[info] Using makefile-style concurrent boot in runlevel 2.
[ 25.157833] audit: type=1800 audit(1543716596.514:21): pid=5809 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="bootlogs" dev="sda1" ino=2419 res=0
[ 25.184862] audit: type=1800 audit(1543716596.514:22): pid=5809 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="motd" dev="sda1" ino=2447 res=0
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 30.374074] sshd (5946) used greatest stack depth: 15744 bytes left
Warning: Permanently added '10.128.10.6' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
[ 37.275889] ==================================================================
[ 37.283316] BUG: KASAN: use-after-free in debugfs_remove+0x10b/0x130
[ 37.289785] Read of size 8 at addr ffff8881b6a51bc0 by task kworker/0:2/2931
[ 37.296941]
[ 37.298548] CPU: 0 PID: 2931 Comm: kworker/0:2 Not tainted 4.20.0-rc4+ #358
[ 37.305617] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.314965] Workqueue: events __blk_release_queue
[ 37.319779] Call Trace:
[ 37.322357]  dump_stack+0x244/0x39d
[ 37.325992]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 37.331157]  ? printk+0xa7/0xcf
[ 37.334429]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 37.339181]  print_address_description.cold.7+0x9/0x1ff
[ 37.344523]  kasan_report.cold.8+0x242/0x309
[ 37.348906]  ? debugfs_remove+0x10b/0x130
[ 37.353031]  __asan_report_load8_noabort+0x14/0x20
[ 37.357937]  debugfs_remove+0x10b/0x130
[ 37.362065]  blk_trace_free+0x35/0x130
[ 37.365943]  __blk_trace_remove+0x7a/0xa0
[ 37.370067]  blk_trace_shutdown+0x63/0x80
[ 37.374196]  __blk_release_queue+0x235/0x510
[ 37.378608]  process_one_work+0xc90/0x1c40
[ 37.382886]  ? mark_held_locks+0x130/0x130
[ 37.387112]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 37.391770]  ? __switch_to_asm+0x40/0x70
[ 37.395834]  ? __switch_to_asm+0x34/0x70
[ 37.399873]  ? __switch_to_asm+0x40/0x70
[ 37.403910]  ? __switch_to_asm+0x34/0x70
[ 37.407945]  ? __switch_to_asm+0x40/0x70
[ 37.412041]  ? __switch_to_asm+0x34/0x70
[ 37.416112]  ? __switch_to_asm+0x40/0x70
[ 37.420163]  ? __switch_to_asm+0x34/0x70
[ 37.424200]  ? __switch_to_asm+0x40/0x70
[ 37.428240]  ? __schedule+0x8d7/0x21d0
[ 37.432137]  ? lock_downgrade+0x900/0x900
[ 37.436267]  ? zap_class+0x640/0x640
[ 37.439961]  ? find_held_lock+0x36/0x1c0
[ 37.444034]  ? lock_acquire+0x1ed/0x520
[ 37.447987]  ? worker_thread+0x3e0/0x1390
[ 37.452133]  ? kasan_check_read+0x11/0x20
[ 37.456274]  ? do_raw_spin_lock+0x14f/0x350
[ 37.460574]  ? kasan_check_read+0x11/0x20
[ 37.464698]  ? rwlock_bug.part.2+0x90/0x90
[ 37.468910]  ? trace_hardirqs_on+0x310/0x310
[ 37.473300]  worker_thread+0x17f/0x1390
[ 37.477249]  ? __switch_to_asm+0x34/0x70
[ 37.481310]  ? process_one_work+0x1c40/0x1c40
[ 37.485806]  ? zap_class+0x640/0x640
[ 37.489535]  ? find_held_lock+0x36/0x1c0
[ 37.493580]  ? __kthread_parkme+0xce/0x1a0
[ 37.497790]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 37.502872]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 37.507954]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[ 37.512514]  ? trace_hardirqs_on+0xbd/0x310
[ 37.516821]  ? kasan_check_read+0x11/0x20
[ 37.516836]  ? __kthread_parkme+0xce/0x1a0
[ 37.516849]  ? trace_hardirqs_off_caller+0x310/0x310
[ 37.525302]  ? trace_hardirqs_off_caller+0x310/0x310
