Warning: Permanently added '10.128.10.62' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   62.682404] audit: type=1400 audit(1583352740.323:36): avc:  denied  { map } for  pid=8425 comm="syz-executor519" path="/root/syz-executor519868653" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   62.793808] ==================================================================
[   62.793853] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[   62.793864] Write of size 8 at addr ffff8880a89aef48 by task syz-executor519/8436
[   62.793867]
[   62.793882] CPU: 1 PID: 8436 Comm: syz-executor519 Not tainted 4.19.107-syzkaller #0
[   62.793889] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   62.793894] Call Trace:
[   62.793911]  dump_stack+0x188/0x20d
[   62.793926]  ? con_shutdown+0x7f/0x90
[   62.793943]  print_address_description.cold+0x7c/0x212
[   62.793958]  ? con_shutdown+0x7f/0x90
[   62.793970]  kasan_report.cold+0x88/0x2b9
[   62.793984]  ? set_palette+0x1b0/0x1b0
[   62.793997]  con_shutdown+0x7f/0x90
[   62.794010]  release_tty+0xda/0x4c0
[   62.794025]  tty_release_struct+0x37/0x50
[   62.794047]  tty_release+0xbc7/0xe90
[   62.794066]  ? tty_release_struct+0x50/0x50
[   62.794080]  __fput+0x2cd/0x890
[   62.794099]  task_work_run+0x13f/0x1b0
[   62.794117]  do_exit+0xbcd/0x2f30
[   62.794138]  ? mm_update_next_owner+0x650/0x650
[   62.794155]  ? up_read+0x17/0x110
[   62.794169]  ? __do_page_fault+0x44e/0xdd0
[   62.794189]  do_group_exit+0x125/0x350
[   62.794203]  __x64_sys_exit_group+0x3a/0x50
[   62.794218]  do_syscall_64+0xf9/0x620
[   62.794235]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   62.794246] RIP: 0033:0x4402a8
[   62.794267] Code: Bad RIP value.
[   62.794275] RSP: 002b:00007ffe9c2d0fb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   62.794287] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004402a8
[   62.794295] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   62.794302] RBP: 00000000004c0530 R08: 00000000000000e7 R09: ffffffffffffffd0
[   62.794310] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   62.794317] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   62.794335]
[   62.794342] Allocated by task 8436:
[   62.794355]  kasan_kmalloc+0xbf/0xe0
[   62.794365]  kmem_cache_alloc_trace+0x14d/0x7a0
[   62.794376]  vc_allocate+0x1db/0x6d0
[   62.794387]  con_install+0x4f/0x400
[   62.794397]  tty_init_dev+0xee/0x450
[   62.794407]  tty_open+0x4b0/0xb00
[   62.794417]  chrdev_open+0x219/0x5c0
[   62.794427]  do_dentry_open+0x4a8/0x1160
[   62.794439]  path_openat+0x1031/0x4200
[   62.794448]  do_filp_open+0x1a1/0x280
[   62.794458]  do_sys_open+0x3c0/0x500
[   62.794470]  do_syscall_64+0xf9/0x620
[   62.794482]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   62.794485]
[   62.794491] Freed by task 8438:
[   62.794501]  __kasan_slab_free+0xf7/0x140
[   62.794510]  kfree+0xce/0x220
[   62.794523]  vt_disallocate_all+0x293/0x3b0
[   62.794535]  vt_ioctl+0xb79/0x2310
[   62.794545]  tty_ioctl+0x7a1/0x1420
[   62.794556]  do_vfs_ioctl+0xcda/0x12e0
[   62.794566]  ksys_ioctl+0x9b/0xc0
[   62.794576]  __x64_sys_ioctl+0x6f/0xb0
[   62.794588]  do_syscall_64+0xf9/0x620
[   62.794598]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   62.794601]
[   62.794610] The buggy address belongs to the object at ffff8880a89aee40
[   62.794610]  which belongs to the cache kmalloc-2048 of size 2048
[   62.794621] The buggy address is located 264 bytes inside of
[   62.794621]  2048-byte region [ffff8880a89aee40, ffff8880a89af640)
[   62.794625] The buggy address belongs to the page:
[   62.794635] page:ffffea0002a26b80 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
[   62.794648] flags: 0xfffe0000008100(slab|head)
[   62.794664] raw: 00fffe0000008100 ffffea000208bd08 ffffea0002237b08 ffff88812c3dcc40
[   62.794677] raw: 0000000000000000 ffff8880a89ae5c0 0000000100000003 0000000000000000
[   62.794682] page dumped because: kasan: bad access detected
[   62.794685]
[   62.794688] Memory state around the buggy address:
[   62.794698]  ffff8880a89aee00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   62.794715]  ffff8880a89aee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.794725] >ffff8880a89aef00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.794730]                                               ^
[   62.794739]  ffff8880a89aef80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.794749]  ffff8880a89af000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.794753] ==================================================================
[   62.794758] Disabling lock debugging due to kernel taint
[   62.794806] Kernel panic - not syncing: panic_on_warn set ...
[   62.794806]
[   62.794819] CPU: 1 PID: 8436 Comm: syz-executor519 Tainted: G    B             4.19.107-syzkaller #0
[   62.794825] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   62.794829] Call Trace:
[   62.794843]  dump_stack+0x188/0x20d
[   62.794857]  panic+0x26a/0x50e
[   62.794870]  ? __warn_printk+0xf3/0xf3
[   62.794881]  ? retint_kernel+0x2d/0x2d
[   62.794898]  ? trace_hardirqs_on+0x55/0x210
[   62.794911]  ? con_shutdown+0x7f/0x90
[   62.794922]  kasan_end_report+0x43/0x49
[   62.794934]  kasan_report.cold+0xa4/0x2b9
[   62.794946]  ? set_palette+0x1b0/0x1b0
[   62.794958]  con_shutdown+0x7f/0x90
[   62.794969]  release_tty+0xda/0x4c0
[   62.794981]  tty_release_struct+0x37/0x50
[   62.794993]  tty_release+0xbc7/0xe90
[   62.795008]  ? tty_release_struct+0x50/0x50
[   62.795019]  __fput+0x2cd/0x890
[   62.795033]  task_work_run+0x13f/0x1b0
[   62.795055]  do_exit+0xbcd/0x2f30
[   62.795070]  ? mm_update_next_owner+0x650/0x650
[   62.795081]  ? up_read+0x17/0x110
[   62.795092]  ? __do_page_fault+0x44e/0xdd0
[   62.795105]  do_group_exit+0x125/0x350
[   62.795117]  __x64_sys_exit_group+0x3a/0x50
[   62.795129]  do_syscall_64+0xf9/0x620
[   62.795142]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   62.795150] RIP: 0033:0x4402a8
[   62.795159] Code: Bad RIP value.
[   62.795166] RSP: 002b:00007ffe9c2d0fb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   62.795177] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004402a8
[   62.795184] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   62.795192] RBP: 00000000004c0530 R08: 00000000000000e7 R09: ffffffffffffffd0
[   62.795199] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   62.795205] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   62.796395] Kernel Offset: disabled