program: r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000100), 0x800, 0x0) ioctl$TIOCSETD(r0, 0x5423, &(0x7f0000000040)=0x14) io_setup(0x5, &(0x7f0000002740)=0x0) io_pgetevents(r1, 0x1, 0x1, &(0x7f0000000140)=[{}], 0x0, 0x0) r2 = socket$inet_mptcp(0x2, 0x1, 0x106) ioctl$sock_inet_SIOCSIFNETMASK(r2, 0x891c, &(0x7f0000000380)={'wg1\x00', {0x2, 0x4e23, @dev={0xac, 0x14, 0x14, 0x20}}}) r3 = socket(0x10, 0x2, 0x0) write(r3, &(0x7f0000000040)="1c0000001a009b8a140000003b9b301f00"/28, 0x1c) recvmmsg(r3, &(0x7f0000002ec0), 0x400000000000ec0, 0x2, &(0x7f00000001c0)={0x77359400}) sendmsg$NFT_BATCH(r3, &(0x7f00000000c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000080)={&(0x7f0000000200)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x1}}, [@NFT_MSG_DELCHAIN={0x84, 0x5, 0xa, 0x301, 0x0, 0x0, {0x1, 0x0, 0x6}, [@NFTA_CHAIN_USERDATA={0x70, 0xc, "2588bdf76145705bdcd87dd8d1307fe879437e4ca8c0a88cc58dce2abccbb43b1b0ecf128556556e65dd273def4806b3c0cc6db0231fdda1dd2623861bea9a4752fda4c74fc75f76064ddcfebd99b0aea44f1c4c8a32908420d9ae8998e31d876b68f2b36835e7307799cf7b"}]}, @NFT_MSG_DELTABLE={0xb4, 0x2, 0xa, 0x201, 0x0, 0x0, {0x1, 0x0, 0xa}, [@NFTA_TABLE_HANDLE={0xc, 0x4, 0x1, 0x0, 0x4}, @NFTA_TABLE_FLAGS={0x8, 0x2, 0x1, 0x0, 0x1}, @NFTA_TABLE_USERDATA={0x7c, 0x6, "8fa6f58b2c4c98218bbec250e838e362273b7f18ab25bbcedd640a96b534359c713000e419772d122afabfc0d23d82d4e157198f3e118904b004d1dce449cb077bd4c82ae6499f8ff87a7c6d42796a18d63ee0af038c23f12f0634ed65241afcd403702aed8f11a717a229b53c765309df234779386aa7b2"}, @NFTA_TABLE_FLAGS={0x8}, @NFTA_TABLE_FLAGS={0x8, 0x2, 0x1, 0x0, 0x2}]}], {0x14, 0x11, 0x1, 0x0, 0x0, {0xa}}}, 0x160}, 0x1, 0x0, 0x0, 0x40}, 0x8844) r4 = socket$nl_route(0x10, 0x3, 0x0) io_pgetevents(r1, 0x1, 0x1, &(0x7f0000000180)=[{}], 0x0, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) io_submit(r1, 0x1, &(0x7f00000001c0)=[&(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x0, r4, 0x0}]) r5 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000100), 0x800, 0x0) ioctl$TIOCSETD(r5, 0x5423, &(0x7f0000000040)=0x14) [ 75.407826][ T4659] Bluetooth: hci0: command tx timeout [ 76.342725][ T1311] ieee802154 phy0 wpan0: encryption failed: -22 [ 76.345237][ T1311] ieee802154 phy1 wpan1: encryption failed: -22 [ 76.348475][ T1311] ================================================================== [ 76.351685][ T1311] BUG: KASAN: slab-use-after-free in pty_write_room+0x89/0xb0 [ 76.354930][ T1311] Read of size 8 at addr ffff88803381d018 by task aoe_tx0/1311 [ 76.357884][ T1311] [ 76.359080][ T1311] CPU: 0 UID: 0 PID: 1311 Comm: aoe_tx0 Not tainted syzkaller #0 PREEMPT(full) [ 76.359094][ T1311] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 76.359102][ T1311] Call Trace: [ 76.359108][ T1311] [ 76.359115][ T1311] dump_stack_lvl+0xe8/0x150 [ 76.359135][ T1311] print_report+0xba/0x230 [ 76.359149][ T1311] ? pty_write_room+0x89/0xb0 [ 76.359166][ T1311] kasan_report+0x117/0x150 [ 76.359180][ T1311] ? pty_write_room+0x89/0xb0 [ 76.359196][ T1311] pty_write_room+0x89/0xb0 [ 76.359211][ T1311] handle_tx+0x163/0x610 [ 