[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   76.184443][   T27] audit: type=1800 audit(1576674219.786:25): pid=9015 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   76.204484][   T27] audit: type=1800 audit(1576674219.786:26): pid=9015 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   76.240063][   T27] audit: type=1800 audit(1576674219.796:27): pid=9015 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.85' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   88.453306][ T9167] ==================================================================
[   88.453349][ T9167] BUG: KASAN: use-after-free in soft_cursor+0x439/0xa30
[   88.453357][ T9167] Read of size 9 at addr ffff88809fc99451 by task syz-executor426/9167
[   88.453360][ T9167] 
[   88.453370][ T9167] CPU: 1 PID: 9167 Comm: syz-executor426 Not tainted 5.5.0-rc2-next-20191218-syzkaller #0
[   88.453375][ T9167] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   88.453378][ T9167] Call Trace:
[   88.453389][ T9167]  dump_stack+0x197/0x210
[   88.453397][ T9167]  ? soft_cursor+0x439/0xa30
[   88.453411][ T9167]  print_address_description.constprop.0.cold+0xd4/0x30b
[   88.453418][ T9167]  ? soft_cursor+0x439/0xa30
[   88.453425][ T9167]  ? soft_cursor+0x439/0xa30
[   88.453434][ T9167]  __kasan_report.cold+0x1b/0x41
[   88.453443][ T9167]  ? soft_cursor+0x439/0xa30
[   88.453453][ T9167]  kasan_report+0x12/0x20
[   88.453461][ T9167]  check_memory_region+0x134/0x1a0
[   88.453470][ T9167]  memcpy+0x24/0x50
[   88.453478][ T9167]  soft_cursor+0x439/0xa30
[   88.453487][ T9167]  ? lockdep_hardirqs_on+0x421/0x5e0
[   88.453501][ T9167]  bit_cursor+0x12fc/0x1a60
[   88.453514][ T9167]  ? bit_clear+0x530/0x530
[   88.453522][ T9167]  ? find_held_lock+0x35/0x130
[   88.453537][ T9167]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   88.453545][ T9167]  ? get_color+0x225/0x430
[   88.453555][ T9167]  fbcon_cursor+0x487/0x660
[   88.453563][ T9167]  ? bit_clear+0x530/0x530
[   88.453575][ T9167]  hide_cursor+0x9d/0x2b0
[   88.453586][ T9167]  redraw_screen+0x60b/0x7d0
[   88.453596][ T9167]  ? respond_string+0x2c0/0x2c0
[   88.453609][ T9167]  vc_do_resize+0x10c9/0x1460
[   88.453617][ T9167]  ? down+0x50/0x90
[   88.453633][ T9167]  ? vc_uniscr_alloc+0xd0/0xd0
[   88.453642][ T9167]  ? lock_acquire+0x190/0x410
[   88.453650][ T9167]  ? vt_ioctl+0x1f56/0x26d0
[   88.453660][ T9167]  vc_resize+0x4d/0x60
[   88.453668][ T9167]  vt_ioctl+0x2076/0x26d0
[   88.453678][ T9167]  ? complete_change_console+0x3a0/0x3a0
[   88.453685][ T9167]  ? lock_downgrade+0x920/0x920
[   88.453694][ T9167]  ? rwlock_bug.part.0+0x90/0x90
[   88.453714][ T9167]  ? tomoyo_path_number_perm+0x214/0x520
[   88.453727][ T9167]  ? find_held_lock+0x35/0x130
[   88.453742][ T9167]  ? tomoyo_path_number_perm+0x214/0x520
[   88.453757][ T9167]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   88.453774][ T9167]  ? tty_jobctrl_ioctl+0x50/0xd40
[   88.453782][ T9167]  ? complete_change_console+0x3a0/0x3a0
[   88.453792][ T9167]  tty_ioctl+0xa37/0x14f0
[   88.453802][ T9167]  ? tty_vhangup+0x30/0x30
