[ 56.328287][ T26] audit: type=1800 audit(1573490356.188:25): pid=8777 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 56.348350][ T26] audit: type=1800 audit(1573490356.188:26): pid=8777 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 56.369637][ T26] audit: type=1800 audit(1573490356.198:27): pid=8777 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ 57.087983][ T8842] sshd (8842) used greatest stack depth: 22888 bytes left
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.45' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 68.153660][ T8934] ==================================================================
[ 68.161853][ T8934] BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0
[ 68.169207][ T8934] Read of size 8 at addr ffff88809fda1478 by task syz-executor450/8934
[ 68.177430][ T8934]
[ 68.179749][ T8934] CPU: 0 PID: 8934 Comm: syz-executor450 Not tainted 5.4.0-rc6-next-20191111 #0
[ 68.188766][ T8934] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.198813][ T8934] Call Trace:
[ 68.202094][ T8934]  dump_stack+0x197/0x210
[ 68.206408][ T8934]  ? __list_add_valid+0x9a/0xa0
[ 68.211245][ T8934]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 68.218259][ T8934]  ? __list_add_valid+0x9a/0xa0
[ 68.223110][ T8934]  ? __list_add_valid+0x9a/0xa0
[ 68.227944][ T8934]  __kasan_report.cold+0x1b/0x41
[ 68.232884][ T8934]  ? __list_add_valid+0x9a/0xa0
[ 68.237717][ T8934]  kasan_report+0x12/0x20
[ 68.242030][ T8934]  __asan_report_load8_noabort+0x14/0x20
[ 68.247641][ T8934]  __list_add_valid+0x9a/0xa0
[ 68.252310][ T8934]  snd_timer_open+0x245/0x1150
[ 68.257232][ T8934]  ? kmem_cache_alloc_trace+0x397/0x790
[ 68.262764][ T8934]  ? snd_timer_close_locked+0xbd0/0xbd0
[ 68.268295][ T8934]  ? kstrdup+0x5a/0x70
[ 68.272379][ T8934]  __snd_timer_user_ioctl.isra.0+0x7ed/0x2070
[ 68.278429][ T8934]  ? snd_timer_user_open+0x190/0x190
[ 68.283900][ T8934]  ? lock_acquire+0x190/0x410
[ 68.288559][ T8934]  ? snd_timer_user_ioctl+0x51/0xa7
[ 68.293756][ T8934]  ? __mutex_lock+0x458/0x13c0
[ 68.298505][ T8934]  ? snd_timer_user_ioctl+0x51/0xa7
[ 68.303687][ T8934]  ? tomoyo_path_number_perm+0x454/0x520
[ 68.309314][ T8934]  ? mutex_trylock+0x2f0/0x2f0
[ 68.314093][ T8934]  ? tomoyo_path_number_perm+0x25e/0x520
[ 68.319809][ T8934]  ? tomoyo_execute_permission+0x4a0/0x4a0
[ 68.325615][ T8934]  snd_timer_user_ioctl+0x7a/0xa7
[ 68.330637][ T8934]  ? snd_timer_user_ioctl_compat+0x680/0x680
[ 68.336611][ T8934]  do_vfs_ioctl+0x977/0x14e0
[ 68.341240][ T8934]  ? compat_ioctl_preallocate+0x220/0x220
[ 68.347078][ T8934]  ? __kasan_check_write+0x14/0x20
[ 68.352173][ T8934]  ? up_read+0x1cd/0x810
[ 68.356401][ T8934]  ? tomoyo_file_ioctl+0x23/0x30
[ 68.361332][ T8934]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 68.367565][ T8934]  ? security_file_ioctl+0x8d/0xc0
[ 68.372661][ T8934]  ksys_ioctl+0xab/0xd0
[ 68.376809][ T8934]  __x64_sys_ioctl+0x73/0xb0
[ 68.381398][ T8934]  do_syscall_64+0xfa/0x760
[ 68.385887][ T8934]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.391758][ T8934] RIP: 0033:0x444f39
[ 68.395640][ T8934] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb cd fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 68.415223][ T8934] RSP: 002b:00007ffdcbff56d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 68.423613][ T8934] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f39
