[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 28.910954] kauditd_printk_skb: 7 callbacks suppressed [ 28.910967] audit: type=1800 audit(1544168118.572:29): pid=5898 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 28.936892] audit: type=1800 audit(1544168118.572:30): pid=5898 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.2' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 44.265072] FAULT_INJECTION: forcing a failure. [ 44.265072] name failslab, interval 1, probability 0, space 0, times 1 [ 44.276487] CPU: 1 PID: 6056 Comm: syz-executor520 Not tainted 4.20.0-rc5+ #365 [ 44.284063] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 44.293493] Call Trace: [ 44.296101] dump_stack+0x244/0x39d [ 44.299724] ? dump_stack_print_info.cold.1+0x20/0x20 [ 44.304913] should_fail.cold.4+0xa/0x17 [ 44.308981] ? find_held_lock+0x36/0x1c0 [ 44.313035] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 44.318136] ? depot_save_stack+0x292/0x470 [ 44.322452] ? lock_downgrade+0x900/0x900 [ 44.326643] ? zap_class+0x640/0x640 [ 44.330353] ? trace_hardirqs_off+0xb8/0x310 [ 44.334755] ? kasan_check_read+0x11/0x20 [ 44.338890] ? do_raw_spin_unlock+0xa7/0x330 [ 44.343290] ? find_held_lock+0x36/0x1c0 [ 44.347351] ? __lock_is_held+0xb5/0x140 [ 44.351407] ? save_stack+0x43/0xd0 [ 44.355021] ? perf_trace_sched_process_exec+0x860/0x860 [ 44.360465] ? print_usage_bug+0xc0/0xc0 [ 44.364597] ? do_iter_read+0x4a3/0x650 [ 44.368574] ? __x64_sys_readv+0x75/0xb0 [ 44.372626] ? do_syscall_64+0x1b9/0x820 [ 44.376679] __should_failslab+0x124/0x180 [ 44.380913] should_failslab+0x9/0x14 [ 44.384707] kmem_cache_alloc_trace+0x2d7/0x750 [ 44.389378] snd_pcm_hw_param_near.constprop.34+0x164/0xb30 [ 44.395092] ? kfree+0x11e/0x230 [ 44.398453] ? _snd_pcm_hw_param_min+0x570/0x570 [ 44.403207] ? snd_pcm_oss_change_params_locked+0x2ca8/0x3c60 [ 44.409100] snd_pcm_oss_change_params_locked+0xc16/0x3c60 [ 44.414736] ? snd_pcm_hw_param_near.constprop.34+0xb30/0xb30 [ 44.420679] ? aa_file_perm+0x490/0x1060 [ 44.424745] ? zap_class+0x640/0x640 [ 44.428456] ? find_held_lock+0x36/0x1c0 [ 44.432514] ? __might_fault+0x12b/0x1e0 [ 44.436569] ? lock_downgrade+0x900/0x900 [ 44.440715] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 44.445749] snd_pcm_oss_make_ready_locked+0xbc/0x130 [ 44.450945] snd_pcm_oss_read+0x417/0x830 [ 44.455097] ? snd_pcm_oss_read2+0x450/0x450 [ 44.459495] ? security_file_permission+0x1c2/0x220 [ 44.464504] ? rw_verify_area+0x118/0x360 [ 44.468642] do_iter_read+0x4a3/0x650 [ 44.472440] vfs_readv+0x175/0x1c0 [ 44.475972] ? compat_rw_copy_check_uvector+0x440/0x440 [ 44.481328] ? vfs_write+0x2f3/0x560 [ 44.485034] ? lock_downgrade+0x900/0x900 [ 44.489175] ? __lock_is_held+0xb5/0x140 [ 44.493233] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 44.498760] ? __fdget_pos+0xde/0x200 [ 44.502549] ? __fdget_raw+0x20/0x20 [ 44.506254] ? __sb_end_write+0xd9/0x110 [ 44.510303] ? vfs_write+0x2ad/0x560 [ 44.514008] do_readv+0x11a/0x310 [ 44.517450] ? vfs_readv+0x1c0/0x1c0 [ 44.521162] ? trace_hardirqs_off_caller+0x310/0x310 [ 44.526253] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 44.531787] __x64_sys_readv+0x75/0xb0 [ 44.535667] do_syscall_64+0x1b9/0x820 [ 44.539547] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 44.544915] ? syscall_return_slowpath+0x5e0/0x5e0 [ 44.549840] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 44.554799] ? trace_hardirqs_on_caller+0x310/0x310 [ 44.559821] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 44.564832] ? prepare_exit_to_usermode+0x291/0x3b0 [ 44.569840] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 44.574677] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 44.579860] RIP: 0033:0x444079 [ 44.583042] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 44.601946] RSP: 