[ ok ] Starting enhanced syslogd: rsyslogd.
[ 53.550707][ T26] audit: type=1800 audit(1559970127.160:25): pid=8396 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 53.603987][ T26] audit: type=1800 audit(1559970127.170:26): pid=8396 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 53.633622][ T26] audit: type=1800 audit(1559970127.170:27): pid=8396 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.124' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login:
[ 61.490498][ T2945] ==================================================================
[ 61.490540][ T2945] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 61.490550][ T2945] Read of size 8 at addr ffff8880a3892690 by task kworker/0:2/2945
[ 61.506039][ T2945]
[ 61.506056][ T2945] CPU: 0 PID: 2945 Comm: kworker/0:2 Not tainted 5.2.0-rc3+ #16
[ 61.506064][ T2945] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.506084][ T2945] Workqueue: events __blk_release_queue
[ 61.506092][ T2945] Call Trace:
[ 61.506109][ T2945]  dump_stack+0x172/0x1f0
[ 61.506129][ T2945]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 61.516359][ T2945]  print_address_description.cold+0x7c/0x20d
[ 61.516373][ T2945]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 61.516387][ T2945]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 61.516401][ T2945]  __kasan_report.cold+0x1b/0x40
[ 61.516418][ T2945]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 61.534103][ T2945]  kasan_report+0x12/0x20
[ 61.534121][ T2945]  __asan_report_load8_noabort+0x14/0x20
[ 61.534136][ T2945]  blk_mq_free_rqs+0x49f/0x4b0
[ 61.534148][ T2945]  ? dd_exit_queue+0x92/0xd0
[ 61.534163][ T2945]  ? kfree+0x170/0x220
[ 61.534183][ T2945]  blk_mq_sched_tags_teardown+0x126/0x210
[ 61.542979][ T2945]  ? dd_request_merge+0x230/0x230
[ 61.542997][ T2945]  blk_mq_exit_sched+0x1fa/0x2d0
[ 61.543017][ T2945]  elevator_exit+0x70/0xa0
[ 61.543036][ T2945]  __blk_release_queue+0x127/0x330
[ 61.547944][ T8560] kobject: 'iosched' (0000000047289250): kobject_uevent_env
[ 61.559251][ T2945]  process_one_work+0x989/0x1790
[ 61.559273][ T2945]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 61.559287][ T2945]  ? lock_acquire+0x16f/0x3f0
[ 61.559311][ T2945]  worker_thread+0x98/0xe40
[ 61.559324][ T2945]  ? trace_hardirqs_on+0x67/0x220
[ 61.559353][ T2945]  kthread+0x354/0x420
[ 61.565456][ T8560] kobject: 'iosched' (0000000047289250): kobject_uevent_env: attempted to send uevent without kset!
[ 61.570234][ T2945]  ? process_one_work+0x1790/0x1790
[ 61.570248][ T2945]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 61.570265][ T2945]  ret_from_fork+0x24/0x30
[ 61.570284][ T2945]
[ 61.570292][ T2945] Allocated by task 1:
[ 61.570304][ T2945]  save_stack+0x23/0x90
[ 61.570320][ T2945]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 61.575704][ T8560] kobject: 'holders' (00000000d0c667cb): kobject_cleanup, parent 00000000b7663e18
[ 61.580170][ T2945]  kasan_kmalloc+0x9/0x10
[ 61.580181][ T2945]  kmem_cache_alloc_trace+0x151/0x750
[ 61.580192][ T2945]  loop_add+0x51/0x8d0
[ 61.580204][ T2945]  loop_init+0x1fe/0x25a
[ 61.580217][ T2945]  do_one_initcall+0x107/0x7ba
[ 61.580231][ T2945]  kernel_init_freeable+0x4d4/0x5c3
[ 61.580243][ T2945]  kernel_init+0x12/0x1c5
[ 61.580252][ T2945]  ret_from_fork+0x24/0x30
[ 61.580262][ T2945]
[ 61.585337][ T8560] kobject: 'holders' (00000000d0c667cb): auto cleanup kobject_del
[ 61.589502][ T2945] Freed by task 8561:
[ 61.589518][ T2945]  save_stack+0x23/0x90
[ 61.589530][ T2945]  __kasan_slab_free+0x102/0x150
[ 61.589541][ T2945]  kasan_slab_free+0xe/0x10
[ 61.589552][ T2945]  kfree+0xcf/0x220
[ 61.589561][ T2945]  loop_remove+0xa1/0xd0
[ 61.589571][ T2945]  loop_control_ioctl+0x320/0x360
[ 61.589584][ T2945]  __ia32_compat_sys_ioctl+0x195/0x620
[ 61.589601][ T2945]  do_fast_syscall_32+0x27b/0xd7d
[ 61.595498][ T8560] kobject: 'holders' (00000000d0c667cb): calling ktype release
[ 61.600129][ T2945]  entry_SYSENTER_compat+0x70/0x7f
[ 61.600132][ T2945]
[ 61.600143][ T2945] The buggy address belongs to the object at ffff8880a3892480
[ 61.600143][ T2945]  which belongs to the cache kmalloc-1k of size 1024
