==================================================================
BUG: KASAN: use-after-free in disk_unblock_events+0x51/0x60 block/genhd.c:1543
Read of size 8 at addr ffff8800b4bf73e8 by task blkid/2339

CPU: 1 PID: 2339 Comm: blkid Not tainted 4.4.161+ #1
 0000000000000000 d6f7743e666517b2 ffff8801d14af6d0 ffffffff81a9969d
 ffffea0002d2fc00 ffff8800b4bf73e8 0000000000000000 ffff8800b4bf73e8
 0000000000000000 ffff8801d14af708 ffffffff8148a889 ffff8800b4bf73e8
Call Trace:
 [<ffffffff81a9969d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81a9969d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff8148a889>] print_address_description+0x6c/0x217 mm/kasan/report.c:252
 [<ffffffff8148aba9>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff8148aba9>] kasan_report.cold.6+0x175/0x2f7 mm/kasan/report.c:408
 [<ffffffff8147f824>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [<ffffffff81a6ed11>] disk_unblock_events+0x51/0x60 block/genhd.c:1543
 [<ffffffff8154827c>] __blkdev_get+0x70c/0xdf0 fs/block_dev.c:1297
 [<ffffffff8154abea>] blkdev_get+0x2da/0x920 fs/block_dev.c:1353
 [<ffffffff8154b445>] blkdev_open+0x1a5/0x250 fs/block_dev.c:1508
 [<ffffffff8148bc2d>] do_dentry_open+0x38d/0xbd0 fs/open.c:749
 [<ffffffff8148f39a>] vfs_open+0x12a/0x210 fs/open.c:862
 [<ffffffff814bef7c>] do_last fs/namei.c:3222 [inline]
 [<ffffffff814bef7c>] path_openat+0x50c/0x39a0 fs/namei.c:3359
 [<ffffffff814c60a7>] do_filp_open+0x197/0x270 fs/namei.c:3393
 [<ffffffff8148fcbc>] do_sys_open+0x31c/0x610 fs/open.c:1038
 [<ffffffff8148ffdd>] SYSC_open fs/open.c:1056 [inline]
 [<ffffffff8148ffdd>] SyS_open+0x2d/0x40 fs/open.c:1051
 [<ffffffff82705b21>] entry_SYSCALL_64_fastpath+0x1e/0x9a

Allocated by task 2328:
 [<ffffffff8102e6b6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff8147e862>] save_stack mm/kasan/kasan.c:512 [inline]
 [<ffffffff8147e862>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff8147e862>] kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:616
 [<ffffffff8147eadf>] kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:601
 [<ffffffff8147aaa7>] kmem_cache_alloc_trace+0x117/0x2d0 mm/slub.c:2642
 [<ffffffff81a6df34>] kmem_cache_alloc_node_trace include/linux/slab.h:367 [inline]
 [<ffffffff81a6df34>] kmalloc_node include/linux/slab.h:514 [inline]
 [<ffffffff81a6df34>] kzalloc_node include/linux/slab.h:631 [inline]
 [<ffffffff81a6df34>] alloc_disk_node+0x54/0x3a0 block/genhd.c:1282
 [<ffffffff81a6e298>] alloc_disk+0x18/0x20 block/genhd.c:1274
 [<ffffffff81d2fc1e>] loop_add+0x33e/0x780 drivers/block/loop.c:1798
 [<ffffffff81d30596>] loop_control_ioctl+0x136/0x300 drivers/block/loop.c:1930
 [<ffffffff8159376f>] C_SYSC_ioctl fs/compat_ioctl.c:1592 [inline]
 [<ffffffff8159376f>] compat_SyS_ioctl+0x4af/0x2220 fs/compat_ioctl.c:1544
 [<ffffffff8100629e>] do_syscall_32_irqs_on arch/x86/entry/common.c:396 [inline]
 [<ffffffff8100629e>] do_fast_syscall_32+0x31e/0xa80 arch/x86/entry/common.c:463
 [<ffffffff82707290>] sysenter_flags_fixed+0xd/0x1a

Freed by task 2339:
 [<ffffffff8102e6b6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff8147f15c>] save_stack mm/kasan/kasan.c:512 [inline]
 [<ffffffff8147f15c>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff8147f15c>] kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:589
 [<ffffffff8147c534>] slab_free_hook mm/slub.c:1383 [inline]
 [<ffffffff8147c534>] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [<ffffffff8147c534>] slab_free mm/slub.c:2859 [inline]
 [<ffffffff8147c534>] kfree+0xf4/0x310 mm/slub.c:3749
