Warning: Permanently added '10.128.0.193' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 95.917544][ T27] audit: type=1400 audit(1575862834.094:42): avc: denied { map } for pid=9706 comm="syz-executor803" path="/root/syz-executor803952129" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
executing program
executing program
executing program
[ 96.105534][ T9732] ==================================================================
[ 96.113883][ T9732] BUG: KASAN: use-after-free in get_work_pool+0x1c/0x1b0
[ 96.120913][ T9732] Read of size 8 at addr ffff888093492008 by task syz-executor803/9732
[ 96.129145][ T9732]
[ 96.131487][ T9732] CPU: 1 PID: 9732 Comm: syz-executor803 Not tainted 5.4.0-syzkaller #0
[ 96.139806][ T9732] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 96.149866][ T9732] Call Trace:
[ 96.153164][ T9732] dump_stack+0x197/0x210
[ 96.157504][ T9732] ? get_work_pool+0x1c/0x1b0
[ 96.162200][ T9732] print_address_description.constprop.0.cold+0xd4/0x30b
[ 96.169236][ T9732] ? get_work_pool+0x1c/0x1b0
[ 96.173926][ T9732] ? get_work_pool+0x1c/0x1b0
[ 96.178615][ T9732] __kasan_report.cold+0x1b/0x41
[ 96.183560][ T9732] ? get_work_pool+0x1c/0x1b0
[ 96.188244][ T9732] kasan_report+0x12/0x20
[ 96.192585][ T9732] check_memory_region+0x134/0x1a0
[ 96.197817][ T9732] __kasan_check_read+0x11/0x20
[ 96.202674][ T9732] get_work_pool+0x1c/0x1b0
[ 96.207186][ T9732] __flush_work+0x153/0xa50
[ 96.211712][ T9732] ? __kasan_check_read+0x11/0x20
[ 96.216786][ T9732] ? queue_delayed_work_on+0x210/0x210
[ 96.222259][ T9732] ? __kasan_check_read+0x11/0x20
[ 96.227295][ T9732] ? mark_lock+0xc2/0x1220
[ 96.231719][ T9732] ? find_held_lock+0x35/0x130
[ 96.236497][ T9732] ? mark_held_locks+0xa4/0xf0
[ 96.241267][ T9732] ? __cancel_work_timer+0xc4/0x540
[ 96.246649][ T9732] ? __cancel_work_timer+0x1e0/0x540
[ 96.252124][ T9732] ? cancel_work_sync+0x18/0x20
[ 96.256980][ T9732] ? __cancel_work_timer+0x1e0/0x540
[ 96.262271][ T9732] ? lockdep_hardirqs_on+0x421/0x5e0
[ 96.267568][ T9732] ? trace_hardirqs_on+0x67/0x240
[ 96.272613][ T9732] __cancel_work_timer+0x3d9/0x540
[ 96.277736][ T9732] ? console_unlock+0x7b3/0xf00
[ 96.282598][ T9732] ? mod_delayed_work_on+0x200/0x200
[ 96.287894][ T9732] ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 96.293631][ T9732] ? console_unlock+0x81e/0xf00
[ 96.298506][ T9732] cancel_work_sync+0x18/0x20
[ 96.303193][ T9732] tty_buffer_cancel_work+0x16/0x20
[ 96.308401][ T9732] release_tty+0x261/0x470
[ 96.312830][ T9732] tty_release_struct+0x3c/0x50
[ 96.317690][ T9732] tty_release+0xbcb/0xe90
[ 96.322125][ T9732] __fput+0x2ff/0x890
[ 96.326115][ T9732] ? do_tty_hangup+0x30/0x30
[ 96.330715][ T9732] ____fput+0x16/0x20
[ 96.334811][ T9732] task_work_run+0x145/0x1c0
[ 96.339420][ T9732] do_exit+0x8e7/0x2ef0
[ 96.343708][ T9732] ? mm_update_next_owner+0x7c0/0x7c0
[ 96.349117][ T9732] ? down_read_non_owner+0x490/0x490
[ 96.354412][ T9732] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 96.360664][ T9732] ? handle_mm_fault+0x4ab/0xa50
[ 96.365621][ T9732] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 96.371180][ T9732] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 96.376654][ T9732] do_group_exit+0x135/0x360
[ 96.381286][ T9732] __x64_sys_exit_group+0x44/0x50
[ 96.386495][ T9732] do_syscall_64+0xfa/0x790
[ 96.391044][ T9732] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 96.396940][ T9732] RIP: 0033:0x43ff38
[ 96.400842][ T9732] Code: Bad RIP value.
