INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-1,10.128.15.233' (ECDSA) to the list of known hosts.
2017/10/28 12:18:16 parsed 1 programs
2017/10/28 12:18:16 executed programs: 0
2017/10/28 12:18:21 executed programs: 1126

syzkaller login: [ 144.329316] ==================================================================
[ 144.330842] BUG: KASAN: use-after-free in disk_unblock_events+0x51/0x60
[ 144.332399] Read of size 8 at addr ffff8801c60ef880 by task blkid/4601
[ 144.333770]
[ 144.334018] CPU: 1 PID: 4601 Comm: blkid Not tainted 4.14.0-rc6+ #60
[ 144.335339] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 144.336853] Call Trace:
[ 144.337235]  dump_stack+0x194/0x257
[ 144.337748]  ? arch_local_irq_restore+0x53/0x53
[ 144.338389]  ? show_regs_print_info+0x65/0x65
[ 144.339031]  ? kfree_const+0x31/0x40
[ 144.339568]  ? disk_unblock_events+0x51/0x60
[ 144.340198]  print_address_description+0x73/0x250
[ 144.340953]  ? disk_unblock_events+0x51/0x60
[ 144.341757]  kasan_report+0x25b/0x340
[ 144.342579]  __asan_report_load8_noabort+0x14/0x20
[ 144.343444]  disk_unblock_events+0x51/0x60
[ 144.344157]  __blkdev_get+0x78d/0xf90
[ 144.344716]  ? __blkdev_put+0x7c0/0x7c0
[ 144.345307]  blkdev_get+0x3a1/0xad0
[ 144.345888]  ? do_raw_spin_trylock+0x190/0x190
[ 144.346520]  ? bd_link_disk_holder+0x8b0/0x8b0
[ 144.347155]  ? __fsnotify_parent+0xb4/0x3a0
[ 144.347754]  ? errseq_sample+0xee/0x140
[ 144.348338]  ? _copy_to_user+0xc0/0xc0
[ 144.349151]  ? _raw_spin_unlock+0x22/0x30
[ 144.352143]  blkdev_open+0x1c9/0x250
[ 144.355841]  ? security_file_open+0x89/0x190
[ 144.360246]  do_dentry_open+0x664/0xd40
[ 144.364204]  ? security_inode_permission+0xbb/0xf0
[ 144.369123]  ? bd_acquire+0x2c0/0x2c0
[ 144.372924]  vfs_open+0x107/0x220
[ 144.376371]  path_openat+0x1151/0x3520
[ 144.380281]  ? path_lookupat+0xba0/0xba0
[ 144.384342]  ? lock_downgrade+0x990/0x990
[ 144.388496]  ? getname+0x19/0x20
[ 144.391862]  ? do_raw_spin_trylock+0x190/0x190
[ 144.396431]  ? find_held_lock+0x35/0x1d0
[ 144.400488]  ? __lock_is_held+0xb6/0x140
[ 144.404540]  ? _find_next_bit+0xee/0x120
[ 144.408586]  ? _raw_spin_unlock+0x22/0x30
[ 144.412717]  ? __alloc_fd+0x29b/0x750
[ 144.416530]  do_filp_open+0x25b/0x3b0
[ 144.420309]  ? may_open_dev+0xe0/0xe0
[ 144.424091]  ? mpi_resize+0x200/0x200
[ 144.427868]  ? get_unused_fd_flags+0x121/0x190
[ 144.432422]  ? getname_flags+0x256/0x580
[ 144.436462]  do_sys_open+0x502/0x6d0
[ 144.440149]  ? do_sys_open+0x502/0x6d0
[ 144.444018]  ? filp_open+0x70/0x70
[ 144.447541]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 144.452357]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 144.457351]  SyS_open+0x2d/0x40
[ 144.460604]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 144.465326] RIP: 0033:0x7eff1919c120
[ 144.469004] RSP: 002b:00007ffec5237e18 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 144.476684] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007eff1919c120
[ 144.483921] RDX: 00007ffec5239f34 RSI: 0000000000000000 RDI: 00007ffec5239f34
[ 144.491157] RBP: 0000000000000082 R08: 0000000000000078 R09: 0000000000000000
[ 144.498395] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000feb030
