[ ok ] Starting enhanced syslogd: rsyslogd.
[ 64.968734][ T27] audit: type=1800 audit(1559984791.389:25): pid=8755 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 65.011211][ T27] audit: type=1800 audit(1559984791.389:26): pid=8755 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 65.067971][ T27] audit: type=1800 audit(1559984791.389:27): pid=8755 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.37' (ECDSA) to the list of known hosts.
syzkaller login: [ 74.671621][ T8910] IPVS: ftp: loaded support on port[0] = 21
[ 74.737000][ T8910] chnl_net:caif_netlink_parms(): no params data found
[ 74.766197][ T8910] bridge0: port 1(bridge_slave_0) entered blocking state
[ 74.773999][ T8910] bridge0: port 1(bridge_slave_0) entered disabled state
[ 74.781983][ T8910] device bridge_slave_0 entered promiscuous mode
[ 74.790124][ T8910] bridge0: port 2(bridge_slave_1) entered blocking state
[ 74.797370][ T8910] bridge0: port 2(bridge_slave_1) entered disabled state
[ 74.805166][ T8910] device bridge_slave_1 entered promiscuous mode
[ 74.821286][ T8910] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 74.830833][ T8910] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 74.848282][ T8910] team0: Port device team_slave_0 added
[ 74.855974][ T8910] team0: Port device team_slave_1 added
[ 74.922937][ T8910] device hsr_slave_0 entered promiscuous mode
[ 74.971371][ T8910] device hsr_slave_1 entered promiscuous mode
[ 75.048965][ T8910] bridge0: port 2(bridge_slave_1) entered blocking state
[ 75.056184][ T8910] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 75.064170][ T8910] bridge0: port 1(bridge_slave_0) entered blocking state
[ 75.071285][ T8910] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 75.117515][ T8910] 8021q: adding VLAN 0 to HW filter on device bond0
[ 75.129466][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 75.139664][ T22] bridge0: port 1(bridge_slave_0) entered disabled state
[ 75.148204][ T22] bridge0: port 2(bridge_slave_1) entered disabled state
[ 75.158251][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 75.170504][ T8910] 8021q: adding VLAN 0 to HW filter on device team0
[ 75.181300][ T2830] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 75.189704][ T2830] bridge0: port 1(bridge_slave_0) entered blocking state
[ 75.196822][ T2830] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 75.208283][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 75.217660][ T22] bridge0: port 2(bridge_slave_1) entered blocking state
[ 75.224773][ T22] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 75.240553][ T2830] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 75.250477][ T2830] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 75.262988][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 75.277339][ T8910] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 75.288430][ T8910] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 75.301943][ T3232] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 75.310702][ T3232] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 75.319703][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
executing program
[ 75.338521][ T8910] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 75.414602][ T2830] ==================================================================
[ 75.422820][ T2830] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 75.430092][ T2830] Read of size 8 at addr ffff8880a3efdd50 by task kworker/0:2/2830
[ 75.437960][ T2830]
[ 75.440276][ T2830] CPU: 0 PID: 2830 Comm: kworker/0:2 Not tainted 5.2.0-rc3+ #16
[ 75.447884][ T2830] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.457933][ T2830] Workqueue: events __blk_release_queue
[ 75.463468][ T2830] Call Trace:
[ 75.466765][ T2830]  dump_stack+0x172/0x1f0
[ 75.471083][ T2830]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.476028][ T2830]  print_address_description.cold+0x7c/0x20d
[ 75.482006][ T2830]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.486928][ T2830]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.491942][ T2830]  __kasan_report.cold+0x1b/0x40
[ 75.496862][ T2830]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.501795][ T2830]  kasan_report+0x12/0x20
[ 75.506118][ T2830]  __asan_report_load8_noabort+0x14/0x20
[ 75.511755][ T2830]  blk_mq_free_rqs+0x49f/0x4b0
[ 75.516509][ T2830]  ? dd_exit_queue+0x92/0xd0
[ 75.521931][ T2830]  ? kfree+0x170/0x220
[ 75.525986][ T2830]  blk_mq_sched_tags_teardown+0x126/0x210
[ 75.531694][ T2830]  ? dd_request_merge+0x230/0x230
[ 75.536706][ T2830]  blk_mq_exit_sched+0x1fa/0x2d0
[ 75.541653][ T2830]  elevator_exit+0x70/0xa0
[ 75.546067][ T2830]  __blk_release_queue+0x127/0x330
[ 75.551185][ T2830]  process_one_work+0x989/0x1790
[ 75.556110][ T2830]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 75.561495][ T2830]  ? lock_acquire+0x16f/0x3f0
[ 75.566175][ T2830]  worker_thread+0x98/0xe40
