[ ok ] Starting enhanced syslogd: rsyslogd.
[ 69.303617][ T27] audit: type=1800 audit(1577284308.687:25): pid=9241 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 69.323637][ T27] audit: type=1800 audit(1577284308.687:26): pid=9241 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 69.348563][ T27] audit: type=1800 audit(1577284308.697:27): pid=9241 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.118' (ECDSA) to the list of known hosts.
2019/12/25 14:50:51 parsed 1 programs
2019/12/25 14:50:53 executed programs: 0
syzkaller login: 
[ 1213.792367][ T9408] IPVS: ftp: loaded support on port[0] = 21
[ 1213.860011][ T9408] chnl_net:caif_netlink_parms(): no params data found
[ 1213.887204][ T9408] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1213.895404][ T9408] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1213.903283][ T9408] device bridge_slave_0 entered promiscuous mode
[ 1213.911725][ T9408] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1213.918881][ T9408] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1213.926464][ T9408] device bridge_slave_1 entered promiscuous mode
[ 1213.943788][ T9408] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 1213.955356][ T9408] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 1213.975264][ T9408] team0: Port device team_slave_0 added
[ 1213.982846][ T9408] team0: Port device team_slave_1 added
[ 1214.040865][ T9408] device hsr_slave_0 entered promiscuous mode
[ 1214.088860][ T9408] device hsr_slave_1 entered promiscuous mode
[ 1214.163271][ T9408] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 1214.211530][ T9408] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 1214.291258][ T9408] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 1214.360638][ T9408] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 1214.420398][ T9408] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1214.427530][ T9408] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1214.435352][ T9408] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1214.442456][ T9408] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1214.485097][ T9408] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1214.497224][ T3441] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1214.517827][ T3441] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1214.536586][ T3441] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1214.545819][ T3441] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1214.559571][ T9408] 8021q: adding VLAN 0 to HW filter on device team0
[ 1214.570251][ T2737] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1214.581737][ T2737] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1214.588860][ T2737] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1214.611437][ T3441] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1214.620544][ T3441] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1214.627638][ T3441] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1214.635750][ T3441] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1214.644300][ T3441] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1214.652673][ T3441] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1214.667211][ T9408] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 1214.678206][ T9408] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1214.691222][ T3441] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1214.700475][ T3441] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1214.709632][ T3441] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1214.725873][ T2737] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1214.733604][ T2737] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1214.745576][ T9408] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1214.977410][ T9418] ==================================================================
