[ ok ] Starting enhanced syslogd: rsyslogd.
[ 13.540045] audit: type=1400 audit(1520467629.536:4): avc: denied { syslog } for pid=3647 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.61' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 26.517937] IPVS: Creating netns size=2536 id=1
executing program
[ 26.539300] IPVS: Creating netns size=2536 id=2
[ 26.552986] IPVS: Creating netns size=2536 id=3
executing program
[ 26.590102] IPVS: Creating netns size=2536 id=4
executing program
[ 26.612287] IPVS: Creating netns size=2536 id=5
executing program
[ 26.635725] IPVS: Creating netns size=2536 id=6
executing program
[ 26.666448] ==================================================================
[ 26.673832] BUG: KASAN: use-after-free in disk_unblock_events+0x51/0x60
[ 26.680565] Read of size 8 at addr ffff8801d97d0560 by task blkid/3837
[ 26.687211]
[ 26.688834] CPU: 0 PID: 3837 Comm: blkid Not tainted 4.9.86-gd3a2afb #51
[ 26.695650] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.704985] ffff8801d79576f0 ffffffff81d956f9 ffffea000765f400 ffff8801d97d0560
executing program
[ 26.713008] 0000000000000000 ffff8801d97d0560 0000000000000000 ffff8801d7957728
[ 26.721034] ffffffff8153e083 ffff8801d97d0560 0000000000000008 0000000000000000
[ 26.729059] Call Trace:
[ 26.731634] [] dump_stack+0xc1/0x128
[ 26.736987] [] print_address_description+0x73/0x280
[ 26.743646] [] kasan_report+0x275/0x360
[ 26.749262] [] ? disk_unblock_events+0x51/0x60
[ 26.755489] [] __asan_report_load8_noabort+0x14/0x20
executing program
[ 26.762232] [] disk_unblock_events+0x51/0x60
[ 26.768276] [] __blkdev_get+0x4b5/0xd50
[ 26.773886] [] ? __blkdev_put+0x7e0/0x7e0
[ 26.779673] [] blkdev_get+0x33b/0x960
[ 26.785112] [] ? bd_link_disk_holder+0x6c0/0x6c0
[ 26.791509] [] ? bd_acquire+0x27/0x250
[ 26.797036] [] ? bd_acquire+0x88/0x250
[ 26.802563] [] ? _raw_spin_unlock+0x2c/0x50
[ 26.808523] [] blkdev_open+0x1a5/0x250
executing program
[ 26.814055] [] do_dentry_open+0x607/0xc60
[ 26.819841] [] ? blkdev_get_by_dev+0x60/0x60
[ 26.825889] [] vfs_open+0x105/0x220
[ 26.831151] [] ? may_open+0x231/0x2e0
[ 26.836587] [] path_openat+0x5ac/0x2910
[ 26.842210] [] ? path_lookupat+0x3f0/0x3f0
[ 26.848087] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 26.855087] [] ? __lock_is_held+0xa1/0xf0
[ 26.860876] [] do_filp_open+0x197/0x290
executing program
[ 26.866484] [] ? may_open_dev+0xe0/0xe0
[ 26.872094] [] ? _raw_spin_unlock+0x2c/0x50
[ 26.878054] [] ? __alloc_fd+0x1d7/0x510
[ 26.883665] [] do_sys_open+0x366/0x620
[ 26.889194] [] ? filp_open+0x70/0x70
[ 26.894543] [] ? up_read+0x1a/0x40
[ 26.899720] [] ? __do_page_fault+0x3bd/0xd40
[ 26.905761] [] SyS_open+0x2d/0x40
[ 26.910847] [] ? do_sys_open+0x620/0x620
executing program
[ 26.916542] [] do_syscall_64+0x1a4/0x490
[ 26.922238] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 26.929143]
[ 26.930751] Allocated by task 3825:
[ 26.934366] save_stack_trace+0x16/0x20
[ 26.938324] save_stack+0x43/0xd0
[ 26.941760] kasan_kmalloc+0xad/0xe0
[ 26.945457] kmem_cache_alloc_trace+0xfb/0x2a0
[ 26.950025] alloc_disk_node+0x54/0x3b0
[ 26.953986] alloc_disk+0x18/0x20
[ 26.957424] loop_add+0x324/0x770
[ 26.960863] loop_control_ioctl+0x119/0x300
executing program
[ 26.965166] do_vfs_ioctl+0x1aa/0x1140
[ 26.969045] SyS_ioctl+0x8f/0xc0
[ 26.972397] do_syscall_64+0x1a4/0x490
[ 26.976272] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 26.981356]
[ 26.982967] Freed by task 3837:
[ 26.986231] save_stack_trace+0x16/0x20
[ 26.990191] save_stack+0x43/0xd0
[ 26.993631] kasan_slab_free+0x72/0xc0
[ 26.997504] kfree+0x103/0x300
[ 27.000686] disk_release+0x259/0x330
[ 27.004471] device_release+0x7c/0x210
[ 27.008345] kobject_release+0xed/0x1a0
[ 27.012303] kobject_put+0x63/0xc0
executing program
[ 27.015829] put_disk+0x23/0x30
[ 27.019093] __blkdev_get+0x415/0xd50
[ 27.022881] blkdev_get+0x33b/0x960
[ 27.026491] blkdev_open+0x1a5/0x250
[ 27.030190] do_dentry_open+0x607/0xc60
