Warning: Permanently added '10.128.0.118' (ECDSA) to the list of known hosts.
executing program
executing program
[ 51.268621] ==================================================================
[ 51.276110] BUG: KASAN: use-after-free in _copy_from_user+0xef/0x140
[ 51.282693] Write of size 32 at addr ffff8880a534b3a0 by task syz-executor745/6430
[ 51.290381]
[ 51.291995] CPU: 1 PID: 6430 Comm: syz-executor745 Not tainted 4.19.115-syzkaller #0
[ 51.299866] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.309224] Call Trace:
[ 51.311808] dump_stack+0x188/0x20d
[ 51.315428] ? _copy_from_user+0xef/0x140
[ 51.319570] print_address_description.cold+0x7c/0x212
[ 51.324867] ? _copy_from_user+0xef/0x140
[ 51.329005] kasan_report.cold+0x88/0x2b9
[ 51.333235] _copy_from_user+0xef/0x140
[ 51.337346] snd_rawmidi_kernel_write1+0x301/0x6c0
[ 51.342401] snd_rawmidi_write+0x2e4/0xb50
[ 51.346774] ? snd_rawmidi_release+0xf0/0xf0
[ 51.351172] ? do_sys_open+0x2e2/0x500
[ 51.355072] ? do_futex+0x165/0x1b80
[ 51.359400] ? wake_up_q+0xf0/0xf0
[ 51.363116] ? find_held_lock+0x2d/0x110
[ 51.367789] ? __fget+0x319/0x510
[ 51.371250] __vfs_write+0xf7/0x760
[ 51.374868] ? snd_rawmidi_release+0xf0/0xf0
[ 51.379263] ? kernel_read+0x110/0x110
[ 51.383139] ? __inode_security_revalidate+0xd3/0x120
[ 51.388336] ? avc_policy_seqno+0x9/0x70
[ 51.392443] ? selinux_file_permission+0x87/0x520
[ 51.398317] ? security_file_permission+0x84/0x220
[ 51.403685] vfs_write+0x206/0x550
[ 51.407233] ksys_write+0x12b/0x2a0
[ 51.410846] ? __ia32_sys_read+0xb0/0xb0
[ 51.414896] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 51.419640] ? trace_hardirqs_off_caller+0x55/0x210
[ 51.424910] ? do_syscall_64+0x21/0x620
[ 51.428869] do_syscall_64+0xf9/0x620
[ 51.432672] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.438454] RIP: 0033:0x44a3f9
[ 51.441646] Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b cc fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 51.461949] RSP: 002b:00007f571e99bdb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 51.470788] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 000000000044a3f9
[ 51.478425] RDX: 0000000020000339 RSI: 00000000200001c0 RDI: 0000000000000003
[ 51.487743] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 51.495351] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
[ 51.503246] R13: 00007fff8662259f R14: 00007f571e99c9c0 R15: 20c49ba5e353f7cf
[ 51.511171]
[ 51.512782] Allocated by task 6430:
[ 51.516570] kasan_kmalloc+0xbf/0xe0
[ 51.520382] __kmalloc_node+0x4c/0x70
[ 51.524183] kvmalloc_node+0x61/0xf0
[ 51.527967] open_substream+0x332/0x800
[ 51.531924] rawmidi_open_priv+0x58e/0x6e0
[ 51.536165] snd_rawmidi_open+0x449/0xaf0
[ 51.540306] snd_open+0x212/0x3e2
[ 51.543901] chrdev_open+0x219/0x5c0
[ 51.547615] do_dentry_open+0x4a8/0x1160
[ 51.551683] path_openat+0x1031/0x4200
[ 51.555603] do_filp_open+0x1a1/0x280
[ 51.559392] do_sys_open+0x3c0/0x500
[ 51.563132] do_syscall_64+0xf9/0x620
[ 51.566931] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.572163]
[ 51.573777] Freed by task 6431:
[ 51.577052] __kasan_slab_free+0xf7/0x140
[ 51.581416] kfree+0xce/0x220
[ 51.584524] kvfree+0x59/0x60
[ 51.587628] resize_runtime_buffer+0x29e/0x370
[ 51.592209] snd_rawmidi_output_params+0x128/0x170
[ 51.597130] snd_rawmidi_ioctl+0x640/0x740
[ 51.601367] do_vfs_ioctl+0xcda/0x12e0
[ 51.605241] ksys_ioctl+0x9b/0xc0
[ 51.608691] __x64_sys_ioctl+0x6f/0xb0
[ 51.612589] do_syscall_64+0xf9/0x620
[ 51.616375] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.621618]
[ 51.623235] The buggy address belongs to the object at ffff8880a534a640
[ 51.623235]  which belongs to the cache kmalloc-4096 of size 4096