[ 1214.977568][ T9418] BUG: KASAN: use-after-free in fbcon_cursor+0x4ef/0x660
[ 1214.977577][ T9418] Read of size 2 at addr ffff8880a8f9938c by task syz-executor.0/9418
[ 1214.977580][ T9418]
[ 1214.977591][ T9418] CPU: 0 PID: 9418 Comm: syz-executor.0 Not tainted 5.5.0-rc2-next-20191220-syzkaller #0
[ 1214.977596][ T9418] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1214.977619][ T9418] Call Trace:
[ 1214.977651][ T9418]  dump_stack+0x197/0x210
[ 1214.977660][ T9418]  ? fbcon_cursor+0x4ef/0x660
[ 1214.977710][ T9418]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 1214.977718][ T9418]  ? fbcon_cursor+0x4ef/0x660
[ 1214.977726][ T9418]  ? fbcon_cursor+0x4ef/0x660
[ 1214.977735][ T9418]  __kasan_report.cold+0x1b/0x41
[ 1214.977744][ T9418]  ? fbcon_cursor+0x4ef/0x660
[ 1214.977754][ T9418]  kasan_report+0x12/0x20
[ 1214.977764][ T9418]  __asan_report_load2_noabort+0x14/0x20
[ 1214.977772][ T9418]  fbcon_cursor+0x4ef/0x660
[ 1214.977796][ T9418]  ? mark_lock+0xc2/0x1220
[ 1214.977807][ T9418]  fbcon_scrolldelta+0x679/0x1220
[ 1214.977815][ T9418]  ? mark_held_locks+0xa4/0xf0
[ 1214.977823][ T9418]  ? kfree+0x226/0x2c0
[ 1214.977836][ T9418]  ? vc_do_resize+0xa69/0x1460
[ 1214.977842][ T9418]  ? kfree+0x226/0x2c0
[ 1214.977851][ T9418]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 1214.977861][ T9418]  fbcon_set_origin+0x43/0x50
[ 1214.977869][ T9418]  ? fbcon_scrolldelta+0x1220/0x1220
[ 1214.977877][ T9418]  set_origin+0xf3/0x400
[ 1214.977886][ T9418]  vc_do_resize+0xacc/0x1460
[ 1214.977911][ T9418]  ? down+0x50/0x90
[ 1214.977933][ T9418]  ? vc_uniscr_alloc+0xd0/0xd0
[ 1214.977947][ T9418]  ? lock_acquire+0x190/0x410
[ 1214.977983][ T9418]  ? vt_ioctl+0x1463/0x26d0
[ 1214.978004][ T9418]  vc_resize+0x4d/0x60
[ 1214.978020][ T9418]  vt_ioctl+0x14bb/0x26d0
[ 1214.978037][ T9418]  ? complete_change_console+0x3a0/0x3a0
[ 1214.978087][ T9418]  ? tomoyo_execute_permission+0x4a0/0x4a0
[ 1214.978134][ T9418]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 1214.978145][ T9418]  ? tty_jobctrl_ioctl+0x50/0xd40
[ 1214.978153][ T9418]  ? complete_change_console+0x3a0/0x3a0
[ 1214.978162][ T9418]  tty_ioctl+0xa37/0x14f0
[ 1214.978172][ T9418]  ? tty_vhangup+0x30/0x30
[ 1214.978180][ T9418]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 1214.978221][ T9418]  ? do_vfs_ioctl+0x11b/0x1340
[ 1214.978232][ T9418]  ? ioctl_file_clone+0x180/0x180
[ 1214.978256][ T9418]  ? __fget+0x37f/0x550
[ 1214.978268][ T9418]  ? do_dup2+0x4f0/0x4f0
[ 1214.978307][ T9418]  ? ns_to_kernel_old_timeval+0x100/0x100
[ 1214.978318][ T9418]  ? tomoyo_file_ioctl+0x23/0x30
[ 1214.978327][ T9418]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 1214.978378][ T9418]  ? security_file_ioctl+0x8d/0xc0
[ 1214.978390][ T9418]  ? tty_vhangup+0x30/0x30
[ 1214.978406][ T9418]  ksys_ioctl+0x123/0x180
[ 1214.978424][ T9418]  __x64_sys_ioctl+0x73/0xb0
[ 1214.978470][ T9418]  do_syscall_64+0xfa/0x790
[ 1214.978508][ T9418]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1214.978520][ T9418] RIP: 0033:0x45a919
