[....] Starting enhanced syslogd: rsyslogd[   13.166583] audit: type=1400 audit(1548685640.261:4): avc:  denied  { syslog } for  pid=1923 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.97' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   51.205759] ==================================================================
[   51.213187] BUG: KASAN: use-after-free in disk_unblock_events+0x55/0x60
[   51.220051] Read of size 8 at addr ffff8800bb48f3e8 by task blkid/2682
[   51.226715] 
[   51.228349] CPU: 0 PID: 2682 Comm: blkid Not tainted 4.4.172+ #13
[   51.234575]  0000000000000000 332adde1b6e14b29 ffff8800bb4cf730 ffffffff81aacde1
[   51.242667]  0000000000000000 ffffea0002ed2200 ffff8800bb48f3e8 0000000000000008
[   51.250731]  0000000000000000 ffff8800bb4cf768 ffffffff8148fedd 0000000000000000
[   51.258812] Call Trace:
[   51.261413]  [<ffffffff81aacde1>] dump_stack+0xc1/0x120
[   51.266787]  [<ffffffff8148fedd>] print_address_description+0x6f/0x21b
[   51.273455]  [<ffffffff81490115>] kasan_report.cold+0x8c/0x2be
[   51.279437]  [<ffffffff81a825a5>] ? disk_unblock_events+0x55/0x60
[   51.285665]  [<ffffffff81484cc4>] __asan_report_load8_noabort+0x14/0x20
[   51.292436]  [<ffffffff81a825a5>] disk_unblock_events+0x55/0x60
[   51.298508]  [<ffffffff8154ec0c>] __blkdev_get+0x70c/0xdf0
[   51.304146]  [<ffffffff8154e500>] ? __blkdev_put+0x840/0x840
[   51.309959]  [<ffffffff811ff3a0>] ? trace_hardirqs_on+0x10/0x10
[   51.316020]  [<ffffffff81551578>] blkdev_get+0x2e8/0x920
[   51.321472]  [<ffffffff81551290>] ? bd_may_claim+0xd0/0xd0
[   51.327094]  [<ffffffff815509ba>] ? bd_acquire+0x8a/0x370
[   51.332633]  [<ffffffff827179ed>] ? _raw_spin_unlock+0x2d/0x50
[   51.338614]  [<ffffffff81551dda>] blkdev_open+0x1aa/0x250
[   51.344155]  [<ffffffff8149130f>] do_dentry_open+0x38f/0xbd0
[   51.350834]  [<ffffffff814b69ce>] ? __inode_permission2+0x9e/0x250
[   51.357159]  [<ffffffff81551c30>] ? blkdev_get_by_dev+0x80/0x80
[   51.363221]  [<ffffffff81494afb>] vfs_open+0x10b/0x210
[   51.368510]  [<ffffffff814c4587>] ? may_open.isra.0+0xe7/0x210
[   51.374493]  [<ffffffff814c5a1f>] path_openat+0x136f/0x4470
[   51.380216]  [<ffffffff81483d76>] ? kasan_kmalloc.part.0+0xc6/0xf0
[   51.386557]  [<ffffffff814c46b0>] ? may_open.isra.0+0x210/0x210
[   51.392631]  [<ffffffff811ff3a0>] ? trace_hardirqs_on+0x10/0x10
[   51.398705]  [<ffffffff814cc6f1>] do_filp_open+0x1a1/0x270
[   51.404343]  [<ffffffff814cc550>] ? user_path_mountpoint_at+0x50/0x50
[   51.410934]  [<ffffffff814f2f2a>] ? __alloc_fd+0x1ea/0x490
[   51.416566]  [<ffffffff827179ed>] ? _raw_spin_unlock+0x2d/0x50
[   51.422536]  [<ffffffff81495428>] do_sys_open+0x2f8/0x600
[   51.428080]  [<ffffffff81495130>] ? filp_open+0x70/0x70
[   51.433444]  [<ffffffff827191d5>] ? retint_user+0x18/0x3c
[   51.438980]  [<ffffffff811ff175>] ? trace_hardirqs_on_caller+0x385/0x5a0
[   51.445820]  [<ffffffff8149575d>] SyS_open+0x2d/0x40
[   51.450927]  [<ffffffff82718621>] entry_SYSCALL_64_fastpath+0x1e/0x9a
[   51.457497] 
[   51.459120] Allocated by task 2674:
[   51.462733]  [<ffffffff8102e3c6>] save_stack_trace+0x26/0x50
