Warning: Permanently added '10.128.1.57' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 69.748542][ T8788] ==================================================================
[ 69.756725][ T8788] BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0
[ 69.763898][ T8788] Read of size 8 at addr ffff8880a8dd0078 by task syz-executor145/8788
[ 69.772106][ T8788]
[ 69.774422][ T8788] CPU: 0 PID: 8788 Comm: syz-executor145 Not tainted 5.4.0-rc6-next-20191111 #0
[ 69.783411][ T8788] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.793443][ T8788] Call Trace:
[ 69.796712][ T8788] dump_stack+0x197/0x210
[ 69.801021][ T8788] ? __list_add_valid+0x9a/0xa0
[ 69.805902][ T8788] print_address_description.constprop.0.cold+0xd4/0x30b
[ 69.812901][ T8788] ? __list_add_valid+0x9a/0xa0
[ 69.817728][ T8788] ? __list_add_valid+0x9a/0xa0
[ 69.822559][ T8788] __kasan_report.cold+0x1b/0x41
[ 69.827474][ T8788] ? __list_add_valid+0x9a/0xa0
[ 69.832341][ T8788] kasan_report+0x12/0x20
[ 69.836663][ T8788] __asan_report_load8_noabort+0x14/0x20
[ 69.842296][ T8788] __list_add_valid+0x9a/0xa0
[ 69.846965][ T8788] snd_timer_open+0x245/0x1150
[ 69.851707][ T8788] ? kmem_cache_alloc_trace+0x397/0x790
[ 69.857231][ T8788] ? snd_timer_close_locked+0xbd0/0xbd0
[ 69.862767][ T8788] ? kstrdup+0x5a/0x70
[ 69.866818][ T8788] __snd_timer_user_ioctl.isra.0+0x7ed/0x2070
[ 69.872864][ T8788] ? snd_timer_user_open+0x190/0x190
[ 69.878127][ T8788] ? lock_acquire+0x190/0x410
[ 69.882788][ T8788] ? snd_timer_user_ioctl+0x51/0xa7
[ 69.887968][ T8788] ? __mutex_lock+0x458/0x13c0
[ 69.892722][ T8788] ? snd_timer_user_ioctl+0x51/0xa7
[ 69.897898][ T8788] ? tomoyo_path_number_perm+0x454/0x520
[ 69.903519][ T8788] ? mutex_trylock+0x2f0/0x2f0
[ 69.908268][ T8788] ? tomoyo_path_number_perm+0x25e/0x520
[ 69.913882][ T8788] ? tomoyo_execute_permission+0x4a0/0x4a0
[ 69.919679][ T8788] snd_timer_user_ioctl+0x7a/0xa7
[ 69.924684][ T8788] ? snd_timer_user_ioctl_compat+0x680/0x680
[ 69.930644][ T8788] do_vfs_ioctl+0x977/0x14e0
[ 69.935226][ T8788] ? compat_ioctl_preallocate+0x220/0x220
[ 69.940944][ T8788] ? __kasan_check_write+0x14/0x20
[ 69.946032][ T8788] ? up_read+0x1cd/0x810
[ 69.950255][ T8788] ? tomoyo_file_ioctl+0x23/0x30
[ 69.955170][ T8788] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 69.961387][ T8788] ? security_file_ioctl+0x8d/0xc0
[ 69.966476][ T8788] ksys_ioctl+0xab/0xd0
[ 69.970611][ T8788] __x64_sys_ioctl+0x73/0xb0
[ 69.975182][ T8788] do_syscall_64+0xfa/0x760
[ 69.979855][ T8788] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.985723][ T8788] RIP: 0033:0x444f39
[ 69.989602][ T8788] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb cd fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 70.009180][ T8788] RSP: 002b:00007fff55349318 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 70.017608][ T8788] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f39
[ 70.025570][ T8788] RDX: 0000000020029fcc RSI: 0000000040345410 RDI: 0000000000000003
[ 70.033518][ T8788] RBP: 0000000000011056 R08: 0000000000000004 R09: 00000000004002e0
