[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.27' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 63.644717][ T7074] ==================================================================
[ 63.644791][ T7074] BUG: KASAN: slab-out-of-bounds in bit_putcs+0xc74/0xe10
[ 63.644804][ T7074] Read of size 1 at addr ffff88809a55493f by task syz-executor321/7074
[ 63.644808][ T7074]
[ 63.644826][ T7074] CPU: 0 PID: 7074 Comm: syz-executor321 Not tainted 5.7.0-rc1-next-20200415-syzkaller #0
[ 63.644835][ T7074] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 63.644840][ T7074] Call Trace:
[ 63.644857][ T7074]  dump_stack+0x188/0x20d
[ 63.644883][ T7074]  print_address_description.constprop.0.cold+0xd3/0x315
[ 63.644897][ T7074]  ? bit_putcs+0xc74/0xe10
[ 63.644912][ T7074]  __kasan_report.cold+0x35/0x4d
[ 63.644930][ T7074]  ? bit_putcs+0xc74/0xe10
[ 63.644945][ T7074]  ? bit_putcs+0xc74/0xe10
[ 63.644967][ T7074]  kasan_report+0x33/0x50
[ 63.644984][ T7074]  bit_putcs+0xc74/0xe10
[ 63.645020][ T7074]  ? bit_cursor+0x1900/0x1900
[ 63.645034][ T7074]  ? vesafb_probe.cold+0x1162/0x1162
[ 63.645057][ T7074]  ? fb_get_color_depth.part.0+0xc6/0x1f0
[ 63.645076][ T7074]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 63.645096][ T7074]  fbcon_putcs+0x345/0x3f0
[ 63.645111][ T7074]  ? bit_cursor+0x1900/0x1900
[ 63.645132][ T7074]  do_update_region+0x398/0x630
[ 63.645155][ T7074]  ? con_get_trans_old+0x280/0x280
[ 63.645174][ T7074]  ? fbcon_set_palette+0x3b1/0x4a0
[ 63.645186][ T7074]  ? var_to_display+0x7f0/0x7f0
[ 63.645206][ T7074]  redraw_screen+0x64c/0x770
[ 63.645225][ T7074]  ? respond_string+0x290/0x290
[ 63.645251][ T7074]  vc_do_resize+0xfe6/0x1340
[ 63.645284][ T7074]  ? lock_downgrade+0x840/0x840
[ 63.645297][ T7074]  ? rwlock_bug.part.0+0x90/0x90
[ 63.645314][ T7074]  ? vc_uniscr_alloc+0xc0/0xc0
[ 63.645335][ T7074]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 63.645360][ T7074]  vt_ioctl+0x2062/0x26b0
[ 63.645376][ T7074]  ? tomoyo_open_control+0xa00/0xa40
[ 63.645392][ T7074]  ? lockdep_hardirqs_on+0x463/0x620
[ 63.645409][ T7074]  ? complete_change_console+0x3a0/0x3a0
[ 63.645428][ T7074]  ? tomoyo_path_number_perm+0x238/0x4d0
[ 63.645447][ T7074]  ? tomoyo_execute_permission+0x470/0x470
[ 63.645464][ T7074]  ? trace_hardirqs_off+0x50/0x220
[ 63.645482][ T7074]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 63.645501][ T7074]  ? complete_change_console+0x3a0/0x3a0
[ 63.645520][ T7074]  tty_ioctl+0xedc/0x1440
[ 63.645537][ T7074]  ? tty_vhangup+0x30/0x30
[ 63.645556][ T7074]  ? do_vfs_ioctl+0x50c/0x12d0
[ 63.645577][ T7074]  ? ioctl_file_clone+0x180/0x180
[ 63.645597][ T7074]  ? file_open_root+0x400/0x400
[ 63.645617][ T7074]  ? up_read+0x1a8/0x750
[ 63.645644][ T7074]  ? tty_vhangup+0x30/0x30
[ 63.645660][ T7074]  ksys_ioctl+0x11a/0x180
[ 63.645679][ T7074]  __x64_sys_ioctl+0x6f/0xb0
[ 63.645694][ T7074]  ? lockdep_hardirqs_on+0x463/0x620
[ 63.645712][ T7074]  do_syscall_64+0xf6/0x7d0
[ 63.645731][ T7074]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 63.645743][ T7074] RIP: 0033:0x440269
