Warning: Permanently added '10.128.0.47' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   38.787841] audit: type=1400 audit(1598954865.763:8): avc:  denied  { execmem } for  pid=6468 comm="syz-executor908" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
executing program
executing program
executing program
[   38.873797] blktrace: Concurrent blktraces are not allowed on loop0
executing program
[   38.921165] blktrace: Concurrent blktraces are not allowed on loop0
[   38.965255] ==================================================================
[   38.972759] BUG: KASAN: use-after-free in debugfs_remove+0x1c1/0x210
[   38.979254] Read of size 8 at addr ffff8880837098c0 by task kworker/0:2/2740
[   38.986425]
[   38.988043] CPU: 0 PID: 2740 Comm: kworker/0:2 Not tainted 4.19.142-syzkaller #0
[   38.995556] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.004903] Workqueue: events __blk_release_queue
[   39.009727] Call Trace:
[   39.012302]  dump_stack+0x1fc/0x2fe
[   39.015925]  print_address_description.cold+0x54/0x219
[   39.021188]  kasan_report_error.cold+0x8a/0x1c7
[   39.025845]  ? debugfs_remove+0x1c1/0x210
[   39.029977]  __asan_report_load8_noabort+0x88/0x90
[   39.034890]  ? debugfs_remove+0x1c1/0x210
[   39.039026]  debugfs_remove+0x1c1/0x210
[   39.042987]  blk_trace_free+0x31/0x130
[   39.046859]  __blk_trace_remove+0x8b/0x100
[   39.051174]  blk_trace_shutdown+0x92/0x100
[   39.055394]  __blk_release_queue+0x235/0x4e0
[   39.059791]  process_one_work+0x864/0x1570
[   39.064014]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   39.068678]  worker_thread+0x64c/0x1130
[   39.072659]  ? __kthread_parkme+0x133/0x1e0
[   39.076964]  ? process_one_work+0x1570/0x1570
[   39.081444]  kthread+0x33f/0x460
[   39.084796]  ? kthread_park+0x180/0x180
[   39.088761]  ret_from_fork+0x24/0x30
[   39.092463]
[   39.094073] Allocated by task 6479:
[   39.097703]  kmem_cache_alloc+0x122/0x370
[   39.101832]  __d_alloc+0x2b/0xa10
[   39.105267]  d_alloc+0x4a/0x230
[   39.108531]  d_alloc_parallel+0xeb/0x19e0
[   39.112669]  __lookup_slow+0x18d/0x4a0
[   39.116538]  lookup_one_len+0x163/0x190
[   39.120508]  start_creating.part.0+0x62/0x160
[   39.125074]  __debugfs_create_file+0xb8/0x4e0
[   39.129638]  do_blk_trace_setup+0x3a5/0xc30
[   39.133943]  __blk_trace_setup+0xca/0x180
[   39.138075]  blk_trace_ioctl+0x155/0x290
[   39.142118]  blkdev_ioctl+0x112/0x1a7e
[   39.145987]  block_ioctl+0xe9/0x130
[   39.149596]  do_vfs_ioctl+0xcdb/0x12e0
[   39.153466]  ksys_ioctl+0x9b/0xc0
[   39.156907]  __x64_sys_ioctl+0x6f/0xb0
[   39.160796]  do_syscall_64+0xf9/0x620
[   39.164585]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.169752]
[   39.171358] Freed by task 18:
[   39.174449]  kmem_cache_free+0x7f/0x260
[   39.178438]  rcu_process_callbacks+0x8ff/0x18b0
[   39.183097]  __do_softirq+0x26c/0x9a0
[   39.186878]
[   39.188495] The buggy address belongs to the object at ffff888083709880
[   39.188495]  which belongs to the cache dentry of size 288
[   39.200706] The buggy address is located 64 bytes inside of
[   39.200706]  288-byte region [ffff888083709880, ffff8880837099a0)
[   39.212474] The buggy address belongs to the page:
[   39.217388] page:ffffea00020dc240 count:1 mapcount:0 mapping:ffff88821bc44c80 index:0x0
[   39.225532] flags: 0xfffe0000000100(slab)
[   39.229683] raw: 00fffe0000000100 ffffea00020dbbc8 ffffea00020dbc08 ffff88821bc44c80
[   39.237549] raw: 0000000000000000 ffff888083709040 000000010000000b 0000000000000000
[   39.245414] page dumped because: kasan: bad access detected
[   39.251115]
[   39.252737] Memory state around the buggy address:
[   39.257646]  ffff888083709780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.264986]  ffff888083709800: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   39.272336] >ffff888083709880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.279693]                                            ^
[   39.285135]  ffff888083709900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.292476]  ffff888083709980: fb fb fb fb fc fc fc fc fc fc fc fc 00 00 00 00
[   39.299815] ==================================================================
[   39.307162] Disabling lock debugging due to kernel taint
executing program
[   39.325966] Kernel panic - not syncing: panic_on_warn set ...
[   39.325966]
[   39.333375] CPU: 0 PID: 2740 Comm: kworker/0:2 Tainted: G    B             4.19.142-syzkaller #0
[   39.342297] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.351896] Workqueue: events __blk_release_queue
[   39.356720] Call Trace:
[   39.359407]  dump_stack+0x1fc/0x2fe
[   39.363026]  panic+0x26a/0x50e
[   39.366206]  ? __warn_printk+0xf3/0xf3
[   39.370082]  ? preempt_schedule_common+0x45/0xc0
[   39.374827]  ? ___preempt_schedule+0x16/0x18
[   39.379220]  ? trace_hardirqs_on+0x55/0x210
[   39.383527]  kasan_end_report+0x43/0x49
[   39.387571]  kasan_report_error.cold+0xa7/0x1c7
[   39.392221]  ? debugfs_remove+0x1c1/0x210
[   39.396360]  __asan_report_load8_noabort+0x88/0x90
[   39.401271]  ? debugfs_remove+0x1c1/0x210
[   39.405488]  debugfs_remove+0x1c1/0x210
[   39.409464]  blk_trace_free+0x31/0x130
[   39.413335]  __blk_trace_remove+0x8b/0x100
[   39.417557]  blk_trace_shutdown+0x92/0x100
[   39.421778]  __blk_release_queue+0x235/0x4e0
[   39.426168]  process_one_work+0x864/0x1570
[   39.430387]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   39.435041]  worker_thread+0x64c/0x1130
[   39.439018]  ? __kthread_parkme+0x133/0x1e0
[   39.443321]  ? process_one_work+0x1570/0x1570
[   39.447800]  kthread+0x33f/0x460
[   39.451147]  ? kthread_park+0x180/0x180
[   39.455105]  ret_from_fork+0x24/0x30
[   39.459984] Kernel Offset: disabled
[   39.465452] Rebooting in 86400 seconds..