[....] Starting enhanced syslogd: rsyslogd[ 15.269925] audit: type=1400 audit(1551295704.270:4): avc: denied { syslog } for pid=1919 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.159' (ECDSA) to the list of known hosts. executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program syzkaller login: [ 41.960212] ================================================================== [ 41.967650] BUG: KASAN: use-after-free in 
disk_unblock_events+0x55/0x60 [ 41.974391] Read of size 8 at addr ffff8801d2e4c0e8 by task syz-executor318/2205 [ 41.981898] [ 41.983507] CPU: 0 PID: 2205 Comm: syz-executor318 Not tainted 4.4.174+ #4 [ 41.990535] 0000000000000000 86bd5c262fd1860d ffff8801d24af730 ffffffff81aad1a1 [ 41.998533] 0000000000000000 ffffea00074b9200 ffff8801d2e4c0e8 0000000000000008 executing program executing program executing program executing program executing program executing program [ 42.006521] 0000000000000000 ffff8801d24af768 ffffffff81490120 0000000000000000 [ 42.014501] Call Trace: [ 42.017066] [] dump_stack+0xc1/0x120 [ 42.022407] [] print_address_description+0x6f/0x21b [ 42.029047] [] kasan_report.cold+0x8c/0x2be [ 42.034996] [] ? disk_unblock_events+0x55/0x60 [ 42.041203] [] __asan_report_load8_noabort+0x14/0x20 [ 42.047938] [] disk_unblock_events+0x55/0x60 [ 42.053971] [] __blkdev_get+0x70c/0xdf0 executing program executing program executing program executing program [ 42.059568] [] ? __blkdev_put+0x840/0x840 [ 42.065347] [] ? blkdev_get_block+0x80/0x80 [ 42.071296] [] ? __might_sleep+0x90/0x1a0 [ 42.077079] [] blkdev_get+0x2e8/0x920 [ 42.082610] [] ? bd_may_claim+0xd0/0xd0 [ 42.088216] [] ? bd_acquire+0x133/0x370 [ 42.093831] [] ? _raw_spin_unlock+0x2d/0x50 [ 42.099775] [] blkdev_open+0x1aa/0x250 [ 42.105291] [] do_dentry_open+0x38f/0xbd0 executing program executing program executing program executing program executing program executing program [ 42.111065] [] ? __inode_permission2+0x9e/0x250 [ 42.117356] [] ? blkdev_get_by_dev+0x80/0x80 [ 42.123384] [] vfs_open+0x10b/0x210 [ 42.128635] [] ? may_open.isra.0+0xe7/0x210 [ 42.134581] [] path_openat+0x136f/0x4470 [ 42.140266] [] ? kasan_kmalloc.part.0+0xc6/0xf0 [ 42.146565] [] ? may_open.isra.0+0x210/0x210 [ 42.152603] [] ? trace_hardirqs_on+0x10/0x10 executing program executing program executing program executing program executing program executing program [ 42.158634] [] do_filp_open+0x1a1/0x270 [ 42.164340] [] ? 
user_path_mountpoint_at+0x50/0x50 [ 42.170946] [] ? __alloc_fd+0x1ea/0x490 [ 42.176586] [] ? _raw_spin_unlock+0x2d/0x50 [ 42.182576] [] do_sys_open+0x2f8/0x600 [ 42.188090] [] ? filp_open+0x70/0x70 [ 42.193429] [] ? retint_user+0x18/0x3c [ 42.198940] [] ? trace_hardirqs_on_caller+0x385/0x5a0 [ 42.205752] [] SyS_open+0x2d/0x40 executing program executing program executing program executing program executing program executing program [ 42.210828] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 42.217377] [ 42.218977] Allocated by task 2205: [ 42.222570] [] save_stack_trace+0x26/0x50 [ 42.228521] [] kasan_kmalloc.part.0+0x62/0xf0 [ 42.234769] [] kasan_kmalloc+0xb7/0xd0 [ 42.240397] [] kmem_cache_alloc_trace+0x123/0x2d0 [ 42.246977] [] alloc_disk_node+0x50/0x3c0 [ 42.252865] [] alloc_disk+0x1b/0x20 executing program executing program executing program executing program executing program [ 42.258234] [] loop_add+0x380/0x830 [ 42.263606] [] loop_control_ioctl+0x138/0x2f0 [ 42.269846] [] do_vfs_ioctl+0x6e7/0xfa0 [ 42.275571] [] SyS_ioctl+0x8f/0xc0 [ 42.280850] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 42.287754] [ 42.289355] Freed by task 2205: [ 42.292604] [] save_stack_trace+0x26/0x50 [ 42.298495] [] kasan_slab_free+0xb0/0x190 [ 42.304384] [] kfree+0xf4/0x310 executing program executing program executing program executing program executing program executing program [ 42.309405] [] disk_release+0x255/0x330 [ 42.315164] [] device_release+0x7d/0x220 [ 42.321043] [] kobject_put+0x14c/0x260 [ 42.326676] [] put_disk+0x23/0x30 [ 42.331869] [] __blkdev_get+0x66c/0xdf0 [ 42.337584] [] blkdev_get+0x2e8/0x920 [ 42.343125] [] blkdev_open+0x1aa/0x250 [ 42.348753] [] do_dentry_open+0x38f/0xbd0 [ 42.354638] [] vfs_open+0x10b/0x210 executing program executing program executing program executing program executing program [ 42.360018] [] path_openat+0x136f/0x4470 [ 42.365826] [] do_filp_open+0x1a1/0x270 [ 42.371548] [] do_sys_open+0x2f8/0x600 [ 42.377177] [] SyS_open+0x2d/0x40 [ 42.382371] [] 
entry_SYSCALL_64_fastpath+0x1e/0x9a [ 42.389045] [ 42.390653] The buggy address belongs to the object at ffff8801d2e4bb80 [ 42.390653] which belongs to the cache kmalloc-2048 of size 2048 [ 42.403460] The buggy address is located 1384 bytes inside of executing program [ 42.403460] 2048-byte region [ffff8801d2e4bb80, ffff8801d2e4c380) [ 42.415585] The buggy address belongs to the page: [ 42.421247] kasan: CONFIG_KASAN_INLINE enabled [ 42.425774] kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN [ 42.425785] Modules linked in: [ 42.425791] CPU: 1 PID: 1993 Comm: mcstransd Not tainted 4.4.174+ #4 [ 42.425794] task: ffff8800b866c740 task.stack: ffff8800b85c8000 [ 42.425796] RIP: 0010:[] [] __enqueue_entity+0x8a/0x2c0 [ 42.425807] RSP: 0018:ffff8801db707b58 EFLAGS: 00010002 [ 42.425810] RAX: 050c4c2d8a6cacf4 RBX: 2862616c53656761 RCX: 00000002d782dfdc [ 42.425812] RDX: ffff8801db71e928 RSI: ffff8801db71e950 RDI: 2862616c536567a1 [ 42.425815] RBP: ffff8801db707ba0 R08: ffff8801d5fd0110 R09: ffff8801d5fd0070 [ 42.425818] R10: ffff8801d5fd0000 R11: ffff8801db71e99c R12: ffffffff82891bf0 [ 42.425821] R13: dffffc0000000000 R14: ffff8801d5fd0060 R15: 0000000000000000 [ 42.425825] FS: 00007f33b610e7a0(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000 [ 42.425827] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 42.425830] CR2: 0000000001c44c60 CR3: 00000000b85e9000 CR4: 00000000001606b0 [ 42.425836] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 42.425838] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 42.425839] Stack: [ 42.425840] ffffffff81b0abec ffff8801db707ba0 ffffffff8117cedf ffff8801db71e880 [ 42.425846] ffff8800b866c7a0 ffff8801db71e928 ffff8801d5fd0060 00000002d7de0212 [ 42.425851] dffffc0000000000 ffff8801db707cc8 ffffffff8119f190 ffffffff811bbc03 [ 42.425855] Call Trace: [ 42.425857] [ 42.425863] [] ? 
