[ ok ] Starting enhanced syslogd: rsyslogd.
[   53.900587][   T26] audit: type=1800 audit(1559967745.999:25): pid=8500 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   53.945021][   T26] audit: type=1800 audit(1559967745.999:26): pid=8500 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   53.979780][   T26] audit: type=1800 audit(1559967745.999:27): pid=8500 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.54' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: 
[   64.794008][ T2993] ==================================================================
[   64.794050][ T2993] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[   64.794060][ T2993] Read of size 8 at addr ffff8880a3fc6690 by task kworker/0:2/2993
[   64.794063][ T2993] 
[   64.809652][ T2993] CPU: 0 PID: 2993 Comm: kworker/0:2 Not tainted 5.2.0-rc3+ #42
[   64.809660][ T2993] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   64.809680][ T2993] Workqueue: events __blk_release_queue
[   64.809688][ T2993] Call Trace:
[   64.809707][ T2993]  dump_stack+0x172/0x1f0
[   64.809725][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[   64.820092][ T2993]  print_address_description.cold+0x7c/0x20d
[   64.820106][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[   64.820119][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[   64.820133][ T2993]  __kasan_report.cold+0x1b/0x40
[   64.820148][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[   64.820164][ T2993]  kasan_report+0x12/0x20
[   64.837813][ T2993]  __asan_report_load8_noabort+0x14/0x20
executing program
[   64.837827][ T2993]  blk_mq_free_rqs+0x49f/0x4b0
[   64.837841][ T2993]  ? dd_exit_queue+0x92/0xd0
[   64.837852][ T2993]  ? kfree+0x170/0x220
[   64.837872][ T2993]  blk_mq_sched_tags_teardown+0x126/0x210
[   64.837886][ T2993]  ? dd_request_merge+0x230/0x230
[   64.837904][ T2993]  blk_mq_exit_sched+0x1fa/0x2d0
[   64.846786][ T2993]  elevator_exit+0x70/0xa0
[   64.846804][ T2993]  __blk_release_queue+0x127/0x330
[   64.846824][ T2993]  process_one_work+0x989/0x1790
[   64.846847][ T2993]  ? pwq_dec_nr_in_flight+0x320/0x320
[   64.856076][ T2993]  ? lock_acquire+0x16f/0x3f0
[   64.856103][ T2993]  worker_thread+0x98/0xe40
[   64.856119][ T2993]  ? trace_hardirqs_on+0x67/0x220
[   64.856147][ T2993]  kthread+0x354/0x420
[   64.867127][ T2993]  ? process_one_work+0x1790/0x1790
[   64.867142][ T2993]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   64.867160][ T2993]  ret_from_fork+0x24/0x30
[   64.867178][ T2993] 
[   64.877030][ T2993] Allocated by task 1:
[   64.877047][ T2993]  save_stack+0x23/0x90
[   64.877060][ T2993]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   64.877071][ T2993]  kasan_kmalloc+0x9/0x10
[   64.877082][ T2993]  kmem_cache_alloc_trace+0x151/0x750
[   64.877097][ T2993]  loop_add+0x51/0x8d0
[   64.886422][ T2993]  loop_init+0x1fe/0x25a
[   64.886438][ T2993]  do_one_initcall+0x107/0x7ba
[   64.886453][ T2993]  kernel_init_freeable+0x4d4/0x5c3
[   64.886466][ T2993]  kernel_init+0x12/0x1c5
[   64.886481][ T2993]  ret_from_fork+0x24/0x30
[   64.897002][ T2993] 
[   64.897010][ T2993] Freed by task 8662:
[   64.897029][ T2993]  save_stack+0x23/0x90
[   64.897040][ T2993]  __kasan_slab_free+0x102/0x150
[   64.897052][ T2993]  kasan_slab_free+0xe/0x10
[   64.897061][ T2993]  kfree+0xcf/0x220
[   64.897077][ T2993]  loop_remove+0xa1/0xd0
[   64.905697][ T2993]  loop_control_ioctl+0x320/0x360
[   64.905708][ T2993]  do_vfs_ioctl+0xd5f/0x1380
[   64.905719][ T2993]  ksys_ioctl+0xab/0xd0
[   64.905729][ T2993]  __x64_sys_ioctl+0x73/0xb0
[   64.905742][ T2993]  do_syscall_64+0xfd/0x680
[   64.905765][ T2993]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   65.094934][ T2993] 
[   65.097255][ T2993] The buggy address belongs to the object at ffff8880a3fc6480
[   65.097255][ T2993]  which belongs to the cache kmalloc-1k of size 1024
[   65.111699][ T2993] The buggy address is located 528 bytes inside of
[   65.111699][ T2993]  1024-byte region [ffff8880a3fc6480, ffff8880a3fc6880)
[   65.125083][ T2993] The buggy address belongs to the page:
[   65.130740][ T2993] page:ffffea00028ff180 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[   65.141693][ T2993] flags: 0x1fffc0000010200(slab|head)
[   65.147572][ T2993] raw: 01fffc0000010200 ffffea00028fdc88 ffffea00028e0988 ffff8880aa400ac0
[   65.156872][ T2993] raw: 0000000000000000 ffff8880a3fc6000 0000000100000007 0000000000000000
[   65.165644][ T2993] page dumped because: kasan: bad access detected
[   65.172273][ T2993] 
[   65.174604][ T2993] Memory state around the buggy address:
[   65.180241][ T2993]  ffff8880a3fc6580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.188328][ T2993]  ffff8880a3fc6600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.196384][ T2993] >ffff8880a3fc6680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.204522][ T2993]                          ^
[   65.209145][ T2993]  ffff8880a3fc6700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.217214][ T2993]  ffff8880a3fc6780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.225373][ T2993] ==================================================================
[   65.233971][ T2993] Disabling lock debugging due to kernel taint
[   65.240616][ T2993] Kernel panic - not syncing: panic_on_warn set ...
[   65.247234][ T2993] CPU: 0 PID: 2993 Comm: kworker/0:2 Tainted: G    B             5.2.0-rc3+ #42
[   65.256565][ T2993] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   65.266819][ T2993] Workqueue: events __blk_release_queue
[   65.272400][ T2993] Call Trace:
[   65.275695][ T2993]  dump_stack+0x172/0x1f0
[   65.280166][ T2993]  panic+0x2cb/0x744
[   65.285623][ T2993]  ? __warn_printk+0xf3/0xf3
[   65.290428][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[   65.295481][ T2993]  ? preempt_schedule+0x4b/0x60
[   65.300681][ T2993]  ? ___preempt_schedule+0x16/0x18
[   65.305811][ T2993]  ? trace_hardirqs_on+0x5e/0x220
[   65.311457][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[   65.316608][ T2993]  end_report+0x47/0x4f
[   65.320842][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[   65.325824][ T2993]  __kasan_report.cold+0xe/0x40
[   65.330763][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[   65.335939][ T2993]  kasan_report+0x12/0x20
[   65.340304][ T2993]  __asan_report_load8_noabort+0x14/0x20
[   65.346459][ T2993]  blk_mq_free_rqs+0x49f/0x4b0
[   65.351395][ T2993]  ? dd_exit_queue+0x92/0xd0
[   65.356083][ T2993]  ? kfree+0x170/0x220
[   65.360164][ T2993]  blk_mq_sched_tags_teardown+0x126/0x210
[   65.366218][ T2993]  ? dd_request_merge+0x230/0x230
[   65.371244][ T2993]  blk_mq_exit_sched+0x1fa/0x2d0
[   65.376209][ T2993]  elevator_exit+0x70/0xa0
[   65.380639][ T2993]  __blk_release_queue+0x127/0x330
[   65.385752][ T2993]  process_one_work+0x989/0x1790
[   65.391244][ T2993]  ? pwq_dec_nr_in_flight+0x320/0x320
[   65.397249][ T2993]  ? lock_acquire+0x16f/0x3f0
[   65.402075][ T2993]  worker_thread+0x98/0xe40
[   65.406983][ T2993]  ? trace_hardirqs_on+0x67/0x220
[   65.412748][ T2993]  kthread+0x354/0x420
[   65.416866][ T2993]  ? process_one_work+0x1790/0x1790
[   65.422192][ T2993]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   65.428789][ T2993]  ret_from_fork+0x24/0x30
[   65.434817][ T2993] Kernel Offset: disabled
[   65.439214][ T2993] Rebooting in 86400 seconds..
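Reading the three stacks above together gives the triage picture: the 1024-byte object was allocated by loop_add during boot (task 1), freed by kfree in loop_remove via loop_control_ioctl (task 8662), and then read 528 bytes into the freed region by blk_mq_free_rqs while the deferred __blk_release_queue work (kworker/0:2, task 2993) tore down the I/O scheduler's request pool. Free and use happen in different tasks, which is the usual signature of a deferred-release ordering bug: the owner was freed before work that still references it had run. The script below is an added example, not part of the crash log or of syzkaller/KASAN tooling. It parses a KASAN report into structured fields and derives that summary, stripping the KASAN and allocator plumbing frames so that the first "real" frame of each stack is the alloc, free and use site. The sample text is an excerpt of the report above (one interleaved "executing program" line kept on purpose); the result dict's field names are my own.

```python
"""Parse a KASAN use-after-free report into structured triage data.

Added example. Sample input is an excerpt of the crash log on this page,
embedded here so the script runs offline; field names are my own choice."""
import re

KASAN_REPORT = """\
[   64.794050][ T2993] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[   64.794060][ T2993] Read of size 8 at addr ffff8880a3fc6690 by task kworker/0:2/2993
[   64.794063][ T2993] 
[   64.809652][ T2993] CPU: 0 PID: 2993 Comm: kworker/0:2 Not tainted 5.2.0-rc3+ #42
[   64.809680][ T2993] Workqueue: events __blk_release_queue
[   64.809688][ T2993] Call Trace:
[   64.809707][ T2993]  dump_stack+0x172/0x1f0
[   64.809725][ T2993]  ? blk_mq_free_rqs+0x49f/0x4b0
[   64.820092][ T2993]  print_address_description.cold+0x7c/0x20d
[   64.820132][ T2993]  __kasan_report.cold+0x1b/0x40
[   64.837813][ T2993]  __asan_report_load8_noabort+0x14/0x20
executing program
[   64.837827][ T2993]  blk_mq_free_rqs+0x49f/0x4b0
[   64.837872][ T2993]  blk_mq_sched_tags_teardown+0x126/0x210
[   64.837904][ T2993]  blk_mq_exit_sched+0x1fa/0x2d0
[   64.846786][ T2993]  elevator_exit+0x70/0xa0
[   64.846804][ T2993]  __blk_release_queue+0x127/0x330
[   64.846824][ T2993]  process_one_work+0x989/0x1790
[   64.867178][ T2993] 
[   64.877030][ T2993] Allocated by task 1:
[   64.877047][ T2993]  save_stack+0x23/0x90
[   64.877060][ T2993]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   64.877082][ T2993]  kmem_cache_alloc_trace+0x151/0x750
[   64.877097][ T2993]  loop_add+0x51/0x8d0
[   64.886422][ T2993]  loop_init+0x1fe/0x25a
[   64.897002][ T2993] 
[   64.897010][ T2993] Freed by task 8662:
[   64.897029][ T2993]  save_stack+0x23/0x90
[   64.897040][ T2993]  __kasan_slab_free+0x102/0x150
[   64.897061][ T2993]  kfree+0xcf/0x220
[   64.897077][ T2993]  loop_remove+0xa1/0xd0
[   64.905697][ T2993]  loop_control_ioctl+0x320/0x360
[   65.094934][ T2993] 
[   65.097255][ T2993] The buggy address belongs to the object at ffff8880a3fc6480
[   65.097255][ T2993]  which belongs to the cache kmalloc-1k of size 1024
[   65.111699][ T2993] The buggy address is located 528 bytes inside of
[   65.111699][ T2993]  1024-byte region [ffff8880a3fc6480, ffff8880a3fc6880)
"""

# "[  64.794050][ T2993] " timestamp/thread prefix printed by the kernel console.
PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")
# A resolved frame: "func+0xoff/0xsize". Frames starting with "? " are unreliable
# stack slots and deliberately do not match.
FRAME = re.compile(r"^(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Instrumentation/allocator frames that sit above the interesting code in every stack.
NOISE = re.compile(r"kasan|asan_report|save_stack|dump_stack|kmem_cache_alloc|kfree|"
                   r"print_address_description")


def parse_kasan_report(text):
    """Return {bug, access{...}, alloc{pid, frames}, free{pid, frames}, object_*...}."""
    rep = {"access": {"frames": []}, "alloc": {"frames": []}, "free": {"frames": []}}
    section = None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if line == "":                       # blank line ends a stack section
            section = None
            continue
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+$", line):
            rep["bug"], rep["access"]["func"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)$", line):
            rep["access"].update(op=m.group(1), size=int(m.group(2)), addr=int(m.group(3), 16),
                                 task=m.group(4), pid=int(m.group(5)))
        elif m := re.match(r"Workqueue: \S+ (\S+)$", line):
            rep["access"]["workqueue"] = m.group(1)
        elif line == "Call Trace:":
            section = "access"
        elif m := re.match(r"Allocated by task (\d+):$", line):
            rep["alloc"]["pid"], section = int(m.group(1)), "alloc"
        elif m := re.match(r"Freed by task (\d+):$", line):
            rep["free"]["pid"], section = int(m.group(1)), "free"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)$", line):
            rep["object_base"] = int(m.group(1), 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)$", line):
            rep["cache"], rep["object_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of$", line):
            rep["reported_offset"] = int(m.group(1))
        elif section and (m := FRAME.match(line)):
            rep[section]["frames"].append(m.group(1))
        # anything else (CPU line, interleaved "executing program", ...) is ignored
    return rep


def first_real_frame(frames):
    """First frame that is not KASAN/allocator plumbing, i.e. the code that acted."""
    return next((f for f in frames if not NOISE.search(f)), None)


def triage(rep):
    """Summarise who allocated, who freed, who used, and sanity-check the offset."""
    acc = rep["access"]
    offset = acc["addr"] - rep["object_base"]
    return {
        "bug": rep["bug"],
        "alloc_site": first_real_frame(rep["alloc"]["frames"]),
        "free_site": first_real_frame(rep["free"]["frames"]),
        "use_site": first_real_frame(acc["frames"]),
        "use_context": acc.get("workqueue"),
        "offset": offset,
        "offset_matches_report": offset == rep["reported_offset"],
        "inside_object": 0 <= offset < rep["object_size"],
        # freed in one task, touched from another: a lifetime/ordering bug across contexts
        "cross_task_use": acc["pid"] != rep["free"]["pid"],
    }


if __name__ == "__main__":
    for k, v in triage(parse_kasan_report(KASAN_REPORT)).items():
        print(f"{k:24} {v}")
```

The offset is recomputed from the two addresses rather than trusted from the "located N bytes inside" line, so a hand-edited or truncated report is caught; on this log it comes out to 528, matching what KASAN printed.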