[ ok ] Starting enhanced syslogd: rsyslogd.
[ 57.785304][ T26] audit: type=1800 audit(1559740419.286:25): pid=8788 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 57.829926][ T26] audit: type=1800 audit(1559740419.296:26): pid=8788 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 57.882075][ T26] audit: type=1800 audit(1559740419.296:27): pid=8788 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.164' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program

syzkaller login: [ 75.532942][ T22] ==================================================================
[ 75.532990][ T22] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 75.533000][ T22] Read of size 8 at addr ffff88809ff39410 by task kworker/1:1/22
[ 75.533003][ T22]
[ 75.533016][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.2.0-rc3+ #38
[ 75.548607][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.548625][ T22] Workqueue: events __blk_release_queue
[ 75.548643][ T22] Call Trace:
[ 75.566344][ T22]  dump_stack+0x172/0x1f0
[ 75.566362][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.566384][ T22]  print_address_description.cold+0x7c/0x20d
[ 75.582168][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.582183][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.582199][ T22]  __kasan_report.cold+0x1b/0x40
[ 75.582215][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.582234][ T22]  kasan_report+0x12/0x20
[ 75.589835][ T22]  __asan_report_load8_noabort+0x14/0x20
[ 75.589850][ T22]  blk_mq_free_rqs+0x49f/0x4b0
[ 75.589863][ T22]  ? dd_exit_queue+0x92/0xd0
[ 75.589874][ T22]  ? kfree+0x170/0x220
[ 75.589896][ T22]  blk_mq_sched_tags_teardown+0x126/0x210
[ 75.600799][ T22]  ? dd_request_merge+0x230/0x230
[ 75.600818][ T22]  blk_mq_exit_sched+0x1fa/0x2d0
[ 75.600838][ T22]  elevator_exit+0x70/0xa0
[ 75.600859][ T22]  __blk_release_queue+0x127/0x330
[ 75.610803][ T22]  process_one_work+0x989/0x1790
[ 75.610829][ T22]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 75.610843][ T22]  ? lock_acquire+0x16f/0x3f0
[ 75.610868][ T22]  worker_thread+0x98/0xe40
[ 75.620740][ T22]  ? trace_hardirqs_on+0x67/0x220
[ 75.620769][ T22]  kthread+0x354/0x420
[ 75.620784][ T22]  ? process_one_work+0x1790/0x1790
[ 75.620804][ T22]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 75.625314][ T8951] kobject: 'loop0' (000000008ab451f6): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 75.630744][ T22]  ret_from_fork+0x24/0x30
[ 75.630765][ T22]
[ 75.630773][ T22] Allocated by task 8949:
[ 75.630786][ T22]  save_stack+0x23/0x90
[ 75.630805][ T22]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 75.636147][ T8951] kobject: 'queue' (00000000bb323bf9): kobject_add_internal: parent: 'loop0', set: ''
[ 75.640160][ T22]  kasan_kmalloc+0x9/0x10
[ 75.640172][ T22]  kmem_cache_alloc_trace+0x151/0x750
[ 75.640185][ T22]  loop_add+0x51/0x8d0
[ 75.640196][ T22]  loop_control_ioctl+0x165/0x360
[ 75.640207][ T22]  do_vfs_ioctl+0xd5f/0x1380
[ 75.640226][ T22]  ksys_ioctl+0xab/0xd0
executing program
[ 75.640235][ T22]  __x64_sys_ioctl+0x73/0xb0
[ 75.645016][ T8951] kobject: 'mq' (000000001d3314e3): kobject_add_internal: parent: 'loop0', set: ''
[ 75.650086][ T22]  do_syscall_64+0xfd/0x680
[ 75.650099][ T22]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.650110][ T22]
[ 75.650117][ T22] Freed by task 8950:
[ 75.650128][ T22]  save_stack+0x23/0x90
[ 75.650140][ T22]  __kasan_slab_free+0x102/0x150
[ 75.650158][ T22]  kasan_slab_free+0xe/0x10
[ 75.655374][ T8951] kobject: 'mq' (000000001d3314e3): kobject_uevent_env
[ 75.660115][ T22]  kfree+0xcf/0x220
[ 75.660126][ T22]  loop_remove+0xa1/0xd0
[ 75.660138][ T22]  loop_control_ioctl+0x320/0x360
[ 75.660149][ T22]  do_vfs_ioctl+0xd5f/0x1380
[ 75.660158][ T22]  ksys_ioctl+0xab/0xd0
[ 75.660168][ T22]  __x64_sys_ioctl+0x73/0xb0
[ 75.660187][ T22]  do_syscall_64+0xfd/0x680
[ 75.665033][ T8951] kobject: 'mq' (000000001d3314e3): kobject_uevent_env: filter function caused the event to drop!
