[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.20' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 51.449436] netlink: 4 bytes leftover after parsing attributes in process `syz-executor127'.
executing program
[ 51.519436] netlink: 4 bytes leftover after parsing attributes in process `syz-executor127'.
[ 51.558259] netlink: 4 bytes leftover after parsing attributes in process `syz-executor127'.
executing program
executing program
executing program
[ 51.621662] netlink: 4 bytes leftover after parsing attributes in process `syz-executor127'.
[ 51.635956] nbd: nbd0 already in use
executing program
[ 51.667936] netlink: 4 bytes leftover after parsing attributes in process `syz-executor127'.
executing program
[ 51.713724] netlink: 4 bytes leftover after parsing attributes in process `syz-executor127'.
executing program
[ 51.766430] netlink: 4 bytes leftover after parsing attributes in process `syz-executor127'.
executing program
[ 51.816418] netlink: 4 bytes leftover after parsing attributes in process `syz-executor127'.
executing program
[ 51.865704] netlink: 4 bytes leftover after parsing attributes in process `syz-executor127'.
executing program
[ 51.931626] netlink: 4 bytes leftover after parsing attributes in process `syz-executor127'.
executing program
executing program
[ 51.995647] nbd: nbd0 already in use
executing program
executing program
executing program
executing program
executing program
[ 52.166950] nbd: nbd0 already in use
executing program
executing program
executing program
[ 52.256006] nbd: nbd0 already in use
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 52.666103] ==================================================================
[ 52.673656] BUG: KASAN: use-after-free in refcount_dec_not_one+0x71/0x1d0
[ 52.680577] Read of size 4 at addr ffff8880aff60618 by task syz-executor127/8324
[ 52.688090]
[ 52.689703] CPU: 0 PID: 8324 Comm: syz-executor127 Not tainted 4.19.211-syzkaller #0
[ 52.697571] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
[ 52.706904] Call Trace:
[ 52.709476]  dump_stack+0x1fc/0x2ef
[ 52.713092]  print_address_description.cold+0x54/0x219
[ 52.718355]  kasan_report_error.cold+0x8a/0x1b9
[ 52.723036]  ? refcount_dec_not_one+0x71/0x1d0
[ 52.727605]  kasan_report+0x8f/0xa0
[ 52.731312]  ? refcount_dec_not_one+0x71/0x1d0
[ 52.735880]  refcount_dec_not_one+0x71/0x1d0
[ 52.740272]  ? refcount_dec_and_test_checked+0x20/0x20
[ 52.745534]  ? nbd_config_put+0x5da/0x870
[ 52.749682]  refcount_dec_and_mutex_lock+0x1c/0x80
[ 52.754605]  nbd_genl_connect+0x11ee/0x1630
[ 52.758911]  ? nbd_xmit_timeout+0x730/0x730
[ 52.763215]  ? __sanitizer_cov_trace_switch+0x4b/0x80
[ 52.768384]  ? validate_nla+0x270/0x820
[ 52.772449]  ? nla_parse+0x1b2/0x290
[ 52.776173]  genl_family_rcv_msg+0x642/0xc40
[ 52.780569]  ? genl_rcv+0x40/0x40
[ 52.784098]  ? genl_rcv_msg+0x12f/0x160
[ 52.788052]  ? mutex_trylock+0x1a0/0x1a0
[ 52.792097]  ? __radix_tree_lookup+0x216/0x370
[ 52.796754]  genl_rcv_msg+0xbf/0x160
[ 52.800463]  netlink_rcv_skb+0x160/0x440
[ 52.804508]  ? genl_family_rcv_msg+0xc40/0xc40
[ 52.809078]  ? netlink_ack+0xae0/0xae0
[ 52.812956]  ? genl_rcv+0x15/0x40
[ 52.816397]  genl_rcv+0x24/0x40
[ 52.819674]  netlink_unicast+0x4d5/0x690
[ 52.823726]  ? netlink_sendskb+0x110/0x110
[ 52.827942]  ? _copy_from_iter_full+0x229/0x7c0
[ 52.832588]  ? __phys_addr_symbol+0x2c/0x70
[ 52.836915]  ? __check_object_size+0x17b/0x3e0
[ 52.841479]  netlink_sendmsg+0x6c3/0xc50
[ 52.845538]  ? aa_af_perm+0x230/0x230
[ 52.849330]  ? nlmsg_notify+0x1f0/0x1f0
[ 52.853387]  ? kernel_recvmsg+0x220/0x220
[ 52.857520]  ? nlmsg_notify+0x1f0/0x1f0
[ 52.861571]  sock_sendmsg+0xc3/0x120
[ 52.865273]  ___sys_sendmsg+0x7bb/0x8e0
[ 52.869236]  ? copy_msghdr_from_user+0x440/0x440
[ 52.873987]  ? __fget+0x32f/0x510
[ 52.877444]  ? lock_downgrade+0x720/0x720
[ 52.881620]  ? check_preemption_disabled+0x41/0x280
[ 52.886627]  ? check_preemption_disabled+0x41/0x280
[ 52.891623]  ? __fget+0x356/0x510
[ 52.895060]  ? do_dup2+0x450/0x450
[ 52.898584]  ? __fdget+0x1d0/0x230
[ 52.902202]  __x64_sys_sendmsg+0x132/0x220
[ 52.906522]  ? __sys_sendmsg+0x1b0/0x1b0
[ 52.910564]  ? __se_sys_futex+0x298/0x3b0
[ 52.914788]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 52.920140]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 52.925141]  ? do_syscall_64+0x21/0x620
[ 52.929097]  do_syscall_64+0xf9/0x620
[ 52.932887]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.938060] RIP: 0033:0x7f23dc094479
[ 52.941760] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 52.961497] RSP: 002b:00007f23dc045318 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 52.969188] RAX: ffffffffffffffda RBX: 00007f23dc11c408 RCX: 00007f23dc094479
[ 52.976793] RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
[ 52.984047] RBP: 00007f23dc11c400 R08: 0000000000000006 R09: 0000000000000000
[ 52.991298] R10: 000000000000000c R11: 0000000000000246 R12: 00007f23dc11c40c
[ 52.998588] R13: 00007ffcb6b74a5f R14: 00007f23dc045400 R15: 0000000000022000
[ 53.005858]
[ 53.007469] Allocated by task 8318:
[ 53.011517]  kmem_cache_alloc_trace+0x12f/0x380
[ 53.016176]  nbd_dev_add+0x44/0x890
[ 53.019813]  nbd_genl_connect+0x488/0x1630
[ 53.024032]  genl_family_rcv_msg+0x642/0xc40
[ 53.028422]  genl_rcv_msg+0xbf/0x160
[ 53.032148]  netlink_rcv_skb+0x160/0x440
[ 53.036206]  genl_rcv+0x24/0x40
[ 53.039467]  netlink_unicast+0x4d5/0x690
[ 53.043534]  netlink_sendmsg+0x6c3/0xc50
[ 53.047590]  sock_sendmsg+0xc3/0x120
[ 53.051286]  ___sys_sendmsg+0x7bb/0x8e0
[ 53.055238]  __x64_sys_sendmsg+0x132/0x220
[ 53.059464]  do_syscall_64+0xf9/0x620
[ 53.063247]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.068409]
[ 53.070014] Freed by task 8324:
[ 53.073272]  kfree+0xcc/0x210
[ 53.076363]  nbd_put.part.0+0xfe/0x140
[ 53.080231]  nbd_config_put+0x6a0/0x870
[ 53.084199]  nbd_genl_connect+0x11bb/0x1630
[ 53.088600]  genl_family_rcv_msg+0x642/0xc40
[ 53.092989]  genl_rcv_msg+0xbf/0x160
[ 53.096681]  netlink_rcv_skb+0x160/0x440
[ 53.100720]  genl_rcv+0x24/0x40
[ 53.104240]  netlink_unicast+0x4d5/0x690
[ 53.108283]  netlink_sendmsg+0x6c3/0xc50
[ 53.112333]  sock_sendmsg+0xc3/0x120
[ 53.116031]  ___sys_sendmsg+0x7bb/0x8e0
[ 53.119989]  __x64_sys_sendmsg+0x132/0x220
[ 53.124207]  do_syscall_64+0xf9/0x620
[ 53.127993]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.133160]
[ 53.134770] The buggy address belongs to the object at ffff8880aff60540
[ 53.134770]  which belongs to the cache kmalloc-512 of size 512
[ 53.147407] The buggy address is located 216 bytes inside of
[ 53.147407]  512-byte region [ffff8880aff60540, ffff8880aff60740)
[ 53.159257] The buggy address belongs to the page:
[ 53.164183] page:ffffea0002bfd800 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
[ 53.172307] flags: 0xfff00000000100(slab)
[ 53.176462] raw: 00fff00000000100 ffffea0002ba0148 ffffea0002a712c8 ffff88813bff0940
[ 53.184952] raw: 0000000000000000 ffff8880aff60040 0000000100000006 0000000000000000
[ 53.192812] page dumped because: kasan: bad access detected
[ 53.198497]
[ 53.200100] Memory state around the buggy address:
[ 53.205015]  ffff8880aff60500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 53.212353]  ffff8880aff60580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.220381] >ffff8880aff60600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.227718]                             ^
[ 53.231855]  ffff8880aff60680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.239294]  ffff8880aff60700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 53.246631] ==================================================================
[ 53.254057] Disabling lock debugging due to kernel taint
[ 53.259973] Kernel panic - not syncing: panic_on_warn set ...
[ 53.259973]
[ 53.267354] CPU: 0 PID: 8324 Comm: syz-executor127 Tainted: G B 4.19.211-syzkaller #0
[ 53.276624] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
[ 53.285973] Call Trace:
[ 53.288562]  dump_stack+0x1fc/0x2ef
[ 53.292193]  panic+0x26a/0x50e
[ 53.295386]  ? __warn_printk+0xf3/0xf3
[ 53.299360]  ? preempt_schedule_common+0x45/0xc0
[ 53.304111]  ? ___preempt_schedule+0x16/0x18
[ 53.308503]  ? trace_hardirqs_on+0x55/0x210
[ 53.312825]  kasan_end_report+0x43/0x49
[ 53.316789]  kasan_report_error.cold+0xa7/0x1b9
[ 53.321458]  ? refcount_dec_not_one+0x71/0x1d0
[ 53.326023]  kasan_report+0x8f/0xa0
[ 53.329636]  ? refcount_dec_not_one+0x71/0x1d0
[ 53.334207]  refcount_dec_not_one+0x71/0x1d0
[ 53.338620]  ? refcount_dec_and_test_checked+0x20/0x20
[ 53.343899]  ? nbd_config_put+0x5da/0x870
[ 53.348062]  refcount_dec_and_mutex_lock+0x1c/0x80
[ 53.352986]  nbd_genl_connect+0x11ee/0x1630
[ 53.357291]  ? nbd_xmit_timeout+0x730/0x730
[ 53.361599]  ? __sanitizer_cov_trace_switch+0x4b/0x80
[ 53.366770]  ? validate_nla+0x270/0x820
[ 53.370726]  ? nla_parse+0x1b2/0x290
[ 53.374421]  genl_family_rcv_msg+0x642/0xc40
[ 53.378926]  ? genl_rcv+0x40/0x40
[ 53.382359]  ? genl_rcv_msg+0x12f/0x160
[ 53.386402]  ? mutex_trylock+0x1a0/0x1a0
[ 53.390465]  ? __radix_tree_lookup+0x216/0x370
[ 53.395030]  genl_rcv_msg+0xbf/0x160
[ 53.398911]  netlink_rcv_skb+0x160/0x440
[ 53.403251]  ? genl_family_rcv_msg+0xc40/0xc40
[ 53.407811]  ? netlink_ack+0xae0/0xae0
[ 53.411735]  ? genl_rcv+0x15/0x40
[ 53.415376]  genl_rcv+0x24/0x40
[ 53.418731]  netlink_unicast+0x4d5/0x690
[ 53.422771]  ? netlink_sendskb+0x110/0x110
[ 53.426987]  ? _copy_from_iter_full+0x229/0x7c0
[ 53.431643]  ? __phys_addr_symbol+0x2c/0x70
[ 53.435964]  ? __check_object_size+0x17b/0x3e0
[ 53.440705]  netlink_sendmsg+0x6c3/0xc50
[ 53.444750]  ? aa_af_perm+0x230/0x230
[ 53.448531]  ? nlmsg_notify+0x1f0/0x1f0
[ 53.452484]  ? kernel_recvmsg+0x220/0x220
[ 53.456622]  ? nlmsg_notify+0x1f0/0x1f0
[ 53.460577]  sock_sendmsg+0xc3/0x120
[ 53.464269]  ___sys_sendmsg+0x7bb/0x8e0
[ 53.468227]  ? copy_msghdr_from_user+0x440/0x440
[ 53.472981]  ? __fget+0x32f/0x510
[ 53.476418]  ? lock_downgrade+0x720/0x720
[ 53.480546]  ? check_preemption_disabled+0x41/0x280
[ 53.485558]  ? check_preemption_disabled+0x41/0x280
[ 53.490570]  ? __fget+0x356/0x510
[ 53.494001]  ? do_dup2+0x450/0x450
[ 53.497521]  ? __fdget+0x1d0/0x230
[ 53.501041]  __x64_sys_sendmsg+0x132/0x220
[ 53.505256]  ? __sys_sendmsg+0x1b0/0x1b0
[ 53.509296]  ? __se_sys_futex+0x298/0x3b0
[ 53.513442]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 53.518787]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 53.523781]  ? do_syscall_64+0x21/0x620
[ 53.527732]  do_syscall_64+0xf9/0x620
[ 53.531535]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.536703] RIP: 0033:0x7f23dc094479
[ 53.540482] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 53.559451] RSP: 002b:00007f23dc045318 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 53.567139] RAX: ffffffffffffffda RBX: 00007f23dc11c408 RCX: 00007f23dc094479
[ 53.574387] RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
[ 53.581645] RBP: 00007f23dc11c400 R08: 0000000000000006 R09: 0000000000000000
[ 53.588900] R10: 000000000000000c R11: 0000000000000246 R12: 00007f23dc11c40c
[ 53.596164] R13: 00007ffcb6b74a5f R14: 00007f23dc045400 R15: 0000000000022000
[ 53.603630] Kernel Offset: disabled
[ 53.607242] Rebooting in 86400 seconds..
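The report above is a raw syzkaller console log; the reader has to pull the triage facts out of it by hand. The script below is an added example and is not part of the log, of syzkaller, or of the kernel tree. It parses a KASAN report into its structured parts (bug class, faulting access, reliable call-trace frames, allocation and free stacks, slab object, shadow-byte rows) and derives what a first pass at this crash needs: which driver functions allocated, freed and then touched the object, whether the free and the use happened in the same task, and whether the shadow byte for the faulting address really encodes a freed heap granule. The sample input is a constructed, trimmed copy of the report above; the `nbd_` driver prefix and the partial shadow-byte legend (the KASAN_KMALLOC_FREE / KASAN_KMALLOC_REDZONE style constants from mm/kasan/kasan.h on 4.19) are the script's own assumptions.

```python
import re

# Constructed sample input: a trimmed copy of the KASAN report from the console log
# above (stacks and shadow dump cut down to the lines the parser needs).
SAMPLE = """\
[   52.673656] BUG: KASAN: use-after-free in refcount_dec_not_one+0x71/0x1d0
[   52.680577] Read of size 4 at addr ffff8880aff60618 by task syz-executor127/8324
[   52.688090]
[   52.706904] Call Trace:
[   52.709476]  dump_stack+0x1fc/0x2ef
[   52.727605]  kasan_report+0x8f/0xa0
[   52.735880]  refcount_dec_not_one+0x71/0x1d0
[   52.745534]  ? nbd_config_put+0x5da/0x870
[   52.749682]  refcount_dec_and_mutex_lock+0x1c/0x80
[   52.754605]  nbd_genl_connect+0x11ee/0x1630
[   52.776173]  genl_family_rcv_msg+0x642/0xc40
[   52.938060] RIP: 0033:0x7f23dc094479
[   53.005858]
[   53.007469] Allocated by task 8318:
[   53.011517]  kmem_cache_alloc_trace+0x12f/0x380
[   53.016176]  nbd_dev_add+0x44/0x890
[   53.019813]  nbd_genl_connect+0x488/0x1630
[   53.068409]
[   53.070014] Freed by task 8324:
[   53.073272]  kfree+0xcc/0x210
[   53.076363]  nbd_put.part.0+0xfe/0x140
[   53.080231]  nbd_config_put+0x6a0/0x870
[   53.084199]  nbd_genl_connect+0x11bb/0x1630
[   53.133160]
[   53.134770] The buggy address belongs to the object at ffff8880aff60540
[   53.134770]  which belongs to the cache kmalloc-512 of size 512
[   53.147407] The buggy address is located 216 bytes inside of
[   53.200100] Memory state around the buggy address:
[   53.205015]  ffff8880aff60500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   53.220381] >ffff8880aff60600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.227718]                            ^
[   53.239294]  ffff8880aff60700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                                  # printk timestamp
FRAME = re.compile(r"^\s*(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")    # "? " marks an unreliable frame
SHADOW = re.compile(r"^>?([0-9a-f]{16}):((?:\s[0-9a-f]{2}){16})$")
# Assumed partial legend of shadow-byte values (mm/kasan/kasan.h on 4.19).
SHADOW_MEANING = {0x00: "addressable", 0xfa: "global redzone", 0xfb: "freed heap region",
                  0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "freed page"}


def frames(lines, start):
    """Reliable frames (no '? ' marker) from lines[start:] up to the first blank line."""
    out = []
    for line in lines[start:]:
        if not line.strip():
            break
        m = FRAME.match(line)
        if m and not m.group(1):
            out.append(m.group(2))
    return out


def parse_kasan_report(text):
    lines = [TS.sub("", l.rstrip()) for l in text.splitlines()]
    r = {"crash_stack": [], "alloc_stack": [], "free_stack": [], "shadow": {}}
    for i, line in enumerate(lines):
        s = line.strip()
        if m := re.match(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+", s):
            r["bug_class"], r["crash_func"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", s):
            r["access"], r["size"], r["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
            r["comm"], r["pid"] = m.group(4), int(m.group(5))
        elif s == "Call Trace:" and not r["crash_stack"]:   # first trace only; the panic repeats it
            r["crash_stack"] = frames(lines, i + 1)
        elif m := re.match(r"Allocated by task (\d+):", s):
            r["alloc_pid"], r["alloc_stack"] = int(m.group(1)), frames(lines, i + 1)
        elif m := re.match(r"Freed by task (\d+):", s):
            r["free_pid"], r["free_stack"] = int(m.group(1)), frames(lines, i + 1)
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", s):
            r["obj_start"] = int(m.group(1), 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", s):
            r["cache"], r["obj_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", s):
            r["stated_offset"] = int(m.group(1))
        elif m := SHADOW.match(s):
            r["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return r


def shadow_byte_at(r, addr):
    """One shadow byte covers an 8-byte granule; one dump row covers 16 granules (128 bytes)."""
    row = r["shadow"].get(addr & ~0x7f)
    return None if row is None else row[(addr & 0x7f) >> 3]


def first_frame(stack, prefix):
    return next((f for f in stack if f.startswith(prefix)), None)


def summarize(r, driver_prefix="nbd_"):
    """First-pass triage: what was hit, and which driver functions own the object's lifecycle."""
    off = r["addr"] - r["obj_start"]
    sb = shadow_byte_at(r, r["addr"])
    return {
        "bug": f"{r['bug_class']} {r['access'].lower()} of {r['size']} bytes in {r['crash_func']}",
        "object": f"{r['cache']} object, offset {off}/{r['obj_size']}",
        "offset_matches_report": off == r.get("stated_offset", off),
        "shadow": SHADOW_MEANING.get(sb, "unknown" if sb is None else f"0x{sb:02x}"),
        "allocated_in": first_frame(r["alloc_stack"], driver_prefix),
        "freed_in": first_frame(r["free_stack"], driver_prefix),
        "used_in": first_frame(r["crash_stack"], driver_prefix),
        "free_and_use_same_task": r.get("free_pid") == r.get("pid"),
    }


if __name__ == "__main__":
    for k, v in summarize(parse_kasan_report(SAMPLE)).items():
        print(f"{k:24} {v}")
```

Run against the report above, the summary reads: a use-after-free read of 4 bytes in refcount_dec_not_one, 216 bytes into a kmalloc-512 object that nbd_dev_add allocated (task 8318), that nbd_put.part.0 freed via nbd_config_put from nbd_genl_connect+0x11bb (task 8324), and that nbd_genl_connect+0x11ee then touched through refcount_dec_and_mutex_lock in the same task 8324. The shadow byte covering ffff8880aff60618 is 0xfb (freed heap), and the rows around it show fc redzone exactly at ffff8880aff60540 and ffff8880aff60740, matching the stated object bounds, so the whole object was freed rather than a neighbour being overrun. Two design points worth copying into your own triage tooling: frames prefixed with "? " are stale stack slots and are dropped, which is why the driver frame on the crash stack resolves to nbd_genl_connect and not the stale nbd_config_put entry, and the shadow lookup maps an address to its row with `addr & ~0x7f` and to its granule with `(addr & 0x7f) >> 3` rather than trusting the caret line's spacing, which extraction often destroys.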