[....] Starting enhanced syslogd: rsyslogd [ ok ].
[   62.422144][   T26] audit: type=1800 audit(1559987112.814:25): pid=8842 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   62.450866][   T26] audit: type=1800 audit(1559987112.814:26): pid=8842 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   62.502138][   T26] audit: type=1800 audit(1559987112.824:27): pid=8842 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.57' (ECDSA) to the list of known hosts.
executing program
executing program
executing program

syzkaller login: [   74.132829][ T3542] ==================================================================
[   74.141090][ T3542] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[   74.141108][ T3542] Read of size 8 at addr ffff88809aa318d0 by task kworker/1:2/3542
[   74.141111][ T3542]
[   74.141126][ T3542] CPU: 1 PID: 3542 Comm: kworker/1:2 Not tainted 5.2.0-rc3+ #23
[   74.141134][ T3542] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   74.141149][ T3542] Workqueue: events __blk_release_queue
[   74.141157][ T3542] Call Trace:
[   74.141177][ T3542]  dump_stack+0x172/0x1f0
[   74.141192][ T3542]  ? blk_mq_free_rqs+0x49f/0x4b0
[   74.141212][ T3542]  print_address_description.cold+0x7c/0x20d
[   74.141226][ T3542]  ? blk_mq_free_rqs+0x49f/0x4b0
[   74.141240][ T3542]  ? blk_mq_free_rqs+0x49f/0x4b0
[   74.141256][ T3542]  __kasan_report.cold+0x1b/0x40
[   74.141273][ T3542]  ? blk_mq_free_rqs+0x49f/0x4b0
[   74.141290][ T3542]  kasan_report+0x12/0x20
[   74.141306][ T3542]  __asan_report_load8_noabort+0x14/0x20
[   74.141326][ T3542]  blk_mq_free_rqs+0x49f/0x4b0
[   74.141338][ T3542]  ? dd_exit_queue+0x92/0xd0
[   74.141356][ T3542]  ? kfree+0x170/0x220
[   74.141378][ T3542]  blk_mq_sched_tags_teardown+0x126/0x210
[   74.156653][ T3542]  ? dd_request_merge+0x230/0x230
[   74.156671][ T3542]  blk_mq_exit_sched+0x1fa/0x2d0
[   74.156690][ T3542]  elevator_exit+0x70/0xa0
[   74.156707][ T3542]  __blk_release_queue+0x127/0x330
[   74.156726][ T3542]  process_one_work+0x989/0x1790
[   74.156749][ T3542]  ? pwq_dec_nr_in_flight+0x320/0x320
[   74.159762][ T9002] kobject: '7:0' (00000000f55a3542): fill_kobj_path: path = '/devices/virtual/bdi/7:0'
[   74.166697][ T3542]  ? lock_acquire+0x16f/0x3f0
[   74.166725][ T3542]  worker_thread+0x98/0xe40
[   74.166741][ T3542]  ? trace_hardirqs_on+0x67/0x220
[   74.166766][ T3542]  kthread+0x354/0x420
[   74.166787][ T3542]  ? process_one_work+0x1790/0x1790
[   74.183457][ T9002] kobject: 'loop0' (00000000c687bbe3): kobject_add_internal: parent: 'block', set: 'devices'
[   74.185847][ T3542]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   74.185866][ T3542]  ret_from_fork+0x24/0x30
[   74.185886][ T3542]
[   74.191061][ T9002] kobject: 'loop0' (00000000c687bbe3): kobject_uevent_env
[   74.195235][ T3542] Allocated by task 9000:
[   74.195253][ T3542]  save_stack+0x23/0x90
[   74.195266][ T3542]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   74.195284][ T3542]  kasan_kmalloc+0x9/0x10
[   74.201350][ T9002] kobject: 'loop0' (00000000c687bbe3): kobject_uevent_env: uevent_suppress caused the event to drop!
