[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.156' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login: [ 531.537584][ T7028] ==================================================================
[ 531.537727][ T7028] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[ 531.537739][ T7028] Write of size 8 at addr ffff88809328d108 by task syz-executor003/7028
[ 531.537743][ T7028]
[ 531.537764][ T7028] CPU: 0 PID: 7028 Comm: syz-executor003 Not tainted 5.6.0-rc7-syzkaller #0
[ 531.537771][ T7028] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 531.537778][ T7028] Call Trace:
[ 531.537886][ T7028]  dump_stack+0x188/0x20d
[ 531.537926][ T7028]  ? con_shutdown+0x7f/0x90
[ 531.537939][ T7028]  ? con_shutdown+0x7f/0x90
[ 531.538017][ T7028]  print_address_description.constprop.0.cold+0xd3/0x315
[ 531.538029][ T7028]  ? con_shutdown+0x7f/0x90
[ 531.538042][ T7028]  ? con_shutdown+0x7f/0x90
[ 531.538055][ T7028]  __kasan_report.cold+0x1a/0x32
[ 531.538072][ T7028]  ? con_shutdown+0x7f/0x90
[ 531.538089][ T7028]  kasan_report+0xe/0x20
[ 531.538102][ T7028]  con_shutdown+0x7f/0x90
[ 531.538113][ T7028]  ? update_region+0x140/0x140
[ 531.538147][ T7028]  release_tty+0xca/0x450
[ 531.538163][ T7028]  tty_release_struct+0x37/0x50
[ 531.538177][ T7028]  tty_release+0xbc7/0xe90
[ 531.538203][ T7028]  ? do_tty_hangup+0x30/0x30
[ 531.538270][ T7028]  __fput+0x2da/0x850
[ 531.538320][ T7028]  task_work_run+0x13f/0x1b0
[ 531.538391][ T7028]  do_exit+0xb34/0x2dd0
[ 531.538421][ T7028]  ? mm_update_next_owner+0x7a0/0x7a0
[ 531.538471][ T7028]  ? up_read+0x1ab/0x750
[ 531.538485][ T7028]  ? mark_held_locks+0x9f/0xe0
[ 531.538499][ T7028]  ? down_read_non_owner+0x470/0x470
[ 531.538575][ T7028]  ? handle_mm_fault+0x491/0xa10
[ 531.538595][ T7028]  do_group_exit+0x125/0x340
[ 531.538614][ T7028]  __x64_sys_exit_group+0x3a/0x50
[ 531.538634][ T7028]  do_syscall_64+0xf6/0x7d0
[ 531.538717][ T7028]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 531.538727][ T7028] RIP: 0033:0x43ff38
[ 531.538765][ T7028] Code: Bad RIP value.
[ 531.538772][ T7028] RSP: 002b:00007ffe144ba468 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 531.538784][ T7028] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 531.538791][ T7028] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 531.538799][ T7028] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 531.538806][ T7028] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 531.538813][ T7028] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 531.538844][ T7028]
[ 531.538851][ T7028] Allocated by task 7028:
[ 531.538863][ T7028]  save_stack+0x1b/0x80
[ 531.538875][ T7028]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 531.538886][ T7028]  kmem_cache_alloc_trace+0x153/0x7d0
[ 531.538897][ T7028]  vc_allocate+0x1e2/0x6e0
[ 531.538906][ T7028]  con_install+0x4f/0x400
[ 531.538916][ T7028]  tty_init_dev+0xf5/0x460
[ 531.538925][ T7028]  tty_open+0x47f/0xb30
[ 531.538936][ T7028]  chrdev_open+0x219/0x5c0
[ 531.538946][ T7028]  do_dentry_open+0x4a2/0x1250
[ 531.538957][ T7028]  path_openat+0x122a/0x32b0
[ 531.538998][ T7028]  do_filp_open+0x192/0x260
[ 531.539008][ T7028]  do_sys_openat2+0x54c/0x740
[ 531.539018][ T7028]  do_sys_open+0xc3/0x140
[ 531.539029][ T7028]  do_syscall_64+0xf6/0x7d0
[ 531.539040][ T7028]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 531.539043][ T7028]
[ 531.539049][ T7028] Freed by task 7026:
[ 531.539060][ T7028]  save_stack+0x1b/0x80
[ 531.539071][ T7028]  __kasan_slab_free+0xf7/0x140
[ 531.539078][ T7028]  kfree+0x109/0x2b0
[ 531.539088][ T7028]  vt_disallocate_all+0x293/0x3b0
[ 531.539097][ T7028]  vt_ioctl+0xb79/0x2470
[ 531.539105][ T7028]  tty_ioctl+0xedd/0x1440
[ 531.539114][ T7028]  ksys_ioctl+0x11a/0x180
[ 531.539123][ T7028]  __x64_sys_ioctl+0x6f/0xb0
[ 531.539132][ T7028]  do_syscall_64+0xf6/0x7d0
[ 531.539142][ T7028]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 531.539144][ T7028]
