qaqaq

Untitled

Sep 20th, 2022
  1.  
  2. 15:48:48 executing program 5:
  3. openat$ttynull(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ttyUSB1', 0x0, 0x0)
  4. r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00')
  5. r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00')
  6. preadv2(r1, &(0x7f00000002c0)=[{&(0x7f0000000080)=""/98, 0x7ffff000}], 0x1, 0x0, 0x0, 0x0)
  7. ioctl$GIO_UNIMAP(r1, 0x4b66, &(0x7f0000000180)={0x5, &(0x7f0000000140)=[{}, {}, {}, {}, {}]})
  8. preadv2(r0, &(0x7f00000002c0)=[{&(0x7f0000000080)=""/98, 0x7ffff000}], 0x1, 0x0, 0x0, 0x0)
  9. ioctl$TIOCGDEV(r0, 0x80045432, &(0x7f0000000000))
  10. syz_attach_gadget$hid(&(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, [{0xd, {0xa21, 0x0, {0x0}}}]}, 0x9)
  11.  
  12. 15:48:49 executing program 5:
  13. openat$ttynull(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ttyUSB1', 0x0, 0x0)
  14. r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00')
  15. r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00')
  16. preadv2(r1, &(0x7f00000002c0)=[{&(0x7f0000000080)=""/98, 0x7ffff000}], 0x1, 0x0, 0x0, 0x0)
  17. ioctl$GIO_UNIMAP(r1, 0x4b66, &(0x7f0000000180)={0x5, &(0x7f0000000140)=[{}, {}, {}, {}, {}]})
  18. preadv2(r0, &(0x7f00000002c0)=[{&(0x7f0000000080)=""/98, 0x7ffff000}], 0x1, 0x0, 0x0, 0x0)
  19. ioctl$TIOCGDEV(r0, 0x80045432, &(0x7f0000000000))
  20. syz_attach_gadget$hid(&(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, [{0xd, {0xa21, 0x0, {0x0}}}]}, 0x9)
  21. openat$ttynull(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ttyUSB1', 0x0, 0x0) (async)
  22. syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00') (async)
  23. syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00') (async)
  24. preadv2(r1, &(0x7f00000002c0)=[{&(0x7f0000000080)=""/98, 0x7ffff000}], 0x1, 0x0, 0x0, 0x0) (async)
  25. ioctl$GIO_UNIMAP(r1, 0x4b66, &(0x7f0000000180)={0x5, &(0x7f0000000140)=[{}, {}, {}, {}, {}]}) (async)
  26. preadv2(r0, &(0x7f00000002c0)=[{&(0x7f0000000080)=""/98, 0x7ffff000}], 0x1, 0x0, 0x0, 0x0) (async)
  27. ioctl$TIOCGDEV(r0, 0x80045432, &(0x7f0000000000)) (async)
  28. syz_attach_gadget$hid(&(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, [{0xd, {0xa21, 0x0, {0x0}}}]}, 0x9) (async)
  29.  
  30. 15:48:49 executing program 5:
  31. openat$ttynull(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ttyUSB1', 0x0, 0x0)
  32. r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00') (async)
  33. r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00')
  34. preadv2(r1, &(0x7f00000002c0)=[{&(0x7f0000000080)=""/98, 0x7ffff000}], 0x1, 0x0, 0x0, 0x0) (async)
  35. ioctl$GIO_UNIMAP(r1, 0x4b66, &(0x7f0000000180)={0x5, &(0x7f0000000140)=[{}, {}, {}, {}, {}]}) (async)
  36. preadv2(r0, &(0x7f00000002c0)=[{&(0x7f0000000080)=""/98, 0x7ffff000}], 0x1, 0x0, 0x0, 0x0) (async)
  37. ioctl$TIOCGDEV(r0, 0x80045432, &(0x7f0000000000)) (async, rerun: 64)
  38. syz_attach_gadget$hid(&(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, [{0xd, {0xa21, 0x0, {0x0}}}]}, 0x9) (rerun: 64)
  39.  
