[ 82.306262][ T27] audit: type=1800 audit(1580647899.326:25): pid=9687 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 83.123978][ T27] kauditd_printk_skb: 3 callbacks suppressed
[ 83.123989][ T27] audit: type=1800 audit(1580647900.136:29): pid=9687 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 83.151551][ T27] audit: type=1800 audit(1580647900.136:30): pid=9687 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.139' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login: [ 93.463006][ T9849] ==================================================================
[ 93.471476][ T9849] BUG: KASAN: use-after-free in snd_timer_resolution+0xf1/0x110
[ 93.479115][ T9849] Read of size 8 at addr ffff88809e0f5a00 by task syz-executor911/9849
[ 93.487491][ T9849]
[ 93.489818][ T9849] CPU: 1 PID: 9849 Comm: syz-executor911 Not tainted 5.5.0-rc6-next-20200116-syzkaller #0
[ 93.499697][ T9849] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 93.510050][ T9849] Call Trace:
[ 93.513334][ T9849]  dump_stack+0x197/0x210
[ 93.517712][ T9849]  ? snd_timer_resolution+0xf1/0x110
[ 93.523597][ T9849]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 93.530791][ T9849]  ? snd_timer_resolution+0xf1/0x110
[ 93.536096][ T9849]  ? snd_timer_resolution+0xf1/0x110
[ 93.541559][ T9849]  __kasan_report.cold+0x1b/0x32
[ 93.546530][ T9849]  ? snd_timer_resolution+0xf1/0x110
[ 93.552337][ T9849]  kasan_report+0x12/0x20
[ 93.556871][ T9849]  __asan_report_load8_noabort+0x14/0x20
[ 93.562502][ T9849]  snd_timer_resolution+0xf1/0x110
[ 93.567715][ T9849]  snd_seq_info_timer_read+0x95/0x2f1
[ 93.573105][ T9849]  snd_info_seq_show+0xcb/0x120
[ 93.577968][ T9849]  seq_read+0x4ca/0x1170
[ 93.582321][ T9849]  ? seq_open_private+0x50/0x50
[ 93.587179][ T9849]  proc_reg_read+0x1f8/0x2b0
[ 93.591822][ T9849]  ? proc_reg_unlocked_ioctl+0x2a0/0x2a0
[ 93.597592][ T9849]  do_iter_read+0x4a4/0x660
[ 93.602298][ T9849]  ? dup_iter+0x260/0x260
[ 93.606744][ T9849]  vfs_readv+0xf0/0x160
[ 93.611048][ T9849]  ? compat_rw_copy_check_uvector+0x4c0/0x4c0
[ 93.617244][ T9849]  ? lock_downgrade+0x920/0x920
[ 93.622118][ T9849]  ? handle_mm_fault+0x292/0xa50
[ 93.627128][ T9849]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 93.633501][ T9849]  ? __fget_light+0x1ad/0x270
[ 93.638190][ T9849]  do_preadv+0x1c4/0x280
[ 93.642452][ T9849]  ? do_readv+0x330/0x330
[ 93.646785][ T9849]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 93.652241][ T9849]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 93.657813][ T9849]  ? do_syscall_64+0x26/0x790
[ 93.662490][ T9849]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 93.669155][ T9849]  ? do_syscall_64+0x26/0x790
[ 93.673832][ T9849]  __x64_sys_preadv+0x9a/0xf0
[ 93.678507][ T9849]  do_syscall_64+0xfa/0x790
[ 93.683020][ T9849]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 93.688995][ T9849] RIP: 0033:0x441389
[ 93.692939][ T9849] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 93.712531][ T9849] RSP: 002b:00007ffc8aa7ce38 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[ 93.721066][ T9849] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441389
[ 93.729156][ T9849] RDX: 0000000000000227 RSI: 00000000200017c0 RDI: 0000000000000004
[ 93.737223][ T9849] RBP: 00007ffc8aa7ce50 R08: 000000000000000f R09: 00000000000000c2
[ 93.745191][ T9849] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402100
[ 93.754774][ T9849] R13: 0000000000402190 R14: 0000000000000000 R15: 0000000000000000
[ 93.762768][ T9849]
[ 93.765097][ T9849] Allocated by task 9852:
[ 93.769443][ T9849]  save_stack+0x23/0x90
[ 93.773674][ T9849]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 93.779568][ T9849]  kasan_kmalloc+0x9/0x10
[ 93.784060][ T9849]  kmem_cache_alloc_trace+0x158/0x790
