syzkaller login: [ 305.376154] random: crng init done
2017/08/12 13:28:43 parsed 1 programs
2017/08/12 13:28:43 executed programs: 0
2017/08/12 13:28:48 executed programs: 4852
2017/08/12 13:28:53 executed programs: 9877
2017/08/12 13:28:58 executed programs: 14961
2017/08/12 13:29:03 executed programs: 20735
2017/08/12 13:29:08 executed programs: 26352
2017/08/12 13:29:13 executed programs: 32333
2017/08/12 13:29:18 executed programs: 38007
2017/08/12 13:29:23 executed programs: 43992
2017/08/12 13:29:28 executed programs: 49636
2017/08/12 13:29:33 executed programs: 55576
2017/08/12 13:29:38 executed programs: 61548
[ 953.058180] ==================================================================
[ 953.058742] BUG: KASAN: use-after-free in snd_seq_queue_alloc+0x558/0x590
[ 953.059360] Read of size 4 at addr ffff88003a63b540 by task syz-executor0/4566
[ 953.059848]
[ 953.059962] CPU: 1 PID: 4566 Comm: syz-executor0 Not tainted 4.13.0-rc4-next-20170811 #1
[ 953.060488] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 953.061043] Call Trace:
[ 953.061227]  dump_stack+0x194/0x257
[ 953.061483]  ? arch_local_irq_restore+0x53/0x53
[ 953.061799]  ? show_regs_print_info+0x65/0x65
[ 953.062110]  ? retint_kernel+0x10/0x10
[ 953.062376]  ? snd_seq_queue_alloc+0x558/0x590
[ 953.062690]  print_address_description+0x7f/0x260
[ 953.063020]  ? snd_seq_queue_alloc+0x558/0x590
[ 953.063329]  kasan_report+0x24e/0x340
[ 953.063590]  __asan_report_load4_noabort+0x14/0x20
[ 953.063922]  snd_seq_queue_alloc+0x558/0x590
[ 953.064219]  ? snd_seq_queue_get_cur_queues+0x20/0x20
[ 953.064578]  ? __might_sleep+0x95/0x190
[ 953.064862]  snd_seq_ioctl_create_queue+0xad/0x310
[ 953.065193]  ? snd_seq_ioctl_delete_queue+0x90/0x90
[ 953.065538]  snd_seq_ioctl+0x204/0x400
[ 953.065806]  ? snd_seq_open+0x570/0x570
[ 953.066096]  ? snd_seq_open+0x570/0x570
[ 953.066364]  do_vfs_ioctl+0x1b1/0x1520
[ 953.066623]  ? _cond_resched+0x14/0x30
[ 953.066889]  ? ioctl_preallocate+0x2b0/0x2b0
[ 953.067199]  ? selinux_capable+0x40/0x40
[ 953.067566]  ? SyS_futex+0x285/0x380
[ 953.067887]  ? SyS_futex+0x28e/0x380
[ 953.068219]  ? security_file_ioctl+0x7d/0xb0
[ 953.068598]  ? security_file_ioctl+0x89/0xb0
[ 953.068979]  SyS_ioctl+0x8f/0xc0
[ 953.069275]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 953.069687] RIP: 0033:0x446739
[ 953.069967] RSP: 002b:00007f61cecfac08 EFLAGS: 00000282 ORIG_RAX: 0000000000000010
[ 953.070630] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000446739
[ 953.071249] RDX: 0000000020045000 RSI: 00000000c08c5332 RDI: 0000000000000004
[ 953.071865] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 953.072482] R10: 0000000000000000 R11: 0000000000000282 R12: 00000000ffffffff
[ 953.073424] R13: 0000000000002690 R14: 00000000006e4750 R15: 00000000408c5333
[ 953.073944]
[ 953.074070] Allocated by task 4566:
[ 953.074314]  save_stack_trace+0x16/0x20
[ 953.074577]  save_stack+0x43/0xd0
[ 953.074805]  kasan_kmalloc+0xaa/0xd0
[ 953.075060]  kmem_cache_alloc_trace+0x108/0x700
[ 953.075371]  snd_seq_queue_alloc+0xa5/0x590
[ 953.075653]  snd_seq_ioctl_create_queue+0xad/0x310
[ 953.075974]  snd_seq_ioctl+0x204/0x400
[ 953.076237]  do_vfs_ioctl+0x1b1/0x1520
[ 953.076492]  SyS_ioctl+0x8f/0xc0
[ 953.076713]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 953.077033]
[ 953.077142] Freed by task 4592:
[ 953.077357]  save_stack_trace+0x16/0x20
[ 953.077617]  save_stack+0x43/0xd0
[ 953.077843]  kasan_slab_free+0x6e/0xc0
[ 953.078110]  kfree+0xd3/0x260
[ 953.078316]  queue_delete+0x90/0xb0
[ 953.078555]  snd_seq_queue_delete+0x3c/0x50
[ 953.078838]  snd_seq_ioctl_delete_queue+0x6a/0x90
[ 953.079215]  snd_seq_ioctl+0x204/0x400
[ 953.079470]  do_vfs_ioctl+0x1b1/0x1520
