[   45.744250] audit: type=1800 audit(1575798209.022:30): pid=7769 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   51.097598] kauditd_printk_skb: 4 callbacks suppressed
[   51.097611] audit: type=1400 audit(1575798214.412:35): avc:  denied  { map } for  pid=7943 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.27' (ECDSA) to the list of known hosts.
[   57.670835] audit: type=1400 audit(1575798220.982:36): avc:  denied  { map } for  pid=7955 comm="syz-executor905" path="/root/syz-executor905512591" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   57.697237] IPVS: ftp: loaded support on port[0] = 21
[   57.711651] IPVS: ftp: loaded support on port[0] = 21
[   57.713547] IPVS: ftp: loaded support on port[0] = 21
[   57.722012] IPVS: ftp: loaded support on port[0] = 21
[   57.725809] IPVS: ftp: loaded support on port[0] = 21
[   57.731500] IPVS: ftp: loaded support on port[0] = 21
executing program
[   57.838316] audit: type=1400 audit(1575798221.152:37): avc:  denied  { create } for  pid=7966 comm="syz-executor905" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   57.862944] audit: type=1400 audit(1575798221.152:38): avc:  denied  { write } for  pid=7966 comm="syz-executor905" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   57.889139] audit: type=1400 audit(1575798221.152:39): avc:  denied  { read } for  pid=7966 comm="syz-executor905" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
executing program
executing program
executing program
executing program
executing program
[   58.214105] ==================================================================
[   58.214145] BUG: KASAN: slab-out-of-bounds in bit_putcs+0xd5d/0xf10
[   58.214155] Read of size 1 at addr ffff8880852ab508 by task syz-executor905/7994
[   58.214158]
[   58.214173] CPU: 0 PID: 7994 Comm: syz-executor905 Not tainted 4.19.88-syzkaller #0
[   58.214181] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   58.214186] Call Trace:
[   58.214204]  dump_stack+0x197/0x210
[   58.214219]  ? bit_putcs+0xd5d/0xf10
[   58.214239]  print_address_description.cold+0x7c/0x20d
[   58.214253]  ? bit_putcs+0xd5d/0xf10
[   58.214266]  kasan_report.cold+0x8c/0x2ba
[   58.214285]  __asan_report_load1_noabort+0x14/0x20
[   58.214297]  bit_putcs+0xd5d/0xf10
[   58.214329]  ? bit_cursor+0x1a60/0x1a60
[   58.214347]  ? __sanitizer_cov_trace_cmp1+0x1/0x20
[   58.214363]  ? fb_get_color_depth.part.0+0xcf/0x200
[   58.214380]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   58.214398]  fbcon_putcs+0x42b/0x4f0
[   58.214414]  ? bit_cursor+0x1a60/0x1a60
[   58.214430]  do_update_region+0x42b/0x6f0
[   58.214451]  ? con_get_trans_old+0x2a0/0x2a0
[   58.214466]  ? fbcon_set_palette+0x227/0x610
[   58.214479]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   58.214491]  ? fbcon_redraw.isra.0+0x490/0x490
[   58.214509]  redraw_screen+0x602/0x8e0
[   58.214523]  ? down+0x70/0x90
[   58.214536]  ? con_flush_chars+0xa0/0xa0
[   58.214550]  ? __down+0x181/0x2c0
[   58.214572]  fbcon_do_set_font+0x73a/0xa40
[   58.214592]  fbcon_copy_font+0x12c/0x190
[   58.214605]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   58.214617]  ? fbcon_do_set_font+0xa40/0xa40
[   58.214632]  con_font_op+0x69a/0x1250
[   58.214650]  ? con_write+0xd0/0xd0
[   58.214683]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   58.214699]  ? _copy_from_user+0xdd/0x150
[   58.214717]  vt_ioctl+0x1784/0x2530
[   58.214734]  ? complete_change_console+0x3a0/0x3a0
[   58.214750]  ? avc_has_extended_perms+0xa78/0x10f0
[   58.214773]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   58.214788]  ? tty_jobctrl_ioctl+0x50/0xcd0
