[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.213' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 67.612171][ T8449] netlink: 4 bytes leftover after parsing attributes in process `syz-executor070'.
[ 67.621941][ T8449] netlink: 4 bytes leftover after parsing attributes in process `syz-executor070'.
[ 67.632410][ T8449] netlink: 4 bytes leftover after parsing attributes in process `syz-executor070'.
[ 67.641954][ T8449] netlink: 4 bytes leftover after parsing attributes in process `syz-executor070'.
[ 67.651485][ T8449] netlink: 4 bytes leftover after parsing attributes in process `syz-executor070'.
executing program
[ 67.660885][ T8449] netlink: 4 bytes leftover after parsing attributes in process `syz-executor070'.
[ 67.691852][ T8452] netlink: 4 bytes leftover after parsing attributes in process `syz-executor070'.
[ 67.701590][ T8452] netlink: 4 bytes leftover after parsing attributes in process `syz-executor070'.
[ 67.713168][ T8452] netlink: 4 bytes leftover after parsing attributes in process `syz-executor070'.
[ 67.724159][ T8452] netlink: 4 bytes leftover after parsing attributes in process `syz-executor070'.
executing program
executing program
executing program
executing program
executing program
executing program
[ 68.037662][ T8451] ==================================================================
[ 68.045942][ T8451] BUG: KASAN: use-after-free in refcount_dec_not_one+0x71/0x1e0
[ 68.053624][ T8451] Read of size 4 at addr ffff888143bf71a0 by task systemd-udevd/8451
[ 68.061729][ T8451]
[ 68.064087][ T8451] CPU: 0 PID: 8451 Comm: systemd-udevd Not tainted 5.11.0-rc7-syzkaller #0
[ 68.076676][ T8451] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.086733][ T8451] Call Trace:
[ 68.090016][ T8451]  dump_stack+0x107/0x163
[ 68.094349][ T8451]  ? refcount_dec_not_one+0x71/0x1e0
[ 68.099650][ T8451]  ? refcount_dec_not_one+0x71/0x1e0
[ 68.104948][ T8451]  print_address_description.constprop.0.cold+0x5b/0x2f8
[ 68.111995][ T8451]  ? refcount_dec_not_one+0x71/0x1e0
[ 68.117269][ T8451]  ? refcount_dec_not_one+0x71/0x1e0
[ 68.122632][ T8451]  kasan_report.cold+0x79/0xd5
[ 68.127393][ T8451]  ? refcount_dec_not_one+0x71/0x1e0
[ 68.132672][ T8451]  check_memory_region+0x13d/0x180
[ 68.137795][ T8451]  refcount_dec_not_one+0x71/0x1e0
[ 68.142906][ T8451]  ? refcount_warn_saturate+0x1e0/0x1e0
[ 68.148453][ T8451]  ? nbd_config_put+0x5d0/0x8c0
[ 68.153320][ T8451]  refcount_dec_and_mutex_lock+0x19/0x140
[ 68.159052][ T8451]  nbd_release+0x116/0x190
[ 68.163481][ T8451]  ? nbd_genl_disconnect+0x540/0x540
[ 68.168865][ T8451]  __blkdev_put+0x548/0x800
[ 68.173373][ T8451]  ? __mutex_unlock_slowpath+0xe2/0x610
[ 68.178929][ T8451]  ? freeze_bdev+0x250/0x250
[ 68.183537][ T8451]  ? wait_for_completion_io+0x260/0x260
[ 68.189133][ T8451]  ? _raw_spin_unlock+0x24/0x40
[ 68.193979][ T8451]  ? locks_remove_file+0x30d/0x560
[ 68.199089][ T8451]  blkdev_put+0x92/0x570
[ 68.203334][ T8451]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 68.209574][ T8451]  blkdev_close+0x8c/0xb0
[ 68.213915][ T8451]  __fput+0x283/0x920
[ 68.218066][ T8451]  ? blkdev_put+0x570/0x570
[ 68.222564][ T8451]  task_work_run+0xdd/0x190
[ 68.227079][ T8451]  exit_to_user_mode_prepare+0x249/0x250
[ 68.232737][ T8451]  syscall_exit_to_user_mode+0x19/0x50
[ 68.238295][ T8451]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 68.244197][ T8451] RIP: 0033:0x7fc1e92b5270
[ 68.248603][ T8451] Code: 73 01 c3 48 8b 0d 38 7d 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 59 c1 20 00 00 75 10 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ee fb ff ff 48 89 04 24
