[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
[ 68.017728][ T26] kauditd_printk_skb: 5 callbacks suppressed
[ 68.017741][ T26] audit: type=1800 audit(1559968491.026:33): pid=9514 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 68.046290][ T26] audit: type=1800 audit(1559968491.026:34): pid=9514 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 71.826991][ T26] audit: type=1400 audit(1559968494.836:35): avc: denied { map } for pid=9692 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.55' (ECDSA) to the list of known hosts.
executing program
[ 78.430378][ T26] audit: type=1400 audit(1559968501.436:36): avc: denied { map } for pid=9704 comm="syz-executor574" path="/root/syz-executor574067501" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 78.515918][ T12] ==================================================================
[ 78.524156][ T12] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 78.531426][ T12] Read of size 8 at addr ffff8882192ad450 by task kworker/0:1/12
[ 78.539240][ T12]
[ 78.541570][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.0-rc3+ #16
[ 78.559967][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 78.570542][ T12] Workqueue: events __blk_release_queue
[ 78.576070][ T12] Call Trace:
[ 78.579348][ T12]  dump_stack+0x172/0x1f0
[ 78.583680][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 78.588604][ T12]  print_address_description.cold+0x7c/0x20d
[ 78.594592][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 78.599619][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 78.617477][ T12]  __kasan_report.cold+0x1b/0x40
[ 78.622405][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 78.627575][ T12]  kasan_report+0x12/0x20
[ 78.631894][ T12]  __asan_report_load8_noabort+0x14/0x20
[ 78.637511][ T12]  blk_mq_free_rqs+0x49f/0x4b0
[ 78.642269][ T12]  ? dd_exit_queue+0x92/0xd0
[ 78.646879][ T12]  ? kfree+0x170/0x220
[ 78.651117][ T12]  blk_mq_sched_tags_teardown+0x126/0x210
[ 78.656837][ T12]  ? dd_request_merge+0x230/0x230
[ 78.662044][ T12]  blk_mq_exit_sched+0x1fa/0x2d0
[ 78.666997][ T12]  elevator_exit+0x70/0xa0
[ 78.671412][ T12]  __blk_release_queue+0x127/0x330
[ 78.676515][ T12]  process_one_work+0x989/0x1790
[ 78.681624][ T12]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 78.687074][ T12]  ? lock_acquire+0x16f/0x3f0
[ 78.691756][ T12]  worker_thread+0x98/0xe40
[ 78.696258][ T12]  ? trace_hardirqs_on+0x67/0x220
[ 78.701279][ T12]  kthread+0x354/0x420
[ 78.705366][ T12]  ? process_one_work+0x1790/0x1790
[ 78.710565][ T12]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 78.716817][ T12]  ret_from_fork+0x24/0x30
[ 78.721232][ T12]
[ 78.723543][ T12] Allocated by task 1:
[ 78.727611][ T12]  save_stack+0x23/0x90
[ 78.731753][ T12]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 78.738658][ T12]  kasan_kmalloc+0x9/0x10
[ 78.742985][ T12]  kmem_cache_alloc_trace+0x151/0x750
[ 78.748344][ T12]  loop_add+0x51/0x8d0
[ 78.752422][ T12]  loop_init+0x1fe/0x25a
[ 78.756653][ T12]  do_one_initcall+0x107/0x7ba
[ 78.761403][ T12]  kernel_init_freeable+0x4d4/0x5c3
[ 78.766587][ T12]  kernel_init+0x12/0x1c5
[ 78.770899][ T12]  ret_from_fork+0x24/0x30
[ 78.775294][ T12]
[ 78.777611][ T12] Freed by task 9705:
[ 78.781581][ T12]  save_stack+0x23/0x90
[ 78.785739][ T12]  __kasan_slab_free+0x102/0x150
[ 78.790686][ T12]  kasan_slab_free+0xe/0x10
[ 78.795173][ T12]  kfree+0xcf/0x220
[ 78.798973][ T12]  loop_remove+0xa1/0xd0
[ 78.803195][ T12]  loop_control_ioctl+0x320/0x360
[ 78.808195][ T12]  do_vfs_ioctl+0xd5f/0x1380
[ 78.812766][ T12]  ksys_ioctl+0xab/0xd0
[ 78.816922][ T12]  __x64_sys_ioctl+0x73/0xb0
[ 78.821508][ T12]  do_syscall_64+0xfd/0x680
[ 78.826039][ T12]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.832076][ T12]
[ 78.834386][ T12] The buggy address belongs to the object at ffff8882192ad240
