Warning: Permanently added '10.128.0.82' (ECDSA) to the list of known hosts.
[ 53.071625] audit: type=1400 audit(1576381389.423:36): avc: denied { map } for pid=7796 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/12/15 03:43:09 parsed 1 programs
[ 54.626862] audit: type=1400 audit(1576381390.983:37): avc: denied { map } for pid=7796 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=17070 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/12/15 03:43:11 executed programs: 0
[ 54.809297] IPVS: ftp: loaded support on port[0] = 21
[ 54.869724] chnl_net:caif_netlink_parms(): no params data found
[ 54.902533] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.909716] bridge0: port 1(bridge_slave_0) entered disabled state
[ 54.917571] device bridge_slave_0 entered promiscuous mode
[ 54.925915] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.932324] bridge0: port 2(bridge_slave_1) entered disabled state
[ 54.939698] device bridge_slave_1 entered promiscuous mode
[ 54.955550] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 54.964813] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 54.981530] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 54.989459] team0: Port device team_slave_0 added
[ 54.995445] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 55.002752] team0: Port device team_slave_1 added
[ 55.010260] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 55.017859] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 55.076714] device hsr_slave_0 entered promiscuous mode
[ 55.114687] device hsr_slave_1 entered promiscuous mode
[ 55.155344] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 55.162713] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 55.178652] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.185192] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 55.192062] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.198504] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 55.231515] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 55.238957] 8021q: adding VLAN 0 to HW filter on device bond0
[ 55.248366] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 55.257781] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 55.277092] bridge0: port 1(bridge_slave_0) entered disabled state
[ 55.284742] bridge0: port 2(bridge_slave_1) entered disabled state
[ 55.292119] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 55.303786] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 55.310339] 8021q: adding VLAN 0 to HW filter on device team0
[ 55.319723] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 55.327414] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.333745] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 55.343217] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 55.352925] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.359487] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 55.375570] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 55.390712] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 55.401022] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 55.412002] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 55.419606] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 55.427188] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 55.435393] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 55.443029] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 55.450633] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 55.462866] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 55.475314] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 55.486276] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 55.493014] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 55.500883] audit: type=1400 audit(1576381391.863:38): avc: denied { associate } for pid=7812 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2019/12/15 03:43:16 executed programs: 125
[ 59.885743] ==================================================================
[ 59.885772] BUG: KASAN: use-after-free in fbcon_cursor+0x686/0x7b0
[ 59.885779] Read of size 2 at addr ffff88809fedd44c by task syz-executor.0/8323
[ 59.885781]
[ 59.885791] CPU: 0 PID: 8323 Comm: syz-executor.0 Not tainted 4.19.89-syzkaller #0
[ 59.885796] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.885798] Call Trace:
[ 59.885811] dump_stack+0x197/0x210
[ 59.885820] ? fbcon_cursor+0x686/0x7b0
[ 59.885832] print_address_description.cold+0x7c/0x20d
[ 59.885840] ? fbcon_cursor+0x686/0x7b0
[ 59.885848] kasan_report.cold+0x8c/0x2ba
[ 59.885859] __asan_report_load2_noabort+0x14/0x20
[ 59.885866] fbcon_cursor+0x686/0x7b0
[ 59.885877] fbcon_scrolldelta+0x675/0x1330
