[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 69.392890][ T26] kauditd_printk_skb: 5 callbacks suppressed
[ 69.392910][ T26] audit: type=1800 audit(1561371835.646:33): pid=9182 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 69.422010][ T26] audit: type=1800 audit(1561371835.646:34): pid=9182 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
[ 70.134092][ T26] audit: type=1400 audit(1561371836.386:35): avc: denied { map } for pid=9357 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.32' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 76.534808][ T26] audit: type=1400 audit(1561371842.786:36): avc: denied { map } for pid=9369 comm="syz-executor786" path="/root/syz-executor786584454" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 76.977202][ T12] ==================================================================
[ 76.985352][ T12] BUG: KASAN: use-after-free in debugfs_remove+0x11a/0x130
[ 76.985371][ T12] Read of size 8 at addr ffff88808d439898 by task kworker/0:1/12
[ 76.985382][ T12]
[ 76.985395][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.0-rc5+ #32
[ 76.985402][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 76.985417][ T12] Workqueue: events __blk_release_queue
[ 77.000365][ T12] Call Trace:
[ 77.000386][ T12]  dump_stack+0x172/0x1f0
[ 77.000400][ T12]  ? debugfs_remove+0x11a/0x130
[ 77.000418][ T12]  print_address_description.cold+0x7c/0x20d
[ 77.000436][ T12]  ? debugfs_remove+0x11a/0x130
[ 77.010209][ T12]  ? debugfs_remove+0x11a/0x130
[ 77.010225][ T12]  __kasan_report.cold+0x1b/0x40
[ 77.010243][ T12]  ? __sanitizer_cov_trace_cmp1+0x10/0x20
[ 77.010262][ T12]  ? debugfs_remove+0x11a/0x130
[ 77.025841][ T12]  kasan_report+0x12/0x20
[ 77.025859][ T12]  __asan_report_load8_noabort+0x14/0x20
[ 77.025878][ T12]  debugfs_remove+0x11a/0x130
[ 77.033474][ T12]  blk_trace_free+0x38/0x140
[ 77.033495][ T12]  __blk_trace_remove+0x78/0xa0
[ 77.033514][ T12]  blk_trace_shutdown+0x67/0x90
[ 77.049159][ T12]  __blk_release_queue+0x1d6/0x330
[ 77.049179][ T12]  process_one_work+0x989/0x1790
[ 77.049203][ T12]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 77.058953][ T12]  ? lock_acquire+0x16f/0x3f0
[ 77.058981][ T12]  worker_thread+0x98/0xe40
[ 77.058995][ T12]  ? trace_hardirqs_on+0x67/0x220
[ 77.059024][ T12]  kthread+0x354/0x420
[ 77.069566][ T12]  ? process_one_work+0x1790/0x1790
[ 77.069581][ T12]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 77.069599][ T12]  ret_from_fork+0x24/0x30
[ 77.069619][ T12]
[ 77.079551][ T12] Allocated by task 9379:
[ 77.079566][ T12]  save_stack+0x23/0x90
[ 77.079579][ T12]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 77.079592][ T12]  kasan_slab_alloc+0xf/0x20
[ 77.079603][ T12]  kmem_cache_alloc+0x11a/0x6f0
[ 77.079622][ T12]  __d_alloc+0x2e/0x8c0
[ 77.088859][ T12]  d_alloc+0x4d/0x280
[ 77.088872][ T12]  d_alloc_parallel+0xf4/0x1bb0
[ 77.088885][ T12]  __lookup_slow+0x1ab/0x500
[ 77.088897][ T12]  lookup_one_len+0x16d/0x1a0