check_preemption_disabled+0x3c/0x200 [ 42.425868] [] ? account_entity_enqueue+0x20f/0x370 [ 42.425872] [] enqueue_task_fair+0x13c0/0xb6c0 [ 42.425876] [] ? select_task_rq_fair+0x483/0x2e90 [ 42.425880] [] ? debug_object_deactivate+0x1e4/0x360 [ 42.425884] [] activate_task+0x154/0x280 [ 42.425888] [] ttwu_do_activate.constprop.0+0xbe/0x1e0 [ 42.425892] [] try_to_wake_up+0x6d1/0x1110 [ 42.425897] [] ? kvm_clock_read+0x23/0x40 [ 42.425901] [] wake_up_process+0x15/0x20 [ 42.425905] [] hrtimer_wakeup+0x48/0x60 [ 42.425909] [] ? clock_was_set_work+0x30/0x30 [ 42.425913] [] __hrtimer_run_queues+0x34e/0xfc0 [ 42.425917] [] ? hrtimer_fixup_init+0x70/0x70 [ 42.425920] [] ? kvm_clock_get_cycles+0x9/0x10 [ 42.425924] [] ? hrtimer_interrupt+0x121/0x450 [ 42.425928] [] hrtimer_interrupt+0x1b6/0x450 [ 42.425932] [] local_apic_timer_interrupt+0x76/0xa0 [ 42.425939] [] smp_apic_timer_interrupt+0x79/0xb0 [ 42.425942] [] apic_timer_interrupt+0x9d/0xb0 [ 42.425944] [ 42.425948] [] ? console_unlock+0x8c9/0xa10 [ 42.425952] [] ? console_unlock+0x8d3/0xa10 [ 42.425956] [] ? _raw_spin_unlock_irqrestore+0x45/0x70 [ 42.425959] [] ? vprintk_emit+0x36d/0x820 [ 42.425963] [] vprintk_emit+0x3b2/0x820 [ 42.425966] [] vprintk+0x28/0x30 [ 42.425971] [] printk+0xc2/0xf5 [ 42.425975] [] ? log_wakeup_reason.cold+0x145/0x145 [ 42.425980] [] ? dump_trace+0x183/0x390 [ 42.425985] [] ? kasan_die_handler.cold+0x5/0x22 [ 42.425988] [] kasan_die_handler.cold+0x11/0x22 [ 42.425993] [] notifier_call_chain+0xb9/0x1e0 [ 42.426005] [] __atomic_notifier_call_chain+0x87/0x150 [ 42.426009] [] ? raw_notifier_call_chain+0x40/0x40 [ 42.426013] [] notify_die+0xe0/0x160 [ 42.426017] [] ? blocking_notifier_call_chain+0xa0/0xa0 [ 42.426021] [] ? kmem_cache_alloc+0x9c/0x2c0 [ 42.426028] [] ? search_exception_tables+0x33/0x40 [ 42.426035] [] do_general_protection+0x205/0x2b0 [ 42.426041] [] ? selinux_file_alloc_security+0xae/0x190 [ 42.426045] [] general_protection+0x25/0x30 [ 42.426050] [] ? 
selinux_file_alloc_security+0xae/0x190 [ 42.426055] [] ? get_empty_filp+0x8c/0x370 [ 42.426058] [] ? kmem_cache_alloc+0x9c/0x2c0 [ 42.426063] [] selinux_file_alloc_security+0xae/0x190 [ 42.426068] [] security_file_alloc+0x73/0xb0 [ 42.426072] [] get_empty_filp+0x11b/0x370 [ 42.426077] [] path_openat+0xa5/0x4470 [ 42.426082] [] ? kasan_kmalloc.part.0+0xc6/0xf0 [ 42.426087] [] ? save_stack_trace+0x26/0x50 [ 42.426090] [] ? kasan_kmalloc.part.0+0x62/0xf0 [ 42.426095] [] ? entry_SYSCALL_64_fastpath+0x1e/0x9a [ 42.426098] [] ? may_open.isra.0+0x210/0x210 [ 42.426104] [] ? trace_hardirqs_on+0x10/0x10 [ 42.426108] [] do_filp_open+0x1a1/0x270 [ 42.426112] [] ? user_path_mountpoint_at+0x50/0x50 [ 42.426116] [] ? do_dup2+0x3d0/0x3d0 [ 42.426120] [] ? __alloc_fd+0x36/0x490 [ 42.426123] [] ? __alloc_fd+0x1ea/0x490 [ 42.426127] [] ? _raw_spin_unlock+0x2d/0x50 [ 42.426131] [] do_sys_open+0x2f8/0x600 [ 42.426134] [] ? filp_open+0x70/0x70 [ 42.426140] [] ? SyS_getsockopt+0x159/0x220 [ 42.426144] [] ? SyS_setsockopt+0x240/0x240 [ 42.426147] [] SyS_open+0x2d/0x40 [ 42.426151] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 42.426152] Code: 00 0f 85 16 02 00 00 49 8b 4e 50 41 bf 01 00 00 00 49 bd 00 00 00 00 00 fc ff df eb 03 48 89 c3 48 8d 7b 40 48 89 f8 48 c1 e8 03 <42> 80 3c 28 00 0f 85 05 01 00 00 48 3b 4b 40 4c 8d 63 10 78 07 [ 42.426216] RIP [] __enqueue_entity+0x8a/0x2c0 [ 42.426222] RSP [ 42.426225] ---[ end trace bfe5cf554b5f4b8b ]--- [ 42.426228] Kernel panic - not syncing: Fatal exception in interrupt [ 43.533987] Shutting down cpus with NMI [ 43.534682] Kernel Offset: disabled [ 44.145191] Rebooting in 86400 seconds..