==================================================================
BUG: KASAN: use-after-free in disk_unblock_events+0x55/0x60 block/genhd.c:1543
Read of size 8 at addr ffff8800b2b9eb68 by task blkid/4693

CPU: 1 PID: 4693 Comm: blkid Not tainted 4.4.174+ #17
 0000000000000000 6c684c160ca9a063 ffff8801d8fc7730 ffffffff81aad1a1
 0000000000000000 ffffea0002cae600 ffff8800b2b9eb68 0000000000000008
 0000000000000000 ffff8801d8fc7768 ffffffff81490120 0000000000000000
Call Trace:
 [<ffffffff81aad1a1>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81aad1a1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<ffffffff81490120>] print_address_description+0x6f/0x21b mm/kasan/report.c:252
 [<ffffffff81490358>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff81490358>] kasan_report mm/kasan/report.c:408 [inline]
 [<ffffffff81490358>] kasan_report.cold+0x8c/0x2be mm/kasan/report.c:393
 [<ffffffff81484ed4>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [<ffffffff81a82965>] disk_unblock_events+0x55/0x60 block/genhd.c:1543
 [<ffffffff8154efcc>] __blkdev_get+0x70c/0xdf0 fs/block_dev.c:1297
 [<ffffffff81551938>] blkdev_get+0x2e8/0x920 fs/block_dev.c:1353
 [<ffffffff8155219a>] blkdev_open+0x1aa/0x250 fs/block_dev.c:1508
 [<ffffffff8149154f>] do_dentry_open+0x38f/0xbd0 fs/open.c:749
 [<ffffffff81494d3b>] vfs_open+0x10b/0x210 fs/open.c:862
 [<ffffffff814c5ddf>] do_last fs/namei.c:3269 [inline]
 [<ffffffff814c5ddf>] path_openat+0x136f/0x4470 fs/namei.c:3406
 [<ffffffff814ccab1>] do_filp_open+0x1a1/0x270 fs/namei.c:3440
 [<ffffffff81495668>] do_sys_open+0x2f8/0x600 fs/open.c:1038
 [<ffffffff8149599d>] SYSC_open fs/open.c:1056 [inline]
 [<ffffffff8149599d>] SyS_open+0x2d/0x40 fs/open.c:1051
 [<ffffffff82718ba1>] entry_SYSCALL_64_fastpath+0x1e/0x9a

Allocated by task 4683:
 [<ffffffff8102e3c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff81483f22>] save_stack mm/kasan/kasan.c:512 [inline]
 [<ffffffff81483f22>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff81483f22>] kasan_kmalloc.part.0+0x62/0xf0 mm/kasan/kasan.c:616
 [<ffffffff81484197>] kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:601
 [<ffffffff814801a3>] kmem_cache_alloc_trace+0x123/0x2d0 mm/slub.c:2642
 [<ffffffff81a81b50>] kmem_cache_alloc_node_trace include/linux/slab.h:367 [inline]
 [<ffffffff81a81b50>] kmalloc_node include/linux/slab.h:514 [inline]
 [<ffffffff81a81b50>] kzalloc_node include/linux/slab.h:631 [inline]
 [<ffffffff81a81b50>] alloc_disk_node+0x50/0x3c0 block/genhd.c:1282
 [<ffffffff81a81edb>] alloc_disk+0x1b/0x20 block/genhd.c:1274
 [<ffffffff81d436d0>] loop_add+0x380/0x830 drivers/block/loop.c:1857
 [<ffffffff81d440a8>] loop_control_ioctl+0x138/0x2f0 drivers/block/loop.c:1988
 [<ffffffff8159b2c3>] C_SYSC_ioctl fs/compat_ioctl.c:1592 [inline]
 [<ffffffff8159b2c3>] compat_SyS_ioctl+0x403/0x2210 fs/compat_ioctl.c:1544
 [<ffffffff8100603d>] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
 [<ffffffff8100603d>] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397
 [<ffffffff8271a350>] sysenter_flags_fixed+0xd/0x1a

