[ 64.616519][ T24] audit: type=1800 audit(1563801075.943:24): pid=9124 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="sudo" dev="sda1" ino=2454 res=0
[ ok ] Starting enhanced syslogd: rsyslogd.
[ 65.347741][ T24] audit: type=1800 audit(1563801076.723:25): pid=9124 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 65.370222][ T24] audit: type=1800 audit(1563801076.723:26): pid=9124 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.189' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 76.756765][ T9283] debugfs: Directory 'loop0' with parent 'block' already present!
[ 76.839694][ T2622] ==================================================================
[ 76.848116][ T2622] BUG: KASAN: use-after-free in debugfs_remove+0x10d/0x130
[ 76.848135][ T2622] Read of size 8 at addr ffff8880aa0c4300 by task kworker/0:2/2622
[ 76.848139][ T2622]
[ 76.848156][ T2622] CPU: 0 PID: 2622 Comm: kworker/0:2 Not tainted 5.2.0+ #71
[ 76.848164][ T2622] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 76.848199][ T2622] Workqueue: events __blk_release_queue
[ 76.848216][ T2622] Call Trace:
[ 76.848264][ T2622] dump_stack+0x16f/0x1f0
[ 76.848285][ T2622] ? debugfs_remove+0x10d/0x130
[ 76.848326][ T2622] print_address_description.cold+0xd4/0x306
[ 76.863610][ T2622] ? debugfs_remove+0x10d/0x130
[ 76.873252][ T2622] ? debugfs_remove+0x10d/0x130
[ 76.888913][ T2622] __kasan_report.cold+0x1b/0x36
[ 76.888962][ T2622] ? __sanitizer_cov_trace_const_cmp2+0x20/0x20
[ 76.888984][ T2622] ? debugfs_remove+0x10d/0x130
[ 76.896655][ T2622] kasan_report+0x12/0x17
[ 76.896673][ T2622] __asan_report_load8_noabort+0x14/0x20
[ 76.896687][ T2622] debugfs_remove+0x10d/0x130
[ 76.896719][ T2622] blk_trace_free+0x38/0x140
[ 76.907576][ T2622] __blk_trace_remove+0x78/0xa0
[ 76.907593][ T2622] blk_trace_shutdown+0x67/0x90
[ 76.907610][ T2622] __blk_release_queue+0x1de/0x340
[ 76.907663][ T2622] process_one_work+0x9af/0x16d0
[ 76.917668][ T2622] ? pwq_dec_nr_in_flight+0x320/0x320
[ 76.917705][ T2622] ? lock_acquire+0x190/0x400
[ 76.917728][ T2622] worker_thread+0x98/0xe40
[ 76.917743][ T2622] ? trace_hardirqs_on+0x67/0x220
[ 76.917766][ T2622] kthread+0x361/0x430
[ 76.929270][ T2622] ? process_one_work+0x16d0/0x16d0
[ 76.929285][ T2622] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 76.929320][ T2622] ret_from_fork+0x24/0x30
[ 76.929340][ T2622]
[ 76.938761][ T2622] Allocated by task 9284:
[ 76.938790][ T2622] save_stack+0x23/0x90
[ 76.938812][ T2622] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 76.949266][ T2622] kasan_slab_alloc+0xf/0x20
[ 76.949278][ T2622] kmem_cache_alloc+0x121/0x700
[ 76.949303][ T2622] __d_alloc+0x2e/0x8c0
[ 76.949315][ T2622] d_alloc+0x4d/0x280
[ 76.949337][ T2622] d_alloc_parallel+0xf4/0x1b90
[ 76.954003][ T9286] kobject: '0' (000000007c5735ba): kobject_add_internal: parent: 'mq', set: ''
[ 76.958868][ T2622] __lookup_slow+0x1ab/0x500
[ 76.958881][ T2622] lookup_one_len+0x16d/0x1a0
[ 76.958892][ T2622] start_creating+0xc5/0x1d0
[ 76.958902][ T2622] __debugfs_create_file+0x65/0x3c0
[ 76.958912][ T2622] debugfs_create_file+0x5a/0x70
[ 76.958935][ T2622] do_blk_trace_setup+0x361/0xb50
[ 76.963929][ T9286] kobject: 'cpu0' (000000009bccb783): kobject_add_internal: parent: '0', set: ''
[ 76.968934][ T2622] __blk_trace_setup+0xe3/0x190
[ 76.968947][ T2622] blk_trace_ioctl+0x170/0x300
[ 76.968974][ T2622] blkdev_ioctl+0x126/0x1c1a
[ 76.968993][ T2622] block_ioctl+0xee/0x130
[ 76.969023][ T2622] do_vfs_ioctl+0xdb6/0x13e0
[ 76.974067][ T9286] kobject: 'cpu1' (00000000fded1e61): kobject_add_internal: parent: '0', set: ''
[ 76.979472][ T2622] ksys_ioctl+0xab/0xd0
[ 76.979483][ T2622] __x64_sys_ioctl+0x73/0xb0
[ 76.979516][ T2622] do_syscall_64+0xfd/0x6a0
[ 76.979535][ T2622] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 76.979550][ T2622]
[ 76.986133][ T9286] kobject: 'queue' (00000000591a4602): kobject_uevent_env
[ 76.988864][ T2622] Freed by task 0:
[ 76.994187][ T9286] kobject: 'queue' (00000000591a4602): kobject_uevent_env: filter function caused the event to drop!
