[   43.003358] audit: type=1800 audit(1575349599.320:31): pid=7619 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   48.035883] kauditd_printk_skb: 3 callbacks suppressed
[   48.035898] audit: type=1400 audit(1575349604.360:35): avc:  denied  { map } for  pid=7796 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.168' (ECDSA) to the list of known hosts.
executing program
[   54.661875] audit: type=1400 audit(1575349610.980:36): avc:  denied  { map } for  pid=7808 comm="syz-executor100" path="/root/syz-executor100446347" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   54.689719] ==================================================================
[   54.689753] BUG: KASAN: slab-out-of-bounds in vcs_scr_readw+0xc2/0xd0
[   54.689761] Read of size 2 at addr ffff8882197613c0 by task syz-executor100/7808
[   54.689763]
[   54.689775] CPU: 1 PID: 7808 Comm: syz-executor100 Not tainted 4.19.87-syzkaller #0
[   54.689781] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.689785] Call Trace:
[   54.689799]  dump_stack+0x197/0x210
[   54.689808]  ? vcs_scr_readw+0xc2/0xd0
[   54.689823]  print_address_description.cold+0x7c/0x20d
[   54.689831]  ? vcs_scr_readw+0xc2/0xd0
[   54.689839]  kasan_report.cold+0x8c/0x2ba
[   54.689850]  __asan_report_load2_noabort+0x14/0x20
[   54.689857]  vcs_scr_readw+0xc2/0xd0
[   54.689867]  vcs_write+0x646/0xcf0
[   54.689874]  ? save_stack+0xa9/0xd0
[   54.689932]  ? __kasan_slab_free+0x102/0x150
[   54.689945]  ? vcs_size+0x240/0x240
[   54.689956]  ? find_held_lock+0x35/0x130
[   54.689971]  __vfs_write+0x114/0x810
[   54.689978]  ? vcs_size+0x240/0x240
[   54.689987]  ? kernel_read+0x120/0x120
[   54.689997]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   54.690007]  ? __inode_security_revalidate+0xda/0x120
[   54.690017]  ? avc_policy_seqno+0xd/0x70
[   54.690024]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   54.690032]  ? selinux_file_permission+0x92/0x550
[   54.690042]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.690049]  ? security_file_permission+0x89/0x230
[   54.690059]  ? rw_verify_area+0x118/0x360
[   54.690068]  vfs_write+0x20c/0x560
[   54.690078]  ksys_write+0x14f/0x2d0
[   54.690088]  ? __ia32_sys_read+0xb0/0xb0
[   54.690100]  ? do_syscall_64+0x26/0x620
[   54.690110]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.690117]  ? do_syscall_64+0x26/0x620
[   54.690127]  __x64_sys_write+0x73/0xb0
[   54.690136]  do_syscall_64+0xfd/0x620
[   54.690148]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.690156] RIP: 0033:0x444399
[   54.690166] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   54.690171] RSP: 002b:00007ffdd9ba9e18 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   54.690180] RAX: ffffffffffffffda RBX: 00007ffdd9ba9e20 RCX: 0000000000444399
[   54.690184] RDX: 00000000fffffecb RSI: 0000000020000300 RDI: 0000000000000003
[   54.690189] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000400c60
[   54.690193] R10: 00007ffdd9ba9960 R11: 0000000000000246 R12: 00000000004020a0
[   54.690197] R13: 0000000000402130 R14: 0000000000000000 R15: 0000000000000000
[   54.690208]
[   54.690212] Allocated by task 1:
[   54.690221]  save_stack+0x45/0xd0
[   54.690227]  kasan_kmalloc+0xce/0xf0
[   54.690233]  __kmalloc+0x15d/0x750
[   54.690239]  vc_do_resize+0x262/0x14a0
[   54.690246]  vc_resize+0x4d/0x60
[   54.690256]  fbcon_init+0x1062/0x1b00
[   54.690278]  visual_init+0x337/0x620
[   54.690285]  do_bind_con_driver+0x549/0x8c0
[   54.690293]  do_take_over_console+0x449/0x590
[   54.690299]  do_fbcon_takeover+0x116/0x220
[   54.690305]  fbcon_event_notify+0x1786/0x1dba
[   54.690315]  notifier_call_chain+0xc2/0x230
[   54.690323]  blocking_notifier_call_chain+0x94/0xb0
[   54.690333]  fb_notifier_call_chain+0x25/0x30
[   54.690340]  register_framebuffer+0x61d/0xa70
[   54.690348]  vga16fb_probe+0x711/0x825
[   54.690357]  platform_drv_probe+0x93/0x160
[   54.690363]  really_probe+0x4a0/0x650
[   54.690370]  driver_probe_device+0x103/0x1b0
[   54.690376]  __device_attach_driver+0x225/0x290
[   54.690385]  bus_for_each_drv+0x16c/0x1f0
[   54.690391]  __device_attach+0x237/0x350
[   54.690397]  device_initial_probe+0x1b/0x20
[   54.690402]  bus_probe_device+0x1f7/0x2a0
[   54.690409]  device_add+0xb42/0x1760
[   54.690423]  platform_device_add+0x366/0x6f0
[   54.690435]  vga16fb_init+0x15f/0x1d6
