[....] Starting enhanced syslogd: rsyslogd�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
[ 57.572865][ T24] audit: type=1800 audit(1560017618.837:25): pid=8479 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 57.616973][ T24] audit: type=1800 audit(1560017618.847:26): pid=8479 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 57.654154][ T24] audit: type=1800 audit(1560017618.847:27): pid=8479 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[....] Starting periodic command scheduler: cron�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
[....] Starting OpenBSD Secure Shell server: sshd�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.10.40' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 67.900565][ T2885] ==================================================================
[ 67.908791][ T2885] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[ 67.908806][ T2885] Read of size 8 at addr ffff888218c30210 by task kworker/0:2/2885
[ 67.908810][ T2885]
[ 67.908823][ T2885] CPU: 0 PID: 2885 Comm: kworker/0:2 Not tainted 5.2.0-rc3+ #23
[ 67.908836][ T2885] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.908850][ T2885] Workqueue: events __blk_release_queue
[ 67.924239][ T2885] Call Trace:
[ 67.924263][ T2885] dump_stack+0x172/0x1f0
[ 67.924280][ T2885] ? blk_mq_free_rqs+0x49f/0x4b0
[ 67.924300][ T2885] print_address_description.cold+0x7c/0x20d
[ 67.934240][ T2885] ? blk_mq_free_rqs+0x49f/0x4b0
[ 67.934255][ T2885] ? blk_mq_free_rqs+0x49f/0x4b0
[ 67.934271][ T2885] __kasan_report.cold+0x1b/0x40
[ 67.934288][ T2885] ? blk_mq_free_rqs+0x49f/0x4b0
[ 67.949949][ T2885] kasan_report+0x12/0x20
[ 67.949966][ T2885] __asan_report_load8_noabort+0x14/0x20
[ 67.949979][ T2885] blk_mq_free_rqs+0x49f/0x4b0
[ 67.949991][ T2885] ? dd_exit_queue+0x92/0xd0
[ 67.950002][ T2885] ? kfree+0x170/0x220
[ 67.950022][ T2885] blk_mq_sched_tags_teardown+0x126/0x210
[ 67.957707][ T2885] ? dd_request_merge+0x230/0x230
[ 67.957726][ T2885] blk_mq_exit_sched+0x1fa/0x2d0
[ 67.957746][ T2885] elevator_exit+0x70/0xa0
[ 67.957761][ T2885] __blk_release_queue+0x127/0x330
[ 67.957780][ T2885] process_one_work+0x989/0x1790
[ 67.963505][ T8646] kobject: 'mq' (000000003d4a9346): kobject_uevent_env
[ 67.968701][ T2885] ? pwq_dec_nr_in_flight+0x320/0x320
[ 67.968716][ T2885] ? lock_acquire+0x16f/0x3f0
[ 67.968739][ T2885] worker_thread+0x98/0xe40
[ 67.968753][ T2885] ? trace_hardirqs_on+0x67/0x220
[ 67.968779][ T2885] kthread+0x354/0x420
[ 67.974157][ T8646] kobject: 'mq' (000000003d4a9346): kobject_uevent_env: filter function caused the event to drop!
[ 67.978774][ T2885] ? process_one_work+0x1790/0x1790
[ 67.978790][ T2885] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 67.978807][ T2885] ret_from_fork+0x24/0x30
[ 67.978825][ T2885]
[ 67.978833][ T2885] Allocated by task 1:
[ 67.978849][ T2885] save_stack+0x23/0x90
[ 67.984266][ T8646] kobject: 'queue' (00000000cc2e24c0): kobject_uevent_env
[ 67.988802][ T2885] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 67.988814][ T2885] kasan_kmalloc+0x9/0x10
[ 67.988826][ T2885] kmem_cache_alloc_trace+0x151/0x750
[ 67.988837][ T2885] loop_add+0x51/0x8d0
[ 67.988849][ T2885] loop_init+0x1fe/0x25a
[ 67.988862][ T2885] do_one_initcall+0x107/0x7ba
[ 67.988878][ T2885] kernel_init_freeable+0x4d4/0x5c3
[ 67.994007][ T8646] kobject: 'queue' (00000000cc2e24c0): kobject_uevent_env: filter function caused the event to drop!
[ 67.999143][ T2885] kernel_init+0x12/0x1c5
[ 67.999155][ T2885] ret_from_fork+0x24/0x30
[ 67.999159][ T2885]
[ 67.999166][ T2885] Freed by task 8645:
[ 67.999179][ T2885] save_stack+0x23/0x90
[ 67.999190][ T2885] __kasan_slab_free+0x102/0x150
[ 67.999201][ T2885] kasan_slab_free+0xe/0x10
[ 67.999214][ T2885] kfree+0xcf/0x220
[ 68.004644][ T8646] kobject: 'iosched' (00000000b5f9e0bf): kobject_uevent_env
[ 68.008526][ T2885] loop_remove+0xa1/0xd0
[ 68.008538][ T2885] loop_control_ioctl+0x320/0x360
[ 68.008550][ T2885] do_vfs_ioctl+0xd5f/0x1380
[ 68.008559][ T2885] ksys_ioctl+0xab/0xd0
[ 68.008570][ T2885] __x64_sys_ioctl+0x73/0xb0
[ 68.008583][ T2885] do_syscall_64+0xfd/0x680
[ 68.008595][ T2885] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.008603][ T2885]
[ 68.013049][ T8646] kobject: 'iosched' (00000000b5f9e0bf): kobject_uevent_env: attempted to send uevent without kset!
