[ ok ] Starting enhanced syslogd: rsyslogd.
[ 52.624007][ T26] audit: type=1800 audit(1559687769.333:25): pid=8391 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 52.669716][ T26] audit: type=1800 audit(1559687769.333:26): pid=8391 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 52.704051][ T26] audit: type=1800 audit(1559687769.333:27): pid=8391 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.25' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 64.215538][ T22] ==================================================================
[ 64.223786][ T22] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 64.223797][ T22] Read of size 8 at addr ffff88809f077410 by task kworker/1:1/22
[ 64.223799][ T22]
[ 64.223809][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.2.0-rc3+ #38
[ 64.223819][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.223831][ T22] Workqueue: events __blk_release_queue
[ 64.223837][ T22] Call Trace:
[ 64.223852][ T22]  dump_stack+0x172/0x1f0
[ 64.223860][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 64.223873][ T22]  print_address_description.cold+0x7c/0x20d
[ 64.223891][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 64.223899][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 64.223907][ T22]  __kasan_report.cold+0x1b/0x40
[ 64.223916][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 64.223924][ T22]  kasan_report+0x12/0x20
[ 64.239035][ T22]  __asan_report_load8_noabort+0x14/0x20
[ 64.239051][ T22]  blk_mq_free_rqs+0x49f/0x4b0
[ 64.248830][ T22]  ? dd_exit_queue+0x92/0xd0
[ 64.248838][ T22]  ? kfree+0x170/0x220
[ 64.248852][ T22]  blk_mq_sched_tags_teardown+0x126/0x210
[ 64.248861][ T22]  ? dd_request_merge+0x230/0x230
[ 64.248870][ T22]  blk_mq_exit_sched+0x1fa/0x2d0
[ 64.248882][ T22]  elevator_exit+0x70/0xa0
[ 64.248891][ T22]  __blk_release_queue+0x127/0x330
[ 64.248905][ T22]  process_one_work+0x989/0x1790
[ 64.248919][ T22]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 64.248928][ T22]  ? lock_acquire+0x16f/0x3f0
[ 64.248942][ T22]  worker_thread+0x98/0xe40
[ 64.248963][ T22]  ? trace_hardirqs_on+0x67/0x220
[ 64.259665][ T8552] kobject: 'holders' (00000000bb3c9ad4): kobject_add_internal: parent: 'loop0', set: ''
[ 64.264731][ T22]  kthread+0x354/0x420
[ 64.264744][ T22]  ? process_one_work+0x1790/0x1790
[ 64.264752][ T22]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 64.264799][ T22]  ret_from_fork+0x24/0x30
[ 64.268418][ T8552] kobject: 'slaves' (00000000c11b3dd0): kobject_add_internal: parent: 'loop0', set: ''
[ 64.272692][ T22]
[ 64.272702][ T22] Allocated by task 8550:
[ 64.272719][ T22]  save_stack+0x23/0x90
[ 64.272729][ T22]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 64.272739][ T22]  kasan_kmalloc+0x9/0x10
[ 64.272746][ T22]  kmem_cache_alloc_trace+0x151/0x750
[ 64.272754][ T22]  loop_add+0x51/0x8d0
[ 64.272767][ T22]  loop_probe+0x161/0x1a0
[ 64.278487][ T8552] kobject: 'loop0' (00000000ac6b4ca1): kobject_uevent_env
[ 64.283778][ T22]  kobj_lookup+0x260/0x460
[ 64.283795][ T22]  get_gendisk+0x4d/0x390
[ 64.283805][ T22]  __blkdev_get+0x457/0x1660
[ 64.283813][ T22]  blkdev_get+0xc4/0x990
[ 64.283822][ T22]  blkdev_open+0x205/0x290
[ 64.283834][ T22]  do_dentry_open+0x4df/0x1250
[ 64.283844][ T22]  vfs_open+0xa0/0xd0
[ 64.283857][ T22]  path_openat+0x10e9/0x46d0
[ 64.283867][ T22]  do_filp_open+0x1a1/0x280
[ 64.283877][ T22]  do_sys_open+0x3fe/0x5d0
[ 64.283895][ T22]  __x64_sys_open+0x7e/0xc0
[ 64.289403][ T8552] kobject: 'loop0' (00000000ac6b4ca1): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 64.293775][ T22]  do_syscall_64+0xfd/0x680
[ 64.293791][ T22]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 64.293795][ T22]
[ 64.293801][ T22] Freed by task 8551:
[ 64.293814][ T22]  save_stack+0x23/0x90
[ 64.293824][ T22]  __kasan_slab_free+0x102/0x150
[ 64.293834][ T22]  kasan_slab_free+0xe/0x10
[ 64.293842][ T22]  kfree+0xcf/0x220
[ 64.293853][ T22]  loop_remove+0xa1/0xd0
[ 64.293864][ T22]  loop_control_ioctl+0x320/0x360
[ 64.293879][ T22]  do_vfs_ioctl+0xd5f/0x1380
[ 64.299738][ T8552] kobject: 'queue' (00000000fc79722d): kobject_add_internal: parent: 'loop0', set: ''
[ 64.303731][ T22]  ksys_ioctl+0xab/0xd0
[ 64.303746][ T22]  __x64_sys_ioctl+0x73/0xb0
[ 64.303759][ T22]  do_syscall_64+0xfd/0x680
[ 64.303774][ T22]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 64.303777][ T22]
[ 64.303786][ T22] The buggy address belongs to the object at ffff88809f077200
[ 64.303786][ T22]  which belongs to the cache kmalloc-1k of size 1024
[ 64.303796][ T22] The buggy address is located 528 bytes inside of
[ 64.303796][ T22]  1024-byte region [ffff88809f077200, ffff88809f077600)
[ 64.303806][ T22] The buggy address belongs to the page:
[ 64.303816][ T22] page:ffffea00027c1d80 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 64.309162][ T8552] kobject: 'mq' (00000000687d4da4): kobject_add_internal: parent: 'loop0', set: ''
[ 64.313801][ T22] flags: 0x1fffc0000010200(slab|head)
[ 64.313819][ T22] raw: 01fffc0000010200 ffffea000237f508 ffffea0002414088 ffff8880aa400ac0
[ 64.313832][ T22] raw: 0000000000000000 ffff88809f076000 0000000100000007 0000000000000000
[ 64.313837][ T22] page dumped because: kasan: bad access detected
[ 64.313841][ T22]
[ 64.313846][ T22] Memory state around the buggy address:
[ 64.313855][ T22]  ffff88809f077300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.313865][ T22]  ffff88809f077380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.313873][ T22] >ffff88809f077400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.313878][ T22]                          ^
[ 64.313887][ T22]  ffff88809f077480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.313900][ T22]  ffff88809f077500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.319292][ T8552] kobject: 'mq' (00000000687d4da4): kobject_uevent_env
[ 64.323208][ T22] ==================================================================
[ 64.323213][ T22] Disabling lock debugging due to kernel taint
[ 64.323318][ T22] Kernel panic - not syncing: panic_on_warn set ...
[ 64.329541][ T8552] kobject: 'mq' (00000000687d4da4): kobject_uevent_env: filter function caused the event to drop!
[ 64.333036][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G B 5.2.0-rc3+ #38
[ 64.333043][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.333063][ T22] Workqueue: events __blk_release_queue
[ 64.333075][ T22] Call Trace:
[ 64.338379][ T8552] kobject: '0' (00000000cf328786): kobject_add_internal: parent: 'mq', set: ''
[ 64.343009][ T22]  dump_stack+0x172/0x1f0
[ 64.343025][ T22]  panic+0x2cb/0x744
[ 64.343044][ T22]  ? __warn_printk+0xf3/0xf3
[ 64.347757][ T8552] kobject: 'cpu0' (000000002e495eca): kobject_add_internal: parent: '0', set: ''
[ 64.352545][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 64.352559][ T22]  ? preempt_schedule+0x4b/0x60
[ 64.352572][ T22]  ? ___preempt_schedule+0x16/0x18
[ 64.352593][ T22]  ? trace_hardirqs_on+0x5e/0x220
[ 64.357794][ T8552] kobject: 'cpu1' (0000000022e6afc6): kobject_add_internal: parent: '0', set: ''
[ 64.362853][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 64.362866][ T22]  end_report+0x47/0x4f
[ 64.362877][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 64.362893][ T22]  __kasan_report.cold+0xe/0x40
[ 64.367826][ T8552] kobject: 'queue' (00000000fc79722d): kobject_uevent_env
[ 64.372075][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 64.372089][ T22]  kasan_report+0x12/0x20
[ 64.372101][ T22]  __asan_report_load8_noabort+0x14/0x20
[ 64.372116][ T22]  blk_mq_free_rqs+0x49f/0x4b0
[ 64.377376][ T8552] kobject: 'queue' (00000000fc79722d): kobject_uevent_env: filter function caused the event to drop!
[ 64.387345][ T22]  ? dd_exit_queue+0x92/0xd0
[ 64.387356][ T22]  ? kfree+0x170/0x220
[ 64.387372][ T22]  blk_mq_sched_tags_teardown+0x126/0x210
[ 64.387383][ T22]  ? dd_request_merge+0x230/0x230
[ 64.387399][ T22]  blk_mq_exit_sched+0x1fa/0x2d0
[ 64.392413][ T8552] kobject: 'iosched' (00000000da004952): kobject_add_internal: parent: 'queue', set: ''
[ 64.397388][ T22]  elevator_exit+0x70/0xa0
[ 64.397407][ T22]  __blk_release_queue+0x127/0x330
[ 64.403989][ T8552] kobject: 'iosched' (00000000da004952): kobject_uevent_env
[ 64.408039][ T22]  process_one_work+0x989/0x1790
[ 64.408058][ T22]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 64.418450][ T8552] kobject: 'iosched' (00000000da004952): kobject_uevent_env: filter function caused the event to drop!
[ 64.420491][ T22]  ? lock_acquire+0x16f/0x3f0
[ 64.420511][ T22]  worker_thread+0x98/0xe40
[ 64.425085][ T8552] kobject: 'integrity' (000000008b5a5e41): kobject_add_internal: parent: 'loop0', set: ''
[ 64.428971][ T22]  ? trace_hardirqs_on+0x67/0x220
[ 64.428991][ T22]  kthread+0x354/0x420
[ 64.434923][ T8552] kobject: 'integrity' (000000008b5a5e41): kobject_uevent_env
[ 64.438919][ T22]  ? process_one_work+0x1790/0x1790
[ 64.438936][ T22]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 64.444519][ T8552] kobject: 'integrity' (000000008b5a5e41): kobject_uevent_env: filter function caused the event to drop!
[ 64.448332][ T22]  ret_from_fork+0x24/0x30
[ 64.453757][ T22] Kernel Offset: disabled
[ 65.063473][ T22] Rebooting in 86400 seconds..
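Reading the report above: the kworker (T22) running the deferred `__blk_release_queue` work item reads 8 bytes from a freed kmalloc-1k object, 528 bytes into the 1024-byte region; the object was allocated by `loop_add` (reached from `loop_probe` during an `open(2)` of the loop device node, task 8550) and freed by `loop_remove` (reached from `loop_control_ioctl`, task 8551) before the queue release work ran. Two things make such reports slow to read by hand: another task (T8552) interleaves its kobject messages with the report, and many frames are `?` guesses that should not be trusted. The script below is an added example, not part of the syzkaller log, that parses a report of this shape into the facts a triager records first. Its sample input is an excerpt of the report above with two of the interleaved T8552 lines kept; the `PLUMBING` prefix list is this example's own heuristic for skipping KASAN and allocator frames.

```python
"""Triage a KASAN report from a serial console. Added example, not part of the syzkaller log
above: extracts bug class, faulting function and context, access, object cache and offset, and
the reliable frames of the access/alloc/free stacks, dropping other tasks' interleaved printks."""
import re
from dataclasses import dataclass, field

LINE = re.compile(r"\[\s*[\d.]+\]\[\s*T(\d+)\]\s?(.*)$")          # printk prefix: time, tid, text
BUG = re.compile(r"BUG: KASAN: ([\w-]+) in (\S+)")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr")
CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
OFFSET = re.compile(r"located (\d+) bytes inside of")
FRAME = re.compile(r"^(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# KASAN/allocator plumbing on top of every stack; skipped when looking for the real origin.
PLUMBING = ("save_stack", "__kasan", "kasan_", "__asan", "kmem_cache", "kfree", "kmalloc",
            "dump_stack", "print_address")

@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    context: str = ""               # e.g. the workqueue item the kworker was running
    op: str = ""
    size: int = 0
    cache: str = ""
    obj_size: int = 0
    offset: int = -1
    access: list = field(default_factory=list)
    alloc: list = field(default_factory=list)
    free: list = field(default_factory=list)
    dropped: int = 0                # printk lines from other tasks that were discarded

def parse_kasan(text: str) -> KasanReport:
    r, reporter, section = KasanReport(), None, None
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue                                  # console noise without a printk prefix
        tid, msg = m[1], m[2].strip()
        if reporter is None:                          # the report starts at the BUG: line
            if (b := BUG.search(msg)):
                reporter, (r.kind, r.func) = tid, b.groups()
        elif tid != reporter:                         # another task's output, interleaved
            r.dropped += 1
        elif not msg:
            section = None                            # a blank line closes a stack section
        elif (a := ACCESS.search(msg)):
            r.op, r.size = a[1], int(a[2])
        elif msg.startswith("Workqueue:"):
            r.context = msg.split(None, 1)[1]
        elif (c := CACHE.search(msg)):
            r.cache, r.obj_size = c[1], int(c[2])
        elif (o := OFFSET.search(msg)):
            r.offset = int(o[1])
        elif msg == "Call Trace:":
            section = r.access if not r.access else None   # ignore the later panic trace
        elif msg.startswith("Allocated by task"):
            section = r.alloc
        elif msg.startswith("Freed by task"):
            section = r.free
        elif section is not None and (f := FRAME.match(msg)) and f[1] is None:
            section.append(f[2])                      # "? " frames are unreliable; kept out
    return r

def origin(frames: list) -> str:
    """First frame below the plumbing: the code that actually touched the object."""
    return next((f for f in frames if not f.startswith(PLUMBING)), "?")

def syscall(frames: list) -> str:
    """Syscall behind a stack, read off its __x64_sys_* entry frame."""
    return next((f[len("__x64_sys_"):] for f in frames if f.startswith("__x64_sys_")), "?")

def summarize(r: KasanReport) -> str:
    return (f"KASAN {r.kind}: {r.op} of {r.size} bytes in {origin(r.access)} [{r.context}], "
            f"{r.offset} bytes into a {r.cache} object; allocated in {origin(r.alloc)} via "
            f"{syscall(r.alloc)}(2), freed in {origin(r.free)} via {syscall(r.free)}(2)")

# Excerpt of the report above, lines copied verbatim, two T8552 kobject lines kept interleaved.
SAMPLE = """\
[ 64.223786][ T22] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 64.223797][ T22] Read of size 8 at addr ffff88809f077410 by task kworker/1:1/22
[ 64.223831][ T22] Workqueue: events __blk_release_queue
[ 64.223837][ T22] Call Trace:
[ 64.223852][ T22] dump_stack+0x172/0x1f0
[ 64.223860][ T22] ? blk_mq_free_rqs+0x49f/0x4b0
[ 64.239051][ T22] blk_mq_free_rqs+0x49f/0x4b0
[ 64.259665][ T8552] kobject: 'holders' (00000000bb3c9ad4): kobject_add_internal: parent: 'loop0', set: ''
[ 64.272702][ T22] Allocated by task 8550:
[ 64.272754][ T22] loop_add+0x51/0x8d0
[ 64.278487][ T8552] kobject: 'loop0' (00000000ac6b4ca1): kobject_uevent_env
[ 64.283895][ T22] __x64_sys_open+0x7e/0xc0
[ 64.293801][ T22] Freed by task 8551:
[ 64.293842][ T22] kfree+0xcf/0x220
[ 64.293853][ T22] loop_remove+0xa1/0xd0
[ 64.303746][ T22] __x64_sys_ioctl+0x73/0xb0
[ 64.303777][ T22]
[ 64.303786][ T22] which belongs to the cache kmalloc-1k of size 1024
[ 64.303796][ T22] The buggy address is located 528 bytes inside of
"""
```

`summarize(parse_kasan(SAMPLE))` yields one line naming the bug class, the accessing function and its workqueue context, the object cache and offset, and the driver functions and syscalls on the allocation and free sides, which is the shape of a usable bug title. Two caveats carry over to real reports: the parser keys on the task id of the `BUG:` line, so a report whose own lines are split across CPUs with different prefixes needs the prefix regex adjusted, and it deliberately records only frames without the `?` marker, so a stack that is entirely unreliable comes out empty rather than misleading.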