[ ok ] Starting enhanced syslogd: rsyslogd.
[ 65.260757][ T27] audit: type=1800 audit(1584118999.574:25): pid=9354 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 65.296945][ T27] audit: type=1800 audit(1584118999.574:26): pid=9354 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 65.330889][ T27] audit: type=1800 audit(1584118999.584:27): pid=9354 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.199' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 75.946555][ T9509] ==================================================================
[ 75.946611][ T9509] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[ 75.946622][ T9509] Write of size 8 at addr ffff888097b72108 by task syz-executor724/9509
[ 75.946626][ T9509]
[ 75.946639][ T9509] CPU: 0 PID: 9509 Comm: syz-executor724 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
[ 75.946646][ T9509] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.946651][ T9509] Call Trace:
[ 75.946669][ T9509]  dump_stack+0x188/0x20d
[ 75.946683][ T9509]  ? con_shutdown+0x7f/0x90
[ 75.946698][ T9509]  ? con_shutdown+0x7f/0x90
[ 75.946714][ T9509]  print_address_description.constprop.0.cold+0xd3/0x315
[ 75.946727][ T9509]  ? con_shutdown+0x7f/0x90
[ 75.946740][ T9509]  ? con_shutdown+0x7f/0x90
[ 75.946751][ T9509]  __kasan_report.cold+0x1a/0x32
[ 75.946769][ T9509]  ? con_shutdown+0x7f/0x90
[ 75.946788][ T9509]  kasan_report+0xe/0x20
[ 75.946801][ T9509]  con_shutdown+0x7f/0x90
[ 75.946812][ T9509]  ? update_region+0x140/0x140
[ 75.946825][ T9509]  release_tty+0xca/0x450
[ 75.946842][ T9509]  tty_release_struct+0x37/0x50
[ 75.946856][ T9509]  tty_release+0xbc7/0xe90
[ 75.946884][ T9509]  ? do_tty_hangup+0x30/0x30
[ 75.946896][ T9509]  __fput+0x2da/0x850
[ 75.946924][ T9509]  task_work_run+0x13f/0x1b0
[ 75.946946][ T9509]  do_exit+0xb53/0x2e10
[ 75.946974][ T9509]  ? mm_update_next_owner+0x7a0/0x7a0
[ 75.946989][ T9509]  ? up_read+0x1a8/0x750
[ 75.947007][ T9509]  ? down_read_nested+0x430/0x430
[ 75.947025][ T9509]  ? handle_mm_fault+0x29e/0x660
[ 75.947045][ T9509]  do_group_exit+0x125/0x340
[ 75.947064][ T9509]  __x64_sys_exit_group+0x3a/0x50
[ 75.947078][ T9509]  do_syscall_64+0xf6/0x790
[ 75.947098][ T9509]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.947109][ T9509] RIP: 0033:0x43ff38
[ 75.947120][ T9509] Code: Bad RIP value.
[ 75.947127][ T9509] RSP: 002b:00007ffd0ca7f3e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 75.947139][ T9509] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 75.947146][ T9509] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 75.947154][ T9509] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 75.947160][ T9509] R10: 0000000000000064 R11: 0000000000000246 R12: 0000000000000001
[ 75.947172][ T9509] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 75.947198][ T9509]
[ 75.947205][ T9509] Allocated by task 9509:
[ 75.947216][ T9509]  save_stack+0x1b/0x40
[ 75.947228][ T9509]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 75.947239][ T9509]  kmem_cache_alloc_trace+0x153/0x7d0
[ 75.947247][ T9509]  vc_allocate+0x1e2/0x6e0
[ 75.947255][ T9509]  con_install+0x4f/0x400
[ 75.947265][ T9509]  tty_init_dev+0xf5/0x460
[ 75.947273][ T9509]  tty_open+0x47f/0xb30
[ 75.947283][ T9509]  chrdev_open+0x219/0x5c0
[ 75.947295][ T9509]  do_dentry_open+0x49e/0x1250
[ 75.947312][ T9509]  path_openat+0x122a/0x3230
[ 75.947321][ T9509]  do_filp_open+0x192/0x260
[ 75.947332][ T9509]  do_sys_openat2+0x54c/0x740
[ 75.947343][ T9509]  do_sys_open+0xc3/0x140
[ 75.947353][ T9509]  do_syscall_64+0xf6/0x790
[ 75.947365][ T9509]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.947369][ T9509]
[ 75.947374][ T9509] Freed by task 9517:
[ 75.947385][ T9509]  save_stack+0x1b/0x40
[ 75.947396][ T9509]  __kasan_slab_free+0xf7/0x140
[ 75.947406][ T9509]  kfree+0x109/0x2b0
[ 75.947416][ T9509]  vt_disallocate_all+0x283/0x370
[ 75.947426][ T9509]  vt_ioctl+0x79e/0x2450
[ 75.947437][ T9509]  tty_ioctl+0xedd/0x1440
[ 75.947446][ T9509]  ksys_ioctl+0x11a/0x180
[ 75.947456][ T9509]  __x64_sys_ioctl+0x6f/0xb0
