Warning: Permanently added '10.128.0.53' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   60.549614] audit: type=1400 audit(1584657684.007:36): avc:  denied  { map } for  pid=8203 comm="syz-executor526" path="/root/syz-executor526808915" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   60.622350] ==================================================================
[   60.622394] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[   60.622412] Write of size 8 at addr ffff888098c12cc8 by task syz-executor526/8212
[   60.622416] 
[   60.622430] CPU: 1 PID: 8212 Comm: syz-executor526 Not tainted 4.19.111-syzkaller #0
[   60.622438] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   60.622442] Call Trace:
[   60.622555]  dump_stack+0x188/0x20d
[   60.622576]  ? con_shutdown+0x7f/0x90
[   60.622593]  print_address_description.cold+0x7c/0x212
[   60.622607]  ? con_shutdown+0x7f/0x90
[   60.622619]  kasan_report.cold+0x88/0x2b9
[   60.622633]  ? set_palette+0x1b0/0x1b0
[   60.622646]  con_shutdown+0x7f/0x90
[   60.622660]  release_tty+0xda/0x4c0
[   60.622675]  tty_release_struct+0x37/0x50
[   60.622688]  tty_release+0xbc7/0xe90
[   60.622708]  ? tty_release_struct+0x50/0x50
[   60.622722]  __fput+0x2cd/0x890
[   60.622741]  task_work_run+0x13f/0x1b0
[   60.622755]  do_exit+0xbcd/0x2f30
[   60.622771]  ? mm_update_next_owner+0x650/0x650
[   60.622784]  ? up_read+0x17/0x110
[   60.622794]  ? __do_page_fault+0x44e/0xdd0
[   60.622814]  do_group_exit+0x125/0x350
[   60.622829]  __x64_sys_exit_group+0x3a/0x50
[   60.622842]  do_syscall_64+0xf9/0x620
[   60.622858]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   60.622869] RIP: 0033:0x43ff38
[   60.622881] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[   60.622888] RSP: 002b:00007ffe7cf4a7a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   60.622900] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[   60.622908] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   60.622916] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[   60.622923] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   60.622930] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   60.622943] 
[   60.622948] Allocated by task 8212:
[   60.622957]  kasan_kmalloc+0xbf/0xe0
[   60.622966]  kmem_cache_alloc_trace+0x14d/0x7a0
[   60.622974]  vc_allocate+0x1db/0x6d0
[   60.622982]  con_install+0x4f/0x400
[   60.622990]  tty_init_dev+0xee/0x450
[   60.622997]  tty_open+0x4b0/0xb00
[   60.623004]  chrdev_open+0x219/0x5c0
[   60.623013]  do_dentry_open+0x4a8/0x1160
[   60.623023]  path_openat+0x1031/0x4200
[   60.623032]  do_filp_open+0x1a1/0x280
[   60.623039]  do_sys_open+0x3c0/0x500
[   60.623048]  do_syscall_64+0xf9/0x620
[   60.623057]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   60.623060] 
[   60.623065] Freed by task 8210:
[   60.623076]  __kasan_slab_free+0xf7/0x140
[   60.623085]  kfree+0xce/0x220
[   60.623097]  vt_disallocate_all+0x293/0x3b0
[   60.623107]  vt_ioctl+0xb79/0x2310
[   60.623116]  tty_ioctl+0x7a1/0x1420
[   60.623127]  do_vfs_ioctl+0xcda/0x12e0
[   60.623136]  ksys_ioctl+0x9b/0xc0
[   60.623145]  __x64_sys_ioctl+0x6f/0xb0
[   60.623156]  do_syscall_64+0xf9/0x620
[   60.623171]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   60.623174] 
[   60.623181] The buggy address belongs to the object at ffff888098c12bc0
[   60.623181]  which belongs to the cache kmalloc-2048 of size 2048
[   60.623192] The buggy address is located 264 bytes inside of
[   60.623192]  2048-byte region [ffff888098c12bc0, ffff888098c133c0)
[   60.623196] The buggy address belongs to the page:
[   60.623207] page:ffffea0002630480 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
[   60.623219] flags: 0xfffe0000008100(slab|head)
[   60.623236] raw: 00fffe0000008100 ffffea0002637188 ffffea0002495788 ffff88812c3dcc40
[   60.623248] raw: 0000000000000000 ffff888098c12340 0000000100000003 0000000000000000
[   60.623254] page dumped because: kasan: bad access detected
[   60.623257] 
[   60.623261] Memory state around the buggy address:
[   60.623271]  ffff888098c12b80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   60.623281]  ffff888098c12c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.623290] >ffff888098c12c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.623295]                                     ^
[   60.623304]  ffff888098c12d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.623314]  ffff888098c12d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.623318] ==================================================================
[   60.623322] Disabling lock debugging due to kernel taint
[   60.623346] Kernel panic - not syncing: panic_on_warn set ...
[   60.623346] 
[   60.623360] CPU: 1 PID: 8212 Comm: syz-executor526 Tainted: G    B             4.19.111-syzkaller #0
[   60.623367] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   60.623370] Call Trace:
[   60.623383]  dump_stack+0x188/0x20d
[   60.623399]  panic+0x26a/0x50e
[   60.623412]  ? __warn_printk+0xf3/0xf3
[   60.623422]  ? retint_kernel+0x2d/0x2d
[   60.623437]  ? trace_hardirqs_on+0x55/0x210
[   60.623449]  ? con_shutdown+0x7f/0x90
[   60.623461]  kasan_end_report+0x43/0x49
[   60.623473]  kasan_report.cold+0xa4/0x2b9
[   60.623483]  ? set_palette+0x1b0/0x1b0
[   60.623495]  con_shutdown+0x7f/0x90
[   60.623512]  release_tty+0xda/0x4c0
[   60.623525]  tty_release_struct+0x37/0x50
[   60.623536]  tty_release+0xbc7/0xe90
[   60.623551]  ? tty_release_struct+0x50/0x50
[   60.623562]  __fput+0x2cd/0x890
[   60.623575]  task_work_run+0x13f/0x1b0
[   60.623589]  do_exit+0xbcd/0x2f30
[   60.623604]  ? mm_update_next_owner+0x650/0x650
[   60.623617]  ? up_read+0x17/0x110
[   60.623628]  ? __do_page_fault+0x44e/0xdd0
[   60.623642]  do_group_exit+0x125/0x350
[   60.623654]  __x64_sys_exit_group+0x3a/0x50
[   60.623666]  do_syscall_64+0xf9/0x620
[   60.623680]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   60.623688] RIP: 0033:0x43ff38
[   60.623699] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[   60.623705] RSP: 002b:00007ffe7cf4a7a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   60.623716] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[   60.623722] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   60.623728] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[   60.623735] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   60.623741] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   60.625000] Kernel Offset: disabled
[   61.239538] Rebooting in 86400 seconds..
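The report above carries everything needed for a first triage: the faulting write in con_shutdown at tty release, the allocation of the vc_data in vc_allocate during tty_open by PID 8212, and the free in vt_disallocate_all through vt_ioctl by a different task, PID 8210, with the access 264 bytes into a 2048-byte kmalloc-2048 object. The script below is an added triage helper, not syzkaller's or the kernel's code: it parses a KASAN slab report into its access, allocation and free sites, cross-checks the printed offset against the addresses, and flags the cross-task free that is the signature of a lifetime race. The sample text is an abridged copy of the report above; the list of "noise" frames skipped when picking a culprit is my own choice and covers only common allocator and KASAN-reporter symbols.

```python
"""Triage helper for a KASAN slab report (added example, not kernel or syzkaller code)."""
import re
from dataclasses import dataclass, field

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix
_BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
_ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                     r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
_ALLOC = re.compile(r"Allocated by task (\d+):")
_FREE = re.compile(r"Freed by task (\d+):")
_OBJ = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
_CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
_OFFSET = re.compile(r"located (?P<off>\d+) bytes inside of")
_FRAME = re.compile(r"^(\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Allocator plumbing and KASAN's own reporter say nothing about the bug; these
# prefixes (an assumption of this script) are skipped when picking a culprit frame.
_NOISE = ("dump_stack", "print_address_description", "kasan_", "__kasan_",
          "kmem_cache_", "kfree", "kmalloc", "__kmalloc")


@dataclass
class KasanReport:
    kind: str = ""
    fault_func: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    pid: int = 0
    alloc_pid: int = 0
    free_pid: int = 0
    obj_start: int = 0
    obj_size: int = 0
    cache: str = ""
    offset: int = 0  # the "located N bytes inside of" value KASAN prints
    stacks: dict = field(default_factory=lambda: {"use": [], "alloc": [], "free": []})


def parse_kasan_report(text: str) -> KasanReport:
    rep, section = KasanReport(), None
    for raw in text.splitlines():
        line = _TS.sub("", raw).strip()
        if not line:  # a blank line closes the current stack section
            section = None
        elif m := _BUG.search(line):
            rep.kind, rep.fault_func = m["kind"], m["func"].split("+")[0]
        elif m := _ACCESS.search(line):
            rep.op, rep.size = m["op"], int(m["size"])
            rep.addr, rep.pid = int(m["addr"], 16), int(m["pid"])
        elif line == "Call Trace:" and not rep.stacks["use"]:
            section = "use"  # first trace only; the panic trace later repeats it
        elif m := _ALLOC.search(line):
            rep.alloc_pid, section = int(m[1]), "alloc"
        elif m := _FREE.search(line):
            rep.free_pid, section = int(m[1]), "free"
        elif m := _OBJ.search(line):
            rep.obj_start = int(m["obj"], 16)
        elif m := _CACHE.search(line):
            rep.cache, rep.obj_size = m["cache"], int(m["size"])
        elif m := _OFFSET.search(line):
            rep.offset = int(m["off"])
        elif section and (m := _FRAME.match(line)) and not m[1]:
            rep.stacks[section].append(m["sym"])  # "? " frames are stale guesses, dropped
    return rep


def _culprit(frames):
    """First frame that is neither allocator plumbing nor KASAN's reporter."""
    return next((s for s in frames if not s.startswith(_NOISE)), None)


def triage(rep: KasanReport) -> dict:
    computed = rep.addr - rep.obj_start
    return {
        "use_site": _culprit(rep.stacks["use"]),
        "alloc_site": _culprit(rep.stacks["alloc"]),
        "free_site": _culprit(rep.stacks["free"]),
        "offset_in_object": computed,
        # printed offset must agree with the addresses and the access must stay
        # inside the object; otherwise this is not a plain in-object UAF
        "offset_consistent": computed == rep.offset and computed + rep.size <= rep.obj_size,
        # alloc and free in different tasks: the object was shared across tasks
        "freed_by_other_task": rep.free_pid != rep.alloc_pid,
    }


# Abridged copy of the report on this page, used as sample input.
SAMPLE_REPORT = """\
[   60.622394] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[   60.622412] Write of size 8 at addr ffff888098c12cc8 by task syz-executor526/8212
[   60.622442] Call Trace:
[   60.622555]  dump_stack+0x188/0x20d
[   60.622576]  ? con_shutdown+0x7f/0x90
[   60.622593]  print_address_description.cold+0x7c/0x212
[   60.622619]  kasan_report.cold+0x88/0x2b9
[   60.622646]  con_shutdown+0x7f/0x90
[   60.622660]  release_tty+0xda/0x4c0
[   60.622943]
[   60.622948] Allocated by task 8212:
[   60.622957]  kasan_kmalloc+0xbf/0xe0
[   60.622966]  kmem_cache_alloc_trace+0x14d/0x7a0
[   60.622974]  vc_allocate+0x1db/0x6d0
[   60.622982]  con_install+0x4f/0x400
[   60.623060]
[   60.623065] Freed by task 8210:
[   60.623076]  __kasan_slab_free+0xf7/0x140
[   60.623085]  kfree+0xce/0x220
[   60.623097]  vt_disallocate_all+0x293/0x3b0
[   60.623107]  vt_ioctl+0xb79/0x2310
[   60.623174]
[   60.623181] The buggy address belongs to the object at ffff888098c12bc0
[   60.623181]  which belongs to the cache kmalloc-2048 of size 2048
[   60.623192] The buggy address is located 264 bytes inside of
[   60.623192]  2048-byte region [ffff888098c12bc0, ffff888098c133c0)
"""

if __name__ == "__main__":
    for key, val in triage(parse_kasan_report(SAMPLE_REPORT)).items():
        print(f"{key:>20}: {val}")
```

Run on the sample it reports con_shutdown / vc_allocate / vt_disallocate_all as the use, allocation and free sites, confirms the 264-byte offset matches ffff888098c12cc8 minus ffff888098c12bc0, and flags that the free came from a task other than the allocator, which is the cue to look for a missing reference count or lock between VT_DISALLOCATE handling and tty teardown rather than at con_shutdown alone.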