[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.155' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 68.872823][ T7225] ==================================================================
[ 68.881310][ T7225] BUG: KASAN: use-after-free in try_to_grab_pending+0x112/0x8e0
[ 68.888973][ T7225] Write of size 8 at addr ffff88809ef32008 by task syz-executor234/7225
[ 68.897298][ T7225]
[ 68.899650][ T7225] CPU: 0 PID: 7225 Comm: syz-executor234 Not tainted 5.6.0-syzkaller #0
[ 68.908673][ T7225] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.918877][ T7225] Call Trace:
[ 68.922185][ T7225] dump_stack+0x188/0x20d
[ 68.926763][ T7225] ? try_to_grab_pending+0x112/0x8e0
[ 68.932156][ T7225] ? try_to_grab_pending+0x112/0x8e0
[ 68.937466][ T7225] print_address_description.constprop.0.cold+0xd3/0x315
[ 68.944508][ T7225] ? try_to_grab_pending+0x112/0x8e0
[ 68.949899][ T7225] ? try_to_grab_pending+0x112/0x8e0
[ 68.955198][ T7225] __kasan_report.cold+0x1a/0x32
[ 68.960266][ T7225] ? firmware_map_remove+0x123/0x19a
[ 68.965569][ T7225] ? try_to_grab_pending+0x112/0x8e0
[ 68.970887][ T7225] kasan_report+0xe/0x20
[ 68.975152][ T7225] check_memory_region+0x128/0x190
[ 68.980381][ T7225] try_to_grab_pending+0x112/0x8e0
[ 68.985521][ T7225] __cancel_work_timer+0xa6/0x500
[ 68.990572][ T7225] ? mod_delayed_work_on+0x1f0/0x1f0
[ 68.995884][ T7225] ? console_unlock+0x7a6/0xf00
[ 69.000767][ T7225] ? lockdep_hardirqs_on+0x417/0x5d0
[ 69.006075][ T7225] ? get_work_pool+0x1a0/0x1a0
[ 69.011409][ T7225] release_tty+0x253/0x450
[ 69.015847][ T7225] tty_release_struct+0x37/0x50
[ 69.020718][ T7225] tty_release+0xbc7/0xe90
[ 69.025173][ T7225] ? do_tty_hangup+0x30/0x30
[ 69.029777][ T7225] __fput+0x2da/0x850
[ 69.033815][ T7225] task_work_run+0x13f/0x1b0
[ 69.038435][ T7225] do_exit+0xb34/0x2dd0
[ 69.042626][ T7225] ? mm_update_next_owner+0x7a0/0x7a0
[ 69.048018][ T7225] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 69.053587][ T7225] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 69.059591][ T7225] ? down_read_non_owner+0x470/0x470
[ 69.065370][ T7225] do_group_exit+0x125/0x340
[ 69.070006][ T7225] __ia32_sys_exit_group+0x3a/0x50
[ 69.075140][ T7225] do_fast_syscall_32+0x270/0xe8f
[ 69.080196][ T7225] entry_SYSENTER_compat+0x70/0x7f
[ 69.085776][ T7225]
[ 69.088115][ T7225] Allocated by task 7225:
[ 69.092471][ T7225] save_stack+0x1b/0x80
[ 69.096811][ T7225] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 69.102471][ T7225] kmem_cache_alloc_trace+0x153/0x7d0
[ 69.107863][ T7225] vc_allocate+0x1e2/0x6e0
[ 69.113783][ T7225] con_install+0x4f/0x400
[ 69.118138][ T7225] tty_init_dev+0xf5/0x460
[ 69.122573][ T7225] tty_open+0x47f/0xb30
[ 69.126768][ T7225] chrdev_open+0x219/0x5c0
[ 69.131920][ T7225] do_dentry_open+0x4a2/0x1250
[ 69.136701][ T7225] path_openat+0x122a/0x32b0
[ 69.141303][ T7225] do_filp_open+0x192/0x260
[ 69.145821][ T7225] do_sys_openat2+0x54c/0x740
[ 69.150514][ T7225] do_sys_open+0xc3/0x140
[ 69.154863][ T7225] do_fast_syscall_32+0x270/0xe8f
[ 69.159946][ T7225] entry_SYSENTER_compat+0x70/0x7f
[ 69.165086][ T7225]
[ 69.167543][ T7225] Freed by task 7235:
[ 69.171549][ T7225] save_stack+0x1b/0x80
[ 69.175722][ T7225] __kasan_slab_free+0xf7/0x140
[ 69.180582][ T7225] kfree+0x109/0x2b0
[ 69.184469][ T7225] vt_disallocate_all+0x293/0x3b0
[ 69.189484][ T7225] vt_ioctl+0xb79/0x2470
[ 69.193737][ T7225] vt_compat_ioctl+0x410/0x710
[ 69.198529][ T7225] tty_compat_ioctl+0x19c/0x410
[ 69.203371][ T7225] __ia32_compat_sys_ioctl+0x23d/0x2b0
[ 69.208857][ T7225] do_fast_syscall_32+0x270/0xe8f
[ 69.213914][ T7225] entry_SYSENTER_compat+0x70/0x7f
