[ ok ] Starting enhanced syslogd: rsyslogd.
[ 12.976394] audit: type=1400 audit(1540689116.059:4): avc: denied { syslog } for pid=1923 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.90' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 44.329296] ==================================================================
[ 44.336789] BUG: KASAN: use-after-free in disk_unblock_events+0x51/0x60
[ 44.343515] Read of size 8 at addr ffff8801d2642fe8 by task blkid/2578
[ 44.350148]
[ 44.351750] CPU: 0 PID: 2578 Comm: blkid Not tainted 4.4.162+ #7
[ 44.357865] 0000000000000000 1e730fc92ccaf3a8 ffff8800b5b3f6d0 ffffffff81a994bd
[ 44.365862] ffffea0007499000 ffff8801d2642fe8 0000000000000000 ffff8801d2642fe8
executing program
executing program
executing program
[ 44.373853] 0000000000000000 ffff8800b5b3f708 ffffffff8148a669 ffff8801d2642fe8
[ 44.381847] Call Trace:
[ 44.384409] [] dump_stack+0xc1/0x124
[ 44.389757] [] print_address_description+0x6c/0x217
[ 44.396424] [] kasan_report.cold.6+0x175/0x2f7
[ 44.396430] [] ? disk_unblock_events+0x51/0x60
[ 44.396434] [] __asan_report_load8_noabort+0x14/0x20
[ 44.396438] [] disk_unblock_events+0x51/0x60
[ 44.396442] [] __blkdev_get+0x70c/0xdf0
[ 44.396460] [] ? trace_hardirqs_on+0x10/0x10
[ 44.396463] [] ? __blkdev_put+0x840/0x840
[ 44.396468] [] ? avc_has_perm_noaudit+0x197/0x2f0
[ 44.396471] [] ? avc_has_perm_noaudit+0x90/0x2f0
[ 44.396475] [] ? fsnotify+0x866/0x10c0
[ 44.396478] [] blkdev_get+0x2da/0x920
[ 44.396483] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 44.396486] [] ? bd_may_claim+0xd0/0xd0
[ 44.396489] [] ? bd_acquire+0x29/0x370
[ 44.396492] [] ? bd_acquire+0x8a/0x370
[ 44.396498] [] ? _raw_spin_unlock+0x2c/0x50
[ 44.396513] [] blkdev_open+0x1a5/0x250
[ 44.396517] [] do_dentry_open+0x38d/0xbd0
[ 44.396521] [] ? __inode_permission2+0x9b/0x240
[ 44.396525] [] ? blkdev_get_by_dev+0x70/0x70
[ 44.396528] [] vfs_open+0x12a/0x210
[ 44.396531] [] ? may_open.isra.18+0x156/0x240
[ 44.396535] [] path_openat+0x50c/0x39a0
[ 44.396553] [] ? may_open.isra.18+0x240/0x240
[ 44.396556] [] ? getname+0x19/0x20
[ 44.396559] [] ? do_sys_open+0x203/0x610
[ 44.396574] [] ? SyS_open+0x2d/0x40
[ 44.396578] [] ? entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 44.396582] [] ? trace_hardirqs_on+0x10/0x10
[ 44.396586] [] do_filp_open+0x197/0x270
[ 44.396590] [] ? user_path_mountpoint_at+0x70/0x70
[ 44.396594] [] ? __alloc_fd+0x36/0x4a0
[ 44.396597] [] ? _raw_spin_unlock+0x2c/0x50
[ 44.396601] [] ? __alloc_fd+0x1f3/0x4a0
[ 44.396604] [] do_sys_open+0x31c/0x610
[ 44.396607] [] ? filp_open+0x70/0x70
[ 44.396611] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 44.396614] [] SyS_open+0x2d/0x40
[ 44.396619] [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 44.396625]
[ 44.396627] Allocated by task 2569:
[ 44.396634] [] save_stack_trace+0x26/0x50
[ 44.396638] [] kasan_kmalloc.part.1+0x62/0xf0
[ 44.396642] [] kasan_kmalloc+0xaf/0xc0
[ 44.396646] [] kmem_cache_alloc_trace+0x117/0x2d0
[ 44.396649] [] alloc_disk_node+0x54/0x3a0
[ 44.396653] [] alloc_disk+0x18/0x20
[ 44.396658] [] loop_add+0x36b/0x7c0
[ 44.396662] [] loop_probe+0x14f/0x180
[ 44.396667] [] kobj_lookup+0x223/0x410
[ 44.396671] [] get_gendisk+0x39/0x2d0
[ 44.396674] [] blkdev_get+0xf6/0x920
[ 44.396678] [] blkdev_open+0x1a5/0x250
[ 44.396682] [] do_dentry_open+0x38d/0xbd0
[ 44.396685] [] vfs_open+0x12a/0x210
[ 44.396689] [] path_openat+0x50c/0x39a0
[ 44.396692] [] do_filp_open+0x197/0x270
[ 44.396696] [] do_sys_open+0x31c/0x610
[ 44.396701] [] compat_SyS_open+0x2a/0x40
[ 44.396706] [] do_fast_syscall_32+0x31e/0xa80
[ 44.396710] [] sysenter_flags_fixed+0xd/0x1a
[ 44.396711]
[ 44.396712] Freed by task 2578:
[ 44.396716] [] save_stack_trace+0x26/0x50
[ 44.396720] [] kasan_slab_free+0xac/0x190
