Warning: Permanently added '10.128.0.35' (ECDSA) to the list of known hosts.
executing program
[   50.498189][ T3507] ==================================================================
[   50.506418][ T3507] BUG: KASAN: use-after-free in gsm_cleanup_mux+0x76a/0x850
[   50.513751][ T3507] Read of size 4 at addr ffff88814b40700c by task syz-executor192/3507
[   50.522007][ T3507] 
[   50.524343][ T3507] CPU: 1 PID: 3507 Comm: syz-executor192 Not tainted 5.15.118-syzkaller #0
[   50.532936][ T3507] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
[   50.542993][ T3507] Call Trace:
[   50.546282][ T3507]  <TASK>
[   50.549227][ T3507]  dump_stack_lvl+0x1e3/0x2cb
[   50.553933][ T3507]  ? io_uring_drop_tctx_refs+0x19d/0x19d
[   50.559587][ T3507]  ? _printk+0xd1/0x111
[   50.563769][ T3507]  ? __wake_up_klogd+0xcc/0x100
[   50.568650][ T3507]  ? panic+0x84d/0x84d
[   50.572737][ T3507]  ? _raw_spin_lock_irqsave+0xdd/0x120
[   50.578321][ T3507]  print_address_description+0x63/0x3b0
[   50.583898][ T3507]  ? gsm_cleanup_mux+0x76a/0x850
[   50.588860][ T3507]  kasan_report+0x16b/0x1c0
[   50.593388][ T3507]  ? gsm_cleanup_mux+0x76a/0x850
[   50.598354][ T3507]  gsm_cleanup_mux+0x76a/0x850
[   50.603143][ T3507]  ? gsm_control_transmit+0x3b0/0x3b0
[   50.608543][ T3507]  ? __might_fault+0xb4/0x110
[   50.613255][ T3507]  gsmld_ioctl+0xaae/0x15b0
[   50.617811][ T3507]  ? gsmld_write+0x120/0x120
[   50.622436][ T3507]  ? tty_ldisc_ref_wait+0x21/0x70
[   50.627483][ T3507]  ? ldsem_down_read+0xb2/0xe0
[   50.632279][ T3507]  ? gsmld_write+0x120/0x120
[   50.636884][ T3507]  tty_ioctl+0x8ff/0xc50
[   50.641143][ T3507]  ? bpf_lsm_file_ioctl+0x5/0x10
[   50.646102][ T3507]  ? tty_get_icount+0xa0/0xa0
[   50.650887][ T3507]  __se_sys_ioctl+0xf1/0x160
[   50.655504][ T3507]  do_syscall_64+0x3d/0xb0
[   50.659943][ T3507]  entry_SYSCALL_64_after_hwframe+0x61/0xcb
[   50.665857][ T3507] RIP: 0033:0x7f5d05d7ac69
[   50.670295][ T3507] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   50.690030][ T3507] RSP: 002b:00007f5d05d0b318 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   50.698467][ T3507] RAX: ffffffffffffffda RBX: 00007f5d05e024d8 RCX: 00007f5d05d7ac69
[   50.706458][ T3507] RDX: 0000000020000040 RSI: 00000000404c4701 RDI: 0000000000000004
[   50.714448][ T3507] RBP: 00007f5d05e024d0 R08: 00007f5d05d0b700 R09: 0000000000000000
[   50.722527][ T3507] R10: 00007f5d05d0b700 R11: 0000000000000246 R12: 00007f5d05dd008c
[   50.730518][ T3507] R13: 00007ffda9f25b2f R14: 00007f5d05d0b400 R15: 0000000000022000
[   50.738528][ T3507]  </TASK>
[   50.741601][ T3507] 
[   50.743933][ T3507] Allocated by task 3501:
[   50.748270][ T3507]  ____kasan_kmalloc+0xba/0xf0
[   50.753064][ T3507]  kmem_cache_alloc_trace+0x143/0x290
[   50.758455][ T3507]  gsm_dlci_alloc+0x53/0x3a0
[   50.763085][ T3507]  gsm_activate_mux+0x1c/0x330
[   50.767867][ T3507]  gsmld_ioctl+0xd46/0x15b0
[   50.772386][ T3507]  tty_ioctl+0x8ff/0xc50
[   50.776642][ T3507]  __se_sys_ioctl+0xf1/0x160
[   50.781249][ T3507]  do_syscall_64+0x3d/0xb0
