[ ok ] Starting enhanced syslogd: rsyslogd.
[ 62.964232][ T27] audit: type=1800 audit(1574720532.154:25): pid=8950 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 62.986752][ T27] audit: type=1800 audit(1574720532.154:26): pid=8950 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 63.022682][ T27] audit: type=1800 audit(1574720532.154:27): pid=8950 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.137' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 75.190691][ T9105] devpts: called with bogus options
[ 75.208515][ T9107] devpts: called with bogus options
executing program
[ 75.294092][ T9109] devpts: called with bogus options
executing program
[ 75.374661][ T9111] devpts: called with bogus options
executing program
[ 75.444605][ T9113] devpts: called with bogus options
executing program
executing program
[ 75.494440][ T9115] devpts: called with bogus options
[ 75.553052][ T9117] devpts: called with bogus options
executing program
[ 75.615306][ T9119] devpts: called with bogus options
executing program
[ 75.714361][ T9121] devpts: called with bogus options
executing program
executing program
[ 75.887010][ T9125] devpts: called with bogus options
[ 75.899454][ T9127] devpts: called with bogus options
[ 75.958636][ T17] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
[ 76.029790][ T9126] debugfs: Directory 'loop0' with parent 'block' already present!
executing program
executing program
executing program
[ 76.112798][ T9130] devpts: called with bogus options
[ 76.125983][ T9132] devpts: called with bogus options
[ 76.138834][ T9135] devpts: called with bogus options
[ 76.159741][ T17] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
[ 76.199483][ T9133] debugfs: Directory 'loop0' with parent 'block' already present!
executing program
[ 76.212725][ T9135] debugfs: File 'dropped' in directory 'loop0' already present!
[ 76.223433][ T9135] debugfs: File 'msg' in directory 'loop0' already present!
[ 76.231110][ T9135] debugfs: File 'trace0' in directory 'loop0' already present!
[ 76.239469][ T9131] debugfs: File 'dropped' in directory 'loop0' already present!
[ 76.247807][ T9131] debugfs: File 'msg' in directory 'loop0' already present!
[ 76.255413][ T9131] debugfs: File 'trace0' in directory 'loop0' already present!
[ 76.268562][ T9138] devpts: called with bogus options
[ 76.307464][ T5] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
executing program
executing program
[ 76.373278][ T9141] devpts: called with bogus options
[ 76.387430][ T9143] devpts: called with bogus options
[ 76.428284][ T5] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
executing program
executing program
executing program
[ 76.614215][ T9146] devpts: called with bogus options
[ 76.628877][ T9148] devpts: called with bogus options
[ 76.638705][ T9151] devpts: called with bogus options
[ 76.659724][ T17] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
executing program
executing program
executing program
[ 76.912155][ T9154] devpts: called with bogus options
[ 76.927447][ T9156] devpts: called with bogus options
[ 76.937003][ T9159] devpts: called with bogus options
[ 76.969580][ T17] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
executing program
[ 77.028975][ T9158] debugfs: Directory 'loop0' with parent 'block' already present!
[ 77.040977][ T9155] debugfs: File 'dropped' in directory 'loop0' already present!
[ 77.049469][ T9155] debugfs: File 'msg' in directory 'loop0' already present!
[ 77.060732][ T9161] devpts: called with bogus options
[ 77.066211][ T9155] debugfs: File 'trace0' in directory 'loop0' already present!
executing program
[ 77.075564][ T9158] debugfs: File 'dropped' in directory 'loop0' already present!
[ 77.083847][ T9158] debugfs: File 'msg' in directory 'loop0' already present!
[ 77.091906][ T9158] debugfs: File 'trace0' in directory 'loop0' already present!
[ 77.100372][ T9161] debugfs: File 'dropped' in directory 'loop0' already present!
[ 77.108376][ T9161] debugfs: File 'msg' in directory 'loop0' already present!
[ 77.115922][ T9161] debugfs: File 'trace0' in directory 'loop0' already present!
[ 77.132488][ T9165] devpts: called with bogus options
[ 77.177984][ T17] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
executing program
executing program
executing program
[ 77.257739][ T9167] devpts: called with bogus options
[ 77.269304][ T9170] devpts: called with bogus options
[ 77.278398][ T9172] devpts: called with bogus options
[ 77.309942][ T5] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
executing program
[ 77.365873][ T9168] debugfs: File 'dropped' in directory 'loop0' already present!
[ 77.374663][ T9168] debugfs: File 'msg' in directory 'loop0' already present!
[ 77.386057][ T9174] devpts: called with bogus options
[ 77.391964][ T9168] debugfs: File 'trace0' in directory 'loop0' already present!
[ 77.400879][ T9171] debugfs: File 'dropped' in directory 'loop0' already present!
