Warning: Permanently added '10.128.0.162' (ECDSA) to the list of known hosts.
executing program
[   87.829466][ T9732] ==================================================================
[   87.829508][ T9732] BUG: KASAN: slab-out-of-bounds in soft_cursor+0x439/0xa30
[   87.829516][ T9732] Read of size 16 at addr ffff88809fbb1740 by task syz-executor427/9732
[   87.829519][ T9732] 
[   87.829529][ T9732] CPU: 0 PID: 9732 Comm: syz-executor427 Not tainted 5.5.0-rc5-syzkaller #0
[   87.829534][ T9732] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   87.829538][ T9732] Call Trace:
[   87.829551][ T9732]  dump_stack+0x197/0x210
[   87.829559][ T9732]  ? soft_cursor+0x439/0xa30
[   87.829572][ T9732]  print_address_description.constprop.0.cold+0xd4/0x30b
[   87.829579][ T9732]  ? soft_cursor+0x439/0xa30
[   87.829587][ T9732]  ? soft_cursor+0x439/0xa30
[   87.829595][ T9732]  __kasan_report.cold+0x1b/0x41
[   87.829604][ T9732]  ? soft_cursor+0x439/0xa30
[   87.829613][ T9732]  kasan_report+0x12/0x20
[   87.829622][ T9732]  check_memory_region+0x134/0x1a0
[   87.829631][ T9732]  memcpy+0x24/0x50
[   87.829639][ T9732]  soft_cursor+0x439/0xa30
[   87.829648][ T9732]  ? lockdep_hardirqs_on+0x421/0x5e0
[   87.829662][ T9732]  bit_cursor+0x12fc/0x1a60
[   87.829675][ T9732]  ? bit_clear+0x530/0x530
[   87.829683][ T9732]  ? find_held_lock+0x35/0x130
[   87.829699][ T9732]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   87.829707][ T9732]  ? get_color+0x225/0x430
[   87.829717][ T9732]  fbcon_cursor+0x487/0x660
[   87.829724][ T9732]  ? bit_clear+0x530/0x530
[   87.829737][ T9732]  hide_cursor+0x9d/0x2b0
[   87.829746][ T9732]  redraw_screen+0x60b/0x7d0
[   87.829755][ T9732]  ? respond_string+0x2c0/0x2c0
[   87.829767][ T9732]  vc_do_resize+0x10c9/0x1460
[   87.829775][ T9732]  ? down+0x50/0x90
[   87.829792][ T9732]  ? vc_uniscr_alloc+0xd0/0xd0
[   87.829800][ T9732]  ? lock_acquire+0x190/0x410
[   87.829808][ T9732]  ? vt_ioctl+0x1f56/0x26d0
[   87.829818][ T9732]  vc_resize+0x4d/0x60
[   87.829827][ T9732]  vt_ioctl+0x2076/0x26d0
[   87.829836][ T9732]  ? complete_change_console+0x3a0/0x3a0
[   87.829843][ T9732]  ? lock_downgrade+0x920/0x920
[   87.829852][ T9732]  ? rwlock_bug.part.0+0x90/0x90
[   87.829868][ T9732]  ? tomoyo_path_number_perm+0x214/0x520
[   87.829876][ T9732]  ? find_held_lock+0x35/0x130
[   87.829885][ T9732]  ? tomoyo_path_number_perm+0x214/0x520
[   87.829894][ T9732]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   87.829904][ T9732]  ? tty_jobctrl_ioctl+0x50/0xd40
[   87.829912][ T9732]  ? complete_change_console+0x3a0/0x3a0
[   87.829923][ T9732]  tty_ioctl+0xa37/0x14f0
[   87.829933][ T9732]  ? tty_vhangup+0x30/0x30
[   87.829941][ T9732]  ? tomoyo_path_number_perm+0x454/0x520
[   87.829952][ T9732]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   87.829960][ T9732]  ? tomoyo_path_number_perm+0x25e/0x520
[   87.829971][ T9732]  ? tomoyo_execute_permission+0x4a0/0x4a0
[   87.829989][ T9732]  ? tty_vhangup+0x30/0x30
[   87.830000][ T9732]  do_vfs_ioctl+0x977/0x14e0
[   87.830011][ T9732]  ? compat_ioctl_preallocate+0x220/0x220
[   87.830021][ T9732]  ? kmem_cache_free+0x26b/0x320
[   87.830030][ T9732]  ? putname+0xf4/0x130
[   87.830040][ T9732]  ? do_sys_open+0x31d/0x5d0
[   87.830051][ T9732]  ? tomoyo_file_ioctl+0x23/0x30
[   87.830060][ T9732]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   87.830069][ T9732]  ? security_file_ioctl+0x8d/0xc0
[   87.830078][ T9732]  ksys_ioctl+0xab/0xd0
[   87.830088][ T9732]  __x64_sys_ioctl+0x73/0xb0
[   87.830100][ T9732]  do_syscall_64+0xfa/0x790
[   87.830111][ T9732]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   87.830118][ T9732] RIP: 0033:0x440249
