[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.22' (ECDSA) to the list of known hosts.
2020/08/04 01:04:47 parsed 1 programs
2020/08/04 01:04:47 executed programs: 0
syzkaller login: [ 1050.023676][ T6869] IPVS: ftp: loaded support on port[0] = 21
[ 1050.134035][ T6869] chnl_net:caif_netlink_parms(): no params data found
[ 1050.192291][ T6869] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1050.200276][ T6869] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1050.208859][ T6869] device bridge_slave_0 entered promiscuous mode
[ 1050.218481][ T6869] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1050.225622][ T6869] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1050.233734][ T6869] device bridge_slave_1 entered promiscuous mode
[ 1050.253939][ T6869] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 1050.264979][ T6869] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 1050.287933][ T6869] team0: Port device team_slave_0 added
[ 1050.295264][ T6869] team0: Port device team_slave_1 added
[ 1050.314769][ T6869] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1050.321801][ T6869] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1050.347865][ T6869] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1050.360272][ T6869] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1050.367328][ T6869] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1050.393276][ T6869] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1050.460241][ T6869] device hsr_slave_0 entered promiscuous mode
[ 1050.517065][ T6869] device hsr_slave_1 entered promiscuous mode
[ 1050.649017][ T6869] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 1050.699979][ T6869] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 1050.759696][ T6869] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 1050.819587][ T6869] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 1050.893875][ T6869] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1050.901203][ T6869] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1050.909283][ T6869] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1050.916489][ T6869] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1050.963444][ T6869] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1050.978072][ T6846] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1050.989703][ T6846] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1050.998836][ T6846] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1051.007136][ T6846] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1051.020729][ T6869] 8021q: adding VLAN 0 to HW filter on device team0
[ 1051.032216][ T6838] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1051.041402][ T6838] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1051.048740][ T6838] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1051.067202][ T6838] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1051.075721][ T6838] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1051.082965][ T6838] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1051.109238][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1051.118241][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1051.126996][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1051.135201][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1051.144989][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1051.153981][ T6869] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1051.173036][ T6846] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1051.180673][ T6846] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1051.197257][ T6869] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1051.217204][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 1051.226024][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1051.250567][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 1051.260512][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1051.271747][ T6869] device veth0_vlan entered promiscuous mode
[ 1051.279626][ T6838] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1051.287937][ T6838] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1051.301442][ T6869] device veth1_vlan entered promiscuous mode
[ 1051.325131][ T6846] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1051.333903][ T6846] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1051.343100][ T6846] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 1051.352152][ T6846] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1051.363137][ T6869] device veth0_macvtap entered promiscuous mode
[ 1051.374352][ T6869] device veth1_macvtap entered promiscuous mode
[ 1051.392104][ T6869] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1051.400073][ T6838] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1051.409389][ T6838] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 1051.417736][ T6838] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 1051.426985][ T6838] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1051.438797][ T6869] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1051.447535][ T6838] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1051.456984][ T6838] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1051.469984][ T6869] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 1051.479043][ T6869] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 1051.493007][ T6869] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 1051.504699][ T6869] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 1053.108481][ T7114] ==================================================================
[ 1053.116843][ T7114] BUG: KASAN: double-free or invalid-free in snd_seq_port_disconnect+0x4c1/0x5c0
[ 1053.125979][ T7114]
[ 1053.128334][ T7114] CPU: 1 PID: 7114 Comm: syz-executor.0 Not tainted 5.8.0-rc7-next-20200731-syzkaller #0
[ 1053.138119][ T7114] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1053.148948][ T7114] Call Trace:
[ 1053.152284][ T7114] dump_stack+0x18f/0x20d
