[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.50' (ECDSA) to the list of known hosts.
2020/07/04 06:31:11 parsed 1 programs
2020/07/04 06:31:11 executed programs: 0
syzkaller login: [ 52.696826][ T6832] IPVS: ftp: loaded support on port[0] = 21
[ 52.775412][ T6832] chnl_net:caif_netlink_parms(): no params data found
[ 52.820264][ T6832] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.828246][ T6832] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.836698][ T6832] device bridge_slave_0 entered promiscuous mode
[ 52.844743][ T6832] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.852191][ T6832] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.859866][ T6832] device bridge_slave_1 entered promiscuous mode
[ 52.878298][ T6832] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 52.888994][ T6832] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 52.909293][ T6832] team0: Port device team_slave_0 added
[ 52.916810][ T6832] team0: Port device team_slave_1 added
[ 52.932709][ T6832] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 52.939866][ T6832] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 52.965765][ T6832] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 52.977662][ T6832] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 52.984582][ T6832] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 53.010505][ T6832] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 53.089094][ T6832] device hsr_slave_0 entered promiscuous mode
[ 53.146474][ T6832] device hsr_slave_1 entered promiscuous mode
[ 53.260375][ T6832] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 53.318888][ T6832] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 53.358367][ T6832] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 53.398172][ T6832] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 53.451554][ T6832] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.458696][ T6832] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 53.466415][ T6832] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.473470][ T6832] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 53.512735][ T6832] 8021q: adding VLAN 0 to HW filter on device bond0
[ 53.526646][ T3651] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 53.535989][ T3651] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.543798][ T3651] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.551851][ T3651] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 53.564283][ T6832] 8021q: adding VLAN 0 to HW filter on device team0
[ 53.574597][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 53.583917][ T17] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.591011][ T17] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 53.602430][ T3651] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 53.611156][ T3651] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.618253][ T3651] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 53.637851][ T3652] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 53.646933][ T3652] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 53.661973][ T6832] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 53.672459][ T6832] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 53.686305][ T3651] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 53.694203][ T3651] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 53.703234][ T3651] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 53.712003][ T3651] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 53.729055][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 53.736612][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 53.750628][ T6832] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 53.767843][ T3651] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 53.778121][ T3651] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 53.795057][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 53.804141][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 53.814899][ T6832] device veth0_vlan entered promiscuous mode
[ 53.821519][ T2479] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 53.829695][ T2479] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 53.841813][ T6832] device veth1_vlan entered promiscuous mode
[ 53.862906][ T2479] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 53.871330][ T2479] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 53.880087][ T2479] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 53.888954][ T2479] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 53.900720][ T6832] device veth0_macvtap entered promiscuous mode
[ 53.909966][ T6832] device veth1_macvtap entered promiscuous mode
[ 53.924796][ T6832] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 53.932446][ T3651] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 53.941057][ T3651] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 53.949218][ T3651] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 53.958001][ T3651] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 53.970035][ T6832] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 53.977308][ T2479] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 53.985646][ T2479] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 54.240659][ T7041] ==================================================================
