[info] Using makefile-style concurrent boot in runlevel 2.
[ 26.740725] audit: type=1800 audit(1543718207.610:21): pid=5848 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="bootlogs" dev="sda1" ino=2419 res=0
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 31.319855] sshd (5985) used greatest stack depth: 15744 bytes left
Warning: Permanently added '10.128.0.61' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
[ 38.192160] ==================================================================
[ 38.199654] BUG: KASAN: use-after-free in debugfs_remove+0x10b/0x130
[ 38.199669] Read of size 8 at addr ffff8881cc862460 by task kworker/1:1/22
[ 38.199672]
[ 38.199698] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 4.20.0-rc4+ #358
[ 38.199706] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.199723] Workqueue: events __blk_release_queue
[ 38.213288] Call Trace:
[ 38.213312]  dump_stack+0x244/0x39d
[ 38.213332]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 38.213345]  ? printk+0xa7/0xcf
[ 38.213359]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 38.213381]  print_address_description.cold.7+0x9/0x1ff
[ 38.221938]  kasan_report.cold.8+0x242/0x309
[ 38.221953]  ? debugfs_remove+0x10b/0x130
[ 38.221973]  __asan_report_load8_noabort+0x14/0x20
[ 38.221986]  debugfs_remove+0x10b/0x130
[ 38.222009]  blk_trace_free+0x35/0x130
[ 38.236211]  __blk_trace_remove+0x7a/0xa0
[ 38.236234]  blk_trace_shutdown+0x63/0x80
[ 38.236255]  __blk_release_queue+0x235/0x510
[ 38.242448]  process_one_work+0xc90/0x1c40
[ 38.242465]  ? mark_held_locks+0x130/0x130
[ 38.242490]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 38.242504]  ? __switch_to_asm+0x40/0x70
[ 38.242520]  ? __switch_to_asm+0x34/0x70
[ 38.255719]  ? __switch_to_asm+0x40/0x70
[ 38.255732]  ? __switch_to_asm+0x34/0x70
[ 38.255751]  ? __switch_to_asm+0x40/0x70
[ 38.265517]  ? __switch_to_asm+0x34/0x70
[ 38.265528]  ? __switch_to_asm+0x40/0x70
[ 38.265540]  ? __switch_to_asm+0x34/0x70
[ 38.265551]  ? __switch_to_asm+0x40/0x70
[ 38.265572]  ? __schedule+0x8d7/0x21d0
[ 38.265621]  ? lock_downgrade+0x900/0x900
[ 38.265640]  ? zap_class+0x640/0x640
[ 38.274708]  ? find_held_lock+0x36/0x1c0
[ 38.274743]  ? lock_acquire+0x1ed/0x520
[ 38.282606]  ? worker_thread+0x3e0/0x1390
[ 38.282640]  ? kasan_check_read+0x11/0x20
[ 38.282654]  ? do_raw_spin_lock+0x14f/0x350
[ 38.282668]  ? kasan_check_read+0x11/0x20
[ 38.282692]  ? rwlock_bug.part.2+0x90/0x90
[ 38.282711]  ? trace_hardirqs_on+0x310/0x310
[ 38.291001]  worker_thread+0x17f/0x1390
[ 38.291016]  ? __switch_to_asm+0x34/0x70
[ 38.291042]  ? process_one_work+0x1c40/0x1c40
[ 38.299669]  ? zap_class+0x640/0x640
[ 38.299697]  ? find_held_lock+0x36/0x1c0
[ 38.312684]  ? __kthread_parkme+0xce/0x1a0
[ 38.312702]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 38.312716]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 38.312732]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[ 38.312752]  ? trace_hardirqs_on+0xbd/0x310
[ 38.312767]  ? kasan_check_read+0x11/0x20
[ 38.320974]  ? __kthread_parkme+0xce/0x1a0
[ 38.320992]  ? trace_hardirqs_off_caller+0x310/0x310
