./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3597766499
<...>
[ 29.286113][ T3188] 8021q: adding VLAN 0 to HW filter on device bond0
[ 29.306736][ T3188] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
syzkaller login: [ 39.520445][ T27] kauditd_printk_skb: 37 callbacks suppressed
[ 39.520461][ T27] audit: type=1400 audit(1658136919.160:73): avc: denied { transition } for pid=3414 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 39.557703][ T27] audit: type=1400 audit(1658136919.170:74): avc: denied { write } for pid=3414 comm="sh" path="pipe:[27546]" dev="pipefs" ino=27546 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1
Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts.
execve("./syz-executor3597766499", ["./syz-executor3597766499"], 0x7ffc4e7e0150 /* 10 vars */) = 0
brk(NULL) = 0x5555565b6000
brk(0x5555565b6c40) = 0x5555565b6c40
arch_prctl(ARCH_SET_FS, 0x5555565b6300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor3597766499", 4096) = 28
brk(0x5555565d7c40) = 0x5555565d7c40
brk(0x5555565d8000) = 0x5555565d8000
mprotect(0x7f8e3904f000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
openat(AT_FDCWD, "/dev/char/4:1", O_RDWR) = 3
ioctl(3, TIOCLINUX, 0x20000080) = 0
openat(AT_FDCWD, "/dev/char/4:1", O_RDWR) = 4
[ 48.482860][ T27] audit: type=1400 audit(1658136928.130:75): avc: denied { execmem } for pid=3616 comm="syz-executor359" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 48.506901][ T3616] ==================================================================
[ 48.506919][ T3616] BUG: KASAN: stack-out-of-bounds in sys_imageblit+0x1ed0/0x2240
[ 48.506950][ T3616] Write of size 4 at addr ffffc90004127d40 by task syz-executor359/3616
[ 48.506962][ T3616]
[ 48.506966][ T3616] CPU: 1 PID: 3616 Comm: syz-executor359 Not tainted 5.19.0-rc6-syzkaller-00447-g55ea9bd66688 #0
[ 48.506982][ T3616] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
[ 48.506989][ T3616] Call Trace:
[ 48.506994][ T3616] <TASK>
[ 48.506998][ T3616] dump_stack_lvl+0xcd/0x134
[ 48.507017][ T3616] print_address_description.constprop.0.cold+0xf/0x467
[ 48.507035][ T3616] ? sys_imageblit+0x1ed0/0x2240
[ 48.507049][ T3616] kasan_report.cold+0xf4/0x1c6
[ 48.507062][ T3616] ? sys_imageblit+0x1ed0/0x2240
[ 48.507077][ T3616] sys_imageblit+0x1ed0/0x2240
[ 48.507093][ T3616] ? sys_copyarea+0x1fa0/0x1fa0
[ 48.507108][ T3616] drm_fbdev_fb_imageblit+0x15c/0x350
[ 48.507126][ T3616] bit_putcs+0x6e1/0xd20
[ 48.507141][ T3616] ? bit_clear+0x4f0/0x4f0
[ 48.507154][ T3616] ? kasan_save_stack+0x2e/0x40
[ 48.507169][ T3616] ? kasan_save_stack+0x1e/0x40
[ 48.507182][ T3616] ? __kasan_kmalloc+0xa6/0xd0
[ 48.507196][ T3616] ? fb_get_color_depth+0x11a/0x240
[ 48.507213][ T3616] ? __sanitizer_cov_trace_switch+0x50/0x90
[ 48.507228][ T3616] ? bit_clear+0x4f0/0x4f0
[ 48.507241][ T3616] fbcon_putcs+0x314/0x3e0
[ 48.507254][ T3616] do_update_region+0x399/0x630
[ 48.507272][ T3616] ? con_get_trans_old+0x2a0/0x2a0
[ 48.507287][ T3616] ? __kmalloc+0x64/0x4d0
[ 48.507299][ T3616] ? fbcon_invert_region+0x8f/0x1c0
[ 48.507313][ T3616] invert_screen+0x1d4/0x600
[ 48.507326][ T3616] ? vc_uniscr_copy_line+0x4c0/0x4c0
[ 48.507339][ T3616] ? rcu_read_lock_sched_held+0x3a/0x70
[ 48.507355][ T3616] ? trace_kmalloc+0x32/0xf0
[ 48.507368][ T3616] ? __kmalloc+0x221/0x4d0
[ 48.507380][ T3616] ? vc_do_resize+0x36c/0x1170
[ 48.507392][ T3616] clear_selection+0x55/0x70
[ 48.507406][ T3616] vc_do_resize+0xe61/0x1170
[ 48.507419][ T3616] ? lock_downgrade+0x6e0/0x6e0
[ 48.507436][ T3616] ? store_bind+0x720/0x720
[ 48.507449][ T3616] fbcon_do_set_font+0x43a/0x6f0
[ 48.507462][ T3616] fbcon_set_font+0x89c/0xab0
[ 48.507476][ T3616] ? fbcon_set_def_font+0x320/0x320
[ 48.507489][ T3616] con_font_op+0x75b/0xcc0
