[ 40.429035][ T26] audit: type=1800 audit(1573227464.954:26): pid=7697 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 40.479104][ T26] audit: type=1800 audit(1573227464.954:27): pid=7697 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 40.504990][ T26] audit: type=1800 audit(1573227464.954:28): pid=7697 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 41.241230][ T26] audit: type=1800 audit(1573227465.794:29): pid=7697 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.95' (ECDSA) to the list of known hosts.

syzkaller login: [ 986.976195][ T7851] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
[ 987.074577][ T7852] devpts: called with bogus options
[ 987.129210][ T7854] devpts: called with bogus options
executing program
[ 987.188233][ T7856] devpts: called with bogus options
executing program
[ 987.258452][ T7858] devpts: called with bogus options
executing program
[ 987.317532][ T7860] devpts: called with bogus options
executing program
[ 987.387793][ T7862] devpts: called with bogus options
executing program
[ 987.448210][ T7864] devpts: called with bogus options
executing program
[ 987.497150][ T7866] devpts: called with bogus options
executing program
[ 987.558213][ T7868] devpts: called with bogus options
executing program
[ 987.720049][ T7872] devpts: called with bogus options
[ 987.768581][ T2908] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
executing program
[ 987.819964][ T7872] debugfs: Directory 'loop0' with parent 'block' already present!
[ 987.843404][ T7876] devpts: called with bogus options
[ 987.887779][ T2908] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
executing program
[ 987.957581][ T7879] devpts: called with bogus options
[ 987.989142][ T3015] relay: one or more items not logged [item size (56) > sub-buffer size (9)]
executing program
[ 988.039840][ T7879] debugfs: Directory 'loop0' with parent 'block' already present!
[ 988.066907][ T7883] devpts: called with bogus options
[ 988.117617][ T2908] ==================================================================
[ 988.125942][ T2908] BUG: KASAN: use-after-free in relay_switch_subbuf+0x27a/0x630
[ 988.125957][ T2908] Read of size 8 at addr ffff8880aa0ce4f8 by task kworker/0:2/2908
[ 988.125959][ T2908]
[ 988.125969][ T2908] CPU: 0 PID: 2908 Comm: kworker/0:2 Not tainted 5.4.0-rc6+ #0
[ 988.151508][ T2908] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 988.161773][ T2908] Workqueue: events __blk_release_queue
[ 988.167319][ T2908] Call Trace:
[ 988.170627][ T2908]  dump_stack+0x1fb/0x318
[ 988.175085][ T2908]  print_address_description+0x75/0x5c0
[ 988.180649][ T2908]  ? vprintk_func+0x158/0x170
[ 988.185317][ T2908]  ? printk+0x62/0x8d
[ 988.189276][ T2908]  ? vprintk_emit+0x2d4/0x3a0
[ 988.193946][ T2908]  __kasan_report+0x14b/0x1c0
[ 988.198600][ T2908]  ? relay_switch_subbuf+0x27a/0x630
[ 988.203860][ T2908]  kasan_report+0x26/0x50
[ 988.208166][ T2908]  __asan_report_load8_noabort+0x14/0x20
[ 988.213782][ T2908]  relay_switch_subbuf+0x27a/0x630
[ 988.218878][ T2908]  relay_flush+0x1ff/0x2e0
[ 988.223315][ T2908]  blk_trace_shutdown+0x203/0x260
[ 988.228318][ T2908]  __blk_release_queue+0x244/0x2e0
[ 988.233443][ T2908]  process_one_work+0x7ef/0x10e0
[ 988.238379][ T2908]  worker_thread+0xc01/0x1630
[ 988.243085][ T2908]  kthread+0x332/0x350
[ 988.247129][ T2908]  ? rcu_lock_release+0x30/0x30
[ 988.251952][ T2908]  ? kthread_blkcg+0xe0/0xe0
[ 988.256561][ T2908]  ret_from_fork+0x24/0x30
[ 988.260969][ T2908]
[ 988.263279][ T2908] Allocated by task 7879:
[ 988.267583][ T2908]  __kasan_kmalloc+0x11c/0x1b0
[ 988.272333][ T2908]  kasan_slab_alloc+0xf/0x20
[ 988.276930][ T2908]  kmem_cache_alloc+0x1f5/0x2e0
[ 988.281797][ T2908]  __d_alloc+0x2d/0x6e0
[ 988.285927][ T2908]  d_alloc_parallel+0x7f/0x1430
[ 988.290765][ T2908]  __lookup_slow+0xa7/0x380
[ 988.295253][ T2908]  lookup_one_len+0x123/0x220
[ 988.299944][ T2908]  start_creating+0xd3/0x270
[ 988.304514][ T2908]  __debugfs_create_file+0x75/0x470
