Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.109' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 76.288815][ T6528] sp0: Synchronizing with TNC
[ 76.376461][ T6528] ==================================================================
[ 76.384729][ T6528] BUG: KASAN: use-after-free in sixpack_close+0x236/0x270
[ 76.391891][ T6528] Read of size 8 at addr ffff8880788cac90 by task syz-executor090/6528
[ 76.400148][ T6528]
[ 76.402505][ T6528] CPU: 0 PID: 6528 Comm: syz-executor090 Not tainted 5.15.0-next-20211112-syzkaller #0
[ 76.412176][ T6528] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 76.422365][ T6528] Call Trace:
[ 76.425657][ T6528]
[ 76.428603][ T6528] dump_stack_lvl+0xcd/0x134
[ 76.433250][ T6528] print_address_description.constprop.0.cold+0x8d/0x320
[ 76.440299][ T6528] ? sixpack_close+0x236/0x270
[ 76.445092][ T6528] ? sixpack_close+0x236/0x270
[ 76.449878][ T6528] kasan_report.cold+0x83/0xdf
[ 76.454667][ T6528] ? sixpack_close+0x236/0x270
[ 76.459461][ T6528] sixpack_close+0x236/0x270
[ 76.464078][ T6528] ? sp_set_mac_address+0x3d0/0x3d0
[ 76.469297][ T6528] tty_ldisc_close+0x110/0x190
[ 76.474097][ T6528] tty_ldisc_kill+0x94/0x150
[ 76.478712][ T6528] tty_ldisc_release+0xe3/0x2a0
[ 76.483588][ T6528] tty_release_struct+0x20/0xe0
[ 76.488589][ T6528] tty_release+0xc70/0x1200
[ 76.493168][ T6528] __fput+0x286/0x9f0
[ 76.497169][ T6528] ? tty_release_struct+0xe0/0xe0
[ 76.502224][ T6528] task_work_run+0xdd/0x1a0
[ 76.506758][ T6528] do_exit+0xc14/0x2b40
[ 76.510946][ T6528] ? lock_downgrade+0x6e0/0x6e0
[ 76.515822][ T6528] ? lock_downgrade+0x6e0/0x6e0
[ 76.520706][ T6528] ? mm_update_next_owner+0x7a0/0x7a0
[ 76.526116][ T6528] do_group_exit+0x125/0x310
[ 76.530735][ T6528] __x64_sys_exit_group+0x3a/0x50
[ 76.535787][ T6528] do_syscall_64+0x35/0xb0
[ 76.540228][ T6528] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 76.546148][ T6528] RIP: 0033:0x7f6ba32c3f89
[ 76.550670][ T6528] Code: Unable to access opcode bytes at RIP 0x7f6ba32c3f5f.
[ 76.558042][ T6528] RSP: 002b:00007ffc56c579d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 76.566478][ T6528] RAX: ffffffffffffffda RBX: 00007f6ba3337330 RCX: 00007f6ba32c3f89
[ 76.574466][ T6528] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 76.582452][ T6528] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 76.590442][ T6528] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6ba3337330
[ 76.598430][ T6528] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 76.606441][ T6528]
[ 76.609471][ T6528]
[ 76.611907][ T6528] Allocated by task 6528:
[ 76.616228][ T6528] kasan_save_stack+0x1e/0x50
[ 76.620909][ T6528] __kasan_kmalloc+0xa9/0xd0
[ 76.625510][ T6528] kvmalloc_node+0x61/0x120
[ 76.630016][ T6528] alloc_netdev_mqs+0x98/0xec0
[ 76.634767][ T6528] sixpack_open+0xfa/0xa50
[ 76.639306][ T6528] tty_ldisc_open+0x9b/0x110
[ 76.643889][ T6528] tty_set_ldisc+0x2f1/0x680
[ 76.648465][ T6528] tty_ioctl+0xae0/0x1670
[ 76.652788][ T6528] __x64_sys_ioctl+0x193/0x200
[ 76.657548][ T6528] do_syscall_64+0x35/0xb0
[ 76.661977][ T6528] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 76.667962][ T6528]
[ 76.670275][ T6528] Freed by task 6528:
[ 76.674239][ T6528] kasan_save_stack+0x1e/0x50
[ 76.678906][ T6528] kasan_set_track+0x21/0x30
[ 76.683479][ T6528] kasan_set_free_info+0x20/0x30
[ 76.688630][ T6528] __kasan_slab_free+0xff/0x130
[ 76.693486][ T6528] slab_free_freelist_hook+0x8b/0x1c0
[ 76.698862][ T6528] kfree+0xf6/0x560
[ 76.702661][ T6528] kvfree+0x42/0x50
[ 76.706458][ T6528] device_release+0x9f/0x240
[ 76.711050][ T6528] kobject_put+0x1c8/0x540
[ 76.715455][ T6528] netdev_run_todo+0x75a/0xa80