  40. xxx index: 0, name: bcdUSB, size: 2
  41. xxx index: 1, name: bDeviceClass, size: 1
  42. xxx index: 2, name: bDeviceSubClass, size: 1
  43. xxx index: 3, name: bDeviceProtocol, size: 1
  44. xxx index: 4, name: bMaxPacketSize0, size: 1
  45. xxx index: 5, name: idVendor, size: 2
  46. xxx index: 6, name: idProduct, size: 2
  47. xxx index: 7, name: bcdDevice, size: 2
  48. xxx index: 8, name: bmAttributes, size: 1
  49. xxx index: 9, name: bMaxPower, size: 1
  50. xxx index: 10, name: , size: 2
  51. xxx index: 11, name: bNumConfigurations, size: 4
  52. xxx index: 12, name: , size: 4
  53. xxx index: 13, name: configs, size: 48
  54. xxx index: 0, name: bcdUSB, size: 2
  55. xxx index: 1, name: bDeviceClass, size: 1
  56. xxx index: 2, name: bDeviceSubClass, size: 1
  57. xxx index: 3, name: bDeviceProtocol, size: 1
  58. xxx index: 4, name: bMaxPacketSize0, size: 1
  59. xxx index: 5, name: idVendor, size: 2
  60. xxx index: 6, name: idProduct, size: 2
  61. xxx index: 7, name: bcdDevice, size: 2
  62. xxx index: 8, name: bmAttributes, size: 1
  63. xxx index: 9, name: bMaxPower, size: 1
  64. xxx index: 10, name: , size: 2
  65. xxx index: 11, name: bNumConfigurations, size: 4
  66. xxx index: 12, name: , size: 4
  67. xxx index: 13, name: configs, size: 96
  68. 15:48:49 executing program 5:
  69. r0 = openat$ttynull(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ttyUSB1', 0x0, 0x0)
  70. syz_attach_gadget$hid(&(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, [{0xd, {0xa21, 0x0, {0x0}}}]}, 0x0)
  71. syz_attach_gadget$hid(&(0x7f0000000040)={0x200, 0x6, 0x3f, 0xf7, 0x20, 0x5ac, 0x1440, 0x3, 0x80, 0x20, 0x1, [{0xd, {0x4, 0x1, {&(0x7f0000000140)=ANY=[@ANYBLOB="de4a63ac29c8c4a36ad5117a267a245258bdb17edccedbd4caa5e613ac6e53765ea997f500fe88990f788a90db7903541d316f7acd0f8fa769072acfa52b59d61e093e0f20c0160f59176d1d3a4cda11e3c40f3c4b2391a9e746b0f31a66c4fc5cb6cc3d31d34e7c57104808209d5a5f5d9895c2adf617ea79655104549632a95020acfacaa94d382cd04d0e6f3c5712e51a0cddd070204c67e0e8d57bf63a1acb73914193e254ce8e1b9957ff55369823531bacc2a1a3b73d5d7f3fb0e79bd395caefda53644be60f444d54bff4efb7909d"]}, 0x10}}]}, 0x3)
  72. syz_attach_gadget$hid(&(0x7f0000000280)={0x200, 0x3, 0x8, 0x1, 0x48, 0x56a, 0x21, 0x1, 0xe0, 0x82, 0x2, [{0xd, {0x793, 0x1, {&(0x7f0000000000)={[@global=@item_012={0x2, 0x1, 0x8, "1b42"}, @global=@item_012={0x2, 0x1, 0x2, "e5b6"}, @main=@item_4={0x3, 0x0, 0xc, "b0a11a5b"}, @global=@item_4={0x3, 0x1, 0x9, "a9148509"}, @global=@item_4={0x3, 0x1, 0x7, "aaca4bd0"}, @main=@item_012={0x0, 0x0, 0x9}, @global=@item_4={0x3, 0x1, 0x2, "15151f09"}, @local=@item_4={0x3, 0x2, 0x0, "5ce7be2a"}, @global=@item_012={0x1, 0x1, 0x5, "12"}, @main=@item_012={0x0, 0x0, 0xc}]}}, 0x8, 0x1}}, {0xd, {0x3800000000000, 0x0, {&(0x7f0000000240)={[@local=@item_4={0x3, 0x2, 0x7, "5cff6f98"}, @main=@item_012={0x1, 0x0, 0xc, 'b'}, @local=@item_4={0x3, 0x2, 0x7, "ed78f24a"}]}}, 0x8, 0x1}}]}, 0x5)
  73. ioctl$TIOCVHANGUP(r0, 0x5437, 0x0)
  74.  
