[ ok ] Starting enhanced syslogd: rsyslogd.
[   75.094312][   T27] audit: type=1800 audit(1584298687.137:25): pid=9392 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   75.130645][   T27] audit: type=1800 audit(1584298687.137:26): pid=9392 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   75.168793][   T27] audit: type=1800 audit(1584298687.137:27): pid=9392 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.20' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   85.386185][ T9557] ==================================================================
[   85.386241][ T9557] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[   85.386251][ T9557] Write of size 8 at addr ffff88809ef89108 by task syz-executor689/9557
[   85.386255][ T9557]
[   85.386267][ T9557] CPU: 1 PID: 9557 Comm: syz-executor689 Not tainted 5.6.0-rc5-syzkaller #0
[   85.386273][ T9557] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   85.386278][ T9557] Call Trace:
[   85.386301][ T9557]  dump_stack+0x188/0x20d
[   85.386313][ T9557]  ? con_shutdown+0x7f/0x90
[   85.386324][ T9557]  ? con_shutdown+0x7f/0x90
[   85.386342][ T9557]  print_address_description.constprop.0.cold+0xd3/0x315
[   85.386352][ T9557]  ? con_shutdown+0x7f/0x90
[   85.386363][ T9557]  ? con_shutdown+0x7f/0x90
[   85.386375][ T9557]  __kasan_report.cold+0x1a/0x32
[   85.386392][ T9557]  ? con_shutdown+0x7f/0x90
[   85.386410][ T9557]  kasan_report+0xe/0x20
[   85.386422][ T9557]  con_shutdown+0x7f/0x90
[   85.386433][ T9557]  ? update_region+0x140/0x140
[   85.386443][ T9557]  release_tty+0xca/0x450
[   85.386459][ T9557]  tty_release_struct+0x37/0x50
[   85.386472][ T9557]  tty_release+0xbc7/0xe90
[   85.386498][ T9557]  ? do_tty_hangup+0x30/0x30
[   85.386508][ T9557]  __fput+0x2da/0x850
[   85.386536][ T9557]  task_work_run+0x13f/0x1b0
[   85.386559][ T9557]  do_exit+0xb34/0x2dd0
[   85.386587][ T9557]  ? mm_update_next_owner+0x7a0/0x7a0
[   85.386604][ T9557]  ? up_read+0x1ab/0x750
[   85.386622][ T9557]  ? down_read_non_owner+0x470/0x470
[   85.386646][ T9557]  do_group_exit+0x125/0x340
[   85.386664][ T9557]  __ia32_sys_exit_group+0x3a/0x50
[   85.386678][ T9557]  do_fast_syscall_32+0x270/0xe8f
[   85.386698][ T9557]  entry_SYSENTER_compat+0x70/0x7f
[   85.386727][ T9557]
[   85.386733][ T9557] Allocated by task 9557:
[   85.386745][ T9557]  save_stack+0x1b/0x80
[   85.386757][ T9557]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   85.386768][ T9557]  kmem_cache_alloc_trace+0x153/0x7d0
[   85.386779][ T9557]  vc_allocate+0x1e2/0x6e0
[   85.386789][ T9557]  con_install+0x4f/0x400
[   85.386798][ T9557]  tty_init_dev+0xf5/0x460
[   85.386808][ T9557]  tty_open+0x47f/0xb30
[   85.386819][ T9557]  chrdev_open+0x219/0x5c0
[   85.386837][ T9557]  do_dentry_open+0x4a2/0x1250
[   85.386848][ T9557]  path_openat+0x122a/0x32b0
[   85.386859][ T9557]  do_filp_open+0x192/0x260
[   85.386869][ T9557]  do_sys_openat2+0x54c/0x740
[   85.386880][ T9557]  do_sys_open+0xc3/0x140
[   85.386891][ T9557]  do_fast_syscall_32+0x270/0xe8f
[   85.386902][ T9557]  entry_SYSENTER_compat+0x70/0x7f
[   85.386906][ T9557]
[   85.386911][ T9557] Freed by task 9556:
[   85.386922][ T9557]  save_stack+0x1b/0x80
[   85.386933][ T9557]  __kasan_slab_free+0xf7/0x140
[   85.386943][ T9557]  kfree+0x109/0x2b0
[   85.386954][ T9557]  vt_disallocate_all+0x293/0x3b0
[   85.386964][ T9557]  vt_ioctl+0xb79/0x2470
[   85.386974][ T9557]  vt_compat_ioctl+0x410/0x710
[   85.386985][ T9557]  tty_compat_ioctl+0x19c/0x410
[   85.386995][ T9557]  __ia32_compat_sys_ioctl+0x23d/0x2b0
[   85.387005][ T9557]  do_fast_syscall_32+0x270/0xe8f
[   85.387015][ T9557]  entry_SYSENTER_compat+0x70/0x7f
[   85.387019][ T9557]
[   85.387027][ T9557] The buggy address belongs to the object at ffff88809ef89000
[   85.387027][ T9557]  which belongs to the cache kmalloc-2k of size 2048
[   85.387037][ T9557] The buggy address is located 264 bytes inside of
[   85.387037][ T9557]  2048-byte region [ffff88809ef89000, ffff88809ef89800)
[   85.387042][ T9557] The buggy address belongs to the page:
[   85.387052][ T9557] page:ffffea00027be240 refcount:1 mapcount:0 mapping:ffff8880aa000e00 index:0x0
[   85.387062][ T9557] flags: 0xfffe0000000200(slab)
[   85.387078][ T9557] raw: 00fffe0000000200 ffffea00029f7b08 ffffea0002a2a988 ffff8880aa000e00
[   85.387091][ T9557] raw: 0000000000000000 ffff88809ef89000 0000000100000001 0000000000000000
[   85.387097][ T9557] page dumped because: kasan: bad access detected
[   85.387100][ T9557]
[   85.387104][ T9557] Memory state around the buggy address:
[   85.387113][ T9557]  ffff88809ef89000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   85.387123][ T9557]  ffff88809ef89080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   85.387132][ T9557] >ffff88809ef89100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   85.387136][ T9557]                       ^
[   85.387145][ T9557]  ffff88809ef89180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   85.387153][ T9557]  ffff88809ef89200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   85.387158][ T9557] ==================================================================
[   85.387162][ T9557] Disabling lock debugging due to kernel taint
[   85.387303][ T9557] Kernel panic - not syncing: panic_on_warn set ...
[   85.387316][ T9557] CPU: 1 PID: 9557 Comm: syz-executor689 Tainted: G    B             5.6.0-rc5-syzkaller #0
[   85.387322][ T9557] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   85.387325][ T9557] Call Trace:
[   85.387337][ T9557]  dump_stack+0x188/0x20d
[   85.387351][ T9557]  panic+0x2e3/0x75c
[   85.387362][ T9557]  ? add_taint.cold+0x16/0x16
[   85.387375][ T9557]  ? preempt_schedule_common+0x5e/0xc0
[   85.387385][ T9557]  ? con_shutdown+0x7f/0x90
[   85.387397][ T9557]  ? ___preempt_schedule+0x16/0x18
[   85.387411][ T9557]  ? trace_hardirqs_on+0x55/0x220
[   85.387424][ T9557]  ? con_shutdown+0x7f/0x90
[   85.387437][ T9557]  end_report+0x43/0x49
[   85.387447][ T9557]  ? con_shutdown+0x7f/0x90
[   85.387458][ T9557]  __kasan_report.cold+0xd/0x32
[   85.387471][ T9557]  ? con_shutdown+0x7f/0x90
[   85.387485][ T9557]  kasan_report+0xe/0x20
[   85.387495][ T9557]  con_shutdown+0x7f/0x90
[   85.387505][ T9557]  ? update_region+0x140/0x140
[   85.387515][ T9557]  release_tty+0xca/0x450
[   85.387528][ T9557]  tty_release_struct+0x37/0x50
[   85.387539][ T9557]  tty_release+0xbc7/0xe90
[   85.387556][ T9557]  ? do_tty_hangup+0x30/0x30
[   85.387566][ T9557]  __fput+0x2da/0x850
[   85.387584][ T9557]  task_work_run+0x13f/0x1b0
[   85.387602][ T9557]  do_exit+0xb34/0x2dd0
[   85.387623][ T9557]  ? mm_update_next_owner+0x7a0/0x7a0
[   85.387636][ T9557]  ? up_read+0x1ab/0x750
[   85.387651][ T9557]  ? down_read_non_owner+0x470/0x470
[   85.387666][ T9557]  do_group_exit+0x125/0x340
[   85.387679][ T9557]  __ia32_sys_exit_group+0x3a/0x50
[   85.387691][ T9557]  do_fast_syscall_32+0x270/0xe8f
[   85.387706][ T9557]  entry_SYSENTER_compat+0x70/0x7f
[   85.389421][ T9557] Kernel Offset: disabled
[   85.991861][ T9557] Rebooting in 86400 seconds..
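The report above carries everything a triager needs, but spread across the header, three stacks and the memory-state dump. The following parser, an added example that is not part of the syzkaller log or of any kernel tooling, extracts those pieces and applies the consistency checks a reviewer runs first: that the stated offset into the object matches the faulting address, that the shadow byte under the faulting address really marks a freed slab object (0xfb under generic KASAN on 5.x kernels, which is an assumption about the KASAN version), and that the free and the access came from different tasks. The sample input is an excerpt of the report above, trimmed to the lines the parser needs; the helper names (`parse`, `triage`, `first_real_frame`, `syscall_frame`) and the list of allocator/KASAN frames treated as plumbing are this example's own choices.

```python
"""Parse a generic-KASAN report (5.x layout, "[ time][ Tnnn]" console prefix) into its
header, the access/alloc/free stacks and the object description, then run the checks a
triager does first. Added example for this page; not kernel or syzkaller code."""
import re

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")
FRAME = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
SHADOW_ROW = re.compile(r"^(>?)([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?)+)$")
# Allocator and KASAN-internal frames, skipped when looking for the code that acted
# (this list is an assumption of the example, extend it for other kernel versions).
PLUMBING = ("save_stack", "kasan", "__kasan", "kfree", "kmem_cache_", "__kmalloc",
            "dump_stack", "print_address_description")
KASAN_KMALLOC_FREE = 0xfb  # generic-KASAN shadow byte for a freed slab object (5.x)

# Lines taken from the report above, trimmed to what the parser needs.
SAMPLE_REPORT = """\
[   85.386241][ T9557] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[   85.386251][ T9557] Write of size 8 at addr ffff88809ef89108 by task syz-executor689/9557
[   85.386255][ T9557]
[   85.386278][ T9557] Call Trace:
[   85.386301][ T9557]  dump_stack+0x188/0x20d
[   85.386313][ T9557]  ? con_shutdown+0x7f/0x90
[   85.386422][ T9557]  con_shutdown+0x7f/0x90
[   85.386443][ T9557]  release_tty+0xca/0x450
[   85.386472][ T9557]  tty_release+0xbc7/0xe90
[   85.386664][ T9557]  __ia32_sys_exit_group+0x3a/0x50
[   85.386727][ T9557]
[   85.386733][ T9557] Allocated by task 9557:
[   85.386745][ T9557]  save_stack+0x1b/0x80
[   85.386768][ T9557]  kmem_cache_alloc_trace+0x153/0x7d0
[   85.386779][ T9557]  vc_allocate+0x1e2/0x6e0
[   85.386789][ T9557]  con_install+0x4f/0x400
[   85.386869][ T9557]  do_sys_openat2+0x54c/0x740
[   85.386906][ T9557]
[   85.386911][ T9557] Freed by task 9556:
[   85.386922][ T9557]  save_stack+0x1b/0x80
[   85.386943][ T9557]  kfree+0x109/0x2b0
[   85.386954][ T9557]  vt_disallocate_all+0x293/0x3b0
[   85.386964][ T9557]  vt_ioctl+0xb79/0x2470
[   85.386995][ T9557]  __ia32_compat_sys_ioctl+0x23d/0x2b0
[   85.387019][ T9557]
[   85.387027][ T9557] The buggy address belongs to the object at ffff88809ef89000
[   85.387027][ T9557]  which belongs to the cache kmalloc-2k of size 2048
[   85.387037][ T9557] The buggy address is located 264 bytes inside of
[   85.387132][ T9557] >ffff88809ef89100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   85.387158][ T9557] ==================================================================
"""


def parse(text):
    """Return a dict with the header fields, object info and the three stacks."""
    r = {"stacks": {"access": [], "alloc": [], "free": []}, "shadow": -1}
    section = None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if line.startswith("====") and "bug" in r:   # closing rule ends the report
            break
        if not line.strip():                          # blank line ends a stack
            section = None
        elif m := re.match(r"BUG: KASAN: (\S+) in (\S+)\+0x", line):
            r["bug"], r["func"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", line):
            r["access"], r["size"], r["addr"], r["task"] = m[1], int(m[2]), int(m[3], 16), int(m[4])
        elif line.strip() == "Call Trace:":
            section = "access"
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = "alloc" if m[1] == "Allocated" else "free"
            r[section + "_task"] = int(m[2])
        elif m := re.search(r"object at ([0-9a-f]+)", line):
            r["obj_addr"] = int(m[1], 16)
        elif m := re.search(r"cache (\S+) of size", line):
            r["cache"] = m[1]
        elif m := re.search(r"located (\d+) bytes inside", line):
            r["stated_offset"] = int(m[1])
        elif (m := SHADOW_ROW.match(line.strip())) and m[1] == ">":
            # one shadow byte per 8-byte granule; pick the one covering addr
            r["shadow"] = int(m[3].split()[(r["addr"] - int(m[2], 16)) // 8], 16)
        elif (m := FRAME.match(line)) and section and not m[1]:
            r["stacks"][section].append(m[2])         # "? " frames are guesses, dropped
    return r


def first_real_frame(frames):
    """First frame that is not allocator/KASAN plumbing, i.e. the code that acted."""
    return next((f for f in frames if not f.startswith(PLUMBING)), "")


def syscall_frame(frames):
    """Innermost syscall handler on the stack, e.g. __ia32_compat_sys_ioctl."""
    return next((f for f in frames if re.search(r"(^|_)sys_\w+", f)), "")


def triage(r):
    """Consistency checks and the three paths a triager wants before reading the dump."""
    offset = r["addr"] - r["obj_addr"]
    paths = {k: (first_real_frame(v), syscall_frame(v)) for k, v in r["stacks"].items()}
    return {
        "summary": f'{r["bug"]}: {r["access"]} of {r["size"]} bytes in {r["func"]}, '
                   f'{r["cache"]} object +{offset}',
        "offset_matches_report": offset == r["stated_offset"],
        "shadow_confirms_free": r["shadow"] == KASAN_KMALLOC_FREE,
        # freed by one task and used by another: a race window, not a simple double use
        "cross_task": r["free_task"] != r["task"],
        "paths": paths,
    }


if __name__ == "__main__":
    for k, v in triage(parse(SAMPLE_REPORT)).items():
        print(f"{k}: {v}")
```

On this report the checks all come back true: the write at ffff88809ef89108 is 264 bytes into the kmalloc-2k object, the shadow byte there is 0xfb, and the object was freed by task 9556 (vt_disallocate_all, reached from an ioctl) while task 9557 was still holding the tty it had opened (vc_allocate from con_install) and later released on exit (con_shutdown from tty_release). That pairing of an ioctl-driven free with a close-driven use in another task is what distinguishes a lifetime race from a plain double free, and it is the first thing to check before reading the rest of the dump.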