[ 37.525322]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 37.525353]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 37.525366]  ? __kthread_parkme+0xfb/0x1a0
[ 37.525381]  ? process_one_work+0x1c40/0x1c40
[ 37.525433]  kthread+0x35a/0x440
[ 37.525448]  ? kthread_stop+0x900/0x900
[ 37.535676]  ret_from_fork+0x3a/0x50
[ 37.535696]
[ 37.535702] Allocated by task 5965:
[ 37.535715]  save_stack+0x43/0xd0
[ 37.535730]  kasan_kmalloc+0xc7/0xe0
[ 37.535756]  kasan_slab_alloc+0x12/0x20
[ 37.535782]  kmem_cache_alloc+0x12e/0x730
[ 37.546477]  __d_alloc+0xc8/0xb90
[ 37.546488]  d_alloc+0x96/0x380
[ 37.546499]  d_alloc_parallel+0x15a/0x1f40
[ 37.546512]  __lookup_slow+0x1e6/0x540
[ 37.546538]  lookup_one_len+0x1d8/0x220
[ 37.546549]  start_creating+0xc6/0x200
[ 37.546563]  __debugfs_create_file+0x63/0x400
[ 37.555278]  debugfs_create_file+0x57/0x70
[ 37.555290]  do_blk_trace_setup+0x45d/0xdb0
[ 37.555301]  __blk_trace_setup+0xd5/0x180
[ 37.555312]  blk_trace_ioctl+0x17a/0x2f0
[ 37.555325]  blkdev_ioctl+0x9e9/0x21b0
[ 37.555353]  block_ioctl+0xee/0x130
[ 37.562806]  do_vfs_ioctl+0x1de/0x1790
[ 37.562819]  ksys_ioctl+0xa9/0xd0
[ 37.568158]  __x64_sys_ioctl+0x73/0xb0
[ 37.593820]  do_syscall_64+0x1b9/0x820
[ 37.601927]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.609750]
[ 37.614259] kobject: 'slaves' (00000000689664f7): kobject_add_internal: parent: 'loop0', set: ''
[ 37.618453] Freed by task 0:
[ 37.618467]  save_stack+0x43/0xd0
[ 37.618480]  __kasan_slab_free+0x102/0x150
[ 37.618492]  kasan_slab_free+0xe/0x10
[ 37.618504]  kmem_cache_free+0x83/0x290
[ 37.618515]  __d_free+0x20/0x30
[ 37.618530]  rcu_process_callbacks+0x100a/0x1ac0
[ 37.625337] kobject: 'loop0' (000000009adfb848): kobject_uevent_env
[ 37.627007]  __do_softirq+0x308/0xb7e
[ 37.631066] kobject: 'loop0' (000000009adfb848): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 37.634942]
[ 37.634955] The buggy address belongs to the object at ffff8881b6a51b80
[ 37.634955]  which belongs to the cache dentry of size 288
[ 37.643052] kobject: 'queue' (00000000d475bda4): kobject_add_internal: parent: 'loop0', set: ''
[ 37.645892] The buggy address is located 64 bytes inside of
[ 37.645892]  288-byte region [ffff8881b6a51b80, ffff8881b6a51ca0)
[ 37.645896] The buggy address belongs to the page:
[ 37.645908] page:ffffea0006da9440 count:1 mapcount:0 mapping:ffff8881da980c80 index:0x0
[ 37.645918] flags: 0x2fffc0000000200(slab)
[ 37.645935] raw: 02fffc0000000200 ffffea0006da8448 ffffea0006da94c8 ffff8881da980c80
[ 37.645949] raw: 0000000000000000 ffff8881b6a51080 000000010000000b 0000000000000000
[ 37.645954] page dumped because: kasan: bad access detected
[ 37.645962]
[ 37.645965] Memory state around the buggy address:
[ 37.645975]  ffff8881b6a51a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.654973] kobject: 'mq' (00000000a3db6337): kobject_add_internal: parent: 'loop0', set: ''
[ 37.659017]  ffff8881b6a51b00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 37.659028] >ffff8881b6a51b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.659033]                                            ^
[ 37.659043]  ffff8881b6a51c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.659053]  ffff8881b6a51c80: fb fb fb fb fc fc fc fc fc fc fc fc 00 00 00 00
[ 37.659058] ==================================================================
[ 37.659062] Disabling lock debugging due to kernel taint
[ 37.659951] Kernel panic - not syncing: panic_on_warn set ...
