[   55.195320] audit: type=1800 audit(1582984959.778:29): pid=8359 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2447 res=0
[   55.248034] audit: type=1800 audit(1582984959.788:30): pid=8359 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.27' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   63.531615] kauditd_printk_skb: 5 callbacks suppressed
[   63.531631] audit: type=1400 audit(1582984968.118:36): avc:  denied  { map } for  pid=8546 comm="syz-executor577" path="/root/syz-executor577970905" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   63.629662] ==================================================================
[   63.629701] BUG: KASAN: slab-out-of-bounds in soft_cursor+0x448/0xa20
[   63.629709] Read of size 64 at addr ffff888093cab3d0 by task syz-executor577/8546
[   63.629711]
[   63.629721] CPU: 0 PID: 8546 Comm: syz-executor577 Not tainted 4.19.107-syzkaller #0
[   63.629725] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   63.629733] Call Trace:
[   63.629747]  dump_stack+0x188/0x20d
[   63.629759]  ? soft_cursor+0x448/0xa20
[   63.629772]  print_address_description.cold+0x7c/0x212
[   63.629780]  ? soft_cursor+0x448/0xa20
[   63.629787]  kasan_report.cold+0x88/0x2b9
[   63.629796]  memcpy+0x20/0x50
[   63.629804]  soft_cursor+0x448/0xa20
[   63.629817]  ? lockdep_hardirqs_on+0x40b/0x5d0
[   63.629826]  bit_cursor+0x1230/0x1900
[   63.629838]  ? bit_clear+0x4e0/0x4e0
[   63.629851]  ? fb_get_color_depth.part.0+0xc6/0x1f0
[   63.629862]  ? __sanitizer_cov_trace_switch+0x45/0x70
[   63.629870]  ? get_color+0x20f/0x420
[   63.629879]  fbcon_cursor+0x572/0x760
[   63.629886]  ? bit_clear+0x4e0/0x4e0
[   63.629897]  hide_cursor+0x99/0x2f0
[   63.629905]  redraw_screen+0x2ed/0x870
[   63.629914]  ? con_flush_chars+0x90/0x90
[   63.629925]  vc_do_resize+0x109e/0x13a0
[   63.629941]  ? vc_uniscr_alloc+0xc0/0xc0
[   63.629950]  ? vt_ioctl+0x1cfc/0x2310
[   63.629962]  vt_ioctl+0x1dff/0x2310
[   63.629971]  ? complete_change_console+0x390/0x390
[   63.629980]  ? avc_has_extended_perms+0x9c6/0x1030
[   63.629991]  ? avc_ss_reset+0x180/0x180
[   63.629999]  ? __sanitizer_cov_trace_switch+0x45/0x70
[   63.630007]  ? complete_change_console+0x390/0x390
[   63.630017]  tty_ioctl+0x7a1/0x1420
[   63.630028]  ? do_syscall_64+0xf9/0x620
[   63.630068]  ? tty_vhangup+0x30/0x30
[   63.630098]  ? find_held_lock+0x2d/0x110
[   63.630110]  ? debug_check_no_obj_freed+0x20a/0x42e
[   63.630121]  ? lock_downgrade+0x740/0x740
[   63.630130]  ? tty_vhangup+0x30/0x30
[   63.630142]  do_vfs_ioctl+0xcda/0x12e0
[   63.630154]  ? selinux_file_ioctl+0x46c/0x5d0
[   63.630162]  ? selinux_file_ioctl+0x125/0x5d0
[   63.630169]  ? ioctl_preallocate+0x200/0x200
[   63.630177]  ? selinux_file_mprotect+0x600/0x600
[   63.630187]  ? putname+0xe1/0x120
[   63.630198]  ? rcu_read_lock_sched_held+0x9b/0x130
[   63.630205]  ? kmem_cache_free+0x218/0x260
[   63.630213]  ? putname+0xe1/0x120
[   63.630226]  ? security_file_ioctl+0x6c/0xb0
[   63.630234]  ksys_ioctl+0x9b/0xc0
[   63.630242]  __x64_sys_ioctl+0x6f/0xb0
[   63.630249]  ? lockdep_hardirqs_on+0x40b/0x5d0
[   63.630258]  do_syscall_64+0xf9/0x620
[   63.630269]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   63.630276] RIP: 0033:0x440269
[   63.630286] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   63.630291] RSP: 002b:00007ffec15e1b38 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   63.630299] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440269
[   63.630303] RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000004
[   63.630308] RBP: 00000000006cb018 R08: 0000000000000001 R09: 00000000004002c8
[   63.630312] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000401b50
[   63.630316] R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000
[   63.630326]
[   63.630331] Allocated by task 8546:
[   63.630339]  kasan_kmalloc+0xbf/0xe0
[   63.630345]  __kmalloc+0x15b/0x770
[   63.630353]  fbcon_set_font+0x331/0x870
[   63.630361]  con_font_op+0xd3e/0x1130
[   63.630369]  vt_ioctl+0x1615/0x2310
[   63.630374]  tty_ioctl+0x7a1/0x1420
[   63.630380]  do_vfs_ioctl+0xcda/0x12e0
[   63.630385]  ksys_ioctl+0x9b/0xc0
[   63.630391]  __x64_sys_ioctl+0x6f/0xb0
[   63.630397]  do_syscall_64+0xf9/0x620
[   63.630404]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   63.630406]
[   63.630409] Freed by task 0:
[   63.630411] (stack is not available)
[   63.630413]
[   63.630419] The buggy address belongs to the object at ffff888093ca9a80
[   63.630419]  which belongs to the cache kmalloc-8192 of size 8192
[   63.630430] The buggy address is located 6480 bytes inside of
[   63.630430]  8192-byte region [ffff888093ca9a80, ffff888093caba80)
[   63.630433] The buggy address belongs to the page:
[   63.630440] page:ffffea00024f2a00 count:1 mapcount:0 mapping:ffff88812c3d5080 index:0x0 compound_mapcount: 0
[   63.630448] flags: 0xfffe0000008100(slab|head)
[   63.630460] raw: 00fffe0000008100 ffffea00024faa08 ffffea00024ea208 ffff88812c3d5080
[   63.630468] raw: 0000000000000000 ffff888093ca9a80 0000000100000001 0000000000000000
[   63.630472] page dumped because: kasan: bad access detected
[   63.630473]
[   63.630476] Memory state around the buggy address:
[   63.630482]  ffff888093cab280: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   63.630488]  ffff888093cab300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   63.630493] >ffff888093cab380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   63.630496]                                                  ^
[   63.630503]  ffff888093cab400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   63.630510]  ffff888093cab480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   63.630512] ==================================================================
[   63.630515] Disabling lock debugging due to kernel taint
[   63.630519] Kernel panic - not syncing: panic_on_warn set ...
