[ ok ] Starting enhanced syslogd: rsyslogd.
[ 59.269084][ T27] audit: type=1800 audit(1559508938.087:25): pid=8744 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 59.296514][ T27] audit: type=1800 audit(1559508938.087:26): pid=8744 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 59.316540][ T27] audit: type=1800 audit(1559508938.087:27): pid=8744 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.202' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
syzkaller login: [ 71.653740][ T22] ==================================================================
[ 71.661985][ T22] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 71.662001][ T22] Read of size 8 at addr ffff88809b5c0b10 by task kworker/1:1/22
[ 71.662005][ T22]
[ 71.662018][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.2.0-rc2+ #17
[ 71.662026][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.662048][ T22] Workqueue: events __blk_release_queue
[ 71.662055][ T22] Call Trace:
[ 71.662074][ T22] dump_stack+0x172/0x1f0
[ 71.662088][ T22] ? blk_mq_free_rqs+0x49f/0x4b0
[ 71.677146][ T22] print_address_description.cold+0x7c/0x20d
[ 71.677160][ T22] ? blk_mq_free_rqs+0x49f/0x4b0
[ 71.677174][ T22] ? blk_mq_free_rqs+0x49f/0x4b0
[ 71.677188][ T22] __kasan_report.cold+0x1b/0x40
[ 71.677204][ T22] ? blk_mq_free_rqs+0x49f/0x4b0
[ 71.677223][ T22] kasan_report+0x12/0x20
[ 71.686979][ T22] __asan_report_load8_noabort+0x14/0x20
[ 71.686994][ T22] blk_mq_free_rqs+0x49f/0x4b0
[ 71.687013][ T22] ? dd_exit_queue+0x92/0xd0
[ 71.702605][ T22] ? kfree+0x170/0x220
[ 71.702629][ T22] blk_mq_sched_tags_teardown+0x126/0x210
[ 71.702671][ T22] ? dd_request_merge+0x230/0x230
[ 71.702694][ T22] blk_mq_exit_sched+0x1fa/0x2d0
[ 71.710289][ T22] elevator_exit+0x70/0xa0
[ 71.710307][ T22] __blk_release_queue+0x127/0x330
[ 71.710355][ T22] process_one_work+0x989/0x1790
[ 71.721262][ T22] ? pwq_dec_nr_in_flight+0x320/0x320
[ 71.721277][ T22] ? lock_acquire+0x16f/0x3f0
[ 71.721303][ T22] worker_thread+0x98/0xe40
[ 71.721324][ T22] ? trace_hardirqs_on+0x67/0x220
[ 71.731199][ T22] kthread+0x354/0x420
[ 71.731216][ T22] ? process_one_work+0x1790/0x1790
[ 71.731229][ T22] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 71.731245][ T22] ret_from_fork+0x24/0x30
[ 71.731264][ T22]
[ 71.736656][ T8906] kobject: 'slaves' (0000000092fba5e8): kobject_add_internal: parent: 'loop0', set: ''
[ 71.741105][ T22] Allocated by task 8904:
[ 71.741122][ T22] save_stack+0x23/0x90
[ 71.741135][ T22] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 71.741146][ T22] kasan_kmalloc+0x9/0x10
[ 71.741157][ T22] kmem_cache_alloc_trace+0x151/0x750
[ 71.741169][ T22] loop_add+0x51/0x8d0
[ 71.741186][ T22] loop_control_ioctl+0x165/0x360
[ 71.745986][ T8906] kobject: 'loop0' (00000000cf6c49a9): kobject_uevent_env
[ 71.751118][ T22] do_vfs_ioctl+0xd5f/0x1380
[ 71.751129][ T22] ksys_ioctl+0xab/0xd0
[ 71.751140][ T22] __x64_sys_ioctl+0x73/0xb0
[ 71.751155][ T22] do_syscall_64+0xfd/0x680
executing program
[ 71.751168][ T22] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 71.751179][ T22]
[ 71.756432][ T8906] kobject: 'loop0' (00000000cf6c49a9): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 71.760515][ T22] Freed by task 8905:
