Warning: Permanently added '10.128.0.193' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   67.738576] kauditd_printk_skb: 3 callbacks suppressed
[   67.738590] audit: type=1400 audit(1583424328.117:36): avc:  denied  { map } for  pid=8080 comm="syz-executor284" path="/root/syz-executor284987904" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   67.806222] ==================================================================
[   67.806263] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[   67.806274] Write of size 8 at addr ffff8880a09b84c8 by task syz-executor284/8088
[   67.806277] 
[   67.806289] CPU: 1 PID: 8088 Comm: syz-executor284 Not tainted 4.19.107-syzkaller #0
[   67.806297] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.806301] Call Trace:
[   67.806319]  dump_stack+0x188/0x20d
[   67.806334]  ? con_shutdown+0x7f/0x90
[   67.806349]  print_address_description.cold+0x7c/0x212
[   67.806361]  ? con_shutdown+0x7f/0x90
[   67.806373]  kasan_report.cold+0x88/0x2b9
[   67.806385]  ? set_palette+0x1b0/0x1b0
[   67.806397]  con_shutdown+0x7f/0x90
[   67.806408]  release_tty+0xda/0x4c0
[   67.806421]  tty_release_struct+0x37/0x50
[   67.806432]  tty_release+0xbc7/0xe90
[   67.806449]  ? tty_release_struct+0x50/0x50
[   67.806462]  __fput+0x2cd/0x890
[   67.806479]  task_work_run+0x13f/0x1b0
[   67.806496]  do_exit+0xbcd/0x2f30
[   67.806515]  ? mm_update_next_owner+0x650/0x650
[   67.806531]  ? up_read+0x17/0x110
[   67.806545]  ? __do_page_fault+0x44e/0xdd0
[   67.806563]  do_group_exit+0x125/0x350
[   67.806579]  __x64_sys_exit_group+0x3a/0x50
[   67.806594]  do_syscall_64+0xf9/0x620
[   67.806611]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   67.806621] RIP: 0033:0x43ff38
[   67.806633] Code: Bad RIP value.
[   67.806640] RSP: 002b:00007ffee4d52668 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   67.806652] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[   67.806659] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   67.806665] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[   67.806672] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   67.806678] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   67.806694] 
[   67.806699] Allocated by task 8088:
[   67.806711]  kasan_kmalloc+0xbf/0xe0
[   67.806727]  kmem_cache_alloc_trace+0x14d/0x7a0
[   67.806737]  vc_allocate+0x1db/0x6d0
[   67.806747]  con_install+0x4f/0x400
[   67.806756]  tty_init_dev+0xee/0x450
[   67.806765]  tty_open+0x4b0/0xb00
[   67.806774]  chrdev_open+0x219/0x5c0
[   67.806783]  do_dentry_open+0x4a8/0x1160
[   67.806794]  path_openat+0x1031/0x4200
[   67.806802]  do_filp_open+0x1a1/0x280
[   67.806811]  do_sys_open+0x3c0/0x500
[   67.806821]  do_syscall_64+0xf9/0x620
[   67.806832]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   67.806835] 
[   67.806840] Freed by task 8090:
[   67.806850]  __kasan_slab_free+0xf7/0x140
[   67.806858]  kfree+0xce/0x220
[   67.806874]  vt_disallocate_all+0x293/0x3b0
[   67.806884]  vt_ioctl+0xb79/0x2310
[   67.806894]  tty_ioctl+0x7a1/0x1420
[   67.806903]  do_vfs_ioctl+0xcda/0x12e0
[   67.806912]  ksys_ioctl+0x9b/0xc0
[   67.806921]  __x64_sys_ioctl+0x6f/0xb0
[   67.806931]  do_syscall_64+0xf9/0x620
[   67.806942]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   67.806945] 
[   67.806953] The buggy address belongs to the object at ffff8880a09b83c0
[   67.806953]  which belongs to the cache kmalloc-2048 of size 2048
[   67.806963] The buggy address is located 264 bytes inside of
[   67.806963]  2048-byte region [ffff8880a09b83c0, ffff8880a09b8bc0)
[   67.806967] The buggy address belongs to the page:
[   67.806977] page:ffffea0002826e00 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
[   67.806989] flags: 0xfffe0000008100(slab|head)
[   67.807004] raw: 00fffe0000008100 ffffea0002828a88 ffffea000283ee08 ffff88812c3dcc40
[   67.807017] raw: 0000000000000000 ffff8880a09b83c0 0000000100000003 0000000000000000
[   67.807022] page dumped because: kasan: bad access detected
[   67.807025] 
[   67.807028] Memory state around the buggy address:
[   67.807037]  ffff8880a09b8380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   67.807046]  ffff8880a09b8400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.807055] >ffff8880a09b8480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.807060]                                               ^
[   67.807068]  ffff8880a09b8500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.807076]  ffff8880a09b8580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.807080] ==================================================================
[   67.807084] Disabling lock debugging due to kernel taint
[   67.807104] Kernel panic - not syncing: panic_on_warn set ...
[   67.807104] 
[   67.807115] CPU: 1 PID: 8088 Comm: syz-executor284 Tainted: G    B             4.19.107-syzkaller #0
[   67.807121] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.807124] Call Trace:
[   67.807137]  dump_stack+0x188/0x20d
[   67.807151]  panic+0x26a/0x50e
[   67.807164]  ? __warn_printk+0xf3/0xf3
[   67.807175]  ? retint_kernel+0x2d/0x2d
[   67.807190]  ? trace_hardirqs_on+0x55/0x210
[   67.807200]  ? con_shutdown+0x7f/0x90
[   67.807211]  kasan_end_report+0x43/0x49
[   67.807221]  kasan_report.cold+0xa4/0x2b9
[   67.807232]  ? set_palette+0x1b0/0x1b0
[   67.807241]  con_shutdown+0x7f/0x90
[   67.807251]  release_tty+0xda/0x4c0
[   67.807262]  tty_release_struct+0x37/0x50
[   67.807272]  tty_release+0xbc7/0xe90
[   67.807285]  ? tty_release_struct+0x50/0x50
[   67.807294]  __fput+0x2cd/0x890
[   67.807308]  task_work_run+0x13f/0x1b0
[   67.807319]  do_exit+0xbcd/0x2f30
[   67.807333]  ? mm_update_next_owner+0x650/0x650
[   67.807345]  ? up_read+0x17/0x110
[   67.807355]  ? __do_page_fault+0x44e/0xdd0
[   67.807367]  do_group_exit+0x125/0x350
[   67.807379]  __x64_sys_exit_group+0x3a/0x50
[   67.807389]  do_syscall_64+0xf9/0x620
[   67.807402]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   67.807409] RIP: 0033:0x43ff38
[   67.807417] Code: Bad RIP value.
[   67.807423] RSP: 002b:00007ffee4d52668 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   67.807432] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[   67.807438] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   67.807445] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[   67.807450] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   67.807456] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   67.808851] Kernel Offset: disabled