[ 96.654319][ T27] audit: type=1800 audit(1578037268.270:40): pid=9606 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 100.102502][ T27] audit: type=1400 audit(1578037271.740:41): avc: denied { map } for pid=9781 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.235' (ECDSA) to the list of known hosts.
[ 106.812608][ T27] audit: type=1400 audit(1578037278.450:42): avc: denied { map } for pid=9793 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/01/03 07:41:18 parsed 1 programs
[ 108.548566][ T27] audit: type=1400 audit(1578037280.190:43): avc: denied { map } for pid=9793 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=1035 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2020/01/03 07:41:20 executed programs: 0
[ 108.791944][ T9810] IPVS: ftp: loaded support on port[0] = 21
[ 108.859796][ T9810] chnl_net:caif_netlink_parms(): no params data found
[ 108.889625][ T9810] bridge0: port 1(bridge_slave_0) entered blocking state
[ 108.896997][ T9810] bridge0: port 1(bridge_slave_0) entered disabled state
[ 108.904832][ T9810] device bridge_slave_0 entered promiscuous mode
[ 108.913201][ T9810] bridge0: port 2(bridge_slave_1) entered blocking state
[ 108.927724][ T9810] bridge0: port 2(bridge_slave_1) entered disabled state
[ 108.935876][ T9810] device bridge_slave_1 entered promiscuous mode
[ 108.962135][ T9810] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 108.974703][ T9810] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 109.003118][ T9810] team0: Port device team_slave_0 added
[ 109.011748][ T9810] team0: Port device team_slave_1 added
[ 109.090649][ T9810] device hsr_slave_0 entered promiscuous mode
[ 109.167886][ T9810] device hsr_slave_1 entered promiscuous mode
[ 109.244414][ T27] audit: type=1400 audit(1578037280.880:44): avc: denied { create } for pid=9810 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 109.247047][ T9810] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 109.275901][ T27] audit: type=1400 audit(1578037280.880:45): avc: denied { write } for pid=9810 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 109.301238][ T27] audit: type=1400 audit(1578037280.880:46): avc: denied { read } for pid=9810 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 109.360310][ T9810] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 109.429931][ T9810] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 109.500816][ T9810] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 109.560948][ T9810] bridge0: port 2(bridge_slave_1) entered blocking state
[ 109.568190][ T9810] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 109.575930][ T9810] bridge0: port 1(bridge_slave_0) entered blocking state
[ 109.583040][ T9810] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 109.625774][ T9810] 8021q: adding VLAN 0 to HW filter on device bond0
[ 109.640180][ T2847] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 109.650888][ T2847] bridge0: port 1(bridge_slave_0) entered disabled state
[ 109.659688][ T2847] bridge0: port 2(bridge_slave_1) entered disabled state
[ 109.668198][ T2847] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 109.681230][ T9810] 8021q: adding VLAN 0 to HW filter on device team0
[ 109.692004][ T2846] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 109.700567][ T2846] bridge0: port 1(bridge_slave_0) entered blocking state
[ 109.707673][ T2846] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 109.718979][ T2847] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 109.727326][ T2847] bridge0: port 2(bridge_slave_1) entered blocking state
