[ 37.873092] audit: type=1800 audit(1563785133.020:33): pid=7034 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 37.899251] audit: type=1800 audit(1563785133.020:34): pid=7034 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 42.598307] random: sshd: uninitialized urandom read (32 bytes read)
[ 42.925215] audit: type=1400 audit(1563785138.070:35): avc: denied { map } for pid=7207 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 42.978606] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.574579] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.770482] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.1' (ECDSA) to the list of known hosts.
[ 49.645476] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 49.768547] audit: type=1400 audit(1563785144.910:36): avc: denied { map } for pid=7219 comm="syz-executor652" path="/root/syz-executor652679038" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 51.342263] ==================================================================
[ 51.349831] BUG: KASAN: use-after-free in debugfs_remove+0xfb/0x120
[ 51.349842] Read of size 8 at addr ffff88809475e640 by task kworker/1:2/2505
[ 51.349845]
[ 51.349853] CPU: 1 PID: 2505 Comm: kworker/1:2 Not tainted 4.14.134 #29
[ 51.349857] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.349891] Workqueue: events __blk_release_queue
[ 51.363534] Call Trace:
[ 51.363578]  dump_stack+0x138/0x19c
[ 51.363592]  ? debugfs_remove+0xfb/0x120
[ 51.371980]  print_address_description.cold+0x7c/0x1dc
[ 51.371996]  ? debugfs_remove+0xfb/0x120
[ 51.386180]  kasan_report.cold+0xa9/0x2af
[ 51.386192]  __asan_report_load8_noabort+0x14/0x20
[ 51.386205]  debugfs_remove+0xfb/0x120
[ 51.392435]  blk_trace_free+0x38/0x140
[ 51.401741]  blk_trace_remove+0x59/0x80
[ 51.401751]  blk_trace_shutdown+0x4f/0x60
[ 51.401763]  __blk_release_queue+0x1f3/0x480
[ 51.401789]  process_one_work+0x863/0x1600
[ 51.401804]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 51.410013]  worker_thread+0x5d9/0x1050
[ 51.410045]  kthread+0x319/0x430
[ 51.410055]  ? process_one_work+0x1600/0x1600
[ 51.418866]  ? kthread_create_on_node+0xd0/0xd0
[ 51.418891]  ret_from_fork+0x24/0x30
[ 51.418906]
[ 51.426758] Allocated by task 7239:
[ 51.426780]  save_stack_trace+0x16/0x20
[ 51.426791]  save_stack+0x45/0xd0
[ 51.435334]  kasan_kmalloc+0xce/0xf0
[ 51.435340]  kasan_slab_alloc+0xf/0x20
[ 51.435349]  kmem_cache_alloc+0x12e/0x780
[ 51.435370]  __d_alloc+0x2d/0x9f0
[ 51.444260]  d_alloc+0x4d/0x270
[ 51.444268]  __lookup_hash+0x58/0x180
[ 51.444274]  lookup_one_len+0x27b/0x3a0
[ 51.444284]  start_creating+0xa6/0x1b0
[ 51.444290]  __debugfs_create_file+0x53/0x3d0
[ 51.444297]  debugfs_create_file+0x5a/0x70
[ 51.444305]  do_blk_trace_setup+0x32d/0xb10
[ 51.444313]  blk_trace_setup+0xbd/0x140
[ 51.453115] kobject: 'queue' (ffff8880a0b8c298): kobject_add_internal: parent: 'loop0', set: ''
[ 51.456127]  blk_trace_ioctl+0x147/0x270
[ 51.456149]  blkdev_ioctl+0x100/0x1860
[ 51.456165]  block_ioctl+0xde/0x120
[ 51.456172]  do_vfs_ioctl+0x7ae/0x1060
[ 51.456177]  SyS_ioctl+0x8f/0xc0
[ 51.461518] kobject: 'mq' (ffff8880a0b8c2d8): kobject_add_internal: parent: 'loop0', set: ''
[ 51.464648]  do_syscall_64+0x1e8/0x640
[ 51.464660]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 51.466344] kobject: 'mq' (ffff8880a0b8c2d8): kobject_uevent_env
[ 51.469909]
[ 51.469914] Freed by task 17:
[ 51.469924]  save_stack_trace+0x16/0x20
[ 51.469931]  save_stack+0x45/0xd0
[ 51.469941]  kasan_slab_free+0x75/0xc0
[ 51.473993] kobject: 'mq' (ffff8880a0b8c2d8): kobject_uevent_env: filter function caused the event to drop!
[ 51.477369]  kmem_cache_free+0x83/0x2b0
[ 51.477377]  __d_free+0x20/0x30
[ 51.477386]  rcu_process_callbacks+0x7b8/0x12b0
[ 51.477397]  __do_softirq+0x244/0x9a0
[ 51.481298] kobject: '0' (ffff8880994a98e8): kobject_add_internal: parent: 'mq', set: ''
[ 51.485056]
[ 51.485063] The buggy address belongs to the object at ffff88809475e600
[ 51.485063]  which belongs to the cache dentry of size 288
[ 51.485070] The buggy address is located 64 bytes inside of
[ 51.485070]  288-byte region [ffff88809475e600, ffff88809475e720)
[ 51.485073] The buggy address belongs to the page:
[ 51.485081] page:ffffea000251d780 count:1 mapcount:0 mapping:ffff88809475e080 index:0xffff88809475ece0
[ 51.489382] kobject: 'cpu0' (ffffe8ffffc2d318): kobject_add_internal: parent: '0', set: ''
[ 51.492707] flags: 0x1fffc0000000100(slab)
[ 51.492725] raw: 01fffc0000000100 ffff88809475e080 ffff88809475ece0 0000000100000004
[ 51.492733] raw: ffffea000251d420 ffffea0002516a20 ffff88821f8b5680 0000000000000000
[ 51.492740] page dumped because: kasan: bad access detected
[ 51.496115] kobject: 'cpu1' (ffffe8ffffd2d318): kobject_add_internal: parent: '0', set: ''
[ 51.499821]
[ 51.499824] Memory state around the buggy address:
[ 51.499832]  ffff88809475e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.499837]  ffff88809475e580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 51.499843] >ffff88809475e600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.499847]                                            ^
[ 51.499855]  ffff88809475e680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.506354] kobject: 'queue' (ffff8880a0b8c298): kobject_uevent_env
[ 51.507711]  ffff88809475e700: fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb
[ 51.507715] ==================================================================
[ 51.507724] Disabling lock debugging due to kernel taint
[ 51.512520] Kernel panic - not syncing: panic_on_warn set ...
[ 51.512520]
[ 51.786519] CPU: 1 PID: 2505 Comm: kworker/1:2 Tainted: G    B   4.14.134 #29
[ 51.795954] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.805343] Workqueue: events __blk_release_queue
[ 51.810179] Call Trace:
[ 51.812767]  dump_stack+0x138/0x19c
[ 51.816389]  ? debugfs_remove+0xfb/0x120
[ 51.820441]  panic+0x1f2/0x426
[ 51.823621]  ? add_taint.cold+0x16/0x16
[ 51.827588]  ? ___preempt_schedule+0x16/0x18
[ 51.832000]  kasan_end_report+0x47/0x4f
[ 51.835963]  kasan_report.cold+0x130/0x2af
[ 51.840191]  __asan_report_load8_noabort+0x14/0x20
[ 51.845113]  debugfs_remove+0xfb/0x120
[ 51.848997]  blk_trace_free+0x38/0x140
[ 51.852879]  blk_trace_remove+0x59/0x80
[ 51.856843]  blk_trace_shutdown+0x4f/0x60
[ 51.860994]  __blk_release_queue+0x1f3/0x480
[ 51.865398]  process_one_work+0x863/0x1600
[ 51.869659]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 51.874329]  worker_thread+0x5d9/0x1050
[ 51.878308]  kthread+0x319/0x430
[ 51.881669]  ? process_one_work+0x1600/0x1600
[ 51.886157]  ? kthread_create_on_node+0xd0/0xd0
[ 51.890895]  ret_from_fork+0x24/0x30
[ 51.895676] Kernel Offset: disabled
[ 51.899436] Rebooting in 86400 seconds..
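The report above is a standard KASAN use-after-free dump, and what matters for triage is buried among interleaved kobject chatter and instrumentation frames: the access (an 8-byte read in debugfs_remove by a workqueue task releasing a request queue), the allocation site (a dentry created by debugfs_create_file from blk_trace_setup, i.e. the blktrace setup ioctl on loop0) and the free site (__d_free running from an RCU callback in softirq context). The Python parser below is an added example written for this page; it is not part of the syzkaller log, of syzkaller or of the kernel. It pulls those fields out of an embedded, constructed excerpt of the log above, drops "?" guess frames and the KASAN/allocator instrumentation frames (the NOISE_RE list is my own heuristic, an assumption), and classifies the free context.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the console log above; the kobject: line shows chatter interleaved by another CPU.
SAMPLE_LOG = """\
[ 51.349831] BUG: KASAN: use-after-free in debugfs_remove+0xfb/0x120
[ 51.349842] Read of size 8 at addr ffff88809475e640 by task kworker/1:2/2505
[ 51.363534] Call Trace:
[ 51.363578]  dump_stack+0x138/0x19c
[ 51.363592]  ? debugfs_remove+0xfb/0x120
[ 51.386205]  debugfs_remove+0xfb/0x120
[ 51.392435]  blk_trace_free+0x38/0x140
[ 51.401763]  __blk_release_queue+0x1f3/0x480
[ 51.418906]
[ 51.426758] Allocated by task 7239:
[ 51.435349]  kmem_cache_alloc+0x12e/0x780
[ 51.435370]  __d_alloc+0x2d/0x9f0
[ 51.444305]  do_blk_trace_setup+0x32d/0xb10
[ 51.453115] kobject: 'queue' (ffff8880a0b8c298): kobject_add_internal: parent: 'loop0', set: ''
[ 51.456127]  blk_trace_ioctl+0x147/0x270
[ 51.469909]
[ 51.469914] Freed by task 17:
[ 51.477369]  kmem_cache_free+0x83/0x2b0
[ 51.477377]  __d_free+0x20/0x30
[ 51.477386]  rcu_process_callbacks+0x7b8/0x12b0
[ 51.477397]  __do_softirq+0x244/0x9a0
[ 51.485056]
[ 51.485063] The buggy address belongs to the object at ffff88809475e600
[ 51.485063]  which belongs to the cache dentry of size 288
[ 51.485070] The buggy address is located 64 bytes inside of
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # "[ 51.349831] " console timestamp
FRAME_RE = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
BUG_RE = re.compile(r"^BUG: KASAN: (\S+) in ([A-Za-z_][\w.]*)\+0x")
ACCESS_RE = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
SECTION_RE = re.compile(r"^(Call Trace:|Allocated by task (\d+):|Freed by task (\d+):)")
OBJECT_RE = re.compile(r"^The buggy address belongs to the object at ([0-9a-f]+)")
CACHE_RE = re.compile(r"^\s*which belongs to the cache (\S+) of size (\d+)")
OFFSET_RE = re.compile(r"^The buggy address is located (\d+) bytes (?:inside|to the right|to the left) of")
# Instrumentation/allocator frames present in every report that carry no triage value (my own list).
NOISE_RE = re.compile(r"^(dump_stack|print_address_description|kasan_|__asan_|save_stack|kmem_cache_(alloc|free)|__kmalloc|kmalloc\b|kfree\b)")

@dataclass
class KasanReport:
    bug_type: str = ""
    crash_func: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    object_addr: int = 0
    cache: str = ""
    object_size: int = 0
    offset: int = 0
    alloc_task: Optional[int] = None
    free_task: Optional[int] = None
    call_trace: List[str] = field(default_factory=list)   # stacks, innermost first, with "?" guesses
    alloc_trace: List[str] = field(default_factory=list)  # and NOISE_RE frames removed
    free_trace: List[str] = field(default_factory=list)

def parse_kasan_report(text: str) -> KasanReport:
    r = KasanReport()
    target: Optional[List[str]] = None  # the stack currently being collected, if any
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).rstrip()
        if not line:  # a blank line closes a stack section
            target = None
        elif m := BUG_RE.match(line):
            r.bug_type, r.crash_func = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(line):
            r.access, r.size, r.addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
        elif m := SECTION_RE.match(line):
            if m.group(2):
                r.alloc_task, target = int(m.group(2)), r.alloc_trace
            elif m.group(3):
                r.free_task, target = int(m.group(3)), r.free_trace
            else:
                target = r.call_trace
        elif m := OBJECT_RE.match(line):
            r.object_addr = int(m.group(1), 16)
        elif m := CACHE_RE.match(line):
            r.cache, r.object_size = m.group(1), int(m.group(2))
        elif m := OFFSET_RE.match(line):
            r.offset = int(m.group(1))
        elif (m := FRAME_RE.match(line)) and target is not None:
            if not m.group(1) and not NOISE_RE.match(m.group(2)):  # unmatched lines (kobject: etc.) are ignored
                target.append(m.group(2))
    return r

def free_context(r: KasanReport) -> str:
    """Where the free ran: "rcu-callback" (freed after a grace period), "softirq", or plain "task"."""
    if any(f.startswith(("rcu_process_callbacks", "rcu_do_batch", "rcu_core")) for f in r.free_trace):
        return "rcu-callback"
    return "softirq" if "__do_softirq" in r.free_trace else "task"

def summarize(r: KasanReport) -> str:
    return (f"{r.bug_type} in {r.crash_func}: {r.access} of {r.size} bytes at offset {r.offset} in a "
            f"{r.object_size}-byte {r.cache} object; allocated by task {r.alloc_task} via "
            f"{' <- '.join(r.alloc_trace[:3])}, freed by task {r.free_task} via "
            f"{' <- '.join(r.free_trace[:3])} ({free_context(r)} context)")
```

Calling summarize(parse_kasan_report(SAMPLE_LOG)) reduces the report to one line: an 8-byte read in debugfs_remove, 64 bytes into a freed 288-byte dentry that was allocated from the blktrace ioctl path and released by __d_free out of an RCU callback. That "rcu-callback" classification is the detail worth reading off first, because it tells you the dentry outlived its last legitimate user only by a grace period while blk_trace_free still held a pointer to it.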