[ 48.507502][ T3616] ? con_write+0x40/0x40
[ 48.507515][ T3616] vt_ioctl+0x1efa/0x2b20
[ 48.507528][ T3616] ? vt_waitactive+0x350/0x350
[ 48.507541][ T3616] ? tomoyo_path_number_perm+0x441/0x590
[ 48.507559][ T3616] ? lockdep_hardirqs_on+0x79/0x100
[ 48.507574][ T3616] ? tomoyo_path_number_perm+0x24e/0x590
[ 48.507590][ T3616] ? tomoyo_execute_permission+0x4a0/0x4a0
[ 48.507606][ T3616] ? __sanitizer_cov_trace_switch+0x50/0x90
[ 48.507621][ T3616] ? vt_waitactive+0x350/0x350
[ 48.507634][ T3616] tty_ioctl+0xbbd/0x15e0
[ 48.507647][ T3616] ? tty_fasync+0x390/0x390
[ 48.507659][ T3616] ? selinux_inode_getsecctx+0x90/0x90
[ 48.507672][ T3616] ? find_held_lock+0x2d/0x110
[ 48.507686][ T3616] ? ptrace_notify+0xfa/0x140
[ 48.507699][ T3616] ? lock_downgrade+0x6e0/0x6e0
[ 48.507714][ T3616] ? selinux_file_ioctl+0xb1/0x270
[ 48.507727][ T3616] ? tty_fasync+0x390/0x390
[ 48.507738][ T3616] __x64_sys_ioctl+0x193/0x200
[ 48.507753][ T3616] do_syscall_64+0x35/0xb0
[ 48.507764][ T3616] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 48.507782][ T3616] RIP: 0033:0x7f8e38fe2339
[ 48.507792][ T3616] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 48.507805][ T3616] RSP: 002b:00007ffc7c6dc8d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 48.507819][ T3616] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f8e38fe2339
[ 48.507829][ T3616] RDX: 0000000020000000 RSI: 0000000000004b72 RDI: 0000000000000004
[ 48.507837][ T3616] RBP: 00007f8e38fa6120 R08: 000000000000000d R09: 0000000000000000
[ 48.507846][ T3616] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8e38fa61b0
[ 48.507859][ T3616] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 48.507869][ T3616] </TASK>
[ 48.507873][ T3616]
[ 48.507877][ T3616] The buggy address belongs to the virtual mapping at
[ 48.507877][ T3616] [ffffc90004120000, ffffc90004129000) created by:
[ 48.507877][ T3616] kernel_clone+0xe7/0xab0
[ 48.507896][ T3616]
[ 48.507898][ T3616] The buggy address belongs to the physical page:
[ 48.507904][ T3616] page:ffffea00007a6b80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e9ae
[ 48.507922][ T3616] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 48.507939][ T3616] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
[ 48.507951][ T3616] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 48.507958][ T3616] page dumped because: kasan: bad access detected
[ 48.507963][ T3616] page_owner tracks the page as allocated
[ 48.507967][ T3616] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 2, tgid 2 (kthreadd), ts 7665331315, free_ts 0
[ 48.507989][ T3616] get_page_from_freelist+0x1290/0x3b70
[ 48.508002][ T3616] __alloc_pages+0x1c7/0x510
[ 48.508013][ T3616] alloc_pages+0x1aa/0x310
[ 48.508027][ T3616] __vmalloc_node_range+0x735/0x13e0
[ 48.508042][ T3616] copy_process+0x156e/0x7020
[ 48.508053][ T3616] kernel_clone+0xe7/0xab0
[ 48.508064][ T3616] kernel_thread+0xb5/0xf0
[ 48.508075][ T3616] kthreadd+0x4ea/0x750
[ 48.508086][ T3616] ret_from_fork+0x1f/0x30
[ 48.508099][ T3616] page_owner free stack trace missing
[ 48.508103][ T3616]
[ 48.508105][ T3616] Memory state around the buggy address:
[ 48.508111][ T3616] ffffc90004127c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 48.508119][ T3616] ffffc90004127c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 48.508128][ T3616] >ffffc90004127d00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f3 f3
[ 48.508134][ T3616] ^
[ 48.508140][ T3616] ffffc90004127d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 48.508149][ T3616] ffffc90004127e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 48.508155][ T3616] ==================================================================
[ 48.508165][ T3616] Kernel panic - not syncing: panic_on_warn set ...
