[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 66.065447][ T27] audit: type=1800 audit(1576162362.511:25): pid=9065 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 66.085593][ T27] audit: type=1800 audit(1576162362.521:26): pid=9065 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 66.115217][ T27] audit: type=1800 audit(1576162362.521:27): pid=9065 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.1.45' (ECDSA) to the list of known hosts. executing program executing program executing program executing program executing program executing program executing program syzkaller login: [ 76.517848][ T9224] ================================================================== [ 76.527242][ T9224] BUG: KASAN: use-after-free in try_to_grab_pending+0x115/0x910 [ 76.536475][ T9224] Write of size 8 at addr ffff88808f5dc008 by task syz-executor535/9224 [ 76.545297][ T9224] [ 76.548334][ T9224] CPU: 1 PID: 9224 Comm: syz-executor535 Not tainted 5.5.0-rc1-syzkaller #0 [ 76.558462][ T9224] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 76.558475][ T9224] Call Trace: [ 76.558508][ T9224] dump_stack+0x197/0x210 [ 76.558527][ T9224] ? try_to_grab_pending+0x115/0x910 [ 76.558549][ T9224] print_address_description.constprop.0.cold+0xd4/0x30b [ 76.558562][ T9224] ? try_to_grab_pending+0x115/0x910 [ 76.558575][ T9224] ? try_to_grab_pending+0x115/0x910 [ 76.558590][ T9224] __kasan_report.cold+0x1b/0x41 [ 76.558606][ T9224] ? try_to_grab_pending+0x115/0x910 [ 76.558623][ T9224] kasan_report+0x12/0x20 [ 76.558638][ T9224] check_memory_region+0x134/0x1a0 [ 76.558653][ T9224] __kasan_check_write+0x14/0x20 [ 76.558666][ T9224] try_to_grab_pending+0x115/0x910 [ 76.558679][ T9224] ? __kasan_check_read+0x11/0x20 [ 76.558696][ T9224] __cancel_work_timer+0xc4/0x540 [ 76.558713][ T9224] ? mod_delayed_work_on+0x200/0x200 [ 76.558731][ T9224] ? get_work_pool+0x1b0/0x1b0 [ 76.558756][ T9224] cancel_work_sync+0x18/0x20 [ 76.558774][ T9224] tty_buffer_cancel_work+0x16/0x20 [ 76.558788][ T9224] release_tty+0x261/0x470 [ 76.558802][ T9224] tty_release_struct+0x3c/0x50 [ 76.558814][ T9224] tty_release+0xbcb/0xe90 [ 76.558836][ T9224] __fput+0x2ff/0x890 [ 76.558849][ T9224] ? do_tty_hangup+0x30/0x30 [ 76.558862][ T9224] ____fput+0x16/0x20 [ 76.558876][ T9224] task_work_run+0x145/0x1c0 [ 76.558895][ T9224] do_exit+0x8e7/0x2ef0 [ 76.558916][ T9224] ? mm_update_next_owner+0x7c0/0x7c0 [ 76.558935][ T9224] ? down_read_non_owner+0x490/0x490 [ 76.558953][ T9224] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 76.558970][ T9224] ? handle_mm_fault+0x4ab/0xa50 [ 76.558990][ T9224] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 76.559006][ T9224] do_group_exit+0x135/0x360 [ 76.559026][ T9224] __ia32_sys_exit_group+0x44/0x50 [ 76.559041][ T9224] do_fast_syscall_32+0x27b/0xe16 [ 76.559063][ T9224] entry_SYSENTER_compat+0x70/0x7f [ 76.559076][ T9224] RIP: 0023:0xf7f2fa39 [ 76.559092][ T9224] Code: 00 00 00 89 d3 5b 5e 5f 5d c3 b8 80 96 98 00 eb c4 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 [ 76.559099][ T9224] RSP: 002b:00000000ffb692bc EFLAGS: 00000296 