Warning: Permanently added '10.128.0.208' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   53.759421][ T7026] ==================================================================
[   53.759479][ T7026] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[   53.759489][ T7026] Write of size 8 at addr ffff8880a3533108 by task syz-executor291/7026
[   53.759493][ T7026]
[   53.759507][ T7026] CPU: 1 PID: 7026 Comm: syz-executor291 Not tainted 5.6.0-rc7-syzkaller #0
[   53.759514][ T7026] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.759519][ T7026] Call Trace:
[   53.759536][ T7026]  dump_stack+0x188/0x20d
[   53.759549][ T7026]  ? con_shutdown+0x7f/0x90
[   53.759563][ T7026]  ? con_shutdown+0x7f/0x90
[   53.759582][ T7026]  print_address_description.constprop.0.cold+0xd3/0x315
[   53.759594][ T7026]  ? con_shutdown+0x7f/0x90
[   53.759608][ T7026]  ? con_shutdown+0x7f/0x90
[   53.759621][ T7026]  __kasan_report.cold+0x1a/0x32
[   53.759639][ T7026]  ? con_shutdown+0x7f/0x90
[   53.759657][ T7026]  kasan_report+0xe/0x20
[   53.759669][ T7026]  con_shutdown+0x7f/0x90
[   53.759680][ T7026]  ? update_region+0x140/0x140
[   53.759691][ T7026]  release_tty+0xca/0x450
[   53.759706][ T7026]  tty_release_struct+0x37/0x50
[   53.759719][ T7026]  tty_release+0xbc7/0xe90
[   53.759745][ T7026]  ? do_tty_hangup+0x30/0x30
[   53.759756][ T7026]  __fput+0x2da/0x850
[   53.759784][ T7026]  task_work_run+0x13f/0x1b0
[   53.759810][ T7026]  do_exit+0xb34/0x2dd0
[   53.759842][ T7026]  ? mm_update_next_owner+0x7a0/0x7a0
[   53.759860][ T7026]  ? up_read+0x1ab/0x750
[   53.759874][ T7026]  ? mark_held_locks+0x9f/0xe0
[   53.759889][ T7026]  ? down_read_non_owner+0x470/0x470
[   53.759916][ T7026]  do_group_exit+0x125/0x340
[   53.759934][ T7026]  __ia32_sys_exit_group+0x3a/0x50
[   53.759949][ T7026]  do_fast_syscall_32+0x270/0xe8f
[   53.759972][ T7026]  entry_SYSENTER_compat+0x70/0x7f
[   53.760003][ T7026]
[   53.760010][ T7026] Allocated by task 7026:
[   53.760027][ T7026]  save_stack+0x1b/0x80
[   53.760040][ T7026]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   53.760052][ T7026]  kmem_cache_alloc_trace+0x153/0x7d0
[   53.760063][ T7026]  vc_allocate+0x1e2/0x6e0
[   53.760073][ T7026]  con_install+0x4f/0x400
[   53.760083][ T7026]  tty_init_dev+0xf5/0x460
[   53.760093][ T7026]  tty_open+0x47f/0xb30
[   53.760104][ T7026]  chrdev_open+0x219/0x5c0
[   53.760115][ T7026]  do_dentry_open+0x4a2/0x1250
[   53.760127][ T7026]  path_openat+0x122a/0x32b0
[   53.760137][ T7026]  do_filp_open+0x192/0x260
[   53.760148][ T7026]  do_sys_openat2+0x54c/0x740
[   53.760159][ T7026]  do_sys_open+0xc3/0x140
[   53.760171][ T7026]  do_fast_syscall_32+0x270/0xe8f
[   53.760182][ T7026]  entry_SYSENTER_compat+0x70/0x7f
[   53.760186][ T7026]
[   53.760191][ T7026] Freed by task 7028:
[   53.760202][ T7026]  save_stack+0x1b/0x80
[   53.760213][ T7026]  __kasan_slab_free+0xf7/0x140
[   53.760229][ T7026]  kfree+0x109/0x2b0
[   53.760241][ T7026]  vt_disallocate_all+0x293/0x3b0
[   53.760252][ T7026]  vt_ioctl+0xb79/0x2470
[   53.760263][ T7026]  vt_compat_ioctl+0x410/0x710
[   53.760273][ T7026]  tty_compat_ioctl+0x19c/0x410
[   53.760286][ T7026]  __ia32_compat_sys_ioctl+0x23d/0x2b0
[   53.760298][ T7026]  do_fast_syscall_32+0x270/0xe8f
[   53.760309][ T7026]  entry_SYSENTER_compat+0x70/0x7f
[   53.760313][ T7026]
