[ 50.768328] audit: type=1800 audit(1584876658.529:30): pid=8251 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 55.533582] kauditd_printk_skb: 4 callbacks suppressed
[ 55.533595] audit: type=1400 audit(1584876663.329:35): avc: denied { map } for pid=8422 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.10.58' (ECDSA) to the list of known hosts.
[ 62.582621] audit: type=1400 audit(1584876670.379:36): avc: denied { map } for pid=8434 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/22 11:31:10 parsed 1 programs
[ 63.906313] audit: type=1400 audit(1584876671.699:37): avc: denied { map } for pid=8434 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=3741 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2020/03/22 11:31:11 executed programs: 0
[ 64.108512] IPVS: ftp: loaded support on port[0] = 21
[ 64.174827] chnl_net:caif_netlink_parms(): no params data found
[ 64.229849] bridge0: port 1(bridge_slave_0) entered blocking state
[ 64.236356] bridge0: port 1(bridge_slave_0) entered disabled state
[ 64.243930] device bridge_slave_0 entered promiscuous mode
[ 64.251547] bridge0: port 2(bridge_slave_1) entered blocking state
[ 64.258052] bridge0: port 2(bridge_slave_1) entered disabled state
[ 64.265207] device bridge_slave_1 entered promiscuous mode
[ 64.281838] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 64.290886] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 64.308261] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 64.315909] team0: Port device team_slave_0 added
[ 64.321907] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 64.329462] team0: Port device team_slave_1 added
[ 64.345528] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 64.351955] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 64.377343] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 64.389185] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 64.395410] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 64.420700] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 64.431677] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 64.439145] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 64.499116] device hsr_slave_0 entered promiscuous mode
[ 64.567525] device hsr_slave_1 entered promiscuous mode
[ 64.637800] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 64.644884] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 64.700318] audit: type=1400 audit(1584876672.499:38): avc: denied { create } for pid=8452 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 64.723847] bridge0: port 2(bridge_slave_1) entered blocking state
[ 64.725214] audit: type=1400 audit(1584876672.499:39): avc: denied { write } for pid=8452 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 64.730677] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 64.755367] audit: type=1400 audit(1584876672.499:40): avc: denied { read } for pid=8452 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 64.761353] bridge0: port 1(bridge_slave_0) entered blocking state
[ 64.791057] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 64.828597] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 64.834658] 8021q: adding VLAN 0 to HW filter on device bond0
[ 64.845363] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 64.854575] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 64.873509] bridge0: port 1(bridge_slave_0) entered disabled state
[ 64.880937] bridge0: port 2(bridge_slave_1) entered disabled state
[ 64.889583] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 64.900430] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 64.906531] 8021q: adding VLAN 0 to HW filter on device team0
[ 64.916171] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 64.924213] bridge0: port 1(bridge_slave_0) entered blocking state
[ 64.930599] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 64.941437] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 64.949490] bridge0: port 2(bridge_slave_1) entered blocking state
[ 64.955831] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 64.978991] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 64.986890] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 64.995857] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 65.003954] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 65.013380] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 65.023739] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 65.029936] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 65.044415] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 65.052834] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 65.059950] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 65.071401] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 65.085117] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 65.095468] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 65.136237] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 65.143498] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 65.150412] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 65.162436] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 65.170258] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 65.177272] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 65.186980] device veth0_vlan entered promiscuous mode
[ 65.197400] device veth1_vlan entered promiscuous mode
