[ ok ] Starting enhanced syslogd: rsyslogd.
[ 57.895800][ T27] audit: type=1800 audit(1560008456.117:25): pid=8809 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 57.942107][ T27] audit: type=1800 audit(1560008456.117:26): pid=8809 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 57.989342][ T27] audit: type=1800 audit(1560008456.127:27): pid=8809 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.22' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program

syzkaller login: [ 69.846218][ T22] ==================================================================
[ 69.854450][ T22] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 69.861904][ T22] Read of size 8 at addr ffff888086dd0f90 by task kworker/1:1/22
[ 69.861907][ T22]
[ 69.861918][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.2.0-rc3-next-20190607 #11
[ 69.861931][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.872119][ T22] Workqueue: events __blk_release_queue
[ 69.872130][ T22] Call Trace:
[ 69.891003][ T22]  dump_stack+0x172/0x1f0
[ 69.891017][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 69.891030][ T22]  print_address_description.cold+0xd4/0x306
[ 69.891037][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 69.891053][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 69.900093][ T22]  __kasan_report.cold+0x1b/0x36
[ 69.900120][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 69.909512][ T22]  kasan_report+0x12/0x20
[ 69.909528][ T22]  __asan_report_load8_noabort+0x14/0x20
[ 69.920420][ T22]  blk_mq_free_rqs+0x49f/0x4b0
[ 69.920435][ T22]  ? dd_exit_queue+0x92/0xd0
[ 69.930408][ T22]  ? kfree+0x1ec/0x2a0
[ 69.930433][ T22]  blk_mq_sched_tags_teardown+0x126/0x210
[ 69.939862][ T22]  ? dd_request_merge+0x230/0x230
[ 69.950216][ T22]  blk_mq_exit_sched+0x1fa/0x2d0
[ 69.950234][ T22]  elevator_exit+0x70/0xa0
[ 69.958910][ T22]  __blk_release_queue+0x127/0x330
[ 69.958927][ T22]  process_one_work+0x989/0x1790
[ 69.969655][ T22]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 69.969670][ T22]  ? lock_acquire+0x16f/0x3f0
[ 69.979202][ T22]  worker_thread+0x98/0xe40
[ 69.979214][ T22]  ? trace_hardirqs_on+0x67/0x220
[ 69.979229][ T22]  kthread+0x354/0x420
[ 69.989432][ T22]  ? process_one_work+0x1790/0x1790
[ 69.989442][ T22]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 69.989461][ T22]  ret_from_fork+0x24/0x30
[ 69.999500][ T22]
[ 69.999508][ T22] Allocated by task 8969:
[ 69.999520][ T22]  save_stack+0x23/0x90
[ 69.999534][ T22]  __kasan_kmalloc.constprop.0+0xcf/0xe0
executing program
[ 70.009242][ T22]  kasan_kmalloc+0x9/0x10
[ 70.009251][ T22]  kmem_cache_alloc_trace+0x151/0x750
[ 70.009259][ T22]  loop_add+0x51/0x8d0
[ 70.009271][ T22]  loop_control_ioctl+0x165/0x360
[ 70.013580][ T8972] kobject: 'iosched' (00000000912673e7): kobject_add_internal: parent: 'queue', set: ''
[ 70.018663][ T22]  do_vfs_ioctl+0xdb6/0x13e0
[ 70.018670][ T22]  ksys_ioctl+0xab/0xd0
[ 70.018676][ T22]  __x64_sys_ioctl+0x73/0xb0
[ 70.018685][ T22]  do_syscall_64+0xfd/0x680
[ 70.018696][ T22]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 70.018699][ T22]
[ 70.018703][ T22] Freed by task 8971:
[ 70.018710][ T22]  save_stack+0x23/0x90
[ 70.018717][ T22]  __kasan_slab_free+0x102/0x150
[ 70.018732][ T22]  kasan_slab_free+0xe/0x10
[ 70.025715][ T8972] kobject: 'iosched' (00000000912673e7): kobject_uevent_env
[ 70.029598][ T22]  kfree+0x106/0x2a0
[ 70.029608][ T22]  loop_remove+0xa1/0xd0
[ 70.029615][ T22]  loop_control_ioctl+0x320/0x360
[ 70.029628][ T22]  do_vfs_ioctl+0xdb6/0x13e0
[ 70.031981][ T8972] kobject: 'iosched' (00000000912673e7): kobject_uevent_env: filter function caused the event to drop!
