[ 39.145540][ T25] audit: type=1800 audit(1563783454.783:27): pid=7662 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 39.179575][ T25] audit: type=1800 audit(1563783454.823:28): pid=7662 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 39.768367][ T25] audit: type=1800 audit(1563783455.403:29): pid=7662 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 39.787429][ T25] audit: type=1800 audit(1563783455.413:30): pid=7662 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.60' (ECDSA) to the list of known hosts.
2019/07/22 08:17:44 parsed 1 programs
2019/07/22 08:17:46 executed programs: 0
syzkaller login: [ 50.889629][ T7828] IPVS: ftp: loaded support on port[0] = 21
[ 50.937469][ T7828] chnl_net:caif_netlink_parms(): no params data found
[ 50.961532][ T7828] bridge0: port 1(bridge_slave_0) entered blocking state
[ 50.969548][ T7828] bridge0: port 1(bridge_slave_0) entered disabled state
[ 50.977129][ T7828] device bridge_slave_0 entered promiscuous mode
[ 50.984801][ T7828] bridge0: port 2(bridge_slave_1) entered blocking state
[ 50.991899][ T7828] bridge0: port 2(bridge_slave_1) entered disabled state
[ 50.999420][ T7828] device bridge_slave_1 entered promiscuous mode
[ 51.015184][ T7828] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 51.025848][ T7828] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 51.044762][ T7828] team0: Port device team_slave_0 added
[ 51.051462][ T7828] team0: Port device team_slave_1 added
[ 51.099974][ T7828] device hsr_slave_0 entered promiscuous mode
[ 51.168266][ T7828] device hsr_slave_1 entered promiscuous mode
[ 51.214296][ T7828] bridge0: port 2(bridge_slave_1) entered blocking state
[ 51.221470][ T7828] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 51.229197][ T7828] bridge0: port 1(bridge_slave_0) entered blocking state
[ 51.236234][ T7828] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 51.263162][ T7828] 8021q: adding VLAN 0 to HW filter on device bond0
[ 51.274998][ T2946] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 51.285853][ T2946] bridge0: port 1(bridge_slave_0) entered disabled state
[ 51.294285][ T2946] bridge0: port 2(bridge_slave_1) entered disabled state
[ 51.302135][ T2946] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 51.313185][ T7828] 8021q: adding VLAN 0 to HW filter on device team0
[ 51.322789][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 51.331189][ T23] bridge0: port 1(bridge_slave_0) entered blocking state
[ 51.338271][ T23] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 51.347597][ T2946] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 51.355963][ T2946] bridge0: port 2(bridge_slave_1) entered blocking state
[ 51.363057][ T2946] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 51.377285][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 51.388270][ T7831] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 51.397520][ T7831] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 51.409113][ T7831] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 51.419938][ T2946] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 51.429589][ T7828] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 51.444491][ T7828] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 51.631915][ T7842] debugfs: Directory 'loop0' with parent 'block' already present!
[ 51.698962][ T2946] ==================================================================
[ 51.707113][ T2946] BUG: KASAN: use-after-free in debugfs_remove+0x6d/0xf0
[ 51.714115][ T2946] Read of size 8 at addr ffff8880aa09ebd8 by task kworker/0:2/2946
[ 51.721974][ T2946]
[ 51.725157][ T2946] CPU: 0 PID: 2946 Comm: kworker/0:2 Not tainted 5.2.0+ #37
[ 51.732410][ T2946] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.742450][ T2946] Workqueue: events __blk_release_queue
[ 51.747991][ T2946] Call Trace:
[ 51.751257][ T2946]  dump_stack+0x1d8/0x2f8
[ 51.755567][ T2946]  print_address_description+0x75/0x5b0
[ 51.761084][ T2946]  ? log_buf_vmcoreinfo_setup+0x153/0x153
[ 51.766787][ T2946]  __kasan_report+0x14b/0x1c0
[ 51.771437][ T2946]  ? debugfs_remove+0x6d/0xf0
[ 51.776087][ T2946]  kasan_report+0x26/0x50
[ 51.780390][ T2946]  __asan_report_load8_noabort+0x14/0x20
[ 51.785991][ T2946]  debugfs_remove+0x6d/0xf0
[ 51.790467][ T2946]  __blk_trace_remove+0xa5/0x180
[ 51.795378][ T2946]  blk_trace_shutdown+0x20b/0x260
[ 51.800378][ T2946]  ? kfree_const+0x2a/0x40
[ 51.804768][ T2946]  __blk_release_queue+0x1bd/0x250
[ 51.809861][ T2946]  process_one_work+0x83b/0x1150
[ 51.814781][ T2946]  ? rescuer_thread+0x14e0/0x14e0
[ 51.819780][ T2946]  ? worker_thread+0x10de/0x1630
[ 51.824691][ T2946]  worker_thread+0xc01/0x1630
[ 51.829705][ T2946]  kthread+0x332/0x350
[ 51.833746][ T2946]  ? rcu_lock_release+0x30/0x30
[ 51.838578][ T2946]  ? kthread_blkcg+0xe0/0xe0
[ 51.843139][ T2946]  ret_from_fork+0x24/0x30
[ 51.847531][ T2946]
[ 51.849832][ T2946] Allocated by task 7839:
[ 51.854133][ T2946]  __kasan_kmalloc+0x11c/0x1b0
[ 51.858888][ T2946]  kasan_slab_alloc+0xf/0x20
[ 51.863449][ T2946]  kmem_cache_alloc+0x1e9/0x2e0
[ 51.868270][ T2946]  __d_alloc+0x2d/0x6e0
[ 51.872394][ T2946]  d_alloc_parallel+0xcc/0x15a0
[ 51.877216][ T2946]  __lookup_slow+0xfc/0x410
[ 51.881707][ T2946]  lookup_one_len+0x173/0x2a0
[ 51.886356][ T2946]  start_creating+0xd3/0x270
[ 51.890924][ T2946]  debugfs_create_dir+0x27/0x440
[ 51.895836][ T2946]  blk_mq_debugfs_register+0x8a/0x890
[ 51.901178][ T2946]  blk_register_queue+0x24b/0x370
[ 51.906176][ T2946]  __device_add_disk+0xc3f/0x1180
[ 51.911169][ T2946]  device_add_disk+0x2a/0x40
[ 51.915730][ T2946]  loop_add+0x5d1/0x780
[ 51.919857][ T2946]  loop_probe+0x1e8/0x2f0
[ 51.924155][ T2946]  kobj_lookup+0x3da/0x450
[ 51.928897][ T2946]  get_gendisk+0xe7/0x400
[ 51.933201][ T2946]  __blkdev_get+0x12c/0x1400
[ 51.937758][ T2946]  blkdev_get+0x889/0x9d0
[ 51.942060][ T2946]  blkdev_open+0x1e3/0x2c0
[ 51.946446][ T2946]  do_dentry_open+0x7d1/0x1080
[ 51.951178][ T2946]  vfs_open+0x73/0x80
[ 51.955134][ T2946]  path_openat+0x136d/0x4440
[ 51.959696][ T2946]  do_filp_open+0x1f7/0x430
[ 51.964167][ T2946]  do_sys_open+0x343/0x620
[ 51.968557][ T2946]  __x64_sys_open+0x87/0x90
[ 51.973034][ T2946]  do_syscall_64+0xfe/0x140
[ 51.977514][ T2946]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.983374][ T2946]
[ 51.985675][ T2946] Freed by task 7828:
[ 51.989631][ T2946]  __kasan_slab_free+0x12a/0x1e0
[ 51.994538][ T2946]  kasan_slab_free+0xe/0x10
[ 51.999015][ T2946]  kmem_cache_free+0x81/0xf0
[ 52.003576][ T2946]  __d_free+0x20/0x30
[ 52.007528][ T2946]  rcu_core+0x7e2/0xf00
[ 52.011655][ T2946]  rcu_core_si+0x9/0x10
[ 52.015785][ T2946]  __do_softirq+0x307/0x774
[ 52.020258][ T2946]
[ 52.022566][ T2946] The buggy address belongs to the object at ffff8880aa09eb80
[ 52.022566][ T2946]  which belongs to the cache dentry(17:syz0) of size 288
[ 52.037227][ T2946] The buggy address is located 88 bytes inside of
[ 52.037227][ T2946]  288-byte region [ffff8880aa09eb80, ffff8880aa09eca0)
[ 52.050381][ T2946] The buggy address belongs to the page:
[ 52.055986][ T2946] page:ffffea0002a82780 refcount:1 mapcount:0 mapping:ffff8880a4316c40 index:0x0
[ 52.065069][ T2946] flags: 0x1fffc0000000200(slab)
[ 52.070088][ T2946] raw: 01fffc0000000200 ffffea0002527f88 ffffea00022411c8 ffff8880a4316c40
[ 52.078647][ T2946] raw: 0000000000000000 ffff8880aa09e080 000000010000000b 0000000000000000
[ 52.087200][ T2946] page dumped because: kasan: bad access detected
[ 52.093581][ T2946]
[ 52.095885][ T2946] Memory state around the buggy address:
[ 52.101492][ T2946]  ffff8880aa09ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.109526][ T2946]  ffff8880aa09eb00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 52.117559][ T2946] >ffff8880aa09eb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.125919][ T2946]                                                     ^
[ 52.132822][ T2946]  ffff8880aa09ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.140857][ T2946]  ffff8880aa09ec80: fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb
[ 52.148889][ T2946] ==================================================================
[ 52.156918][ T2946] Disabling lock debugging due to kernel taint
[ 52.163724][ T2946] Kernel panic - not syncing: panic_on_warn set ...
[ 52.170319][ T2946] CPU: 0 PID: 2946 Comm: kworker/0:2 Tainted: G    B             5.2.0+ #37
[ 52.172748][ T7828] kobject: '7:0' (0000000037ac1dbd): kobject_add_internal: parent: 'bdi', set: 'devices'
[ 52.178968][ T2946] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.178983][ T2946] Workqueue: events __blk_release_queue
[ 52.178988][ T2946] Call Trace:
[ 52.179001][ T2946]  dump_stack+0x1d8/0x2f8
[ 52.179011][ T2946]  panic+0x29b/0x7d9
[ 52.179021][ T2946]  ? __kasan_report+0x195/0x1c0
[ 52.179033][ T2946]  ? trace_hardirqs_on+0x34/0x80
[ 52.189010][ T7828] kobject: '7:0' (0000000037ac1dbd): kobject_uevent_env
[ 52.198860][ T2946]  ? nmi_panic+0x97/0x97
[ 52.198870][ T2946]  ? trace_hardirqs_on+0x34/0x80
[ 52.198879][ T2946]  ? __kasan_report+0x195/0x1c0
[ 52.198887][ T2946]  ? _raw_spin_unlock_irqrestore+0xad/0xd0
[ 52.198896][ T2946]  __kasan_report+0x1bb/0x1c0
[ 52.198905][ T2946]  ? debugfs_remove+0x6d/0xf0
[ 52.198914][ T2946]  kasan_report+0x26/0x50
[ 52.198922][ T2946]  __asan_report_load8_noabort+0x14/0x20
[ 52.198928][ T2946]  debugfs_remove+0x6d/0xf0
[ 52.198937][ T2946]  __blk_trace_remove+0xa5/0x180
[ 52.198945][ T2946]  blk_trace_shutdown+0x20b/0x260
[ 52.198954][ T2946]  ? kfree_const+0x2a/0x40
[ 52.198962][ T2946]  __blk_release_queue+0x1bd/0x250
[ 52.198970][ T2946]  process_one_work+0x83b/0x1150
[ 52.198980][ T2946]  ? rescuer_thread+0x14e0/0x14e0
[ 52.198985][ T2946]  ? worker_thread+0x10de/0x1630
[ 52.198994][ T2946]  worker_thread+0xc01/0x1630
[ 52.199010][ T2946]  kthread+0x332/0x350
[ 52.199017][ T2946]  ? rcu_lock_release+0x30/0x30
[ 52.199024][ T2946]  ? kthread_blkcg+0xe0/0xe0
[ 52.199032][ T2946]  ret_from_fork+0x24/0x30
[ 52.205640][ T2946] Kernel Offset: disabled
[ 52.338527][ T2946] Rebooting in 86400 seconds..
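The part of this console log that matters for triage is the KASAN report between the two rules: a dentry allocated by debugfs_create_dir() under blk_mq_debugfs_register() during loop_add(), freed through __d_free() from an RCU callback, and then read 8 bytes in by debugfs_remove() when blk_trace_shutdown() runs from the __blk_release_queue work item. Pulling those facts out by hand from a flattened log is error-prone, so below is an added triage helper, written for this page and not part of syzkaller, syzbot or the kernel, that parses the report and cross-checks it. The KasanReport field names, the NOISE list of sanitizer and allocator frames to skip, and the SAMPLE excerpt (the report above with the long stacks shortened, plus the first lines of the panic trace that follows it) are all this example's own choices.

```python
"""Parse the KASAN report out of a syzkaller console log and cross-check it.

Added triage helper for this page; not part of syzkaller, syzbot or the kernel.
KasanReport fields and the NOISE list are this example's own conventions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PREFIX_RE = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")   # "[ 51.707113][ T2946] "
HEADER_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
OBJECT_RE = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET_RE = re.compile(r"located (?P<off>\d+) bytes inside of")
FRAME_RE = re.compile(r"^(?P<unreliable>\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Sanitizer/allocator plumbing that tops every stack; skipped to reach the real site.
NOISE = ("dump_stack", "print_address_description", "__kasan_", "kasan_", "__asan_",
         "kmem_cache_", "__kmalloc", "kmalloc", "kfree")

@dataclass
class KasanReport:
    kind: str = ""                   # e.g. "use-after-free"
    func: str = ""                   # function named on the BUG: line
    op: str = ""                     # "Read" or "Write"
    size: int = 0
    addr: int = 0
    task: str = ""
    obj_addr: int = 0
    cache: str = ""
    obj_size: int = 0
    offset: Optional[int] = None
    alloc_task: Optional[int] = None
    free_task: Optional[int] = None
    # stack name -> [(function, reliable)]; "? frame" lines are unreliable
    stacks: dict = field(default_factory=lambda: {"access": [], "alloc": [], "free": []})

def parse_kasan_report(text: str) -> KasanReport:
    rep, section, inside = KasanReport(), None, False
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        if line.startswith("BUG: KASAN:"):
            m = HEADER_RE.search(line)
            rep.kind, rep.func, inside = m["kind"], m["func"], True
            continue
        if not inside:
            continue
        if line.startswith("===="):           # closing rule; the panic trace after it is not the report
            break
        if line == "Call Trace:":
            section = "access"
            continue
        if (m := re.match(r"(Allocated|Freed) by task (\d+):", line)):
            section = "alloc" if m[1] == "Allocated" else "free"
            setattr(rep, section + "_task", int(m[2]))
            continue
        if section is not None:
            if (fm := FRAME_RE.match(line)):
                rep.stacks[section].append((fm["func"], fm["unreliable"] is None))
                continue
            section = None                    # blank line (or anything else) ends the stack
        if (m := ACCESS_RE.search(line)):
            rep.op, rep.size, rep.addr, rep.task = m["op"], int(m["size"]), int(m["addr"], 16), m["task"]
        elif (m := OBJECT_RE.search(line)):
            rep.obj_addr = int(m["obj"], 16)
        elif (m := CACHE_RE.search(line)):
            rep.cache, rep.obj_size = m["cache"], int(m["size"])
        elif (m := OFFSET_RE.search(line)):
            rep.offset = int(m["off"])
    return rep

def reliable_chain(frames: List[Tuple[str, bool]]) -> List[str]:
    """Reliable frames with sanitizer/allocator plumbing removed, innermost first."""
    return [f for f, ok in frames if ok and not f.startswith(NOISE)]

def triage(rep: KasanReport) -> dict:
    """What a triager wants first, plus self-consistency checks on the report's numbers."""
    access, alloc, free = (reliable_chain(rep.stacks[k]) for k in ("access", "alloc", "free"))
    return {
        "offset_consistent": rep.addr - rep.obj_addr == rep.offset,
        "access_inside_object": rep.obj_addr <= rep.addr and rep.addr + rep.size <= rep.obj_addr + rep.obj_size,
        "access_site": access[0] if access else None,
        "access_caller": access[1] if len(access) > 1 else None,
        "alloc_site": alloc[0] if alloc else None,
        "free_site": free[0] if free else None,
        "freed_via_rcu": any(f.startswith("rcu_") for f, _ in rep.stacks["free"]),
        "alloc_free_same_task": rep.alloc_task == rep.free_task,
    }

# Excerpt of the console log above (stacks shortened); the trailing panic lines
# are there to show that parsing stops at the closing rule.
SAMPLE = """\
[ 51.698962][ T2946] ==================================================================
[ 51.707113][ T2946] BUG: KASAN: use-after-free in debugfs_remove+0x6d/0xf0
[ 51.714115][ T2946] Read of size 8 at addr ffff8880aa09ebd8 by task kworker/0:2/2946
[ 51.721974][ T2946]
[ 51.725157][ T2946] CPU: 0 PID: 2946 Comm: kworker/0:2 Not tainted 5.2.0+ #37
[ 51.747991][ T2946] Call Trace:
[ 51.751257][ T2946]  dump_stack+0x1d8/0x2f8
[ 51.761084][ T2946]  ? log_buf_vmcoreinfo_setup+0x153/0x153
[ 51.766787][ T2946]  __kasan_report+0x14b/0x1c0
[ 51.771437][ T2946]  ? debugfs_remove+0x6d/0xf0
[ 51.780390][ T2946]  __asan_report_load8_noabort+0x14/0x20
[ 51.785991][ T2946]  debugfs_remove+0x6d/0xf0
[ 51.790467][ T2946]  __blk_trace_remove+0xa5/0x180
[ 51.795378][ T2946]  blk_trace_shutdown+0x20b/0x260
[ 51.800378][ T2946]  ? kfree_const+0x2a/0x40
[ 51.804768][ T2946]  __blk_release_queue+0x1bd/0x250
[ 51.847531][ T2946]
[ 51.849832][ T2946] Allocated by task 7839:
[ 51.854133][ T2946]  __kasan_kmalloc+0x11c/0x1b0
[ 51.863449][ T2946]  kmem_cache_alloc+0x1e9/0x2e0
[ 51.868270][ T2946]  __d_alloc+0x2d/0x6e0
[ 51.890924][ T2946]  debugfs_create_dir+0x27/0x440
[ 51.895836][ T2946]  blk_mq_debugfs_register+0x8a/0x890
[ 51.915730][ T2946]  loop_add+0x5d1/0x780
[ 51.983374][ T2946]
[ 51.985675][ T2946] Freed by task 7828:
[ 51.989631][ T2946]  __kasan_slab_free+0x12a/0x1e0
[ 51.999015][ T2946]  kmem_cache_free+0x81/0xf0
[ 52.003576][ T2946]  __d_free+0x20/0x30
[ 52.007528][ T2946]  rcu_core+0x7e2/0xf00
[ 52.020258][ T2946]
[ 52.022566][ T2946] The buggy address belongs to the object at ffff8880aa09eb80
[ 52.022566][ T2946]  which belongs to the cache dentry(17:syz0) of size 288
[ 52.037227][ T2946] The buggy address is located 88 bytes inside of
[ 52.148889][ T2946] ==================================================================
[ 52.163724][ T2946] Kernel panic - not syncing: panic_on_warn set ...
[ 52.178988][ T2946] Call Trace:
[ 52.179011][ T2946]  panic+0x29b/0x7d9
"""

if __name__ == "__main__":
    for key, val in triage(parse_kasan_report(SAMPLE)).items():
        print(f"{key:>22}: {val}")
```

Run against the full log it reports access_site debugfs_remove called from __blk_trace_remove, alloc_site __d_alloc, free_site __d_free, freed_via_rcu True and alloc_free_same_task False (task 7839 allocated, task 7828 freed), and it confirms the arithmetic the kernel printed: ffff8880aa09ebd8 minus ffff8880aa09eb80 is 0x58, the 88 bytes on the "located ... inside of" line, and the 8-byte read stays within the 288-byte dentry. The "? " frames are kept but marked unreliable so that the stale "? debugfs_remove" entry above the real one is not mistaken for the access site.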