Warning: Permanently added '10.128.1.23' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   74.190881] audit: type=1400 audit(1584190559.302:36): avc:  denied  { map } for  pid=8129 comm="syz-executor082" path="/root/syz-executor082187039" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   74.264706] ==================================================================
[   74.264748] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[   74.264758] Write of size 8 at addr ffff8880965094c8 by task syz-executor082/8136
[   74.264761]
[   74.264775] CPU: 0 PID: 8136 Comm: syz-executor082 Not tainted 4.19.109-syzkaller #0
[   74.264783] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   74.264787] Call Trace:
[   74.264803]  dump_stack+0x188/0x20d
[   74.264819]  ? con_shutdown+0x7f/0x90
[   74.264836]  print_address_description.cold+0x7c/0x212
[   74.264849]  ? con_shutdown+0x7f/0x90
[   74.264861]  kasan_report.cold+0x88/0x2b9
[   74.264875]  ? set_palette+0x1b0/0x1b0
[   74.264889]  con_shutdown+0x7f/0x90
[   74.264901]  release_tty+0xda/0x4c0
[   74.264917]  tty_release_struct+0x37/0x50
[   74.264930]  tty_release+0xbc7/0xe90
[   74.264950]  ? tty_release_struct+0x50/0x50
[   74.265006]  __fput+0x2cd/0x890
[   74.265027]  task_work_run+0x13f/0x1b0
[   74.265041]  do_exit+0xbcd/0x2f30
[   74.265060]  ? mm_update_next_owner+0x650/0x650
[   74.265076]  ? up_read+0x17/0x110
[   74.265088]  ? __do_page_fault+0x44e/0xdd0
[   74.265108]  do_group_exit+0x125/0x350
[   74.265124]  __x64_sys_exit_group+0x3a/0x50
[   74.265139]  do_syscall_64+0xf9/0x620
[   74.265156]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   74.265167] RIP: 0033:0x43ff38
[   74.265180] Code: Bad RIP value.
[   74.265187] RSP: 002b:00007ffcb41f34c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   74.265198] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[   74.265204] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   74.265211] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[   74.265219] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   74.265226] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   74.265244]
[   74.265251] Allocated by task 8136:
[   74.265263]  kasan_kmalloc+0xbf/0xe0
[   74.265273]  kmem_cache_alloc_trace+0x14d/0x7a0
[   74.265286]  vc_allocate+0x1db/0x6d0
[   74.265297]  con_install+0x4f/0x400
[   74.265307]  tty_init_dev+0xee/0x450
[   74.265318]  tty_open+0x4b0/0xb00
[   74.265327]  chrdev_open+0x219/0x5c0
[   74.265338]  do_dentry_open+0x4a8/0x1160
[   74.265351]  path_openat+0x1031/0x4200
[   74.265363]  do_filp_open+0x1a1/0x280
[   74.265374]  do_sys_open+0x3c0/0x500
[   74.265386]  do_syscall_64+0xf9/0x620
[   74.265398]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   74.265401]
[   74.265407] Freed by task 8141:
[   74.265417]  __kasan_slab_free+0xf7/0x140
[   74.265427]  kfree+0xce/0x220
[   74.265445]  vt_disallocate_all+0x293/0x3b0
[   74.265457]  vt_ioctl+0xb79/0x2310
[   74.265468]  tty_ioctl+0x7a1/0x1420
[   74.265478]  do_vfs_ioctl+0xcda/0x12e0
[   74.265488]  ksys_ioctl+0x9b/0xc0
[   74.265497]  __x64_sys_ioctl+0x6f/0xb0
[   74.265535]  do_syscall_64+0xf9/0x620
[   74.265546]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   74.265549]
[   74.265558] The buggy address belongs to the object at ffff8880965093c0
[   74.265558]  which belongs to the cache kmalloc-2048 of size 2048
[   74.265569] The buggy address is located 264 bytes inside of
[   74.265569]  2048-byte region [ffff8880965093c0, ffff888096509bc0)
[   74.265573] The buggy address belongs to the page:
[   74.265589] page:ffffea0002594200 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
[   74.265606] flags: 0xfffe0000008100(slab|head)
[   74.265623] raw: 00fffe0000008100 ffffea0002630488 ffffea000258fb88 ffff88812c3dcc40
[   74.265638] raw: 0000000000000000 ffff8880965082c0 0000000100000003 0000000000000000
[   74.265643] page dumped because: kasan: bad access detected
[   74.265646]
[   74.265650] Memory state around the buggy address:
[   74.265660]  ffff888096509380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   74.265670]  ffff888096509400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.265680] >ffff888096509480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.265685]                                            ^
[   74.265694]  ffff888096509500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.265704]  ffff888096509580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.265709] ==================================================================
[   74.265712] Disabling lock debugging due to kernel taint
[   74.265765] Kernel panic - not syncing: panic_on_warn set ...
[   74.265765]
[   74.265780] CPU: 0 PID: 8136 Comm: syz-executor082 Tainted: G    B             4.19.109-syzkaller #0
[   74.265786] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   74.265790] Call Trace:
[   74.265804]  dump_stack+0x188/0x20d
[   74.265821]  panic+0x26a/0x50e
[   74.265835]  ? __warn_printk+0xf3/0xf3
[   74.265846]  ? retint_kernel+0x2d/0x2d
[   74.265863]  ? trace_hardirqs_on+0x55/0x210
[   74.265875]  ? con_shutdown+0x7f/0x90
[   74.265888]  kasan_end_report+0x43/0x49
[   74.265900]  kasan_report.cold+0xa4/0x2b9
[   74.265912]  ? set_palette+0x1b0/0x1b0
[   74.265922]  con_shutdown+0x7f/0x90
[   74.265934]  release_tty+0xda/0x4c0
[   74.265947]  tty_release_struct+0x37/0x50
[   74.265958]  tty_release+0xbc7/0xe90
[   74.265974]  ? tty_release_struct+0x50/0x50
[   74.265986]  __fput+0x2cd/0x890
[   74.265999]  task_work_run+0x13f/0x1b0
[   74.266012]  do_exit+0xbcd/0x2f30
[   74.266026]  ? mm_update_next_owner+0x650/0x650
[   74.266040]  ? up_read+0x17/0x110
[   74.266051]  ? __do_page_fault+0x44e/0xdd0
[   74.266065]  do_group_exit+0x125/0x350
[   74.266078]  __x64_sys_exit_group+0x3a/0x50
[   74.266090]  do_syscall_64+0xf9/0x620
[   74.266102]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   74.266111] RIP: 0033:0x43ff38
[   74.266121] Code: Bad RIP value.
[   74.266127] RSP: 002b:00007ffcb41f34c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   74.266137] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[   74.266144] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   74.266151] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[   74.266157] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   74.266164] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   74.267659] Kernel Offset: disabled