Warning: Permanently added '10.128.0.245' (ECDSA) to the list of known hosts.
executing program
[ 36.105363][ T4219] udevd[4219]: setting mode of /dev/gsmtty12 to 020600 failed: No such file or directory
[ 36.108436][ T4219] udevd[4219]: setting owner of /dev/gsmtty12 to uid=0, gid=0 failed: No such file or directory
[ 36.158272][ T4218] udevd[4218]: setting mode of /dev/gsmtty33 to 020600 failed: No such file or directory
[ 36.160677][ T4218] udevd[4218]: setting owner of /dev/gsmtty33 to uid=0, gid=0 failed: No such file or directory
[ 36.219054][ T4220] udevd[4220]: setting mode of /dev/gsmtty56 to 020600 failed: No such file or directory
[ 36.221317][ T4220] udevd[4220]: setting owner of /dev/gsmtty56 to uid=0, gid=0 failed: No such file or directory
[ 36.234549][ T4221] ==================================================================
[ 36.236520][ T4221] BUG: KASAN: use-after-free in gsm_cleanup_mux+0x700/0x7d8
[ 36.238137][ T4221] Read of size 4 at addr ffff0000c464a00c by task syz-executor413/4221
[ 36.240078][ T4221]
[ 36.240639][ T4221] CPU: 0 PID: 4221 Comm: syz-executor413 Not tainted 6.1.30-syzkaller #0
[ 36.242542][ T4221] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
[ 36.244758][ T4221] Call trace:
[ 36.245540][ T4221]  dump_backtrace+0x1c8/0x1f4
[ 36.246642][ T4221]  show_stack+0x2c/0x3c
[ 36.247618][ T4221]  dump_stack_lvl+0x108/0x170
[ 36.248747][ T4221]  print_report+0x174/0x4c0
[ 36.249838][ T4221]  kasan_report+0xd4/0x130
[ 36.250816][ T4221]  __asan_report_load4_noabort+0x2c/0x38
[ 36.252131][ T4221]  gsm_cleanup_mux+0x700/0x7d8
[ 36.253258][ T4221]  gsmld_ioctl+0x9d4/0x1384
[ 36.254332][ T4221]  tty_ioctl+0x924/0xd8c
[ 36.255374][ T4221]  __arm64_sys_ioctl+0x14c/0x1c8
[ 36.256540][ T4221]  invoke_syscall+0x98/0x2c0
[ 36.257587][ T4221]  el0_svc_common+0x138/0x258
[ 36.258670][ T4221]  do_el0_svc+0x64/0x218
[ 36.259621][ T4221]  el0_svc+0x58/0x168
[ 36.260562][ T4221]  el0t_64_sync_handler+0x84/0xf0
[ 36.261723][ T4221]  el0t_64_sync+0x18c/0x190
[ 36.262864][ T4221]
[ 36.263370][ T4221] Allocated by task 4216:
[ 36.264365][ T4221]  kasan_set_track+0x4c/0x80
[ 36.265435][ T4221]  kasan_save_alloc_info+0x24/0x30
[ 36.266599][ T4221]  __kasan_kmalloc+0xac/0xc4
[ 36.267684][ T4221]  kmalloc_trace+0x7c/0x94
[ 36.268763][ T4221]  gsm_dlci_alloc+0x60/0x340
[ 36.269819][ T4221]  gsm_activate_mux+0x30/0x268
[ 36.270954][ T4221]  gsmld_ioctl+0xbc0/0x1384
[ 36.271977][ T4221]  tty_ioctl+0x924/0xd8c
[ 36.272960][ T4221]  __arm64_sys_ioctl+0x14c/0x1c8
[ 36.274085][ T4221]  invoke_syscall+0x98/0x2c0
[ 36.275198][ T4221]  el0_svc_common+0x138/0x258
[ 36.276337][ T4221]  do_el0_svc+0x64/0x218
[ 36.277353][ T4221]  el0_svc+0x58/0x168
[ 36.278292][ T4221]  el0t_64_sync_handler+0x84/0xf0
[ 36.279437][ T4221]  el0t_64_sync+0x18c/0x190
[ 36.280535][ T4221]
[ 36.281058][ T4221] Freed by task 4216:
[ 36.282007][ T4221]  kasan_set_track+0x4c/0x80
[ 36.283077][ T4221]  kasan_save_free_info+0x38/0x5c
[ 36.284304][ T4221]  ____kasan_slab_free+0x144/0x1c0
[ 36.285485][ T4221]  __kasan_slab_free+0x18/0x28
[ 36.286523][ T4221]  __kmem_cache_free+0x2c0/0x4b4
[ 36.287743][ T4221]  kfree+0xcc/0x1b8
[ 36.288634][ T4221]  gsm_dlci_free+0x11c/0x168
[ 36.289626][ T4221]  tty_port_put+0xfc/0x190
[ 36.290627][ T4221]  gsm_cleanup_mux+0x48c/0x7d8
[ 36.291695][ T4221]  gsmld_ioctl+0x9d4/0x1384
[ 36.292726][ T4221]  tty_ioctl+0x924/0xd8c
[ 36.293688][ T4221]  __arm64_sys_ioctl+0x14c/0x1c8