002b:00007ffc8067a328 EFLAGS: 00000246 ORIG_RAX: 0000000000000013 [ 44.609660] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444079 [ 44.616938] RDX: 0000000000000001 RSI: 0000000020001640 RDI: 0000000000000003 [ 44.624223] RBP: 00000000006cf018 R08: 0000000000000001 R09: 0000000000000037 [ 44.631503] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 [ 44.638772] R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000 [ 44.658215] ================================================================== [ 44.665683] BUG: KASAN: slab-out-of-bounds in default_read_copy_kernel+0xe1/0x140 [ 44.673303] Write of size 64 at addr ffff8881cec699c0 by task syz-executor520/6056 [ 44.681007] [ 44.682628] CPU: 1 PID: 6056 Comm: syz-executor520 Not tainted 4.20.0-rc5+ #365 [ 44.690139] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 44.699545] Call Trace: [ 44.702141] dump_stack+0x244/0x39d [ 44.705759] ? dump_stack_print_info.cold.1+0x20/0x20 [ 44.710942] ? printk+0xa7/0xcf [ 44.714215] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 44.719052] print_address_description.cold.7+0x9/0x1ff [ 44.724403] kasan_report.cold.8+0x242/0x309 [ 44.728799] ? default_read_copy_kernel+0xe1/0x140 [ 44.733721] check_memory_region+0x13e/0x1b0 [ 44.738122] memcpy+0x37/0x50 [ 44.741225] default_read_copy_kernel+0xe1/0x140 [ 44.745982] ? default_write_copy_kernel+0x140/0x140 [ 44.751096] interleaved_copy+0xd1/0x110 [ 44.755155] __snd_pcm_lib_xfer+0x115f/0x1f23 [ 44.759646] ? snd_pcm_hw_rule_noresample_func+0x120/0x120 [ 44.765275] ? default_write_copy_kernel+0x140/0x140 [ 44.770461] ? pcm_lib_apply_appl_ptr+0x580/0x580 [ 44.775308] ? _raw_read_unlock_irq+0x60/0x80 [ 44.779797] ? __snd_pcm_stream_unlock_mode+0x12a/0x150 [ 44.785151] ? snd_pcm_delay+0x26d/0x380 [ 44.789211] ? snd_pcm_kernel_ioctl+0x73/0x220 [ 44.793785] ? wake_up_q+0x100/0x100 [ 44.797491] ? snd_pcm_oss_prepare+0x150/0x150 [ 44.802150] ? find_held_lock+0x36/0x1c0 [ 44.806218] snd_pcm_oss_read3+0x1c8/0x410 [ 44.810533] ? snd_pcm_oss_write+0xa60/0xa60 [ 44.814986] ? trace_hardirqs_on+0xbd/0x310 [ 44.819322] ? kasan_check_read+0x11/0x20 [ 44.823591] ? __snd_pcm_stream_unlock_mode+0x125/0x150 [ 44.828955] io_capture_transfer+0x27d/0x310 [ 44.833472] ? snd_pcm_plug_slave_size+0x1d0/0x350 [ 44.838404] snd_pcm_plug_read_transfer+0x1d7/0x3b0 [ 44.843414] ? kasan_check_write+0x14/0x20 [ 44.847644] ? snd_pcm_plug_write_transfer+0x490/0x490 [ 44.852937] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 44.858032] ? snd_pcm_plug_client_channels_buf+0x212/0x450 [ 44.863745] snd_pcm_oss_read2+0x221/0x450 [ 44.867990] ? snd_pcm_oss_read3+0x410/0x410 [ 44.872391] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 44.877929] ? snd_pcm_oss_prepare+0x118/0x150 [ 44.882525] snd_pcm_oss_read+0x638/0x830 [ 44.886697] ? snd_pcm_oss_read2+0x450/0x450 [ 44.891118] ? security_file_permission+0x1c2/0x220 [ 44.896127] ? rw_verify_area+0x118/0x360 [ 44.900267] do_iter_read+0x4a3/0x650 [ 44.904064] vfs_readv+0x175/0x1c0 [ 44.907599] ? compat_rw_copy_check_uvector+0x440/0x440 [ 44.912958] ? vfs_write+0x2f3/0x560 [ 44.916668] ? lock_downgrade+0x900/0x900 [ 44.920805] ? __lock_is_held+0xb5/0x140 [ 44.924870] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 44.930408] ? __fdget_pos+0xde/0x200 [ 44.934204] ? __fdget_raw+0x20/0x20 [ 44.937961] ? __sb_end_write+0xd9/0x110 [ 44.942207] ? vfs_write+0x2ad/0x560 [ 44.945908] do_readv+0x11a/0x310 [ 44.949368] ? vfs_readv+0x1c0/0x1c0 [ 44.953071] ? trace_hardirqs_off_caller+0x310/0x310 [ 44.958174] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 44.963708] __x64_sys_readv+0x75/0xb0 [ 44.967608] do_syscall_64+0x1b9/0x820 [ 44.971482] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 44.976837] ? syscall_return_slowpath+0x5e0/0x5e0 [ 44.981760] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 