[ 65.214687] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 65.224433] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 65.232035] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 65.240075] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 65.251398] device veth0_macvtap entered promiscuous mode
[ 65.257911] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 65.266132] device veth1_macvtap entered promiscuous mode
[ 65.272729] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 65.281641] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 65.291542] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 65.301193] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 65.308503] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 65.315163] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 65.322883] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 65.330307] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 65.339104] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 65.350288] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 65.357245] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 65.363781] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 65.371736] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 65.492976] audit: type=1400 audit(1584876673.289:41): avc: denied { associate } for pid=8452 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 65.556907] ==================================================================
[ 65.556935] BUG: KASAN: global-out-of-bounds in fb_pad_aligned_buffer+0x137/0x150
[ 65.556941] Read of size 1 at addr ffffffff87ad63e0 by task syz-executor.0/8489
[ 65.556943]
[ 65.556951] CPU: 1 PID: 8489 Comm: syz-executor.0 Not tainted 4.19.112-syzkaller #0
[ 65.556955] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.556958] Call Trace:
[ 65.556968]  dump_stack+0x188/0x20d
[ 65.556976]  ? fb_pad_aligned_buffer+0x137/0x150
[ 65.556985]  print_address_description.cold+0x5/0x212
[ 65.556993]  ? fb_pad_aligned_buffer+0x137/0x150
[ 65.556999]  kasan_report.cold+0x88/0x2b9
[ 65.557008]  fb_pad_aligned_buffer+0x137/0x150
[ 65.557019]  bit_putcs+0xc21/0xe10
[ 65.557063]  ? bit_cursor+0x1900/0x1900
[ 65.557077]  ? vesafb_probe.cold+0x1082/0x1082
[ 65.557093]  ? fb_get_color_depth.part.0+0xc6/0x1f0
[ 65.557109]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 65.557126]  fbcon_putcs+0x434/0x4f0
[ 65.557142]  ? bit_cursor+0x1900/0x1900
[ 65.557159]  do_update_region+0x398/0x630
[ 65.557179]  ? con_get_trans_old+0x280/0x280
[ 65.557197]  ? fbcon_set_palette+0x4c6/0x5e0
[ 65.557211]  ? fbcon_redraw.isra.0+0x4c0/0x4c0
[ 65.557228]  redraw_screen+0x5e1/0x870
[ 65.557243]  ? con_flush_chars+0x90/0x90
[ 65.557258]  ? console_lock+0x25/0x80
[ 65.557279]  fbcon_do_set_font+0x727/0xa30
[ 65.557299]  ? fbcon_do_set_font+0xa30/0xa30
[ 65.557319]  fbcon_copy_font+0x125/0x190
[ 65.557335]  con_font_op+0x63f/0x1130
[ 65.557353]  ? con_write+0xe0/0xe0
[ 65.557366]  ? lock_downgrade+0x740/0x740
[ 65.557390]  ? __might_fault+0x192/0x1d0
[ 65.557409]  vt_ioctl+0x1615/0x2310
[ 65.557426]  ? complete_change_console+0x390/0x390
[ 65.557439]  ? avc_has_extended_perms+0x9c6/0x1030
[ 65.557460]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 65.557469]  ? complete_change_console+0x390/0x390
[ 65.557478]  tty_ioctl+0x7a1/0x1420
[ 65.557485]  ? tty_vhangup+0x30/0x30
[ 65.557493]  ? mark_held_locks+0xf0/0xf0
[ 65.557502]  ? mark_held_locks+0xf0/0xf0
[ 65.557508]  ? find_held_lock+0x2d/0x110
[ 65.557517]  ? debug_check_no_obj_freed+0x20a/0x42e
[ 65.557529]  ? tty_vhangup+0x30/0x30
[ 65.557537]  do_vfs_ioctl+0xcda/0x12e0
[ 65.557546]  ? selinux_file_ioctl+0x46c/0x5d0
[ 65.557553]  ? selinux_file_ioctl+0x125/0x5d0
[ 65.557560]  ? check_preemption_disabled+0x41/0x280
[ 65.557567]  ? ioctl_preallocate+0x200/0x200
[ 65.557574]  ? selinux_file_mprotect+0x600/0x600
[ 65.557583]  ? __fget+0x340/0x510
[ 65.557592]  ? iterate_fd+0x350/0x350
[ 65.557603]  ? security_file_ioctl+0x6c/0xb0
[ 65.557611]  ksys_ioctl+0x9b/0xc0
[ 65.557619]  __x64_sys_ioctl+0x6f/0xb0
[ 65.557625]  ? lockdep_hardirqs_on+0x40b/0x5d0
[ 65.557634]  do_syscall_64+0xf9/0x620
[ 65.557643]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 65.557649] RIP: 0033:0x45c849
[ 65.557657] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 65.557661] RSP: 002b:00007fafd6cb6c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 65.557668] RAX: ffffffffffffffda RBX: 00007fafd6cb76d4 RCX: 000000000045c849
[ 65.557672] RDX: 0000000020000080 RSI: 0000000000004b72 RDI: 0000000000000003
[ 65.557676] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 65.557680] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 65.557684] R13: 000000000000036c R14: 00000000004c5dd7 R15: 000000000076bf0c
[ 65.557693]
[ 65.557695] The buggy address belongs to the variable:
[ 65.557703]  fontdata_8x16+0x1000/0x1120
[ 65.557704]
[ 65.557707] Memory state around the buggy address:
[ 65.557713]  ffffffff87ad6280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 65.557718]  ffffffff87ad6300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 65.557723] >ffffffff87ad6380: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
[ 65.557726]                                                        ^
[ 65.557731]  ffffffff87ad6400: 06 fa fa fa fa fa fa fa 05 fa fa fa fa fa fa fa
[ 65.557736]  ffffffff87ad6480: 06 fa fa fa fa fa fa fa 00 00 03 fa fa fa fa fa
[ 65.557739] ==================================================================
[ 65.557741] Disabling lock debugging due to kernel taint
[ 65.557841] Kernel panic - not syncing: panic_on_warn set ...
