[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 43.912415][ T7446] IPVS: ftp: loaded support on port[0] = 21
[ 44.370094][ T7451] can: request_module (can-proto-0) failed.
[ 45.471769][ T7451] can: request_module (can-proto-0) failed.
[ 45.483018][ T7451] can: request_module (can-proto-0) failed.
Warning: Permanently added '10.128.1.40' (ECDSA) to the list of known hosts.
2019/11/11 23:26:31 parsed 1 programs
2019/11/11 23:26:32 executed programs: 0
[ 52.874439][ T7522] IPVS: ftp: loaded support on port[0] = 21
[ 52.993343][ T7524] IPVS: ftp: loaded support on port[0] = 21
[ 53.025193][ T7527] IPVS: ftp: loaded support on port[0] = 21
[ 53.052092][ T7528] IPVS: ftp: loaded support on port[0] = 21
[ 53.112041][ T7531] IPVS: ftp: loaded support on port[0] = 21
[ 53.112462][ T7522] chnl_net:caif_netlink_parms(): no params data found
[ 53.134968][ T7532] IPVS: ftp: loaded support on port[0] = 21
[ 53.198498][ T7522] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.207060][ T7522] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.215091][ T7522] device bridge_slave_0 entered promiscuous mode
[ 53.245560][ T7524] chnl_net:caif_netlink_parms(): no params data found
[ 53.259820][ T7522] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.266891][ T7522] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.274931][ T7522] device bridge_slave_1 entered promiscuous mode
[ 53.336384][ T7522] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 53.367497][ T7524] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.375615][ T7524] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.383364][ T7524] device bridge_slave_0 entered promiscuous mode
[ 53.391817][ T7524] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.398937][ T7524] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.406501][ T7524] device bridge_slave_1 entered promiscuous mode
[ 53.415087][ T7522] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 53.474211][ T7524] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 53.490200][ T7522] team0: Port device team_slave_0 added
[ 53.498367][ T7522] team0: Port device team_slave_1 added
[ 53.521863][ T7524] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 53.531353][ T7528] chnl_net:caif_netlink_parms(): no params data found
[ 53.540177][ T7527] chnl_net:caif_netlink_parms(): no params data found
[ 53.555693][ T7532] chnl_net:caif_netlink_parms(): no params data found
[ 53.593264][ T7524] team0: Port device team_slave_0 added
[ 53.600388][ T7524] team0: Port device team_slave_1 added
[ 53.623041][ T7531] chnl_net:caif_netlink_parms(): no params data found
[ 53.640596][ T7527] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.647653][ T7527] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.657648][ T7527] device bridge_slave_0 entered promiscuous mode
[ 53.665787][ T7527] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.673700][ T7527] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.681559][ T7527] device bridge_slave_1 entered promiscuous mode
[ 53.761403][ T7524] device hsr_slave_0 entered promiscuous mode
[ 53.799377][ T7524] device hsr_slave_1 entered promiscuous mode
[ 53.881367][ T7522] device hsr_slave_0 entered promiscuous mode
[ 53.919349][ T7522] device hsr_slave_1 entered promiscuous mode
[ 53.959090][ T7522] debugfs: Directory 'hsr0' with parent '/' already present!
[ 53.978418][ T7527] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 53.997165][ T7528] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.004617][ T7528] bridge0: port 1(bridge_slave_0) entered disabled state
[ 54.013011][ T7528] device bridge_slave_0 entered promiscuous mode
[ 54.020540][ T7528] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.027726][ T7528] bridge0: port 2(bridge_slave_1) entered disabled state
[ 54.036014][ T7528] device bridge_slave_1 entered promiscuous mode
[ 54.047340][ T7527] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 54.070483][ T7532] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.077568][ T7532] bridge0: port 1(bridge_slave_0) entered disabled state
[ 54.085210][ T7532] device bridge_slave_0 entered promiscuous mode
[ 54.093201][ T7532] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.106321][ T7532] bridge0: port 2(bridge_slave_1) entered disabled state
[ 54.114027][ T7532] device bridge_slave_1 entered promiscuous mode
[ 54.129807][ T7527] team0: Port device team_slave_0 added
[ 54.189948][ T7528] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 54.214184][ T7531] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.227471][ T7531] bridge0: port 1(bridge_slave_0) entered disabled state
[ 54.244141][ T7531] device bridge_slave_0 entered promiscuous mode
[ 54.270266][ T7527] team0: Port device team_slave_1 added
[ 54.318808][ T7528] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 54.362506][ T7531] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.383905][ T7531] bridge0: port 2(bridge_slave_1) entered disabled state
[ 54.454112][ T7531] device bridge_slave_1 entered promiscuous mode
[ 54.484017][ T7532] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 54.612787][ T7532] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 54.832316][ T7527] device hsr_slave_0 entered promiscuous mode
[ 54.884751][ T7527] device hsr_slave_1 entered promiscuous mode
[ 54.984698][ T7527] debugfs: Directory 'hsr0' with parent '/' already present!
