[ 39.183254] audit: type=1800 audit(1576509529.492:32): pid=7448 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 39.849958] audit: type=1800 audit(1576509530.152:33): pid=7448 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 44.451943] kauditd_printk_skb: 1 callbacks suppressed
[ 44.451956] audit: type=1400 audit(1576509534.762:35): avc: denied { map } for pid=7625 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.242' (ECDSA) to the list of known hosts.
executing program
[ 51.164092] audit: type=1400 audit(1576509541.472:36): avc: denied { map } for pid=7637 comm="syz-executor684" path="/root/syz-executor684138354" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 51.248645] ==================================================================
[ 51.248673] BUG: KASAN: global-out-of-bounds in vga16fb_imageblit+0x1c8b/0x2200
[ 51.248681] Read of size 2 at addr ffffffff87ef2bde by task syz-executor684/7637
[ 51.248683]
[ 51.248693] CPU: 0 PID: 7637 Comm: syz-executor684 Not tainted 4.19.89-syzkaller #0
[ 51.248697] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.248700] Call Trace:
[ 51.248712]  dump_stack+0x197/0x210
[ 51.248722]  ? vga16fb_imageblit+0x1c8b/0x2200
[ 51.248733]  print_address_description.cold+0x5/0x20d
[ 51.248742]  ? vga16fb_imageblit+0x1c8b/0x2200
[ 51.248750]  kasan_report.cold+0x8c/0x2ba
[ 51.248761]  __asan_report_load2_noabort+0x14/0x20
[ 51.248769]  vga16fb_imageblit+0x1c8b/0x2200
[ 51.248785]  soft_cursor+0x4fb/0xa30
[ 51.248796]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 51.248809]  bit_cursor+0x12fc/0x1a60
[ 51.248821]  ? bit_clear+0x530/0x530
[ 51.248828]  ? fbcon_putcs+0x42b/0x4f0
[ 51.248835]  ? fbcon_putcs+0x271/0x4f0
[ 51.248850]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 51.248858]  ? get_color+0x225/0x430
[ 51.248867]  fbcon_cursor+0x58a/0x7b0
[ 51.248874]  ? bit_clear+0x530/0x530
[ 51.248885]  set_cursor+0x1fb/0x280
[ 51.248894]  redraw_screen+0x60f/0x8e0
[ 51.248900]  ? efifb_probe.cold+0x17e9/0x17e9
[ 51.248909]  ? con_flush_chars+0xa0/0xa0
[ 51.248919]  ? fbcon_set_palette+0x227/0x610
[ 51.248929]  fbcon_modechanged+0x5f3/0x900
[ 51.248940]  fbcon_event_notify+0x1bd/0x1dba
[ 51.248949]  ? lock_acquire+0x16f/0x3f0
[ 51.248962]  notifier_call_chain+0xc2/0x230
[ 51.248975]  blocking_notifier_call_chain+0x94/0xb0
[ 51.248986]  fb_notifier_call_chain+0x25/0x30
[ 51.248994]  fb_set_var+0xc8f/0xe80
[ 51.249005]  ? fb_set_suspend+0x130/0x130
[ 51.249013]  ? lock_acquire+0x16f/0x3f0
[ 51.249021]  ? lock_fb_info+0x1f/0x80
[ 51.249035]  ? __mutex_lock+0x3cd/0x1300
[ 51.249043]  ? mark_held_locks+0x100/0x100
[ 51.249051]  ? lock_acquire+0x16f/0x3f0
[ 51.249058]  ? lock_fb_info+0x1f/0x80
[ 51.249069]  ? mutex_trylock+0x1e0/0x1e0
[ 51.249076]  ? down+0x70/0x90
[ 51.249092]  ? do_fb_ioctl+0x3e1/0xab0
[ 51.249103]  ? mutex_lock_nested+0x16/0x20
[ 51.249113]  do_fb_ioctl+0x450/0xab0
[ 51.249122]  ? fb_read+0x580/0x580
[ 51.249131]  ? kasan_check_read+0x11/0x20
[ 51.249141]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 51.249150]  ? avc_has_extended_perms+0xa78/0x10f0
[ 51.249163]  ? avc_ss_reset+0x190/0x190
[ 51.249172]  ? __kasan_slab_free+0x102/0x150