[ 96.404933][ T9732] RSP: 002b:00007ffc3c6d7428 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 96.413348][ T9732] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 96.421323][ T9732] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 96.429301][ T9732] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 96.437273][ T9732] R10: 0000000000000064 R11: 0000000000000246 R12: 0000000000000001
[ 96.445249][ T9732] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 96.453228][ T9732]
[ 96.455551][ T9732] Allocated by task 9732:
[ 96.459892][ T9732] save_stack+0x23/0x90
[ 96.464051][ T9732] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 96.469686][ T9732] kasan_kmalloc+0x9/0x10
[ 96.474020][ T9732] kmem_cache_alloc_trace+0x158/0x790
[ 96.479395][ T9732] vc_allocate+0x1fc/0x760
[ 96.483821][ T9732] con_install+0x52/0x410
[ 96.488156][ T9732] tty_init_dev+0xf9/0x470
[ 96.492586][ T9732] tty_open+0x4a5/0xbb0
[ 96.496742][ T9732] chrdev_open+0x245/0x6b0
[ 96.501160][ T9732] do_dentry_open+0x4e6/0x1380
[ 96.505922][ T9732] vfs_open+0xa0/0xd0
[ 96.509904][ T9732] path_openat+0x10df/0x4500
[ 96.514493][ T9732] do_filp_open+0x1a1/0x280
[ 96.518995][ T9732] do_sys_open+0x3fe/0x5d0
[ 96.523409][ T9732] __x64_sys_open+0x7e/0xc0
[ 96.527918][ T9732] do_syscall_64+0xfa/0x790
[ 96.532424][ T9732] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 96.538402][ T9732]
[ 96.540729][ T9732] Freed by task 9731:
[ 96.544710][ T9732] save_stack+0x23/0x90
[ 96.548868][ T9732] __kasan_slab_free+0x102/0x150
[ 96.553803][ T9732] kasan_slab_free+0xe/0x10
[ 96.558308][ T9732] kfree+0x10a/0x2c0
[ 96.562209][ T9732] vt_disallocate_all+0x2bd/0x3e0
[ 96.567233][ T9732] vt_ioctl+0xc38/0x26d0
[ 96.571485][ T9732] tty_ioctl+0xa37/0x14f0
[ 96.575813][ T9732] do_vfs_ioctl+0x977/0x14e0
[ 96.580851][ T9732] ksys_ioctl+0xab/0xd0
[ 96.585031][ T9732] __x64_sys_ioctl+0x73/0xb0
[ 96.589629][ T9732] do_syscall_64+0xfa/0x790
[ 96.594137][ T9732] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 96.600021][ T9732]
[ 96.602351][ T9732] The buggy address belongs to the object at ffff888093492000
[ 96.602351][ T9732] which belongs to the cache kmalloc-2k of size 2048
[ 96.616407][ T9732] The buggy address is located 8 bytes inside of
[ 96.616407][ T9732] 2048-byte region [ffff888093492000, ffff888093492800)
[ 96.629592][ T9732] The buggy address belongs to the page:
[ 96.635228][ T9732] page:ffffea00024d2480 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
[ 96.644348][ T9732] raw: 00fffe0000000200 ffffea00027f3548 ffffea00024d45c8 ffff8880aa400e00
[ 96.652940][ T9732] raw: 0000000000000000 ffff888093492000 0000000100000001 0000000000000000
[ 96.661525][ T9732] page dumped because: kasan: bad access detected
[ 96.667936][ T9732]
[ 96.670265][ T9732] Memory state around the buggy address:
[ 96.675893][ T9732] ffff888093491f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 96.683946][ T9732] ffff888093491f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 96.691986][ T9732] >ffff888093492000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.700063][ T9732] ^
[ 96.704411][ T9732] ffff888093492080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.712459][ T9732] ffff888093492100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.720525][ T9732] ==================================================================
[ 96.728566][ T9732] Disabling lock debugging due to kernel taint
[ 96.736644][ T9732] Kernel panic - not syncing: panic_on_warn set ...
