Starting mcstransd:
[....] Starting OpenBSD Secure Shell server: sshd [ ok .
[ 70.329868][ T25] kauditd_printk_skb: 6 callbacks suppressed
[ 70.329879][ T25] audit: type=1800 audit(1563809695.607:33): pid=9678 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 70.358884][ T25] audit: type=1800 audit(1563809695.607:34): pid=9678 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
[....] Starting file context maintaining daemon: restorecond [ ok .
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 73.471128][ T25] audit: type=1400 audit(1563809698.747:35): avc: denied { map } for pid=9857 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.169' (ECDSA) to the list of known hosts.
[ 80.095225][ T25] audit: type=1400 audit(1563809705.367:36): avc: denied { map } for pid=9869 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/07/22 15:35:06 parsed 1 programs
[ 81.116844][ T25] audit: type=1400 audit(1563809706.387:37): avc: denied { map } for pid=9869 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=1132 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/07/22 15:35:08 executed programs: 0
[ 82.884475][ T9884] IPVS: ftp: loaded support on port[0] = 21
[ 82.952114][ T9884] chnl_net:caif_netlink_parms(): no params data found
[ 82.980623][ T9884] bridge0: port 1(bridge_slave_0) entered blocking state
[ 82.987696][ T9884] bridge0: port 1(bridge_slave_0) entered disabled state
[ 82.995658][ T9884] device bridge_slave_0 entered promiscuous mode
[ 83.003655][ T9884] bridge0: port 2(bridge_slave_1) entered blocking state
[ 83.010766][ T9884] bridge0: port 2(bridge_slave_1) entered disabled state
[ 83.018380][ T9884] device bridge_slave_1 entered promiscuous mode
[ 83.036314][ T9884] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 83.047503][ T9884] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 83.066181][ T9884] team0: Port device team_slave_0 added
[ 83.073925][ T9884] team0: Port device team_slave_1 added
[ 83.120976][ T9884] device hsr_slave_0 entered promiscuous mode
[ 83.158929][ T9884] device hsr_slave_1 entered promiscuous mode
[ 83.247382][ T9884] bridge0: port 2(bridge_slave_1) entered blocking state
[ 83.254626][ T9884] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 83.262377][ T9884] bridge0: port 1(bridge_slave_0) entered blocking state
[ 83.269461][ T9884] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 83.304093][ T9884] 8021q: adding VLAN 0 to HW filter on device bond0
[ 83.315696][ T3514] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 83.326465][ T3514] bridge0: port 1(bridge_slave_0) entered disabled state
[ 83.334670][ T3514] bridge0: port 2(bridge_slave_1) entered disabled state
[ 83.343192][ T3514] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 83.356110][ T9884] 8021q: adding VLAN 0 to HW filter on device team0
[ 83.367729][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 83.376174][ T12] bridge0: port 1(bridge_slave_0) entered blocking state
[ 83.383235][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 83.394069][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 83.402638][ T23] bridge0: port 2(bridge_slave_1) entered blocking state
[ 83.409733][ T23] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 83.426592][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 83.444936][ T9884] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 83.455825][ T9884] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 83.467979][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 83.475846][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 83.484345][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 83.493093][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 83.502334][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 83.520657][ T9884] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 83.556080][ T25] audit: type=1400 audit(1563809708.827:38): avc: denied { associate } for pid=9884 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 83.737421][ T9899] debugfs: Directory 'loop0' with parent 'block' already present!
