[ ok ] Starting enhanced syslogd: rsyslogd.
[ 76.135703][ T27] audit: type=1800 audit(1578040549.551:25): pid=8882 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 76.164924][ T27] audit: type=1800 audit(1578040549.551:26): pid=8882 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 76.209381][ T27] audit: type=1800 audit(1578040549.551:27): pid=8882 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.55' (ECDSA) to the list of known hosts.
2020/01/03 08:35:57 parsed 1 programs
2020/01/03 08:35:59 executed programs: 0
syzkaller login: [ 86.607547][ T9051] IPVS: ftp: loaded support on port[0] = 21
[ 86.674070][ T9051] chnl_net:caif_netlink_parms(): no params data found
[ 86.705824][ T9051] bridge0: port 1(bridge_slave_0) entered blocking state
[ 86.714216][ T9051] bridge0: port 1(bridge_slave_0) entered disabled state
[ 86.722225][ T9051] device bridge_slave_0 entered promiscuous mode
[ 86.730935][ T9051] bridge0: port 2(bridge_slave_1) entered blocking state
[ 86.738110][ T9051] bridge0: port 2(bridge_slave_1) entered disabled state
[ 86.748098][ T9051] device bridge_slave_1 entered promiscuous mode
[ 86.766419][ T9051] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 86.777475][ T9051] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 86.798486][ T9051] team0: Port device team_slave_0 added
[ 86.806376][ T9051] team0: Port device team_slave_1 added
[ 86.856863][ T9051] device hsr_slave_0 entered promiscuous mode
[ 86.905456][ T9051] device hsr_slave_1 entered promiscuous mode
[ 86.982215][ T9051] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 87.038176][ T9051] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 87.086750][ T9051] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 87.137411][ T9051] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 87.186629][ T9051] bridge0: port 2(bridge_slave_1) entered blocking state
[ 87.193961][ T9051] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 87.201786][ T9051] bridge0: port 1(bridge_slave_0) entered blocking state
[ 87.208916][ T9051] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 87.251744][ T9051] 8021q: adding VLAN 0 to HW filter on device bond0
[ 87.265946][ T3018] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 87.276766][ T3018] bridge0: port 1(bridge_slave_0) entered disabled state
[ 87.285802][ T3018] bridge0: port 2(bridge_slave_1) entered disabled state
[ 87.293741][ T3018] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 87.307750][ T9051] 8021q: adding VLAN 0 to HW filter on device team0
[ 87.318225][ T2982] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 87.327436][ T2982] bridge0: port 1(bridge_slave_0) entered blocking state
[ 87.334475][ T2982] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 87.356858][ T2705] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 87.365634][ T2705] bridge0: port 2(bridge_slave_1) entered blocking state
[ 87.372736][ T2705] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 87.380923][ T2705] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 87.392688][ T2705] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 87.401039][ T2705] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 87.417866][ T9051] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 87.428660][ T9051] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 87.441801][ T2705] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 87.450897][ T2705] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 87.459481][ T2705] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 87.477637][ T2982] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 87.485863][ T2982] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 87.499699][ T9051] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 87.622557][ T9055] ==================================================================
[ 87.622618][ T9055] BUG: KASAN: slab-out-of-bounds in fbcon_get_font+0x2b2/0x5e0
[ 87.622631][ T9055] Read of size 16 at addr ffff8880956c4d10 by task syz-executor.0/9055
[ 87.622636][ T9055]
[ 87.622651][ T9055] CPU: 0 PID: 9055 Comm: syz-executor.0 Not tainted 5.5.0-rc4-syzkaller #0
[ 87.622661][ T9055] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 87.622667][ T9055] Call Trace:
[ 87.622685][ T9055] dump_stack+0x197/0x210
[ 87.622698][ T9055] ? fbcon_get_font+0x2b2/0x5e0
[ 87.622719][ T9055] print_address_description.constprop.0.cold+0xd4/0x30b
[ 87.622730][ T9055] ? fbcon_get_font+0x2b2/0x5e0
[ 87.622742][ T9055] ? fbcon_get_font+0x2b2/0x5e0
[ 87.622756][ T9055] __kasan_report.cold+0x1b/0x41
[ 87.622772][ T9055] ? fbcon_get_font+0x2b2/0x5e0
[ 87.622788][ T9055] kasan_report+0x12/0x20
[ 87.622813][ T9055] check_memory_region+0x134/0x1a0
[ 87.622829][ T9055] memcpy+0x24/0x50
[ 87.622844][ T9055] fbcon_get_font+0x2b2/0x5e0
