[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Started OpenBSD Secure Shell server.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.155' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 61.129679][ T6830] ==================================================================
[ 61.129721][ T6830] BUG: KASAN: global-out-of-bounds in vga16fb_imageblit+0x1c36/0x2210
[ 61.129729][ T6830] Read of size 2 at addr ffffffff8899f6be by task syz-executor094/6830
[ 61.129731][ T6830]
[ 61.129741][ T6830] CPU: 1 PID: 6830 Comm: syz-executor094 Not tainted 5.9.0-rc3-syzkaller #0
[ 61.129745][ T6830] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.129749][ T6830] Call Trace:
[ 61.129760][ T6830]  dump_stack+0x198/0x1fd
[ 61.129770][ T6830]  ? vga16fb_imageblit+0x1c36/0x2210
[ 61.129777][ T6830]  ? vga16fb_imageblit+0x1c36/0x2210
[ 61.129787][ T6830]  print_address_description.constprop.0.cold+0x5/0x497
[ 61.129797][ T6830]  ? vga16fb_imageblit+0x1c36/0x2210
[ 61.129807][ T6830]  ? lockdep_hardirqs_off+0x96/0xd0
[ 61.129816][ T6830]  ? vprintk_func+0x97/0x1a6
[ 61.129826][ T6830]  ? vga16fb_imageblit+0x1c36/0x2210
[ 61.129833][ T6830]  ? vga16fb_imageblit+0x1c36/0x2210
[ 61.129840][ T6830]  kasan_report.cold+0x1f/0x37
[ 61.129850][ T6830]  ? lock_downgrade+0x830/0x830
[ 61.129857][ T6830]  ? vga16fb_imageblit+0x1c36/0x2210
[ 61.129867][ T6830]  vga16fb_imageblit+0x1c36/0x2210
[ 61.129880][ T6830]  ? fb_pad_unaligned_buffer+0x9f/0x320
[ 61.129892][ T6830]  soft_cursor+0x514/0xa30
[ 61.129908][ T6830]  bit_cursor+0x1166/0x17d0
[ 61.129921][ T6830]  ? kmalloc_array.constprop.0+0x20/0x20
[ 61.129935][ T6830]  ? do_update_region+0x47c/0x630
[ 61.129945][ T6830]  ? fb_get_color_depth+0x11a/0x240
[ 61.129954][ T6830]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 61.129961][ T6830]  ? get_color+0x20e/0x410
[ 61.129972][ T6830]  fbcon_cursor+0x537/0x660
[ 61.129979][ T6830]  ? kmalloc_array.constprop.0+0x20/0x20
[ 61.129986][ T6830]  ? fbcon_set_palette+0x3a8/0x490
[ 61.129997][ T6830]  set_cursor+0x1d2/0x240
[ 61.130006][ T6830]  redraw_screen+0x4b9/0x770
[ 61.130014][ T6830]  ? vga16fb_update_fix+0x4a0/0x4a0
[ 61.130023][ T6830]  ? vc_init+0x430/0x430
[ 61.130033][ T6830]  ? fbcon_set_palette+0x3a8/0x490
[ 61.130043][ T6830]  fbcon_modechanged+0x575/0x710
[ 61.130054][ T6830]  fbcon_update_vcs+0x3a/0x50
[ 61.130062][ T6830]  do_fb_ioctl+0x62e/0x690
[ 61.130071][ T6830]  ? fb_set_suspend+0x1a0/0x1a0
[ 61.130082][ T6830]  ? tomoyo_execute_permission+0x470/0x470
[ 61.130097][ T6830]  ? lock_is_held_type+0xbb/0xf0
[ 61.130109][ T6830]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 61.130119][ T6830]  ? do_vfs_ioctl+0x27d/0x1090
[ 61.130147][ T6830]  ? __x64_sys_openat+0x13f/0x1f0
[ 61.130158][ T6830]  fb_ioctl+0xdd/0x130
[ 61.130166][ T6830]  ? do_fb_ioctl+0x690/0x690
[ 61.130174][ T6830]  __x64_sys_ioctl+0x193/0x200
[ 61.130184][ T6830]  do_syscall_64+0x2d/0x70
[ 61.130193][ T6830]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.130200][ T6830] RIP: 0033:0x4403d9
[ 61.130210][ T6830] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 61.130215][ T6830] RSP: 002b:00007ffe2e9b7208 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 61.130224][ T6830] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403d9
[ 61.130229][ T6830] RDX: 00000000200001c0 RSI: 0000000000004601 RDI: 0000000000000003
[ 61.130234][ T6830] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 61.130239][ T6830] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401be0
[ 61.130244][ T6830] R13: 0000000000401c70 R14: 0000000000000000 R15: 0000000000000000
[ 61.130256][ T6830]
[ 61.130259][ T6830] The buggy address belongs to the variable:
[ 61.130266][ T6830]  transl_h+0x3e/0x40
[ 61.130268][ T6830]
[ 61.130271][ T6830] Memory state around the buggy address:
[ 61.130278][ T6830]  ffffffff8899f580: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.130284][ T6830]  ffffffff8899f600: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
[ 61.130290][ T6830] >ffffffff8899f680: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
[ 61.130293][ T6830]                                         ^
[ 61.130299][ T6830]  ffffffff8899f700: 00 01 f9 f9 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
[ 61.130305][ T6830]  ffffffff8899f780: 00 00 04 f9 f9 f9 f9 f9 00 00 00 00 00 00 02 f9
[ 61.130308][ T6830] ==================================================================
[ 61.130311][ T6830] Disabling lock debugging due to kernel taint
[ 61.130315][ T6830] Kernel panic - not syncing: panic_on_warn set ...
