[ ok ] Starting enhanced syslogd: rsyslogd.
[ 63.178566][ T26] audit: type=1800 audit(1559994385.872:25): pid=8783 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 63.247152][ T26] audit: type=1800 audit(1559994385.882:26): pid=8783 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 63.300975][ T26] audit: type=1800 audit(1559994385.882:27): pid=8783 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.60' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 73.746878][ T2854] ==================================================================
[ 73.755081][ T2854] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 73.755098][ T2854] Read of size 8 at addr ffff88808f2cfd10 by task kworker/1:2/2854
[ 73.755103][ T2854]
[ 73.755118][ T2854] CPU: 1 PID: 2854 Comm: kworker/1:2 Not tainted 5.2.0-rc3+ #23
[ 73.755126][ T2854] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.755145][ T2854] Workqueue: events __blk_release_queue
[ 73.755152][ T2854] Call Trace:
[ 73.770391][ T2854]  dump_stack+0x172/0x1f0
[ 73.770407][ T2854]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 73.770429][ T2854]  print_address_description.cold+0x7c/0x20d
[ 73.780359][ T2854]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 73.780373][ T2854]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 73.780389][ T2854]  __kasan_report.cold+0x1b/0x40
[ 73.780406][ T2854]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 73.780424][ T2854]  kasan_report+0x12/0x20
[ 73.796002][ T2854]  __asan_report_load8_noabort+0x14/0x20
[ 73.796017][ T2854]  blk_mq_free_rqs+0x49f/0x4b0
[ 73.796031][ T2854]  ? dd_exit_queue+0x92/0xd0
[ 73.796042][ T2854]  ? kfree+0x170/0x220
[ 73.796064][ T2854]  blk_mq_sched_tags_teardown+0x126/0x210
[ 73.803653][ T2854]  ? dd_request_merge+0x230/0x230
[ 73.803678][ T2854]  blk_mq_exit_sched+0x1fa/0x2d0
[ 73.803698][ T2854]  elevator_exit+0x70/0xa0
[ 73.803725][ T2854]  __blk_release_queue+0x127/0x330
[ 73.814626][ T2854]  process_one_work+0x989/0x1790
[ 73.814652][ T2854]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 73.814666][ T2854]  ? lock_acquire+0x16f/0x3f0
[ 73.814691][ T2854]  worker_thread+0x98/0xe40
[ 73.819812][ T8941] kobject: 'loop0' (00000000fa3d45f1): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 73.824541][ T2854]  ? trace_hardirqs_on+0x67/0x220
[ 73.824569][ T2854]  kthread+0x354/0x420
[ 73.824584][ T2854]  ? process_one_work+0x1790/0x1790
[ 73.824604][ T2854]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 73.829919][ T8941] kobject: 'queue' (00000000ca20ce7c): kobject_add_internal: parent: 'loop0', set: ''
[ 73.834454][ T2854]  ret_from_fork+0x24/0x30
[ 73.834474][ T2854]
[ 73.834482][ T2854] Allocated by task 8939:
[ 73.834495][ T2854]  save_stack+0x23/0x90
[ 73.834513][ T2854]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 73.834524][ T2854]  kasan_kmalloc+0x9/0x10
[ 73.839569][ T8941] kobject: 'mq' (000000001f798dd4): kobject_add_internal: parent: 'loop0', set: ''
[ 73.844523][ T2854]  kmem_cache_alloc_trace+0x151/0x750
[ 73.844535][ T2854]  loop_add+0x51/0x8d0
[ 73.844547][ T2854]  loop_control_ioctl+0x165/0x360
executing program
[ 73.844558][ T2854]  do_vfs_ioctl+0xd5f/0x1380
[ 73.844568][ T2854]  ksys_ioctl+0xab/0xd0
[ 73.844578][ T2854]  __x64_sys_ioctl+0x73/0xb0
[ 73.844599][ T2854]  do_syscall_64+0xfd/0x680
[ 73.849553][ T8941] kobject: 'mq' (000000001f798dd4): kobject_uevent_env
[ 73.853927][ T2854]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.853931][ T2854]
[ 73.853938][ T2854] Freed by task 8940:
[ 73.853950][ T2854]  save_stack+0x23/0x90
[ 73.853962][ T2854]  __kasan_slab_free+0x102/0x150
[ 73.853974][ T2854]  kasan_slab_free+0xe/0x10
[ 73.853990][ T2854]  kfree+0xcf/0x220
[ 73.858226][ T8941] kobject: 'mq' (000000001f798dd4): kobject_uevent_env: filter function caused the event to drop!
[ 73.863747][ T2854]  loop_remove+0xa1/0xd0
[ 73.863760][ T2854]  loop_control_ioctl+0x320/0x360
[ 73.863771][ T2854]  do_vfs_ioctl+0xd5f/0x1380
[ 73.863781][ T2854]  ksys_ioctl+0xab/0xd0
[ 73.863791][ T2854]  __x64_sys_ioctl+0x73/0xb0
[ 73.863811][ T2854]  do_syscall_64+0xfd/0x680
[ 73.869033][ T8941] kobject: '0' (0000000032617a06): kobject_add_internal: parent: 'mq', set: ''
[ 73.873745][ T2854]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.873749][ T2854]
[ 73.873760][ T2854] The buggy address belongs to the object at ffff88808f2cfb00
[ 73.873760][ T2854]  which belongs to the cache kmalloc-1k of size 1024
[ 73.873773][ T2854] The buggy address is located 528 bytes inside of
[ 73.873773][ T2854]  1024-byte region [ffff88808f2cfb00, ffff88808f2cff00)
[ 73.873778][ T2854] The buggy address belongs to the page:
[ 73.873791][ T2854] page:ffffea00023cb380 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 73.878536][ T8941] kobject: 'cpu0' (000000004ec7a217): kobject_add_internal: parent: '0', set: ''
[ 73.883303][ T2854] flags: 0x1fffc0000010200(slab|head)
[ 73.883322][ T2854] raw: 01fffc0000010200 ffffea0002a42888 ffffea0002a46d08 ffff8880aa400ac0
[ 73.883350][ T2854] raw: 0000000000000000 ffff88808f2ce000 0000000100000007 0000000000000000
[ 73.883356][ T2854] page dumped because: kasan: bad access detected
[ 73.883371][ T2854]
[ 73.883375][ T2854] Memory state around the buggy address:
[ 73.883388][ T2854]  ffff88808f2cfc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.888565][ T8941] kobject: 'cpu1' (000000000111d4b5): kobject_add_internal: parent: '0', set: ''
[ 73.893677][ T2854]  ffff88808f2cfc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.893699][ T2854] >ffff88808f2cfd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.893704][ T2854]                           ^
[ 73.893714][ T2854]  ffff88808f2cfd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.893738][ T2854]  ffff88808f2cfe00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.893743][ T2854] ==================================================================
[ 73.893748][ T2854] Disabling lock debugging due to kernel taint
[ 73.901059][ T2854] Kernel panic - not syncing: panic_on_warn set ...
[ 73.903210][ T8941] kobject: 'queue' (00000000ca20ce7c): kobject_uevent_env
[ 73.913062][ T2854] CPU: 1 PID: 2854 Comm: kworker/1:2 Tainted: G    B             5.2.0-rc3+ #23
[ 73.913071][ T2854] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.913088][ T2854] Workqueue: events __blk_release_queue
[ 73.918305][ T8941] kobject: 'queue' (00000000ca20ce7c): kobject_uevent_env: filter function caused the event to drop!
[ 73.922215][ T2854] Call Trace:
[ 73.922233][ T2854]  dump_stack+0x172/0x1f0
[ 73.922265][ T2854]  panic+0x2cb/0x744
[ 73.927687][ T8941] kobject: 'iosched' (000000006d3f9622): kobject_add_internal: parent: 'queue', set: ''
[ 73.933666][ T2854]  ? __warn_printk+0xf3/0xf3
[ 73.933681][ T2854]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 73.933703][ T2854]  ? preempt_schedule+0x4b/0x60
[ 73.943953][ T8941] kobject: 'iosched' (000000006d3f9622): kobject_uevent_env
[ 73.948152][ T2854]  ? ___preempt_schedule+0x16/0x18
[ 73.948174][ T2854]  ? trace_hardirqs_on+0x5e/0x220
[ 73.950513][ T8941] kobject: 'iosched' (000000006d3f9622): kobject_uevent_env: filter function caused the event to drop!
[ 73.957150][ T2854]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 73.957164][ T2854]  end_report+0x47/0x4f
[ 73.957177][ T2854]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 73.957196][ T2854]  __kasan_report.cold+0xe/0x40
[ 73.961572][ T8941] kobject: 'integrity' (00000000306d5f8a): kobject_add_internal: parent: 'loop0', set: ''
[ 73.966960][ T2854]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 73.966975][ T2854]  kasan_report+0x12/0x20
[ 73.966996][ T2854]  __asan_report_load8_noabort+0x14/0x20
[ 73.971504][ T8941] kobject: 'integrity' (00000000306d5f8a): kobject_uevent_env
[ 73.981121][ T2854]  blk_mq_free_rqs+0x49f/0x4b0
[ 73.981133][ T2854]  ? dd_exit_queue+0x92/0xd0
[ 73.981142][ T2854]  ? kfree+0x170/0x220
[ 73.981161][ T2854]  blk_mq_sched_tags_teardown+0x126/0x210
[ 73.986640][ T8941] kobject: 'integrity' (00000000306d5f8a): kobject_uevent_env: filter function caused the event to drop!
[ 73.990568][ T2854]  ? dd_request_merge+0x230/0x230
[ 73.990587][ T2854]  blk_mq_exit_sched+0x1fa/0x2d0
[ 74.015095][ T8942] kobject: 'integrity' (00000000306d5f8a): kobject_uevent_env
[ 74.020195][ T2854]  elevator_exit+0x70/0xa0
[ 74.020220][ T2854]  __blk_release_queue+0x127/0x330
[ 74.026998][ T8942] kobject: 'integrity' (00000000306d5f8a): kobject_uevent_env: filter function caused the event to drop!
[ 74.028415][ T2854]  process_one_work+0x989/0x1790
[ 74.028433][ T2854]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 74.032462][ T8942] kobject: 'integrity' (00000000306d5f8a): kobject_cleanup, parent 0000000097181beb
[ 74.036545][ T2854]  ? lock_acquire+0x16f/0x3f0
[ 74.036565][ T2854]  worker_thread+0x98/0xe40
[ 74.036584][ T2854]  ? trace_hardirqs_on+0x67/0x220
[ 74.043041][ T8942] kobject: 'integrity' (00000000306d5f8a): does not have a release() function, it is broken and must be fixed. See Documentation/kobject.txt.
[ 74.046006][ T2854]  kthread+0x354/0x420
[ 74.046038][ T2854]  ? process_one_work+0x1790/0x1790
[ 74.049855][ T8942] kobject: 'integrity': free name
[ 74.060406][ T2854]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 74.060422][ T2854]  ret_from_fork+0x24/0x30
[ 74.065615][ T2854] Kernel Offset: disabled
[ 74.584926][ T2854] Rebooting in 86400 seconds..
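The KASAN report above is interleaved with kobject debug chatter from two other threads (T8941, T8942) and with syzkaller's own "executing program" output, so following the reporting kworker's lines by hand is error-prone. The Python helper below is an added example for triaging such a console capture; it is not part of syzkaller, syzbot or the kernel tree. It keeps only the lines tagged with the reporting thread's TID, collects the access, "Allocated by" and "Freed by" stacks while dropping KASAN/allocator plumbing frames and the unreliable "? " frames, recomputes the "528 bytes inside" figure from the access address and object base, and decodes the shadow byte under the caret (0xfb is the value KASAN writes over a freed slab object in 5.x kernels). The plumbing prefix list is this example's own heuristic, and the sample input is an excerpt of the lines above, not a new capture.

```python
import re

LINE_RE = re.compile(r"\[\s*[\d.]+\]\[\s*T(\d+)\]\s?(.*)$")  # "[ 73.755081][ T2854] msg"
BUG_RE = re.compile(r"BUG: KASAN: (\S+) in ")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task")
OBJECT_RE = re.compile(r"object at ([0-9a-f]+)")
CACHE_RE = re.compile(r"cache (\S+) of size (\d+)")
INSIDE_RE = re.compile(r"located (\d+) bytes inside")
SECTION_RE = re.compile(r"^(Call Trace:|Allocated by task \d+:|Freed by task \d+:)$")
FRAME_RE = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW_RE = re.compile(r"^>([0-9a-f]{16}):((?: [0-9a-f]{2})+)$")  # ">" marks the row holding addr
KASAN_KMALLOC_FREE = 0xFB  # shadow value KASAN writes over a freed slab object (mm/kasan, 5.x)
PLUMBING = ("save_stack", "kasan_", "__kasan_", "__asan_", "kmem_cache_", "kfree", "dump_stack",
            "print_address_description")  # heuristic: allocator/KASAN frames that top every stack


def parse_kasan(console: str) -> dict:
    """Keep only the reporting thread's lines and pull out what a triager needs."""
    rep = {"bug_type": "", "access": "", "size": 0, "addr": 0, "object_base": 0,
           "object_size": 0, "cache": "", "reported_offset": -1, "shadow_byte": -1, "stacks": {}}
    tid = section = None
    for raw in console.splitlines():
        m = LINE_RE.search(raw)           # search, not match: a line may start with a login prompt
        if not m:
            continue                      # syzkaller's "executing program", banners, ...
        line_tid, msg = m.group(1), m.group(2).strip()
        if tid is None:                   # nothing before the BUG: line matters
            if b := BUG_RE.search(msg):
                tid, rep["bug_type"] = line_tid, b.group(1)
            continue
        if line_tid != tid:
            continue                      # kobject chatter from other threads (T8941/T8942 above)
        if SECTION_RE.match(msg):         # -> "call", "allocated" or "freed"
            name = msg.split()[0].lower()
            section = None if name in rep["stacks"] else name   # skip the panic's second trace
            if section:
                rep["stacks"][section] = []
        elif not msg:
            section = None                # a blank line closes the current stack
        elif f := FRAME_RE.match(msg):    # "? " frames are guesses; plumbing is not the caller
            if section and not f.group(1) and not f.group(2).startswith(PLUMBING):
                rep["stacks"][section].append(f.group(2))
        elif a := ACCESS_RE.search(msg):
            rep["access"], rep["size"], rep["addr"] = a.group(1), int(a.group(2)), int(a.group(3), 16)
        elif o := OBJECT_RE.search(msg):
            rep["object_base"] = int(o.group(1), 16)
        elif c := CACHE_RE.search(msg):
            rep["cache"], rep["object_size"] = c.group(1), int(c.group(2))
        elif i := INSIDE_RE.search(msg):
            rep["reported_offset"] = int(i.group(1))
        elif sh := SHADOW_RE.match(msg):  # one shadow byte covers 8 bytes of the row
            cells = sh.group(2).split()
            rep["shadow_byte"] = int(cells[(rep["addr"] - int(sh.group(1), 16)) >> 3], 16)
    return rep


def triage(rep: dict) -> dict:
    """Cross-check the report's own arithmetic before trusting the headline."""
    off, stacks = rep["addr"] - rep["object_base"], rep["stacks"]
    return {
        "offset_matches": off == rep["reported_offset"],
        "inside_object": 0 <= off <= rep["object_size"] - rep["size"],
        "shadow_marks_freed": rep["shadow_byte"] == KASAN_KMALLOC_FREE,
        "same_ioctl_path": stacks["allocated"][1:] == stacks["freed"][1:],  # add and remove, one handler
        "summary": f"{rep['bug_type']} {rep['access'].lower()} at {rep['cache']}+{off} in "
                   f"{stacks['call'][0]}; alloc {stacks['allocated'][0]}, free {stacks['freed'][0]}",
    }

# Excerpt of the console log above, kobject noise and syzkaller output left in on purpose.
CONSOLE = """\
[ 73.755081][ T2854] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 73.755098][ T2854] Read of size 8 at addr ffff88808f2cfd10 by task kworker/1:2/2854
[ 73.755152][ T2854] Call Trace:
[ 73.770407][ T2854]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 73.780389][ T2854]  __kasan_report.cold+0x1b/0x40
[ 73.796017][ T2854]  blk_mq_free_rqs+0x49f/0x4b0
[ 73.819812][ T8941] kobject: 'loop0' (00000000fa3d45f1): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 73.834474][ T2854]
[ 73.834482][ T2854] Allocated by task 8939:
[ 73.844523][ T2854]  kmem_cache_alloc_trace+0x151/0x750
[ 73.844535][ T2854]  loop_add+0x51/0x8d0
[ 73.844547][ T2854]  loop_control_ioctl+0x165/0x360
executing program
[ 73.844558][ T2854]  do_vfs_ioctl+0xd5f/0x1380
[ 73.853931][ T2854]
[ 73.853938][ T2854] Freed by task 8940:
[ 73.853990][ T2854]  kfree+0xcf/0x220
[ 73.863747][ T2854]  loop_remove+0xa1/0xd0
[ 73.863760][ T2854]  loop_control_ioctl+0x320/0x360
[ 73.863771][ T2854]  do_vfs_ioctl+0xd5f/0x1380
[ 73.873749][ T2854]
[ 73.873760][ T2854] The buggy address belongs to the object at ffff88808f2cfb00
[ 73.873760][ T2854]  which belongs to the cache kmalloc-1k of size 1024
[ 73.873773][ T2854] The buggy address is located 528 bytes inside of
[ 73.893699][ T2854] >ffff88808f2cfd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.922215][ T2854] Call Trace:
[ 73.922265][ T2854]  panic+0x2cb/0x744
"""
```

On a full capture, `triage(parse_kasan(open(path).read()))` gives the same four checks plus a one-line summary; for the report above the checks all hold: 0xffff88808f2cfd10 - 0xffff88808f2cfb00 is 0x210 = 528, the 8-byte read stays inside the 1024-byte kmalloc-1k object, the shadow byte under the caret is 0xfb (freed), and both the allocating and the freeing stacks reach the driver through loop_control_ioctl, so the object that the kworker's queue teardown still dereferences had already been released by the loop-control remove path. The second "Call Trace:" (the panic's own backtrace) is deliberately ignored so it does not overwrite the access stack.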