[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.11' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[   59.736075][ T6860] ==================================================================
[   59.736136][ T6860] BUG: KASAN: use-after-free in bit_putcs+0xbb6/0xd20
[   59.736149][ T6860] Read of size 1 at addr ffff88809df498fe by task syz-executor859/6860
[   59.736153][ T6860]
[   59.736169][ T6860] CPU: 1 PID: 6860 Comm: syz-executor859 Not tainted 5.9.0-rc6-syzkaller #0
[   59.736177][ T6860] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   59.736183][ T6860] Call Trace:
[   59.736202][ T6860]  dump_stack+0x198/0x1fd
[   59.736221][ T6860]  ? bit_putcs+0xbb6/0xd20
[   59.736234][ T6860]  ? bit_putcs+0xbb6/0xd20
[   59.736253][ T6860]  print_address_description.constprop.0.cold+0xae/0x497
[   59.736272][ T6860]  ? bit_putcs+0xbb6/0xd20
[   59.736288][ T6860]  ? lockdep_hardirqs_off+0x96/0xd0
[   59.736305][ T6860]  ? vprintk_func+0x95/0x1d4
[   59.736324][ T6860]  ? bit_putcs+0xbb6/0xd20
[   59.736338][ T6860]  ? bit_putcs+0xbb6/0xd20
[   59.736351][ T6860]  kasan_report.cold+0x1f/0x37
[   59.736371][ T6860]  ? bit_putcs+0xbb6/0xd20
[   59.736390][ T6860]  bit_putcs+0xbb6/0xd20
[   59.736430][ T6860]  ? bit_cursor+0x1720/0x1720
[   59.736446][ T6860]  ? find_held_lock+0x2d/0x110
[   59.736467][ T6860]  ? __atomic_notifier_call_chain+0x91/0x180
[   59.736488][ T6860]  ? lock_downgrade+0x830/0x830
[   59.736501][ T6860]  ? fb_get_color_depth+0x11a/0x240
[   59.736518][ T6860]  ? __sanitizer_cov_trace_switch+0x45/0x70
[   59.736539][ T6860]  ? bit_cursor+0x1720/0x1720
[   59.736553][ T6860]  fbcon_putcs+0x35a/0x450
[   59.736574][ T6860]  ? fb_flashcursor+0x430/0x430
[   59.736593][ T6860]  do_con_write+0xb6b/0x1dd0
[   59.736632][ T6860]  ? do_con_trol+0x54c0/0x54c0
[   59.736661][ T6860]  ? _raw_spin_unlock_irqrestore+0x6f/0x90
[   59.736682][ T6860]  con_write+0x22/0xb0
[   59.736700][ T6860]  n_tty_write+0x3ce/0xf80
[   59.736739][ T6860]  ? n_tty_receive_char_lnext+0x700/0x700
[   59.736759][ T6860]  ? __init_waitqueue_head+0x110/0x110
[   59.736779][ T6860]  ? __might_fault+0x190/0x1d0
[   59.736802][ T6860]  tty_write+0x4d9/0x870
[   59.736818][ T6860]  ? n_tty_receive_char_lnext+0x700/0x700
[   59.736842][ T6860]  ? tty_read+0x290/0x290
[   59.736858][ T6860]  vfs_write+0x2b0/0x730
[   59.736881][ T6860]  ksys_write+0x12d/0x250
[   59.736896][ T6860]  ? __ia32_sys_read+0xb0/0xb0
[   59.736913][ T6860]  ? check_preemption_disabled+0x50/0x130
[   59.736926][ T6860]  ? syscall_enter_from_user_mode+0x1d/0x60
[   59.736940][ T6860]  do_syscall_64+0x2d/0x70
[   59.736954][ T6860]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   59.736962][ T6860] RIP: 0033:0x4403c9
[   59.736972][ T6860] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   59.736978][ T6860] RSP: 002b:00007ffd97e140c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   59.736987][ T6860] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403c9
[   59.736994][ T6860] RDX: 0000000000001006 RSI: 0000000020000180 RDI: 0000000000000006
[   59.736999][ T6860] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
[   59.737005][ T6860] R10: 000000000000000d R11: 0000000000000246 R12: 0000000000401c30
[   59.737011][ T6860] R13: 0000000000401cc0 R14: 0000000000000000 R15: 0000000000000000
[   59.737025][ T6860]
