==================================================================
BUG: KASAN: use-after-free in debugfs_remove fs/debugfs/inode.c:657 [inline]
BUG: KASAN: use-after-free in debugfs_remove+0xfb/0x120 fs/debugfs/inode.c:649
Read of size 8 at addr ffff88808a2641a0 by task syz-executor.5/16064

CPU: 0 PID: 16064 Comm: syz-executor.5 Not tainted 4.14.112 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x19c lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xaf/0x2b5 mm/kasan/report.c:393
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
 debugfs_remove fs/debugfs/inode.c:657 [inline]
 debugfs_remove+0xfb/0x120 fs/debugfs/inode.c:649
 blk_trace_free+0x38/0x140 kernel/trace/blktrace.c:324
 blk_trace_cleanup kernel/trace/blktrace.c:351 [inline]
 blk_trace_remove+0x59/0x80 kernel/trace/blktrace.c:364
 blk_trace_ioctl+0x21d/0x270 kernel/trace/blktrace.c:708
 blkdev_ioctl+0x106/0x1880 block/ioctl.c:580
 block_ioctl+0xde/0x120 fs/block_dev.c:1881
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x7b9/0x1070 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x458c29
RSP: 002b:00007f1041a04c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458c29
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 000000000073c040 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1041a056d4
R13: 00000000004c012d R14: 00000000004d2540 R15: 00000000ffffffff

Allocated by task 16056:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x780 mm/slab.c:3552
 __d_alloc+0x2d/0x9f0 fs/dcache.c:1623
 d_alloc+0x4d/0x270 fs/dcache.c:1710
 __lookup_hash fs/namei.c:1570 [inline]
 __lookup_hash+0x58/0x190 fs/namei.c:1562
 lookup_one_len+0x281/0x3b0 fs/namei.c:2538
 start_creating fs/debugfs/inode.c:309 [inline]
 start_creating+0xa6/0x1b0 fs/debugfs/inode.c:285
 __debugfs_create_file+0x53/0x3d0 fs/debugfs/inode.c:348
 debugfs_create_file+0x5a/0x70 fs/debugfs/inode.c:399
 do_blk_trace_setup+0x32d/0xb10 kernel/trace/blktrace.c:529
 blk_trace_setup+0xbd/0x140 kernel/trace/blktrace.c:579
 blk_trace_ioctl+0x147/0x270 kernel/trace/blktrace.c:694
 blkdev_ioctl+0x106/0x1880 block/ioctl.c:580
 block_ioctl+0xde/0x120 fs/block_dev.c:1881
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x7b9/0x1070 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 16062:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x83/0x2b0 mm/slab.c:3758
 __d_free+0x20/0x30 fs/dcache.c:270
 __rcu_reclaim kernel/rcu/rcu.h:195 [inline]
 rcu_do_batch kernel/rcu/tree.c:2699 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
 rcu_process_callbacks+0x7c0/0x12c0 kernel/rcu/tree.c:2946
 __do_softirq+0x24e/0x9ae kernel/softirq.c:288

The buggy address belongs to the object at ffff88808a264160
 which belongs to the cache dentry of size 288
The buggy address is located 64 bytes inside of
 288-byte region [ffff88808a264160, ffff88808a264280)
The buggy address belongs to the page:
page:ffffea0002289900 count:1 mapcount:0 mapping:ffff88808a264000 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff88808a264000 0000000000000000 000000010000000b
raw: ffffea00022898e0 ffffea00022817a0 ffff88821f8b5680 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808a264080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808a264100: fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb
>ffff88808a264180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff88808a264200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808a264280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================
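The register dump and the shadow-memory dump in this report are normally decoded by hand. The following C helper is an added example, not part of the syzkaller report or of the kernel tree: it takes the numbers above as constants and prints what a triager would work out from them, namely which syscall and which blktrace ioctl the reporting task was in, how far into the 288-byte dentry the 8-byte read landed, and what the shadow byte under the "^" marker means. The function and struct names are this example's own; the blktrace ioctl numbers (type 0x12, nr 115 to 118) come from include/uapi/linux/fs.h and the shadow byte values from mm/kasan/kasan.h in 4.14.

```c
/*
 * Added example: decode the numbers in the KASAN report above.
 * Not part of the original report. Every REPORT_* value is copied
 * from the report text; the helper names are this example's own.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values copied from the report. */
#define REPORT_ORIG_RAX   0x10ULL                /* syscall nr 16 = ioctl on x86-64 */
#define REPORT_RSI        0x1276ULL              /* 2nd ioctl argument: the cmd */
#define REPORT_FAULT_ADDR 0xffff88808a2641a0ULL  /* "Read of size 8 at addr" */
#define REPORT_OBJ_START  0xffff88808a264160ULL  /* "belongs to the object at" */
#define REPORT_OBJ_SIZE   288                    /* "cache dentry of size 288" */
#define REPORT_SHADOW_ROW 0xffff88808a264180ULL  /* the ">" row of shadow bytes */
static const uint8_t report_shadow_row[16] = {
    0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,
    0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb };

/* ioctl cmd layout (include/uapi/asm-generic/ioctl.h, x86-64):
 * bits 0..7 nr, 8..15 type, 16..29 size, 30..31 direction. */
struct ioc_fields { unsigned dir, size, type, nr; };

static struct ioc_fields ioc_decode(uint32_t cmd)
{
    struct ioc_fields f;
    f.nr   =  cmd        & 0xff;
    f.type = (cmd >> 8)  & 0xff;
    f.size = (cmd >> 16) & 0x3fff;
    f.dir  = (cmd >> 30) & 0x3;
    return f;
}

/* blktrace ioctls: type 0x12, nr 115..118 (include/uapi/linux/fs.h).
 * Only SETUP carries a struct; matching on type and nr is enough. */
static const char *blktrace_ioctl_name(uint32_t cmd)
{
    struct ioc_fields f = ioc_decode(cmd);
    if (f.type != 0x12)
        return NULL;
    switch (f.nr) {
    case 115: return "BLKTRACESETUP";
    case 116: return "BLKTRACESTART";
    case 117: return "BLKTRACESTOP";
    case 118: return "BLKTRACETEARDOWN";
    default:  return NULL;
    }
}

/* Offset of the access inside the slab object, or -1 if it lies outside. */
static long object_offset(uint64_t addr, uint64_t obj, size_t size)
{
    if (addr < obj || addr >= obj + size)
        return -1;
    return (long)(addr - obj);
}

/* One shadow byte covers 8 bytes (KASAN_SHADOW_SCALE_SHIFT == 3), so the
 * column under "^" in a 16-byte shadow row is (addr - row_base) >> 3. */
static int shadow_column(uint64_t row_base, uint64_t addr)
{
    if (addr < row_base || addr >= row_base + 16 * 8)
        return -1;
    return (int)((addr - row_base) >> 3);
}

/* Shadow byte meanings from mm/kasan/kasan.h (4.14). */
static const char *shadow_meaning(uint8_t s)
{
    if (s == 0x00)              return "addressable";
    if (s >= 0x01 && s <= 0x07) return "partially addressable";
    switch (s) {
    case 0xfa: return "global redzone";
    case 0xfb: return "freed slab object (use-after-free)";
    case 0xfc: return "slab redzone (out-of-bounds)";
    case 0xfe: return "page redzone";
    case 0xff: return "freed page";
    default:   return "stack or use-after-scope poison";
    }
}

/* 1 if the report's own numbers are consistent with a slab use-after-free:
 * the access is inside the object and its shadow byte is KASAN_KMALLOC_FREE. */
static int report_is_slab_uaf(void)
{
    int col = shadow_column(REPORT_SHADOW_ROW, REPORT_FAULT_ADDR);
    return object_offset(REPORT_FAULT_ADDR, REPORT_OBJ_START, REPORT_OBJ_SIZE) >= 0
        && col >= 0 && report_shadow_row[col] == 0xfb;
}

int main(void)
{
    struct ioc_fields f = ioc_decode((uint32_t)REPORT_RSI);
    const char *name = blktrace_ioctl_name((uint32_t)REPORT_RSI);
    int col = shadow_column(REPORT_SHADOW_ROW, REPORT_FAULT_ADDR);

    printf("syscall nr %" PRIu64 " (%s)\n", (uint64_t)REPORT_ORIG_RAX,
           REPORT_ORIG_RAX == 16 ? "ioctl" : "not ioctl");
    printf("cmd 0x%x: type 0x%x nr %u size %u dir %u -> %s\n", (unsigned)REPORT_RSI,
           f.type, f.nr, f.size, f.dir, name ? name : "unknown");
    printf("access is %ld bytes into the %d-byte dentry\n",
           object_offset(REPORT_FAULT_ADDR, REPORT_OBJ_START, REPORT_OBJ_SIZE),
           REPORT_OBJ_SIZE);
    if (col >= 0)
        printf("shadow column %d = 0x%02x: %s\n", col, report_shadow_row[col],
               shadow_meaning(report_shadow_row[col]));
    return report_is_slab_uaf() ? 0 : 1;
}
```

Read together with the three stack traces, the decoded values say: the reporting task was in BLKTRACETEARDOWN on fd 3, the dentry it touched was created by a different task's BLKTRACESETUP, and the shadow byte is KASAN_KMALLOC_FREE, so the object had already gone through __d_free. Two caveats when reading the "Freed by" section: the free happened in an RCU callback from softirq context, so "task 16062" is whichever task was on the CPU when the callback ran, not necessarily the task that dropped the dentry; and the "64 bytes inside" figure maps to a struct dentry field only once the exact kernel config is known, since debug options change the struct layout, so it should be resolved against the matching vmlinux rather than guessed.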