[ ok ] Starting enhanced syslogd: rsyslogd.
[   65.765138][   T26] audit: type=1800 audit(1559846805.704:25): pid=8599 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   65.803282][   T26] audit: type=1800 audit(1559846805.704:26): pid=8599 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   65.842490][   T26] audit: type=1800 audit(1559846805.704:27): pid=8599 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.29' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [   75.694771][   T12] ==================================================================
[   75.703942][   T12] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[   75.703961][   T12] Read of size 8 at addr ffff8880a3508b10 by task kworker/0:1/12
[   75.703964][   T12]
[   75.703981][   T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.0-rc3+ #20
[   75.703990][   T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   75.704006][   T12] Workqueue: events __blk_release_queue
[   75.704024][   T12] Call Trace:
[   75.704073][   T12]  dump_stack+0x172/0x1f0
[   75.704088][   T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[   75.704136][   T12]  print_address_description.cold+0x7c/0x20d
[   75.704157][   T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[   75.704167][   T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[   75.704179][   T12]  __kasan_report.cold+0x1b/0x40
[   75.704191][   T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[   75.704204][   T12]  kasan_report+0x12/0x20
[   75.704219][   T12]  __asan_report_load8_noabort+0x14/0x20
[   75.720006][   T12]  blk_mq_free_rqs+0x49f/0x4b0
[   75.720030][   T12]  ? dd_exit_queue+0x92/0xd0
[   75.720051][   T12]  ? kfree+0x170/0x220
[   75.729881][   T12]  blk_mq_sched_tags_teardown+0x126/0x210
[   75.729902][   T12]  ? dd_request_merge+0x230/0x230
[   75.729924][   T12]  blk_mq_exit_sched+0x1fa/0x2d0
[   75.745592][   T12]  elevator_exit+0x70/0xa0
[   75.745610][   T12]  __blk_release_queue+0x127/0x330
[   75.745653][   T12]  process_one_work+0x989/0x1790
[   75.745676][   T12]  ? pwq_dec_nr_in_flight+0x320/0x320
[   75.750399][ T8755] kobject: 'loop0' (00000000af4a17ca): kobject_uevent_env
[   75.753323][   T12]  ? lock_acquire+0x16f/0x3f0
[   75.753353][   T12]  worker_thread+0x98/0xe40
[   75.753380][   T12]  ? trace_hardirqs_on+0x67/0x220
[   75.753405][   T12]  kthread+0x354/0x420
[   75.759615][ T8755] kobject: 'loop0' (00000000af4a17ca): fill_kobj_path: path = '/devices/virtual/block/loop0'
[   75.764360][   T12]  ? process_one_work+0x1790/0x1790
[   75.764375][   T12]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   75.764403][   T12]  ret_from_fork+0x24/0x30
[   75.764423][   T12]
[   75.770447][ T8755] kobject: 'queue' (00000000525c6182): kobject_add_internal: parent: 'loop0', set: ''
[   75.774330][   T12] Allocated by task 8754:
[   75.774351][   T12]  save_stack+0x23/0x90
[   75.774363][   T12]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   75.774374][   T12]  kasan_kmalloc+0x9/0x10
[   75.774385][   T12]  kmem_cache_alloc_trace+0x151/0x750
[   75.774411][   T12]  loop_add+0x51/0x8d0
[   75.774430][   T12]  loop_control_ioctl+0x165/0x360
[   75.774445][   T12]  do_vfs_ioctl+0xd5f/0x1380
[   75.780480][ T8755] kobject: 'mq' (000000001631afe4): kobject_add_internal: parent: 'loop0', set: ''
[   75.784617][   T12]  ksys_ioctl+0xab/0xd0
[   75.784628][   T12]  __x64_sys_ioctl+0x73/0xb0
[   75.784658][   T12]  do_syscall_64+0xfd/0x680
[   75.784672][   T12]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   75.784677][   T12]
[   75.784683][   T12] Freed by task 8755:
[   75.784696][   T12]  save_stack+0x23/0x90
[   75.784714][   T12]  __kasan_slab_free+0x102/0x150
[   75.789628][ T8755] kobject: 'mq' (000000001631afe4): kobject_uevent_env
[   75.794803][   T12]  kasan_slab_free+0xe/0x10
[   75.794814][   T12]  kfree+0xcf/0x220
[   75.794825][   T12]  loop_remove+0xa1/0xd0
[   75.794835][   T12]  loop_control_ioctl+0x320/0x360
[   75.794846][   T12]  do_vfs_ioctl+0xd5f/0x1380
[   75.794855][   T12]  ksys_ioctl+0xab/0xd0
[   75.794864][   T12]  __x64_sys_ioctl+0x73/0xb0
[   75.794878][   T12]  do_syscall_64+0xfd/0x680
[   75.794900][   T12]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   75.800250][ T8755] kobject: 'mq' (000000001631afe4): kobject_uevent_env: filter function caused the event to drop!
