[ ok ] Starting enhanced syslogd: rsyslogd.
[   65.149847][   T27] audit: type=1800 audit(1559984626.171:25): pid=8657 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   65.192386][   T27] audit: type=1800 audit(1559984626.171:26): pid=8657 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   65.239118][   T27] audit: type=1800 audit(1559984626.171:27): pid=8657 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.238' (ECDSA) to the list of known hosts.

syzkaller login:
[   73.706177][ T8813] IPVS: ftp: loaded support on port[0] = 21
[   73.762543][ T8813] chnl_net:caif_netlink_parms(): no params data found
[   73.790242][ T8813] bridge0: port 1(bridge_slave_0) entered blocking state
[   73.797666][ T8813] bridge0: port 1(bridge_slave_0) entered disabled state
[   73.805793][ T8813] device bridge_slave_0 entered promiscuous mode
[   73.813415][ T8813] bridge0: port 2(bridge_slave_1) entered blocking state
[   73.820544][ T8813] bridge0: port 2(bridge_slave_1) entered disabled state
[   73.828069][ T8813] device bridge_slave_1 entered promiscuous mode
[   73.843166][ T8813] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   73.853015][ T8813] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   73.871146][ T8813] team0: Port device team_slave_0 added
[   73.878194][ T8813] team0: Port device team_slave_1 added
[   73.956388][ T8813] device hsr_slave_0 entered promiscuous mode
[   74.025233][ T8813] device hsr_slave_1 entered promiscuous mode
[   74.102077][ T8813] bridge0: port 2(bridge_slave_1) entered blocking state
[   74.109212][ T8813] bridge0: port 2(bridge_slave_1) entered forwarding state
[   74.116826][ T8813] bridge0: port 1(bridge_slave_0) entered blocking state
[   74.123856][ T8813] bridge0: port 1(bridge_slave_0) entered forwarding state
[   74.158264][ T8813] 8021q: adding VLAN 0 to HW filter on device bond0
[   74.169110][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   74.179052][    T5] bridge0: port 1(bridge_slave_0) entered disabled state
[   74.187142][    T5] bridge0: port 2(bridge_slave_1) entered disabled state
[   74.195332][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   74.206255][ T8813] 8021q: adding VLAN 0 to HW filter on device team0
[   74.216094][ T3003] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   74.224355][ T3003] bridge0: port 1(bridge_slave_0) entered blocking state
[   74.231455][ T3003] bridge0: port 1(bridge_slave_0) entered forwarding state
[   74.256383][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   74.264660][    T5] bridge0: port 2(bridge_slave_1) entered blocking state
[   74.271753][    T5] bridge0: port 2(bridge_slave_1) entered forwarding state
[   74.279690][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   74.288229][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   74.296660][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
executing program
[   74.304798][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   74.313439][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   74.323049][ T8813] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   74.340434][ T8813] 8021q: adding VLAN 0 to HW filter on device batadv0
[   74.417802][    T5] ==================================================================
[   74.425904][    T5] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[   74.433159][    T5] Read of size 8 at addr ffff888219513d50 by task kworker/0:0/5
[   74.440769][    T5]
[   74.443076][    T5] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.2.0-rc3+ #42
[   74.450411][    T5] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   74.460444][    T5] Workqueue: events __blk_release_queue
[   74.465956][    T5] Call Trace:
[   74.469233][    T5]  dump_stack+0x172/0x1f0
[   74.473539][    T5]  ? blk_mq_free_rqs+0x49f/0x4b0
[   74.478454][    T5]  print_address_description.cold+0x7c/0x20d
[   74.484403][    T5]  ? blk_mq_free_rqs+0x49f/0x4b0
[   74.489312][    T5]  ? blk_mq_free_rqs+0x49f/0x4b0
[   74.494223][    T5]  __kasan_report.cold+0x1b/0x40
[   74.499135][    T5]  ? blk_mq_free_rqs+0x49f/0x4b0
[   74.504058][    T5]  kasan_report+0x12/0x20
[   74.508368][    T5]  __asan_report_load8_noabort+0x14/0x20
[   74.513998][    T5]  blk_mq_free_rqs+0x49f/0x4b0
[   74.518737][    T5]  ? dd_exit_queue+0x92/0xd0
[   74.523299][    T5]  ? kfree+0x170/0x220
[   74.527346][    T5]  blk_mq_sched_tags_teardown+0x126/0x210
[   74.533039][    T5]  ? dd_request_merge+0x230/0x230
[   74.538040][    T5]  blk_mq_exit_sched+0x1fa/0x2d0
[   74.542954][    T5]  elevator_exit+0x70/0xa0
[   74.547345][    T5]  __blk_release_queue+0x127/0x330
[   74.552434][    T5]  process_one_work+0x989/0x1790
[   74.557349][    T5]  ? pwq_dec_nr_in_flight+0x320/0x320
[   74.562696][    T5]  ? lock_acquire+0x16f/0x3f0
[   74.567352][    T5]  worker_thread+0x98/0xe40
[   74.571838][    T5]  kthread+0x354/0x420
[   74.575883][    T5]  ? process_one_work+0x1790/0x1790
