[ 32.646388] audit: type=1800 audit(1579649598.302:33): pid=7149 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 32.668513] audit: type=1800 audit(1579649598.302:34): pid=7149 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 36.518474] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.987737] audit: type=1400 audit(1579649602.642:35): avc: denied { map } for pid=7324 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.044220] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.782929] random: sshd: uninitialized urandom read (32 bytes read)
[ 52.169404] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.45' (ECDSA) to the list of known hosts.
[ 57.792306] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 57.916004] audit: type=1400 audit(1579649623.572:36): avc: denied { map } for pid=7336 comm="syz-executor232" path="/root/syz-executor232983573" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 58.101543] ==================================================================
[ 58.109643] BUG: KASAN: use-after-free in snd_timer_resolution+0xd8/0xf0
[ 58.116864] Read of size 8 at addr ffff88809890b580 by task syz-executor232/7363
[ 58.125111]
[ 58.126776] CPU: 1 PID: 7363 Comm: syz-executor232 Not tainted 4.14.166-syzkaller #0
[ 58.135960] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.145997] Call Trace:
[ 58.150214]  dump_stack+0x142/0x197
[ 58.154210]  ? snd_timer_resolution+0xd8/0xf0
[ 58.159340]  print_address_description.cold+0x7c/0x1dc
[ 58.165329]  ? snd_timer_resolution+0xd8/0xf0
[ 58.170339]  kasan_report.cold+0xa9/0x2af
[ 58.175566]  __asan_report_load8_noabort+0x14/0x20
[ 58.180801]  snd_timer_resolution+0xd8/0xf0
[ 58.185323]  snd_seq_info_timer_read+0x96/0x2be
[ 58.189995]  snd_info_seq_show+0xcb/0x120
[ 58.194211]  seq_read+0x51a/0x1280
[ 58.197851]  ? seq_lseek+0x3c0/0x3c0
[ 58.201762]  ? avc_policy_seqno+0x9/0x20
[ 58.206030]  ? selinux_file_permission+0x85/0x480
[ 58.211280]  ? iov_iter_advance+0x218/0xc60
[ 58.216023]  proc_reg_read+0xfa/0x170
[ 58.220341]  ? seq_lseek+0x3c0/0x3c0
[ 58.224424]  do_iter_read+0x3e2/0x5b0
[ 58.228236]  vfs_readv+0xd3/0x130
[ 58.231997]  ? compat_rw_copy_check_uvector+0x310/0x310
[ 58.237538]  ? save_trace+0x290/0x290
[ 58.241517]  ? __do_page_fault+0x4e9/0xb80
[ 58.245844]  ? find_held_lock+0x35/0x130
[ 58.250304]  ? __do_page_fault+0x4e9/0xb80
[ 58.254827]  ? __fget_light+0x172/0x1f0
[ 58.259511]  do_preadv+0x15d/0x200
[ 58.263167]  ? do_readv+0x2d0/0x2d0
[ 58.267125]  ? SyS_writev+0x30/0x30
[ 58.271218]  SyS_preadv+0x31/0x40
[ 58.275381]  do_syscall_64+0x1e8/0x640
[ 58.279566]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 58.286153]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 58.291769] RIP: 0033:0x441979
[ 58.295144] RSP: 002b:00007ffcf23cf7e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[ 58.303447] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441979
[ 58.312405] RDX: 0000000000000227 RSI: 00000000200017c0 RDI: 0000000000000004
[ 58.319987] RBP: 000000000000e2a2 R08: 000000000000000f R09: 0000000000402780
[ 58.328065] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004026f0
[ 58.336736] R13: 0000000000402780 R14: 0000000000000000 R15: 0000000000000000
[ 58.344168]
[ 58.345790] Allocated by task 7359:
[ 58.349536]  save_stack_trace+0x16/0x20
[ 58.353925]  save_stack+0x45/0xd0
[ 58.357576]  kasan_kmalloc+0xce/0xf0
[ 58.361382]  kmem_cache_alloc_trace+0x152/0x790
[ 58.366056]  snd_timer_instance_new+0x4f/0x3c0
[ 58.371204]  snd_timer_open+0x882/0x15e0
[ 58.375268]  snd_seq_timer_open+0x210/0x520
[ 58.379895]  queue_use+0x9e/0x200
[ 58.383743]  snd_seq_queue_alloc+0x2b5/0x490
[ 58.388149]  snd_seq_ioctl_create_queue+0xad/0x2f0
[ 58.393184]  snd_seq_kernel_client_ctl+0xd7/0x120
[ 58.398257]  alloc_seq_queue.isra.0+0xcd/0x150
[ 58.403226]  snd_seq_oss_open+0x2d7/0x8d0
[ 58.407510]  odev_open+0x69/0x90
[ 58.411064]  soundcore_open+0x3f3/0x5a0
[ 58.415355]  chrdev_open+0x207/0x590
[ 58.419174]  do_dentry_open+0x73b/0xeb0
[ 58.423142]  vfs_open+0x105/0x220
[ 58.426719]  path_openat+0x8bd/0x3f70
[ 58.430830]  do_filp_open+0x18e/0x250
[ 58.434872]  do_sys_open+0x2c5/0x430
[ 58.438728]  SyS_openat+0x30/0x40
[ 58.442369]  do_syscall_64+0x1e8/0x640
[ 58.446255]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 58.451693]
[ 58.453313] Freed by task 7359:
[ 58.456836]  save_stack_trace+0x16/0x20
[ 58.460806]  save_stack+0x45/0xd0
