Warning: Permanently added '10.128.1.112' (ED25519) to the list of known hosts.
2023/07/31 21:41:57 ignoring optional flag "sandboxArg"="0"
2023/07/31 21:41:57 parsed 1 programs
2023/07/31 21:41:57 executed programs: 0
[   52.409835][ T2285] ==================================================================
[   52.418279][ T2285] BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x6ab/0x730
[   52.426082][ T2285] Read of size 4 at addr ffff88800ffa000c by task syz-executor.0/2285
[   52.434415][ T2285]
[   52.436843][ T2285] CPU: 0 PID: 2285 Comm: syz-executor.0 Not tainted 6.5.0-rc4-syzkaller #0
[   52.445511][ T2285] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
[   52.456252][ T2285] Call Trace:
[   52.459633][ T2285]
[   52.462753][ T2285]  dump_stack_lvl+0x3d/0x60
[   52.467632][ T2285]  print_report+0xc4/0x620
[   52.472231][ T2285]  kasan_report+0xda/0x110
[   52.477160][ T2285]  ? gsm_cleanup_mux+0x6ab/0x730
[   52.482541][ T2285]  ? gsm_cleanup_mux+0x6ab/0x730
[   52.487642][ T2285]  gsm_cleanup_mux+0x6ab/0x730
[   52.492411][ T2285]  ? gsm_dlci_begin_close+0x210/0x210
[   52.498766][ T2285]  ? apparmor_capable+0x144/0x460
[   52.503871][ T2285]  ? apparmor_sb_pivotroot+0x2c0/0x2c0
[   52.509342][ T2285]  gsmld_ioctl+0x414/0x15c0
[   52.514461][ T2285]  ? lock_acquire+0x12a/0x2b0
[   52.519310][ T2285]  ? gsm_dlci_config.part.0+0x1010/0x1010
[   52.525383][ T2285]  ? __ldsem_down_read_nested+0xb8/0x6e0
[   52.531330][ T2285]  ? tty_ldisc_ref_wait+0x23/0x80
[   52.536644][ T2285]  ? tomoyo_execute_permission+0x450/0x450
[   52.542969][ T2285]  tty_ioctl+0x5c1/0x11a0
[   52.547321][ T2285]  ? send_break+0x370/0x370
[   52.552181][ T2285]  ? reacquire_held_locks+0x380/0x380
[   52.557837][ T2285]  ? lock_acquire+0x12a/0x2b0
[   52.562783][ T2285]  ? __fget_files+0x1b7/0x2d0
[   52.567478][ T2285]  __x64_sys_ioctl+0x12b/0x1a0
[   52.572339][ T2285]  do_syscall_64+0x38/0x80
[   52.577527][ T2285]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   52.583633][ T2285] RIP: 0033:0x7f660027c859
[   52.588047][ T2285] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[   52.608358][ T2285] RSP: 002b:00007f6600f670c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   52.621108][ T2285] RAX: ffffffffffffffda RBX: 00007f660039c050 RCX: 00007f660027c859
[   52.629697][ T2285] RDX: 0000000020000040 RSI: 00000000404c4701 RDI: 0000000000000005
[   52.638195][ T2285] RBP: 00007f66002d8ad0 R08: 0000000000000000 R09: 0000000000000000
[   52.646947][ T2285] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   52.656133][ T2285] R13: 000000000000006e R14: 00007f660039c050 R15: 00007ffc4e757e38
[   52.664368][ T2285]
[   52.667389][ T2285]
[   52.669799][ T2285] Allocated by task 2279:
[   52.674421][ T2285]  kasan_save_stack+0x33/0x50
[   52.679280][ T2285]  kasan_set_track+0x25/0x30
[   52.684489][ T2285]  __kasan_kmalloc+0xa2/0xb0
[   52.689789][ T2285]  gsm_dlci_alloc+0x45/0x750
[   52.694406][ T2285]  gsmld_ioctl+0xdf9/0x15c0
[   52.698916][ T2285]  tty_ioctl+0x5c1/0x11a0
[   52.703255][ T2285]  __x64_sys_ioctl+0x12b/0x1a0
[   52.708014][ T2285]  do_syscall_64+0x38/0x80
[   52.712572][ T2285]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   52.718458][ T2285]
[   52.721031][ T2285] Freed by task 2279:
[   52.725192][ T2285]  kasan_save_stack+0x33/0x50
[   52.730149][ T2285]  kasan_set_track+0x25/0x30
[   52.735009][ T2285]  kasan_save_free_info+0x2b/0x40
