[   91.072468][   T27] audit: type=1800 audit(1583448956.916:36): pid=10394 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[   91.851218][   T27] audit: type=1400 audit(1583448957.766:37): avc:  denied  { watch } for  pid=10482 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.254' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   99.717397][   T27] kauditd_printk_skb: 4 callbacks suppressed
[   99.717412][   T27] audit: type=1400 audit(1583448965.636:42): avc:  denied  { map } for  pid=10582 comm="syz-executor166" path="/root/syz-executor166736520" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   99.810701][T10582] ==================================================================
[   99.810743][T10582] BUG: KASAN: slab-out-of-bounds in soft_cursor+0x439/0xa30
[   99.810750][T10582] Read of size 64 at addr ffff88809e115950 by task syz-executor166/10582
[   99.810753][T10582]
[   99.810763][T10582] CPU: 0 PID: 10582 Comm: syz-executor166 Not tainted 5.6.0-rc3-syzkaller #0
[   99.810768][T10582] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   99.810771][T10582] Call Trace:
[   99.810785][T10582]  dump_stack+0x197/0x210
[   99.810793][T10582]  ? soft_cursor+0x439/0xa30
[   99.810809][T10582]  print_address_description.constprop.0.cold+0xd4/0x30b
[   99.810815][T10582]  ? soft_cursor+0x439/0xa30
[   99.810822][T10582]  ? soft_cursor+0x439/0xa30
[   99.810832][T10582]  __kasan_report.cold+0x1b/0x32
[   99.810842][T10582]  ? soft_cursor+0x439/0xa30
[   99.810853][T10582]  kasan_report+0x12/0x20
[   99.810863][T10582]  check_memory_region+0x134/0x1a0
[   99.810873][T10582]  memcpy+0x24/0x50
[   99.810883][T10582]  soft_cursor+0x439/0xa30
[   99.810893][T10582]  ? lockdep_hardirqs_on+0x421/0x5e0
[   99.810911][T10582]  bit_cursor+0x12fc/0x1a60
[   99.810928][T10582]  ? bit_clear+0x530/0x530
[   99.810941][T10582]  ? find_held_lock+0x35/0x130
[   99.810964][T10582]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   99.810976][T10582]  ? get_color+0x225/0x430
[   99.810990][T10582]  fbcon_cursor+0x487/0x660
[   99.811002][T10582]  ? bit_clear+0x530/0x530
[   99.811016][T10582]  hide_cursor+0x9d/0x2b0
[   99.811028][T10582]  redraw_screen+0x60b/0x7d0
[   99.811039][T10582]  ? respond_string+0x2c0/0x2c0
[   99.811057][T10582]  vc_do_resize+0x10c9/0x1460
[   99.811070][T10582]  ? down+0x50/0x90
[   99.811096][T10582]  ? vc_uniscr_alloc+0xd0/0xd0
[   99.811106][T10582]  ? lock_acquire+0x190/0x410
[   99.811115][T10582]  ? vt_ioctl+0x1f56/0x26c0
[   99.811130][T10582]  vc_resize+0x4d/0x60
[   99.811140][T10582]  vt_ioctl+0x207b/0x26c0
[   99.811151][T10582]  ? complete_change_console+0x3a0/0x3a0
[   99.811173][T10582]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   99.811182][T10582]  ? tty_jobctrl_ioctl+0x50/0xd40
[   99.811191][T10582]  ? complete_change_console+0x3a0/0x3a0
[   99.811202][T10582]  tty_ioctl+0xa37/0x14f0
[   99.811213][T10582]  ? tty_vhangup+0x30/0x30
[   99.811221][T10582]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   99.811232][T10582]  ? do_vfs_ioctl+0x568/0x13b0
[   99.811245][T10582]  ? ioctl_file_clone+0x180/0x180
[   99.811255][T10582]  ? selinux_file_mprotect+0x620/0x620
[   99.811263][T10582]  ? file_open_root+0x430/0x430
[   99.811278][T10582]  ? rcu_lockdep_current_cpu_online+0xe3/0x130
[   99.811299][T10582]  ? tomoyo_file_ioctl+0x23/0x30
[   99.811308][T10582]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   99.811319][T10582]  ? security_file_ioctl+0x8d/0xc0
[   99.811326][T10582]  ? tty_vhangup+0x30/0x30
[   99.811337][T10582]  ksys_ioctl+0x123/0x180
[   99.811350][T10582]  __x64_sys_ioctl+0x73/0xb0
[   99.811362][T10582]  do_syscall_64+0xfa/0x790
[   99.811375][T10582]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   99.811382][T10582] RIP: 0033:0x440269
