[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.29' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 37.804424] audit: type=1400 audit(1587343472.889:8): avc: denied { execmem } for pid=6329 comm="syz-executor524" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
executing program
[ 37.857650] ==================================================================
[ 37.865141] BUG: KASAN: use-after-free in do_blk_trace_setup+0xa5b/0xad0
[ 37.871985] Read of size 8 at addr ffff8880a0c44dc0 by task syz-executor524/6339
[ 37.879508]
[ 37.881132] CPU: 1 PID: 6339 Comm: syz-executor524 Not tainted 4.14.176-syzkaller #0
[ 37.889004] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.898351] Call Trace:
[ 37.901024]  dump_stack+0x13e/0x194
[ 37.904647]  ? do_blk_trace_setup+0xa5b/0xad0
[ 37.909137]  print_address_description.cold+0x7c/0x1e2
[ 37.914423]  ? do_blk_trace_setup+0xa5b/0xad0
[ 37.918915]  kasan_report.cold+0xa9/0x2ae
[ 37.923058]  do_blk_trace_setup+0xa5b/0xad0
[ 37.927375]  blk_trace_setup+0xa3/0x120
[ 37.931342]  ? do_blk_trace_setup+0xad0/0xad0
[ 37.935834]  ? do_futex+0x131/0x1850
[ 37.939540]  sg_ioctl+0x2f9/0x2620
[ 37.943074]  ? trace_hardirqs_on+0x10/0x10
[ 37.947301]  ? sg_new_write.isra.0+0x8c0/0x8c0
[ 37.951881]  ? sg_new_write.isra.0+0x8c0/0x8c0
[ 37.956454]  do_vfs_ioctl+0x75a/0xfe0
[ 37.960262]  ? selinux_file_mprotect+0x5c0/0x5c0
[ 37.965024]  ? ioctl_preallocate+0x1a0/0x1a0
[ 37.969453]  ? security_file_ioctl+0x76/0xb0
[ 37.973852]  ? security_file_ioctl+0x83/0xb0
[ 37.978259]  SyS_ioctl+0x7f/0xb0
[ 37.981622]  ? do_vfs_ioctl+0xfe0/0xfe0
[ 37.985613]  do_syscall_64+0x1d5/0x640
[ 37.989497]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 37.994679] RIP: 0033:0x44aef9
[ 37.997861] RSP: 002b:00007f2b10587ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 38.005559] RAX: ffffffffffffffda RBX: 00000000006dcc28 RCX: 000000000044aef9
[ 38.012821] RDX: 0000000020000080 RSI: 00000000c0481273 RDI: 0000000000000007
[ 38.020093] RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
[ 38.027355] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc2c
[ 38.034614] R13: 00007ffc1a56c28f R14: 00007f2b105889c0 R15: 0000000000000000
[ 38.041899]
[ 38.043519] Allocated by task 6339:
[ 38.047138]  save_stack+0x32/0xa0
[ 38.050579]  kasan_kmalloc+0xbf/0xe0
[ 38.054281]  kmem_cache_alloc_trace+0x14d/0x7b0
[ 38.058939]  do_blk_trace_setup+0x11e/0xad0
[ 38.063249]  blk_trace_setup+0xa3/0x120
[ 38.067310]  sg_ioctl+0x2f9/0x2620
[ 38.070841]  do_vfs_ioctl+0x75a/0xfe0
[ 38.074629]  SyS_ioctl+0x7f/0xb0
[ 38.077994]  do_syscall_64+0x1d5/0x640
[ 38.081873]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.087049]
[ 38.088677] Freed by task 6351:
[ 38.091945]  save_stack+0x32/0xa0
[ 38.095387]  kasan_slab_free+0x75/0xc0
[ 38.099259]  kfree+0xcb/0x260
[ 38.102355]  blk_trace_remove+0x52/0x80
[ 38.106315]  sg_ioctl+0x22a/0x2620
[ 38.109857]  do_vfs_ioctl+0x75a/0xfe0
[ 38.113644]  SyS_ioctl+0x7f/0xb0
[ 38.117007]  do_syscall_64+0x1d5/0x640
[ 38.120904]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.126080]
[ 38.127703] The buggy address belongs to the object at ffff8880a0c44d80
[ 38.127703]  which belongs to the cache kmalloc-128 of size 128
