[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.78' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 33.095040] netlink: 4 bytes leftover after parsing attributes in process `syz-executor125'.
executing program
[ 33.148285] netlink: 4 bytes leftover after parsing attributes in process `syz-executor125'.
[ 33.187288] netlink: 4 bytes leftover after parsing attributes in process `syz-executor125'.
executing program
executing program
[ 33.246518] netlink: 4 bytes leftover after parsing attributes in process `syz-executor125'.
executing program
[ 33.297795] netlink: 4 bytes leftover after parsing attributes in process `syz-executor125'.
executing program
[ 33.346644] netlink: 4 bytes leftover after parsing attributes in process `syz-executor125'.
executing program
[ 33.396423] netlink: 4 bytes leftover after parsing attributes in process `syz-executor125'.
executing program
[ 33.447000] netlink: 4 bytes leftover after parsing attributes in process `syz-executor125'.
executing program
[ 33.497931] netlink: 4 bytes leftover after parsing attributes in process `syz-executor125'.
executing program
[ 33.538131] netlink: 4 bytes leftover after parsing attributes in process `syz-executor125'.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 33.883536] ==================================================================
[ 33.890953] BUG: KASAN: use-after-free in refcount_dec_not_one+0x71/0x1d0
[ 33.897856] Read of size 4 at addr ffff888098282418 by task syz-executor125/8193
[ 33.905360]
[ 33.906969] CPU: 0 PID: 8193 Comm: syz-executor125 Not tainted 4.19.211-syzkaller #0
[ 33.914821] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.924149] Call Trace:
[ 33.926718]  dump_stack+0x1fc/0x2ef
[ 33.930327]  print_address_description.cold+0x54/0x219
[ 33.935585]  kasan_report_error.cold+0x8a/0x1b9
[ 33.940231]  ? refcount_dec_not_one+0x71/0x1d0
[ 33.944789]  kasan_report+0x8f/0xa0
[ 33.948408]  ? refcount_dec_not_one+0x71/0x1d0
[ 33.952973]  refcount_dec_not_one+0x71/0x1d0
[ 33.957362]  ? refcount_dec_and_test_checked+0x20/0x20
[ 33.962617]  ? nbd_config_put+0x5da/0x870
[ 33.966749]  refcount_dec_and_mutex_lock+0x1c/0x80
[ 33.971659]  nbd_genl_connect+0x11ee/0x1630
[ 33.975963]  ? nbd_xmit_timeout+0x730/0x730
[ 33.980269]  ? __sanitizer_cov_trace_switch+0x4b/0x80
[ 33.985442]  ? validate_nla+0x270/0x820
[ 33.989395]  ? nla_parse+0x1b2/0x290
[ 33.993090]  genl_family_rcv_msg+0x642/0xc40
[ 33.997483]  ? genl_rcv+0x40/0x40
[ 34.000913]  ? genl_rcv_msg+0x12f/0x160
[ 34.004876]  ? mutex_trylock+0x1a0/0x1a0
[ 34.008919]  ? __radix_tree_lookup+0x216/0x370
[ 34.013483]  genl_rcv_msg+0xbf/0x160
[ 34.017180]  netlink_rcv_skb+0x160/0x440
[ 34.021218]  ? genl_family_rcv_msg+0xc40/0xc40
[ 34.025780]  ? netlink_ack+0xae0/0xae0
[ 34.029648]  ? genl_rcv+0x15/0x40
[ 34.033090]  genl_rcv+0x24/0x40
[ 34.036346]  netlink_unicast+0x4d5/0x690
[ 34.040387]  ? netlink_sendskb+0x110/0x110
[ 34.044597]  ? _copy_from_iter_full+0x229/0x7c0
[ 34.049243]  ? __phys_addr_symbol+0x2c/0x70
[ 34.053555]  ? __check_object_size+0x17b/0x3e0
[ 34.058116]  netlink_sendmsg+0x6c3/0xc50
[ 34.062154]  ? aa_af_perm+0x230/0x230
[ 34.065936]  ? nlmsg_notify+0x1f0/0x1f0
[ 34.069885]  ? kernel_recvmsg+0x220/0x220
[ 34.074023]  ? nlmsg_notify+0x1f0/0x1f0
[ 34.077974]  sock_sendmsg+0xc3/0x120
[ 34.081663]  ___sys_sendmsg+0x7bb/0x8e0
[ 34.085615]  ? copy_msghdr_from_user+0x440/0x440
[ 34.090348]  ? netlink_dump+0xc10/0xc10
[ 34.094316]  ? nlmsg_notify+0x1f0/0x1f0
[ 34.098274]  ? security_socket_recvmsg+0x8f/0xc0
[ 34.103017]  ? __sys_recvfrom+0x2cd/0x3a0
[ 34.107141]  ? __ia32_sys_send+0x100/0x100
[ 34.111360]  ? __fdget+0x1a0/0x230
