[ 19.494208] ==================================================================
[ 19.494876] BUG: KASAN: slab-use-after-free in gsm_dlci_config+0xf8e/0x1030
[ 19.495509] Read of size 4 at addr ffff88800be3800c by task ExploitGSM/215
[ 19.496102]
[ 19.496253] CPU: 3 PID: 215 Comm: ExploitGSM Not tainted 6.9.0-rc3+ #76
[ 19.496785] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 19.497228] Call Trace:
[ 19.497367]  <TASK>
[ 19.497483]  dump_stack_lvl+0x1ab/0x260
[ 19.497702]  print_report+0xce/0x610
[ 19.497898]  ? gsm_dlci_config+0xf8e/0x1030
[ 19.498124]  ? kasan_complete_mode_report_info+0x7c/0x200
[ 19.498407]  ? gsm_dlci_config+0xf8e/0x1030
[ 19.498636]  kasan_report+0xb9/0xf0
[ 19.498826]  ? gsm_dlci_config+0xf8e/0x1030
[ 19.499050]  __asan_report_load4_noabort+0x14/0x20
[ 19.499312]  gsm_dlci_config+0xf8e/0x1030
[ 19.499533]  ? __pfx_gsm_dlci_config+0x10/0x10
[ 19.499771]  ? __pfx_autoremove_wake_function+0x10/0x10
[ 19.500050]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 19.500334]  gsmld_ioctl+0x102f/0x1740
[ 19.500537]  ? __pfx_gsmld_ioctl+0x10/0x10
[ 19.500756]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 19.501034]  ? ldsem_down_read+0xc1/0x6f0
[ 19.501251]  ? __sanitizer_cov_trace_switch+0x54/0xa0
[ 19.501513]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 19.501798]  ? __sanitizer_cov_trace_switch+0x54/0xa0
[ 19.502061]  tty_ioctl+0x7a2/0x1620
[ 19.502249]  ? __pfx_gsmld_ioctl+0x10/0x10
[ 19.502468]  ? __pfx_tty_ioctl+0x10/0x10
[ 19.502676]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 19.502930]  ? fpregs_assert_state_consistent+0x8b/0xf0
[ 19.503200]  ? syscall_exit_to_user_mode+0x93/0x1f0
[ 19.503456]  ? do_syscall_64+0x87/0x120
[ 19.503660]  ? __fget_light+0x198/0x560
[ 19.503866]  ? security_file_ioctl+0x99/0xc0
[ 19.504095]  ? __pfx_tty_ioctl+0x10/0x10
[ 19.504306]  __x64_sys_ioctl+0x1b4/0x230
[ 19.504510]  x64_sys_call+0x1206/0x20b0
[ 19.504710]  do_syscall_64+0x7b/0x120
[ 19.504898]  ? __kasan_check_write+0x14/0x20
[ 19.505118]  ? _raw_spin_lock_irq+0xb0/0x160
[ 19.505355]  ? __kasan_check_write+0x14/0x20
[ 19.505587]  ? recalc_sigpending+0x1ac/0x250
[ 19.505825]  ? __set_task_blocked+0xaf/0x220
[ 19.506049]  ? _raw_spin_unlock_irq+0x3a/0xa0
[ 19.506819]  ? sigprocmask+0x10e/0x390
[ 19.507265]  ? __pfx_sigprocmask+0x10/0x10
[ 19.507566]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 19.507940]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 19.508296]  ? __x64_sys_rt_sigprocmask+0x224/0x2f0
[ 19.508618]  ? __pfx___x64_sys_rt_sigprocmask+0x10/0x10
[ 19.508971]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 19.509309]  ? fpregs_assert_state_consistent+0x8b/0xf0
[ 19.509671]  ? syscall_exit_to_user_mode+0x93/0x1f0
[ 19.509998]  ? do_syscall_64+0x87/0x120
[ 19.510274]  ? clear_bhb_loop+0x15/0x70
[ 19.510542]  ? clear_bhb_loop+0x15/0x70
[ 19.510804]  ? clear_bhb_loop+0x15/0x70
[ 19.511060]  ? clear_bhb_loop+0x15/0x70
[ 19.511333]  ? clear_bhb_loop+0x15/0x70
[ 19.511587]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 19.511910] RIP: 0033:0x45729f
[ 19.512129] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
[ 19.513192] RSP: 002b:00007f1715600150 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 19.513611] RAX: ffffffffffffffda RBX: 00007f1715600640 RCX: 000000000045729f
[ 19.514008] RDX: 00007ffec2d9523c RSI: 0000000040384708 RDI: 0000000000000006
[ 19.514401] RBP: 00007f17156001d0 R08: 0000000000000000 R09: 00007ffec2d94e5f
[ 19.514776] R10: 0000000000000008 R11: 0000000000000246 R12: 00007f1715600640
[ 19.515170] R13: 0000000000000016 R14: 000000000041e0c0 R15: 00007f1714e00000
[ 19.515566]  </TASK>
[ 19.515698]
[ 19.515796] Allocated by task 214:
[ 19.515990]  kasan_save_stack+0x28/0x50
[ 19.516207]  kasan_save_track+0x14/0x40
[ 19.516427]  kasan_save_alloc_info+0x38/0x50
[ 19.516672]  __kasan_kmalloc+0xb1/0xc0
[ 19.516890]  kmalloc_trace+0x180/0x3b0
[ 19.517100]  gsm_dlci_alloc+0x50/0x810
[ 19.517321]  gsmld_ioctl+0x1404/0x1740
[ 19.517540]  tty_ioctl+0x7a2/0x1620
[ 19.518068]  __x64_sys_ioctl+0x1b4/0x230
[ 19.518349]  x64_sys_call+0x1206/0x20b0
[ 19.518609]  do_syscall_64+0x7b/0x120
[ 19.518859]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 19.519194]
[ 19.519302] Freed by task 211:
[ 19.519516]  kasan_save_stack+0x28/0x50
[ 19.519789]  kasan_save_track+0x14/0x40
[ 19.520046]  kasan_save_free_info+0x3b/0x60
[ 19.520276]  poison_slab_object+0x10e/0x190
[ 19.520513]  __kasan_slab_free+0x34/0x60
[ 19.520734]  kfree+0xfa/0x2e0
[ 19.520909]  gsm_dlci_free+0x11d/0x170
[ 19.521130]  tty_port_put+0x172/0x1e0
[ 19.521340]  gsm_cleanup_mux+0x33a/0x860
[ 19.521562]  gsmld_ioctl+0x558/0x1740
[ 19.521802]  tty_ioctl+0x7a2/0x1620
[ 19.522007]  __x64_sys_ioctl+0x1b4/0x230
[ 19.522240]  x64_sys_call+0x1206/0x20b0
[ 19.522458]  do_syscall_64+0x7b/0x120
[ 19.522660]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 19.522942]
[ 19.523031] The buggy address belongs to the object at ffff88800be38000
[ 19.523031]  which belongs to the cache kmalloc-1k of size 1024
[ 19.523702] The buggy address is located 12 bytes inside of
[ 19.523702]  freed 1024-byte region [ffff88800be38000, ffff88800be38400)
[ 19.524385]
[ 19.524473] The buggy address belongs to the physical page:
[ 19.524780] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xbe38
[ 19.525221] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 19.525614] flags: 0xfffffe0000840(slab|head|node=0|zone=1|lastcpupid=0x3fffff)
[ 19.526038] page_type: 0xffffffff()
[ 19.526244] raw: 000fffffe0000840 ffff888001042dc0 dead000000000122 0000000000000000
[ 19.526661] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 19.527087] head: 000fffffe0000840 ffff888001042dc0 dead000000000122 0000000000000000
[ 19.527512] head: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 19.527910] head: 000fffffe0000003 ffffea00002f8e01 ffffea00002f8e48 00000000ffffffff
[ 19.528341] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[ 19.528939] page dumped because: kasan: bad access detected
[ 19.529409]
[ 19.529509] Memory state around the buggy address:
[ 19.529840]  ffff88800be37f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 19.530310]  ffff88800be37f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 19.530774] >ffff88800be38000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.531214]                       ^
[ 19.531436]  ffff88800be38080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.531890]  ffff88800be38100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.532324] ==================================================================
[ 19.532796] Disabling lock debugging due to kernel taint
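The "Memory state" rows at the bottom are what KASAN actually consulted before printing the report. What follows is an added example (my own code, not from this page, the exploit it names, or the kernel tree) that decodes those five rows using the generic-mode shadow values from mm/kasan/kasan.h and re-derives the report's verdict: a 4-byte read at ffff88800be3800c hits a 0xfb (freed) granule, 12 bytes past the 0xfa granule that marks the first 8 bytes of the freed kmalloc-1k object. The rows are copied from the report; every function and constant name below is mine.

```c
/*
 * Decode the "Memory state around the buggy address" rows of a generic-mode
 * KASAN report. Added example for this page, not kernel code: shadow values
 * are the ones from mm/kasan/kasan.h, rows are copied from the report above,
 * and all names are this example's own.
 */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KASAN_GRANULE_SIZE   8      /* one shadow byte describes 8 bytes of memory */
#define KASAN_SLAB_FREETRACK 0xFA   /* first granule of a freed slab object */
#define KASAN_SLAB_FREE      0xFB   /* remaining granules of a freed slab object */
#define KASAN_SLAB_REDZONE   0xFC   /* redzone around a live slab object */
#define KASAN_PAGE_REDZONE   0xFE   /* redzone of a kmalloc_large allocation */
#define KASAN_PAGE_FREE      0xFF   /* freed page */
#define META_BYTES_PER_ROW   16     /* each dumped row covers 16 granules = 128 bytes */

struct shadow_row {
	uint64_t base;                       /* first memory address the row describes */
	uint8_t shadow[META_BYTES_PER_ROW];
};

/* The five rows from the report, verbatim. */
static const struct shadow_row report_rows[] = {
	{ 0xffff88800be37f00ULL, { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 } },
	{ 0xffff88800be37f80ULL, { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 } },
	{ 0xffff88800be38000ULL, { 0xfa,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb } },
	{ 0xffff88800be38080ULL, { 0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb } },
	{ 0xffff88800be38100ULL, { 0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb } },
};

/* Shadow byte covering addr, or -1 if addr lies outside the dumped rows. */
static int shadow_byte(uint64_t addr)
{
	size_t i;
	for (i = 0; i < sizeof report_rows / sizeof report_rows[0]; i++) {
		uint64_t base = report_rows[i].base;
		uint64_t span = (uint64_t)META_BYTES_PER_ROW * KASAN_GRANULE_SIZE;
		if (addr >= base && addr < base + span)
			return report_rows[i].shadow[(addr - base) / KASAN_GRANULE_SIZE];
	}
	return -1;
}

/*
 * Re-run KASAN's generic-mode check for an access of size bytes at addr.
 * Returns 0 when every granule touched is accessible, -1 when the address is
 * not covered by the dump, otherwise the shadow value of the first bad
 * granule: 1..7 means the access ran past the valid prefix of a partially
 * used granule (a small out-of-bounds), 0xF8..0xFF is a poison marker.
 */
static int kasan_check_access(uint64_t addr, size_t size)
{
	uint64_t last = addr + size - 1;
	uint64_t g;
	for (g = addr & ~(uint64_t)(KASAN_GRANULE_SIZE - 1); g <= last; g += KASAN_GRANULE_SIZE) {
		int s = shadow_byte(g);
		uint64_t granule_last = g + KASAN_GRANULE_SIZE - 1;
		uint64_t end = (last < granule_last ? last : granule_last) - g;
		if (s < 0)
			return -1;
		if (s == 0)
			continue;                     /* whole granule accessible */
		if (s < KASAN_GRANULE_SIZE && end < (uint64_t)s)
			continue;                     /* stays inside the valid prefix */
		return s;
	}
	return 0;
}

/*
 * Distance from the start of the freed object to addr: walk backwards through
 * FREE granules until the FREETRACK granule KASAN puts at the object's first
 * 8 bytes. Returns -1 if addr is not inside a freed object the dump covers.
 */
static int64_t freed_object_offset(uint64_t addr)
{
	uint64_t g = addr & ~(uint64_t)(KASAN_GRANULE_SIZE - 1);
	for (;;) {
		int s = shadow_byte(g);
		if (s == KASAN_SLAB_FREETRACK)
			return (int64_t)(addr - g);
		if (s != KASAN_SLAB_FREE)
			return -1;
		g -= KASAN_GRANULE_SIZE;
	}
}

static const char *shadow_name(int s)
{
	switch (s) {
	case 0:                    return "accessible";
	case KASAN_SLAB_FREETRACK: return "freed slab object (free-track granule)";
	case KASAN_SLAB_FREE:      return "freed slab object";
	case KASAN_SLAB_REDZONE:   return "slab redzone";
	case KASAN_PAGE_REDZONE:   return "page redzone";
	case KASAN_PAGE_FREE:      return "freed page";
	default:
		return (s > 0 && s < KASAN_GRANULE_SIZE) ? "partial granule (out of bounds)" : "not in dump";
	}
}

int main(void)
{
	/* The faulting access from the report: "Read of size 4 at addr ffff88800be3800c". */
	uint64_t addr = 0xffff88800be3800cULL;
	int verdict = kasan_check_access(addr, 4);
	printf("read of 4 at %" PRIx64 ": shadow 0x%02x (%s), %" PRId64 " bytes into the freed object\n",
	       addr, verdict, shadow_name(verdict), freed_object_offset(addr));
	return 0;
}
```

Compile with any C99 compiler; no kernel headers are needed. The walk-back in freed_object_offset only works because the report happens to dump the row containing the object's first granule; for an access deep inside a large object the dump window can end before the 0xfa granule, and the function then returns -1 rather than guessing.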