[ 76.720206][ T6528] sixpack_close+0x184/0x270
[ 76.724782][ T6528] tty_ldisc_close+0x110/0x190
[ 76.729544][ T6528] tty_ldisc_kill+0x94/0x150
[ 76.734119][ T6528] tty_ldisc_release+0xe3/0x2a0
[ 76.738960][ T6528] tty_release_struct+0x20/0xe0
[ 76.743796][ T6528] tty_release+0xc70/0x1200
[ 76.748280][ T6528] __fput+0x286/0x9f0
[ 76.753561][ T6528] task_work_run+0xdd/0x1a0
[ 76.758050][ T6528] do_exit+0xc14/0x2b40
[ 76.762203][ T6528] do_group_exit+0x125/0x310
[ 76.766790][ T6528] __x64_sys_exit_group+0x3a/0x50
[ 76.771801][ T6528] do_syscall_64+0x35/0xb0
[ 76.776200][ T6528] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 76.782081][ T6528]
[ 76.784389][ T6528] The buggy address belongs to the object at ffff8880788ca000
[ 76.784389][ T6528] which belongs to the cache kmalloc-cg-4k of size 4096
[ 76.798782][ T6528] The buggy address is located 3216 bytes inside of
[ 76.798782][ T6528] 4096-byte region [ffff8880788ca000, ffff8880788cb000)
[ 76.812232][ T6528] The buggy address belongs to the page:
[ 76.817864][ T6528] page:ffffea0001e23200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x788c8
[ 76.827999][ T6528] head:ffffea0001e23200 order:3 compound_mapcount:0 compound_pincount:0
[ 76.836302][ T6528] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 76.844277][ T6528] raw: 00fff00000010200 ffffea0001e28a00 dead000000000003 ffff888010c4c280
[ 76.852855][ T6528] raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
[ 76.861431][ T6528] page dumped because: kasan: bad access detected
[ 76.867909][ T6528] page_owner tracks the page as allocated
[ 76.873604][ T6528] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2965, ts 23164777597, free_ts 18335335301
[ 76.892692][ T6528] get_page_from_freelist+0xa72/0x2f50
[ 76.898152][ T6528] __alloc_pages+0x1b2/0x500
[ 76.902745][ T6528] alloc_pages+0x1a7/0x300
[ 76.907165][ T6528] new_slab+0x32d/0x4a0
[ 76.911312][ T6528] ___slab_alloc+0x918/0xfe0
[ 76.915887][ T6528] __slab_alloc.constprop.0+0x4d/0xa0
[ 76.921260][ T6528] __kmalloc_node+0x2cb/0x390
[ 76.925947][ T6528] kvmalloc_node+0x61/0x120
[ 76.930464][ T6528] seq_read_iter+0x7e7/0x1240
[ 76.935201][ T6528] kernfs_fop_read_iter+0x44f/0x5f0
[ 76.940677][ T6528] new_sync_read+0x421/0x6e0
[ 76.945281][ T6528] vfs_read+0x35c/0x600
[ 76.949447][ T6528] ksys_read+0x12d/0x250
[ 76.953681][ T6528] do_syscall_64+0x35/0xb0
[ 76.958087][ T6528] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 76.963968][ T6528] page last free stack trace:
[ 76.968619][ T6528] free_pcp_prepare+0x374/0x870
[ 76.973455][ T6528] free_unref_page+0x19/0x690
[ 76.978118][ T6528] free_contig_range+0xa8/0xf0
[ 76.982870][ T6528] destroy_args+0xa8/0x646
[ 76.987267][ T6528] debug_vm_pgtable+0x2984/0x2a16
[ 76.992391][ T6528] do_one_initcall+0x103/0x650
[ 76.997158][ T6528] kernel_init_freeable+0x6b1/0x73a
[ 77.002360][ T6528] kernel_init+0x1a/0x1d0
[ 77.006739][ T6528] ret_from_fork+0x1f/0x30
[ 77.011146][ T6528]
[ 77.013459][ T6528] Memory state around the buggy address:
[ 77.019085][ T6528] ffff8880788cab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.027159][ T6528] ffff8880788cac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.035233][ T6528] >ffff8880788cac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.043298][ T6528] ^
[ 77.047872][ T6528] ffff8880788cad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.056032][ T6528] ffff8880788cad80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.064135][ T6528] ==================================================================
[ 77.072180][ T6528] Disabling lock debugging due to kernel taint
[ 77.078465][ T6528] Kernel panic - not syncing: panic_on_warn set ...