[ 77.088916][ T12]  start_creating+0xbf/0x1e0
[ 77.088935][ T12]  debugfs_create_dir+0x26/0x3a0
[ 77.098609][ T12]  blk_mq_debugfs_register+0x8c/0x420
[ 77.098623][ T12]  blk_register_queue+0x1cd/0x3a0
[ 77.098635][ T12]  __device_add_disk+0xe8d/0x11c0
[ 77.098646][ T12]  device_add_disk+0x2b/0x40
[ 77.098657][ T12]  loop_add+0x635/0x8d0
[ 77.098675][ T12]  loop_probe+0x161/0x1a0
[ 77.110978][ T9383] kobject: 'queue' (0000000087fc6c3d): kobject_add_internal: parent: 'loop0', set: ''
[ 77.114061][ T12]  kobj_lookup+0x260/0x460
[ 77.119321][ T9383] kobject: 'mq' (00000000d5ed6755): kobject_add_internal: parent: 'loop0', set: ''
[ 77.123258][ T12]  get_gendisk+0x4d/0x390
[ 77.123270][ T12]  __blkdev_get+0x457/0x1660
[ 77.123281][ T12]  blkdev_get+0xc4/0x990
[ 77.123299][ T12]  blkdev_open+0x205/0x290
[ 77.128749][ T9383] kobject: 'mq' (00000000d5ed6755): kobject_uevent_env
[ 77.132366][ T12]  do_dentry_open+0x4df/0x1250
[ 77.132379][ T12]  vfs_open+0xa0/0xd0
[ 77.132398][ T12]  path_openat+0x10e9/0x46d0
[ 77.138002][ T9383] kobject: 'mq' (00000000d5ed6755): kobject_uevent_env: filter function caused the event to drop!
[ 77.143811][ T12]  do_filp_open+0x1a1/0x280
[ 77.143824][ T12]  do_sys_open+0x3fe/0x5d0
[ 77.143846][ T12]  __x64_sys_open+0x7e/0xc0
[ 77.148634][ T9383] kobject: '0' (00000000410a0505): kobject_add_internal: parent: 'mq', set: ''
[ 77.150562][ T12]  do_syscall_64+0xfd/0x680
[ 77.150576][ T12]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 77.150586][ T12]
[ 77.155046][ T9383] kobject: 'cpu0' (0000000081864098): kobject_add_internal: parent: '0', set: ''
[ 77.159046][ T12] Freed by task 0:
[ 77.159060][ T12]  save_stack+0x23/0x90
[ 77.159072][ T12]  __kasan_slab_free+0x102/0x150
[ 77.159085][ T12]  kasan_slab_free+0xe/0x10
[ 77.159096][ T12]  kmem_cache_free+0x86/0x260
[ 77.159107][ T12]  __d_free+0x20/0x30
[ 77.159127][ T12]  rcu_core+0xba5/0x1500
[ 77.165358][ T9383] kobject: 'cpu1' (00000000e322b6fb): kobject_add_internal: parent: '0', set: ''
[ 77.169316][ T12]  __do_softirq+0x25c/0x94c
[ 77.169321][ T12]
[ 77.169332][ T12] The buggy address belongs to the object at ffff88808d439840
[ 77.169332][ T12]  which belongs to the cache dentry of size 288
[ 77.169345][ T12] The buggy address is located 88 bytes inside of
[ 77.169345][ T12]  288-byte region [ffff88808d439840, ffff88808d439960)
[ 77.169350][ T12] The buggy address belongs to the page:
[ 77.169362][ T12] page:ffffea0002350e40 refcount:1 mapcount:0 mapping:ffff8880aa5907c0 index:0x0
[ 77.176920][ T9383] kobject: 'queue' (0000000087fc6c3d): kobject_uevent_env
[ 77.178360][ T12] flags: 0x1fffc0000000200(slab)
[ 77.178379][ T12] raw: 01fffc0000000200 ffffea000235f6c8 ffffea000235f788 ffff8880aa5907c0
[ 77.178395][ T12] raw: 0000000000000000 ffff88808d439000 000000010000000b 0000000000000000
[ 77.178414][ T12] page dumped because: kasan: bad access detected
[ 77.182432][ T9383] kobject: 'queue' (0000000087fc6c3d): kobject_uevent_env: filter function caused the event to drop!
