netlink: 8 bytes leftover after parsing attributes in process `syz-executor.0'. IPVS: ftp: loaded support on port[0] = 21 ================================================================== BUG: KASAN: use-after-free in disk_unblock_events+0x4b/0x50 block/genhd.c:1644 Read of size 8 at addr ffff8880a542c808 by task syz-executor.0/6380 CPU: 0 PID: 6380 Comm: syz-executor.0 Not tainted 4.14.196-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x283 lib/dump_stack.c:58 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252 kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351 kasan_report mm/kasan/report.c:409 [inline] __asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430 disk_unblock_events+0x4b/0x50 block/genhd.c:1644 __blkdev_get+0x83b/0x1090 fs/block_dev.c:1556 blkdev_get+0x88/0x890 fs/block_dev.c:1611 blkdev_open+0x1cc/0x250 fs/block_dev.c:1772 do_dentry_open+0x44b/0xec0 fs/open.c:777 vfs_open+0x105/0x220 fs/open.c:888 do_last fs/namei.c:3428 [inline] path_openat+0x628/0x2970 fs/namei.c:3569 do_filp_open+0x179/0x3c0 fs/namei.c:3603 do_sys_open+0x296/0x410 fs/open.c:1081 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x417101 RSP: 002b:00007ffe2d26f4e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000002 RAX: ffffffffffffffda RBX: 000000000002aae4 RCX: 0000000000417101 RDX: 00007ffe2d26f57a RSI: 0000000000000002 RDI: 00007ffe2d26f570 RBP: 0000000000000058 R08: 0000000000000000 R09: 000000000000000a R10: 0000000000000075 R11: 0000000000000293 R12: 0000000000000000 R13: 00007ffe2d26f520 R14: 000000000002aa5e R15: 00007ffe2d26f530 Allocated by task 7960: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551 kmem_cache_alloc_node_trace+0x153/0x400 mm/slab.c:3661 kmalloc_node include/linux/slab.h:526 [inline] kzalloc_node include/linux/slab.h:672 [inline] alloc_disk_node+0x5d/0x3d0 block/genhd.c:1387 loop_add+0x3cb/0x830 drivers/block/loop.c:1869 loop_control_ioctl+0x11a/0x3f0 drivers/block/loop.c:2001 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb Freed by task 6380: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3496 [inline] kfree+0xc9/0x250 mm/slab.c:3815 device_release+0xf0/0x1a0 drivers/base/core.c:831 kobject_cleanup lib/kobject.c:646 [inline] kobject_release lib/kobject.c:675 [inline] kref_put include/linux/kref.h:70 [inline] kobject_put+0x1f3/0x2d0 lib/kobject.c:692 put_disk+0x1f/0x30 block/genhd.c:1452 __blkdev_get+0x7a6/0x1090 fs/block_dev.c:1549 blkdev_get+0x88/0x890 fs/block_dev.c:1611 blkdev_open+0x1cc/0x250 fs/block_dev.c:1772 do_dentry_open+0x44b/0xec0 fs/open.c:777 vfs_open+0x105/0x220 fs/open.c:888 do_last fs/namei.c:3428 [inline] path_openat+0x628/0x2970 fs/namei.c:3569 do_filp_open+0x179/0x3c0 fs/namei.c:3603 do_sys_open+0x296/0x410 fs/open.c:1081 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb The buggy address belongs to the object at ffff8880a542c280 which belongs to the cache kmalloc-2048 of size 2048 The buggy address is located 1416 bytes inside of 2048-byte region [ffff8880a542c280, ffff8880a542ca80) The buggy address belongs to the page: page:ffffea0002950b00 count:1 mapcount:0 mapping:ffff8880a542c280 index:0xffff8880a542d380 compound_mapcount: 0 flags: 0xfffe0000008100(slab|head) raw: 00fffe0000008100 ffff8880a542c280 ffff8880a542d380 0000000100000002 raw: ffffea0002463e20 ffffea00014b00a0 ffff88812fe52c40 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a542c700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a542c780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880a542c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880a542c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a542c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ptrace attach of "/root/syz-executor.4"[8991] was attempted by "/root/syz-executor.4"[8993]