[ ok ] Starting enhanced syslogd: rsyslogd.
[   57.137983][   T26] audit: type=1800 audit(1559858544.641:25): pid=8668 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   57.182077][   T26] audit: type=1800 audit(1559858544.651:26): pid=8668 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   57.229942][   T26] audit: type=1800 audit(1559858544.651:27): pid=8668 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.135' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
syzkaller login: [   67.475211][   T12] ==================================================================
[   67.483463][   T12] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[   67.483480][   T12] Read of size 8 at addr ffff88809ebc8210 by task kworker/0:1/12
[   67.483484][   T12]
[   67.483497][   T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.0-rc3+ #39
[   67.483505][   T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.483527][   T12] Workqueue: events __blk_release_queue
[   67.483545][   T12] Call Trace:
[   67.483564][   T12]  dump_stack+0x172/0x1f0
[   67.531790][   T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[   67.536738][   T12]  print_address_description.cold+0x7c/0x20d
[   67.542707][   T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[   67.547653][   T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[   67.552584][   T12]  __kasan_report.cold+0x1b/0x40
[   67.557516][   T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[   67.562443][   T12]  kasan_report+0x12/0x20
[   67.566761][   T12]  __asan_report_load8_noabort+0x14/0x20
[   67.572383][   T12]  blk_mq_free_rqs+0x49f/0x4b0
[   67.577131][   T12]  ? dd_exit_queue+0x92/0xd0
[   67.581702][   T12]  ? kfree+0x170/0x220
[   67.585762][   T12]  blk_mq_sched_tags_teardown+0x126/0x210
[   67.591474][   T12]  ? dd_request_merge+0x230/0x230
[   67.596491][   T12]  blk_mq_exit_sched+0x1fa/0x2d0
[   67.601430][   T12]  elevator_exit+0x70/0xa0
[   67.605926][   T12]  __blk_release_queue+0x127/0x330
[   67.611036][   T12]  process_one_work+0x989/0x1790
[   67.615973][   T12]  ? pwq_dec_nr_in_flight+0x320/0x320
[   67.621332][   T12]  ? lock_acquire+0x16f/0x3f0
[   67.626022][   T12]  worker_thread+0x98/0xe40
[   67.630553][   T12]  ? trace_hardirqs_on+0x67/0x220
[   67.635573][   T12]  kthread+0x354/0x420
[   67.639719][   T12]  ? process_one_work+0x1790/0x1790
[   67.644906][   T12]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   67.651144][   T12]  ret_from_fork+0x24/0x30
[   67.655580][   T12]
[   67.657898][   T12] Allocated by task 8822:
[   67.662226][   T12]  save_stack+0x23/0x90
[   67.666375][   T12]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   67.671991][   T12]  kasan_kmalloc+0x9/0x10
[   67.676304][   T12]  kmem_cache_alloc_trace+0x151/0x750
[   67.681656][   T12]  loop_add+0x51/0x8d0
[   67.685710][   T12]  loop_control_ioctl+0x165/0x360
[   67.690808][   T12]  do_vfs_ioctl+0xd5f/0x1380
[   67.695378][   T12]  ksys_ioctl+0xab/0xd0
[   67.699510][   T12]  __x64_sys_ioctl+0x73/0xb0
[   67.704277][   T12]  do_syscall_64+0xfd/0x680
[   67.708764][   T12]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   67.714626][   T12]
[   67.716931][   T12] Freed by task 8824:
[   67.720889][   T12]  save_stack+0x23/0x90
[   67.725026][   T12]  __kasan_slab_free+0x102/0x150
[   67.729947][   T12]  kasan_slab_free+0xe/0x10
[   67.734431][   T12]  kfree+0xcf/0x220
[   67.738224][   T12]  loop_remove+0xa1/0xd0
[   67.742446][   T12]  loop_control_ioctl+0x320/0x360
[   67.747727][   T12]  do_vfs_ioctl+0xd5f/0x1380
[   67.752297][   T12]  ksys_ioctl+0xab/0xd0
[   67.756428][   T12]  __x64_sys_ioctl+0x73/0xb0
[   67.761090][   T12]  do_syscall_64+0xfd/0x680
[   67.765585][   T12]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   67.771452][   T12]
[   67.773763][   T12] The buggy address belongs to the object at ffff88809ebc8000
[   67.773763][   T12]  which belongs to the cache kmalloc-1k of size 1024
[   67.787798][   T12] The buggy address is located 528 bytes inside of
[   67.787798][   T12]  1024-byte region [ffff88809ebc8000, ffff88809ebc8400)
[   67.801134][   T12] The buggy address belongs to the page:
[   67.806753][   T12] page:ffffea00027af200 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[   67.817845][   T12] flags: 0x1fffc0000010200(slab|head)
[   67.823204][   T12] raw: 01fffc0000010200 ffffea00025e7188 ffffea000281ca08 ffff8880aa400ac0
[   67.831789][   T12] raw: 0000000000000000 ffff88809ebc8000 0000000100000007 0000000000000000
[   67.840388][   T12] page dumped because: kasan: bad access detected
[   67.846781][   T12]
[   67.849111][   T12] Memory state around the buggy address:
[   67.854743][   T12]  ffff88809ebc8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.862793][   T12]  ffff88809ebc8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.870856][   T12] >ffff88809ebc8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.878904][   T12]                         ^
[   67.883480][   T12]  ffff88809ebc8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.891632][   T12]  ffff88809ebc8300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.899675][   T12] ==================================================================
[   67.907719][   T12] Disabling lock debugging due to kernel taint
[   67.914137][   T12] Kernel panic - not syncing: panic_on_warn set ...
