INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-386-2,10.128.0.51' (ECDSA) to the list of known hosts. 2017/10/25 04:20:50 parsed 1 programs 2017/10/25 04:20:50 executed programs: 0 2017/10/25 04:20:55 executed programs: 396 2017/10/25 04:21:00 executed programs: 786 2017/10/25 04:21:05 executed programs: 1186 2017/10/25 04:21:10 executed programs: 1582 2017/10/25 04:21:15 executed programs: 1951 syzkaller login: [ 884.161068] ================================================================== [ 884.162425] BUG: KASAN: use-after-free in disk_unblock_events+0x51/0x60 [ 884.163349] Read of size 8 at addr ffff8801d1971840 by task blkid/5499 [ 884.164239] [ 884.164502] CPU: 0 PID: 5499 Comm: blkid Not tainted 4.14.0-rc6+ #56 [ 884.165404] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 884.166776] Call Trace: [ 884.167213] dump_stack+0x194/0x257 [ 884.167777] ? arch_local_irq_restore+0x53/0x53 [ 884.168739] ? show_regs_print_info+0x65/0x65 [ 884.169519] ? kfree_const+0x31/0x40 [ 884.170127] ? disk_unblock_events+0x51/0x60 [ 884.171018] print_address_description+0x73/0x250 [ 884.171761] ? disk_unblock_events+0x51/0x60 [ 884.172419] kasan_report+0x25b/0x340 [ 884.172953] __asan_report_load8_noabort+0x14/0x20 [ 884.173658] disk_unblock_events+0x51/0x60 [ 884.174405] __blkdev_get+0x78d/0xf90 [ 884.174981] ? __blkdev_put+0x7c0/0x7c0 [ 884.175567] blkdev_get+0x3a1/0xad0 [ 884.176091] ? do_raw_spin_trylock+0x190/0x190 [ 884.176743] ? bd_link_disk_holder+0x8b0/0x8b0 [ 884.177384] ? __fsnotify_parent+0xb4/0x3a0 [ 884.178035] ? errseq_sample+0xee/0x140 [ 884.178585] ? _copy_to_user+0xc0/0xc0 [ 884.179163] ? _raw_spin_unlock+0x22/0x30 [ 884.179808] blkdev_open+0x1c9/0x250 [ 884.180597] ? security_file_open+0x89/0x190 [ 884.181271] do_dentry_open+0x664/0xd40 [ 884.185242] ? security_inode_permission+0xbb/0xf0 [ 884.190166] ? bd_acquire+0x2c0/0x2c0 [ 884.193967] vfs_open+0x107/0x220 [ 884.197443] path_openat+0x1151/0x3520 [ 884.201318] ? path_lookupat+0xba0/0xba0 [ 884.205368] ? lock_downgrade+0x990/0x990 [ 884.209479] ? getname+0x19/0x20 [ 884.212815] ? do_raw_spin_trylock+0x190/0x190 [ 884.217364] ? find_held_lock+0x35/0x1d0 [ 884.221396] ? __lock_is_held+0xb6/0x140 [ 884.225426] ? _find_next_bit+0xee/0x120 [ 884.229460] ? _raw_spin_unlock+0x22/0x30 [ 884.233591] ? __alloc_fd+0x29b/0x750 [ 884.237368] do_filp_open+0x25b/0x3b0 [ 884.241135] ? may_open_dev+0xe0/0xe0 [ 884.244930] ? mpi_resize+0x200/0x200 [ 884.248702] ? get_unused_fd_flags+0x121/0x190 [ 884.253266] ? getname_flags+0x256/0x580 [ 884.257302] do_sys_open+0x502/0x6d0 [ 884.260979] ? do_sys_open+0x502/0x6d0 [ 884.264836] ? filp_open+0x70/0x70 [ 884.268342] ? entry_SYSCALL_64_fastpath+0x5/0xbe [ 884.273153] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 884.278142] SyS_open+0x2d/0x40 [ 884.281392] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 884.286113] RIP: 0033:0x7fe182fa7120 [ 884.289796] RSP: 002b:00007ffc21a17df8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 884.297468] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe182fa7120 [ 884.304703] RDX: 00007ffc21a18f44 RSI: 0000000000000000 