[   88.453810][ T9167]  ? tomoyo_path_number_perm+0x454/0x520
[   88.453821][ T9167]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   88.453830][ T9167]  ? tomoyo_path_number_perm+0x25e/0x520
[   88.453840][ T9167]  ? tomoyo_execute_permission+0x4a0/0x4a0
[   88.453862][ T9167]  ? trace_hardirqs_on+0x67/0x240
[   88.453873][ T9167]  ? tty_vhangup+0x30/0x30
[   88.453884][ T9167]  do_vfs_ioctl+0x977/0x14e0
[   88.453895][ T9167]  ? compat_ioctl_preallocate+0x220/0x220
[   88.453903][ T9167]  ? chown_common+0x5c0/0x5c0
[   88.453913][ T9167]  ? __kasan_check_write+0x14/0x20
[   88.453921][ T9167]  ? up_read+0x1cd/0x810
[   88.453936][ T9167]  ? tomoyo_file_ioctl+0x23/0x30
[   88.453945][ T9167]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   88.453954][ T9167]  ? security_file_ioctl+0x8d/0xc0
[   88.453963][ T9167]  ksys_ioctl+0xab/0xd0
[   88.453973][ T9167]  __x64_sys_ioctl+0x73/0xb0
[   88.453985][ T9167]  do_syscall_64+0xfa/0x790
[   88.453995][ T9167]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   88.454002][ T9167] RIP: 0033:0x440219
[   88.454012][ T9167] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   88.454017][ T9167] RSP: 002b:00007ffe9e4c5938 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   88.454025][ T9167] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219
[   88.454030][ T9167] RDX: 00000000200002c0 RSI: 000000000000560a RDI: 0000000000000004
[   88.454035][ T9167] RBP: 00000000006ca018 R08: 0000000000000001 R09: 00000000004002c8
[   88.454040][ T9167] R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000401b00
[   88.454045][ T9167] R13: 0000000000401b90 R14: 0000000000000000 R15: 0000000000000000
[   88.454056][ T9167] 
[   88.454060][ T9167] Allocated by task 8909:
[   88.454067][ T9167]  save_stack+0x23/0x90
[   88.454075][ T9167]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   88.454081][ T9167]  kasan_kmalloc+0x9/0x10
[   88.454088][ T9167]  __kmalloc+0x163/0x770
[   88.454094][ T9167]  tomoyo_init_log+0x141f/0x2070
[   88.454101][ T9167]  tomoyo_supervisor+0x33f/0xef0
[   88.454109][ T9167]  tomoyo_unix_entry+0x43f/0x5d0
[   88.454117][ T9167]  tomoyo_socket_connect_permission+0x331/0x380
[   88.454125][ T9167]  tomoyo_socket_connect+0x26/0x30
[   88.454132][ T9167]  security_socket_connect+0x77/0xc0
[   88.454141][ T9167]  __sys_connect_file+0xae/0x1c0
[   88.454147][ T9167]  __sys_connect+0x174/0x1b0
[   88.454154][ T9167]  __x64_sys_connect+0x73/0xb0
[   88.454161][ T9167]  do_syscall_64+0xfa/0x790
[   88.454168][ T9167]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   88.454170][ T9167] 
[   88.454174][ T9167] Freed by task 8909:
[   88.454180][ T9167]  save_stack+0x23/0x90
[   88.454187][ T9167]  __kasan_slab_free+0x102/0x150
[   88.454193][ T9167]  kasan_slab_free+0xe/0x10
[   88.454199][ T9167]  kfree+0x10a/0x2c0
[   88.454206][ T9167]  tomoyo_supervisor+0x360/0xef0
[   88.454213][ T9167]  tomoyo_unix_entry+0x43f/0x5d0
[   88.454222][ T9167]  tomoyo_socket_connect_permission+0x331/0x380
[   88.454229][ T9167]  tomoyo_socket_connect+0x26/0x30
