[ ok ] Starting enhanced syslogd: rsyslogd.
[   57.785304][   T26] audit: type=1800 audit(1559740419.286:25): pid=8788 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   57.829926][   T26] audit: type=1800 audit(1559740419.296:26): pid=8788 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   57.882075][   T26] audit: type=1800 audit(1559740419.296:27): pid=8788 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.164' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   75.532942][   T22] ==================================================================
[   75.532990][   T22] BUG: KASAN: use-after-free in blk_mq_free_rqs+0x49f/0x4b0
[   75.533000][   T22] Read of size 8 at addr ffff88809ff39410 by task kworker/1:1/22
[   75.533003][   T22] 
[   75.533016][   T22] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.2.0-rc3+ #38
[   75.548607][   T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   75.548625][   T22] Workqueue: events __blk_release_queue
[   75.548643][   T22] Call Trace:
[   75.566344][   T22]  dump_stack+0x172/0x1f0
[   75.566362][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   75.566384][   T22]  print_address_description.cold+0x7c/0x20d
[   75.582168][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   75.582183][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   75.582199][   T22]  __kasan_report.cold+0x1b/0x40
[   75.582215][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   75.582234][   T22]  kasan_report+0x12/0x20
[   75.589835][   T22]  __asan_report_load8_noabort+0x14/0x20
[   75.589850][   T22]  blk_mq_free_rqs+0x49f/0x4b0
[   75.589863][   T22]  ? dd_exit_queue+0x92/0xd0
[   75.589874][   T22]  ? kfree+0x170/0x220
[   75.589896][   T22]  blk_mq_sched_tags_teardown+0x126/0x210
[   75.600799][   T22]  ? dd_request_merge+0x230/0x230
[   75.600818][   T22]  blk_mq_exit_sched+0x1fa/0x2d0
[   75.600838][   T22]  elevator_exit+0x70/0xa0
[   75.600859][   T22]  __blk_release_queue+0x127/0x330
[   75.610803][   T22]  process_one_work+0x989/0x1790
[   75.610829][   T22]  ? pwq_dec_nr_in_flight+0x320/0x320
[   75.610843][   T22]  ? lock_acquire+0x16f/0x3f0
[   75.610868][   T22]  worker_thread+0x98/0xe40
[   75.620740][   T22]  ? trace_hardirqs_on+0x67/0x220
[   75.620769][   T22]  kthread+0x354/0x420
[   75.620784][   T22]  ? process_one_work+0x1790/0x1790
[   75.620804][   T22]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   75.625314][ T8951] kobject: 'loop0' (000000008ab451f6): fill_kobj_path: path = '/devices/virtual/block/loop0'
[   75.630744][   T22]  ret_from_fork+0x24/0x30
[   75.630765][   T22] 
[   75.630773][   T22] Allocated by task 8949:
[   75.630786][   T22]  save_stack+0x23/0x90
[   75.630805][   T22]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   75.636147][ T8951] kobject: 'queue' (00000000bb323bf9): kobject_add_internal: parent: 'loop0', set: '<NULL>'
[   75.640160][   T22]  kasan_kmalloc+0x9/0x10
[   75.640172][   T22]  kmem_cache_alloc_trace+0x151/0x750
[   75.640185][   T22]  loop_add+0x51/0x8d0
[   75.640196][   T22]  loop_control_ioctl+0x165/0x360
[   75.640207][   T22]  do_vfs_ioctl+0xd5f/0x1380
[   75.640226][   T22]  ksys_ioctl+0xab/0xd0
executing program
[   75.640235][   T22]  __x64_sys_ioctl+0x73/0xb0
[   75.645016][ T8951] kobject: 'mq' (000000001d3314e3): kobject_add_internal: parent: 'loop0', set: '<NULL>'
[   75.650086][   T22]  do_syscall_64+0xfd/0x680
[   75.650099][   T22]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   75.650110][   T22] 
[   75.650117][   T22] Freed by task 8950:
[   75.650128][   T22]  save_stack+0x23/0x90
[   75.650140][   T22]  __kasan_slab_free+0x102/0x150
[   75.650158][   T22]  kasan_slab_free+0xe/0x10
[   75.655374][ T8951] kobject: 'mq' (000000001d3314e3): kobject_uevent_env
[   75.660115][   T22]  kfree+0xcf/0x220
[   75.660126][   T22]  loop_remove+0xa1/0xd0
[   75.660138][   T22]  loop_control_ioctl+0x320/0x360
[   75.660149][   T22]  do_vfs_ioctl+0xd5f/0x1380
[   75.660158][   T22]  ksys_ioctl+0xab/0xd0
[   75.660168][   T22]  __x64_sys_ioctl+0x73/0xb0
[   75.660187][   T22]  do_syscall_64+0xfd/0x680
[   75.665033][ T8951] kobject: 'mq' (000000001d3314e3): kobject_uevent_env: filter function caused the event to drop!
