[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.131' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 34.167091] ==================================================================
[ 34.174819] BUG: KASAN: use-after-free in do_blk_trace_setup+0xa5b/0xad0
[ 34.182410] Read of size 8 at addr ffff8880a1376040 by task syz-executor073/6353
[ 34.190145]
[ 34.191774] CPU: 0 PID: 6353 Comm: syz-executor073 Not tainted 4.14.176-syzkaller #0
[ 34.199766] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.209108] Call Trace:
[ 34.212375]  dump_stack+0x13e/0x194
[ 34.216004]  ? do_blk_trace_setup+0xa5b/0xad0
[ 34.220928]  print_address_description.cold+0x7c/0x1e2
[ 34.226542]  ? do_blk_trace_setup+0xa5b/0xad0
[ 34.231115]  kasan_report.cold+0xa9/0x2ae
[ 34.235252]  do_blk_trace_setup+0xa5b/0xad0
[ 34.239570]  blk_trace_setup+0xa3/0x120
[ 34.243563]  ? do_blk_trace_setup+0xad0/0xad0
[ 34.248067]  ? do_futex+0x131/0x1850
[ 34.251788]  sg_ioctl+0x2f9/0x2620
[ 34.255374]  ? trace_hardirqs_on+0x10/0x10
[ 34.259603]  ? sg_new_write.isra.0+0x8c0/0x8c0
[ 34.264262]  ? sg_new_write.isra.0+0x8c0/0x8c0
[ 34.268907]  do_vfs_ioctl+0x75a/0xfe0
[ 34.272700]  ? selinux_file_mprotect+0x5c0/0x5c0
[ 34.277719]  ? ioctl_preallocate+0x1a0/0x1a0
[ 34.282294]  ? security_file_ioctl+0x76/0xb0
[ 34.286865]  ? security_file_ioctl+0x83/0xb0
[ 34.291731]  SyS_ioctl+0x7f/0xb0
[ 34.296408]  ? do_vfs_ioctl+0xfe0/0xfe0
[ 34.300372]  do_syscall_64+0x1d5/0x640
[ 34.304832]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 34.310996] RIP: 0033:0x44aea9
[ 34.314260] RSP: 002b:00007f3abf214ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 34.322166] RAX: ffffffffffffffda RBX: 00000000006dcc28 RCX: 000000000044aea9
[ 34.329605] RDX: 0000000020000080 RSI: 00000000c0481273 RDI: 0000000000000004
[ 34.337166] RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
[ 34.345148] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc2c
[ 34.352920] R13: 00007fffbdde4dcf R14: 00007f3abf2159c0 R15: 0000000000000000
[ 34.360361]
[ 34.361981] Allocated by task 6353:
[ 34.365722]  save_stack+0x32/0xa0
[ 34.369160]  kasan_kmalloc+0xbf/0xe0
[ 34.372944]  kmem_cache_alloc_trace+0x14d/0x7b0
[ 34.377605]  do_blk_trace_setup+0x11e/0xad0
[ 34.382849]  blk_trace_setup+0xa3/0x120
[ 34.386829]  sg_ioctl+0x2f9/0x2620
[ 34.390459]  do_vfs_ioctl+0x75a/0xfe0
[ 34.394334]  SyS_ioctl+0x7f/0xb0
[ 34.397704]  do_syscall_64+0x1d5/0x640
[ 34.401667]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 34.407025]
[ 34.408641] Freed by task 6358:
[ 34.411909]  save_stack+0x32/0xa0
[ 34.415348]  kasan_slab_free+0x75/0xc0
[ 34.421225]  kfree+0xcb/0x260
[ 34.424731]  blk_trace_remove+0x52/0x80
[ 34.428981]  sg_ioctl+0x22a/0x2620
[ 34.432645]  do_vfs_ioctl+0x75a/0xfe0
[ 34.436639]  SyS_ioctl+0x7f/0xb0
[ 34.440001]  do_syscall_64+0x1d5/0x640
[ 34.443876]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 34.449698]
[ 34.451496] The buggy address belongs to the object at ffff8880a1376000
[ 34.451496]  which belongs to the cache kmalloc-128 of size 128
[ 34.464489] The buggy address is located 64 bytes inside of
[ 34.464489]  128-byte region [ffff8880a1376000, ffff8880a1376080)
