[....] Starting enhanced syslogd: rsyslogd
[   14.815563] audit: type=1400 audit(1563771765.624:4): avc: denied { syslog } for pid=1926 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.184' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   35.960747] ==================================================================
[   35.968150] BUG: KASAN: use-after-free in disk_unblock_events+0x55/0x60
[   35.974902] Read of size 8 at addr ffff8801d30c2768 by task syz-executor032/2144
[   35.982433]
[   35.984059] CPU: 0 PID: 2144 Comm: syz-executor032 Not tainted 4.4.174+ #4
[   35.991078]  0000000000000000 2b031651ad2e3ebb ffff8800b5d3f730 ffffffff81aad1a1
[   35.999155]  0000000000000000 ffffea00074c3000 ffff8801d30c2768 0000000000000008
[   36.007229]  0000000000000000 ffff8800b5d3f768 ffffffff81490120 0000000000000000
[   36.015304] Call Trace:
[   36.017892]  [] dump_stack+0xc1/0x120
[   36.023258]  [] print_address_description+0x6f/0x21b
[   36.029923]  [] kasan_report.cold+0x8c/0x2be
[   36.035898]  [] ? disk_unblock_events+0x55/0x60
[   36.042153]  [] __asan_report_load8_noabort+0x14/0x20
[   36.048902]  [] disk_unblock_events+0x55/0x60
[   36.054958]  [] __blkdev_get+0x70c/0xdf0
[   36.060583]  [] ? __blkdev_put+0x840/0x840
[   36.066383]  [] ? trace_hardirqs_on+0x10/0x10
[   36.072441]  [] blkdev_get+0x2e8/0x920
[   36.077888]  [] ? bd_may_claim+0xd0/0xd0
[   36.083523]  [] ? bd_acquire+0x8a/0x370
[   36.089063]  [] ? _raw_spin_unlock+0x2d/0x50
[   36.095053]  [] blkdev_open+0x1aa/0x250
[   36.100610]  [] do_dentry_open+0x38f/0xbd0
[   36.106412]  [] ? __inode_permission2+0x9e/0x250
[   36.112732]  [] ? blkdev_get_by_dev+0x80/0x80
[   36.118788]  [] vfs_open+0x10b/0x210
[   36.124062]  [] ? may_open.isra.0+0xe7/0x210
[   36.130042]  [] path_openat+0x136f/0x4470
[   36.135775]  [] ? kasan_kmalloc.part.0+0xc6/0xf0
[   36.142106]  [] ? may_open.isra.0+0x210/0x210
[   36.148171]  [] ? trace_hardirqs_on+0x10/0x10
[   36.154231]  [] do_filp_open+0x1a1/0x270
[   36.159859]  [] ? user_path_mountpoint_at+0x50/0x50
[   36.166463]  [] ? __alloc_fd+0x1ea/0x490
[   36.172103]  [] ? _raw_spin_unlock+0x2d/0x50
[   36.178088]  [] do_sys_open+0x2f8/0x600
[   36.183630]  [] ? filp_open+0x70/0x70
[   36.188998]  [] ? retint_user+0x18/0x3c
[   36.194561]  [] ? trace_hardirqs_on_caller+0x385/0x5a0
[   36.194569]  [] SyS_open+0x2d/0x40
[   36.194577]  [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[   36.194581]
[   36.194586] Allocated by task 2145:
[   36.194598]  [] save_stack_trace+0x26/0x50
[   36.194608]  [] kasan_kmalloc.part.0+0x62/0xf0
[   36.194616]  [] kasan_kmalloc+0xb7/0xd0
[   36.194624]  [] kmem_cache_alloc_trace+0x123/0x2d0
[   36.194634]  [] alloc_disk_node+0x50/0x3c0
[   36.194641]  [] alloc_disk+0x1b/0x20
[   36.194649]  [] loop_add+0x380/0x830
[   36.194657]  [] loop_probe+0x154/0x180
[   36.194666]  [] kobj_lookup+0x221/0x410
[   36.194674]  [] get_gendisk+0x3c/0x2e0
[   36.194682]  [] __blkdev_get+0x39c/0xdf0
[   36.194689]  [] blkdev_get+0x2e8/0x920
[   36.194697]  [] blkdev_open+0x1aa/0x250
[   36.194706]  [] do_dentry_open+0x38f/0xbd0
[   36.194713]  [] vfs_open+0x10b/0x210
[   36.194722]  [] path_openat+0x136f/0x4470
[   36.194730]  [] do_filp_open+0x1a1/0x270
[   36.194738]  [] do_sys_open+0x2f8/0x600
[   36.194744]  [] SyS_open+0x2d/0x40
[   36.194753]  [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[   36.194754]
[   36.194757] Freed by task 2144:
[   36.194765]  [] save_stack_trace+0x26/0x50
[   36.194773]  [] kasan_slab_free+0xb0/0x190
[   36.194780]  [] kfree+0xf4/0x310
[   36.194788]  [] disk_release+0x255/0x330
[   36.194796]  [] device_release+0x7d/0x220