[ 87.622859][ T9055] ? display_to_var+0x7e0/0x7e0
[ 87.622876][ T9055] con_font_op+0x20b/0x1270
[ 87.622891][ T9055] ? lock_downgrade+0x920/0x920
[ 87.622910][ T9055] ? con_write+0xd0/0xd0
[ 87.622939][ T9055] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 87.622956][ T9055] ? _copy_from_user+0x12c/0x1a0
[ 87.622973][ T9055] vt_ioctl+0x181a/0x26d0
[ 87.622990][ T9055] ? complete_change_console+0x3a0/0x3a0
[ 87.623003][ T9055] ? lock_downgrade+0x920/0x920
[ 87.623020][ T9055] ? rwlock_bug.part.0+0x90/0x90
[ 87.623038][ T9055] ? tomoyo_path_number_perm+0x214/0x520
[ 87.623053][ T9055] ? find_held_lock+0x35/0x130
[ 87.623072][ T9055] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 87.623089][ T9055] ? tty_jobctrl_ioctl+0x50/0xd40
[ 87.623103][ T9055] ? complete_change_console+0x3a0/0x3a0
[ 87.623122][ T9055] tty_ioctl+0xa37/0x14f0
[ 87.623147][ T9055] ? tty_vhangup+0x30/0x30
[ 87.623162][ T9055] ? tomoyo_path_number_perm+0x454/0x520
[ 87.623183][ T9055] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 87.623199][ T9055] ? tomoyo_path_number_perm+0x25e/0x520
[ 87.623219][ T9055] ? tomoyo_execute_permission+0x4a0/0x4a0
[ 87.623254][ T9055] ? tty_vhangup+0x30/0x30
[ 87.623272][ T9055] do_vfs_ioctl+0x977/0x14e0
[ 87.623293][ T9055] ? compat_ioctl_preallocate+0x220/0x220
[ 87.623307][ T9055] ? __fget+0x37f/0x550
[ 87.623328][ T9055] ? ksys_dup3+0x3e0/0x3e0
[ 87.623345][ T9055] ? ns_to_kernel_old_timeval+0x100/0x100
[ 87.623366][ T9055] ? tomoyo_file_ioctl+0x23/0x30
[ 87.623382][ T9055] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 87.623395][ T9055] ? security_file_ioctl+0x8d/0xc0
[ 87.623413][ T9055] ksys_ioctl+0xab/0xd0
[ 87.623430][ T9055] __x64_sys_ioctl+0x73/0xb0
[ 87.623450][ T9055] do_syscall_64+0xfa/0x790
[ 87.623470][ T9055] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 87.623481][ T9055] RIP: 0033:0x45a9e9
[ 87.623496][ T9055] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 87.623504][ T9055] RSP: 002b:00007fe99335ac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 87.623518][ T9055] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a9e9
[ 87.623526][ T9055] RDX: 0000000020000440 RSI: 0000000000004b72 RDI: 0000000000000004
[ 87.623535][ T9055] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 87.623544][ T9055] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe99335b6d4
[ 87.623553][ T9055] R13: 00000000004c3bb5 R14: 00000000004d94d8 R15: 00000000ffffffff
[ 87.623573][ T9055]
[ 87.623580][ T9055] Allocated by task 9055:
[ 87.623593][ T9055] save_stack+0x23/0x90
[ 87.623606][ T9055] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 87.623617][ T9055] kasan_kmalloc+0x9/0x10
[ 87.623628][ T9055] __kmalloc+0x163/0x770
[ 87.623639][ T9055] fbcon_set_font+0x32d/0x860
[ 87.623653][ T9055] con_font_op+0xe30/0x1270
[ 87.623664][ T9055] vt_ioctl+0xd2e/0x26d0
[ 87.623677][ T9055] tty_ioctl+0xa37/0x14f0
[ 87.623689][ T9055] do_vfs_ioctl+0x977/0x14e0
[ 87.623700][ T9055] ksys_ioctl+0xab/0xd0
[ 87.623712][ T9055] __x64_sys_ioctl+0x73/0xb0
[ 87.623727][ T9055] do_syscall_64+0xfa/0x790
[ 87.623742][ T9055] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 87.623746][ T9055]
[ 87.623752][ T9055] Freed by task 0:
[ 87.623757][ T9055] (stack is not available)
[ 87.623761][ T9055]
[ 87.623772][ T9055] The buggy address belongs to the object at ffff8880956c4000
[ 87.623772][ T9055] which belongs to the cache kmalloc-4k of size 4096
[ 87.623785][ T9055] The buggy address is located 3344 bytes inside of
[ 87.623785][ T9055] 4096-byte region [ffff8880956c4000, ffff8880956c5000)
[ 87.623791][ T9055] The buggy address belongs to the page:
[ 87.623812][ T9055] page:ffffea000255b100 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0
[ 87.623832][ T9055] raw: 00fffe0000010200 ffffea000254a088 ffffea000240c308 ffff8880aa402000
[ 87.623849][ T9055] raw: 0000000000000000 ffff8880956c4000 0000000100000001 0000000000000000
[ 87.623856][ T9055] page dumped because: kasan: bad access detected
[ 87.623860][ T9055]
[ 87.623865][ T9055] Memory state around the buggy address:
[ 87.623877][ T9055]  ffff8880956c4c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 87.623889][ T9055]  ffff8880956c4c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 87.623901][ T9055] >ffff8880956c4d00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 87.623906][ T9055]                          ^
[ 87.623918][ T9055]  ffff8880956c4d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 87.623930][ T9055]  ffff8880956c4e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 87.623936][ T9055] ==================================================================
[ 87.623941][ T9055] Disabling lock debugging due to kernel taint
[ 87.623948][ T9055] Kernel panic - not syncing: panic_on_warn set ...
