[ ok ] Starting enhanced syslogd: rsyslogd.
[ 58.195268][ T26] audit: type=1800 audit(1559690788.907:25): pid=8309 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 58.245496][ T26] audit: type=1800 audit(1559690788.907:26): pid=8309 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 58.267885][ T26] audit: type=1800 audit(1559690788.907:27): pid=8309 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.232' (ECDSA) to the list of known hosts.
2019/06/04 23:26:39 parsed 1 programs
2019/06/04 23:26:41 executed programs: 0
syzkaller login: [ 70.945910][ T8480] IPVS: ftp: loaded support on port[0] = 21
[ 71.005335][ T8480] chnl_net:caif_netlink_parms(): no params data found
[ 71.030451][ T8480] bridge0: port 1(bridge_slave_0) entered blocking state
[ 71.038554][ T8480] bridge0: port 1(bridge_slave_0) entered disabled state
[ 71.046591][ T8480] device bridge_slave_0 entered promiscuous mode
[ 71.054691][ T8480] bridge0: port 2(bridge_slave_1) entered blocking state
[ 71.061858][ T8480] bridge0: port 2(bridge_slave_1) entered disabled state
[ 71.069429][ T8480] device bridge_slave_1 entered promiscuous mode
[ 71.085766][ T8480] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 71.095491][ T8480] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 71.112479][ T8480] team0: Port device team_slave_0 added
[ 71.119279][ T8480] team0: Port device team_slave_1 added
[ 71.193985][ T8480] device hsr_slave_0 entered promiscuous mode
[ 71.232503][ T8480] device hsr_slave_1 entered promiscuous mode
[ 71.299483][ T8480] bridge0: port 2(bridge_slave_1) entered blocking state
[ 71.306698][ T8480] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 71.314680][ T8480] bridge0: port 1(bridge_slave_0) entered blocking state
[ 71.321788][ T8480] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 71.352990][ T8480] 8021q: adding VLAN 0 to HW filter on device bond0
[ 71.367065][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 71.387909][ T17] bridge0: port 1(bridge_slave_0) entered disabled state
[ 71.396367][ T17] bridge0: port 2(bridge_slave_1) entered disabled state
[ 71.405582][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 71.416537][ T8480] 8021q: adding VLAN 0 to HW filter on device team0
[ 71.429898][ T2891] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 71.439986][ T2891] bridge0: port 1(bridge_slave_0) entered blocking state
[ 71.447090][ T2891] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 71.462996][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 71.471393][ T17] bridge0: port 2(bridge_slave_1) entered blocking state
[ 71.478493][ T17] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 71.493026][ T2891] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 71.503579][ T2891] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 71.514445][ T8482] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 71.527638][ T8480] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 71.538375][ T8480] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 71.550826][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 71.559842][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 71.568633][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 71.585905][ T8480] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 71.805802][ T17] ==================================================================
[ 71.814087][ T17] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 71.822235][ T17] Read of size 8 at addr ffff8880a941cfd0 by task kworker/1:0/17
[ 71.822246][ T17]
[ 71.822259][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.2.0-rc3+ #38
[ 71.822268][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.822286][ T17] Workqueue: events __blk_release_queue
[ 71.822293][ T17] Call Trace:
[ 71.822313][ T17] dump_stack+0x172/0x1f0
[ 71.822333][ T17] ? blk_mq_free_rqs+0x49f/0x4b0
[ 71.822349][ T17] print_address_description.cold+0x7c/0x20d
[ 71.822359][ T17] ? blk_mq_free_rqs+0x49f/0x4b0
[ 71.832449][ T17] ? blk_mq_free_rqs+0x49f/0x4b0
