[ ok ] Starting enhanced syslogd: rsyslogd.
[ 65.441462][ T26] audit: type=1800 audit(1559956497.103:25): pid=8739 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 65.479842][ T26] audit: type=1800 audit(1559956497.113:26): pid=8739 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 65.531739][ T26] audit: type=1800 audit(1559956497.113:27): pid=8739 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.136' (ECDSA) to the list of known hosts.
2019/06/08 01:15:10 parsed 1 programs
2019/06/08 01:15:12 executed programs: 0
syzkaller login:
[ 81.033157][ T8908] IPVS: ftp: loaded support on port[0] = 21
[ 81.100490][ T8908] chnl_net:caif_netlink_parms(): no params data found
[ 81.130496][ T8908] bridge0: port 1(bridge_slave_0) entered blocking state
[ 81.139478][ T8908] bridge0: port 1(bridge_slave_0) entered disabled state
[ 81.147720][ T8908] device bridge_slave_0 entered promiscuous mode
[ 81.156235][ T8908] bridge0: port 2(bridge_slave_1) entered blocking state
[ 81.163461][ T8908] bridge0: port 2(bridge_slave_1) entered disabled state
[ 81.171221][ T8908] device bridge_slave_1 entered promiscuous mode
[ 81.189559][ T8908] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 81.199903][ T8908] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 81.220119][ T8908] team0: Port device team_slave_0 added
[ 81.227628][ T8908] team0: Port device team_slave_1 added
[ 81.284270][ T8908] device hsr_slave_0 entered promiscuous mode
[ 81.322832][ T8908] device hsr_slave_1 entered promiscuous mode
[ 81.370770][ T8908] bridge0: port 2(bridge_slave_1) entered blocking state
[ 81.378335][ T8908] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 81.386322][ T8908] bridge0: port 1(bridge_slave_0) entered blocking state
[ 81.393450][ T8908] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 81.429838][ T8908] 8021q: adding VLAN 0 to HW filter on device bond0
[ 81.443998][ T3004] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 81.456231][ T3004] bridge0: port 1(bridge_slave_0) entered disabled state
[ 81.465981][ T3004] bridge0: port 2(bridge_slave_1) entered disabled state
[ 81.476755][ T3004] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 81.494173][ T8908] 8021q: adding VLAN 0 to HW filter on device team0
[ 81.505770][ T2820] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 81.514610][ T2820] bridge0: port 1(bridge_slave_0) entered blocking state
[ 81.521811][ T2820] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 81.533121][ T3004] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 81.541909][ T3004] bridge0: port 2(bridge_slave_1) entered blocking state
[ 81.549032][ T3004] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 81.566212][ T2820] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 81.576167][ T2820] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 81.586990][ T3004] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 81.604433][ T8908] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 81.616390][ T8908] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 81.628910][ T2820] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 81.638702][ T2820] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 81.647643][ T2820] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 81.666918][ T8908] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 82.374170][ T3004] ==================================================================
[ 82.382573][ T3004] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 82.382594][ T3004] Read of size 8 at addr ffff888095c62b50 by task kworker/0:2/3004
[ 82.382597][ T3004]
[ 82.382620][ T3004] CPU: 0 PID: 3004 Comm: kworker/0:2 Not tainted 5.2.0-rc3+ #22
[ 82.382628][ T3004] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 82.382653][ T3004] Workqueue: events __blk_release_queue
[ 82.382669][ T3004] Call Trace:
[ 82.382707][ T3004]  dump_stack+0x172/0x1f0
[ 82.382721][ T3004]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 82.398102][ T3004]  print_address_description.cold+0x7c/0x20d
[ 82.398120][ T3004]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 82.398132][ T3004]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 82.398146][ T3004]  __kasan_report.cold+0x1b/0x40
[ 82.398161][ T3004]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 82.398176][ T3004]  kasan_report+0x12/0x20
[ 82.398191][ T3004]  __asan_report_load8_noabort+0x14/0x20
[ 82.398203][ T3004]  blk_mq_free_rqs+0x49f/0x4b0
[ 82.398235][ T3004]  ? dd_exit_queue+0x92/0xd0
[ 82.408211][ T3004]  ? kfree+0x170/0x220
[ 82.408239][ T3004]  blk_mq_sched_tags_teardown+0x126/0x210
[ 82.408257][ T3004]  ? dd_request_merge+0x230/0x230
[ 82.408274][ T3004]  blk_mq_exit_sched+0x1fa/0x2d0
[ 82.408295][ T3004]  elevator_exit+0x70/0xa0
[ 82.421963][ T8947] kobject: 'loop0' (00000000e4cd8ac7): kobject_add_internal: parent: 'block', set: 'devices'
[ 82.423936][ T3004]  __blk_release_queue+0x127/0x330
[ 82.423983][ T3004]  process_one_work+0x989/0x1790
[ 82.424007][ T3004]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 82.427939][ T8947] kobject: 'loop0' (00000000e4cd8ac7): kobject_uevent_env
[ 82.431662][ T3004]  ? lock_acquire+0x16f/0x3f0
[ 82.431692][ T3004]  worker_thread+0x98/0xe40
[ 82.431719][ T3004]  ? trace_hardirqs_on+0x67/0x220
[ 82.431743][ T3004]  kthread+0x354/0x420
[ 82.431758][ T3004]  ? process_one_work+0x1790/0x1790
[ 82.431781][ T3004]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 82.436857][ T8947] kobject: 'loop0' (00000000e4cd8ac7): kobject_uevent_env: uevent_suppress caused the event to drop!
