[ ok ] Starting enhanced syslogd: rsyslogd.
[ 52.324920][ T26] audit: type=1800 audit(1560024719.664:25): pid=8387 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 52.363319][ T26] audit: type=1800 audit(1560024719.664:26): pid=8387 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 52.405364][ T26] audit: type=1800 audit(1560024719.664:27): pid=8387 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.78' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 67.655337][ T2889] ==================================================================
[ 67.663577][ T2889] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 67.670947][ T2889] Read of size 8 at addr ffff8882190eb450 by task kworker/1:2/2889
[ 67.678824][ T2889]
[ 67.681160][ T2889] CPU: 1 PID: 2889 Comm: kworker/1:2 Not tainted 5.2.0-rc3+ #23
[ 67.688765][ T2889] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.698810][ T2889] Workqueue: events __blk_release_queue
[ 67.704336][ T2889] Call Trace:
[ 67.707613][ T2889]  dump_stack+0x172/0x1f0
[ 67.711955][ T2889]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 67.716874][ T2889]  print_address_description.cold+0x7c/0x20d
[ 67.722834][ T2889]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 67.727753][ T2889]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 67.732674][ T2889]  __kasan_report.cold+0x1b/0x40
[ 67.737599][ T2889]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 67.742518][ T2889]  kasan_report+0x12/0x20
[ 67.746929][ T2889]  __asan_report_load8_noabort+0x14/0x20
[ 67.752541][ T2889]  blk_mq_free_rqs+0x49f/0x4b0
[ 67.757283][ T2889]  ? dd_exit_queue+0x92/0xd0
[ 67.761875][ T2889]  ? kfree+0x170/0x220
[ 67.765953][ T2889]  blk_mq_sched_tags_teardown+0x126/0x210
[ 67.771655][ T2889]  ? dd_request_merge+0x230/0x230
[ 67.776753][ T2889]  blk_mq_exit_sched+0x1fa/0x2d0
[ 67.781684][ T2889]  elevator_exit+0x70/0xa0
[ 67.786731][ T2889]  __blk_release_queue+0x127/0x330
[ 67.791928][ T2889]  process_one_work+0x989/0x1790
[ 67.796862][ T2889]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 67.802318][ T2889]  ? lock_acquire+0x16f/0x3f0
[ 67.807077][ T2889]  worker_thread+0x98/0xe40
[ 67.811570][ T2889]  ? trace_hardirqs_on+0x67/0x220
[ 67.816591][ T2889]  kthread+0x354/0x420
[ 67.820651][ T2889]  ? process_one_work+0x1790/0x1790
[ 67.825839][ T2889]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 67.832243][ T2889]  ret_from_fork+0x24/0x30
[ 67.836649][ T2889]
[ 67.838967][ T2889] Allocated by task 1:
[ 67.843025][ T2889]  save_stack+0x23/0x90
[ 67.847162][ T2889]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 67.852945][ T2889]  kasan_kmalloc+0x9/0x10
[ 67.857257][ T2889]  kmem_cache_alloc_trace+0x151/0x750
[ 67.862780][ T2889]  loop_add+0x51/0x8d0
[ 67.866842][ T2889]  loop_init+0x1fe/0x25a
[ 67.871073][ T2889]  do_one_initcall+0x107/0x7ba
[ 67.875963][ T2889]  kernel_init_freeable+0x4d4/0x5c3
[ 67.881331][ T2889]  kernel_init+0x12/0x1c5
[ 67.885640][ T2889]  ret_from_fork+0x24/0x30
[ 67.890027][ T2889]
[ 67.892335][ T2889] Freed by task 8550:
[ 67.896301][ T2889]  save_stack+0x23/0x90
[ 67.900447][ T2889]  __kasan_slab_free+0x102/0x150
[ 67.905363][ T2889]  kasan_slab_free+0xe/0x10
[ 67.909844][ T2889]  kfree+0xcf/0x220
[ 67.913718][ T2889]  loop_remove+0xa1/0xd0
[ 67.917945][ T2889]  loop_control_ioctl+0x320/0x360
[ 67.922972][ T2889]  do_vfs_ioctl+0xd5f/0x1380
[ 67.927547][ T2889]  ksys_ioctl+0xab/0xd0
[ 67.933200][ T2889]  __x64_sys_ioctl+0x73/0xb0
[ 67.937796][ T2889]  do_syscall_64+0xfd/0x680
[ 67.942368][ T2889]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 67.948237][ T2889]
[ 67.950558][ T2889] The buggy address belongs to the object at ffff8882190eb240
[ 67.950558][ T2889]  which belongs to the cache kmalloc-1k of size 1024
[ 67.964761][ T2889] The buggy address is located 528 bytes inside of
[ 67.964761][ T2889]  1024-byte region [ffff8882190eb240, ffff8882190eb640)
[ 67.978111][ T2889] The buggy address belongs to the page:
[ 67.983724][ T2889] page:ffffea0008643a80 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 67.994632][ T2889] flags: 0x6fffc0000010200(slab|head)
[ 67.999990][ T2889] raw: 06fffc0000010200 ffffea000866fc88 ffffea0008647288 ffff8880aa400ac0
[ 68.008562][ T2889] raw: 0000000000000000 ffff8882190ea040 0000000100000007 0000000000000000
[ 68.017118][ T2889] page dumped because: kasan: bad access detected
[ 68.023503][ T2889]
[ 68.025809][ T2889] Memory state around the buggy address:
[ 68.031438][ T2889]  ffff8882190eb300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.039477][ T2889]  ffff8882190eb380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.047521][ T2889] >ffff8882190eb400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.055571][ T2889]                                                  ^
[ 68.062251][ T2889]  ffff8882190eb480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.070383][ T2889]  ffff8882190eb500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.078435][ T2889] ==================================================================
[ 68.086478][ T2889] Disabling lock debugging due to kernel taint
[ 68.093411][ T2889] Kernel panic - not syncing: panic_on_warn set ...