[ 63.645759][ T7074] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 63.645768][ T7074] RSP: 002b:00007fffbc6d1a08 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 63.645782][ T7074] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440269
[ 63.645791][ T7074] RDX: 0000000020000040 RSI: 000000000000560a RDI: 0000000000000004
[ 63.645801][ T7074] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 63.645810][ T7074] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b50
[ 63.645819][ T7074] R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000
[ 63.645841][ T7074]
[ 63.645848][ T7074] Allocated by task 7074:
[ 63.645862][ T7074]  save_stack+0x1b/0x40
[ 63.645876][ T7074]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 63.645887][ T7074]  __kmalloc+0x161/0x7a0
[ 63.645899][ T7074]  fbcon_set_font+0x331/0x870
[ 63.645912][ T7074]  con_font_op+0xd65/0x1160
[ 63.645926][ T7074]  vt_ioctl+0xce5/0x26b0
[ 63.645939][ T7074]  tty_ioctl+0xedc/0x1440
[ 63.645951][ T7074]  ksys_ioctl+0x11a/0x180
[ 63.645970][ T7074]  __x64_sys_ioctl+0x6f/0xb0
[ 63.645985][ T7074]  do_syscall_64+0xf6/0x7d0
[ 63.645998][ T7074]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 63.646002][ T7074]
[ 63.646009][ T7074] Freed by task 5023:
[ 63.646021][ T7074]  save_stack+0x1b/0x40
[ 63.646034][ T7074]  __kasan_slab_free+0xf7/0x140
[ 63.646045][ T7074]  kfree+0x109/0x2b0
[ 63.646059][ T7074]  kernfs_fop_release+0x124/0x190
[ 63.646070][ T7074]  __fput+0x33e/0x880
[ 63.646082][ T7074]  task_work_run+0xf4/0x1b0
[ 63.646097][ T7074]  exit_to_usermode_loop+0x2fa/0x360
[ 63.646112][ T7074]  do_syscall_64+0x6b1/0x7d0
[ 63.646125][ T7074]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 63.646129][ T7074]
[ 63.646141][ T7074] The buggy address belongs to the object at ffff88809a554800
[ 63.646141][ T7074]  which belongs to the cache kmalloc-512 of size 512
[ 63.646153][ T7074] The buggy address is located 319 bytes inside of
[ 63.646153][ T7074]  512-byte region [ffff88809a554800, ffff88809a554a00)
[ 63.646158][ T7074] The buggy address belongs to the page:
[ 63.646174][ T7074] page:ffffea0002695500 refcount:1 mapcount:0 mapping:000000003202ca1c index:0x0
[ 63.646185][ T7074] flags: 0xfffe0000000200(slab)
[ 63.646204][ T7074] raw: 00fffe0000000200 ffffea00027ae508 ffffea00025d7e88 ffff8880aa000a80
[ 63.646221][ T7074] raw: 0000000000000000 ffff88809a554000 0000000100000004 0000000000000000
[ 63.646228][ T7074] page dumped because: kasan: bad access detected
[ 63.646232][ T7074]
[ 63.646237][ T7074] Memory state around the buggy address:
[ 63.646248][ T7074]  ffff88809a554800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 63.646259][ T7074]  ffff88809a554880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 63.646271][ T7074] >ffff88809a554900: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 63.646277][ T7074]                                         ^
[ 63.646289][ T7074]  ffff88809a554980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 63.646301][ T7074]  ffff88809a554a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 63.646307][ T7074] ==================================================================
[ 63.646312][ T7074] Disabling lock debugging due to kernel taint
[ 63.646319][ T7074] Kernel panic - not syncing: panic_on_warn set ...