[   87.830129][ T9732] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   87.830133][ T9732] RSP: 002b:00007ffdd43faf18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   87.830142][ T9732] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440249
[   87.830147][ T9732] RDX: 0000000020000000 RSI: 000000000000560a RDI: 0000000000000004
[   87.830151][ T9732] RBP: 00000000006cb018 R08: 000000000000000d R09: 00000000004002c8
[   87.830156][ T9732] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b30
[   87.830161][ T9732] R13: 0000000000401bc0 R14: 0000000000000000 R15: 0000000000000000
[   87.830172][ T9732] 
[   87.830176][ T9732] Allocated by task 9732:
[   87.830184][ T9732]  save_stack+0x23/0x90
[   87.830191][ T9732]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   87.830197][ T9732]  kasan_kmalloc+0x9/0x10
[   87.830203][ T9732]  __kmalloc+0x163/0x770
[   87.830210][ T9732]  fbcon_set_font+0x32d/0x860
[   87.830216][ T9732]  con_font_op+0xe30/0x1270
[   87.830222][ T9732]  vt_ioctl+0x35a/0x26d0
[   87.830229][ T9732]  tty_ioctl+0xa37/0x14f0
[   87.830235][ T9732]  do_vfs_ioctl+0x977/0x14e0
[   87.830242][ T9732]  ksys_ioctl+0xab/0xd0
[   87.830248][ T9732]  __x64_sys_ioctl+0x73/0xb0
[   87.830255][ T9732]  do_syscall_64+0xfa/0x790
[   87.830263][ T9732]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   87.830265][ T9732] 
[   87.830268][ T9732] Freed by task 9473:
[   87.830275][ T9732]  save_stack+0x23/0x90
[   87.830281][ T9732]  __kasan_slab_free+0x102/0x150
[   87.830288][ T9732]  kasan_slab_free+0xe/0x10
[   87.830293][ T9732]  kfree+0x10a/0x2c0
[   87.830300][ T9732]  tomoyo_supervisor+0x360/0xef0
[   87.830307][ T9732]  tomoyo_env_perm+0x18e/0x210
[   87.830314][ T9732]  tomoyo_find_next_domain+0x1354/0x1f6c
[   87.830323][ T9732]  tomoyo_bprm_check_security+0x124/0x1a0
[   87.830329][ T9732]  security_bprm_check+0x63/0xb0
[   87.830336][ T9732]  search_binary_handler+0x71/0x570
[   87.830344][ T9732]  __do_execve_file.isra.0+0x1329/0x22b0
[   87.830350][ T9732]  __x64_sys_execve+0x8f/0xc0
[   87.830358][ T9732]  do_syscall_64+0xfa/0x790
[   87.830365][ T9732]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   87.830367][ T9732] 
[   87.830373][ T9732] The buggy address belongs to the object at ffff88809fbb1000
[   87.830373][ T9732]  which belongs to the cache kmalloc-2k of size 2048
[   87.830380][ T9732] The buggy address is located 1856 bytes inside of
[   87.830380][ T9732]  2048-byte region [ffff88809fbb1000, ffff88809fbb1800)
[   87.830383][ T9732] The buggy address belongs to the page:
[   87.830391][ T9732] page:ffffea00027eec40 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
[   87.830403][ T9732] raw: 00fffe0000000200 ffffea00027d0ac8 ffffea00027645c8 ffff8880aa400e00
[   87.830452][ T9732] raw: 0000000000000000 ffff88809fbb1000 0000000100000001 0000000000000000
[   87.830463][ T9732] page dumped because: kasan: bad access detected
[   87.830466][ T9732] 
[   87.830469][ T9732] Memory state around the buggy address:
[   87.830477][ T9732]  ffff88809fbb1600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   87.830483][ T9732]  ffff88809fbb1680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   87.830490][ T9732] >ffff88809fbb1700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   87.830494][ T9732]                                            ^
[   87.830500][ T9732]  ffff88809fbb1780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   87.830506][ T9732]  ffff88809fbb1800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   87.830509][ T9732] ==================================================================
[   87.830512][ T9732] Disabling lock debugging due to kernel taint
[   87.830517][ T9732] Kernel panic - not syncing: panic_on_warn set ...
