[ ok ] Starting enhanced syslogd: rsyslogd.
[ 57.139653][ T26] audit: type=1800 audit(1559880201.910:25): pid=8684 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 57.180654][ T26] audit: type=1800 audit(1559880201.910:26): pid=8684 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 57.224391][ T26] audit: type=1800 audit(1559880201.910:27): pid=8684 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.146' (ECDSA) to the list of known hosts.
executing program
executing program
executing program

syzkaller login: [ 82.614150][ T2993] ==================================================================
[ 82.622556][ T2993] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 82.629868][ T2993] Read of size 8 at addr ffff888089b96f90 by task kworker/1:2/2993
[ 82.629880][ T2993]
[ 82.629895][ T2993] CPU: 1 PID: 2993 Comm: kworker/1:2 Not tainted 5.2.0-rc3+ #13
[ 82.629911][ T2993] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 82.629927][ T2993] Workqueue: events __blk_release_queue
[ 82.629935][ T2993] Call Trace:
[ 82.629954][ T2993]  dump_stack+0x172/0x1f0
[ 82.640307][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 82.640336][ T2993]  print_address_description.cold+0x7c/0x20d
[ 82.658381][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 82.658396][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 82.658411][ T2993]  __kasan_report.cold+0x1b/0x40
[ 82.658427][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 82.658442][ T2993]  kasan_report+0x12/0x20
[ 82.658457][ T2993]  __asan_report_load8_noabort+0x14/0x20
[ 82.658478][ T2993]  blk_mq_free_rqs+0x49f/0x4b0
[ 82.667300][ T2993]  ? dd_exit_queue+0x92/0xd0
[ 82.667313][ T2993]  ? kfree+0x170/0x220
[ 82.667337][ T2993]  blk_mq_sched_tags_teardown+0x126/0x210
[ 82.676591][ T2993]  ? dd_request_merge+0x230/0x230
[ 82.676611][ T2993]  blk_mq_exit_sched+0x1fa/0x2d0
[ 82.676631][ T2993]  elevator_exit+0x70/0xa0
[ 82.687565][ T2993]  __blk_release_queue+0x127/0x330
[ 82.687588][ T2993]  process_one_work+0x989/0x1790
[ 82.697456][ T2993]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 82.697479][ T2993]  ? lock_acquire+0x16f/0x3f0
[ 82.697505][ T2993]  worker_thread+0x98/0xe40
[ 82.706829][ T2993]  ? trace_hardirqs_on+0x67/0x220
[ 82.706858][ T2993]  kthread+0x354/0x420
[ 82.717242][ T2993]  ? process_one_work+0x1790/0x1790
[ 82.717258][ T2993]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 82.717279][ T2993]  ret_from_fork+0x24/0x30
[ 82.725921][ T2993]
[ 82.725931][ T2993] Allocated by task 8838:
[ 82.725955][ T2993]  save_stack+0x23/0x90
[ 82.737112][ T2993]  __kasan_kmalloc.constprop.0+0xcf/0xe0
executing program
[ 82.737124][ T2993]  kasan_kmalloc+0x9/0x10
[ 82.737136][ T2993]  kmem_cache_alloc_trace+0x151/0x750
[ 82.737156][ T2993]  loop_add+0x51/0x8d0
[ 82.742722][ T8841] kobject: 'cpu0' (00000000155d0d08): kobject_add_internal: parent: '0', set: ''
[ 82.746583][ T2993]  loop_control_ioctl+0x165/0x360
[ 82.746599][ T2993]  __ia32_compat_sys_ioctl+0x195/0x620
[ 82.746627][ T2993]  do_fast_syscall_32+0x27b/0xd7d
[ 82.752267][ T8841] kobject: 'cpu1' (00000000299ff090): kobject_add_internal: parent: '0', set: ''
[ 82.756657][ T2993]  entry_SYSENTER_compat+0x70/0x7f
[ 82.756662][ T2993]
[ 82.756669][ T2993] Freed by task 8840:
[ 82.756691][ T2993]  save_stack+0x23/0x90
[ 82.762726][ T8841] kobject: 'queue' (00000000c97d83de): kobject_uevent_env
[ 82.766714][ T2993]  __kasan_slab_free+0x102/0x150
[ 82.766727][ T2993]  kasan_slab_free+0xe/0x10
[ 82.766738][ T2993]  kfree+0xcf/0x220
[ 82.766756][ T2993]  loop_remove+0xa1/0xd0
[ 82.771778][ T8841] kobject: 'queue' (00000000c97d83de): kobject_uevent_env: filter function caused the event to drop!
[ 82.776265][ T2993]  loop_control_ioctl+0x320/0x360
[ 82.776280][ T2993]  __ia32_compat_sys_ioctl+0x195/0x620
[ 82.776301][ T2993]  do_fast_syscall_32+0x27b/0xd7d
[ 82.780499][ T8841] kobject: 'iosched' (00000000d152e94f): kobject_add_internal: parent: 'queue', set: ''
[ 82.785555][ T2993]  entry_SYSENTER_compat+0x70/0x7f
[ 82.785561][ T2993]
[ 82.785578][ T2993] The buggy address belongs to the object at ffff888089b96d80
[ 82.785578][ T2993]  which belongs to the cache kmalloc-1k of size 1024
[ 82.792017][ T8841] kobject: 'iosched' (00000000d152e94f): kobject_uevent_env
[ 82.796217][ T2993] The buggy address is located 528 bytes inside of
[ 82.796217][ T2993]  1024-byte region [ffff888089b96d80, ffff888089b97180)
[ 82.796223][ T2993] The buggy address belongs to the page:
[ 82.796236][ T2993] page:ffffea000226e580 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 82.798629][ T8841] kobject: 'iosched' (00000000d152e94f): kobject_uevent_env: filter function caused the event to drop!