[   36.194805]  [] kobject_put+0x14c/0x260
[   36.194813]  [] put_disk+0x23/0x30
[   36.194820]  [] __blkdev_get+0x66c/0xdf0
[   36.194827]  [] blkdev_get+0x2e8/0x920
[   36.194833]  [] blkdev_open+0x1aa/0x250
[   36.194841]  [] do_dentry_open+0x38f/0xbd0
[   36.194848]  [] vfs_open+0x10b/0x210
[   36.194857]  [] path_openat+0x136f/0x4470
[   36.194864]  [] do_filp_open+0x1a1/0x270
[   36.194871]  [] do_sys_open+0x2f8/0x600
[   36.194878]  [] SyS_open+0x2d/0x40
[   36.194887]  [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[   36.194888]
[   36.194894] The buggy address belongs to the object at ffff8801d30c2200
[   36.194894]  which belongs to the cache kmalloc-2048 of size 2048
[   36.194899] The buggy address is located 1384 bytes inside of
[   36.194899]  2048-byte region [ffff8801d30c2200, ffff8801d30c2a00)
[   36.194901] The buggy address belongs to the page:
[   36.202429] BUG: unable to handle kernel paging request at fffff94000e98600
[   36.202445] IP: [] memset_erms+0x9/0x10
[   36.202456] PGD 330c067 PUD 330b063 PMD 330a063 PTE 800000000330d161
[   36.202466] Oops: 0003 [#1] PREEMPT SMP KASAN
[   36.202474] Modules linked in:
[   36.202483] CPU: 1 PID: 2244 Comm: syz-executor032 Not tainted 4.4.174+ #4
[   36.202487] task: ffff8801d3a74740 task.stack: ffff8801d4740000
[   36.202499] RIP: 0010:[]  [] memset_erms+0x9/0x10
[   36.202503] RSP: 0018:ffff8801d4747d10  EFLAGS: 00010206
[   36.202507] RAX: 1ffffd4000e98800 RBX: fffff94000e98800 RCX: 0000000000000200
[   36.202511] RDX: 0000000000000200 RSI: 0000000000000000 RDI: fffff94000e98600
[   36.202515] RBP: ffff8801d4747d28 R08: 000000000000000f R09: fffff94000e98600
[   36.202519] R10: 00000000004002e0 R11: 0000000000000246 R12: 0000000000001000
[   36.202524] R13: ffffea00074c3000 R14: ffffea00074c3fff R15: ffff8801da548dc0
[   36.202530] FS:  0000000001f4e880(0063) GS:ffff8801db700000(0000) knlGS:0000000000000000
[   36.202535] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   36.202539] CR2: fffff94000e98600 CR3: 00000001d4784000 CR4: 00000000001606b0
[   36.202549] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   36.202553] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   36.202554] Stack:
[   36.202564]  ffffffff81484025 ffffea00074c4000 00000000024000c0 ffff8801d4747d68
[   36.202581]  ffffffff8148412c ffffea00074c3fff 4000000000004080 ffff8801da548dc0
[   36.202590]  00000000024000c0 ffffffff814ca46c ffffea00074c3000 ffff8801d4747d78
[   36.202591] Call Trace:
[   36.202602]  [] ? kasan_unpoison_shadow+0x35/0x50
[   36.202609]  [] kasan_kmalloc+0x4c/0xd0
[   36.202617]  [] ? getname_flags+0xcc/0x550
[   36.202624]  [] kasan_slab_alloc+0xf/0x20
[   36.202631]  [] kmem_cache_alloc+0xdc/0x2c0
[   36.202637]  [] getname_flags+0xcc/0x550
[   36.202644]  [] getname+0x1a/0x20
[   36.202651]  [] do_sys_open+0x1fd/0x600
[   36.202657]  [] ? filp_open+0x70/0x70
[   36.202665]  [] ? retint_user+0x18/0x3c
[   36.202675]  [] ? trace_hardirqs_on_caller+0x385/0x5a0
[   36.202681]  [] SyS_open+0x2d/0x40
[   36.202688]  [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[   36.202798] Code: 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 f3 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 aa 4c 89 c8 c3 90 49 89 fa 40 0f b6 ce 48 b8 01 01 01 01 01
[   36.202807] RIP  [] memset_erms+0x9/0x10
[   36.202809]  RSP
[   36.202812] CR2: fffff94000e98600
[   36.202818] ---[ end trace 00f410ea6d38c027 ]---
[   36.202823] Kernel panic - not syncing: Fatal exception
[   37.340655] Shutting down cpus with NMI
[   37.340988] Kernel Offset: disabled
[   37.890924] Rebooting in 86400 seconds..