[ 71.760529][ T22] save_stack+0x23/0x90
[ 71.760542][ T22] __kasan_slab_free+0x102/0x150
[ 71.760554][ T22] kasan_slab_free+0xe/0x10
[ 71.760563][ T22] kfree+0xcf/0x220
[ 71.760574][ T22] loop_remove+0xa1/0xd0
[ 71.760593][ T22] loop_control_ioctl+0x320/0x360
[ 71.765377][ T8906] kobject: 'queue' (00000000707d09fc): kobject_add_internal: parent: 'loop0', set: ''
[ 71.770383][ T22] do_vfs_ioctl+0xd5f/0x1380
[ 71.770394][ T22] ksys_ioctl+0xab/0xd0
[ 71.770404][ T22] __x64_sys_ioctl+0x73/0xb0
[ 71.770425][ T22] do_syscall_64+0xfd/0x680
[ 71.770440][ T22] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 71.776523][ T8906] kobject: 'mq' (0000000019b5b9a8): kobject_add_internal: parent: 'loop0', set: ''
[ 71.780440][ T22]
[ 71.780452][ T22] The buggy address belongs to the object at ffff88809b5c0900
[ 71.780452][ T22] which belongs to the cache kmalloc-1k of size 1024
[ 71.780463][ T22] The buggy address is located 528 bytes inside of
[ 71.780463][ T22] 1024-byte region [ffff88809b5c0900, ffff88809b5c0d00)
[ 71.780468][ T22] The buggy address belongs to the page:
[ 71.780488][ T22] page:ffffea00026d7000 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 71.785342][ T8906] kobject: 'mq' (0000000019b5b9a8): kobject_uevent_env
[ 71.790003][ T22] flags: 0x1fffc0000010200(slab|head)
[ 71.790023][ T22] raw: 01fffc0000010200 ffffea0002411188 ffffea000290c088 ffff8880aa400ac0
[ 71.790039][ T22] raw: 0000000000000000 ffff88809b5c0000 0000000100000007 0000000000000000
[ 71.795334][ T8906] kobject: 'mq' (0000000019b5b9a8): kobject_uevent_env: filter function caused the event to drop!
[ 71.800341][ T22] page dumped because: kasan: bad access detected
[ 71.800345][ T22]
[ 71.800349][ T22] Memory state around the buggy address:
[ 71.800360][ T22] ffff88809b5c0a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.800376][ T22] ffff88809b5c0a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.805493][ T8906] kobject: '0' (000000009e7d0c0f): kobject_add_internal: parent: 'mq', set: ''
[ 71.809539][ T22] >ffff88809b5c0b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.809545][ T22] ^
[ 71.809568][ T22] ffff88809b5c0b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.809596][ T22] ffff88809b5c0c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.815102][ T8906] kobject: 'cpu0' (00000000acd419a5): kobject_add_internal: parent: '0', set: ''
[ 71.818677][ T22] ==================================================================
[ 71.818683][ T22] Disabling lock debugging due to kernel taint
[ 71.823985][ T22] Kernel panic - not syncing: panic_on_warn set ...
[ 71.832418][ T8906] kobject: 'cpu1' (000000006a1f9ef5): kobject_add_internal: parent: '0', set: ''
[ 71.834603][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G B 5.2.0-rc2+ #17
[ 71.834610][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.834640][ T22] Workqueue: events __blk_release_queue
[ 71.837032][ T8906] kobject: 'queue' (00000000707d09fc): kobject_uevent_env
[ 71.847086][ T22] Call Trace:
[ 71.847106][ T22] dump_stack+0x172/0x1f0
[ 71.847124][ T22] panic+0x2cb/0x744
[ 71.847144][ T22] ? __warn_printk+0xf3/0xf3
[ 71.851859][ T8906] kobject: 'queue' (00000000707d09fc): kobject_uevent_env: filter function caused the event to drop!
