INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.18' (ECDSA) to the list of known hosts.
2018/04/23 20:49:03 parsed 1 programs
2018/04/23 20:49:03 executed programs: 0
syzkaller login: [ 26.776768] IPVS: Creating netns size=2536 id=1
[ 26.800500] IPVS: Creating netns size=2536 id=2
[ 26.811666] IPVS: Creating netns size=2536 id=3
[ 26.837491] IPVS: Creating netns size=2536 id=4
[ 26.854313] IPVS: Creating netns size=2536 id=5
[ 26.880881] IPVS: Creating netns size=2536 id=6
[ 26.917191] IPVS: Creating netns size=2536 id=7
[ 26.962208] IPVS: Creating netns size=2536 id=8
[ 27.211523] ==================================================================
[ 27.218931] BUG: KASAN: use-after-free in disk_unblock_events+0x51/0x60
[ 27.225667] Read of size 8 at addr ffff8801b8775a60 by task blkid/3938
[ 27.232314]
[ 27.233942] CPU: 1 PID: 3938 Comm: blkid Not tainted 4.9.95-g142d4b5 #7
[ 27.240675] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.250019] ffff8801d7d976d8 ffffffff81eb0f89 ffffea0006e1dc00 ffff8801b8775a60
[ 27.258067] 0000000000000000 ffff8801b8775a60 0000000000000000 ffff8801d7d97710
[ 27.266112] ffffffff815653cb ffff8801b8775a60 0000000000000008 0000000000000000
[ 27.274145] Call Trace:
[ 27.276725] [] dump_stack+0xc1/0x128
[ 27.282079] [] print_address_description+0x6c/0x234
[ 27.288734] [] kasan_report.cold.6+0x242/0x2fe
[ 27.294957] [] ? disk_unblock_events+0x51/0x60
[ 27.301184] [] __asan_report_load8_noabort+0x14/0x20
[ 27.307930] [] disk_unblock_events+0x51/0x60
[ 27.313976] [] __blkdev_get+0x6b6/0xd60
[ 27.319599] [] ? __blkdev_put+0x840/0x840
[ 27.325390] [] ? fsnotify+0x114/0x1100
[ 27.330919] [] blkdev_get+0x2da/0x920
[ 27.336364] [] ? bd_may_claim+0xd0/0xd0
[ 27.341979] [] ? bd_acquire+0x27/0x250
[ 27.347507] [] ? bd_acquire+0x88/0x250
[ 27.353038] [] ? _raw_spin_unlock+0x2c/0x50
[ 27.358994] [] blkdev_open+0x1a5/0x250
[ 27.364524] [] do_dentry_open+0x703/0xc80
[ 27.370318] [] ? blkdev_get_by_dev+0x70/0x70
[ 27.376363] [] vfs_open+0x11c/0x210
[ 27.381632] [] ? may_open.isra.57+0x14f/0x2a0
[ 27.387766] [] path_openat+0x758/0x3590
[ 27.393377] [] ? save_stack+0xa9/0xd0
[ 27.398822] [] ? path_lookupat.isra.41+0x410/0x410
[ 27.405390] [] ? __lock_is_held+0xa2/0xf0
[ 27.411176] [] do_filp_open+0x197/0x270
[ 27.416789] [] ? may_open_dev+0xe0/0xe0
[ 27.422403] [] ? _raw_spin_unlock+0x2c/0x50
[ 27.428366] [] ? __alloc_fd+0x1d7/0x4a0
[ 27.433979] [] do_sys_open+0x30d/0x5c0
[ 27.439503] [] ? filp_open+0x70/0x70
[ 27.444852] [] ? up_read+0x1a/0x40
[ 27.450033] [] ? __do_page_fault+0x183/0xd50
[ 27.456081] [] SyS_open+0x2d/0x40
[ 27.461173] [] ? do_sys_open+0x5c0/0x5c0
[ 27.466874] [] do_syscall_64+0x1a6/0x490
[ 27.472578] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 27.479490]
[ 27.481103] Allocated by task 3930:
[ 27.484721] save_stack_trace+0x16/0x20
[ 27.488683] save_stack+0x43/0xd0
[ 27.492123] kasan_kmalloc+0xc7/0xe0
[ 27.495829] kmem_cache_alloc_trace+0xfd/0x2b0
[ 27.500401] alloc_disk_node+0x54/0x3a0
[ 27.504362] alloc_disk+0x18/0x20
[ 27.507804] loop_add+0x33b/0x770
[ 27.511247] loop_probe+0x14f/0x180
[ 27.514860] kobj_lookup+0x223/0x410
[ 27.518565] get_gendisk+0x39/0x2d0
[ 27.522182] __blkdev_get+0x351/0xd60
[ 27.525975] blkdev_get+0x2da/0x920
[ 27.529595] blkdev_open+0x1a5/0x250
[ 27.533298] do_dentry_open+0x703/0xc80
[ 27.537262] vfs_open+0x11c/0x210
[ 27.540701] path_openat+0x758/0x3590
[ 27.544491] do_filp_open+0x197/0x270
[ 27.548279] do_sys_open+0x30d/0x5c0
[ 27.551979] SyS_open+0x2d/0x40
[ 27.555247] do_syscall_64+0x1a6/0x490
[ 27.559121] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 27.564205]
[ 27.565814] Freed by task 3938:
[ 27.569083] save_stack_trace+0x16/0x20
[ 27.573041] save_stack+0x43/0xd0
[ 27.576482] kasan_slab_free+0x72/0xc0
[ 27.580358] kfree+0xfb/0x310
[ 27.583454] disk_release+0x259/0x330
[ 27.587246] device_release+0x7e/0x220
[ 27.591120] kobject_release+0x103/0x1b0
