[info] Using makefile-style concurrent boot in runlevel 2.
[   27.866795] audit: type=1800 audit(1543718095.537:21): pid=5874 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="bootlogs" dev="sda1" ino=2419 res=0
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.15' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
syzkaller login: [   40.244845] ==================================================================
[   40.252775] BUG: KASAN: use-after-free in debugfs_remove+0x10b/0x130
[   40.259281] Read of size 8 at addr ffff8881b65f2080 by task kworker/1:0/17
[   40.259290] 
[   40.259300] CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 4.20.0-rc4+ #137
[   40.259306] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.259325] Workqueue: events __blk_release_queue
[   40.259330] Call Trace:
[   40.259355]  dump_stack+0x244/0x39d
[   40.278466]  ? dump_stack_print_info.cold.1+0x20/0x20
[   40.278480]  ? printk+0xa7/0xcf
[   40.278493]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   40.278514]  print_address_description.cold.7+0x9/0x1ff
[   40.278528]  kasan_report.cold.8+0x242/0x309
[   40.278542]  ? debugfs_remove+0x10b/0x130
[   40.278558]  __asan_report_load8_noabort+0x14/0x20
[   40.278570]  debugfs_remove+0x10b/0x130
[   40.278594]  blk_trace_free+0x35/0x130
[   40.292864]  __blk_trace_remove+0x7a/0xa0
[   40.299078]  blk_trace_shutdown+0x63/0x80
[   40.307576]  __blk_release_queue+0x235/0x510
[   40.317708]  process_one_work+0xc90/0x1c40
[   40.317726]  ? mark_held_locks+0x130/0x130
[   40.317748]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   40.317761]  ? __switch_to_asm+0x40/0x70
[   40.317771]  ? __switch_to_asm+0x34/0x70
[   40.317782]  ? __switch_to_asm+0x40/0x70
[   40.317792]  ? __switch_to_asm+0x34/0x70
[   40.317802]  ? __switch_to_asm+0x40/0x70
[   40.317818]  ? __switch_to_asm+0x34/0x70
[   40.326397]  ? __switch_to_asm+0x40/0x70
[   40.335310]  ? __switch_to_asm+0x34/0x70
[   40.335321]  ? __switch_to_asm+0x40/0x70
[   40.335340]  ? __schedule+0x8d7/0x21d0
[   40.335382]  ? zap_class+0x640/0x640
[   40.335396]  ? lock_downgrade+0x900/0x900
[   40.335417]  ? trace_hardirqs_off+0xb8/0x310
[   40.335433]  ? kasan_check_read+0x11/0x20
[   40.335451]  ? do_raw_spin_unlock+0xa7/0x330
[   40.343523]  ? lock_acquire+0x1ed/0x520
[   40.352090]  ? worker_thread+0x3e0/0x1390
[   40.360588]  ? kasan_check_read+0x11/0x20
[   40.373391]  ? do_raw_spin_lock+0x14f/0x350
[   40.373410]  ? kasan_check_read+0x11/0x20
[   40.381689]  ? rwlock_bug.part.2+0x90/0x90
[   40.389810]  ? trace_hardirqs_on+0x310/0x310
[   40.397994]  worker_thread+0x17f/0x1390
[   40.398011]  ? __switch_to_asm+0x34/0x70
[   40.398034]  ? process_one_work+0x1c40/0x1c40
[   40.398082]  ? __sched_text_start+0x8/0x8
[   40.398112]  ? __kthread_parkme+0xce/0x1a0
[   40.398132]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   40.406106]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   40.413966]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[   40.422516]  ? trace_hardirqs_on+0xbd/0x310
[   40.430898]  ? kasan_check_read+0x11/0x20
[   40.439211]  ? __kthread_parkme+0xce/0x1a0