[ 988.309698][ T2908]  debugfs_create_file+0x4a/0x60
[ 988.314623][ T2908]  blk_create_buf_file_callback+0x34/0x40
[ 988.320321][ T2908]  relay_open_buf+0x5cb/0xd60
[ 988.324974][ T2908]  relay_open+0x491/0x970
[ 988.329276][ T2908]  do_blk_trace_setup+0x4b9/0xaa0
[ 988.334270][ T2908]  blk_trace_ioctl+0x24c/0x7d0
[ 988.339098][ T2908]  blkdev_ioctl+0x134a/0x2980
[ 988.343774][ T2908]  block_ioctl+0xbd/0x100
[ 988.348084][ T2908]  do_vfs_ioctl+0x744/0x1730
[ 988.352647][ T2908]  __x64_sys_ioctl+0xe3/0x120
[ 988.357333][ T2908]  do_syscall_64+0xf7/0x1c0
[ 988.361818][ T2908]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 988.367694][ T2908]
[ 988.369996][ T2908] Freed by task 0:
[ 988.373692][ T2908]  __kasan_slab_free+0x12a/0x1e0
[ 988.378620][ T2908]  kasan_slab_free+0xe/0x10
[ 988.383096][ T2908]  kmem_cache_free+0x81/0xf0
[ 988.387708][ T2908]  __d_free+0x20/0x30
[ 988.391689][ T2908]  rcu_core+0x843/0x1050
[ 988.395906][ T2908]  rcu_core_si+0x9/0x10
[ 988.400072][ T2908]  __do_softirq+0x333/0x7c4
[ 988.404545][ T2908]
[ 988.406856][ T2908] The buggy address belongs to the object at ffff8880aa0ce4a0
[ 988.406856][ T2908]  which belongs to the cache dentry(17:syz0) of size 288
[ 988.421226][ T2908] The buggy address is located 88 bytes inside of
[ 988.421226][ T2908]  288-byte region [ffff8880aa0ce4a0, ffff8880aa0ce5c0)
[ 988.434379][ T2908] The buggy address belongs to the page:
[ 988.439984][ T2908] page:ffffea0002a83380 refcount:1 mapcount:0 mapping:ffff8880910e3e00 index:0x0
[ 988.449148][ T2908] flags: 0x1fffc0000000200(slab)
[ 988.454077][ T2908] raw: 01fffc0000000200 ffffea0002a82188 ffffea0002a81cc8 ffff8880910e3e00
[ 988.462636][ T2908] raw: 0000000000000000 ffff8880aa0ce080 000000010000000b 0000000000000000
[ 988.471189][ T2908] page dumped because: kasan: bad access detected
[ 988.477570][ T2908]
[ 988.479880][ T2908] Memory state around the buggy address:
[ 988.485551][ T2908]  ffff8880aa0ce380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 988.493612][ T2908]  ffff8880aa0ce400: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 988.501649][ T2908] >ffff8880aa0ce480: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
[ 988.509682][ T2908]                                                                 ^
[ 988.517630][ T2908]  ffff8880aa0ce500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 988.525673][ T2908]  ffff8880aa0ce580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 988.533708][ T2908] ==================================================================
[ 988.541748][ T2908] Disabling lock debugging due to kernel taint
[ 988.547996][ T2908] Kernel panic - not syncing: panic_on_warn set ...
[ 988.554581][ T2908] CPU: 0 PID: 2908 Comm: kworker/0:2 Tainted: G B 5.4.0-rc6+ #0
[ 988.563485][ T2908] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 988.573640][ T2908] Workqueue: events __blk_release_queue
[ 988.579162][ T2908] Call Trace:
[ 988.582466][ T2908]  dump_stack+0x1fb/0x318
[ 988.586833][ T2908]  panic+0x264/0x7a9
[ 988.590705][ T2908]  ? __kasan_report+0x195/0x1c0
[ 988.595573][ T2908]  ? trace_hardirqs_on+0x34/0x80
[ 988.600484][ T2908]  ? __kasan_report+0x195/0x1c0
[ 988.605313][ T2908]  __kasan_report+0x1bb/0x1c0
[ 988.609968][ T2908]  ? relay_switch_subbuf+0x27a/0x630
[ 988.615224][ T2908]  kasan_report+0x26/0x50
[ 988.619526][ T2908]  __asan_report_load8_noabort+0x14/0x20
[ 988.625131][ T2908]  relay_switch_subbuf+0x27a/0x630
[ 988.630286][ T2908]  relay_flush+0x1ff/0x2e0
[ 988.634721][ T2908]  blk_trace_shutdown+0x203/0x260
[ 988.639721][ T2908]  __blk_release_queue+0x244/0x2e0
[ 988.644817][ T2908]  process_one_work+0x7ef/0x10e0
[ 988.649730][ T2908]  worker_thread+0xc01/0x1630
[ 988.654385][ T2908]  kthread+0x332/0x350
[ 988.658427][ T2908]  ? rcu_lock_release+0x30/0x30
[ 988.663263][ T2908]  ? kthread_blkcg+0xe0/0xe0
[ 988.667826][ T2908]  ret_from_fork+0x24/0x30
[ 988.673482][ T2908] Kernel Offset: disabled
[ 988.677804][ T2908] Rebooting in 86400 seconds..