[ 75.670310][ T22]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.670315][ T22]
[ 75.670326][ T22] The buggy address belongs to the object at ffff88809ff39200
[ 75.670326][ T22]  which belongs to the cache kmalloc-1k of size 1024
[ 75.670338][ T22] The buggy address is located 528 bytes inside of
[ 75.670338][ T22]  1024-byte region [ffff88809ff39200, ffff88809ff39600)
[ 75.670343][ T22] The buggy address belongs to the page:
[ 75.670355][ T22] page:ffffea00027fce00 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 75.675506][ T8951] kobject: '0' (000000000a48ab7f): kobject_add_internal: parent: 'mq', set: ''
[ 75.680654][ T22] flags: 0x1fffc0000010200(slab|head)
[ 75.680673][ T22] raw: 01fffc0000010200 ffffea000261f988 ffffea0002822708 ffff8880aa400ac0
[ 75.680690][ T22] raw: 0000000000000000 ffff88809ff38000 0000000100000007 0000000000000000
[ 75.680696][ T22] page dumped because: kasan: bad access detected
[ 75.680700][ T22]
[ 75.680704][ T22] Memory state around the buggy address:
[ 75.680721][ T22]  ffff88809ff39300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.685703][ T8951] kobject: 'cpu0' (00000000ff2e1b8e): kobject_add_internal: parent: '0', set: ''
[ 75.689877][ T22]  ffff88809ff39380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.689888][ T22] >ffff88809ff39400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.689894][ T22]                          ^
[ 75.689904][ T22]  ffff88809ff39480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.689916][ T22]  ffff88809ff39500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.689920][ T22] ==================================================================
[ 75.689925][ T22] Disabling lock debugging due to kernel taint
[ 75.691224][ T22] Kernel panic - not syncing: panic_on_warn set ...
[ 75.695254][ T8951] kobject: 'cpu1' (000000000c05f3f4): kobject_add_internal: parent: '0', set: ''
[ 75.699056][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G B 5.2.0-rc3+ #38
[ 75.699070][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.704507][ T8951] kobject: 'queue' (00000000bb323bf9): kobject_uevent_env
[ 75.710507][ T22] Workqueue: events __blk_release_queue
[ 75.710515][ T22] Call Trace:
[ 75.710534][ T22]  dump_stack+0x172/0x1f0
[ 75.710561][ T22]  panic+0x2cb/0x744
[ 75.720881][ T8951] kobject: 'queue' (00000000bb323bf9): kobject_uevent_env: filter function caused the event to drop!
[ 75.725123][ T22]  ? __warn_printk+0xf3/0xf3
[ 75.725140][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.725160][ T22]  ? preempt_schedule+0x4b/0x60
[ 75.727760][ T8951] kobject: 'iosched' (00000000a358e860): kobject_add_internal: parent: 'queue', set: ''
[ 75.731968][ T22]  ? ___preempt_schedule+0x16/0x18
[ 75.731983][ T22]  ? trace_hardirqs_on+0x5e/0x220
[ 75.731997][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.732016][ T22]  end_report+0x47/0x4f
[ 75.736555][ T8951] kobject: 'iosched' (00000000a358e860): kobject_uevent_env
[ 75.741931][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.741945][ T22]  __kasan_report.cold+0xe/0x40
[ 75.741959][ T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 75.741978][ T22]  kasan_report+0x12/0x20
[ 75.752698][ T8951] kobject: 'iosched' (00000000a358e860): kobject_uevent_env: filter function caused the event to drop!
[ 75.756825][ T22]  __asan_report_load8_noabort+0x14/0x20
[ 75.756840][ T22]  blk_mq_free_rqs+0x49f/0x4b0
[ 75.756860][ T22]  ? dd_exit_queue+0x92/0xd0
[ 75.762431][ T8951] kobject: 'integrity' (00000000a6fabbf6): kobject_add_internal: parent: 'loop0', set: ''
[ 75.766284][ T22]  ? kfree+0x170/0x220
[ 75.766303][ T22]  blk_mq_sched_tags_teardown+0x126/0x210
[ 75.766322][ T22]  ? dd_request_merge+0x230/0x230
[ 75.771694][ T8951] kobject: 'integrity' (00000000a6fabbf6): kobject_uevent_env
[ 75.776051][ T22]  blk_mq_exit_sched+0x1fa/0x2d0
[ 75.776069][ T22]  elevator_exit+0x70/0xa0
[ 75.780348][ T8951] kobject: 'integrity' (00000000a6fabbf6): kobject_uevent_env: filter function caused the event to drop!
[ 75.784793][ T22]  __blk_release_queue+0x127/0x330
[ 75.784815][ T22]  process_one_work+0x989/0x1790
[ 75.833347][ T8953] kobject: 'integrity' (00000000a6fabbf6): kobject_uevent_env
[ 75.836730][ T22]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 75.836750][ T22]  ? lock_acquire+0x16f/0x3f0
[ 75.841064][ T8953] kobject: 'integrity' (00000000a6fabbf6): kobject_uevent_env: filter function caused the event to drop!
[ 75.846058][ T22]  worker_thread+0x98/0xe40
[ 75.846079][ T22]  ? trace_hardirqs_on+0x67/0x220
[ 75.851232][ T8953] kobject: 'integrity' (00000000a6fabbf6): kobject_cleanup, parent 0000000005f0d58f
[ 75.854820][ T22]  kthread+0x354/0x420
[ 75.854841][ T22]  ? process_one_work+0x1790/0x1790
[ 75.859453][ T8953] kobject: 'integrity' (00000000a6fabbf6): does not have a release() function, it is broken and must be fixed. See Documentation/kobject.txt.
[ 75.863908][ T22]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 75.863923][ T22]  ret_from_fork+0x24/0x30
[ 75.875460][ T22] Kernel Offset: disabled
[ 76.362545][ T22] Rebooting in 86400 seconds..