Warning: Permanently added '10.128.0.41' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 105.637991][ T9794] ==================================================================
[ 105.638167][ T9794] BUG: KASAN: slab-out-of-bounds in soft_cursor+0x439/0xa30
[ 105.638176][ T9794] Read of size 16 at addr ffff8880a05ac740 by task syz-executor746/9794
[ 105.638178][ T9794]
[ 105.638220][ T9794] CPU: 1 PID: 9794 Comm: syz-executor746 Not tainted 5.5.0-rc5-next-20200110-syzkaller #0
[ 105.638226][ T9794] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 105.638252][ T9794] Call Trace:
[ 105.638319][ T9794] dump_stack+0x197/0x210
[ 105.638328][ T9794] ? soft_cursor+0x439/0xa30
[ 105.638374][ T9794] print_address_description.constprop.0.cold+0xd4/0x30b
[ 105.638381][ T9794] ? soft_cursor+0x439/0xa30
[ 105.638389][ T9794] ? soft_cursor+0x439/0xa30
[ 105.638397][ T9794] __kasan_report.cold+0x1b/0x32
[ 105.638406][ T9794] ? soft_cursor+0x439/0xa30
[ 105.638416][ T9794] kasan_report+0x12/0x20
[ 105.638425][ T9794] check_memory_region+0x134/0x1a0
[ 105.638433][ T9794] memcpy+0x24/0x50
[ 105.638441][ T9794] soft_cursor+0x439/0xa30
[ 105.638472][ T9794] ? lockdep_hardirqs_on+0x421/0x5e0
[ 105.638486][ T9794] bit_cursor+0x12fc/0x1a60
[ 105.638499][ T9794] ? bit_clear+0x530/0x530
[ 105.638506][ T9794] ? find_held_lock+0x35/0x130
[ 105.638553][ T9794] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 105.638561][ T9794] ? get_color+0x225/0x430
[ 105.638571][ T9794] fbcon_cursor+0x487/0x660
[ 105.638578][ T9794] ? bit_clear+0x530/0x530
[ 105.638646][ T9794] hide_cursor+0x9d/0x2b0
[ 105.638657][ T9794] redraw_screen+0x60b/0x7d0
[ 105.638667][ T9794] ? respond_string+0x2c0/0x2c0
[ 105.638681][ T9794] vc_do_resize+0x10c9/0x1460
[ 105.638693][ T9794] ? down+0x50/0x90
[ 105.638711][ T9794] ? vc_uniscr_alloc+0xd0/0xd0
[ 105.638720][ T9794] ? lock_acquire+0x190/0x410
[ 105.638747][ T9794] ? vt_ioctl+0x1f56/0x26d0
[ 105.638759][ T9794] vc_resize+0x4d/0x60
[ 105.638769][ T9794] vt_ioctl+0x2076/0x26d0
[ 105.638780][ T9794] ? complete_change_console+0x3a0/0x3a0
[ 105.638795][ T9794] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 105.638804][ T9794] ? tty_jobctrl_ioctl+0x50/0xd40
[ 105.638813][ T9794] ? complete_change_console+0x3a0/0x3a0
[ 105.638823][ T9794] tty_ioctl+0xa37/0x14f0
[ 105.638833][ T9794] ? tty_vhangup+0x30/0x30
[ 105.638841][ T9794] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 105.638876][ T9794] ? do_vfs_ioctl+0x11f/0x12e0
[ 105.638887][ T9794] ? ioctl_file_clone+0x180/0x180
[ 105.638920][ T9794] ? file_open_root+0x5f0/0x5f0
[ 105.638981][ T9794] ? tomoyo_file_ioctl+0x23/0x30
[ 105.638990][ T9794] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 105.639026][ T9794] ? security_file_ioctl+0x8d/0xc0
[ 105.639034][ T9794] ? tty_vhangup+0x30/0x30
[ 105.639043][ T9794] ksys_ioctl+0x123/0x180
[ 105.639053][ T9794] __x64_sys_ioctl+0x73/0xb0
[ 105.639098][ T9794] do_syscall_64+0xfa/0x790
[ 105.639121][ T9794] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 105.639142][ T9794] RIP: 0033:0x440249
[ 105.639178][ T9794] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 105.639183][ T9794] RSP: 002b:00007ffe0c9539d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 105.639212][ T9794] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440249
