Starting Load/Save RF Kill Switch Status...
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.35' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 62.617640][ T6840] ==================================================================
[ 62.617686][ T6840] BUG: KASAN: global-out-of-bounds in vga16fb_imageblit+0x1c36/0x2210
[ 62.617694][ T6840] Read of size 2 at addr ffffffff889a403e by task syz-executor575/6840
[ 62.617697][ T6840]
[ 62.617708][ T6840] CPU: 0 PID: 6840 Comm: syz-executor575 Not tainted 5.9.0-rc2-next-20200828-syzkaller #0
[ 62.617714][ T6840] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.617717][ T6840] Call Trace:
[ 62.617729][ T6840]  dump_stack+0x18f/0x20d
[ 62.617739][ T6840]  ? vga16fb_imageblit+0x1c36/0x2210
[ 62.617746][ T6840]  ? vga16fb_imageblit+0x1c36/0x2210
[ 62.617759][ T6840]  print_address_description.constprop.0.cold+0x5/0x497
[ 62.617769][ T6840]  ? fb_ioctl+0xdd/0x130
[ 62.617780][ T6840]  ? __x64_sys_ioctl+0x193/0x200
[ 62.617790][ T6840]  ? do_syscall_64+0x2d/0x70
[ 62.617799][ T6840]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.617809][ T6840]  ? vprintk_func+0x97/0x1a6
[ 62.617819][ T6840]  ? vga16fb_imageblit+0x1c36/0x2210
[ 62.617826][ T6840]  ? vga16fb_imageblit+0x1c36/0x2210
[ 62.617835][ T6840]  kasan_report.cold+0x1f/0x37
[ 62.617845][ T6840]  ? vga16fb_imageblit+0x1c36/0x2210
[ 62.617854][ T6840]  vga16fb_imageblit+0x1c36/0x2210
[ 62.617866][ T6840]  ? fb_pad_unaligned_buffer+0x3f/0x320
[ 62.617878][ T6840]  soft_cursor+0x514/0xa30
[ 62.617891][ T6840]  ? lockdep_hardirqs_on+0x76/0xf0
[ 62.617901][ T6840]  bit_cursor+0x1166/0x17d0
[ 62.617914][ T6840]  ? kmalloc_array.constprop.0+0x20/0x20
[ 62.617928][ T6840]  ? do_update_region+0x47c/0x630
[ 62.617938][ T6840]  ? fb_get_color_depth+0x11a/0x240
[ 62.617948][ T6840]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 62.617958][ T6840]  ? get_color+0x20e/0x410
[ 62.617968][ T6840]  fbcon_cursor+0x537/0x660
[ 62.617976][ T6840]  ? kmalloc_array.constprop.0+0x20/0x20
[ 62.617985][ T6840]  ? fbcon_set_palette+0x3a8/0x490
[ 62.617996][ T6840]  set_cursor+0x1d2/0x240
[ 62.618005][ T6840]  redraw_screen+0x4b9/0x770
[ 62.618013][ T6840]  ? vga16fb_update_fix+0x4a0/0x4a0
[ 62.618022][ T6840]  ? vc_init+0x430/0x430
[ 62.618036][ T6840]  ? fbcon_set_palette+0x3a8/0x490
[ 62.618049][ T6840]  fbcon_modechanged+0x575/0x710
[ 62.618062][ T6840]  fbcon_update_vcs+0x3a/0x50
[ 62.618070][ T6840]  do_fb_ioctl+0x62e/0x690
[ 62.618080][ T6840]  ? fb_set_suspend+0x1a0/0x1a0
[ 62.618090][ T6840]  ? tomoyo_execute_permission+0x470/0x470
[ 62.618105][ T6840]  ? lock_is_held_type+0xbb/0xf0
[ 62.618118][ T6840]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 62.618128][ T6840]  ? do_vfs_ioctl+0x27d/0x1090
[ 62.618149][ T6840]  ? __x64_sys_openat+0x13f/0x1f0
[ 62.618160][ T6840]  fb_ioctl+0xdd/0x130
[ 62.618168][ T6840]  ? do_fb_ioctl+0x690/0x690
[ 62.618178][ T6840]  __x64_sys_ioctl+0x193/0x200
[ 62.618188][ T6840]  do_syscall_64+0x2d/0x70
[ 62.618197][ T6840]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.618205][ T6840] RIP: 0033:0x4403d9
[ 62.618216][ T6840] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 62.618221][ T6840] RSP: 002b:00007ffe94903538 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 62.618232][ T6840] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403d9
[ 62.618238][ T6840] RDX: 00000000200000c0 RSI: 0000000000004601 RDI: 0000000000000003
[ 62.618244][ T6840] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 62.618250][ T6840] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401be0
[ 62.618256][ T6840] R13: 0000000000401c70 R14: 0000000000000000 R15: 0000000000000000
[ 62.618268][ T6840]
[ 62.618272][ T6840] The buggy address belongs to the variable:
[ 62.618281][ T6840]  transl_h+0x3e/0x40
[ 62.618284][ T6840]
[ 62.618287][ T6840] Memory state around the buggy address:
[ 62.618295][ T6840]  ffffffff889a3f00: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
[ 62.618302][ T6840]  ffffffff889a3f80: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
[ 62.618309][ T6840] >ffffffff889a4000: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
[ 62.618313][ T6840]                                         ^
[ 62.618319][ T6840]  ffffffff889a4080: 00 01 f9 f9 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
[ 62.618332][ T6840]  ffffffff889a4100: 00 00 04 f9 f9 f9 f9 f9 00 00 00 00 00 00 02 f9
[ 62.618336][ T6840] ==================================================================
[ 62.618339][ T6840] Disabling lock debugging due to kernel taint
[ 62.618344][ T6840] Kernel panic - not syncing: panic_on_warn set ...