 [<ffffffff81a6c7b9>] disk_release+0x259/0x330 block/genhd.c:1118
 [<ffffffff81ce46be>] device_release+0x7e/0x220 drivers/base/core.c:247
 [<ffffffff81a9f494>] kobject_cleanup lib/kobject.c:643 [inline]
 [<ffffffff81a9f494>] kobject_release lib/kobject.c:672 [inline]
 [<ffffffff81a9f494>] kref_sub include/linux/kref.h:73 [inline]
 [<ffffffff81a9f494>] kref_put include/linux/kref.h:98 [inline]
 [<ffffffff81a9f494>] kobject_put+0x144/0x260 lib/kobject.c:689
 [<ffffffff81a6a4c3>] put_disk+0x23/0x30 block/genhd.c:1346
 [<ffffffff815481dc>] __blkdev_get+0x66c/0xdf0 fs/block_dev.c:1290
 [<ffffffff8154abea>] blkdev_get+0x2da/0x920 fs/block_dev.c:1353
 [<ffffffff8154b445>] blkdev_open+0x1a5/0x250 fs/block_dev.c:1508
 [<ffffffff8148bc2d>] do_dentry_open+0x38d/0xbd0 fs/open.c:749
 [<ffffffff8148f39a>] vfs_open+0x12a/0x210 fs/open.c:862
 [<ffffffff814bef7c>] do_last fs/namei.c:3222 [inline]
 [<ffffffff814bef7c>] path_openat+0x50c/0x39a0 fs/namei.c:3359
 [<ffffffff814c60a7>] do_filp_open+0x197/0x270 fs/namei.c:3393
 [<ffffffff8148fcbc>] do_sys_open+0x31c/0x610 fs/open.c:1038
 [<ffffffff8148ffdd>] SYSC_open fs/open.c:1056 [inline]
 [<ffffffff8148ffdd>] SyS_open+0x2d/0x40 fs/open.c:1051
 [<ffffffff82705b21>] entry_SYSCALL_64_fastpath+0x1e/0x9a

The buggy address belongs to the object at ffff8800b4bf6e80
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1384 bytes inside of
 2048-byte region [ffff8800b4bf6e80, ffff8800b4bf7680)
The buggy address belongs to the page:
kasan: CONFIG_KASAN_INLINE enabled
audit: type=1400 audit(1539844113.523:5): avc:  denied  { sigchld } for  pid=2082 comm="syz-executor110" scontext=system_u:object_r:unlabeled_t:s0 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=process permissive=1
kasan: CONFIG_KASAN_INLINE enabled
BUG: unable to handle kernel paging request at fffffffb9762b340
IP: [<ffffffff811f0c55>] cpuacct_charge+0x155/0x380 kernel/sched/cpuacct.c:247
PGD 2e0d067 PUD 0 
Oops: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 2082 Comm: syz-executor110 Not tainted 4.4.161+ #1
task: ffff8800b702c740 task.stack: ffff8800b68d8000
RIP: 0010:[<ffffffff811f0c55>]  [<ffffffff811f0c55>] cpuacct_charge+0x155/0x380 kernel/sched/cpuacct.c:247
RSP: 0018:ffff8801db607968  EFLAGS: 00010046
RAX: 1ffffffff05d2a0b RBX: 00000000000181a8 RCX: ffffffff831a1e40
RDX: fffffbff72ec5668 RSI: fffffffb9762b340 RDI: ffffffff82e95058
RBP: ffff8801db6079a8 R08: 0000000000000000 R09: 0000000000000000
R10: ffffed0043fffa01 R11: 0000000aee7ac21b R12: ffffffff82e94f80
R13: dffffc0000000000 R14: 0000000004df40b3 R15: ffffffff828912a0
FS:  0000000000000000(0000) GS:ffff8801db600000(0063) knlGS:000000000823a840
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: fffffffb9762b340 CR3: 00000000b8151000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffffffff811f0b60 1ffff1003b6c0f33 ffff8801d127b5c8 ffff8801d1a72fe0
 ffff8801d1a72f80 0000000004df40b3 ffff8801d1a73030 0000000000000000
 ffff8801db6079f0 ffffffff8117c439 0000000000000008 0000000000000000
Call Trace:
 [<ffffffff8117c439>] update_curr+0x2c9/0x6d0 kernel/sched/fair.c:882
 [<ffffffff8119c08a>] enqueue_entity kernel/sched/fair.c:3512 [inline]
 [<ffffffff8119c08a>] enqueue_task_fair+0x12a/0xab90 kernel/sched/fair.c:4695
 [<ffffffff81163a6d>] enqueue_task kernel/sched/core.c:858 [inline]
 [<ffffffff81163a6d>] activate_task+0x1dd/0x280 kernel/sched/core.c:874
 [<ffffffff81164c4f>] ttwu_activate kernel/sched/core.c:1736 [inline]
 [<ffffffff81164c4f>] ttwu_do_activate.constprop.29+0xbf/0x1e0 kernel/sched/core.c:1789