[   40.447702]  ? trace_hardirqs_off_caller+0x310/0x310
[   40.447767]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[   40.447793]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   40.447812]  ? __kthread_parkme+0xfb/0x1a0
[   40.447826]  ? process_one_work+0x1c40/0x1c40
[   40.447851]  kthread+0x35a/0x440
[   40.447870]  ? kthread_stop+0x900/0x900
[   40.447901]  ret_from_fork+0x3a/0x50
[   40.447941] 
[   40.447952] Allocated by task 6032:
[   40.447988]  save_stack+0x43/0xd0
[   40.456647]  kasan_kmalloc+0xc7/0xe0
[   40.464685]  kasan_slab_alloc+0x12/0x20
[   40.464697]  kmem_cache_alloc+0x12e/0x730
[   40.464710]  __d_alloc+0xc8/0xb90
[   40.464720]  d_alloc+0x96/0x380
[   40.464731]  d_alloc_parallel+0x15a/0x1f40
[   40.464744]  __lookup_slow+0x1e6/0x540
[   40.464756]  lookup_one_len+0x1d8/0x220
[   40.464769]  start_creating+0xc6/0x200
[   40.464781]  __debugfs_create_file+0x63/0x400
[   40.464792]  debugfs_create_file+0x57/0x70
[   40.464807]  do_blk_trace_setup+0x45d/0xdb0
[   40.464819]  __blk_trace_setup+0xd5/0x180
[   40.464837]  blk_trace_ioctl+0x17a/0x2f0
[   40.477723]  blkdev_ioctl+0x9e9/0x21b0
[   40.487928]  block_ioctl+0xee/0x130
[   40.487942]  do_vfs_ioctl+0x1de/0x1790
[   40.487952]  ksys_ioctl+0xa9/0xd0
[   40.487962]  __x64_sys_ioctl+0x73/0xb0
[   40.487976]  do_syscall_64+0x1b9/0x820
[   40.487989]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   40.487993] 
[   40.487999] Freed by task 0:
[   40.488014]  save_stack+0x43/0xd0
[   40.488026]  __kasan_slab_free+0x102/0x150
[   40.488038]  kasan_slab_free+0xe/0x10
[   40.488049]  kmem_cache_free+0x83/0x290
[   40.488060]  __d_free+0x20/0x30
[   40.488072]  rcu_process_callbacks+0x100a/0x1ac0
[   40.488092]  __do_softirq+0x308/0xb7e
[   40.497006] 
[   40.666728] The buggy address belongs to the object at ffff8881b65f2040
[   40.666728]  which belongs to the cache dentry of size 288
[   40.678979] The buggy address is located 64 bytes inside of
[   40.678979]  288-byte region [ffff8881b65f2040, ffff8881b65f2160)
[   40.690792] The buggy address belongs to the page:
[   40.695754] page:ffffea0006d97c80 count:1 mapcount:0 mapping:ffff8881da980b00 index:0x0
[   40.703928] flags: 0x2fffc0000000200(slab)
[   40.708224] raw: 02fffc0000000200 ffffea0006d97c08 ffffea0006d97e48 ffff8881da980b00
[   40.716143] raw: 0000000000000000 ffff8881b65f2040 000000010000000b 0000000000000000
[   40.724041] page dumped because: kasan: bad access detected
[   40.729793] 
[   40.731429] Memory state around the buggy address:
[   40.736390]  ffff8881b65f1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   40.743795]  ffff8881b65f2000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   40.751208] >ffff8881b65f2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.758591]                    ^
[   40.761981]  ffff8881b65f2100: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   40.769375]  ffff8881b65f2180: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
[   40.776748] ==================================================================
[   40.784138] Disabling lock debugging due to kernel taint
[   40.792164] Kernel panic - not syncing: panic_on_warn set ...