RDI: 00007ffc21a18f44 [ 884.311939] RBP: 0000000000000082 R08: 0000000000000078 R09: 0000000000000000 [ 884.319174] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403738 [ 884.326413] R13: 0000000000000001 R14: 0000000000000000 R15: 00007fe18327da20 [ 884.333665] [ 884.335269] Allocated by task 5491: [ 884.338895] save_stack_trace+0x16/0x20 [ 884.342863] save_stack+0x43/0xd0 [ 884.346284] kasan_kmalloc+0xad/0xe0 [ 884.349961] kmem_cache_alloc_node_trace+0x150/0x750 [ 884.355031] alloc_disk_node+0xb4/0x4e0 [ 884.358969] alloc_disk+0x18/0x20 [ 884.362426] loop_add+0x45c/0xa50 [ 884.365843] loop_probe+0x16d/0x1a0 [ 884.369459] kobj_lookup+0x2ac/0x410 [ 884.373136] get_gendisk+0x37/0x230 [ 884.376730] blkdev_get+0x12d/0xad0 [ 884.380321] blkdev_open+0x1c9/0x250 [ 884.383999] do_dentry_open+0x664/0xd40 [ 884.387941] vfs_open+0x107/0x220 [ 884.391359] path_openat+0x1151/0x3520 [ 884.395210] do_filp_open+0x25b/0x3b0 [ 884.398974] do_sys_open+0x502/0x6d0 [ 884.402652] compat_SyS_open+0x2a/0x40 [ 884.406538] do_fast_syscall_32+0x3f2/0xf05 [ 884.410826] entry_SYSENTER_compat+0x51/0x60 [ 884.415194] [ 884.416787] Freed by task 5499: [ 884.420036] save_stack_trace+0x16/0x20 [ 884.423976] save_stack+0x43/0xd0 [ 884.427391] kasan_slab_free+0x71/0xc0 [ 884.431253] kfree+0xca/0x250 [ 884.434325] disk_release+0x327/0x410 [ 884.438118] device_release+0x7c/0x200 [ 884.441989] kobject_put+0x14c/0x240 [ 884.445671] put_disk+0x23/0x30 [ 884.448917] __blkdev_get+0x6ed/0xf90 [ 884.452680] blkdev_get+0x3a1/0xad0 [ 884.456271] blkdev_open+0x1c9/0x250 [ 884.459949] do_dentry_open+0x664/0xd40 [ 884.463887] vfs_open+0x107/0x220 [ 884.467306] path_openat+0x1151/0x3520 [ 884.471155] do_filp_open+0x25b/0x3b0 [ 884.474919] do_sys_open+0x502/0x6d0 [ 884.478598] SyS_open+0x2d/0x40 [ 884.481848] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 884.486564] [ 884.488159] The buggy address belongs to the object at ffff8801d19712c0 [ 884.488159] which belongs to the cache kmalloc-2048 of size 2048 [ 884.500953] The buggy address is located 1408 bytes inside of [ 884.500953] 2048-byte region [ffff8801d19712c0, ffff8801d1971ac0) [ 884.512963] The buggy address belongs to the page: [ 884.517861] page:ffffea0007465c00 count:1 mapcount:0 mapping:ffff8801d19701c0 index:0x0 compound_mapcount: 0 [ 884.527793] flags: 0x200000000008100(slab|head) [ 884.532429] raw: 0200000000008100 ffff8801d19701c0 0000000000000000 0000000100000003 [ 884.540276] raw: ffffea0007167ea0 ffffea0007465ca0 ffff8801dac00c40 0000000000000000 [ 884.548118] page dumped because: kasan: bad access detected [ 884.553790] [ 884.555385] Memory state around the buggy address: [ 884.560279] ffff8801d1971700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 884.567602] ffff8801d1971780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 884.574924] >ffff8801d1971800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 884.582248] ^ [ 884.587662] ffff8801d1971880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 884.594987] ffff8801d1971900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 884.602308] ================================================================== [ 