[ ok ] Starting enhanced syslogd: rsyslogd.
[ 55.794115][ T26] audit: type=1800 audit(1559808570.632:25): pid=8649 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 55.839656][ T26] audit: type=1800 audit(1559808570.632:26): pid=8649 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 55.873637][ T26] audit: type=1800 audit(1559808570.632:27): pid=8649 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.139' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
syzkaller login: [ 64.022764][ T2994] ==================================================================
[ 64.031048][ T2994] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 64.031068][ T2994] Read of size 8 at addr ffff88808cc5b890 by task kworker/0:2/2994
[ 64.031071][ T2994]
[ 64.031086][ T2994] CPU: 0 PID: 2994 Comm: kworker/0:2 Not tainted 5.2.0-rc3+ #12
[ 64.031095][ T2994] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.031111][ T2994] Workqueue: events __blk_release_queue
[ 64.031118][ T2994] Call Trace:
[ 64.031140][ T2994]  dump_stack+0x172/0x1f0
[ 64.031153][ T2994]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 64.031172][ T2994]  print_address_description.cold+0x7c/0x20d
[ 64.031193][ T2994]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 64.031204][ T2994]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 64.031215][ T2994]  __kasan_report.cold+0x1b/0x40
[ 64.031228][ T2994]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 64.031242][ T2994]  kasan_report+0x12/0x20
[ 64.046546][ T2994]  __asan_report_load8_noabort+0x14/0x20
[ 64.056474][ T2994]  blk_mq_free_rqs+0x49f/0x4b0
[ 64.056488][ T2994]  ? dd_exit_queue+0x92/0xd0
[ 64.056500][ T2994]  ? kfree+0x170/0x220
[ 64.056520][ T2994]  blk_mq_sched_tags_teardown+0x126/0x210
[ 64.056535][ T2994]  ? dd_request_merge+0x230/0x230
[ 64.056550][ T2994]  blk_mq_exit_sched+0x1fa/0x2d0
[ 64.056569][ T2994]  elevator_exit+0x70/0xa0
[ 64.056589][ T2994]  __blk_release_queue+0x127/0x330
[ 64.068194][ T8809] kobject: 'loop0' (00000000776a54ab): kobject_uevent_env
[ 64.072195][ T2994]  process_one_work+0x989/0x1790
[ 64.072219][ T2994]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 64.072233][ T2994]  ? lock_acquire+0x16f/0x3f0
[ 64.072255][ T2994]  worker_thread+0x98/0xe40
[ 64.072278][ T2994]  ? trace_hardirqs_on+0x67/0x220
[ 64.072303][ T2994]  kthread+0x354/0x420
[ 64.076048][ T8809] kobject: 'loop0' (00000000776a54ab): kobject_uevent_env: uevent_suppress caused the event to drop!
[ 64.079910][ T2994]  ? process_one_work+0x1790/0x1790
[ 64.079924][ T2994]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 64.079942][ T2994]  ret_from_fork+0x24/0x30
[ 64.079961][ T2994]
[ 64.079968][ T2994] Allocated by task 8807:
[ 64.079984][ T2994]  save_stack+0x23/0x90
[ 64.080003][ T2994]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 64.085554][ T8809] kobject: 'holders' (00000000d12b4453): kobject_add_internal: parent: 'loop0', set: ''
[ 64.090897][ T2994]  kasan_kmalloc+0x9/0x10
[ 64.090909][ T2994]  kmem_cache_alloc_trace+0x151/0x750
[ 64.090921][ T2994]  loop_add+0x51/0x8d0
[ 64.090931][ T2994]  loop_control_ioctl+0x165/0x360
[ 64.090946][ T2994]  __ia32_compat_sys_ioctl+0x195/0x620
[ 64.090960][ T2994]  do_fast_syscall_32+0x27b/0xd7d
[ 64.090973][ T2994]  entry_SYSENTER_compat+0x70/0x7f
[ 64.090977][ T2994]
[ 64.090983][ T2994] Freed by task 8808:
[ 64.090994][ T2994]  save_stack+0x23/0x90
[ 64.091011][ T2994]  __kasan_slab_free+0x102/0x150
[ 64.096662][ T8809] kobject: 'slaves' (0000000009d473e6): kobject_add_internal: parent: 'loop0', set: ''
[ 64.100869][ T2994]  kasan_slab_free+0xe/0x10
[ 64.100880][ T2994]  kfree+0xcf/0x220
[ 64.100891][ T2994]  loop_remove+0xa1/0xd0
[ 64.100901][ T2994]  loop_control_ioctl+0x320/0x360
[ 64.100916][ T2994]  __ia32_compat_sys_ioctl+0x195/0x620
[ 64.100930][ T2994]  do_fast_syscall_32+0x27b/0xd7d
[ 64.100944][ T2994]  entry_SYSENTER_compat+0x70/0x7f
[ 64.100955][ T2994]
[ 64.106449][ T8809] kobject: 'loop0' (00000000776a54ab): kobject_uevent_env
[ 64.110806][ T2994] The buggy address belongs to the object at ffff88808cc5b680
[ 64.110806][ T2994]  which belongs to the cache kmalloc-1k of size 1024
[ 64.110818][ T2994] The buggy address is located 528 bytes inside of
[ 64.110818][ T2994]  1024-byte region [ffff88808cc5b680, ffff88808cc5ba80)
[ 64.110823][ T2994] The buggy address belongs to the page:
[ 64.110835][ T2994] page:ffffea0002331680 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 64.110850][ T2994] flags: 0x1fffc0000010200(slab|head)
[ 64.110869][ T2994] raw: 01fffc0000010200 ffffea000281bb88 ffffea0002a21988 ffff8880aa400ac0
[ 64.110883][ T2994] raw: 0000000000000000 ffff88808cc5a000 0000000100000007 0000000000000000
[ 64.110887][ T2994] page dumped because: kasan: bad access detected
[ 64.110890][ T2994]
[ 64.110894][ T2994] Memory state around the buggy address:
[ 64.110905][ T2994]  ffff88808cc5b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.110918][ T2994]  ffff88808cc5b800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.116071][ T8809] kobject: 'loop0' (00000000776a54ab): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 64.120857][ T2994] >ffff88808cc5b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.120863][ T2994]                          ^
[ 64.120874][ T2994]  ffff88808cc5b900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.120883][ T2994]  ffff88808cc5b980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.120887][ T2994] ==================================================================
[ 64.120892][ T2994] Disabling lock debugging due to kernel taint
[ 64.125988][ T2994] Kernel panic - not syncing: panic_on_warn set ...
