[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.121' (ECDSA) to the list of known hosts.
2020/07/30 12:39:26 parsed 1 programs
2020/07/30 12:39:26 executed programs: 0
syzkaller login: [ 33.628198] audit: type=1400 audit(1596112766.187:8): avc: denied { execmem } for pid=6371 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 33.889475] IPVS: ftp: loaded support on port[0] = 21
[ 34.734033] chnl_net:caif_netlink_parms(): no params data found
[ 34.810844] bridge0: port 1(bridge_slave_0) entered blocking state
[ 34.817383] bridge0: port 1(bridge_slave_0) entered disabled state
[ 34.825620] device bridge_slave_0 entered promiscuous mode
[ 34.833329] bridge0: port 2(bridge_slave_1) entered blocking state
[ 34.839903] bridge0: port 2(bridge_slave_1) entered disabled state
[ 34.846762] device bridge_slave_1 entered promiscuous mode
[ 34.863714] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 34.872584] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 34.891527] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 34.898782] team0: Port device team_slave_0 added
[ 34.904242] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 34.912030] team0: Port device team_slave_1 added
[ 34.926469] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 34.932831] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 34.958314] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 34.970059] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 34.976287] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 35.001629] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 35.012276] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 35.019937] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 35.080199] device hsr_slave_0 entered promiscuous mode
[ 35.137996] device hsr_slave_1 entered promiscuous mode
[ 35.178640] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 35.185865] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 35.248412] bridge0: port 2(bridge_slave_1) entered blocking state
[ 35.254836] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 35.261966] bridge0: port 1(bridge_slave_0) entered blocking state
[ 35.268392] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 35.298296] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 35.304366] 8021q: adding VLAN 0 to HW filter on device bond0
[ 35.313761] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 35.323160] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 35.341790] bridge0: port 1(bridge_slave_0) entered disabled state
[ 35.349351] bridge0: port 2(bridge_slave_1) entered disabled state
[ 35.359100] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 35.365167] 8021q: adding VLAN 0 to HW filter on device team0
[ 35.375085] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 35.383290] bridge0: port 1(bridge_slave_0) entered blocking state
[ 35.389682] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 35.400400] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 35.408056] bridge0: port 2(bridge_slave_1) entered blocking state
[ 35.414416] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 35.429051] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 35.443299] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 35.453605] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 35.464896] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 35.472002] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 35.479469] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 35.486974] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 35.495235] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 35.503243] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 35.514571] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 35.523514] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 35.530825] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 35.541271] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 35.593744] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 35.603758] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 35.633075] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 35.640862] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 35.647644] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 35.656560] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 35.664926] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 35.672517] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 35.681894] device veth0_vlan entered promiscuous mode
[ 35.691010] device veth1_vlan entered promiscuous mode
[ 35.696867] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 35.706649] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 35.719394] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 35.726336] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 35.733620] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 35.741486] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 35.751272] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 35.758209] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 35.765777] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 35.775123] device veth0_macvtap entered promiscuous mode
[ 35.781876] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 35.790060] device veth1_macvtap entered promiscuous mode
[ 35.796116] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 35.805678] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 35.815135] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 35.824424] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 35.832369] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 35.839404] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 35.846524] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 35.854349] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 35.862348] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 35.873670] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 35.880706] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 35.887348] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 35.895050] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2020/07/30 12:39:31 executed programs: 31