76.359230][ T1311] dev_hard_start_xmit+0x2cd/0x7f0 [ 76.359304][ T1311] __dev_queue_xmit+0x168f/0x3850 [ 76.359317][ T1311] ? __dev_queue_xmit+0x274/0x3850 [ 76.359330][ T1311] ? __lock_acquire+0x6b5/0x2cf0 [ 76.359343][ T1311] ? __pfx___dev_queue_xmit+0x10/0x10 [ 76.359357][ T1311] ? do_raw_spin_lock+0x12b/0x2f0 [ 76.359377][ T1311] ? _raw_spin_unlock_irq+0x23/0x50 [ 76.359389][ T1311] tx+0x6b/0x190 [ 76.359401][ T1311] ? __pfx_tx+0x10/0x10 [ 76.359413][ T1311] kthread+0x1e0/0x3f0 [ 76.359423][ T1311] ? lock_acquire+0x106/0x330 [ 76.359435][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.359446][ T1311] ? __pfx_default_wake_function+0x10/0x10 [ 76.359458][ T1311] ? __kthread_parkme+0x7a/0x1f0 [ 76.359473][ T1311] kthread+0x388/0x470 [ 76.359488][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.359497][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.359512][ T1311] ret_from_fork+0x51e/0xb90 [ 76.359525][ T1311] ? __pfx_ret_from_fork+0x10/0x10 [ 76.359537][ T1311] ? __switch_to+0xc7d/0x1400 [ 76.359547][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.359562][ T1311] ret_from_fork_asm+0x1a/0x30 [ 76.359588][ T1311] [ 76.359593][ T1311] [ 76.434784][ T1311] Allocated by task 5311: [ 76.436801][ T1311] kasan_save_track+0x3e/0x80 [ 76.438928][ T1311] __kasan_kmalloc+0x93/0xb0 [ 76.441079][ T1311] __kmalloc_cache_noprof+0x31c/0x660 [ 76.443557][ T1311] alloc_tty_struct+0xa6/0x7a0 [ 76.445710][ T1311] pty_common_install+0x17d/0x760 [ 76.447866][ T1311] tty_init_dev+0xd7/0x4d0 [ 76.449704][ T1311] ptmx_open+0x117/0x340 [ 76.451457][ T1311] chrdev_open+0x4cd/0x5e0 [ 76.453330][ T1311] do_dentry_open+0x785/0x14e0 [ 76.455313][ T1311] vfs_open+0x3b/0x340 [ 76.457059][ T1311] path_openat+0x2e08/0x3860 [ 76.459290][ T1311] do_file_open+0x23e/0x4a0 [ 76.461325][ T1311] do_sys_openat2+0x113/0x200 [ 76.463282][ T1311] __x64_sys_openat+0x138/0x170 [ 76.465496][ T1311] do_syscall_64+0x14d/0xf80 [ 76.467633][ T1311] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.470311][ T1311] [ 76.471465][ T1311] Freed by task 5298: [ 76.473278][ T1311] kasan_save_track+0x3e/0x80 [ 76.475463][ T1311] kasan_save_free_info+0x46/0x50 [ 76.477647][ T1311] __kasan_slab_free+0x5c/0x80 [ 76.479731][ T1311] kfree+0x1c1/0x610 [ 76.481449][ T1311] process_scheduled_works+0xaec/0x17a0 [ 76.483962][ T1311] worker_thread+0xa50/0xfc0 [ 76.486015][ T1311] kthread+0x388/0x470 [ 76.487703][ T1311] ret_from_fork+0x51e/0xb90 [ 76.489750][ T1311] ret_from_fork_asm+0x1a/0x30 [ 76.491799][ T1311] [ 76.492853][ T1311] Last potentially related work creation: [ 76.495306][ T1311] kasan_save_stack+0x3e/0x60 [ 76.497400][ T1311] kasan_record_aux_stack+0xbd/0xd0 [ 76.499606][ T1311] insert_work+0x3d/0x330 [ 76.501502][ T1311] __queue_work+0xccf/0xf90 [ 76.503540][ T1311] queue_work_on+0x106/0x1d0 [ 76.505665][ T1311] release_tty+0x4c1/0x570 [ 76.507684][ T1311] tty_release_struct+0xb8/0xd0 [ 76.509847][ T1311] tty_release+0xcb0/0x1710 [ 76.511904][ T1311] __fput+0x44f/0xa70 [ 76.513712][ T1311] task_work_run+0x1d9/0x270 [ 76.515789][ T1311] exit_to_user_mode_loop+0xed/0x480 [ 76.518198][ T1311] do_syscall_64+0x32d/0xf80 [ 76.520235][ T1311] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.522826][ T1311] [ 76.523901][ T1311] The buggy address belongs to the object at ffff88803381d000 [ 76.523901][ T1311] which belongs to the cache kmalloc-cg-2k of size 2048 [ 76.530303][ T1311] The buggy address is located 24 bytes inside of [ 76.530303][ T1311] freed 2048-byte region [ffff88803381d000, ffff88803381d800) [ 76.536353][ T1311] [ 76.537472][ T1311] The buggy address belongs to the physical page: [ 76.540334][ T1311] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33818 [ 76.544182][ T1311] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 76.547980][ T1311] memcg:ffff88803946c801 [ 76.549842][ T1311] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 76.553221][ T1311] page_type: f5(slab) [ 76.555107][ T1311] raw: 04fff00000000040 ffff88801a8583c0 dead000000000100 dead000000000122 [ 76.559043][ T1311] raw: 0000000000000000 0000000800080008 00000000f5000000 ffff88803946c801 [ 76.562812][ T1311] head: 04fff00000000040 ffff88801a8583c0 dead000000000100 dead000000000122 [ 76.566609][ T1311] head: 0000000000000000 0000000800080008 00000000f5000000 ffff88803946c801 [ 76.570502][ T1311] head: 04fff00000000003 ffffea0000ce0601 00000000ffffffff 00000000ffffffff [ 76.574513][ T1311] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 76.578393][ T1311] page dumped because: kasan: bad access detected [ 76.581317][ T1311] page_owner tracks the page as allocated [ 76.583828][ T1311] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 15647114748, free_ts 15446853204 [ 76.592609][ T1311] post_alloc_hook+0x231/0x280 [ 76.594722][ T1311] get_page_from_freelist+0x24dc/0x2580 [ 76.597244][ T1311] __alloc_frozen_pages_noprof+0x18d/0x380 [ 76.599882][ T1311] allocate_slab+0x77/0x660 [ 76.601754][ T1311] refill_objects+0x331/0x3c0 [ 76.603818][ T1311] __pcs_replace_empty_main+0x2b9/0x620 [ 76.606159][ T1311] __kmalloc_node_track_caller_noprof+0x572/0x7b0 [ 76.608929][ T1311] kmemdup_noprof+0x2b/0x70 [ 76.610958][ T1311] neigh_sysctl_register+0xae/0xa90 [ 76.613219][ T1311] devinet_sysctl_register+0xad/0x200 [ 76.615526][ T1311] inetdev_init+0x2a4/0x4e0 [ 76.617550][ T1311] inetdev_event+0x30d/0x1610 [ 76.619417][ T1311] notifier_call_chain+0x19d/0x3a0 [ 76.621679][ T1311] register_netdevice+0x173a/0x1cf0 [ 76.623983][ T1311] register_netdev+0x40/0x60 [ 76.626215][ T1311] e1000_probe+0x1e94/0x2af0 [ 76.628229][ T1311] page last free pid 1 tgid 1 stack trace: [ 76.630816][ T1311] __free_frozen_pages+0xc01/0xd80 [ 76.633090][ T1311] __slab_free+0x263/0x2b0 [ 76.635132][ T1311] qlist_free_all+0x97/0x100 [ 76.637208][ T1311] kasan_quarantine_reduce+0x148/0x160 [ 76.639682][ T1311] __kasan_slab_alloc+0x22/0x80 [ 76.641844][ T1311] __kmalloc_cache_noprof+0x2ba/0x660 [ 76.643879][ T1311] lookup_or_create_module_kobject+0x75/0x170 [ 76.646460][ T1311] module_add_driver+0x79/0x320 [ 76.648539][ T1311] bus_add_driver+0x391/0x670 [ 76.650553][ T1311] driver_register+0x23a/0x320 [ 