[   99.811392][T10582] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   99.811396][T10582] RSP: 002b:00007ffc94be72d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   99.811404][T10582] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440269
[   99.811409][T10582] RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000004
[   99.811413][T10582] RBP: 00000000006cb018 R08: 0000000000000001 R09: 00000000004002c8
[   99.811418][T10582] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000401b50
[   99.811422][T10582] R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000
[   99.811440][T10582]
[   99.811449][T10582] Allocated by task 10582:
[   99.811457][T10582]  save_stack+0x23/0x90
[   99.811465][T10582]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   99.811472][T10582]  kasan_kmalloc+0x9/0x10
[   99.811482][T10582]  __kmalloc+0x163/0x770
[   99.811490][T10582]  fbcon_set_font+0x32d/0x860
[   99.811497][T10582]  con_font_op+0xe30/0x1270
[   99.811504][T10582]  vt_ioctl+0x181a/0x26c0
[   99.811510][T10582]  tty_ioctl+0xa37/0x14f0
[   99.811517][T10582]  ksys_ioctl+0x123/0x180
[   99.811526][T10582]  __x64_sys_ioctl+0x73/0xb0
[   99.811534][T10582]  do_syscall_64+0xfa/0x790
[   99.811542][T10582]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   99.811544][T10582]
[   99.811547][T10582] Freed by task 10359:
[   99.811554][T10582]  save_stack+0x23/0x90
[   99.811561][T10582]  __kasan_slab_free+0x102/0x150
[   99.811568][T10582]  kasan_slab_free+0xe/0x10
[   99.811574][T10582]  kfree+0x10a/0x2c0
[   99.811582][T10582]  tomoyo_init_log+0x15b5/0x2070
[   99.811590][T10582]  tomoyo_supervisor+0x32c/0xee0
[   99.811596][T10582]  tomoyo_env_perm+0x18e/0x210
[   99.811603][T10582]  tomoyo_find_next_domain+0x1354/0x1f6c
[   99.811610][T10582]  tomoyo_bprm_check_security+0x124/0x1a0
[   99.811617][T10582]  security_bprm_check+0x63/0xb0
[   99.811631][T10582]  search_binary_handler+0x71/0x570
[   99.811639][T10582]  __do_execve_file.isra.0+0x12fc/0x2270
[   99.811646][T10582]  __x64_sys_execve+0x8f/0xc0
[   99.811654][T10582]  do_syscall_64+0xfa/0x790
[   99.811661][T10582]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   99.811664][T10582]
[   99.811670][T10582] The buggy address belongs to the object at ffff88809e114000
[   99.811670][T10582]  which belongs to the cache kmalloc-8k of size 8192
[   99.811677][T10582] The buggy address is located 6480 bytes inside of
[   99.811677][T10582]  8192-byte region [ffff88809e114000, ffff88809e116000)
[   99.811679][T10582] The buggy address belongs to the page:
[   99.811689][T10582] page:ffffea0002784500 refcount:1 mapcount:0 mapping:ffff8880aa4021c0 index:0x0 compound_mapcount: 0
[   99.811695][T10582] flags: 0xfffe0000010200(slab|head)
[   99.811707][T10582] raw: 00fffe0000010200 ffffea000260a408 ffffea00021adf08 ffff8880aa4021c0
[   99.811715][T10582] raw: 0000000000000000 ffff88809e114000 0000000100000001 0000000000000000
[   99.811719][T10582] page dumped because: kasan: bad access detected
[   99.811721][T10582]
[   99.811724][T10582] Memory state around the buggy address:
[   99.811730][T10582]  ffff88809e115800: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   99.811736][T10582]  ffff88809e115880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   99.811742][T10582] >ffff88809e115900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   99.811745][T10582]                                                 ^
[   99.811751][T10582]  ffff88809e115980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   99.811757][T10582]  ffff88809e115a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   99.811760][T10582] ==================================================================
[   99.811763][T10582] Disabling lock debugging due to kernel taint
[   99.811768][T10582] Kernel panic - not syncing: panic_on_warn set ...
