[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   57.572865][   T24] audit: type=1800 audit(1560017618.837:25): pid=8479 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   57.616973][   T24] audit: type=1800 audit(1560017618.847:26): pid=8479 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   57.654154][   T24] audit: type=1800 audit(1560017618.847:27): pid=8479 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.40' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   67.900565][ T2885] ==================================================================
[   67.908791][ T2885] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[   67.908806][ T2885] Read of size 8 at addr ffff888218c30210 by task kworker/0:2/2885
[   67.908810][ T2885] 
[   67.908823][ T2885] CPU: 0 PID: 2885 Comm: kworker/0:2 Not tainted 5.2.0-rc3+ #23
[   67.908836][ T2885] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.908850][ T2885] Workqueue: events __blk_release_queue
[   67.924239][ T2885] Call Trace:
[   67.924263][ T2885]  dump_stack+0x172/0x1f0
[   67.924280][ T2885]  ? blk_mq_free_rqs+0x49f/0x4b0
[   67.924300][ T2885]  print_address_description.cold+0x7c/0x20d
[   67.934240][ T2885]  ? blk_mq_free_rqs+0x49f/0x4b0
[   67.934255][ T2885]  ? blk_mq_free_rqs+0x49f/0x4b0
[   67.934271][ T2885]  __kasan_report.cold+0x1b/0x40
[   67.934288][ T2885]  ? blk_mq_free_rqs+0x49f/0x4b0
[   67.949949][ T2885]  kasan_report+0x12/0x20
[   67.949966][ T2885]  __asan_report_load8_noabort+0x14/0x20
[   67.949979][ T2885]  blk_mq_free_rqs+0x49f/0x4b0
[   67.949991][ T2885]  ? dd_exit_queue+0x92/0xd0
[   67.950002][ T2885]  ? kfree+0x170/0x220
[   67.950022][ T2885]  blk_mq_sched_tags_teardown+0x126/0x210
[   67.957707][ T2885]  ? dd_request_merge+0x230/0x230
[   67.957726][ T2885]  blk_mq_exit_sched+0x1fa/0x2d0
[   67.957746][ T2885]  elevator_exit+0x70/0xa0
[   67.957761][ T2885]  __blk_release_queue+0x127/0x330
[   67.957780][ T2885]  process_one_work+0x989/0x1790
[   67.963505][ T8646] kobject: 'mq' (000000003d4a9346): kobject_uevent_env
[   67.968701][ T2885]  ? pwq_dec_nr_in_flight+0x320/0x320
[   67.968716][ T2885]  ? lock_acquire+0x16f/0x3f0
[   67.968739][ T2885]  worker_thread+0x98/0xe40
[   67.968753][ T2885]  ? trace_hardirqs_on+0x67/0x220
[   67.968779][ T2885]  kthread+0x354/0x420
[   67.974157][ T8646] kobject: 'mq' (000000003d4a9346): kobject_uevent_env: filter function caused the event to drop!
[   67.978774][ T2885]  ? process_one_work+0x1790/0x1790
[   67.978790][ T2885]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   67.978807][ T2885]  ret_from_fork+0x24/0x30
[   67.978825][ T2885] 
[   67.978833][ T2885] Allocated by task 1:
[   67.978849][ T2885]  save_stack+0x23/0x90
[   67.984266][ T8646] kobject: 'queue' (00000000cc2e24c0): kobject_uevent_env
[   67.988802][ T2885]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   67.988814][ T2885]  kasan_kmalloc+0x9/0x10
[   67.988826][ T2885]  kmem_cache_alloc_trace+0x151/0x750
[   67.988837][ T2885]  loop_add+0x51/0x8d0
[   67.988849][ T2885]  loop_init+0x1fe/0x25a
[   67.988862][ T2885]  do_one_initcall+0x107/0x7ba
[   67.988878][ T2885]  kernel_init_freeable+0x4d4/0x5c3
[   67.994007][ T8646] kobject: 'queue' (00000000cc2e24c0): kobject_uevent_env: filter function caused the event to drop!
[   67.999143][ T2885]  kernel_init+0x12/0x1c5
[   67.999155][ T2885]  ret_from_fork+0x24/0x30
[   67.999159][ T2885] 
[   67.999166][ T2885] Freed by task 8645:
[   67.999179][ T2885]  save_stack+0x23/0x90
[   67.999190][ T2885]  __kasan_slab_free+0x102/0x150
[   67.999201][ T2885]  kasan_slab_free+0xe/0x10
[   67.999214][ T2885]  kfree+0xcf/0x220
[   68.004644][ T8646] kobject: 'iosched' (00000000b5f9e0bf): kobject_uevent_env
[   68.008526][ T2885]  loop_remove+0xa1/0xd0
[   68.008538][ T2885]  loop_control_ioctl+0x320/0x360
[   68.008550][ T2885]  do_vfs_ioctl+0xd5f/0x1380
[   68.008559][ T2885]  ksys_ioctl+0xab/0xd0
[   68.008570][ T2885]  __x64_sys_ioctl+0x73/0xb0
[   68.008583][ T2885]  do_syscall_64+0xfd/0x680
[   68.008595][ T2885]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   68.008603][ T2885] 
[   68.013049][ T8646] kobject: 'iosched' (00000000b5f9e0bf): kobject_uevent_env: attempted to send uevent without kset!