[ 105.639217][ T9794] RDX: 0000000020000000 RSI: 000000000000560a RDI: 0000000000000004
[ 105.639221][ T9794] RBP: 00000000006cb018 R08: 000000000000000d R09: 00000000004002c8
[ 105.639226][ T9794] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b30
[ 105.639230][ T9794] R13: 0000000000401bc0 R14: 0000000000000000 R15: 0000000000000000
[ 105.639241][ T9794]
[ 105.639266][ T9794] Allocated by task 9794:
[ 105.639275][ T9794] save_stack+0x23/0x90
[ 105.639282][ T9794] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 105.639289][ T9794] kasan_kmalloc+0x9/0x10
[ 105.639295][ T9794] __kmalloc+0x163/0x770
[ 105.639302][ T9794] fbcon_set_font+0x32d/0x860
[ 105.639309][ T9794] con_font_op+0xe30/0x1270
[ 105.639316][ T9794] vt_ioctl+0x35a/0x26d0
[ 105.639323][ T9794] tty_ioctl+0xa37/0x14f0
[ 105.639330][ T9794] ksys_ioctl+0x123/0x180
[ 105.639337][ T9794] __x64_sys_ioctl+0x73/0xb0
[ 105.639344][ T9794] do_syscall_64+0xfa/0x790
[ 105.639351][ T9794] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 105.639353][ T9794]
[ 105.639357][ T9794] Freed by task 9523:
[ 105.639364][ T9794] save_stack+0x23/0x90
[ 105.639370][ T9794] __kasan_slab_free+0x102/0x150
[ 105.639377][ T9794] kasan_slab_free+0xe/0x10
[ 105.639383][ T9794] kfree+0x10a/0x2c0
[ 105.639438][ T9794] __sk_destruct+0x5d8/0x7f0
[ 105.639446][ T9794] sk_destruct+0xd5/0x110
[ 105.639453][ T9794] __sk_free+0xfb/0x360
[ 105.639460][ T9794] sk_free+0x83/0xb0
[ 105.639499][ T9794] deferred_put_nlk_sk+0x163/0x300
[ 105.639519][ T9794] rcu_core+0x5e3/0x1440
[ 105.639526][ T9794] rcu_core_si+0x9/0x10
[ 105.639533][ T9794] __do_softirq+0x262/0x98c
[ 105.639535][ T9794]
[ 105.639541][ T9794] The buggy address belongs to the object at ffff8880a05ac000
[ 105.639541][ T9794] which belongs to the cache kmalloc-2k of size 2048
[ 105.639548][ T9794] The buggy address is located 1856 bytes inside of
[ 105.639548][ T9794] 2048-byte region [ffff8880a05ac000, ffff8880a05ac800)
[ 105.639551][ T9794] The buggy address belongs to the page:
[ 105.639582][ T9794] page:ffffea0002816b00 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
[ 105.639593][ T9794] raw: 00fffe0000000200 ffffea000292c088 ffffea0002a4e0c8 ffff8880aa400e00
[ 105.639602][ T9794] raw: 0000000000000000 ffff8880a05ac000 0000000100000001 0000000000000000
[ 105.639635][ T9794] page dumped because: kasan: bad access detected
[ 105.639637][ T9794]
[ 105.639640][ T9794] Memory state around the buggy address:
[ 105.639646][ T9794]  ffff8880a05ac600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 105.639652][ T9794]  ffff8880a05ac680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 105.639658][ T9794] >ffff8880a05ac700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 105.639662][ T9794]                                            ^
[ 105.639668][ T9794]  ffff8880a05ac780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 105.639674][ T9794]  ffff8880a05ac800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 105.639677][ T9794] ==================================================================
[ 105.639679][ T9794] Disabling lock debugging due to kernel taint
[ 105.639702][ T9794] Kernel panic - not syncing: panic_on_warn set ...