[ 39.085835] Bluetooth: hci0 command 0x0409 tx timeout
[ 41.164497] Bluetooth: hci0 command 0x041b tx timeout
[ 41.694567] ==================================================================
[ 41.702059] BUG: KASAN: use-after-free in delete_and_unsubscribe_port+0x3c7/0x4a0
[ 41.709676] Read of size 8 at addr ffff88809ba7bae0 by task syz-executor.0/7545
[ 41.717094]
[ 41.718704] CPU: 0 PID: 7545 Comm: syz-executor.0 Not tainted 4.14.190-syzkaller #0
[ 41.726470] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.735818] Call Trace:
[ 41.738388] dump_stack+0x1b2/0x283
[ 41.741998] print_address_description.cold+0x54/0x1d3
[ 41.747257] kasan_report_error.cold+0x8a/0x194
[ 41.751904] ? delete_and_unsubscribe_port+0x3c7/0x4a0
[ 41.757167] __asan_report_load8_noabort+0x68/0x70
[ 41.762078] ? delete_and_unsubscribe_port+0x3c7/0x4a0
[ 41.767330] delete_and_unsubscribe_port+0x3c7/0x4a0
[ 41.772412] snd_seq_port_disconnect+0x3e9/0x500
[ 41.777158] ? check_subscription_permission.isra.0+0x112/0x1e0
[ 41.783217] snd_seq_ioctl_unsubscribe_port+0x1d4/0x370
[ 41.788565] ? snd_seq_ioctl_running_mode+0x140/0x140
[ 41.793748] ? lock_acquire+0x170/0x3f0
[ 41.797716] ? lock_downgrade+0x740/0x740
[ 41.801844] ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 41.806936] snd_seq_kernel_client_ctl+0xcb/0x110
[ 41.811763] snd_seq_oss_midi_close+0x29c/0x400
[ 41.816413] ? snd_seq_oss_midi_open_all+0xc0/0xc0
[ 41.821333] ? snd_seq_oss_midi_reset+0xb9/0x400
[ 41.826067] snd_seq_oss_synth_reset+0x39d/0x830
[ 41.830807] ? snd_seq_oss_synth_cleanup+0x460/0x460
[ 41.835898] ? __lock_acquire+0x5fc/0x3f20
[ 41.840120] ? trace_hardirqs_on+0x10/0x10
[ 41.844337] snd_seq_oss_reset+0x64/0x250
[ 41.848479] snd_seq_oss_ioctl+0x9a5/0xc30
[ 41.852700] ? snd_seq_oss_midi_info_user+0xf0/0xf0
[ 41.857721] odev_ioctl+0x4f/0x90
[ 41.861151] ? odev_open+0x80/0x80
[ 41.864672] do_vfs_ioctl+0x75a/0xff0
[ 41.868448] ? selinux_inode_setxattr+0x730/0x730
[ 41.873278] ? ioctl_preallocate+0x1a0/0x1a0
[ 41.877675] ? lock_downgrade+0x740/0x740
[ 41.881803] ? __fget+0x225/0x360
[ 41.885250] ? security_file_ioctl+0x83/0xb0
[ 41.889649] SyS_ioctl+0x7f/0xb0
[ 41.892995] ? do_vfs_ioctl+0xff0/0xff0
[ 41.896959] do_syscall_64+0x1d5/0x640
[ 41.900826] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 41.906005] RIP: 0033:0x45cc79
[ 41.909169] RSP: 002b:00007f4936687c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 41.916851] RAX: ffffffffffffffda RBX: 00000000000154c0 RCX: 000000000045cc79
[ 41.924097] RDX: 0000000000000000 RSI: 0000000000005100 RDI: 0000000000000003
[ 41.931351] RBP: 000000000078c078 R08: 0000000000000000 R09: 0000000000000000
[ 41.938615] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078c04c
[ 41.945870] R13: 00007ffe5e5e566f R14: 00007f49366889c0 R15: 000000000078c04c
[ 41.953131]
[ 41.954735] Allocated by task 7543:
[ 41.958344] kasan_kmalloc+0xeb/0x160
[ 41.962138] kmem_cache_alloc_trace+0x131/0x3d0
[ 41.966783] snd_seq_port_connect+0x5d/0x4d0
[ 41.971283] snd_seq_ioctl_subscribe_port+0x1d4/0x370
[ 41.976464] snd_seq_kernel_client_ctl+0xcb/0x110
[ 41.981291] snd_seq_oss_midi_open+0x485/0x590
[ 41.985850] snd_seq_oss_synth_setup_midi+0x104/0x4d0
[ 41.991017] snd_seq_oss_open+0x7a0/0x920
[ 41.995138] odev_open+0x62/0x80
[ 41.998477] soundcore_open+0x3ee/0x5a0
[ 42.002423] chrdev_open+0x23c/0x6d0
[ 42.006112] do_dentry_open+0x44b/0xec0
[ 42.010060] vfs_open+0x105/0x220
[ 42.013486] path_openat+0x628/0x2970
[ 42.017262] do_filp_open+0x179/0x3c0
[ 42.021052] do_sys_open+0x296/0x410
[ 42.024758] do_syscall_64+0x1d5/0x640
[ 42.028633] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 42.033882]
[ 42.035497] Freed by task 7544:
[ 42.038770] kasan_slab_free+0xc3/0x1a0
[ 42.042728] kfree+0xc9/0x250
[ 42.045818] snd_seq_port_disconnect+0x3f1/0x500
[ 42.050545] snd_seq_ioctl_unsubscribe_port+0x1d4/0x370
[ 42.055890] snd_seq_kernel_client_ctl+0xcb/0x110
[ 42.060738] snd_seq_oss_midi_close+0x29c/0x400
[ 42.065390] snd_seq_oss_synth_reset+0x39d/0x830
[ 42.070137] snd_seq_oss_reset+0x64/0x250
[ 42.074279] snd_seq_oss_ioctl+0x9a5/0xc30
[ 42.078506] odev_ioctl+0x4f/0x90
[ 42.081954] do_vfs_ioctl+0x75a/0xff0
[ 42.085754] SyS_ioctl+0x7f/0xb0
[ 42.089551] do_syscall_64+0x1d5/0x640
[ 42.093436] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 42.098608]
[ 42.100209] The buggy address belongs to the object at ffff88809ba7ba80
[ 42.100209] which belongs to the cache kmalloc-128 of size 128
[ 42.112855] The buggy address is located 96 bytes inside of
[ 42.112855] 128-byte region [ffff88809ba7ba80, ffff88809ba7bb00)
[ 42.124665] The buggy address belongs to the page:
[ 42.129582] page:ffffea00026e9ec0 count:1 mapcount:0 mapping:ffff88809ba7b000 index:0x0
[ 42.137701] flags: 0xfffe0000000100(slab)
[ 42.141831] raw: 00fffe0000000100 ffff88809ba7b000 0000000000000000 0000000100000015
[ 42.149694] raw: ffffea00026d52e0 ffff88812fe50548 ffff88812fe52640 0000000000000000
[ 42.157558] page dumped because: kasan: bad access detected
[ 42.163250]
[ 42.164853] Memory state around the buggy address:
[ 42.169760] ffff88809ba7b980: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 42.177095] ffff88809ba7ba00: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 42.184447] >ffff88809ba7ba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.191780] ^
[ 42.198248] ffff88809ba7bb00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 42.205593] ffff88809ba7bb80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 42.212924] ==================================================================
[ 42.220255] Disabling lock debugging due to kernel taint
[ 42.225677] Kernel panic - not syncing: panic_on_warn set ...