[ 51.249179]  ? kasan_slab_free+0xe/0x10
[ 51.249186]  ? kmem_cache_free+0x86/0x260
[ 51.249193]  ? putname+0xef/0x130
[ 51.249200]  ? do_sys_open+0x318/0x550
[ 51.249206]  ? __x64_sys_openat+0x9d/0x100
[ 51.249215]  ? do_syscall_64+0xfd/0x620
[ 51.249222]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.249246]  fb_ioctl+0xe6/0x130
[ 51.249253]  ? do_fb_ioctl+0xab0/0xab0
[ 51.249262]  do_vfs_ioctl+0xd5f/0x1380
[ 51.249270]  ? selinux_file_ioctl+0x46f/0x5e0
[ 51.249277]  ? selinux_file_ioctl+0x125/0x5e0
[ 51.249286]  ? ioctl_preallocate+0x210/0x210
[ 51.249294]  ? selinux_file_mprotect+0x620/0x620
[ 51.249306]  ? kmem_cache_free+0x222/0x260
[ 51.249317]  ? do_sys_open+0x31d/0x550
[ 51.249329]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 51.249336]  ? security_file_ioctl+0x8d/0xc0
[ 51.249345]  ksys_ioctl+0xab/0xd0
[ 51.249355]  __x64_sys_ioctl+0x73/0xb0
[ 51.249364]  do_syscall_64+0xfd/0x620
[ 51.249374]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.249381] RIP: 0033:0x440309
[ 51.249391] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 51.249396] RSP: 002b:00007ffddbbccb58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 51.249404] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440309
[ 51.249409] RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
[ 51.249413] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 51.249418] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b90
[ 51.249422] R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000
[ 51.249433]
[ 51.249435] The buggy address belongs to the variable:
[ 51.249443]  transl_h+0x3e/0x40
[ 51.249445]
[ 51.249448] Memory state around the buggy address:
[ 51.249455]  ffffffff87ef2a80: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa
[ 51.249461]  ffffffff87ef2b00: 00 00 00 00 00 fa fa fa fa fa fa fa 04 fa fa fa
[ 51.249467] >ffffffff87ef2b80: fa fa fa fa 00 00 00 00 fa fa fa fa 00 00 00 00
[ 51.249470]                                                     ^
[ 51.249476]  ffffffff87ef2c00: fa fa fa fa 00 01 fa fa fa fa fa fa 00 00 00 04
[ 51.249482]  ffffffff87ef2c80: fa fa fa fa 00 00 04 fa fa fa fa fa 00 00 00 00
[ 51.249485] ==================================================================
[ 51.249488] Disabling lock debugging due to kernel taint
[ 51.249493] Kernel panic - not syncing: panic_on_warn set ...
[ 51.249493]
[ 51.249500] CPU: 0 PID: 7637 Comm: syz-executor684 Tainted: G B 4.19.89-syzkaller #0
[ 51.249504] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.249506] Call Trace:
[ 51.249514]  dump_stack+0x197/0x210
[ 51.249522]  ? vga16fb_imageblit+0x1c8b/0x2200
[ 51.249529]  panic+0x26a/0x50e
[ 51.249535]  ? __warn_printk+0xf3/0xf3
[ 51.249543]  ? lock_downgrade+0x880/0x880
[ 51.249553]  ? trace_hardirqs_on+0x67/0x220
[ 51.249559]  ? trace_hardirqs_on+0x5e/0x220
[ 51.249568]  ? vga16fb_imageblit+0x1c8b/0x2200
[ 51.249575]  kasan_end_report+0x47/0x4f
[ 51.249583]  kasan_report.cold+0xa9/0x2ba
[ 51.249592]  __asan_report_load2_noabort+0x14/0x20
[ 51.249599]  vga16fb_imageblit+0x1c8b/0x2200
[ 51.249609]  soft_cursor+0x4fb/0xa30
[ 51.249617]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 51.249627]  bit_cursor+0x12fc/0x1a60