[ 54.240700][ T7041] BUG: KASAN: global-out-of-bounds in vga16fb_imageblit+0x1c36/0x2210
[ 54.240707][ T7041] Read of size 2 at addr ffffffff889972be by task syz-executor.0/7041
[ 54.240709][ T7041]
[ 54.240718][ T7041] CPU: 0 PID: 7041 Comm: syz-executor.0 Not tainted 5.8.0-rc3-syzkaller #0
[ 54.240723][ T7041] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.240726][ T7041] Call Trace:
[ 54.240737][ T7041] dump_stack+0x18f/0x20d
[ 54.240746][ T7041] ? vga16fb_imageblit+0x1c36/0x2210
[ 54.240753][ T7041] ? vga16fb_imageblit+0x1c36/0x2210
[ 54.240775][ T7041] print_address_description.constprop.0.cold+0x5/0x436
[ 54.240783][ T7041] ? fbcon_modechanged+0x36c/0x710
[ 54.240789][ T7041] ? fbcon_update_vcs+0x3a/0x50
[ 54.240797][ T7041] ? fb_set_var+0xae8/0xd60
[ 54.240806][ T7041] ? lockdep_hardirqs_off+0x66/0xa0
[ 54.240814][ T7041] ? vprintk_func+0x97/0x1a6
[ 54.240823][ T7041] ? vga16fb_imageblit+0x1c36/0x2210
[ 54.240829][ T7041] kasan_report.cold+0x1f/0x37
[ 54.240837][ T7041] ? vga16fb_imageblit+0x1c36/0x2210
[ 54.240846][ T7041] vga16fb_imageblit+0x1c36/0x2210
[ 54.240856][ T7041] ? fb_pad_unaligned_buffer+0x9f/0x320
[ 54.240866][ T7041] soft_cursor+0x514/0xa30
[ 54.240876][ T7041] ? lockdep_hardirqs_on+0x6a/0xe0
[ 54.240885][ T7041] bit_cursor+0x1166/0x17d0
[ 54.240896][ T7041] ? kmalloc_array.constprop.0+0x20/0x20
[ 54.240908][ T7041] ? do_update_region+0x47c/0x630
[ 54.240917][ T7041] ? fb_get_color_depth+0x11a/0x240
[ 54.240926][ T7041] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 54.240933][ T7041] ? get_color+0x20e/0x410
[ 54.240942][ T7041] fbcon_cursor+0x52b/0x650
[ 54.240949][ T7041] ? kmalloc_array.constprop.0+0x20/0x20
[ 54.240956][ T7041] ? fbcon_set_palette+0x3a8/0x490
[ 54.240964][ T7041] set_cursor+0x1dd/0x230
[ 54.240972][ T7041] redraw_screen+0x4b7/0x770
[ 54.240980][ T7041] ? wait_for_completion+0x260/0x260
[ 54.241006][ T7041] ? vc_init+0x440/0x440
[ 54.241019][ T7041] vc_do_resize+0x110e/0x13f0
[ 54.241036][ T7041] ? store_bind+0x6a0/0x6a0
[ 54.241046][ T7041] ? rcu_read_lock_sched_held+0x3a/0xb0
[ 54.241058][ T7041] fbcon_modechanged+0x36c/0x710
[ 54.241068][ T7041] fbcon_update_vcs+0x3a/0x50
[ 54.241076][ T7041] fb_set_var+0xae8/0xd60
[ 54.241085][ T7041] ? fb_blank+0x190/0x190
[ 54.241093][ T7041] ? lock_release+0x8d0/0x8d0
[ 54.241104][ T7041] ? lock_is_held_type+0xb0/0xe0
[ 54.241118][ T7041] ? do_fb_ioctl+0x2f2/0x6c0
[ 54.241133][ T7041] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 54.241141][ T7041] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 54.241149][ T7041] ? trace_hardirqs_on+0x5f/0x220
[ 54.241160][ T7041] do_fb_ioctl+0x33f/0x6c0
[ 54.241169][ T7041] ? fb_set_suspend+0x1a0/0x1a0
[ 54.241178][ T7041] ? tomoyo_execute_permission+0x470/0x470
[ 54.241202][ T7041] ? __might_fault+0x11f/0x1d0
[ 54.241214][ T7041] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 54.241223][ T7041] ? do_vfs_ioctl+0x27d/0x1090
[ 54.241238][ T7041] ? __fget_files+0x294/0x400
[ 54.241249][ T7041] fb_ioctl+0xdd/0x130
[ 54.241256][ T7041] ? do_fb_ioctl+0x6c0/0x6c0
[ 54.241262][ T7041] ksys_ioctl+0x11a/0x180
[ 54.241270][ T7041] __x64_sys_ioctl+0x6f/0xb0
[ 54.241278][ T7041] ? lockdep_hardirqs_on+0x6a/0xe0
[ 54.241285][ T7041] do_syscall_64+0x60/0xe0
[ 54.241293][ T7041] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 54.241299][ T7041] RIP: 0033:0x45cb29
[ 54.241302][ T7041] Code: Bad RIP value.
[ 54.241306][ T7041] RSP: 002b:00007fedb20a7c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 54.241313][ T7041] RAX: ffffffffffffffda RBX: 00000000004e55e0 RCX: 000000000045cb29
[ 54.241317][ T7041] RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
[ 54.241322][ T7041] RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
[ 54.241326][ T7041] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 54.241330][ T7041] R13: 00000000000002fd R14: 00000000004c58a5 R15: 00007fedb20a86d4
[ 54.241339][ T7041]
[ 54.241342][ T7041] The buggy address belongs to the variable:
[ 54.241349][ T7041] transl_h+0x3e/0x40
[ 54.241350][ T7041]
[ 54.241353][ T7041] Memory state around the buggy address:
[ 54.241359][ T7041] ffffffff88997180: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
[ 54.241365][ T7041] ffffffff88997200: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
[ 54.241370][ T7041] >ffffffff88997280: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa
[ 54.241373][ T7041]                                         ^
[ 54.241378][ T7041] ffffffff88997300: 00 01 fa fa fa fa fa fa 00 00 00 04 fa fa fa fa
[ 54.241388][ T7041] ffffffff88997380: 00 00 04 fa fa fa fa fa 00 00 00 00 00 00 02 fa
[ 54.241391][ T7041] ==================================================================
[ 54.241393][ T7041] Disabling lock debugging due to kernel taint
[ 54.241397][ T7041] Kernel panic - not syncing: panic_on_warn set ...
