[ 51.818999] NOHZ: local_softirq_pending 08 [ 51.823429] NOHZ: local_softirq_pending 08 [ 195.166978] NOHZ: local_softirq_pending 08 [ 196.451014] NOHZ: local_softirq_pending 08 [ 196.455891] NOHZ: local_softirq_pending 08 [ 237.404421] NOHZ: local_softirq_pending 08 [ 237.408706] NOHZ: local_softirq_pending 08 [ 412.110860] NOHZ: local_softirq_pending 08 [ 423.001409] NOHZ: local_softirq_pending 08 [ 423.008504] NOHZ: local_softirq_pending 08 [ 463.581856] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 463.588839] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 463.596902] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 463.604714] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 463.614372] device bridge_slave_1 left promiscuous mode [ 463.620537] bridge0: port 2(bridge_slave_1) entered disabled state [ 463.663060] device bridge_slave_0 left promiscuous mode [ 463.668773] bridge0: port 1(bridge_slave_0) entered disabled state [ 463.724389] device veth1_macvtap left promiscuous mode [ 463.730360] device veth0_macvtap left promiscuous mode [ 463.738120] device veth1_vlan left promiscuous mode [ 463.743927] device veth0_vlan left promiscuous mode [ 463.851489] device hsr_slave_1 left promiscuous mode [ 463.901183] device hsr_slave_0 left promiscuous mode [ 463.960661] team0 (unregistering): Port device team_slave_1 removed [ 463.971431] team0 (unregistering): Port device team_slave_0 removed [ 463.981712] bond0 (unregistering): Releasing backup interface bond_slave_1 [ 464.023189] bond0 (unregistering): Releasing backup interface bond_slave_0 [ 464.089685] bond0 (unregistering): Released all slaves [ 466.451467] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 466.458175] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 466.466833] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 466.474031] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 466.482461] device bridge_slave_1 left promiscuous mode [ 466.487928] bridge0: port 2(bridge_slave_1) entered disabled state [ 466.568854] device bridge_slave_0 left promiscuous mode [ 466.574613] bridge0: port 1(bridge_slave_0) entered disabled state [ 466.621317] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 466.628038] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 466.635971] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 466.642772] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 466.651187] device bridge_slave_1 left promiscuous mode [ 466.656621] bridge0: port 2(bridge_slave_1) entered disabled state [ 466.699187] device bridge_slave_0 left promiscuous mode [ 466.704653] bridge0: port 1(bridge_slave_0) entered disabled state [ 466.760246] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 466.766934] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 466.775284] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 466.782201] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 466.789826] device bridge_slave_1 left promiscuous mode [ 466.795255] bridge0: port 2(bridge_slave_1) entered disabled state [ 466.838810] device bridge_slave_0 left promiscuous mode [ 466.844246] bridge0: port 1(bridge_slave_0) entered disabled state [ 466.901164] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 466.908564] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 466.916004] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 466.923506] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 466.932111] device bridge_slave_1 left promiscuous mode [ 466.937546] bridge0: port 2(bridge_slave_1) entered disabled state [ 466.978945] device bridge_slave_0 left promiscuous mode [ 466.984409] bridge0: port 1(bridge_slave_0) entered disabled state [ 467.030367] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 467.037581] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 467.045849] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 