[   87.830527][ T9732] CPU: 0 PID: 9732 Comm: syz-executor427 Tainted: G    B             5.5.0-rc5-syzkaller #0
[   87.830532][ T9732] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   87.830534][ T9732] Call Trace:
[   87.830549][ T9732]  dump_stack+0x197/0x210
[   87.830558][ T9732]  panic+0x2e3/0x75c
[   87.830566][ T9732]  ? add_taint.cold+0x16/0x16
[   87.830578][ T9732]  ? trace_hardirqs_on+0x67/0x240
[   87.830585][ T9732]  ? trace_hardirqs_on+0x5e/0x240
[   87.830594][ T9732]  ? soft_cursor+0x439/0xa30
[   87.830601][ T9732]  end_report+0x47/0x4f
[   87.830608][ T9732]  ? soft_cursor+0x439/0xa30
[   87.830615][ T9732]  __kasan_report.cold+0xe/0x41
[   87.830623][ T9732]  ? soft_cursor+0x439/0xa30
[   87.830630][ T9732]  kasan_report+0x12/0x20
[   87.830638][ T9732]  check_memory_region+0x134/0x1a0
[   87.830645][ T9732]  memcpy+0x24/0x50
[   87.830652][ T9732]  soft_cursor+0x439/0xa30
[   87.830659][ T9732]  ? lockdep_hardirqs_on+0x421/0x5e0
[   87.830669][ T9732]  bit_cursor+0x12fc/0x1a60
[   87.830679][ T9732]  ? bit_clear+0x530/0x530
[   87.830685][ T9732]  ? find_held_lock+0x35/0x130
[   87.830696][ T9732]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   87.830703][ T9732]  ? get_color+0x225/0x430
[   87.830711][ T9732]  fbcon_cursor+0x487/0x660
[   87.830718][ T9732]  ? bit_clear+0x530/0x530
[   87.830727][ T9732]  hide_cursor+0x9d/0x2b0
[   87.830734][ T9732]  redraw_screen+0x60b/0x7d0
[   87.830741][ T9732]  ? respond_string+0x2c0/0x2c0
[   87.830750][ T9732]  vc_do_resize+0x10c9/0x1460
[   87.830757][ T9732]  ? down+0x50/0x90
[   87.830768][ T9732]  ? vc_uniscr_alloc+0xd0/0xd0
[   87.830775][ T9732]  ? lock_acquire+0x190/0x410
[   87.830781][ T9732]  ? vt_ioctl+0x1f56/0x26d0
[   87.830789][ T9732]  vc_resize+0x4d/0x60
[   87.830796][ T9732]  vt_ioctl+0x2076/0x26d0
[   87.830804][ T9732]  ? complete_change_console+0x3a0/0x3a0
[   87.830810][ T9732]  ? lock_downgrade+0x920/0x920
[   87.830818][ T9732]  ? rwlock_bug.part.0+0x90/0x90
[   87.830827][ T9732]  ? tomoyo_path_number_perm+0x214/0x520
[   87.830834][ T9732]  ? find_held_lock+0x35/0x130
[   87.830842][ T9732]  ? tomoyo_path_number_perm+0x214/0x520
[   87.830850][ T9732]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   87.830858][ T9732]  ? tty_jobctrl_ioctl+0x50/0xd40
[   87.830865][ T9732]  ? complete_change_console+0x3a0/0x3a0
[   87.830873][ T9732]  tty_ioctl+0xa37/0x14f0
[   87.830882][ T9732]  ? tty_vhangup+0x30/0x30
[   87.830889][ T9732]  ? tomoyo_path_number_perm+0x454/0x520
[   87.830898][ T9732]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   87.830906][ T9732]  ? tomoyo_path_number_perm+0x25e/0x520
[   87.830915][ T9732]  ? tomoyo_execute_permission+0x4a0/0x4a0
[   87.830927][ T9732]  ? tty_vhangup+0x30/0x30
[   87.830935][ T9732]  do_vfs_ioctl+0x977/0x14e0
[   87.830944][ T9732]  ? compat_ioctl_preallocate+0x220/0x220
[   87.830951][ T9732]  ? kmem_cache_free+0x26b/0x320
[   87.830960][ T9732]  ? putname+0xf4/0x130
[   87.830967][ T9732]  ? do_sys_open+0x31d/0x5d0
[   87.830976][ T9732]  ? tomoyo_file_ioctl+0x23/0x30
[   87.830984][ T9732]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   87.830991][ T9732]  ? security_file_ioctl+0x8d/0xc0
[   87.830999][ T9732]  ksys_ioctl+0xab/0xd0
[   87.831007][ T9732]  __x64_sys_ioctl+0x73/0xb0
[   87.831015][ T9732]  do_syscall_64+0xfa/0x790
[   87.831024][ T9732]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   87.831030][ T9732] RIP: 0033:0x440249
[   87.831038][ T9732] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   87.831042][ T9732] RSP: 002b:00007ffdd43faf18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   87.831049][ T9732] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440249
[   87.831053][ T9732] RDX: 0000000020000000 RSI: 000000000000560a RDI: 0000000000000004
[   87.831057][ T9732] RBP: 00000000006cb018 R08: 000000000000000d R09: 00000000004002c8
[   87.831062][ T9732] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b30
[   87.831066][ T9732] R13: 0000000000401bc0 R14: 0000000000000000 R15: 0000000000000000
[   87.832751][ T9732] Kernel Offset: disabled
[   88.911171][ T9732] Rebooting in 86400 seconds..