Warning: Permanently added '10.128.0.241' (ECDSA) to the list of known hosts.
2020/07/30 12:22:27 parsed 1 programs
2020/07/30 12:22:27 executed programs: 0
syzkaller login: [  660.932737] audit: type=1400 audit(1596111747.759:8): avc: denied { execmem } for pid=6380 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[  661.236159] IPVS: ftp: loaded support on port[0] = 21
[  662.066403] chnl_net:caif_netlink_parms(): no params data found
[  662.172054] bridge0: port 1(bridge_slave_0) entered blocking state
[  662.179086] bridge0: port 1(bridge_slave_0) entered disabled state
[  662.187583] device bridge_slave_0 entered promiscuous mode
[  662.194826] bridge0: port 2(bridge_slave_1) entered blocking state
[  662.202301] bridge0: port 2(bridge_slave_1) entered disabled state
[  662.209839] device bridge_slave_1 entered promiscuous mode
[  662.227753] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  662.236974] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  662.260213] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  662.268250] team0: Port device team_slave_0 added
[  662.275565] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  662.282829] team0: Port device team_slave_1 added
[  662.300167] batman_adv: batadv0: Adding interface: batadv_slave_0
[  662.306569] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[  662.331860] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[  662.343490] batman_adv: batadv0: Adding interface: batadv_slave_1
[  662.350013] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[  662.375363] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[  662.386543] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[  662.394064] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[  662.448731] device hsr_slave_0 entered promiscuous mode
[  662.495550] device hsr_slave_1 entered promiscuous mode
[  662.535889] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[  662.543101] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[  662.614843] bridge0: port 2(bridge_slave_1) entered blocking state
[  662.621547] bridge0: port 2(bridge_slave_1) entered forwarding state
[  662.628732] bridge0: port 1(bridge_slave_0) entered blocking state
[  662.635267] bridge0: port 1(bridge_slave_0) entered forwarding state
[  662.670335] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[  662.678210] 8021q: adding VLAN 0 to HW filter on device bond0
[  662.687029] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  662.697341] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  662.716586] bridge0: port 1(bridge_slave_0) entered disabled state
[  662.724483] bridge0: port 2(bridge_slave_1) entered disabled state
[  662.736161] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[  662.742279] 8021q: adding VLAN 0 to HW filter on device team0
[  662.751953] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  662.760082] bridge0: port 1(bridge_slave_0) entered blocking state
[  662.766519] bridge0: port 1(bridge_slave_0) entered forwarding state
[  662.776333] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  662.784081] bridge0: port 2(bridge_slave_1) entered blocking state
[  662.790628] bridge0: port 2(bridge_slave_1) entered forwarding state
[  662.806911] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  662.814795] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  662.823640] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  662.833962] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  662.844468] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  662.853958] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[  662.860127] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  662.873155] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[  662.881361] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[  662.888512] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[  662.900377] 8021q: adding VLAN 0 to HW filter on device batadv0