[ 59.885887] ? mark_held_locks+0xb1/0x100
[ 59.885895] ? kfree+0x170/0x220
[ 59.885904] ? vc_do_resize+0xa69/0x14a0
[ 59.885911] ? kfree+0x170/0x220
[ 59.885919] ? lockdep_hardirqs_on+0x415/0x5d0
[ 59.885929] fbcon_set_origin+0x43/0x50
[ 59.885936] ? fbcon_scrolldelta+0x1330/0x1330
[ 59.885943] set_origin+0x341/0x440
[ 59.885952] vc_do_resize+0xacc/0x14a0
[ 59.885969] ? vc_uniscr_alloc+0xd0/0xd0
[ 59.885979] ? lock_acquire+0x16f/0x3f0
[ 59.885987] ? vt_ioctl+0x1414/0x2530
[ 59.885998] vc_resize+0x4d/0x60
[ 59.886006] vt_ioctl+0x146c/0x2530
[ 59.886016] ? complete_change_console+0x3a0/0x3a0
[ 59.886027] ? avc_has_extended_perms+0xa78/0x10f0
[ 59.886040] ? avc_ss_reset+0x190/0x190
[ 59.886049] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 59.886060] ? tty_jobctrl_ioctl+0x50/0xcd0
[ 59.886068] ? complete_change_console+0x3a0/0x3a0
[ 59.886076] tty_ioctl+0x7f3/0x1510
[ 59.886085] ? tty_vhangup+0x30/0x30
[ 59.886093] ? mark_held_locks+0x100/0x100
[ 59.886108] ? __fget+0x340/0x540
[ 59.886122] ? __might_sleep+0x95/0x190
[ 59.886129] ? tty_vhangup+0x30/0x30
[ 59.886138] do_vfs_ioctl+0xd5f/0x1380
[ 59.886147] ? selinux_file_ioctl+0x46f/0x5e0
[ 59.886154] ? selinux_file_ioctl+0x125/0x5e0
[ 59.886163] ? ioctl_preallocate+0x210/0x210
[ 59.886170] ? selinux_file_mprotect+0x620/0x620
[ 59.886182] ? iterate_fd+0x360/0x360
[ 59.886190] ? nsecs_to_jiffies+0x30/0x30
[ 59.886206] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 59.886217] ? security_file_ioctl+0x8d/0xc0
[ 59.886232] ksys_ioctl+0xab/0xd0
[ 59.886248] __x64_sys_ioctl+0x73/0xb0
[ 59.886264] do_syscall_64+0xfd/0x620
[ 59.886282] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.886297] RIP: 0033:0x45a909
[ 59.886307] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 59.886312] RSP: 002b:00007f77cb9d3c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 59.886320] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a909
[ 59.886324] RDX: 0000000020000000 RSI: 0000000000005609 RDI: 0000000000000003
[ 59.886329] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 59.886334] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f77cb9d46d4
[ 59.886338] R13: 00000000004c7009 R14: 00000000004dd670 R15: 00000000ffffffff
[ 59.886349]
[ 59.886352] Allocated by task 7820:
[ 59.886360] save_stack+0x45/0xd0
[ 59.886367] kasan_kmalloc+0xce/0xf0
[ 59.886373] __kmalloc+0x15d/0x750
[ 59.886379] vc_do_resize+0x262/0x14a0
[ 59.886385] vc_resize+0x4d/0x60
[ 59.886392] vt_ioctl+0x146c/0x2530
[ 59.886398] tty_ioctl+0x7f3/0x1510
[ 59.886404] do_vfs_ioctl+0xd5f/0x1380
[ 59.886410] ksys_ioctl+0xab/0xd0
[ 59.886417] __x64_sys_ioctl+0x73/0xb0
[ 59.886424] do_syscall_64+0xfd/0x620
[ 59.886431] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.886433]
[ 59.886436] Freed by task 8323:
[ 59.886443] save_stack+0x45/0xd0
[ 59.886450] __kasan_slab_free+0x102/0x150
[ 59.886457] kasan_slab_free+0xe/0x10
[ 59.886463] kfree+0xcf/0x220
[ 59.886469] vc_do_resize+0xa69/0x14a0
[ 59.886475] vc_resize+0x4d/0x60
[ 59.886482] vt_ioctl+0x146c/0x2530
[ 59.886488] tty_ioctl+0x7f3/0x1510
[ 59.886494] do_vfs_ioctl+0xd5f/0x1380
[ 59.886500] ksys_ioctl+0xab/0xd0
[ 59.886506] __x64_sys_ioctl+0x73/0xb0
[ 59.886514] do_syscall_64+0xfd/0x620
[ 59.886521] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.886523]
[ 59.886528] The buggy address belongs to the object at ffff88809fedd440
[ 59.886528]  which belongs to the cache kmalloc-32 of size 32
[ 59.886535] The buggy address is located 12 bytes inside of
[ 59.886535]  32-byte region [ffff88809fedd440, ffff88809fedd460)
[ 59.886537] The buggy address belongs to the page:
[ 59.886545] page:ffffea00027fb740 count:1 mapcount:0 mapping:ffff88812c31c1c0 index:0xffff88809feddfc1
[ 59.886552] flags: 0xfffe0000000100(slab)
[ 59.886563] raw: 00fffe0000000100 ffffea0002818d48 ffffea00027f48c8 ffff88812c31c1c0
[ 59.886571] raw: ffff88809feddfc1 ffff88809fedd000 000000010000003f 0000000000000000
[ 59.886575] page dumped because: kasan: bad access detected
[ 59.886577]
[ 59.886579] Memory state around the buggy address:
[ 59.886585] ffff88809fedd300: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
[ 59.886591] ffff88809fedd380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 59.886597] >ffff88809fedd400: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 59.886600] ^
[ 59.886606] ffff88809fedd480: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 59.886611] ffff88809fedd500: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 59.886614] ==================================================================
[ 59.886617] Disabling lock debugging due to kernel taint
[ 59.886621] Kernel panic - not syncing: panic_on_warn set ...