[   67.914622][ T8825] kobject: 'loop0' (0000000075406c3b): kobject_uevent_env
[   67.920748][   T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.2.0-rc3+ #39
[   67.934764][ T8825] kobject: 'loop0' (0000000075406c3b): kobject_uevent_env: uevent_suppress caused the event to drop!
[   67.936678][   T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.947900][ T8825] kobject: 'holders' (000000009635ef5a): kobject_add_internal: parent: 'loop0', set: ''
[   67.957582][   T12] Workqueue: events __blk_release_queue
[   67.957590][   T12] Call Trace:
[   67.957610][   T12]  dump_stack+0x172/0x1f0
[   67.957632][   T12]  panic+0x2cb/0x744
[   67.968298][ T8825] kobject: 'slaves' (000000001e8fb28b): kobject_add_internal: parent: 'loop0', set: ''
[   67.973402][   T12]  ? __warn_printk+0xf3/0xf3
[   67.973417][   T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[   67.973439][   T12]  ? preempt_schedule+0x4b/0x60
[   67.977321][ T8825] kobject: 'loop0' (0000000075406c3b): kobject_uevent_env
[   67.981043][   T12]  ? ___preempt_schedule+0x16/0x18
[   67.985236][ T8825] kobject: 'loop0' (0000000075406c3b): fill_kobj_path: path = '/devices/virtual/block/loop0'
[   67.995061][   T12]  ? trace_hardirqs_on+0x5e/0x220
[   67.995076][   T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[   67.995090][   T12]  end_report+0x47/0x4f
[   67.995115][   T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[   68.000805][ T8825] kobject: 'queue' (00000000d2b9fe9b): kobject_add_internal: parent: 'loop0', set: ''
[   68.004621][   T12]  __kasan_report.cold+0xe/0x40
[   68.004637][   T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[   68.004651][   T12]  kasan_report+0x12/0x20
[   68.004670][   T12]  __asan_report_load8_noabort+0x14/0x20
[   68.010704][ T8825] kobject: 'mq' (00000000c7f1d000): kobject_add_internal: parent: 'loop0', set: ''
[   68.016619][   T12]  blk_mq_free_rqs+0x49f/0x4b0
[   68.016631][   T12]  ? dd_exit_queue+0x92/0xd0
[   68.016641][   T12]  ? kfree+0x170/0x220
[   68.016664][   T12]  blk_mq_sched_tags_teardown+0x126/0x210
[   68.022608][ T8825] kobject: 'mq' (00000000c7f1d000): kobject_uevent_env
[   68.031904][   T12]  ? dd_request_merge+0x230/0x230
[   68.031920][   T12]  blk_mq_exit_sched+0x1fa/0x2d0
[   68.031936][   T12]  elevator_exit+0x70/0xa0
[   68.031957][   T12]  __blk_release_queue+0x127/0x330
[   68.037720][ T8825] kobject: 'mq' (00000000c7f1d000): kobject_uevent_env: filter function caused the event to drop!
[   68.041914][   T12]  process_one_work+0x989/0x1790
[   68.041931][   T12]  ? pwq_dec_nr_in_flight+0x320/0x320
[   68.041943][   T12]  ? lock_acquire+0x16f/0x3f0
[   68.041963][   T12]  worker_thread+0x98/0xe40
[   68.046854][ T8825] kobject: '0' (00000000a621c340): kobject_add_internal: parent: 'mq', set: ''
[   68.051046][   T12]  ? trace_hardirqs_on+0x67/0x220
[   68.061501][ T8825] kobject: 'cpu0' (0000000001902957): kobject_add_internal: parent: '0', set: ''
[   68.068428][   T12]  kthread+0x354/0x420
[   68.068444][   T12]  ? process_one_work+0x1790/0x1790
[   68.068457][   T12]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   68.068477][   T12]  ret_from_fork+0x24/0x30
[   68.073810][ T8825] kobject: 'cpu1' (0000000032c1759d): kobject_add_internal: parent: '0', set: ''
[   68.084564][   T12] Kernel Offset: disabled
[   68.227314][   T12] Rebooting in 86400 seconds..