[  662.961140] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[  662.971443] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[  663.005795] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[  663.012918] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[  663.019942] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[  663.030949] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[  663.038667] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[  663.045965] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[  663.053151] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  663.062668] device veth0_vlan entered promiscuous mode
[  663.072362] device veth1_vlan entered promiscuous mode
[  663.087720] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[  663.097852] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[  663.104716] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[  663.113429] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[  663.123369] device veth0_macvtap entered promiscuous mode
[  663.130754] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[  663.139764] device veth1_macvtap entered promiscuous mode
[  663.146484] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[  663.155959] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[  663.165693] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[  663.175867] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[  663.183061] batman_adv: batadv0: Interface activated: batadv_slave_0
[  663.190418] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[  663.197965] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[  663.205197] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[  663.212937] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[  663.223947] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[  663.231587] batman_adv: batadv0: Interface activated: batadv_slave_1
[  663.238304] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[  663.246234] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2020/07/30 12:22:32 executed programs: 30
[  666.446218] Bluetooth: hci0 command 0x0409 tx timeout
[  668.525856] Bluetooth: hci0 command 0x041b tx timeout
[  670.605412] Bluetooth: hci0 command 0x040f tx timeout
2020/07/30 12:22:37 executed programs: 277
[  672.685351] Bluetooth: hci0 command 0x0419 tx timeout
2020/07/30 12:22:42 executed programs: 527
2020/07/30 12:22:47 executed programs: 773
2020/07/30 12:22:52 executed programs: 1017
2020/07/30 12:22:57 executed programs: 1265
2020/07/30 12:23:02 executed programs: 1653
2020/07/30 12:23:07 executed programs: 2103
2020/07/30 12:23:12 executed programs: 2615
2020/07/30 12:23:17 executed programs: 3120
2020/07/30 12:23:22 executed programs: 3564
2020/07/30 12:23:27 executed programs: 3997
2020/07/30 12:23:32 executed programs: 4423
2020/07/30 12:23:37 executed programs: 4861
[  731.331808] ==================================================================
[  731.339510] BUG: KASAN: use-after-free in delete_and_unsubscribe_port+0x3c7/0x4a0
[  731.347173] Read of size 8 at addr ffff88808aa5f890 by task syz-executor.0/22652
[  731.354723] 
[  731.356371] CPU: 1 PID: 22652 Comm: syz-executor.0 Not tainted 4.14.190-syzkaller #0
[  731.364255] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  731.373637] Call Trace:
[  731.376325]  dump_stack+0x1b2/0x283
[  731.380060]  print_address_description.cold+0x54/0x1d3
[  731.385364]  kasan_report_error.cold+0x8a/0x194
[  731.390049]  ? delete_and_unsubscribe_port+0x3c7/0x4a0
[  731.395351]  __asan_report_load8_noabort+0x68/0x70
[  731.400305]  ? delete_and_unsubscribe_port+0x3c7/0x4a0
[  731.405596]  delete_and_unsubscribe_port+0x3c7/0x4a0
[  731.410738]  snd_seq_port_disconnect+0x372/0x500
[  731.415551]  ? check_subscription_permission.isra.0+0x112/0x1e0
[  731.421674]  snd_seq_ioctl_unsubscribe_port+0x1d4/0x370
[  731.427122]  ? snd_seq_ioctl_running_mode+0x140/0x140
[  731.432462]  ? lock_acquire+0x170/0x3f0
[  731.436466]  ? lock_downgrade+0x740/0x740
[  731.440733]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[  731.445879]  snd_seq_kernel_client_ctl+0xcb/0x110
[  731.450846]  snd_seq_oss_midi_close+0x29c/0x400
[  731.455571]  ? snd_seq_oss_midi_open_all+0xc0/0xc0
[  731.460525]  ? snd_seq_oss_midi_reset+0xb9/0x400
[  731.465311]  snd_seq_oss_synth_reset+0x39d/0x830
[  731.470118]  ? snd_seq_oss_synth_cleanup+0x460/0x460
[  731.475255]  ? __lock_acquire+0x5fc/0x3f20
[  731.479527]  ? trace_hardirqs_on+0x10/0x10
[  731.483834]  snd_seq_oss_reset+0x64/0x250