[ 27.595168] kobject_put+0x6d/0xd0
[ 27.598694] put_disk+0x23/0x30
[ 27.601958] __blkdev_get+0x616/0xd60
[ 27.605743] blkdev_get+0x2da/0x920
[ 27.609360] blkdev_open+0x1a5/0x250
[ 27.613061] do_dentry_open+0x703/0xc80
[ 27.617022] vfs_open+0x11c/0x210
[ 27.620461] path_openat+0x758/0x3590
[ 27.624251] do_filp_open+0x197/0x270
[ 27.628038] do_sys_open+0x30d/0x5c0
[ 27.631735] SyS_open+0x2d/0x40
[ 27.635001] do_syscall_64+0x1a6/0x490
[ 27.638876] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 27.643955]
[ 27.645573] The buggy address belongs to the object at ffff8801b8775500
[ 27.645573] which belongs to the cache kmalloc-2048 of size 2048
[ 27.658389] The buggy address is located 1376 bytes inside of
[ 27.658389] 2048-byte region [ffff8801b8775500, ffff8801b8775d00)
[ 27.670420] The buggy address belongs to the page:
[ 27.675338] page:ffffea0006e1dc00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 27.685542] flags: 0x8000000000004080(slab|head)
[ 27.690281] page dumped because: kasan: bad access detected
[ 27.695975]
[ 27.697583] Memory state around the buggy address:
[ 27.702497] ffff8801b8775900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.709840] ffff8801b8775980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.717185] >ffff8801b8775a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.724530] ^
[ 27.731012] ffff8801b8775a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.738355] ffff8801b8775b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.745697] ==================================================================
[ 27.753038] Disabling lock debugging due to kernel taint
[ 27.770222] Kernel panic - not syncing: panic_on_warn set ...
[ 27.770222]
[ 27.777608] CPU: 1 PID: 3938 Comm: blkid Tainted: G B 4.9.95-g142d4b5 #7
[ 27.785561] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.794936] ffff8801d7d97638 ffffffff81eb0f89 ffffffff841c4735 00000000ffffffff
[ 27.802973] 0000000000000000 0000000000000001 0000000000000000 ffff8801d7d976f8
[ 27.811020] ffffffff8141f945 0000000041b58ab3 ffffffff841b7e38 ffffffff8141f786
[ 27.819054] Call Trace:
[ 27.821631] [] dump_stack+0xc1/0x128
[ 27.826986] [] panic+0x1bf/0x3bc
[ 27.831989] [] ? add_taint.cold.6+0x16/0x16
[ 27.837951] [] ? ___preempt_schedule+0x16/0x18
[ 27.844173] [] kasan_end_report+0x47/0x4f
[ 27.849955] [] kasan_report.cold.6+0x76/0x2fe
[ 27.856088] [] ? disk_unblock_events+0x51/0x60
[ 27.862312] [] __asan_report_load8_noabort+0x14/0x20
[ 27.869052] [] disk_unblock_events+0x51/0x60
[ 27.875100] [] __blkdev_get+0x6b6/0xd60
[ 27.880711] [] ? __blkdev_put+0x840/0x840
[ 27.886498] [] ? fsnotify+0x114/0x1100
[ 27.892032] [] blkdev_get+0x2da/0x920
[ 27.897484] [] ? bd_may_claim+0xd0/0xd0
[ 27.903099] [] ? bd_acquire+0x27/0x250
[ 27.908627] [] ? bd_acquire+0x88/0x250
[ 27.914158] [] ? _raw_spin_unlock+0x2c/0x50
[ 27.920118] [] blkdev_open+0x1a5/0x250
[ 27.925644] [] do_dentry_open+0x703/0xc80
[ 27.931432] [] ? blkdev_get_by_dev+0x70/0x70
[ 27.937477] [] vfs_open+0x11c/0x210
[ 27.942742] [] ? may_open.isra.57+0x14f/0x2a0
[ 27.948877] [] path_openat+0x758/0x3590
[ 27.954497] [] ? save_stack+0xa9/0xd0
[ 27.959944] [] ? path_lookupat.isra.41+0x410/0x410
[ 27.966514] [] ? __lock_is_held+0xa2/0xf0
[ 27.972305] [] do_filp_open+0x197/0x270
[ 27.977916] [] ? may_open_dev+0xe0/0xe0
[ 27.983532] [] ? _raw_spin_unlock+0x2c/0x50
[ 27.989515] [] ? __alloc_fd+0x1d7/0x4a0
[ 27.995132] [] do_sys_open+0x30d/0x5c0
[ 28.000657] [] ? filp_open+0x70/0x70
[ 28.006020] [] ? up_read+0x1a/0x40
[ 28.011200] [] ? __do_page_fault+0x183/0xd50
[ 28.017247] [] SyS_open+0x2d/0x40
[ 28.022338] [] ? do_sys_open+0x5c0/0x5c0
[ 28.028040] [] do_syscall_64+0x1a6/0x490
[ 28.033735] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 28.041055] Dumping ftrace buffer:
[ 28.044568] (ftrace buffer empty)
[ 28.048247] Kernel Offset: disabled
[ 28.051844] Rebooting in 86400 seconds..