[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.15.201' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 67.700316][ T28] audit: type=1400 audit(1599659511.433:8): avc: denied { execmem } for pid=6846 comm="syz-executor747" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 67.761468][ T6851] ==================================================================
[ 67.761525][ T6851] BUG: KASAN: global-out-of-bounds in fbcon_resize+0x781/0x810
[ 67.761537][ T6851] Read of size 4 at addr ffffffff8896c2d8 by task syz-executor747/6851
[ 67.761541][ T6851]
[ 67.761555][ T6851] CPU: 1 PID: 6851 Comm: syz-executor747 Not tainted 5.9.0-rc4-syzkaller #0
[ 67.761562][ T6851] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.761568][ T6851] Call Trace:
[ 67.761583][ T6851] dump_stack+0x198/0x1fd
[ 67.761598][ T6851] ? fbcon_resize+0x781/0x810
[ 67.761609][ T6851] ? fbcon_resize+0x781/0x810
[ 67.761627][ T6851] print_address_description.constprop.0.cold+0x5/0x497
[ 67.761642][ T6851] ? fbcon_resize+0x781/0x810
[ 67.761656][ T6851] ? lockdep_hardirqs_off+0x96/0xd0
[ 67.761671][ T6851] ? vprintk_func+0x97/0x1a6
[ 67.761686][ T6851] ? fbcon_resize+0x781/0x810
[ 67.761697][ T6851] ? fbcon_resize+0x781/0x810
[ 67.761707][ T6851] kasan_report.cold+0x1f/0x37
[ 67.761723][ T6851] ? fbcon_resize+0x781/0x810
[ 67.761736][ T6851] fbcon_resize+0x781/0x810
[ 67.761754][ T6851] ? display_to_var+0x7b0/0x7b0
[ 67.761786][ T6851] ? vc_do_resize+0x2f6/0x1150
[ 67.761796][ T6851] ? __kmalloc+0x1c7/0x310
[ 67.761813][ T6851] ? display_to_var+0x7b0/0x7b0
[ 67.761828][ T6851] vc_do_resize+0x535/0x1150
[ 67.761860][ T6851] ? lock_release+0x8f0/0x8f0
[ 67.761871][ T6851] ? lock_downgrade+0x830/0x830
[ 67.761883][ T6851] ? rwlock_bug.part.0+0x90/0x90
[ 67.761894][ T6851] ? check_preemption_disabled+0x50/0x130
[ 67.761906][ T6851] ? store_bind+0x6a0/0x6a0
[ 67.761921][ T6851] ? _raw_spin_unlock_irqrestore+0x6f/0x90
[ 67.761934][ T6851] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 67.761946][ T6851] ? _raw_spin_unlock_irqrestore+0x6f/0x90
[ 67.761967][ T6851] vt_ioctl+0x11d2/0x2cc0
[ 67.761982][ T6851] ? lock_downgrade+0x830/0x830
[ 67.762003][ T6851] ? vt_waitactive+0x350/0x350
[ 67.762016][ T6851] ? check_preemption_disabled+0x50/0x130
[ 67.762026][ T6851] ? kfree+0x221/0x2b0
[ 67.762042][ T6851] ? tomoyo_path_number_perm+0x415/0x4d0
[ 67.762055][ T6851] ? lockdep_hardirqs_on+0x53/0x100
[ 67.762075][ T6851] ? tomoyo_path_number_perm+0x244/0x4d0
[ 67.762092][ T6851] ? tomoyo_execute_permission+0x470/0x470
[ 67.762112][ T6851] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 67.762129][ T6851] ? tty_jobctrl_ioctl+0x4d/0x1010
[ 67.762141][ T6851] ? vt_waitactive+0x350/0x350
[ 67.762158][ T6851] tty_ioctl+0x1019/0x15f0
[ 67.762175][ T6851] ? tty_fasync+0x390/0x390
[ 67.762186][ T6851] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 67.762200][ T6851] ? do_vfs_ioctl+0x27d/0x1090
[ 67.762214][ T6851] ? generic_block_fiemap+0x60/0x60
[ 67.762228][ T6851] ? selinux_inode_getsecctx+0x90/0x90
[ 67.762240][ T6851] ? lock_acquire+0x1f3/0xae0
[ 67.762259][ T6851] ? __fget_files+0x294/0x400
[ 67.762278][ T6851] ? bpf_lsm_file_ioctl+0x5/0x10
[ 67.762291][ T6851] ? tty_fasync+0x390/0x390
[ 67.762307][ T6851] __x64_sys_ioctl+0x193/0x200
[ 67.762325][ T6851] do_syscall_64+0x2d/0x70
[ 67.762339][ T6851] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 67.762351][ T6851] RIP: 0033:0x445959
[ 67.762366][ T6851] Code: e8 fc b8 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 67.762374][ T6851] RSP: 002b:00007ff020829db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 67.762389][ T6851] RAX: ffffffffffffffda RBX: 00000000006dac38 RCX: 0000000000445959
[ 67.762398][ T6851] RDX: 0000000020001740 RSI: 0000000000005609 RDI: 0000000000000006
[ 67.762407][ T6851] RBP: 00000000006dac30 R08: 0000000000000000 R09: 0000000000000000
[ 67.762415][ T6851] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac3c
[ 67.762425][ T6851] R13: 00007fff73df80ff R14: 00007ff02082a9c0 R15: 20c49ba5e353f7cf
[ 67.762446][ T6851]
[ 67.762451][ T6851] The buggy address belongs to the variable:
[ 67.762464][ T6851] font_vga_8x16+0x58/0x60
[ 67.762468][ T6851]
[ 67.762473][ T6851] Memory state around the buggy address:
[ 67.762485][ T6851]  ffffffff8896c180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.762494][ T6851]  ffffffff8896c200: 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
[ 67.762504][ T6851] >ffffffff8896c280: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
[ 67.762510][ T6851] ^
[ 67.762520][ T6851]  ffffffff8896c300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.762530][ T6851]  ffffffff8896c380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.762536][ T6851] ==================================================================
[ 67.762541][ T6851] Disabling lock debugging due to kernel taint
[ 67.762547][ T6851] Kernel panic - not syncing: panic_on_warn set ...
