Warning: Permanently added '10.128.10.1' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 60.321264] ==================================================================
[ 60.328789] BUG: KASAN: use-after-free in disk_unblock_events+0x55/0x60
[ 60.335537] Read of size 8 at addr ffff8800b39a9668 by task syz-executor536/2538
[ 60.343231]
[ 60.344877] CPU: 0 PID: 2538 Comm: syz-executor536 Not tainted 4.4.174+ #17
[ 60.351974] 0000000000000000 f9b3ea2c59de4324 ffff8801ceb776c0 ffffffff81aad1a1
executing program
[ 60.366568] 0000000000000000 ffffea0002ce6a00 ffff8800b39a9668 0000000000000008
[ 60.374625] 0000000000000000 ffff8801ceb776f8 ffffffff81490120 0000000000000000
[ 60.382687] Call Trace:
[ 60.385271] [] dump_stack+0xc1/0x120
[ 60.390640] [] print_address_description+0x6f/0x21b
[ 60.397309] [] kasan_report.cold+0x8c/0x2be
[ 60.403313] [] ? disk_unblock_events+0x55/0x60
[ 60.409554] [] __asan_report_load8_noabort+0x14/0x20
[ 60.416316] [] disk_unblock_events+0x55/0x60
[ 60.423875] [] __blkdev_get+0x70c/0xdf0
[ 60.436464] [] ? __blkdev_put+0x840/0x840
[ 60.442264] [] ? trace_hardirqs_on+0x10/0x10
[ 60.448323] [] blkdev_get+0x2e8/0x920
[ 60.453765] [] ? bd_may_claim+0xd0/0xd0
[ 60.459392] [] ? bd_acquire+0x8a/0x370
[ 60.464928] [] ? _raw_spin_unlock+0x2d/0x50
[ 60.470908] [] blkdev_open+0x1aa/0x250
[ 60.476448] [] do_dentry_open+0x38f/0xbd0
[ 60.482255] [] ? __inode_permission2+0x9e/0x250
[ 60.488576] [] ? blkdev_get_by_dev+0x80/0x80
[ 60.494763] [] vfs_open+0x10b/0x210
[ 60.500049] [] ? may_open.isra.0+0xe7/0x210
[ 60.506024] [] path_openat+0x136f/0x4470
[ 60.511738] [] ? kasan_kmalloc.part.0+0xc6/0xf0
[ 60.518063] [] ? may_open.isra.0+0x210/0x210
[ 60.524134] [] ? trace_hardirqs_on+0x10/0x10
[ 60.530202] [] do_filp_open+0x1a1/0x270
[ 60.535829] [] ? user_path_mountpoint_at+0x50/0x50
[ 60.542416] [] ? do_dup2+0x3d0/0x3d0
[ 60.547780] [] ? _raw_spin_unlock+0x2d/0x50
[ 60.553756] [] do_sys_open+0x2f8/0x600
[ 60.559327] [] ? filp_open+0x70/0x70
[ 60.564771] [] ? __do_page_fault+0x2b3/0x7f0
[ 60.570836] [] compat_SyS_open+0x2a/0x40
[ 60.576564] [] ? compat_SyS_getdents64+0x270/0x270
[ 60.583153] [] do_fast_syscall_32+0x32d/0xa90
[ 60.589313] [] sysenter_flags_fixed+0xd/0x1a
[ 60.595365]
[ 60.596987] Allocated by task 2538:
[ 60.600605] [] save_stack_trace+0x26/0x50
[ 60.606546] [] kasan_kmalloc.part.0+0x62/0xf0
[ 60.612825] [] kasan_kmalloc+0xb7/0xd0
[ 60.618586] [] kmem_cache_alloc_trace+0x123/0x2d0
[ 60.625213] [] alloc_disk_node+0x50/0x3c0
[ 60.631152] [] alloc_disk+0x1b/0x20
[ 60.636567] [] loop_add+0x380/0x830
[ 60.642000] [] loop_probe+0x154/0x180
[ 60.647588] [] kobj_lookup+0x221/0x410
[ 60.653371] [] get_gendisk+0x3c/0x2e0
[ 60.658977] [] __blkdev_get+0x39c/0xdf0
[ 60.664744] [] blkdev_get+0x2e8/0x920
[ 60.670340] [] blkdev_open+0x1aa/0x250
[ 60.676035] [] do_dentry_open+0x38f/0xbd0
[ 60.681979] [] vfs_open+0x10b/0x210
