[ ok ] Starting enhanced syslogd: rsyslogd.
[ 51.827113][ T26] audit: type=1800 audit(1559890987.844:25): pid=8310 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 51.871045][ T26] audit: type=1800 audit(1559890987.844:26): pid=8310 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 51.902035][ T26] audit: type=1800 audit(1559890987.844:27): pid=8310 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.143' (ECDSA) to the list of known hosts.
syzkaller login: [ 61.219706][ T8462] IPVS: ftp: loaded support on port[0] = 21
[ 61.279439][ T8462] chnl_net:caif_netlink_parms(): no params data found
[ 61.305440][ T8462] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.313076][ T8462] bridge0: port 1(bridge_slave_0) entered disabled state
[ 61.321311][ T8462] device bridge_slave_0 entered promiscuous mode
[ 61.329347][ T8462] bridge0: port 2(bridge_slave_1) entered blocking state
[ 61.336520][ T8462] bridge0: port 2(bridge_slave_1) entered disabled state
[ 61.344747][ T8462] device bridge_slave_1 entered promiscuous mode
[ 61.360823][ T8462] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 61.370838][ T8462] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 61.388713][ T8462] team0: Port device team_slave_0 added
[ 61.395394][ T8462] team0: Port device team_slave_1 added
[ 61.475714][ T8462] device hsr_slave_0 entered promiscuous mode
[ 61.564554][ T8462] device hsr_slave_1 entered promiscuous mode
[ 61.641439][ T8462] bridge0: port 2(bridge_slave_1) entered blocking state
[ 61.648647][ T8462] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 61.656412][ T8462] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.663467][ T8462] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 61.696759][ T8462] 8021q: adding VLAN 0 to HW filter on device bond0
[ 61.707760][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 61.728168][ T22] bridge0: port 1(bridge_slave_0) entered disabled state
[ 61.737044][ T22] bridge0: port 2(bridge_slave_1) entered disabled state
[ 61.746084][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 61.757950][ T8462] 8021q: adding VLAN 0 to HW filter on device team0
[ 61.767782][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 61.776465][ T12] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.783560][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 61.806098][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 61.814592][ T22] bridge0: port 2(bridge_slave_1) entered blocking state
[ 61.821634][ T22] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 61.829888][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 61.838886][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
executing program
[ 61.849171][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 61.857472][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 61.865814][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 61.875745][ T8462] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 61.892308][ T8462] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 61.947900][ T22] ==================================================================
[ 61.956120][ T22] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 61.956136][ T22] Read of size 8 at addr ffff888219162250 by task kworker/1:1/22
[ 61.956139][ T22]
[ 61.956152][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.2.0-rc3+ #40
[ 61.956159][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.956173][ T22] Workqueue: events __blk_release_queue
[ 61.956180][ T22] Call Trace:
[ 61.956197][ T22]  dump_stack+0x172/0x1f0
[ 61.956210][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 61.956231][ T22]  print_address_description.cold+0x7c/0x20d