[ 144.505631] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000005
[ 144.512888]
[ 144.514484] Allocated by task 4184:
[ 144.518082]  save_stack_trace+0x16/0x20
[ 144.522031]  save_stack+0x43/0xd0
[ 144.525453]  kasan_kmalloc+0xad/0xe0
[ 144.529136]  kmem_cache_alloc_node_trace+0x150/0x750
[ 144.534208]  alloc_disk_node+0xb4/0x4e0
[ 144.538156]  alloc_disk+0x18/0x20
[ 144.541578]  loop_add+0x45c/0xa50
[ 144.544998]  loop_probe+0x16d/0x1a0
[ 144.548597]  kobj_lookup+0x2ac/0x410
[ 144.552276]  get_gendisk+0x37/0x230
[ 144.555870]  __blkdev_get+0x3ea/0xf90
[ 144.559635]  blkdev_get+0x5ca/0xad0
[ 144.563228]  blkdev_open+0x1c9/0x250
[ 144.566910]  do_dentry_open+0x664/0xd40
[ 144.570849]  vfs_open+0x107/0x220
[ 144.574268]  path_openat+0x1151/0x3520
[ 144.578123]  do_filp_open+0x25b/0x3b0
[ 144.581890]  do_sys_open+0x502/0x6d0
[ 144.585572]  compat_SyS_open+0x2a/0x40
[ 144.589425]  do_fast_syscall_32+0x3f2/0xf05
[ 144.593716]  entry_SYSENTER_compat+0x51/0x60
[ 144.598087]
[ 144.599683] Freed by task 4601:
[ 144.602928]  save_stack_trace+0x16/0x20
[ 144.606868]  save_stack+0x43/0xd0
[ 144.610288]  kasan_slab_free+0x71/0xc0
[ 144.614143]  kfree+0xca/0x250
[ 144.617216]  disk_release+0x327/0x410
[ 144.620986]  device_release+0x7c/0x200
[ 144.624842]  kobject_put+0x14c/0x240
[ 144.628521]  put_disk+0x23/0x30
[ 144.631768]  __blkdev_get+0x6ed/0xf90
[ 144.635535]  blkdev_get+0x3a1/0xad0
[ 144.639128]  blkdev_open+0x1c9/0x250
[ 144.642806]  do_dentry_open+0x664/0xd40
[ 144.646747]  vfs_open+0x107/0x220
[ 144.650166]  path_openat+0x1151/0x3520
[ 144.654024]  do_filp_open+0x25b/0x3b0
[ 144.657793]  do_sys_open+0x502/0x6d0
[ 144.661473]  SyS_open+0x2d/0x40
[ 144.664720]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 144.669440]
[ 144.671036] The buggy address belongs to the object at ffff8801c60ef300
[ 144.671036]  which belongs to the cache kmalloc-2048 of size 2048
[ 144.683832] The buggy address is located 1408 bytes inside of
[ 144.683832]  2048-byte region [ffff8801c60ef300, ffff8801c60efb00)
[ 144.695844] The buggy address belongs to the page:
[ 144.700739] page:ffffea0007183b80 count:1 mapcount:0 mapping:ffff8801c60ee200 index:0x0 compound_mapcount: 0
[ 144.710678] flags: 0x200000000008100(slab|head)
[ 144.715315] raw: 0200000000008100 ffff8801c60ee200 0000000000000000 0000000100000003
[ 144.723162] raw: ffffea00071946a0 ffffea000718eba0 ffff8801dac00c40 0000000000000000
[ 144.731008] page dumped because: kasan: bad access detected
[ 144.736685]
[ 144.738282] Memory state around the buggy address:
[ 144.743178]  ffff8801c60ef780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 144.750506]  ffff8801c60ef800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 144.757831] >ffff8801c60ef880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 144.765156]                    ^
[ 144.768487]  ffff8801c60ef900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 144.775815]  ffff8801c60ef980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 144.783138] ==================================================================
[ 144.790460] Disabling lock debugging due to kernel taint
[ 144.796022] Kernel panic - not syncing: panic_on_warn set ...