[   88.454237][ T9167]  security_socket_connect+0x77/0xc0
[   88.454243][ T9167]  __sys_connect_file+0xae/0x1c0
[   88.454250][ T9167]  __sys_connect+0x174/0x1b0
[   88.454256][ T9167]  __x64_sys_connect+0x73/0xb0
[   88.454264][ T9167]  do_syscall_64+0xfa/0x790
[   88.454271][ T9167]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   88.454273][ T9167] 
[   88.454279][ T9167] The buggy address belongs to the object at ffff88809fc99400
[   88.454279][ T9167]  which belongs to the cache kmalloc-512 of size 512
[   88.454286][ T9167] The buggy address is located 81 bytes inside of
[   88.454286][ T9167]  512-byte region [ffff88809fc99400, ffff88809fc99600)
[   88.454289][ T9167] The buggy address belongs to the page:
[   88.454297][ T9167] page:ffffea00027f2640 refcount:1 mapcount:0 mapping:ffff8880aa400a80 index:0x0
[   88.454308][ T9167] raw: 00fffe0000000200 ffffea00027889c8 ffffea00029a7148 ffff8880aa400a80
[   88.454317][ T9167] raw: 0000000000000000 ffff88809fc99000 0000000100000004 0000000000000000
[   88.454321][ T9167] page dumped because: kasan: bad access detected
[   88.454323][ T9167] 
[   88.454326][ T9167] Memory state around the buggy address:
[   88.454333][ T9167]  ffff88809fc99300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   88.454339][ T9167]  ffff88809fc99380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   88.454345][ T9167] >ffff88809fc99400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   88.454348][ T9167]                                                  ^
[   88.454354][ T9167]  ffff88809fc99480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   88.454361][ T9167]  ffff88809fc99500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   88.454364][ T9167] ==================================================================
[   88.454367][ T9167] Disabling lock debugging due to kernel taint
[   88.454415][ T9167] Kernel panic - not syncing: panic_on_warn set ...
[   88.454429][ T9167] CPU: 1 PID: 9167 Comm: syz-executor426 Tainted: G    B             5.5.0-rc2-next-20191218-syzkaller #0
[   88.454443][ T9167] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   88.454452][ T9167] Call Trace:
[   88.454466][ T9167]  dump_stack+0x197/0x210
[   88.454483][ T9167]  panic+0x2e3/0x75c
[   88.454499][ T9167]  ? add_taint.cold+0x16/0x16
[   88.454516][ T9167]  ? trace_hardirqs_on+0x5e/0x240
[   88.454532][ T9167]  ? trace_hardirqs_on+0x5e/0x240
[   88.454547][ T9167]  ? soft_cursor+0x439/0xa30
[   88.454562][ T9167]  end_report+0x47/0x4f
[   88.454577][ T9167]  ? soft_cursor+0x439/0xa30
[   88.454592][ T9167]  __kasan_report.cold+0xe/0x41
[   88.454607][ T9167]  ? soft_cursor+0x439/0xa30
[   88.454622][ T9167]  kasan_report+0x12/0x20
[   88.454638][ T9167]  check_memory_region+0x134/0x1a0
[   88.454652][ T9167]  memcpy+0x24/0x50
[   88.454667][ T9167]  soft_cursor+0x439/0xa30
[   88.454682][ T9167]  ? lockdep_hardirqs_on+0x421/0x5e0
[   88.454698][ T9167]  bit_cursor+0x12fc/0x1a60
[   88.454714][ T9167]  ? bit_clear+0x530/0x530
[   88.454728][ T9167]  ? find_held_lock+0x35/0x130