[ 78.834386][ T12]  which belongs to the cache kmalloc-1k of size 1024
[ 78.848707][ T12] The buggy address is located 528 bytes inside of
[ 78.848707][ T12]  1024-byte region [ffff8882192ad240, ffff8882192ad640)
[ 78.862045][ T12] The buggy address belongs to the page:
[ 78.867661][ T12] page:ffffea000864ab00 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 78.878572][ T12] flags: 0x6fffc0000010200(slab|head)
[ 78.884147][ T12] raw: 06fffc0000010200 ffffea0008657b08 ffffea000864e208 ffff8880aa400ac0
[ 78.892725][ T12] raw: 0000000000000000 ffff8882192ac040 0000000100000007 0000000000000000
[ 78.901324][ T12] page dumped because: kasan: bad access detected
[ 78.907714][ T12]
[ 78.910021][ T12] Memory state around the buggy address:
[ 78.915633][ T12]  ffff8882192ad300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.923673][ T12]  ffff8882192ad380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.931717][ T12] >ffff8882192ad400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.939752][ T12]                                                  ^
[ 78.946413][ T12]  ffff8882192ad480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.954478][ T12]  ffff8882192ad500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
[ 78.962771][ T12] ==================================================================
[ 78.970812][ T12] Disabling lock debugging due to kernel taint
[ 78.980325][ T12] Kernel panic - not syncing: panic_on_warn set ...
[ 78.986942][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.2.0-rc3+ #16
[ 78.995792][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 79.005860][ T12] Workqueue: events __blk_release_queue
[ 79.011397][ T12] Call Trace:
[ 79.014677][ T12]  dump_stack+0x172/0x1f0
[ 79.015563][ T9707] kobject: 'integrity' (00000000cf2ae532): kobject_uevent_env
[ 79.019011][ T12]  panic+0x2cb/0x744
[ 79.019030][ T12]  ? __warn_printk+0xf3/0xf3
[ 79.026585][ T9707] kobject: 'integrity' (00000000cf2ae532): kobject_uevent_env: filter function caused the event to drop!
[ 79.030367][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 79.030388][ T12]  ? preempt_schedule+0x4b/0x60
[ 79.035608][ T9707] kobject: 'integrity' (00000000cf2ae532): kobject_cleanup, parent 0000000025bbc8dc
[ 79.046138][ T12]  ? ___preempt_schedule+0x16/0x18
[ 79.046154][ T12]  ? trace_hardirqs_on+0x5e/0x220
[ 79.046168][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 79.046181][ T12]  end_report+0x47/0x4f
[ 79.046193][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 79.046205][ T12]  __kasan_report.cold+0xe/0x40
[ 79.046224][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 79.051704][ T9707] kobject: 'integrity' (00000000cf2ae532): does not have a release() function, it is broken and must be fixed. See Documentation/kobject.txt.
[ 79.055999][ T12]  kasan_report+0x12/0x20
[ 79.056022][ T12]  __asan_report_load8_noabort+0x14/0x20
[ 79.065863][ T9707] kobject: 'integrity': free name
[ 79.070512][ T12]  blk_mq_free_rqs+0x49f/0x4b0
[ 79.070531][ T12]  ? dd_exit_queue+0x92/0xd0
[ 79.137982][ T12]  ? kfree+0x170/0x220
[ 79.142065][ T12]  blk_mq_sched_tags_teardown+0x126/0x210
[ 79.147778][ T12]  ? dd_request_merge+0x230/0x230
[ 79.152788][ T12]  blk_mq_exit_sched+0x1fa/0x2d0
[ 79.157733][ T12]  elevator_exit+0x70/0xa0
[ 79.162152][ T12]  __blk_release_queue+0x127/0x330
[ 79.167247][ T12]  process_one_work+0x989/0x1790
[ 79.172173][ T12]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 79.177538][ T12]  ? lock_acquire+0x16f/0x3f0
[ 79.182200][ T12]  worker_thread+0x98/0xe40
[ 79.186683][ T12]  ? trace_hardirqs_on+0x67/0x220
[ 79.191690][ T12]  kthread+0x354/0x420
[ 79.195744][ T12]  ? process_one_work+0x1790/0x1790
[ 79.200936][ T12]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 79.207158][ T12]  ret_from_fork+0x24/0x30
[ 79.212927][ T12] Kernel Offset: disabled
[ 79.217251][ T12] Rebooting in 86400 seconds..