restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 41.395002] random: sshd: uninitialized urandom read (32 bytes read)
[ 41.759865] audit: type=1400 audit(1575948673.667:35): avc: denied { map } for pid=7223 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 41.812080] random: sshd: uninitialized urandom read (32 bytes read)
[ 42.433472] random: sshd: uninitialized urandom read (32 bytes read)
[ 42.633572] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.237' (ECDSA) to the list of known hosts.
[ 48.156001] random: sshd: uninitialized urandom read (32 bytes read)
[ 48.360125] audit: type=1400 audit(1575948680.267:36): avc: denied { map } for pid=7236 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/12/10 03:31:20 parsed 1 programs
[ 49.178144] random: cc1: uninitialized urandom read (8 bytes read)
2019/12/10 03:31:22 executed programs: 0
[ 50.574200] audit: type=1400 audit(1575948682.487:37): avc: denied { map } for pid=7236 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 50.620578] audit: type=1400 audit(1575948682.527:38): avc: denied { map } for pid=7236 comm="syz-execprog" path="/root/syzkaller-shm992378374" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 50.911054] IPVS: ftp: loaded support on port[0] = 21
[ 51.942882] IPVS: ftp: loaded support on port[0] = 21
[ 51.956929] chnl_net:caif_netlink_parms(): no params data found
[ 51.998751] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.008387] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.016433] device bridge_slave_0 entered promiscuous mode
[ 52.026027] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.033377] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.040855] device bridge_slave_1 entered promiscuous mode
[ 52.062111] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 52.076391] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 52.098108] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 52.106520] team0: Port device team_slave_0 added
[ 52.114549] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 52.122151] team0: Port device team_slave_1 added
[ 52.130356] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 52.140908] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 52.153795] IPVS: ftp: loaded support on port[0] = 21
[ 52.223273] device hsr_slave_0 entered promiscuous mode
[ 52.260432] device hsr_slave_1 entered promiscuous mode
[ 52.301060] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 52.308818] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 52.372052] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.378928] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 52.386373] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.393076] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 52.415024] chnl_net:caif_netlink_parms(): no params data found
[ 52.428422] IPVS: ftp: loaded support on port[0] = 21
[ 52.484257] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.492130] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.499813] device bridge_slave_0 entered promiscuous mode
[ 52.508363] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.517508] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.525260] device bridge_slave_1 entered promiscuous mode
[ 52.576142] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 52.587347] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 52.613231] chnl_net:caif_netlink_parms(): no params data found
[ 52.631609] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 52.639769] team0: Port device team_slave_0 added
[ 52.646536] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 52.654163] team0: Port device team_slave_1 added
[ 52.664246] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 52.674769] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 52.692168] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 52.699098] 8021q: adding VLAN 0 to HW filter on device bond0
[ 52.722048] IPVS: ftp: loaded support on port[0] = 21
[ 52.725458] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 52.758593] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 52.767659] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.786482] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.852788] device hsr_slave_0 entered promiscuous mode
[ 52.890492] device hsr_slave_1 entered promiscuous mode
[ 52.931787] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 52.938713] 8021q: adding VLAN 0 to HW filter on device team0
[ 52.962943] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 52.971105] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 52.979254] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 52.987837] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.995452] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.003032] device bridge_slave_0 entered promiscuous mode
[ 53.012789] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.019433] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.026797] device bridge_slave_1 entered promiscuous mode
[ 53.093447] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 53.103604] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 53.119782] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 53.128341] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 53.137812] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 53.147697] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.155826] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 53.168999] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 53.177380] chnl_net:caif_netlink_parms(): no params data found
[ 53.202272] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 53.211381] team0: Port device team_slave_0 added
[ 53.218666] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 53.226422] team0: Port device team_slave_1 added
[ 53.231848] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 53.239887] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 53.248472] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.255745] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 53.272464] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 53.285917] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 53.295000] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 53.303409] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 53.333039] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 53.342730] IPVS: ftp: loaded support on port[0] = 21
[ 53.358813] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 53.384277] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 53.452430] device hsr_slave_0 entered promiscuous mode
[ 53.490592] device hsr_slave_1 entered promiscuous mode
[ 53.530506] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.537747] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.546648] device bridge_slave_0 entered promiscuous mode