[ 61.600161][ T2945] The buggy address is located 528 bytes inside of
[ 61.600161][ T2945]  1024-byte region [ffff8880a3892480, ffff8880a3892880)
[ 61.600167][ T2945] The buggy address belongs to the page:
[ 61.600179][ T2945] page:ffffea00028e2480 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 61.600199][ T2945] flags: 0x1fffc0000010200(slab|head)
[ 61.604920][ T8560] kobject: (00000000d0c667cb): dynamic_kobj_release
[ 61.608888][ T2945] raw: 01fffc0000010200 ffffea00028e1d08 ffffea00028e3108 ffff8880aa400ac0
[ 61.608903][ T2945] raw: 0000000000000000 ffff8880a3892000 0000000100000007 0000000000000000
[ 61.608909][ T2945] page dumped because: kasan: bad access detected
[ 61.608913][ T2945]
[ 61.608917][ T2945] Memory state around the buggy address:
[ 61.608928][ T2945]  ffff8880a3892580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.608938][ T2945]  ffff8880a3892600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.608947][ T2945] >ffff8880a3892680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.608952][ T2945]                                                                    ^
[ 61.608965][ T2945]  ffff8880a3892700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.614778][ T8560] kobject: 'holders': free name
[ 61.619673][ T2945]  ffff8880a3892780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.619678][ T2945] ==================================================================
[ 61.619682][ T2945] Disabling lock debugging due to kernel taint
[ 61.620877][ T2945] Kernel panic - not syncing: panic_on_warn set ...
[ 61.626418][ T8560] kobject: 'slaves' (00000000d92f0675): kobject_cleanup, parent 00000000b7663e18
[ 61.629132][ T2945] CPU: 0 PID: 2945 Comm: kworker/0:2 Tainted: G B 5.2.0-rc3+ #16
[ 61.629140][ T2945] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.629163][ T2945] Workqueue: events __blk_release_queue
[ 61.629170][ T2945] Call Trace:
[ 61.629190][ T2945]  dump_stack+0x172/0x1f0
[ 61.635018][ T8560] kobject: 'slaves' (00000000d92f0675): auto cleanup kobject_del
[ 61.641585][ T2945]  panic+0x2cb/0x744
[ 61.641599][ T2945]  ? __warn_printk+0xf3/0xf3
[ 61.641613][ T2945]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 61.641628][ T2945]  ? preempt_schedule+0x4b/0x60
[ 61.641639][ T2945]  ? ___preempt_schedule+0x16/0x18
[ 61.641661][ T2945]  ? trace_hardirqs_on+0x5e/0x220
[ 61.647021][ T8560] kobject: 'slaves' (00000000d92f0675): calling ktype release
[ 61.652120][ T2945]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 61.652134][ T2945]  end_report+0x47/0x4f
[ 61.652150][ T2945]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 61.652163][ T2945]  __kasan_report.cold+0xe/0x40
[ 61.652173][ T2945]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 61.652188][ T2945]  kasan_report+0x12/0x20
[ 61.657139][ T8560] kobject: (00000000d92f0675): dynamic_kobj_release
[ 61.661415][ T2945]  __asan_report_load8_noabort+0x14/0x20
[ 61.661427][ T2945]  blk_mq_free_rqs+0x49f/0x4b0
[ 61.661439][ T2945]  ? dd_exit_queue+0x92/0xd0
[ 61.661450][ T2945]  ? kfree+0x170/0x220
[ 61.661464][ T2945]  blk_mq_sched_tags_teardown+0x126/0x210
[ 61.661479][ T2945]  ? dd_request_merge+0x230/0x230
[ 61.666690][ T8560] kobject: 'slaves': free name
[ 61.670544][ T2945]  blk_mq_exit_sched+0x1fa/0x2d0
[ 61.670561][ T2945]  elevator_exit+0x70/0xa0
[ 61.670581][ T2945]  __blk_release_queue+0x127/0x330
[ 61.670601][ T2945]  process_one_work+0x989/0x1790
[ 61.670619][ T2945]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 61.682333][ T8560] kobject: 'loop3' (00000000b7663e18): kobject_uevent_env
[ 61.686708][ T2945]  ? lock_acquire+0x16f/0x3f0
[ 61.686730][ T2945]  worker_thread+0x98/0xe40
[ 61.686742][ T2945]  ? trace_hardirqs_on+0x67/0x220
[ 61.686759][ T2945]  kthread+0x354/0x420
[ 61.693268][ T8560] kobject: 'loop3' (00000000b7663e18): fill_kobj_path: path = '/devices/virtual/block/loop3'
[ 61.697538][ T2945]  ? process_one_work+0x1790/0x1790
[ 61.697553][ T2945]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 61.697566][ T2945]  ret_from_fork+0x24/0x30
[ 61.702038][ T2945] Kernel Offset: disabled
[ 62.225130][ T2945] Rebooting in 86400 seconds..