Warning: Permanently added '10.128.0.61' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 60.611772] audit: type=1400 audit(1581252640.321:36): avc: denied { map } for pid=8020 comm="syz-executor681" path="/root/syz-executor681324337" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 60.672572] ==================================================================
[ 60.672610] BUG: KASAN: use-after-free in con_shutdown+0x85/0x90
[ 60.672622] Write of size 8 at addr ffff88808eb9f548 by task syz-executor681/8028
[ 60.672626]
[ 60.672641] CPU: 0 PID: 8028 Comm: syz-executor681 Not tainted 4.19.102-syzkaller #0
[ 60.672649] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.672654] Call Trace:
[ 60.672671]  dump_stack+0x197/0x210
[ 60.672688]  ? con_shutdown+0x85/0x90
[ 60.672718]  print_address_description.cold+0x7c/0x20d
[ 60.672735]  ? con_shutdown+0x85/0x90
[ 60.672750]  kasan_report.cold+0x8c/0x2ba
[ 60.672766]  ? set_palette+0x1c0/0x1c0
[ 60.672785]  __asan_report_store8_noabort+0x17/0x20
[ 60.672799]  con_shutdown+0x85/0x90
[ 60.672815]  release_tty+0xe4/0x4d0
[ 60.672831]  tty_release_struct+0x3c/0x50
[ 60.672846]  tty_release+0xbcb/0xe90
[ 60.672869]  ? tty_release_struct+0x50/0x50
[ 60.672884]  __fput+0x2dd/0x8b0
[ 60.672906]  ____fput+0x16/0x20
[ 60.672919]  task_work_run+0x145/0x1c0
[ 60.672940]  do_exit+0xc1f/0x30d0
[ 60.672959]  ? mm_update_next_owner+0x660/0x660
[ 60.672971]  ? up_read+0x1a/0x110
[ 60.672982]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 60.672993]  ? __do_page_fault+0x484/0xe90
[ 60.673010]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 60.673022]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 60.673039]  do_group_exit+0x135/0x370
[ 60.673053]  __x64_sys_exit_group+0x44/0x50
[ 60.673065]  do_syscall_64+0xfd/0x620
[ 60.673081]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.673089] RIP: 0033:0x43ff38
[ 60.673100] Code: Bad RIP value.
[ 60.673107] RSP: 002b:00007ffd081b84d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 60.673117] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 60.673124] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 60.673130] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 60.673136] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 60.673143] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 60.673157]
[ 60.673162] Allocated by task 8028:
[ 60.673172]  save_stack+0x45/0xd0
[ 60.673181]  kasan_kmalloc+0xce/0xf0
[ 60.673191]  kmem_cache_alloc_trace+0x152/0x760
[ 60.673201]  vc_allocate+0x1f5/0x760
[ 60.673211]  con_install+0x52/0x410
[ 60.673220]  tty_init_dev+0xf7/0x460
[ 60.673229]  tty_open+0x4bf/0xb70
[ 60.673237]  chrdev_open+0x245/0x6b0
[ 60.673245]  do_dentry_open+0x4c3/0x1210
[ 60.673254]  vfs_open+0xa0/0xd0
[ 60.673265]  path_openat+0x10d8/0x44a0
[ 60.673275]  do_filp_open+0x1a1/0x280
[ 60.673286]  do_sys_open+0x3fe/0x550
[ 60.673298]  __x64_sys_open+0x7e/0xc0
[ 60.673312]  do_syscall_64+0xfd/0x620
[ 60.673325]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.673329]
[ 60.673334] Freed by task 8030:
[ 60.673346]  save_stack+0x45/0xd0
[ 60.673358]  __kasan_slab_free+0x102/0x150
[ 60.673372]  kasan_slab_free+0xe/0x10
[ 60.673382]  kfree+0xcf/0x220
[ 60.673398]  vt_disallocate_all+0x2bd/0x3e0
[ 60.673411]  vt_ioctl+0xc38/0x2530
[ 60.673421]  tty_ioctl+0x7f3/0x1510
[ 60.673432]  do_vfs_ioctl+0xd5f/0x1380
[ 60.673443]  ksys_ioctl+0xab/0xd0
[ 60.673454]  __x64_sys_ioctl+0x73/0xb0
[ 60.673468]  do_syscall_64+0xfd/0x620
[ 60.673482]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.673486]
[ 60.673493] The buggy address belongs to the object at ffff88808eb9f440
[ 60.673493]  which belongs to the cache kmalloc-2048 of size 2048
[ 60.673504] The buggy address is located 264 bytes inside of
[ 60.673504]  2048-byte region [ffff88808eb9f440, ffff88808eb9fc40)
[ 60.673508] The buggy address belongs to the page:
[ 60.673519] page:ffffea00023ae780 count:1 mapcount:0 mapping:ffff88812c31cc40 index:0x0 compound_mapcount: 0
[ 60.673533] flags: 0xfffe0000008100(slab|head)
[ 60.673550] raw: 00fffe0000008100 ffffea0001ffb088 ffffea0002579708 ffff88812c31cc40
[ 60.673565] raw: 0000000000000000 ffff88808eb9e340 0000000100000003 0000000000000000
[ 60.673571] page dumped because: kasan: bad access detected
[ 60.673574]
[ 60.673577] Memory state around the buggy address:
[ 60.673588]  ffff88808eb9f400: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 60.673598]  ffff88808eb9f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.673608] >ffff88808eb9f500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.673614]                                               ^
[ 60.673624]  ffff88808eb9f580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.673634]  ffff88808eb9f600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.673639] ==================================================================
[ 60.673643] Disabling lock debugging due to kernel taint
[ 60.673674] Kernel panic - not syncing: panic_on_warn set ...
[ 60.673674]
[ 60.673685] CPU: 0 PID: 8028 Comm: syz-executor681 Tainted: G B 4.19.102-syzkaller #0
[ 60.673690] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.673693] Call Trace:
[ 60.673713]  dump_stack+0x197/0x210
[ 60.673728]  ? con_shutdown+0x85/0x90
[ 60.673741]  panic+0x26a/0x50e
[ 60.673755]  ? __warn_printk+0xf3/0xf3
[ 60.673767]  ? con_shutdown+0x85/0x90
[ 60.673784]  ? trace_hardirqs_on+0x5e/0x220
[ 60.673795]  ? trace_hardirqs_on+0x5e/0x220
[ 60.673809]  ? con_shutdown+0x85/0x90
[ 60.673822]  kasan_end_report+0x47/0x4f
[ 60.673836]  kasan_report.cold+0xa9/0x2ba
[ 60.673849]  ? set_palette+0x1c0/0x1c0
[ 60.673862]  __asan_report_store8_noabort+0x17/0x20
[ 60.673873]  con_shutdown+0x85/0x90
[ 60.673884]  release_tty+0xe4/0x4d0
[ 60.673896]  tty_release_struct+0x3c/0x50
[ 60.673906]  tty_release+0xbcb/0xe90
[ 60.673919]  ? tty_release_struct+0x50/0x50
[ 60.673931]  __fput+0x2dd/0x8b0
[ 60.673946]  ____fput+0x16/0x20
[ 60.673955]  task_work_run+0x145/0x1c0
[ 60.673968]  do_exit+0xc1f/0x30d0
[ 60.673984]  ? mm_update_next_owner+0x660/0x660
[ 60.673996]  ? up_read+0x1a/0x110
[ 60.674008]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 60.674021]  ? __do_page_fault+0x484/0xe90
[ 60.674037]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 60.674049]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 60.674062]  do_group_exit+0x135/0x370
[ 60.674075]  __x64_sys_exit_group+0x44/0x50
[ 60.674089]  do_syscall_64+0xfd/0x620
[ 60.674104]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.674112] RIP: 0033:0x43ff38
[ 60.674121] Code: Bad RIP value.
[ 60.674128] RSP: 002b:00007ffd081b84d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 60.674139] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[ 60.674146] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 60.674153] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 60.674161] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 60.674168] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[ 60.675329] Kernel Offset: disabled
[ 61.328755] Rebooting in 86400 seconds..
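The report above already contains everything needed to classify the bug: the vc_data object was kmalloc'ed by task 8028 on the tty_open path (vc_allocate via con_install), freed by a different task, 8030, from vt_ioctl's vt_disallocate_all (the all-consoles path of the VT_DISALLOCATE ioctl), and then written to 264 bytes into the freed 2048-byte object by task 8028 in con_shutdown when its tty was released at exit. A free by one task of an object another task still holds is the signature of a lifetime race between two syscall paths rather than a local logic error, and that is the fact a triager wants extracted first. The script below is an added example for this page, not syzbot's or the kernel's own tooling; it parses a constructed excerpt of the report above (the same lines, trimmed) and computes those triage facts. The names parse_kasan_report, triage, KasanReport and the NOISE frame list are this example's own choices.

```python
# Added example for this page (not syzbot's or the kernel's tooling): pull the
# triage facts out of a KASAN report and flag the cross-task free it shows.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt of the report above, trimmed to the lines the parser uses.
SAMPLE_REPORT = """\
[ 60.672610] BUG: KASAN: use-after-free in con_shutdown+0x85/0x90
[ 60.672622] Write of size 8 at addr ffff88808eb9f548 by task syz-executor681/8028
[ 60.672654] Call Trace:
[ 60.672671]  dump_stack+0x197/0x210
[ 60.672688]  ? con_shutdown+0x85/0x90
[ 60.672718]  print_address_description.cold+0x7c/0x20d
[ 60.672750]  kasan_report.cold+0x8c/0x2ba
[ 60.672785]  __asan_report_store8_noabort+0x17/0x20
[ 60.672799]  con_shutdown+0x85/0x90
[ 60.673162] Allocated by task 8028:
[ 60.673172]  save_stack+0x45/0xd0
[ 60.673181]  kasan_kmalloc+0xce/0xf0
[ 60.673191]  kmem_cache_alloc_trace+0x152/0x760
[ 60.673201]  vc_allocate+0x1f5/0x760
[ 60.673334] Freed by task 8030:
[ 60.673346]  save_stack+0x45/0xd0
[ 60.673358]  __kasan_slab_free+0x102/0x150
[ 60.673382]  kfree+0xcf/0x220
[ 60.673398]  vt_disallocate_all+0x2bd/0x3e0
[ 60.673493] The buggy address belongs to the object at ffff88808eb9f440
[ 60.673504]  2048-byte region [ffff88808eb9f440, ffff88808eb9fc40)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # "[ 60.672610] " console prefix
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<sym>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                    r" by task (?P<comm>\S+)/(?P<pid>\d+)")
SECTION = re.compile(r"^(Call Trace:|Allocated by task (?P<apid>\d+):|Freed by task (?P<fpid>\d+):)$")
FRAME = re.compile(r"^(?P<stale>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OBJECT = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
REGION = re.compile(r"(?P<size>\d+)-byte region \[")
# Sanitizer and allocator plumbing that sits above the frame a triager cares about.
NOISE = ("dump_stack", "print_address_description", "kasan_", "__kasan_", "__asan_",
         "save_stack", "kmem_cache_alloc", "kmalloc", "kfree")

@dataclass
class KasanReport:
    kind: str = ""
    sym: str = ""
    rw: str = ""
    size: int = 0
    addr: int = 0
    pid: int = 0
    alloc_pid: Optional[int] = None
    free_pid: Optional[int] = None
    object_base: int = 0
    object_size: int = 0
    stacks: Dict[str, List[str]] = field(default_factory=dict)  # access / alloc / free

def parse_kasan_report(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if not line:
            section = None  # a blank line closes a stack section
        elif m := BUG.search(line):
            r.kind, r.sym = m["kind"], m["sym"]
        elif m := ACCESS.search(line):
            r.rw, r.size, r.addr, r.pid = m["rw"], int(m["size"]), int(m["addr"], 16), int(m["pid"])
        elif m := SECTION.match(line):
            section = "alloc" if m["apid"] else "free" if m["fpid"] else "access"
            r.alloc_pid = int(m["apid"]) if m["apid"] else r.alloc_pid
            r.free_pid = int(m["fpid"]) if m["fpid"] else r.free_pid
            r.stacks[section] = []
        elif (m := FRAME.match(line)) and section:
            if not m["stale"]:  # "? sym" entries are leftover stack slots, not real callers
                r.stacks[section].append(m["sym"])
        elif m := OBJECT.search(line):
            r.object_base = int(m["base"], 16)
        elif m := REGION.search(line):
            r.object_size = int(m["size"])
    return r

def first_real_frame(frames: List[str]) -> str:
    """First frame that is not sanitizer/allocator plumbing."""
    return next((f for f in frames if not f.startswith(NOISE)), "")

def triage(r: KasanReport) -> Dict[str, object]:
    access, alloc, free = (first_real_frame(r.stacks.get(k, [])) for k in ("access", "alloc", "free"))
    offset = r.addr - r.object_base
    return {
        "access_site": access, "alloc_site": alloc, "free_site": free,
        "offset_in_object": offset, "inside_object": 0 <= offset < r.object_size,
        # A free by a task other than the one still using the object is the signature
        # of a lifetime race between two syscall paths (here tty close vs. VT_DISALLOCATE).
        "cross_task_free": r.free_pid is not None and r.free_pid != r.pid,
        "story": f"task {r.alloc_pid} allocated in {alloc}; task {r.free_pid} freed in {free}; "
                 f"task {r.pid} then wrote {r.size} bytes to the freed object in {access}",
    }
```

Run it on the full report rather than the excerpt and the result is the same: the `? sym` frames are skipped because they are stale stack slots, the KASAN and allocator frames are skipped by prefix, and the offset check (264 bytes into a 2048-byte region) confirms the write lands inside a freed object rather than past the end of a live one, which is what distinguishes this use-after-free from an out-of-bounds write.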