[ 95.041955][ T27] audit: type=1800 audit(1578351379.681:26): pid=9716 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 95.864863][ T27] kauditd_printk_skb: 2 callbacks suppressed
[ 95.864874][ T27] audit: type=1800 audit(1578351380.521:29): pid=9716 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 95.893072][ T27] audit: type=1800 audit(1578351380.531:30): pid=9716 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.118' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 122.210126][ T9868] ==================================================================
[ 122.210176][ T9868] BUG: KASAN: slab-out-of-bounds in soft_cursor+0x439/0xa30
[ 122.210184][ T9868] Read of size 16 at addr ffff88809322e740 by task syz-executor134/9868
[ 122.210187][ T9868]
[ 122.210197][ T9868] CPU: 0 PID: 9868 Comm: syz-executor134 Not tainted 5.5.0-rc5-syzkaller #0
[ 122.210203][ T9868] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 122.210207][ T9868] Call Trace:
[ 122.210221][ T9868]  dump_stack+0x197/0x210
[ 122.210229][ T9868]  ? soft_cursor+0x439/0xa30
[ 122.210244][ T9868]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 122.210251][ T9868]  ? soft_cursor+0x439/0xa30
[ 122.210259][ T9868]  ? soft_cursor+0x439/0xa30
[ 122.210267][ T9868]  __kasan_report.cold+0x1b/0x41
[ 122.210276][ T9868]  ? soft_cursor+0x439/0xa30
[ 122.210286][ T9868]  kasan_report+0x12/0x20
[ 122.210295][ T9868]  check_memory_region+0x134/0x1a0
[ 122.210303][ T9868]  memcpy+0x24/0x50
[ 122.210312][ T9868]  soft_cursor+0x439/0xa30
[ 122.210322][ T9868]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 122.210336][ T9868]  bit_cursor+0x12fc/0x1a60
[ 122.210349][ T9868]  ? bit_clear+0x530/0x530
[ 122.210357][ T9868]  ? find_held_lock+0x35/0x130
[ 122.210374][ T9868]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 122.210382][ T9868]  ? get_color+0x225/0x430
[ 122.210392][ T9868]  fbcon_cursor+0x487/0x660
[ 122.210399][ T9868]  ? bit_clear+0x530/0x530
[ 122.210412][ T9868]  hide_cursor+0x9d/0x2b0
[ 122.210421][ T9868]  redraw_screen+0x60b/0x7d0
[ 122.210430][ T9868]  ? respond_string+0x2c0/0x2c0
[ 122.210443][ T9868]  vc_do_resize+0x10c9/0x1460
[ 122.210452][ T9868]  ? down+0x50/0x90
[ 122.210468][ T9868]  ? vc_uniscr_alloc+0xd0/0xd0
[ 122.210477][ T9868]  ? lock_acquire+0x190/0x410
[ 122.210484][ T9868]  ? vt_ioctl+0x1f56/0x26d0
[ 122.210495][ T9868]  vc_resize+0x4d/0x60
[ 122.210503][ T9868]  vt_ioctl+0x2076/0x26d0
[ 122.210513][ T9868]  ? complete_change_console+0x3a0/0x3a0
[ 122.210520][ T9868]  ? lock_downgrade+0x920/0x920
[ 122.210528][ T9868]  ? rwlock_bug.part.0+0x90/0x90
[ 122.210540][ T9868]  ? tomoyo_path_number_perm+0x214/0x520
[ 122.210548][ T9868]  ? find_held_lock+0x35/0x130
[ 122.210557][ T9868]  ? tomoyo_path_number_perm+0x214/0x520
[ 122.210566][ T9868]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 122.210577][ T9868]  ? tty_jobctrl_ioctl+0x50/0xd40
[ 122.210585][ T9868]  ? complete_change_console+0x3a0/0x3a0
[ 122.210596][ T9868]  tty_ioctl+0xa37/0x14f0
[ 122.210609][ T9868]  ? tty_vhangup+0x30/0x30
[ 122.210618][ T9868]  ? tomoyo_path_number_perm+0x454/0x520
[ 122.210628][ T9868]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 122.210637][ T9868]  ? tomoyo_path_number_perm+0x25e/0x520
[ 122.210647][ T9868]  ? tomoyo_execute_permission+0x4a0/0x4a0
[ 122.210666][ T9868]  ? tty_vhangup+0x30/0x30
[ 122.210676][ T9868]  do_vfs_ioctl+0x977/0x14e0
[ 122.210687][ T9868]  ? compat_ioctl_preallocate+0x220/0x220
[ 122.210696][ T9868]  ? kmem_cache_free+0x26b/0x320
[ 122.210706][ T9868]  ? putname+0xf4/0x130
[ 122.210715][ T9868]  ? do_sys_open+0x31d/0x5d0
[ 122.210727][ T9868]  ? tomoyo_file_ioctl+0x23/0x30
[ 122.210735][ T9868]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 122.210745][ T9868]  ? security_file_ioctl+0x8d/0xc0
[ 122.210754][ T9868]  ksys_ioctl+0xab/0xd0
