[ ok ] Starting enhanced syslogd: rsyslogd.
[ 52.019428][ T26] audit: type=1800 audit(1561327244.413:25): pid=8323 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 52.061865][ T26] audit: type=1800 audit(1561327244.413:26): pid=8323 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 52.112498][ T26] audit: type=1800 audit(1561327244.413:27): pid=8323 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.129' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program

syzkaller login: [ 62.072910][ T3490] ==================================================================
[ 62.081208][ T3490] BUG: KASAN: use-after-free in debugfs_remove+0x10d/0x130
[ 62.081231][ T3490] Read of size 8 at addr ffff8880aa01c340 by task kworker/1:2/3490
[ 62.081234][ T3490]
[ 62.081248][ T3490] CPU: 1 PID: 3490 Comm: kworker/1:2 Not tainted 5.2.0-rc5+ #39
[ 62.096689][ T3490] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.096708][ T3490] Workqueue: events __blk_release_queue
[ 62.096714][ T3490] Call Trace:
[ 62.096734][ T3490]  dump_stack+0x172/0x1f0
[ 62.096747][ T3490]  ? debugfs_remove+0x10d/0x130
[ 62.096765][ T3490]  print_address_description.cold+0x7c/0x20d
[ 62.096781][ T3490]  ? debugfs_remove+0x10d/0x130
[ 62.106722][ T3490]  ? debugfs_remove+0x10d/0x130
[ 62.106737][ T3490]  __kasan_report.cold+0x1b/0x40
[ 62.106754][ T3490]  ? __sanitizer_cov_trace_cmp1+0x10/0x20
[ 62.106765][ T3490]  ? debugfs_remove+0x10d/0x130
[ 62.106782][ T3490]  kasan_report+0x12/0x20
[ 62.122346][ T3490]  __asan_report_load8_noabort+0x14/0x20
[ 62.122359][ T3490]  debugfs_remove+0x10d/0x130
[ 62.122376][ T3490]  blk_trace_free+0x38/0x140
[ 62.122393][ T3490]  __blk_trace_remove+0x78/0xa0
[ 62.129987][ T3490]  blk_trace_shutdown+0x67/0x90
[ 62.130009][ T3490]  __blk_release_queue+0x1d6/0x330
[ 62.140821][ T3490]  process_one_work+0x989/0x1790
[ 62.150494][ T3490]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 62.150511][ T3490]  ? lock_acquire+0x16f/0x3f0
[ 62.161150][ T3490]  worker_thread+0x98/0xe40
[ 62.161167][ T3490]  ? trace_hardirqs_on+0x67/0x220
[ 62.170324][ T3490]  kthread+0x354/0x420
[ 62.170342][ T3490]  ? process_one_work+0x1790/0x1790
[ 62.180606][ T3490]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 62.180623][ T3490]  ret_from_fork+0x24/0x30
[ 62.180640][ T3490]
[ 62.190137][ T3490] Allocated by task 8480:
[ 62.190153][ T3490]  save_stack+0x23/0x90
[ 62.190169][ T3490]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 62.205020][ T3490]  kasan_slab_alloc+0xf/0x20
[ 62.205030][ T3490]  kmem_cache_alloc+0x11a/0x6f0
[ 62.205047][ T3490]  __d_alloc+0x2e/0x8c0
[ 62.205056][ T3490]  d_alloc+0x4d/0x280
[ 62.215150][ T3490]  d_alloc_parallel+0xf4/0x1bb0
[ 62.215162][ T3490]  __lookup_slow+0x1ab/0x500
[ 62.215172][ T3490]  lookup_one_len+0x16d/0x1a0
[ 62.215184][ T3490]  start_creating+0xbf/0x1e0
[ 62.215195][ T3490]  __debugfs_create_file+0x65/0x3d0
[ 62.215205][ T3490]  debugfs_create_file+0x5a/0x70
[ 62.215218][ T3490]  do_blk_trace_setup+0x376/0xb90
[ 62.215229][ T3490]  __blk_trace_setup+0xe3/0x190
[ 62.215244][ T3490]  blk_trace_ioctl+0x170/0x300
[ 62.220035][ T8483] kobject: 'mq' (000000007187569e): kobject_uevent_env
[ 62.224728][ T3490]  blkdev_ioctl+0x126/0x1c10
[ 62.224738][ T3490]  block_ioctl+0xee/0x130
[ 62.224747][ T3490]  do_vfs_ioctl+0xd5f/0x1380
[ 62.224757][ T3490]  ksys_ioctl+0xab/0xd0
[ 62.224767][ T3490]  __x64_sys_ioctl+0x73/0xb0
[ 62.224780][ T3490]  do_syscall_64+0xfd/0x680
[ 62.224799][ T3490]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.229002][ T8483] kobject: 'mq' (000000007187569e): kobject_uevent_env: filter function caused the event to drop!