[ 531.539152][ T7028] The buggy address belongs to the object at ffff88809328d000
[ 531.539152][ T7028]  which belongs to the cache kmalloc-2k of size 2048
[ 531.539161][ T7028] The buggy address is located 264 bytes inside of
[ 531.539161][ T7028]  2048-byte region [ffff88809328d000, ffff88809328d800)
[ 531.539164][ T7028] The buggy address belongs to the page:
[ 531.539173][ T7028] page:ffffea00024ca340 refcount:1 mapcount:0 mapping:ffff8880aa000e00 index:0x0
[ 531.539182][ T7028] flags: 0xfffe0000000200(slab)
[ 531.539196][ T7028] raw: 00fffe0000000200 ffffea00024ca308 ffffea0002501e08 ffff8880aa000e00
[ 531.539207][ T7028] raw: 0000000000000000 ffff88809328d000 0000000100000001 0000000000000000
[ 531.539212][ T7028] page dumped because: kasan: bad access detected
[ 531.539214][ T7028]
[ 531.539218][ T7028] Memory state around the buggy address:
[ 531.539226][ T7028]  ffff88809328d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 531.539233][ T7028]  ffff88809328d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 531.539241][ T7028] >ffff88809328d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 531.539245][ T7028]                       ^
[ 531.539253][ T7028]  ffff88809328d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 531.539260][ T7028]  ffff88809328d200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 531.539264][ T7028] ==================================================================
[ 531.539268][ T7028] Disabling lock debugging due to kernel taint
[ 531.539273][ T7028] Kernel panic - not syncing: panic_on_warn set ...
[ 531.539284][ T7028] CPU: 0 PID: 7028 Comm: syz-executor003 Tainted: G B 5.6.0-rc7-syzkaller #0
[ 531.539288][ T7028] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 531.539291][ T7028] Call Trace:
[ 531.539302][ T7028]  dump_stack+0x188/0x20d
[ 531.539315][ T7028]  panic+0x2e3/0x75c
[ 531.539324][ T7028]  ? add_taint.cold+0x16/0x16
[ 531.539340][ T7028]  ? print_shadow_for_address+0xb8/0x114
[ 531.539383][ T7028]  ? trace_hardirqs_on+0x55/0x220
[ 531.539396][ T7028]  ? con_shutdown+0x7f/0x90
[ 531.539408][ T7028]  end_report+0x43/0x49
[ 531.539418][ T7028]  ? con_shutdown+0x7f/0x90
[ 531.539429][ T7028]  __kasan_report.cold+0xd/0x32
[ 531.539442][ T7028]  ? con_shutdown+0x7f/0x90
[ 531.539456][ T7028]  kasan_report+0xe/0x20
[ 531.539467][ T7028]  con_shutdown+0x7f/0x90
[ 531.539477][ T7028]  ? update_region+0x140/0x140
[ 531.539484][ T7028]  release_tty+0xca/0x450
[ 531.539494][ T7028]  tty_release_struct+0x37/0x50
[ 531.539502][ T7028]  tty_release+0xbc7/0xe90
[ 531.539516][ T7028]  ? do_tty_hangup+0x30/0x30
[ 531.539524][ T7028]  __fput+0x2da/0x850
[ 531.539541][ T7028]  task_work_run+0x13f/0x1b0
[ 531.539557][ T7028]  do_exit+0xb34/0x2dd0
[ 531.539575][ T7028]  ? mm_update_next_owner+0x7a0/0x7a0
[ 531.539586][ T7028]  ? up_read+0x1ab/0x750
[ 531.539597][ T7028]  ? mark_held_locks+0x9f/0xe0
[ 531.539609][ T7028]  ? down_read_non_owner+0x470/0x470
[ 531.539623][ T7028]  ? handle_mm_fault+0x491/0xa10
[ 531.539635][ T7028]  do_group_exit+0x125/0x340
[ 531.539653][ T7028]  __x64_sys_exit_group+0x3a/0x50
[ 531.539665][ T7028]  do_syscall_64+0xf6/0x7d0
[ 531.539680][ T7028]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 531.539693][ T7028] RIP: 0033:0x43ff38
[ 531.539700][ T7028] Code: Bad RIP value.
[ 531.539706][ T7028] RSP: 002b:00007ffe144ba468 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 531.539726][ T7028] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 531.539735][ T7028] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 531.539741][ T7028] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 531.539752][ T7028] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 531.539759][ T7028] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 531.541163][ T7028] Kernel Offset: disabled
[ 532.267525][ T7028] Rebooting in 86400 seconds..