[ 61.956243][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 61.971317][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 61.981048][ T22]  __kasan_report.cold+0x1b/0x40
[ 61.981063][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 61.981077][ T22]  kasan_report+0x12/0x20
[ 61.981091][ T22]  __asan_report_load8_noabort+0x14/0x20
[ 61.981101][ T22]  blk_mq_free_rqs+0x49f/0x4b0
[ 61.981113][ T22]  ? dd_exit_queue+0x92/0xd0
[ 61.981124][ T22]  ? kfree+0x170/0x220
[ 61.981145][ T22]  blk_mq_sched_tags_teardown+0x126/0x210
[ 61.981159][ T22]  ? dd_request_merge+0x230/0x230
[ 61.981175][ T22]  blk_mq_exit_sched+0x1fa/0x2d0
[ 61.981191][ T22]  elevator_exit+0x70/0xa0
[ 61.981205][ T22]  __blk_release_queue+0x127/0x330
[ 61.981223][ T22]  process_one_work+0x989/0x1790
[ 61.981241][ T22]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 61.981253][ T22]  ? lock_acquire+0x16f/0x3f0
[ 61.981278][ T22]  worker_thread+0x98/0xe40
[ 61.996870][ T22]  kthread+0x354/0x420
[ 61.996885][ T22]  ? process_one_work+0x1790/0x1790
[ 61.996897][ T22]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 61.996912][ T22]  ret_from_fork+0x24/0x30
[ 61.996928][ T22]
[ 62.000359][ T8462] kobject: 'loop0' (00000000d84184a0): kobject_uevent_env
[ 62.004502][ T22] Allocated by task 1:
[ 62.004517][ T22]  save_stack+0x23/0x90
[ 62.004529][ T22]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 62.004539][ T22]  kasan_kmalloc+0x9/0x10
[ 62.004549][ T22]  kmem_cache_alloc_trace+0x151/0x750
[ 62.004575][ T22]  loop_add+0x51/0x8d0
[ 62.004586][ T22]  loop_init+0x1fe/0x25a
[ 62.004603][ T22]  do_one_initcall+0x107/0x7ba
[ 62.010614][ T8462] kobject: 'loop0' (00000000d84184a0): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 62.015562][ T22]  kernel_init_freeable+0x4d4/0x5c3
[ 62.015574][ T22]  kernel_init+0x12/0x1c5
[ 62.015586][ T22]  ret_from_fork+0x24/0x30
[ 62.015589][ T22]
[ 62.015595][ T22] Freed by task 8462:
[ 62.015606][ T22]  save_stack+0x23/0x90
[ 62.015615][ T22]  __kasan_slab_free+0x102/0x150
[ 62.015625][ T22]  kasan_slab_free+0xe/0x10
[ 62.015634][ T22]  kfree+0xcf/0x220
[ 62.015643][ T22]  loop_remove+0xa1/0xd0
[ 62.015652][ T22]  loop_control_ioctl+0x320/0x360
[ 62.015666][ T22]  do_vfs_ioctl+0xd5f/0x1380
[ 62.027933][ T8462] kobject: 'queue' (0000000017a90e59): kobject_add_internal: parent: 'loop0', set: ''
[ 62.030426][ T22]  ksys_ioctl+0xab/0xd0
[ 62.036112][ T8462] kobject: 'mq' (000000007303f368): kobject_add_internal: parent: 'loop0', set: ''
[ 62.039733][ T22]  __x64_sys_ioctl+0x73/0xb0
[ 62.046609][ T8462] kobject: 'mq' (000000007303f368): kobject_uevent_env
[ 62.050181][ T22]  do_syscall_64+0xfd/0x680
[ 62.055574][ T8462] kobject: 'mq' (000000007303f368): kobject_uevent_env: filter function caused the event to drop!
[ 62.058794][ T22]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.065468][ T8462] kobject: '0' (00000000eca802c4): kobject_add_internal: parent: 'mq', set: ''
[ 62.069474][ T22]
[ 62.069490][ T22] The buggy address belongs to the object at ffff888219162040
[ 62.069490][ T22]  which belongs to the cache kmalloc-1k of size 1024
[ 62.074647][ T8462] kobject: 'cpu0' (00000000892e32f2): kobject_add_internal: parent: '0', set: ''
[ 62.078802][ T22] The buggy address is located 528 bytes inside of
[ 62.078802][ T22]  1024-byte region [ffff888219162040, ffff888219162440)
[ 62.084917][ T8462] kobject: 'cpu1' (000000002bfbec1b): kobject_add_internal: parent: '0', set: ''
[ 62.088816][ T22] The buggy address belongs to the page:
[ 62.094558][ T8462] kobject: 'queue' (0000000017a90e59): kobject_uevent_env
[ 62.098853][ T22] page:ffffea0008645880 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 62.103771][ T8462] kobject: 'queue' (0000000017a90e59): kobject_uevent_env: filter function caused the event to drop!
