[....] Starting enhanced syslogd: rsyslogd
[ 13.555838] audit: type=1400 audit(1539844081.753:4): avc: denied { syslog } for pid=1918 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ].
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.17' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 44.817917] ==================================================================
[ 44.825308] BUG: KASAN: use-after-free in disk_unblock_events+0x51/0x60
[ 44.832037] Read of size 8 at addr ffff8800b4bf73e8 by task blkid/2339
[ 44.838673]
[ 44.840278] CPU: 1 PID: 2339 Comm: blkid Not tainted 4.4.161+ #1
[ 44.846397] 0000000000000000 d6f7743e666517b2 ffff8801d14af6d0 ffffffff81a9969d
[ 44.854389] ffffea0002d2fc00 ffff8800b4bf73e8 0000000000000000 ffff8800b4bf73e8
executing program
[ 44.862430] 0000000000000000 ffff8801d14af708 ffffffff8148a889 ffff8800b4bf73e8
[ 44.870542] Call Trace:
[ 44.873129] [] dump_stack+0xc1/0x124
[ 44.878479] [] print_address_description+0x6c/0x217
[ 44.885167] [] kasan_report.cold.6+0x175/0x2f7
[ 44.891383] [] ? disk_unblock_events+0x51/0x60
[ 44.897591] [] __asan_report_load8_noabort+0x14/0x20
[ 44.904319] [] disk_unblock_events+0x51/0x60
[ 44.910351] [] __blkdev_get+0x70c/0xdf0
executing program
[ 44.915990] [] ? trace_hardirqs_on+0x10/0x10
[ 44.922024] [] ? __blkdev_put+0x840/0x840
[ 44.927800] [] ? avc_has_perm_noaudit+0x197/0x2f0
[ 44.934270] [] ? avc_has_perm_noaudit+0x90/0x2f0
[ 44.940649] [] ? fsnotify+0x866/0x10c0
[ 44.946165] [] blkdev_get+0x2da/0x920
[ 44.951596] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 44.958321] [] ? bd_may_claim+0xd0/0xd0
executing program
[ 44.963923] [] ? bd_acquire+0x29/0x370
[ 44.969439] [] ? bd_acquire+0x8a/0x370
[ 44.975016] [] ? _raw_spin_unlock+0x2c/0x50
[ 44.980974] [] blkdev_open+0x1a5/0x250
[ 44.986501] [] do_dentry_open+0x38d/0xbd0
[ 44.992275] [] ? __inode_permission2+0x9b/0x240
[ 44.998565] [] ? blkdev_get_by_dev+0x70/0x70
[ 45.004602] [] vfs_open+0x12a/0x210
[ 45.009862] [] ? may_open.isra.18+0x156/0x240
executing program
[ 45.015989] [] path_openat+0x50c/0x39a0
[ 45.021586] [] ? may_open.isra.18+0x240/0x240
[ 45.027750] [] ? getname+0x19/0x20
[ 45.032919] [] ? do_sys_open+0x203/0x610
[ 45.038604] [] ? SyS_open+0x2d/0x40
[ 45.043858] [] ? entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 45.050590] [] ? trace_hardirqs_on+0x10/0x10
[ 45.056626] [] do_filp_open+0x197/0x270
[ 45.062234] [] ? user_path_mountpoint_at+0x70/0x70
executing program
[ 45.068854] [] ? __alloc_fd+0x36/0x4a0
[ 45.074373] [] ? _raw_spin_unlock+0x2c/0x50
[ 45.080360] [] ? __alloc_fd+0x1f3/0x4a0
[ 45.085976] [] do_sys_open+0x31c/0x610
[ 45.091591] [] ? filp_open+0x70/0x70
[ 45.096932] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 45.103750] [] SyS_open+0x2d/0x40
[ 45.108909] [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 45.115467]
executing program
[ 45.117075] Allocated by task 2328:
[ 45.120674] [] save_stack_trace+0x26/0x50
[ 45.126610] [] kasan_kmalloc.part.1+0x62/0xf0
[ 45.132862] [] kasan_kmalloc+0xaf/0xc0
[ 45.138539] [] kmem_cache_alloc_trace+0x117/0x2d0
[ 45.145137] [] alloc_disk_node+0x54/0x3a0
[ 45.151032] [] alloc_disk+0x18/0x20
[ 45.156417] [] loop_add+0x33e/0x780
[ 45.161795] [] loop_control_ioctl+0x136/0x300
executing program
[ 45.168033] [] compat_SyS_ioctl+0x4af/0x2220
[ 45.174188] [] do_fast_syscall_32+0x31e/0xa80
[ 45.180561] [] sysenter_flags_fixed+0xd/0x1a
[ 45.186726]
[ 45.188335] Freed by task 2339:
[ 45.191587] [] save_stack_trace+0x26/0x50
[ 45.197488] [] kasan_slab_free+0xac/0x190