[ 1053.156676][ T7114] print_address_description.constprop.0.cold+0xae/0x497
[ 1053.163816][ T7114] ? lockdep_hardirqs_off+0x7e/0xb0
[ 1053.169049][ T7114] ? vprintk_func+0x97/0x1a6
[ 1053.173661][ T7114] ? snd_seq_port_disconnect+0x4c1/0x5c0
[ 1053.179313][ T7114] kasan_report_invalid_free+0x51/0x80
[ 1053.184811][ T7114] ? snd_seq_port_disconnect+0x4c1/0x5c0
[ 1053.190476][ T7114] __kasan_slab_free+0x107/0x120
[ 1053.195444][ T7114] ? snd_seq_port_disconnect+0x4c1/0x5c0
[ 1053.201100][ T7114] kfree+0x103/0x2c0
[ 1053.205030][ T7114] snd_seq_port_disconnect+0x4c1/0x5c0
[ 1053.210536][ T7114] snd_seq_ioctl_unsubscribe_port+0x1fc/0x400
[ 1053.216677][ T7114] ? snd_seq_ioctl_running_mode+0x180/0x180
[ 1053.222680][ T7114] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 1053.228526][ T7114] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 1053.234547][ T7114] snd_seq_kernel_client_ctl+0xeb/0x130
[ 1053.240134][ T7114] snd_seq_oss_midi_close+0x36e/0x4d0
[ 1053.245526][ T7114] ? snd_seq_oss_midi_open_all+0xe0/0xe0
[ 1053.251284][ T7114] ? tomoyo_execute_permission+0x470/0x470
[ 1053.257103][ T7114] snd_seq_oss_synth_reset+0x418/0x860
[ 1053.262573][ T7114] ? snd_seq_oss_synth_cleanup+0x460/0x460
[ 1053.268394][ T7114] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 1053.274412][ T7114] snd_seq_oss_reset+0x6f/0x290
[ 1053.279331][ T7114] snd_seq_oss_ioctl+0xb7b/0xd40
[ 1053.284339][ T7114] ? snd_seq_oss_midi_info_user+0x140/0x140
[ 1053.290326][ T7114] ? __fget_files+0x294/0x400
[ 1053.295011][ T7114] odev_ioctl+0x4f/0x90
[ 1053.299191][ T7114] ? odev_open+0x90/0x90
[ 1053.303464][ T7114] __x64_sys_ioctl+0x193/0x200
[ 1053.308384][ T7114] do_syscall_64+0x2d/0x70
[ 1053.312808][ T7114] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1053.318832][ T7114] RIP: 0033:0x45cce9
[ 1053.322763][ T7114] Code: 2d b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1053.342374][ T7114] RSP: 002b:00007f482db27c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1053.350788][ T7114] RAX: ffffffffffffffda RBX: 00000000000154c0 RCX: 000000000045cce9
[ 1053.358769][ T7114] RDX: 0000000000000000 RSI: 0000000000005100 RDI: 0000000000000003
[ 1053.366856][ T7114] RBP: 000000000078bfd8 R08: 0000000000000000 R09: 0000000000000000
[ 1053.374825][ T7114] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078bfac
[ 1053.382795][ T7114] R13: 00007fff71d3c76f R14: 00007f482db289c0 R15: 000000000078bfac
[ 1053.390803][ T7114]
[ 1053.393125][ T7114] Allocated by task 7113:
[ 1053.397457][ T7114] kasan_save_stack+0x1b/0x40
[ 1053.402140][ T7114] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 1053.407826][ T7114] kmem_cache_alloc_trace+0x16e/0x2c0
[ 1053.413211][ T7114] snd_seq_port_connect+0x5d/0x520
[ 1053.418412][ T7114] snd_seq_ioctl_subscribe_port+0x1fc/0x400
[ 1053.424327][ T7114] snd_seq_kernel_client_ctl+0xeb/0x130
[ 1053.429873][ T7114] snd_seq_oss_midi_open+0x466/0x6e0
[ 1053.435160][ T7114] snd_seq_oss_synth_setup_midi+0x123/0x520
[ 1053.441052][ T7114] snd_seq_oss_open+0x87e/0xa10
[ 1053.445901][ T7114] odev_open+0x6c/0x90
[ 1053.450015][ T7114] soundcore_open+0x445/0x600
[ 1053.454719][ T7114] chrdev_open+0x266/0x770
[ 1053.460095][ T7114] do_dentry_open+0x4b9/0x11b0
[ 1053.464860][ T7114] path_openat+0x1b9a/0x2730
[ 1053.469452][ T7114] do_filp_open+0x17e/0x3c0
[ 1053.474005][ T7114] do_sys_openat2+0x16d/0x420
[ 1053.478849][ T7114] __x64_sys_openat+0x13f/0x1f0
[ 1053.483729][ T7114] do_syscall_64+0x2d/0x70
[ 1053.488162][ T7114] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1053.494039][ T7114]
[ 1053.496366][ T7114] Freed by task 7113:
[ 1053.500351][ T7114] kasan_save_stack+0x1b/0x40
[ 1053.505048][ T7114] kasan_set_track+0x1c/0x30
[ 1053.509667][ T7114] kasan_set_free_info+0x1b/0x30
[ 1053.514612][ T7114] __kasan_slab_free+0xd8/0x120
[ 1053.519507][ T7114] kfree+0x103/0x2c0
[ 1053.523420][ T7114] snd_seq_port_disconnect+0x4c1/0x5c0
[ 1053.528878][ T7114] snd_seq_ioctl_unsubscribe_port+0x1fc/0x400
[ 1053.534946][ T7114] snd_seq_kernel_client_ctl+0xeb/0x130
[ 1053.540581][ T7114] snd_seq_oss_midi_close+0x36e/0x4d0
[ 1053.545961][ T7114] snd_seq_oss_synth_reset+0x418/0x860
[ 1053.551434][ T7114] snd_seq_oss_reset+0x6f/0x290
[ 1053.556303][ T7114] snd_seq_oss_ioctl+0xb7b/0xd40
[ 1053.561299][ T7114] odev_ioctl+0x4f/0x90
[ 1053.565476][ T7114] __x64_sys_ioctl+0x193/0x200
[ 1053.570232][ T7114] do_syscall_64+0x2d/0x70
[ 1053.574651][ T7114] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1053.580704][ T7114]
[ 1053.583025][ T7114] The buggy address belongs to the object at ffff88809ec61200
[ 1053.583025][ T7114] which belongs to the cache kmalloc-128 of size 128
[ 1053.597071][ T7114] The buggy address is located 0 bytes inside of
[ 1053.597071][ T7114] 128-byte region [ffff88809ec61200, ffff88809ec61280)
[ 1053.610158][ T7114] The buggy address belongs to the page:
[ 1053.615785][ T7114] page:00000000e56da995 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9ec61
[ 1053.625930][ T7114] flags: 0xfffe0000000200(slab)
[ 1053.630776][ T7114] raw: 00fffe0000000200 ffffea0002a0dbc8 ffffea000279ac48 ffff8880aa000400
[ 1053.639352][ T7114] raw: 0000000000000000 ffff88809ec61000 0000000100000010 0000000000000000
[ 1053.648347][ T7114] page dumped because: kasan: bad access detected
[ 1053.654746][ T7114]
[ 1053.657058][ T7114] Memory state around the buggy address:
[ 1053.662748][ T7114] ffff88809ec61100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1053.670857][ T7114] ffff88809ec61180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1053.678913][ T7114] >ffff88809ec61200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1053.686963][ T7114] ^
[ 1053.691021][ T7114] ffff88809ec61280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1053.699077][ T7114] ffff88809ec61300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1053.707135][ T7114] ==================================================================
[ 1053.715200][ T7114] Disabling lock debugging due to kernel taint
[ 1053.721363][ T7114] Kernel panic - not syncing: panic_on_warn set ...
