Warning: Permanently added '10.128.0.226' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
[   29.357843] netlink: 4 bytes leftover after parsing attributes in process `syz-executor065'.
executing program
[   29.430568] netlink: 4 bytes leftover after parsing attributes in process `syz-executor065'.
executing program
[   29.498962] netlink: 4 bytes leftover after parsing attributes in process `syz-executor065'.
executing program
[   29.548982] netlink: 4 bytes leftover after parsing attributes in process `syz-executor065'.
executing program
[   29.619072] netlink: 4 bytes leftover after parsing attributes in process `syz-executor065'.
executing program
[   29.668747] netlink: 4 bytes leftover after parsing attributes in process `syz-executor065'.
executing program
executing program
[   29.729188] netlink: 4 bytes leftover after parsing attributes in process `syz-executor065'.
[   29.768961] netlink: 4 bytes leftover after parsing attributes in process `syz-executor065'.
executing program
executing program
executing program
[   29.809102] netlink: 4 bytes leftover after parsing attributes in process `syz-executor065'.
[   29.848942] netlink: 4 bytes leftover after parsing attributes in process `syz-executor065'.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   30.398300] ==================================================================
[   30.405842] BUG: KASAN: use-after-free in refcount_dec_not_one+0x9a/0xc0
[   30.412833] Read of size 4 at addr ffff8880a97f5ad8 by task syz-executor065/8075
[   30.420357] 
[   30.422027] CPU: 0 PID: 8075 Comm: syz-executor065 Not tainted 4.14.228-syzkaller #0
[   30.429950] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.439869] Call Trace:
[   30.442546]  dump_stack+0x1b2/0x281
[   30.446261]  print_address_description.cold+0x54/0x1d3
[   30.451534]  kasan_report_error.cold+0x8a/0x191
[   30.456255]  ? refcount_dec_not_one+0x9a/0xc0
[   30.460878]  __asan_report_load4_noabort+0x68/0x70
[   30.465980]  ? refcount_dec_not_one+0x9a/0xc0
[   30.470915]  refcount_dec_not_one+0x9a/0xc0
[   30.475594]  refcount_dec_and_mutex_lock+0x1a/0x60
[   30.480974]  nbd_genl_connect+0xf94/0x1400
[   30.485333]  ? nbd_xmit_timeout+0x500/0x500
[   30.489815]  ? validate_nla+0x192/0x5e0
[   30.493998]  genl_family_rcv_msg+0x572/0xb20
[   30.498403]  ? genl_rcv+0x40/0x40
[   30.501853]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[   30.507377]  ? trace_hardirqs_on+0x10/0x10
[   30.511611]  ? sock_sendmsg+0xb5/0x100
[   30.515509]  genl_rcv_msg+0xaf/0x140
[   30.519269]  netlink_rcv_skb+0x125/0x390
[   30.523327]  ? genl_family_rcv_msg+0xb20/0xb20
[   30.527917]  ? netlink_ack+0x9a0/0x9a0
[   30.531797]  ? lock_acquire+0x170/0x3f0
[   30.535767]  genl_rcv+0x24/0x40
[   30.539103]  netlink_unicast+0x437/0x610
[   30.543315]  ? netlink_sendskb+0xd0/0xd0
[   30.547495]  ? __check_object_size+0x179/0x230
[   30.552155]  netlink_sendmsg+0x62e/0xb80
[   30.556221]  ? nlmsg_notify+0x170/0x170
[   30.560202]  ? kernel_recvmsg+0x210/0x210
[   30.564361]  ? security_socket_sendmsg+0x83/0xb0
[   30.569113]  ? nlmsg_notify+0x170/0x170
[   30.573091]  sock_sendmsg+0xb5/0x100
[   30.576830]  ___sys_sendmsg+0x6c8/0x800
[   30.580807]  ? copy_msghdr_from_user+0x3b0/0x3b0
[   30.585800]  ? netlink_dump+0xad0/0xad0
[   30.590140]  ? nlmsg_notify+0x170/0x170
[   30.594111]  ? security_socket_recvmsg+0x8b/0xc0
[   30.599028]  ? SyS_recvfrom+0x27f/0x340
[   30.603251]  ? SyS_send+0x40/0x40
[   30.606865]  ? __fdget+0x167/0x1f0
[   30.610608]  ? sockfd_lookup_light+0xb2/0x160
[   30.615154]  __sys_sendmsg+0xa3/0x120
[   30.619154]  ? SyS_shutdown+0x160/0x160
[   30.623127]  ? up_read+0x17/0x30
[   30.626625]  ? __do_page_fault+0x159/0xad0
