[ ok ] Starting enhanced syslogd: rsyslogd.
[ 57.732706][ T26] audit: type=1800 audit(1573489239.385:25): pid=8723 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 57.759561][ T26] audit: type=1800 audit(1573489239.385:26): pid=8723 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 57.827941][ T26] audit: type=1800 audit(1573489239.385:27): pid=8723 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.57' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login:
[ 81.612461][ T8878] ==================================================================
[ 81.620920][ T8878] BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0
[ 81.628110][ T8878] Read of size 8 at addr ffff88809fddac78 by task syz-executor552/8878
[ 81.636333][ T8878]
[ 81.638658][ T8878] CPU: 1 PID: 8878 Comm: syz-executor552 Not tainted 5.4.0-rc6-next-20191111 #0
[ 81.647664][ T8878] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 81.657752][ T8878] Call Trace:
[ 81.661029][ T8878] dump_stack+0x197/0x210
[ 81.665469][ T8878] ? __list_add_valid+0x9a/0xa0
[ 81.670311][ T8878] print_address_description.constprop.0.cold+0xd4/0x30b
[ 81.677317][ T8878] ? __list_add_valid+0x9a/0xa0
[ 81.682158][ T8878] ? __list_add_valid+0x9a/0xa0
[ 81.687039][ T8878] __kasan_report.cold+0x1b/0x41
[ 81.691980][ T8878] ? __list_add_valid+0x9a/0xa0
[ 81.696917][ T8878] kasan_report+0x12/0x20
[ 81.701231][ T8878] __asan_report_load8_noabort+0x14/0x20
[ 81.706860][ T8878] __list_add_valid+0x9a/0xa0
[ 81.711518][ T8878] snd_timer_open+0x245/0x1150
[ 81.716265][ T8878] ? kmem_cache_alloc_trace+0x397/0x790
[ 81.721817][ T8878] ? snd_timer_close_locked+0xbd0/0xbd0
[ 81.727356][ T8878] ? kstrdup+0x5a/0x70
[ 81.731406][ T8878] __snd_timer_user_ioctl.isra.0+0x7ed/0x2070
[ 81.737455][ T8878] ? snd_timer_user_open+0x190/0x190
[ 81.742718][ T8878] ? lock_acquire+0x190/0x410
[ 81.747387][ T8878] ? snd_timer_user_ioctl+0x51/0xa7
[ 81.752568][ T8878] ? __mutex_lock+0x458/0x13c0
[ 81.757312][ T8878] ? snd_timer_user_ioctl+0x51/0xa7
[ 81.762515][ T8878] ? tomoyo_path_number_perm+0x454/0x520
[ 81.768176][ T8878] ? mutex_trylock+0x2f0/0x2f0
[ 81.772929][ T8878] ? tomoyo_path_number_perm+0x25e/0x520
[ 81.778549][ T8878] ? tomoyo_execute_permission+0x4a0/0x4a0
[ 81.784364][ T8878] snd_timer_user_ioctl+0x7a/0xa7
[ 81.789910][ T8878] ? snd_timer_user_ioctl_compat+0x680/0x680
[ 81.795875][ T8878] do_vfs_ioctl+0x977/0x14e0
[ 81.800445][ T8878] ? compat_ioctl_preallocate+0x220/0x220
[ 81.806146][ T8878] ? __kasan_check_write+0x14/0x20
[ 81.811291][ T8878] ? up_read+0x1cd/0x810
[ 81.815516][ T8878] ? tomoyo_file_ioctl+0x23/0x30
[ 81.820445][ T8878] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 81.826677][ T8878] ? security_file_ioctl+0x8d/0xc0
[ 81.831883][ T8878] ksys_ioctl+0xab/0xd0
[ 81.836043][ T8878] __x64_sys_ioctl+0x73/0xb0
[ 81.840623][ T8878] do_syscall_64+0xfa/0x760
[ 81.845141][ T8878] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 81.851020][ T8878] RIP: 0033:0x444f39
[ 81.854903][ T8878] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb cd fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 81.874497][ T8878] RSP: 002b:00007ffdea23b2b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 81.882889][ T8878] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f39
