[ 466.048754] devpts: called with bogus options [ 466.056443] devpts: called with bogus options [ 466.090227] devpts: called with bogus options [ 466.107901] devpts: called with bogus options [ 466.133284] devpts: called with bogus options [ 466.138765] devpts: called with bogus options [ 466.151855] devpts: called with bogus options [ 466.253444] devpts: called with bogus options [ 466.286070] devpts: called with bogus options [ 466.332808] devpts: called with bogus options [ 466.455673] devpts: called with bogus options [ 466.474665] devpts: called with bogus options [ 466.489840] devpts: called with bogus options [ 466.503908] devpts: called with bogus options [ 466.565362] devpts: called with bogus options [ 466.593675] devpts: called with bogus options [ 466.605895] devpts: called with bogus options [ 466.642807] devpts: called with bogus options [ 466.743267] devpts: called with bogus options [ 466.780708] devpts: called with bogus options [ 466.824849] devpts: called with bogus options [ 466.834397] devpts: called with bogus options [ 466.861866] devpts: called with bogus options [ 466.887500] devpts: called with bogus options [ 466.948901] devpts: called with bogus options [ 466.963626] devpts: called with bogus options [ 466.968692] devpts: called with bogus options [ 466.982613] devpts: called with bogus options [ 467.026795] devpts: called with bogus options [ 467.070332] devpts: called with bogus options [ 467.086689] devpts: called with bogus options [ 467.135941] devpts: called with bogus options [ 467.142002] devpts: called with bogus options [ 467.183303] devpts: called with bogus options [ 467.276957] devpts: called with bogus options [ 467.293730] devpts: called with bogus options [ 467.393267] devpts: called with bogus options [ 467.405095] devpts: called with bogus options [ 467.406955] devpts: called with bogus options [ 467.417736] devpts: called with bogus options [ 467.424577] devpts: called with bogus options [ 467.434249] devpts: called with bogus options [ 467.441226] devpts: called with bogus options [ 467.599016] devpts: called with bogus options [ 467.600302] devpts: called with bogus options [ 467.707320] devpts: called with bogus options [ 467.723530] devpts: called with bogus options [ 467.764570] devpts: called with bogus options [ 467.878976] devpts: called with bogus options [ 467.898037] devpts: called with bogus options [ 467.905680] devpts: called with bogus options [ 467.913318] devpts: called with bogus options [ 470.871419] device bridge_slave_1 left promiscuous mode [ 470.877510] bridge0: port 2(bridge_slave_1) entered disabled state [ 470.943184] device bridge_slave_0 left promiscuous mode [ 470.948809] bridge0: port 1(bridge_slave_0) entered disabled state [ 471.054886] device hsr_slave_1 left promiscuous mode [ 471.142829] device hsr_slave_0 left promiscuous mode [ 471.194437] team0 (unregistering): Port device team_slave_1 removed [ 471.204057] team0 (unregistering): Port device team_slave_0 removed [ 471.215146] bond0 (unregistering): Releasing backup interface bond_slave_1 [ 471.262983] bond0 (unregistering): Releasing backup interface bond_slave_0 [ 471.362732] bond0 (unregistering): Released all slaves Warning: Permanently added '10.128.10.17' (ECDSA) to the list of known hosts. [ 471.586557] devpts: called with bogus options [ 471.775986] devpts: called with bogus options [ 471.787091] devpts: called with bogus options [ 471.796400] devpts: called with bogus options [ 471.807707] devpts: called with bogus options [ 471.815565] devpts: called with bogus options [ 471.826765] devpts: called with bogus options [ 471.834724] devpts: called with bogus options [ 471.845961] devpts: called with bogus options [ 471.854784] devpts: called with bogus options [ 471.865624] devpts: called with bogus options [ 471.873481] devpts: called with bogus options [ 471.885662] devpts: called with bogus options [ 471.893505] devpts: called with bogus options [ 471.901471] devpts: called with bogus options [ 471.909200] devpts: called with bogus options [ 471.922524] ================================================================== [ 471.930109] BUG: KASAN: use-after-free in debugfs_remove+0xda/0x100 [ 471.936681] Read of size 8 at addr ffff8880883e9340 by task kworker/1:2/2680 [ 471.943854] [ 471.945485] CPU: 1 PID: 2680 Comm: kworker/1:2 Not tainted 4.14.160-syzkaller #0 [ 471.953005] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 471.962413] Workqueue: events __blk_release_queue [ 471.967452] Call Trace: [ 471.970093] dump_stack+0xf7/0x13b [ 471.973627] ? debugfs_remove+0xda/0x100 [ 471.977678] print_address_description.cold.7+0x9/0x1c9 [ 471.983035] ? debugfs_remove+0xda/0x100 [ 471.987085] kasan_report.cold.8+0x11a/0x2d3 [ 471.991486] __asan_report_load8_noabort+0x14/0x20 [ 471.996431] debugfs_remove+0xda/0x100 [ 472.000329] blk_trace_free+0x30/0x130 [ 472.004215] blk_trace_remove+0x42/0x70 [ 472.008180] blk_trace_shutdown+0x42/0x50 [ 472.012329] __blk_release_queue+0x1f9/0x470 [ 472.017008] process_one_work+0x79e/0x16c0 [ 472.021239] ? pwq_dec_nr_in_flight+0x2b0/0x2b0 [ 472.025903] worker_thread+0xcc/0xee0 [ 472.029703] kthread+0x338/0x400 [ 472.033104] ? process_one_work+0x16c0/0x16c0 [ 472.037590] ? kthread_create_on_node+0xa0/0xa0 [ 472.042935] ret_from_fork+0x24/0x30 [ 472.042952] [ 472.042979] Allocated by task 12769: [ 472.042987] save_stack_trace+0x16/0x20 [ 472.042992] save_stack+0x43/0xd0 [ 472.042994] kasan_kmalloc+0xc7/0xe0 [ 472.042998] kasan_slab_alloc+0x12/0x20 [ 472.043002] kmem_cache_alloc+0x12e/0x790 [ 472.043007] __d_alloc+0x28/0x9f0 [ 472.043010] d_alloc+0x43/0x260 [ 472.043015] __lookup_hash+0x40/0x160 [ 472.043018] lookup_one_len+0x26e/0x3a0 [ 472.043024] start_creating+0x91/0x190 [ 472.063431] __debugfs_create_file+0x37/0x390 [ 472.094358] debugfs_create_file+0x24/0x30 [ 472.098585] do_blk_trace_setup+0x2fe/0xb10 [ 472.102911] blk_trace_setup+0xa8/0x110 [ 472.102916] blk_trace_ioctl+0x136/0x230 [ 472.110968] blkdev_ioctl+0x6a0/0x16a0 [ 472.110973] block_ioctl+0xd7/0x130 [ 472.110978] do_vfs_ioctl+0x180/0xfb0 [ 472.110981] SyS_ioctl+0x74/0x80 [ 472.110986] do_syscall_64+0x1c7/0x5b0 [ 472.110991] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 472.110994] [ 472.110997] Freed by task 17: [ 472.111002] save_stack_trace+0x16/0x20 [ 472.111007] save_stack+0x43/0xd0 [ 472.111011] kasan_slab_free+0x71/0xc0 [ 472.134687] kmem_cache_free+0x80/0x2d0 [ 472.139390] __d_free+0x17/0x20 [ 472.158206] rcu_process_callbacks+0x7e0/0x11e0 [ 472.162936] __do_softirq+0x246/0x9b0 [ 472.162939] [ 472.168391] The buggy address belongs to the object at ffff8880883e9300 [ 472.168391] which belongs to the cache dentry of size 288 [ 