Warning: Permanently added '10.128.1.61' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 69.480772] kauditd_printk_skb: 3 callbacks suppressed
[ 69.480786] audit: type=1400 audit(1582951369.611:36): avc: denied { map } for pid=8126 comm="syz-executor571" path="/root/syz-executor571703251" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 69.570577] ==================================================================
[ 69.570627] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[ 69.570638] Write of size 8 at addr ffff88808f153808 by task syz-executor571/8134
[ 69.570642]
[ 69.570655] CPU: 1 PID: 8134 Comm: syz-executor571 Not tainted 4.19.107-syzkaller #0
[ 69.570662] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.570667] Call Trace:
[ 69.570683]  dump_stack+0x188/0x20d
[ 69.570697]  ? con_shutdown+0x7f/0x90
[ 69.570714]  print_address_description.cold+0x7c/0x212
[ 69.570727]  ? con_shutdown+0x7f/0x90
[ 69.570739]  kasan_report.cold+0x88/0x2b9
[ 69.570752]  ? set_palette+0x1b0/0x1b0
[ 69.570766]  con_shutdown+0x7f/0x90
[ 69.570778]  release_tty+0xda/0x4c0
[ 69.570793]  tty_release_struct+0x37/0x50
[ 69.570806]  tty_release+0xbc7/0xe90
[ 69.570826]  ? tty_release_struct+0x50/0x50
[ 69.570839]  __fput+0x2cd/0x890
[ 69.570857]  task_work_run+0x13f/0x1b0
[ 69.570875]  do_exit+0xbcd/0x2f30
[ 69.570894]  ? mm_update_next_owner+0x650/0x650
[ 69.570911]  ? up_read+0x17/0x110
[ 69.570924]  ? __do_page_fault+0x44e/0xdd0
[ 69.570943]  do_group_exit+0x125/0x350
[ 69.570958]  __x64_sys_exit_group+0x3a/0x50
[ 69.570972]  do_syscall_64+0xf9/0x620
[ 69.570987]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.570996] RIP: 0033:0x43ff38
[ 69.571009] Code: Bad RIP value.
[ 69.571016] RSP: 002b:00007ffeaa9f61f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 69.571027] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 69.571033] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 69.571038] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 69.571044] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 69.571049] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 69.571062]
[ 69.571067] Allocated by task 8134:
[ 69.571076]  kasan_kmalloc+0xbf/0xe0
[ 69.571084]  kmem_cache_alloc_trace+0x14d/0x7a0
[ 69.571092]  vc_allocate+0x1db/0x6d0
[ 69.571101]  con_install+0x4f/0x400
[ 69.571110]  tty_init_dev+0xee/0x450
[ 69.571120]  tty_open+0x4b0/0xb00
[ 69.571130]  chrdev_open+0x219/0x5c0
[ 69.571140]  do_dentry_open+0x4a8/0x1160
[ 69.571151]  path_openat+0x1031/0x4200
[ 69.571159]  do_filp_open+0x1a1/0x280
[ 69.571169]  do_sys_open+0x3c0/0x500
[ 69.571180]  do_syscall_64+0xf9/0x620
[ 69.571192]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.571195]
[ 69.571201] Freed by task 8135:
[ 69.571212]  __kasan_slab_free+0xf7/0x140
[ 69.571220]  kfree+0xce/0x220
[ 69.571233]  vt_disallocate_all+0x293/0x3b0
[ 69.571245]  vt_ioctl+0xb79/0x2310
[ 69.571255]  tty_ioctl+0x7a1/0x1420
[ 69.571267]  do_vfs_ioctl+0xcda/0x12e0
[ 69.571277]  ksys_ioctl+0x9b/0xc0
[ 69.571287]  __x64_sys_ioctl+0x6f/0xb0
[ 69.571298]  do_syscall_64+0xf9/0x620
[ 69.571310]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.571313]
[ 69.571321] The buggy address belongs to the object at ffff88808f153700
[ 69.571321]  which belongs to the cache kmalloc-2048 of size 2048
[ 69.571331] The buggy address is located 264 bytes inside of
[ 69.571331]  2048-byte region [ffff88808f153700, ffff88808f153f00)
[ 69.571335] The buggy address belongs to the page:
[ 69.571344] page:ffffea00023c5480 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
[ 69.571356] flags: 0xfffe0000008100(slab|head)
[ 69.571373] raw: 00fffe0000008100 ffffea00023b7588 ffffea00023c3088 ffff88812c3dcc40
[ 69.571386] raw: 0000000000000000 ffff88808f152600 0000000100000003 0000000000000000
[ 69.571392] page dumped because: kasan: bad access detected
[ 69.571395]
[ 69.571399] Memory state around the buggy address:
[ 69.571408]  ffff88808f153700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.571418]  ffff88808f153780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.571427] >ffff88808f153800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.571432]                                         ^
[ 69.571441]  ffff88808f153880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.571451]  ffff88808f153900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.571455] ==================================================================
[ 69.571459] Disabling lock debugging due to kernel taint
[ 69.571465] Kernel panic - not syncing: panic_on_warn set ...
[ 69.571465]
[ 69.571478] CPU: 1 PID: 8134 Comm: syz-executor571 Tainted: G    B 4.19.107-syzkaller #0
[ 69.571484] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.571487] Call Trace:
[ 69.571500]  dump_stack+0x188/0x20d
[ 69.571514]  panic+0x26a/0x50e
[ 69.571527]  ? __warn_printk+0xf3/0xf3
[ 69.571540]  ? lock_downgrade+0x740/0x740
[ 69.571554]  ? print_shadow_for_address+0xb8/0x114
[ 69.571566]  ? trace_hardirqs_on+0x55/0x210
[ 69.571578]  ? con_shutdown+0x7f/0x90
[ 69.571589]  kasan_end_report+0x43/0x49
[ 69.571608]  kasan_report.cold+0xa4/0x2b9
[ 69.571620]  ? set_palette+0x1b0/0x1b0
[ 69.571631]  con_shutdown+0x7f/0x90
[ 69.571641]  release_tty+0xda/0x4c0
[ 69.571654]  tty_release_struct+0x37/0x50
[ 69.571665]  tty_release+0xbc7/0xe90
[ 69.571680]  ? tty_release_struct+0x50/0x50
[ 69.571692]  __fput+0x2cd/0x890
[ 69.571705]  task_work_run+0x13f/0x1b0
[ 69.571719]  do_exit+0xbcd/0x2f30
[ 69.571735]  ? mm_update_next_owner+0x650/0x650
[ 69.571747]  ? up_read+0x17/0x110
[ 69.571759]  ? __do_page_fault+0x44e/0xdd0
[ 69.571773]  do_group_exit+0x125/0x350
[ 69.571787]  __x64_sys_exit_group+0x3a/0x50
[ 69.571800]  do_syscall_64+0xf9/0x620
[ 69.571813]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.571822] RIP: 0033:0x43ff38
[ 69.571830] Code: Bad RIP value.
[ 69.571836] RSP: 002b:00007ffeaa9f61f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 69.571846] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 69.571852] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 69.571858] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 69.571865] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 69.571871] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 69.573204] Kernel Offset: disabled
[ 70.161256] Rebooting in 86400 seconds..