INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-android-49-kasan-gce-8,10.128.0.21' (ECDSA) to the list of known hosts.
2017/10/25 04:45:00 parsed 1 programs
2017/10/25 04:45:00 executed programs: 0
2017/10/25 04:45:05 executed programs: 214
2017/10/25 04:45:10 executed programs: 415

syzkaller login: [   55.159194] ==================================================================
[   55.160334] BUG: KASAN: use-after-free in disk_unblock_events+0x51/0x60 at addr ffff8801c79fda60
[   55.161498] Read of size 8 by task blkid/6860
[   55.162117] CPU: 1 PID: 6860 Comm: blkid Not tainted 4.9.58-g27155df #71
[   55.163026] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   55.164246]  ffff8801cfcf7760 ffffffff81d91149 ffff8801da002000 ffff8801c79fd500
[   55.165376]  ffff8801c79fdd00 ffffed0038f3fb4c ffff8801c79fda60 ffff8801cfcf7788
[   55.166505]  ffffffff8153c01c ffffed0038f3fb4c ffff8801da002000 0000000000000000
[   55.167639] Call Trace:
[   55.167993]  [] dump_stack+0xc1/0x128
[   55.168715]  [] kasan_object_err+0x1c/0x70
[   55.169490]  [] kasan_report.part.1+0x21c/0x500
[   55.170309]  [] ? disk_unblock_events+0x51/0x60
[   55.171129]  [] ? dev_attr_show+0xc0/0xc0
[   55.171882]  [] __asan_report_load8_noabort+0x29/0x30
[   55.172768]  [] disk_unblock_events+0x51/0x60
[   55.173565]  [] __blkdev_get+0x4b5/0xd50
[   55.174329]  [] ? avc_has_perm+0xb0/0x4f0
[   55.175118]  [] ? __blkdev_put+0x7e0/0x7e0
[   55.175931]  [] blkdev_get+0x33b/0x960
[   55.176650]  [] ? bd_link_disk_holder+0x6c0/0x6c0
[   55.177510]  [] ? bd_acquire+0x27/0x250
[   55.178258]  [] ? bd_acquire+0x88/0x250
[   55.179020]  [] ? _raw_spin_unlock+0x2c/0x50
[   55.182857]  [] blkdev_open+0x1a5/0x250
[   55.188359]  [] do_dentry_open+0x607/0xc60
[   55.194119]  [] ? blkdev_get_by_dev+0x60/0x60
[   55.200139]  [] vfs_open+0x105/0x220
[   55.205379]  [] ? may_open+0x231/0x2e0
[   55.210792]  [] path_openat+0x5ac/0x2910
[   55.216380]  [] ? path_lookupat+0x3f0/0x3f0
[   55.222228]  [] ? filemap_map_pages+0x607/0xd70
[   55.228424]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   55.235401]  [] ? find_lock_entry+0x3e0/0x3e0
[   55.241425]  [] ? lru_cache_add+0xd9/0x1e0
[   55.247189]  [] ? handle_mm_fault+0x1ba1/0x2530
[   55.253384]  [] do_filp_open+0x197/0x290
[   55.258972]  [] ? may_open_dev+0xe0/0xe0
[   55.264563]  [] ? _raw_spin_unlock+0x2c/0x50
[   55.270498]  [] ? __alloc_fd+0x1d7/0x510
[   55.276083]  [] do_sys_open+0x352/0x4c0
[   55.281583]  [] ? filp_open+0x70/0x70
[   55.286924]  [] ? mm_fault_error+0x2c0/0x2c0
[   55.292860]  [] SyS_open+0x2d/0x40
[   55.297931]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[   55.304474] Object at ffff8801c79fd500, in cache kmalloc-2048 size: 2048
[   55.311276] Allocated:
[   55.313737] PID = 6836
[   55.316201]  save_stack_trace+0x16/0x20
[   55.320138]  save_stack+0x43/0xd0
[   55.323557]  kasan_kmalloc+0xad/0xe0
[   55.327234]  kmem_cache_alloc_trace+0xfb/0x2a0
[   55.331783]  alloc_disk_node+0x54/0x3b0
[   55.335719]  alloc_disk+0x18/0x20
[   55.339138]  loop_add+0x324/0x770
[   55.342555]  loop_probe+0x155/0x180
[   55.346146]  kobj_lookup+0x2ac/0x410
[   55.349824]  get_gendisk+0x37/0x2d0
[   55.353413]  blkdev_get+0x110/0x960
[   55.357002]  blkdev_open+0x1a5/0x250
[   55.360678]  do_dentry_open+0x607/0xc60
[   55.364615]  vfs_open+0x105/0x220
[   55.368031]  path_openat+0x5ac/0x2910
[   55.371794]  do_filp_open+0x197/0x290
[   55.375559]  do_sys_open+0x352/0x4c0
[   55.379235]  SyS_open+0x2d/0x40
[   55.382487]  entry_SYSCALL_64_fastpath+0x23/0xc6
[   55.387204] Freed:
[   55.389318] PID = 6860
[   55.391779]  save_stack_trace+0x16/0x20
[   55.395716]  save_stack+0x43/0xd0
[   55.399132]  kasan_slab_free+0x73/0xc0
[   55.402981]  kfree+0xf0/0x2f0
[   55.406051]  disk_release+0x259/0x330
[   55.409827]  device_release+0x7c/0x210
[   55.413682]  kobject_release+0xed/0x1a0
[   55.417620]  kobject_put+0x63/0xc0
[   55.421125]  put_disk+0x23/0x30
[   55.424369]  __blkdev_get+0x415/0xd50
[   55.428133]  blkdev_get+0x33b/0x960
[   55.431726]  blkdev_open+0x1a5/0x250
[   55.435405]  do_dentry_open+0x607/0xc60
[   55.439353]  vfs_open+0x105/0x220
[   55.442774]  path_openat+0x5ac/0x2910
[   55.446540]  do_filp_open+0x197/0x290
[   55.450304]  do_sys_open+0x352/0x4c0
[   55.453983]  SyS_open+0x2d/0x40
[   55.457226]  entry_SYSCALL_64_fastpath+0x23/0xc6
[   55.461943] Memory state around the buggy address:
[   55.466838]  ffff8801c79fd900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   55.474160]  ffff8801c79fd980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   55.481482] >ffff8801c79fda00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   55.488805]                                                        ^
[   55.495261]  ffff8801c79fda80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   55.502582]  ffff8801c79fdb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   55.509904] ==================================================================