syzkaller login:
[ 58.347014] ==================================================================
[ 58.354657] BUG: KASAN: use-after-free in disk_unblock_events+0x55/0x60
[ 58.361522] Read of size 8 at addr ffff8800b67d40e8 by task syz-executor936/2128
[ 58.369204]
[ 58.370894] CPU: 1 PID: 2128 Comm: syz-executor936 Not tainted 4.4.174+ #17
[ 58.378187] 0000000000000000 826393fae749addf ffff8801d3f8f6c0 ffffffff81aad1a1
[ 58.386584] 0000000000000000 ffffea0002d9f400 ffff8800b67d40e8 0000000000000008
[ 58.394912] 0000000000000000 ffff8801d3f8f6f8 ffffffff81490120 0000000000000000
[ 58.403287] Call Trace:
[ 58.405924] [] dump_stack+0xc1/0x120
[ 58.411398] [] print_address_description+0x6f/0x21b
[ 58.418185] [] kasan_report.cold+0x8c/0x2be
[ 58.424764] [] ? disk_unblock_events+0x55/0x60
[ 58.431284] [] __asan_report_load8_noabort+0x14/0x20
[ 58.438899] [] disk_unblock_events+0x55/0x60
[ 58.445557] [] __blkdev_get+0x70c/0xdf0
[ 58.451386] [] ? __blkdev_put+0x840/0x840
[ 58.457595] [] ? trace_hardirqs_on+0x10/0x10
[ 58.464111] [] blkdev_get+0x2e8/0x920
[ 58.469597] [] ? bd_may_claim+0xd0/0xd0
[ 58.475257] [] ? bd_acquire+0x8a/0x370
[ 58.480823] [] ? _raw_spin_unlock+0x2d/0x50
[ 58.487297] [] blkdev_open+0x1aa/0x250
[ 58.493821] [] do_dentry_open+0x38f/0xbd0
[ 58.499709] [] ? __inode_permission2+0x9e/0x250
[ 58.506250] [] ? blkdev_get_by_dev+0x80/0x80
[ 58.512634] [] vfs_open+0x10b/0x210
[ 58.518286] [] ? may_open.isra.0+0xe7/0x210
[ 58.524290] [] path_openat+0x136f/0x4470
[ 58.530203] [] ? kasan_kmalloc.part.0+0xc6/0xf0
[ 58.536882] [] ? may_open.isra.0+0x210/0x210
[ 58.543093] [] ? trace_hardirqs_on+0x10/0x10
[ 58.549441] [] do_filp_open+0x1a1/0x270
[ 58.555174] [] ? user_path_mountpoint_at+0x50/0x50
[ 58.561776] [] ? do_dup2+0x3d0/0x3d0
[ 58.567161] [] ? _raw_spin_unlock+0x2d/0x50
[ 58.573160] [] do_sys_open+0x2f8/0x600
[ 58.578983] [] ? filp_open+0x70/0x70
[ 58.584462] [] ? __do_page_fault+0x2b3/0x7f0
[ 58.590743] [] compat_SyS_open+0x2a/0x40
[ 58.597173] [] ? compat_SyS_getdents64+0x270/0x270
[ 58.604998] [] do_fast_syscall_32+0x32d/0xa90
[ 58.611260] [] sysenter_flags_fixed+0xd/0x1a
[ 58.617502]
[ 58.619153] Allocated by task 2128:
[ 58.623141] [] save_stack_trace+0x26/0x50
[ 58.629112] [] kasan_kmalloc.part.0+0x62/0xf0
[ 58.635463] [] kasan_kmalloc+0xb7/0xd0
[ 58.641183] [] kmem_cache_alloc_trace+0x123/0x2d0
[ 58.647882] [] alloc_disk_node+0x50/0x3c0
[ 58.653890] [] alloc_disk+0x1b/0x20
[ 58.659614] [] loop_add+0x380/0x830
[ 58.665063] [] loop_control_ioctl+0x138/0x2f0
[ 58.671571] [] compat_SyS_ioctl+0x403/0x2210
