Warning: Permanently added '10.128.1.143' (ED25519) to the list of known hosts.
2023/09/25 11:03:25 ignoring optional flag "sandboxArg"="0"
2023/09/25 11:03:25 parsed 1 programs
2023/09/25 11:03:25 executed programs: 0
[ 44.949234][ T1633] ==================================================================
[ 44.949240][ T1633] BUG: KASAN: use-after-free in gsm_cleanup_mux+0x5c7/0x5f0
[ 44.949252][ T1633] Read of size 4 at addr ffff88800f27400c by task syz-executor.0/1633
[ 44.949257][ T1633]
[ 44.949260][ T1633] CPU: 1 PID: 1633 Comm: syz-executor.0 Not tainted 5.19.0-rc3-syzkaller #0
[ 44.949266][ T1633] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 44.949270][ T1633] Call Trace:
[ 44.949273][ T1633]
[ 44.949275][ T1633]  dump_stack_lvl+0x44/0x60
[ 44.949284][ T1633]  print_report.cold+0x2c0/0x74d
[ 44.949291][ T1633]  ? gsm_cleanup_mux+0x5c7/0x5f0
[ 44.949297][ T1633]  kasan_report+0xdd/0x190
[ 44.949304][ T1633]  ? gsm_cleanup_mux+0x5c7/0x5f0
[ 44.949309][ T1633]  gsm_cleanup_mux+0x5c7/0x5f0
[ 44.949315][ T1633]  ? gsm_dlci_begin_close+0x1f0/0x1f0
[ 44.949322][ T1633]  gsmld_ioctl+0x3ce/0x1030
[ 44.949328][ T1633]  ? gsm_dlci_begin_open+0x1e0/0x1e0
[ 44.949334][ T1633]  ? tomoyo_execute_permission+0x450/0x450
[ 44.949344][ T1633]  tty_ioctl+0x5bc/0x1140
[ 44.949350][ T1633]  ? send_break+0x370/0x370
[ 44.949356][ T1633]  ? reacquire_held_locks+0x370/0x370
[ 44.949364][ T1633]  ? __fget_files+0x1c2/0x2e0
[ 44.949373][ T1633]  __x64_sys_ioctl+0x125/0x190
[ 44.949380][ T1633]  do_syscall_64+0x38/0x80
[ 44.949389][ T1633]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 44.949397][ T1633] RIP: 0033:0x7fe65367c859
[ 44.949402][ T1633] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 44.949408][ T1633] RSP: 002b:00007fe6531de0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 44.949416][ T1633] RAX: ffffffffffffffda RBX: 00007fe65379c050 RCX: 00007fe65367c859
[ 44.949420][ T1633] RDX: 0000000020000040 RSI: 00000000404c4701 RDI: 0000000000000005
[ 44.949424][ T1633] RBP: 00007fe6536d8ad0 R08: 0000000000000000 R09: 0000000000000000
[ 44.949428][ T1633] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 44.949432][ T1633] R13: 000000000000006e R14: 00007fe65379c050 R15: 00007ffc6b12c758
[ 44.949437][ T1633]
[ 44.949439][ T1633]
[ 44.949441][ T1633] Allocated by task 1625:
[ 44.949444][ T1633]  kasan_save_stack+0x33/0x50
[ 44.949449][ T1633]  __kasan_kmalloc+0xab/0xd0
[ 44.949453][ T1633]  gsm_dlci_alloc+0x41/0x3d0
[ 44.949458][ T1633]  gsmld_ioctl+0xad0/0x1030
[ 44.949463][ T1633]  tty_ioctl+0x5bc/0x1140
[ 44.949468][ T1633]  __x64_sys_ioctl+0x125/0x190
[ 44.949474][ T1633]  do_syscall_64+0x38/0x80
[ 44.949479][ T1633]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 44.949485][ T1633]
[ 44.949486][ T1633] Freed by task 1625:
[ 44.949488][ T1633]  kasan_save_stack+0x33/0x50
[ 44.949493][ T1633]  kasan_set_track+0x25/0x30
[ 44.949497][ T1633]  kasan_set_free_info+0x24/0x40
[ 44.949503][ T1633]  ____kasan_slab_free+0x125/0x1a0
[ 44.949508][ T1633]  slab_free_freelist_hook+0xae/0x1e0
[ 44.949515][ T1633]  kfree+0xcb/0x590
[ 44.949520][ T1633]  gsm_cleanup_mux+0x27d/0x5f0
[ 44.949524][ T1633]  gsmld_ioctl+0x3ce/0x1030
[ 44.949529][ T1633]  tty_ioctl+0x5bc/0x1140
[ 44.949533][ T1633]  __x64_sys_ioctl+0x125/0x190
[ 44.949539][ T1633]  do_syscall_64+0x38/0x80
[ 44.949544][ T1633]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 44.949549][ T1633]