ORIG_RAX: 00000000000000fc [ 76.559111][ T9224] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080ed298 [ 76.559117][ T9224] RDX: 0000000000000000 RSI: 00000000080d6fdc RDI: 00000000080ed2a0 [ 76.559123][ T9224] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 76.559166][ T9224] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 76.559174][ T9224] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 76.559189][ T9224] [ 76.559197][ T9224] Allocated by task 9224: [ 76.559210][ T9224] save_stack+0x23/0x90 [ 76.559220][ T9224] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 76.559230][ T9224] kasan_kmalloc+0x9/0x10 [ 76.559239][ T9224] kmem_cache_alloc_trace+0x158/0x790 [ 76.559252][ T9224] vc_allocate+0x1fc/0x760 [ 76.559262][ T9224] con_install+0x52/0x410 [ 76.559272][ T9224] tty_init_dev+0xf9/0x470 [ 76.559282][ T9224] tty_open+0x4a5/0xbb0 [ 76.559292][ T9224] chrdev_open+0x245/0x6b0 [ 76.559306][ T9224] do_dentry_open+0x4e6/0x1380 [ 76.559317][ T9224] vfs_open+0xa0/0xd0 [ 76.559332][ T9224] path_openat+0x10df/0x4500 [ 76.559344][ T9224] do_filp_open+0x1a1/0x280 [ 76.559353][ T9224] do_sys_open+0x3fe/0x5d0 [ 76.559362][ T9224] __ia32_compat_sys_open+0x79/0xb0 [ 76.559374][ T9224] do_fast_syscall_32+0x27b/0xe16 [ 76.559387][ T9224] entry_SYSENTER_compat+0x70/0x7f [ 76.559391][ T9224] [ 76.559397][ T9224] Freed by task 9227: [ 76.559407][ T9224] save_stack+0x23/0x90 [ 76.559418][ T9224] __kasan_slab_free+0x102/0x150 [ 76.559429][ T9224] kasan_slab_free+0xe/0x10 [ 76.559439][ T9224] kfree+0x10a/0x2c0 [ 76.559454][ T9224] vt_disallocate_all+0x2bd/0x3e0 [ 76.559466][ T9224] vt_ioctl+0xc38/0x26d0 [ 76.559479][ T9224] vt_compat_ioctl+0x457/0x7a0 [ 76.559497][ T9224] tty_compat_ioctl+0x1b0/0x420 [ 76.559513][ T9224] __ia32_compat_sys_ioctl+0x233/0x610 [ 76.559526][ T9224] do_fast_syscall_32+0x27b/0xe16 [ 76.559538][ T9224] entry_SYSENTER_compat+0x70/0x7f [ 76.559541][ T9224] [ 76.559551][ T9224] The buggy address belongs to the object at ffff88808f5dc000 [ 76.559551][ T9224] which belongs to the cache kmalloc-2k of size 2048 [ 76.559563][ T9224] The buggy address is located 8 bytes inside of [ 76.559563][ T9224] 2048-byte region [ffff88808f5dc000, ffff88808f5dc800) [ 76.559568][ T9224] The buggy address belongs to the page: [ 76.559583][ T9224] page:ffffea00023d7700 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 [ 76.559600][ T9224] raw: 00fffe0000000200 ffffea0002a36cc8 ffffea00025cd748 ffff8880aa400e00 [ 76.559614][ T9224] raw: 0000000000000000 ffff88808f5dc000 0000000100000001 0000000000000000 [ 76.559620][ T9224] page dumped because: kasan: bad access detected [ 76.559623][ T9224] [ 76.559627][ T9224] Memory state around the buggy address: [ 76.559636][ T9224] ffff88808f5dbf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 76.559647][ T9224] ffff88808f5dbf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 76.559657][ T9224] >ffff88808f5dc000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.559663][ T9224] ^ [ 76.559673][ T9224] ffff88808f5dc080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.559683][ T9224] ffff88808f5dc100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.559688][ T9224] ================================================================== [ 76.559693][ T9224] Disabling lock debugging due to kernel taint [ 76.559701][ T9224] Kernel panic - not syncing: panic_on_warn set ... [ 76.559717][ T9224] CPU: 1 PID: 9224 Comm: syz-executor535 Tainted: G B 5.5.0-rc1-syzkaller #0 [ 76.559724][ T9224] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 76.559727][ T9224] Call Trace: [ 76.559743][ T9224] dump_stack+0x197/0x210 [ 76.559757][ T9224] panic+0x2e3/0x75c [ 76.559769][ T9224] ? add_taint.cold+0x16/0x16 [ 76.559791][ T9224] ? ___preempt_schedule+0x16/0x18 [ 76.559808][ T9224] ? trace_hardirqs_off+0x59/0x240 [ 76.559823][ T9224] ? try_to_grab_pending+0x115/0x910 [ 76.559835][ T9224] end_report+0x47/0x4f [ 76.559847][ T9224] ? try_to_grab_pending+0x115/0x910 [ 76.559858][ T9224] __kasan_report.cold+0xe/0x41 [ 76.559872][ T9224] ? try_to_grab_pending+0x115/0x910 [ 76.559884][ T9224] kasan_report+0x12/0x20 [ 76.559895][ T9224] check_memory_region+0x134/0x1a0 [ 76.559904][ T9224] __kasan_check_write+0x14/0x20 [ 76.559914][ T9224] try_to_grab_pending+0x115/0x910 [ 76.559923][ T9224] ? __kasan_check_read+0x11/0x20 [ 76.559934][ T9224] __cancel_work_timer+0xc4/0x540 [ 76.559945][ T9224] ? mod_delayed_work_on+0x200/0x200 [ 76.559957][ T9224] ? get_work_pool+0x1b0/0x1b0 [ 76.559972][ T9224] cancel_work_sync+0x18/0x20 [ 76.559983][ T9224] tty_buffer_cancel_work+0x16/0x20 [ 76.559992][ T9224] release_tty+0x261/0x470 [ 76.560004][ T9224] tty_release_struct+0x3c/0x50 [ 76.560013][ T9224] tty_release+0xbcb/0xe90 [ 76.560028][ T9224] __fput+0x2ff/0x890 [ 76.560042][ T9224] ? do_tty_hangup+0x30/0x30 [ 76.560054][ T9224] ____fput+0x16/0x20 [ 76.560067][ T9224] task_work_run+0x145/0x1c0 [ 76.560082][ T9224] do_exit+0x8e7/0x2ef0 [ 76.560100][ T9224] ? mm_update_next_owner+0x7c0/0x7c0 [ 76.560116][ T9224] ? down_read_non_owner+0x490/0x490 [ 76.560130][ T9224] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 76.560141][ T9224] ? handle_mm_fault+0x4ab/0xa50 [ 76.560154][ T9224] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 76.560168][ T9224] do_group_exit+0x135/0x360 [ 76.560183][ T9224] __ia32_sys_exit_group+0x44/0x50 [ 76.560195][ T9224] do_fast_syscall_32+0x27b/0xe16 [ 76.560209][ T9224] entry_SYSENTER_compat+0x70/0x7f [ 76.560218][ T9224] RIP: 0023:0xf7f2fa39 [ 76.560231][ T9224] Code: 00 00 00 89 d3 5b 5e 5f 5d c3 b8 80 96 98 00 eb c4 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 [ 76.560238][ T9224] RSP: 002b:00000000ffb692bc EFLAGS: 00000296 ORIG_RAX: 00000000000000fc [ 76.560249][ T9224] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080ed298 [ 76.560257][ T9224] RDX: 0000000000000000 RSI: 00000000080d6fdc RDI: 00000000080ed2a0 [ 76.560264][ T9224] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 76.560271][ T9224] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 76.560277][ T9224] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 76.562141][ T9224] Kernel Offset: disabled [ 77.507518][ T9224] Rebooting in 86400 seconds..