[ 67.762560][ T6851] CPU: 1 PID: 6851 Comm: syz-executor747 Tainted: G B 5.9.0-rc4-syzkaller #0
[ 67.762566][ T6851] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.762569][ T6851] Call Trace:
[ 67.762580][ T6851] dump_stack+0x198/0x1fd
[ 67.762590][ T6851] ? fbcon_resize+0x720/0x810
[ 67.762600][ T6851] panic+0x347/0x7c0
[ 67.762613][ T6851] ? __warn_printk+0xf3/0xf3
[ 67.762626][ T6851] ? trace_hardirqs_on+0x55/0x220
[ 67.762635][ T6851] ? fbcon_resize+0x781/0x810
[ 67.762643][ T6851] ? fbcon_resize+0x781/0x810
[ 67.762652][ T6851] end_report+0x4d/0x53
[ 67.762661][ T6851] kasan_report.cold+0xd/0x37
[ 67.762671][ T6851] ? fbcon_resize+0x781/0x810
[ 67.762681][ T6851] fbcon_resize+0x781/0x810
[ 67.762692][ T6851] ? display_to_var+0x7b0/0x7b0
[ 67.762706][ T6851] ? vc_do_resize+0x2f6/0x1150
[ 67.762714][ T6851] ? __kmalloc+0x1c7/0x310
[ 67.762725][ T6851] ? display_to_var+0x7b0/0x7b0
[ 67.762734][ T6851] vc_do_resize+0x535/0x1150
[ 67.762750][ T6851] ? lock_release+0x8f0/0x8f0
[ 67.762760][ T6851] ? lock_downgrade+0x830/0x830
[ 67.762770][ T6851] ? rwlock_bug.part.0+0x90/0x90
[ 67.762779][ T6851] ? check_preemption_disabled+0x50/0x130
[ 67.762788][ T6851] ? store_bind+0x6a0/0x6a0
[ 67.762798][ T6851] ? _raw_spin_unlock_irqrestore+0x6f/0x90
[ 67.762809][ T6851] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 67.762819][ T6851] ? _raw_spin_unlock_irqrestore+0x6f/0x90
[ 67.762832][ T6851] vt_ioctl+0x11d2/0x2cc0
[ 67.762843][ T6851] ? lock_downgrade+0x830/0x830
[ 67.762854][ T6851] ? vt_waitactive+0x350/0x350
[ 67.762864][ T6851] ? check_preemption_disabled+0x50/0x130
[ 67.762873][ T6851] ? kfree+0x221/0x2b0
[ 67.762885][ T6851] ? tomoyo_path_number_perm+0x415/0x4d0
[ 67.762897][ T6851] ? lockdep_hardirqs_on+0x53/0x100
[ 67.762910][ T6851] ? tomoyo_path_number_perm+0x244/0x4d0
[ 67.762923][ T6851] ? tomoyo_execute_permission+0x470/0x470
[ 67.762946][ T6851] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 67.762958][ T6851] ? tty_jobctrl_ioctl+0x4d/0x1010
[ 67.762966][ T6851] ? vt_waitactive+0x350/0x350
[ 67.762977][ T6851] tty_ioctl+0x1019/0x15f0
[ 67.762993][ T6851] ? tty_fasync+0x390/0x390
[ 67.763003][ T6851] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 67.763013][ T6851] ? do_vfs_ioctl+0x27d/0x1090
[ 67.763024][ T6851] ? generic_block_fiemap+0x60/0x60
[ 67.763037][ T6851] ? selinux_inode_getsecctx+0x90/0x90
[ 67.763048][ T6851] ? lock_acquire+0x1f3/0xae0
[ 67.763064][ T6851] ? __fget_files+0x294/0x400
[ 67.763078][ T6851] ? bpf_lsm_file_ioctl+0x5/0x10
[ 67.763089][ T6851] ? tty_fasync+0x390/0x390
[ 67.763102][ T6851] __x64_sys_ioctl+0x193/0x200
[ 67.763115][ T6851] do_syscall_64+0x2d/0x70
[ 67.763126][ T6851] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 67.763135][ T6851] RIP: 0033:0x445959
[ 67.763147][ T6851] Code: e8 fc b8 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 67.763153][ T6851] RSP: 002b:00007ff020829db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 67.763164][ T6851] RAX: ffffffffffffffda RBX: 00000000006dac38 RCX: 0000000000445959
[ 67.763171][ T6851] RDX: 0000000020001740 RSI: 0000000000005609 RDI: 0000000000000006
[ 67.763178][ T6851] RBP: 00000000006dac30 R08: 0000000000000000 R09: 0000000000000000
[ 67.763185][ T6851] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac3c
[ 67.763193][ T6851] R13: 00007fff73df80ff R14: 00007ff02082a9c0 R15: 20c49ba5e353f7cf
[ 67.764583][ T6851] Kernel Offset: disabled
[ 68.562956][ T6851] Rebooting in 86400 seconds..