[ ok ] Starting enhanced syslogd: rsyslogd.
[   62.923071][   T27] audit: type=1800 audit(1559879409.308:25): pid=8847 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   62.968365][   T27] audit: type=1800 audit(1559879409.308:26): pid=8847 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   63.022916][   T27] audit: type=1800 audit(1559879409.318:27): pid=8847 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.29' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [   83.001454][ T2962] ==================================================================
[   83.010739][ T2962] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[   83.018746][ T2962] Read of size 8 at addr ffff888219589d50 by task kworker/0:2/2962
[   83.027784][ T2962] 
[   83.030248][ T2962] CPU: 0 PID: 2962 Comm: kworker/0:2 Not tainted 5.2.0-rc3+ #40
[   83.037867][ T2962] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   83.047927][ T2962] Workqueue: events __blk_release_queue
[   83.053503][ T2962] Call Trace:
[   83.056972][ T2962]  dump_stack+0x172/0x1f0
[   83.061309][ T2962]  ? blk_mq_free_rqs+0x49f/0x4b0
[   83.066268][ T2962]  print_address_description.cold+0x7c/0x20d
[   83.072398][ T2962]  ? blk_mq_free_rqs+0x49f/0x4b0
[   83.077337][ T2962]  ? blk_mq_free_rqs+0x49f/0x4b0
[   83.082414][ T2962]  __kasan_report.cold+0x1b/0x40
[   83.087355][ T2962]  ? blk_mq_free_rqs+0x49f/0x4b0
[   83.092715][ T2962]  kasan_report+0x12/0x20
[   83.097053][ T2962]  __asan_report_load8_noabort+0x14/0x20
[   83.102827][ T2962]  blk_mq_free_rqs+0x49f/0x4b0
[   83.107600][ T2962]  ? dd_exit_queue+0x92/0xd0
[   83.112194][ T2962]  ? kfree+0x170/0x220
[   83.116360][ T2962]  blk_mq_sched_tags_teardown+0x126/0x210
[   83.122611][ T2962]  ? dd_request_merge+0x230/0x230
[   83.127735][ T2962]  blk_mq_exit_sched+0x1fa/0x2d0
[   83.132677][ T2962]  elevator_exit+0x70/0xa0
[   83.137161][ T2962]  __blk_release_queue+0x127/0x330
[   83.142296][ T2962]  process_one_work+0x989/0x1790
[   83.147240][ T2962]  ? pwq_dec_nr_in_flight+0x320/0x320
[   83.152668][ T2962]  ? lock_acquire+0x16f/0x3f0
[   83.157361][ T2962]  worker_thread+0x98/0xe40
[   83.161870][ T2962]  ? trace_hardirqs_on+0x67/0x220
[   83.167094][ T2962]  kthread+0x354/0x420
[   83.171332][ T2962]  ? process_one_work+0x1790/0x1790
[   83.177339][ T2962]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   83.183786][ T2962]  ret_from_fork+0x24/0x30
[   83.188211][ T2962] 
[   83.190612][ T2962] Allocated by task 1:
[   83.201726][ T2962]  save_stack+0x23/0x90
[   83.205908][ T2962]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   83.213994][ T2962]  kasan_kmalloc+0x9/0x10
[   83.218413][ T2962]  kmem_cache_alloc_trace+0x151/0x750
[   83.223910][ T2962]  loop_add+0x51/0x8d0
[   83.227987][ T2962]  loop_init+0x1fe/0x25a
[   83.232388][ T2962]  do_one_initcall+0x107/0x7ba
[   83.237362][ T2962]  kernel_init_freeable+0x4d4/0x5c3
[   83.242569][ T2962]  kernel_init+0x12/0x1c5
[   83.246928][ T2962]  ret_from_fork+0x24/0x30
[   83.251341][ T2962] 
[   83.253653][ T2962] Freed by task 9003:
[   83.257625][ T2962]  save_stack+0x23/0x90
[   83.261844][ T2962]  __kasan_slab_free+0x102/0x150
[   83.266910][ T2962]  kasan_slab_free+0xe/0x10
[   83.271423][ T2962]  kfree+0xcf/0x220
[   83.275495][ T2962]  loop_remove+0xa1/0xd0
[   83.279746][ T2962]  loop_control_ioctl+0x320/0x360
[   83.284766][ T2962]  do_vfs_ioctl+0xd5f/0x1380
[   83.289548][ T2962]  ksys_ioctl+0xab/0xd0
[   83.293707][ T2962]  __x64_sys_ioctl+0x73/0xb0
[   83.298474][ T2962]  do_syscall_64+0xfd/0x680
[   83.302973][ T2962]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   83.308850][ T2962] 
[   83.311171][ T2962] The buggy address belongs to the object at ffff888219589b40
[   83.311171][ T2962]  which belongs to the cache kmalloc-1k of size 1024
[   83.325357][ T2962] The buggy address is located 528 bytes inside of
[   83.325357][ T2962]  1024-byte region [ffff888219589b40, ffff888219589f40)
[   83.338714][ T2962] The buggy address belongs to the page:
[   83.344552][ T2962] page:ffffea0008656200 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0xffff888219588040 compound_mapcount: 0
[   83.356926][ T2962] flags: 0x6fffc0000010200(slab|head)
[   83.362320][ T2962] raw: 06fffc0000010200 ffffea00085ae888 ffffea0008654d88 ffff8880aa400ac0
[   83.370954][ T2962] raw: ffff888219588040 ffff888219588040 0000000100000005 0000000000000000
[   83.379558][ T2962] page dumped because: kasan: bad access detected
[   83.386504][ T2962] 
[   83.389098][ T2962] Memory state around the buggy address:
[   83.394796][ T2962]  ffff888219589c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   83.402871][ T2962]  ffff888219589c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   83.411136][ T2962] >ffff888219589d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   83.419553][ T2962]                                                  ^
[   83.426233][ T2962]  ffff888219589d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   83.434585][ T2962]  ffff888219589e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   83.443086][ T2962] ==================================================================
executing program
[   83.451205][ T2962] Disabling lock debugging due to kernel taint
[   83.459887][ T2962] Kernel panic - not syncing: panic_on_warn set ...
[   83.466642][ T2962] CPU: 0 PID: 2962 Comm: kworker/0:2 Tainted: G    B             5.2.0-rc3+ #40
[   83.475845][ T2962] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   83.486085][ T2962] Workqueue: events __blk_release_queue
[   83.491651][ T2962] Call Trace:
[   83.494949][ T2962]  dump_stack+0x172/0x1f0
[   83.499291][ T2962]  panic+0x2cb/0x744
[   83.503868][ T2962]  ? __warn_printk+0xf3/0xf3
[   83.508460][ T2962]  ? blk_mq_free_rqs+0x49f/0x4b0
[   83.513408][ T2962]  ? preempt_schedule+0x4b/0x60
[   83.518599][ T2962]  ? ___preempt_schedule+0x16/0x18
[   83.524003][ T2962]  ? trace_hardirqs_on+0x5e/0x220
[   83.529730][ T2962]  ? blk_mq_free_rqs+0x49f/0x4b0
[   83.534845][ T2962]  end_report+0x47/0x4f
[   83.539010][ T2962]  ? blk_mq_free_rqs+0x49f/0x4b0
[   83.543955][ T2962]  __kasan_report.cold+0xe/0x40
[   83.548825][ T2962]  ? blk_mq_free_rqs+0x49f/0x4b0
[   83.553870][ T2962]  kasan_report+0x12/0x20
[   83.558304][ T2962]  __asan_report_load8_noabort+0x14/0x20
[   83.564443][ T2962]  blk_mq_free_rqs+0x49f/0x4b0
[   83.569595][ T2962]  ? dd_exit_queue+0x92/0xd0
[   83.574424][ T2962]  ? kfree+0x170/0x220
[   83.579342][ T2962]  blk_mq_sched_tags_teardown+0x126/0x210
[   83.588038][ T2962]  ? dd_request_merge+0x230/0x230
[   83.594922][ T2962]  blk_mq_exit_sched+0x1fa/0x2d0
[   83.599932][ T2962]  elevator_exit+0x70/0xa0
[   83.604603][ T2962]  __blk_release_queue+0x127/0x330
[   83.609909][ T2962]  process_one_work+0x989/0x1790
[   83.614866][ T2962]  ? pwq_dec_nr_in_flight+0x320/0x320
[   83.620442][ T2962]  ? lock_acquire+0x16f/0x3f0
[   83.625241][ T2962]  worker_thread+0x98/0xe40
[   83.629788][ T2962]  ? trace_hardirqs_on+0x67/0x220
[   83.634881][ T2962]  kthread+0x354/0x420
[   83.638978][ T2962]  ? process_one_work+0x1790/0x1790
[   83.644180][ T2962]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   83.650638][ T2962]  ret_from_fork+0x24/0x30
[   83.656412][ T2962] Kernel Offset: disabled
[   83.660856][ T2962] Rebooting in 86400 seconds..
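Reading the report: the "Allocated by task 1" stack is the boot-time loop_add() kmalloc of a struct loop_device (kmalloc-1k, 1024 bytes); the "Freed by task 9003" stack is the LOOP_CTL_REMOVE path of /dev/loop-control (loop_control_ioctl -> loop_remove -> kfree), which frees that object; the faulting 8-byte read lands 528 bytes into it, from blk_mq_free_rqs running under the events workqueue's __blk_release_queue (elevator_exit -> blk_mq_exit_sched -> blk_mq_sched_tags_teardown). In other words the request queue's deferred release still dereferences memory its owner already freed, and the fb shadow bytes on every row say the whole region is freed, not merely out of bounds. The log contains no reproducer and does not show what let the queue's final release run after the remove, so nothing below claims a trigger. The model that follows is an added example, not kernel code and not part of the syzbot report: function and struct names mirror the trace, the bodies are a userspace simplification written for this page, and a poisoning quarantine stands in for KASAN so the stale read is observable without a sanitizer. Two assumptions are labelled in the code as well: that the field at offset 528 is the blk_mq_tag_set the loop driver embeds in struct loop_device (blk_mq_free_rqs takes a tag-set pointer, but the log names only the offset), and that the corrected ordering shown, tearing the scheduler's request pool down inside blk_cleanup_queue while the driver's tag set is still alive, is the general shape of a fix rather than the upstream patch itself; check the commit that references this report for the actual change.

```c
/* Userspace model of the lifetime inversion in the report above (added example, not kernel code; names mirror the trace, bodies are simplified). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_BYTE 0x6b         /* freed memory is overwritten, like SLUB poisoning */
#define POISON_WORD 0x6b6b6b6bu  /* a poisoned unsigned int reads back as this */

struct blk_mq_tag_set { unsigned int queue_depth; };  /* read when the pool is freed */
struct sched_tags { struct blk_mq_tag_set *set; };    /* the scheduler's request pool */
struct request_queue {
	struct sched_tags *sched_tags; /* NULL once the scheduler is torn down */
	int release_pending;           /* final release deferred to the events workqueue */
};
struct loop_device {
	char pad[528];                 /* ASSUMPTION: offset 528 in the log is tag_set */
	struct blk_mq_tag_set tag_set; /* embedded, so it dies with the loop_device */
	struct request_queue *lo_queue;
};

/* Quarantine instead of free(): poison but keep the object mapped, so a stale
 * read returns POISON_BYTE instead of crashing. This stands in for KASAN. */
static void *quarantine[8];
static size_t nquarantine;
static void kfree_q(void *p, size_t size)
{
	memset(p, POISON_BYTE, size);
	quarantine[nquarantine++] = p;
}
static void quarantine_drain(void)
{
	while (nquarantine)
		free(quarantine[--nquarantine]);
}

/* The frame that faulted: freeing the pool dereferences the tag set it was
 * sized from. Returns 1 if that tag set was already freed. */
static int blk_mq_free_rqs(struct blk_mq_tag_set *set, struct sched_tags *tags)
{
	unsigned int depth = set->queue_depth;  /* the stale read in the trace */
	free(tags);
	return depth == POISON_WORD;
}

/* elevator_exit -> blk_mq_exit_sched -> blk_mq_sched_tags_teardown -> blk_mq_free_rqs */
static int blk_mq_exit_sched(struct request_queue *q)
{
	struct sched_tags *tags = q->sched_tags;
	q->sched_tags = NULL;
	return tags ? blk_mq_free_rqs(tags->set, tags) : 0;
}

/* The deferred work item (Workqueue: events __blk_release_queue). */
static int __blk_release_queue(struct request_queue *q)
{
	int uaf = blk_mq_exit_sched(q);
	free(q);
	return uaf;
}

/* 'Allocated by task 1': loop_init -> loop_add; the pool is sized from tag_set. */
static struct loop_device *loop_add(void)
{
	struct loop_device *lo = calloc(1, sizeof *lo);  /* allocation failure ignored */
	lo->tag_set.queue_depth = 128;
	lo->lo_queue = calloc(1, sizeof *lo->lo_queue);
	lo->lo_queue->sched_tags = calloc(1, sizeof *lo->lo_queue->sched_tags);
	lo->lo_queue->sched_tags->set = &lo->tag_set;
	return lo;
}

/* 'Freed by task 9003': loop_control_ioctl -> loop_remove -> kfree. fixed != 0
 * models the remedy of tearing the scheduler down inside blk_cleanup_queue. */
static struct request_queue *loop_remove(struct loop_device *lo, int fixed)
{
	struct request_queue *q = lo->lo_queue;
	if (fixed)
		blk_mq_exit_sched(q);   /* pool freed while the driver's tag_set is alive */
	q->release_pending = 1;     /* blk_cleanup_queue: the final put is deferred */
	kfree_q(lo, sizeof *lo);    /* tag_set dies here; the queue still points at it */
	return q;
}

/* One ordering end to end: fixed = 0 is the log's, 1 the remedy. Returns 1 if
 * the deferred release read a freed tag set. */
int run_scenario(int fixed)
{
	struct request_queue *q = loop_remove(loop_add(), fixed);
	int uaf = q->release_pending ? __blk_release_queue(q) : 0;  /* kworker/0:2 */
	quarantine_drain();
	return uaf;
}

int main(void)
{
	printf("buggy ordering: use-after-free=%d\n", run_scenario(0));
	printf("fixed ordering: use-after-free=%d\n", run_scenario(1));
	return 0;
}
```

Build with cc -std=c11 -Wall and run: the buggy ordering reports use-after-free=1, the fixed ordering 0. The triage rule the model encodes is the one to check against any similar trace: anything reachable from a request queue's deferred release must not live inside a driver-owned object that the driver frees synchronously in its remove path, and a tag set embedded in the driver's private struct is exactly such an object.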