Warning: Permanently added '10.128.15.198' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
[ 95.842280][ T27] audit: type=1400 audit(1584080847.643:42): avc: denied { map } for pid=10411 comm="syz-executor349" path="/root/syz-executor349438112" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 95.910951][T10418] ==================================================================
[ 95.911011][T10418] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[ 95.911023][T10418] Write of size 8 at addr ffff8880a7de7108 by task syz-executor349/10418
[ 95.911027][T10418]
[ 95.911041][T10418] CPU: 1 PID: 10418 Comm: syz-executor349 Not tainted 5.6.0-rc5-syzkaller #0
[ 95.911049][T10418] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 95.911053][T10418] Call Trace:
[ 95.911071][T10418]  dump_stack+0x188/0x20d
[ 95.911084][T10418]  ? con_shutdown+0x7f/0x90
[ 95.911098][T10418]  ? con_shutdown+0x7f/0x90
[ 95.911117][T10418]  print_address_description.constprop.0.cold+0xd3/0x315
[ 95.911127][T10418]  ? con_shutdown+0x7f/0x90
[ 95.911139][T10418]  ? con_shutdown+0x7f/0x90
[ 95.911152][T10418]  __kasan_report.cold+0x1a/0x32
[ 95.911177][T10418]  ? con_shutdown+0x7f/0x90
[ 95.911196][T10418]  kasan_report+0xe/0x20
[ 95.911209][T10418]  con_shutdown+0x7f/0x90
[ 95.911220][T10418]  ? update_region+0x140/0x140
[ 95.911232][T10418]  release_tty+0xca/0x450
[ 95.911249][T10418]  tty_release_struct+0x37/0x50
[ 95.911263][T10418]  tty_release+0xbc7/0xe90
[ 95.911291][T10418]  ? do_tty_hangup+0x30/0x30
[ 95.911302][T10418]  __fput+0x2da/0x850
[ 95.911332][T10418]  task_work_run+0x13f/0x1b0
[ 95.911357][T10418]  do_exit+0xb34/0x2dd0
[ 95.911389][T10418]  ? mm_update_next_owner+0x7a0/0x7a0
[ 95.911403][T10418]  ? up_read+0x1ab/0x750
[ 95.911422][T10418]  ? mark_held_locks+0x9f/0xe0
[ 95.911438][T10418]  ? down_read_non_owner+0x470/0x470
[ 95.911460][T10418]  ? handle_mm_fault+0x491/0xa10
[ 95.911480][T10418]  do_group_exit+0x125/0x340
[ 95.911497][T10418]  __x64_sys_exit_group+0x3a/0x50
[ 95.911512][T10418]  do_syscall_64+0xf6/0x7d0
[ 95.911530][T10418]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 95.911540][T10418] RIP: 0033:0x43ff38
[ 95.911552][T10418] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[ 95.911559][T10418] RSP: 002b:00007ffd981df7d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 95.911571][T10418] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 95.911579][T10418] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 95.911587][T10418] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 95.911594][T10418] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 95.911601][T10418] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 95.911629][T10418]
[ 95.911635][T10418] Allocated by task 10418:
[ 95.911648][T10418]  save_stack+0x1b/0x80
[ 95.911659][T10418]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 95.911671][T10418]  kmem_cache_alloc_trace+0x153/0x7d0
[ 95.911682][T10418]  vc_allocate+0x1e2/0x6e0
[ 95.911692][T10418]  con_install+0x4f/0x400
[ 95.911702][T10418]  tty_init_dev+0xf5/0x460
[ 95.911712][T10418]  tty_open+0x47f/0xb30
[ 95.911724][T10418]  chrdev_open+0x219/0x5c0
[ 95.911735][T10418]  do_dentry_open+0x4a2/0x1250
[ 95.911746][T10418]  path_openat+0x122a/0x32b0
[ 95.911757][T10418]  do_filp_open+0x192/0x260
[ 95.911767][T10418]  do_sys_openat2+0x54c/0x740
[ 95.911777][T10418]  do_sys_open+0xc3/0x140
[ 95.911787][T10418]  do_syscall_64+0xf6/0x7d0
[ 95.911798][T10418]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 95.911801][T10418]
[ 95.911806][T10418] Freed by task 10420:
[ 95.911817][T10418]  save_stack+0x1b/0x80
[ 95.911829][T10418]  __kasan_slab_free+0xf7/0x140
[ 95.911839][T10418]  kfree+0x109/0x2b0
[ 95.911852][T10418]  vt_disallocate_all+0x293/0x3b0
[ 95.911861][T10418]  vt_ioctl+0xb79/0x2470
[ 95.911871][T10418]  tty_ioctl+0xedd/0x1440
[ 95.911883][T10418]  ksys_ioctl+0x11a/0x180
[ 95.911894][T10418]  __x64_sys_ioctl+0x6f/0xb0
[ 95.911906][T10418]  do_syscall_64+0xf6/0x7d0