[ 64.132357][ T8809] kobject: 'queue' (00000000b858f574): kobject_add_internal: parent: 'loop0', set: ''
[ 64.134320][ T2994] CPU: 0 PID: 2994 Comm: kworker/0:2 Tainted: G    B             5.2.0-rc3+ #12
[ 64.134336][ T2994] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.140812][ T8809] kobject: 'mq' (00000000492794d2): kobject_add_internal: parent: 'loop0', set: ''
[ 64.145056][ T2994] Workqueue: events __blk_release_queue
[ 64.150387][ T8809] kobject: 'mq' (00000000492794d2): kobject_uevent_env
[ 64.154377][ T2994] Call Trace:
[ 64.154402][ T2994]  dump_stack+0x172/0x1f0
[ 64.154424][ T2994]  panic+0x2cb/0x744
[ 64.159974][ T8809] kobject: 'mq' (00000000492794d2): kobject_uevent_env: filter function caused the event to drop!
[ 64.166605][ T2994]  ? __warn_printk+0xf3/0xf3
[ 64.166627][ T2994]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 64.172294][ T8809] kobject: '0' (000000004185e5c0): kobject_add_internal: parent: 'mq', set: ''
[ 64.176906][ T2994]  ? preempt_schedule+0x4b/0x60
[ 64.176928][ T2994]  ? ___preempt_schedule+0x16/0x18
[ 64.182125][ T8809] kobject: 'cpu0' (00000000bf410e99): kobject_add_internal: parent: '0', set: ''
[ 64.186093][ T2994]  ? trace_hardirqs_on+0x5e/0x220
[ 64.186118][ T2994]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 64.191721][ T8809] kobject: 'cpu1' (0000000062e433f1): kobject_add_internal: parent: '0', set: ''
[ 64.195181][ T2994]  end_report+0x47/0x4f
[ 64.195203][ T2994]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 64.206531][ T8809] kobject: 'queue' (00000000b858f574): kobject_uevent_env
[ 64.211218][ T2994]  __kasan_report.cold+0xe/0x40
[ 64.211236][ T2994]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 64.211248][ T2994]  kasan_report+0x12/0x20
[ 64.211261][ T2994]  __asan_report_load8_noabort+0x14/0x20
[ 64.211285][ T2994]  blk_mq_free_rqs+0x49f/0x4b0
[ 64.218028][ T8809] kobject: 'queue' (00000000b858f574): kobject_uevent_env: filter function caused the event to drop!
[ 64.221932][ T2994]  ? dd_exit_queue+0x92/0xd0
[ 64.221944][ T2994]  ? kfree+0x170/0x220
[ 64.221963][ T2994]  blk_mq_sched_tags_teardown+0x126/0x210
[ 64.221975][ T2994]  ? dd_request_merge+0x230/0x230
[ 64.221990][ T2994]  blk_mq_exit_sched+0x1fa/0x2d0
[ 64.222008][ T2994]  elevator_exit+0x70/0xa0
[ 64.225389][ T8809] kobject: 'iosched' (00000000eed9871d): kobject_add_internal: parent: 'queue', set: ''
[ 64.228647][ T2994]  __blk_release_queue+0x127/0x330
[ 64.228671][ T2994]  process_one_work+0x989/0x1790
[ 64.233258][ T8809] kobject: 'iosched' (00000000eed9871d): kobject_uevent_env
[ 64.238454][ T2994]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 64.238474][ T2994]  ? lock_acquire+0x16f/0x3f0
[ 64.249150][ T8809] kobject: 'iosched' (00000000eed9871d): kobject_uevent_env: filter function caused the event to drop!
[ 64.253023][ T2994]  worker_thread+0x98/0xe40
[ 64.253041][ T2994]  ? trace_hardirqs_on+0x67/0x220
[ 64.253061][ T2994]  kthread+0x354/0x420
[ 64.253080][ T2994]  ? process_one_work+0x1790/0x1790
[ 64.259233][ T8809] kobject: 'integrity' (00000000070831b2): kobject_add_internal: parent: 'loop0', set: ''
[ 64.262485][ T2994]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 64.262501][ T2994]  ret_from_fork+0x24/0x30
[ 64.263552][ T2994] Kernel Offset: disabled
[ 64.817827][ T2994] Rebooting in 86400 seconds..