[ 82.442747][ T3004]  ret_from_fork+0x24/0x30
[ 82.442768][ T3004]
[ 82.442777][ T3004] Allocated by task 8943:
[ 82.442794][ T3004]  save_stack+0x23/0x90
[ 82.442806][ T3004]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 82.442824][ T3004]  kasan_kmalloc+0x9/0x10
[ 82.447963][ T8947] kobject: 'holders' (0000000045283468): kobject_add_internal: parent: 'loop0', set: ''
[ 82.452729][ T3004]  kmem_cache_alloc_trace+0x151/0x750
[ 82.452755][ T3004]  loop_add+0x51/0x8d0
[ 82.452764][ T3004]  loop_probe+0x161/0x1a0
[ 82.452776][ T3004]  kobj_lookup+0x260/0x460
[ 82.452790][ T3004]  get_gendisk+0x4d/0x390
[ 82.452807][ T3004]  __blkdev_get+0x457/0x1660
[ 82.452817][ T3004]  blkdev_get+0xc4/0x990
[ 82.452826][ T3004]  blkdev_open+0x205/0x290
[ 82.452846][ T3004]  do_dentry_open+0x4df/0x1250
[ 82.452867][ T3004]  vfs_open+0xa0/0xd0
[ 82.458002][ T8947] kobject: 'slaves' (000000009c0c4b4e): kobject_add_internal: parent: 'loop0', set: ''
[ 82.462775][ T3004]  path_openat+0x10e9/0x46d0
[ 82.462789][ T3004]  do_filp_open+0x1a1/0x280
[ 82.462802][ T3004]  do_sys_open+0x3fe/0x5d0
[ 82.462814][ T3004]  __x64_sys_open+0x7e/0xc0
[ 82.462833][ T3004]  do_syscall_64+0xfd/0x680
[ 82.462849][ T3004]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 82.462862][ T3004]
[ 82.467339][ T8947] kobject: 'loop0' (00000000e4cd8ac7): kobject_uevent_env
[ 82.472846][ T3004] Freed by task 8945:
[ 82.472870][ T3004]  save_stack+0x23/0x90
[ 82.472880][ T3004]  __kasan_slab_free+0x102/0x150
[ 82.472891][ T3004]  kasan_slab_free+0xe/0x10
[ 82.472899][ T3004]  kfree+0xcf/0x220
[ 82.472910][ T3004]  loop_remove+0xa1/0xd0
[ 82.472920][ T3004]  loop_control_ioctl+0x320/0x360
[ 82.472931][ T3004]  do_vfs_ioctl+0xd5f/0x1380
[ 82.472940][ T3004]  ksys_ioctl+0xab/0xd0
[ 82.472949][ T3004]  __x64_sys_ioctl+0x73/0xb0
[ 82.472963][ T3004]  do_syscall_64+0xfd/0x680
[ 82.472977][ T3004]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 82.472981][ T3004]
[ 82.472992][ T3004] The buggy address belongs to the object at ffff888095c62940
[ 82.472992][ T3004]  which belongs to the cache kmalloc-1k of size 1024
[ 82.473011][ T3004] The buggy address is located 528 bytes inside of
[ 82.473011][ T3004]  1024-byte region [ffff888095c62940, ffff888095c62d40)
[ 82.478722][ T8947] kobject: 'loop0' (00000000e4cd8ac7): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 82.482391][ T3004] The buggy address belongs to the page:
[ 82.482417][ T3004] page:ffffea0002571880 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 82.482444][ T3004] flags: 0x1fffc0000010200(slab|head)
[ 82.482463][ T3004] raw: 01fffc0000010200 ffffea000257cc08 ffffea000255ba88 ffff8880aa400ac0
[ 82.482477][ T3004] raw: 0000000000000000 ffff888095c62040 0000000100000007 0000000000000000
[ 82.482482][ T3004] page dumped because: kasan: bad access detected
[ 82.482485][ T3004]
[ 82.482498][ T3004] Memory state around the buggy address:
[ 82.487264][ T8947] kobject: 'queue' (0000000063e58cec): kobject_add_internal: parent: 'loop0', set: ''
[ 82.492402][ T3004]  ffff888095c62a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 82.492413][ T3004]  ffff888095c62a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 82.492428][ T3004] >ffff888095c62b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 82.492435][ T3004]                                               ^
[ 82.492444][ T3004]  ffff888095c62b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 82.492453][ T3004]  ffff888095c62c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 82.492458][ T3004] ==================================================================
[ 82.492463][ T3004] Disabling lock debugging due to kernel taint
[ 82.501098][ T3004] Kernel panic - not syncing: panic_on_warn set ...