[ 55.010003][ T7528] team0: Port device team_slave_0 added
[ 55.018123][ T7531] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 55.100939][ T7528] team0: Port device team_slave_1 added
[ 55.114682][ T7531] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 55.167196][ T7522] 8021q: adding VLAN 0 to HW filter on device bond0
[ 55.191502][ T7532] team0: Port device team_slave_0 added
[ 55.265722][ T7531] team0: Port device team_slave_0 added
[ 55.326211][ T7532] team0: Port device team_slave_1 added
[ 55.376722][ T7528] device hsr_slave_0 entered promiscuous mode
[ 55.440485][ T7528] device hsr_slave_1 entered promiscuous mode
[ 55.473219][ T7528] debugfs: Directory 'hsr0' with parent '/' already present!
[ 55.500166][ T7522] 8021q: adding VLAN 0 to HW filter on device team0
[ 55.511310][ T2744] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 55.525893][ T2744] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 55.575556][ T7524] 8021q: adding VLAN 0 to HW filter on device bond0
[ 55.610377][ T7531] team0: Port device team_slave_1 added
[ 55.671191][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 55.696056][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 55.723100][ T5] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.730453][ T5] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 55.756874][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 55.774339][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 55.786687][ T5] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.793820][ T5] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 55.816770][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 55.831195][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 55.921343][ T7532] device hsr_slave_0 entered promiscuous mode
[ 55.989598][ T7532] device hsr_slave_1 entered promiscuous mode
[ 56.038970][ T7532] debugfs: Directory 'hsr0' with parent '/' already present!
[ 56.048118][ T7534] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 56.071194][ T7534] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 56.091057][ T7534] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 56.124154][ T7534] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 56.163951][ T7534] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 56.221593][ T7531] device hsr_slave_0 entered promiscuous mode
[ 56.259316][ T7531] device hsr_slave_1 entered promiscuous mode
[ 56.279275][ T7531] debugfs: Directory 'hsr0' with parent '/' already present!
[ 56.288362][ T7524] 8021q: adding VLAN 0 to HW filter on device team0
[ 56.350281][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 56.384433][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 56.412029][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 56.442933][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 56.458674][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 56.487427][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 56.502044][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 56.553495][ T7534] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 56.566737][ T7534] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 56.583645][ T7534] bridge0: port 1(bridge_slave_0) entered blocking state
[ 56.590831][ T7534] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 56.702814][ T7624] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 56.757370][ T7624] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 56.785262][ T7624] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 56.829381][ T7624] bridge0: port 2(bridge_slave_1) entered blocking state
[ 56.836474][ T7624] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 56.899461][ T7624] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 56.939421][ T7624] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 56.948087][ T7624] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 57.020206][ T7624] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 57.028697][ T7624] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 57.070142][ T7624] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 57.143921][ T7524] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 57.190006][ T7524] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 57.264418][ T7534] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 57.280226][ T7534] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 57.288671][ T7534] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 57.353844][ T7534] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 57.386519][ T7534] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 57.426811][ T7527] 8021q: adding VLAN 0 to HW filter on device bond0
