Warning: Permanently added '10.128.0.162' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 23.192401] ==================================================================
[ 23.199803] BUG: KASAN: use-after-free in disk_unblock_events+0x55/0x60
[ 23.206550] Read of size 8 at addr ffff8801cee2f3e8 by task blkid/2193
[ 23.213200]
[ 23.214826] CPU: 0 PID: 2193 Comm: blkid Not tainted 4.4.174+ #4
[ 23.220958]  0000000000000000 de0d443612faf0c5 ffff8800b55ef730 ffffffff81aad1a1
[ 23.229014]  0000000000000000 ffffea00073b8a00 ffff8801cee2f3e8 0000000000000008
[ 23.237114]  0000000000000000 ffff8800b55ef768 ffffffff81490120 0000000000000000
[ 23.245153] Call Trace:
[ 23.247735]  [] dump_stack+0xc1/0x120
[ 23.253107]  [] print_address_description+0x6f/0x21b
[ 23.259767]  [] kasan_report.cold+0x8c/0x2be
[ 23.265732]  [] ? disk_unblock_events+0x55/0x60
[ 23.271960]  [] __asan_report_load8_noabort+0x14/0x20
[ 23.278706]  [] disk_unblock_events+0x55/0x60
[ 23.284754]  [] __blkdev_get+0x70c/0xdf0
[ 23.290372]  [] ? __blkdev_put+0x840/0x840
[ 23.296168]  [] ? trace_hardirqs_on+0x10/0x10
[ 23.302219]  [] blkdev_get+0x2e8/0x920
[ 23.307660]  [] ? bd_may_claim+0xd0/0xd0
[ 23.313280]  [] ? bd_acquire+0x8a/0x370
[ 23.318810]  [] ? _raw_spin_unlock+0x2d/0x50
[ 23.324776]  [] blkdev_open+0x1aa/0x250
[ 23.330308]  [] do_dentry_open+0x38f/0xbd0
[ 23.336103]  [] ? __inode_permission2+0x9e/0x250
[ 23.342412]  [] ? blkdev_get_by_dev+0x80/0x80
[ 23.348463]  [] vfs_open+0x10b/0x210
[ 23.353734]  [] ? may_open.isra.0+0xe7/0x210
[ 23.359709]  [] path_openat+0x136f/0x4470
[ 23.365413]  [] ? kasan_kmalloc.part.0+0xc6/0xf0
[ 23.371815]  [] ? may_open.isra.0+0x210/0x210
[ 23.377870]  [] ? trace_hardirqs_on+0x10/0x10
[ 23.383921]  [] do_filp_open+0x1a1/0x270
[ 23.389538]  [] ? getname_flags+0xcc/0x550
[ 23.395334]  [] ? user_path_mountpoint_at+0x50/0x50
[ 23.401906]  [] ? __alloc_fd+0x1ea/0x490
[ 23.407521]  [] ? _raw_spin_unlock+0x2d/0x50
[ 23.413483]  [] do_sys_open+0x2f8/0x600
[ 23.419009]  [] ? filp_open+0x70/0x70
[ 23.424367]  [] ? retint_user+0x18/0x3c
[ 23.429898]  [] ? trace_hardirqs_on_caller+0x385/0x5a0
[ 23.436730]  [] SyS_open+0x2d/0x40
[ 23.441830]  [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 23.448394]
[ 23.450360] Allocated by task 2181:
[ 23.453973]  [] save_stack_trace+0x26/0x50
[ 23.460388]  [] kasan_kmalloc.part.0+0x62/0xf0
[ 23.466653]  [] kasan_kmalloc+0xb7/0xd0
[ 23.472315]  [] kmem_cache_alloc_trace+0x123/0x2d0
[ 23.478930]  [] alloc_disk_node+0x50/0x3c0
[ 23.484938]  [] alloc_disk+0x1b/0x20
[ 23.490347]  [] loop_add+0x380/0x830
[ 23.495748]  [] loop_control_ioctl+0x138/0x2f0
[ 23.502019]  [] do_vfs_ioctl+0x6e7/0xfa0
[ 23.507766]  [] SyS_ioctl+0x8f/0xc0
[ 23.513079]  [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 23.519783]
[ 23.521403] Freed by task 2193:
[ 23.524664]  [] save_stack_trace+0x26/0x50
[ 23.530586]  [] kasan_slab_free+0xb0/0x190
[ 23.536510]  [] kfree+0xf4/0x310
[ 23.541576]  [] disk_release+0x255/0x330
[ 23.547327]  [] device_release+0x7d/0x220
[ 23.553161]  [] kobject_put+0x14c/0x260
[ 23.558823]  [] put_disk+0x23/0x30
[ 23.564056]  [] __blkdev_get+0x66c/0xdf0
[ 23.569825]  [] blkdev_get+0x2e8/0x920
[ 23.575397]  [] blkdev_open+0x1aa/0x250
[ 23.581066]  [] do_dentry_open+0x38f/0xbd0
[ 23.587029]  [] vfs_open+0x10b/0x210
[ 23.592433]  [] path_openat+0x136f/0x4470
[ 23.598264]  [] do_filp_open+0x1a1/0x270
[ 23.604012]  [] do_sys_open+0x2f8/0x600
[ 23.609670]  [] SyS_open+0x2d/0x40
[ 23.614901]  [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 23.621599]
[ 23.623219] The buggy address belongs to the object at ffff8801cee2ee80
[ 23.623219]  which belongs to the cache kmalloc-2048 of size 2048
[ 23.636042] The buggy address is located 1384 bytes inside of
[ 23.636042]  2048-byte region [ffff8801cee2ee80, ffff8801cee2f680)
[ 23.648170] The buggy address belongs to the page:
[ 23.653390] kasan: CONFIG_KASAN_INLINE enabled
[ 23.657839] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 23.665431] ------------[ cut here ]------------
[ 23.670192] WARNING: CPU: 1 PID: 2071 at kernel/sched/core.c:7941 __might_sleep+0x138/0x1a0()
[ 23.678859] do not call blocking ops when !TASK_RUNNING; state=1 set at [] do_wait+0x265/0xa00
[ 23.689167] Kernel panic - not syncing: panic_on_warn set ...
[ 23.689167]
[ 24.822849] Shutting down cpus with NMI
[ 24.827217] Kernel Offset: disabled
[ 24.830821] Rebooting in 86400 seconds..
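The facts a triager pulls out of a report like this one are always the same: the access site, the allocating and freeing call chains, whether the freeing task is also the faulting task, and whether the "N bytes inside" claim agrees with the object base and access address. The following triage helper is an added example written for this page; it is not part of the syzkaller/syzbot output above and not kernel code. `SAMPLE_REPORT` is a constructed, trimmed copy of the report above (same values, fewer frames), and `parse_kasan`, `KasanReport`, `offset_in_object`, `offset_is_consistent`, `same_task_free_and_use` and `common_tail` are names chosen here. The frame filter that drops KASAN/allocator plumbing (`NOISE`) is a heuristic, not a kernel convention.

```python
"""Minimal KASAN use-after-free report triage (added example, not part of the
syzbot report). Extracts the access site, alloc/free call chains and object
geometry from the report text and cross-checks the reported offset."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a trimmed copy of the report on this page, with the
# kernel timestamps kept and the frame addresses elided exactly as the page has them.
SAMPLE_REPORT = """\
[ 23.199803] BUG: KASAN: use-after-free in disk_unblock_events+0x55/0x60
[ 23.206550] Read of size 8 at addr ffff8801cee2f3e8 by task blkid/2193
[ 23.214826] CPU: 0 PID: 2193 Comm: blkid Not tainted 4.4.174+ #4
[ 23.245153] Call Trace:
[ 23.247735]  [] dump_stack+0xc1/0x120
[ 23.253107]  [] print_address_description+0x6f/0x21b
[ 23.259767]  [] kasan_report.cold+0x8c/0x2be
[ 23.265732]  [] ? disk_unblock_events+0x55/0x60
[ 23.271960]  [] __asan_report_load8_noabort+0x14/0x20
[ 23.278706]  [] disk_unblock_events+0x55/0x60
[ 23.284754]  [] __blkdev_get+0x70c/0xdf0
[ 23.302219]  [] blkdev_get+0x2e8/0x920
[ 23.324776]  [] blkdev_open+0x1aa/0x250
[ 23.436730]  [] SyS_open+0x2d/0x40
[ 23.450360] Allocated by task 2181:
[ 23.453973]  [] save_stack_trace+0x26/0x50
[ 23.472315]  [] kmem_cache_alloc_trace+0x123/0x2d0
[ 23.478930]  [] alloc_disk_node+0x50/0x3c0
[ 23.490347]  [] loop_add+0x380/0x830
[ 23.495748]  [] loop_control_ioctl+0x138/0x2f0
[ 23.521403] Freed by task 2193:
[ 23.524664]  [] save_stack_trace+0x26/0x50
[ 23.536510]  [] kfree+0xf4/0x310
[ 23.541576]  [] disk_release+0x255/0x330
[ 23.558823]  [] put_disk+0x23/0x30
[ 23.564056]  [] __blkdev_get+0x66c/0xdf0
[ 23.569825]  [] blkdev_get+0x2e8/0x920
[ 23.623219] The buggy address belongs to the object at ffff8801cee2ee80
[ 23.623219]  which belongs to the cache kmalloc-2048 of size 2048
[ 23.636042] The buggy address is located 1384 bytes inside of
[ 23.636042]  2048-byte region [ffff8801cee2ee80, ffff8801cee2f680)
"""

TS = re.compile(r"^\[\s*[\d.]+\]\s?")                    # "[ 23.199803] " prefix
FRAME = re.compile(r"\[\]\s*(\?\s*)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Heuristic: instrumentation and allocator frames that carry no triage signal.
NOISE = ("dump_stack", "print_address_description", "kasan_", "__asan_",
         "save_stack_trace", "kmem_cache_alloc", "kmem_cache_free",
         "kmalloc", "__kmalloc", "kfree")


@dataclass
class KasanReport:
    bug: str = ""            # e.g. "use-after-free"
    func: str = ""           # function performing the bad access
    access: str = ""         # "Read" or "Write"
    size: int = 0
    addr: int = 0
    task: str = ""           # "comm/pid" of the faulting task
    access_stack: List[str] = field(default_factory=list)
    alloc_task: int = 0
    alloc_stack: List[str] = field(default_factory=list)
    free_task: int = 0
    free_stack: List[str] = field(default_factory=list)
    obj_base: int = 0
    cache: str = ""
    obj_size: int = 0
    reported_offset: int = -1


def parse_kasan(text: str) -> KasanReport:
    r = KasanReport()
    section = None           # which stack list frames currently belong to
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (.+?) in ([\w.]+)\+0x", line):
            r.bug, r.func = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r.access, r.size = m.group(1), int(m.group(2))
            r.addr, r.task = int(m.group(3), 16), m.group(4)
        elif line == "Call Trace:":
            section = r.access_stack
        elif m := re.match(r"Allocated by task (\d+):", line):
            r.alloc_task, section = int(m.group(1)), r.alloc_stack
        elif m := re.match(r"Freed by task (\d+):", line):
            r.free_task, section = int(m.group(1)), r.free_stack
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj_base, section = int(m.group(1), 16), None
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r.cache, r.obj_size = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r.reported_offset = int(m.group(1))
        elif section is not None and (m := FRAME.search(line)):
            unreliable, name = m.group(1), m.group(2)
            if not unreliable and not name.startswith(NOISE):   # drop "? frame" guesses and plumbing
                section.append(name)
    return r


def offset_in_object(r: KasanReport) -> int:
    return r.addr - r.obj_base


def offset_is_consistent(r: KasanReport) -> bool:
    """Does KASAN's 'N bytes inside' agree with the addresses it printed?"""
    off = offset_in_object(r)
    return 0 <= off < r.obj_size and off == r.reported_offset


def same_task_free_and_use(r: KasanReport) -> bool:
    """True when the freeing task is the faulting task: look at that task's own
    code path before suspecting a cross-task race."""
    return int(r.task.rsplit("/", 1)[1]) == r.free_task


def common_tail(a: List[str], b: List[str]) -> List[str]:
    """Frames shared by two stacks (innermost first): where free and use meet."""
    return [f for f in a if f in b]


if __name__ == "__main__":
    rep = parse_kasan(SAMPLE_REPORT)
    print(rep.bug, "in", rep.func, f"({rep.access} of {rep.size} bytes)")
    print("offset", offset_in_object(rep), "in", rep.cache, "consistent:", offset_is_consistent(rep))
    print("alloc:", " <- ".join(rep.alloc_stack))
    print("free: ", " <- ".join(rep.free_stack))
    print("same task freed and used:", same_task_free_and_use(rep))
    print("shared frames:", common_tail(rep.free_stack, rep.access_stack))
```

Run on the sample, the helper confirms the offset arithmetic (0xffff8801cee2f3e8 - 0xffff8801cee2ee80 = 1384, inside the 2048-byte kmalloc-2048 object), reports that the object was allocated under loop_control_ioctl (task 2181) but freed and then read by the same blkid task (2193), and shows that the free and the use share the __blkdev_get and blkdev_get frames, which is where the source reading should start.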