Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
[ 69.724202][ T26] kauditd_printk_skb: 6 callbacks suppressed
[ 69.724215][ T26] audit: type=1800 audit(1559976022.141:33): pid=9458 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 69.752418][ T26] audit: type=1800 audit(1559976022.141:34): pid=9458 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 73.385137][ T26] audit: type=1400 audit(1559976025.801:35): avc: denied { map } for pid=9635 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.78' (ECDSA) to the list of known hosts.
executing program
[ 80.952693][ T26] audit: type=1400 audit(1559976033.371:36): avc: denied { map } for pid=9647 comm="syz-executor595" path="/root/syz-executor595106258" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
[ 81.113468][ T5] ==================================================================
[ 81.121722][ T5] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 81.129000][ T5] Read of size 8 at addr ffff88809ffe2250 by task kworker/0:0/5
[ 81.136606][ T5]
[ 81.138918][ T5] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.2.0-rc3+ #16
[ 81.146261][ T5] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 81.156307][ T5] Workqueue: events __blk_release_queue
[ 81.161827][ T5] Call Trace:
[ 81.165100][ T5]  dump_stack+0x172/0x1f0
[ 81.169409][ T5]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 81.174342][ T5]  print_address_description.cold+0x7c/0x20d
[ 81.180310][ T5]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 81.185225][ T5]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 81.190143][ T5]  __kasan_report.cold+0x1b/0x40
[ 81.195062][ T5]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 81.199978][ T5]  kasan_report+0x12/0x20
[ 81.204287][ T5]  __asan_report_load8_noabort+0x14/0x20
[ 81.209898][ T5]  blk_mq_free_rqs+0x49f/0x4b0
[ 81.214640][ T5]  ? dd_exit_queue+0x92/0xd0
[ 81.219221][ T5]  ? kfree+0x170/0x220
[ 81.223284][ T5]  blk_mq_sched_tags_teardown+0x126/0x210
[ 81.228983][ T5]  ? dd_request_merge+0x230/0x230
[ 81.233988][ T5]  blk_mq_exit_sched+0x1fa/0x2d0
[ 81.238954][ T5]  elevator_exit+0x70/0xa0
[ 81.243369][ T5]  __blk_release_queue+0x127/0x330
[ 81.248469][ T5]  process_one_work+0x989/0x1790
[ 81.253399][ T5]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 81.258765][ T5]  ? lock_acquire+0x16f/0x3f0
[ 81.263445][ T5]  worker_thread+0x98/0xe40
[ 81.267957][ T5]  kthread+0x354/0x420
[ 81.272008][ T5]  ? process_one_work+0x1790/0x1790
[ 81.277188][ T5]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 81.283433][ T5]  ret_from_fork+0x24/0x30
[ 81.287833][ T5]
[ 81.290152][ T5] Allocated by task 9648:
[ 81.294461][ T5]  save_stack+0x23/0x90
[ 81.298593][ T5]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 81.304202][ T5]  kasan_kmalloc+0x9/0x10
[ 81.308613][ T5]  kmem_cache_alloc_trace+0x151/0x750
[ 81.313964][ T5]  loop_add+0x51/0x8d0
[ 81.318013][ T5]  loop_control_ioctl+0x165/0x360
[ 81.323024][ T5]  do_vfs_ioctl+0xd5f/0x1380
[ 81.327595][ T5]  ksys_ioctl+0xab/0xd0
[ 81.331728][ T5]  __x64_sys_ioctl+0x73/0xb0
[ 81.336295][ T5]  do_syscall_64+0xfd/0x680
[ 81.340776][ T5]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 81.346639][ T5]
[ 81.348945][ T5] Freed by task 9649:
[ 81.352907][ T5]  save_stack+0x23/0x90
[ 81.357040][ T5]  __kasan_slab_free+0x102/0x150
[ 81.361962][ T5]  kasan_slab_free+0xe/0x10
[ 81.366440][ T5]  kfree+0xcf/0x220
[ 81.370222][ T5]  loop_remove+0xa1/0xd0
[ 81.374457][ T5]  loop_control_ioctl+0x320/0x360
[ 81.379469][ T5]  do_vfs_ioctl+0xd5f/0x1380
[ 81.384045][ T5]  ksys_ioctl+0xab/0xd0
[ 81.388176][ T5]  __x64_sys_ioctl+0x73/0xb0
[ 81.392744][ T5]  do_syscall_64+0xfd/0x680
[ 81.397224][ T5]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 81.403106][ T5]
[ 81.405417][ T5] The buggy address belongs to the object at ffff88809ffe2040
