executing program
syzkaller login: [   64.803617] kauditd_printk_skb: 5 callbacks suppressed
[   64.803633] audit: type=1400 audit(1585373240.960:36): avc:  denied  { map } for  pid=8683 comm="syz-executor869" path="/root/syz-executor869079836" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
[   65.017326] ==================================================================
[   65.017370] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[   65.017382] Write of size 8 at addr ffff888085a22fc8 by task syz-executor869/8703
[   65.017385] 
[   65.017399] CPU: 1 PID: 8703 Comm: syz-executor869 Not tainted 4.19.113-syzkaller #0
[   65.017407] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   65.017412] Call Trace:
[   65.017431]  dump_stack+0x188/0x20d
[   65.017446]  ? con_shutdown+0x7f/0x90
[   65.017464]  print_address_description.cold+0x7c/0x212
[   65.017478]  ? con_shutdown+0x7f/0x90
[   65.017491]  kasan_report.cold+0x88/0x2b9
[   65.017504]  ? set_palette+0x1b0/0x1b0
[   65.017518]  con_shutdown+0x7f/0x90
[   65.017532]  release_tty+0xda/0x4c0
[   65.017547]  tty_release_struct+0x37/0x50
[   65.017570]  tty_release+0xbc7/0xe90
[   65.017592]  ? tty_release_struct+0x50/0x50
[   65.017607]  __fput+0x2cd/0x890
[   65.017627]  task_work_run+0x13f/0x1b0
[   65.017646]  do_exit+0xbcd/0x2f30
[   65.017669]  ? mm_update_next_owner+0x650/0x650
[   65.017689]  ? up_read+0x17/0x110
[   65.017703]  ? __do_page_fault+0x44e/0xdd0
[   65.017723]  do_group_exit+0x125/0x350
[   65.017740]  __x64_sys_exit_group+0x3a/0x50
[   65.017755]  do_syscall_64+0xf9/0x620
[   65.017773]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   65.017784] RIP: 0033:0x43ff38
[   65.017798] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[   65.017807] RSP: 002b:00007ffc256474d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   65.017820] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[   65.017828] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   65.017837] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[   65.017845] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   65.017853] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   65.017873] 
[   65.017880] Allocated by task 8703:
[   65.017894]  kasan_kmalloc+0xbf/0xe0
[   65.017906]  kmem_cache_alloc_trace+0x14d/0x7a0
[   65.017918]  vc_allocate+0x1db/0x6d0
[   65.017929]  con_install+0x4f/0x400
[   65.017941]  tty_init_dev+0xee/0x450
[   65.017952]  tty_open+0x4b0/0xb00
[   65.017963]  chrdev_open+0x219/0x5c0
[   65.017973]  do_dentry_open+0x4a8/0x1160
[   65.017987]  path_openat+0x1031/0x4200
[   65.017997]  do_filp_open+0x1a1/0x280
[   65.018008]  do_sys_open+0x3c0/0x500
[   65.018020]  do_syscall_64+0xf9/0x620
[   65.018031]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   65.018035] 
[   65.018041] Freed by task 8704:
[   65.018053]  __kasan_slab_free+0xf7/0x140
[   65.018062]  kfree+0xce/0x220
[   65.018075]  vt_disallocate_all+0x293/0x3b0
[   65.018087]  vt_ioctl+0xb79/0x2310
[   65.018099]  tty_ioctl+0x7a1/0x1420
[   65.018110]  do_vfs_ioctl+0xcda/0x12e0
[   65.018121]  ksys_ioctl+0x9b/0xc0
[   65.018156]  __x64_sys_ioctl+0x6f/0xb0
[   65.018169]  do_syscall_64+0xf9/0x620
[   65.018181]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   65.018185] 
[   65.018195] The buggy address belongs to the object at ffff888085a22ec0
[   65.018195]  which belongs to the cache kmalloc-2048 of size 2048
[   65.018207] The buggy address is located 264 bytes inside of
[   65.018207]  2048-byte region [ffff888085a22ec0, ffff888085a236c0)
[   65.018212] The buggy address belongs to the page:
[   65.018224] page:ffffea0002168880 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
[   65.018246] flags: 0xfffe0000008100(slab|head)
[   65.018264] raw: 00fffe0000008100 ffffea0002913408 ffffea00021b8f08 ffff88812c3dcc40
[   65.018280] raw: 0000000000000000 ffff888085a22640 0000000100000003 0000000000000000
[   65.018285] page dumped because: kasan: bad access detected
[   65.018289] 
[   65.018293] Memory state around the buggy address:
[   65.018305]  ffff888085a22e80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   65.018315]  ffff888085a22f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.018333] >ffff888085a22f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.018338]                                               ^
[   65.018349]  ffff888085a23000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.018359]  ffff888085a23080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.018364] ==================================================================
[   65.018369] Disabling lock debugging due to kernel taint
[   65.018513] Kernel panic - not syncing: panic_on_warn set ...
[   65.018513] 
[   65.018529] CPU: 1 PID: 8703 Comm: syz-executor869 Tainted: G    B             4.19.113-syzkaller #0
[   65.018536] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   65.018540] Call Trace:
[   65.018566]  dump_stack+0x188/0x20d
[   65.018583]  panic+0x26a/0x50e
[   65.018597]  ? __warn_printk+0xf3/0xf3
[   65.018613]  ? preempt_schedule_common+0x4a/0xc0
[   65.018626]  ? con_shutdown+0x7f/0x90
[   65.018640]  ? ___preempt_schedule+0x16/0x18
[   65.018654]  ? trace_hardirqs_on+0x55/0x210
[   65.018666]  ? con_shutdown+0x7f/0x90
[   65.018678]  kasan_end_report+0x43/0x49
[   65.018691]  kasan_report.cold+0xa4/0x2b9
[   65.018704]  ? set_palette+0x1b0/0x1b0
[   65.018716]  con_shutdown+0x7f/0x90
[   65.018728]  release_tty+0xda/0x4c0
[   65.018740]  tty_release_struct+0x37/0x50
[   65.018752]  tty_release+0xbc7/0xe90
[   65.018769]  ? tty_release_struct+0x50/0x50
[   65.018781]  __fput+0x2cd/0x890
[   65.018797]  task_work_run+0x13f/0x1b0
[   65.018811]  do_exit+0xbcd/0x2f30
[   65.018828]  ? mm_update_next_owner+0x650/0x650
[   65.018843]  ? up_read+0x17/0x110
[   65.018854]  ? __do_page_fault+0x44e/0xdd0
[   65.018869]  do_group_exit+0x125/0x350
[   65.018884]  __x64_sys_exit_group+0x3a/0x50
[   65.018897]  do_syscall_64+0xf9/0x620
[   65.018911]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   65.018920] RIP: 0033:0x43ff38
[   65.018932] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[   65.018938] RSP: 002b:00007ffc256474d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   65.018950] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[   65.018957] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   65.018965] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[   65.018972] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   65.018979] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   65.020178] Kernel Offset: disabled
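The three stacks above are the whole story of this bug: the object is allocated by tty_open -> con_install -> vc_allocate in task 8703, freed by a different task (8704) through vt_ioctl -> vt_disallocate_all, and then written 264 bytes in by con_shutdown when task 8703's exit_group closes its tty. A free in one syscall path and a use in another is what makes this a race between VT ioctl handling and tty release rather than a simple lifetime slip. The script below is an added example, not part of the syzkaller report, syzkaller or KASAN: it parses the report text KASAN prints in this kernel series and derives those triage facts (use/alloc/free site, the syscall each stack came in through, offset inside the object, and whether free and use happened in different tasks). parse_kasan, triage, culprit, syscall_of and SAMPLE are names chosen here; SAMPLE is a trimmed copy of the report lines above. The "? " frames are deliberately dropped, since KASAN marks them as unreliable stack guesses, and the second "Call Trace:" (the panic_on_warn path) is ignored because it is the same access stack printed again.

```python
"""Triage helper for a KASAN report. Added example, not part of the syzkaller
log, of syzkaller or of KASAN; it only reads the text format KASAN prints."""
import re
from dataclasses import dataclass, field
from typing import Optional

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")            # "[   65.017370] " log prefix
_FRAME = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Reporting and allocator plumbing that sits above the code that owns the bug.
_NOISE = ("dump_stack", "print_address_description", "kasan_", "__kasan",
          "kfree", "kmem_cache_alloc", "__kmalloc", "kmalloc")

@dataclass
class KasanReport:
    bug: str = ""
    site: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    pid: int = 0
    alloc_pid: Optional[int] = None
    free_pid: Optional[int] = None
    obj_base: Optional[int] = None
    obj_size: Optional[int] = None
    cache: str = ""
    stacks: dict = field(default_factory=lambda: {"access": [], "alloc": [], "free": []})

def parse_kasan(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = _TS.sub("", raw)
        if m := re.match(r"BUG: KASAN: (.+) in (\S+)", line):
            r.bug, r.site = m.group(1), m.group(2).split("+")[0]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", line):
            r.access, r.size = m.group(1), int(m.group(2))
            r.addr, r.pid = int(m.group(3), 16), int(m.group(4))
        elif line.startswith("Call Trace:") and not r.stacks["access"]:
            section = "access"                      # the later panic trace is ignored
        elif m := re.match(r"Allocated by task (\d+):", line):
            r.alloc_pid, section = int(m.group(1)), "alloc"
        elif m := re.match(r"Freed by task (\d+):", line):
            r.free_pid, section = int(m.group(1)), "free"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj_base, section = int(m.group(1), 16), None
        elif m := re.match(r"\s*which belongs to the cache (\S+) of size (\d+)", line):
            r.cache, r.obj_size = m.group(1), int(m.group(2))
        elif section and (m := _FRAME.match(line)):
            if not m.group(1):                      # "? " frames are stale guesses; drop them
                r.stacks[section].append(m.group(2))
        elif section and not line.strip():
            section = None                          # a blank line ends a stack dump
    return r

def culprit(frames):
    """First frame below the KASAN/allocator plumbing: the code that did the operation."""
    return next((f for f in frames if not f.startswith(_NOISE)), None)

def syscall_of(frames):
    """The syscall handler sitting right above do_syscall_64, if the stack has one."""
    i = frames.index("do_syscall_64") if "do_syscall_64" in frames else 0
    return frames[i - 1] if i > 0 else None

def triage(r: KasanReport) -> dict:
    off = r.addr - r.obj_base if r.obj_base is not None else None
    return {
        "bug": r.bug, "site": r.site, "cache": r.cache, "offset": off,
        "use": culprit(r.stacks["access"]), "use_syscall": syscall_of(r.stacks["access"]),
        "alloc": culprit(r.stacks["alloc"]),
        "free": culprit(r.stacks["free"]), "free_syscall": syscall_of(r.stacks["free"]),
        # Freed in one task, used in another: two syscall paths raced over the object.
        "cross_task": r.free_pid is not None and r.free_pid != r.pid,
    }

# Trimmed copy of the report above, used as the worked input.
SAMPLE = """\
[   65.017370] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[   65.017382] Write of size 8 at addr ffff888085a22fc8 by task syz-executor869/8703
[   65.017412] Call Trace:
[   65.017431]  dump_stack+0x188/0x20d
[   65.017446]  ? con_shutdown+0x7f/0x90
[   65.017491]  kasan_report.cold+0x88/0x2b9
[   65.017518]  con_shutdown+0x7f/0x90
[   65.017532]  release_tty+0xda/0x4c0
[   65.017570]  tty_release+0xbc7/0xe90
[   65.017646]  do_exit+0xbcd/0x2f30
[   65.017740]  __x64_sys_exit_group+0x3a/0x50
[   65.017755]  do_syscall_64+0xf9/0x620
[   65.017773]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   65.017784] RIP: 0033:0x43ff38
[   65.017873]
[   65.017880] Allocated by task 8703:
[   65.017894]  kasan_kmalloc+0xbf/0xe0
[   65.017906]  kmem_cache_alloc_trace+0x14d/0x7a0
[   65.017918]  vc_allocate+0x1db/0x6d0
[   65.017929]  con_install+0x4f/0x400
[   65.017952]  tty_open+0x4b0/0xb00
[   65.018035]
[   65.018041] Freed by task 8704:
[   65.018053]  __kasan_slab_free+0xf7/0x140
[   65.018062]  kfree+0xce/0x220
[   65.018075]  vt_disallocate_all+0x293/0x3b0
[   65.018087]  vt_ioctl+0xb79/0x2310
[   65.018156]  __x64_sys_ioctl+0x6f/0xb0
[   65.018169]  do_syscall_64+0xf9/0x620
[   65.018185]
[   65.018195] The buggy address belongs to the object at ffff888085a22ec0
[   65.018195]  which belongs to the cache kmalloc-2048 of size 2048
"""

if __name__ == "__main__":
    print(triage(parse_kasan(SAMPLE)))
```

On this report the output names con_shutdown as the use, vc_allocate as the allocation, vt_disallocate_all as the free, __x64_sys_exit_group and __x64_sys_ioctl as the two syscalls involved, offset 264 inside a kmalloc-2048 object, and cross_task True. The offset check is worth keeping: KASAN already prints "264 bytes inside of", and recomputing it from the addresses confirms the report was not garbled in transit, which matters when the log arrives folded into a few long lines as this one did.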