[ 76.998282][ T2622] save_stack+0x23/0x90
[ 76.998296][ T2622] __kasan_slab_free+0x102/0x150
[ 76.998306][ T2622] kasan_slab_free+0xe/0x10
[ 76.998316][ T2622] kmem_cache_free+0x86/0x310
[ 76.998329][ T2622] __d_free+0x20/0x30
[ 76.998374][ T2622] rcu_core+0x66a/0x1470
[ 77.004876][ T9286] kobject: 'iosched' (00000000ba0e5ce5): kobject_add_internal: parent: 'queue', set: ''
[ 77.010722][ T2622] rcu_core_si+0x9/0x10
[ 77.010737][ T2622] __do_softirq+0x30d/0x970
[ 77.010741][ T2622]
[ 77.010753][ T2622] The buggy address belongs to the object at ffff8880aa0c42c0
[ 77.010753][ T2622] which belongs to the cache dentry of size 288
[ 77.010764][ T2622] The buggy address is located 64 bytes inside of
[ 77.010764][ T2622] 288-byte region [ffff8880aa0c42c0, ffff8880aa0c43e0)
[ 77.010778][ T2622] The buggy address belongs to the page:
[ 77.015597][ T9286] kobject: 'iosched' (00000000ba0e5ce5): kobject_uevent_env
[ 77.017760][ T2622] page:ffffea0002a83100 refcount:1 mapcount:0 mapping:ffff88821bc46540 index:0x0
[ 77.022299][ T9286] kobject: 'iosched' (00000000ba0e5ce5): kobject_uevent_env: filter function caused the event to drop!
[ 77.026459][ T2622] flags: 0x1fffc0000000200(slab)
[ 77.026479][ T2622] raw: 01fffc0000000200 ffffea0002250388 ffffea0002a81308 ffff88821bc46540
[ 77.026492][ T2622] raw: 0000000000000000 ffff8880aa0c4000 000000010000000b 0000000000000000
[ 77.026498][ T2622] page dumped because: kasan: bad access detected
[ 77.026502][ T2622]
[ 77.026506][ T2622] Memory state around the buggy address:
[ 77.026535][ T2622] ffff8880aa0c4200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.032304][ T9286] kobject: 'integrity' (00000000dbd44e57): kobject_add_internal: parent: 'loop0', set: ''
[ 77.036836][ T2622] ffff8880aa0c4280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 77.036848][ T2622] >ffff8880aa0c4300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.036853][ T2622] ^
[ 77.036862][ T2622] ffff8880aa0c4380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 77.036872][ T2622] ffff8880aa0c4400: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.036877][ T2622] ==================================================================
[ 77.036899][ T2622] Disabling lock debugging due to kernel taint
[ 77.037151][ T2622] Kernel panic - not syncing: panic_on_warn set ...
[ 77.041876][ T9286] kobject: 'integrity' (00000000dbd44e57): kobject_uevent_env
[ 77.045941][ T2622] CPU: 0 PID: 2622 Comm: kworker/0:2 Tainted: G B 5.2.0+ #71
[ 77.045948][ T2622] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 77.045970][ T2622] Workqueue: events __blk_release_queue
[ 77.045978][ T2622] Call Trace:
[ 77.046001][ T2622] dump_stack+0x16f/0x1f0
[ 77.046030][ T2622] panic+0x2dc/0x755
[ 77.046041][ T2622] ? add_taint.cold+0x16/0x16
[ 77.046058][ T2622] ? trace_hardirqs_on+0x5e/0x220
[ 77.046070][ T2622] ? trace_hardirqs_on+0x5e/0x220
[ 77.046084][ T2622] ? debugfs_remove+0x10d/0x130
[ 77.046107][ T2622] end_report+0x47/0x4f
[ 77.050120][ T9286] kobject: 'integrity' (00000000dbd44e57): kobject_uevent_env: filter function caused the event to drop!
[ 77.054991][ T2622] ? debugfs_remove+0x10d/0x130
[ 77.516391][ T2622] __kasan_report.cold+0xe/0x36
[ 77.521281][ T2622] ? __sanitizer_cov_trace_const_cmp2+0x20/0x20
[ 77.527631][ T2622] ? debugfs_remove+0x10d/0x130
[ 77.532615][ T2622] kasan_report+0x12/0x17
[ 77.536982][ T2622] __asan_report_load8_noabort+0x14/0x20
[ 77.542701][ T2622] debugfs_remove+0x10d/0x130
[ 77.547505][ T2622] blk_trace_free+0x38/0x140
[ 77.552350][ T2622] __blk_trace_remove+0x78/0xa0
[ 77.557867][ T2622] blk_trace_shutdown+0x67/0x90
[ 77.562751][ T2622] __blk_release_queue+0x1de/0x340
[ 77.568072][ T2622] process_one_work+0x9af/0x16d0
[ 77.573230][ T2622] ? pwq_dec_nr_in_flight+0x320/0x320
[ 77.579096][ T2622] ? lock_acquire+0x190/0x400
[ 77.583893][ T2622] worker_thread+0x98/0xe40
[ 77.588523][ T2622] ? trace_hardirqs_on+0x67/0x220
[ 77.593612][ T2622] kthread+0x361/0x430
[ 77.598235][ T2622] ? process_one_work+0x16d0/0x16d0
[ 77.603470][ T2622] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 77.609755][ T2622] ret_from_fork+0x24/0x30
[ 77.615587][ T2622] Kernel Offset: disabled
[ 77.620113][ T2622] Rebooting in 86400 seconds..