  75. [ 1534.763685][ T30] kauditd_printk_skb: 53 callbacks suppressed
  76. [ 1534.763704][ T30] audit: type=1800 audit(1662479329.803:2103): pid=27411 uid=0 auid=0 ses=4 subj=unconfined op=collect_data cause=failed comm="syz-executor.5" name="UDC" dev="configfs" ino=71227 res=0 errno=0
  77. [ 1534.778293][ T30] audit: type=1800 audit(1662479329.813:2104): pid=27411 uid=0 auid=0 ses=4 subj=unconfined op=collect_data cause=failed comm="syz-executor.5" name="UDC" dev="configfs" ino=71228 res=0 errno=0
  78. [ 1534.819026][ T30] audit: type=1800 audit(1662479329.843:2105): pid=27411 uid=0 auid=0 ses=4 subj=unconfined op=collect_data cause=failed comm="syz-executor.5" name="UDC" dev="configfs" ino=71229 res=0 errno=0
  79. [ 1534.863506][ T30] audit: type=1800 audit(1662479329.843:2106): pid=27413 uid=0 auid=0 ses=4 subj=unconfined op=collect_data cause=failed comm="syz-executor.5" name="UDC" dev="configfs" ino=71703 res=0 errno=0
  80. [ 1534.898684][ T30] audit: type=1800 audit(1662479329.843:2107): pid=27413 uid=0 auid=0 ses=4 subj=unconfined op=collect_data cause=failed comm="syz-executor.5" name="UDC" dev="configfs" ino=71704 res=0 errno=0
  81. [ 1534.943412][ T9889] usb 6-1: USB disconnect, device number 3
  82. [ 1534.947021][ T30] audit: type=1800 audit(1662479329.843:2108): pid=27411 uid=0 auid=0 ses=4 subj=unconfined op=collect_data cause=failed comm="syz-executor.5" name="UDC" dev="configfs" ino=71230 res=0 errno=0
  83. [ 1534.947863][ T9889] keyspan_1 ttyUSB0: Keyspan 1 port adapter converter now disconnected from ttyUSB0
  84. [ 1534.983522][ T9889] keyspan 6-1:1.0: device disconnected
  85. [ 1535.002307][ T9889] keyspan_1 ttyUSB1: Keyspan 1 port adapter converter now disconnected from ttyUSB1
  86. [ 1535.012746][ T30] audit: type=1800 audit(1662479329.843:2109): pid=27413 uid=0 auid=0 ses=4 subj=unconfined op=collect_data cause=failed comm="syz-executor.5" name="UDC" dev="configfs" ino=71705 res=0 errno=0
  87. [ 1535.014239][ T9889] keyspan 6-1:1.1: device disconnected
  88. [ 1535.080948][ T30] audit: type=1800 audit(1662479329.873:2110): pid=27411 uid=0 auid=0 ses=4 subj=unconfined op=collect_data cause=failed comm="syz-executor.5" name="UDC" dev="configfs" ino=71231 res=0 errno=0
  89. [ 1535.084015][ T30] audit: type=1800 audit(1662479329.883:2111): pid=27413 uid=0 auid=0 ses=4 subj=unconfined op=collect_data cause=failed comm="syz-executor.5" name="UDC" dev="configfs" ino=71706 res=0 errno=0
  90. [ 1535.086776][ T30] audit: type=1800 audit(1662479329.883:2112): pid=27413 uid=0 auid=0 ses=4 subj=unconfined op=collect_data cause=failed comm="syz-executor.5" name="UDC" dev="configfs" ino=71707 res=0 errno=0
  91. [ 1535.278800][T27414] ==================================================================
  92. [ 1535.283518][T27414] BUG: KASAN: use-after-free in keyspan_close+0x240/0x260
  93. [ 1535.290253][T27414] Write of size 4 at addr ffff88805a1e7104 by task syz-executor.5/27414
  94. [ 1535.291277][T27414]
  95. [ 1535.291555][T27414] CPU: 1 PID: 27414 Comm: syz-executor.5 Not tainted 6.0.0-rc4+ #20
  96. [ 1535.292542][T27414] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
  97. [ 1535.293836][T27414] Call Trace:
  98. [ 1535.294197][T27414] <TASK>
  99. [ 1535.295030][T27414] dump_stack_lvl+0xcd/0x134
  100. [ 1535.296420][T27414] print_report.cold+0xe5/0x66d
  101. [ 1535.297029][T27414] ? keyspan_close+0x240/0x260
  102. [ 1535.297650][T27414] kasan_report+0x8a/0x1b0
  103. [ 1535.298268][T27414] ? keyspan_close+0x240/0x260
  104. [ 1535.298831][T27414] ? keyspan_write+0x670/0x670
  105. [ 1535.299482][T27414] keyspan_close+0x240/0x260
  106. [ 1535.300008][T27414] serial_port_shutdown+0x89/0x110
  107. [ 1535.300598][T27414] ? serial_port_activate+0x280/0x280
  108. [ 1535.301331][T27414] tty_port_shutdown+0x1ec/0x270
