[ ok ] Starting enhanced syslogd: rsyslogd.
[   70.056533][   T26] audit: type=1800 audit(1559806856.611:25): pid=8647 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   70.102008][   T26] audit: type=1800 audit(1559806856.611:26): pid=8647 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   70.140202][   T26] audit: type=1800 audit(1559806856.621:27): pid=8647 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.230' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
syzkaller login: [   80.414565][   T22] ==================================================================
[   80.414649][   T22] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[   80.430271][   T22] Read of size 8 at addr ffff88808f92eb10 by task kworker/1:1/22
[   80.430276][   T22] 
[   80.430292][   T22] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.2.0-rc3-next-20190605 #9
[   80.430300][   T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   80.430331][   T22] Workqueue: events __blk_release_queue
[   80.440667][   T22] Call Trace:
[   80.440705][   T22]  dump_stack+0x172/0x1f0
[   80.440727][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   80.459321][   T22]  print_address_description.cold+0xd4/0x306
[   80.459353][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   80.468219][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   80.468237][   T22]  __kasan_report.cold+0x1b/0x36
[   80.468257][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   80.477638][   T22]  kasan_report+0x12/0x20
[   80.477656][   T22]  __asan_report_load8_noabort+0x14/0x20
[   80.477678][   T22]  blk_mq_free_rqs+0x49f/0x4b0
[   80.488598][   T22]  ? dd_exit_queue+0x92/0xd0
[   80.488612][   T22]  ? kfree+0x1ec/0x2a0
[   80.488635][   T22]  blk_mq_sched_tags_teardown+0x126/0x210
[   80.498884][   T22]  ? dd_request_merge+0x230/0x230
[   80.498900][   T22]  blk_mq_exit_sched+0x1fa/0x2d0
[   80.498920][   T22]  elevator_exit+0x70/0xa0
[   80.508190][   T22]  __blk_release_queue+0x127/0x330
[   80.508235][   T22]  process_one_work+0x989/0x1790
[   80.518712][   T22]  ? pwq_dec_nr_in_flight+0x320/0x320
[   80.518744][   T22]  ? lock_acquire+0x16f/0x3f0
[   80.527416][   T22]  worker_thread+0x98/0xe40
[   80.527446][   T22]  ? trace_hardirqs_on+0x67/0x220
[   80.538518][   T22]  kthread+0x354/0x420
[   80.538536][   T22]  ? process_one_work+0x1790/0x1790
[   80.538556][   T22]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   80.548279][   T22]  ret_from_fork+0x24/0x30
[   80.548300][   T22] 
[   80.558438][   T22] Allocated by task 8806:
[   80.558460][   T22]  save_stack+0x23/0x90
[   80.558480][   T22]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   80.568627][   T22]  kasan_kmalloc+0x9/0x10
[   80.568640][   T22]  kmem_cache_alloc_trace+0x151/0x750
[   80.568665][   T22]  loop_add+0x51/0x8d0
[   80.568682][   T22]  loop_probe+0x161/0x1a0
[   80.578347][   T22]  kobj_lookup+0x260/0x460
[   80.578361][   T22]  get_gendisk+0x4d/0x390
[   80.578390][   T22]  __blkdev_get+0x457/0x1660
[   80.583116][ T8808] kobject: 'cpu1' (00000000602b2473): kobject_add_internal: parent: '0', set: ''
[   80.587768][   T22]  blkdev_get+0xc4/0x990
[   80.587779][   T22]  blkdev_open+0x205/0x290
executing program
[   80.587794][   T22]  do_dentry_open+0x4df/0x1250
[   80.587811][   T22]  vfs_open+0xa0/0xd0
[   80.595085][ T8808] kobject: 'queue' (00000000ff8239e2): kobject_uevent_env
[   80.598513][   T22]  path_openat+0x10e9/0x46d0
[   80.598527][   T22]  do_filp_open+0x1a1/0x280
[   80.598544][   T22]  do_sys_open+0x3fe/0x5d0
[   80.600935][ T8808] kobject: 'queue' (00000000ff8239e2): kobject_uevent_env: filter function caused the event to drop!
[   80.605285][   T22]  __x64_sys_open+0x7e/0xc0
[   80.605300][   T22]  do_syscall_64+0xfd/0x680
[   80.605315][   T22]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   80.605319][   T22] 
[   80.605325][   T22] Freed by task 8807:
[   80.605338][   T22]  save_stack+0x23/0x90
[   80.605356][   T22]  __kasan_slab_free+0x102/0x150
[   80.605366][   T22]  kasan_slab_free+0xe/0x10
[   80.605375][   T22]  kfree+0x106/0x2a0
[   80.605386][   T22]  loop_remove+0xa1/0xd0
[   80.605404][   T22]  loop_control_ioctl+0x320/0x360
[   80.613054][ T8808] kobject: 'iosched' (00000000a04bad86): kobject_add_internal: parent: 'queue', set: ''
[   80.615174][   T22]  do_vfs_ioctl+0xdb6/0x13e0
[   80.615184][   T22]  ksys_ioctl+0xab/0xd0
[   80.615204][   T22]  __x64_sys_ioctl+0x73/0xb0
[   80.619702][ T8808] kobject: 'iosched' (00000000a04bad86): kobject_uevent_env
[   80.624927][   T22]  do_syscall_64+0xfd/0x680
[   80.624944][   T22]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   80.624947][   T22] 
[   80.624958][   T22] The buggy address belongs to the object at ffff88808f92e900
[   80.624958][   T22]  which belongs to the cache kmalloc-1k of size 1024
[   80.624968][   T22] The buggy address is located 528 bytes inside of
[   80.624968][   T22]  1024-byte region [ffff88808f92e900, ffff88808f92ed00)
[   80.624972][   T22] The buggy address belongs to the page:
[   80.624986][   T22] page:ffffea00023e4b80 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[   80.624999][   T22] flags: 0x1fffc0000010200(slab|head)
[   80.625016][   T22] raw: 01fffc0000010200 ffffea0002906f88 ffffea00023e4608 ffff8880aa400ac0
[   80.625030][   T22] raw: 0000000000000000 ffff88808f92e000 0000000100000007 0000000000000000
[   80.625035][   T22] page dumped because: kasan: bad access detected
[   80.625047][   T22] 
[   80.630156][ T8808] kobject: 'iosched' (00000000a04bad86): kobject_uevent_env: filter function caused the event to drop!
[   80.633545][   T22] Memory state around the buggy address:
[   80.633561][   T22]  ffff88808f92ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   80.633570][   T22]  ffff88808f92ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   80.633579][   T22] >ffff88808f92eb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   80.633584][   T22]                       ^
[   80.633593][   T22]  ffff88808f92eb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   80.633602][   T22]  ffff88808f92ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   80.633607][   T22] ==================================================================
[   80.633612][   T22] Disabling lock debugging due to kernel taint
[   80.637591][   T22] Kernel panic - not syncing: panic_on_warn set ...
[   80.640110][ T8808] kobject: 'integrity' (00000000e669cc4c): kobject_add_internal: parent: 'loop0', set: ''
[   80.642613][   T22] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G    B             5.2.0-rc3-next-20190605 #9
[   80.642621][   T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   80.642641][   T22] Workqueue: events __blk_release_queue
[   80.642648][   T22] Call Trace:
[   80.642666][   T22]  dump_stack+0x172/0x1f0
[   80.642683][   T22]  panic+0x2cb/0x744
[   80.642696][   T22]  ? __warn_printk+0xf3/0xf3
[   80.642711][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   80.642724][   T22]  ? preempt_schedule+0x4b/0x60
[   80.642738][   T22]  ? ___preempt_schedule+0x16/0x18
[   80.642760][   T22]  ? trace_hardirqs_on+0x5e/0x220
[   80.648125][ T8808] kobject: 'integrity' (00000000e669cc4c): kobject_uevent_env
[   80.657299][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   80.657314][   T22]  end_report+0x47/0x4f
[   80.657326][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   80.657337][   T22]  __kasan_report.cold+0xe/0x36
[   80.657358][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   80.657371][   T22]  kasan_report+0x12/0x20
[   80.657393][   T22]  __asan_report_load8_noabort+0x14/0x20
[   80.662232][ T8808] kobject: 'integrity' (00000000e669cc4c): kobject_uevent_env: filter function caused the event to drop!
[   80.666096][   T22]  blk_mq_free_rqs+0x49f/0x4b0
[   80.666110][   T22]  ? dd_exit_queue+0x92/0xd0
[   80.666131][   T22]  ? kfree+0x1ec/0x2a0
[   80.677053][ T8809] kobject: 'integrity' (00000000e669cc4c): kobject_uevent_env
[   80.682004][   T22]  blk_mq_sched_tags_teardown+0x126/0x210
[   80.682020][   T22]  ? dd_request_merge+0x230/0x230
[   80.682031][   T22]  blk_mq_exit_sched+0x1fa/0x2d0
[   80.682046][   T22]  elevator_exit+0x70/0xa0
[   80.682060][   T22]  __blk_release_queue+0x127/0x330
[   80.682077][   T22]  process_one_work+0x989/0x1790
[   80.682092][   T22]  ? pwq_dec_nr_in_flight+0x320/0x320
[   80.682114][   T22]  ? lock_acquire+0x16f/0x3f0
[   80.687116][ T8809] kobject: 'integrity' (00000000e669cc4c): kobject_uevent_env: filter function caused the event to drop!
[   80.691285][   T22]  worker_thread+0x98/0xe40
[   80.691303][   T22]  ? trace_hardirqs_on+0x67/0x220
[   80.691323][   T22]  kthread+0x354/0x420
[   80.696504][ T8809] kobject: 'integrity' (00000000e669cc4c): kobject_cleanup, parent 00000000d34479d9
[   80.706608][   T22]  ? process_one_work+0x1790/0x1790
[   80.706622][   T22]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   80.706637][   T22]  ret_from_fork+0x24/0x30
[   80.708633][   T22] Kernel Offset: disabled
[   81.221166][   T22] Rebooting in 86400 seconds..
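Added triage helper for reports of this shape (example code written for this page; it is not part of the syzkaller log above and not kernel or syzkaller tooling). It splits the console output on the `[ ts][ Tn]` prefix so that the kobject lines other tasks (T8808, T8809) interleave into the report are ignored, keeps only reliable frames (dropping the `?` unwinder guesses and the KASAN/printk/slab plumbing that appears in every report), and reduces the report to the three facts a triager acts on: the faulting frame and whether it ran from a syscall or from deferred work, the allocating and freeing call sites with the syscall each was reached from, and the access offset inside the slab object, checked against the object bounds the report prints. Assumptions: the CONFIG_PRINTK_CALLER prefix format seen in this log and x86-64 `__x64_sys_*` syscall entry names; the sample input is a constructed excerpt of the report above with most frames trimmed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
# Console prefix exactly as this log prints it (CONFIG_PRINTK_CALLER): "[   80.414649][   T22] message".
PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T(?P<tid>\d+)\]\s?(?P<msg>.*)$")
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task \S+/(?P<pid>\d+)")
SECTION = re.compile(r"(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
OBJECT = re.compile(r"object at (?P<base>[0-9a-f]+)")
CACHE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
FRAME = re.compile(r"^(?P<guess>\? )?(?P<func>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SYSCALL_PREFIX = "__x64_sys_"           # assumption: x86-64 syscall entry names, as in this log

@dataclass
class KasanReport:
    kind: str
    rw: str
    size: int
    addr: int
    pid: int                            # task that performed the bad access
    workqueue: Optional[str] = None
    cache: Optional[str] = None
    obj_base: Optional[int] = None
    obj_size: Optional[int] = None
    pids: Dict[str, int] = field(default_factory=dict)              # "alloc"/"free" -> task id
    stacks: Dict[str, List[str]] = field(default_factory=lambda: {"use": [], "alloc": [], "free": []})

def is_plumbing(func: str) -> bool:
    # KASAN, printk and slab frames appear in every report and carry no bug-specific information.
    return (func in ("dump_stack", "save_stack") or "kasan" in func
            or func.startswith(("print_address_description", "__asan_report", "kmem_cache_", "kmalloc", "kfree")))

def parse_report(text: str) -> KasanReport:
    """Parse the first KASAN report in a console log, ignoring lines interleaved from other tasks."""
    parsed = [m for m in map(PREFIX.match, text.splitlines()) if m]
    reporter = next(m["tid"] for m in parsed if "BUG: KASAN:" in m["msg"])
    lines = [m["msg"].strip() for m in parsed if m["tid"] == reporter]   # drops the T8808 kobject noise
    start = next(i for i, line in enumerate(lines) if "BUG: KASAN:" in line)
    h, a = HEADER.search(lines[start]), ACCESS.search(lines[start + 1])
    if not (h and a):
        raise ValueError("unrecognised KASAN report header")
    rep = KasanReport(h["kind"], a["rw"], int(a["size"]), int(a["addr"], 16), int(a["pid"]))
    section = "use"
    for line in lines[start + 2:]:
        if line.startswith("===="):                         # closing rule of this report
            break
        if line.startswith("Workqueue:"):
            rep.workqueue = line.split()[-1]
        elif m := SECTION.match(line):
            section = "alloc" if m["what"] == "Allocated" else "free"
            rep.pids[section] = int(m["pid"])
        elif m := OBJECT.search(line):
            rep.obj_base, section = int(m["base"], 16), "meta"
        elif m := CACHE.search(line):
            rep.cache, rep.obj_size = m["cache"], int(m["size"])
        elif (m := FRAME.match(line)) and section in rep.stacks:
            if not m["guess"] and not is_plumbing(m["func"]):   # "? foo" frames are unwinder guesses
                rep.stacks[section].append(m["func"])
    return rep

def entry_point(rep: KasanReport, which: str) -> str:
    # How a stack was reached: a user-triggerable syscall, deferred work, or plain kernel context.
    for f in rep.stacks[which]:
        if f.startswith(SYSCALL_PREFIX):
            return f"syscall {f[len(SYSCALL_PREFIX):]}()"
    return f"workqueue {rep.workqueue}" if which == "use" and rep.workqueue else "kernel context"

def triage(text: str) -> Dict[str, object]:
    # The one-screen summary a triager wants: class, offset into the object, and where each stack came from.
    rep = parse_report(text)
    offset = None if rep.obj_base is None else rep.addr - rep.obj_base
    inside = offset is not None and rep.obj_size is not None and 0 <= offset < rep.obj_size
    return {
        "class": rep.kind,
        "access": f"{rep.rw.lower()} of {rep.size} bytes at +{offset} into a {rep.cache} object" if inside else "unknown object",
        "use": (rep.stacks["use"][0], entry_point(rep, "use")),
        "alloc": (rep.stacks["alloc"][0], entry_point(rep, "alloc")),
        "free": (rep.stacks["free"][0], entry_point(rep, "free")),
        # Allocator, freer and deferred user being three different tasks is the usual shape of a teardown race.
        "three_tasks": len({rep.pid, rep.pids.get("alloc"), rep.pids.get("free")}) == 3,
    }

# Constructed excerpt of the report above (frames trimmed); the T8808 kobject line is kept on purpose.
SAMPLE = """\
[   80.414649][   T22] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[   80.430271][   T22] Read of size 8 at addr ffff88808f92eb10 by task kworker/1:1/22
[   80.430331][   T22] Workqueue: events __blk_release_queue
[   80.440727][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   80.477656][   T22]  __asan_report_load8_noabort+0x14/0x20
[   80.477678][   T22]  blk_mq_free_rqs+0x49f/0x4b0
[   80.508190][   T22]  __blk_release_queue+0x127/0x330
[   80.558438][   T22] Allocated by task 8806:
[   80.568665][   T22]  loop_add+0x51/0x8d0
[   80.583116][ T8808] kobject: 'cpu1' (00000000602b2473): kobject_add_internal: parent: '0', set: ''
[   80.605285][   T22]  __x64_sys_open+0x7e/0xc0
[   80.605325][   T22] Freed by task 8807:
[   80.605375][   T22]  kfree+0x106/0x2a0
[   80.605386][   T22]  loop_remove+0xa1/0xd0
[   80.615204][   T22]  __x64_sys_ioctl+0x73/0xb0
[   80.624958][   T22] The buggy address belongs to the object at ffff88808f92e900
[   80.624958][   T22]  which belongs to the cache kmalloc-1k of size 1024
[   80.633607][   T22] ==================================================================
"""
```

Run on the full log, `triage()` reports a read of 8 bytes at +528 into a kmalloc-1k object, used in `blk_mq_free_rqs` from the `__blk_release_queue` work item, allocated in `loop_add` under `open()` by task 8806 and freed in `loop_remove` under `ioctl()` by task 8807, which agrees with the "528 bytes inside of 1024-byte region" line the report itself prints. Three distinct tasks touching one object, with the use deferred to a workqueue, is the pattern to look for when deciding whether a report points at a lifetime race in device teardown rather than a simple missing check; `three_tasks` is a heuristic flag, not a proof.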