[   51.468674]  [<ffffffff81483d12>] kasan_kmalloc.part.0+0x62/0xf0
[   51.474947]  [<ffffffff81483f87>] kasan_kmalloc+0xb7/0xd0
[   51.480617]  [<ffffffff8147ff93>] kmem_cache_alloc_trace+0x123/0x2d0
[   51.487703]  [<ffffffff81a81790>] alloc_disk_node+0x50/0x3c0
[   51.493889]  [<ffffffff81a81b1b>] alloc_disk+0x1b/0x20
[   51.499306]  [<ffffffff81d43130>] loop_add+0x380/0x830
[   51.504713]  [<ffffffff81d43bc2>] loop_control_ioctl+0x132/0x2f0
[   51.510984]  [<ffffffff814d2037>] do_vfs_ioctl+0x6e7/0xfa0
[   51.516737]  [<ffffffff814d297f>] SyS_ioctl+0x8f/0xc0
[   51.522071]  [<ffffffff82718621>] entry_SYSCALL_64_fastpath+0x1e/0x9a
[   51.528786] 
[   51.530419] Freed by task 2682:
[   51.533697]  [<ffffffff8102e3c6>] save_stack_trace+0x26/0x50
[   51.539634]  [<ffffffff81484610>] kasan_slab_free+0xb0/0x190
[   51.545567]  [<ffffffff81481a34>] kfree+0xf4/0x310
[   51.550633]  [<ffffffff81a7ffb5>] disk_release+0x255/0x330
[   51.556390]  [<ffffffff81cf745d>] device_release+0x7d/0x220
[   51.562255]  [<ffffffff81ab2cdc>] kobject_put+0x14c/0x260
[   51.567934]  [<ffffffff81a7dc53>] put_disk+0x23/0x30
[   51.573178]  [<ffffffff8154eb6c>] __blkdev_get+0x66c/0xdf0
[   51.578934]  [<ffffffff81551578>] blkdev_get+0x2e8/0x920
[   51.584522]  [<ffffffff81551dda>] blkdev_open+0x1aa/0x250
[   51.590191]  [<ffffffff8149130f>] do_dentry_open+0x38f/0xbd0
[   51.596131]  [<ffffffff81494afb>] vfs_open+0x10b/0x210
[   51.601549]  [<ffffffff814c5a1f>] path_openat+0x136f/0x4470
[   51.607403]  [<ffffffff814cc6f1>] do_filp_open+0x1a1/0x270
[   51.613166]  [<ffffffff81495428>] do_sys_open+0x2f8/0x600
[   51.618820]  [<ffffffff8149575d>] SyS_open+0x2d/0x40
[   51.624024]  [<ffffffff82718621>] entry_SYSCALL_64_fastpath+0x1e/0x9a
[   51.630706] 
[   51.632314] The buggy address belongs to the object at ffff8800bb48ee80
[   51.632314]  which belongs to the cache kmalloc-2048 of size 2048
[   51.645147] The buggy address is located 1384 bytes inside of
[   51.645147]  2048-byte region [ffff8800bb48ee80, ffff8800bb48f680)
[   51.657269] The buggy address belongs to the page:
[   51.664290] BUG: unable to handle kernel paging request at fffffbfffc053b4b
[   51.671758] IP: [<ffffffff8123ae1d>] rcu_sync_lockdep_assert+0x5d/0xb0
[   51.678570] PGD 21ff68067 PUD 21ff67067 PMD 0 
[   51.683568] Oops: 0000 [#1] PREEMPT SMP KASAN
[   51.688603] Modules linked in:
[   51.691939] CPU: 1 PID: 2955 Comm: syz-executor553 Not tainted 4.4.172+ #13
[   51.699043] task: ffff8801cea90000 task.stack: ffff8801cea98000
[   51.705117] RIP: 0010:[<ffffffff8123ae1d>]  [<ffffffff8123ae1d>] rcu_sync_lockdep_assert+0x5d/0xb0
[   51.714370] RSP: 0018:ffff8801cea9fc20  EFLAGS: 00010a06
[   51.719827] RAX: dffffc0000000000 RBX: 0000000002ed2200 RCX: 1ffffffff05f7178
[   51.727106] RDX: 1ffffffffc053b4b RSI: ffffffff81b0a7fc RDI: ffffffffe029da58
[   51.734384] RBP: ffff8801cea9fc28 R08: ffff8801d4dd59a0 R09: 0000000000000000
[   51.741672] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000148
[   51.748965] R13: ffff8800bb496600 R14: ffff8800bb4969b8 R15: 0000000000000000