[ 109.734434][ T2847] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 109.754173][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 109.763580][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 109.775019][ T2850] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 109.789874][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 109.801266][ T2850] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 109.812523][ T9810] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 109.829481][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 109.836917][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 109.851028][ T9810] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 109.866272][ T27] audit: type=1400 audit(1578037281.500:47): avc: denied { associate } for pid=9810 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 109.971068][ T9815] ==================================================================
[ 109.971130][ T9815] BUG: KASAN: slab-out-of-bounds in fbcon_get_font+0x2b2/0x5e0
[ 109.971143][ T9815] Read of size 16 at addr ffff88809548cd10 by task syz-executor.0/9815
[ 109.971147][ T9815]
[ 109.971163][ T9815] CPU: 0 PID: 9815 Comm: syz-executor.0 Not tainted 5.5.0-rc4-syzkaller #0
[ 109.971172][ T9815] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 109.971178][ T9815] Call Trace:
[ 109.971196][ T9815]  dump_stack+0x197/0x210
[ 109.971210][ T9815]  ? fbcon_get_font+0x2b2/0x5e0
[ 109.971230][ T9815]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 109.971243][ T9815]  ? fbcon_get_font+0x2b2/0x5e0
[ 109.971256][ T9815]  ? fbcon_get_font+0x2b2/0x5e0
[ 109.971271][ T9815]  __kasan_report.cold+0x1b/0x41
[ 109.971286][ T9815]  ? fbcon_get_font+0x2b2/0x5e0
[ 109.971302][ T9815]  kasan_report+0x12/0x20
[ 109.971316][ T9815]  check_memory_region+0x134/0x1a0
[ 109.971330][ T9815]  memcpy+0x24/0x50
[ 109.971344][ T9815]  fbcon_get_font+0x2b2/0x5e0
[ 109.971361][ T9815]  ? display_to_var+0x7e0/0x7e0
[ 109.971380][ T9815]  con_font_op+0x20b/0x1270
[ 109.971396][ T9815]  ? lock_downgrade+0x920/0x920
[ 109.971413][ T9815]  ? con_write+0xd0/0xd0
[ 109.971442][ T9815]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 109.971458][ T9815]  ? _copy_from_user+0x12c/0x1a0
[ 109.971474][ T9815]  vt_ioctl+0x181a/0x26d0
[ 109.971490][ T9815]  ? complete_change_console+0x3a0/0x3a0
[ 109.971502][ T9815]  ? lock_downgrade+0x920/0x920
[ 109.971517][ T9815]  ? rwlock_bug.part.0+0x90/0x90
[ 109.971535][ T9815]  ? tomoyo_path_number_perm+0x214/0x520
[ 109.971549][ T9815]  ? find_held_lock+0x35/0x130
[ 109.971567][ T9815]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 109.971584][ T9815]  ? tty_jobctrl_ioctl+0x50/0xd40
[ 109.971596][ T9815]  ? complete_change_console+0x3a0/0x3a0
[ 109.971614][ T9815]  tty_ioctl+0xa37/0x14f0
[ 109.971633][ T9815]  ? tty_vhangup+0x30/0x30
[ 109.971647][ T9815]  ? tomoyo_path_number_perm+0x454/0x520
[ 109.971668][ T9815]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 109.971684][ T9815]  ? tomoyo_path_number_perm+0x25e/0x520
[ 109.971701][ T9815]  ? tomoyo_execute_permission+0x4a0/0x4a0
[ 109.971734][ T9815]  ? ___might_sleep+0x163/0x2c0
[ 109.971755][ T9815]  ? tty_vhangup+0x30/0x30
[ 109.971772][ T9815]  do_vfs_ioctl+0x977/0x14e0
[ 109.971790][ T9815]  ? compat_ioctl_preallocate+0x220/0x220
[ 109.971805][ T9815]  ? selinux_file_mprotect+0x620/0x620
[ 109.971817][ T9815]  ? __fget+0x37f/0x550