  109. [ 1535.302267][T27414] tty_port_hangup+0x103/0x170
  110. [ 1535.303199][T27414] ? serial_write+0x220/0x220
  111. [ 1535.303711][T27414] __tty_hangup.part.0+0x65b/0x770
  112. [ 1535.304253][T27414] ? file_tty_write.isra.0+0x880/0x880
  113. [ 1535.304845][T27414] tty_ioctl+0x956/0x1430
  114. [ 1535.305327][T27414] ? send_break+0x3a0/0x3a0
  115. [ 1535.305836][T27414] ? __fget_files+0x26b/0x430
  116. [ 1535.306338][T27414] ? __sanitizer_cov_trace_pc+0x1a/0x40
  117. [ 1535.306974][T27414] ? send_break+0x3a0/0x3a0
  118. [ 1535.307469][T27414] __x64_sys_ioctl+0x193/0x200
  119. [ 1535.307994][T27414] do_syscall_64+0x35/0x80
  120. [ 1535.308485][T27414] entry_SYSCALL_64_after_hwframe+0x63/0xcd
  121. [ 1535.309767][T27414] RIP: 0033:0x7ff1e4ca80fd
  122. [ 1535.310341][T27414] Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
  123. [ 1535.312316][T27414] RSP: 002b:00007ff1e5421bf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
  124. [ 1535.313434][T27414] RAX: ffffffffffffffda RBX: 00007ff1e4d9c4e0 RCX: 00007ff1e4ca80fd
  125. [ 1535.314392][T27414] RDX: 0000000000000000 RSI: 0000000000005437 RDI: 0000000000000003
  126. [ 1535.315199][T27414] RBP: 00007ff1e4d0b606 R08: 0000000000000000 R09: 0000000000000000
  127. [ 1535.316024][T27414] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
  128. [ 1535.316864][T27414] R13: 00007fffcf5e0c9f R14: 00007fffcf5e0e40 R15: 00007ff1e5421d80
  129. [ 1535.317706][T27414] </TASK>
  130. [ 1535.318041][T27414]
  131. [ 1535.318302][T27414] Allocated by task 9889:
  132. [ 1535.318761][T27414] kasan_save_stack+0x1e/0x40
  133. [ 1535.319269][T27414] __kasan_kmalloc+0xa9/0xd0
  134. [ 1535.319781][T27414] kmem_cache_alloc_trace+0x19b/0x380
  135. [ 1535.320341][T27414] keyspan_port_probe+0xbe/0xe40
  136. [ 1535.320885][T27414] usb_serial_device_probe+0xfe/0x3d0
  137. [ 1535.323736][T27414] really_probe+0x249/0xa90
  138. [ 1535.324314][T27414] __driver_probe_device+0x1df/0x4d0
  139. [ 1535.324885][T27414] driver_probe_device+0x4c/0x1a0
  140. [ 1535.325502][T27414] __device_attach_driver+0x1da/0x2d0
  141. [ 1535.326113][T27414] bus_for_each_drv+0x15f/0x1e0
  142. [ 1535.326681][T27414] __device_attach+0x283/0x480
  143. [ 1535.327220][T27414] bus_probe_device+0x1e4/0x290
  144. [ 1535.327790][T27414] device_add+0xc96/0x1da0
  145. [ 1535.328326][T27414] usb_serial_probe.cold+0x163f/0x291e
  146. [ 1535.328948][T27414] usb_probe_interface+0x361/0x800
  147. [ 1535.329520][T27414] really_probe+0x249/0xa90
  148. [ 1535.330009][T27414] __driver_probe_device+0x1df/0x4d0
  149. [ 1535.330589][T27414] driver_probe_device+0x4c/0x1a0
  150. [ 1535.331351][T27414] __device_attach_driver+0x1da/0x2d0
  151. [ 1535.332089][T27414] bus_for_each_drv+0x15f/0x1e0
  152. [ 1535.332768][T27414] __device_attach+0x283/0x480
  153. [ 1535.333389][T27414] bus_probe_device+0x1e4/0x290
  154. [ 1535.333963][T27414] device_add+0xc96/0x1da0
  155. [ 1535.334507][T27414] usb_set_configuration+0x1014/0x1900
  156. [ 1535.335179][T27414] usb_generic_driver_probe+0x9d/0xe0
  157. [ 1535.335816][T27414] usb_probe_device+0xd4/0x2a0
  158. [ 1535.336401][T27414] really_probe+0x249/0xa90
  159. [ 1535.336978][T27414] __driver_probe_device+0x1df/0x4d0
  160. [ 1535.337692][T27414] driver_probe_device+0x4c/0x1a0
  161. [ 1535.338255][T27414] __device_attach_driver+0x1da/0x2d0
  162. [ 1535.338944][T27414] bus_for_each_drv+0x15f/0x1e0
  163. [ 1535.339535][T27414] __device_attach+0x283/0x480
  164. [ 1535.340111][T27414] bus_probe_device+0x1e4/0x290
  165. [ 1535.340690][T27414] device_add+0xc96/0x1da0
  166. [ 1535.341239][T27414] usb_new_device.cold+0x69d/0x10ef
  167. [ 1535.341833][T27414] hub_event+0x23bd/0x4260
  168. [ 1535.342477][T27414] process_one_work+0x9c7/0x1650
  169. [ 1535.343054][T27414] worker_thread+0x623/0x1070