[ 75.570820][ T2830]  ? trace_hardirqs_on+0x67/0x220
[ 75.575849][ T2830]  kthread+0x354/0x420
[ 75.579908][ T2830]  ? process_one_work+0x1790/0x1790
[ 75.585219][ T2830]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 75.591464][ T2830]  ret_from_fork+0x24/0x30
[ 75.595864][ T2830]
[ 75.598180][ T2830] Allocated by task 1:
[ 75.602252][ T2830]  save_stack+0x23/0x90
[ 75.606439][ T2830]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 75.612083][ T2830]  kasan_kmalloc+0x9/0x10
[ 75.616400][ T2830]  kmem_cache_alloc_trace+0x151/0x750
[ 75.621785][ T2830]  loop_add+0x51/0x8d0
[ 75.625881][ T2830]  loop_init+0x1fe/0x25a
[ 75.630289][ T2830]  do_one_initcall+0x107/0x7ba
[ 75.635071][ T2830]  kernel_init_freeable+0x4d4/0x5c3
[ 75.640279][ T2830]  kernel_init+0x12/0x1c5
[ 75.644594][ T2830]  ret_from_fork+0x24/0x30
[ 75.648985][ T2830]
[ 75.651301][ T2830] Freed by task 8910:
[ 75.655270][ T2830]  save_stack+0x23/0x90
[ 75.659411][ T2830]  __kasan_slab_free+0x102/0x150
[ 75.664447][ T2830]  kasan_slab_free+0xe/0x10
[ 75.668950][ T2830]  kfree+0xcf/0x220
[ 75.672747][ T2830]  loop_remove+0xa1/0xd0
[ 75.676977][ T2830]  loop_control_ioctl+0x320/0x360
[ 75.682021][ T2830]  __ia32_compat_sys_ioctl+0x195/0x620
[ 75.687482][ T2830]  do_fast_syscall_32+0x27b/0xd7d
[ 75.692496][ T2830]  entry_SYSENTER_compat+0x70/0x7f
[ 75.697591][ T2830]
[ 75.699927][ T2830] The buggy address belongs to the object at ffff8880a3efdb40
[ 75.699927][ T2830]  which belongs to the cache kmalloc-1k of size 1024
[ 75.713970][ T2830] The buggy address is located 528 bytes inside of
[ 75.713970][ T2830]  1024-byte region [ffff8880a3efdb40, ffff8880a3efdf40)
[ 75.727315][ T2830] The buggy address belongs to the page:
[ 75.732944][ T2830] page:ffffea00028fbf00 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 75.743874][ T2830] flags: 0x1fffc0000010200(slab|head)
[ 75.749236][ T2830] raw: 01fffc0000010200 ffffea00028f4008 ffffea00028fbb08 ffff8880aa400ac0
[ 75.757898][ T2830] raw: 0000000000000000 ffff8880a3efc040 0000000100000007 0000000000000000
[ 75.766468][ T2830] page dumped because: kasan: bad access detected
[ 75.772883][ T2830]
[ 75.775193][ T2830] Memory state around the buggy address:
[ 75.780808][ T2830]  ffff8880a3efdc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.788859][ T2830]  ffff8880a3efdc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.796907][ T2830] >ffff8880a3efdd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.804952][ T2830]                                                  ^
[ 75.811617][ T2830]  ffff8880a3efdd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.819670][ T2830]  ffff8880a3efde00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.827732][ T2830] ==================================================================
[ 75.835777][ T2830] Disabling lock debugging due to kernel taint
[ 75.842705][ T2830] Kernel panic - not syncing: panic_on_warn set ...
[ 75.849338][ T2830] CPU: 0 PID: 2830 Comm: kworker/0:2 Tainted: G    B             5.2.0-rc3+ #16
[ 75.858343][ T2830] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.868503][ T2830] Workqueue: events __blk_release_queue
[ 75.874030][ T2830] Call Trace:
[ 75.877308][ T2830]  dump_stack+0x172/0x1f0
[ 75.881672][ T2830]  panic+0x2cb/0x744
[ 75.885675][ T2830]  ? __warn_printk+0xf3/0xf3
[ 75.890251][ T2830]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.895179][ T2830]  ? preempt_schedule+0x4b/0x60
[ 75.900026][ T2830]  ? ___preempt_schedule+0x16/0x18
[ 75.905121][ T2830]  ? trace_hardirqs_on+0x5e/0x220
[ 75.910260][ T2830]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.915180][ T2830]  end_report+0x47/0x4f
[ 75.919316][ T2830]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.924347][ T2830]  __kasan_report.cold+0xe/0x40
[ 75.929184][ T2830]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.934105][ T2830]  kasan_report+0x12/0x20
[ 75.938414][ T2830]  __asan_report_load8_noabort+0x14/0x20
[ 75.944053][ T2830]  blk_mq_free_rqs+0x49f/0x4b0
[ 75.948814][ T2830]  ? dd_exit_queue+0x92/0xd0
[ 75.953398][ T2830]  ? kfree+0x170/0x220
[ 75.957450][ T2830]  blk_mq_sched_tags_teardown+0x126/0x210
[ 75.963175][ T2830]  ? dd_request_merge+0x230/0x230
[ 75.968188][ T2830]  blk_mq_exit_sched+0x1fa/0x2d0
[ 75.973109][ T2830]  elevator_exit+0x70/0xa0
[ 75.977505][ T2830]  __blk_release_queue+0x127/0x330
[ 75.982599][ T2830]  process_one_work+0x989/0x1790
[ 75.987520][ T2830]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 75.992874][ T2830]  ? lock_acquire+0x16f/0x3f0
[ 75.997533][ T2830]  worker_thread+0x98/0xe40
[ 76.002019][ T2830]  ? trace_hardirqs_on+0x67/0x220
[ 76.007023][ T2830]  kthread+0x354/0x420
[ 76.011080][ T2830]  ? process_one_work+0x1790/0x1790
[ 76.016256][ T2830]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 76.022476][ T2830]  ret_from_fork+0x24/0x30
[ 76.028020][ T2830] Kernel Offset: disabled
[ 76.032344][ T2830] Rebooting in 86400 seconds..