[ 27.034146] vfs_open+0x105/0x220
[ 27.037588] path_openat+0x5ac/0x2910
[ 27.041375] do_filp_open+0x197/0x290
[ 27.045160] do_sys_open+0x366/0x620
[ 27.048863] SyS_open+0x2d/0x40
[ 27.052130] do_syscall_64+0x1a4/0x490
[ 27.056002] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 27.061082]
executing program
[ 27.062693] The buggy address belongs to the object at ffff8801d97d0000
[ 27.062693] which belongs to the cache kmalloc-2048 of size 2048
[ 27.075512] The buggy address is located 1376 bytes inside of
[ 27.075512] 2048-byte region [ffff8801d97d0000, ffff8801d97d0800)
[ 27.087544] The buggy address belongs to the page:
[ 27.092464] page:ffffea000765f400 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 27.102668] flags: 0x8000000000004080(slab|head)
[ 27.107409] page dumped because: kasan: bad access detected
[ 27.113096]
executing program
[ 27.114704] Memory state around the buggy address:
[ 27.119619]  ffff8801d97d0400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.126960]  ffff8801d97d0480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.134304] >ffff8801d97d0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.141645]                                                         ^
[ 27.148117]  ffff8801d97d0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.155464]  ffff8801d97d0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
[ 27.162805] ==================================================================
[ 27.170157] Disabling lock debugging due to kernel taint
[ 27.176542] IPVS: Creating netns size=2536 id=7
[ 27.183994] Kernel panic - not syncing: panic_on_warn set ...
[ 27.183994]
[ 27.191356] CPU: 0 PID: 3837 Comm: blkid Tainted: G B 4.9.86-gd3a2afb #51
[ 27.199387] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.208722] ffff8801d7957648 ffffffff81d956f9 ffffffff84197a0f ffff8801d7957720
executing program
[ 27.216745] 0000000000000000 ffff8801d97d0560 0000000000000000 ffff8801d7957710
[ 27.224765] ffffffff8142f531 0000000041b58ab3 ffffffff8418b470 ffffffff8142f375
[ 27.232786] Call Trace:
[ 27.235363] [] dump_stack+0xc1/0x128
[ 27.240715] [] panic+0x1bc/0x3a8
[ 27.245724] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 27.253938] [] ? preempt_schedule+0x25/0x30
[ 27.259906] [] ? ___preempt_schedule+0x16/0x18
executing program
[ 27.266125] [] kasan_end_report+0x50/0x50
[ 27.271920] [] kasan_report+0x167/0x360
[ 27.277532] [] ? disk_unblock_events+0x51/0x60
[ 27.283752] [] __asan_report_load8_noabort+0x14/0x20
[ 27.290495] [] disk_unblock_events+0x51/0x60
[ 27.296544] [] __blkdev_get+0x4b5/0xd50
[ 27.302161] [] ? __blkdev_put+0x7e0/0x7e0
[ 27.307947] [] blkdev_get+0x33b/0x960
executing program
[ 27.313390] [] ? bd_link_disk_holder+0x6c0/0x6c0
[ 27.319785] [] ? bd_acquire+0x27/0x250
[ 27.325309] [] ? bd_acquire+0x88/0x250
[ 27.330840] [] ? _raw_spin_unlock+0x2c/0x50
[ 27.336798] [] blkdev_open+0x1a5/0x250
[ 27.342327] [] do_dentry_open+0x607/0xc60
[ 27.348111] [] ? blkdev_get_by_dev+0x60/0x60
[ 27.354171] [] vfs_open+0x105/0x220
[ 27.359437] [] ? may_open+0x231/0x2e0
executing program
[ 27.364871] [] path_openat+0x5ac/0x2910
[ 27.370479] [] ? path_lookupat+0x3f0/0x3f0
[ 27.376356] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 27.383357] [] ? __lock_is_held+0xa1/0xf0
[ 27.389150] [] do_filp_open+0x197/0x290
[ 27.394757] [] ? may_open_dev+0xe0/0xe0
[ 27.400370] [] ? _raw_spin_unlock+0x2c/0x50
[ 27.406326] [] ? __alloc_fd+0x1d7/0x510
[ 27.411939] [] do_sys_open+0x366/0x620
executing program
[ 27.417466] [] ? filp_open+0x70/0x70
[ 27.422813] [] ? up_read+0x1a/0x40
[ 27.427986] [] ? __do_page_fault+0x3bd/0xd40
[ 27.434029] [] SyS_open+0x2d/0x40
[ 27.439115] [] ? do_sys_open+0x620/0x620
[ 27.444830] [] do_syscall_64+0x1a4/0x490
[ 27.450530] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 27.457848] Dumping ftrace buffer:
[ 27.461365] (ftrace buffer empty)
[ 27.465044] Kernel Offset: disabled
[ 27.468638] Rebooting in 86400 seconds..