[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   57.247712][   T26] audit: type=1800 audit(1560009497.042:25): pid=8624 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   57.278287][   T26] audit: type=1800 audit(1560009497.042:26): pid=8624 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   57.311396][   T26] audit: type=1800 audit(1560009497.042:27): pid=8624 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.45' (ECDSA) to the list of known hosts.
2019/06/08 15:58:56 parsed 1 programs
2019/06/08 15:58:57 executed programs: 0
syzkaller login: [   97.889010][ T8794] IPVS: ftp: loaded support on port[0] = 21
[   97.952932][ T8794] chnl_net:caif_netlink_parms(): no params data found
[   97.979802][ T8794] bridge0: port 1(bridge_slave_0) entered blocking state
[   97.987113][ T8794] bridge0: port 1(bridge_slave_0) entered disabled state
[   97.995215][ T8794] device bridge_slave_0 entered promiscuous mode
[   98.003424][ T8794] bridge0: port 2(bridge_slave_1) entered blocking state
[   98.010619][ T8794] bridge0: port 2(bridge_slave_1) entered disabled state
[   98.018482][ T8794] device bridge_slave_1 entered promiscuous mode
[   98.034906][ T8794] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   98.045374][ T8794] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   98.064175][ T8794] team0: Port device team_slave_0 added
[   98.071917][ T8794] team0: Port device team_slave_1 added
[   98.140605][ T8794] device hsr_slave_0 entered promiscuous mode
[   98.208832][ T8794] device hsr_slave_1 entered promiscuous mode
[   98.267080][ T8794] bridge0: port 2(bridge_slave_1) entered blocking state
[   98.274287][ T8794] bridge0: port 2(bridge_slave_1) entered forwarding state
[   98.282013][ T8794] bridge0: port 1(bridge_slave_0) entered blocking state
[   98.289122][ T8794] bridge0: port 1(bridge_slave_0) entered forwarding state
[   98.322899][ T8794] 8021q: adding VLAN 0 to HW filter on device bond0
[   98.334108][ T3542] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   98.354352][ T3542] bridge0: port 1(bridge_slave_0) entered disabled state
[   98.362868][ T3542] bridge0: port 2(bridge_slave_1) entered disabled state
[   98.371752][ T3542] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   98.383201][ T8794] 8021q: adding VLAN 0 to HW filter on device team0
[   98.393288][   T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   98.402117][   T17] bridge0: port 1(bridge_slave_0) entered blocking state
[   98.409227][   T17] bridge0: port 1(bridge_slave_0) entered forwarding state
[   98.430135][ T8796] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   98.439067][ T8796] bridge0: port 2(bridge_slave_1) entered blocking state
[   98.446159][ T8796] bridge0: port 2(bridge_slave_1) entered forwarding state
[   98.454358][ T8796] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   98.463742][ T8796] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   98.473006][ T8796] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   98.484143][ T2993] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   98.495029][ T8796] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   98.505940][ T8794] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   98.523710][ T8794] 8021q: adding VLAN 0 to HW filter on device batadv0
[   98.880703][ T2993] ==================================================================
[   98.888980][ T2993] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[   98.888998][ T2993] Read of size 8 at addr ffff88808be84fd0 by task kworker/1:2/2993
[   98.889002][ T2993] 
[   98.889018][ T2993] CPU: 1 PID: 2993 Comm: kworker/1:2 Not tainted 5.2.0-rc3+ #42
[   98.889026][ T2993] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   98.889042][ T2993] Workqueue: events __blk_release_queue
[   98.889050][ T2993] Call Trace:
[   98.889068][ T2993]  dump_stack+0x172/0x1f0
[   98.889084][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[   98.889104][ T2993]  print_address_description.cold+0x7c/0x20d
[   98.889116][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[   98.889130][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[   98.889144][ T2993]  __kasan_report.cold+0x1b/0x40
[   98.889158][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[   98.889172][ T2993]  kasan_report+0x12/0x20