[   88.454746][ T9167]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   88.454760][ T9167]  ? get_color+0x225/0x430
[   88.454775][ T9167]  fbcon_cursor+0x487/0x660
[   88.454790][ T9167]  ? bit_clear+0x530/0x530
[   88.454806][ T9167]  hide_cursor+0x9d/0x2b0
[   88.454823][ T9167]  redraw_screen+0x60b/0x7d0
[   88.454839][ T9167]  ? respond_string+0x2c0/0x2c0
[   88.454862][ T9167]  vc_do_resize+0x10c9/0x1460
[   88.454877][ T9167]  ? down+0x50/0x90
[   88.454900][ T9167]  ? vc_uniscr_alloc+0xd0/0xd0
[   88.454914][ T9167]  ? lock_acquire+0x190/0x410
[   88.454928][ T9167]  ? vt_ioctl+0x1f56/0x26d0
[   88.454943][ T9167]  vc_resize+0x4d/0x60
[   88.454957][ T9167]  vt_ioctl+0x2076/0x26d0
[   88.454973][ T9167]  ? complete_change_console+0x3a0/0x3a0
[   88.454987][ T9167]  ? lock_downgrade+0x920/0x920
[   88.455002][ T9167]  ? rwlock_bug.part.0+0x90/0x90
[   88.455018][ T9167]  ? tomoyo_path_number_perm+0x214/0x520
[   88.455032][ T9167]  ? find_held_lock+0x35/0x130
[   88.455048][ T9167]  ? tomoyo_path_number_perm+0x214/0x520
[   88.455064][ T9167]  ? __sanitizer_cov_trace_switch+0x49/0x80
[   88.455080][ T9167]  ? tty_jobctrl_ioctl+0x50/0xd40
[   88.455094][ T9167]  ? complete_change_console+0x3a0/0x3a0
[   88.455110][ T9167]  tty_ioctl+0xa37/0x14f0
[   88.455126][ T9167]  ? tty_vhangup+0x30/0x30
[   88.455141][ T9167]  ? tomoyo_path_number_perm+0x454/0x520
[   88.455158][ T9167]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   88.455174][ T9167]  ? tomoyo_path_number_perm+0x25e/0x520
[   88.455191][ T9167]  ? tomoyo_execute_permission+0x4a0/0x4a0
[   88.455209][ T9167]  ? trace_hardirqs_on+0x67/0x240
[   88.455225][ T9167]  ? tty_vhangup+0x30/0x30
[   88.455240][ T9167]  do_vfs_ioctl+0x977/0x14e0
[   88.455257][ T9167]  ? compat_ioctl_preallocate+0x220/0x220
[   88.455270][ T9167]  ? chown_common+0x5c0/0x5c0
[   88.455286][ T9167]  ? __kasan_check_write+0x14/0x20
[   88.455301][ T9167]  ? up_read+0x1cd/0x810
[   88.455319][ T9167]  ? tomoyo_file_ioctl+0x23/0x30
[   88.455335][ T9167]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   88.455351][ T9167]  ? security_file_ioctl+0x8d/0xc0
[   88.455366][ T9167]  ksys_ioctl+0xab/0xd0
[   88.455382][ T9167]  __x64_sys_ioctl+0x73/0xb0
[   88.455398][ T9167]  do_syscall_64+0xfa/0x790
[   88.455413][ T9167]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   88.455425][ T9167] RIP: 0033:0x440219
[   88.455442][ T9167] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   88.455447][ T9167] RSP: 002b:00007ffe9e4c5938 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   88.455456][ T9167] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219
[   88.455461][ T9167] RDX: 00000000200002c0 RSI: 000000000000560a RDI: 0000000000000004
[   88.455467][ T9167] RBP: 00000000006ca018 R08: 0000000000000001 R09: 00000000004002c8
[   88.455472][ T9167] R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000401b00
[   88.455479][ T9167] R13: 0000000000401b90 R14: 0000000000000000 R15: 0000000000000000
[   88.456982][ T9167] Kernel Offset: disabled
[   89.566094][ T9167] Rebooting in 86400 seconds..