[ 44.396735] [] kfree+0xf4/0x310
[ 44.396741] [] disk_release+0x259/0x330
[ 44.396746] [] device_release+0x7e/0x220
[ 44.396763] [] kobject_put+0x144/0x260
[ 44.396767] [] put_disk+0x23/0x30
[ 44.396770] [] __blkdev_get+0x66c/0xdf0
[ 44.396774] [] blkdev_get+0x2da/0x920
[ 44.396778] [] blkdev_open+0x1a5/0x250
[ 44.396782] [] do_dentry_open+0x38d/0xbd0
[ 44.396786] [] vfs_open+0x12a/0x210
[ 44.396790] [] path_openat+0x50c/0x39a0
[ 44.396794] [] do_filp_open+0x197/0x270
[ 44.396798] [] do_sys_open+0x31c/0x610
[ 44.396801] [] SyS_open+0x2d/0x40
[ 44.396806] [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 44.396807]
[ 44.396810] The buggy address belongs to the object at ffff8801d2642a80
[ 44.396810] which belongs to the cache kmalloc-2048 of size 2048
[ 44.396813] The buggy address is located 1384 bytes inside of
[ 44.396813] 2048-byte region [ffff8801d2642a80, ffff8801d2643280)
[ 44.396814] The buggy address belongs to the page:
[ 44.402880] kasan: CONFIG_KASAN_INLINE enabled
[ 44.402886] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 44.402889] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 44.402891] Modules linked in:
[ 44.402897] CPU: 1 PID: -2104946016 Comm: €*dÒˆÿÿ€2dÒˆÿÿÐ6µ Not tainted 4.4.162+ #7
[ 44.402900] task: ffff8800b5112f80 task.stack: ffff8801d2643280
[ 44.402911] RIP: 0010:[] [] __enqueue_entity+0x7d/0x230
[ 44.402913] RSP: 0018:ffff8801db707b20 EFLAGS: 00010007
[ 44.402916] RAX: 0cc000000000108b RBX: 660000000000841f RCX: ffff8801db71e928
[ 44.402918] RDX: 0000000000000000 RSI: ffff8801db71e950 RDI: 660000000000845f
[ 44.402921] RBP: ffff8801db707b70 R08: ffff8801d40700b0 R09: ffffffff81425f4f
[ 44.402923] R10: ffffffff831a2338 R11: ffffffff82835e80 R12: 00000002698fac23
[ 44.402926] R13: dffffc0000000000 R14: ffff8801d4070060 R15: ffffed003a80e016
[ 44.402929] FS: 00007f8b166b97a0(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000
[ 44.402932] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 44.402934] CR2: 00000000ffb01a28 CR3: 00000000b8372000 CR4: 00000000001606b0
[ 44.402938] Stack:
[ 44.402943] ffff8801db707b60 ffffffff81af752b ffff8801db707b70 ffffffff8117cc3f
[ 44.402947] ffff8801db71e880 ffff8801d4070060 ffff8800b5112fe0 ffff8801db71e928
[ 44.402954] dffffc0000000000 0000000269e4a83e ffff8801db707c90 ffffffff8119d208
[ 44.402955] Call Trace:
[ 44.402964]
[ 44.402965] [] ? check_preemption_disabled+0x3b/0x170
[ 44.402971] [] ? account_entity_enqueue+0x20f/0x370
[ 44.402975] [] enqueue_task_fair+0x14c8/0xab90
[ 44.402979] [] ? select_task_rq_fair+0x4ba/0x2d10
[ 44.402984] [] activate_task+0x1dd/0x280
[ 44.402988] [] ttwu_do_activate.constprop.29+0xbf/0x1e0
[ 44.402992] [] try_to_wake_up+0x6dd/0x1120
[ 44.402997] [] ? debug_object_activate+0x480/0x480
[ 44.403001] [] wake_up_process+0x15/0x20
[ 44.403006] [] hrtimer_wakeup+0x48/0x60
[ 44.403010] [] ? clock_was_set_work+0x30/0x30
[ 44.403013] [] __hrtimer_run_queues+0x390/0xfc0
[ 44.403019] [] ? clockevents_program_event+0x17a/0x3e0
[ 44.403023] [] ? hrtimer_fixup_init+0x70/0x70
[ 44.403028] [] ? kvm_clock_read+0x23/0x40
[ 44.403032] [] ? kvm_clock_get_cycles+0x9/0x10
[ 44.403035] [] ? hrtimer_interrupt+0x12d/0x430
[ 44.403039] [] hrtimer_interrupt+0x1b1/0x430
[ 44.403044] [] local_apic_timer_interrupt+0x74/0xa0
[ 44.403050] [] smp_apic_timer_interrupt+0x7c/0xa0
[ 44.403054] [] apic_timer_interrupt+0x9d/0xb0
[ 44.403056]
[ 44.403058] Code:
[ 44.403058] ------------[ cut here ]------------
[ 44.403065] WARNING: CPU: 1 PID: -2104946016 at include/linux/uaccess.h:15 __probe_kernel_read+0x1e3/0x230()
[ 44.403067] Kernel panic - not syncing: panic_on_warn set ...
[ 44.403067]
[ 45.530948] Shutting down cpus with NMI
[ 45.531308] Kernel Offset: disabled
[ 46.305023] Rebooting in 86400 seconds..