[ 72.008138][ T26] audit: type=1800 audit(1559943765.466:30): pid=8802 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
[FAIL] startpar: service(s) returned failure: rsyslog ... failed!

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.58' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 80.656524][ T26] kauditd_printk_skb: 5 callbacks suppressed
[ 80.656539][ T26] audit: type=1400 audit(1559943774.156:36): avc: denied { map } for pid=9014 comm="syz-executor154" path="/root/syz-executor154089551" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 81.183717][ T3001] ==================================================================
[ 81.191959][ T3001] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 81.191975][ T3001] Read of size 8 at addr ffff8880a8959450 by task kworker/1:2/3001
[ 81.191978][ T3001]
[ 81.191992][ T3001] CPU: 1 PID: 3001 Comm: kworker/1:2 Not tainted 5.2.0-rc3+ #15
[ 81.192000][ T3001] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 81.192015][ T3001] Workqueue: events __blk_release_queue
[ 81.192022][ T3001] Call Trace:
[ 81.192040][ T3001] dump_stack+0x172/0x1f0
[ 81.192054][ T3001] ? blk_mq_free_rqs+0x49f/0x4b0
[ 81.192072][ T3001] print_address_description.cold+0x7c/0x20d
[ 81.192085][ T3001] ? blk_mq_free_rqs+0x49f/0x4b0
[ 81.192097][ T3001] ? blk_mq_free_rqs+0x49f/0x4b0
[ 81.192112][ T3001] __kasan_report.cold+0x1b/0x40
[ 81.192127][ T3001] ? blk_mq_free_rqs+0x49f/0x4b0
[ 81.192141][ T3001] kasan_report+0x12/0x20
[ 81.192159][ T3001] __asan_report_load8_noabort+0x14/0x20
[ 81.192169][ T3001] blk_mq_free_rqs+0x49f/0x4b0
[ 81.192179][ T3001] ? dd_exit_queue+0x92/0xd0
[ 81.192187][ T3001] ? kfree+0x170/0x220
[ 81.192203][ T3001] blk_mq_sched_tags_teardown+0x126/0x210
[ 81.192218][ T3001] ? dd_request_merge+0x230/0x230
[ 81.199953][ T9025] kobject: '7:0' (00000000cc2817b2): kobject_uevent_env
[ 81.207393][ T3001] blk_mq_exit_sched+0x1fa/0x2d0
[ 81.207411][ T3001] elevator_exit+0x70/0xa0
[ 81.207423][ T3001] __blk_release_queue+0x127/0x330
[ 81.207437][ T3001] process_one_work+0x989/0x1790
[ 81.207454][ T3001] ? pwq_dec_nr_in_flight+0x320/0x320
[ 81.207464][ T3001] ? lock_acquire+0x16f/0x3f0
[ 81.207483][ T3001] worker_thread+0x98/0xe40
[ 81.207495][ T3001] ? trace_hardirqs_on+0x67/0x220
[ 81.207515][ T3001] kthread+0x354/0x420
[ 81.207527][ T3001] ? process_one_work+0x1790/0x1790
[ 81.207537][ T3001] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 81.207550][ T3001] ret_from_fork+0x24/0x30
[ 81.207564][ T3001]
[ 81.207570][ T3001] Allocated by task 9023:
[ 81.207581][ T3001] save_stack+0x23/0x90
[ 81.207590][ T3001] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 81.207599][ T3001] kasan_kmalloc+0x9/0x10
[ 81.207607][ T3001] kmem_cache_alloc_trace+0x151/0x750
[ 81.207618][ T3001] loop_add+0x51/0x8d0
[ 81.207628][ T3001] loop_control_ioctl+0x22d/0x360
[ 81.207639][ T3001] do_vfs_ioctl+0xd5f/0x1380
[ 81.207649][ T3001] ksys_ioctl+0xab/0xd0
[ 81.207663][ T3001] __x64_sys_ioctl+0x73/0xb0
[ 81.210030][ T9025] kobject: '7:0' (00000000cc2817b2): fill_kobj_path: path = '/devices/virtual/bdi/7:0'
[ 81.217573][ T3001] do_syscall_64+0xfd/0x680
[ 81.217586][ T3001] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 81.217589][ T3001]
[ 81.217595][ T3001] Freed by task 9023:
[ 81.217610][ T3001] save_stack+0x23/0x90
[ 81.229779][ T9025] kobject: 'loop0' (00000000f3c36380): kobject_add_internal: parent: 'block', set: 'devices'
[ 81.233159][ T3001] __kasan_slab_free+0x102/0x150
[ 81.233171][ T3001] kasan_slab_free+0xe/0x10
[ 81.233181][ T3001] kfree+0xcf/0x220
[ 81.233198][ T3001] loop_remove+0xa1/0xd0
[ 81.236893][ T9025] kobject: 'loop0' (00000000f3c36380): kobject_uevent_env
[ 81.240769][ T3001] loop_control_ioctl+0x320/0x360
[ 81.240780][ T3001] do_vfs_ioctl+0xd5f/0x1380
[ 81.240790][ T3001] ksys_ioctl+0xab/0xd0
[ 81.240798][ T3001] __x64_sys_ioctl+0x73/0xb0
[ 81.240816][ T3001] do_syscall_64+0xfd/0x680
[ 81.245761][ T9025] kobject: 'loop0' (00000000f3c36380): kobject_uevent_env: uevent_suppress caused the event to drop!
[ 81.251682][ T3001] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 81.251687][ T3001]
[ 81.251697][ T3001] The buggy address belongs to the object at ffff8880a8959240
[ 81.251697][ T3001] which belongs to the cache kmalloc-1k of size 1024
[ 81.251708][ T3001] The buggy address is located 528 bytes inside of
[ 81.251708][ T3001] 1024-byte region [ffff8880a8959240, ffff8880a8959640)
[ 81.251716][ T3001] The buggy address belongs to the page:
[ 81.256706][ T9025] kobject: 'holders' (00000000a5aef05d): kobject_add_internal: parent: 'loop0', set: ''
[ 81.261552][ T3001] page:ffffea0002a25600 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 81.261568][ T3001] flags: 0x1fffc0000010200(slab|head)
[ 81.261588][ T3001] raw: 01fffc0000010200 ffffea0002345e08 ffffea00025b8b88 ffff8880aa400ac0
[ 81.266558][ T9025] kobject: 'slaves' (0000000023ba1f31): kobject_add_internal: parent: 'loop0', set: ''
[ 81.271416][ T3001] raw: 0000000000000000 ffff8880a8958040 0000000100000007 0000000000000000
[ 81.271422][ T3001] page dumped because: kasan: bad access detected
[ 81.271425][ T3001]
[ 81.271429][ T3001] Memory state around the buggy address:
[ 81.271440][ T3001]  ffff8880a8959300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 81.271452][ T3001]  ffff8880a8959380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 81.275886][ T9025] kobject: 'loop0' (00000000f3c36380): kobject_uevent_env
[ 81.281448][ T3001] >ffff8880a8959400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 81.281453][ T3001]                                                  ^
[ 81.281463][ T3001]  ffff8880a8959480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 81.281473][ T3001]  ffff8880a8959500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 81.281483][ T3001] ==================================================================
[ 81.286298][ T9025] kobject: 'loop0' (00000000f3c36380): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 81.290796][ T3001] Disabling lock debugging due to kernel taint
[ 81.295159][ T3001] Kernel panic - not syncing: panic_on_warn set ...
[ 81.302818][ T9025] kobject: 'queue' (00000000f2dc008c): kobject_add_internal: parent: 'loop0', set: ''
[ 81.305575][ T3001] CPU: 1 PID: 3001 Comm: kworker/1:2 Tainted: G    B             5.2.0-rc3+ #15
[ 81.305591][ T3001] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 81.312842][ T9025] kobject: 'mq' (00000000411426fc): kobject_add_internal: parent: 'loop0', set: ''
[ 81.317422][ T3001] Workqueue: events __blk_release_queue
[ 81.321860][ T9025] kobject: 'mq' (00000000411426fc): kobject_uevent_env
[ 81.326895][ T3001] Call Trace:
[ 81.326911][ T3001] dump_stack+0x172/0x1f0
[ 81.326930][ T3001] panic+0x2cb/0x744
[ 81.331870][ T9025] kobject: 'mq' (00000000411426fc): kobject_uevent_env: filter function caused the event to drop!
[ 81.337185][ T3001] ? __warn_printk+0xf3/0xf3
[ 81.337203][ T3001] ? blk_mq_free_rqs+0x49f/0x4b0
[ 81.341892][ T9025] kobject: '0' (0000000018f0b9b0): kobject_add_internal: parent: 'mq', set: ''
[ 81.346325][ T3001] ? preempt_schedule+0x4b/0x60
[ 81.346343][ T3001] ? ___preempt_schedule+0x16/0x18
[ 81.351421][ T9025] kobject: 'cpu0' (000000005b3764fa): kobject_add_internal: parent: '0', set: ''
[ 81.355375][ T3001] ? trace_hardirqs_on+0x5e/0x220
[ 81.355391][ T3001] ? blk_mq_free_rqs+0x49f/0x4b0
[ 81.360613][ T9025] kobject: 'cpu1' (000000003009c0cd): kobject_add_internal: parent: '0', set: ''
[ 81.367117][ T3001] end_report+0x47/0x4f
[ 81.367133][ T3001] ? blk_mq_free_rqs+0x49f/0x4b0
[ 81.371589][ T9025] kobject: 'queue' (00000000f2dc008c): kobject_uevent_env
[ 81.373829][ T3001] __kasan_report.cold+0xe/0x40
[ 81.373845][ T3001] ? blk_mq_free_rqs+0x49f/0x4b0
[ 81.378160][ T9025] kobject: 'queue' (00000000f2dc008c): kobject_uevent_env: filter function caused the event to drop!
[ 81.382270][ T3001] kasan_report+0x12/0x20
[ 81.382283][ T3001] __asan_report_load8_noabort+0x14/0x20
[ 81.382298][ T3001] blk_mq_free_rqs+0x49f/0x4b0
[ 81.388547][ T9025] kobject: 'iosched' (00000000304d355e): kobject_add_internal: parent: 'queue', set: ''
[ 81.392775][ T3001] ? dd_exit_queue+0x92/0xd0
[ 81.392786][ T3001] ? kfree+0x170/0x220
[ 81.392805][ T3001] blk_mq_sched_tags_teardown+0x126/0x210
[ 81.398232][ T9025] kobject: 'iosched' (00000000304d355e): kobject_uevent_env
[ 81.402188][ T3001] ? dd_request_merge+0x230/0x230
[ 81.402201][ T3001] blk_mq_exit_sched+0x1fa/0x2d0
[ 81.402217][ T3001] elevator_exit+0x70/0xa0
[ 81.407226][ T9025] kobject: 'iosched' (00000000304d355e): kobject_uevent_env: filter function caused the event to drop!
[ 81.411779][ T3001] __blk_release_queue+0x127/0x330
[ 81.411792][ T3001] process_one_work+0x989/0x1790
[ 81.411810][ T3001] ? pwq_dec_nr_in_flight+0x320/0x320
[ 81.415982][ T9025] kobject: 'integrity' (0000000046d14426): kobject_add_internal: parent: 'loop0', set: ''
[ 81.420509][ T3001] ? lock_acquire+0x16f/0x3f0
[ 81.420526][ T3001] worker_thread+0x98/0xe40
[ 81.420544][ T3001] ? trace_hardirqs_on+0x67/0x220
[ 81.430222][ T9025] kobject: 'integrity' (0000000046d14426): kobject_uevent_env
[ 81.434634][ T3001] kthread+0x354/0x420
[ 81.434652][ T3001] ? process_one_work+0x1790/0x1790
[ 81.440543][ T9025] kobject: 'integrity' (0000000046d14426): kobject_uevent_env: filter function caused the event to drop!
[ 81.442821][ T3001] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 81.442838][ T3001] ret_from_fork+0x24/0x30
[ 81.446880][ T9025] kobject: 'integrity' (0000000046d14426): kobject_uevent_env
[ 81.452157][ T3001] Kernel Offset: disabled
[ 82.043714][ T3001] Rebooting in 86400 seconds..
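A triage helper for this kind of report, added here as an example and not part of the syzkaller output or of the kernel sources. It separates the reporting task's lines from the interleaved T9025 kobject chatter, pulls the "Allocated by" / "Freed by" stacks and the release-path call trace out of the KASAN sections, skips the KASAN/slab instrumentation frames so the first remaining frame is the real call site, and recomputes the object offset from the two addresses instead of trusting the printed "528 bytes inside". Run on the report above it shows what a reviewer needs at a glance: a kmalloc-1k object allocated in loop_add and freed in loop_remove by the same task (9023, both via loop_control_ioctl), then read 528 bytes in by the deferred __blk_release_queue work item on kworker/1:2 (PID 3001). The embedded input is a trimmed copy of the report above with the T9025 lines left in; the PLUMBING prefix list is my own heuristic, not a kernel-defined set.

```python
import re

# Constructed sample input: a trimmed copy of the report above. The T9025
# kobject lines are left in so the task filter has something to discard.
SAMPLE_LOG = """\
[ 81.191959][ T3001] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 81.191975][ T3001] Read of size 8 at addr ffff8880a8959450 by task kworker/1:2/3001
[ 81.191978][ T3001]
[ 81.192015][ T3001] Workqueue: events __blk_release_queue
[ 81.192022][ T3001] Call Trace:
[ 81.192040][ T3001] dump_stack+0x172/0x1f0
[ 81.192054][ T3001] ? blk_mq_free_rqs+0x49f/0x4b0
[ 81.192112][ T3001] __kasan_report.cold+0x1b/0x40
[ 81.192159][ T3001] __asan_report_load8_noabort+0x14/0x20
[ 81.192169][ T3001] blk_mq_free_rqs+0x49f/0x4b0
[ 81.192203][ T3001] blk_mq_sched_tags_teardown+0x126/0x210
[ 81.199953][ T9025] kobject: '7:0' (00000000cc2817b2): kobject_uevent_env
[ 81.207393][ T3001] blk_mq_exit_sched+0x1fa/0x2d0
[ 81.207423][ T3001] __blk_release_queue+0x127/0x330
[ 81.207564][ T3001]
[ 81.207570][ T3001] Allocated by task 9023:
[ 81.207581][ T3001] save_stack+0x23/0x90
[ 81.207590][ T3001] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 81.207618][ T3001] loop_add+0x51/0x8d0
[ 81.207628][ T3001] loop_control_ioctl+0x22d/0x360
[ 81.217589][ T3001]
[ 81.217595][ T3001] Freed by task 9023:
[ 81.217610][ T3001] save_stack+0x23/0x90
[ 81.229779][ T9025] kobject: 'loop0' (00000000f3c36380): kobject_add_internal: parent: 'block', set: 'devices'
[ 81.233159][ T3001] __kasan_slab_free+0x102/0x150
[ 81.233181][ T3001] kfree+0xcf/0x220
[ 81.233198][ T3001] loop_remove+0xa1/0xd0
[ 81.240769][ T3001] loop_control_ioctl+0x320/0x360
[ 81.251687][ T3001]
[ 81.251697][ T3001] The buggy address belongs to the object at ffff8880a8959240
[ 81.251697][ T3001] which belongs to the cache kmalloc-1k of size 1024
[ 81.251708][ T3001] The buggy address is located 528 bytes inside of
[ 81.251708][ T3001] 1024-byte region [ffff8880a8959240, ffff8880a8959640)
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T(\d+)\]\s?(.*)$")
BUG = re.compile(r"BUG: KASAN: (\S+) in (\S+)")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
OBJECT = re.compile(r"belongs to the object at ([0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
INSIDE = re.compile(r"located (\d+) bytes inside of")
SECTION = re.compile(r"^(Call Trace|Allocated|Freed)(?: by task (\d+))?:$")
KIND = {"Call Trace": "trace", "Allocated": "alloc", "Freed": "free"}
# Heuristic (my own list): frames owned by KASAN/slab plumbing, not by the
# code under investigation.
PLUMBING = ("dump_stack", "print_address_description", "__kasan_", "kasan_",
            "__asan_", "save_stack", "kmem_cache_", "kfree", "kmalloc")


def driver_frames(frames):
    """Drop allocator/KASAN frames so the first entry is the real call site."""
    return [f for f in frames if not f.startswith(PLUMBING)]


def triage(log):
    """Summarise the KASAN report in a console log; None if there is none."""
    parsed = [PREFIX.match(ln).groups() for ln in log.splitlines() if PREFIX.match(ln)]
    # The reporting task is whoever printed the BUG line; other tasks' output
    # (here T9025 re-creating loop0) is interleaved noise and is dropped.
    task = next((t for t, text in parsed if BUG.search(text)), None)
    if task is None:
        return None
    fields, stacks, tasks, section = {}, {}, {}, None
    for text in (text.strip() for t, text in parsed if t == task):
        m = SECTION.match(text)
        if m:
            section = KIND[m.group(1)]
            stacks[section], tasks[section] = [], m.group(2)
        elif not text:                        # a blank line closes the section
            section = None
        elif section:
            if not text.startswith("? "):     # '?' marks an unreliable frame
                stacks[section].append(text.split("+")[0])
        elif text.startswith("Workqueue:"):
            fields["workqueue"] = text.split()[-1]
        else:
            for key, rx in (("bug", BUG), ("access", ACCESS), ("object", OBJECT),
                            ("cache", CACHE), ("inside", INSIDE)):
                m = rx.search(text)
                if m:
                    fields[key] = m.groups()
    kind, size, addr, reader = fields["access"]
    offset = int(addr, 16) - int(fields["object"][0], 16)   # recomputed, not copied
    return {
        "type": fields["bug"][0],
        "faulting_function": fields["bug"][1].split("+")[0],
        "access": f"{kind} of size {size}",
        "reader_pid": reader.rsplit("/", 1)[-1],
        "workqueue": fields.get("workqueue"),
        "cache": fields["cache"][0],
        "offset": offset,
        "offset_matches_report": offset == int(fields["inside"][0]),
        "release_path": driver_frames(stacks.get("trace", [])),
        "alloc_path": driver_frames(stacks.get("alloc", [])),
        "free_path": driver_frames(stacks.get("free", [])),
        "alloc_task": tasks.get("alloc"),
        "free_task": tasks.get("free"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:24} {value}")
```

The task filter matters more than it looks: without it, the T9025 kobject lines land inside the "Freed by task" section and corrupt the free stack. Frames prefixed with `?` are stale stack slots, not reliable callers, which is why the helper drops them rather than reporting `dd_exit_queue` or `kfree` as part of the release path.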