================================================================== BUG: KASAN: use-after-free in disk_unblock_events+0x4b/0x50 block/genhd.c:1647 Read of size 8 at addr ffff888056aac688 by task syz-executor.0/1958 CPU: 0 PID: 1958 Comm: syz-executor.0 Not tainted 4.14.222-syzkaller #0 netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x281 lib/dump_stack.c:58 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351 netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. kasan_report mm/kasan/report.c:409 [inline] __asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430 disk_unblock_events+0x4b/0x50 block/genhd.c:1647 __blkdev_get+0x83b/0x1090 fs/block_dev.c:1556 blkdev_get+0x88/0x890 fs/block_dev.c:1611 blkdev_open+0x1cc/0x250 fs/block_dev.c:1772 do_dentry_open+0x44b/0xec0 fs/open.c:777 vfs_open+0x105/0x220 fs/open.c:888 do_last fs/namei.c:3428 [inline] path_openat+0x628/0x2970 fs/namei.c:3569 do_filp_open+0x179/0x3c0 fs/namei.c:3603 do_sys_open+0x296/0x410 fs/open.c:1081 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x4194e4 RSP: 002b:00007f8be14a9ed0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00000000004afb60 RCX: 00000000004194e4 RDX: 0000000000000002 RSI: 00007f8be14aa000 RDI: 00000000ffffff9c RBP: 00007f8be14aa000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000002 R13: 0000000000000005 R14: 0000000020000948 R15: 0000000000000003 Allocated by task 21023: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551 kmem_cache_alloc_node_trace+0x153/0x400 mm/slab.c:3661 kmalloc_node include/linux/slab.h:526 [inline] kzalloc_node include/linux/slab.h:672 [inline] alloc_disk_node+0x5d/0x3d0 block/genhd.c:1390 loop_add+0x3cb/0x830 drivers/block/loop.c:1869 loop_control_ioctl+0x11a/0x3f0 drivers/block/loop.c:2001 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb Freed by task 1958: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3496 [inline] kfree+0xc9/0x250 mm/slab.c:3815 device_release+0xf0/0x1a0 drivers/base/core.c:846 kobject_cleanup lib/kobject.c:646 [inline] kobject_release lib/kobject.c:675 [inline] kref_put include/linux/kref.h:70 [inline] kobject_put+0x251/0x550 lib/kobject.c:692 put_disk+0x1f/0x30 block/genhd.c:1455 __blkdev_get+0x7a6/0x1090 fs/block_dev.c:1549 blkdev_get+0x88/0x890 fs/block_dev.c:1611 blkdev_open+0x1cc/0x250 fs/block_dev.c:1772 do_dentry_open+0x44b/0xec0 fs/open.c:777 vfs_open+0x105/0x220 fs/open.c:888 do_last fs/namei.c:3428 [inline] path_openat+0x628/0x2970 fs/namei.c:3569 do_filp_open+0x179/0x3c0 fs/namei.c:3603 do_sys_open+0x296/0x410 fs/open.c:1081 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb The buggy address belongs to the object at ffff888056aac100 which belongs to the cache kmalloc-2048 of size 2048 The buggy address is located 1416 bytes inside of 2048-byte region [ffff888056aac100, ffff888056aac900) The buggy address belongs to the page: page:ffffea00015aab00 count:1 mapcount:0 mapping:ffff888056aac100 index:0x0 compound_mapcount: 0 flags: 0xfff00000008100(slab|head) raw: 00fff00000008100 ffff888056aac100 0000000000000000 0000000100000003 raw: ffffea00017494a0 ffffea0002750620 ffff88813fe80c40 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888056aac580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888056aac600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888056aac680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888056aac700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888056aac780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== audit: type=1804 audit(1614267030.545:10364): pid=1983 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir519183578/syzkaller.O07vR2/790/bus" dev="sda1" ino=16117 res=1