[ 82.509915][ T8947] kobject: 'mq' (00000000bf7bf7a6): kobject_add_internal: parent: 'loop0', set: ''
[ 82.517587][ T3004] CPU: 0 PID: 3004 Comm: kworker/0:2 Tainted: G    B             5.2.0-rc3+ #22
[ 82.517595][ T3004] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 82.517616][ T3004] Workqueue: events __blk_release_queue
[ 82.517624][ T3004] Call Trace:
[ 82.517647][ T3004]  dump_stack+0x172/0x1f0
[ 82.517683][ T3004]  panic+0x2cb/0x744
[ 82.517706][ T3004]  ? __warn_printk+0xf3/0xf3
[ 82.522971][ T8947] kobject: 'mq' (00000000bf7bf7a6): kobject_uevent_env
[ 82.527791][ T3004]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 82.533209][ T8947] kobject: 'mq' (00000000bf7bf7a6): kobject_uevent_env: filter function caused the event to drop!
[ 82.540283][ T3004]  ? preempt_schedule+0x4b/0x60
[ 82.545082][ T8947] kobject: '0' (0000000014466243): kobject_add_internal: parent: 'mq', set: ''
[ 82.549470][ T3004]  ? ___preempt_schedule+0x16/0x18
[ 82.554643][ T8947] kobject: 'cpu0' (000000001a103aab): kobject_add_internal: parent: '0', set: ''
[ 82.558570][ T3004]  ? trace_hardirqs_on+0x5e/0x220
[ 82.563949][ T8947] kobject: 'cpu1' (00000000267c3935): kobject_add_internal: parent: '0', set: ''
[ 82.570024][ T3004]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 82.581051][ T8947] kobject: 'queue' (0000000063e58cec): kobject_uevent_env
[ 82.585310][ T3004]  end_report+0x47/0x4f
[ 82.585327][ T3004]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 82.585339][ T3004]  __kasan_report.cold+0xe/0x40
[ 82.585360][ T3004]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 82.587717][ T8947] kobject: 'queue' (0000000063e58cec): kobject_uevent_env: filter function caused the event to drop!
[ 82.592042][ T3004]  kasan_report+0x12/0x20
[ 82.592057][ T3004]  __asan_report_load8_noabort+0x14/0x20
[ 82.592072][ T3004]  blk_mq_free_rqs+0x49f/0x4b0
[ 82.592095][ T3004]  ? dd_exit_queue+0x92/0xd0
[ 82.596331][ T8947] kobject: 'iosched' (000000007b609229): kobject_add_internal: parent: 'queue', set: ''
[ 82.601889][ T3004]  ? kfree+0x170/0x220
[ 82.601909][ T3004]  blk_mq_sched_tags_teardown+0x126/0x210
[ 82.601924][ T3004]  ? dd_request_merge+0x230/0x230
[ 82.601937][ T3004]  blk_mq_exit_sched+0x1fa/0x2d0
[ 82.601951][ T3004]  elevator_exit+0x70/0xa0
[ 82.601966][ T3004]  __blk_release_queue+0x127/0x330
[ 82.601991][ T3004]  process_one_work+0x989/0x1790
[ 82.606774][ T8947] kobject: 'iosched' (000000007b609229): kobject_uevent_env
[ 82.616571][ T3004]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 82.616585][ T3004]  ? lock_acquire+0x16f/0x3f0
[ 82.616614][ T3004]  worker_thread+0x98/0xe40
[ 82.622446][ T8947] kobject: 'iosched' (000000007b609229): kobject_uevent_env: filter function caused the event to drop!
[ 82.626061][ T3004]  ? trace_hardirqs_on+0x67/0x220
[ 82.630426][ T8947] kobject: 'integrity' (000000005c570d00): kobject_add_internal: parent: 'loop0', set: ''
[ 82.634787][ T3004]  kthread+0x354/0x420
[ 82.634803][ T3004]  ? process_one_work+0x1790/0x1790
[ 82.634815][ T3004]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 82.634829][ T3004]  ret_from_fork+0x24/0x30
[ 82.636338][ T3004] Kernel Offset: disabled
[ 83.253961][ T3004] Rebooting in 86400 seconds..