[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.19' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   29.273042] netlink: 4 bytes leftover after parsing attributes in process `syz-executor143'.
[   29.282332] netlink: 4 bytes leftover after parsing attributes in process `syz-executor143'.
[   29.291193] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   29.348359] netlink: 4 bytes leftover after parsing attributes in process `syz-executor143'.
[   29.357582] netlink: 4 bytes leftover after parsing attributes in process `syz-executor143'.
[   29.366396] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   29.416148] netlink: 4 bytes leftover after parsing attributes in process `syz-executor143'.
[   29.425201] netlink: 4 bytes leftover after parsing attributes in process `syz-executor143'.
[   29.435168] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
[   29.485632] netlink: 4 bytes leftover after parsing attributes in process `syz-executor143'.
[   29.494593] netlink: 4 bytes leftover after parsing attributes in process `syz-executor143'.
[   29.504688] nbd: socks must be embedded in a SOCK_ITEM attr
[   29.545943] netlink: 4 bytes leftover after parsing attributes in process `syz-executor143'.
[   29.555443] netlink: 4 bytes leftover after parsing attributes in process `syz-executor143'.
[   29.565381] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
executing program
[   29.635715] nbd: socks must be embedded in a SOCK_ITEM attr
[   29.670315] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   29.715658] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   29.777658] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   29.825968] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   29.886685] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   29.933145] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
[   29.982982] nbd: socks must be embedded in a SOCK_ITEM attr
[   29.992482] nbd: nbd0 already in use
executing program
executing program
[   30.042852] nbd: nbd0 already in use
[   30.050369] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
[   30.094971] nbd: socks must be embedded in a SOCK_ITEM attr
[   30.105079] nbd: nbd0 already in use
executing program
[   30.155987] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   30.205660] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   30.265371] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
[   30.315090] nbd: socks must be embedded in a SOCK_ITEM attr
[   30.324806] nbd: nbd0 already in use
executing program
executing program
[   30.367596] nbd: socks must be embedded in a SOCK_ITEM attr
[   30.378440] nbd: nbd0 already in use
executing program
[   30.435334] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   30.488721] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   30.544383] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   30.605464] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   30.664989] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
[   30.716219] nbd: socks must be embedded in a SOCK_ITEM attr
[   30.754986] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   30.795481] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   30.845983] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   30.912823] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   30.972166] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   31.025919] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   31.086614] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   31.137237] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   31.184590] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   31.244717] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   31.302148] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[   31.353774] nbd: socks must be embedded in a SOCK_ITEM attr
[   31.365902] nbd: socks must be embedded in a SOCK_ITEM attr
[   31.426415] ==================================================================
[   31.435744] BUG: KASAN: use-after-free in refcount_dec_not_one+0x9a/0xc0
[   31.442727] Read of size 4 at addr ffff8880b4443358 by task syz-executor143/8262
[   31.450250]
[   31.452026] CPU: 0 PID: 8262 Comm: syz-executor143 Not tainted 4.14.244-syzkaller #0
[   31.460080] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.469717] Call Trace:
[   31.472291]  dump_stack+0x1b2/0x281
[   31.476876]  print_address_description.cold+0x54/0x1d3
[   31.482315]  kasan_report_error.cold+0x8a/0x191
[   31.487221]  ? refcount_dec_not_one+0x9a/0xc0
[   31.491718]  __asan_report_load4_noabort+0x68/0x70
[   31.496661]  ? refcount_dec_not_one+0x9a/0xc0
[   31.501148]  refcount_dec_not_one+0x9a/0xc0
[   31.505726]  refcount_dec_and_mutex_lock+0x1a/0x60
[   31.510906]  nbd_genl_connect+0xf94/0x1400
[   31.515166]  ? nbd_xmit_timeout+0x500/0x500
[   31.519491]  ? validate_nla+0x192/0x5e0
[   31.523666]  genl_family_rcv_msg+0x572/0xb20
[   31.528320]  ? genl_rcv+0x40/0x40
[   31.531773]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[   31.537823]  ? trace_hardirqs_on+0x10/0x10
[   31.542302]  ? sock_sendmsg+0xb5/0x100
[   31.546576]  genl_rcv_msg+0xaf/0x140
[   31.550375]  netlink_rcv_skb+0x125/0x390
[   31.554444]  ? genl_family_rcv_msg+0xb20/0xb20
[   31.559225]  ? netlink_ack+0x9a0/0x9a0
[   31.563255]  ? lock_acquire+0x170/0x3f0
[   31.567310]  genl_rcv+0x24/0x40
[   31.570570]  netlink_unicast+0x437/0x610
[   31.574711]  ? netlink_sendskb+0xd0/0xd0
[   31.578760]  ? __check_object_size+0x179/0x230
[   31.583963]  netlink_sendmsg+0x62e/0xb80
[   31.588571]  ? nlmsg_notify+0x170/0x170
[   31.592536]  ? kernel_recvmsg+0x210/0x210
[   31.596769]  ? security_socket_sendmsg+0x83/0xb0
[   31.601847]  ? nlmsg_notify+0x170/0x170
[   31.606058]  sock_sendmsg+0xb5/0x100
[   31.609763]  ___sys_sendmsg+0x6c8/0x800
[   31.613814]  ? copy_msghdr_from_user+0x3b0/0x3b0
[   31.618642]  ? netlink_dump+0xad0/0xad0
[   31.622633]  ? nlmsg_notify+0x170/0x170
[   31.626798]  ? security_socket_recvmsg+0x8b/0xc0
[   31.631736]  ? SyS_recvfrom+0x27f/0x340
[   31.635781]  ? SyS_send+0x40/0x40
[   31.639305]  ? vm_insert_page+0x7c0/0x7c0
[   31.643435]  ? __fdget+0x167/0x1f0
[   31.647008]  ? sockfd_lookup_light+0xb2/0x160
[   31.651491]  __sys_sendmsg+0xa3/0x120
[   31.655283]  ? SyS_shutdown+0x160/0x160
[   31.659242]  ? up_read+0x17/0x30
[   31.662598]  ? __do_page_fault+0x159/0xad0
[   31.666814]  SyS_sendmsg+0x27/0x40
[   31.670332]  ? __sys_sendmsg+0x120/0x120
[   31.675065]  do_syscall_64+0x1d5/0x640
[   31.679132]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   31.684457] RIP: 0033:0x440669
[   31.687792] RSP: 002b:00007ffdc93c3108 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   31.695887] RAX: ffffffffffffffda RBX: 0000000000007aa0 RCX: 0000000000440669
[   31.703432] RDX: 0000000000000000 RSI: 0000000020000b40 RDI: 0000000000000003
[   31.710776] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffdc93c32a8
[   31.718149] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdc93c311c
[   31.725665] R13: 431bde82d7b634db R14: 00000000004ae018 R15: 00000000004004a0
[   31.732923]
[   31.734531] Allocated by task 8257:
[   31.738136]  kasan_kmalloc+0xeb/0x160
[   31.741991]  kmem_cache_alloc_trace+0x131/0x3d0
[   31.746770]  nbd_dev_add+0x7c/0x800
[   31.750390]  nbd_genl_connect+0x36c/0x1400
[   31.754618]  genl_family_rcv_msg+0x572/0xb20
[   31.759044]  genl_rcv_msg+0xaf/0x140
[   31.762852]  netlink_rcv_skb+0x125/0x390
[   31.766914]  genl_rcv+0x24/0x40
[   31.770188]  netlink_unicast+0x437/0x610
[   31.774331]  netlink_sendmsg+0x62e/0xb80
[   31.778592]  sock_sendmsg+0xb5/0x100
[   31.782285]  ___sys_sendmsg+0x6c8/0x800
[   31.786239]  __sys_sendmsg+0xa3/0x120
[   31.790020]  SyS_sendmsg+0x27/0x40
[   31.793552]  do_syscall_64+0x1d5/0x640
[   31.797515]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   31.802694]
[   31.804352] Freed by task 8262:
[   31.807715]  kasan_slab_free+0xc3/0x1a0
[   31.811685]  kfree+0xc9/0x250
[   31.814778]  nbd_put.part.0+0x100/0x140
[   31.818853]  nbd_config_put+0x62a/0x810
[   31.822824]  nbd_genl_connect+0xf6c/0x1400
[   31.827042]  genl_family_rcv_msg+0x572/0xb20
[   31.831443]  genl_rcv_msg+0xaf/0x140
[   31.835153]  netlink_rcv_skb+0x125/0x390
[   31.839219]  genl_rcv+0x24/0x40
[   31.842478]  netlink_unicast+0x437/0x610
[   31.846613]  netlink_sendmsg+0x62e/0xb80
[   31.850651]  sock_sendmsg+0xb5/0x100
[   31.854362]  ___sys_sendmsg+0x6c8/0x800
[   31.858398]  __sys_sendmsg+0xa3/0x120
[   31.862347]  SyS_sendmsg+0x27/0x40
[   31.865955]  do_syscall_64+0x1d5/0x640
[   31.869834]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   31.875139]
[   31.877061] The buggy address belongs to the object at ffff8880b4443280
[   31.877061]  which belongs to the cache kmalloc-512 of size 512
[   31.889990] The buggy address is located 216 bytes inside of
[   31.889990]  512-byte region [ffff8880b4443280, ffff8880b4443480)
[   31.902020] The buggy address belongs to the page:
[   31.906988] page:ffffea0002d110c0 count:1 mapcount:0 mapping:ffff8880b4443000 index:0x0
[   31.915294] flags: 0xfff00000000100(slab)
[   31.919427] raw: 00fff00000000100 ffff8880b4443000 0000000000000000 0000000100000006
[   31.927290] raw: ffffea0002d312a0 ffffea00029258e0 ffff88813fe80940 0000000000000000
[   31.935857] page dumped because: kasan: bad access detected
[   31.941561]
[   31.943168] Memory state around the buggy address:
[   31.948074]  ffff8880b4443200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.955495]  ffff8880b4443280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.962828] >ffff8880b4443300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.970281]                                                     ^
[   31.976511]  ffff8880b4443380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.984380]  ffff8880b4443400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.992096] ==================================================================
[   31.999615] Disabling lock debugging due to kernel taint
[   32.005765] Kernel panic - not syncing: panic_on_warn set ...
[   32.005765]
[   32.013178] CPU: 0 PID: 8262 Comm: syz-executor143 Tainted: G    B           4.14.244-syzkaller #0
[   32.022266] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.031790] Call Trace:
[   32.034462]  dump_stack+0x1b2/0x281
[   32.038140]  panic+0x1f9/0x42d
[   32.041584]  ? add_taint.cold+0x16/0x16
[   32.045690]  ? ___preempt_schedule+0x16/0x18
[   32.050081]  kasan_end_report+0x43/0x49
[   32.054143]  kasan_report_error.cold+0xa7/0x191
[   32.058795]  ? refcount_dec_not_one+0x9a/0xc0
[   32.063393]  __asan_report_load4_noabort+0x68/0x70
[   32.068587]  ? refcount_dec_not_one+0x9a/0xc0
[   32.073159]  refcount_dec_not_one+0x9a/0xc0
[   32.077466]  refcount_dec_and_mutex_lock+0x1a/0x60
[   32.082395]  nbd_genl_connect+0xf94/0x1400
[   32.086627]  ? nbd_xmit_timeout+0x500/0x500
[   32.091250]  ? validate_nla+0x192/0x5e0
[   32.095412]  genl_family_rcv_msg+0x572/0xb20
[   32.099799]  ? genl_rcv+0x40/0x40
[   32.103235]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[   32.108696]  ? trace_hardirqs_on+0x10/0x10
[   32.113139]  ? sock_sendmsg+0xb5/0x100
[   32.117007]  genl_rcv_msg+0xaf/0x140
[   32.120703]  netlink_rcv_skb+0x125/0x390
[   32.127924]  ? genl_family_rcv_msg+0xb20/0xb20
[   32.132741]  ? netlink_ack+0x9a0/0x9a0
[   32.136744]  ? lock_acquire+0x170/0x3f0
[   32.140711]  genl_rcv+0x24/0x40
[   32.144244]  netlink_unicast+0x437/0x610
[   32.148380]  ? netlink_sendskb+0xd0/0xd0
[   32.152431]  ? __check_object_size+0x179/0x230
[   32.157680]  netlink_sendmsg+0x62e/0xb80
[   32.161734]  ? nlmsg_notify+0x170/0x170
[   32.165780]  ? kernel_recvmsg+0x210/0x210
[   32.169919]  ? security_socket_sendmsg+0x83/0xb0
[   32.174668]  ? nlmsg_notify+0x170/0x170
[   32.178641]  sock_sendmsg+0xb5/0x100
[   32.182327]  ___sys_sendmsg+0x6c8/0x800
[   32.186331]  ? copy_msghdr_from_user+0x3b0/0x3b0
[   32.191078]  ? netlink_dump+0xad0/0xad0
[   32.195033]  ? nlmsg_notify+0x170/0x170
[   32.198987]  ? security_socket_recvmsg+0x8b/0xc0
[   32.203731]  ? SyS_recvfrom+0x27f/0x340
[   32.207694]  ? SyS_send+0x40/0x40
[   32.211124]  ? vm_insert_page+0x7c0/0x7c0
[   32.215247]  ? __fdget+0x167/0x1f0
[   32.218774]  ? sockfd_lookup_light+0xb2/0x160
[   32.223268]  __sys_sendmsg+0xa3/0x120
[   32.227060]  ? SyS_shutdown+0x160/0x160
[   32.231030]  ? up_read+0x17/0x30
[   32.234382]  ? __do_page_fault+0x159/0xad0
[   32.238837]  SyS_sendmsg+0x27/0x40
[   32.242704]  ? __sys_sendmsg+0x120/0x120
[   32.246745]  do_syscall_64+0x1d5/0x640
[   32.250869]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   32.256121] RIP: 0033:0x440669
[   32.259286] RSP: 002b:00007ffdc93c3108 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   32.267154] RAX: ffffffffffffffda RBX: 0000000000007aa0 RCX: 0000000000440669
[   32.274831] RDX: 0000000000000000 RSI: 0000000020000b40 RDI: 0000000000000003
[   32.282252] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffdc93c32a8
[   32.289499] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdc93c311c
[   32.296832] R13: 431bde82d7b634db R14: 00000000004ae018 R15: 00000000004004a0
[   32.305594] Kernel Offset: disabled
[   32.309204] Rebooting in 86400 seconds..
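The report above is a KASAN use-after-free on a 4.14.244-syzkaller kernel: the nbd device object was allocated by task 8257 in nbd_genl_connect via nbd_dev_add, freed by task 8262 in nbd_genl_connect via nbd_config_put and nbd_put, and then read 216 bytes into the freed 512-byte kmalloc object by that same task 8262 when refcount_dec_and_mutex_lock touched it again from nbd_genl_connect. The preceding netlink warnings ("4 bytes leftover after parsing attributes") and nbd rejections ("socks must be embedded in a SOCK_ITEM attr", "nbd0 already in use") are the fuzzer hammering the nbd genetlink connect path with malformed and repeated requests before the race landed; panic_on_warn turned the report into a panic, and "Kernel Offset: disabled" means KASLR was off in this test kernel, so the addresses are stable across runs. The script below is an added example, not part of the syzkaller log, of syzkaller, or of the kernel tree: it parses an abridged excerpt of this report (embedded inline so it runs offline), derives a syzbot-style title by skipping the detector and refcount helper frames, decodes the shadow poison byte covering the faulting address, and reports the allocation and free sites and whether the freeing task is the faulting task. The poison encodings (fb = freed kmalloc object, fc = kmalloc redzone, 00 = addressable) are the generic KASAN values from mm/kasan/kasan.h in the 4.14 tree; the frame-prefix lists used to skip plumbing are this example's own heuristics.

```python
"""Triage a KASAN use-after-free report from a syzkaller console log.

Added example, not part of the log above or of syzkaller/the kernel.  Shadow
byte encodings follow generic KASAN in the 4.14 tree (mm/kasan/kasan.h).
"""
import re

# Abridged from the report above; stacks cut to the frames that matter.
SAMPLE_REPORT = """\
[   31.435744] BUG: KASAN: use-after-free in refcount_dec_not_one+0x9a/0xc0
[   31.442727] Read of size 4 at addr ffff8880b4443358 by task syz-executor143/8262
[   31.469717] Call Trace:
[   31.472291]  dump_stack+0x1b2/0x281
[   31.487221]  ? refcount_dec_not_one+0x9a/0xc0
[   31.491718]  __asan_report_load4_noabort+0x68/0x70
[   31.501148]  refcount_dec_not_one+0x9a/0xc0
[   31.505726]  refcount_dec_and_mutex_lock+0x1a/0x60
[   31.510906]  nbd_genl_connect+0xf94/0x1400
[   31.523666]  genl_family_rcv_msg+0x572/0xb20
[   31.734531] Allocated by task 8257:
[   31.738136]  kasan_kmalloc+0xeb/0x160
[   31.746770]  nbd_dev_add+0x7c/0x800
[   31.804352] Freed by task 8262:
[   31.811685]  kfree+0xc9/0x250
[   31.814778]  nbd_put.part.0+0x100/0x140
[   31.818853]  nbd_config_put+0x62a/0x810
[   31.877061] The buggy address belongs to the object at ffff8880b4443280
[   31.877061]  which belongs to the cache kmalloc-512 of size 512
[   31.943168] Memory state around the buggy address:
[   31.948074]  ffff8880b4443200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.962828] >ffff8880b4443300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
_FRAME = re.compile(r"^\s*(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
_SHADOW = re.compile(r"^\s*>?([0-9a-f]{16}):\s+((?:[0-9a-f]{2}\s*)+)$")
POISON = {0xfb: "kmalloc freed", 0xfc: "kmalloc redzone", 0x00: "addressable"}
# Heuristic prefix lists (this example's own): detector, refcount-helper and
# allocator frames are never the frame to blame.
_PLUMBING = ("dump_stack", "print_address", "kasan_", "__asan_", "refcount_")
_ALLOCATOR = ("kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kfree")


def parse_kasan_report(text: str) -> dict:
    """Pull the triage-relevant fields out of one KASAN report."""
    r = {"call_trace": [], "alloc_trace": [], "free_trace": [], "shadow": {}}
    frames = None                      # stack list currently being filled
    for raw in text.splitlines():
        line = _TS.sub("", raw).rstrip()
        if m := re.match(r"BUG: KASAN: (\S+) in ", line):
            r["bug"] = m[1]
        elif m := re.match(r"(Read|Write) of size \d+ at addr ([0-9a-f]+) by task \S+/(\d+)", line):
            r["access"], r["addr"], r["pid"] = m[1], int(m[2], 16), int(m[3])
        elif line == "Call Trace:":
            frames = r["call_trace"]
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            kind = "alloc" if m[1] == "Allocated" else "free"
            frames, r[kind + "_pid"] = r[kind + "_trace"], int(m[2])
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["obj_start"] = int(m[1], 16)
        elif m := re.match(r"\s*which belongs to the cache \S+ of size (\d+)", line):
            r["obj_size"] = int(m[1])
        elif m := _SHADOW.match(line):
            r["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif frames is not None and (m := _FRAME.match(line)):
            frames.append((m[2], m[1] is not None))   # (function, '?' frame)
    return r


def title(r: dict) -> str:
    """syzbot-style title: first certain frame outside the KASAN/refcount plumbing."""
    blame = next((f for f, unsure in r["call_trace"]
                  if not unsure and not f.startswith(_PLUMBING)), "unknown")
    return f"KASAN: {r['bug']} {r['access']} in {blame}"


def poison_at(r: dict, addr: int) -> str:
    """Decode the shadow byte covering addr; one shadow byte per 8-byte granule."""
    for base, row in r["shadow"].items():
        if base <= addr < base + 8 * len(row):
            return POISON.get(row[(addr - base) // 8], "other poison")
    return "not in dump"


def triage(r: dict) -> dict:
    """The facts worth having before opening drivers/block/nbd.c."""
    def site(trace):                   # first frame below the allocator
        return next((f for f, _ in trace if not f.startswith(_ALLOCATOR)), "")
    offset = r["addr"] - r["obj_start"]
    return {
        "title": title(r),
        "offset_in_object": offset,
        "inside_object": 0 <= offset < r["obj_size"],
        "shadow": poison_at(r, r["addr"]),
        "alloc_site": site(r["alloc_trace"]),
        "free_site": site(r["free_trace"]),
        "freed_by_faulting_task": r["free_pid"] == r["pid"],
    }


if __name__ == "__main__":
    for key, val in triage(parse_kasan_report(SAMPLE_REPORT)).items():
        print(f"{key:>24}: {val}")
```

Run as-is it reports the title "KASAN: use-after-free Read in nbd_genl_connect", an offset of 216 bytes inside the 512-byte object (matching the report's own "216 bytes inside of 512-byte region"), shadow state "kmalloc freed" at the faulting address, nbd_dev_add as the allocation site, nbd_put.part.0 as the free site, and confirms that the task which freed the object is the one that faulted on it. Frames marked with "?" are stale stack slots the unwinder is unsure about, which is why the first refcount_dec_not_one entry is skipped when picking the blame frame; feed the script a full report rather than the excerpt and the same logic applies.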