[ 81.405417][ T5]  which belongs to the cache kmalloc-1k of size 1024
[ 81.419474][ T5] The buggy address is located 528 bytes inside of
[ 81.419474][ T5]  1024-byte region [ffff88809ffe2040, ffff88809ffe2440)
[ 81.432808][ T5] The buggy address belongs to the page:
[ 81.438418][ T5] page:ffffea00027ff880 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 81.449326][ T5] flags: 0x1fffc0000010200(slab|head)
[ 81.454678][ T5] raw: 01fffc0000010200 ffffea0002601188 ffffea0002555908 ffff8880aa400ac0
[ 81.463257][ T5] raw: 0000000000000000 ffff88809ffe2040 0000000100000007 0000000000000000
[ 81.471832][ T5] page dumped because: kasan: bad access detected
[ 81.478219][ T5]
[ 81.480534][ T5] Memory state around the buggy address:
[ 81.486162][ T5]  ffff88809ffe2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 81.494205][ T5]  ffff88809ffe2180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 81.502245][ T5] >ffff88809ffe2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 81.510279][ T5]                                                  ^
[ 81.516937][ T5]  ffff88809ffe2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 81.524984][ T5]  ffff88809ffe2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 81.533033][ T5] ==================================================================
[ 81.541103][ T5] Disabling lock debugging due to kernel taint
[ 81.555112][ T5] Kernel panic - not syncing: panic_on_warn set ...
executing program
[ 81.561743][ T5] CPU: 0 PID: 5 Comm: kworker/0:0 Tainted: G    B             5.2.0-rc3+ #16
[ 81.570494][ T5] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 81.580578][ T5] Workqueue: events __blk_release_queue
[ 81.586113][ T5] Call Trace:
[ 81.589395][ T5]  dump_stack+0x172/0x1f0
[ 81.591193][ T9652] kobject: 'integrity' (00000000e1776ee0): kobject_uevent_env
[ 81.593732][ T5]  panic+0x2cb/0x744
[ 81.593753][ T5]  ? __warn_printk+0xf3/0xf3
[ 81.601296][ T9652] kobject: 'integrity' (00000000e1776ee0): kobject_uevent_env: filter function caused the event to drop!
[ 81.605085][ T5]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 81.605106][ T5]  ? preempt_schedule+0x4b/0x60
[ 81.611967][ T9652] kobject: 'integrity' (00000000e1776ee0): kobject_cleanup, parent 0000000005e26760
[ 81.620876][ T5]  ? ___preempt_schedule+0x16/0x18
[ 81.620902][ T5]  ? trace_hardirqs_on+0x5e/0x220
[ 81.620915][ T5]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 81.620927][ T5]  end_report+0x47/0x4f
[ 81.620944][ T5]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 81.626200][ T9652] kobject: 'integrity' (00000000e1776ee0): does not have a release() function, it is broken and must be fixed. See Documentation/kobject.txt.
[ 81.630734][ T5]  __kasan_report.cold+0xe/0x40
[ 81.630749][ T5]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 81.630763][ T5]  kasan_report+0x12/0x20
[ 81.630783][ T5]  __asan_report_load8_noabort+0x14/0x20
[ 81.640804][ T9652] kobject: 'integrity': free name
[ 81.645237][ T5]  blk_mq_free_rqs+0x49f/0x4b0
[ 81.645251][ T5]  ? dd_exit_queue+0x92/0xd0
[ 81.645268][ T5]  ? kfree+0x170/0x220
[ 81.716507][ T5]  blk_mq_sched_tags_teardown+0x126/0x210
[ 81.722210][ T5]  ? dd_request_merge+0x230/0x230
[ 81.727229][ T5]  blk_mq_exit_sched+0x1fa/0x2d0
[ 81.732160][ T5]  elevator_exit+0x70/0xa0
[ 81.736559][ T5]  __blk_release_queue+0x127/0x330
[ 81.741652][ T5]  process_one_work+0x989/0x1790
[ 81.746572][ T5]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 81.751932][ T5]  ? lock_acquire+0x16f/0x3f0
[ 81.756585][ T5]  worker_thread+0x98/0xe40
[ 81.761080][ T5]  kthread+0x354/0x420
[ 81.765143][ T5]  ? process_one_work+0x1790/0x1790
[ 81.770320][ T5]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 81.776555][ T5]  ret_from_fork+0x24/0x30
[ 81.781969][ T5] Kernel Offset: disabled
[ 81.786287][ T5] Rebooting in 86400 seconds..