[ 42.225677]
[ 42.233012] CPU: 0 PID: 7545 Comm: syz-executor.0 Tainted: G B 4.14.190-syzkaller #0
[ 42.242003] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.251342] Call Trace:
[ 42.253926] dump_stack+0x1b2/0x283
[ 42.257604] panic+0x1f9/0x42d
[ 42.260775] ? add_taint.cold+0x16/0x16
[ 42.264729] ? lock_downgrade+0x740/0x740
[ 42.268870] kasan_end_report+0x43/0x49
[ 42.272828] kasan_report_error.cold+0xa7/0x194
[ 42.277504] ? delete_and_unsubscribe_port+0x3c7/0x4a0
[ 42.282776] __asan_report_load8_noabort+0x68/0x70
[ 42.287683] ? delete_and_unsubscribe_port+0x3c7/0x4a0
[ 42.292944] delete_and_unsubscribe_port+0x3c7/0x4a0
[ 42.298039] snd_seq_port_disconnect+0x3e9/0x500
[ 42.302785] ? check_subscription_permission.isra.0+0x112/0x1e0
[ 42.308820] snd_seq_ioctl_unsubscribe_port+0x1d4/0x370
[ 42.314169] ? snd_seq_ioctl_running_mode+0x140/0x140
[ 42.319349] ? lock_acquire+0x170/0x3f0
[ 42.323302] ? lock_downgrade+0x740/0x740
[ 42.327423] ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 42.332516] snd_seq_kernel_client_ctl+0xcb/0x110
[ 42.337353] snd_seq_oss_midi_close+0x29c/0x400
[ 42.342022] ? snd_seq_oss_midi_open_all+0xc0/0xc0
[ 42.347041] ? snd_seq_oss_midi_reset+0xb9/0x400
[ 42.351781] snd_seq_oss_synth_reset+0x39d/0x830
[ 42.356533] ? snd_seq_oss_synth_cleanup+0x460/0x460
[ 42.361622] ? __lock_acquire+0x5fc/0x3f20
[ 42.365832] ? trace_hardirqs_on+0x10/0x10
[ 42.370074] snd_seq_oss_reset+0x64/0x250
[ 42.374214] snd_seq_oss_ioctl+0x9a5/0xc30
[ 42.378433] ? snd_seq_oss_midi_info_user+0xf0/0xf0
[ 42.383437] odev_ioctl+0x4f/0x90
[ 42.386875] ? odev_open+0x80/0x80
[ 42.390390] do_vfs_ioctl+0x75a/0xff0
[ 42.394180] ? selinux_inode_setxattr+0x730/0x730
[ 42.398996] ? ioctl_preallocate+0x1a0/0x1a0
[ 42.403391] ? lock_downgrade+0x740/0x740
[ 42.407526] ? __fget+0x225/0x360
[ 42.410984] ? security_file_ioctl+0x83/0xb0
[ 42.415381] SyS_ioctl+0x7f/0xb0
[ 42.418737] ? do_vfs_ioctl+0xff0/0xff0
[ 42.422697] do_syscall_64+0x1d5/0x640
[ 42.426585] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 42.431849] RIP: 0033:0x45cc79
[ 42.435012] RSP: 002b:00007f4936687c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 42.442712] RAX: ffffffffffffffda RBX: 00000000000154c0 RCX: 000000000045cc79
[ 42.449973] RDX: 0000000000000000 RSI: 0000000000005100 RDI: 0000000000000003
[ 42.457232] RBP: 000000000078c078 R08: 0000000000000000 R09: 0000000000000000
[ 42.464478] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078c04c
[ 42.471737] R13: 00007ffe5e5e566f R14: 00007f49366889c0 R15: 000000000078c04c
[ 42.479912] Kernel Offset: disabled
[ 42.483522] Rebooting in 86400 seconds..