Warning: Permanently added '10.128.0.22' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 91.879165][ T9524] ==================================================================
[ 91.879222][ T9524] BUG: KASAN: use-after-free in con_shutdown+0x7f/0x90
[ 91.879232][ T9524] Write of size 8 at addr ffff888096fbe108 by task syz-executor565/9524
[ 91.879235][ T9524]
[ 91.879248][ T9524] CPU: 0 PID: 9524 Comm: syz-executor565 Not tainted 5.6.0-rc5-syzkaller #0
[ 91.879255][ T9524] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 91.879260][ T9524] Call Trace:
[ 91.879277][ T9524]  dump_stack+0x188/0x20d
[ 91.879289][ T9524]  ? con_shutdown+0x7f/0x90
[ 91.879302][ T9524]  ? con_shutdown+0x7f/0x90
[ 91.879322][ T9524]  print_address_description.constprop.0.cold+0xd3/0x315
[ 91.879333][ T9524]  ? con_shutdown+0x7f/0x90
[ 91.879347][ T9524]  ? con_shutdown+0x7f/0x90
[ 91.879360][ T9524]  __kasan_report.cold+0x1a/0x32
[ 91.879376][ T9524]  ? con_shutdown+0x7f/0x90
[ 91.879392][ T9524]  kasan_report+0xe/0x20
[ 91.879404][ T9524]  con_shutdown+0x7f/0x90
[ 91.879414][ T9524]  ? update_region+0x140/0x140
[ 91.879425][ T9524]  release_tty+0xca/0x450
[ 91.879441][ T9524]  tty_release_struct+0x37/0x50
[ 91.879454][ T9524]  tty_release+0xbc7/0xe90
[ 91.879479][ T9524]  ? do_tty_hangup+0x30/0x30
[ 91.879490][ T9524]  __fput+0x2da/0x850
[ 91.879519][ T9524]  task_work_run+0x13f/0x1b0
[ 91.879544][ T9524]  do_exit+0xb34/0x2dd0
[ 91.879576][ T9524]  ? mm_update_next_owner+0x7a0/0x7a0
[ 91.879593][ T9524]  ? up_read+0x1ab/0x750
[ 91.879606][ T9524]  ? mark_held_locks+0x9f/0xe0
[ 91.879621][ T9524]  ? down_read_non_owner+0x470/0x470
[ 91.879648][ T9524]  do_group_exit+0x125/0x340
[ 91.879666][ T9524]  __ia32_sys_exit_group+0x3a/0x50
[ 91.879682][ T9524]  do_fast_syscall_32+0x270/0xe8f
[ 91.879704][ T9524]  entry_SYSENTER_compat+0x70/0x7f
[ 91.879734][ T9524]
[ 91.879747][ T9524] Allocated by task 9524:
[ 91.879759][ T9524]  save_stack+0x1b/0x80
[ 91.879775][ T9524]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 91.879786][ T9524]  kmem_cache_alloc_trace+0x153/0x7d0
[ 91.879796][ T9524]  vc_allocate+0x1e2/0x6e0
[ 91.879806][ T9524]  con_install+0x4f/0x400
[ 91.879816][ T9524]  tty_init_dev+0xf5/0x460
[ 91.879826][ T9524]  tty_open+0x47f/0xb30
[ 91.879837][ T9524]  chrdev_open+0x219/0x5c0
[ 91.879848][ T9524]  do_dentry_open+0x4a2/0x1250
[ 91.879858][ T9524]  path_openat+0x122a/0x32b0
[ 91.879869][ T9524]  do_filp_open+0x192/0x260
[ 91.879879][ T9524]  do_sys_openat2+0x54c/0x740
[ 91.879890][ T9524]  do_sys_open+0xc3/0x140
[ 91.879902][ T9524]  do_fast_syscall_32+0x270/0xe8f
[ 91.879913][ T9524]  entry_SYSENTER_compat+0x70/0x7f
[ 91.879917][ T9524]
[ 91.879922][ T9524] Freed by task 9528:
[ 91.879933][ T9524]  save_stack+0x1b/0x80
[ 91.879944][ T9524]  __kasan_slab_free+0xf7/0x140
[ 91.879954][ T9524]  kfree+0x109/0x2b0
[ 91.879966][ T9524]  vt_disallocate_all+0x293/0x3b0
[ 91.879976][ T9524]  vt_ioctl+0xb79/0x2470
[ 91.879987][ T9524]  vt_compat_ioctl+0x410/0x710
[ 91.879997][ T9524]  tty_compat_ioctl+0x19c/0x410
[ 91.880009][ T9524]  __ia32_compat_sys_ioctl+0x23d/0x2b0
[ 91.880021][ T9524]  do_fast_syscall_32+0x270/0xe8f
[ 91.880033][ T9524]  entry_SYSENTER_compat+0x70/0x7f
[ 91.880036][ T9524]