[   63.630519]
[   63.630528] CPU: 0 PID: 8546 Comm: syz-executor577 Tainted: G    B             4.19.107-syzkaller #0
[   63.630532] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   63.630534] Call Trace:
[   63.630546]  dump_stack+0x188/0x20d
[   63.630557]  panic+0x26a/0x50e
[   63.630564]  ? __warn_printk+0xf3/0xf3
[   63.630572]  ? lock_downgrade+0x740/0x740
[   63.630581]  ? print_shadow_for_address+0xb8/0x114
[   63.630593]  ? trace_hardirqs_on+0x55/0x210
[   63.630601]  ? soft_cursor+0x448/0xa20
[   63.630608]  kasan_end_report+0x43/0x49
[   63.630615]  kasan_report.cold+0xa4/0x2b9
[   63.630622]  memcpy+0x20/0x50
[   63.630629]  soft_cursor+0x448/0xa20
[   63.630639]  ? lockdep_hardirqs_on+0x40b/0x5d0
[   63.630647]  bit_cursor+0x1230/0x1900
[   63.630657]  ? bit_clear+0x4e0/0x4e0
[   63.630667]  ? fb_get_color_depth.part.0+0xc6/0x1f0
[   63.630675]  ? __sanitizer_cov_trace_switch+0x45/0x70
[   63.630683]  ? get_color+0x20f/0x420
[   63.630691]  fbcon_cursor+0x572/0x760
[   63.630698]  ? bit_clear+0x4e0/0x4e0
[   63.630705]  hide_cursor+0x99/0x2f0
[   63.630714]  redraw_screen+0x2ed/0x870
[   63.630721]  ? con_flush_chars+0x90/0x90
[   63.630731]  vc_do_resize+0x109e/0x13a0
[   63.630743]  ? vc_uniscr_alloc+0xc0/0xc0
[   63.630750]  ? vt_ioctl+0x1cfc/0x2310
[   63.630760]  vt_ioctl+0x1dff/0x2310
[   63.630769]  ? complete_change_console+0x390/0x390
[   63.630776]  ? avc_has_extended_perms+0x9c6/0x1030
[   63.630785]  ? avc_ss_reset+0x180/0x180
[   63.630792]  ? __sanitizer_cov_trace_switch+0x45/0x70
[   63.630800]  ? complete_change_console+0x390/0x390
[   63.630808]  tty_ioctl+0x7a1/0x1420
[   63.630816]  ? do_syscall_64+0xf9/0x620
[   63.630823]  ? tty_vhangup+0x30/0x30
[   63.630835]  ? find_held_lock+0x2d/0x110
[   63.630844]  ? debug_check_no_obj_freed+0x20a/0x42e
[   63.630853]  ? lock_downgrade+0x740/0x740
[   63.630860]  ? tty_vhangup+0x30/0x30
[   63.630867]  do_vfs_ioctl+0xcda/0x12e0
[   63.630875]  ? selinux_file_ioctl+0x46c/0x5d0
[   63.630883]  ? selinux_file_ioctl+0x125/0x5d0
[   63.630890]  ? ioctl_preallocate+0x200/0x200
[   63.630898]  ? selinux_file_mprotect+0x600/0x600
[   63.630907]  ? putname+0xe1/0x120
[   63.630914]  ? rcu_read_lock_sched_held+0x9b/0x130
[   63.630921]  ? kmem_cache_free+0x218/0x260
[   63.630927]  ? putname+0xe1/0x120
[   63.630937]  ? security_file_ioctl+0x6c/0xb0
[   63.630943]  ksys_ioctl+0x9b/0xc0
[   63.630951]  __x64_sys_ioctl+0x6f/0xb0
[   63.630958]  ? lockdep_hardirqs_on+0x40b/0x5d0
[   63.630965]  do_syscall_64+0xf9/0x620
[   63.630974]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   63.630979] RIP: 0033:0x440269
[   63.630986] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   63.630990] RSP: 002b:00007ffec15e1b38 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   63.630996] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440269
[   63.631015] RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000004
[   63.631019] RBP: 00000000006cb018 R08: 0000000000000001 R09: 00000000004002c8
[   63.631022] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000401b50
[   63.631026] R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000
[   63.632685] Kernel Offset: disabled
[   64.491078] Rebooting in 86400 seconds..