[ 58.678315] [] do_fast_syscall_32+0x32d/0xa90
[ 58.684685] [] sysenter_flags_fixed+0xd/0x1a
[ 58.691595]
[ 58.693363] Freed by task 2128:
[ 58.696651] [] save_stack_trace+0x26/0x50
[ 58.702815] [] kasan_slab_free+0xb0/0x190
[ 58.708929] [] kfree+0xf4/0x310
[ 58.714032] [] disk_release+0x255/0x330
[ 58.719822] [] device_release+0x7d/0x220
[ 58.725750] [] kobject_put+0x14c/0x260
[ 58.731457] [] put_disk+0x23/0x30
[ 58.736829] [] __blkdev_get+0x66c/0xdf0
[ 58.742867] [] blkdev_get+0x2e8/0x920
[ 58.748954] [] blkdev_open+0x1aa/0x250
[ 58.754677] [] do_dentry_open+0x38f/0xbd0
[ 58.760927] [] vfs_open+0x10b/0x210
[ 58.766461] [] path_openat+0x136f/0x4470
[ 58.772349] [] do_filp_open+0x1a1/0x270
[ 58.778171] [] do_sys_open+0x2f8/0x600
[ 58.784057] [] compat_SyS_open+0x2a/0x40
[ 58.790254] [] do_fast_syscall_32+0x32d/0xa90
[ 58.796752] [] sysenter_flags_fixed+0xd/0x1a
[ 58.803428]
[ 58.805118] The buggy address belongs to the object at ffff8800b67d3b80
[ 58.805118]  which belongs to the cache kmalloc-2048 of size 2048
[ 58.818243] The buggy address is located 1384 bytes inside of
[ 58.818243]  2048-byte region [ffff8800b67d3b80, ffff8800b67d4380)
[ 58.830738] The buggy address belongs to the page:
[ 58.836483] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a6
[ 58.845084] IP: [] kmem_cache_alloc+0x9c/0x2c0
[ 58.851528] PGD b73c4067 PUD b73c5067 PMD 0
[ 58.856478] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 58.861669] Modules linked in:
[ 58.866054] CPU: 0 PID: 2099 Comm: syz-executor936 Not tainted 4.4.174+ #17
[ 58.873171] task: ffff8801d4114740 task.stack: ffff8800b6618000
[ 58.879248] RIP: 0010:[] [] kmem_cache_alloc+0x9c/0x2c0
[ 58.889143] RSP: 0018:ffff8800b661fb20 EFLAGS: 00010246
[ 58.894616] RAX: 00000000000000a6 RBX: ffff8801d42410f0 RCX: 0000000000022650
[ 58.902026] RDX: 0000000000061180 RSI: 0000000000061180 RDI: 0000000000022650
[ 58.909533] RBP: ffff8800b661fb50 R08: ffff8801d6a35ee0 R09: ffff8801d4115050
[ 58.916827] R10: ffffffff81456699 R11: 0000000000000000 R12: ffff8801da402dc0
[ 58.924289] R13: 00000000024000c0 R14: ffffffff8145677e R15: 00000000000000a6
[ 58.931960] FS: 0000000000000000(0000) GS:ffff8801db600000(0063) knlGS:0000000008d4a840
[ 58.940213] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 58.946111] CR2: 00000000000000a6 CR3: 00000000b6d2a000 CR4: 00000000001606b0
[ 58.953498] Stack:
[ 58.955667] ffff8800b7e6b2a0 ffff8801d42410f0 ffff8800b67d4380 0000000000000000
[ 58.963874] ffff8801d4241178 ffff8800b67d4408 ffff8800b661fba0 ffffffff8145677e
