[ ok ] Starting enhanced syslogd: rsyslogd.
[ 13.905844] audit: type=1400 audit(1564046273.930:4): avc: denied { syslog } for pid=1918 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.6' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login:
[ 32.791655] ==================================================================
[ 32.799058] BUG: KASAN: use-after-free in disk_unblock_events+0x55/0x60
[ 32.805799] Read of size 8 at addr ffff8801cf3a8568 by task syz-executor573/2089
[ 32.813318]
[ 32.814941] CPU: 0 PID: 2089 Comm: syz-executor573 Not tainted 4.4.174+ #4
[ 32.821942] 0000000000000000 296d3e421fc83d37 ffff8800b658f730 ffffffff81aad1a1
[ 32.829987] 0000000000000000 ffffea00073cea00 ffff8801cf3a8568 0000000000000008
[ 32.838044] 0000000000000000 ffff8800b658f768 ffffffff81490120 0000000000000000
[ 32.846121] Call Trace:
[ 32.848705] [] dump_stack+0xc1/0x120
[ 32.854070] [] print_address_description+0x6f/0x21b
[ 32.860731] [] kasan_report.cold+0x8c/0x2be
[ 32.866701] [] ? disk_unblock_events+0x55/0x60
[ 32.872937] [] __asan_report_load8_noabort+0x14/0x20
[ 32.879687] [] disk_unblock_events+0x55/0x60
[ 32.885740] [] __blkdev_get+0x70c/0xdf0
[ 32.891359] [] ? __blkdev_put+0x840/0x840
[ 32.897153] [] ? blkdev_get_block+0x80/0x80
[ 32.903120] [] ? __might_sleep+0x90/0x1a0
[ 32.908911] [] blkdev_get+0x2e8/0x920
[ 32.914355] [] ? bd_may_claim+0xd0/0xd0
[ 32.919982] [] ? bd_acquire+0x133/0x370
[ 32.925600] [] ? _raw_spin_unlock+0x2d/0x50
[ 32.931571] [] blkdev_open+0x1aa/0x250
[ 32.937113] [] do_dentry_open+0x38f/0xbd0
[ 32.942905] [] ? __inode_permission2+0x9e/0x250
[ 32.949217] [] ? blkdev_get_by_dev+0x80/0x80
[ 32.955270] [] vfs_open+0x10b/0x210
[ 32.960542] [] ? may_open.isra.0+0xe7/0x210
[ 32.966690] [] path_openat+0x136f/0x4470
[ 32.972484] [] ? kasan_kmalloc.part.0+0xc6/0xf0
[ 32.978799] [] ? may_open.isra.0+0x210/0x210
[ 32.984851] [] ? trace_hardirqs_on+0x10/0x10
[ 32.990903] [] do_filp_open+0x1a1/0x270
[ 32.996522] [] ? user_path_mountpoint_at+0x50/0x50
[ 33.003090] [] ? __alloc_fd+0x1ea/0x490
[ 33.008807] [] ? _raw_spin_unlock+0x2d/0x50
[ 33.014759] [] do_sys_open+0x2f8/0x600
[ 33.020272] [] ? filp_open+0x70/0x70
[ 33.025615] [] ? retint_user+0x18/0x3c
[ 33.031156] [] ? trace_hardirqs_on_caller+0x385/0x5a0
[ 33.037988] [] SyS_open+0x2d/0x40
[ 33.043067] [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 33.049617]
[ 33.051233] Allocated by task 2089:
[ 33.054841] [] save_stack_trace+0x26/0x50
[ 33.060737] [] kasan_kmalloc.part.0+0x62/0xf0
[ 33.066995] [] kasan_kmalloc+0xb7/0xd0
[ 33.072626] [] kmem_cache_alloc_trace+0x123/0x2d0
[ 33.079220] [] alloc_disk_node+0x50/0x3c0
[ 33.085125] [] alloc_disk+0x1b/0x20
[ 33.090620] [] loop_add+0x380/0x830
[ 33.096195] [] loop_control_ioctl+0x138/0x2f0
[ 33.102436] [] do_vfs_ioctl+0x6e7/0xfa0
[ 33.108157] [] SyS_ioctl+0x8f/0xc0
[ 33.113446] [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 33.120126]
[ 33.121730] Freed by task 2089:
[ 33.124978] [] save_stack_trace+0x26/0x50
[ 33.130870] [] kasan_slab_free+0xb0/0x190
[ 33.136782] [] kfree+0xf4/0x310
[ 33.141804] [] disk_release+0x255/0x330
[ 33.147539] [] device_release+0x7d/0x220
[ 33.153350] [] kobject_put+0x14c/0x260
[ 33.158981] [] put_disk+0x23/0x30
[ 33.164177] [] __blkdev_get+0x66c/0xdf0
[ 33.169913] [] blkdev_get+0x2e8/0x920
[ 33.175458] [] blkdev_open+0x1aa/0x250
[ 33.181085] [] do_dentry_open+0x38f/0xbd0
[ 33.187034] [] vfs_open+0x10b/0x210
[ 33.192404] [] path_openat+0x136f/0x4470
[ 33.198230] [] do_filp_open+0x1a1/0x270
[ 33.203951] [] do_sys_open+0x2f8/0x600
[ 33.209579] [] SyS_open+0x2d/0x40
[ 33.214788] [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 33.221495]
[ 33.223101] The buggy address belongs to the object at ffff8801cf3a8000
[ 33.223101] which belongs to the cache kmalloc-2048 of size 2048
[ 33.235903] The buggy address is located 1384 bytes inside of
[ 33.235903] 2048-byte region [ffff8801cf3a8000, ffff8801cf3a8800)