[   54.690442]  do_one_initcall+0x107/0x78c
[   54.690450]  kernel_init_freeable+0x4d4/0x5c8
[   54.690457]  kernel_init+0x12/0x1c2
[   54.690462]  ret_from_fork+0x24/0x30
[   54.690464]
[   54.690468] Freed by task 0:
[   54.690470] (stack is not available)
[   54.690472]
[   54.690478] The buggy address belongs to the object at ffff888219760100
[   54.690478]  which belongs to the cache kmalloc-8192 of size 8192
[   54.690485] The buggy address is located 4800 bytes inside of
[   54.690485]  8192-byte region [ffff888219760100, ffff888219762100)
[   54.690487] The buggy address belongs to the page:
[   54.690496] page:ffffea000865d800 count:1 mapcount:0 mapping:ffff88812c315080 index:0x0 compound_mapcount: 0
[   54.690505] flags: 0x57ffe0000008100(slab|head)
[   54.690517] raw: 057ffe0000008100 ffffea0008688008 ffffea0008628808 ffff88812c315080
[   54.690526] raw: 0000000000000000 ffff888219760100 0000000100000001 0000000000000000
[   54.690529] page dumped because: kasan: bad access detected
[   54.690531]
[   54.690534] Memory state around the buggy address:
[   54.690540]  ffff888219761280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   54.690546]  ffff888219761300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   54.690552] >ffff888219761380: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   54.690555]                                            ^
[   54.690561]  ffff888219761400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   54.690567]  ffff888219761480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   54.690570] ==================================================================
[   54.690573] Disabling lock debugging due to kernel taint
[   54.690578] Kernel panic - not syncing: panic_on_warn set ...
[   54.690578]
[   54.690586] CPU: 1 PID: 7808 Comm: syz-executor100 Tainted: G    B             4.19.87-syzkaller #0
[   54.690590] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.690592] Call Trace:
[   54.690599]  dump_stack+0x197/0x210
[   54.690606]  ? vcs_scr_readw+0xc2/0xd0
[   54.690613]  panic+0x26a/0x50e
[   54.690619]  ? __warn_printk+0xf3/0xf3
[   54.690628]  ? lock_downgrade+0x880/0x880
[   54.690638]  ? trace_hardirqs_on+0x67/0x220
[   54.690645]  ? trace_hardirqs_on+0x5e/0x220
[   54.690655]  ? vcs_scr_readw+0xc2/0xd0
[   54.690662]  kasan_end_report+0x47/0x4f
[   54.690669]  kasan_report.cold+0xa9/0x2ba
[   54.690678]  __asan_report_load2_noabort+0x14/0x20
[   54.690684]  vcs_scr_readw+0xc2/0xd0
[   54.690691]  vcs_write+0x646/0xcf0
[   54.690697]  ? save_stack+0xa9/0xd0
[   54.690704]  ? __kasan_slab_free+0x102/0x150
[   54.690713]  ? vcs_size+0x240/0x240
[   54.690720]  ? find_held_lock+0x35/0x130
[   54.690730]  __vfs_write+0x114/0x810
[   54.690736]  ? vcs_size+0x240/0x240
[   54.690743]  ? kernel_read+0x120/0x120
[   54.690751]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   54.690757]  ? __inode_security_revalidate+0xda/0x120
[   54.690765]  ? avc_policy_seqno+0xd/0x70
[   54.690771]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   54.690778]  ? selinux_file_permission+0x92/0x550
[   54.690786]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.690793]  ? security_file_permission+0x89/0x230
[   54.690801]  ? rw_verify_area+0x118/0x360
[   54.690808]  vfs_write+0x20c/0x560
[   54.690816]  ksys_write+0x14f/0x2d0
[   54.690824]  ? __ia32_sys_read+0xb0/0xb0
[   54.690831]  ? do_syscall_64+0x26/0x620
[   54.690838]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.690845]  ? do_syscall_64+0x26/0x620
[   54.690853]  __x64_sys_write+0x73/0xb0
[   54.690861]  do_syscall_64+0xfd/0x620
[   54.690869]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.690874] RIP: 0033:0x444399
[   54.690880] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   54.690890] RSP: 002b:00007ffdd9ba9e18 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   54.690897] RAX: ffffffffffffffda RBX: 00007ffdd9ba9e20 RCX: 0000000000444399
[   54.690901] RDX: 00000000fffffecb RSI: 0000000020000300 RDI: 0000000000000003
[   54.690905] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000400c60
[   54.690909] R10: 00007ffdd9ba9960 R11: 0000000000000246 R12: 00000000004020a0
[   54.690913] R13: 0000000000402130 R14: 0000000000000000 R15: 0000000000000000
[   54.692530] Kernel Offset: disabled
[   55.475573] Rebooting in 86400 seconds..