Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   42.747615] audit: type=1800 audit(1585429971.490:33): pid=7793 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   46.844342] kauditd_printk_skb: 1 callbacks suppressed
[   46.844355] audit: type=1400 audit(1585429975.590:35): avc:  denied  { map } for  pid=7967 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.247' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   65.262489] audit: type=1400 audit(1585429994.010:36): avc:  denied  { map } for  pid=7979 comm="syz-executor089" path="/root/syz-executor089977404" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   65.355769] ==================================================================
[   65.355810] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[   65.355820] Write of size 8 at addr ffff8880a574e248 by task syz-executor089/7986
[   65.355824] 
[   65.355837] CPU: 0 PID: 7986 Comm: syz-executor089 Not tainted 4.19.113-syzkaller #0
[   65.355844] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   65.355849] Call Trace:
[   65.355864]  dump_stack+0x188/0x20d
[   65.355878]  ? con_shutdown+0x7f/0x90
[   65.355894]  print_address_description.cold+0x7c/0x212
[   65.355907]  ? con_shutdown+0x7f/0x90
[   65.355920]  kasan_report.cold+0x88/0x2b9
[   65.355934]  ? set_palette+0x1b0/0x1b0
[   65.355947]  con_shutdown+0x7f/0x90
[   65.355960]  release_tty+0xda/0x4c0
[   65.355974]  tty_release_struct+0x37/0x50
[   65.355987]  tty_release+0xbc7/0xe90
[   65.356008]  ? tty_release_struct+0x50/0x50
[   65.356021]  __fput+0x2cd/0x890
[   65.356040]  task_work_run+0x13f/0x1b0
[   65.356058]  do_exit+0xbcd/0x2f30
[   65.356079]  ? mm_update_next_owner+0x650/0x650
[   65.356095]  ? up_read+0x17/0x110
[   65.356108]  ? __do_page_fault+0x44e/0xdd0
[   65.356127]  do_group_exit+0x125/0x350
[   65.356142]  __x64_sys_exit_group+0x3a/0x50
[   65.356157]  do_syscall_64+0xf9/0x620
[   65.356174]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   65.356183] RIP: 0033:0x43ffe8
[   65.356195] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[   65.356201] RSP: 002b:00007ffddea0f908 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   65.356211] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ffe8
[   65.356217] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   65.356223] RBP: 00000000004bfa30 R08: 00000000000000e7 R09: ffffffffffffffd0
[   65.356230] R10: 000000000000000e R11: 0000000000000246 R12: 0000000000000001
[   65.356235] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   65.356249] 
[   65.356254] Allocated by task 7986:
[   65.356264]  kasan_kmalloc+0xbf/0xe0
[   65.356273]  kmem_cache_alloc_trace+0x14d/0x7a0
[   65.356283]  vc_allocate+0x1db/0x6d0
[   65.356293]  con_install+0x4f/0x400
[   65.356303]  tty_init_dev+0xee/0x450
[   65.356313]  tty_open+0x4b0/0xb00
[   65.356321]  chrdev_open+0x219/0x5c0
[   65.356330]  do_dentry_open+0x4a8/0x1160
[   65.356342]  path_openat+0x1031/0x4200
[   65.356351]  do_filp_open+0x1a1/0x280
[   65.356359]  do_sys_open+0x3c0/0x500
[   65.356369]  do_syscall_64+0xf9/0x620
[   65.356379]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   65.356382] 
[   65.356386] Freed by task 7990:
[   65.356396]  __kasan_slab_free+0xf7/0x140
[   65.356405]  kfree+0xce/0x220
[   65.356416]  vt_disallocate_all+0x293/0x3b0
[   65.356427]  vt_ioctl+0xb79/0x2310
[   65.356436]  tty_ioctl+0x7a1/0x1420
[   65.356445]  do_vfs_ioctl+0xcda/0x12e0
[   65.356454]  ksys_ioctl+0x9b/0xc0
[   65.356463]  __x64_sys_ioctl+0x6f/0xb0
[   65.356473]  do_syscall_64+0xf9/0x620
[   65.356482]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   65.356485] 
[   65.356492] The buggy address belongs to the object at ffff8880a574e140
[   65.356492]  which belongs to the cache kmalloc-2048 of size 2048
[   65.356501] The buggy address is located 264 bytes inside of
[   65.356501]  2048-byte region [ffff8880a574e140, ffff8880a574e940)
[   65.356517] The buggy address belongs to the page:
[   65.356525] page:ffffea000295d380 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
[   65.356535] flags: 0xfffe0000008100(slab|head)
[   65.356549] raw: 00fffe0000008100 ffffea000295e988 ffffea00021dd488 ffff88812c3dcc40
[   65.356560] raw: 0000000000000000 ffff8880a574e140 0000000100000003 0000000000000000
[   65.356564] page dumped because: kasan: bad access detected
[   65.356566] 
[   65.356569] Memory state around the buggy address:
[   65.356576]  ffff8880a574e100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   65.356584]  ffff8880a574e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.356591] >ffff8880a574e200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.356595]                                            ^
[   65.356602]  ffff8880a574e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.356610]  ffff8880a574e300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.356613] ==================================================================
[   65.356617] Disabling lock debugging due to kernel taint
[   65.356646] Kernel panic - not syncing: panic_on_warn set ...
[   65.356646] 
[   65.356659] CPU: 0 PID: 7986 Comm: syz-executor089 Tainted: G    B 4.19.113-syzkaller #0
[   65.356664] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   65.356667] Call Trace:
[   65.356679]  dump_stack+0x188/0x20d
[   65.356692]  panic+0x26a/0x50e
[   65.356704]  ? __warn_printk+0xf3/0xf3
[   65.356714]  ? retint_kernel+0x2d/0x2d
[   65.356729]  ? trace_hardirqs_on+0x55/0x210
[   65.356741]  ? con_shutdown+0x7f/0x90
[   65.356753]  kasan_end_report+0x43/0x49
[   65.356782]  kasan_report.cold+0xa4/0x2b9
[   65.356794]  ? set_palette+0x1b0/0x1b0
[   65.356806]  con_shutdown+0x7f/0x90
[   65.356817]  release_tty+0xda/0x4c0
[   65.356829]  tty_release_struct+0x37/0x50
[   65.356839]  tty_release+0xbc7/0xe90
[   65.356855]  ? tty_release_struct+0x50/0x50
[   65.356866]  __fput+0x2cd/0x890
[   65.356879]  task_work_run+0x13f/0x1b0
[   65.356892]  do_exit+0xbcd/0x2f30
[   65.356907]  ? mm_update_next_owner+0x650/0x650
[   65.356932]  ? up_read+0x17/0x110
[   65.356942]  ? __do_page_fault+0x44e/0xdd0
[   65.356956]  do_group_exit+0x125/0x350
[   65.356966]  __x64_sys_exit_group+0x3a/0x50
[   65.356975]  do_syscall_64+0xf9/0x620
[   65.356984]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   65.356990] RIP: 0033:0x43ffe8
[   65.356999] Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
[   65.357003] RSP: 002b:00007ffddea0f908 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   65.357011] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ffe8
[   65.357016] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   65.357021] RBP: 00000000004bfa30 R08: 00000000000000e7 R09: ffffffffffffffd0
[   65.357026] R10: 000000000000000e R11: 0000000000000246 R12: 0000000000000001
[   65.357030] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   65.358261] Kernel Offset: disabled
[   65.970814] Rebooting in 86400 seconds..