[   49.297319] audit: type=1800 audit(1583556555.751:29): pid=8062 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2447 res=0
[   49.322050] audit: type=1800 audit(1583556555.761:30): pid=8062 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.164' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login: [   73.731055] kauditd_printk_skb: 5 callbacks suppressed
[   73.731068] audit: type=1400 audit(1583556580.191:36): avc: denied { map } for pid=8245 comm="syz-executor302" path="/root/syz-executor302355151" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   73.799649] ==================================================================
[   73.799690] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[   73.799701] Write of size 8 at addr ffff88808d23f6c8 by task syz-executor302/8254
[   73.799705]
[   73.799719] CPU: 1 PID: 8254 Comm: syz-executor302 Not tainted 4.19.108-syzkaller #0
[   73.799727] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   73.799732] Call Trace:
[   73.799755]  dump_stack+0x188/0x20d
[   73.799768]  ? con_shutdown+0x7f/0x90
[   73.799785]  print_address_description.cold+0x7c/0x212
[   73.799797]  ? con_shutdown+0x7f/0x90
[   73.799809]  kasan_report.cold+0x88/0x2b9
[   73.799821]  ? set_palette+0x1b0/0x1b0
[   73.799842]  con_shutdown+0x7f/0x90
[   73.799855]  release_tty+0xda/0x4c0
[   73.799868]  tty_release_struct+0x37/0x50
[   73.799879]  tty_release+0xbc7/0xe90
[   73.799896]  ? tty_release_struct+0x50/0x50
[   73.799910]  __fput+0x2cd/0x890
[   73.799929]  task_work_run+0x13f/0x1b0
[   73.799948]  do_exit+0xbcd/0x2f30
[   73.799968]  ? mm_update_next_owner+0x650/0x650
[   73.799984]  ? up_read+0x17/0x110
[   73.799998]  ? __do_page_fault+0x44e/0xdd0
[   73.800016]  do_group_exit+0x125/0x350
[   73.800039]  __x64_sys_exit_group+0x3a/0x50
[   73.800054]  do_syscall_64+0xf9/0x620
[   73.800071]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   73.800082] RIP: 0033:0x43ff38
[   73.800094] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[   73.800102] RSP: 002b:00007fffefab12f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   73.800114] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[   73.800121] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   73.800129] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[   73.800136] R10: 0000000000000064 R11: 0000000000000246 R12: 0000000000000001
[   73.800143] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   73.800161]
[   73.800167] Allocated by task 8254:
[   73.800180]  kasan_kmalloc+0xbf/0xe0
[   73.800191]  kmem_cache_alloc_trace+0x14d/0x7a0
[   73.800203]  vc_allocate+0x1db/0x6d0
[   73.800214]  con_install+0x4f/0x400
[   73.800225]  tty_init_dev+0xee/0x450
[   73.800236]  tty_open+0x4b0/0xb00
[   73.800246]  chrdev_open+0x219/0x5c0
[   73.800256]  do_dentry_open+0x4a8/0x1160
[   73.800268]  path_openat+0x1031/0x4200
[   73.800280]  do_filp_open+0x1a1/0x280
[   73.800290]  do_sys_open+0x3c0/0x500
[   73.800302]  do_syscall_64+0xf9/0x620
[   73.800312]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   73.800315]
[   73.800320] Freed by task 8256:
[   73.800331]  __kasan_slab_free+0xf7/0x140
[   73.800340]  kfree+0xce/0x220
[   73.800353]  vt_disallocate_all+0x293/0x3b0
[   73.800363]  vt_ioctl+0xb79/0x2310
[   73.800374]  tty_ioctl+0x7a1/0x1420
[   73.800385]  do_vfs_ioctl+0xcda/0x12e0
[   73.800394]  ksys_ioctl+0x9b/0xc0
[   73.800404]  __x64_sys_ioctl+0x6f/0xb0
[   73.800415]  do_syscall_64+0xf9/0x620
[   73.800425]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   73.800428]
[   73.800437] The buggy address belongs to the object at ffff88808d23f5c0
[   73.800437]  which belongs to the cache kmalloc-2048 of size 2048
[   73.800448] The buggy address is located 264 bytes inside of
[   73.800448]  2048-byte region [ffff88808d23f5c0, ffff88808d23fdc0)
[   73.800452] The buggy address belongs to the page:
[   73.800463] page:ffffea0002348f80 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
[   73.800476] flags: 0xfffe0000008100(slab|head)
[   73.800492] raw: 00fffe0000008100 ffffea0002353588 ffffea0002358088 ffff88812c3dcc40
[   73.800506] raw: 0000000000000000 ffff88808d23e4c0 0000000100000003 0000000000000000
[   73.800511] page dumped because: kasan: bad access detected
[   73.800513]
[   73.800517] Memory state around the buggy address:
[   73.800526]  ffff88808d23f580: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   73.800535]  ffff88808d23f600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.800544] >ffff88808d23f680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.800549]                                               ^
[   73.800557]  ffff88808d23f700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.800565]  ffff88808d23f780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.800569] ==================================================================
[   73.800573] Disabling lock debugging due to kernel taint
[   73.800642] Kernel panic - not syncing: panic_on_warn set ...
[   73.800642]
[   73.800654] CPU: 1 PID: 8254 Comm: syz-executor302 Tainted: G    B             4.19.108-syzkaller #0
[   73.800660] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   73.800663] Call Trace:
[   73.800676]  dump_stack+0x188/0x20d
[   73.800689]  panic+0x26a/0x50e
[   73.800699]  ? __warn_printk+0xf3/0xf3
[   73.800707]  ? retint_kernel+0x2d/0x2d
[   73.800721]  ? trace_hardirqs_on+0x55/0x210
[   73.800731]  ? con_shutdown+0x7f/0x90
[   73.800742]  kasan_end_report+0x43/0x49
[   73.800752]  kasan_report.cold+0xa4/0x2b9
[   73.800761]  ? set_palette+0x1b0/0x1b0
[   73.800771]  con_shutdown+0x7f/0x90
[   73.800780]  release_tty+0xda/0x4c0
[   73.800790]  tty_release_struct+0x37/0x50
[   73.800799]  tty_release+0xbc7/0xe90
[   73.800811]  ? tty_release_struct+0x50/0x50
[   73.800821]  __fput+0x2cd/0x890
[   73.800832]  task_work_run+0x13f/0x1b0
[   73.800842]  do_exit+0xbcd/0x2f30
[   73.800855]  ? mm_update_next_owner+0x650/0x650
[   73.800865]  ? up_read+0x17/0x110
[   73.800874]  ? __do_page_fault+0x44e/0xdd0
[   73.800886]  do_group_exit+0x125/0x350
[   73.800896]  __x64_sys_exit_group+0x3a/0x50
[   73.800906]  do_syscall_64+0xf9/0x620
[   73.800917]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   73.800923] RIP: 0033:0x43ff38
[   73.800933] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[   73.800938] RSP: 002b:00007fffefab12f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   73.800946] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[   73.800951] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   73.800957] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[   73.800962] R10: 0000000000000064 R11: 0000000000000246 R12: 0000000000000001
[   73.800967] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   73.802632] Kernel Offset: disabled
[   74.431859] Rebooting in 86400 seconds..
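Reading the report: the 8-byte write in con_shutdown lands 264 bytes into a kmalloc-2048 object that task 8254 allocated in vc_allocate under tty_open, and that a different task, 8256, freed in vt_disallocate_all (the VT_DISALLOCATE ioctl with argument 0) under vt_ioctl; task 8254 then touched the freed object while releasing its tty during exit. Three distinct paths for allocation, free and use, with the free coming from another task, is the triage-relevant fact: it points at a lifetime race between the console's owner and an ioctl that tears consoles down, not at a local double free. The Python below is an added example, not part of this report or of syzkaller: it extracts those fields from a console log so the cross-task free and the offset arithmetic can be checked mechanically. The names parse_kasan, origin, cross_task_free and offset_consistent are this example's own; SAMPLE_LOG is a verbatim subset of the lines above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix
_BUG = re.compile(r"^BUG: KASAN: (\S+) in ([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
_ACCESS = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)$")
_FRAME = re.compile(r"^\s*(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
_ALLOC = re.compile(r"^Allocated by task (\d+):$")
_FREE = re.compile(r"^Freed by task (\d+):$")
_OBJ = re.compile(r"^The buggy address belongs to the object at ([0-9a-f]+)$")
_OFFSET = re.compile(r"^The buggy address is located (\d+) bytes inside of$")
# KASAN/allocator frames that sit above the interesting frame in every stack.
_PLUMBING = ("dump_stack", "print_address_description", "kasan_", "__kasan_", "kmem_cache_", "kfree", "kmalloc")

@dataclass
class KasanReport:
    bug: str
    func: str
    access: str = ""
    size: int = 0
    addr: int = 0
    pid: int = 0
    trace: List[str] = field(default_factory=list)
    alloc_task: Optional[int] = None
    alloc_stack: List[str] = field(default_factory=list)
    free_task: Optional[int] = None
    free_stack: List[str] = field(default_factory=list)
    obj_addr: int = 0
    offset: Optional[int] = None

def parse_kasan(log: str) -> Optional[KasanReport]:
    """Return the first KASAN report in a console log, or None if there is none."""
    rep, stack = None, None
    for raw in log.splitlines():
        line = _TS.sub("", raw).rstrip()
        if rep is None:
            if m := _BUG.match(line):
                rep = KasanReport(bug=m[1], func=m[2])
            continue
        if line.startswith("===="):  # closing rule of the report
            break
        if m := _ACCESS.match(line):
            rep.access, rep.size, rep.addr, rep.pid = m[1], int(m[2]), int(m[3], 16), int(m[4])
        elif line == "Call Trace:":
            stack = rep.trace
        elif m := _ALLOC.match(line):
            rep.alloc_task, stack = int(m[1]), rep.alloc_stack
        elif m := _FREE.match(line):
            rep.free_task, stack = int(m[1]), rep.free_stack
        elif m := _OBJ.match(line):
            rep.obj_addr = int(m[1], 16)
        elif m := _OFFSET.match(line):
            rep.offset = int(m[1])
        elif (m := _FRAME.match(line)) and stack is not None:
            if not m[1]:  # "? sym" frames are unreliable guesses; drop them
                stack.append(m[2])
        else:  # blank line, RIP/register dump, page dump: current stack is over
            stack = None
    return rep

def origin(stack: List[str]) -> Optional[str]:  # first non-plumbing frame: who accessed/allocated/freed
    return next((s for s in stack if not s.startswith(_PLUMBING)), None)

def cross_task_free(rep: KasanReport) -> bool:  # freed by someone other than the allocator: a lifetime race
    return rep.free_task is not None and rep.free_task != rep.alloc_task

def offset_consistent(rep: KasanReport) -> bool:  # access address minus object base must equal reported offset
    return rep.offset is not None and rep.addr - rep.obj_addr == rep.offset

def summarize(rep: KasanReport) -> str:
    return (f"{rep.bug}: {rep.access.lower()} of {rep.size} bytes at +{rep.offset} in {origin(rep.trace)} "
            f"(task {rep.pid}); object allocated by {origin(rep.alloc_stack)} (task {rep.alloc_task}), "
            f"freed by {origin(rep.free_stack)} (task {rep.free_task})")

# Verbatim subset of the report above; enough structure for the parser to exercise every branch.
SAMPLE_LOG = """\
[   73.799690] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[   73.799701] Write of size 8 at addr ffff88808d23f6c8 by task syz-executor302/8254
[   73.799732] Call Trace:
[   73.799755]  dump_stack+0x188/0x20d
[   73.799768]  ? con_shutdown+0x7f/0x90
[   73.799809]  kasan_report.cold+0x88/0x2b9
[   73.799842]  con_shutdown+0x7f/0x90
[   73.799855]  release_tty+0xda/0x4c0
[   73.800082] RIP: 0033:0x43ff38
[   73.800167] Allocated by task 8254:
[   73.800180]  kasan_kmalloc+0xbf/0xe0
[   73.800203]  vc_allocate+0x1db/0x6d0
[   73.800236]  tty_open+0x4b0/0xb00
[   73.800315]
[   73.800320] Freed by task 8256:
[   73.800331]  __kasan_slab_free+0xf7/0x140
[   73.800340]  kfree+0xce/0x220
[   73.800353]  vt_disallocate_all+0x293/0x3b0
[   73.800363]  vt_ioctl+0xb79/0x2310
[   73.800437] The buggy address belongs to the object at ffff88808d23f5c0
[   73.800448] The buggy address is located 264 bytes inside of
[   73.800569] ==================================================================
"""

if __name__ == "__main__":
    print(summarize(parse_kasan(SAMPLE_LOG)))
```

Run as a script it prints one line naming the accessing, allocating and freeing frames and tasks; on a full console log it stops at the first report's closing rule, so a second stack such as the panic trace at the end of this log does not pollute the result. The "? " frames are dropped on purpose: they are the unwinder's guesses, and the two unreliable con_shutdown entries above would otherwise be counted as separate hits.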