[   75.804256][   T12]
[   75.804269][   T12] The buggy address belongs to the object at ffff8880a3508900
[   75.804269][   T12]  which belongs to the cache kmalloc-1k of size 1024
[   75.804280][   T12] The buggy address is located 528 bytes inside of
[   75.804280][   T12]  1024-byte region [ffff8880a3508900, ffff8880a3508d00)
[   75.804284][   T12] The buggy address belongs to the page:
[   75.804308][   T12] page:ffffea00028d4200 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[   75.804329][   T12] flags: 0x1fffc0000010200(slab|head)
[   75.804349][   T12] raw: 01fffc0000010200 ffffea00028d3b88 ffffea00028d4388 ffff8880aa400ac0
[   75.809208][ T8755] kobject: '0' (0000000019bda046): kobject_add_internal: parent: 'mq', set: ''
[   75.814184][   T12] raw: 0000000000000000 ffff8880a3508000 0000000100000007 0000000000000000
[   75.814191][   T12] page dumped because: kasan: bad access detected
[   75.814195][   T12]
[   75.814198][   T12] Memory state around the buggy address:
[   75.814210][   T12]  ffff8880a3508a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.814219][   T12]  ffff8880a3508a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.814230][   T12] >ffff8880a3508b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.814235][   T12]                          ^
[   75.814244][   T12]  ffff8880a3508b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.814253][   T12]  ffff8880a3508c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.814258][   T12] ==================================================================
[   75.814272][   T12] Disabling lock debugging due to kernel taint
[   75.819895][ T8755] kobject: 'cpu0' (00000000451af450): kobject_add_internal: parent: '0', set: ''
[   75.841206][   T12] Kernel panic - not syncing: panic_on_warn set ...
[   75.849667][ T8755] kobject: 'cpu1' (00000000697e0b2c): kobject_add_internal: parent: '0', set: ''
[   75.851313][   T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G    B             5.2.0-rc3+ #20
[   75.851321][   T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   75.851339][   T12] Workqueue: events __blk_release_queue
[   75.851346][   T12] Call Trace:
[   75.851365][   T12]  dump_stack+0x172/0x1f0
[   75.851404][   T12]  panic+0x2cb/0x744
[   75.856554][ T8755] kobject: 'queue' (00000000525c6182): kobject_uevent_env
[   75.860567][   T12]  ? __warn_printk+0xf3/0xf3
[   75.860586][   T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[   75.860607][   T12]  ? preempt_schedule+0x4b/0x60
[   75.866063][ T8755] kobject: 'queue' (00000000525c6182): kobject_uevent_env: filter function caused the event to drop!
[   75.869685][   T12]  ? ___preempt_schedule+0x16/0x18
[   75.869709][   T12]  ? trace_hardirqs_on+0x5e/0x220
[   75.880322][ T8755] kobject: 'iosched' (000000006861f677): kobject_add_internal: parent: 'queue', set: ''
[   75.885076][   T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[   75.885091][   T12]  end_report+0x47/0x4f
[   75.885102][   T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[   75.885114][   T12]  __kasan_report.cold+0xe/0x40
[   75.885132][   T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[   75.891945][ T8755] kobject: 'iosched' (000000006861f677): kobject_uevent_env
[   75.895805][   T12]  kasan_report+0x12/0x20
[   75.895822][   T12]  __asan_report_load8_noabort+0x14/0x20
[   75.895843][   T12]  blk_mq_free_rqs+0x49f/0x4b0
[   75.898231][ T8755] kobject: 'iosched' (000000006861f677): kobject_uevent_env: filter function caused the event to drop!
[   75.908246][   T12]  ? dd_exit_queue+0x92/0xd0
[   75.908257][   T12]  ? kfree+0x170/0x220
[   75.908288][   T12]  blk_mq_sched_tags_teardown+0x126/0x210
[   75.908318][   T12]  ? dd_request_merge+0x230/0x230
[   75.908339][   T12]  blk_mq_exit_sched+0x1fa/0x2d0
[   75.913286][ T8755] kobject: 'integrity' (00000000fe34f8ec): kobject_add_internal: parent: 'loop0', set: ''
[   75.917015][   T12]  elevator_exit+0x70/0xa0
[   75.917034][   T12]  __blk_release_queue+0x127/0x330
[   75.917057][   T12]  process_one_work+0x989/0x1790
[   75.923350][ T8755] kobject: 'integrity' (00000000fe34f8ec): kobject_uevent_env
[   75.927202][   T12]  ? pwq_dec_nr_in_flight+0x320/0x320
[   75.927222][   T12]  ? lock_acquire+0x16f/0x3f0
[   75.933152][ T8755] kobject: 'integrity' (00000000fe34f8ec): kobject_uevent_env: filter function caused the event to drop!
[   75.936841][   T12]  worker_thread+0x98/0xe40
[   75.936862][   T12]  ? trace_hardirqs_on+0x67/0x220
[   76.464841][   T12]  kthread+0x354/0x420
[   76.468913][   T12]  ? process_one_work+0x1790/0x1790
[   76.474207][   T12]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   76.480446][   T12]  ret_from_fork+0x24/0x30
[   76.486079][   T12] Kernel Offset: disabled
[   76.490423][   T12] Rebooting in 86400 seconds..