[   52.740038][ T2285]  ____kasan_slab_free+0x15e/0x1b0
[   52.745409][ T2285]  slab_free_freelist_hook+0x10b/0x1e0
[   52.751113][ T2285]  __kmem_cache_free+0xba/0x340
[   52.755966][ T2285]  gsm_cleanup_mux+0x2a9/0x730
[   52.761159][ T2285]  gsmld_ioctl+0x414/0x15c0
[   52.765807][ T2285]  tty_ioctl+0x5c1/0x11a0
[   52.770323][ T2285]  __x64_sys_ioctl+0x12b/0x1a0
[   52.775975][ T2285]  do_syscall_64+0x38/0x80
[   52.780655][ T2285]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   52.787527][ T2285]
[   52.790016][ T2285] The buggy address belongs to the object at ffff88800ffa0000
[   52.790016][ T2285]  which belongs to the cache kmalloc-2k of size 2048
[   52.807188][ T2285] The buggy address is located 12 bytes inside of
[   52.807188][ T2285]  freed 2048-byte region [ffff88800ffa0000, ffff88800ffa0800)
[   52.823533][ T2285]
[   52.828232][ T2285] The buggy address belongs to the physical page:
[   52.836199][ T2285] page:ffffea00003fe800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xffa0
[   52.846330][ T2285] head:ffffea00003fe800 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   52.856591][ T2285] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[   52.867163][ T2285] page_type: 0xffffffff()
[   52.872532][ T2285] raw: 00fff00000010200 ffff888008c42000 dead000000000100 dead000000000122
[   52.881549][ T2285] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[   52.890392][ T2285] page dumped because: kasan: bad access detected
[   52.897162][ T2285] page_owner tracks the page as allocated
[   52.903133][ T2285] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 27, tgid 27 (kworker/u4:2), ts 4108010488, free_ts 0
[   52.923564][ T2285]  post_alloc_hook+0x281/0x2f0
[   52.928489][ T2285]  get_page_from_freelist+0xfcb/0x31e0
[   52.937253][ T2285]  __alloc_pages+0x1d0/0x470
[   52.942001][ T2285]  allocate_slab+0x24e/0x360
[   52.946574][ T2285]  ___slab_alloc+0x7a7/0x1000
[   52.951584][ T2285]  __slab_alloc.constprop.0+0x4d/0x90
[   52.957216][ T2285]  __kmem_cache_alloc_node+0x143/0x390
[   52.963714][ T2285]  __kmalloc+0x4c/0x160
[   52.968304][ T2285]  scsi_alloc_target+0x115/0xad0
[   52.973763][ T2285]  __scsi_scan_target+0x122/0xb60
[   52.979223][ T2285]  scsi_scan_channel+0xf0/0x190
[   52.984769][ T2285]  scsi_scan_host_selected+0x1f7/0x2d0
[   52.990310][ T2285]  do_scan_async+0x3d/0x480
[   52.995067][ T2285]  async_run_entry_fn+0x92/0x4f0
[   53.000971][ T2285]  process_one_work+0x922/0x1370
[   53.006601][ T2285]  worker_thread+0xfb/0xe40
[   53.011586][ T2285] page_owner free stack trace missing
[   53.017475][ T2285]
[   53.020250][ T2285] Memory state around the buggy address:
[   53.026496][ T2285]  ffff88800ff9ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.034910][ T2285]  ffff88800ff9ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.043670][ T2285] >ffff88800ffa0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.053036][ T2285]                       ^
[   53.057543][ T2285]  ffff88800ffa0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.066433][ T2285]  ffff88800ffa0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.075997][ T2285] ==================================================================
[   53.088881][ T2285] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   53.096448][ T2285] Kernel Offset: disabled
[   53.100785][ T2285] Rebooting in 86400 seconds..