[ 1214.978534][ T9418] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1214.978542][ T9418] RSP: 002b:00007fde31333c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1214.978554][ T9418] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a919
[ 1214.978563][ T9418] RDX: 0000000020000000 RSI: 0000000000005609 RDI: 0000000000000003
[ 1214.978570][ T9418] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 1214.978577][ T9418] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fde313346d4
[ 1214.978584][ T9418] R13: 00000000004c6fec R14: 00000000004dd790 R15: 00000000ffffffff
[ 1214.978601][ T9418]
[ 1214.978631][ T9418] Allocated by task 9418:
[ 1214.978643][ T9418]  save_stack+0x23/0x90
[ 1214.978656][ T9418]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 1214.978667][ T9418]  kasan_kmalloc+0x9/0x10
[ 1214.978677][ T9418]  __kmalloc+0x163/0x770
[ 1214.978688][ T9418]  vc_do_resize+0x262/0x1460
[ 1214.978699][ T9418]  vc_resize+0x4d/0x60
[ 1214.978710][ T9418]  vt_ioctl+0x14bb/0x26d0
[ 1214.978719][ T9418]  tty_ioctl+0xa37/0x14f0
[ 1214.978730][ T9418]  ksys_ioctl+0x123/0x180
[ 1214.978742][ T9418]  __x64_sys_ioctl+0x73/0xb0
[ 1214.978756][ T9418]  do_syscall_64+0xfa/0x790
[ 1214.978768][ T9418]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1214.978772][ T9418]
[ 1214.978778][ T9418] Freed by task 9418:
[ 1214.978790][ T9418]  save_stack+0x23/0x90
[ 1214.978803][ T9418]  __kasan_slab_free+0x102/0x150
[ 1214.978815][ T9418]  kasan_slab_free+0xe/0x10
[ 1214.978826][ T9418]  kfree+0x10a/0x2c0
[ 1214.978839][ T9418]  vc_do_resize+0xa69/0x1460
[ 1214.978851][ T9418]  vc_resize+0x4d/0x60
[ 1214.978864][ T9418]  vt_ioctl+0x14bb/0x26d0
[ 1214.978874][ T9418]  tty_ioctl+0xa37/0x14f0
[ 1214.978887][ T9418]  ksys_ioctl+0x123/0x180
[ 1214.978900][ T9418]  __x64_sys_ioctl+0x73/0xb0
[ 1214.978915][ T9418]  do_syscall_64+0xfa/0x790
[ 1214.978929][ T9418]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1214.978933][ T9418]
[ 1214.978944][ T9418] The buggy address belongs to the object at ffff8880a8f99380
[ 1214.978944][ T9418]  which belongs to the cache kmalloc-32 of size 32
[ 1214.978957][ T9418] The buggy address is located 12 bytes inside of
[ 1214.978957][ T9418]  32-byte region [ffff8880a8f99380, ffff8880a8f993a0)
[ 1214.978962][ T9418] The buggy address belongs to the page:
[ 1214.978977][ T9418] page:ffffea0002a3e640 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff8880a8f99fc1
[ 1214.978998][ T9418] raw: 00fffe0000000200 ffffea0002a4d6c8 ffffea00028d4e48 ffff8880aa4001c0
[ 1214.979016][ T9418] raw: ffff8880a8f99fc1 ffff8880a8f99000 000000010000003f 0000000000000000
[ 1214.979023][ T9418] page dumped because: kasan: bad access detected
[ 1214.979027][ T9418]
[ 1214.979031][ T9418] Memory state around the buggy address:
[ 1214.979044][ T9418]  ffff8880a8f99280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 1214.979055][ T9418]  ffff8880a8f99300: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 1214.979066][ T9418] >ffff8880a8f99380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 1214.979072][ T9418]                       ^
[ 1214.979083][ T9418]  ffff8880a8f99400: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 1214.979095][ T9418]  ffff8880a8f99480: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
[ 1214.979100][ T9418] ==================================================================
[ 1214.979106][ T9418] Disabling lock debugging due to kernel taint
[ 1214.979440][ T9418] Kernel panic - not syncing: panic_on_warn set ...
