[....] Starting enhanced syslogd: rsyslogd�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
[ 57.247712][ T26] audit: type=1800 audit(1560009497.042:25): pid=8624 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 57.278287][ T26] audit: type=1800 audit(1560009497.042:26): pid=8624 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 57.311396][ T26] audit: type=1800 audit(1560009497.042:27): pid=8624 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[....] Starting periodic command scheduler: cron�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
[....] Starting OpenBSD Secure Shell server: sshd�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.10.45' (ECDSA) to the list of known hosts.
2019/06/08 15:58:56 parsed 1 programs
2019/06/08 15:58:57 executed programs: 0
syzkaller login: [ 97.889010][ T8794] IPVS: ftp: loaded support on port[0] = 21
[ 97.952932][ T8794] chnl_net:caif_netlink_parms(): no params data found
[ 97.979802][ T8794] bridge0: port 1(bridge_slave_0) entered blocking state
[ 97.987113][ T8794] bridge0: port 1(bridge_slave_0) entered disabled state
[ 97.995215][ T8794] device bridge_slave_0 entered promiscuous mode
[ 98.003424][ T8794] bridge0: port 2(bridge_slave_1) entered blocking state
[ 98.010619][ T8794] bridge0: port 2(bridge_slave_1) entered disabled state
[ 98.018482][ T8794] device bridge_slave_1 entered promiscuous mode
[ 98.034906][ T8794] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 98.045374][ T8794] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 98.064175][ T8794] team0: Port device team_slave_0 added
[ 98.071917][ T8794] team0: Port device team_slave_1 added
[ 98.140605][ T8794] device hsr_slave_0 entered promiscuous mode
[ 98.208832][ T8794] device hsr_slave_1 entered promiscuous mode
[ 98.267080][ T8794] bridge0: port 2(bridge_slave_1) entered blocking state
[ 98.274287][ T8794] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 98.282013][ T8794] bridge0: port 1(bridge_slave_0) entered blocking state
[ 98.289122][ T8794] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 98.322899][ T8794] 8021q: adding VLAN 0 to HW filter on device bond0
[ 98.334108][ T3542] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 98.354352][ T3542] bridge0: port 1(bridge_slave_0) entered disabled state
[ 98.362868][ T3542] bridge0: port 2(bridge_slave_1) entered disabled state
[ 98.371752][ T3542] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 98.383201][ T8794] 8021q: adding VLAN 0 to HW filter on device team0
[ 98.393288][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 98.402117][ T17] bridge0: port 1(bridge_slave_0) entered blocking state
[ 98.409227][ T17] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 98.430135][ T8796] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 98.439067][ T8796] bridge0: port 2(bridge_slave_1) entered blocking state
[ 98.446159][ T8796] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 98.454358][ T8796] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 98.463742][ T8796] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 98.473006][ T8796] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 98.484143][ T2993] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 98.495029][ T8796] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 98.505940][ T8794] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 98.523710][ T8794] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 98.880703][ T2993] ==================================================================
[ 98.888980][ T2993] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 98.888998][ T2993] Read of size 8 at addr ffff88808be84fd0 by task kworker/1:2/2993
[ 98.889002][ T2993]
[ 98.889018][ T2993] CPU: 1 PID: 2993 Comm: kworker/1:2 Not tainted 5.2.0-rc3+ #42
[ 98.889026][ T2993] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 98.889042][ T2993] Workqueue: events __blk_release_queue
[ 98.889050][ T2993] Call Trace:
[ 98.889068][ T2993] dump_stack+0x172/0x1f0
[ 98.889084][ T2993] ? blk_mq_free_rqs+0x49f/0x4b0
[ 98.889104][ T2993] print_address_description.cold+0x7c/0x20d
[ 98.889116][ T2993] ? blk_mq_free_rqs+0x49f/0x4b0
[ 98.889130][ T2993] ? blk_mq_free_rqs+0x49f/0x4b0
