[ 60.934502][ T26] audit: type=1800 audit(1560012154.565:25): pid=8802 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 60.976490][ T26] audit: type=1800 audit(1560012154.575:26): pid=8802 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 61.005337][ T26] audit: type=1800 audit(1560012154.575:27): pid=8802 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[FAIL] startpar: service(s) returned failure: ssh ... failed!
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.205' (ECDSA) to the list of known hosts.
syzkaller login: [ 72.666664][ T8975] IPVS: ftp: loaded support on port[0] = 21
[ 72.731818][ T8975] chnl_net:caif_netlink_parms(): no params data found
[ 72.759208][ T8975] bridge0: port 1(bridge_slave_0) entered blocking state
[ 72.767125][ T8975] bridge0: port 1(bridge_slave_0) entered disabled state
[ 72.774944][ T8975] device bridge_slave_0 entered promiscuous mode
[ 72.783326][ T8975] bridge0: port 2(bridge_slave_1) entered blocking state
[ 72.790624][ T8975] bridge0: port 2(bridge_slave_1) entered disabled state
[ 72.798349][ T8975] device bridge_slave_1 entered promiscuous mode
[ 72.814856][ T8975] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 72.826168][ T8975] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 72.845034][ T8975] team0: Port device team_slave_0 added
[ 72.852396][ T8975] team0: Port device team_slave_1 added
[ 72.908818][ T8975] device hsr_slave_0 entered promiscuous mode
[ 72.946897][ T8975] device hsr_slave_1 entered promiscuous mode
[ 72.994370][ T8975] bridge0: port 2(bridge_slave_1) entered blocking state
[ 73.001576][ T8975] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 73.009703][ T8975] bridge0: port 1(bridge_slave_0) entered blocking state
[ 73.016837][ T8975] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 73.051803][ T8975] 8021q: adding VLAN 0 to HW filter on device bond0
[ 73.063065][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 73.088220][ T12] bridge0: port 1(bridge_slave_0) entered disabled state
[ 73.098562][ T12] bridge0: port 2(bridge_slave_1) entered disabled state
[ 73.107189][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 73.118553][ T8975] 8021q: adding VLAN 0 to HW filter on device team0
[ 73.130996][ T3489] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 73.139779][ T3489] bridge0: port 1(bridge_slave_0) entered blocking state
[ 73.146995][ T3489] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 73.169108][ T8980] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 73.178776][ T8980] bridge0: port 2(bridge_slave_1) entered blocking state
[ 73.185854][ T8980] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 73.194301][ T8980] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 73.204269][ T8980] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 73.214245][ T8980] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 73.229154][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 73.238294][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
executing program
[ 73.250201][ T8975] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 73.269080][ T8975] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 73.351470][ T8980] ==================================================================
[ 73.359921][ T8980] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 73.367227][ T8980] Read of size 8 at addr ffff8880a3dc9890 by task kworker/1:3/8980
[ 73.367242][ T8980]
[ 73.367258][ T8980] CPU: 1 PID: 8980 Comm: kworker/1:3 Not tainted 5.2.0-rc3+ #16
[ 73.367265][ T8980] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.367286][ T8980] Workqueue: events __blk_release_queue
[ 73.367293][ T8980] Call Trace:
[ 73.367317][ T8980] dump_stack+0x172/0x1f0
[ 73.367331][ T8980] ? blk_mq_free_rqs+0x49f/0x4b0