[ 38.321011]  ? trace_hardirqs_off_caller+0x310/0x310
[ 38.329120]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 38.329138]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 38.329157]  ? __kthread_parkme+0xfb/0x1a0
[ 38.337263]  ? process_one_work+0x1c40/0x1c40
[ 38.337279]  kthread+0x35a/0x440
[ 38.337297]  ? kthread_stop+0x900/0x900
[ 38.345402]  ret_from_fork+0x3a/0x50
[ 38.345424]
[ 38.353445] Allocated by task 6005:
[ 38.353466]  save_stack+0x43/0xd0
[ 38.353478]  kasan_kmalloc+0xc7/0xe0
[ 38.353491]  kasan_slab_alloc+0x12/0x20
[ 38.353503]  kmem_cache_alloc+0x12e/0x730
[ 38.353516]  __d_alloc+0xc8/0xb90
[ 38.353527]  d_alloc+0x96/0x380
[ 38.353539]  d_alloc_parallel+0x15a/0x1f40
[ 38.353557]  __lookup_slow+0x1e6/0x540
[ 38.361331]  lookup_one_len+0x1d8/0x220
[ 38.361345]  start_creating+0xc6/0x200
[ 38.361357]  __debugfs_create_file+0x63/0x400
[ 38.361374]  debugfs_create_file+0x57/0x70
[ 38.369477]  do_blk_trace_setup+0x45d/0xdb0
[ 38.369491]  __blk_trace_setup+0xd5/0x180
[ 38.369510]  blk_trace_ioctl+0x17a/0x2f0
[ 38.377962]  blkdev_ioctl+0x9e9/0x21b0
[ 38.377975]  block_ioctl+0xee/0x130
[ 38.377988]  do_vfs_ioctl+0x1de/0x1790
[ 38.378004]  ksys_ioctl+0xa9/0xd0
[ 38.386374]  __x64_sys_ioctl+0x73/0xb0
[ 38.386389]  do_syscall_64+0x1b9/0x820
[ 38.386404]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.386412]
[ 38.394769] Freed by task 0:
[ 38.394786]  save_stack+0x43/0xd0
[ 38.394800]  __kasan_slab_free+0x102/0x150
[ 38.394812]  kasan_slab_free+0xe/0x10
[ 38.394825]  kmem_cache_free+0x83/0x290
[ 38.394838]  __d_free+0x20/0x30
[ 38.394856]  rcu_process_callbacks+0x100a/0x1ac0
[ 38.403405]  __do_softirq+0x308/0xb7e
[ 38.403409]
[ 38.403430] The buggy address belongs to the object at ffff8881cc862420
[ 38.403430]  which belongs to the cache dentry of size 288
[ 38.403447] The buggy address is located 64 bytes inside of
[ 38.403447]  288-byte region [ffff8881cc862420, ffff8881cc862540)
[ 38.411197] The buggy address belongs to the page:
[ 38.411211] page:ffffea0007321880 count:1 mapcount:0 mapping:ffff8881da980c80 index:0x0
[ 38.411222] flags: 0x2fffc0000000200(slab)
[ 38.411241] raw: 02fffc0000000200 ffffea0007320b88 ffffea00073218c8 ffff8881da980c80
[ 38.420567] raw: 0000000000000000 ffff8881cc862000 000000010000000b 0000000000000000
[ 38.420583] page dumped because: kasan: bad access detected
[ 38.420588]
[ 38.420599] Memory state around the buggy address:
[ 38.430280]  ffff8881cc862300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.430292]  ffff8881cc862380: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 38.430303] >ffff8881cc862400: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.430314]                                                        ^
[ 38.707068]  ffff8881cc862480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.714429]  ffff8881cc862500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 38.721796] ==================================================================
[ 38.729151] Disabling lock debugging due to kernel taint
[ 38.735620] Kernel panic - not syncing: panic_on_warn set ...