[ 71.832465][ T17] __kasan_report.cold+0x1b/0x40
[ 71.832479][ T17] ? blk_mq_free_rqs+0x49f/0x4b0
[ 71.832493][ T17] kasan_report+0x12/0x20
[ 71.832506][ T17] __asan_report_load8_noabort+0x14/0x20
[ 71.832522][ T17] blk_mq_free_rqs+0x49f/0x4b0
[ 71.849992][ T17] ? dd_exit_queue+0x92/0xd0
[ 71.850002][ T17] ? kfree+0x170/0x220
[ 71.850020][ T17] blk_mq_sched_tags_teardown+0x126/0x210
[ 71.850035][ T17] ? dd_request_merge+0x230/0x230
[ 71.850049][ T17] blk_mq_exit_sched+0x1fa/0x2d0
[ 71.850067][ T17] elevator_exit+0x70/0xa0
[ 71.850098][ T17] __blk_release_queue+0x127/0x330
[ 71.858897][ T17] process_one_work+0x989/0x1790
[ 71.868120][ T17] ? pwq_dec_nr_in_flight+0x320/0x320
[ 71.878981][ T17] ? lock_acquire+0x16f/0x3f0
[ 71.879005][ T17] worker_thread+0x98/0xe40
[ 71.888833][ T17] kthread+0x354/0x420
[ 71.898082][ T17] ? process_one_work+0x1790/0x1790
[ 71.908520][ T17] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 71.917127][ T17] ret_from_fork+0x24/0x30
[ 71.927825][ T17]
[ 71.937139][ T17] Allocated by task 8489:
[ 71.947150][ T17] save_stack+0x23/0x90
[ 71.957135][ T17] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 71.957149][ T17] kasan_kmalloc+0x9/0x10
[ 71.965672][ T17] kmem_cache_alloc_trace+0x151/0x750
[ 71.965692][ T17] loop_add+0x51/0x8d0
[ 71.970859][ T8493] kobject: 'queue' (0000000050e46080): kobject_uevent_env: filter function caused the event to drop!
[ 71.977070][ T17] loop_probe+0x161/0x1a0
[ 71.977081][ T17] kobj_lookup+0x260/0x460
[ 71.977093][ T17] get_gendisk+0x4d/0x390
[ 71.977104][ T17] __blkdev_get+0x457/0x1660
[ 71.977112][ T17] blkdev_get+0xc4/0x990
[ 71.977121][ T17] blkdev_open+0x205/0x290
[ 71.977133][ T17] do_dentry_open+0x4df/0x1250
[ 71.977144][ T17] vfs_open+0xa0/0xd0
[ 71.977161][ T17] path_openat+0x10e9/0x46d0
[ 71.982528][ T8493] kobject: 'iosched' (00000000ab917464): kobject_add_internal: parent: 'queue', set: ''
[ 71.983856][ T17] do_filp_open+0x1a1/0x280
[ 71.983873][ T17] do_sys_open+0x3fe/0x5d0
[ 71.988246][ T8493] kobject: 'iosched' (00000000ab917464): kobject_uevent_env
[ 71.992309][ T17] __x64_sys_open+0x7e/0xc0
[ 71.992323][ T17] do_syscall_64+0xfd/0x680
[ 71.992337][ T17] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 71.992341][ T17]
[ 71.992347][ T17] Freed by task 8492:
[ 71.992358][ T17] save_stack+0x23/0x90
[ 71.992368][ T17] __kasan_slab_free+0x102/0x150
[ 71.992378][ T17] kasan_slab_free+0xe/0x10
[ 71.992389][ T17] kfree+0xcf/0x220
[ 71.992399][ T17] loop_remove+0xa1/0xd0
[ 71.992411][ T17] loop_control_ioctl+0x320/0x360
[ 71.992421][ T17] do_vfs_ioctl+0xd5f/0x1380
[ 71.992430][ T17] ksys_ioctl+0xab/0xd0
[ 71.992440][ T17] __x64_sys_ioctl+0x73/0xb0
[ 71.992452][ T17] do_syscall_64+0xfd/0x680
[ 71.992464][ T17] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 71.992467][ T17]
[ 71.992478][ T17] The buggy address belongs to the object at ffff8880a941cdc0
[ 71.992478][ T17] which belongs to the cache kmalloc-1k of size 1024
[ 71.992490][ T17] The buggy address is located 528 bytes inside of
[ 71.992490][ T17] 1024-byte region [ffff8880a941cdc0, ffff8880a941d1c0)
[ 71.992494][ T17] The buggy address belongs to the page:
[ 71.992508][ T17] page:ffffea0002a50700 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 71.992523][ T17] flags: 0x1fffc0000010200(slab|head)
[ 71.992541][ T17] raw: 01fffc0000010200 ffffea00023ed808 ffffea0002a19888 ffff8880aa400ac0
[ 71.992557][ T17] raw: 0000000000000000 ffff8880a941c040 0000000100000007 0000000000000000
[ 71.992562][ T17] page dumped because: kasan: bad access detected
[ 71.992566][ T17]
[ 71.992570][ T17] Memory state around the buggy address:
[ 71.992581][ T17] ffff8880a941ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.992591][ T17] ffff8880a941cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.992603][ T17] >ffff8880a941cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.998257][ T8493] kobject: 'iosched' (00000000ab917464): kobject_uevent_env: filter function caused the event to drop!