44.986602] ? trace_hardirqs_on_caller+0x310/0x310 [ 44.991608] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 44.996619] ? prepare_exit_to_usermode+0x291/0x3b0 [ 45.001633] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 45.006471] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 45.011652] RIP: 0033:0x444079 [ 45.014837] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 45.033825] RSP: 002b:00007ffc8067a328 EFLAGS: 00000246 ORIG_RAX: 0000000000000013 [ 45.041532] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444079 [ 45.048899] RDX: 0000000000000001 RSI: 0000000020001640 RDI: 0000000000000003 [ 45.056172] RBP: 00000000006cf018 R08: 0000000000000001 R09: 0000000000000037 [ 45.063503] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 [ 45.070793] R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000 [ 45.078069] [ 45.079724] Allocated by task 6056: [ 45.083394] save_stack+0x43/0xd0 [ 45.086866] kasan_kmalloc+0xc7/0xe0 [ 45.090564] __kmalloc_node+0x50/0x70 [ 45.094502] kvmalloc_node+0x65/0xf0 [ 45.098202] snd_pcm_plugin_alloc+0x577/0x770 [ 45.102681] snd_pcm_plug_alloc+0x149/0x340 [ 45.106988] snd_pcm_oss_change_params_locked+0x2209/0x3c60 [ 45.112686] snd_pcm_oss_make_ready_locked+0xbc/0x130 [ 45.117864] snd_pcm_oss_read+0x417/0x830 [ 45.122010] do_iter_read+0x4a3/0x650 [ 45.125799] vfs_readv+0x175/0x1c0 [ 45.129328] do_readv+0x11a/0x310 [ 45.132783] __x64_sys_readv+0x75/0xb0 [ 45.136658] do_syscall_64+0x1b9/0x820 [ 45.140533] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 45.145705] [ 45.147319] Freed by task 9: [ 45.150333] save_stack+0x43/0xd0 [ 45.153787] __kasan_slab_free+0x102/0x150 [ 45.158036] kasan_slab_free+0xe/0x10 [ 45.161832] kfree+0xcf/0x230 [ 45.164928] kzfree+0x28/0x30 [ 45.168021] apparmor_task_free+0x13a/0x1e0 [ 45.172339] security_task_free+0x4a/0x80 [ 45.176476] __put_task_struct+0x195/0x620 [ 45.180699] delayed_put_task_struct+0x2ff/0x4c0 [ 45.185459] rcu_process_callbacks+0x100a/0x1ac0 [ 45.190233] __do_softirq+0x308/0xb7e [ 45.194026] [ 45.195647] The buggy address belongs to the object at ffff8881cec699c0 [ 45.195647] which belongs to the cache kmalloc-32 of size 32 [ 45.208140] The buggy address is located 0 bytes inside of [ 45.208140] 32-byte region [ffff8881cec699c0, ffff8881cec699e0) [ 45.219753] The buggy address belongs to the page: [ 45.224688] page:ffffea00073b1a40 count:1 mapcount:0 mapping:ffff8881da8001c0 index:0xffff8881cec69fc1 [ 45.234135] flags: 0x2fffc0000000200(slab) [ 45.238371] raw: 02fffc0000000200 ffffea00073a3748 ffff8881da801248 ffff8881da8001c0 [ 45.246259] raw: ffff8881cec69fc1 ffff8881cec69000 000000010000003f 0000000000000000 [ 45.254264] page dumped because: kasan: bad access detected [ 45.259970] [ 45.261584] Memory state around the buggy address: [ 45.266501] ffff8881cec69880: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 45.273884] ffff8881cec69900: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 45.281242] >ffff8881cec69980: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc [ 45.288683] ^ [ 45.295179] ffff8881cec69a00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 45.302535] ffff8881cec69a80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 45.309884] ================================================================== [ 45.317239] Disabling lock debugging due to kernel taint [ 45.322903] Kernel panic - not syncing: panic_on_warn set ... [ 45.328790] CPU: 1 PID: 6056 Comm: syz-executor520 Tainted: G B 4.20.0-rc5+ #365 [ 45.337611] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 45.346952] Call Trace: [ 45.349550] dump_stack+0x244/0x39d [ 45.353204] ? dump_stack_print_info.cold.1+0x20/0x20 [ 45.358403] panic+0x2ad/0x55c [ 45.361584] ? add_taint.cold.5+0x16/0x16 [ 