Warning: Permanently added '10.128.0.176' (ECDSA) to the list of known hosts.
[ 41.289485] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
[ 41.418146] audit: type=1400 audit(1564602699.073:36): avc: denied { map } for pid=6952 comm="syz-executor187" path="/root/syz-executor187480956" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 41.429623] md: md0 stopped.
executing program
executing program
[ 41.528207] md: md0 stopped.
executing program
[ 41.574927] md: md0 stopped.
executing program
[ 41.615541] md: md0 stopped.
executing program
[ 41.664819] md: md0 stopped.
executing program
[ 41.705193] md: md0 stopped.
executing program
[ 41.747243] md: md0 stopped.
executing program
[ 41.784730] md: md0 stopped.
executing program
[ 41.824935] md: md0 stopped.
executing program
[ 41.875118] md: md0 stopped.
executing program
[ 41.915065] md: md0 stopped.
executing program
[ 41.944714] md: md0 stopped.
executing program
[ 41.974978] md: md0 stopped.
executing program
[ 41.995376] md: md0 stopped.
executing program
[ 42.024745] md: md0 stopped.
executing program
[ 42.046561] md: md0 stopped.
executing program
[ 42.094665] md: md0 stopped.
executing program
[ 42.134983] md: md0 stopped.
executing program
[ 42.164646] md: md0 stopped.
executing program
[ 42.204965] md: md0 stopped.
executing program
[ 42.235022] md: md0 stopped.
executing program
[ 42.276343] md: md0 stopped.
executing program
[ 42.325191] md: md0 stopped.
[ 42.385433] ==================================================================
[ 42.392972] BUG: KASAN: use-after-free in disk_unblock_events+0x55/0x60
[ 42.399814] Read of size 8 at addr ffff8880965e9188 by task syz-executor187/7006
[ 42.407333]
[ 42.408965] CPU: 1 PID: 7006 Comm: syz-executor187 Not tainted 4.14.135 #31
[ 42.416185] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.426261] Call Trace:
[ 42.428856]  dump_stack+0x138/0x19c
[ 42.432536]  ? disk_unblock_events+0x55/0x60
[ 42.436945]  print_address_description.cold+0x7c/0x1dc
[ 42.442223]  ? disk_unblock_events+0x55/0x60
[ 42.446808]  kasan_report.cold+0xa9/0x2af
[ 42.450961]  __asan_report_load8_noabort+0x14/0x20
[ 42.455890]  disk_unblock_events+0x55/0x60
[ 42.460116]  __blkdev_get+0x7d6/0x1120
[ 42.464091]  ? __blkdev_put+0x7f0/0x7f0
[ 42.468056]  ? bd_acquire+0x178/0x2c0
[ 42.471988]  ? find_held_lock+0x35/0x130
[ 42.476246]  blkdev_get+0xa8/0x8e0
[ 42.479966]  ? bd_may_claim+0xd0/0xd0
[ 42.483778]  ? _raw_spin_unlock+0x2d/0x50
[ 42.487986]  blkdev_open+0x1d1/0x260
[ 42.491698]  ? security_file_open+0x89/0x190
[ 42.496100]  do_dentry_open+0x73b/0xeb0
[ 42.500085]  ? bd_acquire+0x2c0/0x2c0
[ 42.503996]  vfs_open+0x105/0x220
[ 42.507436]  path_openat+0x8bd/0x3f70
[ 42.511317]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.516832]  ? trace_hardirqs_on+0x10/0x10
[ 42.521063]  ? path_lookupat.isra.0+0x7b0/0x7b0
[ 42.526140]  ? __lock_is_held+0xb6/0x140
[ 42.530312]  ? save_trace+0x290/0x290
[ 42.534099]  ? __alloc_fd+0x1d4/0x4a0
[ 42.537900]  do_filp_open+0x18e/0x250
[ 42.541688]  ? __alloc_fd+0x1d4/0x4a0
[ 42.545586]  ? may_open_dev+0xe0/0xe0
[ 42.549489]  ? _raw_spin_unlock+0x2d/0x50
[ 42.553640]  ? __alloc_fd+0x1d4/0x4a0
[ 42.557440]  do_sys_open+0x2c5/0x430
[ 42.561253]  ? filp_open+0x70/0x70
[ 42.564806]  ? do_futex+0x19e0/0x19e0
[ 42.568600]  SyS_openat+0x30/0x40
[ 42.572122]  ? SyS_open+0x40/0x40
[ 42.575574]  do_syscall_64+0x1e8/0x640
[ 42.579449]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.584286]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.589476] RIP: 0033:0x446759