[ 62.618354][ T6840] CPU: 0 PID: 6840 Comm: syz-executor575 Tainted: G B 5.9.0-rc2-next-20200828-syzkaller #0
[ 62.618358][ T6840] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.618360][ T6840] Call Trace:
[ 62.618368][ T6840]  dump_stack+0x18f/0x20d
[ 62.618376][ T6840]  ? vga16fb_imageblit+0x1bd0/0x2210
[ 62.618385][ T6840]  panic+0x2e3/0x75c
[ 62.618394][ T6840]  ? __warn_printk+0xf3/0xf3
[ 62.618405][ T6840]  ? trace_hardirqs_on+0x55/0x220
[ 62.618413][ T6840]  ? vga16fb_imageblit+0x1c36/0x2210
[ 62.618420][ T6840]  ? vga16fb_imageblit+0x1c36/0x2210
[ 62.618428][ T6840]  end_report+0x4d/0x53
[ 62.618436][ T6840]  kasan_report.cold+0xd/0x37
[ 62.618444][ T6840]  ? vga16fb_imageblit+0x1c36/0x2210
[ 62.618452][ T6840]  vga16fb_imageblit+0x1c36/0x2210
[ 62.618461][ T6840]  ? fb_pad_unaligned_buffer+0x3f/0x320
[ 62.618470][ T6840]  soft_cursor+0x514/0xa30
[ 62.618480][ T6840]  ? lockdep_hardirqs_on+0x76/0xf0
[ 62.618488][ T6840]  bit_cursor+0x1166/0x17d0
[ 62.618497][ T6840]  ? kmalloc_array.constprop.0+0x20/0x20
[ 62.618506][ T6840]  ? do_update_region+0x47c/0x630
[ 62.618514][ T6840]  ? fb_get_color_depth+0x11a/0x240
[ 62.618522][ T6840]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 62.618531][ T6840]  ? get_color+0x20e/0x410
[ 62.618538][ T6840]  fbcon_cursor+0x537/0x660
[ 62.618546][ T6840]  ? kmalloc_array.constprop.0+0x20/0x20
[ 62.618554][ T6840]  ? fbcon_set_palette+0x3a8/0x490
[ 62.618562][ T6840]  set_cursor+0x1d2/0x240
[ 62.618570][ T6840]  redraw_screen+0x4b9/0x770
[ 62.618577][ T6840]  ? vga16fb_update_fix+0x4a0/0x4a0
[ 62.618585][ T6840]  ? vc_init+0x430/0x430
[ 62.618594][ T6840]  ? fbcon_set_palette+0x3a8/0x490
[ 62.618604][ T6840]  fbcon_modechanged+0x575/0x710
[ 62.618614][ T6840]  fbcon_update_vcs+0x3a/0x50
[ 62.618621][ T6840]  do_fb_ioctl+0x62e/0x690
[ 62.618629][ T6840]  ? fb_set_suspend+0x1a0/0x1a0
[ 62.618637][ T6840]  ? tomoyo_execute_permission+0x470/0x470
[ 62.618648][ T6840]  ? lock_is_held_type+0xbb/0xf0
[ 62.618657][ T6840]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 62.618665][ T6840]  ? do_vfs_ioctl+0x27d/0x1090
[ 62.618678][ T6840]  ? __x64_sys_openat+0x13f/0x1f0
[ 62.618686][ T6840]  fb_ioctl+0xdd/0x130
[ 62.618694][ T6840]  ? do_fb_ioctl+0x690/0x690
[ 62.618702][ T6840]  __x64_sys_ioctl+0x193/0x200
[ 62.618710][ T6840]  do_syscall_64+0x2d/0x70
[ 62.618718][ T6840]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.618724][ T6840] RIP: 0033:0x4403d9
[ 62.618731][ T6840] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 62.618736][ T6840] RSP: 002b:00007ffe94903538 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 62.618744][ T6840] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403d9
[ 62.618749][ T6840] RDX: 00000000200000c0 RSI: 0000000000004601 RDI: 0000000000000003
[ 62.618754][ T6840] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 62.618759][ T6840] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401be0
[ 62.618764][ T6840] R13: 0000000000401c70 R14: 0000000000000000 R15: 0000000000000000
[ 62.619879][ T6840] Kernel Offset: disabled
[ 63.358856][ T6840] Rebooting in 86400 seconds..