[   75.670310][   T22]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   75.670315][   T22] 
[   75.670326][   T22] The buggy address belongs to the object at ffff88809ff39200
[   75.670326][   T22]  which belongs to the cache kmalloc-1k of size 1024
[   75.670338][   T22] The buggy address is located 528 bytes inside of
[   75.670338][   T22]  1024-byte region [ffff88809ff39200, ffff88809ff39600)
[   75.670343][   T22] The buggy address belongs to the page:
[   75.670355][   T22] page:ffffea00027fce00 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0
[   75.675506][ T8951] kobject: '0' (000000000a48ab7f): kobject_add_internal: parent: 'mq', set: '<NULL>'
[   75.680654][   T22] flags: 0x1fffc0000010200(slab|head)
[   75.680673][   T22] raw: 01fffc0000010200 ffffea000261f988 ffffea0002822708 ffff8880aa400ac0
[   75.680690][   T22] raw: 0000000000000000 ffff88809ff38000 0000000100000007 0000000000000000
[   75.680696][   T22] page dumped because: kasan: bad access detected
[   75.680700][   T22] 
[   75.680704][   T22] Memory state around the buggy address:
[   75.680721][   T22]  ffff88809ff39300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.685703][ T8951] kobject: 'cpu0' (00000000ff2e1b8e): kobject_add_internal: parent: '0', set: '<NULL>'
[   75.689877][   T22]  ffff88809ff39380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.689888][   T22] >ffff88809ff39400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.689894][   T22]                          ^
[   75.689904][   T22]  ffff88809ff39480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.689916][   T22]  ffff88809ff39500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.689920][   T22] ==================================================================
[   75.689925][   T22] Disabling lock debugging due to kernel taint
[   75.691224][   T22] Kernel panic - not syncing: panic_on_warn set ...
[   75.695254][ T8951] kobject: 'cpu1' (000000000c05f3f4): kobject_add_internal: parent: '0', set: '<NULL>'
[   75.699056][   T22] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G    B             5.2.0-rc3+ #38
[   75.699070][   T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   75.704507][ T8951] kobject: 'queue' (00000000bb323bf9): kobject_uevent_env
[   75.710507][   T22] Workqueue: events __blk_release_queue
[   75.710515][   T22] Call Trace:
[   75.710534][   T22]  dump_stack+0x172/0x1f0
[   75.710561][   T22]  panic+0x2cb/0x744
[   75.720881][ T8951] kobject: 'queue' (00000000bb323bf9): kobject_uevent_env: filter function caused the event to drop!
[   75.725123][   T22]  ? __warn_printk+0xf3/0xf3
[   75.725140][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   75.725160][   T22]  ? preempt_schedule+0x4b/0x60
[   75.727760][ T8951] kobject: 'iosched' (00000000a358e860): kobject_add_internal: parent: 'queue', set: '<NULL>'
[   75.731968][   T22]  ? ___preempt_schedule+0x16/0x18
[   75.731983][   T22]  ? trace_hardirqs_on+0x5e/0x220
[   75.731997][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   75.732016][   T22]  end_report+0x47/0x4f
[   75.736555][ T8951] kobject: 'iosched' (00000000a358e860): kobject_uevent_env
[   75.741931][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   75.741945][   T22]  __kasan_report.cold+0xe/0x40
[   75.741959][   T22]  ? blk_mq_free_rqs+0x49f/0x4b0
[   75.741978][   T22]  kasan_report+0x12/0x20
[   75.752698][ T8951] kobject: 'iosched' (00000000a358e860): kobject_uevent_env: filter function caused the event to drop!
[   75.756825][   T22]  __asan_report_load8_noabort+0x14/0x20
[   75.756840][   T22]  blk_mq_free_rqs+0x49f/0x4b0
[   75.756860][   T22]  ? dd_exit_queue+0x92/0xd0
[   75.762431][ T8951] kobject: 'integrity' (00000000a6fabbf6): kobject_add_internal: parent: 'loop0', set: '<NULL>'
[   75.766284][   T22]  ? kfree+0x170/0x220
[   75.766303][   T22]  blk_mq_sched_tags_teardown+0x126/0x210
[   75.766322][   T22]  ? dd_request_merge+0x230/0x230
[   75.771694][ T8951] kobject: 'integrity' (00000000a6fabbf6): kobject_uevent_env
[   75.776051][   T22]  blk_mq_exit_sched+0x1fa/0x2d0
[   75.776069][   T22]  elevator_exit+0x70/0xa0
[   75.780348][ T8951] kobject: 'integrity' (00000000a6fabbf6): kobject_uevent_env: filter function caused the event to drop!
[   75.784793][   T22]  __blk_release_queue+0x127/0x330
[   75.784815][   T22]  process_one_work+0x989/0x1790
[   75.833347][ T8953] kobject: 'integrity' (00000000a6fabbf6): kobject_uevent_env
[   75.836730][   T22]  ? pwq_dec_nr_in_flight+0x320/0x320
[   75.836750][   T22]  ? lock_acquire+0x16f/0x3f0
[   75.841064][ T8953] kobject: 'integrity' (00000000a6fabbf6): kobject_uevent_env: filter function caused the event to drop!
[   75.846058][   T22]  worker_thread+0x98/0xe40
[   75.846079][   T22]  ? trace_hardirqs_on+0x67/0x220
[   75.851232][ T8953] kobject: 'integrity' (00000000a6fabbf6): kobject_cleanup, parent 0000000005f0d58f
[   75.854820][   T22]  kthread+0x354/0x420
[   75.854841][   T22]  ? process_one_work+0x1790/0x1790
[   75.859453][ T8953] kobject: 'integrity' (00000000a6fabbf6): does not have a release() function, it is broken and must be fixed. See Documentation/kobject.txt.
[   75.863908][   T22]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   75.863923][   T22]  ret_from_fork+0x24/0x30
[   75.875460][   T22] Kernel Offset: disabled
[   76.362545][   T22] Rebooting in 86400 seconds..