[ 54.241404][ T7041] CPU: 0 PID: 7041 Comm: syz-executor.0 Tainted: G B 5.8.0-rc3-syzkaller #0
[ 54.241407][ T7041] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.241409][ T7041] Call Trace:
[ 54.241415][ T7041] dump_stack+0x18f/0x20d
[ 54.241422][ T7041] ? vga16fb_imageblit+0x1b40/0x2210
[ 54.241429][ T7041] panic+0x2e3/0x75c
[ 54.241436][ T7041] ? __warn_printk+0xf3/0xf3
[ 54.241444][ T7041] ? trace_hardirqs_on+0x55/0x220
[ 54.241451][ T7041] ? vga16fb_imageblit+0x1c36/0x2210
[ 54.241456][ T7041] ? vga16fb_imageblit+0x1c36/0x2210
[ 54.241462][ T7041] end_report+0x4d/0x53
[ 54.241467][ T7041] kasan_report.cold+0xd/0x37
[ 54.241474][ T7041] ? vga16fb_imageblit+0x1c36/0x2210
[ 54.241481][ T7041] vga16fb_imageblit+0x1c36/0x2210
[ 54.241489][ T7041] ? fb_pad_unaligned_buffer+0x9f/0x320
[ 54.241496][ T7041] soft_cursor+0x514/0xa30
[ 54.241504][ T7041] ? lockdep_hardirqs_on+0x6a/0xe0
[ 54.241511][ T7041] bit_cursor+0x1166/0x17d0
[ 54.241519][ T7041] ? kmalloc_array.constprop.0+0x20/0x20
[ 54.241527][ T7041] ? do_update_region+0x47c/0x630
[ 54.241533][ T7041] ? fb_get_color_depth+0x11a/0x240
[ 54.241541][ T7041] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 54.241546][ T7041] ? get_color+0x20e/0x410
[ 54.241553][ T7041] fbcon_cursor+0x52b/0x650
[ 54.241580][ T7041] ? kmalloc_array.constprop.0+0x20/0x20
[ 54.241586][ T7041] ? fbcon_set_palette+0x3a8/0x490
[ 54.241593][ T7041] set_cursor+0x1dd/0x230
[ 54.241601][ T7041] redraw_screen+0x4b7/0x770
[ 54.241621][ T7041] ? wait_for_completion+0x260/0x260
[ 54.241628][ T7041] ? vc_init+0x440/0x440
[ 54.241636][ T7041] vc_do_resize+0x110e/0x13f0
[ 54.241646][ T7041] ? store_bind+0x6a0/0x6a0
[ 54.241653][ T7041] ? rcu_read_lock_sched_held+0x3a/0xb0
[ 54.241661][ T7041] fbcon_modechanged+0x36c/0x710
[ 54.241668][ T7041] fbcon_update_vcs+0x3a/0x50
[ 54.241674][ T7041] fb_set_var+0xae8/0xd60
[ 54.241682][ T7041] ? fb_blank+0x190/0x190
[ 54.241692][ T7041] ? lock_release+0x8d0/0x8d0
[ 54.241704][ T7041] ? lock_is_held_type+0xb0/0xe0
[ 54.241718][ T7041] ? do_fb_ioctl+0x2f2/0x6c0
[ 54.241733][ T7041] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 54.241743][ T7041] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 54.241749][ T7041] ? trace_hardirqs_on+0x5f/0x220
[ 54.241757][ T7041] do_fb_ioctl+0x33f/0x6c0
[ 54.241764][ T7041] ? fb_set_suspend+0x1a0/0x1a0
[ 54.241770][ T7041] ? tomoyo_execute_permission+0x470/0x470
[ 54.241778][ T7041] ? __might_fault+0x11f/0x1d0
[ 54.241786][ T7041] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 54.241792][ T7041] ? do_vfs_ioctl+0x27d/0x1090
[ 54.241801][ T7041] ? __fget_files+0x294/0x400
[ 54.241808][ T7041] fb_ioctl+0xdd/0x130
[ 54.241815][ T7041] ? do_fb_ioctl+0x6c0/0x6c0
[ 54.241820][ T7041] ksys_ioctl+0x11a/0x180
[ 54.241826][ T7041] __x64_sys_ioctl+0x6f/0xb0
[ 54.241833][ T7041] ? lockdep_hardirqs_on+0x6a/0xe0
[ 54.241839][ T7041] do_syscall_64+0x60/0xe0
[ 54.241845][ T7041] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 54.241850][ T7041] RIP: 0033:0x45cb29
[ 54.241852][ T7041] Code: Bad RIP value.
[ 54.241855][ T7041] RSP: 002b:00007fedb20a7c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 54.241861][ T7041] RAX: ffffffffffffffda RBX: 00000000004e55e0 RCX: 000000000045cb29
[ 54.241864][ T7041] RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
[ 54.241868][ T7041] RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
[ 54.241871][ T7041] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 54.241875][ T7041] R13: 00000000000002fd R14: 00000000004c58a5 R15: 00007fedb20a86d4
[ 54.243092][ T7041] Kernel Offset: disabled
[ 55.056412][ T7041] Rebooting in 86400 seconds..