[ ok ] Starting enhanced syslogd: rsyslogd.
[ 56.358561][ T26] audit: type=1800 audit(1559684750.661:25): pid=8507 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 56.383280][ T26] audit: type=1800 audit(1559684750.661:26): pid=8507 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 56.420487][ T26] audit: type=1800 audit(1559684750.671:27): pid=8507 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.98' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 67.048645][ T22] ==================================================================
[ 67.057312][ T22] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 67.057333][ T22] Read of size 8 at addr ffff888085ce2250 by task kworker/1:1/22
[ 67.057336][ T22]
[ 67.057349][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.2.0-rc3+ #19
[ 67.072746][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.072767][ T22] Workqueue: events __blk_release_queue
[ 67.072774][ T22] Call Trace:
[ 67.072795][ T22]  dump_stack+0x172/0x1f0
[ 67.082632][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 67.082649][ T22]  print_address_description.cold+0x7c/0x20d
[ 67.082665][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 67.098243][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 67.098258][ T22]  __kasan_report.cold+0x1b/0x40
[ 67.098275][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 67.105857][ T22]  kasan_report+0x12/0x20
[ 67.105872][ T22]  __asan_report_load8_noabort+0x14/0x20
[ 67.105884][ T22]  blk_mq_free_rqs+0x49f/0x4b0
[ 67.105897][ T22]  ? dd_exit_queue+0x92/0xd0
[ 67.105906][ T22]  ? kfree+0x170/0x220
[ 67.105925][ T22]  blk_mq_sched_tags_teardown+0x126/0x210
[ 67.105939][ T22]  ? dd_request_merge+0x230/0x230
[ 67.105956][ T22]  blk_mq_exit_sched+0x1fa/0x2d0
[ 67.116842][ T22]  elevator_exit+0x70/0xa0
[ 67.116858][ T22]  __blk_release_queue+0x127/0x330
[ 67.116876][ T22]  process_one_work+0x989/0x1790
[ 67.116897][ T22]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 67.116907][ T22]  ? lock_acquire+0x16f/0x3f0
[ 67.116930][ T22]  worker_thread+0x98/0xe40
[ 67.132001][ T22]  ? trace_hardirqs_on+0x67/0x220
[ 67.132024][ T22]  kthread+0x354/0x420
[ 67.132044][ T22]  ? process_one_work+0x1790/0x1790
[ 67.132055][ T22]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 67.141374][ T22]  ret_from_fork+0x24/0x30
[ 67.141394][ T22]
[ 67.151747][ T22] Allocated by task 8661:
[ 67.151764][ T22]  save_stack+0x23/0x90
[ 67.151780][ T22]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 67.156745][ T8662] kobject: 'mq' (00000000149ceda4): kobject_uevent_env: filter function caused the event to drop!
[ 67.160399][ T22]  kasan_kmalloc+0x9/0x10
[ 67.160411][ T22]  kmem_cache_alloc_trace+0x151/0x750
[ 67.160426][ T22]  loop_add+0x51/0x8d0
[ 67.166612][ T8662] kobject: '0' (000000008cfe52b3): kobject_add_internal: parent: 'mq', set: ''
[ 67.171156][ T22]  loop_control_ioctl+0x165/0x360
[ 67.171168][ T22]  do_vfs_ioctl+0xd5f/0x1380
[ 67.171176][ T22]  ksys_ioctl+0xab/0xd0
[ 67.171194][ T22]  __x64_sys_ioctl+0x73/0xb0
[ 67.176733][ T8662] kobject: 'cpu0' (0000000058f6603f): kobject_add_internal: parent: '0', set: ''
[ 67.180520][ T22]  do_syscall_64+0xfd/0x680
[ 67.180534][ T22]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 67.180542][ T22]
[ 67.186103][ T8662] kobject: 'cpu1' (000000007f1df700): kobject_add_internal: parent: '0', set: ''
[ 67.190560][ T22] Freed by task 8662:
[ 67.190576][ T22]  save_stack+0x23/0x90
[ 67.190586][ T22]  __kasan_slab_free+0x102/0x150
[ 67.190601][ T22]  kasan_slab_free+0xe/0x10
[ 67.196517][ T8662] kobject: 'queue' (00000000aca8c71e): kobject_uevent_env
[ 67.200616][ T22]  kfree+0xcf/0x220
[ 67.200628][ T22]  loop_remove+0xa1/0xd0
[ 67.200644][ T22]  loop_control_ioctl+0x320/0x360
[ 67.205537][ T8662] kobject: 'queue' (00000000aca8c71e): kobject_uevent_env: filter function caused the event to drop!