467.052626] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 467.060198] device bridge_slave_1 left promiscuous mode [ 467.065647] bridge0: port 2(bridge_slave_1) entered disabled state [ 467.108812] device bridge_slave_0 left promiscuous mode [ 467.114872] bridge0: port 1(bridge_slave_0) entered disabled state [ 467.175184] device veth1_macvtap left promiscuous mode [ 467.181425] device veth0_macvtap left promiscuous mode [ 467.186719] device veth1_vlan left promiscuous mode [ 467.191815] device veth0_vlan left promiscuous mode [ 467.197126] device veth1_macvtap left promiscuous mode [ 467.202496] device veth0_macvtap left promiscuous mode [ 467.207818] device veth1_vlan left promiscuous mode [ 467.213769] device veth0_vlan left promiscuous mode [ 467.219349] device veth1_macvtap left promiscuous mode [ 467.224903] device veth0_macvtap left promiscuous mode [ 467.230390] device veth1_vlan left promiscuous mode [ 467.235425] device veth0_vlan left promiscuous mode [ 467.240937] device veth1_macvtap left promiscuous mode [ 467.246241] device veth0_macvtap left promiscuous mode [ 467.251649] device veth1_vlan left promiscuous mode [ 467.256711] device veth0_vlan left promiscuous mode [ 467.262281] device veth1_macvtap left promiscuous mode [ 467.267640] device veth0_macvtap left promiscuous mode [ 467.273206] device veth1_vlan left promiscuous mode [ 467.278383] device veth0_vlan left promiscuous mode [ 467.561542] device hsr_slave_1 left promiscuous mode [ 467.600693] device hsr_slave_0 left promiscuous mode [ 467.654716] team0 (unregistering): Port device team_slave_1 removed [ 467.666165] team0 (unregistering): Port device team_slave_0 removed [ 467.675459] bond0 (unregistering): Releasing backup interface bond_slave_1 [ 467.740713] bond0 (unregistering): Releasing backup interface bond_slave_0 [ 467.811179] bond0 (unregistering): Released all slaves [ 467.951897] device hsr_slave_1 left promiscuous mode [ 468.000331] device hsr_slave_0 left promiscuous mode [ 468.044571] team0 (unregistering): Port device team_slave_1 removed [ 468.055384] team0 (unregistering): Port device team_slave_0 removed [ 468.064457] bond0 (unregistering): Releasing backup interface bond_slave_1 [ 468.112773] bond0 (unregistering): Releasing backup interface bond_slave_0 [ 468.166385] bond0 (unregistering): Released all slaves [ 468.259698] device hsr_slave_1 left promiscuous mode [ 468.301460] device hsr_slave_0 left promiscuous mode [ 468.356320] team0 (unregistering): Port device team_slave_1 removed [ 468.365535] team0 (unregistering): Port device team_slave_0 removed [ 468.376408] bond0 (unregistering): Releasing backup interface bond_slave_1 [ 468.420865] bond0 (unregistering): Releasing backup interface bond_slave_0 [ 468.496690] bond0 (unregistering): Released all slaves [ 468.599535] device hsr_slave_1 left promiscuous mode [ 468.651745] device hsr_slave_0 left promiscuous mode [ 468.696187] team0 (unregistering): Port device team_slave_1 removed [ 468.705114] team0 (unregistering): Port device team_slave_0 removed [ 468.714164] bond0 (unregistering): Releasing backup interface bond_slave_1 [ 468.760666] bond0 (unregistering): Releasing backup interface bond_slave_0 [ 468.829013] bond0 (unregistering): Released all slaves [ 468.941903] device hsr_slave_1 left promiscuous mode [ 469.010372] device hsr_slave_0 left promiscuous mode [ 469.066213] team0 (unregistering): Port device team_slave_1 removed [ 469.075160] team0 (unregistering): Port device team_slave_0 removed [ 469.086272] bond0 (unregistering): Releasing backup interface bond_slave_1 [ 469.130800] bond0 (unregistering): Releasing backup interface bond_slave_0 [ 469.186699] bond0 (unregistering): Released all slaves Warning: Permanently added '10.128.0.255' (ECDSA) to the list of known hosts. [ 469.593167] ================================================================== [ 469.600902] BUG: KASAN: use-after-free in _copy_from_user+0x8e/0xd0 [ 469.607351] Write of size 32 at addr ffff88806f7ee560 by task syz-executor489/26413 [ 469.615253] [ 469.616867] CPU: 0 PID: 26413 Comm: syz-executor489 Not tainted 4.19.123-syzkaller #0 [ 469.624990] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 469.634347] Call Trace: [ 469.636984] dump_stack+0x123/0x177 [ 469.640684] print_address_description.cold.8+0x9/0x1ff [ 469.646075] kasan_report.cold.9+0x242/0x309 [ 469.650466] ? _copy_from_user+0x8e/0xd0 [ 469.654506] check_memory_region+0x13e/0x1b0 [ 469.658899] kasan_check_write+0x14/0x20 [ 469.662938] _copy_from_user+0x8e/0xd0 [ 469.666886] snd_rawmidi_kernel_write1+0x2a0/0x5d0 [ 469.671940] snd_rawmidi_write+0x271/0xaa0 [ 469.676167] ? snd_rawmidi_release+0xf0/0xf0 [ 469.680568] ? save_stack+0xa9/0xd0 [ 469.684199] ? save_stack+0x43/0xd0 [ 469.687812] ? __kasan_slab_free+0x102/0x150 [ 469.692202] ? kasan_slab_free+0xe/0x10 [ 469.696165] ? kmem_cache_free+0x83/0x290 [ 469.700395] ? putname+0xa8/0xe0 [ 469.703743] ? do_sys_open+0x16e/0x350 [ 469.707606] ? __x64_sys_open+0x79/0xb0 [ 469.711602] ? do_syscall_64+0xd0/0x4e0 [ 469.715606] ? wake_up_q+0x100/0x100 [ 469.719351] ? find_held_lock+0x36/0x1d0 [ 469.723407] __vfs_write+0xe3/0x890 [ 469.727009] ? kernel_read+0x130/0x130 [ 469.730972] ? __might_sleep+0x95/0x190 [ 469.735294] ? __inode_security_revalidate+0x9d/0xc0 [ 469.740561] ? selinux_file_permission+0x326/0x3f0 [ 469.745656] ? security_file_permission+0x46/0x190 [ 469.750630] ? rw_verify_area+0xb8/0x2b0 [ 469.754683] vfs_write+0x150/0x4d0 [ 469.758217] ksys_write+0x103/0x260 [ 469.761850] ? __ia32_sys_read+0xa0/0xa0 [ 469.765886] ? do_syscall_64+0x21/0x4e0 [ 469.769851] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 469.775191] __x64_sys_write+0x6e/0xb0 [ 469.779067] do_syscall_64+0xd0/0x4e0 [ 469.782857] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 469.788109] RIP: 0033:0x44a3e9 [ 469.791277] Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b cc fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 469.810516] RSP: 002b:00007fcd45a0ddb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 469.818202] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 000000000044a3e9 [ 469.825447] RDX: 0000000020000339 RSI: 00000000200001c0 RDI: 0000000000000003 [ 469.832809] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000 [ 469.840072] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c [ 469.847317] R13: 00007ffc3002ea7f R14: 00007fcd45a0e9c0 R15: 20c49ba5e353f7cf [ 469.854572] [ 469.856178] Allocated by task 26413: [ 469.859887] save_stack+0x43/0xd0 [ 469.863316] kasan_kmalloc+0xc7/0xe0 [ 469.867002] __kmalloc_node+0x50/0x70 [ 469.870829] kvmalloc_node+0x68/0x70 [ 469.874534] open_substream+0x2e5/0x770 [ 469.878490] rawmidi_open_priv+0x3fe/0x750 [ 469.882705] snd_rawmidi_open+0x4d3/0xa20 [ 469.886911] snd_open+0x1d3/0x37c [ 469.890342] chrdev_open+0x1ed/0x5c0 [ 469.894045] do_dentry_open+0x3f1/0x1010 [ 469.898106] vfs_open+0x9a/0xc0 [ 469.901385] path_openat+0x6fa/0x3c60 [ 469.905157] do_filp_open+0x177/0x250 [ 469.908947] do_sys_open+0x1dd/0x350 [ 469.912634] __x64_sys_open+0x79/0xb0 [ 469.916478] do_syscall_64+0xd0/0x4e0 [ 469.920272] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 469.925436] [ 469.927055] Freed by task 26416: [ 469.930409] save_stack+0x43/0xd0 [ 469.933837] __kasan_slab_free+0x102/0x150 [ 469.938047] kasan_slab_free+0xe/0x10 [ 469.941837] kfree+0xcf/0x220 [ 469.944918] kvfree+0x2c/0x30 [ 469.948027] resize_runtime_buffer+0x236/0x360 [ 469.952583] snd_rawmidi_output_params+0xff/0x140 [ 469.957418] snd_rawmidi_ioctl+0x49e/0x5a0 [ 469.961640] do_vfs_ioctl+0x196/0x10c0 [ 469.965501] ksys_ioctl+0x62/0x90 [ 469.968926] __x64_sys_ioctl+0x6e/0xb0 [ 469.972787] do_syscall_64+0xd0/0x4e0 [ 469.976580] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 469.981741] [ 469.984040] The buggy address belongs to the object at ffff88806f7ee300 [ 