[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.235' (ECDSA) to the list of known hosts.
2020/07/30 03:47:37 parsed 1 programs
2020/07/30 03:47:37 executed programs: 0
syzkaller login: [   42.272866][ T6833] IPVS: ftp: loaded support on port[0] = 21
[   42.359261][ T6833] chnl_net:caif_netlink_parms(): no params data found
[   42.404397][ T6833] bridge0: port 1(bridge_slave_0) entered blocking state
[   42.412295][ T6833] bridge0: port 1(bridge_slave_0) entered disabled state
[   42.420401][ T6833] device bridge_slave_0 entered promiscuous mode
[   42.428737][ T6833] bridge0: port 2(bridge_slave_1) entered blocking state
[   42.435805][ T6833] bridge0: port 2(bridge_slave_1) entered disabled state
[   42.443621][ T6833] device bridge_slave_1 entered promiscuous mode
[   42.461448][ T6833] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   42.472520][ T6833] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   42.493171][ T6833] team0: Port device team_slave_0 added
[   42.500493][ T6833] team0: Port device team_slave_1 added
[   42.515288][ T6833] batman_adv: batadv0: Adding interface: batadv_slave_0
[   42.522253][ T6833] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   42.548384][ T6833] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   42.560494][ T6833] batman_adv: batadv0: Adding interface: batadv_slave_1
[   42.567426][ T6833] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   42.593329][ T6833] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   42.660765][ T6833] device hsr_slave_0 entered promiscuous mode
[   42.699184][ T6833] device hsr_slave_1 entered promiscuous mode
[   42.805203][ T6833] netdevsim netdevsim0 netdevsim0: renamed from eth0
[   42.850821][ T6833] netdevsim netdevsim0 netdevsim1: renamed from eth1
[   42.891889][ T6833] netdevsim netdevsim0 netdevsim2: renamed from eth2
[   42.949969][ T6833] netdevsim netdevsim0 netdevsim3: renamed from eth3
[   43.001512][ T6833] bridge0: port 2(bridge_slave_1) entered blocking state
[   43.008669][ T6833] bridge0: port 2(bridge_slave_1) entered forwarding state
[   43.016208][ T6833] bridge0: port 1(bridge_slave_0) entered blocking state
[   43.023341][ T6833] bridge0: port 1(bridge_slave_0) entered forwarding state
[   43.058427][ T6833] 8021q: adding VLAN 0 to HW filter on device bond0
[   43.071013][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   43.080892][   T12] bridge0: port 1(bridge_slave_0) entered disabled state
[   43.089822][   T12] bridge0: port 2(bridge_slave_1) entered disabled state
[   43.098996][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   43.111200][ T6833] 8021q: adding VLAN 0 to HW filter on device team0
[   43.122632][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   43.132176][ T2700] bridge0: port 1(bridge_slave_0) entered blocking state
[   43.139282][ T2700] bridge0: port 1(bridge_slave_0) entered forwarding state
[   43.159188][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   43.168644][ T2700] bridge0: port 2(bridge_slave_1) entered blocking state
[   43.175735][ T2700] bridge0: port 2(bridge_slave_1) entered forwarding state
[   43.186025][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   43.196567][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   43.205325][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   43.218938][ T2509] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   43.231532][ T6833] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   43.242743][ T6833] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   43.251529][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   43.271409][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   43.278879][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   43.292585][ T6833] 8021q: adding VLAN 0 to HW filter on device batadv0
[   43.309534][ T2509] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   43.327528][ T6833] device veth0_vlan entered promiscuous mode
