[ ok ] Starting enhanced syslogd: rsyslogd.
[ 69.450313][ T26] audit: type=1800 audit(1559667014.414:25): pid=8942 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 69.489102][ T26] audit: type=1800 audit(1559667014.414:26): pid=8942 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 69.533405][ T26] audit: type=1800 audit(1559667014.414:27): pid=8942 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.0' (ECDSA) to the list of known hosts.

syzkaller login: [ 78.624617][ T9103] IPVS: ftp: loaded support on port[0] = 21
[ 78.628400][ T9104] IPVS: ftp: loaded support on port[0] = 21
[ 78.634601][ T9107] IPVS: ftp: loaded support on port[0] = 21
[ 78.641820][ T9108] IPVS: ftp: loaded support on port[0] = 21
[ 78.647031][ T9105] IPVS: ftp: loaded support on port[0] = 21
[ 78.650736][ T9106] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
[ 78.983790][ T12] ==================================================================
[ 78.992207][ T12] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 78.999624][ T12] Read of size 8 at addr ffff8880a3e38210 by task kworker/0:1/12
[ 79.007444][ T12]
[ 79.009815][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.0-rc3+ #19
[ 79.017362][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 79.027561][ T12] Workqueue: events __blk_release_queue
[ 79.033140][ T12] Call Trace:
[ 79.036492][ T12]  dump_stack+0x172/0x1f0
[ 79.040930][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 79.046107][ T12]  print_address_description.cold+0x7c/0x20d
[ 79.052210][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 79.057262][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 79.062669][ T12]  __kasan_report.cold+0x1b/0x40
[ 79.067645][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 79.072602][ T12]  kasan_report+0x12/0x20
[ 79.077026][ T12]  __asan_report_load8_noabort+0x14/0x20
[ 79.082675][ T12]  blk_mq_free_rqs+0x49f/0x4b0
[ 79.087468][ T12]  ? dd_exit_queue+0x92/0xd0
[ 79.092069][ T12]  ? kfree+0x170/0x220
[ 79.096172][ T12]  blk_mq_sched_tags_teardown+0x126/0x210
[ 79.101917][ T12]  ? dd_request_merge+0x230/0x230
[ 79.107050][ T12]  blk_mq_exit_sched+0x1fa/0x2d0
[ 79.112010][ T12]  elevator_exit+0x70/0xa0
[ 79.116446][ T12]  __blk_release_queue+0x127/0x330
[ 79.121730][ T12]  process_one_work+0x989/0x1790
[ 79.126695][ T12]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 79.132089][ T12]  ? lock_acquire+0x16f/0x3f0
[ 79.136812][ T12]  worker_thread+0x98/0xe40
[ 79.141345][ T12]  ? trace_hardirqs_on+0x67/0x220
[ 79.146401][ T12]  kthread+0x354/0x420
[ 79.150497][ T12]  ? process_one_work+0x1790/0x1790
[ 79.155719][ T12]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 79.162080][ T12]  ret_from_fork+0x24/0x30
[ 79.166513][ T12]
[ 79.169046][ T12] Allocated by task 1:
[ 79.173209][ T12]  save_stack+0x23/0x90
[ 79.177365][ T12]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 79.183007][ T12]  kasan_kmalloc+0x9/0x10
[ 79.187344][ T12]  kmem_cache_alloc_trace+0x151/0x750
[ 79.192750][ T12]  loop_add+0x51/0x8d0
[ 79.196956][ T12]  loop_init+0x1fe/0x25a
[ 79.201495][ T12]  do_one_initcall+0x107/0x7ba
[ 79.206365][ T12]  kernel_init_freeable+0x4d4/0x5c3
[ 79.211751][ T12]  kernel_init+0x12/0x1c5
[ 79.216086][ T12]  ret_from_fork+0x24/0x30
[ 79.220503][ T12]
[ 79.222845][ T12] Freed by task 9110:
[ 79.226847][ T12]  save_stack+0x23/0x90
[ 79.231007][ T12]  __kasan_slab_free+0x102/0x150
[ 79.236557][ T12]  kasan_slab_free+0xe/0x10
[ 79.241154][ T12]  kfree+0xcf/0x220
[ 79.244974][ T12]  loop_remove+0xa1/0xd0
[ 79.249480][ T12]  loop_control_ioctl+0x320/0x360
[ 79.254558][ T12]  do_vfs_ioctl+0xd5f/0x1380
[ 79.259415][ T12]  ksys_ioctl+0xab/0xd0
[ 79.263673][ T12]  __x64_sys_ioctl+0x73/0xb0
[ 79.268271][ T12]  do_syscall_64+0xfd/0x680
[ 79.272785][ T12]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.278781][ T12]
[ 79.281164][ T12] The buggy address belongs to the object at ffff8880a3e38000
[ 79.281164][ T12]  which belongs to the cache kmalloc-1k of size 1024
[ 79.295783][ T12] The buggy address is located 528 bytes inside of
[ 79.295783][ T12]  1024-byte region [ffff8880a3e38000, ffff8880a3e38400)
[ 79.309583][ T12] The buggy address belongs to the page:
[ 79.315255][ T12] page:ffffea00028f8e00 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 79.326590][ T12] flags: 0x1fffc0000010200(slab|head)
[ 79.331983][ T12] raw: 01fffc0000010200 ffffea00028f7008 ffffea00023a2b08 ffff8880aa400ac0
[ 79.340589][ T12] raw: 0000000000000000 ffff8880a3e38000 0000000100000007 0000000000000000
[ 79.349182][ T12] page dumped because: kasan: bad access detected
[ 79.355701][ T12]
[ 79.358039][ T12] Memory state around the buggy address:
[ 79.363683][ T12]  ffff8880a3e38100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.371848][ T12]  ffff8880a3e38180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
executing program
executing program
executing program
executing program
[ 79.379947][ T12] >ffff8880a3e38200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.388026][ T12]                          ^
[ 79.392717][ T12]  ffff8880a3e38280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.401066][ T12]  ffff8880a3e38300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.409223][ T12] ==================================================================
[ 79.417661][ T12] Disabling lock debugging due to kernel taint
executing program
executing program
[ 79.452014][ T12] Kernel panic - not syncing: panic_on_warn set ...
[ 79.458666][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G    B   5.2.0-rc3+ #19
[ 79.467639][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 79.477810][ T12] Workqueue: events __blk_release_queue
[ 79.483370][ T12] Call Trace:
[ 79.486768][ T12]  dump_stack+0x172/0x1f0
[ 79.491149][ T12]  panic+0x2cb/0x744
[ 79.495056][ T12]  ? __warn_printk+0xf3/0xf3
executing program
executing program
executing program
[ 79.500065][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 79.505197][ T12]  ? preempt_schedule+0x4b/0x60
[ 79.510071][ T12]  ? ___preempt_schedule+0x16/0x18
[ 79.515212][ T12]  ? trace_hardirqs_on+0x5e/0x220
[ 79.520258][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 79.525568][ T12]  end_report+0x47/0x4f
[ 79.529832][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 79.534789][ T12]  __kasan_report.cold+0xe/0x40
[ 79.539665][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 79.544610][ T12]  kasan_report+0x12/0x20
executing program
executing program
executing program
executing program
[ 79.549040][ T12]  __asan_report_load8_noabort+0x14/0x20
[ 79.554696][ T12]  blk_mq_free_rqs+0x49f/0x4b0
[ 79.559491][ T12]  ? dd_exit_queue+0x92/0xd0
[ 79.564103][ T12]  ? kfree+0x170/0x220
[ 79.568289][ T12]  blk_mq_sched_tags_teardown+0x126/0x210
[ 79.574039][ T12]  ? dd_request_merge+0x230/0x230
[ 79.579133][ T12]  blk_mq_exit_sched+0x1fa/0x2d0
[ 79.584212][ T12]  elevator_exit+0x70/0xa0
[ 79.589262][ T12]  __blk_release_queue+0x127/0x330
[ 79.594532][ T12]  process_one_work+0x989/0x1790
executing program
[ 79.600289][ T12]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 79.605722][ T12]  ? lock_acquire+0x16f/0x3f0
[ 79.610775][ T12]  worker_thread+0x98/0xe40
[ 79.615846][ T12]  ? trace_hardirqs_on+0x67/0x220
[ 79.621080][ T12]  kthread+0x354/0x420
[ 79.626352][ T12]  ? process_one_work+0x1790/0x1790
[ 79.631611][ T12]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 79.638229][ T12]  ret_from_fork+0x24/0x30
[ 79.644052][ T12] Kernel Offset: disabled
[ 79.649475][ T12] Rebooting in 86400 seconds..
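The report above is the raw form a triager gets from the console. As an added example (not part of this log, of syzkaller, or of the kernel), the following Python parser pulls the triage-relevant fields out of such a KASAN report: bug class and faulting function from the BUG line, access type, size, address and task, the object's slab cache and the offset of the access inside it, and the access, allocation and free stacks with the sanitizer/allocator frames and the unreliable `?` frames dropped, so the "culprit" of each stack (here `blk_mq_free_rqs`, `loop_add`, `loop_remove`) can be read off directly. The sample input is an abridged copy of the report's own lines, with syzkaller's interleaved `executing program` output left in to show it is skipped; the `KasanReport` field names, the frame-skip list and the title format are this example's own conventions.

```python
"""Extract triage fields from a KASAN report embedded in a raw console log."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: abridged lines from the report above (constructed for this example,
# with syzkaller's "executing program" noise interleaved as it was on the console).
SAMPLE_LOG = """\
executing program
[ 78.983790][ T12] ==================================================================
[ 78.992207][ T12] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 78.999624][ T12] Read of size 8 at addr ffff8880a3e38210 by task kworker/0:1/12
[ 79.007444][ T12]
[ 79.009815][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.0-rc3+ #19
[ 79.027561][ T12] Workqueue: events __blk_release_queue
[ 79.033140][ T12] Call Trace:
[ 79.036492][ T12]  dump_stack+0x172/0x1f0
[ 79.040930][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 79.046107][ T12]  print_address_description.cold+0x7c/0x20d
[ 79.062669][ T12]  __kasan_report.cold+0x1b/0x40
[ 79.072602][ T12]  kasan_report+0x12/0x20
[ 79.077026][ T12]  __asan_report_load8_noabort+0x14/0x20
[ 79.082675][ T12]  blk_mq_free_rqs+0x49f/0x4b0
[ 79.087468][ T12]  ? dd_exit_queue+0x92/0xd0
[ 79.096172][ T12]  blk_mq_sched_tags_teardown+0x126/0x210
[ 79.107050][ T12]  blk_mq_exit_sched+0x1fa/0x2d0
[ 79.112010][ T12]  elevator_exit+0x70/0xa0
[ 79.116446][ T12]  __blk_release_queue+0x127/0x330
[ 79.121730][ T12]  process_one_work+0x989/0x1790
[ 79.136812][ T12]  worker_thread+0x98/0xe40
[ 79.146401][ T12]  kthread+0x354/0x420
[ 79.162080][ T12]  ret_from_fork+0x24/0x30
[ 79.166513][ T12]
[ 79.169046][ T12] Allocated by task 1:
[ 79.173209][ T12]  save_stack+0x23/0x90
[ 79.177365][ T12]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 79.183007][ T12]  kasan_kmalloc+0x9/0x10
[ 79.187344][ T12]  kmem_cache_alloc_trace+0x151/0x750
[ 79.192750][ T12]  loop_add+0x51/0x8d0
[ 79.196956][ T12]  loop_init+0x1fe/0x25a
[ 79.201495][ T12]  do_one_initcall+0x107/0x7ba
[ 79.216086][ T12]  ret_from_fork+0x24/0x30
[ 79.220503][ T12]
[ 79.222845][ T12] Freed by task 9110:
[ 79.226847][ T12]  save_stack+0x23/0x90
[ 79.231007][ T12]  __kasan_slab_free+0x102/0x150
[ 79.236557][ T12]  kasan_slab_free+0xe/0x10
[ 79.241154][ T12]  kfree+0xcf/0x220
[ 79.244974][ T12]  loop_remove+0xa1/0xd0
[ 79.249480][ T12]  loop_control_ioctl+0x320/0x360
[ 79.259415][ T12]  ksys_ioctl+0xab/0xd0
[ 79.272785][ T12]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.278781][ T12]
[ 79.281164][ T12] The buggy address belongs to the object at ffff8880a3e38000
[ 79.281164][ T12]  which belongs to the cache kmalloc-1k of size 1024
executing program
[ 79.409223][ T12] ==================================================================
"""

# dmesg "[ <time>][ T<tid>] " prefix; lines without it are not kernel output.
PREFIX_RE = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"^(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
OBJECT_RE = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
STACK_HDR_RE = re.compile(r"^(?:Call Trace:|Allocated by task (?P<alloc>\d+):|Freed by task (?P<free>\d+):)$")
FRAME_RE = re.compile(r"^(?P<unreliable>\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

# Sanitizer, stack-saving and allocator frames: present in every report, never the culprit.
# (Skip list chosen for this example; extend it for other allocators or report types.)
SKIP_PREFIXES = ("dump_stack", "print_address_description", "__kasan_report", "kasan_report",
                 "__asan_report_", "save_stack", "__kasan_kmalloc", "kasan_kmalloc",
                 "kmem_cache_alloc", "__kmalloc", "kmalloc", "__kasan_slab_free",
                 "kasan_slab_free", "kfree")


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    rw: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    obj_base: Optional[int] = None
    cache: str = ""
    cache_size: int = 0
    alloc_task: Optional[int] = None
    free_task: Optional[int] = None
    stacks: Dict[str, List[str]] = field(default_factory=lambda: {"access": [], "alloc": [], "free": []})

    @property
    def offset(self) -> Optional[int]:
        """Byte offset of the bad access inside the slab object (the '528 bytes inside of' figure)."""
        return None if self.obj_base is None else self.addr - self.obj_base


def parse_kasan_report(log: str) -> Optional[KasanReport]:
    """Parse the first KASAN report in a console log; returns None if there is none."""
    report: Optional[KasanReport] = None
    section: Optional[str] = None  # stack currently being collected, or None
    for raw in log.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue  # e.g. syzkaller's "executing program" lines
        line = raw[m.end():].strip()
        if report is None:
            bm = BUG_RE.match(line)
            if bm:
                report = KasanReport(kind=bm["kind"], func=bm["func"])
            continue
        if line == "":
            section = None  # a blank line terminates a stack dump
            continue
        if line.startswith("===="):
            break  # closing banner of the report
        hm = STACK_HDR_RE.match(line)
        if hm:
            if hm["alloc"]:
                section, report.alloc_task = "alloc", int(hm["alloc"])
            elif hm["free"]:
                section, report.free_task = "free", int(hm["free"])
            else:
                section = "access"
            continue
        if section:
            fm = FRAME_RE.match(line)
            if fm and not fm["unreliable"]:  # drop "? func" guesses left on the stack
                report.stacks[section].append(fm["func"])
            continue
        am = ACCESS_RE.match(line)
        if am:
            report.rw, report.size = am["rw"], int(am["size"])
            report.addr, report.task = int(am["addr"], 16), am["task"]
            continue
        om = OBJECT_RE.search(line)
        if om:
            report.obj_base = int(om["base"], 16)
            continue
        cm = CACHE_RE.search(line)
        if cm:
            report.cache, report.cache_size = cm["cache"], int(cm["size"])
    return report


def culprit(frames: List[str]) -> Optional[str]:
    """First frame that is not sanitizer/allocator machinery."""
    return next((f for f in frames if not f.startswith(SKIP_PREFIXES)), None)


def title(report: KasanReport) -> str:
    """syzkaller-style one-line title, e.g. 'KASAN: use-after-free Read in blk_mq_free_rqs'."""
    return f"KASAN: {report.kind} {report.rw} in {report.func}"


if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE_LOG)
    assert r is not None
    print(title(r))
    print(f"{r.size}-byte {r.rw} at offset {r.offset} into a {r.cache} object by {r.task}")
    for name in ("access", "alloc", "free"):
        print(f"{name:>6}: {culprit(r.stacks[name])}")
```

Running the block on the sample prints the title, then "8-byte Read at offset 528 into a kmalloc-1k object by kworker/0:1/12", and the three culprits; the alloc/free culprits (`loop_add` from `loop_init` at boot, `loop_remove` from `loop_control_ioctl`) versus the access from a deferred `__blk_release_queue` work item are exactly the three facts a triager needs from this report.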