[ 72.002519][ T17] ^
[ 72.002529][ T17] ffff8880a941d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.002538][ T17] ffff8880a941d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.002543][ T17] ==================================================================
[ 72.002547][ T17] Disabling lock debugging due to kernel taint
[ 72.005833][ T17] Kernel panic - not syncing: panic_on_warn set ...
[ 72.008320][ T8493] kobject: 'integrity' (00000000c715deed): kobject_add_internal: parent: 'loop0', set: ''
[ 72.012004][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Tainted: G B 5.2.0-rc3+ #38
[ 72.012010][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.012030][ T17] Workqueue: events __blk_release_queue
[ 72.012036][ T17] Call Trace:
[ 72.012053][ T17] dump_stack+0x172/0x1f0
[ 72.012068][ T17] panic+0x2cb/0x744
[ 72.012087][ T17] ? __warn_printk+0xf3/0xf3
[ 72.023562][ T8493] kobject: 'integrity' (00000000c715deed): kobject_uevent_env
[ 72.027212][ T17] ? blk_mq_free_rqs+0x49f/0x4b0
[ 72.031593][ T8493] kobject: 'integrity' (00000000c715deed): kobject_uevent_env: filter function caused the event to drop!
[ 72.035900][ T17] ? preempt_schedule+0x4b/0x60
[ 72.035913][ T17] ? ___preempt_schedule+0x16/0x18
[ 72.035928][ T17] ? trace_hardirqs_on+0x5e/0x220
[ 72.035941][ T17] ? blk_mq_free_rqs+0x49f/0x4b0
[ 72.035956][ T17] end_report+0x47/0x4f
[ 72.035967][ T17] ? blk_mq_free_rqs+0x49f/0x4b0
[ 72.035978][ T17] __kasan_report.cold+0xe/0x40
[ 72.035991][ T17] ? blk_mq_free_rqs+0x49f/0x4b0
[ 72.036003][ T17] kasan_report+0x12/0x20
[ 72.036015][ T17] __asan_report_load8_noabort+0x14/0x20
[ 72.036025][ T17] blk_mq_free_rqs+0x49f/0x4b0
[ 72.036035][ T17] ? dd_exit_queue+0x92/0xd0
[ 72.036045][ T17] ? kfree+0x170/0x220
[ 72.036062][ T17] blk_mq_sched_tags_teardown+0x126/0x210
[ 72.036072][ T17] ? dd_request_merge+0x230/0x230
[ 72.036084][ T17] blk_mq_exit_sched+0x1fa/0x2d0
[ 72.036099][ T17] elevator_exit+0x70/0xa0
[ 72.081789][ T8495] kobject: 'integrity' (00000000c715deed): kobject_uevent_env
[ 72.088941][ T17] __blk_release_queue+0x127/0x330
[ 72.088961][ T17] process_one_work+0x989/0x1790
[ 72.093987][ T8495] kobject: 'integrity' (00000000c715deed): kobject_uevent_env: filter function caused the event to drop!
[ 72.097935][ T17] ? pwq_dec_nr_in_flight+0x320/0x320
[ 72.097952][ T17] ? lock_acquire+0x16f/0x3f0
[ 72.104053][ T8495] kobject: 'integrity' (00000000c715deed): kobject_cleanup, parent 00000000a99b3db2
[ 72.106127][ T17] worker_thread+0x98/0xe40
[ 72.106146][ T17] kthread+0x354/0x420
[ 72.110116][ T8495] kobject: 'integrity' (00000000c715deed): does not have a release() function, it is broken and must be fixed. See Documentation/kobject.txt.
[ 72.114230][ T17] ? process_one_work+0x1790/0x1790
[ 72.114242][ T17] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 72.114256][ T17] ret_from_fork+0x24/0x30
[ 72.120414][ T17] Kernel Offset: disabled
[ 72.571415][ T17] Rebooting in 86400 seconds..