[ 81.890839][ T8878] RDX: 0000000020029fcc RSI: 0000000040345410 RDI: 0000000000000003
[ 81.898790][ T8878] RBP: 0000000000013ea8 R08: 0000000000000004 R09: 00000000004002e0
[ 81.906739][ T8878] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000402180
[ 81.914688][ T8878] R13: 0000000000402210 R14: 0000000000000000 R15: 0000000000000000
[ 81.922655][ T8878]
[ 81.925057][ T8878] Allocated by task 8877:
[ 81.929371][ T8878] save_stack+0x23/0x90
[ 81.933631][ T8878] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 81.939248][ T8878] kasan_kmalloc+0x9/0x10
[ 81.943615][ T8878] kmem_cache_alloc_trace+0x158/0x790
[ 81.948983][ T8878] snd_timer_instance_new+0x4a/0x300
[ 81.954277][ T8878] __snd_timer_user_ioctl.isra.0+0x665/0x2070
[ 81.960334][ T8878] snd_timer_user_ioctl+0x7a/0xa7
[ 81.965345][ T8878] do_vfs_ioctl+0x977/0x14e0
[ 81.969919][ T8878] ksys_ioctl+0xab/0xd0
[ 81.974050][ T8878] __x64_sys_ioctl+0x73/0xb0
[ 81.978627][ T8878] do_syscall_64+0xfa/0x760
[ 81.983109][ T8878] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 81.988970][ T8878]
[ 81.991275][ T8878] Freed by task 8877:
[ 81.995232][ T8878] save_stack+0x23/0x90
[ 81.999371][ T8878] __kasan_slab_free+0x102/0x150
[ 82.004294][ T8878] kasan_slab_free+0xe/0x10
[ 82.008775][ T8878] kfree+0x10a/0x2c0
[ 82.012658][ T8878] snd_timer_instance_free+0x7c/0xa0
[ 82.017921][ T8878] __snd_timer_user_ioctl.isra.0+0x160d/0x2070
[ 82.024051][ T8878] snd_timer_user_ioctl+0x7a/0xa7
[ 82.029058][ T8878] do_vfs_ioctl+0x977/0x14e0
[ 82.033631][ T8878] ksys_ioctl+0xab/0xd0
[ 82.037763][ T8878] __x64_sys_ioctl+0x73/0xb0
[ 82.042342][ T8878] do_syscall_64+0xfa/0x760
[ 82.046821][ T8878] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 82.052681][ T8878]
[ 82.054989][ T8878] The buggy address belongs to the object at ffff88809fddac00
[ 82.054989][ T8878]  which belongs to the cache kmalloc-256 of size 256
[ 82.070236][ T8878] The buggy address is located 120 bytes inside of
[ 82.070236][ T8878]  256-byte region [ffff88809fddac00, ffff88809fddad00)
[ 82.083655][ T8878] The buggy address belongs to the page:
[ 82.089385][ T8878] page:ffffea00027f7680 refcount:1 mapcount:0 mapping:ffff8880aa4008c0 index:0xffff88809fddae00
[ 82.099784][ T8878] flags: 0x1fffc0000000200(slab)
[ 82.104712][ T8878] raw: 01fffc0000000200 ffffea00027f79c8 ffff8880aa401638 ffff8880aa4008c0
[ 82.113284][ T8878] raw: ffff88809fddae00 ffff88809fdda000 0000000100000007 0000000000000000
[ 82.122362][ T8878] page dumped because: kasan: bad access detected
[ 82.128747][ T8878]
[ 82.131056][ T8878] Memory state around the buggy address:
[ 82.136665][ T8878]  ffff88809fddab00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 82.144701][ T8878]  ffff88809fddab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 82.152749][ T8878] >ffff88809fddac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 82.160796][ T8878]                                                                 ^
[ 82.172605][ T8878]  ffff88809fddac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 82.180653][ T8878]  ffff88809fddad00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 82.188700][ T8878] ==================================================================
[ 82.196749][ T8878] Disabling lock debugging due to kernel taint
[ 82.203067][ T8878] Kernel panic - not syncing: panic_on_warn set ...