[ 71.855598][ T22] ? blk_mq_free_rqs+0x49f/0x4b0
[ 71.855620][ T22] ? preempt_schedule+0x4b/0x60
[ 71.861601][ T8906] kobject: 'iosched' (000000002f8837be): kobject_add_internal: parent: 'queue', set: ''
[ 71.865561][ T22] ? ___preempt_schedule+0x16/0x18
[ 71.865584][ T22] ? trace_hardirqs_on+0x5e/0x220
[ 71.871251][ T8906] kobject: 'iosched' (000000002f8837be): kobject_uevent_env
[ 71.875018][ T22] ? blk_mq_free_rqs+0x49f/0x4b0
[ 71.875037][ T22] end_report+0x47/0x4f
[ 71.880331][ T8906] kobject: 'iosched' (000000002f8837be): kobject_uevent_env: filter function caused the event to drop!
[ 71.887403][ T22] ? blk_mq_free_rqs+0x49f/0x4b0
[ 71.887423][ T22] __kasan_report.cold+0xe/0x40
[ 71.887442][ T22] ? blk_mq_free_rqs+0x49f/0x4b0
[ 71.892359][ T8906] kobject: 'integrity' (0000000085a146ed): kobject_add_internal: parent: 'loop0', set: ''
[ 71.896154][ T22] kasan_report+0x12/0x20
[ 71.896177][ T22] __asan_report_load8_noabort+0x14/0x20
[ 71.901092][ T8906] kobject: 'integrity' (0000000085a146ed): kobject_uevent_env
[ 71.905239][ T22] blk_mq_free_rqs+0x49f/0x4b0
[ 71.905260][ T22] ? dd_exit_queue+0x92/0xd0
[ 71.911379][ T8906] kobject: 'integrity' (0000000085a146ed): kobject_uevent_env: filter function caused the event to drop!
[ 71.913462][ T22] ? kfree+0x170/0x220
[ 71.913489][ T22] blk_mq_sched_tags_teardown+0x126/0x210
[ 71.929537][ T8907] kobject: 'integrity' (0000000085a146ed): kobject_uevent_env
[ 71.931757][ T22] ? dd_request_merge+0x230/0x230
[ 71.931773][ T22] blk_mq_exit_sched+0x1fa/0x2d0
[ 71.931794][ T22] elevator_exit+0x70/0xa0
[ 71.936964][ T8907] kobject: 'integrity' (0000000085a146ed): kobject_uevent_env: filter function caused the event to drop!
[ 71.941210][ T22] __blk_release_queue+0x127/0x330
[ 71.941228][ T22] process_one_work+0x989/0x1790
[ 71.941248][ T22] ? pwq_dec_nr_in_flight+0x320/0x320
[ 71.945428][ T8907] kobject: 'integrity' (0000000085a146ed): kobject_cleanup, parent 000000004c8fe47d
[ 71.949280][ T22] ? lock_acquire+0x16f/0x3f0
[ 71.949305][ T22] worker_thread+0x98/0xe40
[ 71.954602][ T8907] kobject: 'integrity' (0000000085a146ed): does not have a release() function, it is broken and must be fixed. See Documentation/kobject.txt.
[ 71.964380][ T22] ? trace_hardirqs_on+0x67/0x220
[ 71.964401][ T22] kthread+0x354/0x420
[ 71.964426][ T22] ? process_one_work+0x1790/0x1790
[ 71.969270][ T8907] kobject: 'integrity': free name
[ 71.973135][ T22] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 71.973151][ T22] ret_from_fork+0x24/0x30
[ 71.978650][ T22] Kernel Offset: disabled
[ 72.496376][ T22] Rebooting in 86400 seconds..