[ ok ] Starting enhanced syslogd: rsyslogd.
[ 56.118331][ T27] audit: type=1800 audit(1561978368.113:25): pid=8637 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 56.155439][ T27] audit: type=1800 audit(1561978368.113:26): pid=8637 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 56.176352][ T27] audit: type=1800 audit(1561978368.113:27): pid=8637 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.55' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 67.606036][ T12] ==================================================================
[ 67.614441][ T12] BUG: KASAN: use-after-free in debugfs_remove+0x10d/0x130
[ 67.622082][ T12] Read of size 8 at addr ffff8880a6a20bc0 by task kworker/0:1/12
[ 67.629865][ T12]
[ 67.632182][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.0-rc6-next-20190628 #25
[ 67.640963][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.651188][ T12] Workqueue: events __blk_release_queue
[ 67.656738][ T12] Call Trace:
[ 67.660022][ T12]  dump_stack+0x172/0x1f0
[ 67.664334][ T12]  ? debugfs_remove+0x10d/0x130
[ 67.669165][ T12]  print_address_description.cold+0xd4/0x306
[ 67.675267][ T12]  ? debugfs_remove+0x10d/0x130
[ 67.680134][ T12]  ? debugfs_remove+0x10d/0x130
[ 67.685069][ T12]  __kasan_report.cold+0x1b/0x36
[ 67.690023][ T12]  ? write_comp_data+0x70/0x70
[ 67.694790][ T12]  ? debugfs_remove+0x10d/0x130
[ 67.699697][ T12]  kasan_report+0x12/0x17
[ 67.704103][ T12]  __asan_report_load8_noabort+0x14/0x20
[ 67.709809][ T12]  debugfs_remove+0x10d/0x130
[ 67.714581][ T12]  blk_trace_free+0x38/0x140
[ 67.719519][ T12]  __blk_trace_remove+0x78/0xa0
[ 67.724358][ T12]  blk_trace_shutdown+0x67/0x90
[ 67.729193][ T12]  __blk_release_queue+0x1de/0x340
[ 67.734295][ T12]  process_one_work+0x9af/0x1740
[ 67.739347][ T12]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 67.744735][ T12]  ? lock_acquire+0x190/0x410
[ 67.749410][ T12]  worker_thread+0x98/0xe40
[ 67.753989][ T12]  ? trace_hardirqs_on+0x67/0x240
[ 67.759016][ T12]  kthread+0x361/0x430
[ 67.763075][ T12]  ? process_one_work+0x1740/0x1740
[ 67.768382][ T12]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 67.774716][ T12]  ret_from_fork+0x24/0x30
[ 67.779242][ T12]
[ 67.781551][ T12] Allocated by task 8801:
[ 67.785863][ T12]  save_stack+0x23/0x90
[ 67.789994][ T12]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 67.795694][ T12]  kasan_slab_alloc+0xf/0x20
[ 67.800262][ T12]  kmem_cache_alloc+0x121/0x710
[ 67.805100][ T12]  __d_alloc+0x2e/0x8c0
[ 67.809246][ T12]  d_alloc+0x4d/0x280
[ 67.814221][ T12]  d_alloc_parallel+0xf4/0x1c30
[ 67.819076][ T12]  __lookup_slow+0x1ab/0x500
[ 67.823644][ T12]  lookup_one_len+0x16d/0x1a0
[ 67.828295][ T12]  start_creating+0xbf/0x1e0
[ 67.832878][ T12]  __debugfs_create_file+0x65/0x3d0
[ 67.838171][ T12]  debugfs_create_file+0x5a/0x70
[ 67.843110][ T12]  do_blk_trace_setup+0x361/0xb50
[ 67.848226][ T12]  __blk_trace_setup+0xe3/0x190
[ 67.853319][ T12]  blk_trace_ioctl+0x170/0x300
[ 67.858166][ T12]  blkdev_ioctl+0x126/0x1c1a
[ 67.862910][ T12]  block_ioctl+0xee/0x130
[ 67.867421][ T12]  do_vfs_ioctl+0xdb6/0x13e0
[ 67.872252][ T12]  ksys_ioctl+0xab/0xd0
[ 67.876393][ T12]  __x64_sys_ioctl+0x73/0xb0
[ 67.881065][ T12]  do_syscall_64+0xfd/0x6a0
[ 67.885556][ T12]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 67.891420][ T12]
[ 67.893723][ T12] Freed by task 0:
[ 67.897525][ T12]  save_stack+0x23/0x90
[ 67.901706][ T12]  __kasan_slab_free+0x102/0x150
[ 67.906620][ T12]  kasan_slab_free+0xe/0x10
[ 67.911110][ T12]  kmem_cache_free+0x86/0x320
[ 67.915872][ T12]  __d_free+0x20/0x30
[ 67.919921][ T12]  rcu_core+0x67f/0x1580
[ 67.924144][ T12]  rcu_core_si+0x9/0x10
[ 67.928276][ T12]  __do_softirq+0x262/0x98c
[ 67.932766][ T12]
[ 67.935075][ T12] The buggy address belongs to the object at ffff8880a6a20b80
[ 67.935075][ T12]  which belongs to the cache dentry of size 288
[ 67.948680][ T12] The buggy address is located 64 bytes inside of
[ 67.948680][ T12]  288-byte region [ffff8880a6a20b80, ffff8880a6a20ca0)
[ 67.961971][ T12] The buggy address belongs to the page:
[ 67.967588][ T12] page:ffffea00029a8800 refcount:1 mapcount:0 mapping:ffff88821bc47540 index:0x0
[ 67.976691][ T12] flags: 0x1fffc0000000200(slab)
[ 67.981616][ T12] raw: 01fffc0000000200 ffffea0002a84d48 ffffea0002261888 ffff88821bc47540
[ 67.990217][ T12] raw: 0000000000000000 ffff8880a6a20080 000000010000000b 0000000000000000
[ 67.998910][ T12] page dumped because: kasan: bad access detected
[ 68.005298][ T12]
[ 68.007610][ T12] Memory state around the buggy address:
[ 68.013225][ T12]  ffff8880a6a20a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 68.021449][ T12]  ffff8880a6a20b00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 68.029643][ T12] >ffff8880a6a20b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.037687][ T12]                                            ^
[ 68.043842][ T12]  ffff8880a6a20c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
[ 68.052017][ T12]  ffff8880a6a20c80: fb fb fb fb fc fc fc fc fc fc fc fc 00 00 00 00
[ 68.060080][ T12] ==================================================================
[ 68.068230][ T12] Disabling lock debugging due to kernel taint
[ 68.075730][ T12] Kernel panic - not syncing: panic_on_warn set ...