[ 953.079723]  SyS_ioctl+0x8f/0xc0
[ 953.079944]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 953.080262]
[ 953.080370] The buggy address belongs to the object at ffff88003a63b540
[ 953.080370]  which belongs to the cache kmalloc-512 of size 512
[ 953.081199] The buggy address is located 0 bytes inside of
[ 953.081199]  512-byte region [ffff88003a63b540, ffff88003a63b740)
[ 953.081971] The buggy address belongs to the page:
[ 953.082314] page:ffffea0000cc5ce8 count:1 mapcount:0 mapping:ffff88003a63b040 index:0x0
[ 953.082867] flags: 0x100000000000100(slab)
[ 953.083158] raw: 0100000000000100 ffff88003a63b040 0000000000000000 0000000100000006
[ 953.083675] raw: ffffea0000d8caf8 ffffea0000d85430 ffff88003e800600
[ 953.084103] page dumped because: kasan: bad access detected
[ 953.084476]
[ 953.084583] Memory state around the buggy address:
[ 953.084920]  ffff88003a63b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 953.085407]  ffff88003a63b480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 953.085887] >ffff88003a63b500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 953.086472]                                            ^
[ 953.086893]  ffff88003a63b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 953.087441]  ffff88003a63b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 953.087917] ==================================================================
[ 953.088442] Disabling lock debugging due to kernel taint
[ 953.088862] Kernel panic - not syncing: panic_on_warn set ...
[ 953.088862]
[ 953.089588] CPU: 1 PID: 4566 Comm: syz-executor0 Tainted: G B 4.13.0-rc4-next-20170811 #1
[ 953.090518] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 953.091163] Call Trace:
[ 953.091330]  dump_stack+0x194/0x257
[ 953.091590]  ? arch_local_irq_restore+0x53/0x53
[ 953.091895]  ? kasan_end_report+0x32/0x50
[ 953.092195]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 953.092496]  ? snd_seq_queue_alloc+0x540/0x590
[ 953.092785]  panic+0x1e4/0x417
[ 953.093000]  ? __warn+0x1d9/0x1d9
[ 953.093280]  ? snd_seq_queue_alloc+0x558/0x590
[ 953.093573]  kasan_end_report+0x50/0x50
[ 953.093856]  kasan_report+0x137/0x340
[ 953.094727]  __asan_report_load4_noabort+0x14/0x20
[ 953.095092]  snd_seq_queue_alloc+0x558/0x590
[ 953.095369]  ? snd_seq_queue_get_cur_queues+0x20/0x20
[ 953.095713]  ? __might_sleep+0x95/0x190
[ 953.095978]  snd_seq_ioctl_create_queue+0xad/0x310
[ 953.096337]  ? snd_seq_ioctl_delete_queue+0x90/0x90
[ 953.096653]  snd_seq_ioctl+0x204/0x400
[ 953.096934]  ? snd_seq_open+0x570/0x570
[ 953.097256]  ? snd_seq_open+0x570/0x570
[ 953.097506]  do_vfs_ioctl+0x1b1/0x1520
[ 953.097749]  ? _cond_resched+0x14/0x30
[ 953.098012]  ? ioctl_preallocate+0x2b0/0x2b0
[ 953.098347]  ? selinux_capable+0x40/0x40
[ 953.098604]  ? SyS_futex+0x285/0x380
[ 953.098913]  ? SyS_futex+0x28e/0x380
[ 953.099190]  ? security_file_ioctl+0x7d/0xb0
[ 953.099482]  ? security_file_ioctl+0x89/0xb0
[ 953.099765]  SyS_ioctl+0x8f/0xc0
[ 953.099982]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 953.100336] RIP: 0033:0x446739
[ 953.100552] RSP: 002b:00007f61cecfac08 EFLAGS: 00000282 ORIG_RAX: 0000000000000010
[ 953.101076] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000446739
[ 953.101548] RDX: 0000000020045000 RSI: 00000000c08c5332 RDI: 0000000000000004
[ 953.102028] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 953.102523] R10: 0000000000000000 R11: 0000000000000282 R12: 00000000ffffffff
[ 953.102988] R13: 0000000000002690 R14: 00000000006e4750 R15: 00000000408c5333
[ 953.103601] Dumping ftrace buffer:
[ 953.103851]    (ftrace buffer empty)
[ 953.104093] Kernel Offset: disabled
[ 953.104331] Rebooting in 86400 seconds..