Starting Permit User Sessions...
         Starting OpenBSD Secure Shell server...
[  OK  ] Started Permit User Sessions.
[  OK  ] Started Getty on tty6.
[  OK  ] Started Getty on tty2.
[  OK  ] Started Getty on tty5.
[  OK  ] Started Getty on tty4.
[  OK  ] Started Getty on tty3.
[  OK  ] Started Getty on tty1.
[  OK  ] Started OpenBSD Secure Shell server.
Warning: Permanently added '10.128.0.70' (ECDSA) to the list of known hosts.
executing program
[*     ] A start job is running for dev-ttyS0.device (8s / 1min 30s)[**    ] A start job is running for dev-ttyS0.device (9s / 1min 30s)[***   ] A start job is running for dev-ttyS0.device (9s / 1min 30s)[ ***  ] A start job is running for dev-ttyS0.device (10s / 1min 30s)[  *** ] A start job is running for dev-ttyS0.device (11s / 1min 30s)[   ***] A start job is running for dev-ttyS0.device (11s / 1min 30s)[   19.618714][   T22] audit: type=1400 audit(1628065872.747:8): avc:  denied  { execmem } for  pid=336 comm="syz-executor523" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   19.657073][  T337] ==================================================================
[   19.665176][  T337] BUG: KASAN: use-after-free in filp_close+0x31/0x140
[   19.665183][  T337] Read of size 8 at addr ffff8881e5def3b8 by task syz-executor523/337
[   19.665191][  T337] 
[   19.682340][  T337] CPU: 0 PID: 337 Comm: syz-executor523 Not tainted 5.4.125-syzkaller-00012-ge7e1f9adf836 #0
[   19.692464][  T337] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   19.702505][  T337] Call Trace:
[   19.705800][  T337]  dump_stack+0x1d8/0x24e
[   19.710112][  T337]  ? show_regs_print_info+0x12/0x12
[   19.715303][  T337]  ? printk+0xcf/0x114
[   19.719698][  T337]  print_address_description+0x9b/0x650
[   19.725229][  T337]  ? devkmsg_release+0x11c/0x11c
[   19.730147][  T337]  __kasan_report+0x182/0x260
[[   19.734805][  T337]  ? filp_close+0x31/0x140
[   19.739281][  T337]  kasan_report+0x30/0x60
    *[0;[   19.743601][  T337]  check_memory_region+0x2a5/0x2e0
[   19.750077][  T337]  filp_close+0x31/0x140
[   19.754303][  T337]  __x64_sys_close+0x62/0xc0
1;31m*] [   19.758877][  T337]  do_syscall_64+0xcb/0x1e0
[   19.764396][  T337]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   19.770267][  T337] RIP: 0033:0x4021c3
A start job is r[   19.774166][  T337] Code: c7 c2 c0 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb ba 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8
[   19.795124][  T337] RSP: 002b:00007ffd256a6858 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[   19.803531][  T337] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00000000004021c3
unning for dev-t[   19.811492][  T337] RDX: 00000000200000c0 RSI: 0000000000000005 RDI: 0000000000000005
[   19.820819][  T337] RBP: 00007ffd256a6868 R08: 0000000000000006 R09: 00000000004aa000
[   19.828780][  T337] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd256a6870
[   19.836751][  T337] R13: 0000000000000000 R14: 00000000004ad018 R15: 0000000000400488
tyS0.device (12s[   19.844701][  T337] 
[   19.848386][  T337] Allocated by task 337:
 / 1min 30s)[   19.852613][  T337]  __kasan_kmalloc+0x137/0x1e0
[   19.858372][  T337]  kmem_cache_alloc+0x115/0x290
[   19.863199][  T337]  __alloc_file+0x26/0x380
[   19.867591][  T337]  alloc_empty_file+0xa9/0x1b0
[   19.872347][  T337]  alloc_file+0x57/0x4d0
[   19.876564][  T337]  alloc_file_pseudo+0x272/0x300
[   19.881467][  T337]  create_pipe_files+0x2de/0x620
[   19.886377][  T337]  __do_pipe_flags+0x46/0x200
