[ 41.186318] audit: type=1800 audit(1578305903.468:31): pid=7873 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 45.874903] kauditd_printk_skb: 3 callbacks suppressed
[ 45.874919] audit: type=1400 audit(1578305908.218:35): avc: denied { map } for pid=8049 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.7' (ECDSA) to the list of known hosts.
executing program
[ 52.583054] audit: type=1400 audit(1578305914.918:36): avc: denied { map } for pid=8061 comm="syz-executor569" path="/root/syz-executor569135554" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 52.681947] ==================================================================
[ 52.681972] BUG: KASAN: slab-out-of-bounds in soft_cursor+0x439/0xa30
[ 52.681979] Read of size 16 at addr ffff888088287840 by task syz-executor569/8061
[ 52.681981]
[ 52.681991] CPU: 1 PID: 8061 Comm: syz-executor569 Not tainted 4.19.93-syzkaller #0
[ 52.681996] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.681999] Call Trace:
[ 52.682011]  dump_stack+0x197/0x210
[ 52.682020]  ? soft_cursor+0x439/0xa30
[ 52.682031]  print_address_description.cold+0x7c/0x20d
[ 52.682039]  ? soft_cursor+0x439/0xa30
[ 52.682047]  kasan_report.cold+0x8c/0x2ba
[ 52.682058]  check_memory_region+0x123/0x190
[ 52.682067]  memcpy+0x24/0x50
[ 52.682074]  soft_cursor+0x439/0xa30
[ 52.682084]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 52.682097]  bit_cursor+0x12fc/0x1a60
[ 52.682109]  ? bit_clear+0x530/0x530
[ 52.682118]  ? tty_do_resize+0x5e/0x170
[ 52.682133]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 52.682143]  ? get_color+0x225/0x430
[ 52.682154]  fbcon_cursor+0x58a/0x7b0
[ 52.682161]  ? bit_clear+0x530/0x530
[ 52.682172]  hide_cursor+0x9e/0x300
[ 52.682181]  redraw_screen+0x2ee/0x8e0
[ 52.682192]  ? con_flush_chars+0xa0/0xa0
[ 52.682201]  ? mutex_unlock+0xd/0x10
[ 52.682210]  vc_do_resize+0x118e/0x14a0
[ 52.682227]  ? vc_uniscr_alloc+0xd0/0xd0
[ 52.682237]  ? lock_acquire+0x16f/0x3f0
[ 52.682244]  ? vt_ioctl+0x1ec0/0x2530
[ 52.682254]  vc_resize+0x4d/0x60
[ 52.682263]  vt_ioctl+0x1fe0/0x2530
[ 52.682272]  ? complete_change_console+0x3a0/0x3a0
[ 52.682282]  ? avc_has_extended_perms+0xa78/0x10f0
[ 52.682294]  ? avc_ss_reset+0x190/0x190
[ 52.682301]  ? save_stack+0xa9/0xd0
[ 52.682308]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 52.682318]  ? tty_jobctrl_ioctl+0x50/0xcd0
[ 52.682325]  ? complete_change_console+0x3a0/0x3a0
[ 52.682335]  tty_ioctl+0x7f3/0x1510
[ 52.682345]  ? tty_vhangup+0x30/0x30
[ 52.682353]  ? find_held_lock+0x35/0x130
[ 52.682384]  ? debug_check_no_obj_freed+0x200/0x464
[ 52.682402]  ? __might_sleep+0x95/0x190
[ 52.682411]  ? trace_hardirqs_off+0x62/0x220
[ 52.682419]  ? tty_vhangup+0x30/0x30
[ 52.682430]  do_vfs_ioctl+0xd5f/0x1380
[ 52.682438]  ? selinux_file_ioctl+0x46f/0x5e0
[ 52.682445]  ? selinux_file_ioctl+0x125/0x5e0
[ 52.682454]  ? ioctl_preallocate+0x210/0x210
[ 52.682461]  ? selinux_file_mprotect+0x620/0x620
[ 52.682467]  ? putname+0xef/0x130
[ 52.682476]  ? kmem_cache_free+0x222/0x260
[ 52.682484]  ? putname+0xf4/0x130
[ 52.682494]  ? do_sys_open+0x31d/0x550
[ 52.682505]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 52.682514]  ? security_file_ioctl+0x8d/0xc0
[ 52.682524]  ksys_ioctl+0xab/0xd0
[ 52.682534]  __x64_sys_ioctl+0x73/0xb0
[ 52.682545]  do_syscall_64+0xfd/0x620
[ 52.682556]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.682563] RIP: 0033:0x440249
[ 52.682572] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 52.682577] RSP: 002b:00007ffc3af94c08 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 52.682585] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440249
[ 52.682590] RDX: 0000000020000000 RSI: 000000000000560a RDI: 0000000000000004
[ 52.682594] RBP: 00000000006cb018 R08: 000000000000000d R09: 00000000004002c8
[ 52.682599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b30
[ 52.682603] R13: 0000000000401bc0 R14: 0000000000000000 R15: 0000000000000000
[ 52.682614]
[ 52.682618] Allocated by task 8061:
[ 52.682626]  save_stack+0x45/0xd0
[ 52.682633]  kasan_kmalloc+0xce/0xf0
[ 52.682639]  __kmalloc+0x15d/0x750
[ 52.682647]  fbcon_set_font+0x32d/0x860
[ 52.682653]  con_font_op+0xe18/0x1250
[ 52.682659]  vt_ioctl+0x35a/0x2530
[ 52.682665]  tty_ioctl+0x7f3/0x1510
[ 52.682672]  do_vfs_ioctl+0xd5f/0x1380
[ 52.682678]  ksys_ioctl+0xab/0xd0
[ 52.682685]  __x64_sys_ioctl+0x73/0xb0
[ 52.682692]  do_syscall_64+0xfd/0x620
[ 52.682699]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.682701]
[ 52.682704] Freed by task 0:
[ 52.682706] (stack is not available)
[ 52.682708]
[ 52.682714] The buggy address belongs to the object at ffff888088287100
[ 52.682714]  which belongs to the cache kmalloc-2048 of size 2048
[ 52.682720] The buggy address is located 1856 bytes inside of
[ 52.682720]  2048-byte region [ffff888088287100, ffff888088287900)
[ 52.682723] The buggy address belongs to the page:
[ 52.682730] page:ffffea000220a180 count:1 mapcount:0 mapping:ffff88812c31cc40 index:0x0 compound_mapcount: 0
[ 52.682739] flags: 0xfffe0000008100(slab|head)
[ 52.682750] raw: 00fffe0000008100 ffffea0002440588 ffff88812c314948 ffff88812c31cc40
[ 52.682759] raw: 0000000000000000 ffff888088286000 0000000100000003 0000000000000000
[ 52.682762] page dumped because: kasan: bad access detected
[ 52.682764]
[ 52.682767] Memory state around the buggy address:
[ 52.682773]  ffff888088287700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 52.682779]  ffff888088287780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 52.682785] >ffff888088287800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 52.682788]                                            ^
[ 52.682794]  ffff888088287880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 52.682799]  ffff888088287900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 52.682802] ==================================================================
[ 52.682805] Disabling lock debugging due to kernel taint
[ 52.682810] Kernel panic - not syncing: panic_on_warn set ...
[ 52.682810]
[ 52.682817] CPU: 1 PID: 8061 Comm: syz-executor569 Tainted: G    B   4.19.93-syzkaller #0
[ 52.682821] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.682823] Call Trace:
[ 52.682831]  dump_stack+0x197/0x210
[ 52.682838]  ? soft_cursor+0x439/0xa30
[ 52.682845]  panic+0x26a/0x50e
[ 52.682851]  ? __warn_printk+0xf3/0xf3
[ 52.682860]  ? lock_downgrade+0x880/0x880
[ 52.682868]  ? trace_hardirqs_on+0x67/0x220
[ 52.682874]  ? trace_hardirqs_on+0x5e/0x220
[ 52.682882]  ? soft_cursor+0x439/0xa30
[ 52.682889]  kasan_end_report+0x47/0x4f
[ 52.682897]  kasan_report.cold+0xa9/0x2ba
[ 52.682906]  check_memory_region+0x123/0x190
[ 52.682913]  memcpy+0x24/0x50
[ 52.682920]  soft_cursor+0x439/0xa30
[ 52.682928]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 52.682937]  bit_cursor+0x12fc/0x1a60
[ 52.682946]  ? bit_clear+0x530/0x530
[ 52.682952]  ? tty_do_resize+0x5e/0x170
[ 52.682963]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 52.682970]  ? get_color+0x225/0x430
[ 52.682979]  fbcon_cursor+0x58a/0x7b0
[ 52.682985]  ? bit_clear+0x530/0x530
[ 52.682994]  hide_cursor+0x9e/0x300
[ 52.683001]  redraw_screen+0x2ee/0x8e0
[ 52.683010]  ? con_flush_chars+0xa0/0xa0
[ 52.683016]  ? mutex_unlock+0xd/0x10
[ 52.683024]  vc_do_resize+0x118e/0x14a0
[ 52.683035]  ? vc_uniscr_alloc+0xd0/0xd0
[ 52.683043]  ? lock_acquire+0x16f/0x3f0
[ 52.683050]  ? vt_ioctl+0x1ec0/0x2530
[ 52.683058]  vc_resize+0x4d/0x60
[ 52.683064]  vt_ioctl+0x1fe0/0x2530
[ 52.683072]  ? complete_change_console+0x3a0/0x3a0
[ 52.683080]  ? avc_has_extended_perms+0xa78/0x10f0
[ 52.683089]  ? avc_ss_reset+0x190/0x190
[ 52.683096]  ? save_stack+0xa9/0xd0
[ 52.683103]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 52.683110]  ? tty_jobctrl_ioctl+0x50/0xcd0
[ 52.683117]  ? complete_change_console+0x3a0/0x3a0
[ 52.683125]  tty_ioctl+0x7f3/0x1510
[ 52.683133]  ? tty_vhangup+0x30/0x30
[ 52.683140]  ? find_held_lock+0x35/0x130
[ 52.683148]  ? debug_check_no_obj_freed+0x200/0x464
[ 52.683159]  ? __might_sleep+0x95/0x190
[ 52.683166]  ? trace_hardirqs_off+0x62/0x220
[ 52.683174]  ? tty_vhangup+0x30/0x30
[ 52.683181]  do_vfs_ioctl+0xd5f/0x1380
[ 52.683187]  ? selinux_file_ioctl+0x46f/0x5e0
[ 52.683194]  ? selinux_file_ioctl+0x125/0x5e0
[ 52.683201]  ? ioctl_preallocate+0x210/0x210
[ 52.683208]  ? selinux_file_mprotect+0x620/0x620
[ 52.683213]  ? putname+0xef/0x130
[ 52.683221]  ? kmem_cache_free+0x222/0x260
[ 52.683227]  ? putname+0xf4/0x130
[ 52.683234]  ? do_sys_open+0x31d/0x550
[ 52.683243]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 52.683251]  ? security_file_ioctl+0x8d/0xc0
[ 52.683259]  ksys_ioctl+0xab/0xd0
[ 52.683267]  __x64_sys_ioctl+0x73/0xb0
[ 52.683275]  do_syscall_64+0xfd/0x620
[ 52.683284]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.683288] RIP: 0033:0x440249
[ 52.683295] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 52.683299] RSP: 002b:00007ffc3af94c08 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 52.683305] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440249
[ 52.683309] RDX: 0000000020000000 RSI: 000000000000560a RDI: 0000000000000004
[ 52.683314] RBP: 00000000006cb018 R08: 000000000000000d R09: 00000000004002c8
[ 52.683318] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b30
[ 52.683322] R13: 0000000000401bc0 R14: 0000000000000000 R15: 0000000000000000
[ 52.684538] Kernel Offset: disabled
[ 53.549777] Rebooting in 86400 seconds..
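Triage notes on the report above, as an added example that is not part of the syzkaller log or of any kernel code: the script below parses the KASAN report lines (the REPORT string is copied from the log; everything else is mine), re-derives the numbers the report states, and checks what the shadow bytes say about the accessed address. Two facts it relies on are not in the log itself and are assumptions from the kernel sources of that era: kasan_kmalloc() poisons the tail of a kmalloc slot beyond the requested size with KASAN_KMALLOC_REDZONE (0xfc, mm/kasan/kasan.h), so an 0xfc shadow at an address the report places "inside" the 2048-byte slot means the access is past the end of what was actually requested; and on x86_64 ORIG_RAX=0x10 is ioctl while 0x560a is VT_RESIZEX in include/uapi/linux/vt.h, which matches the vc_resize path in the trace. The "usable size at most" value is an upper bound from the visible shadow rows only, since the dump starts at ffff888088287700.

```python
"""Triage a KASAN slab-out-of-bounds report: check its arithmetic, classify the
shadow bytes at the faulting access, and decode the user-space register dump."""
import re

# Lines copied verbatim from the KASAN report above (only the parts triage needs).
REPORT = """\
BUG: KASAN: slab-out-of-bounds in soft_cursor+0x439/0xa30
Read of size 16 at addr ffff888088287840 by task syz-executor569/8061
RSP: 002b:00007ffc3af94c08 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440249
RDX: 0000000020000000 RSI: 000000000000560a RDI: 0000000000000004
The buggy address belongs to the object at ffff888088287100
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1856 bytes inside of
 2048-byte region [ffff888088287100, ffff888088287900)
Memory state around the buggy address:
 ffff888088287700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888088287780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888088287800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                           ^
 ffff888088287880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888088287900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

SHADOW_SCALE = 8        # one shadow byte describes 8 bytes of memory
SHADOW_ROW_BYTES = 128  # each dumped row holds 16 shadow bytes

# Shadow byte meanings (assumption: values from mm/kasan/kasan.h in v4.19).
SHADOW_TAGS = {0xFF: "KASAN_FREE_PAGE", 0xFE: "KASAN_PAGE_REDZONE",
               0xFC: "KASAN_KMALLOC_REDZONE", 0xFB: "KASAN_KMALLOC_FREE",
               0xFA: "KASAN_GLOBAL_REDZONE", 0xF1: "KASAN_STACK_LEFT",
               0xF2: "KASAN_STACK_MID", 0xF3: "KASAN_STACK_RIGHT",
               0xF4: "KASAN_STACK_PARTIAL", 0xF5: "KASAN_USE_AFTER_SCOPE"}
# x86_64 syscall number and vt/kd ioctl commands relevant to this trace
# (assumption: syscall_64.tbl, include/uapi/linux/vt.h, include/uapi/linux/kd.h).
SYSCALLS = {0x10: "ioctl"}
IOCTLS = {0x5609: "VT_RESIZE", 0x560A: "VT_RESIZEX", 0x4B72: "KDFONTOP"}


def shadow_tag(byte):
    """Human-readable meaning of one shadow byte."""
    if byte == 0:
        return "addressable"
    if 1 <= byte <= 7:
        return f"partially addressable ({byte} bytes)"
    return SHADOW_TAGS.get(byte, f"unknown 0x{byte:02x}")


def parse_report(text):
    """Pull the access, object, register and shadow facts out of a KASAN report."""
    r = {}
    m = re.search(r"BUG: KASAN: (\S+) in (\S+)", text)
    r["bug"], r["func"] = m.group(1), m.group(2)
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", text)
    r["access"], r["size"], r["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
    r["task"], r["pid"] = m.group(4), int(m.group(5))
    m = re.search(r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)", text)
    r["obj"], r["cache"], r["cache_size"] = int(m.group(1), 16), m.group(2), int(m.group(3))
    m = re.search(r"located (\d+) bytes inside of\s+\d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", text)
    r["stated_offset"] = int(m.group(1))
    r["region"] = (int(m.group(2), 16), int(m.group(3), 16))
    r["shadow"] = {}  # row base address -> 16 shadow byte values
    for m in re.finditer(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", text, re.M):
        r["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    r["regs"] = {k: int(v, 16) for k, v in
                 re.findall(r"\b(ORIG_RAX|RDI|RSI|RDX): ([0-9a-f]{16})", text)}
    return r


def shadow_byte(r, addr):
    """Shadow byte covering addr, looked up in the dumped rows."""
    row = addr & ~(SHADOW_ROW_BYTES - 1)
    return r["shadow"][row][(addr - row) // SHADOW_SCALE]


def triage(text):
    r = parse_report(text)
    start, end = r["region"]
    access_end = r["addr"] + r["size"]
    tags = {shadow_tag(shadow_byte(r, a)) for a in range(r["addr"], access_end, SHADOW_SCALE)}
    # Lowest in-slot address already marked KMALLOC_REDZONE bounds the requested
    # size from above; only rows present in the dump can be consulted.
    redzone = [row + i * SHADOW_SCALE for row, bs in r["shadow"].items()
               for i, b in enumerate(bs) if b == 0xFC and start <= row + i * SHADOW_SCALE < end]
    regs = r["regs"]
    return {
        "offset": r["addr"] - r["obj"],
        "offset_matches": r["addr"] - r["obj"] == r["stated_offset"],
        "inside_slab_slot": start <= r["addr"] and access_end <= end,
        "shadow_tags": tags,
        "usable_size_at_most": min(redzone) - r["obj"] if redzone else None,
        "syscall": f"{SYSCALLS.get(regs['ORIG_RAX'], hex(regs['ORIG_RAX']))}"
                   f"(fd={regs['RDI']}, cmd={IOCTLS.get(regs['RSI'], hex(regs['RSI']))}, "
                   f"arg={regs['RDX']:#x})",
    }


if __name__ == "__main__":
    for k, v in triage(REPORT).items():
        print(f"{k}: {v}")
```

Run against the report, the offset arithmetic checks out (1856), the 16-byte read stays inside the 2048-byte slot, yet every shadow byte it touches is KASAN_KMALLOC_REDZONE and the redzone already begins by offset 1536: the font buffer kmalloc'd in fbcon_set_font was smaller than the offset soft_cursor's memcpy reads from. The register dump decodes to ioctl(4, VT_RESIZEX, 0x20000000), consistent with the vt_ioctl -> vc_resize -> redraw_screen path in the trace.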