[   58.214800]  ? complete_change_console+0x3a0/0x3a0
[   58.214814]  tty_ioctl+0x7f3/0x1510
[   58.214867]  ? tty_vhangup+0x30/0x30
[   58.214880]  ? mark_held_locks+0x100/0x100
[   58.214901]  ? __fget+0x340/0x540
[   58.214921]  ? __might_sleep+0x95/0x190
[   58.214934]  ? tty_vhangup+0x30/0x30
[   58.214948]  do_vfs_ioctl+0xd5f/0x1380
[   58.214962]  ? selinux_file_ioctl+0x46f/0x5e0
[   58.214974]  ? selinux_file_ioctl+0x125/0x5e0
[   58.214987]  ? ioctl_preallocate+0x210/0x210
[   58.215000]  ? selinux_file_mprotect+0x620/0x620
[   58.215019]  ? iterate_fd+0x360/0x360
[   58.215035]  ? calculate_sigpending+0x87/0xa0
[   58.215054]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   58.215068]  ? security_file_ioctl+0x8d/0xc0
[   58.215085]  ksys_ioctl+0xab/0xd0
[   58.215103]  __x64_sys_ioctl+0x73/0xb0
[   58.215121]  do_syscall_64+0xfd/0x620
[   58.215137]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   58.215148] RIP: 0033:0x447839
[   58.215162] Code: e8 3c e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   58.215169] RSP: 002b:00007f3ec94e4d08 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   58.215180] RAX: ffffffffffffffda RBX: 00000000006ddc88 RCX: 0000000000447839
[   58.215189] RDX: 0000000020000180 RSI: 0000000000004b72 RDI: 0000000000000003
[   58.215195] RBP: 00000000006ddc80 R08: 00007f3ec94e5700 R09: 0000000000000000
[   58.215200] R10: 00007f3ec94e5700 R11: 0000000000000246 R12: 00000000006ddc8c
[   58.215204] R13: 0000000000000000 R14: 00000000f72a8fce R15: 0000000000000001
[   58.215215]
[   58.215220] Allocated by task 7974:
[   58.215228]  save_stack+0x45/0xd0
[   58.215235]  kasan_kmalloc+0xce/0xf0
[   58.215241]  __kmalloc+0x15d/0x750
[   58.215248]  fbcon_set_font+0x32d/0x860
[   58.215255]  con_font_op+0xe18/0x1250
[   58.215262]  vt_ioctl+0xd2e/0x2530
[   58.215267]  tty_ioctl+0x7f3/0x1510
[   58.215274]  do_vfs_ioctl+0xd5f/0x1380
[   58.215279]  ksys_ioctl+0xab/0xd0
[   58.215286]  __x64_sys_ioctl+0x73/0xb0
[   58.215293]  do_syscall_64+0xfd/0x620
[   58.215300]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   58.215302]
[   58.215305] Freed by task 0:
[   58.215308] (stack is not available)
[   58.215309]
[   58.215316] The buggy address belongs to the object at ffff8880852aad00
[   58.215316]  which belongs to the cache kmalloc-2048 of size 2048
[   58.215325] The buggy address is located 8 bytes to the right of
[   58.215325]  2048-byte region [ffff8880852aad00, ffff8880852ab500)
[   58.215328] The buggy address belongs to the page:
[   58.215338] page:ffffea000214aa80 count:1 mapcount:0 mapping:ffff88812c31cc40 index:0x0 compound_mapcount: 0
[   58.215349] flags: 0xfffe0000008100(slab|head)
[   58.215363] raw: 00fffe0000008100 ffffea00024e0308 ffffea000258de08 ffff88812c31cc40
[   58.215373] raw: 0000000000000000 ffff8880852aa480 0000000100000003 0000000000000000
[   58.215377] page dumped because: kasan: bad access detected
[   58.215379]
[   58.215382] Memory state around the buggy address:
[   58.215388]  ffff8880852ab400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   58.215394]  ffff8880852ab480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   58.215400] >ffff8880852ab500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   58.215402]                       ^
[   58.215408]  ffff8880852ab580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   58.215414]  ffff8880852ab600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   58.215417] ==================================================================
[   58.215420] Disabling lock debugging due to kernel taint
[   58.215824] Kernel panic - not syncing: panic_on_warn set ...
