netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'. ================================================================== BUG: KASAN: use-after-free in disk_unblock_events+0x4b/0x50 block/genhd.c:1644 Read of size 8 at addr ffff88804bf09008 by task systemd-udevd/3641 CPU: 0 PID: 3641 Comm: systemd-udevd Not tainted 4.14.182-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x283 lib/dump_stack.c:58 print_address_description.cold+0x54/0x1dc mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report mm/kasan/report.c:409 [inline] kasan_report.cold+0xa9/0x2b9 mm/kasan/report.c:393 disk_unblock_events+0x4b/0x50 block/genhd.c:1644 __blkdev_get+0x79c/0x10c0 fs/block_dev.c:1556 blkdev_get+0x84/0x8a0 fs/block_dev.c:1612 blkdev_open+0x1cc/0x250 fs/block_dev.c:1770 do_dentry_open+0x44b/0xec0 fs/open.c:777 vfs_open+0x105/0x220 fs/open.c:888 do_last fs/namei.c:3428 [inline] path_openat+0xb68/0x2aa0 fs/namei.c:3569 do_filp_open+0x18e/0x250 fs/namei.c:3603 do_sys_open+0x292/0x3e0 fs/open.c:1081 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x7ff5f13c8840 RSP: 002b:00007ffc01737e78 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 RAX: ffffffffffffffda RBX: 00007ffc01737f10 RCX: 00007ff5f13c8840 RDX: 0000557c5fa00fe3 RSI: 00000000000a0800 RDI: 0000557c6111bac0 RBP: 00007ffc01738400 R08: 0000557c5fa00670 R09: 0000000000000010 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc01738020 R13: 0000557c6106ba60 R14: 0000557c61137dc0 R15: 00007ffc01737ef0 Allocated by task 30672: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc.part.0+0x4f/0xd0 mm/kasan/kasan.c:551 kmem_cache_alloc_node_trace+0x153/0x400 mm/slab.c:3661 kmalloc_node include/linux/slab.h:526 [inline] kzalloc_node include/linux/slab.h:672 [inline] alloc_disk_node+0x5d/0x3d0 block/genhd.c:1387 loop_add+0x3cb/0x830 drivers/block/loop.c:1869 loop_control_ioctl+0x108/0x2d0 drivers/block/loop.c:2001 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x75a/0xfe0 fs/ioctl.c:684 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb Freed by task 3641: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0xaf/0x190 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3496 [inline] kfree+0xcb/0x260 mm/slab.c:3815 device_release+0xf0/0x1a0 drivers/base/core.c:831 kobject_cleanup lib/kobject.c:646 [inline] kobject_release lib/kobject.c:675 [inline] kref_put include/linux/kref.h:70 [inline] kobject_put+0x13e/0x1f0 lib/kobject.c:692 put_disk+0x1f/0x30 block/genhd.c:1452 __blkdev_get+0x707/0x10c0 fs/block_dev.c:1549 blkdev_get+0x84/0x8a0 fs/block_dev.c:1612 blkdev_open+0x1cc/0x250 fs/block_dev.c:1770 do_dentry_open+0x44b/0xec0 fs/open.c:777 vfs_open+0x105/0x220 fs/open.c:888 do_last fs/namei.c:3428 [inline] path_openat+0xb68/0x2aa0 fs/namei.c:3569 do_filp_open+0x18e/0x250 fs/namei.c:3603 do_sys_open+0x292/0x3e0 fs/open.c:1081 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb The buggy address belongs to the object at ffff88804bf08a80 which belongs to the cache kmalloc-2048 of size 2048 The buggy address is located 1416 bytes inside of 2048-byte region [ffff88804bf08a80, ffff88804bf09280) The buggy address belongs to the page: page:ffffea00012fc200 count:1 mapcount:0 mapping:ffff88804bf08200 index:0x0 compound_mapcount: 0 flags: 0xfffe0000008100(slab|head) raw: 00fffe0000008100 ffff88804bf08200 0000000000000000 0000000100000003 raw: ffffea000285ae20 ffffea0001475720 ffff8880aa800c40 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88804bf08f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88804bf08f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88804bf09000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88804bf09080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88804bf09100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.