[   19.891026][  T337]  do_pipe2+0xd0/0x300
[   19.895065][  T337]  __x64_sys_pipe2+0x56/0x60
[   19.899628][  T337]  do_syscall_64+0xcb/0x1e0
[   19.904099][  T337]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   19.909951][  T337] 
[   19.912252][  T337] Freed by task 337:
[   19.916116][  T337]  __kasan_slab_free+0x18a/0x240
[   19.921021][  T337]  slab_free_freelist_hook+0x7b/0x150
[   19.926361][  T337]  kfree+0xe0/0x660
[   19.930137][  T337]  put_fs_context+0x57c/0x690
[   19.934825][  T337]  fscontext_release+0x61/0x80
[   19.939557][  T337]  __fput+0x27d/0x6c0
[   19.943520][  T337]  task_work_run+0x186/0x1b0
[   19.948074][  T337]  prepare_exit_to_usermode+0x2b0/0x310
[   19.953584][  T337]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   19.959440][  T337] 
[   19.961737][  T337] The buggy address belongs to the object at ffff8881e5def380
[   19.961737][  T337]  which belongs to the cache filp of size 280
[   19.975148][  T337] The buggy address is located 56 bytes inside of
[   19.975148][  T337]  280-byte region [ffff8881e5def380, ffff8881e5def498)
[   19.988305][  T337] The buggy address belongs to the page:
[   19.993904][  T337] page:ffffea0007977b80 refcount:1 mapcount:0 mapping:ffff8881f5cfa000 index:0x0 compound_mapcount: 0
[   20.004791][  T337] flags: 0x8000000000010200(slab|head)
[   20.010229][  T337] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cfa000
[   20.018779][  T337] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[   20.027336][  T337] page dumped because: kasan: bad access detected
[   20.033711][  T337] page_owner tracks the page as allocated
[   20.039411][  T337] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC)
[   20.054386][  T337]  prep_new_page+0x19a/0x380
[   20.058939][  T337]  get_page_from_freelist+0x550/0x8b0
[   20.064275][  T337]  __alloc_pages_nodemask+0x3a2/0x880
[   20.069613][  T337]  alloc_slab_page+0x39/0x3e0
[   20.074254][  T337]  new_slab+0x97/0x460
[   20.078290][  T337]  ___slab_alloc+0x330/0x4c0
[   20.082845][  T337]  kmem_cache_alloc+0x18b/0x290
[   20.087659][  T337]  __alloc_file+0x26/0x380
[   20.092052][  T337]  alloc_empty_file+0xa9/0x1b0
[   20.096786][  T337]  path_openat+0x125/0x3da0
[   20.101255][  T337]  do_filp_open+0x208/0x450
[   20.105728][  T337]  do_sys_open+0x383/0x7c0
[   20.110114][  T337]  do_syscall_64+0xcb/0x1e0
[   20.114582][  T337]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   20.120434][  T337] page last free stack trace:
[   20.125080][  T337]  __free_pages_ok+0xc60/0xd80
[   20.129820][  T337]  __free_pages+0x8f/0x250
[   20.134206][  T337]  __free_slab+0x237/0x2f0
[   20.138593][  T337]  unfreeze_partials+0x14f/0x180
[   20.143502][  T337]  put_cpu_partial+0xb5/0x150
[   20.148322][  T337]  ___cache_free+0x352/0x4e0
[   20.152881][  T337]  quarantine_reduce+0x17a/0x1e0
[   20.157789][  T337]  __kasan_kmalloc+0x43/0x1e0
[   20.162434][  T337]  __kmalloc+0x140/0x2f0
[   20.166644][  T337]  tty_write+0x304/0x880
[   20.170866][  T337]  __vfs_write+0x103/0x780
[   20.175246][  T337]  vfs_write+0x212/0x4e0
[   20.179455][  T337]  ksys_write+0x186/0x2b0
[   20.183750][  T337]  do_syscall_64+0xcb/0x1e0
[   20.188226][  T337]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   20.194080][  T337] 
[   20.196373][  T337] Memory state around the buggy address:
[   20.201970][  T337]  ffff8881e5def280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   20.210000][  T337]  ffff8881e5def300: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.218044][  T337] >ffff8881e5def38