[   40.798101] CPU: 1 PID: 17 Comm: kworker/1:0 Tainted: G B 4.20.0-rc4+ #137
[   40.806441] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.815819] Workqueue: events __blk_release_queue
[   40.820682] Call Trace:
[   40.823272]  dump_stack+0x244/0x39d
[   40.826899]  ? dump_stack_print_info.cold.1+0x20/0x20
[   40.832088]  panic+0x2ad/0x55c
[   40.835275]  ? add_taint.cold.5+0x16/0x16
[   40.839423]  ? preempt_schedule+0x4d/0x60
[   40.843571]  ? ___preempt_schedule+0x16/0x18
[   40.848107]  ? trace_hardirqs_on+0xb4/0x310
[   40.852431]  kasan_end_report+0x47/0x4f
[   40.856406]  kasan_report.cold.8+0x76/0x309
[   40.860726]  ? debugfs_remove+0x10b/0x130
[   40.864873]  __asan_report_load8_noabort+0x14/0x20
[   40.869809]  debugfs_remove+0x10b/0x130
[   40.873791]  blk_trace_free+0x35/0x130
[   40.877674]  __blk_trace_remove+0x7a/0xa0
[   40.881819]  blk_trace_shutdown+0x63/0x80
[   40.885976]  __blk_release_queue+0x235/0x510
[   40.890388]  process_one_work+0xc90/0x1c40
[   40.894623]  ? mark_held_locks+0x130/0x130
[   40.898857]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   40.903520]  ? __switch_to_asm+0x40/0x70
[   40.907576]  ? __switch_to_asm+0x34/0x70
[   40.911633]  ? __switch_to_asm+0x40/0x70
[   40.915690]  ? __switch_to_asm+0x34/0x70
[   40.919749]  ? __switch_to_asm+0x40/0x70
[   40.923804]  ? __switch_to_asm+0x34/0x70
[   40.927971]  ? __switch_to_asm+0x40/0x70
[   40.932024]  ? __switch_to_asm+0x34/0x70
[   40.936090]  ? __switch_to_asm+0x40/0x70
[   40.940172]  ? __schedule+0x8d7/0x21d0
[   40.944068]  ? zap_class+0x640/0x640
[   40.947789]  ? lock_downgrade+0x900/0x900
[   40.951934]  ? trace_hardirqs_off+0xb8/0x310
[   40.956355]  ? kasan_check_read+0x11/0x20
[   40.960508]  ? do_raw_spin_unlock+0xa7/0x330
[   40.964918]  ? lock_acquire+0x1ed/0x520
[   40.968885]  ? worker_thread+0x3e0/0x1390
[   40.973052]  ? kasan_check_read+0x11/0x20
[   40.977321]  ? do_raw_spin_lock+0x14f/0x350
[   40.981663]  ? kasan_check_read+0x11/0x20
[   40.985807]  ? rwlock_bug.part.2+0x90/0x90
[   40.990034]  ? trace_hardirqs_on+0x310/0x310
[   40.994440]  worker_thread+0x17f/0x1390
[   40.998414]  ? __switch_to_asm+0x34/0x70
[   41.002587]  ? process_one_work+0x1c40/0x1c40
[   41.007082]  ? __sched_text_start+0x8/0x8
[   41.011228]  ? __kthread_parkme+0xce/0x1a0
[   41.015455]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   41.020551]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   41.026241]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[   41.030944]  ? trace_hardirqs_on+0xbd/0x310
[   41.035361]  ? kasan_check_read+0x11/0x20
[   41.039521]  ? __kthread_parkme+0xce/0x1a0
[   41.043748]  ? trace_hardirqs_off_caller+0x310/0x310
[   41.048845]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[   41.053941]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   41.059488]  ? __kthread_parkme+0xfb/0x1a0
[   41.063731]  ? process_one_work+0x1c40/0x1c40
[   41.068217]  kthread+0x35a/0x440
[   41.071569]  ? kthread_stop+0x900/0x900
[   41.075550]  ret_from_fork+0x3a/0x50
[   41.080340] Kernel Offset: disabled
[   41.083981] Rebooting in 86400 seconds..