[ ok ] Starting enhanced syslogd: rsyslogd.
[   65.701913][   T25] audit: type=1800 audit(1575427385.858:25): pid=8831 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   65.721818][   T25] audit: type=1800 audit(1575427385.858:26): pid=8831 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   65.744975][   T25] audit: type=1800 audit(1575427385.858:27): pid=8831 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.81' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[   76.701472][ T8984] ==================================================================
[   76.709929][ T8984] BUG: KASAN: slab-out-of-bounds in linear_transfer+0x6de/0x970
[   76.717881][ T8984] Read of size 1 at addr ffff8880a3eb5540 by task syz-executor567/8984
[   76.726345][ T8984]
[   76.728758][ T8984] CPU: 0 PID: 8984 Comm: syz-executor567 Not tainted 5.4.0-syzkaller #0
[   76.737078][ T8984] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   76.747126][ T8984] Call Trace:
[   76.750622][ T8984]  dump_stack+0x197/0x210
[   76.755046][ T8984]  ? linear_transfer+0x6de/0x970
[   76.760239][ T8984]  print_address_description.constprop.0.cold+0xd4/0x30b
[   76.767413][ T8984]  ? linear_transfer+0x6de/0x970
[   76.772381][ T8984]  ? linear_transfer+0x6de/0x970
[   76.777315][ T8984]  __kasan_report.cold+0x1b/0x41
[   76.782243][ T8984]  ? linear_transfer+0x6de/0x970
[   76.787266][ T8984]  kasan_report+0x12/0x20
[   76.791581][ T8984]  check_memory_region+0x134/0x1a0
[   76.796771][ T8984]  memcpy+0x24/0x50
[   76.800567][ T8984]  linear_transfer+0x6de/0x970
[   76.805334][ T8984]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   76.811939][ T8984]  ? snd_pcm_plugin_build_copy+0x410/0x410
[   76.817840][ T8984]  ? io_capture_transfer+0x1fd/0x330
[   76.823633][ T8984]  ? rate_dst_frames+0x2e0/0x2e0
[   76.828564][ T8984]  snd_pcm_plug_read_transfer+0x197/0x2e0
[   76.834279][ T8984]  ? snd_pcm_plug_write_transfer+0x3e0/0x3e0
[   76.840943][ T8984]  ? snd_pcm_format_physical_width+0x75/0x90
[   76.846918][ T8984]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   76.852632][ T8984]  ? snd_pcm_plug_client_channels_buf+0x212/0x450
[   76.859037][ T8984]  snd_pcm_oss_read2+0x1f0/0x3f0
[   76.864046][ T8984]  ? snd_pcm_oss_read3+0x420/0x420
[   76.869146][ T8984]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   76.875369][ T8984]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   76.881647][ T8984]  snd_pcm_oss_read+0x548/0x6a0
[   76.886506][ T8984]  __vfs_read+0x8a/0x110
[   76.890918][ T8984]  ? snd_pcm_oss_read2+0x3f0/0x3f0
[   76.896038][ T8984]  vfs_read+0x1f0/0x440
[   76.900200][ T8984]  ksys_read+0x14f/0x290
[   76.904526][ T8984]  ? kernel_write+0x130/0x130
[   76.909195][ T8984]  ? do_syscall_64+0x26/0x790
[   76.913861][ T8984]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   76.919915][ T8984]  ? do_syscall_64+0x26/0x790
[   76.924760][ T8984]  __x64_sys_read+0x73/0xb0
[   76.929270][ T8984]  do_syscall_64+0xfa/0x790
[   76.933776][ T8984]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   76.939667][ T8984] RIP: 0033:0x445a99
[   76.943560][ T8984] Code: e8 dc bd 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb 11 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   76.963698][ T8984] RSP: 002b:00007f2955880ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[   76.972106][ T8984] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000445a99
[   76.980373][ T8984] RDX: 0000000000001000 RSI: 0000000020000380 RDI: 0000000000000003
[   76.988342][ T8984] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[   76.996342][ T8984] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
[   77.004306][ T8984] R13: 00007ffd9643eb4f R14: 00007f29558819c0 R15: 20c49ba5e353f7cf
[   77.012315][ T8984]
[   77.014634][ T8984] Allocated by task 8984:
[   77.019056][ T8984]  save_stack+0x23/0x90
[   77.023211][ T8984]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   77.028957][ T8984]  kasan_kmalloc+0x9/0x10
[   77.033423][ T8984]  __kmalloc_node+0x4e/0x70
[   77.037926][ T8984]  kvmalloc_node+0x68/0x100
[   77.042421][ T8984]  snd_pcm_plugin_alloc+0x585/0x770
[   77.047627][ T8984]  snd_pcm_plug_alloc+0x146/0x330
[   77.052673][ T8984]  snd_pcm_oss_change_params_locked+0x210f/0x3750
[   77.059160][ T8984]  snd_pcm_oss_change_params+0x7b/0xd0
[   77.064641][ T8984]  snd_pcm_oss_get_active_substream+0x136/0x190
[   77.071071][ T8984]  snd_pcm_oss_ioctl+0x1794/0x33a0
[   77.076168][ T8984]  do_vfs_ioctl+0x977/0x14e0
[   77.080744][ T8984]  ksys_ioctl+0xab/0xd0
[   77.084880][ T8984]  __x64_sys_ioctl+0x73/0xb0
[   77.089554][ T8984]  do_syscall_64+0xfa/0x790
[   77.094060][ T8984]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   77.100209][ T8984]
[   77.102524][ T8984] Freed by task 0:
[   77.106619][ T8984] (stack is not available)
[   77.111196][ T8984]
[   77.113533][ T8984] The buggy address belongs to the object at ffff8880a3eb5500
[   77.113533][ T8984]  which belongs to the cache kmalloc-64 of size 64
[   77.127871][ T8984] The buggy address is located 0 bytes to the right of
[   77.127871][ T8984]  64-byte region [ffff8880a3eb5500, ffff8880a3eb5540)
[   77.141672][ T8984] The buggy address belongs to the page:
[   77.147305][ T8984] page:ffffea00028fad40 refcount:1 mapcount:0 mapping:ffff8880aa400380 index:0x0
[   77.156686][ T8984] raw: 00fffe0000000200 ffffea00027da7c8 ffff8880aa401348 ffff8880aa400380
[   77.165350][ T8984] raw: 0000000000000000 ffff8880a3eb5000 0000000100000020 0000000000000000
[   77.173915][ T8984] page dumped because: kasan: bad access detected
[   77.180355][ T8984]
[   77.182752][ T8984] Memory state around the buggy address:
[   77.188522][ T8984]  ffff8880a3eb5400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   77.196677][ T8984]  ffff8880a3eb5480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   77.205197][ T8984] >ffff8880a3eb5500: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   77.213248][ T8984]                                            ^
[   77.219397][ T8984]  ffff8880a3eb5580: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   77.227462][ T8984]  ffff8880a3eb5600: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   77.235715][ T8984] ==================================================================
[   77.244146][ T8984] Disabling lock debugging due to kernel taint
[   77.251689][ T8984] Kernel panic - not syncing: panic_on_warn set ...