[ 96.743245][ T9732] CPU: 1 PID: 9732 Comm: syz-executor803 Tainted: G B 5.4.0-syzkaller #0
[ 96.753085][ T9732] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 96.763122][ T9732] Call Trace:
[ 96.766396][ T9732] dump_stack+0x197/0x210
[ 96.771663][ T9732] panic+0x2e3/0x75c
[ 96.775607][ T9732] ? add_taint.cold+0x16/0x16
[ 96.780272][ T9732] ? get_work_pool+0x1c/0x1b0
[ 96.784943][ T9732] ? preempt_schedule+0x4b/0x60
[ 96.789776][ T9732] ? ___preempt_schedule+0x16/0x18
[ 96.794865][ T9732] ? trace_hardirqs_on+0x5e/0x240
[ 96.799866][ T9732] ? get_work_pool+0x1c/0x1b0
[ 96.804523][ T9732] end_report+0x47/0x4f
[ 96.809700][ T9732] ? get_work_pool+0x1c/0x1b0
[ 96.814361][ T9732] __kasan_report.cold+0xe/0x41
[ 96.819205][ T9732] ? get_work_pool+0x1c/0x1b0
[ 96.823864][ T9732] kasan_report+0x12/0x20
[ 96.828345][ T9732] check_memory_region+0x134/0x1a0
[ 96.833434][ T9732] __kasan_check_read+0x11/0x20
[ 96.838317][ T9732] get_work_pool+0x1c/0x1b0
[ 96.842806][ T9732] __flush_work+0x153/0xa50
[ 96.847285][ T9732] ? __kasan_check_read+0x11/0x20
[ 96.852288][ T9732] ? queue_delayed_work_on+0x210/0x210
[ 96.857727][ T9732] ? __kasan_check_read+0x11/0x20
[ 96.862746][ T9732] ? mark_lock+0xc2/0x1220
[ 96.867161][ T9732] ? find_held_lock+0x35/0x130
[ 96.871917][ T9732] ? mark_held_locks+0xa4/0xf0
[ 96.876662][ T9732] ? __cancel_work_timer+0xc4/0x540
[ 96.881838][ T9732] ? __cancel_work_timer+0x1e0/0x540
[ 96.887154][ T9732] ? cancel_work_sync+0x18/0x20
[ 96.892038][ T9732] ? __cancel_work_timer+0x1e0/0x540
[ 96.897302][ T9732] ? lockdep_hardirqs_on+0x421/0x5e0
[ 96.902568][ T9732] ? trace_hardirqs_on+0x67/0x240
[ 96.907579][ T9732] __cancel_work_timer+0x3d9/0x540
[ 96.912678][ T9732] ? console_unlock+0x7b3/0xf00
[ 96.917509][ T9732] ? mod_delayed_work_on+0x200/0x200
[ 96.922773][ T9732] ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 96.928471][ T9732] ? console_unlock+0x81e/0xf00
[ 96.933311][ T9732] cancel_work_sync+0x18/0x20
[ 96.937969][ T9732] tty_buffer_cancel_work+0x16/0x20
[ 96.943144][ T9732] release_tty+0x261/0x470
[ 96.947540][ T9732] tty_release_struct+0x3c/0x50
[ 96.952371][ T9732] tty_release+0xbcb/0xe90
[ 96.956767][ T9732] __fput+0x2ff/0x890
[ 96.960730][ T9732] ? do_tty_hangup+0x30/0x30
[ 96.965302][ T9732] ____fput+0x16/0x20
[ 96.969283][ T9732] task_work_run+0x145/0x1c0
[ 96.973866][ T9732] do_exit+0x8e7/0x2ef0
[ 96.978075][ T9732] ? mm_update_next_owner+0x7c0/0x7c0
[ 96.983455][ T9732] ? down_read_non_owner+0x490/0x490
[ 96.988723][ T9732] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 96.995086][ T9732] ? handle_mm_fault+0x4ab/0xa50
[ 97.000007][ T9732] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 97.005450][ T9732] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 97.010895][ T9732] do_group_exit+0x135/0x360
[ 97.015523][ T9732] __x64_sys_exit_group+0x44/0x50
[ 97.020528][ T9732] do_syscall_64+0xfa/0x790
[ 97.025021][ T9732] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 97.030922][ T9732] RIP: 0033:0x43ff38
[ 97.034803][ T9732] Code: Bad RIP value.
[ 97.038846][ T9732] RSP: 002b:00007ffc3c6d7428 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 97.047310][ T9732] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 97.055280][ T9732] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 97.063235][ T9732] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 97.071187][ T9732] R10: 0000000000000064 R11: 0000000000000246 R12: 0000000000000001
[ 97.079143][ T9732] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 97.088543][ T9732] Kernel Offset: disabled
[ 97.092871][ T9732] Rebooting in 86400 seconds..