Warning: Permanently added '10.128.0.157' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   54.141641] audit: type=1400 audit(1579437284.122:36): avc: denied { map } for pid=8045 comm="syz-executor234" path="/root/syz-executor234651426" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
[   54.235162] ==================================================================
[   54.242700] BUG: KASAN: use-after-free in snd_timer_resolution+0xf1/0x110
[   54.249707] Read of size 8 at addr ffff88808e6ff3c0 by task syz-executor234/8059
[   54.257589] 
[   54.259224] CPU: 1 PID: 8059 Comm: syz-executor234 Not tainted 4.19.97-syzkaller #0
[   54.267798] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.277233] Call Trace:
[   54.279966]  dump_stack+0x197/0x210
[   54.283597]  ? snd_timer_resolution+0xf1/0x110
[   54.288247]  print_address_description.cold+0x7c/0x20d
[   54.293578]  ? snd_timer_resolution+0xf1/0x110
[   54.298151]  kasan_report.cold+0x8c/0x2ba
[   54.302396]  __asan_report_load8_noabort+0x14/0x20
[   54.307337]  snd_timer_resolution+0xf1/0x110
[   54.311746]  snd_seq_info_timer_read+0x95/0x2f1
[   54.316416]  snd_info_seq_show+0xcb/0x120
[   54.320561]  seq_read+0x4ca/0x1110
[   54.324104]  ? seq_dentry+0x2d0/0x2d0
[   54.327905]  proc_reg_read+0x1f8/0x2b0
[   54.332051]  ? proc_reg_unlocked_ioctl+0x2a0/0x2a0
[   54.337077]  ? security_file_permission+0x89/0x230
[   54.342018]  ? rw_verify_area+0x118/0x360
[   54.346242]  do_iter_read+0x490/0x640
[   54.350051]  ? dup_iter+0x270/0x270
[   54.353679]  vfs_readv+0xf0/0x160
[   54.357126]  ? compat_rw_copy_check_uvector+0x400/0x400
[   54.362482]  ? copy_page_range+0x2030/0x2030
[   54.367127]  ? __do_page_fault+0x676/0xe90
[   54.371375]  ? lock_downgrade+0x880/0x880
[   54.375686]  ? count_memcg_event_mm+0x2b1/0x4d0
[   54.380397]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.385952]  ? __fget_light+0x1a9/0x230
[   54.389969]  do_preadv+0x1c4/0x280
[   54.393510]  ? do_readv+0x370/0x370
[   54.397130]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   54.402075]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   54.406826]  ? do_syscall_64+0x26/0x620
[   54.410799]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.416164]  ? do_syscall_64+0x26/0x620
[   54.420144]  __x64_sys_preadv+0x9a/0xf0
[   54.424122]  do_syscall_64+0xfd/0x620
[   54.428033]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.433301] RIP: 0033:0x4413a9
[   54.436512] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   54.455441] RSP: 002b:00007ffdf921a718 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[   54.463156] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004413a9
[   54.470442] RDX: 0000000000000227 RSI: 00000000200017c0 RDI: 0000000000000004
[   54.477707] RBP: 00007ffdf921a730 R08: 000000000000000f R09: 00000000000000c2
[   54.485427] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402120
[   54.492694] R13: 00000000004021b0 R14: 0000000000000000 R15: 0000000000000000
[   54.500063] 
[   54.501680] Allocated by task 8055:
[   54.505306]  save_stack+0x45/0xd0
[   54.508754]  kasan_kmalloc+0xce/0xf0
[   54.512475]  kmem_cache_alloc_trace+0x152/0x760
[   54.517485]  snd_timer_instance_new+0x4f/0x3d0
[   54.522173]  snd_timer_open+0x989/0x1850
[   54.526233]  snd_seq_timer_open+0x240/0x580
[   54.530558]  queue_use+0xcb/0x240
[   54.534124]  snd_seq_queue_alloc+0x2c5/0x4d0
[   54.538544]  snd_seq_ioctl_create_queue+0xb0/0x330
[   54.543473]  snd_seq_kernel_client_ctl+0xf8/0x140
[   54.548315]  alloc_seq_queue.isra.0+0xdc/0x180
[   54.552899]  snd_seq_oss_open+0x2ff/0x960
[   54.557699]  odev_open+0x70/0x90
[   54.561064]  soundcore_open+0x453/0x610
[   54.565048]  chrdev_open+0x245/0x6b0
[   54.568755]  do_dentry_open+0x4c3/0x1210
[   54.572812]  vfs_open+0xa0/0xd0
[   54.576080]  path_openat+0x10d7/0x45e0
[   54.579961]  do_filp_open+0x1a1/0x280
[   54.583751]  do_sys_open+0x3fe/0x550
[   54.587459]  __x64_sys_openat+0x9d/0x100
[   54.591625]  do_syscall_64+0xfd/0x620
[   54.595417]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.600639] 
[   54.602326] Freed by task 8055:
[   54.605614]  save_stack+0x45/0xd0
[   54.609116]  __kasan_slab_free+0x102/0x150
[   54.613352]  kasan_slab_free+0xe/0x10
[   54.617158]  kfree+0xcf/0x220
[   54.620267]  snd_timer_close_locked+0x7da/0xc00
[   54.624931]  snd_timer_close+0x8e/0xf0
[   54.628954]  snd_seq_timer_close+0x95/0xd0
[   54.633191]  queue_delete+0x52/0xb0
[   54.636833]  snd_seq_queue_delete+0x4e/0x70
[   54.641169]  snd_seq_ioctl_delete_queue+0x6a/0x90
[   54.646018]  snd_seq_kernel_client_ctl+0xf8/0x140
[   54.650914]  delete_seq_queue.part.0+0xb6/0x120
[   54.655616]  snd_seq_oss_release+0x116/0x150
[   54.660035]  odev_release+0x54/0x80
[   54.663668]  __fput+0x2dd/0x8b0
[   54.666940]  ____fput+0x16/0x20
[   54.670225]  task_work_run+0x145/0x1c0
[   54.674108]  do_exit+0xc1f/0x30d0
[   54.677553]  do_group_exit+0x135/0x370
[   54.681438]  __x64_sys_exit_group+0x44/0x50
[   54.685803]  do_syscall_64+0xfd/0x620
[   54.690016]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.695313] 
[   54.696931] The buggy address belongs to the object at ffff88808e6ff3c0
[   54.696931]  which belongs to the cache kmalloc-256 of size 256
[   54.709583] The buggy address is located 0 bytes inside of
[   54.709583]  256-byte region [ffff88808e6ff3c0, ffff88808e6ff4c0)
[   54.721277] The buggy address belongs to the page:
[   54.726208] page:ffffea000239bfc0 count:1 mapcount:0 mapping:ffff88812c31c7c0 index:0x0
[   54.734501] flags: 0xfffe0000000100(slab)
[   54.738657] raw: 00fffe0000000100 ffffea00022b5a88 ffffea00023643c8 ffff88812c31c7c0
[   54.746538] raw: 0000000000000000 ffff88808e6ff000 000000010000000c 0000000000000000
[   54.754534] page dumped because: kasan: bad access detected
[   54.760581] 
[   54.762196] Memory state around the buggy address:
[   54.767122]  ffff88808e6ff280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.774654]  ffff88808e6ff300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.782009] >ffff88808e6ff380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   54.789417]                                            ^
[   54.794859]  ffff88808e6ff400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.802221]  ffff88808e6ff480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   54.809681] ==================================================================
[   54.817031] Disabling lock debugging due to kernel taint
[   54.823796] Kernel panic - not syncing: panic_on_warn set ...
[   54.823796] 
[   54.831579] CPU: 1 PID: 8059 Comm: syz-executor234 Tainted: G    B             4.19.97-syzkaller #0
[   54.840816] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.850184] Call Trace:
[   54.852783]  dump_stack+0x197/0x210
[   54.856455]  ? snd_timer_resolution+0xf1/0x110
[   54.861093]  panic+0x26a/0x50e
[   54.864285]  ? __warn_printk+0xf3/0xf3
[   54.868277]  ? snd_timer_resolution+0xf1/0x110
[   54.872853]  ? preempt_schedule+0x4b/0x60
[   54.877289]  ? ___preempt_schedule+0x16/0x18
[   54.881702]  ? trace_hardirqs_on+0x5e/0x220
[   54.886021]  ? snd_timer_resolution+0xf1/0x110
[   54.890598]  kasan_end_report+0x47/0x4f
[   54.894572]  kasan_report.cold+0xa9/0x2ba
[   54.898715]  __asan_report_load8_noabort+0x14/0x20
[   54.903652]  snd_timer_resolution+0xf1/0x110
[   54.908069]  snd_seq_info_timer_read+0x95/0x2f1
[   54.912763]  snd_info_seq_show+0xcb/0x120
[   54.916913]  seq_read+0x4ca/0x1110
[   54.920463]  ? seq_dentry+0x2d0/0x2d0
[   54.924303]  proc_reg_read+0x1f8/0x2b0
[   54.928207]  ? proc_reg_unlocked_ioctl+0x2a0/0x2a0
[   54.933399]  ? security_file_permission+0x89/0x230
[   54.938335]  ? rw_verify_area+0x118/0x360
[   54.942597]  do_iter_read+0x490/0x640
[   54.946399]  ? dup_iter+0x270/0x270
[   54.950197]  vfs_readv+0xf0/0x160
[   54.954033]  ? compat_rw_copy_check_uvector+0x400/0x400
[   54.959445]  ? copy_page_range+0x2030/0x2030
[   54.963854]  ? __do_page_fault+0x676/0xe90
[   54.968113]  ? lock_downgrade+0x880/0x880
[   54.972253]  ? count_memcg_event_mm+0x2b1/0x4d0
[   54.976916]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.982449]  ? __fget_light+0x1a9/0x230
[   54.986438]  do_preadv+0x1c4/0x280
[   54.989980]  ? do_readv+0x370/0x370
[   54.993610]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   54.998360]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   55.003143]  ? do_syscall_64+0x26/0x620
[   55.007124]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.012482]  ? do_syscall_64+0x26/0x620
[   55.016455]  __x64_sys_preadv+0x9a/0xf0
[   55.020564]  do_syscall_64+0xfd/0x620
[   55.024367]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.029559] RIP: 0033:0x4413a9
[   55.032806] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   55.051972] RSP: 002b:00007ffdf921a718 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[   55.059673] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004413a9
[   55.066936] RDX: 0000000000000227 RSI: 00000000200017c0 RDI: 0000000000000004
[   55.074326] RBP: 00007ffdf921a730 R08: 000000000000000f R09: 00000000000000c2
[   55.081849] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402120
[   55.089213] R13: 00000000004021b0 R14: 0000000000000000 R15: 0000000000000000
[   55.098020] Kernel Offset: disabled
[   55.102469] Rebooting in 86400 seconds..
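The console log above is the raw KASAN report; what a triager reads out of it is a handful of fields: the bug class and faulting function, which task did the access and which task freed the object, the slab cache and offset, and the first frame of each stack that is not sanitizer or allocator plumbing. The script below is an added example (not part of the syzbot report or of the kernel tree) that extracts exactly those fields from the serial-console form shown here, dropping the `?` unreliable frames and treating a blank line as the end of a stack. The `NOISE` prefix list is my own heuristic, and `REPORT` is a cut-down copy of this page's report used only as built-in sample input. Run on the text above it reports that task 8059, reading a `/proc` sequencer file via `preadv` (`snd_seq_info_timer_read` into `snd_timer_resolution`), touched a 256-byte timer instance that task 8055 had already freed through `snd_seq_oss_release` and queue deletion, i.e. a cross-task use-after-free.

```python
"""Pull the triage-relevant fields out of a Linux KASAN report.

Added example for this page, not part of the syzbot report or the kernel tree.
"""
import re

# Cut-down copy of the report on this page (most frames and the repeated
# panic backtrace dropped); feed parse_kasan() the full text in practice.
REPORT = r"""
[   54.242700] BUG: KASAN: use-after-free in snd_timer_resolution+0xf1/0x110
[   54.249707] Read of size 8 at addr ffff88808e6ff3c0 by task syz-executor234/8059
[   54.277233] Call Trace:
[   54.279966]  dump_stack+0x197/0x210
[   54.283597]  ? snd_timer_resolution+0xf1/0x110
[   54.288247]  print_address_description.cold+0x7c/0x20d
[   54.298151]  kasan_report.cold+0x8c/0x2ba
[   54.302396]  __asan_report_load8_noabort+0x14/0x20
[   54.307337]  snd_timer_resolution+0xf1/0x110
[   54.311746]  snd_seq_info_timer_read+0x95/0x2f1
[   54.320561]  seq_read+0x4ca/0x1110
[   54.389969]  do_preadv+0x1c4/0x280
[   54.433301] RIP: 0033:0x4413a9
[   54.500063]
[   54.501680] Allocated by task 8055:
[   54.505306]  save_stack+0x45/0xd0
[   54.508754]  kasan_kmalloc+0xce/0xf0
[   54.512475]  kmem_cache_alloc_trace+0x152/0x760
[   54.517485]  snd_timer_instance_new+0x4f/0x3d0
[   54.522173]  snd_timer_open+0x989/0x1850
[   54.600639]
[   54.602326] Freed by task 8055:
[   54.605614]  save_stack+0x45/0xd0
[   54.609116]  __kasan_slab_free+0x102/0x150
[   54.613352]  kasan_slab_free+0xe/0x10
[   54.617158]  kfree+0xcf/0x220
[   54.620267]  snd_timer_close_locked+0x7da/0xc00
[   54.624931]  snd_timer_close+0x8e/0xf0
[   54.695313]
[   54.696931] The buggy address belongs to the object at ffff88808e6ff3c0
[   54.696931]  which belongs to the cache kmalloc-256 of size 256
[   54.709583] The buggy address is located 0 bytes inside of
[   54.709583]  256-byte region [ffff88808e6ff3c0, ffff88808e6ff4c0)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                      # "[   54.242700] " prefix
FRAME = re.compile(r"^(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[\w+\])?$")
# Sanitizer and slab frames that sit above the frame a triager cares about
# (heuristic prefix list of my own; extend as needed).
NOISE = ("dump_stack", "print_address_description", "kasan_", "__kasan_",
         "__asan_", "save_stack", "kmem_cache_", "kmalloc", "kfree")


def culprit(frames):
    """First reliable frame that is not sanitizer/slab plumbing, else None."""
    return next((f for f in frames if not f.startswith(NOISE)), None)


def parse_kasan(text):
    r = {"access": [], "alloc": [], "free": []}
    section = None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if not line:                        # a blank line closes a stack section
            section = None
        elif m := re.match(r"BUG: KASAN: ([\w-]+) in (\S+?)\+0x", line):
            r["kind"], r["func"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            r["rw"], r["size"], r["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
            r["comm"], r["pid"] = m.group(4), int(m.group(5))
        elif line == "Call Trace:":
            section = "access"
        elif m := re.match(r"Allocated by task (\d+):", line):
            r["alloc_pid"], section = int(m.group(1)), "alloc"
        elif m := re.match(r"Freed by task (\d+):", line):
            r["free_pid"], section = int(m.group(1)), "free"
        elif m := re.search(r"cache (\S+) of size (\d+)", line):
            r["cache"], r["obj_size"] = m.group(1), int(m.group(2))
        elif m := re.search(r"located (\d+) bytes (inside of|to the (?:left|right) of)", line):
            r["offset"], r["where"] = int(m.group(1)), m.group(2)
        elif section and (m := FRAME.match(line)) and not m.group(1):
            r[section].append(m.group(2))   # '?' (unreliable) frames are dropped
    acc = r["access"]
    r["site"] = culprit(acc)                # frame that performed the bad access
    i = acc.index(r["site"]) + 1 if r["site"] else len(acc)
    r["caller"] = acc[i] if i < len(acc) else None
    r["alloc_site"], r["free_site"] = culprit(r["alloc"]), culprit(r["free"])
    # Freed by one task, touched by another: the signature of a missing lock or refcount.
    r["cross_task"] = "free_pid" in r and r.get("pid") != r["free_pid"]
    return r


if __name__ == "__main__":
    r = parse_kasan(REPORT)
    print(f"{r['kind']}: {r['rw']} of {r['size']} B at {r['addr']:#x} in {r['site']} <- {r['caller']}")
    print(f"object: {r['cache']} ({r['obj_size']} B), {r['offset']} bytes {r['where']} it; "
          f"allocated in {r['alloc_site']}, freed in {r['free_site']}; cross-task: {r['cross_task']}")
```

To use it on a real report, pass the full console text to `parse_kasan()` (for example `parse_kasan(open("report.txt").read())`); the timestamp prefix is optional, so the de-timestamped form syzbot posts in e-mail parses the same way. The `cross_task` flag is the quick tell for a race between an object's owner and an unsynchronized reader, which is what the access and free stacks above show.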