[ 1214.979457][ T9418] CPU: 0 PID: 9418 Comm: syz-executor.0 Tainted: G B 5.5.0-rc2-next-20191220-syzkaller #0
[ 1214.979469][ T9418] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1214.979478][ T9418] Call Trace:
[ 1214.979495][ T9418]  dump_stack+0x197/0x210
[ 1214.979562][ T9418]  panic+0x2e3/0x75c
[ 1214.979578][ T9418]  ? add_taint.cold+0x16/0x16
[ 1214.979632][ T9418]  ? trace_hardirqs_on+0x5e/0x240
[ 1214.979653][ T9418]  ? trace_hardirqs_on+0x5e/0x240
[ 1214.979669][ T9418]  ? fbcon_cursor+0x4ef/0x660
[ 1214.979685][ T9418]  end_report+0x47/0x4f
[ 1214.979700][ T9418]  ? fbcon_cursor+0x4ef/0x660
[ 1214.979723][ T9418]  __kasan_report.cold+0xe/0x41
[ 1214.979739][ T9418]  ? fbcon_cursor+0x4ef/0x660
[ 1214.979755][ T9418]  kasan_report+0x12/0x20
[ 1214.979772][ T9418]  __asan_report_load2_noabort+0x14/0x20
[ 1214.979787][ T9418]  fbcon_cursor+0x4ef/0x660
[ 1214.979803][ T9418]  ? mark_lock+0xc2/0x1220
[ 1214.979820][ T9418]  fbcon_scrolldelta+0x679/0x1220
[ 1214.979835][ T9418]  ? mark_held_locks+0xa4/0xf0
[ 1214.979849][ T9418]  ? kfree+0x226/0x2c0
[ 1214.979865][ T9418]  ? vc_do_resize+0xa69/0x1460
[ 1214.979880][ T9418]  ? kfree+0x226/0x2c0
[ 1214.979895][ T9418]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 1214.979912][ T9418]  fbcon_set_origin+0x43/0x50
[ 1214.979928][ T9418]  ? fbcon_scrolldelta+0x1220/0x1220
[ 1214.979942][ T9418]  set_origin+0xf3/0x400
[ 1214.979957][ T9418]  vc_do_resize+0xacc/0x1460
[ 1214.979973][ T9418]  ? down+0x50/0x90
[ 1214.979997][ T9418]  ? vc_uniscr_alloc+0xd0/0xd0
[ 1214.980012][ T9418]  ? lock_acquire+0x190/0x410
[ 1214.980028][ T9418]  ? vt_ioctl+0x1463/0x26d0
[ 1214.980043][ T9418]  vc_resize+0x4d/0x60
[ 1214.980059][ T9418]  vt_ioctl+0x14bb/0x26d0
[ 1214.980081][ T9418]  ? complete_change_console+0x3a0/0x3a0
[ 1214.980100][ T9418]  ? tomoyo_execute_permission+0x4a0/0x4a0
[ 1214.980119][ T9418]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 1214.980136][ T9418]  ? tty_jobctrl_ioctl+0x50/0xd40
[ 1214.980152][ T9418]  ? complete_change_console+0x3a0/0x3a0
[ 1214.980166][ T9418]  tty_ioctl+0xa37/0x14f0
[ 1214.980181][ T9418]  ? tty_vhangup+0x30/0x30
[ 1214.980197][ T9418]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 1214.980212][ T9418]  ? do_vfs_ioctl+0x11b/0x1340
[ 1214.980229][ T9418]  ? ioctl_file_clone+0x180/0x180
[ 1214.980243][ T9418]  ? __fget+0x37f/0x550
[ 1214.980259][ T9418]  ? do_dup2+0x4f0/0x4f0
[ 1214.980276][ T9418]  ? ns_to_kernel_old_timeval+0x100/0x100
[ 1214.980292][ T9418]  ? tomoyo_file_ioctl+0x23/0x30
[ 1214.980309][ T9418]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 1214.980325][ T9418]  ? security_file_ioctl+0x8d/0xc0
[ 1214.980338][ T9418]  ? tty_vhangup+0x30/0x30
[ 1214.980354][ T9418]  ksys_ioctl+0x123/0x180
[ 1214.980376][ T9418]  __x64_sys_ioctl+0x73/0xb0
[ 1214.980393][ T9418]  do_syscall_64+0xfa/0x790
[ 1214.980409][ T9418]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1214.980422][ T9418] RIP: 0033:0x45a919
[ 1214.980437][ T9418] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1214.980449][ T9418] RSP: 002b:00007fde31333c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1214.980471][ T9418] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a919
[ 1214.980477][ T9418] RDX: 0000000020000000 RSI: 0000000000005609 RDI: 0000000000000003
[ 1214.980483][ T9418] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 1214.980488][ T9418] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fde313346d4
[ 1214.980493][ T9418] R13: 00000000004c6fec R14: 00000000004dd790 R15: 00000000ffffffff
[ 1214.981915][ T9418] Kernel Offset: disabled
[ 1215.945085][ T9418] Rebooting in 86400 seconds..