[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.17' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   43.404006] ==================================================================
[   43.404037] BUG: KASAN: slab-out-of-bounds in bit_putcs+0xc74/0xe10
[   43.404045] Read of size 1 at addr ffff8880a4ed4e7f by task syz-executor347/6440
[   43.404046]
[   43.404055] CPU: 0 PID: 6440 Comm: syz-executor347 Not tainted 4.19.115-syzkaller #0
[   43.404060] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.404062] Call Trace:
[   43.404074]  dump_stack+0x188/0x20d
[   43.404083]  ? bit_putcs+0xc74/0xe10
[   43.404093]  print_address_description.cold+0x7c/0x212
[   43.404102]  ? bit_putcs+0xc74/0xe10
[   43.404109]  kasan_report.cold+0x88/0x2b9
[   43.404118]  bit_putcs+0xc74/0xe10
[   43.404135]  ? bit_cursor+0x1900/0x1900
[   43.404143]  ? vesafb_probe.cold+0x1082/0x1082
[   43.404153]  ? fb_get_color_depth.part.0+0xc6/0x1f0
[   43.404163]  ? __sanitizer_cov_trace_switch+0x45/0x70
[   43.404172]  fbcon_putcs+0x434/0x4f0
[   43.404181]  ? bit_cursor+0x1900/0x1900
[   43.404191]  do_update_region+0x398/0x630
[   43.404202]  ? con_get_trans_old+0x280/0x280
[   43.404212]  ? fbcon_set_palette+0x4c6/0x5e0
[   43.404219]  ? fbcon_redraw.isra.0+0x4c0/0x4c0
[   43.404229]  redraw_screen+0x5e1/0x870
[   43.404238]  ? con_flush_chars+0x90/0x90
[   43.404250]  vc_do_resize+0x108e/0x1380
[   43.404266]  ? vc_uniscr_alloc+0xc0/0xc0
[   43.404275]  ? vt_ioctl+0x1e9f/0x2500
[   43.404287]  vt_ioctl+0x1fa2/0x2500
[   43.404296]  ? complete_change_console+0x390/0x390
[   43.404305]  ? avc_has_extended_perms+0x9c6/0x1030
[   43.404316]  ? avc_ss_reset+0x180/0x180
[   43.404324]  ? __sanitizer_cov_trace_switch+0x45/0x70
[   43.404333]  ? complete_change_console+0x390/0x390
[   43.404341]  tty_ioctl+0x7a1/0x1420
[   43.404350]  ? do_syscall_64+0xf9/0x620
[   43.404357]  ? tty_vhangup+0x30/0x30
[   43.404370]  ? find_held_lock+0x2d/0x110
[   43.404379]  ? debug_check_no_obj_freed+0x20a/0x42e
[   43.404390]  ? lock_downgrade+0x740/0x740
[   43.404398]  ? tty_vhangup+0x30/0x30
[   43.404407]  do_vfs_ioctl+0xcda/0x12e0
[   43.404415]  ? selinux_file_ioctl+0x46c/0x5d0
[   43.404423]  ? selinux_file_ioctl+0x125/0x5d0
[   43.404430]  ? ioctl_preallocate+0x200/0x200
[   43.404438]  ? selinux_file_mprotect+0x600/0x600
[   43.404449]  ? putname+0xe1/0x120
[   43.404456]  ? rcu_read_lock_sched_held+0xab/0x130
[   43.404463]  ? kmem_cache_free+0x218/0x260
[   43.404471]  ? putname+0xe1/0x120
[   43.404482]  ? security_file_ioctl+0x6c/0xb0
[   43.404491]  ksys_ioctl+0x9b/0xc0
[   43.404499]  __x64_sys_ioctl+0x6f/0xb0
[   43.404506]  ? lockdep_hardirqs_on+0x40b/0x5d0
[   43.404514]  do_syscall_64+0xf9/0x620
[   43.404524]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.404530] RIP: 0033:0x440219
[   43.404539] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   43.404543] RSP: 002b:00007ffecf702ef8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   43.404551] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219
[   43.404555] RDX: 0000000020000040 RSI: 000000000000560a RDI: 0000000000000004
[   43.404559] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[   43.404563] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b00
[   43.404567] R13: 0000000000401b90 R14: 0000000000000000 R15: 0000000000000000
[   43.404577]
[   43.404580] Allocated by task 6440:
[   43.404588]  kasan_kmalloc+0xbf/0xe0
[   43.404593]  __kmalloc+0x15b/0x770
[   43.404600]  fbcon_set_font+0x331/0x870
[   43.404607]  con_font_op+0xd3e/0x1130
[   43.404613]  vt_ioctl+0xcd0/0x2500
[   43.404619]  tty_ioctl+0x7a1/0x1420
[   43.404625]  do_vfs_ioctl+0xcda/0x12e0
[   43.404630]  ksys_ioctl+0x9b/0xc0
[   43.404636]  __x64_sys_ioctl+0x6f/0xb0
[   43.404642]  do_syscall_64+0xf9/0x620
[   43.404648]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.404650]
[   43.404653] Freed by task 4688:
[   43.404660]  __kasan_slab_free+0xf7/0x140
[   43.404665]  kfree+0xce/0x220
[   43.404674]  skb_free_head+0x91/0xb0
[   43.404679]  skb_release_data+0x600/0x8c0
[   43.404685]  skb_release_all+0x46/0x60
[   43.404690]  consume_skb+0xda/0x380
[   43.404696]  skb_free_datagram+0x16/0xf0
[   43.404704]  netlink_recvmsg+0x667/0xea0
[   43.404710]  sock_recvmsg+0xca/0x110
[   43.404715]  ___sys_recvmsg+0x271/0x580
[   43.404721]  __sys_recvmsg+0xe9/0x1b0
[   43.404728]  do_syscall_64+0xf9/0x620
[   43.404735]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.404737]
[   43.404742] The buggy address belongs to the object at ffff8880a4ed4d40
[   43.404742]  which belongs to the cache kmalloc-512 of size 512
[   43.404749] The buggy address is located 319 bytes inside of
[   43.404749]  512-byte region [ffff8880a4ed4d40, ffff8880a4ed4f40)
[   43.404751] The buggy address belongs to the page:
[   43.404758] page:ffffea000293b500 count:1 mapcount:0 mapping:ffff88812c3dc940 index:0xffff8880a4ed40c0
[   43.404764] flags: 0xfffe0000000100(slab)
[   43.404776] raw: 00fffe0000000100 ffffea0002969d88 ffffea00027d1508 ffff88812c3dc940
[   43.404784] raw: ffff8880a4ed40c0 ffff8880a4ed40c0 0000000100000005 0000000000000000
[   43.404793] page dumped because: kasan: bad access detected
[   43.404795]
[   43.404797] Memory state around the buggy address:
[   43.404803]  ffff8880a4ed4d00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   43.404809]  ffff8880a4ed4d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   43.404814] >ffff8880a4ed4e00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[   43.404817]                                                                 ^
[   43.404822]  ffff8880a4ed4e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.404827]  ffff8880a4ed4f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.404829] ==================================================================
[   43.404832] Disabling lock debugging due to kernel taint
[   43.404836] Kernel panic - not syncing: panic_on_warn set ...
[   43.404836]
[   43.404843] CPU: 0 PID: 6440 Comm: syz-executor347 Tainted: G    B             4.19.115-syzkaller #0
[   43.404848] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.404850] Call Trace:
[   43.404857]  dump_stack+0x188/0x20d
[   43.404866]  panic+0x26a/0x50e
[   43.404873]  ? __warn_printk+0xf3/0xf3
[   43.404881]  ? lock_downgrade+0x740/0x740
[   43.404888]  ? print_shadow_for_address+0xb8/0x114
[   43.404895]  ? trace_hardirqs_on+0x55/0x210
[   43.404903]  ? bit_putcs+0xc74/0xe10
[   43.404909]  kasan_end_report+0x43/0x49
[   43.404916]  kasan_report.cold+0xa4/0x2b9
[   43.404924]  bit_putcs+0xc74/0xe10
[   43.404936]  ? bit_cursor+0x1900/0x1900
[   43.404942]  ? vesafb_probe.cold+0x1082/0x1082
[   43.404950]  ? fb_get_color_depth.part.0+0xc6/0x1f0
[   43.404957]  ? __sanitizer_cov_trace_switch+0x45/0x70
[   43.404964]  fbcon_putcs+0x434/0x4f0
[   43.404972]  ? bit_cursor+0x1900/0x1900
[   43.404979]  do_update_region+0x398/0x630
[   43.404987]  ? con_get_trans_old+0x280/0x280
[   43.404995]  ? fbcon_set_palette+0x4c6/0x5e0
[   43.405002]  ? fbcon_redraw.isra.0+0x4c0/0x4c0
[   43.405009]  redraw_screen+0x5e1/0x870
[   43.405017]  ? con_flush_chars+0x90/0x90
[   43.405026]  vc_do_resize+0x108e/0x1380
[   43.405036]  ? vc_uniscr_alloc+0xc0/0xc0
[   43.405043]  ? vt_ioctl+0x1e9f/0x2500
[   43.405052]  vt_ioctl+0x1fa2/0x2500
[   43.405060]  ? complete_change_console+0x390/0x390
[   43.405067]  ? avc_has_extended_perms+0x9c6/0x1030
[   43.405075]  ? avc_ss_reset+0x180/0x180
[   43.405081]  ? __sanitizer_cov_trace_switch+0x45/0x70
[   43.405089]  ? complete_change_console+0x390/0x390
[   43.405097]  tty_ioctl+0x7a1/0x1420
[   43.405105]  ? do_syscall_64+0xf9/0x620
[   43.405111]  ? tty_vhangup+0x30/0x30
[   43.405119]  ? find_held_lock+0x2d/0x110
[   43.405127]  ? debug_check_no_obj_freed+0x20a/0x42e
[   43.405135]  ? lock_downgrade+0x740/0x740
[   43.405141]  ? tty_vhangup+0x30/0x30
[   43.405148]  do_vfs_ioctl+0xcda/0x12e0
[   43.405155]  ? selinux_file_ioctl+0x46c/0x5d0
[   43.405162]  ? selinux_file_ioctl+0x125/0x5d0
[   43.405169]  ? ioctl_preallocate+0x200/0x200
[   43.405176]  ? selinux_file_mprotect+0x600/0x600
[   43.405184]  ? putname+0xe1/0x120
[   43.405191]  ? rcu_read_lock_sched_held+0xab/0x130
[   43.405196]  ? kmem_cache_free+0x218/0x260
[   43.405203]  ? putname+0xe1/0x120
[   43.405212]  ? security_file_ioctl+0x6c/0xb0
[   43.405219]  ksys_ioctl+0x9b/0xc0
[   43.405226]  __x64_sys_ioctl+0x6f/0xb0
[   43.405232]  ? lockdep_hardirqs_on+0x40b/0x5d0
[   43.405239]  do_syscall_64+0xf9/0x620
[   43.405247]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.405251] RIP: 0033:0x440219
[   43.405257] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   43.405261] RSP: 002b:00007ffecf702ef8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   43.405267] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219
[   43.405271] RDX: 0000000020000040 RSI: 000000000000560a RDI: 0000000000000004
[   43.405275] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[   43.405278] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b00
[   43.405282] R13: 0000000000401b90 R14: 0000000000000000 R15: 0000000000000000
[   43.407052] Kernel Offset: disabled
[   44.306921] Rebooting in 86400 seconds..
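Triage notes and an added example (this is not part of the syzbot log above, nor kernel or syzkaller code). Three numbers in this report deserve a second look before it is filed. First, the headline "located 319 bytes inside of 512-byte region" describes the kmalloc-512 slab slot, not the buffer: the shadow rows show the usable bytes of the object at ffff8880a4ed4d40 end at ffff8880a4ed4e50 (272 bytes in), and everything from there is fc, the kmalloc redzone, so the 1-byte read at offset 319 is past the end of the buffer that __kmalloc returned to fbcon_set_font. Second, the "Freed by task 4688" netlink trace is the slot's previous occupant (an skb head released by a different task before task 6440 reallocated the slot); a slab-out-of-bounds report always carries the last free of the slot, and it is not evidence of a use-after-free. Third, the saved user registers name the syscall in flight: ORIG_RAX 0x10 is ioctl on x86_64, RDI 4 is the fd and RSI 0x560a is VT_RESIZEX from linux/vt.h, which matches the vt_ioctl -> vc_do_resize -> redraw_screen -> fbcon_putcs -> bit_putcs chain, i.e. the font buffer set up through con_font_op is read during the redraw that follows a console resize. The script below recomputes each of these facts from an excerpt of the report text. The syscall and ioctl tables are deliberately limited to the values this report uses, and the shadow-byte meanings (00 addressable, 0N partial granule with N valid bytes, fc kmalloc redzone, fb freed) are KASAN's encoding on the 4.19 kernel in the report.

```python
"""KASAN report triage (added example; not part of the syzbot log above or of
the kernel).  Recomputes the faulting offset, reads the shadow map to find
where the requested allocation really ends, names the allocation site and
decodes the syscall that was running when the access happened."""
import re

# Lines excerpted from the report above; the stacks are trimmed to their top frames.
REPORT = """\
[   43.404037] BUG: KASAN: slab-out-of-bounds in bit_putcs+0xc74/0xe10
[   43.404045] Read of size 1 at addr ffff8880a4ed4e7f by task syz-executor347/6440
[   43.404543] RSP: 002b:00007ffecf702ef8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   43.404555] RDX: 0000000020000040 RSI: 000000000000560a RDI: 0000000000000004
[   43.404580] Allocated by task 6440:
[   43.404588]  kasan_kmalloc+0xbf/0xe0
[   43.404593]  __kmalloc+0x15b/0x770
[   43.404600]  fbcon_set_font+0x331/0x870
[   43.404607]  con_font_op+0xd3e/0x1130
[   43.404613]  vt_ioctl+0xcd0/0x2500
[   43.404653] Freed by task 4688:
[   43.404660]  __kasan_slab_free+0xf7/0x140
[   43.404665]  kfree+0xce/0x220
[   43.404674]  skb_free_head+0x91/0xb0
[   43.404742] The buggy address belongs to the object at ffff8880a4ed4d40
[   43.404742]  which belongs to the cache kmalloc-512 of size 512
[   43.404749] The buggy address is located 319 bytes inside of
[   43.404749]  512-byte region [ffff8880a4ed4d40, ffff8880a4ed4f40)
[   43.404797] Memory state around the buggy address:
[   43.404803]  ffff8880a4ed4d00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   43.404809]  ffff8880a4ed4d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   43.404814] >ffff8880a4ed4e00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[   43.404822]  ffff8880a4ed4e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

TS = r"^\[\s*[\d.]+\]\s?"                                   # dmesg timestamp prefix
PLUMBING = ("kasan_", "__kasan_", "kfree", "__kmalloc", "kmem_cache_")  # allocator frames
SYSCALLS = {0x10: "ioctl"}                      # x86_64 number used by this report only
VT_IOCTLS = {0x5609: "VT_RESIZE", 0x560a: "VT_RESIZEX"}     # from linux/vt.h

def _num(pattern, report, base=16):
    return int(re.search(pattern, report, re.M).group(1), base)

def parse_stack(report, header):
    """Frames listed under `header`, up to the first line that is not a frame."""
    frames = []
    for line in report.split(header, 1)[1].splitlines()[1:]:
        m = re.match(TS + r"\s*(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$", line)
        if not m:
            break
        frames.append(m.group(1))
    return frames

def owner(frames):
    """First frame that is not allocator/KASAN plumbing: the code owning the buffer."""
    return next((f for f in frames if not f.startswith(PLUMBING)), None)

def parse_shadow(report):
    """Shadow rows: row address -> 16 granule bytes, each covering 8 data bytes."""
    rows = {}
    for line in report.splitlines():
        m = re.match(TS + r"\s*>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", line)
        if m:
            rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rows

def usable_end(rows, obj):
    """Walk granules from the object start: 00 = all 8 bytes addressable, 0N = N
    bytes valid, anything else (fc kmalloc redzone, fb freed, ...) ends the buffer."""
    addr = obj
    while (row := rows.get(addr & ~0x7f)) is not None:
        g = row[(addr & 0x7f) // 8]
        if g:
            return addr + (g if g < 8 else 0)
        addr += 8
    return addr  # walked off the dumped rows without hitting a redzone

def triage(report):
    bug = re.search(r"BUG: KASAN: (\S+) in (\S+)\+0x", report)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", report)
    addr = int(acc.group(3), 16)
    obj = _num(r"belongs to the object at ([0-9a-f]+)", report)
    end = usable_end(parse_shadow(report), obj)
    nr, cmd = _num(r"ORIG_RAX: ([0-9a-f]{16})", report), _num(r"RSI: ([0-9a-f]{16})", report)
    return {
        "bug": bug.group(1), "func": bug.group(2),
        "access": f"{acc.group(1)} of size {acc.group(2)}", "task": acc.group(4),
        "offset": addr - obj,
        "offset_matches_report": addr - obj == _num(r"located (\d+) bytes inside", report, 10),
        "slab_object_size": _num(r"kmalloc-\d+ of size (\d+)", report, 10),
        "requested_size": end - obj,          # what kmalloc was actually asked for
        "in_kmalloc_redzone": addr >= end,
        "alloc_site": owner(parse_stack(report, "Allocated by task")),
        "prior_occupant": owner(parse_stack(report, "Freed by task")),
        "free_trace_is_history": bug.group(1) != "use-after-free",
        "syscall": SYSCALLS.get(nr, hex(nr)), "ioctl_cmd": VT_IOCTLS.get(cmd, hex(cmd)),
        "fd": _num(r"RDI: ([0-9a-f]{16})", report),     # 1st syscall arg on x86_64
    }

if __name__ == "__main__":
    for k, v in triage(REPORT).items():
        print(f"{k:>22}: {v}")
```

Run against the full log rather than the excerpt, the same functions work unchanged; the only input-specific parts are the two decode tables, which should be extended from linux/vt.h and the x86_64 syscall table when triaging other reports.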