[ ok ] Starting enhanced syslogd: rsyslogd.
[ 15.953939] audit: type=1400 audit(1555444869.944:4): avc: denied { syslog } for pid=1921 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.10' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 70.820468] ==================================================================
[ 70.833588] BUG: KASAN: use-after-free in disk_unblock_events+0x55/0x60
[ 70.840344] Read of size 8 at addr ffff8801d3a69668 by task syz-executor330/2129
[ 70.847875]
[ 70.849571] CPU: 1 PID: 2129 Comm: syz-executor330 Not tainted 4.4.174+ #4
[ 70.867626] 0000000000000000 e4462a4f19dfa746 ffff8800b6777730 ffffffff81aad1a1
[ 70.875824] 0000000000000000 ffffea00074e9a00 ffff8801d3a69668 0000000000000008
[ 70.883893] 0000000000000000 ffff8800b6777768 ffffffff81490120 0000000000000000
[ 70.891979] Call Trace:
[ 70.894572] [] dump_stack+0xc1/0x120
[ 70.900034] [] print_address_description+0x6f/0x21b
[ 70.906715] [] kasan_report.cold+0x8c/0x2be
[ 70.912707] [] ? disk_unblock_events+0x55/0x60
[ 70.918964] [] __asan_report_load8_noabort+0x14/0x20
[ 70.925735] [] disk_unblock_events+0x55/0x60
[ 70.931810] [] __blkdev_get+0x70c/0xdf0
[ 70.937448] [] ? __blkdev_put+0x840/0x840
[ 70.943256] [] ? trace_hardirqs_on+0x10/0x10
[ 70.949325] [] blkdev_get+0x2e8/0x920
[ 70.954787] [] ? bd_may_claim+0xd0/0xd0
[ 70.960424] [] ? bd_acquire+0x8a/0x370
[ 70.965976] [] ? _raw_spin_unlock+0x2d/0x50
[ 70.971966] [] blkdev_open+0x1aa/0x250
[ 70.977519] [] do_dentry_open+0x38f/0xbd0
[ 70.983332] [] ? __inode_permission2+0x9e/0x250
[ 70.989667] [] ? blkdev_get_by_dev+0x80/0x80
[ 70.995740] [] vfs_open+0x10b/0x210
[ 71.001032] [] ? may_open.isra.0+0xe7/0x210
[ 71.007021] [] path_openat+0x136f/0x4470
[ 71.012777] [] ? kasan_kmalloc.part.0+0xc6/0xf0
executing program
[ 71.019111] [] ? may_open.isra.0+0x210/0x210
[ 71.025184] [] ? trace_hardirqs_on+0x10/0x10
[ 71.031260] [] do_filp_open+0x1a1/0x270
[ 71.036898] [] ? user_path_mountpoint_at+0x50/0x50
[ 71.043509] [] ? __alloc_fd+0x1ea/0x490
[ 71.049150] [] ? _raw_spin_unlock+0x2d/0x50
[ 71.055138] [] do_sys_open+0x2f8/0x600
[ 71.060687] [] ? filp_open+0x70/0x70
[ 71.066062] [] ? retint_user+0x18/0x3c
executing program
[ 71.071612] [] ? trace_hardirqs_on_caller+0x385/0x5a0
[ 71.078462] [] SyS_open+0x2d/0x40
[ 71.083571] [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 71.090137]
[ 71.091755] Allocated by task 2129:
[ 71.095359] [] save_stack_trace+0x26/0x50
[ 71.101301] [] kasan_kmalloc.part.0+0x62/0xf0
[ 71.107587] [] kasan_kmalloc+0xb7/0xd0
[ 71.113267] [] kmem_cache_alloc_trace+0x123/0x2d0
executing program
[ 71.119915] [] alloc_disk_node+0x50/0x3c0
[ 71.125864] [] alloc_disk+0x1b/0x20
[ 71.131286] [] loop_add+0x380/0x830
[ 71.136701] [] loop_control_ioctl+0x138/0x2f0
[ 71.142976] [] do_vfs_ioctl+0x6e7/0xfa0
[ 71.148736] [] SyS_ioctl+0x8f/0xc0
[ 71.154066] [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 71.160792]
[ 71.162421] Freed by task 2129:
[ 71.165691] [] save_stack_trace+0x26/0x50
executing program
[ 71.171627] [] kasan_slab_free+0xb0/0x190
[ 71.177602] [] kfree+0xf4/0x310
[ 71.182673] [] disk_release+0x255/0x330
[ 71.188440] [] device_release+0x7d/0x220
[ 71.194291] [] kobject_put+0x14c/0x260
[ 71.199973] [] put_disk+0x23/0x30
[ 71.205335] [] __blkdev_get+0x66c/0xdf0
[ 71.211105] [] blkdev_get+0x2e8/0x920
[ 71.216695] [] blkdev_open+0x1aa/0x250
executing program
[ 71.222373] [] do_dentry_open+0x38f/0xbd0
[ 71.228310] [] vfs_open+0x10b/0x210
[ 71.233723] [] path_openat+0x136f/0x4470
[ 71.239573] [] do_filp_open+0x1a1/0x270
[ 71.245343] [] do_sys_open+0x2f8/0x600
[ 71.251028] [] SyS_open+0x2d/0x40
[ 71.256255] [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 71.262976]
[ 71.264602] The buggy address belongs to the object at ffff8801d3a69100
executing program
[ 71.264602]  which belongs to the cache kmalloc-2048 of size 2048
[ 71.277436] The buggy address is located 1384 bytes inside of
[ 71.277436]  2048-byte region [ffff8801d3a69100, ffff8801d3a69900)
[ 71.289485] The buggy address belongs to the page:
[ 71.294607] ------------[ cut here ]------------
[ 71.299419] WARNING: CPU: 0 PID: -2126336944 at kernel/locking/lockdep.c:3198 __lock_acquire+0x278d/0x4f50()
[ 71.309397] DEBUG_LOCKS_WARN_ON(chain_key != 0)
[ 71.313912] Kernel panic - not syncing: panic_on_warn set ...
[ 71.313912]
[ 71.321617] CPU: 0 PID: -2126336944 Comm: Not tainted 4.4.174+ #4
[ 71.327957] 0000000000000000 db6fd8ae1c34b988 ffff8800b6e97630 ffffffff81aad1a1
[ 71.336069] ffff8800b6e97780 ffffffff82835ee0 ffffffff8284bd20 0000000000000c7e
[ 71.344187] ffffffff81201d3d ffff8800b6e97710 ffffffff813a48c2 0000000041b58ab3
[ 71.352324] Call Trace:
[ 71.354911]
[ 72.515491] Shutting down cpus with NMI
[ 72.520157] Kernel Offset: disabled
[ 72.523776] ------------[ cut here ]------------
[ 72.528527] WARNING: CPU: 0 PID: -2126336944 at kernel/rcu/update.c:211 __rcu_read_unlock+0x140/0x1a0()
[ 72.538037] Modules linked in:
[ 72.541332] CPU: 0 PID: -2126336944 Comm: Not tainted 4.4.174+ #4
[ 72.547631] 0000000000000000 db6fd8ae1c34b988 ffff8800b6e97548 ffffffff81aad1a1
[ 72.555649] 0000000000000000 0000000000000009 ffffffff82859540 00000000000000d3
[ 72.563643] ffffffff8123abb0 ffff8800b6e97588 ffffffff810d3849 ffff8800b6e97568
[ 72.571658] Call Trace:
[ 72.574214]
[ 72.576275] ---[ end trace f7c35167f4461458 ]---
[ 72.581321] Rebooting in 86400 seconds..