[ 87.623963][ T9055] CPU: 0 PID: 9055 Comm: syz-executor.0 Tainted: G B 5.5.0-rc4-syzkaller #0
[ 87.623971][ T9055] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 87.623975][ T9055] Call Trace:
[ 87.623990][ T9055] dump_stack+0x197/0x210
[ 87.624007][ T9055] panic+0x2e3/0x75c
[ 87.624021][ T9055] ? add_taint.cold+0x16/0x16
[ 87.624041][ T9055] ? trace_hardirqs_on+0x67/0x240
[ 87.624054][ T9055] ? trace_hardirqs_on+0x5e/0x240
[ 87.624067][ T9055] ? fbcon_get_font+0x2b2/0x5e0
[ 87.624079][ T9055] end_report+0x47/0x4f
[ 87.624089][ T9055] ? fbcon_get_font+0x2b2/0x5e0
[ 87.624102][ T9055] __kasan_report.cold+0xe/0x41
[ 87.624115][ T9055] ? fbcon_get_font+0x2b2/0x5e0
[ 87.624129][ T9055] kasan_report+0x12/0x20
[ 87.624144][ T9055] check_memory_region+0x134/0x1a0
[ 87.624155][ T9055] memcpy+0x24/0x50
[ 87.624167][ T9055] fbcon_get_font+0x2b2/0x5e0
[ 87.624181][ T9055] ? display_to_var+0x7e0/0x7e0
[ 87.624195][ T9055] con_font_op+0x20b/0x1270
[ 87.624209][ T9055] ? lock_downgrade+0x920/0x920
[ 87.624225][ T9055] ? con_write+0xd0/0xd0
[ 87.624246][ T9055] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 87.624260][ T9055] ? _copy_from_user+0x12c/0x1a0
[ 87.624273][ T9055] vt_ioctl+0x181a/0x26d0
[ 87.624288][ T9055] ? complete_change_console+0x3a0/0x3a0
[ 87.624300][ T9055] ? lock_downgrade+0x920/0x920
[ 87.624314][ T9055] ? rwlock_bug.part.0+0x90/0x90
[ 87.624329][ T9055] ? tomoyo_path_number_perm+0x214/0x520
[ 87.624342][ T9055] ? find_held_lock+0x35/0x130
[ 87.624358][ T9055] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 87.624373][ T9055] ? tty_jobctrl_ioctl+0x50/0xd40
[ 87.624385][ T9055] ? complete_change_console+0x3a0/0x3a0
[ 87.624400][ T9055] tty_ioctl+0xa37/0x14f0
[ 87.624416][ T9055] ? tty_vhangup+0x30/0x30
[ 87.624430][ T9055] ? tomoyo_path_number_perm+0x454/0x520
[ 87.624447][ T9055] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 87.624461][ T9055] ? tomoyo_path_number_perm+0x25e/0x520
[ 87.624478][ T9055] ? tomoyo_execute_permission+0x4a0/0x4a0
[ 87.624501][ T9055] ? tty_vhangup+0x30/0x30
[ 87.624515][ T9055] do_vfs_ioctl+0x977/0x14e0
[ 87.624532][ T9055] ? compat_ioctl_preallocate+0x220/0x220
[ 87.624545][ T9055] ? __fget+0x37f/0x550
[ 87.624561][ T9055] ? ksys_dup3+0x3e0/0x3e0
[ 87.624576][ T9055] ? ns_to_kernel_old_timeval+0x100/0x100
[ 87.624593][ T9055] ? tomoyo_file_ioctl+0x23/0x30
[ 87.624608][ T9055] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 87.624620][ T9055] ? security_file_ioctl+0x8d/0xc0
[ 87.624638][ T9055] ksys_ioctl+0xab/0xd0
[ 87.624651][ T9055] __x64_sys_ioctl+0x73/0xb0
[ 87.624665][ T9055] do_syscall_64+0xfa/0x790
[ 87.624678][ T9055] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 87.624686][ T9055] RIP: 0033:0x45a9e9
[ 87.624699][ T9055] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 87.624707][ T9055] RSP: 002b:00007fe99335ac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 87.624719][ T9055] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a9e9
[ 87.624726][ T9055] RDX: 0000000020000440 RSI: 0000000000004b72 RDI: 0000000000000004
[ 87.624733][ T9055] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 87.624741][ T9055] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe99335b6d4
[ 87.624748][ T9055] R13: 00000000004c3bb5 R14: 00000000004d94d8 R15: 00000000ffffffff
[ 87.626169][ T9055] Kernel Offset: disabled
[ 88.548900][ T9055] Rebooting in 86400 seconds..