[ 122.210764][ T9868]  __x64_sys_ioctl+0x73/0xb0
[ 122.210775][ T9868]  do_syscall_64+0xfa/0x790
[ 122.210786][ T9868]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 122.210794][ T9868] RIP: 0033:0x440249
[ 122.210804][ T9868] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 122.210809][ T9868] RSP: 002b:00007ffea499a828 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 122.210818][ T9868] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440249
[ 122.210823][ T9868] RDX: 0000000020000000 RSI: 000000000000560a RDI: 0000000000000004
[ 122.210828][ T9868] RBP: 00000000006cb018 R08: 000000000000000d R09: 00000000004002c8
[ 122.210833][ T9868] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b30
[ 122.210838][ T9868] R13: 0000000000401bc0 R14: 0000000000000000 R15: 0000000000000000
[ 122.210849][ T9868]
[ 122.210853][ T9868] Allocated by task 9868:
[ 122.210861][ T9868]  save_stack+0x23/0x90
[ 122.210868][ T9868]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 122.210874][ T9868]  kasan_kmalloc+0x9/0x10
[ 122.210880][ T9868]  __kmalloc+0x163/0x770
[ 122.210886][ T9868]  fbcon_set_font+0x32d/0x860
[ 122.210892][ T9868]  con_font_op+0xe30/0x1270
[ 122.210899][ T9868]  vt_ioctl+0x35a/0x26d0
[ 122.210906][ T9868]  tty_ioctl+0xa37/0x14f0
[ 122.210912][ T9868]  do_vfs_ioctl+0x977/0x14e0
[ 122.210918][ T9868]  ksys_ioctl+0xab/0xd0
[ 122.210925][ T9868]  __x64_sys_ioctl+0x73/0xb0
[ 122.210932][ T9868]  do_syscall_64+0xfa/0x790
[ 122.210939][ T9868]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 122.210941][ T9868]
[ 122.210945][ T9868] Freed by task 9614:
[ 122.210952][ T9868]  save_stack+0x23/0x90
[ 122.210958][ T9868]  __kasan_slab_free+0x102/0x150
[ 122.210964][ T9868]  kasan_slab_free+0xe/0x10
[ 122.210970][ T9868]  kfree+0x10a/0x2c0
[ 122.210979][ T9868]  kvfree+0x61/0x70
[ 122.210988][ T9868]  __free_fdtable+0x34/0x80
[ 122.210994][ T9868]  put_files_struct+0x253/0x2f0
[ 122.211001][ T9868]  exit_files+0x83/0xb0
[ 122.211011][ T9868]  do_exit+0xb77/0x2f50
[ 122.211018][ T9868]  do_group_exit+0x135/0x360
[ 122.211026][ T9868]  __x64_sys_exit_group+0x44/0x50
[ 122.211033][ T9868]  do_syscall_64+0xfa/0x790
[ 122.211041][ T9868]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 122.211043][ T9868]
[ 122.211049][ T9868] The buggy address belongs to the object at ffff88809322e000
[ 122.211049][ T9868]  which belongs to the cache kmalloc-2k of size 2048
[ 122.211056][ T9868] The buggy address is located 1856 bytes inside of
[ 122.211056][ T9868]  2048-byte region [ffff88809322e000, ffff88809322e800)
[ 122.211059][ T9868] The buggy address belongs to the page:
[ 122.211068][ T9868] page:ffffea00024c8b80 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
[ 122.211080][ T9868] raw: 00fffe0000000200 ffffea0002602048 ffffea00025c8a08 ffff8880aa400e00
[ 122.211089][ T9868] raw: 0000000000000000 ffff88809322e000 0000000100000001 0000000000000000
[ 122.211093][ T9868] page dumped because: kasan: bad access detected
[ 122.211095][ T9868]
[ 122.211098][ T9868] Memory state around the buggy address:
[ 122.211104][ T9868]  ffff88809322e600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 122.211116][ T9868]  ffff88809322e680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 122.211122][ T9868] >ffff88809322e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 122.211125][ T9868]                                            ^
[ 122.211132][ T9868]  ffff88809322e780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 122.211138][ T9868]  ffff88809322e800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 122.211141][ T9868] ==================================================================
[ 122.211144][ T9868] Disabling lock debugging due to kernel taint
[ 122.211149][ T9868] Kernel panic - not syncing: panic_on_warn set ...