  170. [ 1535.346009][T27414] kthread+0x2e9/0x3a0
  171. [ 1535.346481][T27414] ret_from_fork+0x1f/0x30
  172. [ 1535.347000][T27414]
  173. [ 1535.348270][T27414] Freed by task 9889:
  174. [ 1535.348724][T27414] kasan_save_stack+0x1e/0x40
  175. [ 1535.349548][T27414] kasan_set_track+0x21/0x30
  176. [ 1535.350366][T27414] kasan_set_free_info+0x20/0x30
  177. [ 1535.350948][T27414] __kasan_slab_free+0x11d/0x1b0
  178. [ 1535.351858][T27414] kfree+0xe9/0x650
  179. [ 1535.352419][T27414] usb_serial_device_remove+0x13f/0x1a0
  180. [ 1535.353751][T27414] device_remove+0xc8/0x170
  181. [ 1535.354337][T27414] device_release_driver_internal+0x1a7/0x360
  182. [ 1535.355115][T27414] bus_remove_device+0x2e3/0x590
  183. [ 1535.355743][T27414] device_del+0x5d2/0xe80
  184. [ 1535.356235][T27414] usb_serial_disconnect+0x23e/0x3b0
  185. [ 1535.359170][T27414] usb_unbind_interface+0x1bd/0x890
  186. [ 1535.359780][T27414] device_remove+0x11f/0x170
  187. [ 1535.360323][T27414] device_release_driver_internal+0x1a7/0x360
  188. [ 1535.361044][T27414] bus_remove_device+0x2e3/0x590
  189. [ 1535.361639][T27414] device_del+0x5d2/0xe80
  190. [ 1535.362164][T27414] usb_disable_device+0x214/0x600
  191. [ 1535.363154][T27414] usb_disconnect+0x285/0x860
  192. [ 1535.363780][T27414] hub_event+0x1c1b/0x4260
  193. [ 1535.364352][T27414] process_one_work+0x9c7/0x1650
  194. [ 1535.364949][T27414] worker_thread+0x623/0x1070
  195. [ 1535.365506][T27414] kthread+0x2e9/0x3a0
  196. [ 1535.365994][T27414] ret_from_fork+0x1f/0x30
  197. [ 1535.366536][T27414]
  198. [ 1535.366845][T27414] Last potentially related work creation:
  199. [ 1535.367511][T27414] kasan_save_stack+0x1e/0x40
  200. [ 1535.368006][T27414] __kasan_record_aux_stack+0xbe/0xd0
  201. [ 1535.368683][T27414] insert_work+0x4a/0x390
  202. [ 1535.369233][T27414] __queue_work+0x4d4/0x1200
  203. [ 1535.369793][T27414] queue_work_on+0xee/0x110
  204. [ 1535.370360][T27414] call_usermodehelper_exec+0x1cc/0x490
  205. [ 1535.371060][T27414] kobject_uevent_env+0xf14/0x1640
  206. [ 1535.371892][T27414] kset_register+0x49/0x60
  207. [ 1535.372422][T27414] __class_register+0x20b/0x4a0
  208. [ 1535.373135][T27414] __class_create+0xca/0x140
  209. [ 1535.373757][T27414] ghid_setup+0x71/0x150
  210. [ 1535.374263][T27414] hidg_alloc_inst+0x179/0x250
  211. [ 1535.375290][T27414] try_get_usb_function_instance+0x122/0x1e0
  212. [ 1535.376253][T27414] usb_get_function_instance+0x13/0xa0
  213. [ 1535.376888][T27414] function_make+0x105/0x3e0
  214. [ 1535.377384][T27414] configfs_mkdir+0x46a/0xb90
  215. [ 1535.377874][T27414] vfs_mkdir+0x69f/0xa30
  216. [ 1535.378364][T27414] do_mkdirat+0x249/0x2c0
  217. [ 1535.380745][T27414] __x64_sys_mkdir+0x61/0x80
  218. [ 1535.381310][T27414] do_syscall_64+0x35/0x80
  219. [ 1535.381806][T27414] entry_SYSCALL_64_after_hwframe+0x63/0xcd
  220. [ 1535.382426][T27414]
  221. [ 1535.382704][T27414] Second to last potentially related work creation:
  222. [ 1535.383370][T27414] kasan_save_stack+0x1e/0x40
  223. [ 1535.383916][T27414] __kasan_record_aux_stack+0xbe/0xd0
  224. [ 1535.384537][T27414] insert_work+0x4a/0x390
  225. [ 1535.385070][T27414] __queue_work+0x4d4/0x1200
  226. [ 1535.385629][T27414] queue_work_on+0xee/0x110
  227. [ 1535.386147][T27414] call_usermodehelper_exec+0x1cc/0x490
  228. [ 1535.386784][T27414] kobject_uevent_env+0xf14/0x1640
  229. [ 1535.387561][T27414] netdev_queue_update_kobjects+0x3ba/0x4d0
  230. [ 1535.388214][T27414] netdev_register_kobject+0x333/0x400
  231. [ 1535.388897][T27414] register_netdevice+0xbe9/0x1370
  232. [ 1535.389657][T27414] __ip_tunnel_create+0x398/0x580
  233. [ 1535.390647][T27414] ip_tunnel_init_net+0x32c/0xa40
  234. [ 1535.391661][T27414] ops_init+0xaf/0x420
  235. [ 1535.392141][T27414] setup_net+0x415/0xa40
