[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 32.215159] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.416488] kauditd_printk_skb: 10 callbacks suppressed
[ 32.416495] audit: type=1400 audit(1573016182.120:35): avc: denied { map } for pid=6933 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 32.477448] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.063792] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.252729] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.205' (ECDSA) to the list of known hosts.
[ 38.741643] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 38.872278] audit: type=1400 audit(1573016188.580:36): avc: denied { map } for pid=6946 comm="syz-executor346" path="/root/syz-executor346322002" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 38.880636] devpts: called with bogus options
executing program
[ 39.051481] devpts: called with bogus options
executing program
[ 39.186911] devpts: called with bogus options
executing program
[ 39.326969] devpts: called with bogus options
executing program
[ 39.496824] devpts: called with bogus options
executing program
[ 39.637023] devpts: called with bogus options
executing program
[ 39.757136] devpts: called with bogus options
executing program
[ 39.887636] devpts: called with bogus options
executing program
[ 40.026387] devpts: called with bogus options
executing program
executing program
[ 40.166033] devpts: called with bogus options
[ 40.179831] devpts: called with bogus options
executing program
[ 40.474300] devpts: called with bogus options
executing program
[ 40.645666] devpts: called with bogus options
[ 40.772376] ==================================================================
[ 40.780166] BUG: KASAN: use-after-free in debugfs_remove+0xfb/0x120
[ 40.780175] Read of size 8 at addr ffff8880a7773640 by task kworker/1:1/23
[ 40.780177]
[ 40.780186] CPU: 1 PID: 23 Comm: kworker/1:1 Not tainted 4.14.151 #0
[ 40.780190] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.780203] Workqueue: events __blk_release_queue
[ 40.780208] Call Trace:
[ 40.780218]  dump_stack+0x138/0x197
[ 40.780227]  ? debugfs_remove+0xfb/0x120
[ 40.780236]  print_address_description.cold+0x7c/0x1dc
[ 40.780245]  ? debugfs_remove+0xfb/0x120
[ 40.780251]  kasan_report.cold+0xa9/0x2af
[ 40.780260]  __asan_report_load8_noabort+0x14/0x20
[ 40.780267]  debugfs_remove+0xfb/0x120
[ 40.794609]  blk_trace_free+0x38/0x140
[ 40.794616]  blk_trace_remove+0x59/0x80
[ 40.794624]  blk_trace_shutdown+0x4f/0x60
[ 40.794634]  __blk_release_queue+0x22e/0x4d0
[ 40.794646]  process_one_work+0x863/0x1600
[ 40.794658]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 40.794671]  worker_thread+0x5d9/0x1050
[ 40.802772]  kthread+0x319/0x430
[ 40.802780]  ? process_one_work+0x1600/0x1600
[ 40.802785]  ? kthread_create_on_node+0xd0/0xd0
[ 40.802795]  ret_from_fork+0x24/0x30
[ 40.802808]
[ 40.816957] Allocated by task 6974:
[ 40.816966]  save_stack_trace+0x16/0x20
[ 40.816973]  save_stack+0x45/0xd0
[ 40.816979]  kasan_kmalloc+0xce/0xf0
[ 40.822431] kobject: 'loop0' (ffff888083f6a6e0): kobject_add_internal: parent: 'block', set: 'devices'
[ 40.823157]  kasan_slab_alloc+0xf/0x20
[ 40.827980] kobject: 'loop0' (ffff888083f6a6e0): kobject_uevent_env
[ 40.832733]  kmem_cache_alloc+0x12e/0x780
[ 40.832741]  __d_alloc+0x2d/0x9f0
[ 40.832746]  d_alloc+0x4d/0x270
[ 40.832754]  __lookup_hash+0x58/0x180
[ 40.832760]  lookup_one_len+0x27b/0x3a0
[ 40.832770]  start_creating+0xa6/0x1b0
[ 40.836849] kobject: 'loop0' (ffff888083f6a6e0): kobject_uevent_env: uevent_suppress caused the event to drop!