45.365719] ? preempt_schedule+0x4d/0x60 [ 45.369857] ? ___preempt_schedule+0x16/0x18 [ 45.374265] ? trace_hardirqs_on+0xb4/0x310 [ 45.378719] kasan_end_report+0x47/0x4f [ 45.382682] kasan_report.cold.8+0x76/0x309 [ 45.387044] ? default_read_copy_kernel+0xe1/0x140 [ 45.391977] check_memory_region+0x13e/0x1b0 [ 45.396382] memcpy+0x37/0x50 [ 45.399480] default_read_copy_kernel+0xe1/0x140 [ 45.404246] ? default_write_copy_kernel+0x140/0x140 [ 45.409340] interleaved_copy+0xd1/0x110 [ 45.413408] __snd_pcm_lib_xfer+0x115f/0x1f23 [ 45.417902] ? snd_pcm_hw_rule_noresample_func+0x120/0x120 [ 45.423513] ? default_write_copy_kernel+0x140/0x140 [ 45.428602] ? pcm_lib_apply_appl_ptr+0x580/0x580 [ 45.433438] ? _raw_read_unlock_irq+0x60/0x80 [ 45.437924] ? __snd_pcm_stream_unlock_mode+0x12a/0x150 [ 45.443284] ? snd_pcm_delay+0x26d/0x380 [ 45.447335] ? snd_pcm_kernel_ioctl+0x73/0x220 [ 45.451904] ? wake_up_q+0x100/0x100 [ 45.455604] ? snd_pcm_oss_prepare+0x150/0x150 [ 45.460177] ? find_held_lock+0x36/0x1c0 [ 45.464232] snd_pcm_oss_read3+0x1c8/0x410 [ 45.468458] ? snd_pcm_oss_write+0xa60/0xa60 [ 45.472857] ? trace_hardirqs_on+0xbd/0x310 [ 45.477169] ? kasan_check_read+0x11/0x20 [ 45.481303] ? __snd_pcm_stream_unlock_mode+0x125/0x150 [ 45.486659] io_capture_transfer+0x27d/0x310 [ 45.491062] ? snd_pcm_plug_slave_size+0x1d0/0x350 [ 45.495987] snd_pcm_plug_read_transfer+0x1d7/0x3b0 [ 45.501012] ? kasan_check_write+0x14/0x20 [ 45.505266] ? snd_pcm_plug_write_transfer+0x490/0x490 [ 45.510554] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 45.515566] ? snd_pcm_plug_client_channels_buf+0x212/0x450 [ 45.521271] snd_pcm_oss_read2+0x221/0x450 [ 45.525503] ? snd_pcm_oss_read3+0x410/0x410 [ 45.529905] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 45.535564] ? snd_pcm_oss_prepare+0x118/0x150 [ 45.540147] snd_pcm_oss_read+0x638/0x830 [ 45.544285] ? snd_pcm_oss_read2+0x450/0x450 [ 45.548679] ? security_file_permission+0x1c2/0x220 [ 45.553686] ? rw_verify_area+0x118/0x360 [ 45.557821] do_iter_read+0x4a3/0x650 [ 45.561615] vfs_readv+0x175/0x1c0 [ 45.565143] ? compat_rw_copy_check_uvector+0x440/0x440 [ 45.570494] ? vfs_write+0x2f3/0x560 [ 45.574211] ? lock_downgrade+0x900/0x900 [ 45.578348] ? __lock_is_held+0xb5/0x140 [ 45.582403] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 45.587929] ? __fdget_pos+0xde/0x200 [ 45.591716] ? __fdget_raw+0x20/0x20 [ 45.595418] ? __sb_end_write+0xd9/0x110 [ 45.599575] ? vfs_write+0x2ad/0x560 [ 45.603277] do_readv+0x11a/0x310 [ 45.606715] ? vfs_readv+0x1c0/0x1c0 [ 45.610434] ? trace_hardirqs_off_caller+0x310/0x310 [ 45.615526] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 45.621053] __x64_sys_readv+0x75/0xb0 [ 45.624929] do_syscall_64+0x1b9/0x820 [ 45.628804] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 45.634158] ? syscall_return_slowpath+0x5e0/0x5e0 [ 45.639075] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 45.643911] ? trace_hardirqs_on_caller+0x310/0x310 [ 45.648916] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 45.653922] ? prepare_exit_to_usermode+0x291/0x3b0 [ 45.659060] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 45.664005] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 45.669191] RIP: 0033:0x444079 [ 45.672370] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 45.691265] RSP: 002b:00007ffc8067a328 EFLAGS: 00000246 ORIG_RAX: 0000000000000013 [ 45.698970] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444079 [ 45.706236] RDX: 0000000000000001 RSI: 0000000020001640 RDI: 0000000000000003 [ 45.713502] RBP: 00000000006cf018 R08: 0000000000000001 R09: 0000000000000037 [ 45.720765] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 [ 45.728034] R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000 [ 45.736252] Kernel Offset: disabled [ 45.739935] Rebooting in 86400 seconds..