[ 67.210216][ T22]  do_vfs_ioctl+0xd5f/0x1380
[ 67.210226][ T22]  ksys_ioctl+0xab/0xd0
[ 67.210240][ T22]  __x64_sys_ioctl+0x73/0xb0
[ 67.214816][ T8662] kobject: 'iosched' (00000000cca8fbff): kobject_add_internal: parent: 'queue', set: ''
[ 67.219521][ T22]  do_syscall_64+0xfd/0x680
[ 67.219535][ T22]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 67.219543][ T22]
[ 67.226366][ T8662] kobject: 'iosched' (00000000cca8fbff): kobject_uevent_env
[ 67.230392][ T22] The buggy address belongs to the object at ffff888085ce2040
[ 67.230392][ T22]  which belongs to the cache kmalloc-1k of size 1024
[ 67.230404][ T22] The buggy address is located 528 bytes inside of
[ 67.230404][ T22]  1024-byte region [ffff888085ce2040, ffff888085ce2440)
[ 67.230408][ T22] The buggy address belongs to the page:
[ 67.230419][ T22] page:ffffea0002173880 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 67.232827][ T8662] kobject: 'iosched' (00000000cca8fbff): kobject_uevent_env: filter function caused the event to drop!
[ 67.237078][ T22] flags: 0x1fffc0000010200(slab|head)
[ 67.237095][ T22] raw: 01fffc0000010200 ffffea0002a2ea08 ffffea0002336208 ffff8880aa400ac0
[ 67.237108][ T22] raw: 0000000000000000 ffff888085ce2040 0000000100000007 0000000000000000
[ 67.237113][ T22] page dumped because: kasan: bad access detected
[ 67.237116][ T22]
[ 67.237120][ T22] Memory state around the buggy address:
[ 67.237131][ T22]  ffff888085ce2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.237141][ T22]  ffff888085ce2180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.237149][ T22] >ffff888085ce2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.237154][ T22]                                                  ^
[ 67.237161][ T22]  ffff888085ce2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.237168][ T22]  ffff888085ce2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.237172][ T22] ==================================================================
[ 67.237176][ T22] Disabling lock debugging due to kernel taint
[ 67.238293][ T22] Kernel panic - not syncing: panic_on_warn set ...
[ 67.246063][ T8662] kobject: 'integrity' (0000000030abff88): kobject_add_internal: parent: 'loop0', set: ''
[ 67.247235][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G B 5.2.0-rc3+ #19
[ 67.247247][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.612551][ T22] Workqueue: events __blk_release_queue
[ 67.618171][ T22] Call Trace:
[ 67.621446][ T22]  dump_stack+0x172/0x1f0
[ 67.625775][ T22]  panic+0x2cb/0x744
[ 67.629661][ T22]  ? __warn_printk+0xf3/0xf3
[ 67.634233][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 67.639267][ T22]  ? preempt_schedule+0x4b/0x60
[ 67.644185][ T22]  ? ___preempt_schedule+0x16/0x18
[ 67.649278][ T22]  ? trace_hardirqs_on+0x5e/0x220
[ 67.654293][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 67.659258][ T22]  end_report+0x47/0x4f
[ 67.663402][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 67.668340][ T22]  __kasan_report.cold+0xe/0x40
[ 67.673176][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 67.678106][ T22]  kasan_report+0x12/0x20
[ 67.682611][ T22]  __asan_report_load8_noabort+0x14/0x20
[ 67.688235][ T22]  blk_mq_free_rqs+0x49f/0x4b0
[ 67.692977][ T22]  ? dd_exit_queue+0x92/0xd0
[ 67.697663][ T22]  ? kfree+0x170/0x220
[ 67.701721][ T22]  blk_mq_sched_tags_teardown+0x126/0x210
[ 67.707422][ T22]  ? dd_request_merge+0x230/0x230
[ 67.712512][ T22]  blk_mq_exit_sched+0x1fa/0x2d0
[ 67.717433][ T22]  elevator_exit+0x70/0xa0
[ 67.721829][ T22]  __blk_release_queue+0x127/0x330
[ 67.726938][ T22]  process_one_work+0x989/0x1790
[ 67.731858][ T22]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 67.737293][ T22]  ? lock_acquire+0x16f/0x3f0
[ 67.742343][ T22]  worker_thread+0x98/0xe40
[ 67.746831][ T22]  ? trace_hardirqs_on+0x67/0x220
[ 67.751859][ T22]  kthread+0x354/0x420
[ 67.755908][ T22]  ? process_one_work+0x1790/0x1790
[ 67.761087][ T22]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 67.767304][ T22]  ret_from_fork+0x24/0x30
[ 67.774180][ T22] Kernel Offset: disabled
[ 67.778529][ T22] Rebooting in 86400 seconds..