[ 73.367348][ T8980] print_address_description.cold+0x7c/0x20d
[ 73.367360][ T8980] ? blk_mq_free_rqs+0x49f/0x4b0
[ 73.367371][ T8980] ? blk_mq_free_rqs+0x49f/0x4b0
[ 73.367383][ T8980] __kasan_report.cold+0x1b/0x40
[ 73.367395][ T8980] ? blk_mq_free_rqs+0x49f/0x4b0
[ 73.367408][ T8980] kasan_report+0x12/0x20
[ 73.367420][ T8980] __asan_report_load8_noabort+0x14/0x20
[ 73.367431][ T8980] blk_mq_free_rqs+0x49f/0x4b0
[ 73.367443][ T8980] ? dd_exit_queue+0x92/0xd0
[ 73.367452][ T8980] ? kfree+0x170/0x220
[ 73.367469][ T8980] blk_mq_sched_tags_teardown+0x126/0x210
[ 73.367482][ T8980] ? dd_request_merge+0x230/0x230
[ 73.367495][ T8980] blk_mq_exit_sched+0x1fa/0x2d0
[ 73.367510][ T8980] elevator_exit+0x70/0xa0
[ 73.367525][ T8980] __blk_release_queue+0x127/0x330
[ 73.367545][ T8980] process_one_work+0x989/0x1790
[ 73.367568][ T8980] ? pwq_dec_nr_in_flight+0x320/0x320
[ 73.367580][ T8980] ? lock_acquire+0x16f/0x3f0
[ 73.367606][ T8980] worker_thread+0x98/0xe40
[ 73.367624][ T8980] ? trace_hardirqs_on+0x67/0x220
[ 73.367650][ T8980] kthread+0x354/0x420
[ 73.367664][ T8980] ? process_one_work+0x1790/0x1790
[ 73.367677][ T8980] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 73.367691][ T8980] ret_from_fork+0x24/0x30
[ 73.367711][ T8980]
[ 73.367718][ T8980] Allocated by task 1:
[ 73.367731][ T8980] save_stack+0x23/0x90
[ 73.367743][ T8980] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 73.367754][ T8980] kasan_kmalloc+0x9/0x10
[ 73.367766][ T8980] kmem_cache_alloc_trace+0x151/0x750
[ 73.367779][ T8980] loop_add+0x51/0x8d0
[ 73.367793][ T8980] loop_init+0x1fe/0x25a
[ 73.367805][ T8980] do_one_initcall+0x107/0x7ba
[ 73.367817][ T8980] kernel_init_freeable+0x4d4/0x5c3
[ 73.367827][ T8980] kernel_init+0x12/0x1c5
[ 73.367835][ T8980] ret_from_fork+0x24/0x30
[ 73.367838][ T8980]
[ 73.367843][ T8980] Freed by task 8975:
[ 73.367852][ T8980] save_stack+0x23/0x90
[ 73.367860][ T8980] __kasan_slab_free+0x102/0x150
[ 73.367869][ T8980] kasan_slab_free+0xe/0x10
[ 73.367877][ T8980] kfree+0xcf/0x220
[ 73.367886][ T8980] loop_remove+0xa1/0xd0
[ 73.367896][ T8980] loop_control_ioctl+0x320/0x360
[ 73.367908][ T8980] __ia32_compat_sys_ioctl+0x195/0x620
[ 73.367919][ T8980] do_fast_syscall_32+0x27b/0xd7d
[ 73.367930][ T8980] entry_SYSENTER_compat+0x70/0x7f
[ 73.367933][ T8980]
[ 73.367943][ T8980] The buggy address belongs to the object at ffff8880a3dc9680
[ 73.367943][ T8980] which belongs to the cache kmalloc-1k of size 1024
[ 73.367953][ T8980] The buggy address is located 528 bytes inside of
[ 73.367953][ T8980] 1024-byte region [ffff8880a3dc9680, ffff8880a3dc9a80)
[ 73.367957][ T8980] The buggy address belongs to the page:
[ 73.367968][ T8980] page:ffffea00028f7200 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 73.367982][ T8980] flags: 0x1fffc0000010200(slab|head)
[ 73.368000][ T8980] raw: 01fffc0000010200 ffffea00028f4008 ffffea00028fbd88 ffff8880aa400ac0
[ 73.368013][ T8980] raw: 0000000000000000 ffff8880a3dc8000 0000000100000007 0000000000000000
[ 73.368018][ T8980] page dumped because: kasan: bad access detected
[ 73.368021][ T8980]
[ 73.368025][ T8980] Memory state around the buggy address:
[ 73.368035][ T8980] ffff8880a3dc9780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.368045][ T8980] ffff8880a3dc9800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.368054][ T8980] >ffff8880a3dc9880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.368058][ T8980] ^
[ 73.368067][ T8980] ffff8880a3dc9900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.368076][ T8980] ffff8880a3dc9980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.368081][ T8980] ==================================================================
[ 73.368086][ T8980] Disabling lock debugging due to kernel taint
[ 73.368220][ T8980] Kernel panic - not syncing: panic_on_warn set ...