[   43.336180][ T3359] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   43.344980][ T3359] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   43.353424][ T3359] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   43.365755][ T6833] device veth1_vlan entered promiscuous mode
[   43.374869][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[   43.393879][ T2509] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[   43.403172][ T2509] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   43.413860][ T6833] device veth0_macvtap entered promiscuous mode
[   43.423572][ T6833] device veth1_macvtap entered promiscuous mode
[   43.444739][ T6833] batman_adv: batadv0: Interface activated: batadv_slave_0
[   43.452948][ T2509] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   43.461841][ T2509] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[   43.470488][ T2509] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[   43.479418][ T2509] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   43.492645][ T6833] batman_adv: batadv0: Interface activated: batadv_slave_1
[   43.500122][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[   43.509045][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   46.634377][ T7530] ==================================================================
[   46.642538][ T7530] BUG: KASAN: double-free or invalid-free in snd_seq_port_disconnect+0x570/0x610
[   46.651625][ T7530]
[   46.653935][ T7530] CPU: 1 PID: 7530 Comm: syz-executor.0 Not tainted 5.8.0-rc7-syzkaller #0
[   46.662501][ T7530] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.672559][ T7530] Call Trace:
[   46.675828][ T7530]  dump_stack+0x1f0/0x31e
[   46.680137][ T7530]  ? snd_seq_port_disconnect+0x570/0x610
[   46.685763][ T7530]  ? snd_seq_port_disconnect+0x570/0x610
[   46.691396][ T7530]  print_address_description+0x66/0x5a0
[   46.696944][ T7530]  ? vprintk_emit+0x342/0x3c0
[   46.701608][ T7530]  ? snd_seq_port_disconnect+0x570/0x610
[   46.707212][ T7530]  ? snd_seq_port_disconnect+0x570/0x610
[   46.712817][ T7530]  ? printk+0x62/0x83
[   46.716779][ T7530]  ? vprintk_emit+0x339/0x3c0
[   46.721443][ T7530]  ? snd_seq_port_disconnect+0x570/0x610
[   46.727049][ T7530]  ? snd_seq_port_disconnect+0x570/0x610
[   46.732651][ T7530]  kasan_report_invalid_free+0x54/0xd0
[   46.738103][ T7530]  __kasan_slab_free+0xae/0x170
[   46.742962][ T7530]  ? trace_lock_release+0x137/0x1a0
[   46.748148][ T7530]  ? do_raw_spin_unlock+0x134/0x8d0
[   46.753320][ T7530]  ? lockdep_hardirqs_off+0x2f/0xa0
[   46.758490][ T7530]  ? _raw_spin_unlock_irqrestore+0x68/0xd0
[   46.764276][ T7530]  ? trace_hardirqs_off+0x2d/0x70
[   46.769279][ T7530]  ? _raw_spin_unlock_irqrestore+0xb4/0xd0
[   46.775192][ T7530]  ? debug_check_no_obj_freed+0x592/0x640
[   46.780949][ T7530]  ? snd_seq_port_disconnect+0x568/0x610
[   46.786561][ T7530]  ? lock_is_held_type+0x87/0xe0
[   46.791474][ T7530]  ? snd_seq_port_disconnect+0x570/0x610
[   46.797081][ T7530]  kfree+0x10a/0x220
[   46.800954][ T7530]  snd_seq_port_disconnect+0x570/0x610
[   46.806424][ T7530]  snd_seq_ioctl_unsubscribe_port+0x349/0x6c0
[   46.812465][ T7530]  ? _raw_spin_unlock_irqrestore+0x6f/0xd0
[   46.818252][ T7530]  snd_seq_oss_midi_close+0x397/0x620
[   46.823603][ T7530]  snd_seq_oss_synth_reset+0x335/0x8b0
[   46.829050][ T7530]  snd_seq_oss_reset+0x5b/0x250
[   46.833872][ T7530]  snd_seq_oss_ioctl+0x5c2/0x1090
[   46.838871][ T7530]  ? do_vfs_ioctl+0x6bc/0x16d0
[   46.843609][ T7530]  odev_ioctl+0x51/0x70
[   46.847740][ T7530]  ? odev_poll+0x70/0x70
[   46.851960][ T7530]  __se_sys_ioctl+0xf9/0x160
[   46.856535][ T7530]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   46.862948][ T7530]  do_syscall_64+0x73/0xe0
[   46.867341][ T7530]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   46.873210][ T7530] RIP: 0033:0x45c429