[ 93.790045][ T9849]  snd_timer_instance_new+0x4a/0x300
[ 93.795597][ T9849]  snd_seq_timer_open+0x1c0/0x590
[ 93.800624][ T9849]  queue_use+0xf1/0x270
[ 93.804798][ T9849]  snd_seq_queue_alloc+0x2c5/0x4d0
[ 93.809915][ T9849]  snd_seq_ioctl_create_queue+0xb0/0x330
[ 93.815544][ T9849]  snd_seq_kernel_client_ctl+0xf8/0x140
[ 93.821185][ T9849]  alloc_seq_queue.isra.0+0xdc/0x180
[ 93.826463][ T9849]  snd_seq_oss_open+0x2ff/0x960
[ 93.831311][ T9849]  odev_open+0x70/0x90
[ 93.835456][ T9849]  soundcore_open+0x453/0x610
[ 93.840123][ T9849]  chrdev_open+0x245/0x6b0
[ 93.844531][ T9849]  do_dentry_open+0x4ca/0x1350
[ 93.849290][ T9849]  vfs_open+0xa0/0xd0
[ 93.853275][ T9849]  path_openat+0x12fd/0x34d0
[ 93.857881][ T9849]  do_filp_open+0x192/0x260
[ 93.862496][ T9849]  do_sys_openat2+0x633/0x840
[ 93.867188][ T9849]  do_sys_open+0xfc/0x190
[ 93.871533][ T9849]  __x64_sys_openat+0x9d/0x100
[ 93.876401][ T9849]  do_syscall_64+0xfa/0x790
[ 93.881027][ T9849]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 93.886947][ T9849]
[ 93.889267][ T9849] Freed by task 9852:
[ 93.893678][ T9849]  save_stack+0x23/0x90
[ 93.897959][ T9849]  __kasan_slab_free+0x102/0x150
[ 93.902991][ T9849]  kasan_slab_free+0xe/0x10
[ 93.907517][ T9849]  kfree+0x10a/0x2c0
[ 93.911409][ T9849]  snd_timer_instance_free+0x7c/0xa0
[ 93.916886][ T9849]  snd_seq_timer_close+0x99/0xe0
[ 93.922347][ T9849]  queue_delete+0x52/0xb0
[ 93.926688][ T9849]  snd_seq_queue_delete+0x4e/0x70
[ 93.931845][ T9849]  snd_seq_ioctl_delete_queue+0x6a/0x90
[ 93.937395][ T9849]  snd_seq_kernel_client_ctl+0xf8/0x140
[ 93.943130][ T9849]  delete_seq_queue.part.0+0xb6/0x120
[ 93.948672][ T9849]  snd_seq_oss_release+0x116/0x150
[ 93.953774][ T9849]  odev_release+0x54/0x80
[ 93.958444][ T9849]  __fput+0x2ff/0x890
[ 93.962421][ T9849]  ____fput+0x16/0x20
[ 93.966396][ T9849]  task_work_run+0x145/0x1c0
[ 93.970975][ T9849]  do_exit+0xbcb/0x2f80
[ 93.975127][ T9849]  do_group_exit+0x135/0x360
[ 93.979712][ T9849]  __x64_sys_exit_group+0x44/0x50
[ 93.984746][ T9849]  do_syscall_64+0xfa/0x790
[ 93.989518][ T9849]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 93.995502][ T9849]
[ 93.997823][ T9849] The buggy address belongs to the object at ffff88809e0f5a00
[ 93.997823][ T9849]  which belongs to the cache kmalloc-256 of size 256
[ 94.011877][ T9849] The buggy address is located 0 bytes inside of
[ 94.011877][ T9849]  256-byte region [ffff88809e0f5a00, ffff88809e0f5b00)
[ 94.025157][ T9849] The buggy address belongs to the page:
[ 94.030789][ T9849] page:ffffea0002783d40 refcount:1 mapcount:0 mapping:ffff8880aa4008c0 index:0x0
[ 94.039938][ T9849] flags: 0xfffe0000000200(slab)
[ 94.044799][ T9849] raw: 00fffe0000000200 ffffea0002783948 ffffea00027872c8 ffff8880aa4008c0
[ 94.053400][ T9849] raw: 0000000000000000 ffff88809e0f5000 0000000100000008 0000000000000000
[ 94.061998][ T9849] page dumped because: kasan: bad access detected
[ 94.068532][ T9849]
[ 94.070871][ T9849] Memory state around the buggy address:
[ 94.076658][ T9849]  ffff88809e0f5900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 94.084829][ T9849]  ffff88809e0f5980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 94.092930][ T9849] >ffff88809e0f5a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 94.100985][ T9849]                    ^
[ 94.105048][ T9849]  ffff88809e0f5a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 94.113112][ T9849]  ffff88809e0f5b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 94.121341][ T9849] ==================================================================
[ 94.131137][ T9849] Disabling lock debugging due to kernel taint
[ 94.138145][ T9849] Kernel panic - not syncing: panic_on_warn set ...