[ 58.972220] ffff8800b661fba0 ffff8801d6a35ee0 ffff8801d6a35f70 ffff8800b67d4380
[ 58.980435] Call Trace:
[ 58.983151] [] anon_vma_fork+0x1ce/0x4b0
[ 58.989116] [] copy_process+0x412c/0x68a0
[ 58.995294] [] ? __cleanup_sighand+0x50/0x50
[ 59.001467] [] ? kvm_clock_read+0x23/0x40
[ 59.007290] [] ? kvm_clock_get_cycles+0x9/0x10
[ 59.013555] [] _do_fork+0x14e/0xdc0
[ 59.019028] [] ? fork_idle+0x280/0x280
[ 59.025024] [] ? __compat_put_timespec.isra.0+0xce/0x140
[ 59.032285] [] ? compat_SyS_clock_gettime+0x162/0x1f0
[ 59.039158] [] ? compat_SyS_clock_settime+0x1b0/0x1b0
[ 59.046115] [] ? __do_page_fault+0x2b3/0x7f0
[ 59.052205] [] SyS_clone+0x37/0x50
[ 59.057507] [] ? entry_INT80_compat+0xa0/0xa0
[ 59.063681] [] do_fast_syscall_32+0x32d/0xa90
[ 59.070508] [] sysenter_flags_fixed+0xd/0x1a
[ 59.076819] Code: 48 8b 70 08 48 39 f2 75 e7 4c 8b 38 4d 85 ff 0f 84 80 01 00 00 49 63 44 24 20 49 8b 3c 24 4c 01 f8 40 f6 c7 0f 0f 85 a5 01 00 00 <48> 8b 18 48 8d 4a 08 4c 89 f8 65 48 0f c7 0f 0f 94 c0 84 c0 74
[ 59.111645] RIP [] kmem_cache_alloc+0x9c/0x2c0
[ 59.119653] RSP
[ 59.124113] CR2: 00000000000000a6
[ 59.127603] kasan: CONFIG_KASAN_INLINE enabled
[ 59.132446] kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#2] PREEMPT SMP KASAN
[ 59.146085] Modules linked in:
[ 59.149627] CPU: 0 PID: 2099 Comm: syz-executor936 Tainted: G D 4.4.174+ #17
[ 59.158597] task: ffff8801d4114740 task.stack: ffff8800b6618000
[ 59.164967] RIP: 0010:[] [] debug_object_deactivate+0x16f/0x360
[ 59.174690] RSP: 0018:ffff8801db607ce0 EFLAGS: 00010006
[ 59.180522] RAX: 1ffffffff080f258 RBX: 0000000000000003 RCX: 000000000000c4c2
[ 59.188115] RDX: 000000000101de03 RSI: ffffffff82eafea0 RDI: 00000000080ef018
[ 59.195906] RBP: ffff8801db607dd0 R08: 0000000000000001 R09: ffffffff840792c8
[ 59.203291] R10: 0000000000000096 R11: ffffffff831a5078 R12: 00000000080ef000
[ 59.210655] R13: dffffc0000000000 R14: 1ffff1003b6c0fa0 R15: ffff8800b6cefd48
[ 59.218739] FS: 0000000000000000(0000) GS:ffff8801db600000(0063) knlGS:0000000008d4a840
[ 59.227740] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 59.233663] CR2: 00000000000000a6 CR3: 00000000b6d2a000 CR4: 00000000001606b0
[ 59.240963] Stack:
[ 59.243322] ffff880200000002 ffff880200000000 ffffffff840792c8 ffffffff82eafea0
[ 59.252486] 0000000041b58ab3 ffffffff82c76921 ffffffff81b0c500 ffffffff82c4d560
[ 59.260944] ffffffff811ff5b0 dffffc0000000001 ffff880100000000 ffffffff00000000
[ 59.269338] Call Trace:
[ 59.272029]
[ 59.274127] [] ? debug_object_activate+0x470/0x470
[ 59.281376] [] ? trace_hardirqs_on+0x10/0x10
[ 59.287554] [] ? trace_hardirqs_on+0x10/0x10