[   46.877098][ T7530] Code: 8d b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   46.896692][ T7530] RSP: 002b:00007f25d0cb3c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   46.906127][ T7530] RAX: ffffffffffffffda RBX: 00000000000154c0 RCX: 000000000045c429
[   46.914079][ T7530] RDX: 0000000000000000 RSI: 0000000000005100 RDI: 0000000000000003
[   46.922030][ T7530] RBP: 000000000078bfd8 R08: 0000000000000000 R09: 0000000000000000
[   46.929991][ T7530] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078bfac
[   46.937936][ T7530] R13: 00007ffe03b9f5df R14: 00007f25d0cb49c0 R15: 000000000078bfac
[   46.945894][ T7530]
[   46.948223][ T7530] Allocated by task 7529:
[   46.952527][ T7530]  __kasan_kmalloc+0x103/0x140
[   46.957262][ T7530]  kmem_cache_alloc_trace+0x234/0x300
[   46.962607][ T7530]  snd_seq_port_connect+0x66/0x460
[   46.967966][ T7530]  snd_seq_ioctl_subscribe_port+0x349/0x6c0
[   46.973842][ T7530]  snd_seq_oss_midi_open+0x4db/0x830
[   46.979100][ T7530]  snd_seq_oss_synth_setup_midi+0x108/0x510
[   46.984965][ T7530]  snd_seq_oss_open+0x899/0xe90
[   46.989795][ T7530]  odev_open+0x5e/0x90
[   46.993834][ T7530]  chrdev_open+0x498/0x580
[   46.998222][ T7530]  do_dentry_open+0x813/0x1070
[   47.002954][ T7530]  path_openat+0x278d/0x37f0
[   47.007512][ T7530]  do_filp_open+0x191/0x3a0
[   47.011991][ T7530]  do_sys_openat2+0x463/0x770
[   47.016660][ T7530]  __x64_sys_openat+0x1c8/0x1f0
[   47.021488][ T7530]  do_syscall_64+0x73/0xe0
[   47.025878][ T7530]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   47.031745][ T7530]
[   47.034048][ T7530] Freed by task 7529:
[   47.038003][ T7530]  __kasan_slab_free+0x114/0x170
[   47.042909][ T7530]  kfree+0x10a/0x220
[   47.046776][ T7530]  snd_seq_port_disconnect+0x570/0x610
[   47.052205][ T7530]  snd_seq_ioctl_unsubscribe_port+0x349/0x6c0
[   47.058243][ T7530]  snd_seq_oss_midi_close+0x397/0x620
[   47.063588][ T7530]  snd_seq_oss_synth_reset+0x335/0x8b0
[   47.069025][ T7530]  snd_seq_oss_reset+0x5b/0x250
[   47.073852][ T7530]  snd_seq_oss_ioctl+0x5c2/0x1090
[   47.078976][ T7530]  odev_ioctl+0x51/0x70
[   47.083101][ T7530]  __se_sys_ioctl+0xf9/0x160
[   47.087671][ T7530]  do_syscall_64+0x73/0xe0
[   47.092069][ T7530]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   47.097946][ T7530]
[   47.100257][ T7530] The buggy address belongs to the object at ffff8880a3acdd00
[   47.100257][ T7530]  which belongs to the cache kmalloc-128 of size 128
[   47.114294][ T7530] The buggy address is located 0 bytes inside of
[   47.114294][ T7530]  128-byte region [ffff8880a3acdd00, ffff8880a3acdd80)
[   47.127462][ T7530] The buggy address belongs to the page:
[   47.133071][ T7530] page:ffffea00028eb340 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[   47.142157][ T7530] flags: 0xfffe0000000200(slab)
[   47.146980][ T7530] raw: 00fffe0000000200 ffffea00025c5208 ffffea0002a371c8 ffff8880aa400700
[   47.156671][ T7530] raw: 0000000000000000 ffff8880a3acd000 0000000100000010 0000000000000000
[   47.165253][ T7530] page dumped because: kasan: bad access detected
[   47.171634][ T7530]
[   47.173934][ T7530] Memory state around the buggy address:
[   47.179549][ T7530]  ffff8880a3acdc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   47.187583][ T7530]  ffff8880a3acdc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   47.195620][ T7530] >ffff8880a3acdd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.203659][ T7530]                    ^
[   47.207702][ T7530]  ffff8880a3acdd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   47.215755][ T7530]  ffff8880a3acde00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   47.223798][ T7530] ==================================================================
[   47.231832][ T7530] Disabling lock debugging due to kernel taint
[   47.237959][ T7530] Kernel panic - not syncing: panic_on_warn set ...