[ 98.889144][ T2993] __kasan_report.cold+0x1b/0x40
[ 98.889158][ T2993] ? blk_mq_free_rqs+0x49f/0x4b0
[ 98.889172][ T2993] kasan_report+0x12/0x20
[ 98.889188][ T2993] __asan_report_load8_noabort+0x14/0x20
[ 98.889200][ T2993] blk_mq_free_rqs+0x49f/0x4b0
[ 98.889213][ T2993] ? dd_exit_queue+0x92/0xd0
[ 98.889223][ T2993] ? kfree+0x170/0x220
[ 98.889245][ T2993] blk_mq_sched_tags_teardown+0x126/0x210
[ 98.889261][ T2993] ? dd_request_merge+0x230/0x230
[ 98.889277][ T2993] blk_mq_exit_sched+0x1fa/0x2d0
[ 98.889299][ T2993] elevator_exit+0x70/0xa0
[ 98.889316][ T2993] __blk_release_queue+0x127/0x330
[ 98.889337][ T2993] process_one_work+0x989/0x1790
[ 98.889361][ T2993] ? pwq_dec_nr_in_flight+0x320/0x320
[ 98.889383][ T2993] ? lock_acquire+0x16f/0x3f0
[ 98.889408][ T2993] worker_thread+0x98/0xe40
[ 98.904657][ T2993] ? trace_hardirqs_on+0x67/0x220
[ 98.914642][ T2993] kthread+0x354/0x420
[ 98.914658][ T2993] ? process_one_work+0x1790/0x1790
[ 98.914672][ T2993] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 98.914690][ T2993] ret_from_fork+0x24/0x30
[ 98.914709][ T2993]
[ 98.933596][ T2993] Allocated by task 8814:
[ 98.933616][ T2993] save_stack+0x23/0x90
[ 98.933637][ T2993] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 99.084898][ T2993] kasan_kmalloc+0x9/0x10
[ 99.089236][ T2993] kmem_cache_alloc_trace+0x151/0x750
[ 99.094618][ T2993] loop_add+0x51/0x8d0
[ 99.098698][ T2993] loop_probe+0x161/0x1a0
[ 99.103048][ T2993] kobj_lookup+0x260/0x460
[ 99.107477][ T2993] get_gendisk+0x4d/0x390
[ 99.111815][ T2993] __blkdev_get+0x457/0x1660
[ 99.116400][ T2993] blkdev_get+0xc4/0x990
[ 99.120642][ T2993] blkdev_open+0x205/0x290
[ 99.125071][ T2993] do_dentry_open+0x4df/0x1250
[ 99.129853][ T2993] vfs_open+0xa0/0xd0
[ 99.133851][ T2993] path_openat+0x10e9/0x46d0
[ 99.138456][ T2993] do_filp_open+0x1a1/0x280
[ 99.142978][ T2993] do_sys_open+0x3fe/0x5d0
[ 99.148671][ T2993] __x64_sys_open+0x7e/0xc0
[ 99.153203][ T2993] do_syscall_64+0xfd/0x680
[ 99.157727][ T2993] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 99.163650][ T2993]
[ 99.165991][ T2993] Freed by task 8816:
[ 99.169986][ T2993] save_stack+0x23/0x90
[ 99.174157][ T2993] __kasan_slab_free+0x102/0x150
[ 99.179110][ T2993] kasan_slab_free+0xe/0x10
[ 99.183634][ T2993] kfree+0xcf/0x220
[ 99.187468][ T2993] loop_remove+0xa1/0xd0
[ 99.191738][ T2993] loop_control_ioctl+0x320/0x360
[ 99.196780][ T2993] do_vfs_ioctl+0xd5f/0x1380
[ 99.201388][ T2993] ksys_ioctl+0xab/0xd0
[ 99.205557][ T2993] __x64_sys_ioctl+0x73/0xb0
[ 99.210168][ T2993] do_syscall_64+0xfd/0x680
[ 99.214690][ T2993] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 99.220581][ T2993]
[ 99.222929][ T2993] The buggy address belongs to the object at ffff88808be84dc0
[ 99.222929][ T2993] which belongs to the cache kmalloc-1k of size 1024
[ 99.237000][ T2993] The buggy address is located 528 bytes inside of
[ 99.237000][ T2993] 1024-byte region [ffff88808be84dc0, ffff88808be851c0)
[ 99.250371][ T2993] The buggy address belongs to the page:
[ 99.256028][ T2993] page:ffffea00022fa100 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 99.266999][ T2993] flags: 0x1fffc0000010200(slab|head)
[ 99.272387][ T2993] raw: 01fffc0000010200 ffffea000294d088 ffffea0002927988 ffff8880aa400ac0
[ 99.280984][ T2993] raw: 0000000000000000 ffff88808be84040 0000000100000007 0000000000000000
[ 99.289568][ T2993] page dumped because: kasan: bad access detected
[ 99.295982][ T2993]
[ 99.298307][ T2993] Memory state around the buggy address:
[ 99.303949][ T2993] ffff88808be84e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 99.312024][ T2993] ffff88808be84f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 99.320107][ T2993] >ffff88808be84f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 99.328176][ T2993] ^
[ 99.334866][ T2993] ffff88808be85000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 99.342941][ T2993] ffff88808be85080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 99.351003][ T2993] ==================================================================
[ 99.359068][ T2993] Disabling lock debugging due to kernel taint
[ 99.369081][ T2993] Kernel panic - not syncing: panic_on_warn set ...
