Warning: Permanently added '10.128.10.8' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
gin:
[ 80.311433][ T9859] ==================================================================
[ 80.311490][ T9859] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[ 80.311501][ T9859] Write of size 8 at addr ffff8880944a6108 by task syz-executor836/9859
[ 80.311504][ T9859]
[ 80.311519][ T9859] CPU: 1 PID: 9859 Comm: syz-executor836 Not tainted 5.6.0-rc5-syzkaller #0
[ 80.311526][ T9859] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 80.311531][ T9859] Call Trace:
[ 80.311549][ T9859]  dump_stack+0x188/0x20d
[ 80.311562][ T9859]  ? con_shutdown+0x7f/0x90
[ 80.311575][ T9859]  ? con_shutdown+0x7f/0x90
[ 80.311604][ T9859]  print_address_description.constprop.0.cold+0xd3/0x315
[ 80.311615][ T9859]  ? con_shutdown+0x7f/0x90
[ 80.311629][ T9859]  ? con_shutdown+0x7f/0x90
[ 80.311641][ T9859]  __kasan_report.cold+0x1a/0x32
[ 80.311660][ T9859]  ? con_shutdown+0x7f/0x90
[ 80.311678][ T9859]  kasan_report+0xe/0x20
[ 80.311690][ T9859]  con_shutdown+0x7f/0x90
[ 80.311701][ T9859]  ? update_region+0x140/0x140
[ 80.311713][ T9859]  release_tty+0xca/0x450
[ 80.311730][ T9859]  tty_release_struct+0x37/0x50
[ 80.311744][ T9859]  tty_release+0xbc7/0xe90
[ 80.311772][ T9859]  ? do_tty_hangup+0x30/0x30
[ 80.311784][ T9859]  __fput+0x2da/0x850
[ 80.311814][ T9859]  task_work_run+0x13f/0x1b0
[ 80.311841][ T9859]  do_exit+0xb34/0x2dd0
[ 80.311893][ T9859]  ? mm_update_next_owner+0x7a0/0x7a0
[ 80.311908][ T9859]  ? up_read+0x1ab/0x750
[ 80.311923][ T9859]  ? mark_held_locks+0x9f/0xe0
[ 80.311939][ T9859]  ? down_read_non_owner+0x470/0x470
[ 80.311961][ T9859]  ? handle_mm_fault+0x491/0xa10
[ 80.311982][ T9859]  do_group_exit+0x125/0x340
[ 80.312001][ T9859]  __x64_sys_exit_group+0x3a/0x50
[ 80.312016][ T9859]  do_syscall_64+0xf6/0x7d0
[ 80.312036][ T9859]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 80.312047][ T9859] RIP: 0033:0x43ff58
[ 80.312060][ T9859] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[ 80.312067][ T9859] RSP: 002b:00007ffd0003ea88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 80.312079][ T9859] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff58
[ 80.312086][ T9859] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 80.312094][ T9859] RBP: 00000000004bf970 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 80.312100][ T9859] R10: 000000000000000e R11: 0000000000000246 R12: 0000000000000001
[ 80.312107][ T9859] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 80.312137][ T9859]
[ 80.312144][ T9859] Allocated by task 9859:
[ 80.312163][ T9859]  save_stack+0x1b/0x80
[ 80.312175][ T9859]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 80.312187][ T9859]  kmem_cache_alloc_trace+0x153/0x7d0
[ 80.312197][ T9859]  vc_allocate+0x1e2/0x6e0
[ 80.312207][ T9859]  con_install+0x4f/0x400
[ 80.312217][ T9859]  tty_init_dev+0xf5/0x460
[ 80.312227][ T9859]  tty_open+0x47f/0xb30
[ 80.312237][ T9859]  chrdev_open+0x219/0x5c0
[ 80.312249][ T9859]  do_dentry_open+0x4a2/0x1250
[ 80.312259][ T9859]  path_openat+0x122a/0x32b0
[ 80.312270][ T9859]  do_filp_open+0x192/0x260
[ 80.312281][ T9859]  do_sys_openat2+0x54c/0x740
[ 80.312291][ T9859]  do_sys_open+0xc3/0x140
[ 80.312303][ T9859]  do_syscall_64+0xf6/0x7d0
[ 80.312315][ T9859]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 80.312319][ T9859]
[ 80.312325][ T9859] Freed by task 9852:
[ 80.312336][ T9859]  save_stack+0x1b/0x80
[ 80.312346][ T9859]  __kasan_slab_free+0xf7/0x140
[ 80.312356][ T9859]  kfree+0x109/0x2b0
[ 80.312376][ T9859]  vt_disallocate_all+0x293/0x3b0
[ 80.312386][ T9859]  vt_ioctl+0xb79/0x2470
[ 80.312396][ T9859]  tty_ioctl+0xedd/0x1440
[ 80.312408][ T9859]  ksys_ioctl+0x11a/0x180
[ 80.312420][ T9859]  __x64_sys_ioctl+0x6f/0xb0
[ 80.312431][ T9859]  do_syscall_64+0xf6/0x7d0
[ 80.312442][ T9859]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 80.312445][ T9859]
[ 80.312455][ T9859] The buggy address belongs to the object at ffff8880944a6000
[ 80.312455][ T9859]  which belongs to the cache kmalloc-2k of size 2048
[ 80.312466][ T9859] The buggy address is located 264 bytes inside of
[ 80.312466][ T9859]  2048-byte region [ffff8880944a6000, ffff8880944a6800)
[ 80.312470][ T9859] The buggy address belongs to the page:
[ 80.312483][ T9859] page:ffffea0002512980 refcount:1 mapcount:0 mapping:ffff8880aa000e00 index:0x0
[ 80.312492][ T9859] flags: 0xfffe0000000200(slab)
[ 80.312509][ T9859] raw: 00fffe0000000200 ffffea0002502888 ffffea00025134c8 ffff8880aa000e00
[ 80.312524][ T9859] raw: 0000000000000000 ffff8880944a6000 0000000100000001 0000000000000000
[ 80.312529][ T9859] page dumped because: kasan: bad access detected
[ 80.312533][ T9859]
[ 80.312537][ T9859] Memory state around the buggy address:
[ 80.312547][ T9859]  ffff8880944a6000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.312557][ T9859]  ffff8880944a6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.312567][ T9859] >ffff8880944a6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.312572][ T9859]                    ^
[ 80.312582][ T9859]  ffff8880944a6180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.312598][ T9859]  ffff8880944a6200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.312604][ T9859] ==================================================================
[ 80.312608][ T9859] Disabling lock debugging due to kernel taint
[ 80.312667][ T9859] Kernel panic - not syncing: panic_on_warn set ...
[ 80.312681][ T9859] CPU: 1 PID: 9859 Comm: syz-executor836 Tainted: G B 5.6.0-rc5-syzkaller #0
[ 80.312687][ T9859] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 80.312691][ T9859] Call Trace:
[ 80.312705][ T9859]  dump_stack+0x188/0x20d
[ 80.312720][ T9859]  panic+0x2e3/0x75c
[ 80.312732][ T9859]  ? add_taint.cold+0x16/0x16
[ 80.312748][ T9859]  ? preempt_schedule_common+0x5e/0xc0
[ 80.312760][ T9859]  ? con_shutdown+0x7f/0x90
[ 80.312773][ T9859]  ? ___preempt_schedule+0x16/0x18
[ 80.312786][ T9859]  ? trace_hardirqs_on+0x55/0x220
[ 80.312800][ T9859]  ? con_shutdown+0x7f/0x90
[ 80.312812][ T9859]  end_report+0x43/0x49
[ 80.312822][ T9859]  ? con_shutdown+0x7f/0x90
[ 80.312833][ T9859]  __kasan_report.cold+0xd/0x32
[ 80.312847][ T9859]  ? con_shutdown+0x7f/0x90
[ 80.312860][ T9859]  kasan_report+0xe/0x20
[ 80.312870][ T9859]  con_shutdown+0x7f/0x90
[ 80.312881][ T9859]  ? update_region+0x140/0x140
[ 80.312890][ T9859]  release_tty+0xca/0x450
[ 80.312904][ T9859]  tty_release_struct+0x37/0x50
[ 80.312916][ T9859]  tty_release+0xbc7/0xe90
[ 80.312934][ T9859]  ? do_tty_hangup+0x30/0x30
[ 80.312943][ T9859]  __fput+0x2da/0x850
[ 80.312962][ T9859]  task_work_run+0x13f/0x1b0
[ 80.312980][ T9859]  do_exit+0xb34/0x2dd0
[ 80.313001][ T9859]  ? mm_update_next_owner+0x7a0/0x7a0
[ 80.313013][ T9859]  ? up_read+0x1ab/0x750
[ 80.313024][ T9859]  ? mark_held_locks+0x9f/0xe0
[ 80.313036][ T9859]  ? down_read_non_owner+0x470/0x470
[ 80.313052][ T9859]  ? handle_mm_fault+0x491/0xa10
[ 80.313066][ T9859]  do_group_exit+0x125/0x340
[ 80.313080][ T9859]  __x64_sys_exit_group+0x3a/0x50
[ 80.313092][ T9859]  do_syscall_64+0xf6/0x7d0
[ 80.313107][ T9859]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 80.313116][ T9859] RIP: 0033:0x43ff58
[ 80.313126][ T9859] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[ 80.313133][ T9859] RSP: 002b:00007ffd0003ea88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 80.313143][ T9859] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff58
[ 80.313149][ T9859] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 80.313155][ T9859] RBP: 00000000004bf970 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 80.313161][ T9859] R10: 000000000000000e R11: 0000000000000246 R12: 0000000000000001
[ 80.313167][ T9859] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 80.314172][ T9859] Kernel Offset: disabled
[ 81.077768][ T9859] Rebooting in 86400 seconds..
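The report above records an 8-byte write in con_shutdown(), reached from tty_release() during process exit in task 9859, into an object that vc_allocate() had allocated for that same task and that vt_disallocate_all() had already freed from a different task (9852). The facts a responder pulls out of any KASAN report are the bug class, the faulting function, the access kind and size, the offset of the access inside the object, and which tasks allocated, freed and touched it; a freeing task that differs from the accessing task is the signature of a lifetime race rather than a simple stale pointer. The following is an added triage parser and is not part of the syzkaller report or of the kernel; the sample lines it parses are quoted from the report above, and the struct and function names (kasan_report, parse_kasan_report, kasan_offset, kasan_verdict, sample_report) are this example's own.

```c
/* Added example: minimal KASAN report triage parser (not kernel code,
 * not part of the syzkaller report). Names are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct kasan_report {
    char bug[32];            /* bug class, e.g. "use-after-free" */
    char func[64];           /* function performing the bad access */
    char access[8];          /* "Read" or "Write" */
    unsigned size;           /* access size in bytes */
    unsigned long long addr; /* faulting address */
    int pid;                 /* task that performed the access */
    int alloc_pid;           /* task that allocated the object */
    int free_pid;            /* task that freed the object */
    unsigned long long obj;  /* object base address */
    unsigned obj_size;       /* slab object size */
    int cross_task;          /* object freed by a task other than the accessor */
};

/* Skip the "[ time][ Tpid] " prefix printk puts on every line. */
static const char *strip_prefix(const char *line)
{
    const char *p = line;
    while (*p == '[') {
        const char *close = strchr(p, ']');
        if (!close)
            return line;
        p = close + 1;
        while (*p == ' ')
            p++;
    }
    return p;
}

/* Returns 0 when a "BUG: KASAN:" header was found, -1 otherwise. */
int parse_kasan_report(const char *text, struct kasan_report *r)
{
    char line[512], acc[8];
    unsigned sz;
    unsigned long long a;
    int pid, found = 0;

    memset(r, 0, sizeof(*r));
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t full = nl ? (size_t)(nl - text) : strlen(text);
        size_t len = full < sizeof(line) - 1 ? full : sizeof(line) - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        text = nl ? nl + 1 : text + full;

        const char *p = strip_prefix(line);
        if (sscanf(p, "BUG: KASAN: %31s in %63[^+ ]", r->bug, r->func) == 2) {
            found = 1;
        } else if (sscanf(p, "%7[A-Za-z] of size %u at addr %llx by task %*[^/]/%d",
                          acc, &sz, &a, &pid) == 4) {
            /* Commit only on a full match; a partial match must not clobber. */
            strcpy(r->access, acc);
            r->size = sz;
            r->addr = a;
            r->pid = pid;
        } else if (sscanf(p, "Allocated by task %d", &pid) == 1) {
            r->alloc_pid = pid;
        } else if (sscanf(p, "Freed by task %d", &pid) == 1) {
            r->free_pid = pid;
        } else if (sscanf(p, "The buggy address belongs to the object at %llx", &a) == 1) {
            r->obj = a;
        } else {
            sscanf(p, "which belongs to the cache %*s of size %u", &r->obj_size);
        }
    }
    if (!found)
        return -1;
    r->cross_task = r->free_pid != 0 && r->free_pid != r->pid;
    return 0;
}

/* Byte offset of the bad access inside the (freed) object. */
long long kasan_offset(const struct kasan_report *r)
{
    return (long long)(r->addr - r->obj);
}

/* One-line triage verdict. */
const char *kasan_verdict(const struct kasan_report *r)
{
    if (strcmp(r->bug, "use-after-free") != 0)
        return r->bug;
    return r->cross_task
        ? "use-after-free: object freed by another task (lifetime race)"
        : "use-after-free: stale pointer used by the same task";
}

/* Key lines quoted from the report on this page. */
static const char SAMPLE_REPORT[] =
    "[ 80.311490][ T9859] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90\n"
    "[ 80.311501][ T9859] Write of size 8 at addr ffff8880944a6108 by task syz-executor836/9859\n"
    "[ 80.312144][ T9859] Allocated by task 9859:\n"
    "[ 80.312325][ T9859] Freed by task 9852:\n"
    "[ 80.312455][ T9859] The buggy address belongs to the object at ffff8880944a6000\n"
    "[ 80.312455][ T9859]  which belongs to the cache kmalloc-2k of size 2048\n";

/* Parse the embedded sample once; NULL if no KASAN header was found. */
const struct kasan_report *sample_report(void)
{
    static struct kasan_report r;
    static int state; /* 0 = not parsed yet, 1 = ok, -1 = failed */
    if (state == 0)
        state = parse_kasan_report(SAMPLE_REPORT, &r) == 0 ? 1 : -1;
    return state == 1 ? &r : NULL;
}

int main(void)
{
    const struct kasan_report *r = sample_report();
    if (!r)
        return 1;
    printf("%s in %s(): %s of %u bytes at +%lld into a %u-byte object\n",
           r->bug, r->func, r->access, r->size, kasan_offset(r), r->obj_size);
    printf("access pid %d, alloc pid %d, free pid %d -> %s\n",
           r->pid, r->alloc_pid, r->free_pid, kasan_verdict(r));
    return 0;
}
```

For this report the parser yields a Write of 8 bytes at offset 264 into a 2048-byte kmalloc-2k object, allocated and accessed by PID 9859 but freed by PID 9852, which is the cross-task pattern; the freeing stack (vt_ioctl -> vt_disallocate_all -> kfree) and the accessing stack (exit -> tty_release -> con_shutdown) then tell you which two code paths to read together.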