[ 65.557841]
[ 65.557858] CPU: 1 PID: 8489 Comm: syz-executor.0 Tainted: G B 4.19.112-syzkaller #0
[ 65.557870] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.557878] Call Trace:
[ 65.557895]  dump_stack+0x188/0x20d
[ 65.557912]  panic+0x26a/0x50e
[ 65.557929]  ? __warn_printk+0xf3/0xf3
[ 65.557947]  ? preempt_schedule_common+0x4a/0xc0
[ 65.557963]  ? fb_pad_aligned_buffer+0x137/0x150
[ 65.557980]  ? ___preempt_schedule+0x16/0x18
[ 65.557997]  ? trace_hardirqs_on+0x55/0x210
[ 65.558012]  ? fb_pad_aligned_buffer+0x137/0x150
[ 65.558029]  kasan_end_report+0x43/0x49
[ 65.558045]  kasan_report.cold+0xa4/0x2b9
[ 65.558061]  fb_pad_aligned_buffer+0x137/0x150
[ 65.558077]  bit_putcs+0xc21/0xe10
[ 65.558101]  ? bit_cursor+0x1900/0x1900
[ 65.558117]  ? vesafb_probe.cold+0x1082/0x1082
[ 65.558133]  ? fb_get_color_depth.part.0+0xc6/0x1f0
[ 65.558149]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 65.558165]  fbcon_putcs+0x434/0x4f0
[ 65.558182]  ? bit_cursor+0x1900/0x1900
[ 65.558198]  do_update_region+0x398/0x630
[ 65.558214]  ? con_get_trans_old+0x280/0x280
[ 65.558230]  ? fbcon_set_palette+0x4c6/0x5e0
[ 65.558247]  ? fbcon_redraw.isra.0+0x4c0/0x4c0
[ 65.558263]  redraw_screen+0x5e1/0x870
[ 65.558279]  ? con_flush_chars+0x90/0x90
[ 65.558296]  ? console_lock+0x25/0x80
[ 65.558331]  fbcon_do_set_font+0x727/0xa30
[ 65.558348]  ? fbcon_do_set_font+0xa30/0xa30
[ 65.558365]  fbcon_copy_font+0x125/0x190
[ 65.558381]  con_font_op+0x63f/0x1130
[ 65.558397]  ? con_write+0xe0/0xe0
[ 65.558413]  ? lock_downgrade+0x740/0x740
[ 65.558431]  ? __might_fault+0x192/0x1d0
[ 65.558447]  vt_ioctl+0x1615/0x2310
[ 65.558464]  ? complete_change_console+0x390/0x390
[ 65.558481]  ? avc_has_extended_perms+0x9c6/0x1030
[ 65.558504]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 65.558521]  ? complete_change_console+0x390/0x390
[ 65.558536]  tty_ioctl+0x7a1/0x1420
[ 65.558552]  ? tty_vhangup+0x30/0x30
[ 65.558568]  ? mark_held_locks+0xf0/0xf0
[ 65.558584]  ? mark_held_locks+0xf0/0xf0
[ 65.558600]  ? find_held_lock+0x2d/0x110
[ 65.558618]  ? debug_check_no_obj_freed+0x20a/0x42e
[ 65.558634]  ? tty_vhangup+0x30/0x30
[ 65.558649]  do_vfs_ioctl+0xcda/0x12e0
[ 65.558666]  ? selinux_file_ioctl+0x46c/0x5d0
[ 65.558684]  ? selinux_file_ioctl+0x125/0x5d0
[ 65.558701]  ? check_preemption_disabled+0x41/0x280
[ 65.558717]  ? ioctl_preallocate+0x200/0x200
[ 65.558735]  ? selinux_file_mprotect+0x600/0x600
[ 65.558750]  ? __fget+0x340/0x510
[ 65.558766]  ? iterate_fd+0x350/0x350
[ 65.558782]  ? security_file_ioctl+0x6c/0xb0
[ 65.558797]  ksys_ioctl+0x9b/0xc0
[ 65.558821]  __x64_sys_ioctl+0x6f/0xb0
[ 65.558839]  ? lockdep_hardirqs_on+0x40b/0x5d0
[ 65.558855]  do_syscall_64+0xf9/0x620
[ 65.558872]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 65.558887] RIP: 0033:0x45c849
[ 65.558902] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 65.558914] RSP: 002b:00007fafd6cb6c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 65.558936] RAX: ffffffffffffffda RBX: 00007fafd6cb76d4 RCX: 000000000045c849
[ 65.558942] RDX: 0000000020000080 RSI: 0000000000004b72 RDI: 0000000000000003
[ 65.558947] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 65.558953] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 65.558958] R13: 000000000000036c R14: 00000000004c5dd7 R15: 000000000076bf0c
[ 65.559962] Kernel Offset: disabled
[ 66.309849] Rebooting in 86400 seconds..