[ 47.525421] audit: type=1800 audit(1583190854.541:30): pid=8040 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
Starting mcstransd:
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 52.989979] kauditd_printk_skb: 4 callbacks suppressed
[ 52.989993] audit: type=1400 audit(1583190860.041:35): avc: denied { map } for pid=8213 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.1.60' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 59.803221] audit: type=1400 audit(1583190866.851:36): avc: denied { map } for pid=8225 comm="syz-executor888" path="/root/syz-executor888520850" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 59.871046] ==================================================================
[ 59.871089] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[ 59.871100] Write of size 8 at addr ffff88808f40ae08 by task syz-executor888/8234
[ 59.871103]
[ 59.871116] CPU: 0 PID: 8234 Comm: syz-executor888 Not tainted 4.19.107-syzkaller #0
[ 59.871123] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.871128] Call Trace:
[ 59.871145]  dump_stack+0x188/0x20d
[ 59.871161]  ? con_shutdown+0x7f/0x90
[ 59.871178]  print_address_description.cold+0x7c/0x212
[ 59.871192]  ? con_shutdown+0x7f/0x90
[ 59.871205]  kasan_report.cold+0x88/0x2b9
[ 59.871219]  ? set_palette+0x1b0/0x1b0
[ 59.871232]  con_shutdown+0x7f/0x90
[ 59.871246]  release_tty+0xda/0x4c0
[ 59.871260]  tty_release_struct+0x37/0x50
[ 59.871272]  tty_release+0xbc7/0xe90
[ 59.871292]  ? tty_release_struct+0x50/0x50
[ 59.871304]  __fput+0x2cd/0x890
[ 59.871321]  task_work_run+0x13f/0x1b0
[ 59.871337]  do_exit+0xbcd/0x2f30
[ 59.871356]  ? mm_update_next_owner+0x650/0x650
[ 59.871372]  ? up_read+0x17/0x110
[ 59.871386]  ? __do_page_fault+0x44e/0xdd0
[ 59.871403]  do_group_exit+0x125/0x350
[ 59.871418]  __x64_sys_exit_group+0x3a/0x50
[ 59.871433]  do_syscall_64+0xf9/0x620
[ 59.871450]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.871461] RIP: 0033:0x43ff38
[ 59.871473] Code: Bad RIP value.
[ 59.871481] RSP: 002b:00007fff7ebc4748 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 59.871494] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 59.871502] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 59.871509] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 59.871516] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 59.871523] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 59.871537]
[ 59.871543] Allocated by task 8234:
[ 59.871553]  kasan_kmalloc+0xbf/0xe0
[ 59.871562]  kmem_cache_alloc_trace+0x14d/0x7a0
[ 59.871572]  vc_allocate+0x1db/0x6d0
[ 59.871582]  con_install+0x4f/0x400
[ 59.871591]  tty_init_dev+0xee/0x450
[ 59.871601]  tty_open+0x4b0/0xb00
[ 59.871610]  chrdev_open+0x219/0x5c0
[ 59.871620]  do_dentry_open+0x4a8/0x1160
[ 59.871633]  path_openat+0x1031/0x4200
[ 59.871645]  do_filp_open+0x1a1/0x280
[ 59.871655]  do_sys_open+0x3c0/0x500
[ 59.871665]  do_syscall_64+0xf9/0x620
[ 59.871676]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.871678]
[ 59.871682] Freed by task 8232:
[ 59.871690]  __kasan_slab_free+0xf7/0x140
[ 59.871697]  kfree+0xce/0x220
[ 59.871709]  vt_disallocate_all+0x293/0x3b0
[ 59.871720]  vt_ioctl+0xb79/0x2310
[ 59.871730]  tty_ioctl+0x7a1/0x1420
[ 59.871740]  do_vfs_ioctl+0xcda/0x12e0
[ 59.871750]  ksys_ioctl+0x9b/0xc0
[ 59.871760]  __x64_sys_ioctl+0x6f/0xb0
[ 59.871772]  do_syscall_64+0xf9/0x620
[ 59.871783]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.871786]
[ 59.871795] The buggy address belongs to the object at ffff88808f40ad00
[ 59.871795]  which belongs to the cache kmalloc-2048 of size 2048
[ 59.871805] The buggy address is located 264 bytes inside of
[ 59.871805]  2048-byte region [ffff88808f40ad00, ffff88808f40b500)
[ 59.871808] The buggy address belongs to the page:
[ 59.871819] page:ffffea00023d0280 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
[ 59.871831] flags: 0xfffe0000008100(slab|head)
[ 59.871847] raw: 00fffe0000008100 ffffea00023d0388 ffffea000238a808 ffff88812c3dcc40
[ 59.871862] raw: 0000000000000000 ffff88808f40a480 0000000100000003 0000000000000000
[ 59.871867] page dumped because: kasan: bad access detected
[ 59.871870]
[ 59.871874] Memory state around the buggy address:
[ 59.871884]  ffff88808f40ad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.871894]  ffff88808f40ad80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.871903] >ffff88808f40ae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.871908]                       ^
[ 59.871916]  ffff88808f40ae80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.871924]  ffff88808f40af00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.871928] ==================================================================
[ 59.871933] Disabling lock debugging due to kernel taint
[ 59.871959] Kernel panic - not syncing: panic_on_warn set ...
[ 59.871959]
[ 59.871971] CPU: 0 PID: 8234 Comm: syz-executor888 Tainted: G    B     4.19.107-syzkaller #0
[ 59.871978] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.871981] Call Trace:
[ 59.871994]  dump_stack+0x188/0x20d
[ 59.872008]  panic+0x26a/0x50e
[ 59.872020]  ? __warn_printk+0xf3/0xf3
[ 59.872037]  ? retint_kernel+0x2d/0x2d
[ 59.872052]  ? trace_hardirqs_on+0x55/0x210
[ 59.872065]  ? con_shutdown+0x7f/0x90
[ 59.872076]  kasan_end_report+0x43/0x49
[ 59.872088]  kasan_report.cold+0xa4/0x2b9
[ 59.872098]  ? set_palette+0x1b0/0x1b0
[ 59.872109]  con_shutdown+0x7f/0x90
[ 59.872120]  release_tty+0xda/0x4c0
[ 59.872131]  tty_release_struct+0x37/0x50
[ 59.872141]  tty_release+0xbc7/0xe90
[ 59.872154]  ? tty_release_struct+0x50/0x50
[ 59.872163]  __fput+0x2cd/0x890
[ 59.872175]  task_work_run+0x13f/0x1b0
[ 59.872186]  do_exit+0xbcd/0x2f30
[ 59.872202]  ? mm_update_next_owner+0x650/0x650
[ 59.872213]  ? up_read+0x17/0x110
[ 59.872225]  ? __do_page_fault+0x44e/0xdd0
[ 59.872239]  do_group_exit+0x125/0x350
[ 59.872252]  __x64_sys_exit_group+0x3a/0x50
[ 59.872264]  do_syscall_64+0xf9/0x620
[ 59.872277]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.872285] RIP: 0033:0x43ff38
[ 59.872294] Code: Bad RIP value.
[ 59.872299] RSP: 002b:00007fff7ebc4748 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 59.872310] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 59.872316] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 59.872323] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 59.872329] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 59.872336] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 59.874172] Kernel Offset: disabled