[ 57.472310][ T7528] 8021q: adding VLAN 0 to HW filter on device bond0
[ 57.480079][ T7624] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 57.541306][ T7524] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 57.554231][ T7522] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 57.572209][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 57.605205][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 57.629257][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 57.636735][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 57.703250][ T7527] 8021q: adding VLAN 0 to HW filter on device team0
[ 57.723901][ T7452] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 57.732042][ T7452] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 57.747880][ T7452] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 57.763629][ T7452] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 57.783803][ T7528] 8021q: adding VLAN 0 to HW filter on device team0
[ 57.802183][ T7532] 8021q: adding VLAN 0 to HW filter on device bond0
[ 57.848780][ T7531] 8021q: adding VLAN 0 to HW filter on device bond0
[ 57.856658][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 57.874100][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 57.882703][ T17] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.889913][ T17] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 57.897712][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 57.906614][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 57.915032][ T17] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.922099][ T17] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 57.929730][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 57.938157][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 57.951437][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 57.959971][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 57.968153][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 57.976695][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 57.990183][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 57.998079][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 58.006325][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 58.015332][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 58.024315][ T17] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.031534][ T17] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 58.039441][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 58.047935][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 58.056276][ T17] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.063346][ T17] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 58.071587][ T7452] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 58.085333][ T7531] 8021q: adding VLAN 0 to HW filter on device team0
2019/11/11 23:26:37 executed programs: 6
[ 58.116573][ T7527] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 58.135220][ T7527] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 58.157907][ T7624] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 58.163972][ T7727] ==================================================================
[ 58.166520][ T7624] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 58.173446][ T7727] BUG: KASAN: use-after-free in __list_add_valid+0x8f/0xb0
[ 58.173452][ T7727] Read of size 8 at addr ffff8880a7bed938 by task syz-executor.3/7727
[ 58.173454][ T7727]
[ 58.173461][ T7727] CPU: 1 PID: 7727 Comm: syz-executor.3 Not tainted 5.4.0-rc2+ #0
[ 58.173464][ T7727] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.173468][ T7727] Call Trace:
[ 58.173477][ T7727] dump_stack+0x113/0x167
[ 58.173490][ T7727] print_address_description.constprop.8.cold.10+0x9/0x31d
[ 58.173494][ T7727] ? __list_add_valid+0x8f/0xb0
[ 58.173499][ T7727] __kasan_report.cold.11+0x1b/0x3a
[ 58.173502][ T7727] ? __list_add_valid+0x8f/0xb0
[ 58.173508][ T7727] ? __list_add_valid+0x8f/0xb0
[ 58.173513][ T7727] kasan_report+0x12/0x20
[ 58.173519][ T7727] __asan_report_load8_noabort+0x14/0x20
[ 58.173523][ T7727] __list_add_valid+0x8f/0xb0
[ 58.173535][ T7727] snd_timer_open+0x1db/0xf50
[ 58.173541][ T7727] ? kmem_cache_alloc_trace+0x39b/0x780
[ 58.173546][ T7727] ? snd_timer_close_locked+0xb20/0xb20
[ 58.173550][ T7727] ? memcpy+0x45/0x50
[ 58.173560][ T7727] ? kstrdup+0x42/0x60
[ 58.173570][ T7727] __snd_timer_user_ioctl.isra.27+0xc8d/0x1de0
[ 58.173577][ T7727] ? snd_timer_user_open+0x140/0x140
[ 58.173585][ T7727] ? lock_acquire+0x194/0x410
[ 58.173588][ T7727] ? snd_timer_user_ioctl+0x4d/0xa4