[ 48.508170][ T3616] CPU: 1 PID: 3616 Comm: syz-executor359 Not tainted 5.19.0-rc6-syzkaller-00447-g55ea9bd66688 #0
[ 48.508184][ T3616] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
[ 48.508190][ T3616] Call Trace:
[ 48.508193][ T3616] <TASK>
[ 48.508197][ T3616] dump_stack_lvl+0xcd/0x134
[ 48.508211][ T3616] panic+0x2d7/0x636
[ 48.508224][ T3616] ? panic_print_sys_info.part.0+0x10b/0x10b
[ 48.508238][ T3616] ? sys_imageblit+0x1ed0/0x2240
[ 48.508253][ T3616] ? sys_imageblit+0x1ed0/0x2240
[ 48.508267][ T3616] end_report.part.0+0x3f/0x7c
[ 48.508280][ T3616] kasan_report.cold+0x93/0x1c6
[ 48.508293][ T3616] ? sys_imageblit+0x1ed0/0x2240
[ 48.508307][ T3616] sys_imageblit+0x1ed0/0x2240
[ 48.508322][ T3616] ? sys_copyarea+0x1fa0/0x1fa0
[ 48.508337][ T3616] drm_fbdev_fb_imageblit+0x15c/0x350
[ 48.508353][ T3616] bit_putcs+0x6e1/0xd20
[ 48.508366][ T3616] ? bit_clear+0x4f0/0x4f0
[ 48.508380][ T3616] ? kasan_save_stack+0x2e/0x40
[ 48.508393][ T3616] ? kasan_save_stack+0x1e/0x40
[ 48.508406][ T3616] ? __kasan_kmalloc+0xa6/0xd0
[ 48.508419][ T3616] ? fb_get_color_depth+0x11a/0x240
[ 48.508434][ T3616] ? __sanitizer_cov_trace_switch+0x50/0x90
[ 48.508448][ T3616] ? bit_clear+0x4f0/0x4f0
[ 48.508460][ T3616] fbcon_putcs+0x314/0x3e0
[ 48.508473][ T3616] do_update_region+0x399/0x630
[ 48.508488][ T3616] ? con_get_trans_old+0x2a0/0x2a0
[ 48.508503][ T3616] ? __kmalloc+0x64/0x4d0
[ 48.508515][ T3616] ? fbcon_invert_region+0x8f/0x1c0
[ 48.508528][ T3616] invert_screen+0x1d4/0x600
[ 48.508540][ T3616] ? vc_uniscr_copy_line+0x4c0/0x4c0
[ 48.508552][ T3616] ? rcu_read_lock_sched_held+0x3a/0x70
[ 48.508567][ T3616] ? trace_kmalloc+0x32/0xf0
[ 48.508579][ T3616] ? __kmalloc+0x221/0x4d0
[ 48.508591][ T3616] ? vc_do_resize+0x36c/0x1170
[ 48.508603][ T3616] clear_selection+0x55/0x70
[ 48.508616][ T3616] vc_do_resize+0xe61/0x1170
[ 48.508629][ T3616] ? lock_downgrade+0x6e0/0x6e0
[ 48.508644][ T3616] ? store_bind+0x720/0x720
[ 48.508656][ T3616] fbcon_do_set_font+0x43a/0x6f0
[ 48.508669][ T3616] fbcon_set_font+0x89c/0xab0
[ 48.508682][ T3616] ? fbcon_set_def_font+0x320/0x320
[ 48.508695][ T3616] con_font_op+0x75b/0xcc0
[ 48.508707][ T3616] ? con_write+0x40/0x40
[ 48.508720][ T3616] vt_ioctl+0x1efa/0x2b20
[ 48.508732][ T3616] ? vt_waitactive+0x350/0x350
[ 48.508745][ T3616] ? tomoyo_path_number_perm+0x441/0x590
[ 48.508760][ T3616] ? lockdep_hardirqs_on+0x79/0x100
[ 48.508774][ T3616] ? tomoyo_path_number_perm+0x24e/0x590
[ 48.508790][ T3616] ? tomoyo_execute_permission+0x4a0/0x4a0
[ 48.508806][ T3616] ? __sanitizer_cov_trace_switch+0x50/0x90
[ 48.508820][ T3616] ? vt_waitactive+0x350/0x350
[ 48.508833][ T3616] tty_ioctl+0xbbd/0x15e0
[ 48.508844][ T3616] ? tty_fasync+0x390/0x390
[ 48.508856][ T3616] ? selinux_inode_getsecctx+0x90/0x90
[ 48.508868][ T3616] ? find_held_lock+0x2d/0x110
[ 48.508882][ T3616] ? ptrace_notify+0xfa/0x140
[ 48.508893][ T3616] ? lock_downgrade+0x6e0/0x6e0
[ 48.508912][ T3616] ? selinux_file_ioctl+0xb1/0x270
[ 48.508924][ T3616] ? tty_fasync+0x390/0x390
[ 48.508936][ T3616] __x64_sys_ioctl+0x193/0x200
[ 48.508948][ T3616] do_syscall_64+0x35/0xb0
[ 48.508960][ T3616] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 48.508975][ T3616] RIP: 0033:0x7f8e38fe2339
[ 48.508998][ T3616] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 48.509010][ T3616] RSP: 002b:00007ffc7c6dc8d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 48.509022][ T3616] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f8e38fe2339
[ 48.509031][ T3616] RDX: 0000000020000000 RSI: 0000000000004b72 RDI: 0000000000000004
[ 48.509039][ T3616] RBP: 00007f8e38fa6120 R08: 000000000000000d R09: 0000000000000000
[ 48.509047][ T3616] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8e38fa61b0
[ 48.509055][ T3616] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 48.509064][ T3616] </TASK>
[ 48.509248][ T3616] Kernel Offset: disabled
[ 49.501553][ T3616] Rebooting in 86400 seconds..