[ 34.114889]  __x64_sys_sendmsg+0x132/0x220
[ 34.119101]  ? __sys_sendmsg+0x1b0/0x1b0
[ 34.123142]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 34.128495]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 34.133488]  ? do_syscall_64+0x21/0x620
[ 34.137439]  do_syscall_64+0xf9/0x620
[ 34.141216]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.146380] RIP: 0033:0x7f049cb98969
[ 34.150073] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 34.168957] RSP: 002b:00007ffcc0244f48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 34.176662] RAX: ffffffffffffffda RBX: 0000000000008401 RCX: 00007f049cb98969
[ 34.183914] RDX: 0000000000008000 RSI: 00000000200005c0 RDI: 0000000000000003
[ 34.191169] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffcc02450e8
[ 34.198420] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcc0244f5c
[ 34.205668] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[ 34.212922]
[ 34.214540] Allocated by task 8187:
[ 34.218152]  kmem_cache_alloc_trace+0x12f/0x380
[ 34.222798]  nbd_dev_add+0x44/0x890
[ 34.226403]  nbd_genl_connect+0x4cc/0x1630
[ 34.230618]  genl_family_rcv_msg+0x642/0xc40
[ 34.234999]  genl_rcv_msg+0xbf/0x160
[ 34.238687]  netlink_rcv_skb+0x160/0x440
[ 34.242721]  genl_rcv+0x24/0x40
[ 34.245976]  netlink_unicast+0x4d5/0x690
[ 34.250013]  netlink_sendmsg+0x6c3/0xc50
[ 34.254052]  sock_sendmsg+0xc3/0x120
[ 34.257739]  ___sys_sendmsg+0x7bb/0x8e0
[ 34.261686]  __x64_sys_sendmsg+0x132/0x220
[ 34.265896]  do_syscall_64+0xf9/0x620
[ 34.269674]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.274833]
[ 34.276445] Freed by task 8193:
[ 34.279699]  kfree+0xcc/0x210
[ 34.282780]  nbd_put.part.0+0xfe/0x140
[ 34.286652]  nbd_config_put+0x6a0/0x870
[ 34.290600]  nbd_genl_connect+0x11bb/0x1630
[ 34.294900]  genl_family_rcv_msg+0x642/0xc40
[ 34.299283]  genl_rcv_msg+0xbf/0x160
[ 34.302971]  netlink_rcv_skb+0x160/0x440
[ 34.307007]  genl_rcv+0x24/0x40
[ 34.310261]  netlink_unicast+0x4d5/0x690
[ 34.314385]  netlink_sendmsg+0x6c3/0xc50
[ 34.318424]  sock_sendmsg+0xc3/0x120
[ 34.322111]  ___sys_sendmsg+0x7bb/0x8e0
[ 34.326069]  __x64_sys_sendmsg+0x132/0x220
[ 34.330280]  do_syscall_64+0xf9/0x620
[ 34.334055]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.339216]
[ 34.340819] The buggy address belongs to the object at ffff888098282340
[ 34.340819]  which belongs to the cache kmalloc-512 of size 512
[ 34.353452] The buggy address is located 216 bytes inside of
[ 34.353452]  512-byte region [ffff888098282340, ffff888098282540)
[ 34.365308] The buggy address belongs to the page:
[ 34.370211] page:ffffea000260a080 count:1 mapcount:0 mapping:ffff88813bff0940 index:0xffff8880982820c0
[ 34.379643] flags: 0xfff00000000100(slab)
[ 34.383777] raw: 00fff00000000100 ffffea00027ecb88 ffffea0002aacdc8 ffff88813bff0940
[ 34.391638] raw: ffff8880982820c0 ffff8880982820c0 0000000100000003 0000000000000000
[ 34.399497] page dumped because: kasan: bad access detected
[ 34.405186]
[ 34.406790] Memory state around the buggy address:
[ 34.411696]  ffff888098282300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 34.419037]  ffff888098282380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.426375] >ffff888098282400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.433729]                             ^
[ 34.437852]  ffff888098282480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.445188]  ffff888098282500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 34.452522] ==================================================================
[ 34.459855] Disabling lock debugging due to kernel taint
[ 34.469385] Kernel panic - not syncing: panic_on_warn set ...