[ 36.294834][ T4221]  invoke_syscall+0x98/0x2c0
[ 36.295888][ T4221]  el0_svc_common+0x138/0x258
[ 36.297001][ T4221]  do_el0_svc+0x64/0x218
[ 36.298019][ T4221]  el0_svc+0x58/0x168
[ 36.298954][ T4221]  el0t_64_sync_handler+0x84/0xf0
[ 36.300143][ T4221]  el0t_64_sync+0x18c/0x190
[ 36.301248][ T4221]
[ 36.301815][ T4221] The buggy address belongs to the object at ffff0000c464a000
[ 36.301815][ T4221]  which belongs to the cache kmalloc-2k of size 2048
[ 36.305094][ T4221] The buggy address is located 12 bytes inside of
[ 36.305094][ T4221]  2048-byte region [ffff0000c464a000, ffff0000c464a800)
[ 36.308183][ T4221]
[ 36.308744][ T4221] The buggy address belongs to the physical page:
[ 36.310240][ T4221] page:00000000e54018b5 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104648
[ 36.312673][ T4221] head:00000000e54018b5 order:3 compound_mapcount:0 compound_pincount:0
[ 36.314623][ T4221] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 36.316538][ T4221] raw: 05ffc00000010200 0000000000000000 dead000000000001 ffff0000c0002900
[ 36.318521][ T4221] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 36.320506][ T4221] page dumped because: kasan: bad access detected
[ 36.322030][ T4221]
[ 36.322573][ T4221] Memory state around the buggy address:
[ 36.323832][ T4221]  ffff0000c4649f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.325607][ T4221]  ffff0000c4649f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.327527][ T4221] >ffff0000c464a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.329392][ T4221]                               ^
[ 36.330406][ T4221]  ffff0000c464a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.332511][ T4221]  ffff0000c464a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.334408][ T4221] ==================================================================
[ 36.345585][ T4221] Disabling lock debugging due to kernel taint
[ 36.346942][ T4221] ================================================================================
[ 36.349046][ T4221] UBSAN: array-index-out-of-bounds in kernel/locking/qspinlock.c:131:9
[ 36.350983][ T4221] index 1163 is out of range for type 'unsigned long[8]'
[ 36.352629][ T4221] CPU: 0 PID: 4221 Comm: syz-executor413 Tainted: G B 6.1.30-syzkaller #0
[ 36.354834][ T4221] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
[ 36.357135][ T4221] Call trace:
[ 36.357838][ T4221]  dump_backtrace+0x1c8/0x1f4
[ 36.358912][ T4221]  show_stack+0x2c/0x3c
[ 36.359852][ T4221]  dump_stack_lvl+0x108/0x170
[ 36.360909][ T4221]  dump_stack+0x1c/0x58
[ 36.361876][ T4221]  __ubsan_handle_out_of_bounds+0xfc/0x148
[ 36.363242][ T4221]  queued_spin_lock_slowpath+0x9fc/0xe48
[ 36.364629][ T4221]  do_raw_spin_lock+0x330/0x358
[ 36.365859][ T4221]  _raw_spin_lock_irqsave+0x74/0xb4
[ 36.367054][ T4221]  gsm_send+0x31c/0x604
[ 36.367997][ T4221]  gsm_cleanup_mux+0x1a0/0x7d8
[ 36.369093][ T4221]  gsmld_ioctl+0x9d4/0x1384
[ 36.370162][ T4221]  tty_ioctl+0x924/0xd8c
[ 36.371157][ T4221]  __arm64_sys_ioctl+0x14c/0x1c8
[ 36.372317][ T4221]  invoke_syscall+0x98/0x2c0
[ 36.373395][ T4221]  el0_svc_common+0x138/0x258
[ 36.374504][ T4221]  do_el0_svc+0x64/0x218
[ 36.375542][ T4221]  el0_svc+0x58/0x168
[ 36.376494][ T4221]  el0t_64_sync_handler+0x84/0xf0
[ 36.377666][ T4221]  el0t_64_sync+0x18c/0x190
[ 36.378798][ T4221] ================================================================================