[ 58.173598][ T7727] ? __mutex_lock+0x5be/0x1410
[ 58.173610][ T7727] ? tomoyo_path_number_perm+0x3eb/0x4c0
[ 58.173615][ T7727] ? snd_timer_user_ioctl+0x4d/0xa4
[ 58.173621][ T7727] ? mutex_lock_io_nested+0x1280/0x1280
[ 58.173627][ T7727] ? tomoyo_path_number_perm+0x218/0x4c0
[ 58.173632][ T7727] ? tomoyo_execute_permission+0x460/0x460
[ 58.173640][ T7727] ? match_held_lock+0x590/0x5b0
[ 58.173651][ T7727] snd_timer_user_ioctl+0x77/0xa4
[ 58.173659][ T7727] do_vfs_ioctl+0x196/0x1150
[ 58.173668][ T7727] ? ioctl_preallocate+0x1c0/0x1c0
[ 58.173675][ T7727] ? __fget+0x2b1/0x420
[ 58.173684][ T7727] ? ksys_dup3+0x2e0/0x2e0
[ 58.173693][ T7727] ? put_timespec64+0xa9/0x100
[ 58.173699][ T7727] ? nsecs_to_jiffies+0x20/0x20
[ 58.173710][ T7727] ? tomoyo_file_ioctl+0x14/0x20
[ 58.173718][ T7727] ksys_ioctl+0x62/0x90
[ 58.173722][ T7727] ? lockdep_hardirqs_on+0x42d/0x5d0
[ 58.173730][ T7727] __x64_sys_ioctl+0x6e/0xb0
[ 58.173739][ T7727] do_syscall_64+0xca/0x5d0
[ 58.173748][ T7727] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.173754][ T7727] RIP: 0033:0x45a219
[ 58.173760][ T7727] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 58.173763][ T7727] RSP: 002b:00007feaeabf5c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 58.173769][ T7727] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a219
[ 58.173772][ T7727] RDX: 0000000020029fcc RSI: 0000000040345410 RDI: 0000000000000003
[ 58.173774][ T7727] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 58.173777][ T7727] R10: 0000000000000000 R11: 0000000000000246 R12: 00007feaeabf66d4
[ 58.173781][ T7727] R13: 00000000004cf428 R14: 00000000004d9760 R15: 00000000ffffffff
[ 58.173791][ T7727]
[ 58.173794][ T7727] Allocated by task 7724:
[ 58.173798][ T7727] save_stack+0x21/0x90
[ 58.173801][ T7727] __kasan_kmalloc.constprop.9+0xc7/0xd0
[ 58.173804][ T7727] kasan_kmalloc+0x9/0x10
[ 58.173806][ T7727] kmem_cache_alloc_trace+0x15b/0x780
[ 58.173810][ T7727] snd_timer_instance_new+0x46/0x2c0
[ 58.173813][ T7727] __snd_timer_user_ioctl.isra.27+0xb0c/0x1de0
[ 58.173816][ T7727] snd_timer_user_ioctl+0x77/0xa4
[ 58.173819][ T7727] do_vfs_ioctl+0x196/0x1150
[ 58.173821][ T7727] ksys_ioctl+0x62/0x90
[ 58.173823][ T7727] __x64_sys_ioctl+0x6e/0xb0
[ 58.173827][ T7727] do_syscall_64+0xca/0x5d0
[ 58.173830][ T7727] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.173832][ T7727]
[ 58.173833][ T7727] Freed by task 7724:
[ 58.173836][ T7727] save_stack+0x21/0x90
[ 58.173839][ T7727] __kasan_slab_free+0x102/0x150
[ 58.173842][ T7727] kasan_slab_free+0xe/0x10
[ 58.173844][ T7727] kfree+0x108/0x2c0
[ 58.173847][ T7727] snd_timer_instance_free+0x62/0x80
[ 58.173851][ T7727] __snd_timer_user_ioctl.isra.27+0xcbe/0x1de0
[ 58.173854][ T7727] snd_timer_user_ioctl+0x77/0xa4
[ 58.173856][ T7727] do_vfs_ioctl+0x196/0x1150
[ 58.173859][ T7727] ksys_ioctl+0x62/0x90
[ 58.173861][ T7727] __x64_sys_ioctl+0x6e/0xb0
[ 58.173865][ T7727] do_syscall_64+0xca/0x5d0
[ 58.173868][ T7727] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.173870][ T7727]
[ 58.173873][ T7727] The buggy address belongs to the object at ffff8880a7bed8c0
[ 58.173873][ T7727] which belongs to the cache kmalloc-256 of size 256
[ 58.173876][ T7727] The buggy address is located 120 bytes inside of
[ 58.173876][ T7727] 256-byte region [ffff8880a7bed8c0, ffff8880a7bed9c0)
[ 58.173878][ T7727] The buggy address belongs to the page:
[ 58.173882][ T7727] page:ffffea00029efb40 refcount:1 mapcount:0 mapping:ffff8880aa4008c0 index:0x0
[ 58.173887][ T7727] flags: 0x1fffc0000000200(slab)
[ 58.173894][ T7727] raw: 01fffc0000000200 ffffea00026c4688 ffffea00023b8588 ffff8880aa4008c0
[ 58.173897][ T7727] raw: 0000000000000000 ffff8880a7bed000 000000010000000c 0000000000000000
[ 58.173899][ T7727] page dumped because: kasan: bad access detected
[ 58.173901][ T7727]
[ 58.173903][ T7727] Memory state around the buggy address:
[ 58.173906][ T7727] ffff8880a7bed800: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 58.173909][ T7727] ffff8880a7bed880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 58.173912][ T7727] >ffff8880a7bed900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.173914][ T7727]                                        ^
[ 58.173916][ T7727] ffff8880a7bed980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 58.173919][ T7727] ffff8880a7beda00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 58.173921][ T7727] ==================================================================
[ 58.173923][ T7727] Disabling lock debugging due to kernel taint
[ 58.174662][ T7727] Kernel panic - not syncing: panic_on_warn set ...