[   50.785686][ T3507]  entry_SYSCALL_64_after_hwframe+0x61/0xcb
[   50.791603][ T3507] 
[   50.793936][ T3507] Freed by task 3501:
[   50.797923][ T3507]  kasan_set_track+0x4b/0x80
[   50.802530][ T3507]  kasan_set_free_info+0x1f/0x40
[   50.807489][ T3507]  ____kasan_slab_free+0xd8/0x120
[   50.812534][ T3507]  slab_free_freelist_hook+0xdd/0x160
[   50.817925][ T3507]  kfree+0xf1/0x270
[   50.821775][ T3507]  gsm_cleanup_mux+0x574/0x850
[   50.826537][ T3507]  gsmld_ioctl+0xaae/0x15b0
[   50.831032][ T3507]  tty_ioctl+0x8ff/0xc50
[   50.835263][ T3507]  __se_sys_ioctl+0xf1/0x160
[   50.840023][ T3507]  do_syscall_64+0x3d/0xb0
[   50.844431][ T3507]  entry_SYSCALL_64_after_hwframe+0x61/0xcb
[   50.850424][ T3507] 
[   50.852736][ T3507] The buggy address belongs to the object at ffff88814b407000
[   50.852736][ T3507]  which belongs to the cache kmalloc-2k of size 2048
[   50.866777][ T3507] The buggy address is located 12 bytes inside of
[   50.866777][ T3507]  2048-byte region [ffff88814b407000, ffff88814b407800)
[   50.880044][ T3507] The buggy address belongs to the page:
[   50.885660][ T3507] page:ffffea00052d0000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14b400
[   50.895884][ T3507] head:ffffea00052d0000 order:3 compound_mapcount:0 compound_pincount:0
[   50.904197][ T3507] flags: 0x57ff00000010200(slab|head|node=1|zone=2|lastcpupid=0x7ff)
[   50.912264][ T3507] raw: 057ff00000010200 dead000000000100 dead000000000122 ffff888011c42000
[   50.920848][ T3507] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[   50.929414][ T3507] page dumped because: kasan: bad access detected
[   50.935813][ T3507] page_owner tracks the page as allocated
[   50.941512][ T3507] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, ts 11595371377, free_ts 0
[   50.959643][ T3507]  get_page_from_freelist+0x322a/0x33c0
[   50.965188][ T3507]  __alloc_pages+0x272/0x700
[   50.969773][ T3507]  alloc_page_interleave+0x22/0x1c0
[   50.974971][ T3507]  new_slab+0xbb/0x4b0
[   50.979030][ T3507]  ___slab_alloc+0x6f6/0xe10
[   50.983608][ T3507]  __kmalloc_node_track_caller+0x1f6/0x390
[   50.989405][ T3507]  __alloc_skb+0x12c/0x590
[   50.993901][ T3507]  rtmsg_ifinfo_build_skb+0x81/0x180
[   50.999186][ T3507]  rtmsg_ifinfo+0x71/0x120
[   51.003608][ T3507]  register_netdevice+0x13ae/0x1700
[   51.008890][ T3507]  register_netdev+0x37/0x50
[   51.013476][ T3507]  nr_proto_init+0x16f/0x822
[   51.018063][ T3507]  do_one_initcall+0x22b/0x7a0
[   51.022821][ T3507]  do_initcall_level+0x157/0x207
[   51.027875][ T3507]  do_initcalls+0x49/0x86
[   51.032295][ T3507]  kernel_init_freeable+0x43c/0x5c5
[   51.037498][ T3507] page_owner free stack trace missing
[   51.042852][ T3507] 
[   51.045169][ T3507] Memory state around the buggy address:
[   51.050785][ T3507]  ffff88814b406f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   51.058842][ T3507]  ffff88814b406f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   51.066900][ T3507] >ffff88814b407000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.075383][ T3507]                       ^