[ 1053.728121][ T7114] CPU: 1 PID: 7114 Comm: syz-executor.0 Tainted: G B 5.8.0-rc7-next-20200731-syzkaller #0
[ 1053.739297][ T7114] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1053.749341][ T7114] Call Trace:
[ 1053.752626][ T7114] dump_stack+0x18f/0x20d
[ 1053.756980][ T7114] panic+0x2e3/0x75c
[ 1053.760859][ T7114] ? __warn_printk+0xf3/0xf3
[ 1053.765444][ T7114] ? _raw_spin_unlock_irqrestore+0x5b/0xe0
[ 1053.771252][ T7114] ? snd_seq_port_disconnect+0x4c1/0x5c0
[ 1053.776886][ T7114] end_report+0x4d/0x53
[ 1053.781064][ T7114] kasan_report_invalid_free+0x6d/0x80
[ 1053.786550][ T7114] ? snd_seq_port_disconnect+0x4c1/0x5c0
[ 1053.792171][ T7114] __kasan_slab_free+0x107/0x120
[ 1053.797094][ T7114] ? snd_seq_port_disconnect+0x4c1/0x5c0
[ 1053.802739][ T7114] kfree+0x103/0x2c0
[ 1053.806640][ T7114] snd_seq_port_disconnect+0x4c1/0x5c0
[ 1053.812097][ T7114] snd_seq_ioctl_unsubscribe_port+0x1fc/0x400
[ 1053.818162][ T7114] ? snd_seq_ioctl_running_mode+0x180/0x180
[ 1053.824068][ T7114] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 1053.829867][ T7114] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 1053.835840][ T7114] snd_seq_kernel_client_ctl+0xeb/0x130
[ 1053.841383][ T7114] snd_seq_oss_midi_close+0x36e/0x4d0
[ 1053.846750][ T7114] ? snd_seq_oss_midi_open_all+0xe0/0xe0
[ 1053.852423][ T7114] ? tomoyo_execute_permission+0x470/0x470
[ 1053.858232][ T7114] snd_seq_oss_synth_reset+0x418/0x860
[ 1053.863685][ T7114] ? snd_seq_oss_synth_cleanup+0x460/0x460
[ 1053.869482][ T7114] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 1053.875368][ T7114] snd_seq_oss_reset+0x6f/0x290
[ 1053.880239][ T7114] snd_seq_oss_ioctl+0xb7b/0xd40
[ 1053.885194][ T7114] ? snd_seq_oss_midi_info_user+0x140/0x140
[ 1053.892043][ T7114] ? __fget_files+0x294/0x400
[ 1053.896739][ T7114] odev_ioctl+0x4f/0x90
[ 1053.900989][ T7114] ? odev_open+0x90/0x90
[ 1053.905263][ T7114] __x64_sys_ioctl+0x193/0x200
[ 1053.910019][ T7114] do_syscall_64+0x2d/0x70
[ 1053.914434][ T7114] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1053.920308][ T7114] RIP: 0033:0x45cce9
[ 1053.924186][ T7114] Code: 2d b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1053.944098][ T7114] RSP: 002b:00007f482db27c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1053.952535][ T7114] RAX: ffffffffffffffda RBX: 00000000000154c0 RCX: 000000000045cce9
[ 1053.960851][ T7114] RDX: 0000000000000000 RSI: 0000000000005100 RDI: 0000000000000003
[ 1053.969171][ T7114] RBP: 000000000078bfd8 R08: 0000000000000000 R09: 0000000000000000
[ 1053.977157][ T7114] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078bfac
[ 1053.985114][ T7114] R13: 00007fff71d3c76f R14: 00007f482db289c0 R15: 000000000078bfac
[ 1053.994328][ T7114] Kernel Offset: disabled
[ 1053.998662][ T7114] Rebooting in 86400 seconds..