[   43.766108] audit: type=1800 audit(1584095716.500:30): pid=7864 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   47.912648] kauditd_printk_skb: 4 callbacks suppressed
[   47.912661] audit: type=1400 audit(1584095720.670:35): avc:  denied  { map } for  pid=8038 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
[   54.881381] audit: type=1400 audit(1584095727.640:36): avc:  denied  { map } for  pid=8050 comm="syz-executor980" path="/root/syz-executor980276194" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   54.933871] ==================================================================
[   54.933912] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[   54.933923] Write of size 8 at addr ffff88808ce6a608 by task syz-executor980/8059
[   54.933926]
[   54.933940] CPU: 0 PID: 8059 Comm: syz-executor980 Not tainted 4.19.109-syzkaller #0
[   54.933947] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.933952] Call Trace:
[   54.933968]  dump_stack+0x188/0x20d
[   54.933984]  ? con_shutdown+0x7f/0x90
[   54.934000]  print_address_description.cold+0x7c/0x212
[   54.934014]  ? con_shutdown+0x7f/0x90
[   54.934027]  kasan_report.cold+0x88/0x2b9
[   54.934042]  ? set_palette+0x1b0/0x1b0
[   54.934055]  con_shutdown+0x7f/0x90
[   54.934067]  release_tty+0xda/0x4c0
[   54.934082]  tty_release_struct+0x37/0x50
[   54.934095]  tty_release+0xbc7/0xe90
[   54.934115]  ? tty_release_struct+0x50/0x50
[   54.934129]  __fput+0x2cd/0x890
[   54.934148]  task_work_run+0x13f/0x1b0
[   54.934174]  do_exit+0xbcd/0x2f30
[   54.934196]  ? mm_update_next_owner+0x650/0x650
[   54.934213]  ? up_read+0x17/0x110
[   54.934227]  ? __do_page_fault+0x44e/0xdd0
[   54.934246]  do_group_exit+0x125/0x350
[   54.934262]  __x64_sys_exit_group+0x3a/0x50
[   54.934282]  do_syscall_64+0xf9/0x620
[   54.934299]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.934309] RIP: 0033:0x43ff38
[   54.934324] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[   54.934331] RSP: 002b:00007ffc38d4d998 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   54.934343] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[   54.934351] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   54.934359] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[   54.934366] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   54.934374] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   54.934391]
[   54.934397] Allocated by task 8059:
[   54.934409]  kasan_kmalloc+0xbf/0xe0
[   54.934420]  kmem_cache_alloc_trace+0x14d/0x7a0
[   54.934431]  vc_allocate+0x1db/0x6d0
[   54.934442]  con_install+0x4f/0x400
[   54.934453]  tty_init_dev+0xee/0x450
[   54.934463]  tty_open+0x4b0/0xb00
[   54.934472]  chrdev_open+0x219/0x5c0
[   54.934482]  do_dentry_open+0x4a8/0x1160
[   54.934495]  path_openat+0x1031/0x4200
[   54.934507]  do_filp_open+0x1a1/0x280
[   54.934517]  do_sys_open+0x3c0/0x500
[   54.934529]  do_syscall_64+0xf9/0x620
[   54.934541]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.934544]
[   54.934549] Freed by task 8060:
[   54.934561]  __kasan_slab_free+0xf7/0x140
[   54.934570]  kfree+0xce/0x220
[   54.934584]  vt_disallocate_all+0x293/0x3b0
[   54.934595]  vt_ioctl+0xb79/0x2310
[   54.934606]  tty_ioctl+0x7a1/0x1420
[   54.934617]  do_vfs_ioctl+0xcda/0x12e0
[   54.934627]  ksys_ioctl+0x9b/0xc0
[   54.934638]  __x64_sys_ioctl+0x6f/0xb0
[   54.934650]  do_syscall_64+0xf9/0x620
[   54.934661]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.934664]
[   54.934672] The buggy address belongs to the object at ffff88808ce6a500
[   54.934672]  which belongs to the cache kmalloc-2048 of size 2048
[   54.934683] The buggy address is located 264 bytes inside of
[   54.934683]  2048-byte region [ffff88808ce6a500, ffff88808ce6ad00)
[   54.934687] The buggy address belongs to the page:
[   54.934697] page:ffffea0002339a80 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
[   54.934710] flags: 0xfffe0000008100(slab|head)
[   54.934727] raw: 00fffe0000008100 ffffea0002494b88 ffffea000241f688 ffff88812c3dcc40
[   54.934740] raw: 0000000000000000 ffff88808ce6a500 0000000100000003 0000000000000000
[   54.934745] page dumped because: kasan: bad access detected
[   54.934748]
[   54.934751] Memory state around the buggy address:
[   54.934761]  ffff88808ce6a500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.934771]  ffff88808ce6a580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.934779] >ffff88808ce6a600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.934783]                       ^
[   54.934792]  ffff88808ce6a680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.934800]  ffff88808ce6a700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.934804] ==================================================================
[   54.934808] Disabling lock debugging due to kernel taint
[   54.934912] Kernel panic - not syncing: panic_on_warn set ...
[   54.934912]
[   54.934925] CPU: 0 PID: 8059 Comm: syz-executor980 Tainted: G    B             4.19.109-syzkaller #0
[   54.934931] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.934934] Call Trace:
[   54.934948]  dump_stack+0x188/0x20d
[   54.934964]  panic+0x26a/0x50e
[   54.934978]  ? __warn_printk+0xf3/0xf3
[   54.934992]  ? preempt_schedule_common+0x4a/0xc0
[   54.935004]  ? con_shutdown+0x7f/0x90
[   54.935017]  ? ___preempt_schedule+0x16/0x18
[   54.935030]  ? trace_hardirqs_on+0x55/0x210
[   54.935042]  ? con_shutdown+0x7f/0x90
[   54.935053]  kasan_end_report+0x43/0x49
[   54.935066]  kasan_report.cold+0xa4/0x2b9
[   54.935077]  ? set_palette+0x1b0/0x1b0
[   54.935088]  con_shutdown+0x7f/0x90
[   54.935098]  release_tty+0xda/0x4c0
[   54.935111]  tty_release_struct+0x37/0x50
[   54.935123]  tty_release+0xbc7/0xe90
[   54.935138]  ? tty_release_struct+0x50/0x50
[   54.935151]  __fput+0x2cd/0x890
[   54.935172]  task_work_run+0x13f/0x1b0
[   54.935186]  do_exit+0xbcd/0x2f30
[   54.935202]  ? mm_update_next_owner+0x650/0x650
[   54.935215]  ? up_read+0x17/0x110
[   54.935227]  ? __do_page_fault+0x44e/0xdd0
[   54.935241]  do_group_exit+0x125/0x350
[   54.935254]  __x64_sys_exit_group+0x3a/0x50
[   54.935267]  do_syscall_64+0xf9/0x620
[   54.935281]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.935289] RIP: 0033:0x43ff38
[   54.935301] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[   54.935308] RSP: 002b:00007ffc38d4d998 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   54.935319] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[   54.935326] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   54.935332] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[   54.935338] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   54.935343] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   54.936114] Kernel Offset: disabled
[   55.559232] Rebooting in 86400 seconds..
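What the report above establishes for triage: task 8059 allocated the console object on the tty_open -> con_install -> vc_allocate path, a different task, 8060, freed it through the VT ioctl path (vt_ioctl -> vt_disallocate_all -> kfree), and 8059 then wrote 8 bytes to it, 264 bytes into a kmalloc-2048 object, when its tty was released during exit_group (con_shutdown). The script below is an added example, not part of the syzkaller report or of any kernel or syzkaller tooling: it parses the KASAN section of such a console log into the access, allocation and free stacks, drops the "? " frames (addresses found on the stack but not confirmed as callers), and derives the facts a triager checks first: offset within the object, whether the access lies inside the object, the first non-KASAN frame of each stack, the syscall each stack came from, and whether the free happened in a different task than the allocation. The `REPORT` string is an excerpt of the lines above; the regexes are written for the 4.19-era report layout seen here and are an assumption for other kernel versions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt of the KASAN report above (timestamps kept, most frames dropped); the stale "? " frame stays in on purpose.
REPORT = """\
[   54.933912] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[   54.933923] Write of size 8 at addr ffff88808ce6a608 by task syz-executor980/8059
[   54.933952] Call Trace:
[   54.933984]  ? con_shutdown+0x7f/0x90
[   54.934027]  kasan_report.cold+0x88/0x2b9
[   54.934055]  con_shutdown+0x7f/0x90
[   54.934262]  __x64_sys_exit_group+0x3a/0x50
[   54.934309] RIP: 0033:0x43ff38
[   54.934397] Allocated by task 8059:
[   54.934409]  kasan_kmalloc+0xbf/0xe0
[   54.934431]  vc_allocate+0x1db/0x6d0
[   54.934463]  tty_open+0x4b0/0xb00
[   54.934517]  do_sys_open+0x3c0/0x500
[   54.934544]
[   54.934549] Freed by task 8060:
[   54.934561]  __kasan_slab_free+0xf7/0x140
[   54.934584]  vt_disallocate_all+0x293/0x3b0
[   54.934595]  vt_ioctl+0xb79/0x2310
[   54.934638]  __x64_sys_ioctl+0x6f/0xb0
[   54.934664]
[   54.934672]  which belongs to the cache kmalloc-2048 of size 2048
[   54.934683]  2048-byte region [ffff88808ce6a500, ffff88808ce6ad00)
"""

PREFIX_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task")
TASK_RE = re.compile(r"(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
FRAME_RE = re.compile(r"^\s*(?P<stale>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
CACHE_RE = re.compile(r"cache (?P<name>\S+) of size \d+")
REGION_RE = re.compile(r"region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
SYSCALL_RE = re.compile(r"^(?:__x64_sys_|do_sys_)(\w+)$")
# Frames that are KASAN/allocator plumbing rather than the code under test.
NOISE = ("kasan", "__kasan", "kfree", "kmem_cache", "kmalloc", "dump_stack", "print_address_description")


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    cache: str = ""
    obj_start: int = 0
    obj_end: int = 0
    pids: Dict[str, int] = field(default_factory=dict)  # "alloc"/"free" -> task pid
    stacks: Dict[str, List[str]] = field(default_factory=lambda: {"access": [], "alloc": [], "free": []})


def parse_kasan_report(text: str) -> KasanReport:
    rep, section = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw)
        m = FRAME_RE.match(line)
        if m and section:
            if not m["stale"]:  # "? " frames are stack-scan guesses, not confirmed callers
                rep.stacks[section].append(m["sym"])
            continue
        section = None  # any non-frame line closes the current stack
        if m := BUG_RE.search(line):
            rep.kind, rep.func = m["kind"], m["func"]
        elif m := ACCESS_RE.search(line):
            rep.op, rep.size, rep.addr = m["op"], int(m["size"]), int(m["addr"], 16)
        elif line.startswith("Call Trace:") and not rep.stacks["access"]:
            section = "access"  # the panic re-dumps the same trace later; keep only the first
        elif m := TASK_RE.search(line):
            section = "alloc" if m["what"] == "Allocated" else "free"
            rep.pids[section] = int(m["pid"])
        elif m := CACHE_RE.search(line):
            rep.cache = m["name"]
        elif m := REGION_RE.search(line):
            rep.obj_start, rep.obj_end = int(m["start"], 16), int(m["end"], 16)
    return rep


def first_real_frame(frames: List[str]) -> Optional[str]:
    """Innermost frame that is not KASAN/allocator plumbing."""
    return next((f for f in frames if not f.startswith(NOISE)), None)


def syscall_of(frames: List[str]) -> Optional[str]:
    """Syscall behind a stack, read off its __x64_sys_* / do_sys_* frame."""
    for f in frames:
        if m := SYSCALL_RE.match(f):
            return m.group(1)
    return None


def triage(rep: KasanReport) -> dict:
    """The facts a triager wants first: what, where in the object, who allocated and who freed."""
    return {
        "bug": f"{rep.kind}: {rep.op.lower()} of {rep.size} bytes in {rep.func}",
        "cache": rep.cache,
        "offset_in_object": rep.addr - rep.obj_start,
        "access_inside_object": rep.obj_start <= rep.addr < rep.obj_end,
        "access_site": first_real_frame(rep.stacks["access"]),
        "alloc_site": first_real_frame(rep.stacks["alloc"]),
        "free_site": first_real_frame(rep.stacks["free"]),
        "freed_by_other_task": rep.pids.get("free") is not None and rep.pids.get("free") != rep.pids.get("alloc"),
        "syscalls": {name: syscall_of(frames) for name, frames in rep.stacks.items()},
    }


if __name__ == "__main__":
    print(triage(parse_kasan_report(REPORT)))
```

Run on the excerpt it reports a use-after-free write of 8 bytes at offset 264 of a kmalloc-2048 object, allocated under open, freed under ioctl by a different task, and hit under exit_group; a free in another task is the first thing to look for when deciding whether a report is a race rather than a plain lifetime bug. Feeding it the full log works the same way, since the second Call Trace after the panic is ignored and the Code/register lines never match a frame.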