[   74.206190][ T3542]  kmem_cache_alloc_trace+0x151/0x750
[   74.206202][ T3542]  loop_add+0x51/0x8d0
[   74.206214][ T3542]  loop_control_ioctl+0x165/0x360
[   74.206232][ T3542]  do_vfs_ioctl+0xd5f/0x1380
[   74.211573][ T9002] kobject: 'holders' (000000003517f06b): kobject_add_internal: parent: 'loop0', set: ''
[   74.216087][ T3542]  ksys_ioctl+0xab/0xd0
[   74.216097][ T3542]  __x64_sys_ioctl+0x73/0xb0
[   74.216111][ T3542]  do_syscall_64+0xfd/0x680
[   74.216133][ T3542]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   74.221395][ T9002] kobject: 'slaves' (0000000024a70655): kobject_add_internal: parent: 'loop0', set: ''
[   74.225395][ T3542]
[   74.225405][ T3542] Freed by task 9001:
[   74.225423][ T3542]  save_stack+0x23/0x90
[   74.225435][ T3542]  __kasan_slab_free+0x102/0x150
[   74.225454][ T3542]  kasan_slab_free+0xe/0x10
[   74.231402][ T9002] kobject: 'loop0' (00000000c687bbe3): kobject_uevent_env
[   74.235847][ T3542]  kfree+0xcf/0x220
[   74.235859][ T3542]  loop_remove+0xa1/0xd0
[   74.235870][ T3542]  loop_control_ioctl+0x320/0x360
[   74.235880][ T3542]  do_vfs_ioctl+0xd5f/0x1380
[   74.235897][ T3542]  ksys_ioctl+0xab/0xd0
[   74.240678][ T9002] kobject: 'loop0' (00000000c687bbe3): fill_kobj_path: path = '/devices/virtual/block/loop0'
[   74.244621][ T3542]  __x64_sys_ioctl+0x73/0xb0
[   74.244635][ T3542]  do_syscall_64+0xfd/0x680
[   74.244648][ T3542]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   74.244653][ T3542]
[   74.244663][ T3542] The buggy address belongs to the object at ffff88809aa316c0
[   74.244663][ T3542]  which belongs to the cache kmalloc-1k of size 1024
[   74.244675][ T3542] The buggy address is located 528 bytes inside of
[   74.244675][ T3542]  1024-byte region [ffff88809aa316c0, ffff88809aa31ac0)
[   74.244680][ T3542] The buggy address belongs to the page:
[   74.244692][ T3542] page:ffffea00026a8c00 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[   74.251391][ T9002] kobject: 'queue' (0000000086a753b1): kobject_add_internal: parent: 'loop0', set: ''
[   74.255575][ T3542] flags: 0x1fffc0000010200(slab|head)
[   74.255594][ T3542] raw: 01fffc0000010200 ffffea0002695d08 ffffea0002798488 ffff8880aa400ac0
[   74.255608][ T3542] raw: 0000000000000000 ffff88809aa30040 0000000100000007 0000000000000000
[   74.255614][ T3542] page dumped because: kasan: bad access detected
[   74.255626][ T3542]
[   74.255631][ T3542] Memory state around the buggy address:
[   74.255641][ T3542]  ffff88809aa31780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.255649][ T3542]  ffff88809aa31800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.261621][ T9002] kobject: 'mq' (000000002b93169b): kobject_add_internal: parent: 'loop0', set: ''
[   74.265218][ T3542] >ffff88809aa31880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.265225][ T3542]                                                  ^
[   74.265235][ T3542]  ffff88809aa31900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.265246][ T3542]  ffff88809aa31980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.265260][ T3542] ==================================================================
[   74.270575][ T9002] kobject: 'mq' (000000002b93169b): kobject_uevent_env
[   74.275491][ T3542] Disabling lock debugging due to kernel taint
[   74.276717][ T3542] Kernel panic - not syncing: panic_on_warn set ...
[   74.281678][ T9002] kobject: 'mq' (000000002b93169b): kobject_uevent_env: filter function caused the event to drop!
