syzbot

==================================================================
BUG: KASAN: use-after-free in disk_unblock_events+0x51/0x60 block/genhd.c:1657
Read of size 8 at addr ffff8801d4f82e40 by task blkid/4168

CPU: 1 PID: 4168 Comm: blkid Not tainted 4.15.0-rc8+ #263
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x25b/0x340 mm/kasan/report.c:409
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
 disk_unblock_events+0x51/0x60 block/genhd.c:1657
 __blkdev_get+0x869/0x10e0 fs/block_dev.c:1535
 blkdev_get+0x3a1/0xad0 fs/block_dev.c:1591
 blkdev_open+0x1c9/0x250 fs/block_dev.c:1749
 do_dentry_open+0x667/0xd40 fs/open.c:752
 vfs_open+0x107/0x220 fs/open.c:866
 do_last fs/namei.c:3379 [inline]
 path_openat+0x1151/0x3530 fs/namei.c:3519
 do_filp_open+0x25b/0x3b0 fs/namei.c:3554
 do_sys_open+0x502/0x6d0 fs/open.c:1059
 SYSC_open fs/open.c:1077 [inline]
 SyS_open+0x2d/0x40 fs/open.c:1072
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x7fc3ad794120
RSP: 002b:00007fff61c14658 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007fc3adc7587c RCX: 00007fc3ad794120
RDX: 00007fff61c16f45 RSI: 0000000000000000 RDI: 00007fff61c16f45
RBP: 00007fff61c16f3d R08: 0000000000000078 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403738
R13: 0000000000000001 R14: 0000000000000000 R15: 00007fc3ada6aa20

Allocated by task 4153:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kmem_cache_alloc_node_trace+0x150/0x750 mm/slab.c:3653
 kmalloc_node include/linux/slab.h:537 [inline]
 kzalloc_node include/linux/slab.h:699 [inline]
 __alloc_disk_node+0xb4/0x4e0 block/genhd.c:1400
 loop_add+0x44c/0xa70 drivers/block/loop.c:1814
 loop_control_ioctl+0x2e9/0x490 drivers/block/loop.c:1972
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 entry_SYSCALL_64_fastpath+0x29/0xa0

Freed by task 4168:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3488 [inline]
 kfree+0xd6/0x260 mm/slab.c:3803
 disk_release+0x327/0x410 block/genhd.c:1249
 device_release+0x7c/0x210 drivers/base/core.c:814
 kobject_cleanup lib/kobject.c:648 [inline]
 kobject_release lib/kobject.c:677 [inline]
 kref_put include/linux/kref.h:70 [inline]
 kobject_put+0x14c/0x250 lib/kobject.c:694
 put_disk+0x23/0x30 block/genhd.c:1465
 __blkdev_get+0x7c9/0x10e0 fs/block_dev.c:1528
 blkdev_get+0x3a1/0xad0 fs/block_dev.c:1591
 blkdev_open+0x1c9/0x250 fs/block_dev.c:1749
 do_dentry_open+0x667/0xd40 fs/open.c:752
 vfs_open+0x107/0x220 fs/open.c:866
 do_last fs/namei.c:3379 [inline]
 path_openat+0x1151/0x3530 fs/namei.c:3519
 do_filp_open+0x25b/0x3b0 fs/namei.c:3554
 do_sys_open+0x502/0x6d0 fs/open.c:1059
 SYSC_open fs/open.c:1077 [inline]
 SyS_open+0x2d/0x40 fs/open.c:1072
 entry_SYSCALL_64_fastpath+0x29/0xa0

The buggy address belongs to the object at ffff8801d4f828c0
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1408 bytes inside of
 2048-byte region [ffff8801d4f828c0, ffff8801d4f830c0)
The buggy address belongs to the page:
page:ffffea000753e080 count:1 mapcount:0 mapping:ffff8801d4f82040 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801d4f82040 0000000000000000 0000000100000003
raw: ffffea000753e020 ffffea000763c420 ffff8801dac00c40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d4f82d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d4f82d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801d4f82e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff8801d4f82e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d4f82f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================