  236. [ 1535.392610][T27414] copy_net_ns+0x2d9/0x660
  237. [ 1535.393098][T27414] create_new_namespaces.isra.0+0x3cb/0xae0
  238. [ 1535.393675][T27414] unshare_nsproxy_namespaces+0xc8/0x1f0
  239. [ 1535.394179][T27414] ksys_unshare+0x450/0x920
  240. [ 1535.394543][T27414] __x64_sys_unshare+0x2d/0x40
  241. [ 1535.394903][T27414] do_syscall_64+0x35/0x80
  242. [ 1535.395245][T27414] entry_SYSCALL_64_after_hwframe+0x63/0xcd
  243. [ 1535.395686][T27414]
  244. [ 1535.395870][T27414] The buggy address belongs to the object at ffff88805a1e7100
  245. [ 1535.395870][T27414] which belongs to the cache kmalloc-192 of size 192
  246. [ 1535.397321][T27414] The buggy address is located 4 bytes inside of
  247. [ 1535.397321][T27414] 192-byte region [ffff88805a1e7100, ffff88805a1e71c0)
  248. [ 1535.398715][T27414]
  249. [ 1535.398983][T27414] The buggy address belongs to the physical page:
  250. [ 1535.399696][T27414] page:ffffea00016879c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5a1e7
  251. [ 1535.400798][T27414] flags: 0x4fff00000000200(slab|node=1|zone=1|lastcpupid=0x7ff)
  252. [ 1535.401737][T27414] raw: 04fff00000000200 0000000000000000 dead000000000001 ffff888011c41a00
  253. [ 1535.402665][T27414] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
  254. [ 1535.403539][T27414] page dumped because: kasan: bad access detected
  255. [ 1535.404217][T27414] page_owner tracks the page as allocated
  256. [ 1535.404822][T27414] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 6450, tgid 6450 (syz-executor.1), ts 146447587150, free_ts 146293511182
  257. [ 1535.406772][T27414] prep_new_page+0x2c6/0x350
  258. [ 1535.407293][T27414] get_page_from_freelist+0xae9/0x3a80
  259. [ 1535.407902][T27414] __alloc_pages+0x321/0x710
  260. [ 1535.408442][T27414] alloc_pages+0x117/0x2f0
  261. [ 1535.409008][T27414] new_slab+0x246/0x3a0
  262. [ 1535.409522][T27414] ___slab_alloc+0xa50/0x1060
  263. [ 1535.410060][T27414] __slab_alloc.isra.0+0x4d/0xa0
  264. [ 1535.410657][T27414] kmem_cache_alloc_trace+0x35b/0x380
  265. [ 1535.411298][T27414] call_usermodehelper_setup+0x97/0x340
  266. [ 1535.411942][T27414] kobject_uevent_env+0xef5/0x1640
  267. [ 1535.412547][T27414] netdev_queue_update_kobjects+0x3ba/0x4d0
  268. [ 1535.413237][T27414] netdev_register_kobject+0x333/0x400
  269. [ 1535.413846][T27414] register_netdevice+0xbe9/0x1370
  270. [ 1535.414418][T27414] veth_newlink+0x4d6/0x9a0
  271. [ 1535.415773][T27414] __rtnl_newlink+0xfbc/0x16f0
  272. [ 1535.422342][T27414] rtnl_newlink+0x64/0xa0
  273. [ 1535.422922][T27414] page last free stack trace:
  274. [ 1535.423542][T27414] free_pcp_prepare+0x5ab/0xd00
  275. [ 1535.424257][T27414] free_unref_page+0x19/0x410
  276. [ 1535.424949][T27414] __vunmap+0x6ff/0xaa0
  277. [ 1535.425503][T27414] free_work+0x58/0x70
  278. [ 1535.426109][T27414] process_one_work+0x9c7/0x1650
  279. [ 1535.426746][T27414] worker_thread+0x623/0x1070
  280. [ 1535.427351][T27414] kthread+0x2e9/0x3a0
  281. [ 1535.427931][T27414] ret_from_fork+0x1f/0x30
  282. [ 1535.428531][T27414]
  283. [ 1535.428898][T27414] Memory state around the buggy address:
  284. [ 1535.447515][T27414] ffff88805a1e7000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  285. [ 1535.448615][T27414] ffff88805a1e7080: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
  286. [ 1535.449652][T27414] >ffff88805a1e7100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  287. [ 1535.450553][T27414] ^
  288. [ 1535.451028][T27414] ffff88805a1e7180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
  289. [ 1535.452014][T27414] ffff88805a1e7200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  290. [ 1535.452858][T27414] ==================================================================
  291. [ 1535.672305][T27414] Kernel panic - not syncing: panic_on_warn set ...