[ 70.041499][ T8788] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000402180
[ 70.049501][ T8788] R13: 0000000000402210 R14: 0000000000000000 R15: 0000000000000000
[ 70.057464][ T8788]
[ 70.059777][ T8788] Allocated by task 8787:
[ 70.064103][ T8788] save_stack+0x23/0x90
[ 70.068249][ T8788] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 70.073867][ T8788] kasan_kmalloc+0x9/0x10
[ 70.078184][ T8788] kmem_cache_alloc_trace+0x158/0x790
[ 70.083684][ T8788] snd_timer_instance_new+0x4a/0x300
[ 70.088951][ T8788] __snd_timer_user_ioctl.isra.0+0x665/0x2070
[ 70.095110][ T8788] snd_timer_user_ioctl+0x7a/0xa7
[ 70.100134][ T8788] do_vfs_ioctl+0x977/0x14e0
[ 70.104703][ T8788] ksys_ioctl+0xab/0xd0
[ 70.108883][ T8788] __x64_sys_ioctl+0x73/0xb0
[ 70.113490][ T8788] do_syscall_64+0xfa/0x760
[ 70.117990][ T8788] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 70.124813][ T8788]
[ 70.127122][ T8788] Freed by task 8787:
[ 70.131087][ T8788] save_stack+0x23/0x90
[ 70.135334][ T8788] __kasan_slab_free+0x102/0x150
[ 70.140244][ T8788] kasan_slab_free+0xe/0x10
[ 70.144883][ T8788] kfree+0x10a/0x2c0
[ 70.148756][ T8788] snd_timer_instance_free+0x7c/0xa0
[ 70.154018][ T8788] __snd_timer_user_ioctl.isra.0+0x160d/0x2070
[ 70.160146][ T8788] snd_timer_user_ioctl+0x7a/0xa7
[ 70.165191][ T8788] do_vfs_ioctl+0x977/0x14e0
[ 70.169760][ T8788] ksys_ioctl+0xab/0xd0
[ 70.173889][ T8788] __x64_sys_ioctl+0x73/0xb0
[ 70.178458][ T8788] do_syscall_64+0xfa/0x760
[ 70.182943][ T8788] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 70.188806][ T8788]
[ 70.191113][ T8788] The buggy address belongs to the object at ffff8880a8dd0000
[ 70.191113][ T8788] which belongs to the cache kmalloc-256 of size 256
[ 70.205139][ T8788] The buggy address is located 120 bytes inside of
[ 70.205139][ T8788] 256-byte region [ffff8880a8dd0000, ffff8880a8dd0100)
[ 70.218385][ T8788] The buggy address belongs to the page:
[ 70.224009][ T8788] page:ffffea0002a37400 refcount:1 mapcount:0 mapping:ffff8880aa4008c0 index:0xffff8880a8dd0a00
[ 70.234404][ T8788] flags: 0x1fffc0000000200(slab)
[ 70.239330][ T8788] raw: 01fffc0000000200 ffffea0002976fc8 ffff8880aa401638 ffff8880aa4008c0
[ 70.247906][ T8788] raw: ffff8880a8dd0a00 ffff8880a8dd0000 0000000100000005 0000000000000000
[ 70.256461][ T8788] page dumped because: kasan: bad access detected
[ 70.262842][ T8788]
[ 70.265150][ T8788] Memory state around the buggy address:
[ 70.270757][ T8788] ffff8880a8dcff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 70.278796][ T8788] ffff8880a8dcff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 70.286835][ T8788] >ffff8880a8dd0000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.295026][ T8788] ^
[ 70.303076][ T8788] ffff8880a8dd0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.311136][ T8788] ffff8880a8dd0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 70.319183][ T8788] ==================================================================
[ 70.327218][ T8788] Disabling lock debugging due to kernel taint
[ 70.334132][ T8788] Kernel panic - not syncing: panic_on_warn set ...