[ 68.431564][ T8934] RDX: 0000000020029fcc RSI: 0000000040345410 RDI: 0000000000000003
[ 68.439517][ T8934] RBP: 0000000000010a27 R08: 0000000000000004 R09: 00000000004002e0
[ 68.447469][ T8934] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000402180
[ 68.455424][ T8934] R13: 0000000000402210 R14: 0000000000000000 R15: 0000000000000000
[ 68.463393][ T8934]
[ 68.465704][ T8934] Allocated by task 8933:
[ 68.470196][ T8934]  save_stack+0x23/0x90
[ 68.474351][ T8934]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 68.479961][ T8934]  kasan_kmalloc+0x9/0x10
[ 68.484318][ T8934]  kmem_cache_alloc_trace+0x158/0x790
[ 68.489687][ T8934]  snd_timer_instance_new+0x4a/0x300
[ 68.495135][ T8934]  __snd_timer_user_ioctl.isra.0+0x665/0x2070
[ 68.501323][ T8934]  snd_timer_user_ioctl+0x7a/0xa7
[ 68.507096][ T8934]  do_vfs_ioctl+0x977/0x14e0
[ 68.511719][ T8934]  ksys_ioctl+0xab/0xd0
[ 68.515856][ T8934]  __x64_sys_ioctl+0x73/0xb0
[ 68.520426][ T8934]  do_syscall_64+0xfa/0x760
[ 68.524912][ T8934]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.530787][ T8934]
[ 68.533104][ T8934] Freed by task 8933:
[ 68.537067][ T8934]  save_stack+0x23/0x90
[ 68.541200][ T8934]  __kasan_slab_free+0x102/0x150
[ 68.546129][ T8934]  kasan_slab_free+0xe/0x10
[ 68.550608][ T8934]  kfree+0x10a/0x2c0
[ 68.555364][ T8934]  snd_timer_instance_free+0x7c/0xa0
[ 68.560636][ T8934]  __snd_timer_user_ioctl.isra.0+0x160d/0x2070
[ 68.566786][ T8934]  snd_timer_user_ioctl+0x7a/0xa7
[ 68.571812][ T8934]  do_vfs_ioctl+0x977/0x14e0
[ 68.576390][ T8934]  ksys_ioctl+0xab/0xd0
[ 68.580537][ T8934]  __x64_sys_ioctl+0x73/0xb0
[ 68.585108][ T8934]  do_syscall_64+0xfa/0x760
[ 68.589590][ T8934]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.595452][ T8934]
[ 68.597764][ T8934] The buggy address belongs to the object at ffff88809fda1400
[ 68.597764][ T8934]  which belongs to the cache kmalloc-256 of size 256
[ 68.611798][ T8934] The buggy address is located 120 bytes inside of
[ 68.611798][ T8934]  256-byte region [ffff88809fda1400, ffff88809fda1500)
[ 68.625046][ T8934] The buggy address belongs to the page:
[ 68.630659][ T8934] page:ffffea00027f6840 refcount:1 mapcount:0 mapping:ffff8880aa4008c0 index:0xffff88809fda1800
[ 68.641134][ T8934] flags: 0x1fffc0000000200(slab)
[ 68.646054][ T8934] raw: 01fffc0000000200 ffffea0002a96a08 ffff8880aa401638 ffff8880aa4008c0
[ 68.654897][ T8934] raw: ffff88809fda1800 ffff88809fda1000 0000000100000006 0000000000000000
[ 68.663468][ T8934] page dumped because: kasan: bad access detected
[ 68.669854][ T8934]
[ 68.672172][ T8934] Memory state around the buggy address:
[ 68.677784][ T8934]  ffff88809fda1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.685830][ T8934]  ffff88809fda1380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.693873][ T8934] >ffff88809fda1400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.701908][ T8934]                                                                 ^
[ 68.709862][ T8934]  ffff88809fda1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.717919][ T8934]  ffff88809fda1500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.725969][ T8934] ==================================================================
[ 68.734007][ T8934] Disabling lock debugging due to kernel taint
[ 68.740967][ T8934] Kernel panic - not syncing: panic_on_warn set ...