[   99.811776][T10582] CPU: 0 PID: 10582 Comm: syz-executor166 Tainted: G    B             5.6.0-rc3-syzkaller #0
[   99.811780][T10582] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   99.811782][T10582] Call Trace:
[   99.811790][T10582]  dump_stack+0x197/0x210
[   99.811800][T10582]  panic+0x2e3/0x75c
[   99.811808][T10582]  ? add_taint.cold+0x16/0x16
[   99.811821][T10582]  ? trace_hardirqs_on+0x67/0x240
[   99.811828][T10582]  ? trace_hardirqs_on+0x5e/0x240
[   99.811843][T10582]  ? soft_cursor+0x439/0xa30
[   99.811851][T10582]  end_report+0x47/0x4f
[   99.811857][T10582]  ? soft_cursor+0x439/0xa30
[   99.811864][T10582]  __kasan_report.cold+0xe/0x32
[   99.811872][T10582]  ? soft_cursor+0x439/0xa30
[   99.811880][T10582]  kasan_report+0x12/0x20
[   99.811889][T10582]  check_memory_region+0x134/0x1a0
[   99.811896][T10582]  memcpy+0x24/0x50
[   99.811903][T10582]  soft_cursor+0x439/0xa30
[   99.811910][T10582]  ? lockdep_hardirqs_on+0x421/0x5e0
[   99.811922][T10582]  bit_cursor+0x12fc/0x1a60
[   99.811932][T10582]  ? bit_clear+0x530/0x530
[   99.811939][T10582]  ? find_held_lock+0x35/0x130
[   99.811951][T10582]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   99.811959][T10582]  ? get_color+0x225/0x430
[   99.811969][T10582]  fbcon_cursor+0x487/0x660
[   99.811975][T10582]  ? bit_clear+0x530/0x530
[   99.811983][T10582]  hide_cursor+0x9d/0x2b0
[   99.811991][T10582]  redraw_screen+0x60b/0x7d0
[   99.812000][T10582]  ? respond_string+0x2c0/0x2c0
[   99.812011][T10582]  vc_do_resize+0x10c9/0x1460
[   99.812018][T10582]  ? down+0x50/0x90
[   99.812032][T10582]  ? vc_uniscr_alloc+0xd0/0xd0
[   99.812040][T10582]  ? lock_acquire+0x190/0x410
[   99.812047][T10582]  ? vt_ioctl+0x1f56/0x26c0
[   99.812057][T10582]  vc_resize+0x4d/0x60
[   99.812065][T10582]  vt_ioctl+0x207b/0x26c0
[   99.812074][T10582]  ? complete_change_console+0x3a0/0x3a0
[   99.812087][T10582]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   99.812094][T10582]  ? tty_jobctrl_ioctl+0x50/0xd40
[   99.812102][T10582]  ? complete_change_console+0x3a0/0x3a0
[   99.812110][T10582]  tty_ioctl+0xa37/0x14f0
[   99.812118][T10582]  ? tty_vhangup+0x30/0x30
[   99.812125][T10582]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   99.812133][T10582]  ? do_vfs_ioctl+0x568/0x13b0
[   99.812142][T10582]  ? ioctl_file_clone+0x180/0x180
[   99.812149][T10582]  ? selinux_file_mprotect+0x620/0x620
[   99.812156][T10582]  ? file_open_root+0x430/0x430
[   99.812165][T10582]  ? rcu_lockdep_current_cpu_online+0xe3/0x130
[   99.812178][T10582]  ? tomoyo_file_ioctl+0x23/0x30
[   99.812189][T10582]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   99.812197][T10582]  ? security_file_ioctl+0x8d/0xc0
[   99.812203][T10582]  ? tty_vhangup+0x30/0x30
[   99.812212][T10582]  ksys_ioctl+0x123/0x180
[   99.812221][T10582]  __x64_sys_ioctl+0x73/0xb0
[   99.812229][T10582]  do_syscall_64+0xfa/0x790
[   99.812239][T10582]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   99.812244][T10582] RIP: 0033:0x440269
[   99.812251][T10582] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   99.812255][T10582] RSP: 002b:00007ffc94be72d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   99.812261][T10582] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440269
[   99.812265][T10582] RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000004
[   99.812269][T10582] RBP: 00000000006cb018 R08: 0000000000000001 R09: 00000000004002c8
[   99.812273][T10582] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000401b50
[   99.812277][T10582] R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000
[   99.813800][T10582] Kernel Offset: disabled
[  100.823671][T10582] Rebooting in 86400 seconds..