[ 68.079431][ T8804] kobject: '7:0' (00000000f3c65e39): kobject_add_internal: parent: 'bdi', set: 'devices'
[ 68.082328][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.2.0-rc6-next-20190628 #25
[ 68.082340][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.092568][ T8804] kobject: '7:0' (00000000f3c65e39): kobject_uevent_env
[ 68.102356][ T12] Workqueue: events __blk_release_queue
[ 68.102363][ T12] Call Trace:
[ 68.102380][ T12]  dump_stack+0x172/0x1f0
[ 68.102395][ T12]  panic+0x2dc/0x755
[ 68.102411][ T12]  ? add_taint.cold+0x16/0x16
[ 68.114165][ T8804] kobject: '7:0' (00000000f3c65e39): fill_kobj_path: path = '/devices/virtual/bdi/7:0'
[ 68.119449][ T12]  ? debugfs_remove+0x10d/0x130
[ 68.119465][ T12]  ? preempt_schedule+0x4b/0x60
[ 68.119478][ T12]  ? ___preempt_schedule+0x16/0x18
[ 68.119497][ T12]  ? trace_hardirqs_on+0x5e/0x240
[ 68.127183][ T8804] kobject: 'loop0' (000000003504fae6): kobject_add_internal: parent: 'block', set: 'devices'
[ 68.128456][ T12]  ? debugfs_remove+0x10d/0x130
[ 68.128473][ T12]  end_report+0x47/0x4f
[ 68.144970][ T8804] kobject: 'loop0' (000000003504fae6): kobject_uevent_env
[ 68.151103][ T12]  ? debugfs_remove+0x10d/0x130
[ 68.151121][ T12]  __kasan_report.cold+0xe/0x36
[ 68.156007][ T8804] kobject: 'loop0' (000000003504fae6): kobject_uevent_env: uevent_suppress caused the event to drop!
[ 68.160771][ T12]  ? write_comp_data+0x70/0x70
[ 68.160788][ T12]  ? debugfs_remove+0x10d/0x130
[ 68.166368][ T8804] kobject: 'holders' (00000000f8a9d899): kobject_add_internal: parent: 'loop0', set: ''
[ 68.170953][ T12]  kasan_report+0x12/0x17
[ 68.170970][ T12]  __asan_report_load8_noabort+0x14/0x20
[ 68.181540][ T8804] kobject: 'slaves' (000000006352b251): kobject_add_internal: parent: 'loop0', set: ''
[ 68.186023][ T12]  debugfs_remove+0x10d/0x130
[ 68.186036][ T12]  blk_trace_free+0x38/0x140
[ 68.186047][ T12]  __blk_trace_remove+0x78/0xa0
[ 68.186060][ T12]  blk_trace_shutdown+0x67/0x90
[ 68.186081][ T12]  __blk_release_queue+0x1de/0x340
[ 68.190561][ T8804] kobject: 'loop0' (000000003504fae6): kobject_uevent_env
[ 68.197379][ T12]  process_one_work+0x9af/0x1740
[ 68.197397][ T12]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 68.197410][ T12]  ? lock_acquire+0x190/0x410
[ 68.197428][ T12]  worker_thread+0x98/0xe40
[ 68.202534][ T8804] kobject: 'loop0' (000000003504fae6): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 68.207076][ T12]  ? trace_hardirqs_on+0x67/0x240
[ 68.207094][ T12]  kthread+0x361/0x430
[ 68.207107][ T12]  ? process_one_work+0x1740/0x1740
[ 68.207123][ T12]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 68.223750][ T8804] kobject: 'queue' (00000000ae909bca): kobject_add_internal: parent: 'loop0', set: ''
[ 68.227811][ T12]  ret_from_fork+0x24/0x30
[ 68.230183][ T12] Kernel Offset: disabled
[ 68.372462][ T12] Rebooting in 86400 seconds..