[ 73.377203][ T8975] kobject: 'holders' (000000003791896f): kobject_add_internal: parent: 'loop0', set: ''
[ 73.378387][ T8980] CPU: 1 PID: 8980 Comm: kworker/1:3 Tainted: G B 5.2.0-rc3+ #16
[ 73.386057][ T8975] kobject: 'slaves' (00000000f50f7dac): kobject_add_internal: parent: 'loop0', set: ''
[ 73.396067][ T8980] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.396091][ T8980] Workqueue: events __blk_release_queue
[ 73.396098][ T8980] Call Trace:
[ 73.396128][ T8980] dump_stack+0x172/0x1f0
[ 73.396145][ T8980] panic+0x2cb/0x744
[ 73.396157][ T8980] ? __warn_printk+0xf3/0xf3
[ 73.396170][ T8980] ? blk_mq_free_rqs+0x49f/0x4b0
[ 73.396187][ T8980] ? preempt_schedule+0x4b/0x60
[ 73.396200][ T8980] ? ___preempt_schedule+0x16/0x18
[ 73.396214][ T8980] ? trace_hardirqs_on+0x5e/0x220
[ 73.396228][ T8980] ? blk_mq_free_rqs+0x49f/0x4b0
[ 73.396240][ T8980] end_report+0x47/0x4f
[ 73.396250][ T8980] ? blk_mq_free_rqs+0x49f/0x4b0
[ 73.396261][ T8980] __kasan_report.cold+0xe/0x40
[ 73.396273][ T8980] ? blk_mq_free_rqs+0x49f/0x4b0
[ 73.396284][ T8980] kasan_report+0x12/0x20
[ 73.396297][ T8980] __asan_report_load8_noabort+0x14/0x20
[ 73.396309][ T8980] blk_mq_free_rqs+0x49f/0x4b0
[ 73.396321][ T8980] ? dd_exit_queue+0x92/0xd0
[ 73.396330][ T8980] ? kfree+0x170/0x220
[ 73.396345][ T8980] blk_mq_sched_tags_teardown+0x126/0x210
[ 73.396358][ T8980] ? dd_request_merge+0x230/0x230
[ 73.396371][ T8980] blk_mq_exit_sched+0x1fa/0x2d0
[ 73.396394][ T8980] elevator_exit+0x70/0xa0
[ 73.404304][ T8975] kobject: 'loop0' (0000000039d9c5a0): kobject_uevent_env
[ 73.405600][ T8980] __blk_release_queue+0x127/0x330
[ 73.410108][ T8975] kobject: 'loop0' (0000000039d9c5a0): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 73.414863][ T8980] process_one_work+0x989/0x1790
[ 73.427475][ T8975] kobject: 'queue' (00000000c31228d8): kobject_add_internal: parent: 'loop0', set: ''
[ 73.430692][ T8980] ? pwq_dec_nr_in_flight+0x320/0x320
[ 73.435926][ T8975] kobject: 'mq' (000000001f8c40f3): kobject_add_internal: parent: 'loop0', set: ''
[ 73.440547][ T8980] ? lock_acquire+0x16f/0x3f0
[ 73.440567][ T8980] worker_thread+0x98/0xe40
[ 73.440582][ T8980] ? trace_hardirqs_on+0x67/0x220
[ 73.440599][ T8980] kthread+0x354/0x420
[ 73.440610][ T8980] ? process_one_work+0x1790/0x1790
[ 73.440622][ T8980] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 73.440636][ T8980] ret_from_fork+0x24/0x30
[ 73.441656][ T8980] Kernel Offset: disabled
[ 74.026586][ T8980] Rebooting in 86400 seconds..