[ 54.085482] audit: type=1800 audit(1583290181.267:29): pid=8193 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2447 res=0
[ 54.129684] audit: type=1800 audit(1583290181.267:30): pid=8193 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
Starting mcstransd:
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.38' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 63.977925] kauditd_printk_skb: 5 callbacks suppressed
[ 63.977940] audit: type=1400 audit(1583290191.167:36): avc: denied { map } for pid=8378 comm="syz-executor553" path="/root/syz-executor553561881" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 64.056048] ==================================================================
[ 64.056138] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[ 64.056154] Write of size 8 at addr ffff88808c3c8fc8 by task syz-executor553/8386
[ 64.056158]
[ 64.056174] CPU: 0 PID: 8386 Comm: syz-executor553 Not tainted 4.19.107-syzkaller #0
[ 64.056184] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.056188] Call Trace:
[ 64.056217]  dump_stack+0x188/0x20d
[ 64.056237]  ? con_shutdown+0x7f/0x90
[ 64.056260]  print_address_description.cold+0x7c/0x212
[ 64.056286]  ? con_shutdown+0x7f/0x90
[ 64.056306]  kasan_report.cold+0x88/0x2b9
[ 64.056319]  ? set_palette+0x1b0/0x1b0
[ 64.056336]  con_shutdown+0x7f/0x90
[ 64.056366]  release_tty+0xda/0x4c0
[ 64.056383]  tty_release_struct+0x37/0x50
[ 64.056394]  tty_release+0xbc7/0xe90
[ 64.056413]  ? tty_release_struct+0x50/0x50
[ 64.056428]  __fput+0x2cd/0x890
[ 64.056447]  task_work_run+0x13f/0x1b0
[ 64.056467]  do_exit+0xbcd/0x2f30
[ 64.056488]  ? mm_update_next_owner+0x650/0x650
[ 64.056505]  ? up_read+0x17/0x110
[ 64.056520]  ? __do_page_fault+0x44e/0xdd0
[ 64.056539]  do_group_exit+0x125/0x350
[ 64.056553]  __x64_sys_exit_group+0x3a/0x50
[ 64.056569]  do_syscall_64+0xf9/0x620
[ 64.056587]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 64.056598] RIP: 0033:0x43ff38
[ 64.056612] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[ 64.056619] RSP: 002b:00007ffc03822e48 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 64.056631] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 64.056639] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 64.056647] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 64.056653] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 64.056660] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 64.056676]
[ 64.056681] Allocated by task 8386:
[ 64.056691]  kasan_kmalloc+0xbf/0xe0
[ 64.056700]  kmem_cache_alloc_trace+0x14d/0x7a0
[ 64.056708]  vc_allocate+0x1db/0x6d0
[ 64.056717]  con_install+0x4f/0x400
[ 64.056727]  tty_init_dev+0xee/0x450
[ 64.056735]  tty_open+0x4b0/0xb00
[ 64.056744]  chrdev_open+0x219/0x5c0
[ 64.056753]  do_dentry_open+0x4a8/0x1160
[ 64.056763]  path_openat+0x1031/0x4200
[ 64.056771]  do_filp_open+0x1a1/0x280
[ 64.056779]  do_sys_open+0x3c0/0x500
[ 64.056789]  do_syscall_64+0xf9/0x620
[ 64.056799]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 64.056801]
[ 64.056805] Freed by task 8388:
[ 64.056814]  __kasan_slab_free+0xf7/0x140
[ 64.056822]  kfree+0xce/0x220
[ 64.056835]  vt_disallocate_all+0x293/0x3b0
[ 64.056845]  vt_ioctl+0xb79/0x2310
[ 64.056853]  tty_ioctl+0x7a1/0x1420
[ 64.056864]  do_vfs_ioctl+0xcda/0x12e0
[ 64.056873]  ksys_ioctl+0x9b/0xc0
[ 64.056882]  __x64_sys_ioctl+0x6f/0xb0
[ 64.056893]  do_syscall_64+0xf9/0x620
[ 64.056904]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 64.056907]
[ 64.056922] The buggy address belongs to the object at ffff88808c3c8ec0
[ 64.056922]  which belongs to the cache kmalloc-2048 of size 2048
[ 64.056933] The buggy address is located 264 bytes inside of
[ 64.056933]  2048-byte region [ffff88808c3c8ec0, ffff88808c3c96c0)
[ 64.056936] The buggy address belongs to the page:
[ 64.056947] page:ffffea000230f200 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
[ 64.056961] flags: 0xfffe0000008100(slab|head)
[ 64.056977] raw: 00fffe0000008100 ffffea0001d3b208 ffffea0001da5708 ffff88812c3dcc40
[ 64.056990] raw: 0000000000000000 ffff88808c3c8640 0000000100000003 0000000000000000
[ 64.056995] page dumped because: kasan: bad access detected
[ 64.056999]
[ 64.057002] Memory state around the buggy address:
[ 64.057011]  ffff88808c3c8e80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 64.057020]  ffff88808c3c8f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.057028] >ffff88808c3c8f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.057032]                                               ^
[ 64.057040]  ffff88808c3c9000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.057056]  ffff88808c3c9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.057061] ==================================================================
[ 64.057065] Disabling lock debugging due to kernel taint
[ 64.057144] Kernel panic - not syncing: panic_on_warn set ...
[ 64.057144]
[ 64.057157] CPU: 0 PID: 8386 Comm: syz-executor553 Tainted: G B 4.19.107-syzkaller #0
[ 64.057164] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.057167] Call Trace:
[ 64.057180]  dump_stack+0x188/0x20d
[ 64.057194]  panic+0x26a/0x50e
[ 64.057207]  ? __warn_printk+0xf3/0xf3
[ 64.057217]  ? retint_kernel+0x2d/0x2d
[ 64.057232]  ? trace_hardirqs_on+0x55/0x210
[ 64.057244]  ? con_shutdown+0x7f/0x90
[ 64.057255]  kasan_end_report+0x43/0x49
[ 64.057267]  kasan_report.cold+0xa4/0x2b9
[ 64.057279]  ? set_palette+0x1b0/0x1b0
[ 64.057289]  con_shutdown+0x7f/0x90
[ 64.057299]  release_tty+0xda/0x4c0
[ 64.057311]  tty_release_struct+0x37/0x50
[ 64.057321]  tty_release+0xbc7/0xe90
[ 64.057335]  ? tty_release_struct+0x50/0x50
[ 64.057346]  __fput+0x2cd/0x890
[ 64.057359]  task_work_run+0x13f/0x1b0
[ 64.057372]  do_exit+0xbcd/0x2f30
[ 64.057387]  ? mm_update_next_owner+0x650/0x650
[ 64.057400]  ? up_read+0x17/0x110
[ 64.057411]  ? __do_page_fault+0x44e/0xdd0
[ 64.057423]  do_group_exit+0x125/0x350
[ 64.057434]  __x64_sys_exit_group+0x3a/0x50
[ 64.057444]  do_syscall_64+0xf9/0x620
[ 64.057455]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 64.057462] RIP: 0033:0x43ff38
[ 64.057475] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[ 64.057481] RSP: 002b:00007ffc03822e48 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 64.057491] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 64.057497] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 64.057504] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 64.057509] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 64.057515] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 64.059152] Kernel Offset: disabled
[ 64.693156] Rebooting in 86400 seconds..