[ 61.130322][ T6830] CPU: 1 PID: 6830 Comm: syz-executor094 Tainted: G B 5.9.0-rc3-syzkaller #0
[ 61.130326][ T6830] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.130327][ T6830] Call Trace:
[ 61.130334][ T6830]  dump_stack+0x198/0x1fd
[ 61.130342][ T6830]  ? vga16fb_imageblit+0x1c30/0x2210
[ 61.130350][ T6830]  panic+0x347/0x7c0
[ 61.130357][ T6830]  ? __warn_printk+0xf3/0xf3
[ 61.130366][ T6830]  ? trace_hardirqs_on+0x55/0x220
[ 61.130374][ T6830]  ? vga16fb_imageblit+0x1c36/0x2210
[ 61.130380][ T6830]  ? vga16fb_imageblit+0x1c36/0x2210
[ 61.130386][ T6830]  end_report+0x4d/0x53
[ 61.130392][ T6830]  kasan_report.cold+0xd/0x37
[ 61.130399][ T6830]  ? lock_downgrade+0x830/0x830
[ 61.130406][ T6830]  ? vga16fb_imageblit+0x1c36/0x2210
[ 61.130413][ T6830]  vga16fb_imageblit+0x1c36/0x2210
[ 61.130421][ T6830]  ? fb_pad_unaligned_buffer+0x9f/0x320
[ 61.130429][ T6830]  soft_cursor+0x514/0xa30
[ 61.130437][ T6830]  bit_cursor+0x1166/0x17d0
[ 61.130446][ T6830]  ? kmalloc_array.constprop.0+0x20/0x20
[ 61.130454][ T6830]  ? do_update_region+0x47c/0x630
[ 61.130462][ T6830]  ? fb_get_color_depth+0x11a/0x240
[ 61.130468][ T6830]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 61.130474][ T6830]  ? get_color+0x20e/0x410
[ 61.130481][ T6830]  fbcon_cursor+0x537/0x660
[ 61.130488][ T6830]  ? kmalloc_array.constprop.0+0x20/0x20
[ 61.130494][ T6830]  ? fbcon_set_palette+0x3a8/0x490
[ 61.130501][ T6830]  set_cursor+0x1d2/0x240
[ 61.130508][ T6830]  redraw_screen+0x4b9/0x770
[ 61.130515][ T6830]  ? vga16fb_update_fix+0x4a0/0x4a0
[ 61.130522][ T6830]  ? vc_init+0x430/0x430
[ 61.130529][ T6830]  ? fbcon_set_palette+0x3a8/0x490
[ 61.130536][ T6830]  fbcon_modechanged+0x575/0x710
[ 61.130543][ T6830]  fbcon_update_vcs+0x3a/0x50
[ 61.130550][ T6830]  do_fb_ioctl+0x62e/0x690
[ 61.130557][ T6830]  ? fb_set_suspend+0x1a0/0x1a0
[ 61.130564][ T6830]  ? tomoyo_execute_permission+0x470/0x470
[ 61.130573][ T6830]  ? lock_is_held_type+0xbb/0xf0
[ 61.130581][ T6830]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 61.130588][ T6830]  ? do_vfs_ioctl+0x27d/0x1090
[ 61.130598][ T6830]  ? __x64_sys_openat+0x13f/0x1f0
[ 61.130606][ T6830]  fb_ioctl+0xdd/0x130
[ 61.130612][ T6830]  ? do_fb_ioctl+0x690/0x690
[ 61.130619][ T6830]  __x64_sys_ioctl+0x193/0x200
[ 61.130626][ T6830]  do_syscall_64+0x2d/0x70
[ 61.130632][ T6830]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.130637][ T6830] RIP: 0033:0x4403d9
[ 61.130643][ T6830] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 61.130647][ T6830] RSP: 002b:00007ffe2e9b7208 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 61.130653][ T6830] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403d9
[ 61.130657][ T6830] RDX: 00000000200001c0 RSI: 0000000000004601 RDI: 0000000000000003
[ 61.130661][ T6830] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 61.130665][ T6830] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401be0
[ 61.130669][ T6830] R13: 0000000000401c70 R14: 0000000000000000 R15: 0000000000000000
[ 61.131657][ T6830] Kernel Offset: disabled
[ 61.857486][ T6830] Rebooting in 86400 seconds..