[ 51.249636]  ? bit_clear+0x530/0x530
[ 51.249642]  ? fbcon_putcs+0x42b/0x4f0
[ 51.249648]  ? fbcon_putcs+0x271/0x4f0
[ 51.249658]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 51.249665]  ? get_color+0x225/0x430
[ 51.249672]  fbcon_cursor+0x58a/0x7b0
[ 51.249679]  ? bit_clear+0x530/0x530
[ 51.249686]  set_cursor+0x1fb/0x280
[ 51.249694]  redraw_screen+0x60f/0x8e0
[ 51.249700]  ? efifb_probe.cold+0x17e9/0x17e9
[ 51.249708]  ? con_flush_chars+0xa0/0xa0
[ 51.249715]  ? fbcon_set_palette+0x227/0x610
[ 51.249723]  fbcon_modechanged+0x5f3/0x900
[ 51.249732]  fbcon_event_notify+0x1bd/0x1dba
[ 51.249740]  ? lock_acquire+0x16f/0x3f0
[ 51.249749]  notifier_call_chain+0xc2/0x230
[ 51.249759]  blocking_notifier_call_chain+0x94/0xb0
[ 51.249768]  fb_notifier_call_chain+0x25/0x30
[ 51.249775]  fb_set_var+0xc8f/0xe80
[ 51.249784]  ? fb_set_suspend+0x130/0x130
[ 51.249791]  ? lock_acquire+0x16f/0x3f0
[ 51.249798]  ? lock_fb_info+0x1f/0x80
[ 51.249808]  ? __mutex_lock+0x3cd/0x1300
[ 51.249815]  ? mark_held_locks+0x100/0x100
[ 51.249822]  ? lock_acquire+0x16f/0x3f0
[ 51.249829]  ? lock_fb_info+0x1f/0x80
[ 51.249838]  ? mutex_trylock+0x1e0/0x1e0
[ 51.249844]  ? down+0x70/0x90
[ 51.249856]  ? do_fb_ioctl+0x3e1/0xab0
[ 51.249865]  ? mutex_lock_nested+0x16/0x20
[ 51.249873]  do_fb_ioctl+0x450/0xab0
[ 51.249880]  ? fb_read+0x580/0x580
[ 51.249888]  ? kasan_check_read+0x11/0x20
[ 51.249896]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 51.249904]  ? avc_has_extended_perms+0xa78/0x10f0
[ 51.249914]  ? avc_ss_reset+0x190/0x190
[ 51.249921]  ? __kasan_slab_free+0x102/0x150
[ 51.249928]  ? kasan_slab_free+0xe/0x10
[ 51.249934]  ? kmem_cache_free+0x86/0x260
[ 51.249939]  ? putname+0xef/0x130
[ 51.249945]  ? do_sys_open+0x318/0x550
[ 51.249952]  ? __x64_sys_openat+0x9d/0x100
[ 51.249959]  ? do_syscall_64+0xfd/0x620
[ 51.249966]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.249981]  fb_ioctl+0xe6/0x130
[ 51.249988]  ? do_fb_ioctl+0xab0/0xab0
[ 51.249995]  do_vfs_ioctl+0xd5f/0x1380
[ 51.250002]  ? selinux_file_ioctl+0x46f/0x5e0
[ 51.250009]  ? selinux_file_ioctl+0x125/0x5e0
[ 51.250016]  ? ioctl_preallocate+0x210/0x210
[ 51.250024]  ? selinux_file_mprotect+0x620/0x620
[ 51.250031]  ? kmem_cache_free+0x222/0x260
[ 51.250039]  ? do_sys_open+0x31d/0x550
[ 51.250048]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 51.250055]  ? security_file_ioctl+0x8d/0xc0
[ 51.250062]  ksys_ioctl+0xab/0xd0
[ 51.250070]  __x64_sys_ioctl+0x73/0xb0
[ 51.250078]  do_syscall_64+0xfd/0x620
[ 51.250087]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.250091] RIP: 0033:0x440309
[ 51.250098] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 51.250102] RSP: 002b:00007ffddbbccb58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 51.250108] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440309
[ 51.250112] RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
[ 51.250116] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 51.250120] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b90
[ 51.250124] R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000
[ 51.251575] Kernel Offset: disabled
[ 52.133499] Rebooting in 86400 seconds..