[ ok ] Starting enhanced syslogd: rsyslogd.
[   57.718484][   T26] audit: type=1800 audit(1560011961.953:25): pid=8676 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   57.739901][   T26] audit: type=1800 audit(1560011961.953:26): pid=8676 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   57.776845][   T26] audit: type=1800 audit(1560011961.953:27): pid=8676 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.23' (ECDSA) to the list of known hosts.
syzkaller login: [   67.734384][ T8835] IPVS: ftp: loaded support on port[0] = 21
[   67.742386][ T8843] IPVS: ftp: loaded support on port[0] = 21
[   67.752458][ T8841] IPVS: ftp: loaded support on port[0] = 21
[   67.753280][ T8842] IPVS: ftp: loaded support on port[0] = 21
[   67.760726][ T8839] IPVS: ftp: loaded support on port[0] = 21
[   67.766677][ T8840] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
executing program
executing program
[   67.969908][   T22] ==================================================================
[   67.978162][   T22] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[   67.978180][   T22] Read of size 8 at addr ffff8880a3e1eb10 by task kworker/1:1/22
[   67.978184][   T22]
[   67.978199][   T22] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.2.0-rc3+ #23
[   67.978208][   T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.978225][   T22] Workqueue: events __blk_release_queue
[   67.978232][   T22] Call Trace:
[   67.978251][   T22]  dump_stack+0x172/0x1f0
[   67.978265][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   67.978283][   T22]  print_address_description.cold+0x7c/0x20d
[   67.978302][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   67.978313][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   67.978326][   T22]  __kasan_report.cold+0x1b/0x40
[   67.978341][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   67.993403][   T22]  kasan_report+0x12/0x20
[   67.993423][   T22]  __asan_report_load8_noabort+0x14/0x20
[   67.993439][   T22]  blk_mq_free_rqs+0x49f/0x4b0
[   67.993451][   T22]  ? dd_exit_queue+0x92/0xd0
[   67.993464][   T22]  ? kfree+0x170/0x220
[   67.993484][   T22]  blk_mq_sched_tags_teardown+0x126/0x210
[   67.997121][ T8845] kobject: '7:1' (000000007ba50fd1): kobject_cleanup, parent 00000000e80ce31d
[   68.003268][   T22]  ? dd_request_merge+0x230/0x230
[   68.003290][   T22]  blk_mq_exit_sched+0x1fa/0x2d0
[   68.003311][   T22]  elevator_exit+0x70/0xa0
[   68.003329][   T22]  __blk_release_queue+0x127/0x330
[   68.003349][   T22]  process_one_work+0x989/0x1790
[   68.003370][   T22]  ? pwq_dec_nr_in_flight+0x320/0x320
[   68.014121][ T8845] kobject: '7:1' (000000007ba50fd1): calling ktype release
[   68.018971][   T22]  ? lock_acquire+0x16f/0x3f0
[   68.019002][   T22]  worker_thread+0x98/0xe40
[   68.019032][   T22]  kthread+0x354/0x420
[   68.019046][   T22]  ? process_one_work+0x1790/0x1790
[   68.019059][   T22]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   68.019076][   T22]  ret_from_fork+0x24/0x30
[   68.019094][   T22]
[   68.023067][ T8845] kobject: '7:1': free name
[   68.026769][   T22] Allocated by task 1:
[   68.026787][   T22]  save_stack+0x23/0x90
[   68.026801][   T22]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   68.026812][   T22]  kasan_kmalloc+0x9/0x10
[   68.026824][   T22]  kmem_cache_alloc_trace+0x151/0x750
[   68.026837][   T22]  loop_add+0x51/0x8d0
[   68.026849][   T22]  loop_init+0x1fe/0x25a
[   68.026863][   T22]  do_one_initcall+0x107/0x7ba
[   68.026877][   T22]  kernel_init_freeable+0x4d4/0x5c3
[   68.026889][   T22]  kernel_init+0x12/0x1c5
[   68.026907][   T22]  ret_from_fork+0x24/0x30
[   68.032658][ T8845] kobject: 'mq' (000000003aafa98c): kobject_uevent_env
[   68.037793][   T22]
[   68.037802][   T22] Freed by task 8844:
[   68.037818][   T22]  save_stack+0x23/0x90
[   68.037831][   T22]  __kasan_slab_free+0x102/0x150
[   68.037842][   T22]  kasan_slab_free+0xe/0x10
[   68.037853][   T22]  kfree+0xcf/0x220
[   68.037865][   T22]  loop_remove+0xa1/0xd0
[   68.037877][   T22]  loop_control_ioctl+0x320/0x360
[   68.037888][   T22]  do_vfs_ioctl+0xd5f/0x1380
[   68.037897][   T22]  ksys_ioctl+0xab/0xd0
[   68.037907][   T22]  __x64_sys_ioctl+0x73/0xb0
[   68.037920][   T22]  do_syscall_64+0xfd/0x680
[   68.037933][   T22]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   68.037944][   T22]
[   68.037954][   T22] The buggy address belongs to the object at ffff8880a3e1e900
[   68.037954][   T22]  which belongs to the cache kmalloc-1k of size 1024
[   68.037964][   T22] The buggy address is located 528 bytes inside of
[   68.037964][   T22]  1024-byte region [ffff8880a3e1e900, ffff8880a3e1ed00)
[   68.037967][   T22] The buggy address belongs to the page:
[   68.043965][ T8845] kobject: 'mq' (000000003aafa98c): kobject_uevent_env: filter function caused the event to drop!