[   30.630854]  SyS_sendmsg+0x27/0x40
[   30.634387]  ? __sys_sendmsg+0x120/0x120
[   30.638561]  do_syscall_64+0x1d5/0x640
[   30.642504]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   30.647701] RIP: 0033:0x440849
[   30.650886] RSP: 002b:00007ffc3fd431d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   30.658635] RAX: ffffffffffffffda RBX: 00000000000f4240 RCX: 0000000000440849
[   30.666273] RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000003
[   30.673936] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[   30.681210] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000074f7
[   30.688607] R13: 00007ffc3fd431ec R14: 00007ffc3fd43200 R15: 00007ffc3fd431f0
[   30.695878] 
[   30.697499] Allocated by task 8064:
[   30.701122]  kasan_kmalloc+0xeb/0x160
[   30.704923]  kmem_cache_alloc_trace+0x131/0x3d0
[   30.709603]  nbd_dev_add+0x7c/0x800
[   30.713240]  nbd_genl_connect+0x3a4/0x1400
[   30.717467]  genl_family_rcv_msg+0x572/0xb20
[   30.721869]  genl_rcv_msg+0xaf/0x140
[   30.725575]  netlink_rcv_skb+0x125/0x390
[   30.729624]  genl_rcv+0x24/0x40
[   30.732893]  netlink_unicast+0x437/0x610
[   30.737213]  netlink_sendmsg+0x62e/0xb80
[   30.741649]  sock_sendmsg+0xb5/0x100
[   30.745493]  ___sys_sendmsg+0x6c8/0x800
[   30.749556]  __sys_sendmsg+0xa3/0x120
[   30.753484]  SyS_sendmsg+0x27/0x40
[   30.757143]  do_syscall_64+0x1d5/0x640
[   30.761030]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   30.766522] 
[   30.768200] Freed by task 8075:
[   30.771616]  kasan_slab_free+0xc3/0x1a0
[   30.775773]  kfree+0xc9/0x250
[   30.778873]  nbd_put.part.0+0x100/0x140
[   30.782981]  nbd_config_put+0x62a/0x810
[   30.787082]  nbd_genl_connect+0xf6c/0x1400
[   30.791337]  genl_family_rcv_msg+0x572/0xb20
[   30.795739]  genl_rcv_msg+0xaf/0x140
[   30.799509]  netlink_rcv_skb+0x125/0x390
[   30.803860]  genl_rcv+0x24/0x40
[   30.807270]  netlink_unicast+0x437/0x610
[   30.811395]  netlink_sendmsg+0x62e/0xb80
[   30.815576]  sock_sendmsg+0xb5/0x100
[   30.819280]  ___sys_sendmsg+0x6c8/0x800
[   30.823270]  __sys_sendmsg+0xa3/0x120
[   30.827303]  SyS_sendmsg+0x27/0x40
[   30.831075]  do_syscall_64+0x1d5/0x640
[   30.834959]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   30.840601] 
[   30.842228] The buggy address belongs to the object at ffff8880a97f5a00
[   30.842228]  which belongs to the cache kmalloc-512 of size 512
[   30.854969] The buggy address is located 216 bytes inside of
[   30.854969]  512-byte region [ffff8880a97f5a00, ffff8880a97f5c00)
[   30.866929] The buggy address belongs to the page:
[   30.872052] page:ffffea0002a5fd40 count:1 mapcount:0 mapping:ffff8880a97f5000 index:0x0
[   30.880686] flags: 0xfff00000000100(slab)
[   30.884985] raw: 00fff00000000100 ffff8880a97f5000 0000000000000000 0000000100000006
[   30.893282] raw: ffffea0002aca6e0 ffffea0002afed60 ffff88813fe80940 0000000000000000
[   30.901430] page dumped because: kasan: bad access detected
[   30.907352] 
[   30.908969] Memory state around the buggy address:
[   30.914025]  ffff8880a97f5980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.921554]  ffff8880a97f5a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.929288] >ffff8880a97f5a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.936720]                                                     ^
[   30.943302]  ffff8880a97f5b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.950823]  ffff8880a97f5b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.958570] ==================================================================
[   30.966132] Disabling lock debugging due to kernel taint
[   30.972504] Kernel panic - not syncing: panic_on_warn set ...
[   30.972504] 
[   30.979886] CPU: 0 PID: 8075 Comm: syz-executor065 Tainted: G    B   4.14.228-syzkaller #0
[   30.989083] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.998613] Call Trace:
[   31.001486]  dump_stack+0x1b2/0x281
[   31.005342]  panic+0x1f9/0x42d
[   31.008538]  ? add_taint.cold+0x16/0x16
[   31.012817]  ? ___preempt_schedule+0x16/0x18
[   31.017326]  kasan_end_report+0x43/0x49
[   31.021493]  kasan_report_error.cold+0xa7/0x191
[   31.026433]  ? refcount_dec_not_one+0x9a/0xc0
[   31.031179]  __asan_report_load4_noabort+0x68/0x70
[   31.036105]  ? refcount_dec_not_one+0x9a/0xc0
[   31.040589]  refcount_dec_not_one+0x9a/0xc0
[   31.045117]  refcount_dec_and_mutex_lock+0x1a/0x60
[   31.050093]  nbd_genl_connect+0xf94/0x1400
[   31.054455]  ? nbd_xmit_timeout+0x500/0x500
[   31.058773]  ? validate_nla+0x192/0x5e0
[   31.062746]  genl_family_rcv_msg+0x572/0xb20
[   31.067208]  ? genl_rcv+0x40/0x40
[   31.070658]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[   31.076105]  ? trace_hardirqs_on+0x10/0x10
[   31.080425]  ? sock_sendmsg+0xb5/0x100
[   31.084503]  genl_rcv_msg+0xaf/0x140
[   31.088345]  netlink_rcv_skb+0x125/0x390
[   31.092409]  ? genl_family_rcv_msg+0xb20/0xb20
[   31.096984]  ? netlink_ack+0x9a0/0x9a0
[   31.100984]  ? lock_acquire+0x170/0x3f0
[   31.104950]  genl_rcv+0x24/0x40
[   31.108370]  netlink_unicast+0x437/0x610
[   31.112511]  ? netlink_sendskb+0xd0/0xd0
[   31.116571]  ? __check_object_size+0x179/0x230
[   31.121464]  netlink_sendmsg+0x62e/0xb80
[   31.125810]  ? nlmsg_notify+0x170/0x170
[   31.130140]  ? kernel_recvmsg+0x210/0x210
[   31.134694]  ? security_socket_sendmsg+0x83/0xb0
[   31.139447]  ? nlmsg_notify+0x170/0x170
[   31.143478]  sock_sendmsg+0xb5/0x100
[   31.147182]  ___sys_sendmsg+0x6c8/0x800
[   31.151146]  ? copy_msghdr_from_user+0x3b0/0x3b0
[   31.156013]  ? netlink_dump+0xad0/0xad0
[   31.159985]  ? nlmsg_notify+0x170/0x170
[   31.164028]  ? security_socket_recvmsg+0x8b/0xc0
[   31.169683]  ? SyS_recvfrom+0x27f/0x340
[   31.173861]  ? SyS_send+0x40/0x40
[   31.177978]  ? __fdget+0x167/0x1f0
[   31.181512]  ? sockfd_lookup_light+0xb2/0x160
[   31.186317]  __sys_sendmsg+0xa3/0x120
[   31.190257]  ? SyS_shutdown+0x160/0x160
[   31.194357]  ? up_read+0x17/0x30
[   31.197886]  ? __do_page_fault+0x159/0xad0
[   31.202242]  SyS_sendmsg+0x27/0x40
[   31.205931]  ? __sys_sendmsg+0x120/0x120
[   31.210092]  do_syscall_64+0x1d5/0x640
[   31.213980]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   31.219159] RIP: 0033:0x440849
[   31.222339] RSP: 002b:00007ffc3fd431d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   31.230037] RAX: ffffffffffffffda RBX: 00000000000f4240 RCX: 0000000000440849
[   31.237302] RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000003
[   31.244578] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[   31.251995] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000074f7
[   31.259949] R13: 00007ffc3fd431ec R14: 00007ffc3fd43200 R15: 00007ffc3fd431f0
[   31.268483] Kernel Offset: disabled
[   31.272401] Rebooting in 86400 seconds..