syzbot

md: md1 stopped.
md: md1 stopped.
md: md1 stopped.
md: md1 stopped.
==================================================================
BUG: KASAN: use-after-free in disk_unblock_events+0x4b/0x50 block/genhd.c:1647
md: md1 stopped.
Read of size 8 at addr ffff8880b38d4888 by task syz-executor561/8085

CPU: 1 PID: 8085 Comm: syz-executor561 Not tainted 4.14.217-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
 disk_unblock_events+0x4b/0x50 block/genhd.c:1647
 __blkdev_get+0x83b/0x1090 fs/block_dev.c:1556
 blkdev_get+0x88/0x890 fs/block_dev.c:1611
 blkdev_open+0x1cc/0x250 fs/block_dev.c:1772
 do_dentry_open+0x44b/0xec0 fs/open.c:777
 vfs_open+0x105/0x220 fs/open.c:888
 do_last fs/namei.c:3428 [inline]
 path_openat+0x628/0x2970 fs/namei.c:3569
md: md1 stopped.
md: md1 stopped.
 do_filp_open+0x179/0x3c0 fs/namei.c:3603
md: md1 stopped.
 do_sys_open+0x296/0x410 fs/open.c:1081
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x447369
RSP: 002b:00007f1fb6e9fd98 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00000000006dec58 RCX: 0000000000447369
RDX: 0000000000000000 RSI: 00000000200020c0 RDI: 00000000ffffff9c
RBP: 00000000006dec50 R08: 00007f1fb6ea0700 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dec5c
R13: 0000000020000000 R14: 00000000004af9e0 R15: 0000000000000001

Allocated by task 8077:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 kmem_cache_alloc_node_trace+0x153/0x400 mm/slab.c:3661
 kmalloc_node include/linux/slab.h:526 [inline]
 kzalloc_node include/linux/slab.h:672 [inline]
 alloc_disk_node+0x5d/0x3d0 block/genhd.c:1390
 md_alloc+0x22a/0x890 drivers/md/md.c:5332
 md_probe+0x28/0x40 drivers/md/md.c:5389
 kobj_lookup+0x21f/0x400 drivers/base/map.c:124
 get_gendisk+0x36/0x230 block/genhd.c:788
 __blkdev_get+0x3e5/0x1090 fs/block_dev.c:1449
 blkdev_get+0x88/0x890 fs/block_dev.c:1611
 blkdev_open+0x1cc/0x250 fs/block_dev.c:1772
 do_dentry_open+0x44b/0xec0 fs/open.c:777
 vfs_open+0x105/0x220 fs/open.c:888
 do_last fs/namei.c:3428 [inline]
 path_openat+0x628/0x2970 fs/namei.c:3569
 do_filp_open+0x179/0x3c0 fs/namei.c:3603
 do_sys_open+0x296/0x410 fs/open.c:1081
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 8085:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xc9/0x250 mm/slab.c:3815
 device_release+0xf0/0x1a0 drivers/base/core.c:831
 kobject_cleanup lib/kobject.c:646 [inline]
 kobject_release lib/kobject.c:675 [inline]
 kref_put include/linux/kref.h:70 [inline]
 kobject_put+0x251/0x550 lib/kobject.c:692
 put_disk+0x1f/0x30 block/genhd.c:1455
 __blkdev_get+0x7a6/0x1090 fs/block_dev.c:1549
 blkdev_get+0x88/0x890 fs/block_dev.c:1611
 blkdev_open+0x1cc/0x250 fs/block_dev.c:1772
 do_dentry_open+0x44b/0xec0 fs/open.c:777
 vfs_open+0x105/0x220 fs/open.c:888
 do_last fs/namei.c:3428 [inline]
 path_openat+0x628/0x2970 fs/namei.c:3569
 do_filp_open+0x179/0x3c0 fs/namei.c:3603
 do_sys_open+0x296/0x410 fs/open.c:1081
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

The buggy address belongs to the object at ffff8880b38d4300
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1416 bytes inside of
 2048-byte region [ffff8880b38d4300, ffff8880b38d4b00)
The buggy address belongs to the page:
page:ffffea0002ce3500 count:1 mapcount:0 mapping:ffff8880b38d4300 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffff8880b38d4300 0000000000000000 0000000100000003
raw: ffffea0002bf19a0 ffffea0002d069a0 ffff88813fe80c40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880b38d4780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880b38d4800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880b38d4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff8880b38d4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880b38d4980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================