[ 70.340722][ T8788] CPU: 0 PID: 8788 Comm: syz-executor145 Tainted: G B 5.4.0-rc6-next-20191111 #0
[ 70.351103][ T8788] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.361157][ T8788] Call Trace:
[ 70.364428][ T8788] dump_stack+0x197/0x210
[ 70.368738][ T8788] panic+0x2e3/0x75c
[ 70.372608][ T8788] ? add_taint.cold+0x16/0x16
[ 70.377260][ T8788] ? __list_add_valid+0x9a/0xa0
[ 70.382098][ T8788] ? preempt_schedule+0x4b/0x60
[ 70.386936][ T8788] ? ___preempt_schedule+0x16/0x18
[ 70.392030][ T8788] ? trace_hardirqs_on+0x5e/0x240
[ 70.397029][ T8788] ? __list_add_valid+0x9a/0xa0
[ 70.401853][ T8788] end_report+0x47/0x4f
[ 70.405984][ T8788] ? __list_add_valid+0x9a/0xa0
[ 70.410818][ T8788] __kasan_report.cold+0xe/0x41
[ 70.415649][ T8788] ? __list_add_valid+0x9a/0xa0
[ 70.420474][ T8788] kasan_report+0x12/0x20
[ 70.424776][ T8788] __asan_report_load8_noabort+0x14/0x20
[ 70.430386][ T8788] __list_add_valid+0x9a/0xa0
[ 70.435045][ T8788] snd_timer_open+0x245/0x1150
[ 70.439782][ T8788] ? kmem_cache_alloc_trace+0x397/0x790
[ 70.445413][ T8788] ? snd_timer_close_locked+0xbd0/0xbd0
[ 70.450944][ T8788] ? kstrdup+0x5a/0x70
[ 70.454988][ T8788] __snd_timer_user_ioctl.isra.0+0x7ed/0x2070
[ 70.461028][ T8788] ? snd_timer_user_open+0x190/0x190
[ 70.466293][ T8788] ? lock_acquire+0x190/0x410
[ 70.470947][ T8788] ? snd_timer_user_ioctl+0x51/0xa7
[ 70.476123][ T8788] ? __mutex_lock+0x458/0x13c0
[ 70.480862][ T8788] ? snd_timer_user_ioctl+0x51/0xa7
[ 70.486060][ T8788] ? tomoyo_path_number_perm+0x454/0x520
[ 70.491693][ T8788] ? mutex_trylock+0x2f0/0x2f0
[ 70.496436][ T8788] ? tomoyo_path_number_perm+0x25e/0x520
[ 70.502044][ T8788] ? tomoyo_execute_permission+0x4a0/0x4a0
[ 70.507831][ T8788] snd_timer_user_ioctl+0x7a/0xa7
[ 70.512829][ T8788] ? snd_timer_user_ioctl_compat+0x680/0x680
[ 70.518795][ T8788] do_vfs_ioctl+0x977/0x14e0
[ 70.523362][ T8788] ? compat_ioctl_preallocate+0x220/0x220
[ 70.529078][ T8788] ? __kasan_check_write+0x14/0x20
[ 70.534175][ T8788] ? up_read+0x1cd/0x810
[ 70.538427][ T8788] ? tomoyo_file_ioctl+0x23/0x30
[ 70.543378][ T8788] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 70.549600][ T8788] ? security_file_ioctl+0x8d/0xc0
[ 70.554694][ T8788] ksys_ioctl+0xab/0xd0
[ 70.558826][ T8788] __x64_sys_ioctl+0x73/0xb0
[ 70.563392][ T8788] do_syscall_64+0xfa/0x760
[ 70.567872][ T8788] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 70.573773][ T8788] RIP: 0033:0x444f39
[ 70.577688][ T8788] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb cd fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 70.597279][ T8788] RSP: 002b:00007fff55349318 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 70.605670][ T8788] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f39
[ 70.613614][ T8788] RDX: 0000000020029fcc RSI: 0000000040345410 RDI: 0000000000000003
[ 70.621601][ T8788] RBP: 0000000000011056 R08: 0000000000000004 R09: 00000000004002e0
[ 70.629549][ T8788] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000402180
[ 70.637496][ T8788] R13: 0000000000402210 R14: 0000000000000000 R15: 0000000000000000
[ 70.646786][ T8788] Kernel Offset: disabled
[ 70.651979][ T8788] Rebooting in 86400 seconds..