[  731.488049]  snd_seq_oss_ioctl+0x9a5/0xc30
[  731.492334]  ? snd_seq_oss_midi_info_user+0xf0/0xf0
[  731.497479]  ? futex_exit_release+0x220/0x220
[  731.502027]  odev_ioctl+0x4f/0x90
[  731.505510]  ? odev_open+0x80/0x80
[  731.509171]  do_vfs_ioctl+0x75a/0xff0
[  731.513078]  ? selinux_inode_setxattr+0x730/0x730
[  731.517947]  ? ioctl_preallocate+0x1a0/0x1a0
[  731.522406]  ? lock_downgrade+0x740/0x740
[  731.526711]  ? __fget+0x225/0x360
[  731.530298]  ? security_file_ioctl+0x83/0xb0
[  731.534737]  SyS_ioctl+0x7f/0xb0
[  731.538124]  ? do_vfs_ioctl+0xff0/0xff0
[  731.542146]  do_syscall_64+0x1d5/0x640
[  731.546083]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[  731.551301] RIP: 0033:0x45cc79
[  731.554570] RSP: 002b:00007fc7fd2b0c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  731.562326] RAX: ffffffffffffffda RBX: 00000000000154c0 RCX: 000000000045cc79
[  731.569668] RDX: 0000000000000000 RSI: 0000000000005100 RDI: 0000000000000003
[  731.576952] RBP: 000000000078bfd8 R08: 0000000000000000 R09: 0000000000000000
[  731.584232] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078bfac
[  731.591520] R13: 00007ffdabb79c3f R14: 00007fc7fd2b19c0 R15: 000000000078bfac
[  731.598858] 
[  731.600493] Allocated by task 22651:
[  731.604259]  kasan_kmalloc+0xeb/0x160
[  731.608086]  kmem_cache_alloc_trace+0x131/0x3d0
[  731.612805]  snd_seq_port_connect+0x5d/0x4d0
[  731.617251]  snd_seq_ioctl_subscribe_port+0x1d4/0x370
[  731.622487]  snd_seq_kernel_client_ctl+0xcb/0x110
[  731.627369]  snd_seq_oss_midi_open+0x485/0x590
[  731.632000]  snd_seq_oss_synth_setup_midi+0x104/0x4d0
[  731.637211]  snd_seq_oss_open+0x7a0/0x920
[  731.641387]  odev_open+0x62/0x80
[  731.644846]  soundcore_open+0x3ee/0x5a0
[  731.648842]  chrdev_open+0x23c/0x6d0
[  731.652628]  do_dentry_open+0x44b/0xec0
[  731.656634]  vfs_open+0x105/0x220
[  731.660108]  path_openat+0x628/0x2970
[  731.663929]  do_filp_open+0x179/0x3c0
[  731.667789]  do_sys_open+0x296/0x410
[  731.671563]  do_syscall_64+0x1d5/0x640
[  731.675498]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[  731.680694] 
[  731.682352] Freed by task 22651:
[  731.685737]  kasan_slab_free+0xc3/0x1a0
[  731.689760]  kfree+0xc9/0x250
[  731.692896]  snd_seq_port_disconnect+0x3f1/0x500
[  731.697689]  snd_seq_ioctl_unsubscribe_port+0x1d4/0x370
[  731.703138]  snd_seq_kernel_client_ctl+0xcb/0x110
[  731.708041]  snd_seq_oss_midi_close+0x29c/0x400
[  731.712802]  snd_seq_oss_synth_reset+0x39d/0x830
[  731.717649]  snd_seq_oss_reset+0x64/0x250
[  731.721851]  snd_seq_oss_ioctl+0x9a5/0xc30
[  731.726106]  odev_ioctl+0x4f/0x90
[  731.729583]  do_vfs_ioctl+0x75a/0xff0
[  731.733393]  SyS_ioctl+0x7f/0xb0
[  731.736771]  do_syscall_64+0x1d5/0x640
[  731.740684]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[  731.745885] 
[  731.747511] The buggy address belongs to the object at ffff88808aa5f840
[  731.747511]  which belongs to the cache kmalloc-128 of size 128
[  731.760190] The buggy address is located 80 bytes inside of
[  731.760190]  128-byte region [ffff88808aa5f840, ffff88808aa5f8c0)
[  731.772006] The buggy address belongs to the page:
[  731.776983] page:ffffea00022a97c0 count:1 mapcount:0 mapping:ffff88808aa5f000 index:0x0
[  731.785153] flags: 0xfffe0000000100(slab)
[  731.789316] raw: 00fffe0000000100 ffff88808aa5f000 0000000000000000 0000000100000015
[  731.797204] raw: ffffea00022a5960 ffffea00022ebce0 ffff88812fe52640 0000000000000000
[  731.805103] page dumped because: kasan: bad access detected
[  731.810816] 
[  731.812436] Memory state around the buggy address:
[  731.817388]  ffff88808aa5f780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  731.824777]  ffff88808aa5f800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  731.832155] >ffff88808aa5f880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  731.839528]                          ^
[  731.843466]  ffff88808aa5f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  731.850852]  ffff88808aa5f980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  731.858242] ==================================================================
[  731.865605] Disabling lock debugging due to kernel taint
[  731.871076] Kernel panic - not syncing: panic_on_warn set ...