[   77.258306][ T8984] CPU: 0 PID: 8984 Comm: syz-executor567 Tainted: G    B   5.4.0-syzkaller #0
[   77.268265][ T8984] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   77.278573][ T8984] Call Trace:
[   77.281862][ T8984]  dump_stack+0x197/0x210
[   77.286186][ T8984]  panic+0x2e3/0x75c
[   77.290072][ T8984]  ? add_taint.cold+0x16/0x16
[   77.294882][ T8984]  ? linear_transfer+0x6de/0x970
[   77.299814][ T8984]  ? preempt_schedule+0x4b/0x60
[   77.304762][ T8984]  ? ___preempt_schedule+0x16/0x18
[   77.309876][ T8984]  ? trace_hardirqs_on+0x5e/0x240
[   77.315011][ T8984]  ? linear_transfer+0x6de/0x970
[   77.319948][ T8984]  end_report+0x47/0x4f
[   77.324098][ T8984]  ? linear_transfer+0x6de/0x970
[   77.329013][ T8984]  __kasan_report.cold+0xe/0x41
[   77.333858][ T8984]  ? linear_transfer+0x6de/0x970
[   77.339733][ T8984]  kasan_report+0x12/0x20
[   77.344047][ T8984]  check_memory_region+0x134/0x1a0
[   77.349144][ T8984]  memcpy+0x24/0x50
[   77.352967][ T8984]  linear_transfer+0x6de/0x970
[   77.357786][ T8984]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   77.364050][ T8984]  ? snd_pcm_plugin_build_copy+0x410/0x410
[   77.370026][ T8984]  ? io_capture_transfer+0x1fd/0x330
[   77.375303][ T8984]  ? rate_dst_frames+0x2e0/0x2e0
[   77.380353][ T8984]  snd_pcm_plug_read_transfer+0x197/0x2e0
[   77.386060][ T8984]  ? snd_pcm_plug_write_transfer+0x3e0/0x3e0
[   77.392022][ T8984]  ? snd_pcm_format_physical_width+0x75/0x90
[   77.398528][ T8984]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   77.404259][ T8984]  ? snd_pcm_plug_client_channels_buf+0x212/0x450
[   77.410773][ T8984]  snd_pcm_oss_read2+0x1f0/0x3f0
[   77.415700][ T8984]  ? snd_pcm_oss_read3+0x420/0x420
[   77.420799][ T8984]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   77.427024][ T8984]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   77.433426][ T8984]  snd_pcm_oss_read+0x548/0x6a0
[   77.438262][ T8984]  __vfs_read+0x8a/0x110
[   77.442558][ T8984]  ? snd_pcm_oss_read2+0x3f0/0x3f0
[   77.447792][ T8984]  vfs_read+0x1f0/0x440
[   77.451960][ T8984]  ksys_read+0x14f/0x290
[   77.456389][ T8984]  ? kernel_write+0x130/0x130
[   77.461059][ T8984]  ? do_syscall_64+0x26/0x790
[   77.465898][ T8984]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   77.472248][ T8984]  ? do_syscall_64+0x26/0x790
[   77.477014][ T8984]  __x64_sys_read+0x73/0xb0
[   77.481868][ T8984]  do_syscall_64+0xfa/0x790
[   77.486898][ T8984]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   77.492868][ T8984] RIP: 0033:0x445a99
[   77.496775][ T8984] Code: e8 dc bd 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb 11 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   77.516384][ T8984] RSP: 002b:00007f2955880ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[   77.524840][ T8984] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000445a99
[   77.532798][ T8984] RDX: 0000000000001000 RSI: 0000000020000380 RDI: 0000000000000003
[   77.540925][ T8984] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[   77.548968][ T8984] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
[   77.556922][ T8984] R13: 00007ffd9643eb4f R14: 00007f29558819c0 R15: 20c49ba5e353f7cf
[   77.567104][ T8984] Kernel Offset: disabled
[   77.571453][ T8984] Rebooting in 86400 seconds..