[ 70.036260][ T22]  ksys_ioctl+0xab/0xd0
[ 70.036268][ T22]  __x64_sys_ioctl+0x73/0xb0
[ 70.036280][ T22]  do_syscall_64+0xfd/0x680
[ 70.036291][ T22]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 70.036294][ T22]
[ 70.036302][ T22] The buggy address belongs to the object at ffff888086dd0d80
[ 70.036302][ T22]  which belongs to the cache kmalloc-1k of size 1024
[ 70.036315][ T22] The buggy address is located 528 bytes inside of
[ 70.036315][ T22]  1024-byte region [ffff888086dd0d80, ffff888086dd1180)
[ 70.041015][ T8972] kobject: 'integrity' (0000000097043b23): kobject_add_internal: parent: 'loop0', set: ''
[ 70.046268][ T22] The buggy address belongs to the page:
[ 70.046282][ T22] page:ffffea00021b7400 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 70.046292][ T22] flags: 0x1fffc0000010200(slab|head)
[ 70.046304][ T22] raw: 01fffc0000010200 ffffea0002900388 ffffea0002314f88 ffff8880aa400ac0
[ 70.046313][ T22] raw: 0000000000000000 ffff888086dd0000 0000000100000007 0000000000000000
[ 70.046316][ T22] page dumped because: kasan: bad access detected
[ 70.046319][ T22]
[ 70.046330][ T22] Memory state around the buggy address:
[ 70.051339][ T8972] kobject: 'integrity' (0000000097043b23): kobject_uevent_env
[ 70.056272][ T22]  ffff888086dd0e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.056280][ T22]  ffff888086dd0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.056285][ T22] >ffff888086dd0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.056289][ T22]                          ^
[ 70.056295][ T22]  ffff888086dd1000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.056300][ T22]  ffff888086dd1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.056304][ T22] ==================================================================
[ 70.056307][ T22] Disabling lock debugging due to kernel taint
[ 70.057642][ T22] Kernel panic - not syncing: panic_on_warn set ...
[ 70.063673][ T8972] kobject: 'integrity' (0000000097043b23): kobject_uevent_env: filter function caused the event to drop!
[ 70.065483][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G B 5.2.0-rc3-next-20190607 #11
[ 70.065489][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.065509][ T22] Workqueue: events __blk_release_queue
[ 70.065514][ T22] Call Trace:
[ 70.065527][ T22]  dump_stack+0x172/0x1f0
[ 70.065539][ T22]  panic+0x2cb/0x744
[ 70.065547][ T22]  ? __warn_printk+0xf3/0xf3
[ 70.065563][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 70.083940][ T8973] kobject: 'integrity' (0000000097043b23): kobject_uevent_env
[ 70.084951][ T22]  ? preempt_schedule+0x4b/0x60
[ 70.084968][ T22]  ? ___preempt_schedule+0x16/0x18
[ 70.089791][ T8973] kobject: 'integrity' (0000000097043b23): kobject_uevent_env: filter function caused the event to drop!
[ 70.094245][ T22]  ? trace_hardirqs_on+0x5e/0x220
[ 70.094258][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 70.094269][ T22]  end_report+0x47/0x4f
[ 70.094284][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 70.100553][ T8973] kobject: 'integrity' (0000000097043b23): kobject_cleanup, parent 0000000066afdf11
[ 70.102472][ T22]  __kasan_report.cold+0xe/0x36
[ 70.102486][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 70.106932][ T8973] kobject: 'integrity' (0000000097043b23): does not have a release() function, it is broken and must be fixed. See Documentation/kobject.txt.
[ 70.110765][ T22]  kasan_report+0x12/0x20
[ 70.110780][ T22]  __asan_report_load8_noabort+0x14/0x20
[ 70.115923][ T8973] kobject: 'integrity': free name
[ 70.120180][ T22]  blk_mq_free_rqs+0x49f/0x4b0
[ 70.120196][ T22]  ? dd_exit_queue+0x92/0xd0
[ 70.508869][ T22]  ? kfree+0x1ec/0x2a0
[ 70.513391][ T22]  blk_mq_sched_tags_teardown+0x126/0x210
[ 70.519112][ T22]  ? dd_request_merge+0x230/0x230
[ 70.524127][ T22]  blk_mq_exit_sched+0x1fa/0x2d0
[ 70.529279][ T22]  elevator_exit+0x70/0xa0
[ 70.533688][ T22]  __blk_release_queue+0x127/0x330
[ 70.538900][ T22]  process_one_work+0x989/0x1790
[ 70.543839][ T22]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 70.549200][ T22]  ? lock_acquire+0x16f/0x3f0
[ 70.553875][ T22]  worker_thread+0x98/0xe40
[ 70.558372][ T22]  ? trace_hardirqs_on+0x67/0x220
[ 70.563394][ T22]  kthread+0x354/0x420
[ 70.567580][ T22]  ? process_one_work+0x1790/0x1790
[ 70.572767][ T22]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 70.579015][ T22]  ret_from_fork+0x24/0x30
[ 70.584464][ T22] Kernel Offset: disabled
[ 70.588818][ T22] Rebooting in 86400 seconds..