[ 83.850341][ T23] ==================================================================
[ 83.858494][ T23] BUG: KASAN: use-after-free in debugfs_remove+0x10d/0x130
[ 83.865668][ T23] Read of size 8 at addr ffff888090b2eb40 by task kworker/1:1/23
[ 83.873357][ T23]
[ 83.875668][ T23] CPU: 1 PID: 23 Comm: kworker/1:1 Not tainted 5.2.0+ #64
[ 83.882750][ T23] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 83.892792][ T23] Workqueue: events __blk_release_queue
[ 83.898318][ T23] Call Trace:
[ 83.901611][ T23] dump_stack+0x16f/0x1f0
[ 83.905939][ T23] ? debugfs_remove+0x10d/0x130
[ 83.910879][ T23] print_address_description.cold+0xd4/0x306
[ 83.910900][ T23] ? debugfs_remove+0x10d/0x130
[ 83.910918][ T23] ? debugfs_remove+0x10d/0x130
[ 83.910931][ T23] __kasan_report.cold+0x1b/0x36
[ 83.921874][ T23] ? __sanitizer_cov_trace_const_cmp2+0x20/0x20
[ 83.921887][ T23] ? debugfs_remove+0x10d/0x130
[ 83.921906][ T23] kasan_report+0x12/0x17
[ 83.931659][ T23] __asan_report_load8_noabort+0x14/0x20
[ 83.931672][ T23] debugfs_remove+0x10d/0x130
[ 83.931688][ T23] blk_trace_free+0x38/0x140
[ 83.931705][ T23] __blk_trace_remove+0x78/0xa0
[ 83.942758][ T23] blk_trace_shutdown+0x67/0x90
[ 83.942776][ T23] __blk_release_queue+0x1de/0x340
[ 83.942797][ T23] process_one_work+0x9af/0x16d0
[ 83.952733][ T23] ? pwq_dec_nr_in_flight+0x320/0x320
[ 83.952749][ T23] ? lock_acquire+0x190/0x400
[ 83.952774][ T23] worker_thread+0x98/0xe40
[ 83.962002][ T23] ? trace_hardirqs_on+0x67/0x220
[ 83.962035][ T23] kthread+0x361/0x430
[ 83.971708][ T23] ? process_one_work+0x16d0/0x16d0
[ 83.971723][ T23] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 83.971747][ T23] ret_from_fork+0x24/0x30
[ 83.981755][ T23]
[ 83.981764][ T23] Allocated by task 9899:
[ 83.981779][ T23] save_stack+0x23/0x90
[ 83.981798][ T23] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 83.981809][ T23] kasan_slab_alloc+0xf/0x20
[ 83.991906][ T23] kmem_cache_alloc+0x121/0x700
[ 83.991919][ T23] __d_alloc+0x2e/0x8c0
[ 83.991930][ T23] d_alloc+0x4d/0x280
[ 83.991949][ T23] d_alloc_parallel+0xf4/0x1b90
[ 84.001437][ T23] __lookup_slow+0x1ab/0x500
[ 84.001450][ T23] lookup_one_len+0x16d/0x1a0
[ 84.001462][ T23] start_creating+0xc5/0x1d0
[ 84.001479][ T23] __debugfs_create_file+0x65/0x3c0
[ 84.010710][ T23] debugfs_create_file+0x5a/0x70
[ 84.010723][ T23] do_blk_trace_setup+0x361/0xb50
[ 84.010733][ T23] __blk_trace_setup+0xe3/0x190
[ 84.010751][ T23] blk_trace_ioctl+0x170/0x300
[ 84.021376][ T23] blkdev_ioctl+0x126/0x1c1a
[ 84.021389][ T23] block_ioctl+0xee/0x130
[ 84.021401][ T23] do_vfs_ioctl+0xdb6/0x13e0
[ 84.021417][ T23] ksys_ioctl+0xab/0xd0
[ 84.028041][ T23] __x64_sys_ioctl+0x73/0xb0
[ 84.028067][ T23] do_syscall_64+0xfd/0x6a0
[ 84.037815][ T23] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 84.037825][ T23]
[ 84.047229][ T23] Freed by task 0:
[ 84.047248][ T23] save_stack+0x23/0x90
[ 84.055348][ T23] __kasan_slab_free+0x102/0x150
[ 84.055366][ T23] kasan_slab_free+0xe/0x10
[ 84.064762][ T23] kmem_cache_free+0x86/0x310
[ 84.064780][ T23] __d_free+0x20/0x30
[ 84.074016][ T23] rcu_core+0x66a/0x1470
[ 84.074033][ T23] rcu_core_si+0x9/0x10
[ 84.084140][ T23] __do_softirq+0x30d/0x970
[ 84.084151][ T23]
[ 84.094008][ T23] The buggy address belongs to the object at ffff888090b2eb00
[ 84.094008][ T23] which belongs to the cache dentry(17:syz0) of size 288
[ 84.094026][ T23] The buggy address is located 64 bytes inside of
[ 84.094026][ T23] 288-byte region [ffff888090b2eb00, ffff888090b2ec20)
[ 84.103341][ T23] The buggy address belongs to the page:
[ 84.103358][ T23] page:ffffea000242cb80 refcount:1 mapcount:0 mapping:ffff88809bb861c0 index:0x0
[ 84.112239][ T23] flags: 0x1fffc0000000200(slab)
[ 84.112270][ T23] raw: 01fffc0000000200 ffffea00023a04c8 ffffea0002699e48 ffff88809bb861c0
[ 84.112283][ T23] raw: 0000000000000000 ffff888090b2e000 000000010000000b 0000000000000000
[ 84.112289][ T23] page dumped because: kasan: bad access detected
[ 84.112292][ T23]
[ 84.112296][ T23] Memory state around the buggy address:
[ 84.112310][ T23] ffff888090b2ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 84.266197][ T23] ffff888090b2ea80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 84.274260][ T23] >ffff888090b2eb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 84.282344][ T23] ^
[ 84.288490][ T23] ffff888090b2eb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 84.296541][ T23] ffff888090b2ec00: fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb
[ 84.304724][ T23] ==================================================================
[ 84.312772][ T23] Disabling lock debugging due to kernel taint
[ 84.319855][ T23] Kernel panic - not syncing: panic_on_warn set ...