[   74.290707][ T3542] CPU: 1 PID: 3542 Comm: kworker/1:2 Tainted: G    B             5.2.0-rc3+ #23
[   74.290715][ T3542] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   74.290733][ T3542] Workqueue: events __blk_release_queue
[   74.295674][ T9002] kobject: '0' (00000000ded345e8): kobject_add_internal: parent: 'mq', set: ''
[   74.299915][ T3542] Call Trace:
[   74.299938][ T3542]  dump_stack+0x172/0x1f0
[   74.299959][ T3542]  panic+0x2cb/0x744
[   74.305294][ T9002] kobject: 'cpu0' (00000000d7e99226): kobject_add_internal: parent: '0', set: ''
[   74.309070][ T3542]  ? __warn_printk+0xf3/0xf3
[   74.309093][ T3542]  ? blk_mq_free_rqs+0x49f/0x4b0
[   74.316030][ T9002] kobject: 'cpu1' (0000000007af1677): kobject_add_internal: parent: '0', set: ''
[   74.325947][ T3542]  ? preempt_schedule+0x4b/0x60
[   74.325962][ T3542]  ? ___preempt_schedule+0x16/0x18
[   74.325976][ T3542]  ? trace_hardirqs_on+0x5e/0x220
[   74.325991][ T3542]  ? blk_mq_free_rqs+0x49f/0x4b0
[   74.326012][ T3542]  end_report+0x47/0x4f
[   74.332541][ T9002] kobject: 'queue' (0000000086a753b1): kobject_uevent_env
[   74.336767][ T3542]  ? blk_mq_free_rqs+0x49f/0x4b0
[   74.336784][ T3542]  __kasan_report.cold+0xe/0x40
[   74.336803][ T3542]  ? blk_mq_free_rqs+0x49f/0x4b0
[   74.339178][ T9002] kobject: 'queue' (0000000086a753b1): kobject_uevent_env: filter function caused the event to drop!
[   74.346252][ T3542]  kasan_report+0x12/0x20
[   74.346267][ T3542]  __asan_report_load8_noabort+0x14/0x20
[   74.346280][ T3542]  blk_mq_free_rqs+0x49f/0x4b0
[   74.346291][ T3542]  ? dd_exit_queue+0x92/0xd0
[   74.346309][ T3542]  ? kfree+0x170/0x220
[   74.351006][ T9002] kobject: 'iosched' (000000004013e745): kobject_add_internal: parent: 'queue', set: ''
[   74.354807][ T3542]  blk_mq_sched_tags_teardown+0x126/0x210
[   74.354829][ T3542]  ? dd_request_merge+0x230/0x230
[   74.360955][ T9002] kobject: 'iosched' (000000004013e745): kobject_uevent_env
[   74.365089][ T3542]  blk_mq_exit_sched+0x1fa/0x2d0
[   74.365110][ T3542]  elevator_exit+0x70/0xa0
[   74.376043][ T9002] kobject: 'iosched' (000000004013e745): kobject_uevent_env: filter function caused the event to drop!
[   74.381332][ T3542]  __blk_release_queue+0x127/0x330
[   74.381381][ T3542]  process_one_work+0x989/0x1790
[   74.381403][ T3542]  ? pwq_dec_nr_in_flight+0x320/0x320
[   74.385725][ T9002] kobject: 'integrity' (000000006c173b66): kobject_add_internal: parent: 'loop0', set: ''
[   74.390486][ T3542]  ? lock_acquire+0x16f/0x3f0
[   74.390507][ T3542]  worker_thread+0x98/0xe40
[   74.390528][ T3542]  ? trace_hardirqs_on+0x67/0x220
[   74.395398][ T9002] kobject: 'integrity' (000000006c173b66): kobject_uevent_env
[   74.405345][ T3542]  kthread+0x354/0x420
[   74.405369][ T3542]  ? process_one_work+0x1790/0x1790
[   74.405381][ T3542]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   74.405402][ T3542]  ret_from_fork+0x24/0x30
[   74.409754][ T9002] kobject: 'integrity' (000000006c173b66): kobject_uevent_env: filter function caused the event to drop!
[   74.415873][ T3542] Kernel Offset: disabled
[   74.988793][ T3542] Rebooting in 86400 seconds..