[ 34.476451] The buggy address belongs to the page:
[ 34.481731] page:ffffea000284dd80 count:1 mapcount:0 mapping:ffff8880a1376000 index:0xffff8880a1376b40
[ 34.491535] flags: 0xfffe0000000100(slab)
[ 34.495681] raw: 00fffe0000000100 ffff8880a1376000 ffff8880a1376b40 0000000100000014
[ 34.504145] raw: ffffea0002912ca0 ffffea000285ee60 ffff88812fe56640 0000000000000000
[ 34.512986] page dumped because: kasan: bad access detected
[ 34.518689]
[ 34.520300] Memory state around the buggy address:
[ 34.525396]  ffff8880a1375f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.533148]  ffff8880a1375f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.542222] >ffff8880a1376000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.550667]                                            ^
[ 34.556403]  ffff8880a1376080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
executing program
executing program
executing program
executing program
[ 34.564793]  ffff8880a1376100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 34.574549] ==================================================================
[ 34.582851] Disabling lock debugging due to kernel taint
[ 34.612762] Kernel panic - not syncing: panic_on_warn set ...
[ 34.612762]
[ 34.620750] CPU: 0 PID: 6353 Comm: syz-executor073 Tainted: G B 4.14.176-syzkaller #0
[ 34.631464] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.642107] Call Trace:
[ 34.644917]  dump_stack+0x13e/0x194
[ 34.648806]  panic+0x1f9/0x42d
[ 34.651995]  ? add_taint.cold+0x16/0x16
[ 34.656787]  ? preempt_schedule_common+0x4a/0xc0
[ 34.661902]  ? do_blk_trace_setup+0xa5b/0xad0
[ 34.667535]  ? ___preempt_schedule+0x16/0x18
[ 34.672121]  ? do_blk_trace_setup+0xa5b/0xad0
[ 34.677036]  kasan_end_report+0x43/0x49
[ 34.681191]  kasan_report.cold+0x12f/0x2ae
[ 34.685651]  do_blk_trace_setup+0xa5b/0xad0
[ 34.694072]  blk_trace_setup+0xa3/0x120
[ 34.698929]  ? do_blk_trace_setup+0xad0/0xad0
[ 34.703550]  ? do_futex+0x131/0x1850
[ 34.707515]  sg_ioctl+0x2f9/0x2620
[ 34.711525]  ? trace_hardirqs_on+0x10/0x10
[ 34.717779]  ? sg_new_write.isra.0+0x8c0/0x8c0
[ 34.723773]  ? sg_new_write.isra.0+0x8c0/0x8c0
[ 34.728626]  do_vfs_ioctl+0x75a/0xfe0
[ 34.734791]  ? selinux_file_mprotect+0x5c0/0x5c0
[ 34.739629]  ? ioctl_preallocate+0x1a0/0x1a0
[ 34.744114]  ? security_file_ioctl+0x76/0xb0
[ 34.748641]  ? security_file_ioctl+0x83/0xb0
[ 34.753058]  SyS_ioctl+0x7f/0xb0
[ 34.756429]  ? do_vfs_ioctl+0xfe0/0xfe0
[ 34.760598]  do_syscall_64+0x1d5/0x640
[ 34.764580]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 34.771377] RIP: 0033:0x44aea9
[ 34.774756] RSP: 002b:00007f3abf214ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 34.783566] RAX: ffffffffffffffda RBX: 00000000006dcc28 RCX: 000000000044aea9
[ 34.791180] RDX: 0000000020000080 RSI: 00000000c0481273 RDI: 0000000000000004
[ 34.798744] RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
[ 34.806284] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc2c
[ 34.813924] R13: 00007fffbdde4dcf R14: 00007f3abf2159c0 R15: 0000000000000000
[ 34.822759] Kernel Offset: disabled
[ 34.826395] Rebooting in 86400 seconds..