[ 82.209663][ T8878] CPU: 1 PID: 8878 Comm: syz-executor552 Tainted: G B 5.4.0-rc6-next-20191111 #0
[ 82.221444][ T8878] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 82.231524][ T8878] Call Trace:
[ 82.234813][ T8878] dump_stack+0x197/0x210
[ 82.239124][ T8878] panic+0x2e3/0x75c
[ 82.243059][ T8878] ? add_taint.cold+0x16/0x16
[ 82.247761][ T8878] ? __list_add_valid+0x9a/0xa0
[ 82.252590][ T8878] ? preempt_schedule+0x4b/0x60
[ 82.257417][ T8878] ? ___preempt_schedule+0x16/0x18
[ 82.262519][ T8878] ? trace_hardirqs_on+0x5e/0x240
[ 82.267519][ T8878] ? __list_add_valid+0x9a/0xa0
[ 82.272386][ T8878] end_report+0x47/0x4f
[ 82.276537][ T8878] ? __list_add_valid+0x9a/0xa0
[ 82.281362][ T8878] __kasan_report.cold+0xe/0x41
[ 82.286233][ T8878] ? __list_add_valid+0x9a/0xa0
[ 82.291059][ T8878] kasan_report+0x12/0x20
[ 82.295378][ T8878] __asan_report_load8_noabort+0x14/0x20
[ 82.301000][ T8878] __list_add_valid+0x9a/0xa0
[ 82.305660][ T8878] snd_timer_open+0x245/0x1150
[ 82.310415][ T8878] ? kmem_cache_alloc_trace+0x397/0x790
[ 82.315946][ T8878] ? snd_timer_close_locked+0xbd0/0xbd0
[ 82.321473][ T8878] ? kstrdup+0x5a/0x70
[ 82.325524][ T8878] __snd_timer_user_ioctl.isra.0+0x7ed/0x2070
[ 82.331569][ T8878] ? snd_timer_user_open+0x190/0x190
[ 82.336829][ T8878] ? lock_acquire+0x190/0x410
[ 82.341500][ T8878] ? snd_timer_user_ioctl+0x51/0xa7
[ 82.346687][ T8878] ? __mutex_lock+0x458/0x13c0
[ 82.351430][ T8878] ? snd_timer_user_ioctl+0x51/0xa7
[ 82.356602][ T8878] ? tomoyo_path_number_perm+0x454/0x520
[ 82.362208][ T8878] ? mutex_trylock+0x2f0/0x2f0
[ 82.366945][ T8878] ? tomoyo_path_number_perm+0x25e/0x520
[ 82.372553][ T8878] ? tomoyo_execute_permission+0x4a0/0x4a0
[ 82.378347][ T8878] snd_timer_user_ioctl+0x7a/0xa7
[ 82.383697][ T8878] ? snd_timer_user_ioctl_compat+0x680/0x680
[ 82.393037][ T8878] do_vfs_ioctl+0x977/0x14e0
[ 82.397605][ T8878] ? compat_ioctl_preallocate+0x220/0x220
[ 82.403299][ T8878] ? __kasan_check_write+0x14/0x20
[ 82.408397][ T8878] ? up_read+0x1cd/0x810
[ 82.412616][ T8878] ? tomoyo_file_ioctl+0x23/0x30
[ 82.418397][ T8878] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 82.424612][ T8878] ? security_file_ioctl+0x8d/0xc0
[ 82.429701][ T8878] ksys_ioctl+0xab/0xd0
[ 82.433834][ T8878] __x64_sys_ioctl+0x73/0xb0
[ 82.438399][ T8878] do_syscall_64+0xfa/0x760
[ 82.442879][ T8878] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 82.448743][ T8878] RIP: 0033:0x444f39
[ 82.452627][ T8878] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb cd fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 82.472210][ T8878] RSP: 002b:00007ffdea23b2b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 82.480599][ T8878] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f39
[ 82.488547][ T8878] RDX: 0000000020029fcc RSI: 0000000040345410 RDI: 0000000000000003
[ 82.496498][ T8878] RBP: 0000000000013ea8 R08: 0000000000000004 R09: 00000000004002e0
[ 82.504457][ T8878] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000402180
[ 82.512415][ T8878] R13: 0000000000402210 R14: 0000000000000000 R15: 0000000000000000
[ 82.521716][ T8878] Kernel Offset: disabled
[ 82.526079][ T8878] Rebooting in 86400 seconds..