[ 99.369848][ T8817] kobject: 'iosched' (00000000e51ecdb6): kobject_add_internal: parent: 'queue', set: '<NULL>'
[ 99.375700][ T2993] CPU: 1 PID: 2993 Comm: kworker/1:2 Tainted: G B 5.2.0-rc3+ #42
[ 99.388584][ T8817] kobject: 'iosched' (00000000e51ecdb6): kobject_uevent_env
[ 99.394975][ T2993] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 99.402389][ T8817] kobject: 'iosched' (00000000e51ecdb6): kobject_uevent_env: filter function caused the event to drop!
[ 99.412358][ T2993] Workqueue: events __blk_release_queue
[ 99.412366][ T2993] Call Trace:
[ 99.412389][ T2993] dump_stack+0x172/0x1f0
[ 99.412406][ T2993] panic+0x2cb/0x744
[ 99.412417][ T2993] ? __warn_printk+0xf3/0xf3
[ 99.412431][ T2993] ? blk_mq_free_rqs+0x49f/0x4b0
[ 99.412448][ T2993] ? preempt_schedule+0x4b/0x60
[ 99.412462][ T2993] ? ___preempt_schedule+0x16/0x18
[ 99.412477][ T2993] ? trace_hardirqs_on+0x5e/0x220
[ 99.412491][ T2993] ? blk_mq_free_rqs+0x49f/0x4b0
[ 99.412505][ T2993] end_report+0x47/0x4f
[ 99.412514][ T2993] ? blk_mq_free_rqs+0x49f/0x4b0
[ 99.412525][ T2993] __kasan_report.cold+0xe/0x40
[ 99.412537][ T2993] ? blk_mq_free_rqs+0x49f/0x4b0
[ 99.412548][ T2993] kasan_report+0x12/0x20
[ 99.412560][ T2993] __asan_report_load8_noabort+0x14/0x20
[ 99.412571][ T2993] blk_mq_free_rqs+0x49f/0x4b0
[ 99.412594][ T2993] ? dd_exit_queue+0x92/0xd0
[ 99.412607][ T2993] ? kfree+0x170/0x220
[ 99.412625][ T2993] blk_mq_sched_tags_teardown+0x126/0x210
[ 99.412640][ T2993] ? dd_request_merge+0x230/0x230
[ 99.412655][ T2993] blk_mq_exit_sched+0x1fa/0x2d0
[ 99.412671][ T2993] elevator_exit+0x70/0xa0
[ 99.412683][ T2993] __blk_release_queue+0x127/0x330
[ 99.412700][ T2993] process_one_work+0x989/0x1790
[ 99.412716][ T2993] ? pwq_dec_nr_in_flight+0x320/0x320
[ 99.412730][ T2993] ? lock_acquire+0x16f/0x3f0
[ 99.412748][ T2993] worker_thread+0x98/0xe40
[ 99.412761][ T2993] ? trace_hardirqs_on+0x67/0x220
[ 99.412783][ T2993] kthread+0x354/0x420
[ 99.424412][ T8817] kobject: 'integrity' (00000000cdfdee7e): kobject_add_internal: parent: 'loop0', set: '<NULL>'
[ 99.429373][ T2993] ? process_one_work+0x1790/0x1790
[ 99.429387][ T2993] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 99.429401][ T2993] ret_from_fork+0x24/0x30
[ 99.433878][ T2993] Kernel Offset: disabled
[ 99.597625][ T2993] Rebooting in 86400 seconds..