[ 42.592660] RSP: 002b:00007f769af9adb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 42.600349] RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446759
[ 42.607608] RDX: 0000000000000000 RSI: 0000000020000240 RDI: ffffffffffffff9c
[ 42.614874] RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
[ 42.622135] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
[ 42.629397] R13: 00007fffafcd89df R14: 00007f769af9b9c0 R15: 20c49ba5e353f7cf
[ 42.636781]
[ 42.638394] Allocated by task 7003:
[ 42.642007]  save_stack_trace+0x16/0x20
[ 42.645964]  save_stack+0x45/0xd0
[ 42.649399]  kasan_kmalloc+0xce/0xf0
[ 42.653318]  kmem_cache_alloc_node_trace+0x153/0x770
[ 42.658408]  alloc_disk_node+0x64/0x3e0
[ 42.662364]  alloc_disk+0x1b/0x20
[ 42.665803]  md_alloc+0x219/0x840
[ 42.669428]  md_probe+0x31/0x40
[ 42.672701]  kobj_lookup+0x21c/0x400
[ 42.676413]  get_gendisk+0x3b/0x240
[ 42.680176]  __blkdev_get+0x3af/0x1120
[ 42.684121]  blkdev_get+0xa8/0x8e0
[ 42.687654]  blkdev_open+0x1d1/0x260
[ 42.691360]  do_dentry_open+0x73b/0xeb0
[ 42.695321]  vfs_open+0x105/0x220
[ 42.698763]  path_openat+0x8bd/0x3f70
[ 42.702613]  do_filp_open+0x18e/0x250
[ 42.706412]  do_sys_open+0x2c5/0x430
[ 42.710141]  SyS_openat+0x30/0x40
[ 42.713602]  do_syscall_64+0x1e8/0x640
[ 42.717484]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.722654]
[ 42.724266] Freed by task 7006:
[ 42.727537]  save_stack_trace+0x16/0x20
[ 42.731503]  save_stack+0x45/0xd0
[ 42.735030]  kasan_slab_free+0x75/0xc0
[ 42.738916]  kfree+0xcc/0x270
[ 42.742012]  disk_release+0x24b/0x2d0
[ 42.745798]  device_release+0xf6/0x1a0
[ 42.749738]  kobject_put.cold+0x269/0x2f9
[ 42.753899]  put_disk+0x23/0x30
[ 42.757252]  __blkdev_get+0x73c/0x1120
[ 42.761133]  blkdev_get+0xa8/0x8e0
[ 42.764668]  blkdev_open+0x1d1/0x260
[ 42.768385]  do_dentry_open+0x73b/0xeb0
[ 42.772349]  vfs_open+0x105/0x220
[ 42.775795]  path_openat+0x8bd/0x3f70
[ 42.779760]  do_filp_open+0x18e/0x250
[ 42.783565]  do_sys_open+0x2c5/0x430
[ 42.787376]  SyS_openat+0x30/0x40
[ 42.790821]  do_syscall_64+0x1e8/0x640
[ 42.794692]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.799951]
[ 42.801571] The buggy address belongs to the object at ffff8880965e8c00
[ 42.801571]  which belongs to the cache kmalloc-2048 of size 2048
[ 42.814394] The buggy address is located 1416 bytes inside of
[ 42.814394]  2048-byte region [ffff8880965e8c00, ffff8880965e9400)
[ 42.827128] The buggy address belongs to the page:
[ 42.832044] page:ffffea0002597a00 count:1 mapcount:0 mapping:ffff8880965e8380 index:0x0 compound_mapcount: 0
[ 42.842048] flags: 0x1fffc0000008100(slab|head)
[ 42.846729] raw: 01fffc0000008100 ffff8880965e8380 0000000000000000 0000000100000003
[ 42.854610] raw: ffffea000259b2a0 ffffea0002657f20 ffff8880aa800c40 0000000000000000
[ 42.862486] page dumped because: kasan: bad access detected
[ 42.868366]
[ 42.869985] Memory state around the buggy address:
[ 42.875020]  ffff8880965e9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.882371]  ffff8880965e9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.889715] >ffff8880965e9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.897165]                       ^
[ 42.900782]  ffff8880965e9200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.908372]  ffff8880965e9280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.915723] ==================================================================
[ 42.923236] Disabling lock debugging due to kernel taint
[ 42.928782] Kernel panic - not syncing: panic_on_warn set ...
