Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.10.49' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 65.424479][ T8439] netlink: 4 bytes leftover after parsing attributes in process `syz-executor225'.
[ 65.433923][ T8439] netlink: 4 bytes leftover after parsing attributes in process `syz-executor225'.
executing program
[ 65.527137][ T8445] netlink: 4 bytes leftover after parsing attributes in process `syz-executor225'.
[ 65.536932][ T8445] netlink: 4 bytes leftover after parsing attributes in process `syz-executor225'.
executing program
executing program
[ 65.622582][ T8453] netlink: 4 bytes leftover after parsing attributes in process `syz-executor225'.
[ 65.632111][ T8453] netlink: 4 bytes leftover after parsing attributes in process `syz-executor225'.
[ 65.663573][ T8456] netlink: 4 bytes leftover after parsing attributes in process `syz-executor225'.
[ 65.673232][ T8456] netlink: 4 bytes leftover after parsing attributes in process `syz-executor225'.
executing program
[ 65.762136][ T8462] netlink: 4 bytes leftover after parsing attributes in process `syz-executor225'.
[ 65.771671][ T8462] netlink: 4 bytes leftover after parsing attributes in process `syz-executor225'.
executing program
executing program
executing program
executing program
[ 66.102992][ T8476] ==================================================================
[ 66.111220][ T8476] BUG: KASAN: use-after-free in refcount_dec_not_one+0x71/0x1e0
[ 66.118861][ T8476] Read of size 4 at addr ffff88801a75a1a0 by task syz-executor225/8476
[ 66.127099][ T8476]
[ 66.129410][ T8476] CPU: 0 PID: 8476 Comm: syz-executor225 Not tainted 5.11.0-rc7-syzkaller #0
[ 66.138155][ T8476] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 66.148197][ T8476] Call Trace:
[ 66.151462][ T8476]  dump_stack+0x107/0x163
[ 66.155790][ T8476]  ? refcount_dec_not_one+0x71/0x1e0
[ 66.161062][ T8476]  ? refcount_dec_not_one+0x71/0x1e0
[ 66.166332][ T8476]  print_address_description.constprop.0.cold+0x5b/0x2f8
[ 66.173349][ T8476]  ? refcount_dec_not_one+0x71/0x1e0
[ 66.178663][ T8476]  ? refcount_dec_not_one+0x71/0x1e0
[ 66.183934][ T8476]  kasan_report.cold+0x79/0xd5
[ 66.188734][ T8476]  ? refcount_dec_not_one+0x71/0x1e0
[ 66.194224][ T8476]  check_memory_region+0x13d/0x180
[ 66.199327][ T8476]  refcount_dec_not_one+0x71/0x1e0
[ 66.204426][ T8476]  ? refcount_warn_saturate+0x1e0/0x1e0
[ 66.209975][ T8476]  ? nbd_config_put+0x5d0/0x8c0
[ 66.214818][ T8476]  refcount_dec_and_mutex_lock+0x19/0x140
[ 66.220528][ T8476]  nbd_genl_connect+0xee7/0x1560
[ 66.225458][ T8476]  ? nbd_start_device+0xd40/0xd40
[ 66.230487][ T8476]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 66.236717][ T8476]  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x1b7/0x290
[ 66.244075][ T8476]  ? genl_family_rcv_msg_attrs_parse.constprop.0+0xaf/0x290
[ 66.251350][ T8476]  genl_family_rcv_msg_doit+0x228/0x320
[ 66.256886][ T8476]  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x290/0x290
[ 66.264251][ T8476]  ? genl_op_from_small+0x23/0x3c0
[ 66.269357][ T8476]  ? genl_get_cmd+0x3cf/0x480
[ 66.274032][ T8476]  genl_rcv_msg+0x328/0x580
[ 66.278526][ T8476]  ? genl_get_cmd+0x480/0x480
[ 66.283191][ T8476]  ? nbd_start_device+0xd40/0xd40
[ 66.288217][ T8476]  ? lock_release+0x710/0x710
[ 66.292891][ T8476]  netlink_rcv_skb+0x153/0x420
[ 66.297643][ T8476]  ? genl_get_cmd+0x480/0x480
[ 66.302341][ T8476]  ? netlink_ack+0xaa0/0xaa0
[ 66.306950][ T8476]  genl_rcv+0x24/0x40
[ 66.314932][ T8476]  netlink_unicast+0x533/0x7d0
[ 66.319691][ T8476]  ? netlink_attachskb+0x870/0x870
[ 66.324789][ T8476]  ? _copy_from_iter_full+0x275/0x850
[ 66.330147][ T8476]  ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 66.336388][ T8476]  ? __phys_addr_symbol+0x2c/0x70
[ 66.341402][ T8476]  ? __sanitizer_cov_trace_cmp8+0x1d/0x70
[ 66.347144][ T8476]  ? __check_object_size+0x171/0x3f0
[ 66.352417][ T8476]  netlink_sendmsg+0x856/0xd90
[ 66.357172][ T8476]  ? netlink_unicast+0x7d0/0x7d0
[ 66.362100][ T8476]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 66.368329][ T8476]  ? netlink_unicast+0x7d0/0x7d0
[ 66.373253][ T8476]  sock_sendmsg+0xcf/0x120
[ 66.377658][ T8476]  ____sys_sendmsg+0x6e8/0x810
[ 66.382419][ T8476]  ? kernel_sendmsg+0x50/0x50
[ 66.387081][ T8476]  ? do_recvmmsg+0x6c0/0x6c0
[ 66.391704][ T8476]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 66.397994][ T8476]  ? netlink_recvmsg+0x826/0xee0
[ 66.402927][ T8476]  ___sys_sendmsg+0xf3/0x170
[ 66.407506][ T8476]  ? sendmsg_copy_msghdr+0x160/0x160
[ 66.412781][ T8476]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 66.419056][ T8476]  ? security_socket_recvmsg+0x8f/0xc0
[ 66.424519][ T8476]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 66.430745][ T8476]  ? __sys_recvfrom+0x2cc/0x3a0
[ 66.435700][ T8476]  ? __ia32_sys_send+0x100/0x100
[ 66.440638][ T8476]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 66.446887][ T8476]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 66.453123][ T8476]  ? __fget_light+0x215/0x280
[ 66.457795][ T8476]  ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 66.464036][ T8476]  __sys_sendmsg+0xe5/0x1b0
[ 66.468526][ T8476]  ? __sys_sendmsg_sock+0xb0/0xb0
[ 66.473536][ T8476]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 66.479788][ T8476]  ? syscall_enter_from_user_mode+0x1d/0x50
[ 66.485686][ T8476]  do_syscall_64+0x2d/0x70
[ 66.490087][ T8476]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 66.495967][ T8476] RIP: 0033:0x440789
[ 66.499847][ T8476] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 66.519440][ T8476] RSP: 002b:00007ffd30483ad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 66.527859][ T8476] RAX: ffffffffffffffda RBX: 00000000000101bf RCX: 0000000000440789
[ 66.535814][ T8476] RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
[ 66.543840][ T8476] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffd30483c78
[ 66.551819][ T8476] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd30483aec
[ 66.559776][ T8476] R13: 431bde82d7b634db R14: 00000000004ae018 R15: 00000000004004a0
[ 66.567748][ T8476]
[ 66.570056][ T8476] Allocated by task 1:
[ 66.574109][ T8476]  kasan_save_stack+0x1b/0x40
[ 66.578799][ T8476]  ____kasan_kmalloc.constprop.0+0x82/0xa0
[ 66.584594][ T8476]  nbd_dev_add+0x44/0x8e0
[ 66.588913][ T8476]  nbd_init+0x250/0x271
[ 66.593101][ T8476]  do_one_initcall+0x103/0x650
[ 66.597852][ T8476]  kernel_init_freeable+0x605/0x689
[ 66.603038][ T8476]  kernel_init+0xd/0x1b8
[ 66.607268][ T8476]  ret_from_fork+0x1f/0x30
[ 66.611674][ T8476]
[ 66.613980][ T8476] Freed by task 8476:
[ 66.617942][ T8476]  kasan_save_stack+0x1b/0x40
[ 66.622604][ T8476]  kasan_set_track+0x1c/0x30
[ 66.627187][ T8476]  kasan_set_free_info+0x20/0x30
[ 66.632148][ T8476]  ____kasan_slab_free+0xe1/0x110
[ 66.637184][ T8476]  slab_free_freelist_hook+0x5d/0x150
[ 66.642564][ T8476]  kfree+0xdb/0x3b0
[ 66.646382][ T8476]  nbd_put.part.0+0x180/0x1d0
[ 66.651078][ T8476]  nbd_config_put+0x6dd/0x8c0
[ 66.655775][ T8476]  nbd_genl_connect+0xeb7/0x1560
[ 66.660730][ T8476]  genl_family_rcv_msg_doit+0x228/0x320
[ 66.666294][ T8476]  genl_rcv_msg+0x328/0x580
[ 66.670817][ T8476]  netlink_rcv_skb+0x153/0x420
[ 66.675599][ T8476]  genl_rcv+0x24/0x40
[ 66.679600][ T8476]  netlink_unicast+0x533/0x7d0
[ 66.684392][ T8476]  netlink_sendmsg+0x856/0xd90
[ 66.689170][ T8476]  sock_sendmsg+0xcf/0x120
[ 66.693605][ T8476]  ____sys_sendmsg+0x6e8/0x810
[ 66.698384][ T8476]  ___sys_sendmsg+0xf3/0x170
[ 66.702986][ T8476]  __sys_sendmsg+0xe5/0x1b0
[ 66.707504][ T8476]  do_syscall_64+0x2d/0x70
[ 66.712047][ T8476]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 66.717964][ T8476]
[ 66.720287][ T8476] The buggy address belongs to the object at ffff88801a75a000
[ 66.720287][ T8476]  which belongs to the cache kmalloc-1k of size 1024
[ 66.734341][ T8476] The buggy address is located 416 bytes inside of
[ 66.734341][ T8476]  1024-byte region [ffff88801a75a000, ffff88801a75a400)
[ 66.747826][ T8476] The buggy address belongs to the page:
[ 66.753439][ T8476] page:000000004723a253 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1a758
[ 66.763572][ T8476] head:000000004723a253 order:3 compound_mapcount:0 compound_pincount:0
[ 66.771883][ T8476] flags: 0xfff00000010200(slab|head)
[ 66.777159][ T8476] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010c41140
[ 66.785732][ T8476] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 66.794310][ T8476] page dumped because: kasan: bad access detected
[ 66.800701][ T8476]
[ 66.803006][ T8476] Memory state around the buggy address:
[ 66.808618][ T8476]  ffff88801a75a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.816664][ T8476]  ffff88801a75a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.824709][ T8476] >ffff88801a75a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.832786][ T8476]                                ^
[ 66.837876][ T8476]  ffff88801a75a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.845917][ T8476]  ffff88801a75a280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.853956][ T8476] ==================================================================
[ 66.861994][ T8476] Disabling lock debugging due to kernel taint
[ 66.868833][ T8476] Kernel panic - not syncing: panic_on_warn set ...
[ 66.875415][ T8476] CPU: 0 PID: 8476 Comm: syz-executor225 Tainted: G B 5.11.0-rc7-syzkaller #0
[ 66.885564][ T8476] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 66.895622][ T8476] Call Trace:
[ 66.898898][ T8476]  dump_stack+0x107/0x163
[ 66.903236][ T8476]  ? refcount_dec_not_one+0x10/0x1e0
[ 66.908690][ T8476]  panic+0x306/0x73d
[ 66.912576][ T8476]  ? __warn_printk+0xf3/0xf3
[ 66.917152][ T8476]  ? preempt_schedule_common+0x59/0xc0
[ 66.922595][ T8476]  ? refcount_dec_not_one+0x71/0x1e0
[ 66.927862][ T8476]  ? preempt_schedule_thunk+0x16/0x18
[ 66.933214][ T8476]  ? trace_hardirqs_on+0x38/0x1c0
[ 66.938222][ T8476]  ? trace_hardirqs_on+0x51/0x1c0
[ 66.943232][ T8476]  ? refcount_dec_not_one+0x71/0x1e0
[ 66.948498][ T8476]  ? refcount_dec_not_one+0x71/0x1e0
[ 66.953765][ T8476]  end_report+0x58/0x5e
[ 66.957905][ T8476]  kasan_report.cold+0x67/0xd5
[ 66.962649][ T8476]  ? refcount_dec_not_one+0x71/0x1e0
[ 66.967914][ T8476]  check_memory_region+0x13d/0x180
[ 66.973023][ T8476]  refcount_dec_not_one+0x71/0x1e0
[ 66.978175][ T8476]  ? refcount_warn_saturate+0x1e0/0x1e0
[ 66.983703][ T8476]  ? nbd_config_put+0x5d0/0x8c0
[ 66.988552][ T8476]  refcount_dec_and_mutex_lock+0x19/0x140
[ 66.994263][ T8476]  nbd_genl_connect+0xee7/0x1560
[ 66.999184][ T8476]  ? nbd_start_device+0xd40/0xd40
[ 67.004197][ T8476]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 67.010438][ T8476]  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x1b7/0x290
[ 67.017791][ T8476]  ? genl_family_rcv_msg_attrs_parse.constprop.0+0xaf/0x290
[ 67.025071][ T8476]  genl_family_rcv_msg_doit+0x228/0x320
[ 67.030603][ T8476]  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x290/0x290
[ 67.037958][ T8476]  ? genl_op_from_small+0x23/0x3c0
[ 67.043159][ T8476]  ? genl_get_cmd+0x3cf/0x480
[ 67.048788][ T8476]  genl_rcv_msg+0x328/0x580
[ 67.053287][ T8476]  ? genl_get_cmd+0x480/0x480
[ 67.057956][ T8476]  ? nbd_start_device+0xd40/0xd40
[ 67.062965][ T8476]  ? lock_release+0x710/0x710
[ 67.067625][ T8476]  netlink_rcv_skb+0x153/0x420
[ 67.072391][ T8476]  ? genl_get_cmd+0x480/0x480
[ 67.077056][ T8476]  ? netlink_ack+0xaa0/0xaa0
[ 67.081627][ T8476]  genl_rcv+0x24/0x40
[ 67.085591][ T8476]  netlink_unicast+0x533/0x7d0
[ 67.090336][ T8476]  ? netlink_attachskb+0x870/0x870
[ 67.095427][ T8476]  ? _copy_from_iter_full+0x275/0x850
[ 67.100776][ T8476]  ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 67.106996][ T8476]  ? __phys_addr_symbol+0x2c/0x70
[ 67.112014][ T8476]  ? __sanitizer_cov_trace_cmp8+0x1d/0x70
[ 67.117715][ T8476]  ? __check_object_size+0x171/0x3f0
[ 67.122989][ T8476]  netlink_sendmsg+0x856/0xd90
[ 67.127735][ T8476]  ? netlink_unicast+0x7d0/0x7d0
[ 67.132656][ T8476]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 67.138893][ T8476]  ? netlink_unicast+0x7d0/0x7d0
[ 67.143813][ T8476]  sock_sendmsg+0xcf/0x120
[ 67.148211][ T8476]  ____sys_sendmsg+0x6e8/0x810
[ 67.152966][ T8476]  ? kernel_sendmsg+0x50/0x50
[ 67.157622][ T8476]  ? do_recvmmsg+0x6c0/0x6c0
[ 67.163755][ T8476]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 67.169980][ T8476]  ? netlink_recvmsg+0x826/0xee0
[ 67.174901][ T8476]  ___sys_sendmsg+0xf3/0x170
[ 67.179475][ T8476]  ? sendmsg_copy_msghdr+0x160/0x160
[ 67.184755][ T8476]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 67.190978][ T8476]  ? security_socket_recvmsg+0x8f/0xc0
[ 67.196419][ T8476]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 67.202641][ T8476]  ? __sys_recvfrom+0x2cc/0x3a0
[ 67.207479][ T8476]  ? __ia32_sys_send+0x100/0x100
[ 67.212395][ T8476]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 67.218634][ T8476]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 67.224855][ T8476]  ? __fget_light+0x215/0x280
[ 67.229512][ T8476]  ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 67.235760][ T8476]  __sys_sendmsg+0xe5/0x1b0
[ 67.240246][ T8476]  ? __sys_sendmsg_sock+0xb0/0xb0
[ 67.245263][ T8476]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 67.251490][ T8476]  ? syscall_enter_from_user_mode+0x1d/0x50
[ 67.257391][ T8476]  do_syscall_64+0x2d/0x70
[ 67.261788][ T8476]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 67.267662][ T8476] RIP: 0033:0x440789
[ 67.271536][ T8476] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 67.291124][ T8476] RSP: 002b:00007ffd30483ad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 67.299514][ T8476] RAX: ffffffffffffffda RBX: 00000000000101bf RCX: 0000000000440789
[ 67.307465][ T8476] RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
[ 67.315416][ T8476] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffd30483c78
[ 67.323366][ T8476] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd30483aec
[ 67.331315][ T8476] R13: 431bde82d7b634db R14: 00000000004ae018 R15: 00000000004004a0
[ 67.339874][ T8476] Kernel Offset: disabled
[ 67.344185][ T8476] Rebooting in 86400 seconds..
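Reading the report: the 4-byte read at ffff88801a75a1a0 lands 416 bytes into a kmalloc-1k object that nbd_dev_add() allocated at boot (task 1), so the victim is the nbd device structure itself. The "Freed by" stack shows it released by nbd_put.part.0() called from nbd_config_put() inside nbd_genl_connect() (+0xeb7); the faulting stack shows nbd_genl_connect() a few instructions later (+0xee7) calling refcount_dec_and_mutex_lock() on the same object, which is what an inlined nbd_put() does to nbd->refs. In other words, dropping the last configuration reference also dropped the last device reference, and the function then performed one more device put on memory that was already gone. The whole slab region is shadow-poisoned fb (freed), so the read was caught immediately. The C program below is an added, constructed model of that reference-count pattern; it is not nbd code, not a reproducer and not part of the syzkaller report. struct dev, config_put(), dev_put(), connect_buggy() and connect_fixed() are stand-ins I named, and the starting counts are an assumption (the log shows the stale put, not why the count was one short). Freed memory is poisoned rather than released so the stale access is counted the way KASAN reports it instead of corrupting the heap.

```c
/* Constructed model of the reference-count pattern in the report above.
 * Not nbd code and not a reproducer: struct dev, config_put(), dev_put(),
 * connect_buggy() and connect_fixed() are stand-ins (assumptions) for
 * nbd_device, nbd_config_put(), nbd_put() and the nbd_genl_connect() tail.
 * Freed memory is poisoned instead of released, so a stale access is
 * counted the way KASAN reports it rather than corrupting the heap. */
#include <stdbool.h>
#include <stdio.h>

struct dev {
	int refs;          /* device lifetime count, like nbd->refs */
	int config_refs;   /* configuration count, like nbd->config_refs */
	bool freed;        /* poison flag set where the kernel would kfree() */
};

static int uaf_reports;   /* accesses to a poisoned object, one per "BUG: KASAN" */
static int object_freed;  /* how many times the last run released the device */

static void check_live(const struct dev *d)
{
	if (d->freed)
		uaf_reports++;   /* KASAN: use-after-free in refcount_dec_not_one */
}

/* Drop one device reference; the last one frees the device (kfree in nbd_put). */
static void dev_put(struct dev *d)
{
	check_live(d);
	if (--d->refs == 0) {
		d->freed = true;
		object_freed++;
	}
}

/* Drop one configuration reference. The configuration owns a device
 * reference, so the last config put also does a dev_put(): this nesting is
 * the "Freed by" stack, nbd_put called from nbd_config_put. */
static void config_put(struct dev *d)
{
	check_live(d);
	if (--d->config_refs == 0)
		dev_put(d);
}

/* Buggy tail: the function holds only the reference the configuration owns
 * (assumption: its own reference was dropped elsewhere or never taken; the
 * log shows the stale put, not why the count was short), yet it still does a
 * final dev_put() after config_put(). Returns the number of stale accesses. */
static int connect_buggy(void)
{
	struct dev d = { .refs = 1, .config_refs = 1, .freed = false };

	uaf_reports = 0;
	object_freed = 0;
	config_put(&d);  /* config_refs 1->0, refs 1->0: device freed here */
	dev_put(&d);     /* refcount_dec on freed memory: the reported read */
	return uaf_reports;
}

/* Fixed tail: take a reference this function owns before anything can drop
 * the configuration, so the device outlives every later access, then drop
 * exactly what was taken. Returns the number of stale accesses (expected 0). */
static int connect_fixed(void)
{
	struct dev d = { .refs = 1, .config_refs = 1, .freed = false };

	uaf_reports = 0;
	object_freed = 0;
	d.refs++;        /* refcount_inc_not_zero(&nbd->refs) on entry */
	config_put(&d);  /* config_refs 1->0, refs 2->1: still alive */
	dev_put(&d);     /* refs 1->0: freed once, after the last use */
	return uaf_reports;
}

int main(void)
{
	int n;

	n = connect_buggy();
	printf("buggy ordering: %d stale access(es), freed %d time(s)\n", n, object_freed);
	n = connect_fixed();
	printf("fixed ordering: %d stale access(es), freed %d time(s)\n", n, object_freed);
	return 0;
}
```

The model deliberately keeps both counters on the same object because that is what makes the nested put dangerous: whoever drops the last config_refs implicitly drops a device reference too, so any code path that touches the device after a config put must hold a device reference of its own for the duration. The fixed variant is the general rule, not a claim about the actual upstream patch: take the reference before the nested put can run and release only what was taken, in that order.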