[ 63.646334][ T7074] CPU: 0 PID: 7074 Comm: syz-executor321 Tainted: G B 5.7.0-rc1-next-20200415-syzkaller #0
[ 63.646341][ T7074] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 63.646345][ T7074] Call Trace:
[ 63.646358][ T7074]  dump_stack+0x188/0x20d
[ 63.646375][ T7074]  panic+0x2e3/0x75c
[ 63.646389][ T7074]  ? add_taint.cold+0x16/0x16
[ 63.646408][ T7074]  ? print_shadow_for_address+0xb8/0x114
[ 63.646421][ T7074]  ? trace_hardirqs_on+0x55/0x220
[ 63.646434][ T7074]  ? bit_putcs+0xc74/0xe10
[ 63.646448][ T7074]  end_report+0x4d/0x53
[ 63.646461][ T7074]  __kasan_report.cold+0xd/0x4d
[ 63.646475][ T7074]  ? bit_putcs+0xc74/0xe10
[ 63.646488][ T7074]  ? bit_putcs+0xc74/0xe10
[ 63.646500][ T7074]  kasan_report+0x33/0x50
[ 63.646513][ T7074]  bit_putcs+0xc74/0xe10
[ 63.646535][ T7074]  ? bit_cursor+0x1900/0x1900
[ 63.646548][ T7074]  ? vesafb_probe.cold+0x1162/0x1162
[ 63.646565][ T7074]  ? fb_get_color_depth.part.0+0xc6/0x1f0
[ 63.646580][ T7074]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 63.646594][ T7074]  fbcon_putcs+0x345/0x3f0
[ 63.646607][ T7074]  ? bit_cursor+0x1900/0x1900
[ 63.646623][ T7074]  do_update_region+0x398/0x630
[ 63.646640][ T7074]  ? con_get_trans_old+0x280/0x280
[ 63.646654][ T7074]  ? fbcon_set_palette+0x3b1/0x4a0
[ 63.646666][ T7074]  ? var_to_display+0x7f0/0x7f0
[ 63.646682][ T7074]  redraw_screen+0x64c/0x770
[ 63.646697][ T7074]  ? respond_string+0x290/0x290
[ 63.646715][ T7074]  vc_do_resize+0xfe6/0x1340
[ 63.646736][ T7074]  ? lock_downgrade+0x840/0x840
[ 63.646747][ T7074]  ? rwlock_bug.part.0+0x90/0x90
[ 63.646760][ T7074]  ? vc_uniscr_alloc+0xc0/0xc0
[ 63.646776][ T7074]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 63.646792][ T7074]  vt_ioctl+0x2062/0x26b0
[ 63.646805][ T7074]  ? tomoyo_open_control+0xa00/0xa40
[ 63.646819][ T7074]  ? lockdep_hardirqs_on+0x463/0x620
[ 63.646835][ T7074]  ? complete_change_console+0x3a0/0x3a0
[ 63.646851][ T7074]  ? tomoyo_path_number_perm+0x238/0x4d0
[ 63.646867][ T7074]  ? tomoyo_execute_permission+0x470/0x470
[ 63.646881][ T7074]  ? trace_hardirqs_off+0x50/0x220
[ 63.646895][ T7074]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 63.646912][ T7074]  ? complete_change_console+0x3a0/0x3a0
[ 63.646926][ T7074]  tty_ioctl+0xedc/0x1440
[ 63.646940][ T7074]  ? tty_vhangup+0x30/0x30
[ 63.646960][ T7074]  ? do_vfs_ioctl+0x50c/0x12d0
[ 63.646976][ T7074]  ? ioctl_file_clone+0x180/0x180
[ 63.646991][ T7074]  ? file_open_root+0x400/0x400
[ 63.647006][ T7074]  ? up_read+0x1a8/0x750
[ 63.647024][ T7074]  ? tty_vhangup+0x30/0x30
[ 63.647038][ T7074]  ksys_ioctl+0x11a/0x180
[ 63.647054][ T7074]  __x64_sys_ioctl+0x6f/0xb0
[ 63.647068][ T7074]  ? lockdep_hardirqs_on+0x463/0x620
[ 63.647083][ T7074]  do_syscall_64+0xf6/0x7d0
[ 63.647098][ T7074]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 63.647106][ T7074] RIP: 0033:0x440269
[ 63.647120][ T7074] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 63.647127][ T7074] RSP: 002b:00007fffbc6d1a08 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 63.647139][ T7074] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440269
[ 63.647147][ T7074] RDX: 0000000020000040 RSI: 000000000000560a RDI: 0000000000000004
[ 63.647155][ T7074] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 63.647163][ T7074] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b50
[ 63.647171][ T7074] R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000
[ 63.648652][ T7074] Kernel Offset: disabled
[ 64.619532][ T7074] Rebooting in 86400 seconds..