[   53.760322][ T7026] The buggy address belongs to the object at ffff8880a3533000
[   53.760322][ T7026]  which belongs to the cache kmalloc-2k of size 2048
[   53.760332][ T7026] The buggy address is located 264 bytes inside of
[   53.760332][ T7026]  2048-byte region [ffff8880a3533000, ffff8880a3533800)
[   53.760337][ T7026] The buggy address belongs to the page:
[   53.760349][ T7026] page:ffffea00028d4cc0 refcount:1 mapcount:0 mapping:ffff8880aa000e00 index:0x0
[   53.760358][ T7026] flags: 0xfffe0000000200(slab)
[   53.760374][ T7026] raw: 00fffe0000000200 ffffea00029b9cc8 ffffea00028da3c8 ffff8880aa000e00
[   53.760389][ T7026] raw: 0000000000000000 ffff8880a3533000 0000000100000001 0000000000000000
[   53.760395][ T7026] page dumped because: kasan: bad access detected
[   53.760398][ T7026]
[   53.760402][ T7026] Memory state around the buggy address:
[   53.760413][ T7026]  ffff8880a3533000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.760423][ T7026]  ffff8880a3533080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.760433][ T7026] >ffff8880a3533100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.760438][ T7026]                       ^
[   53.760447][ T7026]  ffff8880a3533180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.760457][ T7026]  ffff8880a3533200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.760461][ T7026] ==================================================================
[   53.760466][ T7026] Disabling lock debugging due to kernel taint
[   53.760534][ T7026] Kernel panic - not syncing: panic_on_warn set ...
[   53.760546][ T7026] CPU: 1 PID: 7026 Comm: syz-executor291 Tainted: G    B             5.6.0-rc7-syzkaller #0
[   53.760553][ T7026] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.760556][ T7026] Call Trace:
[   53.760569][ T7026]  dump_stack+0x188/0x20d
[   53.760584][ T7026]  panic+0x2e3/0x75c
[   53.760596][ T7026]  ? add_taint.cold+0x16/0x16
[   53.760611][ T7026]  ? preempt_schedule_common+0x5e/0xc0
[   53.760623][ T7026]  ? con_shutdown+0x7f/0x90
[   53.760635][ T7026]  ? ___preempt_schedule+0x16/0x18
[   53.760649][ T7026]  ? trace_hardirqs_on+0x55/0x220
[   53.760663][ T7026]  ? con_shutdown+0x7f/0x90
[   53.760676][ T7026]  end_report+0x43/0x49
[   53.760687][ T7026]  ? con_shutdown+0x7f/0x90
[   53.760698][ T7026]  __kasan_report.cold+0xd/0x32
[   53.760712][ T7026]  ? con_shutdown+0x7f/0x90
[   53.760725][ T7026]  kasan_report+0xe/0x20
[   53.760734][ T7026]  con_shutdown+0x7f/0x90
[   53.760744][ T7026]  ? update_region+0x140/0x140
[   53.760753][ T7026]  release_tty+0xca/0x450
[   53.760766][ T7026]  tty_release_struct+0x37/0x50
[   53.760778][ T7026]  tty_release+0xbc7/0xe90
[   53.760795][ T7026]  ? do_tty_hangup+0x30/0x30
[   53.760805][ T7026]  __fput+0x2da/0x850
[   53.760822][ T7026]  task_work_run+0x13f/0x1b0
[   53.760837][ T7026]  do_exit+0xb34/0x2dd0
[   53.760857][ T7026]  ? mm_update_next_owner+0x7a0/0x7a0
[   53.760870][ T7026]  ? up_read+0x1ab/0x750
[   53.760881][ T7026]  ? mark_held_locks+0x9f/0xe0
[   53.760893][ T7026]  ? down_read_non_owner+0x470/0x470
[   53.760907][ T7026]  do_group_exit+0x125/0x340
[   53.760921][ T7026]  __ia32_sys_exit_group+0x3a/0x50
[   53.760934][ T7026]  do_fast_syscall_32+0x270/0xe8f
[   53.760950][ T7026]  entry_SYSENTER_compat+0x70/0x7f
[   53.762393][ T7026] Kernel Offset: disabled
[   54.372758][ T7026] Rebooting in 86400 seconds..