================================================================== BUG: KASAN: use-after-free in vcs_read_buf drivers/tty/vt/vc_screen.c:357 [inline] BUG: KASAN: use-after-free in vcs_read+0xaa7/0xb40 drivers/tty/vt/vc_screen.c:449 Write of size 2 at addr ffff88809e7af000 by task syz-executor.3/16926 CPU: 1 PID: 16926 Comm: syz-executor.3 Not tainted 5.9.0-rc1-next-20200821-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x18f/0x20d lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 vcs_read_buf drivers/tty/vt/vc_screen.c:357 [inline] vcs_read+0xaa7/0xb40 drivers/tty/vt/vc_screen.c:449 do_loop_readv_writev fs/read_write.c:734 [inline] do_loop_readv_writev fs/read_write.c:721 [inline] do_iter_read+0x48e/0x6e0 fs/read_write.c:955 vfs_readv+0xe5/0x150 fs/read_write.c:1073 do_readv+0x139/0x300 fs/read_write.c:1110 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45d4d9 Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f483483fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000013 RAX: ffffffffffffffda RBX: 00000000000265c0 RCX: 000000000045d4d9 RDX: 000000000000014e RSI: 0000000020000440 RDI: 0000000000000003 RBP: 000000000118cf80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c R13: 00007ffcf36277cf R14: 00007f48348409c0 R15: 000000000118cf4c Allocated by task 6879: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461 __do_kmalloc mm/slab.c:3655 [inline] __kmalloc+0x1a8/0x320 mm/slab.c:3664 kmalloc include/linux/slab.h:559 [inline] kzalloc include/linux/slab.h:666 [inline] tomoyo_init_log+0x1335/0x1e50 security/tomoyo/audit.c:275 tomoyo_supervisor+0x32f/0xeb0 security/tomoyo/common.c:2097 tomoyo_audit_path_number_log security/tomoyo/file.c:235 [inline] tomoyo_path_number_perm+0x3ed/0x4d0 security/tomoyo/file.c:734 tomoyo_path_mkdir+0x98/0xe0 security/tomoyo/tomoyo.c:167 security_path_mkdir+0xe8/0x160 security/security.c:1085 do_mkdirat+0x14b/0x2d0 fs/namei.c:3670 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff88809e7af000 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 0 bytes inside of 512-byte region [ffff88809e7af000, ffff88809e7af200) The buggy address belongs to the page: page:00000000813a818f refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809e7af400 pfn:0x9e7af flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea00023ee408 ffffea00025cfdc8 ffff8880aa040600 raw: ffff88809e7af400 ffff88809e7af000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88809e7aef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88809e7aef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88809e7af000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88809e7af080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88809e7af100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================