  292. [ 1535.673150][T27414] CPU: 0 PID: 27414 Comm: syz-executor.5 Not tainted 6.0.0-rc4+ #20
  293. [ 1535.674061][T27414] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
  294. [ 1535.675569][T27414] Call Trace:
  295. [ 1535.675965][T27414] <TASK>
  296. [ 1535.676320][T27414] dump_stack_lvl+0xcd/0x134
  297. [ 1535.676892][T27414] panic+0x2d7/0x636
  298. [ 1535.677388][T27414] ? panic_print_sys_info.part.0+0x10b/0x10b
  299. [ 1535.678089][T27414] ? preempt_schedule_common+0x5e/0xc0
  300. [ 1535.678735][T27414] ? keyspan_close+0x240/0x260
  301. [ 1535.679839][T27414] ? preempt_schedule_thunk+0x16/0x18
  302. [ 1535.680470][T27414] ? keyspan_close+0x240/0x260
  303. [ 1535.681081][T27414] end_report.part.0+0x3f/0x7c
  304. [ 1535.681638][T27414] kasan_report.cold+0x8/0x12
  305. [ 1535.682193][T27414] ? keyspan_close+0x240/0x260
  306. [ 1535.682750][T27414] ? keyspan_write+0x670/0x670
  307. [ 1535.683298][T27414] keyspan_close+0x240/0x260
  308. [ 1535.683845][T27414] serial_port_shutdown+0x89/0x110
  309. [ 1535.684408][T27414] ? serial_port_activate+0x280/0x280
  310. [ 1535.685010][T27414] tty_port_shutdown+0x1ec/0x270
  311. [ 1535.685571][T27414] tty_port_hangup+0x103/0x170
  312. [ 1535.686094][T27414] ? serial_write+0x220/0x220
  313. [ 1535.686614][T27414] __tty_hangup.part.0+0x65b/0x770
  314. [ 1535.687174][T27414] ? file_tty_write.isra.0+0x880/0x880
  315. [ 1535.687783][T27414] tty_ioctl+0x956/0x1430
  316. [ 1535.688274][T27414] ? send_break+0x3a0/0x3a0
  317. [ 1535.688795][T27414] ? __fget_files+0x26b/0x430
  318. [ 1535.689343][T27414] ? __sanitizer_cov_trace_pc+0x1a/0x40
  319. [ 1535.689940][T27414] ? send_break+0x3a0/0x3a0
  320. [ 1535.690447][T27414] __x64_sys_ioctl+0x193/0x200
  321. [ 1535.690989][T27414] do_syscall_64+0x35/0x80
  322. [ 1535.691486][T27414] entry_SYSCALL_64_after_hwframe+0x63/0xcd
  323. [ 1535.692123][T27414] RIP: 0033:0x7ff1e4ca80fd
  324. [ 1535.692601][T27414] Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
  325. [ 1535.701816][T27414] RSP: 002b:00007ff1e5421bf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
  326. [ 1535.702775][T27414] RAX: ffffffffffffffda RBX: 00007ff1e4d9c4e0 RCX: 00007ff1e4ca80fd
  327. [ 1535.703630][T27414] RDX: 0000000000000000 RSI: 0000000000005437 RDI: 0000000000000003
  328. [ 1535.704508][T27414] RBP: 00007ff1e4d0b606 R08: 0000000000000000 R09: 0000000000000000
  329. [ 1535.705853][T27414] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
  330. [ 1535.710329][T27414] R13: 00007fffcf5e0c9f R14: 00007fffcf5e0e40 R15: 00007ff1e5421d80
  331. [ 1535.713830][T27414] </TASK>
  332. [ 1535.714398][T27414] Kernel Offset: disabled
  333. [ 1535.715868][T27414] Rebooting in 86400 seconds..
  334.  