[   51.756261] FS:  0000000002599880(0063) GS:ffff8801db700000(0000) knlGS:0000000000000000
[   51.764498] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   51.770383] CR2: fffffbfffc053b4b CR3: 00000001d9153000 CR4: 00000000001606b0
[   51.777769] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   51.785050] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   51.792350] Stack:
[   51.794499]  ffff8800bb4969b8 ffff8801cea9fc68 ffffffff8149e59f 0000001d811ea67b
[   51.802602]  ffff8801d6dcb720 ffff8801d40ce620 ffff8801d40ce670 ffff8801d42d5888
[   51.810703]  0000000000000001 ffff8801cea9fd00 ffffffff814b0bf4 ffff8801cea90008
[   51.818918] Call Trace:
[   51.821516]  [<ffffffff8149e59f>] __sb_start_write+0xdf/0x310
[   51.827421]  [<ffffffff814b0bf4>] pipe_write+0x8f4/0xe70
[   51.832866]  [<ffffffff81496788>] __vfs_write+0x2e8/0x3d0
[   51.838404]  [<ffffffff814964a0>] ? __vfs_read+0x3c0/0x3c0
[   51.844031]  [<ffffffff81965a85>] ? selinux_file_permission+0x2f5/0x450
[   51.850782]  [<ffffffff81497be3>] ? rw_verify_area+0x103/0x2f0
[   51.856751]  [<ffffffff814982b2>] vfs_write+0x182/0x4e0
[   51.862109]  [<ffffffff8149a8ec>] SyS_write+0xdc/0x1c0
[   51.867386]  [<ffffffff8149a810>] ? SyS_read+0x1c0/0x1c0
[   51.872845]  [<ffffffff810021a4>] ? lockdep_sys_exit_thunk+0x12/0x14
[   51.879340]  [<ffffffff82718621>] entry_SYSCALL_64_fastpath+0x1e/0x9a
[   51.885921] Code: 02 84 c0 74 04 3c 03 7e 60 48 b8 00 00 00 00 00 fc ff df 8b 5b 68 48 89 df 48 c1 e7 05 48 81 c7 58 9a 85 82 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 3f 48 c1 e3 05 48 8b 83 58 9a 85 82 e8 3d 2a 4e 
[   51.913999] RIP  [<ffffffff8123ae1d>] rcu_sync_lockdep_assert+0x5d/0xb0
[   51.920892]  RSP <ffff8801cea9fc20>
[   51.924509] CR2: fffffbfffc053b4b
[   51.927956] ---[ end trace a9f5402e5043da3b ]---
[   51.932708] Kernel panic - not syncing: Fatal exception
SeaBIOS (version 1.8.2-20181029_212248-google)
Total RAM Size = 0x00000001e0000000 = 7680 MiB
CPUs found: 2     Max CPUs supported: 2
found virtio-scsi at 0:3
virtio-scsi vendor='Google' product='PersistentDisk' rev='1' type=0 removable=0
virtio-scsi blksize=512 sectors=4194304 = 2048 MiB
drive 0x000f2a50: PCHS=0/0/0 translation=lba LCHS=520/128/63 s=4194304
Booting from Hard Disk 0...
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 4.4.172+ (syzkaller@ci) (gcc version 9.0.0 20181231 (experimental) (GCC) ) #13 SMP PREEMPT Mon Jan 28 09:44:39 UTC 2019
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz root=/dev/sda1 console=ttyS0 earlyprintk=serial vsyscall=native rodata=n oops=panic panic_on_warn=1 nmi_watchdog=panic panic=86400 workqueue.watchdog_thresh=140 nopti
[    0.000000] KERNEL supported cpus:
[    0.000000]   Intel GenuineIntel
[    0.000000]   AMD AuthenticAMD
[    0.000000] x86/fpu: xstate_offset[2]:  576, xstate_sizes[2]:  256
[    0.000000] x86/fpu: Supporting XSAVE feature 0x01: 'x87 floating point registers'
[    0.000000] x86/fpu: Supporting XSAVE feature 0x02: 'SSE registers'
[    0.000000] x86/fpu: Supporting XSAVE feature 0x04: 'AVX registers'
[    0.000000] x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'standard' format.