[ 58.464671]  kasan_slab_free+0x75/0xc0
[ 58.468727]  kfree+0xcc/0x270
[ 58.471834]  snd_timer_close_locked+0x758/0xb80
[ 58.476812]  snd_timer_close+0x7b/0xe0
[ 58.480803]  snd_seq_timer_close+0x91/0xd0
[ 58.485062]  queue_delete+0x52/0xb0
[ 58.489284]  snd_seq_queue_delete+0x41/0x60
[ 58.493756]  snd_seq_ioctl_delete_queue+0x6a/0x90
[ 58.498899]  snd_seq_kernel_client_ctl+0xd7/0x120
[ 58.503940]  delete_seq_queue.part.0+0xa7/0xf0
[ 58.509265]  snd_seq_oss_release+0x103/0x140
[ 58.514049]  odev_release+0x54/0x80
[ 58.517761]  __fput+0x275/0x7a0
[ 58.521036]  ____fput+0x16/0x20
[ 58.524498]  task_work_run+0x114/0x190
[ 58.528520]  do_exit+0xa1a/0x2cd0
[ 58.532121]  do_group_exit+0x111/0x330
[ 58.536123]  SyS_exit_group+0x1d/0x20
[ 58.539941]  do_syscall_64+0x1e8/0x640
[ 58.543828]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 58.549331]
[ 58.550999] The buggy address belongs to the object at ffff88809890b580
[ 58.550999]  which belongs to the cache kmalloc-256 of size 256
[ 58.564198] The buggy address is located 0 bytes inside of
[ 58.564198]  256-byte region [ffff88809890b580, ffff88809890b680)
[ 58.576722] The buggy address belongs to the page:
[ 58.582402] page:ffffea00026242c0 count:1 mapcount:0 mapping:ffff88809890b080 index:0x0
[ 58.590551] flags: 0xfffe0000000100(slab)
[ 58.595200] raw: 00fffe0000000100 ffff88809890b080 0000000000000000 000000010000000c
[ 58.603507] raw: ffffea00023c2f20 ffffea0002a3ef60 ffff8880aa8007c0 0000000000000000
[ 58.611504] page dumped because: kasan: bad access detected
[ 58.617548]
[ 58.619175] Memory state around the buggy address:
[ 58.624432]  ffff88809890b480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 58.631882]  ffff88809890b500: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.639582] >ffff88809890b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.647207]                    ^
executing program
[ 58.651718]  ffff88809890b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.659355]  ffff88809890b680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 58.667251] ==================================================================
[ 58.675038] Disabling lock debugging due to kernel taint
[ 58.681698] Kernel panic - not syncing: panic_on_warn set ...
[ 58.681698]
[ 58.689391] CPU: 1 PID: 7363 Comm: syz-executor232 Tainted: G    B   4.14.166-syzkaller #0
[ 58.699472] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.709232] Call Trace:
[ 58.711991]  dump_stack+0x142/0x197
[ 58.716132]  ? snd_timer_resolution+0xd8/0xf0
[ 58.720727]  panic+0x1f9/0x42d
[ 58.724335]  ? add_taint.cold+0x16/0x16
[ 58.728818]  ? ___preempt_schedule+0x16/0x18
[ 58.733550]  kasan_end_report+0x47/0x4f
[ 58.737676]  kasan_report.cold+0x130/0x2af
[ 58.741913]  __asan_report_load8_noabort+0x14/0x20
[ 58.746985]  snd_timer_resolution+0xd8/0xf0
[ 58.751859]  snd_seq_info_timer_read+0x96/0x2be
[ 58.756842]  snd_info_seq_show+0xcb/0x120
[ 58.761357]  seq_read+0x51a/0x1280
[ 58.765847]  ? seq_lseek+0x3c0/0x3c0
[ 58.769717]  ? avc_policy_seqno+0x9/0x20
[ 58.774641]  ? selinux_file_permission+0x85/0x480
[ 58.779591]  ? iov_iter_advance+0x218/0xc60
[ 58.784208]  proc_reg_read+0xfa/0x170
[ 58.788296]  ? seq_lseek+0x3c0/0x3c0
[ 58.792004]  do_iter_read+0x3e2/0x5b0
[ 58.795794]  vfs_readv+0xd3/0x130
[ 58.799246]  ? compat_rw_copy_check_uvector+0x310/0x310
[ 58.804615]  ? save_trace+0x290/0x290
[ 58.808692]  ? __do_page_fault+0x4e9/0xb80
[ 58.813116]  ? find_held_lock+0x35/0x130
[ 58.817172]  ? __do_page_fault+0x4e9/0xb80
[ 58.821635]  ? __fget_light+0x172/0x1f0
[ 58.825825]  do_preadv+0x15d/0x200
[ 58.829371]  ? do_readv+0x2d0/0x2d0
[ 58.833991]  ? SyS_writev+0x30/0x30
[ 58.837740]  SyS_preadv+0x31/0x40
[ 58.841543]  do_syscall_64+0x1e8/0x640
[ 58.845552]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 58.850652]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 58.856135] RIP: 0033:0x441979
[ 58.859536] RSP: 002b:00007ffcf23cf7e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[ 58.867464] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441979
[ 58.874734] RDX: 0000000000000227 RSI: 00000000200017c0 RDI: 0000000000000004
[ 58.882362] RBP: 000000000000e2a2 R08: 000000000000000f R09: 0000000000402780
[ 58.889732] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004026f0
[ 58.897323] R13: 0000000000402780 R14: 0000000000000000 R15: 0000000000000000
[ 58.906279] Kernel Offset: disabled
[ 58.910131] Rebooting in 86400 seconds..