[ 34.469385]
[ 34.476769] CPU: 1 PID: 8193 Comm: syz-executor125 Tainted: G    B             4.19.211-syzkaller #0
[ 34.486035] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.495379] Call Trace:
[ 34.497973]  dump_stack+0x1fc/0x2ef
[ 34.501597]  panic+0x26a/0x50e
[ 34.504782]  ? __warn_printk+0xf3/0xf3
[ 34.508650]  ? preempt_schedule_common+0x45/0xc0
[ 34.513384]  ? ___preempt_schedule+0x16/0x18
[ 34.517772]  ? trace_hardirqs_on+0x55/0x210
[ 34.522081]  kasan_end_report+0x43/0x49
[ 34.526041]  kasan_report_error.cold+0xa7/0x1b9
[ 34.530689]  ? refcount_dec_not_one+0x71/0x1d0
[ 34.535247]  kasan_report+0x8f/0xa0
[ 34.538850]  ? refcount_dec_not_one+0x71/0x1d0
[ 34.543414]  refcount_dec_not_one+0x71/0x1d0
[ 34.547814]  ? refcount_dec_and_test_checked+0x20/0x20
[ 34.553074]  ? nbd_config_put+0x5da/0x870
[ 34.557209]  refcount_dec_and_mutex_lock+0x1c/0x80
[ 34.562120]  nbd_genl_connect+0x11ee/0x1630
[ 34.566423]  ? nbd_xmit_timeout+0x730/0x730
[ 34.570726]  ? __sanitizer_cov_trace_switch+0x4b/0x80
[ 34.575895]  ? validate_nla+0x270/0x820
[ 34.579846]  ? nla_parse+0x1b2/0x290
[ 34.583540]  genl_family_rcv_msg+0x642/0xc40
[ 34.587928]  ? genl_rcv+0x40/0x40
[ 34.591354]  ? genl_rcv_msg+0x12f/0x160
[ 34.595306]  ? mutex_trylock+0x1a0/0x1a0
[ 34.599346]  ? __radix_tree_lookup+0x216/0x370
[ 34.603906]  genl_rcv_msg+0xbf/0x160
[ 34.607596]  netlink_rcv_skb+0x160/0x440
[ 34.611650]  ? genl_family_rcv_msg+0xc40/0xc40
[ 34.616208]  ? netlink_ack+0xae0/0xae0
[ 34.620071]  ? genl_rcv+0x15/0x40
[ 34.623503]  genl_rcv+0x24/0x40
[ 34.626757]  netlink_unicast+0x4d5/0x690
[ 34.630794]  ? netlink_sendskb+0x110/0x110
[ 34.635006]  ? _copy_from_iter_full+0x229/0x7c0
[ 34.639651]  ? __phys_addr_symbol+0x2c/0x70
[ 34.643951]  ? __check_object_size+0x17b/0x3e0
[ 34.648510]  netlink_sendmsg+0x6c3/0xc50
[ 34.652548]  ? aa_af_perm+0x230/0x230
[ 34.656323]  ? nlmsg_notify+0x1f0/0x1f0
[ 34.660275]  ? kernel_recvmsg+0x220/0x220
[ 34.664402]  ? nlmsg_notify+0x1f0/0x1f0
[ 34.668350]  sock_sendmsg+0xc3/0x120
[ 34.672039]  ___sys_sendmsg+0x7bb/0x8e0
[ 34.675989]  ? copy_msghdr_from_user+0x440/0x440
[ 34.680718]  ? netlink_dump+0xc10/0xc10
[ 34.684666]  ? nlmsg_notify+0x1f0/0x1f0
[ 34.688621]  ? security_socket_recvmsg+0x8f/0xc0
[ 34.693355]  ? __sys_recvfrom+0x2cd/0x3a0
[ 34.697479]  ? __ia32_sys_send+0x100/0x100
[ 34.701692]  ? __fdget+0x1a0/0x230
[ 34.705219]  __x64_sys_sendmsg+0x132/0x220
[ 34.709449]  ? __sys_sendmsg+0x1b0/0x1b0
[ 34.713497]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 34.718855]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 34.723862]  ? do_syscall_64+0x21/0x620
[ 34.727814]  do_syscall_64+0xf9/0x620
[ 34.731594]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.736759] RIP: 0033:0x7f049cb98969
[ 34.740461] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 34.759343] RSP: 002b:00007ffcc0244f48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 34.767028] RAX: ffffffffffffffda RBX: 0000000000008401 RCX: 00007f049cb98969
[ 34.774275] RDX: 0000000000008000 RSI: 00000000200005c0 RDI: 0000000000000003
[ 34.781532] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffcc02450e8
[ 34.788776] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcc0244f5c
[ 34.796019] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[ 34.803343] Kernel Offset: disabled
[ 34.806964] Rebooting in 86400 seconds..