[    0.000000] e820: BIOS-provided physical RAM map:
[    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
[    0.000000] BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
[    0.000000] BIOS-e820: [mem 0x0000000000100000-0x00000000bfffcfff] usable
[    0.000000] BIOS-e820: [mem 0x00000000bfffd000-0x00000000bfffffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000fffbc000-0x00000000ffffffff] reserved
[    0.000000] BIOS-e820: [mem 0x0000000100000000-0x000000021fffffff] usable
[    0.000000] bootconsole [earlyser0] enabled
[    0.000000] NX (Execute Disable) protection: active
[    0.000000] Hypervisor detected: KVM
[    0.000000] Kernel/User page tables isolation: disabled
[    0.000000] e820: last_pfn = 0x220000 max_arch_pfn = 0x400000000
[    0.000000] x86/PAT: Configuration [0-7]: WB  WC  UC- UC  UC  UC  UC  UC  
[    0.000000] e820: last_pfn = 0xbfffd max_arch_pfn = 0x400000000
[    0.000000] found SMP MP-table at [mem 0x000f2cc0-0x000f2ccf] mapped at [ffff8800000f2cc0]
[    0.000000] Using GB pages for direct mapping
[    0.000000] ACPI: Early table checksum verification disabled
[    0.000000] ACPI: RSDP 0x00000000000F2A90 000014 (v00 Google)
[    0.000000] ACPI: RSDT 0x00000000BFFFDBA0 000038 (v01 Google GOOGRSDT 00000001 GOOG 00000001)
[    0.000000] ACPI: FACP 0x00000000BFFFFF00 0000F4 (v02 Google GOOGFACP 00000001 GOOG 00000001)
[    0.000000] ACPI: DSDT 0x00000000BFFFDBE0 0017B2 (v01 Google GOOGDSDT 00000001 GOOG 00000001)
[    0.000000] ACPI: FACS 0x00000000BFFFFEC0 000040
[    0.000000] ACPI: FACS 0x00000000BFFFFEC0 000040
[    0.000000] ACPI: SSDT 0x00000000BFFFF590 000930 (v01 Google GOOGSSDT 00000001 GOOG 00000001)
[    0.000000] ACPI: APIC 0x00000000BFFFF4A0 000076 (v01 Google GOOGAPIC 00000001 GOOG 00000001)
[    0.000000] ACPI: WAET 0x00000000BFFFF470 000028 (v01 Google GOOGWAET 00000001 GOOG 00000001)
[    0.000000] ACPI: SRAT 0x00000000BFFFF3A0 0000C8 (v01 Google GOOGSRAT 00000001 GOOG 00000001)
[    0.000000] kvm-clock: Using msrs 4b564d01 and 4b564d00
[    0.000000] kvm-clock: cpu 0, msr 2:1fffd001, primary cpu clock
[    0.000000] kvm-clock: using sched offset of 1880357196 cycles
[    0.000000] clocksource: kvm-clock: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max_idle_ns: 881590591483 ns
[    0.000000] Zone ranges:
[    0.000000]   DMA32    [mem 0x0000000000001000-0x00000000ffffffff]
[    0.000000]   Normal   [mem 0x0000000100000000-0x000000021fffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000001000-0x000000000009efff]
[    0.000000]   node   0: [mem 0x0000000000100000-0x00000000bfffcfff]
[    0.000000]   node   0: [mem 0x0000000100000000-0x000000021fffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000001000-0x000000021fffffff]
[    0.000000] kasan: KernelAddressSanitizer initialized
[    0.000000] ACPI: PM-Timer IO Port: 0xb008
[    0.000000] ACPI: LAPIC_NMI (acpi_id[0xff] dfl dfl lint[0x1])
[    0.000000] IOAPIC[0]: apic_id 0, version 17, address 0xfec00000, GSI 0-23
[    0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level)
[    0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
[    0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)
[    0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)
[    0.000000] Using ACPI (MADT) for SMP configuration information
[    0.000000] smpboot: Allowing 2 CPUs, 0 hotplug CPUs
[    0.000000] e820: [mem 0xc0000000-0xfffbbfff] available for PCI devices
[    0.000000] Booting paravirtualized kernel on KVM
[    0.000000] clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.000000] setup_percpu: NR_CPUS:8 nr_cpumask_bits:8 nr_cpu_ids:2 nr_node_ids:1
[    0.000000] PERCPU: Embedded 41 pages/cpu @ffff8801db600000 s130696 r8192 d29048 u1048576
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 1935238
[    0.000000] Kernel command line: BOOT_IMAGE=/vmlinuz root=/dev/sda1 console=ttyS0 earlyprintk=serial vsyscall=native rodata=n oops=panic panic_on_warn=1 nmi_watchdog=panic panic=86400 workqueue.watchdog_thresh=140 nopti
[    0.000000] PID hash table entries: 4096 (order: 3, 32768 bytes)
[    0.000000] Dentry cache hash table entries: 1048576 (order: 11, 8388608 bytes)
[    0.000000] Inode-cache hash table entries: 524288 (order: 10, 4194304 bytes)