Freed by task 4693:
 [<ffffffff8102e3c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff81484820>] save_stack mm/kasan/kasan.c:512 [inline]
 [<ffffffff81484820>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff81484820>] kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:589
 [<ffffffff81481c44>] slab_free_hook mm/slub.c:1383 [inline]
 [<ffffffff81481c44>] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [<ffffffff81481c44>] slab_free mm/slub.c:2859 [inline]
 [<ffffffff81481c44>] kfree+0xf4/0x310 mm/slub.c:3749
 [<ffffffff81a80375>] disk_release+0x255/0x330 block/genhd.c:1118
 [<ffffffff81cf785d>] device_release+0x7d/0x220 drivers/base/core.c:247
 [<ffffffff81ab309c>] kobject_cleanup lib/kobject.c:643 [inline]
 [<ffffffff81ab309c>] kobject_release lib/kobject.c:672 [inline]
 [<ffffffff81ab309c>] kref_sub include/linux/kref.h:73 [inline]
 [<ffffffff81ab309c>] kref_put include/linux/kref.h:98 [inline]
 [<ffffffff81ab309c>] kobject_put+0x14c/0x260 lib/kobject.c:689
 [<ffffffff81a7e013>] put_disk+0x23/0x30 block/genhd.c:1346
 [<ffffffff8154ef2c>] __blkdev_get+0x66c/0xdf0 fs/block_dev.c:1290
 [<ffffffff81551938>] blkdev_get+0x2e8/0x920 fs/block_dev.c:1353
Dead loop on virtual device ip6tnl0, fix it urgently!
Dead loop on virtual device ip6tnl0, fix it urgently!
Dead loop on virtual device ip6tnl0, fix it urgently!
Dead loop on virtual device ip6tnl0, fix it urgently!
Dead loop on virtual device ip6tnl0, fix it urgently!
Dead loop on virtual device ip6tnl0, fix it urgently!
 [<ffffffff8155219a>] blkdev_open+0x1aa/0x250 fs/block_dev.c:1508
 [<ffffffff8149154f>] do_dentry_open+0x38f/0xbd0 fs/open.c:749
 [<ffffffff81494d3b>] vfs_open+0x10b/0x210 fs/open.c:862
 [<ffffffff814c5ddf>] do_last fs/namei.c:3269 [inline]
 [<ffffffff814c5ddf>] path_openat+0x136f/0x4470 fs/namei.c:3406
 [<ffffffff814ccab1>] do_filp_open+0x1a1/0x270 fs/namei.c:3440
 [<ffffffff81495668>] do_sys_open+0x2f8/0x600 fs/open.c:1038
 [<ffffffff8149599d>] SYSC_open fs/open.c:1056 [inline]
 [<ffffffff8149599d>] SyS_open+0x2d/0x40 fs/open.c:1051
 [<ffffffff82718ba1>] entry_SYSCALL_64_fastpath+0x1e/0x9a

The buggy address belongs to the object at ffff8800b2b9e600
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1384 bytes inside of
 2048-byte region [ffff8800b2b9e600, ffff8800b2b9ee00)
The buggy address belongs to the page:
BUG: sleeping function called from invalid context at arch/x86/mm/fault.c:1196
BUG: spinlock bad magic on CPU#0, syz-executor.1/2145
 lock: 0xffff8801d8b99620, .magic: ffffea00, .owner: ����
���P�B�����/-1296439808, .owner_cpu: -2104943648
CPU: 0 PID: -2126336944 Comm:  Not tainted 4.4.174+ #17
 0000000000000000 437f401f648c4597 ffff8800a7787a80 ffffffff81aad1a1
 ffff8801d8b99d90 ffff8801d8b99620 00000000b2b9e600 0000000082891be0
 ffff8800a7787ca8 ffff8800a7787ab8 ffffffff813ae1ce 0000000000000046
Call Trace:
 <UNK> 
double fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: -2126336944 Comm:  Not tainted 4.4.174+ #17
task: ffff8801ce9317c0 task.stack: ffffffff82891be0
RIP: 0010:[<ffffffff8142abda>]  [<ffffffff8142abda>] constant_test_bit arch/x86/include/asm/bitops.h:311 [inline]
RIP: 0010:[<ffffffff8142abda>]  [<ffffffff8142abda>] PageSlab include/linux/page-flags.h:217 [inline]
RIP: 0010:[<ffffffff8142abda>]  [<ffffffff8142abda>] page_mapcount include/linux/mm.h:464 [inline]
RIP: 0010:[<ffffffff8142abda>]  [<ffffffff8142abda>] dump_page_badflags+0x1a/0x70 mm/debug.c:85
RSP: 0018:ffff880100000000  EFLAGS: 00010086
RAX: ffff8801ce9317c0 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff82891be0 RDI: ffffea0002cae600
RBP: ffff880100000030 R08: 0000000000000026 R09: 0000000000000000
R10: 0000000000000001 R11: ffffffff83fdf174 R12: ffffea0002cae600
R13: ffffffff82891be0 R14: ffff8800b2b9ee00 R15: ffff8800b2b9e600
FS:  00007fecad8d3740(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8800fffffff8 CR3: 00000000b8a95000 CR4: 00000000001606b0
Stack:

Call Trace:
 <UNK> 
Code: [  147.625926] ------------[ cut here ]------------
WARNING: CPU: 1 PID: -2126336944 at include/linux/uaccess.h:18 pagefault_disabled_dec include/linux/uaccess.h:18 [inline]()
WARNING: CPU: 1 PID: -2126336944 at include/linux/uaccess.h:18 pagefault_enable include/linux/uaccess.h:45 [inline]()
WARNING: CPU: 1 PID: -2126336944 at include/linux/uaccess.h:18 __probe_kernel_read+0x1ee/0x230 mm/maccess.c:35()