[   59.737029][ T6860] Allocated by task 6860:
[   59.737038][ T6860]  kasan_save_stack+0x1b/0x40
[   59.737046][ T6860]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   59.737053][ T6860]  __kmalloc+0x1b0/0x360
[   59.737062][ T6860]  tomoyo_init_log+0x1376/0x1ee0
[   59.737070][ T6860]  tomoyo_supervisor+0x34d/0xef0
[   59.737078][ T6860]  tomoyo_env_perm+0x17f/0x1f0
[   59.737087][ T6860]  tomoyo_find_next_domain+0x1438/0x1f77
[   59.737095][ T6860]  tomoyo_bprm_check_security+0x121/0x1a0
[   59.737105][ T6860]  security_bprm_check+0x45/0xa0
[   59.737113][ T6860]  bprm_execve+0x879/0x1b10
[   59.737121][ T6860]  do_execveat_common+0x626/0x7c0
[   59.737128][ T6860]  __x64_sys_execve+0x8f/0xc0
[   59.737136][ T6860]  do_syscall_64+0x2d/0x70
[   59.737144][ T6860]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   59.737146][ T6860]
[   59.737150][ T6860] Freed by task 6860:
[   59.737158][ T6860]  kasan_save_stack+0x1b/0x40
[   59.737165][ T6860]  kasan_set_track+0x1c/0x30
[   59.737172][ T6860]  kasan_set_free_info+0x1b/0x30
[   59.737180][ T6860]  __kasan_slab_free+0xd8/0x120
[   59.737186][ T6860]  kfree+0x10e/0x2b0
[   59.737194][ T6860]  tomoyo_supervisor+0x36e/0xef0
[   59.737202][ T6860]  tomoyo_env_perm+0x17f/0x1f0
[   59.737210][ T6860]  tomoyo_find_next_domain+0x1438/0x1f77
[   59.737218][ T6860]  tomoyo_bprm_check_security+0x121/0x1a0
[   59.737226][ T6860]  security_bprm_check+0x45/0xa0
[   59.737233][ T6860]  bprm_execve+0x879/0x1b10
[   59.737241][ T6860]  do_execveat_common+0x626/0x7c0
[   59.737249][ T6860]  __x64_sys_execve+0x8f/0xc0
[   59.737256][ T6860]  do_syscall_64+0x2d/0x70
[   59.737264][ T6860]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   59.737267][ T6860]
[   59.737273][ T6860] The buggy address belongs to the object at ffff88809df49800
[   59.737273][ T6860]  which belongs to the cache kmalloc-1k of size 1024
[   59.737281][ T6860] The buggy address is located 254 bytes inside of
[   59.737281][ T6860]  1024-byte region [ffff88809df49800, ffff88809df49c00)
[   59.737284][ T6860] The buggy address belongs to the page:
[   59.737295][ T6860] page:000000001b295380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9df49
[   59.737302][ T6860] flags: 0xfffe0000000200(slab)
[   59.737314][ T6860] raw: 00fffe0000000200 ffffea00027dc7c8 ffff8880aa041850 ffff8880aa040700
[   59.737323][ T6860] raw: 0000000000000000 ffff88809df49000 0000000100000002 0000000000000000
[   59.737327][ T6860] page dumped because: kasan: bad access detected
[   59.737330][ T6860]
[   59.737332][ T6860] Memory state around the buggy address:
[   59.737339][ T6860]  ffff88809df49780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   59.737346][ T6860]  ffff88809df49800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.737353][ T6860] >ffff88809df49880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.737357][ T6860]                                                                ^
[   59.737363][ T6860]  ffff88809df49900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.737370][ T6860]  ffff88809df49980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.737373][ T6860] ==================================================================
[   59.737377][ T6860] Disabling lock debugging due to kernel taint
[   59.737381][ T6860] Kernel panic - not syncing: panic_on_warn set ...