[ 77.408772][ T9171] debugfs: File 'msg' in directory 'loop0' already present!
executing program
[ 77.416356][ T9171] debugfs: File 'trace0' in directory 'loop0' already present!
[ 77.424413][ T9174] debugfs: File 'dropped' in directory 'loop0' already present!
[ 77.432146][ T9174] debugfs: File 'msg' in directory 'loop0' already present!
[ 77.439766][ T9174] debugfs: File 'trace0' in directory 'loop0' already present!
[ 77.453864][ T9177] devpts: called with bogus options
[ 77.488541][ T5] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
executing program
executing program
[ 77.583783][ T9180] devpts: called with bogus options
[ 77.596389][ T9182] devpts: called with bogus options
[ 77.639512][ T17] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
executing program
[ 77.697430][ T9182] debugfs: File 'dropped' in directory 'loop0' already present!
[ 77.705137][ T9182] debugfs: File 'msg' in directory 'loop0' already present!
[ 77.713956][ T9182] debugfs: File 'trace0' in directory 'loop0' already present!
[ 77.726144][ T9185] devpts: called with bogus options
executing program
[ 77.798937][ T17] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
executing program
[ 77.860339][ T9187] devpts: called with bogus options
[ 77.873488][ T9190] devpts: called with bogus options
[ 77.909394][ T5] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
[ 77.938917][ T9189] debugfs: Directory 'loop0' with parent 'block' already present!
executing program
executing program
executing program
[ 78.061950][ T9193] devpts: called with bogus options
[ 78.073866][ T9195] devpts: called with bogus options
[ 78.085924][ T9198] devpts: called with bogus options
[ 78.129339][ T17] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
[ 78.186750][ T9194] debugfs: File 'dropped' in directory 'loop0' already present!
[ 78.195036][ T9194] debugfs: File 'msg' in directory 'loop0' already present!
[ 78.202666][ T9194] debugfs: File 'trace0' in directory 'loop0' already present!
[ 78.210591][ T9198] debugfs: File 'dropped' in directory 'loop0' already present!
[ 78.223661][ T9198] debugfs: File 'msg' in directory 'loop0' already present!
executing program
[ 78.231393][ T9198] debugfs: File 'trace0' in directory 'loop0' already present!
[ 78.244390][ T9201] devpts: called with bogus options
[ 78.298563][ T5] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
executing program
executing program
executing program
[ 78.349309][ T9201] debugfs: Directory 'loop0' with parent 'block' already present!
[ 78.370777][ T9204] devpts: called with bogus options
[ 78.381482][ T9206] devpts: called with bogus options
[ 78.393528][ T9208] devpts: called with bogus options
[ 78.418244][ T17] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
executing program
[ 78.660829][ T9211] devpts: called with bogus options
executing program
[ 78.699534][ T5] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
executing program
executing program
[ 78.760061][ T9214] devpts: called with bogus options
[ 78.772801][ T9216] devpts: called with bogus options
[ 78.784584][ T9219] devpts: called with bogus options
[ 78.810034][ T17] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
executing program
[ 78.858977][ T9217] debugfs: Directory 'loop0' with parent 'block' already present!
[ 78.871231][ T9215] debugfs: File 'dropped' in directory 'loop0' already present!
[ 78.880291][ T9215] debugfs: File 'msg' in directory 'loop0' already present!
[ 78.891415][ T9221] devpts: called with bogus options
[ 78.897070][ T9215] debugfs: File 'trace0' in directory 'loop0' already present!
executing program
[ 78.905760][ T9217] debugfs: File 'dropped' in directory 'loop0' already present!
[ 78.914694][ T9217] debugfs: File 'msg' in directory 'loop0' already present!
[ 78.922839][ T9217] debugfs: File 'trace0' in directory 'loop0' already present!
[ 78.931165][ T9221] debugfs: File 'dropped' in directory 'loop0' already present!
[ 78.939179][ T9221] debugfs: File 'msg' in directory 'loop0' already present!
[ 78.947512][ T9221] debugfs: File 'trace0' in directory 'loop0' already present!