472.181009] The buggy address is located 64 bytes inside of [ 472.181009] 288-byte region [ffff8880883e9300, ffff8880883e9420) [ 472.181013] The buggy address belongs to the page: [ 472.181018] page:ffffea000220fa40 count:1 mapcount:0 mapping:ffff8880883e9040 index:0xffff8880883e9720 [ 472.181023] flags: 0x1fffc0000000100(slab) [ 472.181029] raw: 01fffc0000000100 ffff8880883e9040 ffff8880883e9720 000000010000000a [ 472.181033] raw: ffffea00029140e0 ffffea0000c47ce0 ffff88821f8b5680 0000000000000000 [ 472.181035] page dumped because: kasan: bad access detected [ 472.181036] [ 472.181038] Memory state around the buggy address: [ 472.181041] ffff8880883e9200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 472.181044] ffff8880883e9280: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 472.181047] >ffff8880883e9300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 472.181049] ^ [ 472.181052] ffff8880883e9380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 472.181055] ffff8880883e9400: fb fb fb fb fc fc fc fc fc fc fc fc 00 00 00 00 [ 472.181057] ================================================================== [ 472.181059] Disabling lock debugging due to kernel taint [ 472.188700] Kernel panic - not syncing: panic_on_warn set ... [ 472.188700] [ 472.200829] devpts: called with bogus options [ 472.207264] CPU: 1 PID: 2680 Comm: kworker/1:2 Tainted: G B 4.14.160-syzkaller #0 [ 472.212248] kobject: 'mq' (ffff8880a189ea18): kobject_add_internal: parent: 'loop0', set: '' [ 472.219352] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 472.227365] kobject: 'mq' (ffff8880a189ea18): kobject_uevent_env [ 472.232926] Workqueue: events __blk_release_queue [ 472.232930] Call Trace: [ 472.232940] dump_stack+0xf7/0x13b [ 472.232947] ? debugfs_remove+0xda/0x100 [ 472.232952] panic+0x1b0/0x358 [ 472.234582] kobject: 'mq' (ffff8880a189ea18): kobject_uevent_env: filter function caused the event to drop! [ 472.239478] ? add_taint.cold.5+0x11/0x11 [ 472.246959] kobject: '0' (ffff8880a197b428): kobject_add_internal: parent: 'mq', set: '' [ 472.254181] ? ___preempt_schedule+0x16/0x18 [ 472.254189] ? debugfs_remove+0xda/0x100 [ 472.254195] kasan_end_report+0x47/0x4f [ 472.254199] kasan_report.cold.8+0x76/0x2d3 [ 472.254203] __asan_report_load8_noabort+0x14/0x20 [ 472.254208] debugfs_remove+0xda/0x100 [ 472.261671] kobject: 'cpu0' (ffffe8ffffc2f258): kobject_add_internal: parent: '0', set: '' [ 472.266989] blk_trace_free+0x30/0x130 [ 472.274489] kobject: 'cpu1' (ffffe8ffffd2f258): kobject_add_internal: parent: '0', set: '' [ 472.281677] blk_trace_remove+0x42/0x70 [ 472.281682] blk_trace_shutdown+0x42/0x50 [ 472.281688] __blk_release_queue+0x1f9/0x470 [ 472.281694] process_one_work+0x79e/0x16c0 [ 472.281700] ? pwq_dec_nr_in_flight+0x2b0/0x2b0 [ 472.281706] worker_thread+0xcc/0xee0 [ 472.290644] kobject: 'queue' (ffff8880a189e9d8): kobject_uevent_env [ 472.294489] kthread+0x338/0x400 [ 472.301904] kobject: 'queue' (ffff8880a189e9d8): kobject_uevent_env: filter function caused the event to drop! [ 472.306324] ? process_one_work+0x16c0/0x16c0 [ 472.315320] kobject: 'iosched' (ffff888091646950): kobject_add_internal: parent: 'queue', set: '' [ 472.324148] ? kthread_create_on_node+0xa0/0xa0 [ 472.324155] ret_from_fork+0x24/0x30 [ 472.325858] Kernel Offset: disabled [ 472.502296] Rebooting in 86400 seconds..