[....] Starting enhanced syslogd: rsyslogd
[   14.682019] audit: type=1400 audit(1564046302.553:4): avc:  denied  { syslog } for  pid=1918 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.26' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   39.042329] ==================================================================
[   39.050710] BUG: KASAN: use-after-free in disk_unblock_events+0x55/0x60
[   39.057739] Read of size 8 at addr ffff8800b613d1e8 by task syz-executor552/2132
[   39.065891] 
[   39.067529] CPU: 1 PID: 2132 Comm: syz-executor552 Not tainted 4.4.174+ #17
[   39.074725]  0000000000000000 c13e9a7ffcea12d9 ffff8801d41ff6c0 ffffffff81aad1a1
[   39.083102]  0000000000000000 ffffea0002d84e00 ffff8800b613d1e8 0000000000000008
[   39.091413]  0000000000000000 ffff8801d41ff6f8 ffffffff81490120 0000000000000000
[   39.099486] Call Trace:
[   39.102088]  [] dump_stack+0xc1/0x120
[   39.107492]  [] print_address_description+0x6f/0x21b
[   39.114178]  [] kasan_report.cold+0x8c/0x2be
[   39.120257]  [] ? disk_unblock_events+0x55/0x60
[   39.126582]  [] __asan_report_load8_noabort+0x14/0x20
[   39.133347]  [] disk_unblock_events+0x55/0x60
[   39.139420]  [] __blkdev_get+0x70c/0xdf0
[   39.146738]  [] ? __blkdev_put+0x840/0x840
[   39.152630]  [] ? trace_hardirqs_on+0x10/0x10
[   39.158796]  [] blkdev_get+0x2e8/0x920
[   39.164254]  [] ? bd_may_claim+0xd0/0xd0
[   39.169912]  [] ? bd_acquire+0x8a/0x370
[   39.175458]  [] ? _raw_spin_unlock+0x2d/0x50
[   39.181437]  [] blkdev_open+0x1aa/0x250
[   39.187071]  [] do_dentry_open+0x38f/0xbd0
[   39.192895]  [] ? __inode_permission2+0x9e/0x250
[   39.199345]  [] ? blkdev_get_by_dev+0x80/0x80
[   39.206259]  [] vfs_open+0x10b/0x210
[   39.211648]  [] ? may_open.isra.0+0xe7/0x210
[   39.217623]  [] path_openat+0x136f/0x4470
[   39.223342]  [] ? kasan_kmalloc.part.0+0xc6/0xf0
[   39.229671]  [] ? may_open.isra.0+0x210/0x210
[   39.235860]  [] ? trace_hardirqs_on+0x10/0x10
[   39.241929]  [] do_filp_open+0x1a1/0x270
[   39.247579]  [] ? user_path_mountpoint_at+0x50/0x50
[   39.254171]  [] ? do_dup2+0x3d0/0x3d0
[   39.259539]  [] ? _raw_spin_unlock+0x2d/0x50
[   39.265498]  [] do_sys_open+0x2f8/0x600
[   39.271391]  [] ? filp_open+0x70/0x70
[   39.276766]  [] ? __do_page_fault+0x2b3/0x7f0
[   39.282842]  [] compat_SyS_open+0x2a/0x40
[   39.288573]  [] ? compat_SyS_getdents64+0x270/0x270
[   39.295191]  [] do_fast_syscall_32+0x32d/0xa90
[   39.301430]  [] sysenter_flags_fixed+0xd/0x1a
[   39.307510] 
[   39.309131] Allocated by task 2132:
[   39.312748]  [] save_stack_trace+0x26/0x50
[   39.318720]  [] kasan_kmalloc.part.0+0x62/0xf0
[   39.325445]  [] kasan_kmalloc+0xb7/0xd0
[   39.331566]  [] kmem_cache_alloc_trace+0x123/0x2d0
[   39.338523]  [] alloc_disk_node+0x50/0x3c0
[   39.354797]  [] alloc_disk+0x1b/0x20
[   39.360719]  [] loop_add+0x380/0x830
[   39.366954]  [] loop_control_ioctl+0x138/0x2f0
[   39.373299]  [] compat_SyS_ioctl+0x403/0x2210
[   39.379765]  [] do_fast_syscall_32+0x32d/0xa90
[   39.386248]  [] sysenter_flags_fixed+0xd/0x1a
[   39.392759] 
[   39.394479] Freed by task 2132:
[   39.397752]  [] save_stack_trace+0x26/0x50
[   39.403866]  [] kasan_slab_free+0xb0/0x190
[   39.409825]  [] kfree+0xf4/0x310
[   39.414989]  [] disk_release+0x255/0x330
[   39.420762]  [] device_release+0x7d/0x220
[   39.426640]  [] kobject_put+0x14c/0x260
[   39.432578]  [] put_disk+0x23/0x30
[   39.438008]  [] __blkdev_get+0x66c/0xdf0
[   39.443774]  [] blkdev_get+0x2e8/0x920
[   39.449367]  [] blkdev_open+0x1aa/0x250
[   39.455247]  [] do_dentry_open+0x38f/0xbd0
[   39.461205]  [] vfs_open+0x10b/0x210
[   39.467157]  [] path_openat+0x136f/0x4470
[   39.473214]  [] do_filp_open+0x1a1/0x270
[   39.478989]  [] do_sys_open+0x2f8/0x600
[   39.484783]  [] compat_SyS_open+0x2a/0x40
[   39.490644]  [] do_fast_syscall_32+0x32d/0xa90
[   39.497084]  [] sysenter_flags_fixed+0xd/0x1a
[   39.503291] 
[   39.504919] The buggy address belongs to the object at ffff8800b613cc80
[   39.504919]  which belongs to the cache kmalloc-2048 of size 2048
[   39.518028] The buggy address is located 1384 bytes inside of
[   39.518028]  2048-byte region [ffff8800b613cc80, ffff8800b613d480)
[   39.530435] The buggy address belongs to the page:
[   39.536263] BUG: unable to handle kernel paging request at fffff940005b09c0
[   39.543657] IP: [] memset_erms+0x9/0x10
[   39.549349] PGD 330c067 PUD 330b063 PMD 330a063 PTE 800000000330d161
[   39.556431] Oops: 0003 [#1] PREEMPT SMP KASAN
[   39.561505] Modules linked in:
[   39.565013] CPU: 0 PID: 567 Comm: udevd Not tainted 4.4.174+ #17
[   39.571438] task: ffff8801d5688000 task.stack: ffff8801d5690000
[   39.577500] RIP: 0010:[]  [] memset_erms+0x9/0x10
[   39.585799] RSP: 0018:ffff8801d5697b50  EFLAGS: 00010202
[   39.591453] RAX: 1ffffd40005b0900 RBX: fffff940005b09c4 RCX: 0000000000000004
[   39.599174] RDX: 0000000000000004 RSI: 0000000000000000 RDI: fffff940005b09c0
[   39.606650] RBP: ffff8801d5697b68 R08: 1ffff1003a8f11c0 R09: fffff940005b09c0
[   39.614342] R10: ffffed003a8f11c3 R11: ffff8801d4788e1f R12: 0000000000000020
[   39.621729] R13: ffffea0002d84e00 R14: ffffea0002d84e1f R15: ffff8801da401a00
[   39.629480] FS:  00007f1d80ea37a0(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
[   39.637836] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   39.643731] CR2: fffff940005b09c0 CR3: 00000001d5679000 CR4: 00000000001606b0
[   39.651122] Stack:
[   39.653276]  ffffffff81484025 ffffea0002d84e20 00000000024000c0 ffff8801d5697ba8
[   39.661725]  ffffffff8148412c ffffea0002d84e1f 0000000000004080 ffff8801da401a00
[   39.669984]  00000000024000c0 0000000000000011 ffffea0002d84e00 ffff8801d5697bb8
[   39.678358] Call Trace:
[   39.680953]  [] ? kasan_unpoison_shadow+0x35/0x50
[   39.687579]  [] kasan_kmalloc+0x4c/0xd0
[   39.693147]  [] kasan_slab_alloc+0xf/0x20
[   39.698891]  [] __kmalloc+0xff/0x330
[   39.704177]  [] ? shmem_initxattrs+0x82/0x1f0
[   39.710248]  [] shmem_initxattrs+0x82/0x1f0
[   39.717220]  [] security_inode_init_security+0x279/0x370
[   39.724334]  [] ? shmem_encode_fh+0x330/0x330
[   39.730501]  [] ? security_d_instantiate+0xe0/0xe0
[   39.737025]  [] ? lockdep_annotate_inode_mutex_key+0x4c/0x60
[   39.744509]  [] ? shmem_get_inode+0x3d3/0x6b0
[   39.750719]  [] shmem_symlink+0xee/0x670
[   39.756368]  [] ? shmem_file_read_iter+0x870/0x870
[   39.763186]  [] ? selinux_inode_symlink+0x23/0x30
[   39.769629]  [] ? security_inode_symlink+0xcd/0x100
[   39.776412]  [] vfs_symlink2+0x1ef/0x3c0
[   39.782342]  [] SyS_symlinkat+0x14e/0x240
[   39.788344]  [] ? SyS_unlink+0x20/0x20
[   39.793817]  [] SyS_symlink+0x23/0x30
[   39.799196]  [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[   39.805863] Code: 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 f3 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 aa 4c 89 c8 c3 90 49 89 fa 40 0f b6 ce 48 b8 01 01 01 01 01
[   39.834416] RIP  [] memset_erms+0x9/0x10
[   39.840196]  RSP
[   39.843818] CR2: fffff940005b09c0
[   39.847274] ---[ end trace 7332debb7d6ef803 ]---
[   39.852215] Kernel panic - not syncing: Fatal exception
[   40.979101] Shutting down cpus with NMI
[   40.983591] Kernel Offset: disabled
[   40.987248] Rebooting in 86400 seconds..
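Triage helper, added here as an example; it is not part of the syzkaller console output above and not syzbot's own tooling. It parses a KASAN report of the shape shown (4.4-era `[] sym+off/size` frames as well as newer frames without brackets), drops the sanitizer and allocator plumbing and the stale `?` frames, and reports where the object was allocated, freed and then used, plus the syscall that entered the kernel for each stack. The `SAMPLE` string is a constructed, trimmed copy of the log lines above with the interleaved `executing program` noise removed; on it the parser shows the `kmalloc-2048` object coming from `alloc_disk_node` under a `compat_SyS_ioctl` into `loop_control_ioctl`, being freed through `disk_release`/`put_disk` inside `__blkdev_get` during a `compat_SyS_open`, and being read by `disk_unblock_events` in that same open path. Parsing stops at the second `BUG:` line (the later oops in `udevd`) so its frames are not merged into the report. The noise-prefix list and syscall-name patterns are assumptions of this helper, not kernel conventions.

```python
import re
from dataclasses import dataclass, field

# Frames that belong to KASAN / the allocator, not to the bug itself (assumed list).
NOISE = re.compile(r"^(dump_stack|print_address_description|kasan_|__asan_|__kasan_"
                   r"|save_stack_trace|stack_trace_save|kmem_cache_|kfree\+|__kmalloc|kmalloc\+|slab_)")
TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                      # "[   39.102088] " prefix
FRAME = re.compile(r"^\s*(?:\[[^\]]*\]\s*)?(?P<stale>\?\s*)?(?P<sym>\S+\+0x[0-9a-f]+/0x[0-9a-f]+)")
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                    r" by task (?P<task>\S+)/(?P<pid>\d+)")
CACHE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
SYSCALL = re.compile(r"^(?P<compat>compat_|__ia32_compat_)?(?:SyS|sys|__x64_sys|__se_sys|__do_sys)_(?P<name>\w+)\+")

# Constructed sample: trimmed copy of the console log above, noise lines removed.
SAMPLE = """\
[   39.050710] BUG: KASAN: use-after-free in disk_unblock_events+0x55/0x60
[   39.057739] Read of size 8 at addr ffff8800b613d1e8 by task syz-executor552/2132
[   39.067529] CPU: 1 PID: 2132 Comm: syz-executor552 Not tainted 4.4.174+ #17
[   39.099486] Call Trace:
[   39.102088]  [] dump_stack+0xc1/0x120
[   39.114178]  [] kasan_report.cold+0x8c/0x2be
[   39.120257]  [] ? disk_unblock_events+0x55/0x60
[   39.126582]  [] __asan_report_load8_noabort+0x14/0x20
[   39.133347]  [] disk_unblock_events+0x55/0x60
[   39.139420]  [] __blkdev_get+0x70c/0xdf0
[   39.181437]  [] blkdev_open+0x1aa/0x250
[   39.282842]  [] compat_SyS_open+0x2a/0x40
[   39.288573]  [] ? compat_SyS_getdents64+0x270/0x270
[   39.309131] Allocated by task 2132:
[   39.312748]  [] save_stack_trace+0x26/0x50
[   39.318720]  [] kasan_kmalloc.part.0+0x62/0xf0
[   39.331566]  [] kmem_cache_alloc_trace+0x123/0x2d0
[   39.338523]  [] alloc_disk_node+0x50/0x3c0
[   39.360719]  [] loop_add+0x380/0x830
[   39.366954]  [] loop_control_ioctl+0x138/0x2f0
[   39.373299]  [] compat_SyS_ioctl+0x403/0x2210
[   39.394479] Freed by task 2132:
[   39.397752]  [] save_stack_trace+0x26/0x50
[   39.403866]  [] kasan_slab_free+0xb0/0x190
[   39.409825]  [] kfree+0xf4/0x310
[   39.414989]  [] disk_release+0x255/0x330
[   39.432578]  [] put_disk+0x23/0x30
[   39.438008]  [] __blkdev_get+0x66c/0xdf0
[   39.484783]  [] compat_SyS_open+0x2a/0x40
[   39.504919] The buggy address belongs to the object at ffff8800b613cc80
[   39.504919]  which belongs to the cache kmalloc-2048 of size 2048
[   39.536263] BUG: unable to handle kernel paging request at fffff940005b09c0
[   39.678358] Call Trace:
[   39.750719]  [] shmem_symlink+0xee/0x670
"""


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    op: str = ""
    size: int = 0
    addr: str = ""
    task: str = ""
    pid: int = 0
    cache: str = ""
    use_stack: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)


def first_real_frame(stack):
    """Innermost frame that is not sanitizer/allocator plumbing."""
    for sym in stack:
        if not NOISE.match(sym):
            return sym
    return None


def entry_syscall(stack):
    """(syscall name, is_compat) for the outermost syscall frame, or None."""
    for sym in reversed(stack):
        m = SYSCALL.match(sym)
        if m:
            return m.group("name"), m.group("compat") is not None
    return None


def parse_kasan(text):
    rep, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS.sub("", raw)
        m = HEADER.search(line)
        if m and not rep.kind:
            rep.kind, rep.func = m.group("kind"), m.group("func")
            continue
        if line.startswith("BUG:") and rep.kind:   # second oops: stop, do not merge
            break
        m = ACCESS.search(line)
        if m:
            rep.op, rep.size, rep.addr = m.group("op"), int(m.group("size")), m.group("addr")
            rep.task, rep.pid = m.group("task"), int(m.group("pid"))
            continue
        m = CACHE.search(line)
        if m:
            rep.cache = m.group("cache")
            continue
        if line.startswith("Call Trace:"):
            section = rep.use_stack
        elif line.startswith("Allocated by task"):
            section = rep.alloc_stack
        elif line.startswith("Freed by task"):
            section = rep.free_stack
        elif line.startswith("The buggy address"):
            section = None
        else:
            m = FRAME.match(line)
            if m and section is not None and not m.group("stale"):
                section.append(m.group("sym"))
    return rep


def summarize(text):
    """Flatten a report into the fields a triager looks at first."""
    rep = parse_kasan(text)
    return {
        "kind": rep.kind,
        "access": f"{rep.op} of size {rep.size} at {rep.addr} by {rep.task}/{rep.pid}",
        "cache": rep.cache,
        "use_site": first_real_frame(rep.use_stack), "use_syscall": entry_syscall(rep.use_stack),
        "alloc_site": first_real_frame(rep.alloc_stack), "alloc_syscall": entry_syscall(rep.alloc_stack),
        "free_site": first_real_frame(rep.free_stack), "free_syscall": entry_syscall(rep.free_stack),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE).items():
        print(f"{k:14} {v}")
```

Feeding it the full console log works the same way once the `executing program` lines are stripped; the stale `?` frames are dropped deliberately, because on x86 without ORC/frame pointers they are leftovers on the stack rather than part of the live call chain, and treating them as real frames is the commonest way to mis-attribute the free site.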