INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.51' (ECDSA) to the list of known hosts.
2018/04/14 01:20:08 parsed 1 programs
2018/04/14 01:20:08 executed programs: 0

syzkaller login: [   37.769223] IPVS: Creating netns size=2536 id=1
[   37.790812] IPVS: Creating netns size=2536 id=2
[   37.812019] IPVS: Creating netns size=2536 id=3
[   37.832710] IPVS: Creating netns size=2536 id=4
[   37.855142] IPVS: Creating netns size=2536 id=5
[   37.876002] IPVS: Creating netns size=2536 id=6
[   37.898278] IPVS: Creating netns size=2536 id=7
[   37.919451] IPVS: Creating netns size=2536 id=8
2018/04/14 01:20:13 executed programs: 64
2018/04/14 01:20:18 executed programs: 132
[   51.756008] ==================================================================
[   51.763387] BUG: KASAN: use-after-free in disk_unblock_events+0x51/0x60
[   51.770107] Read of size 8 at addr ffff8801ca311660 by task syz-executor6/4300
[   51.777432]
[   51.779049] CPU: 1 PID: 4300 Comm: syz-executor6 Not tainted 4.9.93-gcb02358 #1
[   51.786464] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.795796]  ffff8801ca3576c8 ffffffff81d9aa29 ffffea000728c400 ffff8801ca311660
[   51.803767]  0000000000000000 ffff8801ca311660 0000000000000000 ffff8801ca357700
[   51.811734]  ffffffff81564acb ffff8801ca311660 0000000000000008 0000000000000000
[   51.819703] Call Trace:
[   51.822264]  [] dump_stack+0xc1/0x128
[   51.827600]  [] print_address_description+0x6c/0x234
[   51.834240]  [] kasan_report.cold.6+0x242/0x2fe
[   51.840446]  [] ? disk_unblock_events+0x51/0x60
[   51.846651]  [] __asan_report_load8_noabort+0x14/0x20
[   51.853374]  [] disk_unblock_events+0x51/0x60
[   51.859403]  [] __blkdev_get+0x6b6/0xd60
[   51.864997]  [] ? __blkdev_put+0x840/0x840
[   51.870767]  [] ? fsnotify+0x114/0x1100
[   51.876273]  [] blkdev_get+0x2da/0x920
[   51.881695]  [] ? bd_may_claim+0xd0/0xd0
[   51.887289]  [] ? bd_acquire+0x27/0x250
[   51.892794]  [] ? bd_acquire+0x88/0x250
[   51.898300]  [] ? _raw_spin_unlock+0x2c/0x50
[   51.904238]  [] blkdev_open+0x1a5/0x250
[   51.909743]  [] do_dentry_open+0x703/0xc80
[   51.915508]  [] ? blkdev_get_by_dev+0x70/0x70
[   51.921534]  [] vfs_open+0x11c/0x210
[   51.926777]  [] ? may_open.isra.57+0x14f/0x2a0
[   51.932897]  [] path_openat+0x758/0x3590
[   51.938575]  [] ? save_stack+0xa9/0xd0
[   51.943995]  [] ? path_lookupat.isra.41+0x410/0x410
[   51.950542]  [] ? __lock_is_held+0xa2/0xf0
[   51.956306]  [] do_filp_open+0x197/0x270
[   51.961899]  [] ? may_open_dev+0xe0/0xe0
[   51.967499]  [] ? _raw_spin_unlock+0x2c/0x50
[   51.973440]  [] ? __alloc_fd+0x1d7/0x4a0
[   51.979033]  [] do_sys_open+0x30d/0x5c0
[   51.984543]  [] ? filp_open+0x70/0x70
[   51.989876]  [] ? up_read+0x1a/0x40
[   51.995036]  [] compat_SyS_open+0x2a/0x40
[   52.000713]  [] ? compat_SyS_getdents64+0x280/0x280
[   52.007262]  [] do_fast_syscall_32+0x2f7/0x870
[   52.013465]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   52.020101]  [] entry_SYSENTER_compat+0x90/0xa2
[   52.026301]
[   52.027899] Allocated by task 4302:
[   52.031496]  save_stack_trace+0x16/0x20
[   52.035440]  save_stack+0x43/0xd0
[   52.038863]  kasan_kmalloc+0xc7/0xe0
[   52.042548]  kmem_cache_alloc_trace+0xfd/0x2b0
[   52.047100]  alloc_disk_node+0x54/0x3a0
[   52.051054]  alloc_disk+0x18/0x20
[   52.054476]  loop_add+0x33b/0x770
[   52.057899]  loop_probe+0x14f/0x180
[   52.061496]  kobj_lookup+0x223/0x410
[   52.065181]  get_gendisk+0x39/0x2d0
[   52.068777]  __blkdev_get+0x351/0xd60
[   52.072545]  blkdev_get+0x2da/0x920
[   52.076141]  blkdev_open+0x1a5/0x250
[   52.079822]  do_dentry_open+0x703/0xc80
[   52.083763]  vfs_open+0x11c/0x210
[   52.087187]  path_openat+0x758/0x3590
[   52.090960]  do_filp_open+0x197/0x270
[   52.094730]  do_sys_open+0x30d/0x5c0
[   52.098416]  compat_SyS_open+0x2a/0x40
[   52.102273]  do_fast_syscall_32+0x2f7/0x870
[   52.106561]  entry_SYSENTER_compat+0x90/0xa2
[   52.110935]
[   52.112533] Freed by task 4300:
[   52.115780]  save_stack_trace+0x16/0x20
[   52.119722]  save_stack+0x43/0xd0
[   52.123153]  kasan_slab_free+0x72/0xc0
[   52.127009]  kfree+0xfb/0x310
[   52.130081]  disk_release+0x259/0x330
[   52.133849]  device_release+0x7e/0x220
[   52.137707]  kobject_release+0x103/0x1b0
[   52.141736]  kobject_put+0x6d/0xd0
[   52.145243]  put_disk+0x23/0x30
[   52.148493]  __blkdev_get+0x616/0xd60
[   52.152260]  blkdev_get+0x2da/0x920
[   52.155855]  blkdev_open+0x1a5/0x250
[   52.159535]  do_dentry_open+0x703/0xc80
[   52.163477]  vfs_open+0x11c/0x210
[   52.166899]  path_openat+0x758/0x3590
[   52.170671]  do_filp_open+0x197/0x270
[   52.174443]  do_sys_open+0x30d/0x5c0
[   52.178127]  compat_SyS_open+0x2a/0x40
[   52.181985]  do_fast_syscall_32+0x2f7/0x870
[   52.186274]  entry_SYSENTER_compat+0x90/0xa2
[   52.190651]
[   52.192251] The buggy address belongs to the object at ffff8801ca311100
[   52.192251]  which belongs to the cache kmalloc-2048 of size 2048
[   52.205050] The buggy address is located 1376 bytes inside of
[   52.205050]  2048-byte region [ffff8801ca311100, ffff8801ca311900)
[   52.217065] The buggy address belongs to the page:
[   52.221971] page:ffffea000728c400 count:1 mapcount:0 mapping: (null) index:0xffff8801ca316600 compound_mapcount: 0
[   52.233445] flags: 0x8000000000004080(slab|head)
[   52.238169] page dumped because: kasan: bad access detected
[   52.243847]
[   52.245442] Memory state around the buggy address:
[   52.250348]  ffff8801ca311500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.257676]  ffff8801ca311580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.265003] >ffff8801ca311600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.272329]                                                        ^
[   52.278789]  ffff8801ca311680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.286116]  ffff8801ca311700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.293440] ==================================================================
[   52.300767] Disabling lock debugging due to kernel taint
[   52.
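Added example, not part of the syzkaller console output above and not kernel or syzkaller tooling: a small Python parser that pulls the triage-relevant fields out of a KASAN splat of this shape. Its input is a constructed excerpt of the report above, with the console timestamps kept as the kernel prints them. It cross-checks the object offset the kernel states (1376 bytes) against the addresses it prints, decodes the shadow byte under the faulting address (0xfb is the freed-slab-object poison value from the 4.x kernel's mm/kasan/kasan.h), and picks the first allocation and free frames that are not KASAN or allocator instrumentation (the prefix list used for that filtering is a heuristic of this example, not a kernel convention). On this report it also shows that the free (put_disk from __blkdev_get) and the use (disk_unblock_events from __blkdev_get) happened on the same task, 4300, while the gendisk had been allocated by task 4302 through loop_probe.

```python
import re

# Constructed sample: the triage-relevant lines of the KASAN report above,
# with their console timestamps exactly as the kernel printed them.
SAMPLE_REPORT = """\
[   51.763387] BUG: KASAN: use-after-free in disk_unblock_events+0x51/0x60
[   51.770107] Read of size 8 at addr ffff8801ca311660 by task syz-executor6/4300
[   51.779049] CPU: 1 PID: 4300 Comm: syz-executor6 Not tainted 4.9.93-gcb02358 #1
[   52.027899] Allocated by task 4302:
[   52.031496]  save_stack_trace+0x16/0x20
[   52.035440]  save_stack+0x43/0xd0
[   52.038863]  kasan_kmalloc+0xc7/0xe0
[   52.042548]  kmem_cache_alloc_trace+0xfd/0x2b0
[   52.047100]  alloc_disk_node+0x54/0x3a0
[   52.051054]  alloc_disk+0x18/0x20
[   52.054476]  loop_add+0x33b/0x770
[   52.112533] Freed by task 4300:
[   52.115780]  save_stack_trace+0x16/0x20
[   52.119722]  save_stack+0x43/0xd0
[   52.123153]  kasan_slab_free+0x72/0xc0
[   52.127009]  kfree+0xfb/0x310
[   52.130081]  disk_release+0x259/0x330
[   52.133849]  device_release+0x7e/0x220
[   52.192251] The buggy address belongs to the object at ffff8801ca311100
[   52.192251]  which belongs to the cache kmalloc-2048 of size 2048
[   52.205050] The buggy address is located 1376 bytes inside of
[   52.205050]  2048-byte region [ffff8801ca311100, ffff8801ca311900)
[   52.245442] Memory state around the buggy address:
[   52.250348]  ffff8801ca311500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.265003] >ffff8801ca311600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.286116]  ffff8801ca311700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]")

# Shadow poison values from mm/kasan/kasan.h (4.x kernels, 8-byte granules).
SHADOW_MEANING = {
    0x00: "addressable",
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xfa: "global redzone",
    0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
    0xfc: "slab redzone",
    0xfe: "page redzone",
    0xff: "freed page",
}

# Heuristic (assumption of this example): frames with these prefixes are the
# allocator or KASAN itself and are skipped when picking the "interesting" frame.
INSTRUMENTATION = ("save_stack", "kasan_", "kmem_cache_alloc",
                   "kmem_cache_free", "kmalloc", "__kmalloc", "kfree")


def shadow_meaning(value):
    if 1 <= value <= 7:
        return f"partially addressable ({value} of 8 bytes)"
    return SHADOW_MEANING.get(value, f"unknown 0x{value:02x}")


def first_real_frame(frames):
    for frame in frames:
        if not frame.split("+", 1)[0].startswith(INSTRUMENTATION):
            return frame
    return None


def parse_kasan_report(text):
    """Extract header, alloc/free stacks, object bounds and shadow rows."""
    rep = {"alloc_stack": [], "free_stack": [], "shadow": {}}
    section = None
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: ([\w-]+) in (\S+)", line):
            rep["kind"], rep["in"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            rep["access"], rep["size"] = m.group(1), int(m.group(2))
            rep["addr"] = int(m.group(3), 16)
            rep["task"], rep["pid"] = m.group(4), int(m.group(5))
        elif m := re.match(r"Allocated by task (\d+):", line):
            rep["alloc_task"], section = int(m.group(1)), "alloc_stack"
        elif m := re.match(r"Freed by task (\d+):", line):
            rep["free_task"], section = int(m.group(1)), "free_stack"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            rep["object"], section = int(m.group(1), 16), None
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            rep["cache"], rep["object_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            rep["stated_offset"] = int(m.group(1))
        elif m := re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*)+)$", line):
            rep["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif section and re.match(r"\S+\+0x[0-9a-f]+/0x[0-9a-f]+$", line):
            rep[section].append(line)
    return rep


def triage(text):
    """Turn a parsed report into the facts a bug triager checks first."""
    rep = parse_kasan_report(text)
    offset = rep["addr"] - rep["object"]
    row_base = rep["addr"] & ~0x7F          # one printed row = 16 granules x 8 bytes
    granule = (rep["addr"] - row_base) // 8
    shadow = rep["shadow"].get(row_base, [None] * 16)[granule]
    return {
        "kind": rep["kind"],
        "in": rep["in"],
        "access": f'{rep["access"]} of size {rep["size"]}',
        "pid": rep["pid"],
        "cache": rep["cache"],
        "object_offset": offset,
        "offset_matches_report": offset == rep["stated_offset"],
        "region_end": rep["object"] + rep["object_size"],
        "alloc_task": rep["alloc_task"],
        "alloc_frame": first_real_frame(rep["alloc_stack"]),
        "free_task": rep["free_task"],
        "free_frame": first_real_frame(rep["free_stack"]),
        "freed_and_used_by_same_task": rep["free_task"] == rep["pid"],
        "shadow_byte": shadow,
        "shadow_meaning": shadow_meaning(shadow) if shadow is not None else "row not printed",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key:>28}: {value:#x}" if key == "region_end" else f"{key:>28}: {value}")
```

Run it directly to print the summary; feed it a full console log and it ignores the boot and syzkaller lines because none of them match the report patterns.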