[ 62.233999][ T3490]
[ 62.234006][ T3490] Freed by task 0:
[ 62.234021][ T3490]  save_stack+0x23/0x90
[ 62.234032][ T3490]  __kasan_slab_free+0x102/0x150
[ 62.234043][ T3490]  kasan_slab_free+0xe/0x10
[ 62.234053][ T3490]  kmem_cache_free+0x86/0x260
[ 62.234063][ T3490]  __d_free+0x20/0x30
[ 62.234076][ T3490]  rcu_core+0xba5/0x1500
[ 62.234096][ T3490]  __do_softirq+0x25c/0x94c
[ 62.240622][ T8483] kobject: '0' (000000006f703568): kobject_add_internal: parent: 'mq', set: ''
[ 62.244786][ T3490]
[ 62.244797][ T3490] The buggy address belongs to the object at ffff8880aa01c300
[ 62.244797][ T3490]  which belongs to the cache dentry of size 288
[ 62.244808][ T3490] The buggy address is located 64 bytes inside of
[ 62.244808][ T3490]  288-byte region [ffff8880aa01c300, ffff8880aa01c420)
[ 62.244812][ T3490] The buggy address belongs to the page:
[ 62.244826][ T3490] page:ffffea0002a80700 refcount:1 mapcount:0 mapping:ffff88821bc48200 index:0x0
[ 62.244837][ T3490] flags: 0x1fffc0000000200(slab)
[ 62.244858][ T3490] raw: 01fffc0000000200 ffffea0002221ac8 ffffea0002221b48 ffff88821bc48200
[ 62.247421][ T8483] kobject: 'cpu0' (000000002a518fa8): kobject_add_internal: parent: '0', set: ''
[ 62.251480][ T3490] raw: 0000000000000000 ffff8880aa01c040 000000010000000b 0000000000000000
[ 62.251486][ T3490] page dumped because: kasan: bad access detected
[ 62.251489][ T3490]
[ 62.251498][ T3490] Memory state around the buggy address:
[ 62.255922][ T8483] kobject: 'cpu1' (00000000a71e6443): kobject_add_internal: parent: '0', set: ''
[ 62.261290][ T3490]  ffff8880aa01c200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 62.261300][ T3490]  ffff8880aa01c280: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 62.261315][ T3490] >ffff8880aa01c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.267274][ T8483] kobject: 'queue' (00000000eb674405): kobject_uevent_env
[ 62.270717][ T3490]                                            ^
[ 62.270730][ T3490]  ffff8880aa01c380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.270744][ T3490]  ffff8880aa01c400: fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb
[ 62.277987][ T8483] kobject: 'queue' (00000000eb674405): kobject_uevent_env: filter function caused the event to drop!
[ 62.278834][ T3490] ==================================================================
[ 62.278840][ T3490] Disabling lock debugging due to kernel taint
[ 62.291812][ T3490] Kernel panic - not syncing: panic_on_warn set ...
[ 62.294712][ T8483] kobject: 'iosched' (00000000fe4d8b90): kobject_add_internal: parent: 'queue', set: ''
[ 62.297546][ T3490] CPU: 1 PID: 3490 Comm: kworker/1:2 Tainted: G B 5.2.0-rc5+ #39
[ 62.297558][ T3490] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.303108][ T8483] kobject: 'iosched' (00000000fe4d8b90): kobject_uevent_env
[ 62.307656][ T3490] Workqueue: events __blk_release_queue
[ 62.312998][ T8483] kobject: 'iosched' (00000000fe4d8b90): kobject_uevent_env: filter function caused the event to drop!
[ 62.317481][ T3490] Call Trace:
[ 62.317500][ T3490]  dump_stack+0x172/0x1f0
[ 62.317520][ T3490]  panic+0x2cb/0x744
[ 62.322585][ T8483] kobject: 'integrity' (0000000019201aa7): kobject_add_internal: parent: 'loop0', set: ''
[ 62.329101][ T3490]  ? __warn_printk+0xf3/0xf3
[ 62.329118][ T3490]  ? debugfs_remove+0x10d/0x130
[ 62.334078][ T8483] kobject: 'integrity' (0000000019201aa7): kobject_uevent_env
[ 62.337990][ T3490]  ? preempt_schedule+0x4b/0x60
[ 62.338009][ T3490]  ? ___preempt_schedule+0x16/0x18
[ 62.342851][ T8483] kobject: 'integrity' (0000000019201aa7): kobject_uevent_env: filter function caused the event to drop!
[ 62.346727][ T3490]  ? trace_hardirqs_on+0x5e/0x220
[ 62.346744][ T3490]  ? debugfs_remove+0x10d/0x130
[ 62.725514][ T3490]  end_report+0x47/0x4f
[ 62.729655][ T3490]  ? debugfs_remove+0x10d/0x130
[ 62.734486][ T3490]  __kasan_report.cold+0xe/0x40
[ 62.739329][ T3490]  ? __sanitizer_cov_trace_cmp1+0x10/0x20
[ 62.745114][ T3490]  ? debugfs_remove+0x10d/0x130
[ 62.749954][ T3490]  kasan_report+0x12/0x20
[ 62.754264][ T3490]  __asan_report_load8_noabort+0x14/0x20
[ 62.759873][ T3490]  debugfs_remove+0x10d/0x130
[ 62.764617][ T3490]  blk_trace_free+0x38/0x140
[ 62.769187][ T3490]  __blk_trace_remove+0x78/0xa0
[ 62.774017][ T3490]  blk_trace_shutdown+0x67/0x90
[ 62.779020][ T3490]  __blk_release_queue+0x1d6/0x330
[ 62.784116][ T3490]  process_one_work+0x989/0x1790
[ 62.789042][ T3490]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 62.794400][ T3490]  ? lock_acquire+0x16f/0x3f0
[ 62.799133][ T3490]  worker_thread+0x98/0xe40
[ 62.803614][ T3490]  ? trace_hardirqs_on+0x67/0x220
[ 62.808620][ T3490]  kthread+0x354/0x420
[ 62.812674][ T3490]  ? process_one_work+0x1790/0x1790
[ 62.817851][ T3490]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 62.824072][ T3490]  ret_from_fork+0x24/0x30
[ 62.830137][ T3490] Kernel Offset: disabled
[ 62.834467][ T3490] Rebooting in 86400 seconds..