Warning: Permanently added '10.128.0.193' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 55.270100] audit: type=1400 audit(1584342699.758:36): avc:  denied  { map } for  pid=8081 comm="syz-executor118" path="/root/syz-executor118471358" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 55.344901] ==================================================================
[ 55.344944] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[ 55.344955] Write of size 8 at addr ffff8880852b4a08 by task syz-executor118/8094
[ 55.344959]
[ 55.344972] CPU: 1 PID: 8094 Comm: syz-executor118 Not tainted 4.19.109-syzkaller #0
[ 55.344980] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.344985] Call Trace:
[ 55.345001]  dump_stack+0x188/0x20d
[ 55.345016]  ? con_shutdown+0x7f/0x90
[ 55.345033]  print_address_description.cold+0x7c/0x212
[ 55.345048]  ? con_shutdown+0x7f/0x90
[ 55.345061]  kasan_report.cold+0x88/0x2b9
[ 55.345076]  ? set_palette+0x1b0/0x1b0
[ 55.345090]  con_shutdown+0x7f/0x90
[ 55.345103]  release_tty+0xda/0x4c0
[ 55.345118]  tty_release_struct+0x37/0x50
[ 55.345131]  tty_release+0xbc7/0xe90
[ 55.345150]  ? tty_release_struct+0x50/0x50
[ 55.345164]  __fput+0x2cd/0x890
[ 55.345183]  task_work_run+0x13f/0x1b0
[ 55.345201]  do_exit+0xbcd/0x2f30
[ 55.345222]  ? mm_update_next_owner+0x650/0x650
[ 55.345240]  ? up_read+0x17/0x110
[ 55.345253]  ? __do_page_fault+0x44e/0xdd0
[ 55.345273]  do_group_exit+0x125/0x350
[ 55.345289]  __x64_sys_exit_group+0x3a/0x50
[ 55.345304]  do_syscall_64+0xf9/0x620
[ 55.345321]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.345331] RIP: 0033:0x43ff58
[ 55.345344] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[ 55.345351] RSP: 002b:00007ffe53f2b948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 55.345364] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff58
[ 55.345371] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 55.345380] RBP: 00000000004bf970 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 55.345387] R10: 000000000000000e R11: 0000000000000246 R12: 0000000000000001
[ 55.345394] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 55.345412]
[ 55.345418] Allocated by task 8094:
[ 55.345431]  kasan_kmalloc+0xbf/0xe0
[ 55.345442]  kmem_cache_alloc_trace+0x14d/0x7a0
[ 55.345453]  vc_allocate+0x1db/0x6d0
[ 55.345465]  con_install+0x4f/0x400
[ 55.345476]  tty_init_dev+0xee/0x450
[ 55.345486]  tty_open+0x4b0/0xb00
[ 55.345496]  chrdev_open+0x219/0x5c0
[ 55.345505]  do_dentry_open+0x4a8/0x1160
[ 55.345519]  path_openat+0x1031/0x4200
[ 55.345531]  do_filp_open+0x1a1/0x280
[ 55.345541]  do_sys_open+0x3c0/0x500
[ 55.345553]  do_syscall_64+0xf9/0x620
[ 55.345565]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.345568]
[ 55.345574] Freed by task 8090:
[ 55.345585]  __kasan_slab_free+0xf7/0x140
[ 55.345595]  kfree+0xce/0x220
[ 55.345607]  vt_disallocate_all+0x293/0x3b0
[ 55.345619]  vt_ioctl+0xb79/0x2310
[ 55.345630]  tty_ioctl+0x7a1/0x1420
[ 55.345646]  do_vfs_ioctl+0xcda/0x12e0
[ 55.345656]  ksys_ioctl+0x9b/0xc0
[ 55.345681]  __x64_sys_ioctl+0x6f/0xb0
[ 55.345693]  do_syscall_64+0xf9/0x620
[ 55.345705]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.345708]
[ 55.345717] The buggy address belongs to the object at ffff8880852b4900
[ 55.345717]  which belongs to the cache kmalloc-2048 of size 2048
[ 55.345729] The buggy address is located 264 bytes inside of
[ 55.345729]  2048-byte region [ffff8880852b4900, ffff8880852b5100)
[ 55.345733] The buggy address belongs to the page:
[ 55.345744] page:ffffea000214ad00 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
[ 55.345757] flags: 0xfffe0000008100(slab|head)
[ 55.345774] raw: 00fffe0000008100 ffffea0002321188 ffffea000203a808 ffff88812c3dcc40
[ 55.345789] raw: 0000000000000000 ffff8880852b4080 0000000100000003 0000000000000000
[ 55.345794] page dumped because: kasan: bad access detected
[ 55.345797]
[ 55.345801] Memory state around the buggy address:
[ 55.345811]  ffff8880852b4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.345821]  ffff8880852b4980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.345830] >ffff8880852b4a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.345835]                       ^
[ 55.345844]  ffff8880852b4a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.345854]  ffff8880852b4b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.345858] ==================================================================
[ 55.345862] Disabling lock debugging due to kernel taint
[ 55.345901] Kernel panic - not syncing: panic_on_warn set ...
[ 55.345901]
[ 55.345913] CPU: 1 PID: 8094 Comm: syz-executor118 Tainted: G    B   4.19.109-syzkaller #0
[ 55.345918] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.345921] Call Trace:
[ 55.345934]  dump_stack+0x188/0x20d
[ 55.345953]  panic+0x26a/0x50e
[ 55.345965]  ? __warn_printk+0xf3/0xf3
[ 55.345975]  ? retint_kernel+0x2d/0x2d
[ 55.345991]  ? trace_hardirqs_on+0x55/0x210
[ 55.346003]  ? con_shutdown+0x7f/0x90
[ 55.346016]  kasan_end_report+0x43/0x49
[ 55.346029]  kasan_report.cold+0xa4/0x2b9
[ 55.346040]  ? set_palette+0x1b0/0x1b0
[ 55.346052]  con_shutdown+0x7f/0x90
[ 55.346063]  release_tty+0xda/0x4c0
[ 55.346076]  tty_release_struct+0x37/0x50
[ 55.346088]  tty_release+0xbc7/0xe90
[ 55.346103]  ? tty_release_struct+0x50/0x50
[ 55.346115]  __fput+0x2cd/0x890
[ 55.346128]  task_work_run+0x13f/0x1b0
[ 55.346141]  do_exit+0xbcd/0x2f30
[ 55.346157]  ? mm_update_next_owner+0x650/0x650
[ 55.346170]  ? up_read+0x17/0x110
[ 55.346182]  ? __do_page_fault+0x44e/0xdd0
[ 55.346196]  do_group_exit+0x125/0x350
[ 55.346210]  __x64_sys_exit_group+0x3a/0x50
[ 55.346223]  do_syscall_64+0xf9/0x620
[ 55.346236]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.346244] RIP: 0033:0x43ff58
[ 55.346255] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[ 55.346262] RSP: 002b:00007ffe53f2b948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 55.346272] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff58
[ 55.346279] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 55.346286] RBP: 00000000004bf970 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 55.346293] R10: 000000000000000e R11: 0000000000000246 R12: 0000000000000001
[ 55.346299] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 55.347530] Kernel Offset: disabled
[ 55.958342] Rebooting in 86400 seconds..
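Reading a report like the one above by hand means doing the same checks every time: does the access offset (264 bytes) really fall inside the 2048-byte object, what does the shadow byte under the caret (fb) encode, which task allocated and which task freed the object, and what is the first frame in each stack that is not KASAN or allocator plumbing. The following triage helper is an added example, not syzbot's or the kernel's code: it parses the lines quoted from this log (trimmed to the parts it needs) and performs those checks. The shadow-byte table is the generic-KASAN encoding of the 4.19 era; the NOISE prefix list used to skip reporting and allocator frames is an assumption of the example.

```python
import re

# Lines quoted from the KASAN report above, trimmed (some frames omitted).
# Values are the log's own; nothing here is a new report.
SAMPLE_REPORT = """\
[ 55.344944] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[ 55.344955] Write of size 8 at addr ffff8880852b4a08 by task syz-executor118/8094
[ 55.344972] CPU: 1 PID: 8094 Comm: syz-executor118 Not tainted 4.19.109-syzkaller #0
[ 55.344985] Call Trace:
[ 55.345001]  dump_stack+0x188/0x20d
[ 55.345016]  ? con_shutdown+0x7f/0x90
[ 55.345033]  print_address_description.cold+0x7c/0x212
[ 55.345061]  kasan_report.cold+0x88/0x2b9
[ 55.345090]  con_shutdown+0x7f/0x90
[ 55.345103]  release_tty+0xda/0x4c0
[ 55.345131]  tty_release+0xbc7/0xe90
[ 55.345412]
[ 55.345418] Allocated by task 8094:
[ 55.345431]  kasan_kmalloc+0xbf/0xe0
[ 55.345442]  kmem_cache_alloc_trace+0x14d/0x7a0
[ 55.345453]  vc_allocate+0x1db/0x6d0
[ 55.345465]  con_install+0x4f/0x400
[ 55.345486]  tty_open+0x4b0/0xb00
[ 55.345568]
[ 55.345574] Freed by task 8090:
[ 55.345585]  __kasan_slab_free+0xf7/0x140
[ 55.345595]  kfree+0xce/0x220
[ 55.345607]  vt_disallocate_all+0x293/0x3b0
[ 55.345619]  vt_ioctl+0xb79/0x2310
[ 55.345708]
[ 55.345717] The buggy address belongs to the object at ffff8880852b4900
[ 55.345717]  which belongs to the cache kmalloc-2048 of size 2048
[ 55.345729] The buggy address is located 264 bytes inside of
[ 55.345729]  2048-byte region [ffff8880852b4900, ffff8880852b5100)
[ 55.345801] Memory state around the buggy address:
[ 55.345811]  ffff8880852b4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.345830] >ffff8880852b4a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.345858] ==================================================================
"""

# Generic KASAN shadow encoding (one shadow byte per 8-byte granule), 4.19 era.
SHADOW_MEANING = {
    0x00: "addressable", 0xfa: "global redzone",
    0xfb: "freed slab object (use-after-free)", 0xfc: "kmalloc redzone (out-of-bounds)",
    0xfe: "page redzone", 0xff: "freed page",
    0xf1: "stack left redzone", 0xf2: "stack mid redzone",
    0xf3: "stack right redzone", 0xf4: "stack partial redzone", 0xf8: "use-after-scope",
}

def shadow_meaning(b):
    return f"first {b} bytes addressable" if 1 <= b <= 7 else SHADOW_MEANING.get(b, f"unknown 0x{b:02x}")

HDR = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
ACC = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
OBJ = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
STATED = re.compile(r"located (?P<off>\d+) bytes inside of")
TASK = re.compile(r"(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
FRAME = re.compile(r"^\s+(?P<sym>[\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)$")   # '? ' frames are skipped
SHADOW = re.compile(r"^(?P<guilty>[ >])(?P<row>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?)+)$")

def strip_ts(line):
    """Drop the '[ secs.usecs] ' console timestamp that prefixes every line."""
    return re.sub(r"^\[\s*\d+\.\d+\]\s?", "", line)

def parse_kasan_report(text):
    rep = {"trace": [], "alloc": [], "free": [], "shadow": {}, "guilty_row": None}
    section = None                       # stack currently being read: trace / alloc / free
    for raw in text.splitlines():
        line = strip_ts(raw)
        if not line.strip():             # a blank line terminates a stack section
            section = None
            continue
        if (m := HDR.search(line)):
            rep["kind"], rep["func"] = m["kind"], m["func"]
        elif (m := ACC.search(line)):
            rep.update(rw=m["rw"], size=int(m["size"]), addr=int(m["addr"], 16),
                       task=m["task"], pid=int(m["pid"]))
        elif line.startswith("Call Trace:"):
            section = "trace"
        elif (m := TASK.search(line)):
            section = "alloc" if m["what"] == "Allocated" else "free"
            rep[section + "_pid"] = int(m["pid"])
        elif (m := OBJ.search(line)):
            rep["obj_base"] = int(m["base"], 16)
        elif (m := CACHE.search(line)):
            rep["cache"], rep["obj_size"] = m["cache"], int(m["size"])
        elif (m := STATED.search(line)):
            rep["stated_off"] = int(m["off"])
        elif (m := SHADOW.match(line)):
            row = int(m["row"], 16)
            rep["shadow"][row] = [int(b, 16) for b in m["bytes"].split()]
            if m["guilty"] == ">":
                rep["guilty_row"] = row
        elif section and (m := FRAME.match(line)):
            rep[section].append(m["sym"])
    return rep

# Assumed list of frames that are reporting/allocator plumbing rather than the bug site.
NOISE = ("dump_stack", "print_address_description", "kasan_", "__kasan_",
         "kfree", "kmem_cache_alloc", "kmalloc", "__kmalloc")

def first_real_frame(frames):
    return next((f for f in frames if not f.startswith(NOISE)), None)

def triage(rep):
    off = rep["addr"] - rep["obj_base"]
    row = rep["addr"] & ~0x7F            # each dumped shadow row covers 128 bytes (16 granules)
    byte = rep["shadow"][row][(rep["addr"] - row) // 8]
    return {
        "offset": off,
        "offset_matches_report": off == rep["stated_off"],
        "in_object": 0 <= off and off + rep["size"] <= rep["obj_size"],
        "guilty_row_consistent": rep["guilty_row"] == row,
        "shadow_byte": byte,
        "shadow_meaning": shadow_meaning(byte),
        "culprit": first_real_frame(rep["trace"]),
        "allocated_in": first_real_frame(rep["alloc"]),
        "freed_in": first_real_frame(rep["free"]),
        "cross_task_free": rep["free_pid"] != rep["pid"],
    }

if __name__ == "__main__":
    for k, v in triage(parse_kasan_report(SAMPLE_REPORT)).items():
        print(f"{k:24} {v}")
```

On this log the helper confirms the arithmetic (0xffff8880852b4a08 minus the object base is 264, and the 8-byte write stays inside the 2048-byte object), decodes the caret byte as a freed slab object, and reduces the three stacks to the sentence a triager wants: the object was allocated in vc_allocate during tty_open by PID 8094, freed in vt_disallocate_all from a VT ioctl by a different task (PID 8090), and then written in con_shutdown when 8094's tty was released.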