[ 77.085050][ T6528] CPU: 0 PID: 6528 Comm: syz-executor090 Tainted: G B 5.15.0-next-20211112-syzkaller #0
[ 77.096071][ T6528] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 77.106122][ T6528] Call Trace:
[ 77.109394][ T6528]
[ 77.112318][ T6528] dump_stack_lvl+0xcd/0x134
[ 77.116912][ T6528] panic+0x2b0/0x6dd
[ 77.120806][ T6528] ? __warn_printk+0xf3/0xf3
[ 77.125399][ T6528] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 77.131640][ T6528] ? trace_hardirqs_on+0x38/0x1c0
[ 77.136668][ T6528] ? trace_hardirqs_on+0x51/0x1c0
[ 77.141694][ T6528] ? sixpack_close+0x236/0x270
[ 77.146455][ T6528] ? sixpack_close+0x236/0x270
[ 77.151215][ T6528] end_report.cold+0x63/0x6f
[ 77.155801][ T6528] kasan_report.cold+0x71/0xdf
[ 77.160562][ T6528] ? sixpack_close+0x236/0x270
[ 77.165422][ T6528] sixpack_close+0x236/0x270
[ 77.170118][ T6528] ? sp_set_mac_address+0x3d0/0x3d0
[ 77.175337][ T6528] tty_ldisc_close+0x110/0x190
[ 77.180103][ T6528] tty_ldisc_kill+0x94/0x150
[ 77.184695][ T6528] tty_ldisc_release+0xe3/0x2a0
[ 77.189545][ T6528] tty_release_struct+0x20/0xe0
[ 77.194408][ T6528] tty_release+0xc70/0x1200
[ 77.198906][ T6528] __fput+0x286/0x9f0
[ 77.202885][ T6528] ? tty_release_struct+0xe0/0xe0
[ 77.207962][ T6528] task_work_run+0xdd/0x1a0
[ 77.212465][ T6528] do_exit+0xc14/0x2b40
[ 77.216636][ T6528] ? lock_downgrade+0x6e0/0x6e0
[ 77.221490][ T6528] ? lock_downgrade+0x6e0/0x6e0
[ 77.226354][ T6528] ? mm_update_next_owner+0x7a0/0x7a0
[ 77.231732][ T6528] do_group_exit+0x125/0x310
[ 77.236327][ T6528] __x64_sys_exit_group+0x3a/0x50
[ 77.241353][ T6528] do_syscall_64+0x35/0xb0
[ 77.245767][ T6528] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 77.251663][ T6528] RIP: 0033:0x7f6ba32c3f89
[ 77.256078][ T6528] Code: Unable to access opcode bytes at RIP 0x7f6ba32c3f5f.
[ 77.263464][ T6528] RSP: 002b:00007ffc56c579d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 77.271878][ T6528] RAX: ffffffffffffffda RBX: 00007f6ba3337330 RCX: 00007f6ba32c3f89
[ 77.279845][ T6528] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 77.287805][ T6528] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 77.295766][ T6528] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6ba3337330
[ 77.303731][ T6528] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 77.311875][ T6528]
[ 77.314940][ T6528] Kernel Offset: disabled
[ 77.319288][ T6528] Rebooting in 86400 seconds..