[ 33.247926] The buggy address belongs to the page:
[ 33.255792] BUG: unable to handle kernel paging request at ffffeb88001cf3a0
[ 33.263182] IP: [] qlist_free_all+0x7a/0xc0
[ 33.269225] PGD 0
[ 33.271503] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 33.276554] Modules linked in:
[ 33.279876] CPU: 1 PID: 2076 Comm: syz-executor573 Not tainted 4.4.174+ #4
[ 33.286880] task: ffff8801d4ed97c0 task.stack: ffff8800b6af0000
[ 33.292927] RIP: 0010:[] [] qlist_free_all+0x7a/0xc0
[ 33.307323] RSP: 0000:ffff8800b6af7860 EFLAGS: 00010282
[ 33.312780] RAX: ffffeb88001cf380 RBX: 0000000000000000 RCX: 000000018080005f
[ 33.320048] RDX: 000077ff80000000 RSI: ffffea00073cea00 RDI: 0000000000000000
[ 33.327407] RBP: ffff8800b6af7888 R08: 0000000000000001 R09: ffffffff814850f1
[ 33.334677] R10: ffffea0002d944c0 R11: 0000000000000000 R12: ffff8800b6af78a0
[ 33.341941] R13: 0000000080000000 R14: ffffea0000000000 R15: ffffea00073cea00
[ 33.349736] FS: 00000000024d0880(0063) GS:ffff8801db700000(0000) knlGS:0000000000000000
[ 33.357992] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 33.363871] CR2: ffffeb88001cf3a0 CR3: 00000000b68a6000 CR4: 00000000001606b0
[ 33.371149] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 33.378416] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 33.385682] Stack:
[ 33.387826] ffff8801d4ed97c0 0000000000000000 ffff8800b6af78a0 ffffffff81139e98
[ 33.395886] ffff8801da488640 ffff8800b6af78d0 ffffffff8148558f ffffffff81485495
[ 33.403958] ffff8801d3e58000 ffff8800b641c400 00000000001010a0 7d276a79957381f4
[ 33.412033] Call Trace:
[ 33.414623] [] ? prepare_creds+0x28/0x2b0
[ 33.420423] [] quarantine_reduce+0x18f/0x1d0
[ 33.426484] [] ? quarantine_reduce+0x95/0x1d0
[ 33.432628] [] kasan_kmalloc+0xa0/0xd0
[ 33.438166] [] ? prepare_creds+0x28/0x2b0
[ 33.444531] [] kasan_slab_alloc+0xf/0x20
[ 33.450734] [] kmem_cache_alloc+0xdc/0x2c0
[ 33.456749] [] prepare_creds+0x28/0x2b0
[ 33.462474] [] do_coredump+0x30f/0x29d0
[ 33.468094] [] ? _raw_spin_unlock_irqrestore+0x45/0x70
[ 33.475029] [] ? debug_check_no_obj_freed+0x2b9/0x6e0
[ 33.483395] [] ? dump_align+0x80/0x80
[ 33.488846] [] ? check_preemption_disabled+0x3c/0x200
[ 33.495686] [] ? check_preemption_disabled+0x3c/0x200
[ 33.502615] [] ? __sigqueue_free.part.0+0x55/0x60
[ 33.509105] [] ? rcu_read_lock_sched_held+0x10b/0x130
[ 33.515947] [] ? kmem_cache_free+0x2c4/0x350
[ 33.522012] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 33.528760] [] ? recalc_sigpending+0x74/0xa0
[ 33.534813] [] ? dequeue_signal+0xc8/0x550
[ 33.540700] [] ? check_preemption_disabled+0x3c/0x200
[ 33.547533] [] ? _raw_spin_unlock_irq+0x28/0x60
[ 33.553853] [] ? trace_hardirqs_on_caller+0x385/0x5a0
[ 33.560775] [] get_signal+0x5d9/0x1570
[ 33.566313] [] ? check_preemption_disabled+0x3c/0x200
[ 33.573153] [] do_signal+0x9c/0x1840
[ 33.578511] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 33.585434] [] ? trace_hardirqs_on_caller+0x385/0x5a0
[ 33.592271] [] ? setup_sigcontext+0x780/0x780
[ 33.598417] [] ? force_sig_info+0x23e/0x310
[ 33.604386] [] ? do_trap+0x198/0x220
[ 33.609770] [] ? do_error_trap+0x12a/0x270
[ 33.615657] [] ? do_trap+0x220/0x220
[ 33.621017] [] ? exit_to_usermode_loop+0xf2/0x170
[ 33.627511] [] exit_to_usermode_loop+0x127/0x170
[ 33.633911] [] prepare_exit_to_usermode+0x15a/0x1e0
[ 33.640573] [] retint_user+0x8/0x3c
[ 33.645843] Code: 4c 89 fe 48 85 db 48 89 df 75 d7 48 89 f0 4c 01 e8 72 52 48 ba 00 00 00 80 ff 77 00 00 48 01 d0 48 c1 e8 0c 48 c1 e0 06 4c 01 f0 <48> 8b 50 20 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 30 eb a2
[ 33.673811] RIP [] qlist_free_all+0x7a/0xc0
[ 33.679927] RSP
[ 33.683540] CR2: ffffeb88001cf3a0
[ 33.687023] ---[ end trace dbaf3d1cc2c5a2c7 ]---
[ 33.691768] Kernel panic - not syncing: Fatal exception
[ 34.830735] Shutting down cpus with NMI
[ 34.835204] Kernel Offset: disabled
[ 34.838814] Rebooting in 86400 seconds..