[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
[FAIL] startpar: service(s) returned failure: restorecond ... failed!

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 68.304888][ T26] kauditd_printk_skb: 4 callbacks suppressed
[ 68.304903][ T26] audit: type=1400 audit(1560018979.018:35): avc: denied { map } for pid=9095 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.1.14' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
[ 74.869122][ T26] audit: type=1400 audit(1560018985.588:36): avc: denied { map } for pid=9107 comm="syz-executor047" path="/root/syz-executor047762852" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 75.051887][ T17] ==================================================================
[ 75.060180][ T17] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 75.060195][ T17] Read of size 8 at addr ffff8882193a8b10 by task kworker/1:0/17
[ 75.060199][ T17]
[ 75.060212][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.2.0-rc3+ #16
[ 75.060219][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.060233][ T17] Workqueue: events __blk_release_queue
[ 75.060239][ T17] Call Trace:
[ 75.060257][ T17] dump_stack+0x172/0x1f0
[ 75.060271][ T17] ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.060290][ T17] print_address_description.cold+0x7c/0x20d
[ 75.060302][ T17] ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.060316][ T17] ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.060330][ T17] __kasan_report.cold+0x1b/0x40
[ 75.060347][ T17] ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.060359][ T17] kasan_report+0x12/0x20
[ 75.060371][ T17] __asan_report_load8_noabort+0x14/0x20
[ 75.060380][ T17] blk_mq_free_rqs+0x49f/0x4b0
[ 75.060392][ T17] ? dd_exit_queue+0x92/0xd0
[ 75.070657][ T9119] kobject: '7:3' (0000000076383710): calling ktype release
[ 75.075587][ T17] ? kfree+0x170/0x220
[ 75.075614][ T17] blk_mq_sched_tags_teardown+0x126/0x210
[ 75.075634][ T17] ? dd_request_merge+0x230/0x230
[ 75.075647][ T17] blk_mq_exit_sched+0x1fa/0x2d0
[ 75.075666][ T17] elevator_exit+0x70/0xa0
[ 75.078477][ T9119] kobject: '7:3': free name
[ 75.085430][ T17] __blk_release_queue+0x127/0x330
[ 75.085451][ T17] process_one_work+0x989/0x1790
[ 75.085474][ T17] ? pwq_dec_nr_in_flight+0x320/0x320
[ 75.085485][ T17] ? lock_acquire+0x16f/0x3f0
[ 75.085507][ T17] worker_thread+0x98/0xe40
[ 75.096204][ T9119] kobject: 'mq' (00000000cc2b76ac): kobject_uevent_env
[ 75.101266][ T17] kthread+0x354/0x420
[ 75.101283][ T17] ? process_one_work+0x1790/0x1790
[ 75.101297][ T17] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 75.101314][ T17] ret_from_fork+0x24/0x30
[ 75.101333][ T17]
[ 75.101340][ T17] Allocated by task 1:
[ 75.101356][ T17] save_stack+0x23/0x90
[ 75.101368][ T17] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 75.105252][ T9119] kobject: 'mq' (00000000cc2b76ac): kobject_uevent_env: filter function caused the event to drop!
[ 75.109008][ T17] kasan_kmalloc+0x9/0x10
[ 75.109021][ T17] kmem_cache_alloc_trace+0x151/0x750
[ 75.109039][ T17] loop_add+0x51/0x8d0
[ 75.109052][ T17] loop_init+0x1fe/0x25a
[ 75.109064][ T17] do_one_initcall+0x107/0x7ba
[ 75.109077][ T17] kernel_init_freeable+0x4d4/0x5c3
[ 75.109090][ T17] kernel_init+0x12/0x1c5
[ 75.109100][ T17] ret_from_fork+0x24/0x30
[ 75.109108][ T17]
[ 75.114958][ T9119] kobject: 'queue' (000000001bde7952): kobject_uevent_env
[ 75.120265][ T17] Freed by task 9114:
[ 75.120282][ T17] save_stack+0x23/0x90
[ 75.120294][ T17] __kasan_slab_free+0x102/0x150
[ 75.120306][ T17] kasan_slab_free+0xe/0x10
[ 75.120317][ T17] kfree+0xcf/0x220
[ 75.120328][ T17] loop_remove+0xa1/0xd0
[ 75.120338][ T17] loop_control_ioctl+0x320/0x360
[ 75.120348][ T17] do_vfs_ioctl+0xd5f/0x1380
[ 75.120357][ T17] ksys_ioctl+0xab/0xd0
[ 75.120366][ T17] __x64_sys_ioctl+0x73/0xb0
[ 75.120377][ T17] do_syscall_64+0xfd/0x680
[ 75.120395][ T17] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.125934][ T9119] kobject: 'queue' (000000001bde7952): kobject_uevent_env: filter function caused the event to drop!
