[   67.427182][   T27] audit: type=1800 audit(1584633725.786:25): pid=9436 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   67.447181][   T27] audit: type=1800 audit(1584633725.796:26): pid=9436 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   67.469724][   T27] audit: type=1800 audit(1584633725.796:27): pid=9436 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[....] Starting periodic command scheduler: cron [ ok ].
[   68.017359][ T9504] sshd (9504) used greatest stack depth: 23248 bytes left
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.54' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   77.437326][ T9590] ==================================================================
[   77.437381][ T9590] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[   77.437392][ T9590] Write of size 8 at addr ffff88808d274108 by task syz-executor607/9590
[   77.437396][ T9590] 
[   77.437410][ T9590] CPU: 1 PID: 9590 Comm: syz-executor607 Not tainted 5.6.0-rc6-syzkaller #0
[   77.437417][ T9590] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   77.437421][ T9590] Call Trace:
[   77.437438][ T9590]  dump_stack+0x188/0x20d
[   77.437451][ T9590]  ? con_shutdown+0x7f/0x90
[   77.437464][ T9590]  ? con_shutdown+0x7f/0x90
[   77.437484][ T9590]  print_address_description.constprop.0.cold+0xd3/0x315
[   77.437495][ T9590]  ? con_shutdown+0x7f/0x90
[   77.437508][ T9590]  ? con_shutdown+0x7f/0x90
[   77.437521][ T9590]  __kasan_report.cold+0x1a/0x32
[   77.437538][ T9590]  ? con_shutdown+0x7f/0x90
[   77.437555][ T9590]  kasan_report+0xe/0x20
[   77.437568][ T9590]  con_shutdown+0x7f/0x90
[   77.437578][ T9590]  ? update_region+0x140/0x140
[   77.437589][ T9590]  release_tty+0xca/0x450
[   77.437605][ T9590]  tty_release_struct+0x37/0x50
[   77.437620][ T9590]  tty_release+0xbc7/0xe90
[   77.437659][ T9590]  ? do_tty_hangup+0x30/0x30
[   77.437670][ T9590]  __fput+0x2da/0x850
[   77.437699][ T9590]  task_work_run+0x13f/0x1b0
[   77.437723][ T9590]  do_exit+0xb34/0x2dd0
[   77.437753][ T9590]  ? mm_update_next_owner+0x7a0/0x7a0
[   77.437769][ T9590]  ? up_read+0x1ab/0x750
[   77.437783][ T9590]  ? mark_held_locks+0x9f/0xe0
[   77.437798][ T9590]  ? down_read_non_owner+0x470/0x470
[   77.437823][ T9590]  do_group_exit+0x125/0x340
[   77.437841][ T9590]  __ia32_sys_exit_group+0x3a/0x50
[   77.437856][ T9590]  do_fast_syscall_32+0x270/0xe8f
[   77.437878][ T9590]  entry_SYSENTER_compat+0x70/0x7f
[   77.437907][ T9590] 
[   77.437913][ T9590] Allocated by task 9590:
[   77.437924][ T9590]  save_stack+0x1b/0x80
[   77.437936][ T9590]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   77.437947][ T9590]  kmem_cache_alloc_trace+0x153/0x7d0
[   77.437956][ T9590]  vc_allocate+0x1e2/0x6e0
[   77.437966][ T9590]  con_install+0x4f/0x400
[   77.437976][ T9590]  tty_init_dev+0xf5/0x460
[   77.437985][ T9590]  tty_open+0x47f/0xb30
[   77.437996][ T9590]  chrdev_open+0x219/0x5c0
[   77.438007][ T9590]  do_dentry_open+0x4a2/0x1250
[   77.438017][ T9590]  path_openat+0x122a/0x32b0
[   77.438027][ T9590]  do_filp_open+0x192/0x260
[   77.438037][ T9590]  do_sys_openat2+0x54c/0x740
[   77.438047][ T9590]  do_sys_open+0xc3/0x140
[   77.438059][ T9590]  do_fast_syscall_32+0x270/0xe8f
[   77.438069][ T9590]  entry_SYSENTER_compat+0x70/0x7f
[   77.438073][ T9590] 
[   77.438078][ T9590] Freed by task 9596:
[   77.438088][ T9590]  save_stack+0x1b/0x80
[   77.438099][ T9590]  __kasan_slab_free+0xf7/0x140
[   77.438108][ T9590]  kfree+0x109/0x2b0
[   77.438120][ T9590]  vt_disallocate_all+0x293/0x3b0
[   77.438130][ T9590]  vt_ioctl+0xb79/0x2470
[   77.438141][ T9590]  vt_compat_ioctl+0x410/0x710
