Warning: Permanently added '10.128.0.48' (ECDSA) to the list of known hosts.
[ 44.290216] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 44.421997] audit: type=1400 audit(1584718446.134:36): avc: denied { map } for pid=7348 comm="syz-executor837" path="/root/syz-executor837228334" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 44.491882] ==================================================================
[ 44.491916] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[ 44.491923] Write of size 8 at addr ffff88809b15eac8 by task syz-executor837/7356
[ 44.491925] 
[ 44.491933] CPU: 0 PID: 7356 Comm: syz-executor837 Not tainted 4.14.174-syzkaller #0
[ 44.491938] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.491941] Call Trace:
[ 44.491953]  dump_stack+0x13e/0x194
[ 44.491962]  ? con_shutdown+0x7f/0x90
[ 44.491972]  print_address_description.cold+0x7c/0x1e2
[ 44.491980]  ? con_shutdown+0x7f/0x90
[ 44.491987]  kasan_report.cold+0xa9/0x2ae
[ 44.491995]  ? set_palette+0x130/0x130
[ 44.492003]  con_shutdown+0x7f/0x90
[ 44.492011]  release_tty+0xb6/0x7a0
[ 44.492020]  tty_release_struct+0x37/0x50
[ 44.492028]  tty_release+0xaa6/0xd60
[ 44.492042]  ? tty_release_struct+0x50/0x50
[ 44.492050]  __fput+0x25f/0x790
[ 44.492079]  task_work_run+0x113/0x190
[ 44.492092]  do_exit+0x9f2/0x2b00
[ 44.492101]  ? __do_page_fault+0x4e4/0xb40
[ 44.492110]  ? mm_update_next_owner+0x5b0/0x5b0
[ 44.492120]  ? lock_downgrade+0x6e0/0x6e0
[ 44.492135]  do_group_exit+0x100/0x310
[ 44.492144]  SyS_exit_group+0x19/0x20
[ 44.492150]  ? do_group_exit+0x310/0x310
[ 44.492157]  do_syscall_64+0x1d5/0x640
[ 44.492170]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.492177] RIP: 0033:0x43ff38
[ 44.492181] RSP: 002b:00007ffcfa09aed8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 44.492190] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 44.492194] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 44.492197] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 44.492201] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 44.492205] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 44.492217] 
[ 44.492221] Allocated by task 7356:
[ 44.492228]  save_stack+0x32/0xa0
[ 44.492234]  kasan_kmalloc+0xbf/0xe0
[ 44.492240]  kmem_cache_alloc_trace+0x14d/0x7b0
[ 44.492247]  vc_allocate+0x142/0x550
[ 44.492252]  con_install+0x4f/0x3e0
[ 44.492266]  tty_init_dev+0xe1/0x3a0
[ 44.492271]  tty_open+0x410/0x9c0
[ 44.492277]  chrdev_open+0x1fc/0x540
[ 44.492284]  do_dentry_open+0x732/0xe90
[ 44.492290]  vfs_open+0x105/0x220
[ 44.492297]  path_openat+0x8ca/0x3c50
[ 44.492302]  do_filp_open+0x18e/0x250
[ 44.492308]  do_sys_open+0x29d/0x3f0
[ 44.492314]  do_syscall_64+0x1d5/0x640
[ 44.492321]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.492324] 
[ 44.492327] Freed by task 7358:
[ 44.492333]  save_stack+0x32/0xa0
[ 44.492339]  kasan_slab_free+0x75/0xc0
[ 44.492344]  kfree+0xcb/0x260
[ 44.492350]  vt_disallocate_all+0x25c/0x340
[ 44.492355]  vt_ioctl+0x6e3/0x1f00
[ 44.492361]  tty_ioctl+0x6c5/0x1220
[ 44.492367]  do_vfs_ioctl+0x75a/0xfe0
[ 44.492373]  SyS_ioctl+0x7f/0xb0
[ 44.492384]  do_syscall_64+0x1d5/0x640
[ 44.492391]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.492394] 
[ 44.492399] The buggy address belongs to the object at ffff88809b15e9c0
[ 44.492399]  which belongs to the cache kmalloc-2048 of size 2048
[ 44.492405] The buggy address is located 264 bytes inside of
[ 44.492405]  2048-byte region [ffff88809b15e9c0, ffff88809b15f1c0)
[ 44.492408] The buggy address belongs to the page:
[ 44.492414] page:ffffea00026c5780 count:1 mapcount:0 mapping:ffff88809b15e140 index:0x0 compound_mapcount: 0
[ 44.492425] flags: 0xfffe0000008100(slab|head)
[ 44.492436] raw: 00fffe0000008100 ffff88809b15e140 0000000000000000 0000000100000003
[ 44.492444] raw: ffffea0002649ca0 ffffea00026e45a0 ffff88812fe56c40 0000000000000000
[ 44.492447] page dumped because: kasan: bad access detected
[ 44.492449] 
[ 44.492452] Memory state around the buggy address:
[ 44.492458]  ffff88809b15e980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 44.492463]  ffff88809b15ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.492469] >ffff88809b15ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.492472]                                               ^
[ 44.492477]  ffff88809b15eb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.492483]  ffff88809b15eb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.492486] ==================================================================
[ 44.492488] Disabling lock debugging due to kernel taint
[ 44.492522] Kernel panic - not syncing: panic_on_warn set ...
[ 44.492522] 
[ 44.492529] CPU: 0 PID: 7356 Comm: syz-executor837 Tainted: G B 4.14.174-syzkaller #0
[ 44.492533] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.492535] Call Trace:
[ 44.492544]  dump_stack+0x13e/0x194
[ 44.492551]  panic+0x1f9/0x42d
[ 44.492558]  ? add_taint.cold+0x16/0x16
[ 44.492569]  ? con_shutdown+0x7f/0x90
[ 44.492575]  kasan_end_report+0x43/0x49
[ 44.492582]  kasan_report.cold+0x12f/0x2ae
[ 44.492589]  ? set_palette+0x130/0x130
[ 44.492595]  con_shutdown+0x7f/0x90
[ 44.492602]  release_tty+0xb6/0x7a0
[ 44.492609]  tty_release_struct+0x37/0x50
[ 44.492616]  tty_release+0xaa6/0xd60
[ 44.492626]  ? tty_release_struct+0x50/0x50
[ 44.492631]  __fput+0x25f/0x790
[ 44.492642]  task_work_run+0x113/0x190
[ 44.492650]  do_exit+0x9f2/0x2b00
[ 44.492657]  ? __do_page_fault+0x4e4/0xb40
[ 44.492665]  ? mm_update_next_owner+0x5b0/0x5b0
[ 44.492672]  ? lock_downgrade+0x6e0/0x6e0
[ 44.492681]  do_group_exit+0x100/0x310
[ 44.492688]  SyS_exit_group+0x19/0x20
[ 44.492693]  ? do_group_exit+0x310/0x310
[ 44.492699]  do_syscall_64+0x1d5/0x640
[ 44.492708]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.492712] RIP: 0033:0x43ff38
[ 44.492716] RSP: 002b:00007ffcfa09aed8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 44.492722] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 44.492725] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 44.492729] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 44.492733] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 44.492736] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 44.494067] Kernel Offset: disabled
[ 45.077160] Rebooting in 86400 seconds..