[ 78.962547][ T9225] devpts: called with bogus options
[ 79.007675][ T17] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
executing program
executing program
[ 79.109288][ T9228] devpts: called with bogus options
[ 79.123394][ T9230] devpts: called with bogus options
[ 79.149341][ T17] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
executing program
executing program
executing program
[ 79.342226][ T9233] devpts: called with bogus options
[ 79.355277][ T9235] devpts: called with bogus options
[ 79.365762][ T9238] devpts: called with bogus options
[ 79.389305][ T5] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
executing program
[ 79.539558][ T5] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
[ 79.569281][ T9234] debugfs: Directory 'loop0' with parent 'block' already present!
executing program
[ 79.595157][ T9241] devpts: called with bogus options
[ 79.610729][ T9244] devpts: called with bogus options
[ 79.638711][ T17] ==================================================================
[ 79.647107][ T17] BUG: KASAN: use-after-free in relay_switch_subbuf+0x8be/0x920
[ 79.654788][ T17] Read of size 8 at addr ffff8880a2c3e4f8 by task kworker/1:0/17
[ 79.662588][ T17]
[ 79.664921][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.4.0-rc8-next-20191125-syzkaller #0
[ 79.674298][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 79.684367][ T17] Workqueue: events __blk_release_queue
[ 79.689894][ T17] Call Trace:
[ 79.693174][ T17] dump_stack+0x197/0x210
[ 79.697515][ T17] ? relay_switch_subbuf+0x8be/0x920
[ 79.703069][ T17] print_address_description.constprop.0.cold+0xd4/0x30b
[ 79.710093][ T17] ? relay_switch_subbuf+0x8be/0x920
[ 79.715362][ T17] ? relay_switch_subbuf+0x8be/0x920
[ 79.720897][ T17] __kasan_report.cold+0x1b/0x41
[ 79.725969][ T17] ? relay_switch_subbuf+0x8be/0x920
[ 79.731251][ T17] kasan_report+0x12/0x20
[ 79.735691][ T17] __asan_report_load8_noabort+0x14/0x20
[ 79.741421][ T17] relay_switch_subbuf+0x8be/0x920
[ 79.746562][ T17] relay_flush+0x1c4/0x280
[ 79.750977][ T17] __blk_trace_startstop.isra.0+0x216/0x630
[ 79.756857][ T17] ? blk_msg_write+0xd0/0xd0
[ 79.761434][ T17] ? blk_mq_sysfs_deinit+0x10b/0x150
[ 79.766699][ T17] ? blk_mq_release+0x2ed/0x410
[ 79.771568][ T17] blk_trace_shutdown+0x5f/0x90
[ 79.776407][ T17] __blk_release_queue+0x219/0x380
[ 79.781517][ T17] process_one_work+0x9af/0x1740
[ 79.786448][ T17] ? pwq_dec_nr_in_flight+0x320/0x320
[ 79.791806][ T17] ? lock_acquire+0x190/0x410
[ 79.796475][ T17] worker_thread+0x98/0xe40
[ 79.800978][ T17] kthread+0x361/0x430
[ 79.805034][ T17] ? process_one_work+0x1740/0x1740
[ 79.810216][ T17] ? kthread_mod_delayed_work+0x1f0/0x1f0
[ 79.815935][ T17] ret_from_fork+0x24/0x30
[ 79.820337][ T17]
[ 79.822648][ T17] Allocated by task 9238:
[ 79.826971][ T17] save_stack+0x23/0x90
[ 79.831116][ T17] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 79.836732][ T17] kasan_slab_alloc+0xf/0x20
[ 79.841304][ T17] kmem_cache_alloc+0x121/0x710
[ 79.846141][ T17] __d_alloc+0x2e/0x8c0
[ 79.850298][ T17] d_alloc+0x4d/0x280
[ 79.854271][ T17] d_alloc_parallel+0xf4/0x1c00
[ 79.859108][ T17] __lookup_slow+0x1ab/0x500
[ 79.863701][ T17] lookup_one_len+0x16d/0x1a0
[ 79.868394][ T17] start_creating+0xc5/0x1d0
[ 79.872966][ T17] __debugfs_create_file+0x65/0x3f0
[ 79.878178][ T17] debugfs_create_file+0x5a/0x70
[ 79.883105][ T17] blk_create_buf_file_callback+0x33/0x40
[ 79.888807][ T17] relay_create_buf_file+0xf9/0x180
[ 79.893983][ T17] relay_open_buf.part.0+0x76e/0xb60
[ 79.899266][ T17] relay_open+0x523/0x980
[ 79.903591][ T17] do_blk_trace_setup+0x3f0/0xb50
[ 79.908600][ T17] __blk_trace_setup+0xe3/0x190
[ 79.913447][ T17] blk_trace_ioctl+0x170/0x300
[ 79.918315][ T17] blkdev_ioctl+0x126/0x1dc0
[ 79.922896][ T17] block_ioctl+0xee/0x130
[ 79.927208][ T17] do_vfs_ioctl+0x977/0x14e0