[   98.889188][ T2993]  __asan_report_load8_noabort+0x14/0x20
[   98.889200][ T2993]  blk_mq_free_rqs+0x49f/0x4b0
[   98.889213][ T2993]  ? dd_exit_queue+0x92/0xd0
[   98.889223][ T2993]  ? kfree+0x170/0x220
[   98.889245][ T2993]  blk_mq_sched_tags_teardown+0x126/0x210
[   98.889261][ T2993]  ? dd_request_merge+0x230/0x230
[   98.889277][ T2993]  blk_mq_exit_sched+0x1fa/0x2d0
[   98.889299][ T2993]  elevator_exit+0x70/0xa0
[   98.889316][ T2993]  __blk_release_queue+0x127/0x330
[   98.889337][ T2993]  process_one_work+0x989/0x1790
[   98.889361][ T2993]  ? pwq_dec_nr_in_flight+0x320/0x320
[   98.889383][ T2993]  ? lock_acquire+0x16f/0x3f0
[   98.889408][ T2993]  worker_thread+0x98/0xe40
[   98.904657][ T2993]  ? trace_hardirqs_on+0x67/0x220
[   98.914642][ T2993]  kthread+0x354/0x420
[   98.914658][ T2993]  ? process_one_work+0x1790/0x1790
[   98.914672][ T2993]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   98.914690][ T2993]  ret_from_fork+0x24/0x30
[   98.914709][ T2993] 
[   98.933596][ T2993] Allocated by task 8814:
[   98.933616][ T2993]  save_stack+0x23/0x90
[   98.933637][ T2993]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   99.084898][ T2993]  kasan_kmalloc+0x9/0x10
[   99.089236][ T2993]  kmem_cache_alloc_trace+0x151/0x750
[   99.094618][ T2993]  loop_add+0x51/0x8d0
[   99.098698][ T2993]  loop_probe+0x161/0x1a0
[   99.103048][ T2993]  kobj_lookup+0x260/0x460
[   99.107477][ T2993]  get_gendisk+0x4d/0x390
[   99.111815][ T2993]  __blkdev_get+0x457/0x1660
[   99.116400][ T2993]  blkdev_get+0xc4/0x990
[   99.120642][ T2993]  blkdev_open+0x205/0x290
[   99.125071][ T2993]  do_dentry_open+0x4df/0x1250
[   99.129853][ T2993]  vfs_open+0xa0/0xd0
[   99.133851][ T2993]  path_openat+0x10e9/0x46d0
[   99.138456][ T2993]  do_filp_open+0x1a1/0x280
[   99.142978][ T2993]  do_sys_open+0x3fe/0x5d0
[   99.148671][ T2993]  __x64_sys_open+0x7e/0xc0
[   99.153203][ T2993]  do_syscall_64+0xfd/0x680
[   99.157727][ T2993]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   99.163650][ T2993] 
[   99.165991][ T2993] Freed by task 8816:
[   99.169986][ T2993]  save_stack+0x23/0x90
[   99.174157][ T2993]  __kasan_slab_free+0x102/0x150
[   99.179110][ T2993]  kasan_slab_free+0xe/0x10
[   99.183634][ T2993]  kfree+0xcf/0x220
[   99.187468][ T2993]  loop_remove+0xa1/0xd0
[   99.191738][ T2993]  loop_control_ioctl+0x320/0x360
[   99.196780][ T2993]  do_vfs_ioctl+0xd5f/0x1380
[   99.201388][ T2993]  ksys_ioctl+0xab/0xd0
[   99.205557][ T2993]  __x64_sys_ioctl+0x73/0xb0
[   99.210168][ T2993]  do_syscall_64+0xfd/0x680
[   99.214690][ T2993]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   99.220581][ T2993] 
[   99.222929][ T2993] The buggy address belongs to the object at ffff88808be84dc0
[   99.222929][ T2993]  which belongs to the cache kmalloc-1k of size 1024
[   99.237000][ T2993] The buggy address is located 528 bytes inside of
[   99.237000][ T2993]  1024-byte region [ffff88808be84dc0, ffff88808be851c0)
[   99.250371][ T2993] The buggy address belongs to the page:
[   99.256028][ T2993] page:ffffea00022fa100 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[   99.266999][ T2993] flags: 0x1fffc0000010200(slab|head)
[   99.272387][ T2993] raw: 01fffc0000010200 ffffea000294d088 ffffea0002927988 ffff8880aa400ac0
[   99.280984][ T2993] raw: 0000000000000000 ffff88808be84040 0000000100000007 0000000000000000
[   99.289568][ T2993] page dumped because: kasan: bad access detected
[   99.295982][ T2993] 
[   99.298307][ T2993] Memory state around the buggy address:
[   99.303949][ T2993]  ffff88808be84e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   99.312024][ T2993]  ffff88808be84f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   99.320107][ T2993] >ffff88808be84f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   99.328176][ T2993]                                                  ^
[   99.334866][ T2993]  ffff88808be85000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   99.342941][ T2993]  ffff88808be85080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   99.351003][ T2993] ==================================================================
[   99.359068][ T2993] Disabling lock debugging due to kernel taint
[   99.369081][ T2993] Kernel panic - not syncing: panic_on_warn set ...