[   51.079697][ T3507]  ffff88814b407080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.087837][ T3507]  ffff88814b407100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.095886][ T3507] ==================================================================
[   51.103933][ T3507] Disabling lock debugging due to kernel taint
[   51.113128][ T3507] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   51.120336][ T3507] CPU: 1 PID: 3507 Comm: syz-executor192 Tainted: G    B             5.15.118-syzkaller #0
[   51.130302][ T3507] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
[   51.140344][ T3507] Call Trace:
[   51.143610][ T3507]  <TASK>
[   51.146671][ T3507]  dump_stack_lvl+0x1e3/0x2cb
[   51.151340][ T3507]  ? io_uring_drop_tctx_refs+0x19d/0x19d
[   51.157058][ T3507]  ? panic+0x84d/0x84d
[   51.161116][ T3507]  ? rcu_is_watching+0x11/0xa0
[   51.165866][ T3507]  ? preempt_schedule_common+0xa6/0xd0
[   51.171315][ T3507]  panic+0x318/0x84d
[   51.175199][ T3507]  ? asm_sysvec_apic_timer_interrupt+0x16/0x20
[   51.181346][ T3507]  ? check_panic_on_warn+0x1d/0xa0
[   51.186444][ T3507]  ? fb_is_primary_device+0xcc/0xcc
[   51.191632][ T3507]  ? _raw_spin_unlock_irqrestore+0x128/0x130
[   51.197598][ T3507]  ? _raw_spin_unlock+0x40/0x40
[   51.202438][ T3507]  check_panic_on_warn+0x7e/0xa0
[   51.207363][ T3507]  ? gsm_cleanup_mux+0x76a/0x850
[   51.212290][ T3507]  end_report+0x6d/0xf0
[   51.216437][ T3507]  kasan_report+0x18e/0x1c0
[   51.220942][ T3507]  ? gsm_cleanup_mux+0x76a/0x850
[   51.225875][ T3507]  gsm_cleanup_mux+0x76a/0x850
[   51.230628][ T3507]  ? gsm_control_transmit+0x3b0/0x3b0
[   51.235993][ T3507]  ? __might_fault+0xb4/0x110
[   51.240668][ T3507]  gsmld_ioctl+0xaae/0x15b0
[   51.245167][ T3507]  ? gsmld_write+0x120/0x120
[   51.249745][ T3507]  ? tty_ldisc_ref_wait+0x21/0x70
[   51.254758][ T3507]  ? ldsem_down_read+0xb2/0xe0
[   51.259513][ T3507]  ? gsmld_write+0x120/0x120
[   51.264088][ T3507]  tty_ioctl+0x8ff/0xc50
[   51.268316][ T3507]  ? bpf_lsm_file_ioctl+0x5/0x10
[   51.273242][ T3507]  ? tty_get_icount+0xa0/0xa0
[   51.277904][ T3507]  __se_sys_ioctl+0xf1/0x160
[   51.282482][ T3507]  do_syscall_64+0x3d/0xb0
[   51.286886][ T3507]  entry_SYSCALL_64_after_hwframe+0x61/0xcb
[   51.292765][ T3507] RIP: 0033:0x7f5d05d7ac69
[   51.297172][ T3507] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   51.316765][ T3507] RSP: 002b:00007f5d05d0b318 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   51.325256][ T3507] RAX: ffffffffffffffda RBX: 00007f5d05e024d8 RCX: 00007f5d05d7ac69
[   51.333219][ T3507] RDX: 0000000020000040 RSI: 00000000404c4701 RDI: 0000000000000004
[   51.341264][ T3507] RBP: 00007f5d05e024d0 R08: 00007f5d05d0b700 R09: 0000000000000000
[   51.349222][ T3507] R10: 00007f5d05d0b700 R11: 0000000000000246 R12: 00007f5d05dd008c
[   51.357178][ T3507] R13: 00007ffda9f25b2f R14: 00007f5d05d0b400 R15: 0000000000022000
[   51.365141][ T3507]  </TASK>
[   51.368351][ T3507] Kernel Offset: disabled
[   51.372667][ T3507] Rebooting in 86400 seconds..