[ 79.931780][ T17] ksys_ioctl+0xab/0xd0
[ 79.935924][ T17] __x64_sys_ioctl+0x73/0xb0
[ 79.940515][ T17] do_syscall_64+0xfa/0x790
[ 79.945016][ T17] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.951023][ T17]
[ 79.953455][ T17] Freed by task 0:
[ 79.957191][ T17] save_stack+0x23/0x90
[ 79.961342][ T17] __kasan_slab_free+0x102/0x150
[ 79.966369][ T17] kasan_slab_free+0xe/0x10
[ 79.970867][ T17] kmem_cache_free+0x86/0x320
[ 79.975526][ T17] __d_free+0x20/0x30
[ 79.979487][ T17] rcu_core+0x570/0x1540
[ 79.983709][ T17] rcu_core_si+0x9/0x10
[ 79.987847][ T17] __do_softirq+0x262/0x98c
[ 79.992410][ T17]
[ 79.994720][ T17] The buggy address belongs to the object at ffff8880a2c3e4a0
[ 79.994720][ T17] which belongs to the cache dentry of size 288
[ 80.009016][ T17] The buggy address is located 88 bytes inside of
[ 80.009016][ T17] 288-byte region [ffff8880a2c3e4a0, ffff8880a2c3e5c0)
[ 80.022204][ T17] The buggy address belongs to the page:
[ 80.027827][ T17] page:ffffea00028b0f80 refcount:1 mapcount:0 mapping:ffff8880aa576000 index:0x0
[ 80.036922][ T17] raw: 01fffc0000000200 ffffea000241e688 ffffea0002341108 ffff8880aa576000
[ 80.045494][ T17] raw: 0000000000000000 ffff8880a2c3e080 000000010000000b 0000000000000000
[ 80.054069][ T17] page dumped because: kasan: bad access detected
[ 80.060472][ T17]
[ 80.062779][ T17] Memory state around the buggy address:
[ 80.068404][ T17] ffff8880a2c3e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.076461][ T17] ffff8880a2c3e400: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 80.084534][ T17] >ffff8880a2c3e480: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.092585][ T17] ^
[ 80.100674][ T17] ffff8880a2c3e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.108755][ T17] ffff8880a2c3e580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 80.116912][ T17] ==================================================================
[ 80.125076][ T17] Disabling lock debugging due to kernel taint
[ 80.131391][ T17] Kernel panic - not syncing: panic_on_warn set ...
[ 80.137984][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Tainted: G B 5.4.0-rc8-next-20191125-syzkaller #0
[ 80.148939][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 80.158996][ T17] Workqueue: events __blk_release_queue
[ 80.164525][ T17] Call Trace:
[ 80.167801][ T17] dump_stack+0x197/0x210
[ 80.172119][ T17] panic+0x2e3/0x75c
[ 80.175998][ T17] ? add_taint.cold+0x16/0x16
[ 80.180674][ T17] ? relay_switch_subbuf+0x8be/0x920
[ 80.186096][ T17] ? preempt_schedule+0x4b/0x60
[ 80.190942][ T17] ? ___preempt_schedule+0x16/0x18
[ 80.196103][ T17] ? trace_hardirqs_on+0x5e/0x240
[ 80.201121][ T17] ? relay_switch_subbuf+0x8be/0x920
[ 80.206385][ T17] end_report+0x47/0x4f
[ 80.210653][ T17] ? relay_switch_subbuf+0x8be/0x920
[ 80.216041][ T17] __kasan_report.cold+0xe/0x41
[ 80.220949][ T17] ? relay_switch_subbuf+0x8be/0x920
[ 80.226225][ T17] kasan_report+0x12/0x20
[ 80.230559][ T17] __asan_report_load8_noabort+0x14/0x20
[ 80.236183][ T17] relay_switch_subbuf+0x8be/0x920
[ 80.241280][ T17] relay_flush+0x1c4/0x280
[ 80.245836][ T17] __blk_trace_startstop.isra.0+0x216/0x630
[ 80.251713][ T17] ? blk_msg_write+0xd0/0xd0
[ 80.256286][ T17] ? blk_mq_sysfs_deinit+0x10b/0x150
[ 80.261551][ T17] ? blk_mq_release+0x2ed/0x410
[ 80.266387][ T17] blk_trace_shutdown+0x5f/0x90
[ 80.271233][ T17] __blk_release_queue+0x219/0x380
[ 80.276331][ T17] process_one_work+0x9af/0x1740
[ 80.281257][ T17] ? pwq_dec_nr_in_flight+0x320/0x320
[ 80.286617][ T17] ? lock_acquire+0x190/0x410
[ 80.291282][ T17] worker_thread+0x98/0xe40
[ 80.295774][ T17] kthread+0x361/0x430
[ 80.299838][ T17] ? process_one_work+0x1740/0x1740
[ 80.305111][ T17] ? kthread_mod_delayed_work+0x1f0/0x1f0
[ 80.310818][ T17] ret_from_fork+0x24/0x30
[ 80.316726][ T17] Kernel Offset: disabled
[ 80.321129][ T17] Rebooting in 86400 seconds..