[ 37.866333] CPU: 0 PID: 2931 Comm: kworker/0:2 Tainted: G B 4.20.0-rc4+ #358
[ 37.874813] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.884184] Workqueue: events __blk_release_queue
[ 37.889012] Call Trace:
[ 37.891591]  dump_stack+0x244/0x39d
[ 37.895214]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 37.900443]  panic+0x2ad/0x55c
[ 37.903624]  ? add_taint.cold.5+0x16/0x16
[ 37.907778]  ? preempt_schedule+0x4d/0x60
[ 37.911933]  ? ___preempt_schedule+0x16/0x18
[ 37.916350]  ? trace_hardirqs_on+0xb4/0x310
[ 37.920664]  kasan_end_report+0x47/0x4f
[ 37.924691]  kasan_report.cold.8+0x76/0x309
[ 37.929130]  ? debugfs_remove+0x10b/0x130
[ 37.933306]  __asan_report_load8_noabort+0x14/0x20
[ 37.938263]  debugfs_remove+0x10b/0x130
[ 37.942262]  blk_trace_free+0x35/0x130
[ 37.946172]  __blk_trace_remove+0x7a/0xa0
[ 37.950360]  blk_trace_shutdown+0x63/0x80
[ 37.954512]  __blk_release_queue+0x235/0x510
[ 37.958943]  process_one_work+0xc90/0x1c40
[ 37.963184]  ? mark_held_locks+0x130/0x130
[ 37.967435]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 37.972096]  ? __switch_to_asm+0x40/0x70
[ 37.976196]  ? __switch_to_asm+0x34/0x70
[ 37.980241]  ? __switch_to_asm+0x40/0x70
[ 37.984303]  ? __switch_to_asm+0x34/0x70
[ 37.988352]  ? __switch_to_asm+0x40/0x70
[ 37.992398]  ? __switch_to_asm+0x34/0x70
[ 37.996455]  ? __switch_to_asm+0x40/0x70
[ 38.000503]  ? __switch_to_asm+0x34/0x70
[ 38.004578]  ? __switch_to_asm+0x40/0x70
[ 38.008649]  ? __schedule+0x8d7/0x21d0
[ 38.012567]  ? lock_downgrade+0x900/0x900
[ 38.016724]  ? zap_class+0x640/0x640
[ 38.020435]  ? find_held_lock+0x36/0x1c0
[ 38.024512]  ? lock_acquire+0x1ed/0x520
[ 38.028479]  ? worker_thread+0x3e0/0x1390
[ 38.032662]  ? kasan_check_read+0x11/0x20
[ 38.036818]  ? do_raw_spin_lock+0x14f/0x350
[ 38.041139]  ? kasan_check_read+0x11/0x20
[ 38.045288]  ? rwlock_bug.part.2+0x90/0x90
[ 38.049527]  ? trace_hardirqs_on+0x310/0x310
[ 38.053940]  worker_thread+0x17f/0x1390
[ 38.057947]  ? __switch_to_asm+0x34/0x70
[ 38.062027]  ? process_one_work+0x1c40/0x1c40
[ 38.066518]  ? zap_class+0x640/0x640
[ 38.070220]  ? find_held_lock+0x36/0x1c0
[ 38.074279]  ? __kthread_parkme+0xce/0x1a0
[ 38.078504]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 38.083592]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 38.088689]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[ 38.093290]  ? trace_hardirqs_on+0xbd/0x310
[ 38.097600]  ? kasan_check_read+0x11/0x20
[ 38.101738]  ? __kthread_parkme+0xce/0x1a0
[ 38.105966]  ? trace_hardirqs_off_caller+0x310/0x310
[ 38.111055]  ? trace_hardirqs_off_caller+0x310/0x310
[ 38.116151]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 38.121243]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 38.126801]  ? __kthread_parkme+0xfb/0x1a0
[ 38.131028]  ? process_one_work+0x1c40/0x1c40
[ 38.135526]  kthread+0x35a/0x440
[ 38.138895]  ? kthread_stop+0x900/0x900
[ 38.142855]  ret_from_fork+0x3a/0x50
[ 38.147548] Kernel Offset: disabled
[ 38.151170] Rebooting in 86400 seconds..