[   47.244534][ T7530] CPU: 1 PID: 7530 Comm: syz-executor.0 Tainted: G    B             5.8.0-rc7-syzkaller #0
[   47.254473][ T7530] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.264498][ T7530] Call Trace:
[   47.267764][ T7530]  dump_stack+0x1f0/0x31e
[   47.272074][ T7530]  ? snd_seq_port_disconnect+0x520/0x610
[   47.277706][ T7530]  panic+0x264/0x7a0
[   47.281570][ T7530]  ? trace_hardirqs_off+0x24/0x70
[   47.286564][ T7530]  ? _raw_spin_unlock_irqrestore+0x68/0xd0
[   47.292517][ T7530]  ? snd_seq_port_disconnect+0x570/0x610
[   47.298121][ T7530]  ? snd_seq_port_disconnect+0x570/0x610
[   47.303735][ T7530]  kasan_report_invalid_free+0xc1/0xd0
[   47.309178][ T7530]  __kasan_slab_free+0xae/0x170
[   47.314001][ T7530]  ? trace_lock_release+0x137/0x1a0
[   47.319185][ T7530]  ? do_raw_spin_unlock+0x134/0x8d0
[   47.324374][ T7530]  ? lockdep_hardirqs_off+0x2f/0xa0
[   47.329549][ T7530]  ? _raw_spin_unlock_irqrestore+0x68/0xd0
[   47.335323][ T7530]  ? trace_hardirqs_off+0x2d/0x70
[   47.340318][ T7530]  ? _raw_spin_unlock_irqrestore+0xb4/0xd0
[   47.346191][ T7530]  ? debug_check_no_obj_freed+0x592/0x640
[   47.351888][ T7530]  ? snd_seq_port_disconnect+0x568/0x610
[   47.357492][ T7530]  ? lock_is_held_type+0x87/0xe0
[   47.362399][ T7530]  ? snd_seq_port_disconnect+0x570/0x610
[   47.367999][ T7530]  kfree+0x10a/0x220
[   47.371871][ T7530]  snd_seq_port_disconnect+0x570/0x610
[   47.377305][ T7530]  snd_seq_ioctl_unsubscribe_port+0x349/0x6c0
[   47.383350][ T7530]  ? _raw_spin_unlock_irqrestore+0x6f/0xd0
[   47.389128][ T7530]  snd_seq_oss_midi_close+0x397/0x620
[   47.394470][ T7530]  snd_seq_oss_synth_reset+0x335/0x8b0
[   47.399900][ T7530]  snd_seq_oss_reset+0x5b/0x250
[   47.404719][ T7530]  snd_seq_oss_ioctl+0x5c2/0x1090
[   47.409730][ T7530]  ? do_vfs_ioctl+0x6bc/0x16d0
[   47.414462][ T7530]  odev_ioctl+0x51/0x70
[   47.418587][ T7530]  ? odev_poll+0x70/0x70
[   47.422806][ T7530]  __se_sys_ioctl+0xf9/0x160
[   47.427366][ T7530]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   47.433399][ T7530]  do_syscall_64+0x73/0xe0
[   47.437784][ T7530]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   47.443645][ T7530] RIP: 0033:0x45c429
[   47.447509][ T7530] Code: 8d b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   47.467176][ T7530] RSP: 002b:00007f25d0cb3c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   47.475559][ T7530] RAX: ffffffffffffffda RBX: 00000000000154c0 RCX: 000000000045c429
[   47.483506][ T7530] RDX: 0000000000000000 RSI: 0000000000005100 RDI: 0000000000000003
[   47.491450][ T7530] RBP: 000000000078bfd8 R08: 0000000000000000 R09: 0000000000000000
[   47.499395][ T7530] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078bfac
[   47.508599][ T7530] R13: 00007ffe03b9f5df R14: 00007f25d0cb49c0 R15: 000000000078bfac
[   47.517864][ T7530] Kernel Offset: disabled
[   47.522175][ T7530] Rebooting in 86400 seconds..