469.984040] which belongs to the cache kmalloc-4096 of size 4096 [ 469.996860] The buggy address is located 608 bytes inside of [ 469.996860] 4096-byte region [ffff88806f7ee300, ffff88806f7ef300) [ 470.008811] The buggy address belongs to the page: [ 470.013879] page:ffffea0001bdfb80 count:1 mapcount:0 mapping:ffff88812c29cdc0 index:0x0 compound_mapcount: 0 [ 470.024121] flags: 0xfffe0000008100(slab|head) [ 470.028683] raw: 00fffe0000008100 ffffea0001c96e08 ffffea0002353d08 ffff88812c29cdc0 [ 470.036574] raw: 0000000000000000 ffff88806f7ee300 0000000100000001 0000000000000000 [ 470.044450] page dumped because: kasan: bad access detected [ 470.050141] [ 470.051745] Memory state around the buggy address: [ 470.056650] ffff88806f7ee400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 470.064177] ffff88806f7ee480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 470.071547] >ffff88806f7ee500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 470.078884] ^ [ 470.085873] ffff88806f7ee580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 470.093223] ffff88806f7ee600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 470.100573] ================================================================== [ 470.107908] Disabling lock debugging due to kernel taint [ 470.113764] Kernel panic - not syncing: panic_on_warn set ... [ 470.113764] [ 470.121125] CPU: 0 PID: 26413 Comm: syz-executor489 Tainted: G B 4.19.123-syzkaller #0 [ 470.130471] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 470.139815] Call Trace: [ 470.142411] dump_stack+0x123/0x177 [ 470.146077] panic+0x1cd/0x375 [ 470.149277] ? __warn_printk+0xd6/0xd6 [ 470.153142] ? ___preempt_schedule+0x16/0x18 [ 470.157536] kasan_end_report+0x47/0x4f [ 470.161491] kasan_report.cold.9+0x76/0x309 [ 470.166171] ? _copy_from_user+0x8e/0xd0 [ 470.170218] check_memory_region+0x13e/0x1b0 [ 470.174620] kasan_check_write+0x14/0x20 [ 470.178655] _copy_from_user+0x8e/0xd0 [ 470.182538] snd_rawmidi_kernel_write1+0x2a0/0x5d0 [ 470.187456] snd_rawmidi_write+0x271/0xaa0 [ 470.191671] ? snd_rawmidi_release+0xf0/0xf0 [ 470.196053] ? save_stack+0xa9/0xd0 [ 470.199664] ? save_stack+0x43/0xd0 [ 470.203267] ? __kasan_slab_free+0x102/0x150 [ 470.207648] ? kasan_slab_free+0xe/0x10 [ 470.211609] ? kmem_cache_free+0x83/0x290 [ 470.215750] ? putname+0xa8/0xe0 [ 470.219098] ? do_sys_open+0x16e/0x350 [ 470.223000] ? __x64_sys_open+0x79/0xb0 [ 470.226947] ? do_syscall_64+0xd0/0x4e0 [ 470.230936] ? wake_up_q+0x100/0x100 [ 470.234645] ? find_held_lock+0x36/0x1d0 [ 470.238752] __vfs_write+0xe3/0x890 [ 470.242403] ? kernel_read+0x130/0x130 [ 470.246283] ? __might_sleep+0x95/0x190 [ 470.250246] ? __inode_security_revalidate+0x9d/0xc0 [ 470.255325] ? selinux_file_permission+0x326/0x3f0 [ 470.260232] ? security_file_permission+0x46/0x190 [ 470.265163] ? rw_verify_area+0xb8/0x2b0 [ 470.269227] vfs_write+0x150/0x4d0 [ 470.272748] ksys_write+0x103/0x260 [ 470.276357] ? __ia32_sys_read+0xa0/0xa0 [ 470.280403] ? do_syscall_64+0x21/0x4e0 [ 470.284354] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 470.289720] __x64_sys_write+0x6e/0xb0 [ 470.293591] do_syscall_64+0xd0/0x4e0 [ 470.297371] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 470.302562] RIP: 0033:0x44a3e9 [ 470.305737] Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b cc fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 470.324927] RSP: 002b:00007fcd45a0ddb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 470.332636] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 000000000044a3e9 [ 470.339885] RDX: 0000000020000339 RSI: 00000000200001c0 RDI: 0000000000000003 [ 470.347143] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000 [ 470.354573] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c [ 470.361824] R13: 00007ffc3002ea7f R14: 00007fcd45a0e9c0 R15: 20c49ba5e353f7cf [ 470.370658] Kernel Offset: disabled [ 470.374284] Rebooting in 86400 seconds..