[ 38.741528] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G B 4.20.0-rc4+ #358
[ 38.749840] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.759219] Workqueue: events __blk_release_queue
[ 38.764057] Call Trace:
[ 38.766657]  dump_stack+0x244/0x39d
[ 38.770298]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 38.775497]  panic+0x2ad/0x55c
[ 38.778692]  ? add_taint.cold.5+0x16/0x16
[ 38.782841]  ? preempt_schedule+0x4d/0x60
[ 38.786991]  ? ___preempt_schedule+0x16/0x18
[ 38.791399]  ? trace_hardirqs_on+0xb4/0x310
[ 38.795728]  kasan_end_report+0x47/0x4f
[ 38.799707]  kasan_report.cold.8+0x76/0x309
[ 38.804033]  ? debugfs_remove+0x10b/0x130
[ 38.808185]  __asan_report_load8_noabort+0x14/0x20
[ 38.813116]  debugfs_remove+0x10b/0x130
[ 38.817096]  blk_trace_free+0x35/0x130
[ 38.820981]  __blk_trace_remove+0x7a/0xa0
[ 38.825129]  blk_trace_shutdown+0x63/0x80
[ 38.829279]  __blk_release_queue+0x235/0x510
[ 38.833678]  process_one_work+0xc90/0x1c40
[ 38.837912]  ? mark_held_locks+0x130/0x130
[ 38.842156]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 38.846823]  ? __switch_to_asm+0x40/0x70
[ 38.850879]  ? __switch_to_asm+0x34/0x70
[ 38.854937]  ? __switch_to_asm+0x40/0x70
[ 38.858996]  ? __switch_to_asm+0x34/0x70
[ 38.863054]  ? __switch_to_asm+0x40/0x70
[ 38.867117]  ? __switch_to_asm+0x34/0x70
[ 38.871175]  ? __switch_to_asm+0x40/0x70
[ 38.875234]  ? __switch_to_asm+0x34/0x70
[ 38.879292]  ? __switch_to_asm+0x40/0x70
[ 38.883379]  ? __schedule+0x8d7/0x21d0
[ 38.887272]  ? lock_downgrade+0x900/0x900
[ 38.891433]  ? zap_class+0x640/0x640
[ 38.895151]  ? find_held_lock+0x36/0x1c0
[ 38.899222]  ? lock_acquire+0x1ed/0x520
[ 38.903199]  ? worker_thread+0x3e0/0x1390
[ 38.907355]  ? kasan_check_read+0x11/0x20
[ 38.911504]  ? do_raw_spin_lock+0x14f/0x350
[ 38.915826]  ? kasan_check_read+0x11/0x20
[ 38.919977]  ? rwlock_bug.part.2+0x90/0x90
[ 38.924213]  ? trace_hardirqs_on+0x310/0x310
[ 38.928631]  worker_thread+0x17f/0x1390
[ 38.932617]  ? __switch_to_asm+0x34/0x70
[ 38.936697]  ? process_one_work+0x1c40/0x1c40
[ 38.941198]  ? zap_class+0x640/0x640
[ 38.944915]  ? find_held_lock+0x36/0x1c0
[ 38.948988]  ? __kthread_parkme+0xce/0x1a0
[ 38.953221]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 38.958331]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 38.963440]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[ 38.968034]  ? trace_hardirqs_on+0xbd/0x310
[ 38.972355]  ? kasan_check_read+0x11/0x20
[ 38.976554]  ? __kthread_parkme+0xce/0x1a0
[ 38.980799]  ? trace_hardirqs_off_caller+0x310/0x310
[ 38.985909]  ? trace_hardirqs_off_caller+0x310/0x310
[ 38.991015]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 38.996124]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 39.001674]  ? __kthread_parkme+0xfb/0x1a0
[ 39.005931]  ? process_one_work+0x1c40/0x1c40
[ 39.010425]  kthread+0x35a/0x440
[ 39.013796]  ? kthread_stop+0x900/0x900
[ 39.017769]  ret_from_fork+0x3a/0x50
[ 39.022389] Kernel Offset: disabled
[ 39.026012] Rebooting in 86400 seconds..