[ 144.796022]
[ 144.803365] CPU: 1 PID: 4601 Comm: blkid Tainted: G    B    4.14.0-rc6+ #60
[ 144.811046] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 144.820365] Call Trace:
[ 144.822919]  dump_stack+0x194/0x257
[ 144.826514]  ? arch_local_irq_restore+0x53/0x53
[ 144.831148]  ? kasan_end_report+0x32/0x50
[ 144.835261]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 144.839984]  ? disk_unblock_events+0x50/0x60
[ 144.844357]  panic+0x1e4/0x417
[ 144.847516]  ? __warn+0x1d9/0x1d9
[ 144.850941]  ? disk_unblock_events+0x51/0x60
[ 144.855313]  kasan_end_report+0x50/0x50
[ 144.859253]  kasan_report+0x144/0x340
[ 144.863025]  __asan_report_load8_noabort+0x14/0x20
[ 144.867919]  disk_unblock_events+0x51/0x60
[ 144.872120]  __blkdev_get+0x78d/0xf90
[ 144.875888]  ? __blkdev_put+0x7c0/0x7c0
[ 144.879836]  blkdev_get+0x3a1/0xad0
[ 144.883436]  ? do_raw_spin_trylock+0x190/0x190
[ 144.887984]  ? bd_link_disk_holder+0x8b0/0x8b0
[ 144.892532]  ? __fsnotify_parent+0xb4/0x3a0
[ 144.896818]  ? errseq_sample+0xee/0x140
[ 144.900757]  ? _copy_to_user+0xc0/0xc0
[ 144.904610]  ? _raw_spin_unlock+0x22/0x30
[ 144.908725]  blkdev_open+0x1c9/0x250
[ 144.912405]  ? security_file_open+0x89/0x190
[ 144.916780]  do_dentry_open+0x664/0xd40
[ 144.920719]  ? security_inode_permission+0xbb/0xf0
[ 144.925614]  ? bd_acquire+0x2c0/0x2c0
[ 144.929381]  vfs_open+0x107/0x220
[ 144.932802]  path_openat+0x1151/0x3520
[ 144.936661]  ? path_lookupat+0xba0/0xba0
[ 144.940689]  ? lock_downgrade+0x990/0x990
[ 144.944799]  ? getname+0x19/0x20
[ 144.948132]  ? do_raw_spin_trylock+0x190/0x190
[ 144.952679]  ? find_held_lock+0x35/0x1d0
[ 144.956705]  ? __lock_is_held+0xb6/0x140
[ 144.960732]  ? _find_next_bit+0xee/0x120
[ 144.964769]  ? _raw_spin_unlock+0x22/0x30
[ 144.968883]  ? __alloc_fd+0x29b/0x750
[ 144.972656]  do_filp_open+0x25b/0x3b0
[ 144.976423]  ? may_open_dev+0xe0/0xe0
[ 144.980195]  ? mpi_resize+0x200/0x200
[ 144.983961]  ? get_unused_fd_flags+0x121/0x190
[ 144.988508]  ? getname_flags+0x256/0x580
[ 144.992540]  do_sys_open+0x502/0x6d0
[ 144.996220]  ? do_sys_open+0x502/0x6d0
[ 145.000080]  ? filp_open+0x70/0x70
[ 145.003585]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 145.008394]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 145.013380]  SyS_open+0x2d/0x40
[ 145.016626]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 145.021345] RIP: 0033:0x7eff1919c120
[ 145.025023] RSP: 002b:00007ffec5237e18 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 145.032693] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007eff1919c120
[ 145.039927] RDX: 00007ffec5239f34 RSI: 0000000000000000 RDI: 00007ffec5239f34
[ 145.047161] RBP: 0000000000000082 R08: 0000000000000078 R09: 0000000000000000
[ 145.054397] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000feb030
[ 145.061630] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000005
[ 145.069342] Dumping ftrace buffer:
[ 145.072856]    (ftrace buffer empty)
[ 145.076532] Kernel Offset: disabled
[ 145.080123] Rebooting in 86400 seconds..