[ ok ] Starting enhanced syslogd: rsyslogd.
[   61.008909][   T25] audit: type=1800 audit(1559881850.605:25): pid=8801 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   61.053875][   T25] audit: type=1800 audit(1559881850.605:26): pid=8801 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   61.104684][   T25] audit: type=1800 audit(1559881850.605:27): pid=8801 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.58' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
syzkaller login: [   72.646034][ T2600] ==================================================================
[   72.654331][ T2600] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[   72.654350][ T2600] Read of size 8 at addr ffff8880a308af90 by task kworker/1:2/2600
[   72.654362][ T2600] 
[   72.654383][ T2600] CPU: 1 PID: 2600 Comm: kworker/1:2 Not tainted 5.2.0-rc3+ #21
[   72.654391][ T2600] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   72.669600][ T2600] Workqueue: events __blk_release_queue
[   72.669621][ T2600] Call Trace:
[   72.669661][ T2600]  dump_stack+0x172/0x1f0
[   72.669681][ T2600]  ? blk_mq_free_rqs+0x49f/0x4b0
[   72.679642][ T2600]  print_address_description.cold+0x7c/0x20d
[   72.679658][ T2600]  ? blk_mq_free_rqs+0x49f/0x4b0
[   72.679680][ T2600]  ? blk_mq_free_rqs+0x49f/0x4b0
[   72.695257][ T2600]  __kasan_report.cold+0x1b/0x40
[   72.695276][ T2600]  ? blk_mq_free_rqs+0x49f/0x4b0
[   72.695292][ T2600]  kasan_report+0x12/0x20
[   72.695313][ T2600]  __asan_report_load8_noabort+0x14/0x20
[   72.702895][ T2600]  blk_mq_free_rqs+0x49f/0x4b0
[   72.702923][ T2600]  ? dd_exit_queue+0x92/0xd0
[   72.702935][ T2600]  ? kfree+0x170/0x220
[   72.702958][ T2600]  blk_mq_sched_tags_teardown+0x126/0x210
[   72.713838][ T2600]  ? dd_request_merge+0x230/0x230
[   72.713856][ T2600]  blk_mq_exit_sched+0x1fa/0x2d0
[   72.713876][ T2600]  elevator_exit+0x70/0xa0
[   72.713891][ T2600]  __blk_release_queue+0x127/0x330
[   72.713940][ T2600]  process_one_work+0x989/0x1790
[   72.723767][ T2600]  ? pwq_dec_nr_in_flight+0x320/0x320
[   72.723791][ T2600]  ? lock_acquire+0x16f/0x3f0
[   72.723817][ T2600]  worker_thread+0x98/0xe40
[   72.733663][ T2600]  ? trace_hardirqs_on+0x67/0x220
[   72.733691][ T2600]  kthread+0x354/0x420
[   72.733707][ T2600]  ? process_one_work+0x1790/0x1790
[   72.733726][ T2600]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   72.733749][ T2600]  ret_from_fork+0x24/0x30
[   72.743767][ T2600] 
[   72.743786][ T2600] Allocated by task 8962:
[   72.743805][ T2600]  save_stack+0x23/0x90
[   72.743818][ T2600]  __kasan_kmalloc.constprop.0+0xcf/0xe0
executing program
[   72.743836][ T2600]  kasan_kmalloc+0x9/0x10
[   72.753161][ T2600]  kmem_cache_alloc_trace+0x151/0x750
[   72.753184][ T2600]  loop_add+0x51/0x8d0
[   72.753195][ T2600]  loop_probe+0x161/0x1a0
[   72.753208][ T2600]  kobj_lookup+0x260/0x460
[   72.753229][ T2600]  get_gendisk+0x4d/0x390
[   72.757318][ T8964] kobject: 'mq' (0000000082cd6fb7): kobject_uevent_env: filter function caused the event to drop!
[   72.762987][ T2600]  __blkdev_get+0x457/0x1660
[   72.762999][ T2600]  blkdev_get+0xc4/0x990
[   72.763009][ T2600]  blkdev_open+0x205/0x290
[   72.763029][ T2600]  do_dentry_open+0x4df/0x1250
[   72.763047][ T2600]  vfs_open+0xa0/0xd0
[   72.768120][ T8964] kobject: '0' (00000000a8f291d7): kobject_add_internal: parent: 'mq', set: '<NULL>'
[   72.772993][ T2600]  path_openat+0x10e9/0x46d0
[   72.773006][ T2600]  do_filp_open+0x1a1/0x280
[   72.773018][ T2600]  do_sys_open+0x3fe/0x5d0
[   72.773032][ T2600]  __x64_sys_open+0x7e/0xc0
[   72.773060][ T2600]  do_syscall_64+0xfd/0x680
[   72.777589][ T8964] kobject: 'cpu0' (0000000068caaeea): kobject_add_internal: parent: '0', set: '<NULL>'
[   72.782546][ T2600]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   72.782550][ T2600] 
[   72.782557][ T2600] Freed by task 8963:
[   72.782574][ T2600]  save_stack+0x23/0x90
[   72.787614][ T8964] kobject: 'cpu1' (00000000c5d2eef8): kobject_add_internal: parent: '0', set: '<NULL>'
[   72.792841][ T2600]  __kasan_slab_free+0x102/0x150
[   72.792853][ T2600]  kasan_slab_free+0xe/0x10
[   72.792864][ T2600]  kfree+0xcf/0x220
[   72.792875][ T2600]  loop_remove+0xa1/0xd0
[   72.792888][ T2600]  loop_control_ioctl+0x320/0x360
[   72.792905][ T2600]  do_vfs_ioctl+0xd5f/0x1380
[   72.797753][ T8964] kobject: 'queue' (00000000de0156a7): kobject_uevent_env
[   72.802043][ T2600]  ksys_ioctl+0xab/0xd0
[   72.802053][ T2600]  __x64_sys_ioctl+0x73/0xb0
[   72.802067][ T2600]  do_syscall_64+0xfd/0x680
[   72.802087][ T2600]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   72.807160][ T8964] kobject: 'queue' (00000000de0156a7): kobject_uevent_env: filter function caused the event to drop!
[   72.811125][ T2600] 
[   72.811143][ T2600] The buggy address belongs to the object at ffff8880a308ad80
[   72.811143][ T2600]  which belongs to the cache kmalloc-1k of size 1024
[   72.811156][ T2600] The buggy address is located 528 bytes inside of
[   72.811156][ T2600]  1024-byte region [ffff8880a308ad80, ffff8880a308b180)
[   72.811167][ T2600] The buggy address belongs to the page:
[   72.816496][ T8964] kobject: 'iosched' (0000000053dce263): kobject_add_internal: parent: 'queue', set: '<NULL>'
[   72.822579][ T2600] page:ffffea00028c2280 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[   72.827150][ T8964] kobject: 'iosched' (0000000053dce263): kobject_uevent_env
[   72.829314][ T2600] flags: 0x1fffc0000010200(slab|head)
[   72.829339][ T2600] raw: 01fffc0000010200 ffffea000292dd88 ffffea00022cfe88 ffff8880aa400ac0
[   72.833730][ T8964] kobject: 'iosched' (0000000053dce263): kobject_uevent_env: filter function caused the event to drop!
[   72.837789][ T2600] raw: 0000000000000000 ffff8880a308a000 0000000100000007 0000000000000000
[   72.837795][ T2600] page dumped because: kasan: bad access detected
[   72.837799][ T2600] 
[   72.837803][ T2600] Memory state around the buggy address:
[   72.837817][ T2600]  ffff8880a308ae80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   72.843581][ T8964] kobject: 'integrity' (00000000c0693a46): kobject_add_internal: parent: 'loop0', set: '<NULL>'
[   72.847736][ T2600]  ffff8880a308af00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   72.847748][ T2600] >ffff8880a308af80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   72.847753][ T2600]                          ^
[   72.847767][ T2600]  ffff8880a308b000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   72.853286][ T8964] kobject: 'integrity' (00000000c0693a46): kobject_uevent_env
[   72.857169][ T2600]  ffff8880a308b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   72.857174][ T2600] ==================================================================
[   72.857179][ T2600] Disabling lock debugging due to kernel taint
[   72.861990][ T2600] Kernel panic - not syncing: panic_on_warn set ...
