Warning: Permanently added '10.128.0.132' (ECDSA) to the list of known hosts.
syzkaller login: [ 69.776763][ T8565] IPVS: ftp: loaded support on port[0] = 21
[ 69.836714][ T8565] chnl_net:caif_netlink_parms(): no params data found
[ 69.864129][ T8565] bridge0: port 1(bridge_slave_0) entered blocking state
[ 69.871845][ T8565] bridge0: port 1(bridge_slave_0) entered disabled state
[ 69.879839][ T8565] device bridge_slave_0 entered promiscuous mode
[ 69.887876][ T8565] bridge0: port 2(bridge_slave_1) entered blocking state
[ 69.895272][ T8565] bridge0: port 2(bridge_slave_1) entered disabled state
[ 69.903012][ T8565] device bridge_slave_1 entered promiscuous mode
[ 69.918096][ T8565] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 69.929625][ T8565] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 69.946343][ T8565] team0: Port device team_slave_0 added
[ 69.953778][ T8565] team0: Port device team_slave_1 added
[ 70.020264][ T8565] device hsr_slave_0 entered promiscuous mode
[ 70.068685][ T8565] device hsr_slave_1 entered promiscuous mode
[ 70.115797][ T8565] bridge0: port 2(bridge_slave_1) entered blocking state
[ 70.123188][ T8565] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 70.130970][ T8565] bridge0: port 1(bridge_slave_0) entered blocking state
[ 70.138028][ T8565] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 70.171639][ T8565] 8021q: adding VLAN 0 to HW filter on device bond0
[ 70.183815][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 70.204348][ T5] bridge0: port 1(bridge_slave_0) entered disabled state
[ 70.212637][ T5] bridge0: port 2(bridge_slave_1) entered disabled state
[ 70.222026][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 70.233145][ T8565] 8021q: adding VLAN 0 to HW filter on device team0
[ 70.243332][ T2848] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 70.252098][ T2848] bridge0: port 1(bridge_slave_0) entered blocking state
[ 70.259232][ T2848] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 70.279789][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 70.288445][ T5] bridge0: port 2(bridge_slave_1) entered blocking state
[ 70.295515][ T5] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 70.303818][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 70.312969][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 70.321948][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
executing program
[ 70.332840][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 70.340717][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 70.351695][ T8565] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 70.368377][ T8565] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 70.442636][ T8567] ==================================================================
[ 70.450927][ T8567] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 70.458198][ T8567] Read of size 8 at addr ffff888219398250 by task kworker/0:3/8567
[ 70.466066][ T8567]
[ 70.468385][ T8567] CPU: 0 PID: 8567 Comm: kworker/0:3 Not tainted 5.2.0-rc3+ #23
[ 70.475998][ T8567] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.486045][ T8567] Workqueue: events __blk_release_queue
[ 70.491653][ T8567] Call Trace:
[ 70.494927][ T8567]  dump_stack+0x172/0x1f0
[ 70.499252][ T8567]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 70.504172][ T8567]  print_address_description.cold+0x7c/0x20d
[ 70.510130][ T8567]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 70.515046][ T8567]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 70.519963][ T8567]  __kasan_report.cold+0x1b/0x40
[ 70.524880][ T8567]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 70.529798][ T8567]  kasan_report+0x12/0x20
[ 70.534107][ T8567]  __asan_report_load8_noabort+0x14/0x20
[ 70.539717][ T8567]  blk_mq_free_rqs+0x49f/0x4b0
[ 70.544454][ T8567]  ? dd_exit_queue+0x92/0xd0
[ 70.549018][ T8567]  ? kfree+0x170/0x220
[ 70.553088][ T8567]  blk_mq_sched_tags_teardown+0x126/0x210
[ 70.558788][ T8567]  ? dd_request_merge+0x230/0x230
[ 70.563791][ T8567]  blk_mq_exit_sched+0x1fa/0x2d0
[ 70.568709][ T8567]  elevator_exit+0x70/0xa0
[ 70.573133][ T8567]  __blk_release_queue+0x127/0x330
[ 70.583744][ T8567]  process_one_work+0x989/0x1790
[ 70.588682][ T8567]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 70.594033][ T8567]  ? lock_acquire+0x16f/0x3f0
[ 70.599956][ T8567]  worker_thread+0x98/0xe40
[ 70.604445][ T8567]  ? trace_hardirqs_on+0x67/0x220
[ 70.609454][ T8567]  kthread+0x354/0x420
[ 70.613500][ T8567]  ? process_one_work+0x1790/0x1790
[ 70.618677][ T8567]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 70.624913][ T8567]  ret_from_fork+0x24/0x30
[ 70.629313][ T8567]
[ 70.631619][ T8567] Allocated by task 1:
[ 70.635754][ T8567]  save_stack+0x23/0x90
[ 70.639887][ T8567]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 70.645513][ T8567]  kasan_kmalloc+0x9/0x10
[ 70.650022][ T8567]  kmem_cache_alloc_trace+0x151/0x750
[ 70.655369][ T8567]  loop_add+0x51/0x8d0
[ 70.659416][ T8567]  loop_init+0x1fe/0x25a
[ 70.663643][ T8567]  do_one_initcall+0x107/0x7ba
[ 70.668390][ T8567]  kernel_init_freeable+0x4d4/0x5c3
[ 70.673562][ T8567]  kernel_init+0x12/0x1c5
[ 70.677964][ T8567]  ret_from_fork+0x24/0x30
[ 70.682351][ T8567]
[ 70.684657][ T8567] Freed by task 8565:
[ 70.688616][ T8567]  save_stack+0x23/0x90
[ 70.692763][ T8567]  __kasan_slab_free+0x102/0x150
[ 70.697680][ T8567]  kasan_slab_free+0xe/0x10
[ 70.702178][ T8567]  kfree+0xcf/0x220
[ 70.705982][ T8567]  loop_remove+0xa1/0xd0
[ 70.710218][ T8567]  loop_control_ioctl+0x320/0x360
[ 70.715221][ T8567]  do_vfs_ioctl+0xd5f/0x1380
[ 70.719785][ T8567]  ksys_ioctl+0xab/0xd0
[ 70.723914][ T8567]  __x64_sys_ioctl+0x73/0xb0
[ 70.728478][ T8567]  do_syscall_64+0xfd/0x680
[ 70.732958][ T8567]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 70.738915][ T8567]
[ 70.741223][ T8567] The buggy address belongs to the object at ffff888219398040
[ 70.741223][ T8567]  which belongs to the cache kmalloc-1k of size 1024
[ 70.755268][ T8567] The buggy address is located 528 bytes inside of
[ 70.755268][ T8567]  1024-byte region [ffff888219398040, ffff888219398440)
[ 70.768599][ T8567] The buggy address belongs to the page:
[ 70.774210][ T8567] page:ffffea000864e600 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 70.785117][ T8567] flags: 0x6fffc0000010200(slab|head)
[ 70.790490][ T8567] raw: 06fffc0000010200 ffffea0008659f88 ffffea000864ef88 ffff8880aa400ac0
[ 70.799058][ T8567] raw: 0000000000000000 ffff888219398040 0000000100000007 0000000000000000
[ 70.807627][ T8567] page dumped because: kasan: bad access detected
[ 70.814115][ T8567]
[ 70.816419][ T8567] Memory state around the buggy address:
[ 70.822029][ T8567]  ffff888219398100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.830067][ T8567]  ffff888219398180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.838111][ T8567] >ffff888219398200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.846159][ T8567]                                                  ^
[ 70.852905][ T8567]  ffff888219398280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.861029][ T8567]  ffff888219398300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.869061][ T8567] ==================================================================
[ 70.877095][ T8567] Disabling lock debugging due to kernel taint
[ 70.885875][ T8567] Kernel panic - not syncing: panic_on_warn set ...
[ 70.892491][ T8567] CPU: 0 PID: 8567 Comm: kworker/0:3 Tainted: G B 5.2.0-rc3+ #23
[ 70.901484][ T8567] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.911789][ T8567] Workqueue: events __blk_release_queue
[ 70.917305][ T8567] Call Trace:
[ 70.920583][ T8567]  dump_stack+0x172/0x1f0
[ 70.924896][ T8567]  panic+0x2cb/0x744
[ 70.934123][ T8567]  ? __warn_printk+0xf3/0xf3
[ 70.938806][ T8567]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 70.943899][ T8567]  ? preempt_schedule+0x4b/0x60
[ 70.948731][ T8567]  ? ___preempt_schedule+0x16/0x18
[ 70.953816][ T8567]  ? trace_hardirqs_on+0x5e/0x220
[ 70.958835][ T8567]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 70.963747][ T8567]  end_report+0x47/0x4f
[ 70.967897][ T8567]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 70.972813][ T8567]  __kasan_report.cold+0xe/0x40
[ 70.977661][ T8567]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 70.982579][ T8567]  kasan_report+0x12/0x20
[ 70.986892][ T8567]  __asan_report_load8_noabort+0x14/0x20
[ 70.992503][ T8567]  blk_mq_free_rqs+0x49f/0x4b0
[ 70.997260][ T8567]  ? dd_exit_queue+0x92/0xd0
[ 71.001830][ T8567]  ? kfree+0x170/0x220
[ 71.007341][ T8567]  blk_mq_sched_tags_teardown+0x126/0x210
[ 71.013133][ T8567]  ? dd_request_merge+0x230/0x230
[ 71.018151][ T8567]  blk_mq_exit_sched+0x1fa/0x2d0
[ 71.023094][ T8567]  elevator_exit+0x70/0xa0
[ 71.027494][ T8567]  __blk_release_queue+0x127/0x330
[ 71.032593][ T8567]  process_one_work+0x989/0x1790
[ 71.037510][ T8567]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 71.042856][ T8567]  ? lock_acquire+0x16f/0x3f0
[ 71.047521][ T8567]  worker_thread+0x98/0xe40
[ 71.052001][ T8567]  ? trace_hardirqs_on+0x67/0x220
[ 71.057010][ T8567]  kthread+0x354/0x420
[ 71.061211][ T8567]  ? process_one_work+0x1790/0x1790
[ 71.066390][ T8567]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 71.072781][ T8567]  ret_from_fork+0x24/0x30
[ 71.078601][ T8567] Kernel Offset: disabled
[ 71.082944][ T8567] Rebooting in 86400 seconds..
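The three stacks in the report above tell the whole story once they are read together: the 1024-byte kmalloc-1k object was allocated once at boot by task 1 (loop_init -> loop_add), freed by task 8565 (the syzkaller program) from a userspace ioctl (loop_control_ioctl -> loop_remove -> kfree), and then read 528 bytes in by the deferred __blk_release_queue work running on kworker/0:3 (elevator_exit -> blk_mq_exit_sched -> blk_mq_sched_tags_teardown -> blk_mq_free_rqs). So the block layer's queue-release work still dereferences memory the loop driver has already returned to the allocator. Two caveats a reader should keep in mind: the page carries no reproducer, so the exact interleaving that gets the release work to run after the free is not established here, and reaching loop_control_ioctl at all requires an open descriptor on /dev/loop-control, which is root-only under the default device-node permissions.

The script below is an added triage helper, not part of the syzkaller log or of the kernel tree. It parses the BUG line, the "Call Trace:", "Allocated by" and "Freed by" sections and the object description out of a KASAN report, drops the unreliable "? " frames, picks the first non-instrumentation frame of each stack as the owning code, flags a free that was entered from a syscall, and re-checks the offset arithmetic the report states (0xffff888219398250 - 0xffff888219398040 = 0x210 = 528). REPORT is a constructed excerpt of the log above; every helper name is mine.

```python
"""Triage helper for a KASAN use-after-free report (added example; the
REPORT excerpt below is constructed from the syzkaller log above)."""
import re
from dataclasses import dataclass, field

REPORT = """\
[ 70.450927][ T8567] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 70.458198][ T8567] Read of size 8 at addr ffff888219398250 by task kworker/0:3/8567
[ 70.491653][ T8567] Call Trace:
[ 70.499252][ T8567]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 70.529798][ T8567]  kasan_report+0x12/0x20
[ 70.539717][ T8567]  blk_mq_free_rqs+0x49f/0x4b0
[ 70.573133][ T8567]  __blk_release_queue+0x127/0x330
[ 70.629313][ T8567]
[ 70.631619][ T8567] Allocated by task 1:
[ 70.645513][ T8567]  kasan_kmalloc+0x9/0x10
[ 70.655369][ T8567]  loop_add+0x51/0x8d0
[ 70.659416][ T8567]  loop_init+0x1fe/0x25a
[ 70.682351][ T8567]
[ 70.684657][ T8567] Freed by task 8565:
[ 70.702178][ T8567]  kfree+0xcf/0x220
[ 70.705982][ T8567]  loop_remove+0xa1/0xd0
[ 70.710218][ T8567]  loop_control_ioctl+0x320/0x360
[ 70.728478][ T8567]  do_syscall_64+0xfd/0x680
[ 70.738915][ T8567]
[ 70.741223][ T8567] The buggy address belongs to the object at ffff888219398040
[ 70.741223][ T8567]  which belongs to the cache kmalloc-1k of size 1024
[ 70.755268][ T8567] The buggy address is located 528 bytes inside of
[ 70.755268][ T8567]  1024-byte region [ffff888219398040, ffff888219398440)
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\] ?")  # "[ 70.450927][ T8567] "
FRAME = re.compile(r"^\s*(?P<unreliable>\? )?(?P<fn>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
# KASAN/slab plumbing frames; the first frame after them is the code that owns the object.
PLUMBING = ("save_stack", "kasan_", "__kasan_", "__asan_", "kmem_cache_", "kfree", "kmalloc", "dump_stack", "print_address_description")
SYSCALL_ENTRY = ("do_syscall_64", "__x64_sys_", "ksys_", "entry_SYSCALL")


@dataclass
class KasanReport:
    bug_type: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    alloc_task: int = -1
    free_task: int = -1
    object_start: int = 0
    object_size: int = 0
    cache: str = ""
    stated_offset: int = -1
    access_stack: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)


def parse_report(text):
    r, stack = KasanReport(), None  # stack: list receiving frames, None outside a stack section
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if not line.strip():  # a blank report line closes the current stack section
            stack = None
        elif m := re.match(r"BUG: KASAN: ([\w-]+) in ", line):
            r.bug_type = m[1]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r.access, r.size, r.addr, r.task = m[1], int(m[2]), int(m[3], 16), m[4]
        elif line.startswith("Call Trace:"):
            stack = r.access_stack
        elif m := re.match(r"Allocated by task (\d+):", line):
            r.alloc_task, stack = int(m[1]), r.alloc_stack
        elif m := re.match(r"Freed by task (\d+):", line):
            r.free_task, stack = int(m[1]), r.free_stack
        elif m := re.search(r"belongs to the object at ([0-9a-f]+)", line):
            r.object_start = int(m[1], 16)
        elif m := re.search(r"belongs to the cache (\S+) of size (\d+)", line):
            r.cache, r.object_size = m[1], int(m[2])
        elif m := re.search(r"is located (\d+) bytes inside of", line):
            r.stated_offset = int(m[1])
        elif stack is not None and (m := FRAME.match(line)) and not m["unreliable"]:
            stack.append(m["fn"])  # "? " frames are stale stack slots, not real callers
    return r


def owner_frame(stack):
    """First non-plumbing frame: the driver/subsystem code that touched the object."""
    return next((fn for fn in stack if not fn.startswith(PLUMBING)), None)


def from_syscall(stack):
    """True when the stack was entered from userspace through a system call."""
    return any(fn.startswith(SYSCALL_ENTRY) for fn in stack)


def offset_consistent(r):
    """Recompute addr - object_start and compare it with the offset KASAN printed."""
    off = r.addr - r.object_start
    return off == r.stated_offset and 0 <= off < r.object_size


if __name__ == "__main__":
    rep = parse_report(REPORT)
    print(f"{rep.bug_type}: alloc in {owner_frame(rep.alloc_stack)} (task {rep.alloc_task}), "
          f"free in {owner_frame(rep.free_stack)} (task {rep.free_task}, syscall={from_syscall(rep.free_stack)}), "
          f"use in {owner_frame(rep.access_stack)}; offset arithmetic consistent: {offset_consistent(rep)}")
```

Run it as a script to get the one-line triage summary; in a fuzzing pipeline, parse_report would be fed the full console log and the three owner frames used to bucket duplicate reports. The offset check is worth keeping: when the recomputed offset disagrees with what the report states, the log has been truncated or interleaved and the stacks should not be trusted for bucketing.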