[ 53.555494] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.562324] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.569522] device bridge_slave_1 entered promiscuous mode
[ 53.587759] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 53.597521] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 53.605556] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 53.646529] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 53.655079] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 53.666661] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 53.684031] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 53.706799] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 53.715584] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 53.723960] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 53.739591] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready
[ 53.751397] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 53.763623] chnl_net:caif_netlink_parms(): no params data found
[ 53.778319] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 53.786688] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 53.812161] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 53.819487] team0: Port device team_slave_0 added
[ 53.828894] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 53.836700] team0: Port device team_slave_1 added
[ 53.847762] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 53.864520] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready
[ 53.872655] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 53.883867] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 53.892687] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 53.901562] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 53.922070] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 53.928779] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 53.958253] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.966704] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.975055] device bridge_slave_0 entered promiscuous mode
[ 53.985323] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.992409] bridge0: port 2(bridge_slave_1) entered disabled state
[ 54.000154] device bridge_slave_1 entered promiscuous mode
[ 54.009321] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 54.073208] device hsr_slave_0 entered promiscuous mode
[ 54.131017] device hsr_slave_1 entered promiscuous mode
[ 54.191215] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 54.214879] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 54.225375] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 54.233985] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 54.241088] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 54.251912] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 54.259166] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 54.282559] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 54.291207] team0: Port device team_slave_0 added
[ 54.298917] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 54.306801] team0: Port device team_slave_1 added
[ 54.312894] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 54.324647] 8021q: adding VLAN 0 to HW filter on device bond0
[ 54.337163] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 54.347971] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 54.367810] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 54.462581] device hsr_slave_0 entered promiscuous mode
[ 54.500599] device hsr_slave_1 entered promiscuous mode
[ 54.542195] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 54.558274] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 54.567801] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 54.579635] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 54.588012] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.595906] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 54.611987] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 54.618720] 8021q: adding VLAN 0 to HW filter on device team0
[ 54.625415] chnl_net:caif_netlink_parms(): no params data found
[ 54.646504] 8021q: adding VLAN 0 to HW filter on device bond0
[ 54.673661] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 54.686786] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 54.694602] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 54.722673] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 54.732848] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 54.745890] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 54.756241] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.764959] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.773443] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 54.783248] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.796730] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 54.822045] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.822072] bridge0: port 1(bridge_slave_0) entered disabled state
[ 54.822910] device bridge_slave_0 entered promiscuous mode
[ 54.824110] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 54.824501] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 54.824739] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 54.824954] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.824981] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.826678] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 54.826684] 8021q: adding VLAN 0 to HW filter on device team0
[ 54.828878] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 54.829452] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.829478] bridge0: port 2(bridge_slave_1) entered disabled state
[ 54.830515] device bridge_slave_1 entered promiscuous mode
[ 54.949179] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 54.959853] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 54.972641] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 54.983188] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.990362] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.998774] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 54.999719] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 55.006654] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 55.048110] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 55.062780] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 55.072709] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 55.073079] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 55.073363] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.073388] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 55.073694] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 55.076259] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 55.079159] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 55.090216] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 55.090727] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 55.092528] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 55.182048] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 55.182445] team0: Port device team_slave_0 added
