Warning: Permanently added '10.128.0.123' (ECDSA) to the list of known hosts.
[   57.450287] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
[   57.578162] audit: type=1400 audit(1579740210.172:36): avc:  denied  { map } for  pid=7397 comm="syz-executor761" path="/root/syz-executor761374390" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   57.632394] ==================================================================
[   57.632423] BUG: KASAN: use-after-free in con_shutdown+0x85/0x90
[   57.632431] Write of size 8 at addr ffff88809b08b6c8 by task syz-executor761/7404
[   57.632433]
[   57.632441] CPU: 1 PID: 7404 Comm: syz-executor761 Not tainted 4.14.166-syzkaller #0
[   57.632446] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   57.632450] Call Trace:
[   57.632462]  dump_stack+0x142/0x197
[   57.632471]  ? con_shutdown+0x85/0x90
[   57.632482]  print_address_description.cold+0x7c/0x1dc
[   57.632490]  ? con_shutdown+0x85/0x90
[   57.632496]  kasan_report.cold+0xa9/0x2af
[   57.632503]  ? set_palette+0x140/0x140
[   57.632512]  __asan_report_store8_noabort+0x17/0x20
[   57.632518]  con_shutdown+0x85/0x90
[   57.632527]  release_tty+0xbf/0x7c0
[   57.632537]  tty_release_struct+0x3c/0x50
[   57.632545]  tty_release+0xaa3/0xd60
[   57.632558]  ? tty_release_struct+0x50/0x50
[   57.632563]  __fput+0x275/0x7a0
[   57.632575]  ____fput+0x16/0x20
[   57.632582]  task_work_run+0x114/0x190
[   57.632607]  do_exit+0xa1a/0x2cd0
[   57.632622]  ? mm_update_next_owner+0x5d0/0x5d0
[   57.632635]  ? up_read+0x1a/0x40
[   57.632643]  ? __do_page_fault+0x358/0xb80
[   57.632652]  do_group_exit+0x111/0x330
[   57.632663]  SyS_exit_group+0x1d/0x20
[   57.632669]  ? do_group_exit+0x330/0x330
[   57.632678]  do_syscall_64+0x1e8/0x640
[   57.632686]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   57.632699]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   57.632706] RIP: 0033:0x43ff38
[   57.632710] RSP: 002b:00007ffdf49736d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   57.632720] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[   57.632724] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   57.632729] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[   57.632734] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   57.632738] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   57.632751]
[   57.632755] Allocated by task 7404:
[   57.632763]  save_stack_trace+0x16/0x20
[   57.632770]  save_stack+0x45/0xd0
[   57.632775]  kasan_kmalloc+0xce/0xf0
[   57.632781]  kmem_cache_alloc_trace+0x152/0x790
[   57.632787]  vc_allocate+0x148/0x580
[   57.632792]  con_install+0x52/0x400
[   57.632798]  tty_init_dev+0xea/0x3a0
[   57.632803]  tty_open+0x414/0xa10
[   57.632810]  chrdev_open+0x207/0x590
[   57.632817]  do_dentry_open+0x73b/0xeb0
[   57.632824]  vfs_open+0x105/0x220
[   57.632830]  path_openat+0x8bd/0x3f70
[   57.632836]  do_filp_open+0x18e/0x250
[   57.632842]  do_sys_open+0x2c5/0x430
[   57.632848]  SyS_open+0x2d/0x40
[   57.632854]  do_syscall_64+0x1e8/0x640
[   57.632861]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   57.632863]
[   57.632866] Freed by task 7408:
[   57.632872]  save_stack_trace+0x16/0x20
[   57.632877]  save_stack+0x45/0xd0
[   57.632883]  kasan_slab_free+0x75/0xc0
[   57.632888]  kfree+0xcc/0x270
[   57.632895]  vt_disallocate_all+0x286/0x380
[   57.632901]  vt_ioctl+0x76b/0x2170
[   57.632908]  tty_ioctl+0x841/0x1320
[   57.632914]  do_vfs_ioctl+0x7ae/0x1060
[   57.632919]  SyS_ioctl+0x8f/0xc0
[   57.632926]  do_syscall_64+0x1e8/0x640
[   57.632932]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   57.632934]
[   57.632939] The buggy address belongs to the object at ffff88809b08b5c0
[   57.632939]  which belongs to the cache kmalloc-2048 of size 2048
[   57.632945] The buggy address is located 264 bytes inside of
[   57.632945]  2048-byte region [ffff88809b08b5c0, ffff88809b08bdc0)
[   57.632948] The buggy address belongs to the page:
[   57.632955] page:ffffea00026c2280 count:1 mapcount:0 mapping:ffff88809b08a4c0 index:0x0 compound_mapcount: 0
[   57.632965] flags: 0xfffe0000008100(slab|head)
[   57.632982] raw: 00fffe0000008100 ffff88809b08a4c0 0000000000000000 0000000100000003
[   57.632990] raw: ffffea00020fb020 ffffea00026fce20 ffff8880aa800c40 0000000000000000
[   57.632993] page dumped because: kasan: bad access detected
[   57.632996]
[   57.632998] Memory state around the buggy address:
[   57.633005]  ffff88809b08b580: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   57.633010]  ffff88809b08b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   57.633016] >ffff88809b08b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   57.633019]                                               ^
[   57.633024]  ffff88809b08b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   57.633028]  ffff88809b08b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   57.633031] ==================================================================
[   57.633034] Disabling lock debugging due to kernel taint
[   57.633060] Kernel panic - not syncing: panic_on_warn set ...
[   57.633060]
[   57.633067] CPU: 1 PID: 7404 Comm: syz-executor761 Tainted: G    B   4.14.166-syzkaller #0
[   57.633071] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   57.633073] Call Trace:
[   57.633082]  dump_stack+0x142/0x197
[   57.633089]  ? con_shutdown+0x85/0x90
[   57.633094]  panic+0x1f9/0x42d
[   57.633099]  ? add_taint.cold+0x16/0x16
[   57.633116]  kasan_end_report+0x47/0x4f
[   57.633123]  kasan_report.cold+0x130/0x2af
[   57.633128]  ? set_palette+0x140/0x140
[   57.633135]  __asan_report_store8_noabort+0x17/0x20
[   57.633140]  con_shutdown+0x85/0x90
[   57.633147]  release_tty+0xbf/0x7c0
[   57.633155]  tty_release_struct+0x3c/0x50
[   57.633162]  tty_release+0xaa3/0xd60
[   57.633172]  ? tty_release_struct+0x50/0x50
[   57.633177]  __fput+0x275/0x7a0
[   57.633186]  ____fput+0x16/0x20
[   57.633192]  task_work_run+0x114/0x190
[   57.633200]  do_exit+0xa1a/0x2cd0
[   57.633210]  ? mm_update_next_owner+0x5d0/0x5d0
[   57.633219]  ? up_read+0x1a/0x40
[   57.633225]  ? __do_page_fault+0x358/0xb80
[   57.633232]  do_group_exit+0x111/0x330
[   57.633240]  SyS_exit_group+0x1d/0x20
[   57.633246]  ? do_group_exit+0x330/0x330
[   57.633253]  do_syscall_64+0x1e8/0x640
[   57.633260]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   57.633269]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   57.633272] RIP: 0033:0x43ff38
[   57.633275] RSP: 002b:00007ffdf49736d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   57.633281] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff38
[   57.633285] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   57.633289] RBP: 00000000004bf950 R08: 00000000000000e7 R09: ffffffffffffffd0
[   57.633293] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   57.633296] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   57.634793] Kernel Offset: disabled
[   58.267668] Rebooting in 86400 seconds..