[   77.438150][ T9590]  tty_compat_ioctl+0x19c/0x410
[   77.438162][ T9590]  __ia32_compat_sys_ioctl+0x23d/0x2b0
[   77.438174][ T9590]  do_fast_syscall_32+0x270/0xe8f
[   77.438184][ T9590]  entry_SYSENTER_compat+0x70/0x7f
[   77.438187][ T9590] 
[   77.438196][ T9590] The buggy address belongs to the object at ffff88808d274000
[   77.438196][ T9590]  which belongs to the cache kmalloc-2k of size 2048
[   77.438207][ T9590] The buggy address is located 264 bytes inside of
[   77.438207][ T9590]  2048-byte region [ffff88808d274000, ffff88808d274800)
[   77.438217][ T9590] The buggy address belongs to the page:
[   77.438229][ T9590] page:ffffea0002349d00 refcount:1 mapcount:0 mapping:ffff8880aa000e00 index:0x0
[   77.438238][ T9590] flags: 0xfffe0000000200(slab)
[   77.438254][ T9590] raw: 00fffe0000000200 ffffea00027b4a08 ffffea0002a274c8 ffff8880aa000e00
[   77.438268][ T9590] raw: 0000000000000000 ffff88808d274000 0000000100000001 0000000000000000
[   77.438273][ T9590] page dumped because: kasan: bad access detected
[   77.438277][ T9590] 
[   77.438281][ T9590] Memory state around the buggy address:
[   77.438291][ T9590]  ffff88808d274000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.438300][ T9590]  ffff88808d274080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.438309][ T9590] >ffff88808d274100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.438314][ T9590]                       ^
[   77.438323][ T9590]  ffff88808d274180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.438332][ T9590]  ffff88808d274200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.438337][ T9590] ==================================================================
[   77.438341][ T9590] Disabling lock debugging due to kernel taint
[   77.438469][ T9590] Kernel panic - not syncing: panic_on_warn set ...
[   77.438482][ T9590] CPU: 1 PID: 9590 Comm: syz-executor607 Tainted: G    B             5.6.0-rc6-syzkaller #0
[   77.438488][ T9590] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   77.438492][ T9590] Call Trace:
[   77.438504][ T9590]  dump_stack+0x188/0x20d
[   77.438519][ T9590]  panic+0x2e3/0x75c
[   77.438530][ T9590]  ? add_taint.cold+0x16/0x16
[   77.438545][ T9590]  ? preempt_schedule_common+0x5e/0xc0
[   77.438557][ T9590]  ? con_shutdown+0x7f/0x90
[   77.438568][ T9590]  ? ___preempt_schedule+0x16/0x18
[   77.438581][ T9590]  ? trace_hardirqs_on+0x55/0x220
[   77.438592][ T9590]  ? con_shutdown+0x7f/0x90
[   77.438604][ T9590]  end_report+0x43/0x49
[   77.438614][ T9590]  ? con_shutdown+0x7f/0x90
[   77.438625][ T9590]  __kasan_report.cold+0xd/0x32
[   77.438637][ T9590]  ? con_shutdown+0x7f/0x90
[   77.438650][ T9590]  kasan_report+0xe/0x20
[   77.438660][ T9590]  con_shutdown+0x7f/0x90
[   77.438670][ T9590]  ? update_region+0x140/0x140
[   77.438679][ T9590]  release_tty+0xca/0x450
[   77.438691][ T9590]  tty_release_struct+0x37/0x50
[   77.438701][ T9590]  tty_release+0xbc7/0xe90
[   77.438716][ T9590]  ? do_tty_hangup+0x30/0x30
[   77.438725][ T9590]  __fput+0x2da/0x850
[   77.438743][ T9590]  task_work_run+0x13f/0x1b0
[   77.438759][ T9590]  do_exit+0xb34/0x2dd0
[   77.438778][ T9590]  ? mm_update_next_owner+0x7a0/0x7a0
[   77.438790][ T9590]  ? up_read+0x1ab/0x750
[   77.438801][ T9590]  ? mark_held_locks+0x9f/0xe0
[   77.438814][ T9590]  ? down_read_non_owner+0x470/0x470
[   77.438829][ T9590]  do_group_exit+0x125/0x340
[   77.438842][ T9590]  __ia32_sys_exit_group+0x3a/0x50
[   77.438854][ T9590]  do_fast_syscall_32+0x270/0xe8f
[   77.438869][ T9590]  entry_SYSENTER_compat+0x70/0x7f
[   77.440245][ T9590] Kernel Offset: disabled
[   78.051070][ T9590] Rebooting in 86400 seconds..