[   68.047997][   T22] page:ffffea00028f8780 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[   68.048014][   T22] flags: 0x1fffc0000010200(slab|head)
[   68.048034][   T22] raw: 01fffc0000010200 ffffea0002954888 ffffea00028fe788 ffff8880aa400ac0
[   68.048050][   T22] raw: 0000000000000000 ffff8880a3e1e000 0000000100000007 0000000000000000
[   68.048057][   T22] page dumped because: kasan: bad access detected
[   68.048060][   T22]
[   68.048065][   T22] Memory state around the buggy address:
[   68.048076][   T22]  ffff8880a3e1ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.048086][   T22]  ffff8880a3e1ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.048097][   T22] >ffff8880a3e1eb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.048102][   T22]                                                                    ^
[   68.048112][   T22]  ffff8880a3e1eb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.048129][   T22]  ffff8880a3e1ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.053935][ T8845] kobject: 'queue' (00000000933ddf7a): kobject_uevent_env
[   68.057982][   T22] ==================================================================
[   68.057987][   T22] Disabling lock debugging due to kernel taint
[   68.060268][   T22] Kernel panic - not syncing: panic_on_warn set ...
[   68.065157][ T8845] kobject: 'queue' (00000000933ddf7a): kobject_uevent_env: filter function caused the event to drop!
[   68.068049][   T22] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G    B             5.2.0-rc3+ #23
[   68.068057][   T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   68.068075][   T22] Workqueue: events __blk_release_queue
[   68.068082][   T22] Call Trace:
[   68.068099][   T22]  dump_stack+0x172/0x1f0
[   68.068123][   T22]  panic+0x2cb/0x744
[   68.068137][   T22]  ? __warn_printk+0xf3/0xf3
[   68.068152][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   68.068168][   T22]  ? preempt_schedule+0x4b/0x60
[   68.068182][   T22]  ? ___preempt_schedule+0x16/0x18
[   68.068198][   T22]  ? trace_hardirqs_on+0x5e/0x220
[   68.068216][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   68.075324][ T8845] kobject: 'iosched' (000000001bfef60b): kobject_uevent_env
[   68.077550][   T22]  end_report+0x47/0x4f
[   68.077565][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   68.077577][   T22]  __kasan_report.cold+0xe/0x40
[   68.077590][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   68.077611][   T22]  kasan_report+0x12/0x20
[   68.082624][ T8845] kobject: 'iosched' (000000001bfef60b): kobject_uevent_env: attempted to send uevent without kset!
[   68.087406][   T22]  __asan_report_load8_noabort+0x14/0x20
[   68.087421][   T22]  blk_mq_free_rqs+0x49f/0x4b0
[   68.087434][   T22]  ? dd_exit_queue+0x92/0xd0
[   68.087443][   T22]  ? kfree+0x170/0x220
[   68.087460][   T22]  blk_mq_sched_tags_teardown+0x126/0x210
[   68.087478][   T22]  ? dd_request_merge+0x230/0x230
[   68.097022][ T8845] kobject: 'holders' (0000000022a7b611): kobject_cleanup, parent 000000008dbf5057
[   68.101515][   T22]  blk_mq_exit_sched+0x1fa/0x2d0
[   68.101533][   T22]  elevator_exit+0x70/0xa0
[   68.101548][   T22]  __blk_release_queue+0x127/0x330
[   68.101568][   T22]  process_one_work+0x989/0x1790
[   68.106907][ T8845] kobject: 'holders' (0000000022a7b611): auto cleanup kobject_del
[   68.110894][   T22]  ? pwq_dec_nr_in_flight+0x320/0x320
[   68.110908][   T22]  ? lock_acquire+0x16f/0x3f0
[   68.110932][   T22]  worker_thread+0x98/0xe40
[   68.116466][ T8845] kobject: 'holders' (0000000022a7b611): calling ktype release
[   68.120961][   T22]  kthread+0x354/0x420
[   68.120976][   T22]  ? process_one_work+0x1790/0x1790
[   68.120990][   T22]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   68.121008][   T22]  ret_from_fork+0x24/0x30
[   68.126829][ T8845] kobject: (0000000022a7b611): dynamic_kobj_release
[   68.134630][   T22] Kernel Offset: disabled
[   68.728338][   T22] Rebooting in 86400 seconds..