[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.53' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 37.424887] audit: type=1400 audit(1599021418.465:8): avc: denied { execmem } for pid=6362 comm="syz-executor361" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
executing program
executing program
[ 37.500546] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
executing program
[ 37.569803] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
[ 37.629604] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
executing program
executing program
executing program
[ 37.917497] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
[ 37.979368] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
executing program
executing program
[ 38.107465] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
[ 38.157343] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
executing program
[ 38.249211] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
executing program
[ 38.365899] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
executing program
executing program
executing program
[ 38.575800] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
[ 38.635822] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
[ 38.745058] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
executing program
[ 38.845552] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
[ 38.928818] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
executing program
[ 39.048927] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
executing program
executing program
[ 39.236692] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
executing program
[ 39.365690] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
executing program
[ 39.445493] blktrace: Concurrent blktraces are not allowed on loop0
executing program
[ 39.508147] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
executing program
[ 39.638594] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
executing program
executing program
[ 39.819165] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 40.047589] blktrace: Concurrent blktraces are not allowed on loop0
[ 40.057678] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
[ 40.126901] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
executing program
[ 40.258782] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
executing program
[ 40.328352] blktrace: Concurrent blktraces are not allowed on loop0
executing program
[ 40.386468] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
executing program
executing program
[ 40.575796] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
executing program
[ 40.637777] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
[ 40.698195] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
[ 40.754722] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
[ 40.808011] blktrace: Concurrent blktraces are not allowed on loop0
executing program
[ 40.860188] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
executing program
executing program
executing program
[ 41.065243] blktrace: Concurrent blktraces are not allowed on loop0
executing program
[ 41.118260] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 41.481086] blktrace: Concurrent blktraces are not allowed on loop0
[ 41.491441] blktrace: Concurrent blktraces are not allowed on loop0
[ 41.501582] blktrace: Concurrent blktraces are not allowed on loop0
executing program
executing program
executing program
executing program
executing program
executing program
[ 41.804428] blktrace: Concurrent blktraces are not allowed on loop0
[ 41.848421] ==================================================================
[ 41.855923] BUG: KASAN: use-after-free in debugfs_remove+0xef/0x110
[ 41.862315] Read of size 8 at addr ffff8880a6b37340 by task kworker/0:0/3
[ 41.869230]
[ 41.870836] CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.14.195-syzkaller #0
[ 41.878097] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.887449] Workqueue: events __blk_release_queue
[ 41.892266] Call Trace:
[ 41.894850]  dump_stack+0x1b2/0x283
[ 41.898656]  print_address_description.cold+0x54/0x1d3
[ 41.903912]  kasan_report_error.cold+0x8a/0x194
[ 41.908560]  ? debugfs_remove+0xef/0x110
[ 41.912613]  __asan_report_load8_noabort+0x68/0x70
[ 41.917535]  ? debugfs_remove+0xef/0x110
[ 41.921573]  debugfs_remove+0xef/0x110
[ 41.925456]  blk_trace_free+0x31/0x130
[ 41.929333]  __blk_trace_remove+0x68/0xc0
[ 41.933464]  blk_trace_shutdown+0x77/0xe0
[ 41.937594]  __blk_release_queue+0x227/0x4b0
[ 41.941981]  process_one_work+0x793/0x14a0
[ 41.946195]  ? work_busy+0x320/0x320
[ 41.949901]  ? worker_thread+0x158/0xff0
[ 41.953947]  ? _raw_spin_unlock_irq+0x24/0x80
[ 41.958422]  worker_thread+0x5cc/0xff0
[ 41.962303]  ? rescuer_thread+0xc80/0xc80
[ 41.966452]  kthread+0x30d/0x420
[ 41.969810]  ? kthread_create_on_node+0xd0/0xd0
[ 41.974474]  ret_from_fork+0x24/0x30
[ 41.978183]
[ 41.979785] Allocated by task 6910:
[ 41.983388]  kasan_kmalloc+0xeb/0x160
[ 41.987163]  kmem_cache_alloc+0x124/0x3c0
[ 41.991289]  __d_alloc+0x2a/0xa20
[ 41.994715]  d_alloc+0x46/0x240
[ 41.997975]  __lookup_hash+0x101/0x270
[ 42.001837]  lookup_one_len+0x279/0x3a0
[ 42.005801]  start_creating.part.0+0x62/0x150
[ 42.010271]  __debugfs_create_file+0x8a/0x480
[ 42.014742]  do_blk_trace_setup+0x358/0xb80
[ 42.019233]  __blk_trace_setup+0xa3/0x120
[ 42.023703]  blk_trace_ioctl+0x136/0x250
[ 42.027739]  blkdev_ioctl+0xec/0x1830
[ 42.031515]  block_ioctl+0xd9/0x120
[ 42.035119]  do_vfs_ioctl+0x75a/0xff0
[ 42.038893]  SyS_ioctl+0x7f/0xb0
[ 42.042235]  do_syscall_64+0x1d5/0x640
[ 42.046099]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 42.051275]
[ 42.052894] Freed by task 7:
[ 42.055913]  kasan_slab_free+0xc3/0x1a0
[ 42.059862]  kmem_cache_free+0x7c/0x2b0
[ 42.063810]  rcu_process_callbacks+0x780/0x1180
[ 42.068456]  __do_softirq+0x254/0xa1d
[ 42.072237]
[ 42.073840] The buggy address belongs to the object at ffff8880a6b37300
[ 42.073840]  which belongs to the cache dentry of size 288
[ 42.086041] The buggy address is located 64 bytes inside of
[ 42.086041]  288-byte region [ffff8880a6b37300, ffff8880a6b37420)
[ 42.097839] The buggy address belongs to the page:
[ 42.102749] page:ffffea00029acdc0 count:1 mapcount:0 mapping:ffff8880a6b37040 index:0x0
[ 42.110885] flags: 0xfffe0000000100(slab)
[ 42.115008] raw: 00fffe0000000100 ffff8880a6b37040 0000000000000000 000000010000000b
[ 42.122865] raw: ffffea00029acda0 ffffea00029ace20 ffff88821f8b9680 0000000000000000
[ 42.130736] page dumped because: kasan: bad access detected
[ 42.136422]
[ 42.138024] Memory state around the buggy address:
[ 42.142984]  ffff8880a6b37200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.150329]  ffff8880a6b37280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 42.157672] >ffff8880a6b37300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.165004]                                            ^
[ 42.170430]  ffff8880a6b37380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.177764]  ffff8880a6b37400: fb fb fb fb fc fc fc fc fc fc fc fc 00 00 00 00
[ 42.185233] ==================================================================
[ 42.192572] Disabling lock debugging due to kernel taint
executing program
[ 42.217965] Kernel panic - not syncing: panic_on_warn set ...
[ 42.217965]
[ 42.225361] CPU: 0 PID: 3 Comm: kworker/0:0 Tainted: G B 4.14.195-syzkaller #0
[ 42.233835] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.243173] Workqueue: events __blk_release_queue
[ 42.247999] Call Trace:
[ 42.250564]  dump_stack+0x1b2/0x283
[ 42.254168]  panic+0x1f9/0x42d
[ 42.257338]  ? add_taint.cold+0x16/0x16
[ 42.261360]  ? ___preempt_schedule+0x16/0x18
[ 42.265793]  kasan_end_report+0x43/0x49
[ 42.269745]  kasan_report_error.cold+0xa7/0x194
[ 42.274405]  ? debugfs_remove+0xef/0x110
[ 42.278455]  __asan_report_load8_noabort+0x68/0x70
[ 42.283358]  ? debugfs_remove+0xef/0x110
[ 42.287396]  debugfs_remove+0xef/0x110
[ 42.291275]  blk_trace_free+0x31/0x130
[ 42.295153]  __blk_trace_remove+0x68/0xc0
[ 42.299274]  blk_trace_shutdown+0x77/0xe0
[ 42.303413]  __blk_release_queue+0x227/0x4b0
[ 42.307812]  process_one_work+0x793/0x14a0
[ 42.312025]  ? work_busy+0x320/0x320
[ 42.315727]  ? worker_thread+0x158/0xff0
[ 42.319765]  ? _raw_spin_unlock_irq+0x24/0x80
[ 42.324244]  worker_thread+0x5cc/0xff0
[ 42.328156]  ? rescuer_thread+0xc80/0xc80
[ 42.332280]  kthread+0x30d/0x420
[ 42.335649]  ? kthread_create_on_node+0xd0/0xd0
[ 42.340300]  ret_from_fork+0x24/0x30
[ 42.345283] Kernel Offset: disabled
[ 42.348945] Rebooting in 86400 seconds..
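The report above carries three stacks that have to be read together: where the freed dentry was touched (debugfs_remove, called from the queue-release work item), who allocated it (the BLKTRACESETUP ioctl path through do_blk_trace_setup) and who freed it (an RCU callback in softirq context). The parser below is an added triage helper, not syzkaller's code or anything from the kernel, that extracts those pieces into a structured record, derives the syzkaller-style title, flags the RCU free, and cross-checks the report's own offset arithmetic. The sample input is excerpted from the console log above with some frames omitted; the NOISE prefix list used to skip reporting and allocator plumbing is a heuristic assumption.

```python
"""Triage helper for a KASAN report such as the one in the console log above.

Added example (not syzkaller's or the kernel's code). It turns the free-form
report into a structured record so the bad-access, allocation and free stacks
can be compared mechanically. The NOISE prefix list is a heuristic assumption.
"""
import re
from dataclasses import dataclass, field

# Excerpted from the report above; several frames are omitted for brevity.
SAMPLE = """\
[ 41.855923] BUG: KASAN: use-after-free in debugfs_remove+0xef/0x110
[ 41.862315] Read of size 8 at addr ffff8880a6b37340 by task kworker/0:0/3
[ 41.869230]
[ 41.887449] Workqueue: events __blk_release_queue
[ 41.892266] Call Trace:
[ 41.894850]  dump_stack+0x1b2/0x283
[ 41.903912]  kasan_report_error.cold+0x8a/0x194
[ 41.908560]  ? debugfs_remove+0xef/0x110
[ 41.912613]  __asan_report_load8_noabort+0x68/0x70
[ 41.921573]  debugfs_remove+0xef/0x110
[ 41.925456]  blk_trace_free+0x31/0x130
[ 41.937594]  __blk_release_queue+0x227/0x4b0
[ 41.978183]
[ 41.979785] Allocated by task 6910:
[ 41.983388]  kasan_kmalloc+0xeb/0x160
[ 41.987163]  kmem_cache_alloc+0x124/0x3c0
[ 41.991289]  __d_alloc+0x2a/0xa20
[ 42.014742]  do_blk_trace_setup+0x358/0xb80
[ 42.023703]  blk_trace_ioctl+0x136/0x250
[ 42.051275]
[ 42.052894] Freed by task 7:
[ 42.055913]  kasan_slab_free+0xc3/0x1a0
[ 42.059862]  kmem_cache_free+0x7c/0x2b0
[ 42.063810]  rcu_process_callbacks+0x780/0x1180
[ 42.072237]
[ 42.073840] The buggy address belongs to the object at ffff8880a6b37300
[ 42.073840]  which belongs to the cache dentry of size 288
[ 42.086041] The buggy address is located 64 bytes inside of
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                     # printk timestamp
FRAME = re.compile(r"^(\? )?(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # "func+0xoff/0xlen"
# Reporting and allocator plumbing that is never the culprit (assumed list).
NOISE = ("dump_stack", "print_address_description", "kasan_", "__asan_",
         "kmem_cache_", "kmalloc", "__kmalloc", "kfree")


@dataclass
class Report:
    bug: str = ""            # e.g. "use-after-free"
    func: str = ""           # function that performed the bad access
    access: str = ""         # "Read" or "Write"
    size: int = 0
    addr: int = 0
    task: str = ""           # task doing the bad access
    context: str = ""        # Workqueue line, if any
    alloc_task: int = 0
    free_task: int = 0
    obj_addr: int = 0
    cache: str = ""
    obj_size: int = 0
    offset: int = 0
    access_stack: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)


def parse(text):
    r, stack = Report(), None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if not line:                         # a blank line closes a stack section
            stack = None
        elif m := re.match(r"BUG: KASAN: (\S+) in (\S+?)\+0x", line):
            r.bug, r.func = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (.+)", line):
            r.access, r.size, r.addr, r.task = m[1], int(m[2]), int(m[3], 16), m[4]
        elif m := re.match(r"Workqueue: (.+)", line):
            r.context = m[1]
        elif line == "Call Trace:" and not r.access_stack:   # first trace only
            stack = r.access_stack
        elif m := re.match(r"Allocated by task (\d+):", line):
            r.alloc_task, stack = int(m[1]), r.alloc_stack
        elif m := re.match(r"Freed by task (\d+):", line):
            r.free_task, stack = int(m[1]), r.free_stack
        elif m := re.search(r"object at ([0-9a-f]+)$", line):
            r.obj_addr = int(m[1], 16)
        elif m := re.search(r"cache (\S+) of size (\d+)", line):
            r.cache, r.obj_size = m[1], int(m[2])
        elif m := re.search(r"located (\d+) bytes inside of", line):
            r.offset = int(m[1])
        elif (m := FRAME.match(line)) and stack is not None and not m[1]:
            stack.append(m[2])               # "? frame" entries are stale slots, dropped
    return r


def culprit(stack):
    """First frame outside the reporting/allocator plumbing."""
    return next((f for f in stack if not f.startswith(NOISE)), "")


def title(r):
    """syzkaller-style one-line title."""
    return f"KASAN: {r.bug} {r.access} in {r.func}"


def freed_by_rcu(r):
    """True when the free ran from an RCU callback; the 'Freed by' stack then
    shows the softirq context, not the code that scheduled the free."""
    return any(f.startswith("rcu_") for f in r.free_stack)


def offset_consistent(r):
    """Cross-check the report's numbers: addr - object base == stated offset,
    and the access stays inside the object."""
    return r.addr - r.obj_addr == r.offset and r.offset + r.size <= r.obj_size


if __name__ == "__main__":
    rep = parse(SAMPLE)
    print(title(rep))
    print("access :", culprit(rep.access_stack), "by", rep.task, "via", rep.context)
    print("alloc  :", culprit(rep.alloc_stack), "by task", rep.alloc_task)
    print("free   :", culprit(rep.free_stack), "by task", rep.free_task,
          "(RCU callback)" if freed_by_rcu(rep) else "")
    print("object :", rep.cache, rep.obj_size, "bytes, offset", rep.offset,
          "consistent" if offset_consistent(rep) else "INCONSISTENT")
```

For this report the helper yields the title "KASAN: use-after-free Read in debugfs_remove", a read at offset 64 of a 288-byte dentry, and an RCU free. The last point is the caveat worth remembering when triaging: a "Freed by task 7" stack that bottoms out in rcu_process_callbacks only tells you the grace period expired in the ksoftirqd context; the code that actually dropped the last reference is not in the report and has to be found from the allocation path and the access path (here, the debugfs file created by the blktrace ioctl and later removed by queue release).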