[ 35.576671][ T26] audit: type=1800 audit(1554874757.669:27): pid=7546 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 35.599353][ T26] audit: type=1800 audit(1554874757.669:28): pid=7546 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
[ 36.290740][ T26] audit: type=1800 audit(1554874758.459:29): pid=7546 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 36.311204][ T26] audit: type=1800 audit(1554874758.459:30): pid=7546 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.66' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 68.895711][ T7699] IPVS: ftp: loaded support on port[0] = 21
[ 71.150496][ C1] hrtimer: interrupt took 26165929 ns
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 167.811280][ C0] ==================================================================
[ 167.819651][ C0] BUG: KASAN: use-after-free in __list_del_entry_valid+0xd2/0xf5
[ 167.827365][ C0] Read of size 8 at addr ffff8880a9363ee0 by task swapper/0/0
[ 167.834813][ C0]
[ 167.837138][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.1.0-rc4-next-20190409 #21
[ 167.845449][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 167.855500][ C0] Call Trace:
[ 167.858780][ C0]
[ 167.861646][ C0] dump_stack+0x172/0x1f0
[ 167.865973][ C0] ? __list_del_entry_valid+0xd2/0xf5
[ 167.871343][ C0] print_address_description.cold+0x7c/0x20d
[ 167.877320][ C0] ? __list_del_entry_valid+0xd2/0xf5
[ 167.882696][ C0] ? __list_del_entry_valid+0xd2/0xf5
[ 167.888065][ C0] kasan_report.cold+0x1b/0x40
[ 167.892842][ C0] ? __list_del_entry_valid+0xd2/0xf5
[ 167.898217][ C0] __asan_report_load8_noabort+0x14/0x20
[ 167.903846][ C0] __list_del_entry_valid+0xd2/0xf5
[ 167.909045][ C0] snd_timer_process_callbacks+0x7f/0x2f0
[ 167.914774][ C0] snd_timer_interrupt+0x578/0xdd0
[ 167.919904][ C0] snd_hrtimer_callback+0x219/0x3e0
[ 167.925111][ C0] __hrtimer_run_queues+0x33e/0xde0
[ 167.930307][ C0] ? snd_hrtimer_close+0x130/0x130
[ 167.935424][ C0] ? hrtimer_start_range_ns+0xc80/0xc80
[ 167.940962][ C0] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 167.946675][ C0] ? ktime_get_update_offsets_now+0x2d9/0x440
[ 167.952743][ C0] hrtimer_interrupt+0x314/0x770
[ 167.957690][ C0] smp_apic_timer_interrupt+0x120/0x570
[ 167.963239][ C0] apic_timer_interrupt+0xf/0x20
[ 167.968166][ C0]
[ 167.971103][ C0] RIP: 0010:native_safe_halt+0x2/0x10
[ 167.976475][ C0] Code: ff ff ff 48 89 c7 48 89 45 d8 e8 99 65 8e fa 48 8b 45 d8 e9 ce fe ff ff 48 89 df e8 88 65 8e fa eb 82 90 90 90 90 90 90 fb f4 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 f4 c3 90 90 90 90 90 90
[ 167.996080][ C0] RSP: 0018:ffffffff88807d08 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
[ 168.004493][ C0] RAX: 1ffffffff1124ad9 RBX: ffffffff8887a100 RCX: 0000000000000000
[ 168.012458][ C0] RDX: dffffc0000000000 RSI: 0000000000000006 RDI: ffffffff8887a97c
[ 168.020443][ C0] RBP: ffffffff88807d38 R08: ffffffff8887a100 R09: 0000000000000000
[ 168.028404][ C0] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 168.036368][ C0] R13: ffffffff889256b8 R14: 0000000000000000 R15: 0000000000000000
[ 168.044360][ C0] ? default_idle+0x4e/0x330
[ 168.048950][ C0] arch_cpu_idle+0x10/0x20
[ 168.053362][ C0] default_idle_call+0x36/0x90
[ 168.058121][ C0] do_idle+0x386/0x570
[ 168.062186][ C0] ? arch_cpu_idle_exit+0x80/0x80
[ 168.067202][ C0] ? trace_hardirqs_on+0x67/0x230
[ 168.072222][ C0] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 168.078458][ C0] ? debug_smp_processor_id+0x3c/0x280
[ 168.084004][ C0] cpu_startup_entry+0x1b/0x20
[ 168.088865][ C0] rest_init+0x245/0x37b
[ 168.093107][ C0] arch_call_rest_init+0xe/0x1b
[ 168.097951][ C0] start_kernel+0x816/0x84f