[ 68.268225][ T8451] RSP: 002b:00007ffe8beb2d18 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 68.276640][ T8451] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fc1e92b5270
[ 68.284630][ T8451] RDX: 000000000aba9500 RSI: 0000000000000000 RDI: 0000000000000007
[ 68.292601][ T8451] RBP: 00007fc1ea16f710 R08: 000000000000004a R09: 0000000000000008
[ 68.300595][ T8451] R10: 0000562f8cb0b2a8 R11: 0000000000000246 R12: 0000000000000000
[ 68.308622][ T8451] R13: 0000562f8cb0afd0 R14: 0000000000000003 R15: 000000000000000e
[ 68.316642][ T8451]
[ 68.318955][ T8451] Allocated by task 1:
[ 68.323005][ T8451]  kasan_save_stack+0x1b/0x40
[ 68.327685][ T8451]  ____kasan_kmalloc.constprop.0+0x82/0xa0
[ 68.333504][ T8451]  nbd_dev_add+0x44/0x8e0
[ 68.337848][ T8451]  nbd_init+0x250/0x271
[ 68.342014][ T8451]  do_one_initcall+0x103/0x650
[ 68.346808][ T8451]  kernel_init_freeable+0x605/0x689
[ 68.352012][ T8451]  kernel_init+0xd/0x1b8
[ 68.356258][ T8451]  ret_from_fork+0x1f/0x30
[ 68.360677][ T8451]
[ 68.362987][ T8451] Freed by task 8451:
[ 68.366965][ T8451]  kasan_save_stack+0x1b/0x40
[ 68.371633][ T8451]  kasan_set_track+0x1c/0x30
[ 68.376328][ T8451]  kasan_set_free_info+0x20/0x30
[ 68.381303][ T8451]  ____kasan_slab_free+0xe1/0x110
[ 68.386334][ T8451]  slab_free_freelist_hook+0x5d/0x150
[ 68.391712][ T8451]  kfree+0xdb/0x3b0
[ 68.395648][ T8451]  nbd_put.part.0+0x180/0x1d0
[ 68.400318][ T8451]  nbd_config_put+0x6dd/0x8c0
[ 68.405117][ T8451]  nbd_release+0x103/0x190
[ 68.409570][ T8451]  __blkdev_put+0x548/0x800
[ 68.414119][ T8451]  blkdev_put+0x92/0x570
[ 68.418397][ T8451]  blkdev_close+0x8c/0xb0
[ 68.422730][ T8451]  __fput+0x283/0x920
[ 68.426704][ T8451]  task_work_run+0xdd/0x190
[ 68.431243][ T8451]  exit_to_user_mode_prepare+0x249/0x250
[ 68.436886][ T8451]  syscall_exit_to_user_mode+0x19/0x50
[ 68.442357][ T8451]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 68.448295][ T8451]
[ 68.450609][ T8451] The buggy address belongs to the object at ffff888143bf7000
[ 68.450609][ T8451]  which belongs to the cache kmalloc-1k of size 1024
[ 68.464655][ T8451] The buggy address is located 416 bytes inside of
[ 68.464655][ T8451]  1024-byte region [ffff888143bf7000, ffff888143bf7400)
[ 68.479161][ T8451] The buggy address belongs to the page:
[ 68.484788][ T8451] page:000000005238f4ce refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x143bf0
[ 68.495032][ T8451] head:000000005238f4ce order:3 compound_mapcount:0 compound_pincount:0
[ 68.503370][ T8451] flags: 0x57ff00000010200(slab|head)
[ 68.508751][ T8451] raw: 057ff00000010200 ffffea00004b1400 0000000300000003 ffff888010c41140
[ 68.517336][ T8451] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 68.525922][ T8451] page dumped because: kasan: bad access detected
[ 68.532339][ T8451]
[ 68.534653][ T8451] Memory state around the buggy address:
[ 68.540269][ T8451]  ffff888143bf7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.548325][ T8451]  ffff888143bf7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.556390][ T8451] >ffff888143bf7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.564443][ T8451]                                ^
[ 68.570155][ T8451]  ffff888143bf7200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.578217][ T8451]  ffff888143bf7280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.586272][ T8451] ==================================================================
[ 68.594325][ T8451] Disabling lock debugging due to kernel taint
[ 68.615039][ T8451] Kernel panic - not syncing: panic_on_warn set ...