884.609637] Disabling lock debugging due to kernel taint [ 884.615136] Kernel panic - not syncing: panic_on_warn set ... [ 884.615136] [ 884.622478] CPU: 0 PID: 5499 Comm: blkid Tainted: G B 4.14.0-rc6+ #56 [ 884.630171] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 884.639510] Call Trace: [ 884.642089] dump_stack+0x194/0x257 [ 884.645712] ? arch_local_irq_restore+0x53/0x53 [ 884.650364] ? kasan_end_report+0x32/0x50 [ 884.654503] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 884.659251] ? disk_unblock_events+0x10/0x60 [ 884.663711] panic+0x1e4/0x417 [ 884.666895] ? __warn+0x1d9/0x1d9 [ 884.670345] ? disk_unblock_events+0x51/0x60 [ 884.674735] kasan_end_report+0x50/0x50 [ 884.678691] kasan_report+0x144/0x340 [ 884.682485] __asan_report_load8_noabort+0x14/0x20 [ 884.687400] disk_unblock_events+0x51/0x60 [ 884.691618] __blkdev_get+0x78d/0xf90 [ 884.695412] ? __blkdev_put+0x7c0/0x7c0 [ 884.699386] blkdev_get+0x3a1/0xad0 [ 884.703003] ? do_raw_spin_trylock+0x190/0x190 [ 884.707582] ? bd_link_disk_holder+0x8b0/0x8b0 [ 884.712150] ? __fsnotify_parent+0xb4/0x3a0 [ 884.716453] ? errseq_sample+0xee/0x140 [ 884.720409] ? _copy_to_user+0xc0/0xc0 [ 884.724283] ? _raw_spin_unlock+0x22/0x30 [ 884.728416] blkdev_open+0x1c9/0x250 [ 884.732112] ? security_file_open+0x89/0x190 [ 884.736507] do_dentry_open+0x664/0xd40 [ 884.740462] ? security_inode_permission+0xbb/0xf0 [ 884.745377] ? bd_acquire+0x2c0/0x2c0 [ 884.749166] vfs_open+0x107/0x220 [ 884.752605] path_openat+0x1151/0x3520 [ 884.756483] ? path_lookupat+0xba0/0xba0 [ 884.760536] ? lock_downgrade+0x990/0x990 [ 884.764664] ? getname+0x19/0x20 [ 884.768023] ? do_raw_spin_trylock+0x190/0x190 [ 884.772601] ? find_held_lock+0x35/0x1d0 [ 884.776659] ? __lock_is_held+0xb6/0x140 [ 884.780701] ? _find_next_bit+0xee/0x120 [ 884.784750] ? _raw_spin_unlock+0x22/0x30 [ 884.788900] ? __alloc_fd+0x29b/0x750 [ 884.792700] do_filp_open+0x25b/0x3b0 [ 884.796483] ? may_open_dev+0xe0/0xe0 [ 884.800276] ? mpi_resize+0x200/0x200 [ 884.805267] ? get_unused_fd_flags+0x121/0x190 [ 884.809835] ? getname_flags+0x256/0x580 [ 884.813881] do_sys_open+0x502/0x6d0 [ 884.817575] ? do_sys_open+0x502/0x6d0 [ 884.821447] ? filp_open+0x70/0x70 [ 884.824973] ? entry_SYSCALL_64_fastpath+0x5/0xbe [ 884.829812] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 884.834822] SyS_open+0x2d/0x40 [ 884.838090] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 884.842824] RIP: 0033:0x7fe182fa7120 [ 884.846514] RSP: 002b:00007ffc21a17df8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 884.854202] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe182fa7120 [ 884.861453] RDX: 00007ffc21a18f44 RSI: 0000000000000000 RDI: 00007ffc21a18f44 [ 884.868707] RBP: 0000000000000082 R08: 0000000000000078 R09: 0000000000000000 [ 884.875964] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403738 [ 884.883216] R13: 0000000000000001 R14: 0000000000000000 R15: 00007fe18327da20 [ 884.890883] Dumping ftrace buffer: [ 884.894393] (ftrace buffer empty) [ 884.898067] Kernel Offset: disabled [ 884.901659] Rebooting in 86400 seconds..