Warning: Permanently added '10.128.1.173' (ED25519) to the list of known hosts.
executing program
executing program
executing program
executing program
[   45.184833][ T4021] ==================================================================
[   45.187056][ T4021] BUG: KASAN: use-after-free in ax25_fillin_cb+0x39c/0x588
[   45.188883][ T4021] Read of size 4 at addr ffff0000c11d3838 by task syz-executor282/4021
[   45.190964][ T4021] 
[   45.191584][ T4021] CPU: 1 PID: 4021 Comm: syz-executor282 Not tainted 5.15.178-syzkaller #0
[   45.193798][ T4021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[   45.196383][ T4021] Call trace:
[   45.197237][ T4021]  dump_backtrace+0x0/0x530
[   45.198460][ T4021]  show_stack+0x2c/0x3c
[   45.199506][ T4021]  dump_stack_lvl+0x108/0x170
[   45.200706][ T4021]  print_address_description+0x7c/0x3f0
[   45.202053][ T4021]  kasan_report+0x174/0x1e4
[   45.203166][ T4021]  __asan_report_load4_noabort+0x44/0x50
[   45.204537][ T4021]  ax25_fillin_cb+0x39c/0x588
[   45.205805][ T4021]  ax25_setsockopt+0x980/0xcdc
[   45.207086][ T4021]  __sys_setsockopt+0x3a8/0x6b4
[   45.208355][ T4021]  __arm64_sys_setsockopt+0xb8/0xd4
[   45.209729][ T4021]  invoke_syscall+0x98/0x2b8
[   45.210931][ T4021]  el0_svc_common+0x138/0x258
[   45.213383][ T4021]  do_el0_svc+0x58/0x14c
[   45.215632][ T4021]  el0_svc+0x7c/0x1f0
[   45.217890][ T4021]  el0t_64_sync_handler+0x84/0xe4
[   45.220417][ T4021]  el0t_64_sync+0x1a0/0x1a4
[   45.221526][ T4021] 
[   45.222099][ T4021] Allocated by task 4018:
[   45.223175][ T4021]  ____kasan_kmalloc+0xbc/0xfc
[   45.224348][ T4021]  __kasan_kmalloc+0x10/0x1c
[   45.225432][ T4021]  kmem_cache_alloc_trace+0x27c/0x47c
[   45.226787][ T4021]  ax25_dev_device_up+0x5c/0x548
[   45.228037][ T4021]  ax25_device_event+0x500/0x58c
[   45.229394][ T4021]  raw_notifier_call_chain+0xd4/0x164
[   45.230773][ T4021]  __dev_notify_flags+0x2ac/0x534
[   45.232006][ T4021]  dev_change_flags+0xc8/0x154
[   45.233207][ T4021]  dev_ifsioc+0x140/0xfe4
[   45.234311][ T4021]  dev_ioctl+0x4e0/0xd3c
[   45.235287][ T4021]  sock_do_ioctl+0x1dc/0x2dc
[   45.236391][ T4021]  sock_ioctl+0x4f0/0x8ac
[   45.237470][ T4021]  __arm64_sys_ioctl+0x14c/0x1c8
[   45.238669][ T4021]  invoke_syscall+0x98/0x2b8
[   45.239804][ T4021]  el0_svc_common+0x138/0x258
[   45.240914][ T4021]  do_el0_svc+0x58/0x14c
[   45.242044][ T4021]  el0_svc+0x7c/0x1f0
[   45.243020][ T4021]  el0t_64_sync_handler+0x84/0xe4
[   45.244303][ T4021]  el0t_64_sync+0x1a0/0x1a4
[   45.245453][ T4021] 
[   45.246032][ T4021] Freed by task 4020:
[   45.247041][ T4021]  kasan_set_track+0x4c/0x84
[   45.248199][ T4021]  kasan_set_free_info+0x28/0x4c
[   45.249493][ T4021]  ____kasan_slab_free+0x118/0x164
[   45.250777][ T4021]  __kasan_slab_free+0x18/0x28
[   45.251951][ T4021]  slab_free_freelist_hook+0x128/0x1ec
[   45.253327][ T4021]  kfree+0x178/0x410
[   45.254269][ T4021]  ax25_release+0x57c/0x82c
[   45.255414][ T4021]  sock_close+0xb8/0x1fc
[   45.256467][ T4021]  __fput+0x1c4/0x800
[   45.257456][ T4021]  ____fput+0x20/0x30
[   45.258516][ T4021]  task_work_run+0x130/0x1e4
[   45.259647][ T4021]  do_exit+0x670/0x20bc
[   45.260677][ T4021]  do_group_exit+0x110/0x268
[   45.261864][ T4021]  __wake_up_parent+0x0/0x60
[   45.262988][ T4021]  invoke_syscall+0x98/0x2b8
[   45.264148][ T4021]  el0_svc_common+0x138/0x258
[   45.265365][ T4021]  do_el0_svc+0x58/0x14c
[   45.266485][ T4021]  el0_svc+0x7c/0x1f0
[   45.267454][ T4021]  el0t_64_sync_handler+0x84/0xe4
[   45.268707][ T4021]  el0t_64_sync+0x1a0/0x1a4
[   45.269815][ T4021] 
[   45.270391][ T4021] The buggy address belongs to the object at ffff0000c11d3800
[   45.270391][ T4021]  which belongs to the cache kmalloc-256 of size 256
[   45.274013][ T4021] The buggy address is located 56 bytes inside of
[   45.274013][ T4021]  256-byte region [ffff0000c11d3800, ffff0000c11d3900)
[   45.277322][ T4021] The buggy address belongs to the page:
[   45.278700][ T4021] page:00000000817a66f4 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1011d2
[   45.281245][ T4021] head:00000000817a66f4 order:1 compound_mapcount:0
[   45.282855][ T4021] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[   45.284846][ T4021] raw: 05ffc00000010200 dead000000000100 dead000000000122 ffff0000c0002480
[   45.287234][ T4021] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   45.289376][ T4021] page dumped because: kasan: bad access detected
[   45.291076][ T4021] 
[   45.291694][ T4021] Memory state around the buggy address:
[   45.293084][ T4021]  ffff0000c11d3700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   45.295086][ T4021]  ffff0000c11d3780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   45.297184][ T4021] >ffff0000c11d3800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.299181][ T4021]                                         ^
[   45.300623][ T4021]  ffff0000c11d3880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.302646][ T4021]  ffff0000c11d3900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   45.304706][ T4021] ==================================================================
[   45.306776][ T4021] Disabling lock debugging due to kernel taint
[   45.310149][ T4021] Unable to handle kernel paging request at virtual address ab8002590000155c
[   45.312378][ T4021] Mem abort info:
[   45.313290][ T4021]   ESR = 0x0000000096000004
[   45.314423][ T4021]   EC = 0x25: DABT (current EL), IL = 32 bits
[   45.316313][ T4021]   SET = 0, FnV = 0
[   45.317311][ T4021]   EA = 0, S1PTW = 0
[   45.318307][ T4021]   FSC = 0x04: level 0 translation fault
[   45.319714][ T4021] Data abort info:
[   45.320637][ T4021]   ISV = 0, ISS = 0x00000004
[   45.321779][ T4021]   CM = 0, WnR = 0
[   45.322724][ T4021] [ab8002590000155c] address between user and kernel address ranges
[   45.324608][ T4021] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[   45.326401][ T4021] Modules linked in:
[   45.327389][ T4021] CPU: 1 PID: 4021 Comm: syz-executor282 Tainted: G B 5.15.178-syzkaller #0
[   45.329844][ T4021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[   45.332452][ T4021] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   45.334377][ T4021] pc : ax25_release+0x50c/0x82c
[   45.335567][ T4021] lr : ax25_release+0x504/0x82c
[   45.336839][ T4021] sp : ffff80001fe479f0
[   45.337892][ T4021] x29: ffff80001fe47a10 x28: dfff800000000000 x27: ffff0000cb269080
[   45.340019][ T4021] x26: ffff0000cb454028 x25: ffff0000cb454031 x24: 00000000ffffffff
[   45.342049][ T4021] x23: ab8002590000155c x22: ffff0000c11d3800 x21: ffff0000de33a418
[   45.344044][ T4021] x20: ffff0000cb269000 x19: 1fffe0001968a805 x18: 0000000000000000
[   45.346112][ T4021] x17: 0000000000000000 x16: ffff8000084c44a8 x15: 0000000000000004
[   45.348186][ T4021] x14: ffff0000c1b00000 x13: 0000000000ff0100 x12: 0000000000000001
[   45.350334][ T4021] x11: 0000000000000000 x10: 0000000000000000 x9 : ffff0000c1b00000
[   45.352276][ T4021] x8 : ffff800010dd0198 x7 : 0000000000000000 x6 : ffff8000083b965c
[   45.354329][ T4021] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff800010dd018c
[   45.356231][ T4021] x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000001
[   45.358185][ T4021] Call trace:
[   45.359027][ T4021]  ax25_release+0x50c/0x82c
[   45.360227][ T4021]  sock_close+0xb8/0x1fc
[   45.361276][ T4021]  __fput+0x1c4/0x800
[   45.362206][ T4021]  ____fput+0x20/0x30
[   45.363250][ T4021]  task_work_run+0x130/0x1e4
[   45.364406][ T4021]  do_exit+0x670/0x20bc
[   45.365410][ T4021]  do_group_exit+0x110/0x268
[   45.366565][ T4021]  __wake_up_parent+0x0/0x60
[   45.367703][ T4021]  invoke_syscall+0x98/0x2b8
[   45.368875][ T4021]  el0_svc_common+0x138/0x258
[   45.370079][ T4021]  do_el0_svc+0x58/0x14c
[   45.371135][ T4021]  el0_svc+0x7c/0x1f0
[   45.372141][ T4021]  el0t_64_sync_handler+0x84/0xe4
[   45.373406][ T4021]  el0t_64_sync+0x1a0/0x1a4
[   45.374547][ T4021] Code: d503201f 97c51913 52800038 4b1803f8 (b87802f8)
[   45.376350][ T4021] ---[ end trace 5836615c0ece5022 ]---
[   45.661768][ T4021] Kernel panic - not syncing: Oops: Fatal exception
[   45.663429][ T4021] SMP: stopping secondary CPUs
[   45.664611][ T4021] Kernel Offset: disabled
[   45.665597][ T4021] CPU features: 0x8,000081c1,21302e40
[   45.666933][ T4021] Memory Limit: none
[   45.938387][ T4021] Rebooting in 86400 seconds..
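The three stacks in the report above tell the whole story of the lifetime bug: the kmalloc-256 object was allocated in ax25_dev_device_up when task 4018 brought an interface up through ioctl, freed through kfree in ax25_release when task 4020's socket was closed at exit, and then read at offset 56 by task 4021 in ax25_fillin_cb during setsockopt. The shadow byte under the caret is 0xfb, and the register dump of the follow-on Oops still carries the same freed object address in x22, so ax25_release on the third socket dereferences it again before the machine panics. The triage script below is an added example, not part of the syzkaller output or of the kernel: it parses the KASAN report fields that matter (access, object, offset, shadow byte, and the first non-allocator frame of each stack) and checks that the computed offset agrees with the one the report prints. The shadow byte meanings are those of generic KASAN in mm/kasan/kasan.h for the 5.15 series; the REPORT string is a trimmed copy of the report above with most frames removed, and the frame filter and regexes are this example's own assumptions about the report layout.

```python
import re

# Generic-KASAN shadow byte values (mm/kasan/kasan.h in the 5.15 series).
SHADOW_BYTES = {
    0x00: "addressable",
    0xFA: "KASAN_KMALLOC_FREETRACK (freed object; free stack stored here)",
    0xFB: "KASAN_KMALLOC_FREE (freed kmalloc object)",
    0xFC: "KASAN_KMALLOC_REDZONE (kmalloc redzone)",
}

# Trimmed copy of the report above. Most frames are dropped; the KASAN and slab
# allocator frames are kept so that the frame filter below has something to skip.
REPORT = """\
[   45.187056][ T4021] BUG: KASAN: use-after-free in ax25_fillin_cb+0x39c/0x588
[   45.188883][ T4021] Read of size 4 at addr ffff0000c11d3838 by task syz-executor282/4021
[   45.196383][ T4021] Call trace:
[   45.197237][ T4021]  dump_backtrace+0x0/0x530
[   45.202053][ T4021]  kasan_report+0x174/0x1e4
[   45.203166][ T4021]  __asan_report_load4_noabort+0x44/0x50
[   45.204537][ T4021]  ax25_fillin_cb+0x39c/0x588
[   45.208355][ T4021]  __arm64_sys_setsockopt+0xb8/0xd4
[   45.222099][ T4021] Allocated by task 4018:
[   45.223175][ T4021]  ____kasan_kmalloc+0xbc/0xfc
[   45.225432][ T4021]  kmem_cache_alloc_trace+0x27c/0x47c
[   45.226787][ T4021]  ax25_dev_device_up+0x5c/0x548
[   45.238669][ T4021]  __arm64_sys_ioctl+0x14c/0x1c8
[   45.246032][ T4021] Freed by task 4020:
[   45.247041][ T4021]  kasan_set_track+0x4c/0x84
[   45.249493][ T4021]  ____kasan_slab_free+0x118/0x164
[   45.251951][ T4021]  slab_free_freelist_hook+0x128/0x1ec
[   45.253327][ T4021]  kfree+0x178/0x410
[   45.254269][ T4021]  ax25_release+0x57c/0x82c
[   45.270391][ T4021] The buggy address belongs to the object at ffff0000c11d3800
[   45.270391][ T4021]  which belongs to the cache kmalloc-256 of size 256
[   45.274013][ T4021] The buggy address is located 56 bytes inside of
[   45.297184][ T4021] >ffff0000c11d3800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")
# Frames from KASAN, the stack dumper or the slab allocator, skipped when looking
# for the subsystem frame that actually allocated, freed or used the object.
NOISE = ("kasan", "__asan_", "dump_", "kmem_cache_", "kmalloc", "kfree", "slab_free")

def owner_frame(frames):
    names = (f.split("+")[0].strip() for f in frames)
    return next((n for n in names if not any(t in n for t in NOISE)), None)

def syscall_of(frames):
    hits = (re.match(r"\s*__arm64_sys_(\w+)\+", f) for f in frames)
    return next((m.group(1) for m in hits if m), None)

def split_sections(lines):
    sections, current = {}, None
    for line in lines:
        if line == "Call trace:" or re.match(r"(Allocated|Freed) by task \d+:", line):
            current = line
            sections[current] = []
        elif current and line.startswith(" ") and "+0x" in line:
            sections[current].append(line)
    return sections

def parse_kasan_report(text):
    lines = [PREFIX.sub("", l) for l in text.splitlines()]
    info = {}
    for line in lines:
        if m := re.match(r"BUG: KASAN: ([\w-]+) in \w+\+0x", line):
            info["bug"] = m.group(1)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", line):
            info["access"], info["size"] = m.group(1), int(m.group(2))
            info["addr"], info["use_task"] = int(m.group(3), 16), int(m.group(4))
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            info["obj"] = int(m.group(1), 16)
        elif m := re.match(r"\s*which belongs to the cache (\S+) of size (\d+)", line):
            info["cache"], info["obj_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            info["reported_offset"] = int(m.group(1))
        elif m := re.match(r">([0-9a-f]+): ((?:[0-9a-f]{2} ?)+)", line):
            # One shadow byte covers an 8-byte granule; pick the granule of the faulting address.
            base, shadow = int(m.group(1), 16), [int(b, 16) for b in m.group(2).split()]
            info["shadow_byte"] = shadow[(info["addr"] - base) // 8]
    info["offset"] = info["addr"] - info["obj"]
    info["offset_consistent"] = info["offset"] == info["reported_offset"]
    info["shadow_meaning"] = SHADOW_BYTES.get(info["shadow_byte"], "unknown")
    for header, frames in split_sections(lines).items():
        if header == "Call trace:":
            tag = "use"
        else:
            m = re.match(r"(Allocated|Freed) by task (\d+):", header)
            tag = "alloc" if m.group(1) == "Allocated" else "free"
            info[tag + "_task"] = int(m.group(2))
        info[tag + "_frame"] = owner_frame(frames)
        info[tag + "_syscall"] = syscall_of(frames)
    return info

def summarize(info):
    return (f"{info['bug']}: {info['access'].lower()} of {info['size']} bytes at "
            f"{info['cache']}+{info['offset']} in {info['use_frame']} via {info['use_syscall']} "
            f"(task {info['use_task']}); allocated by {info['alloc_frame']} (task "
            f"{info['alloc_task']}); freed by {info['free_frame']} (task {info['free_task']}); "
            f"shadow 0x{info['shadow_byte']:02x} = {info['shadow_meaning']}")

if __name__ == "__main__":
    print(summarize(parse_kasan_report(REPORT)))
```

Running it on the excerpt gives the one-line summary a bug tracker wants: a 4-byte read at kmalloc-256+56 in ax25_fillin_cb, allocated by ax25_dev_device_up and freed by ax25_release, with the shadow byte 0xfb confirming the object had already gone back to the slab. The same parser runs unchanged on the full report, since the extra frames are either filtered as noise or left untouched by the frame selection.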