[ 60.687392] [] path_openat+0x136f/0x4470
[ 60.693237] [] do_filp_open+0x1a1/0x270
[ 60.698998] [] do_sys_open+0x2f8/0x600
[ 60.704670] [] compat_SyS_open+0x2a/0x40
[ 60.710516] [] do_fast_syscall_32+0x32d/0xa90
[ 60.716979] [] sysenter_flags_fixed+0xd/0x1a
[ 60.723173]
[ 60.724796] Freed by task 2538:
[ 60.728067] [] save_stack_trace+0x26/0x50
[ 60.734006] [] kasan_slab_free+0xb0/0x190
[ 60.739942] [] kfree+0xf4/0x310
[ 60.745010] [] disk_release+0x255/0x330
[ 60.750777] [] device_release+0x7d/0x220
[ 60.756635] [] kobject_put+0x14c/0x260
[ 60.762314] [] put_disk+0x23/0x30
[ 60.767564] [] __blkdev_get+0x66c/0xdf0
[ 60.773339] [] blkdev_get+0x2e8/0x920
[ 60.778967] [] blkdev_open+0x1aa/0x250
[ 60.784637] [] do_dentry_open+0x38f/0xbd0
[ 60.790579] [] vfs_open+0x10b/0x210
[ 60.795990] [] path_openat+0x136f/0x4470
[ 60.801840] [] do_filp_open+0x1a1/0x270
[ 60.807606] [] do_sys_open+0x2f8/0x600
[ 60.813284] [] compat_SyS_open+0x2a/0x40
[ 60.819138] [] do_fast_syscall_32+0x32d/0xa90
[ 60.825421] [] sysenter_flags_fixed+0xd/0x1a
[ 60.831622]
[ 60.833248] The buggy address belongs to the object at ffff8800b39a9100
[ 60.833248] which belongs to the cache kmalloc-2048 of size 2048
[ 60.846082] The buggy address is located 1384 bytes inside of
[ 60.846082] 2048-byte region [ffff8800b39a9100, ffff8800b39a9900)
[ 60.858134] The buggy address belongs to the page:
[ 62.599681] double fault: 0000 [#1] PREEMPT SMP KASAN
[ 62.605423] Modules linked in:
[ 62.608739] CPU: 0 PID: 2538 Comm: syz-executor536 Not tainted 4.4.174+ #17
[ 62.615833] task: ffff8801d0592f80 task.stack: ffff8801ceb70000
[ 62.621909] RIP: 0010:[] [] dump_page+0x4/0x30
[ 62.629842] RSP: 0018:ffff880100000000 EFLAGS: 00010093
[ 62.635300] RAX: ffff8801d0592f80 RBX: 0000000000000000 RCX: 0000000000000000
[ 62.642570] RDX: 0000000000000000 RSI: ffffffff82891be0 RDI: ffffea0002ce6a00
[ 62.649843] RBP: ffff880100000000 R08: 0000000000000026 R09: 0000000000000000
[ 62.657119] R10: 0000000000000001 R11: ffffffff83fdf174 R12: ffffea0002ce6a00
[ 62.664384] R13: ffffffff82891be0 R14: ffff8800b39a9900 R15: ffff8800b39a9100
[ 62.671651] FS: 0000000000000000(0000) GS:ffff8801db600000(0063) knlGS:0000000008753840
[ 62.679880] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 62.685846] CR2: ffff8800fffffff8 CR3: 00000001d633a000 CR4: 00000000001606b0
[ 62.693116] Stack:
[ 62.695251]
[ 62.696882] Call Trace:
[ 62.699459]
[ 62.701505] Code: c6 e0 1b 89 82 4c 89 e7 e8 1a 00 00 00 0f 0b 4c 89 e7 e8 a0 a2 05 00 eb d4 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 <41> 55 49 89 f5 41 54 49 89 fc e8 ad e9 ed ff 4c 89 ee 4c 89 e7
[ 62.729612] RIP [] dump_page+0x4/0x30
[ 62.735196] RSP
[ 62.738816] ---[ end trace 47dc74f8a3c579aa ]---
[ 62.743560] Kernel panic - not syncing: Fatal exception
[ 62.749198] Kernel Offset: disabled
[ 62.752817] Rebooting in 86400 seconds..