[ 45.203382] [] kfree+0xf4/0x310
[ 45.208411] [] disk_release+0x259/0x330
executing program
[ 45.214139] [] device_release+0x7e/0x220
[ 45.219956] [] kobject_put+0x144/0x260
[ 45.225593] [] put_disk+0x23/0x30
[ 45.230791] [] __blkdev_get+0x66c/0xdf0
[ 45.236511] [] blkdev_get+0x2da/0x920
[ 45.242076] [] blkdev_open+0x1a5/0x250
[ 45.247723] [] do_dentry_open+0x38d/0xbd0
[ 45.253619] [] vfs_open+0x12a/0x210
[ 45.258993] [] path_openat+0x50c/0x39a0
executing program
[ 45.264725] [] do_filp_open+0x197/0x270
[ 45.270495] [] do_sys_open+0x31c/0x610
[ 45.276476] [] SyS_open+0x2d/0x40
[ 45.281725] [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 45.288412]
[ 45.290016] The buggy address belongs to the object at ffff8800b4bf6e80
[ 45.290016]  which belongs to the cache kmalloc-2048 of size 2048
[ 45.302830] The buggy address is located 1384 bytes inside of
[ 45.302830]  2048-byte region [ffff8800b4bf6e80, ffff8800b4bf7680)
[ 45.314853] The buggy address belongs to the page:
[ 45.320626] kasan: CONFIG_KASAN_INLINE enabled
[ 45.325548] audit: type=1400 audit(1539844113.523:5): avc: denied { sigchld } for pid=2082 comm="syz-executor110" scontext=system_u:object_r:unlabeled_t:s0 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=process permissive=1
[ 45.347407] kasan: CONFIG_KASAN_INLINE enabled
[ 45.351812] BUG: unable to handle kernel paging request at fffffffb9762b340
[ 45.351816] IP: [] cpuacct_charge+0x155/0x380
[ 45.351828] PGD 2e0d067 PUD 0
[ 45.351833] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 45.351838] Modules linked in:
[ 45.351844] CPU: 0 PID: 2082 Comm: syz-executor110 Not tainted 4.4.161+ #1
[ 45.351846] task: ffff8800b702c740 task.stack: ffff8800b68d8000
[ 45.351848] RIP: 0010:[] [] cpuacct_charge+0x155/0x380
[ 45.351857] RSP: 0018:ffff8801db607968 EFLAGS: 00010046
[ 45.351859] RAX: 1ffffffff05d2a0b RBX: 00000000000181a8 RCX: ffffffff831a1e40
[ 45.351862] RDX: fffffbff72ec5668 RSI: fffffffb9762b340 RDI: ffffffff82e95058
[ 45.351864] RBP: ffff8801db6079a8 R08: 0000000000000000 R09: 0000000000000000
[ 45.351868] R10: ffffed0043fffa01 R11: 0000000aee7ac21b R12: ffffffff82e94f80
[ 45.351871] R13: dffffc0000000000 R14: 0000000004df40b3 R15: ffffffff828912a0
[ 45.351876] FS: 0000000000000000(0000) GS:ffff8801db600000(0063) knlGS:000000000823a840
[ 45.351879] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 45.351881] CR2: fffffffb9762b340 CR3: 00000000b8151000 CR4: 00000000001606b0
[ 45.351888] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 45.351890] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 45.351891] Stack:
[ 45.351892] ffffffff811f0b60 1ffff1003b6c0f33 ffff8801d127b5c8 ffff8801d1a72fe0
[ 45.351898] ffff8801d1a72f80 0000000004df40b3 ffff8801d1a73030 0000000000000000
[ 45.351902] ffff8801db6079f0 ffffffff8117c439 0000000000000008 0000000000000000
[ 45.351907] Call Trace:
[ 45.351908]
[ 45.351913] [] ? cpuacct_charge+0x60/0x380
[ 45.351919] [] update_curr+0x2c9/0x6d0
[ 45.351925] [] enqueue_task_fair+0x12a/0xab90
[ 45.351929] [] ? select_task_rq_fair+0x4ba/0x2d10
[ 45.351934] [] ? kvm_sched_clock_read+0x9/0x20
[ 45.351938] [] activate_task+0x1dd/0x280
[ 45.351942] [] ttwu_do_activate.constprop.29+0xbf/0x1e0
[ 45.351946] [] try_to_wake_up+0x6dd/0x1120
[ 45.351950] [] default_wake_function+0x35/0x50
[ 45.351957] [] ? check_preemption_disabled+0x3b/0x170
[ 45.351961] [] autoremove_wake_function+0x11/0x40
[ 45.351965] [] __wake_up_common+0xb6/0x150
[ 45.351978] [] __wake_up+0x34/0x50