[ 58.188584][ T7624] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 58.196566][ T7727] CPU: 1 PID: 7727 Comm: syz-executor.3 Tainted: G B 5.4.0-rc2+ #0
[ 58.196569][ T7727] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.196571][ T7727] Call Trace:
[ 58.196586][ T7727] dump_stack+0x113/0x167
[ 58.196593][ T7727] ? __list_add_valid+0x20/0xb0
[ 58.196599][ T7727] panic+0x223/0x4dc
[ 58.196607][ T7727] ? add_taint.cold.8+0x11/0x11
[ 58.196614][ T7727] ? ___preempt_schedule+0x16/0x20
[ 58.196619][ T7727] ? __list_add_valid+0x8f/0xb0
[ 58.196625][ T7727] end_report+0x47/0x4f
[ 58.196628][ T7727] __kasan_report.cold.11+0xe/0x3a
[ 58.196631][ T7727] ? __list_add_valid+0x8f/0xb0
[ 58.196636][ T7727] ? __list_add_valid+0x8f/0xb0
[ 58.196640][ T7727] kasan_report+0x12/0x20
[ 58.196645][ T7727] __asan_report_load8_noabort+0x14/0x20
[ 58.196649][ T7727] __list_add_valid+0x8f/0xb0
[ 58.196658][ T7727] snd_timer_open+0x1db/0xf50
[ 58.196662][ T7727] ? kmem_cache_alloc_trace+0x39b/0x780
[ 58.196666][ T7727] ? snd_timer_close_locked+0xb20/0xb20
[ 58.196669][ T7727] ? memcpy+0x45/0x50
[ 58.196678][ T7727] ? kstrdup+0x42/0x60
[ 58.196683][ T7727] __snd_timer_user_ioctl.isra.27+0xc8d/0x1de0
[ 58.196687][ T7727] ? snd_timer_user_open+0x140/0x140
[ 58.196693][ T7727] ? lock_acquire+0x194/0x410
[ 58.196696][ T7727] ? snd_timer_user_ioctl+0x4d/0xa4
[ 58.196703][ T7727] ? __mutex_lock+0x5be/0x1410
[ 58.196708][ T7727] ? tomoyo_path_number_perm+0x3eb/0x4c0
[ 58.196711][ T7727] ? snd_timer_user_ioctl+0x4d/0xa4
[ 58.196716][ T7727] ? mutex_lock_io_nested+0x1280/0x1280
[ 58.196720][ T7727] ? tomoyo_path_number_perm+0x218/0x4c0
[ 58.196724][ T7727] ? tomoyo_execute_permission+0x460/0x460
[ 58.196730][ T7727] ? match_held_lock+0x590/0x5b0
[ 58.196736][ T7727] snd_timer_user_ioctl+0x77/0xa4
[ 58.196742][ T7727] do_vfs_ioctl+0x196/0x1150
[ 58.196748][ T7727] ? ioctl_preallocate+0x1c0/0x1c0
[ 58.196754][ T7727] ? __fget+0x2b1/0x420
[ 58.196759][ T7727] ? ksys_dup3+0x2e0/0x2e0
[ 58.196768][ T7727] ? put_timespec64+0xa9/0x100
[ 58.196773][ T7727] ? nsecs_to_jiffies+0x20/0x20
[ 58.196780][ T7727] ? tomoyo_file_ioctl+0x14/0x20
[ 58.196785][ T7727] ksys_ioctl+0x62/0x90
[ 58.196788][ T7727] ? lockdep_hardirqs_on+0x42d/0x5d0
[ 58.196791][ T7727] __x64_sys_ioctl+0x6e/0xb0
[ 58.196796][ T7727] do_syscall_64+0xca/0x5d0
[ 58.196804][ T7727] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.196810][ T7727] RIP: 0033:0x45a219
[ 58.196816][ T7727] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 58.196818][ T7727] RSP: 002b:00007feaeabf5c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 58.196823][ T7727] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a219
[ 58.196825][ T7727] RDX: 0000000020029fcc RSI: 0000000040345410 RDI: 0000000000000003
[ 58.196828][ T7727] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 58.196831][ T7727] R10: 0000000000000000 R11: 0000000000000246 R12: 00007feaeabf66d4
[ 58.196833][ T7727] R13: 00000000004cf428 R14: 00000000004d9760 R15: 00000000ffffffff
[ 58.198341][ T7727] Kernel Offset: disabled
[ 59.074252][ T7727] Rebooting in 86400 seconds..