[  OK  ] Started Getty on tty4.
[  OK  ] Started Getty on tty3.
[  OK  ] Started Getty on tty2.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.160' (ECDSA) to the list of known hosts.
2020/07/04 18:50:25 parsed 1 programs
2020/07/04 18:50:25 executed programs: 0
syzkaller login: [   42.344957] audit: type=1400 audit(1593888625.873:8): avc: denied { execmem } for pid=6431 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   42.387652] IPVS: ftp: loaded support on port[0] = 21
[   42.475810] chnl_net:caif_netlink_parms(): no params data found
[   42.624441] bridge0: port 1(bridge_slave_0) entered blocking state
[   42.631117] bridge0: port 1(bridge_slave_0) entered disabled state
[   42.638336] device bridge_slave_0 entered promiscuous mode
[   42.647584] bridge0: port 2(bridge_slave_1) entered blocking state
[   42.654301] bridge0: port 2(bridge_slave_1) entered disabled state
[   42.661948] device bridge_slave_1 entered promiscuous mode
[   42.680427] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   42.689350] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   42.709132] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   42.716659] team0: Port device team_slave_0 added
[   42.722809] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   42.731297] team0: Port device team_slave_1 added
[   42.747192] batman_adv: batadv0: Adding interface: batadv_slave_0
[   42.753545] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   42.780100] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   42.792511] batman_adv: batadv0: Adding interface: batadv_slave_1
[   42.798762] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   42.825293] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   42.837119] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   42.845127] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   42.914009] device hsr_slave_0 entered promiscuous mode
[   42.950919] device hsr_slave_1 entered promiscuous mode
[   42.991355] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[   42.998827] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[   43.067767] bridge0: port 2(bridge_slave_1) entered blocking state
[   43.074257] bridge0: port 2(bridge_slave_1) entered forwarding state
[   43.081280] bridge0: port 1(bridge_slave_0) entered blocking state
[   43.087648] bridge0: port 1(bridge_slave_0) entered forwarding state
[   43.123457] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   43.129669] 8021q: adding VLAN 0 to HW filter on device bond0
[   43.139352] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   43.149009] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   43.168577] bridge0: port 1(bridge_slave_0) entered disabled state
[   43.175966] bridge0: port 2(bridge_slave_1) entered disabled state
[   43.184640] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   43.194976] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   43.201676] 8021q: adding VLAN 0 to HW filter on device team0
[   43.211636] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   43.219563] bridge0: port 1(bridge_slave_0) entered blocking state
[   43.226006] bridge0: port 1(bridge_slave_0) entered forwarding state
[   43.236089] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   43.245024] bridge0: port 2(bridge_slave_1) entered blocking state
[   43.251441] bridge0: port 2(bridge_slave_1) entered forwarding state
[   43.267024] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   43.274768] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   43.286593] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   43.296528] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   43.307589] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   43.316893] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[   43.323721] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   43.338037] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[   43.345833] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   43.353227] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   43.365184] 8021q: adding VLAN 0 to HW filter on device batadv0
[   43.377698] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[   43.387926] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   43.421431] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[   43.428477] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[   43.435575] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[   43.446258] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   43.454017] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   43.464559] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   43.474454] device veth0_vlan entered promiscuous mode
[   43.484428] device veth1_vlan entered promiscuous mode
[   43.498026] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[   43.508422] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[   43.515833] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[   43.524653] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   43.535270] device veth0_macvtap entered promiscuous mode
[   43.542441] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[   43.551110] device veth1_macvtap entered promiscuous mode
[   43.557207] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[   43.566548] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[   43.577075] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[   43.586959] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[   43.594402] batman_adv: batadv0: Interface activated: batadv_slave_0
[   43.601853] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   43.609311] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[   43.617182] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[   43.625133] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   43.636129] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[   43.643878] batman_adv: batadv0: Interface activated: batadv_slave_1
[   43.651191] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[   43.659039] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   43.864910] ==================================================================
[   43.864943] BUG: KASAN: global-out-of-bounds in vga16fb_imageblit+0x1d01/0x2260
[   43.864950] Read of size 2 at addr ffffffff87cfd9fe by task syz-executor.0/6654
[   43.864952]
[   43.864961] CPU: 1 PID: 6654 Comm: syz-executor.0 Not tainted 4.19.131-syzkaller #0
[   43.864966] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.864968] Call Trace:
[   43.864979]  dump_stack+0x1fc/0x2fe
[   43.864991]  print_address_description.cold+0x5/0x219
[   43.865000]  kasan_report_error.cold+0x8a/0x1c7
[   43.865008]  ? vga16fb_imageblit+0x1d01/0x2260
[   43.865015]  __asan_report_load2_noabort+0x88/0x90
[   43.865024]  ? vga16fb_imageblit+0x1d01/0x2260
[   43.865044]  vga16fb_imageblit+0x1d01/0x2260
[   43.865062]  ? trace_hardirqs_off+0xcf/0x200
[   43.865075]  ? fb_pad_unaligned_buffer+0x3f/0x320
[   43.865092]  soft_cursor+0x514/0xa30
[   43.865113]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   43.865130]  bit_cursor+0x1239/0x1820
[   43.865143]  ? bit_update_start+0x1f0/0x1f0
[   43.865150]  ? fbcon_putcs+0x336/0x4f0
[   43.865160]  ? do_update_region+0x47c/0x630
[   43.865167]  ? fb_get_color_depth+0x11a/0x240
[   43.865175]  ? __sanitizer_cov_trace_switch+0x4b/0x80
[   43.865182]  ? get_color+0x20e/0x410
[   43.865191]  fbcon_cursor+0x555/0x760
[   43.865199]  ? bit_update_start+0x1f0/0x1f0
[   43.865206]  ? fbcon_set_palette+0x4d0/0x5f0
[   43.865214]  set_cursor+0x1dd/0x230
[   43.865221]  redraw_screen+0x5ee/0x870
[   43.865229]  ? wait_for_completion_io+0x10/0x10
[   43.865236]  ? vc_init+0x440/0x440
[   43.865247]  vc_do_resize+0x1132/0x1440
[   43.865261]  ? redraw_screen+0x870/0x870
[   43.865274]  fbcon_modechanged+0x4df/0x9f0
[   43.865285]  fbcon_event_notify+0x197/0x1d80
[   43.865295]  notifier_call_chain+0xc0/0x230
[   43.865305]  blocking_notifier_call_chain+0x85/0xa0
[   43.865313]  fb_set_var+0xc51/0xe20
[   43.865321]  ? fb_set_suspend+0x130/0x130
[   43.865328]  ? __lock_acquire+0x6de/0x3ff0
[   43.865340]  ? lock_acquire+0x170/0x3c0
[   43.865346]  ? do_fb_ioctl+0x350/0xb50
[   43.865366]  ? lock_acquire+0x170/0x3c0
[   43.865372]  ? do_fb_ioctl+0x33e/0xb50
[   43.865382]  do_fb_ioctl+0x3cf/0xb50
[   43.865390]  ? register_framebuffer+0x9e0/0x9e0
[   43.865399]  ? avc_has_extended_perms+0xe4/0xea0
[   43.865407]  ? check_preemption_disabled+0x41/0x280
[   43.865417]  ? avc_has_extended_perms+0x86d/0xea0
[   43.865427]  ? futex_wake+0x159/0x480
[   43.865436]  ? avc_ss_reset+0x170/0x170
[   43.865444]  ? __lock_acquire+0x6de/0x3ff0
[   43.865461]  ? debug_check_no_obj_freed+0x201/0x482
[   43.865472]  fb_ioctl+0xdd/0x130
[   43.865478]  ? do_fb_ioctl+0xb50/0xb50
[   43.865487]  do_vfs_ioctl+0xcdb/0x12e0
[   43.865495]  ? selinux_file_ioctl+0x506/0x6c0
[   43.865503]  ? ioctl_preallocate+0x200/0x200
[   43.865510]  ? selinux_inode_link+0x20/0x20
[   43.865519]  ? __fget+0x356/0x510
[   43.865528]  ? do_dup2+0x450/0x450
[   43.865540]  ksys_ioctl+0x9b/0xc0
[   43.865549]  __x64_sys_ioctl+0x6f/0xb0
[   43.865557]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   43.865566]  do_syscall_64+0xf9/0x620
[   43.865575]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.865582] RIP: 0033:0x45cb29
[   43.865590] Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   43.865595] RSP: 002b:00007ff853921c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   43.865602] RAX: ffffffffffffffda RBX: 00000000004e55e0 RCX: 000000000045cb29
[   43.865606] RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
[   43.865610] RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
[   43.865614] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[   43.865618] R13: 00000000000002fd R14: 00000000004c58a5 R15: 00007ff8539226d4
[   43.865627]
[   43.865630] The buggy address belongs to the variable:
[   43.865637]  transl_h+0x3e/0x40
[   43.865639]
[   43.865641] Memory state around the buggy address:
[   43.865648]  ffffffff87cfd880: fa fa fa fa 00 00 00 00 fa fa fa fa 00 00 00 00
[   43.865653]  ffffffff87cfd900: fa fa fa fa 00 00 00 00 00 fa fa fa fa fa fa fa
[   43.865658] >ffffffff87cfd980: 04 fa fa fa fa fa fa fa 00 00 00 00 fa fa fa fa
[   43.865661]                                                                  ^
[   43.865666]  ffffffff87cfda00: 00 00 00 00 fa fa fa fa 00 01 fa fa fa fa fa fa
[   43.865671]  ffffffff87cfda80: 00 00 04 fa fa fa fa fa 00 00 04 fa fa fa fa fa
[   43.865674] ==================================================================
[   43.865676] Disabling lock debugging due to kernel taint
[   43.865680] Kernel panic - not syncing: panic_on_warn set ...
[   43.865680]
[   43.865687] CPU: 1 PID: 6654 Comm: syz-executor.0 Tainted: G B 4.19.131-syzkaller #0
[   43.865691] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.865693] Call Trace:
[   43.865701]  dump_stack+0x1fc/0x2fe
[   43.865708]  panic+0x26a/0x50e
[   43.865715]  ? __warn_printk+0xf3/0xf3
[   43.865722]  ? lock_downgrade+0x720/0x720
[   43.865729]  ? print_shadow_for_address+0xb8/0x114
[   43.865735]  ? trace_hardirqs_on+0x55/0x210
[   43.865743]  kasan_end_report+0x43/0x49
[   43.865749]  kasan_report_error.cold+0xa7/0x1c7
[   43.865756]  ? vga16fb_imageblit+0x1d01/0x2260
[   43.865762]  __asan_report_load2_noabort+0x88/0x90
[   43.865770]  ? vga16fb_imageblit+0x1d01/0x2260
[   43.865777]  vga16fb_imageblit+0x1d01/0x2260
[   43.865785]  ? trace_hardirqs_off+0xcf/0x200
[   43.865791]  ? fb_pad_unaligned_buffer+0x3f/0x320
[   43.865798]  soft_cursor+0x514/0xa30
[   43.865807]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   43.865814]  bit_cursor+0x1239/0x1820
[   43.865824]  ? bit_update_start+0x1f0/0x1f0
[   43.865830]  ? fbcon_putcs+0x336/0x4f0
[   43.865837]  ? do_update_region+0x47c/0x630
[   43.865844]  ? fb_get_color_depth+0x11a/0x240
[   43.865850]  ? __sanitizer_cov_trace_switch+0x4b/0x80
[   43.865857]  ? get_color+0x20e/0x410
[   43.865865]  fbcon_cursor+0x555/0x760
[   43.865871]  ? bit_update_start+0x1f0/0x1f0
[   43.865878]  ? fbcon_set_palette+0x4d0/0x5f0
[   43.865885]  set_cursor+0x1dd/0x230
[   43.865891]  redraw_screen+0x5ee/0x870
[   43.865897]  ? wait_for_completion_io+0x10/0x10
[   43.865903]  ? vc_init+0x440/0x440
[   43.865911]  vc_do_resize+0x1132/0x1440
[   43.865922]  ? redraw_screen+0x870/0x870
[   43.865932]  fbcon_modechanged+0x4df/0x9f0
[   43.865941]  fbcon_event_notify+0x197/0x1d80
[   43.865948]  notifier_call_chain+0xc0/0x230
[   43.865956]  blocking_notifier_call_chain+0x85/0xa0
[   43.865963]  fb_set_var+0xc51/0xe20
[   43.865970]  ? fb_set_suspend+0x130/0x130
[   43.865977]  ? __lock_acquire+0x6de/0x3ff0
[   43.865985]  ? lock_acquire+0x170/0x3c0
[   43.865991]  ? do_fb_ioctl+0x350/0xb50
[   43.866005]  ? lock_acquire+0x170/0x3c0
[   43.866011]  ? do_fb_ioctl+0x33e/0xb50
[   43.866019]  do_fb_ioctl+0x3cf/0xb50
[   43.866026]  ? register_framebuffer+0x9e0/0x9e0
[   43.866041]  ? avc_has_extended_perms+0xe4/0xea0
[   43.866047]  ? check_preemption_disabled+0x41/0x280
[   43.866056]  ? avc_has_extended_perms+0x86d/0xea0
[   43.866063]  ? futex_wake+0x159/0x480
[   43.866070]  ? avc_ss_reset+0x170/0x170
[   43.866078]  ? __lock_acquire+0x6de/0x3ff0
[   43.866090]  ? debug_check_no_obj_freed+0x201/0x482
[   43.866098]  fb_ioctl+0xdd/0x130
[   43.866104]  ? do_fb_ioctl+0xb50/0xb50
[   43.866111]  do_vfs_ioctl+0xcdb/0x12e0
[   43.866118]  ? selinux_file_ioctl+0x506/0x6c0
[   43.866125]  ? ioctl_preallocate+0x200/0x200
[   43.866132]  ? selinux_inode_link+0x20/0x20
[   43.866139]  ? __fget+0x356/0x510
[   43.866147]  ? do_dup2+0x450/0x450
[   43.866164]  ksys_ioctl+0x9b/0xc0
[   43.866178]  __x64_sys_ioctl+0x6f/0xb0
[   43.866190]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   43.866202]  do_syscall_64+0xf9/0x620
[   43.866217]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.866225] RIP: 0033:0x45cb29
[   43.866233] Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   43.866236] RSP: 002b:00007ff853921c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   43.866242] RAX: ffffffffffffffda RBX: 00000000004e55e0 RCX: 000000000045cb29
[   43.866246] RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
[   43.866250] RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
[   43.866254] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[   43.866258] R13: 00000000000002fd R14: 00000000004c58a5 R15: 00007ff8539226d4
[   43.867515] Kernel Offset: disabled
[   44.676584] Rebooting in 86400 seconds..
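Added example (not part of the syzkaller report and not kernel code): a Python triage helper that reads the KASAN report above and pulls out what a first responder wants before opening the source: the bug class and faulting function, the call path with the KASAN scaffolding and the unreliable "? " frames removed, the syscall the task was in when it entered the kernel (ORIG_RAX 0x10 is ioctl on x86-64, so RDI/RSI/RDX are the fd, request and argument), a field decode of the ioctl request number, and the real size of the object, recovered by walking the shadow bytes from the variable's start until the first redzone byte. The sample input is lines copied from the report, thinned to the frames that matter; the syscall, fb ioctl and KASAN poison tables are partial transcriptions of the kernel headers, and every function and output key name is this example's own.

```python
"""Triage helper for the KASAN report above (added example; not syzkaller or kernel code)."""
import re

# Partial lookup tables transcribed from the kernel headers; extend as needed.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close", 9: "mmap", 16: "ioctl"}
FB_IOCTLS = {0x4600: "FBIOGET_VSCREENINFO", 0x4601: "FBIOPUT_VSCREENINFO", 0x4602: "FBIOGET_FSCREENINFO"}
_IOC_DIR = ("_IOC_NONE", "_IOC_WRITE", "_IOC_READ", "_IOC_READ|_IOC_WRITE")
# KASAN shadow poison values (mm/kasan/kasan.h): 00 = 8 addressable bytes, 01..07 = partial.
SHADOW_POISON = {0xfa: "global redzone", 0xfb: "kmalloc freed", 0xfc: "kmalloc redzone",
                 0xf1: "stack left redzone", 0xf3: "stack right redzone", 0xff: "free page"}

# Sample input: lines copied from the report above, most '?' frames dropped for brevity.
SAMPLE_LOG = """\
[   43.864943] BUG: KASAN: global-out-of-bounds in vga16fb_imageblit+0x1d01/0x2260
[   43.864950] Read of size 2 at addr ffffffff87cfd9fe by task syz-executor.0/6654
[   43.864961] CPU: 1 PID: 6654 Comm: syz-executor.0 Not tainted 4.19.131-syzkaller #0
[   43.864968] Call Trace:
[   43.864979]  dump_stack+0x1fc/0x2fe
[   43.865000]  kasan_report_error.cold+0x8a/0x1c7
[   43.865008]  ? vga16fb_imageblit+0x1d01/0x2260
[   43.865044]  vga16fb_imageblit+0x1d01/0x2260
[   43.865092]  soft_cursor+0x514/0xa30
[   43.865247]  vc_do_resize+0x1132/0x1440
[   43.865274]  fbcon_modechanged+0x4df/0x9f0
[   43.865313]  fb_set_var+0xc51/0xe20
[   43.865382]  do_fb_ioctl+0x3cf/0xb50
[   43.865549]  __x64_sys_ioctl+0x6f/0xb0
[   43.865575]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.865582] RIP: 0033:0x45cb29
[   43.865595] RSP: 002b:00007ff853921c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   43.865606] RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
[   43.865630] The buggy address belongs to the variable:
[   43.865637]  transl_h+0x3e/0x40
[   43.865658] >ffffffff87cfd980: 04 fa fa fa fa fa fa fa 00 00 00 00 fa fa fa fa
[   43.865666]  ffffffff87cfda00: 00 00 00 00 fa fa fa fa 00 01 fa fa fa fa fa fa
"""

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
_BUG = re.compile(r"BUG: KASAN: (?P<type>[\w-]+) in (?P<func>\w+)\+")
_ACC = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                  r" by task (?P<task>\S+)/(?P<pid>\d+)")
_KV = re.compile(r"CPU: \d+ PID: \d+ Comm: .* (\S+) #\d+$")
_SYM = re.compile(r"(\w+)\+0x([0-9a-f]+)/0x([0-9a-f]+)")
_ROW = re.compile(r"^>?([0-9a-f]{16}):((?: [0-9a-f]{2}){16})$")
_REG = re.compile(r"\b(ORIG_RAX|R[A-Z]X|RSI|RDI|RBP|R\d+): ([0-9a-f]{16})")


def parse_report(log):
    """State machine over the console lines; returns the raw fields of one report."""
    r = {"frames": [], "regs": {}, "shadow": {}}
    state = None
    for raw in log.splitlines():
        line = _TS.sub("", raw).strip()
        if m := _BUG.search(line):
            r["type"], r["func"] = m["type"], m["func"]
        elif m := _ACC.search(line):
            r.update(rw=m["rw"], size=int(m["size"]), addr=int(m["addr"], 16),
                     task=m["task"], pid=int(m["pid"]))
        elif m := _KV.search(line):
            r["kernel"] = m[1]
        elif line == "Call Trace:":
            state = "trace"
        elif line.startswith("RIP:"):
            state = None
        elif line.endswith("belongs to the variable:"):
            state = "var"
        elif state == "trace":
            if line and not line.startswith("? "):  # '? ' = stale stack slot, not a caller
                r["frames"].append(line)
        elif state == "var" and (m := _SYM.match(line)):
            r.update(var=m[1], var_off=int(m[2], 16), sym_size=int(m[3], 16))
            state = None
        elif m := _ROW.match(line):
            r["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        else:
            r["regs"].update((k, int(v, 16)) for k, v in _REG.findall(line))
    return r


def shadow_byte(shadow, addr):
    # One shadow byte covers an 8-byte granule; each report row covers 16 granules (0x80).
    row = shadow.get(addr & ~0x7f)
    return None if row is None else row[(addr & 0x7f) >> 3]


def object_size(shadow, start):
    # Walk addressable granules from the variable's start up to its first redzone byte.
    n = 0
    while (b := shadow_byte(shadow, start + n)) == 0:
        n += 8
    return n + (b if b is not None and b < 8 else 0)


def decode_ioctl(req):
    # Field layout from include/uapi/asm-generic/ioctl.h (x86): nr:8, type:8, size:14, dir:2.
    return {"name": FB_IOCTLS.get(req), "dir": _IOC_DIR[req >> 30 & 3],
            "type": chr(req >> 8 & 0xff), "nr": req & 0xff, "size": req >> 16 & 0x3fff}


def triage(log):
    """Summarise what faulted, how far past the object, and which syscall got there."""
    r = parse_report(log)
    scaffolding = ("dump_stack", "print_address", "kasan_report", "__asan_report", "kasan_end")
    path = [f.split("+")[0] for f in r["frames"] if not f.startswith(scaffolding)]
    start = r["addr"] - r["var_off"]
    size = object_size(r["shadow"], start)
    nr = r["regs"]["ORIG_RAX"]
    call = {"nr": nr, "name": X86_64_SYSCALLS.get(nr, "?"),
            "args": [r["regs"].get(k) for k in ("RDI", "RSI", "RDX")]}
    if call["name"] == "ioctl":
        call["ioctl"] = decode_ioctl(call["args"][1])
    return {"bug": r["type"], "func": path[0], "access": r["rw"], "size": r["size"],
            "kernel": r["kernel"], "pid": r["pid"], "path": path, "syscall": call,
            "variable": r["var"], "object_size": size, "sym_size": r["sym_size"],
            "offset_past_end": r["addr"] - (start + size),
            "shadow_at_addr": SHADOW_POISON.get(shadow_byte(r["shadow"], r["addr"]), "addressable")}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=1))
```

Run against the two shadow rows quoted, `triage(SAMPLE_LOG)` reports the 2-byte read at transl_h+0x3e as landing in the global redzone 30 bytes past the end of a 32-byte object: the shadow shows only four addressable granules from the symbol's start, so the 0x40 in the report is the instrumented symbol size including its redzone padding, not the array's real size. The entry path it keeps is fb_set_var -> fbcon_modechanged -> vc_do_resize -> ... -> vga16fb_imageblit, reached from ioctl(3, FBIOPUT_VSCREENINFO, 0x20000000), which is enough to know which driver and which ioctl handler to read first.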