[  731.871076] 
[  731.878447] CPU: 1 PID: 22652 Comm: syz-executor.0 Tainted: G    B   4.14.190-syzkaller #0
[  731.887540] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  731.896895] Call Trace:
[  731.899494]  dump_stack+0x1b2/0x283
[  731.903246]  panic+0x1f9/0x42d
[  731.906475]  ? add_taint.cold+0x16/0x16
[  731.910460]  ? lock_downgrade+0x740/0x740
[  731.914626]  kasan_end_report+0x43/0x49
[  731.918647]  kasan_report_error.cold+0xa7/0x194
[  731.923357]  ? delete_and_unsubscribe_port+0x3c7/0x4a0
[  731.928719]  __asan_report_load8_noabort+0x68/0x70
[  731.933730]  ? delete_and_unsubscribe_port+0x3c7/0x4a0
[  731.939078]  delete_and_unsubscribe_port+0x3c7/0x4a0
[  731.944342]  snd_seq_port_disconnect+0x372/0x500
[  731.949137]  ? check_subscription_permission.isra.0+0x112/0x1e0
[  731.955231]  snd_seq_ioctl_unsubscribe_port+0x1d4/0x370
[  731.960661]  ? snd_seq_ioctl_running_mode+0x140/0x140
[  731.965881]  ? lock_acquire+0x170/0x3f0
[  731.969937]  ? lock_downgrade+0x740/0x740
[  731.974151]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[  731.979303]  snd_seq_kernel_client_ctl+0xcb/0x110
[  731.984237]  snd_seq_oss_midi_close+0x29c/0x400
[  731.989012]  ? snd_seq_oss_midi_open_all+0xc0/0xc0
[  731.994030]  ? snd_seq_oss_midi_reset+0xb9/0x400
[  731.998877]  snd_seq_oss_synth_reset+0x39d/0x830
[  732.003685]  ? snd_seq_oss_synth_cleanup+0x460/0x460
[  732.008847]  ? __lock_acquire+0x5fc/0x3f20
[  732.013167]  ? trace_hardirqs_on+0x10/0x10
[  732.017492]  snd_seq_oss_reset+0x64/0x250
[  732.021701]  snd_seq_oss_ioctl+0x9a5/0xc30
[  732.025990]  ? snd_seq_oss_midi_info_user+0xf0/0xf0
[  732.031047]  ? futex_exit_release+0x220/0x220
[  732.035579]  odev_ioctl+0x4f/0x90
[  732.039077]  ? odev_open+0x80/0x80
[  732.042636]  do_vfs_ioctl+0x75a/0xff0
[  732.046468]  ? selinux_inode_setxattr+0x730/0x730
[  732.051371]  ? ioctl_preallocate+0x1a0/0x1a0
[  732.055801]  ? lock_downgrade+0x740/0x740
[  732.060039]  ? __fget+0x225/0x360
[  732.063548]  ? security_file_ioctl+0x83/0xb0
[  732.067991]  SyS_ioctl+0x7f/0xb0
[  732.071391]  ? do_vfs_ioctl+0xff0/0xff0
[  732.075388]  do_syscall_64+0x1d5/0x640
[  732.079298]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[  732.084499] RIP: 0033:0x45cc79
[  732.087691] RSP: 002b:00007fc7fd2b0c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  732.095458] RAX: ffffffffffffffda RBX: 00000000000154c0 RCX: 000000000045cc79
[  732.102785] RDX: 0000000000000000 RSI: 0000000000005100 RDI: 0000000000000003
[  732.110099] RBP: 000000000078bfd8 R08: 0000000000000000 R09: 0000000000000000
[  732.117411] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078bfac
[  732.124756] R13: 00007ffdabb79c3f R14: 00007fc7fd2b19c0 R15: 000000000078bfac
[  732.133637] Kernel Offset: disabled
[  732.137321] Rebooting in 86400 seconds..