[ 38.140354] The buggy address is located 64 bytes inside of
[ 38.140354]  128-byte region [ffff8880a0c44d80, ffff8880a0c44e00)
[ 38.152145] The buggy address belongs to the page:
[ 38.157079] page:ffffea0002831100 count:1 mapcount:0 mapping:ffff8880a0c44000 index:0xffff8880a0c44a80
[ 38.166522] flags: 0xfffe0000000100(slab)
[ 38.170661] raw: 00fffe0000000100 ffff8880a0c44000 ffff8880a0c44a80 0000000100000009
[ 38.178541] raw: ffffea0002a00320 ffffea000280b420 ffff88812fe56640 0000000000000000
[ 38.186411] page dumped because: kasan: bad access detected
[ 38.192120]
[ 38.193732] Memory state around the buggy address:
[ 38.198651]  ffff8880a0c44c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 38.205999]  ffff8880a0c44d00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 38.213362] >ffff8880a0c44d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.220709]                                            ^
[ 38.226147]  ffff8880a0c44e00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 38.233494]  ffff8880a0c44e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 38.240844] ==================================================================
[ 38.248199] Disabling lock debugging due to kernel taint
[ 38.258761] Kernel panic - not syncing: panic_on_warn set ...
[ 38.258761]
[ 38.266137] CPU: 0 PID: 6339 Comm: syz-executor524 Tainted: G B 4.14.176-syzkaller #0
[ 38.275226] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.284574] Call Trace:
[ 38.287151]  dump_stack+0x13e/0x194
[ 38.290799]  panic+0x1f9/0x42d
[ 38.293973]  ? add_taint.cold+0x16/0x16
[ 38.297937]  ? preempt_schedule_common+0x4a/0xc0
[ 38.302711]  ? do_blk_trace_setup+0xa5b/0xad0
[ 38.307194]  ? ___preempt_schedule+0x16/0x18
[ 38.311671]  ? do_blk_trace_setup+0xa5b/0xad0
[ 38.316147]  kasan_end_report+0x43/0x49
[ 38.320098]  kasan_report.cold+0x12f/0x2ae
[ 38.324319]  do_blk_trace_setup+0xa5b/0xad0
[ 38.328633]  blk_trace_setup+0xa3/0x120
[ 38.332589]  ? do_blk_trace_setup+0xad0/0xad0
[ 38.337068]  ? do_futex+0x131/0x1850
[ 38.340761]  sg_ioctl+0x2f9/0x2620
[ 38.344281]  ? trace_hardirqs_on+0x10/0x10
[ 38.348494]  ? sg_new_write.isra.0+0x8c0/0x8c0
[ 38.353067]  ? sg_new_write.isra.0+0x8c0/0x8c0
[ 38.357629]  do_vfs_ioctl+0x75a/0xfe0
[ 38.361419]  ? selinux_file_mprotect+0x5c0/0x5c0
[ 38.366150]  ? ioctl_preallocate+0x1a0/0x1a0
[ 38.370537]  ? security_file_ioctl+0x76/0xb0
[ 38.374964]  ? security_file_ioctl+0x83/0xb0
[ 38.379357]  SyS_ioctl+0x7f/0xb0
[ 38.382702]  ? do_vfs_ioctl+0xfe0/0xfe0
[ 38.386668]  do_syscall_64+0x1d5/0x640
[ 38.390536]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.395701] RIP: 0033:0x44aef9
[ 38.398874] RSP: 002b:00007f2b10587ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 38.406575] RAX: ffffffffffffffda RBX: 00000000006dcc28 RCX: 000000000044aef9
[ 38.413827] RDX: 0000000020000080 RSI: 00000000c0481273 RDI: 0000000000000007
[ 38.421075] RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
[ 38.428323] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc2c
[ 38.435570] R13: 00007ffc1a56c28f R14: 00007f2b105889c0 R15: 0000000000000000
[ 38.443870] Kernel Offset: disabled
[ 38.447487] Rebooting in 86400 seconds..