[   74.581053][    T5]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   74.587268][    T5]  ret_from_fork+0x24/0x30
[   74.591673][    T5]
[   74.593974][    T5] Allocated by task 1:
[   74.598021][    T5]  save_stack+0x23/0x90
[   74.602151][    T5]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   74.607767][    T5]  kasan_kmalloc+0x9/0x10
[   74.612078][    T5]  kmem_cache_alloc_trace+0x151/0x750
[   74.617424][    T5]  loop_add+0x51/0x8d0
[   74.621467][    T5]  loop_init+0x1fe/0x25a
[   74.625685][    T5]  do_one_initcall+0x107/0x7ba
[   74.630419][    T5]  kernel_init_freeable+0x4d4/0x5c3
[   74.635604][    T5]  kernel_init+0x12/0x1c5
[   74.639905][    T5]  ret_from_fork+0x24/0x30
[   74.644288][    T5]
[   74.646592][    T5] Freed by task 8813:
[   74.650546][    T5]  save_stack+0x23/0x90
[   74.654674][    T5]  __kasan_slab_free+0x102/0x150
[   74.659616][    T5]  kasan_slab_free+0xe/0x10
[   74.664090][    T5]  kfree+0xcf/0x220
[   74.667878][    T5]  loop_remove+0xa1/0xd0
[   74.672096][    T5]  loop_control_ioctl+0x320/0x360
[   74.677109][    T5]  do_vfs_ioctl+0xd5f/0x1380
[   74.681670][    T5]  ksys_ioctl+0xab/0xd0
[   74.685799][    T5]  __x64_sys_ioctl+0x73/0xb0
[   74.690363][    T5]  do_syscall_64+0xfd/0x680
[   74.694841][    T5]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   74.700699][    T5]
[   74.703003][    T5] The buggy address belongs to the object at ffff888219513b40
[   74.703003][    T5]  which belongs to the cache kmalloc-1k of size 1024
[   74.717158][    T5] The buggy address is located 528 bytes inside of
[   74.717158][    T5]  1024-byte region [ffff888219513b40, ffff888219513f40)
[   74.730498][    T5] The buggy address belongs to the page:
[   74.736115][    T5] page:ffffea0008654480 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0xffff888219512040 compound_mapcount: 0
[   74.748333][    T5] flags: 0x6fffc0000010200(slab|head)
[   74.753677][    T5] raw: 06fffc0000010200 ffffea0008627a88 ffffea0008653188 ffff8880aa400ac0
[   74.762250][    T5] raw: ffff888219512040 ffff888219512040 0000000100000005 0000000000000000
[   74.770800][    T5] page dumped because: kasan: bad access detected
[   74.777181][    T5]
[   74.779481][    T5] Memory state around the buggy address:
[   74.785084][    T5]  ffff888219513c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.793113][    T5]  ffff888219513c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.801180][    T5] >ffff888219513d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.809212][    T5]                                              ^
[   74.815867][    T5]  ffff888219513d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.824093][    T5]  ffff888219513e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.832120][    T5] ==================================================================
[   74.840150][    T5] Disabling lock debugging due to kernel taint
[   74.848365][    T5] Kernel panic - not syncing: panic_on_warn set ...
[   74.854968][    T5] CPU: 0 PID: 5 Comm: kworker/0:0 Tainted: G    B             5.2.0-rc3+ #42
[   74.863716][    T5] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   74.873754][    T5] Workqueue: events __blk_release_queue
[   74.879266][    T5] Call Trace:
[   74.882530][    T5]  dump_stack+0x172/0x1f0
[   74.886846][    T5]  panic+0x2cb/0x744
[   74.890734][    T5]  ? __warn_printk+0xf3/0xf3
[   74.895299][    T5]  ? blk_mq_free_rqs+0x49f/0x4b0
[   74.900219][    T5]  ? preempt_schedule+0x4b/0x60
[   74.905043][    T5]  ? ___preempt_schedule+0x16/0x18
[   74.910143][    T5]  ? trace_hardirqs_on+0x5e/0x220
[   74.915140][    T5]  ? blk_mq_free_rqs+0x49f/0x4b0
[   74.920047][    T5]  end_report+0x47/0x4f
[   74.924170][    T5]  ? blk_mq_free_rqs+0x49f/0x4b0
[   74.929076][    T5]  __kasan_report.cold+0xe/0x40
[   74.934195][    T5]  ? blk_mq_free_rqs+0x49f/0x4b0
[   74.939108][    T5]  kasan_report+0x12/0x20
[   74.943411][    T5]  __asan_report_load8_noabort+0x14/0x20
[   74.949014][    T5]  blk_mq_free_rqs+0x49f/0x4b0
[   74.953750][    T5]  ? dd_exit_queue+0x92/0xd0
[   74.958311][    T5]  ? kfree+0x170/0x220
[   74.962377][    T5]  blk_mq_sched_tags_teardown+0x126/0x210
[   74.968068][    T5]  ? dd_request_merge+0x230/0x230
[   74.973078][    T5]  blk_mq_exit_sched+0x1fa/0x2d0
[   74.977991][    T5]  elevator_exit+0x70/0xa0
[   74.982379][    T5]  __blk_release_queue+0x127/0x330
[   74.987463][    T5]  process_one_work+0x989/0x1790
[   74.992373][    T5]  ? pwq_dec_nr_in_flight+0x320/0x320
[   74.997719][    T5]  ? lock_acquire+0x16f/0x3f0
[   75.002373][    T5]  worker_thread+0x98/0xe40
[   75.006895][    T5]  kthread+0x354/0x420
[   75.010951][    T5]  ? process_one_work+0x1790/0x1790
[   75.016123][    T5]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   75.022337][    T5]  ret_from_fork+0x24/0x30
[   75.027844][    T5] Kernel Offset: disabled
[   75.032165][    T5] Rebooting in 86400 seconds..