[ 59.293978] [] ? default_inquire_remote_apic+0x60/0x60
[ 59.300946] [] __hrtimer_run_queues+0x1bd/0xfc0
[ 59.307381] [] ? hrtimer_fixup_init+0x70/0x70
[ 59.313922] [] ? kvm_clock_get_cycles+0x9/0x10
[ 59.322476] [] ? hrtimer_interrupt+0x121/0x450
[ 59.330006] [] hrtimer_interrupt+0x1b6/0x450
[ 59.336194] [] local_apic_timer_interrupt+0x76/0xa0
[ 59.344057] [] smp_apic_timer_interrupt+0x79/0xb0
[ 59.350771] [] apic_timer_interrupt+0x9d/0xb0
[ 59.357827]
[ 59.360271] [] ? add_taint+0x1c/0x50
[ 59.366827] [] ? oops_end+0x4c/0xc0
[ 59.372580] [] no_context+0x2b6/0x820
[ 59.378181] [] ? force_sig_info_fault.constprop.0+0x110/0x110
[ 59.385779] [] ? copy_process+0x412c/0x68a0
[ 59.391907] [] ? _do_fork+0x14e/0xdc0
[ 59.398806] [] ? SyS_clone+0x37/0x50
[ 59.405516] [] ? do_fast_syscall_32+0x32d/0xa90
[ 59.412385] [] ? sysenter_flags_fixed+0xd/0x1a
[ 59.418987] [] __bad_area_nosemaphore+0x282/0x3f0
[ 59.426660] [] ? mark_held_locks+0xb1/0x100
[ 59.433279] [] ? preempt_count_add+0xc0/0x1d0
[ 59.440262] [] bad_area_nosemaphore+0x2b/0x40
[ 59.447202] [] __do_page_fault+0x410/0x7f0
[ 59.454571] [] ? anon_vma_fork+0x1ce/0x4b0
[ 59.460629] [] do_page_fault+0x28/0x30
[ 59.467157] [] page_fault+0x25/0x30
[ 59.473163] [] ? anon_vma_fork+0x1ce/0x4b0
[ 59.483059] [] ? anon_vma_fork+0xe9/0x4b0
[ 59.490269] [] ? kmem_cache_alloc+0x9c/0x2c0
[ 59.497404] [] anon_vma_fork+0x1ce/0x4b0
[ 59.506555] [] copy_process+0x412c/0x68a0
[ 59.513363] [] ? __cleanup_sighand+0x50/0x50
[ 59.520810] [] ? kvm_clock_read+0x23/0x40
[ 59.528812] [] ? kvm_clock_get_cycles+0x9/0x10
[ 59.537138] [] _do_fork+0x14e/0xdc0
[ 59.545126] [] ? fork_idle+0x280/0x280
[ 59.552105] [] ? __compat_put_timespec.isra.0+0xce/0x140
[ 59.559994] [] ? compat_SyS_clock_gettime+0x162/0x1f0
[ 59.574078] [] ? compat_SyS_clock_settime+0x1b0/0x1b0
[ 59.583938] [] ? __do_page_fault+0x2b3/0x7f0
[ 59.590132] [] SyS_clone+0x37/0x50
[ 59.596692] [] ? entry_INT80_compat+0xa0/0xa0
[ 59.603777] [] do_fast_syscall_32+0x32d/0xa90
[ 59.611263] [] sysenter_flags_fixed+0xd/0x1a
[ 59.617425] Code: 48 c1 ea 03 42 80 3c 2a 00 0f 85 8e 01 00 00 4d 8b 24 24 4d 85 e4 0f 84 e9 00 00 00 49 8d 7c 24 18 83 c3 01 48 89 fa 48 c1 ea 03 <42> 80 3c 2a 00 0f 85 3f 01 00 00 4d 3b 7c 24 18 75 c0 49 8d 7c
[ 59.648203] RIP [] debug_object_deactivate+0x16f/0x360
[ 59.656426] RSP
[ 59.660553] ---[ end trace 0a148c7d09f55266 ]---
[ 59.665818] Kernel panic - not syncing: Fatal exception in interrupt
[ 60.819209] Shutting down cpus with NMI
[ 60.824916] Kernel Offset: disabled
[ 60.829000] Rebooting in 86400 seconds..