Warning: Permanently added '10.128.0.94' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 52.342937] kauditd_printk_skb: 5 callbacks suppressed
[ 52.342954] audit: type=1400 audit(1580699712.900:36): avc: denied { map } for pid=8259 comm="syz-executor099" path="/root/syz-executor099743251" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 52.415395] ==================================================================
[ 52.415433] BUG: KASAN: use-after-free in con_shutdown+0x85/0x90
[ 52.415445] Write of size 8 at addr ffff8880a880cf08 by task syz-executor099/8266
[ 52.415449]
[ 52.415463] CPU: 0 PID: 8266 Comm: syz-executor099 Not tainted 4.19.101-syzkaller #0
[ 52.415472] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.415476] Call Trace:
[ 52.415496]  dump_stack+0x197/0x210
[ 52.415515]  ? con_shutdown+0x85/0x90
[ 52.415533]  print_address_description.cold+0x7c/0x20d
[ 52.415550]  ? con_shutdown+0x85/0x90
[ 52.415566]  kasan_report.cold+0x8c/0x2ba
[ 52.415582]  ? set_palette+0x1c0/0x1c0
[ 52.415600]  __asan_report_store8_noabort+0x17/0x20
[ 52.415614]  con_shutdown+0x85/0x90
[ 52.415628]  release_tty+0xe4/0x4d0
[ 52.415645]  tty_release_struct+0x3c/0x50
[ 52.415660]  tty_release+0xbcb/0xe90
[ 52.415691]  ? tty_release_struct+0x50/0x50
[ 52.415707]  __fput+0x2dd/0x8b0
[ 52.415730]  ____fput+0x16/0x20
[ 52.415745]  task_work_run+0x145/0x1c0
[ 52.415766]  do_exit+0xc1f/0x30d0
[ 52.415792]  ? mm_update_next_owner+0x660/0x660
[ 52.415808]  ? up_read+0x1a/0x110
[ 52.415823]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 52.415838]  ? __do_page_fault+0x484/0xe90
[ 52.415860]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 52.415876]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 52.415893]  do_group_exit+0x135/0x370
[ 52.415913]  __x64_sys_exit_group+0x44/0x50
[ 52.415930]  do_syscall_64+0xfd/0x620
[ 52.415950]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.415962] RIP: 0033:0x43ff78
[ 52.415977] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[ 52.415984] RSP: 002b:00007ffd1a631718 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 52.415998] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff78
[ 52.416005] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 52.416013] RBP: 00000000004bf990 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 52.416021] R10: 000000000000000e R11: 0000000000000246 R12: 0000000000000001
[ 52.416029] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 52.416052]
[ 52.416058] Allocated by task 8266:
[ 52.416071]  save_stack+0x45/0xd0
[ 52.416082]  kasan_kmalloc+0xce/0xf0
[ 52.416093]  kmem_cache_alloc_trace+0x152/0x760
[ 52.416105]  vc_allocate+0x1f5/0x760
[ 52.416118]  con_install+0x52/0x410
[ 52.416130]  tty_init_dev+0xf7/0x460
[ 52.416142]  tty_open+0x4bf/0xb70
[ 52.416153]  chrdev_open+0x245/0x6b0
[ 52.416164]  do_dentry_open+0x4c3/0x1210
[ 52.416175]  vfs_open+0xa0/0xd0
[ 52.416189]  path_openat+0x1108/0x4500
[ 52.416203]  do_filp_open+0x1a1/0x280
[ 52.416214]  do_sys_open+0x3fe/0x550
[ 52.416226]  __x64_sys_open+0x7e/0xc0
[ 52.416242]  do_syscall_64+0xfd/0x620
[ 52.416257]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.416260]
[ 52.416275] Freed by task 8267:
[ 52.416287]  save_stack+0x45/0xd0
[ 52.416300]  __kasan_slab_free+0x102/0x150
[ 52.416313]  kasan_slab_free+0xe/0x10
[ 52.416324]  kfree+0xcf/0x220
[ 52.416339]  vt_disallocate_all+0x2bd/0x3e0
[ 52.416352]  vt_ioctl+0xc38/0x2530
[ 52.416362]  tty_ioctl+0x7f3/0x1510
[ 52.416378]  do_vfs_ioctl+0xd5f/0x1380
[ 52.416390]  ksys_ioctl+0xab/0xd0
[ 52.416402]  __x64_sys_ioctl+0x73/0xb0
[ 52.416415]  do_syscall_64+0xfd/0x620
