[....] Starting enhanced syslogd: rsyslogd[ 14.873897] audit: type=1400 audit(1573239326.579:4): avc: denied { syslog } for pid=1920 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[ ok 8[?25h[?0c.
Starting mcstransd:
[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.75' (ECDSA) to the list of known hosts.
2019/11/08 18:55:38 parsed 1 programs
2019/11/08 18:55:40 executed programs: 0
syzkaller login: [ 29.922555] ==================================================================
[ 29.929962] BUG: KASAN: use-after-free in disk_unblock_events+0x55/0x60
[ 29.936711] Read of size 8 at addr ffff8801d2097c68 by task blkid/2330
[ 29.943371]
[ 29.944999] CPU: 0 PID: 2330 Comm: blkid Not tainted 4.4.174+ #4
[ 29.951137] 0000000000000000 b72725c64a7912c5 ffff8800b456f730 ffffffff81aad1a1
[ 29.959211] 0000000000000000 ffffea0007482400 ffff8801d2097c68 0000000000000008
[ 29.967269] 0000000000000000 ffff8800b456f768 ffffffff81490120 0000000000000000
[ 29.975337] Call Trace:
[ 29.977925] [] dump_stack+0xc1/0x120
[ 29.983295] [] print_address_description+0x6f/0x21b
[ 29.990062] [] kasan_report.cold+0x8c/0x2be
[ 29.996037] [] ? disk_unblock_events+0x55/0x60
[ 30.002271] [] __asan_report_load8_noabort+0x14/0x20
[ 30.009029] [] disk_unblock_events+0x55/0x60
[ 30.015548] [] __blkdev_get+0x70c/0xdf0
[ 30.021175] [] ? __blkdev_put+0x840/0x840
[ 30.026979] [] ? trace_hardirqs_on+0x10/0x10
[ 30.033229] [] blkdev_get+0x2e8/0x920
[ 30.038681] [] ? bd_may_claim+0xd0/0xd0
[ 30.044740] [] ? bd_acquire+0x8a/0x370
[ 30.050278] [] ? _raw_spin_unlock+0x2d/0x50
[ 30.056249] [] blkdev_open+0x1aa/0x250
[ 30.061791] [] do_dentry_open+0x38f/0xbd0
[ 30.069328] [] ? __inode_permission2+0x9e/0x250
[ 30.075648] [] ? blkdev_get_by_dev+0x80/0x80
[ 30.081711] [] vfs_open+0x10b/0x210
[ 30.086992] [] ? may_open.isra.0+0xe7/0x210
[ 30.092990] [] path_openat+0x136f/0x4470
[ 30.098712] [] ? kasan_kmalloc.part.0+0xc6/0xf0
[ 30.105037] [] ? may_open.isra.0+0x210/0x210
[ 30.111294] [] ? trace_hardirqs_on+0x10/0x10
[ 30.117355] [] do_filp_open+0x1a1/0x270
[ 30.122982] [] ? user_path_mountpoint_at+0x50/0x50
[ 30.129560] [] ? __alloc_fd+0x1ea/0x490
[ 30.135184] [] ? _raw_spin_unlock+0x2d/0x50
[ 30.141154] [] do_sys_open+0x2f8/0x600
[ 30.146692] [] ? filp_open+0x70/0x70
[ 30.161260] [] ? retint_user+0x18/0x3c
[ 30.166824] [] ? trace_hardirqs_on_caller+0x385/0x5a0
[ 30.173663] [] SyS_open+0x2d/0x40
[ 30.178878] [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 30.185434]
[ 30.187038] Allocated by task 2309:
[ 30.190643] [] save_stack_trace+0x26/0x50
[ 30.196586] [] kasan_kmalloc.part.0+0x62/0xf0
[ 30.202874] [] kasan_kmalloc+0xb7/0xd0
[ 30.208554] [] kmem_cache_alloc_trace+0x123/0x2d0
[ 30.215191] [] alloc_disk_node+0x50/0x3c0
[ 30.221104] [] alloc_disk+0x1b/0x20
[ 30.226493] [] loop_add+0x380/0x830
[ 30.231867] [] loop_probe+0x154/0x180
[ 30.237415] [] kobj_lookup+0x221/0x410
[ 30.243060] [] get_gendisk+0x3c/0x2e0
[ 30.248607] [] __blkdev_get+0x39c/0xdf0
[ 30.254329] [] blkdev_get+0x2e8/0x920
[ 30.259878] [] blkdev_open+0x1aa/0x250
[ 30.265514] [] do_dentry_open+0x38f/0xbd0
[ 30.271440] [] vfs_open+0x10b/0x210
[ 30.276826] [] path_openat+0x136f/0x4470
[ 30.282741] [] do_filp_open+0x1a1/0x270
[ 30.288477] [] do_sys_open+0x2f8/0x600
[ 30.294113] [] SyS_open+0x2d/0x40
[ 30.299314] [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 30.305991]
[ 30.307594] Freed by task 2330:
[ 30.310864] [] save_stack_trace+0x26/0x50
[ 30.316762] [] kasan_slab_free+0xb0/0x190
[ 30.322671] [] kfree+0xf4/0x310
[ 30.327700] [] disk_release+0x255/0x330
[ 30.333440] [] device_release+0x7d/0x220
[ 30.339248] [] kobject_put+0x14c/0x260
[ 30.344906] [] put_disk+0x23/0x30
[ 30.350108] [] __blkdev_get+0x66c/0xdf0
[ 30.355830] [] blkdev_get+0x2e8/0x920
[ 30.361382] [] blkdev_open+0x1aa/0x250
[ 30.367022] [] do_dentry_open+0x38f/0xbd0
[ 30.372932] [] vfs_open+0x10b/0x210
[ 30.378326] [] path_openat+0x136f/0x4470
[ 30.384139] [] do_filp_open+0x1a1/0x270
[ 30.389949] [] do_sys_open+0x2f8/0x600
[ 30.395592] [] SyS_open+0x2d/0x40
[ 30.400796] [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 30.407490]
[ 30.409095] The buggy address belongs to the object at ffff8801d2097700
[ 30.409095] which belongs to the cache kmalloc-2048 of size 2048
[ 30.422188] The buggy address is located 1384 bytes inside of
[ 30.422188] 2048-byte region [ffff8801d2097700, ffff8801d2097f00)
[ 30.434224] The buggy address belongs to the page: