Warning: Permanently added '10.128.0.126' (ECDSA) to the list of known hosts.
[ 51.930673] audit: type=1400 audit(1578016302.284:36): avc: denied { map } for pid=7688 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/01/03 01:51:42 parsed 1 programs
[ 53.615161] audit: type=1400 audit(1578016303.964:37): avc: denied { map } for pid=7688 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=17148 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2020/01/03 01:51:44 executed programs: 0
[ 53.794069] IPVS: ftp: loaded support on port[0] = 21
[ 53.855412] chnl_net:caif_netlink_parms(): no params data found
[ 53.891502] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.898393] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.905477] device bridge_slave_0 entered promiscuous mode
[ 53.912950] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.919406] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.926594] device bridge_slave_1 entered promiscuous mode
[ 53.942272] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 53.951613] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 53.967925] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 53.975200] team0: Port device team_slave_0 added
[ 53.981033] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 53.988394] team0: Port device team_slave_1 added
[ 53.993923] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 54.001504] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 54.057833] device hsr_slave_0 entered promiscuous mode
[ 54.096209] device hsr_slave_1 entered promiscuous mode
[ 54.147459] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 54.154625] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 54.174405] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.180888] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.187820] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.194168] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.225510] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 54.232586] 8021q: adding VLAN 0 to HW filter on device bond0
[ 54.243265] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 54.252002] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.270428] bridge0: port 1(bridge_slave_0) entered disabled state
[ 54.278067] bridge0: port 2(bridge_slave_1) entered disabled state
[ 54.285048] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 54.295486] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 54.301818] 8021q: adding VLAN 0 to HW filter on device team0
[ 54.310946] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 54.318576] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.324907] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.334304] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 54.342348] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.348804] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.367128] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 54.374783] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 54.383866] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 54.393323] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 54.403643] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 54.412814] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 54.419461] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 54.433401] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 54.441029] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 54.447812] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 54.459160] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 54.502223] audit: type=1400 audit(1578016304.854:38): avc: denied { associate } for pid=7704 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 54.579490] ==================================================================
[ 54.579526] BUG: KASAN: slab-out-of-bounds in fbcon_get_font+0x2b2/0x5e0
[ 54.579538] Read of size 16 at addr ffff88809390b710 by task syz-executor.0/7720
[ 54.579542]
[ 54.579556] CPU: 0 PID: 7720 Comm: syz-executor.0 Not tainted 4.19.92-syzkaller #0
[ 54.579565] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.579569] Call Trace:
[ 54.579587] dump_stack+0x197/0x210
[ 54.579604] ? fbcon_get_font+0x2b2/0x5e0
[ 54.579623] print_address_description.cold+0x7c/0x20d
[ 54.579639] ? fbcon_get_font+0x2b2/0x5e0
[ 54.579654] kasan_report.cold+0x8c/0x2ba
[ 54.579675] check_memory_region+0x123/0x190
[ 54.579691] memcpy+0x24/0x50
[ 54.579707] fbcon_get_font+0x2b2/0x5e0
[ 54.579724] ? display_to_var+0x7e0/0x7e0
[ 54.579739] con_font_op+0x20b/0x1250
[ 54.579759] ? con_write+0xd0/0xd0
[ 54.579797] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 54.579815] ? _copy_from_user+0xdd/0x150
[ 54.579834] vt_ioctl+0x1784/0x2530
[ 54.579853] ? complete_change_console+0x3a0/0x3a0
[ 54.579872] ? avc_has_extended_perms+0xa78/0x10f0
[ 54.579897] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 54.579917] ? tty_jobctrl_ioctl+0x50/0xcd0
[ 54.579933] ? complete_change_console+0x3a0/0x3a0
[ 54.579948] tty_ioctl+0x7f3/0x1510
[ 54.579963] ? tty_vhangup+0x30/0x30
[ 54.579977] ? mark_held_locks+0x100/0x100
[ 54.580000] ? __fget+0x340/0x540
[ 54.580023] ? __might_sleep+0x95/0x190
[ 54.580038] ? tty_vhangup+0x30/0x30
[ 54.580055] do_vfs_ioctl+0xd5f/0x1380
[ 54.580070] ? selinux_file_ioctl+0x46f/0x5e0
[ 54.580085] ? selinux_file_ioctl+0x125/0x5e0
[ 54.580109] ? ioctl_preallocate+0x210/0x210
[ 54.580124] ? selinux_file_mprotect+0x620/0x620
[ 54.580147] ? iterate_fd+0x360/0x360