[ 109.971836][ T9815]  ? ksys_dup3+0x3e0/0x3e0
[ 109.971853][ T9815]  ? ns_to_kernel_old_timeval+0x100/0x100
[ 109.971873][ T9815]  ? tomoyo_file_ioctl+0x23/0x30
[ 109.971888][ T9815]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 109.971902][ T9815]  ? security_file_ioctl+0x8d/0xc0
[ 109.971920][ T9815]  ksys_ioctl+0xab/0xd0
[ 109.971937][ T9815]  __x64_sys_ioctl+0x73/0xb0
[ 109.971955][ T9815]  do_syscall_64+0xfa/0x790
[ 109.971975][ T9815]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 109.971986][ T9815] RIP: 0033:0x45a9e9
[ 109.972001][ T9815] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 109.972009][ T9815] RSP: 002b:00007fd9740f6c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 109.972022][ T9815] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a9e9
[ 109.972030][ T9815] RDX: 0000000020000440 RSI: 0000000000004b72 RDI: 0000000000000004
[ 109.972038][ T9815] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 109.972046][ T9815] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd9740f76d4
[ 109.972054][ T9815] R13: 00000000004c3bb5 R14: 00000000004d94d8 R15: 00000000ffffffff
[ 109.972073][ T9815]
[ 109.972080][ T9815] Allocated by task 9813:
[ 109.972092][ T9815]  save_stack+0x23/0x90
[ 109.972105][ T9815]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 109.972116][ T9815]  kasan_kmalloc+0x9/0x10
[ 109.972127][ T9815]  __kmalloc+0x163/0x770
[ 109.972138][ T9815]  fbcon_set_font+0x32d/0x860
[ 109.972152][ T9815]  con_font_op+0xe30/0x1270
[ 109.972163][ T9815]  vt_ioctl+0xd2e/0x26d0
[ 109.972175][ T9815]  tty_ioctl+0xa37/0x14f0
[ 109.972187][ T9815]  do_vfs_ioctl+0x977/0x14e0
[ 109.972198][ T9815]  ksys_ioctl+0xab/0xd0
[ 109.972209][ T9815]  __x64_sys_ioctl+0x73/0xb0
[ 109.972222][ T9815]  do_syscall_64+0xfa/0x790
[ 109.972235][ T9815]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 109.972239][ T9815]
[ 109.972245][ T9815] Freed by task 0:
[ 109.972249][ T9815] (stack is not available)
[ 109.972252][ T9815]
[ 109.972263][ T9815] The buggy address belongs to the object at ffff88809548c000
[ 109.972263][ T9815]  which belongs to the cache kmalloc-4k of size 4096
[ 109.972274][ T9815] The buggy address is located 3344 bytes inside of
[ 109.972274][ T9815]  4096-byte region [ffff88809548c000, ffff88809548d000)
[ 109.972279][ T9815] The buggy address belongs to the page:
[ 109.972293][ T9815] page:ffffea0002552300 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0
[ 109.972310][ T9815] raw: 00fffe0000010200 ffffea00025b6a08 ffffea000256e588 ffff8880aa402000
[ 109.972325][ T9815] raw: 0000000000000000 ffff88809548c000 0000000100000001 0000000000000000
[ 109.972332][ T9815] page dumped because: kasan: bad access detected
[ 109.972335][ T9815]
[ 109.972340][ T9815] Memory state around the buggy address:
[ 109.972352][ T9815]  ffff88809548cc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 109.972363][ T9815]  ffff88809548cc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 109.972374][ T9815] >ffff88809548cd00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 109.972379][ T9815]                          ^
[ 109.972391][ T9815]  ffff88809548cd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 109.972403][ T9815]  ffff88809548ce00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 109.972408][ T9815] ==================================================================
[ 109.972413][ T9815] Disabling lock debugging due to kernel taint
[ 109.972449][ T9815] Kernel panic - not syncing: panic_on_warn set ...