[ 95.911918][T10418]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 95.911922][T10418]
[ 95.911931][T10418] The buggy address belongs to the object at ffff8880a7de7000
[ 95.911931][T10418]  which belongs to the cache kmalloc-2k of size 2048
[ 95.911942][T10418] The buggy address is located 264 bytes inside of
[ 95.911942][T10418]  2048-byte region [ffff8880a7de7000, ffff8880a7de7800)
[ 95.911947][T10418] The buggy address belongs to the page:
[ 95.911958][T10418] page:ffffea00029f79c0 refcount:1 mapcount:0 mapping:ffff8880aa000e00 index:0x0
[ 95.911968][T10418] flags: 0xfffe0000000200(slab)
[ 95.911985][T10418] raw: 00fffe0000000200 ffffea0002a11988 ffffea00029b9f48 ffff8880aa000e00
[ 95.912000][T10418] raw: 0000000000000000 ffff8880a7de7000 0000000100000001 0000000000000000
[ 95.912005][T10418] page dumped because: kasan: bad access detected
[ 95.912009][T10418]
[ 95.912013][T10418] Memory state around the buggy address:
[ 95.912022][T10418]  ffff8880a7de7000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 95.912033][T10418]  ffff8880a7de7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 95.912043][T10418] >ffff8880a7de7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 95.912048][T10418]                                        ^
[ 95.912059][T10418]  ffff8880a7de7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 95.912068][T10418]  ffff8880a7de7200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 95.912073][T10418] ==================================================================
[ 95.912077][T10418] Disabling lock debugging due to kernel taint
[ 95.912160][T10418] Kernel panic - not syncing: panic_on_warn set ...
[ 95.912174][T10418] CPU: 1 PID: 10418 Comm: syz-executor349 Tainted: G B 5.6.0-rc5-syzkaller #0
[ 95.912179][T10418] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 95.912183][T10418] Call Trace:
[ 95.912197][T10418]  dump_stack+0x188/0x20d
[ 95.912213][T10418]  panic+0x2e3/0x75c
[ 95.912225][T10418]  ? add_taint.cold+0x16/0x16
[ 95.912242][T10418]  ? preempt_schedule_common+0x5e/0xc0
[ 95.912254][T10418]  ? con_shutdown+0x7f/0x90
[ 95.912267][T10418]  ? ___preempt_schedule+0x16/0x18
[ 95.912288][T10418]  ? trace_hardirqs_on+0x55/0x220
[ 95.912300][T10418]  ? con_shutdown+0x7f/0x90
[ 95.912313][T10418]  end_report+0x43/0x49
[ 95.912323][T10418]  ? con_shutdown+0x7f/0x90
[ 95.912335][T10418]  __kasan_report.cold+0xd/0x32
[ 95.912348][T10418]  ? con_shutdown+0x7f/0x90
[ 95.912360][T10418]  kasan_report+0xe/0x20
[ 95.912369][T10418]  con_shutdown+0x7f/0x90
[ 95.912379][T10418]  ? update_region+0x140/0x140
[ 95.912389][T10418]  release_tty+0xca/0x450
[ 95.912402][T10418]  tty_release_struct+0x37/0x50
[ 95.912414][T10418]  tty_release+0xbc7/0xe90
[ 95.912432][T10418]  ? do_tty_hangup+0x30/0x30
[ 95.912443][T10418]  __fput+0x2da/0x850
[ 95.912463][T10418]  task_work_run+0x13f/0x1b0
[ 95.912481][T10418]  do_exit+0xb34/0x2dd0
[ 95.912502][T10418]  ? mm_update_next_owner+0x7a0/0x7a0
[ 95.912514][T10418]  ? up_read+0x1ab/0x750
[ 95.912525][T10418]  ? mark_held_locks+0x9f/0xe0
[ 95.912538][T10418]  ? down_read_non_owner+0x470/0x470
[ 95.912554][T10418]  ? handle_mm_fault+0x491/0xa10
[ 95.912567][T10418]  do_group_exit+0x125/0x340
[ 95.912580][T10418]  __x64_sys_exit_group+0x3a/0x50
[ 95.912593][T10418]  do_syscall_64+0xf6/0x7d0
[ 95.912607][T10418]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 95.912616][T10418] RIP: 0033:0x43ff38
[ 95.912627][T10418] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[ 95.912634][T10418] RSP: 002b:00007ffd981df7d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 95.912645][T10418] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 95.912651][T10418] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 95.912657][T10418] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 95.912663][T10418] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 95.912670][T10418] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 95.914031][T10418] Kernel Offset: disabled