[   48.571942] audit: type=1800 audit(1582893684.657:31): pid=8050 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   53.831536] kauditd_printk_skb: 3 callbacks suppressed
[   53.831549] audit: type=1400 audit(1582893689.987:35): avc: denied { map } for pid=8222 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.96' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   61.093457] audit: type=1400 audit(1582893697.247:36): avc: denied { map } for pid=8234 comm="syz-executor286" path="/root/syz-executor286947685" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   61.151140] ==================================================================
[   61.151181] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[   61.151190] Write of size 8 at addr ffff888086dc6588 by task syz-executor286/8244
[   61.151192]
[   61.151204] CPU: 1 PID: 8244 Comm: syz-executor286 Not tainted 4.19.106-syzkaller #0
[   61.151212] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   61.151216] Call Trace:
[   61.151231]  dump_stack+0x188/0x20d
[   61.151245]  ? con_shutdown+0x7f/0x90
[   61.151261]  print_address_description.cold+0x7c/0x212
[   61.151274]  ? con_shutdown+0x7f/0x90
[   61.151287]  kasan_report.cold+0x88/0x2b9
[   61.151299]  ? set_palette+0x1b0/0x1b0
[   61.151312]  con_shutdown+0x7f/0x90
[   61.151326]  release_tty+0xda/0x4c0
[   61.151340]  tty_release_struct+0x37/0x50
[   61.151352]  tty_release+0xbc7/0xe90
[   61.151371]  ? tty_release_struct+0x50/0x50
[   61.151385]  __fput+0x2cd/0x890
[   61.151403]  task_work_run+0x13f/0x1b0
[   61.151421]  do_exit+0xbcd/0x2f30
[   61.151441]  ? mm_update_next_owner+0x650/0x650
[   61.151457]  ? up_read+0x17/0x110
[   61.151470]  ? __do_page_fault+0x44e/0xdd0
[   61.151488]  do_group_exit+0x125/0x350
[   61.151503]  __x64_sys_exit_group+0x3a/0x50
[   61.151517]  do_syscall_64+0xf9/0x620
[   61.151534]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   61.151545] RIP: 0033:0x43ff38
[   61.151557] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[   61.151564] RSP: 002b:00007ffdac1ab4d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   61.151577] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[   61.151584] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   61.151592] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[   61.151599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   61.151607] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   61.151625]
[   61.151631] Allocated by task 8244:
[   61.151644]  kasan_kmalloc+0xbf/0xe0
[   61.151654]  kmem_cache_alloc_trace+0x14d/0x7a0
[   61.151666]  vc_allocate+0x1db/0x6d0
[   61.151676]  con_install+0x4f/0x400
[   61.151686]  tty_init_dev+0xee/0x450
[   61.151696]  tty_open+0x4b0/0xb00
[   61.151705]  chrdev_open+0x219/0x5c0
[   61.151715]  do_dentry_open+0x4a8/0x1160
[   61.151734]  path_openat+0x1031/0x4200
[   61.151746]  do_filp_open+0x1a1/0x280
[   61.151756]  do_sys_open+0x3c0/0x500
[   61.151767]  do_syscall_64+0xf9/0x620
[   61.151779]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   61.151782]
[   61.151787] Freed by task 8241:
[   61.151798]  __kasan_slab_free+0xf7/0x140
[   61.151807]  kfree+0xce/0x220
[   61.151819]  vt_disallocate_all+0x293/0x3b0
[   61.151829]  vt_ioctl+0xb79/0x2320
[   61.151838]  tty_ioctl+0x7a1/0x1420
[   61.151849]  do_vfs_ioctl+0xcda/0x12e0
[   61.151858]  ksys_ioctl+0x9b/0xc0
[   61.151868]  __x64_sys_ioctl+0x6f/0xb0
[   61.151880]  do_syscall_64+0xf9/0x620
[   61.151892]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   61.151895]
[   61.151904] The buggy address belongs to the object at ffff888086dc6480
[   61.151904]  which belongs to the cache kmalloc-2048 of size 2048
[   61.151914] The buggy address is located 264 bytes inside of
[   61.151914]  2048-byte region [ffff888086dc6480, ffff888086dc6c80)
[   61.151918] The buggy address belongs to the page:
[   61.151928] page:ffffea00021b7180 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
[   61.151941] flags: 0xfffe0000008100(slab|head)
[   61.151957] raw: 00fffe0000008100 ffffea0002608108 ffffea0002530888 ffff88812c3dcc40
[   61.151971] raw: 0000000000000000 ffff888086dc6480 0000000100000003 0000000000000000
[   61.151976] page dumped because: kasan: bad access detected
[   61.151980]
[   61.151983] Memory state around the buggy address:
[   61.151993]  ffff888086dc6480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   61.152002]  ffff888086dc6500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   61.152011] >ffff888086dc6580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   61.152016]                       ^
[   61.152025]  ffff888086dc6600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   61.152035]  ffff888086dc6680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   61.152038] ==================================================================
[   61.152042] Disabling lock debugging due to kernel taint
[   61.152048] Kernel panic - not syncing: panic_on_warn set ...
[   61.152048]
[   61.152061] CPU: 1 PID: 8244 Comm: syz-executor286 Tainted: G    B             4.19.106-syzkaller #0
[   61.152067] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   61.152071] Call Trace:
[   61.152084]  dump_stack+0x188/0x20d
[   61.152098]  panic+0x26a/0x50e
[   61.152109]  ? __warn_printk+0xf3/0xf3
[   61.152122]  ? lock_downgrade+0x740/0x740
[   61.152137]  ? print_shadow_for_address+0xb8/0x114
[   61.152147]  ? trace_hardirqs_on+0x55/0x210
[   61.152160]  ? con_shutdown+0x7f/0x90
[   61.152169]  kasan_end_report+0x43/0x49
[   61.152180]  kasan_report.cold+0xa4/0x2b9
[   61.152192]  ? set_palette+0x1b0/0x1b0
[   61.152203]  con_shutdown+0x7f/0x90
[   61.152214]  release_tty+0xda/0x4c0
[   61.152227]  tty_release_struct+0x37/0x50
[   61.152237]  tty_release+0xbc7/0xe90
[   61.152252]  ? tty_release_struct+0x50/0x50
[   61.152263]  __fput+0x2cd/0x890
[   61.152277]  task_work_run+0x13f/0x1b0
[   61.152291]  do_exit+0xbcd/0x2f30
[   61.152306]  ? mm_update_next_owner+0x650/0x650
[   61.152319]  ? up_read+0x17/0x110
[   61.152329]  ? __do_page_fault+0x44e/0xdd0
[   61.152343]  do_group_exit+0x125/0x350
[   61.152356]  __x64_sys_exit_group+0x3a/0x50
[   61.152368]  do_syscall_64+0xf9/0x620
[   61.152382]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   61.152390] RIP: 0033:0x43ff38
[   61.152402] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[   61.152408] RSP: 002b:00007ffdac1ab4d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   61.152417] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[   61.152424] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   61.152430] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[   61.152437] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   61.152444] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   61.153953] Kernel Offset: disabled
[   61.774490] Rebooting in 86400 seconds..