[ 82.802913][ T2993] flags: 0x1fffc0000010200(slab|head)
[ 82.802932][ T2993] raw: 01fffc0000010200 ffffea00026fa488 ffffea00025d2e88 ffff8880aa400ac0
[ 82.802947][ T2993] raw: 0000000000000000 ffff888089b96000 0000000100000007 0000000000000000
[ 82.802953][ T2993] page dumped because: kasan: bad access detected
[ 82.802957][ T2993]
[ 82.802961][ T2993] Memory state around the buggy address:
[ 82.802972][ T2993]  ffff888089b96e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 82.802991][ T2993]  ffff888089b96f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 82.807910][ T8841] kobject: 'integrity' (0000000025262cfa): kobject_add_internal: parent: 'loop0', set: ''
[ 82.812764][ T2993] >ffff888089b96f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 82.812770][ T2993]                                            ^
[ 82.812781][ T2993]  ffff888089b97000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 82.812791][ T2993]  ffff888089b97080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 82.812797][ T2993] ==================================================================
[ 82.812802][ T2993] Disabling lock debugging due to kernel taint
[ 82.813317][ T2993] Kernel panic - not syncing: panic_on_warn set ...
[ 82.817266][ T8841] kobject: 'integrity' (0000000025262cfa): kobject_uevent_env
[ 82.822514][ T2993] CPU: 1 PID: 2993 Comm: kworker/1:2 Tainted: G    B             5.2.0-rc3+ #13
[ 82.822522][ T2993] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 82.822541][ T2993] Workqueue: events __blk_release_queue
[ 82.822556][ T2993] Call Trace:
[ 82.822575][ T2993]  dump_stack+0x172/0x1f0
[ 82.822594][ T2993]  panic+0x2cb/0x744
[ 82.822609][ T2993]  ? __warn_printk+0xf3/0xf3
[ 82.822628][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 82.826717][ T8841] kobject: 'integrity' (0000000025262cfa): kobject_uevent_env: filter function caused the event to drop!
[ 82.836608][ T2993]  ? preempt_schedule+0x4b/0x60
[ 82.836618][ T2993]  ? ___preempt_schedule+0x16/0x18
[ 82.836627][ T2993]  ? trace_hardirqs_on+0x5e/0x220
[ 82.836641][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 82.862635][ T8842] kobject: 'integrity' (0000000025262cfa): kobject_uevent_env
[ 82.866780][ T2993]  end_report+0x47/0x4f
[ 82.866802][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 82.869150][ T8842] kobject: 'integrity' (0000000025262cfa): kobject_uevent_env: filter function caused the event to drop!
[ 82.873103][ T2993]  __kasan_report.cold+0xe/0x40
[ 82.873118][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 82.873131][ T2993]  kasan_report+0x12/0x20
[ 82.873151][ T2993]  __asan_report_load8_noabort+0x14/0x20
[ 82.877730][ T8842] kobject: 'integrity' (0000000025262cfa): kobject_cleanup, parent 00000000bcf9ed0f
[ 82.884388][ T2993]  blk_mq_free_rqs+0x49f/0x4b0
[ 82.884401][ T2993]  ? dd_exit_queue+0x92/0xd0
[ 82.884412][ T2993]  ? kfree+0x170/0x220
[ 82.884464][ T2993]  blk_mq_sched_tags_teardown+0x126/0x210
[ 82.889718][ T8842] kobject: 'integrity' (0000000025262cfa): does not have a release() function, it is broken and must be fixed. See Documentation/kobject.txt.
[ 82.893878][ T2993]  ? dd_request_merge+0x230/0x230
[ 82.893895][ T2993]  blk_mq_exit_sched+0x1fa/0x2d0
[ 82.893911][ T2993]  elevator_exit+0x70/0xa0
[ 82.893930][ T2993]  __blk_release_queue+0x127/0x330
[ 82.898063][ T8842] kobject: 'integrity': free name
[ 82.901971][ T2993]  process_one_work+0x989/0x1790
[ 82.901991][ T2993]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 82.902004][ T2993]  ? lock_acquire+0x16f/0x3f0
[ 82.902024][ T2993]  worker_thread+0x98/0xe40
[ 83.350686][ T2993]  ? trace_hardirqs_on+0x67/0x220
[ 83.355697][ T2993]  kthread+0x354/0x420
[ 83.359758][ T2993]  ? process_one_work+0x1790/0x1790
[ 83.364947][ T2993]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 83.371194][ T2993]  ret_from_fork+0x24/0x30
[ 83.376672][ T2993] Kernel Offset: disabled
[ 83.380993][ T2993] Rebooting in 86400 seconds..