[ 75.947468][ T9509]  do_syscall_64+0xf6/0x790
[ 75.947479][ T9509]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.947483][ T9509]
[ 75.947491][ T9509] The buggy address belongs to the object at ffff888097b72000
[ 75.947491][ T9509]  which belongs to the cache kmalloc-2k of size 2048
[ 75.947502][ T9509] The buggy address is located 264 bytes inside of
[ 75.947502][ T9509]  2048-byte region [ffff888097b72000, ffff888097b72800)
[ 75.947506][ T9509] The buggy address belongs to the page:
[ 75.947518][ T9509] page:ffffea00025edc80 refcount:1 mapcount:0 mapping:00000000232dc3cd index:0x0
[ 75.947527][ T9509] flags: 0xfffe0000000200(slab)
[ 75.947543][ T9509] raw: 00fffe0000000200 ffffea00025ef288 ffffea000261a148 ffff8880aa000e00
[ 75.947557][ T9509] raw: 0000000000000000 ffff888097b72000 0000000100000001 0000000000000000
[ 75.947562][ T9509] page dumped because: kasan: bad access detected
[ 75.947565][ T9509]
[ 75.947569][ T9509] Memory state around the buggy address:
[ 75.947578][ T9509]  ffff888097b72000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.947587][ T9509]  ffff888097b72080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.947597][ T9509] >ffff888097b72100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.947600][ T9509]                       ^
[ 75.947609][ T9509]  ffff888097b72180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.947618][ T9509]  ffff888097b72200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.947623][ T9509] ==================================================================
[ 75.947627][ T9509] Disabling lock debugging due to kernel taint
[ 75.949653][ T9509] Kernel panic - not syncing: panic_on_warn set ...
[ 75.949669][ T9509] CPU: 0 PID: 9509 Comm: syz-executor724 Tainted: G    B             5.6.0-rc3-next-20200228-syzkaller #0
[ 75.949675][ T9509] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.949679][ T9509] Call Trace:
[ 75.949696][ T9509]  dump_stack+0x188/0x20d
[ 75.949712][ T9509]  panic+0x2e3/0x75c
[ 75.949725][ T9509]  ? add_taint.cold+0x16/0x16
[ 75.949742][ T9509]  ? preempt_schedule_common+0x5e/0xc0
[ 75.949757][ T9509]  ? con_shutdown+0x7f/0x90
[ 75.949770][ T9509]  ? ___preempt_schedule+0x16/0x18
[ 75.949780][ T9509]  ? trace_hardirqs_on+0x55/0x220
[ 75.949793][ T9509]  ? con_shutdown+0x7f/0x90
[ 75.949804][ T9509]  end_report+0x43/0x49
[ 75.949814][ T9509]  ? con_shutdown+0x7f/0x90
[ 75.949821][ T9509]  __kasan_report.cold+0xd/0x32
[ 75.949833][ T9509]  ? con_shutdown+0x7f/0x90
[ 75.949845][ T9509]  kasan_report+0xe/0x20
[ 75.949856][ T9509]  con_shutdown+0x7f/0x90
[ 75.949867][ T9509]  ? update_region+0x140/0x140
[ 75.949878][ T9509]  release_tty+0xca/0x450
[ 75.949892][ T9509]  tty_release_struct+0x37/0x50
[ 75.949904][ T9509]  tty_release+0xbc7/0xe90
[ 75.949921][ T9509]  ? do_tty_hangup+0x30/0x30
[ 75.949931][ T9509]  __fput+0x2da/0x850
[ 75.949948][ T9509]  task_work_run+0x13f/0x1b0
[ 75.949960][ T9509]  do_exit+0xb53/0x2e10
[ 75.949977][ T9509]  ? mm_update_next_owner+0x7a0/0x7a0
[ 75.949989][ T9509]  ? up_read+0x1a8/0x750
[ 75.950003][ T9509]  ? down_read_nested+0x430/0x430
[ 75.950017][ T9509]  ? handle_mm_fault+0x29e/0x660
[ 75.950030][ T9509]  do_group_exit+0x125/0x340
[ 75.950044][ T9509]  __x64_sys_exit_group+0x3a/0x50
[ 75.950054][ T9509]  do_syscall_64+0xf6/0x790
[ 75.950069][ T9509]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.950078][ T9509] RIP: 0033:0x43ff38
[ 75.950090][ T9509] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[ 75.950096][ T9509] RSP: 002b:00007ffd0ca7f3e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 75.950107][ T9509] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 75.950114][ T9509] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 75.950120][ T9509] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 75.950127][ T9509] R10: 0000000000000064 R11: 0000000000000246 R12: 0000000000000001
[ 75.950133][ T9509] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 75.951572][ T9509] Kernel Offset: disabled
[ 76.704746][ T9509] Rebooting in 86400 seconds..