[   58.215824]
[   58.215838] CPU: 0 PID: 7994 Comm: syz-executor905 Tainted: G    B             4.19.88-syzkaller #0
[   58.215847] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   58.215854] Call Trace:
[   58.215869]  dump_stack+0x197/0x210
[   58.215883]  ? bit_putcs+0xd5d/0xf10
[   58.215895]  panic+0x26a/0x50e
[   58.215907]  ? __warn_printk+0xf3/0xf3
[   58.215919]  ? bit_putcs+0xd5d/0xf10
[   58.215933]  ? preempt_schedule+0x4b/0x60
[   58.215947]  ? ___preempt_schedule+0x16/0x18
[   58.215961]  ? trace_hardirqs_on+0x5e/0x220
[   58.215974]  ? bit_putcs+0xd5d/0xf10
[   58.215988]  kasan_end_report+0x47/0x4f
[   58.216002]  kasan_report.cold+0xa9/0x2ba
[   58.216017]  __asan_report_load1_noabort+0x14/0x20
[   58.216028]  bit_putcs+0xd5d/0xf10
[   58.216049]  ? bit_cursor+0x1a60/0x1a60
[   58.216063]  ? __sanitizer_cov_trace_cmp1+0x1/0x20
[   58.216082]  ? fb_get_color_depth.part.0+0xcf/0x200
[   58.216095]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   58.216108]  fbcon_putcs+0x42b/0x4f0
[   58.216121]  ? bit_cursor+0x1a60/0x1a60
[   58.216135]  do_update_region+0x42b/0x6f0
[   58.216151]  ? con_get_trans_old+0x2a0/0x2a0
[   58.216164]  ? fbcon_set_palette+0x227/0x610
[   58.216173]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   58.216181]  ? fbcon_redraw.isra.0+0x490/0x490
[   58.216191]  redraw_screen+0x602/0x8e0
[   58.216200]  ? down+0x70/0x90
[   58.216212]  ? con_flush_chars+0xa0/0xa0
[   58.216223]  ? __down+0x181/0x2c0
[   58.216237]  fbcon_do_set_font+0x73a/0xa40
[   58.216251]  fbcon_copy_font+0x12c/0x190
[   58.216262]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   58.216273]  ? fbcon_do_set_font+0xa40/0xa40
[   58.216284]  con_font_op+0x69a/0x1250
[   58.216298]  ? con_write+0xd0/0xd0
[   58.216315]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   58.216328]  ? _copy_from_user+0xdd/0x150
[   58.216341]  vt_ioctl+0x1784/0x2530
[   58.216355]  ? complete_change_console+0x3a0/0x3a0
[   58.216370]  ? avc_has_extended_perms+0xa78/0x10f0
[   58.216389]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   58.216404]  ? tty_jobctrl_ioctl+0x50/0xcd0
[   58.216417]  ? complete_change_console+0x3a0/0x3a0
[   58.216428]  tty_ioctl+0x7f3/0x1510
[   58.216440]  ? tty_vhangup+0x30/0x30
[   58.216453]  ? mark_held_locks+0x100/0x100
[   58.216468]  ? __fget+0x340/0x540
[   58.216483]  ? __might_sleep+0x95/0x190
[   58.216494]  ? tty_vhangup+0x30/0x30
[   58.216507]  do_vfs_ioctl+0xd5f/0x1380
[   58.216521]  ? selinux_file_ioctl+0x46f/0x5e0
[   58.216536]  ? selinux_file_ioctl+0x125/0x5e0
[   58.216555]  ? ioctl_preallocate+0x210/0x210
[   58.216571]  ? selinux_file_mprotect+0x620/0x620
[   58.216585]  ? iterate_fd+0x360/0x360
[   58.216598]  ? calculate_sigpending+0x87/0xa0
[   58.216611]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   58.216624]  ? security_file_ioctl+0x8d/0xc0
[   58.216637]  ksys_ioctl+0xab/0xd0
[   58.216649]  __x64_sys_ioctl+0x73/0xb0
[   58.216663]  do_syscall_64+0xfd/0x620
[   58.216676]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   58.216686] RIP: 0033:0x447839
[   58.216698] Code: e8 3c e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   58.216707] RSP: 002b:00007f3ec94e4d08 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   58.216728] RAX: ffffffffffffffda RBX: 00000000006ddc88 RCX: 0000000000447839
[   58.216738] RDX: 0000000020000180 RSI: 0000000000004b72 RDI: 0000000000000003
[   58.216747] RBP: 00000000006ddc80 R08: 00007f3ec94e5700 R09: 0000000000000000
[   58.216756] R10: 00007f3ec94e5700 R11: 0000000000000246 R12: 00000000006ddc8c
[   58.216769] R13: 0000000000000000 R14: 00000000f72a8fce R15: 0000000000000001
[   58.218751] Kernel Offset: disabled