 [<ffffffff811680ed>] ttwu_queue kernel/sched/core.c:1934 [inline]
 [<ffffffff811680ed>] try_to_wake_up+0x6dd/0x1120 kernel/sched/core.c:2068
 [<ffffffff81168cb5>] default_wake_function+0x35/0x50 kernel/sched/core.c:3494
 [<ffffffff811e7371>] autoremove_wake_function+0x11/0x40 kernel/sched/wait.c:293
 [<ffffffff811e51c6>] __wake_up_common+0xb6/0x150 kernel/sched/wait.c:73
 [<ffffffff811e5294>] __wake_up+0x34/0x50 kernel/sched/wait.c:95
 [<ffffffff8121ed50>] wake_up_klogd_work_func+0x80/0x90 kernel/printk/printk.c:2736
 [<ffffffff8136b027>] irq_work_run_list+0xd7/0x140 kernel/irq_work.c:156
 [<ffffffff8136b6a6>] irq_work_tick+0x116/0x170 kernel/irq_work.c:182
 [<ffffffff8125ae39>] update_process_times+0x69/0x70 kernel/time/timer.c:1430
 [<ffffffff81288dca>] tick_sched_handle.isra.6+0x4a/0xf0 kernel/time/tick-sched.c:151
 [<ffffffff81288ee6>] tick_sched_timer+0x76/0x130 kernel/time/tick-sched.c:1097
 [<ffffffff8125ce80>] __run_hrtimer kernel/time/hrtimer.c:1261 [inline]
 [<ffffffff8125ce80>] __hrtimer_run_queues+0x390/0xfc0 kernel/time/hrtimer.c:1325
 [<ffffffff8125fb01>] hrtimer_interrupt+0x1b1/0x430 kernel/time/hrtimer.c:1359
 [<ffffffff8108b6e4>] local_apic_timer_interrupt+0x74/0xa0 arch/x86/kernel/apic/apic.c:901
 [<ffffffff8270817c>] smp_apic_timer_interrupt+0x7c/0xa0 arch/x86/kernel/apic/apic.c:925
 [<ffffffff827074dd>] apic_timer_interrupt+0x9d/0xb0 arch/x86/entry/entry_64.S:741
 <EOI> [   45.352059]  [<ffffffff8121d324>] ? console_cont_flush kernel/printk/printk.c:2217 [inline]
 <EOI> [   45.352059]  [<ffffffff8121d324>] ? console_unlock+0x8c4/0xa10 kernel/printk/printk.c:2265
 [<ffffffff8121d865>] vprintk_emit+0x3f5/0x830 kernel/printk/printk.c:1832
 [<ffffffff8121dcc8>] vprintk+0x28/0x30 kernel/printk/printk.c:1843
 [<ffffffff8121dced>] vprintk_default+0x1d/0x30 kernel/printk/printk.c:1844
 [<ffffffff813acb66>] printk+0xaf/0xd7 kernel/printk/printk.c:1922
 [<ffffffff810c77ad>] kasan_die_handler.cold.3+0x11/0x22 arch/x86/mm/kasan_init_64.c:58
 [<ffffffff81137ba9>] notifier_call_chain+0xb9/0x1e0 kernel/notifier.c:93
 [<ffffffff81137dd7>] __atomic_notifier_call_chain+0x87/0x150 kernel/notifier.c:183
 [<ffffffff81139112>] atomic_notifier_call_chain kernel/notifier.c:193 [inline]
 [<ffffffff81139112>] notify_die+0xe2/0x160 kernel/notifier.c:549
 [<ffffffff8100f23a>] do_general_protection+0x20a/0x2b0 arch/x86/kernel/traps.c:461
 [<ffffffff82706d15>] general_protection+0x25/0x30 arch/x86/entry/entry_64.S:1036
 [<ffffffff810decf6>] do_wait_thread kernel/exit.c:1439 [inline]
 [<ffffffff810decf6>] do_wait+0x366/0xa30 kernel/exit.c:1510
 [<ffffffff810dfc3b>] SYSC_wait4 kernel/exit.c:1641 [inline]
 [<ffffffff810dfc3b>] SyS_wait4+0x12b/0x1f0 kernel/exit.c:1606
 [<ffffffff812b188a>] C_SYSC_wait4 kernel/compat.c:543 [inline]
 [<ffffffff812b188a>] compat_SyS_wait4+0x25a/0x2a0 kernel/compat.c:536
 [<ffffffff810bf265>] sys32_waitpid+0x25/0x30 arch/x86/ia32/sys_ia32.c:172
 [<ffffffff8100629e>] do_syscall_32_irqs_on arch/x86/entry/common.c:396 [inline]
 [<ffffffff8100629e>] do_fast_syscall_32+0x31e/0xa80 arch/x86/entry/common.c:463
 [<ffffffff82707290>] sysenter_flags_fixed+0xd/0x1a
Code: 49 8d bc 24 d8 00 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 c4 01 00 00 49 8b 9c 24 d8 00 00 00 80 3a 00 0f 85 8f 01 00 00 <4a> 03 1c f9 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 be 01 00 
RIP  [<ffffffff811f0c55>] cpuacct_charge+0x155/0x380 kernel/sched/cpuacct.c:247
 RSP <ffff8801db607968>
CR2: fffffffb9762b340
---[ end trace 0758269e1e1a7760 ]---