[ 62.107836][ T22] flags: 0x6fffc0000010200(slab|head)
[ 62.107853][ T22] raw: 06fffc0000010200 ffffea0008650d08 ffffea0008647188 ffff8880aa400ac0
[ 62.107866][ T22] raw: 0000000000000000 ffff888219162040 0000000100000007 0000000000000000
[ 62.107871][ T22] page dumped because: kasan: bad access detected
[ 62.107874][ T22]
[ 62.107878][ T22] Memory state around the buggy address:
[ 62.107887][ T22]  ffff888219162100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.107896][ T22]  ffff888219162180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.107905][ T22] >ffff888219162200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.107910][ T22]                                                  ^
[ 62.107920][ T22]  ffff888219162280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.107928][ T22]  ffff888219162300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.107933][ T22] ==================================================================
[ 62.107937][ T22] Disabling lock debugging due to kernel taint
[ 62.123943][ T22] Kernel panic - not syncing: panic_on_warn set ...
[ 62.125723][ T8462] kobject: 'iosched' (000000001165378f): kobject_add_internal: parent: 'queue', set: ''
[ 62.127326][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G B 5.2.0-rc3+ #40
[ 62.134728][ T8462] kobject: 'iosched' (000000001165378f): kobject_uevent_env
[ 62.138549][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.142686][ T8462] kobject: 'iosched' (000000001165378f): kobject_uevent_env: filter function caused the event to drop!
[ 62.148301][ T22] Workqueue: events __blk_release_queue
[ 62.148307][ T22] Call Trace:
[ 62.148325][ T22]  dump_stack+0x172/0x1f0
[ 62.148345][ T22]  panic+0x2cb/0x744
[ 62.148357][ T22]  ? __warn_printk+0xf3/0xf3
[ 62.148369][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 62.148386][ T22]  ? preempt_schedule+0x4b/0x60
[ 62.153430][ T8462] kobject: 'integrity' (000000003be63fe2): kobject_add_internal: parent: 'loop0', set: ''
[ 62.158046][ T22]  ? ___preempt_schedule+0x16/0x18
[ 62.158060][ T22]  ? trace_hardirqs_on+0x5e/0x220
[ 62.158075][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 62.158087][ T22]  end_report+0x47/0x4f
[ 62.158099][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 62.158110][ T22]  __kasan_report.cold+0xe/0x40
[ 62.158123][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 62.158136][ T22]  kasan_report+0x12/0x20
[ 62.158148][ T22]  __asan_report_load8_noabort+0x14/0x20
[ 62.158158][ T22]  blk_mq_free_rqs+0x49f/0x4b0
[ 62.158169][ T22]  ? dd_exit_queue+0x92/0xd0
[ 62.158178][ T22]  ? kfree+0x170/0x220
[ 62.158196][ T22]  blk_mq_sched_tags_teardown+0x126/0x210
[ 62.162568][ T8462] kobject: 'integrity' (000000003be63fe2): kobject_uevent_env
[ 62.166499][ T22]  ? dd_request_merge+0x230/0x230
[ 62.166514][ T22]  blk_mq_exit_sched+0x1fa/0x2d0
[ 62.166528][ T22]  elevator_exit+0x70/0xa0
[ 62.166541][ T22]  __blk_release_queue+0x127/0x330
[ 62.166569][ T22]  process_one_work+0x989/0x1790
[ 62.171746][ T8462] kobject: 'integrity' (000000003be63fe2): kobject_uevent_env: filter function caused the event to drop!
[ 62.181433][ T22]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 62.181445][ T22]  ? lock_acquire+0x16f/0x3f0
[ 62.181461][ T22]  worker_thread+0x98/0xe40
[ 62.181480][ T22]  kthread+0x354/0x420
[ 62.702279][ T22]  ? process_one_work+0x1790/0x1790
[ 62.707461][ T22]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 62.713690][ T22]  ret_from_fork+0x24/0x30
[ 62.719396][ T22] Kernel Offset: disabled
[ 62.723720][ T22] Rebooting in 86400 seconds..