[ 44.949550][ T1633] The buggy address belongs to the object at ffff88800f274000
[ 44.949550][ T1633]  which belongs to the cache kmalloc-2k of size 2048
[ 44.949555][ T1633] The buggy address is located 12 bytes inside of
[ 44.949555][ T1633]  2048-byte region [ffff88800f274000, ffff88800f274800)
[ 44.949558][ T1633]
[ 44.949559][ T1633] The buggy address belongs to the physical page:
[ 44.949562][ T1633] page:ffffea00003c9c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xf270
[ 44.949568][ T1633] head:ffffea00003c9c00 order:3 compound_mapcount:0 compound_pincount:0
[ 44.949573][ T1633] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 44.949582][ T1633] raw: 00fff00000010200 ffffea0000319000 dead000000000002 ffff888008842000
[ 44.949588][ T1633] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 44.949590][ T1633] page dumped because: kasan: bad access detected
[ 44.949594][ T1633] page_owner tracks the page as allocated
[ 44.949596][ T1633] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 938, tgid 938 (udevd), ts 6695580468, free_ts 6693891901
[ 44.949607][ T1633]  post_alloc_hook+0x203/0x2f0
[ 44.949613][ T1633]  get_page_from_freelist+0x16fb/0x3410
[ 44.949619][ T1633]  __alloc_pages+0x1d0/0x4c0
[ 44.949625][ T1633]  allocate_slab+0x26c/0x390
[ 44.949630][ T1633]  ___slab_alloc+0x955/0xce0
[ 44.949635][ T1633]  __slab_alloc.constprop.0+0x45/0x80
[ 44.949641][ T1633]  __kmalloc_node_track_caller+0x349/0x490
[ 44.949647][ T1633]  __alloc_skb+0x8c/0x270
[ 44.949653][ T1633]  netlink_sendmsg+0x848/0xc60
[ 44.949660][ T1633]  sock_sendmsg+0xb2/0xe0
[ 44.949665][ T1633]  ____sys_sendmsg+0x604/0x810
[ 44.949669][ T1633]  ___sys_sendmsg+0xf4/0x170
[ 44.949674][ T1633]  __sys_sendmsg+0xdb/0x170
[ 44.949679][ T1633]  do_syscall_64+0x38/0x80
[ 44.949684][ T1633]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 44.949689][ T1633] page last free stack trace:
[ 44.949690][ T1633]  free_pcp_prepare+0x4be/0xc70
[ 44.949697][ T1633]  free_unref_page+0x1d/0x530
[ 44.949702][ T1633]  __unfreeze_partials+0x193/0x1b0
[ 44.949708][ T1633]  qlist_free_all+0x6a/0x170
[ 44.949713][ T1633]  kasan_quarantine_reduce+0x17a/0x1a0
[ 44.949718][ T1633]  __kasan_slab_alloc+0xa6/0xc0
[ 44.949722][ T1633]  kmem_cache_alloc+0x244/0x3b0
[ 44.949726][ T1633]  getname_flags.part.0+0x4a/0x430
[ 44.949732][ T1633]  do_sys_openat2+0xec/0x410
[ 44.949737][ T1633]  __x64_sys_openat+0x134/0x1d0
[ 44.949741][ T1633]  do_syscall_64+0x38/0x80
[ 44.949746][ T1633]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 44.949750][ T1633]
[ 44.949751][ T1633] Memory state around the buggy address:
[ 44.949755][ T1633]  ffff88800f273f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.949758][ T1633]  ffff88800f273f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.949762][ T1633] >ffff88800f274000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.949764][ T1633]                    ^
[ 44.949767][ T1633]  ffff88800f274080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.949771][ T1633]  ffff88800f274100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.949773][ T1633] ==================================================================
[ 44.949776][ T1633] Kernel panic - not syncing: panic_on_warn set ...
[ 45.585476][ T1633] Kernel Offset: disabled
[ 45.589788][ T1633] Rebooting in 86400 seconds..