Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.158' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 58.308761][ T6823] ==================================================================
[ 58.308802][ T6823] BUG: KASAN: slab-out-of-bounds in bit_putcs+0xbb6/0xd20
[ 58.308810][ T6823] Read of size 1 at addr ffff8880a1d92230 by task syz-executor726/6823
[ 58.308812][ T6823]
[ 58.308823][ T6823] CPU: 0 PID: 6823 Comm: syz-executor726 Not tainted 5.8.0-rc4-next-20200710-syzkaller #0
[ 58.308828][ T6823] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.308842][ T6823] Call Trace:
[ 58.308853][ T6823]  dump_stack+0x18f/0x20d
[ 58.308862][ T6823]  ? bit_putcs+0xbb6/0xd20
[ 58.308869][ T6823]  ? bit_putcs+0xbb6/0xd20
[ 58.308880][ T6823]  print_address_description.constprop.0.cold+0xae/0x497
[ 58.308891][ T6823]  ? lock_downgrade+0x820/0x820
[ 58.308901][ T6823]  ? lockdep_hardirqs_off+0x66/0xa0
[ 58.308910][ T6823]  ? vprintk_func+0x97/0x1a6
[ 58.308919][ T6823]  ? bit_putcs+0xbb6/0xd20
[ 58.308926][ T6823]  ? bit_putcs+0xbb6/0xd20
[ 58.308933][ T6823]  kasan_report.cold+0x1f/0x37
[ 58.308941][ T6823]  ? bit_putcs+0xbb6/0xd20
[ 58.308950][ T6823]  bit_putcs+0xbb6/0xd20
[ 58.308966][ T6823]  ? bit_cursor+0x17d0/0x17d0
[ 58.308974][ T6823]  ? vga16fb_update_fix+0x4a0/0x4a0
[ 58.308987][ T6823]  ? fb_get_color_depth+0x11a/0x240
[ 58.308996][ T6823]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 58.309005][ T6823]  ? bit_cursor+0x17d0/0x17d0
[ 58.309014][ T6823]  fbcon_putcs+0x33c/0x3f0
[ 58.309027][ T6823]  do_update_region+0x399/0x630
[ 58.309039][ T6823]  ? con_get_trans_old+0x280/0x280
[ 58.309050][ T6823]  ? fbcon_set_palette+0x3a8/0x490
[ 58.309059][ T6823]  ? var_to_display+0x7f0/0x7f0
[ 58.309070][ T6823]  redraw_screen+0x64e/0x770
[ 58.309079][ T6823]  ? wait_for_completion+0x260/0x260
[ 58.309087][ T6823]  ? vc_init+0x430/0x430
[ 58.309100][ T6823]  vc_do_resize+0xeec/0x1170
[ 58.309116][ T6823]  ? lock_downgrade+0x820/0x820
[ 58.309125][ T6823]  ? store_bind+0x6a0/0x6a0
[ 58.309135][ T6823]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 58.309144][ T6823]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 58.309153][ T6823]  ? trace_hardirqs_on+0x5f/0x220
[ 58.309165][ T6823]  vt_ioctl+0xeba/0x2c20
[ 58.309174][ T6823]  ? lock_downgrade+0x7e1/0x820
[ 58.309183][ T6823]  ? vt_waitactive+0x350/0x350
[ 58.309192][ T6823]  ? trace_hardirqs_on+0x5f/0x220
[ 58.309205][ T6823]  ? tomoyo_path_number_perm+0x244/0x4d0
[ 58.309214][ T6823]  ? tomoyo_execute_permission+0x470/0x470
[ 58.309224][ T6823]  ? lockdep_hardirqs_off+0x66/0xa0
[ 58.309232][ T6823]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 58.309241][ T6823]  ? tty_jobctrl_ioctl+0x4d/0x1010
[ 58.309249][ T6823]  ? vt_waitactive+0x350/0x350
[ 58.309259][ T6823]  tty_ioctl+0x1019/0x15f0
[ 58.309268][ T6823]  ? tty_fasync+0x390/0x390
[ 58.309277][ T6823]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 58.309286][ T6823]  ? do_vfs_ioctl+0x27d/0x1090
[ 58.309295][ T6823]  ? generic_block_fiemap+0x60/0x60
[ 58.309303][ T6823]  ? do_sys_openat2+0xa2/0x3b0
[ 58.309312][ T6823]  ? build_open_flags+0x650/0x650
[ 58.309319][ T6823]  ? sockfd_lookup_light+0xc6/0x170
[ 58.309329][ T6823]  ? __sys_sendmsg+0x10c/0x1b0
[ 58.309337][ T6823]  ? __sys_sendmsg_sock+0xb0/0xb0
[ 58.309350][ T6823]  ? tty_fasync+0x390/0x390
[ 58.309358][ T6823]  ksys_ioctl+0x11a/0x180
[ 58.309368][ T6823]  __x64_sys_ioctl+0x6f/0xb0
[ 58.309376][ T6823]  ? lockdep_hardirqs_on+0x6a/0xe0
[ 58.309384][ T6823]  do_syscall_64+0x60/0xe0
[ 58.309394][ T6823]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 58.309402][ T6823] RIP: 0033:0x4403a9
[ 58.309405][ T6823] Code: Bad RIP value.
[ 58.309410][ T6823] RSP: 002b:00007fffdfee7ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 58.309418][ T6823] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403a9
[ 58.309423][ T6823] RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000004
[ 58.309428][ T6823] RBP: 00000000006ca018 R08: 000000000000000d R09: 00000000004002c8
[ 58.309433][ T6823] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c10
[ 58.309438][ T6823] R13: 0000000000401ca0 R14: 0000000000000000 R15: 0000000000000000
[ 58.309448][ T6823]
[ 58.309452][ T6823] Allocated by task 6823:
[ 58.309459][ T6823]  kasan_save_stack+0x1b/0x40
[ 58.309466][ T6823]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 58.309474][ T6823]  __kmalloc+0x1a8/0x320
[ 58.309481][ T6823]  fbcon_set_font+0x34f/0x8b0
[ 58.309488][ T6823]  con_font_op+0xd25/0x1110
[ 58.309495][ T6823]  vt_ioctl+0x1be1/0x2c20
[ 58.309502][ T6823]  tty_ioctl+0x1019/0x15f0
[ 58.309509][ T6823]  ksys_ioctl+0x11a/0x180
[ 58.309515][ T6823]  __x64_sys_ioctl+0x6f/0xb0
[ 58.309522][ T6823]  do_syscall_64+0x60/0xe0
[ 58.309531][ T6823]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 58.309533][ T6823]
[ 58.309539][ T6823] The buggy address belongs to the object at ffff8880a1d92000
[ 58.309539][ T6823]  which belongs to the cache kmalloc-1k of size 1024
[ 58.309546][ T6823] The buggy address is located 560 bytes inside of
[ 58.309546][ T6823]  1024-byte region [ffff8880a1d92000, ffff8880a1d92400)
[ 58.309549][ T6823] The buggy address belongs to the page:
[ 58.309559][ T6823] page:00000000d6cd4725 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa1d92
[ 58.309566][ T6823] flags: 0xfffe0000000200(slab)
[ 58.309577][ T6823] raw: 00fffe0000000200 ffffea000256b548 ffffea00023751c8 ffff8880aa000700
[ 58.309587][ T6823] raw: 0000000000000000 ffff8880a1d92000 0000000100000002 0000000000000000
[ 58.309590][ T6823] page dumped because: kasan: bad access detected
[ 58.309593][ T6823]
[ 58.309595][ T6823] Memory state around the buggy address:
[ 58.309608][ T6823]  ffff8880a1d92100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 58.309614][ T6823]  ffff8880a1d92180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 58.309621][ T6823] >ffff8880a1d92200: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.309624][ T6823]                                      ^
[ 58.309630][ T6823]  ffff8880a1d92280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.309636][ T6823]  ffff8880a1d92300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.309639][ T6823] ==================================================================
[ 58.309642][ T6823] Disabling lock debugging due to kernel taint
[ 58.309646][ T6823] Kernel panic - not syncing: panic_on_warn set ...
[ 58.309655][ T6823] CPU: 0 PID: 6823 Comm: syz-executor726 Tainted: G B 5.8.0-rc4-next-20200710-syzkaller #0
[ 58.309659][ T6823] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.309661][ T6823] Call Trace:
[ 58.309668][ T6823]  dump_stack+0x18f/0x20d
[ 58.309676][ T6823]  ? bit_putcs+0xb40/0xd20
[ 58.309684][ T6823]  panic+0x2e3/0x75c
[ 58.309692][ T6823]  ? __warn_printk+0xf3/0xf3
[ 58.309701][ T6823]  ? trace_hardirqs_on+0x55/0x220
[ 58.309708][ T6823]  ? bit_putcs+0xbb6/0xd20
[ 58.309714][ T6823]  ? bit_putcs+0xbb6/0xd20
[ 58.309721][ T6823]  end_report+0x4d/0x53
[ 58.309728][ T6823]  kasan_report.cold+0xd/0x37
[ 58.309735][ T6823]  ? bit_putcs+0xbb6/0xd20
[ 58.309742][ T6823]  bit_putcs+0xbb6/0xd20
[ 58.309752][ T6823]  ? bit_cursor+0x17d0/0x17d0
[ 58.309758][ T6823]  ? vga16fb_update_fix+0x4a0/0x4a0
[ 58.309767][ T6823]  ? fb_get_color_depth+0x11a/0x240
[ 58.309774][ T6823]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 58.309782][ T6823]  ? bit_cursor+0x17d0/0x17d0
[ 58.309790][ T6823]  fbcon_putcs+0x33c/0x3f0
[ 58.309798][ T6823]  do_update_region+0x399/0x630
[ 58.309807][ T6823]  ? con_get_trans_old+0x280/0x280
[ 58.309816][ T6823]  ? fbcon_set_palette+0x3a8/0x490
[ 58.309824][ T6823]  ? var_to_display+0x7f0/0x7f0
[ 58.309832][ T6823]  redraw_screen+0x64e/0x770
[ 58.309839][ T6823]  ? wait_for_completion+0x260/0x260
[ 58.309847][ T6823]  ? vc_init+0x430/0x430
[ 58.309856][ T6823]  vc_do_resize+0xeec/0x1170
[ 58.309867][ T6823]  ? lock_downgrade+0x820/0x820
[ 58.309874][ T6823]  ? store_bind+0x6a0/0x6a0
[ 58.309883][ T6823]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 58.309891][ T6823]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 58.309898][ T6823]  ? trace_hardirqs_on+0x5f/0x220
[ 58.309907][ T6823]  vt_ioctl+0xeba/0x2c20
[ 58.309914][ T6823]  ? lock_downgrade+0x7e1/0x820
[ 58.309922][ T6823]  ? vt_waitactive+0x350/0x350
[ 58.309930][ T6823]  ? trace_hardirqs_on+0x5f/0x220
[ 58.309938][ T6823]  ? tomoyo_path_number_perm+0x244/0x4d0
[ 58.309946][ T6823]  ? tomoyo_execute_permission+0x470/0x470
[ 58.309954][ T6823]  ? lockdep_hardirqs_off+0x66/0xa0
[ 58.309961][ T6823]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 58.309968][ T6823]  ? tty_jobctrl_ioctl+0x4d/0x1010
[ 58.309976][ T6823]  ? vt_waitactive+0x350/0x350
[ 58.309983][ T6823]  tty_ioctl+0x1019/0x15f0
[ 58.309991][ T6823]  ? tty_fasync+0x390/0x390
[ 58.309998][ T6823]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 58.310005][ T6823]  ? do_vfs_ioctl+0x27d/0x1090
[ 58.310013][ T6823]  ? generic_block_fiemap+0x60/0x60
[ 58.310019][ T6823]  ? do_sys_openat2+0xa2/0x3b0
[ 58.310026][ T6823]  ? build_open_flags+0x650/0x650
[ 58.310033][ T6823]  ? sockfd_lookup_light+0xc6/0x170
[ 58.310041][ T6823]  ? __sys_sendmsg+0x10c/0x1b0
[ 58.310048][ T6823]  ? __sys_sendmsg_sock+0xb0/0xb0
[ 58.310057][ T6823]  ? tty_fasync+0x390/0x390
[ 58.310064][ T6823]  ksys_ioctl+0x11a/0x180
[ 58.310071][ T6823]  __x64_sys_ioctl+0x6f/0xb0
[ 58.310079][ T6823]  ? lockdep_hardirqs_on+0x6a/0xe0
[ 58.310086][ T6823]  do_syscall_64+0x60/0xe0
[ 58.310095][ T6823]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 58.310100][ T6823] RIP: 0033:0x4403a9
[ 58.310102][ T6823] Code: Bad RIP value.
[ 58.310106][ T6823] RSP: 002b:00007fffdfee7ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 58.310113][ T6823] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403a9
[ 58.310117][ T6823] RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000004
[ 58.310121][ T6823] RBP: 00000000006ca018 R08: 000000000000000d R09: 00000000004002c8
[ 58.310126][ T6823] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c10
[ 58.310130][ T6823] R13: 0000000000401ca0 R14: 0000000000000000 R15: 0000000000000000
[ 58.311118][ T6823] Kernel Offset: disabled
[ 59.256950][ T6823] Rebooting in 86400 seconds..
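Reading the shadow dump by hand, as an added note on the report above (this note and the script are not part of the syzkaller output): the faulting read is at ffff8880a1d92230, 560 bytes (0x230) into a kmalloc-1k object, but the `>` shadow row shows only its first two granules as 00, so the allocation that `fbcon_set_font` made through `__kmalloc` actually ends at offset 0x210 (528 bytes) and the rest of the 1024-byte slab slot is 0xfc kmalloc redzone. The 1-byte read therefore lands 32 bytes past the real end of the font buffer yet still inside the same slab slot, which is why only a KASAN build catches it; a production kernel would silently return whatever slab slack or neighbouring data sits there. The user-space register dump names the trigger: ORIG_RAX 0x10 is the x86-64 ioctl syscall number, RDI 4 the tty file descriptor, and RSI 0x560a is VT_RESIZEX, matching the vt_ioctl -> vc_do_resize -> redraw_screen -> bit_putcs path in the trace, while the allocation stack shows the font itself arrived through a separate KD_FONT_OP ioctl (con_font_op). The Python below is my own script that automates this decoding for any generic-KASAN slab report; it assumes the standard 8-byte shadow granule and the poison values from mm/kasan/kasan.h, and its embedded input is an excerpt copied from the report above.

```python
"""Decode the 'Memory state around the buggy address' block of a generic
KASAN slab report and work out where the allocation really ends.

Added example for this page, not part of the syzkaller output. Assumptions:
generic (non-tag) KASAN, 8-byte shadow granule, shadow 0x00 = granule fully
accessible, 0x01..0x07 = that many leading bytes accessible, and the poison
values listed in POISON (mm/kasan/kasan.h, 5.x kernels).
"""
import re

GRANULE = 8  # bytes of memory described by one shadow byte

POISON = {
    0xfc: "KASAN_KMALLOC_REDZONE",  # slack between the kmalloc size and the slab slot end
    0xfb: "KASAN_KMALLOC_FREE",     # freed slab object
    0xfe: "KASAN_PAGE_REDZONE",
    0xff: "KASAN_FREE_PAGE",
    0xf9: "KASAN_GLOBAL_REDZONE",
    0xf1: "KASAN_STACK_LEFT",
    0xf2: "KASAN_STACK_MID",
    0xf3: "KASAN_STACK_RIGHT",
}

# Excerpt copied from the report above (console prefixes kept as captured).
REPORT = """\
[ 58.308802][ T6823] BUG: KASAN: slab-out-of-bounds in bit_putcs+0xbb6/0xd20
[ 58.308810][ T6823] Read of size 1 at addr ffff8880a1d92230 by task syz-executor726/6823
[ 58.309539][ T6823] The buggy address belongs to the object at ffff8880a1d92000
[ 58.309539][ T6823]  which belongs to the cache kmalloc-1k of size 1024
[ 58.309546][ T6823] The buggy address is located 560 bytes inside of
[ 58.309546][ T6823]  1024-byte region [ffff8880a1d92000, ffff8880a1d92400)
[ 58.309595][ T6823] Memory state around the buggy address:
[ 58.309608][ T6823]  ffff8880a1d92100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 58.309614][ T6823]  ffff8880a1d92180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 58.309621][ T6823] >ffff8880a1d92200: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.309624][ T6823]                                      ^
[ 58.309630][ T6823]  ffff8880a1d92280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.309636][ T6823]  ffff8880a1d92300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\] ?")  # "[ 58.3][ T6823] " console prefix
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})")
OBJECT = re.compile(r"belongs to the object at ([0-9a-f]{16})")
CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
SHADOW = re.compile(r"^\s*>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*){16})$")


def parse_report(text):
    """Pull the access, the owning object and the shadow rows out of a report."""
    info = {"shadow": {}}  # granule base address -> shadow byte value
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        m = ACCESS.search(line)
        if m:
            info["kind"], info["size"], info["addr"] = m[1], int(m[2]), int(m[3], 16)
            continue
        m = OBJECT.search(line)
        if m:
            info["object"] = int(m[1], 16)
            continue
        m = CACHE.search(line)
        if m:
            info["cache"], info["cache_size"] = m[1], int(m[2])
            continue
        m = SHADOW.match(line)
        if m:
            base = int(m[1], 16)  # row label is the memory address, not the shadow address
            for i, byte in enumerate(m[2].split()):
                info["shadow"][base + i * GRANULE] = int(byte, 16)
    return info


def accessible_end(shadow, addr):
    """First byte past the accessible run that precedes addr, or None if that
    boundary lies outside the dumped rows."""
    granule = addr & ~(GRANULE - 1)
    while granule in shadow:
        value = shadow[granule]
        if value == 0:
            return granule + GRANULE
        if 0 < value < GRANULE:  # partial granule: only `value` leading bytes are valid
            return granule + value
        granule -= GRANULE  # poisoned: walk back to the last valid byte
    return None


def analyse(text):
    """Offset in object, real allocation size, overrun distance and poison kind."""
    info = parse_report(text)
    addr, obj = info["addr"], info["object"]
    end = accessible_end(info["shadow"], addr)
    poison = info["shadow"].get(addr & ~(GRANULE - 1))
    result = {
        "offset_in_object": addr - obj,  # must match "N bytes inside of" in the report
        "poison": POISON.get(poison, None if poison is None else "0x%02x" % poison),
        "usable_size": None,
        "overrun": None,
        "slab_slack": None,
    }
    if end is not None:
        result["usable_size"] = end - obj  # what kmalloc() was actually asked for
        result["overrun"] = addr - end     # bytes past that size (negative = in bounds)
        result["slab_slack"] = info["cache_size"] - (end - obj)  # room left in the slot
    return result


if __name__ == "__main__":
    for key, value in analyse(REPORT).items():
        print(f"{key}: {value}")
```

The usable size it recovers is the number to compare against the size computation in the allocating function, here the one in fbcon_set_font, since a report like this one usually means the writer and the reader disagree about the font's dimensions; the slab slack figure is what an attacker can read without KASAN noticing.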