[ 59.886621]
[ 59.886629] CPU: 0 PID: 8323 Comm: syz-executor.0 Tainted: G B 4.19.89-syzkaller #0
[ 59.886633] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.886635] Call Trace:
[ 59.886643] dump_stack+0x197/0x210
[ 59.886651] ? fbcon_cursor+0x686/0x7b0
[ 59.886658] panic+0x26a/0x50e
[ 59.886664] ? __warn_printk+0xf3/0xf3
[ 59.886673] ? lock_downgrade+0x880/0x880
[ 59.886684] ? trace_hardirqs_on+0x67/0x220
[ 59.886691] ? trace_hardirqs_on+0x5e/0x220
[ 59.886699] ? fbcon_cursor+0x686/0x7b0
[ 59.886707] kasan_end_report+0x47/0x4f
[ 59.886715] kasan_report.cold+0xa9/0x2ba
[ 59.886725] __asan_report_load2_noabort+0x14/0x20
[ 59.886731] fbcon_cursor+0x686/0x7b0
[ 59.886740] fbcon_scrolldelta+0x675/0x1330
[ 59.886748] ? mark_held_locks+0xb1/0x100
[ 59.886754] ? kfree+0x170/0x220
[ 59.886761] ? vc_do_resize+0xa69/0x14a0
[ 59.886767] ? kfree+0x170/0x220
[ 59.886775] ? lockdep_hardirqs_on+0x415/0x5d0
[ 59.886783] fbcon_set_origin+0x43/0x50
[ 59.886790] ? fbcon_scrolldelta+0x1330/0x1330
[ 59.886797] set_origin+0x341/0x440
[ 59.886805] vc_do_resize+0xacc/0x14a0
[ 59.886817] ? vc_uniscr_alloc+0xd0/0xd0
[ 59.886825] ? lock_acquire+0x16f/0x3f0
[ 59.886832] ? vt_ioctl+0x1414/0x2530
[ 59.886841] vc_resize+0x4d/0x60
[ 59.886849] vt_ioctl+0x146c/0x2530
[ 59.886857] ? complete_change_console+0x3a0/0x3a0
[ 59.886866] ? avc_has_extended_perms+0xa78/0x10f0
[ 59.886876] ? avc_ss_reset+0x190/0x190
[ 59.886884] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 59.886892] ? tty_jobctrl_ioctl+0x50/0xcd0
[ 59.886900] ? complete_change_console+0x3a0/0x3a0
[ 59.886907] tty_ioctl+0x7f3/0x1510
[ 59.886915] ? tty_vhangup+0x30/0x30
[ 59.886922] ? mark_held_locks+0x100/0x100
[ 59.886931] ? __fget+0x340/0x540
[ 59.886941] ? __might_sleep+0x95/0x190
[ 59.886948] ? tty_vhangup+0x30/0x30
[ 59.886956] do_vfs_ioctl+0xd5f/0x1380
[ 59.886964] ? selinux_file_ioctl+0x46f/0x5e0
[ 59.886971] ? selinux_file_ioctl+0x125/0x5e0
[ 59.886979] ? ioctl_preallocate+0x210/0x210
[ 59.886987] ? selinux_file_mprotect+0x620/0x620
[ 59.886996] ? iterate_fd+0x360/0x360
[ 59.887002] ? nsecs_to_jiffies+0x30/0x30
[ 59.887012] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 59.887020] ? security_file_ioctl+0x8d/0xc0
[ 59.887027] ksys_ioctl+0xab/0xd0
[ 59.887036] __x64_sys_ioctl+0x73/0xb0
[ 59.887044] do_syscall_64+0xfd/0x620
[ 59.887054] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.887058] RIP: 0033:0x45a909
[ 59.887065] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 59.887069] RSP: 002b:00007f77cb9d3c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 59.887075] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a909
[ 59.887080] RDX: 0000000020000000 RSI: 0000000000005609 RDI: 0000000000000003
[ 59.887084] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 59.887088] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f77cb9d46d4
[ 59.887092] R13: 00000000004c7009 R14: 00000000004dd670 R15: 00000000ffffffff
[ 59.888633] Kernel Offset: disabled