[   59.737389][ T6860] CPU: 1 PID: 6860 Comm: syz-executor859 Tainted: G    B             5.9.0-rc6-syzkaller #0
[   59.737392][ T6860] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   59.737394][ T6860] Call Trace:
[   59.737402][ T6860]  dump_stack+0x198/0x1fd
[   59.737409][ T6860]  ? bit_putcs+0xb00/0xd20
[   59.737416][ T6860]  panic+0x382/0x7fb
[   59.737424][ T6860]  ? __warn_printk+0xf3/0xf3
[   59.737433][ T6860]  ? trace_hardirqs_on+0x55/0x220
[   59.737440][ T6860]  ? bit_putcs+0xbb6/0xd20
[   59.737447][ T6860]  ? bit_putcs+0xbb6/0xd20
[   59.737453][ T6860]  end_report+0x4d/0x53
[   59.737459][ T6860]  kasan_report.cold+0xd/0x37
[   59.737467][ T6860]  ? bit_putcs+0xbb6/0xd20
[   59.737474][ T6860]  bit_putcs+0xbb6/0xd20
[   59.737484][ T6860]  ? bit_cursor+0x1720/0x1720
[   59.737491][ T6860]  ? find_held_lock+0x2d/0x110
[   59.737499][ T6860]  ? __atomic_notifier_call_chain+0x91/0x180
[   59.737506][ T6860]  ? lock_downgrade+0x830/0x830
[   59.737512][ T6860]  ? fb_get_color_depth+0x11a/0x240
[   59.737519][ T6860]  ? __sanitizer_cov_trace_switch+0x45/0x70
[   59.737527][ T6860]  ? bit_cursor+0x1720/0x1720
[   59.737533][ T6860]  fbcon_putcs+0x35a/0x450
[   59.737540][ T6860]  ? fb_flashcursor+0x430/0x430
[   59.737547][ T6860]  do_con_write+0xb6b/0x1dd0
[   59.737557][ T6860]  ? do_con_trol+0x54c0/0x54c0
[   59.737565][ T6860]  ? _raw_spin_unlock_irqrestore+0x6f/0x90
[   59.737572][ T6860]  con_write+0x22/0xb0
[   59.737579][ T6860]  n_tty_write+0x3ce/0xf80
[   59.737589][ T6860]  ? n_tty_receive_char_lnext+0x700/0x700
[   59.737597][ T6860]  ? __init_waitqueue_head+0x110/0x110
[   59.737604][ T6860]  ? __might_fault+0x190/0x1d0
[   59.737611][ T6860]  tty_write+0x4d9/0x870
[   59.737618][ T6860]  ? n_tty_receive_char_lnext+0x700/0x700
[   59.737625][ T6860]  ? tty_read+0x290/0x290
[   59.737631][ T6860]  vfs_write+0x2b0/0x730
[   59.737639][ T6860]  ksys_write+0x12d/0x250
[   59.737646][ T6860]  ? __ia32_sys_read+0xb0/0xb0
[   59.737654][ T6860]  ? check_preemption_disabled+0x50/0x130
[   59.737661][ T6860]  ? syscall_enter_from_user_mode+0x1d/0x60
[   59.737669][ T6860]  do_syscall_64+0x2d/0x70
[   59.737675][ T6860]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   59.737680][ T6860] RIP: 0033:0x4403c9
[   59.737687][ T6860] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   59.737691][ T6860] RSP: 002b:00007ffd97e140c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   59.737697][ T6860] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403c9
[   59.737701][ T6860] RDX: 0000000000001006 RSI: 0000000020000180 RDI: 0000000000000006
[   59.737705][ T6860] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
[   59.737710][ T6860] R10: 000000000000000d R11: 0000000000000246 R12: 0000000000401c30
[   59.737714][ T6860] R13: 0000000000401cc0 R14: 0000000000000000 R15: 0000000000000000
[   59.739037][ T6860] Kernel Offset: disabled
[   60.634560][ T6860] Rebooting in 86400 seconds..