[ 42.928782]
[ 42.936150] CPU: 1 PID: 7006 Comm: syz-executor187 Tainted: G B 4.14.135 #31
[ 42.944651] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.954000] Call Trace:
[ 42.956595]  dump_stack+0x138/0x19c
[ 42.960222]  ? disk_unblock_events+0x55/0x60
[ 42.964652]  panic+0x1f2/0x426
[ 42.967849]  ? add_taint.cold+0x16/0x16
[ 42.971915]  ? ___preempt_schedule+0x16/0x18
[ 42.976334]  kasan_end_report+0x47/0x4f
[ 42.980309]  kasan_report.cold+0x130/0x2af
[ 42.984555]  __asan_report_load8_noabort+0x14/0x20
[ 42.989492]  disk_unblock_events+0x55/0x60
[ 42.993798]  __blkdev_get+0x7d6/0x1120
[ 42.997688]  ? __blkdev_put+0x7f0/0x7f0
[ 43.001652]  ? bd_acquire+0x178/0x2c0
[ 43.005441]  ? find_held_lock+0x35/0x130
[ 43.009549]  blkdev_get+0xa8/0x8e0
[ 43.013087]  ? bd_may_claim+0xd0/0xd0
[ 43.016883]  ? _raw_spin_unlock+0x2d/0x50
[ 43.021022]  blkdev_open+0x1d1/0x260
[ 43.024730]  ? security_file_open+0x89/0x190
[ 43.029121]  do_dentry_open+0x73b/0xeb0
[ 43.033071]  ? bd_acquire+0x2c0/0x2c0
[ 43.036851]  vfs_open+0x105/0x220
[ 43.040285]  path_openat+0x8bd/0x3f70
[ 43.044085]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.049440]  ? trace_hardirqs_on+0x10/0x10
[ 43.053659]  ? path_lookupat.isra.0+0x7b0/0x7b0
[ 43.058320]  ? __lock_is_held+0xb6/0x140
[ 43.062378]  ? save_trace+0x290/0x290
[ 43.066178]  ? __alloc_fd+0x1d4/0x4a0
[ 43.069971]  do_filp_open+0x18e/0x250
[ 43.073783]  ? __alloc_fd+0x1d4/0x4a0
[ 43.077576]  ? may_open_dev+0xe0/0xe0
[ 43.081372]  ? _raw_spin_unlock+0x2d/0x50
[ 43.085517]  ? __alloc_fd+0x1d4/0x4a0
[ 43.089314]  do_sys_open+0x2c5/0x430
[ 43.093020]  ? filp_open+0x70/0x70
[ 43.096543]  ? do_futex+0x19e0/0x19e0
[ 43.100335]  SyS_openat+0x30/0x40
[ 43.103768]  ? SyS_open+0x40/0x40
[ 43.107208]  do_syscall_64+0x1e8/0x640
[ 43.111083]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 43.115930]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.121542] RIP: 0033:0x446759
[ 43.124712] RSP: 002b:00007f769af9adb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 43.132410] RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446759
[ 43.139754] RDX: 0000000000000000 RSI: 0000000020000240 RDI: ffffffffffffff9c
[ 43.147097] RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
[ 43.154364] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
[ 43.161628] R13: 00007fffafcd89df R14: 00007f769af9b9c0 R15: 20c49ba5e353f7cf
[ 43.170154] Kernel Offset: disabled
[ 43.173783] Rebooting in 86400 seconds..