[ ok ] Starting enhanced syslogd: rsyslogd.
[ 68.163009][ T26] audit: type=1800 audit(1559979363.788:25): pid=8782 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 68.202746][ T26] audit: type=1800 audit(1559979363.788:26): pid=8782 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 68.240139][ T26] audit: type=1800 audit(1559979363.798:27): pid=8782 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.97' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program

syzkaller login: [ 78.405674][ T12] ==================================================================
[ 78.414046][ T12] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 78.414065][ T12] Read of size 8 at addr ffff88808cc51450 by task kworker/0:1/12
[ 78.414068][ T12]
[ 78.414084][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.0-rc3+ #23
[ 78.414092][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 78.414109][ T12] Workqueue: events __blk_release_queue
[ 78.414138][ T12] Call Trace:
[ 78.414188][ T12]  dump_stack+0x172/0x1f0
[ 78.429426][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 78.429486][ T12]  print_address_description.cold+0x7c/0x20d
[ 78.429499][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 78.429512][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 78.429525][ T12]  __kasan_report.cold+0x1b/0x40
[ 78.429541][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 78.429556][ T12]  kasan_report+0x12/0x20
[ 78.429571][ T12]  __asan_report_load8_noabort+0x14/0x20
[ 78.429591][ T12]  blk_mq_free_rqs+0x49f/0x4b0
[ 78.439414][ T12]  ? dd_exit_queue+0x92/0xd0
[ 78.439427][ T12]  ? kfree+0x170/0x220
[ 78.439450][ T12]  blk_mq_sched_tags_teardown+0x126/0x210
[ 78.439465][ T12]  ? dd_request_merge+0x230/0x230
[ 78.439480][ T12]  blk_mq_exit_sched+0x1fa/0x2d0
[ 78.439503][ T12]  elevator_exit+0x70/0xa0
[ 78.455137][ T12]  __blk_release_queue+0x127/0x330
[ 78.455186][ T12]  process_one_work+0x989/0x1790
[ 78.455214][ T12]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 78.467799][ T12]  ? lock_acquire+0x16f/0x3f0
[ 78.478717][ T12]  worker_thread+0x98/0xe40
[ 78.478749][ T12]  ? trace_hardirqs_on+0x67/0x220
[ 78.488625][ T12]  kthread+0x354/0x420
[ 78.488643][ T12]  ? process_one_work+0x1790/0x1790
[ 78.488670][ T12]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 78.497974][ T12]  ret_from_fork+0x24/0x30
[ 78.497995][ T12]
[ 78.508397][ T12] Allocated by task 8939:
[ 78.508419][ T12]  save_stack+0x23/0x90
[ 78.508439][ T12]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 78.513674][ T8941] kobject: 'loop0' (00000000583f178b): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 78.517093][ T12]  kasan_kmalloc+0x9/0x10
[ 78.517105][ T12]  kmem_cache_alloc_trace+0x151/0x750
[ 78.517142][ T12]  loop_add+0x51/0x8d0
[ 78.517168][ T12]  loop_probe+0x161/0x1a0
[ 78.524131][ T8941] kobject: 'queue' (00000000856f4f05): kobject_add_internal: parent: 'loop0', set: ''
[ 78.528098][ T12]  kobj_lookup+0x260/0x460
[ 78.528113][ T12]  get_gendisk+0x4d/0x390
[ 78.528144][ T12]  __blkdev_get+0x457/0x1660
[ 78.528167][ T12]  blkdev_get+0xc4/0x990
[ 78.528176][ T12]  blkdev_open+0x205/0x290
[ 78.535208][ T8941] kobject: 'mq' (00000000350fbc61): kobject_add_internal: parent: 'loop0', set: ''
[ 78.537620][ T12]  do_dentry_open+0x4df/0x1250
[ 78.537640][ T12]  vfs_open+0xa0/0xd0
[ 78.543440][ T8941] kobject: 'mq' (00000000350fbc61): kobject_uevent_env
[ 78.547701][ T12]  path_openat+0x10e9/0x46d0
[ 78.547721][ T12]  do_filp_open+0x1a1/0x280
[ 78.553641][ T8941] kobject: 'mq' (00000000350fbc61): kobject_uevent_env: filter function caused the event to drop!
[ 78.557856][ T12]  do_sys_open+0x3fe/0x5d0
[ 78.557870][ T12]  __x64_sys_open+0x7e/0xc0
[ 78.557903][ T12]  do_syscall_64+0xfd/0x680
[ 78.562482][ T8941] kobject: '0' (00000000a0f956df): kobject_add_internal: parent: 'mq', set: ''
[ 78.567444][ T12]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.567450][ T12]
[ 78.567457][ T12] Freed by task 8940:
[ 78.567470][ T12]  save_stack+0x23/0x90
[ 78.567481][ T12]  __kasan_slab_free+0x102/0x150
[ 78.567491][ T12]  kasan_slab_free+0xe/0x10
[ 78.567500][ T12]  kfree+0xcf/0x220
[ 78.567510][ T12]  loop_remove+0xa1/0xd0
[ 78.567522][ T12]  loop_control_ioctl+0x320/0x360
[ 78.567532][ T12]  do_vfs_ioctl+0xd5f/0x1380
[ 78.567541][ T12]  ksys_ioctl+0xab/0xd0
[ 78.567550][ T12]  __x64_sys_ioctl+0x73/0xb0
[ 78.567563][ T12]  do_syscall_64+0xfd/0x680
[ 78.567575][ T12]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.567579][ T12]
[ 78.567589][ T12] The buggy address belongs to the object at ffff88808cc51240
[ 78.567589][ T12]  which belongs to the cache kmalloc-1k of size 1024
[ 78.567609][ T12] The buggy address is located 528 bytes inside of
[ 78.567609][ T12]  1024-byte region [ffff88808cc51240, ffff88808cc51640)
[ 78.577154][ T8941] kobject: 'cpu0' (000000003f046852): kobject_add_internal: parent: '0', set: ''
[ 78.583416][ T12] The buggy address belongs to the page:
[ 78.583444][ T12] page:ffffea0002331400 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 78.583464][ T12] flags: 0x1fffc0000010200(slab|head)
[ 78.583482][ T12] raw: 01fffc0000010200 ffffea0002664588 ffffea0002172688 ffff8880aa400ac0
[ 78.583498][ T12] raw: 0000000000000000 ffff88808cc50040 0000000100000007 0000000000000000
[ 78.583503][ T12] page dumped because: kasan: bad access detected
[ 78.583507][ T12]
[ 78.583510][ T12] Memory state around the buggy address:
[ 78.583521][ T12]  ffff88808cc51300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.583531][ T12]  ffff88808cc51380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.583541][ T12] >ffff88808cc51400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.583547][ T12]                                                  ^
[ 78.583556][ T12]  ffff88808cc51480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.583566][ T12]  ffff88808cc51500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.583579][ T12] ==================================================================
[ 78.589115][ T8941] kobject: 'cpu1' (00000000d8d974c0): kobject_add_internal: parent: '0', set: ''
[ 78.590359][ T12] Disabling lock debugging due to kernel taint
[ 78.595157][ T8941] kobject: 'queue' (00000000856f4f05): kobject_uevent_env
[ 78.599088][ T12] Kernel panic - not syncing: panic_on_warn set ...
[ 78.606347][ T8941] kobject: 'queue' (00000000856f4f05): kobject_uevent_env: filter function caused the event to drop!
[ 78.614759][ T12] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.2.0-rc3+ #23
[ 78.614767][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 78.614787][ T12] Workqueue: events __blk_release_queue
[ 78.614794][ T12] Call Trace:
[ 78.614815][ T12]  dump_stack+0x172/0x1f0
[ 78.614857][ T12]  panic+0x2cb/0x744
[ 78.619685][ T8941] kobject: 'iosched' (00000000409b1f8f): kobject_add_internal: parent: 'queue', set: ''
[ 78.624540][ T12]  ? __warn_printk+0xf3/0xf3
[ 78.624555][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 78.624572][ T12]  ? preempt_schedule+0x4b/0x60
[ 78.624585][ T12]  ? ___preempt_schedule+0x16/0x18
[ 78.624599][ T12]  ? trace_hardirqs_on+0x5e/0x220
[ 78.624613][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 78.624634][ T12]  end_report+0x47/0x4f
[ 78.629243][ T8941] kobject: 'iosched' (00000000409b1f8f): kobject_uevent_env
[ 78.633038][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 78.633053][ T12]  __kasan_report.cold+0xe/0x40
[ 78.633066][ T12]  ? blk_mq_free_rqs+0x49f/0x4b0
[ 78.633078][ T12]  kasan_report+0x12/0x20
[ 78.633091][ T12]  __asan_report_load8_noabort+0x14/0x20
[ 78.633111][ T12]  blk_mq_free_rqs+0x49f/0x4b0
[ 78.643730][ T8941] kobject: 'iosched' (00000000409b1f8f): kobject_uevent_env: filter function caused the event to drop!
[ 78.647601][ T12]  ? dd_exit_queue+0x92/0xd0
[ 78.647622][ T12]  ? kfree+0x170/0x220
[ 78.652055][ T8941] kobject: 'integrity' (000000009176a0ec): kobject_add_internal: parent: 'loop0', set: ''
[ 78.656534][ T12]  blk_mq_sched_tags_teardown+0x126/0x210
[ 78.656548][ T12]  ? dd_request_merge+0x230/0x230
[ 78.656561][ T12]  blk_mq_exit_sched+0x1fa/0x2d0
[ 78.656576][ T12]  elevator_exit+0x70/0xa0
[ 78.656591][ T12]  __blk_release_queue+0x127/0x330
[ 78.656612][ T12]  process_one_work+0x989/0x1790
[ 78.662999][ T8941] kobject: 'integrity' (000000009176a0ec): kobject_uevent_env
[ 78.665261][ T12]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 78.665282][ T12]  ? lock_acquire+0x16f/0x3f0
[ 78.675199][ T8941] kobject: 'integrity' (000000009176a0ec): kobject_uevent_env: filter function caused the event to drop!
[ 78.679891][ T12]  worker_thread+0x98/0xe40
[ 78.679916][ T12]  ? trace_hardirqs_on+0x67/0x220
[ 79.207749][ T12]  kthread+0x354/0x420
[ 79.211829][ T12]  ? process_one_work+0x1790/0x1790
[ 79.217047][ T12]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 79.223291][ T12]  ret_from_fork+0x24/0x30
[ 79.228957][ T12] Kernel Offset: disabled
[ 79.233285][ T12] Rebooting in 86400 seconds..
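A triage helper for the report above, added here as an example; it is not part of the syzkaller log or of the kernel. The sample lines are copied from the report (two of the interleaved T8941 kobject messages are kept in on purpose), and the script drops every line not written by the reporting task, extracts the allocation and free stacks, and re-derives the "528 bytes inside" offset and the shadow byte under the caret from the raw addresses instead of trusting the text. The shadow-marker table is the generic-mode KASAN encoding from mm/kasan/kasan.h in 5.x kernels (0xfb is the freed-slab-object marker); everything else is plain parsing.

```python
"""Triage a generic-KASAN report from a syzkaller console log (added example):
parse header, access line, alloc/free stacks, object info and shadow dump while
dropping interleaved output from other tasks, then re-check the arithmetic."""
import re

# Generic KASAN shadow markers (mm/kasan/kasan.h, 5.x generic mode).
SHADOW_MEANING = {0x00: "addressable", 0xFF: "free page", 0xFE: "page redzone",
                  0xFC: "kmalloc redzone", 0xFB: "freed slab object",
                  0xFA: "global redzone"}
GRANULE = 8               # bytes of kernel memory per shadow byte
ROW_BYTES = 16 * GRANULE  # one dumped shadow row covers 128 bytes
PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T(\d+)\]\s?(.*)$")

# Constructed sample: lines copied from the report above, with two of the
# interleaved T8941 kobject messages kept in to exercise the task filter.
SAMPLE = """\
[ 78.414046][ T12] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 78.414065][ T12] Read of size 8 at addr ffff88808cc51450 by task kworker/0:1/12
[ 78.414068][ T12]
[ 78.508397][ T12] Allocated by task 8939:
[ 78.513674][ T8941] kobject: 'loop0' (00000000583f178b): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 78.517105][ T12]  kmem_cache_alloc_trace+0x151/0x750
[ 78.517142][ T12]  loop_add+0x51/0x8d0
[ 78.517168][ T12]  loop_probe+0x161/0x1a0
[ 78.528098][ T12]  kobj_lookup+0x260/0x460
[ 78.528176][ T12]  blkdev_open+0x205/0x290
[ 78.567450][ T12]
[ 78.567457][ T12] Freed by task 8940:
[ 78.567500][ T12]  kfree+0xcf/0x220
[ 78.567510][ T12]  loop_remove+0xa1/0xd0
[ 78.567522][ T12]  loop_control_ioctl+0x320/0x360
[ 78.567579][ T12]
[ 78.567589][ T12] The buggy address belongs to the object at ffff88808cc51240
[ 78.567589][ T12]  which belongs to the cache kmalloc-1k of size 1024
[ 78.567609][ T12] The buggy address is located 528 bytes inside of
[ 78.567609][ T12]  1024-byte region [ffff88808cc51240, ffff88808cc51640)
[ 78.577154][ T8941] kobject: 'cpu0' (000000003f046852): kobject_add_internal: parent: '0', set: ''
[ 78.583510][ T12] Memory state around the buggy address:
[ 78.583541][ T12] >ffff88808cc51400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.583547][ T12]                                                  ^
[ 78.583556][ T12]  ffff88808cc51480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""


def parse_kasan(log: str) -> dict:
    """Return the report's fields; stack frames are kept as bare symbol names."""
    rep = {"alloc_stack": [], "free_stack": [], "shadow": {}}
    reporter = section = None
    for raw in log.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue
        tid, text = int(m.group(1)), m.group(2).rstrip()
        if (h := re.match(r"BUG: KASAN: (\S+) in (\S+)", text)):
            reporter, rep["bug"], rep["site"] = tid, h.group(1), h.group(2)
        elif tid != reporter:
            continue  # another task's output interleaved with the report
        elif (a := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (.+)", text)):
            rep.update(access=a.group(1), size=int(a.group(2)),
                       addr=int(a.group(3), 16), task=a.group(4))
        elif (s := re.match(r"(Allocated|Freed) by task (\d+):", text)):
            section = "alloc_stack" if s.group(1) == "Allocated" else "free_stack"
            rep[section[:-6] + "_task"] = int(s.group(2))
        elif text == "":
            section = None  # a blank line ends a stack dump
        elif section and text.startswith(" "):
            rep[section].append(text.split("+")[0].strip())
        elif (o := re.search(r"object at ([0-9a-f]+)", text)):
            rep["obj_base"] = int(o.group(1), 16)
        elif (c := re.search(r"cache (\S+) of size (\d+)", text)):
            rep["cache"], rep["obj_size"] = c.group(1), int(c.group(2))
        elif (l := re.search(r"located (\d+) bytes inside of", text)):
            rep["stated_offset"] = int(l.group(1))
        elif (r := re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$", text.strip())):
            rep["shadow"][int(r.group(1), 16)] = [int(b, 16) for b in r.group(2).split()]
    return rep


def check(rep: dict) -> dict:
    """Recompute the offset the report states and classify the shadow byte at addr."""
    off = rep["addr"] - rep["obj_base"]
    row = rep["addr"] & ~(ROW_BYTES - 1)  # dumped rows are 128-byte aligned
    shadow = rep["shadow"][row][(rep["addr"] - row) // GRANULE]
    return {"offset": off,
            "offset_matches_report": off == rep["stated_offset"],
            "inside_object": 0 <= off < rep["obj_size"],
            "shadow_byte": shadow,
            "shadow_meaning": SHADOW_MEANING.get(
                shadow, "partially addressable" if 0 < shadow < GRANULE else "unknown"),
            "consistent_uaf": rep["bug"] == "use-after-free" and shadow == 0xFB}


REPORT = parse_kasan(SAMPLE)
RESULT = check(REPORT)

if __name__ == "__main__":
    print(REPORT["bug"], "in", REPORT["site"])
    print("alloc:", " <- ".join(REPORT["alloc_stack"]))
    print("free: ", " <- ".join(REPORT["free_stack"]))
    print(RESULT)
```

Run stand-alone it prints the two stacks and the consistency dict. The two stacks are the useful output for triage: the object was allocated in loop_probe/loop_add, which is reached from an open() of a loop block node via kobj_lookup, and freed by loop_remove from loop_control_ioctl, while the reader is the queue-release work item (__blk_release_queue) on the kworker; the three participants of the race are therefore all visible in the report itself, and the 0xfb shadow byte confirms the read hit a slab object that had already been returned to the allocator rather than a redzone.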