Warning: Permanently added '10.128.0.104' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 40.645936] ==================================================================
[ 40.653523] BUG: KASAN: use-after-free in disk_unblock_events+0x55/0x60
[ 40.660433] Read of size 8 at addr ffff8801d3147c68 by task syz-executor168/2191
[ 40.667971]
[ 40.669611] CPU: 1 PID: 2191 Comm: syz-executor168 Not tainted 4.4.174+ #17
[ 40.676863] 0000000000000000 a39953c38ea83aea ffff8801d2cef6c0 ffffffff81aad1a1
[ 40.685194] 0000000000000000 ffffea00074c5000 ffff8801d3147c68 0000000000000008
[ 40.693340] 0000000000000000 ffff8801d2cef6f8 ffffffff81490120 0000000000000000
[ 40.701482] Call Trace:
[ 40.704092] [] dump_stack+0xc1/0x120
[ 40.709473] [] print_address_description+0x6f/0x21b
[ 40.716241] [] kasan_report.cold+0x8c/0x2be
[ 40.722233] [] ? disk_unblock_events+0x55/0x60
[ 40.728480] [] __asan_report_load8_noabort+0x14/0x20
[ 40.735256] [] disk_unblock_events+0x55/0x60
[ 40.741415] [] __blkdev_get+0x70c/0xdf0
[ 40.747053] [] ? __blkdev_put+0x840/0x840
[ 40.752953] [] ? trace_hardirqs_on+0x10/0x10
[ 40.759027] [] blkdev_get+0x2e8/0x920
[ 40.764491] [] ? bd_may_claim+0xd0/0xd0
[ 40.770126] [] ? bd_acquire+0x8a/0x370
[ 40.775763] [] ? _raw_spin_unlock+0x2d/0x50
[ 40.781759] [] blkdev_open+0x1aa/0x250
[ 40.787314] [] do_dentry_open+0x38f/0xbd0
[ 40.793125] [] ? __inode_permission2+0x9e/0x250
[ 40.799552] [] ? blkdev_get_by_dev+0x80/0x80
[ 40.805620] [] vfs_open+0x10b/0x210
[ 40.810909] [] ? may_open.isra.0+0xe7/0x210
[ 40.816897] [] path_openat+0x136f/0x4470
[ 40.822757] [] ? kasan_kmalloc.part.0+0xc6/0xf0
[ 40.829093] [] ? may_open.isra.0+0x210/0x210
[ 40.835250] [] ? trace_hardirqs_on+0x10/0x10
[ 40.841440] [] do_filp_open+0x1a1/0x270
[ 40.847165] [] ? user_path_mountpoint_at+0x50/0x50
[ 40.853760] [] ? do_dup2+0x3d0/0x3d0
[ 40.859396] [] ? _raw_spin_unlock+0x2d/0x50
[ 40.865378] [] do_sys_open+0x2f8/0x600
[ 40.871267] [] ? filp_open+0x70/0x70
[ 40.876760] [] ? __do_page_fault+0x2b3/0x7f0
[ 40.882835] [] compat_SyS_open+0x2a/0x40
[ 40.888658] [] ? compat_SyS_getdents64+0x270/0x270
[ 40.895293] [] do_fast_syscall_32+0x32d/0xa90
[ 40.901537] [] sysenter_flags_fixed+0xd/0x1a
[ 40.907601]
[ 40.909237] Allocated by task 2191:
[ 40.912867] [] save_stack_trace+0x26/0x50
[ 40.918834] [] kasan_kmalloc.part.0+0x62/0xf0
[ 40.925139] [] kasan_kmalloc+0xb7/0xd0
[ 40.930877] [] kmem_cache_alloc_trace+0x123/0x2d0
[ 40.937534] [] alloc_disk_node+0x50/0x3c0
[ 40.943491] [] alloc_disk+0x1b/0x20
[ 40.948949] [] loop_add+0x380/0x830
[ 40.954580] [] loop_control_ioctl+0x138/0x2f0
[ 40.960888] [] compat_SyS_ioctl+0x403/0x2210
[ 40.967108] [] do_fast_syscall_32+0x32d/0xa90
[ 40.973465] [] sysenter_flags_fixed+0xd/0x1a
[ 40.979750]
[ 40.981386] Freed by task 2191:
[ 40.984672] [] save_stack_trace+0x26/0x50
[ 40.990678] [] kasan_slab_free+0xb0/0x190
[ 40.996684] [] kfree+0xf4/0x310
[ 41.001844] [] disk_release+0x255/0x330
[ 41.007748] [] device_release+0x7d/0x220
[ 41.013625] [] kobject_put+0x14c/0x260
[ 41.019323] [] put_disk+0x23/0x30
[ 41.024592] [] __blkdev_get+0x66c/0xdf0
[ 41.030386] [] blkdev_get+0x2e8/0x920
[ 41.035993] [] blkdev_open+0x1aa/0x250
[ 41.041682] [] do_dentry_open+0x38f/0xbd0
[ 41.048040] [] vfs_open+0x10b/0x210
[ 41.053481] [] path_openat+0x136f/0x4470
[ 41.059355] [] do_filp_open+0x1a1/0x270
[ 41.065139] [] do_sys_open+0x2f8/0x600
[ 41.070880] [] compat_SyS_open+0x2a/0x40
[ 41.076973] [] do_fast_syscall_32+0x32d/0xa90
[ 41.083279] [] sysenter_flags_fixed+0xd/0x1a
[ 41.089584]
[ 41.091225] The buggy address belongs to the object at ffff8801d3147700
[ 41.091225] which belongs to the cache kmalloc-2048 of size 2048
[ 41.104217] The buggy address is located 1384 bytes inside of
[ 41.104217] 2048-byte region [ffff8801d3147700, ffff8801d3147f00)
[ 41.116529] The buggy address belongs to the page:
[ 41.121948] kasan: CONFIG_KASAN_INLINE enabled
[ 41.126468] kasan: CONFIG_KASAN_INLINE enabledkasan: GPF could be caused by NULL-ptr deref or user memory access
[ 41.137181] ------------[ cut here ]------------
[ 41.142289] WARNING: CPU: 0 PID: 2084 at kernel/sched/core.c:7941 __might_sleep+0x138/0x1a0()
[ 41.150974] do not call blocking ops when !TASK_RUNNING; state=1 set at [] do_wait+0x265/0xa00
[ 41.161586] Kernel panic - not syncing: panic_on_warn set ...
[ 41.161586]
[ 42.320640] Shutting down cpus with NMI
[ 42.325456] Kernel Offset: disabled
[ 42.329263] Rebooting in 86400 seconds..