[ 51.636135] The buggy address is located 3424 bytes inside of
[ 51.636135]  4096-byte region [ffff8880a534a640, ffff8880a534b640)
[ 51.650252] The buggy address belongs to the page:
[ 51.655460] page:ffffea000294d280 count:1 mapcount:0 mapping:ffff88812c3dcdc0 index:0x0 compound_mapcount: 0
[ 51.665426] flags: 0xfffe0000008100(slab|head)
[ 51.670101] raw: 00fffe0000008100 ffffea0002942988 ffffea0002920208 ffff88812c3dcdc0
[ 51.678130] raw: 0000000000000000 ffff8880a534a640 0000000100000001 0000000000000000
[ 51.686539] page dumped because: kasan: bad access detected
[ 51.692232]
[ 51.693846] Memory state around the buggy address:
[ 51.698848]  ffff8880a534b280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.706299]  ffff8880a534b300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.713642] >ffff8880a534b380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.720993]                                ^
[ 51.725382]  ffff8880a534b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.732901]  ffff8880a534b480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.740342] ==================================================================
[ 51.747955] Disabling lock debugging due to kernel taint
[ 51.757297] Kernel panic - not syncing: panic_on_warn set ...
[ 51.757297]
[ 51.764875] CPU: 0 PID: 6430 Comm: syz-executor745 Tainted: G B 4.19.115-syzkaller #0
[ 51.774410] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.784137] Call Trace:
[ 51.787014] dump_stack+0x188/0x20d
[ 51.790642] panic+0x26a/0x50e
[ 51.793825] ? __warn_printk+0xf3/0xf3
[ 51.798143] ? preempt_schedule_common+0x4a/0xc0
[ 51.802974] ? _copy_from_user+0xef/0x140
[ 51.807111] ? ___preempt_schedule+0x16/0x18
[ 51.812488] ? trace_hardirqs_on+0x55/0x210
[ 51.816897] ? _copy_from_user+0xef/0x140
[ 51.821368] kasan_end_report+0x43/0x49
[ 51.825410] kasan_report.cold+0xa4/0x2b9
[ 51.829561] _copy_from_user+0xef/0x140
[ 51.833545] snd_rawmidi_kernel_write1+0x301/0x6c0
[ 51.841520] snd_rawmidi_write+0x2e4/0xb50
[ 51.845747] ? snd_rawmidi_release+0xf0/0xf0
[ 51.850143] ? do_sys_open+0x2e2/0x500
[ 51.854279] ? do_futex+0x165/0x1b80
[ 51.858109] ? wake_up_q+0xf0/0xf0
[ 51.861810] ? find_held_lock+0x2d/0x110
[ 51.865885] ? __fget+0x319/0x510
[ 51.869539] __vfs_write+0xf7/0x760
[ 51.873267] ? snd_rawmidi_release+0xf0/0xf0
[ 51.878196] ? kernel_read+0x110/0x110
[ 51.882189] ? __inode_security_revalidate+0xd3/0x120
[ 51.887470] ? avc_policy_seqno+0x9/0x70
[ 51.891619] ? selinux_file_permission+0x87/0x520
[ 51.896725] ? security_file_permission+0x84/0x220
[ 51.901819] vfs_write+0x206/0x550
[ 51.905452] ksys_write+0x12b/0x2a0
[ 51.909079] ? __ia32_sys_read+0xb0/0xb0
[ 51.913237] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 51.918338] ? trace_hardirqs_off_caller+0x55/0x210
[ 51.923526] ? do_syscall_64+0x21/0x620
[ 51.927839] do_syscall_64+0xf9/0x620
[ 51.932841] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.938502] RIP: 0033:0x44a3f9
[ 51.941857] Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b cc fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 51.961476] RSP: 002b:00007f571e99bdb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 51.970069] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 000000000044a3f9
[ 51.977362] RDX: 0000000020000339 RSI: 00000000200001c0 RDI: 0000000000000003
[ 51.984715] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 51.992016] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
[ 51.999295] R13: 00007fff8662259f R14: 00007f571e99c9c0 R15: 20c49ba5e353f7cf
[ 52.008040] Kernel Offset: disabled
[ 52.011667] Rebooting in 86400 seconds..