[ 75.130216][ T17]
[ 75.130228][ T17] The buggy address belongs to the object at ffff8882193a8900
[ 75.130228][ T17] which belongs to the cache kmalloc-1k of size 1024
[ 75.130238][ T17] The buggy address is located 528 bytes inside of
[ 75.130238][ T17] 1024-byte region [ffff8882193a8900, ffff8882193a8d00)
[ 75.130243][ T17] The buggy address belongs to the page:
[ 75.130256][ T17] page:ffffea000864ea00 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 75.130272][ T17] flags: 0x6fffc0000010200(slab|head)
[ 75.130290][ T17] raw: 06fffc0000010200 ffffea0008667908 ffffea0008630188 ffff8880aa400ac0
[ 75.130305][ T17] raw: 0000000000000000 ffff8882193a8000 0000000100000007 0000000000000000
[ 75.130309][ T17] page dumped because: kasan: bad access detected
[ 75.130312][ T17]
[ 75.130316][ T17] Memory state around the buggy address:
[ 75.130331][ T17] ffff8882193a8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.136081][ T9119] kobject: 'iosched' (0000000047dafea2): kobject_uevent_env
[ 75.140165][ T17] ffff8882193a8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.140175][ T17] >ffff8882193a8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.140181][ T17] ^
[ 75.140191][ T17] ffff8882193a8b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.140202][ T17] ffff8882193a8c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.140207][ T17] ==================================================================
[ 75.140212][ T17] Disabling lock debugging due to kernel taint
[ 75.141158][ T17] Kernel panic - not syncing: panic_on_warn set ...
[ 75.146790][ T9119] kobject: 'iosched' (0000000047dafea2): kobject_uevent_env: attempted to send uevent without kset!
[ 75.150273][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Tainted: G B 5.2.0-rc3+ #16
[ 75.150281][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.150301][ T17] Workqueue: events __blk_release_queue
[ 75.150307][ T17] Call Trace:
[ 75.150323][ T17] dump_stack+0x172/0x1f0
[ 75.150342][ T17] panic+0x2cb/0x744
[ 75.155477][ T9119] kobject: 'holders' (0000000043136e73): kobject_cleanup, parent 00000000db41dee7
[ 75.159655][ T17] ? __warn_printk+0xf3/0xf3
[ 75.159670][ T17] ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.159685][ T17] ? preempt_schedule+0x4b/0x60
[ 75.159697][ T17] ? ___preempt_schedule+0x16/0x18
[ 75.159714][ T17] ? trace_hardirqs_on+0x5e/0x220
[ 75.167287][ T9119] kobject: 'holders' (0000000043136e73): auto cleanup kobject_del
[ 75.171214][ T17] ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.171228][ T17] end_report+0x47/0x4f
[ 75.171240][ T17] ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.171251][ T17] __kasan_report.cold+0xe/0x40
[ 75.171268][ T17] ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.177821][ T9119] kobject: 'holders' (0000000043136e73): calling ktype release
[ 75.182263][ T17] kasan_report+0x12/0x20
[ 75.182279][ T17] __asan_report_load8_noabort+0x14/0x20
[ 75.182293][ T17] blk_mq_free_rqs+0x49f/0x4b0
[ 75.182303][ T17] ? dd_exit_queue+0x92/0xd0
[ 75.182317][ T17] ? kfree+0x170/0x220
[ 75.188129][ T9119] kobject: (0000000043136e73): dynamic_kobj_release
[ 75.191894][ T17] blk_mq_sched_tags_teardown+0x126/0x210
[ 75.191907][ T17] ? dd_request_merge+0x230/0x230
[ 75.191924][ T17] blk_mq_exit_sched+0x1fa/0x2d0
[ 75.196752][ T9119] kobject: 'holders': free name
[ 75.202011][ T17] elevator_exit+0x70/0xa0
[ 75.202031][ T17] __blk_release_queue+0x127/0x330
[ 75.202046][ T17] process_one_work+0x989/0x1790
[ 75.202064][ T17] ? pwq_dec_nr_in_flight+0x320/0x320
[ 75.207317][ T9119] kobject: 'slaves' (00000000174746d7): kobject_cleanup, parent 00000000db41dee7
[ 75.212321][ T17] ? lock_acquire+0x16f/0x3f0
[ 75.212341][ T17] worker_thread+0x98/0xe40
[ 75.212360][ T17] kthread+0x354/0x420
[ 75.212377][ T17] ? process_one_work+0x1790/0x1790
[ 75.217674][ T9119] kobject: 'slaves' (00000000174746d7): auto cleanup kobject_del
[ 75.221520][ T17] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 75.221534][ T17] ret_from_fork+0x24/0x30
[ 75.223940][ T17] Kernel Offset: disabled
[ 75.790411][ T17] Rebooting in 86400 seconds..