[ 68.095970][ T8552] kobject: '7:2' (00000000b99c78ef): kobject_uevent_env
executing program
[ 68.100021][ T2889] CPU: 1 PID: 2889 Comm: kworker/1:2 Tainted: G B 5.2.0-rc3+ #23
[ 68.107615][ T8552] kobject: '7:2' (00000000b99c78ef): fill_kobj_path: path = '/devices/virtual/bdi/7:2'
[ 68.115948][ T2889] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.115966][ T2889] Workqueue: events __blk_release_queue
[ 68.115973][ T2889] Call Trace:
[ 68.115990][ T2889]  dump_stack+0x172/0x1f0
[ 68.116005][ T2889]  panic+0x2cb/0x744
[ 68.116017][ T2889]  ? __warn_printk+0xf3/0xf3
[ 68.116034][ T2889]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 68.129691][ T8552] kobject: '7:2' (00000000b99c78ef): kobject_cleanup, parent 000000005aaac289
[ 68.135682][ T2889]  ? preempt_schedule+0x4b/0x60
[ 68.135697][ T2889]  ? ___preempt_schedule+0x16/0x18
[ 68.135710][ T2889]  ? trace_hardirqs_on+0x5e/0x220
[ 68.135724][ T2889]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 68.135743][ T2889]  end_report+0x47/0x4f
[ 68.141732][ T8552] kobject: '7:2' (00000000b99c78ef): calling ktype release
[ 68.144537][ T2889]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 68.144553][ T2889]  __kasan_report.cold+0xe/0x40
[ 68.144564][ T2889]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 68.144576][ T2889]  kasan_report+0x12/0x20
[ 68.144588][ T2889]  __asan_report_load8_noabort+0x14/0x20
[ 68.144603][ T2889]  blk_mq_free_rqs+0x49f/0x4b0
[ 68.149257][ T8552] kobject: '7:2': free name
[ 68.153251][ T2889]  ? dd_exit_queue+0x92/0xd0
[ 68.153264][ T2889]  ? kfree+0x170/0x220
[ 68.153285][ T2889]  blk_mq_sched_tags_teardown+0x126/0x210
[ 68.153299][ T2889]  ? dd_request_merge+0x230/0x230
[ 68.153318][ T2889]  blk_mq_exit_sched+0x1fa/0x2d0
[ 68.153332][ T2889]  elevator_exit+0x70/0xa0
[ 68.153344][ T2889]  __blk_release_queue+0x127/0x330
[ 68.153360][ T2889]  process_one_work+0x989/0x1790
[ 68.153381][ T2889]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 68.158969][ T8552] kobject: 'mq' (000000004ef6f53c): kobject_uevent_env
[ 68.163002][ T2889]  ? lock_acquire+0x16f/0x3f0
[ 68.163027][ T2889]  worker_thread+0x98/0xe40
[ 68.163041][ T2889]  ? trace_hardirqs_on+0x67/0x220
[ 68.163058][ T2889]  kthread+0x354/0x420
[ 68.163069][ T2889]  ? process_one_work+0x1790/0x1790
[ 68.163080][ T2889]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 68.163093][ T2889]  ret_from_fork+0x24/0x30
[ 68.173812][ T2889] Kernel Offset: disabled
[ 68.336136][ T2889] Rebooting in 86400 seconds..