[   72.869454][ T8964] kobject: 'integrity' (00000000c0693a46): kobject_uevent_env: filter function caused the event to drop!
[   72.870244][ T2600] CPU: 1 PID: 2600 Comm: kworker/1:2 Tainted: G    B             5.2.0-rc3+ #21
[   72.893093][ T8965] kobject: 'integrity' (00000000c0693a46): kobject_uevent_env
[   72.893992][ T2600] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   72.894013][ T2600] Workqueue: events __blk_release_queue
[   72.898813][ T8965] kobject: 'integrity' (00000000c0693a46): kobject_uevent_env: filter function caused the event to drop!
[   72.902741][ T2600] Call Trace:
[   72.902766][ T2600]  dump_stack+0x172/0x1f0
[   72.902802][ T2600]  panic+0x2cb/0x744
[   72.912317][ T8965] kobject: 'integrity' (00000000c0693a46): kobject_cleanup, parent 0000000000767b55
[   72.916797][ T2600]  ? __warn_printk+0xf3/0xf3
[   72.916815][ T2600]  ? blk_mq_free_rqs+0x49f/0x4b0
[   72.916837][ T2600]  ? preempt_schedule+0x4b/0x60
[   72.921340][ T8965] kobject: 'integrity' (00000000c0693a46): does not have a release() function, it is broken and must be fixed. See Documentation/kobject.txt.
[   72.925713][ T2600]  ? ___preempt_schedule+0x16/0x18
[   72.925729][ T2600]  ? trace_hardirqs_on+0x5e/0x220
[   72.925754][ T2600]  ? blk_mq_free_rqs+0x49f/0x4b0
[   72.930706][ T8965] kobject: 'integrity': free name
[   72.935172][ T2600]  end_report+0x47/0x4f
[   72.935186][ T2600]  ? blk_mq_free_rqs+0x49f/0x4b0
[   72.935199][ T2600]  __kasan_report.cold+0xe/0x40
[   72.935217][ T2600]  ? blk_mq_free_rqs+0x49f/0x4b0
[   73.381518][ T2600]  kasan_report+0x12/0x20
[   73.385831][ T2600]  __asan_report_load8_noabort+0x14/0x20
[   73.391443][ T2600]  blk_mq_free_rqs+0x49f/0x4b0
[   73.396185][ T2600]  ? dd_exit_queue+0x92/0xd0
[   73.400760][ T2600]  ? kfree+0x170/0x220
[   73.404822][ T2600]  blk_mq_sched_tags_teardown+0x126/0x210
[   73.410521][ T2600]  ? dd_request_merge+0x230/0x230
[   73.415526][ T2600]  blk_mq_exit_sched+0x1fa/0x2d0
[   73.420450][ T2600]  elevator_exit+0x70/0xa0
[   73.424869][ T2600]  __blk_release_queue+0x127/0x330
[   73.429985][ T2600]  process_one_work+0x989/0x1790
[   73.434908][ T2600]  ? pwq_dec_nr_in_flight+0x320/0x320
[   73.440256][ T2600]  ? lock_acquire+0x16f/0x3f0
[   73.444913][ T2600]  worker_thread+0x98/0xe40
[   73.449396][ T2600]  ? trace_hardirqs_on+0x67/0x220
[   73.454406][ T2600]  kthread+0x354/0x420
[   73.458453][ T2600]  ? process_one_work+0x1790/0x1790
[   73.463626][ T2600]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   73.469848][ T2600]  ret_from_fork+0x24/0x30
[   73.475387][ T2600] Kernel Offset: disabled
[   73.479706][ T2600] Rebooting in 86400 seconds..