[ 84.326460][ T23] CPU: 1 PID: 23 Comm: kworker/1:1 Tainted: G B 5.2.0+ #64
[ 84.334953][ T23] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 84.345014][ T23] Workqueue: events __blk_release_queue
[ 84.350584][ T23] Call Trace:
[ 84.353892][ T23] dump_stack+0x16f/0x1f0
[ 84.358224][ T23] panic+0x2dc/0x755
[ 84.360225][ T9907] kobject: 'integrity' (000000004ec0c078): kobject_uevent_env
[ 84.362120][ T23] ? add_taint.cold+0x16/0x16
[ 84.362148][ T23] ? trace_hardirqs_on+0x5e/0x220
[ 84.369623][ T9907] kobject: 'integrity' (000000004ec0c078): kobject_uevent_env: filter function caused the event to drop!
[ 84.374266][ T23] ? trace_hardirqs_on+0x5e/0x220
[ 84.379340][ T9907] kobject: 'integrity' (000000004ec0c078): kobject_cleanup, parent 00000000737eb797
[ 84.390487][ T23] ? debugfs_remove+0x10d/0x130
[ 84.390501][ T23] end_report+0x47/0x4f
[ 84.390517][ T23] ? debugfs_remove+0x10d/0x130
[ 84.395533][ T9907] kobject: 'integrity' (000000004ec0c078): does not have a release() function, it is broken and must be fixed. See Documentation/kobject.txt.
[ 84.404889][ T23] __kasan_report.cold+0xe/0x36
[ 84.404906][ T23] ? __sanitizer_cov_trace_const_cmp2+0x20/0x20
[ 84.404923][ T23] ? debugfs_remove+0x10d/0x130
[ 84.409774][ T9907] kobject: 'integrity': free name
[ 84.413892][ T23] kasan_report+0x12/0x17
[ 84.458301][ T23] __asan_report_load8_noabort+0x14/0x20
[ 84.463911][ T23] debugfs_remove+0x10d/0x130
[ 84.468664][ T23] blk_trace_free+0x38/0x140
[ 84.473237][ T23] __blk_trace_remove+0x78/0xa0
[ 84.478074][ T23] blk_trace_shutdown+0x67/0x90
[ 84.482961][ T23] __blk_release_queue+0x1de/0x340
[ 84.488065][ T23] process_one_work+0x9af/0x16d0
[ 84.492982][ T23] ? pwq_dec_nr_in_flight+0x320/0x320
[ 84.498874][ T23] ? lock_acquire+0x190/0x400
[ 84.503530][ T23] worker_thread+0x98/0xe40
[ 84.508036][ T23] ? trace_hardirqs_on+0x67/0x220
[ 84.513041][ T23] kthread+0x361/0x430
[ 84.517103][ T23] ? process_one_work+0x16d0/0x16d0
[ 84.522310][ T23] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 84.528569][ T23] ret_from_fork+0x24/0x30
[ 84.533880][ T23] Kernel Offset: disabled
[ 84.538199][ T23] Rebooting in 86400 seconds..