[ 40.840942]  __debugfs_create_file+0x53/0x3d0
[ 40.840948]  debugfs_create_file+0x5a/0x70
[ 40.840955]  do_blk_trace_setup+0x32d/0xb10
[ 40.840960]  blk_trace_setup+0xbd/0x140
[ 40.840965]  blk_trace_ioctl+0x147/0x270
[ 40.840971]  blkdev_ioctl+0x100/0x1860
[ 40.840979]  block_ioctl+0xde/0x120
[ 40.845959] kobject: 'holders' (ffff888086dadc00): kobject_add_internal: parent: 'loop0', set: ''
[ 40.849749]  do_vfs_ioctl+0x7ae/0x1060
[ 40.849755]  SyS_ioctl+0x8f/0xc0
[ 40.849761]  do_syscall_64+0x1e8/0x640
[ 40.849770]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.853701] kobject: 'slaves' (ffff888086dadb80): kobject_add_internal: parent: 'loop0', set: ''
[ 40.857579]
[ 40.857584] Freed by task 0:
[ 40.857592]  save_stack_trace+0x16/0x20
[ 40.857600]  save_stack+0x45/0xd0
[ 40.861801] kobject: 'loop0' (ffff888083f6a6e0): kobject_uevent_env
[ 40.866125]  kasan_slab_free+0x75/0xc0
[ 40.866132]  kmem_cache_free+0x83/0x2b0
[ 40.866138]  __d_free+0x20/0x30
[ 40.866145]  rcu_process_callbacks+0x7b8/0x12b0
[ 40.870432] kobject: 'loop0' (ffff888083f6a6e0): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 40.875001]  __do_softirq+0x244/0x9a0
[ 40.875004]
[ 40.875010] The buggy address belongs to the object at ffff8880a7773600
[ 40.875010]  which belongs to the cache dentry of size 288
[ 40.875017] The buggy address is located 64 bytes inside of
[ 40.875017]  288-byte region [ffff8880a7773600, ffff8880a7773720)
[ 40.882897] kobject: 'queue' (ffff8880a0fba998): kobject_add_internal: parent: 'loop0', set: ''
[ 40.886811] The buggy address belongs to the page:
[ 40.886819] page:ffffea00029ddcc0 count:1 mapcount:0 mapping:ffff8880a7773080 index:0x0
[ 40.886827] flags: 0x1fffc0000000100(slab)
[ 40.886839] raw: 01fffc0000000100 ffff8880a7773080 0000000000000000 000000010000000b
[ 40.886846] raw: ffffea00029dcf20 ffffea00029ddfe0 ffff88821f8b5680 0000000000000000
[ 40.886849] page dumped because: kasan: bad access detected
[ 40.886851]
[ 40.886854] Memory state around the buggy address:
[ 40.893044] kobject: 'mq' (ffff8880a0fba9d8): kobject_add_internal: parent: 'loop0', set: ''
[ 40.895547]  ffff8880a7773500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 40.895553]  ffff8880a7773580: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 40.895558] >ffff8880a7773600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.895563]                                            ^
[ 40.897220] kobject: 'mq' (ffff8880a0fba9d8): kobject_uevent_env
[ 40.900783]  ffff8880a7773680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.900788]  ffff8880a7773700: fb fb fb fb fc fc fc fc fc fc fc fc 00 00 00 00
[ 40.900791] ==================================================================
[ 40.900794] Disabling lock debugging due to kernel taint
[ 40.910092] Kernel panic - not syncing: panic_on_warn set ...
[ 40.910092]
[ 40.917700] kobject: 'mq' (ffff8880a0fba9d8): kobject_uevent_env: filter function caused the event to drop!
[ 40.921364] CPU: 1 PID: 23 Comm: kworker/1:1 Tainted: G    B   4.14.151 #0
[ 40.921368] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.921384] Workqueue: events __blk_release_queue
[ 40.921388] Call Trace:
[ 40.921397]  dump_stack+0x138/0x197
[ 40.921407]  ? debugfs_remove+0xfb/0x120
[ 40.921415]  panic+0x1f9/0x42d
[ 40.926195] kobject: '0' (ffff8880a065d8e8): kobject_add_internal: parent: 'mq', set: ''
[ 40.932542]  ? add_taint.cold+0x16/0x16
[ 40.932550]  ? ___preempt_schedule+0x16/0x18
[ 40.932560]  kasan_end_report+0x47/0x4f
[ 40.932568]  kasan_report.cold+0x130/0x2af
[ 40.937062] kobject: 'cpu0' (ffffe8ffffc2d4d8): kobject_add_internal: parent: '0', set: ''
[ 40.940135]  __asan_report_load8_noabort+0x14/0x20
[ 40.940143]  debugfs_remove+0xfb/0x120
[ 40.940152]  blk_trace_free+0x38/0x140
[ 40.943458] kobject: 'cpu1' (ffffe8ffffd2d4d8): kobject_add_internal: parent: '0', set: ''
[ 40.947187]  blk_trace_remove+0x59/0x80
[ 40.947193]  blk_trace_shutdown+0x4f/0x60
[ 40.947202]  __blk_release_queue+0x22e/0x4d0
[ 40.952895] kobject: 'queue' (ffff8880a0fba998): kobject_uevent_env
[ 40.955030]  process_one_work+0x863/0x1600
[ 40.955040]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 40.965287] kobject: 'queue' (ffff8880a0fba998): kobject_uevent_env: filter function caused the event to drop!
[ 40.969723]  worker_thread+0x5d9/0x1050
[ 40.969735]  kthread+0x319/0x430
[ 40.974315] kobject: 'iosched' (ffff8880a065c950): kobject_add_internal: parent: 'queue', set: ''
[ 40.978244]  ? process_one_work+0x1600/0x1600
[ 40.978251]  ? kthread_create_on_node+0xd0/0xd0
[ 40.982302] kobject: 'iosched' (ffff8880a065c950): kobject_uevent_env
[ 40.986238]  ret_from_fork+0x24/0x30
[ 40.991617] Kernel Offset: disabled
[ 41.421077] Rebooting in 86400 seconds..