[ ok ] Starting enhanced syslogd: rsyslogd.
[   56.739469][   T27] audit: type=1800 audit(1559879015.525:25): pid=8552 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   56.784227][   T27] audit: type=1800 audit(1559879015.525:26): pid=8552 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   56.824349][   T27] audit: type=1800 audit(1559879015.535:27): pid=8552 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.192' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
syzkaller login: [   68.858606][ T2504] ==================================================================
[   68.866882][ T2504] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[   68.866899][ T2504] Read of size 8 at addr ffff8880916eefd0 by task kworker/0:2/2504
[   68.866903][ T2504]
[   68.866918][ T2504] CPU: 0 PID: 2504 Comm: kworker/0:2 Not tainted 5.2.0-rc3-next-20190606 #10
[   68.866926][ T2504] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   68.866946][ T2504] Workqueue: events __blk_release_queue
[   68.882163][ T2504] Call Trace:
[   68.882186][ T2504]  dump_stack+0x172/0x1f0
[   68.882202][ T2504]  ? blk_mq_free_rqs+0x49f/0x4b0
[   68.882222][ T2504]  print_address_description.cold+0xd4/0x306
[   68.882237][ T2504]  ? blk_mq_free_rqs+0x49f/0x4b0
[   68.882256][ T2504]  ? blk_mq_free_rqs+0x49f/0x4b0
[   68.893421][ T2504]  __kasan_report.cold+0x1b/0x36
[   68.893440][ T2504]  ? blk_mq_free_rqs+0x49f/0x4b0
[   68.893457][ T2504]  kasan_report+0x12/0x20
[   68.893474][ T2504]  __asan_report_load8_noabort+0x14/0x20
[   68.893492][ T2504]  blk_mq_free_rqs+0x49f/0x4b0
[   68.909280][ T2504]  ? dd_exit_queue+0x92/0xd0
[   68.909301][ T2504]  ? kfree+0x1ec/0x2a0
[   68.971531][ T2504]  blk_mq_sched_tags_teardown+0x126/0x210
[   68.977250][ T2504]  ? dd_request_merge+0x230/0x230
[   68.982279][ T2504]  blk_mq_exit_sched+0x1fa/0x2d0
[   68.987220][ T2504]  elevator_exit+0x70/0xa0
[   68.991679][ T2504]  __blk_release_queue+0x127/0x330
[   68.996786][ T2504]  process_one_work+0x989/0x1790
[   69.001721][ T2504]  ? pwq_dec_nr_in_flight+0x320/0x320
[   69.007126][ T2504]  ? lock_acquire+0x16f/0x3f0
[   69.011938][ T2504]  worker_thread+0x98/0xe40
[   69.016499][ T2504]  ? trace_hardirqs_on+0x67/0x220
[   69.021569][ T2504]  kthread+0x354/0x420
[   69.025729][ T2504]  ? process_one_work+0x1790/0x1790
[   69.030920][ T2504]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   69.037345][ T2504]  ret_from_fork+0x24/0x30
[   69.041761][ T2504]
[   69.044081][ T2504] Allocated by task 8710:
[   69.048406][ T2504]  save_stack+0x23/0x90
[   69.052749][ T2504]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   69.058460][ T2504]  kasan_kmalloc+0x9/0x10
[   69.062921][ T2504]  kmem_cache_alloc_trace+0x151/0x750
[   69.068421][ T2504]  loop_add+0x51/0x8d0
[   69.072761][ T2504]  loop_probe+0x161/0x1a0
[   69.077173][ T2504]  kobj_lookup+0x260/0x460
[   69.081717][ T2504]  get_gendisk+0x4d/0x390
[   69.086045][ T2504]  __blkdev_get+0x457/0x1660
[   69.090705][ T2504]  blkdev_get+0xc4/0x990
[   69.094941][ T2504]  blkdev_open+0x205/0x290
[   69.099505][ T2504]  do_dentry_open+0x4df/0x1250
[   69.104346][ T2504]  vfs_open+0xa0/0xd0
[   69.108325][ T2504]  path_openat+0x10e9/0x46d0
[   69.113203][ T2504]  do_filp_open+0x1a1/0x280
[   69.117846][ T2504]  do_sys_open+0x3fe/0x5d0
[   69.122394][ T2504]  __x64_sys_open+0x7e/0xc0
[   69.126900][ T2504]  do_syscall_64+0xfd/0x680
[   69.131400][ T2504]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   69.137450][ T2504]
[   69.139772][ T2504] Freed by task 8711:
[   69.143882][ T2504]  save_stack+0x23/0x90
[   69.148139][ T2504]  __kasan_slab_free+0x102/0x150
[   69.153242][ T2504]  kasan_slab_free+0xe/0x10
[   69.158000][ T2504]  kfree+0x106/0x2a0
[   69.161895][ T2504]  loop_remove+0xa1/0xd0
[   69.166137][ T2504]  loop_control_ioctl+0x320/0x360
[   69.171176][ T2504]  do_vfs_ioctl+0xdb6/0x13e0
[   69.175756][ T2504]  ksys_ioctl+0xab/0xd0
[   69.180043][ T2504]  __x64_sys_ioctl+0x73/0xb0
[   69.185182][ T2504]  do_syscall_64+0xfd/0x680
[   69.189776][ T2504]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   69.195878][ T2504]
[   69.198315][ T2504] The buggy address belongs to the object at ffff8880916eedc0
[   69.198315][ T2504]  which belongs to the cache kmalloc-1k of size 1024
[   69.212789][ T2504] The buggy address is located 528 bytes inside of
[   69.212789][ T2504]  1024-byte region [ffff8880916eedc0, ffff8880916ef1c0)
[   69.226142][ T2504] The buggy address belongs to the page:
[   69.231948][ T2504] page:ffffea000245bb80 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[   69.243072][ T2504] flags: 0x1fffc0000010200(slab|head)
[   69.248538][ T2504] raw: 01fffc0000010200 ffffea0002358e08 ffffea0002597008 ffff8880aa400ac0
[   69.257426][ T2504] raw: 0000000000000000 ffff8880916ee040 0000000100000007 0000000000000000
[   69.266226][ T2504] page dumped because: kasan: bad access detected
[   69.272767][ T2504]
[   69.275101][ T2504] Memory state around the buggy address:
[   69.281140][ T2504]  ffff8880916eee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.289195][ T2504]  ffff8880916eef00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.297510][ T2504] >ffff8880916eef80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.305659][ T2504]                                                  ^
[   69.312577][ T2504]  ffff8880916ef000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.321073][ T2504]  ffff8880916ef080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.329345][ T2504] ==================================================================
[   69.337527][ T2504] Disabling lock debugging due to kernel taint
[   69.348597][ T2504] Kernel panic - not syncing: panic_on_warn set ...
executing program
[   69.355330][ T2504] CPU: 0 PID: 2504 Comm: kworker/0:2 Tainted: G    B             5.2.0-rc3-next-20190606 #10
[   69.365576][ T2504] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   69.367244][ T8713] kobject: 'integrity' (000000001087f3e4): kobject_uevent_env
[   69.376162][ T2504] Workqueue: events __blk_release_queue
[   69.376170][ T2504] Call Trace:
[   69.376190][ T2504]  dump_stack+0x172/0x1f0
[   69.376212][ T2504]  panic+0x2cb/0x744
[   69.391699][ T8713] kobject: 'integrity' (000000001087f3e4): kobject_uevent_env: filter function caused the event to drop!
[   69.392967][ T2504]  ? __warn_printk+0xf3/0xf3
[   69.392988][ T2504]  ? blk_mq_free_rqs+0x49f/0x4b0
[   69.399898][ T8713] kobject: 'integrity' (000000001087f3e4): kobject_cleanup, parent 00000000bb78a8ac
[   69.401365][ T2504]  ? preempt_schedule+0x4b/0x60
[   69.401387][ T2504]  ? ___preempt_schedule+0x16/0x18
[   69.413042][ T8713] kobject: 'integrity' (000000001087f3e4): does not have a release() function, it is broken and must be fixed. See Documentation/kobject.txt.
[   69.417584][ T2504]  ? trace_hardirqs_on+0x5e/0x220
[   69.417603][ T2504]  ? blk_mq_free_rqs+0x49f/0x4b0
[   69.417618][ T2504]  end_report+0x47/0x4f
[   69.417636][ T2504]  ? blk_mq_free_rqs+0x49f/0x4b0
[   69.422715][ T8713] kobject: 'integrity': free name
[   69.432466][ T2504]  __kasan_report.cold+0xe/0x36
[   69.432482][ T2504]  ? blk_mq_free_rqs+0x49f/0x4b0
[   69.432495][ T2504]  kasan_report+0x12/0x20
[   69.432516][ T2504]  __asan_report_load8_noabort+0x14/0x20
[   69.501743][ T2504]  blk_mq_free_rqs+0x49f/0x4b0
[   69.506570][ T2504]  ? dd_exit_queue+0x92/0xd0
[   69.511423][ T2504]  ? kfree+0x1ec/0x2a0
[   69.515615][ T2504]  blk_mq_sched_tags_teardown+0x126/0x210
[   69.521453][ T2504]  ? dd_request_merge+0x230/0x230
[   69.526557][ T2504]  blk_mq_exit_sched+0x1fa/0x2d0
[   69.531761][ T2504]  elevator_exit+0x70/0xa0
[   69.536181][ T2504]  __blk_release_queue+0x127/0x330
[   69.541310][ T2504]  process_one_work+0x989/0x1790
[   69.546379][ T2504]  ? pwq_dec_nr_in_flight+0x320/0x320
[   69.551890][ T2504]  ? lock_acquire+0x16f/0x3f0
[   69.556715][ T2504]  worker_thread+0x98/0xe40
[   69.561445][ T2504]  ? trace_hardirqs_on+0x67/0x220
[   69.566588][ T2504]  kthread+0x354/0x420
[   69.570802][ T2504]  ? process_one_work+0x1790/0x1790
[   69.576017][ T2504]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   69.582472][ T2504]  ret_from_fork+0x24/0x30
[   69.588647][ T2504] Kernel Offset: disabled
[   69.593111][ T2504] Rebooting in 86400 seconds..
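Triage helper, added for this page; it is not syzkaller, syzbot or kernel code. Read as a whole, the report above says: an 8-byte read in blk_mq_free_rqs hit a kmalloc-1k object that loop_add allocated (task 8710, reached through an open() on a block device node that triggered loop_probe) and that loop_remove freed (task 8711, reached through the loop-control ioctl), and the read did not come from either task but from the deferred __blk_release_queue work on a kworker. Those are exactly the fields a triager pulls out by hand, so the Python below parses a report in this format into them: it strips the printk timestamp/caller prefix, drops the unreliable "?" frames, skips KASAN and allocator frames to find the code that owns the object on each stack, and cross-checks that the faulting address really sits at the stated offset inside the stated object (a mismatch means the report was truncated or mangled in copying). SAMPLE_REPORT is a trimmed copy of the report lines above, constructed for this example. The regexes assume the layout printed by this 5.2-era kernel (CONFIG_PRINTK_CALLER prefix, "Allocated by task N:" and "Freed by task N:" headers); newer kernels print richer headers and would need the patterns adjusted.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed sample: a trimmed copy of the report lines from this log, printk prefix kept.
SAMPLE_REPORT = """\
[   68.866882][ T2504] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[   68.866899][ T2504] Read of size 8 at addr ffff8880916eefd0 by task kworker/0:2/2504
[   68.866946][ T2504] Workqueue: events __blk_release_queue
[   68.882163][ T2504] Call Trace:
[   68.882202][ T2504]  ? blk_mq_free_rqs+0x49f/0x4b0
[   68.893474][ T2504]  __asan_report_load8_noabort+0x14/0x20
[   68.893492][ T2504]  blk_mq_free_rqs+0x49f/0x4b0
[   69.041761][ T2504]
[   69.044081][ T2504] Allocated by task 8710:
[   69.052749][ T2504]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   69.062921][ T2504]  kmem_cache_alloc_trace+0x151/0x750
[   69.068421][ T2504]  loop_add+0x51/0x8d0
[   69.137450][ T2504]
[   69.139772][ T2504] Freed by task 8711:
[   69.148139][ T2504]  __kasan_slab_free+0x102/0x150
[   69.158000][ T2504]  kfree+0x106/0x2a0
[   69.161895][ T2504]  loop_remove+0xa1/0xd0
[   69.166137][ T2504]  loop_control_ioctl+0x320/0x360
[   69.195878][ T2504]
[   69.198315][ T2504] The buggy address belongs to the object at ffff8880916eedc0
[   69.198315][ T2504]  which belongs to the cache kmalloc-1k of size 1024
[   69.212789][ T2504] The buggy address is located 528 bytes inside of
[   69.212789][ T2504]  1024-byte region [ffff8880916eedc0, ffff8880916ef1c0)
"""

PREFIX_RE = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")   # "[   68.866882][ T2504] "
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
STACK_HDR_RE = re.compile(r"(?P<which>Allocated|Freed) by task (?P<task>\d+):")
FRAME_RE = re.compile(r"^\s*(?P<unreliable>\?\s+)?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OBJECT_RE = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET_RE = re.compile(r"located (?P<off>\d+) bytes inside of")
# Frames that belong to KASAN or the slab allocator rather than to the code owning the object.
PLUMBING = ("dump_stack", "print_address", "save_stack", "kasan_", "__kasan_", "__asan_", "kmem_cache_", "kmalloc", "__kmalloc", "kfree")

@dataclass
class KasanReport:
    kind: str = ""           # e.g. "use-after-free"
    func: str = ""           # function containing the bad access
    op: str = ""             # "Read" or "Write"
    size: int = 0
    addr: int = 0
    context: str = ""        # workqueue (if any) or task that performed the access
    access_stack: List[str] = field(default_factory=list)
    alloc_task: Optional[int] = None
    alloc_stack: List[str] = field(default_factory=list)
    free_task: Optional[int] = None
    free_stack: List[str] = field(default_factory=list)
    object_base: Optional[int] = None
    cache: str = ""
    object_size: int = 0
    offset: Optional[int] = None

def parse_kasan_report(text: str) -> KasanReport:
    rep = KasanReport()
    section: Optional[List[str]] = None  # the stack currently being collected
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).rstrip()
        if not line:                       # a blank line closes a stack section
            section = None
        elif m := BUG_RE.search(line):
            rep.kind, rep.func = m["kind"], m["func"]
        elif m := ACCESS_RE.search(line):
            rep.op, rep.size, rep.addr, rep.context = m["op"], int(m["size"]), int(m["addr"], 16), m["task"]
        elif line.startswith("Workqueue:"):  # deferred work: the accessing task is not the culprit
            rep.context = line.split(":", 1)[1].strip()
        elif line.strip() == "Call Trace:":
            section = rep.access_stack
        elif m := STACK_HDR_RE.search(line):
            section = rep.alloc_stack if m["which"] == "Allocated" else rep.free_stack
            setattr(rep, "alloc_task" if m["which"] == "Allocated" else "free_task", int(m["task"]))
        elif m := OBJECT_RE.search(line):
            rep.object_base = int(m["base"], 16)
        elif m := CACHE_RE.search(line):
            rep.cache, rep.object_size = m["cache"], int(m["size"])
        elif m := OFFSET_RE.search(line):
            rep.offset = int(m["off"])
        elif section is not None and (m := FRAME_RE.match(line)) and not m["unreliable"]:
            section.append(m["sym"])       # '?' frames are stack-scan guesses; drop them
    return rep

def first_owner_frame(stack: List[str]) -> Optional[str]:
    """First frame that is not KASAN/allocator plumbing: the code that owns the object."""
    return next((s for s in stack if not s.startswith(PLUMBING)), None)

def offset_is_consistent(rep: KasanReport) -> bool:
    """Faulting address must sit at the stated offset inside the object, and the access must not run past its end."""
    return (rep.object_base is not None and rep.offset is not None
            and rep.addr - rep.object_base == rep.offset and rep.offset + rep.size <= rep.object_size)

def summarize(rep: KasanReport) -> str:
    return (f"{rep.kind}: {rep.op} of {rep.size} bytes at offset {rep.offset} in {rep.cache}; "
            f"allocated by {first_owner_frame(rep.alloc_stack)} (task {rep.alloc_task}), freed by "
            f"{first_owner_frame(rep.free_stack)} (task {rep.free_task}), touched from "
            f"{first_owner_frame(rep.access_stack)} in {rep.context}")
```

On the sample, summarize(parse_kasan_report(SAMPLE_REPORT)) yields "use-after-free: Read of 8 bytes at offset 528 in kmalloc-1k; allocated by loop_add (task 8710), freed by loop_remove (task 8711), touched from blk_mq_free_rqs in events __blk_release_queue", and offset_is_consistent confirms 0xffff8880916eefd0 - 0xffff8880916eedc0 == 528 with the 8-byte read ending inside the 1024-byte object. The owner-frame heuristic is what turns a stack into a bug title: the alloc and free sites name the driver (loop), while the access site names the block layer doing deferred queue teardown, which is the lifetime mismatch to chase in the source.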