76.652644][ T1311] e1000_init_module+0x40/0x80 [ 76.654649][ T1311] do_one_initcall+0x250/0x840 [ 76.656873][ T1311] do_initcall_level+0x104/0x190 [ 76.658954][ T1311] do_initcalls+0x59/0xa0 [ 76.660870][ T1311] kernel_init_freeable+0x2a6/0x3e0 [ 76.663286][ T1311] kernel_init+0x1d/0x1d0 [ 76.665106][ T1311] [ 76.666210][ T1311] Memory state around the buggy address: [ 76.668683][ T1311] ffff88803381cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 76.672085][ T1311] ffff88803381cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 76.675593][ T1311] >ffff88803381d000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.679312][ T1311] ^ [ 76.681479][ T1311] ffff88803381d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.684902][ T1311] ffff88803381d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.688453][ T1311] ================================================================== [ 76.692212][ T1311] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 76.695464][ T1311] CPU: 0 UID: 0 PID: 1311 Comm: aoe_tx0 Not tainted syzkaller #0 PREEMPT(full) [ 76.699493][ T1311] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 76.703658][ T1311] Call Trace: [ 76.705073][ T1311] [ 76.706370][ T1311] vpanic+0x56c/0xa60 [ 76.708219][ T1311] ? __pfx_vpanic+0x10/0x10 [ 76.710259][ T1311] ? irqentry_exit+0x59e/0x620 [ 76.712393][ T1311] panic+0xc5/0xd0 [ 76.714124][ T1311] ? __pfx_panic+0x10/0x10 [ 76.716036][ T1311] ? pty_write_room+0x89/0xb0 [ 76.717961][ T1311] ? pty_write_room+0x89/0xb0 [ 76.719953][ T1311] check_panic_on_warn+0x89/0xb0 [ 76.721885][ T1311] ? pty_write_room+0x89/0xb0 [ 76.723799][ T1311] end_report+0x6f/0x140 [ 76.725500][ T1311] kasan_report+0x128/0x150 [ 76.727225][ T1311] ? pty_write_room+0x89/0xb0 [ 76.729098][ T1311] pty_write_room+0x89/0xb0 [ 76.730900][ T1311] handle_tx+0x163/0x610 [ 76.732686][ T1311] dev_hard_start_xmit+0x2cd/0x7f0 [ 76.734815][ T1311] __dev_queue_xmit+0x168f/0x3850 [ 76.737077][ T1311] ? __dev_queue_xmit+0x274/0x3850 [ 76.739382][ T1311] ? __lock_acquire+0x6b5/0x2cf0 [ 76.741590][ T1311] ? __pfx___dev_queue_xmit+0x10/0x10 [ 76.744088][ T1311] ? do_raw_spin_lock+0x12b/0x2f0 [ 76.746429][ T1311] ? _raw_spin_unlock_irq+0x23/0x50 [ 76.748760][ T1311] tx+0x6b/0x190 [ 76.750381][ T1311] ? __pfx_tx+0x10/0x10 [ 76.752164][ T1311] kthread+0x1e0/0x3f0 [ 76.753704][ T1311] ? lock_acquire+0x106/0x330 [ 76.755709][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.757617][ T1311] ? __pfx_default_wake_function+0x10/0x10 [ 76.760151][ T1311] ? __kthread_parkme+0x7a/0x1f0 [ 76.762270][ T1311] kthread+0x388/0x470 [ 76.764070][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.766103][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.768093][ T1311] ret_from_fork+0x51e/0xb90 [ 76.770145][ T1311] ? __pfx_ret_from_fork+0x10/0x10 [ 76.772449][ T1311] ? __switch_to+0xc7d/0x1400 [ 76.774562][ T1311] ? __pfx_kthread+0x10/0x10 [ 76.776509][ T1311] ret_from_fork_asm+0x1a/0x30 [ 76.778575][ T1311] [ 76.780195][ T1311] Kernel Offset: disabled [ 76.782084][ T1311] Rebooting in 86400 seconds..