[   68.018355][ T2885] The buggy address belongs to the object at ffff888218c30000
[   68.018355][ T2885]  which belongs to the cache kmalloc-1k of size 1024
[   68.018368][ T2885] The buggy address is located 528 bytes inside of
[   68.018368][ T2885]  1024-byte region [ffff888218c30000, ffff888218c30400)
[   68.018372][ T2885] The buggy address belongs to the page:
[   68.018385][ T2885] page:ffffea0008630c00 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[   68.018401][ T2885] flags: 0x6fffc0000010200(slab|head)
[   68.018427][ T2885] raw: 06fffc0000010200 ffffea0008658d08 ffffea0008635288 ffff8880aa400ac0
[   68.024016][ T8646] kobject: 'holders' (0000000017e3b027): kobject_cleanup, parent 000000006be5ab36
[   68.028467][ T2885] raw: 0000000000000000 ffff888218c30000 0000000100000007 0000000000000000
[   68.028473][ T2885] page dumped because: kasan: bad access detected
[   68.028477][ T2885] 
[   68.028481][ T2885] Memory state around the buggy address:
[   68.028493][ T2885]  ffff888218c30100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.028503][ T2885]  ffff888218c30180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.028512][ T2885] >ffff888218c30200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.028517][ T2885]                          ^
[   68.028527][ T2885]  ffff888218c30280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.028536][ T2885]  ffff888218c30300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.028545][ T2885] ==================================================================
[   68.033536][ T8646] kobject: 'holders' (0000000017e3b027): auto cleanup kobject_del
[   68.038031][ T2885] Disabling lock debugging due to kernel taint
[   68.039666][ T2885] Kernel panic - not syncing: panic_on_warn set ...
[   68.045458][ T8646] kobject: 'holders' (0000000017e3b027): calling ktype release
[   68.053831][ T2885] CPU: 0 PID: 2885 Comm: kworker/0:2 Tainted: G    B             5.2.0-rc3+ #23
[   68.053838][ T2885] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   68.053857][ T2885] Workqueue: events __blk_release_queue
[   68.053864][ T2885] Call Trace:
[   68.053882][ T2885]  dump_stack+0x172/0x1f0
[   68.053897][ T2885]  panic+0x2cb/0x744
[   68.053920][ T2885]  ? __warn_printk+0xf3/0xf3
[   68.060262][ T8646] kobject: (0000000017e3b027): dynamic_kobj_release
[   68.063941][ T2885]  ? blk_mq_free_rqs+0x49f/0x4b0
[   68.063957][ T2885]  ? preempt_schedule+0x4b/0x60
[   68.063975][ T2885]  ? ___preempt_schedule+0x16/0x18
[   68.068813][ T8646] kobject: 'holders': free name
[   68.073484][ T2885]  ? trace_hardirqs_on+0x5e/0x220
[   68.073499][ T2885]  ? blk_mq_free_rqs+0x49f/0x4b0
[   68.073510][ T2885]  end_report+0x47/0x4f
[   68.073526][ T2885]  ? blk_mq_free_rqs+0x49f/0x4b0
[   68.077887][ T8646] kobject: 'slaves' (00000000ebbd0b35): kobject_cleanup, parent 000000006be5ab36
[   68.088135][ T2885]  __kasan_report.cold+0xe/0x40
[   68.088150][ T2885]  ? blk_mq_free_rqs+0x49f/0x4b0
[   68.088163][ T2885]  kasan_report+0x12/0x20
[   68.088176][ T2885]  __asan_report_load8_noabort+0x14/0x20
[   68.088191][ T2885]  blk_mq_free_rqs+0x49f/0x4b0
[   68.093797][ T8646] kobject: 'slaves' (00000000ebbd0b35): auto cleanup kobject_del
[   68.099775][ T2885]  ? dd_exit_queue+0x92/0xd0
[   68.099788][ T2885]  ? kfree+0x170/0x220
[   68.099805][ T2885]  blk_mq_sched_tags_teardown+0x126/0x210
[   68.099818][ T2885]  ? dd_request_merge+0x230/0x230
[   68.099834][ T2885]  blk_mq_exit_sched+0x1fa/0x2d0
[   68.104552][ T8646] kobject: 'slaves' (00000000ebbd0b35): calling ktype release
[   68.106558][ T2885]  elevator_exit+0x70/0xa0
[   68.106573][ T2885]  __blk_release_queue+0x127/0x330
[   68.106595][ T2885]  process_one_work+0x989/0x1790
[   68.110914][ T8646] kobject: (00000000ebbd0b35): dynamic_kobj_release
[   68.114775][ T2885]  ? pwq_dec_nr_in_flight+0x320/0x320
[   68.114788][ T2885]  ? lock_acquire+0x16f/0x3f0
[   68.114807][ T2885]  worker_thread+0x98/0xe40
[   68.122168][ T8646] kobject: 'slaves': free name
[   68.127517][ T2885]  ? trace_hardirqs_on+0x67/0x220
[   68.127537][ T2885]  kthread+0x354/0x420
[   68.127550][ T2885]  ? process_one_work+0x1790/0x1790
[   68.127567][ T2885]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   68.132787][ T8646] kobject: 'loop3' (000000006be5ab36): kobject_uevent_env
[   68.137225][ T2885]  ret_from_fork+0x24/0x30
[   68.138751][ T2885] Kernel Offset: disabled
[   68.677526][ T2885] Rebooting in 86400 seconds..