[ 68.018355][ T2885] The buggy address belongs to the object at ffff888218c30000
[ 68.018355][ T2885] which belongs to the cache kmalloc-1k of size 1024
[ 68.018368][ T2885] The buggy address is located 528 bytes inside of
[ 68.018368][ T2885] 1024-byte region [ffff888218c30000, ffff888218c30400)
[ 68.018372][ T2885] The buggy address belongs to the page:
[ 68.018385][ T2885] page:ffffea0008630c00 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[ 68.018401][ T2885] flags: 0x6fffc0000010200(slab|head)
[ 68.018427][ T2885] raw: 06fffc0000010200 ffffea0008658d08 ffffea0008635288 ffff8880aa400ac0
[ 68.024016][ T8646] kobject: 'holders' (0000000017e3b027): kobject_cleanup, parent 000000006be5ab36
[ 68.028467][ T2885] raw: 0000000000000000 ffff888218c30000 0000000100000007 0000000000000000
[ 68.028473][ T2885] page dumped because: kasan: bad access detected
[ 68.028477][ T2885]
[ 68.028481][ T2885] Memory state around the buggy address:
[ 68.028493][ T2885] ffff888218c30100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.028503][ T2885] ffff888218c30180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.028512][ T2885] >ffff888218c30200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.028517][ T2885] ^
[ 68.028527][ T2885] ffff888218c30280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.028536][ T2885] ffff888218c30300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.028545][ T2885] ==================================================================
[ 68.033536][ T8646] kobject: 'holders' (0000000017e3b027): auto cleanup kobject_del
[ 68.038031][ T2885] Disabling lock debugging due to kernel taint
[ 68.039666][ T2885] Kernel panic - not syncing: panic_on_warn set ...
[ 68.045458][ T8646] kobject: 'holders' (0000000017e3b027): calling ktype release
[ 68.053831][ T2885] CPU: 0 PID: 2885 Comm: kworker/0:2 Tainted: G B 5.2.0-rc3+ #23
[ 68.053838][ T2885] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.053857][ T2885] Workqueue: events __blk_release_queue
[ 68.053864][ T2885] Call Trace:
[ 68.053882][ T2885] dump_stack+0x172/0x1f0
[ 68.053897][ T2885] panic+0x2cb/0x744
[ 68.053920][ T2885] ? __warn_printk+0xf3/0xf3
[ 68.060262][ T8646] kobject: (0000000017e3b027): dynamic_kobj_release
[ 68.063941][ T2885] ? blk_mq_free_rqs+0x49f/0x4b0
[ 68.063957][ T2885] ? preempt_schedule+0x4b/0x60
[ 68.063975][ T2885] ? ___preempt_schedule+0x16/0x18
[ 68.068813][ T8646] kobject: 'holders': free name
[ 68.073484][ T2885] ? trace_hardirqs_on+0x5e/0x220
[ 68.073499][ T2885] ? blk_mq_free_rqs+0x49f/0x4b0
[ 68.073510][ T2885] end_report+0x47/0x4f
[ 68.073526][ T2885] ? blk_mq_free_rqs+0x49f/0x4b0
[ 68.077887][ T8646] kobject: 'slaves' (00000000ebbd0b35): kobject_cleanup, parent 000000006be5ab36
[ 68.088135][ T2885] __kasan_report.cold+0xe/0x40
[ 68.088150][ T2885] ? blk_mq_free_rqs+0x49f/0x4b0
[ 68.088163][ T2885] kasan_report+0x12/0x20
[ 68.088176][ T2885] __asan_report_load8_noabort+0x14/0x20
[ 68.088191][ T2885] blk_mq_free_rqs+0x49f/0x4b0
[ 68.093797][ T8646] kobject: 'slaves' (00000000ebbd0b35): auto cleanup kobject_del
[ 68.099775][ T2885] ? dd_exit_queue+0x92/0xd0
[ 68.099788][ T2885] ? kfree+0x170/0x220
[ 68.099805][ T2885] blk_mq_sched_tags_teardown+0x126/0x210
[ 68.099818][ T2885] ? dd_request_merge+0x230/0x230
[ 68.099834][ T2885] blk_mq_exit_sched+0x1fa/0x2d0
[ 68.104552][ T8646] kobject: 'slaves' (00000000ebbd0b35): calling ktype release
[ 68.106558][ T2885] elevator_exit+0x70/0xa0
[ 68.106573][ T2885] __blk_release_queue+0x127/0x330
[ 68.106595][ T2885] process_one_work+0x989/0x1790
[ 68.110914][ T8646] kobject: (00000000ebbd0b35): dynamic_kobj_release
[ 68.114775][ T2885] ? pwq_dec_nr_in_flight+0x320/0x320
[ 68.114788][ T2885] ? lock_acquire+0x16f/0x3f0
[ 68.114807][ T2885] worker_thread+0x98/0xe40
[ 68.122168][ T8646] kobject: 'slaves': free name
[ 68.127517][ T2885] ? trace_hardirqs_on+0x67/0x220
[ 68.127537][ T2885] kthread+0x354/0x420
[ 68.127550][ T2885] ? process_one_work+0x1790/0x1790
[ 68.127567][ T2885] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 68.132787][ T8646] kobject: 'loop3' (000000006be5ab36): kobject_uevent_env
[ 68.137225][ T2885] ret_from_fork+0x24/0x30
[ 68.138751][ T2885] Kernel Offset: disabled
[ 68.677526][ T2885] Rebooting in 86400 seconds..