[ 69.219043][ T7225]
[ 69.221373][ T7225] The buggy address belongs to the object at ffff88809ef32000
[ 69.221373][ T7225] which belongs to the cache kmalloc-2k of size 2048
[ 69.235640][ T7225] The buggy address is located 8 bytes inside of
[ 69.235640][ T7225] 2048-byte region [ffff88809ef32000, ffff88809ef32800)
[ 69.249953][ T7225] The buggy address belongs to the page:
[ 69.255585][ T7225] page:ffffea00027bcc80 refcount:1 mapcount:0 mapping:ffff8880aa000e00 index:0x0
[ 69.264676][ T7225] flags: 0xfffe0000000200(slab)
[ 69.269625][ T7225] raw: 00fffe0000000200 ffffea0002a17c88 ffffea0002773848 ffff8880aa000e00
[ 69.278321][ T7225] raw: 0000000000000000 ffff88809ef32000 0000000100000001 0000000000000000
[ 69.287104][ T7225] page dumped because: kasan: bad access detected
[ 69.293518][ T7225]
[ 69.295834][ T7225] Memory state around the buggy address:
[ 69.301456][ T7225] ffff88809ef31f00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 69.309509][ T7225] ffff88809ef31f80: 00 01 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 69.317714][ T7225] >ffff88809ef32000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.326001][ T7225] ^
[ 69.330434][ T7225] ffff88809ef32080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.338495][ T7225] ffff88809ef32100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.346642][ T7225] ==================================================================
[ 69.354868][ T7225] Disabling lock debugging due to kernel taint
[ 69.361006][ T7225] Kernel panic - not syncing: panic_on_warn set ...
[ 69.367581][ T7225] CPU: 0 PID: 7225 Comm: syz-executor234 Tainted: G B 5.6.0-syzkaller #0
[ 69.377288][ T7225] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.387334][ T7225] Call Trace:
[ 69.390624][ T7225] dump_stack+0x188/0x20d
[ 69.394954][ T7225] panic+0x2e3/0x75c
[ 69.398845][ T7225] ? add_taint.cold+0x16/0x16
[ 69.403533][ T7225] ? print_shadow_for_address+0xb8/0x114
[ 69.409210][ T7225] ? trace_hardirqs_off+0x50/0x220
[ 69.414315][ T7225] ? try_to_grab_pending+0x112/0x8e0
[ 69.419589][ T7225] end_report+0x43/0x49
[ 69.423906][ T7225] ? try_to_grab_pending+0x112/0x8e0
[ 69.429340][ T7225] __kasan_report.cold+0xd/0x32
[ 69.434205][ T7225] ? firmware_map_remove+0x123/0x19a
[ 69.439498][ T7225] ? try_to_grab_pending+0x112/0x8e0
[ 69.444778][ T7225] kasan_report+0xe/0x20
[ 69.449009][ T7225] check_memory_region+0x128/0x190
[ 69.454124][ T7225] try_to_grab_pending+0x112/0x8e0
[ 69.459244][ T7225] __cancel_work_timer+0xa6/0x500
[ 69.464272][ T7225] ? mod_delayed_work_on+0x1f0/0x1f0
[ 69.469564][ T7225] ? console_unlock+0x7a6/0xf00
[ 69.474402][ T7225] ? lockdep_hardirqs_on+0x417/0x5d0
[ 69.479788][ T7225] ? get_work_pool+0x1a0/0x1a0
[ 69.484759][ T7225] release_tty+0x253/0x450
[ 69.490710][ T7225] tty_release_struct+0x37/0x50
[ 69.495683][ T7225] tty_release+0xbc7/0xe90
[ 69.500228][ T7225] ? do_tty_hangup+0x30/0x30
[ 69.504808][ T7225] __fput+0x2da/0x850
[ 69.508808][ T7225] task_work_run+0x13f/0x1b0
[ 69.513391][ T7225] do_exit+0xb34/0x2dd0
[ 69.517832][ T7225] ? mm_update_next_owner+0x7a0/0x7a0
[ 69.523481][ T7225] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 69.529234][ T7225] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 69.535320][ T7225] ? down_read_non_owner+0x470/0x470
[ 69.540633][ T7225] do_group_exit+0x125/0x340
[ 69.545231][ T7225] __ia32_sys_exit_group+0x3a/0x50
[ 69.550333][ T7225] do_fast_syscall_32+0x270/0xe8f
[ 69.555348][ T7225] entry_SYSENTER_compat+0x70/0x7f
[ 69.561878][ T7225] Kernel Offset: disabled
[ 69.566220][ T7225] Rebooting in 86400 seconds..