[ 68.747571][ T8934] CPU: 0 PID: 8934 Comm: syz-executor450 Tainted: G    B   5.4.0-rc6-next-20191111 #0
[ 68.757952][ T8934] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.767988][ T8934] Call Trace:
[ 68.771271][ T8934]  dump_stack+0x197/0x210
[ 68.775581][ T8934]  panic+0x2e3/0x75c
[ 68.779450][ T8934]  ? add_taint.cold+0x16/0x16
[ 68.784110][ T8934]  ? __list_add_valid+0x9a/0xa0
[ 68.788940][ T8934]  ? preempt_schedule+0x4b/0x60
[ 68.793770][ T8934]  ? ___preempt_schedule+0x16/0x18
[ 68.798953][ T8934]  ? trace_hardirqs_on+0x5e/0x240
[ 68.803958][ T8934]  ? __list_add_valid+0x9a/0xa0
[ 68.808803][ T8934]  end_report+0x47/0x4f
[ 68.812939][ T8934]  ? __list_add_valid+0x9a/0xa0
[ 68.817768][ T8934]  __kasan_report.cold+0xe/0x41
[ 68.822597][ T8934]  ? __list_add_valid+0x9a/0xa0
[ 68.827424][ T8934]  kasan_report+0x12/0x20
[ 68.831732][ T8934]  __asan_report_load8_noabort+0x14/0x20
[ 68.837342][ T8934]  __list_add_valid+0x9a/0xa0
[ 68.842000][ T8934]  snd_timer_open+0x245/0x1150
[ 68.846756][ T8934]  ? kmem_cache_alloc_trace+0x397/0x790
[ 68.852297][ T8934]  ? snd_timer_close_locked+0xbd0/0xbd0
[ 68.857825][ T8934]  ? kstrdup+0x5a/0x70
[ 68.861980][ T8934]  __snd_timer_user_ioctl.isra.0+0x7ed/0x2070
[ 68.868032][ T8934]  ? snd_timer_user_open+0x190/0x190
[ 68.873315][ T8934]  ? lock_acquire+0x190/0x410
[ 68.877988][ T8934]  ? snd_timer_user_ioctl+0x51/0xa7
[ 68.883166][ T8934]  ? __mutex_lock+0x458/0x13c0
[ 68.887911][ T8934]  ? snd_timer_user_ioctl+0x51/0xa7
[ 68.893088][ T8934]  ? tomoyo_path_number_perm+0x454/0x520
[ 68.898699][ T8934]  ? mutex_trylock+0x2f0/0x2f0
[ 68.903441][ T8934]  ? tomoyo_path_number_perm+0x25e/0x520
[ 68.909240][ T8934]  ? tomoyo_execute_permission+0x4a0/0x4a0
[ 68.915028][ T8934]  snd_timer_user_ioctl+0x7a/0xa7
[ 68.920035][ T8934]  ? snd_timer_user_ioctl_compat+0x680/0x680
[ 68.926010][ T8934]  do_vfs_ioctl+0x977/0x14e0
[ 68.930582][ T8934]  ? compat_ioctl_preallocate+0x220/0x220
[ 68.936282][ T8934]  ? __kasan_check_write+0x14/0x20
[ 68.941372][ T8934]  ? up_read+0x1cd/0x810
[ 68.945596][ T8934]  ? tomoyo_file_ioctl+0x23/0x30
[ 68.950600][ T8934]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 68.956841][ T8934]  ? security_file_ioctl+0x8d/0xc0
[ 68.961951][ T8934]  ksys_ioctl+0xab/0xd0
[ 68.966084][ T8934]  __x64_sys_ioctl+0x73/0xb0
[ 68.970666][ T8934]  do_syscall_64+0xfa/0x760
[ 68.975152][ T8934]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.981055][ T8934] RIP: 0033:0x444f39
[ 68.985023][ T8934] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb cd fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 69.004623][ T8934] RSP: 002b:00007ffdcbff56d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 69.013059][ T8934] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f39
[ 69.021013][ T8934] RDX: 0000000020029fcc RSI: 0000000040345410 RDI: 0000000000000003
[ 69.028975][ T8934] RBP: 0000000000010a27 R08: 0000000000000004 R09: 00000000004002e0
[ 69.036926][ T8934] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000402180
[ 69.044883][ T8934] R13: 0000000000402210 R14: 0000000000000000 R15: 0000000000000000
[ 69.054025][ T8934] Kernel Offset: disabled
[ 69.058383][ T8934] Rebooting in 86400 seconds..