[ 168.102451][ C0] ? mem_encrypt_init+0xb/0xb
[ 168.107127][ C0] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 168.113359][ C0] ? x86_family+0x41/0x50
[ 168.117684][ C0] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 168.123921][ C0] x86_64_start_reservations+0x29/0x2b
[ 168.129375][ C0] x86_64_start_kernel+0x77/0x7b
[ 168.134308][ C0] secondary_startup_64+0xa4/0xb0
[ 168.139333][ C0]
[ 168.141652][ C0] Allocated by task 7722:
[ 168.145977][ C0] save_stack+0x45/0xd0
[ 168.150125][ C0] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 168.155747][ C0] kasan_kmalloc+0x9/0x10
[ 168.160068][ C0] kmem_cache_alloc_trace+0x151/0x760
[ 168.165430][ C0] snd_timer_instance_new+0x4f/0x3d0
[ 168.170736][ C0] snd_timer_open+0x8a7/0x1760
[ 168.175492][ C0] snd_seq_timer_open+0x240/0x590
[ 168.180528][ C0] queue_use+0xcb/0x240
[ 168.184678][ C0] snd_seq_queue_alloc+0x2c5/0x4d0
[ 168.189781][ C0] snd_seq_ioctl_create_queue+0xb0/0x330
[ 168.195417][ C0] snd_seq_ioctl+0x224/0x3e0
[ 168.200006][ C0] do_vfs_ioctl+0xd6e/0x1390
[ 168.204594][ C0] ksys_ioctl+0xab/0xd0
[ 168.208744][ C0] __x64_sys_ioctl+0x73/0xb0
[ 168.213421][ C0] do_syscall_64+0x103/0x610
[ 168.218183][ C0] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 168.224058][ C0]
[ 168.226380][ C0] Freed by task 7722:
[ 168.230365][ C0] save_stack+0x45/0xd0
[ 168.234519][ C0] __kasan_slab_free+0x102/0x150
[ 168.239451][ C0] kasan_slab_free+0xe/0x10
[ 168.243947][ C0] kfree+0xcf/0x230
[ 168.247748][ C0] snd_timer_close_locked+0x6fd/0xd60
[ 168.253114][ C0] snd_timer_close+0x2e/0x70
[ 168.257699][ C0] snd_seq_timer_close+0x91/0xd0
[ 168.262631][ C0] queue_delete+0x52/0xb0
[ 168.266951][ C0] snd_seq_queue_client_leave+0x36/0x170
[ 168.272574][ C0] seq_free_client1.part.0+0xf3/0x270
[ 168.277942][ C0] seq_free_client+0x80/0xf0
[ 168.282523][ C0] snd_seq_release+0x55/0xf0
[ 168.287104][ C0] __fput+0x2e5/0x8d0
[ 168.291078][ C0] ____fput+0x16/0x20
[ 168.295053][ C0] task_work_run+0x14a/0x1c0
[ 168.299637][ C0] exit_to_usermode_loop+0x273/0x2c0
[ 168.305088][ C0] do_syscall_64+0x52d/0x610
[ 168.309672][ C0] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 168.315551][ C0]
[ 168.317876][ C0] The buggy address belongs to the object at ffff8880a9363e40
[ 168.317876][ C0] which belongs to the cache kmalloc-256 of size 256
[ 168.331923][ C0] The buggy address is located 160 bytes inside of
[ 168.331923][ C0] 256-byte region [ffff8880a9363e40, ffff8880a9363f40)
[ 168.345185][ C0] The buggy address belongs to the page:
[ 168.350824][ C0] page:ffffea0002a4d8c0 count:1 mapcount:0 mapping:ffff88812c3f07c0 index:0xffff8880a9363940
[ 168.360976][ C0] flags: 0x1fffc0000000200(slab)
[ 168.365919][ C0] raw: 01fffc0000000200 ffffea0002a21a48 ffffea0002a2e048 ffff88812c3f07c0
[ 168.374505][ C0] raw: ffff8880a9363940 ffff8880a9363080 0000000100000009 0000000000000000
[ 168.383082][ C0] page dumped because: kasan: bad access detected
[ 168.389504][ C0]
[ 168.391822][ C0] Memory state around the buggy address:
[ 168.397450][ C0] ffff8880a9363d80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 168.405512][ C0] ffff8880a9363e00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 168.413565][ C0] >ffff8880a9363e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 168.421616][ C0] ^
[ 168.428818][ C0] ffff8880a9363f00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 168.437489][ C0] ffff8880a9363f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 168.445550][ C0] ==================================================================
[ 168.454047][ C0] Disabling lock debugging due to kernel taint
[ 168.460185][ C0] Kernel panic - not syncing: panic_on_warn set ...