[ 94.144754][ T9849] CPU: 1 PID: 9849 Comm: syz-executor911 Tainted: G B 5.5.0-rc6-next-20200116-syzkaller #0
[ 94.156537][ T9849] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 94.166710][ T9849] Call Trace:
[ 94.170000][ T9849]  dump_stack+0x197/0x210
[ 94.174344][ T9849]  panic+0x2e3/0x75c
[ 94.178251][ T9849]  ? add_taint.cold+0x16/0x16
[ 94.182926][ T9849]  ? snd_timer_resolution+0xf1/0x110
[ 94.188279][ T9849]  ? preempt_schedule+0x4b/0x60
[ 94.193193][ T9849]  ? ___preempt_schedule+0x16/0x18
[ 94.198596][ T9849]  ? trace_hardirqs_on+0x5e/0x240
[ 94.203651][ T9849]  ? snd_timer_resolution+0xf1/0x110
[ 94.209019][ T9849]  end_report+0x47/0x4f
[ 94.213173][ T9849]  ? snd_timer_resolution+0xf1/0x110
[ 94.218468][ T9849]  __kasan_report.cold+0xe/0x32
[ 94.223501][ T9849]  ? snd_timer_resolution+0xf1/0x110
[ 94.228881][ T9849]  kasan_report+0x12/0x20
[ 94.233216][ T9849]  __asan_report_load8_noabort+0x14/0x20
[ 94.238845][ T9849]  snd_timer_resolution+0xf1/0x110
[ 94.243958][ T9849]  snd_seq_info_timer_read+0x95/0x2f1
[ 94.249519][ T9849]  snd_info_seq_show+0xcb/0x120
[ 94.254456][ T9849]  seq_read+0x4ca/0x1170
[ 94.258711][ T9849]  ? seq_open_private+0x50/0x50
[ 94.263659][ T9849]  proc_reg_read+0x1f8/0x2b0
[ 94.268348][ T9849]  ? proc_reg_unlocked_ioctl+0x2a0/0x2a0
[ 94.273974][ T9849]  do_iter_read+0x4a4/0x660
[ 94.278477][ T9849]  ? dup_iter+0x260/0x260
[ 94.283611][ T9849]  vfs_readv+0xf0/0x160
[ 94.287761][ T9849]  ? compat_rw_copy_check_uvector+0x4c0/0x4c0
[ 94.294261][ T9849]  ? lock_downgrade+0x920/0x920
[ 94.299236][ T9849]  ? handle_mm_fault+0x292/0xa50
[ 94.304698][ T9849]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 94.310993][ T9849]  ? __fget_light+0x1ad/0x270
[ 94.315732][ T9849]  do_preadv+0x1c4/0x280
[ 94.320055][ T9849]  ? do_readv+0x330/0x330
[ 94.324381][ T9849]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 94.329835][ T9849]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 94.335389][ T9849]  ? do_syscall_64+0x26/0x790
[ 94.340190][ T9849]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 94.346303][ T9849]  ? do_syscall_64+0x26/0x790
[ 94.350982][ T9849]  __x64_sys_preadv+0x9a/0xf0
[ 94.355661][ T9849]  do_syscall_64+0xfa/0x790
[ 94.360157][ T9849]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 94.366145][ T9849] RIP: 0033:0x441389
[ 94.370140][ T9849] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 94.390981][ T9849] RSP: 002b:00007ffc8aa7ce38 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[ 94.399390][ T9849] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441389
[ 94.407377][ T9849] RDX: 0000000000000227 RSI: 00000000200017c0 RDI: 0000000000000004
[ 94.415339][ T9849] RBP: 00007ffc8aa7ce50 R08: 000000000000000f R09: 00000000000000c2
[ 94.423409][ T9849] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402100
[ 94.431387][ T9849] R13: 0000000000402190 R14: 0000000000000000 R15: 0000000000000000
[ 94.440824][ T9849] Kernel Offset: disabled
[ 94.445160][ T9849] Rebooting in 86400 seconds..