Warning: Permanently added '10.128.0.193' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 67.738576] kauditd_printk_skb: 3 callbacks suppressed
[ 67.738590] audit: type=1400 audit(1583424328.117:36): avc: denied { map } for pid=8080 comm="syz-executor284" path="/root/syz-executor284987904" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 67.806222] ==================================================================
[ 67.806263] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[ 67.806274] Write of size 8 at addr ffff8880a09b84c8 by task syz-executor284/8088
[ 67.806277]
[ 67.806289] CPU: 1 PID: 8088 Comm: syz-executor284 Not tainted 4.19.107-syzkaller #0
[ 67.806297] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.806301] Call Trace:
[ 67.806319]  dump_stack+0x188/0x20d
[ 67.806334]  ? con_shutdown+0x7f/0x90
[ 67.806349]  print_address_description.cold+0x7c/0x212
[ 67.806361]  ? con_shutdown+0x7f/0x90
[ 67.806373]  kasan_report.cold+0x88/0x2b9
[ 67.806385]  ? set_palette+0x1b0/0x1b0
[ 67.806397]  con_shutdown+0x7f/0x90
[ 67.806408]  release_tty+0xda/0x4c0
[ 67.806421]  tty_release_struct+0x37/0x50
[ 67.806432]  tty_release+0xbc7/0xe90
[ 67.806449]  ? tty_release_struct+0x50/0x50
[ 67.806462]  __fput+0x2cd/0x890
[ 67.806479]  task_work_run+0x13f/0x1b0
[ 67.806496]  do_exit+0xbcd/0x2f30
[ 67.806515]  ? mm_update_next_owner+0x650/0x650
[ 67.806531]  ? up_read+0x17/0x110
[ 67.806545]  ? __do_page_fault+0x44e/0xdd0
[ 67.806563]  do_group_exit+0x125/0x350
[ 67.806579]  __x64_sys_exit_group+0x3a/0x50
[ 67.806594]  do_syscall_64+0xf9/0x620
[ 67.806611]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 67.806621] RIP: 0033:0x43ff38
[ 67.806633] Code: Bad RIP value.
[ 67.806640] RSP: 002b:00007ffee4d52668 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 67.806652] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 67.806659] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 67.806665] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 67.806672] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 67.806678] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 67.806694]
[ 67.806699] Allocated by task 8088:
[ 67.806711]  kasan_kmalloc+0xbf/0xe0
[ 67.806727]  kmem_cache_alloc_trace+0x14d/0x7a0
[ 67.806737]  vc_allocate+0x1db/0x6d0
[ 67.806747]  con_install+0x4f/0x400
[ 67.806756]  tty_init_dev+0xee/0x450
[ 67.806765]  tty_open+0x4b0/0xb00
[ 67.806774]  chrdev_open+0x219/0x5c0
[ 67.806783]  do_dentry_open+0x4a8/0x1160
[ 67.806794]  path_openat+0x1031/0x4200
[ 67.806802]  do_filp_open+0x1a1/0x280
[ 67.806811]  do_sys_open+0x3c0/0x500
[ 67.806821]  do_syscall_64+0xf9/0x620
[ 67.806832]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 67.806835]
[ 67.806840] Freed by task 8090:
[ 67.806850]  __kasan_slab_free+0xf7/0x140
[ 67.806858]  kfree+0xce/0x220
[ 67.806874]  vt_disallocate_all+0x293/0x3b0
[ 67.806884]  vt_ioctl+0xb79/0x2310
[ 67.806894]  tty_ioctl+0x7a1/0x1420
[ 67.806903]  do_vfs_ioctl+0xcda/0x12e0
[ 67.806912]  ksys_ioctl+0x9b/0xc0
[ 67.806921]  __x64_sys_ioctl+0x6f/0xb0
[ 67.806931]  do_syscall_64+0xf9/0x620
[ 67.806942]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 67.806945]
[ 67.806953] The buggy address belongs to the object at ffff8880a09b83c0
[ 67.806953]  which belongs to the cache kmalloc-2048 of size 2048
[ 67.806963] The buggy address is located 264 bytes inside of
[ 67.806963]  2048-byte region [ffff8880a09b83c0, ffff8880a09b8bc0)
[ 67.806967] The buggy address belongs to the page:
[ 67.806977] page:ffffea0002826e00 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
[ 67.806989] flags: 0xfffe0000008100(slab|head)
[ 67.807004] raw: 00fffe0000008100 ffffea0002828a88 ffffea000283ee08 ffff88812c3dcc40
[ 67.807017] raw: 0000000000000000 ffff8880a09b83c0 0000000100000003 0000000000000000
[ 67.807022] page dumped because: kasan: bad access detected
[ 67.807025]
[ 67.807028] Memory state around the buggy address:
[ 67.807037]  ffff8880a09b8380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 67.807046]  ffff8880a09b8400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.807055] >ffff8880a09b8480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.807060]                                               ^
[ 67.807068]  ffff8880a09b8500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.807076]  ffff8880a09b8580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.807080] ==================================================================
[ 67.807084] Disabling lock debugging due to kernel taint
[ 67.807104] Kernel panic - not syncing: panic_on_warn set ...
[ 67.807104]
[ 67.807115] CPU: 1 PID: 8088 Comm: syz-executor284 Tainted: G B 4.19.107-syzkaller #0
[ 67.807121] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.807124] Call Trace:
[ 67.807137]  dump_stack+0x188/0x20d
[ 67.807151]  panic+0x26a/0x50e
[ 67.807164]  ? __warn_printk+0xf3/0xf3
[ 67.807175]  ? retint_kernel+0x2d/0x2d
[ 67.807190]  ? trace_hardirqs_on+0x55/0x210
[ 67.807200]  ? con_shutdown+0x7f/0x90
[ 67.807211]  kasan_end_report+0x43/0x49
[ 67.807221]  kasan_report.cold+0xa4/0x2b9
[ 67.807232]  ? set_palette+0x1b0/0x1b0
[ 67.807241]  con_shutdown+0x7f/0x90
[ 67.807251]  release_tty+0xda/0x4c0
[ 67.807262]  tty_release_struct+0x37/0x50
[ 67.807272]  tty_release+0xbc7/0xe90
[ 67.807285]  ? tty_release_struct+0x50/0x50
[ 67.807294]  __fput+0x2cd/0x890
[ 67.807308]  task_work_run+0x13f/0x1b0
[ 67.807319]  do_exit+0xbcd/0x2f30
[ 67.807333]  ? mm_update_next_owner+0x650/0x650
[ 67.807345]  ? up_read+0x17/0x110
[ 67.807355]  ? __do_page_fault+0x44e/0xdd0
[ 67.807367]  do_group_exit+0x125/0x350
[ 67.807379]  __x64_sys_exit_group+0x3a/0x50
[ 67.807389]  do_syscall_64+0xf9/0x620
[ 67.807402]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 67.807409] RIP: 0033:0x43ff38
[ 67.807417] Code: Bad RIP value.
[ 67.807423] RSP: 002b:00007ffee4d52668 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 67.807432] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 67.807438] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 67.807445] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 67.807450] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 67.807456] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 67.808851] Kernel Offset: disabled