[   99.369848][ T8817] kobject: 'iosched' (00000000e51ecdb6): kobject_add_internal: parent: 'queue', set: '<NULL>'
[   99.375700][ T2993] CPU: 1 PID: 2993 Comm: kworker/1:2 Tainted: G    B             5.2.0-rc3+ #42
[   99.388584][ T8817] kobject: 'iosched' (00000000e51ecdb6): kobject_uevent_env
[   99.394975][ T2993] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   99.402389][ T8817] kobject: 'iosched' (00000000e51ecdb6): kobject_uevent_env: filter function caused the event to drop!
[   99.412358][ T2993] Workqueue: events __blk_release_queue
[   99.412366][ T2993] Call Trace:
[   99.412389][ T2993]  dump_stack+0x172/0x1f0
[   99.412406][ T2993]  panic+0x2cb/0x744
[   99.412417][ T2993]  ? __warn_printk+0xf3/0xf3
[   99.412431][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[   99.412448][ T2993]  ? preempt_schedule+0x4b/0x60
[   99.412462][ T2993]  ? ___preempt_schedule+0x16/0x18
[   99.412477][ T2993]  ? trace_hardirqs_on+0x5e/0x220
[   99.412491][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[   99.412505][ T2993]  end_report+0x47/0x4f
[   99.412514][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[   99.412525][ T2993]  __kasan_report.cold+0xe/0x40
[   99.412537][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[   99.412548][ T2993]  kasan_report+0x12/0x20
[   99.412560][ T2993]  __asan_report_load8_noabort+0x14/0x20
[   99.412571][ T2993]  blk_mq_free_rqs+0x49f/0x4b0
[   99.412594][ T2993]  ? dd_exit_queue+0x92/0xd0
[   99.412607][ T2993]  ? kfree+0x170/0x220
[   99.412625][ T2993]  blk_mq_sched_tags_teardown+0x126/0x210
[   99.412640][ T2993]  ? dd_request_merge+0x230/0x230
[   99.412655][ T2993]  blk_mq_exit_sched+0x1fa/0x2d0
[   99.412671][ T2993]  elevator_exit+0x70/0xa0
[   99.412683][ T2993]  __blk_release_queue+0x127/0x330
[   99.412700][ T2993]  process_one_work+0x989/0x1790
[   99.412716][ T2993]  ? pwq_dec_nr_in_flight+0x320/0x320
[   99.412730][ T2993]  ? lock_acquire+0x16f/0x3f0
[   99.412748][ T2993]  worker_thread+0x98/0xe40
[   99.412761][ T2993]  ? trace_hardirqs_on+0x67/0x220
[   99.412783][ T2993]  kthread+0x354/0x420
[   99.424412][ T8817] kobject: 'integrity' (00000000cdfdee7e): kobject_add_internal: parent: 'loop0', set: '<NULL>'
[   99.429373][ T2993]  ? process_one_work+0x1790/0x1790
[   99.429387][ T2993]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   99.429401][ T2993]  ret_from_fork+0x24/0x30
[   99.433878][ T2993] Kernel Offset: disabled
[   99.597625][ T2993] Rebooting in 86400 seconds..