[ 55.183174] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 55.183488] team0: Port device team_slave_1 added
[ 55.184071] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 55.185323] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 55.192194] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 55.194514] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 55.197924] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 55.198326] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 55.198736] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 55.218625] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 55.240691] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 55.291568] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 55.293828] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 55.306961] ==================================================================
[ 55.306996] BUG: KASAN: global-out-of-bounds in fbcon_get_font+0x288/0x550
[ 55.307004] Read of size 32 at addr ffffffff87064ba0 by task syz-executor.3/7303
[ 55.307006]
[ 55.307017] CPU: 0 PID: 7303 Comm: syz-executor.3 Not tainted 4.14.158-syzkaller #0
[ 55.307021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.307025] Call Trace:
[ 55.307035] dump_stack+0x142/0x197
[ 55.307045] ? fbcon_get_font+0x288/0x550
[ 55.307056] print_address_description.cold+0x5/0x1dc
[ 55.307064] ? fbcon_get_font+0x288/0x550
[ 55.307071] kasan_report.cold+0xa9/0x2af
[ 55.307082] check_memory_region+0x123/0x190
[ 55.307090] memcpy+0x24/0x50
[ 55.307097] fbcon_get_font+0x288/0x550
[ 55.307106] ? display_to_var+0x7e0/0x7e0
[ 55.307113] con_font_op+0x1d5/0x1060
[ 55.307120] ? avc_has_extended_perms+0x7b7/0xe40
[ 55.307127] ? con_write+0xc0/0xc0
[ 55.307136] ? security_capable+0x8e/0xc0
[ 55.307146] ? ns_capable_common+0x12c/0x160
[ 55.307155] vt_ioctl+0xb80/0x2170
[ 55.307161] ? avc_has_extended_perms+0x8ec/0xe40
[ 55.307168] ? futex_wake+0x134/0x430
[ 55.307176] ? complete_change_console+0x360/0x360
[ 55.307182] ? avc_ss_reset+0x110/0x110
[ 55.307196] ? tty_jobctrl_ioctl+0x44/0xc10
[ 55.307202] ? complete_change_console+0x360/0x360
[ 55.307212] tty_ioctl+0x841/0x1320
[ 55.307220] ? tty_vhangup+0x30/0x30
[ 55.307229] ? __might_fault+0x110/0x1d0
[ 55.307242] ? __might_sleep+0x93/0xb0
[ 55.307251] ? __fget+0x210/0x370
[ 55.307262] ? tty_vhangup+0x30/0x30
[ 55.307270] do_vfs_ioctl+0x7ae/0x1060
[ 55.307280] ? selinux_file_mprotect+0x5d0/0x5d0
[ 55.307295] ? lock_downgrade+0x740/0x740
[ 55.307305] ? ioctl_preallocate+0x1c0/0x1c0
[ 55.307315] ? __fget+0x237/0x370
[ 55.307327] ? security_file_ioctl+0x7d/0xb0
[ 55.307333] ? security_file_ioctl+0x89/0xb0
[ 55.307342] SyS_ioctl+0x8f/0xc0
[ 55.307349] ? do_vfs_ioctl+0x1060/0x1060
[ 55.307361] do_syscall_64+0x1e8/0x640
[ 55.307369] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 55.307383] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 55.307390] RIP: 0033:0x45a6f9
[ 55.307395] RSP: 002b:00007f37b09edc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 55.307402] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a6f9
[ 55.307407] RDX: 0000000000713000 RSI: 0000000000004b60 RDI: 0000000000000004
[ 55.307411] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 55.307415] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f37b09ee6d4
[ 55.307418] R13: 00000000004c6d87 R14: 00000000004dd3e0 R15: 00000000ffffffff
[ 55.307430]
[ 55.307433] The buggy address belongs to the variable:
[ 55.307440] fontdata_8x16+0x1000/0x1120
[ 55.307442]
[ 55.307444] Memory state around the buggy address:
[ 55.307451] ffffffff87064a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 55.307456] ffffffff87064b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 55.307461] >ffffffff87064b80: 00 00 00 00 fa fa fa fa 06 fa fa fa fa fa fa fa
[ 55.307464] ^
[ 55.307469] ffffffff87064c00: 05 fa fa fa fa fa fa fa 06 fa fa fa fa fa fa fa
[ 55.307473] ffffffff87064c80: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
[ 55.307475] ==================================================================
[ 55.307478] Disabling lock debugging due to kernel taint
[ 55.307531] Kernel panic - not syncing: panic_on_warn set ...
[ 55.307531]
[ 55.307537] CPU: 0 PID: 7303 Comm: syz-executor.3 Tainted: G B 4.14.158-syzkaller #0
[ 55.307540] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.307542] Call Trace:
[ 55.307548] dump_stack+0x142/0x197
[ 55.307555] ? fbcon_get_font+0x288/0x550
[ 55.307561] panic+0x1f9/0x42d
[ 55.307565] ? add_taint.cold+0x16/0x16
[ 55.307570] ? ___preempt_schedule+0x16/0x18
[ 55.307579] kasan_end_report+0x47/0x4f
[ 55.307585] kasan_report.cold+0x130/0x2af
[ 55.307592] check_memory_region+0x123/0x190
[ 55.307599] memcpy+0x24/0x50
[ 55.307606] fbcon_get_font+0x288/0x550
[ 55.307613] ? display_to_var+0x7e0/0x7e0
[ 55.307619] con_font_op+0x1d5/0x1060
[ 55.307625] ? avc_has_extended_perms+0x7b7/0xe40
[ 55.307632] ? con_write+0xc0/0xc0
[ 55.307639] ? security_capable+0x8e/0xc0
[ 55.307647] ? ns_capable_common+0x12c/0x160
[ 55.307654] vt_ioctl+0xb80/0x2170
[ 55.307658] ? avc_has_extended_perms+0x8ec/0xe40
[ 55.307663] ? futex_wake+0x134/0x430
[ 55.307669] ? complete_change_console+0x360/0x360
[ 55.307675] ? avc_ss_reset+0x110/0x110
[ 55.307683] ? tty_jobctrl_ioctl+0x44/0xc10
[ 55.307688] ? complete_change_console+0x360/0x360
[ 55.307694] tty_ioctl+0x841/0x1320
[ 55.307700] ? tty_vhangup+0x30/0x30
[ 55.307706] ? __might_fault+0x110/0x1d0
[ 55.307715] ? __might_sleep+0x93/0xb0
[ 55.307720] ? __fget+0x210/0x370
[ 55.307729] ? tty_vhangup+0x30/0x30
[ 55.307735] do_vfs_ioctl+0x7ae/0x1060
[ 55.307742] ? selinux_file_mprotect+0x5d0/0x5d0
[ 55.307748] ? lock_downgrade+0x740/0x740
[ 55.307762] ? ioctl_preallocate+0x1c0/0x1c0
[ 55.307769] ? __fget+0x237/0x370
[ 55.307778] ? security_file_ioctl+0x7d/0xb0
[ 55.307784] ? security_file_ioctl+0x89/0xb0
[ 55.307791] SyS_ioctl+0x8f/0xc0
[ 55.307798] ? do_vfs_ioctl+0x1060/0x1060
[ 55.307805] do_syscall_64+0x1e8/0x640
[ 55.307810] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 55.307819] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 55.307823] RIP: 0033:0x45a6f9
[ 55.307826] RSP: 002b:00007f37b09edc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 55.307833] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a6f9
[ 55.307837] RDX: 0000000000713000 RSI: 0000000000004b60 RDI: 0000000000000004
[ 55.307840] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 55.307843] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f37b09ee6d4
[ 55.307847] R13: 00000000004c6d87 R14: 00000000004dd3e0 R15: 00000000ffffffff
[ 55.311003] Kernel Offset: disabled
[ 55.924182] Rebooting in 86400 seconds..