[ 168.466765][ C0] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 5.1.0-rc4-next-20190409 #21
[ 168.476470][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 168.486531][ C0] Call Trace:
[ 168.489820][ C0]
[ 168.492673][ C0] dump_stack+0x172/0x1f0
[ 168.496997][ C0] panic+0x2cb/0x72b
[ 168.500886][ C0] ? __warn_printk+0xf3/0xf3
[ 168.505466][ C0] ? lock_downgrade+0x880/0x880
[ 168.510309][ C0] ? __list_del_entry_valid+0xd2/0xf5
[ 168.515668][ C0] ? trace_hardirqs_off+0x62/0x220
[ 168.520767][ C0] ? trace_hardirqs_off+0x59/0x220
[ 168.525968][ C0] ? __list_del_entry_valid+0xd2/0xf5
[ 168.531330][ C0] end_report+0x47/0x4f
[ 168.535478][ C0] ? __list_del_entry_valid+0xd2/0xf5
[ 168.540840][ C0] kasan_report.cold+0xe/0x40
[ 168.545515][ C0] ? __list_del_entry_valid+0xd2/0xf5
[ 168.550886][ C0] __asan_report_load8_noabort+0x14/0x20
[ 168.556507][ C0] __list_del_entry_valid+0xd2/0xf5
[ 168.561696][ C0] snd_timer_process_callbacks+0x7f/0x2f0
[ 168.567408][ C0] snd_timer_interrupt+0x578/0xdd0
[ 168.572521][ C0] snd_hrtimer_callback+0x219/0x3e0
[ 168.577716][ C0] __hrtimer_run_queues+0x33e/0xde0
[ 168.582924][ C0] ? snd_hrtimer_close+0x130/0x130
[ 168.588029][ C0] ? hrtimer_start_range_ns+0xc80/0xc80
[ 168.593563][ C0] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 168.599276][ C0] ? ktime_get_update_offsets_now+0x2d9/0x440
[ 168.605338][ C0] hrtimer_interrupt+0x314/0x770
[ 168.610288][ C0] smp_apic_timer_interrupt+0x120/0x570
[ 168.615832][ C0] apic_timer_interrupt+0xf/0x20
[ 168.620755][ C0]
[ 168.623685][ C0] RIP: 0010:native_safe_halt+0x2/0x10
[ 168.629063][ C0] Code: ff ff ff 48 89 c7 48 89 45 d8 e8 99 65 8e fa 48 8b 45 d8 e9 ce fe ff ff 48 89 df e8 88 65 8e fa eb 82 90 90 90 90 90 90 fb f4 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 f4 c3 90 90 90 90 90 90
[ 168.648660][ C0] RSP: 0018:ffffffff88807d08 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
[ 168.657064][ C0] RAX: 1ffffffff1124ad9 RBX: ffffffff8887a100 RCX: 0000000000000000
[ 168.665026][ C0] RDX: dffffc0000000000 RSI: 0000000000000006 RDI: ffffffff8887a97c
[ 168.672985][ C0] RBP: ffffffff88807d38 R08: ffffffff8887a100 R09: 0000000000000000
[ 168.680943][ C0] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 168.688899][ C0] R13: ffffffff889256b8 R14: 0000000000000000 R15: 0000000000000000
[ 168.696888][ C0] ? default_idle+0x4e/0x330
[ 168.701470][ C0] arch_cpu_idle+0x10/0x20
[ 168.705885][ C0] default_idle_call+0x36/0x90
[ 168.710644][ C0] do_idle+0x386/0x570
[ 168.714706][ C0] ? arch_cpu_idle_exit+0x80/0x80
[ 168.719721][ C0] ? trace_hardirqs_on+0x67/0x230
[ 168.724733][ C0] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 168.730964][ C0] ? debug_smp_processor_id+0x3c/0x280
[ 168.736413][ C0] cpu_startup_entry+0x1b/0x20
[ 168.741167][ C0] rest_init+0x245/0x37b
[ 168.745404][ C0] arch_call_rest_init+0xe/0x1b
[ 168.750249][ C0] start_kernel+0x816/0x84f
[ 168.754741][ C0] ? mem_encrypt_init+0xb/0xb
[ 168.759408][ C0] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 168.765638][ C0] ? x86_family+0x41/0x50
[ 168.769957][ C0] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 168.776191][ C0] x86_64_start_reservations+0x29/0x2b
[ 168.781640][ C0] x86_64_start_kernel+0x77/0x7b
[ 168.786571][ C0] secondary_startup_64+0xa4/0xb0
[ 168.792282][ C0] Kernel Offset: disabled
[ 168.796599][ C0] Rebooting in 86400 seconds..