivers/tty/vt/selection.c:293
 tioclinux+0x11c/0x470 drivers/tty/vt/vt.c:3015
 vt_ioctl+0x19ab/0x2530 drivers/tty/vt/vt_ioctl.c:364
 tty_ioctl+0x7f3/0x1510 drivers/tty/tty_io.c:2669
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8163:
 save_stack+0x45/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcf/0x220 mm/slab.c:3822
 set_selection+0x801/0x1370 drivers/tty/vt/selection.c:300
 tioclinux+0x11c/0x470 drivers/tty/vt/vt.c:3015
 vt_ioctl+0x19ab/0x2530 drivers/tty/vt/vt_ioctl.c:364
 tty_ioctl+0x7f3/0x1510 drivers/tty/tty_io.c:2669
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880a5a54300
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 1 bytes inside of
 512-byte region [ffff8880a5a54300, ffff8880a5a54500)
The buggy address belongs to the page:
page:ffffea0002969500 count:1 mapcount:0 mapping:ffff88812c31c940 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea000241c6c8 ffffea0002961d08 ffff88812c31c940
raw: 0000000000000000 ffff8880a5a54080 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a5a54200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a5a54280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a5a54300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8880a5a54380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a5a54400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================