[ 52.416428]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.416432]
[ 52.416441] The buggy address belongs to the object at ffff8880a880ce00
[ 52.416441]  which belongs to the cache kmalloc-2048 of size 2048
[ 52.416453] The buggy address is located 264 bytes inside of
[ 52.416453]  2048-byte region [ffff8880a880ce00, ffff8880a880d600)
[ 52.416457] The buggy address belongs to the page:
[ 52.416469] page:ffffea0002a20300 count:1 mapcount:0 mapping:ffff88812c31cc40 index:0x0 compound_mapcount: 0
[ 52.416482] flags: 0xfffe0000008100(slab|head)
[ 52.416498] raw: 00fffe0000008100 ffffea0002a17e88 ffffea0002a21a08 ffff88812c31cc40
[ 52.416511] raw: 0000000000000000 ffff8880a880c580 0000000100000003 0000000000000000
[ 52.416515] page dumped because: kasan: bad access detected
[ 52.416518]
[ 52.416521] Memory state around the buggy address:
[ 52.416530]  ffff8880a880ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.416538]  ffff8880a880ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.416546] >ffff8880a880cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.416550]                                            ^
[ 52.416564]  ffff8880a880cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.416572]  ffff8880a880d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.416576] ==================================================================
[ 52.416579] Disabling lock debugging due to kernel taint
[ 52.416781] Kernel panic - not syncing: panic_on_warn set ...
[ 52.416781]
[ 52.416795] CPU: 0 PID: 8266 Comm: syz-executor099 Tainted: G B 4.19.101-syzkaller #0
[ 52.416801] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.416804] Call Trace:
[ 52.416819]  dump_stack+0x197/0x210
[ 52.416833]  ? con_shutdown+0x85/0x90
[ 52.416846]  panic+0x26a/0x50e
[ 52.416858]  ? __warn_printk+0xf3/0xf3
[ 52.416867]  ? con_shutdown+0x85/0x90
[ 52.416882]  ? trace_hardirqs_on+0x5e/0x220
[ 52.416891]  ? trace_hardirqs_on+0x5e/0x220
[ 52.416903]  ? con_shutdown+0x85/0x90
[ 52.416914]  kasan_end_report+0x47/0x4f
[ 52.416926]  kasan_report.cold+0xa9/0x2ba
[ 52.416936]  ? set_palette+0x1c0/0x1c0
[ 52.416949]  __asan_report_store8_noabort+0x17/0x20
[ 52.416959]  con_shutdown+0x85/0x90
[ 52.416970]  release_tty+0xe4/0x4d0
[ 52.416981]  tty_release_struct+0x3c/0x50
[ 52.416991]  tty_release+0xbcb/0xe90
[ 52.417004]  ? tty_release_struct+0x50/0x50
[ 52.417015]  __fput+0x2dd/0x8b0
[ 52.417028]  ____fput+0x16/0x20
[ 52.417038]  task_work_run+0x145/0x1c0
[ 52.417050]  do_exit+0xc1f/0x30d0
[ 52.417064]  ? mm_update_next_owner+0x660/0x660
[ 52.417075]  ? up_read+0x1a/0x110
[ 52.417086]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 52.417096]  ? __do_page_fault+0x484/0xe90
[ 52.417110]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 52.417122]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 52.417133]  do_group_exit+0x135/0x370
[ 52.417144]  __x64_sys_exit_group+0x44/0x50
[ 52.417156]  do_syscall_64+0xfd/0x620
[ 52.417169]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.417176] RIP: 0033:0x43ff78
[ 52.417187] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[ 52.417193] RSP: 002b:00007ffd1a631718 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 52.417202] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff78
[ 52.417208] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 52.417215] RBP: 00000000004bf990 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 52.417221] R10: 000000000000000e R11: 0000000000000246 R12: 0000000000000001
[ 52.417226] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 52.418914] Kernel Offset: disabled
[ 53.109913] Rebooting in 86400 seconds..