[ 105.639710][ T9794] CPU: 1 PID: 9794 Comm: syz-executor746 Tainted: G B 5.5.0-rc5-next-20200110-syzkaller #0
[ 105.639714][ T9794] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 105.639716][ T9794] Call Trace:
[ 105.639724][ T9794] dump_stack+0x197/0x210
[ 105.639753][ T9794] panic+0x2e3/0x75c
[ 105.639761][ T9794] ? add_taint.cold+0x16/0x16
[ 105.639790][ T9794] ? trace_hardirqs_on+0x67/0x240
[ 105.639798][ T9794] ? trace_hardirqs_on+0x5e/0x240
[ 105.639805][ T9794] ? soft_cursor+0x439/0xa30
[ 105.639813][ T9794] end_report+0x47/0x4f
[ 105.639826][ T9794] ? soft_cursor+0x439/0xa30
[ 105.639833][ T9794] __kasan_report.cold+0xe/0x32
[ 105.639841][ T9794] ? soft_cursor+0x439/0xa30
[ 105.639849][ T9794] kasan_report+0x12/0x20
[ 105.639856][ T9794] check_memory_region+0x134/0x1a0
[ 105.639863][ T9794] memcpy+0x24/0x50
[ 105.639870][ T9794] soft_cursor+0x439/0xa30
[ 105.639877][ T9794] ? lockdep_hardirqs_on+0x421/0x5e0
[ 105.639887][ T9794] bit_cursor+0x12fc/0x1a60
[ 105.639896][ T9794] ? bit_clear+0x530/0x530
[ 105.639903][ T9794] ? find_held_lock+0x35/0x130
[ 105.639913][ T9794] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 105.639920][ T9794] ? get_color+0x225/0x430
[ 105.639927][ T9794] fbcon_cursor+0x487/0x660
[ 105.639938][ T9794] ? bit_clear+0x530/0x530
[ 105.639946][ T9794] hide_cursor+0x9d/0x2b0
[ 105.639955][ T9794] redraw_screen+0x60b/0x7d0
[ 105.639963][ T9794] ? respond_string+0x2c0/0x2c0
[ 105.639973][ T9794] vc_do_resize+0x10c9/0x1460
[ 105.639980][ T9794] ? down+0x50/0x90
[ 105.639992][ T9794] ? vc_uniscr_alloc+0xd0/0xd0
[ 105.639999][ T9794] ? lock_acquire+0x190/0x410
[ 105.640007][ T9794] ? vt_ioctl+0x1f56/0x26d0
[ 105.640016][ T9794] vc_resize+0x4d/0x60
[ 105.640024][ T9794] vt_ioctl+0x2076/0x26d0
[ 105.640033][ T9794] ? complete_change_console+0x3a0/0x3a0
[ 105.640044][ T9794] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 105.640051][ T9794] ? tty_jobctrl_ioctl+0x50/0xd40
[ 105.640060][ T9794] ? complete_change_console+0x3a0/0x3a0
[ 105.640067][ T9794] tty_ioctl+0xa37/0x14f0
[ 105.640075][ T9794] ? tty_vhangup+0x30/0x30
[ 105.640083][ T9794] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 105.640090][ T9794] ? do_vfs_ioctl+0x11f/0x12e0
[ 105.640099][ T9794] ? ioctl_file_clone+0x180/0x180
[ 105.640105][ T9794] ? file_open_root+0x5f0/0x5f0
[ 105.640118][ T9794] ? tomoyo_file_ioctl+0x23/0x30
[ 105.640126][ T9794] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 105.640132][ T9794] ? security_file_ioctl+0x8d/0xc0
[ 105.640139][ T9794] ? tty_vhangup+0x30/0x30
[ 105.640147][ T9794] ksys_ioctl+0x123/0x180
[ 105.640155][ T9794] __x64_sys_ioctl+0x73/0xb0
[ 105.640163][ T9794] do_syscall_64+0xfa/0x790
[ 105.640171][ T9794] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 105.640176][ T9794] RIP: 0033:0x440249
[ 105.640183][ T9794] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 105.640187][ T9794] RSP: 002b:00007ffe0c9539d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 105.640193][ T9794] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440249
[ 105.640198][ T9794] RDX: 0000000020000000 RSI: 000000000000560a RDI: 0000000000000004
[ 105.640202][ T9794] RBP: 00000000006cb018 R08: 000000000000000d R09: 00000000004002c8
[ 105.640206][ T9794] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b30
[ 105.640209][ T9794] R13: 0000000000401bc0 R14: 0000000000000000 R15: 0000000000000000
[ 105.641873][ T9794] Kernel Offset: disabled
[ 106.611383][ T9794] Rebooting in 86400 seconds..