[ 77.187209][ T12]
[ 77.187214][ T12] Memory state around the buggy address:
[ 77.187227][ T12]  ffff88808d439780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.187238][ T12]  ffff88808d439800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 77.187249][ T12] >ffff88808d439880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.187255][ T12]                          ^
[ 77.187265][ T12]  ffff88808d439900: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 77.187279][ T12]  ffff88808d439980: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.195093][ T9383] kobject: 'iosched' (0000000097073804): kobject_add_internal: parent: 'queue', set: ''
[ 77.196519][ T12] ==================================================================
[ 77.196525][ T12] Disabling lock debugging due to kernel taint
[ 77.206442][ T12] Kernel panic - not syncing: panic_on_warn set ...
[ 77.213391][ T9383] kobject: 'iosched' (0000000097073804): kobject_uevent_env
[ 77.216439][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.2.0-rc5+ #32
[ 77.216448][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 77.216462][ T12] Workqueue: events __blk_release_queue
[ 77.216469][ T12] Call Trace:
[ 77.216494][ T12]  dump_stack+0x172/0x1f0
[ 77.221813][ T9383] kobject: 'iosched' (0000000097073804): kobject_uevent_env: filter function caused the event to drop!
[ 77.226088][ T12]  panic+0x2cb/0x744
[ 77.226108][ T12]  ? __warn_printk+0xf3/0xf3
[ 77.230546][ T9383] kobject: 'integrity' (00000000ae026443): kobject_add_internal: parent: 'loop0', set: ''
[ 77.234563][ T12]  ? debugfs_remove+0x11a/0x130
[ 77.234584][ T12]  ? preempt_schedule+0x4b/0x60
[ 77.244990][ T9383] kobject: 'integrity' (00000000ae026443): kobject_uevent_env
[ 77.249023][ T12]  ? ___preempt_schedule+0x16/0x18
[ 77.249038][ T12]  ? trace_hardirqs_on+0x5e/0x220
[ 77.249058][ T12]  ? debugfs_remove+0x11a/0x130
[ 77.259187][ T9383] kobject: 'integrity' (00000000ae026443): kobject_uevent_env: filter function caused the event to drop!
[ 77.263244][ T12]  end_report+0x47/0x4f
[ 77.263264][ T12]  ? debugfs_remove+0x11a/0x130
[ 77.692192][ T12]  __kasan_report.cold+0xe/0x40
[ 77.697041][ T12]  ? __sanitizer_cov_trace_cmp1+0x10/0x20
[ 77.702757][ T12]  ? debugfs_remove+0x11a/0x130
[ 77.707600][ T12]  kasan_report+0x12/0x20
[ 77.711928][ T12]  __asan_report_load8_noabort+0x14/0x20
[ 77.717553][ T12]  debugfs_remove+0x11a/0x130
[ 77.722233][ T12]  blk_trace_free+0x38/0x140
[ 77.726813][ T12]  __blk_trace_remove+0x78/0xa0
[ 77.731675][ T12]  blk_trace_shutdown+0x67/0x90
[ 77.736520][ T12]  __blk_release_queue+0x1d6/0x330
[ 77.741625][ T12]  process_one_work+0x989/0x1790
[ 77.746559][ T12]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 77.751923][ T12]  ? lock_acquire+0x16f/0x3f0
[ 77.756595][ T12]  worker_thread+0x98/0xe40
[ 77.761090][ T12]  ? trace_hardirqs_on+0x67/0x220
[ 77.766112][ T12]  kthread+0x354/0x420
[ 77.770175][ T12]  ? process_one_work+0x1790/0x1790
[ 77.775363][ T12]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 77.781595][ T12]  ret_from_fork+0x24/0x30
[ 77.787056][ T12] Kernel Offset: disabled
[ 77.791372][ T12] Rebooting in 86400 seconds..