[ 91.880045][ T9524] The buggy address belongs to the object at ffff888096fbe000
[ 91.880045][ T9524]  which belongs to the cache kmalloc-2k of size 2048
[ 91.880056][ T9524] The buggy address is located 264 bytes inside of
[ 91.880056][ T9524]  2048-byte region [ffff888096fbe000, ffff888096fbe800)
[ 91.880060][ T9524] The buggy address belongs to the page:
[ 91.880072][ T9524] page:ffffea00025bef80 refcount:1 mapcount:0 mapping:ffff8880aa000e00 index:0x0
[ 91.880081][ T9524] flags: 0xfffe0000000200(slab)
[ 91.880104][ T9524] raw: 00fffe0000000200 ffffea00024e9888 ffffea000280a708 ffff8880aa000e00
[ 91.880118][ T9524] raw: 0000000000000000 ffff888096fbe000 0000000100000001 0000000000000000
[ 91.880123][ T9524] page dumped because: kasan: bad access detected
[ 91.880126][ T9524]
[ 91.880130][ T9524] Memory state around the buggy address:
[ 91.880141][ T9524]  ffff888096fbe000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 91.880150][ T9524]  ffff888096fbe080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 91.880160][ T9524] >ffff888096fbe100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 91.880165][ T9524]                       ^
[ 91.880174][ T9524]  ffff888096fbe180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 91.880184][ T9524]  ffff888096fbe200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 91.880188][ T9524] ==================================================================
[ 91.880193][ T9524] Disabling lock debugging due to kernel taint
[ 91.880276][ T9524] Kernel panic - not syncing: panic_on_warn set ...
[ 91.880289][ T9524] CPU: 0 PID: 9524 Comm: syz-executor565 Tainted: G B 5.6.0-rc5-syzkaller #0
[ 91.880295][ T9524] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 91.880298][ T9524] Call Trace:
[ 91.880311][ T9524]  dump_stack+0x188/0x20d
[ 91.880326][ T9524]  panic+0x2e3/0x75c
[ 91.880338][ T9524]  ? add_taint.cold+0x16/0x16
[ 91.880353][ T9524]  ? preempt_schedule_common+0x5e/0xc0
[ 91.880364][ T9524]  ? con_shutdown+0x7f/0x90
[ 91.880376][ T9524]  ? ___preempt_schedule+0x16/0x18
[ 91.880390][ T9524]  ? trace_hardirqs_on+0x55/0x220
[ 91.880404][ T9524]  ? con_shutdown+0x7f/0x90
[ 91.880416][ T9524]  end_report+0x43/0x49
[ 91.880427][ T9524]  ? con_shutdown+0x7f/0x90
[ 91.880438][ T9524]  __kasan_report.cold+0xd/0x32
[ 91.880449][ T9524]  ? con_shutdown+0x7f/0x90
[ 91.880461][ T9524]  kasan_report+0xe/0x20
[ 91.880470][ T9524]  con_shutdown+0x7f/0x90
[ 91.880480][ T9524]  ? update_region+0x140/0x140
[ 91.880489][ T9524]  release_tty+0xca/0x450
[ 91.880500][ T9524]  tty_release_struct+0x37/0x50
[ 91.880510][ T9524]  tty_release+0xbc7/0xe90
[ 91.880525][ T9524]  ? do_tty_hangup+0x30/0x30
[ 91.880534][ T9524]  __fput+0x2da/0x850
[ 91.880553][ T9524]  task_work_run+0x13f/0x1b0
[ 91.880568][ T9524]  do_exit+0xb34/0x2dd0
[ 91.880589][ T9524]  ? mm_update_next_owner+0x7a0/0x7a0
[ 91.880601][ T9524]  ? up_read+0x1ab/0x750
[ 91.880612][ T9524]  ? mark_held_locks+0x9f/0xe0
[ 91.880625][ T9524]  ? down_read_non_owner+0x470/0x470
[ 91.880646][ T9524]  do_group_exit+0x125/0x340
[ 91.880660][ T9524]  __ia32_sys_exit_group+0x3a/0x50
[ 91.880676][ T9524]  do_fast_syscall_32+0x270/0xe8f
[ 91.880692][ T9524]  entry_SYSENTER_compat+0x70/0x7f
[ 91.882274][ T9524] Kernel Offset: disabled
[ 92.497560][ T9524] Rebooting in 86400 seconds..