[ 54.580161] ? nsecs_to_jiffies+0x30/0x30
[ 54.580184] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 54.580198] ? security_file_ioctl+0x8d/0xc0
[ 54.580216] ksys_ioctl+0xab/0xd0
[ 54.580235] __x64_sys_ioctl+0x73/0xb0
[ 54.580253] do_syscall_64+0xfd/0x620
[ 54.580273] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.580284] RIP: 0033:0x45a9e9
[ 54.580299] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 54.580307] RSP: 002b:00007f1ed25d1c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 54.580321] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a9e9
[ 54.580330] RDX: 0000000020000440 RSI: 0000000000004b72 RDI: 0000000000000004
[ 54.580338] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 54.580347] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ed25d26d4
[ 54.580355] R13: 00000000004c3bb5 R14: 00000000004d94d8 R15: 00000000ffffffff
[ 54.580375]
[ 54.580382] Allocated by task 7718:
[ 54.580396] save_stack+0x45/0xd0
[ 54.580409] kasan_kmalloc+0xce/0xf0
[ 54.580421] __kmalloc+0x15d/0x750
[ 54.580433] fbcon_set_font+0x32d/0x860
[ 54.580446] con_font_op+0xe18/0x1250
[ 54.580458] vt_ioctl+0xd2e/0x2530
[ 54.580469] tty_ioctl+0x7f3/0x1510
[ 54.580481] do_vfs_ioctl+0xd5f/0x1380
[ 54.580493] ksys_ioctl+0xab/0xd0
[ 54.580506] __x64_sys_ioctl+0x73/0xb0
[ 54.580520] do_syscall_64+0xfd/0x620
[ 54.580533] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.580537]
[ 54.580543] Freed by task 0:
[ 54.580547] (stack is not available)
[ 54.580550]
[ 54.580561] The buggy address belongs to the object at ffff88809390aa00
[ 54.580561] which belongs to the cache kmalloc-4096 of size 4096
[ 54.580573] The buggy address is located 3344 bytes inside of
[ 54.580573] 4096-byte region [ffff88809390aa00, ffff88809390ba00)
[ 54.580578] The buggy address belongs to the page:
[ 54.580589] page:ffffea00024e4280 count:1 mapcount:0 mapping:ffff88812c31cdc0 index:0x0 compound_mapcount: 0
[ 54.580604] flags: 0xfffe0000008100(slab|head)
[ 54.580622] raw: 00fffe0000008100 ffffea000263d388 ffffea0002584808 ffff88812c31cdc0
[ 54.580639] raw: 0000000000000000 ffff88809390aa00 0000000100000001 0000000000000000
[ 54.580645] page dumped because: kasan: bad access detected
[ 54.580648]
[ 54.580653] Memory state around the buggy address:
[ 54.580664] ffff88809390b600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 54.580675] ffff88809390b680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 54.580685] >ffff88809390b700: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.580691] ^
[ 54.580701] ffff88809390b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.580713] ffff88809390b800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.580718] ==================================================================
[ 54.580722] Disabling lock debugging due to kernel taint
[ 54.580730] Kernel panic - not syncing: panic_on_warn set ...
[ 54.580730]
[ 54.580744] CPU: 0 PID: 7720 Comm: syz-executor.0 Tainted: G B 4.19.92-syzkaller #0
[ 54.580750] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.580754] Call Trace:
[ 54.580768] dump_stack+0x197/0x210
[ 54.580788] ? fbcon_get_font+0x2b2/0x5e0
[ 54.580799] panic+0x26a/0x50e
[ 54.580811] ? __warn_printk+0xf3/0xf3
[ 54.580828] ? lock_downgrade+0x880/0x880
[ 54.580844] ? trace_hardirqs_on+0x67/0x220
[ 54.580856] ? trace_hardirqs_on+0x5e/0x220
[ 54.580870] ? fbcon_get_font+0x2b2/0x5e0
[ 54.580884] kasan_end_report+0x47/0x4f
[ 54.580900] kasan_report.cold+0xa9/0x2ba
[ 54.580916] check_memory_region+0x123/0x190
[ 54.580930] memcpy+0x24/0x50
[ 54.580943] fbcon_get_font+0x2b2/0x5e0
[ 54.580957] ? display_to_var+0x7e0/0x7e0
[ 54.580971] con_font_op+0x20b/0x1250
[ 54.580987] ? con_write+0xd0/0xd0
[ 54.581006] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 54.581022] ? _copy_from_user+0xdd/0x150
[ 54.581038] vt_ioctl+0x1784/0x2530
[ 54.581054] ? complete_change_console+0x3a0/0x3a0
[ 54.581071] ? avc_has_extended_perms+0xa78/0x10f0
[ 54.581090] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 54.581108] ? tty_jobctrl_ioctl+0x50/0xcd0
[ 54.581123] ? complete_change_console+0x3a0/0x3a0
[ 54.581135] tty_ioctl+0x7f3/0x1510
[ 54.581148] ? tty_vhangup+0x30/0x30
[ 54.581163] ? mark_held_locks+0x100/0x100
[ 54.581181] ? __fget+0x340/0x540
[ 54.581199] ? __might_sleep+0x95/0x190
[ 54.581211] ? tty_vhangup+0x30/0x30
[ 54.581225] do_vfs_ioctl+0xd5f/0x1380
[ 54.581239] ? selinux_file_ioctl+0x46f/0x5e0
[ 54.581253] ? selinux_file_ioctl+0x125/0x5e0
[ 54.581267] ? ioctl_preallocate+0x210/0x210
[ 54.581281] ? selinux_file_mprotect+0x620/0x620
[ 54.581298] ? iterate_fd+0x360/0x360
[ 54.581310] ? nsecs_to_jiffies+0x30/0x30
[ 54.581328] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 54.581341] ? security_file_ioctl+0x8d/0xc0
[ 54.581355] ksys_ioctl+0xab/0xd0
[ 54.581371] __x64_sys_ioctl+0x73/0xb0
[ 54.581386] do_syscall_64+0xfd/0x620
[ 54.581402] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.581411] RIP: 0033:0x45a9e9
[ 54.581424] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 54.581431] RSP: 002b:00007f1ed25d1c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 54.581443] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a9e9
[ 54.581451] RDX: 0000000020000440 RSI: 0000000000004b72 RDI: 0000000000000004
[ 54.581459] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 54.581466] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ed25d26d4
[ 54.581474] R13: 00000000004c3bb5 R14: 00000000004d94d8 R15: 00000000ffffffff
[ 54.582889] Kernel Offset: disabled
[ 55.317836] Rebooting in 86400 seconds..