[   45.593617] audit: type=1800 audit(1582484783.756:29): pid=8154 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2447 res=0
[   45.641996] audit: type=1800 audit(1582484783.766:30): pid=8154 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.13' (ECDSA) to the list of known hosts.

syzkaller login:
[   54.137189] kauditd_printk_skb: 5 callbacks suppressed
[   54.137205] audit: type=1400 audit(1582484792.306:36): avc: denied { map } for pid=8338 comm="syz-executor117" path="/root/syz-executor117483353" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   54.155817] IPVS: ftp: loaded support on port[0] = 21
[   54.180297] IPVS: ftp: loaded support on port[0] = 21
[   54.185781] IPVS: ftp: loaded support on port[0] = 21
[   54.193698] IPVS: ftp: loaded support on port[0] = 21
[   54.198609] IPVS: ftp: loaded support on port[0] = 21
[   54.214762] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   54.618029] ==================================================================
[   54.618068] BUG: KASAN: use-after-free in con_shutdown+0x85/0x90
[   54.618080] Write of size 8 at addr ffff8880896fa1c8 by task syz-executor117/8385
[   54.618084]
[   54.618099] CPU: 0 PID: 8385 Comm: syz-executor117 Not tainted 4.19.105-syzkaller #0
[   54.618107] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.618113] Call Trace:
[   54.618131]  dump_stack+0x197/0x210
[   54.618148]  ? con_shutdown+0x85/0x90
[   54.618166]  print_address_description.cold+0x7c/0x20d
[   54.618182]  ? con_shutdown+0x85/0x90
[   54.618206]  kasan_report.cold+0x8c/0x2ba
[   54.618221]  ? set_palette+0x1c0/0x1c0
[   54.618238]  __asan_report_store8_noabort+0x17/0x20
[   54.618252]  con_shutdown+0x85/0x90
[   54.618265]  release_tty+0xe4/0x4d0
[   54.618282]  tty_release_struct+0x3c/0x50
[   54.618296]  tty_release+0xbcb/0xe90
[   54.618318]  ? tty_release_struct+0x50/0x50
[   54.618333]  __fput+0x2dd/0x8b0
[   54.618355]  ____fput+0x16/0x20
[   54.618369]  task_work_run+0x145/0x1c0
[   54.618392]  exit_to_usermode_loop+0x273/0x2c0
[   54.618411]  do_syscall_64+0x53d/0x620
[   54.618431]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.618443] RIP: 0033:0x4059d1
[   54.618457] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48 83 ec 08 e8 6a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 b3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[   54.618465] RSP: 002b:00007fff411960f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[   54.618479] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00000000004059d1
[   54.618487] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[   54.618495] RBP: 0000000000000005 R08: 0000209d20080522 R09: 0000209d20080522
[   54.618504] R10: 0000209d20080522 R11: 0000000000000293 R12: 00000000006dbc3c
[   54.618513] R13: 0000000000000001 R14: 00000000006dbc30 R15: 0000000000000064
[   54.618532]
[   54.618539] Allocated by task 8386:
[   54.618552]  save_stack+0x45/0xd0
[   54.618564]  kasan_kmalloc+0xce/0xf0
[   54.618575]  kmem_cache_alloc_trace+0x152/0x760
[   54.618588]  vc_allocate+0x1f5/0x760
[   54.618599]  con_install+0x52/0x410
[   54.618611]  tty_init_dev+0xf7/0x460
[   54.618622]  tty_open+0x4bf/0xb70
[   54.618633]  chrdev_open+0x245/0x6b0
[   54.618644]  do_dentry_open+0x4c3/0x1210
[   54.618654]  vfs_open+0xa0/0xd0
[   54.618668]  path_openat+0x10d8/0x44a0
[   54.618681]  do_filp_open+0x1a1/0x280
[   54.618692]  do_sys_open+0x3fe/0x550
[   54.618702]  __x64_sys_open+0x7e/0xc0
[   54.618715]  do_syscall_64+0xfd/0x620
[   54.618728]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.618732]
[   54.618738] Freed by task 8390:
[   54.618750]  save_stack+0x45/0xd0
[   54.618762]  __kasan_slab_free+0x102/0x150
[   54.618773]  kasan_slab_free+0xe/0x10
[   54.618784]  kfree+0xcf/0x220
[   54.618799]  vt_disallocate_all+0x2bd/0x3e0
[   54.618811]  vt_ioctl+0xc38/0x2530
[   54.618822]  tty_ioctl+0x7f3/0x1510
[   54.618834]  do_vfs_ioctl+0xd5f/0x1380
[   54.618844]  ksys_ioctl+0xab/0xd0
[   54.618856]  __x64_sys_ioctl+0x73/0xb0
[   54.618868]  do_syscall_64+0xfd/0x620
[   54.618881]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.618885]
[   54.618895] The buggy address belongs to the object at ffff8880896fa0c0
[   54.618895]  which belongs to the cache kmalloc-2048 of size 2048
[   54.618908] The buggy address is located 264 bytes inside of
[   54.618908]  2048-byte region [ffff8880896fa0c0, ffff8880896fa8c0)
[   54.618912] The buggy address belongs to the page:
[   54.618926] page:ffffea000225be80 count:1 mapcount:0 mapping:ffff88812c31cc40 index:0x0 compound_mapcount: 0
[   54.618942] flags: 0xfffe0000008100(slab|head)
[   54.618962] raw: 00fffe0000008100 ffffea000284ad08 ffffea0001f50e08 ffff88812c31cc40
[   54.618978] raw: 0000000000000000 ffff8880896fa0c0 0000000100000003 0000000000000000
[   54.618983] page dumped because: kasan: bad access detected
[   54.618987]
[   54.618991] Memory state around the buggy address:
[   54.619002]  ffff8880896fa080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   54.619013]  ffff8880896fa100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.619023] >ffff8880896fa180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.619029]                                               ^
[   54.619040]  ffff8880896fa200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.619050]  ffff8880896fa280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.619055] ==================================================================
[   54.619060] Disabling lock debugging due to kernel taint
[   54.619095] Kernel panic - not syncing: panic_on_warn set ...
[   54.619095]
[   54.619109] CPU: 0 PID: 8385 Comm: syz-executor117 Tainted: G    B   4.19.105-syzkaller #0
[   54.619116] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.619120] Call Trace:
[   54.619135]  dump_stack+0x197/0x210
[   54.619150]  ? con_shutdown+0x85/0x90
[   54.619169]  panic+0x26a/0x50e
[   54.619183]  ? __warn_printk+0xf3/0xf3
[   54.619201]  ? retint_kernel+0x2d/0x2d
[   54.619219]  ? trace_hardirqs_on+0x5e/0x220
[   54.619234]  ? con_shutdown+0x85/0x90
[   54.619247]  kasan_end_report+0x47/0x4f
[   54.619261]  kasan_report.cold+0xa9/0x2ba
[   54.619274]  ? set_palette+0x1c0/0x1c0
[   54.619289]  __asan_report_store8_noabort+0x17/0x20
[   54.619301]  con_shutdown+0x85/0x90
[   54.619314]  release_tty+0xe4/0x4d0
[   54.619328]  tty_release_struct+0x3c/0x50
[   54.619341]  tty_release+0xbcb/0xe90
[   54.619358]  ? tty_release_struct+0x50/0x50
[   54.619370]  __fput+0x2dd/0x8b0
[   54.619387]  ____fput+0x16/0x20
[   54.619400]  task_work_run+0x145/0x1c0
[   54.619418]  exit_to_usermode_loop+0x273/0x2c0
[   54.619434]  do_syscall_64+0x53d/0x620
[   54.619450]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.619460] RIP: 0033:0x4059d1
[   54.619472] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48 83 ec 08 e8 6a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 b3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[   54.619479] RSP: 002b:00007fff411960f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[   54.619491] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00000000004059d1
[   54.619498] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[   54.619506] RBP: 0000000000000005 R08: 0000209d20080522 R09: 0000209d20080522
[   54.619514] R10: 0000209d20080522 R11: 0000000000000293 R12: 00000000006dbc3c
[   54.619522] R13: 0000000000000001 R14: 00000000006dbc30 R15: 0000000000000064
[   54.621047] Kernel Offset: disabled
[   55.246314] Rebooting in 86400 seconds..
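The report above has the three pieces of information a triager needs for a use-after-free: where the stale object was written (con_shutdown, reached from tty_release), where it was allocated (vc_allocate, reached from tty_open) and where it was freed (vt_disallocate_all, reached from vt_ioctl), together with the slab cache and the offset of the write inside the object. The parser below, added here as an example and not part of the syzkaller log or of any syzkaller tooling, extracts those fields from a console log of this shape, drops the unreliable "? symbol" frames, picks the first frame outside the sanitizer/allocator machinery for each of the three stacks, and cross-checks the printed offset against the raw addresses. The embedded SAMPLE_LOG is a trimmed excerpt of the report on this page (values copied, frame lists shortened); the NOISE prefix list is the author's own heuristic, not something KASAN defines.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the KASAN report from this page with its stacks
# shortened. Timestamps, addresses, PIDs and symbols are copied as printed.
SAMPLE_LOG = """\
executing program
[ 54.618029] ==================================================================
[ 54.618068] BUG: KASAN: use-after-free in con_shutdown+0x85/0x90
[ 54.618080] Write of size 8 at addr ffff8880896fa1c8 by task syz-executor117/8385
[ 54.618084]
[ 54.618099] CPU: 0 PID: 8385 Comm: syz-executor117 Not tainted 4.19.105-syzkaller #0
[ 54.618113] Call Trace:
[ 54.618131]  dump_stack+0x197/0x210
[ 54.618148]  ? con_shutdown+0x85/0x90
[ 54.618166]  print_address_description.cold+0x7c/0x20d
[ 54.618206]  kasan_report.cold+0x8c/0x2ba
[ 54.618238]  __asan_report_store8_noabort+0x17/0x20
[ 54.618252]  con_shutdown+0x85/0x90
[ 54.618265]  release_tty+0xe4/0x4d0
[ 54.618296]  tty_release+0xbcb/0xe90
[ 54.618443] RIP: 0033:0x4059d1
[ 54.618539] Allocated by task 8386:
[ 54.618552]  save_stack+0x45/0xd0
[ 54.618564]  kasan_kmalloc+0xce/0xf0
[ 54.618575]  kmem_cache_alloc_trace+0x152/0x760
[ 54.618588]  vc_allocate+0x1f5/0x760
[ 54.618599]  con_install+0x52/0x410
[ 54.618622]  tty_open+0x4bf/0xb70
[ 54.618732]
[ 54.618738] Freed by task 8390:
[ 54.618750]  save_stack+0x45/0xd0
[ 54.618762]  __kasan_slab_free+0x102/0x150
[ 54.618784]  kfree+0xcf/0x220
[ 54.618799]  vt_disallocate_all+0x2bd/0x3e0
[ 54.618811]  vt_ioctl+0xc38/0x2530
[ 54.618885]
[ 54.618895] The buggy address belongs to the object at ffff8880896fa0c0
[ 54.618895]  which belongs to the cache kmalloc-2048 of size 2048
[ 54.618908] The buggy address is located 264 bytes inside of
[ 54.618908]  2048-byte region [ffff8880896fa0c0, ffff8880896fa8c0)
[ 54.619055] ==================================================================
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?(.*)$")
FRAME_RE = re.compile(r"^(\?\s+)?([A-Za-z_.][\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+)$")
# Heuristic (author's assumption): frames belonging to the sanitizer, the
# allocator or the report printer, skipped when assigning blame.
NOISE = ("dump_stack", "print_address_description", "kasan_", "__kasan_",
         "__asan_", "save_stack", "kmem_cache_alloc", "kmalloc", "__kmalloc", "kfree")


@dataclass
class KasanReport:
    bug: str = ""
    site: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    alloc_task: int = 0
    free_task: int = 0
    object_start: int = 0
    cache: str = ""
    object_size: int = 0
    offset: int = 0
    stacks: Dict[str, List[str]] = field(
        default_factory=lambda: {"access": [], "alloc": [], "free": []})


def strip_ts(line: str) -> str:
    """Remove the '[ secs.usecs]' console prefix, if present."""
    m = TS_RE.match(line)
    return (m.group(1) if m else line).strip()


def parse_kasan_report(text: str) -> Optional[KasanReport]:
    """Parse the first KASAN report (between the two '====' rules) in a log."""
    lines = [strip_ts(l) for l in text.splitlines()]
    rules = [i for i, l in enumerate(lines) if l.startswith("=====")]
    if len(rules) < 2:
        return None
    r, section = KasanReport(), None
    for line in lines[rules[0] + 1:rules[1]]:
        if (m := re.match(r"BUG: KASAN: (.+?) in (\S+)", line)):
            r.bug, r.site = m.group(1), m.group(2)
        elif (m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line)):
            r.access, r.size, r.addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
            r.task, r.pid = m.group(4), int(m.group(5))
        elif line == "Call Trace:":
            section = "access"
        elif (m := re.match(r"Allocated by task (\d+):", line)):
            r.alloc_task, section = int(m.group(1)), "alloc"
        elif (m := re.match(r"Freed by task (\d+):", line)):
            r.free_task, section = int(m.group(1)), "free"
        elif (m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line)):
            r.object_start = int(m.group(1), 16)
        elif (m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line)):
            r.cache, r.object_size = m.group(1), int(m.group(2))
        elif (m := re.match(r"The buggy address is located (\d+) bytes inside of", line)):
            r.offset = int(m.group(1))
        elif section and (m := FRAME_RE.match(line)):
            if not m.group(1):  # "? sym" frames are guesses; do not keep them
                r.stacks[section].append(m.group(2))
        elif section and (line == "" or line.startswith("RIP:")):
            section = None  # blank line or register dump ends the stack
    return r


def blame(frames: List[str]) -> str:
    """Symbol of the first frame outside the sanitizer/allocator machinery."""
    for f in frames:
        sym = f.split("+", 1)[0]
        if not sym.startswith(NOISE):
            return sym
    return ""


def triage(r: KasanReport):
    """(use site, allocation site, free site) as plain symbol names."""
    return tuple(blame(r.stacks[k]) for k in ("access", "alloc", "free"))


def check_consistency(r: KasanReport) -> bool:
    """Cross-check the offset KASAN printed against the raw addresses."""
    return (r.object_start <= r.addr < r.object_start + r.object_size
            and r.addr - r.object_start == r.offset
            and r.offset + r.size <= r.object_size)


if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE_LOG)
    print(rep.bug, rep.site, triage(rep), check_consistency(rep))
```

Running it on the excerpt yields the triplet ("con_shutdown", "vc_allocate", "vt_disallocate_all") and confirms that 0xffff8880896fa1c8 is indeed 264 bytes into the 2048-byte kmalloc-2048 object starting at 0xffff8880896fa0c0. The three different PIDs in the report (8385 writes, 8386 allocated, 8390 freed) are worth keeping in the parsed output: they show the object's lifetime is shared across tasks, which is what makes the free via vt_ioctl observable from an unrelated close().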