  335. VM DIAGNOSIS:
  336. 23:48:50 Registers:
  337. info registers vcpu 0
  338. RAX=0000000000000001 RBX=0000000000000000 RCX=ffffffff815e4ba2 RDX=0000000000000000
  339. RSI=0000000000000008 RDI=ffffffff90eaa898 RBP=00000000000000db RSP=ffffc9000b6ff7b8
  340. R8 =1ffff11002acdc52 R9 =fffffbfff21d5514 R10=ffffffff90eaa89f R11=fffffbfff21d5513
  341. R12=0000000000000004 R13=ffff88801566d7c0 R14=dffffc0000000000 R15=0000000000000025
  342. RIP=ffffffff815e4baa RFL=00000047 [---Z-PC] CPL=0 II=0 A20=1 SMM=0 HLT=0
  343. ES =0000 0000000000000000 00000000 00000000
  344. CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
  345. SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
  346. DS =0000 0000000000000000 00000000 00000000
  347. FS =0000 0000000000000000 00000000 00000000
  348. GS =0000 ffff88802cc00000 00000000 00000000
  349. LDT=0000 fffffe0000000000 00000000 00000000
  350. TR =0040 fffffe0000003000 00004087 00008b00 DPL=0 TSS64-busy
  351. GDT= fffffe0000001000 0000007f
  352. IDT= fffffe0000000000 00000fff
  353. CR0=80050033 CR2=000000c0009ec008 CR3=000000001c8d9000 CR4=00350ef0
  354. DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
  355. DR6=00000000ffff0ff0 DR7=0000000000000400
  356. EFER=0000000000000d01
  357. FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001fa0
  358. FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
  359. FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
  360. FPR4=0000000000000000 0000 FPR5=8100000000000000 4007
  361. FPR6=8740000000000000 4008 FPR7=8740000000000000 4008
  362. XMM00=32323a33342f6b636f6c622f7665642f XMM01=3432323a33342f6b636f6c622f766564
  363. XMM02=000000000000000d000000c003837140 XMM03=000000000000000b000000c003837160
  364. XMM04=000000000000000b000000c003837180 XMM05=000000000000000b000000c0038371a0
  365. XMM06=000000000000000b000000c0038371c0 XMM07=000000000000000f000000c003837350
  366. XMM08=000000000000000e000000c003837370 XMM09=000000000000000e000000c003837390
  367. XMM10=000000000000000f000000c0038373b0 XMM11=000000000000000f000000c0038373d0
  368. XMM12=000000000000000f000000c0038373f0 XMM13=000000000000000f000000c003837410
  369. XMM14=000000000000000f000000c003837430 XMM15=00000000000000000000000000000000
  370. info registers vcpu 1
  371. RAX=0000000000000033 RBX=0000000000000000 RCX=0000000000000000 RDX=00000000000003f8
  372. RSI=ffff8880170857c0 RDI=ffffffff916c1f40 RBP=ffffffff916c1f00 RSP=ffffc9000739f5c0
  373. R8 =ffffffff84624951 R9 =000000000000001f R10=0000000000000001 R11=ffffed1002c4c046
  374. R12=0000000000000000 R13=0000000000000033 R14=0000000000000000 R15=0000000000000010
  375. RIP=ffffffff8462497b RFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
  376. ES =0000 0000000000000000 00000000 00000000
  377. CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
  378. SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
  379. DS =0000 0000000000000000 00000000 00000000
  380. FS =0000 00007ff1e5422700 00000000 00000000
  381. GS =0000 ffff88807ec00000 00000000 00000000
  382. LDT=0000 fffffe0000000000 00000000 00000000
  383. TR =0040 fffffe000004a000 00004087 00008b00 DPL=0 TSS64-busy
  384. GDT= fffffe0000048000 0000007f
  385. IDT= fffffe0000000000 00000fff
  386. CR0=80050033 CR2=00005652fedc4788 CR3=0000000013f55000 CR4=00350ee0
  387. DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
  388. DR6=00000000ffff0ff0 DR7=0000000000000400
  389. EFER=0000000000000d01
  390. FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
  391. FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
  392. FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
  393. FPR4=0000000000000000 0000 FPR5=8100000000000000 4007
  394. FPR6=8740000000000000 4008 FPR7=8740000000000000 4008
  395. XMM00=00000000000f42400000000000000000 XMM01=000000000000000000000000000f4240
  396. XMM02=00007ff1e4d76b6000007ff1e4d76b48 XMM03=00007ff1e4d76b4000007ff1e52da4c0
  397. XMM04=52247a267a11d56aa3c4c829ac634ade XMM05=00000000000000000000000000001000
  398. XMM06=ca95d39be7b03f7f5d3db7a3a1c2ac1b XMM07=5323983655ff57991b8ece54e2934191
  399. XMM08=73cb1a3af67bd5e8e0674c2070d0dd0c XMM09=00000000000000000000000000000000
  400. XMM10=00000000000000000000000000000000 XMM11=00000000000000000000000000000000
  401. XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000
  402. XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000