[ 122.211157][ T9868] CPU: 0 PID: 9868 Comm: syz-executor134 Tainted: G    B   5.5.0-rc5-syzkaller #0
[ 122.211161][ T9868] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 122.211163][ T9868] Call Trace:
[ 122.211171][ T9868]  dump_stack+0x197/0x210
[ 122.211179][ T9868]  panic+0x2e3/0x75c
[ 122.211186][ T9868]  ? add_taint.cold+0x16/0x16
[ 122.211198][ T9868]  ? trace_hardirqs_on+0x67/0x240
[ 122.211206][ T9868]  ? trace_hardirqs_on+0x5e/0x240
[ 122.211213][ T9868]  ? soft_cursor+0x439/0xa30
[ 122.211220][ T9868]  end_report+0x47/0x4f
[ 122.211227][ T9868]  ? soft_cursor+0x439/0xa30
[ 122.211234][ T9868]  __kasan_report.cold+0xe/0x41
[ 122.211241][ T9868]  ? soft_cursor+0x439/0xa30
[ 122.211250][ T9868]  kasan_report+0x12/0x20
[ 122.211259][ T9868]  check_memory_region+0x134/0x1a0
[ 122.211266][ T9868]  memcpy+0x24/0x50
[ 122.211273][ T9868]  soft_cursor+0x439/0xa30
[ 122.211280][ T9868]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 122.211290][ T9868]  bit_cursor+0x12fc/0x1a60
[ 122.211299][ T9868]  ? bit_clear+0x530/0x530
[ 122.211305][ T9868]  ? find_held_lock+0x35/0x130
[ 122.211316][ T9868]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 122.211323][ T9868]  ? get_color+0x225/0x430
[ 122.211330][ T9868]  fbcon_cursor+0x487/0x660
[ 122.211337][ T9868]  ? bit_clear+0x530/0x530
[ 122.211346][ T9868]  hide_cursor+0x9d/0x2b0
[ 122.211353][ T9868]  redraw_screen+0x60b/0x7d0
[ 122.211360][ T9868]  ? respond_string+0x2c0/0x2c0
[ 122.211368][ T9868]  vc_do_resize+0x10c9/0x1460
[ 122.211375][ T9868]  ? down+0x50/0x90
[ 122.211386][ T9868]  ? vc_uniscr_alloc+0xd0/0xd0
[ 122.211393][ T9868]  ? lock_acquire+0x190/0x410
[ 122.211399][ T9868]  ? vt_ioctl+0x1f56/0x26d0
[ 122.211407][ T9868]  vc_resize+0x4d/0x60
[ 122.211414][ T9868]  vt_ioctl+0x2076/0x26d0
[ 122.211422][ T9868]  ? complete_change_console+0x3a0/0x3a0
[ 122.211428][ T9868]  ? lock_downgrade+0x920/0x920
[ 122.211435][ T9868]  ? rwlock_bug.part.0+0x90/0x90
[ 122.211444][ T9868]  ? tomoyo_path_number_perm+0x214/0x520
[ 122.211450][ T9868]  ? find_held_lock+0x35/0x130
[ 122.211458][ T9868]  ? tomoyo_path_number_perm+0x214/0x520
[ 122.211466][ T9868]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 122.211474][ T9868]  ? tty_jobctrl_ioctl+0x50/0xd40
[ 122.211481][ T9868]  ? complete_change_console+0x3a0/0x3a0
[ 122.211489][ T9868]  tty_ioctl+0xa37/0x14f0
[ 122.211497][ T9868]  ? tty_vhangup+0x30/0x30
[ 122.211505][ T9868]  ? tomoyo_path_number_perm+0x454/0x520
[ 122.211514][ T9868]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 122.211521][ T9868]  ? tomoyo_path_number_perm+0x25e/0x520
[ 122.211530][ T9868]  ? tomoyo_execute_permission+0x4a0/0x4a0
[ 122.211543][ T9868]  ? tty_vhangup+0x30/0x30
[ 122.211550][ T9868]  do_vfs_ioctl+0x977/0x14e0
[ 122.211558][ T9868]  ? compat_ioctl_preallocate+0x220/0x220
[ 122.211566][ T9868]  ? kmem_cache_free+0x26b/0x320
[ 122.211574][ T9868]  ? putname+0xf4/0x130
[ 122.211581][ T9868]  ? do_sys_open+0x31d/0x5d0
[ 122.211590][ T9868]  ? tomoyo_file_ioctl+0x23/0x30
[ 122.211598][ T9868]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 122.211605][ T9868]  ? security_file_ioctl+0x8d/0xc0
[ 122.211612][ T9868]  ksys_ioctl+0xab/0xd0
[ 122.211620][ T9868]  __x64_sys_ioctl+0x73/0xb0
[ 122.211628][ T9868]  do_syscall_64+0xfa/0x790
[ 122.211636][ T9868]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 122.211641][ T9868] RIP: 0033:0x440249
[ 122.211648][ T9868] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 122.211652][ T9868] RSP: 002b:00007ffea499a828 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 122.211659][ T9868] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440249
[ 122.211663][ T9868] RDX: 0000000020000000 RSI: 000000000000560a RDI: 0000000000000004
[ 122.211667][ T9868] RBP: 00000000006cb018 R08: 000000000000000d R09: 00000000004002c8
[ 122.211671][ T9868] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b30
[ 122.211675][ T9868] R13: 0000000000401bc0 R14: 0000000000000000 R15: 0000000000000000
[ 122.213018][ T9868] Kernel Offset: disabled
[ 123.274176][ T9868] Rebooting in 86400 seconds..