[ 45.351983] [] wake_up_klogd_work_func+0x80/0x90
[ 45.351989] [] irq_work_run_list+0xd7/0x140
[ 45.351993] [] irq_work_tick+0x116/0x170
[ 45.351998] [] update_process_times+0x69/0x70
[ 45.352004] [] tick_sched_handle.isra.6+0x4a/0xf0
[ 45.352007] [] tick_sched_timer+0x76/0x130
[ 45.352011] [] ? tick_sched_handle.isra.6+0xf0/0xf0
[ 45.352015] [] __hrtimer_run_queues+0x390/0xfc0
[ 45.352022] [] ? _raw_spin_unlock_irq+0x38/0x50
[ 45.352026] [] ? hrtimer_fixup_init+0x70/0x70
[ 45.352029] [] ? kvm_clock_read+0x23/0x40
[ 45.352033] [] ? kvm_clock_get_cycles+0x9/0x10
[ 45.352037] [] ? hrtimer_interrupt+0x12d/0x430
[ 45.352040] [] hrtimer_interrupt+0x1b1/0x430
[ 45.352045] [] local_apic_timer_interrupt+0x74/0xa0
[ 45.352049] [] smp_apic_timer_interrupt+0x7c/0xa0
[ 45.352053] [] apic_timer_interrupt+0x9d/0xb0
[ 45.352055]
[ 45.352059] [] ? console_unlock+0x8c4/0xa10
[ 45.352062] [] ? console_unlock+0x8ce/0xa10
[ 45.352066] [] ? _raw_spin_unlock_irqrestore+0x45/0x70
[ 45.352070] [] ? vprintk_emit+0x3af/0x830
[ 45.352073] [] vprintk_emit+0x3f5/0x830
[ 45.352077] [] vprintk+0x28/0x30
[ 45.352080] [] vprintk_default+0x1d/0x30
[ 45.352085] [] printk+0xaf/0xd7
[ 45.352089] [] ? log_wakeup_reason.cold.1+0x13f/0x13f
[ 45.352094] [] ? kasan_die_handler.cold.3+0x5/0x22
[ 45.352097] [] kasan_die_handler.cold.3+0x11/0x22
[ 45.352102] [] notifier_call_chain+0xb9/0x1e0
[ 45.352106] [] __atomic_notifier_call_chain+0x87/0x150
[ 45.352110] [] ? raw_notifier_call_chain+0x40/0x40
[ 45.352113] [] notify_die+0xe2/0x160
[ 45.352117] [] ? blocking_notifier_call_chain+0xa0/0xa0
[ 45.352122] [] ? wait_consider_task+0x1895/0x35e0
[ 45.352128] [] ? search_exception_tables+0x31/0x40
[ 45.352133] [] do_general_protection+0x20a/0x2b0
[ 45.352136] [] general_protection+0x25/0x30
[ 45.352140] [] ? wait_consider_task+0x182b/0x35e0
[ 45.352144] [] ? wait_consider_task+0x1895/0x35e0
[ 45.352149] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 45.352153] [] ? complete_and_exit+0x40/0x40
[ 45.352156] [] ? do_wait+0x2ce/0xa30
[ 45.352160] [] do_wait+0x366/0xa30
[ 45.352164] [] ? wait_consider_task+0x35e0/0x35e0
[ 45.352168] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 45.352172] [] SyS_wait4+0x12b/0x1f0
[ 45.352175] [] ? SyS_waitid+0x2d0/0x2d0
[ 45.352179] [] ? kill_orphaned_pgrp+0x390/0x390
[ 45.352183] [] ? kvm_clock_read+0x23/0x40
[ 45.352186] [] ? kvm_clock_get_cycles+0x9/0x10
[ 45.352192] [] compat_SyS_wait4+0x25a/0x2a0
[ 45.352195] [] ? put_compat_rusage+0x550/0x550
[ 45.352200] [] ? SyS_clock_gettime+0x11e/0x1e0
[ 45.352204] [] ? SyS_clock_settime+0x210/0x210
[ 45.352209] [] ? __compat_put_timespec.isra.3+0xc7/0x140
[ 45.352213] [] ? compat_SyS_clock_gettime+0x14d/0x1d0
[ 45.352217] [] ? compat_SyS_clock_settime+0x1b0/0x1b0
[ 45.352223] [] ? __do_page_fault+0x2b6/0x7e0
[ 45.352227] [] sys32_waitpid+0x25/0x30
[ 45.352231] [] ? sys32_mmap+0x110/0x110
[ 45.352236] [] do_fast_syscall_32+0x31e/0xa80
[ 45.352240] [] sysenter_flags_fixed+0xd/0x1a
[ 45.352241] Code: 49 8d bc 24 d8 00 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 c4 01 00 00 49 8b 9c 24 d8 00 00 00 80 3a 00 0f 85 8f 01 00 00 <4a> 03 1c f9 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 be 01 00
[ 45.352303] RIP [] cpuacct_charge+0x155/0x380
[ 45.352308] RSP
[ 45.352309] CR2: fffffffb9762b340
[ 45.352312] ---[ end trace 0758269e1e1a7760 ]---
[ 45.352315] Kernel panic - not syncing: Fatal exception in interrupt
[ 46.467389] Shutting down cpus with NMI
[ 46.468049] Kernel Offset: disabled
[ 47.144593] Rebooting in 86400 seconds..