[ 109.972464][ T9815] CPU: 0 PID: 9815 Comm: syz-executor.0 Tainted: G B 5.5.0-rc4-syzkaller #0
[ 109.972471][ T9815] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 109.972475][ T9815] Call Trace:
[ 109.972490][ T9815]  dump_stack+0x197/0x210
[ 109.972506][ T9815]  panic+0x2e3/0x75c
[ 109.972520][ T9815]  ? add_taint.cold+0x16/0x16
[ 109.972531][ T9815]  ? fbcon_get_font+0x2b2/0x5e0
[ 109.972547][ T9815]  ? preempt_schedule+0x4b/0x60
[ 109.972560][ T9815]  ? ___preempt_schedule+0x16/0x18
[ 109.972576][ T9815]  ? trace_hardirqs_on+0x5e/0x240
[ 109.972589][ T9815]  ? fbcon_get_font+0x2b2/0x5e0
[ 109.972601][ T9815]  end_report+0x47/0x4f
[ 109.972612][ T9815]  ? fbcon_get_font+0x2b2/0x5e0
[ 109.972624][ T9815]  __kasan_report.cold+0xe/0x41
[ 109.972636][ T9815]  ? fbcon_get_font+0x2b2/0x5e0
[ 109.972649][ T9815]  kasan_report+0x12/0x20
[ 109.972662][ T9815]  check_memory_region+0x134/0x1a0
[ 109.972675][ T9815]  memcpy+0x24/0x50
[ 109.972687][ T9815]  fbcon_get_font+0x2b2/0x5e0
[ 109.972700][ T9815]  ? display_to_var+0x7e0/0x7e0
[ 109.972724][ T9815]  con_font_op+0x20b/0x1270
[ 109.972737][ T9815]  ? lock_downgrade+0x920/0x920
[ 109.972750][ T9815]  ? con_write+0xd0/0xd0
[ 109.972771][ T9815]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 109.972786][ T9815]  ? _copy_from_user+0x12c/0x1a0
[ 109.972798][ T9815]  vt_ioctl+0x181a/0x26d0
[ 109.972812][ T9815]  ? complete_change_console+0x3a0/0x3a0
[ 109.972823][ T9815]  ? lock_downgrade+0x920/0x920
[ 109.972836][ T9815]  ? rwlock_bug.part.0+0x90/0x90
[ 109.972849][ T9815]  ? tomoyo_path_number_perm+0x214/0x520
[ 109.972861][ T9815]  ? find_held_lock+0x35/0x130
[ 109.972876][ T9815]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 109.972889][ T9815]  ? tty_jobctrl_ioctl+0x50/0xd40
[ 109.972901][ T9815]  ? complete_change_console+0x3a0/0x3a0
[ 109.972915][ T9815]  tty_ioctl+0xa37/0x14f0
[ 109.972929][ T9815]  ? tty_vhangup+0x30/0x30
[ 109.972942][ T9815]  ? tomoyo_path_number_perm+0x454/0x520
[ 109.972958][ T9815]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 109.972972][ T9815]  ? tomoyo_path_number_perm+0x25e/0x520
[ 109.972987][ T9815]  ? tomoyo_execute_permission+0x4a0/0x4a0
[ 109.973004][ T9815]  ? ___might_sleep+0x163/0x2c0
[ 109.973021][ T9815]  ? tty_vhangup+0x30/0x30
[ 109.973035][ T9815]  do_vfs_ioctl+0x977/0x14e0
[ 109.973051][ T9815]  ? compat_ioctl_preallocate+0x220/0x220
[ 109.973064][ T9815]  ? selinux_file_mprotect+0x620/0x620
[ 109.973075][ T9815]  ? __fget+0x37f/0x550
[ 109.973090][ T9815]  ? ksys_dup3+0x3e0/0x3e0
[ 109.973104][ T9815]  ? ns_to_kernel_old_timeval+0x100/0x100
[ 109.973120][ T9815]  ? tomoyo_file_ioctl+0x23/0x30
[ 109.973135][ T9815]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 109.973147][ T9815]  ? security_file_ioctl+0x8d/0xc0
[ 109.973160][ T9815]  ksys_ioctl+0xab/0xd0
[ 109.973173][ T9815]  __x64_sys_ioctl+0x73/0xb0
[ 109.973187][ T9815]  do_syscall_64+0xfa/0x790
[ 109.973204][ T9815]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 109.973213][ T9815] RIP: 0033:0x45a9e9
[ 109.973225][ T9815] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 109.973232][ T9815] RSP: 002b:00007fd9740f6c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 109.973243][ T9815] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a9e9
[ 109.973250][ T9815] RDX: 0000000020000440 RSI: 0000000000004b72 RDI: 0000000000000004
[ 109.973257][ T9815] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 109.973265][ T9815] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd9740f76d4
[ 109.973273][ T9815] R13: 00000000004c3bb5 R14: 00000000004d94d8 R15: 00000000ffffffff
[ 109.974856][ T9815] Kernel Offset: disabled
[ 110.905602][ T9815] Rebooting in 86400 seconds..