[   46.497119] audit: type=1800 audit(1583333039.368:29): pid=8188 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2447 res=0
[   46.519874] audit: type=1800 audit(1583333039.368:30): pid=8188 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.18' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   55.533941] kauditd_printk_skb: 5 callbacks suppressed
[   55.533956] audit: type=1400 audit(1583333048.398:36): avc:  denied  { map } for  pid=8373 comm="syz-executor135" path="/root/syz-executor135196009" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   56.516533] ==================================================================
[   56.523993] BUG: KASAN: use-after-free in debugfs_remove+0xfd/0x120
[   56.530412] Read of size 8 at addr ffff88807ed329e0 by task kworker/1:0/19
[   56.537440] 
[   56.539091] CPU: 1 PID: 19 Comm: kworker/1:0 Not tainted 4.19.107-syzkaller #0
[   56.546462] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   56.555838] Workqueue: events __blk_release_queue
[   56.560690] Call Trace:
[   56.563292]  dump_stack+0x188/0x20d
[   56.566941]  ? debugfs_remove+0xfd/0x120
[   56.571016]  print_address_description.cold+0x7c/0x212
[   56.576431]  ? debugfs_remove+0xfd/0x120
[   56.580504]  kasan_report.cold+0x88/0x2b9
[   56.584672]  debugfs_remove+0xfd/0x120
[   56.588663]  blk_trace_free+0x31/0x130
[   56.592561]  __blk_trace_remove+0x71/0xa0
[   56.596726]  blk_trace_shutdown+0x5f/0x80
[   56.600886]  __blk_release_queue+0x250/0x510
[   56.605311]  process_one_work+0x91f/0x1640
[   56.609573]  ? pwq_dec_nr_in_flight+0x310/0x310
[   56.614454]  worker_thread+0x96/0xe20
[   56.618283]  ? process_one_work+0x1640/0x1640
[   56.622851]  kthread+0x34a/0x420
[   56.626352]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   56.631958]  ret_from_fork+0x24/0x30
[   56.635693] 
[   56.637392] Allocated by task 8386:
[   56.641042]  kasan_kmalloc+0xbf/0xe0
[   56.644765]  kmem_cache_alloc+0x127/0x710
[   56.648926]  __d_alloc+0x2b/0x9e0
[   56.652453]  d_alloc+0x4a/0x240
[   56.655887]  d_alloc_parallel+0xe8/0x1ad0
[   56.660056]  __lookup_slow+0x18d/0x4b0
[   56.663953]  lookup_one_len+0x163/0x190
[   56.667946]  start_creating+0xba/0x1f0
[   56.671851]  __debugfs_create_file+0x62/0x400
[   56.676494]  do_blk_trace_setup+0x361/0xb60
[   56.680935]  __blk_trace_setup+0xca/0x180
[   56.685109]  blk_trace_ioctl+0x15e/0x2e0
[   56.689191]  blkdev_ioctl+0x112/0x1a1c
[   56.693094]  block_ioctl+0xe9/0x130
[   56.696733]  do_vfs_ioctl+0xcda/0x12e0
[   56.700629]  ksys_ioctl+0x9b/0xc0
[   56.704095]  __x64_sys_ioctl+0x6f/0xb0
[   56.708140]  do_syscall_64+0xf9/0x620
[   56.712104]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   56.717301] 
[   56.718938] Freed by task 0:
[   56.722130]  __kasan_slab_free+0xf7/0x140
[   56.726295]  kmem_cache_free+0x7f/0x260
[   56.730474]  rcu_process_callbacks+0xb2d/0x17f0
[   56.735207]  __do_softirq+0x26c/0x93c
[   56.739017] 
[   56.740664] The buggy address belongs to the object at ffff88807ed329a0
[   56.740664]  which belongs to the cache dentry of size 288
[   56.753264] The buggy address is located 64 bytes inside of
[   56.753264]  288-byte region [ffff88807ed329a0, ffff88807ed32ac0)
[   56.765067] The buggy address belongs to the page:
[   56.770098] page:ffffea0001fb4c80 count:1 mapcount:0 mapping:ffff88812c2b76c0 index:0x0
[   56.778518] flags: 0xfffe0000000100(slab)
[   56.782934] raw: 00fffe0000000100 ffffea0001fb4c48 ffffea0001fb4d08 ffff88812c2b76c0
[   56.790837] raw: 0000000000000000 ffff88807ed32000 000000010000000b 0000000000000000
[   56.798967] page dumped because: kasan: bad access detected
[   56.804894] 
[   56.806532] Memory state around the buggy address:
executing program
[   56.811613]  ffff88807ed32880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   56.819104]  ffff88807ed32900: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   56.826564] >ffff88807ed32980: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
[   56.833934]                                                        ^
[   56.840435]  ffff88807ed32a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   56.847895]  ffff88807ed32a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   56.855269] ==================================================================
[   56.862835] Disabling lock debugging due to kernel taint
[   56.877182] Kernel panic - not syncing: panic_on_warn set ...
[   56.877182] 
[   56.885002] CPU: 1 PID: 19 Comm: kworker/1:0 Tainted: G    B             4.19.107-syzkaller #0
[   56.893972] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   56.903461] Workqueue: events __blk_release_queue
[   56.908301] Call Trace:
[   56.911295]  dump_stack+0x188/0x20d
[   56.915045]  panic+0x26a/0x50e
[   56.918418]  ? __warn_printk+0xf3/0xf3
[   56.922443]  ? preempt_schedule_common+0x4a/0xc0
[   56.927196]  ? debugfs_remove+0xfd/0x120
[   56.931273]  ? ___preempt_schedule+0x16/0x18
[   56.935696]  ? trace_hardirqs_on+0x55/0x210
[   56.940033]  ? debugfs_remove+0xfd/0x120
[   56.944092]  kasan_end_report+0x43/0x49
[   56.948063]  kasan_report.cold+0xa4/0x2b9
[   56.952295]  debugfs_remove+0xfd/0x120
[   56.956191]  blk_trace_free+0x31/0x130
[   56.960377]  __blk_trace_remove+0x71/0xa0
[   56.964769]  blk_trace_shutdown+0x5f/0x80
[   56.968984]  __blk_release_queue+0x250/0x510
[   56.973484]  process_one_work+0x91f/0x1640
[   56.977777]  ? pwq_dec_nr_in_flight+0x310/0x310
[   56.982505]  worker_thread+0x96/0xe20
[   56.986312]  ? process_one_work+0x1640/0x1640
[   56.990806]  kthread+0x34a/0x420
[   56.994166]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   56.999696]  ret_from_fork+0x24/0x30
[   57.004573] Kernel Offset: disabled
[   57.008257] Rebooting in 86400 seconds..
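Added triage example (not part of the syzkaller console log above, and not syzkaller's own report parser, which lives in Go under pkg/report): a small Python parser that turns the KASAN report into structured fields and cross-checks the numbers the report states. The sample text is trimmed from the report on this page to the lines the parser needs; the shadow-byte meanings (0xfb = KASAN_KMALLOC_FREE, 0xfc = KASAN_KMALLOC_REDZONE) are the 4.19-era values from mm/kasan/kasan.h, and the "row base = address rounded down to 128 bytes, one shadow byte per 8 bytes" layout is the standard KASAN shadow print format. What the parser makes explicit is the story the log tells: the dentry was allocated from the BLKTRACESETUP ioctl path (task 8386, via do_blk_trace_setup and __debugfs_create_file), freed by an RCU callback in softirq context (task 0), and then read 64 bytes into the freed 288-byte dentry by debugfs_remove running from the queue-release workqueue; the shadow byte covering the faulting address is 0xfb, i.e. already freed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Trimmed excerpt of the KASAN report on this page (same lines, fewer frames/rows).
REPORT = """\
[   56.523993] BUG: KASAN: use-after-free in debugfs_remove+0xfd/0x120
[   56.530412] Read of size 8 at addr ffff88807ed329e0 by task kworker/1:0/19
[   56.537440]
[   56.560690] Call Trace:
[   56.563292]  dump_stack+0x188/0x20d
[   56.566941]  ? debugfs_remove+0xfd/0x120
[   56.584672]  debugfs_remove+0xfd/0x120
[   56.588663]  blk_trace_free+0x31/0x130
[   56.631958]  ret_from_fork+0x24/0x30
[   56.635693]
[   56.637392] Allocated by task 8386:
[   56.641042]  kasan_kmalloc+0xbf/0xe0
[   56.648926]  __d_alloc+0x2b/0x9e0
[   56.676494]  do_blk_trace_setup+0x361/0xb60
[   56.685109]  blk_trace_ioctl+0x15e/0x2e0
[   56.717301]
[   56.718938] Freed by task 0:
[   56.722130]  __kasan_slab_free+0xf7/0x140
[   56.726295]  kmem_cache_free+0x7f/0x260
[   56.730474]  rcu_process_callbacks+0xb2d/0x17f0
[   56.739017]
[   56.740664] The buggy address belongs to the object at ffff88807ed329a0
[   56.740664]  which belongs to the cache dentry of size 288
[   56.753264] The buggy address is located 64 bytes inside of
[   56.806532] Memory state around the buggy address:
[   56.819104]  ffff88807ed32900: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   56.826564] >ffff88807ed32980: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")            # "[   56.523993] " console prefix
BUG = re.compile(r"BUG: KASAN: ([\w-]+) in (\S+)")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (.+)")
OBJ = re.compile(r"belongs to the object at ([0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
OFFSET = re.compile(r"located (\d+) bytes inside of")
SHADOW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")
FRAME = re.compile(r"^\s+(\? )?(\S+\+0x[0-9a-f]+/0x[0-9a-f]+)")

SHADOW_MEANING = {0x00: "accessible", 0xfb: "freed (KASAN_KMALLOC_FREE)",
                  0xfc: "redzone (KASAN_KMALLOC_REDZONE)"}   # mm/kasan/kasan.h, 4.19
SHADOW_ROW_BYTES = 16 * 8   # a printed row is 16 shadow bytes, each covering 8 bytes

@dataclass
class KasanReport:
    bug: str = ""; func: str = ""; access: str = ""; size: int = 0
    addr: int = 0; task: str = ""; obj_start: int = 0; cache: str = ""
    obj_size: int = 0; reported_offset: int = -1
    stacks: Dict[str, List[str]] = field(default_factory=dict)   # "access", "alloc:<pid>", "free:<pid>"
    shadow: Dict[int, List[int]] = field(default_factory=dict)  # row base address -> 16 shadow bytes

def parse_kasan(text: str) -> KasanReport:
    r = KasanReport()
    section: Optional[str] = None
    for raw in text.splitlines():
        line = TS.sub("", raw)
        if not line.strip():
            section = None                  # a blank line closes a stack section
            continue
        if m := BUG.search(line):
            r.bug, r.func = m.group(1), m.group(2)
        elif m := ACCESS.search(line):
            r.access, r.size = m.group(1), int(m.group(2))
            r.addr, r.task = int(m.group(3), 16), m.group(4)
        elif line.startswith("Call Trace:"):
            section = "access"; r.stacks[section] = []
        elif m := re.match(r"Allocated by task (\d+):", line):
            section = "alloc:" + m.group(1); r.stacks[section] = []
        elif m := re.match(r"Freed by task (\d+):", line):
            section = "free:" + m.group(1); r.stacks[section] = []
        elif section and (m := FRAME.match(line)):
            if not m.group(1):              # "? " frames are unreliable guesses; drop them
                r.stacks[section].append(m.group(2))
        elif m := OBJ.search(line):
            r.obj_start = int(m.group(1), 16)
        elif m := CACHE.search(line):
            r.cache, r.obj_size = m.group(1), int(m.group(2))
        elif m := OFFSET.search(line):
            r.reported_offset = int(m.group(1))
        elif m := SHADOW.match(line.strip()):
            r.shadow[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return r

def title(r: KasanReport) -> str:
    """syzbot-style bug title: sanitizer, bug class, access kind, faulting function."""
    return f"KASAN: {r.bug} {r.access} in {r.func.split('+')[0]}"

def shadow_state(r: KasanReport) -> str:
    """Name the poison value of the shadow byte that covers the faulting address."""
    row = r.addr & ~(SHADOW_ROW_BYTES - 1)
    val = r.shadow[row][(r.addr - row) >> 3]
    return SHADOW_MEANING.get(val, f"0x{val:02x}")

def offset_consistent(r: KasanReport) -> bool:
    """Check the stated 'N bytes inside of' against addr - object start."""
    return r.addr - r.obj_start == r.reported_offset

if __name__ == "__main__":
    rep = parse_kasan(REPORT)
    print(title(rep), "|", rep.cache, rep.obj_size, "B, +%d" % rep.reported_offset,
          "|", shadow_state(rep), "| alloc:", rep.stacks["alloc:8386"][-1])
```

The offset check and the shadow lookup are cheap ways to confirm that the report is internally consistent (a mangled console log, as the raw page above was, can lose or merge lines), and the alloc/free stacks give the pairing a fix has to reconcile: the blktrace debugfs dentry is torn down from the queue-release work after the dentry has already gone through its RCU free.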