[ 68.621755][ T8451] CPU: 0 PID: 8451 Comm: systemd-udevd Tainted: G B 5.11.0-rc7-syzkaller #0
[ 68.631748][ T8451] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.642688][ T8451] Call Trace:
[ 68.645999][ T8451]  dump_stack+0x107/0x163
[ 68.650362][ T8451]  ? refcount_dec_not_one+0x10/0x1e0
[ 68.655756][ T8451]  panic+0x306/0x73d
[ 68.659693][ T8451]  ? __warn_printk+0xf3/0xf3
[ 68.664306][ T8451]  ? preempt_schedule_common+0x59/0xc0
[ 68.669787][ T8451]  ? refcount_dec_not_one+0x71/0x1e0
[ 68.675106][ T8451]  ? preempt_schedule_thunk+0x16/0x18
[ 68.680527][ T8451]  ? trace_hardirqs_on+0x38/0x1c0
[ 68.685581][ T8451]  ? trace_hardirqs_on+0x51/0x1c0
[ 68.690634][ T8451]  ? refcount_dec_not_one+0x71/0x1e0
[ 68.695946][ T8451]  ? refcount_dec_not_one+0x71/0x1e0
[ 68.701269][ T8451]  end_report+0x58/0x5e
[ 68.705451][ T8451]  kasan_report.cold+0x67/0xd5
[ 68.710216][ T8451]  ? refcount_dec_not_one+0x71/0x1e0
[ 68.717122][ T8451]  check_memory_region+0x13d/0x180
[ 68.722366][ T8451]  refcount_dec_not_one+0x71/0x1e0
[ 68.727476][ T8451]  ? refcount_warn_saturate+0x1e0/0x1e0
[ 68.733027][ T8451]  ? nbd_config_put+0x5d0/0x8c0
[ 68.738392][ T8451]  refcount_dec_and_mutex_lock+0x19/0x140
[ 68.744110][ T8451]  nbd_release+0x116/0x190
[ 68.748539][ T8451]  ? nbd_genl_disconnect+0x540/0x540
[ 68.753870][ T8451]  __blkdev_put+0x548/0x800
[ 68.758718][ T8451]  ? __mutex_unlock_slowpath+0xe2/0x610
[ 68.764310][ T8451]  ? freeze_bdev+0x250/0x250
[ 68.768926][ T8451]  ? wait_for_completion_io+0x260/0x260
[ 68.774464][ T8451]  ? _raw_spin_unlock+0x24/0x40
[ 68.780348][ T8451]  ? locks_remove_file+0x30d/0x560
[ 68.785483][ T8451]  blkdev_put+0x92/0x570
[ 68.789743][ T8451]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 68.795984][ T8451]  blkdev_close+0x8c/0xb0
[ 68.800311][ T8451]  __fput+0x283/0x920
[ 68.804290][ T8451]  ? blkdev_put+0x570/0x570
[ 68.808784][ T8451]  task_work_run+0xdd/0x190
[ 68.813369][ T8451]  exit_to_user_mode_prepare+0x249/0x250
[ 68.819083][ T8451]  syscall_exit_to_user_mode+0x19/0x50
[ 68.824567][ T8451]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 68.831671][ T8451] RIP: 0033:0x7fc1e92b5270
[ 68.836091][ T8451] Code: 73 01 c3 48 8b 0d 38 7d 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 59 c1 20 00 00 75 10 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ee fb ff ff 48 89 04 24
[ 68.855974][ T8451] RSP: 002b:00007ffe8beb2d18 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 68.864396][ T8451] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fc1e92b5270
[ 68.872372][ T8451] RDX: 000000000aba9500 RSI: 0000000000000000 RDI: 0000000000000007
[ 68.880354][ T8451] RBP: 00007fc1ea16f710 R08: 000000000000004a R09: 0000000000000008
[ 68.888324][ T8451] R10: 0000562f8cb0b2a8 R11: 0000000000000246 R12: 0000000000000000
[ 68.896286][ T8451] R13: 0000562f8cb0afd0 R14: 0000000000000003 R15: 000000000000000e
[ 68.904766][ T8451] Kernel Offset: disabled
[ 68.909097][ T8451] Rebooting in 86400 seconds..